>Please post radiusd -X output. Specifically the part on ldap searches and
>where the USERS file is matched.
Relevant part of radiusd -X (auth is successful and group correct):

rad_recv: Access-Request packet from host 10.250.3.1:56020, id=246, length=188
        NAS-Identifier = "radiowavetest.radiowave.net"
        NAS-Port = 0
        NAS-Port-Type = Virtual
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = "10.4.230.10"
        User-Name = "[EMAIL PROTECTED]"
        MS-CHAP-Challenge = 0xbb1e683a0647bf82fa842f8dddd0407f
        MS-CHAP2-Response = 0x010056f2af227579756f984ce333919c80660000000000000000e2af48d7ffc1f099a96315810b76b801aa3270f18e3b7016
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'o=clients,dc=radiowave,dc=net'
radius_xlat: '([EMAIL PROTECTED])'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=clients,dc=radiowave,dc=net, with filter ([EMAIL PROTECTED])
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat: '([EMAIL PROTECTED],vd=radiowave.net,o=clients,dc=radiowave,dc=net)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=clients,dc=radiowave,dc=net, with filter (&(radiusGroupName=lisdoonvarna)([EMAIL PROTECTED],vd=radiowave.net,o=clients,dc=radiowave,dc=net))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in [EMAIL PROTECTED],vd=radiowave.net,o=clients,dc=radiowave,dc=net, with filter (objectclass=*)
rlm_ldap::groupcmp: Group lisdoonvarna not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'o=clients,dc=radiowave,dc=net'
radius_xlat: '([EMAIL PROTECTED],vd=radiowave.net,o=clients,dc=radiowave,dc=net)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=clients,dc=radiowave,dc=net, with filter (&(radiusGroupName=ballyvaughan)([EMAIL PROTECTED],vd=radiowave.net,o=clients,dc=radiowave,dc=net))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in [EMAIL PROTECTED],vd=radiowave.net,o=clients,dc=radiowave,dc=net, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: User found in group ballyvaughan
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 10
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'o=clients,dc=radiowave,dc=net'
radius_xlat: '([EMAIL PROTECTED],vd=radiowave.net,o=clients,dc=radiowave,dc=net)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=clients,dc=radiowave,dc=net, with filter (&(radiusGroupName=doolin)([EMAIL PROTECTED],vd=radiowave.net,o=clients,dc=radiowave,dc=net))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in [EMAIL PROTECTED],vd=radiowave.net,o=clients,dc=radiowave,dc=net, with filter (objectclass=*)
rlm_ldap::groupcmp: Group doolin not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'o=clients,dc=radiowave,dc=net'
radius_xlat: '([EMAIL PROTECTED],vd=radiowave.net,o=clients,dc=radiowave,dc=net)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=clients,dc=radiowave,dc=net, with filter (&(radiusGroupName=fanore)([EMAIL PROTECTED],vd=radiowave.net,o=clients,dc=radiowave,dc=net))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in [EMAIL PROTECTED],vd=radiowave.net,o=clients,dc=radiowave,dc=net, with filter (objectclass=*)
rlm_ldap::groupcmp: Group fanore not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 32
  modcall[authorize]: module "files" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type = MS-CHAP'
  modcall[authorize]: module "mschap" returns ok for request 2
modcall: entering group redundant for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for [EMAIL PROTECTED]
radius_xlat: '([EMAIL PROTECTED])'
radius_xlat: 'o=clients,dc=radiowave,dc=net'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=clients,dc=radiowave,dc=net, with filter ([EMAIL PROTECTED])
rlm_ldap: checking if remote access for [EMAIL PROTECTED] is allowed by dialupAccess
rlm_ldap: Added password porsche914 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as user-Password, value porsche914 & op=21
rlm_ldap: Adding userPassword as ntPassword, value porsche914 & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusLoginIPHost as Login-IP-Host, value 10.4.230.10 & op=11
rlm_ldap: Adding radiusFramedIPAddress as Framed-IP-Address, value 10.4.230.10 & op=11
rlm_ldap: Adding userPassword as NT-Password, value porsche914 & op=11
rlm_ldap: user [EMAIL PROTECTED] authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap1" returns ok for request 2
modcall: group redundant returns ok for request 2
modcall: group authorize returns ok for request 2
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 2
  rlm_mschap: Told to do MS-CHAPv2 for [EMAIL PROTECTED] with NT-Password
  rlm_mschap: adding MS-CHAPv2 MPPE keys
  modcall[authenticate]: module "mschap" returns ok for request 2
modcall: group Auth-Type returns ok for request 2
Login OK: [EMAIL PROTECTED]/<no User-Password attribute>] (from client ballyvaughan port 0 cli 10.4.230.10)
Sending Access-Accept of id 246 to 10.250.3.1:56020
        Login-IP-Host = 10.4.230.10
        Framed-IP-Address = 10.4.230.10
        MS-CHAP2-Success = 0x01533d38464139373542414538393644464138354145354135344141374644444641393435324643383441
        MS-MPPE-Recv-Key = 0x3bcd403b3f6078fe1546117459804a4c
        MS-MPPE-Send-Key = 0x011615d1235ce2ebd4b61746892c7c0e
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Accounting-Request packet from host 10.250.3.1:58589, id=109, length=156
        NAS-Identifier = "radiowavetest.radiowave.net"
        NAS-Port = 0
        NAS-Port-Type = Virtual
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = "10.4.230.10"
        User-Name = "[EMAIL PROTECTED]"
        Framed-IP-Address = 10.250.4.16
        Acct-Status-Type = Start
        Acct-Session-Id = "6538373-pt0"
        Acct-Multi-Session-Id = "6538373-pt0"
        Acct-Link-Count = 1
        Acct-Authentic = RADIUS
  Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 3
  modcall[preacct]: module "preprocess" returns noop for request 3
    rlm_realm: Looking up realm "radiowave.net" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: No such realm "radiowave.net"
  modcall[preacct]: module "suffix" returns noop for request 3
  modcall[preacct]: module "files" returns noop for request 3
modcall: group preacct returns noop for request 3
  Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 3
rlm_acct_unique: WARNING: Attribute NAS-Port-Id was not found in request, unique ID MAY be inconsistent
rlm_acct_unique: Hashing ',Client-IP-Address = 10.250.3.1,NAS-IP-Address = 10.250.3.1,Acct-Session-Id = "6538373-pt0",User-Name = "[EMAIL PROTECTED]"'
rlm_acct_unique: Acct-Unique-Session-ID = "fe9ce4dd0d0d52c4".
(auth is successful but group does not exist):

rad_recv: Access-Request packet from host 10.250.3.1:60780, id=53, length=188
        NAS-Identifier = "radiowavetest.radiowave.net"
        NAS-Port = 0
        NAS-Port-Type = Virtual
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = "10.4.230.10"
        User-Name = "[EMAIL PROTECTED]"
        MS-CHAP-Challenge = 0xbb1e6896e761f32d9a6c7ac81451a974
        MS-CHAP2-Response = 0x01008ffd28c28741bdca50c3f4aa47c148ca00000000000000000b798d8e8c645e4eedecb42290684d221e8ef2a92b4527e6
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'o=clients,dc=radiowave,dc=net'
radius_xlat: '([EMAIL PROTECTED])'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.250.3.204:389, authentication 0
rlm_ldap: bind as cn=manager,dc=radiowave,dc=net/23ldap11safe to 10.250.3.204:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=clients,dc=radiowave,dc=net, with filter ([EMAIL PROTECTED])
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat: '([EMAIL PROTECTED],vd=radiowave.net,o=clients,dc=radiowave,dc=net)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=clients,dc=radiowave,dc=net, with filter (&(radiusGroupName=lisdoonvarna)([EMAIL PROTECTED],vd=radiowave.net,o=clients,dc=radiowave,dc=net))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in [EMAIL PROTECTED],vd=radiowave.net,o=clients,dc=radiowave,dc=net, with filter (objectclass=*)
rlm_ldap::groupcmp: Group lisdoonvarna not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'o=clients,dc=radiowave,dc=net'
radius_xlat: '([EMAIL PROTECTED],vd=radiowave.net,o=clients,dc=radiowave,dc=net)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=clients,dc=radiowave,dc=net, with filter (&(radiusGroupName=doolin)([EMAIL PROTECTED],vd=radiowave.net,o=clients,dc=radiowave,dc=net))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in [EMAIL PROTECTED],vd=radiowave.net,o=clients,dc=radiowave,dc=net, with filter (objectclass=*)
rlm_ldap::groupcmp: Group doolin not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'o=clients,dc=radiowave,dc=net'
radius_xlat: '([EMAIL PROTECTED],vd=radiowave.net,o=clients,dc=radiowave,dc=net)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=clients,dc=radiowave,dc=net, with filter (&(radiusGroupName=fanore)([EMAIL PROTECTED],vd=radiowave.net,o=clients,dc=radiowave,dc=net))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in [EMAIL PROTECTED],vd=radiowave.net,o=clients,dc=radiowave,dc=net, with filter (objectclass=*)
rlm_ldap::groupcmp: Group fanore not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 36
  modcall[authorize]: module "files" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type = MS-CHAP'
  modcall[authorize]: module "mschap" returns ok for request 0
modcall: entering group redundant for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for [EMAIL PROTECTED]
radius_xlat: '([EMAIL PROTECTED])'
radius_xlat: 'o=clients,dc=radiowave,dc=net'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.250.3.204:389, authentication 0
rlm_ldap: bind as cn=manager,dc=radiowave,dc=net/23ldap11safe to 10.250.3.204:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=clients,dc=radiowave,dc=net, with filter ([EMAIL PROTECTED])
rlm_ldap: checking if remote access for [EMAIL PROTECTED] is allowed by dialupAccess
rlm_ldap: Added password porsche914 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as user-Password, value porsche914 & op=21
rlm_ldap: Adding userPassword as ntPassword, value porsche914 & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusLoginIPHost as Login-IP-Host, value 10.4.230.10 & op=11
rlm_ldap: Adding radiusFramedIPAddress as Framed-IP-Address, value 10.4.230.10 & op=11
rlm_ldap: Adding userPassword as NT-Password, value porsche914 & op=11
rlm_ldap: user [EMAIL PROTECTED] authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap1" returns ok for request 0
modcall: group redundant returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
  rlm_mschap: Told to do MS-CHAPv2 for [EMAIL PROTECTED] with NT-Password
  rlm_mschap: adding MS-CHAPv2 MPPE keys
  modcall[authenticate]: module "mschap" returns ok for request 0
modcall: group Auth-Type returns ok for request 0
radius_xlat: 'sorry you are not allowred to dial in here'
Login OK: [EMAIL PROTECTED]/<no User-Password attribute>] (from client ballyvaughan port 0 cli 10.4.230.10)
Sending Access-Accept of id 53 to 10.250.3.1:60780
        Reply-Message = "sorry you are not allowred to dial in here"
        Login-IP-Host = 10.4.230.10
        Framed-IP-Address = 10.4.230.10
        MS-CHAP2-Success = 0x01533d36383236314538323541384430463344463735373239303746314536443742354342323533304337
        MS-MPPE-Recv-Key = 0xed38ac9f7fc2417f6748af9e4c5e0fb8
        MS-MPPE-Send-Key = 0x3ea0cbf4a78d7df022406716f1675340
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Accounting-Request packet from host 10.250.3.1:56633, id=101, length=156
        NAS-Identifier = "radiowavetest.radiowave.net"
        NAS-Port = 0
        NAS-Port-Type = Virtual
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = "10.4.230.10"
        User-Name = "[EMAIL PROTECTED]"
        Framed-IP-Address = 10.250.4.16
        Acct-Status-Type = Start
        Acct-Session-Id = "6538747-pt0"
        Acct-Multi-Session-Id = "6538747-pt0"
        Acct-Link-Count = 1
        Acct-Authentic = RADIUS
  Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 1
  modcall[preacct]: module "preprocess" returns noop for request 1
    rlm_realm: Looking up realm "radiowave.net" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: No such realm "radiowave.net"
  modcall[preacct]: module "suffix" returns noop for request 1
  modcall[preacct]: module "files" returns noop for request 1
modcall: group preacct returns noop for request 1

>Please post the full users file as well.

Users file is at the bottom.

>Finally, where did you get ldaphuntgroupname and ldapgroupname?
>Huntgroups are defined in the file huntgroups. You defined
>groupmembership_attribute as "radiusGroupName". That means you need to
>use radiusgroupname in ldap to put a user into a group.

OK, my attributes are right and these are wrong. I used attributes from the schema.

>huntgroups
>test1 NAS-IP-Address == 1.1.1.1
>test2 NAS-IP-Address == 2.2.2.2

Yep, this is the same.

>users (important - these are all on one line)
>DEFAULT Huntgroup-Name == test1, Ldap-Group == test1, User-Profile :=
>"cn=test1,ou=profiles,dc=yourdomain"
>DEFAULT Huntgroup-Name == test2, Ldap-Group == test2, User-Profile :=
>"cn=test2,ou=profiles,dc=yourdomain"
>DEFAULT Auth-Type := Reject

This is the same as mine, but you mention something about it needing to be on the same line. Exactly what do you mean by this?

>ldap
>dn: cn=test1,ou=users,dc=yourdomain
>radiusgroupname: test1
>...
>Here is what will happen, in the following scenarios.
>test1 comes from nasip of 1.1.1.1
> -match huntgroup-name of test1
> -freeradius looks to see if user has radiusgroupname: test1 - this user
>does, so it matches that line in users file
> -cn=test1 user profile will be added to reply items and authorization
>passes (Some-Attribute = SomeValue)
> -user is authenticated (if pass matches, success)

Cool, this looks good; this is what I want it to do, so I just have to get it right.

>Hope that helps.

Good start, thanks.

Users File

################################################################################
# default auth to get radius with ldap to work
####################################################################################
DEFAULT Ldap-Group == lisdoonvarna
        Huntgroup-Name == internet,
        User-Profile := "cn=lisdoonvarna,ou=profiles,o=radius,dc=radiowave,dc=net",
        Simultaneous-Use := 2,
        Fall-Through = 1

#DEFAULT Ldap-Group == ballyvaughan
#        Huntgroup-Name == internet,
#        User-Profile := "cn=ballyvaughan,ou=profiles,o=radius,dc=radiowave,dc=net",
#        Simultaneous-Use := 2,
#        Fall-Through = 1

DEFAULT Ldap-Group == doolin
        Huntgroup-Name == internet,
        User-Profile := "cn=doolin,ou=profiles,o=radius,dc=radiowave,dc=net",
        Simultaneous-Use := 2,
        Fall-Through = 1

DEFAULT Ldap-Group == fanore
        Huntgroup-Name == internet,
        User-Profile := "cn=fanore,ou=profiles,o=radius,dc=radiowave,dc=net",
        Simultaneous-Use := 2,
        Fall-Through = 1

#########################################################################
### default ldap authentication fall through works
##########################################################################
# DEFAULT Auth-Type := Ldap
#        Auth-Type := Accept,
#        Simultaneous-Use := 1

DEFAULT Auth-Type := Reject
        Reply-Message = "sorry you are not allowred to dial in here",
        Simultaneous-Use := 0

I would think the main issue lies here, which is the above command???

    users: Matched entry DEFAULT at line 36

--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.322 / Virus Database: 266.11.12 - Release Date: 17/05/2005

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
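The "these are all on one line" remark in the quoted reply refers to how the users file is parsed: every item on an entry's first line (after the name or DEFAULT) is a check item, and every item on an indented continuation line is a reply item, whatever operator it uses. A comparison such as Huntgroup-Name == internet on a continuation line is therefore stored as a reply item and never tested. The following is an added example, not code from this thread or from FreeRADIUS: a small linter that parses a users file by that rule and reports comparison operators and check-only attributes (Huntgroup-Name, Ldap-Group, and User-Profile, which rlm_ldap reads from the check items and which the quoted reply places on the first line) that ended up on continuation lines. The sample entries are constructed input, reconstructed from the users file in the post with the newlines restored as the post appears to lay them out; the function names, finding texts and the attribute list are this example's own choices.

```python
"""Lint a FreeRADIUS 'users' file for check items that landed on reply lines.

Added example for this thread (not from the post or from FreeRADIUS).
Assumed format, per users(5): an entry starts at column 0 with a name or
DEFAULT followed by comma-separated CHECK items on that same line; indented
continuation lines hold comma-separated REPLY items.
"""
import re

# Comparison operators only make sense in check items.
CHECK_OPS = {"==", "!=", "=~", "!~", "<", ">", "<=", ">="}
# Attributes only honoured on the check side: Huntgroup-Name (rlm_preprocess),
# Ldap-Group (rlm_ldap groupcmp) and User-Profile (read by rlm_ldap from the
# check items, which is why the quoted reply keeps it on the first line).
CHECK_ONLY_ATTRS = {"huntgroup-name", "ldap-group", "user-profile"}

ITEM_RE = re.compile(
    r'^\s*([\w.-]+)\s*(:=|==|!=|=~|!~|<=|>=|\+=|<|>|=)\s*("[^"]*"|\S+)\s*$')


def split_items(s):
    """Split 'A = 1, B := "x,y"' on commas that are outside double quotes."""
    items, buf, quoted = [], [], False
    for ch in s:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    items.append("".join(buf).strip())
    return [i for i in items if i]


def parse_item(text, lineno):
    m = ITEM_RE.match(text)
    if not m:
        raise ValueError("line %d: cannot parse item %r" % (lineno, text))
    attr, op, value = m.groups()
    return {"attr": attr, "op": op, "value": value.strip('"'), "line": lineno}


def parse_users(text):
    """Return entries as dicts: name, line, check items, reply items."""
    entries, cur = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                                   # blank or comment
        if raw[0].isspace():                           # indented: reply items
            if cur is None:
                raise ValueError("line %d: reply items before any entry" % lineno)
            for it in split_items(raw.strip().rstrip(",")):
                cur["reply"].append(parse_item(it, lineno))
        else:                                          # column 0: new entry
            parts = raw.split(None, 1)
            rest = parts[1].rstrip() if len(parts) > 1 else ""
            cur = {"name": parts[0], "line": lineno, "check": [], "reply": [],
                   "trailing_comma": rest.endswith(",")}
            for it in split_items(rest.rstrip(",")):
                cur["check"].append(parse_item(it, lineno))
            entries.append(cur)
    return entries


def lint(text):
    """Return a list of findings; an empty list means the layout looks right."""
    findings = []
    for e in parse_users(text):
        if e["trailing_comma"]:
            findings.append("line %d: check-item line of %s ends with a comma; "
                            "commas belong between items and at the end of reply lines"
                            % (e["line"], e["name"]))
        for it in e["reply"]:
            if it["op"] in CHECK_OPS:
                findings.append("line %d: '%s %s %s' sits on a reply line but uses the "
                                "comparison operator %s; it is stored as a reply item "
                                "and never evaluated as a check"
                                % (it["line"], it["attr"], it["op"], it["value"], it["op"]))
            elif it["attr"].lower() in CHECK_ONLY_ATTRS:
                findings.append("line %d: %s is only honoured as a check item but sits "
                                "on a reply line" % (it["line"], it["attr"]))
    return findings


# Constructed sample: the post's entry with newlines restored as it appears
# to be laid out, so Huntgroup-Name and User-Profile are on indented lines.
AS_POSTED = """\
DEFAULT Ldap-Group == lisdoonvarna
        Huntgroup-Name == internet,
        User-Profile := "cn=lisdoonvarna,ou=profiles,o=radius,dc=radiowave,dc=net",
        Simultaneous-Use := 2,
        Fall-Through = 1
DEFAULT Auth-Type := Reject
        Reply-Message = "sorry you are not allowred to dial in here",
        Simultaneous-Use := 0
"""

# Same policy with every check item on the entry's first line, as the
# quoted reply's DEFAULT lines do.
CORRECTED = """\
DEFAULT Ldap-Group == lisdoonvarna, Huntgroup-Name == internet, User-Profile := "cn=lisdoonvarna,ou=profiles,o=radius,dc=radiowave,dc=net"
        Simultaneous-Use := 2,
        Fall-Through = 1
DEFAULT Auth-Type := Reject
        Reply-Message = "sorry you are not allowred to dial in here",
        Simultaneous-Use := 0
"""

if __name__ == "__main__":
    for label, text in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print("== %s ==" % label)
        for f in lint(text) or ["no findings"]:
            print("  " + f)
```

Run against a real file with `lint(open("/etc/raddb/users").read())`; the line numbers in the findings are the same ones radiusd -X prints in "users: Matched entry DEFAULT at line N", so a finding can be tied directly to the entry the debug output says was matched.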