Authenticating users on LDAP based on Group name
I am using the Freeradius2 2.1.12_1/2.2.5_3 pkg v1.6.10 in pfsense 2.1.5 I can't modify the conf files manually. I have to use the pfsense WebGui. I could authenticate the users of the LDAP succesfully but when I try to authenticate using group membership options it fails with the following logs. Wed Mar 25 13:39:09 2015 : Info: Loaded virtual server <default> Wed Mar 25 13:39:09 2015 : Info: Ready to process requests. Wed Mar 25 13:39:27 2015 : Auth: Invalid user ( [ldap] Pairs do not match): [administrator] (from client squid port 111) Wed Mar 25 13:39:33 2015 : Auth: Invalid user ( [ldap] Pairs do not match): [administrator] (from client squid port 111) Wed Mar 25 13:39:34 2015 : Auth: Invalid user ( [ldap] Pairs do not match): [administrator] (from client squid port 111) On pfsense I do not see an option to run in debug mode, but probably you can help me with the pfsense produced ldap conf file. I do not use fancy stuff. After I get it working I may try to add TLS configuration to have encrypted comm or passwords. The LDAP is an Active Directory on a Windows 2003 Server. The group name is InternetAccess. (Is this case sensitive?) I do not have a radiusprofile, where there is mention of radiusprofile is a default generated line. (In pfsense I may change the line but can not removed it or comment it.) LDAP CONF: /usr/pbi/freeradius-i386/etc/raddb/modules/ldap # -*- text -*- # # $ # Lightweight Directory Access Protocol (LDAP) # # This module definition allows you to use LDAP for # authorization and authentication. # # See raddb/sites-available/default for reference to the # ldap module in the authorize and authenticate sections. # # However, LDAP can be used for authentication ONLY when the # Access-Request packet contains a clear-text User-Password # attribute. LDAP authentication will NOT work for any other # authentication method. # # This means that LDAP servers don't understand EAP. If you # force "Auth-Type = LDAP", and then send the server a # request containing EAP authentication, then authentication # WILL NOT WORK. # # The solution is to use the default configuration, which does # work. # # Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We # really can't emphasize this enough. # ldap { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "jetsms-srv2003.jetdom.local" port = "389" identity = "cn=pfsense,cn=Users,dc=jetdom,dc=local" password = Mypassword basedn = "cn=Users,dc=jetdom,dc=local" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" # How many connections to keep open to the LDAP server. # This saves time over opening a new LDAP socket for # every authentication request. ldap_connections_number = 5 # seconds to wait for LDAP query to finish. default: 20 timeout = 4 # seconds LDAP server has to process the query (server-side # time limit). default: 20 # # LDAP_OPT_TIMELIMIT is set to this value. timelimit = 3 # # seconds to wait for response of the server. (network # failures) default: 10 # # LDAP_OPT_NETWORK_TIMEOUT is set to this value. net_timeout = 1 # # This subsection configures the tls related items # that control how FreeRADIUS connects to an LDAP # server. It contains all of the "tls_*" configuration # entries used in older versions of FreeRADIUS. Those # configuration entries can still be used, but we recommend # using these. # tls { # Set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # # The StartTLS operation is supposed to be # used with normal ldap connections instead of # using ldaps (port 689) connections start_tls = no cacertfile = /usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem cacertdir = /usr/pbi/freeradius-i386/etc/raddb/certs/ certfile = /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt keyfile = /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key randfile = /usr/pbi/freeradius-i386/etc/raddb/certs/random # Certificate Verification requirements. Can be: # "never" (don't even bother trying) # "allow" (try, but don't fail if the certificate # can't be verified) # "demand" (fail if the certificate doesn't verify.) # # The default is "allow" require_cert = "never" } ### default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" ### ### profile_attribute = "radiusProfileDn" ### ### access_attr = "dialupAccess" ### # Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${confdir}/ldap.attrmap ################## THE BELOW IS NOT COMPILED WITH FREERADIUS ################################# # Set password_attribute = nspmPassword to get the # user's password from a Novell eDirectory # backend. This will work ONLY IF FreeRADIUS has been # built with the --with-edir configure option. # # See also the following links: # # http://www.novell.com/coolsolutions/appnote/16745.html # https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SA... # # Novell may require TLS encrypted sessions before returning # the user's password. # # password_attribute = userPassword # Un-comment the following to disable Novell # eDirectory account policy check and intruder # detection. This will work *only if* FreeRADIUS is # configured to build with --with-edir option. # edir_account_policy_check = no ################## THE ABOVE IS NOT COMPILED WITH FREERADIUS ################################# # # Group membership checking. Disabled by default. # groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" groupmembership_attribute = InternetAccess compare_check_items = yes do_xlat = yes access_attr_used_for_allow = yes # # The following two configuration items are for Active Directory # compatibility. If you see the helpful "operations error" # being returned to the LDAP module, uncomment the next # two lines. # ### MS Active Directory Compatibility is disabled ### # # By default, if the packet contains a User-Password, # and no other module is configured to handle the # authentication, the LDAP module sets itself to do # LDAP bind for authentication. # # THIS WILL ONLY WORK FOR PAP AUTHENTICATION. # # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). # # You can disable this behavior by setting the following # configuration entry to "no". # # allowed values: {no, yes} # set_auth_type = yes # ldap_debug: debug flag for LDAP SDK # (see OpenLDAP documentation). Set this to enable # huge amounts of LDAP debugging on the screen. # You should only use this if you are an LDAP expert. # # default: 0x0000 (no debugging messages) # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS) #ldap_debug = 0x0028 # # Keepalive configuration. This MAY NOT be supported by your # LDAP library. If these configuration entries appear in the # output of "radiusd -X", then they are supported. Otherwise, # they are unsupported, and changing them will do nothing. # keepalive { # LDAP_OPT_X_KEEPALIVE_IDLE idle = 60 # LDAP_OPT_X_KEEPALIVE_PROBES probes = 3 # LDAP_OPT_X_KEEPALIVE_INTERVAL interval = 3 } }
On Mar 25, 2015, at 1:24 PM, Jose Torres-Berrocal <jetsystemservices@gmail.com> wrote:
I am using the Freeradius2 2.1.12_1/2.2.5_3 pkg v1.6.10 in pfsense 2.1.5
I can't modify the conf files manually. I have to use the pfsense WebGui.
That makes it very difficult to do anything non-standard. To be honest, you’re probably better of just editing the files.
On pfsense I do not see an option to run in debug mode, but probably you can help me with the pfsense produced ldap conf file. I do not use fancy stuff. After I get it working I may try to add TLS configuration to have encrypted comm or passwords.
The LDAP is an Active Directory on a Windows 2003 Server.
You will probably need to run 2.2.6, which has a number of fixes for Active Directory. Alan DeKok.
I could authenticate the users of the LDAP succesfully but when I try to authenticate using group membership options it fails with the following logs.
you do not authenticate using group membership. you authorize using group membership. you must authenticate an identity before you can authorize it.
Wed Mar 25 13:39:09 2015 : Info: Loaded virtual server <default> Wed Mar 25 13:39:09 2015 : Info: Ready to process requests. Wed Mar 25 13:39:27 2015 : Auth: Invalid user ( [ldap] Pairs do not match): [administrator] (from client squid port 111) Wed Mar 25 13:39:33 2015 : Auth: Invalid user ( [ldap] Pairs do not match): [administrator] (from client squid port 111) Wed Mar 25 13:39:34 2015 : Auth: Invalid user ( [ldap] Pairs do not match): [administrator] (from client squid port 111)
On pfsense I do not see an option to run in debug mode, but probably you can help me with the pfsense produced ldap conf file. I do not use fancy stuff. After I get it working I may try to add TLS configuration to have encrypted comm or passwords.
The LDAP is an Active Directory on a Windows 2003 Server. The group name is InternetAccess. (Is this case sensitive?) I do not have a radiusprofile, where there is mention of radiusprofile is a default generated line. (In pfsense I may change the line but can not removed it or comment it.)
LDAP CONF:
/usr/pbi/freeradius-i386/etc/raddb/modules/ldap # -*- text -*- # # $
# Lightweight Directory Access Protocol (LDAP) # # This module definition allows you to use LDAP for # authorization and authentication. # # See raddb/sites-available/default for reference to the # ldap module in the authorize and authenticate sections. # # However, LDAP can be used for authentication ONLY when the # Access-Request packet contains a clear-text User-Password # attribute. LDAP authentication will NOT work for any other # authentication method. # # This means that LDAP servers don't understand EAP. If you # force "Auth-Type = LDAP", and then send the server a # request containing EAP authentication, then authentication # WILL NOT WORK. # # The solution is to use the default configuration, which does # work. # # Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We # really can't emphasize this enough. # ldap { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "jetsms-srv2003.jetdom.local" port = "389" identity = "cn=pfsense,cn=Users,dc=jetdom,dc=local" password = Mypassword basedn = "cn=Users,dc=jetdom,dc=local" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)"
# How many connections to keep open to the LDAP server. # This saves time over opening a new LDAP socket for # every authentication request. ldap_connections_number = 5
# seconds to wait for LDAP query to finish. default: 20 timeout = 4
# seconds LDAP server has to process the query (server-side # time limit). default: 20 # # LDAP_OPT_TIMELIMIT is set to this value. timelimit = 3
# # seconds to wait for response of the server. (network # failures) default: 10 # # LDAP_OPT_NETWORK_TIMEOUT is set to this value. net_timeout = 1
# # This subsection configures the tls related items # that control how FreeRADIUS connects to an LDAP # server. It contains all of the "tls_*" configuration # entries used in older versions of FreeRADIUS. Those # configuration entries can still be used, but we recommend # using these. # tls { # Set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # # The StartTLS operation is supposed to be # used with normal ldap connections instead of # using ldaps (port 689) connections start_tls = no
cacertfile = /usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem cacertdir = /usr/pbi/freeradius-i386/etc/raddb/certs/ certfile = /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt keyfile = /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key randfile = /usr/pbi/freeradius-i386/etc/raddb/certs/random
# Certificate Verification requirements. Can be: # "never" (don't even bother trying) # "allow" (try, but don't fail if the certificate # can't be verified) # "demand" (fail if the certificate doesn't verify.) # # The default is "allow" require_cert = "never" }
### default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" ### ### profile_attribute = "radiusProfileDn" ### ### access_attr = "dialupAccess" ###
# Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${confdir}/ldap.attrmap ################## THE BELOW IS NOT COMPILED WITH FREERADIUS ################################# # Set password_attribute = nspmPassword to get the # user's password from a Novell eDirectory # backend. This will work ONLY IF FreeRADIUS has been # built with the --with-edir configure option. # # See also the following links: # # http://www.novell.com/coolsolutions/appnote/16745.html # https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SA... # # Novell may require TLS encrypted sessions before returning # the user's password. # # password_attribute = userPassword
# Un-comment the following to disable Novell # eDirectory account policy check and intruder # detection. This will work *only if* FreeRADIUS is # configured to build with --with-edir option. # edir_account_policy_check = no ################## THE ABOVE IS NOT COMPILED WITH FREERADIUS ################################# # # Group membership checking. Disabled by default. # groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" groupmembership_attribute = InternetAccess
the groupmembership_attribute is not the group name in AD, but a RADIUS Attribute that is returned by LDAP. you have to add the objectClass and AttributeType to the group object in AD so that it is returned when queried. someone will keep me honest if i am incorrect.
compare_check_items = yes do_xlat = yes access_attr_used_for_allow = yes
# # The following two configuration items are for Active Directory # compatibility. If you see the helpful "operations error" # being returned to the LDAP module, uncomment the next # two lines. #
### MS Active Directory Compatibility is disabled ###
# # By default, if the packet contains a User-Password, # and no other module is configured to handle the # authentication, the LDAP module sets itself to do # LDAP bind for authentication. # # THIS WILL ONLY WORK FOR PAP AUTHENTICATION. # # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). # # You can disable this behavior by setting the following # configuration entry to "no". # # allowed values: {no, yes} # set_auth_type = yes
# ldap_debug: debug flag for LDAP SDK # (see OpenLDAP documentation). Set this to enable # huge amounts of LDAP debugging on the screen. # You should only use this if you are an LDAP expert. # # default: 0x0000 (no debugging messages) # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS) #ldap_debug = 0x0028
# # Keepalive configuration. This MAY NOT be supported by your # LDAP library. If these configuration entries appear in the # output of "radiusd -X", then they are supported. Otherwise, # they are unsupported, and changing them will do nothing. # keepalive { # LDAP_OPT_X_KEEPALIVE_IDLE idle = 60
# LDAP_OPT_X_KEEPALIVE_PROBES probes = 3
# LDAP_OPT_X_KEEPALIVE_INTERVAL interval = 3 } } - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I do not think what I need is nonstandard. Let me explain my need in non technical way. I need the users to enter username and password. Compare the username/password against Active Directory, then extract the Groups the user belong to and compare/verify it includes the Group set up in Radius LDAP config. If match pass, else reject. Maybe this can be done with any combination of the normal filter, base filter, group membership filter, group attribute, etc. On Mar 25, 2015 4:42 PM, "Brendan Kearney" <bpk678@gmail.com> wrote:
I could authenticate the users of the LDAP succesfully but when I try to authenticate using group membership options it fails with the following logs.
you do not authenticate using group membership. you authorize using group membership. you must authenticate an identity before you can authorize it.
Wed Mar 25 13:39:09 2015 : Info: Loaded virtual server <default> Wed Mar 25 13:39:09 2015 : Info: Ready to process requests. Wed Mar 25 13:39:27 2015 : Auth: Invalid user ( [ldap] Pairs do not match): [administrator] (from client squid port 111) Wed Mar 25 13:39:33 2015 : Auth: Invalid user ( [ldap] Pairs do not match): [administrator] (from client squid port 111) Wed Mar 25 13:39:34 2015 : Auth: Invalid user ( [ldap] Pairs do not match): [administrator] (from client squid port 111)
On pfsense I do not see an option to run in debug mode, but probably you can help me with the pfsense produced ldap conf file. I do not use fancy stuff. After I get it working I may try to add TLS configuration to have encrypted comm or passwords.
The LDAP is an Active Directory on a Windows 2003 Server. The group name is InternetAccess. (Is this case sensitive?) I do not have a radiusprofile, where there is mention of radiusprofile is a default generated line. (In pfsense I may change the line but can not removed it or comment it.)
LDAP CONF:
/usr/pbi/freeradius-i386/etc/raddb/modules/ldap # -*- text -*- # # $
# Lightweight Directory Access Protocol (LDAP) # # This module definition allows you to use LDAP for # authorization and authentication. # # See raddb/sites-available/default for reference to the # ldap module in the authorize and authenticate sections. # # However, LDAP can be used for authentication ONLY when the # Access-Request packet contains a clear-text User-Password # attribute. LDAP authentication will NOT work for any other # authentication method. # # This means that LDAP servers don't understand EAP. If you # force "Auth-Type = LDAP", and then send the server a # request containing EAP authentication, then authentication # WILL NOT WORK. # # The solution is to use the default configuration, which does # work. # # Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We # really can't emphasize this enough. # ldap { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "jetsms-srv2003.jetdom.local" port = "389" identity = "cn=pfsense,cn=Users,dc=jetdom,dc=local" password = Mypassword basedn = "cn=Users,dc=jetdom,dc=local" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)"
# How many connections to keep open to the LDAP server. # This saves time over opening a new LDAP socket for # every authentication request. ldap_connections_number = 5
# seconds to wait for LDAP query to finish. default: 20 timeout = 4
# seconds LDAP server has to process the query (server-side # time limit). default: 20 # # LDAP_OPT_TIMELIMIT is set to this value. timelimit = 3
# # seconds to wait for response of the server. (network # failures) default: 10 # # LDAP_OPT_NETWORK_TIMEOUT is set to this value. net_timeout = 1
# # This subsection configures the tls related items # that control how FreeRADIUS connects to an LDAP # server. It contains all of the "tls_*" configuration # entries used in older versions of FreeRADIUS. Those # configuration entries can still be used, but we recommend # using these. # tls { # Set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # # The StartTLS operation is supposed to be # used with normal ldap connections instead of # using ldaps (port 689) connections start_tls = no
cacertfile = /usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem cacertdir = /usr/pbi/freeradius-i386/etc/raddb/certs/ certfile = /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt keyfile = /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key randfile = /usr/pbi/freeradius-i386/etc/raddb/certs/random
# Certificate Verification requirements. Can be: # "never" (don't even bother trying) # "allow" (try, but don't fail if the certificate # can't be verified) # "demand" (fail if the certificate doesn't verify.) # # The default is "allow" require_cert = "never" }
### default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" ### ### profile_attribute = "radiusProfileDn" ### ### access_attr = "dialupAccess" ###
# Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${confdir}/ldap.attrmap ################## THE BELOW IS NOT COMPILED WITH FREERADIUS ################################# # Set password_attribute = nspmPassword to get the # user's password from a Novell eDirectory # backend. This will work ONLY IF FreeRADIUS has been # built with the --with-edir configure option. # # See also the following links: # # http://www.novell.com/coolsolutions/appnote/16745.html #
https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SA...
# # Novell may require TLS encrypted sessions before returning # the user's password. # # password_attribute = userPassword
# Un-comment the following to disable Novell # eDirectory account policy check and intruder # detection. This will work *only if* FreeRADIUS is # configured to build with --with-edir option. # edir_account_policy_check = no ################## THE ABOVE IS NOT COMPILED WITH FREERADIUS ################################# # # Group membership checking. Disabled by default. # groupname_attribute = cn groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
groupmembership_attribute = InternetAccess
the groupmembership_attribute is not the group name in AD, but a RADIUS Attribute that is returned by LDAP. you have to add the objectClass and AttributeType to the group object in AD so that it is returned when queried. someone will keep me honest if i am incorrect.
compare_check_items = yes do_xlat = yes access_attr_used_for_allow = yes
# # The following two configuration items are for Active Directory # compatibility. If you see the helpful "operations error" # being returned to the LDAP module, uncomment the next # two lines. #
### MS Active Directory Compatibility is disabled ###
# # By default, if the packet contains a User-Password, # and no other module is configured to handle the # authentication, the LDAP module sets itself to do # LDAP bind for authentication. # # THIS WILL ONLY WORK FOR PAP AUTHENTICATION. # # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). # # You can disable this behavior by setting the following # configuration entry to "no". # # allowed values: {no, yes} # set_auth_type = yes
# ldap_debug: debug flag for LDAP SDK # (see OpenLDAP documentation). Set this to enable # huge amounts of LDAP debugging on the screen. # You should only use this if you are an LDAP expert. # # default: 0x0000 (no debugging messages) # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS) #ldap_debug = 0x0028
# # Keepalive configuration. This MAY NOT be supported by your # LDAP library. If these configuration entries appear in the # output of "radiusd -X", then they are supported. Otherwise, # they are unsupported, and changing them will do nothing. # keepalive { # LDAP_OPT_X_KEEPALIVE_IDLE idle = 60
# LDAP_OPT_X_KEEPALIVE_PROBES probes = 3
# LDAP_OPT_X_KEEPALIVE_INTERVAL interval = 3 } } - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
2015-03-25 22:26 GMT+01:00 Jose Torres-Berrocal <jetsystemservices@gmail.com>:
I do not think what I need is nonstandard.
