captive portal auth with freeradius

Chitrang Srivastava chitrang.srivastava at gmail.com
Wed Apr 17 14:32:20 CEST 2013


I am using an LDAP server as the datasource.
Attaching logs.




On Wed, Apr 17, 2013 at 5:58 PM, Russell Mike <radius.sir at gmail.com> wrote:

> Hi,
>
> Can you please revise your question and put it in a better way? I am not
> clear; do some more typing. If the captive portal (NAS) is CoovaChilli, this
> works for me.
>
> HS_RAD_PROTO=pap
>
>
> Thanks / Regards
>
>
> On Wed, Apr 17, 2013 at 11:51 AM, Chitrang Srivastava <
> chitrang.srivastava at gmail.com> wrote:
>
>> I am facing an issue: the captive portal server is sending an auth request
>> which is not an EAP message, and hence the FreeRADIUS server is rejecting it. It
>> goes to the users file and finds the last line, Auth-Type: Reject.
>>
>> Can anyone point out how to fix this? I guess if the captive portal sends an EAP
>> message, it will be looked up in eap.conf and then a valid authenticate
>> section can be chosen?
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
-------------- next part --------------
FreeRADIUS Version 2.1.12, for host mips64-octeon-linux-gnu, built on Apr 15 2013 at 15:20:23
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including configuration file /etc/raddb/eap.conf
main {
        allow_core_dumps = yes
}
Core dumps are enabled.
including dictionary file /etc/raddb/dictionary
main {
        name = "radiusd"
        prefix = "/usr"
        localstatedir = "/var"
        sbindir = "/usr/sbin"
        logdir = "syslog"
        run_dir = "/var/run"
        libdir = "/usr/lib/radius"
        radacctdir = "/var/radius/radacct"
        hostname_lookups = no
        max_request_time = 120
        cleanup_delay = 5
        max_requests = 1024
        pidfile = "/var/run/radiusd.pid"
        checkrad = "/usr/sbin/checkrad"
        debug_level = 0
        proxy_requests = yes
 log {
        stripped_names = yes
        auth = yes
        auth_badpass = no
        auth_goodpass = no
 }
 security {
        max_attributes = 200
        reject_delay = 0
        status_server = no
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = yes
        dead_time = 120
        wake_all_if_all_dead = no
 }
radiusd: #### Loading Clients ####
 client 127.0.0.1 {
        require_message_authenticator = no
        secret = "bQEFAwRBkhBnOJefZN0UarGAiYiK0nwzw2y3n7sm89l2nXHzTM+3i60rVoTpMbjh"
        shortname = "localhost"
 }
 client 192.168.10.101/24 {
        require_message_authenticator = no
        secret = "testing123"
        shortname = "private-network-1"
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_ldap
 Module: Instantiating module "ldap_secondary" from file /etc/raddb/radiusd.conf
  ldap ldap_secondary {
        server = "192.168.4.11"
        port = 389
        password = "Symb0l at 123"
        identity = "cn=symbol,cn=users,DC=MotorolaSymbol,dc=local"
        net_timeout = 3
        timeout = 6
        timelimit = 6
        tls_mode = no
        start_tls = no
        tls_require_cert = "allow"
        basedn = "cn=Users,DC=MotorolaSymbol,dc=local"
        filter = "(sAMAccountName=%{Stripped-User-Name})"
        base_filter = "(objectclass=radiusprofile)"
        password_attribute = "userPassword"
        auto_header = no
        access_attr = "dialupacces"
        access_attr_used_for_allow = no
        chase_referrals = yes
        rebind = yes
        groupname_attribute = "cn"
        groupmembership_filter = "(&(objectClass=Group)(member=%{control:Ldap-UserDn}))"
        groupmembership_attribute = "radiusGroupName"
        dictionary_mapping = "/var/etc/raddb/ldap.attrmap"
        ldap_debug = 0
        ldap_connections_number = 5
        compare_check_items = no
        do_xlat = yes
        set_auth_type = yes
        group_verification = yes
        dead_period = 120
  }
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute ldap_secondary-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for ldap_secondary-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap_secondary
rlm_ldap: Over-riding set_auth_type, as there is no module ldap_secondary listed in the "authenticate" section.
rlm_ldap: reading ldap<->radius mappings from file /var/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
rlm_ldap: LDAP radiusWirelessAccessGroup mapped to RADIUS Symbol-User-Group
conns: 0x101568c8
 Module: Instantiating module "ldap_primary" from file /etc/raddb/radiusd.conf
  ldap ldap_primary {
        server = "ldap.your.domain"
        port = 389
        password = "secret"
        identity = "cn=Manager,o=SYMBOL,c=INDIA"
        net_timeout = 10
        timeout = 20
        timelimit = 20
        tls_mode = no
        start_tls = no
        tls_require_cert = "allow"
        basedn = "o=SYMBOL,c=INDIA"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        base_filter = "(objectclass=radiusprofile)"
        password_attribute = "userPassword"
        auto_header = no
        access_attr = "dialupacces"
        access_attr_used_for_allow = no
        chase_referrals = yes
        rebind = yes
        groupname_attribute = "cn"
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        groupmembership_attribute = "radiusGroupName"
        dictionary_mapping = "/var/etc/raddb/ldap.attrmap"
        ldap_debug = 0
        ldap_connections_number = 5
        compare_check_items = no
        do_xlat = yes
        set_auth_type = yes
        group_verification = yes
        dead_period = 120
  }
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute ldap_primary-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for ldap_primary-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap_primary
rlm_ldap: Over-riding set_auth_type, as there is no module ldap_primary listed in the "authenticate" section.
rlm_ldap: reading ldap<->radius mappings from file /var/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
rlm_ldap: LDAP radiusWirelessAccessGroup mapped to RADIUS Symbol-User-Group
conns: 0x10157f40
 Module: Linked to module rlm_logintime
 Module: Instantiating module "logintime" from file /etc/raddb/radiusd.conf
  logintime {
        reply-message = "Outside"
        minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
 modules {
  Module: Creating Auth-Type = ldap_primary
  Module: Creating Auth-Type = ldap_secondary
  Module: Creating Auth-Type = DUAL-LDAP
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating module "pap" from file /etc/raddb/radiusd.conf
  pap {
        encryption_scheme = "auto"
        auto_header = no
  }
 Module: Linked to module rlm_mschap
 Module: Instantiating module "mschap" from file /etc/raddb/radiusd.conf
  mschap {
        use_mppe = yes
        require_encryption = no
        require_strong = no
        with_ntdomain_hack = yes
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-respo"
        allow_retry = yes
  }
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /etc/raddb/eap.conf
  eap {
        default_eap_type = "ttls"
        timer_expire = 30
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 2048
  }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
        rsa_key_exchange = no
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        CA_path = "/var/etc/raddb/cacerts"
        pem_file_type = yes
        private_key_file = "/etc2/CertMgr/certs/default-trustpoint/privkey.pem"
        certificate_file = "/etc2/CertMgr/certs/default-trustpoint/servcert.pem"
        private_key_password = "whatever"
        dh_file = "/etc2/raddb/dh"
        random_file = "/etc2/raddb/random"
        fragment_size = 1024
        include_length = yes
        check_crl = no
        ecdh_curve = "prime256v1"
    cache {
        enable = no
        lifetime = 1
        max_entries = 128
    }
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        include_length = yes
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
        with_ntdomain_hack = no
        send_error = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating module "preprocess" from file /etc/raddb/radiusd.conf
  preprocess {
        huntgroups = "/etc/raddb/huntgroups"
        hints = "/var/etc/raddb/hints"
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
        with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_realm
 Module: Instantiating module "suffix_oblic" from file /etc/raddb/radiusd.conf
  realm suffix_oblic {
        format = "suffix"
        delimiter = "/"
        ignore_default = no
        ignore_null = no
  }
 Module: Instantiating module "suffix_oblic_fs" from file /etc/raddb/radiusd.conf
  realm suffix_oblic_fs {
        format = "suffix"
        delimiter = "\"
        ignore_default = no
        ignore_null = no
  }
 Module: Instantiating module "prefix_oblic" from file /etc/raddb/radiusd.conf
  realm prefix_oblic {
        format = "prefix"
        delimiter = "/"
        ignore_default = no
        ignore_null = no
  }
 Module: Instantiating module "prefix_oblic_fs" from file /etc/raddb/radiusd.conf
  realm prefix_oblic_fs {
        format = "prefix"
        delimiter = "\"
        ignore_default = no
        ignore_null = no
  }
 Module: Instantiating module "suffix_at" from file /etc/raddb/radiusd.conf
  realm suffix_at {
        format = "suffix"
        delimiter = "@"
        ignore_default = no
        ignore_null = no
  }
 Module: Instantiating module "prefix_at" from file /etc/raddb/radiusd.conf
  realm prefix_at {
        format = "prefix"
        delimiter = "@"
        ignore_default = no
        ignore_null = no
  }
 Module: Instantiating module "suffix_percent" from file /etc/raddb/radiusd.conf
  realm suffix_percent {
        format = "suffix"
        delimiter = "%"
        ignore_default = no
        ignore_null = no
  }
 Module: Instantiating module "prefix_percent" from file /etc/raddb/radiusd.conf
  realm prefix_percent {
        format = "prefix"
        delimiter = "%"
        ignore_default = no
        ignore_null = no
  }
 Module: Linked to module rlm_attr_rewrite
 Module: Instantiating module "copy_user_name" from file /etc/raddb/radiusd.conf
  attr_rewrite copy_user_name {
        attribute = "Stripped-User-Name"
        searchfor = ""
        searchin = "packet"
        replacewith = "%{User-Name}"
        append = no
        ignore_case = yes
        new_attribute = yes
        max_matches = 10
  }
 Module: Linked to module rlm_files
 Module: Instantiating module "files" from file /etc/raddb/radiusd.conf
  files {
        usersfile = "/etc/raddb/users"
        acctusersfile = "/etc/raddb/acct_users"
        compat = "no"
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module "acct_unique" from file /etc/raddb/radiusd.conf
  acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating module "detail" from file /etc/raddb/radiusd.conf
  detail {
        detailfile = "/var/radius/radacct/accounting.log"
        header = "%t"
        detailperm = 438
        dirperm = 493
        locking = no
        log_packet_header = no
  }
 Module: Checking post-proxy {...} for more modules to load
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
        bind_address = *
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.15 port 34356, id=6, length=232
        User-Name = "symbol"
        Acct-Session-Id = "6885ADE4-0026CC77E7C2-0000000010"
        Calling-Station-Id = "00-26-CC-77-E7-C2"
        Called-Station-Id = "00-23-68-73-61-00:chits_cap_test"
        Symbol-Wlan-Index = "chits_cap_test"
        NAS-Port = 1
        NAS-Port-Type = Wireless-802.11
        Framed-MTU = 1400
        Service-Type = Framed-User
        NAS-IP-Address = 192.168.10.15
        NAS-Identifier = "ap650-85ADE4"
        NAS-Port-Id = "radio1"
        Connect-Info = "CONNECT 54Mbps 802.11bg"
        User-Password = "Symb0l at 123"
# Executing section authorize from file /etc/raddb/radiusd.conf
+- entering group authorize {...}
++[preprocess] returns ok
[suffix_oblic] No '/' in User-Name = "symbol", looking up realm NULL
[suffix_oblic] No such realm "NULL"
++[suffix_oblic] returns noop
[suffix_oblic_fs] No '\' in User-Name = "symbol", looking up realm NULL
[suffix_oblic_fs] No such realm "NULL"
++[suffix_oblic_fs] returns noop
[prefix_oblic] No '/' in User-Name = "symbol", looking up realm NULL
[prefix_oblic] No such realm "NULL"
++[prefix_oblic] returns noop
[prefix_oblic_fs] No '\' in User-Name = "symbol", looking up realm NULL
[prefix_oblic_fs] No such realm "NULL"
++[prefix_oblic_fs] returns noop
[suffix_at] No '@' in User-Name = "symbol", looking up realm NULL
[suffix_at] No such realm "NULL"
++[suffix_at] returns noop
[prefix_at] No '@' in User-Name = "symbol", looking up realm NULL
[prefix_at] No such realm "NULL"
++[prefix_at] returns noop
[suffix_percent] No '%' in User-Name = "symbol", looking up realm NULL
[suffix_percent] No such realm "NULL"
++[suffix_percent] returns noop
[prefix_percent] No '%' in User-Name = "symbol", looking up realm NULL
[prefix_percent] No such realm "NULL"
++[prefix_percent] returns noop
[copy_user_name]        expand: %{User-Name} -> symbol
copy_user_name: Added attribute Stripped-User-Name with value 'symbol'
++[copy_user_name] returns ok
++[mschap] returns noop
  [ldap_secondary] Entering ldap_groupcmp()
[files]         expand: cn=Users,DC=MotorolaSymbol,dc=local -> cn=Users,DC=MotorolaSymbol,dc=local
[files]         expand: (sAMAccountName=%{Stripped-User-Name}) -> (sAMAccountName=symbol)
  [ldap_secondary] ldap_get_conn: Checking Id: 0
  [ldap_secondary] ldap_get_conn: Got Id: 0
  [ldap_secondary] attempting LDAP reconnection
  [ldap_secondary] (re)connect to 192.168.4.11:389, authentication 0
Apr 17 16:59:36 2013: %DAEMON-6-INFO: lighttpd[1611]: 192.168.10.64 192.168.10.101:880 - "POST /cgi-bin/hslogin.cgi HTTP/1.1" 200 726 "http://192.168.10.101"
Apr 17 16:59:36 2013: ap650-85ADE4 : %CAPTIVE-PORTAL-6-AUTH_FAILED: Captive-portal authentication failed for client 00-26-CC-77-E7-C2(192.168.10.64)
Apr 17 16:59:37 2013: %DAEMON-6-INFO: lighttpd[1611]: 192.168.10.64 192.168.10.101:880 - "GET /test/fail.html?hs_server=192.168.10.101?Qv=it_qpmjdz=uftu at bbb"
  [ldap_secondary] bind as cn=symbol,cn=users,DC=MotorolaSymbol,dc=local/Symb0l at 123 to 192.168.4.11:389
  [ldap_secondary] waiting for bind result ...
  [ldap_secondary] Bind was successful
  [ldap_secondary] performing search in cn=Users,DC=MotorolaSymbol,dc=local, with filter (sAMAccountName=symbol)
  [ldap_secondary] ldap_release_conn: Release Id: 0
[files]         expand: (&(objectClass=Group)(member=%{control:Ldap-UserDn})) -> (&(objectClass=Group)(member=CN\3dsymbol\2cCN\3dUsers\2cDC\3dMotorolaSymbol)
  [ldap_secondary] ldap_get_conn: Checking Id: 0
  [ldap_secondary] ldap_get_conn: Got Id: 0
  [ldap_secondary] performing search in cn=Users,DC=MotorolaSymbol,dc=local, with filter (&(cn=test)(&(objectClass=Group)(member=CN\3dsymbol\2cCN\3dUsers\2c)
rlm_ldap::ldap_groupcmp: User found in group test
  [ldap_secondary] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 18
++[files] returns ok
++- entering policy redundant {...}
[ldap_secondary] rlm_ldap: performing user authorization for symbol
[ldap_secondary]        expand: (sAMAccountName=%{Stripped-User-Name}) -> (sAMAccountName=symbol)
[ldap_secondary]        expand: cn=Users,DC=MotorolaSymbol,dc=local -> cn=Users,DC=MotorolaSymbol,dc=local
  [ldap_secondary] ldap_get_conn: Checking Id: 0
  [ldap_secondary] ldap_get_conn: Got Id: 0
  [ldap_secondary] performing search in cn=Users,DC=MotorolaSymbol,dc=local, with filter (sAMAccountName=symbol)
[ldap_secondary] looking for check items in directory...
[ldap_secondary] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap_secondary] user symbol authorized to use remote access
  [ldap_secondary] ldap_release_conn: Release Id: 0
+++[ldap_secondary] returns ok
++- policy redundant returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
rlm_logintime: Checking Login-Time: 'Any0000-2359'
rlm_logintime: timestr returned unlimited
++[logintime] returns ok
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
auth: Failed to validate the user.: [symbol] (from client private-network-1 port 1 cli 00-26-CC-77-E7-C2)
Login incorrect: [symbol] (from client private-network-1 port 1 cli 00-26-CC-77-E7-C2)
Sending Access-Reject of id 6 to 192.168.10.15 port 34356
        Symbol-User-Group = "test"
        Symbol-Downlink-Limit-Kbps = 0
        Symbol-Uplink-Limit-Kbps = 0
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.15 port 34356, id=6, length=232
Sending duplicate reply to client private-network-1 port 34356 - ID: 6
Sending Access-Reject of id 6 to 192.168.10.15 port 34356
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.15 port 34356, id=6, length=232
Sending duplicate reply to client private-network-1 port 34356 - ID: 6
Sending Access-Reject of id 6 to 192.168.10.15 port 34356
Waking up in 4.9 seconds.
Cleaning up request 0 ID 6 with timestamp +6
Ready to process requests.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: users
Type: application/octet-stream
Size: 234 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20130417/125ade4c/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: radiusd.conf
Type: application/octet-stream
Size: 7176 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20130417/125ade4c/attachment-0003.obj>
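
The debug output above ends in `ERROR: No authenticate method (Auth-Type) found for the request`. As an added example (not part of the original post and not FreeRADIUS code), this Python script parses debug output of that shape and reports which logged lines explain why no Auth-Type was set. The sample input is constructed (address 192.0.2.15, user `alice`), and `parse` and `diagnose` are names chosen here.

```python
import re

# Constructed sample, abridged to the line shapes that appear in the log above.
SAMPLE = """\
rlm_ldap: Over-riding set_auth_type, as there is no module ldap_secondary listed in the "authenticate" section.
rad_recv: Access-Request packet from host 192.0.2.15 port 34356, id=6, length=232
        User-Name = "alice"
        User-Password = "REDACTED"
# Executing section authorize from file /etc/raddb/radiusd.conf
++[preprocess] returns ok
+++[ldap_secondary] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Sending Access-Reject of id 6 to 192.0.2.15 port 34356
rad_recv: Access-Request packet from host 192.0.2.15 port 34356, id=6, length=232
Sending duplicate reply to client private-network-1 port 34356 - ID: 6
Sending Access-Reject of id 6 to 192.0.2.15 port 34356
"""

RECV = re.compile(r"^rad_recv: (\S+) packet from host \S+ port \d+, id=(\d+)")
ATTR = re.compile(r"^\s+([A-Za-z0-9-]+) = ")
RET = re.compile(r"^\++\[(\w+)\] returns (\w+)")
SEND = re.compile(r"^Sending (Access-\w+) of id \d+")
OVERRIDE = re.compile(r"^rlm_ldap: Over-riding set_auth_type, as there is no module (\S+) listed")


def parse(text):
    """Return (modules whose set_auth_type was overridden at startup, requests)."""
    overridden, requests, cur = [], [], None
    for line in text.splitlines():
        if m := OVERRIDE.match(line):
            overridden.append(m.group(1))
            continue
        if m := RECV.match(line):
            cur = {"code": m.group(1), "id": int(m.group(2)), "attrs": set(), "returns": {},
                   "reading": True, "no_known_good": False, "no_auth_type": False, "reply": None}
            requests.append(cur)
            continue
        if cur is None:
            continue  # startup config dump, or the tail of a retransmission
        if cur["reading"] and (m := ATTR.match(line)):
            cur["attrs"].add(m.group(1))  # request attributes directly follow rad_recv
            continue
        cur["reading"] = False
        if line.startswith("Sending duplicate reply"):
            requests.pop()  # NAS retransmission of an already answered packet
            cur = None
        elif m := RET.match(line):
            cur["returns"][m.group(1)] = m.group(2)
        elif 'No "known good" password' in line:
            cur["no_known_good"] = True
        elif line.startswith("ERROR: No authenticate method (Auth-Type)"):
            cur["no_auth_type"] = True
        elif m := SEND.match(line):
            cur["reply"] = m.group(1)
    return overridden, requests


def diagnose(req, overridden):
    """Explain, from the logged lines only, why a request ended with no Auth-Type."""
    if not req["no_auth_type"]:
        return []
    findings = []
    if "User-Password" in req["attrs"] and "EAP-Message" not in req["attrs"]:
        findings.append("PAP request (User-Password, no EAP-Message): eap returning noop is expected")
    if req["returns"].get("pap") == "noop" and req["no_known_good"]:
        findings.append("pap returned noop: authorize supplied no known-good password to compare against")
    for name in overridden:
        if req["returns"].get(name) == "ok":
            findings.append(f"{name} authorized the user, but its set_auth_type was overridden at startup")
    return findings


if __name__ == "__main__":
    mods, reqs = parse(SAMPLE)
    for r in reqs:
        print(r["code"], "id", r["id"], "->", r["reply"])
        for f in diagnose(r, mods):
            print("  -", f)
```

Retransmitted packets (`Sending duplicate reply`) are dropped, so each request is reported once.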

