Hello list, I'm testing FreeRADIUS ldap authentication and ldap authorization, in the default server config I defined: authorize { ... redundant-load-balance { ldap1 ldap2 ldap3 } # Allow only members of AD-Group "cn=radius.users,ou=Groups,dc=test,dc=local" ! if(Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") { ...several Ldap-Group queries to decide which attributes will be returned } ... } authenticate { ... Auth-Type LDAP { redundant-load-balance { ldap1 ldap2 ldap3 } } ... } The three ldap modules are well configured, I hope so. See freeradius -X output below. During FreeRADIUS performance test as described in /usr/share/doc/freeradius/performance-testing.gz I noticed that FR does for the ldap-group query above (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") no load-balancing or fall-through to other ldap modules. Every time only ldap module ldap3 is taken to do this ldap-group query. When I disable the nic of the ldap server referenced in ldap module ldap3 and authenticate with an existing user in AD I get an Access-Accept but without the return RADIUS Attributes I configured for special ldap-group membership inside the nested if bracket. No fail-over to the other ldap modules happens, although the other two ldap servers are up and running and reachable. Why FR doesn't load balance for this ldap-query? Thanks in advance, Tobias Hachmer Output of freeradius -X is a lot: root@asaradius1:/etc/freeradius# freeradius -X FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Oct 24 2011 at 15:27:27 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/redis including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/ldap2 including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/rediswho including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/ldap1 including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/ldap3 including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/soh including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/replicate including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/status including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/control-socket main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client Test1 { ipaddr = 192.168.72.11 netmask = 32 require_message_authenticator = no secret = "testing123" shortname = "Test" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/sites-enabled/default modules { Module: Creating Auth-Type = LDAP Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_ldap Module: Instantiating module "ldap1" from file /etc/freeradius/modules/ldap1 ldap ldap1 { server = "ldaps://testwdc1.test.local" port = 636 password = "abc321!" identity = "cn=Free RADIUS,cn=Users,dc=test,dc=local" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no cacertfile = "/etc/freeradius/certs/cacert.pem" require_cert = "allow" } basedn = "ou=Frankfurt,dc=test,dc=local" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))" dictionary_mapping = "/etc/freeradius/ldap.attrmap" ldap_debug = 40 ldap_connections_number = 5 compare_check_items = no do_xlat = yes edir_account_policy_check = no set_auth_type = yes keepalive { idle = 60 probes = 3 interval = 3 } } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Creating new attribute ldap1-Ldap-Group rlm_ldap: Registering ldap_groupcmp for ldap1-Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap1 rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0xc9fae0 Module: Instantiating module "ldap2" from file /etc/freeradius/modules/ldap2 ldap ldap2 { server = "ldaps://testwdc2.test.local" port = 636 password = "abc321!" identity = "cn=Free RADIUS,cn=Users,dc=test,dc=local" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no cacertfile = "/etc/freeradius/certs/cacert.pem" require_cert = "demand" } basedn = "ou=Frankfurt,dc=test,dc=local" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))" dictionary_mapping = "/etc/freeradius/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes edir_account_policy_check = no set_auth_type = yes keepalive { idle = 60 probes = 3 interval = 3 } } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Creating new attribute ldap2-Ldap-Group rlm_ldap: Registering ldap_groupcmp for ldap2-Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap2 rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0xca2090 Module: Instantiating module "ldap3" from file /etc/freeradius/modules/ldap3 ldap ldap3 { server = "ldaps://testwdc3.test.local" port = 636 password = "abc321!" identity = "cn=Free RADIUS,cn=Users,dc=test,dc=local" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no cacertfile = "/etc/freeradius/cacert.pem" require_cert = "demand" } basedn = "ou=Frankfurt,dc=test,dc=local" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))" dictionary_mapping = "/etc/freeradius/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes edir_account_policy_check = no set_auth_type = yes keepalive { idle = 60 probes = 3 interval = 3 } } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Creating new attribute ldap3-Ldap-Group rlm_ldap: Registering ldap_groupcmp for ldap3-Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap3 rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0xca4640 Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_detail Module: Instantiating module "auth_log" from file /etc/freeradius/modules/detail.log detail auth_log { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_always Module: Instantiating module "reject" from file /etc/freeradius/modules/always always reject { rcode = "reject" simulcount = 0 mpp = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Instantiating module "detail" from file /etc/freeradius/modules/detail detail { detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" relaxed = no } Module: Checking session {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" relaxed = no } } # modules } # server server status { # from file /etc/freeradius/sites-enabled/status modules { Module: Creating Autz-Type = Status-Server Module: Checking authorize {...} for more modules to load Module: Instantiating module "ok" from file /etc/freeradius/modules/always always ok { rcode = "ok" simulcount = 0 mpp = no } } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/freeradius/freeradius.sock" uid = "freerad" gid = "freerad" mode = "rw" } } listen { type = "status" ipaddr = 127.0.0.1 port = 18120 client admin { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "adminsecret" } } ... adding new socket proxy address * port 44399 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/freeradius/freeradius.sock Listening on status address 127.0.0.1 port 18120 as server status Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.72.11 port 52586, id=155, length=52 User-Name = "fkd" User-Password = "hhbea" NAS-IP-Address = 127.0.0.1 NAS-Port-Id = "0" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.72.11/auth-detail-20120419 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.72.11/auth-detail-20120419 [auth_log] expand: %t -> Thu Apr 19 13:05:47 2012 ++[auth_log] returns ok ++- entering redundant-load-balance group redundant-load-balance {...