Active Directory authenticated VPN
Hello, I would like to set up VPN on a Samba DC (Debian Bullseye). I could set it up with ntlm_auth, but I read that ntlm_auth may serve about 30 request per second maximum, and uses smbv1. I would like to filter users by group or msNPAllowDialin AD property. I can use: winbind_username = "%{mschap:User-Name}" winbind_domain = "%{mschap:NT-Domain}" in mschap, but how I can filter users? Regards, Tamas.
On Apr 22, 2021, at 9:07 AM, Pisch Tamás <pischta@gmail.com> wrote:
I would like to set up VPN on a Samba DC (Debian Bullseye). I could set it up with ntlm_auth, but I read that ntlm_auth may serve about 30 request per second maximum, and uses smbv1. I would like to filter users by group or msNPAllowDialin AD property. I can use:
winbind_username = "%{mschap:User-Name}" winbind_domain = "%{mschap:NT-Domain}"
in mschap, but how I can filter users?
Use LDAP group checking. The "winbind" feature just does authentication. It doesn't do anything else. See the LDAP-Group documentation for how to use LDAP groups. In recent versions of the server, there are even pointers to this in mods-available/ldap Alan DeKok.
winbind_username = "%{mschap:User-Name}" winbind_domain = "%{mschap:NT-Domain}"
in mschap, but how I can filter users?
Use LDAP group checking. The "winbind" feature just does authentication. It doesn't do anything else.
I tried to implement this: https://wiki.samba.org/index.php/VPN_Single_SignOn_with_Samba_AD Do I need multiple items in the authenticate and the authorize section? Wouldn't be enough mschap for authentication (and I set winbind_username and winbind_domain in it), and ldap for authorization?
See the LDAP-Group documentation for how to use LDAP groups.
Where can I find it?
In recent versions of the server, there are even pointers to this in mods-available/ldap
I found a group section in the ldap module, but I would need help for that. How can I filter for vpnusers group? I tried to filter according to this: http://lists.freeradius.org/pipermail/freeradius-users/2016-December/085979.... group-authorization { if (&LDAP-Group[*] == "cn=vpnusers,cn=Users,dc=ad,dc=ourdomain,dc=hu") { ok } else { reject } } Now, I get error message, when I try to start the freeradius server: /etc/freeradius/3.0/mods-enabled/eap[14]: Failed to find 'Auth-Type EAP' section. Cannot authenticate users. /etc/freeradius/3.0/mods-enabled/eap[14]: Instantiation failed for module "eap" Before I made my last changes, it didn't complain about eap. Eap is not listed in my default server file. I removed it from the mods-enabled dir (but later I'm going to set up eduroam, and it will need EAP). I linked ldap into the mods-enabled. Now I get this error message: rlm_ldap (ldap): Bind with cn=vpn,dc=ad,dc=ourdomain,dc=hu to ldap://localhost:389 failed: Strong(er) authentication required rlm_ldap (ldap): Server said: BindSimple: Transport encryption required.. I started to create certificate, but when I run make, it misses password.mk file. I don't have it. How it looks like/how can I generate it? Regards, Tamas.
On Apr 26, 2021, at 2:58 AM, Pisch Tamás <pischta@gmail.com> wrote:
I tried to implement this: https://wiki.samba.org/index.php/VPN_Single_SignOn_with_Samba_AD
I really dislike guides like that style of guide. It tells you "make the config look like this", without saying *why*.
Do I need multiple items in the authenticate and the authorize section?
I would suggest understanding what the configuration does, and what you want to do. I will *not* be explaining that in detail on the mailing list. There are many, many, resources already available. i.e. start with the default configuration, and *read it*. The comments explain in great detail what each piece does.
Wouldn't be enough mschap for authentication (and I set winbind_username and winbind_domain in it), and ldap for authorization?
It depends on what you want to do.
See the LDAP-Group documentation for how to use LDAP groups.
Where can I find it?
The server comes with documentation, and there's a wiki. Please do a little bit of work.
In recent versions of the server, there are even pointers to this in mods-available/ldap
I found a group section in the ldap module, but I would need help for that. How can I filter for vpnusers group?
See the documentation that comes with the server.
I tried to filter according to this: http://lists.freeradius.org/pipermail/freeradius-users/2016-December/085979....
Hmm... Ignore the wiki, ignore the documentation. Just google for things until you stumble across a random post from 5 years ago. No, that is *not* the recommended approach.
Now, I get error message, when I try to start the freeradius server: /etc/freeradius/3.0/mods-enabled/eap[14]: Failed to find 'Auth-Type EAP' section. Cannot authenticate users. /etc/freeradius/3.0/mods-enabled/eap[14]: Instantiation failed for module "eap" Before I made my last changes, it didn't complain about eap.
What were those changes? Do you know? You *should* know.
Eap is not listed in my default server file. I removed it from the mods-enabled dir (but later I'm going to set up eduroam, and it will need EAP).
Then why delete all EAP from the default configuration? Honestly, this is just making work for yourself. You don't know what your requirements are. You don't know what the server does. You're making random changes to the config. Without understanding what they do. Just go back to the default configuration. It works. Then make SMALL changes. TEST THE CHANGES. It will work.
I linked ldap into the mods-enabled. Now I get this error message: rlm_ldap (ldap): Bind with cn=vpn,dc=ad,dc=ourdomain,dc=hu to ldap://localhost:389 failed: Strong(er) authentication required rlm_ldap (ldap): Server said: BindSimple: Transport encryption required.. I started to create certificate,
Why? You just need to enable TLS transport in the LDAP module. You don't necessarily need a client cert.
but when I run make, it misses password.mk file. I don't have it. How it looks like/how can I generate it?
