Which version are you running?
On 3 Mar 2022, at 03:39, Rahman Duran <rahman.duran@erzurum.edu.tr> wrote:
Hi,
I am trying to implement a service based authorize section in FreeRadius (just like in Aruba ClearPass) so I can selectively decide what to do with the request based on source IP, SSID, username realm etc.
Long story short, the following configuration works in default virtual server but it does not in inner tunnel. In inner-tunnel, if the first ldap section could not find user, then it does not go on and check second ldap;
authorize { ..... ..... .....
### AUTHORIZE: Hizmet verecek servis tanımları buradan itibaren tanımlanacak. ### Bu bölüm olduğu gibi "inner-tunnel" virtual server'ın aynı kısmına kopyalanmalı.
### 000: BIDB Test Ağı Servisi ### ### Test ağı if ( \ ((&Packet-Src-IP-Address < 10.10.243.0/24) || (&Packet-Src-IP-Address == 172.19.148.9/32)) \ && (&NAS-Port-Type == "Wireless-802.11") \ && (&Called-Station-SSID == "bidb-test") \ && (&User-Name =~ /^.+@erzurum\.edu\.tr$/) \ ) {
update request { ETU-Radius-Service-Name := "BIDB_Test" } if (&Virtual-Server == "inner-tunnel") { update outer.request { ETU-Radius-Service-Name := "BIDB_Test" } }
# EAP modülü OK döndürüyorsa işlemleri burada kes, gerisini authentication bölümündeki EAP modülü işleyecek. group etu_eap_process { eap if (ok) { return } }
# İstek bir EAP isteği ise ve biz inner-tunnel değil isek burada başka bir kontrol yapma. Bunları inner-tunele bırak if ((&Virtual-Server == "inner-tunnel") || (!(&Virtual-Server == "inner-tunnel") && !&EAP-Message)) { # Authentication source group etu_auth_source { redundant { ldap_personel ldap_ogrenci }
# Auth source'da kullanıcı bulunmuyorsa isteği reddet if (noop || notfound) { update request { Module-Failure-Message := "Auth Source Reject: [%{User-Name}] No matching user found in authentication source!" } if (&Virtual-Server == "inner-tunnel") { update outer.request { Module-Failure-Message := "Auth Source Reject: [%{User-Name}] No matching user found in authentication source!" } } reject } }
# Authentication modules group etu_auth_modules { pap mschap } }
# Servis eşleştiyse burada işleyişi kes, diğer servislere bakma return }
..... ..... .....
The above section is same in both default and inner tunnel, but when doing eap-peap or eap-ttls (so inner-tunnel used), user sarched in [ldap_personel] and not found, so it should search in [ldap_ogrenci] but it does not. Here is the debug section:
.... .... ....
(633) if ( ((&Packet-Src-IP-Address < 10.10.243.0/24) || (&Packet-Src-IP-Address == 172.19.148.9/32)) && (&NAS-Port-Type == "Wireless-802.11") && (&Called-Station-SSID == "bidb-test") && (&User-Name =~ /^.+@erzurum\.edu\.tr$/) ) { (633) EXPAND &Packet-Src-IP-Address (633) --> 10.10.243.23 (633) if ( ((&Packet-Src-IP-Address < 10.10.243.0/24) || (&Packet-Src-IP-Address == 172.19.148.9/32)) && (&NAS-Port-Type == "Wireless-802.11") && (&Called-Station-SSID == "bidb-test") && (&User-Name =~ /^.+@erzurum\.edu\.tr$/) ) -> TRUE (633) if ( ((&Packet-Src-IP-Address < 10.10.243.0/24) || (&Packet-Src-IP-Address == 172.19.148.9/32)) && (&NAS-Port-Type == "Wireless-802.11") && (&Called-Station-SSID == "bidb-test") && (&User-Name =~ /^.+@erzurum\.edu\.tr$/) ) { (633) update request { (633) ETU-Radius-Service-Name := "BIDB_Test" (633) } # update request = noop (633) if (&Virtual-Server == "inner-tunnel") { (633) EXPAND &Virtual-Server (633) --> inner-tunnel (633) if (&Virtual-Server == "inner-tunnel") -> TRUE (633) if (&Virtual-Server == "inner-tunnel") { (633) update outer.request { (633) ETU-Radius-Service-Name := "BIDB_Test" (633) } # update outer.request = noop (633) } # if (&Virtual-Server == "inner-tunnel") = noop (633) group { (633) eap: No EAP-Message, not doing EAP (633) [eap] = noop (633) if (ok) { (633) if (ok) -> FALSE (633) } # group = noop (633) if ((&Virtual-Server == "inner-tunnel") || (!(&Virtual-Server == "inner-tunnel") && !&EAP-Message)) { (633) EXPAND &Virtual-Server (633) --> inner-tunnel (633) if ((&Virtual-Server == "inner-tunnel") || (!(&Virtual-Server == "inner-tunnel") && !&EAP-Message)) -> TRUE (633) if ((&Virtual-Server == "inner-tunnel") || (!(&Virtual-Server == "inner-tunnel") && !