Let me explain my need in non technical way. I need the users to enter username and password. Compare the username/password against Active Directory, then extract the Groups the user belong to and compare/verify it includes the Group set up in Radius LDAP config. If match pass, else reject.
Where in the Radius LDAP config did you set up the Group? In groupmembership_attribute? Have you already modified the groupmembership_filter to match your MS AD schema? Do you only want to authenticate users in the group InternetAccess with Radius or also users of other groups?
Maybe this can be done with any combination of the normal filter, base filter, group membership filter, group attribute, etc.
I have setup the group in groupmembership_attribute as a naive intent to accomplish my goal. If that is not the correct parameter I will really appreciate your help on where I should set my Group and the syntax. On my first email I included my LDAP.conf file as generated by pfsense. I think is closed as needed because I was successful matching user/pass with AD when group membership_attribute is default, but for all Users. Now I need to change it to consider the Group. For now I only need to identify only one Group. I am using FreeRadius for a Squid proxy server then the User is used on Dansguardian. On Mar 25, 2015 7:21 PM, "Ben Humpert" <ben@an3k.de> wrote: > 2015-03-25 22:26 GMT+01:00 Jose Torres-Berrocal < > jetsystemservices@gmail.com>: > > I do not think what I need is nonstandard. > > > > Let me explain my need in non technical way. I need the users to enter > > username and password. Compare the username/password against Active > > Directory, then extract the Groups the user belong to and compare/verify > it > > includes the Group set up in Radius LDAP config. If match pass, else > > reject. > > Where in the Radius LDAP config did you set up the Group? In > groupmembership_attribute? > > Have you already modified the groupmembership_filter to match your MS AD > schema? > > Do you only want to authenticate users in the group InternetAccess > with Radius or also users of other groups? > > > Maybe this can be done with any combination of the normal filter, base > > filter, group membership filter, group attribute, etc. > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html
2015-03-26 3:20 GMT+01:00 Jose Torres-Berrocal <jetsystemservices@gmail.com>:
I have setup the group in groupmembership_attribute as a naive intent to accomplish my goal. If that is not the correct parameter I will really appreciate your help on where I should set my Group and the syntax.
Well, the setting clearly asks for an attribute such as sAMAccountName or userPassword. The name of a group is a value, the value of the attribute cn. So yes, it is not the correct parameter ;)
On my first email I included my LDAP.conf file as generated by pfsense.
I think is closed as needed because I was successful matching user/pass with AD when group membership_attribute is default, but for all Users. Now I need to change it to consider the Group.
Setting up user authentication is kind of simple. You just need to match the basedn, filter and base_filter to your directory and that's it. After understanding how these settings are merged into a search request it is also easy to set up group authentication. I did so after working with XLAT, now it's easy for me but before I had no clue at all what I was doing :) What helped me much was the information that unlike in databases like *SQL you always want to get only ONE result in Directories, thus the filter needs to be as strict as required to only find one user or group. If you would find more how should Radius know which is the correct entry? The original ldap file says the following about membership_filter "Filter to find group objects a user is a member of. That is, group objects with attributes that identify members (the inverse of membership_attribute)." and this about membership_attribute "The attribute in user objects which contain the names or DNs of groups a user is a member of. Unless a conversion between group name and group DN is needed, there's no requirement for the group objects referenced to actually exist." That means that if your groups have attributes which contain the names or uids of the users that are member of that group you do not use membership_attribute but membership_filter. If instead your users have attributes containing the names or gids of the groups the user is member of then you use membership_attribute instead of membership_filter. What is the case in your setup? Could you post an example of a group and as well an user like the one below? # Guest, Groups, example.com dn: cn=Guest,ou=Groups,dc=example,dc=com objectClass: posixGroup objectClass: top objectClass: radiusProfile cn: Guest gidNumber: 17068 memberUid: guest memberUid: tobtsc memberUid: marhab # guest, Users, example.com dn: uid=guest,ou=Users,dc=example,dc=com objectClass: posixAccount objectClass: top objectClass: inetOrgPerson objectClass: radiusProfile gidNumber: 0 uid: guest uidNumber: 18459 dialupAccess: Yes cn: Guest As you can see, the attribute "memberUid" is used to store the names of those users who are member of the group Guest, thus membership_attribute is not in use in my setup.
Thank you for the description of the attribute parameter. I began to understand it. If I end using the attribute parameter it would be "cn", and the value "InternetAccess" as that is the group name. In which parameter I should write the value and what syntax on both? In terms of the base_filter, still do not understand it, as I do not have a radiusprofile, but using it in my config as default. On pfsense I leave this parameter empty, but the generated Conf file includes it. Even though I do not have a radiusprofile I successfully match my users/password against AD. So it seems to be ignored. As the Groups/Users attributes example you ask, I need help getting that. I just create the Group with the AD defaults using the MS AD GUI, and assign the user as a member without any fancy stuff. On Mar 26, 2015 8:52 AM, "Ben Humpert" <ben@an3k.de> wrote:
2015-03-26 3:20 GMT+01:00 Jose Torres-Berrocal < jetsystemservices@gmail.com>:
I have setup the group in groupmembership_attribute as a naive intent to accomplish my goal. If that is not the correct parameter I will really appreciate your help on where I should set my Group and the syntax.
Well, the setting clearly asks for an attribute such as sAMAccountName or userPassword. The name of a group is a value, the value of the attribute cn. So yes, it is not the correct parameter ;)
On my first email I included my LDAP.conf file as generated by pfsense.
I think is closed as needed because I was successful matching user/pass with AD when group membership_attribute is default, but for all Users. Now I need to change it to consider the Group.
Setting up user authentication is kind of simple. You just need to match the basedn, filter and base_filter to your directory and that's it. After understanding how these settings are merged into a search request it is also easy to set up group authentication. I did so after working with XLAT, now it's easy for me but before I had no clue at all what I was doing :) What helped me much was the information that unlike in databases like *SQL you always want to get only ONE result in Directories, thus the filter needs to be as strict as required to only find one user or group. If you would find more how should Radius know which is the correct entry?
The original ldap file says the following about membership_filter
"Filter to find group objects a user is a member of. That is, group objects with attributes that identify members (the inverse of membership_attribute)."
and this about membership_attribute
"The attribute in user objects which contain the names or DNs of groups a user is a member of. Unless a conversion between group name and group DN is needed, there's no requirement for the group objects referenced to actually exist."
That means that if your groups have attributes which contain the names or uids of the users that are member of that group you do not use membership_attribute but membership_filter. If instead your users have attributes containing the names or gids of the groups the user is member of then you use membership_attribute instead of membership_filter.
What is the case in your setup? Could you post an example of a group and as well an user like the one below?
# Guest, Groups, example.com dn: cn=Guest,ou=Groups,dc=example,dc=com objectClass: posixGroup objectClass: top objectClass: radiusProfile cn: Guest gidNumber: 17068 memberUid: guest memberUid: tobtsc memberUid: marhab
# guest, Users, example.com dn: uid=guest,ou=Users,dc=example,dc=com objectClass: posixAccount objectClass: top objectClass: inetOrgPerson objectClass: radiusProfile gidNumber: 0 uid: guest uidNumber: 18459 dialupAccess: Yes cn: Guest
As you can see, the attribute "memberUid" is used to store the names of those users who are member of the group Guest, thus membership_attribute is not in use in my setup. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
For the group/user attribute properties I see that probably this come from Linux. If you can tell me the Linux command used to get that, I can search the Web for the MS equivalent. On Mar 26, 2015 9:54 AM, "Jose Torres-Berrocal" <jetsystemservices@gmail.com> wrote:
Thank you for the description of the attribute parameter. I began to understand it. If I end using the attribute parameter it would be "cn", and the value "InternetAccess" as that is the group name. In which parameter I should write the value and what syntax on both?
In terms of the base_filter, still do not understand it, as I do not have a radiusprofile, but using it in my config as default. On pfsense I leave this parameter empty, but the generated Conf file includes it. Even though I do not have a radiusprofile I successfully match my users/password against AD. So it seems to be ignored.
As the Groups/Users attributes example you ask, I need help getting that. I just create the Group with the AD defaults using the MS AD GUI, and assign the user as a member without any fancy stuff. On Mar 26, 2015 8:52 AM, "Ben Humpert" <ben@an3k.de> wrote:
2015-03-26 3:20 GMT+01:00 Jose Torres-Berrocal < jetsystemservices@gmail.com>:
I have setup the group in groupmembership_attribute as a naive intent to accomplish my goal. If that is not the correct parameter I will really appreciate your help on where I should set my Group and the syntax.
Well, the setting clearly asks for an attribute such as sAMAccountName or userPassword. The name of a group is a value, the value of the attribute cn. So yes, it is not the correct parameter ;)
On my first email I included my LDAP.conf file as generated by pfsense.
I think is closed as needed because I was successful matching user/pass with AD when group membership_attribute is default, but for all Users. Now I need to change it to consider the Group.
Setting up user authentication is kind of simple. You just need to match the basedn, filter and base_filter to your directory and that's it. After understanding how these settings are merged into a search request it is also easy to set up group authentication. I did so after working with XLAT, now it's easy for me but before I had no clue at all what I was doing :) What helped me much was the information that unlike in databases like *SQL you always want to get only ONE result in Directories, thus the filter needs to be as strict as required to only find one user or group. If you would find more how should Radius know which is the correct entry?
The original ldap file says the following about membership_filter
"Filter to find group objects a user is a member of. That is, group objects with attributes that identify members (the inverse of membership_attribute)."
and this about membership_attribute
"The attribute in user objects which contain the names or DNs of groups a user is a member of. Unless a conversion between group name and group DN is needed, there's no requirement for the group objects referenced to actually exist."
That means that if your groups have attributes which contain the names or uids of the users that are member of that group you do not use membership_attribute but membership_filter. If instead your users have attributes containing the names or gids of the groups the user is member of then you use membership_attribute instead of membership_filter.
What is the case in your setup? Could you post an example of a group and as well an user like the one below?
# Guest, Groups, example.com dn: cn=Guest,ou=Groups,dc=example,dc=com objectClass: posixGroup objectClass: top objectClass: radiusProfile cn: Guest gidNumber: 17068 memberUid: guest memberUid: tobtsc memberUid: marhab
# guest, Users, example.com dn: uid=guest,ou=Users,dc=example,dc=com objectClass: posixAccount objectClass: top objectClass: inetOrgPerson objectClass: radiusProfile gidNumber: 0 uid: guest uidNumber: 18459 dialupAccess: Yes cn: Guest
As you can see, the attribute "memberUid" is used to store the names of those users who are member of the group Guest, thus membership_attribute is not in use in my setup. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I found how to run Radius in debug mode in pfsense. I have made some changes in the config files also. This are the key settings: server = "jetsms-srv2003.jetdom.local" port = "389" identity = "cn=pfsense,cn=Users,dc=jetdom,dc=local" password = Tramontane10520 basedn = "cn=Users,dc=jetdom,dc=local" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=*)" groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))" groupmembership_attribute = * compare_check_items = yes do_xlat = yes access_attr_used_for_allow = yes ### MS Active Directory Compatibility is disabled ### In case you are wandering why I have "*" in base_filter and groupmembership_attribute, is an attempt for Radius to ignore this settings, otherwise the pfsense default will have set it to the default which I think do not match with my AD settings. On the wiki, this parameters are empty, thus ignored. I think am closer but still fails. By the way I tried setting compare_check_items = no, but this makes the Ldap_Group setting to be ignored, all users get Auth-Type = Accept THIS IS THE DEBUG OUTPUT: radiusd: FreeRADIUS Version 2.2.5, for host i386-portbld-freebsd8.3, built on Sep 29 2014 at 22:08:50 Copyright (C) 1999-2013 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... including configuration file /usr/pbi/freeradius-i386/etc/raddb/radiusd.conf including configuration file /usr/pbi/freeradius-i386/etc/raddb/clients.conf including files in directory /usr/pbi/freeradius-i386/etc/raddb/modules/ including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/wimax including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/always including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/attr_rewrite including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/cache including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/chap including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/checkval including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/counter including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/cui including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/detail including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/ detail.example.com including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/detail.log including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/dhcp_sqlippool including configuration file /usr/pbi/freeradius-i386/etc/raddb/sql/mysql/ippool-dhcp.conf including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/digest including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/dynamic_clients including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/echo including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/etc_group including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/exec including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/expiration including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/expr including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/files including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/inner-eap including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/ippool including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/krb5 including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/ldap including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/linelog including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/otp including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/logintime including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/mac2ip including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/mac2vlan including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/mschap including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/ntlm_auth including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/opendirectory including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/pam including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/pap including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/passwd including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/perl including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/policy including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/preprocess including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/radrelay including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/radutmp including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/realm including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/redis including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/rediswho including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/replicate including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/smbpasswd including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/smsotp including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/soh including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/sql_log including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/sqlcounter_expire_on_login including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/sradutmp including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/unix including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/acct_unique including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/motp including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct including configuration file /usr/pbi/freeradius-i386/etc/raddb/eap.conf including configuration file /usr/pbi/freeradius-i386/etc/raddb/policy.conf including files in directory /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/ including configuration file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default main { allow_core_dumps = yes } Core dumps are enabled. including dictionary file /usr/pbi/freeradius-i386/etc/raddb/dictionary main { name = "radiusd" prefix = "/usr/pbi/freeradius-i386" localstatedir = "/var" sbindir = "/usr/pbi/freeradius-i386/sbin" logdir = "/var/log" run_dir = "/var/run" radacctdir = "/var/log/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd.pid" checkrad = "/usr/pbi/freeradius-i386/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = yes auth = yes auth_badpass = no auth_goodpass = no msg_badpass = "" msg_goodpass = "" } security { max_attributes = 200 reject_delay = 1 status_server = no allow_vulnerable_openssl = no } } radiusd: #### Loading Realms and Home Servers #### radiusd: #### Loading Clients #### client squid { ipaddr = 192.168.56.1 require_message_authenticator = no secret = "squid4030" shortname = "squid" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /usr/pbi/freeradius-i386/etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /usr/pbi/freeradius-i386/etc/raddb/modules/expr Module: Linked to module rlm_counter Module: Instantiating module "daily" from file /usr/pbi/freeradius-i386/etc/raddb/modules/counter counter daily { filename = "/var/log/radacct/timecounter/db.daily" key = "User-Name" reset = "daily" count-attribute = "Acct-Session-Time" counter-name = "Daily-Session-Time" check-name = "Max-Daily-Session" reply-name = "Session-Timeout" cache-size = 5000 } rlm_counter: Counter attribute Daily-Session-Time is number 11273 rlm_counter: Current Time: 1427396809 [2015-03-26 15:06:49], Next reset 1427428800 [2015-03-27 00:00:00] Module: Instantiating module "weekly" from file /usr/pbi/freeradius-i386/etc/raddb/modules/counter counter weekly { filename = "/var/log/radacct/timecounter/db.weekly" key = "User-Name" reset = "weekly" count-attribute = "Acct-Session-Time" counter-name = "Weekly-Session-Time" check-name = "Max-Weekly-Session" reply-name = "Session-Timeout" cache-size = 5000 } rlm_counter: Counter attribute Weekly-Session-Time is number 11275 rlm_counter: Current Time: 1427396809 [2015-03-26 15:06:49], Next reset 1427601600 [2015-03-29 00:00:00] Module: Instantiating module "monthly" from file /usr/pbi/freeradius-i386/etc/raddb/modules/counter counter monthly { filename = "/var/log/radacct/timecounter/db.monthly" key = "User-Name" reset = "monthly" count-attribute = "Acct-Session-Time" counter-name = "Monthly-Session-Time" check-name = "Max-Monthly-Session" reply-name = "Session-Timeout" cache-size = 5000 } rlm_counter: Counter attribute Monthly-Session-Time is number 11277 rlm_counter: Current Time: 1427396809 [2015-03-26 15:06:49], Next reset 1427860800 [2015-04-01 00:00:00] Module: Instantiating module "forever" from file /usr/pbi/freeradius-i386/etc/raddb/modules/counter counter forever { filename = "/var/log/radacct/timecounter/db.forever" key = "User-Name" reset = "never" count-attribute = "Acct-Session-Time" counter-name = "Forever-Session-Time" check-name = "Max-Forever-Session" reply-name = "Session-Timeout" cache-size = 5000 } rlm_counter: Counter attribute Forever-Session-Time is number 11279 rlm_counter: Current Time: 1427396809 [2015-03-26 15:06:49], Next reset 0 [2015-03-26 15:00:00] Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /usr/pbi/freeradius-i386/etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /usr/pbi/freeradius-i386/etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file ?