a few things 1) (0) files : Performing unfiltered search in 'uid=richardl,cn=users,cn=compat,dc=acskype,dc=com', scope 'base' (0) files : Waiting for search result... (0) files : No group membership attribute(s) found in user object no group membership found there 2) you dont have Fallthrough set to yes in the first entry you have, thus the server WONT proceed any further in the users file (ie your second check item is never hit.... so maybe set a fall through for that check item (see examples provided with server) finally, dont use the users file for this, use unlang and put a nice trivial LDAP check into the post-auth section which then sets the relevant VLAN to drop the user onto.....eg, as a quick'n'dirty example if ( "%{master_ldap:ldaps:///dc=my,dc=example,dc=com?distinguishedName?sub?(&(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=CN=FreeRADIUS,OU=admin,DC=my,DC=example,DC=com))}" ) { update reply { &Tunnel-Medium-Type := "IEEE-802" &Tunnel-Type := "VLAN" &Termination-Action := "RADIUS-Request" &Tunnel-Private-Group-Id := "666" } } On 19 April 2017 at 17:36, Alan DeKok <aland@deployingradius.com> wrote:
On Apr 19, 2017, at 12:07 PM, Richard Laing <richard.laing@armourcomms.com> wrote:
Hi Alan thank you for taking a look at the output for me on the last message.
1. Never said it doesn't work, said no VLAN on application of more than one group.
What do you mean by "application of more than one group"?
I explained how the "users" file works. I pointed you to documentation. If you put more than one DEFAULT in, it will only match the first one. Unless you follow the documentation.
3. You ignored the following output, if I use an incorrect password then I will get a fail. I looking for the user have its request authorized and have the VLAN assigned over to that user correctly.
So you want users with bad passwords to be put into a different VLAN?
The debug log you attached showed a *successful* authentication.
Also if I run radtest the user seems to work just not on the group memberships
See the FAQ for "it doesn't work"
Again, you're asking questions which are poorly phrased, and don't contain enough information for me to help you.
radtest richardl 'Testing 101' ipa01.acskype.com 1812 testing101 Sending Access-Request Id 198 from 0.0.0.0:41248 to 192.168.10.2:1812 User-Name = 'richardl' User-Password = 'Testing 101' NAS-IP-Address = 192.168.10.2 NAS-Port = 1812 Message-Authenticator = 0x00 Received Access-Accept Id 198 from 192.168.10.2:1812 to 192.168.10.2:41248 length 20
We never ask for the output from radclient. We ALWAYS ask for the output of the server.
Again... please follow instructions. When you don't follow instructions, you don't get the problem fixed.
4. I will update into the latest version and hopeful have a follow up soon, would interested in hearing your ideas on the best method of securing free-radius & LDAP together
If only I understood what you were doing, and what *exactly* was going wrong, and what you expected to happen.
I already asked that, and your response here was still fairly vague. "I tried stuff, and it didn't work".
Ask a bad question, get a bad answer.
Ask a good question, get a good answer.
It's up to you.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html