There's no "password.mk" in the default configuration. I have no idea what you're doing here, or why. To be perfectly honest, your method of making changes is what's causing work for yourself. You're trying to configure a complex system by poking at pieces randomly. This just won't work. Alan DeKok.
Hi, I purged my configuration and started it again from the default state. The system is Debian Bullseye. dpkg --purge freeradius freeradius-ldap freeradius-krb5 freeradius-common freeradius-utils freeradius-config apt install freeradius freeradius-ldap freeradius-krb5 freeradius-common freeradius-utils freeradius-config mkdir /var/log/freeradius/radacct I've created vpn user before. I started the setup now according to this: https://wiki.freeradius.org/guide/freeradius-active-directory-integration-ho... ntlm_auth --request-nt-key --domain=ad --username=vpn OK. setfacl -m u:radiusd:rx /var/lib/samba/winbindd_privileged clients.conf: client localhost { ipaddr = 127.0.0.1 netmask = 32 secret = xyz shortname = localhost } mods-available-mschap: mschap { with_ntdomain_hack = yes ... winbind_username = "%{mschap:User-Name}" ##winbind_domain = "%{mschap:NT-Domain}" winbind_domain = "ad.ourdomain.hu" Why "%{mschap:NT-Domain}"doesn't work? mods-available/eap: default_eap_type = peap In tls-config tls-common { : random_file = /dev/urandom In the users file: bob Cleartext-Password := "asdfg", MS-CHAP-Use-NTLM-Auth := 0 Reply-Message := "Hello, %{User-Name}" Testing: radtest -x -t mschap vpn "qwert" localhost 0 asdfg Debug messages: (3) Received Access-Request Id 205 from 127.0.0.1:54834 to 127.0.0.1:1812 length 129 (3) User-Name = "vpn" (3) NAS-IP-Address = 1.2.3.4 (3) NAS-Port = 0 (3) Message-Authenticator = 0xd38e4b9f5882a26aac2b6c434193ce2c (3) MS-CHAP-Challenge = 0xf5cbfa7a17cd01a9 (3) MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000018e5b4331f9534d83e07def8a29c802dfd30a011e2e6224a (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (3) [mschap] = ok (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "vpn", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: No EAP-Message, not doing EAP (3) [eap] = noop (3) [files] = noop (3) [expiration] = noop (3) [logintime] = noop Not doing PAP as Auth-Type is already set. (3) [pap] = noop (3) } # authorize = ok (3) Found Auth-Type = mschap (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) authenticate { (3) mschap: Client is using MS-CHAPv1 with NT-Password (3) mschap: EXPAND %{mschap:User-Name} (3) mschap: --> vpn rlm_mschap (mschap): Reserved connection (7) (3) mschap: sending authentication request user='vpn' domain=' ad.ourdomain.hu' rlm_mschap (mschap): Released connection (7) Need 1 more connections to reach min connections (3) rlm_mschap (mschap): Opening additional connection (9), 1 of 30 pending slots used (3) mschap: Authenticated successfully (3) mschap: adding MS-CHAPv1 MPPE keys (3) [mschap] = ok (3) } # authenticate = ok Why vpn@ad.ourdomain.hu doesn't work? radtest -x -t mschap vpn@ad.ourdomain.hu "qwert" localhost 0 asdfg Debug messages: (4) Received Access-Request Id 203 from 127.0.0.1:34360 to 127.0.0.1:1812 length 145 (4) User-Name = "vpn@ad.ourdomain.hu" (4) NAS-IP-Address = 1.2.3.4 (4) NAS-Port = 0 (4) Message-Authenticator = 0x6f31019a0d498b004da273a6cdf4dae3 (4) MS-CHAP-Challenge = 0x0c602d2a989f07bd (4) MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000005fe2f91d70356771e4af8a27ddcfec463f235dfcf04e7e31 (4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (4) [mschap] = ok (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: Looking up realm "ad.ourdomain.hu" for User-Name = " vpn@ad.ourdomain.hu" (4) suffix: No such realm "ad.ourdomain.hu" (4) [suffix] = noop (4) eap: No EAP-Message, not doing EAP (4) [eap] = noop (4) [files] = noop (4) [expiration] = noop (4) [logintime] = noop Not doing PAP as Auth-Type is already set. (4) [pap] = noop (4) } # authorize = ok (4) Found Auth-Type = mschap (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) authenticate { (4) mschap: Client is using MS-CHAPv1 with NT-Password (4) mschap: EXPAND %{mschap:User-Name} (4) mschap: --> vpn@ad.ourdomain.hu rlm_mschap (mschap): Closing connection (8): Hit idle_timeout, was idle for 772 seconds rlm_mschap (mschap): You probably need to lower "min" rlm_mschap (mschap): Reserved connection (7) (4) mschap: sending authentication request user='vpn@ad.ourdomain.hu' domain='ad.ourdomain.hu' rlm_mschap (mschap): Released connection (7) Need 1 more connections to reach min connections (3) rlm_mschap (mschap): Opening additional connection (10), 1 of 30 pending slots used (4) mschap: ERROR: The specified account does not exist. [0xC0000064] (4) mschap: ERROR: MS-CHAP2-Response is incorrect (4) [mschap] = reject (4) } # authenticate = reject (4) Failed to authenticate the user Thanks, Tamas Pisch.
