Virtual Hosts conflicting

Nicholas Hall ngharo at gmail.com
Thu Jan 3 22:03:09 CET 2008


Hello all

*My Goal*: PAP on legacy port 1645, CHAP on 1812 working simultaneously.
*My Environment*: FreeRADIUS 2.0.0-pre2, LDAP user database, MySQL
Accounting.
*Problem*: I'm running a virtual host for each AUTH port.  Each works fine
when placed in sites-enabled individually, but my CHAP virtual host fails when
both are enabled.  The vhost listening on 1812 appears to be referencing an
LDAP module that is not listed in its server { ... } block.  You will see
"ou=Dialup" in the debugging output below of a CHAP request to 1812; that OU is
only contained in the legacy PAP vhost.  Any ideas are appreciated!!

I have 4 LDAP servers configured, two point to a different OU on the same
servers for legacy PAP users.  Is there maybe a way to change the basedn on
the fly with NAS-IP-Address as the condition?  This may be easier than
sorting out my mess.

Right now I'm differentiating requests using clients.conf:
# CHAP NAS
client x.x.x.x {
  secret    = test
  shortname = test
  nastype   = other
  server    = alexssa_dsl
}

#####################
# Stripped LDAP config #
#####################
ldap ldap01.alexssa.net {
    <snip>
    basedn = "ou=users,ou=radius,dc=alexssa,dc=net"
}

ldap ldap02.alexssa.net {
    <snip>
    basedn = "ou=users,ou=radius,dc=alexssa,dc=net"
}
ldap ldap01.alexssa.net_dialin {
    <snip>
    basedn = "ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net"
}

ldap ldap02.alexssa.net_dialin {
    <snip>
    basedn = "ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net"
}

##############################
# Below is my DSL (CHAP) vhost  #
##############################
server alexssa_dsl {
  listen {
    ipaddr = *
    port = 1812
    type = auth
  }

  listen {
    ipaddr = *
    port = 1813
    type = acct
  }

  authorize {
    if ("%{User-Name}" =~ /^([^@]+)@alexssa.net$/) {
      update request {
        Stripped-User-Name = "%{1}"
      }
    }
    preprocess
    auth_log
    files
    redundant-load-balance {
      ldap01.alexssa.net
      ldap02.alexssa.net
    }
    daily
    chap
  }

  authenticate {
   Auth-Type CHAP {
      chap
    }
  }


  #
  #  Pre-accounting.  Decide which accounting type to use.
  #
  preacct {
    preprocess
    acct_unique
    files
  }

  #
  #  Accounting.  Log the accounting data.
  #
  accounting {
  # acctdetail
    sql
  # daily
    radutmp
    attr_filter.accounting_response
  }


  #  Session database, used for checking Simultaneous-Use. Either the radutmp
  #  or rlm_sql module can handle this.
  #  The rlm_sql module is *much* faster
  session {
    radutmp
  }


  #  Post-Authentication
  #  Once we KNOW that the user has been authenticated, there are
  #  additional steps we can take.
  post-auth {
    Post-Auth-Type REJECT {
      attr_filter.access_reject
    }
  }

} # dsl server block

######################
# Dialin (PAP) vhost       #
######################
server alexssa_dialin {
  listen {
    ipaddr = *
    port = 1645
    type = auth
  }

  listen {
    ipaddr = *
    port = 1646
    type = acct
  }

  authorize {
    if ("%{User-Name}" =~ /^([^@]+)@alexssa.net$/) {
      update request {
        Stripped-User-Name = "%{1}"
      }
    }
    preprocess
    auth_log
    files
    redundant-load-balance {
      ldap01.alexssa.net_dialin
      ldap02.alexssa.net_dialin
    }
    daily
    pap
  }

  authenticate {
   Auth-Type PAP {
      pap
    }
  }

  #
  #  Pre-accounting.  Decide which accounting type to use.
  #
  preacct {
    preprocess
    acct_unique
    files
  }

  #
  #  Accounting.  Log the accounting data.
  #
  accounting {
  # acctdetail
    sql
  # daily
    dialup
    radutmp
    attr_filter.accounting_response
  }


  #  Session database, used for checking Simultaneous-Use. Either the radutmp
  #  or rlm_sql module can handle this.
  #  The rlm_sql module is *much* faster
  session {
    radutmp
  }


  #  Post-Authentication
  #  Once we KNOW that the user has been authenticated, there are
  #  additional steps we can take.
  post-auth {
    Post-Auth-Type REJECT {
      attr_filter.access_reject
    }
  }

} # dialin server block

#######################################
# debugging output of CHAP request to 1812 #
#######################################
Listening on authentication address * port 1812 as server alexssa_dsl
Listening on accounting address * port 1813 as server alexssa_dsl
Listening on authentication address * port 1645 as server alexssa_dialin
Listening on accounting address * port 1646 as server alexssa_dialin
Ready to process requests.
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 38.119.185.62 port 3563, id=15,
length=63
        User-Name = "1000copyme at alexssa.net"
        CHAP-Password = 0x0f4e646219d84c7c72d88e920c879d2a01
server alexssa_dsl {
+- entering group authorize
++? if ("%{User-Name}" =~ /^([^@]+)@alexssa.net$/)
        expand: %{User-Name} -> 1000copyme at alexssa.net
? Evaluating ("%{User-Name}" =~ /^([^@]+)@alexssa.net$/) -> TRUE
++? if ("%{User-Name}" =~ /^([^@]+)@alexssa.net$/) -> TRUE
++- entering if ("%{User-Name}" =~ /^([^@]+)@alexssa.net$/)
        expand: %{1} -> 1000copyme
+++[request] returns notfound
++- if ("%{User-Name}" =~ /^([^@]+)@alexssa.net$/) returns notfound
++[preprocess] returns ok
        expand:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/usr/local/var/log/radius/radacct/38.119.185.62/auth-detail-20080103
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to
/usr/local/var/log/radius/radacct/38.119.185.62/auth-detail-20080103
        expand: %t -> Thu Jan  3 15:19:46 2008
++[auth_log] returns ok
rlm_ldap: Entering ldap_groupcmp()
        expand: ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net ->
ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net
        expand: %{Stripped-User-Name} -> 1000copyme
        expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=1000copyme)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap02.alexssa.net:389, authentication 0
rlm_ldap: bind as cn=xxxxx,dc=alexssa,dc=net/xxxxxx to
ldap02.alexssa.net:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in
ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net, with filter (uid=1000copyme)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
        expand: ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net ->
ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net
        expand: %{Stripped-User-Name} -> 1000copyme
        expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=1000copyme)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in
ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net, with filter (uid=1000copyme)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 16
++[files] returns ok
++- entering redundant-load-balance group
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 1000copyme at alexssa.net
        expand: %{Stripped-User-Name} -> 1000copyme
        expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=1000copyme)
        expand: ou=users,ou=radius,dc=alexssa,dc=net ->
ou=users,ou=radius,dc=alexssa,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap02.alexssa.net:389, authentication 0
rlm_ldap: bind as cn=xxxxx,dc=alexssa,dc=net/xxxxxx to
ldap02.alexssa.net:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=users,ou=radius,dc=alexssa,dc=net, with
filter (uid=1000copyme)
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute userPassword as RADIUS attribute Cleartext-Password
== "test1234"
rlm_ldap: looking for reply items in directory...
rlm_ldap: user 1000copyme at alexssa.net authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ldap02.alexssa.net] returns ok
++- redundant-load-balance group  returns ok
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[daily] returns noop
  rlm_chap: WARNING: Auth-Type already set.  Not setting to CHAP
++[chap] returns noop
  rad_check_password:  Found Auth-Type Reject
  rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Login incorrect: [1000copyme at alexssa.net/<CHAP-Password>] (from client test
port 0)
} # server alexssa_dsl
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> 1000copyme at alexssa.net
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Sending delayed reject for request 0
Sending Access-Reject of id 15 to 38.119.185.62 port 3563
        Reply-Message = "Please call the helpdesk.  Alexssa can be reached
at 262-338-3742"
Waking up in 4 seconds...
Cleaning up request 0 ID 15 with timestamp +17
Nothing to do.  Sleeping until we see a request.

-- 
Nicholas Hall
ngharo at gmail.com
262.208.6271
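As an added example (not code from the post or from FreeRADIUS), a small Python check that parses `radiusd -X` output of the shape shown above and reports every LDAP search issued inside a virtual-server block against a base DN that server is not expected to use, together with the module that was running at the time. The per-server expected base DNs are taken from the ldap instances named in each server's authorize section in the post; the sample log is a constructed excerpt modelled on the debug output.

```python
import re

# Constructed excerpt of "radiusd -X" output, modelled on the debug log in the
# post (real output keeps each message on one line; the mail client wrapped them).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 38.119.185.62 port 3563, id=15, length=63
server alexssa_dsl {
+- entering group authorize
++[preprocess] returns ok
rlm_ldap: Entering ldap_groupcmp()
rlm_ldap: performing search in ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net, with filter (uid=1000copyme)
rlm_ldap::ldap_groupcmp: search failed
    users: Matched entry DEFAULT at line 16
++[files] returns ok
++- entering redundant-load-balance group
rlm_ldap: performing search in ou=users,ou=radius,dc=alexssa,dc=net, with filter (uid=1000copyme)
+++[ldap02.alexssa.net] returns ok
++- redundant-load-balance group  returns ok
} # server alexssa_dsl
"""

# Base DNs each virtual server is expected to search, taken from the ldap
# instances listed in that server's own authorize section in the post.
EXPECTED_BASEDN = {
    "alexssa_dsl": {"ou=users,ou=radius,dc=alexssa,dc=net"},
    "alexssa_dialin": {"ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net"},
}

SERVER_OPEN = re.compile(r"^server (\S+) \{")
SERVER_CLOSE = re.compile(r"^\} # server (\S+)")
LDAP_SEARCH = re.compile(r"^rlm_ldap: performing search in (.+?), with filter")
MODULE_RETURN = re.compile(r"^\++\[([^\]]+)\] returns")

def find_foreign_searches(log, expected):
    """Return (server, basedn, module) for each LDAP search issued inside a
    virtual-server block against a base DN that server is not expected to use.
    The module is taken from the next '[name] returns' line, i.e. the module
    that was running when the search happened (rlm_ldap logs the search before
    the calling module reports its return code)."""
    findings, pending, current = [], [], None
    for line in log.splitlines():
        if m := SERVER_OPEN.match(line):
            current = m.group(1)
        elif SERVER_CLOSE.match(line):
            findings.extend((current, dn, "<unknown>") for dn in pending)
            pending, current = [], None
        elif (m := LDAP_SEARCH.match(line)) and current is not None:
            if m.group(1) not in expected.get(current, set()):
                pending.append(m.group(1))
        elif (m := MODULE_RETURN.match(line)) and pending:
            findings.extend((current, dn, m.group(1)) for dn in pending)
            pending = []
    return findings

if __name__ == "__main__":
    for server, dn, module in find_foreign_searches(SAMPLE_LOG, EXPECTED_BASEDN):
        print(f"server {server}: module '{module}' searched unexpected base DN {dn}")
```

On the constructed excerpt the check attributes the ou=Dialup search inside alexssa_dsl to the `files` module rather than to the ldap instances in the redundant-load-balance block, which is the distinction the debug output alone makes hard to see.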