On 07/11/2024 22:47, Joseph Allen wrote:
Next I moved that file to the enabled mods folder as well as moving the google-ldap-auth file to the sites-enable folder. (I say move, I did a symbolic link). After lots of troubleshooting, I removed the default from the sites-enabled just to try and simplify everything.
Here's your problem.
First I ran into issues with the filter_inner_identity, I don't quite understand why that is failing, but I saw somewhere else that is not needed, so I commented it out. Now I keep seeing this:
That's fine, not everyone needs it.
(0) Received Access-Request Id 26 from 192.168.52.1:59099 to 192.168.52.155:1812 length 249 ... (0) EAP-Message = 0x027b0012017465737440746573742e636f6d
EAP
(0) Message-Authenticator = 0xf88e64c655b98a2aa22e62a2844fe21d (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/google-ldap-auth (0) authorize { ...
there was no "eap" in there.
(0) if (&User-Password && !control:Auth-Type) { (0) if (&User-Password && !control:Auth-Type) -> FALSE (0) } # authorize = updated (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user
So the big question, is why is there no password? I am testing with my iPad, and I am typing in a password when connecting to the Wifi. The wifi config is set to WPA Enterprise.
You removed the default server, and therefore the call to the eap module. The comments at the top of the google-ldap configuration say it is the inner tunnel virtual server. Sending wifi auth to it directly won't work, as it's for an EAP inner method (specifically, EAP-TTLS/PAP only, as that's the only commonly used one that has a clear text password to use). You need to add the default virtual server back in again, then configure the relevant (TTLS) "virtual_server" in mods-enabled/eap to point to "google-ldap" instead of "inner-tunnel" (the default). Best still, go back to the default configuration, add your user to the "users" file, and get the basics working. Once you have done that you can remove or change one thing at a time and then you'll whether what you have done has broken anything or not. Using version control is useful for this. -- Matthew