Alan DeKok schrieb:
On Sep 21, 2023, at 7:13 AM, Uwe Faber <uf@zkm.de> wrote:
Hi folks, i hopw you can help after reading thousends articles and making hundred of trials with the freeradius with no succes. Here ist the situation, we have an Azure AD and for this an ldap server front-end. So i could connect to the AD over the ldap.
for testing reason i implementet an Local openldap server and testet ist with the eapol test and it works without problems, but if i change the ldap connection to the azure/ldap i got the following error: So... "I did a bunch of stuff and it didn't work. How do I fix it?"
Answer: do different stuff.
5) ldap_khs: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (5) ldap_khs: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) I still don't understand why people work *very* hard to ignore all of the debug output and the documentation which says POST ALL OF THE DEBUG OUTPUT.
If you're doing PEAP/MS-CHAP to Azure AD, it won't work. Stop trying.
Use EAP-TTLS with PAP, and then use LDAP "bind as user" (Auth-Type LDAP) in order to hand the password to AD.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html here the debug output
(0) Received Access-Request Id 0 from 127.0.0.1:43649 to 127.0.0.1:1812 length 170 (0) User-Name = "anonymous@karlshochschule.de" (0) NAS-IP-Address = 127.0.0.1 (0) Calling-Station-Id = "02-00-00-00-00-01" (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) Connect-Info = "CONNECT 11Mbps 802.11b" (0) EAP-Message = 0x02f3002101616e6f6e796d6f7573406b61726c73686f6368736368756c652e6465 (0) Message-Authenticator = 0x9d186575265e9dca32181993f9c38b65 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default-khs (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "karlshochschule.de" for User-Name = "anonymous@karlshochschule.de" (0) suffix: Found realm "karlshochschule.de" (0) suffix: Adding Stripped-User-Name = "anonymous" (0) suffix: Adding Realm = "karlshochschule.de" (0) suffix: Authentication realm is LOCAL (0) [suffix] = ok (0) if (!&Realm) { (0) if (!&Realm) -> FALSE (0) eap: Peer sent EAP Response (code 2) ID 243 length 33 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default-khs (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_ttls to process data (0) eap_ttls: Initiating new EAP-TLS session (0) eap_ttls: [eaptls start] = request (0) eap: Sending EAP Request (code 1) ID 244 length 6 (0) eap: EAP session adding &reply:State = 0x7147c84d71b3dd8c (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default-khs (0) Sent Access-Challenge Id 0 from 127.0.0.1:1812 to 127.0.0.1:43649 length 0 (0) EAP-Message = 0x01f400061520 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x7147c84d71b3dd8c1f070e9e942e974a (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 1 from 127.0.0.1:43649 to 127.0.0.1:1812 length 345 (1) User-Name = "anonymous@karlshochschule.de" (1) NAS-IP-Address = 127.0.0.1 (1) Calling-Station-Id = "02-00-00-00-00-01" (1) Framed-MTU = 1400 (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) Connect-Info = "CONNECT 11Mbps 802.11b" (1) EAP-Message = 0x02f400be150016030100b3010000af0303cf3b445b29290ef9f32015e464ef9a751992d449f9c1e3fadd708884da021235000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100004e000b0004030001 (1) State = 0x7147c84d71b3dd8c1f070e9e942e974a (1) Message-Authenticator = 0x60f1adc479ab8e933ce74dfd55181b1e (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default-khs (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) suffix: Checking for suffix after "@" (1) suffix: Looking up realm "karlshochschule.de" for User-Name = "anonymous@karlshochschule.de" (1) suffix: Found realm "karlshochschule.de" (1) suffix: Adding Stripped-User-Name = "anonymous" (1) suffix: Adding Realm = "karlshochschule.de" (1) suffix: Authentication realm is LOCAL (1) [suffix] = ok (1) if (!