NAS-IP-Address modified during Access-Request process

kevin leblanc kevinzebeste at gmail.com
Thu Jun 18 11:35:21 CEST 2009


Hi everybody,
I have a big problem with FreeRADIUS version 1.1.4 installed on RHEL 5, and
today is the third day I have been looking for a solution :(
Here is the problem:
I configured FreeRADIUS to look in an OpenLDAP directory to authenticate and
authorize a user.
The authentication phase is OK
During the authorization phase, an LDAP search is done: if the user is a member
of a group identified by the IP of the host he wants to connect to, the user is
authorized.
The problem is here: FreeRADIUS receives an Access-Request packet with a
NAS-IP-Address (the right one), but for the LDAP search it doesn't use the
IP received in the packet but another one!

Why is this attribute modified?
Is there any cache (the other IP comes from another device)?

Thanks for any helpful idea

Here are the files:
/etc/raddb/users (I also tried with ldap-group == "%{NAS-IP-Address}")
--------------------------------------------------------
DEFAULT ldap-group == "%{Client-Ip-Address}", Auth-Type := LDAP
        Service-Type = 1,
        Fall-Through = no

DEFAULT Auth-Type := Reject
        Fall-Through = no,
        Reply-Message = "You are not authorized to log in to this host :("
--------------------------------------------------------

/etc/raddb/clients.conf
--------------------------------------------------------
client 126.50.0.0/8 {
    secret = secretsecret
    shortname = shortname
}
--------------------------------------------------------

radius LOG (with radiusd -X)
--------------------------------------------------------
rad_recv: Access-Request packet from host *126.50.0.148*:1645, id=17, length=82
        NAS-IP-Address = *126.50.0.148*
        NAS-Port = 1
        NAS-Port-Type = Virtual
        User-Name = "testadmin"
        Calling-Station-Id = "XX.XX.XX.XX"
        User-Password = "XXXXXXXXX"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'dc=example,dc=com'
radius_xlat:  '(uid=testadmin)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=testadmin)
rlm_ldap: ldap_search() failed: LDAP connection lost.
rlm_ldap: Attempting reconnect
rlm_ldap: attempting LDAP reconnection
rlm_ldap: closing existing LDAP connection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
rlm_ldap: starting TLS
rlm_ldap: bind as uid=radius,ou=applications,dc=example,dc=com/radiuspass to 127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=testadmin)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat: '(|(&(objectClass=GroupOfNames)(member=uid\3dtestAdmin\2cuid\3dtest01\2cou\3dusers\2cdc\3dexample\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestAdmin\2cuid\3dtest01\2cou\3dusers\2cdc\3dexample\2cdc\3dcom)))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=example,dc=com, with filter (&(cn=*126.50.0.147*)(|(&(objectClass=GroupOfNames)(member=uid\3dtestAdmin\2cuid\3dtest01\2cou\3dusers\2cdc\3dexample\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestAdmin\2cuid\3dtest01\2cou\3dusers\2cdc\3dexample\2cdc\3dcom))))
rlm_ldap::ldap_groupcmp: User found in group 126.50.0.147
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 3
  modcall[authorize]: module "files" returns ok for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testadmin
radius_xlat:  '(uid=testadmin)'
radius_xlat:  'dc=example,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=testadmin)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testadmin authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 4
modcall: leaving group authorize (returns ok) for request 4
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 4
rlm_ldap: - authenticate
rlm_ldap: login attempt by "testadmin" with password "XXXXXXXXX"
rlm_ldap: user DN: uid=testAdmin,uid=test01,ou=users,dc=example,dc=com
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 1
rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
rlm_ldap: starting TLS
rlm_ldap: bind as uid=testAdmin,uid=test01,ou=users,dc=example,dc=com/XXXXXXXXX to 127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user testadmin authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 4
modcall: leaving group LDAP (returns ok) for request 4
Login OK: [testadmin/XXXXXXXXX] (from client petitnom port 1 cli 126.100.100.6)
Sending Access-Accept of id 17 to 126.50.0.148 port 1645
        Service-Type = Login-User
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--------------------------------------------------------


-- 
KeV
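The debug output above is worth reading as an authorization record: the ldap_groupcmp filter was built with cn=126.50.0.147, "User found in group 126.50.0.147" is what satisfied the DEFAULT entry, and the Access-Accept was then sent to 126.50.0.148, the host named in both the packet source and NAS-IP-Address. Whatever the cause inside rlm_files or rlm_ldap, a user who is only a member of the group for one host has been accepted on another, and that is the class of mismatch a practitioner wants to catch mechanically rather than by eye. The script below is an added example, not part of the original post and not FreeRADIUS code. It parses a `radiusd -X` transcript (SAMPLE_LOG is a constructed excerpt of the log above with the mail's line wrapping and emphasis asterisks removed) and flags every request whose group-membership filter used a cn that matches neither the packet's source address nor its NAS-IP-Address attribute. The regular expressions, the `Request`/`Finding` types and the notion that the group cn should equal one of those two addresses are assumptions made for this illustration, based on the `users` entries quoted in the post.

```python
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt of the radiusd -X transcript quoted in the post above.
# Mail line-wrapping and *emphasis* asterisks removed, so every debug line is
# on one line as radiusd itself prints it.
SAMPLE_LOG = r"""
rad_recv: Access-Request packet from host 126.50.0.148:1645, id=17, length=82
        NAS-IP-Address = 126.50.0.148
        NAS-Port = 1
        NAS-Port-Type = Virtual
        User-Name = "testadmin"
        Calling-Station-Id = "XX.XX.XX.XX"
        User-Password = "XXXXXXXXX"
  Processing the authorize section of radiusd.conf
rlm_ldap: Entering ldap_groupcmp()
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=testadmin)
rlm_ldap: performing search in dc=example,dc=com, with filter (&(cn=126.50.0.147)(|(&(objectClass=GroupOfNames)(member=uid\3dtestAdmin\2cuid\3dtest01\2cou\3dusers\2cdc\3dexample\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestAdmin\2cuid\3dtest01\2cou\3dusers\2cdc\3dexample\2cdc\3dcom))))
rlm_ldap::ldap_groupcmp: User found in group 126.50.0.147
    users: Matched entry DEFAULT at line 3
Login OK: [testadmin/XXXXXXXXX] (from client petitnom port 1 cli 126.100.100.6)
Sending Access-Accept of id 17 to 126.50.0.148 port 1645
        Service-Type = Login-User
Finished request 4
"""

# Assumed line shapes, taken from the transcript format shown in the post.
RECV_RE = re.compile(r"^rad_recv: Access-Request packet from host (\S+?):(\d+), id=(\d+)")
ATTR_RE = re.compile(r"^\s+([\w-]+) = (.+)$")
GROUPCMP_RE = re.compile(r"with filter \(&\(cn=([^)]+)\)")
RESULT_RE = re.compile(r"^Sending Access-(Accept|Reject|Challenge) of id (\d+) to (\S+) port (\d+)")


@dataclass
class Request:
    src_ip: str                 # address the Access-Request came from
    pkt_id: int                 # RADIUS packet identifier
    attrs: Dict[str, str] = field(default_factory=dict)   # request attributes
    group_cns: List[str] = field(default_factory=list)    # cn values used by ldap_groupcmp
    result: Optional[str] = None                          # Accept / Reject / Challenge


@dataclass
class Finding:
    pkt_id: int
    src_ip: str
    nas_ip: Optional[str]
    group_cn: str
    result: Optional[str]


def parse_debug_log(text: str) -> List[Request]:
    """Group radiusd -X lines into per-request records."""
    requests: List[Request] = []
    cur: Optional[Request] = None
    for line in text.splitlines():
        m = RECV_RE.match(line)
        if m:
            cur = Request(src_ip=m.group(1), pkt_id=int(m.group(3)))
            requests.append(cur)
            continue
        if cur is None:
            continue
        m = RESULT_RE.match(line)
        if m and int(m.group(2)) == cur.pkt_id:
            cur.result = m.group(1)
            continue
        # Attributes printed before the reply belong to the request; the ones
        # printed after "Sending Access-..." are reply items and are skipped.
        m = ATTR_RE.match(line)
        if m and cur.result is None:
            cur.attrs[m.group(1)] = m.group(2).strip().strip('"')
            continue
        m = GROUPCMP_RE.search(line)
        if m:
            cur.group_cns.append(m.group(1))
    return requests


def check_group_ip_consistency(requests: List[Request]) -> List[Finding]:
    """Flag requests whose ldap-group lookup used a cn that is neither the
    NAS-IP-Address attribute nor the packet's source address."""
    findings: List[Finding] = []
    for r in requests:
        nas_ip = r.attrs.get("NAS-IP-Address")
        expected = {ip for ip in (nas_ip, r.src_ip) if ip}
        for cn in r.group_cns:
            if cn not in expected:
                findings.append(Finding(r.pkt_id, r.src_ip, nas_ip, cn, r.result))
    return findings


if __name__ == "__main__":
    # Usage: python check_groupcmp.py [debug.log]; defaults to the sample above.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in check_group_ip_consistency(parse_debug_log(text)):
        print(f"id={f.pkt_id}: src={f.src_ip} NAS-IP-Address={f.nas_ip} "
              f"but ldap-group compared against cn={f.group_cn} -> Access-{f.result}")
```

Run it against the sample and it reports packet id 17 as accepted for 126.50.0.148 on the strength of group 126.50.0.147; feed it a transcript captured with `radiusd -X 2>&1 | tee debug.log` and every request with the same mismatch is listed. Treating such findings as reject-worthy (or at least alert-worthy) until the cause in the `users` file expansion is understood is the conservative choice, since the accept grants access to a host the group was never meant to cover.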