I want to add a checkitem from an ldap request and use it, when later the users file is processed. Therefore I added checkItem User-Category primaryGroupID to ldap.attrmap The users file contains nothing but: ###################################### HOST/lnxad.tde002.sitest.net User-Category != 515 Fall-Through = No, HOST/lnxad.tde002.sitest.net User-Category == 515 Fall-Through = No, HOST/lnxad.tde002.sitest.net Auth-Type := Reject ###################################### radiusd -AX : .... rlm_ldap: looking for check items in directory... ldap_get_values ldap_get_values ..... ldap_get_values rlm_ldap: Adding LDAP attribute primaryGroupID as RADIUS attribute User-Category == 515 ldap_get_values rlm_ldap: looking for reply items in directory... ldap_get_values ... ldap_get_values ldap_get_values rlm_ldap: Adding LDAP attribute primaryGroupID as RADIUS attribute User-Category = 515 ldap_get_values rlm_ldap: user HOST/lnxad.tde002.sitest.net authorized to use remote access ldap_msgfree rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap1" returns ok for request 0 users: Matched entry HOST/lnxad.tde002.sitest.net at line 12 This is the last entry of the users file with Auth-Type := Reject Neither of the entries containing the checkitem User-Category matches. Am I doing something wrong? Norbert Wegener
###################################### HOST/lnxad.tde002.sitest.net User-Category != 515 Fall-Through = No,
HOST/lnxad.tde002.sitest.net User-Category == 515 Fall-Through = No,
HOST/lnxad.tde002.sitest.net Auth-Type := Reject ######################################
If this is your users file, its incorrect. Notice the placement of commas. The check-items should be on one line seperated by commas. The reply items should be over multiple lines seperated by a comma, except for the last line. HOST/lnxad.tde002.sitest.net, User-Category != 515 Fall-Through = no HOST/lnxad.tde002.sitest.net, User-Category == 515 Fall-Through = no HOST/lnxad.tde002.sitest.net, Auth-Type := Reject
Dusty Doris wrote:
... If this is your users file, its incorrect. Notice the placement of commas. The check-items should be on one line seperated by commas. The reply items should be over multiple lines seperated by a comma, except for the last line.
HOST/lnxad.tde002.sitest.net, User-Category != 515 Fall-Through = no
HOST/lnxad.tde002.sitest.net, User-Category == 515 Fall-Through = no
HOST/lnxad.tde002.sitest.net, Auth-Type := Reject
I changed the users file as you recommended, the ldap.attrmap contains the additional line: checkItem User-Category primaryGroupID Unfortunately also in this case only the Reject entry matches, although the primaryGroupID seems to passed to User-Category: radiusd -AX ..... rlm_ldap: looking for check items in directory... ldap_get_values .... ldap_get_values rlm_ldap: Adding LDAP attribute primaryGroupID as RADIUS attribute User-Category == 515 ldap_get_values Any ideas, what's going wrong? Thanks Norbert
I changed the users file as you recommended, the ldap.attrmap contains the additional line:
checkItem User-Category primaryGroupID
Unfortunately also in this case only the Reject entry matches, although the primaryGroupID seems to passed to User-Category: radiusd -AX ..... rlm_ldap: looking for check items in directory... ldap_get_values .... ldap_get_values rlm_ldap: Adding LDAP attribute primaryGroupID as RADIUS attribute User-Category == 515 ldap_get_values
Did you get the second email I sent. I don't believe you can use that check item from ldap in the users file. Try the ldap-group options I sent over in the last email. That should work for you.
Dusty Doris wrote:
Did you get the second email I sent. I don't believe you can use that check item from ldap in the users file. Try the ldap-group options I sent over in the last email. That should work for you.
Thank you, I got it and already tried that attribute. The behaviour is a bit better, but does not really lead to the desired result, as the client gets an: Incoming RADIUS packet did not have correct Message-Authenticator - dropped With a users file: ############### DEFAULT Ldap-Group == "515", Auth-Type := Accept Framed-Type = Framed, Tunnel-Type:1 = VLAN, Tunnel-Medium-Type:1 = IEEE-802, Tunnel-Private-Group-ID:1 = 100 DEFAULT Auth-Type := Reject an ldap module: ldap ldap1 { server = "globalcatalogue" port = 3268 #global catalogue server identity = "testrad@TDE002.MYDOM.NET" password = "mypass" basedn = "dc=MYDOM,dc=NET" filter = "(&(servicePrincipalName=%{Stripped-User-Name:-%{User-Name}})(objectClass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" ldap_debug= 0xFFFF timeout = 40 timelimit = 30 net_timeout = 10 tls { start_tls = no } dictionary_mapping = ${raddbdir}/ldap.attrmap groupmembership_attribute = "primaryGroupID" } a files section of: files files1 { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users preproxy_usersfile = ${confdir}/preproxy_users compat = no } and an authorize section: authorize { preprocess eap ldap1 { notfound = reject } files1 { notfound = reject } } radiusd -AX gives me: .... .... rlm_ldap::ldap_groupcmp: User found in group 515 rlm_ldap: ldap_release_conn: Release Id: 0 users: Matched entry DEFAULT at line 1 modcall[authorize]: module "files1" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type Accept rad_check_password: Auth-Type = Accept, accepting the user Sending Access-Accept of id 0 to 149.246.133.44 port 32770 Tunnel-Type:1 = VLAN Tunnel-Medium-Type:1 = IEEE-802 Tunnel-Private-Group-Id:1 = "100" Finished request 0 Seems ok, but unfortunately on the other side, the result is not that good. Alan proposed eapol_test recently for testing of such connections(thank you, very usefull) and this tool shows me: ... Received RADIUS message RADIUS message: code=2 (Access-Accept) identifier=0 length=38 Attribute 64 (?Unknown?) length=6 Attribute 65 (?Unknown?) length=6 Attribute 81 (?Unknown?) length=6 STA 00:00:00:00:00:02: Received RADIUS packet matched with a pending request, round trip time 0.15 sec No Message-Authenticator attribute found Incoming RADIUS packet did not have correct Message-Authenticator - dropped STA 00:00:00:00:00:02: No RADIUS RX handler found (type=0 code=2 id=0) - dropping packet EAPOL: startWhen --> 0 EAPOL test timed out MPPE keys OK: 0 mismatch: 1 FAILURE Any idea?
Thank you, I got it and already tried that attribute. The behaviour is a bit better, but does not really lead to the desired result, as the client gets an: Incoming RADIUS packet did not have correct Message-Authenticator - dropped
Well, at least you've got the ldap part working. The message-authenticator shouldn't have anything to do with ldap. It has to do with the packet between the radius server and the nas.
Seems ok, but unfortunately on the other side, the result is not that good. Alan proposed eapol_test recently for testing of such connections(thank you, very usefull) and this tool shows me: ... Received RADIUS message RADIUS message: code=2 (Access-Accept) identifier=0 length=38 Attribute 64 (?Unknown?) length=6 Attribute 65 (?Unknown?) length=6 Attribute 81 (?Unknown?) length=6 STA 00:00:00:00:00:02: Received RADIUS packet matched with a pending request, round trip time 0.15 sec No Message-Authenticator attribute found Incoming RADIUS packet did not have correct Message-Authenticator - dropped STA 00:00:00:00:00:02: No RADIUS RX handler found (type=0 code=2 id=0) - dropping packet EAPOL: startWhen --> 0 EAPOL test timed out MPPE keys OK: 0 mismatch: 1 FAILURE
I can't help on this part. I'd start a new thread with that error, so the subject line might draw some attention from someone that can.
participants (2)
-
Dusty Doris -
Norbert Wegener