FreeRadius 3 OpenLDAP and MAC based Auth

Alan DeKok aland at
Fri Jan 4 20:01:03 CET 2019

On Jan 4, 2019, at 2:35 AM, Jürgen Northe <jn at> wrote:
> I have already a running environment with Freeradius2 + OpenLDAP to provide a simple NAC solution but now it's time to set up a replacement with version 3.

  Did you follow the instructions in raddb/README.rst?  There is detailed documentation on how to upgrade.

> So far everything is working but somehow the "authorize" of the client is not "processed". Compared with the version 2, I am missing the
> rlm_ldap: radiusAuthType -> Auth-Type == Accept
> along with the other attributes stored in the directory.

  What did you change?  The default configuration works, and returns all attributes it finds in LDAP.

  And what information is in LDAP?

> I do have the dictionary_mapping file and the entries in the enabled ldap module

  There is no "dictionary_mapping" file in the LDAP module configuration for v3.  This is one thing that changed...

  You can't just copy your v2 configuration to v3, and expect it to work.  That's what major version number changes mean... the configurations are *not* 100% compatible.

> I am fighting the whole day with this issue but can't even find a hint in the running environment.
> The Laptop exists in the LDAP (bind ok, object can be found) and has the usual radius attributes like Tunnel-Private-Group-Id set as the LDAP database is restored from the running one.
> With the following statement in default, I do get an "Accept", but still missing the required attributes like tunnel-type and all the others.

  You're making random changes without really understanding what's going on.  That's not going to work.

> radiusd -X
> (1) Received Access-Request Id 186 from to length 240

  No, that's an *edited* version of the debug output.  You've deleted information which may be important.  Don't do that.

  Alan DeKok.
