FreeRadius and FreeIpa integration not working in our Lab setup
Krishna Chaitanya
krishna.chaitanya at qi-cap.com
Thu Jul 14 07:07:30 UTC 2022
My Question is like, Why is the request being Ignored?
*Krishna Chaitanya Ala*
*Network and Operations Engineer*
*QI Cap Markets LLP*
*Bangalore,Karnataka*
*Slack : krishna.chaitanya at qi-cap.com <krishna.chaitanya at qi-cap.com>*
On Thu, 14 Jul 2022 at 12:27, Michael Schwartzkopff <ms at sys4.de> wrote:
> What is unclear about the log message:
>
> Ignoring request to auth address * port 1812 bound to server default from
> unknown client 122.1.5.136
>
> Muchael
>
> 14.07.2022 08:47:56 Krishna Chaitanya <krishna.chaitanya at qi-cap.com>:
>
> Thanks very much Michael for your help and after making those changes, I
> was able to see an Accept message from FreeRadius.
> However, when trying to authenticate wireless using Freeradius I can see
> something like below.
> Please suggest!!
> ==============================================
> Listening on auth address * port 1812 bound to server default
> Listening on acct address * port 1813 bound to server default
> Listening on auth address :: port 1812 bound to server default
> Listening on acct address :: port 1813 bound to server default
> Listening on auth address 127.0.0.1 port 18120 bound to server
> inner-tunnel
> Listening on proxy address * port 34082
> Listening on proxy address :: port 42473
> Ready to process requests
> Ignoring request to auth address * port 1812 bound to server default from
> unknown client 122.1.5.89 port 49457 proto udp
> Ready to process requests
> Ignoring request to auth address * port 1812 bound to server default from
> unknown client 122.1.5.89 port 49457 proto udp
> Ready to process requests
> Ignoring request to auth address * port 1812 bound to server default from
> unknown client 122.1.5.89 port 49457 proto udp
> Ready to process requests
> Ignoring request to auth address * port 1812 bound to server default from
> unknown client 122.1.5.89 port 49457 proto udp
> Ready to process requests
> Ignoring request to auth address * port 1812 bound to server default from
> unknown client 122.1.5.89 port 49457 proto udp
> Ready to process requests
> Ignoring request to auth address * port 1812 bound to server default from
> unknown client 122.1.5.89 port 49457 proto udp
> Ready to process requests
> Ignoring request to auth address * port 1812 bound to server default from
> unknown client 122.1.5.89 port 49457 proto udp
> Ready to process requests
> Ignoring request to auth address * port 1812 bound to server default from
> unknown client 122.1.5.136 port 37235 proto udp
> Ready to process requests
>
> Thanks
> Krishna
>
>
>
>
>
> On Wed, 13 Jul 2022 at 17:03, Michael Schwartzkopff <ms at sys4.de> wrote:
>
>> On 13.07.22 12:59, Krishna Chaitanya wrote:
>> > Michael,
>> > The manual search is giving expected results but not sure why I am
>> seeing 2
>> > search results.
>> > Please find the below radtest results along with the manual ldap search
>> > report.
>> >
>> > ================================================================
>> > [admin at freeradius raddb]$ ldapsearch -x uid=*krishnachaitanya*
>> > # extended LDIF
>> > #
>> > # LDAPv3
>> > # base <dc=qi-cap,dc=com> (default) with scope subtree
>> > # filter: uid=krishnachaitanya
>> > # requesting: ALL
>> > #
>> >
>> > # krishnachaitanya, users, compat, qi-cap.com
>> > dn: uid=krishnachaitanya,cn=users,cn=compat,dc=qi-cap,dc=com
>> > objectClass: posixAccount
>> > objectClass: ipaOverrideTarget
>> > objectClass: top
>> > gecos: Krishna Ala
>> > cn: Krishna Ala
>> > uidNumber: 1283800005
>> > gidNumber: 1283800005
>> > loginShell: /bin/sh
>> > homeDirectory: /home/krishnachaitanya
>> > ipaAnchorUUID::
>> > OklQQTpxaS1jYXAuY29tOmY1N2IxYTcyLWZlYjAtMTFlYy04MWYxLTA4MDAyNz
>> > M2ZWMzOQ==
>> > uid: krishnachaitanya
>> >
>> > # krishnachaitanya, users, accounts, qi-cap.com
>> > dn: uid=krishnachaitanya,cn=users,cn=accounts,dc=qi-cap,dc=com
>> > givenName: Krishna
>> > sn: Ala
>> > uid: krishnachaitanya
>> > cn: Krishna Ala
>> > displayName: Krishna Ala
>> > initials: KA
>> > gecos: Krishna Ala
>> > objectClass: top
>> > objectClass: person
>> > objectClass: organizationalperson
>> > objectClass: inetorgperson
>> > objectClass: inetuser
>> > objectClass: posixaccount
>> > objectClass: krbprincipalaux
>> > objectClass: krbticketpolicyaux
>> > objectClass: ipaobject
>> > objectClass: ipasshuser
>> > objectClass: ipaSshGroupOfPubKeys
>> > objectClass: mepOriginEntry
>> > objectClass: ipantuserattrs
>> > loginShell: /bin/sh
>> > homeDirectory: /home/krishnachaitanya
>> > uidNumber: 1283800005
>> > gidNumber: 1283800005
>> > ipaNTSecurityIdentifier: S-1-5-21-2716401607-2924185208-1841578509-1005
>> >
>> > # search result
>> > search: 2
>> > result: 0 Success
>> >
>> > # numResponses: 3
>> > # numEntries: 2
>> >
>> ===============================================================================================
>>
>> > [root at freeradius admin]# radiusd -X
>> > FreeRADIUS Version 3.0.21
>> > Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
>> > There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
>> > PARTICULAR PURPOSE
>> > You may redistribute copies of FreeRADIUS under the terms of the
>> > GNU General Public License
>> > For more information about these matters, see the file named COPYRIGHT
>> > Starting - reading configuration files ...