�(rlm_logintime modules { Module: Creating Auth-Type = MOTP Module: Creating Auth-Type = digest Module: Creating Auth-Type = LDAP Module: Creating Autz-Type = Status-Server Module: Creating Acct-Type = Status-Server Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /usr/pbi/freeradius-i386/etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /usr/pbi/freeradius-i386/etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /usr/pbi/freeradius-i386/etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes allow_retry = yes } Module: Instantiating module "motp" from file /usr/pbi/freeradius-i386/etc/raddb/modules/motp exec motp { wait = yes program = " /usr/pbi/freeradius-i386/etc/raddb/scripts/otpverify.sh %{request:User-Name} %{request:User-Password} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{reply:MOTP-Offset}" input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /usr/pbi/freeradius-i386/etc/raddb/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /usr/pbi/freeradius-i386/etc/raddb/modules/unix unix { radwtmp = "/var/log/radwtmp" } Module: Linked to module rlm_ldap Module: Instantiating module "ldap" from file /usr/pbi/freeradius-i386/etc/raddb/modules/ldap ldap { server = "jetsms-srv2003.jetdom.local" port = 389 password = "Tramontane10520" expect_password = yes identity = "cn=pfsense,cn=Users,dc=jetdom,dc=local" net_timeout = 1 timeout = 4 timelimit = 3 max_uses = 0 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no cacertfile = "/usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem" cacertdir = "/usr/pbi/freeradius-i386/etc/raddb/certs/" certfile = "/usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt" keyfile = "/usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key" randfile = "/usr/pbi/freeradius-i386/etc/raddb/certs/random" require_cert = "never" } basedn = "cn=Users,dc=jetdom,dc=local" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=*)" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))" groupmembership_attribute = "*" dictionary_mapping = "/usr/pbi/freeradius-i386/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = yes do_xlat = yes set_auth_type = yes keepalive { idle = 60 probes = 3 interval = 3 } } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /usr/pbi/freeradius-i386/etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x285164a0 Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /usr/pbi/freeradius-i386/etc/raddb/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/usr/pbi/freeradius-i386/etc/raddb/certs" pem_file_type = yes private_key_file = "/usr/pbi/freeradius-i386/etc/raddb/certs/server_key.pem" certificate_file = "/usr/pbi/freeradius-i386/etc/raddb/certs/server_cert.pem" CA_file = "/usr/pbi/freeradius-i386/etc/raddb/certs/ca_cert.pem" private_key_password = "whatever" dh_file = "/usr/pbi/freeradius-i386/etc/raddb/certs/dh" random_file = "/usr/pbi/freeradius-i386/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = no url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /usr/pbi/freeradius-i386/etc/raddb/modules/preprocess preprocess { huntgroups = "/usr/pbi/freeradius-i386/etc/raddb/huntgroups" hints = "/usr/pbi/freeradius-i386/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/huntgroups reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/hints Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /usr/pbi/freeradius-i386/etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = yes } Module: Instantiating module "ntdomain" from file /usr/pbi/freeradius-i386/etc/raddb/modules/realm realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = yes } Module: Linked to module rlm_files Module: Instantiating module "files" from file /usr/pbi/freeradius-i386/etc/raddb/modules/files files { usersfile = "/usr/pbi/freeradius-i386/etc/raddb/users" acctusersfile = "/usr/pbi/freeradius-i386/etc/raddb/acct_users" preproxy_usersfile = "/usr/pbi/freeradius-i386/etc/raddb/preproxy_users" compat = "no" } reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/users reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/acct_users reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/preproxy_users Module: Linked to module rlm_checkval Module: Instantiating module "checkval" from file /usr/pbi/freeradius-i386/etc/raddb/modules/checkval checkval { item-name = "Calling-Station-Id" check-name = "Calling-Station-Id" data-type = "string" notfound-reject = no } rlm_checkval: Registered name Calling-Station-Id for attribute 31 Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /usr/pbi/freeradius-i386/etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /usr/pbi/freeradius-i386/etc/raddb/modules/detail detail { detailfile = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "datacounterdaily" from file /usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct exec datacounterdaily { wait = yes program = "/bin/sh /usr/pbi/freeradius-i386/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} daily %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}" input_pairs = "request" shell_escape = yes } Module: Instantiating module "datacounterweekly" from file /usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct exec datacounterweekly { wait = yes program = "/bin/sh /usr/pbi/freeradius-i386/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} weekly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}" input_pairs = "request" shell_escape = yes } Module: Instantiating module "datacountermonthly" from file /usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct exec datacountermonthly { wait = yes program = "/bin/sh /usr/pbi/freeradius-i386/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} monthly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}" input_pairs = "request" shell_escape = yes } Module: Instantiating module "datacounterforever" from file /usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct exec datacounterforever { wait = yes program = "/bin/sh /usr/pbi/freeradius-i386/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} forever %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}" input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /usr/pbi/freeradius-i386/etc/raddb/modules/radutmp radutmp { filename = "/var/log/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/usr/pbi/freeradius-i386/etc/raddb/attrs.accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/attrs.accounting_response Module: Checking session {...} for more modules to load Module: Checking pre-proxy {...} for more modules to load Module: Instantiating module "attr_filter.pre-proxy" from file /usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter attr_filter attr_filter.pre-proxy { attrsfile = "/usr/pbi/freeradius-i386/etc/raddb/attrs.pre-proxy" key = "%{Realm}" relaxed = no } reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/attrs.pre-proxy Module: Checking post-proxy {...} for more modules to load Module: Instantiating module "attr_filter.post-proxy" from file /usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter attr_filter attr_filter.post-proxy { attrsfile = "/usr/pbi/freeradius-i386/etc/raddb/attrs" key = "%{Realm}" relaxed = no } reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/attrs Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/usr/pbi/freeradius-i386/etc/raddb/attrs.access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/attrs.access_reject } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = 192.168.56.1 port = 1812 } listen { type = "acct" ipaddr = 192.168.56.1 port = 1813 } Listening on authentication address 192.168.56.1 port 1812 Listening on accounting address 192.168.56.1 port 1813 Listening on proxy address 192.168.56.1 port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.56.1 port 1783, id=24, length=71 User-Name = "administrator" User-Password = "jet10520b" NAS-Port = 111 NAS-Port-Type = Async NAS-IP-Address = 192.168.56.1 # Executing section authorize from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "administrator", skipping NULL due to config. ++[suffix] = noop [ntdomain] No '\' in User-Name = "administrator", skipping NULL due to config. ++[ntdomain] = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop [ldap] Entering ldap_groupcmp() [files] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [files] expand: %{Stripped-User-Name} -> [files] ... expanding second conditional [files] expand: %{User-Name} -> administrator [files] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=administrator) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to jetsms-srv2003.jetdom.local:389, authentication 0 [ldap] setting TLS CACert File to /usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem [ldap] setting TLS CACert Directory to /usr/pbi/freeradius-i386/etc/raddb/certs/ [ldap] setting TLS Require Cert to never [ldap] setting TLS Cert File to /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt [ldap] setting TLS Key File to /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key [ldap] setting TLS Rand File to /usr/pbi/freeradius-i386/etc/raddb/certs/random [ldap] bind as cn=pfsense,cn=Users,dc=jetdom,dc=local/Tramontane10520 to jetsms-srv2003.jetdom.local:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=administrator) [ldap] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=group)(member=%{control:Ldap-UserDn}))) -> (|(&(objectClass=group)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (&(cn=internetaccess)(|(&(objectClass=group)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal)))) rlm_ldap::ldap_groupcmp: User found in group internetaccess [ldap] ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 5 ++[files] = ok ++policy redundant { [ldap] performing user authorization for administrator [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> administrator [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=administrator) [ldap] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=administrator) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] Pairs do not match. Rejecting user. [ldap] ldap_release_conn: Release Id: 0 +++[ldap] = reject ++} # policy redundant = reject +} # group authorize = reject expand: -> Invalid user ( [ldap] Pairs do not match): [administrator] (from client squid port 111) Using Post-Auth-Type REJECT # Executing group from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> administrator attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 24 to 192.168.56.1 port 1783 rad_recv: Access-Request packet from host 192.168.56.1 port 1783, id=24, length=71 Sending duplicate reply to client squid port 1783 - ID: 24 Sending Access-Reject of id 24 to 192.168.56.1 port 1783 Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.56.1 port 1783, id=25, length=71 User-Name = "administrator" User-Password = "jet10520b" NAS-Port = 111 NAS-Port-Type = Async NAS-IP-Address = 192.168.56.1 # Executing section authorize from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "administrator", skipping NULL due to config. ++[suffix] = noop [ntdomain] No '\' in User-Name = "administrator", skipping NULL due to config. ++[ntdomain] = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop [ldap] Entering ldap_groupcmp() [files] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [files] expand: %{Stripped-User-Name} -> [files] ... expanding second conditional [files] expand: %{User-Name} -> administrator [files] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=administrator) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=administrator) [ldap] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=group)(member=%{control:Ldap-UserDn}))) -> (|(&(objectClass=group)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (&(cn=internetaccess)(|(&(objectClass=group)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal)))) rlm_ldap::ldap_groupcmp: User found in group internetaccess [ldap] ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 5 ++[files] = ok ++policy redundant { [ldap] performing user authorization for administrator [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> administrator [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=administrator) [ldap] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=administrator) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] Pairs do not match. Rejecting user. [ldap] ldap_release_conn: Release Id: 0 +++[ldap] = reject ++} # policy redundant = reject +} # group authorize = reject expand: -> Invalid user ( [ldap] Pairs do not match): [administrator] (from client squid port 111) Using Post-Auth-Type REJECT # Executing group from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> administrator attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 25 to 192.168.56.1 port 1783 rad_recv: Access-Request packet from host 192.168.56.1 port 1783, id=25, length=71 Sending duplicate reply to client squid port 1783 - ID: 25 Sending Access-Reject of id 25 to 192.168.56.1 port 1783 Waking up in 1.7 seconds. rad_recv: Access-Request packet from host 192.168.56.1 port 1783, id=26, length=71 User-Name = "administrator" User-Password = "jet10520b" NAS-Port = 111 NAS-Port-Type = Async NAS-IP-Address = 192.168.56.1 # Executing section authorize from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "administrator", skipping NULL due to config. ++[suffix] = noop [ntdomain] No '\' in User-Name = "administrator", skipping NULL due to config. ++[ntdomain] = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop [ldap] Entering ldap_groupcmp() [files] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [files] expand: %{Stripped-User-Name} -> [files] ... expanding second conditional [files] expand: %{User-Name} -> administrator [files] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=administrator) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=administrator) [ldap] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=group)(member=%{control:Ldap-UserDn}))) -> (|(&(objectClass=group)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (&(cn=internetaccess)(|(&(objectClass=group)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal)))) rlm_ldap::ldap_groupcmp: User found in group internetaccess [ldap] ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 5 ++[files] = ok ++policy redundant { [ldap] performing user authorization for administrator [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> administrator [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=administrator) [ldap] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=administrator) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] Pairs do not match. Rejecting user. [ldap] ldap_release_conn: Release Id: 0 +++[ldap] = reject ++} # policy redundant = reject +} # group authorize = reject expand: -> Invalid user ( [ldap] Pairs do not match): [administrator] (from client squid port 111) Using Post-Auth-Type REJECT # Executing group from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> administrator attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 2 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 2 Sending Access-Reject of id 26 to 192.168.56.1 port 1783 Waking up in 0.7 seconds. rad_recv: Access-Request packet from host 192.168.56.1 port 1783, id=26, length=71 Sending duplicate reply to client squid port 1783 - ID: 26 Sending Access-Reject of id 26 to 192.168.56.1 port 1783 Waking up in 0.7 seconds. Cleaning up request 0 ID 24 with timestamp +13 Waking up in 3.2 seconds. Cleaning up request 1 ID 25 with timestamp +17 Waking up in 0.9 seconds. Cleaning up request 2 ID 26 with timestamp +18 Ready to process requests. On Thu, Mar 26, 2015 at 12:56 PM, Jose Torres-Berrocal < jetsystemservices@gmail.com> wrote:
For the group/user attribute properties I see that probably this come from Linux. If you can tell me the Linux command used to get that, I can search the Web for the MS equivalent. On Mar 26, 2015 9:54 AM, "Jose Torres-Berrocal" < jetsystemservices@gmail.com> wrote:
Thank you for the description of the attribute parameter. I began to understand it. If I end using the attribute parameter it would be "cn", and the value "InternetAccess" as that is the group name. In which parameter I should write the value and what syntax on both?
In terms of the base_filter, still do not understand it, as I do not have a radiusprofile, but using it in my config as default. On pfsense I leave this parameter empty, but the generated Conf file includes it. Even though I do not have a radiusprofile I successfully match my users/password against AD. So it seems to be ignored.
As the Groups/Users attributes example you ask, I need help getting that. I just create the Group with the AD defaults using the MS AD GUI, and assign the user as a member without any fancy stuff. On Mar 26, 2015 8:52 AM, "Ben Humpert" <ben@an3k.de> wrote:
2015-03-26 3:20 GMT+01:00 Jose Torres-Berrocal < jetsystemservices@gmail.com>:
I have setup the group in groupmembership_attribute as a naive intent to accomplish my goal. If that is not the correct parameter I will really appreciate your help on where I should set my Group and the syntax.
Well, the setting clearly asks for an attribute such as sAMAccountName or userPassword. The name of a group is a value, the value of the attribute cn. So yes, it is not the correct parameter ;)
On my first email I included my LDAP.conf file as generated by pfsense.
I think is closed as needed because I was successful matching user/pass with AD when group membership_attribute is default, but for all Users. Now I need to change it to consider the Group.
Setting up user authentication is kind of simple. You just need to match the basedn, filter and base_filter to your directory and that's it. After understanding how these settings are merged into a search request it is also easy to set up group authentication. I did so after working with XLAT, now it's easy for me but before I had no clue at all what I was doing :) What helped me much was the information that unlike in databases like *SQL you always want to get only ONE result in Directories, thus the filter needs to be as strict as required to only find one user or group. If you would find more how should Radius know which is the correct entry?
The original ldap file says the following about membership_filter
"Filter to find group objects a user is a member of. That is, group objects with attributes that identify members (the inverse of membership_attribute)."
and this about membership_attribute
"The attribute in user objects which contain the names or DNs of groups a user is a member of. Unless a conversion between group name and group DN is needed, there's no requirement for the group objects referenced to actually exist."
That means that if your groups have attributes which contain the names or uids of the users that are member of that group you do not use membership_attribute but membership_filter. If instead your users have attributes containing the names or gids of the groups the user is member of then you use membership_attribute instead of membership_filter.
What is the case in your setup? Could you post an example of a group and as well an user like the one below?
# Guest, Groups, example.com dn: cn=Guest,ou=Groups,dc=example,dc=com objectClass: posixGroup objectClass: top objectClass: radiusProfile cn: Guest gidNumber: 17068 memberUid: guest memberUid: tobtsc memberUid: marhab
# guest, Users, example.com dn: uid=guest,ou=Users,dc=example,dc=com objectClass: posixAccount objectClass: top objectClass: inetOrgPerson objectClass: radiusProfile gidNumber: 0 uid: guest uidNumber: 18459 dialupAccess: Yes cn: Guest
As you can see, the attribute "memberUid" is used to store the names of those users who are member of the group Guest, thus membership_attribute is not in use in my setup. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sorry I thought the debug output included the Conf files. Here I include the Users.Conf: /usr/pbi/freeradius-i386/etc/raddb/users "test" Cleartext-Password := "squidtest" DEFAULT Ldap-Group == "internetaccess", Auth-Type := Accept On Thu, Mar 26, 2015 at 8:52 AM, Ben Humpert <ben@an3k.de> wrote:
2015-03-26 3:20 GMT+01:00 Jose Torres-Berrocal < jetsystemservices@gmail.com>:
I have setup the group in groupmembership_attribute as a naive intent to accomplish my goal. If that is not the correct parameter I will really appreciate your help on where I should set my Group and the syntax.
Well, the setting clearly asks for an attribute such as sAMAccountName or userPassword. The name of a group is a value, the value of the attribute cn. So yes, it is not the correct parameter ;)
On my first email I included my LDAP.conf file as generated by pfsense.
I think is closed as needed because I was successful matching user/pass with AD when group membership_attribute is default, but for all Users. Now I need to change it to consider the Group.
Setting up user authentication is kind of simple. You just need to match the basedn, filter and base_filter to your directory and that's it. After understanding how these settings are merged into a search request it is also easy to set up group authentication. I did so after working with XLAT, now it's easy for me but before I had no clue at all what I was doing :) What helped me much was the information that unlike in databases like *SQL you always want to get only ONE result in Directories, thus the filter needs to be as strict as required to only find one user or group. If you would find more how should Radius know which is the correct entry?
The original ldap file says the following about membership_filter
"Filter to find group objects a user is a member of. That is, group objects with attributes that identify members (the inverse of membership_attribute)."
and this about membership_attribute
"The attribute in user objects which contain the names or DNs of groups a user is a member of. Unless a conversion between group name and group DN is needed, there's no requirement for the group objects referenced to actually exist."
That means that if your groups have attributes which contain the names or uids of the users that are member of that group you do not use membership_attribute but membership_filter. If instead your users have attributes containing the names or gids of the groups the user is member of then you use membership_attribute instead of membership_filter.
What is the case in your setup? Could you post an example of a group and as well an user like the one below?
# Guest, Groups, example.com dn: cn=Guest,ou=Groups,dc=example,dc=com objectClass: posixGroup objectClass: top objectClass: radiusProfile cn: Guest gidNumber: 17068 memberUid: guest memberUid: tobtsc memberUid: marhab
# guest, Users, example.com dn: uid=guest,ou=Users,dc=example,dc=com objectClass: posixAccount objectClass: top objectClass: inetOrgPerson objectClass: radiusProfile gidNumber: 0 uid: guest uidNumber: 18459 dialupAccess: Yes cn: Guest
As you can see, the attribute "memberUid" is used to store the names of those users who are member of the group Guest, thus membership_attribute is not in use in my setup. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I noticed that my problem is that when using group options I get authorized successfully but does not get authenticated (Using Compare Check Items = No results in Access-Accept). When not using group options I get authorized and authenticated succesfully. Is there a way to do a two pass process? If I could run the first pass without group options and the second pass if authenticated run with group options, I will get my desired result. By the way I found how to run in debug mode in pfsense and do some custome changes in the Users.conf file. On Wed, Mar 25, 2015 at 2:24 PM, Jose Torres-Berrocal < jetsystemservices@gmail.com> wrote:
I am using the Freeradius2 2.1.12_1/2.2.5_3 pkg v1.6.10 in pfsense 2.1.5
I can't modify the conf files manually. I have to use the pfsense WebGui.
I could authenticate the users of the LDAP succesfully but when I try to authenticate using group membership options it fails with the following logs.
