On Jan 3, 2008 10:18 AM, Alan DeKok <[EMAIL PROTECTED]> wrote:
> falz wrote:
> > I have a FreeRADIUS server working properly with an LDAP backend. I've
> > brought some user config into the 'users' file for a legacy system
> > we're migrating to this server. However, I cannot seem to find the
> > appropriate way to have FreeRADIUS map clients to a specific
> > authentication type.
>
> What does that mean?

Radius Client A uses rlm_ldap, Radius Client B uses 'files' for the
Livingston-style 'users' file.

What I have now is Client A works fine with LDAP, but it seems to be a
default across the system. Client B always talks to LDAP, it doesn't seem
to read from the users file.

Here's some debug stuff. When I start radiusd -X, it does show that it
reads the files module:

Module: Loaded files
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile = "/usr/local/etc/raddb/acct_users"
 files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
 files: compat = "no"

As well as ldap:

Module: Loaded LDAP
<snipped because it all works>

But when one authenticates, it chooses ldap only:

rad_recv: Access-Request packet from host 192.168.0.130:1028, id=18, length=119
        User-Name = "falz"
        User-Password = "abc123"
        NAS-IP-Address = 192.168.0.130
        NAS-Port = 4
        NAS-Port-Type = Async
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Connect-Info = "52000 LAPM/V42BIS"
        Called-Station-Id = "5552271012"
        Calling-Station-Id = "5552291017"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: No '@' in User-Name = "falz", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for falz
radius_xlat:  '(uid=falz)'
radius_xlat:  'ou=staff,dc=domain,dc=net'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=staff,dc=domain,dc=net, with filter (uid=falz)
request done: ld 0x8068e00 msgid 3
rlm_ldap: checking if remote access for falz is allowed by radiusReplyItem
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: extracted attribute Cisco-AVPair from generic item Cisco-AVPair := "shell:priv-lvl=15"
rlm_ldap: extracted attribute Fall-Through from generic item Fall-Through = 1
rlm_ldap: extracted attribute Extreme-CLI-Authorization from generic item Extreme-CLI-Authorization = Enabled
rlm_ldap: extracted attribute Service-Type from generic item Service-Type = NAS-Prompt-User
rlm_ldap: extracted attribute Service-Type from generic item Service-Type := Administrative-User
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user falz authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 2
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 2
modcall: leaving group authorize (returns ok) for request 2
  rad_check_password:  Found Auth-Type ldap
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 2
rlm_ldap: - authenticate
rlm_ldap: login attempt by "falz" with password "abc123"
rlm_ldap: user DN: uid=falz,ou=users,ou=staff,dc=domain,dc=net
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=falz,ou=users,ou=staff,dc=domain,dc=net/abc123 to localhost:389
rlm_ldap: waiting for bind result ...
request done: ld 0x8068f00 msgid 1
rlm_ldap: Bind failed with invalid credentials
  modcall[authenticate]: module "ldap" returns reject for request 2
modcall: leaving group LDAP (returns reject) for request 2
auth: Failed to validate the user.
Login incorrect (rlm_ldap: Bind as user failed): [falz] (from client portmaster3 port 4 cli 6082291017)
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 18 to 192.168.0.130 port 1028
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 18 with timestamp 477d0e80
Nothing to do.  Sleeping until we see a request.

It is logical that it does this, as I have nothing in my config about
this client using 'files'/'users', because I do not know what to put in.

I posted the original link, and also found this, which is related:

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg40372.html

However, in all cases that I find, users are trying to authenticate with
multiple same-type backends. The original link's user is authenticating
off of different LDAP servers; in this case they're authenticating off
of multiple SQL servers. I want 1 LDAP and one 'files'.

--falz

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
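The radiusd -X trace in the message above is where the files-versus-ldap question is answered: the modcall lines list every module the authorize and authenticate sections consulted, and the "Setting Auth-Type" and "Found Auth-Type" lines show which module decided how the request will be authenticated. The following Python script is an added example, not code from falz's message or from the FreeRADIUS project, that parses a trace in that 1.x modcall format and summarises the decision path per request. The embedded sample is an excerpt of the trace quoted above with its line breaks restored; the regular expressions assume exactly the line shapes shown there. Run on that excerpt it reports that authorize consulted preprocess, chap, mschap, suffix, eap, ldap and pap, that rlm_ldap set Auth-Type = ldap, that the files module never appears in the authorize chain, and that the server sent an Access-Reject.

```python
"""Summarise the decision path in a FreeRADIUS 1.x ``radiusd -X`` trace.

Added example (not code from the message or from FreeRADIUS). It reads the
modcall / rlm_ldap / rad_check_password / Sending lines and reports, per
request, which modules each section consulted, which module set Auth-Type,
why authentication failed (if it did) and what the server finally sent.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Excerpt of the trace quoted in the message above, with line breaks
# restored (constructed sample input for this example).
SAMPLE_TRACE = """\
rad_recv: Access-Request packet from host 192.168.0.130:1028, id=18, length=119
        User-Name = "falz"
        NAS-IP-Address = 192.168.0.130
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
  modcall[authorize]: module "suffix" returns noop for request 2
  modcall[authorize]: module "eap" returns noop for request 2
rlm_ldap: Setting Auth-Type = ldap
  modcall[authorize]: module "ldap" returns ok for request 2
  modcall[authorize]: module "pap" returns noop for request 2
modcall: leaving group authorize (returns ok) for request 2
  rad_check_password:  Found Auth-Type ldap
modcall: entering group LDAP for request 2
rlm_ldap: Bind failed with invalid credentials
  modcall[authenticate]: module "ldap" returns reject for request 2
modcall: leaving group LDAP (returns reject) for request 2
Login incorrect (rlm_ldap: Bind as user failed): [falz] (from client portmaster3 port 4 cli 6082291017)
Sending Access-Reject of id 18 to 192.168.0.130 port 1028
"""

# Line shapes taken from the 1.x debug output quoted in the message.
RECV_RE = re.compile(r"^\s*rad_recv: (Access-\w+) packet from host (\S+):(\d+), id=(\d+)")
MODCALL_RE = re.compile(r'^\s*modcall\[(\w+)\]: module "([^"]+)" returns (\w+) for request (\d+)')
SET_AUTH_RE = re.compile(r"^\s*(rlm_\w+): Setting Auth-Type = (\S+)")
FOUND_AUTH_RE = re.compile(r"^\s*rad_check_password:\s+Found Auth-Type (\S+)")
LOGIN_FAIL_RE = re.compile(r"^\s*Login incorrect \((.*?)\): \[")
SEND_RE = re.compile(r"^\s*Sending (Access-\w+) of id (\d+) to (\S+) port (\d+)")


@dataclass
class RequestTrace:
    client: str                      # NAS the request came from
    packet_id: int                   # RADIUS packet identifier
    number: Optional[int] = None     # server-side request number
    modules: List[Tuple[str, str, str]] = field(default_factory=list)  # (section, module, rc)
    auth_type_set_by: Optional[str] = None
    auth_type: Optional[str] = None
    failure_reason: Optional[str] = None
    reply: Optional[str] = None


def parse_trace(text: str) -> List[RequestTrace]:
    """Walk the trace sequentially; each rad_recv line starts a new request."""
    requests: List[RequestTrace] = []
    current: Optional[RequestTrace] = None
    for line in text.splitlines():
        m = RECV_RE.match(line)
        if m:
            current = RequestTrace(client=m.group(2), packet_id=int(m.group(4)))
            requests.append(current)
            continue
        if current is None:          # noise before the first request
            continue
        m = MODCALL_RE.match(line)
        if m:
            section, module, rc, num = m.groups()
            current.number = int(num)
            current.modules.append((section, module, rc))
            continue
        m = SET_AUTH_RE.match(line)
        if m:
            current.auth_type_set_by, current.auth_type = m.group(1), m.group(2)
            continue
        m = FOUND_AUTH_RE.match(line)
        if m:
            current.auth_type = m.group(1)   # the value the server acted on
            continue
        m = LOGIN_FAIL_RE.match(line)
        if m:
            current.failure_reason = m.group(1)
            continue
        m = SEND_RE.match(line)
        if m and int(m.group(2)) == current.packet_id:
            current.reply = m.group(1)
    return requests


def modules_in_section(req: RequestTrace, section: str) -> List[str]:
    """Every module the section consulted, in call order."""
    return [mod for sec, mod, _ in req.modules if sec == section]


def deciding_modules(req: RequestTrace, section: str) -> List[str]:
    """Modules that returned something other than noop, i.e. touched the request."""
    return [mod for sec, mod, rc in req.modules if sec == section and rc != "noop"]


def explain(req: RequestTrace) -> str:
    lines = [f"request {req.number} (id {req.packet_id}) from client {req.client}:"]
    for section in ("authorize", "authenticate"):
        calls = [(m, rc) for s, m, rc in req.modules if s == section]
        if calls:
            lines.append(f"  {section}: " + ", ".join(f"{m}={rc}" for m, rc in calls))
    if req.auth_type:
        who = f" (set by {req.auth_type_set_by})" if req.auth_type_set_by else ""
        lines.append(f"  Auth-Type: {req.auth_type}{who}")
    if req.failure_reason:
        lines.append(f"  failure: {req.failure_reason}")
    lines.append(f"  reply: {req.reply or 'none seen'}")
    return "\n".join(lines)


if __name__ == "__main__":
    for request in parse_trace(SAMPLE_TRACE):
        print(explain(request))
```

Feed it the full output of radiusd -X (for example `python3 trace_summary.py < debug.log` after replacing SAMPLE_TRACE with `sys.stdin.read()`) and compare the authorize chain for a request from each NAS: if both requests show the same module sequence and the same module setting Auth-Type, the client is not influencing the decision at all, which is what the trace above shows for the Portmaster request.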