Re: Unifi wifi SSHA passwords freeradius
Сергей Черевко
ink.dude at mail.ru
Wed Feb 12 13:00:33 CET 2020
Hi, sorry, but I don't understand where I should write the correct values: in «sites-enabled\default», or in ldap?
Sorry
>Среда, 12 февраля 2020, 14:00 +03:00 от Сергей Черевко via Freeradius-Users <freeradius-users at lists.freeradius.org>:
>
>
>
>Hi!
>
>I have Unifi wifi — freeradius — ldap
>
>In LDAP I have SSHA passwords for users.
>
>This config on github helped me set up normal auth with SSHA passwords (instead of plaintext)
>https://github.com/hacor/unifi-freeradius-ldap
>
>I use ttls + pap
>
>All ok, but I have some trouble with a timeout (or something else)
>
>After a few hours wifi on clients (iOS, Android, PC) stops working, and users must manually reconnect to the wifi network
>
>When we use plaintext passwords and PEAP auth, all is ok. Clients do not stop working
>
>
>Logs
>
>Info: rlm_ldap (ldap): Closing connection (11428): Hit idle_timeout, was idle for 61 seconds
>Info: rlm_ldap (ldap): Closing connection (11433): Hit idle_timeout, was idle for 61 seconds
>Info: Need 6 more connections to reach 10 spares
>Info: rlm_ldap (ldap): Opening additional connection (11440), 1 of 28 pending slots used
>Info: Need 5 more connections to reach 10 spares
>Info: rlm_ldap (ldap): Opening additional connection (11441), 1 of 27 pending slots used
>Info: Need 4 more connections to reach 10 spares
>Info: rlm_ldap (ldap): Opening additional connection (11442), 1 of 26 pending slots used
>Info: Need 3 more connections to reach 10 spares
>Info: rlm_ldap (ldap): Opening additional connection (11443), 1 of 25 pending slots used
>
>Info: rlm_ldap (ldap): Closing connection (11440): Hit idle_timeout, was idle for 116 seconds
>Info: rlm_ldap (ldap): Closing connection (11438): Hit idle_timeout, was idle for 116 seconds
>Info: rlm_ldap (ldap): Closing connection (11426): Hit idle_timeout, was idle for 116 seconds
>Info: rlm_ldap (ldap): Closing connection (11439): Hit idle_timeout, was idle for 116 seconds
>Info: rlm_ldap (ldap): Closing connection (11445): Hit idle_timeout, was idle for 105 seconds
>Info: rlm_ldap (ldap): Closing connection (11442): Hit idle_timeout, was idle for 105 seconds
>Info: rlm_ldap (ldap): Closing connection (11429): Hit idle_timeout, was idle for 105 seconds
>Info: rlm_ldap (ldap): Closing connection (11443): Hit idle_timeout, was idle for 105 seconds
>
>And here is my freeradius config
>
>EAP
>
>eap {
> # Outer EAP module. default_eap_type is what is offered first; the poster
> # reports using TTLS with PAP inside.
> default_eap_type = ttls
> timer_expire = 60
> ignore_unknown_eap_types = no
> cisco_accounting_username_bug = no
> max_sessions = ${max_requests}
> md5 {
> }
> leap {
> }
> # EAP-GTC responses are handed to PAP, i.e. treated as a cleartext password
> # (only ever seen inside the TLS tunnel).
> gtc {
> auth_type = PAP
> }
> # Shared TLS settings for tls/ttls/peap below.
> tls-config tls-common {
> # Value redacted in the post. Keep it out of copies of this config and make
> # sure the file is readable only by the radiusd user.
> private_key_password = XXX
> private_key_file = ${certdir}/server.pem
> certificate_file = ${certdir}/server.pem
> ca_file = ${cadir}/ca.pem
> dh_file = ${certdir}/dh
> ca_path = ${cadir}
> # "DEFAULT" delegates cipher selection to the OpenSSL build, and
> # cipher_server_preference = no lets the client's ordering win.
> cipher_list = "DEFAULT"
> cipher_server_preference = no
> ecdh_curve = "prime256v1"
> # TLS session cache is disabled, so every reconnect performs a full TLS
> # handshake plus a fresh inner authentication instead of resuming.
> # NOTE(review): can't tell from here whether this relates to the drop-offs
> # reported above; worth checking against the debug output.
> cache {
> enable = no
> lifetime = 24 # hours
> }
> verify {
> }
> # OCSP checking of client certificates is off; only relevant for EAP-TLS
> # with client certificates.
> ocsp {
> enable = no
> override_cert_url = yes
> url = " http://127.0.0.1/ocsp/ "
> }
> }
>
> tls {
> tls = tls-common
> }
> # TTLS: inner requests go to the inner-tunnel virtual server; if the client
> # does EAP inside the tunnel, GTC (-> PAP, see gtc above) is the default.
> # Nothing from the outer request is copied in, and nothing from the inner
> # reply is copied out (copy_request_to_tunnel / use_tunneled_reply = no).
