Bug 46018 - reduce ucsschool specific radius package
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: Radius
Version: UCS@school 4.3
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS@school 4.4 v1
Assigned To: Jürn Brodersen
QA Contact: Sönke Schwardt-Krummrich
Depends on:
Blocks: 48797 48798 48799
Reported: 2018-01-12 11:07 CET by Daniel Tröder
Modified: 2019-03-12 10:58 CET
What kind of report is it?: Development Internal
Bug group (optional): Cleanup
Description Daniel Tröder univentionstaff 2018-01-12 11:07:57 CET
Integrate ucs-school-radius-802.1x into univention-radius.

ucs-school-radius-802.1x should then install no code, just configuration.
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2018-10-29 10:40:19 CET
It has to be checked whether univention-radius and ucs-school-radius-802.1x are functionally equal. There are reports that machine accounts are not able to log in via univention-radius.
Comment 2 Jürn Brodersen univentionstaff 2019-01-15 10:39:43 CET
Feature branch (for ucs and ucs@school):
juern/4.4/radius-merge
Comment 3 Jannik Ahlers univentionstaff 2019-01-28 11:32:11 CET
Some new tests are already checked in and built:

Successful build
Package: ucs-test
Version: 9.0.0-16A~4.4.0.201901281123
Branch: ucs_4.4-0

ucs-test (9.0.0-16)
078415ae947d | Bug #46018: added additional tests for radius


The new test 07_mac_whitelisting fails with version 6.0.1-2 of the radius package.
Comment 4 Jannik Ahlers univentionstaff 2019-01-28 12:30:07 CET
The UCR variable descriptions in the univention-radius package mention some default values. A lot of those seem to be outdated (they get set to different values in postinst).
Comment 5 Jürn Brodersen univentionstaff 2019-01-28 13:52:19 CET
> The new test 07_mac_whitelisting fails with version 6.0.1-2 of the radius
> package.

Thanks :)

[juern/4.4/radius-merge be4fec87e1] Bug #46018: Fix mac address decoding
Comment 6 Jürn Brodersen univentionstaff 2019-02-19 11:59:41 CET
Changes in @school

[4.4 675cc80b9] Bug #46018: Use config and code from univention-radius
[4.4 18b42f839] Bug #46018: changelog
[4.4 cdf60e5b4] Bug #46018: Merge branch 'juern/4.4/radius-merge' into 4.4
[4.4 07aa3fd8d] Bug #46018: Add version to dependency on univention-radius
[4.4 0be835a03] Bug #46018: yaml

Changes in ucs

[4.4-0 078415ae94] Bug #46018: added additional tests for radius
[4.4-0 aa2dced715] Bug #46018: Move python libs into seperate folder
[4.4-0 6f20f7a0c9] Bug #46018: Refactor for logging and extensibility
[4.4-0 d620977c28] Bug #46018: Remove deprecated readme
[4.4-0 f3d98f5e55] Bug #46018: Remove package conflict with ucs@school
[4.4-0 301064c011] Bug #46018: changelog
[4.4-0 8ed14c20a8] Bug #46018: Merge branch 'juern/4.4/radius-merge' into 4.4-0
[4.4-0 70338fdced] Bug #46018: changelog
Comment 7 Jürn Brodersen univentionstaff 2019-02-26 17:37:29 CET
QA feedback:
@school:
[4.4 ba6e9947c] Bug #46018: Fix typo
[4.4 3c8e5be73] Bug #46018: yaml

ucs:
[4.4-0 79b74ec40f] Bug #46018: fix typos; better loglevel conversion
Comment 8 Sönke Schwardt-Krummrich univentionstaff 2019-02-27 02:45:40 CET
The UCR variable "freeradius/auth/helper/ntlm/debug" with default value of "2" has been introduced.

After installation, the RADIUS app only supports the LDAP flags that can be set for users and groups. As of UCS 4.4, UCS@school settings that could be set using UCR variables are no longer supported by the RADIUS app without UCS@school installed. After an installation of UCS@school, however, these are available again.
For UCS@school installations that did NOT install the RADIUS app before, it must be noted that the RADIUS app is automatically installed during the update to UCS 4.4. So after the automatic installation of the RADIUS app, the LDAP flags are also evaluated. If the flags are still in the LDAP (e.g. after a previous test of the RADIUS app), they automatically become active again after the update of the RADIUS system to UCS 4.4! The RADIUS flags should therefore be checked immediately before/after the update.

In order to install RADIUS on a UCS@school system, the package ucs-school-radius-802.1x must still be installed, since only this package contains the UCS@school part. However, the U@S package also automatically installs univention-radius via a dependency, so that only one installation step is necessary here.

[UCS@school 4.4]
d34c8fcc7 Bug #46018: add changelog entry
2fce74a1e Bug #46018: fixed syntax error
66a28923d Bug #46018: wording changes

Package: ucs-school-radius-802.1x
Version: 7.0.1-6A~4.4.0.201902270211
Branch: ucs_4.4-0
Scope: ucs-school-4.4

[UCS 4.4]
da6ca83991 Bug #46018: rename UCR variable univention-radius-ntlm-auth/debug to freeradius/auth/helper/ntlm/debug

Package: univention-radius
Version: 6.0.2-8A~4.4.0.201902270136
Branch: ucs_4.4-0

OK: code change
OK: functional change
FIXED: manual tests
    - OK: UCS 4.4-0 master w/o UCS@school (user, groups, groups in groups)
    - FIXED: UCS 4.4-0 master w/ UCS@school (user, groups, groups in groups, UCR)
      → there was a syntax error in school_networkaccess.py (see commit above)
    - Update 4.3→4.4
      - univention-radius only → only univention-radius installed after update
      - ucs-school-radius-802.1x → both packages installed after update
REOPEN: tests
    - UCS 4.4-0 master w/ UCS@school (all ucs-test scripts were ok)
    - UCS 4.4-0 slave w/ UCS@school (08_clients_univention_conf FAILS)
OK: changelog entry
OK: package built and installable
NEWBUG: manual → bugs 48797, 48798
NEWBUG: I think we need a logrotation config → Bug 48799


Example log output of /var/log/univention/radius_ntlm_auth.log:
2019-02-26 23:51:45,957 - radius-ntlm -       INFO: [user=user4; mac=02:00:00:00:00:01] Loglevel set to: 4
2019-02-26 23:51:45,957 - radius-ntlm -      DEBUG: [user=user4; mac=02:00:00:00:00:01] Given username: "user4"
2019-02-26 23:51:45,958 - radius-ntlm -      DEBUG: [user=user4; mac=02:00:00:00:00:01] Given stationId: "02-00-00-00-00-01"
2019-02-26 23:51:45,958 - radius-ntlm -      DEBUG: [user=user4; mac=02:00:00:00:00:01] UCS@school RADIUS support is not installed
2019-02-26 23:51:45,959 - radius-ntlm -      DEBUG: [user=user4; mac=02:00:00:00:00:01] Checking ldap network access for user
2019-02-26 23:51:45,959 - radius-ntlm -      DEBUG: [user=user4; mac=02:00:00:00:00:01] DENY 'uid=user4,cn=users,dc=nstx,dc=local'
2019-02-26 23:51:45,959 - radius-ntlm -      DEBUG: [user=user4; mac=02:00:00:00:00:01] -> DENY 'cn=Domain Users,cn=groups,dc=nstx,dc=local'
2019-02-26 23:51:45,960 - radius-ntlm -      DEBUG: [user=user4; mac=02:00:00:00:00:01] -> DENY 'cn=grpA,cn=groups,dc=nstx,dc=local'
2019-02-26 23:51:45,961 - radius-ntlm -      DEBUG: [user=user4; mac=02:00:00:00:00:01] -> -> ALLOW 'cn=grpB,cn=groups,dc=nstx,dc=local'
2019-02-26 23:51:45,961 - radius-ntlm -       INFO: [user=user4; mac=02:00:00:00:00:01] LDAP settings allow attempt to login
2019-02-26 23:51:45,961 - radius-ntlm -      DEBUG: [user=user4; mac=02:00:00:00:00:01] MAC filtering is disabled by radius/mac/whitelisting.
2019-02-26 23:51:45,961 - radius-ntlm -       INFO: [user=user4; mac=02:00:00:00:00:01] User is allowed to use RADIUS
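
Added example (not part of the bug report and not univention-radius code): a small Python parser for the radius_ntlm_auth.log format shown in comment 8. It reports which LDAP object granted access, which helps when checking the RADIUS flags before and after the update. The function and field names are hypothetical, and only the success message visible in the excerpt is recognised.

```python
import re

# Line layout copied from the radius_ntlm_auth.log excerpt in comment 8.
LINE_RE = re.compile(
    r"^\S+ \S+ - radius-ntlm -\s+(?P<level>[A-Z]+): "
    r"\[user=(?P<user>[^;]*); mac=(?P<mac>[^\]]*)\] (?P<msg>.*)$")
# Each "-> " prefix marks one level of group nesting in the excerpt.
DECISION_RE = re.compile(r"^(?P<arrows>(?:-> )*)(?P<verdict>ALLOW|DENY) '(?P<dn>.*)'$")
ALLOWED_MSG = "User is allowed to use RADIUS"  # the only outcome line shown in the excerpt


def summarize(log_text):
    """Group per-object ALLOW/DENY lines by (user, mac) and record the outcome."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a radius-ntlm log line; skip it
        # Simplification: repeated attempts by the same user and MAC are merged.
        s = sessions.setdefault((m["user"], m["mac"]),
                                {"decisions": [], "granted_by": [], "allowed": None})
        d = DECISION_RE.match(m["msg"])
        if d:
            depth = d["arrows"].count("->")
            s["decisions"].append((depth, d["verdict"], d["dn"]))
            if d["verdict"] == "ALLOW":
                s["granted_by"].append(d["dn"])
        elif m["msg"] == ALLOWED_MSG:
            s["allowed"] = True  # stays None when no success line was seen
    return sessions


# Lines taken from the excerpt above, plus one constructed non-matching line.
SAMPLE = """\
this line is constructed and does not match the log format
2019-02-26 23:51:45,959 - radius-ntlm -      DEBUG: [user=user4; mac=02:00:00:00:00:01] DENY 'uid=user4,cn=users,dc=nstx,dc=local'
2019-02-26 23:51:45,959 - radius-ntlm -      DEBUG: [user=user4; mac=02:00:00:00:00:01] -> DENY 'cn=Domain Users,cn=groups,dc=nstx,dc=local'
2019-02-26 23:51:45,960 - radius-ntlm -      DEBUG: [user=user4; mac=02:00:00:00:00:01] -> DENY 'cn=grpA,cn=groups,dc=nstx,dc=local'
2019-02-26 23:51:45,961 - radius-ntlm -      DEBUG: [user=user4; mac=02:00:00:00:00:01] -> -> ALLOW 'cn=grpB,cn=groups,dc=nstx,dc=local'
2019-02-26 23:51:45,961 - radius-ntlm -       INFO: [user=user4; mac=02:00:00:00:00:01] User is allowed to use RADIUS
"""

if __name__ == "__main__":
    for (user, mac), s in summarize(SAMPLE).items():
        outcome = "allowed" if s["allowed"] else "no success line seen"
        print(user, mac, outcome, "granted by:", s["granted_by"])
```

The per-object lines are logged at DEBUG level, so the summary is only populated when the helper's log level is high enough to emit them.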
Comment 9 Sönke Schwardt-Krummrich univentionstaff 2019-02-27 12:01:02 CET
(In reply to Sönke Schwardt-Krummrich from comment #8)
> REOPEN: tests
>   - UCS 4.4-0 master w/ UCS@school (all ucs-test scripts were ok)
>   - UCS 4.4-0 slave w/ UCS@school (08_clients_univention_conf FAILS)

Turned out that the ucs-test script was faulty on UCS@school systems.
ucs-test has been fixed.

Package: ucs-test
Version: 9.0.1-3A~4.4.0.201902271159
Branch: ucs_4.4-0

2be81fcf43 Bug #46018: Readd apptest tag to 45_radius/08_clients_univention_conf and fix computer object creation for UCS@school environments
Comment 10 Sönke Schwardt-Krummrich univentionstaff 2019-03-12 10:58:45 CET
UCS@school 4.4 v1 has been released.

https://docs.software-univention.de/release-notes-ucsschool-4.4v1-de.html

If this error occurs again, please clone this bug.