Wed Mar 25 13:39:09 2015 : Info: Loaded virtual server <default> Wed Mar 25 13:39:09 2015 : Info: Ready to process requests. Wed Mar 25 13:39:27 2015 : Auth: Invalid user ( [ldap] Pairs do not match): [administrator] (from client squid port 111) Wed Mar 25 13:39:33 2015 : Auth: Invalid user ( [ldap] Pairs do not match): [administrator] (from client squid port 111) Wed Mar 25 13:39:34 2015 : Auth: Invalid user ( [ldap] Pairs do not match): [administrator] (from client squid port 111)
On pfsense I do not see an option to run in debug mode, but probably you can help me with the pfsense produced ldap conf file. I do not use fancy stuff. After I get it working I may try to add TLS configuration to have encrypted comm or passwords.
The LDAP is an Active Directory on a Windows 2003 Server. The group name is InternetAccess. (Is this case sensitive?) I do not have a radiusprofile, where there is mention of radiusprofile is a default generated line. (In pfsense I may change the line but can not removed it or comment it.)
LDAP CONF:
/usr/pbi/freeradius-i386/etc/raddb/modules/ldap # -*- text -*- # # $
# Lightweight Directory Access Protocol (LDAP) # # This module definition allows you to use LDAP for # authorization and authentication. # # See raddb/sites-available/default for reference to the # ldap module in the authorize and authenticate sections. # # However, LDAP can be used for authentication ONLY when the # Access-Request packet contains a clear-text User-Password # attribute. LDAP authentication will NOT work for any other # authentication method. # # This means that LDAP servers don't understand EAP. If you # force "Auth-Type = LDAP", and then send the server a # request containing EAP authentication, then authentication # WILL NOT WORK. # # The solution is to use the default configuration, which does # work. # # Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We # really can't emphasize this enough. # ldap { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "jetsms-srv2003.jetdom.local" port = "389" identity = "cn=pfsense,cn=Users,dc=jetdom,dc=local" password = Mypassword basedn = "cn=Users,dc=jetdom,dc=local" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)"
# How many connections to keep open to the LDAP server. # This saves time over opening a new LDAP socket for # every authentication request. ldap_connections_number = 5
# seconds to wait for LDAP query to finish. default: 20 timeout = 4
# seconds LDAP server has to process the query (server-side # time limit). default: 20 # # LDAP_OPT_TIMELIMIT is set to this value. timelimit = 3
# # seconds to wait for response of the server. (network # failures) default: 10 # # LDAP_OPT_NETWORK_TIMEOUT is set to this value. net_timeout = 1
# # This subsection configures the tls related items # that control how FreeRADIUS connects to an LDAP # server. It contains all of the "tls_*" configuration # entries used in older versions of FreeRADIUS. Those # configuration entries can still be used, but we recommend # using these. # tls { # Set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # # The StartTLS operation is supposed to be # used with normal ldap connections instead of # using ldaps (port 689) connections start_tls = no
cacertfile = /usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem cacertdir = /usr/pbi/freeradius-i386/etc/raddb/certs/ certfile = /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt keyfile = /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key randfile = /usr/pbi/freeradius-i386/etc/raddb/certs/random
# Certificate Verification requirements. Can be: # "never" (don't even bother trying) # "allow" (try, but don't fail if the certificate # can't be verified) # "demand" (fail if the certificate doesn't verify.) # # The default is "allow" require_cert = "never" }
### default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" ### ### profile_attribute = "radiusProfileDn" ### ### access_attr = "dialupAccess" ###
# Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${confdir}/ldap.attrmap ################## THE BELOW IS NOT COMPILED WITH FREERADIUS ################################# # Set password_attribute = nspmPassword to get the # user's password from a Novell eDirectory # backend. This will work ONLY IF FreeRADIUS has been # built with the --with-edir configure option. # # See also the following links: # # http://www.novell.com/coolsolutions/appnote/16745.html # https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SA... # # Novell may require TLS encrypted sessions before returning # the user's password. # # password_attribute = userPassword
# Un-comment the following to disable Novell # eDirectory account policy check and intruder # detection. This will work *only if* FreeRADIUS is # configured to build with --with-edir option. # edir_account_policy_check = no ################## THE ABOVE IS NOT COMPILED WITH FREERADIUS ################################# # # Group membership checking. Disabled by default. # groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" groupmembership_attribute = InternetAccess
compare_check_items = yes do_xlat = yes access_attr_used_for_allow = yes
# # The following two configuration items are for Active Directory # compatibility. If you see the helpful "operations error" # being returned to the LDAP module, uncomment the next # two lines. #
### MS Active Directory Compatibility is disabled ###
# # By default, if the packet contains a User-Password, # and no other module is configured to handle the # authentication, the LDAP module sets itself to do # LDAP bind for authentication. # # THIS WILL ONLY WORK FOR PAP AUTHENTICATION. # # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). # # You can disable this behavior by setting the following # configuration entry to "no". # # allowed values: {no, yes} # set_auth_type = yes
# ldap_debug: debug flag for LDAP SDK # (see OpenLDAP documentation). Set this to enable # huge amounts of LDAP debugging on the screen. # You should only use this if you are an LDAP expert. # # default: 0x0000 (no debugging messages) # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS) #ldap_debug = 0x0028
# # Keepalive configuration. This MAY NOT be supported by your # LDAP library. If these configuration entries appear in the # output of "radiusd -X", then they are supported. Otherwise, # they are unsupported, and changing them will do nothing. # keepalive { # LDAP_OPT_X_KEEPALIVE_IDLE idle = 60
# LDAP_OPT_X_KEEPALIVE_PROBES probes = 3
# LDAP_OPT_X_KEEPALIVE_INTERVAL interval = 3 } }
I forgot to include my last conf files. ########################################################### ldap.conf: ########################################################### ldap { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "jetsms-srv2003.jetdom.local" port = "389" identity = "cn=pfsense,cn=Users,dc=jetdom,dc=local" password = Tramontane10520 basedn = "cn=Users,dc=jetdom,dc=local" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=*)" # How many connections to keep open to the LDAP server. # This saves time over opening a new LDAP socket for # every authentication request. ldap_connections_number = 5 # seconds to wait for LDAP query to finish. default: 20 timeout = 4 # seconds LDAP server has to process the query (server-side # time limit). default: 20 # # LDAP_OPT_TIMELIMIT is set to this value. timelimit = 3 # # seconds to wait for response of the server. (network # failures) default: 10 # # LDAP_OPT_NETWORK_TIMEOUT is set to this value. net_timeout = 1 # # This subsection configures the tls related items # that control how FreeRADIUS connects to an LDAP # server. It contains all of the "tls_*" configuration # entries used in older versions of FreeRADIUS. Those # configuration entries can still be used, but we recommend # using these. # tls { # Set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # # The StartTLS operation is supposed to be # used with normal ldap connections instead of # using ldaps (port 689) connections start_tls = no cacertfile = /usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem cacertdir = /usr/pbi/freeradius-i386/etc/raddb/certs/ certfile = /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt keyfile = /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key randfile = /usr/pbi/freeradius-i386/etc/raddb/certs/random # Certificate Verification requirements. Can be: # "never" (don't even bother trying) # "allow" (try, but don't fail if the certificate # can't be verified) # "demand" (fail if the certificate doesn't verify.) # # The default is "allow" require_cert = "never" } ### default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" ### ### profile_attribute = "radiusProfileDn" ### ### access_attr = "dialupAccess" ### # Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${confdir}/ldap.attrmap ################## THE BELOW IS NOT COMPILED WITH FREERADIUS ################################# # Set password_attribute = nspmPassword to get the # user's password from a Novell eDirectory # backend. This will work ONLY IF FreeRADIUS has been # built with the --with-edir configure option. # # See also the following links: # # http://www.novell.com/coolsolutions/appnote/16745.html # https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SA... # # Novell may require TLS encrypted sessions before returning # the user's password. # # password_attribute = userPassword # Un-comment the following to disable Novell # eDirectory account policy check and intruder # detection. This will work *only if* FreeRADIUS is # configured to build with --with-edir option. # edir_account_policy_check = no ################## THE ABOVE IS NOT COMPILED WITH FREERADIUS ################################# # # Group membership checking. Disabled by default. # groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" groupmembership_attribute = memberOf compare_check_items = no do_xlat = yes access_attr_used_for_allow = yes # # The following two configuration items are for Active Directory # compatibility. If you see the helpful "operations error" # being returned to the LDAP module, uncomment the next # two lines. # ### MS Active Directory Compatibility is disabled ### # # By default, if the packet contains a User-Password, # and no other module is configured to handle the # authentication, the LDAP module sets itself to do # LDAP bind for authentication. # # THIS WILL ONLY WORK FOR PAP AUTHENTICATION. # # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). # # You can disable this behavior by setting the following # configuration entry to "no". # # allowed values: {no, yes} # set_auth_type = yes # ldap_debug: debug flag for LDAP SDK # (see OpenLDAP documentation). Set this to enable # huge amounts of LDAP debugging on the screen. # You should only use this if you are an LDAP expert. # # default: 0x0000 (no debugging messages) # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS) #ldap_debug = 0x0028 # # Keepalive configuration. This MAY NOT be supported by your # LDAP library. If these configuration entries appear in the # output of "radiusd -X", then they are supported. Otherwise, # they are unsupported, and changing them will do nothing. # keepalive { # LDAP_OPT_X_KEEPALIVE_IDLE idle = 60 # LDAP_OPT_X_KEEPALIVE_PROBES probes = 3 # LDAP_OPT_X_KEEPALIVE_INTERVAL interval = 3 } } ################################################## Users.conf: ################################################## /usr/pbi/freeradius-i386/etc/raddb/users "test" Cleartext-Password := "squidtest" DEFAULT Ldap-Group == "InternetAccess", Auth-Type := Accept DEFAULT Ldap-Group != "InternetAccess", Auth-Type := Reject On Tue, Apr 21, 2015 at 12:07 AM, Jose Torres-Berrocal < jetsystemservices@gmail.com> wrote:
I noticed that my problem is that when using group options I get authorized successfully but does not get authenticated (Using Compare Check Items = No results in Access-Accept). When not using group options I get authorized and authenticated succesfully.
Is there a way to do a two pass process? If I could run the first pass without group options and the second pass if authenticated run with group options, I will get my desired result.
By the way I found how to run in debug mode in pfsense and do some custome changes in the Users.conf file.
On Wed, Mar 25, 2015 at 2:24 PM, Jose Torres-Berrocal < jetsystemservices@gmail.com> wrote:
I am using the Freeradius2 2.1.12_1/2.2.5_3 pkg v1.6.10 in pfsense 2.1.5
I can't modify the conf files manually. I have to use the pfsense WebGui.
I could authenticate the users of the LDAP succesfully but when I try to authenticate using group membership options it fails with the following logs.
Wed Mar 25 13:39:09 2015 : Info: Loaded virtual server <default> Wed Mar 25 13:39:09 2015 : Info: Ready to process requests. Wed Mar 25 13:39:27 2015 : Auth: Invalid user ( [ldap] Pairs do not match): [administrator] (from client squid port 111) Wed Mar 25 13:39:33 2015 : Auth: Invalid user ( [ldap] Pairs do not match): [administrator] (from client squid port 111) Wed Mar 25 13:39:34 2015 : Auth: Invalid user ( [ldap] Pairs do not match): [administrator] (from client squid port 111)
On pfsense I do not see an option to run in debug mode, but probably you can help me with the pfsense produced ldap conf file. I do not use fancy stuff. After I get it working I may try to add TLS configuration to have encrypted comm or passwords.
The LDAP is an Active Directory on a Windows 2003 Server. The group name is InternetAccess. (Is this case sensitive?) I do not have a radiusprofile, where there is mention of radiusprofile is a default generated line. (In pfsense I may change the line but can not removed it or comment it.)
LDAP CONF:
/usr/pbi/freeradius-i386/etc/raddb/modules/ldap # -*- text -*- # # $
# Lightweight Directory Access Protocol (LDAP) # # This module definition allows you to use LDAP for # authorization and authentication. # # See raddb/sites-available/default for reference to the # ldap module in the authorize and authenticate sections. # # However, LDAP can be used for authentication ONLY when the # Access-Request packet contains a clear-text User-Password # attribute. LDAP authentication will NOT work for any other # authentication method. # # This means that LDAP servers don't understand EAP. If you # force "Auth-Type = LDAP", and then send the server a # request containing EAP authentication, then authentication # WILL NOT WORK. # # The solution is to use the default configuration, which does # work. # # Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We # really can't emphasize this enough. # ldap { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "jetsms-srv2003.jetdom.local" port = "389" identity = "cn=pfsense,cn=Users,dc=jetdom,dc=local" password = Mypassword basedn = "cn=Users,dc=jetdom,dc=local" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)"
# How many connections to keep open to the LDAP server. # This saves time over opening a new LDAP socket for # every authentication request. ldap_connections_number = 5
# seconds to wait for LDAP query to finish. default: 20 timeout = 4
# seconds LDAP server has to process the query (server-side # time limit). default: 20 # # LDAP_OPT_TIMELIMIT is set to this value. timelimit = 3
# # seconds to wait for response of the server. (network # failures) default: 10 # # LDAP_OPT_NETWORK_TIMEOUT is set to this value. net_timeout = 1
# # This subsection configures the tls related items # that control how FreeRADIUS connects to an LDAP # server. It contains all of the "tls_*" configuration # entries used in older versions of FreeRADIUS. Those # configuration entries can still be used, but we recommend # using these. # tls { # Set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # # The StartTLS operation is supposed to be # used with normal ldap connections instead of # using ldaps (port 689) connections start_tls = no
cacertfile = /usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem cacertdir = /usr/pbi/freeradius-i386/etc/raddb/certs/ certfile = /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt keyfile = /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key randfile = /usr/pbi/freeradius-i386/etc/raddb/certs/random
# Certificate Verification requirements. Can be: # "never" (don't even bother trying) # "allow" (try, but don't fail if the certificate # can't be verified) # "demand" (fail if the certificate doesn't verify.) # # The default is "allow" require_cert = "never" }
### default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" ### ### profile_attribute = "radiusProfileDn" ### ### access_attr = "dialupAccess" ###
# Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${confdir}/ldap.attrmap ################## THE BELOW IS NOT COMPILED WITH FREERADIUS ################################# # Set password_attribute = nspmPassword to get the # user's password from a Novell eDirectory # backend. This will work ONLY IF FreeRADIUS has been # built with the --with-edir configure option. # # See also the following links: # # http://www.novell.com/coolsolutions/appnote/16745.html # https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SA... # # Novell may require TLS encrypted sessions before returning # the user's password. # # password_attribute = userPassword
# Un-comment the following to disable Novell # eDirectory account policy check and intruder # detection. This will work *only if* FreeRADIUS is # configured to build with --with-edir option. # edir_account_policy_check = no ################## THE ABOVE IS NOT COMPILED WITH FREERADIUS ################################# # # Group membership checking. Disabled by default. # groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" groupmembership_attribute = InternetAccess
compare_check_items = yes do_xlat = yes access_attr_used_for_allow = yes
# # The following two configuration items are for Active Directory # compatibility. If you see the helpful "operations error" # being returned to the LDAP module, uncomment the next # two lines. #
### MS Active Directory Compatibility is disabled ###
# # By default, if the packet contains a User-Password, # and no other module is configured to handle the # authentication, the LDAP module sets itself to do # LDAP bind for authentication. # # THIS WILL ONLY WORK FOR PAP AUTHENTICATION. # # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). # # You can disable this behavior by setting the following # configuration entry to "no". # # allowed values: {no, yes} # set_auth_type = yes
# ldap_debug: debug flag for LDAP SDK # (see OpenLDAP documentation). Set this to enable # huge amounts of LDAP debugging on the screen. # You should only use this if you are an LDAP expert. # # default: 0x0000 (no debugging messages) # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS) #ldap_debug = 0x0028
# # Keepalive configuration. This MAY NOT be supported by your # LDAP library. If these configuration entries appear in the # output of "radiusd -X", then they are supported. Otherwise, # they are unsupported, and changing them will do nothing. # keepalive { # LDAP_OPT_X_KEEPALIVE_IDLE idle = 60
# LDAP_OPT_X_KEEPALIVE_PROBES probes = 3
# LDAP_OPT_X_KEEPALIVE_INTERVAL interval = 3 } }
On Apr 21, 2015, at 12:07 AM, Jose Torres-Berrocal <jetsystemservices@gmail.com> wrote:
I noticed that my problem is that when using group options I get authorized successfully but does not get authenticated (Using Compare Check Items = No results in Access-Accept). When not using group options I get authorized and authenticated successfully.
So... what does the debug output say? You posted the configuration files, which aren't necessary, and don't help.
Is there a way to do a two pass process? If I could run the first pass without group options and the second pass if authenticated run with group options, I will get my desired result.
The correct solution is to fix your policies. They're wrong now. It's best to understand *why* they're wrong, and fix the problem.
By the way I found how to run in debug mode in pfsense and do some custome changes in the Users.conf file.
Then post the debug output here. Alan DeKok.
