Unifi wifi SSHA passwords freeradius

Сергей Черевко ink.dude at mail.ru
Wed Feb 12 11:59:33 CET 2020


 
Hi!
 
I have Unifi wifi — freeradius — ldap.
 
In LDAP I have SSHA passwords for the users.
 
This config on GitHub helped me set up normal auth with SSHA passwords (instead of plaintext):
https://github.com/hacor/unifi-freeradius-ldap
 
I use TTLS + PAP.
 
All is OK, but I have some trouble with a timeout (or something else).
 
After a few hours, wifi on the clients (iOS, Android, PC) stops working, and users must manually reconnect to the wifi network.
 
When we use plaintext passwords and PEAP auth, all is OK — clients do not stop working.
 
 
Logs
 
Info: rlm_ldap (ldap): Closing connection (11428): Hit idle_timeout, was idle for 61 seconds
Info: rlm_ldap (ldap): Closing connection (11433): Hit idle_timeout, was idle for 61 seconds
Info: Need 6 more connections to reach 10 spares
Info: rlm_ldap (ldap): Opening additional connection (11440), 1 of 28 pending slots used
Info: Need 5 more connections to reach 10 spares
Info: rlm_ldap (ldap): Opening additional connection (11441), 1 of 27 pending slots used
Info: Need 4 more connections to reach 10 spares
Info: rlm_ldap (ldap): Opening additional connection (11442), 1 of 26 pending slots used
Info: Need 3 more connections to reach 10 spares
Info: rlm_ldap (ldap): Opening additional connection (11443), 1 of 25 pending slots used
 
Info: rlm_ldap (ldap): Closing connection (11440): Hit idle_timeout, was idle for 116 seconds
Info: rlm_ldap (ldap): Closing connection (11438): Hit idle_timeout, was idle for 116 seconds
Info: rlm_ldap (ldap): Closing connection (11426): Hit idle_timeout, was idle for 116 seconds
Info: rlm_ldap (ldap): Closing connection (11439): Hit idle_timeout, was idle for 116 seconds
Info: rlm_ldap (ldap): Closing connection (11445): Hit idle_timeout, was idle for 105 seconds
Info: rlm_ldap (ldap): Closing connection (11442): Hit idle_timeout, was idle for 105 seconds
Info: rlm_ldap (ldap): Closing connection (11429): Hit idle_timeout, was idle for 105 seconds
Info: rlm_ldap (ldap): Closing connection (11443): Hit idle_timeout, was idle for 105 seconds
 
And here is my freeradius config.
 
EAP
 
eap {
    # Outer EAP method offered first; per the post the supplicants use TTLS with PAP inside.
    default_eap_type = ttls
    # Seconds before a stalled (unfinished) EAP conversation is expired.
    timer_expire     = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = ${max_requests}
    md5 {
    }
    leap {
    }
    gtc {
        # An inner GTC answer is treated as a PAP password and checked by the
        # authenticate section of the inner tunnel.
        auth_type = PAP
    }
    tls-config tls-common {
        # Value redacted for the list.
        private_key_password = XXX
        # Key and certificate are read from the same PEM file.
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        ca_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        ca_path = ${cadir}
        # OpenSSL's DEFAULT cipher set; no minimum TLS version is pinned in this block.
        cipher_list = "DEFAULT"
        cipher_server_preference = no
        ecdh_curve = "prime256v1"
        cache {
            # TLS session caching is off, so there is no TLS session resumption:
            # every client (re)connection runs a full TLS handshake plus a full
            # inner authentication.  NOTE(review): worth checking whether enabling
            # this changes the "clients drop after a few hours" symptom from the post.
            enable = no
            lifetime = 24 # hours
        }
        verify {
        }
        ocsp {
            # OCSP checking disabled; the url below is unused while enable = no.
            enable = no
            override_cert_url = yes
            url = " http://127.0.0.1/ocsp/ "
        }
    }

    tls {
        tls = tls-common
    }
    ttls {
        tls = tls-common
        # Only used if the supplicant runs EAP inside the tunnel; plain TTLS/PAP
        # (as described in the post) sends User-Password directly instead.
        default_eap_type = gtc
        # Outer request attributes are not copied into the inner-tunnel request,
        # and inner reply attributes are not copied back into the outer reply.
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
    peap {
        tls = tls-common
        # MSCHAPv2 needs a cleartext or NT-hash password on the server side, so it
        # cannot be verified against the SSHA hashes in LDAP -- which is presumably
        # why PEAP only worked with plaintext passwords (see the post).
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
    mschapv2 {
    }
}
 
