Need some help with Access-Reject messages in upgrade from FreeRadius 1.1.0 to FreeRadius 2.0.5
Good morning, everybody. I am working on an upgrade for our FreeRadius servers, which are currently at 1.1.0. I have configured a test Radius server, which is running FreeRadius 2.0.5. These are both Solaris 10 systems running SPARC, and our backend is LDAP. With FreeRadius 1.1.0, when a user is rejected, the rejection message looks like this on the client side: rad_recv: Access-Reject packet from host x.x.x.x:1645, id=251, length=49 Reply-Message = "Please, call the help desk." No matter what the user, if the user has a static IP, or any other information in his user profile, etc, that's all it has - the reject message. With FreeRadius 2.0.5, when a user is rejected, the rejection message has more information in it: rad_recv: Access-Reject packet from host x.x.x.x:1645, id=74, length=32 Framed-IP-Netmask = 255.255.255.255 Framed-IP-Address = x.x.x.x Admittedly, the configuration file for the 2.0.5 server is a mixture of 1.1.0 config style, and 2.0.5 config style, leaning more towards the 1.1.0 style, so it could simply be a result of old style getting in the way of the new, but I have gone through both configs, and I can't find out where my access-reject message in my users file is being either a)overwritten, or b) ignored outright. I've gone through the docs, and the wiki, but haven't found out what I'm missing. I'm running RADIUS 2.0.5 in debug mode (-XXX), but haven't found anything pointing out what I'm doing wrong. I can comment out the entries in ldap.attrmap, but that also means they don't get sent when the authentication succeeds. Here's the last line of my users file, below all other local users, and default entries: DEFAULT Auth-Type := Reject Reply-Message = "Please, call the help desk." If anybody can help, I'd appreciate it. I'm going to keep looking, but I think I'm just running up against a wall. Adam
Good morning, everybody. I am working on an upgrade for our FreeRadius servers, which are currently at 1.1.0. I have configured a test Radius server, which is running FreeRadius 2.0.5. These are both Solaris 10 systems running SPARC, and our backend is LDAP.
With FreeRadius 1.1.0, when a user is rejected, the rejection message looks like this on the client side:
rad_recv: Access-Reject packet from host x.x.x.x:1645, id=251, length=49 Reply-Message = "Please, call the help desk."
No matter what the user, if the user has a static IP, or any other information in his user profile, etc, that's all it has - the reject message.
That's how things should be (so says RFC).
With FreeRadius 2.0.5, when a user is rejected, the rejection message has more information in it:
rad_recv: Access-Reject packet from host x.x.x.x:1645, id=74, length=32 Framed-IP-Netmask = 255.255.255.255 Framed-IP-Address = x.x.x.x
That's bad. You have done something to the filter in post auth type reject. Put that back the way it was.
Admittedly, the configuration file for the 2.0.5 server is a mixture of 1.1.0 config style, and 2.0.5 config style, leaning more towards the 1.1.0 style, so it could simply be a result of old style getting in the way of the new, but I have gone through both configs, and I can't find out where my access-reject message in my users file is being either a)overwritten, or b) ignored outright.
I've gone through the docs, and the wiki, but haven't found out what I'm missing. I'm running RADIUS 2.0.5 in debug mode (-XXX), but haven't found anything pointing out what I'm doing wrong. I can comment out the entries in ldap.attrmap, but that also means they don't get sent when the authentication succeeds.
Here's the last line of my users file, below all other local users, and default entries:
DEFAULT Auth-Type := Reject Reply-Message = "Please, call the help desk."
Post the debug. It's extremly likely that something before this entry matched but didn't have Fall-Through at the end. Ivan Kalik Kalik Informatika ISP
tnt@kalik.net wrote:
Admittedly, the configuration file for the 2.0.5 server is a mixture of 1.1.0 config style, and 2.0.5 config style, leaning more towards the 1.1.0 style, so it could simply be a result of old style getting in the way of the new, but I have gone through both configs, and I can't find out where my access-reject message in my users file is being either a)overwritten, or b) ignored outright.
I've gone through the docs, and the wiki, but haven't found out what I'm missing. I'm running RADIUS 2.0.5 in debug mode (-XXX), but haven't found anything pointing out what I'm doing wrong. I can comment out the entries in ldap.attrmap, but that also means they don't get sent when the authentication succeeds.
Here's the last line of my users file, below all other local users, and default entries:
DEFAULT Auth-Type := Reject Reply-Message = "Please, call the help desk."
Post the debug. It's extremly likely that something before this entry matched but didn't have Fall-Through at the end.
