Need help for configuration - LDAP with custom files Failover
Dear All, I'm facing a problem with Freeradius 2.0.4. I want to make a configuration to allow our Cisco routers to auth via RADIUS. For this, we're using a password file now (let's call it ciscopwd) and another file for granting rights. I want to change the config file, so that the auth is done by LDAP (plain passwords), BUT if the LDAP is not available the ciscopwd file will do the job. How can this be done? (moreover, I want to have some LDAP group limitations on the logins) Thanks in advance, Tamas
I'm facing a problem with Freeradius 2.0.4. I want to make a configuration to allow our Cisco routers to auth via RADIUS. For this, we're using a password file now (let's call it ciscopwd) and another file for granting rights.
I want to change the config file, so that the auth is done by LDAP (plain passwords), BUT if the LDAP is not available the ciscopwd file will do the job. How can this be done? (moreover, I want to have some LDAP group limitations on the logins)
Have a look at these: http://wiki.freeradius.org/Fail-over http://freeradius.org/radiusd/man/unlang.html Ivan Kalik Kalik Informatika ISP
That's what I've tried. The authorize section: redundant { # if I comment the folloing line out, the password is accepted, but I get "% Authorization failed." from the switch (this is coused by the incorrect "users" file maybe). files ldap ciscopwd # if I uncomment the following line, freerad won't start # ok = return } The users file: DEFAULT Auth-Type := Crypt-Local Service-Type = Login-User What's wrong than? And how can I implement LDAP group filtering? Just with the modules section groupdn? Thanks, Tamas ________________________________________ Feladó: freeradius-users-bounces+tdajka=geomant.com@lists.freeradius.org [freeradius-users-bounces+tdajka=geomant.com@lists.freeradius.org], meghatalmazó: tnt@kalik.net [tnt@kalik.net] Küldve: 2008. október 27. 18:45 Címzett: FreeRadius users mailing list Tárgy: Re: Need help for configuration - LDAP with custom files Failover
I'm facing a problem with Freeradius 2.0.4. I want to make a configuration to allow our Cisco routers to auth via RADIUS. For this, we're using a password file now (let's call it ciscopwd) and another file for granting rights.
I want to change the config file, so that the auth is done by LDAP (plain passwords), BUT if the LDAP is not available the ciscopwd file will do the job. How can this be done? (moreover, I want to have some LDAP group limitations on the logins)
Have a look at these: http://wiki.freeradius.org/Fail-over http://freeradius.org/radiusd/man/unlang.html Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
redundant { # if I comment the folloing line out, the password is accepted, but I get "% Authorization failed." from the switch (this is coused by the incorrect "users" file maybe).
So, post the debug (radiusd -X).
files ldap ciscopwd # if I uncomment the following line, freerad won't start # ok = return }
The users file:
DEFAULT Auth-Type := Crypt-Local Service-Type = Login-User
You said you have plain text passwords. This will ensure that authentication fails. Delete that Auth-Type. Ivan Kalik Kalik Informatika ISP
Uncommented the "Auth-Type" in users, and the debug output: radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr } radiusd: #### Loading Virtual Servers #### server { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "crypt" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_ldap Module: Instantiating ldap ldap { server = "ldap.mydomain.hu" port = 636 password = "" identity = "" net_timeout = 5 timeout = 4 timelimit = 3 tls_mode = yes start_tls = no tls_cacertfile = "/etc/ssl/mydomain.hu/ca/cacert.pem" tls_require_cert = "never" basedn = "dc=mydomain,dc=hu" filter = "(uid=%{User-Name})" base_filter = "(objectclass=posixAccount)" password_header = "{clear}" password_attribute = "userPassword" auto_header = no access_attr = "uid" access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/etc/freeradius/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes edir_account_policy_check = yes set_auth_type = yes } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap rlm_ldap: LDAP userPassword mapped to RADIUS User-Password rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message conns: 0x8816b00 Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_detail Module: Instantiating auth_log detail auth_log { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" compat = "no" } Module: Linked to module rlm_passwd Module: Instantiating ciscopwd passwd ciscopwd { filename = "/etc/freeradius/ciscopwd" format = "*User-Name:Crypt-Password" delimiter = ":" ignorenislike = yes ignoreempty = yes allowmultiplekeys = no hashsize = 100 } rlm_passwd: nfields: 2 keyfield 0(User-Name) listable: no Module: Instantiating ciscoextra passwd ciscoextra { filename = "/etc/freeradius/ciscoextra" format = "*User-Name:=Cisco-AVPair" delimiter = ";" ignorenislike = yes ignoreempty = yes allowmultiplekeys = no hashsize = 100 } rlm_passwd: nfields: 2 keyfield 0(User-Name) listable: no Module: Instantiating ciscogroup passwd ciscogroup { filename = "/etc/freeradius/ciscogroup" format = "*User-Name:~Group" delimiter = ":" ignorenislike = yes ignoreempty = yes allowmultiplekeys = no hashsize = 100 } rlm_passwd: nfields: 2 keyfield 0(User-Name) listable: no Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_counter Module: Instantiating daily counter daily { filename = "/etc/freeradius/db.daily" key = "User-Name" reset = "daily" count-attribute = "Acct-Session-Time" counter-name = "Daily-Session-Time" check-name = "Max-Daily-Session" allowed-servicetype = "Framed-User" cache-size = 5000 } rlm_counter: Counter attribute Daily-Session-Time is number 11276 rlm_counter: Current Time: 1225186760 [2008-10-28 10:39:20], Next reset 1225234800 [2008-10-29 00:00:00] Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load } } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } main { snmp = no smux_password = "" snmp_write_access = no } Listening on authentication address * port 1812 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host myswitchip port 1645, id=139, length=80 NAS-IP-Address = myswitchip NAS-Port = 1 NAS-Port-Type = Virtual User-Name = "myusernamer" Calling-Station-Id = "myclientip" User-Password = "myvalid_ldap_password" +- entering group authorize ++[preprocess] returns ok expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/myswitchip/auth-detail-20081028 rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/myswitchip/auth-detail-20081028 expand: %t -> Tue Oct 28 10:39:26 2008 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++- entering policy redundant users: Matched entry DEFAULT at line 11 +++[files] returns ok ++- policy redundant returns ok rlm_passwd: Added Cisco-AVPair: 'shell:priv-lvl=1' to reply_items ++[ciscoextra] returns ok ++[ciscogroup] returns notfound rad_check_password: Found Auth-Type LDAP auth: type "LDAP" +- entering group LDAP rlm_ldap: - authenticate rlm_ldap: login attempt by "myusername" with password "myvalid_ldap_password" expand: (uid=%{User-Name}) -> (uid=myusername) expand: dc=mydomain,dc=hu -> dc=mydomain,dc=hu rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap.mydomain.hu:636, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /etc/ssl/mydomain.hu/ca/cacert.pem rlm_ldap: setting TLS Require Cert to never rlm_ldap: bind as / to ldap.mydomain.hu:636 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=mydomain,dc=hu, with filter (uid=myusername) rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: user DN: cn=myusername,ou=users,dc=mydomain,dc=hu rlm_ldap: (re)connect to ldap.mydomain.hu:636, authentication 1 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /etc/ssl/mydomain.hu/ca/cacert.pem rlm_ldap: setting TLS Require Cert to never rlm_ldap: bind as cn=myusername,ou=users,dc=mydomain,dc=hu/myvalid_ldap_password to ldap.mydomain.hu:636 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user myusername authenticated succesfully ++[ldap] returns ok Login OK: [myusername/myvalid_ldap_password] (from client myshortname port 1 cli myclientip) Sending Access-Accept of id 139 to myswitchip port 1645 Cisco-AVPair = "shell:priv-lvl=1" Finished request 0. Going to the next request Waking up in 4.9 seconds. The myusername is same in the ciscopwd file and in LDAP, but the passwords are different. ________________________________________ Feladó: freeradius-users-bounces+tdajka=geomant.com@lists.freeradius.org [freeradius-users-bounces+tdajka=geomant.com@lists.freeradius.org], meghatalmazó: tnt@kalik.net [tnt@kalik.net] Küldve: 2008. október 28. 10:36 Címzett: FreeRadius users mailing list Tárgy: RE: Need help for configuration - LDAP with custom files Failover
redundant { # if I comment the folloing line out, the password is accepted, but I get "% Authorization failed." from the switch (this is coused by the incorrect "users" file maybe).
