On Feb 18, 2016, at 3:03 PM, Michael Martinez <mwtzzz@gmail.com> wrote:
Ok, bit by bit I'm learning how freeradius works and making progress. The suggestion to look at the man page for unlang was very helpful, there's a lot of good information in there. Also the suggestion to test the inner tunnel with "radtest" has been useful.
That's good.
I've gotten a working configuration where my local ldap users are authenticated with PAM
Please no. Please use the LDAP module. PAM has all kinds of problems.
and jumpcloud users are authenticated with the little script I mentioned earlier. All this through the inner tunnel in EAP/TTLS-PAP. The way I have set this up is in inner-tunnel I have:
if ("%{User-Name}" =~ /jumpcloud/i) { update control { Auth-Type := `/bin/bash /opt/RadiusCheck/CheckUser.sh '%{User-Name}' '%{User-Password}'` } update reply { Reply-Message = "Hello jumpcloud ldap user" } }
You should really do instead: suffix if (Realm == "jumpcloud") { update control { Auth-Type := `/opt/RadiusCheck/CheckUser.sh '%{Stripped-User-Name}' '%{User-Password}' } } else { ldap # local users } There's no need to run /bin/bash, if the CheckUser.sh script is executable. And you should key off of realms, like I suggested. And use the Stripped-User-Name, which is the user name without the realm.
If it doesn't match then it defaults to PAM because I have DEFAULT Auth-Type = PAM in the users file.
And don't do that. Just use LDAP in "authorize", and let the server figure it out.
One question: I know Alan and the docs always say not to set the auth type manually. I would like to know how to configure it so it will automatically recognize and configure the user with PAM.
You don't. FreeRADIUS is an *authentication server*. You should have *FreeRADIUS* do authentication. Not anything else.
I also at Alan's suggestion added the following lines at the end of proxy.conf: realm "jumpcloud" { auth_pool = my_auth_failover }
I didn't say that. I suggested: realm jumpcloud { } which make it a local realm. You don't need to proxy the jumpcloud users.
Ok, moving on. I would like to use ldap instead of PAM. So what I did in the inner-tunnel file was uncomment "ldap" in the authorize section, and uncomment Auth-Type LDAP { ldap } in the authenticate section. Then I modified modules/ldap as follows:
server = "<ip address>" identity = "cn=Manager,dc=xxxx" password = xxxxxxx basedn = "ou=People,dc=xxxx" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" #base_filter = "(objectclass=radiusprofile)"
then I uncommented the "DEFAULT Auth-Type = PAM" line in users, so that I'm not explicitly setting the auth-type anywhere.
That's good.
Then I run " radtest test2 testing 127.0.0.1:18120 0 xxxxx" and here's what the log shows. It binds to ldap, looks up the user and grabs the password. But bombs out with an error that the Auth-Type isn't set. What am I doing wrong?
Thu Feb 18 11:43:42 2016 : Info: [ldap] expand: %{Stripped-User-Name} -> Thu Feb 18 11:43:42 2016 : Info: [ldap] ... expanding second conditional Thu Feb 18 11:43:42 2016 : Info: [ldap] expand: %{User-Name} -> test2 Thu Feb 18 11:43:42 2016 : Info: [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test2) Thu Feb 18 11:43:42 2016 : Info: [ldap] expand: ou=People,dc=xxxx -> ou=People,dc=xxxx Thu Feb 18 11:43:42 2016 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Thu Feb 18 11:43:42 2016 : Debug: [ldap] ldap_get_conn: Got Id: 0 Thu Feb 18 11:43:42 2016 : Debug: [ldap] attempting LDAP reconnection Thu Feb 18 11:43:42 2016 : Debug: [ldap] (re)connect to <ip>:389, authentication 0 Thu Feb 18 11:43:42 2016 : Debug: [ldap] bind as cn=Manager,dc=xxxx/xxxxxx to <ip.>:389 Thu Feb 18 11:43:42 2016 : Debug: [ldap] waiting for bind result ... Thu Feb 18 11:43:42 2016 : Debug: [ldap] Bind was successful Thu Feb 18 11:43:42 2016 : Debug: [ldap] performing search in ou=People,dc=xxxx, with filter (uid=test2) Thu Feb 18 11:43:42 2016 : Debug: [ldap] userPassword -> Password-With-Header == "{crypt}v0EA8plSCTsuk" Thu Feb 18 11:43:42 2016 : Debug: [ldap] ldap_release_conn: Release Id: 0 Thu Feb 18 11:43:42 2016 : Info: ++[ldap] returns ok Thu Feb 18 11:43:42 2016 : Info: ++[expiration] returns noop Thu Feb 18 11:43:42 2016 : Info: ++[logintime] returns noop Thu Feb 18 11:43:42 2016 : Info: ++[pap] returns noop Thu Feb 18 11:43:42 2016 : Info: ERROR: No authenticate method
Which version are you running? If it's 2.1.12, stop wasting your time, and upgrade to 3.0. Or even 2.2.9. The PAP module *should* recognize crypt'd passwords and authenticate them.
Unfortunately jumpcloud doesn't permit an "@" symbol in their usernames. I've submitted a feature request to them to allow this. I've gotten around this meanwhile by creating a username as "user.jumpcloud"
So tell your users "user@jumpcloud", configure a "jumpcloud" realm as I suggested, use Stripped-user-Name, and the server will figure it out. Alan DeKok.