Hi, Im trying to use FR 3 to connect to remote AD via ldap module, tried playing with parameters but with no luck. Idk what i miss.
I use own certificates. PEAP with MSCHAPv2.
I config. ldap module :
server = "pegasus.fri.uniza.sk"
port = 636
base_dn = "dc=fri,dc=uniza,dc=sk"
user {
base_dn = "ou=People,dc=fri,dc=uniza,dc=sk"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
scope = 'sub'
}
options {
chase_referrals = yes
rebind = yes
}
tls {
ca_path = ${certdir}
ca_file = ${certdir}/cacert.cer
certificate_file = ${certdir}/friradius.cer
private_key_file = ${certdir}/friradius.key
require_cert = "demand"
}
In sites-available/default and inner-tunnel I just added :
authorize {
ldap
}
In eap I config >
eap {
default_eap_type = peap
tls {
tls = tls-common
}
ttls {
tls = tls-common
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
}
peap {
tls = tls-common
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
}
In mschap >
mschap {
use_mppe = no
require_encryption = yes
require_strong = yes
passchange {
}
}
Also added realm to proxy >
Its starting all-right :
"Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
Listening on auth address * port 1812 as server default
Listening on acct address * port 1813 as server default
Opening new proxy socket 'proxy address * port 0'
Listening on proxy address * port 47617
Ready to process requests."
But when I try radtest :
radtest -t mschap matisko@fri.uniza.sk <password>localhost 0 testing123
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=213, length=20
Debug is :
(1) suffix : Looking up realm "fri.uniza.sk" for User-Name = "hajtmanek@fri.uniza.sk"
(1) suffix : Found realm "fri.uniza.sk"
(1) suffix : Adding Stripped-User-Name = "hajtmanek"
(1) suffix : Adding Realm = "fri.uniza.sk"
(1) suffix : Authentication realm is LOCAL.
(1) [suffix] = ok
(1) eap : No EAP-Message, not doing EAP
(1) [eap] = noop
(1) [files] = noop
rlm_ldap (ldap): Reserved connection (4)
(1) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(1) ldap : --> (uid=hajtmanek)
(1) ldap : EXPAND ou=People,dc=fri,dc=uniza,dc=sk
(1) ldap : --> ou=People,dc=fri,dc=uniza,dc=sk
(1) ldap : Performing search in 'ou=People,dc=fri,dc=uniza,dc=sk' with filter '(uid=hajtmanek)', scope 'sub'
(1) ldap : Waiting for search result...
(1) ERROR: ldap : Failed performing search: Please set 'chase_referrals=yes' and 'rebind=yes'. See the ldap module configuration for details.
(1) ERROR: ldap : Server said: 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1.
rlm_ldap (ldap): Released connection (4)
rlm_ldap (ldap): Opening additional connection (5)
rlm_ldap (ldap): Connecting to pegasus.fri.uniza.sk:636
TLS: warning: cacertdir not implemented for gnutls
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(1) [ldap] = fail
(1) } # authorize = fail
(1) Invalid user (ldap: Failed performing search: Please set 'chase_referrals=yes' and 'rebind=yes'. See the ldap module configuration for details.): [hajtmanek/pokus123] (from client localhost port 0)
(1) Using Post-Auth-Type Reject
Binding is succesfull, referals and rebind are changed. SSL handshake I think is ok (according to wireshark :) ).