On Apr 28, 2021, at 3:51 AM, Pisch Tamás <pischta@gmail.com> wrote:
I purged my configuration and started it again from the default state. The system is Debian Bullseye.
That should work much better.
Why vpn@ad.ourdomain.hu doesn't work?
Because Active Directory is too dumb to notice that it's responsible for "ad.ourdomain.hu". The solution is two steps: 1) edit proxy.conf, and add: realm ad.ourdomain.hu { } That defines the domain as something that FreeRADIUS knows about. So that it will take "vpn@ad.ourdomain.hu", and split it into pieces. 2) set winbind_username = "%{%{Stripped-User-Name}:-%{mschap:User-Name}}" Which says "use the Stripped-User-Name ("vpn" here), and if that doesn't exist, use %{mschap:User-Name} That should work. Alan DeKok.
> > Why vpn@ad.ourdomain.hu doesn't work?
> Because Active Directory is too dumb to notice that it's responsible for
> "ad.ourdomain.hu".
> The solution is two steps:
> 1) edit proxy.conf, and add:
> realm ad.ourdomain.hu {
> }
> That defines the domain as something that FreeRADIUS knows about. So
> that it will take "vpn@ad.ourdomain.hu", and split it into pieces.
>
> 2) set
> winbind_username = "%{%{Stripped-User-Name}:-%{mschap:User-Name}}"
> Which says "use the Stripped-User-Name ("vpn" here), and if that doesn't
> exist, use %{mschap:User-Name}
>
Thanks, the authentication works now.
Next step would be the user filtering, based on vpnusers Active Directory
group. You said:
> You just need to enable TLS transport in the LDAP module. You don't
> necessarily need a client cert.
>
In the ldap module:
server=localhost
tls {
start_tls = yes
...
group {
membership_attribute = 'memberOf=CN=vpnusers,CN=Users,${base_dn})'
Then the freeradius server says:
rlm_ldap (ldap): Connecting to ldap://localhost:389
TLS: can't connect: (unknown error code).
rlm_ldap (ldap): Could not start TLS: Connect error
I ran certs/bootstrap
In radiusd.conf:
certdir = ${confdir}/certs
cadir = ${confdir} /certs
In the ldap module:
ca_file = ${certdir}/ca.pem
ca_path = ${certdir}
certificate_file = ${certdir}/server.crt
private_key_file = ${certdir}/server.key
random_file = /dev/urandom
Freeradius server:
TLS: could not use private key: The requested data were not available. (-56)
rlm_ldap (ldap): Failed setting connection option new TLS context: Unknown
error
Thanks,
Tamas.
On May 4, 2021, at 5:36 AM, Pisch Tamás <pischta@gmail.com> wrote:
Thanks, the authentication works now.
That's good.
membership_attribute = 'memberOf=CN=vpnusers,CN=Users,${base_dn})' Then the freeradius server says: rlm_ldap (ldap): Connecting to ldap://localhost:389 TLS: can't connect: (unknown error code). rlm_ldap (ldap): Could not start TLS: Connect error
Is the port even open? Does the LDAP server accept TLS connections? Does ldapsearch work? Does ldapsearch work with TLS? You can't just give up and go "there's an error, I don't know what else to do". You have to track down the source of the error. Find each piece of the problem, and test it individually. It's the only way to track down these kind of issues. Are you running a version of CentOS or RedHat with broken LDAP libraries? See http://packages.networkradius.com for more information.
I ran certs/bootstrap In radiusd.conf:
Those certs are for use with EAP, not with LDAP. Ignore them. Alan DeKok.
membership_attribute = 'memberOf=CN=vpnusers,CN=Users,${base_dn})' Then the freeradius server says: rlm_ldap (ldap): Connecting to ldap://localhost:389 TLS: can't connect: (unknown error code). rlm_ldap (ldap): Could not start TLS: Connect error
Is the port even open? Does the LDAP server accept TLS connections? Does ldapsearch work? Does ldapsearch work with TLS?
ldapsearch -D "admin@ad.ourdomain.hu" -b "dc=ad, dc=ourdomain, dc=hu" -h localhost -s sub "(samaccountname=admin)" ldap_bind: Strong(er) authentication required (8) additional info: BindSimple: Transport encryption required. kinit admin ldapsearch -b "dc=ad, dc=ourdomain, dc=hu" -H ldap://localhost -s sub "( samaccountname=admin)" -Y GSSAPI It works. I read a little about it, but I don't know, what I should configure for it. I set KRB5_CLIENT_KTNAME = /tmp/xyz (can I set it freely?) realm = 'AD.OURDOMAIN.HU' I noticed in the debug output of the freeradius server that it uses cached TLS settings. How can I get rid of them?
You can't just give up and go "there's an error, I don't know what else to do". You have to track down the source of the error.
You are right.
Find each piece of the problem, and test it individually. It's the only way to track down these kind of issues.
Surely, I don't understand very well this system. You said I have to read the documentation. Yes, I used to do it.
Are you running a version of CentOS or RedHat with broken LDAP libraries?
I use Debian Bullseye, Samba AD installed on it.
See http://packages.networkradius.com for more information.
Bullseye is not on that list, but freeradius-ldap 3.0.21 is installed for me.
Thanks, Tamas.