>> > including dictionary file /usr/share/freeradius/dictionary
>> > including dictionary file /usr/share/freeradius/dictionary.dhcp
>> > including dictionary file /usr/share/freeradius/dictionary.vqp
>> > including dictionary file /etc/raddb/dictionary
>> > including configuration file /etc/raddb/radiusd.conf
>> > including configuration file /etc/raddb/proxy.conf
>> > including configuration file /etc/raddb/clients.conf
>> > including files in directory /etc/raddb/mods-enabled/
>> > including configuration file /etc/raddb/mods-enabled/always
>> > including configuration file /etc/raddb/mods-enabled/attr_filter
>> > including configuration file /etc/raddb/mods-enabled/cache_eap
>> > including configuration file /etc/raddb/mods-enabled/chap
>> > including configuration file /etc/raddb/mods-enabled/date
>> > including configuration file /etc/raddb/mods-enabled/detail
>> > including configuration file /etc/raddb/mods-enabled/detail.log
>> > including configuration file /etc/raddb/mods-enabled/digest
>> > including configuration file /etc/raddb/mods-enabled/dynamic_clients
>> > including configuration file /etc/raddb/mods-enabled/eap
>> > including configuration file /etc/raddb/mods-enabled/echo
>> > including configuration file /etc/raddb/mods-enabled/exec
>> > including configuration file /etc/raddb/mods-enabled/expiration
>> > including configuration file /etc/raddb/mods-enabled/expr
>> > including configuration file /etc/raddb/mods-enabled/files
>> > including configuration file /etc/raddb/mods-enabled/linelog
>> > including configuration file /etc/raddb/mods-enabled/logintime
>> > including configuration file /etc/raddb/mods-enabled/mschap
>> > including configuration file /etc/raddb/mods-enabled/ntlm_auth
>> > including configuration file /etc/raddb/mods-enabled/pap
>> > including configuration file /etc/raddb/mods-enabled/passwd
>> > including configuration file /etc/raddb/mods-enabled/preprocess
>> > including configuration file /etc/raddb/mods-enabled/radutmp
>> > including configuration file /etc/raddb/mods-enabled/realm
>> > including configuration file /etc/raddb/mods-enabled/replicate
>> > including configuration file /etc/raddb/mods-enabled/soh
>> > including configuration file /etc/raddb/mods-enabled/sradutmp
>> > including configuration file /etc/raddb/mods-enabled/unix
>> > including configuration file /etc/raddb/mods-enabled/unpack
>> > including configuration file /etc/raddb/mods-enabled/utf8
>> > including configuration file /etc/raddb/mods-enabled/ldap
>> > including files in directory /etc/raddb/policy.d/
>> > including configuration file /etc/raddb/policy.d/accounting
>> > including configuration file /etc/raddb/policy.d/canonicalization
>> > including configuration file /etc/raddb/policy.d/control
>> > including configuration file /etc/raddb/policy.d/cui
>> > including configuration file /etc/raddb/policy.d/debug
>> > including configuration file /etc/raddb/policy.d/dhcp
>> > including configuration file /etc/raddb/policy.d/eap
>> > including configuration file /etc/raddb/policy.d/filter
>> > including configuration file /etc/raddb/policy.d/operator-name
>> > including configuration file /etc/raddb/policy.d/rfc7542
>> > including files in directory /etc/raddb/sites-enabled/
>> > including configuration file /etc/raddb/sites-enabled/default
>> > including configuration file /etc/raddb/sites-enabled/inner-tunnel
>> > main {
>> > security {
>> > user = "radiusd"
>> > group = "radiusd"
>> > allow_core_dumps = no
>> > }
>> > name = "radiusd"
>> > prefix = "/usr"
>> > localstatedir = "/var"
>> > logdir = "/var/log/radius"
>> > run_dir = "/var/run/radiusd"
>> > }
>> > main {
>> > name = "radiusd"
>> > prefix = "/usr"
>> > localstatedir = "/var"
>> > sbindir = "/usr/sbin"
>> > logdir = "/var/log/radius"
>> > run_dir = "/var/run/radiusd"
>> > libdir = "/usr/lib64/freeradius"
>> > radacctdir = "/var/log/radius/radacct"
>> > hostname_lookups = no
>> > max_request_time = 30
>> > cleanup_delay = 5
>> > max_requests = 16384
>> > pidfile = "/var/run/radiusd/radiusd.pid"
>> > checkrad = "/usr/sbin/checkrad"
>> > debug_level = 0
>> > proxy_requests = yes
>> > log {
>> > stripped_names = no
>> > auth = no
>> > auth_badpass = no
>> > auth_goodpass = no
>> > colourise = yes
>> > msg_denied = "You are already logged in - access denied"
>> > }
>> > resources {
>> > }
>> > security {
>> > max_attributes = 200
>> > reject_delay = 1.000000
>> > status_server = yes
>> > }
>> > }
>> > radiusd: #### Loading Realms and Home Servers ####
>> > proxy server {
>> > retry_delay = 5
>> > retry_count = 3
>> > default_fallback = no
>> > dead_time = 120
>> > wake_all_if_all_dead = no
>> > }
>> > home_server localhost {
>> > ipaddr = 127.0.0.1
>> > port = 1812
>> > type = "auth"
>> > secret = <<< secret >>>
>> > response_window = 20.000000
>> > response_timeouts = 1
>> > max_outstanding = 65536
>> > zombie_period = 40
>> > status_check = "status-server"
>> > ping_interval = 30
>> > check_interval = 30
>> > check_timeout = 4
>> > num_answers_to_alive = 3
>> > revive_interval = 120
>> > limit {
>> > max_connections = 16
>> > max_requests = 0
>> > lifetime = 0
>> > idle_timeout = 0
>> > }
>> > coa {
>> > irt = 2
>> > mrt = 16
>> > mrc = 5
>> > mrd = 30
>> > }
>> > }
>> > home_server_pool my_auth_failover {
>> > type = fail-over
>> > home_server = localhost
>> > }
>> > realm example.com {
>> > auth_pool = my_auth_failover
>> > }
>> > realm LOCAL {
>> > }
>> > radiusd: #### Loading Clients ####
>> > client localhost {
>> > ipaddr = 122.1.5.84
>> > require_message_authenticator = no
>> > secret = <<< secret >>>
>> > nas_type = "other"
>> > proto = "*"
>> > limit {
>> > max_connections = 16
>> > lifetime = 0
>> > idle_timeout = 30
>> > }
>> > }
>> > client localhost_ipv6 {
>> > ipv6addr = ::1
>> > require_message_authenticator = no
>> > secret = <<< secret >>>
>> > limit {
>> > max_connections = 16
>> > lifetime = 0
>> > idle_timeout = 30
>> > }
>> > }
>> > Debugger not attached
>> > # Creating Auth-Type = mschap
>> > # Creating Auth-Type = digest
>> > # Creating Auth-Type = eap
>> > # Creating Auth-Type = PAP
>> > # Creating Auth-Type = CHAP
>> > # Creating Auth-Type = MS-CHAP
>> > # Creating Auth-Type = LDAP
>> > radiusd: #### Instantiating modules ####
>> > modules {
>> > # Loaded module rlm_always
