Am Mittwoch, 9. Januar 2013, 16:51:22 schrieb Matthew Ceroni:

> Hi:

>

> I am using FreeRadius version 2.1.12 on CentOS6.

>

> I am authenticating against Active Directory (that works). And authorizing

> against LDAP (that works as well).

>

> I am trying to return attributes, used for VLAN assignment, based on the

> usersDN.

>

> In my /etc/raddb/sites-enabled/default (and inner-tunnel) I have the

> following

>

>

> #

> # The ldap module will set Auth-Type to LDAP if it has not

> # already been set

> ldap

> if (control:Ldap-UserDn =~ /OU=QA/) {

> update reply {

> Tunnel-Type:1 := 13

> Tunnel-Medium-Type:1 := 6

> Tunnel-Private-Group-Id:1 := 7

> }

> }

> elsif (control:Ldap-UserDn =~ /OU=IT/) {

> update reply {

> Tunnel-Type:1 := 13

> Tunnel-Medium-Type:1 := 6

> Tunnel-Private-Group-Id:1 := 2

> }

> }

> else {

> update reply {

> Tunnel-Type:1 := 13

> Tunnel-Medium-Type:1 := 6

> Tunnel-Private-Group-Id:1 := 21

> }

> }

>

> In the authorize section. That works, when authorize is done it queries

> LDAP successfully.

>

> Looking through the radius debug I see the IF statements processing:

>

> rad_recv: Access-Request packet from host 127.0.0.1 port 48400, id=0,

> length=122

> User-Name = "mceroni"

> NAS-IP-Address = 127.0.0.1

> Calling-Station-Id = "02-00-00-00-00-01"

> Framed-MTU = 1400

> NAS-Port-Type = Wireless-802.11

> Connect-Info = "CONNECT 11Mbps 802.11b"

> EAP-Message = 0x0200000c016d6365726f6e69

> Message-Authenticator = 0xc429bf6a61dfc3cf27f1b6dc84f4e558

> # Executing section authorize from file /etc/raddb/sites-enabled/default

> +- entering group authorize {...}

> ++[preprocess] returns ok

> ++[chap] returns noop

> ++[mschap] returns noop

> ++[digest] returns noop

> [suffix] No '@' in User-Name = "mceroni", looking up realm NULL

> [suffix] No such realm "NULL"

> ++[suffix] returns noop

> [ntdomain] No '\' in User-Name = "mceroni", looking up realm NULL

> [ntdomain] No such realm "NULL"

> ++[ntdomain] returns noop

> [eap] EAP packet type response id 0 length 12

> [eap] No EAP Start, assuming it's an on-going EAP conversation

> ++[eap] returns updated

> ++[files] returns noop

> [ldap] performing user authorization for mceroni

> [ldap] expand: %{Stripped-User-Name} ->

> [ldap] ... expanding second conditional

> [ldap] expand: %{User-Name} -> mceroni

> [ldap] expand: (samAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->

> (samAccountName=mceroni)

> [ldap] expand: ou=Clairmail OU,dc=clairmail,dc=local -> ou=Clairmail

> OU,dc=clairmail,dc=local

> [ldap] ldap_get_conn: Checking Id: 0

> [ldap] ldap_get_conn: Got Id: 0

> [ldap] attempting LDAP reconnection

> [ldap] (re)connect to cmad01.clairmail.local:389, authentication 0

> [ldap] bind as svnadmin@clairmail.local/iBis93sLit+ to

> cmad01.clairmail.local:389

> [ldap] waiting for bind result ...

> [ldap] Bind was successful

> [ldap] performing search in ou=Clairmail OU,dc=clairmail,dc=local, with

> filter (samAccountName=mceroni)

> [ldap] looking for check items in directory...

> [ldap] looking for reply items in directory...

> WARNING: No "known good" password was found in LDAP. Are you sure that the

> user is configured correctly?

