Univention Bugzilla – Bug 47899
Include univention-check-radius-access in ucs-school-radius-802.1x
Last modified: 2019-03-12 11:01:12 CET
"univention-radius" includes a tool called univention-check-radius-access. This tool is handy to quickly check if a certain user has RADIUS access. It is not present in UCS@school because U@S includes the package "ucs-school-radius-802.1x", which does not contain univention-check-radius-access, and not "univention-radius"- I think we should provide univention-check-radius-access with "ucs-school-radius-802.1x" as well.
This would really be nice to have, with this tool the internetconnection is checked too. This would have saved us some time in troubleshooting.
univention-check-radius-access schould work 4.4 I don't think the qa has a high priority -> Target Milestone
root@master140:~# univention-radius-check-access --username=user4 INFO: [user=user4; mac=None] Loglevel set to: 4 DEBUG: [user=user4; mac=None] Given username: "user4" DEBUG: [user=user4; mac=None] Given stationId: "None" DEBUG: [user=user4; mac=None] Loading proxy rules from UCR DEBUG: [user=user4; mac=None] Loaded user_to_group {'mamu': ['gsMitte-1A', 'schueler-gsmitte', 'Domain Users gsMitte'], 'demo_student': ['Domain Users DEMOSCHOOL', 'DEMOSCHOOL-Democlass', 'schueler-demoschool'], 'demo_teacher': ['Domain Users DEMOSCHOOL', 'lehrer-demoschool'], 'demo_admin': ['Domain Users DEMOSCHOOL', 'mitarbeiter-demoschool']} DEBUG: [user=user4; mac=None] Loaded group_info {'gsMitte-1A': (7, False), 'schueler-gsmitte': (5, True), 'lehrer-demoschool': (0, True)} DEBUG: [user=user4; mac=None] Checking proxy rules network access DEBUG: [user=user4; mac=None] DENY: No proxy rules for user user4 found INFO: [user=user4; mac=None] Proxy rules deny username attempt to login DEBUG: [user=user4; mac=None] Checking ldap network access for user DEBUG: [user=user4; mac=None] DENY 'uid=user4,cn=users,dc=nstx,dc=local' DEBUG: [user=user4; mac=None] -> DENY 'cn=Domain Users,cn=groups,dc=nstx,dc=local' DEBUG: [user=user4; mac=None] -> -> DENY 'cn=Users,cn=Builtin,dc=nstx,dc=local' DEBUG: [user=user4; mac=None] -> DENY 'cn=grpA,cn=groups,dc=nstx,dc=local' DEBUG: [user=user4; mac=None] -> -> ALLOW 'cn=grpB,cn=groups,dc=nstx,dc=local' INFO: [user=user4; mac=None] LDAP settings allow attempt to login DEBUG: [user=user4; mac=None] MAC filtering is disabled by radius/mac/whitelisting. INFO: [user=user4; mac=None] User is allowed to use RADIUS DEBUG: [user=user4; mac=None] --- Thus access is ALLOWED. I suggest to increase the log level of the radius ntlm helper tool and log actual auth requests on the fly. OK: code change OK: functional test
UCS@school 4.4 v1 has been released. https://docs.software-univention.de/release-notes-ucsschool-4.4v1-de.html If this error occurs again, please clone this bug.