hello guys. I am configuring radius with ldap. The binding is succesfull, but when I try to radtest an existing user i get this error: (2) [logintime] = noop (2) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type (2) WARNING: pap : Authentication will fail unless a "known good" password is available (2) [pap] = noop (2) } # authorize = ok (2) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (2) Failed to authenticate the user ..with a rejected response. The user does exists in active directory. using : FreeRADIUS Version 3.0.4 radtest line: radtest xxxxxx1 xxxxxxx1 localhost 0 testing12 I keep reading not to set Auth-type and let the system do its thing. What am I missing? Thank you
Post all the debug, not just the bit that YOU think is important. What's your plan with this system? Users in AD - are you planning to use eg PEAP for wireless authentication? alan
Ready to process requests Received Access-Request Id 36 from 127.0.0.1:55677 to 127.0.0.1:1812 length 81 User-Name = 'yyyy1' User-Password = 'xxxx1' NAS-IP-Address = 10.0.45.44 NAS-Port = 0 Message-Authenticator = 0xd1c9ced51d4b2fb6529fcc61d622782c (0) Received Access-Request packet from host 127.0.0.1 port 55677, id=36, length=81 (0) User-Name = 'yyyy1' (0) User-Password = 'xxxx1' (0) NAS-IP-Address = 10.0.45.44 (0) NAS-Port = 0 (0) Message-Authenticator = 0xd1c9ced51d4b2fb6529fcc61d622782c (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) if (!&User-Name) (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\\.\\./ ) (0) if (&User-Name =~ /\\.\\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\\.$/) (0) if (&User-Name =~ /\\.$/) -> FALSE (0) if (&User-Name =~ /@\\./) (0) if (&User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : Checking for suffix after "@" (0) suffix : No '@' in User-Name = "yyyy1", looking up realm NULL (0) suffix : No such realm "NULL" (0) [suffix] = noop (0) eap : No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop (0) sql : EXPAND %{User-Name} (0) sql : --> yyyy1 (0) sql : SQL-User-Name set to 'yyyy1' rlm_sql (sql): Reserved connection (4) (0) sql : EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql : --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'yyyy1' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'yyyy1' ORDER BY id' (0) sql : EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (0) sql : --> SELECT groupname FROM radusergroup WHERE username = 'yyyy1' ORDER BY priority rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = 'yyyy1' ORDER BY priority' (0) sql : User not found in any groups rlm_sql (sql): Released connection (4) (0) [sql] = notfound rlm_ldap (ldap): Reserved connection (4) (0) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) ldap : --> (uid=yyyy1) (0) ldap : EXPAND dc=testtn,dc=com (0) ldap : --> dc=testtn,dc=com (0) ldap : Performing search in 'dc=testtn,dc=com' with filter '(uid=yyyy1)', scope 'sub' (0) ldap : Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldap:// ForestDnsZones.testtn.com/DC=ForestDnsZones,DC=testtn,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap:// DomainDnsZones.testtn.com/DC=DomainDnsZones,DC=testtn,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap:// testtn.com/CN=Configuration,DC=testtn,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (0) ldap : Search returned no results rlm_ldap (ldap): Deleting connection (4) (0) [ldap] = notfound (0) [expiration] = noop (0) [logintime] = noop (0) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type (0) WARNING: pap : Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) sql : EXPAND .query (0) sql : --> .query (0) sql : Using query template 'query' rlm_sql (sql): Reserved connection (4) (0) sql : EXPAND %{User-Name} (0) sql : --> yyyy1 (0) sql : SQL-User-Name set to 'yyyy1' (0) sql : EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (0) sql : --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'yyyy1', 'xxxx1', 'Access-Reject', '2016-08-25 09:56:07') rlm_sql (sql): Executing query: 'INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'yyyy1', 'xxxx1', 'Access-Reject', '2016-08-25 09:56:07')' rlm_sql (sql): Released connection (4) (0) [sql] = ok (0) attr_filter.access_reject : EXPAND %{User-Name} (0) attr_filter.access_reject : --> yyyy1 (0) attr_filter.access_reject : Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure (0) [eap] = noop (0) remove_reply_message_if_eap remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else else { (0) [noop] = noop (0) } # else else = noop (0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1 seconds Waking up in 0.9 seconds. (0) Sending delayed response (0) Sending Access-Reject packet to host 127.0.0.1 port 55677, id=36, length=0 Sending Access-Reject Id 36 from 127.0.0.1:1812 to 127.0.0.1:55677 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 36 with timestamp +12 Ready to process requests Right now I am trying to have a working instance of radius with ldap auth, but , yes I will be using PEAP for wireless authentication. Thank you
On Aug 25, 2016, at 10:07 AM, Roberto Rios <rrios@chattanooga.gov> wrote: Please *read* the debug log. All of it. ...
rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (0) ldap : Search returned no results
That should be easy enough to understand.
Right now I am trying to have a working instance of radius with ldap auth, but , yes I will be using PEAP for wireless authentication.
Ensure that the user is in LDAP. Ensure that the LDAP module configuration in FreeRADIUS is correct. The server prints out the LDAP search strings it's using for a reason. Please *read them*, and see if they make sense to you. If you're using Active Directory, use ntlm_auth to authenticate users. See http://deployingradius.com/documents/configuration/active_directory.html Alan DeKok.
the fact that binding AD with credentials give in ldap conf is succesful, does that not mean that radius and AD are already seeing each other. this is my ldap conf: # for the behavioral semantics of specifying more than one host. server = "10.0.43.1" # Port to connect on, defaults to 389. Setting this to 636 will enable # LDAPS if start_tls (see below) is not able to be used. port = 389 # Administrator account for searching and possibly modifying. identity = "cn=ldapradius1,ou=Admins,dc=xxxx,dc=xxx" password = xxxxx # Unless overridden in another section, the dn from which all # searches will start from. base_dn = "dc=xxxx,dc=xxx" everything else is set as default Thank you On Thu, Aug 25, 2016 at 11:07 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Aug 25, 2016, at 10:07 AM, Roberto Rios <rrios@chattanooga.gov> wrote:
Please *read* the debug log. All of it.
...
rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (0) ldap : Search returned no results
That should be easy enough to understand.
Right now I am trying to have a working instance of radius with ldap auth, but , yes I will be using PEAP for wireless authentication.
Ensure that the user is in LDAP. Ensure that the LDAP module configuration in FreeRADIUS is correct.
The server prints out the LDAP search strings it's using for a reason. Please *read them*, and see if they make sense to you.
If you're using Active Directory, use ntlm_auth to authenticate users. See http://deployingradius.com/documents/configuration/ active_directory.html
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Aug 25, 2016, at 1:29 PM, Roberto Rios <rrios@chattanooga.gov> wrote:
the fact that binding AD with credentials give in ldap conf is succesful, does that not mean that radius and AD are already seeing each other.
Yes. But it doesn't mean that LDAP is returning the users password to FreeRADIUS.
this is my ldap conf:
I didn't ask for that. Please pay attention. If your LDAP server is AD, then follow the guide I posted. Nothing else will fix the problem. Alan DeKok.
participants (3)
-
Alan Buxey -
Alan DeKok -
Roberto Rios