FreeRadius 3 OpenLDAP and MAC based Auth

Jürgen Northe jn at northe-online.de
Fri Jan 4 08:36:08 CET 2019


... and the output with the statement mentioned below:

Any help appreciated!!


Thank you in advance.
Jürgen


rlm_ldap (ldap1): Waiting for bind result...
rlm_ldap (ldap1): Bind successful
(0) [ldap1] = ok
(0) } # redundant redundant_ldap = ok
(0) if (!ok) {
(0) if (!ok) -> FALSE
(0) else {
(0) update control {
(0) Auth-Type := Accept
(0) } # update control = noop
(0) } # else = noop
(0) } # authorize = updated
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user
(0) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(0) post-auth {
(0) update {
(0) No attributes updated
(0) } # update = noop
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # post-auth = noop
(0) Sent Access-Accept Id 189 from 192.168.0.215:1812 to 192.168.0.7:3437 length 0
(0) Framed-Protocol = PPP
(0) Framed-Compression = Van-Jacobson-TCP-IP
(0) Finished request
Waking up in 4.9 seconds.


> Hi folks,
> I have already a running environment with Freeradius2 + OpenLDAP to provide a simple NAC solution but now it's time to set up a replacement with version 3.
>
> So far everything is working but somehow the "authorize" of the client is not "processed". Compared with version 2, I am missing the
> rlm_ldap: radiusAuthType -> Auth-Type == Accept
> along with the other attributes stored in the directory.
> I do have the dictionary_mapping file and the entries in the enabled ldap module. I am fighting the whole day with this issue but can't even find a hint in the running environment.
> The Laptop exists in the LDAP (bind ok, object can be found) and has the usual radius attributes like Tunnel-Private-Group-Id set as the LDAP database is restored from the running one.
>
> With the following statement in default, I do get an "Accept", but also without the required attributes.
> redundant_ldap {
>     ok = return
> }
>
> if (!ok) {
>     reject
> }
> else {
>     update control {
>         Auth-Type := Accept
>     }
> }
>
>
>
> radiusd -X
> (1) Received Access-Request Id 186 from 192.168.0.7:3437 to 192.168.0.215:1812 length 240
> (1) User-Name = "106530670342"
> (1) User-Password = "106530670342"
> (1) NAS-IP-Address = 192.168.0.7
> (1) NAS-Identifier = "SWSG1AP1-7-v161121"
> (1) NAS-Port = 16879715
> (1) NAS-Port-Id = "slot=1;subslot=0;port=25;vlanid=99"
> (1) NAS-Port-Type = Ethernet
> (1) Service-Type = Call-Check
> (1) Framed-Protocol = PPP
> (1) Calling-Station-Id = "10-65-30-67-03-42"
> (1) Acct-Session-Id = "10101121726a6010"
> (1) Huawei-Connect-ID = 675841
> (1) Huawei-Product-ID = "H3C S5120-52C-EI"
> (1) Huawei-Startup-Stamp = 956750420
> (1) Attr-26.43.230 = 0x4769676162697445746865726e6574312f302f3235
> (1) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (1) authorize {
> (1) policy filter_username {
> (1) if (&User-Name) {
> (1) if (&User-Name) -> TRUE
> (1) if (&User-Name) {
> (1) if (&User-Name =~ / /) {
> (1) if (&User-Name =~ / /) -> FALSE
> (1) if (&User-Name =~ /@[^@]*@/ ) {
> (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (1) if (&User-Name =~ /\.\./ ) {
> (1) if (&User-Name =~ /\.\./ ) -> FALSE
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
> (1) if (&User-Name =~ /\.$/) {
> (1) if (&User-Name =~ /\.$/) -> FALSE
> (1) if (&User-Name =~ /@\./) {
> (1) if (&User-Name =~ /@\./) -> FALSE
> (1) } # if (&User-Name) = notfound
> (1) } # policy filter_username = notfound
> (1) policy rewrite_calling_station_id {
> (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
> (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
> (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
> (1) update request {
> (1) EXPAND %{toupper:%{1}%{2}%{3}%{4}%{5}%{6}}
> (1) --> 106530670342
> (1) &Calling-Station-Id := 106530670342
> (1) } # update request = noop
> (1) [updated] = updated
> (1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
> (1) ... skipping else: Preceding "if" was taken
> (1) } # policy rewrite_calling_station_id = updated
> (1) [preprocess] = ok
> (1) [chap] = noop
> (1) [mschap] = noop
> (1) suffix: Checking for suffix after "@"
> (1) suffix: No '@' in User-Name = "106530670342", looking up realm NULL
> (1) suffix: No such realm "NULL"
> (1) [suffix] = noop
> (1) eap: No EAP-Message, not doing EAP
> (1) [eap] = noop
> (1) files: users: Matched entry DEFAULT at line 195
> (1) [files] = ok
> (1) [expiration] = noop
> (1) [logintime] = noop
> (1) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
> (1) pap: WARNING: Authentication will fail unless a "known good" password is available
> (1) [pap] = noop
> (1) redundant redundant_ldap {
> rlm_ldap (ldap1): Reserved connection (1)
> (1) ldap1: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
> (1) ldap1: --> (cn=106530670342)
> (1) ldap1: Performing search in "dc=firma,dc=de" with filter "(cn=106530670342)", scope "sub"
> (1) ldap1: Waiting for search result...
> (1) ldap1: User object found at DN "cn=NBBZ1807-134,cn=4.notebooks,cn=172.17.0.0,cn=SUBNET,cn=DHCP Config,dc=firma,dc=de"
> rlm_ldap (ldap1): Released connection (1)
> Need 4 more connections to reach 10 spares
> rlm_ldap (ldap1): Opening additional connection (6), 1 of 26 pending slots used
> rlm_ldap (ldap1): Connecting to ldap://radldap1-215:389
> TLSMC: MozNSS compatibility interception begins.
> tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
> tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
> TLSMC: MozNSS compatibility interception ends.
> rlm_ldap (ldap1): Waiting for bind result...
> rlm_ldap (ldap1): Bind successful
> (1) [ldap1] = ok
> (1) } # redundant redundant_ldap = ok
> (1) } # authorize = ok
> (1) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
> (1) Failed to authenticate the user
> (1) Using Post-Auth-Type Reject
> (1) # Executing group from file /etc/raddb/sites-enabled/default
> (1) Post-Auth-Type REJECT {
> (1) attr_filter.access_reject: EXPAND %{User-Name}
> (1) attr_filter.access_reject: --> 106530670342
> (1) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (1) [attr_filter.access_reject] = updated
> (1) [eap] = noop
> (1) policy remove_reply_message_if_eap {
> (1) if (&reply:EAP-Message && &reply:Reply-Message) {
> (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (1) else {
> (1) [noop] = noop
> (1) } # else = noop
> (1) } # policy remove_reply_message_if_eap = noop
> (1) } # Post-Auth-Type REJECT = updated
> (1) Delaying response for 1.000000 seconds
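As an added example (not code from the thread or from the FreeRADIUS project), here is a small Python parser for radiusd -X output that groups lines by request number and reports the two outcomes discussed above: a request that is not accepted because authorize set no Auth-Type even though the ldap module found the object, and an Access-Accept whose reply carries no Tunnel-Private-Group-Id. It also applies the same MAC canonicalisation as the rewrite_calling_station_id policy visible in the debug output and flags Call-Check requests whose User-Name is not the MAC in Calling-Station-Id; that consistency rule, the function names and the sample lines (condensed from the quoted output, with a constructed third request and a constructed VLAN value) are my assumptions, not anything the thread states.

```python
import re

# Same pattern as FreeRADIUS's rewrite_calling_station_id policy (seen in the
# debug output above): six hex pairs, each optionally followed by one separator.
MAC_RE = re.compile(
    r"^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?"
    r"([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$",
    re.IGNORECASE,
)
# "(N) rest of line": every per-request debug line carries the request number.
LINE_RE = re.compile(r"^\((\d+)\)\s+(.*)$")
# "Attr = value" / "Attr := value" / "Attr += value"; an optional ":tag" suffix on
# the name is swallowed, the value may be quoted.
ATTR_RE = re.compile(r'^&?([\w.-]+)(?::\d+)?\s*(?::=|\+=|=)\s*"?([^"]*)"?$')

# Constructed sample in the shape of the radiusd -X output quoted in the thread:
# request (1) rejected, request (0) accepted without VLAN, request (2) constructed.
SAMPLE_DEBUG = """\
(1) Received Access-Request Id 186 from 192.168.0.7:3437 to 192.168.0.215:1812 length 240
(1)   User-Name = "106530670342"
(1)   User-Password = "106530670342"
(1)   NAS-IP-Address = 192.168.0.7
(1)   Service-Type = Call-Check
(1)   Calling-Station-Id = "10-65-30-67-03-42"
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1)   ldap1: User object found at DN "cn=NBBZ1807-134,cn=4.notebooks,dc=firma,dc=de"
(1) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(1) Delaying response for 1.000000 seconds
(1) Sent Access-Reject Id 186 from 192.168.0.215:1812 to 192.168.0.7:3437 length 20
(1) Finished request
(0) Received Access-Request Id 189 from 192.168.0.7:3437 to 192.168.0.215:1812 length 240
(0)   User-Name = "106530670342"
(0)   Service-Type = Call-Check
(0)   Calling-Station-Id = "10-65-30-67-03-42"
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) Found Auth-Type = Accept
(0) Sent Access-Accept Id 189 from 192.168.0.215:1812 to 192.168.0.7:3437 length 0
(0)   Framed-Protocol = PPP
(0)   Framed-Compression = Van-Jacobson-TCP-IP
(0) Finished request
(2) Received Access-Request Id 190 from 192.168.0.7:3437 to 192.168.0.215:1812 length 240
(2)   User-Name = "106530670342"
(2)   Service-Type = Call-Check
(2)   Calling-Station-Id = "AA-BB-CC-DD-EE-FF"
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2) Found Auth-Type = Accept
(2) Sent Access-Accept Id 190 from 192.168.0.215:1812 to 192.168.0.7:3437 length 44
(2)   Tunnel-Private-Group-Id = "99"
(2) Finished request
"""


def normalize_mac(value):
    """Canonical 12-digit uppercase MAC, or None if the value is not a MAC."""
    m = MAC_RE.match(value or "")
    return "".join(m.groups()).upper() if m else None


def parse_debug(text):
    """Group radiusd -X lines by request number.

    Per request: the Access-Request attributes, the reply attributes, the
    Auth-Type the server found, the LDAP DN (if reported) and the packet sent."""
    requests = {}
    block = {}  # request id -> attribute list we are currently inside, if any
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # module-level lines ("rlm_ldap (ldap1): ...") carry no request id
        rid, body = m.groups()
        r = requests.setdefault(
            rid, {"request": {}, "reply": {}, "auth_type": None, "ldap_dn": None, "sent": None}
        )
        if body.startswith("Received Access-Request"):
            block[rid] = "request"
        elif body.startswith("Sent Access-"):
            r["sent"] = body.split()[1]
            block[rid] = "reply"
        elif body.startswith("Found Auth-Type = "):
            r["auth_type"] = body.split("=", 1)[1].strip()
        elif "User object found at DN" in body:
            r["ldap_dn"] = body.split('"')[1]
        elif body.startswith(("#", "Finished request", "Delaying response")):
            block[rid] = None  # end of an attribute list
        elif block.get(rid):
            am = ATTR_RE.match(body)
            if am:
                r[block[rid]][am.group(1)] = am.group(2)
    return requests


def audit(requests, required_reply=("Tunnel-Private-Group-Id",)):
    """Return (request id, finding) pairs for the failure modes discussed above."""
    findings = []
    for rid, r in sorted(requests.items(), key=lambda kv: int(kv[0])):
        req = r["request"]
        user_mac = normalize_mac(req.get("User-Name"))
        csid_mac = normalize_mac(req.get("Calling-Station-Id"))
        # Assumption: for MAC-based (Call-Check) auth the User-Name must be the
        # MAC the switch reports in Calling-Station-Id.
        if req.get("Service-Type") == "Call-Check" and (user_mac is None or user_mac != csid_mac):
            findings.append((rid, "User-Name is not the MAC in Calling-Station-Id"))
        if r["sent"] != "Access-Accept":
            if r["auth_type"] is None:
                where = f" (LDAP object {r['ldap_dn']} was found)" if r["ldap_dn"] else ""
                findings.append((rid, "not accepted: authorize set no Auth-Type" + where))
            continue
        missing = [a for a in required_reply if a not in r["reply"]]
        if missing:
            findings.append((rid, "accepted without " + ", ".join(missing)))
    return findings


if __name__ == "__main__":
    for rid, finding in audit(parse_debug(SAMPLE_DEBUG)):
        print(f"({rid}) {finding}")
```

Feed it the full radiusd -X output (for example `parse_debug(open("radiusd.log").read())`) and the audit lists, per request, whether the rejection came from a missing Auth-Type and whether an accepted MAC got its VLAN attribute back, which is exactly the difference between the two runs quoted in this thread.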