VLAN Post Auth

Richard Laing richard.laing at armourcomms.com
Thu Apr 20 19:04:54 CEST 2017


Hello and thank you to everyone that helped me with my issue.

I was able to get permissions working, as Alan kindly pointed out that the admin did not have permission to read the password. I did, however, manage to find a blog post by one of the developers of 389 Directory, which is the LDAP server for FreeIPA.

Please check this link https://firstyear.id.au/blog/html/2016/01/13/FreeRADIUS:_Using_mschapv2_with_freeipa.html

Thank you for the other advice; I will look into following up on those topics. I also got my version updated to 3.0.12. I am looking into the issues I had with x.13, however I feel that is a separate topic so I will not post that here.

Please consider this one solved. If I have any further issues I will open a new item and improve my posting. Thank you for the feedback.

On 19/04/17 17:07, Richard Laing wrote:

Hi Alan, thank you for taking a look at the output for me in the last
message.

1. I never said it doesn't work; I said there is no VLAN on application of more
than one group.

2. I will update to a newer version, as the standard one in the repos is
a little out of date.

3. You ignored the following output: if I use an incorrect password then
I get a fail. I am looking for the user to have its request authorized
and to have the VLAN assigned to that user correctly.

WARNING: pap : Authentication will fail unless a "known good" password
is available
(0)   [pap] = noop
(0)  } #  authorize = ok
(0) Found Auth-Type = LDAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)  Auth-Type LDAP {
(0)  ldap : Login attempt by "richardl"
rlm_ldap (ldap): Reserved connection (4)
(0)  ldap : Using user DN from request
"uid=richardl,cn=users,cn=compat,dc=acskype,dc=com"
(0)  ldap : Waiting for bind result...
(0)  ldap : Bind successful
(0)  ldap : Bind as user
"uid=richardl,cn=users,cn=compat,dc=acskype,dc=com" was successful
rlm_ldap (ldap): Released connection (4)
(0)   [ldap] = ok
(0)  } # Auth-Type LDAP = ok
(0) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(0)   post-auth {
(0)   [exec] = noop
(0)   remove_reply_message_if_eap remove_reply_message_if_eap {
(0)     if (&reply:EAP-Message && &reply:Reply-Message)
(0)     if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)    else else {
(0)     [noop] = noop
(0)    } # else else = noop
(0)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(0)  } #  post-auth = noop
(0) Sending Access-Accept packet to host 192.168.10.8 port 53461, id=114, length=0
Sending Access-Accept Id 114 from 192.168.10.2:1812 to 192.168.10.8:53461
(0) Finished request


Also, if I run radtest the user seems to work, just not the group
memberships:

radtest richardl 'Testing 101' ipa01.acskype.com 1812 testing101
Sending Access-Request Id 198 from 0.0.0.0:41248 to 192.168.10.2:1812
    User-Name = 'richardl'
    User-Password = 'Testing 101'
    NAS-IP-Address = 192.168.10.2
    NAS-Port = 1812
    Message-Authenticator = 0x00
Received Access-Accept Id 198 from 192.168.10.2:1812 to
192.168.10.2:41248 length 20

4. I will update to the latest version and hopefully have a follow-up
soon. I would be interested in hearing your ideas on the best method of
securing FreeRADIUS & LDAP together.



--
Richard Laing , Network Administrator


www.armourcomms.com <https://www.armourcomms.com/>




Armour Communications Limited
1st Floor Millbank Tower, London, SW1P 4QP, United Kingdom
E: richard.laing at armourcomms.com
T: +44 (0)203 637 3801 | M: +44 (0)758 423 6423
Regd. in England and Wales No. 09322680. Reg. Office 1st Floor, Millbank Tower, London, SW1P 4QP, England
NOTICE: If you are not the intended recipient of this transmission, any disclosure, copying, distribution or other use of any of the information in this transmission is strictly prohibited. If you have received this transmission in error, please notify me immediately by reply email or by calling the phone numbers above.
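The debug trace quoted in the earlier message shows post-auth returning noop and an Access-Accept with no attributes at all (length=0 in the trace; the 20-byte reply radtest receives is a bare RADIUS header). The Access-Accept is sent because the LDAP bind succeeded, but nothing ever adds Tunnel-* attributes to the reply, so the switch has no VLAN to apply. The following FreeRADIUS 3.0.x configuration, added here as an example and not taken from the original thread or from the linked FreeIPA blog post, maps LDAP group membership to a VLAN in post-auth. The suffix dc=example,dc=com, the group names netadmins and staff, and the VLAN IDs 10 and 20 are assumptions for illustration; the module options and attribute names are the ones shipped in 3.0.x (mods-available/ldap and the default dictionaries).

```unlang
# mods-available/ldap (excerpt, assumed names): teach rlm_ldap how to resolve
# group membership. FreeIPA keeps real user and group entries under
# cn=accounts,<suffix> and populates memberOf on users; the cn=compat tree seen
# in the quoted log is a generated read-only view and is not used here.
ldap {
    server = 'ldaps://ipa01.example.com'
    user {
        base_dn = "cn=users,cn=accounts,dc=example,dc=com"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    group {
        base_dn = "cn=groups,cn=accounts,dc=example,dc=com"
        filter = "(objectClass=groupOfNames)"
        # Value compared against LDAP-Group when a plain name (not a DN) is given.
        name_attribute = cn
        # Prefer the memberOf attribute on the user entry; fall back to a
        # search on the group entries if it is absent.
        membership_attribute = "memberOf"
        membership_filter = "(member=%{control:Ldap-UserDn})"
        cacheable_name = "no"
        cacheable_dn = "no"
    }
}

# sites-enabled/default, post-auth section: group-to-VLAN mapping.
# Comparing LDAP-Group triggers an rlm_ldap membership lookup; the first
# matching branch wins, so order the mappings from most to least privileged
# for users who are members of more than one group.
post-auth {
    if (LDAP-Group == "netadmins") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "10"
        }
    }
    elsif (LDAP-Group == "staff") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "20"
        }
    }
    else {
        # Fail closed: a user who is in no mapped group is rejected instead of
        # being accepted with no VLAN and landing in the switch's default VLAN.
        # In 3.0.x a reject from post-auth turns the reply into an Access-Reject.
        reject
    }
}
```

The `:=` operator replaces any Tunnel-* attributes an earlier module may already have put in the reply, so the VLAN is decided only by this mapping. After the change, the debug trace should show the three Tunnel-* attributes listed under the Access-Accept and the radtest reply length should be larger than 20; if it still reads 20, the LDAP-Group comparison is not matching and the group base_dn, name_attribute or membership_attribute is the first thing to check. Note that radtest sends the password as PAP, so it should only be used over a trusted network or against a test instance.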