FreeRadius LDAP group verification
Stefan Sundberg
timewind at hotmail.com
Wed Dec 14 23:11:27 CET 2016
Hi
I am using FreeRadius 3 to authenticate Wifi users with WPA2 enterprise, which are then checked in an OpenLDAP directory. This is working fine as long as I accept that all users in base_dn = 'ou=People,dc=example,dc=se' can use the Wifi. To guard against this I have worked to implement LDAP Group checking in FreeRadius 3, and this seems not to be working. Even if I mess up the filter settings under the "Group" section in /usr/local/etc/raddb/mods-enabled/ldap, FreeRadius gladly accepts the user as long as the user/password is OK. The Group section does not seem to affect the process at all.
I am using FreeRadius 3.0.12 and OpenLDAP 2.4.44 which are running happily on FreeBSD 10.3 i386.
Best Regards Stefan Sundberg
User section of the FreeRadius ldap file:
user {
    # Where to start searching in the tree for users
    base_dn = 'ou=People,dc=example,dc=se'

    # Filter for user objects, should be specific enough
    # to identify a single user object.
    #
    # For Active Directory, you should use
    # "samaccountname=" instead of "uid="
    #
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
}
Group section of the FreeRadius ldap file:
group {
    # Where to start searching in the tree for groups
    base_dn = 'ou=Groups,dc=example,dc=se'

    # Filter for group objects, should match all available
    # group objects a user might be a member of.
    # Radius is an existing LDAP Group under 'ou=Groups,dc=example,dc=se'
    filter = '(cn=Radius)'

    # Attribute that uniquely identifies a group.
    # Is used when converting group DNs to group
    # names.
    name_attribute = cn

    # Filter to find group objects a user is a member of.
    # That is, group objects with attributes that
    # identify members (the inverse of membership_attribute).
    membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"

    # The attribute in user objects which contain the names
    # or DNs of groups a user is a member of.
    # Unless a conversion between group name and group DN is
    # needed, there's no requirement for the group objects
    # referenced to actually exist.
    membership_attribute = 'memberUid'
}
Debug print of radiusd -X:
(0) Received Access-Request Id 48 from 192.168.5.250:3759 to 192.168.5.249:1812 length 117
(0) User-Name = "myuser"
(0) Acct-Session-Id = "1481748386W82ujh"
(0) NAS-IP-Address = 127.0.0.1
(0) NAS-Identifier = "Localhost"
(0) NAS-Port = 0
(0) Calling-Station-Id = "1115551212"
(0) User-Password = "password"
(0) Message-Authenticator = 0x5e20b42290bb652cd15b5355b41d0b4d
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "myuser", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [files] = noop
rlm_ldap (ldap): Reserved connection (0)
(0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap: --> (uid=myuser)
(0) ldap: Performing search in "ou=People,dc=example,dc=se" with filter "(uid=myuser)", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: User object found at DN "uid=myuser,ou=People,dc=example,dc=se"
(0) ldap: Processing user attributes
(0) ldap: control:Password-With-Header += 'password'
rlm_ldap (ldap): Released connection (0)
rlm_ldap (ldap): Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldap://localhost:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0) [ldap] = updated
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password
(0) pap: Removing &control:Password-With-Header
(0) [pap] = updated
(0) } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known good" Cleartext-Password
(0) pap: User authenticated successfully
(0) [pap] = ok
(0) } # Auth-Type PAP = ok
(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(0) post-auth {
(0) update {
(0) No attributes updated
(0) } # update = noop
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # post-auth = noop
(0) Login OK: [myuser/password] (from client ts01 port 0 cli 1115551212)
(0) Sent Access-Accept Id 48 from 192.168.5.249:1812 to 192.168.5.250:3759 length 0
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 48 with timestamp +33
Ready to process requests
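Added example, not from the original post: the group section of mods-enabled/ldap only tells rlm_ldap how to resolve group membership; nothing is enforced until unlang compares the virtual Ldap-Group attribute, which is what triggers the membership lookup. This assumes the rlm_ldap instance is named "ldap" (otherwise the attribute is <instance>-Ldap-Group) and that the check is added to the authorize section of sites-enabled/default, right after the ldap module call shown in the debug output above.

```unlang
authorize {
    # ... filter_username, preprocess, chap, mschap, suffix, eap, files ...

    ldap

    # Only evaluate group membership when the user object was actually found
    # (rlm_ldap returns ok/updated in that case; see "[ldap] = updated" above).
    if (ok || updated) {
        # Comparing Ldap-Group is what makes rlm_ldap run the group section:
        # it applies membership_filter under the group base_dn (and, if set,
        # reads membership_attribute from the user object) for the DN it
        # stored in control:Ldap-UserDn. Without such a comparison the group
        # section is never consulted, so a valid password is always enough.
        if (!(Ldap-Group == "Radius")) {
            update reply {
                Reply-Message := "Not a member of the Radius group"
            }
            reject
        }
    }

    # ... expiration, logintime, pap ...
}
```

With this in place, radiusd -X shows rlm_ldap performing a second search under ou=Groups,dc=example,dc=se for each login, and a user who is not in cn=Radius receives Access-Reject even with a correct password.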