Ldap Authentication question

Ramon Escriba escriba at cells.es
Thu Mar 31 14:56:45 CEST 2011


 
> Here're the logs:
> 
> First authentication
...
> rad_recv: Access-Request packet from host 10.0.0.1 port 32770, id=29, length=95
>         User-Name = "0019B976CC36"
>         User-Password = "0019B976CC36"
...
> ----------------SECOND AUTHENTICATION ------------------
...
> rad_recv: Access-Request packet from host 10.0.0.1 port 32770, id=30, length=95
>         User-Name = "0026B9692F6F"
>         User-Password = "0026B9692F6F"

>>  The requests are different.  That's why they're being treated differently.

Yes, they are different machines connected to different ports, but both MACs
are stored in the same LDAP subtree.

> [files]         expand:
> %{STAFF2:ldap:///ou=Staff2,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=%i} ->

>>  That would seem to be useful to look at.

This subtree is empty; there is not a single uid=<mac> inside.
I commented out the STAFF2 lines in the users file, but now it gets stuck at
the last catch-all reject.

++[mschap] returns noop
[suffix] No '@' in User-Name = "0026B9692F6F", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "0026B9692F6F", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 261
++[files] returns ok
Found Auth-Type = Reject
Auth-Type = Reject, rejecting user
Failed to authenticate the user.
Login incorrect: [0026B9692F6F] (from client OFF-Staff-extreme-network port 0 cli 0026B9692F6F)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> 0026B9692F6F
>>  Compare that to the similar line from the previous authentication.

They are nearly the same until eap returns noop, apart from the MAC differences of course:

(... Auth 1 ...)
++- policy rewrite_calling_station_id returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "0019B976CC36", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "0019B976CC36", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
  [VOIP] - ldap_xlat
[files]         expand: ldap:///ou=VOIP,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=%i -> ldap:///ou=VOIP,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=0019B976CC36
  [VOIP] ldap_get_conn: Checking Id: 0
(...)


(.... Auth 2 ...)
++- policy rewrite_calling_station_id returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "0026B9692F6F", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "0026B9692F6F", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
  [STAFF2] - ldap_xlat
[files]         expand: ldap:///ou=Staff2,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=%i -> ldap:///ou=Staff2,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=0026B9692F6F
  [STAFF2] ldap_get_conn: Checking Id: 0
(...)

>>  i.e. the debug output looks scary, but it's not.  Treat it as a sequence
>> of nonsense lines.  Compare the two results line by line.  The differences
>> are why one succeeds, and the other fails.
>>
>>   Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
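
The line-by-line comparison Alan recommends, as an added example (not code from this thread or from FreeRADIUS). It normalises away the one legitimate per-client difference, the MAC address used as User-Name, finds the first line where the two traces diverge, and pulls out which LDAP subtree each trace queried so the mismatch is obvious without reading the whole log. The two traces are constructed from the excerpts above (the second is extended with the reject lines from the second log); the "Login OK" prefix used to detect an accept is an assumption about the server's output format, since no accepted login appears in the post.

```python
"""Line-by-line comparison of two FreeRADIUS debug traces (added example)."""
import re

# A 12-hex-digit MAC, as used for User-Name and User-Password in the post.
MAC_RE = re.compile(r"\b[0-9A-Fa-f]{12}\b")
# The expanded right-hand side of a "[files] expand: ... -> ldap:///..." line.
LDAP_EXPAND_RE = re.compile(r"->\s*(ldap://\S+)")

# Constructed sample: "Auth 1" from the post (client 0019B976CC36).
AUTH_1 = r"""++- policy rewrite_calling_station_id returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "0019B976CC36", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "0019B976CC36", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
  [VOIP] - ldap_xlat
[files]         expand: ldap:///ou=VOIP,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=%i -> ldap:///ou=VOIP,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=0019B976CC36
  [VOIP] ldap_get_conn: Checking Id: 0
"""

# Constructed sample: "Auth 2" (client 0026B9692F6F), followed by the reject
# lines from the second log in the post.
AUTH_2 = r"""++- policy rewrite_calling_station_id returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "0026B9692F6F", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "0026B9692F6F", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
  [STAFF2] - ldap_xlat
[files]         expand: ldap:///ou=Staff2,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=%i -> ldap:///ou=Staff2,ou=VLANS,ou=Radius,dc=machine,dc=com?uid?one?uid=0026B9692F6F
  [STAFF2] ldap_get_conn: Checking Id: 0
[files] users: Matched entry DEFAULT at line 261
++[files] returns ok
Found Auth-Type = Reject
Auth-Type = Reject, rejecting user
Failed to authenticate the user.
"""


def normalize(line):
    """Mask the MAC so traces for two different supplicants become comparable."""
    return MAC_RE.sub("<MAC>", line)


def first_divergence(log_a, log_b):
    """Return (index, line_a, line_b) of the first differing line, or None.

    If one trace is a prefix of the other, the missing side is reported as None.
    """
    lines_a, lines_b = log_a.splitlines(), log_b.splitlines()
    for i, (x, y) in enumerate(zip(lines_a, lines_b)):
        if normalize(x) != normalize(y):
            return i, x, y
    if len(lines_a) != len(lines_b):
        i = min(len(lines_a), len(lines_b))
        return (i,
                lines_a[i] if i < len(lines_a) else None,
                lines_b[i] if i < len(lines_b) else None)
    return None


def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL into base DN, attributes, scope and filter."""
    _, _, rest = url.partition("ldap://")
    _host, _, rest = rest.partition("/")  # the post uses ldap:/// (no host)
    parts = rest.split("?")
    parts += [""] * (4 - len(parts))
    base, attrs, scope, filt = parts[:4]
    return {"base": base, "attrs": attrs, "scope": scope or "base", "filter": filt}


def ldap_lookups(log):
    """Every LDAP URL the files module expanded in this trace, parsed."""
    return [parse_ldap_url(m.group(1)) for m in LDAP_EXPAND_RE.finditer(log)]


def auth_outcome(log):
    """'reject', 'accept' or 'unknown' for a trace.

    The 'Login OK' prefix is an assumption about the server's accept message.
    """
    for line in log.splitlines():
        if line.startswith(("Auth-Type = Reject, rejecting user", "Login incorrect")):
            return "reject"
        if line.startswith("Login OK"):
            return "accept"
    return "unknown"


if __name__ == "__main__":
    d = first_divergence(AUTH_1, AUTH_2)
    print("first divergence at line", d[0] if d else "none")
    if d:
        print("  auth 1:", d[1])
        print("  auth 2:", d[2])
    for name, log in (("auth 1", AUTH_1), ("auth 2", AUTH_2)):
        for q in ldap_lookups(log):
            print(name, "queried base", q["base"], "with filter", q["filter"])
        print(name, "outcome:", auth_outcome(log))
```

Run on the two traces this prints the divergence at the `ldap_xlat` line: the first client is looked up under ou=VOIP and the second under ou=Staff2, which is the subtree the original post says is empty, so the second request falls through to the DEFAULT reject entry.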