Problem: Staff user cannot access WLAN (RADIUS)

Problem:

A staff user cannot access the Wi-Fi via RADIUS.

Investigation:

univention-radius-check-access --username mititest --station-id none
     DEBUG: [user=mititest; mac=e:::::] Given username: 'mititest'
     DEBUG: [user=mititest; mac=e:::::] Given stationId: 'none'
     DEBUG: [user=mititest; mac=e:::::] Loading proxy rules from UCR
     DEBUG: [user=mititest; mac=e:::::] Loaded user_to_group {.......}
     DEBUG: [user=mititest; mac=e:::::] Loaded group_info {}
     DEBUG: [user=mititest; mac=e:::::] Checking UCR proxy rules for user
     DEBUG: [user=mititest; mac=e:::::] DENY: user mititest not found in any WLAN enabled group
     DEBUG: [user=mititest; mac=e:::::] DENY: user mititest groups=['Domain Users TEST', 'mitarbeiter-test']
     DEBUG: [user=mititest; mac=e:::::] DENY: WLAN enabled groups=[]
      INFO: [user=mititest; mac=e:::::] Login attempt denied by UCR proxy rules
      INFO: [user=mititest; mac=e:::::] Login attempt with unknown username
     DEBUG: [user=mititest; mac=e:::::] User is not allowed to authenticate via RADIUS
     DEBUG: [user=mititest; mac=e:::::] --- Thus access is DENIED.

Compare with a working user:

univention-radius-check-access --username lehritest --station-id none
     DEBUG: [user=lehritest; mac=e:::::] Given username: 'lehritest'
     DEBUG: [user=lehritest; mac=e:::::] Given stationId: 'none'
     DEBUG: [user=lehritest; mac=e:::::] Loading proxy rules from UCR
     DEBUG: [user=lehritest; mac=e:::::] Loaded user_to_group {......}
     DEBUG: [user=lehritest; mac=e:::::] Loaded group_info {}
     DEBUG: [user=lehritest; mac=e:::::] Checking UCR proxy rules for user
     DEBUG: [user=lehritest; mac=e:::::] DENY: user lehritest not found in any WLAN enabled group
     DEBUG: [user=lehritest; mac=e:::::] DENY: user lehritest groups=['Domain Users TEST', 'lehrer-test']
     DEBUG: [user=lehritest; mac=e:::::] DENY: WLAN enabled groups=[]
      INFO: [user=lehritest; mac=e:::::] Login attempt denied by UCR proxy rules
     DEBUG: [user=lehritest; mac=e:::::] Checking LDAP settings for user
     DEBUG: [user=lehritest; mac=e:::::] DENY 'uid=lehritest,cn=lehrer,cn=users,ou=TEST,dc=test,dc=int'
     DEBUG: [user=lehritest; mac=e:::::] -> ALLOW 'cn=lehrer-test,cn=groups,ou=TEST,dc=test,dc=int'
     DEBUG: [user=lehritest; mac=e:::::] -> DENY 'cn=Domain Users TEST,cn=groups,ou=TEST,dc=test,dc=int'
      INFO: [user=lehritest; mac=e:::::] Login attempt permitted by LDAP settings
     DEBUG: [user=lehritest; mac=e:::::] MAC filtering is disabled by radius/mac/whitelisting.
      INFO: [user=lehritest; mac=e:::::] User is allowed to use RADIUS
     DEBUG: [user=lehritest; mac=e:::::] --- Thus access is ALLOWED.

Check whether the user is found by the school server:

univention-ldapsearch -D "$(ucr get ldap/hostdn)" -y /etc/machine.secret -h localhost -p 7389 uid=mititest

Solution:

https://docs.software-univention.de/ucsschool-manual/5.0/de/structure.html#structure-staff-in-edunet

On the Primary Directory Node and all Backup Directory Nodes, the LDAP ACLs must be adjusted and the LDAP server must be restarted:

ucr set ucsschool/ldap/replicate_staff_to_edu="true"
ucr commit /etc/ldap/slapd.conf
systemctl restart slapd
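
To compare two univention-radius-check-access runs without reading them line by line, the following added example (not part of the original post and not code from univention-radius) parses the debug output shown in the investigation and names the stage that decided the verdict. The result labels and function names are this example's own; the sample lines are copied from the two runs on this page.

```python
import re

# Line layout as printed by univention-radius-check-access in the runs above.
LINE = re.compile(r"^\s*(DEBUG|INFO): \[user=([^;\]]*); mac=[^\]]*\] (.*)$")
ENTRY = re.compile(r"^(?:-> )?(ALLOW|DENY) '([^']+)'$")  # per-object LDAP result

def parse(log_text):
    """Reduce one check-access run to the facts that decide its outcome."""
    run = {"user": None, "ldap_checked": False, "unknown_user": False,
           "allow": [], "deny": [], "verdict": None}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # the command line itself, blank lines
        run["user"], msg = m.group(2), m.group(3)
        if msg == "Checking LDAP settings for user":
            run["ldap_checked"] = True
        elif msg == "Login attempt with unknown username":
            run["unknown_user"] = True
        elif e := ENTRY.match(msg):
            run[e.group(1).lower()].append(e.group(2))
        elif v := re.search(r"Thus access is (ALLOWED|DENIED)", msg):
            run["verdict"] = v.group(1)
    return run

def diagnose(run):
    """Name the stage that decided the run (labels are this example's own)."""
    if run["verdict"] == "ALLOWED":
        return "allowed"
    if run["unknown_user"] and not run["ldap_checked"]:
        return "user-not-found-in-ldap"  # next step: the ldapsearch check
    if run["ldap_checked"] and not run["allow"]:
        return "no-allow-entry"  # LDAP stage ran, but printed no ALLOW line
    return "denied-other"

# Lines copied from the two runs on this page, shortened to the deciding ones.
FAILING = """\
      INFO: [user=mititest; mac=e:::::] Login attempt denied by UCR proxy rules
      INFO: [user=mititest; mac=e:::::] Login attempt with unknown username
     DEBUG: [user=mititest; mac=e:::::] --- Thus access is DENIED.
"""
WORKING = """\
     DEBUG: [user=lehritest; mac=e:::::] Checking LDAP settings for user
     DEBUG: [user=lehritest; mac=e:::::] DENY 'uid=lehritest,cn=lehrer,cn=users,ou=TEST,dc=test,dc=int'
     DEBUG: [user=lehritest; mac=e:::::] -> ALLOW 'cn=lehrer-test,cn=groups,ou=TEST,dc=test,dc=int'
     DEBUG: [user=lehritest; mac=e:::::] --- Thus access is ALLOWED.
"""
if __name__ == "__main__":
    for sample in (FAILING, WORKING):
        print(diagnose(parse(sample)))
```

Re-running the check for the staff user after the slapd restart and feeding the output to `parse` shows whether the run now reaches the LDAP settings stage.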