Ldap Authentication question
Hi, I've a freeradius-server-2.1.9-1.7.x86_64 running in opensuse 11.3. My authentication frontend is an openldap2-2.4.21-9.1.x86_64. I have correct mac address authentication, but *ONLY* the first try, the later always fail. I'm using 3 devices, the first one that connects logs in fine, but the others fail. Has any one a clue of what I did wrong? I've multiple rules in users file, all of them with Auth-Type = <ldap instace name>, one "rule/ldap instance" per vlan. With radius -X I see a correct first authentication, but the others fail. Kind regards.
Ramon Escriba <escriba@cells.es> wrote:
Has any one a clue of what I did wrong?
<attempts to read Ramon's mind> <attempts to use remote viewing to see output of debugging> Actually, forget it... http://wiki.freeradius.org/index.php/FAQ#It_still_doesn.27t_work.21 Regards -- Alexander Clouter .sigmonster says: Conscience is what hurts when everything else feels so good.
Thank you very much for the sarcastical reply, it was really usefull & instructive indeed. It was just a conceptual question, but seems it was not clear enought, my fault. Let's specify a bit more, should the next users file work or it's flawed by design: Note: 0.- In ldap, I've uid=<mac address>,ou=VLAN-Xn,ou=Radius,dc=machine,dc=com 1.- first I'm tring to check if the client mac address exists in ldap subtree. 2.- second ldap "authentication", match user<mac>+pass<mac>, in our case ¿Is macX == macX? via ldap. DEFAULT Calling-Station-Id == "%{VLAN-X1:ldap:///ou=VLAN-X1,ou=Radius,dc=machine,dc=com?uid?one?uid=%i}", Auth-Type = VLAN-X ##------------------------------------------------------------# Extreme-Netlogin-Only = Enabled, Extreme-CLI-Authorization = Disabled, Extreme-Netlogin-Vlan = "VLAN-X", Termination-Action = 1, Session-Timeout =3600, Fall-Through = no DEFAULT Calling-Station-Id == "%{VLAN-X2:ldap:///ou=VLAN-X2,ou=Radius,dc=machine,dc=com?uid?one?uid=%i}", Auth-Type = VLAN-2 ##------------------------------------------------------------# Extreme-Netlogin-Only = Enabled, Extreme-CLI-Authorization = Disabled, Extreme-Netlogin-Vlan = "VLAN-X", Termination-Action = 1, Session-Timeout =3600, Fall-Through = no (....) DEFAULT Calling-Station-Id == "%{VLAN-Xn:ldap:///ou=VLAN-Xn,ou=Radius,dc=machine,dc=com?uid?one?uid=%i}", Auth-Type = VLAN-n ##------------------------------------------------------------# Extreme-Netlogin-Only = Enabled, Extreme-CLI-Authorization = Disabled, Extreme-Netlogin-Vlan = "VLAN-n", Termination-Action = 1, Session-Timeout =3600, Fall-Through = no It's normal that the first authentication goes though them & send the access-accept to the switch, so radius it's ok & the switch opens the port as spected, but later all or near all authentication are refused? Radius.log (...) Wed Mar 30 17:15:17 2011 : Auth: Login OK: [008098A6B5A2](from client OFF-network port 0 cli 008098A6B5A2) Wed Mar 30 17:15:17 2011 : Auth: Login OK: [0019B43718D3] (from client OFF-network port 0 cli 0019B43718D3) Wed Mar 30 17:15:17 2011 : Auth: Login incorrect: [002437A858DB] (from client OFF-network port 0 cli 002437A858DB) Wed Mar 30 17:21:17 2011 : Auth: Login incorrect: [002437A858DB] (from client OFF-network port 0 cli 002437A858DB) Wed Mar 30 17:22:38 2011 : Info: Exiting normally. Wed Mar 30 17:22:39 2011 : Info: Loaded virtual server inner-tunnel Wed Mar 30 17:22:39 2011 : Info: Loaded virtual server <default> Wed Mar 30 17:22:39 2011 : Info: Ready to process requests. <just a daemon restart + switch ports restart> Wed Mar 30 17:22:53 2011 : Auth: Login OK: [sadm] (from client OFF-network port 0) Wed Mar 30 17:23:10 2011 : Auth: Login OK: [sadm] (from client OFF-network port 0) Wed Mar 30 17:23:11 2011 : Auth: Login OK: [002437A858DB] (from client OFF-Staff-extreme-network port 0 cli 002437A858DB) Wed Mar 30 17:23:16 2011 : Auth: Login incorrect: [0019B43718D3] (from client OFF-network port 0 cli 0019B43718D3) Wed Mar 30 17:23:38 2011 : Auth: Login incorrect: [008098A6B5A2] (from client OFF-network port 0 cli 008098A6B5A2) Wed Mar 30 17:29:17 2011 : Auth: Login incorrect: [0019B43718D3] (from client OFF-network port 0 cli 0019B43718D3) Wed Mar 30 17:29:29 2011 : Auth: Login incorrect: [008098A6B5A2] (from client OFF-network port 0 cli 008098A6B5A2) Wed Mar 30 17:31:56 2011 : Info: Exiting normally. Kind regards. -----Original Message----- From: freeradius-users-bounces+escriba=cells.es@lists.freeradius.org [mailto:freeradius-users-bounces+escriba=cells.es@lists.freeradius.org] On Behalf Of Alexander Clouter Sent: miércoles, 30 de marzo de 2011 17:49 To: freeradius-users@lists.freeradius.org Subject: Re: Ldap Authentication question Ramon Escriba <escriba@cells.es> wrote:
Has any one a clue of what I did wrong?
