Freeradius to authenticate against Google LDAP

Christian Bednarz christian.bednarz at lanes-planes.com
Wed Feb 10 10:48:31 CET 2021


Hi all.

I finally managed to get an Access-Accept in radtest (I apparently forgot to uncomment the ldap section in sites-enabled/default’s authenticate section), so I went on trying to implement the whole FreeRADIUS solution within our Ubiquiti network for VPN. And communication between client, VPN gateway, FreeRADIUS and Google LDAP itself seems to work fine, telling from the debug log, which makes me extremely happy.

But what fails is the authentication part while trying to connect with the built-in VPN client of macOS Big Sur (11.2.0). Here is the log:

(0) Received Access-Request Id 161 from 192.168.4.1:54219 to 192.168.5.119:1812 length 152
(0)   Service-Type = Framed-User
(0)   Framed-Protocol = PPP
(0)   User-Name = "it-test at lanes-planes.com"
(0)   MS-CHAP-Challenge = 0x36169958932d4caae570b84f9d904bc4
(0)   MS-CHAP2-Response = 0x73005bd7ede08f3f079761ea9347b33f9ab1000000000000000006e7f9e1e8a8cf46c100571989fc4c56437a955c64263d4a
(0)   NAS-IP-Address = 127.0.1.1
(0)   NAS-Port = 100000
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(0)     [mschap] = ok
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "lanes-planes.com" for User-Name = "it-test at lanes-planes.com"
(0) suffix: Found realm "lanes-planes.com"
(0) suffix: Adding Stripped-User-Name = "it-test"
(0) suffix: Adding Realm = "lanes-planes.com"
(0) suffix: Authentication realm is LOCAL
(0)     [suffix] = ok
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) files: users: Matched entry DEFAULT at line 181
(0)     [files] = ok
rlm_ldap (ldap): Reserved connection (0)
(0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap:    --> (uid=it-test)
(0) ldap: Performing search in "dc=lanes-planes,dc=com" with filter "(uid=it-test)", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: User object found at DN "uid=it-test,ou=Users,dc=lanes-planes,dc=com"
(0) ldap: Processing user attributes
(0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
rlm_ldap (ldap): Waiting for bind result...
ber_get_next failed.
rlm_ldap (ldap): Bind successful
(0)     [ldap] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0)     if (User-Password) {
(0)     if (User-Password)  -> FALSE
Not doing PAP as Auth-Type is already set.
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = mschap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   authenticate {
(0) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
(0) mschap: Creating challenge hash with username: it-test at lanes-planes.com
(0) mschap: Client is using MS-CHAPv2
(0) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication
(0) mschap: ERROR: MS-CHAP2-Response is incorrect
(0)     [mschap] = reject
(0)   } # authenticate = reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> it-test at lanes-planes.com
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)     [eap] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.9 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 161 from 192.168.5.119:1812 to 192.168.4.1:54219 length 103
(0)   MS-CHAP-Error = "sE=691 R=1 C=5d2530561851dae0ec888c0efaa2434c V=3 M=Authentication rejected"
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 161 with timestamp +43
Ready to process requests

Would anyone be so kind as to point me in the right direction as to what exactly to change in this setup in order to get it to work? Any help much appreciated. I feel quite close to the solution, but I might be lacking the necessary understanding of authentication protocols to get this sorted. :-/ Thank you.

Best regards
Christian
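As an added illustration (not part of Christian's post and not FreeRADIUS code), the following Python splits the MS-CHAP2-Response and MS-CHAP-Error attributes quoted in the debug output above and computes the RFC 2759 challenge hash that rlm_mschap logs; it makes visible why the server needs the NT hash to verify the response, which an LDAP bind against Google never provides. The user name is a constructed placeholder.

```python
import hashlib
from dataclasses import dataclass

# Attribute values copied from the FreeRADIUS debug output quoted above.
MS_CHAP_CHALLENGE = bytes.fromhex("36169958932d4caae570b84f9d904bc4")
MS_CHAP2_RESPONSE = bytes.fromhex(
    "73005bd7ede08f3f079761ea9347b33f9ab1000000000000000006e7f9e1e8a8cf46c100571989fc4c56437a955c64263d4a")
MS_CHAP_ERROR = "sE=691 R=1 C=5d2530561851dae0ec888c0efaa2434c V=3 M=Authentication rejected"
USER_NAME = "it-test@example.com"  # constructed placeholder, not the poster's real account


@dataclass
class MsChap2Response:
    ident: int             # echoed back as the first byte of MS-CHAP-Error ('s' == 0x73 here)
    flags: int
    peer_challenge: bytes  # 16 bytes chosen by the client
    reserved: bytes        # 8 zero bytes
    nt_response: bytes     # 24 bytes: three DES blocks keyed from the NT hash


def parse_mschap2_response(raw: bytes) -> MsChap2Response:
    """Split the fixed-layout MS-CHAP2-Response attribute (RFC 2548 section 2.3.3)."""
    if len(raw) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 bytes, got {len(raw)}")
    resp = MsChap2Response(raw[0], raw[1], raw[2:18], raw[18:26], raw[26:50])
    if resp.reserved != bytes(8):
        raise ValueError("reserved field must be zero")
    return resp


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 ChallengeHash(): SHA1(PeerChallenge || AuthChallenge || UserName)[:8].
    This is what rlm_mschap means by 'Creating challenge hash with username'.
    The next step, encrypting it under three DES keys cut from MD4(UTF-16LE(password)),
    needs the NT hash itself; an LDAP bind only proves the password to Google and never
    hands that hash to FreeRADIUS, hence 'No NT/LM-Password. Cannot perform authentication'."""
    return hashlib.sha1(peer_challenge + auth_challenge + user_name.encode()).digest()[:8]


def parse_mschap_error(attr: str) -> dict:
    """Parse MS-CHAP-Error: one Ident byte, then 'E=<code> R=<retry> C=<hex> V=<ver> M=<text>'.
    Code 691 is ERROR_AUTHENTICATION_FAILURE in RFC 2759; R=1 tells the client it may retry."""
    ident, body = ord(attr[0]), attr[1:]
    head, _, message = body.partition(" M=")
    fields = dict(item.split("=", 1) for item in head.split())
    return {"ident": ident, "error": int(fields["E"]), "retry": fields["R"] == "1",
            "challenge": bytes.fromhex(fields["C"]), "version": int(fields["V"]),
            "message": message}
```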