Ldap Authentication question

Ramon Escriba escriba at cells.es
Thu Mar 31 09:41:25 CEST 2011



Thank you very much for the sarcastic reply, it was really useful &
instructive indeed.


It was just a conceptual question, but it seems it was not clear enough, my
fault.

Let's specify a bit more: should the following users file work, or is it flawed by
design?

Note: 0.- In LDAP, I have uid=<mac address>,ou=VLAN-Xn,ou=Radius,dc=machine,dc=com
      1.- First I'm trying to check if the client MAC address exists in the
          LDAP subtree.
      2.- Second, LDAP "authentication": match user<mac>+pass<mac>; in our
          case, is macX == macX? via LDAP.


DEFAULT Calling-Station-Id == "%{VLAN-X1:ldap:///ou=VLAN-X1,ou=Radius,dc=machine,dc=com?uid?one?uid=%i}", Auth-Type = VLAN-X
##------------------------------------------------------------#
        Extreme-Netlogin-Only = Enabled,
        Extreme-CLI-Authorization = Disabled,
        Extreme-Netlogin-Vlan = "VLAN-X",
        Termination-Action = 1,
        Session-Timeout = 3600,
        Fall-Through = no

DEFAULT Calling-Station-Id == "%{VLAN-X2:ldap:///ou=VLAN-X2,ou=Radius,dc=machine,dc=com?uid?one?uid=%i}", Auth-Type = VLAN-2
##------------------------------------------------------------#
        Extreme-Netlogin-Only = Enabled,
        Extreme-CLI-Authorization = Disabled,
        Extreme-Netlogin-Vlan = "VLAN-X",
        Termination-Action = 1,
        Session-Timeout = 3600,
        Fall-Through = no

(....)


DEFAULT Calling-Station-Id == "%{VLAN-Xn:ldap:///ou=VLAN-Xn,ou=Radius,dc=machine,dc=com?uid?one?uid=%i}", Auth-Type = VLAN-n
##------------------------------------------------------------#
        Extreme-Netlogin-Only = Enabled,
        Extreme-CLI-Authorization = Disabled,
        Extreme-Netlogin-Vlan = "VLAN-n",
        Termination-Action = 1,
        Session-Timeout = 3600,
        Fall-Through = no


Is it normal that the first authentication goes through them & sends the
Access-Accept to the switch, so RADIUS is OK
& the switch opens the port as expected, but later all or nearly all
authentications are refused?


Radius.log
(...)

Wed Mar 30 17:15:17 2011 : Auth: Login OK: [008098A6B5A2](from client
OFF-network port 0 cli 008098A6B5A2)
Wed Mar 30 17:15:17 2011 : Auth: Login OK: [0019B43718D3] (from client
OFF-network port 0 cli 0019B43718D3)
Wed Mar 30 17:15:17 2011 : Auth: Login incorrect: [002437A858DB] (from
client OFF-network port 0 cli 002437A858DB)
Wed Mar 30 17:21:17 2011 : Auth: Login incorrect: [002437A858DB] (from
client OFF-network port 0 cli 002437A858DB)
Wed Mar 30 17:22:38 2011 : Info: Exiting normally.
Wed Mar 30 17:22:39 2011 : Info: Loaded virtual server inner-tunnel
Wed Mar 30 17:22:39 2011 : Info: Loaded virtual server <default>
Wed Mar 30 17:22:39 2011 : Info: Ready to process requests.

<just a daemon restart + switch ports restart>

Wed Mar 30 17:22:53 2011 : Auth: Login OK: [sadm] (from client OFF-network
port 0)
Wed Mar 30 17:23:10 2011 : Auth: Login OK: [sadm] (from client OFF-network
port 0)
Wed Mar 30 17:23:11 2011 : Auth: Login OK: [002437A858DB] (from client
OFF-Staff-extreme-network port 0 cli 002437A858DB)
Wed Mar 30 17:23:16 2011 : Auth: Login incorrect: [0019B43718D3] (from
client OFF-network port 0 cli 0019B43718D3)
Wed Mar 30 17:23:38 2011 : Auth: Login incorrect: [008098A6B5A2] (from
client OFF-network port 0 cli 008098A6B5A2)
Wed Mar 30 17:29:17 2011 : Auth: Login incorrect: [0019B43718D3] (from
client OFF-network port 0 cli 0019B43718D3)
Wed Mar 30 17:29:29 2011 : Auth: Login incorrect: [008098A6B5A2] (from
client OFF-network port 0 cli 008098A6B5A2)
Wed Mar 30 17:31:56 2011 : Info: Exiting normally.


Kind regards.
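As an added illustration (not code from the post, nor from the FreeRADIUS project), the script below models how the users file entries above are evaluated: each DEFAULT entry compares Calling-Station-Id with the expansion of the module xlat %{VLAN-Xn:ldap:///ou=VLAN-Xn,ou=Radius,dc=machine,dc=com?uid?one?uid=%i}, which yields the uid found one level under that OU or an empty string, and the first matching entry supplies Auth-Type and the reply items because Fall-Through = no stops the walk. The directory contents, the MAC addresses, the helper names (normalize_mac, ldap_filter_escape, ldap_xlat, authorize) and the inline MAC canonicalisation are all constructed assumptions; in particular the real %i expands Calling-Station-Id verbatim, so any normalisation of the NAS's MAC format would have to happen in a policy before the files module runs.

```python
"""Added example (not from the post or from FreeRADIUS itself): a small model of
how the DEFAULT entries of the users file above are walked.  Directory contents,
MAC addresses and helper names are constructed for this example."""
import re

# Constructed stand-in for the subtree ou=VLAN-Xn,ou=Radius,dc=machine,dc=com:
# OU name -> set of uid values (MAC addresses) stored one level beneath it.
DIRECTORY = {
    "VLAN-X1": {"008098A6B5A2", "0019B43718D3"},
    "VLAN-X2": {"002437A858DB"},
}

# The post's users entries as data: (OU searched, Auth-Type, reply items).
USERS_ENTRIES = [
    ("VLAN-X1", "VLAN-X", {"Extreme-Netlogin-Vlan": "VLAN-X", "Session-Timeout": 3600}),
    ("VLAN-X2", "VLAN-2", {"Extreme-Netlogin-Vlan": "VLAN-X", "Session-Timeout": 3600}),
]

# Accepts 00-80-98-A6-B5-A2, 00:80:98:A6:B5:A2, 0080.98a6.b5a2 and bare hex.
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[-:.]?){5}[0-9A-Fa-f]{2}")


def normalize_mac(value):
    """Reduce a NAS-formatted Calling-Station-Id to the 12 uppercase hex digits
    stored as uid.  Returns None when the value is not a MAC address at all.
    Assumption: the real %i passes Calling-Station-Id through unchanged, so this
    canonicalisation would live in a policy ahead of the files module."""
    if not MAC_RE.fullmatch(value):
        return None
    return re.sub(r"[-:.]", "", value).upper()


def ldap_filter_escape(value):
    """RFC 4515 escaping for a value embedded in an LDAP search filter, so an odd
    Calling-Station-Id cannot change what the uid=<value> filter matches."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def ldap_xlat(ou, calling_station_id):
    """Stand-in for the %{VLAN-Xn:ldap:///...?uid?one?uid=%i} expansion: a
    one-level search under the OU for uid=<escaped value>.  Returns the uid
    attribute of the match, or '' when nothing matches (as the xlat does)."""
    wanted = ldap_filter_escape(calling_station_id)
    for uid in DIRECTORY.get(ou, ()):
        if uid == wanted:          # uids are plain hex, so an escaped special
            return uid             # character simply fails to match anything
    return ""


def authorize(calling_station_id, entries=USERS_ENTRIES):
    """Walk the DEFAULT entries in file order the way the files module does: the
    first entry whose check item matches supplies Auth-Type and the reply items,
    and Fall-Through = no stops processing there.
    Returns (Auth-Type, reply items, OU) or None when no entry matched."""
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return None                # e.g. the 'sadm' admin login seen in the log
    for ou, auth_type, reply in entries:
        # Calling-Station-Id == "%{VLAN-Xn:ldap:///ou=VLAN-Xn,...?uid?one?uid=%i}"
        if ldap_xlat(ou, mac) == mac:
            return auth_type, dict(reply), ou
    return None


if __name__ == "__main__":
    for csid in ("00-80-98-A6-B5-A2", "0024.37a8.58db", "001122334455", "sadm"):
        print(csid, "->", authorize(csid))
```

Running it shows the two mechanisms the post relies on side by side: a MAC that is present under an OU gets that entry's Auth-Type and VLAN reply items, a MAC absent from every OU falls off the end of the file with no Auth-Type set, and a non-MAC identifier never reaches the LDAP lookup at all.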

-----Original Message-----
From: freeradius-users-bounces+escriba=cells.es at lists.freeradius.org
[mailto:freeradius-users-bounces+escriba=cells.es at lists.freeradius.org] On
Behalf Of Alexander Clouter
Sent: Wednesday, 30 March 2011 17:49
To: freeradius-users at lists.freeradius.org
Subject: Re: Ldap Authentication question

Ramon Escriba <escriba at cells.es> wrote:
> 
> Has any one a clue of what I did wrong?
> 
<attempts to read Ramon's mind>

<attempts to use remote viewing to see output of debugging>

Actually, forget it...

http://wiki.freeradius.org/index.php/FAQ#It_still_doesn.27t_work.21

Regards

--
Alexander Clouter
.sigmonster says: Conscience is what hurts when everything else feels so
good.

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html