LDAP Groups to Freeradius and then Ruckus Wireless?

Enrique Sainz Baixauli enriquesainz.beca at intef.educacion.es
Wed Jun 11 10:11:04 CEST 2014


Today I realized this about the error I got:

> (5)   foreach &control:LDAP-Group
> (5)    #  Foreach-Variable-1 = "profesores"
> (5)    update reply {
> Bad talloc magic value - unknown value
> talloc abort: Bad talloc magic value - unknown value
> CAUGHT SIGNAL: Aborted

In the second line, the variable containing the group name is
Foreach-Variable-1, but I was accessing Foreach-Variable-0 inside the update
reply {}. I changed it to Foreach-Variable-1 and the error vanished,
everything worked perfectly and FR returned to the client this
Access-Accept:

Sending Access-Accept Id 17 from 192.168.50.62:1812 to 192.168.60.1:1024
        Ruckus-User-Groups += 'profesores'
        MS-MPPE-Recv-Key =
0xc404bde0c6ee79a3f4664284f0f50f4d79c0e4d813f8054eb85ca706f6bd827d
        MS-MPPE-Send-Key =
0xe5e783a3df73eb314335cc2cc0a855f886336766c0fdf826b9b69d461de87df8
        EAP-Message = 0x03060004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = 'juan'
        Ruckus-User-Groups += 'profesores'

(Ruckus-User-Groups is there twice because I add it in both authorize and in
post-auth in default server, but it doesn't do any harm)

And the debug part referring to the foreach loop looks like this:

(6)   foreach &control:LDAP-Group
(6)    #  Foreach-Variable-1 = "profesores"
(6)    update reply {
(6) EXPAND %{Foreach-Variable-1}
(6)    --> profesores
(6)     Ruckus-User-Groups += "profesores"
(6)    } # update reply = noop
(6)   } # foreach &control:LDAP-Group = noop

However, if I try to authenticate a user via PEAP with that config, the
group name is in Foreach-Variable-0, as it was before, and the Access-Accept
lacks the group info:

Sending Access-Accept Id 23 from 192.168.50.62:1812 to 192.168.60.1:1028
        MS-MPPE-Recv-Key =
0xc139d6ab71743cb1cc6b8ff635207b82e102b646bbd6988df2c044fc7a9217db
        MS-MPPE-Send-Key =
0x61f3d096f5e3924bc006f36fb88fd590d55705c1fe77f105b0abaa81ccb34539
        EAP-Message = 0x03090004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = 'juan'
        Ruckus-User-Groups += ''

The loop part looks like this:

(11)   foreach &control:LDAP-Group
(11)    #  Foreach-Variable-0 = "profesores"
(11)    update reply {
(11) EXPAND %{Foreach-Variable-1}
(11)    -->
(11)    Ruckus-User-Groups += ""
(11)    } # update reply = noop
(11)   } # foreach &control:LDAP-Group = noop

And my task is to get both PEAP and TLS working in the same server, so that
I can let students in via PEAP but keep teachers using TLS for a more secure
network (but that comes later). Is there a way to put the group info into
the Access-Accept packet no matter which method was used?

Thanks!
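The index in Foreach-Variable-N is the nesting depth of the foreach, not a fixed name, so a policy that hard-codes 0 or 1 works in one request path and expands to an empty string in the other, which is exactly what the two traces above show. The configuration below is an added example written for this page, not the poster's config or anything from the FreeRADIUS project, and it avoids the loop variable altogether by copying every value of &control:LDAP-Group with an `[*]` reference. It assumes FreeRADIUS 3.0 unlang syntax, that the ldap module already fills &control:LDAP-Group as in the poster's setup, and that PEAP inner requests go through the stock `inner-tunnel` virtual server; the policy name `ruckus_groups` is made up for the example.

```unlang
# --- policy.d/ruckus_groups (added example; file and policy name are assumptions)
# Copy all LDAP group names into the Ruckus VSA without using Foreach-Variable-N.
# The existence test keeps the policy from adding an empty Ruckus-User-Groups
# when no group was resolved (e.g. the anonymous outer identity of a PEAP session).
ruckus_groups {
    if (&control:LDAP-Group) {
        update reply {
            # [*] expands to every instance of the attribute, one VSA per group.
            &Ruckus-User-Groups += &control:LDAP-Group[*]
        }
    }
}

# --- sites-available/inner-tunnel : the real user is authenticated here for PEAP
post-auth {
    ruckus_groups
}

# --- sites-available/default : EAP-TLS (and any non-tunneled method) ends here
post-auth {
    ruckus_groups
}

# --- mods-available/eap : PEAP sets reply attributes in the inner request;
# without this they never reach the outer Access-Accept.
eap {
    peap {
        use_tunneled_reply = yes
    }
}
```

Because the group copy now lives in post-auth only, the duplicate `Ruckus-User-Groups += 'profesores'` seen in the first trace disappears as well. To check the result, run `radiusd -X`, authenticate once with PEAP and once with EAP-TLS, and confirm that the final `Sending Access-Accept` block of each session lists one `Ruckus-User-Groups` line per LDAP group and none with an empty value.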