So, post the debug (radiusd -X).
files ldap ciscopwd # if I uncomment the following line, freerad won't start # ok = return }
The users file:
DEFAULT Auth-Type := Crypt-Local Service-Type = Login-User
You said you have plain text passwords. This will ensure that authentication fails. Delete that Auth-Type. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
rad_recv: Access-Request packet from host myswitchip port 1645, id=139, length=80 NAS-IP-Address = myswitchip NAS-Port = 1 NAS-Port-Type = Virtual User-Name = "myusernamer" Calling-Station-Id = "myclientip" User-Password = "myvalid_ldap_password" +- entering group authorize .. ++- entering policy redundant users: Matched entry DEFAULT at line 11 +++[files] returns ok ++- policy redundant returns ok
OK. Your redundant section is not going to make much sense if you are going to have matches on DEFAULT entries in files. files will always be used while ldap and ciscopwd - never. On top of that you are setting auth type ldap - remove files from redundant section and delete that auth type entry from it.
The myusername is same in the ciscopwd file and in LDAP, but the passwords are different.
Why??? That file should be for users that are not in ldap or as ldap backup (same user, same password, so when ldap server fails they can still connect). Ivan Kalik Kalik Informatika ISP
Now, the users file is empty, and still the same (%Authorization failed on the switch). The log: ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++- entering policy redundant rlm_ldap: - authorize rlm_ldap: performing user authorization for myusername expand: (uid=%{User-Name}) -> (uid=myusername) expand: dc=mydomain,dc=hu -> dc=mydomain,dc=hu rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap.mydomain.hu:636, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /etc/ssl/mydomain.hu/ca/cacert.pem rlm_ldap: setting TLS Require Cert to never rlm_ldap: bind as / to ldap.mydomain.hu:636 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=mydomain,dc=hu, with filter (uid=myusername) rlm_ldap: checking if remote access for viper is allowed by uid rlm_ldap: No default NMAS login sequence rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? rlm_ldap: Setting Auth-Type = ldap rlm_ldap: user viper authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap] returns ok ++- policy redundant returns ok rlm_passwd: Added Cisco-AVPair: 'shell:priv-lvl=1' to reply_items ++[ciscoextra] returns ok ++[ciscogroup] returns notfound rad_check_password: Found Auth-Type ldap auth: type "LDAP" +- entering group LDAP rlm_ldap: - authenticate rlm_ldap: login attempt by "myusername" with password "myldappasswd" rlm_ldap: user DN: cn=myusername,ou=users,dc=mydomain,dc=hu rlm_ldap: (re)connect to ldap.mydomain.hu:636, authentication 1 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /etc/ssl/mydomain.hu/ca/cacert.pem rlm_ldap: setting TLS Require Cert to never rlm_ldap: bind as cn=myusername,ou=users,dc=mydomain,dc=hu/mypassword to ldap.mydomain.hu:636 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user myusername authenticated succesfully ++[ldap] returns ok Login OK: [myusername/mypassword] (from client shortname port 1 cli myclientip) Sending Access-Accept of id 142 to myswitchip port 1645 Cisco-AVPair = "shell:priv-lvl=1" Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 142 with timestamp +9 Access-Accept, but still error on the switch (% Authorization failed.). As to my previous testing, not all the switches work, if the mentioned users file section (DEFAULT ...) is not present (I mean, authing against files,ciscopwd ). This is some Cisco error, but coudn't find any workaround. Is it not possible to use somehow the users file, with DEAFULT entires and Fall-Through flags?
