FreeRadius 2.0.4 - problems with LDAP and Sonicwall...
I've been trying to get my freeradius server to work with an Netscape LDAP server and authenticate users when they connect via VPN to our Sonicwall gateway. I have set the Sonicwall as a client so the radius recognizes it and then adjusted the radiusd.conf. However, when I try to authenticate an LDAP user from the sonicwall it will say the authentication failed and the radius shows the following messages: ---------- (running in radiusd -X) User-Name = "testuser" User-Password = "testing" NAS-IP-Address = sonicwallIP NAS-Port = 0 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [testuser/testing] (from client sonicwall port 0) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> testuser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Waking up in 4.9 seconds. ---------- If I uncomment a local user account on the Radius box and then try authenticating from the Sonicwall with this it will succeed. It just doesn't seem to want to go to the LDAP server and then back to the Sonicwall. Has anyone had any experience with this sort of setup, and might be able to shed some light on how I can set it up to use LDAP for the authentication? -- View this message in context: http://www.nabble.com/FreeRadius-2.0.4---problems-with-LDAP-and-Sonicwall...... Sent from the FreeRadius - User mailing list archive at Nabble.com.
I don't see anything in the log here about ldap. It jumps from [logintime] to [pap]. Did you uncomment lines containing "ldap" in the sites-enabled/default file (in the authorize and authenticate sections)? Yancey On May 29, 2008, at 2:34 PM, aprotector wrote:
I've been trying to get my freeradius server to work with an Netscape LDAP server and authenticate users when they connect via VPN to our Sonicwall gateway. I have set the Sonicwall as a client so the radius recognizes it and then adjusted the radiusd.conf. However, when I try to authenticate an LDAP user from the sonicwall it will say the authentication failed and the radius shows the following messages:
---------- (running in radiusd -X)
User-Name = "testuser" User-Password = "testing" NAS-IP-Address = sonicwallIP NAS-Port = 0 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [testuser/testing] (from client sonicwall port 0) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> testuser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Waking up in 4.9 seconds.
----------
If I uncomment a local user account on the Radius box and then try authenticating from the Sonicwall with this it will succeed. It just doesn't seem to want to go to the LDAP server and then back to the Sonicwall. Has anyone had any experience with this sort of setup, and might be able to shed some light on how I can set it up to use LDAP for the authentication? -- View this message in context: http://www.nabble.com/FreeRadius-2.0.4---problems-with-LDAP-and-Sonicwall...... Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Y-OH-Y wrote:
Did you uncomment lines containing "ldap" in the sites-enabled/default file (in the authorize and authenticate sections)?
I'll take a look when I open it tomorrow. All of that is in the radiusd.conf file? Or is there more in users or one of the other conf files? aprotector On May 29, 2008, at 2:34 PM, aprotector wrote:
I've been trying to get my freeradius server to work with an Netscape LDAP server and authenticate users when they connect via VPN to our Sonicwall gateway. I have set the Sonicwall as a client so the radius recognizes it and then adjusted the radiusd.conf. However, when I try to authenticate an LDAP user from the sonicwall it will say the authentication failed and the radius shows the following messages:
---------- (running in radiusd -X)
User-Name = "testuser" User-Password = "testing" NAS-IP-Address = sonicwallIP NAS-Port = 0 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [testuser/testing] (from client sonicwall port 0) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> testuser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Waking up in 4.9 seconds.
----------
If I uncomment a local user account on the Radius box and then try authenticating from the Sonicwall with this it will succeed. It just doesn't seem to want to go to the LDAP server and then back to the Sonicwall. Has anyone had any experience with this sort of setup, and might be able to shed some light on how I can set it up to use LDAP for the authentication? -- View this message in context: http://www.nabble.com/FreeRadius-2.0.4---problems-with-LDAP-and-Sonicwall...... Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- View this message in context: http://www.nabble.com/FreeRadius-2.0.4---problems-with-LDAP-and-Sonicwall...... Sent from the FreeRadius - User mailing list archive at Nabble.com.
I'll take a look when I open it tomorrow. All of that is in the radiusd.conf file? Or is there more in users or one of the other conf files?
