Univention Bugzilla – Bug 57567
Incorrect LDAP Query in Freeradius Leads to VLAN Assignment Failure during 802.1x Authentication
Last modified: 2024-09-05 12:41:39 CEST
**Overview**: When using Freeradius for 802.1x authentication, the VLAN assignment fails due to an incorrectly constructed LDAP query. The query uses the `%{User-Name}` variable, which includes both the domain name and a double backslash (`\\`), resulting in a malformed `uid` search string like `uid=domainname\5cusername`. This leads to the LDAP search returning no results, and subsequently the VLAN is not assigned to the user.

**Steps to Reproduce**:
1. Configure the RADIUS app to authenticate users via 802.1x.
2. Ensure the user has a corresponding VLAN ID in LDAP.
3. Observe the debug logs during authentication:
   - The LDAP query is incorrectly formed with `uid=domainname\5cusername`.
   - The VLAN is not assigned.

**Actual Results**: The LDAP search query fails due to the inclusion of the domain name and a backslash in the `uid` attribute, resulting in no matching records being found. The `Tunnel-Private-Group-Id` attribute is missing from the `Reply-Message`. Example from the Freeradius debug output:

```
(25)   if ("%{ldap:ldap:///dc=domainname,dc=example,dc=com?uid?sub?(|(uid=%{User-Name})(macAddress=%{Calling-Station-Id}))}") {
rlm_ldap (ldap): Reserved connection (12)
(25)   Performing search in "dc=domainname,dc=example,dc=com" with filter "(|(uid=domainname\5cusername)(macAddress=0C:37:96:<masked>))"
```

**Expected Results**: Freeradius should send the correct `Tunnel-Private-Group-Id` (VLAN ID) in the reply after a successful LDAP query, assigning the appropriate VLAN to the authenticated user.

**Workaround**: Replacing `%{User-Name}` with `%{Stripped-User-Name}` in the Freeradius configuration fixes the issue, as it removes the domain name and backslash from the query, allowing it to match the correct user. Configuration change patch:

```
--- sites-available/default 2024-09-05 12:34:34.546155709 +0300
+++ sites-available/default-changed 2024-09-05 12:39:16.774779933 +0300
@@ -832,17 +832,17 @@
 # Check if the user or machine exists and do post-auth actions
 # else do nothing in post-auth
 # This way we also make sure that we do not change the VLAN ID again if the non-EAP-auth (MAC address auth) succeeded before (see above)
- if ("%{ldap:ldap:///dc=domainname,dc=example,dc=com?uid?sub?(|(uid=%{User-Name})(macAddress=%{Calling-Station-Id}))}") {
+ if ("%{ldap:ldap:///dc=domainname,dc=example,dc=com?uid?sub?(|(uid=%{Stripped-User-Name})(macAddress=%{Calling-Station-Id}))}") {
 # For known users as well for known machines we take the vlan-id from the group the user/machine is member of.
 # In case there are assignments for several groups the first vlan-id is automatically taken.
- if ("%{ldap:ldap:///dc=domainname,dc=example,dc=com?univentionVlanId?sub?(&(|(memberUid=%{User-Name})(macAddress=%{Calling-Station-Id}))(univentionObjectType=groups/group)(univentionVlanId=*)(univentionNetworkAccess=1))}") {
+ if ("%{ldap:ldap:///dc=domainname,dc=example,dc=com?univentionVlanId?sub?(&(|(memberUid=%{Stripped-User-Name})(macAddress=%{Calling-Station-Id}))(univentionObjectType=groups/group)(univentionVlanId=*)(univentionNetworkAccess=1))}") {
 update reply {
 Reply-Message := "DEBUG: Assigning VLAN-ID from user / computer object"
 Tunnel-Type := VLAN
 Tunnel-Medium-Type := IEEE-802
- Tunnel-Private-Group-Id := "%{ldap:ldap:///dc=domainname,dc=example,dc=com?univentionVlanId?sub?(&(|(memberUid=%{User-Name})(memberUid=%{1}))(univentionObjectType=groups/group)(univentionVlanId=*)(univentionNetworkAccess=1))}"
+ Tunnel-Private-Group-Id := "%{ldap:ldap:///dc=domainname,dc=example,dc=com?univentionVlanId?sub?(&(|(memberUid=%{Stripped-User-Name})(memberUid=%{1}))(univentionObjectType=groups/group)(univentionVlanId=*)(univentionNetworkAccess=1))}"
 }
```

**Environment**:
- Freeradius: 3.0.17
- univention-radius: 7.0.7-3
- UCS:
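Review bot: All three replaced lines in this hunk switch unconditionally to `%{Stripped-User-Name}`, but that attribute is only populated when a realm or NT domain was actually stripped from `User-Name` (by the `ntdomain`/`suffix` realm modules); for a supplicant that sends a bare `username`, every filter collapses to `(uid=)` / `(memberUid=)` and the VLAN lookup fails in the other direction. Prefer the fallback form FreeRADIUS' own stock `ldap` module config uses, e.g. `(uid=%{%{Stripped-User-Name}:-%{User-Name}})`, in all three filters. The third replacement also still relies on `%{1}`, a capture group from an earlier `if` not shown in this hunk; the context is too small to confirm that it remains valid after the change, so the surrounding block should be included in the patch.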
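The filter-construction problem the report describes, as an added example that is not part of the bug report or of univention-radius: it models how an xlat'd `User-Name` of the form `domainname\username` is RFC 4515-escaped into `domainname\5cusername` (so the server compares it against a value that no plain `uid` carries), and how the stripped form matches. The `strip_realm` helper is an assumed stand-in for what the `ntdomain`/`suffix` realm modules do when they set `Stripped-User-Name`; the "directory" is a constructed in-memory list, and the VLAN id is looked up on the user entry directly rather than through group membership as in the real config.

```python
"""
Added example (not from the Univention bug report or univention-radius).
Shows why an LDAP filter built from User-Name ("DOMAIN\\user") never matches a
plain uid, while one built from Stripped-User-Name does.
Assumptions: RFC 4515 escaping as FreeRADIUS applies it to xlat'd values;
strip_realm() emulates the ntdomain/suffix realm modules; DIRECTORY is
constructed sample data with the VLAN id on the user entry for simplicity.
"""
import re
from typing import List, Dict, Optional, Tuple

# RFC 4515 escaping of an assertion value. This is the step that turns the
# single backslash in "domainname\username" into "\5c" in the debug output.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def ldap_unescape(value: str) -> str:
    # What the server does with "\5c", "\2a", ...: back to the literal byte.
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def strip_realm(user_name: str) -> Optional[str]:
    """Emulates Stripped-User-Name (assumed behaviour of the ntdomain/suffix
    realm modules): 'DOMAIN\\user' -> 'user', 'user@realm' -> 'user'.
    Returns None when nothing was stripped, i.e. the attribute would be absent."""
    if "\\" in user_name:
        return user_name.split("\\", 1)[1]
    if "@" in user_name:
        return user_name.rsplit("@", 1)[0]
    return None


def build_filter(uid_value: str, mac: str) -> str:
    """The (|(uid=...)(macAddress=...)) filter from the report, with both
    xlat'd values escaped the way FreeRADIUS escapes them."""
    return f"(|(uid={ldap_escape(uid_value)})(macAddress={ldap_escape(mac)}))"


def search(entries: List[Dict[str, str]], filter_str: str) -> List[Dict[str, str]]:
    """Minimal evaluator for that two-term OR filter (constructed stand-in for
    an LDAP server): unescape each assertion value and compare exactly."""
    m = re.fullmatch(r"\(\|\(uid=(.*)\)\(macAddress=(.*)\)\)", filter_str)
    if m is None:
        raise ValueError("unsupported filter shape: " + filter_str)
    uid, mac = ldap_unescape(m.group(1)), ldap_unescape(m.group(2))
    return [e for e in entries if e["uid"] == uid or e.get("macAddress") == mac]


# Constructed sample directory entries (not real data).
DIRECTORY: List[Dict[str, str]] = [
    {"uid": "username", "macAddress": "0c:37:96:aa:bb:cc", "univentionVlanId": "20"},
    {"uid": "other", "macAddress": "00:11:22:33:44:55", "univentionVlanId": "30"},
]


def vlan_for(user_name: str, calling_station_id: str,
             use_stripped: bool) -> Tuple[str, Optional[str]]:
    """Returns (filter actually sent, VLAN id or None).
    use_stripped=False mirrors the buggy %{User-Name} query; True mirrors the
    workaround, falling back to User-Name when nothing was stripped, as the
    xlat %{%{Stripped-User-Name}:-%{User-Name}} would."""
    uid = user_name
    if use_stripped:
        uid = strip_realm(user_name) or user_name
    flt = build_filter(uid, calling_station_id)
    hits = search(DIRECTORY, flt)
    return flt, (hits[0]["univentionVlanId"] if hits else None)


if __name__ == "__main__":
    # A Calling-Station-Id that is in no entry, so only the uid term can match.
    for stripped in (False, True):
        flt, vlan = vlan_for("domainname\\username", "0c:37:96:de:ad:00", stripped)
        print(f"stripped={stripped}: {flt} -> VLAN {vlan}")
```

Running it shows the first query carrying `uid=domainname\5cusername` and returning no VLAN, and the second carrying `uid=username` and returning `20`; the fallback in `vlan_for` also covers a supplicant that sends a bare `username`, where `Stripped-User-Name` would be empty.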