Thank you Alan for your help Le 11 déc. 2015 1:37 AM, "Alan DeKok" <aland@deployingradius.com> a écrit :
The LDAP module is configured to let the user connect when the diallupAccess is set to true. But it let any users connect to any network my VPN server is offering access to.
And... what does the debug output say?
It works normally, no problem IMHO. Debug output from freeradius 3.0.10 : Fri Dec 11 20:05:09 2015 : Debug: (1) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) Fri Dec 11 20:05:09 2015 : Debug: (1) ldap: --> (uid=*my_login*) Fri Dec 11 20:05:09 2015 : Debug: (1) ldap: EXPAND TMPL LITERAL Fri Dec 11 20:05:09 2015 : Debug: (1) ldap: Performing search in "ou=users,... ldap root..." with filter "(uid=*my_login*)", scope "sub" Fri Dec 11 20:05:09 2015 : Debug: (1) ldap: Waiting for search result... Fri Dec 11 20:05:09 2015 : Debug: (1) ldap: User object found at DN "uid=*my_login,ou=users,... ldap root..." Fri Dec 11 20:05:09 2015 : Debug: (1) ldap: Processing user attributes Fri Dec 11 20:05:09 2015 : Debug: (1) ldap: control:Password-With-Header += '....' Fri Dec 11 20:05:09 2015 : Debug: (1) ldap: control:NT-Password := 0x.... Fri Dec 11 20:05:09 2015 : Debug: (1) ldap: control:LM-Password := 0x.... Fri Dec 11 20:05:09 2015 : Debug: (1) ldap: Attribute "radiusControlAttribute" not found in LDAP object Fri Dec 11 20:05:09 2015 : Debug: (1) ldap: Attribute "radiusRequestAttribute" not found in LDAP object Fri Dec 11 20:05:09 2015 : Debug: (1) ldap: Attribute "radiusReplyAttribute" not found in LDAP object Fri Dec 11 20:05:09 2015 : Debug: rlm_ldap (ldap): Released connection (1) Fri Dec 11 20:05:09 2015 : Debug: (1) modsingle[authorize]: returned from ldap (rlm_ldap) for request 1 Fri Dec 11 20:05:09 2015 : Debug: (1) [ldap] = updated Fri Dec 11 20:05:09 2015 : Debug: (1) modsingle[authorize]: calling eap (rlm_eap) for request 1 Fri Dec 11 20:05:09 2015 : Debug: (1) eap: Peer sent EAP Response (code 2) ID 1 length 67 Fri Dec 11 20:05:09 2015 : Debug: (1) eap: No EAP Start, assuming it's an on-going EAP conversation Fri Dec 11 20:05:09 2015 : Debug: (1) modsingle[authorize]: returned from eap (rlm_eap) for request 1 Fri Dec 11 20:05:09 2015 : Debug: (1) [eap] = updated Fri Dec 11 20:05:09 2015 : Debug: (1) modsingle[authorize]: calling pap (rlm_pap) for request 1 Fri Dec 11 20:05:09 2015 : Debug: (1) pap: Converted: Password-With-Header = '.....' -> Crypt-Password = '....' Fri Dec 11 20:05:09 2015 : Debug: (1) pap: Removing &control:Password-With-Header Fri Dec 11 20:05:09 2015 : Debug: (1) pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes Fri Dec 11 20:05:09 2015 : Debug: (1) pap: Normalizing LM-Password from hex encoding, 32 bytes -> 16 bytes Fri Dec 11 20:05:09 2015 : WARNING: (1) pap: Auth-Type already set. Not setting to PAP Fri Dec 11 20:05:09 2015 : Debug: (1) modsingle[authorize]: returned from pap (rlm_pap) for request 1 Fri Dec 11 20:05:09 2015 : Debug: (1) [pap] = noop Fri Dec 11 20:05:09 2015 : Debug: (1) modsingle[authorize]: calling expiration (rlm_expiration) for request 1 Fri Dec 11 20:05:09 2015 : Debug: (1) modsingle[authorize]: returned from expiration (rlm_expiration) for request 1 Fri Dec 11 20:05:09 2015 : Debug: (1) [expiration] = noop Fri Dec 11 20:05:09 2015 : Debug: (1) modsingle[authorize]: calling logintime (rlm_logintime) for request 1 Fri Dec 11 20:05:09 2015 : Debug: (1) modsingle[authorize]: returned from logintime (rlm_logintime) for request 1 Fri Dec 11 20:05:09 2015 : Debug: (1) [logintime] = noop Fri Dec 11 20:05:09 2015 : Debug: (1) } # authorize = updated Fri Dec 11 20:05:09 2015 : Debug: (1) Found Auth-Type = EAP Fri Dec 11 20:05:09 2015 : Debug: (1) # Executing group from file /etc/freeradius/sites-enabled/mercure_def.ldap Fri Dec 11 20:05:09 2015 : Debug: (1) authenticate { Fri Dec 11 20:05:09 2015 : Debug: (1) modsingle[authenticate]: calling eap (rlm_eap) for request 1 Fri Dec 11 20:05:09 