} [ldap1] performing user authorization for fkd [ldap1] expand: %{Stripped-User-Name} -> [ldap1] ... expanding second conditional [ldap1] expand: %{User-Name} -> fkd [ldap1] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=fkd) [ldap1] expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local [ldap1] ldap_get_conn: Checking Id: 0 [ldap1] ldap_get_conn: Got Id: 0 [ldap1] attempting LDAP reconnection [ldap1] (re)connect to ldaps://testwdc1.test.local, authentication 0 [ldap1] setting TLS CACert File to /etc/freeradius/certs/cacert.pem [ldap1] bind as cn=Free RADIUS,cn=Users,dc=test,dc=local/abc321! to ldaps://testwdc1.test.local [ldap1] waiting for bind result ... [ldap1] Bind was successful [ldap1] performing search in ou=Frankfurt,dc=test,dc=local, with filter (sAMAccountName=fkd) [ldap1] object not found [ldap1] search failed [ldap1] ldap_release_conn: Release Id: 0 +++[ldap1] returns notfound ++- redundant-load-balance group redundant-load-balance returns notfound ++? if (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") [ldap3] Entering ldap_groupcmp() expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local expand: %{Stripped-User-Name} -> ... expanding second conditional expand: %{User-Name} -> fkd expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=fkd) [ldap3] ldap_get_conn: Checking Id: 0 [ldap3] ldap_get_conn: Got Id: 0 [ldap3] attempting LDAP reconnection [ldap3] (re)connect to ldaps://testwdc3.test.local, authentication 0 [ldap3] setting TLS CACert File to /etc/freeradius/cacert.pem [ldap3] setting TLS Require Cert to demand [ldap3] bind as cn=Free RADIUS,cn=Users,dc=test,dc=local/abc321! to ldaps://testwdc3.test.local [ldap3] cn=Free RADIUS,cn=Users,dc=test,dc=local bind to ldaps://testwdc3.test.local failed: Can't contact LDAP server [ldap3] (re)connection attempt failed rlm_ldap::ldap_groupcmp: search failed [ldap3] ldap_release_conn: Release Id: 0 ? Evaluating (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") -> FALSE ++? if (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") -> FALSE [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ++[expiration] returns noop ++[logintime] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> fkd attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 155 to 192.168.72.11 port 52586 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.72.11 port 52586, id=106, length=53 User-Name = "vfyg" User-Password = "aiuqnb" NAS-IP-Address = 127.0.0.1 NAS-Port-Id = "0" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.72.11/auth-detail-20120419 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.72.11/auth-detail-20120419 [auth_log] expand: %t -> Thu Apr 19 13:05:48 2012 ++[auth_log] returns ok ++- entering redundant-load-balance group redundant-load-balance {...} [ldap2] performing user authorization for vfyg [ldap2] expand: %{Stripped-User-Name} -> [ldap2] ... expanding second conditional [ldap2] expand: %{User-Name} -> vfyg [ldap2] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=vfyg) [ldap2] expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local [ldap2] ldap_get_conn: Checking Id: 0 [ldap2] ldap_get_conn: Got Id: 0 [ldap2] attempting LDAP reconnection [ldap2] (re)connect to ldaps://testwdc2.test.local, authentication 0 [ldap2] setting TLS CACert File to /etc/freeradius/certs/cacert.pem [ldap2] setting TLS Require Cert to demand [ldap2] bind as cn=Free RADIUS,cn=Users,dc=test,dc=local/abc321! to ldaps://testwdc2.test.local [ldap2] waiting for bind result ... [ldap2] Bind was successful [ldap2] performing search in ou=Frankfurt,dc=test,dc=local, with filter (sAMAccountName=vfyg) [ldap2] object not found [ldap2] search failed [ldap2] ldap_release_conn: Release Id: 0 +++[ldap2] returns notfound ++- redundant-load-balance group redundant-load-balance returns notfound ++? if (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") [ldap3] Entering ldap_groupcmp() expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local expand: %{Stripped-User-Name} -> ... expanding second conditional expand: %{User-Name} -> vfyg expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=vfyg) [ldap3] ldap_get_conn: Checking Id: 0 [ldap3] ldap_get_conn: Got Id: 0 [ldap3] attempting LDAP reconnection [ldap3] (re)connect to ldaps://testwdc3.test.local, authentication 0 [ldap3] setting TLS CACert File to /etc/freeradius/cacert.pem [ldap3] setting TLS Require Cert to demand [ldap3] bind as cn=Free RADIUS,cn=Users,dc=test,dc=local/abc321! to ldaps://testwdc3.test.local [ldap3] cn=Free RADIUS,cn=Users,dc=test,dc=local bind to ldaps://testwdc3.test.local failed: Can't contact LDAP server [ldap3] (re)connection attempt failed rlm_ldap::ldap_groupcmp: search failed [ldap3] ldap_release_conn: Release Id: 0 ? Evaluating (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") -> FALSE ++? if (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") -> FALSE [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ++[expiration] returns noop ++[logintime] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> vfyg attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 106 to 192.168.72.11 port 52586 Finished request 1. Going to the next request Waking up in 3.9 seconds. rad_recv: Access-Request packet from host 192.168.72.11 port 52586, id=2, length=55 User-Name = "daboib" User-Password = "tqfblh" NAS-IP-Address = 127.0.0.1 NAS-Port-Id = "0" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.72.11/auth-detail-20120419 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.72.11/auth-detail-20120419 [auth_log] expand: %t -> Thu Apr 19 13:05:49 2012 ++[auth_log] returns ok ++- entering redundant-load-balance group redundant-load-balance {...} [ldap3] performing user authorization for daboib [ldap3] expand: %{Stripped-User-Name} -> [ldap3] ... expanding second conditional [ldap3] expand: %{User-Name} -> daboib [ldap3] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=daboib) [ldap3] expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local [ldap3] ldap_get_conn: Checking Id: 0 [ldap3] ldap_get_conn: Got Id: 0 [ldap3] attempting LDAP reconnection [ldap3] (re)connect to ldaps://testwdc3.test.local, authentication 0 [ldap3] setting TLS CACert File to /etc/freeradius/cacert.pem [ldap3] setting TLS Require Cert to demand [ldap3] bind as cn=Free RADIUS,cn=Users,dc=test,dc=local/abc321! to ldaps://testwdc3.test.local [ldap3] cn=Free RADIUS,cn=Users,dc=test,dc=local bind to ldaps://testwdc3.test.local failed: Can't contact LDAP server [ldap3] (re)connection attempt failed [ldap3] search failed [ldap3] ldap_release_conn: Release Id: 0 +++[ldap3] returns fail [ldap1] performing user authorization for daboib [ldap1] expand: %{Stripped-User-Name} -> [ldap1] ... expanding second conditional [ldap1] expand: %{User-Name} -> daboib [ldap1] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=daboib) [ldap1] expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local [ldap1] ldap_get_conn: Checking Id: 0 [ldap1] ldap_get_conn: Got Id: 0 [ldap1] performing search in ou=Frankfurt,dc=test,dc=local, with filter (sAMAccountName=daboib) [ldap1] object not found [ldap1] search failed [ldap1] ldap_release_conn: Release Id: 0 +++[ldap1] returns notfound ++- redundant-load-balance group redundant-load-balance returns notfound ++? if (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") [ldap3] Entering ldap_groupcmp() expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local expand: %{Stripped-User-Name} -> ... expanding second conditional expand: %{User-Name} -> daboib expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=daboib) [ldap3] ldap_get_conn: Checking Id: 0 [ldap3] ldap_get_conn: Got Id: 0 [ldap3] attempting LDAP reconnection [ldap3] (re)connect to ldaps://testwdc3.test.local, authentication 0 [ldap3] setting TLS CACert File to /etc/freeradius/cacert.pem [ldap3] setting TLS Require Cert to demand [ldap3] bind as cn=Free RADIUS,cn=Users,dc=test,dc=local/abc321! to ldaps://testwdc3.test.local [ldap3] cn=Free RADIUS,cn=Users,dc=test,dc=local bind to ldaps://testwdc3.test.local failed: Can't contact LDAP server [ldap3] (re)connection attempt failed rlm_ldap::ldap_groupcmp: search failed [ldap3] ldap_release_conn: Release Id: 0 ? Evaluating (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") -> FALSE ++? if (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") -> FALSE [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ++[expiration] returns noop ++[logintime] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> daboib attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 2 to 192.168.72.11 port 52586 Finished request 2. Going to the next request Waking up in 1.9 seconds. rad_recv: Access-Request packet from host 192.168.72.11 port 52586, id=79, length=52 User-Name = "qyc" User-Password = "bpd" NAS-IP-Address = 127.0.0.1 NAS-Port-Id = "0" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.72.11/auth-detail-20120419 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.72.11/auth-detail-20120419 [auth_log] expand: %t -> Thu Apr 19 13:05:51 2012 ++[auth_log] returns ok ++- entering redundant-load-balance group redundant-load-balance {...