Freeradius - how to reply "memberof" active directory information for Strongswan
Hi, I'm using Freeradius for the Active Directory authentication of my Strongswan clients. My goal is to declare 2 vpn connections with different virtual IP leases, allowing me to separate traffic (as an example, one vpn connection for sales and the other for technicians). To do it, I'm trying to use Group selection option (rightgroups) on Strongswan. According to Strongswan documentation ( https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius) I have to use class attribute on my freeradius server to return the group membership. The issue is that I don't know how. I'm using mschap for authentication to Active Directory. *My current configuration:* */etc/freeradius/3.0/mods-available/mschap* with_ntdomain_hack = yes require_encryption = yes require_strong = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" */etc/freeradius/3.0/mods-enabled/eap* eap { [...] default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = no */etc/freeradius/3.0/clients.conf* client localhost { ipaddr = 127.0.0.1 proto = * secret = <radius-secret> require_message_authenticator = no nas_type = other limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } # IPv6 Client #client localhost_ipv6 { # ipv6addr = ::1 # secret = testing123 #} I've tried to follow this post but it didn't work http://freeradius.1045715.n5.nabble.com/Return-User-Groups-in-Class-field-td... More precisaly below part (replacing ldap module by mschap module and also changing path because my freeradius version is 3.0): *1) Added a mapping in ldap mod.* # /etc/raddb/mods-enabled/ldap ldap { ... update { ... reply:memberOf += 'memberOf' } ... } *2) Added an Attribute reference* # /etc/raddb/dictionary ATTRIBUTE memberOf 3001 string *3) Added a update reply* # /etc/raddb/sites-enabled/default post-auth { ... foreach &reply:memberOf { update reply { Class += "%{Foreach-Variable-0}" } } ... } I also tried to set below information (according to http://freeradius.1045715.n5.nabble.com/Reply-with-group-attribute-td2781054... ) post-auth { ... update reply { Class += %{Group} } } ... } I've searched accross the Internet but didn't find a way to do it properly. Is there any official guide explaning how to reply memberOf attribute? How can I do it? Thanks for your help <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail> Garanti sans virus. www.avast.com <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail> <#m_-4546190989838674270_DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>
On Sep 24, 2019, at 2:34 PM, Sébastien Genesta <genesta.sebastien@gmail.com> wrote:
I'm using Freeradius for the Active Directory authentication of my Strongswan clients.
That should be fine.
My goal is to declare 2 vpn connections with different virtual IP leases, allowing me to separate traffic (as an example, one vpn connection for sales and the other for technicians).
To do it, I'm trying to use Group selection option (rightgroups) on Strongswan.
According to Strongswan documentation ( https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius) I have to use class attribute on my freeradius server to return the group membership.
The issue is that I don't know how.
I'm using mschap for authentication to Active Directory.
You can't get group information using mschap. You MUST configure the ldap module to check AD for group membership.
I've tried to follow this post but it didn't work http://freeradius.1045715.n5.nabble.com/Return-User-Groups-in-Class-field-td...
Define "didn't work". What happened?
More precisaly below part (replacing ldap module by mschap module and also changing path because my freeradius version is 3.0): ... # /etc/raddb/sites-enabled/default post-auth { ... foreach &reply:memberOf { update reply { Class += "%{Foreach-Variable-0}" } } ... }
And... what showed up in the debug output?
Is there any official guide explaning how to reply memberOf attribute?
No.
How can I do it?
The above method *should* work, provided you read the debug output to see what's going on. Alan DeKok.
Hi, Thanks for your answer. I think the issue is caused by the fact that I was using mschap to check AD for membership. I will try to configure ldap module and give you a feedback with debug information if it still doesn't work. Seb. Le mar. 24 sept. 2019 à 20:45, Alan DeKok <aland@deployingradius.com> a écrit :
On Sep 24, 2019, at 2:34 PM, Sébastien Genesta < genesta.sebastien@gmail.com> wrote:
I'm using Freeradius for the Active Directory authentication of my Strongswan clients.
That should be fine.
My goal is to declare 2 vpn connections with different virtual IP leases, allowing me to separate traffic (as an example, one vpn connection for sales and the other for technicians).
