I have having some problems with ldap group checking. Our students do not have a common group that they are a member of. They are all a member of a group based on their username (ST_Students for every student that has a username that start with st). We then have groups based off each letter of the alphabet (S_Students would contain the SA_Students through SZ_Students groups). We then have another group called students, that has the A_Students through Z_Students groups. I know this is overly complex, but that is how our administrative computing department has set things up. I would like to use the student group to allow access to a wireless network. My current rule is as follows. if ((Called-Station-SSID == "Test2) && (LDAP-Group == "students")) { noop } When the test user sexample5555 connects, they get denied because their account is a member of the SE_Students group. The SE_Students group is a member of the S_Students group, and that group is a member of the students group....but the user is not a direct member of the students group. Is there an easy solution that I am missing? Here is the full debug output. I know some things are not 100% correct. We are still in the testing phase. freeradius: FreeRADIUS Version 3.0.2, for host x86_64-pc-linux-gnu, built on Apr 7 2014 at 08:43:37 Copyright (C) 1999-2014 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /etc/freeradius/dictionary including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/mods-enabled/ including configuration file /etc/freeradius/mods-enabled/eap including configuration file /etc/freeradius/mods-enabled/preprocess including configuration file /etc/freeradius/mods-enabled/expiration including configuration file /etc/freeradius/mods-enabled/replicate including configuration file /etc/freeradius/mods-enabled/sradutmp including configuration file /etc/freeradius/mods-enabled/detail.log including configuration file /etc/freeradius/mods-enabled/exec including configuration file /etc/freeradius/mods-enabled/realm including configuration file /etc/freeradius/mods-enabled/ntlm_auth including configuration file /etc/freeradius/mods-enabled/logintime including configuration file /etc/freeradius/mods-enabled/attr_filter including configuration file /etc/freeradius/mods-enabled/files including configuration file /etc/freeradius/mods-enabled/radutmp including configuration file /etc/freeradius/mods-enabled/mschap including configuration file /etc/freeradius/mods-enabled/cache_eap including configuration file /etc/freeradius/mods-enabled/always including configuration file /etc/freeradius/mods-enabled/chap including configuration file /etc/freeradius/mods-enabled/unpack including configuration file /etc/freeradius/mods-enabled/ldap including configuration file /etc/freeradius/mods-enabled/detail including configuration file /etc/freeradius/mods-enabled/echo including configuration file /etc/freeradius/mods-enabled/linelog including configuration file /etc/freeradius/mods-enabled/dynamic_clients including configuration file /etc/freeradius/mods-enabled/utf8 including files in directory /etc/freeradius/policy.d/ including configuration file /etc/freeradius/policy.d/eap including configuration file /etc/freeradius/policy.d/filter including configuration file /etc/freeradius/policy.d/canonicalization including configuration file /etc/freeradius/policy.d/operator-name including configuration file /etc/freeradius/policy.d/dhcp including configuration file /etc/freeradius/policy.d/control including configuration file /etc/freeradius/policy.d/accounting including configuration file /etc/freeradius/policy.d/cui including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/wifi including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/default main { security { user = "freerad" group = "freerad" allow_core_dumps = no } } main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } } realm LOCAL { } home_server_pool my_auth_failover { type = fail-over home_server = localhost } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client our-wireless-controller.our.domain { require_message_authenticator = no secret = <<< secret >>> shortname = "ttcbluesocket" virtual_server = "wifi" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv6addr' field found in client our-wireless-controller.our.domain. Please fix your configuration Support for old-style clients will be removed in a future release radiusd: #### Instantiating modules #### instantiate { } modules { # Loaded module rlm_eap # Instantiating module "eap" from file /etc/freeradius/mods-enabled/eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no mod_accounting_username_bug = no max_sessions = 4096 } # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 ca_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.pem" certificate_file = "/etc/freeradius/certs/server.pem" ca_file = "/etc/freeradius/certs/ca.pem" private_key_password = <<< secret >>> dh_file = "/etc/freeradius/certs/dh" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" ecdh_curve = "prime256v1" cache { enable = yes lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = yes } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_method = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Loaded module rlm_preprocess # Instantiating module "preprocess" from file /etc/freeradius/mods-enabled/preprocess preprocess { huntgroups = "/etc/freeradius/mods-config/preprocess/huntgroups" hints = "/etc/freeradius/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /etc/freeradius/mods-config/preprocess/huntgroups reading pairlist file /etc/freeradius/mods-config/preprocess/hints # Loaded module rlm_expiration # Instantiating module "expiration" from file /etc/freeradius/mods-enabled/expiration # Loaded module rlm_replicate # Instantiating module "replicate" from file /etc/freeradius/mods-enabled/replicate # Loaded module rlm_radutmp # Instantiating module "sradutmp" from file /etc/freeradius/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/freeradius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_detail # Instantiating module "auth_log" from file /etc/freeradius/mods-enabled/detail.log detail auth_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 dir_permissions = 493 locking = no log_packet_header = no } rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/freeradius/mods-enabled/detail.log detail reply_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 dir_permissions = 493 locking = no log_packet_header = no } # Instantiating module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 dir_permissions = 493 locking = no log_packet_header = no } # Instantiating module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 dir_permissions = 493 locking = no log_packet_header = no } # Loaded module rlm_exec # Instantiating module "exec" from file /etc/freeradius/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_realm # Instantiating module "IPASS" from file /etc/freeradius/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Instantiating module "suffix" from file /etc/freeradius/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Instantiating module "realmpercent" from file /etc/freeradius/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Instantiating module "ntdomain" from file /etc/freeradius/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = no } # Instantiating module "ntlm_auth" from file /etc/freeradius/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=our.domain --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_logintime # Instantiating module "logintime" from file /etc/freeradius/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_attr_filter # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/freeradius/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } reading pairlist file /etc/freeradius/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/freeradius/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } reading pairlist file /etc/freeradius/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/freeradius/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/mods-config/attr_filter/access_reject # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/freeradius/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/freeradius/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/mods-config/attr_filter/accounting_response # Loaded module rlm_files # Instantiating module "files" from file /etc/freeradius/mods-enabled/files files { filename = "/etc/freeradius/mods-config/files/authorize" usersfile = "/etc/freeradius/mods-config/files/authorize" acctusersfile = "/etc/freeradius/mods-config/files/accounting" preproxy_usersfile = "/etc/freeradius/mods-config/files/pre-proxy" compat = "no" } reading pairlist file /etc/freeradius/mods-config/files/authorize reading pairlist file /etc/freeradius/mods-config/files/authorize reading pairlist file /etc/freeradius/mods-config/files/accounting reading pairlist file /etc/freeradius/mods-config/files/pre-proxy # Instantiating module "radutmp" from file /etc/freeradius/mods-enabled/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_mschap # Instantiating module "mschap" from file /etc/freeradius/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username= %{%{Stripped-User-Name}:-%{%{mschap:User-Name}:-None}} --domain= %{%{mschap:NT-Domain}:-our.domain} --challenge= %{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" ntlm_auth_timeout = 10 passchange { } allow_retry = yes } # Loaded module rlm_cache # Instantiating module "cache_eap" from file /etc/freeradius/mods-enabled/cache_eap cache cache_eap { key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 16384 epoch = 0 add_stats = no } # Loaded module rlm_always # Instantiating module "reject" from file /etc/freeradius/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Instantiating module "fail" from file /etc/freeradius/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Instantiating module "ok" from file /etc/freeradius/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Instantiating module "handled" from file /etc/freeradius/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Instantiating module "invalid" from file /etc/freeradius/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Instantiating module "userlock" from file /etc/freeradius/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Instantiating module "notfound" from file /etc/freeradius/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Instantiating module "noop" from file /etc/freeradius/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Instantiating module "updated" from file /etc/freeradius/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_chap # Instantiating module "chap" from file /etc/freeradius/mods-enabled/chap # Loaded module rlm_unpack # Instantiating module "unpack" from file /etc/freeradius/mods-enabled/unpack # Loaded module rlm_ldap # Instantiating module "ldap" from file /etc/freeradius/mods-enabled/ldap ldap { server = "server.our.domain" port = 636 password = <<< secret >>> identity = "ACCOUNT" user { filter = "(cn=%{%{mschap:User-Name}:-%{User-Name}})" scope = "sub" base_dn = "dc=our,dc=domain" access_positive = yes } group { filter = "(objectClass=posixGroup)" scope = "sub" base_dn = "dc=our,dc=domain" name_attribute = "cn" membership_attribute = "memberOf" membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid= %{%{mschap:User-Name}:-%{User-Name}}))" cacheable_name = no cacheable_dn = no } client { filter = "(objectClass=frClient)" scope = "sub" base_dn = "dc=our,dc=domain" attribute { identifier = "radiusClientIdentifier" shortname = "cn" secret = "radiusClientSecret" } } profile { filter = "(&)" } options { ldap_debug = 40 chase_referrals = yes rebind = yes net_timeout = 1 res_timeout = 20 srv_timelimit = 20 idle = 60 probes = 3 interval = 3 } tls { start_tls = no } } accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" } post-auth { reference = "." } rlm_ldap (ldap): Initialising connection pool pool { start = 5 min = 4 max = 32 spare = 3 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 1 spread = no } rlm_ldap (ldap): Opening additional connection (0) rlm_ldap (ldap): Connecting to server.our.domain:636 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (1) rlm_ldap (ldap): Connecting to server.our.domain:636 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (2) rlm_ldap (ldap): Connecting to server.our.domain:636 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (3) rlm_ldap (ldap): Connecting to server.our.domain:636 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (4) rlm_ldap (ldap): Connecting to server.our.domain:636 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful # Instantiating module "detail" from file /etc/freeradius/mods-enabled/detail detail { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 dir_permissions = 493 locking = no log_packet_header = no } # Instantiating module "echo" from file /etc/freeradius/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loaded module rlm_linelog # Instantiating module "linelog" from file /etc/freeradius/mods-enabled/linelog linelog { filename = "/var/log/freeradius/linelog" permissions = 384 format = "This is a log message for %{User-Name}" reference = "%{%{Packet-Type}:-format}" } # Loaded module rlm_dynamic_clients # Instantiating module "dynamic_clients" from file /etc/freeradius/mods-enabled/dynamic_clients # Loaded module rlm_utf8 # Instantiating module "utf8" from file /etc/freeradius/mods-enabled/utf8 } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/radiusd.conf } # server server wifi { # from file /etc/freeradius/sites-enabled/wifi # Loading authenticate {...} # Loading authorize {...} # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...} } # server wifi server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel # Creating Auth-Type = LDAP # Loading authenticate {...} # Loading authorize {...} # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} } # server inner-tunnel server default { # from file /etc/freeradius/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...} } # server default radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 1912 limit { max_connections = 26 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } listen { type = "auth" ipaddr = * port = 1812 limit { max_connections = 26 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Listening on auth address * port 1912 as server wifi Listening on acct address * port 1813 as server wifi Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel Listening on auth address * port 1812 as server default Listening on acct address * port 1813 as server default Opening new proxy socket 'proxy address * port 0' Listening on proxy address * port 33306 Ready to process requests. rad_recv: Access-Request packet from host WIFI-CONTROLLER-IP port 1034, id=39, length=174 User-Name = 'DOMAIN\\sexample5555' NAS-Port = 0 Called-Station-Id = '00-19-92-04-7E-81:Test2' Calling-Station-Id = '00-26-5E-31-33-3B' Framed-MTU = 1400 Attr-26 = 0x000026ef030302 NAS-Port-Type = Wireless-802.11 Connect-Info = 'CONNECT 0Mbps 802.11' EAP-Message = 0x025c0016014b5643435c736578616d706c6535353535 Message-Authenticator = 0x8c275779e337acf4e7eaccbf78cad923 (0) # Executing section authorize from file /etc/freeradius/sites-enabled/wifi (0) authorize { (0) if (Called-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) (0) if (Called-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE (0) if (Called-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) { (0) update request { (0) EXPAND %{7} (0) --> Test2 (0) Called-Station-SSID := "Test2" (0) } # update request = noop (0) } # if (Called-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) = noop (0) if ((Called-Station-SSID == "Test2") && (LDAP-Group == "students")) (0) Searching for user in group "students" rlm_ldap (ldap): Reserved connection (4) (0) EXPAND (cn=%{%{mschap:User-Name}:-%{User-Name}}) (0) --> (cn=sexample5555) (0) EXPAND dc=our,dc=domain (0) --> dc=our,dc=domain (0) Performing search in 'dc=our,dc=domain' with filter '(cn=sexample5555)', scope 'sub' (0) Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldaps://ForestDnsZones.our.domain/DC=ForestDnsZones,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldaps://domainainDnsZones.our.domain/DC=DomainDnsZones,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldaps://our.domain/CN=Configuration,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful User object found at DN "CN=sexample5555,OU=OUR-OU,OU=OUR-OU,OU=OUR-OU,OU=people,DC=our,DC=domain" (0) Checking for user in group objects (0) EXPAND (&(cn=students)(objectClass=posixGroup)(|(member= %{control:Ldap-UserDn})(memberUid= %{%{mschap:User-Name}:-%{User-Name}}))) (0) --> (&(cn=students)(objectClass=posixGroup)(|(member=CN \3dsexample5555\2cOU\3dse_students\2cOU\3dS_students\2cOU\3dstudents \2cOU\3dpeople\2cDC\3dour\2cDC\3ddom)(memberUid=sexample5555))) (0) EXPAND dc=our,dc=domain (0) --> dc=our,dc=domain (0) Waiting for bind result... (0) Bind successful (0) Performing search in 'dc=our,dc=domain' with filter '(&(cn=students)(objectClass=posixGroup)(|(member=CN\3dsexample5555\2cOU \3dse_students\2cOU\3dS_students\2cOU\3dstudents\2cOU\3dpeople\2cDC \3dour\2cDC\3ddom)(memberUid=sexample5555)))', scope 'sub' (0) Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldaps://ForestDnsZones.our.domain/DC=ForestDnsZones,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldaps://DomainDnsZones.our.domain/DC=DomainDnsZones,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldaps://our.dom/CN=Configuration,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (0) Search returned no results (0) Search returned not found (0) Checking user object membership (memberOf) attributes (0) Waiting for bind result... (0) Bind successful (0) Performing unfiltered search in 'CN=sexample5555,OU=se_students,OU=S_students,OU=students,OU=people,DC=our,DC=domain', scope 'base' (0) Waiting for search result... (0) Processing group membership value "CN=GROUP1,OU=_Section-Groups,OU=students,OU=people,DC=our,DC=domain" (0) Converting group DN to group Name (0) Performing unfiltered search in 'CN=GROUP1,OU=_Section-Groups,OU=students,OU=people,DC=our,DC=domain', scope 'base' (0) Waiting for search result... (0) Group name is "GROUP1" (0) Processing group membership value "CN=GROUP2,OU=groups,DC=our,DC=domain" (0) Converting group DN to group Name (0) Performing unfiltered search in 'CN=GROUP2,OU=groups,DC=our,DC=domain', scope 'base' (0) Waiting for search result... (0) Group name is "GROUP2" (0) Processing group membership value "CN=SE_students,OU=se_students,OU=S_students,OU=students,OU=people,DC=our,DC=domain" (0) Converting