There is more in default virtual server. The fact that authenticate and authoriye sections are no longer in radiusd.conf is documented towards the end of the file (where those sections used to be). Last comment is "See "sites-enabled/default" for some additional documentation.". It's clear for those who bother to read. Ivan Kalik Kalik Informatika ISP
Yeah, totally missed that. Sorry. Finally I see a new message! Anything error is better than the other one. :) After I ran it this time from the Sonicwall with the LDAP user account it gave me: ----------- rlm_ldap: - authorize rlm_ldap: performing user authorization for testuser expand: (uid=%u) -> (uid=testuser) expand: o=notexist -> o=notexist rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as / to localhost:389 rlm_ldap: bind to localhost:389 failed: Can't contact LDAP server rlm_ldap: (re)connection attempt failed rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns fail Invalid user: [testuser/testing (from client sonicwall port 0) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> testuser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Waking up in 4.9 seconds. ----------- So it seems like it's stripping out the user properly where it has the name 'testuser' but then there is the o=notexist. Have I missed a configuration parameter where I'm setting the search base? -- View this message in context: http://www.nabble.com/FreeRadius-2.0.4---problems-with-LDAP-and-Sonicwall...... Sent from the FreeRadius - User mailing list archive at Nabble.com.
No, you've missed out letting the RADIUS server be allowed to talk to your LDAP server ... Or starting it at least .. :)
rlm_ldap: bind to localhost:389 failed: Can't contact LDAP server
If they can't talk, I don't think it'll matter much about anything else .. Now, don't take my word for it as I've never used FreeRadius with an LDAP server, but I think you may want that to start with .. //anders -----Original Message----- From: freeradius-users-bounces+anders.holm=sysadmin.ie@lists.freeradius.org [mailto:freeradius-users-bounces+anders.holm=sysadmin.ie@lists.freeradius.or g] On Behalf Of aprotector Sent: 30 May 2008 01:11 To: freeradius-users@lists.freeradius.org Subject: Re: FreeRadius 2.0.4 - problems with LDAP and Sonicwall... Yeah, totally missed that. Sorry. Finally I see a new message! Anything error is better than the other one. :) After I ran it this time from the Sonicwall with the LDAP user account it gave me: ----------- rlm_ldap: - authorize rlm_ldap: performing user authorization for testuser expand: (uid=%u) -> (uid=testuser) expand: o=notexist -> o=notexist rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as / to localhost:389 rlm_ldap: bind to localhost:389 failed: Can't contact LDAP server rlm_ldap: (re)connection attempt failed rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns fail Invalid user: [testuser/testing (from client sonicwall port 0) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> testuser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Waking up in 4.9 seconds. ----------- So it seems like it's stripping out the user properly where it has the name 'testuser' but then there is the o=notexist. Have I missed a configuration parameter where I'm setting the search base? -- View this message in context: http://www.nabble.com/FreeRadius-2.0.4---problems-with-LDAP-and-Sonicwall... -tp17544085p17548827.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
aprotector wrote:
I've been trying to get my freeradius server to work with an Netscape LDAP server and authenticate users when they connect via VPN to our Sonicwall gateway. I have set the Sonicwall as a client so the radius recognizes it and then adjusted the radiusd.conf. However, when I try to authenticate an LDAP user from the sonicwall it will say the authentication failed and the radius shows the following messages:
And no reference to "ldap".
+- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
So... you have a user in LDAP, and you didn't uncomment the references to "ldap" in the "authorize" section. i.e. you have a user in LDAP, and you didn't tell the server to look in the LDAP database.
If I uncomment a local user account on the Radius box and then try authenticating from the Sonicwall with this it will succeed. It just doesn't seem to want to go to the LDAP server and then back to the Sonicwall. Has anyone had any experience with this sort of setup, and might be able to shed some light on how I can set it up to use LDAP for the authentication?
$ grep ldap raddb/* raddb/*/* Read. Edit. Run. Alan DeKok.
participants (5)
-
Alan DeKok -
Anders Holm -
aprotector -
Ivan Kalik -
Yeargan Yancey