Alan DeKok schrieb:
On Sep 21, 2023, at 10:59 AM, Uwe Faber <uf@zkm.de> wrote:
here the debug output ... (5) eap_ttls: User-Name = "testuser@karlshochschule.de" (5) eap_ttls: User-Password = "password" So EAP-TTLS with PAP. That's good.
(5) ldap_khs: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (5) ldap_khs: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) yeah...
Read https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/mods-avail...
There's documentation for this.
ldap_msgfree rlm_ldap (ldap_khs): Released connection (5) Need 4 more connections to reach min connections (5) rlm_ldap (ldap_khs): Opening additional connection (6), 1 of 9 pending slots used rlm_ldap (ldap_khs): Connecting to ldaps://ldap.karlshochschule.de:636 ldap_create ldap_url_parse_ext(ldaps://ldap.karlshochschule.de:636) TLS: warning: cacertdir not implemented for gnutls And using gnutls (in libldap) with OpenSSL (for EAP-TTLS) is likely to cause issues.
We've put more checks and warnings into v3 which complain about this issue. But they exist only in the debug output, which usually means that they're hard to find.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Hi alan, i changed the code in the inner tunnel as described in the Link you gave the result is :
/etc/freeradius/3.0/sites-enabled/inner-khs[12]: Unknown or invalid value "ldap" for attribute Auth-Type /etc/freeradius/3.0/sites-enabled/inner-khs[11]: Failed to parse "update" subsection. /etc/freeradius/3.0/sites-enabled/inner-khs[2]: Errors parsing authorize section. here the code: server inner-tunnel { authorize { filter_username suffix update control { &Proxy-To-Realm := LOCAL } ldap_khs #text if ((ok || updated) && User-Password && !control:Auth-Type) { update { control:Auth-Type := ldap } } #ende text inner_eap { ok = return } pap } authenticate { Auth-Type PAP { pap } Auth-Type MS-CHAP { mschap } Auth-Type inner_eap { inner_eap } } post-auth { inner_tunnel_linelog Post-Auth-Type REJECT { inner_tunnel_linelog attr_filter.access_reject update outer.session-state { &Module-Failure-Message := &request:Module-Failure-Message } } } }