Migrating configuration. Users file
Hello, In my version 2 config I had a users file that was working fine. In my version 3 config I have moved the content of this file to mods-config/files/authorize My huntsgroup file is working, or at least I see Huntgroup-Name attribute in my Auth-Detail logging. there are a few things I don't see at the moment and they are all related to my users /authorize file: - User to group mappings. - Aruba attributes are not added to an authenticated user - Users in my users file (phones etc) are not able to authenticate. In version 2 I had use_tunneled_reply = yes in my config. In version 3 this is depricated and now I have to do something with update outer.session-state in my inner-tunnel config. In version 2 I had to add some information regarding groups to the /etc/raddb/dictionary file. This file is in my config tree, but I have the idea that it is not being accessed. What could I be missing? Attached is my radiusd -X output file. Jan Hugo Prins
Attachement was not inline. Lets just put it inline. FreeRADIUS Version 3.0.15 Copyright (C) 1999-2017 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/raddb/dictionary including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/mods-enabled/ including configuration file /etc/raddb/mods-enabled/mschap including configuration file /etc/raddb/mods-enabled/expiration including configuration file /etc/raddb/mods-enabled/attr_filter including configuration file /etc/raddb/mods-enabled/ldap including configuration file /etc/raddb/mods-enabled/realm including configuration file /etc/raddb/mods-enabled/eap including configuration file /etc/raddb/mods-enabled/detail including configuration file /etc/raddb/mods-enabled/logintime including configuration file /etc/raddb/mods-enabled/expr including configuration file /etc/raddb/mods-enabled/files including configuration file /etc/raddb/mods-enabled/cache including configuration file /etc/raddb/mods-enabled/exec including configuration file /etc/raddb/mods-enabled/digest including configuration file /etc/raddb/mods-enabled/pap including configuration file /etc/raddb/mods-enabled/date including configuration file /etc/raddb/mods-enabled/cache_eap including configuration file /etc/raddb/mods-enabled/detail.log including configuration file /etc/raddb/mods-enabled/radutmp including configuration file /etc/raddb/mods-enabled/chap including configuration file /etc/raddb/mods-enabled/ntlm_auth including configuration file /etc/raddb/mods-enabled/unix including configuration file /etc/raddb/mods-enabled/always including configuration file /etc/raddb/mods-enabled/preprocess including files in directory /etc/raddb/policy.d/ including configuration file /etc/raddb/policy.d/cui including configuration file /etc/raddb/policy.d/accounting including configuration file /etc/raddb/policy.d/debug including configuration file /etc/raddb/policy.d/policy.conf including configuration file /etc/raddb/policy.d/eap including configuration file /etc/raddb/policy.d/canonicalization including configuration file /etc/raddb/policy.d/operator-name including configuration file /etc/raddb/policy.d/dhcp including configuration file /etc/raddb/policy.d/filter including configuration file /etc/raddb/policy.d/control including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/betterbe main { security { user = "radiusd" group = "radiusd" allow_core_dumps = no } name = "radiusd" prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" } main { name = "radiusd" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } realm betterbe.com { nostrip } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client aruba01 { ipaddr = 172.30.20.47 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client pppoe { ipaddr = 172.30.20.48 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client radius01 { ipaddr = 172.30.20.16 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client radius02 { ipaddr = 172.30.20.17 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client infranode01 { ipaddr = 172.30.20.52 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client infranode02 { ipaddr = 172.30.20.53 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client tc03st01sw1 { ipaddr = 192.168.202.41 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client av140st01 { ipaddr = 192.168.202.40 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client tc03st02sw1 { ipaddr = 192.168.202.61 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client inframon01 { ipaddr = 172.30.20.10 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client