Hi, Im trying to use FR 3 to connect to remote AD via ldap module, tried playing with parameters but with no luck. Idk what i miss.

I use own certificates. PEAP with MSCHAPv2.

 

I config. ldap module :

server = "pegasus.fri.uniza.sk"

        port = 636

        base_dn = "dc=fri,dc=uniza,dc=sk"

        user {

                base_dn = "ou=People,dc=fri,dc=uniza,dc=sk"

                filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

                scope = 'sub'

        }

 options {

                chase_referrals = yes

                rebind = yes

}

 tls {

                ca_path = ${certdir}           

        ca_file = ${certdir}/cacert.cer

                certificate_file = ${certdir}/friradius.cer

                private_key_file = ${certdir}/friradius.key

                require_cert    = "demand"

        }

 

In sites-available/default and inner-tunnel I just added :

authorize {

        ldap

}

In eap I config >
eap {
        default_eap_type = peap
        tls {
                tls = tls-common
        }
        ttls {
                tls = tls-common
                default_eap_type = mschapv2
                copy_request_to_tunnel = yes
                use_tunneled_reply = yes
                virtual_server = "inner-tunnel"
        }
        peap {
                tls = tls-common
                default_eap_type = mschapv2
                copy_request_to_tunnel = yes
                use_tunneled_reply = yes
                virtual_server = "inner-tunnel"
        }
In mschap >
mschap {
        use_mppe = no
        require_encryption = yes
        require_strong = yes
        passchange {
        }
}
Also added realm to proxy >
realm fri.uniza.sk {
}

Its starting all-right :

"Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel

Listening on auth address * port 1812 as server default

Listening on acct address * port 1813 as server default

Opening new proxy socket 'proxy address * port 0'

Listening on proxy address * port 47617

Ready to process requests."

But when I try radtest :
radtest -t mschap matisko@fri.uniza.sk <password>localhost 0 testing123
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=213, length=20
Debug is : 
(1) suffix : Looking up realm "fri.uniza.sk" for User-Name = "hajtmanek@fri.uniza.sk"
(1) suffix : Found realm "fri.uniza.sk"
(1) suffix : Adding Stripped-User-Name = "hajtmanek"
(1) suffix : Adding Realm = "fri.uniza.sk"
(1) suffix : Authentication realm is LOCAL.
(1)   [suffix] = ok
(1) eap : No EAP-Message, not doing EAP
(1)   [eap] = noop
(1)   [files] = noop
rlm_ldap (ldap): Reserved connection (4)
(1) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(1) ldap :    --> (uid=hajtmanek)
(1) ldap : EXPAND ou=People,dc=fri,dc=uniza,dc=sk
(1) ldap :    --> ou=People,dc=fri,dc=uniza,dc=sk
(1) ldap : Performing search in 'ou=People,dc=fri,dc=uniza,dc=sk' with filter '(uid=hajtmanek)', scope 'sub'
(1) ldap : Waiting for search result...
(1) ERROR: ldap : Failed performing search: Please set 'chase_referrals=yes' and 'rebind=yes'. See the ldap module configuration for details.
(1) ERROR: ldap : Server said: 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1.
rlm_ldap (ldap): Released connection (4)
rlm_ldap (ldap): Opening additional connection (5)
rlm_ldap (ldap): Connecting to pegasus.fri.uniza.sk:636
TLS: warning: cacertdir not implemented for gnutls
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(1)   [ldap] = fail
(1)  } #  authorize = fail
(1) Invalid user (ldap: Failed performing search: Please set 'chase_referrals=yes' and 'rebind=yes'. See the ldap module configuration for details.): [hajtmanek/pokus123] (from client localhost port 0)
(1) Using Post-Auth-Type Reject
Binding is succesfull, referals and rebind are changed. SSL handshake I think is ok (according to wireshark :) ).