On May 4, 2021, at 10:32 AM, Pisch Tamás <pischta@gmail.com> wrote:
ldapsearch -D "admin@ad.ourdomain.hu" -b "dc=ad, dc=ourdomain, dc=hu" -h localhost -s sub "(samaccountname=admin)" ldap_bind: Strong(er) authentication required (8) additional info: BindSimple: Transport encryption required.
So... fix that. Get TLS transport working first with ldapsearch. Then, use the same configuration for FreeRADIUS.
kinit admin
ldapsearch -b "dc=ad, dc=ourdomain, dc=hu" -H ldap://localhost -s sub "( samaccountname=admin)" -Y GSSAPI It works. I read a little about it, but I don't know, what I should configure for it. I set KRB5_CLIENT_KTNAME = /tmp/xyz (can I set it freely?) realm = 'AD.OURDOMAIN.HU'
That's all ldap magic. We didn't write OpenLDAP or ldapsearch, so our help here is limited.
I noticed in the debug output of the freeradius server that it uses cached TLS settings. How can I get rid of them?
The debug output doesn't say that. You're probably confusing EAP-TLS debug output for LDAP debug output. They're very different. Both use TLS, but they're not the same. Alan DeKok.
So... fix that. Get TLS transport working first with ldapsearch. Then, use the same configuration for FreeRADIUS.
Another way is when I use GSSAPI, not TLS.
kinit admin
ldapsearch -b "dc=ad, dc=ourdomain, dc=hu" -H ldap://localhost -s sub "( samaccountname=admin)" -Y GSSAPI It works. I read a little about it, but I don't know, what I should configure for it. I set KRB5_CLIENT_KTNAME = /tmp/xyz (can I set it freely?) realm = 'AD.OURDOMAIN.HU'
That's all ldap magic. We didn't write OpenLDAP or ldapsearch, so our help here is limited.
I mean: I set KRB5_CLIENT_KTNAME and realm in the ldap module. Other changes in the ldap module: identity = 'cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu' password=… base_dn = 'dc=ad,dc=ourdomain,dc=hu' realm { mech = 'GSSAPI' KRB5_CLIENT_KTNAME = /tmp/freeradius_ktab realm = 'ad.ourdomain.hu' } Debug output: Wed May 5 16:06:54 2021 : Debug: rlm_ldap (ldap): Connecting to ldap://localhost:389 Wed May 5 16:06:54 2021 : Debug: rlm_ldap (ldap): New libldap handle 0x5603f6c668b0 Wed May 5 16:06:54 2021 : Debug: rlm_ldap (ldap): Starting SASL mech(s): GSSAPI SASL/GSSAPI authentication started Wed May 5 16:06:54 2021 : Debug: rlm_ldap (ldap): SASL challenge : Authorization Name Wed May 5 16:06:54 2021 : Debug: rlm_ldap (ldap): SASL prompt : Please enter your authorization name Wed May 5 16:06:54 2021 : Debug: rlm_ldap (ldap): SASL result : cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu Wed May 5 16:06:54 2021 : Error: rlm_ldap (ldap): Bind with cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu to ldap://localhost:389 failed: Local error But kinit Administrator works. Thanks, Tamas.
On May 5, 2021, at 10:24 AM, Pisch Tamás <pischta@gmail.com> wrote:
So... fix that. Get TLS transport working first with ldapsearch. Then, use the same configuration for FreeRADIUS.
Another way is when I use GSSAPI, not TLS.
So far as I know, the OpenLDAP client library doesn't support GSSAPI. If it does, then FreeRADIUS doesn't use it, because TLS is so much more common.
I mean: I set KRB5_CLIENT_KTNAME and realm in the ldap module. Other changes in the ldap module:
Just configure it as documented.
identity = 'cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu'
password=…
base_dn = 'dc=ad,dc=ourdomain,dc=hu' realm { mech = 'GSSAPI' KRB5_CLIENT_KTNAME = /tmp/freeradius_ktab realm = 'ad.ourdomain.hu' }
What is that? You can't just invent configuration sections and expect the server to magically understand what you want. There is nothing in the documentation which says that this "realm" subsection exists. Your choices are: a) use the documented configuration to connect FreeRADIUS to LDAP b) invent things, and don't have FreeRADIUS connect to LDAP. Alan DeKok.
On 5/5/21 4:43 PM, Alan DeKok wrote:
So far as I know, the OpenLDAP client library doesn't support GSSAPI.
Not true. It depends on whether it was built with Kerberos support (using MIT Kerberos or heimdal libs). I guess on most Linux systems libldap has SASL/GSSAPI support.
If it does, then FreeRADIUS doesn't use it, because TLS is so much more common.
I agree TLS is way more secure. Ciao, Michael.
On May 5, 2021, at 3:42 PM, Michael Ströder via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
On 5/5/21 4:43 PM, Alan DeKok wrote:
So far as I know, the OpenLDAP client library doesn't support GSSAPI.
Not true.
It depends on whether it was built with Kerberos support (using MIT Kerberos or heimdal libs). I guess on most Linux systems libldap has SASL/GSSAPI support.
The LDAP module already has a "sasl { .. .}" section. But anything GSSAPI is either unsupported, or is some magic part of sasl which I choose to ignore, because it's too complex. :) Alan DeKok.
On 5/5/21 9:48 PM, Alan DeKok wrote:
On May 5, 2021, at 3:42 PM, Michael Ströder via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
On 5/5/21 4:43 PM, Alan DeKok wrote:
So far as I know, the OpenLDAP client library doesn't support GSSAPI.
Not true.
