Virtual Hosts conflicting
Nicholas Hall
ngharo at gmail.com
Thu Jan 3 22:03:09 CET 2008
Hello all,
*My Goal*: PAP on legacy port 1645, CHAP on 1812 working simultaneously.
*My Environment*: FreeRADIUS 2.0.0-pre2, LDAP user database, MySQL
Accounting.
*Problem*: I'm running a virtual host for each AUTH port. Each works fine
when placed in sites-enabled individually, but my CHAP virtual host fails when
both are enabled. The vhost listening on 1812 appears to be referencing an
LDAP module that is not listed in its server { ... } block. You will see
"ou=Dialup", which is only used in the legacy PAP vhost, in the debugging output
below of a CHAP request to 1812. Any ideas are appreciated!!
I have 4 LDAP servers configured; two point to a different OU on the same
servers for legacy PAP users. Is there maybe a way to change the basedn on
the fly with NAS-IP-Address as the condition? This may be easier than
sorting out my mess.
Right now I'm differentiating requests using clients.conf:
# CHAP NAS
client x.x.x.x {
    secret = test
    shortname = test
    nastype = other
    server = alexssa_dsl
}
#####################
# Stripped LDAP config #
#####################
ldap ldap01.alexssa.net {
    <snip>
    basedn = "ou=users,ou=radius,dc=alexssa,dc=net"
}
ldap ldap02.alexssa.net {
    <snip>
    basedn = "ou=users,ou=radius,dc=alexssa,dc=net"
}
ldap ldap01.alexssa.net_dialin {
    <snip>
    basedn = "ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net"
}
ldap ldap02.alexssa.net_dialin {
    <snip>
    basedn = "ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net"
}
##############################
# Below is my DSL (CHAP) vhost #
##############################
server alexssa_dsl {
    listen {
        ipaddr = *
        port = 1812
        type = auth
    }
    listen {
        ipaddr = *
        port = 1813
        type = acct
    }
    authorize {
        if ("%{User-Name}" =~ /^([^@]+)@alexssa.net$/) {
            update request {
                Stripped-User-Name = "%{1}"
            }
        }
        preprocess
        auth_log
        files
        redundant-load-balance {
            ldap01.alexssa.net
            ldap02.alexssa.net
        }
        daily
        chap
    }
    authenticate {
        Auth-Type CHAP {
            chap
        }
    }
    #
    # Pre-accounting. Decide which accounting type to use.
    #
    preacct {
        preprocess
        acct_unique
        files
    }
    #
    # Accounting. Log the accounting data.
    #
    accounting {
        # acctdetail
        sql
        # daily
        radutmp
        attr_filter.accounting_response
    }
    # Session database, used for checking Simultaneous-Use. Either the radutmp
    # or rlm_sql module can handle this.
    # The rlm_sql module is *much* faster
    session {
        radutmp
    }
    # Post-Authentication
    # Once we KNOW that the user has been authenticated, there are
    # additional steps we can take.
    post-auth {
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
} # dsl server block
######################
# Dialin (PAP) vhost #
######################
server alexssa_dialin {
    listen {
        ipaddr = *
        port = 1645
        type = auth
    }
    listen {
        ipaddr = *
        port = 1646
        type = acct
    }
    authorize {
        if ("%{User-Name}" =~ /^([^@]+)@alexssa.net$/) {
            update request {
                Stripped-User-Name = "%{1}"
            }
        }
        preprocess
        auth_log
        files
        redundant-load-balance {
            ldap01.alexssa.net_dialin
            ldap02.alexssa.net_dialin
        }
        daily
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
    }
    #
    # Pre-accounting. Decide which accounting type to use.
    #
    preacct {
        preprocess
        acct_unique
        files
    }
    #
    # Accounting. Log the accounting data.
    #
    accounting {
        # acctdetail
        sql
        # daily
        dialup
        radutmp
        attr_filter.accounting_response
    }
    # Session database, used for checking Simultaneous-Use. Either the radutmp
    # or rlm_sql module can handle this.
    # The rlm_sql module is *much* faster
    session {
        radutmp
    }
    # Post-Authentication
    # Once we KNOW that the user has been authenticated, there are
    # additional steps we can take.
    post-auth {
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
} # dialin server block
#######################################
# debugging output of CHAP request to 1812 #
#######################################
Listening on authentication address * port 1812 as server alexssa_dsl
Listening on accounting address * port 1813 as server alexssa_dsl
Listening on authentication address * port 1645 as server alexssa_dialin
Listening on accounting address * port 1646 as server alexssa_dialin
Ready to process requests.
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 38.119.185.62 port 3563, id=15,
length=63
User-Name = "1000copyme@alexssa.net"
CHAP-Password = 0x0f4e646219d84c7c72d88e920c879d2a01
server alexssa_dsl {
+- entering group authorize
++? if ("%{User-Name}" =~ /^([^@]+)@alexssa.net$/)
expand: %{User-Name} -> 1000copyme@alexssa.net
? Evaluating ("%{User-Name}" =~ /^([^@]+)@alexssa.net$/) -> TRUE
++? if ("%{User-Name}" =~ /^([^@]+)@alexssa.net$/) -> TRUE
++- entering if ("%{User-Name}" =~ /^([^@]+)@alexssa.net$/)
expand: %{1} -> 1000copyme
+++[request] returns notfound
++- if ("%{User-Name}" =~ /^([^@]+)@alexssa.net$/) returns notfound
++[preprocess] returns ok
expand:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/usr/local/var/log/radius/radacct/38.119.185.62/auth-detail-20080103
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to
/usr/local/var/log/radius/radacct/38.119.185.62/auth-detail-20080103
expand: %t -> Thu Jan 3 15:19:46 2008
++[auth_log] returns ok
rlm_ldap: Entering ldap_groupcmp()
expand: ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net ->
ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net
expand: %{Stripped-User-Name} -> 1000copyme
expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=1000copyme)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap02.alexssa.net:389, authentication 0
rlm_ldap: bind as cn=xxxxx,dc=alexssa,dc=net/xxxxxx to
ldap02.alexssa.net:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in
ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net, with filter (uid=1000copyme)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
expand: ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net ->
ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net
expand: %{Stripped-User-Name} -> 1000copyme
expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=1000copyme)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in
ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net, with filter (uid=1000copyme)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
users: Matched entry DEFAULT at line 16
++[files] returns ok
++- entering redundant-load-balance group
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 1000copyme@alexssa.net
expand: %{Stripped-User-Name} -> 1000copyme
expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=1000copyme)
expand: ou=users,ou=radius,dc=alexssa,dc=net ->
ou=users,ou=radius,dc=alexssa,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap02.alexssa.net:389, authentication 0
rlm_ldap: bind as cn=xxxxx,dc=alexssa,dc=net/xxxxxx to
ldap02.alexssa.net:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=users,ou=radius,dc=alexssa,dc=net, with
filter (uid=1000copyme)
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute userPassword as RADIUS attribute Cleartext-Password
== "test1234"
rlm_ldap: looking for reply items in directory...
rlm_ldap: user 1000copyme@alexssa.net authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ldap02.alexssa.net] returns ok
++- redundant-load-balance group returns ok
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[daily] returns noop
rlm_chap: WARNING: Auth-Type already set. Not setting to CHAP
++[chap] returns noop
rad_check_password: Found Auth-Type Reject
rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Login incorrect: [1000copyme@alexssa.net/<CHAP-Password>] (from client test port 0)
} # server alexssa_dsl
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> 1000copyme@alexssa.net
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Sending delayed reject for request 0
Sending Access-Reject of id 15 to 38.119.185.62 port 3563
Reply-Message = "Please call the helpdesk. Alexssa can be reached
at 262-338-3742"
Waking up in 4 seconds...
Cleaning up request 0 ID 15 with timestamp +17
Nothing to do. Sleeping until we see a request.
--
Nicholas Hall
ngharo at gmail.com
262.208.6271
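The debug output in the post is the evidence the question turns on: the two ldap_groupcmp() searches against ou=Dialup appear after ++[auth_log] returns ok and before users: Matched entry DEFAULT at line 16 / ++[files] returns ok, i.e. while the users file is being evaluated, whereas the ldap instance that alexssa_dsl actually lists in its redundant-load-balance block searches ou=users. The script below is an added example, not code from the post or from FreeRADIUS: it reads a radiusd -X transcript, ties each request to the server NAME { ... } # server NAME block that handled it, records every rlm_ldap search with the context it was made from (a groupcmp compare versus the ldap module called from authorize), and flags searches against a base DN that the handling server's own ldap instances never use. The EXPECTED_BASEDN table is an assumption derived from the two posted server blocks, and the sample transcript is the post's CHAP request, abridged and with the archive's wrapped lines re-joined.

```python
"""Correlate a FreeRADIUS 2.x ``radiusd -X`` transcript with the virtual server that
handled each request and the LDAP base DNs it actually searched. Added example for the
post above, not code from the post or from FreeRADIUS; line shapes come from the posted
debug output and EXPECTED_BASEDN is an assumption derived from the posted server blocks.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: the base DN each virtual server should reach, per the ldap instances it lists.
EXPECTED_BASEDN = {
    "alexssa_dsl": {"ou=users,ou=radius,dc=alexssa,dc=net"},
    "alexssa_dialin": {"ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net"},
}
RAD_RECV = re.compile(r"^rad_recv: Access-Request packet from host \S+ port \d+, id=(\d+)")
USER_NAME = re.compile(r'^User-Name = "(.*)"$')
SERVER_OPEN = re.compile(r"^server (\S+) \{$")
LDAP_SEARCH = re.compile(r"^rlm_ldap: performing search in (.+?), with filter \((.+)\)$")

@dataclass
class Search:
    context: str  # "groupcmp": Ldap-Group check-item compare; "authorize": ldap module call
    basedn: str
    filter: str
    found: Optional[bool] = None  # None until a result line is seen

@dataclass
class Request:
    packet_id: int
    user: str = ""
    server: str = ""
    searches: List[Search] = field(default_factory=list)
    rejected: bool = False

def parse_debug(text: str) -> List[Request]:
    """Split the transcript into requests, recording every LDAP search each one made."""
    requests: List[Request] = []
    req: Optional[Request] = None
    context = "unknown"
    for raw in text.splitlines():
        line = raw.strip()
        if m := RAD_RECV.match(line):
            req = Request(packet_id=int(m.group(1)))
            requests.append(req)
            context = "unknown"
        elif req is None:  # "Listening on ..." and other pre-request chatter
            continue
        elif m := USER_NAME.match(line):
            req.user = m.group(1)
        elif m := SERVER_OPEN.match(line):
            req.server = m.group(1)
        elif line == "rlm_ldap: Entering ldap_groupcmp()":
            context = "groupcmp"
        elif line == "rlm_ldap: - authorize":
            context = "authorize"
        elif m := LDAP_SEARCH.match(line):
            req.searches.append(Search(context, m.group(1), m.group(2)))
        elif line.startswith("rad_check_password: Auth-Type = Reject"):
            req.rejected = True
        elif req.searches and req.searches[-1].found is None:
            if line.startswith("rlm_ldap: object not found"):
                req.searches[-1].found = False
            elif line.startswith("rlm_ldap: looking for check items"):
                req.searches[-1].found = True
    return requests

def foreign_searches(req: Request) -> List[Search]:
    """Searches against a base DN that this virtual server's own ldap instances never use."""
    return [s for s in req.searches if s.basedn not in EXPECTED_BASEDN.get(req.server, set())]

def report(requests: List[Request]) -> List[str]:
    out = []
    for req in requests:
        bad = foreign_searches(req)
        out.append(f"id={req.packet_id} user={req.user} server={req.server} "
                   f"searches={len(req.searches)} foreign={len(bad)} rejected={req.rejected}")
        out += [f"  via {s.context}: base {s.basedn} filter ({s.filter}) found={s.found}" for s in bad]
    return out

# Constructed sample: the CHAP request from the post, abridged, wrapped lines re-joined.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 38.119.185.62 port 3563, id=15, length=63
        User-Name = "1000copyme@alexssa.net"
server alexssa_dsl {
rlm_ldap: Entering ldap_groupcmp()
rlm_ldap: performing search in ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net, with filter (uid=1000copyme)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: Entering ldap_groupcmp()
rlm_ldap: performing search in ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net, with filter (uid=1000copyme)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: - authorize
rlm_ldap: performing search in ou=users,ou=radius,dc=alexssa,dc=net, with filter (uid=1000copyme)
rlm_ldap: looking for check items in directory...
rad_check_password: Auth-Type = Reject, rejecting user
} # server alexssa_dsl
"""

if __name__ == "__main__":
    print("\n".join(report(parse_debug(SAMPLE_DEBUG))))
```

Run as-is it prints one summary line for the posted request followed by the two ou=Dialup searches it flags, both made from groupcmp context inside a server whose own ldap instances only use ou=users; feed parse_debug a full radiusd -X capture with both servers active and the same check shows, request by request, whether the alexssa_dialin side also has searches leaking across the other way.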