FreeRadius 3 OpenLDAP and MAC based Auth


FreeRadius 3 OpenLDAP and MAC based Auth

Jürgen Northe
Hello !

> You send an Access-Request with User-Name and User-Password
> (0) Received Access-Request Id 165 from 192.168.0.7:3437 to
>> 192.168.0.215:1812 length 241
>> (0) User-Name = "106530670342"
>> (0) User-Password = "106530670342"
> You check the user but there's no password
> (0) redundant redundant_ldap {
>> rlm_ldap (ldap1): Reserved connection (0)
>> (0) ldap1: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
>> (0) ldap1: --> (cn=106530670342)
>> (0) ldap1: Performing search in "dc=firma,dc=de" with filter
>> "(cn=106530670342)", scope "sub"
>> (0) ldap1: Waiting for search result...
>> (0) ldap1: User object found at DN
>> "cn=NBBZ1807-134,cn=4.notebooks,cn=172.17.0.0,cn=SUBNET,cn=DHCP
>> Config,dc=firma,dc=de"
>> (0) ldap1: Processing user attributes
>> (0) ldap1: WARNING: No "known good" password added. Ensure the admin user
>> has permission to read the password attribute
>> (0) ldap1: WARNING: PAP authentication will *NOT* work with Active
>> Directory (if that is what you were trying to configure)
>>
> So Access-Reject is sent

Yes, the Access-Request from the switch contains User-Name and
User-Password; both attributes contain the MAC address without hyphens.  If there is a match in LDAP the user is authorized and therefore
accepted. The Access-Reply should contain the attributes like VLAN ID.

I can see that the user is found in the directory...

(0) ldap1: Performing search in "dc=firma,dc=de" with filter "(cn=106530670342)", scope "sub"
(0) ldap1: Waiting for search result...
(0) ldap1: User object found at DN "cn=NBBZ1807-134,cn=4.notebooks,cn=172.17.0.0,cn=SUBNET,cn=DHCP Config,dc=firma,dc=de"
(0) ldap1: Processing user attributes
...
(0) } # authorize = ok

Am I wrong to say the authorization was successful?

In FR2 I had a schema for FreeRADIUS loaded in OpenLDAP. I did not find any related information about an FR3 schema for OpenLDAP, but I also tried to use the schema which I used in FR2, without any other results.

Thank you!


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRadius 3 OpenLDAP and MAC based Auth

Alan DeKok-2

On Jan 10, 2019, at 3:53 PM, Jürgen Northe <[hidden email]> wrote:
>
> Yes, the Access-Request from the switch contains User-Name and
> User-Password; both attributes contain the MAC address without hyphens.  If there is a match in LDAP the user is authorized and therefore
> accepted. The Access-Reply should contain the attributes like VLAN ID.

  That should work.

> I can see that the user is found in the directory...
>
> (0) ldap1: Performing search in "dc=firma,dc=de" with filter "(cn=106530670342)", scope "sub"
> (0) ldap1: Waiting for search result...
> (0) ldap1: User object found at DN "cn=NBBZ1807-134,cn=4.notebooks,cn=172.17.0.0,cn=SUBNET,cn=DHCP Config,dc=firma,dc=de"
> (0) ldap1: Processing user attributes
> ...
> (0) } # authorize = ok
>
> Am I wrong to say the authorization was successful?

  Maybe.  "authorized" is not always the same as "authorized with all of the configuration you want it to have".

  If you grab the latest version from GitHub: https://github.com/FreeRADIUS/freeradius-server/tree/v3.0.x

  The file raddb/mods-available/ldap contains updated comments that tell you how to run "ldapsearch".  You can run that using the configuration from the LDAP module (copy it manually to the command line).  And then fight with LDAP / ldapsearch to get it to return the correct data.

  Once that's done, convert the ldapsearch parameters back to the FR config, and it should work.

> In FR2 I had a schema for FreeRADIUS loaded in OpenLDAP. I did not find any related information about an FR3 schema for OpenLDAP, but I also tried to use the schema which I used in FR2, without any other results.

  The server comes with schemas:  doc/schemas/ldap/openldap/freeradius.ldif

  At least, that's in the git repo and the release "tar" files.  Who knows where the various package maintainers put them.

  Alan DeKok.
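A shell script, added here and not from the thread or the FreeRADIUS project, that follows the check Alan describes: it expands the ldap module's filter for the MAC User-Name seen in the debug output, prints the equivalent ldapsearch command, and inspects the returned LDIF for a readable password (the "No known good password" warning) and a VLAN attribute for the Access-Accept. The server URI, bind DN and attribute names are assumptions, and the LDIF samples are constructed.

```shell
#!/bin/sh
# Added example: mirror the ldap module's search with ldapsearch and check
# the entry it returns. Values are taken from the thread's debug output or
# are labelled assumptions; none of this is FreeRADIUS's own code.
LDAP_URI="ldap://ldap.firma.de"          # assumption: the 'server' in mods-available/ldap
LDAP_BINDDN="cn=admin,dc=firma,dc=de"    # assumption: the module's 'identity' (admin user)
LDAP_BASEDN="dc=firma,dc=de"             # base_dn seen in the debug output
MAC_USER="106530670342"                  # User-Name sent by the switch (MAC without separators)

# Expand the module's filter (cn=%{%{Stripped-User-Name}:-%{User-Name}}):
# use Stripped-User-Name when set, otherwise fall back to User-Name.
ldap_filter() {
    stripped="$1"; username="$2"
    printf '(cn=%s)' "${stripped:-$username}"
}

# The ldapsearch line to paste into a terminal (-x simple bind, -W prompts for
# the bind password). Attribute names assume the freeradius.ldif schema is loaded.
ldapsearch_cmd() {
    printf 'ldapsearch -x -H %s -D "%s" -W -b "%s" -s sub "%s" userPassword radiusTunnelPrivateGroupId\n' \
        "$LDAP_URI" "$LDAP_BINDDN" "$LDAP_BASEDN" "$(ldap_filter "" "$MAC_USER")"
}

# Check LDIF text: 0 = entry with password and VLAN attribute, 1 = no entry
# (authorize would reject), 2 = entry found but no readable password (the
# "No known good password" warning), 3 = no VLAN attribute for the reply.
check_ldif() {
    ldif="$1"
    printf '%s\n' "$ldif" | grep -q '^dn: ' || return 1
    printf '%s\n' "$ldif" | grep -qi '^userPassword:' || return 2
    printf '%s\n' "$ldif" | grep -qi '^radiusTunnelPrivateGroupId:' || return 3
    return 0
}

# Constructed LDIF resembling the thread's entry: found, but the bind user
# cannot read userPassword, so the module cannot verify the MAC "password".
LDIF_NO_PW='dn: cn=NBBZ1807-134,cn=4.notebooks,cn=172.17.0.0,cn=SUBNET,cn=DHCP Config,dc=firma,dc=de
cn: NBBZ1807-134
cn: 106530670342
radiusTunnelPrivateGroupId: 42'

# Constructed LDIF as it should look once the ACL lets the bind user read the password.
LDIF_OK="$LDIF_NO_PW
userPassword: {SSHA}placeholder-not-a-real-hash"

ldapsearch_cmd   # print the command to run by hand against the real directory
```

Pipe the real `ldapsearch` output into `check_ldif` (for example `check_ldif "$(ldapsearch ...)"`) and fix the directory ACL or attribute mapping until it returns 0 before converting the parameters back into the module config.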

