Hello: I am trying to get an HP Procurve 2650 Ethernet switch to use Freeradius 1.0.5 for 802.1x auth. The backend is Sun's directory server with all the necessary SambaNTPassword attributes, etc. to make Samba work. The client is a WinXP system. I am using the builtin supplicant. I can get it to work with the "Automatically use my Windows login..." box _unchecked_, but not with it checked. I would like to use the checked mode as then the user does not need to "click here to select a certificate or credentials for connection to the network". When the box is not checked, I get to type any value I want for the user ID and password. I can then get authenticated and the switch connects me to the proper VLAN. When the box is checked, I cannot get authenticated and the switch puts me on the "guest" VLAN. I should be able to authenticate, but the ID comes across as something like "MALACHITE\gaa". The first part is the netbios hostname and the second is the real ID. I have setup the hints, users and radiusd.conf files with: ---------------------------------------------------------------------------------------------- hints: ... DEFAULT NAS-IP-Address == 172.25.16.9, User-Name =~ "^(.*)\\\\(.*)" Hint = "8021XUSER", Stripped-User-Name = `${2}` ... users: ... DEFAULT Hint == "8021XUSER" Fall-Through = 1 ... radiusd.conf: ... ldap { server = "ldap.ulticom.com" basedn = "dc=ulticom,dc=com" filter = "(&(objectclass=person)(uid=%{Stripped-User-Name:-%{User-Name}}))" do_xlat = yes base_filter = "(objectclass=*)" start_tls = no access_attr = "uid" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 } ... ---------------------------------------------------------------------------------------------- The problem seems to be that the hostname is not always stripped. If I compare the output of "radiusd -X" between the two scenarios I see that the "unchecked" configuration does a lot of ldap lookups like: ---------------------------------------------------------------------------------------------- rad_recv: Access-Request packet from host 172.25.16.9:1025, id=208, length=193 Framed-MTU = 1480 NAS-IP-Address = 172.25.16.9 NAS-Identifier = "hp-50-9" User-Name = "gaa" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 1 NAS-Port-Type = Ethernet NAS-Port-Id = "1" Called-Station-Id = "00-11-85-40-71-ff" Calling-Station-Id = "00-14-22-dc-9b-16" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "50" EAP-Message = 0x0201000801676161 Message-Authenticator = 0x29393306cb95a1c78586d546cf5eb462 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for gaa radius_xlat: '(&(objectclass=person)(uid=gaa))' radius_xlat: 'dc=ulticom,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap.ulticom.com:389, authentication 0 rlm_ldap: bind as / to ldap.ulticom.com:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=ulticom,dc=com, with filter (&(objectclass=person)(uid=gaa)) rlm_ldap: checking if remote access for gaa is allowed by uid rlm_ldap: looking for check items in directory... rlm_ldap: Adding sambaAcctFlags as SMB-Account-CTRL-TEXT, value [U & op=21 rlm_ldap: Adding sambaNTPassword as NT-Password, value ABABABABABABABABABABABABABABABAB & op=21 rlm_ldap: Adding sambaLMPassword as LM-Password, value CDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCD & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user gaa authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 rlm_eap: EAP packet type response id 1 length 8 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 153 users: Matched entry DEFAULT at line 176 users: Matched entry DEFAULT at line 188 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type md5 rlm_eap_md5: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 ---------------------------------------------------------------------------------------------- Eventually somebody is happy with this sequence and I am "in". With the "checked" configuration all the early lookups work, but the last lookup fails: ---------------------------------------------------------------------------------------------- rad_recv: Access-Request packet from host 172.25.16.9:1025, id=222, length=254 Framed-MTU = 1480 NAS-IP-Address = 172.25.16.9 NAS-Identifier = "hp-50-9" User-Name = "MALACHITE\\gaa" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 1 NAS-Port-Type = Ethernet NAS-Port-Id = "1" Called-Station-Id = "00-11-85-40-71-ff" Calling-Station-Id = "00-14-22-dc-9b-16" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "50" State = 0xe5aab6b483e09694dcbd98eb81ac64bf EAP-Message = 0x020600291900170301001ef47b2a4c59a72fa63123f178383e6518a535662859ed121d2819831f649f Message-Authenticator = 0x9b8b7d5de51ffffde87cfabe52688fbc Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 hints: Matched DEFAULT at 36 radius_xlat: 'gaa' modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "chap" returns noop for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_ldap: - authorize rlm_ldap: performing user authorization for MALACHITE\gaa radius_xlat: '(&(objectclass=person)(uid=gaa))' radius_xlat: 'dc=ulticom,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=ulticom,dc=com, with filter (&(objectclass=person)(uid=gaa)) rlm_ldap: checking if remote access for MALACHITE\gaa is allowed by uid rlm_ldap: looking for check items in directory... rlm_ldap: Adding sambaAcctFlags as SMB-Account-CTRL-TEXT, value [U & op=21 rlm_ldap: Adding sambaNTPassword as NT-Password, value EFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEF & op=21 rlm_ldap: Adding sambaLMPassword as LM-Password, value ABABABABABABABABABABABABABABABAB & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user MALACHITE\gaa authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 5 rlm_eap: EAP packet type response id 6 length 41 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 users: Matched entry DEFAULT at line 153 users: Matched entry DEFAULT at line 157 users: Matched entry DEFAULT at line 176 users: Matched entry DEFAULT at line 188 modcall[authorize]: module "files" returns ok for request 5 modcall: group authorize returns updated for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - MALACHITE\gaa rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x02060012014d414c4143484954455c676161 PEAP: Got tunneled identity of MALACHITE\gaa PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to MALACHITE\gaa PEAP: Sending tunneled request EAP-Message = 0x02060012014d414c4143484954455c676161 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "MALACHITE\\gaa" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "chap" returns noop for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_ldap: - authorize rlm_ldap: performing user authorization for MALACHITE\gaa radius_xlat: '(&(objectclass=person)(uid=MALACHITE))' radius_xlat: 'dc=ulticom,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=ulticom,dc=com, with filter (&(objectclass=person)(uid=MALACHITE)) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns notfound for request 5 modcall: group authorize returns notfound for request 5 ---------------------------------------------------------------------------------------------- So, why don't my regular expressions apply during the group authorize? How can I fix the group authorize? Perhaps I don't need it. Some day I may use it for controlling VLAN assignment, but for now I would be happy to just differentiate between "auth" and "not auth". -- Gary Algier, WB2FWZ gaa at ulticom.com +1 856 787 2758 Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054 Fax:+1 856 866 2033 Nielsen's First Law of Computer Manuals: People don't read documentation voluntarily.
participants (1)
-
Gary Algier