DEFAULT
 
server default {
listen {
    type = auth
    ipaddr = *
    port = 0
    # NOTE(review): limit {} settings apply to TCP listeners; this socket has no
    # proto = tcp, so they presumably have no effect on the UDP auth port -- confirm.
    limit {
          max_connections = 16
          lifetime = 0
          idle_timeout = 30
    }
}
listen {
    ipaddr = *
    port = 0
    type = acct
    limit {
    }
}
authorize {
    filter_username
    preprocess
    digest
    suffix
    eap {
        # Stop processing authorize when eap returns ok.  The stock config also
        # has `updated = return` (commented out below), so after eap claims an
        # EAP packet the ldap/pap lines further down may still run for the outer
        # (identity-only) request.  NOTE(review): confirm that is intended.
        ok = return
        #updated = return
    }
    files
    -sql
    ldap
    expiration
    logintime
    pap
        # Any request carrying a cleartext User-Password is authenticated by an
        # LDAP bind (see authenticate below), overriding whatever pap decided above.
        if (User-Password) {
            update control {
                   Auth-Type := ldap
            }
        }
}
authenticate {
    Auth-Type PAP {
        # pap (hash comparison against control:Password-With-Header) is disabled;
        # an LDAP bind as the user is used instead.
        #pap
        ldap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    mschap
    digest
    # The Auth-Type LDAP wrapper is commented out, but a bare module name here
    # acts as its own Auth-Type section, so `Auth-Type := ldap` still lands on it.
    #Auth-Type LDAP {
        ldap
    #}
    eap
}
preacct {
    preprocess
    acct_unique
    suffix
    files
}
accounting {
    detail
    unix
    -sql
    exec
    attr_filter.accounting_response
}
session {
}
post-auth {
    # Stock behaviour: drop User-Name from the reply when it merely echoes the request.
    if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
        update reply {
            &User-Name !* ANY
        }
    }
    # Attributes accumulated in session-state during the EAP exchange go into the reply.
    update {
        &reply: += &session-state:
    }
            
    # NOTE(review): this chain runs for every successful outer authentication,
    # wifi EAP included, and rejects any user who is in none of the vpn groups
    # even though the inner tunnel already accepted them -- confirm wifi users
    # are also members of one of these groups.  Each LDAP-Group comparison is
    # resolved by rlm_ldap per request; the *_pool modules are defined outside
    # the posted config.
        if (LDAP-Group == "vpn") {
        vpn_l2tp_pool
        }
        elsif (LDAP-Group == "vpn-ext") {
        vpn_l2tp_ext_pool
        }
        elsif (LDAP-Group == "vpn-1c") {
        ok
        }
        else {
        reject
        }
    -sql
    exec
    remove_reply_message_if_eap
    Post-Auth-Type REJECT {
        -sql
        attr_filter.access_reject
        eap
        remove_reply_message_if_eap
    }
    Post-Auth-Type Challenge {
    }
}
pre-proxy {
}
post-proxy {
    eap
}
}
 
INNER TUNNEL
 
server inner-tunnel {
# NOTE(review): the stock config binds this test listener to 127.0.0.1; on *
# any configured RADIUS client can send requests straight to the inner tunnel,
# bypassing the TLS tunnel -- confirm this is intended.
listen {
       ipaddr = *
       port = 18120
       type = auth
}
authorize {
    filter_username
    suffix
    # Never proxy inner-tunnel requests.
    update control {
        &Proxy-To-Realm := LOCAL
    }
    eap {
        ok = return
    }
    -sql
    # User lookup (and LDAP-Group resolution for post-auth) happens here.
    ldap
    expiration
    logintime
    pap
    # TTLS/PAP delivers the cleartext password as User-Password inside the
    # tunnel, so every such login is verified by an LDAP bind (see authenticate).
    if (User-Password) {
            update control {
                Auth-Type := ldap
            }
        }
}
authenticate {
    Auth-Type PAP {
        # Hash comparison via pap is disabled; an LDAP bind as the user is used instead.
        #pap
        ldap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    mschap
    # Bare module name acts as Auth-Type LDAP even with the wrapper commented out.
#    Auth-Type LDAP {
        ldap
#    }
    eap
}
session {
    radutmp
}
post-auth {
    -sql
    # Inner-tunnel policy: only members of the LDAP group "wifi" are accepted.
                if (LDAP-Group == "wifi") {
                noop
                } else {
                reject
                }
    # Disabled by if (0).  When enabled it copies the inner reply (minus the
    # attributes listed) into the outer session-state, which the outer post-auth
    # merges into its reply.  With use_tunneled_reply = no in the eap config this
    # is presumably the only path for inner reply attributes to reach the outer
    # reply, so at present none do.
    if (0) {
        update reply {
            User-Name !* ANY
            Message-Authenticator !* ANY
            EAP-Message !* ANY
            Proxy-State !* ANY
            MS-MPPE-Encryption-Types !* ANY
            MS-MPPE-Encryption-Policy !* ANY
            MS-MPPE-Send-Key !* ANY
            MS-MPPE-Recv-Key !* ANY
        }
        update {
            &outer.session-state: += &reply:
        }
    }
    Post-Auth-Type REJECT {
        -sql
        attr_filter.access_reject
        # Surface the inner failure reason to the outer request's logs.
        update outer.session-state {
            &Module-Failure-Message := &request:Module-Failure-Message
        }
    }
}
pre-proxy {
}
post-proxy {
    eap
}
}
 
