captive portal auth with freeradius
Chitrang Srivastava
chitrang.srivastava at gmail.com
Wed Apr 17 14:32:20 CEST 2013
I am using an LDAP server as the datasource.
Attaching logs.
On Wed, Apr 17, 2013 at 5:58 PM, Russell Mike <radius.sir at gmail.com> wrote:
> Hi,
>
> Can you please revise your question and put it in a better way? I am not
> clear; do some more typing. If the captive portal (NAS) is CoovaChilli, this
> works for me.
>
> HS_RAD_PROTO=pap
>
>
> Thanks / Regards
>
>
> On Wed, Apr 17, 2013 at 11:51 AM, Chitrang Srivastava <
> chitrang.srivastava at gmail.com> wrote:
>
>> I am facing an issue where the captive portal server is sending an auth request
>> which is not an EAP message, and hence the freeradius server is rejecting it; it
>> goes to the users file and finds the last line, Auth-Type: Reject.
>>
>> Can anyone point out how to fix this? I guess if the captive portal sends an EAP
>> message, it will be looked up in eap.conf and then a valid authenticate
>> section can be chosen?
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
-------------- next part --------------
FreeRADIUS Version 2.1.12, for host mips64-octeon-linux-gnu, built on Apr 15 2013 at 15:20:23
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including configuration file /etc/raddb/eap.conf
main {
allow_core_dumps = yes
}
Core dumps are enabled.
including dictionary file /etc/raddb/dictionary
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "syslog"
run_dir = "/var/run"
libdir = "/usr/lib/radius"
radacctdir = "/var/radius/radacct"
hostname_lookups = no
max_request_time = 120
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = yes
auth = yes
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 0
status_server = no
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = yes
dead_time = 120
wake_all_if_all_dead = no
}
radiusd: #### Loading Clients ####
client 127.0.0.1 {
require_message_authenticator = no
secret = "bQEFAwRBkhBnOJefZN0UarGAiYiK0nwzw2y3n7sm89l2nXHzTM+3i60rVoTpMbjh"
shortname = "localhost"
}
client 192.168.10.101/24 {
require_message_authenticator = no
secret = "testing123"
shortname = "private-network-1"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_ldap
Module: Instantiating module "ldap_secondary" from file /etc/raddb/radiusd.conf
ldap ldap_secondary {
server = "192.168.4.11"
port = 389
password = "Symb0l at 123"
identity = "cn=symbol,cn=users,DC=MotorolaSymbol,dc=local"
net_timeout = 3
timeout = 6
timelimit = 6
tls_mode = no
start_tls = no
tls_require_cert = "allow"
basedn = "cn=Users,DC=MotorolaSymbol,dc=local"
filter = "(sAMAccountName=%{Stripped-User-Name})"
base_filter = "(objectclass=radiusprofile)"
password_attribute = "userPassword"
auto_header = no
access_attr = "dialupacces"
access_attr_used_for_allow = no
chase_referrals = yes
rebind = yes
groupname_attribute = "cn"
groupmembership_filter = "(&(objectClass=Group)(member=%{control:Ldap-UserDn}))"
groupmembership_attribute = "radiusGroupName"
dictionary_mapping = "/var/etc/raddb/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
set_auth_type = yes
group_verification = yes
dead_period = 120
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute ldap_secondary-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for ldap_secondary-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap_secondary
rlm_ldap: Over-riding set_auth_type, as there is no module ldap_secondary listed in the "authenticate" section.
rlm_ldap: reading ldap<->radius mappings from file /var/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
rlm_ldap: LDAP radiusWirelessAccessGroup mapped to RADIUS Symbol-User-Group
conns: 0x101568c8
Module: Instantiating module "ldap_primary" from file /etc/raddb/radiusd.conf
ldap ldap_primary {
server = "ldap.your.domain"
port = 389
password = "secret"
identity = "cn=Manager,o=SYMBOL,c=INDIA"
net_timeout = 10
timeout = 20
timelimit = 20
tls_mode = no
start_tls = no
tls_require_cert = "allow"
basedn = "o=SYMBOL,c=INDIA"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
password_attribute = "userPassword"
auto_header = no
access_attr = "dialupacces"
access_attr_used_for_allow = no
chase_referrals = yes
rebind = yes
groupname_attribute = "cn"
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
groupmembership_attribute = "radiusGroupName"
dictionary_mapping = "/var/etc/raddb/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
set_auth_type = yes
group_verification = yes
dead_period = 120
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute ldap_primary-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for ldap_primary-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap_primary
rlm_ldap: Over-riding set_auth_type, as there is no module ldap_primary listed in the "authenticate" section.
rlm_ldap: reading ldap<->radius mappings from file /var/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
rlm_ldap: LDAP radiusWirelessAccessGroup mapped to RADIUS Symbol-User-Group
conns: 0x10157f40
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file /etc/raddb/radiusd.conf
logintime {
reply-message = "Outside"
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
modules {
Module: Creating Auth-Type = ldap_primary
Module: Creating Auth-Type = ldap_secondary
Module: Creating Auth-Type = DUAL-LDAP
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/raddb/radiusd.conf
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/raddb/radiusd.conf
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-respo"
allow_retry = yes
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/raddb/eap.conf
eap {
default_eap_type = "ttls"
timer_expire = 30
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/var/etc/raddb/cacerts"
pem_file_type = yes
private_key_file = "/etc2/CertMgr/certs/default-trustpoint/privkey.pem"
certificate_file = "/etc2/CertMgr/certs/default-trustpoint/servcert.pem"
private_key_password = "whatever"
dh_file = "/etc2/raddb/dh"
random_file = "/etc2/raddb/random"
fragment_size = 1024
include_length = yes
check_crl = no
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 1
max_entries = 128
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
include_length = yes
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /etc/raddb/radiusd.conf
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/var/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_realm
Module: Instantiating module "suffix_oblic" from file /etc/raddb/radiusd.conf
realm suffix_oblic {
format = "suffix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
Module: Instantiating module "suffix_oblic_fs" from file /etc/raddb/radiusd.conf
realm suffix_oblic_fs {
format = "suffix"
delimiter = "\"
ignore_default = no
ignore_null = no
}
Module: Instantiating module "prefix_oblic" from file /etc/raddb/radiusd.conf
realm prefix_oblic {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
Module: Instantiating module "prefix_oblic_fs" from file /etc/raddb/radiusd.conf
realm prefix_oblic_fs {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
}
Module: Instantiating module "suffix_at" from file /etc/raddb/radiusd.conf
realm suffix_at {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Instantiating module "prefix_at" from file /etc/raddb/radiusd.conf
realm prefix_at {
format = "prefix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Instantiating module "suffix_percent" from file /etc/raddb/radiusd.conf
realm suffix_percent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
Module: Instantiating module "prefix_percent" from file /etc/raddb/radiusd.conf
realm prefix_percent {
format = "prefix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_attr_rewrite
Module: Instantiating module "copy_user_name" from file /etc/raddb/radiusd.conf
attr_rewrite copy_user_name {
attribute = "Stripped-User-Name"
searchfor = ""
searchin = "packet"
replacewith = "%{User-Name}"
append = no
ignore_case = yes
new_attribute = yes
max_matches = 10
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/raddb/radiusd.conf
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
compat = "no"
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /etc/raddb/radiusd.conf
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /etc/raddb/radiusd.conf
detail {
detailfile = "/var/radius/radacct/accounting.log"
header = "%t"
detailperm = 438
dirperm = 493
locking = no
log_packet_header = no
}
Module: Checking post-proxy {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
bind_address = *
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.15 port 34356, id=6, length=232
User-Name = "symbol"
Acct-Session-Id = "6885ADE4-0026CC77E7C2-0000000010"
Calling-Station-Id = "00-26-CC-77-E7-C2"
Called-Station-Id = "00-23-68-73-61-00:chits_cap_test"
Symbol-Wlan-Index = "chits_cap_test"
NAS-Port = 1
NAS-Port-Type = Wireless-802.11
Framed-MTU = 1400
Service-Type = Framed-User
NAS-IP-Address = 192.168.10.15
NAS-Identifier = "ap650-85ADE4"
NAS-Port-Id = "radio1"
Connect-Info = "CONNECT 54Mbps 802.11bg"
User-Password = "Symb0l at 123"
# Executing section authorize from file /etc/raddb/radiusd.conf
+- entering group authorize {...}
++[preprocess] returns ok
[suffix_oblic] No '/' in User-Name = "symbol", looking up realm NULL
[suffix_oblic] No such realm "NULL"
++[suffix_oblic] returns noop
[suffix_oblic_fs] No '\' in User-Name = "symbol", looking up realm NULL
[suffix_oblic_fs] No such realm "NULL"
++[suffix_oblic_fs] returns noop
[prefix_oblic] No '/' in User-Name = "symbol", looking up realm NULL
[prefix_oblic] No such realm "NULL"
++[prefix_oblic] returns noop
[prefix_oblic_fs] No '\' in User-Name = "symbol", looking up realm NULL
[prefix_oblic_fs] No such realm "NULL"
++[prefix_oblic_fs] returns noop
[suffix_at] No '@' in User-Name = "symbol", looking up realm NULL
[suffix_at] No such realm "NULL"
++[suffix_at] returns noop
[prefix_at] No '@' in User-Name = "symbol", looking up realm NULL
[prefix_at] No such realm "NULL"
++[prefix_at] returns noop
[suffix_percent] No '%' in User-Name = "symbol", looking up realm NULL
[suffix_percent] No such realm "NULL"
++[suffix_percent] returns noop
[prefix_percent] No '%' in User-Name = "symbol", looking up realm NULL
[prefix_percent] No such realm "NULL"
++[prefix_percent] returns noop
[copy_user_name] expand: %{User-Name} -> symbol
copy_user_name: Added attribute Stripped-User-Name with value 'symbol'
++[copy_user_name] returns ok
++[mschap] returns noop
[ldap_secondary] Entering ldap_groupcmp()
[files] expand: cn=Users,DC=MotorolaSymbol,dc=local -> cn=Users,DC=MotorolaSymbol,dc=local
[files] expand: (sAMAccountName=%{Stripped-User-Name}) -> (sAMAccountName=symbol)
[ldap_secondary] ldap_get_conn: Checking Id: 0
[ldap_secondary] ldap_get_conn: Got Id: 0
[ldap_secondary] attempting LDAP reconnection
[ldap_secondary] (re)connect to 192.168.4.11:389, authentication 0
Apr 17 16:59:36 2013: %DAEMON-6-INFO: lighttpd[1611]: 192.168.10.64 192.168.10.101:880 - "POST /cgi-bin/hslogin.cgi HTTP/1.1" 200 726 "http://192.168.10.101"
Apr 17 16:59:36 2013: ap650-85ADE4 : %CAPTIVE-PORTAL-6-AUTH_FAILED: Captive-portal authentication failed for client 00-26-CC-77-E7-C2(192.168.10.64)
Apr 17 16:59:37 2013: %DAEMON-6-INFO: lighttpd[1611]: 192.168.10.64 192.168.10.101:880 - "GET /test/fail.html?hs_server=192.168.10.101?Qv=it_qpmjdz=uftu at bbb"
[ldap_secondary] bind as cn=symbol,cn=users,DC=MotorolaSymbol,dc=local/Symb0l at 123 to 192.168.4.11:389
[ldap_secondary] waiting for bind result ...
[ldap_secondary] Bind was successful
[ldap_secondary] performing search in cn=Users,DC=MotorolaSymbol,dc=local, with filter (sAMAccountName=symbol)
[ldap_secondary] ldap_release_conn: Release Id: 0
[files] expand: (&(objectClass=Group)(member=%{control:Ldap-UserDn})) -> (&(objectClass=Group)(member=CN\3dsymbol\2cCN\3dUsers\2cDC\3dMotorolaSymbol)
[ldap_secondary] ldap_get_conn: Checking Id: 0
[ldap_secondary] ldap_get_conn: Got Id: 0
[ldap_secondary] performing search in cn=Users,DC=MotorolaSymbol,dc=local, with filter (&(cn=test)(&(objectClass=Group)(member=CN\3dsymbol\2cCN\3dUsers\2c)
rlm_ldap::ldap_groupcmp: User found in group test
[ldap_secondary] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 18
++[files] returns ok
++- entering policy redundant {...}
[ldap_secondary] rlm_ldap: performing user authorization for symbol
[ldap_secondary] expand: (sAMAccountName=%{Stripped-User-Name}) -> (sAMAccountName=symbol)
[ldap_secondary] expand: cn=Users,DC=MotorolaSymbol,dc=local -> cn=Users,DC=MotorolaSymbol,dc=local
[ldap_secondary] ldap_get_conn: Checking Id: 0
[ldap_secondary] ldap_get_conn: Got Id: 0
[ldap_secondary] performing search in cn=Users,DC=MotorolaSymbol,dc=local, with filter (sAMAccountName=symbol)
[ldap_secondary] looking for check items in directory...
[ldap_secondary] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap_secondary] user symbol authorized to use remote access
[ldap_secondary] ldap_release_conn: Release Id: 0
+++[ldap_secondary] returns ok
++- policy redundant returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
rlm_logintime: Checking Login-Time: 'Any0000-2359'
rlm_logintime: timestr returned unlimited
++[logintime] returns ok
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
auth: Failed to validate the user.: [symbol] (from client private-network-1 port 1 cli 00-26-CC-77-E7-C2)
Login incorrect: [symbol] (from client private-network-1 port 1 cli 00-26-CC-77-E7-C2)
Sending Access-Reject of id 6 to 192.168.10.15 port 34356
Symbol-User-Group = "test"
Symbol-Downlink-Limit-Kbps = 0
Symbol-Uplink-Limit-Kbps = 0
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.15 port 34356, id=6, length=232
Sending duplicate reply to client private-network-1 port 34356 - ID: 6
Sending Access-Reject of id 6 to 192.168.10.15 port 34356
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.15 port 34356, id=6, length=232
Sending duplicate reply to client private-network-1 port 34356 - ID: 6
Sending Access-Reject of id 6 to 192.168.10.15 port 34356
Waking up in 4.9 seconds.
Cleaning up request 0 ID 6 with timestamp +6
Ready to process requests.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: users
Type: application/octet-stream
Size: 234 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20130417/125ade4c/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: radiusd.conf
Type: application/octet-stream
Size: 7176 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20130417/125ade4c/attachment-0003.obj>
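Added example (not part of the original post and not FreeRADIUS code): a small triage script that reads debug output like the log above and reports, per request, which logged conditions led to the "No authenticate method (Auth-Type) found" reject. The finding names and the embedded sample (lines excerpted from the log, password replaced by a placeholder) are constructed for illustration; retransmissions are matched on host, port and id, assuming the id is not reused within the excerpt.

```python
import re

# Constructed sample: lines excerpted from the debug output above, with the
# User-Password value replaced by a placeholder, plus one retransmission.
SAMPLE_LOG = '''\
rlm_ldap: Over-riding set_auth_type, as there is no module ldap_secondary listed in the "authenticate" section.
rad_recv: Access-Request packet from host 192.168.10.15 port 34356, id=6, length=232
User-Name = "symbol"
User-Password = "<redacted>"
+++[ldap_secondary] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Sending Access-Reject of id 6 to 192.168.10.15 port 34356
rad_recv: Access-Request packet from host 192.168.10.15 port 34356, id=6, length=232
Sending duplicate reply to client private-network-1 port 34356 - ID: 6
'''

RECV = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port (\d+), id=(\d+)")
ATTR = re.compile(r"^([A-Za-z][\w-]*) = (.*)$")
RET = re.compile(r"^\+*\[(\w+)\] returns (\w+)")
OVERRIDE = re.compile(r"^rlm_ldap: Over-riding set_auth_type, as there is no module (\S+) listed")
NOTES = ("No EAP-Message", "known good", "No authenticate method")


def parse(log):
    """Return (overridden rlm_ldap instances, requests) from debug output."""
    overridden, requests, seen = set(), [], {}
    cur, in_attrs = None, False
    for line in map(str.strip, log.splitlines()):
        if (m := OVERRIDE.match(line)):
            overridden.add(m.group(1))
        elif (m := RECV.match(line)):
            key = m.groups()[1:]  # same host, port and id: a retransmission
            if key in seen:
                seen[key]["retransmits"] += 1
                cur = None
            else:
                cur = seen[key] = {"code": m.group(1), "attrs": {}, "returns": {},
                                   "notes": [], "retransmits": 0}
                requests.append(cur)
                in_attrs = True
        elif cur is None:
            continue  # startup output or the tail of a retransmission
        elif in_attrs and (m := ATTR.match(line)):
            cur["attrs"][m.group(1)] = m.group(2).strip('"')
        elif (m := RET.match(line)):
            in_attrs = False
            cur["returns"][m.group(1)] = m.group(2)
        else:
            in_attrs = False
            if any(s in line for s in NOTES):
                cur["notes"].append(line)
    return overridden, requests


def diagnose(req, overridden):
    """List, from the logged lines alone, why no Auth-Type was selected."""
    notes, ret, out = " ".join(req["notes"]), req["returns"], []
    if "User-Password" in req["attrs"] and "No EAP-Message" in notes:
        out.append("PAP_REQUEST_NOT_EAP")
    if "known good" in notes and ret.get("pap") == "noop":
        out.append("PAP_NO_KNOWN_GOOD_PASSWORD")
    out += ["LDAP_SET_AUTH_TYPE_OVERRIDDEN:" + i for i in sorted(overridden) if ret.get(i) == "ok"]
    if "No authenticate method" in notes:
        out.append("REJECTED_NO_AUTH_TYPE")
    return out


if __name__ == "__main__":
    overridden, requests = parse(SAMPLE_LOG)
    for r in requests:
        print(r["attrs"].get("User-Name"), r["retransmits"], diagnose(r, overridden))
```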