Freeradius - how to reply "memberof" active directory information for Strongswan

Sébastien Genesta genesta.sebastien at gmail.com
Wed Sep 25 17:13:49 CEST 2019


Hi,

So I come back to you because I'm encountering an issue with LDAP
authentication on Strongswan.

Below is my /etc/freeradius/3.0/sites-enabled/default:

authorize {
[...]
        ldap
        if (ok) {
                update control {
                        Auth-Type := LDAP
                }
                return
        }
[...]
}

authenticate {
[...]
        ldap
[...]
}

When I use radtest, authentication works (Received Access-Accept Id 108
from 127.0.0.1:1812 to 127.0.0.1:58411 length 20)

When I try to connect from Strongswan, the following debug message is returned:

root at xxxxxxxxxxxxxxxxxxxx:/etc/freeradius/3.0/mods-enabled# (1) Received
Access-Request Id 81 from 127.0.0.1:38840 to 127.0.0.1:1812 length 167
(1)   User-Name = "*****************"
(1)   NAS-Port-Type = Virtual
(1)   Service-Type = Framed-User
(1)   NAS-Port = 4
(1)   NAS-Port-Id = "*******************"
(1)   NAS-IP-Address = *********************
(1)   Called-Station-Id = "************[4500]"
(1)   Calling-Station-Id = "3*********************[4500]"
(1)   Acct-Session-Id = "1569423115-4"
(1)   EAP-Message = 0x0200000d017367656e65737461
(1)   NAS-Identifier = "StrongSwan"
(1)   Message-Authenticator = 0xeccdef2bf094890a372c069ac44dc467
(1) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 375
seconds
rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 375
seconds
rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 375
seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for 375
seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (5): Hit idle_timeout, was idle for 371
seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): 0 of 0 connections in use.  You  may need to increase
"spare"
rlm_ldap (ldap): Opening additional connection (6), 1 of 32 pending slots
used
rlm_ldap (ldap): Connecting to ldap://*********************:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Reserved connection (6)
(1) ldap: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
(1) ldap:    --> (sAMAccountName=*********************)
(1) ldap: Performing search in "*******************" with filter
"(sAMAccountName=*****************)", scope "sub"
(1) ldap: Waiting for search result...
rlm_ldap (ldap): Rebinding to URL ldap://***********************
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://*****************************
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL
ldap://************************************
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(1) ldap: User object found at DN
"CN=**********************************************"
(1) ldap: Processing user attributes
(1) ldap: WARNING: No "known good" password added. Ensure the admin user
has permission to read the password attribute
(1) ldap: WARNING: PAP authentication will *NOT* work with Active Directory
(if that is what you were trying to configure)
rlm_ldap (ldap): Deleting connection (6) - Was referred to a different LDAP
server
Need 3 more connections to reach min connections (3)
rlm_ldap (ldap): Opening additional connection (7), 1 of 32 pending slots
used
rlm_ldap (ldap): Connecting to ldap://*****************************
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(1)     [ldap] = ok
(1)     if (ok) {
(1)     if (ok)  -> TRUE
(1)     if (ok)  {
(1)       update control {
(1)         Auth-Type := ldap
(1)       } # update control = noop
(1)       return
(1)     } # if (ok)  = noop
(1)   } # authorize = ok
(1) Found Auth-Type = ldap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   authenticate {
(1) ldap: WARNING: You have set "Auth-Type := LDAP" somewhere
(1) ldap: WARNING: *********************************************
(1) ldap: WARNING: * THAT CONFIGURATION IS WRONG.  DELETE IT.
(1) ldap: WARNING: * YOU ARE PREVENTING THE SERVER FROM WORKING
(1) ldap: WARNING: *********************************************
(1) ldap: ERROR: Attribute "User-Password" is required for authentication
(1)     [ldap] = invalid
(1)   } # authenticate = invalid
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject:    --> *************
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1)     [attr_filter.access_reject] = updated
(1) eap: Request was previously rejected, inserting EAP-Failure
(1) eap: Sending EAP Failure (code 4) ID 0 length 4
(1)     [eap] = updated
(1)     policy remove_reply_message_if_eap {
(1)       if (&reply:EAP-Message && &reply:Reply-Message) {
(1)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(1)       else {
(1)         [noop] = noop
(1)       } # else = noop
(1)     } # policy remove_reply_message_if_eap = noop
(1)   } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds
Waking up in 0.9 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 81 from 127.0.0.1:1812 to 127.0.0.1:38840 length
44
(1)   EAP-Message = 0x04000004
(1)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(1) Cleaning up request packet ID 81 with timestamp +375

According to "WARNING: You have set "Auth-Type := LDAP" somewhere", I've
tried to remove it, but radtest then fails (ERROR: No Auth-Type found: rejecting
the user via Post-Auth-Type = Reject)

Thanks

On Wed, Sep 25, 2019 at 15:20, Sébastien Genesta <
genesta.sebastien at gmail.com> wrote:

> Hi,
>
> Thanks for your answer. I think the issue is caused by the fact that I was
> using mschap to check AD for membership.
>
> I will try to configure ldap module and give you a feedback with debug
> information if it still doesn't work.
>
> Seb.
>
> On Tue, Sep 24, 2019 at 20:45, Alan DeKok <aland at deployingradius.com>
> wrote:
>
>> On Sep 24, 2019, at 2:34 PM, Sébastien Genesta <
>> genesta.sebastien at gmail.com> wrote:
>> > I'm using Freeradius for the Active Directory authentication of my
>> > Strongswan clients.
>>
>>   That should be fine.
>>
>> > My goal is to declare 2 vpn connections with different virtual IP
>> leases,
>> > allowing me to separate traffic (as an example, one vpn connection for
>> > sales and the other for technicians).
>> >
>> > To do it, I'm trying to use Group selection option (rightgroups) on
>> > Strongswan.
>> >
>> > According to Strongswan documentation (
>> > https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius) I have
>> to
>> > use class attribute on my freeradius server to return the group
>> membership.
>> >
>> > The issue is that I don't know how.
>> >
>> > I'm using mschap for authentication to Active Directory.
>>
>>   You can't get group information using mschap.  You MUST configure the
>> ldap module to check AD for group membership.
>>
>> > I've tried to follow this post but it didn't work
>> >
>> http://freeradius.1045715.n5.nabble.com/Return-User-Groups-in-Class-field-td5752289.html
>>
>>   Define "didn't work".  What happened?
>>
>> > More precisely the part below (replacing ldap module by mschap module and
>> also
>> > changing path because my freeradius version is 3.0):
>> > ...
>> > # /etc/raddb/sites-enabled/default
>> > post-auth {
>> > ...
>> >        foreach &reply:memberOf {
>> >            update reply {
>> >                Class += "%{Foreach-Variable-0}"
>> >            }
>> >        }
>> > ...
>> > }
>>
>>   And... what showed up in the debug output?
>>
>> > Is there any official guide explaining how to reply memberOf attribute?
>>
>>   No.
>>
>> > How can I do it?
>>
>>   The above method *should* work, provided you read the debug output to
>> see what's going on.
>>
>>   Alan DeKok.
>>
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
>
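As an added example (not code from the thread or from the FreeRADIUS project), here is a configuration that follows the advice above: the ldap module does the AD lookup only, authentication stays with eap/mschap because the Access-Request carries EAP-Message, and group membership goes back to strongSwan as Class values. The server, bind credentials and group DNs are placeholders, and it assumes strongSwan's EAP method is handled in this site (no inner tunnel).

```unlang
# mods-available/ldap (FreeRADIUS 3.0): user lookup plus group membership from AD.
# Server, bind identity and DNs are placeholders.
ldap {
        server = 'ldap://dc.example.invalid'
        identity = 'CN=svc-radius,OU=Service,DC=example,DC=invalid'
        password = 'PLACEHOLDER'
        base_dn = 'DC=example,DC=invalid'
        user {
                base_dn = "${..base_dn}"
                filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
        }
        group {
                base_dn = "${..base_dn}"
                filter = '(objectClass=group)'
                name_attribute = 'cn'
                # AD lists the group DNs on the user object itself
                membership_attribute = 'memberOf'
        }
}

# sites-enabled/default: no "Auth-Type := LDAP" anywhere. The request carries
# EAP-Message, so eap sets Auth-Type := EAP and mschap (ntlm_auth) checks the
# password against AD; ldap never sees a User-Password here.
authorize {
        # ... stock section ...
        eap {
                ok = return
        }
        # ... stock section ...
}

post-auth {
        # Runs only when the user was accepted. LDAP-Group performs its own AD
        # lookup on demand; strongSwan's rightgroups then matches the Class values.
        if (LDAP-Group == "CN=VPN-Sales,OU=Groups,DC=example,DC=invalid") {
                update reply {
                        Class += "sales"
                }
        }
        if (LDAP-Group == "CN=VPN-Tech,OU=Groups,DC=example,DC=invalid") {
                update reply {
                        Class += "technicians"
                }
        }
        # ... stock section ...
}
```

With `radiusd -X`, a successful lookup shows the `LDAP-Group` comparison and the `update reply` adding `Class` in the post-auth section; a user in neither group gets an Access-Accept without Class and therefore matches no rightgroups entry.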


More information about the Freeradius-Users mailing list