} [ldap1] performing user authorization for qyc [ldap1] expand: %{Stripped-User-Name} -> [ldap1] ... expanding second conditional [ldap1] expand: %{User-Name} -> qyc [ldap1] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=qyc) [ldap1] expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local [ldap1] ldap_get_conn: Checking Id: 0 [ldap1] ldap_get_conn: Got Id: 0 [ldap1] performing search in ou=Frankfurt,dc=test,dc=local, with filter (sAMAccountName=qyc) [ldap1] object not found [ldap1] search failed [ldap1] ldap_release_conn: Release Id: 0 +++[ldap1] returns notfound ++- redundant-load-balance group redundant-load-balance returns notfound ++? if (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") [ldap3] Entering ldap_groupcmp() expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local expand: %{Stripped-User-Name} -> ... expanding second conditional expand: %{User-Name} -> qyc expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=qyc) [ldap3] ldap_get_conn: Checking Id: 0 [ldap3] ldap_get_conn: Got Id: 0 [ldap3] attempting LDAP reconnection [ldap3] (re)connect to ldaps://testwdc3.test.local, authentication 0 [ldap3] setting TLS CACert File to /etc/freeradius/cacert.pem [ldap3] setting TLS Require Cert to demand [ldap3] bind as cn=Free RADIUS,cn=Users,dc=test,dc=local/abc321! to ldaps://testwdc3.test.local [ldap3] cn=Free RADIUS,cn=Users,dc=test,dc=local bind to ldaps://testwdc3.test.local failed: Can't contact LDAP server [ldap3] (re)connection attempt failed rlm_ldap::ldap_groupcmp: search failed [ldap3] ldap_release_conn: Release Id: 0 ? Evaluating (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") -> FALSE ++? if (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") -> FALSE [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ++[expiration] returns noop ++[logintime] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> qyc attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 79 to 192.168.72.11 port 52586 Finished request 3. Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 192.168.72.11 port 52586, id=160, length=52 User-Name = "xlb" User-Password = "shu" NAS-IP-Address = 127.0.0.1 NAS-Port-Id = "0" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.72.11/auth-detail-20120419 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.72.11/auth-detail-20120419 [auth_log] expand: %t -> Thu Apr 19 13:05:52 2012 ++[auth_log] returns ok ++- entering redundant-load-balance group redundant-load-balance {...} [ldap1] performing user authorization for xlb [ldap1] expand: %{Stripped-User-Name} -> [ldap1] ... expanding second conditional [ldap1] expand: %{User-Name} -> xlb [ldap1] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=xlb) [ldap1] expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local [ldap1] ldap_get_conn: Checking Id: 0 [ldap1] ldap_get_conn: Got Id: 0 [ldap1] performing search in ou=Frankfurt,dc=test,dc=local, with filter (sAMAccountName=xlb) [ldap1] object not found [ldap1] search failed [ldap1] ldap_release_conn: Release Id: 0 +++[ldap1] returns notfound ++- redundant-load-balance group redundant-load-balance returns notfound ++? if (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") [ldap3] Entering ldap_groupcmp() expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local expand: %{Stripped-User-Name} -> ... expanding second conditional expand: %{User-Name} -> xlb expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=xlb) [ldap3] ldap_get_conn: Checking Id: 0 [ldap3] ldap_get_conn: Got Id: 0 [ldap3] attempting LDAP reconnection [ldap3] (re)connect to ldaps://testwdc3.test.local, authentication 0 [ldap3] setting TLS CACert File to /etc/freeradius/cacert.pem [ldap3] setting TLS Require Cert to demand [ldap3] bind as cn=Free RADIUS,cn=Users,dc=test,dc=local/abc321! to ldaps://testwdc3.test.local [ldap3] cn=Free RADIUS,cn=Users,dc=test,dc=local bind to ldaps://testwdc3.test.local failed: Can't contact LDAP server [ldap3] (re)connection attempt failed rlm_ldap::ldap_groupcmp: search failed [ldap3] ldap_release_conn: Release Id: 0 ? Evaluating (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") -> FALSE ++? if (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") -> FALSE [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ++[expiration] returns noop ++[logintime] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> xlb attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 4 for 1 seconds Going to the next request Cleaning up request 0 ID 155 with timestamp +57 Sending delayed reject for request 4 Sending Access-Reject of id 160 to 192.168.72.11 port 52586 Waking up in 1.0 seconds. rad_recv: Access-Request packet from host 192.168.72.11 port 52586, id=4, length=54 User-Name = "vxtva" User-Password = "rafjwdr" NAS-IP-Address = 127.0.0.1 NAS-Port-Id = "0" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.72.11/auth-detail-20120419 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.72.11/auth-detail-20120419 [auth_log] expand: %t -> Thu Apr 19 13:05:53 2012 ++[auth_log] returns ok ++- entering redundant-load-balance group redundant-load-balance {...} [ldap2] performing user authorization for vxtva [ldap2] expand: %{Stripped-User-Name} -> [ldap2] ... expanding second conditional [ldap2] expand: %{User-Name} -> vxtva [ldap2] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=vxtva) [ldap2] expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local [ldap2] ldap_get_conn: Checking Id: 0 [ldap2] ldap_get_conn: Got Id: 0 [ldap2] performing search in ou=Frankfurt,dc=test,dc=local, with filter (sAMAccountName=vxtva) [ldap2] object not found [ldap2] search failed [ldap2] ldap_release_conn: Release Id: 0 +++[ldap2] returns notfound ++- redundant-load-balance group redundant-load-balance returns notfound ++? if (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") [ldap3] Entering ldap_groupcmp() expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local expand: %{Stripped-User-Name} -> ... expanding second conditional expand: %{User-Name} -> vxtva expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=vxtva) [ldap3] ldap_get_conn: Checking Id: 0 [ldap3] ldap_get_conn: Got Id: 0 [ldap3] attempting LDAP reconnection [ldap3] (re)connect to ldaps://testwdc3.test.local, authentication 0 [ldap3] setting TLS CACert File to /etc/freeradius/cacert.pem [ldap3] setting TLS Require Cert to demand [ldap3] bind as cn=Free RADIUS,cn=Users,dc=test,dc=local/abc321! to ldaps://testwdc3.test.local [ldap3] cn=Free RADIUS,cn=Users,dc=test,dc=local bind to ldaps://testwdc3.test.local failed: Can't contact LDAP server [ldap3] (re)connection attempt failed rlm_ldap::ldap_groupcmp: search failed [ldap3] ldap_release_conn: Release Id: 0 ? Evaluating (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") -> FALSE ++? if (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") -> FALSE [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ++[expiration] returns noop ++[logintime] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> vxtva attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 4 to 192.168.72.11 port 52586 Finished request 5. Going to the next request Cleaning up request 1 ID 106 with timestamp +58 Waking up in 1.9 seconds. rad_recv: Access-Request packet from host 192.168.72.11 port 52586, id=173, length=54 User-Name = "nquna" User-Password = "hffe" NAS-IP-Address = 127.0.0.1 NAS-Port-Id = "0" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.72.11/auth-detail-20120419 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.72.11/auth-detail-20120419 [auth_log] expand: %t -> Thu Apr 19 13:05:54 2012 ++[auth_log] returns ok ++- entering redundant-load-balance group redundant-load-balance {...