LDAP Group Membership
peter.geiser at id.unibe.ch
Fri Apr 25 08:02:53 CEST 2014
When you use AD, the following simple query will do all the hard work…
Recursive Group Memberships
(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})
Or as a config snippet:
group {
	base_dn = 'dc=foo,dc=bar'
	scope = 'sub'
	name_attribute = cn
	# LDAP_MATCHING_RULE_IN_CHAIN (AD-specific): matches every group that
	# contains the user's DN directly or through any depth of nested groups
	membership_filter = "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})"
	cacheable_name = "yes"
	cacheable_dn = "no"
}
- Peter
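The recursive filter above hands the walk up the nesting chain to the directory server. As an added illustration (an editorial example, not part of Peter's reply and not FreeRADIUS or rlm_ldap code), the Python below models what that matching rule does against a constructed in-memory directory that mirrors the nesting Josh describes (sexample5555 in SE_Students, which is in S_Students, which is in students), plus a constructed circular nesting to show why the walk needs a visited set. It shows why the plain (member=DN) filter seen in the debug output fails for this user while the chained filter succeeds, and it escapes the DN before interpolating it into the filter the same way rlm_ldap does in the debug output (\3d for '=', \2c for ','), since an unescaped value would change the meaning of the filter. All DNs, the directory contents and the helper names are assumptions. One further check suggested by the debug output: the group search there is ANDed with (objectClass=posixGroup); native AD groups carry objectClass=group, so a group filter restricted to posixGroup will not find them.

```python
"""Offline model of AD's LDAP_MATCHING_RULE_IN_CHAIN group check.
Editorial example; the directory below is constructed and every DN in it
is an assumption."""
from collections import deque

# OID of the AD extensible matching rule that follows nested membership
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value):
    """RFC 4515 escaping for a value interpolated into a search filter.
    Only '*', '(', ')', '\\' and NUL are mandatory; '=' and ',' are escaped
    too, matching what rlm_ldap emits (\\3d, \\2c). Non-ASCII is escaped
    byte-wise as UTF-8."""
    out = []
    for b in value.encode("utf-8"):
        if b in b"*()\\\x00=," or b >= 0x80:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def unescape_filter_value(value):
    """Inverse of escape_filter_value (what the server does on receipt)."""
    buf = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 2 < len(value):
            buf.append(int(value[i + 1:i + 3], 16))
            i += 3
        else:
            buf.extend(value[i].encode("utf-8"))
            i += 1
    return buf.decode("utf-8")


def direct_filter(user_dn):
    """Non-recursive filter as in the posted config: direct members only."""
    return "(member=%s)" % escape_filter_value(user_dn)


def chained_filter(user_dn):
    """Recursive filter from the reply: members at any nesting depth (AD only)."""
    return "(member:%s:=%s)" % (MATCHING_RULE_IN_CHAIN, escape_filter_value(user_dn))


def cn_of(dn):
    """First RDN value, e.g. 'students' for 'CN=students,OU=...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def _parents(directory, dn):
    """Groups listing dn in 'member'; DNs compared case-insensitively,
    a simplification of AD's DN matching."""
    key = dn.lower()
    return {g for g, members in directory.items()
            if key in {m.lower() for m in members}}


def member_of(directory, dn, transitive):
    """Groups containing dn. With transitive=True the chain is followed
    upward the way the matching rule does; 'found' doubles as the visited
    set so circular nesting (which AD permits) terminates."""
    found = _parents(directory, dn)
    if not transitive:
        return found
    queue = deque(found)
    while queue:
        group = queue.popleft()
        for parent in _parents(directory, group):
            if parent not in found:
                found.add(parent)
                queue.append(parent)
    return found


def matching_groups(directory, ldap_filter):
    """Server-side evaluation of the two filter shapes built above."""
    chained_prefix = "(member:%s:=" % MATCHING_RULE_IN_CHAIN
    if ldap_filter.startswith(chained_prefix):
        transitive, raw = True, ldap_filter[len(chained_prefix):-1]
    elif ldap_filter.startswith("(member="):
        transitive, raw = False, ldap_filter[len("(member="):-1]
    else:
        raise ValueError("filter shape not modelled: %s" % ldap_filter)
    return member_of(directory, unescape_filter_value(raw), transitive)


def ldap_group_check(directory, user_dn, group_name, recursive):
    """Model of the unlang comparison LDAP-Group == "name": true when a
    group with that cn matches the membership filter for user_dn."""
    flt = chained_filter(user_dn) if recursive else direct_filter(user_dn)
    return any(cn_of(g).lower() == group_name.lower()
               for g in matching_groups(directory, flt))


# Constructed directory (assumed DNs): user -> SE_Students -> S_Students ->
# students, plus a circular pair LOOP_A <-> LOOP_B where LOOP_A also holds students.
USER_DN = "CN=sexample5555,OU=se_students,OU=S_students,OU=students,OU=people,DC=our,DC=domain"
SE_STUDENTS = "CN=SE_Students,OU=se_students,OU=S_students,OU=students,OU=people,DC=our,DC=domain"
S_STUDENTS = "CN=S_Students,OU=S_students,OU=students,OU=people,DC=our,DC=domain"
STUDENTS = "CN=students,OU=students,OU=people,DC=our,DC=domain"
LOOP_A = "CN=LOOP_A,OU=groups,DC=our,DC=domain"
LOOP_B = "CN=LOOP_B,OU=groups,DC=our,DC=domain"
DIRECTORY = {
    SE_STUDENTS: {USER_DN},
    S_STUDENTS: {SE_STUDENTS},
    STUDENTS: {S_STUDENTS},
    LOOP_A: {LOOP_B, STUDENTS},
    LOOP_B: {LOOP_A},
}

if __name__ == "__main__":
    for recursive in (False, True):
        flt = chained_filter(USER_DN) if recursive else direct_filter(USER_DN)
        print("recursive=%s filter=%s" % (recursive, flt))
        print("  LDAP-Group == students ->",
              ldap_group_check(DIRECTORY, USER_DN, "students", recursive))
```

Run it stand-alone and the direct filter reports False for "students" while the chained filter reports True, which is exactly the difference between the failing rule in the debug output and the membership_filter in the reply. The escaping helper is the part worth keeping in mind beyond this thread: rlm_ldap escapes %{control:Ldap-UserDn} for you, but anything you splice into a filter from a RADIUS attribute (User-Name, Calling-Station-Id) needs the same treatment or a client can rewrite the filter.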
On 24.04.14 23:13, "Josh Essar" <jessar at kvcc.edu> wrote:
>I am having some problems with ldap group checking. Our students do
>not have a common group that they are a member of. They are all a member
>of a group based on their username (ST_Students for every student that
>has a username that starts with st). We then have groups based off each
>letter of the alphabet (S_Students would contain the SA_Students through
>SZ_Students groups). We then have another group called students, that
>has the A_Students through Z_Students groups.
>
>I know this is overly complex, but that is how our administrative
>computing department has set things up. I would like to use the student
>group to allow access to a wireless network. My current rule is as
>follows.
>
>if ((Called-Station-SSID == "Test2") && (LDAP-Group == "students")) {
> noop
>}
>
>When the test user sexample5555 connects, they get denied because their
>account is a member of the SE_Students group. The SE_Students group is a
>member of the S_Students group, and that group is a member of the
>students group....but the user is not a direct member of the students
>group.
>
>
>Is there an easy solution that I am missing?
>
>
>Here is the full debug output. I know some things are not 100% correct.
>We are still in the testing phase.
>
>freeradius: FreeRADIUS Version 3.0.2, for host x86_64-pc-linux-gnu,
>built on Apr 7 2014 at 08:43:37
>Copyright (C) 1999-2014 The FreeRADIUS server project and contributors
>There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
>PARTICULAR PURPOSE
>You may redistribute copies of FreeRADIUS under the terms of the
>GNU General Public License
>For more information about these matters, see the file named COPYRIGHT
>Starting - reading configuration files ...
>including dictionary file /usr/share/freeradius/dictionary
>including dictionary file /etc/freeradius/dictionary
>including configuration file /etc/freeradius/radiusd.conf
>including configuration file /etc/freeradius/proxy.conf
>including configuration file /etc/freeradius/clients.conf
>including files in directory /etc/freeradius/mods-enabled/
>including configuration file /etc/freeradius/mods-enabled/eap
>including configuration file /etc/freeradius/mods-enabled/preprocess
>including configuration file /etc/freeradius/mods-enabled/expiration
>including configuration file /etc/freeradius/mods-enabled/replicate
>including configuration file /etc/freeradius/mods-enabled/sradutmp
>including configuration file /etc/freeradius/mods-enabled/detail.log
>including configuration file /etc/freeradius/mods-enabled/exec
>including configuration file /etc/freeradius/mods-enabled/realm
>including configuration file /etc/freeradius/mods-enabled/ntlm_auth
>including configuration file /etc/freeradius/mods-enabled/logintime
>including configuration file /etc/freeradius/mods-enabled/attr_filter
>including configuration file /etc/freeradius/mods-enabled/files
>including configuration file /etc/freeradius/mods-enabled/radutmp
>including configuration file /etc/freeradius/mods-enabled/mschap
>including configuration file /etc/freeradius/mods-enabled/cache_eap
>including configuration file /etc/freeradius/mods-enabled/always
>including configuration file /etc/freeradius/mods-enabled/chap
>including configuration file /etc/freeradius/mods-enabled/unpack
>including configuration file /etc/freeradius/mods-enabled/ldap
>including configuration file /etc/freeradius/mods-enabled/detail
>including configuration file /etc/freeradius/mods-enabled/echo
>including configuration file /etc/freeradius/mods-enabled/linelog
>including configuration
>file /etc/freeradius/mods-enabled/dynamic_clients
>including configuration file /etc/freeradius/mods-enabled/utf8
>including files in directory /etc/freeradius/policy.d/
>including configuration file /etc/freeradius/policy.d/eap
>including configuration file /etc/freeradius/policy.d/filter
>including configuration file /etc/freeradius/policy.d/canonicalization
>including configuration file /etc/freeradius/policy.d/operator-name
>including configuration file /etc/freeradius/policy.d/dhcp
>including configuration file /etc/freeradius/policy.d/control
>including configuration file /etc/freeradius/policy.d/accounting
>including configuration file /etc/freeradius/policy.d/cui
>including files in directory /etc/freeradius/sites-enabled/
>including configuration file /etc/freeradius/sites-enabled/wifi
>including configuration file /etc/freeradius/sites-enabled/inner-tunnel
>including configuration file /etc/freeradius/sites-enabled/default
>main {
> security {
> user = "freerad"
> group = "freerad"
> allow_core_dumps = no
> }
>}
>main {
> name = "freeradius"
> prefix = "/usr"
> localstatedir = "/var"
> sbindir = "/usr/sbin"
> logdir = "/var/log/freeradius"
> run_dir = "/var/run/freeradius"
> libdir = "/usr/lib/freeradius"
> radacctdir = "/var/log/freeradius/radacct"
> hostname_lookups = no
> max_request_time = 30
> cleanup_delay = 5
> max_requests = 1024
> pidfile = "/var/run/freeradius/freeradius.pid"
> checkrad = "/usr/sbin/checkrad"
> debug_level = 0
> proxy_requests = yes
> log {
> stripped_names = no
> auth = no
> auth_badpass = no
> auth_goodpass = no
> colourise = yes
> msg_denied = "You are already logged in - access denied"
> }
> security {
> max_attributes = 200
> reject_delay = 1
> status_server = yes
> }
>}
>radiusd: #### Loading Realms and Home Servers ####
> proxy server {
> retry_delay = 5
> retry_count = 3
> default_fallback = no
> dead_time = 120
> wake_all_if_all_dead = no
> }
> home_server localhost {
> ipaddr = 127.0.0.1
> port = 1812
> type = "auth"
> secret = <<< secret >>>
> response_window = 20
> max_outstanding = 65536
> zombie_period = 40
> status_check = "status-server"
> ping_interval = 30
> check_interval = 30
> num_answers_to_alive = 3
> revive_interval = 120
> status_check_timeout = 4
> coa {
> irt = 2
> mrt = 16
> mrc = 5
> mrd = 30
> }
> limit {
> max_connections = 16
> max_requests = 0
> lifetime = 0
> idle_timeout = 0
> }
> }
> realm LOCAL {
> }
> home_server_pool my_auth_failover {
> type = fail-over
> home_server = localhost
> }
>radiusd: #### Loading Clients ####
> client localhost {
> ipaddr = 127.0.0.1
> require_message_authenticator = no
> secret = <<< secret >>>
> nas_type = "other"
> proto = "*"
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> client our-wireless-controller.our.domain {
> require_message_authenticator = no
> secret = <<< secret >>>
> shortname = "ttcbluesocket"
> virtual_server = "wifi"
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
>No 'ipaddr' or 'ipv6addr' field found in client
>our-wireless-controller.our.domain. Please fix your configuration
>Support for old-style clients will be removed in a future release
>radiusd: #### Instantiating modules ####
> instantiate {
> }
> modules {
> # Loaded module rlm_eap
> # Instantiating module "eap" from
>file /etc/freeradius/mods-enabled/eap
> eap {
> default_eap_type = "peap"
> timer_expire = 60
> ignore_unknown_eap_types = no
> mod_accounting_username_bug = no
> max_sessions = 4096
> }
> # Linked to sub-module rlm_eap_md5
> # Linked to sub-module rlm_eap_leap
> # Linked to sub-module rlm_eap_gtc
> gtc {
> challenge = "Password: "
> auth_type = "PAP"
> }
> # Linked to sub-module rlm_eap_tls
> tls {
> tls = "tls-common"
> }
> tls-config tls-common {
> rsa_key_exchange = no
> dh_key_exchange = yes
> rsa_key_length = 512
> dh_key_length = 512
> verify_depth = 0
> ca_path = "/etc/freeradius/certs"
> pem_file_type = yes
> private_key_file = "/etc/freeradius/certs/server.pem"
> certificate_file = "/etc/freeradius/certs/server.pem"
> ca_file = "/etc/freeradius/certs/ca.pem"
> private_key_password = <<< secret >>>
> dh_file = "/etc/freeradius/certs/dh"
> fragment_size = 1024
> include_length = yes
> check_crl = no
> cipher_list = "DEFAULT"
> ecdh_curve = "prime256v1"
> cache {
> enable = yes
> lifetime = 24
> max_entries = 255
> }
> verify {
> }
> ocsp {
> enable = no
> override_cert_url = yes
> url = "http://127.0.0.1/ocsp/"
> use_nonce = yes
> timeout = 0
> softfail = yes
> }
> }
> # Linked to sub-module rlm_eap_ttls
> ttls {
> tls = "tls-common"
> default_eap_type = "md5"
> copy_request_to_tunnel = yes
> use_tunneled_reply = yes
> virtual_server = "inner-tunnel"
> include_length = yes
> require_client_cert = no
> }
>Using cached TLS configuration from previous invocation
> # Linked to sub-module rlm_eap_peap
> peap {
> tls = "tls-common"
> default_method = "mschapv2"
> copy_request_to_tunnel = yes
> use_tunneled_reply = yes
> proxy_tunneled_request_as_eap = yes
> virtual_server = "inner-tunnel"
> soh = no
> require_client_cert = no
> }
>Using cached TLS configuration from previous invocation
> # Linked to sub-module rlm_eap_mschapv2
> mschapv2 {
> with_ntdomain_hack = no
> send_error = no
> }
> # Loaded module rlm_preprocess
> # Instantiating module "preprocess" from
>file /etc/freeradius/mods-enabled/preprocess
> preprocess {
> huntgroups = "/etc/freeradius/mods-config/preprocess/huntgroups"
> hints = "/etc/freeradius/mods-config/preprocess/hints"
> with_ascend_hack = no
> ascend_channels_per_line = 23
> with_ntdomain_hack = no
> with_specialix_jetstream_hack = no
> with_cisco_vsa_hack = no
> with_alvarion_vsa_hack = no
> }
>reading pairlist file /etc/freeradius/mods-config/preprocess/huntgroups
>reading pairlist file /etc/freeradius/mods-config/preprocess/hints
> # Loaded module rlm_expiration
> # Instantiating module "expiration" from
>file /etc/freeradius/mods-enabled/expiration
> # Loaded module rlm_replicate
> # Instantiating module "replicate" from
>file /etc/freeradius/mods-enabled/replicate
> # Loaded module rlm_radutmp
> # Instantiating module "sradutmp" from
>file /etc/freeradius/mods-enabled/sradutmp
> radutmp sradutmp {
> filename = "/var/log/freeradius/sradutmp"
> username = "%{User-Name}"
> case_sensitive = yes
> check_with_nas = yes
> permissions = 420
> caller_id = no
> }
> # Loaded module rlm_detail
> # Instantiating module "auth_log" from
>file /etc/freeradius/mods-enabled/detail.log
> detail auth_log {
> filename =
>"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6
>-Address}}/auth-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> dir_permissions = 493
> locking = no
> log_packet_header = no
> }
>rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
>detail output
> # Instantiating module "reply_log" from
>file /etc/freeradius/mods-enabled/detail.log
> detail reply_log {
> filename =
>"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6
>-Address}}/reply-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> dir_permissions = 493
> locking = no
> log_packet_header = no
> }
> # Instantiating module "pre_proxy_log" from
>file /etc/freeradius/mods-enabled/detail.log
> detail pre_proxy_log {
> filename =
>"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6
>-Address}}/pre-proxy-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> dir_permissions = 493
> locking = no
> log_packet_header = no
> }
> # Instantiating module "post_proxy_log" from
>file /etc/freeradius/mods-enabled/detail.log
> detail post_proxy_log {
> filename =
>"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6
>-Address}}/post-proxy-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> dir_permissions = 493
> locking = no
> log_packet_header = no
> }
> # Loaded module rlm_exec
> # Instantiating module "exec" from
>file /etc/freeradius/mods-enabled/exec
> exec {
> wait = no
> input_pairs = "request"
> shell_escape = yes
> timeout = 10
> }
> # Loaded module rlm_realm
> # Instantiating module "IPASS" from
>file /etc/freeradius/mods-enabled/realm
> realm IPASS {
> format = "prefix"
> delimiter = "/"
> ignore_default = no
> ignore_null = no
> }
> # Instantiating module "suffix" from
>file /etc/freeradius/mods-enabled/realm
> realm suffix {
> format = "suffix"
> delimiter = "@"
> ignore_default = no
> ignore_null = no
> }
> # Instantiating module "realmpercent" from
>file /etc/freeradius/mods-enabled/realm
> realm realmpercent {
> format = "suffix"
> delimiter = "%"
> ignore_default = no
> ignore_null = no
> }
> # Instantiating module "ntdomain" from
>file /etc/freeradius/mods-enabled/realm
> realm ntdomain {
> format = "prefix"
> delimiter = "\"
> ignore_default = no
> ignore_null = no
> }
> # Instantiating module "ntlm_auth" from
>file /etc/freeradius/mods-enabled/ntlm_auth
> exec ntlm_auth {
> wait = yes
> program = "/usr/bin/ntlm_auth --request-nt-key --domain=our.domain
>--username=%{mschap:User-Name} --password=%{User-Password}"
> shell_escape = yes
> }
> # Loaded module rlm_logintime
> # Instantiating module "logintime" from
>file /etc/freeradius/mods-enabled/logintime
> logintime {
> minimum_timeout = 60
> }
> # Loaded module rlm_attr_filter
> # Instantiating module "attr_filter.post-proxy" from
>file /etc/freeradius/mods-enabled/attr_filter
> attr_filter attr_filter.post-proxy {
> filename = "/etc/freeradius/mods-config/attr_filter/post-proxy"
> key = "%{Realm}"
> relaxed = no
> }
>reading pairlist file /etc/freeradius/mods-config/attr_filter/post-proxy
> # Instantiating module "attr_filter.pre-proxy" from
>file /etc/freeradius/mods-enabled/attr_filter
> attr_filter attr_filter.pre-proxy {
> filename = "/etc/freeradius/mods-config/attr_filter/pre-proxy"
> key = "%{Realm}"
> relaxed = no
> }
>reading pairlist file /etc/freeradius/mods-config/attr_filter/pre-proxy
> # Instantiating module "attr_filter.access_reject" from
>file /etc/freeradius/mods-enabled/attr_filter
> attr_filter attr_filter.access_reject {
> filename = "/etc/freeradius/mods-config/attr_filter/access_reject"
> key = "%{User-Name}"
> relaxed = no
> }
>reading pairlist
>file /etc/freeradius/mods-config/attr_filter/access_reject
> # Instantiating module "attr_filter.access_challenge" from
>file /etc/freeradius/mods-enabled/attr_filter
> attr_filter attr_filter.access_challenge {
> filename = "/etc/freeradius/mods-config/attr_filter/access_challenge"
> key = "%{User-Name}"
> relaxed = no
> }
>reading pairlist
>file /etc/freeradius/mods-config/attr_filter/access_challenge
> # Instantiating module "attr_filter.accounting_response" from
>file /etc/freeradius/mods-enabled/attr_filter
> attr_filter attr_filter.accounting_response {
> filename =
>"/etc/freeradius/mods-config/attr_filter/accounting_response"
> key = "%{User-Name}"
> relaxed = no
> }
>reading pairlist
>file /etc/freeradius/mods-config/attr_filter/accounting_response
> # Loaded module rlm_files
> # Instantiating module "files" from
>file /etc/freeradius/mods-enabled/files
> files {
> filename = "/etc/freeradius/mods-config/files/authorize"
> usersfile = "/etc/freeradius/mods-config/files/authorize"
> acctusersfile = "/etc/freeradius/mods-config/files/accounting"
> preproxy_usersfile = "/etc/freeradius/mods-config/files/pre-proxy"
> compat = "no"
> }
>reading pairlist file /etc/freeradius/mods-config/files/authorize
>reading pairlist file /etc/freeradius/mods-config/files/authorize
>reading pairlist file /etc/freeradius/mods-config/files/accounting
>reading pairlist file /etc/freeradius/mods-config/files/pre-proxy
> # Instantiating module "radutmp" from
>file /etc/freeradius/mods-enabled/radutmp
> radutmp {
> filename = "/var/log/freeradius/radutmp"
> username = "%{User-Name}"
> case_sensitive = yes
> check_with_nas = yes
> permissions = 384
> caller_id = yes
> }
> # Loaded module rlm_mschap
> # Instantiating module "mschap" from
>file /etc/freeradius/mods-enabled/mschap
> mschap {
> use_mppe = yes
> require_encryption = no
> require_strong = no
> with_ntdomain_hack = yes
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=
>%{%{Stripped-User-Name}:-%{%{mschap:User-Name}:-None}} --domain=
>%{%{mschap:NT-Domain}:-our.domain} --challenge=
>%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
> ntlm_auth_timeout = 10
> passchange {
> }
> allow_retry = yes
> }
> # Loaded module rlm_cache
> # Instantiating module "cache_eap" from
>file /etc/freeradius/mods-enabled/cache_eap
> cache cache_eap {
> key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
> ttl = 15
> max_entries = 16384
> epoch = 0
> add_stats = no
> }
> # Loaded module rlm_always
> # Instantiating module "reject" from
>file /etc/freeradius/mods-enabled/always
> always reject {
> rcode = "reject"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "fail" from
>file /etc/freeradius/mods-enabled/always
> always fail {
> rcode = "fail"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "ok" from
>file /etc/freeradius/mods-enabled/always
> always ok {
> rcode = "ok"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "handled" from
>file /etc/freeradius/mods-enabled/always
> always handled {
> rcode = "handled"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "invalid" from
>file /etc/freeradius/mods-enabled/always
> always invalid {
> rcode = "invalid"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "userlock" from
>file /etc/freeradius/mods-enabled/always
> always userlock {
> rcode = "userlock"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "notfound" from
>file /etc/freeradius/mods-enabled/always
> always notfound {
> rcode = "notfound"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "noop" from
>file /etc/freeradius/mods-enabled/always
> always noop {
> rcode = "noop"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "updated" from
>file /etc/freeradius/mods-enabled/always
> always updated {
> rcode = "updated"
> simulcount = 0
> mpp = no
> }
> # Loaded module rlm_chap
> # Instantiating module "chap" from
>file /etc/freeradius/mods-enabled/chap
> # Loaded module rlm_unpack
> # Instantiating module "unpack" from
>file /etc/freeradius/mods-enabled/unpack
> # Loaded module rlm_ldap
> # Instantiating module "ldap" from
>file /etc/freeradius/mods-enabled/ldap
> ldap {
> server = "server.our.domain"
> port = 636
> password = <<< secret >>>
> identity = "ACCOUNT"
> user {
> filter = "(cn=%{%{mschap:User-Name}:-%{User-Name}})"
> scope = "sub"
> base_dn = "dc=our,dc=domain"
> access_positive = yes
> }
> group {
> filter = "(objectClass=posixGroup)"
> scope = "sub"
> base_dn = "dc=our,dc=domain"
> name_attribute = "cn"
> membership_attribute = "memberOf"
> membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=
>%{%{mschap:User-Name}:-%{User-Name}}))"
> cacheable_name = no
> cacheable_dn = no
> }
> client {
> filter = "(objectClass=frClient)"
> scope = "sub"
> base_dn = "dc=our,dc=domain"
> attribute {
> identifier = "radiusClientIdentifier"
> shortname = "cn"
> secret = "radiusClientSecret"
> }
> }
> profile {
> filter = "(&)"
> }
> options {
> ldap_debug = 40
> chase_referrals = yes
> rebind = yes
> net_timeout = 1
> res_timeout = 20
> srv_timelimit = 20
> idle = 60
> probes = 3
> interval = 3
> }
> tls {
> start_tls = no
> }
> }
> accounting {
> reference = "%{tolower:type.%{Acct-Status-Type}}"
> }
> post-auth {
> reference = "."
> }
>rlm_ldap (ldap): Initialising connection pool
> pool {
> start = 5
> min = 4
> max = 32
> spare = 3
> uses = 0
> lifetime = 0
> cleanup_interval = 30
> idle_timeout = 60
> retry_delay = 1
> spread = no
> }
>rlm_ldap (ldap): Opening additional connection (0)
>rlm_ldap (ldap): Connecting to server.our.domain:636
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Bind successful
>rlm_ldap (ldap): Opening additional connection (1)
>rlm_ldap (ldap): Connecting to server.our.domain:636
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Bind successful
>rlm_ldap (ldap): Opening additional connection (2)
>rlm_ldap (ldap): Connecting to server.our.domain:636
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Bind successful
>rlm_ldap (ldap): Opening additional connection (3)
>rlm_ldap (ldap): Connecting to server.our.domain:636
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Bind successful
>rlm_ldap (ldap): Opening additional connection (4)
>rlm_ldap (ldap): Connecting to server.our.domain:636
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Bind successful
> # Instantiating module "detail" from
>file /etc/freeradius/mods-enabled/detail
> detail {
> filename =
>"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6
>-Address}}/detail-%Y%m%d"
> header = "%t"
> permissions = 384
> dir_permissions = 493
> locking = no
> log_packet_header = no
> }
> # Instantiating module "echo" from
>file /etc/freeradius/mods-enabled/echo
> exec echo {
> wait = yes
> program = "/bin/echo %{User-Name}"
> input_pairs = "request"
> output_pairs = "reply"
> shell_escape = yes
> }
> # Loaded module rlm_linelog
> # Instantiating module "linelog" from
>file /etc/freeradius/mods-enabled/linelog
> linelog {
> filename = "/var/log/freeradius/linelog"
> permissions = 384
> format = "This is a log message for %{User-Name}"
> reference = "%{%{Packet-Type}:-format}"
> }
> # Loaded module rlm_dynamic_clients
> # Instantiating module "dynamic_clients" from
>file /etc/freeradius/mods-enabled/dynamic_clients
> # Loaded module rlm_utf8
> # Instantiating module "utf8" from
>file /etc/freeradius/mods-enabled/utf8
> } # modules
>radiusd: #### Loading Virtual Servers ####
>server { # from file /etc/freeradius/radiusd.conf
>} # server
>server wifi { # from file /etc/freeradius/sites-enabled/wifi
> # Loading authenticate {...}
> # Loading authorize {...}
> # Loading preacct {...}
> # Loading accounting {...}
> # Loading post-proxy {...}
> # Loading post-auth {...}
>} # server wifi
>server inner-tunnel { # from
>file /etc/freeradius/sites-enabled/inner-tunnel
> # Creating Auth-Type = LDAP
> # Loading authenticate {...}
> # Loading authorize {...}
> # Loading session {...}
> # Loading post-proxy {...}
> # Loading post-auth {...}
>} # server inner-tunnel
>server default { # from file /etc/freeradius/sites-enabled/default
> # Loading authenticate {...}
> # Loading authorize {...}
> # Loading preacct {...}
> # Loading accounting {...}
> # Loading post-proxy {...}
> # Loading post-auth {...}
>} # server default
>radiusd: #### Opening IP addresses and Ports ####
>listen {
> type = "auth"
> ipaddr = *
> port = 1912
> limit {
> max_connections = 26
> lifetime = 0
> idle_timeout = 30
> }
>}
>listen {
> type = "acct"
> ipaddr = *
> port = 0
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
>}
>listen {
> type = "auth"
> ipaddr = 127.0.0.1
> port = 18120
>}
>listen {
> type = "auth"
> ipaddr = *
> port = 1812
> limit {
> max_connections = 26
> lifetime = 0
> idle_timeout = 30
> }
>}
>listen {
> type = "acct"
> ipaddr = *
> port = 0
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
>}
>Listening on auth address * port 1912 as server wifi
>Listening on acct address * port 1813 as server wifi
>Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
>Listening on auth address * port 1812 as server default
>Listening on acct address * port 1813 as server default
>Opening new proxy socket 'proxy address * port 0'
>Listening on proxy address * port 33306
>Ready to process requests.
>rad_recv: Access-Request packet from host WIFI-CONTROLLER-IP port 1034,
>id=39, length=174
> User-Name = 'DOMAIN\\sexample5555'
> NAS-Port = 0
> Called-Station-Id = '00-19-92-04-7E-81:Test2'
> Calling-Station-Id = '00-26-5E-31-33-3B'
> Framed-MTU = 1400
> Attr-26 = 0x000026ef030302
> NAS-Port-Type = Wireless-802.11
> Connect-Info = 'CONNECT 0Mbps 802.11'
> EAP-Message = 0x025c0016014b5643435c736578616d706c6535353535
> Message-Authenticator = 0x8c275779e337acf4e7eaccbf78cad923
>(0) # Executing section authorize from
>file /etc/freeradius/sites-enabled/wifi
>(0) authorize {
>(0) if (Called-Station-Id
>=~
>/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?(
>[0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i)
>(0) if (Called-Station-Id
>=~
>/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?(
>[0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE
>(0) if (Called-Station-Id
>=~
>/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?(
>[0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {
>(0) update request {
>(0) EXPAND %{7}
>(0) --> Test2
>(0) Called-Station-SSID := "Test2"
>(0) } # update request = noop
>(0) } # if (Called-Station-Id
>=~
>/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?(
>[0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) = noop
>(0) if ((Called-Station-SSID == "Test2") && (LDAP-Group ==
>"students"))
>(0) Searching for user in group "students"
>rlm_ldap (ldap): Reserved connection (4)
>(0) EXPAND (cn=%{%{mschap:User-Name}:-%{User-Name}})
>(0) --> (cn=sexample5555)
>(0) EXPAND dc=our,dc=domain
>(0) --> dc=our,dc=domain
>(0) Performing search in 'dc=our,dc=domain' with filter
>'(cn=sexample5555)', scope 'sub'
>(0) Waiting for search result...
>rlm_ldap (ldap): Rebinding to URL
>ldaps://ForestDnsZones.our.domain/DC=ForestDnsZones,DC=our,DC=domain
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Rebinding to URL
>ldaps://domainainDnsZones.our.domain/DC=DomainDnsZones,DC=our,DC=domain
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Rebinding to URL
>ldaps://our.domain/CN=Configuration,DC=our,DC=domain
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Bind successful
>rlm_ldap (ldap): Bind successful
>rlm_ldap (ldap): Bind successful
>User object found at DN
>"CN=sexample5555,OU=OUR-OU,OU=OUR-OU,OU=OUR-OU,OU=people,DC=our,DC=domain"
>(0) Checking for user in group objects
>(0) EXPAND (&(cn=students)(objectClass=posixGroup)(|(member=
>%{control:Ldap-UserDn})(memberUid=
>%{%{mschap:User-Name}:-%{User-Name}})))
>(0) --> (&(cn=students)(objectClass=posixGroup)(|(member=CN
>\3dsexample5555\2cOU\3dse_students\2cOU\3dS_students\2cOU\3dstudents
>\2cOU\3dpeople\2cDC\3dour\2cDC\3ddom)(memberUid=sexample5555)))
>(0) EXPAND dc=our,dc=domain
>(0) --> dc=our,dc=domain
>(0) Waiting for bind result...
>(0) Bind successful
>(0) Performing search in 'dc=our,dc=domain' with filter
>'(&(cn=students)(objectClass=posixGroup)(|(member=CN\3dsexample5555\2cOU
>\3dse_students\2cOU\3dS_students\2cOU\3dstudents\2cOU\3dpeople\2cDC
>\3dour\2cDC\3ddom)(memberUid=sexample5555)))', scope 'sub'
>(0) Waiting for search result...
>rlm_ldap (ldap): Rebinding to URL
>ldaps://ForestDnsZones.our.domain/DC=ForestDnsZones,DC=our,DC=domain
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Rebinding to URL
>ldaps://DomainDnsZones.our.domain/DC=DomainDnsZones,DC=our,DC=domain
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Rebinding to URL
>ldaps://our.dom/CN=Configuration,DC=our,DC=domain
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Bind successful
>rlm_ldap (ldap): Bind successful
>rlm_ldap (ldap): Bind successful
>(0) Search returned no results
>(0) Search returned not found
>(0) Checking user object membership (memberOf) attributes
>(0) Waiting for bind result...
>(0) Bind successful
>(0) Performing unfiltered search in
>'CN=sexample5555,OU=se_students,OU=S_students,OU=students,OU=people,DC=our
>,DC=domain', scope 'base'
>(0) Waiting for search result...
>(0) Processing group membership value
>"CN=GROUP1,OU=_Section-Groups,OU=students,OU=people,DC=our,DC=domain"
>(0) Converting group DN to group Name
>(0) Performing unfiltered search in
>'CN=GROUP1,OU=_Section-Groups,OU=students,OU=people,DC=our,DC=domain',
>scope 'base'
>(0) Waiting for search result...
>(0) Group name is "GROUP1"
>(0) Processing group membership value
>"CN=GROUP2,OU=groups,DC=our,DC=domain"
>(0) Converting group DN to group Name
>(0) Performing unfiltered search in
>'CN=GROUP2,OU=groups,DC=our,DC=domain', scope 'base'
>(0) Waiting for search result...
>(0) Group name is "GROUP2"
>(0) Processing group membership value
>"CN=SE_students,OU=se_students,OU=S_students,OU=students,OU=people,DC=our,
>DC=domain"
>(0) Converting group DN to group Name
>(0) Performing unfiltered search in
>'CN=SE_students,OU=se_students,OU=S_students,OU=students,OU=people,DC=our,
>DC=domain', scope 'base'
>(0) Waiting for search result...
>(0) Group name is "SE_students"
>(0) Processing group membership value
>"CN=GROUP4,OU=_Dept-Groups,OU=students,OU=people,DC=our,DC=domain"
>(0) Converting group DN to group Name
>(0) Performing unfiltered search in
>'CN=GROUP4,OU=_Dept-Groups,OU=students,OU=people,DC=our,DC=domain',
>scope 'base'
>(0) Waiting for search result...
>(0) Group name is "GROUP4"
>(0) Processing group membership value
>"CN=GROUP5,OU=staff,OU=people,DC=our,DC=domain"
>(0) Converting group DN to group Name
>(0) Performing unfiltered search in
>'CN=GROUP5,OU=staff,OU=people,DC=our,DC=domain', scope 'base'
>(0) Waiting for search result...
>(0) Group name is "GROUP5"
>rlm_ (ldap): Deleting connection (4)
>(0) User is not a member of specified group
>(0) if ((Called-Station-SSID == "Test2") && (LDAP-Group ==
>"students")) -> FALSE
>(0) else else {
>(0) [reject] = reject
>(0) } # else else = reject
>(0) } # authorize = reject
>(0) Using Post-Auth-Type Reject
>(0) # Executing group from file /etc/freeradius/sites-enabled/wifi
>(0) Post-Auth-Type REJECT {
>(0) attr_filter.access_reject : EXPAND %{User-Name}
>(0) attr_filter.access_reject : --> DOMAIN\sexample5555
>(0) attr_filter.access_reject : Matched entry DEFAULT at line 11
>(0) [attr_filter.access_reject] = updated
>(0) eap : Request was previously rejected, inserting EAP-Failure
>(0) [eap] = updated
>(0) remove_reply_message_if_eap remove_reply_message_if_eap {
>(0) if (reply:EAP-Message && reply:Reply-Message)
>(0) if (reply:EAP-Message && reply:Reply-Message) -> FALSE
>(0) else else {
>(0) [noop] = noop
>(0) } # else else = noop
>(0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
>(0) } # Post-Auth-Type REJECT = updated
>(0) Delaying reject of request 0 for 1 seconds
>Waking up in 0.2 seconds.
>Waking up in 0.7 seconds.
>(0) Sending delayed reject
>Sending Access-Reject of id 39 from Radius-Server port 1912 to
>WIFI-CONTROLLER-IP port 1034
> EAP-Message = 0x045c0004
> Message-Authenticator = 0x00000000000000000000000000000000
>Waking up in 3.9 seconds.
>rad_recv: Access-Request packet from host WIFI-CONTROLLER-IP port 1034,
>id=40, length=174
> User-Name = 'our\\sexample5555'
> NAS-Port = 0
> Called-Station-Id = '00-19-92-04-7E-81:Test2'
> Calling-Station-Id = '00-26-5E-31-33-3B'
> Framed-MTU = 1400
> Attr-26 = 0x000026ef030302
> NAS-Port-Type = Wireless-802.11
> Connect-Info = 'CONNECT 0Mbps 802.11'
> EAP-Message = 0x02b00016014b5643435c736578616d706c6535353535
> Message-Authenticator = 0xfc98b83654758f9d0071ba123c21ca2e
>(1) # Executing section authorize from
>file /etc/freeradius/sites-enabled/wifi
>(1) authorize {
>(1) if (Called-Station-Id
>=~
>/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?(
>[0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i)
>(1) if (Called-Station-Id
>=~
>/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?(
>[0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE
>(1) if (Called-Station-Id
>=~
>/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?(
>[0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {
>(1) update request {
>(1) EXPAND %{7}
>(1) --> Test2
>(1) Called-Station-SSID := "Test2"
>(1) } # update request = noop
>(1) } # if (Called-Station-Id
>=~
>/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?(
>[0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) = noop
>(1) if ((Called-Station-SSID == "Test2") && (LDAP-Group ==
>"students"))
>(1) Searching for user in group "students"
>rlm_ldap (ldap): Reserved connection (3)
>(1) EXPAND (cn=%{%{mschap:User-Name}:-%{User-Name}})
>(1) --> (cn=sexample5555)
>(1) EXPAND dc=our,dc=domain
>(1) --> dc=our,dc=domain
>(1) Performing search in 'dc=our,dc=domain' with filter
>'(cn=sexample5555)', scope 'sub'
>(1) Waiting for search result...
>rlm_ldap (ldap): Rebinding to URL
>ldaps://ForestDnsZones.our.domain/DC=ForestDnsZones,DC=our,DC=domain
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Rebinding to URL
>ldaps://DomainDnsZones.our.domain/DC=DomainDnsZones,DC=our,DC=domain
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Rebinding to URL
>ldaps://our.domain/CN=Configuration,DC=our,DC=domain
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Bind successful
>rlm_ldap (ldap): Bind successful
>rlm_ldap (ldap): Bind successful
>(1) User object found at DN
>"CN=sexample5555,OU=OUR-OU,OU=OUR-OU,OU=OUR-OU,OU=people,DC=our,DC=domain"
>(1) Checking for user in group objects
>(1) EXPAND (&(cn=students)(objectClass=posixGroup)(|(member=
>%{control:Ldap-UserDn})(memberUid=
>%{%{mschap:User-Name}:-%{User-Name}})))
>(1) --> (&(cn=students)(objectClass=posixGroup)(|(member=CN
>\3dsexample5555\2cOU\3dse_students\2cOU\3dS_students\2cOU\3dstudents
>\2cOU\3dpeople\2cDC\3dour\2cDC\3ddom)(memberUid=sexample5555)))
>(1) EXPAND dc=our,dc=domain
>(1) --> dc=our,dc=domain
>(1) Waiting for bind result...
>(1) Bind successful
>(1) Performing search in 'dc=our,dc=domain' with filter
>'(&(cn=students)(objectClass=posixGroup)(|(member=CN\3dsexample5555\2cOU
>\3dse_students\2cOU\3dS_students\2cOU\3dstudents\2cOU\3dpeople\2cDC
>\3dour\2cDC\3ddom)(memberUid=sexample5555)))', scope 'sub'
>(1) Waiting for search result...
>rlm_ldap (ldap): Rebinding to URL
>ldaps://ForestDnsZones.our.domain/DC=ForestDnsZones,DC=our,DC=domain
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Rebinding to URL
>ldaps://DomainDnsZones.our.domain/DC=DomainDnsZones,DC=our,DC=domain
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Rebinding to URL
>ldaps://our.domain/CN=Configuration,DC=our,DC=domain
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Bind successful
>rlm_ldap (ldap): Bind successful
>rlm_ldap (ldap): Bind successful
>(1) Search returned no results
>(1) Search returned not found
>(1) Checking user object membership (memberOf) attributes
>(1) Waiting for bind result...
>(1) Bind successful
>(1) Performing unfiltered search in
>'CN=sexample5555,OU=se_students,OU=S_students,OU=students,OU=people,DC=our
>,DC=domain', scope 'base'
>(1) Waiting for search result...
>(1) Processing group membership value
>"CN=GROUP1,OU=_Section-Groups,OU=students,OU=people,DC=our,DC=domain"
>(1) Converting group DN to group Name
>(1) Performing unfiltered search in
>'CN=GROUP1,OU=_Section-Groups,OU=students,OU=people,DC=our,DC=domain',
>scope 'base'
>(1) Waiting for search result...
>(1) Group name is "GROUP1"
>(1) Processing group membership value
>"CN=GROUP2,OU=groups,DC=our,DC=domain"
>(1) Converting group DN to group Name
>(1) Performing unfiltered search in
>'CN=GROUP2,OU=groups,DC=our,DC=domain', scope 'base'
>(1) Waiting for search result...
>(1) Group name is "GROUP2"
>(1) Processing group membership value
>"CN=SE_students,OU=se_students,OU=S_students,OU=students,OU=people,DC=our,
>DC=domain"
>(1) Converting group DN to group Name
>(1) Performing unfiltered search in
>'CN=SE_students,OU=se_students,OU=S_students,OU=students,OU=people,DC=our,
>DC=domain', scope 'base'
>(1) Waiting for search result...
>(1) Group name is "SE_students"
>(1) Processing group membership value
>"CN=GROUP4,OU=_Dept-Groups,OU=students,OU=people,DC=our,DC=domain"
>(1) Converting group DN to group Name
>(1) Performing unfiltered search in
>'CN=GROUP4,OU=_Dept-Groups,OU=students,OU=people,DC=our,DC=domain',
>scope 'base'
>(1) Waiting for search result...
>(1) Group name is "GROUP4"
>(1) Processing group membership value
>"CN=GROUP5,OU=staff,OU=people,DC=our,DC=domain"
>(1) Converting group DN to group Name
>(1) Performing unfiltered search in
>'CN=GROUP5,OU=staff,OU=people,DC=our,DC=domain', scope 'base'
>(1) Waiting for search result...
>(1) Group name is "GROUP5"
>rlm_ldap (ldap): Deleting connection (3)
>(1) User is not a member of specified group
>(1) if ((Called-Station-SSID == "Test2") && (LDAP-Group ==
>"students")) -> FALSE
>(1) else else {
>(1) [reject] = reject
>(1) } # else else = reject
>(1) } # authorize = reject
>(1) Using Post-Auth-Type Reject
>(1) # Executing group from file /etc/freeradius/sites-enabled/wifi
>(1) Post-Auth-Type REJECT {
>(1) attr_filter.access_reject : EXPAND %{User-Name}
>(1) attr_filter.access_reject : --> DOMAIN\sexample5555
>(1) attr_filter.access_reject : Matched entry DEFAULT at line 11
>(1) [attr_filter.access_reject] = updated
>(1) eap : Request was previously rejected, inserting EAP-Failure
>(1) [eap] = updated
>(1) remove_reply_message_if_eap remove_reply_message_if_eap {
>(1) if (reply:EAP-Message && reply:Reply-Message)
>(1) if (reply:EAP-Message && reply:Reply-Message) -> FALSE
>(1) else else {
>(1) [noop] = noop
>(1) } # else else = noop
>(1) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
>(1) } # Post-Auth-Type REJECT = updated
>(1) Delaying reject of request 1 for 1 seconds
>Waking up in 0.2 seconds.
>Waking up in 0.7 seconds.
>(1) Sending delayed reject
>Sending Access-Reject of id 40 from SERVER-IP port 1912 to
>WIFI-CONTROLLER-IP port 1034
> EAP-Message = 0x04b00004
> Message-Authenticator = 0x00000000000000000000000000000000
>Waking up in 1.3 seconds.
>(0) Cleaning up request packet ID 39 with timestamp +6
>Waking up in 2.6 seconds.
>
>Thanks!
>-Josh
>
>-
>List info/subscribe/unsubscribe? See
>http://www.freeradius.org/list/users.html
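The debug output above shows rlm_ldap checking only direct membership (a group search by member DN, then the user's own memberOf values), so the SE_students -> S_students -> students chain is never followed. The following added example, which is not part of the thread or of FreeRADIUS, contrasts that direct check with a transitive one over a small constructed directory mirroring the chain, and builds the recursive-membership filter Peter recommends; the DNs are constructed, and the assertion-value escaping follows RFC 4515 rather than FreeRADIUS's own escaping seen in the log.

```python
"""Added example (not from the mailing-list thread): direct vs. nested AD
group membership, and the recursive-membership filter from the thread.
The directory below is constructed to mirror the chain in the debug
output: sexample5555 -> SE_students -> S_students -> students."""

# Constructed sample directory: group DN -> list of member DNs.
DIRECTORY = {
    "CN=SE_students,OU=groups,DC=our,DC=domain": [
        "CN=sexample5555,OU=people,DC=our,DC=domain",
    ],
    "CN=S_students,OU=groups,DC=our,DC=domain": [
        "CN=SE_students,OU=groups,DC=our,DC=domain",
    ],
    "CN=students,OU=groups,DC=our,DC=domain": [
        "CN=S_students,OU=groups,DC=our,DC=domain",
    ],
}

# LDAP_MATCHING_RULE_IN_CHAIN OID, as quoted in the thread.
AD_IN_CHAIN = "1.2.840.113556.1.4.1941"


def group_cn(dn):
    """Return the CN (group name) of a group DN, e.g. 'students'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def direct_groups(user_dn, directory=DIRECTORY):
    """Groups listing the user directly: what the log's memberOf walk sees."""
    return {group_cn(g) for g, members in directory.items() if user_dn in members}


def transitive_groups(user_dn, directory=DIRECTORY):
    """Follow membership links upward until no new group appears (cycle-safe).
    This is the closure the AD matching rule computes server-side."""
    seen, frontier = set(), [user_dn]
    while frontier:
        dn = frontier.pop()
        for g, members in directory.items():
            if dn in members and g not in seen:
                seen.add(g)
                frontier.append(g)
    return {group_cn(g) for g in seen}


def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value placed inside a filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def in_chain_filter(user_dn):
    """Build the recursive-membership filter the thread recommends for AD."""
    return "(member:%s:=%s)" % (AD_IN_CHAIN, escape_filter_value(user_dn))
```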