inframon02 { ipaddr = 172.30.20.11 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client inframon03 { ipaddr = 172.30.20.18 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached # Creating Auth-Type = digest # Creating Auth-Type = eap # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP radiusd: #### Instantiating modules #### modules { # Loaded module rlm_mschap # Loading module "mschap" from file /etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no } # Loaded module rlm_expiration # Loading module "expiration" from file /etc/raddb/mods-enabled/expiration # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/raddb/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/raddb/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/raddb/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/raddb/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/raddb/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loaded module rlm_ldap # Loading module "betterbe" from file /etc/raddb/mods-enabled/ldap ldap betterbe { server = "ldap.svc.be.nl" sasl { } edir = no edir_autz = no user { scope = "sub" access_positive = yes sasl { } } group { filter = "(objectClass=posixGroup)" scope = "sub" name_attribute = "cn" membership_filter = "(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name}))" cacheable_name = no cacheable_dn = no } client { scope = "sub" base_dn = "" } profile { } options { ldap_debug = 0 chase_referrals = yes rebind = yes net_timeout = 1 res_timeout = 10 srv_timelimit = 3 idle = 60 probes = 3 interval = 3 } tls { start_tls = no } } Creating attribute betterbe-LDAP-Group # Loading module "tcwifi" from file /etc/raddb/mods-enabled/ldap ldap tcwifi { server = "ldap.svc.be.nl" sasl { } edir = no edir_autz = no user { scope = "sub" access_positive = yes sasl { } } group { filter = "(objectClass=posixGroup)" scope = "sub" name_attribute = "cn" membership_filter = "(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name}))" cacheable_name = no cacheable_dn = no } client { scope = "sub" base_dn = "" } profile { } options { ldap_debug = 0 chase_referrals = yes rebind = yes net_timeout = 1 res_timeout = 10 srv_timelimit = 3 idle = 60 probes = 3 interval = 3 } tls { start_tls = no } } Creating attribute tcwifi-LDAP-Group # Loaded module rlm_realm # Loading module "IPASS" from file /etc/raddb/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /etc/raddb/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_eap # Loading module "eap" from file /etc/raddb/mods-enabled/eap eap { default_eap_type = "tls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } # Loaded module rlm_detail # Loading module "detail" from file /etc/raddb/mods-enabled/detail detail { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_logintime # Loading module "logintime" from file /etc/raddb/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_expr # Loading module "expr" from file /etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module rlm_files # Loading module "files" from file /etc/raddb/mods-enabled/files files { filename = "/etc/raddb/mods-config/files/authorize" usersfile = "/etc/raddb/mods-config/files/authorize" acctusersfile = "/etc/raddb/mods-config/files/accounting" preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy" } # Loaded module rlm_cache # Loading module "cache" from file /etc/raddb/mods-enabled/cache cache { driver = "rlm_cache_rbtree" key = "%{User-Name}" ttl = 10 max_entries = 0 epoch = 0 add_stats = no } # Loaded module rlm_exec # Loading module "exec" from file /etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_digest # Loading module "digest" from file /etc/raddb/mods-enabled/digest # Loaded module rlm_pap # Loading module "pap" from file /etc/raddb/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_date # Loading module "date" from file /etc/raddb/mods-enabled/date date { format = "%b %e %Y %H:%M:%S %Z" utc = no } # Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log detail auth_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log detail reply_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_radutmp # Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_chap # Loading module "chap" from file /etc/raddb/mods-enabled/chap # Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_unix # Loading module "unix" from file /etc/raddb/mods-enabled/unix unix { radwtmp = "/var/log/radius/radwtmp" } Creating attribute Unix-Group # Loaded module rlm_always # Loading module "reject" from file /etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /etc/raddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /etc/raddb/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /etc/raddb/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_preprocess # Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess preprocess { huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups" hints = "/etc/raddb/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } instantiate { } # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap rlm_mschap (mschap): using internal authentication # Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration # Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject [/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". [/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT". # Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response # Instantiating module "betterbe" from file /etc/raddb/mods-enabled/ldap rlm_ldap: libldap vendor: OpenLDAP, version: 20444 rlm_ldap (betterbe): Couldn't find configuration for accounting, will return NOOP for calls from this section rlm_ldap (betterbe): Couldn't find configuration for post-auth, will return NOOP for calls from this section rlm_ldap (betterbe): Initialising connection pool pool { start = 5 min = 5 max = 10 spare = 3 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 1 spread = no } rlm_ldap (betterbe): Opening additional connection (0), 1 of 10 pending slots used rlm_ldap (betterbe): Connecting to ldap://ldap.svc.be.nl:389 rlm_ldap (betterbe): Waiting for bind result... rlm_ldap (betterbe): Bind successful rlm_ldap (betterbe): Opening additional connection (1), 1 of 9 pending slots used rlm_ldap (betterbe): Connecting to ldap://ldap.svc.be.nl:389 rlm_ldap (betterbe): Waiting for bind result... rlm_ldap (betterbe): Bind successful rlm_ldap (betterbe): Opening additional connection (2), 1 of 8 pending slots used rlm_ldap (betterbe): Connecting to ldap://ldap.svc.be.nl:389 rlm_ldap (betterbe): Waiting for bind result... rlm_ldap (betterbe): Bind successful rlm_ldap (betterbe): Opening additional connection (3), 1 of 7 pending slots used rlm_ldap (betterbe): Connecting to ldap://ldap.svc.be.nl:389 rlm_ldap (betterbe): Waiting for bind result... rlm_ldap (betterbe): Bind successful rlm_ldap (betterbe): Opening additional connection (4), 1 of 6 pending slots used rlm_ldap (betterbe): Connecting to ldap://ldap.svc.be.nl:389 rlm_ldap (betterbe): Waiting for bind result... rlm_ldap (betterbe): Bind successful # Instantiating module "tcwifi" from file /etc/raddb/mods-enabled/ldap rlm_ldap (tcwifi): Couldn't find configuration for accounting, will return NOOP for calls from this section rlm_ldap (tcwifi): Couldn't find configuration for post-auth, will return NOOP for calls from this section rlm_ldap (tcwifi): Initialising connection pool pool { start = 5 min = 5 max = 10 spare = 3 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 1 spread = no } rlm_ldap (tcwifi): Opening additional connection (0), 1 of 10 pending slots used rlm_ldap (tcwifi): Connecting to ldap://ldap.svc.be.nl:389 rlm_ldap (tcwifi): Waiting for bind result... rlm_ldap (tcwifi): Bind successful rlm_ldap (tcwifi): Opening additional connection (1), 1 of 9 pending slots used rlm_ldap (tcwifi): Connecting to ldap://ldap.svc.be.nl:389 rlm_ldap (tcwifi): Waiting for bind result... rlm_ldap (tcwifi): Bind successful rlm_ldap (tcwifi): Opening additional connection (2), 1 of 8 pending slots used rlm_ldap (tcwifi): Connecting to ldap://ldap.svc.be.nl:389 rlm_ldap (tcwifi): Waiting for bind result... rlm_ldap (tcwifi): Bind successful rlm_ldap (tcwifi): Opening additional connection (3), 1 of 7 pending slots used rlm_ldap (tcwifi): Connecting to ldap://ldap.svc.be.nl:389 rlm_ldap (tcwifi): Waiting for bind result... rlm_ldap (tcwifi): Bind successful rlm_ldap (tcwifi): Opening additional connection (4), 1 of 6 pending slots used rlm_ldap (tcwifi): Connecting to ldap://ldap.svc.be.nl:389 rlm_ldap (tcwifi): Waiting for bind result... rlm_ldap (tcwifi): Bind successful # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm # Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" ca_file = "/etc/raddb/certs/ca.pem" private_key_password = <<< secret >>> dh_file = "/etc/raddb/certs/dh2048.pem" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no check_cert_cn = "%{User-Name}" cipher_list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = no use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = yes use_tunneled_reply = no virtual_server = "inner-tunnel-betterbe" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel-betterbe" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail # Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime # Instantiating module "files" from file /etc/raddb/mods-enabled/files reading pairlist file /etc/raddb/mods-config/files/authorize reading pairlist file /etc/raddb/mods-config/files/authorize reading pairlist file /etc/raddb/mods-config/files/accounting reading pairlist file /etc/raddb/mods-config/files/pre-proxy # Instantiating module "cache" from file /etc/raddb/mods-enabled/cache rlm_cache (cache): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap # Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log # Instantiating module "reject" from file /etc/raddb/mods-enabled/always # Instantiating module "fail" from file /etc/raddb/mods-enabled/always # Instantiating module "ok" from file /etc/raddb/mods-enabled/always # Instantiating module "handled" from file /etc/raddb/mods-enabled/always # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always # Instantiating module "noop" from file /etc/raddb/mods-enabled/always # Instantiating module "updated" from file /etc/raddb/mods-enabled/always # Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups reading pairlist file /etc/raddb/mods-config/preprocess/hints } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf } # server server default { # from file /etc/raddb/sites-enabled/betterbe # Loading authenticate {...} # Loading authorize {...} # Loading preacct {...} # Loading accounting {...} # Loading session {...} # Loading pre-proxy {...} # Loading post-proxy {...} # Loading post-auth {...} } # server default server inner-tunnel-betterbe { # from file /etc/raddb/sites-enabled/betterbe # Loading authenticate {...} # Loading authorize {...} # Loading session {...} # Loading pre-proxy {...} # Loading post-proxy {...} # Loading post-auth {...} } # server inner-tunnel-betterbe radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel-betterbe Ready to process requests (0) Received Access-Request Id 30 from 172.30.20.47:51209 to 172.30.20.22:1812 length 210 (0) NAS-IP-Address = 172.30.27.1 (0) NAS-Port = 0 (0) NAS-Port-Type = Wireless-802.11 (0) User-Name = "jprins@betterbe.com" (0) Service-Type = Login-User (0) Calling-Station-Id = "0.0.0.0" (0) Called-Station-Id = "000B86B798F7" (0) MS-CHAP-Challenge = 0x03149e4ad8879031d0430f0d6c372268 (0) MS-CHAP2-Response = 0x0000369995e2e57a8779b6c14bc6514e34250000000000000000549cd2bd59355c8b53f05461d806198484d3dbf886af35f4 (0) Aruba-Location-Id = "N/A" (0) Aruba-AP-Group = "N/A" (0) Message-Authenticator = 0x17d68338287db939d0496243403b9bbf (0) # Executing section authorize from file /etc/raddb/sites-enabled/betterbe (0) authorize { (0) policy optional_realm { (0) if (User-Name =~ /(.+)@(.+)/) { (0) if (User-Name =~ /(.+)@(.+)/) -> TRUE (0) if (User-Name =~ /(.+)@(.+)/) { (0) update request { (0) EXPAND %{1} (0) --> jprins (0) &Stripped-User-Name := jprins (0) EXPAND %{tolower:%{2}} (0) --> betterbe.com (0) &Realm = betterbe.com (0) } # update request = noop (0) [updated] = updated (0) } # if (User-Name =~ /(.+)@(.+)/) = updated (0) ... skipping else: Preceding "if" was taken (0) } # policy optional_realm = updated (0) [preprocess] = ok (0) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (0) auth_log: --> /var/log/radius/radacct/172.30.20.47/auth-detail-20170921 (0) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/172.30.20.47/auth-detail-20170921 (0) auth_log: EXPAND %t (0) auth_log: --> Thu Sep 21 18:12:15 2017 (0) [auth_log] = ok (0) [chap] = noop (0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (0) [mschap] = ok (0) [digest] = noop (0) suffix: Request already has destination realm set. Ignoring (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop (0) if ( Realm == "betterbe.com" ) { (0) if ( Realm == "betterbe.com" ) -> TRUE (0) if ( Realm == "betterbe.com" ) { rlm_ldap (betterbe): Reserved connection (0) (0) betterbe: EXPAND (mailLocalAddress=%{User-Name}) (0) betterbe: --> (mailLocalAddress=jprins@betterbe.com) (0) betterbe: Performing search in "ou=better.be,dc=betterbe,dc=com" with filter "(mailLocalAddress=jprins@betterbe.com)", scope "sub" (0) betterbe: Waiting for search result... (0) betterbe: User object found at DN "cn=jprins,ou=Users,ou=Better.be,dc=betterbe,dc=com" (0) betterbe: Processing user attributes (0) betterbe: control:NT-Password := 0x4441363434333737304643363235333537343731443945353931314144373637 (0) betterbe: control:LM-Password := 0x4234383933444442334443444145414638423045413541374446313335423033 rlm_ldap (betterbe): Released connection (0) (0) [betterbe] = updated (0) } # if ( Realm == "betterbe.com" ) = updated (0) if ( Realm == "transportcentrum.wifi" ) { (0) if ( Realm == "transportcentrum.wifi" ) -> FALSE (0) [expiration] = noop (0) [logintime] = noop (0) pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes (0) pap: Normalizing LM-Password from hex encoding, 32 bytes -> 16 bytes (0) pap: WARNING: Auth-Type already set. Not setting to PAP (0) [pap] = noop (0) } # authorize = updated (0) Found Auth-Type = MS-CHAP (0) # Executing group from file /etc/raddb/sites-enabled/betterbe (0) Auth-Type MS-CHAP { (0) mschap: Found NT-Password (0) mschap: Found LM-Password (0) mschap: Creating challenge hash with username: jprins@betterbe.com (0) mschap: Client is using MS-CHAPv2 (0) mschap: Adding MS-CHAPv2 MPPE keys (0) [mschap] = ok (0) } # Auth-Type MS-CHAP = ok (0) # Executing section post-auth from file /etc/raddb/sites-enabled/betterbe (0) post-auth { (0) update { (0) No attributes updated (0) } # update = noop (0) reply_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d (0) reply_log: --> /var/log/radius/radacct/172.30.20.47/reply-detail-20170921 (0) reply_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/172.30.20.47/reply-detail-20170921 (0) reply_log: EXPAND %t (0) reply_log: --> Thu Sep 21 18:12:15 2017 (0) [reply_log] = ok (0) [exec] = noop (0) update reply { (0) EXPAND %{TLS-Cert-Serial} (0) --> (0) &Reply-Message += (0) EXPAND %{TLS-Cert-Expiration} (0) --> (0) &Reply-Message += (0) EXPAND %{TLS-Cert-Subject} (0) --> (0) &Reply-Message += (0) EXPAND %{TLS-Cert-Issuer} (0) --> (0) &Reply-Message += (0) EXPAND %{TLS-Cert-Common-Name} (0) --> (0) &Reply-Message += (0) EXPAND %{TLS-Cert-Subject-Alt-Name-Email} (0) --> (0) &Reply-Message += (0) EXPAND %{TLS-Client-Cert-Serial} (0) --> (0) &Reply-Message += (0) EXPAND %{TLS-Client-Cert-Expiration} (0) --> (0) &Reply-Message += (0) EXPAND %{TLS-Client-Cert-Subject} (0) --> (0) &Reply-Message += (0) EXPAND %{TLS-Client-Cert-Issuer} (0) --> (0) &Reply-Message += (0) EXPAND %{TLS-Client-Cert-Common-Name} (0) --> (0) &Reply-Message += (0) EXPAND %{TLS-Client-Cert-Subject-Alt-Name-Email} (0) --> (0) &Reply-Message += (0) } # update reply = noop (0) } # post-auth = ok (0) Sent Access-Accept Id 30 from 172.30.20.22:1812 to 172.30.20.47:51209 length 0 (0) MS-CHAP2-Success = 0x00533d35433731413646333730393746314238333844444532364443394133383341353042384138453846 (0) MS-MPPE-Recv-Key = 0xefa3bfa6d21ed431a4d4df07e49e8553 (0) MS-MPPE-Send-Key = 0x86ce295bd32908709066864538d00b8f (0) MS-MPPE-Encryption-Policy = Encryption-Allowed (0) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (0) Reply-Message += "" (0) Reply-Message += "" (0) Reply-Message += "" (0) Reply-Message += "" (0) Reply-Message += "" (0) Reply-Message += "" (0) Reply-Message += "" (0) Reply-Message += "" (0) Reply-Message += "" (0) Reply-Message += "" (0) Reply-Message += "" (0) Reply-Message += "" (0) Finished request Waking up in 4.9 seconds. On 09/21/2017 06:18 PM, jan hugo prins wrote:
Hello,
In my version 2 config I had a users file that was working fine. In my version 3 config I have moved the content of this file to mods-config/files/authorize
My huntsgroup file is working, or at least I see Huntgroup-Name attribute in my Auth-Detail logging.
there are a few things I don't see at the moment and they are all related to my users /authorize file:
- User to group mappings. - Aruba attributes are not added to an authenticated user - Users in my users file (phones etc) are not able to authenticate.
In version 2 I had use_tunneled_reply = yes in my config. In version 3 this is depricated and now I have to do something with update outer.session-state in my inner-tunnel config.
In version 2 I had to add some information regarding groups to the /etc/raddb/dictionary file. This file is in my config tree, but I have the idea that it is not being accessed.
What could I be missing? Attached is my radiusd -X output file.
Jan Hugo Prins
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Sep 21, 2017, at 12:18 PM, jan hugo prins <jhp@jhprins.org> wrote:
In my version 2 config I had a users file that was working fine. In my version 3 config I have moved the content of this file to mods-config/files/authorize
That should mostly be OK. There are some changes...
My huntsgroup file is working, or at least I see Huntgroup-Name attribute in my Auth-Detail logging.
there are a few things I don't see at the moment and they are all related to my users /authorize file:
- User to group mappings. - Aruba attributes are not added to an authenticated user - Users in my users file (phones etc) are not able to authenticate.
