FreeRadius 3 OpenLDAP and MAC based Auth

James freeradius at gallian.co.uk
Wed Jan 9 13:19:33 CET 2019


Hi Jürgen,



On Wed, 9 Jan 2019 at 11:42, Jürgen Northe <jn at northe-online.de> wrote:

> Here the debug output and below a closer look at the ldap section with
> more verbosity.
>

You send an Access-Request with User-Name and User-Password

> (0) Received Access-Request Id 165 from 192.168.0.7:3437 to
> 192.168.0.215:1812 length 241
> (0)   User-Name = "106530670342"
> (0)   User-Password = "106530670342"
>

You check the user but there's no password

> (0)     redundant redundant_ldap {
> rlm_ldap (ldap1): Reserved connection (0)
> (0) ldap1: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
> (0) ldap1:    --> (cn=106530670342)
> (0) ldap1: Performing search in "dc=firma,dc=de" with filter
> "(cn=106530670342)", scope "sub"
> (0) ldap1: Waiting for search result...
> (0) ldap1: User object found at DN
> "cn=NBBZ1807-134,cn=4.notebooks,cn=172.17.0.0,cn=SUBNET,cn=DHCP
> Config,dc=firma,dc=de"
> (0) ldap1: Processing user attributes
> (0) ldap1: WARNING: No "known good" password added. Ensure the admin user
> has permission to read the password attribute
> (0) ldap1: WARNING: PAP authentication will *NOT* work with Active
> Directory (if that is what you were trying to configure)
>

So Access-Reject is sent

>
> (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
> Reject
> (0) Failed to authenticate the user
> (0) Using Post-Auth-Type Reject
>
> (0) Sent Access-Reject Id 165 from 192.168.0.215:1812 to 192.168.0.7:3437
> length 20
>
> closer look...
>
> Wed Jan  9 12:32:33 2019 : Debug: (0) ldap1: Performing search in
> "dc=firma,dc=de" with filter "(cn=106530670342)", scope "sub"
> Wed Jan  9 12:32:33 2019 : Debug: (0) ldap1: Waiting for search result...
> Wed Jan  9 12:32:33 2019 : Debug: (0) ldap1: User object found at DN
> "cn=NBBZ1807-134,cn=4.notebooks,cn=172.17.0.0,cn=SUBNET,cn=DHCP
> Config,dc=firma,dc=de"
> Wed Jan  9 12:32:33 2019 : Debug: (0) ldap1: Processing user attributes
> Wed Jan  9 12:32:33 2019 : Debug: (0) ldap1: Attribute "userPassword" not
> found in LDAP object
> Wed Jan  9 12:32:33 2019 : Debug: (0) ldap1: Attribute
> "radiusControlAttribute" not found in LDAP object
> Wed Jan  9 12:32:33 2019 : Debug: (0) ldap1: Attribute
> "radiusRequestAttribute" not found in LDAP object
> Wed Jan  9 12:32:33 2019 : Debug: (0) ldap1: Attribute
> "radiusReplyAttribute" not found in LDAP object
>

Maybe you need to populate userPassword?

> The attributes which were not found are not stored in the directory object
> (laptop), that's true when I query with ldapsearch.
> Wed Jan  9 12:32:33 2019 : Debug: (0) # Executing group from file
> /etc/raddb/sites-enabled/default
> Wed Jan  9 12:32:33 2019 : Debug: (0)   Post-Auth-Type REJECT {
> Wed Jan  9 12:32:33 2019 : Debug: (0)     modsingle[post-auth]: calling
> attr_filter.access_reject (rlm_attr_filter)
> Wed Jan  9 12:32:33 2019 : Debug: %{User-Name}
> Wed Jan  9 12:32:33 2019 : Debug: Parsed xlat tree:
>
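
The reading of the debug output given in the reply above, written as a small triage script. This is an added example, not part of the original message or of FreeRADIUS; the names `parse` and `diagnose` are hypothetical, and the sample is the quoted debug output unwrapped onto single lines.

```python
import re
from collections import defaultdict

# Debug lines from the thread above, unwrapped, with the "> " quote markers removed.
SAMPLE = """\
(0) Received Access-Request Id 165 from 192.168.0.7:3437 to 192.168.0.215:1812 length 241
(0)   User-Name = "106530670342"
(0)   User-Password = "106530670342"
(0) ldap1: User object found at DN "cn=NBBZ1807-134,cn=4.notebooks,cn=172.17.0.0,cn=SUBNET,cn=DHCP Config,dc=firma,dc=de"
Wed Jan  9 12:32:33 2019 : Debug: (0) ldap1: Attribute "userPassword" not found in LDAP object
(0) ldap1: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Sent Access-Reject Id 165 from 192.168.0.215:1812 to 192.168.0.7:3437 length 20
"""

# Optional timestamp prefix (as in the second excerpt), "(N)" request number, message.
LINE = re.compile(r'^(?:\w{3} \w{3} [ \d]\d [\d:]{8} \d{4} : \w+: )?\((\d+)\)\s*(.*)$')
ATTR = re.compile(r'^([\w-]+) = "(.*)"$')
DN = re.compile(r'User object found at DN "(.*)"')
MISSING = re.compile(r'Attribute "([^"]+)" not found in LDAP object')
SENT = re.compile(r'^Sent (Access-\w+) ')

def parse(log):
    """Collect, per request number, the facts the reply reads off the debug output."""
    reqs = defaultdict(lambda: dict(attrs={}, dn=None, missing=set(), no_known_good=False, no_auth_type=False, sent=None))
    for m in filter(None, (LINE.match(ln.strip()) for ln in log.splitlines())):
        req, msg = reqs[int(m.group(1))], m.group(2)
        if a := ATTR.match(msg):
            req["attrs"][a.group(1)] = a.group(2)      # attribute pair printed for the packet
        elif d := DN.search(msg):
            req["dn"] = d.group(1)                     # the LDAP search matched an entry
        elif x := MISSING.search(msg):
            req["missing"].add(x.group(1))             # absent, or not readable by the bind DN
        elif s := SENT.match(msg):
            req["sent"] = s.group(1)
        req["no_known_good"] |= 'No "known good" password added' in msg
        req["no_auth_type"] |= "No Auth-Type found" in msg
    return dict(reqs)

def diagnose(req):
    if req["sent"] != "Access-Reject":
        return "not rejected"
    if req["dn"] and req["no_known_good"] and req["no_auth_type"]:
        return "LDAP entry found, but no password was returned for it, so no Auth-Type was set"
    return "rejected for another reason"

if __name__ == "__main__":
    for n, req in parse(SAMPLE).items():
        print(n, req["attrs"].get("User-Name"), sorted(req["missing"]), "->", diagnose(req))
```
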