Re: LDAP VPN Auth yet not in group?

2010-08-26 Thread Alan DeKok
freerad...@corwyn.net wrote:
> I tracked down where this is different.
> In huntgroups I have:
> VPN_Huntgroup  NAS-IP-Address == x.x.x.x
> In users I have:
> DEFAULT Huntgroup-Name == VPN_Huntgroup, Ldap-Group == "VPN_Users"
> Reply-Message := "Authorized Users Only"
> 
> For a normal user, I see:
> Tue Aug 24 17:02:32 2010 : Info: ++- if (Huntgroup-Name == "VPN_Huntgroup") returns ok

  The "if" statement there is NOT the "users" file.  It is an entry you
added in the file raddb/sites-available/default.

  Run the server in FULL debugging mode to see what it's doing, and why.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP VPN Auth yet not in group?

2010-08-24 Thread freeradius

At 04:48 PM 8/24/2010, Rick Steeves wrote:

> I authenticate VPN users where the VPN Server authenticates against
> an LDAP server and FreeRadius 2.1.8 on CentOS. That generally works
> fine. I'm using a user account to authenticate the radius server
> against AD for the queries.
>
> What's odd is though the other user accounts work, I can't authenticate
> with that actual user account (even though it's in the same Security
> group). Multiple other users in the security group VPN_Users work.


I tracked down where this is different.
In huntgroups I have:
VPN_Huntgroup  NAS-IP-Address == x.x.x.x
In users I have:
DEFAULT Huntgroup-Name == VPN_Huntgroup, Ldap-Group == "VPN_Users"
Reply-Message := "Authorized Users Only"

For a normal user, I see:
Tue Aug 24 17:02:32 2010 : Info: ++- if (Huntgroup-Name == "VPN_Huntgroup") returns ok

Tue Aug 24 17:02:32 2010 : Info: Found Auth-Type = MSCHAP
Tue Aug 24 17:02:32 2010 : Info: +- entering group MS-CHAP {...}

But if the LDAP service account connects with the VPN_Huntgroup set, I see:

Tue Aug 24 16:41:57 2010 : Info: ++- if (Huntgroup-Name == "VPN_Huntgroup") returns reject
Tue Aug 24 16:41:57 2010 : Auth: Invalid user: [_sonicwall] (from client VPN_SOHO port 0)


If I remove
VPN_Huntgroup  NAS-IP-Address == x.x.x.x
from huntgroups, the normal accounts still work and log the same, but 
the LDAP service account now looks like the normal users account in 
the logs, and defaults to MSCHAP and then everything is ok.


As always, no idea why. Any insights appreciated for why that account 
behaves differently.


Thx.

Rick





LDAP VPN Auth yet not in group?

2010-08-24 Thread freeradius

I authenticate VPN users where the VPN Server authenticates against an 
LDAP server and FreeRadius 2.1.8 on CentOS. That generally works 
fine. I'm using a user account to authenticate the radius server 
against AD for the queries.


What's odd is though the other user accounts work, I can't authenticate 
with that actual user account (even though it's in the same Security 
group). Multiple other users in the security group VPN_Users work.


What seems (to me) to be odd in particular is I see
Tue Aug 24 16:41:57 2010 : Info: ++? if (Huntgroup-Name == "VPN_Huntgroup")
Tue Aug 24 16:41:57 2010 : Info: ? Evaluating (Huntgroup-Name == "VPN_Huntgroup") -> TRUE
Tue Aug 24 16:41:57 2010 : Info: ++? if (Huntgroup-Name == "VPN_Huntgroup") -> TRUE
Tue Aug 24 16:41:57 2010 : Info: ++- entering if (Huntgroup-Name == "VPN_Huntgroup") {...}

Tue Aug 24 16:41:57 2010 : Info: +++? if (Ldap-Group == "VPN_Users")
Tue Aug 24 16:41:57 2010 : Debug:   [ldap] Entering ldap_groupcmp()


which makes me think it sees the user _sonicwall in the VPN_Users 
group, but then I get:


Tue Aug 24 16:41:57 2010 : Debug: rlm_ldap::ldap_groupcmp: ldap_get_values() failed
Tue Aug 24 16:41:57 2010 : Debug:   [ldap] ldap_release_conn: Release Id: 0
Tue Aug 24 16:41:57 2010 : Info: ? Evaluating (Ldap-Group == "VPN_Users") -> FALSE
Tue Aug 24 16:41:57 2010 : Info: +++? if (Ldap-Group == "VPN_Users") -> FALSE


Any insights appreciated.

Thanks

Rick

Full output below.

rad_recv: Access-Request packet from host 10.4.1.241 port 1196, id=26, length=126
User-Name = "_sonicwall"
MS-CHAP-Challenge = 0x780006c8503fee2cdf1d2505fe99f322
MS-CHAP2-Response = 0x01002f06ff27350f7121396d65349fc61ca9675d0094d1b342dc5f172dc60bd9fd258fb94fc68aac5ff6
NAS-IP-Address = 10.4.1.241
NAS-Port = 0
Tue Aug 24 16:41:57 2010 : Info: server server_vpn {
Tue Aug 24 16:41:57 2010 : Info: +- entering group authorize {...}
Tue Aug 24 16:41:57 2010 : Info: ++[preprocess] returns ok
Tue Aug 24 16:41:57 2010 : Info: [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
Tue Aug 24 16:41:57 2010 : Info: ++[mschap] returns ok
Tue Aug 24 16:41:57 2010 : Debug:   [ldap] Entering ldap_groupcmp()
Tue Aug 24 16:41:57 2010 : Info: [files]expand: OU=Enterprise,DC=int,DC=invtitle,DC=com -> OU=Enterprise,DC=int,DC=invtitle,DC=com
Tue Aug 24 16:41:57 2010 : Info: [files]expand: %{Stripped-User-Name} ->
Tue Aug 24 16:41:57 2010 : Info: [files]... expanding second conditional
Tue Aug 24 16:41:57 2010 : Info: [files]expand: %{User-Name} -> _sonicwall
Tue Aug 24 16:41:57 2010 : Info: [files]expand: (&(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})(objectClass=person)) -> (&(sAMAccountname=_sonicwall)(objectClass=person))

Tue Aug 24 16:41:57 2010 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Tue Aug 24 16:41:57 2010 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Tue Aug 24 16:41:57 2010 : Debug:   [ldap] performing search in OU=Enterprise,DC=int,DC=invtitle,DC=com, with filter (&(sAMAccountname=_sonicwall)(objectClass=person))

Tue Aug 24 16:41:57 2010 : Debug:   [ldap] ldap_release_conn: Release Id: 0
Tue Aug 24 16:41:57 2010 : Info: [files]expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3d_sonicwall\2cOU\3dService Accounts\2cOU\3dSpecial User Accounts\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dinvtitle\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3d_sonicwall\2cOU\3dService Accounts\2cOU\3dSpecial User Accounts\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dinvtitle\2cDC\3dcom)))

Tue Aug 24 16:41:57 2010 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Tue Aug 24 16:41:57 2010 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Tue Aug 24 16:41:57 2010 : Debug:   [ldap] performing search in OU=Enterprise,DC=int,DC=invtitle,DC=com, with filter (&(cn=VPN_Users)(|(&(objectClass=GroupOfNames)(member=CN\3d_sonicwall\2cOU\3dService Accounts\2cOU\3dSpecial User Accounts\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dinvtitle\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3d_sonicwall\2cOU\3dService Accounts\2cOU\3dSpecial User Accounts\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dinvtitle\2cDC\3dcom

Tue Aug 24 16:41:57 2010 : Debug:   [ldap] object not found
Tue Aug 24 16:41:57 2010 : Debug:   [ldap] ldap_release_conn: Release Id: 0
Tue Aug 24 16:41:57 2010 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Tue Aug 24 16:41:57 2010 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Tue Aug 24 16:41:57 2010 : Debug:   [ldap] performing search in CN=_sonicwall,OU=Service Accounts,OU=Special User Accounts,OU=Enterprise,DC=int,DC=invtitle,DC=com, with filter (objectclass=*)
Tue Aug 24 16:41:57 2010 : Debug: rlm_ldap::ldap_groupcmp: ldap_get_values() failed

Tue Aug 24 16:41:57 2010 : Debug:   [ldap] ldap_release_conn: Release Id:
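The debug output above shows the two steps rlm_ldap's ldap_groupcmp() takes for Ldap-Group: first a search for a GroupOfNames/GroupOfUniqueNames object naming the user's DN (with "=" and "," in the DN escaped as \3d and \2c), and, when that finds nothing, a read of the user's own group-membership attribute, which is where "ldap_get_values() failed" is logged. The following is an added Python model of that logic, not code from the thread or from FreeRADIUS; the in-memory directory, the user names and the memberOf attribute name are constructed assumptions, and the escape set is the one visible in the log.

```python
# Characters rlm_ldap escaped in the user DN in the log above (= -> \3d, , -> \2c).
USER_DN_ESCAPE = set(',+"\\<>;*=()')


def escape_dn_for_filter(dn: str) -> str:
    """Escape a DN the way it appears inside the expanded group filter."""
    return ''.join('\\%02x' % ord(c) if c in USER_DN_ESCAPE else c for c in dn)


def group_membership_filter(group: str, user_dn: str) -> str:
    """The filter of the group search in the log: a group object naming the user."""
    dn = escape_dn_for_filter(user_dn)
    return ('(&(cn=%s)(|(&(objectClass=GroupOfNames)(member=%s))'
            '(&(objectClass=GroupOfUniqueNames)(uniquemember=%s))))' % (group, dn, dn))


def ldap_groupcmp(directory: dict, user_dn: str, group: str, membership_attr: str = 'memberOf') -> str:
    """Simplified model: report which step matched, or why the check failed."""
    # Step 1: a group object of the classes in the filter that lists the user DN.
    for entry in directory.values():
        classes = {c.lower() for c in entry.get('objectClass', [])}
        if entry.get('cn', [''])[0].lower() != group.lower():
            continue
        if 'groupofnames' in classes and user_dn in entry.get('member', []):
            return 'group-object'
        if 'groupofuniquenames' in classes and user_dn in entry.get('uniqueMember', []):
            return 'group-object'
    # Step 2 ("object not found" above): read the user's own membership attribute
    # (membership_attr stands in for the module's groupmembership_attribute setting).
    values = directory.get(user_dn, {}).get(membership_attr, [])
    if not values:
        return 'ldap_get_values() failed'   # the path the service account hits in the log
    # A value may be the bare group name or a DN whose leading CN is the group name.
    if any(v == group or v.split(',', 1)[0].split('=', 1)[-1] == group for v in values):
        return 'user-attribute'
    return 'not a member'


# Constructed directory: an AD-style group (objectClass=group, so step 1 never matches)
# and two users, one of which returns no memberOf values to the bind account.
BASE = 'OU=Enterprise,DC=int,DC=invtitle,DC=com'
DIRECTORY = {
    'CN=VPN_Users,' + BASE: {'objectClass': ['group'], 'cn': ['VPN_Users'],
                             'member': ['CN=alice,' + BASE, 'CN=_sonicwall,' + BASE]},
    'CN=alice,' + BASE: {'objectClass': ['person'], 'memberOf': ['CN=VPN_Users,' + BASE]},
    'CN=_sonicwall,' + BASE: {'objectClass': ['person']},
}

if __name__ == '__main__':
    for user in ('alice', '_sonicwall'):
        print(user, '->', ldap_groupcmp(DIRECTORY, 'CN=%s,%s' % (user, BASE), 'VPN_Users'))
```

Running ldapsearch with the module's bind credentials and the same two filters is the quickest way to see which of the two steps differs for one account.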