It depends on whether it was built with Kerberos support (using MIT Kerberos or heimdal libs). I guess on most Linux systems libldap has SASL/GSSAPI support.
The LDAP module already has a "sasl { .. .}" section. But anything GSSAPI is either unsupported, or is some magic part of sasl which I choose to ignore, because it's too complex. :)
People who are really eager to use Kerberos could probably just set SASL mech GSSAPI and let libkrb5 do the work. Configuration can be done outside of FreeRADIUS with some env vars: https://web.mit.edu/kerberos/krb5-devel/doc/user/user_config/kerberos.html#e... Anyway it's harder to get this right (means secure) than using TLS. Ciao, Michael.
I mean: I set KRB5_CLIENT_KTNAME and realm in the ldap module. Other changes in the ldap module:
Just configure it as documented.
RTFM answers huts me. I try the best. If I set something wrong, please tell me. If I miss some settings, please tell me. That helps me. I *do* read the documentation.
identity = 'cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu'
password=…
base_dn = 'dc=ad,dc=ourdomain,dc=hu' realm { mech = 'GSSAPI' KRB5_CLIENT_KTNAME = /tmp/freeradius_ktab realm = 'ad.ourdomain.hu' } What is that? You can't just invent configuration sections and expect the server to magically understand what you want. There is nothing in the documentation which says that this "realm" subsection exists.
Sorry, it was wrong, it is sasl, and I used it correctly in the configuration file, I just wrote wrongly here. I don't insist on using sasl, TLS would be good. Some days ago ldapsearch didn't work with start_tls, but worked with GSSAPI, this is why I tried that direction. People who are really eager to use Kerberos could probably just set SASL
mech GSSAPI and let libkrb5 do the work. Configuration can be done outside of FreeRADIUS with some env vars:
https://web.mit.edu/kerberos/krb5-devel/doc/user/user_config/kerberos.html#e...
I've already read it. I know that I should set environmental variables. I tried KRB5_CONFIG, but krb5.conf didn't even appear in the freeradius debug output. I wrote the following into ldap.conf: TLS_CACERT /etc/ssl/certs/ca-certificates.crt BASE DC=AD,DC=OURDOMAIN,DC=HU TLS_REQCERT allow And ldapsearch works now: ldapsearch -h 127.0.0.1 -D "cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu" -W -b "dc=ad,dc=ourdomain,dc=hu" -s sub -x -ZZ -LLL "(cn=Administrator)" So, in ldap.conf I commented the sasl parameters, and enabled start_tls.I still need in the ldap module: identity = 'cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu' password = '...' freeradius starts, but when I try radtest -x -t mschap vpn@ad.ourdomain.hu "..." localhost 0 pwd in the freeradius debug output I see: Error: rlm_ldap (ldap): Bind with cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu to ldap://localhost:389 failed: Strong(er) authentication required Error: rlm_ldap (ldap): Server said: BindSimple: Transport encryption required.. Thanks, Tamas.
...
-----Oorspronkelijk bericht----- Van: Freeradius-Users And ldapsearch works now: ldapsearch -h 127.0.0.1 -D "cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu" -W -b "dc=ad,dc=ourdomain,dc=hu" -s sub -x -ZZ -LLL "(cn=Administrator)" So, in ldap.conf I commented the sasl parameters, and enabled start_tls.I still need in the ldap module: identity = 'cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu' password = '...' freeradius starts, but when I try radtest -x -t mschap vpn@ad.ourdomain.hu "..." localhost 0 pwd in the freeradius debug output I see: Error: rlm_ldap (ldap): Bind with cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu to ldap://localhost:389 failed: Strong(er) authentication required Error: rlm_ldap (ldap): Server said: BindSimple: Transport encryption required..
https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Di... I bet you forgot.. (in smb.con) ntlm auth = mschapv2-and-ntlmv2-only Needed in AD-DC's and the member running radius. Greetz, Louis
L.P.H. van Belle via Freeradius-Users <freeradius-users@lists.freeradius.org> ezt írta (időpont: 2021. máj. 6., Cs, 10:37):
...
-----Oorspronkelijk bericht----- Van: Freeradius-Users And ldapsearch works now: ldapsearch -h 127.0.0.1 -D "cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu" -W -b "dc=ad,dc=ourdomain,dc=hu" -s sub -x -ZZ -LLL "(cn=Administrator)" So, in ldap.conf I commented the sasl parameters, and enabled start_tls.I still need in the ldap module: identity = 'cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu' password = '...' freeradius starts, but when I try radtest -x -t mschap vpn@ad.ourdomain.hu "..." localhost 0 pwd in the freeradius debug output I see: Error: rlm_ldap (ldap): Bind with cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu to ldap://localhost:389 failed: Strong(er) authentication required Error: rlm_ldap (ldap): Server said: BindSimple: Transport encryption required..
https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Di...
I bet you forgot.. (in smb.con) ntlm auth = mschapv2-and-ntlmv2-only Needed in AD-DC's and the member running radius.
No, I've already set it. Thanks, Tamás.
You're using mixed citation from two different authors. Please cite correctly. On 5/6/21 10:28 AM, Pisch Tamás wrote:
Michael Ströder wrote:
People who are really eager to use Kerberos could probably just set SASL mech GSSAPI and let libkrb5 do the work. Configuration can be done outside of FreeRADIUS with some env vars:
https://web.mit.edu/kerberos/krb5-devel/doc/user/user_config/kerberos.html#e...
