On Aug 12, 2019, at 9:31 PM, Yuya Yanagi <peacefull64@gmail.com> wrote:
We are replacing from freeradius v2 to freeradius v3, the settings will take over the previous contents, and the Wifi authentication method will not change from EAP-TTLS + MS-CHAPv2 It is a specification and customer request.
OK.
In freeradius v2 environment, you can connect with EAP-TTLS + MS-CHAPv2. In Freeradius v3, you can connect with EAP-TTLS + PAP, but you cannot connect with MS-CHAPv2.
It should be possible with mostly the same configuration.
There is no AD in this environment, everything is done with LDAP, and the password is stored in LDAP with NT Hash. Mapping has the following two mappings. (LDAP is OpenLDAP use )
control:NT-Password := 'sambaNtPassword' control:User-Password := 'sambaNtPassword'
Are those attributes found in LDAP?
In the authentication section I am trying to reference LDAP with Auth-Type LDAP The following error occurs and there is no inquiry.
(6) ldap_regularusers: WARNING: You have set "Auth-Type := LDAP" somewhere (6) ldap_regularusers: WARNING: ********************************************* (6) ldap_regularusers: WARNING: * THAT CONFIGURATION IS WRONG. DELETE IT. (6) ldap_regularusers: WARNING: * YOU ARE PREVENTING THE SERVER FROM WORKING (6) ldap_regularusers: WARNING: ********************************************* (6) ldap_regularusers: ERROR: Attribute "User-Password" is required for authentication
That seems pretty clear. Don't set "Auth-Type := LDAP". It's not needed.
(6) server inner-tunnel { (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (6) authorize { (6) policy rewrite_called_station_id { (6) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (6) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> FALSE (6) else { (6) [noop] = noop (6) } # else = noop (6) } # policy rewrite_called_station_id = noop (6) [mschap] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "yanagi", looking up realm NULL (6) suffix: Found realm "NULL" (6) suffix: Adding Stripped-User-Name = "yanagi" (6) suffix: Adding Realm = "NULL" (6) suffix: Authentication realm is LOCAL (6) [suffix] = ok (6) eap: Peer sent EAP Response (code 2) ID 8 length 65 (6) eap: No EAP Start, assuming it's an on-going EAP conversation (6) [eap] = updated (6) if (&outer.request:NAS-IP-Address =~ /^192\.168\.10\.1[2]{1}$/ || &outer.request:NAS-IP-Address == "192.168.200.240" || &outer.request:NAS-IP-Address == "localhost") { (6) if (&outer.request:NAS-IP-Address =~ /^192\.168\.10\.1[2]{1}$/ || &outer.request:NAS-IP-Address == "192.168.200.240" || &outer.request:NAS-IP-Address == "localhost") -> TRUE (6) if (&outer.request:NAS-IP-Address =~ /^192\.168\.10\.1[2]{1}$/ || &outer.request:NAS-IP-Address == "192.168.200.240" || &outer.request:NAS-IP-Address == "localhost") { (6) if (&outer.request:Called-Station-SSID == 'BLUE') { (6) if (&outer.request:Called-Station-SSID == 'BLUE') -> TRUE (6) if (&outer.request:Called-Station-SSID == 'BLUE') { rlm_ldap (ldap_regularusers): Closing connection (0): Hit idle_timeout, was idle for 294 seconds rlm_ldap (ldap_regularusers): You probably need to lower "min" rlm_ldap (ldap_regularusers): Closing connection (1): Hit idle_timeout, was idle for 294 seconds rlm_ldap (ldap_regularusers): You probably need to lower "min" rlm_ldap (ldap_regularusers): Closing connection (2): Hit idle_timeout, was idle for 294 seconds rlm_ldap (ldap_regularusers): You probably need to lower "min" rlm_ldap (ldap_regularusers): Closing connection (3): Hit idle_timeout, was idle for 293 seconds rlm_ldap (ldap_regularusers): You probably need to lower "min" rlm_ldap (ldap_regularusers): Closing connection (4): Hit idle_timeout, was idle for 293 seconds rlm_ldap (ldap_regularusers): You probably need to lower "min" rlm_ldap (ldap_regularusers): 0 of 0 connections in use. You may need to increase "spare" rlm_ldap (ldap_regularusers): Opening additional connection (5), 1 of 10 pending slots used rlm_ldap (ldap_regularusers): Connecting to ldap://tyg-ldap-01:636 rlm_ldap (ldap_regularusers): Waiting for bind result... rlm_ldap (ldap_regularusers): Bind successful rlm_ldap (ldap_regularusers): Reserved connection (5) (6) ldap_regularusers: EXPAND (&(!(employeeType=participant))(!(employeeType=trainee))(!(hogePersonAccountStatus=03))(!(hogePersonAccountStatus=04))(uid=%{%{Stripped-User-Name}:-%{User-Name}})) (6) ldap_regularusers: --> (&(!(employeeType=participant))(!(employeeType=trainee))(!(hogePersonAccountStatus=03))(!(hogePersonAccountStatus=04))(uid=yanagi)) (6) ldap_regularusers: Performing search in "ou=Users,dc=edu,dc=hoge,dc=ac,dc=jp" with filter "(&(!(employeeType=participant))(!(employeeType=trainee))(!(hogePersonAccountStatus=03))(!(hogePersonAccountStatus=04))(uid=yanagi))", scope "sub" (6) ldap_regularusers: Waiting for search result... (6) ldap_regularusers: User object found at DN "uid=yanagi,ou=Users,dc=edu,dc=hoge,dc=ac,dc=jp" (6) ldap_regularusers: Processing user attributes (6) ldap_regularusers: control:NT-Password := 0x4243353030433041363439353842434531393638383936303344464645343530
That's the NT password. If you just leave things alone, it will work.
(6) ldap_regularusers: control:Password-With-Header := '{SSHA256}Q1iLz8Pc/mkXU/hniRsu3/rpWKOVdjAU/4t2iLynZqdIPFIYPW0elA==' rlm_ldap (ldap_regularusers): Released connection (5) Need 4 more connections to reach min connections (5) rlm_ldap (ldap_regularusers): Opening additional connection (6), 1 of 9 pending slots used rlm_ldap (ldap_regularusers): Connecting to ldap://tyg-ldap-01:636 rlm_ldap (ldap_regularusers): Waiting for bind result... rlm_ldap (ldap_regularusers): Bind successful (6) [ldap_regularusers] = updated (6) update control { (6) &Auth-Type := LDAP (6) } # update control = noop
Don't do that. It's breaking the server. Delete those lines from your configuration. The user should then be able to authenticate. Alan DeKok.