Can Post-Auth-Type REJECT log LDAP user not found
thomas
thomas.nodon at gmail.com
Mon May 19 12:07:19 UTC 2025
Hello everyone,
I have setup up a FreeRADIUS server with EAP-TTLS/PAP and OpenLDAP, the
setup works fine.
I have a question regarding Post-Auth-Type REJECT, it correctly logs Login
incorrect, but the &Module-Failure-Message is ambiguous for our needs when
it comes to troubleshooting.
I get the following log if a user types their username incorrectly :
`Login incorrect (No Auth-Type found: rejecting the user via
Post-Auth-Type = Reject): [johndo at lab.local] (from client localhost port 0
via TLS tunnel)`
Is it possible to log something along the lines of "LDAP user not found"
without making custom loglines? I believe this was possible on FreeRADIUS
2.x.x.
You can find the debug info below.
Thanks in advance !
--Thomas
(5) Received Access-Request Id 5 from 127.0.0.1:47099 to 127.0.0.1:1812
length 229
(5) User-Name = "anonymous at lab.local"
(5) NAS-IP-Address = 127.0.0.1
(5) Calling-Station-Id = "02-00-00-00-00-01"
(5) Framed-MTU = 1400
(5) NAS-Port-Type = Wireless-802.11
(5) Service-Type = Framed-User
(5) Connect-Info = "CONNECT 11Mbps 802.11b"
(5) EAP-Message =
0x02b2005315001703030048688da1ee57de5c653ec5b3ddb3fddaf954b25a2814726949f8960b9c81902198bf3054cc85cee621707608ab4bb4fecdd2dd6c1c55b33338264afb10435abffeb1198b43490adde2
(5) State = 0x5cf4dd435846c8abb4f3a6e2030e9f16
(5) Message-Authenticator = 0x161a97e6923da68704ab1e2c3048d6af
(5) Restoring &session-state
(5) &session-state:Framed-MTU = 1004
(5) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"
(5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHello"
(5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, Certificate"
(5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerKeyExchange"
(5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHelloDone"
(5) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2
Handshake, ClientKeyExchange"
(5) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2
Handshake, Finished"
(5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
ChangeCipherSpec"
(5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, Finished"
(5) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(5) &session-state:TLS-Session-Version = "TLS 1.2"
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) if !("%{User-Name}" =~ /@lab.local$/) {
(5) EXPAND %{User-Name}
(5) --> anonymous at lab.local
(5) if !("%{User-Name}" =~ /@lab.local$/) -> FALSE
(5) suffix: Checking for suffix after "@"
(5) suffix: Looking up realm "lab.local" for User-Name =
"anonymous at lab.local"
(5) suffix: Found realm "lab.local"
(5) suffix: Adding Realm = "lab.local"
(5) suffix: Authentication realm is LOCAL
(5) [suffix] = ok
(5) eap: Peer sent EAP Response (code 2) ID 178 length 83
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0x5cf4dd435846c8ab
(5) eap: Finished EAP session with state 0x5cf4dd435846c8ab
(5) eap: Previous EAP request found for state 0x5cf4dd435846c8ab, released
from the list
(5) eap: Peer sent packet with method EAP TTLS (21)
(5) eap: Calling submodule eap_ttls to process data
(5) eap_ttls: Authenticate
(5) eap_ttls: (TLS) EAP Done initial handshake
(5) eap_ttls: Session established. Proceeding to decode tunneled attributes
(5) eap_ttls: Got tunneled request
(5) eap_ttls: User-Name = "johndo at lab.local"
(5) eap_ttls: User-Password = "johndoe"
(5) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(5) eap_ttls: Sending tunneled request
(5) Virtual server inner-tunnel received request
(5) User-Name = "johndo at lab.local"
(5) User-Password = "johndoe"
(5) FreeRADIUS-Proxied-To = 127.0.0.1
(5) server inner-tunnel {
(5) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) suffix: Checking for suffix after "@"
(5) suffix: Looking up realm "lab.local" for User-Name = "johndo at lab.local"
(5) suffix: Found realm "lab.local"
(5) suffix: Adding Realm = "lab.local"
(5) suffix: Authentication realm is LOCAL
(5) [suffix] = ok
(5) update control {
(5) &Proxy-To-Realm := LOCAL
(5) } # update control = noop
(5) eap: No EAP-Message, not doing EAP
(5) [eap] = noop
(5) [expiration] = noop
(5) [logintime] = noop
rlm_ldap (ldap): Reserved connection (0)
(5) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(5) ldap: --> (uid=johndo at lab.local)
(5) ldap: Performing search in "o=univ,dc=lab,dc=local" with filter
"(uid=johndo at lab.local)", scope "sub"
(5) ldap: Waiting for search result...
(5) ldap: Search returned no results
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots
used
rlm_ldap (ldap): Connecting to ldaps://ldap.lab.local:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(5) [ldap] = notfound
(5) } # authorize = ok
(5) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
Reject
(5) Failed to authenticate the user
(5) Using Post-Auth-Type Reject
(5) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(5) Post-Auth-Type REJECT {
(5) attr_filter.access_reject: EXPAND %{User-Name}
(5) attr_filter.access_reject: --> johndo at lab.local
(5) attr_filter.access_reject: Matched entry DEFAULT at line 11
(5) [attr_filter.access_reject] = updated
(5) update outer.session-state {
(5) &Module-Failure-Message := &request:Module-Failure-Message ->
'No Auth-Type found: rejecting the user via Post-Auth-Type = Reject'
(5) } # update outer.session-state = noop
(5) } # Post-Auth-Type REJECT = updated
(5) Login incorrect (No Auth-Type found: rejecting the user via
Post-Auth-Type = Reject): [johndo at lab.local] (from client localhost port 0
via TLS tunnel)
(5) } # server inner-tunnel
(5) Virtual server sending reply
(5) eap_ttls: Got tunneled Access-Reject
(5) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module
failed
(5) eap: Sending EAP Failure (code 4) ID 178 length 4
(5) eap: Failed in EAP select
(5) [eap] = invalid
(5) } # authenticate = invalid
(5) Failed to authenticate the user
(5) Using Post-Auth-Type Reject
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) Post-Auth-Type REJECT {
(5) attr_filter.access_reject: EXPAND %{User-Name}
(5) attr_filter.access_reject: --> anonymous at lab.local
(5) attr_filter.access_reject: Matched entry DEFAULT at line 11
(5) [attr_filter.access_reject] = updated
(5) policy remove_reply_message_if_eap {
(5) if (&reply:EAP-Message && &reply:Reply-Message) {
(5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(5) else {
(5) [noop] = noop
(5) } # else = noop
(5) } # policy remove_reply_message_if_eap = noop
(5) } # Post-Auth-Type REJECT = updated
(5) Login incorrect (eap: Failed continuing EAP TTLS (21) session. EAP
sub-module failed): [anonymous at lab.local] (from client localhost port 0 cli
02-00-00-00-00-01)
(5) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(5) Sending delayed response
(5) Sent Access-Reject Id 5 from 127.0.0.1:1812 to 127.0.0.1:47099 length 44
(5) EAP-Message = 0x04b20004
(5) Message-Authenticator = 0x00000000000000000000000000000000
More information about the Freeradius-Users
mailing list