LDAP Groups and EAP
Brian Wilson
briw111 at yahoo.com
Fri Jan 11 21:57:26 CET 2008
Hi all:
I am running FreeRADIUS 1.1.0 and am trying to get Ldap-Group to work with EAP/PEAP/MSCHAPv2, but have been running into issues. I'm trying to permit authentication to a wireless SSID based on an LDAP group. Here is my configuration:
radiusd.conf:

authorize {
    preprocess
    auth_log
    files {
        notfound = return
    }
    eap
    redundant-load-balance {
        ldap1
        ldap2
    }
}

authenticate {
    Auth-Type LDAP {
        redundant-load-balance {
            ldap1
            ldap2
        }
    }
    Auth-Type EAP {
        eap
    }
}

hints:

DEFAULT Called-Station-Id =~ ".*:ssid"
    Called-Station-Id := "ssid"

huntgroups:

restrict Called-Station-Id == ssid
all NAS-IP-Address == xxx

users:

DEFAULT Huntgroup-Name == restrict, Ldap-group == "cn=something,ou=something"
DEFAULT Huntgroup-Name == all
When I try to authenticate, the RADIUS server receives about 7 Access-Requests. Each time it receives one, the RADIUS server checks the LDAP store to verify that the user exists in the LDAP group (is this normal? Can this be reduced? 7 LDAP binds per authentication attempt seems high), and each module returns OK. On the 6th attempt, though, it attempts to decode the EAP tunnel, and this happens:
rlm_dap::ldap_groupcmp: User found in group cn=something,ou=something
blah blah blah
Processing the authenticate section
blah blah blah
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Identity - XXX
rlm_eap_peap: Tunneled data is valid
PEAP: Got tunneled identity of XXX
PEAP: Setting default EAP type for tunneled EAP session
PEAP: Setting User-Name to XXX
Processing the authorize section
modcall[authorize]: module "preprocess" returns ok for request 6
blah blah blah
modcall[authorize]: module "auth_log" returns ok for request 6
modcall[authorize]: module "files" returns notfound for request 6
Notice that there is no additional call to ldap_group between the authorize section and the resulting failure in the files module. Since I have set "files { notfound = return }", the user fails to authenticate despite being accepted 5 times previously by ldap_group. If I remove "notfound = return", the user can authenticate REGARDLESS of the Ldap-Group I set, even when ldap_group returns notfound.
Is there something I'm missing in the configuration file?
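The interaction the post describes (a users-file DEFAULT entry whose Ldap-Group check item only decides whether that entry matches, a files module that stops the authorize section on notfound, and an eap module that otherwise sets Auth-Type) can be worked through with a small model. The block below is an added example, not code from the post or from FreeRADIUS: it parses users-file lines into check items, applies first-match semantics, and runs a stripped-down authorize section with and without "notfound = return". The group table and the requests are constructed; the inner-tunnel request is modelled as carrying only User-Name and EAP-Message, which is an assumption about the PEAP inner request (on a real server it depends on the peap module's copy_request_to_tunnel setting). The variant users file with a trailing "DEFAULT Auth-Type := Reject" shows the usual way to turn a non-matching group check into a hard reject instead of relying on the files module's return code.

```python
"""
Model of a FreeRADIUS 1.x authorize section: preprocess -> files -> eap,
with the files module's "notfound = return" override.  Constructed example,
not FreeRADIUS code; group membership and requests are made up.
"""
import re

# Constructed stand-in for rlm_ldap's ldap_groupcmp lookup.
LDAP_GROUPS = {"alice": {"cn=something,ou=something"}, "bob": set()}

# Constructed users files: the poster's, and a variant with a catch-all reject.
USERS_POSTED = '''
DEFAULT Huntgroup-Name == restrict, Ldap-Group == "cn=something,ou=something"
DEFAULT Huntgroup-Name == all
'''
USERS_WITH_REJECT = USERS_POSTED + "DEFAULT Auth-Type := Reject\n"

# attr, operator, value; a quoted value may contain commas (DN components).
ITEM = re.compile(r'([\w-]+)\s*(==|:=)\s*("[^"]*"|[^,\s]+)')


def parse_users(text):
    """Return [(name, [(attr, op, value), ...])], one tuple per non-empty line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        items = [(a, op, v.strip('"')) for a, op, v in ITEM.findall(rest)]
        entries.append((name, items))
    return entries


def entry_matches(items, request):
    """Every '==' check item must hold; Ldap-Group is answered by the group table."""
    for attr, op, value in items:
        if op != "==":
            continue
        if attr.lower() == "ldap-group":
            ok = value in LDAP_GROUPS.get(request.get("User-Name"), set())
        else:
            ok = request.get(attr) == value
        if not ok:
            return False          # entry skipped, NOT a reject
    return True


def files_module(entries, request):
    """Model of rlm_files: first matching entry wins; ':=' items become config items."""
    for _name, items in entries:
        if entry_matches(items, request):
            for attr, op, value in items:
                if op == ":=":
                    request["config"][attr] = value
            return "ok"
    return "notfound"


def authorize(entries, request, notfound_return):
    """Run the authorize section and return the resulting Auth-Type (or None)."""
    request.setdefault("config", {})
    if files_module(entries, request) == "notfound" and notfound_return:
        return request["config"].get("Auth-Type")   # section stops; eap never runs
    # rlm_eap's authorize sets Auth-Type = EAP when it sees EAP-Message,
    # unless an earlier module already forced one (e.g. Reject).
    if "EAP-Message" in request:
        request["config"].setdefault("Auth-Type", "EAP")
    return request["config"].get("Auth-Type")


def decide(entries, request, notfound_return):
    """Server outcome: no Auth-Type at all, or Auth-Type Reject, means reject."""
    auth_type = authorize(entries, dict(request), notfound_return)
    return "reject" if auth_type in (None, "Reject") else "accept"


if __name__ == "__main__":
    posted = parse_users(USERS_POSTED)
    outer = {"User-Name": "alice", "EAP-Message": b"x", "Huntgroup-Name": "restrict"}
    inner = {"User-Name": "alice", "EAP-Message": b"x"}   # assumed: no NAS attrs copied
    print("outer, notfound=return :", decide(posted, outer, True))    # accept
    print("inner, notfound=return :", decide(posted, inner, True))    # reject
    print("inner, no override     :", decide(posted, inner, False))   # accept
    strict = parse_users(USERS_WITH_REJECT)
    bob = {"User-Name": "bob", "EAP-Message": b"x", "Huntgroup-Name": "restrict"}
    print("bob, catch-all reject  :", decide(strict, bob, False))     # reject
```

The third case is the "REGARDLESS of the ldap-group" behaviour: once files' notfound is no longer fatal, the eap module sets Auth-Type and the group check has had no effect on the outcome. The fourth case shows why a final DEFAULT entry that forces Auth-Type := Reject is the usual fix, since the Ldap-Group check item on its own never rejects anything.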