I found the solution, you answered it there: http://lists.freeradius.org/pipermail/freeradius-users/2016-September/084737... But my question remains from my previous letter: why freeradius cannot use ldap without it, when I try to use pap? Thanks, Tamás. Pisch Tamás <pischta@gmail.com> ezt írta (időpont: 2021. máj. 12., Sze, 11:19):
Alan DeKok <aland@deployingradius.com> ezt írta (időpont: 2021. máj. 11., K, 14:15):
On May 11, 2021, at 8:05 AM, Pisch Tamás <pischta@gmail.com> wrote:
Sorry, it's me again. As I mentioned, I set up SoftEther with RADIUS authentication. It works strangely. I can connect from Windows10 with
the
built-in client... *once*, and when I disconnect and try to connect again, I get "The PPP link control protocol was terminated" error. the recommended solution didn't work:
https://docs.microsoft.com/en-us/troubleshoot/windows-client/networking/cann...
If only there was some kind of debug output you could look at, to see what the server is doing.
It seems the problem isn't on the Freeradius side, because it sends Access Accept response... I will try to find a solution for that.
Ok, I then tried the SoftEther client. It works if I write DEFAULT Auth-Type := LDAP
Which forces ALL requests to use LDAP. This isn't what you want.
in the users file. But when I try to connect with the built-in Windows client with this setting, on the server side I see a big warning: ldap: WARNING: You have set "Auth-Type := LDAP" somewhere (0) ldap: WARNING: ********************************************* (0) ldap: WARNING: * THAT CONFIGURATION IS WRONG. DELETE IT. (0) ldap: WARNING: * YOU ARE PREVENTING THE SERVER FROM WORKING (0) ldap: WARNING: ********************************************* (0) ldap: ERROR: Attribute "User-Password" is required for authentication
See? It doesn't work.
Ok, I force the ldap auth, but without it, the authentication doesn't work. The WHAT authentication doesn't work? VPN authentication?
When I connect with the Win10 built-in VPN client, it uses MSCHAP-v2. The Softether client uses PAP. Both client initiate VPN connection.
The solution to that is simple. Write a policy rule which detects VPN access, and then sets "Auth-Type := LDAP" for that.
What is that policy supposed to be? We don't know. We don't have access to your VPN server, and you're not posting the debug output.
I examined the outputs. When I force the auth type in the users (=authorize) file, Freeradius uses files:
(0) suffix: Authentication realm is LOCAL (0) [suffix] = ok (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop rlm_ldap (ldap): Reserved connection (0) (0) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}}) (0) ldap: --> (samaccountname=vpn) (0) ldap: Performing search in "cn=Users,dc=ad,dc=ourdomain,dc=hu" with filter "(samaccountname=vpn)", scope "sub" (0) ldap: Waiting for search result... (0) ldap: User object found at DN "CN=vpn,CN=Users,DC=ad,DC=ourdomain ,DC=hu" (0) ldap: Processing user attributes (0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Released connection (0) Need 5 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldap://localhost:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (0) [ldap] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user
When I enable ldap in the authorize section of the default site, and don't use default auth-type in users, the debug output is different:
(0) suffix: Authentication realm is LOCAL (0) [suffix] = ok (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop rlm_ldap (ldap): Reserved connection (0) (0) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}}) (0) ldap: --> (samaccountname=vpn) (0) ldap: Performing search in "cn=Users,dc=ad,dc=ourdomain,dc=hu" with filter "(samaccountname=vpn)", scope "sub" (0) ldap: Waiting for search result... (0) ldap: User object found at DN "CN=vpn,CN=Users,DC=ad,DC=ourdomain,DC=hu" (0) ldap: Processing user attributes (0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Released connection (0) Need 5 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldap://localhost:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (0) [ldap] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user
It doesn't use files. What is the difference between the two? When I use ldap in the default site for authorization, it doesn't work, but when I force the ldap in the users (authorize), it works.
Thanks,
Tamás.