>> > # Loading module "reject" from file /etc/raddb/mods-enabled/always
>> > always reject {
>> > rcode = "reject"
>> > simulcount = 0
>> > mpp = no
>> > }
>> > # Loading module "fail" from file /etc/raddb/mods-enabled/always
>> > always fail {
>> > rcode = "fail"
>> > simulcount = 0
>> > mpp = no
>> > }
>> > # Loading module "ok" from file /etc/raddb/mods-enabled/always
>> > always ok {
>> > rcode = "ok"
>> > simulcount = 0
>> > mpp = no
>> > }
>> > # Loading module "handled" from file /etc/raddb/mods-enabled/always
>> > always handled {
>> > rcode = "handled"
>> > simulcount = 0
>> > mpp = no
>> > }
>> > # Loading module "invalid" from file /etc/raddb/mods-enabled/always
>> > always invalid {
>> > rcode = "invalid"
>> > simulcount = 0
>> > mpp = no
>> > }
>> > # Loading module "userlock" from file /etc/raddb/mods-enabled/always
>> > always userlock {
>> > rcode = "userlock"
>> > simulcount = 0
>> > mpp = no
>> > }
>> > # Loading module "notfound" from file /etc/raddb/mods-enabled/always
>> > always notfound {
>> > rcode = "notfound"
>> > simulcount = 0
>> > mpp = no
>> > }
>> > # Loading module "noop" from file /etc/raddb/mods-enabled/always
>> > always noop {
>> > rcode = "noop"
>> > simulcount = 0
>> > mpp = no
>> > }
>> > # Loading module "updated" from file /etc/raddb/mods-enabled/always
>> > always updated {
>> > rcode = "updated"
>> > simulcount = 0
>> > mpp = no
>> > }
>> > # Loaded module rlm_attr_filter
>> > # Loading module "attr_filter.post-proxy" from file
>> > /etc/raddb/mods-enabled/attr_filter
>> > attr_filter attr_filter.post-proxy {
>> > filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
>> > key = "%{Realm}"
>> > relaxed = no
>> > }
>> > # Loading module "attr_filter.pre-proxy" from file
>> > /etc/raddb/mods-enabled/attr_filter
>> > attr_filter attr_filter.pre-proxy {
>> > filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
>> > key = "%{Realm}"
>> > relaxed = no
>> > }
>> > # Loading module "attr_filter.access_reject" from file
>> > /etc/raddb/mods-enabled/attr_filter
>> > attr_filter attr_filter.access_reject {
>> > filename = "/etc/raddb/mods-config/attr_filter/access_reject"
>> > key = "%{User-Name}"
>> > relaxed = no
>> > }
>> > # Loading module "attr_filter.access_challenge" from file
>> > /etc/raddb/mods-enabled/attr_filter
>> > attr_filter attr_filter.access_challenge {
>> > filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
>> > key = "%{User-Name}"
>> > relaxed = no
>> > }
>> > # Loading module "attr_filter.accounting_response" from file
>> > /etc/raddb/mods-enabled/attr_filter
>> > attr_filter attr_filter.accounting_response {
>> > filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
>> > key = "%{User-Name}"
>> > relaxed = no
>> > }
>> > # Loaded module rlm_cache
>> > # Loading module "cache_eap" from file
>> /etc/raddb/mods-enabled/cache_eap
>> > cache cache_eap {
>> > driver = "rlm_cache_rbtree"
>> > key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
>> > ttl = 15
>> > max_entries = 0
>> > epoch = 0
>> > add_stats = no
>> > }
>> > # Loaded module rlm_chap
>> > # Loading module "chap" from file /etc/raddb/mods-enabled/chap
>> > # Loaded module rlm_date
>> > # Loading module "date" from file /etc/raddb/mods-enabled/date
>> > date {
>> > format = "%b %e %Y %H:%M:%S %Z"
>> > utc = no
>> > }
>> > # Loading module "wispr2date" from file /etc/raddb/mods-enabled/date
>> > date wispr2date {
>> > format = "%Y-%m-%dT%H:%M:%S"
>> > utc = no
>> > }
>> > # Loaded module rlm_detail
>> > # Loading module "detail" from file /etc/raddb/mods-enabled/detail
>> > detail {
>> > filename =
>> >
>> "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
>>
>> > header = "%t"
>> > permissions = 384
>> > locking = no
>> > escape_filenames = no
>> > log_packet_header = no
>> > }
>> > # Loading module "auth_log" from file
>> /etc/raddb/mods-enabled/detail.log
>> > detail auth_log {
>> > filename =
>> >
>> "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
>>
>> > header = "%t"
>> > permissions = 384
>> > locking = no
>> > escape_filenames = no
>> > log_packet_header = no
>> > }
>> > # Loading module "reply_log" from file
>> /etc/raddb/mods-enabled/detail.log
>> > detail reply_log {
>> > filename =
>> >
>> "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
>>
>> > header = "%t"
>> > permissions = 384
>> > locking = no
>> > escape_filenames = no
>> > log_packet_header = no
>> > }
>> > # Loading module "pre_proxy_log" from file
>> > /etc/raddb/mods-enabled/detail.log
>> > detail pre_proxy_log {
>> > filename =
>> >
>> "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
>>
>> > header = "%t"
>> > permissions = 384
>> > locking = no
>> > escape_filenames = no
>> > log_packet_header = no
>> > }
>> > # Loading module "post_proxy_log" from file
>> > /etc/raddb/mods-enabled/detail.log
>> > detail post_proxy_log {
>> > filename =
>> >
>> "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
>>
>> > header = "%t"
>> > permissions = 384
>> > locking = no
>> > escape_filenames = no
>> > log_packet_header = no
>> > }
>> > # Loaded module rlm_digest
>> > # Loading module "digest" from file /etc/raddb/mods-enabled/digest
>> > # Loaded module rlm_dynamic_clients
>> > # Loading module "dynamic_clients" from file
>> > /etc/raddb/mods-enabled/dynamic_clients
>> > # Loaded module rlm_eap
>> > # Loading module "eap" from file /etc/raddb/mods-enabled/eap
>> > eap {
>> > default_eap_type = "md5"
>> > timer_expire = 60
>> > ignore_unknown_eap_types = no
>> > cisco_accounting_username_bug = no
>> > max_sessions = 16384
>> > }
>> > # Loaded module rlm_exec
>> > # Loading module "echo" from file /etc/raddb/mods-enabled/echo
>> > exec echo {
>> > wait = yes
>> > program = "/bin/echo %{User-Name}"
>> > input_pairs = "request"
>> > output_pairs = "reply"
>> > shell_escape = yes
>> > }
>> > # Loading module "exec" from file /etc/raddb/mods-enabled/exec
>> > exec {
>> > wait = no
>> > input_pairs = "request"
>> > shell_escape = yes
>> > timeout = 10
>> > }
>> > # Loaded module rlm_expiration
>> > # Loading module "expiration" from file
>> /etc/raddb/mods-enabled/expiration
>> > # Loaded module rlm_expr
>> > # Loading module "expr" from file /etc/raddb/mods-enabled/expr
>> > expr {
>> > safe_characters =
>> > "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
>> > /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
