Authenticating users on LDAP based on Group name
Jose Torres-Berrocal
jetsystemservices at gmail.com
Thu Mar 26 20:37:09 CET 2015
I found how to run Radius in debug mode in pfsense.
I have made some changes in the config files also.
These are the key settings:
server = "jetsms-srv2003.jetdom.local"
port = "389"
identity = "cn=pfsense,cn=Users,dc=jetdom,dc=local"
password = Tramontane10520
basedn = "cn=Users,dc=jetdom,dc=local"
filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(objectclass=*)"
groupname_attribute = cn
groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))"
groupmembership_attribute = *
compare_check_items = yes
do_xlat = yes
access_attr_used_for_allow = yes
### MS Active Directory Compatibility is disabled ###
In case you are wondering why I have "*" in base_filter and
groupmembership_attribute, it is an attempt to get Radius to ignore these
settings; otherwise the pfsense default will have set them to the default,
which I think does not match my AD settings. On the wiki, these
parameters are empty, thus ignored.
I think I am closer, but it still fails.
By the way, I tried setting compare_check_items = no, but this makes the
Ldap-Group setting be ignored, and all users get Auth-Type = Accept.
THIS IS THE DEBUG OUTPUT:
radiusd: FreeRADIUS Version 2.2.5, for host i386-portbld-freebsd8.3, built
on Sep 29 2014 at 22:08:50
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /usr/pbi/freeradius-i386/etc/raddb/radiusd.conf
including configuration file /usr/pbi/freeradius-i386/etc/raddb/clients.conf
including files in directory /usr/pbi/freeradius-i386/etc/raddb/modules/
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/wimax
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/always
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/attr_rewrite
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/cache
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/chap
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/checkval
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/counter
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/cui
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/detail
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/
detail.example.com
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/detail.log
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/dhcp_sqlippool
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/sql/mysql/ippool-dhcp.conf
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/digest
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/dynamic_clients
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/echo
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/etc_group
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/exec
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/expiration
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/expr
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/files
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/inner-eap
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/ippool
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/krb5
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/ldap
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/linelog
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/otp
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/logintime
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/mac2ip
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/mac2vlan
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/mschap
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/ntlm_auth
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/opendirectory
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/pam
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/pap
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/passwd
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/perl
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/policy
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/preprocess
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/radrelay
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/radutmp
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/realm
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/redis
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/rediswho
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/replicate
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/smbpasswd
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/smsotp
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/soh
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/sql_log
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/sradutmp
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/unix
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/acct_unique
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/motp
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct
including configuration file /usr/pbi/freeradius-i386/etc/raddb/eap.conf
including configuration file /usr/pbi/freeradius-i386/etc/raddb/policy.conf
including files in directory
/usr/pbi/freeradius-i386/etc/raddb/sites-enabled/
including configuration file
/usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default
main {
allow_core_dumps = yes
}
Core dumps are enabled.
including dictionary file /usr/pbi/freeradius-i386/etc/raddb/dictionary
main {
name = "radiusd"
prefix = "/usr/pbi/freeradius-i386"
localstatedir = "/var"
sbindir = "/usr/pbi/freeradius-i386/sbin"
logdir = "/var/log"
run_dir = "/var/run"
radacctdir = "/var/log/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd.pid"
checkrad = "/usr/pbi/freeradius-i386/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = yes
auth = yes
auth_badpass = no
auth_goodpass = no
msg_badpass = ""
msg_goodpass = ""
}
security {
max_attributes = 200
reject_delay = 1
status_server = no
allow_vulnerable_openssl = no
}
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
client squid {
ipaddr = 192.168.56.1
require_message_authenticator = no
secret = "squid4030"
shortname = "squid"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/expr
Module: Linked to module rlm_counter
Module: Instantiating module "daily" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/counter
counter daily {
filename = "/var/log/radacct/timecounter/db.daily"
key = "User-Name"
reset = "daily"
count-attribute = "Acct-Session-Time"
counter-name = "Daily-Session-Time"
check-name = "Max-Daily-Session"
reply-name = "Session-Timeout"
cache-size = 5000
}
rlm_counter: Counter attribute Daily-Session-Time is number 11273
rlm_counter: Current Time: 1427396809 [2015-03-26 15:06:49], Next reset
1427428800 [2015-03-27 00:00:00]
Module: Instantiating module "weekly" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/counter
counter weekly {
filename = "/var/log/radacct/timecounter/db.weekly"
key = "User-Name"
reset = "weekly"
count-attribute = "Acct-Session-Time"
counter-name = "Weekly-Session-Time"
check-name = "Max-Weekly-Session"
reply-name = "Session-Timeout"
cache-size = 5000
}
rlm_counter: Counter attribute Weekly-Session-Time is number 11275
rlm_counter: Current Time: 1427396809 [2015-03-26 15:06:49], Next reset
1427601600 [2015-03-29 00:00:00]
Module: Instantiating module "monthly" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/counter
counter monthly {
filename = "/var/log/radacct/timecounter/db.monthly"
key = "User-Name"
reset = "monthly"
count-attribute = "Acct-Session-Time"
counter-name = "Monthly-Session-Time"
check-name = "Max-Monthly-Session"
reply-name = "Session-Timeout"
cache-size = 5000
}
rlm_counter: Counter attribute Monthly-Session-Time is number 11277
rlm_counter: Current Time: 1427396809 [2015-03-26 15:06:49], Next reset
1427860800 [2015-04-01 00:00:00]
Module: Instantiating module "forever" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/counter
counter forever {
filename = "/var/log/radacct/timecounter/db.forever"
key = "User-Name"
reset = "never"
count-attribute = "Acct-Session-Time"
counter-name = "Forever-Session-Time"
check-name = "Max-Forever-Session"
reply-name = "Session-Timeout"
cache-size = 5000
}
rlm_counter: Counter attribute Forever-Session-Time is number 11279
rlm_counter: Current Time: 1427396809 [2015-03-26 15:06:49], Next reset 0
[2015-03-26 15:00:00]
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file ?�(rlm_logintime
modules {
Module: Creating Auth-Type = MOTP
Module: Creating Auth-Type = digest
Module: Creating Auth-Type = LDAP
Module: Creating Autz-Type = Status-Server
Module: Creating Acct-Type = Status-Server
Module: Creating Post-Auth-Type = REJECT
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
allow_retry = yes
}
Module: Instantiating module "motp" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/motp
exec motp {
wait = yes
program = " /usr/pbi/freeradius-i386/etc/raddb/scripts/otpverify.sh
%{request:User-Name} %{request:User-Password} %{reply:MOTP-Init-Secret}
%{reply:MOTP-PIN} %{reply:MOTP-Offset}"
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/unix
unix {
radwtmp = "/var/log/radwtmp"
}
Module: Linked to module rlm_ldap
Module: Instantiating module "ldap" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/ldap
ldap {
server = "jetsms-srv2003.jetdom.local"
port = 389
password = "Tramontane10520"
expect_password = yes
identity = "cn=pfsense,cn=Users,dc=jetdom,dc=local"
net_timeout = 1
timeout = 4
timelimit = 3
max_uses = 0
tls_mode = no
start_tls = no
tls_require_cert = "allow"
tls {
start_tls = no
cacertfile =
"/usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem"
cacertdir = "/usr/pbi/freeradius-i386/etc/raddb/certs/"
certfile =
"/usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt"
keyfile =
"/usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key"
randfile = "/usr/pbi/freeradius-i386/etc/raddb/certs/random"
require_cert = "never"
}
basedn = "cn=Users,dc=jetdom,dc=local"
filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(objectclass=*)"
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter =
"(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))"
groupmembership_attribute = "*"
dictionary_mapping = "/usr/pbi/freeradius-i386/etc/raddb/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = yes
do_xlat = yes
set_auth_type = yes
keepalive {
idle = 60
probes = 3
interval = 3
}
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file
/usr/pbi/freeradius-i386/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS
Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS
Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS
Tunnel-Private-Group-Id
conns: 0x285164a0
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file
/usr/pbi/freeradius-i386/etc/raddb/eap.conf
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/usr/pbi/freeradius-i386/etc/raddb/certs"
pem_file_type = yes
private_key_file =
"/usr/pbi/freeradius-i386/etc/raddb/certs/server_key.pem"
certificate_file =
"/usr/pbi/freeradius-i386/etc/raddb/certs/server_cert.pem"
CA_file = "/usr/pbi/freeradius-i386/etc/raddb/certs/ca_cert.pem"
private_key_password = "whatever"
dh_file = "/usr/pbi/freeradius-i386/etc/raddb/certs/dh"
random_file = "/usr/pbi/freeradius-i386/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = no
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/preprocess
preprocess {
huntgroups = "/usr/pbi/freeradius-i386/etc/raddb/huntgroups"
hints = "/usr/pbi/freeradius-i386/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/huntgroups
reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/hints
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = yes
}
Module: Instantiating module "ntdomain" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/realm
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = yes
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/files
files {
usersfile = "/usr/pbi/freeradius-i386/etc/raddb/users"
acctusersfile = "/usr/pbi/freeradius-i386/etc/raddb/acct_users"
preproxy_usersfile = "/usr/pbi/freeradius-i386/etc/raddb/preproxy_users"
compat = "no"
}
reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/users
reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/acct_users
reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/preproxy_users
Module: Linked to module rlm_checkval
Module: Instantiating module "checkval" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/checkval
checkval {
item-name = "Calling-Station-Id"
check-name = "Calling-Station-Id"
data-type = "string"
notfound-reject = no
}
rlm_checkval: Registered name Calling-Station-Id for attribute 31
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier,
NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/detail
detail {
detailfile =
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating module "datacounterdaily" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct
exec datacounterdaily {
wait = yes
program = "/bin/sh
/usr/pbi/freeradius-i386/etc/raddb/scripts/datacounter_acct.sh
%{request:User-Name} daily %{request:Acct-Input-Octets}
%{request:Acct-Output-Octets}"
input_pairs = "request"
shell_escape = yes
}
Module: Instantiating module "datacounterweekly" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct
exec datacounterweekly {
wait = yes
program = "/bin/sh
/usr/pbi/freeradius-i386/etc/raddb/scripts/datacounter_acct.sh
%{request:User-Name} weekly %{request:Acct-Input-Octets}
%{request:Acct-Output-Octets}"
input_pairs = "request"
shell_escape = yes
}
Module: Instantiating module "datacountermonthly" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct
exec datacountermonthly {
wait = yes
program = "/bin/sh
/usr/pbi/freeradius-i386/etc/raddb/scripts/datacounter_acct.sh
%{request:User-Name} monthly %{request:Acct-Input-Octets}
%{request:Acct-Output-Octets}"
input_pairs = "request"
shell_escape = yes
}
Module: Instantiating module "datacounterforever" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct
exec datacounterforever {
wait = yes
program = "/bin/sh
/usr/pbi/freeradius-i386/etc/raddb/scripts/datacounter_acct.sh
%{request:User-Name} forever %{request:Acct-Input-Octets}
%{request:Acct-Output-Octets}"
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/radutmp
radutmp {
filename = "/var/log/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/usr/pbi/freeradius-i386/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file
/usr/pbi/freeradius-i386/etc/raddb/attrs.accounting_response
Module: Checking session {...} for more modules to load
Module: Checking pre-proxy {...} for more modules to load
Module: Instantiating module "attr_filter.pre-proxy" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter
attr_filter attr_filter.pre-proxy {
attrsfile = "/usr/pbi/freeradius-i386/etc/raddb/attrs.pre-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/attrs.pre-proxy
Module: Checking post-proxy {...} for more modules to load
Module: Instantiating module "attr_filter.post-proxy" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter
attr_filter attr_filter.post-proxy {
attrsfile = "/usr/pbi/freeradius-i386/etc/raddb/attrs"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/attrs
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/usr/pbi/freeradius-i386/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/attrs.access_reject
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 192.168.56.1
port = 1812
}
listen {
type = "acct"
ipaddr = 192.168.56.1
port = 1813
}
Listening on authentication address 192.168.56.1 port 1812
Listening on accounting address 192.168.56.1 port 1813
Listening on proxy address 192.168.56.1 port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.56.1 port 1783, id=24,
length=71
User-Name = "administrator"
User-Password = "jet10520b"
NAS-Port = 111
NAS-Port-Type = Async
NAS-IP-Address = 192.168.56.1
# Executing section authorize from file
/usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "administrator", skipping NULL due to config.
++[suffix] = noop
[ntdomain] No '\' in User-Name = "administrator", skipping NULL due to
config.
++[ntdomain] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[ldap] Entering ldap_groupcmp()
[files] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local
[files] expand: %{Stripped-User-Name} ->
[files] ... expanding second conditional
[files] expand: %{User-Name} -> administrator
[files] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=administrator)
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to jetsms-srv2003.jetdom.local:389, authentication 0
[ldap] setting TLS CACert File to
/usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem
[ldap] setting TLS CACert Directory to
/usr/pbi/freeradius-i386/etc/raddb/certs/
[ldap] setting TLS Require Cert to never
[ldap] setting TLS Cert File to
/usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt
[ldap] setting TLS Key File to
/usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key
[ldap] setting TLS Rand File to
/usr/pbi/freeradius-i386/etc/raddb/certs/random
[ldap] bind as cn=pfsense,cn=Users,dc=jetdom,dc=local/Tramontane10520 to
jetsms-srv2003.jetdom.local:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter
(sAMAccountName=administrator)
[ldap] ldap_release_conn: Release Id: 0
[files] expand: (|(&(objectClass=group)(member=%{control:Ldap-UserDn}))) ->
(|(&(objectClass=group)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal)))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter
(&(cn=internetaccess)(|(&(objectClass=group)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))))
rlm_ldap::ldap_groupcmp: User found in group internetaccess
[ldap] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 5
++[files] = ok
++policy redundant {
[ldap] performing user authorization for administrator
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> administrator
[ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=administrator)
[ldap] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter
(sAMAccountName=administrator)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] Pairs do not match. Rejecting user.
[ldap] ldap_release_conn: Release Id: 0
+++[ldap] = reject
++} # policy redundant = reject
+} # group authorize = reject
expand: ->
Invalid user ( [ldap] Pairs do not match): [administrator] (from client
squid port 111)
Using Post-Auth-Type REJECT
# Executing group from file
/usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> administrator
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 24 to 192.168.56.1 port 1783
rad_recv: Access-Request packet from host 192.168.56.1 port 1783, id=24,
length=71
Sending duplicate reply to client squid port 1783 - ID: 24
Sending Access-Reject of id 24 to 192.168.56.1 port 1783
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.56.1 port 1783, id=25,
length=71
User-Name = "administrator"
User-Password = "jet10520b"
NAS-Port = 111
NAS-Port-Type = Async
NAS-IP-Address = 192.168.56.1
# Executing section authorize from file
/usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "administrator", skipping NULL due to config.
++[suffix] = noop
[ntdomain] No '\' in User-Name = "administrator", skipping NULL due to
config.
++[ntdomain] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[ldap] Entering ldap_groupcmp()
[files] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local
[files] expand: %{Stripped-User-Name} ->
[files] ... expanding second conditional
[files] expand: %{User-Name} -> administrator
[files] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=administrator)
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter
(sAMAccountName=administrator)
[ldap] ldap_release_conn: Release Id: 0
[files] expand: (|(&(objectClass=group)(member=%{control:Ldap-UserDn}))) ->
(|(&(objectClass=group)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal)))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter
(&(cn=internetaccess)(|(&(objectClass=group)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))))
rlm_ldap::ldap_groupcmp: User found in group internetaccess
[ldap] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 5
++[files] = ok
++policy redundant {
[ldap] performing user authorization for administrator
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> administrator
[ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=administrator)
[ldap] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter
(sAMAccountName=administrator)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] Pairs do not match. Rejecting user.
[ldap] ldap_release_conn: Release Id: 0
+++[ldap] = reject
++} # policy redundant = reject
+} # group authorize = reject
expand: ->
Invalid user ( [ldap] Pairs do not match): [administrator] (from client
squid port 111)
Using Post-Auth-Type REJECT
# Executing group from file
/usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> administrator
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 25 to 192.168.56.1 port 1783
rad_recv: Access-Request packet from host 192.168.56.1 port 1783, id=25,
length=71
Sending duplicate reply to client squid port 1783 - ID: 25
Sending Access-Reject of id 25 to 192.168.56.1 port 1783
Waking up in 1.7 seconds.
rad_recv: Access-Request packet from host 192.168.56.1 port 1783, id=26,
length=71
User-Name = "administrator"
User-Password = "jet10520b"
NAS-Port = 111
NAS-Port-Type = Async
NAS-IP-Address = 192.168.56.1
# Executing section authorize from file
/usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "administrator", skipping NULL due to config.
++[suffix] = noop
[ntdomain] No '\' in User-Name = "administrator", skipping NULL due to
config.
++[ntdomain] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[ldap] Entering ldap_groupcmp()
[files] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local
[files] expand: %{Stripped-User-Name} ->
[files] ... expanding second conditional
[files] expand: %{User-Name} -> administrator
[files] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=administrator)
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter
(sAMAccountName=administrator)
[ldap] ldap_release_conn: Release Id: 0
[files] expand: (|(&(objectClass=group)(member=%{control:Ldap-UserDn}))) ->
(|(&(objectClass=group)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal)))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter
(&(cn=internetaccess)(|(&(objectClass=group)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))))
rlm_ldap::ldap_groupcmp: User found in group internetaccess
[ldap] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 5
++[files] = ok
++policy redundant {
[ldap] performing user authorization for administrator
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> administrator
[ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=administrator)
[ldap] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter
(sAMAccountName=administrator)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] Pairs do not match. Rejecting user.
[ldap] ldap_release_conn: Release Id: 0
+++[ldap] = reject
++} # policy redundant = reject
+} # group authorize = reject
expand: ->
Invalid user ( [ldap] Pairs do not match): [administrator] (from client
squid port 111)
Using Post-Auth-Type REJECT
# Executing group from file
/usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> administrator
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 26 to 192.168.56.1 port 1783
Waking up in 0.7 seconds.
rad_recv: Access-Request packet from host 192.168.56.1 port 1783, id=26,
length=71
Sending duplicate reply to client squid port 1783 - ID: 26
Sending Access-Reject of id 26 to 192.168.56.1 port 1783
Waking up in 0.7 seconds.
Cleaning up request 0 ID 24 with timestamp +13
Waking up in 3.2 seconds.
Cleaning up request 1 ID 25 with timestamp +17
Waking up in 0.9 seconds.
Cleaning up request 2 ID 26 with timestamp +18
Ready to process requests.
On Thu, Mar 26, 2015 at 12:56 PM, Jose Torres-Berrocal <
jetsystemservices at gmail.com> wrote:
> For the group/user attribute properties I see that probably this comes from
> Linux. If you can tell me the Linux command used to get that, I can search
> the Web for the MS equivalent.
> On Mar 26, 2015 9:54 AM, "Jose Torres-Berrocal" <
> jetsystemservices at gmail.com> wrote:
>
>> Thank you for the description of the attribute parameter. I began to
>> understand it. If I end up using the attribute parameter it would be "cn", and
>> the value "InternetAccess", as that is the group name. In which parameter
>> should I write the value, and what syntax on both?
>>
>> In terms of the base_filter, I still do not understand it, as I do not have
>> a radiusprofile, but use it in my config as the default. On pfsense I leave
>> this parameter empty, but the generated conf file includes it. Even though
>> I do not have a radiusprofile I successfully match my users/passwords
>> against AD. So it seems to be ignored.
>>
>> As for the Groups/Users attributes example you asked for, I need help getting
>> that. I just created the Group with the AD defaults using the MS AD GUI,
>> and assigned the user as a member without any fancy stuff.
>> On Mar 26, 2015 8:52 AM, "Ben Humpert" <ben at an3k.de> wrote:
>>
>>> 2015-03-26 3:20 GMT+01:00 Jose Torres-Berrocal <
>>> jetsystemservices at gmail.com>:
>>> > I have set up the group in groupmembership_attribute as a naive attempt
>>> > to accomplish my goal. If that is not the correct parameter I will really
>>> > appreciate your help on where I should set my Group and the syntax.
>>>
>>> Well, the setting clearly asks for an attribute such as sAMAccountName
>>> or userPassword. The name of a group is a value, the value of the
>>> attribute cn. So yes, it is not the correct parameter ;)
>>>
>>> > On my first email I included my LDAP.conf file as generated by pfsense.
>>> >
>>> > I think it is as close as needed because I was successful matching user/pass
>>> > with AD when groupmembership_attribute is default, but for all Users. Now
>>> > I need to change it to consider the Group.
>>>
>>> Setting up user authentication is kind of simple. You just need to
>>> match the basedn, filter and base_filter to your directory and that's
>>> it. After understanding how these settings are merged into a search
>>> request it is also easy to set up group authentication. I did so after
>>> working with XLAT; now it's easy for me, but before I had no clue at
>>> all what I was doing :)
>>> What helped me much was the information that, unlike in databases like
>>> *SQL, you always want to get only ONE result in Directories, thus the
>>> filter needs to be as strict as required to only find one user or
>>> group. If you found more, how should Radius know which is the
>>> correct entry?
>>>
>>> The original ldap file says the following about membership_filter
>>>
>>> "Filter to find group objects a user is a member of. That is, group
>>> objects with attributes that identify members (the inverse of
>>> membership_attribute)."
>>>
>>> and this about membership_attribute
>>>
>>> "The attribute in user objects which contain the names or DNs of
>>> groups a user is a member of. Unless a conversion between group name
>>> and group DN is needed, there's no requirement for the group objects
>>> referenced to actually exist."
>>>
>>> That means that if your groups have attributes which contain the names
>>> or uids of the users that are members of that group you do not use
>>> membership_attribute but membership_filter. If instead your users have
>>> attributes containing the names or gids of the groups the user is a
>>> member of then you use membership_attribute instead of
>>> membership_filter.
>>>
>>> What is the case in your setup? Could you post an example of a group
>>> and a user like the ones below?
>>>
>>> # Guest, Groups, example.com
>>> dn: cn=Guest,ou=Groups,dc=example,dc=com
>>> objectClass: posixGroup
>>> objectClass: top
>>> objectClass: radiusProfile
>>> cn: Guest
>>> gidNumber: 17068
>>> memberUid: guest
>>> memberUid: tobtsc
>>> memberUid: marhab
>>>
>>> # guest, Users, example.com
>>> dn: uid=guest,ou=Users,dc=example,dc=com
>>> objectClass: posixAccount
>>> objectClass: top
>>> objectClass: inetOrgPerson
>>> objectClass: radiusProfile
>>> gidNumber: 0
>>> uid: guest
>>> uidNumber: 18459
>>> dialupAccess: Yes
>>> cn: Guest
>>>
>>> As you can see, the attribute "memberUid" is used to store the names
>>> of those users who are members of the group Guest, thus
>>> membership_attribute is not in use in my setup.
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
>>
>>
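Added example, not code from this thread, FreeRADIUS or pfsense: a small Python model of the two LDAP searches the debug output shows rlm_ldap performing (find the user by sAMAccountName, then search for a group object whose member attribute holds that user's DN), run against a constructed in-memory directory. The basedn, filter, groupname_attribute and groupmembership_filter values are the ones posted in the thread; the directory entries, the extra "guest" user and the memberOf values are assumptions made up for the example. It demonstrates both strategies Ben describes (group-side lookup via groupmembership_filter, user-side lookup via groupmembership_attribute) and reproduces the hex escaping of "=" and "," (\3d, \2c) visible in the log, which is also what stops a crafted User-Name from rewriting the filter.

```python
"""Constructed model of the two rlm_ldap group lookups seen in the debug output.
Added example, not FreeRADIUS or pfsense code; the directory entries are invented."""
import re

# Constructed entries shaped like the AD objects in the thread (all values assumed).
DIRECTORY = [
    {"dn": "CN=Administrator,CN=Users,DC=jetdom,DC=local",
     "objectClass": ["top", "user"], "sAMAccountName": ["administrator"],
     "memberOf": ["CN=internetaccess,CN=Users,DC=jetdom,DC=local"]},
    {"dn": "CN=guest,CN=Users,DC=jetdom,DC=local",
     "objectClass": ["top", "user"], "sAMAccountName": ["guest"]},
    {"dn": "CN=internetaccess,CN=Users,DC=jetdom,DC=local",
     "objectClass": ["top", "group"], "cn": ["internetaccess"],
     "member": ["CN=Administrator,CN=Users,DC=jetdom,DC=local"]},
]

# Settings taken from the ldap configuration posted in the thread.
BASEDN = "cn=Users,dc=jetdom,dc=local"
USER_FILTER = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
GROUPNAME_ATTR = "cn"
GROUP_FILTER = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))"

def ldap_escape(value):
    """Hex-escape filter metacharacters: '=' and ',' because the debug output shows
    rlm_ldap emitting \\3d and \\2c for them, plus the RFC 4515 set '*()\\' and NUL."""
    return "".join("\\%02x" % ord(c) if c in "*()\\=,\0" else c for c in value)

def ldap_unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def xlat(template, attrs):
    """Expand %{Attr} and the %{%{A}:-%{B}} default form, escaping inserted values."""
    def default(m):
        return "%{" + (m.group(1) if attrs.get(m.group(1)) else m.group(2)) + "}"
    template = re.sub(r"%\{%\{([\w:-]+)\}:-%\{([\w:-]+)\}\}", default, template)
    return re.sub(r"%\{([\w:-]+)\}",
                  lambda m: ldap_escape(attrs.get(m.group(1), "")), template)

def parse_filter(s, pos=0):
    """Recursive-descent parser for the RFC 4515 subset used in the thread."""
    assert s[pos] == "("
    pos += 1
    if s[pos] in "&|":
        op, kids, pos = s[pos], [], pos + 1
        while s[pos] == "(":
            kid, pos = parse_filter(s, pos)
            kids.append(kid)
        return (op, kids), pos + 1
    if s[pos] == "!":
        kid, pos = parse_filter(s, pos + 1)
        return ("!", [kid]), pos + 1
    end = s.index(")", pos)
    attr, _, value = s[pos:end].partition("=")
    return ("=", attr, value), end + 1

def matches(node, entry):
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = [v for k, vs in entry.items() if k != "dn" and k.lower() == attr.lower() for v in vs]
    if value == "*":                       # presence test, e.g. (objectclass=*)
        return bool(values)
    return ldap_unescape(value).lower() in [v.lower() for v in values]

def search(base, filt):
    """Subtree search: entries under base whose attributes satisfy the filter."""
    node, _ = parse_filter(filt)
    return [e for e in DIRECTORY
            if e["dn"].lower().endswith(base.lower()) and matches(node, e)]

def find_user_dn(username):
    request = {"User-Name": username, "Stripped-User-Name": ""}
    users = search(BASEDN, xlat(USER_FILTER, request))
    return users[0]["dn"] if len(users) == 1 else None   # filter must isolate one entry

def group_search_filter(groupname, user_dn):
    """The combined filter rlm_ldap logs as 'performing search ... with filter'."""
    expanded = xlat(GROUP_FILTER, {"control:Ldap-UserDn": user_dn})
    return "(&(%s=%s)%s)" % (GROUPNAME_ATTR, ldap_escape(groupname), expanded)

def ldap_groupcmp(username, groupname):
    """Group-side check (groupmembership_filter): does a group object name the user's DN?"""
    user_dn = find_user_dn(username)
    return user_dn is not None and len(search(BASEDN, group_search_filter(groupname, user_dn))) == 1

def groupcmp_via_user_attribute(username, groupname, attr="memberOf"):
    """User-side check (groupmembership_attribute): read group names or DNs off the
    user object and resolve DNs through groupname_attribute."""
    user_dn = find_user_dn(username)
    if user_dn is None:
        return False
    for value in search(user_dn, "(objectclass=*)")[0].get(attr, []):
        if value.lower() == groupname.lower():          # plain group name stored on the user
            return True
        if "=" in value:                                # a DN: look at its groupname_attribute
            names = [n.lower() for g in search(value, "(objectclass=*)") for n in g.get(GROUPNAME_ATTR, [])]
            if groupname.lower() in names:
                return True
    return False
```

Calling `ldap_groupcmp("administrator", "internetaccess")` reproduces the "User found in group internetaccess" step of the log, and `group_search_filter` returns exactly the escaped filter string printed there. As in the debug output, the group check itself passes; the Access-Reject in the log is produced afterwards by the ldap module's check-item comparison ("Pairs do not match"), which this model does not cover.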