} [ldap1] performing user authorization for nquna [ldap1] expand: %{Stripped-User-Name} -> [ldap1] ... expanding second conditional [ldap1] expand: %{User-Name} -> nquna [ldap1] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=nquna) [ldap1] expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local [ldap1] ldap_get_conn: Checking Id: 0 [ldap1] ldap_get_conn: Got Id: 0 [ldap1] performing search in ou=Frankfurt,dc=test,dc=local, with filter (sAMAccountName=nquna) [ldap1] object not found [ldap1] search failed [ldap1] ldap_release_conn: Release Id: 0 +++[ldap1] returns notfound ++- redundant-load-balance group redundant-load-balance returns notfound ++? if (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") [ldap3] Entering ldap_groupcmp() expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local expand: %{Stripped-User-Name} -> ... expanding second conditional expand: %{User-Name} -> nquna expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=nquna) [ldap3] ldap_get_conn: Checking Id: 0 [ldap3] ldap_get_conn: Got Id: 0 [ldap3] attempting LDAP reconnection [ldap3] (re)connect to ldaps://testwdc3.test.local, authentication 0 [ldap3] setting TLS CACert File to /etc/freeradius/cacert.pem [ldap3] setting TLS Require Cert to demand [ldap3] bind as cn=Free RADIUS,cn=Users,dc=test,dc=local/abc321! to ldaps://testwdc3.test.local [ldap3] cn=Free RADIUS,cn=Users,dc=test,dc=local bind to ldaps://testwdc3.test.local failed: Can't contact LDAP server [ldap3] (re)connection attempt failed rlm_ldap::ldap_groupcmp: search failed [ldap3] ldap_release_conn: Release Id: 0 ? Evaluating (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") -> FALSE ++? if (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") -> FALSE [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ++[expiration] returns noop ++[logintime] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> nquna attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 173 to 192.168.72.11 port 52586 Finished request 6. Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 192.168.72.11 port 52586, id=115, length=57 User-Name = "vlsagjxx" User-Password = "hihmb" NAS-IP-Address = 127.0.0.1 NAS-Port-Id = "0" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.72.11/auth-detail-20120419 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.72.11/auth-detail-20120419 [auth_log] expand: %t -> Thu Apr 19 13:05:55 2012 ++[auth_log] returns ok ++- entering redundant-load-balance group redundant-load-balance {...} [ldap1] performing user authorization for vlsagjxx [ldap1] expand: %{Stripped-User-Name} -> [ldap1] ... expanding second conditional [ldap1] expand: %{User-Name} -> vlsagjxx [ldap1] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=vlsagjxx) [ldap1] expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local [ldap1] ldap_get_conn: Checking Id: 0 [ldap1] ldap_get_conn: Got Id: 0 [ldap1] performing search in ou=Frankfurt,dc=test,dc=local, with filter (sAMAccountName=vlsagjxx) [ldap1] object not found [ldap1] search failed [ldap1] ldap_release_conn: Release Id: 0 +++[ldap1] returns notfound ++- redundant-load-balance group redundant-load-balance returns notfound ++? if (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") [ldap3] Entering ldap_groupcmp() expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local expand: %{Stripped-User-Name} -> ... expanding second conditional expand: %{User-Name} -> vlsagjxx expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=vlsagjxx) [ldap3] ldap_get_conn: Checking Id: 0 [ldap3] ldap_get_conn: Got Id: 0 [ldap3] attempting LDAP reconnection [ldap3] (re)connect to ldaps://testwdc3.test.local, authentication 0 [ldap3] setting TLS CACert File to /etc/freeradius/cacert.pem [ldap3] setting TLS Require Cert to demand [ldap3] bind as cn=Free RADIUS,cn=Users,dc=test,dc=local/abc321! to ldaps://testwdc3.test.local [ldap3] cn=Free RADIUS,cn=Users,dc=test,dc=local bind to ldaps://testwdc3.test.local failed: Can't contact LDAP server [ldap3] (re)connection attempt failed rlm_ldap::ldap_groupcmp: search failed [ldap3] ldap_release_conn: Release Id: 0 ? Evaluating (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") -> FALSE ++? if (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") -> FALSE [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ++[expiration] returns noop ++[logintime] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> vlsagjxx attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 7 for 1 seconds Going to the next request Cleaning up request 2 ID 2 with timestamp +59 Sending delayed reject for request 7 Sending Access-Reject of id 115 to 192.168.72.11 port 52586 Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 192.168.72.11 port 52586, id=90, length=54 User-Name = "bcrtp" User-Password = "ficei" NAS-IP-Address = 127.0.0.1 NAS-Port-Id = "0" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.72.11/auth-detail-20120419 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.72.11/auth-detail-20120419 [auth_log] expand: %t -> Thu Apr 19 13:05:56 2012 ++[auth_log] returns ok ++- entering redundant-load-balance group redundant-load-balance {...} [ldap1] performing user authorization for bcrtp [ldap1] expand: %{Stripped-User-Name} -> [ldap1] ... expanding second conditional [ldap1] expand: %{User-Name} -> bcrtp [ldap1] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=bcrtp) [ldap1] expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local [ldap1] ldap_get_conn: Checking Id: 0 [ldap1] ldap_get_conn: Got Id: 0 [ldap1] performing search in ou=Frankfurt,dc=test,dc=local, with filter (sAMAccountName=bcrtp) [ldap1] object not found [ldap1] search failed [ldap1] ldap_release_conn: Release Id: 0 +++[ldap1] returns notfound ++- redundant-load-balance group redundant-load-balance returns notfound ++? if (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") [ldap3] Entering ldap_groupcmp() expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local expand: %{Stripped-User-Name} -> ... expanding second conditional expand: %{User-Name} -> bcrtp expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=bcrtp) [ldap3] ldap_get_conn: Checking Id: 0 [ldap3] ldap_get_conn: Got Id: 0 [ldap3] attempting LDAP reconnection [ldap3] (re)connect to ldaps://testwdc3.test.local, authentication 0 [ldap3] setting TLS CACert File to /etc/freeradius/cacert.pem [ldap3] setting TLS Require Cert to demand [ldap3] bind as cn=Free RADIUS,cn=Users,dc=test,dc=local/abc321! to ldaps://testwdc3.test.local [ldap3] cn=Free RADIUS,cn=Users,dc=test,dc=local bind to ldaps://testwdc3.test.local failed: Can't contact LDAP server [ldap3] (re)connection attempt failed rlm_ldap::ldap_groupcmp: search failed [ldap3] ldap_release_conn: Release Id: 0 ? Evaluating (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") -> FALSE ++? if (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") -> FALSE [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ++[expiration] returns noop ++[logintime] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> bcrtp attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 90 to 192.168.72.11 port 52586 Finished request 8. Going to the next request Cleaning up request 3 ID 79 with timestamp +61 rad_recv: Access-Request packet from host 192.168.72.11 port 52586, id=176, length=54 User-Name = "dkova" User-Password = "skmlqw" NAS-IP-Address = 127.0.0.1 NAS-Port-Id = "0" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.72.11/auth-detail-20120419 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.72.11/auth-detail-20120419 [auth_log] expand: %t -> Thu Apr 19 13:05:57 2012 ++[auth_log] returns ok ++- entering redundant-load-balance group redundant-load-balance {...