On Apr 20, 2022, at 12:11 PM, Xin Huang <xin.huang@forescout.com> wrote:
I am trying to troubleshoot an issue with the ldap module after upgrading from FreeRadius version 2.2.9 to FreeRadius version 3.0.19.
When using the GC LDAPs port (3269) the LDAP-Group search no longer works on FR3. It seems that the ldap module does not attempt to start tls on port 3269. In a packet capture I can see that there is no TLS certificate exchange, and FreeRadius sends cleartext username and password after TCP handshake, then the LDAP server immediately sends a RST. In contrast, on FR2, there is a tls negotiation starting and then when successful it is able to perform the LDAP-Group search.
See https://networkradius.com/packages/ Look for "ldap".
.. radiusd:7878:1650470518.552032:Wed Apr 20 11:01:58 2022: ldap_url_parse_ext(ldap://csurf-dot1x-dc1.csurflab.local:3269) radiusd:7878:1650470518.552046:Wed Apr 20 11:01:58 2022: TLSMC: MozNSS compatibility interception begins.
Yeah, that's garbage. It doesn't work. And PLEASE follow the documentation: http://wiki.freeradius.org We do NOT not need to see the server run with "-xxxxxxxxx". It DOES NOT HELP. We do NOT need to see the configuration files. It DOES NOT HELP. Following the documentation DOES help to debug and solve issues. Alan DeKok.