Hi all,

Currently using FR for PEAP authentication, with LDAP
as the user database.

I'm trying to do the following setup: certain APs only
allow a selected group of users (determined by LDAP
group) access and deny everyone else, while other APs
allow all valid users.

I'm using CVS snapshot 20040319, with RH 9.


My huntgroups file,

RestrictedAP    NAS-IP-Address == 10.1.22.220


My users file,

DEFAULT Ldap-Group == "cn=JKR,o=Office",
Huntgroup-Name == RestrictedAP
        Fall-Through = no

DEFAULT Huntgroup-Name != RestrictedAP
        Fall-Through = no

DEFAULT Auth-Type := Reject


When users connect to an AP belonging to RestrictedAP,
those users who belong to LDAP group "cn=JKR,o=Office"
are correctly matched to the first DEFAULT entry. But
other users get matched to the 2nd DEFAULT entry
instead of being rejected. Did I misconfigure
something?


Following is the connection log for a user not belonging
to the LDAP group; I only include the first RADIUS
packet to keep this post short. What is interesting is
that there are 2 huntgroups match statements, while for
users in the LDAP group there is only 1 huntgroups match
statement.

rad_recv: Access-Request packet from host 10.1.22.220:6001, id=177, length=131
        User-Name = "lasuser"
        NAS-IP-Address = 10.1.22.220
        Called-Station-Id = "4a-db-93"
        Calling-Station-Id = "1c-08-e7"
        NAS-Identifier = "AP03"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0202000c016c617375736572
        Message-Authenticator = 0xfe444a0ed5bd0c4ae0c0967bd6ea8ebe
rad_lowerpair:  User-Name now 'lasuser'
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 11
  modcall[authorize]: module "preprocess" returns ok for request 11
  modcall[authorize]: module "mschap" returns noop for request 11
    rlm_realm: No '@' in User-Name = "lasuser", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 11
  rlm_eap: EAP packet type response id 2 length 12
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 11
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'o=Office'
radius_xlat:  '(uid=lasuser)'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=Office, with filter (uid=lasuser)
ldap_release_conn: Release Id: 0
radius_xlat:  '(|(&(objectClass=GroupOfNames)(member=uid=lasuser,o=Office))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=lasuser,o=Office)))'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=JKR,o=Office, with filter (|(&(objectClass=GroupOfNames)(member=uid=lasuser,o=Office))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=lasuser,o=Office)))
rlm_ldap: object not found or got ambiguous search result
ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group cn=JKR,o=Office not found or user is not a member.
  huntgroups: Matched RestrictedAP at 1
  huntgroups: Matched RestrictedAP at 1
    users: Matched DEFAULT at 4
  modcall[authorize]: module "files" returns ok for request 11
rlm_ldap: - authorize
rlm_ldap: performing user authorization for lasuser
radius_xlat:  '(uid=lasuser)'
radius_xlat:  'o=Office'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=Office, with filter (uid=lasuser)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value 0x & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user lasuser authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 11
modcall: group authorize returns updated for request 11
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 11
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 11
modcall: group authenticate returns handled for request 11
Sending Access-Challenge of id 177 to 10.1.22.220:6001
        EAP-Message = 0x010300060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x8f451a390dc47f214d4bda0214f50ba8
Finished request 11
Going to the next request


I can provide more info if needed.

Any help greatly appreciated.
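The policy the users file above is meant to express, modelled as an added Python example (not part of the original post and not FreeRADIUS code): entries are tried in file order, the first one whose check items all pass wins unless it sets Fall-Through = yes, and Huntgroup-Name is resolved through the huntgroups file. The LDAP membership table, the user name "jkruser" and the second NAS address are constructed assumptions; for the non-member user on the restricted AP the model reaches the Reject entry, which is the outcome the post reports not getting.

```python
# Model of the intended users-file evaluation for the policy in the post.
# Constructed example; not FreeRADIUS code. Operators supported: == and !=.

HUNTGROUPS = {"RestrictedAP": {"10.1.22.220"}}  # from the huntgroups file

# Users-file entries in file order: (check items, reply items).
USERS = [
    ([("Ldap-Group", "==", "cn=JKR,o=Office"),
      ("Huntgroup-Name", "==", "RestrictedAP")], {"Fall-Through": "no"}),
    ([("Huntgroup-Name", "!=", "RestrictedAP")], {"Fall-Through": "no"}),
    ([], {"Auth-Type": "Reject"}),
]

# Assumed LDAP group membership (constructed sample data).
LDAP_MEMBERS = {"cn=JKR,o=Office": {"jkruser"}}


def huntgroup_matches(name, request):
    """Huntgroup-Name is virtual: true when the NAS is listed in that huntgroup."""
    return request.get("NAS-IP-Address") in HUNTGROUPS.get(name, set())


def check_item_passes(attr, op, value, request):
    """Evaluate one check item; != is the negation of the == result."""
    if attr == "Huntgroup-Name":
        result = huntgroup_matches(value, request)
    elif attr == "Ldap-Group":
        result = request["User-Name"] in LDAP_MEMBERS.get(value, set())
    else:
        result = request.get(attr) == value
    return result if op == "==" else not result


def evaluate(request):
    """Walk entries in order; stop at the first match unless Fall-Through = yes.
    Returns (index of the last matched entry or None, accumulated reply items)."""
    reply, matched = {}, None
    for idx, (checks, replies) in enumerate(USERS):
        if all(check_item_passes(a, o, v, request) for a, o, v in checks):
            matched = idx
            reply.update(replies)
            if replies.get("Fall-Through", "no") != "yes":
                break
    return matched, reply


def decision(request):
    """'reject' when the matched entry forces Auth-Type := Reject, else 'proceed' (EAP continues)."""
    _, reply = evaluate(request)
    return "reject" if reply.get("Auth-Type") == "Reject" else "proceed"
```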
