Freeradius + Ldap - Authorise OK but NO dynamic VLANs
Matthew Pulis
mpulis at gmail.com
Tue Aug 16 20:36:02 CEST 2016
Dear Buxley,
Thanks for your reply.
I want to assign the VLAN according to which cn in LDAP is the user
assigned. So ttester since he is in
cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local
he should get VLAN ID 12.
I only have one virtual-server so I guess the default should work no?
I took your advice to upgrade and this is the new version: freeradius:
FreeRADIUS Version 2.2.8, for host x86_64-pc-linux-gnu, built on Apr 5 2016
at 13:40:43
which shows not a single sign of policy to set the VLAN <- this is why
I am so lost as to why it is not working :S
Some configs which I guess you might find useful to help me please:
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
modules {
Module: Creating Auth-Type = digest
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file /etc/freeradius/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to module rlm_ldap
Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap
ldap {
server = "seminary.local"
port = 389
password = "FAKEPASS"
expect_password = yes
identity = "cn=admin,dc=seminary,dc=local"
net_timeout = 1
timeout = 4
timelimit = 3
max_uses = 0
tls_mode = no
start_tls = no
tls_require_cert = "allow"
tls {
start_tls = no
require_cert = "allow"
}
basedn = "ou=SeminaryOU,dc=seminary,dc=local"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
groupmembership_attribute = "radiusGroupName"
dictionary_mapping = "/etc/freeradius/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
edir_account_policy_check = no
set_auth_type = yes
keepalive {
idle = 60
probes = 3
interval = 3
}
}
Thanks for your support :)
Matthew Pulis
web: www.matthewpulis.info
mob: +356 79539404
On Tue, Aug 16, 2016 at 11:14 AM, Matthew Pulis <mpulis at gmail.com> wrote:
> Hi all,
>
> I am trying to have dynamic VLAN assignment on Freeradius based on LDAP.
> The connection between Freeradius and LDAP works fine. If I test with a
> user I get the Authorise packet but not the dynamic VLAN assignment. We
> will be testing using this LDAP user:
>
> # ttester, SeminaryAdmin, SeminaryOU, seminary.local
> dn: cn=ttester,cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local
> cn: ttester
> givenName: Test
> gidNumber: 505
> homeDirectory: /home/users/ttester
> sn: Tester
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> uidNumber: 1002
> uid: ttester
>
>
> This is the received reply:
> radius at daloradius:~$ radtest -x ttester openldap localhost 1812
> testing456 Sending Access-Request of id 30 to 127.0.0.1 port 1812
> User-Name = "ttester"
> User-Password = "openldap"
> NAS-IP-Address = 127.0.1.1
> NAS-Port = 1812
> Message-Authenticator = 0x00000000000000000000000000000000
> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=30,
> length=20
>
> Freeradius version:
> FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Feb 27
> 2015 at 12:38:34
>
> This is an extract of the Freeradius debug:
>
>
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1 port 38281, id=59,
> length=77
> User-Name = "ttester"
> User-Password = "openldap"
> NAS-IP-Address = 127.0.1.1
> NAS-Port = 1812
> Message-Authenticator = 0xbe303901f2b855fb146f2f1fda9cd3fd
> # Executing section authorize from file /etc/freeradius/sites-enabled/
> default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "ttester", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> [ldap] performing user authorization for ttester
> [ldap] expand: %{Stripped-User-Name} ->
> [ldap] ... expanding second conditional
> [ldap] expand: %{User-Name} -> ttester
> [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
> (uid=ttester)
> [ldap] expand: ou=SeminaryOU,dc=seminary,dc=local ->
> ou=SeminaryOU,dc=seminary,dc=local
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] attempting LDAP reconnection
> [ldap] (re)connect to seminary.local:389, authentication 0
> [ldap] bind as cn=admin,dc=seminary,dc=local/FalseBINDINGPASS to
> seminary.local:389
> [ldap] waiting for bind result ...
> [ldap] Bind was successful
> * [ldap] performing search in ou=SeminaryOU,dc=seminary,dc=local, with
> filter (uid=ttester)*
> [ldap] No default NMAS login sequence
> [ldap] looking for check items in directory...
> [ldap] userPassword -> Password-With-Header == "{SSHA}T4sU9zSLN/Auop+
> ImthH4nLyLG/rPU0R"
> [ldap] looking for reply items in directory...
> [ldap] user ttester authorized to use remote access
> [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns updated
> Found Auth-Type = PAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group PAP {...}
> [pap] login attempt with password "openldap"
> [pap] Using SSHA encryption.
> [pap] Normalizing SSHA1-Password from base64 encoding
> [pap] User authenticated successfully
> ++[pap] returns ok
> Login OK: [ttester] (from client localhost port 1812)
> # Executing section post-auth from file /etc/freeradius/sites-enabled/
> default
> +- entering group post-auth {...}
> ++[exec] returns noop
> Sending Access-Accept of id 59 to 127.0.0.1 port 38281
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 59 with timestamp +5
> Ready to process requests.
>
>
> In any tutorials I am following this line: [ldap] performing search in
> ou=SeminaryOU,dc=seminary,dc=local, with filter (uid=ttester) .... should
> have the filter but in mine this is not coming.
>
> I am following this tutorial mainly: https://system-eng.blogspot.
> com.mt/2015/12/setting-up-freeradius-in-debian-with_28.
> html?showComment=1470925094566
>
> My config files:
>
> /etc/freeradius/modules/ldap : http://paste.ubuntu.com/23060929/
> /etc/freeradius/sites-available/inner-tunnel : http://paste.ubuntu.com/
> 23060930/
> /etc/freeradius/sites-available/default : http://paste.ubuntu.com/
> 23060931/
> /etc/freeradius/users : http://paste.ubuntu.com/23060935/
>
> Any idea where I should start looking at the problem please?
>
> Thanks and best regards
>
> Matthew
>
>
> Matthew Pulis
> web: www.matthewpulis.info
> mob: +356 79539404
>
More information about the Freeradius-Users
mailing list