<attempts to read Ramon's mind> <attempts to use remote viewing to see output of debugging> Actually, forget it... http://wiki.freeradius.org/index.php/FAQ#It_still_doesn.27t_work.21 Regards -- Alexander Clouter .sigmonster says: Conscience is what hurts when everything else feels so good. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ramon Escriba wrote:
Thank you very much for the sarcastical reply, it was really usefull & instructive indeed.
It got you to follow the instructions in the documentation. Why didn't you follow them for your first message? Or for this one?
It's normal that the first authentication goes though them & send the access-accept to the switch, so radius it's ok & the switch opens the port as spected, but later all or near all authentication are refused?
Because something changes.
Radius.log
And again, you've refused to follow the instructions in the documentation. Why? Post the debug log as suggested in the FAQ, README, INSTALL, "man" page, web pages, Wiki, and daily on this list. It's not hard. The "sarcastic" reply you got is simply a response to the tone of your first message. It read like this: "Hi, I have stuff going wrong, but I haven't bothered to read the existing documentation, or to follow it's instructions. Tell me how to fix it!" The response: "GO READ THE DOCUMENTATION AND FOLLOW THE INSTRUCTIONS." Alan DeKok.
Alan, please do not get angry ok?, The line in my answer about the "sarcastical reply" was for Alexander, not for you. Note: WIFIDATA & WIFIVOIP do 802.1x EAP+mschapv2 ok. Here're the logs: First authentication -------------------------- (...) Listening on authentication interface eth0 address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.0.0.1port 32770, id=29, length=95 User-Name = "0019B976CC36" User-Password = "0019B976CC36" NAS-IP-Address = 10.0.0.1 Service-Type = Login-User Calling-Station-Id = "00-19-B9-76-CC-36" NAS-Port-Id = "2:18" NAS-Port-Type = Ethernet +- entering group authorize {...} [preprocess] expand: %{NAS-Port-Id} -> 2:18 ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.0.0.1/auth-detail-20110331 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.0.0.1/auth-detail-20110331 [auth_log] expand: %t -> Thu Mar 31 11:31:09 2011 ++[auth_log] returns ok ++- entering policy rewrite_calling_station_id {...} +++? if (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0 -9a-f]{2})[-:]?([0-9a-f]{2})/i) ? Evaluating (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0 -9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE +++? if (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0 -9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE +++- entering if (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0 -9a-f]{2})[-:]?([0-9a-f]{2})/i) {...} expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 0019B976CC36 ++++[request] returns ok +++- if (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0 -9a-f]{2})[-:]?([0-9a-f]{2})/i) returns ok +++ ... skipping else for request 0: Preceding "if" was taken ++- policy rewrite_calling_station_id returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "0019B976CC36", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "0019B976CC36", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [VOIP] - ldap_xlat [files] expand: ldap:///ou=VOIP,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=%i -> ldap:///ou=VOIP,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=0019B976CC3 6 [VOIP] ldap_get_conn: Checking Id: 0 [VOIP] ldap_get_conn: Got Id: 0 [VOIP] attempting LDAP reconnection [VOIP] (re)connect to 127.0.0.1:389, authentication 0 [VOIP] bind as cn=Manager,dc=machine,dc=com/mypassword to 127.0.0.1:389 [VOIP] waiting for bind result ... [VOIP] Bind was successful [VOIP] performing search in ou=VOIP,ou=VLANS,ou=Radius,dc=machine,dc=com, with filter uid=0019B976CC36 [VOIP] object not found [VOIP] Search returned not found [VOIP] ldap_release_conn: Release Id: 0 [files] expand: %{VOIP:ldap:///ou=VOIP,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=%i} -> [WIFIVOIP] - ldap_xlat [files] expand: ldap:///ou=WifiVoip,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=%i -> ldap:///ou=WifiVoip,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=0019B97 6CC36 [WIFIVOIP] ldap_get_conn: Checking Id: 0 [WIFIVOIP] ldap_get_conn: Got Id: 0 [WIFIVOIP] attempting LDAP reconnection [WIFIVOIP] (re)connect to 127.0.0.1:389, authentication 0 [WIFIVOIP] bind as cn=Manager,dc=machine,dc=com/mypassword to 127.0.0.1:389 [WIFIVOIP] waiting for bind result ... [WIFIVOIP] Bind was successful [WIFIVOIP] performing search in ou=WifiVoip,ou=VLANS,ou=Radius,dc=machine,dc=com, with filter uid=0019B976CC36 [WIFIVOIP] object not found [WIFIVOIP] Search returned not found [WIFIVOIP] ldap_release_conn: Release Id: 0 [files] expand: %{WIFIVOIP:ldap:///ou=WifiVoip,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one? uid=%i} -> [WIFIDATA] - ldap_xlat [files] expand: ldap:///ou=WifiData,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=%i -> ldap:///ou=WifiData,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=0019B97 6CC36 [WIFIDATA] ldap_get_conn: Checking Id: 0 [WIFIDATA] ldap_get_conn: Got Id: 0 [WIFIDATA] attempting LDAP reconnection [WIFIDATA] (re)connect to 127.0.0.1:389, authentication 0 [WIFIDATA] bind as cn=Manager,dc=machine,dc=com/mypassword to 127.0.0.1:389 [WIFIDATA] waiting for bind result ... [WIFIDATA] Bind was successful [WIFIDATA] performing search in ou=WifiData,ou=VLANS,ou=Radius,dc=machine,dc=com, with filter uid=0019B976CC36 [WIFIDATA] object not found [WIFIDATA] Search returned not found [WIFIDATA] ldap_release_conn: Release Id: 0 [files] expand: %{WIFIDATA:ldap:///ou=WifiData,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one? uid=%i} -> [STAFF] - ldap_xlat [files] expand: ldap:///ou=Staff,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=%i -> ldap:///ou=Staff,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=0019B976CC 36 [STAFF] ldap_get_conn: Checking Id: 0 [STAFF] ldap_get_conn: Got Id: 0 [STAFF] attempting LDAP reconnection [STAFF] (re)connect to 127.0.0.1:389, authentication 0 [STAFF] bind as cn=Manager,dc=machine,dc=com/mypassword to 127.0.0.1:389 [STAFF] waiting for bind result ... [STAFF] Bind was successful [STAFF] performing search in ou=Staff,ou=VLANS,ou=Radius,dc=machine,dc=com, with filter uid=0019B976CC36 [STAFF] Adding attribute uid, value: 0019B976CC36 [STAFF] ldap_release_conn: Release Id: 0 [STAFF] - ldap_xlat end [files] expand: %{STAFF:ldap:///ou=Staff,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=%i } -> 0019B976CC36 [files] users: Matched entry DEFAULT at line 219 ++[files] returns ok Found Auth-Type = STAFF +- entering group STAFF {...} [STAFF] login attempt by "0019B976CC36" with password "0019B976CC36" [STAFF] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [STAFF] ... expanding second conditional [STAFF] expand: %{User-Name} -> 0019B976CC36 [STAFF] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=0019B976CC36) [STAFF] expand: ou=Staff,ou=VLANS,ou=Radius,dc=machine,dc=com -> ou=Staff,ou=VLANS,ou=Radius,dc=machine,dc=com [STAFF] ldap_get_conn: Checking Id: 0 [STAFF] ldap_get_conn: Got Id: 0 [STAFF] performing search in ou=Staff,ou=VLANS,ou=Radius,dc=machine,dc=com, with filter (uid=0019B976CC36) [STAFF] ldap_release_conn: Release Id: 0 [STAFF] user DN: uid=0019B976CC36,ou=Staff,ou=VLANS,ou=Radius,dc=machine,dc=com [STAFF] (re)connect to 127.0.0.1:389, authentication 1 [STAFF] bind as uid=0019B976CC36,ou=Staff,ou=VLANS,ou=Radius,dc=machine,dc=com/0019B976CC36 to 127.0.0.1:389 [STAFF] waiting for bind result ... [STAFF] Bind was successful [STAFF] user 0019B976CC36 authenticated succesfully ++[STAFF] returns ok Login OK: [0019B976CC36] (from client OFF-Staff-extreme-network port 0 cli 0019B976CC36) +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 29 to 10.0.0.1port 32770 Extreme-Netlogin-Only = Enabled Extreme-CLI-Authorization = Disabled Extreme-Netlogin-Vlan = "Staff" Reply-Message = "OK: STAFF user+device (%u %i) accepted." Termination-Action = RADIUS-Request Session-Timeout = 3600 Finished request 0. Going to the next request Waking up in 9.9 seconds. rad_recv: Accounting-Request packet from host 10.0.0.1port 32771, id=11, length=114 Acct-Status-Type = Start User-Name = "0019B976CC36" NAS-IP-Address = 10.0.0.1 Acct-Session-Id = "Thu Mar 31, 2011 10:27:11" Service-Type = Login-User NAS-Port = 2018 NAS-Port-Type = Ethernet Tunnel-Private-Group-Id:0 = "4000" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Acct-Delay-Time = 0 +- entering group preacct {...