Issue with VLAN Assignment during 802.1x Authentication in RADIUS (Incorrect LDAP Query)

Hello,

I’ve encountered an issue with VLAN assignment for users authenticating via 802.1x. While the users authenticate successfully, the VLAN is not being assigned. After reviewing the Freeradius debug logs, I noticed that the Tunnel-Private-Group-Id attribute is not included in the Reply-Message. Further investigation revealed that the LDAP query is constructed incorrectly, using the %{User-Name} variable, which includes the domain name and a backslash (\), resulting in a malformed query like uid=domainname\5cusername.

Example from the Freeradius debug log:

(25)     if ("%{tolower:%{request:User-Name}}" =~ /^host\/(.*)\.domainname.example.com/)  -> FALSE
(25)     if (control:Auth-Type == "CSID" || (Calling-Station-Id && EAP-Message && control:Cleartext-Password)) {
(25)     if (control:Auth-Type == "CSID" || (Calling-Station-Id && EAP-Message && control:Cleartext-Password))  -> FALSE
(25)     if ("%{ldap:ldap:///dc=domainname,dc=example,dc=com?uid?sub?(|(uid=%{User-Name})(macAddress=%{Calling-Station-Id}))}") {
rlm_ldap (ldap): Reserved connection (12)
(25)     Performing search in "dc=domainname,dc=example,dc=com" with filter "(|(uid=domainname\5cusername)(macAddress=0C:37:96:<mask>))", scope "sub"
(25)     Waiting for search result...
(25)     Search returned no results
rlm_ldap (ldap): Released connection (12)
(25)     EXPAND %{ldap:ldap:///dc=domainname,dc=example,dc=com?uid?sub?(|(uid=%{User-Name})(macAddress=%{Calling-Station-Id}))}
(25)        --> 
(25)     if ("%{ldap:ldap:///dc=domainname,dc=example,dc=com?uid?sub?(|(uid=%{User-Name})(macAddress=%{Calling-Station-Id}))}")  -> FALSE

As a result, the query does not return any results, and the VLAN is not assigned.

Solution: I modified the Freeradius configuration /etc/freeradius/3.0/sites-enabled/default by replacing the %{User-Name} variable with %{Stripped-User-Name} to ensure the LDAP query is constructed correctly without the domain name and backslash:

if ("%{ldap:ldap:///dc=domainname,dc=example,dc=com?uid?sub?(|(uid=%{Stripped-User-Name})(macAddress=%{Calling-Station-Id}))}") {

After this change, RADIUS started returning the correct VLAN ID:

(10)   Tunnel-Type := VLAN
(10)   Tunnel-Medium-Type := IEEE-802
(10)   Tunnel-Private-Group-Id := "3156"

Question: Is this a bug in UCS (a configuration or logic issue in the LDAP query), or am I missing something? Could there be any unintended side effects from replacing %{User-Name} with %{Stripped-User-Name}?

Thank you in advance for your assistance!

Here’s a patch of my config:

--- sites-available/default     2024-09-05 12:34:34.546155709 +0300
+++ sites-available/default-changed     2024-09-05 12:39:16.774779933 +0300
@@ -832,17 +832,17 @@
     # Check if the user or machine exists and do post-auth actions
     # else do nothing in post-auth
     # This way we also make sure that we do not change the VLAN ID again if the non-EAP-auth (MAC address auth) succeeded before (see above)
-    if ("%{ldap:ldap:///dc=domainname,dc=example,dc=com?uid?sub?(|(uid=%{User-Name})(macAddress=%{Calling-Station-Id}))}") {
+    if ("%{ldap:ldap:///dc=domainname,dc=example,dc=com?uid?sub?(|(uid=%{Stripped-User-Name})(macAddress=%{Calling-Station-Id}))}") {
 
         # For known users as well for known machines we take the vlan-id from the group the user/machine is member of.
         # In case there are assignments for several groups the first vlan-id is automatically taken.
-        if ("%{ldap:ldap:///dc=domainname,dc=example,dc=com?univentionVlanId?sub?(&(|(memberUid=%{User-Name})(macAddress=%{Calling-Station-Id}))(univentionObjectType=groups/group)(univentionVlanId=*)(univentionNetworkAccess=1))}") {
+        if ("%{ldap:ldap:///dc=domainname,dc=example,dc=com?univentionVlanId?sub?(&(|(memberUid=%{Stripped-User-Name})(macAddress=%{Calling-Station-Id}))(univentionObjectType=groups/group)(univentionVlanId=*)(univentionNetworkAccess=1))}") {
 
             update reply {
                 Reply-Message := "DEBUG: Assigning VLAN-ID from user / computer object"
                 Tunnel-Type := VLAN
                 Tunnel-Medium-Type := IEEE-802
-                Tunnel-Private-Group-Id := "%{ldap:ldap:///dc=domainname,dc=example,dc=com?univentionVlanId?sub?(&(|(memberUid=%{User-Name})(memberUid=%{1}))(univentionObjectType=groups/group)(univentionVlanId=*)(univentionNetworkAccess=1))}"
+                Tunnel-Private-Group-Id := "%{ldap:ldap:///dc=domainname,dc=example,dc=com?univentionVlanId?sub?(&(|(memberUid=%{Stripped-User-Name})(memberUid=%{1}))(univentionObjectType=groups/group)(univentionVlanId=*)(univentionNetworkAccess=1))}"
 
 
             }
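Review bot: Stripped-User-Name is only populated when a realm-splitting module (ntdomain, realm or similar) has run earlier in authorize; a request whose User-Name carries no domain prefix leaves it unset, so each of the three filters in this hunk would expand to an empty `(uid=)` / `(memberUid=)` assertion and match nothing, silently losing the VLAN for plain usernames. Suggest the fallback form used by the stock rlm_ldap filter in all three places, e.g. `(uid=%{%{Stripped-User-Name}:-%{User-Name}})` and likewise `(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})`, so the raw name is still tried when nothing was stripped.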

Hi, maybe I have the same problem?

I configured our RADIUS for 802 auth.

My problem is that the usernames are wrong every time.

The Windows machine sends the username "User-Name = "TEST\atest"".
But my LDAP search looks like this:
ldapsearch -x -D "uid=Administrator,cn=users,dc=test,dc=test,dc=de" -W -b "dc=kl,dc=klippel,dc=de" "(&(memberUid=atest)(univentionObjectType=groups/group)(univentionNetworkAccess=1))" cn univentionVLanId
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=test,dc=test,dc=de> with scope subtree
# filter: (&(memberUid=atest)(univentionObjectType=groups/group)(univentionNetworkAccess=1))
# requesting: cn univentionVLanId
#

# sysops_group, test_groups, groups, test.teste.de
dn: cn=sysops_group,cn=kl_groups,cn=groups,dc=test,dc=test,dc=de
cn: sysops_group
univentionVLanId: 201

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

How can I configure the LDAP string to send the correct username "atest"?

I don't understand that problem -.-

The PC is authenticated correctly.

Have a nice day
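An added example for both posts above (my own Python model, not code from either poster, from UCS or from FreeRADIUS): it reproduces the filter expansion seen in the debug log, where a Windows User-Name of the form DOMAIN\user is escaped per RFC 4515 into uid=domainname\5cusername, beside the stripped form with the %{%{Stripped-User-Name}:-%{User-Name}} fallback. The realm split, the escape table and the function names are assumptions standing in for rlm_realm and rlm_ldap behaviour.

```python
"""Model of how a FreeRADIUS LDAP filter expands for a Windows 802.1x
User-Name like DOMAIN\\user, with and without a realm-stripping step.
Added example; the helpers are hypothetical stand-ins, not rlm_ldap code."""
from typing import Optional

# RFC 4515: characters that must be escaped inside a filter assertion value.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it cannot change the filter structure.
    This is what turns the backslash into \\5c in the debug log above."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def strip_nt_domain(user_name: str) -> Optional[str]:
    """Prefix realm split (DOMAIN\\user -> user), like ntdomain/realm would do.
    Returns None when there is no prefix, i.e. Stripped-User-Name stays unset."""
    _domain, sep, user = user_name.partition("\\")
    return user if sep else None


def user_lookup_filter(user_name: str, mac: str, stripped: bool = True) -> str:
    """Build the (|(uid=...)(macAddress=...)) filter from the thread.
    stripped=True emulates %{%{Stripped-User-Name}:-%{User-Name}}: use the
    stripped name when a prefix was present, otherwise fall back to the raw one."""
    name = user_name
    if stripped:
        name = strip_nt_domain(user_name) or user_name
    return "(|(uid=%s)(macAddress=%s))" % (
        escape_filter_value(name), escape_filter_value(mac))


if __name__ == "__main__":
    mac = "0C:37:96:00:00:00"  # constructed sample MAC address
    # Raw User-Name, as in the failing query:
    print(user_lookup_filter("domainname\\username", mac, stripped=False))
    # -> (|(uid=domainname\5cusername)(macAddress=0C:37:96:00:00:00))
    # Stripped name, as after the fix:
    print(user_lookup_filter("domainname\\username", mac))
    # -> (|(uid=username)(macAddress=0C:37:96:00:00:00))
    # No prefix at all: the fallback keeps the raw name instead of an empty uid=
    print(user_lookup_filter("atest", mac))
    # Filter metacharacters in the name are neutralised by the escaping:
    print(user_lookup_filter("*)(uid=*", mac))
```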