If you read the debug output, you will see: (0) [files] = noop So nothing in the "users" file is being matched.
In version 2 I had use_tunneled_reply = yes in my config. In version 3 this is depricated and now I have to do something with update outer.session-state in my inner-tunnel config.
You can still use it. It's deprecated, as in "other functionality is better", but it still works.
In version 2 I had to add some information regarding groups to the /etc/raddb/dictionary file. This file is in my config tree, but I have the idea that it is not being accessed.
It should be in /etc/raddb/dictionary If the attributes are in the "users" file, and the server starts, then the dictionary entries are being used. The recommended upgrade method is to test one thing at a time. Don't port all of your configuration, and expect everything to work. It might, but it might not. And if it doesn't work, then it's *very* difficult for you to tell why things are broken. Because it could be anything. The other recommendation is to ACTUALLY DESCRIBE WHAT YOU'RE DOING. If you're asking questions about "users" file entries... post an entry. Otherwise, the questions are largely "I tried stuff and and it didn't work. What changes do I make?" Well, we have no idea what you did, because you didn't tell us. So tell us what you did (and try things one step at a time). Maybe then we can help you. Alan DeKok.
Hi Alan, You are absolutely right that changing one thing at the time is the best way to go. the first thing I changes was the version of FreeRadius so I had to rebuild my complete config file. Most things are working fine again. But in the rebuilding of the config file some things actually changed a lot because the old syntax was simply not working anymore. Anyway, now for the users file and the group mapping: My ldap configuration looks like this: ldap betterbe { server = "ldap.fqdn" base_dn = "ou=better.be,dc=betterbe,dc=com" user { base_dn = "${..base_dn}" filter = "(mailLocalAddress=%{User-Name})" } group { base_dn = "${..base_dn}" filter = "(objectClass=posixGroup)" name_attribute = cn membership_filter = "(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name}))" } options { chase_referrals = yes rebind = yes res_timeout = 10 srv_timelimit = 3 net_timeout = 1 idle = 60 probes = 3 interval = 3 } tls { start_tls = no } update { control:Password-With-Header += 'userPassword' control:NT-Password := 'sambaNTPassword' control:LM-Password := 'sambaLMPassword' } edir = no edir_autz = no } Some entry out of my authorize file: DEFAULT ldap_betterbe-Ldap-Group == "werkneme-betterbe", Realm == "betterbe.com", Huntgroup-Name == "wireless" Aruba-User-Vlan = 101, Aruba-User-Role = "authenticated" And the corresponding enrty out of my dictionary file: ATTRIBUTE ldap_betterbe-Ldap-Group 3000 string In the past the user was found based on it's Stripped-User-Name. As you can see in my previous debug logging, I'm able to authenticate with an user out of my ldap environment, the only thing is that some attributes are not populated. Jan Hugo Prins On 09/21/2017 06:53 PM, Alan DeKok wrote:
On Sep 21, 2017, at 12:18 PM, jan hugo prins <jhp@jhprins.org> wrote:
In my version 2 config I had a users file that was working fine. In my version 3 config I have moved the content of this file to mods-config/files/authorize That should mostly be OK. There are some changes...
My huntsgroup file is working, or at least I see Huntgroup-Name attribute in my Auth-Detail logging.
there are a few things I don't see at the moment and they are all related to my users /authorize file:
- User to group mappings. - Aruba attributes are not added to an authenticated user - Users in my users file (phones etc) are not able to authenticate. If you read the debug output, you will see:
(0) [files] = noop
So nothing in the "users" file is being matched.
In version 2 I had use_tunneled_reply = yes in my config. In version 3 this is depricated and now I have to do something with update outer.session-state in my inner-tunnel config. You can still use it. It's deprecated, as in "other functionality is better", but it still works.
In version 2 I had to add some information regarding groups to the /etc/raddb/dictionary file. This file is in my config tree, but I have the idea that it is not being accessed. It should be in /etc/raddb/dictionary
If the attributes are in the "users" file, and the server starts, then the dictionary entries are being used.
The recommended upgrade method is to test one thing at a time. Don't port all of your configuration, and expect everything to work. It might, but it might not. And if it doesn't work, then it's *very* difficult for you to tell why things are broken. Because it could be anything.
