Hi, I read that, but what if user not found in ldap? Radius seems to need some auth-type. How i can force auth-type using ldap? My radius gives this message -> "No authenticate method (Auth-Type) configuration found for the request: Rejecting the user" Here is some other logs if i use only ldap for authorize section: rad_recv: Access-Request packet from host 10.10.1.100 port 1024, id=198, length=224 Framed-MTU = 1466 NAS-IP-Address = 10.10.1.100 NAS-Identifier = "8021x" User-Name = "lnx01.demo.local" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 37 NAS-Port-Type = Ethernet NAS-Port-Id = "37" Called-Station-Id = "00-16-b9-55-48-c0" Calling-Station-Id = "00-e0-00-1c-1e-c1" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" EAP-Message = 0x02330016017375736530312e64656d6f2e6c6f63616c Message-Authenticator = 0x5c313918e00d0d385d435e3194c284ed +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "lnx01.demo.local", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [files] users: Matched entry DEFAULT at line 190 ++[files] returns ok [ldap] performing user authorization for lnx01.demo.local [ldap] expand: (cn=%u) -> (cn=lnx01.demo.local) [ldap] expand: ou=8021x,dc=demo,dc=local -> ou=8021x,dc=demo,dc=local rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 10.10.101.31:389, authentication 0 rlm_ldap: setting TLS CACert Directory to /path/to/ca/dir/ rlm_ldap: bind as cn=Directory Manager/ to 10.10.101.31:389 rlm_ldap: waiting for bind result ... request done: ld 0x9ba2480 msgid 1 rlm_ldap: Bind was successful rlm_ldap: performing search in ou=8021x,dc=demo,dc=local, with filter (cn=lnx01.demo.local) request done: ld 0x9ba2480 msgid 2 [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user suse01.demo.local authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. Login incorrect: [suse01.demo.local/<no User-Password attribute>] (from client 8021x port 37 cli 00-e0-00-1c-1e-c1) Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> suse01.demo.local attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 198 to 10.10.1.100 port 1024 Waking up in 4.9 seconds. Cleaning up request 0 ID 198 with timestamp +6 Ready to process requests. Br, Ville
We have openldap which includes our machine accounts. We have also computer certificates. Now what i want to do that freeradius, checks authorization against ldap and authenticate against certificates.
I have tested to put ldap to authorization section and eap to authentication section, but this wont work. I have also tested to put both ldap and eap to authorization section, but ldap wont return reject if user's noot found.
Is there any method to return reject for authorization section if user not found in ldap and stop processing there? Or is there any other method to do this?
Read doc/rlm_ldap about access_attr.
Ivan Kalik Kalik Informatika ISP