LDAP Groups to Freeradius and then Ruckus Wireless?
Fajar A. Nugraha
list at fajar.net
Wed Jun 11 10:46:34 CEST 2014
On Wed, Jun 11, 2014 at 3:11 PM, Enrique Sainz Baixauli
<enriquesainz.beca at intef.educacion.es> wrote:
> Today I realized this about the error I got:
>
>> (5) foreach &control:LDAP-Group
>> (5) # Foreach-Variable-1 = "profesores"
>> (5) update reply {
>> Bad talloc magic value - unknown value
>> talloc abort: Bad talloc magic value - unknown value
>> CAUGHT SIGNAL: Aborted
>
> In the second line, the variable containing the group name is
> Foreach-Variable-1, but I was accessing Foreach-Variable-0 inside the update
> reply {}. I changed it to Foreach-Variable-1 and the error vanished,
> everything worked perfectly and FR returned to the client this
> Access-Accept:
>
> Sending Access-Accept Id 17 from 192.168.50.62:1812 to 192.168.60.1:1024
> Ruckus-User-Groups += 'profesores'
> MS-MPPE-Recv-Key = 0xc404bde0c6ee79a3f4664284f0f50f4d79c0e4d813f8054eb85ca706f6bd827d
> MS-MPPE-Send-Key = 0xe5e783a3df73eb314335cc2cc0a855f886336766c0fdf826b9b69d461de87df8
> EAP-Message = 0x03060004
> Message-Authenticator = 0x00000000000000000000000000000000
> User-Name = 'juan'
> Ruckus-User-Groups += 'profesores'
>
> (Ruckus-User-Groups is there twice because I add it in both authorize and in
> post-auth in default server, but it doesn't do any harm)
>
> And the debug part referring to the foreach loop looks like this:
>
> (6) foreach &control:LDAP-Group
> (6) # Foreach-Variable-1 = "profesores"
> (6) update reply {
> (6) EXPAND %{Foreach-Variable-1}
> (6) --> profesores
> (6) Ruckus-User-Groups += "profesores"
> (6) } # update reply = noop
> (6) } # foreach &control:LDAP-Group = noop
>
> However, if I try to authenticate a user via PEAP with that config, the
> group name is in Foreach-Variable-0, as it was before, and the Access-Accept
> lacks the group info:
>
> Sending Access-Accept Id 23 from 192.168.50.62:1812 to 192.168.60.1:1028
> MS-MPPE-Recv-Key = 0xc139d6ab71743cb1cc6b8ff635207b82e102b646bbd6988df2c044fc7a9217db
> MS-MPPE-Send-Key = 0x61f3d096f5e3924bc006f36fb88fd590d55705c1fe77f105b0abaa81ccb34539
> EAP-Message = 0x03090004
> Message-Authenticator = 0x00000000000000000000000000000000
> User-Name = 'juan'
> Ruckus-User-Groups += ''
>
> The loop part looks like this:
>
> (11) foreach &control:LDAP-Group
> (11) # Foreach-Variable-0 = "profesores"
> (11) update reply {
> (11) EXPAND %{Foreach-Variable-1}
> (11) -->
> (11) Ruckus-User-Groups += ""
> (11) } # update reply = noop
> (11) } # foreach &control:LDAP-Group = noop
>
> And my task is to get both PEAP and TLS working in the same server, so that
> I can let students in via PEAP but keep teachers using TLS for a more secure
> network (but that comes later). Is there a way to put the group info into
> the Access-Accept packet no matter which method was used?
From "man unlang" (or
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/man/man5/unlang.5):
"
Inside of the "foreach" block, the attribute which is being looped
over can be referenced as "Foreach-Variable-#". Where "#" is the
depth of the loop, starting at "0". e.g. "Foreach-Variable-0". The
loops can be nested up to eight (8) deep, though this is not
recommended.
"
Does your tls config somehow have a nested foreach, so that
Foreach-Variable-1 is used instead of Foreach-Variable-0?
--
Fajar
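An added illustration of the depth rule quoted from the man page (this is not code from the thread and not FreeRADIUS's shipped configuration). It assumes the ldap module has already run in authorize and filled &control:LDAP-Group, and that the first block sits at the top level of post-auth in the default virtual server, so its loop runs at depth 0. The attribute names Ruckus-User-Groups and LDAP-Group are the ones from the thread; Site-Tag is a hypothetical control attribute introduced only to show a two-level loop and would need a dictionary entry.

```unlang
#  Added example, not from the thread: copy each LDAP group of the
#  authenticated user into the Access-Accept. Assumes &control:LDAP-Group
#  was populated by the ldap module earlier in the request and that this
#  foreach is not nested inside another one, so the current value is
#  Foreach-Variable-0.
post-auth {
	foreach &control:LDAP-Group {
		#  Skip empty expansions so the controller never receives an
		#  empty group string (the symptom seen in the PEAP trace above).
		if ("%{Foreach-Variable-0}" != "") {
			update reply {
				Ruckus-User-Groups += "%{Foreach-Variable-0}"
			}
		}
	}
}

#  Depth indexing as the man page describes it: the outer loop's current
#  value is Foreach-Variable-0, the inner loop's is Foreach-Variable-1.
#  Site-Tag is hypothetical (not in the thread) and exists only to give the
#  inner loop something to iterate over.
foreach &control:LDAP-Group {
	foreach &control:Site-Tag {
		update reply {
			Reply-Message += "%{Foreach-Variable-0}@%{Foreach-Variable-1}"
		}
	}
}
```

The variable index follows nesting depth, not the attribute being iterated, so a loop that works at the top level will silently read the wrong (usually empty) variable if it is later wrapped in another foreach; running the server with -X and checking which "Foreach-Variable-N" line the debug output prints for each EAP method is the quickest way to confirm the depth in a given flow.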