>> > }
>> > # Loaded module rlm_files
>> > # Loading module "files" from file /etc/raddb/mods-enabled/files
>> > files {
>> > filename = "/etc/raddb/mods-config/files/authorize"
>> > acctusersfile = "/etc/raddb/mods-config/files/accounting"
>> > preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
>> > }
>> > # Loaded module rlm_linelog
>> > # Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
>> > linelog {
>> > filename = "/var/log/radius/linelog"
>> > escape_filenames = no
>> > syslog_severity = "info"
>> > permissions = 384
>> > format = "This is a log message for %{User-Name}"
>> > reference = "messages.%{%{reply:Packet-Type}:-default}"
>> > }
>> > # Loading module "log_accounting" from file
>> > /etc/raddb/mods-enabled/linelog
>> > linelog log_accounting {
>> > filename = "/var/log/radius/linelog-accounting"
>> > escape_filenames = no
>> > syslog_severity = "info"
>> > permissions = 384
>> > format = ""
>> > reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
>> > }
>> > # Loaded module rlm_logintime
>> > # Loading module "logintime" from file
>> /etc/raddb/mods-enabled/logintime
>> > logintime {
>> > minimum_timeout = 60
>> > }
>> > # Loaded module rlm_mschap
>> > # Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
>> > mschap {
>> > use_mppe = yes
>> > require_encryption = no
>> > require_strong = no
>> > with_ntdomain_hack = yes
>> > passchange {
>> > }
>> > allow_retry = yes
>> > winbind_retry_with_normalised_username = no
>> > }
>> > # Loading module "ntlm_auth" from file
>> /etc/raddb/mods-enabled/ntlm_auth
>> > exec ntlm_auth {
>> > wait = yes
>> > program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
>> > --username=%{mschap:User-Name} --password=%{User-Password}"
>> > shell_escape = yes
>> > }
>> > # Loaded module rlm_pap
>> > # Loading module "pap" from file /etc/raddb/mods-enabled/pap
>> > pap {
>> > normalise = yes
>> > }
>> > # Loaded module rlm_passwd
>> > # Loading module "etc_passwd" from file
>> /etc/raddb/mods-enabled/passwd
>> > passwd etc_passwd {
>> > filename = "/etc/passwd"
>> > format = "*User-Name:Crypt-Password:"
>> > delimiter = ":"
>> > ignore_nislike = no
>> > ignore_empty = yes
>> > allow_multiple_keys = no
>> > hash_size = 100
>> > }
>> > # Loaded module rlm_preprocess
>> > # Loading module "preprocess" from file
>> /etc/raddb/mods-enabled/preprocess
>> > preprocess {
>> > huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
>> > hints = "/etc/raddb/mods-config/preprocess/hints"
>> > with_ascend_hack = no
>> > ascend_channels_per_line = 23
>> > with_ntdomain_hack = no
>> > with_specialix_jetstream_hack = no
>> > with_cisco_vsa_hack = no
>> > with_alvarion_vsa_hack = no
>> > }
>> > # Loaded module rlm_radutmp
>> > # Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
>> > radutmp {
>> > filename = "/var/log/radius/radutmp"
>> > username = "%{User-Name}"
>> > case_sensitive = yes
>> > check_with_nas = yes
>> > permissions = 384
>> > caller_id = yes
>> > }
>> > # Loaded module rlm_realm
>> > # Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
>> > realm IPASS {
>> > format = "prefix"
>> > delimiter = "/"
>> > ignore_default = no
>> > ignore_null = no
>> > }
>> > # Loading module "suffix" from file /etc/raddb/mods-enabled/realm
>> > realm suffix {
>> > format = "suffix"
>> > delimiter = "@"
>> > ignore_default = no
>> > ignore_null = no
>> > }
>> > # Loading module "bangpath" from file /etc/raddb/mods-enabled/realm
>> > realm bangpath {
>> > format = "prefix"
>> > delimiter = "!"
>> > ignore_default = no
>> > ignore_null = no
>> > }
>> > # Loading module "realmpercent" from file
>> /etc/raddb/mods-enabled/realm
>> > realm realmpercent {
>> > format = "suffix"
>> > delimiter = "%"
>> > ignore_default = no
>> > ignore_null = no
>> > }
>> > # Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
>> > realm ntdomain {
>> > format = "prefix"
>> > delimiter = "\\"
>> > ignore_default = no
>> > ignore_null = no
>> > }
>> > # Loaded module rlm_replicate
>> > # Loading module "replicate" from file
>> /etc/raddb/mods-enabled/replicate
>> > # Loaded module rlm_soh
>> > # Loading module "soh" from file /etc/raddb/mods-enabled/soh
>> > soh {
>> > dhcp = yes
>> > }
>> > # Loading module "sradutmp" from file
>> /etc/raddb/mods-enabled/sradutmp
>> > radutmp sradutmp {
>> > filename = "/var/log/radius/sradutmp"
>> > username = "%{User-Name}"
>> > case_sensitive = yes
>> > check_with_nas = yes
>> > permissions = 420
>> > caller_id = no
>> > }
>> > # Loaded module rlm_unix
>> > # Loading module "unix" from file /etc/raddb/mods-enabled/unix
>> > unix {
>> > radwtmp = "/var/log/radius/radwtmp"
>> > }
>> > Creating attribute Unix-Group
>> > # Loaded module rlm_unpack
>> > # Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
>> > # Loaded module rlm_utf8
>> > # Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
>> > # Loaded module rlm_ldap
>> > # Loading module "ldap" from file /etc/raddb/mods-enabled/ldap
>> > ldap {
>> > server = "122.1.5.84"
>> > sasl {
>> > }
>> > user_dn = "LDAP-UserDn"
>> > user {
>> > scope = "sub"
>> > access_positive = yes
>> > sasl {
>> > }
>> > }
>> > group {
>> > filter = "(objectClass=posixGroup)"
>> > scope = "sub"
>> > name_attribute = "cn"
>> > membership_attribute = "memberOf"
>> > cacheable_name = no
>> > cacheable_dn = no
>> > allow_dangling_group_ref = no
>> > }
>> > client {
>> > filter = "(objectClass=radiusClient)"
>> > scope = "sub"
>> > base_dn = "O=QI-CAP.COM,CN=Certificate
>> > Authority,cn=users,cn=accounts,dc=qi-cap,uid=krishnachaitanya,dc=com"
>> > }
>> > profile {
>> > }
>> > options {
>> > ldap_debug = 40
>> > chase_referrals = yes
>> > rebind = yes
>> > net_timeout = 1
>> > res_timeout = 10
>> > srv_timelimit = 3
>> > idle = 60
>> > probes = 3
>> > interval = 3
>> > }
>> > tls {
>> > start_tls = no
>> > }
>> > }
>> > Creating attribute LDAP-Group
>> > instantiate {
>> > }
>> > # Instantiating module "reject" from file
>> /etc/raddb/mods-enabled/always
>> > # Instantiating module "fail" from file
>> /etc/raddb/mods-enabled/always
>> > # Instantiating module "ok" from file /etc/raddb/mods-enabled/always
>> > # Instantiating module "handled" from file
>> /etc/raddb/mods-enabled/always
>> > # Instantiating module "invalid" from file
>> /etc/raddb/mods-enabled/always
>> > # Instantiating module "userlock" from file
>> /etc/raddb/mods-enabled/always
>> > # Instantiating module "notfound" from file
>> /etc/raddb/mods-enabled/always
>> > # Instantiating module "noop" from file
>> /etc/raddb/mods-enabled/always
>> > # Instantiating module "updated" from file
>> /etc/raddb/mods-enabled/always
>> > # Instantiating module "attr_filter.post-proxy" from file
>> > /etc/raddb/mods-enabled/attr_filter
>> > reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
>> > # Instantiating module "attr_filter.pre-proxy" from file
>> > /etc/raddb/mods-enabled/attr_filter
>> > reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
>> > # Instantiating module "attr_filter.access_reject" from file
>> > /etc/raddb/mods-enabled/attr_filter
>> > reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
>> > # Instantiating module "attr_filter.access_challenge" from file
>> > /etc/raddb/mods-enabled/attr_filter
>> > reading pairlist file
>> /etc/raddb/mods-config/attr_filter/access_challenge
>> > # Instantiating module "attr_filter.accounting_response" from file
>> > /etc/raddb/mods-enabled/attr_filter
>> > reading pairlist file
>> /etc/raddb/mods-config/attr_filter/accounting_response
>> > # Instantiating module "cache_eap" from file
>> > /etc/raddb/mods-enabled/cache_eap
>> > rlm_cache (cache_eap): Driver rlm_cache_rbtree (module
>> rlm_cache_rbtree)
>> > loaded and linked
>> > # Instantiating module "detail" from file
>> /etc/raddb/mods-enabled/detail
>> > # Instantiating module "auth_log" from file
>> > /etc/raddb/mods-enabled/detail.log
>> > rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
>> > detail output
>> > # Instantiating module "reply_log" from file
>> > /etc/raddb/mods-enabled/detail.log
>> > # Instantiating module "pre_proxy_log" from file
>> > /etc/raddb/mods-enabled/detail.log
>> > # Instantiating module "post_proxy_log" from file
>> > /etc/raddb/mods-enabled/detail.log
>> > # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
>> > # Linked to sub-module rlm_eap_md5
>> > # Linked to sub-module rlm_eap_leap
>> > # Linked to sub-module rlm_eap_gtc
>> > gtc {
>> > challenge = "Password: "
>> > auth_type = "PAP"
>> > }
>> > # Linked to sub-module rlm_eap_tls
>> > tls {
>> > tls = "tls-common"
>> > }
>> > tls-config tls-common {
>> > verify_depth = 0
>> > ca_path = "/etc/raddb/certs"
>> > pem_file_type = yes
>> > private_key_file = "/etc/raddb/certs/server.pem"
>> > certificate_file = "/etc/raddb/certs/server.pem"
>> > ca_file = "/etc/raddb/certs/ca.pem"
>> > private_key_password = <<< secret >>>
>> > dh_file = "/etc/raddb/certs/dh"
>> > fragment_size = 1024
>> > include_length = yes
>> > auto_chain = yes
>> > check_crl = no
>> > check_all_crl = no
>> > ca_path_reload_interval = 0
>> > cipher_list = "PROFILE=SYSTEM"
>> > cipher_server_preference = no
>> > reject_unknown_intermediate_ca = no
>> > ecdh_curve = "prime256v1"
>> > disable_tlsv1 = yes
>> > disable_tlsv1_1 = yes
>> > tls_max_version = "1.2"
>> > tls_min_version = "1.2"
>> > cache {
>> > enable = no
>> > lifetime = 24
>> > max_entries = 255
>> > }
>> > verify {
>> > skip_if_ocsp_ok = no
>> > }
>> > ocsp {
>> > enable = no
>> > override_cert_url = yes
>> > url = "http://127.0.0.1/ocsp/"
>> > use_nonce = yes
>> > timeout = 0
>> > softfail = no
>> > }
>> > }
>> > tls: Please use 'tls_min_version' and 'tls_max_version' instead of
>> > 'disable_tlsv1'
>> > tls: Please use 'tls_min_version' and 'tls_max_version' instead of
>> > 'disable_tlsv1_1'
>> > tls: Setting DH parameters from /etc/raddb/certs/dh - this is no longer
>> > necessary.
>> > tls: You should comment out the 'dh_file' configuration item.
>> > # Linked to sub-module rlm_eap_ttls
>> > ttls {
>> > tls = "tls-common"
>> > default_eap_type = "md5"
>> > copy_request_to_tunnel = no
>> > use_tunneled_reply = no
>> > virtual_server = "inner-tunnel"
>> > include_length = yes
>> > require_client_cert = no
>> > }
>> > tls: Using cached TLS configuration from previous invocation
>> > # Linked to sub-module rlm_eap_peap
>> > peap {
>> > tls = "tls-common"
>> > default_eap_type = "mschapv2"
>> > copy_request_to_tunnel = no
>> > use_tunneled_reply = no
>> > proxy_tunneled_request_as_eap = yes
>> > virtual_server = "inner-tunnel"
>> > soh = no
>> > require_client_cert = no
>> > }
>> > tls: Using cached TLS configuration from previous invocation
>> > # Linked to sub-module rlm_eap_mschapv2
>> > mschapv2 {
>> > with_ntdomain_hack = no
>> > send_error = no
>> > }
>> > # Instantiating module "expiration" from file
>> > /etc/raddb/mods-enabled/expiration
>> > # Instantiating module "files" from file
>> /etc/raddb/mods-enabled/files
>> > reading pairlist file /etc/raddb/mods-config/files/authorize
>> > reading pairlist file /etc/raddb/mods-config/files/accounting
>> > reading pairlist file /etc/raddb/mods-config/files/pre-proxy
>> > # Instantiating module "linelog" from file
>> /etc/raddb/mods-enabled/linelog
>> > # Instantiating module "log_accounting" from file
>> > /etc/raddb/mods-enabled/linelog
>> > # Instantiating module "logintime" from file
>> > /etc/raddb/mods-enabled/logintime
>> > # Instantiating module "mschap" from file
>> /etc/raddb/mods-enabled/mschap
>> > rlm_mschap (mschap): using internal authentication
>> > # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
>> > # Instantiating module "etc_passwd" from file
>> > /etc/raddb/mods-enabled/passwd
>> > rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
>> > # Instantiating module "preprocess" from file
>> > /etc/raddb/mods-enabled/preprocess
>> > reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
>> > reading pairlist file /etc/raddb/mods-config/preprocess/hints
>> > # Instantiating module "IPASS" from file
>> /etc/raddb/mods-enabled/realm
>> > # Instantiating module "suffix" from file
>> /etc/raddb/mods-enabled/realm
>> > # Instantiating module "bangpath" from file
>> /etc/raddb/mods-enabled/realm
>> > # Instantiating module "realmpercent" from file
>> > /etc/raddb/mods-enabled/realm
>> > # Instantiating module "ntdomain" from file
>> /etc/raddb/mods-enabled/realm
>> > # Instantiating module "ldap" from file /etc/raddb/mods-enabled/ldap
>> > rlm_ldap: libldap vendor: OpenLDAP, version: 20459
>> > accounting {
>> > reference = "%{tolower:type.%{Acct-Status-Type}}"
>> > }
>> > post-auth {
>> > reference = "."
