FreeRadius 3 OpenLDAP and MAC based Auth

Fri Jan 4 08:35:01 CET 2019

Hi folks,
I have already a running environment with Freeradius2 + OpenLDAP to provide a simple NAC solution but now its time to setup a replacement with version 3.

So far everything is working but somehow the "authorize" of the client is not "processed". Compared with the version 2, I am missing the
rlm_ldap: radiusAuthType -> Auth-Type == Accept
along with the other attributes stored in the directory.
I do have a the dictionary_mapping file and the entries in the enabled ldap module. I am fighting the whole day with this issue but can't even find hint in he running environment.
The Laptop exists in the LDAP (bind ok, object can be found) and has the usual radius attributes like Tunnel-Private-Group-Id set as the LDAP database is restored from the running one.

With the following statement in default, I do get an "Accept", but still missing the required attributes like tunnel-type and all the others.

###
redundant_ldap{
ok = return
}

if (!ok) {
reject
}
else {
update control {
Auth-Type := Accept
}
}

radiusd -X
(1) Received Access-Request Id 186 from 192.168.0.7:3437 to 192.168.0.215:1812 length 240
(1) User-Name = "106530670342"
(1) User-Password = "106530670342"
(1) NAS-IP-Address = 192.168.0.7
(1) NAS-Identifier = "SWSG1AP1-7-v161121"
(1) NAS-Port = 16879715
(1) NAS-Port-Id = "slot=1;subslot=0;port=25;vlanid=99"
(1) NAS-Port-Type = Ethernet
(1) Service-Type = Call-Check
(1) Framed-Protocol = PPP
(1) Calling-Station-Id = "10-65-30-67-03-42"
(1) Acct-Session-Id = "10101121726a6010"
(1) Huawei-Connect-ID = 675841
(1) Huawei-Product-ID = "H3C S5120-52C-EI"
(1) Huawei-Startup-Stamp = 956750420
(1) Attr-26.43.230 = 0x4769676162697445746865726e6574312f302f3235
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) policy rewrite_calling_station_id {
(1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(1) update request {
(1) EXPAND %{toupper:%{1}%{2}%{3}%{4}%{5}%{6}}
(1) --> 106530670342
(1) &Calling-Station-Id := 106530670342
(1) } # update request = noop
(1) [updated] = updated
(1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(1) ... skipping else: Preceding "if" was taken
(1) } # policy rewrite_calling_station_id = updated
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "106530670342", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: No EAP-Message, not doing EAP
(1) [eap] = noop
(1) files: users: Matched entry DEFAULT at line 195
(1) [files] = ok
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(1) pap: WARNING: Authentication will fail unless a "known good" password is available
(1) [pap] = noop
(1) redundant redundant_ldap {
rlm_ldap (ldap1): Reserved connection (1)
(1) ldap1: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
(1) ldap1: --> (cn=106530670342)
(1) ldap1: Performing search in "dc=firma,dc=de" with filter "(cn=106530670342)", scope "sub"
(1) ldap1: Waiting for search result...
(1) ldap1: User object found at DN "cn=NBBZ1807-134,cn=4.notebooks,cn=172.17.0.0,cn=SUBNET,cn=DHCP Config,dc=firma,dc=de"
rlm_ldap (ldap1): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_ldap (ldap1): Opening additional connection (6), 1 of 26 pending slots used
rlm_ldap (ldap1): Connecting to ldap://radldap1-215:389
TLSMC: MozNSS compatibility interception begins.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
rlm_ldap (ldap1): Waiting for bind result...
rlm_ldap (ldap1): Bind successful
(1) [ldap1] = ok
(1) } # redundant redundant_ldap = ok
(1) } # authorize = ok
(1) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject: --> 106530670342
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1) [attr_filter.access_reject] = updated
(1) [eap] = noop
(1) policy remove_reply_message_if_eap {
(1) if (&reply:EAP-Message && &reply:Reply-Message) {
(1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(1) else {
(1) [noop] = noop
(1) } # else = noop
(1) } # policy remove_reply_message_if_eap = noop
(1) } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds