freeRadius with LDAP for MSCHAP & mac auth

Seferovic Edvin edvin.seferovic at kolp.at
Fri Sep 23 22:42:15 CEST 2005


Hello everyone...

I've set up a FreeRADIUS server with an LDAP backend for MSCHAP, but now I have
to set up a MAC-based auth on the same server, also with the same LDAP
backend (but the MAC info is found in another subtree). So I have made two
ldap instances under modules, including MSCHAP...

modules {

    mschap {
        authtype = MS-CHAP
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
    }

    ldap ldap_users {
        server = "81.yyy.xxx.xxx"
        basedn = "ou=People,dc=xxx,dc=xxx"
        filter = "(&(objectClass=posixAccount)(uid=%u))"
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 10
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }

    ldap ldap_mac {
        server = "81.xxx.xxx.xxx"
        basedn = "ou=Hosts,dc=xxx,dc=xxx"
        filter = "(&(objectClass=ipHost)(ipHostNumber=%u))"
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 10
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }
    ...
}  # modules end

instantiate {
    weekly_traffic  # just a counter
}

authorize {
    mschap
    ldap_users
    ldap_mac
    weekly_traffic
}

authenticate {
    # MSCHAP authentication.
    Auth-Type MS-CHAP {
        mschap
    }

    Auth-Type LDAP {
        ldap_mac
        ldap_users
    }
}

So what I actually need is: when my VPN server sends Access-Request packets
with MS-CHAP attributes, I would like the mschap module to use the "ldap_users"
part. And when an Access-Request packet with the MAC address is received, I
would like to use ldap_mac ONLY! Here is a part of my log file...

rad_recv: Access-Request packet from host 172.19.10.2:1024, id=22, length=193
        Framed-MTU = 1480
        NAS-IP-Address = 172.19.10.2
        NAS-Identifier = "HP2626-Verwaltung"
        User-Name = "00:0a:e4:22:c5:9d"
        Service-Type = Administrative-User
        Framed-Protocol = PPP
        NAS-Port = 10
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "10"
        Called-Station-Id = "00-14-38-2e-2c-76"
        Calling-Station-Id = "00-0a-e4-22-c5-9d"
        Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
        CHAP-Password = 0x1525d56e4e21bbbc83d5e49fa3be8173a5
Debug:   Processing the authorize section of radiusd.conf
Debug: modcall: entering group authorize for request 0
Debug:   modsingle[authorize]: calling mschap (rlm_mschap) for request 0
Debug:   modsingle[authorize]: returned from mschap (rlm_mschap) for request 0
Debug:   modcall[authorize]: module "mschap" returns noop for request 0
Debug:   modsingle[authorize]: calling ldap_users (rlm_ldap) for request 0
Debug: rlm_ldap: - authorize
Debug: rlm_ldap: performing user authorization for 00:0a:e4:22:c5:9d
Debug: radius_xlat:  '(&(objectClass=posixAccount)(uid=00:0a:e4:22:c5:9d))'
Debug: radius_xlat:  'ou=People,dc=kolp,dc=at'
Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Debug: rlm_ldap: attempting LDAP reconnection
Debug: rlm_ldap: (re)connect to 81.189.101.10:389, authentication 0
Debug: rlm_ldap: bind as / to 81.189.101.10:389
Debug: rlm_ldap: waiting for bind result ...
Debug: rlm_ldap: Bind was successful
Debug: rlm_ldap: performing search in ou=People,dc=kolp,dc=at, with filter (&(objectClass=posixAccount)(uid=00:0a:e4:22:c5:9d))
Debug: rlm_ldap: object not found or got ambiguous search result
Debug: rlm_ldap: search failed
Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Debug:   modsingle[authorize]: returned from ldap_users (rlm_ldap) for request 0
Debug:   modcall[authorize]: module "ldap_users" returns notfound for request 0
Debug:   modsingle[authorize]: calling ldap_mac (rlm_ldap) for request 0
Debug: rlm_ldap: - authorize
Debug: rlm_ldap: performing user authorization for 00:0a:e4:22:c5:9d
Debug: radius_xlat:  '(&(objectClass=ipHost)(ipHostNumber=00:0a:e4:22:c5:9d))'
Debug: radius_xlat:  'ou=Hosts,dc=kolp,dc=at'
Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Debug: rlm_ldap: attempting LDAP reconnection
Debug: rlm_ldap: (re)connect to 81.189.101.10:389, authentication 0
Debug: rlm_ldap: bind as / to 81.189.101.10:389
Debug: rlm_ldap: waiting for bind result ...
Debug: rlm_ldap: Bind was successful
Debug: rlm_ldap: performing search in ou=Hosts,dc=kolp,dc=at, with filter (&(objectClass=ipHost)(ipHostNumber=00:0a:e4:22:c5:9d))
Debug: rlm_ldap: looking for check items in directory...
Debug: rlm_ldap: looking for reply items in directory...
Debug: rlm_ldap: Adding description as vid, value 20 & op=11
Debug: rlm_ldap: user 00:0a:e4:22:c5:9d authorized to use remote access
Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Debug:   modsingle[authorize]: returned from ldap_mac (rlm_ldap) for request 0
Debug:   modcall[authorize]: module "ldap_mac" returns ok for request 0
Debug:   modsingle[authorize]: calling weekly_traffic (rlm_counter) for request 0
Debug: rlm_counter: Entering module authorize code
Debug: rlm_counter: Could not find Check item value pair
Debug:   modsingle[authorize]: returned from weekly_traffic (rlm_counter) for request 0
Debug:   modcall[authorize]: module "weekly_traffic" returns noop for request 0
Debug: modcall: group authorize returns ok for request 0
Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

Sorry for the long mail :(

Thank you in advance !

Regards,

Edvin Seferovic
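The routing the mail asks for (MS-CHAP requests handled by mschap with ldap_users supplying the directory data, MAC-address requests handled by ldap_mac only) and the failure the log ends in (authorize completes but no Auth-Type was set, so the request is rejected) can be modelled outside the server. The following is an added example, written for this page and not FreeRADIUS code or anything from the original post: it parses a `rad_recv` dump as printed by `radiusd -X`, decides which of the two backends applies, builds the LDAP search that instance would run with the User-Name escaped per RFC 4515, and summarises the per-module return codes from the authorize section. The MAC request and the authorize-result lines are taken from the mail's log; the MS-CHAP request and the mismatched-MAC request are constructed placeholders, and the rule that a MAC User-Name must agree with Calling-Station-Id is this example's own assumption.

```python
import re

# Sample inputs. MAC_REQUEST and AUTHORIZE_LOG are copied (abbreviated) from
# the debug log in the mail above; MSCHAP_REQUEST and MISMATCH_REQUEST are
# constructed for comparison and use placeholder values.
MAC_REQUEST = """\
rad_recv: Access-Request packet from host 172.19.10.2:1024, id=22, length=193
        NAS-IP-Address = 172.19.10.2
        NAS-Identifier = "HP2626-Verwaltung"
        User-Name = "00:0a:e4:22:c5:9d"
        NAS-Port-Type = Ethernet
        Called-Station-Id = "00-14-38-2e-2c-76"
        Calling-Station-Id = "00-0a-e4-22-c5-9d"
        CHAP-Password = 0x1525d56e4e21bbbc83d5e49fa3be8173a5
"""
MSCHAP_REQUEST = """\
rad_recv: Access-Request packet from host 10.0.0.5:1812, id=7, length=120
        User-Name = "alice"
        MS-CHAP-Challenge = 0x00112233445566778899aabbccddeeff
        MS-CHAP2-Response = 0x0000aabbccddeeff
"""
MISMATCH_REQUEST = """\
rad_recv: Access-Request packet from host 10.0.0.6:1812, id=8, length=100
        User-Name = "00:0a:e4:22:c5:9d"
        Calling-Station-Id = "00-11-22-33-44-55"
"""
AUTHORIZE_LOG = """\
Debug:   modcall[authorize]: module "mschap" returns noop for request 0
Debug:   modcall[authorize]: module "ldap_users" returns notfound for request 0
Debug:   modcall[authorize]: module "ldap_mac" returns ok for request 0
Debug:   modcall[authorize]: module "weekly_traffic" returns noop for request 0
Debug: modcall: group authorize returns ok for request 0
Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
"""

ATTR_RE = re.compile(r"^\s+([\w-]+)\s*=\s*(.*)$")
MAC_RE = re.compile(r"^[0-9a-f]{2}([:-][0-9a-f]{2}){5}$", re.I)
RESULT_RE = re.compile(r'module "([\w-]+)" returns (\w+) for request (\d+)')

# The two rlm_ldap instances from the mail: base DN and filter template
# (the dc=xxx placeholders are the mail's own).
BACKENDS = {
    "ldap_users": ("ou=People,dc=xxx,dc=xxx", "(&(objectClass=posixAccount)(uid={u}))"),
    "ldap_mac": ("ou=Hosts,dc=xxx,dc=xxx", "(&(objectClass=ipHost)(ipHostNumber={u}))"),
}
# RFC 4515 filter metacharacters. %u in the mail's filters is the NAS-supplied
# User-Name, so it is escaped here before interpolation.
LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def parse_access_request(text):
    """Turn a 'rad_recv:' dump from radiusd -X into an attribute dict."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            name, value = m.groups()
            attrs[name] = value.strip().strip('"')
    return attrs


def normalize_mac(mac):
    return mac.lower().replace("-", ":")


def classify(attrs):
    """Pick the backend the mail wants: requests carrying MS-CHAP attributes
    go to mschap (with ldap_users as its directory), MAC requests go to
    ldap_mac only. A MAC User-Name that disagrees with Calling-Station-Id
    gets no backend at all (assumed rule, not from the mail)."""
    if any(k.startswith("MS-CHAP") for k in attrs):
        return "mschap"
    user = attrs.get("User-Name", "")
    csid = attrs.get("Calling-Station-Id", "")
    if MAC_RE.match(user) and MAC_RE.match(csid) and normalize_mac(user) == normalize_mac(csid):
        return "ldap_mac"
    return None


def ldap_escape(value):
    return "".join(LDAP_ESCAPES.get(c, c) for c in value)


def build_search(backend, attrs):
    """Base DN and filter the chosen rlm_ldap instance would run."""
    basedn, template = BACKENDS["ldap_users" if backend == "mschap" else backend]
    return basedn, template.format(u=ldap_escape(attrs.get("User-Name", "")))


def dispatch(text):
    """Return (backend, basedn, filter), or None when no backend applies,
    which is the situation the mail's log ends in: no Auth-Type, so a reject."""
    attrs = parse_access_request(text)
    backend = classify(attrs)
    if backend is None:
        return None
    return (backend,) + build_search(backend, attrs)


def summarize_authorize(log):
    """Per-module return codes from the authorize section, plus whether the
    request was rejected for lack of an Auth-Type (the failure in the mail)."""
    results = {module: rc for module, rc, _ in RESULT_RE.findall(log)}
    rejected = "No authenticate method (Auth-Type)" in log
    return results, rejected


if __name__ == "__main__":
    print(dispatch(MAC_REQUEST))
    print(dispatch(MSCHAP_REQUEST))
    print(dispatch(MISMATCH_REQUEST))
    print(summarize_authorize(AUTHORIZE_LOG))
```

Run against the mail's own request, `dispatch` picks ldap_mac and reproduces the `ou=Hosts` search seen in the log, while `summarize_authorize` shows what the log already says: ldap_mac returned ok, yet nothing in authorize set an Auth-Type, which is why the final line is a reject rather than a call into the authenticate section.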
