Freeradius Upgrade from 3.0.1 to 3.2.2
Steven Walters
steven.walters1 at gmail.com
Tue Feb 21 21:47:05 UTC 2023
Hi
I am in the process of upgrading our radius servers but have one issue
outstanding.
Basically we receive in the radius request from mobile an MSISDN. We then go
do a lookup to find the username on LDAP matching the MSISDN.
In the old version everything works fine but after upgrading the radius
responds with access rejection even though MSISDN finds a username on LDAP.
Below are extracts from the mobile virtual server file and ldap file.
mobile virtual server:

    # The ldap module reads passwords from the LDAP database.
    -ldap-mobile
    if (!ok) {
        reject
    }

ldap:

    user {
        # Where to start searching in the tree for users
        base_dn = "${..base_dn}"

        # Filter for user objects, should be specific enough
        # to identify a single user object.
        #filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        #filter = "(mobileradiusCallingStationId=%{Calling-Station-Id})"
        filter = "(&(mobileradiusCallingStationId=%{Calling-Station-Id})(status=10100))"
    }
Below is debug from version 3.0.1
rlm_ldap (ldap-mobile): Reserved connection (11)
(9) ldap-mobile : expand: "(&(mobileradiusCallingStationId=%{Calling-Station-Id})(status=10100))" -> '(&(mobileradiusCallingStationId=27671946862)(status=10100))'
(9) ldap-mobile : expand: "cn=radius,ou=isp" -> 'cn=radius,ou=isp'
(9) ldap-mobile : Performing search in 'cn=radius,ou=isp' with filter '(&(mobileradiusCallingStationId=27671946862)(status=10100))'
(9) ldap-mobile : Waiting for search result...
(9) ldap-mobile : User object found at DN "uid=onyebilanma at telkomsa.net,cn=radius,ou=isp"
(9) ldap-mobile : Processing user attributes
(9) ldap-mobile : reply:User-Name := 'onyebilanma at telkomsa.net'
(9) ldap-mobile : control:User-Name := 'onyebilanma at telkomsa.net'
rlm_ldap (ldap-mobile): Released connection (11)
rlm_ldap (ldap-mobile): Opening additional connection (12)
rlm_ldap (ldap-mobile): Connecting to 10.146.46.133:389
TLSMC: MozNSS compatibility interception begins.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
rlm_ldap (ldap-mobile): Waiting for bind result...
rlm_ldap (ldap-mobile): Bind successful
(9) [-ldap-mobile] = ok
(9) ? if (!ok)
(9) ? if (!ok) -> FALSE
(9) } # authorize = ok
(9) Found Auth-Type = Accept
(9) Auth-Type = Accept, accepting the user
(9) Login OK: [27671946862] (from client 105.187.248.220 port 0 cli 27671946862)
(9) # Executing section post-auth from file /etc/raddb/sites-enabled/mobile
(9) post-auth {
(9) [exec] = noop
(9) remove_reply_message_if_eap remove_reply_message_if_eap {
(9) ? if (reply:EAP-Message && reply:Reply-Message)
(9) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE
(9) else else {
(9) [noop] = noop
(9) } # else else = noop
(9) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(9) update reply {
(9) Acct-Interim-Interval = 14400
(9) } # update reply = noop
(9) } # post-auth = noop
Sending Access-Accept of id 134 from 10.146.44.71 port 1812 to 105.187.248.220 port 4017
User-Name = 'onyebilanma at telkomsa.net'
Acct-Interim-Interval = 14400
Below is debug from version 3.2.2
rlm_ldap (ldap-mobile): Reserved connection (2)
(5) ldap-mobile: EXPAND (&(mobileradiusCallingStationId=%{Calling-Station-Id})(status=10100))
(5) ldap-mobile:    --> (&(mobileradiusCallingStationId=27659066168)(status=10100))
(5) ldap-mobile: Performing search in "cn=radius,ou=isp" with filter "(&(mobileradiusCallingStationId=27659066168)(status=10100))", scope "sub"
(5) ldap-mobile: Waiting for search result...
(5) ldap-mobile: User object found at DN "uid=ahmed.elhefnawy at telkomsa.net,cn=radius,ou=isp"
(5) ldap-mobile: Processing user attributes
(5) ldap-mobile: reply:User-Name := 'ahmed.elhefnawy at telkomsa.net'
(5) ldap-mobile: control:User-Name := 'ahmed.elhefnawy at telkomsa.net'
rlm_ldap (ldap-mobile): Released connection (2)
Need 4 more connections to reach min connections (8)
Need more connections to reach 16 spares
rlm_ldap (ldap-mobile): Opening additional connection (9), 1 of 28 pending slots used
rlm_ldap (ldap-mobile): Connecting to ldap://10.146.46.133:389
rlm_ldap (ldap-mobile): Waiting for bind result...
rlm_ldap (ldap-mobile): Bind successful
(5) [ldap-mobile] = updated
(5) if (!ok) {
(5) if (!ok) -> TRUE
(5) if (!ok) {
(5) [reject] = reject
(5) } # if (!ok) = reject
(5) } # authorize = reject
(5) Invalid user: [27659066168] (from client 105.187.248.220 port 0 cli 27659066168)
(5) Using Post-Auth-Type Reject
(5) # Executing group from file /etc/raddb/sites-enabled/mobile
(5) Post-Auth-Type REJECT {
(5) policy remove_reply_message_if_eap {
(5) if (&reply:EAP-Message && &reply:Reply-Message) {
(5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(5) else {
(5) [noop] = noop
(5) } # else = noop
(5) } # policy remove_reply_message_if_eap = noop
(5) } # Post-Auth-Type REJECT = noop
(5) Login incorrect: [27659066168] (from client 105.187.248.220 port 0 cli 27659066168)
(5) Delaying response for 2.000000 seconds
Any advice would be appreciated.
Regards
Steven
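The two debug traces above differ in the module return code: 3.0.1 reports "[-ldap-mobile] = ok", while 3.2.2 reports "[ldap-mobile] = updated" (the module wrote control:User-Name and reply:User-Name), so "if (!ok)" now evaluates TRUE and the request is rejected. Below is an added unlang fragment, not the poster's own configuration, that treats both codes as a successful lookup; it assumes the rest of the authorize section is left as posted.

```unlang
authorize {
    # Look the user up by Calling-Station-Id using the filter in the
    # posted ldap module config. The leading "-" means a missing module
    # does not stop the server from starting.
    -ldap-mobile

    # rlm_ldap returns "updated" instead of "ok" when it sets control: or
    # reply: attributes, which is what the 3.2.2 debug output shows.
    # Only reject when the lookup produced neither success code
    # (notfound, fail, reject and the others all end up here).
    if (!ok && !updated) {
        reject
    }

    # ... remainder of the section unchanged (assumption: not shown in the post)
}
```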