Freeradius-Users Digest, Vol 241, Issue 34

thomas thomas.nodon at gmail.com
Wed May 28 15:10:33 UTC 2025


Hello Alan,

I don't know how I missed this, but the solution to my problem was very
straightforward.

Quick recap, we have a FreeRADIUS v3.0.21 configured for EAP-TTLS/PAP
with OpenLDAP.

I had an issue where, if a user misspelled their username, ldap could
not find the user and thus didn't return a "known good" for pap,
resulting in

        ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject

This message was then logged to radius.log because we use auth = yes
in radius.conf for logging (no custom linelogs for us), and it made
troubleshooting longer than it needed to be.

We wanted to log a custom message in the inner-tunnel Post-Auth-Type
Reject, if ldap returned notfound.

I added the following to our inner-tunnel authorize stanza; it turns out
I just had to update &request:Module-Failure-Message with my
message.

        # "-ldap": call the module but don't let a fail return code abort the section
        -ldap
        if (notfound) {
                # the list qualifier on the attribute selects the request list,
                # so this writes to the request list regardless of the update target
                update control {
                        &request:Module-Failure-Message := "[ldap] user not found"
                }
        }

Now I get the custom message when a user tries to log in with a wrong
username, without any custom linelogs or extra outputs to the
radius.log file.

        Login incorrect ([ldap] user not found): [johndo at lab.local] (from client localhost port 0 cli 02-00-00-00-00-01 via TLS tunnel)

Thanks for the tip!
Thomas
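The same idea carried one step further, as an added example (not Thomas's or the FreeRADIUS project's own configuration): an inner-tunnel authorize fragment that tells a directory lookup failure apart from a missing user, so that an LDAP outage and a misspelled username produce different text in the `auth = yes` log line. It assumes FreeRADIUS v3 unlang, that `-ldap` leaves the module's return code visible to the condition that follows it, and that the section otherwise falls through to `pap` as in the thread.

```unlang
authorize {
        # ... filter_username, eap, etc. as in the stock inner-tunnel ...

        # Prefix "-" so a fail return code does not abort the section;
        # the return code is still available to the conditions below.
        -ldap

        if (notfound) {
                # Misspelled or unknown user: no "known good" password
                # will be set, so Post-Auth-Type Reject runs later.
                # Module-Failure-Message ends up in the "Login incorrect" line.
                update request {
                        &Module-Failure-Message := "[ldap] user not found"
                }
        }
        elsif (fail) {
                # Directory unreachable or query error: distinct message so an
                # outage is not misread as a run of bad usernames, then reject
                # explicitly rather than relying on the missing Auth-Type.
                update request {
                        &Module-Failure-Message := "[ldap] directory lookup failed (hypothetical wording)"
                }
                reject
        }

        # With a password returned by ldap, pap sets Auth-Type := PAP
        pap
}
```

With `auth = yes`, both messages surface in radius.log as `Login incorrect (<Module-Failure-Message>): [user] (...)`, which is what lets an operator distinguish the two cases without a separate linelog.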

On Wed, May 28, 2025 at 2:00 PM
<freeradius-users-request at lists.freeradius.org> wrote:
>
> Message: 1
> Date: Tue, 27 May 2025 13:14:00 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: LDAP and module messages
> Message-ID: <D812D7AD-AB1F-4511-A528-C941750391D8 at deployingradius.com>
> Content-Type: text/plain;       charset=utf-8
>
> On May 27, 2025, at 11:15 AM, thomas <thomas.nodon at gmail.com> wrote:
> > I believe in v2, it was due to our config, which set Auth-Type to
> > ldap, and since it failed to retrieve a non existent user from ldap it
> > would log the ldap failure error.
> >
> > For our new config, we refrained from setting the Auth-Type to ldap as
> > recommended by the documentation.
>
>   In most cases, the LDAP server can be queried, and can return the password to FreeRADIUS.
>
>   If the LDAP server can't (or won't) do that, then you have to set Auth-Type to LDAP.
>
> > I could not find which attribute/variable to update with my message,
> > since there is no failure in the authorize stanza.
>
>   You can add an attribute to raddb/dictionary, and then set a value in an "update" section.
>
> > For now I have made the following linelog.
> >
> >        linelog log_ldap_user_notfound {
> >                filename = ${logdir}/radius.log
> >                permissions = 0640
> >                format = "%t : Login incorrect: (ldap: user %{User-Name} not found) Client-Mac = %{Calling-Station-Id}"
> >        }
> >
> > And added the following in the authorize stanza after ldap.
> >
> >      ldap
> >      if (notfound){
> >              log_ldap_user_notfound
> >      }
>
>   That works, too.
>
> > But this outputs an extra line in the radius.log since we use auth
> > = yes in radius.conf.
> >
> > If there is a better way to do this, let me know; in the meantime, if I find
> > a better solution I will post it to the mailing list.
>
>   See raddb/radiusd.conf, and the "log" section.  You can edit the "msg_goodpass" configuration item to include more text, or another attribute.
>
>   Alan DeKok.
>
>
>