group DN to group Name (0) Performing unfiltered search in 'CN=SE_students,OU=se_students,OU=S_students,OU=students,OU=people,DC=our,DC=domain', scope 'base' (0) Waiting for search result... (0) Group name is "SE_students" (0) Processing group membership value "CN=GROUP4,OU=_Dept-Groups,OU=students,OU=people,DC=our,DC=domain" (0) Converting group DN to group Name (0) Performing unfiltered search in 'CN=GROUP4,OU=_Dept-Groups,OU=students,OU=people,DC=our,DC=domain', scope 'base' (0) Waiting for search result... (0) Group name is "GROUP4" (0) Processing group membership value "CN=GROUP5,OU=staff,OU=people,DC=our,DC=domain" (0) Converting group DN to group Name (0) Performing unfiltered search in 'CN=GROUP5,OU=staff,OU=people,DC=our,DC=domain', scope 'base' (0) Waiting for search result... (0) Group name is "GROUP5" rlm_ (ldap): Deleting connection (4) (0) User is not a member of specified group (0) if ((Called-Station-SSID == "Test2") && (LDAP-Group == "students")) -> FALSE (0) else else { (0) [reject] = reject (0) } # else else = reject (0) } # authorize = reject (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/freeradius/sites-enabled/wifi (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject : EXPAND %{User-Name} (0) attr_filter.access_reject : --> DOMAIN\sexample5555 (0) attr_filter.access_reject : Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) eap : Request was previously rejected, inserting EAP-Failure (0) [eap] = updated (0) remove_reply_message_if_eap remove_reply_message_if_eap { (0) if (reply:EAP-Message && reply:Reply-Message) (0) if (reply:EAP-Message && reply:Reply-Message) -> FALSE (0) else else { (0) [noop] = noop (0) } # else else = noop (0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying reject of request 0 for 1 seconds Waking up in 0.2 seconds. Waking up in 0.7 seconds. (0) Sending delayed reject Sending Access-Reject of id 39 from Radius-Server port 1912 to WIFI-CONTROLLER-IP port 1034 EAP-Message = 0x045c0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. rad_recv: Access-Request packet from host WIFI-CONTROLLER-IP port 1034, id=40, length=174 User-Name = 'our\\sexample5555' NAS-Port = 0 Called-Station-Id = '00-19-92-04-7E-81:Test2' Calling-Station-Id = '00-26-5E-31-33-3B' Framed-MTU = 1400 Attr-26 = 0x000026ef030302 NAS-Port-Type = Wireless-802.11 Connect-Info = 'CONNECT 0Mbps 802.11' EAP-Message = 0x02b00016014b5643435c736578616d706c6535353535 Message-Authenticator = 0xfc98b83654758f9d0071ba123c21ca2e (1) # Executing section authorize from file /etc/freeradius/sites-enabled/wifi (1) authorize { (1) if (Called-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) (1) if (Called-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE (1) if (Called-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) { (1) update request { (1) EXPAND %{7} (1) --> Test2 (1) Called-Station-SSID := "Test2" (1) } # update request = noop (1) } # if (Called-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) = noop (1) if ((Called-Station-SSID == "Test2") && (LDAP-Group == "students")) (1) Searching for user in group "students" rlm_ldap (ldap): Reserved connection (3) (1) EXPAND (cn=%{%{mschap:User-Name}:-%{User-Name}}) (1) --> (cn=sexample5555) (1) EXPAND dc=our,dc=domain (1) --> dc=our,dc=domain (1) Performing search in 'dc=our,dc=domain' with filter '(cn=sexample5555)', scope 'sub' (1) Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldaps://ForestDnsZones.our.domain/DC=ForestDnsZones,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldaps://DomainDnsZones.our.domain/DC=DomainDnsZones,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldaps://our.domain/CN=Configuration,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (1) User object found at DN "CN=sexample5555,OU=OUR-OU,OU=OUR-OU,OU=OUR-OU,OU=people,DC=our,DC=domain" (1) Checking for user in group objects (1) EXPAND (&(cn=students)(objectClass=posixGroup)(|(member= %{control:Ldap-UserDn})(memberUid= %{%{mschap:User-Name}:-%{User-Name}}))) (1) --> (&(cn=students)(objectClass=posixGroup)(|(member=CN \3dsexample5555\2cOU\3dse_students\2cOU\3dS_students\2cOU\3dstudents \2cOU\3dpeople\2cDC\3dour\2cDC\3ddom)(memberUid=sexample5555))) (1) EXPAND dc=our,dc=domain (1) --> dc=our,dc=domain (1) Waiting for bind result... (1) Bind successful (1) Performing search in 'dc=our,dc=domain' with filter '(&(cn=students)(objectClass=posixGroup)(|(member=CN\3dsexample5555\2cOU \3dse_students\2cOU\3dS_students\2cOU\3dstudents\2cOU\3dpeople\2cDC \3dour\2cDC\3ddom)(memberUid=sexample5555)))', scope 'sub' (1) Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldaps://ForestDnsZones.our.domain/DC=ForestDnsZones,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldaps://DomainDnsZones.our.domain/DC=DomainDnsZones,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldaps://our.domain/CN=Configuration,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (1) Search returned no results (1) Search returned not found (1) Checking user object membership (memberOf) attributes (1) Waiting for bind result... (1) Bind successful (1) Performing unfiltered search in 'CN=sexample5555,OU=se_students,OU=S_students,OU=students,OU=people,DC=our,DC=domain', scope 'base' (1) Waiting for search result... (1) Processing group membership value "CN=GROUP1,OU=_Section-Groups,OU=students,OU=people,DC=our,DC=domain" (1) Converting group DN to group Name (1) Performing unfiltered search in 'CN=GROUP1,OU=_Section-Groups,OU=students,OU=people,DC=our,DC=domain', scope 'base' (1) Waiting for search result... (1) Group name is "GROUP1" (1) Processing group membership value "CN=GROUP2,OU=groups,DC=our,DC=domain" (1) Converting group DN to group Name (1) Performing unfiltered search in 'CN=GROUP2,OU=groups,DC=our,DC=domain', scope 'base' (1) Waiting for search result... (1) Group name is "GROUP2" (1) Processing group membership value "CN=SE_students,OU=se_students,OU=S_students,OU=students,OU=people,DC=our,DC=domain" (1) Converting group DN to group Name (1) Performing unfiltered search in 'CN=SE_students,OU=se_students,OU=S_students,OU=students,OU=people,DC=our,DC=domain', scope 'base' (1) Waiting for search result... (1) Group name is "SE_students" (1) Processing group membership value "CN=GROUP4,OU=_Dept-Groups,OU=students,OU=people,DC=our,DC=domain" (1) Converting group DN to group Name (1) Performing unfiltered search in 'CN=GROUP4,OU=_Dept-Groups,OU=students,OU=people,DC=our,DC=domain', scope 'base' (1) Waiting for search result... (1) Group name is "GROUP4" (1) Processing group membership value "CN=GROUP5,OU=staff,OU=people,DC=our,DC=domain" (1) Converting group DN to group Name (1) Performing unfiltered search in 'CN=GROUP5,OU=staff,OU=people,DC=our,DC=domain', scope 'base' (1) Waiting for search result... (1) Group name is "GROUP5" rlm_ldap (ldap): Deleting connection (3) (1) User is not a member of specified group (1) if ((Called-Station-SSID == "Test2") && (LDAP-Group == "students")) -> FALSE (1) else else { (1) [reject] = reject (1) } # else else = reject (1) } # authorize = reject (1) Using Post-Auth-Type Reject (1) # Executing group from file /etc/freeradius/sites-enabled/wifi (1) Post-Auth-Type REJECT { (1) attr_filter.access_reject : EXPAND %{User-Name} (1) attr_filter.access_reject : --> DOMAIN\sexample5555 (1) attr_filter.access_reject : Matched entry DEFAULT at line 11 (1) [attr_filter.access_reject] = updated (1) eap : Request was previously rejected, inserting EAP-Failure (1) [eap] = updated (1) remove_reply_message_if_eap remove_reply_message_if_eap { (1) if (reply:EAP-Message && reply:Reply-Message) (1) if (reply:EAP-Message && reply:Reply-Message) -> FALSE (1) else else { (1) [noop] = noop (1) } # else else = noop (1) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (1) } # Post-Auth-Type REJECT = updated (1) Delaying reject of request 1 for 1 seconds Waking up in 0.2 seconds. Waking up in 0.7 seconds. (1) Sending delayed reject Sending Access-Reject of id 40 from SERVER-IP port 1912 to WIFI-CONTROLLER-IP port 1034 EAP-Message = 0x04b00004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 1.3 seconds. (0) Cleaning up request packet ID 39 with timestamp +6 Waking up in 2.6 seconds. Thanks! -Josh
Josh Essar wrote:
I have having some problems with ldap group checking. Our students do not have a common group that they are a member of. They are all a member of a group based on their username (ST_Students for every student that has a username that start with st). We then have groups based off each letter of the alphabet (S_Students would contain the SA_Students through SZ_Students groups). We then have another group called students, that has the A_Students through Z_Students groups.
That is an... inventive approach. I can honestly say I've never seen that before.
I know this is overly complex, but that is how our administrative computing department has set things up. I would like to use the student group to allow access to a wireless network. My current rule is as follows.
if ((Called-Station-SSID == "Test2) && (LDAP-Group == "students")) { noop }
When the test user sexample5555 connects, they get denied because their account is a member of the SE_Students group. The SE_Students group is a member of the S_Students group, and that group is a member of the students group....but the user is not a direct member of the students group.