Ivan Kalik Kalik Informatika ISP
I decided it would be easier (in the long run) to simply start with a default freeRadius 2.0.5 config file, and then adjust it to match our setup. This has so far been going well, except now I've run into a problem where variables in my users file are not being expanded. Example from the user's file: DEFAULT Huntgroup-Name == dsl, serveriron-Ldap-Group == dsl10m, User-Profile := "uid=dsl10m,ou =profiles,ou=radius,dc=mtaonline,dc=net", Ldap-UserDN := `uid=%{User-Name},ou=dsl,dc=domain ,dc=com` Fall-Through = no I have an ldap server named "serveriron"; if I remove the "serveriron-" from the Ldap-Group, my profiles aren't processed at all. With the serveriron-Ldap-Group, it will search through the profiles, find the right profile, and then attempt to authenticate the user. This is what debug shows: Thu Oct 23 17:55:50 2008 : Debug: rlm_ldap: login attempt by "testuser" with password "thisisnotapass" Thu Oct 23 17:55:50 2008 : Debug: rlm_ldap: user DN: uid=%{User-Name},ou=dsl,dc=domain,dc=com Thu Oct 23 17:55:50 2008 : Debug: rlm_ldap: (re)connect to x.x.x.x:389, authentication 1 Thu Oct 23 17:55:50 2008 : Debug: rlm_ldap: bind as uid=%{User-Name},ou=dsl,dc=mtaonline,dc=net/thisisnotapass to x.x.x.x:389 So, it's not actually turning the %{User-Name} into "testuser" - it's trying to authenticate with a uid of "%{User-Name}", which isn't right. I've read through the docs online, and using either backticks or double-quotes is supposed to turn the variable name into the value of the variable. It is worth noting that if I take the line in the users file for that profile and replace %{User-Name} with testuser, the user can authenticate fine, so the users file isn't being processed, having the variables replaced with the values... If I solve that, things will likely start working completely. I do have another question, though: If I have multiple LDAP servers, do I need multiple DEFAULTs in the users file, one for each LDAP server, for Ldap-Group? I'm unclear on that. I haven't tested a failure of the serveriron ldap server, so I don't know if that fails, if the next server down the line will have no Ldap-Group defined for it, and be unable to locate the profile. Adam
Adam Bultman wrote:
I decided it would be easier (in the long run) to simply start with a default freeRadius 2.0.5 config file, and then adjust it to match our setup. This has so far been going well, except now I've run into a problem where variables in my users file are not being expanded.
I suggest using 2.1.1, or the "stable" tree. See git.freeradius.org.
Example from the user's file: DEFAULT Huntgroup-Name == dsl, serveriron-Ldap-Group == dsl10m, User-Profile := "uid=dsl10m,ou =profiles,ou=radius,dc=mtaonline,dc=net", Ldap-UserDN := `uid=%{User-Name},ou=dsl,dc=domain ,dc=com` Fall-Through = no
This won't work because the "users" file doesn't dynamically expand everything. I suggest using "unlang": if ((Huntgroup-Nmae == "dsl") && (serveridon... == ...)) { update control { User-Profile := "uid=..." LDAP-UserDN := "uid=%{User-Name},ou=..." } } That will cause the %{User-Name} to be expanded properly. Alan DeKok.
Alan DeKok wrote:
Adam Bultman wrote:
I decided it would be easier (in the long run) to simply start with a default freeRadius 2.0.5 config file, and then adjust it to match our setup. This has so far been going well, except now I've run into a problem where variables in my users file are not being expanded.
I suggest using 2.1.1, or the "stable" tree. See git.freeradius.org.
Done; I've compiled and installed 2.1.1 on my test server.
Example from the user's file: DEFAULT Huntgroup-Name == dsl, serveriron-Ldap-Group == dsl10m, User-Profile := "uid=dsl10m,ou =profiles,ou=radius,dc=mtaonline,dc=net", Ldap-UserDN := `uid=%{User-Name},ou=dsl,dc=domain ,dc=com` Fall-Through = no
This won't work because the "users" file doesn't dynamically expand everything. I suggest using "unlang":
if ((Huntgroup-Nmae == "dsl") && (serveridon... == ...)) { update control { User-Profile := "uid=..." LDAP-UserDN := "uid=%{User-Name},ou=..." } }
That will cause the %{User-Name} to be expanded properly.
