Help Please
Adam Schappell
aschappell at clearedgeit.com
Mon Mar 30 15:19:46 CEST 2015
How do I get a Reject when I am connecting with the same user as I did to
connect to LDAP? I get bind successful, so why is this not successful?
rad_recv: Access-Request packet from host 10.0.1.56 port 62107, id=21, length=46
User-Name = "radius"
User-Password = "ceadmin"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 67
++[files] returns ok
[sql] expand: %{User-Name} -> radius
[sql] sql_set_user escaped user --> 'radius'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'radius' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'radius' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
[sql] User radius not found
++[sql] returns notfound
[ldap] performing user authorization for radius
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> radius
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=radius)
[ldap] expand: dc=corp,dc=clearedgeit,dc=com -> dc=corp,dc=clearedgeit,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to dc1.corp.clearedgeit.com:389, authentication 0
[ldap] bind as cn=radius,ou=users,ou=jessup,ou=clearedge,dc=corp,dc=clearedgeit,dc=com/ceadmin to dc1.corp.clearedgeit.com:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter (uid=radius)
[ldap] rebind to URL ldap://ForestDnsZones.corp.clearedgeit.com/DC=ForestDnsZones,DC=corp,DC=clearedgeit,DC=com
[ldap] rebind to URL ldap://DomainDnsZones.corp.clearedgeit.com/DC=DomainDnsZones,DC=corp,DC=clearedgeit,DC=com
[ldap] rebind to URL ldap://corp.clearedgeit.com/CN=Configuration,DC=corp,DC=clearedgeit,DC=com
[ldap] object not found
[ldap] search failed
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = LDAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group LDAP {...}
[ldap] login attempt by "radius" with password "ceadmin"
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> radius
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=radius)
[ldap] expand: dc=corp,dc=clearedgeit,dc=com -> dc=corp,dc=clearedgeit,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter (uid=radius)
[ldap] rebind to URL ldap://ForestDnsZones.corp.clearedgeit.com/DC=ForestDnsZones,DC=corp,DC=clearedgeit,DC=com
[ldap] rebind to URL ldap://DomainDnsZones.corp.clearedgeit.com/DC=DomainDnsZones,DC=corp,DC=clearedgeit,DC=com
[ldap] rebind to URL ldap://corp.clearedgeit.com/CN=Configuration,DC=corp,DC=clearedgeit,DC=com
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> radius
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.7 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 21 to 10.0.1.56 port 62107
Waking up in 4.9 seconds.
Adam Schappell
System Administrator II
Clearedge IT Solutions, LLC
10620 Guilford Road
Jessup, MD 20794
Office:443-212-4712
Fax:443-212-4809
www.ClearEdgeIT.com <http://www.clearedgeit.com/>
On Fri, Mar 27, 2015 at 2:33 PM, Matthew Newton <mcn4 at leicester.ac.uk> wrote:
> On Fri, Mar 27, 2015 at 02:18:06PM -0400, Adam Schappell wrote:
> > I get that and see that but there is no ldap in radius.conf, do you all see
> > anything wrong with my bind dn?
>
> Ah... there is only one config file: radius.conf. This includes
> all the other configuration, so look in your ldap config.
>
> Matthew
>
>
> --
> Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
>
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
>
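
The debug output in this message records two separate LDAP operations: the module's own bind to the directory, and the search for the user's entry. As an added example (not part of the original post and not FreeRADIUS code), this Python script pulls both out of such output and reports each outcome; the sample log lines are constructed and the function names are hypothetical.

```python
import re

# Constructed sample in the format of the debug output above (not the poster's log).
SAMPLE = """\
[ldap] bind as cn=svc,ou=users,dc=example,dc=com/secret to dc1.example.com:389
[ldap] Bind was successful
[ldap] performing search in dc=example,dc=com, with filter (uid=radius)
[ldap] object not found
[ldap] search failed
++[ldap] returns notfound
[ldap] login attempt by "radius" with password "secret"
[ldap] performing search in dc=example,dc=com, with filter (uid=radius)
[ldap] object not found
++[ldap] returns notfound
"""

# The password after the last '/' of the bind line is matched but never captured.
BIND = re.compile(r"\[ldap\] bind as (?P<dn>.+)/\S* to (?P<host>\S+)$")
SEARCH = re.compile(r"\[ldap\] performing search in (?P<base>.+), with filter (?P<filter>\(.*\))$")
RETURN = re.compile(r"\+\+\[ldap\] returns (?P<rcode>\w+)$")

def ldap_steps(log):
    """Return the [ldap] module steps seen in the log, in order, with each outcome."""
    steps = []
    for line in (l.strip() for l in log.splitlines()):
        last = steps[-1] if steps else {}
        if m := BIND.match(line):
            steps.append({"step": "bind", "dn": m["dn"], "result": "pending"})
        elif line == "[ldap] Bind was successful" and last.get("step") == "bind":
            last["result"] = "ok"
        elif m := SEARCH.match(line):
            steps.append({"step": "search", "base": m["base"],
                          "filter": m["filter"], "result": "pending"})
        elif line == "[ldap] object not found" and last.get("step") == "search":
            last["result"] = "notfound"
        elif m := RETURN.match(line):
            steps.append({"step": "return", "result": m["rcode"]})
    return steps

def diagnose(steps):
    """Report the pattern where the bind succeeds but the user search matches nothing."""
    bound = any(s["step"] == "bind" and s["result"] == "ok" for s in steps)
    missed = [s for s in steps if s["step"] == "search" and s["result"] == "notfound"]
    if bound and missed:
        return f"bind ok, but no entry matched {missed[0]['filter']} under {missed[0]['base']}"
    return "no bind-ok/search-notfound pattern"
```
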