Hi all, I have my freeradius deploy (2.0.2) configured to authenticate users against Active Directory and that is working fine. But I want to retrieve user's profile from Active Directory, to add VLAN ID (Tunel-Private-Group-ID) to Access-Accept reply. I really don't know how to do this and I could find a clear solution, either in documentation (rlm_ldap) ot by googling. So I would appreciate if someone could give me a hand on this. What I've done so far is to add this entry to ldap.attrmap file: "replyItem radiusProfileDn memberOf". The profile I want to retrieve is the CN in this object like "cn=PROFILE,dc=domain,dc=com", but in radius debug I'm getting this error: ++[ntdomain] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for figo expand: %{Stripped-User-Name} -> figo expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}) -> (sAMAccountName=figo) expand: dc=ldaptest,dc=pt -> dc=ldaptest,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=ldaptest,dc=com, with filter (sAMAccountName=figo) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Failed to create the pair: Invalid octet string "CN=grupo1,DC=ldaptest,DC=com" for attribute name "radiusProfileDn" WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? rlm_ldap: user figo authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok rlm_eap: EAP packet type response id 8 length 80 rlm_eap: Continuing tunnel setup. ++[eap] returns ok ++[mschap] returns noop expand: %{Stripped-User-Name} -> figo expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-none}} -> figo ++[files] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Success Using saved attributes from the original Access-Accept rlm_eap: Freeing handler ++[eap] returns ok Login OK: [LDAPTEST.COM\\figo/<via Auth-Type = EAP>] (from client portatil port 0 cli 02-00-00-00-00-01) Sending Access-Accept of id 17 to 192.168.10.200 port 33000 User-Name = "figo" MS-MPPE-Recv-Key = 0x69e42b94d9070d50bf16c6f70d904c94799f99dc1aeb8f2c7485968674c5cad5 MS-MPPE-Send-Key = 0xa67fc2e54c9ec96e583225bb123ed223e55846230bbdb26eeb6bb0b16bd5c57d EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 Is this the way I to achieve or I want or am I completely wrong? Thnx, Nelson Vale
Ok I finally realise what I was doing wrong. To retrieve one Active Directory user's group it's not necessary to use de replyItem in ldap.attrmap. It's only necessary to configure "correctly" the ldap module. So I resolved this using the following configuration: Sáb, 2008-07-12 às 21:58 +0100, Nelson Vale escreveu:
Hi all,
I have my freeradius deploy (2.0.2) configured to authenticate users against Active Directory and that is working fine. But I want to retrieve user's profile from Active Directory, to add VLAN ID (Tunel-Private-Group-ID) to Access-Accept reply.
I really don't know how to do this and I could find a clear solution, either in documentation (rlm_ldap) ot by googling. So I would appreciate if someone could give me a hand on this.
What I've done so far is to add this entry to ldap.attrmap file: "replyItem radiusProfileDn memberOf". The profile I want to retrieve is the CN in this object like "cn=PROFILE,dc=domain,dc=com", but in radius debug I'm getting this error:
++[ntdomain] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for figo expand: %{Stripped-User-Name} -> figo expand: (sAMAccountName= %{%{Stripped-User-Name}:-%{%{User-Name}:-none}}) -> (sAMAccountName=figo) expand: dc=ldaptest,dc=pt -> dc=ldaptest,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=ldaptest,dc=com, with filter (sAMAccountName=figo) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Failed to create the pair: Invalid octet string "CN=grupo1,DC=ldaptest,DC=com" for attribute name "radiusProfileDn" WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? rlm_ldap: user figo authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok rlm_eap: EAP packet type response id 8 length 80 rlm_eap: Continuing tunnel setup. ++[eap] returns ok ++[mschap] returns noop expand: %{Stripped-User-Name} -> figo expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-none}} -> figo ++[files] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Success Using saved attributes from the original Access-Accept rlm_eap: Freeing handler ++[eap] returns ok Login OK: [LDAPTEST.COM\\figo/<via Auth-Type = EAP>] (from client portatil port 0 cli 02-00-00-00-00-01) Sending Access-Accept of id 17 to 192.168.10.200 port 33000 User-Name = "figo" MS-MPPE-Recv-Key = 0x69e42b94d9070d50bf16c6f70d904c94799f99dc1aeb8f2c7485968674c5cad5 MS-MPPE-Send-Key = 0xa67fc2e54c9ec96e583225bb123ed223e55846230bbdb26eeb6bb0b16bd5c57d EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000
Sorry, my last message was sent before time :). I was betrayed by a very sensitive touchpad... Now the complete message: Ok I finally realise what I was doing wrong. To retrieve one Active Directory user's group it's not necessary to use de replyItem in ldap.attrmap. It's only necessary to configure "correctly" the ldap module. So I resolved this by using the following configuration: In radius.conf: ldap { server = "192.168.100.173:389" basedn = "dc=ldaptest,dc=com" password = XXXXXXXX identity = "cn=manager,cn=users,dc=ldaptest,dc=com" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{%{User-Name}:-none}})" start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 groupmembership_attribute = memberOf groupmembership_filter = "(|(&(objectClass=group)(member=%{check:LDAP-UserDn}))(&(objectClass=GroupOfNames)(member=%{check:LDAP-UserDn})))" timeout = 4 timelimit = 3 net_timeout = 1 } NOTE: