FreeRadius 3 OpenLDAP and MAC based Auth
Jürgen Northe
jn at northe-online.de
Mon Jan 7 15:07:30 CET 2019
> On Jan 4, 2019, at 2:35 AM, Jürgen Northe <jn at northe-online.de> wrote:
> >
Hello Alan,
> > I already have a running environment with Freeradius2 + OpenLDAP to provide a simple NAC solution, but now it's time to set up a replacement with version 3.
>
> Did you follow the instructions in raddb/README.rst? There is detailed documentation on how to upgrade.
It is not an in-place upgrade; I use a fresh installation of CentOS 7 1810 with all the packages from the distro. FR2 is running in production until I switch over.
>
> > So far everything is working but somehow the "authorize" of the client is not "processed". Compared with the version 2, I am missing the
> > rlm_ldap: radiusAuthType -> Auth-Type == Accept
> > along with the other attributes stored in the directory.
>
> What did you change? The default configuration works, and returns all attributes it finds in LDAP.
I went through the r2 config and searched for the settings I made 7 years ago. Then I searched for the same default values in the FR3 configs and adjusted them with the new settings (IP, hostname, certificate stuff, passwords, ...). I dumped the LDAP database, copied it to the new server and restored the content.
>
> And what information is in LDAP?
Here is the result of the LDAP query for the test laptop. As you can see, the information regarding the VLAN ID is stored in radiusProfileDn, which I have posted below the query along with the content of the ldap module.
ldapsearch -D "cn=Manager,dc=firma,dc=de" -w xxxxxxxxxxxxxxxxxxxx -h radldap1-215 -b "dc=firma,dc=de" -s sub "cn=106530670342"
# extended LDIF
#
# LDAPv3
# base <dc=firma,dc=de> with scope subtree
# filter: cn=106530670342
# requesting: ALL
#
# NBBZ1807-134, 4.notebooks, 172.17.0.0, SUBNET, DHCP Config, firma.de
dn: cn=NBBZ1807-134,cn=4.notebooks,cn=172.17.0.0,cn=SUBNET,cn=DHCP Config,dc=junghans-microtec,dc=de
objectClass: radiusprofile
objectClass: dhcpHost
objectClass: top
cn: 10-65-30-67-03-42
cn: 106530670342
cn: NBBZ1807-134
dhcpHWAddress: ethernet 10:65:30:67:03:42
radiusCallingStationId: 10-65-30-67-03-42
radiusReplyMessage: Hello NBBZ1807-134
radiusProfileDn: cn=INTRA,ou=VLAN,ou=profiles,ou=radius,dc=firma,dc=de
dhcpStatements: fixed-address 172.17.4.134
# search result
search: 2
result: 0 Success
##### LDAP export:
dn: cn=INTRA,ou=VLAN,ou=profiles,ou=radius,dc=firma,dc=de
objectClass: top
objectClass: organizationalRole
objectClass: radiusprofile
cn: INTRA
radiusAuthType: Accept
radiusTunnelMediumType: IEEE-802
radiusTunnelPrivateGroupId: 170
radiusTunnelType: VLAN
##### ldap module:
ldap ldap1 {
    server = 'radldap1-215'
    identity = "cn=Manager,dc=firma,dc=de"
    password = xxxxxxxxxxxxxxxxxxxxxxxx
    base_dn = "dc=firma,dc=de"
    scope = "sub"
    # filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
    filter = "(|(cn=%{%{StrippedUserName}:%{UserName}})(macAddress=%{%{StrippedUserName}:%{UserName}}))"
    set_auth_type = no
    sasl {
    }
    # update {
    #     control:Password-With-Header += 'userPassword'
    #     control: += 'radiusControlAttribute'
    #     request: += 'radiusRequestAttribute'
    #     reply: += 'radiusReplyAttribute'
    # }
    user {
        base_dn = "${..base_dn}"
        filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
        sasl {
        }
    }
    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=posixGroup)'
        membership_attribute = 'memberOf'
    }
    profile {
    }
    client {
        base_dn = "${..base_dn}"
        filter = '(objectClass=radiusClient)'
        template {
        }
        attribute {
            ipaddr = 'radiusClientIdentifier'
            secret = 'radiusClientSecret'
        }
    }
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        start_tls = no
    }
    profile_attribute = "radiusProfileDn"
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
    accounting {
        reference = "%{tolower:type.%{Acct-Status-Type}}"
        type {
            start {
                update {
                    description := "Online at %S"
                }
            }
            interim-update {
                update {
                    description := "Last seen at %S"
                }
            }
            stop {
                update {
                    description := "Offline at %S"
                }
            }
        }
    }
    post-auth {
        update {
            description := "Authenticated at %S"
        }
    }
    options {
        chase_referrals = yes
        rebind = yes
        res_timeout = 10
        srv_timelimit = 3
        net_timeout = 1
        idle = 60
        probes = 3
        interval = 3
        ldap_debug = 0x0028
    }
    tls {
    }
    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = ${thread[pool].max_servers}
        spare = ${thread[pool].max_spare_servers}
        uses = 0
        retry_delay = 30
        lifetime = 0
        idle_timeout = 60
    }
}
ldap ldap2 {
    server = 'radldap2-216'
    identity = "cn=Manager,dc=firma,dc=de"
    password = xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    base_dn = "dc=firma,dc=de"
    scope = "sub"
    # filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
    filter = "(|(cn=%{%{StrippedUserName}:%{UserName}})(macAddress=%{%{StrippedUserName}:%{UserName}}))"
    set_auth_type = no
    sasl {
    }
    # update {
    #     control:Password-With-Header += 'userPassword'
    #     control: += 'radiusControlAttribute'
    #     request: += 'radiusRequestAttribute'
    #     reply: += 'radiusReplyAttribute'
    # }
    user {
        base_dn = "${..base_dn}"
        filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
        sasl {
        }
    }
    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=posixGroup)'
        membership_attribute = 'memberOf'
    }
    profile {
    }
    client {
        base_dn = "${..base_dn}"
        filter = '(objectClass=radiusClient)'
        template {
        }
        attribute {
            ipaddr = 'radiusClientIdentifier'
            secret = 'radiusClientSecret'
        }
    }
    accounting {
        reference = "%{tolower:type.%{Acct-Status-Type}}"
        type {
            start {
                update {
                    description := "Online at %S"
                }
            }
            interim-update {
                update {
                    description := "Last seen at %S"
                }
            }
            stop {
                update {
                    description := "Offline at %S"
                }
            }
        }
    }
    post-auth {
        update {
            description := "Authenticated at %S"
        }
    }
    options {
        chase_referrals = yes
        rebind = yes
        res_timeout = 10
        srv_timelimit = 3
        net_timeout = 1
        idle = 60
        probes = 3
        interval = 3
        ldap_debug = 0x0028
    }
    tls {
    }
    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = ${thread[pool].max_servers}
        spare = ${thread[pool].max_spare_servers}
        uses = 0
        retry_delay = 30
        lifetime = 0
        idle_timeout = 60
    }
}
>
> > I do have the dictionary_mapping file and the entries in the enabled ldap module
>
> There is no "dictionary_mapping" file in the LDAP module configuration for v3. This is one thing that changed...
>
> You can't just copy your v2 configuration to v3, and expect it to work. That's what major version number changes mean... the configurations are *not* 100% compatible.
>
> > . I have been fighting the whole day with this issue but can't even find a hint in the running environment.
> > The Laptop exists in the LDAP (bind ok, object can be found) and has the usual radius attributes like Tunnel-Private-Group-Id set as the LDAP database is restored from the running one.
> >
> > With the following statement in default, I do get an "Accept", but still missing the required attributes like tunnel-type and all the others.
> You're making random changes without really understanding what's going on. That's not going to work.
7 years ago I had a 2-day training, but if you do not need it anymore, you forget things. At the beginning I was very optimistic about a quick success until I reached this state. So I started to force an authorization with the "if" statement to see if the attributes from LDAP would appear in the radius log :)
> > radiusd -X
> > (1) Received Access-Request Id 186 from 192.168.0.7:3437 to 192.168.0.215:1812 length 240
>
> No, that's an *edited* version of the debug output. You've deleted information which may be important. Don't do that.
The only things I replaced are the company name by "firma" and the passwords by xxxxx; the rest is 100% the pure output I got from "radiusd -X".
>
> Alan DeKok.
Thank you Alan !
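Added example (not from the original post and not FreeRADIUS's shipped configuration): a v3-style ldap module fragment for the entries shown in the thread. It keeps only the server name, bind identity, base DN and the LDAP attribute names from the posted module and LDIF; every other choice is an assumption. The v2 top-level items in the posted module (filter, set_auth_type, profile_attribute, dictionary_mapping, ldap_connections_number, timeout, timelimit, net_timeout, edir_account_policy_check) are not read by the v3 module: in v3 the lookup filter lives in user {}, the profile pointer in profile {}, and the LDAP-to-RADIUS attribute mapping that ldap.attrmap used to do lives in the module's update {} section, which is commented out in the posted module, so nothing found in LDAP gets copied into the request. Only the lookup and mapping parts are shown; the pool, options, tls, accounting, post-auth and client sections can stay as posted.

```text
ldap ldap1 {
    server   = 'radldap1-215'
    #  As posted.  A dedicated read-only bind DN (write access only to
    #  "description" if the accounting updates are kept) is the
    #  least-privilege choice for radiusd; cn=Manager can rewrite the
    #  whole directory.
    identity = "cn=Manager,dc=firma,dc=de"
    password = xxxxxxxxxxxxxxxxxxxxxxxx
    base_dn  = "dc=firma,dc=de"

    #  v3 replacement for ldap.attrmap: <radius attr> <op> <ldap attr>.
    #  The map is applied to the user entry and to every profile entry
    #  reached through profile.attribute below, so radiusAuthType and
    #  the radiusTunnel* values stored on cn=INTRA end up in the request.
    update {
        control:Auth-Type             := 'radiusAuthType'
        reply:Reply-Message           := 'radiusReplyMessage'
        reply:Tunnel-Type             := 'radiusTunnelType'
        reply:Tunnel-Medium-Type      := 'radiusTunnelMediumType'
        reply:Tunnel-Private-Group-Id := 'radiusTunnelPrivateGroupId'
        control:                      += 'radiusControlAttribute'
        request:                      += 'radiusRequestAttribute'
        reply:                        += 'radiusReplyAttribute'
    }

    user {
        base_dn = "${..base_dn}"
        #  The MAC arrives as the User-Name.  The host entry carries both
        #  cn forms (10-65-30-67-03-42 and 106530670342), so a plain cn
        #  match covers either spelling; the module escapes the expanded
        #  value for use in the filter.
        #  The objectClass term is an assumption: with base dc=firma,dc=de
        #  and subtree scope a bare (cn=...) filter would also match the
        #  profile entry cn=INTRA, which itself carries
        #  radiusAuthType: Accept, so restrict the lookup to host entries.
        filter = "(&(objectClass=dhcpHost)(cn=%{%{Stripped-User-Name}:-%{User-Name}}))"
    }

    profile {
        #  v3 replacement for the v2 profile_attribute option
        attribute = 'radiusProfileDn'
    }

    #  pool {}, options {}, tls {}, accounting {}, post-auth {} and
    #  client {} unchanged from the posted module
}
```

With this mapping in place, radiusd -X shows the profile DN being followed and the mapped attributes being added to the control and reply lists for a matching request; if they still do not appear, the user filter did not match and the entry's DN and object classes are the first thing to check. Keep in mind what Auth-Type Accept on a MAC lookup means: possession of the MAC address is the whole credential, so the VLAN assignment is only as strong as the switch's own protection against address spoofing.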
More information about the Freeradius-Users mailing list