I've already read it. I know that I should set environmental variables. I tried KRB5_CONFIG, but krb5.conf didn't even appear in the freeradius debug output.
Because as Alan already said FreeRADIUS does not know anything about Kerberos. FYI: SASL and GSSAPI are two authentication abstraction layers. Mainly FreeRADIUS passes the SASL mech string as-is to libldap which invokes libsasl with the correct parameters. For SASL mech GSSAPI libsasl calls libgssapi_krb5 which calls libkrb5 which does the real work. You can try to set KRB5_TRACE to let libkrb5 write debug logs. Ciao, Michael.
Michael Ströder via Freeradius-Users <freeradius-users@lists.freeradius.org> ezt írta (időpont: 2021. máj. 6., Cs, 10:47):
You're using mixed citation from two different authors. Please cite correctly.
Ok, sorry.
On 5/6/21 10:28 AM, Pisch Tamás wrote:
Michael Ströder wrote:
People who are really eager to use Kerberos could probably just set SASL mech GSSAPI and let libkrb5 do the work. Configuration can be done outside of FreeRADIUS with some env vars:
https://web.mit.edu/kerberos/krb5-devel/doc/user/user_config/kerberos.html#e...
I've already read it. I know that I should set environmental variables. I tried KRB5_CONFIG, but krb5.conf didn't even appear in the freeradius debug output.
Because as Alan already said FreeRADIUS does not know anything about Kerberos.
FYI: SASL and GSSAPI are two authentication abstraction layers.
Mainly FreeRADIUS passes the SASL mech string as-is to libldap which invokes libsasl with the correct parameters. For SASL mech GSSAPI libsasl calls libgssapi_krb5 which calls libkrb5 which does the real work.
Great, thanks. I feel myself lost in a jungle. This is why I wrote to the list, and the read the documentation answer doesn't help me. Surely I could find these somewhere in the documentation someday, but concrete helps me a lot.
You can try to set KRB5_TRACE to let libkrb5 write debug logs.
Ok, I did it. When I use kinit, I can see messages in the log. When I start freeradius, nothing new appears in the log with tls { start_tls = no } sasl { mech = 'GSSAPI' realm = 'ad.ourdomain.hu' } I tried with start_tls again, with require_cert<-->= 'allow' But it didn't help. I still get "Strong(er) authentication required" message. Thanks, Tamás.
On 5/6/21 11:57 AM, Pisch Tamás wrote:
Michael Ströder via Freeradius-Users <freeradius-users@lists.freeradius.org>
Because as Alan already said FreeRADIUS does not know anything about Kerberos.
FYI: SASL and GSSAPI are two authentication abstraction layers.
Mainly FreeRADIUS passes the SASL mech string as-is to libldap which invokes libsasl with the correct parameters. For SASL mech GSSAPI libsasl calls libgssapi_krb5 which calls libkrb5 which does the real work.
I feel myself lost in a jungle.
That's understandable. It also took me a while to sort out all this years ago and I'm still learning every day.
You can try to set KRB5_TRACE to let libkrb5 write debug logs.
Ok, I did it. When I use kinit, I can see messages in the log. When I start freeradius, nothing new appears in the log with tls { start_tls = no } sasl { mech = 'GSSAPI' realm = 'ad.ourdomain.hu' }
Maybe that's a dead-end. I currently don't have the time to locally test something like this. And I'm rather reluctant to recommend Kerberos anyway.
I tried with start_tls again, with require_cert<-->= 'allow' But it didn't help. I still get "Strong(er) authentication required"
With former MS AD versions it was not possible to combine SASL/GSSAPI with TLS (either StartTLS or LDAPS). Not sure about the current state. In your former message you wrote that you've added LDAP settings to ldap.conf. Don't do that. I would highly recommend to add all LDAP settings in FreeRADIUS config (file raddb/mods-available/ldap) and nowhere else. Then you have one place where to look for config errors and the relevant settings will appear in the radiusd output. Furthermore I'd even recommend to start radiusd with env var LDAPNOINIT=1 to prevent libldap to automagically read ldap.conf. Here's a example config to be used for my Æ-DIR: https://gitlab.com/ae-dir/client-examples/-/blob/master/freeradius/ldap.simp... It should not be too difficult to change the parameters for MS AD. And then starting radiusd with option -X is your friend during testing. Ciao, Michael.
You can try to set KRB5_TRACE to let libkrb5 write debug logs.
Ok, I did it. When I use kinit, I can see messages in the log. When I start freeradius, nothing new appears in the log with tls { start_tls = no } sasl { mech = 'GSSAPI' realm = 'ad.ourdomain.hu' }
Maybe that's a dead-end. I currently don't have the time to locally test something like this. And I'm rather reluctant to recommend Kerberos anyway.
It's not a problem - if I can authorize with ldap-tls, it is enough for me. I just wrote two paralell thread: sasl and start_tls. But start_tls is enough for me, if it works. Maybe it is useful if I write down again my goal: I have a Samba based AD. I want to create road warrior vpn, with authentication and authorization from the AD. Alan said that the Samba howto isn't good, because it doesn't explain itself. Ok. But it describes the elements of the whole thing what I want to realize. In the past days I understood that I need RADIUS for the authentication (and it works with winbind_username and winbind_domain parameters set appropriately) and authorization. For authorization I need the ldap module. I accept other working solution too. This is, where I stuck. I don't insist on using sasl at all. I just want to make authorization work. Meanwhile I found SoftEther (with that, the second part of the Samba howto is not needed for me). It seems it can do the vpn part of the task, and it can use RADIUS (it can authenticate from AD directly, but I haven't found a way to restrict access to an AD group, so I still need RADIUS).
