As I see, I should provide "Service-Type = Login-User" in the reply. Is it possible somehow?

________________________________________
From: [EMAIL PROTECTED] [EMAIL PROTECTED], on behalf of Dajka Tamás [EMAIL PROTECTED]
Sent: 28 October 2008 11:48
To: FreeRadius users mailing list
Subject: RE: Need help for configuration - LDAP with custom files Failover
Now, the users file is empty, and still the same (%Authorization failed on the switch). The log:

++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++- entering policy redundant
rlm_ldap: - authorize
rlm_ldap: performing user authorization for myusername
expand: (uid=%{User-Name}) -> (uid=myusername)
expand: dc=mydomain,dc=hu -> dc=mydomain,dc=hu
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.mydomain.hu:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /etc/ssl/mydomain.hu/ca/cacert.pem
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: bind as / to ldap.mydomain.hu:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=mydomain,dc=hu, with filter (uid=myusername)
rlm_ldap: checking if remote access for viper is allowed by uid
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user viper authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ldap] returns ok
++- policy redundant returns ok
rlm_passwd: Added Cisco-AVPair: 'shell:priv-lvl=1' to reply_items
++[ciscoextra] returns ok
++[ciscogroup] returns notfound
rad_check_password: Found Auth-Type ldap
auth: type "LDAP"
+- entering group LDAP
rlm_ldap: - authenticate
rlm_ldap: login attempt by "myusername" with password "myldappasswd"
rlm_ldap: user DN: cn=myusername,ou=users,dc=mydomain,dc=hu
rlm_ldap: (re)connect to ldap.mydomain.hu:636, authentication 1
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /etc/ssl/mydomain.hu/ca/cacert.pem
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: bind as cn=myusername,ou=users,dc=mydomain,dc=hu/mypassword to ldap.mydomain.hu:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user myusername authenticated succesfully
++[ldap] returns ok
Login OK: [myusername/mypassword] (from client shortname port 1 cli myclientip)
Sending Access-Accept of id 142 to myswitchip port 1645
Cisco-AVPair = "shell:priv-lvl=1"
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 142 with timestamp +9

Access-Accept, but still error on the switch (% Authorization failed.). As to my previous testing, not all the switches work, if the mentioned users file section (DEFAULT ...) is not present (I mean, authing against files,ciscopwd). This is some Cisco error, but couldn't find any workaround. Is it not possible to use somehow the users file, with DEFAULT entries and Fall-Through flags?

>> The myusername is same in the ciscopwd file and in LDAP, but the passwords
>> are different.
> Why??? That file should be for users that are not in ldap or as ldap
> backup (same user, same password, so when ldap server fails they can
> still connect).

The passwords are different just for testing.
The ciscopwd should act as backup, if ldap server fails.

Thanks,

Tamas

________________________________________
From: [EMAIL PROTECTED] [EMAIL PROTECTED], on behalf of [EMAIL PROTECTED] [EMAIL PROTECTED]
Sent: 28 October 2008 11:25
To: FreeRadius users mailing list
Subject: RE: Need help for configuration - LDAP with custom files Failover

>rad_recv: Access-Request packet from host myswitchip port 1645, id=139,
>length=80
> NAS-IP-Address = myswitchip
> NAS-Port = 1
> NAS-Port-Type = Virtual
> User-Name = "myusernamer"
> Calling-Station-Id = "myclientip"
> User-Password = "myvalid_ldap_password"
>+- entering group authorize
..
>++- entering policy redundant
> users: Matched entry DEFAULT at line 11
>+++[files] returns ok
>++- policy redundant returns ok

OK. Your redundant section is not going to make much sense if you are going to have matches on DEFAULT entries in files. files will always be used while ldap and ciscopwd - never. On top of that you are setting auth type ldap - remove files from redundant section and delete that auth type entry from it.

>
> The myusername is same in the ciscopwd file and in LDAP, but the passwords are
> different.

Why??? That file should be for users that are not in ldap or as ldap backup (same user, same password, so when ldap server fails they can still connect).

Ivan Kalik
Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
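The layout Ivan describes (files taken out of the redundant block so a DEFAULT entry cannot satisfy the block before ldap and ciscopwd ever run, and no Auth-Type set from the users file) combined with the users-file DEFAULT entry that adds the Service-Type reply attribute asked about at the top of the thread, as an added example that is not part of this thread and not either poster's configuration. The module instance names ldap, ciscopwd, ciscoextra and files are taken from the debug output above; the exact placement within the authorize section, the FreeRADIUS 2.x syntax, and the Service-Type value Login-User (copied from the question; which value a given NAS expects for an exec session is an assumption to verify against the switch's own AAA configuration) are assumptions.

```text
# --- raddb/sites-enabled/default, authorize section (added example) ---
authorize {
        preprocess
        auth_log
        chap
        mschap
        eap

        # Failover between the directory and the local password file only.
        # redundant stops at the first module that returns ok, so a users-file
        # DEFAULT entry must not live in here: it would match every request,
        # files would return ok, and ldap / ciscopwd would never be consulted.
        redundant {
                ldap
                ciscopwd
        }

        # rlm_passwd instance that adds Cisco-AVPair "shell:priv-lvl=..." (seen in the log)
        ciscoextra

        # files runs after the failover block and only contributes reply items.
        # It must not set Auth-Type, because ldap (or ciscopwd) already chose it.
        files
}

# --- raddb/users (added example) ---
# No check items, so this entry matches every request. It only adds reply
# attributes and then falls through, so a later per-user entry can still match.
DEFAULT
        Service-Type = Login-User,
        Fall-Through = Yes
```

With this ordering the debug output should show "entering policy redundant" followed by ldap (or, when the directory is unreachable, ciscopwd) returning ok, and files appearing afterwards as "returns ok" with the Service-Type attribute listed under "Sending Access-Accept". One further point visible in the log above: "setting TLS Require Cert to never" means the server accepts whatever certificate ldap.mydomain.hu presents, yet every user's password is sent over that connection in the authenticate bind; in production the ldap module should be configured to verify the directory's certificate against the CA file it already loads.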