&Realm) { (1) if (!&Realm) -> FALSE (1) eap: Peer sent EAP Response (code 2) ID 244 length 190 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default-khs (1) authenticate { (1) eap: Expiring EAP session with state 0x7147c84d71b3dd8c (1) eap: Finished EAP session with state 0x7147c84d71b3dd8c (1) eap: Previous EAP request found for state 0x7147c84d71b3dd8c, released from the list (1) eap: Peer sent packet with method EAP TTLS (21) (1) eap: Calling submodule eap_ttls to process data (1) eap_ttls: Authenticate (1) eap_ttls: Continuing EAP-TLS (1) eap_ttls: Got final TLS record fragment (184 bytes) (1) eap_ttls: WARNING: Total received TLS record fragments (184 bytes), does not equal indicated TLS record length (0 bytes) (1) eap_ttls: [eaptls verify] = ok (1) eap_ttls: Done initial handshake (1) eap_ttls: (other): before SSL initialization (1) eap_ttls: TLS_accept: before SSL initialization (1) eap_ttls: TLS_accept: before SSL initialization (1) eap_ttls: <<< recv UNKNOWN TLS VERSION ?0304? [length 00b3] (1) eap_ttls: TLS_accept: SSLv3/TLS read client hello (1) eap_ttls: >>> send TLS 1.2 [length 003d] (1) eap_ttls: TLS_accept: SSLv3/TLS write server hello (1) eap_ttls: >>> send TLS 1.2 [length 06ae] (1) eap_ttls: TLS_accept: SSLv3/TLS write certificate (1) eap_ttls: >>> send TLS 1.2 [length 022c] (1) eap_ttls: TLS_accept: SSLv3/TLS write key exchange (1) eap_ttls: >>> send TLS 1.2 [length 0004] (1) eap_ttls: TLS_accept: SSLv3/TLS write server done (1) eap_ttls: TLS_accept: Need to read more data: SSLv3/TLS write server done (1) eap_ttls: In SSL Handshake Phase (1) eap_ttls: In SSL Accept mode (1) eap_ttls: [eaptls process] = handled (1) eap: Sending EAP Request (code 1) ID 245 length 1014 (1) eap: EAP session adding &reply:State = 0x7147c84d70b2dd8c (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default-khs (1) Sent Access-Challenge Id 1 from 127.0.0.1:1812 to 127.0.0.1:43649 length 0 (1) EAP-Message = 0x01f503f615c00000092f160303003d0200003903036ead001a5fcd107ae275a24d91c469ce7db00ead3656cc2d444f574e4752440100c030000011ff01000100000b0004030001020017000016030306ae0b0006aa0006a70006a4308206a030820488a003020102020900bb42a628d2722440300d0609 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x7147c84d70b2dd8c1f070e9e942e974a (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 2 from 127.0.0.1:43649 to 127.0.0.1:1812 length 161 (2) User-Name = "anonymous@karlshochschule.de" (2) NAS-IP-Address = 127.0.0.1 (2) Calling-Station-Id = "02-00-00-00-00-01" (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) Service-Type = Framed-User (2) Connect-Info = "CONNECT 11Mbps 802.11b" (2) EAP-Message = 0x02f500061500 (2) State = 0x7147c84d70b2dd8c1f070e9e942e974a (2) Message-Authenticator = 0x63ba835e9e97dc2c21b2135cf8dab043 (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default-khs (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) suffix: Checking for suffix after "@" (2) suffix: Looking up realm "karlshochschule.de" for User-Name = "anonymous@karlshochschule.de" (2) suffix: Found realm "karlshochschule.de" (2) suffix: Adding Stripped-User-Name = "anonymous" (2) suffix: Adding Realm = "karlshochschule.de" (2) suffix: Authentication realm is LOCAL (2) [suffix] = ok (2) if (!&Realm) { (2) if (!&Realm) -> FALSE (2) eap: Peer sent EAP Response (code 2) ID 245 length 6 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default-khs (2) authenticate { (2) eap: Expiring EAP session with state 0x7147c84d70b2dd8c (2) eap: Finished EAP session with state 0x7147c84d70b2dd8c (2) eap: Previous EAP request found for state 0x7147c84d70b2dd8c, released from the list (2) eap: Peer sent packet with method EAP TTLS (21) (2) eap: Calling submodule eap_ttls to process data (2) eap_ttls: Authenticate (2) eap_ttls: Continuing EAP-TLS (2) eap_ttls: Peer ACKed our handshake fragment (2) eap_ttls: [eaptls verify] = request (2) eap_ttls: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 246 length 1014 (2) eap: EAP session adding &reply:State = 0x7147c84d73b1dd8c (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default-khs (2) Sent Access-Challenge Id 2 from 127.0.0.1:1812 to 127.0.0.1:43649 length 0 (2) EAP-Message = 0x01f603f615c00000092f07a5bce150289ec883f5c159a3e4a90c89c78846700415571d88542761e9972724f4a90c8ee8bb817865b11ce9f05cc051b2014902535224805acc9dd5965593794322f617c3e9dead670d26818eccdbdad8133b1e2f78255b0203010001a3819430819130090603551d130402 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x7147c84d73b1dd8c1f070e9e942e974a (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 3 from 127.0.0.1:43649 to 127.0.0.1:1812 length 161 (3) User-Name = "anonymous@karlshochschule.de" (3) NAS-IP-Address = 127.0.0.1 (3) Calling-Station-Id = "02-00-00-00-00-01" (3) Framed-MTU = 1400 (3) NAS-Port-Type = Wireless-802.11 (3) Service-Type = Framed-User (3) Connect-Info = "CONNECT 11Mbps 802.11b" (3) EAP-Message = 0x02f600061500 (3) State = 0x7147c84d73b1dd8c1f070e9e942e974a (3) Message-Authenticator = 0x669f156a27bfaedd4a4b920612820d39 (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default-khs (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) suffix: Checking for suffix after "@" (3) suffix: Looking up realm "karlshochschule.de" for User-Name = "anonymous@karlshochschule.de" (3) suffix: Found realm "karlshochschule.de" (3) suffix: Adding Stripped-User-Name = "anonymous" (3) suffix: Adding Realm = "karlshochschule.de" (3) suffix: Authentication realm is LOCAL (3) [suffix] = ok (3) if (!&Realm) { (3) if (!&Realm) -> FALSE (3) eap: Peer sent EAP Response (code 2) ID 246 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default-khs (3) authenticate { (3) eap: Expiring EAP session with state 0x7147c84d73b1dd8c (3) eap: Finished EAP session with state 0x7147c84d73b1dd8c (3) eap: Previous EAP request found for state 0x7147c84d73b1dd8c, released from the list (3) eap: Peer sent packet with method EAP TTLS (21) (3) eap: Calling submodule eap_ttls to process data (3) eap_ttls: Authenticate (3) eap_ttls: Continuing EAP-TLS (3) eap_ttls: Peer ACKed our handshake fragment (3) eap_ttls: [eaptls verify] = request (3) eap_ttls: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 247 length 353 (3) eap: EAP session adding &reply:State = 0x7147c84d72b0dd8c (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default-khs (3) Sent Access-Challenge Id 3 from 127.0.0.1:1812 to 127.0.0.1:43649 length 0 (3) EAP-Message = 0x01f7016115800000092fd193786f177d2c11a0db978590610aa2c9ccb04fd3a595cde36ece47874024cd74dc85d60501ccbd0b3d5327d3475e5796e0769cf14476f1fc0354e39d3b9e0312c66d542b08fb4c3f3d00931334fe4049158725e0ec6be1da2d4c7d2f7f7bd482b3c2159646137de9ec82be0e (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x7147c84d72b0dd8c1f070e9e942e974a (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 4 from 127.0.0.1:43649 to 127.0.0.1:1812 length 254 (4) User-Name = "anonymous@karlshochschule.de" (4) NAS-IP-Address = 127.0.0.1 (4) Calling-Station-Id = "02-00-00-00-00-01" (4) Framed-MTU = 1400 (4) NAS-Port-Type = Wireless-802.11 (4) Service-Type = Framed-User (4) Connect-Info = "CONNECT 11Mbps 802.11b" (4) EAP-Message = 0x02f70063150016030300251000002120bb1c8623cce4fcdd9969e81d38e5ce4869085c7f00628eab184bd12844bb205014030300010116030300289fba59a5dc9971e195f63c4b77230687c8ea837e3e4a0b8e30a742e55b6e05b64100a59dc08c19f2 (4) State = 0x7147c84d72b0dd8c1f070e9e942e974a (4) Message-Authenticator = 0x65cf15a9d2b9b7a35991fa06afb4fb42 (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default-khs (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) suffix: Checking for suffix after "@" (4) suffix: Looking up realm "karlshochschule.de" for User-Name = "anonymous@karlshochschule.de" (4) suffix: Found realm "karlshochschule.de" (4) suffix: Adding Stripped-User-Name = "anonymous" (4) suffix: Adding Realm = "karlshochschule.de" (4) suffix: Authentication realm is LOCAL (4) [suffix] = ok (4) if (!