Today I realized this about the error I got:

> (5)   foreach &control:LDAP-Group
> (5)    #  Foreach-Variable-1 = "profesores"
> (5)    update reply {
> Bad talloc magic value - unknown value
> talloc abort: Bad talloc magic value - unknown value

In the second line, the variable containing the group name is
Foreach-Variable-1, but I was accessing Foreach-Variable-0 inside the update
reply {}. I changed it to Foreach-Variable-1 and the error vanished;
everything worked perfectly and FR returned this to the client:

Sending Access-Accept Id 17 from to
        Ruckus-User-Groups += 'profesores'
        MS-MPPE-Recv-Key =
        MS-MPPE-Send-Key =
        EAP-Message = 0x03060004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = 'juan'
        Ruckus-User-Groups += 'profesores'

(Ruckus-User-Groups is there twice because I add it in both authorize and
post-auth in the default server, but it doesn't do any harm)

And the debug part referring to the foreach loop looks like this:

(6)   foreach &control:LDAP-Group
(6)    #  Foreach-Variable-1 = "profesores"
(6)    update reply {
(6) EXPAND %{Foreach-Variable-1}
(6)    --> profesores
(6)     Ruckus-User-Groups += "profesores"
(6)    } # update reply = noop
(6)   } # foreach &control:LDAP-Group = noop

However, if I try to authenticate a user via PEAP with that config, the
group name is in Foreach-Variable-0, as it was before, and the Access-Accept
lacks the group info:

Sending Access-Accept Id 23 from to
        MS-MPPE-Recv-Key =
        MS-MPPE-Send-Key =
        EAP-Message = 0x03090004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = 'juan'
        Ruckus-User-Groups += ''

The loop part looks like this:

(11)   foreach &control:LDAP-Group
(11)    #  Foreach-Variable-0 = "profesores"
(11)    update reply {
(11) EXPAND %{Foreach-Variable-1}
(11)    -->
(11)    Ruckus-User-Groups += ""
(11)    } # update reply = noop
(11)   } # foreach &control:LDAP-Group = noop

And my task is to get both PEAP and TLS working in the same server, so that
I can let students in via PEAP but keep teachers using TLS for a more secure
network (but that comes later). Is there a way to put the group info into
the Access-Accept packet no matter which method was used?
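
The index mismatch visible in the two debug excerpts above (the server assigns Foreach-Variable-0 but the policy expands Foreach-Variable-1, so the group attribute goes out empty) can be caught mechanically from debug output. The following Python script is an added example, not part of the original post or of FreeRADIUS; the function name check_foreach is hypothetical, and the sample lines are the post's own debug output for requests 6 and 11.

```python
import re

# Debug lines copied from the post (requests 6 and 11).
SAMPLE = """\
(6)   foreach &control:LDAP-Group
(6)    #  Foreach-Variable-1 = "profesores"
(6)    update reply {
(6) EXPAND %{Foreach-Variable-1}
(6)    --> profesores
(6)     Ruckus-User-Groups += "profesores"
(6)    } # update reply = noop
(6)   } # foreach &control:LDAP-Group = noop
(11)   foreach &control:LDAP-Group
(11)    #  Foreach-Variable-0 = "profesores"
(11)    update reply {
(11) EXPAND %{Foreach-Variable-1}
(11)    -->
(11)    Ruckus-User-Groups += ""
(11)    } # update reply = noop
(11)   } # foreach &control:LDAP-Group = noop
"""

LINE = re.compile(r"^\((\d+)\)\s*(.*)$")            # "(N) rest of line"
ASSIGNED = re.compile(r'^#\s+Foreach-Variable-(\d+)\s*=\s*"(.*)"$')
EXPAND = re.compile(r"^EXPAND\s+%\{Foreach-Variable-(\d+)\}$")
RESULT = re.compile(r"^-->\s*(.*)$")

def check_foreach(debug_text):
    """Return (request, assigned_idx, used_idx, value) for each wrong-index or empty expansion."""
    assigned = {}   # request id -> index the server last assigned (innermost loop only)
    pending = {}    # request id -> index seen in EXPAND, waiting for its "-->" line
    findings = []
    for raw in debug_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        req, body = int(m.group(1)), m.group(2).strip()
        if (a := ASSIGNED.match(body)):
            assigned[req] = int(a.group(1))
        elif (e := EXPAND.match(body)):
            pending[req] = int(e.group(1))
        elif (r := RESULT.match(body)) and req in pending:
            used = pending.pop(req)
            value = r.group(1)
            if used != assigned.get(req) or value == "":
                findings.append((req, assigned.get(req), used, value))
    return findings

print(check_foreach(SAMPLE))
```

Request 6 passes because the assigned and expanded indexes agree; request 11 is reported because the policy reads index 1 while the server filled index 0.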