LDAP
 
ldap {
    server = 'localhost'
    # NOTE(review): binds as the directory admin with a cleartext password.  A
    # dedicated read-only account limited to the attributes used below would be
    # least privilege; and since this value went to a public list, rotate it.
    identity = 'cn=admin,dc=fusioncore,dc=local'
    password = fusioncore
    base_dn = 'ou=people,dc=fusioncore,dc=local'
    sasl {
    }
    update {
        # Pulls the {SSHA}... userPassword into control so pap could verify the
        # hash.  The authenticate sections above use an LDAP bind instead, so
        # with a bind-based check the bind account would not need read access to
        # userPassword at all.
        control:Password-With-Header    += 'userPassword'
        control:            += 'radiusControlAttribute'
        request:            += 'radiusRequestAttribute'
        reply:                += 'radiusReplyAttribute'
    }
    user {
        base_dn = "${..base_dn}"
        # Username comes straight from the request.  rlm_ldap LDAP-escapes values
        # expanded inside filters, so this should not be a raw filter-injection
        # point -- worth confirming against the installed version.
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        sasl {
        }
    }
    group {
        base_dn = "ou=groups,dc=fusioncore,dc=local"
        filter = '(objectClass=GroupOfNames)'
        name_attribute = cn
        # Membership matched either by the user's DN (control:Ldap-UserDn, set by
        # the user lookup above) or by memberUid = username.
        membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
        membership_attribute = 'memberUid'
    }
    profile {
    }
    client {
        base_dn = "${..base_dn}"
        filter = '(objectClass=radiusClient)'
        template {
        }
        attribute {
            ipaddr                = 'radiusClientIdentifier'
            secret                = 'radiusClientSecret'
        }
    }
    accounting {
        reference = "%{tolower:type.%{Acct-Status-Type}}"
        type {
            start {
                update {
                    description := "Online at %S"
                }
            }
            interim-update {
                update {
                    description := "Last seen at %S"
                }
            }
            stop {
                update {
                    description := "Offline at %S"
                }
            }
        }
    }
    post-auth {
        update {
            description := "Authenticated at %S"
        }
    }
    options {
        chase_referrals = yes
        rebind = yes
        # Per-query timeouts, seconds.
        res_timeout = 10
        srv_timelimit = 3
        net_timeout = 1
        # TCP keepalive on the LDAP connections: idle seconds before probing,
        # number of probes, seconds between probes.
        idle = 60
        probes = 3
        interval = 3
        # libldap debug mask; appears to be the stock default.
        ldap_debug = 0x0028
    }
    tls {
        # Plain LDAP.  Acceptable only because server = 'localhost' above; off-box
        # the bind password and password hashes would cross the wire in clear.
        start_tls = no
    }
    # Looks like the pre-3.0 setting; presumably ignored in favour of pool {} below -- confirm.
    ldap_connections_number = 5
    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = ${thread[pool].max_servers}
        # 10 per the "Need N more connections to reach 10 spares" lines in the post.
        spare = ${thread[pool].max_spare_servers}
        uses = 0
        retry_delay = 30
        lifetime = 0
        # The "Hit idle_timeout, was idle for 61 seconds" Info lines in the post
        # come from here: spare connections idle for over 60s are closed and
        # reopened on demand.  That is routine pool maintenance, not an error,
        # and on its own is unlikely to explain the wifi clients dropping.
        idle_timeout = 60
    }
}
 
 
 