Active Directory authenticated VPN

Michael Ströder michael at stroeder.com
Thu May 6 13:15:40 CEST 2021


On 5/6/21 11:57 AM, Pisch Tamás wrote:
> Michael Ströder via Freeradius-Users <freeradius-users at lists.freeradius.org>
>> Because as Alan already said FreeRADIUS does not know anything about
>> Kerberos.
>>
>> FYI: SASL and GSSAPI are two authentication abstraction layers.
>>
>> Mainly FreeRADIUS passes the SASL mech string as-is to libldap which
>> invokes libsasl with the correct parameters. For SASL mech GSSAPI
>> libsasl calls libgssapi_krb5 which calls libkrb5 which does the real work.
>>
> I feel myself lost in a jungle.

That's understandable. It also took me a while, years ago, to sort all
this out, and I'm still learning every day.

>> You can try to set KRB5_TRACE to let libkrb5 write debug logs.
>>
> Ok, I did it. When I use kinit, I can see messages in the log. When I start
> freeradius, nothing new appears in the log with
> tls {
> start_tls = no
> }
> sasl {
> mech = 'GSSAPI'
> realm = 'ad.ourdomain.hu'
> }

Maybe that's a dead-end. I currently don't have the time to locally test
something like this. And I'm rather reluctant to recommend Kerberos anyway.

> I tried with start_tls again, with
> require_cert = 'allow'
> But it didn't help. I still get "Strong(er) authentication required"

With former MS AD versions it was not possible to combine SASL/GSSAPI
with TLS (either StartTLS or LDAPS). Not sure about the current state.

In your former message you wrote that you've added LDAP settings to
ldap.conf. Don't do that.

I would highly recommend adding all LDAP settings in the FreeRADIUS config
(file raddb/mods-available/ldap) and nowhere else. Then you have one
place to look for config errors, and the relevant settings will
appear in the radiusd output.

Furthermore I'd even recommend starting radiusd with the env var
LDAPNOINIT=1 to prevent libldap from automagically reading ldap.conf.

Here's an example config to be used for my Æ-DIR:

https://gitlab.com/ae-dir/client-examples/-/blob/master/freeradius/ldap.simple-bind

It should not be too difficult to change the parameters for MS AD.

And then starting radiusd with option -X is your friend during testing.

Ciao, Michael.
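An added example, not from this thread and not from the Æ-DIR client-examples repository linked above: a raddb/mods-available/ldap stanza that keeps every LDAP setting inside FreeRADIUS, as recommended in the message, with the SASL/GSSAPI and tls parameters quoted in the thread. The domain controller hostname, base DN, user filter and keytab path are assumptions; the realm is the one quoted by Pisch Tamás.

```conf
# raddb/mods-available/ldap (added example; hostname, DNs and paths are assumed)
ldap {
	# Assumed domain controller. The realm in the sasl block is the one from the thread.
	server = 'dc1.ad.ourdomain.hu'
	port = 389

	# Assumed search base and per-user lookup for an AD forest.
	base_dn = 'dc=ad,dc=ourdomain,dc=hu'
	user {
		base_dn = "${..base_dn}"
		filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	# Admin bind via SASL/GSSAPI: no identity/password here, the Kerberos
	# credentials come from the keytab or ticket cache visible to libkrb5.
	sasl {
		mech = 'GSSAPI'
		realm = 'ad.ourdomain.hu'
	}

	# GSSAPI already protects the session, and older AD versions refuse
	# SASL/GSSAPI combined with TLS, so StartTLS stays off as in the thread.
	tls {
		start_tls = no
	}
}
```

With the stanza in place, run it for testing as `LDAPNOINIT=1 KRB5_TRACE=/dev/stderr radiusd -X`, so that libldap ignores any system ldap.conf, libkrb5 writes its trace next to the radiusd debug output, and the ldap module's settings show up in that output where they can be checked. If libkrb5 should take its client credentials from a keytab rather than a ticket cache, MIT Kerberos reads the path from KRB5_CLIENT_KTNAME (for example `KRB5_CLIENT_KTNAME=/etc/raddb/radius.keytab`, an assumed path).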