> [ldap] user mceroni authorized to use remote access

> [ldap] ldap_release_conn: Release Id: 0

> ++[ldap] returns ok

> ++? if (control:Ldap-UserDn =~ /OU=QA/)

> ? Evaluating (control:Ldap-UserDn =~ /OU=QA/) -> FALSE

> ++? if (control:Ldap-UserDn =~ /OU=QA/) -> FALSE

> ++? elsif (control:Ldap-UserDn =~ /OU=IT/)

> ? Evaluating (control:Ldap-UserDn =~ /OU=IT/) -> TRUE

> ++? elsif (control:Ldap-UserDn =~ /OU=IT/) -> TRUE

> ++- entering elsif (control:Ldap-UserDn =~ /OU=IT/) {...}

> +++[reply] returns ok

>

> And it appears to set the attributes:

>

> +[pap] returns noop

> ++? if ("%{request:User-Name}" =~ /^host\/(.*).clairmail.local$/)

> expand: %{request:User-Name} -> mceroni

> ? Evaluating ("%{request:User-Name}" =~ /^host\/(.*).clairmail.local$/) ->

> FALSE

> ++? if ("%{request:User-Name}" =~ /^host\/(.*).clairmail.local$/) -> FALSE

> Found Auth-Type = EAP

> # Executing group from file /etc/raddb/sites-enabled/default

> +- entering group authenticate {...}

> [eap] EAP Identity

> [eap] processing type tls

> [tls] Initiate

> [tls] Start returned 1

> ++[eap] returns handled

> Sending Access-Challenge of id 0 to 127.0.0.1 port 48400

> Tunnel-Type:1 = VLAN

> Tunnel-Medium-Type:1 = IEEE-802

> Tunnel-Private-Group-Id:1 = "2"

> EAP-Message = 0x010100061920

> Message-Authenticator = 0x00000000000000000000000000000000

> State = 0x2a1689d42a17904c9b87561fac99b7b3

> Finished request 0.

> Going to the next request

> Waking up in 4.9 seconds.

> rad_recv: Access-Request packet from host 127.0.0.1 port 48400, id=1,

> length=250

> User-Name = "mceroni"

> NAS-IP-Address = 127.0.0.1

> Calling-Station-Id = "02-00-00-00-00-01"

> Framed-MTU = 1400

> NAS-Port-Type = Wireless-802.11

> Connect-Info = "CONNECT 11Mbps 802.11b"

> EAP-Message =

> 0x0201007a198000000070160301006b01000067030150ee101279602ec4eddc8d6cfc926da8

> 5eee0e034a2c20ea6abd4fd75e1ea55500003a00390038008800870035008400160013000a00

> 330032009a009900450044002f00960041000500040015001200090014001100080006000300

> ff0100000400230000 State = 0x2a1689d42a17904c9b87561fac99b7b3

> Message-Authenticator = 0x0a3e365c6cd7a8ae795def8cb962360e

>

>

> But in the final response those attributes are not there.

>

> Sending Access-Accept of id 9 to 127.0.0.1 port 48400

> MS-MPPE-Recv-Key =

> 0xf318d3dd21910be1544fd848af03baebe4f23ae85b786100b02b967d4cc1761e

> MS-MPPE-Send-Key =

> 0xa01a409bf3f54388c69613c576e657605022285909917ddbee9e52e776c3b0e1

> EAP-Message = 0x03090004

> Message-Authenticator = 0x00000000000000000000000000000000

> User-Name = "mceroni"

>

>

> Any help would be appreciated.

>

> Thanks

 

Hi,

 

please set the

 

use_tunneled_reply=yes

 

in the outer tunnel. Then FR copies the attributes from the inner tunnel to the outer reply.

 

Greetings,

 

--

Dr. Michael Schwartzkopff

Guardinistr. 63

81375 München

 

Tel: (0163) 172 50 98

Fax: (089) 620 304 13