Re: groupcmp fails during tunneled request

2009-08-25 Thread Matthieu Lazaro

Hello,

Just to inform you that I have solved the problem.
Some parts of the ldap were not indexed properly, so it caused some
trouble with freeradius.

Matthew

Ivan Kalik wrote:
 I fixed the SSL issue, restarted the server and the group check was
 working until now:  *no huntgroup* for user 
 Nothing has changed and the server has not been restarted.

 I just don't understand where the problem is as for the same user it's
 working in the first place, then after a few hours of work, it starts
 failing... without restarting the daemon.
 

 Debug ldap and see what is going on. For some reason you are losing the
 connection to ldap.

 Ivan Kalik
 Kalik Informatika ISP
   

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: groupcmp fails during tunneled request

2009-07-30 Thread Matthieu Lazaro
Hello again,

I'll try to be more specific so someone can give me some advice.

Here is the thing: the server is running, and now the group check is
failing since I can't be authorised because it says that I don't have a
huntgroup (i.e. no huntgroup).
On my ldap account, I do have them.
I stop the server and put it in debug mode: it works flawlessly!!!
I stop the debug and restart freeradius, it works for a while, then it
starts failing again. And I have nothing more in the logs than:

Auth: [preprocess] No huntgroup access:
Error: Discarding duplicate request from client
Error: WARNING: Unresponsive child for request 1953, in module
preprocess component authorize

and sometimes:

Error: TLS Alert read:fatal:access denied
Error: TLS_accept:failed in SSLv3 read client certificate A
Error: rlm_eap: SSL error error:14094419:SSL
routines:SSL3_READ_BYTES:tlsv1 alert access denied
Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.

I'm a bit confused as I can't see the group membership errors in debug as
it doesn't occur. I guess the TLS alert is some client with a wrong CA.

Any help, suggestion will be really appreciated.

Matthew


Matthieu Lazaro wrote:
 Hello,

 I'm still having the issue.
 It all works ok when I restart freeradius or when I run the debug then
 it starts failing a while later.
 I tried to increase the timeout on ldap connections. This did nothing.

 Any idea is welcome.

 Thanks,

 Matthew


 Ivan Kalik wrote:
   
 I don't see anything wrong with that debug. It all looks as expected.

 Ivan Kalik
 Kalik Informatika ISP

   
 


Re: groupcmp fails during tunneled request

2009-07-30 Thread Ivan Kalik
 I stop the server and put it in debug mode: it works flawlessly!!!
 I stop the debug and restart freeradius, it works for a while, then it
 starts failing again. And I have nothing more in the logs than:

 Error: TLS Alert read:fatal:access denied

Fix that. It works in debug mode because the server is running as root.

Ivan Kalik
Kalik Informatika ISP



Re: groupcmp fails during tunneled request

2009-07-30 Thread Matthieu Lazaro
Ivan Kalik wrote:
 I stop the server and put it in debug mode: it works flawlessly!!!
 I stop the debug and restart freeradius, it works for a while, then it
 starts failing again. And I have nothing more in the logs than:

 Error: TLS Alert read:fatal:access denied
 

 Fix that. It works in debug mode because the server is running as root.

 Ivan Kalik
 Kalik Informatika ISP

   
I fixed the SSL issue, restarted the server and the group check was
working until now:  *no huntgroup* for user 
Nothing has changed and the server has not been restarted.

I just don't understand where the problem is as for the same user it's
working in the first place, then after a few hours of work, it starts
failing... without restarting the daemon.

Matt


Re: groupcmp fails during tunneled request

2009-07-23 Thread Matthieu Lazaro
Hello,

I'm still having the issue.
It all works ok when I restart freeradius or when I run the debug then
it starts failing a while later.
I tried to increase the timeout on ldap connections. This did nothing.

Any idea is welcome.

Thanks,

Matthew


Ivan Kalik wrote:

 I don't see anything wrong with that debug. It all looks as expected.

 Ivan Kalik
 Kalik Informatika ISP

   


Re: groupcmp fails during tunneled request

2009-07-01 Thread Matthieu Lazaro


Ivan Kalik wrote:
 Ivan Kalik wrote:
 
 I am having an issue with the groups again.

 WIFINAS-Identifier == accessPoint-Manager
 Ldap-Group  == wireless,
 Ldap-Group  == wireless2,

 When I have the attribute wireless it works without a flaw, if I have
 both, it's ok, if I have *ONLY* wireless2 it says no huntgroup  and
 I'm
 rejected.

 
 User is not in wireless2 group in ldap?

 Ivan Kalik
 Kalik Informatika ISP


   
 The user *IS* in the wireless2 group in LDAP... That's why I don't
 understand why it says no huntgroup because wireless works.
 I was thinking about the syntax maybe ( , ==)

 

 Is that user entry or huntgroup entry? In user entry Ldap-Group should be
 on the check line. Post the debug.


 Ivan Kalik
 Kalik Informatika ISP
   
Hello and thanks for the prompt response.

This is a huntgroup entry:

WIFINAS-Identifier == accessPoint-Manager
Ldap-Group  == wireless,
Ldap-Group  == wireless2,

I really wanted to post the debug of a non-working configuration with those
groups, but it seems to work now since I have put it in debug mode. And I
haven't changed anything in the configuration since it didn't work. So
something is really weird. I'll give you the debug since I think some stuff in
it is really strange anyway.

Best Regards,

Matthew

rad_recv: Access-Request packet from host {nas-...@} port 1645, id=142, 
length=156
 User-Name = ldap-test-user
 Framed-MTU = 1400
 Called-Station-Id = 00-1E-13-6E-E7-F0
 Calling-Station-Id = 00-21-E9-AD-65-C9
 Service-Type = Login-User
 Message-Authenticator = x
 EAP-Message = 
 NAS-Port-Type = Wireless-802.11
 NAS-Port = 74057
 NAS-Port-Id = 74057
 NAS-IP-Address = {nas-...@}
 NAS-Identifier = test-access-point
+- entering group authorize {...}
rlm_ldap: Entering ldap_groupcmp()
[preprocess]expand: dc=companyname,dc=com - dc=companyname,dc=com
[preprocess] WARNING: Deprecated conditional expansion :-.  See man unlang 
for details
[preprocess]expand: (uid=%{Stripped-User-Name:-%{User-Name}}) - 
(uid=ldap-test-user)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to radiusserver.companyname.fr:389, authentication 0
rlm_ldap: starting TLS
rlm_ldap: bind as 
uid=radtest,ou=accounts,dc=companyname,dc=com/xxx
 to radiusserver.companyname.fr:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=companyname,dc=com, with filter 
(uid=ldap-test-user)
rlm_ldap: ldap_release_conn: Release Id: 0
[preprocess]expand: 
(|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
 - 
(|((objectClass=GroupOfNames)(member=))((objectClass=GroupOfUniqueNames)(uniquemember=)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=companyname,dc=com, with filter 
((radiusGroupName=wireless)(|((objectClass=GroupOfNames)(member=))((objectClass=GroupOfUniqueNames)(uniquemember=
rlm_ldap: object not found
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in 
uid=ldap-test-user,ou=people,dc=companyname,dc=com, with filter (objectclass=*)
rlm_ldap::groupcmp: Group wireless not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
[preprocess]expand: dc=companyname,dc=com - dc=companyname,dc=com
[preprocess]expand: 
(|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
 - 
(|((objectClass=GroupOfNames)(member=))((objectClass=GroupOfUniqueNames)(uniquemember=)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=companyname,dc=com, with filter 
((radiusGroupName=wireless2)(|((objectClass=GroupOfNames)(member=))((objectClass=GroupOfUniqueNames)(uniquemember=
rlm_ldap: object not found
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in 
uid=ldap-test-user,ou=people,dc=companyname,dc=com, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: User found in group wireless2
rlm_ldap: ldap_release_conn: Release Id: 0
++[preprocess] returns ok
[auth_log]  expand: 
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d - 
/var/log/freeradius/radacct/{nas-...@}/auth-detail-20090630
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to /var/log/freeradius/radacct/{nas-...@}/auth-detail-20090630
[auth_log]  expand: %t - Tue Jun 30 09:39:31 2009
++[auth_log] returns ok
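The debug trace above shows the shape of one ldap_groupcmp() call: a connection is checked out of the pool, the user entry is searched, the group filter is expanded and searched, and the user entry itself is searched as a fallback before preprocess reports its result. Reading that by eye across hours of output is what the thread keeps tripping over, so here is a small Python parser, added as an example and not part of the original thread or of FreeRADIUS, that walks radiusd debug output and summarises, per Access-Request, which Ldap-Group checks matched or failed, whether rlm_ldap had to reconnect mid-request, and whether preprocess reported "No huntgroup access" or an unresponsive child. The sample input is constructed from the lines quoted in this thread; the function and field names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input: a condensed copy of radiusd -X lines quoted in this
# thread, followed by the production log lines from the 2009-07-30 message.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 10.0.0.2 port 32769, id=13, length=219
+- entering group authorize {...}
rlm_ldap: Entering ldap_groupcmp()
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to radiusserver.companyname.fr:389, authentication 0
rlm_ldap: starting TLS
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=companyname,dc=com, with filter (uid=ldap-test-user)
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: object not found
rlm_ldap::groupcmp: Group wireless not found or user not a member
rlm_ldap: Entering ldap_groupcmp()
rlm_ldap::ldap_groupcmp: User found in group wireless2
++[preprocess] returns ok
rad_recv: Access-Request packet from host 10.0.0.2 port 32769, id=14, length=219
+- entering group authorize {...}
rlm_ldap: Entering ldap_groupcmp()
rlm_ldap::groupcmp: Group wireless not found or user not a member
rlm_ldap::groupcmp: Group wireless2 not found or user not a member
Auth: [preprocess] No huntgroup access:
Error: WARNING: Unresponsive child for request 1953, in module preprocess component authorize
"""

# Patterns copied from the message formats visible in the thread's debug output.
RE_REQUEST = re.compile(r"^rad_recv: Access-Request packet from host (\S+) port \d+, id=(\d+)")
RE_FOUND = re.compile(r"^rlm_ldap::(?:ldap_)?groupcmp: User found in group (\S+)")
RE_MISSING = re.compile(r"^rlm_ldap::(?:ldap_)?groupcmp: Group (\S+) not found or user not a member")
RE_RECONNECT = re.compile(r"^rlm_ldap: attempting LDAP reconnection")
RE_NO_HUNTGROUP = re.compile(r"\[preprocess\] No huntgroup access")
RE_UNRESPONSIVE = re.compile(r"Unresponsive child for request (\d+), in module (\S+)")


@dataclass
class RequestSummary:
    client: Optional[str]
    request_id: Optional[str]
    groups_found: List[str] = field(default_factory=list)
    groups_missing: List[str] = field(default_factory=list)
    reconnects: int = 0
    no_huntgroup: bool = False
    unresponsive: List[Tuple[str, str]] = field(default_factory=list)  # (request no., module)


def parse_debug(text: str) -> List[RequestSummary]:
    """Split debug output on rad_recv lines and collect, per request, the
    rlm_ldap group-check outcomes and the preprocess symptoms seen."""
    summaries: List[RequestSummary] = []
    current: Optional[RequestSummary] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = RE_REQUEST.match(line)
        if m:
            current = RequestSummary(client=m.group(1), request_id=m.group(2))
            summaries.append(current)
            continue
        if current is None:
            # Lines before the first rad_recv (startup output) belong to no request.
            current = RequestSummary(client=None, request_id=None)
            summaries.append(current)
        if (m := RE_FOUND.match(line)):
            current.groups_found.append(m.group(1))
        elif (m := RE_MISSING.match(line)):
            current.groups_missing.append(m.group(1))
        elif RE_RECONNECT.match(line):
            current.reconnects += 1
        elif RE_NO_HUNTGROUP.search(line):
            current.no_huntgroup = True
        elif (m := RE_UNRESPONSIVE.search(line)):
            current.unresponsive.append((m.group(1), m.group(2)))
    return summaries


def flag_requests(summaries: List[RequestSummary]) -> List[Tuple[Optional[str], str]]:
    """Return (request id, reason) pairs for requests worth a closer look:
    a pooled LDAP connection that had to be rebuilt, no group check that
    matched, or a module that stopped responding."""
    flags: List[Tuple[Optional[str], str]] = []
    for r in summaries:
        if r.reconnects:
            flags.append((r.request_id, f"LDAP connection re-established {r.reconnects} time(s) mid-request"))
        if r.no_huntgroup or (r.groups_missing and not r.groups_found):
            flags.append((r.request_id, "no Ldap-Group matched: " + ", ".join(r.groups_missing)))
        for req_no, module in r.unresponsive:
            flags.append((r.request_id, f"unresponsive child in module {module} (request {req_no})"))
    return flags


if __name__ == "__main__":
    for request_id, reason in flag_requests(parse_debug(SAMPLE_DEBUG)):
        print(f"request id={request_id}: {reason}")
```

Feed it the output of `radiusd -X` (or the tail of the production log with `Error:`/`Auth:` prefixes, which the patterns tolerate) and the reconnect flag in particular makes the symptom Ivan points at, the LDAP connection being lost between requests, visible without reading every ldap_get_conn line.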

Re: groupcmp fails during tunneled request

2009-07-01 Thread Ivan Kalik



I don't see anything wrong with that debug. It all looks as expected.

Ivan Kalik
Kalik Informatika ISP



Re: groupcmp fails during tunneled request

2009-06-29 Thread Matthieu Lazaro
Ivan Kalik wrote:
 Content of my huntgroup file.
 WIFINAS-Identifier == accessPoint-Manager
 Ldap-Group  == wireless,
 Ldap-Group  == wireless2,
 REM NAS-IP-Address == 10.44.12.2
 Ldap-Group == REM

 

 OK.

   
 Content of my user file:
 DEFAULT Framed-Protocol == PPP
 Framed-Protocol = PPP,
 Framed-Compression = Van-Jacobson-TCP-IP
 DEFAULT Hint == CSLIP
 Framed-Protocol = SLIP,
 Framed-Compression = Van-Jacobson-TCP-IP
 DEFAULT Hint == SLIP
 Framed-Protocol = SLIP
 DEFAULT Ldap-Group == BANNED , Auth-Type := Reject
 Reply-Message = Account disabled.  Please call the helpdesk.
 DEFAULT Huntgroup-Name == WIFI, Auth-Type = eap
 Fall-Through = no,
 

 That should match (remove that Auth-Type from this and REM entry). But ...

   
 DEFAULT Huntgroup-Name == REM, Auth-Type = ldap
 Fall-Through = no,
 DEFAULT Auth-Type := Reject
 Reply-Message = Please call the helpdesk.

 
 ...
   
 server inner-tunnel {
 +- entering group authorize {...}
 ++[mschap] returns noop
 [suffix] No '@' in User-Name = alicebob, looking up realm NULL
 [suffix] No such realm NULL
 ++[suffix] returns noop
 [eap] EAP packet type response id 7 length 11
 [eap] No EAP Start, assuming it's an on-going EAP conversation
 ++[eap] returns updated
 rlm_ldap: Entering ldap_groupcmp()
 [files] expand: dc=companyname,dc=com - dc=companyname,dc=com
 

 ... you haven't enabled preprocess in inner-tunnel server. Huntgroups are
 processed in preprocess.

 Ivan Kalik
 Kalik Informatika ISP

   
Hello Again,

I am having an issue with the groups again.

WIFINAS-Identifier == accessPoint-Manager
Ldap-Group  == wireless,
Ldap-Group  == wireless2,

When I have the attribute wireless it works without a flaw, if I have both, 
it's ok, if I have *ONLY* wireless2 it says no huntgroup  and I'm rejected.

Any ideas?

Best Regards,

Matthew





Re: groupcmp fails during tunneled request

2009-06-29 Thread Ivan Kalik
 I am having an issue with the groups again.

 WIFINAS-Identifier == accessPoint-Manager
 Ldap-Group  == wireless,
 Ldap-Group  == wireless2,

 When I have the attribute wireless it works without a flaw, if I have
 both, it's ok, if I have *ONLY* wireless2 it says no huntgroup  and I'm
 rejected.

User is not in wireless2 group in ldap?

Ivan Kalik
Kalik Informatika ISP



Re: groupcmp fails during tunneled request

2009-06-29 Thread Matthieu Lazaro
Ivan Kalik wrote:
 I am having an issue with the groups again.

 WIFINAS-Identifier == accessPoint-Manager
 Ldap-Group  == wireless,
 Ldap-Group  == wireless2,

 When I have the attribute wireless it works without a flaw, if I have
 both, it's ok, if I have *ONLY* wireless2 it says no huntgroup  and I'm
 rejected.
 

 User is not in wireless2 group in ldap?

 Ivan Kalik
 Kalik Informatika ISP

   

The user *IS* in the wireless2 group in LDAP... That's why I don't
understand why it says no huntgroup because wireless works.
I was thinking about the syntax maybe ( , ==)


Re: groupcmp fails during tunneled request

2009-04-28 Thread Ivan Kalik
 I'm having an issue with the group check (ldap_groupcmp).

 Everything is fine until the request is tunnelled, and I can't find out
 why my user is rejected there.
 It seems that he ends in this section during this phase:
 DEFAULT Ldap-Group == BANNED , Auth-Type := Reject
 Reply-Message = Account disabled.  Please call the helpdesk.


No. That didn't match.

 Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap::groupcmp: Group BANNED not
 found or user not a member

See.

 Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap: ldap_release_conn: Release Id:
 0
 Tue Apr 28 11:42:35 2009 : Info: [files] users: Matched entry DEFAULT at
 line 15

But something else did. What is on line 15 in users file?

 Tell me if you need more debug output...

We do. This doesn't show anything. Post the debug with whole inner tunnel
exchange.

 It was working perfectly before I introduced the group check using the
 huntgroups.


Huntgroups?

Ivan Kalik
Kalik Informatika ISP



Re: groupcmp fails during tunneled request

2009-04-28 Thread Matthieu Lazaro
Ivan Kalik wrote:
 I'm having an issue with the group check (ldap_groupcmp).

 Everything is fine until the request is tunnelled, and I can't find out
 why my user is rejected there.
 It seems that he ends in this section during this phase:
 DEFAULT Ldap-Group == BANNED , Auth-Type := Reject
 Reply-Message = Account disabled.  Please call the helpdesk.

 

 No. That didn't match.

   
 Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap::groupcmp: Group BANNED not
 found or user not a member
 

 See.

   
 Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap: ldap_release_conn: Release Id:
 0
 Tue Apr 28 11:42:35 2009 : Info: [files] users: Matched entry DEFAULT at
 line 15
 

 But something else did. What is on line 15 in users file?
   
DEFAULT Auth-Type := Reject
 Reply-Message = Please call the helpdesk.
   
 Tell me if you need more debug output...
 

 We do. This doesn't show anything. Post the debug with whole inner tunnel
 exchange.

   
 It was working perfectly before I introduced the group check using the
 huntgroups.

 

 Huntgroups?


   
Content of my huntgroup file.
WIFINAS-Identifier == accessPoint-Manager
Ldap-Group  == wireless,
Ldap-Group  == wireless2,
REM NAS-IP-Address == 10.44.12.2
Ldap-Group == REM

Content of my user file:
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == CSLIP
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == SLIP
Framed-Protocol = SLIP
DEFAULT Ldap-Group == BANNED , Auth-Type := Reject
Reply-Message = Account disabled.  Please call the helpdesk.
DEFAULT Huntgroup-Name == WIFI, Auth-Type = eap
Fall-Through = no,
DEFAULT Huntgroup-Name == REM, Auth-Type = ldap
Fall-Through = no,
DEFAULT Auth-Type := Reject
Reply-Message = Please call the helpdesk.

Invalid operator for item NAS-Identifier: reverting to '=='
== I have corrected this now

Full Debug:

rad_recv: Access-Request packet from host 10.0.0.2 port 32769, id=13,
length=219
User-Name = alicebob
Calling-Station-Id = 00-13-02-25-CF-40
Called-Station-Id = 00-1E-13-1C-87-00:WiFi-TEST
NAS-Port = 1
NAS-IP-Address = 192.168.225.8
NAS-Identifier = accessPoint-Manager
Airespace-Wlan-Id = 2
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 502
EAP-Message =
0x0207002219001703010017d6d3387b7eed6b4b21f289092b99288904cc4970a60bfc
State = 0x6416d65c6011cf1de638dad1d46f61b2
Message-Authenticator = 0x0b5692123f68b20d631e3b7b45b39069
+- entering group authorize {...}
Invalid operator for item NAS-Identifier: reverting to '=='
rlm_ldap: Entering ldap_groupcmp()
[preprocess]expand: dc=companyname,dc=com - dc=companyname,dc=com
[preprocess] WARNING: Deprecated conditional expansion :-.  See man
unlang for details
[preprocess]expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -
(uid=alicebob)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=companyname,dc=com, with filter
(uid=alicebob)
rlm_ldap: ldap_release_conn: Release Id: 0
[preprocess]expand:
(|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
-
(|((objectClass=GroupOfNames)(member=))((objectClass=GroupOfUniqueNames)(uniquemember=)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=companyname,dc=com, with filter
((radiusGroupName=wireless)(|((objectClass=GroupOfNames)(member=))((objectClass=GroupOfUniqueNames)(uniquemember=
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in
uid=alicebob,ou=companystaff,dc=companyname,dc=com, with filter
(objectclass=*)
rlm_ldap::ldap_groupcmp: User found in group wireless
rlm_ldap: ldap_release_conn: Release Id: 0
++[preprocess] returns ok
[auth_log]  expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -
/var/log/freeradius/radacct/10.0.0.2/auth-detail-20090428
[auth_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/10.0.0.2/auth-detail-20090428
[auth_log]  expand: %t - Tue Apr 28 16:10:52 2009
++[auth_log] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = alicebob, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 7 length 34
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request