Is there an easy solution that I am missing?
Don't use ridiculously complicated group memberships.
(0) Searching for user in group "students" ... rlm_ldap (ldap): Rebinding to URL ldaps://ForestDnsZones.our.domain/DC=ForestDnsZones,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldaps://domainainDnsZones.our.domain/DC=DomainDnsZones,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldaps://our.domain/CN=Configuration,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful
The repeated rebinds mean that the information isn't in one LDAP directory, it's scattered across many directories. i.e. Active Directory. Your design is *slow*. Doing multiple binds just to discover a user is very problematic.
(0) Performing unfiltered search in 'CN=GROUP5,OU=staff,OU=people,DC=our,DC=domain', scope 'base' (0) Waiting for search result... (0) Group name is "GROUP5" rlm_ (ldap): Deleting connection (4) (0) User is not a member of specified group
<shrug> That seems definitive. You LDAP design is way too complicated. The multiple LDAP directories and groups buried within groups makes it nearly impossible to create a working RADIUS system. Maybe someone more familiar with LDAP magic can say more. But my $0.02 is to ensure that your database actually stores user data. All of it. In a sane format. Even if you do fix the group membership issue, the repeated LDAP searches will DESTROY performance. You'll be lucky to get 10 authentications per second out of it. Alan DeKok.
On 24 Apr 2014, at 23:20, Alan DeKok <aland@deployingradius.com> wrote:
Josh Essar wrote:
I have having some problems with ldap group checking. Our students do not have a common group that they are a member of. They are all a member of a group based on their username (ST_Students for every student that has a username that start with st). We then have groups based off each letter of the alphabet (S_Students would contain the SA_Students through SZ_Students groups). We then have another group called students, that has the A_Students through Z_Students groups.
That is an... inventive approach. I can honestly say I've never seen that before.
(0) Performing unfiltered search in 'CN=GROUP5,OU=staff,OU=people,DC=our,DC=domain', scope 'base' (0) Waiting for search result... (0) Group name is "GROUP5" rlm_ (ldap): Deleting connection (4) (0) User is not a member of specified group
Debug FTW!
<shrug> That seems definitive.
You LDAP design is way too complicated. The multiple LDAP directories and groups buried within groups makes it nearly impossible to create a working RADIUS system.
Maybe someone more familiar with LDAP magic can say more. But my $0.02 is to ensure that your database actually stores user data. All of it. In a sane format.
Even if you do fix the group membership issue, the repeated LDAP searches will DESTROY performance. You'll be lucky to get 10 authentications per second out of it.
Depends. If the child groups reference the parent in some way, it's only one extra search. But that only gets you one level of nesting. Anything beyond that gets insanely slow. Anyway it's not supported currently and I don't think it'd be a sensible thing to add support for. I think Phil mentioned something about a magic attribute you could search for in AD (with all those rebinds i'm guessing this is AD) which supported nested grouping. I started to look at adding it, and wrote most of the code, but didn't have time to finish it. If Phil can confirm that, that feature would help in this situation, I'll finish it off and merge the code. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On 25/04/14 00:19, Arran Cudbard-Bell wrote:
I think Phil mentioned something about a magic attribute you could search for in AD (with all those rebinds i'm guessing this is AD) which supported nested grouping.
I started to look at adding it, and wrote most of the code, but didn't have time to finish it.
If Phil can confirm that, that feature would help in this situation, I'll finish it off and merge the code.
That was the tokenGroups magic/virtual attribute, which is *only* queriable from a "base" scope query on the user DN. The values are binary-encoded SIDs which then need to be resolved to the groups via objectSid lookups. The latter bit was moderately hard which is why I didn't roll a patch. Someone else has already mentioned the other magic "deref nested groups" control OID you can put in the filter. Both are useful IMO.
Alan DeKok wrote:
Don't use ridiculously complicated group memberships.
That is the approach I have decided to take. It's time to cleanup our group structure anyway.
The repeated rebinds mean that the information isn't in one LDAP directory, it's scattered across many directories. i.e. Active Directory.
Your design is *slow*. Doing multiple binds just to discover a user is very problematic.
You LDAP design is way too complicated. The multiple LDAP directories and groups buried within groups makes it nearly impossible to create a working RADIUS system.
Yes, we use Active Directory. I'm assuming it is an active directory configuration change that will need to be made to reduce the number of rebinds. Is there a configuration change I could make in freeradius to make this process more efficient?
Even if you do fix the group membership issue, the repeated LDAP searches will DESTROY performance. You'll be lucky to get 10 authentications per second out of it.
Would if be better to setup an openldap server and used that for freeradius lookups? I had already thought about doing that when I started this project.
When you use AD then the following simple query will do all the hard workŠ Recursive Group Memberships (member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn}) Or as config snipped: group { base_dn = 'dc=foo,dc=bar' scope = 'sub' name_attribute = cn membership_filter = "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})" cacheable_name = "yes" cacheable_dn = "no" } - Peter Am 24.04.14 23:13 schrieb "Josh Essar" unter <jessar@kvcc.edu>:
I have having some problems with ldap group checking. Our students do not have a common group that they are a member of. They are all a member of a group based on their username (ST_Students for every student that has a username that start with st). We then have groups based off each letter of the alphabet (S_Students would contain the SA_Students through SZ_Students groups). We then have another group called students, that has the A_Students through Z_Students groups.
I know this is overly complex, but that is how our administrative computing department has set things up. I would like to use the student group to allow access to a wireless network. My current rule is as follows.
if ((Called-Station-SSID == "Test2) && (LDAP-Group == "students")) { noop }
When the test user sexample5555 connects, they get denied because their account is a member of the SE_Students group. The SE_Students group is a member of the S_Students group, and that group is a member of the students group....but the user is not a direct member of the students group.
Is there an easy solution that I am missing?
Here is the full debug output. I know some things are not 100% correct. We are still in the testing phase.
