i don't know if this was asked before but here it goes : we are currently using FreeRADIUS Version 1.1.1 that authenticates local users via LDAP I am trying to setup an IPASS realm for another company and can't get any success .. here is what i have done so far: i have the following in radiusd.conf realm IPASS { format = prefix delimiter = "/" ignore_default = yes ignore_null = yes } i also uncommented IPASS in authorize and preacct and this is what i have in proxy.conf realm IPASS { type = radius authhost = server.ip.here:1812 accthost = server.ip.here:1813 secret = **** retry_delay = 10 retry_count = 3 dead_time = 1 nostrip } realm NULL { type = radius authhost = LOCAL accthost = LOCAL } this what i get when i run radiusd in debug : rad_recv: Access-Request packet from host nas.ip.address:1645, id=82, length=168 Framed-Protocol = PPP User-Name = "IPASS/user@company.com" User-Password = "somepassword" Called-Station-Id = "5143174746" Calling-Station-Id = "5148776026" Cisco-NAS-Port = "Async1/8/97" NAS-Port = 3013 NAS-Port-Type = Async Service-Type = Framed-User NAS-IP-Address = nas.ip.address Acct-Session-Id = "0017A2FD" NAS-Identifier = "NAS01.MTLCNDS." rlm_ldap: Entering ldap_groupcmp() rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: object not found or got ambiguous search result rlm_ldap::ldap_groupcmp: search failed rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: Entering ldap_groupcmp() rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: object not found or got ambiguous search result rlm_ldap::ldap_groupcmp: search failed rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for IPASS/user@company.com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 Sending Access-Reject of id 82 to 206.80.253.252 port 1645 i am sure i am missing something .. if i understand radius is trying to validate it in LDAP before sending the proxy request to the other server any help would be very appreciated thanks seb
You should also uncommed or add IPASS under authorizes section and preacct section. Good luck! ----- Original Message ---- From: Sebastien Boucher <cannibalist@gmail.com> To: freeradius-users@lists.freeradius.org Sent: Thursday, March 26, 2009 12:05:22 AM Subject: proxy questions i don't know if this was asked before but here it goes : we are currently using FreeRADIUS Version 1.1.1 that authenticates local users via LDAP I am trying to setup an IPASS realm for another company and can't get any success .. here is what i have done so far: i have the following in radiusd.conf realm IPASS { format = prefix delimiter = "/" ignore_default = yes ignore_null = yes } i also uncommented IPASS in authorize and preacct and this is what i have in proxy.conf realm IPASS { type = radius authhost = server.ip.here:1812 accthost = server.ip.here:1813 secret = **** retry_delay = 10 retry_count = 3 dead_time = 1 nostrip } realm NULL { type = radius authhost = LOCAL accthost = LOCAL } this what i get when i run radiusd in debug : rad_recv: Access-Request packet from host nas.ip.address:1645, id=82, length=168 Framed-Protocol = PPP User-Name = "IPASS/user@company.com" User-Password = "somepassword" Called-Station-Id = "5143174746" Calling-Station-Id = "5148776026" Cisco-NAS-Port = "Async1/8/97" NAS-Port = 3013 NAS-Port-Type = Async Service-Type = Framed-User NAS-IP-Address = nas.ip.address Acct-Session-Id = "0017A2FD" NAS-Identifier = "NAS01.MTLCNDS." rlm_ldap: Entering ldap_groupcmp() rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: object not found or got ambiguous search result rlm_ldap::ldap_groupcmp: search failed rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: Entering ldap_groupcmp() rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: object not found or got ambiguous search result rlm_ldap::ldap_groupcmp: search failed rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for IPASS/user@company.com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 Sending Access-Reject of id 82 to 206.80.253.252 port 1645 i am sure i am missing something .. if i understand radius is trying to validate it in LDAP before sending the proxy request to the other server any help would be very appreciated thanks seb - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sebastien Boucher wrote:
we are currently using FreeRADIUS Version 1.1.1 that authenticates local users via LDAP
Um... upgrade. Really.
I am trying to setup an IPASS realm for another company and can't get any success .. here is what i have done so far:
i have the following in radiusd.conf
... realm configuration
this what i get when i run radiusd in debug : ... rlm_ldap: object not found or got ambiguous search result
Ok... so you've showed us the realm configuration, and are then asking why the LDAP module doesn't work.
i am sure i am missing something .. if i understand radius is trying to validate it in LDAP before sending the proxy request to the other server
Yes. That's what you configured it to do. If you don't want it to look up the user in LDAP, update the configuration so that it doesn't look them up in LDAP. This is easy to do in 2.x. Alan DeKok.
thanks for your answer alan, i do want our users to be authenticated by LDAP ( and it works fine ) .. but my question now is where do i change the config to tell it not to use ldap for the IPASS realm or what document or man page do i need to read. it is definitively in our plans to upgrade to 2.x in the near future seb On Wed, Mar 25, 2009 at 12:47 PM, Alan DeKok <aland@deployingradius.com> wrote:
Sebastien Boucher wrote:
we are currently using FreeRADIUS Version 1.1.1 that authenticates local users via LDAP
Um... upgrade. Really.
I am trying to setup an IPASS realm for another company and can't get any success .. here is what i have done so far:
i have the following in radiusd.conf
... realm configuration
this what i get when i run radiusd in debug : ... rlm_ldap: object not found or got ambiguous search result
Ok... so you've showed us the realm configuration, and are then asking why the LDAP module doesn't work.
i am sure i am missing something .. if i understand radius is trying to validate it in LDAP before sending the proxy request to the other server
Yes. That's what you configured it to do. If you don't want it to look up the user in LDAP, update the configuration so that it doesn't look them up in LDAP.
This is easy to do in 2.x.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sebastien Boucher wrote:
thanks for your answer alan,
i do want our users to be authenticated by LDAP ( and it works fine ) .. but my question now is where do i change the config to tell it not to use ldap for the IPASS realm or what document or man page do i need to read.
In 2.1, the "unlang" manual page explains how to conditionally call modules. Alan DeKok.
thanks !! unfortunately i was not the one who installed our current freeradius and i have to add that i am quickly learning how to use it :) i installed v2.x on another server works like a charm .. but i have to make it work on the current one for the moment, would adding an entry in the users file help ? thanks again seb On Wed, Mar 25, 2009 at 1:17 PM, Alan DeKok <aland@deployingradius.com> wrote:
Sebastien Boucher wrote:
thanks for your answer alan,
i do want our users to be authenticated by LDAP ( and it works fine ) .. but my question now is where do i change the config to tell it not to use ldap for the IPASS realm or what document or man page do i need to read.
In 2.1, the "unlang" manual page explains how to conditionally call modules.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
unfortunately i was not the one who installed our current freeradius and i have to add that i am quickly learning how to use it :)
i installed v2.x on another server works like a charm .. but i have to make it work on the current one for the moment, would adding an entry in the users file help ?
In old version you had to make Autz-Types and force them in users file. It's nowhere near what unlang can do. Ivan Kalik Kalik Informatika ISP
participants (4)
-
Alan DeKok -
piston -
Sebastien Boucher -
tnt@kalik.net