} ++[preprocess] returns ok [acct_unique] Hashing 'NAS-Port = 2018,Client-IP-Address = 10.0.0.1,NAS-IP-Address = 10.0.0.1,Acct-Session-Id = "Thu Mar 31, 2011 10:27:11",User-Name = "0019B976CC36"' [acct_unique] Acct-Unique-Session-ID = "1018b7c0059e059b". ++[acct_unique] returns ok [suffix] No '@' in User-Name = "0019B976CC36", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "0019B976CC36", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop ++[files] returns noop +- entering group accounting {...} [detail] expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/10.0.0.1/detail-20110331 [detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/10.0.0.1/detail-20110331 [detail] expand: %t -> Thu Mar 31 11:31:09 2011 ++[detail] returns ok [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp [radutmp] expand: %{User-Name} -> 0019B976CC36 ++[radutmp] returns ok [attr_filter.accounting_response] expand: %{User-Name} -> 0019B976CC36 attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 11 to 10.0.0.1port 32771 Finished request 1. Cleaning up request 1 ID 11 with timestamp +5 Going to the next request Waking up in 9.9 seconds. Cleaning up request 0 ID 29 with timestamp +5 Ready to process requests. ----------------SECOND AUTHENTICATION ------------------ rad_recv: Access-Request packet from host 10.0.0.1port 32770, id=30, length=95 User-Name = "0026B9692F6F" User-Password = "0026B9692F6F" NAS-IP-Address = 10.0.0.1 Service-Type = Login-User Calling-Station-Id = "00-26-B9-69-2F-6F" NAS-Port-Id = "2:35" NAS-Port-Type = Ethernet +- entering group authorize {...} [preprocess] expand: %{NAS-Port-Id} -> 2:35 ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.0.0.1/auth-detail-20110331 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.0.0.1/auth-detail-20110331 [auth_log] expand: %t -> Thu Mar 31 11:32:15 2011 ++[auth_log] returns ok ++- entering policy rewrite_calling_station_id {...} +++? if (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0 -9a-f]{2})[-:]?([0-9a-f]{2})/i) ? Evaluating (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0 -9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE +++? if (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0 -9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE +++- entering if (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0 -9a-f]{2})[-:]?([0-9a-f]{2})/i) {...} expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 0026B9692F6F ++++[request] returns ok +++- if (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0 -9a-f]{2})[-:]?([0-9a-f]{2})/i) returns ok +++ ... skipping else for request 2: Preceding "if" was taken ++- policy rewrite_calling_station_id returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "0026B9692F6F", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "0026B9692F6F", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [STAFF2] - ldap_xlat [files] expand: ldap:///ou=Staff2,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=%i -> ldap:///ou=Staff2,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=0026B9692 F6F [STAFF2] ldap_get_conn: Checking Id: 0 [STAFF2] ldap_get_conn: Got Id: 0 [STAFF2] attempting LDAP reconnection [STAFF2] (re)connect to 127.0.0.1:389, authentication 0 [STAFF2] bind as cn=Manager,dc=machine,dc=com/mypassword to 127.0.0.1:389 [STAFF2] waiting for bind result ... [STAFF2] Bind was successful [STAFF2] performing search in ou=Staff2,ou=VLANS,ou=Radius,dc=machine,dc=com, with filter uid=0026B9692F6F [STAFF2] object not found [STAFF2] Search returned not found [STAFF2] ldap_release_conn: Release Id: 0 [files] expand: %{STAFF2:ldap:///ou=Staff2,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid= %i} -> [files] users: Matched entry DEFAULT at line 261 ++[files] returns ok Found Auth-Type = Reject Auth-Type = Reject, rejecting user Failed to authenticate the user. Login incorrect: [0026B9692F6F] (from client OFF-Staff-extreme-network port 0 cli 0026B9692F6F) Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> 0026B9692F6F attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 2 for 2 seconds Going to the next request Waking up in 0.9 seconds. Waking up in 0.9 seconds. Sending delayed reject for request 2 Sending Access-Reject of id 30 to 10.0.0.1port 32770 Reply-Message = "FAIL: REJECTED. Please call the helpdesk." Waking up in 9.9 seconds.