Debug output NOT using group options: radiusd: FreeRADIUS Version 2.2.5, for host i386-portbld-freebsd8.3, built on Sep 29 2014 at 22:08:50 Copyright (C) 1999-2013 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... including configuration file /usr/pbi/freeradius-i386/etc/raddb/radiusd.conf including configuration file /usr/pbi/freeradius-i386/etc/raddb/clients.conf including files in directory /usr/pbi/freeradius-i386/etc/raddb/modules/ including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/wimax including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/always including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/attr_rewrite including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/cache including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/chap including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/checkval including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/counter including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/cui including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/detail including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/ detail.example.com including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/detail.log including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/dhcp_sqlippool including configuration file /usr/pbi/freeradius-i386/etc/raddb/sql/mysql/ippool-dhcp.conf including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/digest including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/dynamic_clients including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/echo including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/etc_group including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/exec including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/expiration including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/expr including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/files including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/inner-eap including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/ippool including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/krb5 including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/ldap including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/linelog including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/otp including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/logintime including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/mac2ip including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/mac2vlan including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/mschap including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/ntlm_auth including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/opendirectory including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/pam including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/pap including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/passwd including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/perl including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/policy including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/preprocess including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/radrelay including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/radutmp including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/realm including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/redis including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/rediswho including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/replicate including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/smbpasswd including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/smsotp including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/soh including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/sql_log including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/sqlcounter_expire_on_login including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/sradutmp including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/unix including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/acct_unique including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/motp including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct including configuration file /usr/pbi/freeradius-i386/etc/raddb/eap.conf including configuration file /usr/pbi/freeradius-i386/etc/raddb/sql.conf including configuration file /usr/pbi/freeradius-i386/etc/raddb/sql/mysql/dialup.conf including configuration file /usr/pbi/freeradius-i386/etc/raddb/sql/mysql/dialup.conf including configuration file /usr/pbi/freeradius-i386/etc/raddb/sql/mysql/counter.conf including configuration file /usr/pbi/freeradius-i386/etc/raddb/policy.conf including files in directory /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/ including configuration file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default main { allow_core_dumps = yes } Core dumps are enabled. including dictionary file /usr/pbi/freeradius-i386/etc/raddb/dictionary main { name = "radiusd" prefix = "/usr/pbi/freeradius-i386" localstatedir = "/var" sbindir = "/usr/pbi/freeradius-i386/sbin" logdir = "/var/log" run_dir = "/var/run" radacctdir = "/var/log/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd.pid" checkrad = "/usr/pbi/freeradius-i386/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = yes auth = yes auth_badpass = no auth_goodpass = no msg_badpass = "" msg_goodpass = "" } security { max_attributes = 200 reject_delay = 1 status_server = no allow_vulnerable_openssl = no } } radiusd: #### Loading Realms and Home Servers #### radiusd: #### Loading Clients #### client squid { ipaddr = 192.168.56.1 require_message_authenticator = no secret = "squid4030" shortname = "squid" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /usr/pbi/freeradius-i386/etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /usr/pbi/freeradius-i386/etc/raddb/modules/expr Module: Linked to module rlm_counter Module: Instantiating module "daily" from file /usr/pbi/freeradius-i386/etc/raddb/modules/counter counter daily { filename = "/var/log/radacct/timecounter/db.daily" key = "User-Name" reset = "daily" count-attribute = "Acct-Session-Time" counter-name = "Daily-Session-Time" check-name = "Max-Daily-Session" reply-name = "Session-Timeout" cache-size = 5000 } rlm_counter: Counter attribute Daily-Session-Time is number 11273 rlm_counter: Current Time: 1429673113 [2015-04-21 23:25:13], Next reset 1429675200 [2015-04-22 00:00:00] Module: Instantiating module "weekly" from file /usr/pbi/freeradius-i386/etc/raddb/modules/counter counter weekly { filename = "/var/log/radacct/timecounter/db.weekly" key = "User-Name" reset = "weekly" count-attribute = "Acct-Session-Time" counter-name = "Weekly-Session-Time" check-name = "Max-Weekly-Session" reply-name = "Session-Timeout" cache-size = 5000 } rlm_counter: Counter attribute Weekly-Session-Time is number 11275 rlm_counter: Current Time: 1429673113 [2015-04-21 23:25:13], Next reset 1430020800 [2015-04-26 00:00:00] Module: Instantiating module "monthly" from file /usr/pbi/freeradius-i386/etc/raddb/modules/counter counter monthly { filename = "/var/log/radacct/timecounter/db.monthly" key = "User-Name" reset = "monthly" count-attribute = "Acct-Session-Time" counter-name = "Monthly-Session-Time" check-name = "Max-Monthly-Session" reply-name = "Session-Timeout" cache-size = 5000 } rlm_counter: Counter attribute Monthly-Session-Time is number 11277 rlm_counter: Current Time: 1429673113 [2015-04-21 23:25:13], Next reset 1430452800 [2015-05-01 00:00:00] Module: Instantiating module "forever" from file /usr/pbi/freeradius-i386/etc/raddb/modules/counter counter forever { filename = "/var/log/radacct/timecounter/db.forever" key = "User-Name" reset = "never" count-attribute = "Acct-Session-Time" counter-name = "Forever-Session-Time" check-name = "Max-Forever-Session" reply-name = "Session-Timeout" cache-size = 5000 } rlm_counter: Counter attribute Forever-Session-Time is number 11279 rlm_counter: Current Time: 1429673113 [2015-04-21 23:25:13], Next reset 0 [2015-04-21 23:00:00] Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /usr/pbi/freeradius-i386/etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /usr/pbi/freeradius-i386/etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file ?�(rlm_logintime modules { Module: Creating Auth-Type = MOTP Module: Creating Auth-Type = digest Module: Creating Auth-Type = LDAP Module: Creating Autz-Type = Status-Server Module: Creating Acct-Type = Status-Server Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /usr/pbi/freeradius-i386/etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /usr/pbi/freeradius-i386/etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /usr/pbi/freeradius-i386/etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes allow_retry = yes } Module: Instantiating module "motp" from file /usr/pbi/freeradius-i386/etc/raddb/modules/motp exec motp { wait = yes program = " /usr/pbi/freeradius-i386/etc/raddb/scripts/otpverify.sh %{request:User-Name} %{request:User-Password} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{reply:MOTP-Offset}" input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /usr/pbi/freeradius-i386/etc/raddb/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /usr/pbi/freeradius-i386/etc/raddb/modules/unix unix { radwtmp = "/var/log/radwtmp" } Module: Linked to module rlm_ldap Module: Instantiating module "ldap" from file /usr/pbi/freeradius-i386/etc/raddb/modules/ldap ldap { server = "jetsms-srv2003.jetdom.local" port = 389 password = "Tramontane10520" expect_password = yes identity = "cn=pfsense,cn=Users,dc=jetdom,dc=local" net_timeout = 1 timeout = 4 timelimit = 3 max_uses = 0 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no cacertfile = "/usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem" cacertdir = "/usr/pbi/freeradius-i386/etc/raddb/certs/" certfile = "/usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt" keyfile = "/usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key" randfile = "/usr/pbi/freeradius-i386/etc/raddb/certs/random" require_cert = "never" } basedn = "cn=Users,dc=jetdom,dc=local" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=*)" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/usr/pbi/freeradius-i386/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes set_auth_type = yes keepalive { idle = 60 probes = 3 interval = 3 } } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /usr/pbi/freeradius-i386/etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x28516580 Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /usr/pbi/freeradius-i386/etc/raddb/eap.conf eap { default_eap_type = "mschapv2" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/usr/pbi/freeradius-i386/etc/raddb/certs" pem_file_type = yes private_key_file = "/usr/pbi/freeradius-i386/etc/raddb/certs/server_key.pem" certificate_file = "/usr/pbi/freeradius-i386/etc/raddb/certs/server_cert.pem" CA_file = "/usr/pbi/freeradius-i386/etc/raddb/certs/ca_cert.pem" private_key_password = "whatever" dh_file = "/usr/pbi/freeradius-i386/etc/raddb/certs/dh" random_file = "/usr/pbi/freeradius-i386/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = no url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /usr/pbi/freeradius-i386/etc/raddb/modules/preprocess preprocess { huntgroups = "/usr/pbi/freeradius-i386/etc/raddb/huntgroups" hints = "/usr/pbi/freeradius-i386/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/huntgroups reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/hints Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /usr/pbi/freeradius-i386/etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = yes } Module: Instantiating module "ntdomain" from file /usr/pbi/freeradius-i386/etc/raddb/modules/realm realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = yes } Module: Linked to module rlm_files Module: Instantiating module "files" from file /usr/pbi/freeradius-i386/etc/raddb/modules/files files { usersfile = "/usr/pbi/freeradius-i386/etc/raddb/users" acctusersfile = "/usr/pbi/freeradius-i386/etc/raddb/acct_users" preproxy_usersfile = "/usr/pbi/freeradius-i386/etc/raddb/preproxy_users" compat = "no" } reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/users reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/acct_users reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/preproxy_users Module: Linked to module rlm_sql Module: Instantiating module "sql" from file /usr/pbi/freeradius-i386/etc/raddb/sql.conf sql { driver = "rlm_sql_mysql" server = "lamp.jetdom.local" port = "3306" login = "radius" password = "radpass" radius_db = "radius" read_groups = yes sqltrace = no sqltracefile = "/var/log/sqltrace.sql" readclients = yes deletestalesessions = yes num_sql_socks = 5 lifetime = 0 max_queries = 0 sql_user_name = "%{User-Name}" default_user_profile = "" nas_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id" accounting_onoff_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = unix_timestamp('%S') - unix_timestamp(acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = %{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'" accounting_update_query = " UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_update_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctsessiontime, acctauthentic, connectinfo_start, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, servicetype, framedprotocol, framedipaddress, acctstartdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query_alt = " UPDATE radacct SET acctstarttime = '%S', acctstartdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_start = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{%{Acct-Delay-Time}:-0}')" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" connect_failure_retry_delay = 60 simul_count_query = "" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" postauth_query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')" safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked rlm_sql (sql): Attempting to connect to radius@lamp.jetdom.local:3306/radius rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_mysql #0 rlm_sql_mysql: Starting connect to MySQL server for #0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_mysql #1 rlm_sql_mysql: Starting connect to MySQL server for #1 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_mysql #2 rlm_sql_mysql: Starting connect to MySQL server for #2 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_mysql #3 rlm_sql_mysql: Starting connect to MySQL server for #3 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_mysql #4 rlm_sql_mysql: Starting connect to MySQL server for #4 rlm_sql (sql): Connected new DB handle, #4 rlm_sql (sql): Processing generate_sql_clients rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Reserving sql socket id: 4 rlm_sql (sql): Released sql socket id: 4 Module: Linked to module rlm_checkval Module: Instantiating module "checkval" from file /usr/pbi/freeradius-i386/etc/raddb/modules/checkval checkval { item-name = "Calling-Station-Id" check-name = "Calling-Station-Id" data-type = "string" notfound-reject = no } rlm_checkval: Registered name Calling-Station-Id for attribute 31 Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /usr/pbi/freeradius-i386/etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /usr/pbi/freeradius-i386/etc/raddb/modules/detail detail { detailfile = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "datacounterdaily" from file /usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct exec datacounterdaily { wait = yes program = "/bin/sh /usr/pbi/freeradius-i386/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} daily %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}" input_pairs = "request" shell_escape = yes } Module: Instantiating module "datacounterweekly" from file /usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct exec datacounterweekly { wait = yes program = "/bin/sh /usr/pbi/freeradius-i386/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} weekly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}" input_pairs = "request" shell_escape = yes } Module: Instantiating module "datacountermonthly" from file /usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct exec datacountermonthly { wait = yes program = "/bin/sh /usr/pbi/freeradius-i386/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} monthly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}" input_pairs = "request" shell_escape = yes } Module: Instantiating module "datacounterforever" from file /usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct exec datacounterforever { wait = yes program = "/bin/sh /usr/pbi/freeradius-i386/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} forever %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}" input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /usr/pbi/freeradius-i386/etc/raddb/modules/radutmp radutmp { filename = "/var/log/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/usr/pbi/freeradius-i386/etc/raddb/attrs.accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/attrs.accounting_response Module: Checking session {...} for more modules to load Module: Checking pre-proxy {...} for more modules to load Module: Instantiating module "attr_filter.pre-proxy" from file /usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter attr_filter attr_filter.pre-proxy { attrsfile = "/usr/pbi/freeradius-i386/etc/raddb/attrs.pre-proxy" key = "%{Realm}" relaxed = no } reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/attrs.pre-proxy Module: Checking post-proxy {...} for more modules to load Module: Instantiating module "attr_filter.post-proxy" from file /usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter attr_filter attr_filter.post-proxy { attrsfile = "/usr/pbi/freeradius-i386/etc/raddb/attrs" key = "%{Realm}" relaxed = no } reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/attrs Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/usr/pbi/freeradius-i386/etc/raddb/attrs.access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/attrs.access_reject } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = 192.168.56.1 port = 1812 } listen { type = "acct" ipaddr = 192.168.56.1 port = 1813 } Listening on authentication address 192.168.56.1 port 1812 Listening on accounting address 192.168.56.1 port 1813 Listening on proxy address 192.168.56.1 port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.56.1 port 5829, id=3, length=71 User-Name = "administrator" User-Password = "jet10520b" NAS-Port = 111 NAS-Port-Type = Async NAS-IP-Address = 192.168.56.1 # Executing section authorize from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "administrator", skipping NULL due to config. ++[suffix] = noop [ntdomain] No '\' in User-Name = "administrator", skipping NULL due to config. ++[ntdomain] = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop [ldap] Entering ldap_groupcmp() [files] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [files] expand: %{Stripped-User-Name} -> [files] ... expanding second conditional [files] expand: %{User-Name} -> administrator [files] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=administrator) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to jetsms-srv2003.jetdom.local:389, authentication 0 [ldap] setting TLS CACert File to /usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem [ldap] setting TLS CACert Directory to /usr/pbi/freeradius-i386/etc/raddb/certs/ [ldap] setting TLS Require Cert to never [ldap] setting TLS Cert File to /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt [ldap] setting TLS Key File to /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key [ldap] setting TLS Rand File to /usr/pbi/freeradius-i386/etc/raddb/certs/random [ldap] bind as cn=pfsense,cn=Users,dc=jetdom,dc=local/Tramontane10520 to jetsms-srv2003.jetdom.local:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=administrator) [ldap] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (&(cn=InternetAccess)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 rlm_ldap::ldap_groupcmp: Group InternetAccess not found or user is not a member. [ldap] Entering ldap_groupcmp() [files] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [files] expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (&(cn=InternetAccess)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 rlm_ldap::ldap_groupcmp: Group InternetAccess not found or user is not a member. ++[files] = noop ++policy redundant { [sql] expand: %{User-Name} -> administrator [sql] sql_set_user escaped user --> 'administrator' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'administrator' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'administrator' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 [sql] User administrator not found +++[sql] = notfound ++} # policy redundant = notfound ++policy redundant { [ldap] performing user authorization for administrator [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> administrator [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=administrator) [ldap] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=administrator) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] Setting Auth-Type = LDAP [ldap] ldap_release_conn: Release Id: 0 +++[ldap] = ok ++} # policy redundant = ok rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[daily] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[weekly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[monthly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[forever] = noop rlm_checkval: Could not find item named Calling-Station-Id in request rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs ++[checkval] = notfound ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = ok Found Auth-Type = LDAP # Executing group from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group LDAP { [ldap] login attempt by "administrator" with password "jet10520b" [ldap] user DN: CN=Administrator,CN=Users,DC=jetdom,DC=local [ldap] (re)connect to jetsms-srv2003.jetdom.local:389, authentication 1 [ldap] setting TLS CACert File to /usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem [ldap] setting TLS CACert Directory to /usr/pbi/freeradius-i386/etc/raddb/certs/ [ldap] setting TLS Require Cert to never [ldap] setting TLS Cert File to /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt [ldap] setting TLS Key File to /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key [ldap] setting TLS Rand File to /usr/pbi/freeradius-i386/etc/raddb/certs/random [ldap] bind as CN=Administrator,CN=Users,DC=jetdom,DC=local/jet10520b to jetsms-srv2003.jetdom.local:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] user administrator authenticated succesfully ++[ldap] = ok +} # group LDAP = ok expand: -> Login OK: [administrator] (from client squid port 111) # Executing section post-auth from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group post-auth { ++policy redundant { [sql] expand: %{User-Name} -> administrator [sql] sql_set_user escaped user --> 'administrator' [sql] expand: %{User-Password} -> jet10520b [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'administrator', 'jet10520b', 'Access-Accept', '2015-04-21 23:26:00') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'administrator', 'jet10520b', 'Access-Accept', '2015-04-21 23:26:00') rlm_sql (sql): Reserving sql socket id: 2 rlm_sql (sql): Released sql socket id: 2 +++[sql] = ok ++} # policy redundant = ok ++[exec] = noop +} # group post-auth = ok Sending Access-Accept of id 3 to 192.168.56.1 port 5829 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 3 with timestamp +47 Ready to process requests. On Tue, Apr 21, 2015 at 9:44 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Apr 21, 2015, at 12:07 AM, Jose Torres-Berrocal < jetsystemservices@gmail.com> wrote:
I noticed that my problem is that when using group options I get authorized successfully but does not get authenticated (Using Compare Check Items = No results in Access-Accept). When not using group options I get authorized and authenticated successfully.
So... what does the debug output say? You posted the configuration files, which aren't necessary, and don't help.
Is there a way to do a two pass process? If I could run the first pass without group options and the second pass if authenticated run with group options, I will get my desired result.
The correct solution is to fix your policies. They're wrong now. It's best to understand *why* they're wrong, and fix the problem.
By the way I found how to run in debug mode in pfsense and do some custome changes in the Users.conf file.
