Ldap Authentication question

Ramon Escriba escriba at cells.es
Thu Mar 31 12:14:54 CEST 2011 

Alan, please do not get angry ok?,
The line in my answer about the "sarcastical reply" was for Alexander, not
for you.

Note: WIFIDATA & WIFIVOIP do 802.1x EAP+mschapv2 ok.


Here're the logs:

First authentication
--------------------------
(...)
Listening on authentication interface eth0 address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.

rad_recv: Access-Request packet from host 10.0.0.1port 32770, id=29,
length=95
        User-Name = "0019B976CC36"
        User-Password = "0019B976CC36"
        NAS-IP-Address = 10.0.0.1
        Service-Type = Login-User
        Calling-Station-Id = "00-19-B9-76-CC-36"
        NAS-Port-Id = "2:18"
        NAS-Port-Type = Ethernet
+- entering group authorize {...}
[preprocess]    expand: %{NAS-Port-Id} -> 2:18
++[preprocess] returns ok
[auth_log]      expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/10.0.0.1/auth-detail-20110331
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.0.0.1/auth-detail-20110331
[auth_log]      expand: %t -> Thu Mar 31 11:31:09 2011
++[auth_log] returns ok
++- entering policy rewrite_calling_station_id {...}
+++? if (request:Calling-Station-Id =~
/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0
-9a-f]{2})[-:]?([0-9a-f]{2})/i)
? Evaluating (request:Calling-Station-Id =~
/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0
-9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE
+++? if (request:Calling-Station-Id =~
/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0
-9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE
+++- entering if (request:Calling-Station-Id =~
/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0
-9a-f]{2})[-:]?([0-9a-f]{2})/i) {...}
        expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 0019B976CC36
++++[request] returns ok
+++- if (request:Calling-Station-Id =~
/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0
-9a-f]{2})[-:]?([0-9a-f]{2})/i) returns ok
+++ ... skipping else for request 0: Preceding "if" was taken
++- policy rewrite_calling_station_id returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "0019B976CC36", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "0019B976CC36", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
  [VOIP] - ldap_xlat
[files]         expand:
ldap:///ou=VOIP,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=%i ->
ldap:///ou=VOIP,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=0019B976CC3
6
  [VOIP] ldap_get_conn: Checking Id: 0
  [VOIP] ldap_get_conn: Got Id: 0
  [VOIP] attempting LDAP reconnection
  [VOIP] (re)connect to 127.0.0.1:389, authentication 0
  [VOIP] bind as cn=Manager,dc=machine,dc=com/mypassword to 127.0.0.1:389
  [VOIP] waiting for bind result ...
  [VOIP] Bind was successful
  [VOIP] performing search in ou=VOIP,ou=VLANS,ou=Radius,dc=machine,dc=com,
with filter uid=0019B976CC36
  [VOIP] object not found
  [VOIP] Search returned not found
  [VOIP] ldap_release_conn: Release Id: 0
[files]         expand:
%{VOIP:ldap:///ou=VOIP,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=%i}
->
  [WIFIVOIP] - ldap_xlat
[files]         expand:
ldap:///ou=WifiVoip,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=%i ->
ldap:///ou=WifiVoip,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=0019B97
6CC36
  [WIFIVOIP] ldap_get_conn: Checking Id: 0
  [WIFIVOIP] ldap_get_conn: Got Id: 0
  [WIFIVOIP] attempting LDAP reconnection
  [WIFIVOIP] (re)connect to 127.0.0.1:389, authentication 0
  [WIFIVOIP] bind as cn=Manager,dc=machine,dc=com/mypassword to
127.0.0.1:389
  [WIFIVOIP] waiting for bind result ...
  [WIFIVOIP] Bind was successful
  [WIFIVOIP] performing search in
ou=WifiVoip,ou=VLANS,ou=Radius,dc=machine,dc=com, with filter
uid=0019B976CC36
  [WIFIVOIP] object not found
  [WIFIVOIP] Search returned not found
  [WIFIVOIP] ldap_release_conn: Release Id: 0
[files]         expand:
%{WIFIVOIP:ldap:///ou=WifiVoip,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?
uid=%i} ->
  [WIFIDATA] - ldap_xlat
[files]         expand:
ldap:///ou=WifiData,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=%i ->
ldap:///ou=WifiData,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=0019B97
6CC36
  [WIFIDATA] ldap_get_conn: Checking Id: 0
  [WIFIDATA] ldap_get_conn: Got Id: 0
  [WIFIDATA] attempting LDAP reconnection
  [WIFIDATA] (re)connect to 127.0.0.1:389, authentication 0
  [WIFIDATA] bind as cn=Manager,dc=machine,dc=com/mypassword to
127.0.0.1:389
