Authenticating users checking Huntgroup-Name in unlang
suggestme IT
suggest_me at hotmail.com
Wed Dec 5 16:27:34 CET 2012
Hi,
I have set up a FreeRADIUS 2.1.12 server and configured it to authorize and authenticate users that are in Active Directory and the users file. I have tested it in a real wireless environment to authenticate users from Active Directory & the users file, and it is successful. But according to our organization's requirements I need to allow or reject users for wireless or VPN access by checking huntgroups and an attribute in AD or the users file accordingly, so I have configured the huntgroup name "wirelesstest" in huntgroups and have configured my NAS-IP-Address as (some names & IP addresses are edited for privacy):
/usr/local/etc/raddb/huntgroups
wirelesstest NAS-IP-Address == IP Address
wirelesstest NAS-IP-Address == IP Address
wirelesstest NAS-IP-Address == IP Address
Clients are configured in the clients.conf file as:
/usr/local/etc/raddb/clients.conf
client Primary_controller {
    ipaddr = IP Address
    secret = password
    shortname = primary
    nastype = enterasys
}
In the default & inner-tunnel files, the unlang conditional checks are done under the ldap & files sub-sections of the "authorize" section:
/usr/local/etc/raddb/sites-enabled/default and /usr/local/etc/raddb/sites-enabled/inner-tunnel
authorize {
    .............
    ............
    ldap
    if ("%{Huntgroup-Name}" == "wirelesstest") {
        if (control:Connect-Type == wireless) {
            update control {
                Auth-Type := "Accept"
            }
        }
        else {
            update control {
                Auth-Type := "Reject"
            }
        }
    }
    files
    if ("%{Huntgroup-Name}" == "wirelesstest") {
        if (control:Connect-Type == wireless) {
            update control {
                Auth-Type := "Accept"
            }
        }
        else {
            update control {
                Auth-Type := "Reject"
            }
        }
    }
While testing through radtest it works as expected. The unlang condition is checked, the attribute is also checked against Active Directory or the users file, and it authenticates users if it matches and rejects them if it doesn't match.
But in real wireless environment testing I don't get any response at the client side, and after a long time it says it can't connect. But when checking the debug log from radiusd -X, it shows that it is checking the condition and sending Access-Accept or Access-Reject accordingly.
I tried different conditional checks in unlang; checking against the shortname as:
if ("%{client:shortname}" =~ /^primary/){
checking against the huntgroup as:
if ("%{client:huntgroup}" == "wireless"){
But none of these settings gives me a response at the client side, although my debug log shows the condition is being checked and Access-Accept or Access-Reject is sent.
Part of debug log is as follows:
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
User-Name = "test"
User-Password = "password"
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
User-Name = "test"
User-Password = "password"
FreeRADIUS-Proxied-To = 127.0.0.1
NAS-IP-Address = IP Address
NAS-Port = 116
Framed-MTU = 1400
Called-Station-Id = "00:1e:35:7f:ec:35"
Calling-Station-Id = "00:35:5c:68:c0:08"
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "Wireless_Test"
Service-Type = Framed-User
Siemens-AP-Serial = "0600010084050956"
Siemens-AP-Name = "TEST"
Siemens-VNS-Name = "Wireless_Test"
Siemens-SSID = "Wireless_Test"
Siemens-BSS-MAC = "00:1e:35:7f:ec:35"
server inner-tunnel {
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[mschap] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[ldap] performing user authorization for test
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> test
[ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=test)
[ldap] expand: dc=example,dc=com -> dc=example,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=example,dc=com, with filter (sAMAccountName=test)
[ldap] looking for check items in directory...
[ldap] extensionAttribute15 -> Connect-Type == "wireless"
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] Setting Auth-Type = LDAP
[ldap] user test authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++? if ("%{Huntgroup-Name}" == "wirelesstest")
expand: %{Huntgroup-Name} ->
? Evaluating ("%{Huntgroup-Name}" == "wirelesstest") -> TRUE
++? if ("%{Huntgroup-Name}" == "wirelesstest") -> TRUE
++- entering if ("%{Huntgroup-Name}" == wirelesstest) {...}
+++? if (control:Connect-Type == wireless)
? Evaluating (control:Connect-Type == wireless) -> TRUE
+++? if (control:Connect-Type == wireless) -> TRUE
+++- entering if (control:Connect-Type == wireless) {...}
++++[control] returns ok
+++- if (control:Connect-Type == wireless) returns ok
+++ ... skipping else for request 1: Preceding "if" was taken
++- if ("%{Huntgroup-Name}" == wirelesstest) returns ok
++? if (control:Ldap-UserDN =~ /^[^,]+,OU=([^,]+),/)
? Evaluating (control:Ldap-UserDN =~ /^[^,]+,OU=([^,]+),/) -> TRUE
++? if (control:Ldap-UserDN =~ /^[^,]+,OU=([^,]+),/) -> TRUE
++- entering if (control:Ldap-UserDN =~ /^[^,]+,OU=([^,]+),/) {...}
expand: %{1} -> Staff
+++[control] returns ok
++- if (control:Ldap-UserDN =~ /^[^,]+,OU=([^,]+),/) returns ok
[files] users: Matched entry DEFAULT at line 16
[files] expand: Enterasys:version=1:policy=%{control:Tmp-String-1} -> Enterasys:version=1:policy=Staff
++[files] returns ok
++? if ("%{Huntgroup-Name}" == "wirelesstest")
expand: %{Huntgroup-Name} ->
? Evaluating ("%{Huntgroup-Name}" == "wirelesstest") -> TRUE
++? if ("%{Huntgroup-Name}" == "wirelesstest") -> TRUE
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = LDAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group LDAP {...}
[ldap] login attempt by "test" with password "password"
[ldap] user DN: CN=test,OU=Staff,OU=Employees,OU=Users,DC=example,DC=com
[ldap] (re)connect to example.com:389, authentication 1
[ldap] bind as CN=test,OU=Staff,OU=Employees,OU=Users,DC=example,DC=com/test to example.com:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] user test authenticated succesfully
++[ldap] returns ok
Login OK: [test] (from client Primary_controller port 116 cli 00:1e:35:7f:ec:35 via TLS tunnel)
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group post-auth {...}
[reply_log] expand: /usr/local/var/log/radius/radacct/reply-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/reply-detail-20121204
[reply_log] /usr/local/var/log/radius/radacct/reply-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/reply-detail-20121204
[reply_log] expand: %t -> Tue Dec 4 13:50:45 2012
++[reply_log] returns ok
} # server inner-tunnel
[ttls] Got tunneled reply code 2
Filter-Id := "Enterasys:version=1:policy=Staff"
[ttls] Got tunneled Access-Accept
[eap] Freeing handler
++[eap] returns ok
Login OK: [test] (from client Primary_controller port 116 cli 00:1e:35:7f:ec:35)
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 239 to IP Address port 57700
Filter-Id := "Enterasys:version=1:policy=Staff"
MS-MPPE-Recv-Key = 0xfc711ebb1ff8ea41b4f0d9bf76e424796aca3d9b7518154f00ab6f1e4d0cc474
MS-MPPE-Send-Key = 0x9fb92d6b82ec067b31dacae9e16e63ff86d702501266713701a377f220e4cbbb
EAP-Message = 0x03060004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "test"
Finished request 5.
Going to the next request
Waking up in 2.4 seconds.
Cleaning up request 0 ID 231 with timestamp +5
Waking up in 1.0 seconds.
Cleaning up request 1 ID 252 with timestamp +6
Cleaning up request 2 ID 86 with timestamp +7
Cleaning up request 3 ID 227 with timestamp +7
Waking up in 0.3 seconds.
Cleaning up request 4 ID 169 with timestamp +7
Waking up in 1.0 seconds.
Cleaning up request 5 ID 239 with timestamp +7
Ready to process requests.
In /usr/local/var/log/radius/radius.log I see the log message as:
Tue Dec 4 15:02:56 2012 : Auth: Login OK: [test] (from client Primary_controller port 116 cli 00:1e:35:7f:ec:35)
I don't get a log line like "Login OK via TLS tunnel".
But none of these settings gives me a response at the client side, although my debug log shows the condition is being checked and Access-Accept or Access-Reject is sent. Any idea if I am missing something in my configuration that is preventing me from getting a response at the client side? I am using the SecureW2 supplicant with EAP-PAP.
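Added example, not part of the post or of FreeRADIUS: a small Python model of how huntgroup matching resolves and how the poster's unlang block then maps the huntgroup and the LDAP-supplied Connect-Type check item to a forced Auth-Type. The huntgroups text and NAS addresses are constructed (the post redacts the real ones), and only `==` check items are modelled.

```python
import re
from typing import Dict, List, Tuple

# Constructed huntgroups text in the raddb/huntgroups format (sample addresses).
HUNTGROUPS_TEXT = """
# name         check items (all must match for the line to match)
wirelesstest   NAS-IP-Address == 192.0.2.10
wirelesstest   NAS-IP-Address == 192.0.2.11
vpntest        NAS-IP-Address == 192.0.2.20, NAS-Port-Type == Virtual
"""

Entry = Tuple[str, Dict[str, str]]

def parse_huntgroups(text: str) -> List[Entry]:
    """Parse '<name> <attr> == <value>[, ...]' lines; only '==' is modelled."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, checks = line.split(None, 1)
        items: Dict[str, str] = {}
        for item in checks.split(","):
            m = re.fullmatch(r"\s*([\w-]+)\s*==\s*(\S+)\s*", item)
            if not m:
                raise ValueError(f"unsupported check item: {item!r}")
            items[m.group(1)] = m.group(2)
        entries.append((name, items))
    return entries

def in_huntgroup(request: Dict[str, str], name: str, entries: List[Entry]) -> bool:
    """Huntgroup-Name == name holds when ANY line with that name has all of
    its check items equal to the corresponding request attributes."""
    return any(
        all(request.get(attr) == value for attr, value in items.items())
        for group, items in entries if group == name
    )

def auth_type_override(request: Dict[str, str], control: Dict[str, str],
                       entries: List[Entry]) -> str:
    """The poster's unlang block as a function (added model, not FreeRADIUS code).
    Connect-Type is the control item the ldap module pulled from
    extensionAttribute15 in the log. Returns the forced Auth-Type, or '' when
    the policy does not apply and normal authentication continues."""
    if in_huntgroup(request, "wirelesstest", entries):
        return "Accept" if control.get("Connect-Type") == "wireless" else "Reject"
    return ""
```

Feeding it the tunneled request attributes from a radiusd -X trace shows which huntgroup line a NAS actually hits, which is the first thing to compare against what the unlang evaluation lines in the debug output claim.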