Hi, sorry but i don’t understand where i shoud write correct values. in the «sites-enabled\default»? Or in ldap? Sorry
Среда, 12 февраля 2020, 14:00 +03:00 от Сергей Черевко via Freeradius-Users <freeradius-users@lists.freeradius.org>:
Hi! I have Unifi wifi — freeradius — ldap In LDAP i have SSHA password for users. This config on github help me to setup normal auth with SSHA passwords (instead plaintext) https://github.com/hacor/unifi-freeradius-ldap i use ttls + pap All ok, but i have some troubles with timeout (or something else) After a few hours wifi on clients (ios,android,pc) stops working. And users must manually reconnect to the wifi network When we use plaintext password and auth PEAP — all it’s ok. Clients do not stops working Logs Info: rlm_ldap (ldap): Closing connection (11428): Hit idle_timeout, was idle for 61 seconds Info: rlm_ldap (ldap): Closing connection (11433): Hit idle_timeout, was idle for 61 seconds Info: Need 6 more connections to reach 10 spares Info: rlm_ldap (ldap): Opening additional connection (11440), 1 of 28 pending slots used Info: Need 5 more connections to reach 10 spares Info: rlm_ldap (ldap): Opening additional connection (11441), 1 of 27 pending slots used Info: Need 4 more connections to reach 10 spares Info: rlm_ldap (ldap): Opening additional connection (11442), 1 of 26 pending slots used Info: Need 3 more connections to reach 10 spares Info: rlm_ldap (ldap): Opening additional connection (11443), 1 of 25 pending slots used Info: rlm_ldap (ldap): Closing connection (11440): Hit idle_timeout, was idle for 116 seconds Info: rlm_ldap (ldap): Closing connection (11438): Hit idle_timeout, was idle for 116 seconds Info: rlm_ldap (ldap): Closing connection (11426): Hit idle_timeout, was idle for 116 seconds Info: rlm_ldap (ldap): Closing connection (11439): Hit idle_timeout, was idle for 116 seconds Info: rlm_ldap (ldap): Closing connection (11445): Hit idle_timeout, was idle for 105 seconds Info: rlm_ldap (ldap): Closing connection (11442): Hit idle_timeout, was idle for 105 seconds Info: rlm_ldap (ldap): Closing connection (11429): Hit idle_timeout, was idle for 105 seconds Info: rlm_ldap (ldap): Closing connection (11443): Hit idle_timeout, was idle for 105 seconds An here is my config freeradius EAP eap { default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = ${max_requests} md5 { } leap { } gtc { auth_type = PAP } tls-config tls-common { private_key_password = XXX private_key_file = ${certdir}/server.pem certificate_file = ${certdir}/server.pem ca_file = ${cadir}/ca.pem dh_file = ${certdir}/dh ca_path = ${cadir} cipher_list = "DEFAULT" cipher_server_preference = no ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 # hours } verify { } ocsp { enable = no override_cert_url = yes url = " http://127.0.0.1/ocsp/ " } }
tls { tls = tls-common } ttls { tls = tls-common default_eap_type = gtc copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } peap { tls = tls-common default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } mschapv2 { } } DEFAULT server default { listen { type = auth ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { ipaddr = * port = 0 type = acct limit { } } authorize { filter_username preprocess digest suffix eap { ok = return #updated = return } files -sql ldap expiration logintime pap if (User-Password) { update control { Auth-Type := ldap } } } authenticate { Auth-Type PAP { #pap ldap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } mschap digest #Auth-Type LDAP { ldap #} eap } preacct { preprocess acct_unique suffix files } accounting { detail unix -sql exec attr_filter.accounting_response } session { } post-auth { if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { update reply { &User-Name !* ANY } } update { &reply: += &session-state: } if (LDAP-Group == "vpn") { vpn_l2tp_pool } elsif (LDAP-Group == "vpn-ext") { vpn_l2tp_ext_pool } elsif (LDAP-Group == "vpn-1c") { ok } else { reject } -sql exec remove_reply_message_if_eap Post-Auth-Type REJECT { -sql attr_filter.access_reject eap remove_reply_message_if_eap } Post-Auth-Type Challenge { } } pre-proxy { } post-proxy { eap } } INNER TUNNEL server inner-tunnel { listen { ipaddr = * port = 18120 type = auth } authorize { filter_username suffix update control { &Proxy-To-Realm := LOCAL } eap { ok = return } -sql ldap expiration logintime pap if (User-Password) { update control { Auth-Type := ldap } } } authenticate { Auth-Type PAP { #pap ldap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } mschap # Auth-Type LDAP { ldap # } eap } session { radutmp } post-auth { -sql if (LDAP-Group == "wifi") { noop } else { reject } if (0) { update reply { User-Name !* ANY Message-Authenticator !* ANY EAP-Message !* ANY Proxy-State !* ANY MS-MPPE-Encryption-Types !* ANY MS-MPPE-Encryption-Policy !* ANY MS-MPPE-Send-Key !* ANY MS-MPPE-Recv-Key !* ANY } update { &outer.session-state: += &reply: } } Post-Auth-Type REJECT { -sql attr_filter.access_reject update outer.session-state { &Module-Failure-Message := &request:Module-Failure-Message } } } pre-proxy { } post-proxy { eap } } LDAP ldap { server = 'localhost' identity = 'cn=admin,dc=fusioncore,dc=local' password = fusioncore base_dn = 'ou=people,dc=fusioncore,dc=local' sasl { } update { control:Password-With-Header += 'userPassword' control: += 'radiusControlAttribute' request: += 'radiusRequestAttribute' reply: += 'radiusReplyAttribute' } user { base_dn = "${..base_dn}" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" sasl { } } group { base_dn = "ou=groups,dc=fusioncore,dc=local" filter = '(objectClass=GroupOfNames)' name_attribute = cn membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))" membership_attribute = 'memberUid' } profile { } client { base_dn = "${..base_dn}" filter = '(objectClass=radiusClient)' template { } attribute { ipaddr = 'radiusClientIdentifier' secret = 'radiusClientSecret' } } accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" type { start { update { description := "Online at %S" } } interim-update { update { description := "Last seen at %S" } } stop { update { description := "Offline at %S" } } } } post-auth { update { description := "Authenticated at %S" } } options { chase_referrals = yes rebind = yes res_timeout = 10 srv_timelimit = 3 net_timeout = 1 idle = 60 probes = 3 interval = 3 ldap_debug = 0x0028 } tls { start_tls = no } ldap_connections_number = 5 pool { start = ${thread[pool].start_servers} min = ${thread[pool].min_spare_servers} max = ${thread[pool].max_servers} spare = ${thread[pool].max_spare_servers} uses = 0 retry_delay = 30 lifetime = 0 idle_timeout = 60 } } ---------------------------------------------------------------------- ---------------------------------------------------------------------- ---------------------------------------------------------------------- ---------------------------------------------------------------------- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html