  [WIFIDATA] waiting for bind result ...
  [WIFIDATA] Bind was successful
  [WIFIDATA] performing search in
ou=WifiData,ou=VLANS,ou=Radius,dc=machine,dc=com, with filter
uid=0019B976CC36
  [WIFIDATA] object not found
  [WIFIDATA] Search returned not found
  [WIFIDATA] ldap_release_conn: Release Id: 0
[files]         expand:
%{WIFIDATA:ldap:///ou=WifiData,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?
uid=%i} ->
  [STAFF] - ldap_xlat
[files]         expand:
ldap:///ou=Staff,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=%i ->
ldap:///ou=Staff,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=0019B976CC
36
  [STAFF] ldap_get_conn: Checking Id: 0
  [STAFF] ldap_get_conn: Got Id: 0
  [STAFF] attempting LDAP reconnection
  [STAFF] (re)connect to 127.0.0.1:389, authentication 0
  [STAFF] bind as cn=Manager,dc=machine,dc=com/mypassword to 127.0.0.1:389
  [STAFF] waiting for bind result ...
  [STAFF] Bind was successful
  [STAFF] performing search in
ou=Staff,ou=VLANS,ou=Radius,dc=machine,dc=com, with filter uid=0019B976CC36
  [STAFF] Adding attribute uid, value: 0019B976CC36
  [STAFF] ldap_release_conn: Release Id: 0
  [STAFF] - ldap_xlat end
[files]         expand:
%{STAFF:ldap:///ou=Staff,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=%i
} -> 0019B976CC36
[files] users: Matched entry DEFAULT at line 219
++[files] returns ok
Found Auth-Type = STAFF
+- entering group STAFF {...}
[STAFF] login attempt by "0019B976CC36" with password "0019B976CC36"
[STAFF] WARNING: Deprecated conditional expansion ":-".  See "man unlang"
for details
[STAFF]         ... expanding second conditional
[STAFF]         expand: %{User-Name} -> 0019B976CC36
[STAFF]         expand: (uid=%{Stripped-User-Name:-%{User-Name}}) ->
(uid=0019B976CC36)
[STAFF]         expand: ou=Staff,ou=VLANS,ou=Radius,dc=machine,dc=com ->
ou=Staff,ou=VLANS,ou=Radius,dc=machine,dc=com
  [STAFF] ldap_get_conn: Checking Id: 0
  [STAFF] ldap_get_conn: Got Id: 0
  [STAFF] performing search in
ou=Staff,ou=VLANS,ou=Radius,dc=machine,dc=com, with filter
(uid=0019B976CC36)
  [STAFF] ldap_release_conn: Release Id: 0
[STAFF] user DN:
uid=0019B976CC36,ou=Staff,ou=VLANS,ou=Radius,dc=machine,dc=com
  [STAFF] (re)connect to 127.0.0.1:389, authentication 1
  [STAFF] bind as
uid=0019B976CC36,ou=Staff,ou=VLANS,ou=Radius,dc=machine,dc=com/0019B976CC36
to 127.0.0.1:389
  [STAFF] waiting for bind result ...
  [STAFF] Bind was successful
[STAFF] user 0019B976CC36 authenticated succesfully
++[STAFF] returns ok
Login OK: [0019B976CC36] (from client OFF-Staff-extreme-network port 0 cli
0019B976CC36)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 29 to 10.0.0.1port 32770
        Extreme-Netlogin-Only = Enabled
        Extreme-CLI-Authorization = Disabled
        Extreme-Netlogin-Vlan = "Staff"
        Reply-Message = "OK: STAFF user+device (%u %i) accepted."
        Termination-Action = RADIUS-Request
        Session-Timeout = 3600
Finished request 0.
Going to the next request
Waking up in 9.9 seconds.
rad_recv: Accounting-Request packet from host 10.0.0.1port 32771, id=11,
length=114
        Acct-Status-Type = Start
        User-Name = "0019B976CC36"
        NAS-IP-Address = 10.0.0.1
        Acct-Session-Id = "Thu Mar 31, 2011 10:27:11"
        Service-Type = Login-User
        NAS-Port = 2018
        NAS-Port-Type = Ethernet
        Tunnel-Private-Group-Id:0 = "4000"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 2018,Client-IP-Address =
10.0.0.1,NAS-IP-Address = 10.0.0.1,Acct-Session-Id = "Thu Mar 31, 2011
10:27:11",User-Name = "0019B976CC36"'
[acct_unique] Acct-Unique-Session-ID = "1018b7c0059e059b".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "0019B976CC36", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "0019B976CC36", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail]        expand:
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/radius/radacct/10.0.0.1/detail-20110331
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands
to /var/log/radius/radacct/10.0.0.1/detail-20110331
[detail]        expand: %t -> Thu Mar 31 11:31:09 2011
++[detail] returns ok
[radutmp]       expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp]       expand: %{User-Name} -> 0019B976CC36
++[radutmp] returns ok
[attr_filter.accounting_response]       expand: %{User-Name} -> 0019B976CC36
 attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 11 to 10.0.0.1port 32771
Finished request 1.
Cleaning up request 1 ID 11 with timestamp +5
Going to the next request
Waking up in 9.9 seconds.

