Freeradius + Ldap - Authorise OK but NO dynamic VLANs
Matthew Pulis
mpulis at gmail.com
Fri Aug 19 11:08:52 CEST 2016
Hi all again,

Thanks for your patience and help. A few more improvements, yet I'm still stuck :(
This is /etc/freeradius/sites-default/inner-tunnel: (the section post_auth)
    if (Ldap-Group == "SeminaryAdmin") {
        update reply {
            Tunnel-Type := "VLAN",
            Tunnel-Medium-Type := "802",
            Tunnel-Private-Group-ID := "12"
        }
    }
I tried Ldap-Group == SeminaryAdmin / "SeminaryAdmin" / "cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local" but none of the 3 options worked.

Can you please suggest further, this is really mind-boggling!! :(
This is the debug log:
Fri Aug 19 11:01:56 2016 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Fri Aug 19 11:01:56 2016 : Info: +group authorize {
Fri Aug 19 11:01:56 2016 : Info: ++[preprocess] = ok
Fri Aug 19 11:01:56 2016 : Info: ++[chap] = noop
Fri Aug 19 11:01:56 2016 : Info: ++[mschap] = noop
Fri Aug 19 11:01:56 2016 : Info: ++[digest] = noop
Fri Aug 19 11:01:56 2016 : Info: [suffix] No '@' in User-Name = "ttester", looking up realm NULL
Fri Aug 19 11:01:56 2016 : Info: [suffix] No such realm "NULL"
Fri Aug 19 11:01:56 2016 : Info: ++[suffix] = noop
Fri Aug 19 11:01:56 2016 : Info: [eap] No EAP-Message, not doing EAP
Fri Aug 19 11:01:56 2016 : Info: ++[eap] = noop
Fri Aug 19 11:01:56 2016 : Info: ++[files] = noop
Fri Aug 19 11:01:56 2016 : Info: [ldap] performing user authorization for ttester
Fri Aug 19 11:01:56 2016 : Info: [ldap] expand: %{Stripped-User-Name} ->
Fri Aug 19 11:01:56 2016 : Info: [ldap] ... expanding second conditional
Fri Aug 19 11:01:56 2016 : Info: [ldap] expand: %{User-Name} -> ttester
Fri Aug 19 11:01:56 2016 : Info: [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=ttester)
Fri Aug 19 11:01:56 2016 : Info: [ldap] expand: ou=SeminaryOU,dc=seminary,dc=local -> ou=SeminaryOU,dc=seminary,dc=local
Fri Aug 19 11:01:56 2016 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Fri Aug 19 11:01:56 2016 : Debug: [ldap] ldap_get_conn: Got Id: 0
Fri Aug 19 11:01:56 2016 : Debug: [ldap] attempting LDAP reconnection
Fri Aug 19 11:01:56 2016 : Debug: [ldap] (re)connect to seminary.local:389, authentication 0
Fri Aug 19 11:01:56 2016 : Debug: [ldap] bind as cn=admin,dc=seminary,dc=local/S3m1n4ry to seminary.local:389
Fri Aug 19 11:01:56 2016 : Debug: [ldap] waiting for bind result ...
Fri Aug 19 11:01:56 2016 : Debug: [ldap] Bind was successful
Fri Aug 19 11:01:56 2016 : Debug: [ldap] performing search in ou=SeminaryOU,dc=seminary,dc=local, with filter (uid=ttester)
Fri Aug 19 11:01:56 2016 : Info: [ldap] No default NMAS login sequence
Fri Aug 19 11:01:56 2016 : Info: [ldap] looking for check items in directory...
Fri Aug 19 11:01:56 2016 : Debug: [ldap] userPassword -> Password-With-Header == "{SSHA}T4sU9zSLN/Auop+ImthH4nLyLG/rPU0R"
Fri Aug 19 11:01:56 2016 : Info: [ldap] looking for reply items in directory...
Fri Aug 19 11:01:56 2016 : Debug: [ldap] ldap_release_conn: Release Id: 0
Fri Aug 19 11:01:56 2016 : Info: ++[ldap] = ok
Fri Aug 19 11:01:56 2016 : Info: ++[expiration] = noop
Fri Aug 19 11:01:56 2016 : Info: ++[logintime] = noop
Fri Aug 19 11:01:56 2016 : Info: ++[pap] = updated
Fri Aug 19 11:01:56 2016 : Info: +} # group authorize = updated
Fri Aug 19 11:01:56 2016 : Info: Found Auth-Type = PAP
Fri Aug 19 11:01:56 2016 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Fri Aug 19 11:01:56 2016 : Info: +group PAP {
Fri Aug 19 11:01:56 2016 : Info: [pap] login attempt with password "openldap"
Fri Aug 19 11:01:56 2016 : Info: [pap] Using SSHA encryption.
Fri Aug 19 11:01:56 2016 : Info: [pap] Normalizing SSHA1-Password from base64 encoding
Fri Aug 19 11:01:56 2016 : Info: [pap] User authenticated successfully
Fri Aug 19 11:01:56 2016 : Info: ++[pap] = ok
Fri Aug 19 11:01:56 2016 : Info: +} # group PAP = ok
Fri Aug 19 11:01:56 2016 : Info: # Executing section post-auth from file /etc/freeradius/sites-enabled/default
Fri Aug 19 11:01:56 2016 : Info: +group post-auth {
Fri Aug 19 11:01:56 2016 : Info: ++? if (Ldap-Group == SeminaryAdmin)
Fri Aug 19 11:01:56 2016 : Debug: [ldap] Entering ldap_groupcmp()
Fri Aug 19 11:01:56 2016 : Info: expand: ou=SeminaryOU,dc=seminary,dc=local -> ou=SeminaryOU,dc=seminary,dc=local
Fri Aug 19 11:01:56 2016 : Info: expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=cn\3dttester\2ccn\3dSeminaryAdmin\2cou\3dSeminaryOU\2cdc\3dseminary\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dttester\2ccn\3dSeminaryAdmin\2cou\3dSeminaryOU\2cdc\3dseminary\2cdc\3dlocal)))
Fri Aug 19 11:01:56 2016 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Fri Aug 19 11:01:56 2016 : Debug: [ldap] ldap_get_conn: Got Id: 0
Fri Aug 19 11:01:56 2016 : Debug: [ldap] performing search in ou=SeminaryOU,dc=seminary,dc=local, with filter (&(cn=SeminaryAdmin)(|(&(objectClass=GroupOfNames)(member=cn\3dttester\2ccn\3dSeminaryAdmin\2cou\3dSeminaryOU\2cdc\3dseminary\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dttester\2ccn\3dSeminaryAdmin\2cou\3dSeminaryOU\2cdc\3dseminary\2cdc\3dlocal))))
Fri Aug 19 11:01:56 2016 : Debug: [ldap] object not found
Fri Aug 19 11:01:56 2016 : Debug: [ldap] ldap_release_conn: Release Id: 0
Fri Aug 19 11:01:56 2016 : Debug: rlm_ldap::ldap_groupcmp: Group SeminaryAdmin not found or user is not a member.
Fri Aug 19 11:01:56 2016 : Info: ? Evaluating (Ldap-Group == SeminaryAdmin) -> FALSE
Fri Aug 19 11:01:56 2016 : Info: ++? if (Ldap-Group == SeminaryAdmin) -> FALSE
Fri Aug 19 11:01:56 2016 : Info: ++else else {
Fri Aug 19 11:01:56 2016 : Info: +++[reject] = reject
Fri Aug 19 11:01:56 2016 : Info: ++} # else else = reject
Fri Aug 19 11:01:56 2016 : Info: +} # group post-auth = reject
Fri Aug 19 11:01:56 2016 : Info: Using Post-Auth-Type Reject
Fri Aug 19 11:01:56 2016 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Fri Aug 19 11:01:56 2016 : Info: +group REJECT {
Fri Aug 19 11:01:56 2016 : Info: [eap] Request didn't contain an EAP-Message, not inserting EAP-Failure
Fri Aug 19 11:01:56 2016 : Info: ++[eap] = noop
Fri Aug 19 11:01:56 2016 : Info: [attr_filter.access_reject] expand: %{User-Name} -> ttester
Fri Aug 19 11:01:56 2016 : Debug: attr_filter: Matched entry DEFAULT at line 11
Fri Aug 19 11:01:56 2016 : Info: ++[attr_filter.access_reject] = updated
Fri Aug 19 11:01:56 2016 : Info: +} # group REJECT = updated
Fri Aug 19 11:01:56 2016 : Info: Delaying reject of request 0 for 1 seconds
Fri Aug 19 11:01:56 2016 : Debug: Going to the next request
Fri Aug 19 11:01:56 2016 : Debug: Waking up in 0.9 seconds.
Fri Aug 19 11:01:57 2016 : Info: Sending delayed reject for request 0
Sending Access-Reject of id 4 to 127.0.0.1 port 49728
Fri Aug 19 11:01:57 2016 : Debug: Waking up in 4.9 seconds.
Fri Aug 19 11:02:02 2016 : Info: Cleaning up request 0 ID 4 with timestamp +3
Fri Aug 19 11:02:02 2016 : Info: Ready to process requests.
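The debug output above records exactly which LDAP search the `Ldap-Group` comparison ran and that it returned nothing. The script below is an added worked example, not part of the original post and not FreeRADIUS code: it parses the `ldap_groupcmp()` block of a FreeRADIUS 2.x debug log, decodes the RFC 4515 `\XX` escapes in the logged filter back into the user's DN, and reports why the condition evaluated FALSE. The function names and the embedded sample log (constructed from the lines posted above, joined onto single lines) are my own assumptions.

```python
"""Read the ldap_groupcmp() block of a FreeRADIUS 2.x debug log and explain
why an `Ldap-Group == <group>` condition evaluated FALSE.

Added example: the function names and the embedded sample log are
assumptions constructed for this illustration, not FreeRADIUS code."""
import re
from typing import Dict, List

# Constructed sample: the relevant lines from the list post, each joined
# onto a single line. The raw string keeps the \3d / \2c escapes literal.
SAMPLE_LOG = r"""
Fri Aug 19 11:01:56 2016 : Debug: [ldap] performing search in ou=SeminaryOU,dc=seminary,dc=local, with filter (uid=ttester)
Fri Aug 19 11:01:56 2016 : Info: ++[ldap] = ok
Fri Aug 19 11:01:56 2016 : Info: ++? if (Ldap-Group == SeminaryAdmin)
Fri Aug 19 11:01:56 2016 : Debug: [ldap] Entering ldap_groupcmp()
Fri Aug 19 11:01:56 2016 : Debug: [ldap] performing search in ou=SeminaryOU,dc=seminary,dc=local, with filter (&(cn=SeminaryAdmin)(|(&(objectClass=GroupOfNames)(member=cn\3dttester\2ccn\3dSeminaryAdmin\2cou\3dSeminaryOU\2cdc\3dseminary\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dttester\2ccn\3dSeminaryAdmin\2cou\3dSeminaryOU\2cdc\3dseminary\2cdc\3dlocal))))
Fri Aug 19 11:01:56 2016 : Debug: [ldap] object not found
Fri Aug 19 11:01:56 2016 : Debug: rlm_ldap::ldap_groupcmp: Group SeminaryAdmin not found or user is not a member.
Fri Aug 19 11:01:56 2016 : Info: ? Evaluating (Ldap-Group == SeminaryAdmin) -> FALSE
"""

GROUP_RE = re.compile(r'if \(Ldap-Group == "?([^")]+)"?\)')
SEARCH_RE = re.compile(r"performing search in (.+?), with filter (\(.*\))")
MEMBER_RE = re.compile(r"\(member=([^)]*)\)")   # "(uniquemember=" does not match


def unescape_filter_value(value: str) -> str:
    """Undo RFC 4515 escaping: each \\XX hex pair becomes the byte it encodes."""
    raw = re.sub(rb"\\([0-9A-Fa-f]{2})",
                 lambda m: bytes.fromhex(m.group(1).decode()),
                 value.encode("utf-8"))
    return raw.decode("utf-8")


def parse_groupcmp(log_text: str) -> Dict[str, object]:
    """Extract group name, search base, filter, decoded user DN and outcome
    from the ldap_groupcmp() block. The authorize-phase user search that
    precedes it is skipped so its base/filter are not picked up by mistake."""
    info: Dict[str, object] = {"group": None, "base_dn": None, "filter": None,
                               "user_dn": None, "found": None}
    in_groupcmp = False
    for line in log_text.strip().splitlines():
        m = GROUP_RE.search(line)
        if m:
            info["group"] = m.group(1)
        if "Entering ldap_groupcmp()" in line:
            in_groupcmp = True
            info["found"] = True        # success until a failure marker appears
            continue
        if not in_groupcmp:
            continue
        m = SEARCH_RE.search(line)
        if m and info["filter"] is None:
            info["base_dn"], info["filter"] = m.group(1), m.group(2)
            dn = MEMBER_RE.search(m.group(2))
            if dn:
                info["user_dn"] = unescape_filter_value(dn.group(1))
        if "object not found" in line or "not found or user is not a member" in line:
            info["found"] = False
    return info


def diagnose(info: Dict[str, object]) -> List[str]:
    """Turn the parsed block into plain-language findings."""
    if info["found"] is None:
        return ["no ldap_groupcmp() block in this log"]
    if info["found"]:
        return ["group compare succeeded"]
    group_dn = "cn=%s,%s" % (info["group"], info["base_dn"])
    findings = [
        "no entry under %s matched cn=%s with objectClass groupOfNames/"
        "groupOfUniqueNames whose member/uniqueMember equals %s"
        % (info["base_dn"], info["group"], info["user_dn"])
    ]
    # Hint from the decoded DN: the user entry sits beneath the group entry.
    # The logged filter only tests member/uniqueMember values, so DN nesting
    # alone is not membership as far as this check is concerned.
    if str(info["user_dn"]).lower().endswith("," + group_dn.lower()):
        findings.append(
            "user entry %s is a child of %s; the logged filter does not treat "
            "that as membership, only a member/uniqueMember value equal to the "
            "user DN" % (info["user_dn"], group_dn)
        )
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_groupcmp(SAMPLE_LOG)):
        print("-", finding)
```

Run against the full posted log the script yields the same two findings. The logged filter spells out what the directory must contain for the check to pass: an entry cn=SeminaryAdmin under the search base with objectClass groupOfNames (member) or groupOfUniqueNames (uniqueMember) listing the user's full DN, and "object not found" means no such entry exists. Separately, note that this debug output prints the LDAP bind DN together with its password in clear; scrub that line before sharing logs.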