DEFAULT entry in users file (1.0.5-->1.1.7)
Hi everybody, sorry to ask, but I don' get it. I'm still trying to upgrade from 1.0.5 to 1.1.7. Previously, my users fiel looked like this: [some static entries for special users] [some entries with Auth-Type=Reject for special conditions] DEFAULT Auth-Type = LDAP, Called-Station-Id == "our-dialup-number" Service-Type = Framed-User, Framed-Protocol = PPP, [more reply-items for dialup users] # All other requests: simply match against LDAP # Replace 'outer' attribute User-Name with value from variable # ==> This yields the true username from inside the tunnel in case of # anonymous outer identification with 802.1x DEFAULT Auth-Type = LDAP User-Name = `%{User-Name}`, Reply-Message = "Matched DEFAULT user entry in staff-RADIUS" So all my normal users' passwords are checked against LDAP, using LDAP bind-as-user. There's a properly configured LDAP section in radiusd.conf, of course. With 1.1.7 (and perhaps with any version >=1.1.4), Auth-Type = LDAP seems to be gone, but what on earth do put there instead? The static entries (with cleartext-password for 1.1.7) work fine, With a users file like DEFAULT User-Name = `%{User-Name}` the server complains loudly about the missing Auth-Type when asking with radtest: rad_recv: Access-Request packet from host 127.0.0.1:41995, id=59, length=58 User-Name = "martin" User-Password = "testpass" NAS-IP-Address = 255.255.255.255 NAS-Port = 10 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "pauly0", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "pauly0" rlm_realm: Proxying request from user pauly0 to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 69 radius_xlat: 'pauly0' modcall[authorize]: module "files" returns ok for request 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 0 modcall: leaving group authorize (returns ok) for request 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. So how do I direct the server to use LDAP without setting Auth-Type? Or is radtest somehow the wrong test tool in the new scenario?? Thanks, Martin -- Dr. Martin Pauly Fax: 49-6421-28-26994 HRZ Univ. Marburg Phone: 49-6421-28-23527 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg
Uncomment ldap in authorize and authenticate sections of radiusd.conf. Problem solved -- I think I'm beginning to understand things a bit better now ... (Hey, when will Alan's book be out? Should be something to read somewhere off-the-daily-business)
Thanks a lot Martin -- Dr. Martin Pauly Fax: 49-6421-28-26994 HRZ Univ. Marburg Phone: 49-6421-28-23527 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg
participants (2)
-
Martin Pauly -
tnt@kalik.co.yu