FreeRADIUS 3.0.12 + openLDAP + Apple access point?
Tobias Balle-Petersen
tobiasbp at gmail.com
Thu Dec 7 12:47:10 CET 2017
> The debug output shows you what attributes are available in the inner
> tunnel...
>
I'm looking here, but I can't see it.
Thu Dec 7 12:37:39 2017 : Debug: (10) Virtual server inner-tunnel received request
Thu Dec 7 12:37:39 2017 : Debug: (10) EAP-Message = 0x023000061a03
Thu Dec 7 12:37:39 2017 : Debug: (10) FreeRADIUS-Proxied-To = 127.0.0.1
Thu Dec 7 12:37:39 2017 : Debug: (10) User-Name = "bj"
Thu Dec 7 12:37:39 2017 : Debug: (10) State = 0x9aa53a9f9b95204846eab62797564f73
Thu Dec 7 12:37:39 2017 : WARNING: (10) Outer and inner identities are the same. User privacy is compromised.
Thu Dec 7 12:37:39 2017 : Debug: (10) server inner-tunnel {
Thu Dec 7 12:37:39 2017 : Debug: (10) session-state: No cached attributes
Thu Dec 7 12:37:39 2017 : Debug: (10) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
Thu Dec 7 12:37:39 2017 : Debug: (10) authorize {
Thu Dec 7 12:37:39 2017 : Debug: (10) policy filter_username {
Thu Dec 7 12:37:39 2017 : Debug: (10) if (&User-Name) {
Thu Dec 7 12:37:39 2017 : Debug: (10) if (&User-Name) -> TRUE
Thu Dec 7 12:37:39 2017 : Debug: (10) if (&User-Name) {
Thu Dec 7 12:37:39 2017 : Debug: (10) if (&User-Name =~ / /) {
Thu Dec 7 12:37:39 2017 : Debug: (10) if (&User-Name =~ / /) -> FALSE
Thu Dec 7 12:37:39 2017 : Debug: (10) if (&User-Name =~ /@[^@]*@/ ) {
Thu Dec 7 12:37:39 2017 : Debug: (10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
Thu Dec 7 12:37:39 2017 : Debug: (10) if (&User-Name =~ /\.\./ ) {
Or, maybe it's here, and only two attributes exist in the tunnel?
Thu Dec 7 12:37:39 2017 : Debug: (1) ldap: Waiting for search result...
Thu Dec 7 12:37:39 2017 : Debug: (1) ldap: User object found at DN "uid=bj,ou=people,l=copenhagen,c=dk,o=kontrapunkt,dc=examplet,dc=com"
Thu Dec 7 12:37:39 2017 : Debug: (1) ldap: Processing user attributes
Thu Dec 7 12:37:39 2017 : Debug: (1) ldap: control:Password-With-Header += '{CRYPT}****'
Thu Dec 7 12:37:39 2017 : Debug: (1) ldap: control:NT-Password := 0x****
> You need to copy the attribute from the outer to the inner so that you
> can use it. Either use the old (deprecated) method of setting
> 'copy_request_to_tunnel' in the eap configuration, or the current way
> of just copying the attribute you need
copy_request_to_tunnel = yes in the eap file did not solve the problem. I
had gotten that far by myself.
> update request {
> Huntgroup-Name := &outer.Huntgroup-Name
> }
>
> before calling 'files' in the inner tunnel should do it.
>
That worked. Thank you for taking the time to help me out!
I wonder why "copy_request_to_tunnel = yes" did not work? Is Huntgroup-Name
actually a part of the request, as it's not sent by the client?
Regards,
Tobias
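As an added illustration (not part of the thread, and not FreeRADIUS's shipped configuration) of the fix Alan describes: Huntgroup-Name is added to the outer request by the preprocess module from the huntgroups file, so it never exists inside the TLS tunnel until it is copied there, and the copy has to happen before 'files' runs in the inner-tunnel authorize section. The huntgroup name "apple-aps", the NAS address 192.0.2.10 and the LDAP group "wifi-apple" are constructed placeholders.

```unlang
# /usr/local/etc/raddb/mods-config/preprocess/huntgroups
# Constructed example: group the Apple access points so that 'preprocess'
# adds Huntgroup-Name = "apple-aps" to the OUTER request (placeholder NAS IP).
apple-aps       NAS-IP-Address == 192.0.2.10

# /usr/local/etc/raddb/sites-enabled/inner-tunnel  (authorize section, excerpt)
authorize {
        filter_username

        # Huntgroup-Name is never sent by the client; it is created in the
        # outer server by 'preprocess'. Copy it into the inner request so the
        # users file can see it. This block must come before 'files'.
        if (&outer.Huntgroup-Name) {
                update request {
                        &Huntgroup-Name := &outer.Huntgroup-Name
                }
        }

        files
        ldap
        # ... remaining modules (eap, pap, mschap, ...) unchanged
}

# /usr/local/etc/raddb/mods-config/files/authorize  (users file, excerpt)
# Constructed example: on the Apple access points only members of the LDAP
# group "wifi-apple" are allowed; the first matching entry wins, so members
# stop at the first DEFAULT and everyone else on those APs hits the reject.
DEFAULT Huntgroup-Name == "apple-aps", LDAP-Group == "wifi-apple"
        Fall-Through = No

DEFAULT Huntgroup-Name == "apple-aps", Auth-Type := Reject
        Reply-Message = "Not allowed on the Apple access points"
```

With the update block removed, the Huntgroup-Name check items in the users file simply never match inside the tunnel, which is the symptom in the debug output above.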