freeradius: FreeRADIUS Version 3.0.2, for host x86_64-pc-linux-gnu, built on Apr 7 2014 at 08:43:37 Copyright (C) 1999-2014 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /etc/freeradius/dictionary including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/mods-enabled/ including configuration file /etc/freeradius/mods-enabled/eap including configuration file /etc/freeradius/mods-enabled/preprocess including configuration file /etc/freeradius/mods-enabled/expiration including configuration file /etc/freeradius/mods-enabled/replicate including configuration file /etc/freeradius/mods-enabled/sradutmp including configuration file /etc/freeradius/mods-enabled/detail.log including configuration file /etc/freeradius/mods-enabled/exec including configuration file /etc/freeradius/mods-enabled/realm including configuration file /etc/freeradius/mods-enabled/ntlm_auth including configuration file /etc/freeradius/mods-enabled/logintime including configuration file /etc/freeradius/mods-enabled/attr_filter including configuration file /etc/freeradius/mods-enabled/files including configuration file /etc/freeradius/mods-enabled/radutmp including configuration file /etc/freeradius/mods-enabled/mschap including configuration file /etc/freeradius/mods-enabled/cache_eap including configuration file /etc/freeradius/mods-enabled/always including configuration file /etc/freeradius/mods-enabled/chap including configuration file /etc/freeradius/mods-enabled/unpack including configuration file /etc/freeradius/mods-enabled/ldap including configuration file /etc/freeradius/mods-enabled/detail including configuration file /etc/freeradius/mods-enabled/echo including configuration file /etc/freeradius/mods-enabled/linelog including configuration file /etc/freeradius/mods-enabled/dynamic_clients including configuration file /etc/freeradius/mods-enabled/utf8 including files in directory /etc/freeradius/policy.d/ including configuration file /etc/freeradius/policy.d/eap including configuration file /etc/freeradius/policy.d/filter including configuration file /etc/freeradius/policy.d/canonicalization including configuration file /etc/freeradius/policy.d/operator-name including configuration file /etc/freeradius/policy.d/dhcp including configuration file /etc/freeradius/policy.d/control including configuration file /etc/freeradius/policy.d/accounting including configuration file /etc/freeradius/policy.d/cui including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/wifi including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/default main { security { user = "freerad" group = "freerad" allow_core_dumps = no } } main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } } realm LOCAL { } home_server_pool my_auth_failover { type = fail-over home_server = localhost } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client our-wireless-controller.our.domain { require_message_authenticator = no secret = <<< secret >>> shortname = "ttcbluesocket" virtual_server = "wifi" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv6addr' field found in client our-wireless-controller.our.domain. Please fix your configuration Support for old-style clients will be removed in a future release radiusd: #### Instantiating modules #### instantiate { } modules { # Loaded module rlm_eap # Instantiating module "eap" from file /etc/freeradius/mods-enabled/eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no mod_accounting_username_bug = no max_sessions = 4096 } # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 ca_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.pem" certificate_file = "/etc/freeradius/certs/server.pem" ca_file = "/etc/freeradius/certs/ca.pem" private_key_password = <<< secret >>> dh_file = "/etc/freeradius/certs/dh" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" ecdh_curve = "prime256v1" cache { enable = yes lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = yes } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_method = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Loaded module rlm_preprocess # Instantiating module "preprocess" from file /etc/freeradius/mods-enabled/preprocess preprocess { huntgroups = "/etc/freeradius/mods-config/preprocess/huntgroups" hints = "/etc/freeradius/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /etc/freeradius/mods-config/preprocess/huntgroups reading pairlist file /etc/freeradius/mods-config/preprocess/hints # Loaded module rlm_expiration # Instantiating module "expiration" from file /etc/freeradius/mods-enabled/expiration # Loaded module rlm_replicate # Instantiating module "replicate" from file /etc/freeradius/mods-enabled/replicate # Loaded module rlm_radutmp # Instantiating module "sradutmp" from file /etc/freeradius/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/freeradius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_detail # Instantiating module "auth_log" from file /etc/freeradius/mods-enabled/detail.log detail auth_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6 -Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 dir_permissions = 493 locking = no log_packet_header = no } rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/freeradius/mods-enabled/detail.log detail reply_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6 -Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 dir_permissions = 493 locking = no log_packet_header = no } # Instantiating module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6 -Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 dir_permissions = 493 locking = no log_packet_header = no } # Instantiating module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6 -Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 dir_permissions = 493 locking = no log_packet_header = no } # Loaded module rlm_exec # Instantiating module "exec" from file /etc/freeradius/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_realm # Instantiating module "IPASS" from file /etc/freeradius/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Instantiating module "suffix" from file /etc/freeradius/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Instantiating module "realmpercent" from file /etc/freeradius/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Instantiating module "ntdomain" from file /etc/freeradius/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = no } # Instantiating module "ntlm_auth" from file /etc/freeradius/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=our.domain --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_logintime # Instantiating module "logintime" from file /etc/freeradius/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_attr_filter # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/freeradius/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } reading pairlist file /etc/freeradius/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/freeradius/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } reading pairlist file /etc/freeradius/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/freeradius/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/mods-config/attr_filter/access_reject # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/freeradius/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/freeradius/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/mods-config/attr_filter/accounting_response # Loaded module rlm_files # Instantiating module "files" from file /etc/freeradius/mods-enabled/files files { filename = "/etc/freeradius/mods-config/files/authorize" usersfile = "/etc/freeradius/mods-config/files/authorize" acctusersfile = "/etc/freeradius/mods-config/files/accounting" preproxy_usersfile = "/etc/freeradius/mods-config/files/pre-proxy" compat = "no" } reading pairlist file /etc/freeradius/mods-config/files/authorize reading pairlist file /etc/freeradius/mods-config/files/authorize reading pairlist file /etc/freeradius/mods-config/files/accounting reading pairlist file /etc/freeradius/mods-config/files/pre-proxy # Instantiating module "radutmp" from file /etc/freeradius/mods-enabled/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_mschap # Instantiating module "mschap" from file /etc/freeradius/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username= %{%{Stripped-User-Name}:-%{%{mschap:User-Name}:-None}} --domain= %{%{mschap:NT-Domain}:-our.domain} --challenge= %{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" ntlm_auth_timeout = 10 passchange { } allow_retry = yes } # Loaded module rlm_cache # Instantiating module "cache_eap" from file /etc/freeradius/mods-enabled/cache_eap cache cache_eap { key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 16384 epoch = 0 add_stats = no } # Loaded module rlm_always # Instantiating module "reject" from file /etc/freeradius/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Instantiating module "fail" from file /etc/freeradius/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Instantiating module "ok" from file /etc/freeradius/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Instantiating module "handled" from file /etc/freeradius/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Instantiating module "invalid" from file /etc/freeradius/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Instantiating module "userlock" from file /etc/freeradius/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Instantiating module "notfound" from file /etc/freeradius/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Instantiating module "noop" from file /etc/freeradius/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Instantiating module "updated" from file /etc/freeradius/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_chap # Instantiating module "chap" from file /etc/freeradius/mods-enabled/chap # Loaded module rlm_unpack # Instantiating module "unpack" from file /etc/freeradius/mods-enabled/unpack # Loaded module rlm_ldap # Instantiating module "ldap" from file /etc/freeradius/mods-enabled/ldap ldap { server = "server.our.domain" port = 636 password = <<< secret >>> identity = "ACCOUNT" user { filter = "(cn=%{%{mschap:User-Name}:-%{User-Name}})" scope = "sub" base_dn = "dc=our,dc=domain" access_positive = yes } group { filter = "(objectClass=posixGroup)" scope = "sub" base_dn = "dc=our,dc=domain" name_attribute = "cn" membership_attribute = "memberOf" membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid= %{%{mschap:User-Name}:-%{User-Name}}))" cacheable_name = no cacheable_dn = no } client { filter = "(objectClass=frClient)" scope = "sub" base_dn = "dc=our,dc=domain" attribute { identifier = "radiusClientIdentifier" shortname = "cn" secret = "radiusClientSecret" } } profile { filter = "(&)" } options { ldap_debug = 40 chase_referrals = yes rebind = yes net_timeout = 1 res_timeout = 20 srv_timelimit = 20 idle = 60 probes = 3 interval = 3 } tls { start_tls = no } } accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" } post-auth { reference = "." } rlm_ldap (ldap): Initialising connection pool pool { start = 5 min = 4 max = 32 spare = 3 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 1 spread = no } rlm_ldap (ldap): Opening additional connection (0) rlm_ldap (ldap): Connecting to server.our.domain:636 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (1) rlm_ldap (ldap): Connecting to server.our.domain:636 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (2) rlm_ldap (ldap): Connecting to server.our.domain:636 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (3) rlm_ldap (ldap): Connecting to server.our.domain:636 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (4) rlm_ldap (ldap): Connecting to server.our.domain:636 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful # Instantiating module "detail" from file /etc/freeradius/mods-enabled/detail detail { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6 -Address}}/detail-%Y%m%d" header = "%t" permissions = 384 dir_permissions = 493 locking = no log_packet_header = no } # Instantiating module "echo" from file /etc/freeradius/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loaded module rlm_linelog # Instantiating module "linelog" from file /etc/freeradius/mods-enabled/linelog linelog { filename = "/var/log/freeradius/linelog" permissions = 384 format = "This is a log message for %{User-Name}" reference = "%{%{Packet-Type}:-format}" } # Loaded module rlm_dynamic_clients # Instantiating module "dynamic_clients" from file /etc/freeradius/mods-enabled/dynamic_clients # Loaded module rlm_utf8 # Instantiating module "utf8" from file /etc/freeradius/mods-enabled/utf8 } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/radiusd.conf } # server server wifi { # from file /etc/freeradius/sites-enabled/wifi # Loading authenticate {...} # Loading authorize {...} # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...} } # server wifi server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel # Creating Auth-Type = LDAP # Loading authenticate {...} # Loading authorize {...} # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} } # server inner-tunnel server default { # from file /etc/freeradius/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...} } # server default radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 1912 limit { max_connections = 26 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } listen { type = "auth" ipaddr = * port = 1812 limit { max_connections = 26 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Listening on auth address * port 1912 as server wifi Listening on acct address * port 1813 as server wifi Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel Listening on auth address * port 1812 as server default Listening on acct address * port 1813 as server default Opening new proxy socket 'proxy address * port 0' Listening on proxy address * port 33306 Ready to process requests. rad_recv: Access-Request packet from host WIFI-CONTROLLER-IP port 1034, id=39, length=174 User-Name = 'DOMAIN\\sexample5555' NAS-Port = 0 Called-Station-Id = '00-19-92-04-7E-81:Test2' Calling-Station-Id = '00-26-5E-31-33-3B' Framed-MTU = 1400 Attr-26 = 0x000026ef030302 NAS-Port-Type = Wireless-802.11 Connect-Info = 'CONNECT 0Mbps 802.11' EAP-Message = 0x025c0016014b5643435c736578616d706c6535353535 Message-Authenticator = 0x8c275779e337acf4e7eaccbf78cad923 (0) # Executing section authorize from file /etc/freeradius/sites-enabled/wifi (0) authorize { (0) if (Called-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?( [0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) (0) if (Called-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?( [0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE (0) if (Called-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?( [0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) { (0) update request { (0) EXPAND %{7} (0) --> Test2 (0) Called-Station-SSID := "Test2" (0) } # update request = noop (0) } # if (Called-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?( [0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) = noop (0) if ((Called-Station-SSID == "Test2") && (LDAP-Group == "students")) (0) Searching for user in group "students" rlm_ldap (ldap): Reserved connection (4) (0) EXPAND (cn=%{%{mschap:User-Name}:-%{User-Name}}) (0) --> (cn=sexample5555) (0) EXPAND dc=our,dc=domain (0) --> dc=our,dc=domain (0) Performing search in 'dc=our,dc=domain' with filter '(cn=sexample5555)', scope 'sub' (0) Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldaps://ForestDnsZones.our.domain/DC=ForestDnsZones,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldaps://domainainDnsZones.our.domain/DC=DomainDnsZones,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldaps://our.domain/CN=Configuration,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful User object found at DN "CN=sexample5555,OU=OUR-OU,OU=OUR-OU,OU=OUR-OU,OU=people,DC=our,DC=domain" (0) Checking for user in group objects (0) EXPAND (&(cn=students)(objectClass=posixGroup)(|(member= %{control:Ldap-UserDn})(memberUid= %{%{mschap:User-Name}:-%{User-Name}}))) (0) --> (&(cn=students)(objectClass=posixGroup)(|(member=CN \3dsexample5555\2cOU\3dse_students\2cOU\3dS_students\2cOU\3dstudents \2cOU\3dpeople\2cDC\3dour\2cDC\3ddom)(memberUid=sexample5555))) (0) EXPAND dc=our,dc=domain (0) --> dc=our,dc=domain (0) Waiting for bind result... (0) Bind successful (0) Performing search in 'dc=our,dc=domain' with filter '(&(cn=students)(objectClass=posixGroup)(|(member=CN\3dsexample5555\2cOU \3dse_students\2cOU\3dS_students\2cOU\3dstudents\2cOU\3dpeople\2cDC \3dour\2cDC\3ddom)(memberUid=sexample5555)))', scope 'sub' (0) Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldaps://ForestDnsZones.our.domain/DC=ForestDnsZones,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldaps://DomainDnsZones.our.domain/DC=DomainDnsZones,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldaps://our.dom/CN=Configuration,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (0) Search returned no results (0) Search returned not found (0) Checking user object membership (memberOf) attributes (0) Waiting for bind result... (0) Bind successful (0) Performing unfiltered search in 'CN=sexample5555,OU=se_students,OU=S_students,OU=students,OU=people,DC=our ,DC=domain', scope 'base' (0) Waiting for search result... (0) Processing group membership value "CN=GROUP1,OU=_Section-Groups,OU=students,OU=people,DC=our,DC=domain" (0) Converting group DN to group Name (0) Performing unfiltered search in 'CN=GROUP1,OU=_Section-Groups,OU=students,OU=people,DC=our,DC=domain', scope 'base' (0) Waiting for search result... (0) Group name is "GROUP1" (0) Processing group membership value "CN=GROUP2,OU=groups,DC=our,DC=domain" (0) Converting group DN to group Name (0) Performing unfiltered search in 'CN=GROUP2,OU=groups,DC=our,DC=domain', scope 'base' (0) Waiting for search result... (0) Group name is "GROUP2" (0) Processing group membership value "CN=SE_students,OU=se_students,OU=S_students,OU=students,OU=people,DC=our, DC=domain" (0) Converting group DN to group Name (0) Performing unfiltered search in 'CN=SE_students,OU=se_students,OU=S_students,OU=students,OU=people,DC=our, DC=domain', scope 'base' (0) Waiting for search result... (0) Group name is "SE_students" (0) Processing group membership value "CN=GROUP4,OU=_Dept-Groups,OU=students,OU=people,DC=our,DC=domain" (0) Converting group DN to group Name (0) Performing unfiltered search in 'CN=GROUP4,OU=_Dept-Groups,OU=students,OU=people,DC=our,DC=domain', scope 'base' (0) Waiting for search result... (0) Group name is "GROUP4" (0) Processing group membership value "CN=GROUP5,OU=staff,OU=people,DC=our,DC=domain" (0) Converting group DN to group Name (0) Performing unfiltered search in 'CN=GROUP5,OU=staff,OU=people,DC=our,DC=domain', scope 'base' (0) Waiting for search result... (0) Group name is "GROUP5" rlm_ (ldap): Deleting connection (4) (0) User is not a member of specified group (0) if ((Called-Station-SSID == "Test2") && (LDAP-Group == "students")) -> FALSE (0) else else { (0) [reject] = reject (0) } # else else = reject (0) } # authorize = reject (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/freeradius/sites-enabled/wifi (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject : EXPAND %{User-Name} (0) attr_filter.access_reject : --> DOMAIN\sexample5555 (0) attr_filter.access_reject : Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) eap : Request was previously rejected, inserting EAP-Failure (0) [eap] = updated (0) remove_reply_message_if_eap remove_reply_message_if_eap { (0) if (reply:EAP-Message && reply:Reply-Message) (0) if (reply:EAP-Message && reply:Reply-Message) -> FALSE (0) else else { (0) [noop] = noop (0) } # else else = noop (0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying reject of request 0 for 1 seconds Waking up in 0.2 seconds. Waking up in 0.7 seconds. (0) Sending delayed reject Sending Access-Reject of id 39 from Radius-Server port 1912 to WIFI-CONTROLLER-IP port 1034 EAP-Message = 0x045c0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. rad_recv: Access-Request packet from host WIFI-CONTROLLER-IP port 1034, id=40, length=174 User-Name = 'our\\sexample5555' NAS-Port = 0 Called-Station-Id = '00-19-92-04-7E-81:Test2' Calling-Station-Id = '00-26-5E-31-33-3B' Framed-MTU = 1400 Attr-26 = 0x000026ef030302 NAS-Port-Type = Wireless-802.11 Connect-Info = 'CONNECT 0Mbps 802.11' EAP-Message = 0x02b00016014b5643435c736578616d706c6535353535 Message-Authenticator = 0xfc98b83654758f9d0071ba123c21ca2e (1) # Executing section authorize from file /etc/freeradius/sites-enabled/wifi (1) authorize { (1) if (Called-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?