} [ldap2] performing user authorization for dkova [ldap2] expand: %{Stripped-User-Name} -> [ldap2] ... expanding second conditional [ldap2] expand: %{User-Name} -> dkova [ldap2] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=dkova) [ldap2] expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local [ldap2] ldap_get_conn: Checking Id: 0 [ldap2] ldap_get_conn: Got Id: 0 [ldap2] performing search in ou=Frankfurt,dc=test,dc=local, with filter (sAMAccountName=dkova) [ldap2] object not found [ldap2] search failed [ldap2] ldap_release_conn: Release Id: 0 +++[ldap2] returns notfound ++- redundant-load-balance group redundant-load-balance returns notfound ++? if (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") [ldap3] Entering ldap_groupcmp() expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local expand: %{Stripped-User-Name} -> ... expanding second conditional expand: %{User-Name} -> dkova expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=dkova) [ldap3] ldap_get_conn: Checking Id: 0 [ldap3] ldap_get_conn: Got Id: 0 [ldap3] attempting LDAP reconnection [ldap3] (re)connect to ldaps://testwdc3.test.local, authentication 0 [ldap3] setting TLS CACert File to /etc/freeradius/cacert.pem [ldap3] setting TLS Require Cert to demand [ldap3] bind as cn=Free RADIUS,cn=Users,dc=test,dc=local/abc321! to ldaps://testwdc3.test.local [ldap3] cn=Free RADIUS,cn=Users,dc=test,dc=local bind to ldaps://testwdc3.test.local failed: Can't contact LDAP server [ldap3] (re)connection attempt failed rlm_ldap::ldap_groupcmp: search failed [ldap3] ldap_release_conn: Release Id: 0 ? Evaluating (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") -> FALSE ++? if (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") -> FALSE [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ++[expiration] returns noop ++[logintime] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> dkova attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 176 to 192.168.72.11 port 52586 Finished request 9. Going to the next request Cleaning up request 4 ID 160 with timestamp +62 rad_recv: Access-Request packet from host 192.168.72.11 port 52586, id=106, length=54 User-Name = "fnenl" User-Password = "kjbjclqw" NAS-IP-Address = 127.0.0.1 NAS-Port-Id = "0" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.72.11/auth-detail-20120419 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.72.11/auth-detail-20120419 [auth_log] expand: %t -> Thu Apr 19 13:05:58 2012 ++[auth_log] returns ok ++- entering redundant-load-balance group redundant-load-balance {...} [ldap2] performing user authorization for fnenl [ldap2] expand: %{Stripped-User-Name} -> [ldap2] ... expanding second conditional [ldap2] expand: %{User-Name} -> fnenl [ldap2] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=fnenl) [ldap2] expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local [ldap2] ldap_get_conn: Checking Id: 0 [ldap2] ldap_get_conn: Got Id: 0 [ldap2] performing search in ou=Frankfurt,dc=test,dc=local, with filter (sAMAccountName=fnenl) [ldap2] object not found [ldap2] search failed [ldap2] ldap_release_conn: Release Id: 0 +++[ldap2] returns notfound ++- redundant-load-balance group redundant-load-balance returns notfound ++? if (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") [ldap3] Entering ldap_groupcmp() expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local expand: %{Stripped-User-Name} -> ... expanding second conditional expand: %{User-Name} -> fnenl expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=fnenl) [ldap3] ldap_get_conn: Checking Id: 0 [ldap3] ldap_get_conn: Got Id: 0 [ldap3] attempting LDAP reconnection [ldap3] (re)connect to ldaps://testwdc3.test.local, authentication 0 [ldap3] setting TLS CACert File to /etc/freeradius/cacert.pem [ldap3] setting TLS Require Cert to demand [ldap3] bind as cn=Free RADIUS,cn=Users,dc=test,dc=local/abc321! to ldaps://testwdc3.test.local [ldap3] cn=Free RADIUS,cn=Users,dc=test,dc=local bind to ldaps://testwdc3.test.local failed: Can't contact LDAP server [ldap3] (re)connection attempt failed rlm_ldap::ldap_groupcmp: search failed [ldap3] ldap_release_conn: Release Id: 0 ? Evaluating (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") -> FALSE ++? if (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") -> FALSE [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ++[expiration] returns noop ++[logintime] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> fnenl attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 10 for 1 seconds Going to the next request Cleaning up request 5 ID 4 with timestamp +63 Sending delayed reject for request 10 Sending Access-Reject of id 106 to 192.168.72.11 port 52586 Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 192.168.72.11 port 52586, id=54, length=53 User-Name = "txhj" User-Password = "qdmjrgrm" NAS-IP-Address = 127.0.0.1 NAS-Port-Id = "0" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.72.11/auth-detail-20120419 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.72.11/auth-detail-20120419 [auth_log] expand: %t -> Thu Apr 19 13:05:59 2012 ++[auth_log] returns ok ++- entering redundant-load-balance group redundant-load-balance {...} [ldap3] performing user authorization for txhj [ldap3] expand: %{Stripped-User-Name} -> [ldap3] ... expanding second conditional [ldap3] expand: %{User-Name} -> txhj [ldap3] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=txhj) [ldap3] expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local [ldap3] ldap_get_conn: Checking Id: 0 [ldap3] ldap_get_conn: Got Id: 0 [ldap3] attempting LDAP reconnection [ldap3] (re)connect to ldaps://testwdc3.test.local, authentication 0 [ldap3] setting TLS CACert File to /etc/freeradius/cacert.pem [ldap3] setting TLS Require Cert to demand [ldap3] bind as cn=Free RADIUS,cn=Users,dc=test,dc=local/abc321! to ldaps://testwdc3.test.local [ldap3] cn=Free RADIUS,cn=Users,dc=test,dc=local bind to ldaps://testwdc3.test.local failed: Can't contact LDAP server [ldap3] (re)connection attempt failed [ldap3] search failed [ldap3] ldap_release_conn: Release Id: 0 +++[ldap3] returns fail [ldap1] performing user authorization for txhj [ldap1] expand: %{Stripped-User-Name} -> [ldap1] ... expanding second conditional [ldap1] expand: %{User-Name} -> txhj [ldap1] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=txhj) [ldap1] expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local [ldap1] ldap_get_conn: Checking Id: 0 [ldap1] ldap_get_conn: Got Id: 0 [ldap1] performing search in ou=Frankfurt,dc=test,dc=local, with filter (sAMAccountName=txhj) [ldap1] object not found [ldap1] search failed [ldap1] ldap_release_conn: Release Id: 0 +++[ldap1] returns notfound ++- redundant-load-balance group redundant-load-balance returns notfound ++? if (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") [ldap3] Entering ldap_groupcmp() expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local expand: %{Stripped-User-Name} -> ... expanding second conditional expand: %{User-Name} -> txhj expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=txhj) [ldap3] ldap_get_conn: Checking Id: 0 [ldap3] ldap_get_conn: Got Id: 0 [ldap3] attempting LDAP reconnection [ldap3] (re)connect to ldaps://testwdc3.test.local, authentication 0 [ldap3] setting TLS CACert File to /etc/freeradius/cacert.pem [ldap3] setting TLS Require Cert to demand [ldap3] bind as cn=Free RADIUS,cn=Users,dc=test,dc=local/abc321! to ldaps://testwdc3.test.local [ldap3] cn=Free RADIUS,cn=Users,dc=test,dc=local bind to ldaps://testwdc3.test.local failed: Can't contact LDAP server [ldap3] (re)connection attempt failed rlm_ldap::ldap_groupcmp: search failed [ldap3] ldap_release_conn: Release Id: 0 ? Evaluating (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") -> FALSE ++? if (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") -> FALSE [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ++[expiration] returns noop ++[logintime] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> txhj attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 54 to 192.168.72.11 port 52586 Finished request 11. Going to the next request Cleaning up request 6 ID 173 with timestamp +64 Cleaning up request 7 ID 115 with timestamp +65 rad_recv: Access-Request packet from host 192.168.72.11 port 52586, id=59, length=54 User-Name = "nhgwh" User-Password = "qmbtw" NAS-IP-Address = 127.0.0.1 NAS-Port-Id = "0" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.72.11/auth-detail-20120419 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.72.11/auth-detail-20120419 [auth_log] expand: %t -> Thu Apr 19 13:06:01 2012 ++[auth_log] returns ok ++- entering redundant-load-balance group redundant-load-balance {...