In your former message you wrote that you've added LDAP settings to ldap.conf. Don't do that.
I just wanted to test whether I can query LDAP with ldapsearch, I didn't want to link the two together.
Furthermore I'd even recommend to start radiusd with env var LDAPNOINIT=1 to prevent libldap to automagically read ldap.conf.
Ok, thanks.
Here's a example config to be used for my Æ-DIR:
https://gitlab.com/ae-dir/client-examples/-/blob/master/freeradius/ldap.simp...
I tried it, freeradius debug message: SASL/EXTERNAL authentication started Thu May 6 14:57:03 2021 : Error: rlm_ldap (ldap): Bind with cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu to ldaps://localhost:636 failed: Unknown authentication method
And then starting radiusd with option -X is your friend during testing.
Yes, I use it always. Thanks, Tamás.
On May 6, 2021, at 9:04 AM, Pisch Tamás <pischta@gmail.com> wrote:
I tried it, freeradius debug message: SASL/EXTERNAL authentication started Thu May 6 14:57:03 2021 : Error: rlm_ldap (ldap): Bind with cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu to ldaps://localhost:636 failed: Unknown authentication method
This message is *printed* by FreeRADIUS. The message comes from the LDAP server. Which means that SASL isn't supported. Alan DeKok.
On 5/6/21 3:04 PM, Pisch Tamás wrote:
https://gitlab.com/ae-dir/client-examples/-/blob/master/freeradius/ldap.simp...
I tried it, freeradius debug message: SASL/EXTERNAL authentication started Thu May 6 14:57:03 2021 : Error: rlm_ldap (ldap): Bind with cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu to ldaps://localhost:636 failed: Unknown authentication method
It seems you set SASL mech EXTERNAL. Don't do that if you want to use LDAP simple bind. Without seeing your config I can only guess though. Background: LDAP knows two different method for bind operation: 1. LDAP simple bind, mainly sends the bind-DN and password. As you can see in my ldap.simple-bind example file the line mech = 'EXTERNAL' is commented (disabled) and these lines are used for the simple bind: identity = 'uid=system_radiusd,ou=ae-dir' password = supersecret 2. LDAP SASL bind for which the message format and messages exchanged depend on the SASL mech used. Password-less mechs are e.g. EXTERNAL and GSSAPI. Sending a bind operation with SASL/EXTERNAL instructs the LDAP server to use authc credential information from a lower transport layer. IIRC MS AD and/or Samba4 do not support that. Typically SASL/EXTERNAL is used for authenticating with TLS client certs to the LDAP server as in this example file: https://gitlab.com/ae-dir/client-examples/-/blob/master/freeradius/ldap.sasl... I typically use the EAP-TLS server cert also as LDAP client cert which is directly mapped in Æ-DIR's config to the accompanying aeService entry (which is then authorized to search for users enabled for that service). No way to do things like that in MS AD/Samba4. See small description here: https://www.ae-dir.com/apps.html#wifi
And then starting radiusd with option -X is your friend during testing.
Yes, I use it always.
Good. Ciao, Michael.
On May 6, 2021, at 5:57 AM, Pisch Tamás <pischta@gmail.com> wrote:
Great, thanks. I feel myself lost in a jungle.
That's RADIUS. :( The problem with RADIUS isn't just RADIUS. Getting packets in and out of a server is fairly trivial. Doing everything people want is much harder. This situation is a good example. You want to use RADIUS, but that really means using LDAP, Kerberos, SASL, and GSSAPI. How do all those work together? I don't know, I've got way too many other things to remember. One of the main frustrations we see on the list is the attitude that "you wrote the RADIUS server, therefore you must understand how X works". Where X is something entirely unrelated to RADIUS. Some people have a very hard time understanding that we're not experts in all of the libraries used by FreeRADIUS, and all of the dozens of things we connect to, and all of the dozens of protocols used. Instead, we rely on the end users to figure out a good chunk of the rarely-used situations like this. Then, we rely on them to describe what they did. Either so that we can update the docs, or that they can supply a patch to update the docs. But as we see with the complaint the other day, some people are enthusiastic about laying blame, but are horrified at the thought of contributing. They have some narcissistic sense of entitlement, that they *deserve* a world-class product for free, and if it isn't perfect, they *deserve* to complain about it, and they expect me to be grateful for their feedback that "the documentation is crap". I have no patience (or respect) for that kind of abusive behavior. That's not what you're doing here, of course. But I thought it was worth pointing out that what's-his-name who complained pretty much proved my point that he would rather kill himself than contribute.
This is why I wrote to the list, and the read the documentation answer doesn't help me. Surely I could find these somewhere in the documentation someday, but concrete helps me a lot.
The documentation is full of concrete examples. Sadly, not this one. So... if you figure out it, PLEASE tell us, so we can document it, and no one else has to go through this pain.
You can try to set KRB5_TRACE to let libkrb5 write debug logs.
Ok, I did it. When I use kinit, I can see messages in the log. When I start freeradius, nothing new appears in the log with tls { start_tls = no } sasl { mech = 'GSSAPI' realm = 'ad.ourdomain.hu' } I tried with start_tls again, with require_cert<-->= 'allow' But it didn't help. I still get "Strong(er) authentication required" message.