OK; so a few things: 1. I've put my if (..) stuff inside my sites-enabled/ conf file, and groups are working again (yeah!). My users file is a lot more skeletal now. 2. I've read the docs on this now (what precious little there is) about the Ldap-Group stuff in the users file, and I'm still not completely understanding it. If I have three LDAP servers, ldap1, ldap2, and ldap3, and I have in my users file this: DEFAULT Huntgroup-Name == dsl, Ldap-Group == dsl10m Then when I try to authenticate, the server can't find my profile (despite having the Huntgroup stuff in my config, as mentioned in #1). It searches for group membership, but it's using some default template (which is NOT in modules/ldap - it's nowhere!) and doesn't find a proper group membership filter, and fails. If I put this: DEFAULT Huntgroup-Name == dsl, ldap1-Ldap-Group == dsl10m Then it *does* use the group membership stuff in the ldap stanza for ldap1 (which I've placed in modules/ldap_cluster) . Of course, if I say, bring down the server for ldap1, all authentication breaks. The same thing applies if I do ldap2-Ldap-Group or ldap3-Ldap-Group. SO the question: Is there a way to make a default group membership filter without having to create DEFAULT lines in the users file for each of my ldap servers? in radiusd.conf, I have redundant-load-balance {} stanzas for my ldap servers, but I can't use the ldap "cluster" I create in there in my users file. Adam
So, there's been no response to my last post. Am I being obtuse , or missing something obvious? If there's no way to avoid listing all four ldap servers, I'm going to have to have probably 25 huge IF statements in order to get the profile set correctly in my radius config. I've already re-done my users file to list all four servers, and it's a bit laborious to do, and it seems like there'd be a better way. Adam Adam Bultman wrote:
Alan DeKok wrote:
Adam Bultman wrote:
I decided it would be easier (in the long run) to simply start with a default freeRadius 2.0.5 config file, and then adjust it to match our setup. This has so far been going well, except now I've run into a problem where variables in my users file are not being expanded.
I suggest using 2.1.1, or the "stable" tree. See git.freeradius.org.
Done; I've compiled and installed 2.1.1 on my test server.
Example from the user's file: DEFAULT Huntgroup-Name == dsl, serveriron-Ldap-Group == dsl10m, User-Profile := "uid=dsl10m,ou =profiles,ou=radius,dc=mtaonline,dc=net", Ldap-UserDN := `uid=%{User-Name},ou=dsl,dc=domain ,dc=com` Fall-Through = no
This won't work because the "users" file doesn't dynamically expand everything. I suggest using "unlang":
if ((Huntgroup-Nmae == "dsl") && (serveridon... == ...)) { update control { User-Profile := "uid=..." LDAP-UserDN := "uid=%{User-Name},ou=..." } }
That will cause the %{User-Name} to be expanded properly.
OK; so a few things:
1. I've put my if (..) stuff inside my sites-enabled/ conf file, and groups are working again (yeah!). My users file is a lot more skeletal now.
2. I've read the docs on this now (what precious little there is) about the Ldap-Group stuff in the users file, and I'm still not completely understanding it. If I have three LDAP servers, ldap1, ldap2, and ldap3, and I have in my users file this:
DEFAULT Huntgroup-Name == dsl, Ldap-Group == dsl10m
Then when I try to authenticate, the server can't find my profile (despite having the Huntgroup stuff in my config, as mentioned in #1). It searches for group membership, but it's using some default template (which is NOT in modules/ldap - it's nowhere!) and doesn't find a proper group membership filter, and fails. If I put this:
DEFAULT Huntgroup-Name == dsl, ldap1-Ldap-Group == dsl10m
Then it *does* use the group membership stuff in the ldap stanza for ldap1 (which I've placed in modules/ldap_cluster) . Of course, if I say, bring down the server for ldap1, all authentication breaks. The same thing applies if I do ldap2-Ldap-Group or ldap3-Ldap-Group.
SO the question: Is there a way to make a default group membership filter without having to create DEFAULT lines in the users file for each of my ldap servers? in radiusd.conf, I have redundant-load-balance {} stanzas for my ldap servers, but I can't use the ldap "cluster" I create in there in my users file.
Adam
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
If there's no way to avoid listing all four ldap servers,
There is no way of check something without checking it.
I'm going to have to have probably 25 huge IF statements in order to get the profile set correctly in my radius config.
Perhaps organize users better not to have so many different profiles.
I've already re-done my users file to list all four servers, and it's a bit laborious to do, and it seems like there'd be a better way.
If checking statements for ldap groups are identical and only thing that changes is server number (1, 2, 3, 4) you can create a for loop in perl and check all four servers with one set of statements. Ivan Kalik Kalik Informatika ISP
participants (3)
-
Adam Bultman -
Alan DeKok -
tnt@kalik.net