} [ldap2] performing user authorization for nhgwh [ldap2] expand: %{Stripped-User-Name} -> [ldap2] ... expanding second conditional [ldap2] expand: %{User-Name} -> nhgwh [ldap2] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=nhgwh) [ldap2] expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local [ldap2] ldap_get_conn: Checking Id: 0 [ldap2] ldap_get_conn: Got Id: 0 [ldap2] performing search in ou=Frankfurt,dc=test,dc=local, with filter (sAMAccountName=nhgwh) [ldap2] object not found [ldap2] search failed [ldap2] ldap_release_conn: Release Id: 0 +++[ldap2] returns notfound ++- redundant-load-balance group redundant-load-balance returns notfound ++? if (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") [ldap3] Entering ldap_groupcmp() expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local expand: %{Stripped-User-Name} -> ... expanding second conditional expand: %{User-Name} -> nhgwh expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=nhgwh) [ldap3] ldap_get_conn: Checking Id: 0 [ldap3] ldap_get_conn: Got Id: 0 [ldap3] attempting LDAP reconnection [ldap3] (re)connect to ldaps://testwdc3.test.local, authentication 0 [ldap3] setting TLS CACert File to /etc/freeradius/cacert.pem [ldap3] setting TLS Require Cert to demand [ldap3] bind as cn=Free RADIUS,cn=Users,dc=test,dc=local/abc321! to ldaps://testwdc3.test.local [ldap3] cn=Free RADIUS,cn=Users,dc=test,dc=local bind to ldaps://testwdc3.test.local failed: Can't contact LDAP server [ldap3] (re)connection attempt failed rlm_ldap::ldap_groupcmp: search failed [ldap3] ldap_release_conn: Release Id: 0 ? Evaluating (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") -> FALSE ++? if (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") -> FALSE [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ++[expiration] returns noop ++[logintime] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> nhgwh attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 12 for 1 seconds Going to the next request Cleaning up request 8 ID 90 with timestamp +66 Sending delayed reject for request 12 Sending Access-Reject of id 59 to 192.168.72.11 port 52586 Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 192.168.72.11 port 52586, id=11, length=55 User-Name = "kaiaur" User-Password = "chdyo" NAS-IP-Address = 127.0.0.1 NAS-Port-Id = "0" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.72.11/auth-detail-20120419 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.72.11/auth-detail-20120419 [auth_log] expand: %t -> Thu Apr 19 13:06:02 2012 ++[auth_log] returns ok ++- entering redundant-load-balance group redundant-load-balance {...} [ldap1] performing user authorization for kaiaur [ldap1] expand: %{Stripped-User-Name} -> [ldap1] ... expanding second conditional [ldap1] expand: %{User-Name} -> kaiaur [ldap1] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=kaiaur) [ldap1] expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local [ldap1] ldap_get_conn: Checking Id: 0 [ldap1] ldap_get_conn: Got Id: 0 [ldap1] performing search in ou=Frankfurt,dc=test,dc=local, with filter (sAMAccountName=kaiaur) [ldap1] object not found [ldap1] search failed [ldap1] ldap_release_conn: Release Id: 0 +++[ldap1] returns notfound ++- redundant-load-balance group redundant-load-balance returns notfound ++? if (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") [ldap3] Entering ldap_groupcmp() expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local expand: %{Stripped-User-Name} -> ... expanding second conditional expand: %{User-Name} -> kaiaur expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=kaiaur) [ldap3] ldap_get_conn: Checking Id: 0 [ldap3] ldap_get_conn: Got Id: 0 [ldap3] attempting LDAP reconnection [ldap3] (re)connect to ldaps://testwdc3.test.local, authentication 0 [ldap3] setting TLS CACert File to /etc/freeradius/cacert.pem [ldap3] setting TLS Require Cert to demand [ldap3] bind as cn=Free RADIUS,cn=Users,dc=test,dc=local/abc321! to ldaps://testwdc3.test.local [ldap3] cn=Free RADIUS,cn=Users,dc=test,dc=local bind to ldaps://testwdc3.test.local failed: Can't contact LDAP server [ldap3] (re)connection attempt failed rlm_ldap::ldap_groupcmp: search failed [ldap3] ldap_release_conn: Release Id: 0 ? Evaluating (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") -> FALSE ++? if (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") -> FALSE [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ++[expiration] returns noop ++[logintime] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> kaiaur attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 11 to 192.168.72.11 port 52586 Finished request 13. Going to the next request Cleaning up request 9 ID 176 with timestamp +67 Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 192.168.72.11 port 52586, id=160, length=54 User-Name = "kmvbu" User-Password = "uegu" NAS-IP-Address = 127.0.0.1 NAS-Port-Id = "0" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.72.11/auth-detail-20120419 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.72.11/auth-detail-20120419 [auth_log] expand: %t -> Thu Apr 19 13:06:03 2012 ++[auth_log] returns ok ++- entering redundant-load-balance group redundant-load-balance {...} [ldap3] performing user authorization for kmvbu [ldap3] expand: %{Stripped-User-Name} -> [ldap3] ... expanding second conditional [ldap3] expand: %{User-Name} -> kmvbu [ldap3] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=kmvbu) [ldap3] expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local [ldap3] ldap_get_conn: Checking Id: 0 [ldap3] ldap_get_conn: Got Id: 0 [ldap3] attempting LDAP reconnection [ldap3] (re)connect to ldaps://testwdc3.test.local, authentication 0 [ldap3] setting TLS CACert File to /etc/freeradius/cacert.pem [ldap3] setting TLS Require Cert to demand [ldap3] bind as cn=Free RADIUS,cn=Users,dc=test,dc=local/abc321! to ldaps://testwdc3.test.local [ldap3] cn=Free RADIUS,cn=Users,dc=test,dc=local bind to ldaps://testwdc3.test.local failed: Can't contact LDAP server [ldap3] (re)connection attempt failed [ldap3] search failed [ldap3] ldap_release_conn: Release Id: 0 +++[ldap3] returns fail [ldap1] performing user authorization for kmvbu [ldap1] expand: %{Stripped-User-Name} -> [ldap1] ... expanding second conditional [ldap1] expand: %{User-Name} -> kmvbu [ldap1] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=kmvbu) [ldap1] expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local [ldap1] ldap_get_conn: Checking Id: 0 [ldap1] ldap_get_conn: Got Id: 0 [ldap1] performing search in ou=Frankfurt,dc=test,dc=local, with filter (sAMAccountName=kmvbu) [ldap1] object not found [ldap1] search failed [ldap1] ldap_release_conn: Release Id: 0 +++[ldap1] returns notfound ++- redundant-load-balance group redundant-load-balance returns notfound ++? if (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") [ldap3] Entering ldap_groupcmp() expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local expand: %{Stripped-User-Name} -> ... expanding second conditional expand: %{User-Name} -> kmvbu expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=kmvbu) [ldap3] ldap_get_conn: Checking Id: 0 [ldap3] ldap_get_conn: Got Id: 0 [ldap3] attempting LDAP reconnection [ldap3] (re)connect to ldaps://testwdc3.test.local, authentication 0 [ldap3] setting TLS CACert File to /etc/freeradius/cacert.pem [ldap3] setting TLS Require Cert to demand [ldap3] bind as cn=Free RADIUS,cn=Users,dc=test,dc=local/abc321! to ldaps://testwdc3.test.local [ldap3] cn=Free RADIUS,cn=Users,dc=test,dc=local bind to ldaps://testwdc3.test.local failed: Can't contact LDAP server [ldap3] (re)connection attempt failed rlm_ldap::ldap_groupcmp: search failed [ldap3] ldap_release_conn: Release Id: 0 ? Evaluating (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") -> FALSE ++? if (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") -> FALSE [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ++[expiration] returns noop ++[logintime] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> kmvbu attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 160 to 192.168.72.11 port 52586 Finished request 14. Going to the next request Cleaning up request 10 ID 106 with timestamp +68 rad_recv: Access-Request packet from host 192.168.72.11 port 52586, id=61, length=54 User-Name = "aydps" User-Password = "cnx" NAS-IP-Address = 127.0.0.1 NAS-Port-Id = "0" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.72.11/auth-detail-20120419 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.72.11/auth-detail-20120419 [auth_log] expand: %t -> Thu Apr 19 13:06:05 2012 ++[auth_log] returns ok ++- entering redundant-load-balance group redundant-load-balance {...