( [0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) (1) if (Called-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?( [0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE (1) if (Called-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?( [0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) { (1) update request { (1) EXPAND %{7} (1) --> Test2 (1) Called-Station-SSID := "Test2" (1) } # update request = noop (1) } # if (Called-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?( [0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) = noop (1) if ((Called-Station-SSID == "Test2") && (LDAP-Group == "students")) (1) Searching for user in group "students" rlm_ldap (ldap): Reserved connection (3) (1) EXPAND (cn=%{%{mschap:User-Name}:-%{User-Name}}) (1) --> (cn=sexample5555) (1) EXPAND dc=our,dc=domain (1) --> dc=our,dc=domain (1) Performing search in 'dc=our,dc=domain' with filter '(cn=sexample5555)', scope 'sub' (1) Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldaps://ForestDnsZones.our.domain/DC=ForestDnsZones,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldaps://DomainDnsZones.our.domain/DC=DomainDnsZones,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldaps://our.domain/CN=Configuration,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (1) User object found at DN "CN=sexample5555,OU=OUR-OU,OU=OUR-OU,OU=OUR-OU,OU=people,DC=our,DC=domain" (1) Checking for user in group objects (1) EXPAND (&(cn=students)(objectClass=posixGroup)(|(member= %{control:Ldap-UserDn})(memberUid= %{%{mschap:User-Name}:-%{User-Name}}))) (1) --> (&(cn=students)(objectClass=posixGroup)(|(member=CN \3dsexample5555\2cOU\3dse_students\2cOU\3dS_students\2cOU\3dstudents \2cOU\3dpeople\2cDC\3dour\2cDC\3ddom)(memberUid=sexample5555))) (1) EXPAND dc=our,dc=domain (1) --> dc=our,dc=domain (1) Waiting for bind result... (1) Bind successful (1) Performing search in 'dc=our,dc=domain' with filter '(&(cn=students)(objectClass=posixGroup)(|(member=CN\3dsexample5555\2cOU \3dse_students\2cOU\3dS_students\2cOU\3dstudents\2cOU\3dpeople\2cDC \3dour\2cDC\3ddom)(memberUid=sexample5555)))', scope 'sub' (1) Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldaps://ForestDnsZones.our.domain/DC=ForestDnsZones,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldaps://DomainDnsZones.our.domain/DC=DomainDnsZones,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldaps://our.domain/CN=Configuration,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (1) Search returned no results (1) Search returned not found (1) Checking user object membership (memberOf) attributes (1) Waiting for bind result... (1) Bind successful (1) Performing unfiltered search in 'CN=sexample5555,OU=se_students,OU=S_students,OU=students,OU=people,DC=our ,DC=domain', scope 'base' (1) Waiting for search result... (1) Processing group membership value "CN=GROUP1,OU=_Section-Groups,OU=students,OU=people,DC=our,DC=domain" (1) Converting group DN to group Name (1) Performing unfiltered search in 'CN=GROUP1,OU=_Section-Groups,OU=students,OU=people,DC=our,DC=domain', scope 'base' (1) Waiting for search result... (1) Group name is "GROUP1" (1) Processing group membership value "CN=GROUP2,OU=groups,DC=our,DC=domain" (1) Converting group DN to group Name (1) Performing unfiltered search in 'CN=GROUP2,OU=groups,DC=our,DC=domain', scope 'base' (1) Waiting for search result... (1) Group name is "GROUP2" (1) Processing group membership value "CN=SE_students,OU=se_students,OU=S_students,OU=students,OU=people,DC=our, DC=domain" (1) Converting group DN to group Name (1) Performing unfiltered search in 'CN=SE_students,OU=se_students,OU=S_students,OU=students,OU=people,DC=our, DC=domain', scope 'base' (1) Waiting for search result... (1) Group name is "SE_students" (1) Processing group membership value "CN=GROUP4,OU=_Dept-Groups,OU=students,OU=people,DC=our,DC=domain" (1) Converting group DN to group Name (1) Performing unfiltered search in 'CN=GROUP4,OU=_Dept-Groups,OU=students,OU=people,DC=our,DC=domain', scope 'base' (1) Waiting for search result... (1) Group name is "GROUP4" (1) Processing group membership value "CN=GROUP5,OU=staff,OU=people,DC=our,DC=domain" (1) Converting group DN to group Name (1) Performing unfiltered search in 'CN=GROUP5,OU=staff,OU=people,DC=our,DC=domain', scope 'base' (1) Waiting for search result... (1) Group name is "GROUP5" rlm_ldap (ldap): Deleting connection (3) (1) User is not a member of specified group (1) if ((Called-Station-SSID == "Test2") && (LDAP-Group == "students")) -> FALSE (1) else else { (1) [reject] = reject (1) } # else else = reject (1) } # authorize = reject (1) Using Post-Auth-Type Reject (1) # Executing group from file /etc/freeradius/sites-enabled/wifi (1) Post-Auth-Type REJECT { (1) attr_filter.access_reject : EXPAND %{User-Name} (1) attr_filter.access_reject : --> DOMAIN\sexample5555 (1) attr_filter.access_reject : Matched entry DEFAULT at line 11 (1) [attr_filter.access_reject] = updated (1) eap : Request was previously rejected, inserting EAP-Failure (1) [eap] = updated (1) remove_reply_message_if_eap remove_reply_message_if_eap { (1) if (reply:EAP-Message && reply:Reply-Message) (1) if (reply:EAP-Message && reply:Reply-Message) -> FALSE (1) else else { (1) [noop] = noop (1) } # else else = noop (1) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (1) } # Post-Auth-Type REJECT = updated (1) Delaying reject of request 1 for 1 seconds Waking up in 0.2 seconds. Waking up in 0.7 seconds. (1) Sending delayed reject Sending Access-Reject of id 40 from SERVER-IP port 1912 to WIFI-CONTROLLER-IP port 1034 EAP-Message = 0x04b00004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 1.3 seconds. (0) Cleaning up request packet ID 39 with timestamp +6 Waking up in 2.6 seconds.
Thanks! -Josh
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 25 Apr 2014, at 07:02, <peter.geiser@id.unibe.ch> <peter.geiser@id.unibe.ch> wrote:
When you use AD then the following simple query will do all the hard workŠ
Recursive Group Memberships (member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})
Or as config snipped:
group { base_dn = 'dc=foo,dc=bar' scope = 'sub' name_attribute = cn membership_filter = "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})"
cacheable_name = "yes" cacheable_dn = "no" }
Woha, crazy. I don't even want to know what black magic that's invoking. Do you have any documentation on it? It'd be good to include a note in the default config. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On Fri, Apr 25, 2014 at 5:36 PM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On 25 Apr 2014, at 07:02, <peter.geiser@id.unibe.ch> <peter.geiser@id.unibe.ch> wrote:
When you use AD then the following simple query will do all the hard workŠ
Recursive Group Memberships (member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})
Or as config snipped:
group { base_dn = 'dc=foo,dc=bar' scope = 'sub' name_attribute = cn membership_filter = "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})"
cacheable_name = "yes" cacheable_dn = "no" }
Woha, crazy. I don't even want to know what black magic that's invoking.
Do you have any documentation on it? It'd be good to include a note in the default config.
Pasting the magic numbers to Google give this link: http://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx -- Fajar
On 25 Apr 2014, at 11:44, Fajar A. Nugraha <list@fajar.net> wrote:
On Fri, Apr 25, 2014 at 5:36 PM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On 25 Apr 2014, at 07:02, <peter.geiser@id.unibe.ch> <peter.geiser@id.unibe.ch> wrote:
When you use AD then the following simple query will do all the hard workŠ
Recursive Group Memberships (member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})
Or as config snipped:
group { base_dn = 'dc=foo,dc=bar' scope = 'sub' name_attribute = cn membership_filter = "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})"
cacheable_name = "yes" cacheable_dn = "no" }
Woha, crazy. I don't even want to know what black magic that's invoking.
Do you have any documentation on it? It'd be good to include a note in the default config.
Pasting the magic numbers to Google give this link: http://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx
Again 'Woha'. AD allows bitwise filters?! That's pretty cool. Someone with AD want to test and see if it allows the string form? Not sure whether they're just preprocessor macros, or whether AD will really allow them in the text form. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On 25 Apr 2014, at 12:11, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On 25 Apr 2014, at 11:44, Fajar A. Nugraha <list@fajar.net> wrote:
On Fri, Apr 25, 2014 at 5:36 PM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On 25 Apr 2014, at 07:02, <peter.geiser@id.unibe.ch> <peter.geiser@id.unibe.ch> wrote:
When you use AD then the following simple query will do all the hard workŠ
Recursive Group Memberships (member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})
Or as config snipped:
group { base_dn = 'dc=foo,dc=bar' scope = 'sub' name_attribute = cn membership_filter = "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})"
cacheable_name = "yes" cacheable_dn = "no" }
Woha, crazy. I don't even want to know what black magic that's invoking.
Do you have any documentation on it? It'd be good to include a note in the default config.
Pasting the magic numbers to Google give this link: http://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx
Again 'Woha'.
Which is the British spelling of Woah :) Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On 25/04/14 12:11, Arran Cudbard-Bell wrote:
Again 'Woha'.
AD allows bitwise filters?! That's pretty cool.
Someone with AD want to test and see if it allows the string form?
Not sure what you mean by "string form". You can definitely do a plain old LDAP query with that syntax. Couple of things to note - the "find all groups a user is in" form is *very* slow for me. The "find if a user is in a group" requires a base DN search against the user object, just like the tokenGroups magic attribute (I assume it does the same thing under the hood).
Phil Mayers wrote:
Couple of things to note - the "find all groups a user is in" form is *very* slow for me.