&Realm) { (4) if (!&Realm) -> FALSE (4) eap: Peer sent EAP Response (code 2) ID 247 length 99 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default-khs (4) authenticate { (4) eap: Expiring EAP session with state 0x7147c84d72b0dd8c (4) eap: Finished EAP session with state 0x7147c84d72b0dd8c (4) eap: Previous EAP request found for state 0x7147c84d72b0dd8c, released from the list (4) eap: Peer sent packet with method EAP TTLS (21) (4) eap: Calling submodule eap_ttls to process data (4) eap_ttls: Authenticate (4) eap_ttls: Continuing EAP-TLS (4) eap_ttls: [eaptls verify] = ok (4) eap_ttls: Done initial handshake (4) eap_ttls: TLS_accept: SSLv3/TLS write server done (4) eap_ttls: <<< recv TLS 1.2 [length 0025] (4) eap_ttls: TLS_accept: SSLv3/TLS read client key exchange (4) eap_ttls: TLS_accept: SSLv3/TLS read change cipher spec (4) eap_ttls: <<< recv TLS 1.2 [length 0010] (4) eap_ttls: TLS_accept: SSLv3/TLS read finished (4) eap_ttls: >>> send TLS 1.2 [length 0001] (4) eap_ttls: TLS_accept: SSLv3/TLS write change cipher spec (4) eap_ttls: >>> send TLS 1.2 [length 0010] (4) eap_ttls: TLS_accept: SSLv3/TLS write finished (4) eap_ttls: (other): SSL negotiation finished successfully (4) eap_ttls: SSL Connection Established (4) eap_ttls: [eaptls process] = handled (4) eap: Sending EAP Request (code 1) ID 248 length 61 (4) eap: EAP session adding &reply:State = 0x7147c84d75bfdd8c (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default-khs (4) Sent Access-Challenge Id 4 from 127.0.0.1:1812 to 127.0.0.1:43649 length 0 (4) EAP-Message = 0x01f8003d15800000003314030300010116030300283af9c0e6b9e5a741c0c2e2290518e28dfbb7329ccf7ffa91ade72b6662636b4b7e404a85b4a3ed7a (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x7147c84d75bfdd8c1f070e9e942e974a (4) Finished request Waking up in 4.9 seconds. (5) Received Access-Request Id 5 from 127.0.0.1:43649 to 127.0.0.1:1812 length 250 (5) User-Name = "anonymous@karlshochschule.de" (5) NAS-IP-Address = 127.0.0.1 (5) Calling-Station-Id = "02-00-00-00-00-01" (5) Framed-MTU = 1400 (5) NAS-Port-Type = Wireless-802.11 (5) Service-Type = Framed-User (5) Connect-Info = "CONNECT 11Mbps 802.11b" (5) EAP-Message = 0x02f8005f150017030300549fba59a5dc9971e230a9475002c0b31b27bf0b18d9f6e4f771bd336049231946679c2ea83f4182f9d7ef3ecc42edaec13bae2ba1834c278e0523839e9ba7f6453bb6528656531ed0d33bb3cb18f0859d68b35f9d (5) State = 0x7147c84d75bfdd8c1f070e9e942e974a (5) Message-Authenticator = 0x7e43e268618f2c1c4c230df9a130c81e (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default-khs (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) suffix: Checking for suffix after "@" (5) suffix: Looking up realm "karlshochschule.de" for User-Name = "anonymous@karlshochschule.de" (5) suffix: Found realm "karlshochschule.de" (5) suffix: Adding Stripped-User-Name = "anonymous" (5) suffix: Adding Realm = "karlshochschule.de" (5) suffix: Authentication realm is LOCAL (5) [suffix] = ok (5) if (!&Realm) { (5) if (!&Realm) -> FALSE (5) eap: Peer sent EAP Response (code 2) ID 248 length 95 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default-khs (5) authenticate { (5) eap: Expiring EAP session with state 0x7147c84d75bfdd8c (5) eap: Finished EAP session with state 0x7147c84d75bfdd8c (5) eap: Previous EAP request found for state 0x7147c84d75bfdd8c, released from the list (5) eap: Peer sent packet with method EAP TTLS (21) (5) eap: Calling submodule eap_ttls to process data (5) eap_ttls: Authenticate (5) eap_ttls: Continuing EAP-TLS (5) eap_ttls: [eaptls verify] = ok (5) eap_ttls: Done initial handshake (5) eap_ttls: [eaptls process] = ok (5) eap_ttls: Session established. Proceeding to decode tunneled attributes (5) eap_ttls: Got tunneled request (5) eap_ttls: User-Name = "testuser@karlshochschule.de" (5) eap_ttls: User-Password = "password" (5) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1 (5) eap_ttls: Sending tunneled request (5) Virtual server inner-tunnel received request (5) User-Name = "testuser@karlshochschule.de" (5) User-Password = "password" (5) FreeRADIUS-Proxied-To = 127.0.0.1 (5) server inner-tunnel { (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-khs (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) suffix: Checking for suffix after "@" (5) suffix: Looking up realm "karlshochschule.de" for User-Name = "testuser@karlshochschule.de" (5) suffix: Found realm "karlshochschule.de" (5) suffix: Adding Stripped-User-Name = "testuser" (5) suffix: Adding Realm = "karlshochschule.de" (5) suffix: Authentication realm is LOCAL (5) [suffix] = ok (5) update control { (5) &Proxy-To-Realm := LOCAL (5) } # update control = noop rlm_ldap (ldap_khs): Closing connection (0): Hit idle_timeout, was idle for 117 seconds rlm_ldap (ldap_khs): You probably need to lower "min" ldap_free_connection 1 1 ldap_send_unbind ldap_free_connection: actually freed rlm_ldap (ldap_khs): Closing connection (1): Hit idle_timeout, was idle for 116 seconds rlm_ldap (ldap_khs): You probably need to lower "min" ldap_free_connection 1 1 ldap_send_unbind ldap_free_connection: actually freed rlm_ldap (ldap_khs): Closing connection (2): Hit idle_timeout, was idle for 116 seconds rlm_ldap (ldap_khs): You probably need to lower "min" ldap_free_connection 1 1 ldap_send_unbind ldap_free_connection: actually freed rlm_ldap (ldap_khs): Closing connection (3): Hit idle_timeout, was idle for 116 seconds rlm_ldap (ldap_khs): You probably need to lower "min" ldap_free_connection 1 1 ldap_send_unbind ldap_free_connection: actually freed rlm_ldap (ldap_khs): Closing connection (4): Hit idle_timeout, was idle for 116 seconds rlm_ldap (ldap_khs): You probably need to lower "min" ldap_free_connection 1 1 ldap_send_unbind ldap_free_connection: actually freed rlm_ldap (ldap_khs): 0 of 0 connections in use. You may need to increase "spare" rlm_ldap (ldap_khs): Opening additional connection (5), 1 of 10 pending slots used rlm_ldap (ldap_khs): Connecting to ldaps://ldap.karlshochschule.de:636 ldap_create ldap_url_parse_ext(ldaps://ldap.karlshochschule.de:636) TLS: warning: cacertdir not implemented for gnutls ldap_bind ldap_simple_bind ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP ldap.karlshochschule.de:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 20.79.97.218:636 ldap_pvt_connect: fd: 3 tm: 10 async: 0 ldap_ndelay_on: 3 attempting to connect: connect errno: 115 ldap_int_poll: fd: 3 tm: 10 ldap_is_sock_ready: 3 ldap_ndelay_off: 3 ldap_pvt_connect: 0 ldap_open_defconn: successful ldap_send_server_request rlm_ldap (ldap_khs): Waiting for bind result... ldap_result ld 0x564774e6aaa0 msgid 1 wait4msg ld 0x564774e6aaa0 msgid 1 (timeout 20000000 usec) wait4msg continue ld 0x564774e6aaa0 msgid 1 all 1 ** ld 0x564774e6aaa0 Connections: * host: ldap.karlshochschule.de port: 636 (default) refcnt: 2 status: Connected last used: Thu Sep 21 16:52:17 2023 ** ld 0x564774e6aaa0 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ld 0x564774e6aaa0 request count 1 (abandoned 0) ** ld 0x564774e6aaa0 Response Queue: Empty ld 0x564774e6aaa0 response count 0 ldap_chkResponseList ld 0x564774e6aaa0 msgid 1 all 1 ldap_chkResponseList returns ld 0x564774e6aaa0 NULL ldap_int_select read1msg: ld 0x564774e6aaa0 msgid 1 all 1 read1msg: ld 0x564774e6aaa0 msgid 1 message type bind read1msg: ld 0x564774e6aaa0 0 new referrals read1msg: mark request completed, ld 0x564774e6aaa0 msgid 1 request done: ld 0x564774e6aaa0 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_parse_result