} [ldap2] performing user authorization for aydps [ldap2] expand: %{Stripped-User-Name} -> [ldap2] ... expanding second conditional [ldap2] expand: %{User-Name} -> aydps [ldap2] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=aydps) [ldap2] expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local [ldap2] ldap_get_conn: Checking Id: 0 [ldap2] ldap_get_conn: Got Id: 0 [ldap2] performing search in ou=Frankfurt,dc=test,dc=local, with filter (sAMAccountName=aydps) [ldap2] object not found [ldap2] search failed [ldap2] ldap_release_conn: Release Id: 0 +++[ldap2] returns notfound ++- redundant-load-balance group redundant-load-balance returns notfound ++? if (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") [ldap3] Entering ldap_groupcmp() expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local expand: %{Stripped-User-Name} -> ... expanding second conditional expand: %{User-Name} -> aydps expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=aydps) [ldap3] ldap_get_conn: Checking Id: 0 [ldap3] ldap_get_conn: Got Id: 0 [ldap3] attempting LDAP reconnection [ldap3] (re)connect to ldaps://testwdc3.test.local, authentication 0 [ldap3] setting TLS CACert File to /etc/freeradius/cacert.pem [ldap3] setting TLS Require Cert to demand [ldap3] bind as cn=Free RADIUS,cn=Users,dc=test,dc=local/abc321! to ldaps://testwdc3.test.local [ldap3] cn=Free RADIUS,cn=Users,dc=test,dc=local bind to ldaps://testwdc3.test.local failed: Can't contact LDAP server [ldap3] (re)connection attempt failed rlm_ldap::ldap_groupcmp: search failed [ldap3] ldap_release_conn: Release Id: 0 ? Evaluating (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") -> FALSE ++? if (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") -> FALSE [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ++[expiration] returns noop ++[logintime] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> aydps attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 61 to 192.168.72.11 port 52586 Finished request 15. Going to the next request Cleaning up request 11 ID 54 with timestamp +69 Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 192.168.72.11 port 52586, id=184, length=54 User-Name = "jiumn" User-Password = "qwdwmc" NAS-IP-Address = 127.0.0.1 NAS-Port-Id = "0" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.72.11/auth-detail-20120419 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.72.11/auth-detail-20120419 [auth_log] expand: %t -> Thu Apr 19 13:06:06 2012 ++[auth_log] returns ok ++- entering redundant-load-balance group redundant-load-balance {...} [ldap2] performing user authorization for jiumn [ldap2] expand: %{Stripped-User-Name} -> [ldap2] ... expanding second conditional [ldap2] expand: %{User-Name} -> jiumn [ldap2] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=jiumn) [ldap2] expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local [ldap2] ldap_get_conn: Checking Id: 0 [ldap2] ldap_get_conn: Got Id: 0 [ldap2] performing search in ou=Frankfurt,dc=test,dc=local, with filter (sAMAccountName=jiumn) [ldap2] object not found [ldap2] search failed [ldap2] ldap_release_conn: Release Id: 0 +++[ldap2] returns notfound ++- redundant-load-balance group redundant-load-balance returns notfound ++? if (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") [ldap3] Entering ldap_groupcmp() expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local expand: %{Stripped-User-Name} -> ... expanding second conditional expand: %{User-Name} -> jiumn expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=jiumn) [ldap3] ldap_get_conn: Checking Id: 0 [ldap3] ldap_get_conn: Got Id: 0 [ldap3] attempting LDAP reconnection [ldap3] (re)connect to ldaps://testwdc3.test.local, authentication 0 [ldap3] setting TLS CACert File to /etc/freeradius/cacert.pem [ldap3] setting TLS Require Cert to demand [ldap3] bind as cn=Free RADIUS,cn=Users,dc=test,dc=local/abc321! to ldaps://testwdc3.test.local [ldap3] cn=Free RADIUS,cn=Users,dc=test,dc=local bind to ldaps://testwdc3.test.local failed: Can't contact LDAP server [ldap3] (re)connection attempt failed rlm_ldap::ldap_groupcmp: search failed [ldap3] ldap_release_conn: Release Id: 0 ? Evaluating (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") -> FALSE ++? if (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") -> FALSE [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ++[expiration] returns noop ++[logintime] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> jiumn attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 184 to 192.168.72.11 port 52586 Finished request 16. Going to the next request Cleaning up request 12 ID 59 with timestamp +71 rad_recv: Access-Request packet from host 192.168.72.11 port 52586, id=86, length=55 User-Name = "anolpf" User-Password = "phxf" NAS-IP-Address = 127.0.0.1 NAS-Port-Id = "0" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.72.11/auth-detail-20120419 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.72.11/auth-detail-20120419 [auth_log] expand: %t -> Thu Apr 19 13:06:07 2012 ++[auth_log] returns ok ++- entering redundant-load-balance group redundant-load-balance {...} [ldap3] performing user authorization for anolpf [ldap3] expand: %{Stripped-User-Name} -> [ldap3] ... expanding second conditional [ldap3] expand: %{User-Name} -> anolpf [ldap3] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=anolpf) [ldap3] expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local [ldap3] ldap_get_conn: Checking Id: 0 [ldap3] ldap_get_conn: Got Id: 0 [ldap3] attempting LDAP reconnection [ldap3] (re)connect to ldaps://testwdc3.test.local, authentication 0 [ldap3] setting TLS CACert File to /etc/freeradius/cacert.pem [ldap3] setting TLS Require Cert to demand [ldap3] bind as cn=Free RADIUS,cn=Users,dc=test,dc=local/abc321! to ldaps://testwdc3.test.local [ldap3] cn=Free RADIUS,cn=Users,dc=test,dc=local bind to ldaps://testwdc3.test.local failed: Can't contact LDAP server [ldap3] (re)connection attempt failed [ldap3] search failed [ldap3] ldap_release_conn: Release Id: 0 +++[ldap3] returns fail [ldap1] performing user authorization for anolpf [ldap1] expand: %{Stripped-User-Name} -> [ldap1] ... expanding second conditional [ldap1] expand: %{User-Name} -> anolpf [ldap1] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=anolpf) [ldap1] expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local [ldap1] ldap_get_conn: Checking Id: 0 [ldap1] ldap_get_conn: Got Id: 0 [ldap1] performing search in ou=Frankfurt,dc=test,dc=local, with filter (sAMAccountName=anolpf) [ldap1] object not found [ldap1] search failed [ldap1] ldap_release_conn: Release Id: 0 +++[ldap1] returns notfound ++- redundant-load-balance group redundant-load-balance returns notfound ++? if (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") [ldap3] Entering ldap_groupcmp() expand: ou=Frankfurt,dc=test,dc=local -> ou=Frankfurt,dc=test,dc=local expand: %{Stripped-User-Name} -> ... expanding second conditional expand: %{User-Name} -> anolpf expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=anolpf) [ldap3] ldap_get_conn: Checking Id: 0 [ldap3] ldap_get_conn: Got Id: 0 [ldap3] attempting LDAP reconnection [ldap3] (re)connect to ldaps://testwdc3.test.local, authentication 0 [ldap3] setting TLS CACert File to /etc/freeradius/cacert.pem [ldap3] setting TLS Require Cert to demand [ldap3] bind as cn=Free RADIUS,cn=Users,dc=test,dc=local/abc321! to ldaps://testwdc3.test.local [ldap3] cn=Free RADIUS,cn=Users,dc=test,dc=local bind to ldaps://testwdc3.test.local failed: Can't contact LDAP server [ldap3] (re)connection attempt failed rlm_ldap::ldap_groupcmp: search failed [ldap3] ldap_release_conn: Release Id: 0 ? Evaluating (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") -> FALSE ++? if (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") -> FALSE [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ++[expiration] returns noop ++[logintime] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> anolpf attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 86 to 192.168.72.11 port 52586 Finished request 17. Going to the next request Cleaning up request 13 ID 11 with timestamp +72 Waking up in 0.9 seconds. Cleaning up request 14 ID 160 with timestamp +73 Waking up in 1.0 seconds. Cleaning up request 15 ID 61 with timestamp +75 Waking up in 1.0 seconds. Cleaning up request 16 ID 184 with timestamp +76 Waking up in 1.9 seconds. Cleaning up request 17 ID 86 with timestamp +77 Ready to process requests.