To do it, I'm trying to use Group selection option (rightgroups) on Strongswan.
According to Strongswan documentation ( https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius) I have to use class attribute on my freeradius server to return the group membership.
The issue is that I don't know how.
I'm using mschap for authentication to Active Directory.
You can't get group information using mschap. You MUST configure the ldap module to check AD for group membership.
I've tried to follow this post but it didn't work
http://freeradius.1045715.n5.nabble.com/Return-User-Groups-in-Class-field-td...
Define "didn't work". What happened?
More precisaly below part (replacing ldap module by mschap module and also changing path because my freeradius version is 3.0): ... # /etc/raddb/sites-enabled/default post-auth { ... foreach &reply:memberOf { update reply { Class += "%{Foreach-Variable-0}" } } ... }
And... what showed up in the debug output?
Is there any official guide explaning how to reply memberOf attribute?
No.
How can I do it?
The above method *should* work, provided you read the debug output to see what's going on.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, So I come back to you because I'm encountering an issue with LDAP authentication on Strongswan. below my /etc/freeradius/3.0/sites-enabled/default authorize { [...] ldap if (ok) { update control { Auth-Type := LDAP } return } [...] } authenticate { [...] ldap [...] } When I use radtest, authentication works (Received Access-Accept Id 108 from 127.0.0.1:1812 to 127.0.0.1:58411 length 20) When I try to connect from Strongswan following debug message is returned: root@xxxxxxxxxxxxxxxxxxxx:/etc/freeradius/3.0/mods-enabled# (1) Received Access-Request Id 81 from 127.0.0.1:38840 to 127.0.0.1:1812 length 167 (1) User-Name = "*****************" (1) NAS-Port-Type = Virtual (1) Service-Type = Framed-User (1) NAS-Port = 4 (1) NAS-Port-Id = "*******************" (1) NAS-IP-Address = ********************* (1) Called-Station-Id = "************[4500]" (1) Calling-Station-Id = "3*********************[4500]" (1) Acct-Session-Id = "1569423115-4" (1) EAP-Message = 0x0200000d017367656e65737461 (1) NAS-Identifier = "StrongSwan" (1) Message-Authenticator = 0xeccdef2bf094890a372c069ac44dc467 (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 375 seconds rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 375 seconds rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 375 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for 375 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (5): Hit idle_timeout, was idle for 371 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare" rlm_ldap (ldap): Opening additional connection (6), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldap://*********************:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Reserved connection (6) (1) ldap: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) (1) ldap: --> (sAMAccountName=*********************) (1) ldap: Performing search in "*******************" with filter "(sAMAccountName=*****************)", scope "sub" (1) ldap: Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldap://*********************** rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap://***************************** rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap://************************************ rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (1) ldap: User object found at DN "CN=**********************************************" (1) ldap: Processing user attributes (1) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (1) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Deleting connection (6) - Was referred to a different LDAP server Need 3 more connections to reach min connections (3) rlm_ldap (ldap): Opening additional connection (7), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldap://***************************** rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (1) [ldap] = ok (1) if (ok) { (1) if (ok) -> TRUE (1) if (ok) { (1) update control { (1) Auth-Type := ldap (1) } # update control = noop (1) return (1) } # if (ok) = noop (1) } # authorize = ok (1) Found Auth-Type = ldap (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) authenticate { (1) ldap: WARNING: You have set "Auth-Type := LDAP" somewhere (1) ldap: WARNING: ********************************************* (1) ldap: WARNING: * THAT CONFIGURATION IS WRONG. DELETE IT. (1) ldap: WARNING: * YOU ARE PREVENTING THE SERVER FROM WORKING (1) ldap: WARNING: ********************************************* (1) ldap: ERROR: Attribute "User-Password" is required for authentication (1) [ldap] = invalid (1) } # authenticate = invalid (1) Failed to authenticate the user (1) Using Post-Auth-Type Reject (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) Post-Auth-Type REJECT { (1) attr_filter.access_reject: EXPAND %{User-Name} (1) attr_filter.access_reject: --> ************* (1) attr_filter.access_reject: Matched entry DEFAULT at line 11 (1) [attr_filter.access_reject] = updated (1) eap: Request was previously rejected, inserting EAP-Failure (1) eap: Sending EAP Failure (code 4) ID 0 length 4 (1) [eap] = updated (1) policy remove_reply_message_if_eap { (1) if (&reply:EAP-Message && &reply:Reply-Message) { (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (1) else { (1) [noop] = noop (1) } # else = noop (1) } # policy remove_reply_message_if_eap = noop (1) } # Post-Auth-Type REJECT = updated (1) Delaying response for 1.000000 seconds Waking up in 0.9 seconds. (1) Sending delayed response (1) Sent Access-Reject Id 81 from 127.0.0.1:1812 to 127.0.0.1:38840 length 44 (1) EAP-Message = 0x04000004 (1) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. (1) Cleaning up request packet ID 81 with timestamp +375 According to "WARNING: You have set "Auth-Type := LDAP" somewhere", i've tried to remove it but radtest fails (ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject) Thanks Le mer. 25 sept. 2019 à 15:20, Sébastien Genesta < genesta.sebastien@gmail.com> a écrit :
Hi,
Thanks for your answer. I think the issue is caused by the fact that I was using mschap to check AD for membership.
