Hello,

I don't get it.

Maybe someone sees my mistake...

I have FreeRADIUS on Mac OS X.

My Users file has these entries:

/private/raddb/users

#-------------------------------------------------------------------------------------------------
# Allow members of group 'schueler' to WLAN-45

DEFAULT Ldap-Group == "schueler", Airespace-Wlan-Id == 4
        Auth-Type := opendirectory,
        Service-Type = Login-User,
        Reply-Message = "Schueler: WLAN-45 accept",
        Fall-Through = 0

#-------------------------------------------------------------------------------------------------
# Reject members of group 'schueler' from any other than  WLAN-45

DEFAULT Ldap-Group == "schueler", Airespace-Wlan-Id != 4
        Auth-Type := Reject,
        Reply-Message = "Schueler: Wrong WLAN!!!"

#-------------------------------------------------------------------------------------------------
# Allow members of group 'schuladministration' to WLAN-47

DEFAULT Ldap-Group == "schuladministration", Airespace-Wlan-Id == 6
        Auth-Type := opendirectory,
        Service-Type = Login-User,
        Reply-Message = "schuladministration: WLAN-47 accept",
        Fall-Through = 0

#-------------------------------------------------------------------------------------------------
# Reject all others

DEFAULT Auth-Type := Reject
        Reply-Message = "Access denied."

#-------------------------------------------------------------------------------------------------


In the log file I see this:

rad_recv: Access-Request packet from host 192.168.95.10:32768, id=151, length=197
        User-Name = "w45user"
        Calling-Station-Id = "00-17-F2-E8-74-76"
        Called-Station-Id = "00-1D-70-93-05-C0:WLAN-44"
        NAS-Port = 29
        NAS-IP-Address = 192.168.95.10
        NAS-Identifier = "KSHP-UG-SRV-WLC-04"
        Airespace-Wlan-Id = 3
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "44"
        EAP-Message = 0x020300061500
        State = 0xe56af3902cf86936b5da18867203a336
        Message-Authenticator = 0x0b2df96b7f01043f6296236014935512
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 43
  modcall[authorize]: module "preprocess" returns ok for request 43
  modcall[authorize]: module "chap" returns noop for request 43
  modcall[authorize]: module "mschap" returns noop for request 43
    rlm_realm: No '@' in User-Name = "w45user", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 43
  rlm_eap: EAP packet type response id 3 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 43
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'dc=ldap,dc=ksoe,dc=edu'
radius_xlat:  '(uid=w45user)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ldap,dc=ksoe,dc=edu, with filter (uid=w45user)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat:  '(&(objectClass=posixGroup)(memberUid=w45user))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ldap,dc=ksoe,dc=edu, with filter (&(cn=wlan_test)(&(objectClass=posixGroup)(memberUid=w45user)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group wlan_test not found or user is not a member.
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'dc=ldap,dc=ksoe,dc=edu'
radius_xlat:  '(&(objectClass=posixGroup)(memberUid=w45user))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ldap,dc=ksoe,dc=edu, with filter (&(cn=vpn_users)(&(objectClass=posixGroup)(memberUid=w45user)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group vpn_users not found or user is not a member.
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'dc=ldap,dc=ksoe,dc=edu'
radius_xlat:  '(&(objectClass=posixGroup)(memberUid=w45user))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ldap,dc=ksoe,dc=edu, with filter (&(cn=angestellte)(&(objectClass=posixGroup)(memberUid=w45user)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group angestellte not found or user is not a member.
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'dc=ldap,dc=ksoe,dc=edu'
radius_xlat:  '(&(objectClass=posixGroup)(memberUid=w45user))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ldap,dc=ksoe,dc=edu, with filter (&(cn=lehrer)(&(objectClass=posixGroup)(memberUid=w45user)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group lehrer not found or user is not a member.
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'dc=ldap,dc=ksoe,dc=edu'
radius_xlat:  '(&(objectClass=posixGroup)(memberUid=w45user))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ldap,dc=ksoe,dc=edu, with filter (&(cn=lehrer)(&(objectClass=posixGroup)(memberUid=w45user)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group lehrer not found or user is not a member.
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'dc=ldap,dc=ksoe,dc=edu'
radius_xlat:  '(&(objectClass=posixGroup)(memberUid=w45user))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ldap,dc=ksoe,dc=edu, with filter (&(cn=schueler)(&(objectClass=posixGroup)(memberUid=w45user)))
rlm_ldap::ldap_groupcmp: User found in group schueler
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'dc=ldap,dc=ksoe,dc=edu'
radius_xlat:  '(&(objectClass=posixGroup)(memberUid=w45user))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ldap,dc=ksoe,dc=edu, with filter (&(cn=schueler)(&(objectClass=posixGroup)(memberUid=w45user)))
rlm_ldap::ldap_groupcmp: User found in group schueler
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 260
  modcall[authorize]: module "files" returns ok for request 43
modcall: leaving group authorize (returns updated) for request 43
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 43
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 43
modcall: leaving group authenticate (returns handled) for request 43
Sending Access-Challenge of id 151 to 192.168.95.10 port 32768
        Reply-Message = "Schueler: Wrong WLAN!!!"
        EAP-Message = 0x01040323158000000719010405003081ce310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3121301f06035504031318546861777465205072656d69756d205365727665722043413128302606092a864886f70d01090116197072656d69756d2d736572766572407468617774652e636f6d301e170d3936303830313030303030305a170d3230313233313233353935
        EAP-Message = 0x395a3081ce310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3121301f06035504031318546861777465205072656d69756d205365727665722043413128302606092a864886f70d01090116197072656d69756d2d736572766572407468617774652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100d236366a8bd7c25b9eda814162
        EAP-Message = [...]
        EAP-Message = 0xf1c349659a8cc5c83e25b79499bb92327107f0865eed5027a60da623f9bbcba607144216030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x287a38ce7b69dbc51126c71ef1bd49f3
Finished request 43
Going to the next request
Waking up in 6 seconds...

As far as I can tell, I see this line:
    users: Matched entry DEFAULT at line 260

This is the line containing 'DEFAULT Ldap-Group == "schueler", Airespace-Wlan-Id != 4'
which is correct.

So if this works (I can also read the 'Reply-Message = "Schueler: Wrong WLAN!!!"'), why does this user get access?

Why does the line 'Auth-Type := Reject,' not work?

What do I have to do to have him being rejected?

Any ideas?

Thanks

Kurt
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
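For anyone reading this thread later, the following Python model (added here; it is not FreeRADIUS code and not Kurt's configuration) walks the posted entries the way the users(5) layout defines them: the first line of an entry holds the check items, and the indented continuation lines hold the reply items. It takes the group membership rlm_ldap reported in the log (schueler) and the Airespace-Wlan-Id of 3 as a constructed request, reports which entry would match, and flags any check-only attribute, such as Auth-Type, that sits among the reply items. It also evaluates a second, constructed copy of the entries with Auth-Type moved onto the check line so the difference is visible. The parser, the CHECK_ONLY set and the function names are the example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the users(5) layout: the first line of an entry holds
# the check items, indented continuation lines hold the reply items.  The
# second entry keeps Auth-Type on a continuation line, as in the post.
USERS_FILE = """\
# Allow members of group 'schueler' to WLAN-45
DEFAULT Ldap-Group == "schueler", Airespace-Wlan-Id == 4
        Auth-Type := opendirectory,
        Service-Type = Login-User,
        Reply-Message = "Schueler: WLAN-45 accept",
        Fall-Through = 0

# Reject members of group 'schueler' from any other than WLAN-45
DEFAULT Ldap-Group == "schueler", Airespace-Wlan-Id != 4
        Auth-Type := Reject,
        Reply-Message = "Schueler: Wrong WLAN!!!"

# Reject all others
DEFAULT Auth-Type := Reject
        Reply-Message = "Access denied."
"""

# Constructed variant: Auth-Type moved onto the check-item line of entry 2.
USERS_FILE_FIXED = USERS_FILE.replace(
    'Airespace-Wlan-Id != 4\n        Auth-Type := Reject,\n',
    'Airespace-Wlan-Id != 4, Auth-Type := Reject\n')

# Constructed request, taken from the values visible in the posted log.
REQUEST = {"User-Name": "w45user", "Airespace-Wlan-Id": "3",
           "NAS-Port-Type": "Wireless-802.11"}
LDAP_GROUPS = {"schueler"}   # what rlm_ldap reported for this user

# Assumed set of attributes that only make sense as check items (server-side
# control), never as reply attributes sent back to the NAS.
CHECK_ONLY = {"Auth-Type", "Ldap-Group"}

# attribute, operator, value (quoted or bare); a trailing comma is stripped
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|!=|=)\s*("([^"]*)"|\S+)')


@dataclass
class Entry:
    line: int
    name: str
    check: list = field(default_factory=list)
    reply: list = field(default_factory=list)


def parse_items(text):
    items = []
    for m in ITEM_RE.finditer(text):
        attr, op, raw, quoted = m.groups()
        value = quoted if quoted is not None else raw.rstrip(",")
        items.append((attr, op, value))
    return items


def parse_users(text):
    """Split a users-style file into entries: unindented line = name plus
    check items, indented lines = reply items, comments and blanks skipped."""
    entries, current = [], None
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            if current is None:
                raise ValueError(f"line {lineno}: reply items before any entry")
            current.reply.extend(parse_items(line))
        else:
            parts = line.split(None, 1)
            current = Entry(lineno, parts[0], parse_items(parts[1] if len(parts) > 1 else ""))
            entries.append(current)
    return entries


def check_matches(item, request, groups):
    """Evaluate one check item against the request (simplified operator set)."""
    attr, op, value = item
    if op in (":=", "="):          # control setting, never a comparison
        return True
    if attr == "Ldap-Group":       # answered by the LDAP module, not the packet
        member = value in groups
        return member if op == "==" else not member
    if attr not in request:        # missing attribute never satisfies == or !=
        return False
    actual = str(request[attr])
    return (actual == value) if op == "==" else (actual != value)


def evaluate(users_text, request, groups):
    """Walk entries in order, like rlm_files: first match wins unless the
    entry carries Fall-Through = yes.  Returns what would be set where."""
    result = {"matched_line": None, "control": {}, "reply": {}, "misplaced": []}
    for entry in parse_users(users_text):
        if not all(check_matches(i, request, groups) for i in entry.check):
            continue
        if result["matched_line"] is None:
            result["matched_line"] = entry.line
        for attr, op, value in entry.check:
            if op in (":=", "="):              # e.g. Auth-Type := Reject
                result["control"][attr] = value
        fall_through = False
        for attr, op, value in entry.reply:
            if attr in CHECK_ONLY:             # check item on a reply line
                result["misplaced"].append((entry.line, attr, value))
            elif attr == "Fall-Through":
                fall_through = value.lower() in ("1", "yes")
            else:
                result["reply"][attr] = value  # goes back to the NAS
        if not fall_through:
            break
    return result


if __name__ == "__main__":
    for label, text in (("as posted", USERS_FILE),
                        ("Auth-Type on check line", USERS_FILE_FIXED)):
        print(label, evaluate(text, REQUEST, LDAP_GROUPS))
```

The model only handles ==, != and := plus Fall-Through, ignores operators such as =~ and >, and does not reproduce the EAP/TTLS processing seen in the log, so it illustrates the check-item versus reply-item layout rule rather than the whole authorize section. In the "as posted" run the second entry matches and Reply-Message is set, but Auth-Type lands in the misplaced list instead of the control list; in the second run it becomes a control item of the matched entry.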
