Issue with VLAN Assignment during 802.1x Authentication in RADIUS (Incorrect LDAP Query)

Hello,

I’ve encountered an issue with VLAN assignment for users authenticating via 802.1x. While the users authenticate successfully, the VLAN is not being assigned. After reviewing the Freeradius debug logs, I noticed that the Tunnel-Private-Group-Id attribute is not included in the Reply-Message. Further investigation revealed that the LDAP query is constructed incorrectly, using the %{User-Name} variable, which includes the domain name and a backslash (\\), resulting in a malformed query like uid=domainname\5cusername.

Example from the Freeradius debug log:

(25)     if ("%{tolower:%{request:User-Name}}" =~ /^host\/(.*)\.domainname.example.com/)  -> FALSE
(25)     if (control:Auth-Type == "CSID" || (Calling-Station-Id && EAP-Message && control:Cleartext-Password)) {
(25)     if (control:Auth-Type == "CSID" || (Calling-Station-Id && EAP-Message && control:Cleartext-Password))  -> FALSE
(25)     if ("%{ldap:ldap:///dc=domainname,dc=example,dc=com?uid?sub?(|(uid=%{User-Name})(macAddress=%{Calling-Station-Id}))}") {
rlm_ldap (ldap): Reserved connection (12)
(25)     Performing search in "dc=domainname,dc=example,dc=com" with filter "(|(uid=domainname\5cusername)(macAddress=0C:37:96:<mask>))", scope "sub"
(25)     Waiting for search result...
(25)     Search returned no results
rlm_ldap (ldap): Released connection (12)
(25)     EXPAND %{ldap:ldap:///dc=domainname,dc=example,dc=com?uid?sub?(|(uid=%{User-Name})(macAddress=%{Calling-Station-Id}))}
(25)        --> 
(25)     if ("%{ldap:ldap:///dc=domainname,dc=example,dc=com?uid?sub?(|(uid=%{User-Name})(macAddress=%{Calling-Station-Id}))}")  -> FALSE

As a result, the query does not return any results, and the VLAN is not assigned.

Solution: I modified the Freeradius configuration /etc/freeradius/3.0/sites-enabled/default by replacing the %{User-Name} variable with %{Stripped-User-Name} to ensure the LDAP query is constructed correctly without the domain name and backslash:

if ("%{ldap:ldap:///dc=domainname,dc=example,dc=com?uid?sub?(|(uid=%{Stripped-User-Name})(macAddress=%{Calling-Station-Id}))}") {

After this change, RADIUS started returning the correct VLAN ID:

(10)   Tunnel-Type := VLAN
(10)   Tunnel-Medium-Type := IEEE-802
(10)   Tunnel-Private-Group-Id := "3156"

Question: Is this a bug in UCS (a configuration or logic issue in the LDAP query), or am I missing something? Could there be any unintended side effects from replacing %{User-Name} with %{Stripped-User-Name}?

Thank you in advance for your assistance!

Here’s a patch of my config:

--- sites-available/default     2024-09-05 12:34:34.546155709 +0300
+++ sites-available/default-changed     2024-09-05 12:39:16.774779933 +0300
@@ -832,17 +832,17 @@
     # Check if the user or machine exists and do post-auth actions
     # else do nothing in post-auth
     # This way we also make sure that we do not change the VLAN ID again if the non-EAP-auth (MAC address auth) succeeded before (see above)
-    if ("%{ldap:ldap:///dc=domainname,dc=example,dc=com?uid?sub?(|(uid=%{User-Name})(macAddress=%{Calling-Station-Id}))}") {
+    if ("%{ldap:ldap:///dc=domainname,dc=example,dc=com?uid?sub?(|(uid=%{Stripped-User-Name})(macAddress=%{Calling-Station-Id}))}") {
 
         # For known users as well for known machines we take the vlan-id from the group the user/machine is member of.
         # In case there are assignments for several groups the first vlan-id is automatically taken.
-        if ("%{ldap:ldap:///dc=domainname,dc=example,dc=com?univentionVlanId?sub?(&(|(memberUid=%{User-Name})(macAddress=%{Calling-Station-Id}))(univentionObjectType=groups/group)(univentionVlanId=*)(univentionNetworkAccess=1))}") {
+        if ("%{ldap:ldap:///dc=domainname,dc=example,dc=com?univentionVlanId?sub?(&(|(memberUid=%{Stripped-User-Name})(macAddress=%{Calling-Station-Id}))(univentionObjectType=groups/group)(univentionVlanId=*)(univentionNetworkAccess=1))}") {
 
             update reply {
                 Reply-Message := "DEBUG: Assigning VLAN-ID from user / computer object"
                 Tunnel-Type := VLAN
                 Tunnel-Medium-Type := IEEE-802
-                Tunnel-Private-Group-Id := "%{ldap:ldap:///dc=domainname,dc=example,dc=com?univentionVlanId?sub?(&(|(memberUid=%{User-Name})(memberUid=%{1}))(univentionObjectType=groups/group)(univentionVlanId=*)(univentionNetworkAccess=1))}"
+                Tunnel-Private-Group-Id := "%{ldap:ldap:///dc=domainname,dc=example,dc=com?univentionVlanId?sub?(&(|(memberUid=%{Stripped-User-Name})(memberUid=%{1}))(univentionObjectType=groups/group)(univentionVlanId=*)(univentionNetworkAccess=1))}"
 
 
             }
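Review bot: all three replaced lines substitute %{Stripped-User-Name} unconditionally, but that attribute is only populated when a realm module (ntdomain, suffix or similar) actually splits a realm off User-Name; for a login sent as a plain `username` it expands to an empty string and the filters degrade to `(uid=)` / `(memberUid=)`, so the VLAN lookup would then fail for exactly the users it worked for before the change. Consider `%{%{Stripped-User-Name}:-%{User-Name}}` in each of the three filters so the stripped name is used when present and the full name otherwise, e.g. `(|(uid=%{%{Stripped-User-Name}:-%{User-Name}})(macAddress=%{Calling-Station-Id}))`. Minor: the patch headers name sites-available/default while the description names sites-enabled/default; if the latter is a symlink to the former that is fine, but the post should say which file was edited so others can reproduce it.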
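To make the failure visible outside of a FreeRADIUS debug run, here is an added example (not code from the post, from UCS or from FreeRADIUS) that reproduces the two filters from the post against a small constructed directory. It assumes that rlm_ldap escapes filter values per RFC 4515 (the log above shows `\` rendered as `\5c`, which is consistent with that), and it mimics the realm stripping of the ntdomain/suffix modules with a regex; both are assumptions about the deployment, not something the post confirms. It also models the fallback `%{%{Stripped-User-Name}:-%{User-Name}}` so the case of a user name without any realm can be checked.

```python
"""Added example: why (uid=domainname\\5cusername) finds nothing and what
switching to the stripped user name changes. Not part of the original post."""
import re
from typing import List, Optional

# RFC 4515: these characters must be hex-escaped inside a filter value.
# Assumption: rlm_ldap applies the same escaping to expanded attributes.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed sample directory (not real data): one user object and one group
# carrying the attributes the post's filters look at.
DIRECTORY = [
    {"dn": "uid=username,cn=users,dc=domainname,dc=example,dc=com",
     "uid": "username"},
    {"dn": "cn=vlan-3156,cn=groups,dc=domainname,dc=example,dc=com",
     "memberUid": ["username"], "univentionObjectType": "groups/group",
     "univentionVlanId": "3156", "univentionNetworkAccess": "1"},
]


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (client side)."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def ldap_unescape(value: str) -> str:
    """Reverse the escaping, as the directory server does before comparing."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def strip_realm(user_name: str) -> Optional[str]:
    """Mimic ntdomain/suffix: return the user part of DOMAIN\\user or user@realm.
    Returns None when there is no realm, which is when FreeRADIUS leaves
    Stripped-User-Name unset (assumed behaviour)."""
    m = re.fullmatch(r"[^\\]+\\(.+)", user_name)
    if m:
        return m.group(1)
    m = re.fullmatch(r"([^@]+)@[^@]+", user_name)
    if m:
        return m.group(1)
    return None


def filter_uid(user_name: str, use_stripped: bool) -> str:
    """Value substituted for uid=/memberUid= in the post's filters.
    With use_stripped=True this behaves like %{%{Stripped-User-Name}:-%{User-Name}}:
    the stripped name if a realm was removed, otherwise the full User-Name."""
    if not use_stripped:
        return user_name
    stripped = strip_realm(user_name)
    return stripped if stripped is not None else user_name


def build_user_filter(user_name: str, mac: str, use_stripped: bool) -> str:
    """The first filter from the post, as it would appear in the debug log."""
    uid = ldap_escape(filter_uid(user_name, use_stripped))
    return f"(|(uid={uid})(macAddress={ldap_escape(mac)}))"


def vlan_for(user_name: str, mac: str, use_stripped: bool) -> Optional[str]:
    """Server-side view of the group lookup: the directory unescapes the filter
    value and compares it with memberUid / macAddress of each group object."""
    wanted = ldap_unescape(ldap_escape(filter_uid(user_name, use_stripped)))
    for entry in DIRECTORY:
        if entry.get("univentionObjectType") != "groups/group":
            continue
        if entry.get("univentionNetworkAccess") != "1" or not entry.get("univentionVlanId"):
            continue
        members: List[str] = entry.get("memberUid", [])
        if wanted in members or mac.upper() == str(entry.get("macAddress", "")).upper():
            return entry["univentionVlanId"]
    return None


if __name__ == "__main__":
    for name in ("domainname\\username", "username@domainname.example.com", "username"):
        for stripped in (False, True):
            print(f"{name!r:40} stripped={stripped!s:5} "
                  f"{build_user_filter(name, '0C:37:96:00:00:01', stripped)} "
                  f"-> VLAN {vlan_for(name, '0C:37:96:00:00:01', stripped)}")
```

Running it shows the escaped `domainname\5cusername` value from the post's log, no VLAN for the unstripped lookup, VLAN 3156 once the realm is stripped, and, because of the fallback in `filter_uid`, still VLAN 3156 for a bare `username` that carries no realm at all.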