The myusername is same in the ciscopwd file and in LDAP, but the passwords are different.
Why??? That file should be for users that are not in ldap or as ldap backup (same user, same password, so when ldap server fails they can still connect).
The passwords are different just for testing. The ciscopws should act as backup, if ldap server failes. Thanks, Tamas ________________________________________ Feladó: freeradius-users-bounces+tdajka=geomant.com@lists.freeradius.org [freeradius-users-bounces+tdajka=geomant.com@lists.freeradius.org], meghatalmazó: tnt@kalik.net [tnt@kalik.net] Küldve: 2008. október 28. 11:25 Címzett: FreeRadius users mailing list Tárgy: RE: Need help for configuration - LDAP with custom files Failover
rad_recv: Access-Request packet from host myswitchip port 1645, id=139, length=80 NAS-IP-Address = myswitchip NAS-Port = 1 NAS-Port-Type = Virtual User-Name = "myusernamer" Calling-Station-Id = "myclientip" User-Password = "myvalid_ldap_password" +- entering group authorize .. ++- entering policy redundant users: Matched entry DEFAULT at line 11 +++[files] returns ok ++- policy redundant returns ok
OK. Your redundant section is not going to make much sense if you are going to have matches on DEFAULT entries in files. files will always be used while ldap and ciscopwd - never. On top of that you are setting auth type ldap - remove files from redundant section and delete that auth type entry from it.
The myusername is same in the ciscopwd file and in LDAP, but the passwords are different.
Why??? That file should be for users that are not in ldap or as ldap backup (same user, same password, so when ldap server fails they can still connect). Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
As I see, that I should provide "Service-Type = Login-User" in the reply. Is it possible somehow? ________________________________________ Feladó: freeradius-users-bounces+tdajka=geomant.com@lists.freeradius.org [freeradius-users-bounces+tdajka=geomant.com@lists.freeradius.org], meghatalmazó: Dajka Tamás [tdajka@geomant.com] Küldve: 2008. október 28. 11:48 Címzett: FreeRadius users mailing list Tárgy: RE: Need help for configuration - LDAP with custom files Failover Now, the users file is empty, and still the same (%Authorization failed on the switch). The log: ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++- entering policy redundant rlm_ldap: - authorize rlm_ldap: performing user authorization for myusername expand: (uid=%{User-Name}) -> (uid=myusername) expand: dc=mydomain,dc=hu -> dc=mydomain,dc=hu rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap.mydomain.hu:636, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /etc/ssl/mydomain.hu/ca/cacert.pem rlm_ldap: setting TLS Require Cert to never rlm_ldap: bind as / to ldap.mydomain.hu:636 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=mydomain,dc=hu, with filter (uid=myusername) rlm_ldap: checking if remote access for viper is allowed by uid rlm_ldap: No default NMAS login sequence rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? rlm_ldap: Setting Auth-Type = ldap rlm_ldap: user viper authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap] returns ok ++- policy redundant returns ok rlm_passwd: Added Cisco-AVPair: 'shell:priv-lvl=1' to reply_items ++[ciscoextra] returns ok ++[ciscogroup] returns notfound rad_check_password: Found Auth-Type ldap auth: type "LDAP" +- entering group LDAP rlm_ldap: - authenticate rlm_ldap: login attempt by "myusername" with password "myldappasswd" rlm_ldap: user DN: cn=myusername,ou=users,dc=mydomain,dc=hu rlm_ldap: (re)connect to ldap.mydomain.hu:636, authentication 1 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /etc/ssl/mydomain.hu/ca/cacert.pem rlm_ldap: setting TLS Require Cert to never rlm_ldap: bind as cn=myusername,ou=users,dc=mydomain,dc=hu/mypassword to ldap.mydomain.hu:636 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user myusername authenticated succesfully ++[ldap] returns ok Login OK: [myusername/mypassword] (from client shortname port 1 cli myclientip) Sending Access-Accept of id 142 to myswitchip port 1645 Cisco-AVPair = "shell:priv-lvl=1" Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 142 with timestamp +9 Access-Accept, but still error on the switch (% Authorization failed.). As to my previous testing, not all the switches work, if the mentioned users file section (DEFAULT ...) is not present (I mean, authing against files,ciscopwd ). This is some Cisco error, but coudn't find any workaround. Is it not possible to use somehow the users file, with DEAFULT entires and Fall-Through flags?
