Ok, thanks a lot Alan, let's do it right then, sorry for missing the docs, I thought I read it all though. A is radiusA.domain, IP 172.29.179.49 B is radiusB.domain, IP 172.29.49.89 C is IP 172.29.188.249 1) When I try to connect from A to B : echo "User-Name=***,User-Password=***" | radclient radiusB.domain:1812 auth *** Sent Access-Request Id 133 from 0.0.0.0:50763 to 172.29.49.89:1812 length 67 Received Access-Accept Id 133 from 172.29.49.89:1812 to 172.29.179.49:50763 length 20 2) When I try to connect from C to A : echo "User-Name=***,User-Password=***" | radclient radiusA.domain:1812 auth *** Sent Access-Request Id 253 from 0.0.0.0:44465 to 172.29.179.49:1812 length 67 Received Access-Reject Id 253 from 172.29.179.49:1812 to 172.29.188.249:44465 length 20 (0) -: Expected Access-Accept got Access-Reject 3) On A in debug mode : (0) Received Access-Request Id 49 from 172.29.188.249:59565 to 172.29.179.49:1812 length 67 (0) User-Name = "***" (0) User-Password = "***" (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "***", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: -->*** (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 49 from 172.29.179.49:1812 to 172.29.188.249:59565 length 20 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 49 with timestamp +3 Ready to process requests Le 19/10/2020 à 17:45, Alan DeKok a écrit :
On Oct 19, 2020, at 11:39 AM, Julien COCHENNEC <julien.cochennec@ac-orleans-tours.fr> wrote: I have a server A proxying requests to server B (having LDAP enabled), and a client C requesting A.
When I try to connect from A to B with radclient it works. Logs say :
Login OK: [blabla2] (from client rad1-eee port 0) That's good.
When I try to connect from C to A :
Login incorrect (ldap: Bind credentials incorrect: Invalid credentials): [blabla2/?Q?#%?????)[~???dW???ŝ7?g-m?[˵] (from client rad1-eee port 0) And that's the same problem people have seen for 20 years.
The shared secret is wrong.
I don't get why the credentials differ while proxying, which conf file should I check to understand this? Is this part coming from an ldap conf problem or from radiusd.conf problem? The password is coming from the client.
Here's the site-available/default file content : Why? *all* of the documentation says to post the output of "radiusd -X". And all of the documentation says "don't post configuration files".
If you run the server in debugging mode as ALL of the documentation says, it will TELL YOU what's wrong.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Julien Cochennec Pôle de compétences - gestion des identités Mél julien.cochennec@ac-orleans-tours.fr Tél 02 38 83 48 88 DSI - Rectorat d'Orléans-Tours 10 Rue Molière 45000 Orléans www.ac-orleans-tours.fr