Freeradius + Ldap - Authorise OK but NO dynamic VLANs

Matthew Pulis mpulis at gmail.com
Tue Aug 16 20:36:02 CEST 2016


Dear Buxley,

Thanks for your reply.

I want to assign the VLAN according to which cn in LDAP the user is
assigned to. So ttester, since he is in
cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local,
he should get VLAN ID 12.

I only have one virtual-server, so I guess the default should work, no?

I took your advice to upgrade and this is the new version:
freeradius: FreeRADIUS Version 2.2.8, for host x86_64-pc-linux-gnu, built on Apr 5 2016 at 13:40:43

which shows not a single sign of a policy to set the VLAN <- this is why
I am so lost as to why it is not working :S


Some configs which I guess you might find useful to help me please:


radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
 modules {
  Module: Creating Auth-Type = digest
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
  pap {
        encryption_scheme = "auto"
        auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
 Module: Linked to module rlm_mschap
 Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap
  mschap {
        use_mppe = yes
        require_encryption = no
        require_strong = no
        with_ntdomain_hack = no
        allow_retry = yes
  }
 Module: Linked to module rlm_digest
 Module: Instantiating module "digest" from file /etc/freeradius/modules/digest
 Module: Linked to module rlm_unix
 Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
  unix {
        radwtmp = "/var/log/freeradius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
  eap {
        default_eap_type = "peap"
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 4096
  }

 Module: Instantiating eap-peap
   peap {
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        proxy_tunneled_request_as_eap = yes
        virtual_server = "inner-tunnel"
        soh = no
   }

Module: Linked to module rlm_ldap
 Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap
  ldap {
        server = "seminary.local"
        port = 389
        password = "FAKEPASS"
        expect_password = yes
        identity = "cn=admin,dc=seminary,dc=local"
        net_timeout = 1
        timeout = 4
        timelimit = 3
        max_uses = 0
        tls_mode = no
        start_tls = no
        tls_require_cert = "allow"
   tls {
        start_tls = no
        require_cert = "allow"
   }
        basedn = "ou=SeminaryOU,dc=seminary,dc=local"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        base_filter = "(objectclass=radiusprofile)"
        auto_header = no
        access_attr_used_for_allow = yes
        groupname_attribute = "cn"
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
        groupmembership_attribute = "radiusGroupName"
        dictionary_mapping = "/etc/freeradius/ldap.attrmap"
        ldap_debug = 0
        ldap_connections_number = 5
        compare_check_items = no
        do_xlat = yes
        edir_account_policy_check = no
        set_auth_type = yes
   keepalive {
        idle = 60
        probes = 3
        interval = 3
   }
  }

Thanks for your support :)




Matthew Pulis
web:   www.matthewpulis.info
mob:   +356 79539404

On Tue, Aug 16, 2016 at 11:14 AM, Matthew Pulis <mpulis at gmail.com> wrote:

> Hi all,
>
> I am trying to have dynamic VLAN assignment on Freeradius based on LDAP.
> The connection between Freeradius and LDAP works fine. If I test with a
> user I get the Authorise packet but not the dynamic VLAN assignment. We
> will be testing using this LDAP user:
>
> # ttester, SeminaryAdmin, SeminaryOU, seminary.local
> dn: cn=ttester,cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local
> cn: ttester
> givenName: Test
> gidNumber: 505
> homeDirectory: /home/users/ttester
> sn: Tester
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> uidNumber: 1002
> uid: ttester
>
>
> This is the received reply:
> radius at daloradius:~$ radtest -x ttester openldap localhost 1812 testing456
> Sending Access-Request of id 30 to 127.0.0.1 port 1812
>         User-Name = "ttester"
>         User-Password = "openldap"
>         NAS-IP-Address = 127.0.1.1
>         NAS-Port = 1812
>         Message-Authenticator = 0x00000000000000000000000000000000
> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=30, length=20
>
> Freeradius version:
> FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Feb 27 2015 at 12:38:34
>
> This is an extract of the Freeradius debug:
>
>
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1 port 38281, id=59, length=77
>         User-Name = "ttester"
>         User-Password = "openldap"
>         NAS-IP-Address = 127.0.1.1
>         NAS-Port = 1812
>         Message-Authenticator = 0xbe303901f2b855fb146f2f1fda9cd3fd
> # Executing section authorize from file /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "ttester", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> [ldap] performing user authorization for ttester
> [ldap]  expand: %{Stripped-User-Name} ->
> [ldap]  ... expanding second conditional
> [ldap]  expand: %{User-Name} -> ttester
> [ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=ttester)
> [ldap]  expand: ou=SeminaryOU,dc=seminary,dc=local -> ou=SeminaryOU,dc=seminary,dc=local
>   [ldap] ldap_get_conn: Checking Id: 0
>   [ldap] ldap_get_conn: Got Id: 0
>   [ldap] attempting LDAP reconnection
>   [ldap] (re)connect to seminary.local:389, authentication 0
>   [ldap] bind as cn=admin,dc=seminary,dc=local/FalseBINDINGPASS to seminary.local:389
>   [ldap] waiting for bind result ...
>   [ldap] Bind was successful
> *  [ldap] performing search in ou=SeminaryOU,dc=seminary,dc=local, with filter (uid=ttester)*
> [ldap] No default NMAS login sequence
> [ldap] looking for check items in directory...
>   [ldap] userPassword -> Password-With-Header == "{SSHA}T4sU9zSLN/Auop+ImthH4nLyLG/rPU0R"
> [ldap] looking for reply items in directory...
> [ldap] user ttester authorized to use remote access
>   [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns updated
> Found Auth-Type = PAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group PAP {...}
> [pap] login attempt with password "openldap"
> [pap] Using SSHA encryption.
> [pap] Normalizing SSHA1-Password from base64 encoding
> [pap] User authenticated successfully
> ++[pap] returns ok
> Login OK: [ttester] (from client localhost port 1812)
> # Executing section post-auth from file /etc/freeradius/sites-enabled/default
> +- entering group post-auth {...}
> ++[exec] returns noop
> Sending Access-Accept of id 59 to 127.0.0.1 port 38281
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 59 with timestamp +5
> Ready to process requests.
>
>
> In all the tutorials I am following, this line:   [ldap] performing search in
> ou=SeminaryOU,dc=seminary,dc=local, with filter (uid=ttester) .... should
> have the filter, but in mine this is not coming.
>
> I am following this tutorial mainly: https://system-eng.blogspot.com.mt/2015/12/setting-up-freeradius-in-debian-with_28.html?showComment=1470925094566
>
> My config files:
>
> /etc/freeradius/modules/ldap : http://paste.ubuntu.com/23060929/
> /etc/freeradius/sites-available/inner-tunnel : http://paste.ubuntu.com/23060930/
> /etc/freeradius/sites-available/default : http://paste.ubuntu.com/23060931/
> /etc/freeradius/users : http://paste.ubuntu.com/23060935/
>
> Any idea where I should start looking at the problem please?
>
> Thanks and best regards
>
> Matthew
>
>
> Matthew Pulis
> web:   www.matthewpulis.info
> mob:   +356 79539404
>
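Since the debug output above contains no policy that sets VLAN attributes, here is an added example (not from this thread or from the FreeRADIUS project) of how a FreeRADIUS 2.x server maps the SeminaryAdmin group to VLAN 12 using the ldap module's Ldap-Group check as configured above. It assumes that cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local is a groupOfNames or groupOfUniqueNames entry whose member/uniqueMember attribute lists the user's DN (which the groupmembership_filter shown requires), and that the NAS is a switch honouring the RFC 3580 Tunnel-* attributes.

```text
# /etc/freeradius/sites-enabled/default, authorize section (FreeRADIUS 2.x unlang).
# Existing module calls stay as they are; the check sits after the ldap call,
# because the ldap module is what resolves Ldap-Group via groupmembership_filter.
authorize {
        # ... preprocess, chap, mschap, digest, suffix, eap ... (unchanged)
        ldap
        # ... expiration, logintime, pap ... (unchanged)

        # Members of the SeminaryAdmin group get VLAN 12 (RFC 3580 attributes).
        # A value without "=" is compared against groupname_attribute (cn), so
        # "SeminaryAdmin" matches only if that entry is a groupOfNames or
        # groupOfUniqueNames listing Ldap-UserDn as member/uniqueMember, or if
        # the user's own entry carries radiusGroupName = SeminaryAdmin
        # (groupmembership_attribute). A plain container entry that merely sits
        # above cn=ttester in the tree is not seen as a group by either check.
        if (Ldap-Group == "SeminaryAdmin") {
                update reply {
                        Tunnel-Type := VLAN
                        Tunnel-Medium-Type := IEEE-802
                        Tunnel-Private-Group-Id := "12"
                }
        }
}

# Equivalent check in /etc/freeradius/users (use one form or the other, not both):
# DEFAULT Ldap-Group == "SeminaryAdmin"
#         Tunnel-Type = VLAN,
#         Tunnel-Medium-Type = IEEE-802,
#         Tunnel-Private-Group-Id = 12

# /etc/freeradius/eap.conf, peap { } block. The debug output above shows
# use_tunneled_reply = no, which drops reply attributes set inside inner-tunnel
# from the outer Access-Accept. For PEAP/MSCHAPv2 supplicants the VLAN
# attributes only reach the switch with:
#         use_tunneled_reply = yes
```

The radtest run in the quoted message is plain PAP against the default virtual server, so for that test the authorize-section update alone is enough to make Tunnel-* attributes appear in the Access-Accept; the eap.conf change matters once real 802.1X clients authenticate through the inner-tunnel.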