Some users can't login after upgrade!
The configuration I had was FreeRADIUS 1.1.4 running on NetBSD_3.0 (STABLE) authenticating to Novell eDirectory using LDAP. All was fine... I upgraded to FreeRADIUS 1.1.7 and all seemed OK, until two of my users found they can no longer login to the Cisco VPN3000 which uses this RADIUS. The log files simply show: Tue Nov 6 15:06:40 2007 : Auth: Login incorrect: [<user>] (from client vpn3000 port 13712 cli X.X.X.X) We also use RADIUS with EZProxy. I used a spare EZProxy test box and asked the user to login using that, failed with 1.1.7 RADIUS, changed it to use a spare 1.1.4 server and they could login! User names are alphabetic only and less than 8 characters, passwords are alpha-numeric only and 8 characters. I am reasonably new to RADIUS and cannot figure out why these two users are being singled out! I thought at first it might be because we have "edir_account_policy_check=yes" and that given the ChangeLog for 1.1.7 says "Added more eDirectory support.", and the two users possibly have extra attributes as they are sysadmins, that something was being checked that was not with 1.1.4 and that was preventing login. However later in radiusd.conf in the post-auth section the LDAP server entries are commented out. and it says: # Un-comment the following if you have set # 'edir_account_policy_check = yes' in the ldap module sub-section of # the 'modules' section. So does this mean this feature is not in operation? Has anyone any ideas where I should start looking? Thanks. --------------- Barry Dean Networks Team University of Liverpool
Dean, Barry wrote:
We also use RADIUS with EZProxy. I used a spare EZProxy test box and asked the user to login using that, failed with 1.1.7 RADIUS, changed it to use a spare 1.1.4 server and they could login!
Can you post the output of debugging mode for 1.1.4 where it works, and 1.1.7 where it doesn't, all for the same user? Alan DeKok.
The debug output (private data masked) can be picked up from: Version 1.1.4 (Works): http://pcwww.liv.ac.uk/~bvd/radius/114.txt Version 1.1.7 (Broken): http://pcwww.liv.ac.uk/~bvd/radius/117.txt They are reasonably long so I did not want to post them as a long email! My reading of them indicates that the eDirectory returns a "NOT OK" to 1.1.7 and an "OK" to 1.1.4 for the same user account! The debug traces contained the password, so I was able to check it was the same, it was. --------------- Barry Dean Networks Team -----Original Message----- From: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] On Behalf Of Alan DeKok Sent: 08 November 2007 16:21 To: FreeRadius users mailing list Subject: Re: Some users can't login after upgrade! Dean, Barry wrote:
We also use RADIUS with EZProxy. I used a spare EZProxy test box and asked the user to login using that, failed with 1.1.7 RADIUS, changed it to use a spare 1.1.4 server and they could login!
Can you post the output of debugging mode for 1.1.4 where it works, and 1.1.7 where it doesn't, all for the same user? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Dean, Barry wrote:
The debug output (private data masked) can be picked up from:
Version 1.1.4 (Works): http://pcwww.liv.ac.uk/~bvd/radius/114.txt Version 1.1.7 (Broken): http://pcwww.liv.ac.uk/~bvd/radius/117.txt
They are reasonably long so I did not want to post them as a long email!
My reading of them indicates that the eDirectory returns a "NOT OK" to 1.1.7 and an "OK" to 1.1.4 for the same user account!
Novell contributed a patch to allow changing the eDirectory NMAS authentication option. In the source, they look for "<No Default>". In the debug logs you provide, eDirectory returns "------No default------". Try changinging "sasDefaultLoginSequence" to "<No Default>" for the user. In short, the Novell patch doesn't seem to agree with the behavior of Novell's eDirectory server. Alan DeKok.
Our Novell experts have looked into the LDAP database and found that the affected accounts do indeed have the sasDefaultLoginSequence attribute, in fact only a handful of accounts have it. They are testing now. I will let you all know what happens. --------------- Barry Dean Networks Team -----Original Message----- From: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] On Behalf Of Alan DeKok Sent: 09 November 2007 15:11 To: FreeRadius users mailing list Subject: Re: Some users can't login after upgrade! Dean, Barry wrote:
The debug output (private data masked) can be picked up from:
Version 1.1.4 (Works): http://pcwww.liv.ac.uk/~bvd/radius/114.txt Version 1.1.7 (Broken): http://pcwww.liv.ac.uk/~bvd/radius/117.txt
They are reasonably long so I did not want to post them as a long email!
My reading of them indicates that the eDirectory returns a "NOT OK" to 1.1.7 and an "OK" to 1.1.4 for the same user account!
Novell contributed a patch to allow changing the eDirectory NMAS authentication option. In the source, they look for "<No Default>". In the debug logs you provide, eDirectory returns "------No default------". Try changinging "sasDefaultLoginSequence" to "<No Default>" for the user. In short, the Novell patch doesn't seem to agree with the behavior of Novell's eDirectory server. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
This fixed the problem for these users. Thanks to the list, and special thanks to Alan for solving this. --------------- Barry Dean Networks Team -----Original Message----- From: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] On Behalf Of Dean, Barry Sent: 13 November 2007 09:31 To: FreeRadius users mailing list Subject: RE: Some users can't login after upgrade! Our Novell experts have looked into the LDAP database and found that the affected accounts do indeed have the sasDefaultLoginSequence attribute, in fact only a handful of accounts have it. They are testing now. I will let you all know what happens. --------------- Barry Dean Networks Team -----Original Message----- From: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] On Behalf Of Alan DeKok Sent: 09 November 2007 15:11 To: FreeRadius users mailing list Subject: Re: Some users can't login after upgrade! Dean, Barry wrote:
The debug output (private data masked) can be picked up from:
Version 1.1.4 (Works): http://pcwww.liv.ac.uk/~bvd/radius/114.txt Version 1.1.7 (Broken): http://pcwww.liv.ac.uk/~bvd/radius/117.txt
They are reasonably long so I did not want to post them as a long email!
My reading of them indicates that the eDirectory returns a "NOT OK" to 1.1.7 and an "OK" to 1.1.4 for the same user account!
Novell contributed a patch to allow changing the eDirectory NMAS authentication option. In the source, they look for "<No Default>". In the debug logs you provide, eDirectory returns "------No default------". Try changinging "sasDefaultLoginSequence" to "<No Default>" for the user. In short, the Novell patch doesn't seem to agree with the behavior of Novell's eDirectory server. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Dean, Barry