>> > }
>> > rlm_ldap (ldap): Initialising connection pool
>> > pool {
>> > start = 5
>> > min = 3
>> > max = 32
>> > spare = 10
>> > uses = 0
>> > lifetime = 0
>> > cleanup_interval = 30
>> > idle_timeout = 60
>> > retry_delay = 30
>> > spread = no
>> > }
>> > rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending
>> slots
>> > used
>> > rlm_ldap (ldap): Connecting to ldap://122.1.5.84:389
>> > rlm_ldap (ldap): Waiting for bind result...
>> > rlm_ldap (ldap): Bind successful
>> > rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending
>> slots
>> > used
>> > rlm_ldap (ldap): Connecting to ldap://122.1.5.84:389
>> > rlm_ldap (ldap): Waiting for bind result...
>> > rlm_ldap (ldap): Bind successful
>> > rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending
>> slots
>> > used
>> > rlm_ldap (ldap): Connecting to ldap://122.1.5.84:389
>> > rlm_ldap (ldap): Waiting for bind result...
>> > rlm_ldap (ldap): Bind successful
>> > rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending
>> slots
>> > used
>> > rlm_ldap (ldap): Connecting to ldap://122.1.5.84:389
>> > rlm_ldap (ldap): Waiting for bind result...
>> > rlm_ldap (ldap): Bind successful
>> > rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending
>> slots
>> > used
>> > rlm_ldap (ldap): Connecting to ldap://122.1.5.84:389
>> > rlm_ldap (ldap): Waiting for bind result...
>> > rlm_ldap (ldap): Bind successful
>> > } # modules
>> > radiusd: #### Loading Virtual Servers ####
>> > server { # from file /etc/raddb/radiusd.conf
>> > } # server
>> > server default { # from file /etc/raddb/sites-enabled/default
>> > # Loading authenticate {...}
>> > # Loading authorize {...}
>> > Ignoring "sql" (see raddb/mods-available/README.rst)
>> > # Loading preacct {...}
>> > # Loading accounting {...}
>> > # Loading post-proxy {...}
>> > # Loading post-auth {...}
>> > } # server default
>> > server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
>> > # Loading authenticate {...}
>> > # Loading authorize {...}
>> > # Loading session {...}
>> > # Loading post-proxy {...}
>> > # Loading post-auth {...}
>> > # Skipping contents of 'if' as it is always 'false' --
>> > /etc/raddb/sites-enabled/inner-tunnel:341
>> > } # server inner-tunnel
>> > radiusd: #### Opening IP addresses and Ports ####
>> > listen {
>> > type = "auth"
>> > ipaddr = *
>> > port = 0
>> > limit {
>> > max_connections = 16
>> > lifetime = 0
>> > idle_timeout = 30
>> > }
>> > }
>> > listen {
>> > type = "acct"
>> > ipaddr = *
>> > port = 0
>> > limit {
>> > max_connections = 16
>> > lifetime = 0
>> > idle_timeout = 30
>> > }
>> > }
>> > listen {
>> > type = "auth"
>> > ipv6addr = ::
>> > port = 0
>> > limit {
>> > max_connections = 16
>> > lifetime = 0
>> > idle_timeout = 30
>> > }
>> > }
>> > listen {
>> > type = "acct"
>> > ipv6addr = ::
>> > port = 0
>> > limit {
>> > max_connections = 16
>> > lifetime = 0
>> > idle_timeout = 30
>> > }
>> > }
>> > listen {
>> > type = "auth"
>> > ipaddr = 127.0.0.1
>> > port = 18120
>> > }
>> > Listening on auth address * port 1812 bound to server default
>> > Listening on acct address * port 1813 bound to server default
>> > Listening on auth address :: port 1812 bound to server default
>> > Listening on acct address :: port 1813 bound to server default
>> > Listening on auth address 127.0.0.1 port 18120 bound to server
>> inner-tunnel
>> > Listening on proxy address * port 43356
>> > Listening on proxy address :: port 50675
>> > Ready to process requests
>> > (0) Received Access-Request Id 11 from 122.1.5.84:43809 to
>> 122.1.5.84:1812
>> > length 86
>> > (0) User-Name = "krishnachaitanya"
>> > (0) User-Password = "Freeip at 1234"
>> > (0) NAS-IP-Address = 122.1.5.84
>> > (0) NAS-Port = 1812
>> > (0) Message-Authenticator = 0x9162e9e3154076ccc69ddab02d33be4e
>> > (0) # Executing section authorize from file
>> /etc/raddb/sites-enabled/default
>> > (0) authorize {
>> > (0) policy filter_username {
>> > (0) if (&User-Name) {
>> > (0) if (&User-Name) -> TRUE
>> > (0) if (&User-Name) {
>> > (0) if (&User-Name =~ / /) {
>> > (0) if (&User-Name =~ / /) -> FALSE
>> > (0) if (&User-Name =~ /@[^@]*@/ ) {
>> > (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
>> > (0) if (&User-Name =~ /\.\./ ) {
>> > (0) if (&User-Name =~ /\.\./ ) -> FALSE
>> > (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
>> {
>> > (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
>> ->
>> > FALSE
>> > (0) if (&User-Name =~ /\.$/) {
>> > (0) if (&User-Name =~ /\.$/) -> FALSE
>> > (0) if (&User-Name =~ /@\./) {
>> > (0) if (&User-Name =~ /@\./) -> FALSE
>> > (0) } # if (&User-Name) = notfound
>> > (0) } # policy filter_username = notfound
>> > (0) [preprocess] = ok
>> > (0) [chap] = noop
>> > (0) [mschap] = noop
>> > (0) [digest] = noop
>> > (0) suffix: Checking for suffix after "@"
>> > (0) suffix: No '@' in User-Name = "krishnachaitanya", looking up realm
>> NULL
>> > (0) suffix: No such realm "NULL"
>> > (0) [suffix] = noop
>> > (0) eap: No EAP-Message, not doing EAP
>> > (0) [eap] = noop
>> > (0) [files] = noop
>> > rlm_ldap (ldap): Reserved connection (0)
>> > (0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
>> > (0) ldap: --> (uid=krishnachaitanya)
>> > (0) ldap: Performing search in "O=QI-CAP.COM,CN=Certificate
>> > Authority,cn=users,cn=accounts,dc=qi-cap,uid=krishnachaitanya,dc=com"
>> with
>> > filter "(uid=krishnachaitanya)", scope "sub"
>> > (0) ldap: Waiting for search result...
