Freeradius + Ldap - Authorise OK but NO dynamic VLANs
Matthew Pulis
mpulis at gmail.com
Thu Aug 18 12:10:02 CEST 2016
Hi,
Fixed the syntax error. But now authentication is not working. Would truly
appreciate your help :)
This is
ttester: cn=ttester,cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local
Thu Aug 18 12:01:24 2016 : Debug: Listening on proxy address * port 1814
Thu Aug 18 12:01:24 2016 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 35174, id=199,
length=77
User-Name = "ttester"
User-Password = "openldap"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Message-Authenticator = 0x8d240eb2d64bf34cbd940c5728a88e14
Thu Aug 18 12:01:29 2016 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/default
Thu Aug 18 12:01:29 2016 : Info: +group authorize {
Thu Aug 18 12:01:29 2016 : Info: ++[preprocess] = ok
Thu Aug 18 12:01:29 2016 : Info: ++[chap] = noop
Thu Aug 18 12:01:29 2016 : Info: ++[mschap] = noop
Thu Aug 18 12:01:29 2016 : Info: ++[digest] = noop
Thu Aug 18 12:01:29 2016 : Info: [suffix] No '@' in User-Name = "ttester",
looking up realm NULL
Thu Aug 18 12:01:29 2016 : Info: [suffix] No such realm "NULL"
Thu Aug 18 12:01:29 2016 : Info: ++[suffix] = noop
Thu Aug 18 12:01:29 2016 : Info: [eap] No EAP-Message, not doing EAP
Thu Aug 18 12:01:29 2016 : Info: ++[eap] = noop
Thu Aug 18 12:01:29 2016 : Info: ++[files] = noop
Thu Aug 18 12:01:29 2016 : Info: [ldap] performing user authorization for
ttester
Thu Aug 18 12:01:29 2016 : Info: [ldap] expand:
%{Stripped-User-Name} ->
Thu Aug 18 12:01:29 2016 : Info: [ldap] ... expanding second
conditional
Thu Aug 18 12:01:29 2016 : Info: [ldap] expand: %{User-Name} ->
ttester
Thu Aug 18 12:01:29 2016 : Info: [ldap] expand:
(uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=ttester)
Thu Aug 18 12:01:29 2016 : Info: [ldap] expand:
ou=SeminaryOU,dc=seminary,dc=local -> ou=SeminaryOU,dc=seminary,dc=local
Thu Aug 18 12:01:29 2016 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Thu Aug 18 12:01:29 2016 : Debug: [ldap] ldap_get_conn: Got Id: 0
Thu Aug 18 12:01:29 2016 : Debug: [ldap] attempting LDAP reconnection
Thu Aug 18 12:01:29 2016 : Debug: [ldap] (re)connect to
seminary.local:389, authentication 0
Thu Aug 18 12:01:29 2016 : Debug: [ldap] bind as
cn=admin,dc=seminary,dc=local/S3m1n4ry to seminary.local:389
Thu Aug 18 12:01:29 2016 : Debug: [ldap] waiting for bind result ...
Thu Aug 18 12:01:29 2016 : Debug: [ldap] Bind was successful
Thu Aug 18 12:01:29 2016 : Debug: [ldap] performing search in
ou=SeminaryOU,dc=seminary,dc=local, with filter (uid=ttester)
Thu Aug 18 12:01:29 2016 : Info: [ldap] No default NMAS login sequence
Thu Aug 18 12:01:29 2016 : Info: [ldap] looking for check items in
directory...
Thu Aug 18 12:01:29 2016 : Debug: [ldap] userPassword ->
Password-With-Header == "{SSHA}T4sU9zSLN/Auop+ImthH4nLyLG/rPU0R"
Thu Aug 18 12:01:29 2016 : Info: [ldap] looking for reply items in
directory...
Thu Aug 18 12:01:29 2016 : Debug: [ldap] ldap_release_conn: Release Id: 0
Thu Aug 18 12:01:29 2016 : Info: ++[ldap] = ok
Thu Aug 18 12:01:29 2016 : Info: ++[expiration] = noop
Thu Aug 18 12:01:29 2016 : Info: ++[logintime] = noop
Thu Aug 18 12:01:29 2016 : Info: ++[pap] = updated
Thu Aug 18 12:01:29 2016 : Info: +} # group authorize = updated
Thu Aug 18 12:01:29 2016 : Info: Found Auth-Type = PAP
Thu Aug 18 12:01:29 2016 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Thu Aug 18 12:01:29 2016 : Info: +group PAP {
Thu Aug 18 12:01:29 2016 : Info: [pap] login attempt with password
"openldap"
Thu Aug 18 12:01:29 2016 : Info: [pap] Using SSHA encryption.
Thu Aug 18 12:01:29 2016 : Info: [pap] Normalizing SSHA1-Password from
base64 encoding
Thu Aug 18 12:01:29 2016 : Info: [pap] User authenticated successfully
Thu Aug 18 12:01:29 2016 : Info: ++[pap] = ok
Thu Aug 18 12:01:29 2016 : Info: +} # group PAP = ok
Thu Aug 18 12:01:29 2016 : Info: # Executing section post-auth from file
/etc/freeradius/sites-enabled/default
Thu Aug 18 12:01:29 2016 : Info: +group post-auth {
Thu Aug 18 12:01:29 2016 : Info: ++? if (Ldap-Group == "Management")
Thu Aug 18 12:01:29 2016 : Debug: [ldap] Entering ldap_groupcmp()
Thu Aug 18 12:01:29 2016 : Info: expand:
ou=SeminaryOU,dc=seminary,dc=local -> ou=SeminaryOU,dc=seminary,dc=local
Thu Aug 18 12:01:29 2016 : Info: expand:
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
->
(|(&(objectClass=GroupOfNames)(member=cn\3dttester\2ccn\3dSeminaryAdmin\2cou\3dSeminaryOU\2cdc\3dseminary\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dttester\2ccn\3dSeminaryAdmin\2cou\3dSeminaryOU\2cdc\3dseminary\2cdc\3dlocal)))
Thu Aug 18 12:01:29 2016 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Thu Aug 18 12:01:29 2016 : Debug: [ldap] ldap_get_conn: Got Id: 0
Thu Aug 18 12:01:29 2016 : Debug: [ldap] performing search in
ou=SeminaryOU,dc=seminary,dc=local, with filter
(&(cn=Management)(|(&(objectClass=GroupOfNames)(member=cn\3dttester\2ccn\3dSeminaryAdmin\2cou\3dSeminaryOU\2cdc\3dseminary\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dttester\2ccn\3dSeminaryAdmin\2cou\3dSeminaryOU\2cdc\3dseminary\2cdc\3dlocal))))
Thu Aug 18 12:01:29 2016 : Debug: [ldap] object not found
Thu Aug 18 12:01:29 2016 : Debug: [ldap] ldap_release_conn: Release Id: 0
Thu Aug 18 12:01:29 2016 : Debug: rlm_ldap::ldap_groupcmp: Group Management
not found or user is not a member.
Thu Aug 18 12:01:29 2016 : Info: ? Evaluating (Ldap-Group == "Management")
-> FALSE
Thu Aug 18 12:01:29 2016 : Info: ++? if (Ldap-Group == "Management") ->
FALSE
Thu Aug 18 12:01:29 2016 : Info: ++? elsif (Ldap-Group == "Formators")
Thu Aug 18 12:01:29 2016 : Debug: [ldap] Entering ldap_groupcmp()
Thu Aug 18 12:01:29 2016 : Info: expand:
ou=SeminaryOU,dc=seminary,dc=local -> ou=SeminaryOU,dc=seminary,dc=local
Thu Aug 18 12:01:29 2016 : Info: expand:
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
->
(|(&(objectClass=GroupOfNames)(member=cn\3dttester\2ccn\3dSeminaryAdmin\2cou\3dSeminaryOU\2cdc\3dseminary\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dttester\2ccn\3dSeminaryAdmin\2cou\3dSeminaryOU\2cdc\3dseminary\2cdc\3dlocal)))
Thu Aug 18 12:01:29 2016 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Thu Aug 18 12:01:29 2016 : Debug: [ldap] ldap_get_conn: Got Id: 0
Thu Aug 18 12:01:29 2016 : Debug: [ldap] performing search in
ou=SeminaryOU,dc=seminary,dc=local, with filter
(&(cn=Formators)(|(&(objectClass=GroupOfNames)(member=cn\3dttester\2ccn\3dSeminaryAdmin\2cou\3dSeminaryOU\2cdc\3dseminary\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dttester\2ccn\3dSeminaryAdmin\2cou\3dSeminaryOU\2cdc\3dseminary\2cdc\3dlocal))))
Thu Aug 18 12:01:29 2016 : Debug: [ldap] object not found
Thu Aug 18 12:01:29 2016 : Debug: [ldap] ldap_release_conn: Release Id: 0
Thu Aug 18 12:01:29 2016 : Debug: rlm_ldap::ldap_groupcmp: Group Formators
not found or user is not a member.
Thu Aug 18 12:01:29 2016 : Info: ? Evaluating (Ldap-Group == "Formators")
-> FALSE
Thu Aug 18 12:01:29 2016 : Info: ++? elsif (Ldap-Group == "Formators") ->
FALSE
Thu Aug 18 12:01:29 2016 : Info: ++? elsif (Ldap-Group == "Seminarians")
Thu Aug 18 12:01:29 2016 : Debug: [ldap] Entering ldap_groupcmp()
Thu Aug 18 12:01:29 2016 : Info: expand:
ou=SeminaryOU,dc=seminary,dc=local -> ou=SeminaryOU,dc=seminary,dc=local
Thu Aug 18 12:01:29 2016 : Info: expand:
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
->
(|(&(objectClass=GroupOfNames)(member=cn\3dttester\2ccn\3dSeminaryAdmin\2cou\3dSeminaryOU\2cdc\3dseminary\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dttester\2ccn\3dSeminaryAdmin\2cou\3dSeminaryOU\2cdc\3dseminary\2cdc\3dlocal)))
Thu Aug 18 12:01:29 2016 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Thu Aug 18 12:01:29 2016 : Debug: [ldap] ldap_get_conn: Got Id: 0
Thu Aug 18 12:01:29 2016 : Debug: [ldap] performing search in
ou=SeminaryOU,dc=seminary,dc=local, with filter
(&(cn=Seminarians)(|(&(objectClass=GroupOfNames)(member=cn\3dttester\2ccn\3dSeminaryAdmin\2cou\3dSeminaryOU\2cdc\3dseminary\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dttester\2ccn\3dSeminaryAdmin\2cou\3dSeminaryOU\2cdc\3dseminary\2cdc\3dlocal))))
Thu Aug 18 12:01:29 2016 : Debug: [ldap] object not found
Thu Aug 18 12:01:29 2016 : Debug: [ldap] ldap_release_conn: Release Id: 0
Thu Aug 18 12:01:29 2016 : Debug: rlm_ldap::ldap_groupcmp: Group
Seminarians not found or user is not a member.
Thu Aug 18 12:01:29 2016 : Info: ? Evaluating (Ldap-Group == "Seminarians")
-> FALSE
Thu Aug 18 12:01:29 2016 : Info: ++? elsif (Ldap-Group == "Seminarians") ->
FALSE
Thu Aug 18 12:01:29 2016 : Info: ++? elsif (Ldap-Group == "SeminaryAdmin")
Thu Aug 18 12:01:29 2016 : Debug: [ldap] Entering ldap_groupcmp()
Thu Aug 18 12:01:29 2016 : Info: expand:
ou=SeminaryOU,dc=seminary,dc=local -> ou=SeminaryOU,dc=seminary,dc=local
Thu Aug 18 12:01:29 2016 : Info: expand:
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
->
(|(&(objectClass=GroupOfNames)(member=cn\3dttester\2ccn\3dSeminaryAdmin\2cou\3dSeminaryOU\2cdc\3dseminary\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dttester\2ccn\3dSeminaryAdmin\2cou\3dSeminaryOU\2cdc\3dseminary\2cdc\3dlocal)))
Thu Aug 18 12:01:29 2016 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Thu Aug 18 12:01:29 2016 : Debug: [ldap] ldap_get_conn: Got Id: 0
Thu Aug 18 12:01:29 2016 : Debug: [ldap] performing search in
ou=SeminaryOU,dc=seminary,dc=local, with filter
(&(cn=SeminaryAdmin)(|(&(objectClass=GroupOfNames)(member=cn\3dttester\2ccn\3dSeminaryAdmin\2cou\3dSeminaryOU\2cdc\3dseminary\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dttester\2ccn\3dSeminaryAdmin\2cou\3dSeminaryOU\2cdc\3dseminary\2cdc\3dlocal))))
Thu Aug 18 12:01:29 2016 : Debug: [ldap] object not found
Thu Aug 18 12:01:29 2016 : Debug: [ldap] ldap_release_conn: Release Id: 0
Thu Aug 18 12:01:29 2016 : Debug: rlm_ldap::ldap_groupcmp: Group
SeminaryAdmin not found or user is not a member.
Thu Aug 18 12:01:29 2016 : Info: ? Evaluating (Ldap-Group ==
"SeminaryAdmin") -> FALSE
Thu Aug 18 12:01:29 2016 : Info: ++? elsif (Ldap-Group == "SeminaryAdmin")
-> FALSE
Thu Aug 18 12:01:29 2016 : Info: ++? elsif (Ldap-Group == "Staff")
Thu Aug 18 12:01:29 2016 : Debug: [ldap] Entering ldap_groupcmp()
Thu Aug 18 12:01:29 2016 : Info: expand:
ou=SeminaryOU,dc=seminary,dc=local -> ou=SeminaryOU,dc=seminary,dc=local
Thu Aug 18 12:01:29 2016 : Info: expand:
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
->
(|(&(objectClass=GroupOfNames)(member=cn\3dttester\2ccn\3dSeminaryAdmin\2cou\3dSeminaryOU\2cdc\3dseminary\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dttester\2ccn\3dSeminaryAdmin\2cou\3dSeminaryOU\2cdc\3dseminary\2cdc\3dlocal)))
Thu Aug 18 12:01:29 2016 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Thu Aug 18 12:01:29 2016 : Debug: [ldap] ldap_get_conn: Got Id: 0
Thu Aug 18 12:01:29 2016 : Debug: [ldap] performing search in
ou=SeminaryOU,dc=seminary,dc=local, with filter
(&(cn=Staff)(|(&(objectClass=GroupOfNames)(member=cn\3dttester\2ccn\3dSeminaryAdmin\2cou\3dSeminaryOU\2cdc\3dseminary\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dttester\2ccn\3dSeminaryAdmin\2cou\3dSeminaryOU\2cdc\3dseminary\2cdc\3dlocal))))
Thu Aug 18 12:01:29 2016 : Debug: [ldap] object not found
Thu Aug 18 12:01:29 2016 : Debug: [ldap] ldap_release_conn: Release Id: 0
Thu Aug 18 12:01:29 2016 : Debug: rlm_ldap::ldap_groupcmp: Group Staff not
found or user is not a member.
Thu Aug 18 12:01:29 2016 : Info: ? Evaluating (Ldap-Group == "Staff") ->
FALSE
Thu Aug 18 12:01:29 2016 : Info: ++? elsif (Ldap-Group == "Staff") -> FALSE
Thu Aug 18 12:01:29 2016 : Info: ++? elsif (Ldap-Group == "Guests")
Thu Aug 18 12:01:29 2016 : Debug: [ldap] Entering ldap_groupcmp()
Thu Aug 18 12:01:29 2016 : Info: expand:
ou=SeminaryOU,dc=seminary,dc=local -> ou=SeminaryOU,dc=seminary,dc=local
Thu Aug 18 12:01:29 2016 : Info: expand:
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
->
(|(&(objectClass=GroupOfNames)(member=cn\3dttester\2ccn\3dSeminaryAdmin\2cou\3dSeminaryOU\2cdc\3dseminary\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dttester\2ccn\3dSeminaryAdmin\2cou\3dSeminaryOU\2cdc\3dseminary\2cdc\3dlocal)))
Thu Aug 18 12:01:29 2016 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Thu Aug 18 12:01:29 2016 : Debug: [ldap] ldap_get_conn: Got Id: 0
Thu Aug 18 12:01:29 2016 : Debug: [ldap] performing search in
ou=SeminaryOU,dc=seminary,dc=local, with filter
(&(cn=Guests)(|(&(objectClass=GroupOfNames)(member=cn\3dttester\2ccn\3dSeminaryAdmin\2cou\3dSeminaryOU\2cdc\3dseminary\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dttester\2ccn\3dSeminaryAdmin\2cou\3dSeminaryOU\2cdc\3dseminary\2cdc\3dlocal))))
Thu Aug 18 12:01:29 2016 : Debug: [ldap] object not found
Thu Aug 18 12:01:29 2016 : Debug: [ldap] ldap_release_conn: Release Id: 0
Thu Aug 18 12:01:29 2016 : Debug: rlm_ldap::ldap_groupcmp: Group Guests not
found or user is not a member.
Thu Aug 18 12:01:29 2016 : Info: ? Evaluating (Ldap-Group == "Guests") ->
FALSE
Thu Aug 18 12:01:29 2016 : Info: ++? elsif (Ldap-Group == "Guests") -> FALSE
Thu Aug 18 12:01:29 2016 : Info: ++else else {
Thu Aug 18 12:01:29 2016 : Info: +++[reject] = reject
Thu Aug 18 12:01:29 2016 : Info: ++} # else else = reject
Thu Aug 18 12:01:29 2016 : Info: +} # group post-auth = reject
Thu Aug 18 12:01:29 2016 : Info: Using Post-Auth-Type Reject
Thu Aug 18 12:01:29 2016 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Thu Aug 18 12:01:29 2016 : Info: +group REJECT {
Thu Aug 18 12:01:29 2016 : Info: [eap] Request didn't contain an
EAP-Message, not inserting EAP-Failure
Thu Aug 18 12:01:29 2016 : Info: ++[eap] = noop
Thu Aug 18 12:01:29 2016 : Info: [attr_filter.access_reject] expand:
%{User-Name} -> ttester
Thu Aug 18 12:01:29 2016 : Debug: attr_filter: Matched entry DEFAULT at
line 11
Thu Aug 18 12:01:29 2016 : Info: ++[attr_filter.access_reject] = updated
Thu Aug 18 12:01:29 2016 : Info: +} # group REJECT = updated
Thu Aug 18 12:01:29 2016 : Info: Delaying reject of request 0 for 1 seconds
Thu Aug 18 12:01:29 2016 : Debug: Going to the next request
Thu Aug 18 12:01:29 2016 : Debug: Waking up in 0.9 seconds.
Thu Aug 18 12:01:30 2016 : Info: Sending delayed reject for request 0
Sending Access-Reject of id 199 to 127.0.0.1 port 35174
Thu Aug 18 12:01:30 2016 : Debug: Waking up in 4.9 seconds.
Thu Aug 18 12:01:35 2016 : Info: Cleaning up request 0 ID 199 with
timestamp +5
Thu Aug 18 12:01:35 2016 : Info: Ready to process requests.
Matthew Pulis
web: www.matthewpulis.info
mob: +356 79539404
On Thu, Aug 18, 2016 at 11:44 AM, Matthew Pulis <mpulis at gmail.com> wrote:
> Is this to what you are referring Alan please?
>
> DEFAULT Ldap-Group == "cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local"
>         Tunnel-Type = VLAN,
>         Tunnel-Medium-Type = IEEE-802,
>         Tunnel-Private-Group-Id = "12"
>         #Reply-Message = "You are Accepted"
>
>
> and this: in: /sites-enabled/default:
>
> But there is a bug in update-reply .. not sure why:
>
> Thu Aug 18 11:41:05 2016 : Error: /etc/freeradius/sites-enabled/default[465]:
> Failed to find "update-reply" in the "modules" section.
> Thu Aug 18 11:41:05 2016 : Error: /etc/freeradius/sites-enabled/default[465]:
> Failed to parse "update-reply" subsection.
> Thu Aug 18 11:41:05 2016 : Error: /etc/freeradius/sites-enabled/default[461]:
> Errors parsing post-auth section.
>
>
> post-auth {
>
>
> if (Ldap-Group == "Management") {
> update-reply {
> Tunnel-Type = VLAN,
> Tunnel-Medium-Type = 802,
> Tunnel-Private-Group-ID = 1
> }
> }
>
>
> elsif (Ldap-Group == "Formators") {
> update-reply {
> Tunnel-Type = VLAN,
> Tunnel-Medium-Type = 802,
> Tunnel-Private-Group-ID = 10
> }
> }
>
>
> elsif (Ldap-Group == "Seminarians") {
> update-reply {
> Tunnel-Type = VLAN,
> Tunnel-Medium-Type = 802,
> Tunnel-Private-Group-ID = 11
> }
> }
>
>
> elsif (Ldap-Group == "SeminaryAdmin") {
> update-reply {
> Tunnel-Type = VLAN,
> Tunnel-Medium-Type = 802,
> Tunnel-Private-Group-ID = 12
> }
> }
>
>
> elsif (Ldap-Group == "Staff") {
> update-reply {
> Tunnel-Type = VLAN,
> Tunnel-Medium-Type = 802,
> Tunnel-Private-Group-ID = 13
> }
> }
>
>
> elsif (Ldap-Group == "Guests") {
> update-reply {
> Tunnel-Type = VLAN,
> Tunnel-Medium-Type = 802,
> Tunnel-Private-Group-ID = 20
> }
> }
>
> else {
> reject
> }
>
>
>
>
>
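A corrected post-auth section for the configuration quoted above, as an added example that is neither the poster's nor the FreeRADIUS project's own file. It assumes the FreeRADIUS 2.x syntax the debug output indicates (unlang `update reply { }`, one attribute per line, no commas, `Tunnel-Medium-Type` spelled `IEEE-802` as in the dictionary) and reuses the group names and VLAN numbers from the quoted post. Note that the if/elsif chain itself is not what rejects ttester: the debug output shows every `Ldap-Group` comparison running the ldap module's group filter `(&(cn=<group>)(|(&(objectClass=GroupOfNames)(member=<user DN>))(&(objectClass=GroupOfUniqueNames)(uniquemember=<user DN>))))` under `ou=SeminaryOU,dc=seminary,dc=local` and getting `object not found`. The comparison can only succeed once an entry named `cn=Management` (and so on) of one of those two object classes, carrying the user's full DN as a `member` or `uniquemember` value, exists under that base DN (or the user entry lists the group in the attribute named by the module's `groupmembership_attribute`). ttester's own entry sits under `cn=SeminaryAdmin`, so that container is the user's parent in the tree, not a group the filter can match.

```unlang
# post-auth section of /etc/freeradius/sites-enabled/default (FreeRADIUS 2.x unlang).
# Added example; not the poster's or the FreeRADIUS project's configuration.
# Group names and VLAN numbers are taken from the quoted post.
post-auth {
    # Each Ldap-Group comparison issues one LDAP search with the module's
    # groupmembership_filter, so order the chain with the largest group first.
    if (Ldap-Group == "Management") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "1"
        }
    }
    elsif (Ldap-Group == "Formators") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "10"
        }
    }
    elsif (Ldap-Group == "Seminarians") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "11"
        }
    }
    elsif (Ldap-Group == "SeminaryAdmin") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "12"
        }
    }
    elsif (Ldap-Group == "Staff") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "13"
        }
    }
    elsif (Ldap-Group == "Guests") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "20"
        }
    }
    else {
        # Default deny: an authenticated user who is in none of the known
        # groups gets Access-Reject instead of a port with no VLAN assigned.
        reject
    }

    # Keep the stock handling for rejected requests, as seen in the debug
    # output ("+group REJECT"): strip the reply down to what an
    # Access-Reject may carry.
    Post-Auth-Type REJECT {
        eap
        attr_filter.access_reject
    }
}
```

Before restarting the server, confirm that the directory can answer the same question the module asks, for instance with `ldapsearch -x -H ldap://seminary.local -D cn=admin,dc=seminary,dc=local -W -b ou=SeminaryOU,dc=seminary,dc=local '(&(cn=Management)(|(member=cn=ttester,cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local)(uniquemember=cn=ttester,cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local)))'`; until that returns a group entry, every `Ldap-Group` comparison will keep evaluating to FALSE and the `else` branch will keep rejecting. The ldap module also accepts a full group DN on the right-hand side of `Ldap-Group ==` (as the quoted users-file entry does), in which case it searches that DN directly with the membership filter. One further point from the posted output: `radiusd -X` prints the bind credential (`bind as cn=admin,dc=seminary,dc=local/S3m1n4ry`) and the test user's password in clear, so both should be rotated after a debug capture has been shared.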