Ramon Escriba wrote:
Alan, please do not get angry ok?, The line in my answer about the "sarcastical reply" was for Alexander, not for you.
His answer is largely what mine would have been.
Here're the logs:
First authentication ... rad_recv: Access-Request packet from host 10.0.0.1port 32770, id=29, length=95 User-Name = "0019B976CC36" User-Password = "0019B976CC36" ... ----------------SECOND AUTHENTICATION ------------------ ... rad_recv: Access-Request packet from host 10.0.0.1port 32770, id=30, length=95 User-Name = "0026B9692F6F" User-Password = "0026B9692F6F"
The requests are different. That's why they're being treated differently.
[files] expand: %{STAFF2:ldap:///ou=Staff2,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid= %i} ->
That would seem to be useful to look at. Compare that to the similar line from the previous authentication. i.e. the debug output looks scary, but it's not. Treat it as a sequence of nonsense lines. Compare the two results line by line. The differences are why one succeeds, and the other fails. Alan DeKok.
Here're the logs:
First authentication ... rad_recv: Access-Request packet from host 10.0.0.1port 32770, id=29, length=95 User-Name = "0019B976CC36" User-Password = "0019B976CC36" ... ----------------SECOND AUTHENTICATION ------------------ ... rad_recv: Access-Request packet from host 10.0.0.1port 32770, id=30, length=95 User-Name = "0026B9692F6F" User-Password = "0026B9692F6F"
The requests are different. That's why they're being treated differently.
Yes, they are different machines connected to different ports, but both macs are stored in the same ldap subtree.
[files] expand: %{STAFF2:ldap:///ou=Staff2,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?on e?uid= %i} ->
That would seem to be useful to look at.
This subtree it's empty, there is not a single uid=<mac> inside. I commented STAFF2 lines in users file, but now it gets stacked @ the last catch all reject. ++[mschap] returns noop [suffix] No '@' in User-Name = "0026B9692F6F", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "0026B9692F6F", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry DEFAULT at line 261 ++[files] returns ok Found Auth-Type = Reject Auth-Type = Reject, rejecting user Failed to authenticate the user. Login incorrect: [0026B9692F6F] (from client OFF-Staff-extreme-network port 0 cli 0026B9692F6F) Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> 0026B9692F6F
Compare that to the similar line from the previous authentication.
They are near the same until eaps return noop, mac differences of course: (... Auth 1 ...) ++- policy rewrite_calling_station_id returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "0019B976CC36", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "0019B976CC36", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [VOIP] - ldap_xlat [files] expand: ldap:///ou=VOIP,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=%i -> ldap:///ou=VOIP,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=0019B976CC3 6 [VOIP] ldap_get_conn: Checking Id: 0 (...) (.... Auth 2 ...) ++- policy rewrite_calling_station_id returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "0026B9692F6F", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "0026B9692F6F", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [STAFF2] - ldap_xlat [files] expand: ldap:///ou=Staff2,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=%i -> ldap:///ou=Staff2,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=0026B9692 F6F [STAFF2] ldap_get_conn: Checking Id: 0 (...) i.e. the debug output looks scary, but it's not. Treat it as a sequence of nonsense lines. Compare the two results line by line. The differences are why one succeeds, and the other fails. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ramon Escriba wrote:
Hi, I've multiple rules in users file, all of them with Auth-Type = <ldap instace name>, one "rule/ldap instance" per vlan.
With radius -X I see a correct first authentication, but the others fail.
Is the debug log a secret? Or, will you post it as suggested in the FAQ, README, INSTALL, "man" page, and daily on this list? Alan DeKok.
participants (3)
-
Alan DeKok -
Alexander Clouter -
Ramon Escriba