Cleaning up request 0 ID 29 with timestamp +5
Ready to process requests.


----------------SECOND AUTHENTICATION ------------------



rad_recv: Access-Request packet from host 10.0.0.1port 32770, id=30,
length=95
        User-Name = "0026B9692F6F"
        User-Password = "0026B9692F6F"
        NAS-IP-Address = 10.0.0.1
        Service-Type = Login-User
        Calling-Station-Id = "00-26-B9-69-2F-6F"
        NAS-Port-Id = "2:35"
        NAS-Port-Type = Ethernet
+- entering group authorize {...}
[preprocess]    expand: %{NAS-Port-Id} -> 2:35
++[preprocess] returns ok
[auth_log]      expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/10.0.0.1/auth-detail-20110331
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.0.0.1/auth-detail-20110331
[auth_log]      expand: %t -> Thu Mar 31 11:32:15 2011
++[auth_log] returns ok
++- entering policy rewrite_calling_station_id {...}
+++? if (request:Calling-Station-Id =~
/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0
-9a-f]{2})[-:]?([0-9a-f]{2})/i)
? Evaluating (request:Calling-Station-Id =~
/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0
-9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE
+++? if (request:Calling-Station-Id =~
/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0
-9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE
+++- entering if (request:Calling-Station-Id =~
/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0
-9a-f]{2})[-:]?([0-9a-f]{2})/i) {...}
        expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 0026B9692F6F
++++[request] returns ok
+++- if (request:Calling-Station-Id =~
/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0
-9a-f]{2})[-:]?([0-9a-f]{2})/i) returns ok
+++ ... skipping else for request 2: Preceding "if" was taken
++- policy rewrite_calling_station_id returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "0026B9692F6F", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "0026B9692F6F", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
  [STAFF2] - ldap_xlat
[files]         expand:
ldap:///ou=Staff2,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=%i ->
ldap:///ou=Staff2,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=0026B9692
F6F
  [STAFF2] ldap_get_conn: Checking Id: 0
  [STAFF2] ldap_get_conn: Got Id: 0
  [STAFF2] attempting LDAP reconnection
  [STAFF2] (re)connect to 127.0.0.1:389, authentication 0
  [STAFF2] bind as cn=Manager,dc=machine,dc=com/mypassword to 127.0.0.1:389
  [STAFF2] waiting for bind result ...
  [STAFF2] Bind was successful
  [STAFF2] performing search in
ou=Staff2,ou=VLANS,ou=Radius,dc=machine,dc=com, with filter uid=0026B9692F6F
  [STAFF2] object not found
  [STAFF2] Search returned not found
  [STAFF2] ldap_release_conn: Release Id: 0
[files]         expand:
%{STAFF2:ldap:///ou=Staff2,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=
%i} ->
[files] users: Matched entry DEFAULT at line 261
++[files] returns ok
Found Auth-Type = Reject
Auth-Type = Reject, rejecting user
Failed to authenticate the user.
Login incorrect: [0026B9692F6F] (from client OFF-Staff-extreme-network port
0 cli 0026B9692F6F)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> 0026B9692F6F
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 2 seconds
Going to the next request
Waking up in 0.9 seconds.
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 30 to 10.0.0.1port 32770
        Reply-Message = "FAIL: REJECTED. Please call the helpdesk."
Waking up in 9.9 seconds.

More information about the Freeradius-Users mailing list