Filter OpenLDAP users account upon Freeradius 3.0.10 NAS-Port-Id
François Lacombe
fl.infosreseaux at gmail.com
Fri Dec 11 20:18:59 CET 2015
Thank you Alan for your help
On 11 Dec 2015 1:37 AM, "Alan DeKok" <aland at deployingradius.com> wrote:
>
>
> > The LDAP module is configured to let the user connect when the
> > diallupAccess is set to true.
> > But it let any users connect to any network my VPN server is offering access to.
>
> And... what does the debug output say?
It works normally, no problem IMHO.
Debug output from freeradius 3.0.10:
Fri Dec 11 20:05:09 2015 : Debug: (1) ldap: EXPAND
(uid=%{%{Stripped-User-Name}:-%{User-Name}})
Fri Dec 11 20:05:09 2015 : Debug: (1) ldap: --> (uid=*my_login*)
Fri Dec 11 20:05:09 2015 : Debug: (1) ldap: EXPAND TMPL LITERAL
Fri Dec 11 20:05:09 2015 : Debug: (1) ldap: Performing search in
"ou=users,... ldap root..." with filter "(uid=*my_login*)", scope
"sub"
Fri Dec 11 20:05:09 2015 : Debug: (1) ldap: Waiting for search result...
Fri Dec 11 20:05:09 2015 : Debug: (1) ldap: User object found at DN
"uid=*my_login,ou=users,... ldap root..."
Fri Dec 11 20:05:09 2015 : Debug: (1) ldap: Processing user attributes
Fri Dec 11 20:05:09 2015 : Debug: (1) ldap:
control:Password-With-Header += '....'
Fri Dec 11 20:05:09 2015 : Debug: (1) ldap: control:NT-Password := 0x....
Fri Dec 11 20:05:09 2015 : Debug: (1) ldap: control:LM-Password := 0x....
Fri Dec 11 20:05:09 2015 : Debug: (1) ldap: Attribute
"radiusControlAttribute" not found in LDAP object
Fri Dec 11 20:05:09 2015 : Debug: (1) ldap: Attribute
"radiusRequestAttribute" not found in LDAP object
Fri Dec 11 20:05:09 2015 : Debug: (1) ldap: Attribute
"radiusReplyAttribute" not found in LDAP object
Fri Dec 11 20:05:09 2015 : Debug: rlm_ldap (ldap): Released connection (1)
Fri Dec 11 20:05:09 2015 : Debug: (1) modsingle[authorize]:
returned from ldap (rlm_ldap) for request 1
Fri Dec 11 20:05:09 2015 : Debug: (1) [ldap] = updated
Fri Dec 11 20:05:09 2015 : Debug: (1) modsingle[authorize]:
calling eap (rlm_eap) for request 1
Fri Dec 11 20:05:09 2015 : Debug: (1) eap: Peer sent EAP Response
(code 2) ID 1 length 67
Fri Dec 11 20:05:09 2015 : Debug: (1) eap: No EAP Start, assuming it's
an on-going EAP conversation
Fri Dec 11 20:05:09 2015 : Debug: (1) modsingle[authorize]:
returned from eap (rlm_eap) for request 1
Fri Dec 11 20:05:09 2015 : Debug: (1) [eap] = updated
Fri Dec 11 20:05:09 2015 : Debug: (1) modsingle[authorize]:
calling pap (rlm_pap) for request 1
Fri Dec 11 20:05:09 2015 : Debug: (1) pap: Converted:
Password-With-Header = '.....' -> Crypt-Password = '....'
Fri Dec 11 20:05:09 2015 : Debug: (1) pap: Removing
&control:Password-With-Header
Fri Dec 11 20:05:09 2015 : Debug: (1) pap: Normalizing NT-Password
from hex encoding, 32 bytes -> 16 bytes
Fri Dec 11 20:05:09 2015 : Debug: (1) pap: Normalizing LM-Password
from hex encoding, 32 bytes -> 16 bytes
Fri Dec 11 20:05:09 2015 : WARNING: (1) pap: Auth-Type already set.
Not setting to PAP
Fri Dec 11 20:05:09 2015 : Debug: (1) modsingle[authorize]:
returned from pap (rlm_pap) for request 1
Fri Dec 11 20:05:09 2015 : Debug: (1) [pap] = noop
Fri Dec 11 20:05:09 2015 : Debug: (1) modsingle[authorize]:
calling expiration (rlm_expiration) for request 1
Fri Dec 11 20:05:09 2015 : Debug: (1) modsingle[authorize]:
returned from expiration (rlm_expiration) for request 1
Fri Dec 11 20:05:09 2015 : Debug: (1) [expiration] = noop
Fri Dec 11 20:05:09 2015 : Debug: (1) modsingle[authorize]:
calling logintime (rlm_logintime) for request 1
Fri Dec 11 20:05:09 2015 : Debug: (1) modsingle[authorize]:
returned from logintime (rlm_logintime) for request 1
Fri Dec 11 20:05:09 2015 : Debug: (1) [logintime] = noop
Fri Dec 11 20:05:09 2015 : Debug: (1) } # authorize = updated
Fri Dec 11 20:05:09 2015 : Debug: (1) Found Auth-Type = EAP
Fri Dec 11 20:05:09 2015 : Debug: (1) # Executing group from file
/etc/freeradius/sites-enabled/mercure_def.ldap
Fri Dec 11 20:05:09 2015 : Debug: (1) authenticate {
Fri Dec 11 20:05:09 2015 : Debug: (1) modsingle[authenticate]:
calling eap (rlm_eap) for request 1
Fri Dec 11 20:05:09 2015 : Debug: (1) eap: Expiring EAP session with
state 0xab2a5c78ab2b464c
Fri Dec 11 20:05:09 2015 : Debug: (1) eap: Finished EAP session with
state 0xab2a5c78ab2b464c
Fri Dec 11 20:05:09 2015 : Debug: (1) eap: Previous EAP request found
for state 0xab2a5c78ab2b464c, released from the list
Fri Dec 11 20:05:09 2015 : Debug: (1) eap: Peer sent packet with
method EAP MSCHAPv2 (26)
Fri Dec 11 20:05:09 2015 : Debug: (1) eap: Calling submodule
eap_mschapv2 to process data
Fri Dec 11 20:05:09 2015 : Debug: (1) eap_mschapv2: # Executing group
from file /etc/freeradius/sites-enabled/mercure_def.ldap
Fri Dec 11 20:05:09 2015 : Debug: (1) eap_mschapv2: Auth-Type MS-CHAP {
Fri Dec 11 20:05:09 2015 : Debug: (1) eap_mschapv2:
modsingle[authenticate]: calling mschap (rlm_mschap) for request 1
Fri Dec 11 20:05:09 2015 : Debug: (1) mschap: Found NT-Password
Fri Dec 11 20:05:09 2015 : Debug: (1) mschap: Found LM-Password
Fri Dec 11 20:05:09 2015 : Debug: (1) mschap: Creating challenge hash
with username: *my_login*
Fri Dec 11 20:05:09 2015 : Debug: (1) mschap: Client is using MS-CHAPv2
Fri Dec 11 20:05:09 2015 : Debug: (1) mschap: Adding MS-CHAPv2 MPPE keys
Fri Dec 11 20:05:09 2015 : Debug: (1) modsingle[authenticate]:
returned from mschap (rlm_mschap) for request 1
Fri Dec 11 20:05:09 2015 : Debug: (1) [mschap] = ok
Fri Dec 11 20:05:09 2015 : Debug: (1) } # Auth-Type MS-CHAP = ok
Fri Dec 11 20:05:09 2015 : Debug: (1) MSCHAP Success
Fri Dec 11 20:05:09 2015 : Debug: (1) eap: Sending EAP Request (code
1) ID 2 length 51
Fri Dec 11 20:05:09 2015 : Debug: (1) eap: EAP session adding
&reply:State = 0xab2a5c78aa28464c
Fri Dec 11 20:05:09 2015 : Debug: (1) modsingle[authenticate]:
returned from eap (rlm_eap) for request 1
Fri Dec 11 20:05:09 2015 : Debug: (1) [eap] = handled
Fri Dec 11 20:05:09 2015 : Debug: (1) } # authenticate = handled
Fri Dec 11 20:05:09 2015 : Debug: (1) Using Post-Auth-Type Challenge
Fri Dec 11 20:05:09 2015 : Debug: (1) Post-Auth-Type sub-section not
found. Ignoring.
Fri Dec 11 20:05:09 2015 : Debug: (1) # Executing group from file
/etc/freeradius/sites-enabled/mercure_def.ldap
Fri Dec 11 20:05:09 2015 : Debug: (1) session-state: Nothing to cache
Fri Dec 11 20:05:09 2015 : Debug: (1) Sent Access-Challenge Id 74 length 0
Fri Dec 11 20:05:09 2015 : Debug: (1) EAP-Message =
0x010200331a0301002e533d46343036424236353131394133333632313543433342323030384533444645414545454435393844
Fri Dec 11 20:05:09 2015 : Debug: (1) Message-Authenticator =
0x00000000000000000000000000000000
Fri Dec 11 20:05:09 2015 : Debug: (1) State =
0xab2a5c78aa28464c6d6710904a42a679
Fri Dec 11 20:05:09 2015 : Debug: (1) Finished request
>
> > What is the best method to filter users depending on which NAS-Port-Id
> > they are using?
>
> You can check for the value of the NAS-Port-Id attribute.
>
> What do you want to do? Do you have an example?
>
> > It will allow me to authorize several users to access any networks
> > they need to access without putting any network configuration in the
> > LDAP.
>
> Typically you control access by NAS IP address, not NAS Port-Id.
My NAS always has the same IP; only the NAS-Port-Id takes different values.
I can only differentiate the networks my users try to reach by NAS-Port-Id.
Furthermore, RFC 2865 says that we shouldn't use NAS-Identifier to find
the shared secret but we'd better deal with NAS-IP-Address.
Is this the same with NAS-Port-Id?
Should I take care of that?
> As always, run the server in debug mode to see what the server is receiving. Then, write rules to match those attributes, and go from there.
Ok, so I can write things like:
user {
filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(accessNetwork=%{request:NAS-Port-Id}))"
}
instead of
user {
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
}
in my freeradius/mods-available/ldap file ?
accessNetwork is a multi-valued attribute of a custom LDAP schema I
wrote a few months ago.
All the best
François L.
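Added example (Python, written for this page; it is not code from the thread, from FreeRADIUS or from its ldap module). It expands the combined filter proposed above from a User-Name, an optional Stripped-User-Name and a NAS-Port-Id, escapes the request values as an LDAP filter requires (RFC 4515), and evaluates the result against a few constructed directory entries whose multi-valued accessNetwork attribute lists the NAS-Port-Id values each user may use; it then applies the access_attribute = dialupAccess check mentioned earlier in the thread. The entries, DNs, the vpn-lab/vpn-office port ids and the attribute layout are assumptions. rlm_ldap applies its own filter escaping to expanded values; ldap_escape() here shows what that escaping has to do and why it matters: an unescaped "*" in a User-Name would turn the uid clause into a presence filter that matches every entry. Also note that NAS-Port-Id is whatever the NAS wrote into the Access-Request, so a rule built on it is exactly as trustworthy as the NAS sending it (RADIUS authenticates the packet with the shared secret and Message-Authenticator, not the attribute's content).

```python
# Added example, not FreeRADIUS code: expand and evaluate the filter
# (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(accessNetwork=%{request:NAS-Port-Id}))
# against constructed LDAP entries.
from __future__ import annotations

# RFC 4515 section 3: characters that must be escaped in an assertion value.
_ESCAPE = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\x00": "\\00"}


def ldap_escape(value: str) -> str:
    """Escape one value for safe use inside an LDAP search filter."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def build_filter(user_name: str, nas_port_id: str,
                 stripped_user_name: str | None = None) -> str:
    """Expand the filter from the mail; %{Stripped-User-Name} wins when set,
    otherwise the ':-' fallback uses %{User-Name}. Both values are escaped."""
    uid = stripped_user_name if stripped_user_name else user_name
    return f"(&(uid={ldap_escape(uid)})(accessNetwork={ldap_escape(nas_port_id)}))"


def _unescape(raw: str) -> str:
    """Reverse RFC 4515 hex escapes (\\2a -> '*', \\28 -> '(', ...)."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 2 < len(raw):
            out.append(chr(int(raw[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def _glob_match(value: str, raw_pattern: str) -> bool:
    """An unescaped '*' is an LDAP substring wildcard; an escaped one is literal."""
    parts = [_unescape(p) for p in raw_pattern.split("*")]
    if len(parts) == 1:
        return value == parts[0]
    if not (value.startswith(parts[0]) and value.endswith(parts[-1])):
        return False
    pos = len(parts[0])
    for middle in parts[1:-1]:
        found = value.find(middle, pos)
        if found < 0:
            return False
        pos = found + len(middle)
    return pos <= len(value) - len(parts[-1])


def _parse(filt: str, pos: int):
    """Parse the filter subset used here, (&(...)(...)) and (attr=value).
    Returns (predicate, offset just past the closing parenthesis)."""
    if filt[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos} in {filt!r}")
    pos += 1
    if filt[pos] == "&":
        pos += 1
        children = []
        while filt[pos] != ")":
            child, pos = _parse(filt, pos)
            children.append(child)
        return (lambda entry: all(c(entry) for c in children)), pos + 1
    end = filt.index(")", pos)
    attr, _, raw = filt[pos:end].partition("=")
    attr = attr.lower()

    def equals(entry):
        # Attribute names are case-insensitive; attributes are multi-valued.
        return any(name.lower() == attr and any(_glob_match(v, raw) for v in values)
                   for name, values in entry.items())
    return equals, end + 1


def evaluate(filt: str, entry: dict[str, list[str]]) -> bool:
    """Evaluate a filter against one entry given as {attribute: [values]}."""
    predicate, end = _parse(filt, 0)
    if end != len(filt):
        raise ValueError("trailing data after filter")
    return predicate(entry)


# Constructed sample directory (assumption, not real data).
DIRECTORY = {
    "uid=alice,ou=users,dc=example,dc=org": {
        "uid": ["alice"], "dialupAccess": ["TRUE"],
        "accessNetwork": ["vpn-lab", "vpn-office"]},
    "uid=bob,ou=users,dc=example,dc=org": {
        "uid": ["bob"], "dialupAccess": ["TRUE"],
        "accessNetwork": ["vpn-office"]},
    "uid=carol,ou=users,dc=example,dc=org": {
        "uid": ["carol"], "dialupAccess": ["FALSE"],
        "accessNetwork": ["vpn-lab"]},
}


def find_user(user_name, nas_port_id, stripped_user_name=None) -> str | None:
    """DN selected by the filter, or None; several matches count as ambiguous."""
    filt = build_filter(user_name, nas_port_id, stripped_user_name)
    hits = [dn for dn, entry in DIRECTORY.items() if evaluate(filt, entry)]
    return hits[0] if len(hits) == 1 else None


def authorize(user_name, nas_port_id, stripped_user_name=None) -> bool:
    """Filter match plus access_attribute = dialupAccess with the default
    access_positive = yes: the attribute must exist and not start with 'false'."""
    dn = find_user(user_name, nas_port_id, stripped_user_name)
    if dn is None:
        return False
    values = DIRECTORY[dn].get("dialupAccess")
    return bool(values) and not values[0].lower().startswith("false")


if __name__ == "__main__":
    for user, port in [("alice", "vpn-lab"), ("bob", "vpn-lab"), ("carol", "vpn-lab"), ("*", "vpn-lab")]:
        print(f"{user!r} on {port}: {build_filter(user, port)} -> {authorize(user, port)}")
```

The evaluator understands only the AND/equality/substring subset the filter needs; with a real server the same filter text would be passed to the directory unchanged. The "*" row of the demonstration prints the escaped form (uid=\2a), which matches nobody, whereas the raw text (uid=*) evaluates true for every entry.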