Then post the debug output here.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Debug output using group options: radiusd: FreeRADIUS Version 2.2.5, for host i386-portbld-freebsd8.3, built on Sep 29 2014 at 22:08:50 Copyright (C) 1999-2013 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... including configuration file /usr/pbi/freeradius-i386/etc/raddb/radiusd.conf including configuration file /usr/pbi/freeradius-i386/etc/raddb/clients.conf including files in directory /usr/pbi/freeradius-i386/etc/raddb/modules/ including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/wimax including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/always including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/attr_rewrite including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/cache including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/chap including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/checkval including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/counter including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/cui including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/detail including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/ detail.example.com including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/detail.log including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/dhcp_sqlippool including configuration file /usr/pbi/freeradius-i386/etc/raddb/sql/mysql/ippool-dhcp.conf including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/digest including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/dynamic_clients including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/echo including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/etc_group including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/exec including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/expiration including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/expr including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/files including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/inner-eap including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/ippool including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/krb5 including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/ldap including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/linelog including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/otp including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/logintime including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/mac2ip including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/mac2vlan including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/mschap including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/ntlm_auth including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/opendirectory including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/pam including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/pap including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/passwd including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/perl including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/policy including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/preprocess including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/radrelay including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/radutmp including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/realm including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/redis including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/rediswho including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/replicate including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/smbpasswd including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/smsotp including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/soh including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/sql_log including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/sqlcounter_expire_on_login including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/sradutmp including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/unix including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/acct_unique including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/motp including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct including configuration file /usr/pbi/freeradius-i386/etc/raddb/eap.conf including configuration file /usr/pbi/freeradius-i386/etc/raddb/sql.conf including configuration file /usr/pbi/freeradius-i386/etc/raddb/sql/mysql/dialup.conf including configuration file /usr/pbi/freeradius-i386/etc/raddb/sql/mysql/dialup.conf including configuration file /usr/pbi/freeradius-i386/etc/raddb/sql/mysql/counter.conf including configuration file /usr/pbi/freeradius-i386/etc/raddb/policy.conf including files in directory /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/ including configuration file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default main { allow_core_dumps = yes } Core dumps are enabled. including dictionary file /usr/pbi/freeradius-i386/etc/raddb/dictionary main { name = "radiusd" prefix = "/usr/pbi/freeradius-i386" localstatedir = "/var" sbindir = "/usr/pbi/freeradius-i386/sbin" logdir = "/var/log" run_dir = "/var/run" radacctdir = "/var/log/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd.pid" checkrad = "/usr/pbi/freeradius-i386/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = yes auth = yes auth_badpass = no auth_goodpass = no msg_badpass = "" msg_goodpass = "" } security { max_attributes = 200 reject_delay = 1 status_server = no allow_vulnerable_openssl = no } } radiusd: #### Loading Realms and Home Servers #### radiusd: #### Loading Clients #### client squid { ipaddr = 192.168.56.1 require_message_authenticator = no secret = "squid4030" shortname = "squid" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /usr/pbi/freeradius-i386/etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /usr/pbi/freeradius-i386/etc/raddb/modules/expr Module: Linked to module rlm_counter Module: Instantiating module "daily" from file /usr/pbi/freeradius-i386/etc/raddb/modules/counter counter daily { filename = "/var/log/radacct/timecounter/db.daily" key = "User-Name" reset = "daily" count-attribute = "Acct-Session-Time" counter-name = "Daily-Session-Time" check-name = "Max-Daily-Session" reply-name = "Session-Timeout" cache-size = 5000 } rlm_counter: Counter attribute Daily-Session-Time is number 11273 rlm_counter: Current Time: 1429671947 [2015-04-21 23:05:47], Next reset 1429675200 [2015-04-22 00:00:00] Module: Instantiating module "weekly" from file /usr/pbi/freeradius-i386/etc/raddb/modules/counter counter weekly { filename = "/var/log/radacct/timecounter/db.weekly" key = "User-Name" reset = "weekly" count-attribute = "Acct-Session-Time" counter-name = "Weekly-Session-Time" check-name = "Max-Weekly-Session" reply-name = "Session-Timeout" cache-size = 5000 } rlm_counter: Counter attribute Weekly-Session-Time is number 11275 rlm_counter: Current Time: 1429671947 [2015-04-21 23:05:47], Next reset 1430020800 [2015-04-26 00:00:00] Module: Instantiating module "monthly" from file /usr/pbi/freeradius-i386/etc/raddb/modules/counter counter monthly { filename = "/var/log/radacct/timecounter/db.monthly" key = "User-Name" reset = "monthly" count-attribute = "Acct-Session-Time" counter-name = "Monthly-Session-Time" check-name = "Max-Monthly-Session" reply-name = "Session-Timeout" cache-size = 5000 } rlm_counter: Counter attribute Monthly-Session-Time is number 11277 rlm_counter: Current Time: 1429671947 [2015-04-21 23:05:47], Next reset 1430452800 [2015-05-01 00:00:00] Module: Instantiating module "forever" from file /usr/pbi/freeradius-i386/etc/raddb/modules/counter counter forever { filename = "/var/log/radacct/timecounter/db.forever" key = "User-Name" reset = "never" count-attribute = "Acct-Session-Time" counter-name = "Forever-Session-Time" check-name = "Max-Forever-Session" reply-name = "Session-Timeout" cache-size = 5000 } rlm_counter: Counter attribute Forever-Session-Time is number 11279 rlm_counter: Current Time: 1429671947 [2015-04-21 23:05:47], Next reset 0 [2015-04-21 23:00:00] Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /usr/pbi/freeradius-i386/etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /usr/pbi/freeradius-i386/etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file ?�(rlm_logintime modules { Module: Creating Auth-Type = MOTP Module: Creating Auth-Type = digest Module: Creating Auth-Type = LDAP Module: Creating Autz-Type = Status-Server Module: Creating Acct-Type = Status-Server Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /usr/pbi/freeradius-i386/etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /usr/pbi/freeradius-i386/etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /usr/pbi/freeradius-i386/etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes allow_retry = yes } Module: Instantiating module "motp" from file /usr/pbi/freeradius-i386/etc/raddb/modules/motp exec motp { wait = yes program = " /usr/pbi/freeradius-i386/etc/raddb/scripts/otpverify.sh %{request:User-Name} %{request:User-Password} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{reply:MOTP-Offset}" input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /usr/pbi/freeradius-i386/etc/raddb/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /usr/pbi/freeradius-i386/etc/raddb/modules/unix unix { radwtmp = "/var/log/radwtmp" } Module: Linked to module rlm_ldap Module: Instantiating module "ldap" from file /usr/pbi/freeradius-i386/etc/raddb/modules/ldap ldap { server = "jetsms-srv2003.jetdom.local" port = 389 password = "Tramontane10520" expect_password = yes identity = "cn=pfsense,cn=Users,dc=jetdom,dc=local" net_timeout = 1 timeout = 4 timelimit = 3 max_uses = 0 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no cacertfile = "/usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem" cacertdir = "/usr/pbi/freeradius-i386/etc/raddb/certs/" certfile = "/usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt" keyfile = "/usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key" randfile = "/usr/pbi/freeradius-i386/etc/raddb/certs/random" require_cert = "never" } basedn = "cn=Users,dc=jetdom,dc=local" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=*)" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" groupmembership_attribute = "memberOf" dictionary_mapping = "/usr/pbi/freeradius-i386/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes set_auth_type = yes keepalive { idle = 60 probes = 3 interval = 3 } } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /usr/pbi/freeradius-i386/etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x28516580 Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /usr/pbi/freeradius-i386/etc/raddb/eap.conf eap { default_eap_type = "mschapv2" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/usr/pbi/freeradius-i386/etc/raddb/certs" pem_file_type = yes private_key_file = "/usr/pbi/freeradius-i386/etc/raddb/certs/server_key.pem" certificate_file = "/usr/pbi/freeradius-i386/etc/raddb/certs/server_cert.pem" CA_file = "/usr/pbi/freeradius-i386/etc/raddb/certs/ca_cert.pem" private_key_password = "whatever" dh_file = "/usr/pbi/freeradius-i386/etc/raddb/certs/dh" random_file = "/usr/pbi/freeradius-i386/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = no url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /usr/pbi/freeradius-i386/etc/raddb/modules/preprocess preprocess { huntgroups = "/usr/pbi/freeradius-i386/etc/raddb/huntgroups" hints = "/usr/pbi/freeradius-i386/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/huntgroups reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/hints Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /usr/pbi/freeradius-i386/etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = yes } Module: Instantiating module "ntdomain" from file /usr/pbi/freeradius-i386/etc/raddb/modules/realm realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = yes } Module: Linked to module rlm_files Module: Instantiating module "files" from file /usr/pbi/freeradius-i386/etc/raddb/modules/files files { usersfile = "/usr/pbi/freeradius-i386/etc/raddb/users" acctusersfile = "/usr/pbi/freeradius-i386/etc/raddb/acct_users" preproxy_usersfile = "/usr/pbi/freeradius-i386/etc/raddb/preproxy_users" compat = "no" } reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/users reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/acct_users reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/preproxy_users Module: Linked to module rlm_sql Module: Instantiating module "sql" from file /usr/pbi/freeradius-i386/etc/raddb/sql.conf sql { driver = "rlm_sql_mysql" server = "lamp.jetdom.local" port = "3306" login = "radius" password = "radpass" radius_db = "radius" read_groups = yes sqltrace = no sqltracefile = "/var/log/sqltrace.sql" readclients = yes deletestalesessions = yes num_sql_socks = 5 lifetime = 0 max_queries = 0 sql_user_name = "%{User-Name}" default_user_profile = "" nas_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id" accounting_onoff_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = unix_timestamp('%S') - unix_timestamp(acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = %{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'" accounting_update_query = " UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_update_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctsessiontime, acctauthentic, connectinfo_start, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, servicetype, framedprotocol, framedipaddress, acctstartdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query_alt = " UPDATE radacct SET acctstarttime = '%S', acctstartdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_start = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{%{Acct-Delay-Time}:-0}')" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" connect_failure_retry_delay = 60 simul_count_query = "" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" postauth_query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')" safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked rlm_sql (sql): Attempting to connect to radius@lamp.jetdom.local:3306/radius rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_mysql #0 rlm_sql_mysql: Starting connect to MySQL server for #0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_mysql #1 rlm_sql_mysql: Starting connect to MySQL server for #1 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_mysql #2 rlm_sql_mysql: Starting connect to MySQL server for #2 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_mysql #3 rlm_sql_mysql: Starting connect to MySQL server for #3 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_mysql #4 rlm_sql_mysql: Starting connect to MySQL server for #4 rlm_sql (sql): Connected new DB handle, #4 rlm_sql (sql): Processing generate_sql_clients rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Reserving sql socket id: 4 rlm_sql (sql): Released sql socket id: 4 Module: Linked to module rlm_checkval Module: Instantiating module "checkval" from file /usr/pbi/freeradius-i386/etc/raddb/modules/checkval checkval { item-name = "Calling-Station-Id" check-name = "Calling-Station-Id" data-type = "string" notfound-reject = no } rlm_checkval: Registered name Calling-Station-Id for attribute 31 Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /usr/pbi/freeradius-i386/etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /usr/pbi/freeradius-i386/etc/raddb/modules/detail detail { detailfile = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "datacounterdaily" from file /usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct exec datacounterdaily { wait = yes program = "/bin/sh /usr/pbi/freeradius-i386/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} daily %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}" input_pairs = "request" shell_escape = yes } Module: Instantiating module "datacounterweekly" from file /usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct exec datacounterweekly { wait = yes program = "/bin/sh /usr/pbi/freeradius-i386/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} weekly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}" input_pairs = "request" shell_escape = yes } Module: Instantiating module "datacountermonthly" from file /usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct exec datacountermonthly { wait = yes program = "/bin/sh /usr/pbi/freeradius-i386/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} monthly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}" input_pairs = "request" shell_escape = yes } Module: Instantiating module "datacounterforever" from file /usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct exec datacounterforever { wait = yes program = "/bin/sh /usr/pbi/freeradius-i386/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} forever %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}" input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /usr/pbi/freeradius-i386/etc/raddb/modules/radutmp radutmp { filename = "/var/log/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/usr/pbi/freeradius-i386/etc/raddb/attrs.accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/attrs.accounting_response Module: Checking session {...} for more modules to load Module: Checking pre-proxy {...} for more modules to load Module: Instantiating module "attr_filter.pre-proxy" from file /usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter attr_filter attr_filter.pre-proxy { attrsfile = "/usr/pbi/freeradius-i386/etc/raddb/attrs.pre-proxy" key = "%{Realm}" relaxed = no } reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/attrs.pre-proxy Module: Checking post-proxy {...} for more modules to load Module: Instantiating module "attr_filter.post-proxy" from file /usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter attr_filter attr_filter.post-proxy { attrsfile = "/usr/pbi/freeradius-i386/etc/raddb/attrs" key = "%{Realm}" relaxed = no } reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/attrs Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/usr/pbi/freeradius-i386/etc/raddb/attrs.access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/attrs.access_reject } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = 192.168.56.1 port = 1812 } listen { type = "acct" ipaddr = 192.168.56.1 port = 1813 } Listening on authentication address 192.168.56.1 port 1812 Listening on accounting address 192.168.56.1 port 1813 Listening on proxy address 192.168.56.1 port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.56.1 port 5829, id=1, length=71 User-Name = "administrator" User-Password = "jet10520b" NAS-Port = 111 NAS-Port-Type = Async NAS-IP-Address = 192.168.56.1 # Executing section authorize from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "administrator", skipping NULL due to config. ++[suffix] = noop [ntdomain] No '\' in User-Name = "administrator", skipping NULL due to config. ++[ntdomain] = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop [ldap] Entering ldap_groupcmp() [files] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [files] expand: %{Stripped-User-Name} -> [files] ... expanding second conditional [files] expand: %{User-Name} -> administrator [files] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=administrator) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to jetsms-srv2003.jetdom.local:389, authentication 0 [ldap] setting TLS CACert File to /usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem [ldap] setting TLS CACert Directory to /usr/pbi/freeradius-i386/etc/raddb/certs/ [ldap] setting TLS Require Cert to never [ldap] setting TLS Cert File to /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt [ldap] setting TLS Key File to /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key [ldap] setting TLS Rand File to /usr/pbi/freeradius-i386/etc/raddb/certs/random [ldap] bind as cn=pfsense,cn=Users,dc=jetdom,dc=local/Tramontane10520 to jetsms-srv2003.jetdom.local:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=administrator) [ldap] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (&(cn=InternetAccess)(|(&(objectClass=GroupOfNames)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in CN=Administrator,CN=Users,DC=jetdom,DC=local, with filter (objectclass=*) [ldap] performing search in CN=InternetAccess,CN=Users,DC=jetdom,DC=local, with filter (cn=InternetAccess) rlm_ldap::ldap_groupcmp: User found in group InternetAccess [ldap] ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 5 ++[files] = ok ++policy redundant { [sql] expand: %{User-Name} -> administrator [sql] sql_set_user escaped user --> 'administrator' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'administrator' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'administrator' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 [sql] User administrator not found +++[sql] = notfound ++} # policy redundant = notfound ++policy redundant { [ldap] performing user authorization for administrator [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> administrator [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=administrator) [ldap] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=administrator) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] ldap_release_conn: Release Id: 0 +++[ldap] = ok ++} # policy redundant = ok rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[daily] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[weekly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[monthly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[forever] = noop rlm_checkval: Could not find item named Calling-Station-Id in request rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs ++[checkval] = notfound ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = ok Found Auth-Type = Accept Auth-Type = Accept, accepting the user expand: -> Login OK: [administrator] (from client squid port 111) # Executing section post-auth from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group post-auth { ++policy redundant { [sql] expand: %{User-Name} -> administrator [sql] sql_set_user escaped user --> 'administrator' [sql] expand: %{User-Password} -> jet10520b [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'administrator', 'jet10520b', 'Access-Accept', '2015-04-21 23:06:58') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'administrator', 'jet10520b', 'Access-Accept', '2015-04-21 23:06:58') rlm_sql (sql): Reserving sql socket id: 2 rlm_sql (sql): Released sql socket id: 2 +++[sql] = ok ++} # policy redundant = ok ++[exec] = noop +} # group post-auth = ok Sending Access-Accept of id 1 to 192.168.56.1 port 5829 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 1 with timestamp +71 Ready to process requests. On Tue, Apr 21, 2015 at 9:44 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Apr 21, 2015, at 12:07 AM, Jose Torres-Berrocal < jetsystemservices@gmail.com> wrote:
I noticed that my problem is that when using group options I get authorized successfully but does not get authenticated (Using Compare Check Items = No results in Access-Accept). When not using group options I get authorized and authenticated successfully.
So... what does the debug output say? You posted the configuration files, which aren't necessary, and don't help.
Is there a way to do a two pass process? If I could run the first pass without group options and the second pass if authenticated run with group options, I will get my desired result.
The correct solution is to fix your policies. They're wrong now. It's best to understand *why* they're wrong, and fix the problem.
By the way I found how to run in debug mode in pfsense and do some custome changes in the Users.conf file.
Then post the debug output here.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 21, 2015, at 11:31 PM, Jose Torres-Berrocal <jetsystemservices@gmail.com> wrote:
Debug output using group options:
While posting the debug output is nice, it would help for *you* to look at them, too. Just dumping them here and expecting us to do all the work is... not nice. You can use tools like "diff" to see what the differences are. Then, post the *differences* here, and ask for clarification. i.e. if you're not going to read the debug output, we're not going to read it, either. Alan DeKok.
