Hello all

*My Goal*: PAP on legacy port 1645, CHAP on 1812 working simultaneously.

*My Environment*: FreeRADIUS 2.0.0-pre2, LDAP user database, MySQL Accounting.

*Problem*: I'm running a virtual host for each AUTH port. Each works fine when placed in sites-enabled individually, but my CHAP virtualhost fails when both are enabled. The vhost listening on 1812 appears to be referencing an LDAP module that is not listed in its server { ... } block. You will see "ou=Dialup" in the debugging output below of a CHAP request to 1812 that is only contained in the legacy PAP vhost. Any ideas are appreciated!!
I have 4 LDAP servers configured, two point to a different OU on the same servers for legacy PAP users. Is there maybe a way to change the basedn on the fly with NAS-IP-Address as the condition? This may be easier than sorting out my mess. Right now I'm differentiating requests using clients.conf:

# CHAP NAS
client x.x.x.x {
        secret = test
        shortname = test
        nastype = other
        server = alexssa_dsl
}

#####################
# Stripped LDAP config #
#####################
ldap ldap01.alexssa.net {
        <snip>
        basedn = "ou=users,ou=radius,dc=alexssa,dc=net"
}
ldap ldap02.alexssa.net {
        <snip>
        basedn = "ou=users,ou=radius,dc=alexssa,dc=net"
}
ldap ldap01.alexssa.net_dialin {
        <snip>
        basedn = "ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net"
}
ldap ldap02.alexssa.net_dialin {
        <snip>
        basedn = "ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net"
}

##############################
# Below is my DSL (CHAP) vhost #
##############################
server alexssa_dsl {
        listen {
                ipaddr = *
                port = 1812
                type = auth
        }
        listen {
                ipaddr = *
                port = 1813
                type = acct
        }
        authorize {
                if ("%{User-Name}" =~ /^([EMAIL PROTECTED])@alexssa.net$/) {
                        update request {
                                Stripped-User-Name = "%{1}"
                        }
                }
                preprocess
                auth_log
                files
                redundant-load-balance {
                        ldap01.alexssa.net
                        ldap02.alexssa.net
                }
                daily
                chap
        }
        authenticate {
                Auth-Type CHAP {
                        chap
                }
        }
        #
        # Pre-accounting. Decide which accounting type to use.
        #
        preacct {
                preprocess
                acct_unique
                files
        }
        #
        # Accounting. Log the accounting data.
        #
        accounting {
        #       acctdetail
                sql
        #       daily
                radutmp
                attr_filter.accounting_response
        }
        # Session database, used for checking Simultaneous-Use. Either the radutmp
        # or rlm_sql module can handle this.
        # The rlm_sql module is *much* faster
        session {
                radutmp
        }
        # Post-Authentication
        # Once we KNOW that the user has been authenticated, there are
        # additional steps we can take.
        post-auth {
                Post-Auth-Type REJECT {
                        attr_filter.access_reject
                }
        }
} # dsl server block

######################
# Dialin (PAP) vhost #
######################
server alexssa_dialin {
        listen {
                ipaddr = *
                port = 1645
                type = auth
        }
        listen {
                ipaddr = *
                port = 1646
                type = acct
        }
        authorize {
                if ("%{User-Name}" =~ /^([EMAIL PROTECTED])@alexssa.net$/) {
                        update request {
                                Stripped-User-Name = "%{1}"
                        }
                }
                preprocess
                auth_log
                files
                redundant-load-balance {
                        ldap01.alexssa.net_dialin
                        ldap02.alexssa.net_dialin
                }
                daily
                pap
        }
        authenticate {
                Auth-Type PAP {
                        pap
                }
        }
        #
        # Pre-accounting. Decide which accounting type to use.
        #
        preacct {
                preprocess
                acct_unique
                files
        }
        #
        # Accounting. Log the accounting data.
        #
        accounting {
        #       acctdetail
                sql
        #       daily dialup
                radutmp
                attr_filter.accounting_response
        }
        # Session database, used for checking Simultaneous-Use. Either the radutmp
        # or rlm_sql module can handle this.
        # The rlm_sql module is *much* faster
        session {
                radutmp
        }
        # Post-Authentication
        # Once we KNOW that the user has been authenticated, there are
        # additional steps we can take.
        post-auth {
                Post-Auth-Type REJECT {
                        attr_filter.access_reject
                }
        }
} # dialin server block

#######################################
# debugging output of CHAP request to 1812 #
#######################################
Listening on authentication address * port 1812 as server alexssa_dsl
Listening on accounting address * port 1813 as server alexssa_dsl
Listening on authentication address * port 1645 as server alexssa_dialin
Listening on accounting address * port 1646 as server alexssa_dialin
Ready to process requests.
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 38.119.185.62 port 3563, id=15, length=63
        User-Name = "[EMAIL PROTECTED]"
        CHAP-Password = 0x0f4e646219d84c7c72d88e920c879d2a01
server alexssa_dsl {
+- entering group authorize
++? if ("%{User-Name}" =~ /^([EMAIL PROTECTED])@alexssa.net$/)
        expand: %{User-Name} -> [EMAIL PROTECTED]
? Evaluating ("%{User-Name}" =~ /^([EMAIL PROTECTED])@alexssa.net$/) -> TRUE
++? if ("%{User-Name}" =~ /^([EMAIL PROTECTED])@alexssa.net$/) -> TRUE
++- entering if ("%{User-Name}" =~ /^([EMAIL PROTECTED])@alexssa.net$/)
        expand: %{1} -> 1000copyme
+++[request] returns notfound
++- if ("%{User-Name}" =~ /^([EMAIL PROTECTED])@alexssa.net$/) returns notfound
++[preprocess] returns ok
        expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/38.119.185.62/auth-detail-20080103
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/38.119.185.62/auth-detail-20080103
        expand: %t -> Thu Jan  3 15:19:46 2008
++[auth_log] returns ok
rlm_ldap: Entering ldap_groupcmp()
        expand: ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net -> ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net
        expand: %{Stripped-User-Name} -> 1000copyme
        expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=1000copyme)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap02.alexssa.net:389, authentication 0
rlm_ldap: bind as cn=xxxxx,dc=alexssa,dc=net/xxxxxx to ldap02.alexssa.net:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net, with filter (uid=1000copyme)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
        expand: ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net -> ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net
        expand: %{Stripped-User-Name} -> 1000copyme
        expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=1000copyme)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net, with filter (uid=1000copyme)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 16
++[files] returns ok
++- entering redundant-load-balance group
rlm_ldap: - authorize
rlm_ldap: performing user authorization for [EMAIL PROTECTED]
        expand: %{Stripped-User-Name} -> 1000copyme
        expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=1000copyme)
        expand: ou=users,ou=radius,dc=alexssa,dc=net -> ou=users,ou=radius,dc=alexssa,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap02.alexssa.net:389, authentication 0
rlm_ldap: bind as cn=xxxxx,dc=alexssa,dc=net/xxxxxx to ldap02.alexssa.net:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=users,ou=radius,dc=alexssa,dc=net, with filter (uid=1000copyme)
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute userPassword as RADIUS attribute Cleartext-Password == "test1234"
rlm_ldap: looking for reply items in directory...
rlm_ldap: user [EMAIL PROTECTED] authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ldap02.alexssa.net] returns ok
++- redundant-load-balance group returns ok
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[daily] returns noop
rlm_chap: WARNING: Auth-Type already set.  Not setting to CHAP
++[chap] returns noop
rad_check_password:  Found Auth-Type Reject
rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/<CHAP-Password>] (from client test port 0)
} # server alexssa_dsl
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> [EMAIL PROTECTED]
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Sending delayed reject for request 0
Sending Access-Reject of id 15 to 38.119.185.62 port 3563
        Reply-Message = "Please call the helpdesk. Alexssa can be reached at 262-338-3742"
Waking up in 4 seconds...
Cleaning up request 0 ID 15 with timestamp +17
Nothing to do.  Sleeping until we see a request.

--
Nicholas Hall
[EMAIL PROTECTED]
262.208.6271
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
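The following is an added example, not code from the post or from the FreeRADIUS project. It parses radiusd -X debug output of the format shown above and reports every LDAP search whose base DN belongs to no ldap instance listed in the virtual server that handled the request, together with the context the search came from (a module call in the authorize section versus an ldap_groupcmp check-item comparison) and the last module that had returned before it. The MODULE_BASEDN and SERVER_MODULES tables are transcribed from the post's stripped config; the sample log is constructed from the post's debug excerpt, shortened to the lines the parser uses; the regexes assume the 2.0 debug line formats visible in that excerpt and are not a FreeRADIUS API.

```python
"""Audit FreeRADIUS 2.x debug output (radiusd -X) for LDAP searches that a
virtual server was not configured to make.

Added example, not part of the original post. Regexes target the log line
formats shown in the post; the sample log is constructed from its excerpt."""
import re
from dataclasses import dataclass, field
from typing import Optional

SERVER_OPEN = re.compile(r"^server (\S+) \{")
SERVER_CLOSE = re.compile(r"^\} # server (\S+)")
GROUPCMP_ENTER = re.compile(r"^rlm_ldap: Entering ldap_groupcmp\(\)")
LDAP_AUTHORIZE = re.compile(r"^rlm_ldap: - authorize")
LDAP_SEARCH = re.compile(r"^rlm_ldap: performing search in (.+?), with filter (\(.*\))$")
MODULE_RETURN = re.compile(r"^\+{2,}\[([^\]]+)\] returns (\w+)")
AUTH_TYPE = re.compile(r"^rad_check_password:\s+Found Auth-Type (\S+)")

# Base DN per ldap instance, transcribed from the post's stripped LDAP config.
MODULE_BASEDN = {
    "ldap01.alexssa.net": "ou=users,ou=radius,dc=alexssa,dc=net",
    "ldap02.alexssa.net": "ou=users,ou=radius,dc=alexssa,dc=net",
    "ldap01.alexssa.net_dialin": "ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net",
    "ldap02.alexssa.net_dialin": "ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net",
}
# ldap instances each virtual server lists in its authorize section (from the post).
SERVER_MODULES = {
    "alexssa_dsl": ["ldap01.alexssa.net", "ldap02.alexssa.net"],
    "alexssa_dialin": ["ldap01.alexssa.net_dialin", "ldap02.alexssa.net_dialin"],
}


@dataclass
class LdapSearch:
    basedn: str
    filter: str
    context: str                  # "ldap_groupcmp" (check-item compare) or "authorize" (module call)
    after_module: Optional[str]   # last module that returned before this search


@dataclass
class RequestTrace:
    server: str
    searches: list = field(default_factory=list)
    module_results: list = field(default_factory=list)
    auth_type: Optional[str] = None


def parse_debug(text: str) -> list:
    """Split a radiusd -X log into one RequestTrace per 'server X { ... } # server X' block."""
    traces, current, context, last_module = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVER_OPEN.match(line)
        if m:
            current, context, last_module = RequestTrace(server=m.group(1)), None, None
            continue
        if current is None:
            continue                      # lines outside any server block are ignored
        if SERVER_CLOSE.match(line):
            traces.append(current)
            current = None
            continue
        if GROUPCMP_ENTER.match(line):
            context = "ldap_groupcmp"     # search triggered by a check-item comparison
        elif LDAP_AUTHORIZE.match(line):
            context = "authorize"         # search made by an ldap instance called as a module
        m = LDAP_SEARCH.match(line)
        if m:
            current.searches.append(LdapSearch(m.group(1), m.group(2), context or "unknown", last_module))
            continue
        m = MODULE_RETURN.match(line)
        if m:
            last_module = m.group(1)
            current.module_results.append((m.group(1), m.group(2)))
            continue
        m = AUTH_TYPE.match(line)
        if m:
            current.auth_type = m.group(1)
    return traces


def audit(traces: list, server_modules=SERVER_MODULES, module_basedn=MODULE_BASEDN) -> list:
    """One finding per search whose base DN is not the basedn of any ldap instance
    listed in the virtual server that processed the request."""
    findings = []
    for t in traces:
        allowed = {module_basedn[m] for m in server_modules.get(t.server, [])}
        for s in t.searches:
            if s.basedn not in allowed:
                findings.append(f"{t.server}: search in {s.basedn} filter {s.filter} "
                                f"via {s.context}, after [{s.after_module}]")
    return findings


# Constructed sample: the post's debug excerpt, reduced to the lines the parser reads.
SAMPLE_LOG = """\
server alexssa_dsl {
+- entering group authorize
++[preprocess] returns ok
++[auth_log] returns ok
rlm_ldap: Entering ldap_groupcmp()
rlm_ldap: performing search in ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net, with filter (uid=1000copyme)
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: Entering ldap_groupcmp()
rlm_ldap: performing search in ou=Dialup,ou=users,ou=radius,dc=alexssa,dc=net, with filter (uid=1000copyme)
rlm_ldap::ldap_groupcmp: search failed
    users: Matched entry DEFAULT at line 16
++[files] returns ok
++- entering redundant-load-balance group
rlm_ldap: - authorize
rlm_ldap: performing search in ou=users,ou=radius,dc=alexssa,dc=net, with filter (uid=1000copyme)
+++[ldap02.alexssa.net] returns ok
++[daily] returns noop
++[chap] returns noop
rad_check_password:  Found Auth-Type Reject
} # server alexssa_dsl
"""

if __name__ == "__main__":
    for finding in audit(parse_debug(SAMPLE_LOG)):
        print(finding)
```

Run against the sample, the audit reports the two ou=Dialup searches, both via ldap_groupcmp and both after [auth_log], while the ou=users search inside the redundant-load-balance group passes. That placement matches the original excerpt: the ou=Dialup searches sit between "++[auth_log] returns ok" and "++[files] returns ok", so they happen while the files module is evaluating check items, not from the ldap instances the alexssa_dsl server lists. To apply this to a live server, feed the full radiusd -X output to parse_debug and adjust the two tables to your own modules and virtual servers.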