Thanks Dustin Doris for your reply. I seem to be missing something
because I can not get it to work like you mentioned. Let me provide
some data and config info in hopes that you might be able to help
further. What I am hoping for is that it will send the profile info and
the info for the user.
For example, I am hoping to see the return attributes for jcleem/dial to
be:
radiusClientIPAddress: 172.18.5.1
radiusFramedIPNetmask: 255.255.255.0
radiusFramedProtocol: PPP
radiusFramedRouting: None
radiusServiceType: Framed-User
radiusFramedCompression: Van-Jacobson-TCP-IP
But I only get (does not include radiusClientIPAddress):
radiusFramedIPNetmask: 255.255.255.0
radiusFramedProtocol: PPP
radiusFramedRouting: None
radiusServiceType: Framed-User
radiusFramedCompression: Van-Jacobson-TCP-IP
If you need more info than what I provided below, just let me know.
--- begin ldif ---
dn: dc=multiband,dc=us
objectClass: dcObject
objectClass: organization
dc: multiband
o: Multiband

dn: ou=profiles,dc=multiband,dc=us
ou: profiles
objectClass: organizationalUnit

dn: ou=users,dc=multiband,dc=us
ou: users
objectClass: organizationalUnit

dn: ou=admins,dc=multiband,dc=us
ou: admins
objectClass: organizationalUnit

dn: uid=dial,ou=profiles,dc=multiband,dc=us
radiusFramedIPNetmask: 255.255.255.0
radiusFramedProtocol: PPP
radiusFramedRouting: None
radiusServiceType: Framed-User
uid: dial
objectClass: radiusprofile
radiusFramedCompression: Van-Jacobson-TCP-IP

dn: uid=jcleem,ou=users,dc=multiband,dc=us
uid: jcleem
objectClass: radiusprofile
mbAccountID: {65A8DC9F-14F6-4FB7-93D0-A70769154270}
mbContactID: {BA4AD34A-38B0-445C-AEA6-E00B8C4A1B81}
userPassword: xxx
radiusClientIPAddress: 172.18.5.1
radiusGroupName: dial
--- end ldif ---
--- /usr/local/sbin/radiusd -X ---
rad_recv: Access-Request packet from host 172.18.5.132:1845, id=45, length=46
User-Name = "jcleem"
User-Password = "XXX"
rad_lowerpair: User-Name now 'jcleem'
rad_rmspace_pair: User-Name now 'jcleem'
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 13
modcall[authorize]: module "preprocess" returns ok for request 13
rlm_realm: No '@' in User-Name = "jcleem", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "jcleem"
rlm_realm: Proxying request from user jcleem to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 13
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'ou=users,dc=multiband,dc=us'
radius_xlat: '(uid=jcleem)(objectclass=radiusprofile)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,dc=multiband,dc=us, with filter (uid=jcleem)(objectclass=radiusprofile)
request 78 done
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat: '(|(&(objectClass=GroupOfNames)(member=uid=jcleem,ou=users,dc=multiband,dc=us))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=jcleem,ou=users,dc=multiband,dc=us)))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,dc=multiband,dc=us, with filter (&(radiusGroupName=disabled)(|(&(objectClass=GroupOfNames)(member=uid=jcleem,ou=users,dc=multiband,dc=us))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=jcleem,ou=users,dc=multiband,dc=us))))
request 79 done
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=jcleem,ou=users,dc=multiband,dc=us, with filter (objectclass=*)
request 80 done
rlm_ldap::groupcmp: Group disabled not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'ou=users,dc=multiband,dc=us'
radius_xlat: '(|(&(objectClass=GroupOfNames)(member=uid=jcleem,ou=users,dc=multiband,dc=us))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=jcleem,ou=users,dc=multiband,dc=us)))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,dc=multiband,dc=us, with filter (&(radiusGroupName=dial)(|(&(objectClass=GroupOfNames)(member=uid=jcleem,ou=users,dc=multiband,dc=us))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=jcleem,ou=users,dc=multiband,dc=us))))
request 81 done
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=jcleem,ou=users,dc=multiband,dc=us, with filter (objectclass=*)
request 82 done
rlm_ldap::ldap_groupcmp: User found in group dial
rlm_ldap: ldap_release_conn: Release Id: 0
users: Matched entry DEFAULT at line 217
modcall[authorize]: module "files" returns ok for request 13
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jcleem
radius_xlat: '(uid=jcleem)(objectclass=radiusprofile)'
radius_xlat: 'ou=users,dc=multiband,dc=us'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,dc=multiband,dc=us, with filter (uid=jcleem)(objectclass=radiusprofile)
request 83 done
rlm_ldap: performing search in uid=dial,ou=profiles,dc=multiband,dc=us, with filter (objectclass=radiusprofile)
request 84 done
rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value Van-Jacobson-TCP-IP & op=11
rlm_ldap: Adding radiusFramedRouting as Framed-Routing, value None & op=11
rlm_ldap: Adding radiusFramedIPNetmask as Framed-IP-Netmask, value 255.255.255.0 & op=11
rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP & op=11
rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User & op=11
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user jcleem authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 13
modcall: group authorize returns ok for request 13
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 13
rlm_ldap: - authenticate
rlm_ldap: login attempt by "jcleem" with password "XXX"
rlm_ldap: user DN: uid=jcleem,ou=users,dc=multiband,dc=us
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=jcleem,ou=users,dc=multiband,dc=us/xxx to localhost:389
rlm_ldap: waiting for bind result ...
request 1 done
rlm_ldap: Bind was successful
rlm_ldap: user jcleem authenticated succesfully
modcall[authenticate]: module "ldap" returns ok for request 13
modcall: group Auth-Type returns ok for request 13
Sending Access-Accept of id 45 to 172.18.5.132:1845
Framed-Compression = Van-Jacobson-TCP-IP
Framed-Routing = None
Framed-IP-Netmask = 255.255.255.0
Framed-Protocol = PPP
Service-Type = Framed-User
Finished request 13
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 13 ID 45 with timestamp 4249ebf5
Nothing to do. Sleeping until we see a request.
--- end /usr/local/sbin/radiusd -X ---
>>
>> Not sure how to ask my next question so I will try my best. We have
>> some users who receive static IP addresses and other special attributes
>> that are unique to only that user. Then we have some who receive the
>> same attributes and attribute values as the next person. The big
>> difference is those users who receive a static IP versus a dynamic IP
>> out of the DHCP pool. It is my understanding that after LDAP has
>> verified the user it tells RADIUS all the group info. RADIUS then goes
>> through the RADIUS Groups info and tries to find the first match. Once
>> the match is found RADIUS then returns to the NAS the attributes for the
>> profile not the actual user attributes. How do I set up the servers so
>> that sometimes it returns the profile info (in the case of DHCP type
>> customers) and sometimes returns specific attributes (in the case of
>> static IP customers)?
>>
>>
>
>You can send back any reply values you want for the individual users by
>putting those entries into their ldap entry.
>
>eg:
>
>uid=somestaticuser,ou=radius,dc=yourdomain,dc=com
>objectclass: radiusprofile
>radiusgroupname: dial
>radiusgroupname: isdn
>radiusframedipaddress: 1.1.1.1
>radiusframedipnetmask: 255.255.255.252
>
>That will send back the reply attributes of framedipaddress and
>framedipnetmask for only that user.
>
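The script below is an added example, not code from the FreeRADIUS project or from either poster; it models what the radiusd -X output above and the reply describe. It parses a constructed LDIF (the dial profile and jcleem entries from the post, plus a static-IP user built from the reply's sample values somestaticuser and 1.1.1.1), resolves radiusGroupName to a profile entry in the order the debug output shows (profile first, then the user's own entry), and maps LDAP attributes onto RADIUS pairs through a subset of ldap.attrmap. The replyItem rows are exactly the mappings printed in the "Adding ... as ..." lines; Simultaneous-Use and Framed-IP-Address are stock attrmap rows; radiusClientIPAddress has no row at all, which is consistent with the log, where nothing is added after "looking for check items" and "looking for reply items". Treating op=11 as the "=" operator (add only if no such pair exists yet) and the user_first flag for a user/profile conflict are assumptions of this model, not documented module behaviour.

```python
"""Model of how rlm_ldap turns a user's entry plus its radiusGroupName
profiles into check/reply pairs. Added example, not FreeRADIUS code."""

# Constructed LDIF: the page's profile and user entries plus a static-IP
# user shaped like the one in the reply (1.1.1.1 is the reply's sample value).
SAMPLE_LDIF = """\
dn: uid=dial,ou=profiles,dc=multiband,dc=us
uid: dial
objectClass: radiusprofile
radiusFramedIPNetmask: 255.255.255.0
radiusFramedProtocol: PPP
radiusFramedRouting: None
radiusServiceType: Framed-User
radiusFramedCompression: Van-Jacobson-TCP-IP

dn: uid=jcleem,ou=users,dc=multiband,dc=us
uid: jcleem
objectClass: radiusprofile
radiusClientIPAddress: 172.18.5.1
radiusGroupName: dial

dn: uid=somestaticuser,ou=users,dc=multiband,dc=us
uid: somestaticuser
objectClass: radiusprofile
radiusGroupName: dial
radiusFramedIPAddress: 1.1.1.1
radiusFramedIPNetmask: 255.255.255.252
"""

# Subset of ldap.attrmap keyed by lower-cased LDAP attribute: the replyItem
# rows the -X output prints plus two stock rows. No row for radiusClientIPAddress.
ATTRMAP = {
    "radiussimultaneoususe":   ("checkItem", "Simultaneous-Use"),
    "radiusservicetype":       ("replyItem", "Service-Type"),
    "radiusframedprotocol":    ("replyItem", "Framed-Protocol"),
    "radiusframedipaddress":   ("replyItem", "Framed-IP-Address"),
    "radiusframedipnetmask":   ("replyItem", "Framed-IP-Netmask"),
    "radiusframedrouting":     ("replyItem", "Framed-Routing"),
    "radiusframedcompression": ("replyItem", "Framed-Compression"),
}
STRUCTURAL = {"uid", "objectclass", "userpassword", "radiusgroupname"}


def parse_ldif(text):
    """Minimal LDIF: blank-line separated 'attr: value' entries, no base64 or
    continuation lines. Names are lower-cased since LDAP ignores their case."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = entries.setdefault(value, {})
        else:
            current.setdefault(name, []).append(value)
    return entries


def find_entry(entries, base, filters):
    """One-level search under base for the single entry matching every
    (attr, value) filter; None when absent or ambiguous, as rlm_ldap treats it."""
    hits = []
    for dn, attrs in entries.items():
        if dn.partition(",")[2].lower() != base.lower():
            continue
        if all(v.lower() in [x.lower() for x in attrs.get(a.lower(), [])]
               for a, v in filters):
            hits.append(attrs)
    return hits[0] if len(hits) == 1 else None


def add_pairs(attrs, check, reply, unmapped):
    """Map one entry onto pairs with '=' semantics (assumed to be what op=11
    in the log means): add only if no pair of that name exists yet.
    Attributes without an attrmap row go to `unmapped`; the module ignores them."""
    for name, values in attrs.items():
        if name in STRUCTURAL:
            continue
        if name not in ATTRMAP:
            unmapped.add(name)
            continue
        kind, radius_attr = ATTRMAP[name]
        target = check if kind == "checkItem" else reply
        for value in values:
            target.setdefault(radius_attr, value)


def authorize(entries, uid, user_first=False,
              user_base="ou=users,dc=multiband,dc=us",
              profile_base="ou=profiles,dc=multiband,dc=us"):
    """The -X output reads the profile before the user's own entry, hence
    user_first=False; under '=' the first source wins, so the flag settles
    a user/profile conflict. Only 'reply' goes into the Access-Accept."""
    user = find_entry(entries, user_base,
                      [("uid", uid), ("objectClass", "radiusprofile")])
    if user is None:
        return None
    profiles = [p for g in user.get("radiusgroupname", [])
                if (p := find_entry(entries, profile_base,
                                    [("uid", g), ("objectClass", "radiusprofile")]))]
    sources = [user] + profiles if user_first else profiles + [user]
    check, reply, unmapped = {}, {}, set()
    for entry in sources:
        add_pairs(entry, check, reply, unmapped)
    return {"check": check, "reply": reply, "unmapped": sorted(unmapped)}
```

Running authorize(parse_ldif(SAMPLE_LDIF), "jcleem") yields the same five reply pairs as the Access-Accept in the log, with radiusclientipaddress reported as unmapped; for somestaticuser the profile pairs are joined by Framed-IP-Address 1.1.1.1, which is the effect the reply describes. On a real server an LDAP attribute reaches the Access-Accept only through a replyItem row in ldap.attrmap, and the "Adding ... as ..." line in radiusd -X is the confirmation that the row is being used; which value survives when a user entry and a profile set the same attribute should likewise be read off the -X output for the version in use rather than assumed from this model.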
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html