I made a progress on this issue. I
added pap under Autz-Type Ldap1, as below, and then Auth-Type was set to pap.
authorize {
preprocess
chap
mschap
suffix
eap
Autz-Type Ldap1 {
redundant-load-balance{
myldap
myldap2
}
pap # <-- the change
}
Autz-Type Web{
files
}
files
pap
}
The purpose of doing this is to make sure
pap is the last module being called during the authorization process.
My questions are,
Thanks!
Andrew
P.S.
In users file,
DEFAULT Called-Station-Id =~
".*Guest@myu", Autz-Type := Ldap1
Fall-Through = no
Debug output,
rad_recv: Access-Request packet from host
192.168.1.113 port 20000, id=8, length=98
User-Name
= "tester"
Called-Station-Id = "00-1B-BA-A5-45-40:Guest@myu"
NAS-Port
= 152
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "nortel"
NAS-IP-Address = 192.168.1.113
User-Password = "testing"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name =
"tester", looking up realm NULL
rlm_realm: No such realm
"NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
expand:
%{Called-Station-Id} -> 00-1B-BA-A5-45-40:Guest@myu
expand:
%{Called-Station-Id} -> 00-1B-BA-A5-45-40:Guest@myu
users: Matched entry DEFAULT at
line 71
++[files] returns ok
rlm_pap: WARNING! No "known good" password
found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Autz-Type Ldap1
+- entering group Ldap1
++- entering redundant-load-balance group
redundant-load-balance
rlm_ldap: - authorize
rlm_ldap: performing user authorization for tester
WARNING: Deprecated conditional expansion
":-". See "man unlang" for details
expand:
(uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=tester)
expand:
ou=people,dc=myu,dc=ca -> ou=people,dc=myu,dc=ca
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap2.myu.ca:389,
authentication 0
rlm_ldap: setting TLS CACert File to
/usr/local/etc/raddb/certs/myuCA.crt
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: bind as
uid=radius,dc=myu,dc=ca/PWD12345678 to ldap2.myu.ca:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in
ou=people,dc=myu,dc=ca, with filter (uid=tester)
rlm_ldap: Added User-Password =
{SSHA}jSTYFonbXmIE6pReKdYUvq0RhxuhLUAT6FYcG== in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user tester authorized to use remote
access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[myldap] returns ok
++- redundant-load-balance group
redundant-load-balance returns ok
++[pap] returns updated
rad_check_password: Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password
"testing"
rlm_pap: Using SSHA encryption.
rlm_pap: Normalizing SSHA1-Password from base64
encoding
rlm_pap: User authenticated successfully
++[pap] returns ok
Login OK: [tester] (from client myusj113 port 152)
Sending Access-Accept of id 8 to 192.168.1.113 port
20000
Finished request 0.
Going to the next request
Waking up in 0.9 seconds.
Waking up in 4.0 seconds.
Cleaning up request 0 ID 8 with timestamp +54
Ready to process requests.
From: cxu
[mailto:cxu@unbsj.ca]
Sent: Thursday, February 07, 2008
2:27 PM
To:
'freeradius-users@lists.freeradius.org'
Subject: Problem when removing
Auth-Type := Ldap in users file
Hi,
I am testing the freeradius server,
and try to clarify rules applied in freeradius. In the following trials, I
could not figure out how to make Autz-Type Ldap1 in authorize section to
correctly set Auth-Type used in authentication without the help from
“Auth-Type := Ldap1”.
With the following entry in users file,
**************
DEFAULT Called-Station-Id =~
".*Guest@myu", Autz-Type := Ldap1, Auth-Type := Ldap1
**************
the user authentication worked fine.
Below is the debug output.
**************
rad_recv: Access-Request
packet from host 192.168.1.113 port 20000, id=19, length=98
User-Name = "tester"
Called-Station-Id = "00-1B-BA-A5-45-40:Guest@myu"
NAS-Port = 189
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "nortel"
NAS-IP-Address = 192.168.1.113
User-Password = "testing"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "tester", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No
EAP-Message, not doing EAP
++[eap] returns noop
expand: %{Called-Station-Id} -> 00-1B-BA-A5-45-40:Guest@myu
expand: %{Called-Station-Id} -> 00-1B-BA-A5-45-40:Guest@myu
users:
Matched entry DEFAULT at line 70
++[files] returns ok
rlm_pap: WARNING! No
"known good" password found for the user. Authentication may
fail because of this.
++[pap] returns noop
Found Autz-Type Ldap1
+- entering group Ldap1
++- entering
redundant-load-balance group redundant-load-balance
rlm_ldap: - authorize
rlm_ldap: performing user
authorization for tester
WARNING: Deprecated
conditional expansion ":-". See "man unlang" for
details
expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=tester)
expand: ou=people,dc=myu,dc=ca -> ou=people,dc=myu,dc=ca
rlm_ldap: ldap_get_conn:
Checking Id: 0
rlm_ldap: ldap_get_conn: Got
Id: 0
rlm_ldap: attempting LDAP
reconnection
rlm_ldap: (re)connect to
ldap.myu.ca:389, authentication 0
rlm_ldap: setting TLS CACert
File to /usr/local/etc/raddb/certs/unbCA.crt
rlm_ldap: setting TLS
Require Cert to never
rlm_ldap: bind as
uid=radius,dc=myu,dc=ca/PWD12345678 to ldap.myu.ca:389
rlm_ldap: waiting for bind
result ...
rlm_ldap: Bind was
successful
rlm_ldap: performing search
in ou=people,dc=myu,dc=ca, with filter (uid=tester)
rlm_ldap: Added
User-Password = {SSHA}jSTYFonbXmIE6pReKdYUvq0RhxuhLUAT6FYcG== in check items
rlm_ldap: looking for check
items in directory...
rlm_ldap: looking for reply
items in directory...
rlm_ldap: user tester
authorized to use remote access
rlm_ldap: ldap_release_conn:
Release Id: 0
+++[myldap2] returns ok
++- redundant-load-balance
group redundant-load-balance returns ok
rad_check_password:
Found Auth-Type Ldap1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!
Replacing User-Password in config items with
Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your
configuration so that the "known
good"
!!!
!!! clear text password is
in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
auth: type "Ldap1"
+- entering group Ldap1
++- entering
redundant-load-balance group redundant-load-balance
rlm_ldap: - authenticate
rlm_ldap: login attempt by
"tester" with password "testing"
rlm_ldap: user DN:
uid=tester,ou=people,dc=myu,dc=ca
rlm_ldap: (re)connect to
ldap.myu.ca:389, authentication 1
rlm_ldap: setting TLS CACert
File to /usr/local/etc/raddb/certs/myuCA.crt
rlm_ldap: setting TLS
Require Cert to never
rlm_ldap: bind as
uid=tester,ou=people,dc=myu,dc=ca/testing to ldap.myu.ca:389
rlm_ldap: waiting for bind
result ...
rlm_ldap: Bind was
successful
rlm_ldap: user tester
authenticated succesfully
+++[myldap2] returns ok
++- redundant-load-balance
group redundant-load-balance returns ok
Login OK: [tester] (from
client unbsj113 port 189)
Sending Access-Accept of id
19 to 192.168.1.113 port 20000
Finished request 0.
Going to the next request
Waking up in 0.8 seconds.
Waking up in 4.1 seconds.
Cleaning up request 0 ID 19
with timestamp +99
Ready to process requests.
**************
However when I removed
Auth-Type := Ldap1 in the entry,
**************
DEFAULT Called-Station-Id =~
".*Guest@myu", Autz-Type := Ldap1
**************
the user authentication
failed. The Auth Type is set to Local instead of Ldap.