FreeRADIUS 3.0.12 + openLDAP + Apple access point?
Matthew Newton
mcn at freeradius.org
Thu Dec 7 12:16:33 CET 2017
On Thu, 2017-12-07 at 08:47 +0000, Tobias Balle-Petersen wrote:
> It seems like the problem is with my huntgroup.
Yes
> In users:
>
> This will allow me to log in from the access point:
> DEFAULT Ldap-Group == "wifi-cph"
>
> With this definition I am rejected:
> DEFAULT Ldap-Group == "wifi-cph", Huntgroup-Name == "accesspoints-lan"
You can see in the debug output that the user was found in one of the
LDAP searches, so the only logical conclusion here is that any other
checks with it are failing.
> The huntgroup from the huntgroups file
> # Group of accesspoint. Login from those, and you need
> # to be a member of the wifi-copenhagen group (LDAP)
> accesspoints-lan NAS-IP-Address == 172.22.33.11
> accesspoints-lan NAS-IP-Address == 172.22.33.22
> accesspoints-lan NAS-IP-Address == 172.22.33.30
> accesspoints-lan NAS-IP-Address == 172.22.33.33
> accesspoints-lan NAS-IP-Address == 172.22.33.34
>
> This is what I get when the access point connects:
> Thu Dec 7 09:28:15 2017 : Debug: (11) User-Name = "***"
> Thu Dec 7 09:28:15 2017 : Debug: (11) NAS-IP-Address = 172.22.33.33
>
> Maybe the NAS-IP-Address is not available in the inner tunnel?
The debug output shows you what attributes are available in the inner
tunnel...
You need to copy the attribute from the outer to the inner so that you
can use it. Either use the old (deprecated) method of setting
'copy_request_to_tunnel' in the eap configuration, or the current way
of just copying the attribute you need, so
update request {
        Huntgroup-Name := &outer.Huntgroup-Name
}
before calling 'files' in the inner tunnel should do it.
--
Matthew
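Putting that advice in context, as an added example that is not part of the thread: the authorize section of the inner-tunnel virtual server with the copy placed before "files", together with the huntgroups and users entries from the question. The NAS-IP-Address line is my addition, on the assumption that the huntgroup comparison reads that attribute from the request being checked (the quoted huntgroups file matches on NAS-IP-Address, and the inner request has no copy of it unless one is made). Paths and attribute names are the stock FreeRADIUS 3.0 ones; the IP addresses and group names are the poster's.

```unlang
# /etc/raddb/mods-config/preprocess/huntgroups
#
# Group of access points. Logins from these must also be members
# of the wifi-cph LDAP group (checked in the users file below).
accesspoints-lan NAS-IP-Address == 172.22.33.11
accesspoints-lan NAS-IP-Address == 172.22.33.22
accesspoints-lan NAS-IP-Address == 172.22.33.30
accesspoints-lan NAS-IP-Address == 172.22.33.33
accesspoints-lan NAS-IP-Address == 172.22.33.34

# /etc/raddb/mods-config/files/authorize  (the "users" file)
#
# Both check items must match: the LDAP group membership and the
# huntgroup of the NAS the request arrived from.
DEFAULT Ldap-Group == "wifi-cph", Huntgroup-Name == "accesspoints-lan"

# /etc/raddb/sites-enabled/inner-tunnel  (only the relevant part of authorize)
#
# The inner (PEAP/TTLS) request is built from the tunnelled EAP data, so
# attributes describing the NAS exist only on the outer request. Copy what
# the users-file checks need before "files" runs; "&outer." refers to the
# outer request's attribute list.
authorize {
        filter_username
        suffix
        eap {
                ok = return
        }

        # Copy from the outer request, as suggested in the reply above.
        update request {
                Huntgroup-Name := &outer.Huntgroup-Name
        }

        # Assumption (my addition): the huntgroup check compares the NAS
        # address on this request, so make it available here as well.
        update request {
                NAS-IP-Address := &outer.NAS-IP-Address
        }

        # Now the users file can evaluate both check items.
        files
        -ldap
        expiration
        logintime
        pap
}
```

Run the server with "radiusd -X" once more after the change: the inner-tunnel request in the debug output should now list the copied attribute(s), followed by "files" matching the DEFAULT entry instead of falling through to a reject.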