Autz-type LDAP, Auth-Type MSCHAP possible ? (for vlan assignment)

LEOSI radius at pronetis.fr
Wed Feb 18 11:33:16 CET 2009


Hi,
I'm trying to set up FreeRADIUS to use the LDAP module for authorization
and to process authentication with MSCHAPv2.
My goal is to assign VLANs based on some Organizational Units in AD.
I wanted to use the "huntgroups" argument in the users file because it
could check the OU.
Last time I tried MSCHAPv2 for both autz and auth with "ntlm_auth ...
--require-membership-of", but I could get only 2 VLANs (depending on whether
the user is in the group or not).
So my question is: is it possible? And if yes, how to do it?
Thanks,

My configuration files:

- sites-enabled/default & inner-tunnel
authorize {
  Autz-Type LDAP {
    ldap
  }
  ..
  ldap
}
authenticate {
  ..
  #Auth-Type LDAP {
  # ldap
  #}
}

- users
DEFAULT Autz-Type := LDAP, Auth-Type := MSCHAP

- eap.conf
eap {
  default_eap_type = peap
  ..
}
peap {
  default_eap_type = mschapv2
  ..
}

- modules/ldap
ldap {
  server = "test.fr"
  identity = "cn=bindradius,cn=Users,dc=test,dc=fr"
  password = bindradius
  basedn = "cn=Users,dc=test,dc=fr"
  filter = "(samaccountname=%{User-Name})"
  ..
  password_attribute = userPassword
}


---------------------------------------------------------------------------------
Freeradius server log :
--------------------------------------------------------------------------------- 
Wed Feb 18 11:11:28 2009 : Debug: Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.1 port 1024, id=7,
length=202
	Framed-MTU = 1480
	NAS-IP-Address = 192.168.1.1
	NAS-Identifier = "SWiTCH"
	User-Name = "philippe"
	Service-Type = Framed-User
	Framed-Protocol = PPP
	NAS-Port = 17
	NAS-Port-Type = Ethernet
	NAS-Port-Id = "17"
	Called-Station-Id = "00-13-21-a8-24-40"
	Calling-Station-Id = "00-15-c5-06-84-d8"
	Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "4"
	EAP-Message = 0x0201000d017068696c69707065
	Message-Authenticator = 0x5270b68813d479cb9e13dbb933792913
Wed Feb 18 11:11:39 2009 : Info: +- entering group authorize {...}
Wed Feb 18 11:11:39 2009 : Info: ++[preprocess] returns ok
Wed Feb 18 11:11:39 2009 : Info: ++[chap] returns noop
Wed Feb 18 11:11:39 2009 : Info: ++[mschap] returns noop
Wed Feb 18 11:11:39 2009 : Info: [suffix] No '@' in User-Name = "philippe",
looking up realm NULL
Wed Feb 18 11:11:39 2009 : Info: [suffix] No such realm "NULL"
Wed Feb 18 11:11:39 2009 : Info: ++[suffix] returns noop
Wed Feb 18 11:11:39 2009 : Info: [eap] EAP packet type response id 1 length
13
Wed Feb 18 11:11:39 2009 : Info: [eap] No EAP Start, assuming it's an
on-going EAP conversation
Wed Feb 18 11:11:39 2009 : Info: ++[eap] returns updated
Wed Feb 18 11:11:39 2009 : Info: ++[unix] returns notfound
Wed Feb 18 11:11:39 2009 : Info: [files] users: Matched entry DEFAULT at
line 1
Wed Feb 18 11:11:39 2009 : Info: ++[files] returns ok
Wed Feb 18 11:11:39 2009 : Info: [ldap] performing user authorization for
philippe
Wed Feb 18 11:11:39 2009 : Info: [ldap] 	expand:
(samaccountname=%{User-Name}) -> (samaccountname=philippe)
Wed Feb 18 11:11:39 2009 : Info: [ldap] 	expand: cn=Users,dc=test,dc=fr ->
cn=Users,dc=test,dc=fr
Wed Feb 18 11:11:39 2009 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Wed Feb 18 11:11:39 2009 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Wed Feb 18 11:11:39 2009 : Debug: rlm_ldap: attempting LDAP reconnection
Wed Feb 18 11:11:39 2009 : Debug: rlm_ldap: (re)connect to test.fr:389,
authentication 0
Wed Feb 18 11:11:39 2009 : Debug: rlm_ldap: bind as
cn=bindradius,cn=Users,dc=test,dc=fr/bindradius to test.fr:389
Wed Feb 18 11:11:39 2009 : Debug: rlm_ldap: waiting for bind result ...
Wed Feb 18 11:11:39 2009 : Debug: rlm_ldap: Bind was successful
Wed Feb 18 11:11:39 2009 : Debug: rlm_ldap: performing search in
cn=Users,dc=test,dc=fr, with filter (samaccountname=philippe)
Wed Feb 18 11:11:39 2009 : Info: [ldap] looking for check items in
directory...
Wed Feb 18 11:11:39 2009 : Info: [ldap] looking for reply items in
directory...
Wed Feb 18 11:11:39 2009 : Debug: WARNING: No "known good" password was
found in LDAP.  Are you sure that the user is configured correctly?
Wed Feb 18 11:11:39 2009 : Info: [ldap] user philippe authorized to use
remote access
Wed Feb 18 11:11:39 2009 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Wed Feb 18 11:11:39 2009 : Info: ++[ldap] returns ok
Wed Feb 18 11:11:39 2009 : Info: ++[expiration] returns noop
Wed Feb 18 11:11:39 2009 : Info: ++[logintime] returns noop
Wed Feb 18 11:11:39 2009 : Info: [pap] WARNING! No "known good" password
found for the user.  Authentication may fail because of this.
Wed Feb 18 11:11:39 2009 : Info: ++[pap] returns noop
Wed Feb 18 11:11:39 2009 : Info: Using Autz-Type LDAP
Wed Feb 18 11:11:39 2009 : Info: +- entering group LDAP {...}
Wed Feb 18 11:11:39 2009 : Info: [ldap] performing user authorization for
philippe
Wed Feb 18 11:11:39 2009 : Info: [ldap] 	expand:
(samaccountname=%{User-Name}) -> (samaccountname=philippe)
Wed Feb 18 11:11:39 2009 : Info: [ldap] 	expand: cn=Users,dc=test,dc=fr ->
cn=Users,dc=test,dc=fr
Wed Feb 18 11:11:39 2009 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Wed Feb 18 11:11:39 2009 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Wed Feb 18 11:11:39 2009 : Debug: rlm_ldap: performing search in
cn=Users,dc=test,dc=fr, with filter (samaccountname=philippe)
Wed Feb 18 11:11:39 2009 : Info: [ldap] looking for check items in
directory...
Wed Feb 18 11:11:39 2009 : Info: [ldap] looking for reply items in
directory...
Wed Feb 18 11:11:39 2009 : Debug: WARNING: No "known good" password was
found in LDAP.  Are you sure that the user is configured correctly?
Wed Feb 18 11:11:39 2009 : Info: [ldap] user philippe authorized to use
remote access
Wed Feb 18 11:11:39 2009 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Wed Feb 18 11:11:39 2009 : Info: ++[ldap] returns ok
Wed Feb 18 11:11:39 2009 : Info: Found Auth-Type = MSCHAP
Wed Feb 18 11:11:39 2009 : Info: +- entering group MS-CHAP {...}
Wed Feb 18 11:11:39 2009 : Info: [mschap] No Cleartext-Password configured. 
Cannot create LM-Password.
Wed Feb 18 11:11:39 2009 : Info: [mschap] No Cleartext-Password configured. 
Cannot create NT-Password.
Wed Feb 18 11:11:39 2009 : Info: [mschap] No MS-CHAP-Challenge in the
request
Wed Feb 18 11:11:39 2009 : Info: ++[mschap] returns reject
Wed Feb 18 11:11:39 2009 : Info: Failed to authenticate the user.
Wed Feb 18 11:11:39 2009 : Info: Using Post-Auth-Type Reject
Wed Feb 18 11:11:39 2009 : Info: +- entering group REJECT {...}
Wed Feb 18 11:11:39 2009 : Info: [attr_filter.access_reject] 	expand:
%{User-Name} -> philippe
Wed Feb 18 11:11:39 2009 : Debug:  attr_filter: Matched entry DEFAULT at
line 11
Wed Feb 18 11:11:39 2009 : Info: ++[attr_filter.access_reject] returns
updated
Wed Feb 18 11:11:39 2009 : Info: Delaying reject of request 0 for 1 seconds
Wed Feb 18 11:11:39 2009 : Debug: Going to the next request
Wed Feb 18 11:11:39 2009 : Debug: Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 1024, id=7,
length=202
Wed Feb 18 11:11:40 2009 : Info: Waiting to send Access-Reject to client
192.168.1.1 port 1024 - ID: 7
Wed Feb 18 11:11:40 2009 : Info: Sending delayed reject for request 0
Sending Access-Reject of id 7 to 192.168.1.1 port 1024
Wed Feb 18 11:11:40 2009 : Debug: Waking up in 4.9 seconds.
Wed Feb 18 11:11:45 2009 : Info: Cleaning up request 0 ID 7 with timestamp
+11
Wed Feb 18 11:11:45 2009 : Debug: Ready to process requests.

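One working combination for what the post asks, added here as an illustration rather than taken from the post or from the FreeRADIUS project's own files: MSCHAPv2 checked through ntlm_auth, LDAP used only for authorization, and the VLAN chosen either from an AD group (Ldap-Group) or from the OU in the user's DN, with the forced `Auth-Type := MSCHAP` line dropped because the outer request in the log above is only an EAP Identity response that the eap module has to handle. It assumes a FreeRADIUS 2.x layout like the one shown and Samba winbind joined to the domain; the ntlm_auth path, group name, OU name and VLAN ids are placeholders.

```conf
# modules/mschap: check the MSCHAPv2 response through winbind; AD returns no
# NT hash over LDAP, hence "Cannot create NT-Password" in the log (constructed)
mschap {
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# modules/ldap: bind as in the post, plus group lookup for the Ldap-Group
# check item; basedn widened so users in any OU are found
ldap {
    server = "test.fr"
    identity = "cn=bindradius,cn=Users,dc=test,dc=fr"
    password = bindradius
    basedn = "dc=test,dc=fr"
    filter = "(samaccountname=%{User-Name})"
    groupname_attribute = cn
    groupmembership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))"
}

# users: no forced "Auth-Type := MSCHAP" (eap sets Auth-Type = EAP on the outer
# request; mschap sets MS-CHAP inside the tunnel). Group name/VLAN are placeholders.
DEFAULT Ldap-Group == "VLAN-Sales"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 10,
        Fall-Through = No

# sites-enabled/inner-tunnel, authorize: OU-based variant using the user DN
# that rlm_ldap stores in control:Ldap-UserDn (no Autz-Type section needed;
# the DN is matched as AD returns it, so the case of "OU=" matters)
authorize {
    mschap
    suffix
    eap
    files
    ldap
    if (control:Ldap-UserDn =~ /,OU=Engineering,/) {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := 20
        }
    }
}
# eap.conf, peap section: copy the inner reply (Tunnel-*) to the outer
# Access-Accept so the switch sees the VLAN
peap {
    default_eap_type = mschapv2
    use_tunneled_reply = yes
}
```

Run `radiusd -X` after the change and check that the inner-tunnel debug output shows `[ldap] ... Ldap-UserDn` being set and the Tunnel-* attributes in the final Access-Accept.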