Freeradius 3.0.12 not processing LDAP control/check items

Jan Baumann freeradius at cyberways.net
Fri Apr 13 22:31:46 CEST 2018


Good evening,

I have a well running freeradius 3.0.12 (Debian 9 package) with mysql und openldap backends.
Usernames are of course unique and exist either only in ldap or mysql.

Everything works for ldap and mysql users, except one thing:

If I add a check-item into mysql radcheck table it works as expected.
If I add the same item into openldap, it is not taken care of and access is always permitted if the item matches the request or not.
But... if I add a reply-item to openldap is is delivered as part of the radius access accept message.

debug output:

 (0) ldap: User object found at DN „uid=jbaumann,ou=people,dc=cyberways,dc=net"
 (0) ldap: Processing user attributes
 (0) ldap: control:Cleartext-Password := '12345'
 (0) ldap: Attribute "radiusExpiration" not found in LDAP object
 (0) ldap: control:NAS-Identifier := 'myWifiSSID'
 (0) ldap: Attribute "radiusSimultaneousUse" not found in LDAP object
 (0) ldap: Attribute "radiusReplyMessage" not found in LDAP object
 (0) ldap: Attribute "radiusTunnelType" not found in LDAP object
 (0) ldap: Attribute "radiusTunnelMediumType" not found in LDAP object
 (0) ldap: reply:Tunnel-Private-Group-ID := '1336'
 (0) ldap: Attribute "radiusControlAttribute" not found in LDAP object
 (0) ldap: Attribute "radiusRequestAttribute" not found in LDAP object
 (0) ldap: Attribute "radiusReplyAttribute" not found in LDAP object
 rlm_ldap (ldap): Released connection (1)

Radius pulls the NAS-Identifier control item from ldap correctly, but does not reject the request if it does not match.
For the cleartext password it works.
I don’t see any hints of processing NAS-Identifier in the debug output at all, regardless which operator (=, := or +=) I try.
It also pulls the Tunnel-Private-Group-ID reply item from ldap and successfully puts it into the reply message.
So my ldap users can successfully log in with PEAP, but into any wifi SSID. Mysql users are correctly rejected if the NAS-Identifier does not match.


config of ldap module:

 compare_check_items = yes
 update {
         control:Cleartext-Password      := 'userPassword'
         control:Expiration              := 'radiusExpiration'
         control:NAS-Identifier          := 'radiusNASIdentifier'
         control:Simultaneous-Use        := 'radiusSimultaneousUse'
         reply:Reply-Message             := 'radiusReplyMessage'
         reply:Tunnel-Type               := 'radiusTunnelType'
         reply:Tunnel-Medium-Type        := 'radiusTunnelMediumType'
         reply:Tunnel-Private-Group-ID   := 'radiusTunnelPrivategroupId'

         #  Where only a list is specified as the RADIUS attribute,
         #  the value of the LDAP attribute is parsed as a valuepair
         #  in the same format as the 'valuepair_attribute' (above).
         control:                        += 'radiusControlAttribute'
         request:                        += 'radiusRequestAttribute'
         reply:                          += 'radiusReplyAttribute'
 }


I am trying to fix this for the entire past week, so may I please ask the experts here.
How are ldap check items meant to be configured and work in freeradius 3? 

Special thanks!

Jan




More information about the Freeradius-Users mailing list