Failed retrieving values required to evaluate condition
Dear Freeradius-Users, I am not an experienced radius admin, so maybe you can give me a hint. I read the manuals, the logs and google, but without success. My wlan users authenticate themselves against eap/ldap. But for guests I generate a file with credentials. This worked for some years now. Because of changing root certificates I had to introduce two different eap-configurations (eap and eapoldca). These are used in the default site and inner-tunnel site via switch that decides on the outer User-Name which certificates are used. So I changed eap { ok = return } to if (&User-Name == "eduroam@uni-koblenz.de") { eap { ok = return } } else { eapoldca { ok = return } } This works for all wlan users except guests. If a guest tries to authenticate, at the end I get (8) if (&Called-Station-SSID == "ubnt") { (8) ERROR: Failed retrieving values required to evaluate condition This is because Called-Station-SSID is unset at this point. I don't think this is the root cause, instead the reason seems to be, that the "ok = return" statements exit the if ()-clause but not the authorize section. But as I said, I am not an expert ... You will find sites-enabled/{default,inner-tunnel}, mods-enabled/eap und a log file here: https://cloud.uni-koblenz-landau.de/s/cBrpcCgCAp9JjTr The radius log was generated while trying to connect to SSID ubnt using test/test as authentication. Any help is greatly appreciated. -- Kind regards Christoph _________________________________________ Uni Koblenz, Computing Centre, Office A 022 Postfach 201602, 56016 Koblenz Fon: +49 261 287-1311, Fax: -100 1311
Hi Christoph, your log shows the cause of the problem: --------8<--------8<--------8<--------8<-------- (8) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (8) ldap: --> (uid=test) (8) ldap: Performing search in "dc=uni-koblenz,dc=de" with filter "(uid=test)", scope "sub" (8) ldap: Waiting for search result... (8) ldap: Search returned no results rlm_ldap (ldap): Released connection (0) (8) [ldap] = notfound (8) } # else = notfound (8) } # else = notfound (8) [expiration] = noop (8) [logintime] = noop (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = eapoldca (8) Auth-Type sub-section not found. Ignoring. (8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (8) Failed to authenticate the user (8) Using Post-Auth-Type Reject --------8<--------8<--------8<--------8<-------- The user "test" is not found in your LDAP directory and is hence rejected. I haven't looked at the rest of the configuration but it's safe to say that for this particular connection attempt, that's the root cause of the client not being able to connect. The PEAP tunnel is established successfully, the inner authentication seems to run as well (though I don't understand why you need the "if (&User-Name == "eduroam...")" statement in the inner-tunnel configuration because you only need it for the TLS handshake of the outer tunnel). Kind regards, Christian Strauf -- Dipl.-Math. Christian Strauf Clausthal Univ. of Technology E-Mail: strauf@rz.tu-clausthal.de Rechenzentrum Web: www.rz.tu-clausthal.de Erzstraße 18 Tel.: +49-5323-72-2086 Fax: -992086 D-38678 Clausthal-Zellerfeld
participants (2)
-
Christian Strauf -
Christoph Litauer