2015 : Debug: (1) eap: Expiring EAP session with state 0xab2a5c78ab2b464c Fri Dec 11 20:05:09 2015 : Debug: (1) eap: Finished EAP session with state 0xab2a5c78ab2b464c Fri Dec 11 20:05:09 2015 : Debug: (1) eap: Previous EAP request found for state 0xab2a5c78ab2b464c, released from the list Fri Dec 11 20:05:09 2015 : Debug: (1) eap: Peer sent packet with method EAP MSCHAPv2 (26) Fri Dec 11 20:05:09 2015 : Debug: (1) eap: Calling submodule eap_mschapv2 to process data Fri Dec 11 20:05:09 2015 : Debug: (1) eap_mschapv2: # Executing group from file /etc/freeradius/sites-enabled/mercure_def.ldap Fri Dec 11 20:05:09 2015 : Debug: (1) eap_mschapv2: Auth-Type MS-CHAP { Fri Dec 11 20:05:09 2015 : Debug: (1) eap_mschapv2: modsingle[authenticate]: calling mschap (rlm_mschap) for request 1 Fri Dec 11 20:05:09 2015 : Debug: (1) mschap: Found NT-Password Fri Dec 11 20:05:09 2015 : Debug: (1) mschap: Found LM-Password Fri Dec 11 20:05:09 2015 : Debug: (1) mschap: Creating challenge hash with username: *my_login* Fri Dec 11 20:05:09 2015 : Debug: (1) mschap: Client is using MS-CHAPv2 Fri Dec 11 20:05:09 2015 : Debug: (1) mschap: Adding MS-CHAPv2 MPPE keys Fri Dec 11 20:05:09 2015 : Debug: (1) modsingle[authenticate]: returned from mschap (rlm_mschap) for request 1 Fri Dec 11 20:05:09 2015 : Debug: (1) [mschap] = ok Fri Dec 11 20:05:09 2015 : Debug: (1) } # Auth-Type MS-CHAP = ok Fri Dec 11 20:05:09 2015 : Debug: (1) MSCHAP Success Fri Dec 11 20:05:09 2015 : Debug: (1) eap: Sending EAP Request (code 1) ID 2 length 51 Fri Dec 11 20:05:09 2015 : Debug: (1) eap: EAP session adding &reply:State = 0xab2a5c78aa28464c Fri Dec 11 20:05:09 2015 : Debug: (1) modsingle[authenticate]: returned from eap (rlm_eap) for request 1 Fri Dec 11 20:05:09 2015 : Debug: (1) [eap] = handled Fri Dec 11 20:05:09 2015 : Debug: (1) } # authenticate = handled Fri Dec 11 20:05:09 2015 : Debug: (1) Using Post-Auth-Type Challenge Fri Dec 11 20:05:09 2015 : Debug: (1) Post-Auth-Type sub-section not found. Ignoring. Fri Dec 11 20:05:09 2015 : Debug: (1) # Executing group from file /etc/freeradius/sites-enabled/mercure_def.ldap Fri Dec 11 20:05:09 2015 : Debug: (1) session-state: Nothing to cache Fri Dec 11 20:05:09 2015 : Debug: (1) Sent Access-Challenge Id 74 length 0 Fri Dec 11 20:05:09 2015 : Debug: (1) EAP-Message = 0x010200331a0301002e533d46343036424236353131394133333632313543433342323030384533444645414545454435393844 Fri Dec 11 20:05:09 2015 : Debug: (1) Message-Authenticator = 0x00000000000000000000000000000000 Fri Dec 11 20:05:09 2015 : Debug: (1) State = 0xab2a5c78aa28464c6d6710904a42a679 Fri Dec 11 20:05:09 2015 : Debug: (1) Finished request
What is the best method to filter users depending on which NAS-Port-Id they are using ?
You can check for the value of the NAS-Port-Id attribute.
What do you want to do? Do you have an example?
It will allow me to authorize several users to access any networks they need to access without puting any network configuration in the LDAP.
Typically you control access by NAS IP address, not NAS Port-Id.
My NAS has always the same IP when only the NAS Port-Id takes different values. I can only differentiate the networks my users try to reach by NAS Port-Id Furthermore, RFC2865 say that we shouldn't use NAS-Identifier to find the shared secret but we'd better deal with NAS-IP Address. Is this the same with NAS-Port Id? Should I take care of that ?
As always, run the server in debug mode to see what the server is receiving. Then, write rules to match those attributes, and go from there.
Ok, so I can write things like : user { filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(accessNetwork=%{request:NAS-Port-Id}))" } instead of user { filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" } in my freeradius/mods-available/ldap file ? accessNetwork is a multi-valued attribute of a custom LDAP schema I wrote a few months ago. All the best François L.