Re: Error while authenticating users on Wifi.
Dear Alan, As per your recommendation, have configured ldap module for wifi, users to be allowed through clients.conf & wifi virtual server. While testing a user over wifi, authentication fails due to LDAP search criteria missing into ldap server config. Error: rlm_ldap (ldapwifi): Waiting for bind result... rlm_ldap (ldapwifi): Bind successful (0) [ldapwifi] = ok (0) if ((ok || updated) && User-Password) { (0) if ((ok || updated) && User-Password) -> TRUE (0) if ((ok || updated) && User-Password) { (0) update { (0) control:Auth-Type := LDAP (0) } # update = noop (0) } # if ((ok || updated) && User-Password) = noop (0) } # elsif ( Airespace-Wlan-Id == 2 ) = ok (0) [expiration] = noop (0) [logintime] = noop (0) } # authorize = ok (0) Found Auth-Type = LDAP (0) # Executing group from file /usr/app/radius-new2/prod-corp-internal/etc/raddb/sites-enabled/wifi (0) Auth-Type LDAP { rlm_ldap (ldapwifi): Reserved connection (1) (0) ldapwifi: Login attempt by "u5496622" (0) ldapwifi: Using user DN from request "uid=u5496622,ou=Wifiusers,ou=Partners,o=mydomain.com" (0) ldapwifi: Waiting for bind result... (0) ldapwifi: Bind successful (0) ldapwifi: Bind as user "uid=u5496622, ou=Wifiusers,ou=Partners,o= mydomain.com" was successful rlm_ldap (ldapwifi): Released connection (1) (0) [ldapwifi] = ok (0) } # Auth-Type LDAP = ok (0) # Executing section post-auth from file /usr/app/radius-new2/prod-corp-internal/etc/raddb/sites-enabled/wifi (0) post-auth { (0) if ( Airespace-Wlan-Id == 2 ) { (0) if ( Airespace-Wlan-Id == 2 ) -> TRUE (0) if ( Airespace-Wlan-Id == 2 ) { (0) if ( "%{control:LDAP-UserDN}" =~ /ou=guest,ou=wifi,o=mydomain.com$/i ) { (0) EXPAND %{control:LDAP-UserDN} (0) --> uid=u5496622,ou=Wifiusers,ou=Partners,o=mydomain.com (0) if ( "%{control:LDAP-UserDN}" =~ /ou=guest,ou=wifi,o= mydomain.com$/i ) -> FALSE (0) elsif ( LDAP_Group == "cn=WiFiGuestPartners,ou=RADIUS Groups,ou=Groups,ou=staff,o=mydomain.com" ) { (0) elsif ( LDAP_Group == "cn=WiFiGuestPartners,ou=RADIUS Groups,ou=Groups,ou=staff,o=mydomain.com" ) -> FALSE (0) else { (0) [reject] = reject (0) } # else = reject (0) } # if ( Airespace-Wlan-Id == 2 ) = reject (0) } # post-auth = reject (0) Using Post-Auth-Type Reject (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /usr/app/radius-new2/prod-corp-internal/etc/raddb/sites-enabled/wifi (0) Rejected in post-auth: [u5496622] (from client WLC1 port 13 cli 00-28-f8-10-56-35) (0) Login incorrect: [u5496622] (from client WLC1 port 13 cli 00-28-f8-10-56-35) (0) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 16 from 192.168.154.96:1812 to 172.18.40.40:32774 length 20 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 16 with timestamp +27 For existing working access: # Executing section post-auth from file /usr/app/radius/prod-corp-internal//sites-enabled/wifi +group post-auth { ++? if (Airespace-Wlan-Id == 2 ) ? Evaluating (Airespace-Wlan-Id == 2 ) -> TRUE ++? if (Airespace-Wlan-Id == 2 ) -> TRUE ++if (Airespace-Wlan-Id == 2 ) { +++? if ("%{control:LDAP-UserDN}" =~ /ou=guest,ou=wifi,o=mydomain.com$/i ) expand: %{control:LDAP-UserDN} -> uid=u5496622,# Executing section post-auth from file /usr/app/radius/prod-corp-internal//sites-enabled/wifi +group post-auth { ++? if (Airespace-Wlan-Id == 2 ) ? Evaluating (Airespace-Wlan-Id == 2 ) -> TRUE ++? if (Airespace-Wlan-Id == 2 ) -> TRUE ++if (Airespace-Wlan-Id == 2 ) { +++? if ("%{control:LDAP-UserDN}" =~ /ou=guest,ou=wifi,o=mydomain.com$/i ) expand: %{control:LDAP-UserDN} -> uid=u5496622, ou=Wifiusers,ou=Partners,o=mydomain.com ? Evaluating ("%{control:LDAP-UserDN}" =~ /ou=guest,ou=wifi,o=mydomain.com$/i) -> FALSE +++? if ("%{control:LDAP-UserDN}" =~ /ou=guest,ou=wifi,o=mydomain.com$/i ) -> FALSE +++? elsif (LDAP-Group == "cn=WiFiGuestPartners,ou=RADIUS Groups,ou=Groups,ou=staff,o=mydomain.com" ) [ldapwifi2] Entering ldap_groupcmp() expand: o=mydomain.com -> o=mydomain.com expand: (&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})) -> (&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3du5496622\2cou\3dWifiusers\2cou\3dPartners\2co\ 3dmydomain.com)) [ldapwifi2] ldap_get_conn: Checking Id: 0 [ldapwifi2] ldap_get_conn: Got Id: 0 [ldapwifi2] performing search in cn=WiFiGuestPartners,ou=RADIUS Groups,ou=Groups,ou=staff,o=mydomain.com, with filter (&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3du5496622\2cou\3dWifiusers\2cou\3dPartners\2co\ 3dmydomain.com)) rlm_ldap::ldap_groupcmp: User found in group cn=WiFiGuestPartners,ou=RADIUS Groups,ou=Groups,ou=staff,o=mydomain.com [ldapwifi2] ldap_release_conn: Release Id: 0 ? Evaluating (LDAP-Group == "cn=WiFiGuestPartners,ou=RADIUS Groups,ou=Groups,ou=staff,o= mydomain.com " ) -> TRUE +++? elsif (LDAP-Group == "cn=WiFiGuestPartners,ou=RADIUS Groups,ou=Groups,ou=staff,o= mydomain.com " ) -> TRUE +++elsif (LDAP-Group == "cn=WiFiGuestPartners,ou=RADIUS Groups,ou=Groups,ou=staff,o= mydomain.com " ) { ++++[noop] = noop +++} # elsif (LDAP-Group == "cn=WiFiGuestPartners,ou=RADIUS Groups,ou=Groups,ou=staff,o= mydomain.com " ) = noop +++ ... skipping else for request 1: Preceding "if" was taken ++} # if (Airespace-Wlan-Id == 2 ) = noop Existing version is 2.0.x & new version is 3.0.17. Could you please help us with correct method to search LDAP directory from radius...? ---- *Thanks & Kind Regards,* Saurabh LAHOTI.
for 3.x you need to use the new config - you cant just cut and paste v2 ldap config onto a v3 server On 25 May 2018 at 06:48, Saurabh Lahoti <saurabh.astronomy@gmail.com> wrote:
Dear Alan,
As per your recommendation, have configured ldap module for wifi, users to be allowed through clients.conf & wifi virtual server.
While testing a user over wifi, authentication fails due to LDAP search criteria missing into ldap server config.
Error: rlm_ldap (ldapwifi): Waiting for bind result... rlm_ldap (ldapwifi): Bind successful (0) [ldapwifi] = ok (0) if ((ok || updated) && User-Password) { (0) if ((ok || updated) && User-Password) -> TRUE (0) if ((ok || updated) && User-Password) { (0) update { (0) control:Auth-Type := LDAP (0) } # update = noop (0) } # if ((ok || updated) && User-Password) = noop (0) } # elsif ( Airespace-Wlan-Id == 2 ) = ok (0) [expiration] = noop (0) [logintime] = noop (0) } # authorize = ok (0) Found Auth-Type = LDAP (0) # Executing group from file /usr/app/radius-new2/prod-corp-internal/etc/raddb/sites-enabled/wifi (0) Auth-Type LDAP { rlm_ldap (ldapwifi): Reserved connection (1) (0) ldapwifi: Login attempt by "u5496622" (0) ldapwifi: Using user DN from request "uid=u5496622,ou=Wifiusers,ou=Partners,o=mydomain.com" (0) ldapwifi: Waiting for bind result... (0) ldapwifi: Bind successful (0) ldapwifi: Bind as user "uid=u5496622, ou=Wifiusers,ou=Partners,o= mydomain.com" was successful rlm_ldap (ldapwifi): Released connection (1) (0) [ldapwifi] = ok (0) } # Auth-Type LDAP = ok (0) # Executing section post-auth from file /usr/app/radius-new2/prod-corp-internal/etc/raddb/sites-enabled/wifi (0) post-auth { (0) if ( Airespace-Wlan-Id == 2 ) { (0) if ( Airespace-Wlan-Id == 2 ) -> TRUE (0) if ( Airespace-Wlan-Id == 2 ) { (0) if ( "%{control:LDAP-UserDN}" =~ /ou=guest,ou=wifi,o=mydomain. com$/i ) { (0) EXPAND %{control:LDAP-UserDN} (0) --> uid=u5496622,ou=Wifiusers,ou=Partners,o=mydomain.com (0) if ( "%{control:LDAP-UserDN}" =~ /ou=guest,ou=wifi,o= mydomain.com$/i ) -> FALSE (0) elsif ( LDAP_Group == "cn=WiFiGuestPartners,ou=RADIUS Groups,ou=Groups,ou=staff,o=mydomain.com" ) { (0) elsif ( LDAP_Group == "cn=WiFiGuestPartners,ou=RADIUS Groups,ou=Groups,ou=staff,o=mydomain.com" ) -> FALSE (0) else { (0) [reject] = reject (0) } # else = reject (0) } # if ( Airespace-Wlan-Id == 2 ) = reject (0) } # post-auth = reject (0) Using Post-Auth-Type Reject (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /usr/app/radius-new2/prod-corp-internal/etc/raddb/sites-enabled/wifi (0) Rejected in post-auth: [u5496622] (from client WLC1 port 13 cli 00-28-f8-10-56-35) (0) Login incorrect: [u5496622] (from client WLC1 port 13 cli 00-28-f8-10-56-35) (0) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 16 from 192.168.154.96:1812 to 172.18.40.40:32774 length 20 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 16 with timestamp +27
For existing working access: # Executing section post-auth from file /usr/app/radius/prod-corp-internal//sites-enabled/wifi +group post-auth { ++? if (Airespace-Wlan-Id == 2 ) ? Evaluating (Airespace-Wlan-Id == 2 ) -> TRUE ++? if (Airespace-Wlan-Id == 2 ) -> TRUE ++if (Airespace-Wlan-Id == 2 ) { +++? if ("%{control:LDAP-UserDN}" =~ /ou=guest,ou=wifi,o=mydomain.com$/i ) expand: %{control:LDAP-UserDN} -> uid=u5496622,# Executing section post-auth from file /usr/app/radius/prod-corp-internal//sites-enabled/wifi +group post-auth { ++? if (Airespace-Wlan-Id == 2 ) ? Evaluating (Airespace-Wlan-Id == 2 ) -> TRUE ++? if (Airespace-Wlan-Id == 2 ) -> TRUE ++if (Airespace-Wlan-Id == 2 ) { +++? if ("%{control:LDAP-UserDN}" =~ /ou=guest,ou=wifi,o=mydomain.com$/i ) expand: %{control:LDAP-UserDN} -> uid=u5496622, ou=Wifiusers,ou=Partners,o=mydomain.com ? Evaluating ("%{control:LDAP-UserDN}" =~ /ou=guest,ou=wifi,o=mydomain.com $/i) -> FALSE +++? if ("%{control:LDAP-UserDN}" =~ /ou=guest,ou=wifi,o=mydomain.com$/i ) -> FALSE +++? elsif (LDAP-Group == "cn=WiFiGuestPartners,ou=RADIUS Groups,ou=Groups,ou=staff,o=mydomain.com" ) [ldapwifi2] Entering ldap_groupcmp() expand: o=mydomain.com -> o=mydomain.com expand: (&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})) -> (&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3du5496622\ 2cou\3dWifiusers\2cou\3dPartners\2co\ 3dmydomain.com)) [ldapwifi2] ldap_get_conn: Checking Id: 0 [ldapwifi2] ldap_get_conn: Got Id: 0 [ldapwifi2] performing search in cn=WiFiGuestPartners,ou=RADIUS Groups,ou=Groups,ou=staff,o=mydomain.com, with filter (&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3du5496622\ 2cou\3dWifiusers\2cou\3dPartners\2co\ 3dmydomain.com)) rlm_ldap::ldap_groupcmp: User found in group cn=WiFiGuestPartners,ou=RADIUS Groups,ou=Groups,ou=staff,o=mydomain.com [ldapwifi2] ldap_release_conn: Release Id: 0 ? Evaluating (LDAP-Group == "cn=WiFiGuestPartners,ou=RADIUS Groups,ou=Groups,ou=staff,o= mydomain.com " ) -> TRUE +++? elsif (LDAP-Group == "cn=WiFiGuestPartners,ou=RADIUS Groups,ou=Groups,ou=staff,o= mydomain.com " ) -> TRUE +++elsif (LDAP-Group == "cn=WiFiGuestPartners,ou=RADIUS Groups,ou=Groups,ou=staff,o= mydomain.com " ) { ++++[noop] = noop +++} # elsif (LDAP-Group == "cn=WiFiGuestPartners,ou=RADIUS Groups,ou=Groups,ou=staff,o= mydomain.com " ) = noop +++ ... skipping else for request 1: Preceding "if" was taken ++} # if (Airespace-Wlan-Id == 2 ) = noop
Existing version is 2.0.x & new version is 3.0.17. Could you please help us with correct method to search LDAP directory from radius...?
----
*Thanks & Kind Regards,* Saurabh LAHOTI. - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Dear ALan, User ( uid=u5496622,ou=Techmahindra,ou=Partners,o= mydomain.com)is already a part of the LDAP group(cn=WiFiGuestPartners,ou=RADIUS Groups,ou=Groups,ou=staff,o=mydomain.com") Does my query: LDAP_Group attribute for searching user in LDAP group is correct..? ---- *Thanks & Kind Regards,* Saurabh LAHOTI.
participants (2)
-
Alan Buxey -
Saurabh Lahoti