ldap_msgfree rlm_ldap (ldap_khs): Bind successful rlm_ldap (ldap_khs): Reserved connection (5) (5) ldap_khs: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}}) (5) ldap_khs: --> (cn=testuser) (5) ldap_khs: Performing search in "OU=AADDC Users,dc=karlshochschule,dc=de" with filter "(cn=testuser)", scope "sub" ldap_search_ext put_filter: "(cn=testuser)" put_filter: simple put_simple_filter: "cn=testuser" ldap_build_search_req ATTRS: userPassword ntPassword ldap_send_initial_request ldap_send_server_request (5) ldap_khs: Waiting for search result... ldap_result ld 0x564774e6aaa0 msgid 2 wait4msg ld 0x564774e6aaa0 msgid 2 (timeout 20000000 usec) wait4msg continue ld 0x564774e6aaa0 msgid 2 all 1 ** ld 0x564774e6aaa0 Connections: * host: ldap.karlshochschule.de port: 636 (default) refcnt: 2 status: Connected last used: Thu Sep 21 16:52:17 2023 ** ld 0x564774e6aaa0 Outstanding Requests: * msgid 2, origid 2, status InProgress outstanding referrals 0, parent count 0 ld 0x564774e6aaa0 request count 1 (abandoned 0) ** ld 0x564774e6aaa0 Response Queue: Empty ld 0x564774e6aaa0 response count 0 ldap_chkResponseList ld 0x564774e6aaa0 msgid 2 all 1 ldap_chkResponseList returns ld 0x564774e6aaa0 NULL ldap_int_select read1msg: ld 0x564774e6aaa0 msgid 2 all 1 read1msg: ld 0x564774e6aaa0 msgid 2 message type search-entry read1msg: ld 0x564774e6aaa0 msgid 2 message type search-result read1msg: ld 0x564774e6aaa0 0 new referrals read1msg: mark request completed, ld 0x564774e6aaa0 msgid 2 request done: ld 0x564774e6aaa0 msgid 2 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 2, msgid 2) adding response ld 0x564774e6aaa0 msgid 2 type 101: ldap_parse_result ldap_get_dn (5) ldap_khs: User object found at DN "CN=testuser,OU=AADDC Users,DC=karlshochschule,DC=de" (5) ldap_khs: Processing user attributes ldap_get_values_len ldap_get_values_len (5) ldap_khs: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (5) ldap_khs: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) ldap_msgfree rlm_ldap (ldap_khs): Released connection (5) Need 4 more connections to reach min connections (5) rlm_ldap (ldap_khs): Opening additional connection (6), 1 of 9 pending slots used rlm_ldap (ldap_khs): Connecting to ldaps://ldap.karlshochschule.de:636 ldap_create ldap_url_parse_ext(ldaps://ldap.karlshochschule.de:636) TLS: warning: cacertdir not implemented for gnutls ldap_bind ldap_simple_bind ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP ldap.karlshochschule.de:636 ldap_new_socket: 4 ldap_prepare_socket: 4 ldap_connect_to_host: Trying 20.79.97.218:636 ldap_pvt_connect: fd: 4 tm: 10 async: 0 ldap_ndelay_on: 4 attempting to connect: connect errno: 115 ldap_int_poll: fd: 4 tm: 10 ldap_is_sock_ready: 4 ldap_ndelay_off: 4 ldap_pvt_connect: 0 ldap_open_defconn: successful ldap_send_server_request rlm_ldap (ldap_khs): Waiting for bind result... ldap_result ld 0x564773fe1710 msgid 1 wait4msg ld 0x564773fe1710 msgid 1 (timeout 20000000 usec) wait4msg continue ld 0x564773fe1710 msgid 1 all 1 ** ld 0x564773fe1710 Connections: * host: ldap.karlshochschule.de port: 636 (default) refcnt: 2 status: Connected last used: Thu Sep 21 16:52:17 2023 ** ld 0x564773fe1710 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ld 0x564773fe1710 request count 1 (abandoned 0) ** ld 0x564773fe1710 Response Queue: Empty ld 0x564773fe1710 response count 0 ldap_chkResponseList ld 0x564773fe1710 msgid 1 all 1 ldap_chkResponseList returns ld 0x564773fe1710 NULL ldap_int_select read1msg: ld 0x564773fe1710 msgid 1 all 1 read1msg: ld 0x564773fe1710 msgid 1 message type bind read1msg: ld 0x564773fe1710 0 new referrals read1msg: mark request completed, ld 0x564773fe1710 msgid 1 request done: ld 0x564773fe1710 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_parse_result ldap_msgfree rlm_ldap (ldap_khs): Bind successful (5) [ldap_khs] = ok (5) inner_eap: No EAP-Message, not doing EAP (5) [inner_eap] = noop (5) [pap] = noop (5) } # authorize = ok (5) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (5) Failed to authenticate the user (5) Using Post-Auth-Type Reject (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-khs (5) Post-Auth-Type REJECT { (5) inner_tunnel_linelog: EXPAND messages.