FreeRadius 3 OpenLDAP and MAC based Auth


FreeRadius 3 OpenLDAP and MAC based Auth

Jürgen Northe
Hi folks,
I already have a running environment with Freeradius2 + OpenLDAP to provide a simple NAC solution, but now it's time to set up a replacement with version 3.

So far everything is working but somehow the "authorize" of the client is not "processed". Compared with the version 2, I am missing the
rlm_ldap: radiusAuthType -> Auth-Type == Accept
along with the other attributes stored in the directory.
I do have the dictionary_mapping file and the entries in the enabled ldap module. I have been fighting with this issue the whole day but can't even find a hint in the running environment.
The laptop exists in LDAP (bind ok, object can be found) and has the usual radius attributes like Tunnel-Private-Group-Id set, as the LDAP database is restored from the running one.

With the following statement in default, I do get an "Accept", but still missing the required attributes like tunnel-type and all the others.

###
redundant_ldap {
    ok = return
}

if (!ok) {
    reject
}
else {
    update control {
        Auth-Type := Accept
    }
}



radiusd -X
(1) Received Access-Request Id 186 from 192.168.0.7:3437 to 192.168.0.215:1812 length 240
(1) User-Name = "106530670342"
(1) User-Password = "106530670342"
(1) NAS-IP-Address = 192.168.0.7
(1) NAS-Identifier = "SWSG1AP1-7-v161121"
(1) NAS-Port = 16879715
(1) NAS-Port-Id = "slot=1;subslot=0;port=25;vlanid=99"
(1) NAS-Port-Type = Ethernet
(1) Service-Type = Call-Check
(1) Framed-Protocol = PPP
(1) Calling-Station-Id = "10-65-30-67-03-42"
(1) Acct-Session-Id = "10101121726a6010"
(1) Huawei-Connect-ID = 675841
(1) Huawei-Product-ID = "H3C S5120-52C-EI"
(1) Huawei-Startup-Stamp = 956750420
(1) Attr-26.43.230 = 0x4769676162697445746865726e6574312f302f3235
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) policy rewrite_calling_station_id {
(1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(1) update request {
(1) EXPAND %{toupper:%{1}%{2}%{3}%{4}%{5}%{6}}
(1) --> 106530670342
(1) &Calling-Station-Id := 106530670342
(1) } # update request = noop
(1) [updated] = updated
(1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(1) ... skipping else: Preceding "if" was taken
(1) } # policy rewrite_calling_station_id = updated
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "106530670342", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: No EAP-Message, not doing EAP
(1) [eap] = noop
(1) files: users: Matched entry DEFAULT at line 195
(1) [files] = ok
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(1) pap: WARNING: Authentication will fail unless a "known good" password is available
(1) [pap] = noop
(1) redundant redundant_ldap {
rlm_ldap (ldap1): Reserved connection (1)
(1) ldap1: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
(1) ldap1: --> (cn=106530670342)
(1) ldap1: Performing search in "dc=firma,dc=de" with filter "(cn=106530670342)", scope "sub"
(1) ldap1: Waiting for search result...
(1) ldap1: User object found at DN "cn=NBBZ1807-134,cn=4.notebooks,cn=172.17.0.0,cn=SUBNET,cn=DHCP Config,dc=firma,dc=de"
rlm_ldap (ldap1): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_ldap (ldap1): Opening additional connection (6), 1 of 26 pending slots used
rlm_ldap (ldap1): Connecting to ldap://radldap1-215:389
TLSMC: MozNSS compatibility interception begins.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
rlm_ldap (ldap1): Waiting for bind result...
rlm_ldap (ldap1): Bind successful
(1) [ldap1] = ok
(1) } # redundant redundant_ldap = ok
(1) } # authorize = ok
(1) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject: --> 106530670342
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1) [attr_filter.access_reject] = updated
(1) [eap] = noop
(1) policy remove_reply_message_if_eap {
(1) if (&reply:EAP-Message && &reply:Reply-Message) {
(1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(1) else {
(1) [noop] = noop
(1) } # else = noop
(1) } # policy remove_reply_message_if_eap = noop
(1) } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRadius 3 OpenLDAP and MAC based Auth

Alan DeKok-2
On Jan 4, 2019, at 2:35 AM, Jürgen Northe <[hidden email]> wrote:
>
> I have already a running environment with Freeradius2 + OpenLDAP to provide a simple NAC solution but now its time to setup a replacement with version 3.

  Did you follow the instructions in raddb/README.rst?  There is detailed documentation on how to upgrade.

> So far everything is working but somehow the "authorize" of the client is not "processed". Compared with the version 2, I am missing the
> rlm_ldap: radiusAuthType -> Auth-Type == Accept
> along with the other attributes stored in the directory.

  What did you change?  The default configuration works, and returns all attributes it finds in LDAP.

  And what information is in LDAP?

> I do have the dictionary_mapping file and the entries in the enabled ldap module

  There is no "dictionary_mapping" file in the LDAP module configuration for v3.  This is one thing that changed...

  You can't just copy your v2 configuration to v3, and expect it to work.  That's what major version number changes mean... the configurations are *not* 100% compatible.

> . I have been fighting with this issue the whole day but can't even find a hint in the running environment.
> The laptop exists in LDAP (bind ok, object can be found) and has the usual radius attributes like Tunnel-Private-Group-Id set, as the LDAP database is restored from the running one.
>
> With the following statement in default, I do get an "Accept", but still missing the required attributes like tunnel-type and all the others.

  You're making random changes without really understanding what's going on.  That's not going to work.

> radiusd -X
> (1) Received Access-Request Id 186 from 192.168.0.7:3437 to 192.168.0.215:1812 length 240

  No, that's an *edited* version of the debug output.  You've deleted information which may be important.  Don't do that.

  Alan DeKok.
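As an added illustration (not part of either message in this thread): in v3 the attribute mapping that v2 kept in ldap.attrmap lives in the `update` section of the ldap module in mods-available/ldap, which is why the v2 "radiusAuthType -> Auth-Type" line no longer appears unless that mapping is configured. The LDAP attribute names below are those of the freeradius.schema shipped with the server; the server address, base DN, module instance name and the `redundant_ldap` group are taken from the debug output and snippet above, and the assumption is that `redundant_ldap` is already defined as a redundant group around `ldap1`.

```unlang
# mods-available/ldap (v3): the former ldap.attrmap lines become an update section
ldap ldap1 {
    server  = 'ldap://radldap1-215:389'
    base_dn = 'dc=firma,dc=de'

    user {
        base_dn = "${..base_dn}"
        # same lookup as in the debug output: the MAC is the User-Name
        filter  = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    update {
        # v2: "checkItem Auth-Type radiusAuthType"
        control:Auth-Type             := 'radiusAuthType'
        # v2: replyItem lines for the tunnel attributes the NAS needs
        reply:Tunnel-Type             := 'radiusTunnelType'
        reply:Tunnel-Medium-Type      := 'radiusTunnelMediumType'
        reply:Tunnel-Private-Group-Id := 'radiusTunnelPrivateGroupId'
        # generic "Attribute op Value" strings stored in the directory
        control:                      += 'radiusControlAttribute'
        reply:                        += 'radiusReplyAttribute'
    }
}

# sites-enabled/default, authorize section: for MAC auth the password is
# the MAC itself, so accept only when the object was found in LDAP
authorize {
    preprocess
    redundant_ldap
    if (ok || updated) {
        update control {
            Auth-Type := Accept
        }
    }
    else {
        reject
    }
}
```

With the mapping in place the reply list carries the tunnel attributes from the directory, and `radiusd -X` shows them in the Access-Accept rather than only the bare Auth-Type override.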