The %{Ldap-UserDn} attribute was replaced by %{check:LDAP-UserDn} since 2.0 ( I lost a lot of time here because I was using %{Ldap-UserDn} as stated in documentation) In users file: (one entry to each group) DEFAULT Ldap-Group == "CN=groupX,DC=ldaptest,DC=com" Tunnel-Medium-Type = IEEE-802, Tunnel-Type = VLAN, Tunnel-Private-Group-Id = "3" Now the reply is like: rad_recv: Access-Request packet from host 192.168.10.200 port 33073, id=17, length=217 User-Name = "LDAPTEST.COM\\figo" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x02080050190017030100205178b4a5223790b6da72bc08db63ad2293c28106a590b25833bd4a70ba08f8d91703010020ff2d3faaec5ab346aaebb253b110da880ba6c5c55a27deaad76e9ddeb9016be6 State = 0x7491a0427399b9e1f10398e7556e31d5 Message-Authenticator = 0x342892f124c4b5b005c0d5810e0b5ba9 +- entering group authorize ++[preprocess] returns ok rlm_realm: No '@' in User-Name = "LDAPTEST.COM\figo", skipping NULL due to config. ++[suffix] returns noop rlm_realm: Looking up realm "LDAPTEST.COM" for User-Name = "LDAPTEST.COM\figo" rlm_realm: Found realm "LDAPTEST.COM" rlm_realm: Adding Stripped-User-Name = "figo" rlm_realm: Proxying request from user figo to realm LDAPTEST.COM rlm_realm: Adding Realm = "LDAPTEST.COM" rlm_realm: Authentication realm is LOCAL. ++[ntdomain] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for figo expand: %{Stripped-User-Name} -> figo expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}) -> (sAMAccountName=figo) expand: dc=ldaptest,dc=com -> dc=ldaptest,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=ldaptest,dc=com, with filter (sAMAccountName=figo) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? rlm_ldap: user figo authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok rlm_eap: EAP packet type response id 8 length 80 rlm_eap: Continuing tunnel setup. ++[eap] returns ok ++[mschap] returns noop rlm_ldap: Entering ldap_groupcmp() expand: dc=ldaptest,dc=com -> dc=ldaptest,dc=com expand: (|(&(objectClass=group)(member=%{check:LDAP-UserDn}))(&(objectClass=GroupOfNames)(member=%{check:LDAP-UserDn}))) -> (|(&(objectClass=group)(member=CN\3dfigo\2cCN\3dUsers\2cDC\3dldaptest\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dfigo\2cCN\3dUsers\2cDC\3dldaptest\2cDC\3dcom))) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in CN=grupo1,DC=ldaptest,DC=com, with filter (|(&(objectClass=group)(member=CN\3dfigo\2cCN\3dUsers\2cDC\3dldaptest\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dfigo\2cCN\3dUsers\2cDC\3dldaptest\2cDC\3dcom))) rlm_ldap::ldap_groupcmp: User found in group CN=grupo1,DC=ldaptest,DC=pt rlm_ldap: ldap_release_conn: Release Id: 0 users: Matched entry DEFAULT at line 8 ++[files] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Success Using saved attributes from the original Access-Accept rlm_eap: Freeing handler ++[eap] returns ok Login OK: [LDAPTEST.COM\\figo/<via Auth-Type = EAP>] (from client portatil port 0 cli 02-00-00-00-00-01) Sending Access-Accept of id 17 to 192.168.10.200 port 33073 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN Tunnel-Private-Group-Id:0 = "3" User-Name = "figo" MS-MPPE-Recv-Key = 0x0a5a3f68acda5e41d86f92d25677f47777c6cae58d68d17724b9426cf14e0a0b MS-MPPE-Send-Key = 0xaf14b9e531c2b4d9102d5c247af581386c17fb4d9ce223f9f452b77d18faa33a EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 Sáb, 2008-07-12 às 21:58 +0100, Nelson Vale escreveu:
Hi all,
I have my freeradius deploy (2.0.2) configured to authenticate users against Active Directory and that is working fine. But I want to retrieve user's profile from Active Directory, to add VLAN ID (Tunel-Private-Group-ID) to Access-Accept reply.
I really don't know how to do this and I could find a clear solution, either in documentation (rlm_ldap) ot by googling. So I would appreciate if someone could give me a hand on this.
What I've done so far is to add this entry to ldap.attrmap file: "replyItem radiusProfileDn memberOf". The profile I want to retrieve is the CN in this object like "cn=PROFILE,dc=domain,dc=com", but in radius debug I'm getting this error:
++[ntdomain] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for figo expand: %{Stripped-User-Name} -> figo expand: (sAMAccountName= %{%{Stripped-User-Name}:-%{%{User-Name}:-none}}) -> (sAMAccountName=figo) expand: dc=ldaptest,dc=pt -> dc=ldaptest,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=ldaptest,dc=com, with filter (sAMAccountName=figo) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Failed to create the pair: Invalid octet string "CN=grupo1,DC=ldaptest,DC=com" for attribute name "radiusProfileDn" WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? rlm_ldap: user figo authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok rlm_eap: EAP packet type response id 8 length 80 rlm_eap: Continuing tunnel setup. ++[eap] returns ok ++[mschap] returns noop expand: %{Stripped-User-Name} -> figo expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-none}} -> figo ++[files] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Success Using saved attributes from the original Access-Accept rlm_eap: Freeing handler ++[eap] returns ok Login OK: [LDAPTEST.COM\\figo/<via Auth-Type = EAP>] (from client portatil port 0 cli 02-00-00-00-00-01) Sending Access-Accept of id 17 to 192.168.10.200 port 33000 User-Name = "figo" MS-MPPE-Recv-Key = 0x69e42b94d9070d50bf16c6f70d904c94799f99dc1aeb8f2c7485968674c5cad5 MS-MPPE-Send-Key = 0xa67fc2e54c9ec96e583225bb123ed223e55846230bbdb26eeb6bb0b16bd5c57d EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000
participants (2)
-
Nelson Vale -
nf-vale