Here is the Debug output differences with some context lines. As I said on previous email, when using group options I can see on the debug that is not authenticating only authorizing, while not using group options is indeed authenticating. I can see that there is also something different about PAP. ============================================================================================================================= Debug diff sections using group options with some context lines: ============================================================================================================================= basedn = "cn=Users,dc=jetdom,dc=local" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=*)" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" groupmembership_attribute = "memberOf" dictionary_mapping = "/usr/pbi/freeradius-i386/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes [ldap] Bind was successful [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=administrator) [ldap] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (&(cn=InternetAccess)(|(&(objectClass=GroupOfNames)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in CN=Administrator,CN=Users,DC=jetdom,DC=local, with filter (objectclass=*) [ldap] performing search in CN=InternetAccess,CN=Users,DC=jetdom,DC=local, with filter (cn=InternetAccess) rlm_ldap::ldap_groupcmp: User found in group InternetAccess [ldap] ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 5 ++[files] = ok ++policy redundant { [sql] expand: %{User-Name} -> administrator [sql] sql_set_user escaped user --> 'administrator' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'administrator' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'administrator' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 [sql] User administrator not found +++[sql] = notfound ++} # policy redundant = notfound ++policy redundant { [ldap] performing user authorization for administrator [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> administrator [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=administrator) [ldap] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=administrator) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] ldap_release_conn: Release Id: 0 +++[ldap] = ok ++} # policy redundant = ok rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[daily] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[weekly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[monthly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[forever] = noop rlm_checkval: Could not find item named Calling-Station-Id in request rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs ++[checkval] = notfound ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = ok Found Auth-Type = Accept Auth-Type = Accept, accepting the user expand: -> Login OK: [administrator] (from client squid port 111) # Executing section post-auth from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group post-auth { ++policy redundant { [sql] expand: %{User-Name} -> administrator [sql] sql_set_user escaped user --> 'administrator' [sql] expand: %{User-Password} -> jet10520b [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'administrator', 'jet10520b', 'Access-Accept', '2015-04-21 23:06:58') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'administrator', 'jet10520b', 'Access-Accept', '2015-04-21 23:06:58') rlm_sql (sql): Reserving sql socket id: 2 rlm_sql (sql): Released sql socket id: 2 +++[sql] = ok ++} # policy redundant = ok ++[exec] = noop +} # group post-auth = ok Sending Access-Accept of id 1 to 192.168.56.1 port 5829 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 1 with timestamp +71 Ready to process requests. ============================================================================================================================= Debug diff sections NOT using group options with some context lines: ============================================================================================================================= basedn = "cn=Users,dc=jetdom,dc=local" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=*)" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/usr/pbi/freeradius-i386/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes [ldap] Bind was successful [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=administrator) [ldap] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (&(cn=InternetAccess)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 rlm_ldap::ldap_groupcmp: Group InternetAccess not found or user is not a member. [ldap] Entering ldap_groupcmp() [files] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [files] expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (&(cn=InternetAccess)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 rlm_ldap::ldap_groupcmp: Group InternetAccess not found or user is not a member. ++[files] = noop ++policy redundant { [sql] expand: %{User-Name} -> administrator [sql] sql_set_user escaped user --> 'administrator' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'administrator' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'administrator' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 [sql] User administrator not found +++[sql] = notfound ++} # policy redundant = notfound ++policy redundant { [ldap] performing user authorization for administrator [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> administrator [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=administrator) [ldap] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=administrator) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] Setting Auth-Type = LDAP [ldap] ldap_release_conn: Release Id: 0 +++[ldap] = ok ++} # policy redundant = ok rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[daily] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[weekly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[monthly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[forever] = noop rlm_checkval: Could not find item named Calling-Station-Id in request rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs ++[checkval] = notfound ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = ok Found Auth-Type = LDAP # Executing group from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group LDAP { [ldap] login attempt by "administrator" with password "jet10520b" [ldap] user DN: CN=Administrator,CN=Users,DC=jetdom,DC=local [ldap] (re)connect to jetsms-srv2003.jetdom.local:389, authentication 1 [ldap] setting TLS CACert File to /usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem [ldap] setting TLS CACert Directory to /usr/pbi/freeradius-i386/etc/raddb/certs/ [ldap] setting TLS Require Cert to never [ldap] setting TLS Cert File to /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt [ldap] setting TLS Key File to /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key [ldap] setting TLS Rand File to /usr/pbi/freeradius-i386/etc/raddb/certs/random [ldap] bind as CN=Administrator,CN=Users,DC=jetdom,DC=local/jet10520b to jetsms-srv2003.jetdom.local:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] user administrator authenticated succesfully ++[ldap] = ok +} # group LDAP = ok expand: -> Login OK: [administrator] (from client squid port 111) # Executing section post-auth from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group post-auth { ++policy redundant { [sql] expand: %{User-Name} -> administrator [sql] sql_set_user escaped user --> 'administrator' [sql] expand: %{User-Password} -> jet10520b [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'administrator', 'jet10520b', 'Access-Accept', '2015-04-21 23:26:00') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'administrator', 'jet10520b', 'Access-Accept', '2015-04-21 23:26:00') rlm_sql (sql): Reserving sql socket id: 2 rlm_sql (sql): Released sql socket id: 2 +++[sql] = ok ++} # policy redundant = ok ++[exec] = noop +} # group post-auth = ok Sending Access-Accept of id 3 to 192.168.56.1 port 5829 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 3 with timestamp +47 Ready to process requests. On Wed, Apr 22, 2015 at 6:51 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Apr 21, 2015, at 11:31 PM, Jose Torres-Berrocal < jetsystemservices@gmail.com> wrote:
Debug output using group options:
While posting the debug output is nice, it would help for *you* to look at them, too. Just dumping them here and expecting us to do all the work is... not nice.
You can use tools like "diff" to see what the differences are. Then, post the *differences* here, and ask for clarification.
i.e. if you're not going to read the debug output, we're not going to read it, either.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 22, 2015, at 12:08 PM, Jose Torres-Berrocal <jetsystemservices@gmail.com> wrote:
Here is the Debug output differences with some context lines.
It's still difficult to see what's going on.
As I said on previous email, when using group options I can see on the debug that is not authenticating only authorizing, while not using group options is indeed authenticating. I can see that there is also something different about PAP.
Both debug outputs return Access-Accept. What's the problem? Be SPECIFIC. Don't just say "the output is different". Say I expected it to do X, and it did Y instead". Alan DeKok.
In the current two scenarios both return Access-Accept. But: 1. Not using group options if I enter the wrong password the result is Reject for any user in the LDAP database, and using the correct password the result is Accept for any group. 2. Using group options, result is Reject if does not belong to the group, but Accept to the users in the group even if they enter wrong password because is not Authenticating. What I need is get a result of Accept only if belongs to the group and enter the correct password. In a way I could say that I need to Authorize by Group and Authenticate by User. On Wed, Apr 22, 2015 at 12:30 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Apr 22, 2015, at 12:08 PM, Jose Torres-Berrocal < jetsystemservices@gmail.com> wrote:
Here is the Debug output differences with some context lines.
It's still difficult to see what's going on.
As I said on previous email, when using group options I can see on the debug that is not authenticating only authorizing, while not using group options is indeed authenticating. I can see that there is also something different about PAP.
Both debug outputs return Access-Accept.
What's the problem?
Be SPECIFIC. Don't just say "the output is different". Say I expected it to do X, and it did Y instead".
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 22, 2015, at 3:25 PM, Jose Torres-Berrocal <jetsystemservices@gmail.com> wrote:
In the current two scenarios both return Access-Accept.
Yes... it helps to be clear from the *start*. If you had posted a good description earlier, the problem would have been solved earlier. By keeping the description secret, you've made it difficult for people to help you.
But: 1. Not using group options if I enter the wrong password the result is Reject for any user in the LDAP database, and using the correct password the result is Accept for any group.
What does "not using group options" mean?
2. Using group options, result is Reject if does not belong to the group, but Accept to the users in the group even if they enter wrong password because is not Authenticating.
What the heck does that mean? It returns Access-Accept even when it's not authenticating the user? Just what have you done to butcher the configuration?
What I need is get a result of Accept only if belongs to the group and enter the correct password. In a way I could say that I need to Authorize by Group and Authenticate by User.
No. Your explanation is *wrong*. Your use of the terminology is wrong, too. That's probably why you're having such a hard time solving this problem. Because you're not using the right words... and you're not understanding the concepts... and your "solution" is based on misunderstanding. When you use "ldap" in the "authorize" section, FreeRADIUS will read any password configured for that user. That password will then be used to authenticate the user. I'm presuming that's how you want the server to authenticate users. Is that right? And then what do you want for LDAP groups? Saying "using group options" is vague to the point of being meaningless. Say EXACTLY what you mean: - I want users in group X to be authenticated, and users in group Y to be rejected. Is that it? Right now, all I know is that you want to do things with LDAP groups. Well, that doesn't mean anything. And it's starting to be frustrating that I'm trying to help you, and you're doing everything EXCEPT give a clear explanation of what you want. How about I give you a "solution" which is as vague as your question? I suggest you do stuff with LDAP groups. That will fix it! Not helpful. Alan DeKok.
OK. Lets try again. I think one coffusion is that Radius has a setting called Groupname attribute. I am talking about the Group name in Active Directory as Domain Admins, Administrators, etc. Let say that the AD/LDAP groups are called Wingroups, and Wingroup name is for instance Domain Admins. In my case I want to use the Wingroup InternetAccess. I do not know how to make aside the conffusion on Authorization and Authentication, but let say that Authentication is having a process where the username/password combination values that are received in the connection request is verified against the LDAP and if found it is say to be Authenticated succesfully otherwise failed. I know there are other types of Authentications but I want to keep it simple. Now, Authorization is the process to allow or denied the request to connect. I now there are branches to this, but for simplicity I would like to keep it in that. Then, I want to allow connection to requests that have a username/password combination authenticated succesfully against an LDAP (Windows AD) and which user belongs to Wingroup InternetAccess. I have being succesfull allowing connection by username/password or by the user belonging to Wingroup, but not at the same time. Those are the debugs I already sent you. When I set the Group name attribute, groupmembership_filter and groupmembership_attribute (Which is what I call using group options) I am succesfull allowing/denied connection by the user belonging to the Wingroup, but it currently ignores the password. When I comment the Group name attribute, groupmembership_attribute, etc (Which is what I call not using group options), I am succesfull allowing/denied connection by the username/password, but clearly does not work with the Wingroup. I have being playing with the Users.conf file and I think is really close for what I need, not sure if it is the correct way. ==================================================== /usr/pbi/freeradius-i386/etc/raddb/users "test" Cleartext-Password := "squidtest" DEFAULT Ldap-Group != "InternetAccess", Auth-Type := Reject Ldap-Group == "InternetAccess", Auth-Type := LDAP ==================================================== Debug output that closely do what I want. Ii is long because is showing on the same run four (4) tests. 1. Username/password combination found in LDAP but NOT in Wingroup. 2. Username/password combination not found in LDAP but in Wingroup 3. Username/password combination found in LDAP and in Wingroup 4. Username/password combination not found in LDAP and not in Wingroup basedn = "cn=Users,dc=jetdom,dc=local" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=*)" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" groupmembership_attribute = "memberOf" dictionary_mapping = "/usr/pbi/freeradius-i386/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes set_auth_type = yes reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/users [/usr/pbi/freeradius-i386/etc/raddb/users]:5 WARNING! Check item "Ldap-Group" found in reply item list for user "DEFAULT". This attribute MUST go on the first line with the other check items reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/acct_users reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/preproxy_users Listening on authentication address 192.168.56.1 port 1812 Listening on accounting address 192.168.56.1 port 1813 Listening on proxy address 192.168.56.1 port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.56.1 port 1140, id=29, length=65 User-Name = "normal1" User-Password = "Tramontane10520" NAS-Port = 111 NAS-Port-Type = Async NAS-IP-Address = 192.168.56.1 # Executing section authorize from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "normal1", skipping NULL due to config. ++[suffix] = noop [ntdomain] No '\' in User-Name = "normal1", skipping NULL due to config. ++[ntdomain] = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop [ldap] Entering ldap_groupcmp() [files] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [files] expand: %{Stripped-User-Name} -> [files] ... expanding second conditional [files] expand: %{User-Name} -> normal1 [files] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=normal1) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to jetsms-srv2003.jetdom.local:389, authentication 0 [ldap] setting TLS CACert File to /usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem [ldap] setting TLS CACert Directory to /usr/pbi/freeradius-i386/etc/raddb/certs/ [ldap] setting TLS Require Cert to never [ldap] setting TLS Cert File to /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt [ldap] setting TLS Key File to /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key [ldap] setting TLS Rand File to /usr/pbi/freeradius-i386/etc/raddb/certs/random [ldap] bind as cn=pfsense,cn=Users,dc=jetdom,dc=local/Tramontane10520 to jetsms-srv2003.jetdom.local:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=normal1) [ldap] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dNormaluser\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dNormaluser\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (&(cn=InternetAccess)(|(&(objectClass=GroupOfNames)(member=CN\3dNormaluser\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dNormaluser\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in CN=Normaluser,CN=Users,DC=jetdom,DC=local, with filter (objectclass=*) rlm_ldap::ldap_groupcmp: ldap_get_values() failed [ldap] ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 5 ++[files] = ok ++policy redundant { [sql] expand: %{User-Name} -> normal1 [sql] sql_set_user escaped user --> 'normal1' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'normal1' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'normal1' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 [sql] User normal1 not found +++[sql] = notfound ++} # policy redundant = notfound ++policy redundant { [ldap] performing user authorization for normal1 [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> normal1 [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=normal1) [ldap] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=normal1) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] ldap_release_conn: Release Id: 0 +++[ldap] = ok ++} # policy redundant = ok rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[daily] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[weekly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[monthly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[forever] = noop rlm_checkval: Could not find item named Calling-Station-Id in request rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs ++[checkval] = notfound ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = ok Found Auth-Type = Reject Auth-Type = Reject, rejecting user Failed to authenticate the user. expand: -> Login incorrect: [normal1] (from client squid port 111) Using Post-Auth-Type REJECT # Executing group from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> normal1 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 29 to 192.168.56.1 port 1140 Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.56.1 port 1140, id=29, length=65 Sending duplicate reply to client squid port 1140 - ID: 29 Sending Access-Reject of id 29 to 192.168.56.1 port 1140 Waking up in 4.9 seconds. Cleaning up request 0 ID 29 with timestamp +25 Ready to process requests. rad_recv: Access-Request packet from host 192.168.56.1 port 1140, id=30, length=71 User-Name = "administrator" User-Password = "password" NAS-Port = 111 NAS-Port-Type = Async NAS-IP-Address = 192.168.56.1 # Executing section authorize from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "administrator", skipping NULL due to config. ++[suffix] = noop [ntdomain] No '\' in User-Name = "administrator", skipping NULL due to config. ++[ntdomain] = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop [ldap] Entering ldap_groupcmp() [files] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [files] expand: %{Stripped-User-Name} -> [files] ... expanding second conditional [files] expand: %{User-Name} -> administrator [files] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=administrator) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=administrator) [ldap] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (&(cn=InternetAccess)(|(&(objectClass=GroupOfNames)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in CN=Administrator,CN=Users,DC=jetdom,DC=local, with filter (objectclass=*) [ldap] performing search in CN=InternetAccess,CN=Users,DC=jetdom,DC=local, with filter (cn=InternetAccess) rlm_ldap::ldap_groupcmp: User found in group InternetAccess [ldap] ldap_release_conn: Release Id: 0 ++[files] = noop ++policy redundant { [sql] expand: %{User-Name} -> administrator [sql] sql_set_user escaped user --> 'administrator' rlm_sql (sql): Reserving sql socket id: 2 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'administrator' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'administrator' ORDER BY priority rlm_sql (sql): Released sql socket id: 2 [sql] User administrator not found +++[sql] = notfound ++} # policy redundant = notfound ++policy redundant { [ldap] performing user authorization for administrator [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> administrator [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=administrator) [ldap] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=administrator) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] Setting Auth-Type = LDAP [ldap] ldap_release_conn: Release Id: 0 +++[ldap] = ok ++} # policy redundant = ok rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[daily] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[weekly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[monthly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[forever] = noop rlm_checkval: Could not find item named Calling-Station-Id in request rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs ++[checkval] = notfound ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = ok Found Auth-Type = LDAP # Executing group from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group LDAP { [ldap] login attempt by "administrator" with password "password" [ldap] user DN: CN=Administrator,CN=Users,DC=jetdom,DC=local [ldap] (re)connect to jetsms-srv2003.jetdom.local:389, authentication 1 [ldap] setting TLS CACert File to /usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem [ldap] setting TLS CACert Directory to /usr/pbi/freeradius-i386/etc/raddb/certs/ [ldap] setting TLS Require Cert to never [ldap] setting TLS Cert File to /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt [ldap] setting TLS Key File to /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key [ldap] setting TLS Rand File to /usr/pbi/freeradius-i386/etc/raddb/certs/random [ldap] bind as CN=Administrator,CN=Users,DC=jetdom,DC=local/password to jetsms-srv2003.jetdom.local:389 [ldap] waiting for bind result ... [ldap] Bind failed with invalid credentials ++[ldap] = reject +} # group LDAP = reject Failed to authenticate the user. expand: -> Login incorrect ( [ldap] Bind as user failed): [administrator] (from client squid port 111) Using Post-Auth-Type REJECT # Executing group from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> administrator attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 30 to 192.168.56.1 port 1140 rad_recv: Access-Request packet from host 192.168.56.1 port 1140, id=30, length=71 Sending duplicate reply to client squid port 1140 - ID: 30 Sending Access-Reject of id 30 to 192.168.56.1 port 1140 Waking up in 4.9 seconds. Cleaning up request 1 ID 30 with timestamp +35 Ready to process requests. rad_recv: Access-Request packet from host 192.168.56.1 port 1140, id=31, length=71 User-Name = "administrator" User-Password = "jet10520b" NAS-Port = 111 NAS-Port-Type = Async NAS-IP-Address = 192.168.56.1 # Executing section authorize from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "administrator", skipping NULL due to config. ++[suffix] = noop [ntdomain] No '\' in User-Name = "administrator", skipping NULL due to config. ++[ntdomain] = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop [ldap] Entering ldap_groupcmp() [files] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [files] expand: %{Stripped-User-Name} -> [files] ... expanding second conditional [files] expand: %{User-Name} -> administrator [files] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=administrator) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=administrator) [ldap] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (&(cn=InternetAccess)(|(&(objectClass=GroupOfNames)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in CN=Administrator,CN=Users,DC=jetdom,DC=local, with filter (objectclass=*) [ldap] performing search in CN=InternetAccess,CN=Users,DC=jetdom,DC=local, with filter (cn=InternetAccess) rlm_ldap::ldap_groupcmp: User found in group InternetAccess [ldap] ldap_release_conn: Release Id: 0 ++[files] = noop ++policy redundant { [sql] expand: %{User-Name} -> administrator [sql] sql_set_user escaped user --> 'administrator' rlm_sql (sql): Reserving sql socket id: 1 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'administrator' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'administrator' ORDER BY priority rlm_sql (sql): Released sql socket id: 1 [sql] User administrator not found +++[sql] = notfound ++} # policy redundant = notfound ++policy redundant { [ldap] performing user authorization for administrator [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> administrator [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=administrator) [ldap] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=administrator) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] Setting Auth-Type = LDAP [ldap] ldap_release_conn: Release Id: 0 +++[ldap] = ok ++} # policy redundant = ok rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[daily] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[weekly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[monthly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[forever] = noop rlm_checkval: Could not find item named Calling-Station-Id in request rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs ++[checkval] = notfound ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = ok Found Auth-Type = LDAP # Executing group from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group LDAP { [ldap] login attempt by "administrator" with password "jet10520b" [ldap] user DN: CN=Administrator,CN=Users,DC=jetdom,DC=local [ldap] (re)connect to jetsms-srv2003.jetdom.local:389, authentication 1 [ldap] setting TLS CACert File to /usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem [ldap] setting TLS CACert Directory to /usr/pbi/freeradius-i386/etc/raddb/certs/ [ldap] setting TLS Require Cert to never [ldap] setting TLS Cert File to /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt [ldap] setting TLS Key File to /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key [ldap] setting TLS Rand File to /usr/pbi/freeradius-i386/etc/raddb/certs/random [ldap] bind as CN=Administrator,CN=Users,DC=jetdom,DC=local/jet10520b to jetsms-srv2003.jetdom.local:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] user administrator authenticated succesfully ++[ldap] = ok +} # group LDAP = ok expand: -> Login OK: [administrator] (from client squid port 111) # Executing section post-auth from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group post-auth { ++policy redundant { [sql] expand: %{User-Name} -> administrator [sql] sql_set_user escaped user --> 'administrator' [sql] expand: %{User-Password} -> jet10520b [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'administrator', 'jet10520b', 'Access-Accept', '2015-04-22 17:13:08') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'administrator', 'jet10520b', 'Access-Accept', '2015-04-22 17:13:08') rlm_sql (sql): Reserving sql socket id: 0 rlm_sql (sql): Released sql socket id: 0 +++[sql] = ok ++} # policy redundant = ok ++[exec] = noop +} # group post-auth = ok Sending Access-Accept of id 31 to 192.168.56.1 port 1140 Finished request 2. Going to the next request Waking up in 4.8 seconds. Cleaning up request 2 ID 31 with timestamp +46 Ready to process requests. rad_recv: Access-Request packet from host 192.168.56.1 port 1140, id=32, length=64 User-Name = "carlos" User-Password = "casas" NAS-Port = 111 NAS-Port-Type = Async NAS-IP-Address = 192.168.56.1 # Executing section authorize from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "carlos", skipping NULL due to config. ++[suffix] = noop [ntdomain] No '\' in User-Name = "carlos", skipping NULL due to config. ++[ntdomain] = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop [ldap] Entering ldap_groupcmp() [files] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [files] expand: %{Stripped-User-Name} -> [files] ... expanding second conditional [files] expand: %{User-Name} -> carlos [files] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=carlos) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=carlos) [ldap] object not found rlm_ldap::ldap_groupcmp: search failed [ldap] ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 5 ++[files] = ok ++policy redundant { [sql] expand: %{User-Name} -> carlos [sql] sql_set_user escaped user --> 'carlos' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'carlos' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'carlos' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'carlos' ORDER BY priority rlm_sql (sql): Released sql socket id: 4 +++[sql] = ok ++} # policy redundant = ok ++policy redundant { [ldap] performing user authorization for carlos [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> carlos [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=carlos) [ldap] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter (sAMAccountName=carlos) [ldap] object not found [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 +++[ldap] = notfound ++} # policy redundant = notfound rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[daily] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[weekly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[monthly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[forever] = noop rlm_checkval: Could not find item named Calling-Station-Id in request rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs ++[checkval] = notfound ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = ok Found Auth-Type = Reject Auth-Type = Reject, rejecting user Failed to authenticate the user. expand: -> Login incorrect ( [ldap] User not found): [carlos] (from client squid port 111) Using Post-Auth-Type REJECT # Executing group from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> carlos attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 3 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 3 Sending Access-Reject of id 32 to 192.168.56.1 port 1140 Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.56.1 port 1140, id=32, length=64 Sending duplicate reply to client squid port 1140 - ID: 32 Sending Access-Reject of id 32 to 192.168.56.1 port 1140 Waking up in 4.9 seconds. Cleaning up request 3 ID 32 with timestamp +74 Ready to process requests.