> ttls {
> tls = tls-common
> default_eap_type = gtc
> copy_request_to_tunnel = no
> use_tunneled_reply = no
> virtual_server = "inner-tunnel"
> }
> # PEAP: inner MSCHAPv2, which needs a cleartext or NT-hash password and
> # cannot be verified against the SSHA hashes in LDAP (hence the TTLS path).
> peap {
> tls = tls-common
> default_eap_type = mschapv2
> copy_request_to_tunnel = no
> use_tunneled_reply = no
> virtual_server = "inner-tunnel"
> }
> mschapv2 {
> }
>}
>
>DEFAULT
>
>server default {
># Outer (RADIUS-facing) virtual server.
>listen {
> type = auth
> ipaddr = *
> port = 0
> # limit {} applies to TCP listeners; with no proto set this is presumably
> # UDP, where these three values are not used. Confirm with -X output.
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
>}
>listen {
> ipaddr = *
> port = 0
> type = acct
> limit {
> }
>}
>authorize {
> filter_username
> preprocess
> digest
> suffix
> # For EAP requests the eap module sets Auth-Type EAP and "ok = return" ends
> # authorize here, so ldap/pap and the override below only run for non-EAP
> # (plain PAP/CHAP) requests reaching this server.
> eap {
> ok = return
> #updated = return
> }
> files
> -sql
> ldap
> expiration
> logintime
> pap
> # Any request carrying a User-Password is forced to Auth-Type ldap
> # (bind as the user), even though ldap above has already fetched the
> # userPassword hash for pap. The inner-tunnel server does the same.
> if (User-Password) {
> update control {
> Auth-Type := ldap
> }
> }
>}
>authenticate {
> # pap is commented out here; with the override above, PAP requests are
> # dispatched to the bare "ldap" entry further down, not to this section.
> Auth-Type PAP {
> #pap
> ldap
> }
> Auth-Type CHAP {
> chap
> }
> Auth-Type MS-CHAP {
> mschap
> }
> mschap
> digest
> # A bare module name in authenticate acts as "Auth-Type ldap { ldap }";
> # this is what Auth-Type := ldap dispatches to (LDAP bind with the user's
> # own credentials).
> #Auth-Type LDAP {
> ldap
> #}
> eap
>}
>preacct {
> preprocess
> acct_unique
> suffix
> files
>}
>accounting {
> detail
> unix
> -sql
> exec
> attr_filter.accounting_response
>}
>session {
>}
>post-auth {
> if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
> update reply {
> &User-Name !* ANY
> }
> }
> update {
> &reply: += &session-state:
> }
>
> # Authorization gate on the OUTER identity: a user in none of the three
> # vpn groups is rejected after a successful authentication. Outer post-auth
> # also runs for the final Accept of wifi (EAP) sessions, so wifi users must
> # be in one of these groups too, and the outer User-Name must be one the
> # LDAP group lookup can resolve. NOTE(review): can't confirm from the post
> # that this is intended.
> if (LDAP-Group == "vpn") {
> vpn_l2tp_pool
> }
> elsif (LDAP-Group == "vpn-ext") {
> vpn_l2tp_ext_pool
> }
> elsif (LDAP-Group == "vpn-1c") {
> ok
> }
> else {
> reject
> }
> -sql
> exec
> remove_reply_message_if_eap
> Post-Auth-Type REJECT {
> -sql
> attr_filter.access_reject
> eap
> remove_reply_message_if_eap
> }
> Post-Auth-Type Challenge {
> }
>}
>pre-proxy {
>}
>post-proxy {
> eap
>}
>}
>
>INNER TUNNEL
>
>server inner-tunnel {
># Handles the decrypted inner request from TTLS/PEAP.
>listen {
> # NOTE(review): the stock inner-tunnel listener binds 127.0.0.1 and exists
> # only for local testing; "ipaddr = *" exposes port 18120 on every
> # interface. Bind it to loopback or remove this listen {} block.
> ipaddr = *
> port = 18120
> type = auth
>}
>authorize {
> filter_username
> suffix
> update control {
> &Proxy-To-Realm := LOCAL
> }
> eap {
> ok = return
> }
> -sql
> # ldap fetches userPassword into control:Password-With-Header (see the
> # ldap module's update {}) so that pap could compare the SSHA hash...
> ldap
> expiration
> logintime
> pap
> # ...but a present User-Password then forces Auth-Type ldap: the user is
> # authenticated by binding to LDAP with the tunnelled password and the
> # fetched hash is never compared. Same override as in the outer server.
> if (User-Password) {
> update control {
> Auth-Type := ldap
> }
> }
>}
>authenticate {
> # Not reached for requests covered by the override above (and pap is
> # disabled here anyway).
> Auth-Type PAP {
> #pap
> ldap
> }
> Auth-Type CHAP {
> chap
> }
> Auth-Type MS-CHAP {
> mschap
> }
> mschap
> # Bare "ldap" acts as "Auth-Type ldap { ldap }": the target of
> # Auth-Type := ldap.
># Auth-Type LDAP {
> ldap
># }
> eap
>}
>session {
> radutmp
>}
>post-auth {
> -sql
> # Group gate: only members of the "wifi" LDAP group get an inner Accept;
> # everyone else is rejected even after a successful bind.