>> > (0) ldap: The specified DN wasn't found
>> > (0) ldap: Search returned no results
>> > rlm_ldap (ldap): Released connection (0)
>> > Need 5 more connections to reach 10 spares
>> > rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending
>> slots
>> > used
>> > rlm_ldap (ldap): Connecting to ldap://122.1.5.84:389
>> > rlm_ldap (ldap): Waiting for bind result...
>> > rlm_ldap (ldap): Bind successful
>> > (0) [ldap] = notfound
>> > (0) if ((ok || updated) && User-Password) {
>> > (0) if ((ok || updated) && User-Password) -> FALSE
>> > (0) [expiration] = noop
>> > (0) [logintime] = noop
>> > (0) pap: WARNING: No "known good" password found for the user. Not
>> setting
>> > Auth-Type
>> > (0) pap: WARNING: Authentication will fail unless a "known good"
>> password
>> > is available
>> > (0) [pap] = noop
>> > (0) } # authorize = ok
>> > (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
>> > Reject
>> > (0) Failed to authenticate the user
>> > (0) Using Post-Auth-Type Reject
>> > (0) # Executing group from file /etc/raddb/sites-enabled/default
>> > (0) Post-Auth-Type REJECT {
>> > (0) attr_filter.access_reject: EXPAND %{User-Name}
>> > (0) attr_filter.access_reject: --> krishnachaitanya
>> > (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
>> > (0) [attr_filter.access_reject] = updated
>> > (0) [eap] = noop
>> > (0) policy remove_reply_message_if_eap {
>> > (0) if (&reply:EAP-Message && &reply:Reply-Message) {
>> > (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
>> > (0) else {
>> > (0) [noop] = noop
>> > (0) } # else = noop
>> > (0) } # policy remove_reply_message_if_eap = noop
>> > (0) } # Post-Auth-Type REJECT = updated
>> > (0) Delaying response for 1.000000 seconds
>> > Waking up in 0.1 seconds.
>> > Waking up in 0.8 seconds.
>> > (0) Sending delayed response
>> > (0) Sent Access-Reject Id 11 from 122.1.5.84:1812 to 122.1.5.84:43809
>> > length 20
>> > Waking up in 3.9 seconds.
>> > (0) Cleaning up request packet ID 11 with timestamp +10
>> > Ready to process requests
>> >
>> ============================================================================
>>
>> >
>> > *Krishna Chaitanya Ala*
>> > *Network and Operations Engineer*
>> >
>> > *QI Cap Markets LLP*
>> > *Bangalore,Karnataka*
>> > *Slack : krishna.chaitanya at qi-cap.com <krishna.chaitanya at qi-cap.com>*
>> >
>> >
>> >
>> > On Wed, 13 Jul 2022 at 15:25, Michael Schwartzkopff via
>> Freeradius-Users <
>> > freeradius-users at lists.freeradius.org> wrote:
>> >
>> >> On 13.07.22 11:52, Krishna Chaitanya wrote:
>> >>> Matthew,
>> >>> Not really,Somehow, I missed reading all of the debug report.
>> >>> I am very new to Linux and having a hard time interpreting all of the
>> >> Debug
>> >>> report.
>> >>> However, After going through the errors:
>> >>>
>> >>> 1. I can say that the username is not being used twice.Even,
>> created
>> >>> another user profile with username "krishnachaitanya" and
>> getting
>> >> the same
>> >>> error message when running the radtest.
>> >>> 2. In the next test run, modified "base_dn" details as
>> >>> 'O=QI-CAP.COM,CN=Certificate
>> >>> Authority' and the test resulted in the below error.After
>> reviewing
>> >> the
>> >>> highlighted errors, finding it confused to understand and not
>> really
>> >> sure
>> >>> the fix for these errors.As far as I know, PAP can read only
>> clear
>> >> text
>> >>> passwords and in mycase the passwords are not encrypted when
>> running
>> >> the
>> >>> radtest command as "radtest krishnachaitanya *Freeip at 1234
>> >> *122.1.5.84
>> >>> 1812 testing123" and not sure why am seeing PAP password errors.
>> >>> 3. and I am not sure why am seeing the messages "(0) ldap:
>> Waiting
>> >> for
>> >>> search result...
>> >>> (0) ldap: The specified DN wasn't found
>> >>> (0) ldap: Search returned no results" when "rlm_ldap bind is
>> >> successful".
>> >>> Is there any relation between them?
>> >>>
>> >>> *Please help!*
>> >>>
>> >>> [Ready to process requests
>> >>> (0) Received Access-Request Id 252 from 122.1.5.84:55576 to
>> >> 122.1.5.84:1812
>> >>> length 86
>> >>> (0) User-Name = "krishnachaitanya"
>> >>> (0) User-Password = "Freeip at 1234"
>> >>> (0) NAS-IP-Address = 122.1.5.84
>> >>> (0) NAS-Port = 1812
>> >>> (0) Message-Authenticator = 0x7d7802787a4d84809dbcd42a46873fe6
>> >>> (0) # Executing section authorize from file
>> >> /etc/raddb/sites-enabled/default
>> >>> (0) authorize {
>> >>> (0) policy filter_username {
>> >>> (0) if (&User-Name) {
>> >>> (0) if (&User-Name) -> TRUE
>> >>> (0) if (&User-Name) {
>> >>> (0) if (&User-Name =~ / /) {
>> >>> (0) if (&User-Name =~ / /) -> FALSE
>> >>> (0) if (&User-Name =~ /@[^@]*@/ ) {
>> >>> (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
>> >>> (0) if (&User-Name =~ /\.\./ ) {
>> >>> (0) if (&User-Name =~ /\.\./ ) -> FALSE
>> >>> (0) if ((&User-Name =~ /@/) && (&User-Name !~
>> /@(.+)\.(.+)$/)) {
>> >>> (0) if ((&User-Name =~ /@/) && (&User-Name !~
>> /@(.+)\.(.+)$/))
>> >> ->
>> >>> FALSE
>> >>> (0) if (&User-Name =~ /\.$/) {
>> >>> (0) if (&User-Name =~ /\.$/) -> FALSE
>> >>> (0) if (&User-Name =~ /@\./) {
>> >>> (0) if (&User-Name =~ /@\./) -> FALSE
>> >>> (0) } # if (&User-Name) = notfound
>> >>> (0) } # policy filter_username = notfound
>> >>> (0) [preprocess] = ok
>> >>> (0) [chap] = noop
>> >>> (0) [mschap] = noop
>> >>> (0) [digest] = noop
>> >>> (0) suffix: Checking for suffix after "@"
>> >>> (0) suffix: No '@' in User-Name = "krishnachaitanya", looking up
>> realm
>> >> NULL
>> >>> (0) suffix: No such realm "NULL"
>> >>> (0) [suffix] = noop
>> >>> (0) eap: No EAP-Message, not doing EAP
>> >>> (0) [eap] = noop
>> >>> (0) [files] = noop
>> >>> rlm_ldap (ldap): Reserved connection (0)
>> >>> (0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
>> >>> (0) ldap: --> (uid=krishnachaitanya)
>> >>> (0) ldap: Performing search in "O=QI-CAP.COM,CN=Certificate
>> Authority"
>> >> with
>> >>> filter "(uid=krishnachaitanya)", scope "sub"
>> >>> (0) ldap: Waiting for search result...
