Yet another Freeradius+openldap eap-ttls pap issue
Work
piepoli.antonio at gmail.com
Thu Nov 28 13:31:49 CET 2013
Hi there,
this is my first post on the list and It's always a shame to start with
a problem :) .
I woul like to implement a freeradius authentication server that uses
openldap as backend and supports both pap authentication (for the VPN
client) and eap -ttls pap for the wi-fi lan.
I think I've successfullyconfigured freeradius for the pap
authentication with openldap since the radtest returns ok. In the ldap
module I've also enabled the groupcheck since in my company they want to
restrict vpn access through ldap group membership. This works great. To
to this I've removed the comment from the groupcheck and added to the
user file thinks like this:
188:DEFAULT LDAP-Group=="vpntest"
189: Reply-Message="Test per VPN",
190: Class="vpntest",
191: Fall-Through = Yes
is this ugly? My company does not want to add radiuschema to the users.
Ok now just forget for the small OT and let's focus on the real problem.
These are the configs:
root at ldap:/etc/freeradius# egrep -v '(#|^\s*$)' modules/ldap
ldap {
server = "test-ldap.newenergygroup.com"
identity = "cn=admin,dc=newenergygroup,dc=com"
password = XXXXXXXXX
basedn = "dc=newenergygroup,dc=com"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
password_attribute = userPassword
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
tls {
start_tls = no
}
dictionary_mapping = ${confdir}/ldap.attrmap
edir_account_policy_check = no
groupname_attribute = cn
groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
groupmembership_attribute = radiusGroupName
}
egrep -v '(#|^\s*$)' sites-enabled/default
authorize {
preprocess
chap
mschap
suffix
eap {
ok = return
}
files
ldap
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
Auth-Type LDAP {
ldap
}
root at ldap:/etc/freeradius# egrep -v '(#|^\s*$)' eap.conf
eap {
default_eap_type = ttls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
md5 {
}
leap {
}
gtc {
auth_type = PAP
}
tls {
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_password = whatever
private_key_file = ${certdir}/server.key
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem
dh_file = ${certdir}/dh
random_file = ${certdir}/random
cipher_list = "DEFAULT"
make_cert_command = "${certdir}/bootstrap"
cache {
enable = no
max_entries = 255
}
}
ttls {
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
mschapv2 {
}
}
I'm testing the eap eapol_test -c eap_pool_test_config -a 127.0.0.1 -p
1812 -s testing123 -r1 and the config is:
network={
eap=TTLS
ssid="example"
eapol_flags=0
key_mgmt=WPA-EAP
identity="atest"
password="atest"
#ca_cert="/etc/freeradius/certs/ccaa.pem"
phase2="auth=PAP"
}
the debug from radius is:
rad_recv: Access-Request packet from host 127.0.0.1 port 33653, id=0,
length=118
User-Name = "atest"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0200000a016174657374
Message-Authenticator = 0xf57a3eb5217b5475fcd4acf2ab929c6c
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "atest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] Entering ldap_groupcmp()
[files] expand: dc=newenergygroup,dc=com -> dc=newenergygroup,dc=com
[files] expand: %{Stripped-User-Name} ->
[files] ... expanding second conditional
[files] expand: %{User-Name} -> atest
[files] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=atest)
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to test-ldap.newenergygroup.com:389, authentication 0
[ldap] bind as cn=admin,dc=newenergygroup,dc=com/Ld4pPa$$w0rD to
test-ldap.newenergygroup.com:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in dc=newenergygroup,dc=com, with filter
(uid=atest)
[ldap] ldap_release_conn: Release Id: 0
[files] expand:
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
->
(|(&(objectClass=GroupOfNames)(member=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom)))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=newenergygroup,dc=com, with filter
(&(cn=vpnfullaccess)(|(&(objectClass=GroupOfNames)(member=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))))
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in
uid=atest,ou=people,dc=newenergygroup,dc=com, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
[ldap] ldap_release_conn: Release Id: 0
[ldap] Entering ldap_groupcmp()
[files] expand: dc=newenergygroup,dc=com -> dc=newenergygroup,dc=com
[files] expand:
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
->
(|(&(objectClass=GroupOfNames)(member=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom)))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=newenergygroup,dc=com, with filter
(&(cn=vpnlowaccess)(|(&(objectClass=GroupOfNames)(member=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))))
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in
uid=atest,ou=people,dc=newenergygroup,dc=com, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
[ldap] ldap_release_conn: Release Id: 0
[ldap] Entering ldap_groupcmp()
[files] expand: dc=newenergygroup,dc=com -> dc=newenergygroup,dc=com
[files] expand:
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
->
(|(&(objectClass=GroupOfNames)(member=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom)))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=newenergygroup,dc=com, with filter
(&(cn=vpntest)(|(&(objectClass=GroupOfNames)(member=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))))
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in
uid=atest,ou=people,dc=newenergygroup,dc=com, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
[ldap] ldap_release_conn: Release Id: 0
[ldap] Entering ldap_groupcmp()
[files] expand: dc=newenergygroup,dc=com -> dc=newenergygroup,dc=com
[files] expand:
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
->
(|(&(objectClass=GroupOfNames)(member=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom)))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=newenergygroup,dc=com, with filter
(&(cn=vpntestadmin)(|(&(objectClass=GroupOfNames)(member=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))))
rlm_ldap::ldap_groupcmp: User found in group vpntestadmin
[ldap] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 193
++[files] returns ok
[ldap] performing user authorization for atest
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> atest
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=atest)
[ldap] expand: dc=newenergygroup,dc=com -> dc=newenergygroup,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=newenergygroup,dc=com, with filter
(uid=atest)
[ldap] Added User-Password = {MD5}tQzXLan1f4v2iAMD/1t2Ig== in check items
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user atest authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = LDAP
+- entering group LDAP {...}
[ldap] Attribute "User-Password" is required for authentication.
You seem to have set "Auth-Type := LDAP" somewhere.
THAT CONFIGURATION IS WRONG. DELETE IT.
YOU ARE PREVENTING THE SERVER FROM WORKING PROPERLY.
++[ldap] returns invalid
Failed to authenticate the user.
Login incorrect: [atest] (from client localhost port 0 cli
02-00-00-00-00-01)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> atest
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 0 to 127.0.0.1 port 33653
Reply-Message = "Test per VPN ADMIN"
Waking up in 4.9 seconds.
Cleaning up request 0 ID 0 with timestamp +23
Ready to process requests.
Thank you :), hope I'm not missing somithing stupid, I've read a lot of
documentation here and there.
ps. password on the LDAP are stored in hash form.
More information about the Freeradius-Users
mailing list