Re: groupcmp fails during tunneled request
Hello,

Just to inform you that I have solved the problem. Some parts of the LDAP were not indexed properly, so it caused some trouble with freeradius.

Matthew

Ivan Kalik wrote:
> > I fixed the SSL issue, restarted the server and the group check was working until now:
> >
> >     *no huntgroup* for user
> >
> > Nothing has changed and the server has not been restarted. I just don't understand where the problem is, as for the same user it's working in the first place, then after a few hours of work it starts failing... without restarting the daemon.
>
> Debug ldap and see what is going on. For some reason you are losing the connection to ldap.
>
> Ivan Kalik
> Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
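A triage script for the radius.log lines quoted in this thread, added here as an example (it is not part of the thread and not FreeRADIUS code): it strips the timestamp prefix, sorts each line into a stalled-backend, client-TLS or authorization bucket, and pulls out the stalled request id and the group reported missing, so the unrelated TLS alert is not chased as the cause of the huntgroup failure. The sample log, bucket names, patterns and hint texts are my own constructions.

```python
import re
from collections import Counter
# Constructed sample: the radius.log and debug lines quoted in this thread.
SAMPLE_LOG = """\
Auth: [preprocess] No huntgroup access:
Error: Discarding duplicate request from client
Error: WARNING: Unresponsive child for request 1953, in module preprocess component authorize
Error: TLS Alert read:fatal:access denied
Error: rlm_eap: SSL error error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to radiusserver.companyname.fr:389, authentication 0
Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap::groupcmp: Group BANNED not found or user not a member
"""
# Prefix radiusd writes in front of each line when it is not running in debug mode.
TIMESTAMP = re.compile(r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} : ")
# Bucket names, patterns and hints are my own (assumption); the first matching rule wins.
# "Discarding duplicate request" means the NAS retransmitted because the answer came too late.
RULES = [
    ("backend_stall", re.compile(r"Unresponsive child for request (?P<req>\d+), in module (?P<module>\S+)")),
    ("backend_stall", re.compile(r"rlm_ldap: (attempting LDAP reconnection|\(re\)connect to)|Discarding duplicate request")),
    ("client_tls", re.compile(r"TLS Alert read|TLS_accept:failed|rlm_eap: SSL error|SSL_read failed")),
    ("authorization", re.compile(r"No huntgroup access|groupcmp: Group (?P<group>\S+) not found")),
]
HINTS = {
    "backend_stall": "children block in preprocess/rlm_ldap; check LDAP reachability, search time and indexes",
    "client_tls": "a supplicant presented a certificate the server rejects; unrelated to the group check",
    "authorization": "huntgroup/Ldap-Group check failed; make sure preprocess runs where the check happens",
}

def classify(line):
    """Return (bucket, captured fields) for one log line, or (None, {}) if no rule matches."""
    line = TIMESTAMP.sub("", line.strip())
    for bucket, rx in RULES:
        m = rx.search(line)
        if m:
            return bucket, {k: v for k, v in m.groupdict().items() if v}
    return None, {}

def triage(text):
    """Count lines per bucket; collect (request id, module) of stalls and groups reported missing."""
    report = {"counts": Counter(), "stalled": [], "groups_missing": []}
    for line in text.splitlines():
        bucket, fields = classify(line)
        report["counts"][bucket or "unmatched"] += 1
        if "req" in fields:
            report["stalled"].append((int(fields["req"]), fields["module"]))
        if "group" in fields:
            report["groups_missing"].append(fields["group"])
    return report

def verdict(report):
    """One hint per bucket seen, most frequent bucket first."""
    return [f"{b} ({n} lines): {HINTS.get(b, 'no rule matched')}" for b, n in report["counts"].most_common()]
```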
Re: groupcmp fails during tunneled request
Hello again,

I'll try to be more specific so someone can give me some advice. Here is the thing: the server is running, and now the group check is failing, since I can't be authorised because it says that I don't have a huntgroup (i.e. "no huntgroup"). On my LDAP account, I do have them.

I stop the server and put it in debug mode: it works flawlessly!!!

I stop the debug and restart freeradius, it works a while, then it starts failing again. And I have nothing more in the logs than:

    Auth: [preprocess] No huntgroup access:
    Error: Discarding duplicate request from client
    Error: WARNING: Unresponsive child for request 1953, in module preprocess component authorize

and sometimes:

    Error: TLS Alert read:fatal:access denied
    Error: TLS_accept:failed in SSLv3 read client certificate A
    Error: rlm_eap: SSL error error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
    Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.

I'm a bit confused, as I can't see the group membership errors in debug because they don't occur there. I guess the TLS alert is some client with a wrong CA.

Any help or suggestion will be really appreciated.

Matthew

Matthieu Lazaro wrote:
> Hello,
>
> I'm still having the issue. It all works ok when I restart freeradius or when I run the debug, then it starts failing a while later. I tried to increase the timeout on LDAP connections. This did nothing.
>
> Any idea is welcome.
>
> Thanks,
> Matthew
>
> Ivan Kalik wrote:
> > I don't see anything wrong with that debug. It all looks as expected.
> >
> > Ivan Kalik
> > Kalik Informatika ISP
Re: groupcmp fails during tunneled request
> I stop the server and put it in debug mode: it works flawlessly!!!
>
> I stop the debug and restart freeradius, it works a while, then it starts failing again. And I have nothing more in the logs than:
>
>     Error: TLS Alert read:fatal:access denied

Fix that. It works in debug mode because the server is running as root.

Ivan Kalik
Kalik Informatika ISP
Re: groupcmp fails during tunneled request
Ivan Kalik wrote:
> > I stop the server and put it in debug mode: it works flawlessly!!!
> >
> > I stop the debug and restart freeradius, it works a while, then it starts failing again. And I have nothing more in the logs than:
> >
> >     Error: TLS Alert read:fatal:access denied
>
> Fix that. It works in debug mode because the server is running as root.
>
> Ivan Kalik
> Kalik Informatika ISP

I fixed the SSL issue, restarted the server and the group check was working until now:

    *no huntgroup* for user

Nothing has changed and the server has not been restarted. I just don't understand where the problem is, as for the same user it's working in the first place, then after a few hours of work it starts failing... without restarting the daemon.

Matt
Re: groupcmp fails during tunneled request
Hello,

I'm still having the issue. It all works ok when I restart freeradius or when I run the debug, then it starts failing a while later. I tried to increase the timeout on LDAP connections. This did nothing.

Any idea is welcome.

Thanks,
Matthew

Ivan Kalik wrote:
> I don't see anything wrong with that debug. It all looks as expected.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: groupcmp fails during tunneled request
Ivan Kalik wrote:
> > Ivan Kalik wrote:
> > > > I am having an issue with the groups again.
> > > >
> > > >     WIFI    NAS-Identifier == accessPoint-Manager
> > > >             Ldap-Group == wireless,
> > > >             Ldap-Group == wireless2,
> > > >
> > > > When I have the attribute wireless it works without a flaw; if I have both, it's ok; if I have *ONLY* wireless2 it says no huntgroup and I'm rejected.
> > >
> > > User is not in wireless2 group in ldap?
> > >
> > > Ivan Kalik
> > > Kalik Informatika ISP
> >
> > The user *IS* in the wireless2 group in LDAP... That's why I don't understand why it says no huntgroup, because wireless works. I was thinking about the syntax maybe ( , ==).
>
> Is that user entry or huntgroup entry? In user entry Ldap-Group should be on the check line.
>
> Post the debug.
>
> Ivan Kalik
> Kalik Informatika ISP

Hello and thanks for the prompt response.

This is a huntgroup entry:

    WIFI    NAS-Identifier == accessPoint-Manager
            Ldap-Group == wireless,
            Ldap-Group == wireless2,

I really wanted to post the debug of a non-working configuration with those groups, but it seems to work now since I have put it in debug mode. And I haven't changed anything in the configuration since it didn't work. So something is really weird. I'll give you the debug since I think some stuff in it is really strange anyway.

Best Regards,
Matthew

    rad_recv: Access-Request packet from host {nas-...@} port 1645, id=142, length=156
            User-Name = ldap-test-user
            Framed-MTU = 1400
            Called-Station-Id = 00-1E-13-6E-E7-F0
            Calling-Station-Id = 00-21-E9-AD-65-C9
            Service-Type = Login-User
            Message-Authenticator = x
            EAP-Message =
            NAS-Port-Type = Wireless-802.11
            NAS-Port = 74057
            NAS-Port-Id = 74057
            NAS-IP-Address = {nas-...@}
            NAS-Identifier = test-access-point
    +- entering group authorize {...}
    rlm_ldap: Entering ldap_groupcmp()
    [preprocess]expand: dc=companyname,dc=com -> dc=companyname,dc=com
    [preprocess] WARNING: Deprecated conditional expansion :-.  See man unlang for details
    [preprocess]expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=ldap-test-user)
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to radiusserver.companyname.fr:389, authentication 0
    rlm_ldap: starting TLS
    rlm_ldap: bind as uid=radtest,ou=accounts,dc=companyname,dc=com/xxx to radiusserver.companyname.fr:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind was successful
    rlm_ldap: performing search in dc=companyname,dc=com, with filter (uid=ldap-test-user)
    rlm_ldap: ldap_release_conn: Release Id: 0
    [preprocess]expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in dc=companyname,dc=com, with filter (&(radiusGroupName=wireless)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=
    rlm_ldap: object not found
    rlm_ldap: ldap_release_conn: Release Id: 0
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in uid=ldap-test-user,ou=people,dc=companyname,dc=com, with filter (objectclass=*)
    rlm_ldap::groupcmp: Group wireless not found or user not a member
    rlm_ldap: ldap_release_conn: Release Id: 0
    rlm_ldap: Entering ldap_groupcmp()
    [preprocess]expand: dc=companyname,dc=com -> dc=companyname,dc=com
    [preprocess]expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in dc=companyname,dc=com, with filter (&(radiusGroupName=wireless2)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=
    rlm_ldap: object not found
    rlm_ldap: ldap_release_conn: Release Id: 0
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in uid=ldap-test-user,ou=people,dc=companyname,dc=com, with filter (objectclass=*)
    rlm_ldap::ldap_groupcmp: User found in group wireless2
    rlm_ldap: ldap_release_conn: Release Id: 0
    ++[preprocess] returns ok
    [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/{nas-...@}/auth-detail-20090630
    [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/{nas-...@}/auth-detail-20090630
    [auth_log] expand: %t -> Tue Jun 30 09:39:31 2009
    ++[auth_log] returns ok
Re: groupcmp fails during tunneled request
I don't see anything wrong with that debug. It all looks as expected.

Ivan Kalik
Kalik Informatika ISP
Re: groupcmp fails during tunneled request
Ivan Kalik wrote:
> > Content of my huntgroup file.
> >
> >     WIFI    NAS-Identifier == accessPoint-Manager
> >             Ldap-Group == wireless,
> >             Ldap-Group == wireless2,
> >
> >     REM     NAS-IP-Address == 10.44.12.2
> >             Ldap-Group == REM
>
> OK.
>
> > Content of my user file:
> >
> >     DEFAULT Framed-Protocol == PPP
> >             Framed-Protocol = PPP,
> >             Framed-Compression = Van-Jacobson-TCP-IP
> >
> >     DEFAULT Hint == CSLIP
> >             Framed-Protocol = SLIP,
> >             Framed-Compression = Van-Jacobson-TCP-IP
> >
> >     DEFAULT Hint == SLIP
> >             Framed-Protocol = SLIP
> >
> >     DEFAULT Ldap-Group == BANNED , Auth-Type := Reject
> >             Reply-Message = Account disabled. Please call the helpdesk.
> >
> >     DEFAULT Huntgroup-Name == WIFI, Auth-Type = eap
> >             Fall-Through = no,
>
> That should match (remove that Auth-Type from this and REM entry). But ...
>
> >     DEFAULT Huntgroup-Name == REM, Auth-Type = ldap
> >             Fall-Through = no,
> >
> >     DEFAULT Auth-Type := Reject
> >             Reply-Message = Please call the helpdesk.
> >
> > ...
> >
> >     server inner-tunnel {
> >     +- entering group authorize {...}
> >     ++[mschap] returns noop
> >     [suffix] No '@' in User-Name = alicebob, looking up realm NULL
> >     [suffix] No such realm NULL
> >     ++[suffix] returns noop
> >     [eap] EAP packet type response id 7 length 11
> >     [eap] No EAP Start, assuming it's an on-going EAP conversation
> >     ++[eap] returns updated
> >     rlm_ldap: Entering ldap_groupcmp()
> >     [files] expand: dc=companyname,dc=com -> dc=companyname,dc=com
> >
> > ...
>
> you haven't enabled preprocess in inner-tunnel server. Huntgroups are processed in preprocess.
>
> Ivan Kalik
> Kalik Informatika ISP

Hello Again,

I am having an issue with the groups again.

    WIFI    NAS-Identifier == accessPoint-Manager
            Ldap-Group == wireless,
            Ldap-Group == wireless2,

When I have the attribute wireless it works without a flaw; if I have both, it's ok; if I have *ONLY* wireless2 it says no huntgroup and I'm rejected.

Any ideas?

Best Regards,
Matthew
Re: groupcmp fails during tunneled request
> I am having an issue with the groups again.
>
>     WIFI    NAS-Identifier == accessPoint-Manager
>             Ldap-Group == wireless,
>             Ldap-Group == wireless2,
>
> When I have the attribute wireless it works without a flaw; if I have both, it's ok; if I have *ONLY* wireless2 it says no huntgroup and I'm rejected.

User is not in wireless2 group in ldap?

Ivan Kalik
Kalik Informatika ISP
Re: groupcmp fails during tunneled request
Ivan Kalik wrote:
> > I am having an issue with the groups again.
> >
> >     WIFI    NAS-Identifier == accessPoint-Manager
> >             Ldap-Group == wireless,
> >             Ldap-Group == wireless2,
> >
> > When I have the attribute wireless it works without a flaw; if I have both, it's ok; if I have *ONLY* wireless2 it says no huntgroup and I'm rejected.
>
> User is not in wireless2 group in ldap?
>
> Ivan Kalik
> Kalik Informatika ISP

The user *IS* in the wireless2 group in LDAP... That's why I don't understand why it says no huntgroup, because wireless works. I was thinking about the syntax maybe ( , ==).
Re: groupcmp fails during tunneled request
> I'm having an issue with the group check (ldap_groupcmp). Everything is fine until the request is tunnelled, and I can't find out why my user is rejected there. It seems that he ends in this section during this phase:
>
>     DEFAULT Ldap-Group == BANNED , Auth-Type := Reject
>             Reply-Message = Account disabled. Please call the helpdesk.

No. That didn't match.

>     Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap::groupcmp: Group BANNED not found or user not a member

See.

>     Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
>     Tue Apr 28 11:42:35 2009 : Info: [files] users: Matched entry DEFAULT at line 15

But something else did. What is on line 15 in users file?

> Tell me if you need more debug output...

We do. This doesn't show anything. Post the debug with whole inner tunnel exchange.

> It was working perfectly before I introduced the group check using the huntgroups.

Huntgroups?

Ivan Kalik
Kalik Informatika ISP
Re: groupcmp fails during tunneled request
Ivan Kalik wrote:
> > I'm having an issue with the group check (ldap_groupcmp). Everything is fine until the request is tunnelled, and I can't find out why my user is rejected there. It seems that he ends in this section during this phase:
> >
> >     DEFAULT Ldap-Group == BANNED , Auth-Type := Reject
> >             Reply-Message = Account disabled. Please call the helpdesk.
>
> No. That didn't match.
>
> >     Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap::groupcmp: Group BANNED not found or user not a member
>
> See.
>
> >     Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
> >     Tue Apr 28 11:42:35 2009 : Info: [files] users: Matched entry DEFAULT at line 15
>
> But something else did. What is on line 15 in users file?

    DEFAULT Auth-Type := Reject
            Reply-Message = Please call the helpdesk.

> > Tell me if you need more debug output...
>
> We do. This doesn't show anything. Post the debug with whole inner tunnel exchange.
>
> > It was working perfectly before I introduced the group check using the huntgroups.
>
> Huntgroups?

Content of my huntgroup file.

    WIFI    NAS-Identifier == accessPoint-Manager
            Ldap-Group == wireless,
            Ldap-Group == wireless2,

    REM     NAS-IP-Address == 10.44.12.2
            Ldap-Group == REM

Content of my user file:

    DEFAULT Framed-Protocol == PPP
            Framed-Protocol = PPP,
            Framed-Compression = Van-Jacobson-TCP-IP

    DEFAULT Hint == CSLIP
            Framed-Protocol = SLIP,
            Framed-Compression = Van-Jacobson-TCP-IP

    DEFAULT Hint == SLIP
            Framed-Protocol = SLIP

    DEFAULT Ldap-Group == BANNED , Auth-Type := Reject
            Reply-Message = Account disabled. Please call the helpdesk.

    DEFAULT Huntgroup-Name == WIFI, Auth-Type = eap
            Fall-Through = no,

    DEFAULT Huntgroup-Name == REM, Auth-Type = ldap
            Fall-Through = no,

    DEFAULT Auth-Type := Reject
            Reply-Message = Please call the helpdesk.

    Invalid operator for item NAS-Identifier: reverting to '=='

==> I have corrected this now.

Full Debug:

    rad_recv: Access-Request packet from host 10.0.0.2 port 32769, id=13, length=219
            User-Name = alicebob
            Calling-Station-Id = 00-13-02-25-CF-40
            Called-Station-Id = 00-1E-13-1C-87-00:WiFi-TEST
            NAS-Port = 1
            NAS-IP-Address = 192.168.225.8
            NAS-Identifier = accessPoint-Manager
            Airespace-Wlan-Id = 2
            Service-Type = Framed-User
            Framed-MTU = 1300
            NAS-Port-Type = Wireless-802.11
            Tunnel-Type:0 = VLAN
            Tunnel-Medium-Type:0 = IEEE-802
            Tunnel-Private-Group-Id:0 = 502
            EAP-Message = 0x0207002219001703010017d6d3387b7eed6b4b21f289092b99288904cc4970a60bfc
            State = 0x6416d65c6011cf1de638dad1d46f61b2
            Message-Authenticator = 0x0b5692123f68b20d631e3b7b45b39069
    +- entering group authorize {...}
    Invalid operator for item NAS-Identifier: reverting to '=='
    rlm_ldap: Entering ldap_groupcmp()
    [preprocess]expand: dc=companyname,dc=com -> dc=companyname,dc=com
    [preprocess] WARNING: Deprecated conditional expansion :-.  See man unlang for details
    [preprocess]expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=alicebob)
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in dc=companyname,dc=com, with filter (uid=alicebob)
    rlm_ldap: ldap_release_conn: Release Id: 0
    [preprocess]expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in dc=companyname,dc=com, with filter (&(radiusGroupName=wireless)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=
    rlm_ldap: object not found or got ambiguous search result
    rlm_ldap: ldap_release_conn: Release Id: 0
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in uid=alicebob,ou=companystaff,dc=companyname,dc=com, with filter (objectclass=*)
    rlm_ldap::ldap_groupcmp: User found in group wireless
    rlm_ldap: ldap_release_conn: Release Id: 0
    ++[preprocess] returns ok
    [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.0.0.2/auth-detail-20090428
    [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.0.0.2/auth-detail-20090428
    [auth_log] expand: %t -> Tue Apr 28 16:10:52 2009
    ++[auth_log] returns ok
    ++[mschap] returns noop
    [suffix] No '@' in User-Name = alicebob, looking up realm NULL
    [suffix] No such realm NULL
    ++[suffix] returns noop
    [eap] EAP packet type response id 7 length 34
    [eap] Continuing tunnel setup.
    ++[eap] returns ok
    Found Auth-Type = EAP
    +- entering group authenticate {...}
    [eap] Request