Configuring FreeRadius with LDAP and Google MFA

Quentin Rapin quentinrapin at gmail.com
Tue Oct 5 09:25:38 CEST 2021


Hello,

I'm trying to set up a freeradius v.3.0.20 server using LDAP with MFA
(Google authenticator).

The LDAP part worked; however, since I added the MFA configuration, it
doesn't work anymore. It seems that the passwords are not even checked
against the LDAP database (Windows AD).
I followed this tutorial to get it working:
https://sysopstechnix.com/enable-2fa-on-freeradius-with-openldap-users/

Here is part of the logs:

Ready to process requests
(0) Received Access-Request Id 67 from 127.0.0.1:46701 to
127.0.0.1:1812 length 95
(0) User-Name = "my_user"
(0) User-Password = "Password831041"
(0) NAS-IP-Address = 127.0.0.1
(0) NAS-Port = 1812
(0) Message-Authenticator = 0x63145e2376266d9643ce6ad73cf9e8f3
(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) policy filter_uuid {
(0) if (&User-Name =~ /^(.*)@example\.com$/) {
(0) if (&User-Name =~ /^(.*)@example\.com$/) -> FALSE
(0) } # policy filter_uuid = notfound
(0) policy filter_google_otp {
(0) if (&User-Password =~ /^(.*)([0-9]{6})$/) {
(0) if (&User-Password =~ /^(.*)([0-9]{6})$/) -> TRUE
(0) if (&User-Password =~ /^(.*)([0-9]{6})$/) {
(0) update request {
(0) EXPAND %{2}
(0) --> 831041
(0) &Google-Password := 831041
(0) EXPAND %{1}
(0) --> Password
(0) &User-Password := Password
(0) } # update request = noop
(0) } # if (&User-Password =~ /^(.*)([0-9]{6})$/) = noop
(0) } # policy filter_google_otp = noop
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "my_user", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: Searching for user in group "LAN_Network_Admins"
rlm_ldap (ldap): Reserved connection (0)
(0) files: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
(0) files: --> (samaccountname=my_user)
(0) files: Performing search in "DC=office,DC=my,DC=lan" with filter
"(samaccountname=my_user)", scope "sub"
(0) files: Waiting for search result...
rlm_ldap (ldap): Rebinding to URL
ldaps://DomainDnsZones.office.my.lan/DC=DomainDnsZones,DC=office,DC=my,DC=lan
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0) files: User object found at DN "CN=test
ldap,OU=Network,OU=Level3,OU=Admins,OU=NEOXAN,OU=Management,OU=Accounts,DC=office,DC=my,DC=lan"
(0) files: Checking for user in group objects
(0) files: EXPAND
(&(CN=LAN_Network_Admins,OU=Organization,OU=Groups,DC=office,DC=my,DC=lan=LAN_Network_Admins)(objectClass=GroupOfNames)(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))))
(0) files: --> (&(CN=LAN_Network_Admins,OU=Organization,OU=Groups,DC=office,DC=my,DC=lan=LAN_Network_Admins)(objectClass=GroupOfNames)(|(&(objectClass=GroupOfNames)(member=CN\3dtest
ldap\2cOU\3dNetwork\2cOU\3dLevel3\2cOU\3dAdmins\2cOU\3dNEOXAN\2cOU\3dManagement\2cOU\3dAccounts\2cDC\3doffice\2cDC\3dmy\2cDC\3dlan))(&(objectClass=GroupOfNames)(member=CN\3dtest
ldap\2cOU\3dNetwork\2cOU\3dLevel3\2cOU\3dAdmins\2cOU\3dNEOXAN\2cOU\3dManagement\2cOU\3dAccounts\2cDC\3doffice\2cDC\3dmy\2cDC\3dlan))))
(0) files: Waiting for bind result...
(0) files: Bind successful
(0) files: Performing search in "DC=office,DC=my,DC=lan" with filter
"(&(CN=LAN_Network_Admins,OU=Organization,OU=Groups,DC=office,DC=my,DC=lan=LAN_Network_Admins)(objectClass=GroupOfNames)(|(&(objectClass=GroupOfNames)(member=CN\3dtest
ldap\2cOU\3dNetwork\2cOU\3dLevel3\2cOU\3dAdmins\2cOU\3dNEOXAN\2cOU\3dManagement\2cOU\3dAccounts\2cDC\3doffice\2cDC\3dmy\2cDC\3dlan))(&(objectClass=GroupOfNames)(member=CN\3dtest
ldap\2cOU\3dNetwork\2cOU\3dLevel3\2cOU\3dAdmins\2cOU\3dNEOXAN\2cOU\3dManagement\2cOU\3dAccounts\2cDC\3doffice\2cDC\3dmy\2cDC\3dlan))))",
scope "sub"
(0) files: Waiting for search result...
rlm_ldap (ldap): Rebinding to URL
ldaps://DomainDnsZones.office.my.lan/DC=DomainDnsZones,DC=office,DC=my,DC=lan
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0) files: Search returned no results
(0) files: Checking user object's memberOf attributes
(0) files: Waiting for bind result...
(0) files: Bind successful
(0) files: Performing unfiltered search in "CN=test
ldap,OU=Network,OU=Level3,OU=Admins,OU=NEOXAN,OU=Management,OU=Accounts,DC=office,DC=my,DC=lan",
scope "base"
(0) files: Waiting for search result...
(0) files: Processing memberOf value "CN=SG_NEOXAN_Users,OU=Shadow
Groups,OU=Management,OU=Groups,DC=office,DC=my,DC=lan" as a DN
(0) files: Resolving group DN "CN=SG_NEOXAN_Users,OU=Shadow
Groups,OU=Management,OU=Groups,DC=office,DC=my,DC=lan" to group name
(0) files: Performing unfiltered search in
"CN=SG_NEOXAN_Users,OU=Shadow
Groups,OU=Management,OU=Groups,DC=office,DC=my,DC=lan", scope "base"
(0) files: Waiting for search result...
(0) files: ERROR: No
CN=LAN_Network_Admins,OU=Organization,OU=Groups,DC=office,DC=my,DC=lan
attributes found in object
rlm_ldap (ldap): Deleting connection (0) - Was referred to a different
LDAP server
Need 6 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 28 pending slots used
rlm_ldap (ldap): Connecting to ldaps://my-dc-01.office.my.lan:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0) files: User is not a member of "LAN_Network_Admins"
(0) files: users: Matched entry DEFAULT at line 5
(0) [files] = ok
rlm_ldap (ldap): Reserved connection (1)
(0) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap: --> (samaccountname=my_user)
(0) ldap: Performing search in "DC=office,DC=my,DC=lan" with filter
"(samaccountname=my_user)", scope "sub"
(0) ldap: Waiting for search result...
rlm_ldap (ldap): Rebinding to URL
ldaps://DomainDnsZones.office.my.lan/DC=DomainDnsZones,DC=office,DC=my,DC=lan
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0) ldap: User object found at DN "CN=test
ldap,OU=Network,OU=Level3,OU=Admins,OU=NEOXAN,OU=Management,OU=Accounts,DC=office,DC=my,DC=lan"
(0) ldap: Processing user attributes
(0) ldap: WARNING: No "known good" password added. Ensure the admin
user has permission to read the password attribute
(0) ldap: WARNING: PAP authentication will *NOT* work with Active
Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Deleting connection (1) - Was referred to a different
LDAP server
(0) [ldap] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: Auth-Type already set. Not setting to PAP
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = Reject
(0) Auth-Type = Reject, rejecting user
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> my_user
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.2 seconds.
Waking up in 0.7 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 67 from 127.0.0.1:1812 to 127.0.0.1:46701 length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 67 with timestamp +16
Ready to process requests

Can someone help me?

Thanks in advance, best regards,

Quentin
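The `filter_google_otp` policy in the log above splits `User-Password` with the regex `^(.*)([0-9]{6})$`: the greedy first group becomes the static password handed to LDAP, the trailing six digits become `Google-Password`. The following is an added, stand-alone Python example (not code from the post, the linked tutorial, or FreeRADIUS) that reproduces that split and then verifies the six-digit part as an RFC 6238 TOTP code, the scheme Google Authenticator implements. It shows a property of the split that is useful when reading such logs: any credential whose last six characters are digits is split, whether or not the user actually appended an OTP. The `ldap_bind` callable, the `RFC_TEST_SECRET` value (the RFC 6238 reference secret, base32-encoded as Google Authenticator would store it) and the `accounts` table are constructed for the example; the real deployment would perform the static-password check against the directory.

```python
import base64
import hashlib
import hmac
import re
import struct
import time

# Same split the post's rlm_policy "filter_google_otp" performs:
# greedy (.*) keeps the static password, the last six digits are the OTP.
OTP_SPLIT = re.compile(r"^(.*)([0-9]{6})$")

# Constructed for this example: the RFC 6238 reference secret
# "12345678901234567890", base32-encoded the way Google Authenticator stores it.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def split_password_otp(user_password):
    """Return (static_password, otp) or None when there is no 6-digit suffix.

    Note the limitation: a static password that itself ends in six digits is
    split too, so the directory then sees a truncated password."""
    m = OTP_SPLIT.match(user_password)
    if not m:
        return None
    return m.group(1), m.group(2)


def decode_secret(base32_secret):
    """Google Authenticator secrets are unpadded base32; restore padding."""
    s = base32_secret.strip().upper().replace(" ", "")
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(base32_secret, for_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the 30-second time counter."""
    return hotp(decode_secret(base32_secret), int(for_time) // step, digits)


def verify_totp(base32_secret, candidate, for_time, window=1, step=30):
    """Accept the code for the current step or +/- `window` steps to tolerate
    clock skew. compare_digest avoids leaking how many digits matched."""
    key = decode_secret(base32_secret)
    counter = int(for_time) // step
    return any(
        hmac.compare_digest(hotp(key, c), candidate)
        for c in range(counter - window, counter + window + 1)
    )


def authenticate(user_name, user_password, accounts, ldap_bind, for_time=None):
    """Two independent factors: the static part must bind against the
    directory (ldap_bind is a stand-in for rlm_ldap's bind), and the OTP part
    must verify against the user's enrolled TOTP secret."""
    for_time = time.time() if for_time is None else for_time
    parts = split_password_otp(user_password)
    if parts is None or user_name not in accounts:
        return False
    static_password, otp = parts
    if not ldap_bind(user_name, static_password):
        return False
    return verify_totp(accounts[user_name], otp, for_time)


if __name__ == "__main__":
    # Constructed demo data: one enrolled user and an in-memory "directory".
    accounts = {"my_user": RFC_TEST_SECRET}
    directory = {"my_user": "Password"}
    bind = lambda u, p: directory.get(u) == p

    t = 59  # RFC 6238 test time; its 6-digit code is 287082
    print(split_password_otp("Password831041"))          # ('Password', '831041')
    print(authenticate("my_user", "Password" + totp(RFC_TEST_SECRET, t),
                       accounts, bind, for_time=t))      # True
    print(authenticate("my_user", "Password831041",
                       accounts, bind, for_time=t))      # False: wrong OTP
```

The `split_password_otp` result for the value seen in the log, `Password831041`, is `('Password', '831041')`, which matches the `EXPAND %{1}` / `%{2}` lines; whether that split is the intended one depends on what the user actually typed, which is exactly why the static part needs its own check against the directory.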

