WPA Enterprise with Radius assigned VLAN from LDAP (Samba Active Directory)

Christian Uhlmann christian at uhlmann.it
Thu Mar 21 21:48:42 CET 2019


Hello Alan,

Thank you for the info.

On 17.03.2019 at 15:13, Alan DeKok wrote:
>    That may be wrong.  It should likely be:
> 
> 		membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"

I have changed the setting as you specified; unfortunately it still does 
not work.

>    If it doesn't work, I'd blame AD.

I would like to continue analyzing, even if my problem now has nothing to 
do with this list.
From the debug output, I think this is the area where the error happens:

(9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(9) authenticate {
(9) eap: Expiring EAP session with state 0x01b98a12064b9307
(9) eap: Finished EAP session with state 0x01b98a12064b9307
(9) eap: Previous EAP request found for state 0x01b98a12064b9307, released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: session established. Decoding tunneled attributes
(9) eap_peap: PEAP state send tlv success
(9) eap_peap: Received EAP-TLV response
(9) eap_peap: Success
(9) eap: Sending EAP Success (code 3) ID 242 length 4
(9) eap: Freeing handler
(9) [eap] = ok
(9)} # authenticate = ok
(9) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(9) post-auth {
(9) update {
(9) No attributes updated
(9)} # update = noop
(9) [ldap] = noop
(9) if (LDAP-Group == "wlan-guest") {
(9) Searching for user in group "wlan-guest"
rlm_ldap (ldap): Reserved connection (2)
(9) Performing unfiltered search in "", scope "sub"
(9) Waiting for search result ...
(9) The specified DN was not found
(9) Search returned no results
rlm_ldap (ldap): Released connection (2)
(9) if (LDAP-Group == "wlan-guest") -> FALSE
(9) elsif (ldap-group == "wlan-kinder") {
(9) Searching for user in group "wlan-kinder"
rlm_ldap (ldap): Reserved connection (3)
(9) Performing unfiltered search in "", scope "sub"
(9) Waiting for search result ...
(9) The specified DN was not found
(9) Search returned no results
rlm_ldap (ldap): Released connection (3)
(9) elsif (ldap-group == "wlan-kinder") -> FALSE
(9) else {
(9) update reply {
(9) Tunnel-Type = VLAN
(9) Tunnel-Medium-Type = IEEE-802
(9) Tunnel-Private-Group-Id = 999
(9)} # update reply = noop
(9)} # else = noop
(9) [exec] = noop
(9) policy remove_reply_message_if_eap {
(9) if (&reply:EAP-Message && &reply:Reply-Message) {
(9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(9) else {
(9) [noop] = noop
(9)} # else = noop
(9)} # policy remove_reply_message_if_eap = noop
(9)} # post-auth = noop
(9) Login OK: [testgast / <via Auth-Type = eap>] (from client unifi port 0 cli 48-BF-6B-47-56-EC)
(9) Sent Access-Accept Id 227 from 192.168.127.37:1812 to 192.168.127.197:54036 length 0
(9) MS-MPPE-Recv-Key = 0x19a77ae380df1d5293501b8c1c2c8d36212dd5c98e1019f9ba1a6b26c66a3d7e
(9) MS-MPPE-Send-Key = 0x7a6ccc2807ea006f4bb39a6080f462b71c9831ee5cc9e54607452273cdafeebd
(9) EAP-Message = 0x03f20004
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) User-Name = "testgast"
(9) Tunnel-Type = VLAN
(9) Tunnel-Medium-Type = IEEE-802
(9) Tunnel-Private-Group-Id = "999"
(9) Finished request

Particularly:
Performing unfiltered search in "", scope "sub"

or the entire block:
rlm_ldap (ldap): Reserved connection (3)
(9) Performing unfiltered search in "", scope "sub"
(9) Waiting for search result ...
(9) The specified DN was not found
(9) Search returned no results

Shouldn't something related to my LDAP config appear here?
How can I view the LDAP request in more detail here? Are there any more 
debugging options?

Thanks and Greetings
Christian
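The post above asks whether the group-check lines should show something tied to the LDAP configuration. The script below is an added example, not part of the post and not a FreeRADIUS tool: it walks a constructed, trimmed copy of the post-auth part of the debug output above, groups the "(N) ..." lines by request id, records every LDAP-Group condition result, the base DN of each LDAP search, the Login/Access-Accept outcome and the Tunnel-Private-Group-Id returned, and flags group searches that ran against an empty base DN, which is what the quoted lines show. The line formats are assumed from the 3.0.x `radiusd -X` output in the post; the pointer to `base_dn` in the ldap module's `group` section is a generic thing to check, not a diagnosis taken from the post.

```python
"""Per-request summary of FreeRADIUS 3.0 "radiusd -X" debug output.
Added example; not part of the mailing-list post and not a FreeRADIUS tool.
Line formats are assumed from the debug excerpt in the post."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: a trimmed copy of the post-auth section of the post's debug output.
SAMPLE_LOG = """\
(9) post-auth {
(9) [ldap] = noop
(9) if (LDAP-Group == "wlan-guest") {
rlm_ldap (ldap): Reserved connection (2)
(9) Performing unfiltered search in "", scope "sub"
(9) The specified DN was not found
(9) Search returned no results
(9) if (LDAP-Group == "wlan-guest") -> FALSE
(9) elsif (ldap-group == "wlan-kinder") {
rlm_ldap (ldap): Reserved connection (3)
(9) Performing unfiltered search in "", scope "sub"
(9) Search returned no results
(9) elsif (ldap-group == "wlan-kinder") -> FALSE
(9) else {
(9) update reply {
(9) Tunnel-Private-Group-Id = 999
(9)} # update reply = noop
(9)} # else = noop
(9)} # post-auth = noop
(9) Login OK: [testgast / <via Auth-Type = eap>] (from client unifi port 0 cli 48-BF-6B-47-56-EC)
(9) Sent Access-Accept Id 227 from 192.168.127.37:1812 to 192.168.127.197:54036 length 0
(9) Tunnel-Type = VLAN
(9) Tunnel-Medium-Type = IEEE-802
(9) Tunnel-Private-Group-Id = "999"
(9) Finished request
"""

REQ = r"^\((?P<rid>\d+)\)\s*"   # "(9) " prefix; "(9)}" has no space after it
GROUP_RESULT_RE = re.compile(
    REQ + r'(?:if|elsif) \((?i:ldap-group) == "(?P<group>[^"]+)"\) -> (?P<res>TRUE|FALSE)$')
SEARCH_RE = re.compile(REQ + r'Performing (?:unfiltered )?search in "(?P<base>[^"]*)"')
LOGIN_RE = re.compile(REQ + r"Login (?P<res>OK|incorrect): \[(?P<user>[^\s/\]]+)")
SENT_RE = re.compile(REQ + r"Sent (?P<code>Access-Accept|Access-Reject|Access-Challenge) ")
VLAN_RE = re.compile(REQ + r'Tunnel-Private-Group-Id = "?(?P<vlan>[^"]+)"?$')


@dataclass
class RequestSummary:
    request_id: int
    user: Optional[str] = None
    login_result: Optional[str] = None      # "OK" or "incorrect"
    packet_sent: Optional[str] = None       # last Access-* packet sent
    group_checks: List[Tuple[str, bool]] = field(default_factory=list)
    ldap_search_bases: List[str] = field(default_factory=list)
    reply_vlan: Optional[str] = None        # last Tunnel-Private-Group-Id seen


def parse_debug(text: str) -> Dict[int, RequestSummary]:
    """Group "(N) ..." lines by request id and pull out the fields above."""
    summaries: Dict[int, RequestSummary] = {}
    for line in text.splitlines():
        head = re.match(REQ, line)
        if not head:
            continue  # "rlm_ldap (ldap): ..." pool lines carry no request id
        rid = int(head["rid"])
        s = summaries.setdefault(rid, RequestSummary(rid))
        if m := GROUP_RESULT_RE.match(line):
            s.group_checks.append((m["group"], m["res"] == "TRUE"))
        elif m := SEARCH_RE.match(line):
            s.ldap_search_bases.append(m["base"])
        elif m := LOGIN_RE.match(line):
            s.login_result, s.user = m["res"], m["user"]
        elif m := SENT_RE.match(line):
            s.packet_sent = m["code"]
        elif m := VLAN_RE.match(line):
            s.reply_vlan = m["vlan"]
    return summaries


def find_issues(s: RequestSummary) -> List[str]:
    """Config points worth checking, derived only from what the log shows."""
    issues: List[str] = []
    empty = s.ldap_search_bases.count("")
    if empty:
        issues.append(f"request {s.request_id}: {empty} LDAP search(es) ran with an empty "
                      "base DN; check base_dn in the ldap module's group section")
    if s.group_checks and not any(ok for _, ok in s.group_checks):
        issues.append(f"request {s.request_id}: no LDAP-Group condition matched, so "
                      f"VLAN {s.reply_vlan} comes from the else branch")
    return issues


if __name__ == "__main__":
    for summary in parse_debug(SAMPLE_LOG).values():
        print(summary.user, summary.login_result, summary.packet_sent,
              summary.group_checks, summary.reply_vlan)
        for issue in find_issues(summary):
            print("  !", issue)
```

Feed it the full `radiusd -X` output instead of the sample to get one summary per request; an empty base DN on a group search is the first thing to compare against the ldap module file, and a request where every LDAP-Group check is FALSE but the reply still carries a VLAN shows that the VLAN came from the fallback branch rather than from group membership.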

More information about the Freeradius-Users mailing list