Re: Get AD Profile

2008-07-13 Thread nf-vale
Ok, I finally realise what I was doing wrong. To retrieve an Active
Directory user's group it's not necessary to use the replyItem in
ldap.attrmap. It's only necessary to configure the ldap module
correctly. So I resolved this using the following configuration:




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Get AD Profile

2008-07-13 Thread nf-vale
Sorry, my last message was sent too early :). I was betrayed by a very
sensitive touchpad...


Now the complete message:

Ok, I finally realise what I was doing wrong. To retrieve an Active
Directory user's group it's not necessary to use the replyItem in
ldap.attrmap. It's only necessary to configure the ldap module
correctly. So I resolved this by using the following configuration:

In radiusd.conf:

ldap {
        server = "192.168.100.173:389"
        basedn = "dc=ldaptest,dc=com"
        password = 
        identity = "cn=manager,cn=users,dc=ldaptest,dc=com"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{%{User-Name}:-none}})"
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        groupmembership_attribute = memberOf
        groupmembership_filter = "(|((objectClass=group)(member=%{check:LDAP-UserDn}))((objectClass=GroupOfNames)(member=%{check:LDAP-UserDn})))"
        timeout = 4
        timelimit = 3
        net_timeout = 1
}


NOTE: The %{Ldap-UserDn} attribute was replaced by %{check:LDAP-UserDn} since
2.0 (I lost a lot of time here because I was using %{Ldap-UserDn} as stated in
the documentation).


In the users file:

(one entry for each group)

DEFAULT Ldap-Group == "CN=groupX,DC=ldaptest,DC=com"
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Type = VLAN,
        Tunnel-Private-Group-Id = 3



Now the debug output looks like this:

rad_recv: Access-Request packet from host 192.168.10.200 port 33073, id=17, length=217
User-Name = LDAPTEST.COM\\figo
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = 02-00-00-00-00-01
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message = 0x02080050190017030100205178b4a5223790b6da72bc08db63ad2293c28106a590b25833bd4a70ba08f8d91703010020ff2d3faaec5ab346aaebb253b110da880ba6c5c55a27deaad76e9ddeb9016be6
State = 0x7491a0427399b9e1f10398e7556e31d5
Message-Authenticator = 0x342892f124c4b5b005c0d5810e0b5ba9
+- entering group authorize
++[preprocess] returns ok
rlm_realm: No '@' in User-Name = LDAPTEST.COM\figo, skipping NULL due to config.
++[suffix] returns noop
rlm_realm: Looking up realm LDAPTEST.COM for User-Name = LDAPTEST.COM\figo
rlm_realm: Found realm LDAPTEST.COM
rlm_realm: Adding Stripped-User-Name = figo
rlm_realm: Proxying request from user figo to realm LDAPTEST.COM
rlm_realm: Adding Realm = LDAPTEST.COM
rlm_realm: Authentication realm is LOCAL.
++[ntdomain] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for figo
expand: %{Stripped-User-Name} - figo
expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}) - (sAMAccountName=figo)
expand: dc=ldaptest,dc=com - dc=ldaptest,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ldaptest,dc=com, with filter 
(sAMAccountName=figo)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that the user is configured correctly?
rlm_ldap: user figo authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
  rlm_eap: EAP packet type response id 8 length 80
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
++[mschap] returns noop
rlm_ldap: Entering ldap_groupcmp()
expand: dc=ldaptest,dc=com - dc=ldaptest,dc=com
expand: (|((objectClass=group)(member=%{check:LDAP-UserDn}))((objectClass=GroupOfNames)(member=%{check:LDAP-UserDn}))) - (|((objectClass=group)(member=CN\3dfigo\2cCN\3dUsers\2cDC\3dldaptest\2cDC\3dcom))((objectClass=GroupOfNames)(member=CN\3dfigo\2cCN\3dUsers\2cDC\3dldaptest\2cDC\3dcom)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=grupo1,DC=ldaptest,DC=com, with filter (|((objectClass=group)(member=CN\3dfigo\2cCN\3dUsers\2cDC\3dldaptest\2cDC\3dcom))((objectClass=GroupOfNames)(member=CN\3dfigo\2cCN\3dUsers\2cDC\3dldaptest\2cDC\3dcom)))
rlm_ldap::ldap_groupcmp: User found in group CN=grupo1,DC=ldaptest,DC=pt
rlm_ldap: ldap_release_conn: Release Id: 0
users: Matched entry DEFAULT at line 8
++[files] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7 
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7 
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Success
  Using saved attributes from the original Access-Accept
  rlm_eap: Freeing handler
++[eap] returns ok
Login OK: [LDAPTEST.COM\\figo/via Auth-Type = EAP] 
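As an added example (not code from the original posts or from FreeRADIUS itself), the Python below models the two steps the working configuration depends on. First, how rlm_ldap escapes the user's DN before substituting it for %{check:LDAP-UserDn} in groupmembership_filter: the debug output above shows "=" becoming "\3d" and "," becoming "\2c", and that escaping is what stops a value under user influence from rewriting the filter. The exact character set escaped here is an assumption reconstructed from that output; it is a superset of the minimum RFC 4515 requires (backslash, "*", "(", ")" and NUL). Second, how the users file turns the matched group into the Tunnel-* reply items, first matching DEFAULT entry wins. The filter is written in standard RFC 4515 form with "&" inside each branch; the post's filter omits the "&", which the domain controller evidently tolerated (the debug output shows the group match succeeding) but a strict LDAP server would reject as a bad search filter. The directory entries, the user DNs and the grupo2 VLAN are constructed sample data.

```python
# Added example, not code from the original posts or from FreeRADIUS itself.
# It models the two steps the working configuration above depends on:
#   1. expanding groupmembership_filter with the user's DN escaped, as the
#      debug output shows (= -> \3d, , -> \2c), so the DN cannot rewrite the
#      filter, and
#   2. turning the matched group into the Tunnel-* reply items the users
#      file returns (first matching DEFAULT entry wins, no Fall-Through).
# Directory entries, user DNs and the grupo2 VLAN are constructed sample data.

from dataclasses import dataclass, field

# Characters hex-escaped before substitution into a filter. Assumption
# reconstructed from the debug output above; RFC 4515 itself only requires
# escaping \ * ( ) and NUL, and this wider set is a safe superset.
_UNSAFE = set(',+"\\<>;*=()\x00')


def escape_filter_value(value: str) -> str:
    """Escape a value for substitution into an LDAP search filter."""
    return "".join(f"\\{ord(c):02x}" if c in _UNSAFE else c for c in value)


# Standard RFC 4515 form of the post's filter: each branch is an AND (&) of
# the objectClass test and the member test.
GROUP_FILTER = (
    "(|(&(objectClass=group)(member={dn}))"
    "(&(objectClass=GroupOfNames)(member={dn})))"
)


def expand_group_filter(user_dn: str) -> str:
    """What rlm_ldap sends to the DC once %{check:LDAP-UserDn} is expanded."""
    return GROUP_FILTER.format(dn=escape_filter_value(user_dn))


@dataclass
class Entry:
    """A minimal AD-style directory entry (constructed sample data)."""
    dn: str
    object_class: set
    member: set = field(default_factory=set)


def matches_group_filter(entry: Entry, user_dn: str) -> bool:
    """The DC's view: does this entry satisfy GROUP_FILTER for user_dn?"""
    is_group = bool(entry.object_class & {"group", "GroupOfNames"})
    members = {m.lower() for m in entry.member}  # DN matching is case-insensitive
    return is_group and user_dn.lower() in members


def ldap_groupcmp(directory, group_dn: str, user_dn: str) -> bool:
    """rlm_ldap's Ldap-Group check: base-scope search at group_dn with GROUP_FILTER."""
    for entry in directory:
        if entry.dn.lower() == group_dn.lower():
            return matches_group_filter(entry, user_dn)
    return False


# The users file from the reply, one DEFAULT entry per group. grupo1 -> VLAN 3
# is from the post; grupo2 -> VLAN 7 is a constructed second entry.
USERS = [
    ("CN=grupo1,DC=ldaptest,DC=com", {"Tunnel-Medium-Type": "IEEE-802",
                                     "Tunnel-Type": "VLAN",
                                     "Tunnel-Private-Group-Id": "3"}),
    ("CN=grupo2,DC=ldaptest,DC=com", {"Tunnel-Medium-Type": "IEEE-802",
                                     "Tunnel-Type": "VLAN",
                                     "Tunnel-Private-Group-Id": "7"}),
]


def reply_items(directory, user_dn: str):
    """Reply attributes the users file adds; None when the user is in no listed group."""
    for group_dn, items in USERS:
        if ldap_groupcmp(directory, group_dn, user_dn):
            return dict(items)
    return None


DIRECTORY = [
    Entry("CN=grupo1,DC=ldaptest,DC=com", {"top", "group"},
          {"CN=figo,CN=Users,DC=ldaptest,DC=com"}),
    Entry("CN=grupo2,DC=ldaptest,DC=com", {"top", "group"},
          {"CN=alice,CN=Users,DC=ldaptest,DC=com"}),
    Entry("CN=figo,CN=Users,DC=ldaptest,DC=com", {"top", "person", "user"}),
]


if __name__ == "__main__":
    figo = "CN=figo,CN=Users,DC=ldaptest,DC=com"
    print(expand_group_filter(figo))     # same escaping as the expand: line above
    print(reply_items(DIRECTORY, figo))  # Tunnel-Private-Group-Id 3
    print(reply_items(DIRECTORY, "CN=bob,CN=Users,DC=ldaptest,DC=com"))  # None
    # A DN carrying filter metacharacters cannot break out of the member= test:
    print(expand_group_filter("CN=x)(objectClass=*"))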

Get AD Profile

2008-07-12 Thread Nelson Vale
Hi all,


I have my FreeRADIUS deployment (2.0.2) configured to authenticate users against
Active Directory and that is working fine. But I want to retrieve the user's
profile from Active Directory, to add the VLAN ID (Tunnel-Private-Group-Id) to
the Access-Accept reply.

I really don't know how to do this and I couldn't find a clear solution, either
in the documentation (rlm_ldap) or by googling. So I would appreciate it if someone
could give me a hand with this.

What I've done so far is to add this entry to the ldap.attrmap file:

replyItem radiusProfileDn memberOf

The profile I want to retrieve is the CN in this object, like
cn=PROFILE,dc=domain,dc=com, but in the radius debug I'm getting this error:


++[ntdomain] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for figo
expand: %{Stripped-User-Name} - figo
expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}) - (sAMAccountName=figo)
expand: dc=ldaptest,dc=pt - dc=ldaptest,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ldaptest,dc=com, with filter
(sAMAccountName=figo)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Failed to create the pair: Invalid octet string
CN=grupo1,DC=ldaptest,DC=com for attribute name radiusProfileDn
WARNING: No known good password was found in LDAP.  Are you sure that the user is configured correctly?
rlm_ldap: user figo authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
  rlm_eap: EAP packet type response id 8 length 80
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
++[mschap] returns noop
expand: %{Stripped-User-Name} - figo
expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-none}} - figo
++[files] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Success
  Using saved attributes from the original Access-Accept
  rlm_eap: Freeing handler
++[eap] returns ok
Login OK: [LDAPTEST.COM\\figo/via Auth-Type = EAP] (from client portatil port 0 cli 02-00-00-00-00-01)
Sending Access-Accept of id 17 to 192.168.10.200 port 33000
User-Name = figo
MS-MPPE-Recv-Key =
0x69e42b94d9070d50bf16c6f70d904c94799f99dc1aeb8f2c7485968674c5cad5
MS-MPPE-Send-Key =
0xa67fc2e54c9ec96e583225bb123ed223e55846230bbdb26eeb6bb0b16bd5c57d
EAP-Message = 0x03080004
Message-Authenticator = 0x



Is this the way to achieve what I want, or am I completely wrong?

Thnx,



Nelson Vale