Can Post-Auth-Type REJECT log LDAP user not found
Hello everyone, I have setup up a FreeRADIUS server with EAP-TTLS/PAP and OpenLDAP, the setup works fine. I have a question regarding Post-Auth-Type REJECT, it correctly logs Login incorrect, but the &Module-Failure-Message is ambiguous for our needs when it comes to troubleshooting. I get the following log if a user types their username incorrectly : `Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [johndo@lab.local] (from client localhost port 0 via TLS tunnel)` Is it possible to log something along the lines of "LDAP user not found" without making custom loglines? I believe this was possible on FreeRADIUS 2.x.x. You can find the debug info below. Thanks in advance ! --Thomas (5) Received Access-Request Id 5 from 127.0.0.1:47099 to 127.0.0.1:1812 length 229 (5) User-Name = "anonymous@lab.local" (5) NAS-IP-Address = 127.0.0.1 (5) Calling-Station-Id = "02-00-00-00-00-01" (5) Framed-MTU = 1400 (5) NAS-Port-Type = Wireless-802.11 (5) Service-Type = Framed-User (5) Connect-Info = "CONNECT 11Mbps 802.11b" (5) EAP-Message = 0x02b2005315001703030048688da1ee57de5c653ec5b3ddb3fddaf954b25a2814726949f8960b9c81902198bf3054cc85cee621707608ab4bb4fecdd2dd6c1c55b33338264afb10435abffeb1198b43490adde2 (5) State = 0x5cf4dd435846c8abb4f3a6e2030e9f16 (5) Message-Authenticator = 0x161a97e6923da68704ab1e2c3048d6af (5) Restoring &session-state (5) &session-state:Framed-MTU = 1004 (5) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (5) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (5) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (5) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (5) &session-state:TLS-Session-Version = "TLS 1.2" (5) # Executing section authorize from file /etc/raddb/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) if !("%{User-Name}" =~ /@lab.local$/) { (5) EXPAND %{User-Name} (5) --> anonymous@lab.local (5) if !("%{User-Name}" =~ /@lab.local$/) -> FALSE (5) suffix: Checking for suffix after "@" (5) suffix: Looking up realm "lab.local" for User-Name = "anonymous@lab.local" (5) suffix: Found realm "lab.local" (5) suffix: Adding Realm = "lab.local" (5) suffix: Authentication realm is LOCAL (5) [suffix] = ok (5) eap: Peer sent EAP Response (code 2) ID 178 length 83 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/raddb/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x5cf4dd435846c8ab (5) eap: Finished EAP session with state 0x5cf4dd435846c8ab (5) eap: Previous EAP request found for state 0x5cf4dd435846c8ab, released from the list (5) eap: Peer sent packet with method EAP TTLS (21) (5) eap: Calling submodule eap_ttls to process data (5) eap_ttls: Authenticate (5) eap_ttls: (TLS) EAP Done initial handshake (5) eap_ttls: Session established. Proceeding to decode tunneled attributes (5) eap_ttls: Got tunneled request (5) eap_ttls: User-Name = "johndo@lab.local" (5) eap_ttls: User-Password = "johndoe" (5) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1 (5) eap_ttls: Sending tunneled request (5) Virtual server inner-tunnel received request (5) User-Name = "johndo@lab.local" (5) User-Password = "johndoe" (5) FreeRADIUS-Proxied-To = 127.0.0.1 (5) server inner-tunnel { (5) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) suffix: Checking for suffix after "@" (5) suffix: Looking up realm "lab.local" for User-Name = "johndo@lab.local" (5) suffix: Found realm "lab.local" (5) suffix: Adding Realm = "lab.local" (5) suffix: Authentication realm is LOCAL (5) [suffix] = ok (5) update control { (5) &Proxy-To-Realm := LOCAL (5) } # update control = noop (5) eap: No EAP-Message, not doing EAP (5) [eap] = noop (5) [expiration] = noop (5) [logintime] = noop rlm_ldap (ldap): Reserved connection (0) (5) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (5) ldap: --> (uid=johndo@lab.local) (5) ldap: Performing search in "o=univ,dc=lab,dc=local" with filter "(uid=johndo@lab.local)", scope "sub" (5) ldap: Waiting for search result... (5) ldap: Search returned no results rlm_ldap (ldap): Released connection (0) Need 5 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldaps://ldap.lab.local:636 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (5) [ldap] = notfound (5) } # authorize = ok (5) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (5) Failed to authenticate the user (5) Using Post-Auth-Type Reject (5) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (5) Post-Auth-Type REJECT { (5) attr_filter.access_reject: EXPAND %{User-Name} (5) attr_filter.access_reject: --> johndo@lab.local (5) attr_filter.access_reject: Matched entry DEFAULT at line 11 (5) [attr_filter.access_reject] = updated (5) update outer.session-state { (5) &Module-Failure-Message := &request:Module-Failure-Message -> 'No Auth-Type found: rejecting the user via Post-Auth-Type = Reject' (5) } # update outer.session-state = noop (5) } # Post-Auth-Type REJECT = updated (5) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [johndo@lab.local] (from client localhost port 0 via TLS tunnel) (5) } # server inner-tunnel (5) Virtual server sending reply (5) eap_ttls: Got tunneled Access-Reject (5) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed (5) eap: Sending EAP Failure (code 4) ID 178 length 4 (5) eap: Failed in EAP select (5) [eap] = invalid (5) } # authenticate = invalid (5) Failed to authenticate the user (5) Using Post-Auth-Type Reject (5) # Executing group from file /etc/raddb/sites-enabled/default (5) Post-Auth-Type REJECT { (5) attr_filter.access_reject: EXPAND %{User-Name} (5) attr_filter.access_reject: --> anonymous@lab.local (5) attr_filter.access_reject: Matched entry DEFAULT at line 11 (5) [attr_filter.access_reject] = updated (5) policy remove_reply_message_if_eap { (5) if (&reply:EAP-Message && &reply:Reply-Message) { (5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (5) else { (5) [noop] = noop (5) } # else = noop (5) } # policy remove_reply_message_if_eap = noop (5) } # Post-Auth-Type REJECT = updated (5) Login incorrect (eap: Failed continuing EAP TTLS (21) session. EAP sub-module failed): [anonymous@lab.local] (from client localhost port 0 cli 02-00-00-00-00-01) (5) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (5) Sending delayed response (5) Sent Access-Reject Id 5 from 127.0.0.1:1812 to 127.0.0.1:47099 length 44 (5) EAP-Message = 0x04b20004 (5) Message-Authenticator = 0x00000000000000000000000000000000
On May 19, 2025, at 7:07 AM, thomas <thomas.nodon@gmail.com> wrote:
I have a question regarding Post-Auth-Type REJECT, it correctly logs Login incorrect, but the &Module-Failure-Message is ambiguous for our needs when it comes to troubleshooting.
You can always check the return code of the LDAP module, and then manually add a message.
Is it possible to log something along the lines of "LDAP user not found" without making custom loglines? I believe this was possible on FreeRADIUS 2.x.x.
I don't recall that being part of v2. But it's easy enough to add in unlang: ldap if (notfound) { ... add a message here. } Alan DeKok.
participants (2)
-
Alan DeKok -
thomas