Greetings, I've been using the documentation here: http://wiki.freeradius.org/Virtual_server attempting to create 2 virtual servers on the same socket each associated with a client. I have already configured the ldap module, as well as added some lines to the users file. Before "virtualizing" I am able to authenticate my ldap users via radtest. Here's the config that works against LDAP, before trying to add to a virtual server: prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = /var/log/freeradius raddbdir = /etc/freeradius radacctdir = ${logdir}/radacct name = freeradius confdir = ${raddbdir} run_dir = ${localstatedir}/run/${name} db_dir = ${raddbdir} libdir = /usr/lib/freeradius pidfile = ${run_dir}/${name}.pid user = freerad group = freerad max_request_time = 30 cleanup_delay = 5 max_requests = 1024 listen { type = auth ipaddr = * port = 1812 } listen { ipaddr = * port = 1813 type = acct } client 192.168.1.0/24 { secret = testing123 } hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log { destination = files file = ${logdir}/radius.log syslog_facility = daemon stripped_names = yes auth = yes auth_badpass = yes auth_goodpass = no msg_goodpass = "Great Success!" msg_badpass = "I'm sorry but you appear to have entered a incorrect password or you may not be authorized to access this equipment" } checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = yes } proxy_requests = yes $INCLUDE proxy.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { $INCLUDE ${confdir}/modules/ $INCLUDE eap.conf } instantiate { exec expr expiration logintime } $INCLUDE policy.conf $INCLUDE sites-enabled/ ...And the output from a test in debug mode (edited out passwords and password hashes): [ldap] Entering ldap_groupcmp() [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] ldap_release_conn: Release Id: 0 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 rlm_ldap::ldap_groupcmp: User found in group NOC [ldap] ldap_release_conn: Release Id: 0 [ldap] performing user authorization for cjohnson [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] sambaNtPassword -> NT-Password == 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX [ldap] sambaLmPassword -> LM-Password == 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX [ldap] looking for reply items in directory... [ldap] Setting Auth-Type = LDAP [ldap] user cjohnson authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 [ldap] login attempt by "cjohnson" with password "s3cret" [ldap] user DN: uid=cjohnson,ou=Users,dc=corp,dc=example,dc=com [ldap] (re)connect to 192.168.1.99:389, authentication 1 [ldap] bind as uid=cjohnson,ou=Users,dc=corp,dc=example,dc=com/s3cret to 192.168.1.99:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] user cjohnson authenticated succesfully Login OK: [cjohnson] (from client 192.168.1.0/24 port 0) Great Success! Waking up in 4.0 seconds. Here's the changes I made to the config, attempting to add current setup to virtual server "server_one": ... listen { type = auth ipaddr = * port = 1812 } listen { ipaddr = * port = 1813 type = acct } client 192.168.1.0/24 { virtual_server = server_one secret = testing123 } server server_one { } ... The rest of the config is the same. The server will start, but now I can't see my LDAP users, heres the log entry: server server_one { Login incorrect: [cjohnson/s3cret] (from client 192.168.1.0/24 port 0) I'm sorry but you appear to have entered a incorrect password or you may not be authorized to access this equipment } # server server_one Is there something I need to put within server section? It's as if the ldap module and the users file aren't being referenced anymore. Any tips or references to complete examples where virtual servers are set up in this way? If someone could take a moment to point me in the right direction I would certainly appreciate it. Cory J
Cory Johnson wrote:
I have already configured the ldap module, as well as added some lines to the users file. Before "virtualizing" I am able to authenticate my ldap users via radtest.
FreeRADIUS *ships* with multiple virtual servers enabled. It's already "virtualized".
Here's the config that works against LDAP, before trying to add to a virtual server:
If it works, please don't post the configuration.
...And the output from a test in debug mode (edited out passwords and password hashes):
Again, if it works, there's no need to post the debug output, because there is nothing to debug.
Here's the changes I made to the config, attempting to add current setup to virtual server "server_one": ... server server_one { }
Um... the virtual server needs to have *some* content. See the examples on the Wiki page. See raddb/sites-available/inner-tunnel. See the other virtual servers in raddb/sites-available.
The rest of the config is the same. The server will start, but now I can't see my LDAP users, heres the log entry: server server_one { Login incorrect: [cjohnson/s3cret] (from client 192.168.1.0/24 port 0) I'm sorry but you appear to have entered a incorrect password or you may not be authorized to access this equipment } # server server_one
Exactly. There is NOTHING inside of that virtual server.
Is there something I need to put within server section? It's as if the ldap module and the users file aren't being referenced anymore.
Yes. There is NOTHING inside of that virtual server.
Any tips or references to complete examples where virtual servers are set up in this way? If someone could take a moment to point me in the right direction I would certainly appreciate it.
The server SHIPS with 10+ examples of virtual servers. Go read them. Alan DeKok.
participants (2)
-
Alan DeKok -
Cory Johnson