>> >>> (0) ldap: The specified DN wasn't found
>> >>> (0) ldap: Search returned no results
>> >>> rlm_ldap (ldap): Released connection (0)
>> >>> Need 5 more connections to reach 10 spares
>> >>> rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending
>> slots
>> >>> used
>> >>> rlm_ldap (ldap): Connecting to ldap://122.1.5.84:389
>> >>> rlm_ldap (ldap): Waiting for bind result...
>> >>> rlm_ldap (ldap): Bind successful
>> >>> (0) [ldap] = notfound
>> >>> (0) if ((ok || updated) && User-Password) {
>> >>> (0) if ((ok || updated) && User-Password) -> FALSE
>> >>> (0) [expiration] = noop
>> >>> (0) [logintime] = noop
>> >>> (0) pap: WARNING: No "known good" password found for the user. Not
>> >> setting
>> >>> Auth-Type
>> >>> (0) pap: WARNING: Authentication will fail unless a "known good"
>> password
>> >>> is available
>> >>> (0) [pap] = noop
>> >>> (0) } # authorize = ok
>> >>> (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type
>> =
>> >>> Reject
>> >>> (0) Failed to authenticate the user
>> >>> (0) Using Post-Auth-Type Reject
>> >>> (0) # Executing group from file /etc/raddb/sites-enabled/default
>> >>> (0) Post-Auth-Type REJECT {
>> >>> (0) attr_filter.access_reject: EXPAND %{User-Name}
>> >>> (0) attr_filter.access_reject: --> krishnachaitanya
>> >>> (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
>> >>> (0) [attr_filter.access_reject] = updated
>> >>> (0) [eap] = noop
>> >>> (0) policy remove_reply_message_if_eap {
>> >>> (0) if (&reply:EAP-Message && &reply:Reply-Message) {
>> >>> (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
>> >>> (0) else {
>> >>> (0) [noop] = noop
>> >>> (0) } # else = noop
>> >>> (0) } # policy remove_reply_message_if_eap = noop
>> >>> (0) } # Post-Auth-Type REJECT = updated
>> >>> (0) Delaying response for 1.000000 seconds
>> >>> Waking up in 0.2 seconds.
>> >>> Waking up in 0.7 seconds.
>> >>> (0) Sending delayed response
>> >>> (0) Sent Access-Reject Id 252 from 122.1.5.84:1812 to
>> 122.1.5.84:55576
>> >>> length 20
>> >>> Waking up in 3.9 seconds.
>> >>> (0) Cleaning up request packet ID 252 with timestamp +5
>> >>> Ready to process requests
>> >>>
>> >>>
>> >>> *Krishna Chaitanya Ala*
>> >>> *Network and Operations Engineer*
>> >>>
>> >>>
>> >>>
>> >>> On Fri, 8 Jul 2022 at 16:27, Matthew Newton <mcn at freeradius.org>
>> wrote:
>> >>>
>> >>>> On 08/07/2022 11:45, Krishna Chaitanya wrote:
>> >>>>> # search result
>> >>>>> search: 2
>> >>>>> result: 0 Success
>> >>>>>
>> >>>>> # numResponses: 3
>> >>>>> # numEntries: 2
>> >>>>> *(0) ldap: ERROR: Ambiguous search result, returned 2 unsorted
>> entries
>> >>>>> (should return 1 or 0). Enable sorting, or specify a more
>> restrictive
>> >>>>> base_dn, filter or scope(0) ldap: ERROR: The following entries were
>> >>>>> returned:(0) ldap: ERROR:
>> >>>>> uid=admin,cn=users,cn=compat,dc=qi-cap,dc=com(0) ldap: ERROR:
>> >>>>> uid=admin,cn=users,cn=accounts,dc=qi-cap,dc=com*
>> >>>>> rlm_ldap (ldap): Released connection (0)
>> >>>>> Need 5 more connections to reach 10 spares
>> >>>> Did you read the debug output?
>> >>>>
>> >>>> You have two users with the same uid. FreeRADIUS won't have any idea
>> >>>> which one you want.
>> >>>>
>> >>>> So you need to either not use the same username twice, or configure
>> >>>> FreeRADIUS with a more restrictive base DN so that it only finds one
>> of
>> >>>> them.
>> >>>>
>> >>>> --
>> >>>> Matthew
>> >>>> -
>> >>>> List info/subscribe/unsubscribe? See
>> >>>> http://www.freeradius.org/list/users.html
>> >>>>
>> >>> -
>> >>> List info/subscribe/unsubscribe? See
>> >> http://www.freeradius.org/list/users.html
>> >>
>> >>
>> >>
>> >> (0) ldap: Performing search in "O=QI-CAP.COM,CN=Certificate
>> Authority"
>> >> with
>> >> filter "(uid=krishnachaitanya)", scope "sub"
>> >> (0) ldap: Waiting for search result...
>> >> (0) ldap: The specified DN wasn't found
>> >> (0) ldap: Search returned no results
>> >>
>> >> The user is not found in the LDAP. Do you use uid? oder cn? Wrong part
>> of
>> >> the tree? Whif is the LDIF of your user?
>> >> Can you do a manual ldapsearch for the user?
>> >>
>> >>
>> >> Mit freundlichen Grüßen,
>> >>
>> >> --
>> >>
>> >> [*] sys4 AG
>> >>
>> >> https://sys4.de, +49 (89) 30 90 46 64
>> >> Schleißheimer Straße 26/MG,80333 München
>> >>
>> >> Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
>> >> Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
>> >> Aufsichtsratsvorsitzender: Florian Kirstein
>> >>
>> >> -
>> >> List info/subscribe/unsubscribe? See
>> >> http://www.freeradius.org/list/users.html
>> >>
>>
>> With ldapsearch you find the object in:
>>
>> dn: uid=krishnachaitanya,cn=users,cn=compat,dc=qi-cap,dc=com
>>
>>
>> FR searches in (from the logging):
>>
>> (0) ldap: Performing search in "O=QI-CAP.COM,CN=Certificate
>> Authority,cn=users,cn=accounts,dc=qi-cap,uid=krishnachaitanya,dc=com"
>> with
>> filter "(uid=krishnachaitanya)", scope "sub"
>>
>> You see the difference?
>>
>> Mit freundlichen Grüßen,
>>
>> --
>>
>> [*] sys4 AG
>>
>> https://sys4.de, +49 (89) 30 90 46 64
>> Schleißheimer Straße 26/MG,80333 München
>>
>> Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
>> Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
>> Aufsichtsratsvorsitzender: Florian Kirstein
>>
>>
More information about the Freeradius-Users
mailing list