Following this link I found that my inner tunnel file is missing the authorize section for ldap https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/sites-avai... I added this in the end of authorize in inner tunnel: if (!&control.Auth-Type && &User-Password) { update control { &Auth-Type := LDAP } } Then I got this: FreeRADIUS Version 3.2.1 Copyright (C) 1999-2022 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/freeradius/3.0/dictionary including configuration file /etc/freeradius/3.0/radiusd.conf including configuration file /etc/freeradius/3.0/proxy.conf including configuration file /etc/freeradius/3.0/clients.conf including files in directory /etc/freeradius/3.0/mods-enabled/ including configuration file /etc/freeradius/3.0/mods-enabled/unpack including configuration file /etc/freeradius/3.0/mods-enabled/utf8 including configuration file /etc/freeradius/3.0/mods-enabled/preprocess including configuration file /etc/freeradius/3.0/mods-enabled/logintime including configuration file /etc/freeradius/3.0/mods-enabled/expiration including configuration file /etc/freeradius/3.0/mods-enabled/expr including configuration file /etc/freeradius/3.0/mods-enabled/realm including configuration file /etc/freeradius/3.0/mods-enabled/replicate including configuration file /etc/freeradius/3.0/mods-enabled/unix including configuration file /etc/freeradius/3.0/mods-enabled/echo including configuration file /etc/freeradius/3.0/mods-enabled/eap including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp including configuration file /etc/freeradius/3.0/mods-enabled/pap including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth including configuration file /etc/freeradius/3.0/mods-enabled/exec including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter including configuration file /etc/freeradius/3.0/mods-enabled/ldap including configuration file /etc/freeradius/3.0/mods-enabled/always including configuration file /etc/freeradius/3.0/mods-enabled/radutmp including configuration file /etc/freeradius/3.0/mods-enabled/passwd including configuration file /etc/freeradius/3.0/mods-enabled/chap including configuration file /etc/freeradius/3.0/mods-enabled/digest including configuration file /etc/freeradius/3.0/mods-enabled/files including configuration file /etc/freeradius/3.0/mods-enabled/detail.log including configuration file /etc/freeradius/3.0/mods-enabled/detail including configuration file /etc/freeradius/3.0/mods-enabled/soh including configuration file /etc/freeradius/3.0/mods-enabled/linelog including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients including configuration file /etc/freeradius/3.0/mods-enabled/mschap including files in directory /etc/freeradius/3.0/policy.d/ including configuration file /etc/freeradius/3.0/policy.d/filter including configuration file /etc/freeradius/3.0/policy.d/control including configuration file /etc/freeradius/3.0/policy.d/accounting including configuration file /etc/freeradius/3.0/policy.d/eap including configuration file /etc/freeradius/3.0/policy.d/abfab-tr including configuration file /etc/freeradius/3.0/policy.d/dhcp including configuration file /etc/freeradius/3.0/policy.d/rfc7542 including configuration file /etc/freeradius/3.0/policy.d/cui including configuration file /etc/freeradius/3.0/policy.d/canonicalization including configuration file /etc/freeradius/3.0/policy.d/operator-name including configuration file /etc/freeradius/3.0/policy.d/debug including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids including files in directory /etc/freeradius/3.0/sites-enabled/ including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel /etc/freeradius/3.0/sites-enabled/inner-tunnel[176]: Parse error in condition /etc/freeradius/3.0/sites-enabled/inner-tunnel[176]: (!&control.Auth-Type && &User-Password) { /etc/freeradius/3.0/sites-enabled/inner-tunnel[176]: ^ Invalid request qualifier Errors reading or parsing /etc/freeradius/3.0/radiusd.conf Citando Alan DeKok <aland@deployingradius.com>:
On Aug 17, 2023, at 11:22 AM, Rodrigo Abrantes Antunes <rodrigoantunes@pelotas.ifsul.edu.br> wrote:
You have to know that there are some people that aren't an expert like you, you probably have years of expertise in freeradius, I started to learn it this month.
You don't have to be an expert to read the documentation. You don't have to be an expert to clearly describe what you did.
I've thought the full debug output wouldn't be needed in this case, thats why I didn't post in the first message. You could have asked for it in your first message and I would happily provide and all of this would be avoided.
Or, you could have read the documentation as you were told to do when you joined the list.
When you join the list, you get an email saying POST THE FULL DEBUG OUTPUT OR PEOPLE WILL BE MAD AT YOU.
All of the "getting started" guides, including the "man" page say to look at the debug output and when asking questions on the list, post the full debug output.
Go read it: http://wiki.freeradius.org/list-help
The documentation I am reading says nothing about post all the debug output in the list: https://wiki.freeradius.org/guide/freeradius-active-directory-integration-ho...
Yes, because we don't update every single page to explain how to run the debug output. Instead, the documentation says for ANY problem, RUN IT IN DEBUG MODE AND READ THE OUTPUT.
Your guess was wrong because you totally ignored what I said earlier, I said that I was not doing MSCHAP.
Given you were confused and vague about much else of what you did, I didn't take that part seriously.
I configured the LDAP "bind as user" functionality exactly like in the guide I sent you earlier, there is said nothing about inner tunnel.
Which is why we suggest reading the debug output, and thinking about it.
If you see the password in the inner-tunnel, should you configure "bind as user" in the inner-tunnel?
Again, it's OK to not be an expert. It's not OK to give vague descriptions "I did stuff and it didn't work". It's not OK to ignore the documentation you get sent when you join the list.
Alan DeKok.
-List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html