The other recommendation is to ACTUALLY DESCRIBE WHAT YOU'RE DOING. If you're asking questions about "users" file entries... post an entry. Otherwise, the questions are largely "I tried stuff and and it didn't work. What changes do I make?"
Well, we have no idea what you did, because you didn't tell us. So tell us what you did (and try things one step at a time). Maybe then we can help you.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Just tested a plaintext user in the authorize file and that one works as well. So, at the moment the only thing not working seems to be my LDAP group matching. Jan Hugo Prins On 09/21/2017 07:16 PM, jan hugo prins wrote:
Hi Alan,
You are absolutely right that changing one thing at the time is the best way to go. the first thing I changes was the version of FreeRadius so I had to rebuild my complete config file. Most things are working fine again. But in the rebuilding of the config file some things actually changed a lot because the old syntax was simply not working anymore.
Anyway, now for the users file and the group mapping:
My ldap configuration looks like this:
ldap betterbe { server = "ldap.fqdn" base_dn = "ou=better.be,dc=betterbe,dc=com" user { base_dn = "${..base_dn}" filter = "(mailLocalAddress=%{User-Name})" } group { base_dn = "${..base_dn}" filter = "(objectClass=posixGroup)" name_attribute = cn membership_filter = "(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name}))" } options { chase_referrals = yes rebind = yes res_timeout = 10 srv_timelimit = 3 net_timeout = 1 idle = 60 probes = 3 interval = 3 } tls { start_tls = no } update { control:Password-With-Header += 'userPassword' control:NT-Password := 'sambaNTPassword' control:LM-Password := 'sambaLMPassword' } edir = no edir_autz = no }
Some entry out of my authorize file:
DEFAULT ldap_betterbe-Ldap-Group == "werkneme-betterbe", Realm == "betterbe.com", Huntgroup-Name == "wireless" Aruba-User-Vlan = 101, Aruba-User-Role = "authenticated"
And the corresponding enrty out of my dictionary file:
ATTRIBUTE ldap_betterbe-Ldap-Group 3000 string
In the past the user was found based on it's Stripped-User-Name.
As you can see in my previous debug logging, I'm able to authenticate with an user out of my ldap environment, the only thing is that some attributes are not populated.
Jan Hugo Prins
On 09/21/2017 06:53 PM, Alan DeKok wrote:
On Sep 21, 2017, at 12:18 PM, jan hugo prins <jhp@jhprins.org> wrote:
In my version 2 config I had a users file that was working fine. In my version 3 config I have moved the content of this file to mods-config/files/authorize That should mostly be OK. There are some changes...
My huntsgroup file is working, or at least I see Huntgroup-Name attribute in my Auth-Detail logging.
there are a few things I don't see at the moment and they are all related to my users /authorize file:
- User to group mappings. - Aruba attributes are not added to an authenticated user - Users in my users file (phones etc) are not able to authenticate. If you read the debug output, you will see:
(0) [files] = noop
So nothing in the "users" file is being matched.
In version 2 I had use_tunneled_reply = yes in my config. In version 3 this is depricated and now I have to do something with update outer.session-state in my inner-tunnel config. You can still use it. It's deprecated, as in "other functionality is better", but it still works.
In version 2 I had to add some information regarding groups to the /etc/raddb/dictionary file. This file is in my config tree, but I have the idea that it is not being accessed. It should be in /etc/raddb/dictionary
If the attributes are in the "users" file, and the server starts, then the dictionary entries are being used.
The recommended upgrade method is to test one thing at a time. Don't port all of your configuration, and expect everything to work. It might, but it might not. And if it doesn't work, then it's *very* difficult for you to tell why things are broken. Because it could be anything.
The other recommendation is to ACTUALLY DESCRIBE WHAT YOU'RE DOING. If you're asking questions about "users" file entries... post an entry. Otherwise, the questions are largely "I tried stuff and and it didn't work. What changes do I make?"
Well, we have no idea what you did, because you didn't tell us. So tell us what you did (and try things one step at a time). Maybe then we can help you.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Sep 21, 2017, at 1:16 PM, jan hugo prins <jhp@jhprins.org> wrote:
You are absolutely right that changing one thing at the time is the best way to go. the first thing I changes was the version of FreeRadius so I had to rebuild my complete config file. Most things are working fine again. But in the rebuilding of the config file some things actually changed a lot because the old syntax was simply not working anymore.
