On May 17, 2023, at 7:03 AM, Matthew Macdonald-Wallace <matt@doics.co> wrote:
I'm new to Freeradius but want to get it working for our local hack/makerspace to ensure we can provide decent QoS on the WiFi for our members.
My LDAP server is https://github.com/lldap/lldap and that *does not* expose a "plain text password" field.
Then you need to set "Auth-Type = LDAP". See the comments in sites-available/default.
I am running Freeradius via docker and I've uploaded my config at https://gist.github.com/proffalken/a6213dc7266a6a9800432b3c0e1b264d (passwords and domains have been changed to protect the innocent!)
http://wiki.freeradius.org/list-help All of the documentation says we need the debug output. The configuration is not helpful.
As you can see from the log below, the LDAP lookup works, however the authentication request is rejected because the "Auth-Type" is not found.
Yes. If LDAP gives FreeRADIUS a "known good" password (clear-text, salted/hashed, etc.) then FreeRADIUS can figure out how to authenticate the user. If LDAP does not give FreeRADUS a password, then FreeRADIUS has no idea how to authenticate the user. You MUST tell it how to authenticate the user.
I'm sure this is an obvious fix, but I've not been able to find an answer in my searching!
See sites-available/default. Look for "ldap". This is documented.
I'm using the following command to test:
radtest mmw pass1234 10.x.x.5 0 testing123
and this is the log:
Please post *just* the output from FreeRADIUS, without extra things added.
-=-=-=-=-=-=-=-=-=-= freeradius_1 | rlm_ldap (ldap): Reserved connection (0) freeradius_1 | (0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User- Name}}) freeradius_1 | (0) ldap: --> (uid=mmw)
All of those prefixes are noise, and are unhelpful. So read sites-available/ldap. Look for "ldap". There is documentation on how (and why) to set Auth-Type LDAP. This causes FreeRADIUS to bind to LDAP using the supplied username and password. The LDAP server can then return pass / fail to FreeRADIUS. Alan DeKok.