Error while authenticating users on Wifi.
Saurabh Lahoti
saurabh.astronomy at gmail.com
Fri May 25 07:48:11 CEST 2018
Dear Alan,
As per your recommendation, have configured ldap module for wifi, users to
be allowed through clients.conf & wifi virtual server.
While testing a user over wifi, authentication fails due to LDAP search
criteria missing into ldap server config.
Error:
rlm_ldap (ldapwifi): Waiting for bind result...
rlm_ldap (ldapwifi): Bind successful
(0) [ldapwifi] = ok
(0) if ((ok || updated) && User-Password) {
(0) if ((ok || updated) && User-Password) -> TRUE
(0) if ((ok || updated) && User-Password) {
(0) update {
(0) control:Auth-Type := LDAP
(0) } # update = noop
(0) } # if ((ok || updated) && User-Password) = noop
(0) } # elsif ( Airespace-Wlan-Id == 2 ) = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) } # authorize = ok
(0) Found Auth-Type = LDAP
(0) # Executing group from file
/usr/app/radius-new2/prod-corp-internal/etc/raddb/sites-enabled/wifi
(0) Auth-Type LDAP {
rlm_ldap (ldapwifi): Reserved connection (1)
(0) ldapwifi: Login attempt by "u5496622"
(0) ldapwifi: Using user DN from request
"uid=u5496622,ou=Wifiusers,ou=Partners,o=mydomain.com"
(0) ldapwifi: Waiting for bind result...
(0) ldapwifi: Bind successful
(0) ldapwifi: Bind as user "uid=u5496622, ou=Wifiusers,ou=Partners,o=
mydomain.com" was successful
rlm_ldap (ldapwifi): Released connection (1)
(0) [ldapwifi] = ok
(0) } # Auth-Type LDAP = ok
(0) # Executing section post-auth from file
/usr/app/radius-new2/prod-corp-internal/etc/raddb/sites-enabled/wifi
(0) post-auth {
(0) if ( Airespace-Wlan-Id == 2 ) {
(0) if ( Airespace-Wlan-Id == 2 ) -> TRUE
(0) if ( Airespace-Wlan-Id == 2 ) {
(0) if ( "%{control:LDAP-UserDN}" =~ /ou=guest,ou=wifi,o=mydomain.com$/i
) {
(0) EXPAND %{control:LDAP-UserDN}
(0) --> uid=u5496622,ou=Wifiusers,ou=Partners,o=mydomain.com
(0) if ( "%{control:LDAP-UserDN}" =~ /ou=guest,ou=wifi,o= mydomain.com$/i
) -> FALSE
(0) elsif ( LDAP_Group == "cn=WiFiGuestPartners,ou=RADIUS
Groups,ou=Groups,ou=staff,o=mydomain.com" ) {
(0) elsif ( LDAP_Group == "cn=WiFiGuestPartners,ou=RADIUS
Groups,ou=Groups,ou=staff,o=mydomain.com" ) -> FALSE
(0) else {
(0) [reject] = reject
(0) } # else = reject
(0) } # if ( Airespace-Wlan-Id == 2 ) = reject
(0) } # post-auth = reject
(0) Using Post-Auth-Type Reject
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file
/usr/app/radius-new2/prod-corp-internal/etc/raddb/sites-enabled/wifi
(0) Rejected in post-auth: [u5496622] (from client WLC1 port 13 cli
00-28-f8-10-56-35)
(0) Login incorrect: [u5496622] (from client WLC1 port 13 cli
00-28-f8-10-56-35)
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 16 from 192.168.154.96:1812 to 172.18.40.40:32774
length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 16 with timestamp +27
For existing working access:
# Executing section post-auth from file
/usr/app/radius/prod-corp-internal//sites-enabled/wifi
+group post-auth {
++? if (Airespace-Wlan-Id == 2 )
? Evaluating (Airespace-Wlan-Id == 2 ) -> TRUE
++? if (Airespace-Wlan-Id == 2 ) -> TRUE
++if (Airespace-Wlan-Id == 2 ) {
+++? if ("%{control:LDAP-UserDN}" =~ /ou=guest,ou=wifi,o=mydomain.com$/i )
expand: %{control:LDAP-UserDN} -> uid=u5496622,# Executing section
post-auth from file /usr/app/radius/prod-corp-internal//sites-enabled/wifi
+group post-auth {
++? if (Airespace-Wlan-Id == 2 )
? Evaluating (Airespace-Wlan-Id == 2 ) -> TRUE
++? if (Airespace-Wlan-Id == 2 ) -> TRUE
++if (Airespace-Wlan-Id == 2 ) {
+++? if ("%{control:LDAP-UserDN}" =~ /ou=guest,ou=wifi,o=mydomain.com$/i )
expand: %{control:LDAP-UserDN} -> uid=u5496622,
ou=Wifiusers,ou=Partners,o=mydomain.com
? Evaluating ("%{control:LDAP-UserDN}" =~ /ou=guest,ou=wifi,o=mydomain.com$/i)
-> FALSE
+++? if ("%{control:LDAP-UserDN}" =~ /ou=guest,ou=wifi,o=mydomain.com$/i )
-> FALSE
+++? elsif (LDAP-Group == "cn=WiFiGuestPartners,ou=RADIUS
Groups,ou=Groups,ou=staff,o=mydomain.com" )
[ldapwifi2] Entering ldap_groupcmp()
expand: o=mydomain.com -> o=mydomain.com
expand:
(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})) ->
(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3du5496622\2cou\3dWifiusers\2cou\3dPartners\2co\
3dmydomain.com))
[ldapwifi2] ldap_get_conn: Checking Id: 0
[ldapwifi2] ldap_get_conn: Got Id: 0
[ldapwifi2] performing search in cn=WiFiGuestPartners,ou=RADIUS
Groups,ou=Groups,ou=staff,o=mydomain.com, with filter
(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3du5496622\2cou\3dWifiusers\2cou\3dPartners\2co\
3dmydomain.com))
rlm_ldap::ldap_groupcmp: User found in group cn=WiFiGuestPartners,ou=RADIUS
Groups,ou=Groups,ou=staff,o=mydomain.com
[ldapwifi2] ldap_release_conn: Release Id: 0
? Evaluating (LDAP-Group == "cn=WiFiGuestPartners,ou=RADIUS
Groups,ou=Groups,ou=staff,o= mydomain.com " ) -> TRUE
+++? elsif (LDAP-Group == "cn=WiFiGuestPartners,ou=RADIUS
Groups,ou=Groups,ou=staff,o= mydomain.com " ) -> TRUE
+++elsif (LDAP-Group == "cn=WiFiGuestPartners,ou=RADIUS
Groups,ou=Groups,ou=staff,o= mydomain.com " ) {
++++[noop] = noop
+++} # elsif (LDAP-Group == "cn=WiFiGuestPartners,ou=RADIUS
Groups,ou=Groups,ou=staff,o= mydomain.com " ) = noop
+++ ... skipping else for request 1: Preceding "if" was taken
++} # if (Airespace-Wlan-Id == 2 ) = noop
Existing version is 2.0.x & new version is 3.0.17. Could you please help us
with correct method to search LDAP directory from radius...?
----
*Thanks & Kind Regards,*
Saurabh LAHOTI.
More information about the Freeradius-Users
mailing list