Hi Ivan, Sorry to get back to you early as I did not had ldap access :( After adding radiusAuthType on ONE uid it is working fine now. But now the issue is, I have some cases where the MAC address are stored multiple times in Ldap. Thus the ldap query is failing. Please check the log below. Can you please suggest me any workaround? Will really appreciate. Thanks and Regards. Test Case 1 :: 1 UID +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "0014F846C199", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for 0014F846C199 expand: %{Stripped-User-Name} -> expand: %{User-Name} -> 0014F846C199 expand: (&(did=%{%{Stripped-User-Name}:-%{User-Name}})) -> (&(did=0014F846C199)) expand: ou=roles,o=entitlement -> ou=roles,o=entitlement rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=roles,o=entitlement, with filter (&(did=0014F846C199)) rlm_ldap: looking for check items in directory... rlm_ldap: LDAP attribute radiusAuthType as RADIUS attribute Auth-Type == Accept rlm_ldap: looking for reply items in directory... rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = "111111" WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? rlm_ldap: user 0014F846C199 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type Accept rad_check_password: Auth-Type = Accept, accepting the user Login OK: [0014F846C199/<via Auth-Type = Accept>] (from client samir port 0) Sending Access-Accept of id 39 to 216.2.193.1 port 38625 Finished request 3. Test Case 2 :: Multiple UIDs rad_recv: Access-Request packet from host 216.2.193.1 port 37788, id=38, length=34 User-Name = "0014F846C199" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "0014F846C199", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for 0014F846C199 expand: %{Stripped-User-Name} -> expand: %{User-Name} -> 0014F846C199 expand: (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})) -> (&(uid=0014F846C199)) expand: ou=roles,o=entitlement -> ou=roles,o=entitlement rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=roles,o=entitlement, with filter (&(uid=0014F846C199)) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect (rlm_ldap: User not found): [0014F846C199/<no User-Password attribute>] (from client samir port 0) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> 0014F846C199 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 2 for 1 seconds ----- Original Message ---- From: Ivan Kalik <tnt@kalik.net> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Sent: Thursday, March 20, 2008 1:01:11 PM Subject: Re: MACAddress silent authentication in LDAP using freeradius2.0.2
Bit confusing..do you want me to create entries in ldap as,
No: uid = 001122334455 radiusAuthType = Accept Forget about the device entries. radius authenticates users. Have a look at the filter configured in ldap section of radiusd.conf
If yes, what additional changes I have to do in freeradius and how I can return devicename along the freeradius reply?
And what would you do with that? Groups? Than create a group entries for them and use memberof in (mac) user entry. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ____________________________________________________________________________________ Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