The myusername is same in the ciscopwd file and in LDAP, but the passwords are different.
Why??? That file should be for users that are not in ldap or as ldap backup (same user, same password, so when ldap server fails they can still connect).
The passwords are different just for testing. The ciscopws should act as backup, if ldap server failes. Thanks, Tamas ________________________________________ Feladó: freeradius-users-bounces+tdajka=geomant.com@lists.freeradius.org [freeradius-users-bounces+tdajka=geomant.com@lists.freeradius.org], meghatalmazó: tnt@kalik.net [tnt@kalik.net] Küldve: 2008. október 28. 11:25 Címzett: FreeRadius users mailing list Tárgy: RE: Need help for configuration - LDAP with custom files Failover
rad_recv: Access-Request packet from host myswitchip port 1645, id=139, length=80 NAS-IP-Address = myswitchip NAS-Port = 1 NAS-Port-Type = Virtual User-Name = "myusernamer" Calling-Station-Id = "myclientip" User-Password = "myvalid_ldap_password" +- entering group authorize .. ++- entering policy redundant users: Matched entry DEFAULT at line 11 +++[files] returns ok ++- policy redundant returns ok
OK. Your redundant section is not going to make much sense if you are going to have matches on DEFAULT entries in files. files will always be used while ldap and ciscopwd - never. On top of that you are setting auth type ldap - remove files from redundant section and delete that auth type entry from it.
The myusername is same in the ciscopwd file and in LDAP, but the passwords are different.
Why??? That file should be for users that are not in ldap or as ldap backup (same user, same password, so when ldap server fails they can still connect). Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Working, thanks. What about LDAP group membership checking? DEFAULT Ldap-Group != "cn=routing_admins,ou=groups,dc=mydomain,dc=hu", Auth-Type := Reject This is not working (inserted after DEFAULT Service-Type = Login-User) Tamas ________________________________________ Feladó: freeradius-users-bounces+tdajka=geomant.com@lists.freeradius.org [freeradius-users-bounces+tdajka=geomant.com@lists.freeradius.org], meghatalmazó: tnt@kalik.net [tnt@kalik.net] Küldve: 2008. október 28. 12:18 Címzett: FreeRadius users mailing list Tárgy: RE: Need help for configuration - LDAP with custom files Failover
As I see, that I should provide "Service-Type = Login-User" in the reply. Is it possible somehow?
DEFAULT Service-Type = Login-User In users file. Or put it in ciscoextra where avpair is. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Add Fall-Through = 1 for Service-Type entry. Ivan Kalik Kalik Informatika ISP Dana 28/10/2008, "Dajka Tamás" <tdajka@geomant.com> piše:
Working, thanks. What about LDAP group membership checking?
DEFAULT Ldap-Group != "cn=routing_admins,ou=groups,dc=mydomain,dc=hu", Auth-Type := Reject
This is not working (inserted after DEFAULT Service-Type = Login-User)
Tamas ________________________________________ Feladó: freeradius-users-bounces+tdajka=geomant.com@lists.freeradius.org [freeradius-users-bounces+tdajka=geomant.com@lists.freeradius.org], meghatalmazó: tnt@kalik.net [tnt@kalik.net] Küldve: 2008. október 28. 12:18 Címzett: FreeRadius users mailing list Tárgy: RE: Need help for configuration - LDAP with custom files Failover
As I see, that I should provide "Service-Type = Login-User" in the reply. Is it possible somehow?
