multiple groups behind one NAS
nl
rusline at atlas.sk
Wed Dec 7 12:39:08 CET 2005
Hi,
I have a problem with multiple groups behind one NAS after upgrading from freeradius 0.9.x to 1.0.4-1.
There was no problem with this configuration before the upgrade.
Scenario:
2 groups: GPRS_1 and GPRS_2
both groups are behind NAS 1.1.1.1
user_1 is a member of group GPRS_2, and he and all members of GPRS_2 are rejected.
It looks like only members of the first group matched in the huntgroups file are processed positively.
####################
my users file:
DEFAULT Huntgroup-Name == DENY, Auth-Type := Reject
	Reply-Message = "!!! You are NOT allowed to access the resource !!!"
DEFAULT Huntgroup-Name == GPRS_1, Ldap-Group == "cn=GPRS_1,cn=radius,dc=my,dc=domain"
	Fall-Through = no
DEFAULT Huntgroup-Name == GPRS_2, Ldap-Group == "cn=GPRS_2,cn=radius,dc=my,dc=domain"
	Fall-Through = no
# (I tried Fall-Through = yes but without success)
####################
my huntgroups file:
GPRS_1 NAS-IP-Address == 1.1.1.1
GPRS_2 NAS-IP-Address == 1.1.1.1
####################
debug>
rad_recv: Access-Request packet from host 1.1.1.1:49152, id=113, length=282
User-Name = "user_1"
User-Password = "*******"
Acct-Session-Id = "C35B9B41550234E2DB"
NAS-IP-Address = 1.1.1.1
Service-Type = Framed-User
Framed-Protocol = GPRS-PDP-Context
Calling-Station-Id = "01234567898"
Called-Station-Id = "apn"
NAS-Port-Type = Wireless-Other
NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
rlm_checkval: Item Name: NAS-IP-Address, Value: 1.1.1.1
rlm_checkval: Could not find attribute named NAS-IP-Address in check pairs
modcall[authorize]: module "nas-ip" returns notfound for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user_1
radius_xlat: '(uid=user_1)'
radius_xlat: 'cn=radius,dc=my, dc=domain'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=my,dc=domain/******* to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in cn=radius ,dc=my, dc=domain, with filter (uid=user_1)
rlm_ldap: Password header not found in password {MD5}M6SF989545MZxq0dPLluAAoY for user user_1
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusCallingStationId as Calling-Station-Id, value 01234567898 & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFramedIPAddress as Framed-IP-Address, value 10.10.10.10 & op=11
rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP & op=11
rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User & op=11
rlm_ldap: user user_1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'cn=radius ,dc=my, dc=domain'
radius_xlat: '(&(objectClass=groupOfUniqueNames)(uniquemember=uid=user_1,cn=GPRS_1,dc=my,dc=domain))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=GPRS_1,cn=radius,dc=my,dc=domain, with filter (&(objectClass=groupOfUniqueNames)(uniquemember=uid=user_1,cn=GPRS_1,cn=radius,dc=my,dc=domain))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group cn=GPRS_1,cn=radius,dc=my,dc=domain not found or user is not a member.
users: Matched entry DEFAULT at line 128
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type Reject
rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Thanks for any advice :)
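
One way to summarise the debug output above per request, added here as an example (it is not part of the original post and not FreeRADIUS code): it lists which group DNs ldap_groupcmp actually searched, which users entry matched, and the resulting Auth-Type. The function name `summarize`, the field names and the trimmed sample log are assumptions made for the example; the regular expressions cover only the message formats that appear in the post.

```python
import re

# Constructed sample: a trimmed copy of the debug output quoted in the post.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 1.1.1.1:49152, id=113, length=282
User-Name = "user_1"
rlm_ldap: performing search in cn=radius ,dc=my, dc=domain, with filter (uid=user_1)
rlm_ldap: Entering ldap_groupcmp()
rlm_ldap: performing search in cn=GPRS_1,cn=radius,dc=my,dc=domain, with filter (&(objectClass=groupOfUniqueNames)(uniquemember=uid=user_1,cn=GPRS_1,cn=radius,dc=my,dc=domain))
rlm_ldap::ldap_groupcmp: Group cn=GPRS_1,cn=radius,dc=my,dc=domain not found or user is not a member.
users: Matched entry DEFAULT at line 128
rad_check_password: Found Auth-Type Reject
"""
# Ldap-Group values taken from the users file in the post.
EXPECTED_GROUPS = ["cn=GPRS_%d,cn=radius,dc=my,dc=domain" % n for n in (1, 2)]
REQ = re.compile(r"rad_recv: \S+ packet from host ([\d.]+):\d+, id=(\d+)")
USER = re.compile(r'User-Name = "([^"]*)"')
SEARCH = re.compile(r"performing search in (.+?), with filter")
MISS = re.compile(r"ldap_groupcmp: Group (\S+) not found or user is not a member")
MATCHED = re.compile(r"users: Matched entry (\S+) at line (\d+)")
AUTH = re.compile(r"rad_check_password: Found Auth-Type (\S+)")

def summarize(debug_text, expected_groups):
    """Return one dict per request: groups compared, entry matched, verdict."""
    requests, cur, in_groupcmp = [], None, False
    for line in debug_text.splitlines():
        if m := REQ.search(line):
            cur = {"id": int(m[2]), "nas": m[1], "user": None, "compared": [],
                   "not_member": [], "matched": [], "auth_type": None}
            requests.append(cur)
            in_groupcmp = False
        elif cur is None:
            continue  # ignore server start-up output before the first packet
        elif m := USER.search(line):
            cur["user"] = m[1]
        elif "Entering ldap_groupcmp()" in line:
            in_groupcmp = True  # the next LDAP search belongs to a group check
        elif in_groupcmp and (m := SEARCH.search(line)):
            cur["compared"].append(m[1])  # DN searched by the group check
            in_groupcmp = False
        elif m := MISS.search(line):
            cur["not_member"].append(m[1])
        elif m := MATCHED.search(line):
            cur["matched"].append((m[1], int(m[2])))
        elif m := AUTH.search(line):
            cur["auth_type"] = m[1]
    for r in requests:  # expected groups for which no comparison was logged
        r["never_compared"] = [g for g in expected_groups if g not in r["compared"]]
    return requests
```

On the sample, `never_compared` holds the GPRS_2 DN: the log records a group comparison for GPRS_1 only, after which the DEFAULT entry at line 128 matches and Auth-Type Reject is found.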