On Apr 23, 2015, at 4:24 PM, Jose Torres-Berrocal <jetsystemservices@gmail.com> wrote:
I think one coffusion is that Radius has a setting called Groupname attribute.
FreeRADIUS has an LDAP-Group attribute. Is that what you mean?
I am talking about the Group name in Active Directory as Domain Admins, Administrators, etc. Let say that the AD/LDAP groups are called Wingroups, and Wingroup name is for instance Domain Admins. In my case I want to use the Wingroup InternetAccess.
Please don't invent new terminology. That makes it more confusing. FreeRADIUS uses LDAP-Group to check.... groups in LDAP. In your case, AD. That should be clear.
I do not know how to make aside the conffusion on Authorization and Authentication, but let say that Authentication is having a process where the username/password combination values that are received in the connection request is verified against the LDAP and if found it is say to be Authenticated succesfully otherwise failed.
Don't re-define existing terminology. Authentication is where users are authenticated. And no, their connection request is not verified against LDAP. You're again using vague and imprecise terminology. Please stop.
I know there are other types of Authentications but I want to keep it simple. Now, Authorization is the process to allow or denied the request to connect. I now there are branches to this, but for simplicity I would like to keep it in that.
Requests don't connect. Users connect. This difference MATTERS.
Then, I want to allow connection to requests that have a username/password combination authenticated succesfully against an LDAP (Windows AD) and which user belongs to Wingroup InternetAccess.
This is really the first simple explanation I've seen. It shouldn't be that hard to do, to be honest.
I have being succesfull allowing connection by username/password or by the user belonging to Wingroup, but not at the same time. Those are the debugs I already sent you.
There's hundreds of lines of output, but it's not clear what you want. So... it's hard to say what's going wrong in the debug output.
When I set the Group name attribute, groupmembership_filter and groupmembership_attribute (Which is what I call using group options)
Again, you're inventing terminology. Stop it. You're confusing yourself, and making the problem worse. MUCH worse.
I am succesfull allowing/denied connection by the user belonging to the Wingroup, but it currently ignores the password.
Well, no. You didn't do what you said. Instead, you checked for the group, and if the user was in the group, you set Auth-Type := Accept. That's a bit different.
When I comment the Group name attribute, groupmembership_attribute, etc (Which is what I call not using group options), I am succesfull allowing/denied connection by the username/password, but clearly does not work with the Wingroup.
So... when you don't check groups, it doesn't do group checking? That's not a surprise.
I have being playing with the Users.conf file and I think is really close for what I need, not sure if it is the correct way
It's not a "users.conf" file. Again, you're inventing terminology. What do I need to do in order to convince you that your entire approach is wrong? That inventing things, and changing the meaning of existing words is a PROBLEM? Don't do it. Just... don't.
==================================================== /usr/pbi/freeradius-i386/etc/raddb/users
"test" Cleartext-Password := "squidtest" DEFAULT Ldap-Group != "InternetAccess", Auth-Type := Reject Ldap-Group == "InternetAccess", Auth-Type := LDAP ====================================================
That isn't what you have in the file. It's been modified and re-formatted.
Debug output that closely do what I want. Ii is long because is showing on the same run four (4) tests. 1. Username/password combination found in LDAP but NOT in Wingroup. 2. Username/password combination not found in LDAP but in Wingroup 3. Username/password combination found in LDAP and in Wingroup 4. Username/password combination not found in LDAP and not in Wingroup
If you understand what's going on, and don't invent new terminology, it's simple. Just do this: 1) configure the ldap module. ALL of it. Including the groupmembership_attribute, groupmembership_filter, etc. 2) put this into the "users" file, at the TOP of the file: # DEFAULT LDAP-Group == "InternetAccess", Auth-Type := LDAP # 3) be sure there's no "ldap" in the "authorize" section 4) be sure there's "Auth-Type LDAP" in the "authenticate" section Try to connect. Users in the "InternetAccess" group will get authenticated. But ONLY if their name and password is correct. Users NOT in the "InternetAccess" group will not get authenticated. It really is that easy. But you SHOULD NOT invent new terminology. You MUST understand what the existing words mean. You MUST describe what you want in simple, clear, terms. Alan DeKok.
On Thu, Apr 23, 2015 at 4:57 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Apr 23, 2015, at 4:24 PM, Jose Torres-Berrocal <jetsystemservices@gmail.com> wrote:
I think one coffusion is that Radius has a setting called Groupname attribute.
FreeRADIUS has an LDAP-Group attribute. Is that what you mean?
No. I mean Groupname_attribute. In my configuration is set Groupname_attribute = cn.
I am talking about the Group name in Active Directory as Domain Admins, Administrators, etc. Let say that the AD/LDAP groups are called Wingroups, and Wingroup name is for instance Domain Admins. In my case I want to use the Wingroup InternetAccess.
Please don't invent new terminology. That makes it more confusing.
OK, then. When I say Group I am talking about the Group name in Active Directory as Domain Admins, Administrators, etc. In my case Group = IntenerAccess.
FreeRADIUS uses LDAP-Group to check.... groups in LDAP. In your case, AD. That should be clear.
I do not know how to make aside the conffusion on Authorization and Authentication, but let say that Authentication is having a process where the username/password combination values that are received in the connection request is verified against the LDAP and if found it is say to be Authenticated succesfully otherwise failed.
Don't re-define existing terminology. Authentication is where users are authenticated.
And no, their connection request is not verified against LDAP. You're again using vague and imprecise terminology. Please stop.
OK. Is verified against Active Directory using LDAP. Right?
I know there are other types of Authentications but I want to keep it simple. Now, Authorization is the process to allow or denied the request to connect. I now there are branches to this, but for simplicity I would like to keep it in that.
Requests don't connect. Users connect. This difference MATTERS.
Well, yes, the one who connects is the user but the allow or denied is the answer to a request, signified by the Access-Request packet. In RADIUS, the allow is signified by the Access-Accept, the denied by the Access-Reject, right?
Then, I want to allow connection to requests that have a username/password combination authenticated succesfully against an LDAP (Windows AD) and which user belongs to Wingroup InternetAccess.
This is really the first simple explanation I've seen. It shouldn't be that hard to do, to be honest.
I have being succesfull allowing connection by username/password or by the user belonging to Wingroup, but not at the same time. Those are the debugs I already sent you.
There's hundreds of lines of output, but it's not clear what you want. So... it's hard to say what's going wrong in the debug output.
When I set the Group name attribute, groupmembership_filter and groupmembership_attribute (Which is what I call using group options)
Again, you're inventing terminology. Stop it. You're confusing yourself, and making the problem worse. MUCH worse.
My bad. I should have written groupname_attribute instead of Group name attribute.
I am succesfull allowing/denied connection by the user belonging to the Wingroup, but it currently ignores the password.
Well, no. You didn't do what you said. Instead, you checked for the group, and if the user was in the group, you set Auth-Type := Accept. That's a bit different.
When I comment the Group name attribute, groupmembership_attribute, etc (Which is what I call not using group options), I am succesfull allowing/denied connection by the username/password, but clearly does not work with the Wingroup.
So... when you don't check groups, it doesn't do group checking? That's not a surprise.
I have being playing with the Users.conf file and I think is really close for what I need, not sure if it is the correct way
It's not a "users.conf" file. Again, you're inventing terminology.
My bad. I should have written "Users" file. Is that some files are .conf, others are .cnf and other without extension. There is no standard.
What do I need to do in order to convince you that your entire approach is wrong? That inventing things, and changing the meaning of existing words is a PROBLEM?
Don't do it. Just... don't.
==================================================== /usr/pbi/freeradius-i386/etc/raddb/users
"test" Cleartext-Password := "squidtest" DEFAULT Ldap-Group != "InternetAccess", Auth-Type := Reject Ldap-Group == "InternetAccess", Auth-Type := LDAP ====================================================
That isn't what you have in the file. It's been modified and re-formatted.
The initial file that I sent you is not the same as the one I currently have. As I told in the previous email, I have being playing with the Users file ( I written the name wrongly as Users.conf in the sentence) and clearly I change it trying to get closer to what I need. In fact is closer.
Debug output that closely do what I want. Ii is long because is showing on the same run four (4) tests. 1. Username/password combination found in LDAP but NOT in Wingroup. 2. Username/password combination not found in LDAP but in Wingroup 3. Username/password combination found in LDAP and in Wingroup 4. Username/password combination not found in LDAP and not in Wingroup
If you understand what's going on, and don't invent new terminology, it's simple. Just do this:
1) configure the ldap module. ALL of it. Including the groupmembership_attribute, groupmembership_filter, etc.
2) put this into the "users" file, at the TOP of the file:
# DEFAULT LDAP-Group == "InternetAccess", Auth-Type := LDAP #
3) be sure there's no "ldap" in the "authorize" section
4) be sure there's "Auth-Type LDAP" in the "authenticate" section
Try to connect. Users in the "InternetAccess" group will get authenticated. But ONLY if their name and password is correct.
Users NOT in the "InternetAccess" group will not get authenticated.
It really is that easy.
But you SHOULD NOT invent new terminology. You MUST understand what the existing words mean. You MUST describe what you want in simple, clear, terms.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
OK. I will try that configuration. I think the trick, as I call it, is to turn off Authorization for LDAP. Will let you know how it goes.
It works! Thank you very much! And yes the trick was to disable LDAP in Authorize section. In my case I had to do a work around. For a newbe, this makes more difficult to understand this service. See the following comment. Just for information to anyone reading this thread that uses pfsense. In pfsense 2.1.5, there is a bug. You can not disable Authorize LDAP check box on the GUI. If you do, the LDAP connection values are disabled and emptied, so LDAP won't work. You have to make your settings and after every SAVE configuration you have to manually edit the "sites-enable" configuration file, or disable and make the changes in LDAP file. I think is better the first approach. In pfsense 2.1.5 is in "/usr/pbi/freeradius-i386/etc/raddb/sites-enable/default" for i386 platform. There, go to the Authorize section and comment the corresponding LDAP lines. Restart and reload the Freeradius service so it picks the configuration change. On Fri, Apr 24, 2015 at 3:51 PM, Jose Torres-Berrocal <jetsystemservices@gmail.com> wrote:
On Thu, Apr 23, 2015 at 4:57 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Apr 23, 2015, at 4:24 PM, Jose Torres-Berrocal <jetsystemservices@gmail.com> wrote:
I think one coffusion is that Radius has a setting called Groupname attribute.
FreeRADIUS has an LDAP-Group attribute. Is that what you mean?
No. I mean Groupname_attribute. In my configuration is set Groupname_attribute = cn.
I am talking about the Group name in Active Directory as Domain Admins, Administrators, etc. Let say that the AD/LDAP groups are called Wingroups, and Wingroup name is for instance Domain Admins. In my case I want to use the Wingroup InternetAccess.
Please don't invent new terminology. That makes it more confusing.
OK, then. When I say Group I am talking about the Group name in Active Directory as Domain Admins, Administrators, etc. In my case Group = IntenerAccess.
FreeRADIUS uses LDAP-Group to check.... groups in LDAP. In your case, AD. That should be clear.
I do not know how to make aside the conffusion on Authorization and Authentication, but let say that Authentication is having a process where the username/password combination values that are received in the connection request is verified against the LDAP and if found it is say to be Authenticated succesfully otherwise failed.
Don't re-define existing terminology. Authentication is where users are authenticated.
And no, their connection request is not verified against LDAP. You're again using vague and imprecise terminology. Please stop.
OK. Is verified against Active Directory using LDAP. Right?
I know there are other types of Authentications but I want to keep it simple. Now, Authorization is the process to allow or denied the request to connect. I now there are branches to this, but for simplicity I would like to keep it in that.
Requests don't connect. Users connect. This difference MATTERS.
Well, yes, the one who connects is the user but the allow or denied is the answer to a request, signified by the Access-Request packet. In RADIUS, the allow is signified by the Access-Accept, the denied by the Access-Reject, right?
Then, I want to allow connection to requests that have a username/password combination authenticated succesfully against an LDAP (Windows AD) and which user belongs to Wingroup InternetAccess.
This is really the first simple explanation I've seen. It shouldn't be that hard to do, to be honest.
I have being succesfull allowing connection by username/password or by the user belonging to Wingroup, but not at the same time. Those are the debugs I already sent you.
There's hundreds of lines of output, but it's not clear what you want. So... it's hard to say what's going wrong in the debug output.
When I set the Group name attribute, groupmembership_filter and groupmembership_attribute (Which is what I call using group options)
Again, you're inventing terminology. Stop it. You're confusing yourself, and making the problem worse. MUCH worse.
My bad. I should have written groupname_attribute instead of Group name attribute.
I am succesfull allowing/denied connection by the user belonging to the Wingroup, but it currently ignores the password.
Well, no. You didn't do what you said. Instead, you checked for the group, and if the user was in the group, you set Auth-Type := Accept. That's a bit different.
When I comment the Group name attribute, groupmembership_attribute, etc (Which is what I call not using group options), I am succesfull allowing/denied connection by the username/password, but clearly does not work with the Wingroup.
So... when you don't check groups, it doesn't do group checking? That's not a surprise.
I have being playing with the Users.conf file and I think is really close for what I need, not sure if it is the correct way
It's not a "users.conf" file. Again, you're inventing terminology.
My bad. I should have written "Users" file. Is that some files are .conf, others are .cnf and other without extension. There is no standard.
What do I need to do in order to convince you that your entire approach is wrong? That inventing things, and changing the meaning of existing words is a PROBLEM?
Don't do it. Just... don't.
==================================================== /usr/pbi/freeradius-i386/etc/raddb/users
"test" Cleartext-Password := "squidtest" DEFAULT Ldap-Group != "InternetAccess", Auth-Type := Reject Ldap-Group == "InternetAccess", Auth-Type := LDAP ====================================================
That isn't what you have in the file. It's been modified and re-formatted.
The initial file that I sent you is not the same as the one I currently have. As I told in the previous email, I have being playing with the Users file ( I written the name wrongly as Users.conf in the sentence) and clearly I change it trying to get closer to what I need. In fact is closer.
Debug output that closely do what I want. Ii is long because is showing on the same run four (4) tests. 1. Username/password combination found in LDAP but NOT in Wingroup. 2. Username/password combination not found in LDAP but in Wingroup 3. Username/password combination found in LDAP and in Wingroup 4. Username/password combination not found in LDAP and not in Wingroup
If you understand what's going on, and don't invent new terminology, it's simple. Just do this:
1) configure the ldap module. ALL of it. Including the groupmembership_attribute, groupmembership_filter, etc.
2) put this into the "users" file, at the TOP of the file:
# DEFAULT LDAP-Group == "InternetAccess", Auth-Type := LDAP #
3) be sure there's no "ldap" in the "authorize" section
4) be sure there's "Auth-Type LDAP" in the "authenticate" section
Try to connect. Users in the "InternetAccess" group will get authenticated. But ONLY if their name and password is correct.
Users NOT in the "InternetAccess" group will not get authenticated.
It really is that easy.
But you SHOULD NOT invent new terminology. You MUST understand what the existing words mean. You MUST describe what you want in simple, clear, terms.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
OK. I will try that configuration. I think the trick, as I call it, is to turn off Authorization for LDAP. Will let you know how it goes.
participants (4)
-
Alan DeKok -
Ben Humpert -
Brendan Kearney -
Jose Torres-Berrocal