Dear freeradiuseers, I have my wireless network working great... PEAP supplicants are authenticated from either LDAP or MySQL and the appropriate Tunnel-Private-Group-ID is set to allocate the correct vlan. I also have a cisco VPN concentrator. I must only allow ldap users to authenticate to this. mysql users mustn't get a look in... I tried making a huntgroup in raddb/huntgroups... ciscovpnc NAS-IP-Address == 10.1.33.4 then in raddb/users... DEFAULT HuntGroup-Name == ciscovpnc Autz-Type = ldap however sql is still checked. Could some body shove me in the right direction.. Cheers Rob -- Rob Shepherd | Computer and Network Engineer | Technium CAST | LL57 4HJ rob@techniumcast.com | 01248 675024 | 077988 72480
Rob Shepherd <rob@techniumcast.com> wrote:
then in raddb/users...
DEFAULT HuntGroup-Name == ciscovpnc Autz-Type = ldap
Run the server in debugging mode. It will tell you that Autz-Type doesn't belong there. Read the "man" page for the "users" file./ Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Rob Shepherd wrote:
Dear freeradiuseers,
I have my wireless network working great... PEAP supplicants are authenticated from either LDAP or MySQL and the appropriate Tunnel-Private-Group-ID is set to allocate the correct vlan.
I also have a cisco VPN concentrator. I must only allow ldap users to authenticate to this. mysql users mustn't get a look in...
I tried making a huntgroup in raddb/huntgroups...
ciscovpnc NAS-IP-Address == 10.1.33.4
then in raddb/users...
DEFAULT HuntGroup-Name == ciscovpnc Autz-Type = ldap
however sql is still checked.
Could some body shove me in the right direction..
Cheers
Rob
TYPO! DEFAULT HuntGroup-Name == ciscovpnc Autz-Type := ldap ...is how it looks in raddb/user. Oh, and I tried various combos of Autz-Type ldap{ ldap } in authorize{ too. No joy. Thanks IA Rob -- Rob Shepherd | Computer and Network Engineer | Technium CAST | LL57 4HJ rob@techniumcast.com | 01248 675024 | 077988 72480
Rob Shepherd wrote: TYPO!
DEFAULT HuntGroup-Name == ciscovpnc Autz-Type := ldap
...is how it looks in raddb/user.
You need to put the Autz-Type on the first line as a check item. DEFAULT HuntGroup-Name == ciscovpnc, Autz-Type := ldap If I understand correctly, with the Autz-Type on the second line you are trying to set it as a reply item. However, Autz-Type is a server configuration attribute not a standard RADIUS attribute that a client (NAS) would understand, which is why you need to set it on the first line. I've been using a similar configuration for awhile, except we use multiple ldap modules and I also set Auth-Type as well as the Autz-Type.
Oh, and I tried various combos of
Autz-Type ldap{ ldap }
in authorize{ too. No joy.
This looks fine to me, probably just need to fix the DEFAULT line.
Garrett.Marks@wichita.edu wrote:
Rob Shepherd wrote: TYPO!
DEFAULT HuntGroup-Name == ciscovpnc Autz-Type := ldap
...is how it looks in raddb/user.
You need to put the Autz-Type on the first line as a check item.
DEFAULT HuntGroup-Name == ciscovpnc, Autz-Type := ldap
Thanks to Alan D. and Garret M. for their comments.. However , neither ldap nor sql are checked at all in any case now. I've not quite got it right.... I've since ditched declaring raddb/huntgroups, as a simplifying exercise. I'm checking for NAS-IP-Address instead in raddb/users. raddb/users now looks like this DEFAULT Auth-Type := PAP Fall-Through = yes # wlan controller - needs LDAP and MySQL DEFAULT NAS-IP-Address == 172.16.6.4, Autz-Type := LDMS Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Fall-Through = yes # vpn concentrator - only LDAP DEFAULT NAS-IP-Address == 10.1.33.4, Autz-Type := LDAP Fall-Through = yes radiusd has this.. authorize { preprocess eap mschap Autz-Type LDAP { ldap } Autz-Type LDMS { ldap sql } } The modules section is as it was when wireless was working. I can see with -X that the ldap and sql modules are instantiated fine. Here's the only processing that is done. Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 modcall: leaving group authorize (returns ok) for request 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. If anybody would be so kind as to point me in the right direction.... Thanks IA Rob -- Rob Shepherd | Computer and Network Engineer | Technium CAST | LL57 4HJ rob@techniumcast.com | 01248 675024 | 077988 72480
Rob Shepherd <rob@techniumcast.com> wrote:
If anybody would be so kind as to point me in the right direction....
The "authorize" section doesn't list "files. So... the debug log doesn't show it matching any entries in the "users" file. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Where is your "files" declaration in the authorize section? Do you see the server looking at your users file in the debug messages? If the users file is never processed, I don't think Autz-Type will be set as you intend. Try authorize { preprocess files eap mschap Autz-Type LDAP { ldap } Autz-Type LDMS { ldap sql } } Regards, Lin On 9/15/06, Rob Shepherd <rob@techniumcast.com> wrote:
Garrett.Marks@wichita.edu wrote:
Rob Shepherd wrote: TYPO!
DEFAULT HuntGroup-Name == ciscovpnc Autz-Type := ldap
...is how it looks in raddb/user.
You need to put the Autz-Type on the first line as a check item.
DEFAULT HuntGroup-Name == ciscovpnc, Autz-Type := ldap
Thanks to Alan D. and Garret M. for their comments..
However , neither ldap nor sql are checked at all in any case now. I've not quite got it right....
I've since ditched declaring raddb/huntgroups, as a simplifying exercise. I'm checking for NAS-IP-Address instead in raddb/users.
raddb/users now looks like this
DEFAULT Auth-Type := PAP Fall-Through = yes
# wlan controller - needs LDAP and MySQL DEFAULT NAS-IP-Address == 172.16.6.4, Autz-Type := LDMS Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Fall-Through = yes
# vpn concentrator - only LDAP DEFAULT NAS-IP-Address == 10.1.33.4, Autz-Type := LDAP Fall-Through = yes
radiusd has this..
authorize { preprocess eap mschap Autz-Type LDAP { ldap } Autz-Type LDMS { ldap sql } }
The modules section is as it was when wireless was working. I can see with -X that the ldap and sql modules are instantiated fine.
Here's the only processing that is done.
Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 modcall: leaving group authorize (returns ok) for request 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user.
If anybody would be so kind as to point me in the right direction....
Thanks IA
Rob
-- Rob Shepherd | Computer and Network Engineer | Technium CAST | LL57 4HJ rob@techniumcast.com | 01248 675024 | 077988 72480 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Lin Richardson wrote:
Where is your "files" declaration in the authorize section?
Yes of course. My authorize section missed out 'files' so raddb/users was never read. Thanks to Alan D. and Lin R. for pointing this out. Working great now... Thanks again. Rob -- Rob Shepherd | Computer and Network Engineer | Technium CAST | LL57 4HJ rob@techniumcast.com | 01248 675024 | 077988 72480
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Garrett.Marks@wichita.edu -
Lin Richardson -
Rob Shepherd