
Re: nas-identifier and ldap.attrmap



Old 04-18-2005
Dustin Doris
 
Default Re: nas-identifier and ldap.attrmap


> Hi
>
> Thxs for the fast reply!!
>
> Ok, user steve (the one with the Auth-Type := Local) exists only for
> testing purposes. With user-data in die local users file, the
> nas-identifier works!!!!
>
> So, I don't know why radius ignores my ldap data ...


It's not ignoring it, I think you just aren't telling it how to use it.
I'll clip some of your log below and add some comments.

>
> rad_recv: Access-Request packet from host 127.0.0.1:1055, id=0, length=200
> User-Name = "testuser"
> User-Password = "123456"
> NAS-IP-Address = 0.0.0.0
> Service-Type = Login-User
> Framed-IP-Address = 192.168.100.2
> Calling-Station-Id = "00-11-43-68-B6-C7"
> Called-Station-Id = "00-00-21-D7-27-EA"
> NAS-Identifier = "chilli"
> Acct-Session-Id = "4263b69500000000"
> NAS-Port-Type = Wireless-802.11
> NAS-Port = 0
> Message-Authenticator = 0x07bdf3d7094da860977e4a9592cf0684
> WISPr-Logoff-URL = "http://192.168.100.1:3990/logoff"


**Nas-Identifier is being sent over as chilli.

> rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 0
> users: Matched DEFAULT at 145


** line 145 is where you are matching your users file. What does that
line of your users file say?

> modcall[authorize]: module "files" returns ok for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for testuser
> radius_xlat: '(&(objectclass=myserverUser)(uid=testuser))'
> radius_xlat: 'ou=users,dc=myserver,dc=local'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to localhost:389, authentication 0
> rlm_ldap: bind as uid=radmin,ou=admin,dc=myserver,dc=local/123456 to
> localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=users,dc=myserver,dc=local, with
> filter (&(objectclass=myserverUser)(uid=testuser))
> rlm_ldap: checking if remote access for testuser is allowed by isVPNUser
> rlm_ldap: performing search in
> uid=testuser,ou=radius,dc=myserver,dc=local, with filter
> (objectclass=radiusprofile)
> rlm_ldap: Adding radiusNASIdentifier as NAS-Identifier, value vpn & op=21


** rlm_ldap found your check-item of nas-identifier = vpn.

> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding userpassword as User-Password, value 123456 & op=21
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user testuser authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for request 0
> modcall: group authorize returns ok for request 0


** You are being authorized as OK. That means that you aren't telling
freeradius what the radiusNasIdentifier needs to be.

The checkval module will check that the same nas-identifier in the packet
must match what is in ldap.

checkval {
item-name = Nas-Identifier
check-name = Nas-Identifier
data-type = string
notfound-reject = yes
}

That says that if nas-identifier in the packet is chilli, then you must
have radiusnasidentifier of chilli in ldap. Or, if nas-identifier comes
in with vpn, you must have nasidentifier of vpn in ldap. If not, reject
the user.

You then put checkval in authorize.

eg:

authorize {
stuff..
ldap
checkval
}

Hope that helps.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
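The decision logic Dustin describes, modelled as an added example (this is not FreeRADIUS code or anything from the original post): it takes the Access-Request attributes from the log above and the check item that rlm_ldap derived from radiusNASIdentifier, then applies the checkval rules he gives, matching NAS-Identifier in the packet against the check item, rejecting on mismatch, and rejecting when the check item is absent because notfound-reject = yes. The request and LDAP values are constructed samples taken from the quoted log; treating a multi-valued check item as "match any value" and returning noop when notfound-reject is off are assumptions about checkval behaviour, not something the post states.

```python
"""Model of the checkval authorize step described in the post (added example)."""

# Constructed sample: attributes from the Access-Request in the quoted log.
REQUEST = {
    "User-Name": "testuser",
    "NAS-Identifier": "chilli",
    "Calling-Station-Id": "00-11-43-68-B6-C7",
    "NAS-Port-Type": "Wireless-802.11",
}

# Constructed sample: check items rlm_ldap added from the user's radiusprofile
# entry ("Adding radiusNASIdentifier as NAS-Identifier, value vpn" in the log).
LDAP_CHECK_ITEMS = {"NAS-Identifier": ["vpn"]}

# Mirrors the checkval {} block from the post.
CHECKVAL_CONFIG = {
    "item-name": "NAS-Identifier",   # attribute looked up in the packet
    "check-name": "NAS-Identifier",  # check item looked up in the LDAP results
    "data-type": "string",
    "notfound-reject": True,
}


def checkval(request, check_items, config=CHECKVAL_CONFIG):
    """Return the module result: 'ok', 'reject' or 'noop'.

    Rules as given in the post: the packet value must equal the LDAP check
    item, otherwise reject; with notfound-reject = yes a missing check item is
    also a reject. Assumption (not in the post): a multi-valued check item
    matches if any value equals the packet value, and a missing check item
    yields noop when notfound-reject is off.
    """
    item = request.get(config["item-name"])
    values = check_items.get(config["check-name"])

    if not values:
        # Nothing in LDAP to compare against.
        return "reject" if config["notfound-reject"] else "noop"
    if item is None:
        # Packet never carried the attribute; nothing can match.
        return "reject"
    # data-type = string: compare as plain strings, case-sensitively.
    return "ok" if any(str(item) == str(v) for v in values) else "reject"


def authorize(request, ldap_check_items, config=CHECKVAL_CONFIG):
    """Walk the post's authorize { ... ldap checkval } order.

    'ldap' is represented by the check items it produced; a reject from
    checkval ends the section, which is the behaviour the user was missing
    when ldap alone returned ok.
    """
    ldap_result = "ok" if ldap_check_items is not None else "notfound"
    if ldap_result != "ok":
        return {"ldap": ldap_result, "checkval": None, "decision": "reject"}
    cv = checkval(request, ldap_check_items, config)
    return {"ldap": ldap_result, "checkval": cv,
            "decision": "reject" if cv == "reject" else "accept"}


if __name__ == "__main__":
    # The situation from the log: packet says chilli, LDAP says vpn.
    print(authorize(REQUEST, LDAP_CHECK_ITEMS))
    # Same user arriving through the NAS that LDAP permits.
    print(authorize({**REQUEST, "NAS-Identifier": "vpn"}, LDAP_CHECK_ITEMS))
```

Run as-is, the first call reports checkval = reject (chilli is not vpn), which is the outcome the poster wanted and was not getting because only ldap, which returns ok after merely loading the check item, was in authorize; the second call, with NAS-Identifier = vpn, is accepted.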