DEFAULT Service-Type = Login-User
In users file. Or put it in ciscoextra where avpair is.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Allready tried it, but not working. The users file: DEFAULT Service-Type = Login-User, Fall-Through = 1 DEFAULT Ldap-Group != "cn=routing_admins,ou=groups,dc=mydomain,dc=hu", Auth-Type := Reject In the log, I don't see it, if it ever tries to search for group membership. Does it have to do anything with access_attr = uid? Cheers, Tamas ________________________________________ Feladó: freeradius-users-bounces+tdajka=geomant.com@lists.freeradius.org [freeradius-users-bounces+tdajka=geomant.com@lists.freeradius.org], meghatalmazó: tnt@kalik.net [tnt@kalik.net] Küldve: 2008. október 28. 13:22 Címzett: FreeRadius users mailing list Tárgy: RE: Need help for configuration - LDAP with custom files Failover Add Fall-Through = 1 for Service-Type entry. Ivan Kalik Kalik Informatika ISP Dana 28/10/2008, "Dajka Tamás" <tdajka@geomant.com> piše:
Working, thanks. What about LDAP group membership checking?
DEFAULT Ldap-Group != "cn=routing_admins,ou=groups,dc=mydomain,dc=hu", Auth-Type := Reject
This is not working (inserted after DEFAULT Service-Type = Login-User)
Tamas ________________________________________ Feladó: freeradius-users-bounces+tdajka=geomant.com@lists.freeradius.org [freeradius-users-bounces+tdajka=geomant.com@lists.freeradius.org], meghatalmazó: tnt@kalik.net [tnt@kalik.net] Küldve: 2008. október 28. 12:18 Címzett: FreeRadius users mailing list Tárgy: RE: Need help for configuration - LDAP with custom files Failover
As I see, that I should provide "Service-Type = Login-User" in the reply. Is it possible somehow?
DEFAULT Service-Type = Login-User
In users file. Or put it in ciscoextra where avpair is.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
DEFAULT Ldap-Group != "cn=routing_admins,ou=groups,dc=mydomain,dc=hu", Auth-Type := Reject
Sorry, this looked like a single line in my webmail. It should be: DEFAULT Ldap-Group != "cn=routing_admins,ou=groups,dc=mydomain,dc=hu", Auth-Type := Reject (all on the same line). Ivan Kalik Kalik Informatika ISP
What's the difference (commas or new lines)? BTW, it's working as it should. Thanks. Tamas ________________________________________ Feladó: freeradius-users-bounces+tdajka=geomant.com@lists.freeradius.org [freeradius-users-bounces+tdajka=geomant.com@lists.freeradius.org], meghatalmazó: tnt@kalik.net [tnt@kalik.net] Küldve: 2008. október 28. 13:48 Címzett: FreeRadius users mailing list Tárgy: RE: Need help for configuration - LDAP with custom files Failover
DEFAULT Ldap-Group != "cn=routing_admins,ou=groups,dc=mydomain,dc=hu", Auth-Type := Reject
Sorry, this looked like a single line in my webmail. It should be: DEFAULT Ldap-Group != "cn=routing_admins,ou=groups,dc=mydomain,dc=hu", Auth-Type := Reject (all on the same line). Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Those are check items, so they should go on the first line. Ivan Kalik Kalik Informatika ISP Dana 28/10/2008, "Dajka Tamás" <tdajka@geomant.com> piše:
What's the difference (commas or new lines)?
BTW, it's working as it should. Thanks.
Tamas ________________________________________ Feladó: freeradius-users-bounces+tdajka=geomant.com@lists.freeradius.org [freeradius-users-bounces+tdajka=geomant.com@lists.freeradius.org], meghatalmazó: tnt@kalik.net [tnt@kalik.net] Küldve: 2008. október 28. 13:48 Címzett: FreeRadius users mailing list Tárgy: RE: Need help for configuration - LDAP with custom files Failover
DEFAULT Ldap-Group != "cn=routing_admins,ou=groups,dc=mydomain,dc=hu", Auth-Type := Reject
Sorry, this looked like a single line in my webmail. It should be:
DEFAULT Ldap-Group != "cn=routing_admins,ou=groups,dc=mydomain,dc=hu", Auth-Type := Reject
(all on the same line).
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Dajka Tamás -
tnt@kalik.net