Re: Freeradius-Users Digest, Vol 241, Issue 34
Hello Alan, I don't know how I missed this but the solution to my problem was very straight forward. Quick recap, we have a FreeRADIUS v3.0.21 configured for EAP-TTLS/PAP with OpenLDAP. I had an issue where if a user miss spelled their username ldap could not find the user and thus didn't return a "known good" for pap, resulting ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject This message was then logged to radius.log because we use auth = yes in radius.conf for logging (no custom linelogs for us), it made trouble shooting longer than it needed to be. We wanted to log a custom message in the inner-tunnel Post-Auth-Type Reject, if ldap returned notfound. I added the following to our inner-tunnel authorize stanza, turns out I just had to update the &request:Module-Failure-Message with my message. -ldap if (notfound){ update control { &request:Module-Failure-Message := "[ldap] user not found" } } Now I get the custom message when a user tries to login with a wrong username, without any custom linelogs or extra outputs to the radius.log file. Login incorrect ([ldap] user not found): [johndo@lab.local] (from client localhost port 0 cli 02-00-00-00-00-01 via TLS tunnel) Thanks for the tip ! Thomas On Wed, May 28, 2025 at 2:00 PM <freeradius-users-request@lists.freeradius.org> wrote:
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit https://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. LDAP and module messages (Alan DeKok)
----------------------------------------------------------------------
Message: 1 Date: Tue, 27 May 2025 13:14:00 -0400 From: Alan DeKok <aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: LDAP and module messages Message-ID: <D812D7AD-AB1F-4511-A528-C941750391D8@deployingradius.com> Content-Type: text/plain; charset=utf-8
On May 27, 2025, at 11:15?AM, thomas <thomas.nodon@gmail.com> wrote:
I believe in v2, it was due to our config, which set Auth-Type to ldap, and since it failed to retrieve a non existent user from ldap it would log the ldap failure error.
For our new config, we refrained from setting the Auth-Type to ldap as recommended by the documentation.
In most cases, the LDAP server can be queried, and can return the password to FreeRADIUS.
If the LDAP server can't (or won't) do that, then you have to set Auth-Type to LDAP.
I could not find which attribute/variable to update with my message, since there is no failure in the authorize santza.
You can add an attribute to raddb/dictionary, and then set a value in an "update" section.
For now I have made the following linelog.
linelog log_ldap_user_notfound { filename = ${logdir}/radius.log permissions = 0640 format = "%t : Login incorrect: (ldap: user %{User-Name} not found) Client-Mac = %{Calling-Station-Id}" }
And added the following in the authorize santza after ldap.
ldap if (notfound){ log_ldap_user_notfound }
That works, too.
But this outputs an extra line in the radius.log since we use the auth = yes radius.conf.
If there is better way to do this let know, in the mean time if I find a better solution I will post it to the mailing list.
See raddb/radiusd.conf, and the "log" section. You can edit the "msg_goodpass" configuration item to include more text, or another attribute.
Alan DeKok.
------------------------------
Subject: Digest Footer
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------
End of Freeradius-Users Digest, Vol 241, Issue 34 *************************************************
participants (1)
-
thomas