I will try to configure ldap module and give you a feedback with debug information if it still doesn't work.
Seb.
Le mar. 24 sept. 2019 à 20:45, Alan DeKok <aland@deployingradius.com> a écrit :
On Sep 24, 2019, at 2:34 PM, Sébastien Genesta < genesta.sebastien@gmail.com> wrote:
I'm using Freeradius for the Active Directory authentication of my Strongswan clients.
That should be fine.
My goal is to declare 2 vpn connections with different virtual IP leases, allowing me to separate traffic (as an example, one vpn connection for sales and the other for technicians).
To do it, I'm trying to use Group selection option (rightgroups) on Strongswan.
According to Strongswan documentation ( https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius) I have to use class attribute on my freeradius server to return the group membership.
The issue is that I don't know how.
I'm using mschap for authentication to Active Directory.
You can't get group information using mschap. You MUST configure the ldap module to check AD for group membership.
I've tried to follow this post but it didn't work
http://freeradius.1045715.n5.nabble.com/Return-User-Groups-in-Class-field-td...
Define "didn't work". What happened?
More precisaly below part (replacing ldap module by mschap module and also changing path because my freeradius version is 3.0): ... # /etc/raddb/sites-enabled/default post-auth { ... foreach &reply:memberOf { update reply { Class += "%{Foreach-Variable-0}" } } ... }
And... what showed up in the debug output?
Is there any official guide explaning how to reply memberOf attribute?
No.
How can I do it?
The above method *should* work, provided you read the debug output to see what's going on.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Sep 25, 2019, at 11:13 AM, Sébastien Genesta <genesta.sebastien@gmail.com> wrote:
So I come back to you because I'm encountering an issue with LDAP authentication on Strongswan.
below my /etc/freeradius/3.0/sites-enabled/default
Please don't post configuration pieces to the list. It's not necessary. ALL of the documentation says "don't post configuration files to the list".
When I try to connect from Strongswan following debug message is returned: ... (1) ldap: WARNING: You have set "Auth-Type := LDAP" somewhere (1) ldap: WARNING: ********************************************* (1) ldap: WARNING: * THAT CONFIGURATION IS WRONG. DELETE IT. (1) ldap: WARNING: * YOU ARE PREVENTING THE SERVER FROM WORKING (1) ldap: WARNING: ********************************************* (1) ldap: ERROR: Attribute "User-Password" is required for authentication
That seems pretty clear. You edited the default configuration and broke it. Don't do that.
According to "WARNING: You have set "Auth-Type := LDAP" somewhere", i've tried to remove it but radtest fails (ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject)
Because you *also* removed "eap" from the "authorize" section. Your first step when installing the server should NOT be to butcher the configuration files. The default configuration works. All of the documentation says BE CAREFUL WITH EDITING THE FILES. It really can't be any clearer. Go back to using the default configuration. Then, follow the documentation for configuring LDAP. It *will* work. Alan DeKok.
participants (2)
-
Alan DeKok -
Sébastien Genesta