You have to know that there are some people that aren't an expert like you, you probably have years of expertise in freeradius, I started to learn it this month. I've thought the full debug output wouldn't be needed in this case, thats why I didn't post in the first message. You could have asked for it in your first message and I would happily provide and all of this would be avoided. The documentation I am reading says nothing about post all the debug output in the list: https://wiki.freeradius.org/guide/freeradius-active-directory-integration-ho... Your guess was wrong because you totally ignored what I said earlier, I said that I was not doing MSCHAP. I configured the LDAP "bind as user" functionality exactly like in the guide I sent you earlier, there is said nothing about inner tunnel. In the default tunnel I uncomented this in authorize: # If you're using Active Directory and PAP, then uncomment # the following lines, and the "Auth-Type LDAP" section below. # # This will let you do PAP authentication to AD. # if ((ok || updated) && User-Password && !control:Auth-Type) { update control { &Auth-Type := ldap } } And this in authenticate: # Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. # # We do NOT recommend using this. LDAP servers are databases. # They are NOT authentication servers. FreeRADIUS is an # authentication server, and knows what to do with authentication. # LDAP servers do not. # # However, it is necessary for Active Directory, because # Active Directory won't give the passwords to FreeRADIUS. # Auth-Type LDAP { ldap } In the inner tunnel there isn't this text: "However, it is necessary for Active Directory, because Active Directory won't give the passwords to FreeRADIUS." That's why I have missed it, sorry. And sorry if I have not yet mastered all of the concepts of freeradius. Citando Alan DeKok <aland@deployingradius.com>:
On Aug 17, 2023, at 10:17 AM, Rodrigo Abrantes Antunes <rodrigoantunes@pelotas.ifsul.edu.br> wrote:
Can you point me where in the debug output it shows that i'ts doing PEAP+MSCHAP?
The point is not to just post to the list and complain. The point is to *understand* what the server is doing.
You should also not be surprised that my guess is wrong, because you've been careful to provide as little information as possible until about 4 messages into the conversation. I don't understand why there's such a need to ignore the documentation, and to post vague questions.
I also said that TTLS + PAP will work. The only condition is that it needs to be configured properly. With LDAP "bind as user" set in the inner tunnel.
The debug log shows the important bit:
... (5) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (5) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Released connection (1) (5) [ldap] = ok (5) [expiration] = noop (5) [logintime] = noop (5) [pap] = noop (5) } # authorize = ok (5) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
If you had posted the full debug log at the start, all of this back and forth could have been avoided. You would have had a simple and clear answer within about ten minutes. Instead, you're getting frustrated that you don't have a solution, and I'm frustrated that you're working hard to avoid getting a solution.
And even here you've edited the debug output to remove a good chunk of it. The beginning pieces are often useful when fixing problems like this. That's why we keep saying in ALL of the documentation to post ALL of the debug output. Just... read the documentation and do what it says. It's not hard, and it makes everything easier.
The problem here is that you didn't configure the LDAP "bind as user" functionality. Which I said was needed for AD.
Go back and read raddb/sites-enabled/inner-tunnel.
Look for:
# Uncomment this section if you want to use ldap for # authentication. The "Auth-Type ldap { ...}" configuration # section below also has to be uncommented.
And then follow the instructions.
If the "inner-tunnel" doesn't contain that text, then either it was deleted, or you're running an old version of the server which hasn't had the documentation updated. But I don't know what version you're actually running, because the debug output has been edited, and doesn't show that.
You can read the updated documentation on GitHub: https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/sites-avai...
Follow those instructions, add the "Auth-Type := LDAP" as documented, and it will work.
This is why we write documentation. This is why we ask people to follow documentation. These issues with AD have been known for 15+ years. The main reason people still have difficulty with this is because the documentation is being ignored.
Alan DeKok.
-List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html