Virtual Hosts conflicting
Hello all *My Goal*: PAP on legacy port 1645, CHAP on 1812 working simultaneously. *My Environment*: FreeRADIUS 2.0.0-pre2, LDAP user database, MySQL Accounting. *Problem*: I'm running a virtual host for each AUTH port. Each works fine when placed in sites-enabled individually but my CHAP virtualhost fails when both are enabled. The vhost listening on 1812 appears to be referencing an LDAP module that is not listed in it's server{ ... } block. You will see "ou=Dialup" in the debugging output below of a CHAP request to 1812 that is only contained in the legacy PAP vhost. Any ideas are appreciated!! I have 4 LDAP servers configured, two point to a different OU on the same servers for legacy PAP users. Is there maybe a way to change the basedn on the fly with NAS-IP-Address as the condition? This may be easier than sorting out my mess. Right now i'm differentiating requests using clients.conf: # CHAP NAS *client x.x.x.x { secret = test shortname = test nastype = other server = alexssa_dsl } *##################### # Stripped LDAP config # ##################### *ldap ldap01.alexssa.net { <snip> basedn = "ou=users,ou=radius,dc=alexssa,dc=net" ldap ldap02.alexssa.net { <snip> basedn = "ou=users,ou=radius,dc=alexssa,dc=net" ldap ldap01.alexssa.net_dialin { <snip> basedn = "ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net" } ldap ldap02.alexssa.net_dialin { <snip> basedn = "ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net" }* ############################## # Below is my DSL (CHAP) vhost # ############################## *server alexssa_dsl { listen { ipaddr = * port = 1812 type = auth } listen { ipaddr = * port = 1813 type = acct } authorize { if ("%{User-Name}" =~ /^([^@]+)@alexssa.net$/) { update request { Stripped-User-Name = "%{1}" } } preprocess auth_log files redundant-load-balance { ldap01.alexssa.net ldap02.alexssa.net } daily chap } authenticate { Auth-Type CHAP { chap } } # # Pre-accounting. Decide which accounting type to use. # preacct { preprocess acct_unique files } # # Accounting. Log the accounting data. # accounting { # acctdetail sql # daily radutmp attr_filter.accounting_response } # Session database, used for checking Simultaneous-Use. Either the radutmp # or rlm_sql module can handle this. # The rlm_sql module is *much* faster session { radutmp } # Post-Authentication # Once we KNOW that the user has been authenticated, there are # additional steps we can take. post-auth { Post-Auth-Type REJECT { attr_filter.access_reject } } } # dsl server block* ###################### # Dialin (PAP) vhost # ###################### *server alexssa_dialin { listen { ipaddr = * port = 1645 type = auth } listen { ipaddr = * port = 1646 type = acct } authorize { if ("%{User-Name}" =~ /^([^@]+)@alexssa.net$/) { update request { Stripped-User-Name = "%{1}" } } preprocess auth_log files redundant-load-balance { ldap01.alexssa.net_dialin ldap02.alexssa.net_dialin } daily pap } authenticate { Auth-Type PAP { pap } } # # Pre-accounting. Decide which accounting type to use. # preacct { preprocess acct_unique files } # # Accounting. Log the accounting data. # accounting { # acctdetail sql # daily dialup radutmp attr_filter.accounting_response } # Session database, used for checking Simultaneous-Use. Either the radutmp # or rlm_sql module can handle this. # The rlm_sql module is *much* faster session { radutmp } # Post-Authentication # Once we KNOW that the user has been authenticated, there are # additional steps we can take. post-auth { Post-Auth-Type REJECT { attr_filter.access_reject } }* } # dialin server block ####################################### # debugging output of CHAP request to 1812 # ####################################### Listening on authentication address * port 1812 as server alexssa_dsl Listening on accounting address * port 1813 as server alexssa_dsl Listening on authentication address * port 1645 as server alexssa_dialin Listening on accounting address * port 1646 as server alexssa_dialin Ready to process requests. Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 38.119.185.62 port 3563, id=15, length=63 User-Name = "1000copyme@alexssa.net" CHAP-Password = 0x0f4e646219d84c7c72d88e920c879d2a01 server alexssa_dsl { +- entering group authorize ++? if ("%{User-Name}" =~ /^([^@]+)@alexssa.net$/) expand: %{User-Name} -> 1000copyme@alexssa.net ? Evaluating ("%{User-Name}" =~ /^([^@]+)@alexssa.net$/) -> TRUE ++? if ("%{User-Name}" =~ /^([^@]+)@alexssa.net$/) -> TRUE ++- entering if ("%{User-Name}" =~ /^([^@]+)@alexssa.net$/) expand: %{1} -> 1000copyme +++[request] returns notfound ++- if ("%{User-Name}" =~ /^([^@]+)@alexssa.net$/) returns notfound ++[preprocess] returns ok expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/38.119.185.62/auth-detail-20080103 rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/38.119.185.62/auth-detail-20080103 expand: %t -> Thu Jan 3 15:19:46 2008 ++[auth_log] returns ok rlm_ldap: Entering ldap_groupcmp() expand: ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net -> ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net expand: %{Stripped-User-Name} -> 1000copyme expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=1000copyme) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap02.alexssa.net:389, authentication 0 rlm_ldap: bind as cn=xxxxx,dc=alexssa,dc=net/xxxxxx to ldap02.alexssa.net:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net, with filter (uid=1000copyme) rlm_ldap: object not found or got ambiguous search result rlm_ldap::ldap_groupcmp: search failed rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: Entering ldap_groupcmp() expand: ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net -> ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net expand: %{Stripped-User-Name} -> 1000copyme expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=1000copyme) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net, with filter (uid=1000copyme) rlm_ldap: object not found or got ambiguous search result rlm_ldap::ldap_groupcmp: search failed rlm_ldap: ldap_release_conn: Release Id: 0 users: Matched entry DEFAULT at line 16 ++[files] returns ok ++- entering redundant-load-balance group rlm_ldap: - authorize rlm_ldap: performing user authorization for 1000copyme@alexssa.net expand: %{Stripped-User-Name} -> 1000copyme expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=1000copyme) expand: ou=users,ou=radius,dc=alexssa,dc=net -> ou=users,ou=radius,dc=alexssa,dc=net rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap02.alexssa.net:389, authentication 0 rlm_ldap: bind as cn=xxxxx,dc=alexssa,dc=net/xxxxxx to ldap02.alexssa.net:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=users,ou=radius,dc=alexssa,dc=net, with filter (uid=1000copyme) rlm_ldap: looking for check items in directory... rlm_ldap: LDAP attribute userPassword as RADIUS attribute Cleartext-Password == "test1234" rlm_ldap: looking for reply items in directory... rlm_ldap: user 1000copyme@alexssa.net authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap02.alexssa.net] returns ok ++- redundant-load-balance group returns ok rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[daily] returns noop rlm_chap: WARNING: Auth-Type already set. Not setting to CHAP ++[chap] returns noop rad_check_password: Found Auth-Type Reject rad_check_password: Auth-Type = Reject, rejecting user auth: Failed to validate the user. Login incorrect: [1000copyme@alexssa.net/<CHAP-Password>] (from client test port 0) } # server alexssa_dsl Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> 1000copyme@alexssa.net attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Sending delayed reject for request 0 Sending Access-Reject of id 15 to 38.119.185.62 port 3563 Reply-Message = "Please call the helpdesk. Alexssa can be reached at 262-338-3742" Waking up in 4 seconds... Cleaning up request 0 ID 15 with timestamp +17 Nothing to do. Sleeping until we see a request. -- Nicholas Hall ngharo@gmail.com 262.208.6271
Nicholas Hall wrote:
*My Goal*: PAP on legacy port 1645, CHAP on 1812 working simultaneously.
All you need to do is to configure two "listen" sections. This can be done in 1.1.7. You don't need two virtual servers.
*My Environment*: FreeRADIUS 2.0.0-pre2, LDAP user database, MySQL Accounting.
Please don't use -pre2. I'll be removing it from the web site soon, as we plan on releasing 2.0.0 within a *very* short while. i.e. grab a copy of the source from CVS, and use that.
*Problem*: I'm running a virtual host for each AUTH port. Each works fine when placed in sites-enabled individually but my CHAP virtualhost fails when both are enabled. The vhost listening on 1812 appears to be referencing an LDAP module that is not listed in it's server{ ... } block. You will see "ou=Dialup" in the debugging output below of a CHAP request to 1812 that is only contained in the legacy PAP vhost. Any ideas are appreciated!!
Please read the *entire* debug log. It's not just doing an LDAP query at random. It's doing an LDAP query because you're using the LDAP-Group attribute in line 16 of the "users" file. If you don't want a virtual server to do LDAP lookups, don't configure it to use the LDAP-Group attribute. Alan DeKok.
On Jan 3, 2008 3:31 PM, Alan DeKok <aland@deployingradius.com> wrote:
Nicholas Hall wrote:
*My Goal*: PAP on legacy port 1645, CHAP on 1812 working simultaneously.
All you need to do is to configure two "listen" sections. This can be done in 1.1.7. You don't need two virtual servers.
The problem is that my PAP users are in a different location in LDAP. This is why I created two more instances of the LDAP module pointing to a different basedn.
*My Environment*: FreeRADIUS 2.0.0-pre2, LDAP user database, MySQL Accounting.
Please don't use -pre2. I'll be removing it from the web site soon, as we plan on releasing 2.0.0 within a *very* short while. i.e. grab a copy of the source from CVS, and use that.
I'm actually running a CVS snapshot from a while back. It seems to be working fine -- my plan was to continue running it until 2.0.0 is released.
*Problem*: I'm running a virtual host for each AUTH port. Each works fine when placed in sites-enabled individually but my CHAP virtualhost fails when both are enabled. The vhost listening on 1812 appears to be referencing an LDAP module that is not listed in it's server{ ... } block. You will see "ou=Dialup" in the debugging output below of a CHAP request to 1812 that is only contained in the legacy PAP vhost. Any ideas are appreciated!!
Please read the *entire* debug log. It's not just doing an LDAP query at random. It's doing an LDAP query because you're using the LDAP-Group attribute in line 16 of the "users" file.
If you don't want a virtual server to do LDAP lookups, don't configure it to use the LDAP-Group attribute.
Thanks. Things are working after removing the LDAP-Group attribute. I'm not 100% sure why but for now I'm not going to worry about it! -- Nicholas Hall ngharo@gmail.com 262.208.6271
Please don't use -pre2. I'll be removing it from the web site soon, as we plan on releasing 2.0.0 within a *very* short while. i.e. grab a copy of the source from CVS, and use that. AH, now you tell me :) Just installed 2.0.0pre2 Is the HUP issues fixed? Just noticed it wasn't working, but didn't try CVS.
Hi,
Is the HUP issues fixed? Just noticed it wasn't working, but didn't try CVS.
the latest CVS handles HUP a lot better - various modules are now HUP friendly. why are you HUP'ing? what will HUP achieve that a service restart wont? how are you testing the config is sane before restarting the daemon with new information/config? alan
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Duane Cox -
Nicholas Hall