Hello everyone, I'm using freeradius 2.0.4 with a ldap server as a backend for authentication of users to our wireless network. I've defined two ldap "servers" in the radiusd.conf file: ..... ldap ldap_uba { server = "ldap_server" basedn = "dc=uba,dc=ar" filter = "(&(description=wireless)(mail=%{Stripped-User-Name:-%{User-Name}}))" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no } ldap ldap_ccc { server = "ldap_server" basedn = "ou=CCC,dc=uba,dc=ar" filter = "(&(description=wireless)(mail=%{Stripped-User-Name:-%{User-Name}}))" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no } .............. I want to switch between them based on the NAS-IP-Address of the arriving request, so I've used unlang in the authorize section: authorize { unix mschap eap { ok = return } files switch "%{NAS-IP-Address}" { case 192.168.168.11 { ldap_ccc } case { ldap_uba } } expiration logintime auth_log pap } Well, my problem is that freeradius doesn't assign or expand the NAS-IP-Address attribute with the correct value of the NAS IP which is requesting for authentication, could anyone help me with this little issue? POST of the debug mode of freeradius: rad_recv: Access-Request packet from host 192.168.168.11 port 1041, id=6, length=279 Message-Authenticator = 0x341f20c2e434d8cbd92d85defa321b38 Service-Type = Framed-User User-Name = "diego@ccc.uba.ar\000" Framed-MTU = 1488 State = 0x12b38bc817b592297c4cea524b70e440 Called-Station-Id = "00-13-46-7A-DB-63:REDI-UBA VLAN12" Calling-Station-Id = "00-02-72-78-90-5B" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0206003b1900170301003091d34cda32a72417c4e5e093d71f2d82fc67e0f1f3dc1483aec15e433d54c5c950e88c2f64c3fd6d8ddf656af63496d1 NAS-IP-Address = 192.168.168.11 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: Looking up realm "ccc.uba.ar" for User-Name = "diego@ccc.uba.ar" rlm_realm: No such realm "ccc.uba.ar" ++[suffix] returns noop rlm_eap: EAP packet type response id 6 length 59 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - diego@ccc.uba.ar PEAP: Got tunneled EAP-Message EAP-Message = 0x0206001501646965676f406363632e7562612e6172 PEAP: Got tunneled identity of diego@ccc.uba.ar PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to diego@ccc.uba.ar PEAP: Sending tunneled request EAP-Message = 0x0206001501646965676f406363632e7562612e6172 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "diego@ccc.uba.ar" server inner-tunnel { +- entering group authorize ++[unix] returns notfound ++[mschap] returns noop rlm_eap: EAP packet type response id 6 length 21 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop expand: %{NAS-IP-Address} -> ++- entering switch %{NAS-IP-Address} +++- entering case rlm_ldap: - authorize rlm_ldap: performing user authorization for diego@ccc.uba.ar WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (&(description=wireless)(mail=%{Stripped-User-Name:-%{User-Name}})) -> (&(description=wireless)(mail=diego@ccc.uba.ar)) expand: dc=uba,dc=ar -> dc=uba,dc=ar rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap.ccc.uba.ar:389, authentication 0 rlm_ldap: bind as / to ldap.ccc.uba.ar:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=uba,dc=ar, with filter (&(description=wireless)(mail=diego@ccc.uba.ar)) rlm_ldap: No default NMAS login sequence rlm_ldap: looking for check items in directory... rlm_ldap: LDAP attribute userPassword as RADIUS attribute Cleartext-Password == "pepe1234" rlm_ldap: looking for reply items in directory... rlm_ldap: user diego@ccc.uba.ar authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++++[ldap_uba] returns ok +++- case returns ok ++- switch %{NAS-IP-Address} returns ok ++[expiration] returns noop ++[logintime] returns noop expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.168.11/auth-detail-20090528 rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.168.11/auth-detail-20090528 expand: %t -> Thu May 28 12:33:26 2009 ++[auth_log] returns ok rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel PEAP: Got tunneled reply RADIUS code 11 EAP-Message = 0x0107002a1a0107002510a707e4f41d139b10e7d9860e8e17a80e646965676f406363632e7562612e6172 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x48fe8ac948f9909b9915b8554a615778 PEAP: Processing from tunneled session code 0x8623f78 11 EAP-Message = 0x0107002a1a0107002510a707e4f41d139b10e7d9860e8e17a80e646965676f406363632e7562612e6172 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x48fe8ac948f9909b9915b8554a615778 PEAP: Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 6 to 192.168.168.11 port 1041 EAP-Message = 0x0107004b190017030100409a85d96e6b404149561fbe6dfb464b692f986263d5215ec98e2d84f3c1961a462dbd097150d5bba0e0f8b29fe80e038f691dee73f0352576d1cec4fe36d9a3eb Message-Authenticator = 0x00000000000000000000000000000000 State = 0x12b38bc814b492297c4cea524b70e440 Finished request 6. After making some test, debugging and drink lot of coffee I've solved the problem usign this fragment of code: switch "%{Client-IP-Address}" { case 192.168.168.11 { ldap_ccc } case { ldap_uba } } Freeradius does expand the Client-IP-Address attribute, however, I would like to know why it doesn't expand the NAS-IP-Adress attribute. Sorry for my english and lot of thanks......... -- Diego Martín Capello Administrador RedUBA Centro de Comunicación Científica Universidad de Buenos Aires
Diego Martín Capello wrote:
Hello everyone, I'm using freeradius 2.0.4 with a ldap server as a backend for authentication of users to our wireless network. I've defined two ldap "servers" in the radiusd.conf file: .. I want to switch between them based on the NAS-IP-Address of the arriving request, so I've used unlang in the authorize section:
... of the file raddb/sites-enabled/inner-tunnel.
POST of the debug mode of freeradius:
Which shows it's *not* copying the request to the tunnel. See eap.conf. ...
PEAP: Sending tunneled request EAP-Message = 0x0206001501646965676f406363632e7562612e6172 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "diego@ccc.uba.ar"
See? No NAS-IP-Address. Alan DeKok.
Alan DeKok escribió:
..
I want to switch between them based on the NAS-IP-Address of the arriving request, so I've used unlang in the authorize section:
... of the file raddb/sites-enabled/inner-tunnel.
Exactly, but the path is /etc/freeradius/sites-enabled/inner-tunnel, because i'm using Linux Debian 5.0 (Lenny).
POST of the debug mode of freeradius:
Which shows it's *not* copying the request to the tunnel. See eap.conf.
Yes, definitly it shows that, so, in order to fix that, i've added the following line to the sections ttls and peap in the file eap.conf: copy_request_to_tunnel = yes So, I provide support to EAP-TTLS and PEAP-MSCHAPv2 on the wireless network.
...
PEAP: Sending tunneled request EAP-Message = 0x0206001501646965676f406363632e7562612e6172 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "diego@ccc.uba.ar"
See? No NAS-IP-Address.
Yes, I see! And lot of thanks......
Alan DeKok.
-- Diego Martín Capello Administrador RedUBA Centro de Comunicación Científica Universidad de Buenos Aires
participants (2)
-
Alan DeKok -
Diego Martín Capello