To be expected. And from the debug output... wow... 3-4 rebinds for every query? That will be *horribly* slow. I'm not joking when I suggest to use a real database. Performance could go up by a factor or 10 to 100. Alan DeKok.
On 25 Apr 2014, at 14:00, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 25/04/14 12:11, Arran Cudbard-Bell wrote:
Again 'Woha'.
AD allows bitwise filters?! That's pretty cool.
Someone with AD want to test and see if it allows the string form?
Not sure what you mean by "string form". You can definitely do a plain old LDAP query with that syntax.
:1.2.840.113556.1.4.1941: == :LDAP_MATCHING_RULE_IN_CHAIN: Just the OID is quite opaque...
Couple of things to note - the "find all groups a user is in" form is *very* slow for me. The "find if a user is in a group" requires a base DN search against the user object, just like the tokenGroups magic attribute (I assume it does the same thing under the hood).
OK Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
:) There is no magic - it's all documented by Microsoft: - MSDN: http://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx - TechNet: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-dir ectory-ldap-syntax-filters.aspx The query is really performant for what it do but on a FreeRadius Server with heavy load you should use it in combination with the cache module. We have this combination in production on Campus on since 6 month without any problems. ~ 250'000 Autentications per day for 802.1x (EduRoam), VPN, ... The complete Example: LDAP-Module: ldap { server = <your LDAP Server> port = 636 identity = <service account> password = <service account password> base_dn = <your base DN> # We need the employeeType (student,staff,...) for EduRoam update { reply:Class := 'employeeType' } user { base_dn = <your user base DN> filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" scope = 'sub' } group { base_dn = "dc=campus,dc=unibe,dc=ch" scope = 'sub' name_attribute = cn membership_filter = "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})" cacheable_name = "yes" cacheable_dn = "no" } options { chase_referrals = no rebind = yes timeout = 10 timelimit = 3 net_timeout = 1 idle = 60 probes = 3 interval = 3 ldap_debug = 0x0028 } tls { start_tls = no require_cert = "allow" } pool { start = 5 min = 1 max = ${thread[pool].max_servers} spare = 3 uses = 0 lifetime = 0 idle_timeout = 60 } } CACHE-Module cache { key = "%{User-Name}" # Group memberships don't change often so 1 hour is ok ttl = 3600 add_stats = no update { reply:Class := &reply:Class control:Ldap-Group += &control:Ldap-Group } } VIRTUAL-Server ... authorize { suffix update control { Cache-Status-Only = 'yes' } cache if (notfound) { ldap } update control { Cache-Status-Only := 'no' } cache ... <your other authorization modules> } Then you can use the LDAP-Groups in any post-auth section We have policies created for that: Example for VLAN by empoyeeType: set_eduroam_vlan { foreach Cisco-Avpair { if("%{Foreach-Variable-0}" =~ /ssid=eduroam/i) { update { reply:Tunnel-Type := 'VLAN' reply:Tunnel-Medium-Type := 'IEEE-802' } switch "%{reply:Class}" { case 'staff' { update { reply:Filter-Id := 'staff' reply:Tunnel-Private-Group-Id := <STAFF VLAN> } } case 'student' { update { reply:Filter-Id := 'student' reply:Tunnel-Private-Group-Id := <STUDENT VLAN> } } case { update { reply:Filter-Id := 'external' reply:Tunnel-Private-Group-Id := <EXTERNAL VLAN> } } } break } } } EXAMPLE for Class by AD-Group: set_vpn_class { foreach control:Ldap-Group { switch "%{Foreach-Variable-0}" { case 'AD-GROUP1' { update { reply:Class := 'Group1' } break } case 'AD-GROUP2' { update { reply:Class := 'Group2' } break } } } } - Peter Am 25.04.14 12:36 schrieb "Arran Cudbard-Bell" unter <a.cudbardb@freeradius.org>:
On 25 Apr 2014, at 07:02, <peter.geiser@id.unibe.ch> <peter.geiser@id.unibe.ch> wrote:
When you use AD then the following simple query will do all the hard workŠ
Recursive Group Memberships (member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})
Or as config snipped:
group { base_dn = 'dc=foo,dc=bar' scope = 'sub' name_attribute = cn membership_filter = "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})"
cacheable_name = "yes" cacheable_dn = "no" }
Woha, crazy. I don't even want to know what black magic that's invoking.
Do you have any documentation on it? It'd be good to include a note in the default config.
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On 28 Apr 2014, at 06:35, peter.geiser@id.unibe.ch wrote:
:) There is no magic - it's all documented by Microsoft:
- MSDN: http://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx - TechNet: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-dir ectory-ldap-syntax-filters.aspx
The query is really performant for what it do but on a FreeRadius Server with heavy load you should use it in combination with the cache module. We have this combination in production on Campus on since 6 month without any problems. ~ 250'000 Autentications per day for 802.1x (EduRoam), VPN, ...
Yes, there's another way to do it automatically too by looking for a special attribute in the user object. I'm just wondering if it's possible to specify the OID by it's text name, some of the other Microsoft documentation suggests it would be. Could someone try it and let me know? -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
No it’s not possible, i tried it. The Documentation says: <attribute name>:<matching rule OID>:=<value> So (member:1.2.840.113556.1.4.1941:=(cn=user1,cn=users,DC=x)) works but (member:LDAP_MATCHING_RULE_IN_CHAIN:=(cn=user1,cn=users,DC=x)) not because „LDAP_MATCHING_RULE_IN_CHAIN“ is a string and not an OID. Which special user attribute do you mean? MemberOf? I think this works only when the user is a direct member and not via nested groups. - Peter Am 28.04.14 13:23 schrieb "Arran Cudbard-Bell" unter <a.cudbardb@freeradius.org>:
On 28 Apr 2014, at 06:35, peter.geiser@id.unibe.ch wrote:
:) There is no magic - it's all documented by Microsoft:
- MSDN: http://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx - TechNet:
https://social.technet.microsoft.com/wiki/contents/articles/5392.active-d ir ectory-ldap-syntax-filters.aspx
Yes, there's another way to do it automatically too by looking for a special attribute in the user object.
I'm just wondering if it's possible to specify the OID by it's text name, some of the other Microsoft documentation suggests it would be. Could someone try it and let me know?
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Uhh - falsely meantŠ Forward searching from user to group including nested groups also work: (memberOf:1.2.840.113556.1.4.1941:=cn=Test,ou=East,dc=Domain,dc=com) - Peter Am 28.04.14 13:23 schrieb "Arran Cudbard-Bell" unter <a.cudbardb@freeradius.org>:
On 28 Apr 2014, at 06:35, peter.geiser@id.unibe.ch wrote:
:) There is no magic - it's all documented by Microsoft:
- MSDN: http://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx - TechNet:
https://social.technet.microsoft.com/wiki/contents/articles/5392.active-d ir ectory-ldap-syntax-filters.aspx
The query is really performant for what it do but on a FreeRadius Server with heavy load you should use it in combination with the cache module. We have this combination in production on Campus on since 6 month without any problems. ~ 250'000 Autentications per day for 802.1x (EduRoam), VPN, ...
Yes, there's another way to do it automatically too by looking for a special attribute in the user object.
I'm just wondering if it's possible to specify the OID by it's text name, some of the other Microsoft documentation suggests it would be. Could someone try it and let me know?
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On 28 Apr 2014, at 13:02, peter.geiser@id.unibe.ch wrote:
Uhh - falsely meantŠ
Forward searching from user to group including nested groups also work:
(memberOf:1.2.840.113556.1.4.1941:=cn=Test,ou=East,dc=Domain,dc=com)
Yeah just thought the number of OIDs might be small enough for AD to have text aliases for them. Oh well. Thanks for testing. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Peter Geiser wrote:
When you use AD then the following simple query will do all the hard workŠ
Recursive Group Memberships (member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})
Awesome! That will come in handy in the future. Thank you! Phil Mayers wrote:
Couple of things to note - the "find all groups a user is in" form is *very* slow for me. The "find if a user is in a group" requires a base DN search against the user object, just like the tokenGroups magic attribute (I assume it does the same thing under the hood).
Ah, I see the difference. Much faster. Thank you!
participants (6)
-
Alan DeKok -
Arran Cudbard-Bell -
Fajar A. Nugraha -
Josh Essar -
peter.geiser@id.unibe.ch -
Phil Mayers