Yes. That's why we recommend recreating the config, instead of just copying it.
Anyway, now for the users file and the group mapping:
My ldap configuration looks like this:
That should work.
Some entry out of my authorize file:
DEFAULT ldap_betterbe-Ldap-Group == "werkneme-betterbe", Realm == "betterbe.com", Huntgroup-Name == "wireless" Aruba-User-Vlan = 101, Aruba-User-Role = "authenticated"
That should also work.
And the corresponding enrty out of my dictionary file:
ATTRIBUTE ldap_betterbe-Ldap-Group 3000 string
Delete that. It's wrong, and not necessary. Alan DeKok.
If I remove the dictionary line I get the following error in my authorize file during config parse: Thu Sep 21 19:54:56 2017 : Debug: reading pairlist file /etc/raddb/mods-config/files/authorize Thu Sep 21 19:54:56 2017 : Error: /etc/raddb/mods-config/files/authorize[1]: Parse error (check) for entry DEFAULT: Unknown name "ldap_betterbe-Ldap-Group" Thu Sep 21 19:54:56 2017 : Error: Failed reading /etc/raddb/mods-config/files/authorize Thu Sep 21 19:54:56 2017 : Error: /etc/raddb/mods-enabled/files[9]: Instantiation failed for module "files" Jan Hugo On 09/21/2017 07:44 PM, Alan DeKok wrote:
On Sep 21, 2017, at 1:16 PM, jan hugo prins <jhp@jhprins.org> wrote:
You are absolutely right that changing one thing at the time is the best way to go. the first thing I changes was the version of FreeRadius so I had to rebuild my complete config file. Most things are working fine again. But in the rebuilding of the config file some things actually changed a lot because the old syntax was simply not working anymore. Yes. That's why we recommend recreating the config, instead of just copying it.
Anyway, now for the users file and the group mapping:
My ldap configuration looks like this: That should work.
Some entry out of my authorize file:
DEFAULT ldap_betterbe-Ldap-Group == "werkneme-betterbe", Realm == "betterbe.com", Huntgroup-Name == "wireless" Aruba-User-Vlan = 101, Aruba-User-Role = "authenticated" That should also work.
And the corresponding enrty out of my dictionary file:
ATTRIBUTE ldap_betterbe-Ldap-Group 3000 string Delete that. It's wrong, and not necessary.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Found the issue. Got it working. In the migration I renamed the ldap instance ldap_betterbe to betterbe. This resulted in a mismatch between the authorize file and the ldap group objects. Thanks for you help. Jan Hugo Prins On 09/21/2017 07:58 PM, jan hugo prins wrote:
If I remove the dictionary line I get the following error in my authorize file during config parse:
Thu Sep 21 19:54:56 2017 : Debug: reading pairlist file /etc/raddb/mods-config/files/authorize Thu Sep 21 19:54:56 2017 : Error: /etc/raddb/mods-config/files/authorize[1]: Parse error (check) for entry DEFAULT: Unknown name "ldap_betterbe-Ldap-Group" Thu Sep 21 19:54:56 2017 : Error: Failed reading /etc/raddb/mods-config/files/authorize Thu Sep 21 19:54:56 2017 : Error: /etc/raddb/mods-enabled/files[9]: Instantiation failed for module "files"
Jan Hugo
On Sep 21, 2017, at 1:16 PM, jan hugo prins <jhp@jhprins.org> wrote:
You are absolutely right that changing one thing at the time is the best way to go. the first thing I changes was the version of FreeRadius so I had to rebuild my complete config file. Most things are working fine again. But in the rebuilding of the config file some things actually changed a lot because the old syntax was simply not working anymore. Yes. That's why we recommend recreating the config, instead of just copying it.
Anyway, now for the users file and the group mapping:
My ldap configuration looks like this: That should work.
Some entry out of my authorize file:
DEFAULT ldap_betterbe-Ldap-Group == "werkneme-betterbe", Realm == "betterbe.com", Huntgroup-Name == "wireless" Aruba-User-Vlan = 101, Aruba-User-Role = "authenticated" That should also work.
And the corresponding enrty out of my dictionary file:
ATTRIBUTE ldap_betterbe-Ldap-Group 3000 string Delete that. It's wrong, and not necessary.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 09/21/2017 07:44 PM, Alan DeKok wrote: - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
jan hugo prins