Tobias Hachmer wrote:
During FreeRADIUS performance test as described in /usr/share/doc/freeradius/performance-testing.gz I noticed that FR does for the ldap-group query above (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") no load-balancing or fall-through to other ldap modules. Every time only ldap module ldap3 is taken to do this ldap-group query.
That's how it works. The LDAP-Group queries are not load balanced.
Why FR doesn't load balance for this ldap-query?
Because the code to do it hasn't been written. Feel free to submit a patch. Alan DeKok.
Am 19.04.2012 13:44, schrieb Alan DeKok:
Tobias Hachmer wrote:
During FreeRADIUS performance test as described in /usr/share/doc/freeradius/performance-testing.gz I noticed that FR does for the ldap-group query above (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") no load-balancing or fall-through to other ldap modules. Every time only ldap module ldap3 is taken to do this ldap-group query.
That's how it works. The LDAP-Group queries are not load balanced.
Hmm, but then there is no big benefit instantiating multiple ldap modules inside a redundant-load-balance group. I recognized that the last referred module inside the group is taken to do the query. Can I affect this in a different way as changing the order?
Why FR doesn't load balance for this ldap-query?
Because the code to do it hasn't been written.
Feel free to submit a patch.
I would if I could, but I have no advanced know-how to any programming language, sorry. Regards, Tobias Hachmer
-----Original Message----- Tobias Hachmer
Am 19.04.2012 13:44, schrieb Alan DeKok:
Tobias Hachmer wrote:
During FreeRADIUS performance test as described in /usr/share/doc/freeradius/performance-testing.gz I noticed that FR does for the ldap-group query above (Ldap-Group == "cn=radius.users,ou=Groups,dc=test,dc=local") no load-balancing or fall-through to other ldap modules. Every time only ldap module ldap3 is taken to do this ldap-group query.
That's how it works. The LDAP-Group queries are not load balanced.
Hmm, but then there is no big benefit instantiating multiple ldap modules inside a redundant-load-balance group. I recognized that the last referred module inside the group is taken to do the query. Can I affect this in a different way as changing the order?
Create a single RRDNS entry for your LDAP servers and use a single LDAP definition. The DNS name(s) in the LDAP definition is sent to directly to the underlying LDAP library and should be looked up for each connection instantiated; FreeRADIUS does not resolve it internally before use, even when using LDAPS. You can also enter the RRDNS entry multiple times in a space separated string, which should allow for statistically probable failover, e.g.: ldap rrdns_ldap { # If 1/2 servers are down this should only fail 1/8th of the time server = "ldap.rrnds.site ldap.rrdns.site ldap.rrdns.site" ... } (Whether that works may depend on the internal implementation of the LDAP libraries and/or the way DNS is set up on the server on which FreeRADIUS is running.) This all assumes there are no differences in the schema used between the servers, though.
Am 19.04.2012 15:46, schrieb Brian Julin:
Create a single RRDNS entry for your LDAP servers and use a single LDAP definition. The DNS name(s) in the LDAP definition is sent to directly to the underlying LDAP library and should be looked up for each connection instantiated; FreeRADIUS does not resolve it internally before use, even when using LDAPS.
You can also enter the RRDNS entry multiple times in a space separated string, which should allow for statistically probable failover, e.g.:
ldap rrdns_ldap { # If 1/2 servers are down this should only fail 1/8th of the time server = "ldap.rrnds.site ldap.rrdns.site ldap.rrdns.site" ... }
Thanks for that suggestion. Sounds quite simple to achieve fail-over for ldap-queries. But I have one problem when I enter my ldap servers like you mentioned because the common name in the ldap server certificate won't match the new defined dns name. I will test this scenario with the following configuration: server = "ldap1.test.local ldap2.test.local ldap3.test.local" Perhaps I can still use multiple ldap modules and adapt only the server directive of the last ldap module (or all ldap modules) in redundant-load-balance group to the format you have mentioned. I will test it tomorrow. Thanks for this idea! Regards, Tobias Hachmer
Thanks for that suggestion. Sounds quite simple to achieve fail-over for ldap-queries. But I have one problem when I enter my ldap servers like you mentioned because the common name in the ldap server certificate won't match the new defined dns name.
I will test this scenario with the following configuration:
server = "ldap1.test.local ldap2.test.local ldap3.test.local"
Perhaps I can still use multiple ldap modules and adapt only the server directive of the last ldap module (or all ldap modules) in redundant-load-balance group to the format you have mentioned. I will test it tomorrow.
Thanks for this idea!
Regards,
Tobias Hachmer
Just recently, I switched over from using a single openldap server to using a pair of multi-master openldap servers that sit behind a third server running haproxy. There also a fourth server also running haproxy and keepalived to take over for the first haproxy server should it fail. I then have my radius server doing its ldap queries through the haproxy so that if either of the ldap servers go down, all queries will be automatically redirected to the other ldap server. This setup has been working quite well so far for radius and for other products that don't handle redundant ldap servers well. Brian
Tobias Hachmer wrote:
Am 19.04.2012 15:46, schrieb Brian Julin:
Create a single RRDNS entry for your LDAP servers and use a single LDAP definition. The DNS name(s) in the LDAP definition is sent to directly to the underlying LDAP library and should be looked up for each connection instantiated; FreeRADIUS does not resolve it internally before use, even when using LDAPS.
You can also enter the RRDNS entry multiple times in a space separated string, which should allow for statistically probable failover, e.g.:
ldap rrdns_ldap { # If 1/2 servers are down this should only fail 1/8th of the time server = "ldap.rrnds.site ldap.rrdns.site ldap.rrdns.site" ... }
Thanks for that suggestion. Sounds quite simple to achieve fail-over for ldap-queries. But I have one problem when I enter my ldap servers like you mentioned because the common name in the ldap server certificate won't match the new defined dns name.
Yes we use a certificate with alternate names for this. Not sure what the tweaking options are as far as OpenLDAP's certificate verification process...
I will test this scenario with the following configuration:
server = "ldap1.test.local ldap2.test.local ldap3.test.local"
The OpenLDAP documentation states that space separated host lists are tried in order, so this would always use ldap1, unless the ldap1 host lookup failed. (An utter hack, if you are locked into the certs you have, would be to cause it to fail occasionally on purpose using iptables.)
Perhaps I can still use multiple ldap modules and adapt only the server directive of the last ldap module (or all ldap modules) in redundant-load-balance group to the format you have mentioned.
I don't see why this would not work; and should allow the initial (non-xlat, non-ldap-group) queries to balance more granularly.
participants (4)
-
Alan DeKok -
Brian Gold -
Brian Julin -
Tobias Hachmer