Hi Mathew, I have tried the option you had suggested but no luck. Hi All, I have gone through the Freeradius logs and found that Freeradius is able to find the user id i.e macaddress which is multi value field from LDAP but the problem is with the password. Freeradius is retrieving all the three macaddress values for the password from the LDAP, but for some reasons, it is trying to match with the first value all the time. I am posting the detailed log. I am getting the Accept-Accept reply for the very first value in the multivalued field. Could someone help me please? *Freeradius configuration:* *LDAP conf file config:* update { control:Password-With-Header += 'macAddress' } user { filter = "(macAddress=%{%{Stripped-User-Name}:-%{User-Name}})" } *Freeradius log:* Received Access-Request Id 22 from 172.16.XX.XX:35697 to 172.16.XX.XXX:1812 length 103 User-Name = 'e4:a4:71:a3:88:6f' User-Password = 'e4:a4:71:a3:88:6f' NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Message-Authenticator = 0x866364dcab9fba69fd2508e111d730da (2) Received Access-Request packet from host 172.16.XX.XX port 35697, id=22, length=103 (2) User-Name = 'e4:a4:71:a3:88:6f' (2) User-Password = 'e4:a4:71:a3:88:6f' (2) NAS-IP-Address = 127.0.1.1 (2) NAS-Port = 0 (2) Message-Authenticator = 0x866364dcab9fba69fd2508e111d730da (2) # Executing section authorize from file /etc/raddb/sites-enabled/default (2) authorize { (2) filter_username filter_username { (2) if (!&User-Name) (2) if (!&User-Name) -> FALSE (2) if (&User-Name =~ / /) (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@.*@/ ) (2) if (&User-Name =~ /@.*@/ ) -> FALSE (2) if (&User-Name =~ /\\.\\./ ) (2) if (&User-Name =~ /\\.\\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\\.$/) (2) if (&User-Name =~ /\\.$/) -> FALSE (2) if (&User-Name =~ /@\\./) (2) if (&User-Name =~ /@\\./) -> FALSE (2) } # filter_username filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix : Checking for suffix after "@" (2) suffix : No '@' in User-Name = "e4:a4:71:a3:88:6f", looking up realm NULL (2) suffix : No such realm "NULL" (2) [suffix] = noop (2) eap : No EAP-Message, not doing EAP (2) [eap] = noop (2) [files] = noop rlm_ldap (ldap): Reserved connection (4) (2) ldap : EXPAND (macAddress=%{%{Stripped-User-Name}:-%{User-Name}}) (2) ldap : --> (macAddress=e4:a4:71:a3:88:6f) (2) ldap : EXPAND ou=People,dc=icts,dc=res,dc=in (2) ldap : --> ou=People,dc=icts,dc=res,dc=in (2) ldap : Performing search in 'ou=People,dc=icts,dc=res,dc=in' with filter '(macAddress=e4:a4:71:a3:88:6f)', scope 'sub' (2) ldap : Waiting for search result... (2) ldap : User object found at DN "cn=it section,ou=People,dc=icts,dc=res,dc=in" (2) ldap : Processing user attributes (2) ldap : control:Password-With-Header += '28:f1:0e:2a:c1:ac' (2) ldap : control:Password-With-Header += 'e4:a4:71:a3:88:6f' (2) ldap : control:Password-With-Header += '0c:c4:7a:22:63:23' rlm_ldap (ldap): Released connection (4) (2) [ldap] = ok (2) [expiration] = noop (2) [logintime] = noop (2) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password (2) WARNING: pap : Config already contains "known good" password. Ignoring Password-With-Header (2) WARNING: pap : Config already contains "known good" password. Ignoring Password-With-Header (2) [pap] = updated (2) } # authorize = updated (2) Found Auth-Type = PAP (2) # Executing group from file /etc/raddb/sites-enabled/default (2) Auth-Type PAP { (2) pap : Login attempt with password (2) ERROR: pap : Cleartext password does not match "known good" password (2) pap : Passwords don't match (2) [pap] = reject (2) } # Auth-Type PAP = reject (2) Failed to authenticate the user (2) Using Post-Auth-Type Reject (2) # Executing group from file /etc/raddb/sites-enabled/default (2) Post-Auth-Type REJECT { (2) attr_filter.access_reject : EXPAND %{User-Name} (2) attr_filter.access_reject : --> e4:a4:71:a3:88:6f (2) attr_filter.access_reject : Matched entry DEFAULT at line 11 (2) [attr_filter.access_reject] = updated (2) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure (2) [eap] = noop (2) remove_reply_message_if_eap remove_reply_message_if_eap { (2) if (&reply:EAP-Message && &reply:Reply-Message) (2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (2) else else { (2) [noop] = noop (2) } # else else = noop (2) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (2) } # Post-Auth-Type REJECT = updated (2) Delaying response for 1 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (2) Sending delayed response (2) Sending Access-Reject packet to host 172.16.XX.XX port 35697, id=22, length=0 Sending Access-Reject Id 22 from 172.16.XX.XXX:1812 to 172.16.XX.XX:35697 Waking up in 3.9 seconds. (2) Cleaning up request packet ID 22 with timestamp +24 On Thu, Sep 14, 2017 at 1:42 AM, Matthew Newton <mcn@freeradius.org> wrote:
On Wed, 2017-09-13 at 22:51 +0530, Srinivasa R wrote:
# it section, People, icts.res.in dn: cn=it section,ou=People,dc=XXXX,dc=XXX,dc=XX objectClass: posixAccount objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: top objectClass: ieee802Device homeDirectory: /home/it loginShell: /bin/bash uid: it cn: it section uidNumber: 10001 gidNumber: 10000 sn: section givenName: it telephoneNumber: mobile: macAddress: 28:f1:0e:2a:c1:ac macAddress: e4:a4:71:a3:88:6f macAddress: 0c:c4:7a:22:63:23
I'm probably missing something here, but can't you just get your LDAP server to do the searching for you? i.e. update the ldap filter to something like
filter = "(&(uid=%{%{Stripped-User-Name}:-%{User- Name}})(macAddress=%{Calling-Station-Id}))"
If that returns ok, both User-Name and Calling-Station-Id matched. If not, then one or other or both didn't.
-- Matthew
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Regards, -- Srinivas R