Error while authenticating users on Wifi.

Saurabh Lahoti saurabh.astronomy at gmail.com
Fri May 25 07:48:11 CEST 2018


Dear Alan,

As per your recommendation, I have configured the ldap module for wifi, with users to
be allowed through clients.conf & the wifi virtual server.

While testing a user over wifi, authentication fails due to LDAP search
criteria missing from the ldap server config.

Error:
rlm_ldap (ldapwifi): Waiting for bind result...
rlm_ldap (ldapwifi): Bind successful
(0)       [ldapwifi] = ok
(0)       if ((ok || updated) && User-Password) {
(0)       if ((ok || updated) && User-Password)  -> TRUE
(0)       if ((ok || updated) && User-Password)  {
(0)         update {
(0)           control:Auth-Type := LDAP
(0)         } # update = noop
(0)       } # if ((ok || updated) && User-Password)  = noop
(0)     } # elsif ( Airespace-Wlan-Id == 2 )  = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = LDAP
(0) # Executing group from file
/usr/app/radius-new2/prod-corp-internal/etc/raddb/sites-enabled/wifi
(0)   Auth-Type LDAP {
rlm_ldap (ldapwifi): Reserved connection (1)
(0) ldapwifi: Login attempt by "u5496622"
(0) ldapwifi: Using user DN from request
"uid=u5496622,ou=Wifiusers,ou=Partners,o=mydomain.com"
(0) ldapwifi: Waiting for bind result...
(0) ldapwifi: Bind successful
(0) ldapwifi: Bind as user "uid=u5496622, ou=Wifiusers,ou=Partners,o=
mydomain.com" was successful
rlm_ldap (ldapwifi): Released connection (1)
(0)     [ldapwifi] = ok
(0)   } # Auth-Type LDAP = ok
(0) # Executing section post-auth from file
/usr/app/radius-new2/prod-corp-internal/etc/raddb/sites-enabled/wifi
(0)   post-auth {
(0)     if ( Airespace-Wlan-Id == 2 ) {
(0)     if ( Airespace-Wlan-Id == 2 )  -> TRUE
(0)     if ( Airespace-Wlan-Id == 2 )  {
(0)       if ( "%{control:LDAP-UserDN}" =~ /ou=guest,ou=wifi,o=mydomain.com$/i
) {
(0)       EXPAND %{control:LDAP-UserDN}
(0)          --> uid=u5496622,ou=Wifiusers,ou=Partners,o=mydomain.com
(0)       if ( "%{control:LDAP-UserDN}" =~ /ou=guest,ou=wifi,o= mydomain.com$/i
)  -> FALSE
(0)       elsif ( LDAP_Group == "cn=WiFiGuestPartners,ou=RADIUS
Groups,ou=Groups,ou=staff,o=mydomain.com" ) {
(0)       elsif ( LDAP_Group == "cn=WiFiGuestPartners,ou=RADIUS
Groups,ou=Groups,ou=staff,o=mydomain.com" )  -> FALSE
(0)       else {
(0)         [reject] = reject
(0)       } # else = reject
(0)     } # if ( Airespace-Wlan-Id == 2 )  = reject
(0)   } # post-auth = reject
(0) Using Post-Auth-Type Reject
(0) Post-Auth-Type sub-section not found.  Ignoring.
(0) # Executing group from file
/usr/app/radius-new2/prod-corp-internal/etc/raddb/sites-enabled/wifi
(0) Rejected in post-auth: [u5496622] (from client WLC1 port 13 cli
00-28-f8-10-56-35)
(0) Login incorrect: [u5496622] (from client WLC1 port 13 cli
00-28-f8-10-56-35)
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 16 from 192.168.154.96:1812 to 172.18.40.40:32774
length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 16 with timestamp +27


For existing working access:
# Executing section post-auth from file
/usr/app/radius/prod-corp-internal//sites-enabled/wifi
+group post-auth {
++? if (Airespace-Wlan-Id == 2 )
? Evaluating (Airespace-Wlan-Id == 2 ) -> TRUE
++? if (Airespace-Wlan-Id == 2 ) -> TRUE
++if (Airespace-Wlan-Id == 2 ) {
+++? if ("%{control:LDAP-UserDN}" =~ /ou=guest,ou=wifi,o=mydomain.com$/i )
        expand: %{control:LDAP-UserDN} -> uid=u5496622,
ou=Wifiusers,ou=Partners,o=mydomain.com
? Evaluating ("%{control:LDAP-UserDN}" =~ /ou=guest,ou=wifi,o=mydomain.com$/i)
-> FALSE
+++? if ("%{control:LDAP-UserDN}" =~ /ou=guest,ou=wifi,o=mydomain.com$/i )
-> FALSE
+++? elsif (LDAP-Group == "cn=WiFiGuestPartners,ou=RADIUS
Groups,ou=Groups,ou=staff,o=mydomain.com" )
  [ldapwifi2] Entering ldap_groupcmp()
        expand: o=mydomain.com -> o=mydomain.com
        expand:
(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})) ->
(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3du5496622\2cou\3dWifiusers\2cou\3dPartners\2co\
3dmydomain.com))
  [ldapwifi2] ldap_get_conn: Checking Id: 0
  [ldapwifi2] ldap_get_conn: Got Id: 0
  [ldapwifi2] performing search in cn=WiFiGuestPartners,ou=RADIUS
Groups,ou=Groups,ou=staff,o=mydomain.com, with filter
(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3du5496622\2cou\3dWifiusers\2cou\3dPartners\2co\
3dmydomain.com))
rlm_ldap::ldap_groupcmp: User found in group cn=WiFiGuestPartners,ou=RADIUS
Groups,ou=Groups,ou=staff,o=mydomain.com
  [ldapwifi2] ldap_release_conn: Release Id: 0
? Evaluating (LDAP-Group == "cn=WiFiGuestPartners,ou=RADIUS
Groups,ou=Groups,ou=staff,o= mydomain.com " ) -> TRUE
+++? elsif (LDAP-Group == "cn=WiFiGuestPartners,ou=RADIUS
Groups,ou=Groups,ou=staff,o= mydomain.com " ) -> TRUE
+++elsif (LDAP-Group == "cn=WiFiGuestPartners,ou=RADIUS
Groups,ou=Groups,ou=staff,o= mydomain.com " ) {
++++[noop] = noop
+++} # elsif (LDAP-Group == "cn=WiFiGuestPartners,ou=RADIUS
Groups,ou=Groups,ou=staff,o= mydomain.com " ) = noop
+++ ... skipping else for request 1: Preceding "if" was taken
++} # if (Airespace-Wlan-Id == 2 ) = noop

The existing version is 2.0.x & the new version is 3.0.17. Could you please help us
with the correct method to search the LDAP directory from radius...?

----

*Thanks & Kind Regards,*
Saurabh LAHOTI.
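As an added illustration (not from the original post or from FreeRADIUS itself), the group-membership filter that the 2.x debug output shows being expanded, `(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))`, is reproduced here in Python together with the escaping that turns `=` and `,` in the DN into `\3d` and `\2c`. The set of escaped characters beyond the RFC 4515 minimum and the constructed hostile sample value are assumptions of this example.

```python
from typing import List

# Filter template as expanded in the 2.x debug output; the value is the
# user's DN taken from control:Ldap-UserDn after the bind.
GROUP_FILTER_TEMPLATE = "(&(objectClass=GroupOfUniqueNames)(uniquemember={value}))"

# Characters hex-escaped before the DN is spliced into the filter.
# RFC 4515 requires ( ) * \ and NUL; the DN separators , + " < > ; = are
# escaped too, which is what the log shows ("uid\3du5496622\2cou\3d...").
# Escaping that wider set is this example's choice, not a documented rule.
_ESCAPE_CHARS = frozenset('()*\\\x00,+"<>;=')


def ldap_filter_escape(value: str) -> str:
    """Replace each metacharacter with its \\XX hex form (RFC 4515 style)."""
    return "".join(f"\\{ord(c):02x}" if c in _ESCAPE_CHARS else c for c in value)


def build_group_filter(user_dn: str) -> str:
    """Build the group-membership search filter for one user DN."""
    return GROUP_FILTER_TEMPLATE.format(value=ldap_filter_escape(user_dn))


def top_level_items(flt: str) -> List[str]:
    """Return the items directly under the outer (&...), treating \\XX escapes
    as opaque. A value spliced in unescaped can add an item to the AND; an
    escaped one always leaves exactly the two items of the template."""
    if not (flt.startswith("(&") and flt.endswith(")")):
        raise ValueError("not an AND filter")
    body = flt[2:-1]
    items, depth, start, i = [], 0, 0, 0
    while i < len(body):
        c = body[i]
        if c == "\\":
            i += 3                  # skip a \XX escape entirely
            continue
        if c == "(":
            if depth == 0:
                start = i
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                items.append(body[start:i + 1])
        i += 1
    return items


if __name__ == "__main__":
    # Constructed inputs: the DN from the log and a hostile value with filter syntax.
    for dn in ("uid=u5496622,ou=Wifiusers,ou=Partners,o=mydomain.com", "uid=x)(uid=*"):
        flt = build_group_filter(dn)
        print(flt, "items:", len(top_level_items(flt)))
```

Running it shows the escaped hostile DN still yields a two-item AND filter, whereas splicing it in unescaped would produce three.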