> if (LDAP-Group == "wifi") {
> noop
> } else {
> reject
> }
> # Dead code: "if (0)" never runs, so inner reply attributes (including the
> # MS-MPPE keys listed) are NOT copied into the outer session-state here.
> if (0) {
> update reply {
> User-Name !* ANY
> Message-Authenticator !* ANY
> EAP-Message !* ANY
> Proxy-State !* ANY
> MS-MPPE-Encryption-Types !* ANY
> MS-MPPE-Encryption-Policy !* ANY
> MS-MPPE-Send-Key !* ANY
> MS-MPPE-Recv-Key !* ANY
> }
> update {
> &outer.session-state: += &reply:
> }
> }
> Post-Auth-Type REJECT {
> -sql
> attr_filter.access_reject
> # Surface the inner failure reason to the outer server.
> update outer.session-state {
> &Module-Failure-Message := &request:Module-Failure-Message
> }
> }
>}
>pre-proxy {
>}
>post-proxy {
> eap
>}
>}
>
>LDAP
>
>ldap {
> # Loopback directory; see tls {} below, the socket is plaintext.
> server = 'localhost'
> # NOTE(review): the bind account is the directory admin and its password
> # is in cleartext here (and is now public on this list). Use a dedicated
> # read-only service account limited to ou=people / ou=groups, rotate this
> # password, and keep the file readable by radiusd only.
> identity = 'cn=admin,dc=fusioncore,dc=local'
> password = fusioncore
> base_dn = 'ou=people,dc=fusioncore,dc=local'
> sasl {
> }
> # Map LDAP attributes onto the request. userPassword is pulled into
> # control:Password-With-Header so pap can verify {SSHA} hashes; this needs
> # the bind account to be allowed to read userPassword. (Both virtual
> # servers then override Auth-Type to ldap, so in the posted config the hash
> # is fetched but the user bind does the actual check.)
> update {
> control:Password-With-Header += 'userPassword'
> control: += 'radiusControlAttribute'
> request: += 'radiusRequestAttribute'
> reply: += 'radiusReplyAttribute'
> }
> user {
> base_dn = "${..base_dn}"
> # Stripped-User-Name / User-Name is expanded into the search filter
> # (the module escapes expanded values in filter strings).
> filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
> sasl {
> }
> }
> group {
> base_dn = "ou=groups,dc=fusioncore,dc=local"
> filter = '(objectClass=GroupOfNames)'
> name_attribute = cn
> # Membership is resolved either by DN (member=) or by uid (memberUid=);
> # the LDAP-Group comparisons in both post-auth sections rely on this.
> membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
> membership_attribute = 'memberUid'
> }
> profile {
> }
> # RADIUS clients (NAS address + shared secret) are loaded from LDAP, so
> # the shared secrets are readable by anything that can read these entries.
> client {
> base_dn = "${..base_dn}"
> filter = '(objectClass=radiusClient)'
> template {
> }
> attribute {
> ipaddr = 'radiusClientIdentifier'
> secret = 'radiusClientSecret'
> }
> }
> accounting {
> reference = "%{tolower:type.%{Acct-Status-Type}}"
> type {
> start {
> update {
> description := "Online at %S"
> }
> }
> interim-update {
> update {
> description := "Last seen at %S"
> }
> }
> stop {
> update {
> description := "Offline at %S"
> }
> }
> }
> }
> post-auth {
> update {
> description := "Authenticated at %S"
> }
> }
> options {
> # Referrals are followed and, with rebind = yes, the admin credentials
> # above are re-used to bind to the referred server. Over plaintext LDAP
> # that is only acceptable if every referral target is local and trusted.
> chase_referrals = yes
> rebind = yes
> res_timeout = 10
> srv_timelimit = 3
> net_timeout = 1
> # TCP keepalive settings for the LDAP sockets.
> idle = 60
> probes = 3
> interval = 3
> # libldap debug flags; these can write DNs and attribute values to the
> # log, so check what ends up there before leaving this enabled.
> ldap_debug = 0x0028
> }
> # No STARTTLS: the bind password and every user's password (bind-as-user)
> # cross the socket unencrypted. Defensible only because server = 'localhost'.
> tls {
> start_tls = no
> }
> # NOTE(review): not an rlm_ldap option I recognise for v3; the pool {}
> # below governs connection counts. Check radiusd -X for a warning about it.
> ldap_connections_number = 5
> # Connection pool sized from the thread pool. idle_timeout = 60 is what
> # produces the "Closing connection ... Hit idle_timeout, was idle for 61
> # seconds" lines above and the subsequent re-opens up to the spare count.
> # That churn is expected with these values; whether it relates to the
> # client drop-offs can't be determined from this post.
> pool {
> start = ${thread[pool].start_servers}
> min = ${thread[pool].min_spare_servers}
> max = ${thread[pool].max_servers}
> spare = ${thread[pool].max_spare_servers}
> uses = 0
> retry_delay = 30
> lifetime = 0
> idle_timeout = 60
> }
>}
>
>
>