Hi all: I am running Freeradius 1.1.0 and am trying to get Ldap-Groups to work with EAP/PEAP/MSCHAPv2, but have been running into issues. I'm trying to permit authentication to a wireless SSID based on an LDAP group. Here is my configuration: Radiusd.conf: authorize{ preprocess auth_log files { notfound = return } eap redundant-load-balance { ldap1 ldap2 } authenticate { Auth-Type LDAP { redundant-load-balance { ldap1 ldap2 } Auth-Type EAP { eap } hints: DEFAULT Called-Station-Id =~ ".*:ssid" Called-Station-Id := "ssid" huntgroups: restrict Called-Station-Id == ssid all NAS-IP-Address == xxx users: DEFAULT Huntgroup-Name == restrict, Ldap-group == "cn=something,ou=something" DEFAULT Huntgroup-Name == all When I try to authenticate, the radius server receives about 7 Access-requests. Each time it receives one, the Radius server checks the LDAP store to verify that the user exists in the ldap group (is this normal? can this be reduced? 7 LDAP binds per authentication attempt seems high), and each module returns OK. On the 6th attempt though, it attempts to decode the EAP tunnel, and this happens: rlm_dap::ldap_groupcmp: User found in group cn=something,ou=something blah blah blah Processing the authenticate section blah blah blah rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - XXX rlm_eap_peap: Tunneled data is valid PEAP: Got tunneled identity of XXX PEAP: Setting default EAP type for tunneled EAP session PEAP: Setting User-Name to XXX Processing the authorize section modcall[authorize]: module "preprocess" returns ok for request 6 blah blah blah modcall[authorize]: module "auth_log" returns ok for request 6 modcall[authorize]: module "files" returns notfound for request 6 Notice that there is no additional call to ldap_group between the authorize and the resulting failure in the files module. Since I have set "files { notfound = return}," the user fails to authenticate despite being accepted 5 times previously with ldap_group. If I remove "notfound = return", the user can authenticate REGARDLESS of the ldap-group I set, even when ldap_group returns notfound. Is there something i'm missing in the configuration file? ____________________________________________________________________________________ Looking for last minute shopping deals? Find them fast with Yahoo! Search. http://tools.search.yahoo.com/newsearch/category.php?category=shopping
Brian Wilson wrote:
I am running Freeradius 1.1.0
Please upgrade to at least 1.1.7. It solves a lot of security issues, *and* helps with the problem you're seeing, too.
When I try to authenticate, the radius server receives about 7 Access-requests.
That's the way EAP works.
Notice that there is no additional call to ldap_group between the authorize and the resulting failure in the files module.
The *inner* tunnel session doesn't match a huntgroup.
Is there something i'm missing in the configuration file?
I would suggest trying 2.0. The new virtual server feature should make this configuration much simpler. The new "unlang" feature should also simplify the writing of policies. Alan DeKok.
hi, I'd like to add into this that if you upgrade to 2.0 then the EAP is simpler and quicker - and your LDAP wont get hit with each request. it'll only get the bare required outside and then the essential inner tunnel stuff. alan
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Brian Wilson