Ldap/freeradius gidnumber attribute check issue

Matthew Newton mcn4 at leicester.ac.uk
Fri Sep 4 11:20:03 CEST 2015

On Thu, Sep 03, 2015 at 11:06:17PM -0500, David Francisco Rodriguez Perez wrote:
> Sorry it was my first post and only one week with the openldap and
> freeradius. Thanks for the feedback and patience.

You're doing pretty well if you've only just started with both
these and got that far in one week.

> Now going back to the output below (too big), where I put in the users file
> DEFAULT GroupNumber == 5000
> Filter-Id :="test"

You're calling 'ldap' after 'files', so this check will happen
first before GroupNumber has been defined, hence you don't get a

> Sending tunneled request
>         EAP-Message = 0x0205000a016461766964
>         FreeRADIUS-Proxied-To =
>         User-Name = "david"
> server inner-tunnel {
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/inner-tunnel
> +- entering group authorize {...}
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "david", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> ++[control] returns noop
> [eap] EAP packet type response id 5 length 10
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop

^^^^^ files

vvvvv ldap

> [ldap] performing user authorization for david
> [ldap]  expand: %{Stripped-User-Name} ->
> [ldap]  ... expanding second conditional
> [ldap]  expand: %{User-Name} -> david
> [ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=david)
> [ldap]  expand: dc=testexample,dc=com -> dc=testexample,dc=com
>   [ldap] ldap_get_conn: Checking Id: 0
>   [ldap] ldap_get_conn: Got Id: 0
>   [ldap] attempting LDAP reconnection
>   [ldap] (re)connect to localhost:389, authentication 0
>   [ldap] bind as cn=admin,dc=testexample,dc=com/test2004 to localhost:389
>   [ldap] waiting for bind result ...
>   [ldap] Bind was successful
>   [ldap] performing search in dc=testexample,dc=com, with filter (uid=david)
> [ldap] checking if remote access for david is allowed by dialupAccess
> [ldap] Added User-Password = david in check items
> [ldap] No default NMAS login sequence
> [ldap] looking for check items in directory...
>   [ldap] gidNumber -> GroupNumber == 5000

Try putting "files" after "ldap" in the inner-tunnel.

You'll need "use_tunneled_reply = yes" in your eap.conf peap{}

> But I do not see that the match is working. I even tried to put in the
> authorize part of the default file
> update reply {
>             Filter-Id:= %(GroupNumber)
> }

update reply {
  Filter-Id := "%{GroupNumber}"
}

after "ldap" in the inner-tunnel.

To get the Ldap-Group things working which, as Alan said, is
probably the cleanest way to do it, configure the "group
membership checking" section in the modules/ldap config.

When you paste the debug output, please paste it all from the top
starting at

FreeRADIUS Version 3.0.6 (git #3e7556c), for host x86_64-unknown-linux-gnu, built on Dec 15 2014 at 15:29:17
Copyright (C) 1999-2014 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A

otherwise we don't get to see most of the useful information about
the server configuration.

On Thu, Sep 03, 2015 at 09:42:35AM -0500, David Francisco Rodriguez Perez wrote:
> I am using freeradius to do 802.1x authentication (Peap/mschapv2) to an
> LDAP (openldap). Freeradius version 2.1.10 in Ubuntu 12.04.  This is a

Note that this version is ancient. You should run the latest 2.2.8
version, or preferably if you are just starting then go straight
for 3.0.9, as 2.2 is end of life now. Building packages for Ubuntu
is easy - see the wiki.



Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