&EAP-Message)) { (633) group { (633) redundant { rlm_ldap (ldap_personel): Closing connection (10): Hit idle_timeout, was idle for 53546 seconds rlm_ldap (ldap_personel): Closing connection (12): Hit idle_timeout, was idle for 53529 seconds rlm_ldap (ldap_personel): Closing connection (11): Hit idle_timeout, was idle for 53522 seconds rlm_ldap (ldap_personel): You probably need to lower "min" rlm_ldap (ldap_personel): Closing connection (13): Hit idle_timeout, was idle for 53521 seconds rlm_ldap (ldap_personel): You probably need to lower "min" rlm_ldap (ldap_personel): 0 of 0 connections in use. You may need to increase "spare" rlm_ldap (ldap_personel): Opening additional connection (14), 1 of 32 pending slots used rlm_ldap (ldap_personel): Connecting to ldap://95.183.213.8:389 rlm_ldap (ldap_personel): Waiting for bind result... rlm_ldap (ldap_personel): Bind successful rlm_ldap (ldap_personel): Reserved connection (14) (633) ldap_personel: EXPAND (&(email=%{User-Name})(objectClass=kPerson)) (633) ldap_personel: --> (&(email=ogr1@erzurum.edu.tr )(objectClass=kPerson)) (633) ldap_personel: Performing search in "cn=personel,dc=etu" with filter "(&(email=ogr1@erzurum.edu.tr)(objectClass=kPerson))", scope "sub" (633) ldap_personel: Waiting for search result... (633) ldap_personel: Search returned no results rlm_ldap (ldap_personel): Released connection (14) Need 1 more connections to reach min connections (2) rlm_ldap (ldap_personel): Opening additional connection (15), 1 of 31 pending slots used rlm_ldap (ldap_personel): Connecting to ldap://95.183.213.8:389 rlm_ldap (ldap_personel): Waiting for bind result... rlm_ldap (ldap_personel): Bind successful (633) [ldap_personel] = notfound (633) } # redundant = notfound (633) if (noop || notfound) { (633) if (noop || notfound) -> TRUE (633) if (noop || notfound) { (633) update request { (633) EXPAND Auth Source Reject: [%{User-Name}] No matching user found in authentication source! (633) --> Auth Source Reject: [ogr1@erzurum.edu.tr] No matching user found in authentication source! (633) Module-Failure-Message := Auth Source Reject: [ ogr1@erzurum.edu.tr] No matching user found in authentication source! (633) } # update request = noop (633) if (&Virtual-Server == "inner-tunnel") { (633) EXPAND &Virtual-Server (633) --> inner-tunnel (633) if (&Virtual-Server == "inner-tunnel") -> TRUE (633) if (&Virtual-Server == "inner-tunnel") { (633) update outer.request { (633) EXPAND Auth Source Reject: [%{User-Name}] No matching user found in authentication source! (633) --> Auth Source Reject: [ogr1@erzurum.edu.tr] No matching user found in authentication source! (633) Module-Failure-Message := Auth Source Reject: [ ogr1@erzurum.edu.tr] No matching user found in authentication source! (633) } # update outer.request = noop (633) } # if (&Virtual-Server == "inner-tunnel") = noop (633) [reject] = reject (633) } # if (noop || notfound) = reject (633) } # group = reject (633) } # if ((&Virtual-Server == "inner-tunnel") || (!(&Virtual-Server == "inner-tunnel") && !&EAP-Message)) = reject (633) } # if ( ((&Packet-Src-IP-Address < 10.10.243.0/24) || (&Packet-Src-IP-Address == 172.19.148.9/32)) && (&NAS-Port-Type == "Wireless-802.11") && (&Called-Station-SSID == "bidb-test") && (&User-Name =~ /^.+@erzurum\.edu\.tr$/) ) = reject (633) } # authorize = reject (633) EXPAND Called-Station-ID: %{Called-Station-ID} Calling-Station-ID: %{Calling-Station-ID} Auth-Type: %{control:Auth-Type} (633) --> Called-Station-ID: a8bd27c04dac Calling-Station-ID: 3233fb9fb6d3 Auth-Type: (633) Invalid user (Auth Source Reject: [ogr1@erzurum.edu.tr] No matching user found in authentication source!): [ogr1@erzurum.edu.tr] (from client rektorluk port 0 cli 3233fb9fb6d3 via TLS tunnel) Called-Station-ID: a8bd27c04dac Calling-Station-ID: 3233fb9fb6d3 Auth-Type: (633) Using Post-Auth-Type Reject (633) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (633) Post-Auth-Type REJECT { (633) attr_filter.access_reject: EXPAND %{User-Name} (633) attr_filter.access_reject: --> ogr1@erzurum.edu.tr (633) attr_filter.access_reject: Matched entry DEFAULT at line 11 (633) [attr_filter.access_reject] = updated (633) update outer.session-state { (633) &Module-Failure-Message := &request:Module-Failure-Message -> 'Auth Source Reject: [ogr1@erzurum.edu.tr] No matching user found in authentication source!' (633) } # update outer.session-state = noop (633) } # Post-Auth-Type REJECT = updated (633) EXPAND Called-Station-ID: %{Called-Station-ID} Calling-Station-ID: %{Calling-Station-ID} Auth-Type: %{control:Auth-Type} (633) --> Called-Station-ID: a8bd27c04dac Calling-Station-ID: 3233fb9fb6d3 Auth-Type: (633) Login incorrect (Auth Source Reject: [ogr1@erzurum.edu.tr] No matching user found in authentication source!): [ogr1@erzurum.edu.tr] (from client rektorluk port 0 cli 3233fb9fb6d3 via TLS tunnel) Called-Station-ID: a8bd27c04dac Calling-Station-ID: 3233fb9fb6d3 Auth-Type: (633) } # server inner-tunnel (633) Virtual server sending reply (633) eap_ttls: Got tunneled Access-Reject (633) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed .... .... ....
Any idea why "redundant" behaves different in the inner-tunnel or what am I missing?
Regards,
Rahman Duran - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Jorge Pereira jpereira@networkradius.com