%{%{reply:Packet-Type}:-default} (5) inner_tunnel_linelog: --> messages.Access-Reject (5) inner_tunnel_linelog: EXPAND Login incorrect: [%{User-Name}] (%{request:Module-Failure-Message}) (cli %{outer.request:Calling-Station-Id} via TLS tunnel) (5) inner_tunnel_linelog: --> Login incorrect: [testuser@karlshochschule.de] (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject) (cli 02-00-00-00-00-01 via TLS tunnel) (5) [inner_tunnel_linelog] = ok (5) attr_filter.access_reject: EXPAND %{User-Name} (5) attr_filter.access_reject: --> testuser@karlshochschule.de (5) attr_filter.access_reject: Matched entry DEFAULT at line 11 (5) [attr_filter.access_reject] = updated (5) update outer.session-state { (5) &Module-Failure-Message := &request:Module-Failure-Message -> 'No Auth-Type found: rejecting the user via Post-Auth-Type = Reject' (5) } # update outer.session-state = noop (5) } # Post-Auth-Type REJECT = updated (5) EXPAND badpass (5) --> badpass (5) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [testuser/234Tu45$%] (from client localhost port 0 via TLS tunnel) badpass (5) } # server inner-tunnel (5) Virtual server sending reply (5) eap_ttls: Got tunneled Access-Reject (5) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed (5) eap: Sending EAP Failure (code 4) ID 248 length 4 (5) eap: Failed in EAP select (5) [eap] = invalid (5) } # authenticate = invalid (5) Failed to authenticate the user (5) Using Post-Auth-Type Reject (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default-khs (5) Post-Auth-Type REJECT { (5) outer_linelog: EXPAND messages.%{%{reply:Packet-Type}:-default} (5) outer_linelog: --> messages.Access-Reject (5) outer_linelog: EXPAND Login incorrect: [%{User-Name}] (%{%{reply:Reply-Message}:-%{request:Module-Failure-Message}}) (cli %{request:Calling-Station-Id}) (5) outer_linelog: --> Login incorrect: [anonymous@karlshochschule.de] (eap: Failed continuing EAP TTLS (21) session. EAP sub-module failed) (cli 02-00-00-00-00-01) (5) [outer_linelog] = ok (5) attr_filter.access_reject: EXPAND %{User-Name} (5) attr_filter.access_reject: --> anonymous@karlshochschule.de (5) attr_filter.access_reject: Matched entry DEFAULT at line 11 (5) [attr_filter.access_reject] = updated (5) [eap] = noop (5) policy remove_reply_message_if_eap { (5) if (&reply:EAP-Message && &reply:Reply-Message) { (5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (5) else { (5) [noop] = noop (5) } # else = noop (5) } # policy remove_reply_message_if_eap = noop (5) } # Post-Auth-Type REJECT = updated (5) EXPAND badpass (5) --> badpass (5) Login incorrect (eap: Failed continuing EAP TTLS (21) session. EAP sub-module failed): [anonymous/<via Auth-Type = eap>] (from client localhost port 0 cli 02-00-00-00-00-01) badpass (5) Delaying response for 1.000000 seconds Waking up in 0.1 seconds. Waking up in 0.8 seconds. (5) Sending delayed response (5) Sent Access-Reject Id 5 from 127.0.0.1:1812 to 127.0.0.1:43649 length 44 (5) EAP-Message = 0x04f80004 (5) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.7 seconds. (0) Cleaning up request packet ID 0 with timestamp +116 (1) Cleaning up request packet ID 1 with timestamp +116 (2) Cleaning up request packet ID 2 with timestamp +116 (3) Cleaning up request packet ID 3 with timestamp +116 (4) Cleaning up request packet ID 4 with timestamp +116 Waking up in 0.1 seconds. (5) Cleaning up request packet ID 5 with timestamp +116 Ready to process requests ^Croot@radsec:~#