So the issue is that your LDAP server doesn't do TLS, but something else. And then there's the issue of chaining together a complex solution of FreeRADIUS to libldap to SASL GSSAP to Kerberos, and finally to LDAP. Which explains why this isn't documented. Most people don't do it, because it's complex and fragile. Instead, just use TLS. Maybe issue a client certificate, and then configure FreeRADIUS to use that. That process is documented, tested, and works. The more complex the system, the more moving parts it has. And the more likely it is that one of the moving parts breaks, or just plain doesn't work. Sorry we can't help, but this is a rare situation, it's extremely complex, and few people have done this before. Which makes it difficult to give useful advice. Alan DeKok.
Alan DeKok <aland@deployingradius.com> ezt írta (időpont: 2021. máj. 6., Cs, 13:39):
On May 6, 2021, at 5:57 AM, Pisch Tamás <pischta@gmail.com> wrote:
Great, thanks. I feel myself lost in a jungle.
That's RADIUS. :(
Yes, I understood that not freeradius is complex, but RADIUS itself.
You want to use RADIUS, but that really means using LDAP, Kerberos, SASL, and GSSAPI. How do all those work together? I don't know, I've got way too many other things to remember.
Maybe my situation is not so complex. I explained it to Michael.
But as we see with the complaint the other day, some people are enthusiastic about laying blame, but are horrified at the thought of contributing.
Yes, I see.
The documentation is full of concrete examples. Sadly, not this one. So... if you figure out it, PLEASE tell us, so we can document it, and no one else has to go through this pain.
I found example for AD authentication. For authorization with group filtering - I don't remember (maybe there is, just I don't remember for it).
You can try to set KRB5_TRACE to let libkrb5 write debug logs.
Ok, I did it. When I use kinit, I can see messages in the log. When I start freeradius, nothing new appears in the log with tls { start_tls = no } sasl { mech = 'GSSAPI' realm = 'ad.ourdomain.hu' } I tried with start_tls again, with require_cert<-->= 'allow' But it didn't help. I still get "Strong(er) authentication required" message.
So the issue is that your LDAP server doesn't do TLS, but something else. And then there's the issue of chaining together a complex solution of FreeRADIUS to libldap to SASL GSSAP to Kerberos, and finally to LDAP.
Hope my situation isn't so complex, just the conversation went into the jungle... :) I got information privatelí about a samba setting: ldap server require strong aut It has options: yes/no/ allow_sasl_over_tls Default is yes. With 'no' the authentication and authorization works... with a little flaw: it accepts users who is not in vpnusers group. With 'yes', or with 'allow_sasl_over_tls' I get "Strong(er) authentication required". My questions are: -With this 'no' option is the ldap auth insecure? -Why group filtering doesn't work? With these settings in the ldap module: ldap{ server = 'localhost' identity = 'cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu' password = '...' base_dn = 'dc=ad,dc=ourdomain,dc=hu' group { membership_attribute = 'memberOf=CN=vpnusers,CN=Users,${base_dn})' } tls { start_tls = yes require_cert = 'allow' } } I tried to set up filtering according to https://wiki.freeradius.org/modules/Rlm_ldap Changes in ldap module: ldap{ groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))" membership_attribute = 'memberOf' In default site: authorize { ldap } post-auth { if (LDAP-Group == "CN=vpnusers") { noop } else { reject } } I tried the condition with if (LDAP-Group == "CN=vpnusers,CN=Users,DC=ad,DC=ourdomain,DC=hu") { but without success. Debug output: mschap: Authenticated successfully (0) mschap: adding MS-CHAPv1 MPPE keys (0) [mschap] = ok (0) } # authenticate = ok (0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (0) post-auth { (0) if (LDAP-Group == "CN=vpnusers") { (0) Searching for user in group "CN=vpnusers" rlm_ldap (ldap): Reserved connection (1) (0) EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) --> (uid=vpn) (0) Performing search in "dc=ad,dc=ourdomain,dc=hu" with filter "(uid=vpn)", scope "sub" (0) Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldap:// ad.ourdomain.hu/CN=Configuration,DC=ad,DC=ourdomain,DC=hu rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (0) Search returned no results I checked with ldapsearch: ldapsearch -x -b "cn=Users,dc=ad,dc=ourdomain,dc=hu" -D "cn=vpn,cn=Users,dc=ad,dc=ourdomain,dc=hu" -h localhost -W "(&(cn=vpnusers)(|(&(objectClass=group)(member=CN\3dvpn\2cCN\3dUsers\2cDC\3dad\2cDC\3dourdomain\2cDC\3dhu))))" It gives the vpnusers object as a result. Thanks, Tamás.
On 5/7/21 12:09 PM, Pisch Tamás wrote:
With 'no' the authentication and authorization works... with a little flaw: it accepts users who is not in vpnusers group.
Well, then start from this config.
With 'yes', or with 'allow_sasl_over_tls' I get "Strong(er) authentication required".
I guess authentication was not successful in this case because you don't use simple bind (see my last message).
With these settings in the ldap module: ldap{ server = 'localhost' identity = 'cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu' password = '...' base_dn = 'dc=ad,dc=ourdomain,dc=hu' group { membership_attribute = 'memberOf=CN=vpnusers,CN=Users,${base_dn})'
membership_attribute shall only contain an LDAP attribute name, e.g. 'memberOf' if appropriate in your deployment.
I tried to set up filtering according to https://wiki.freeradius.org/modules/Rlm_ldap Changes in ldap module: ldap{ groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))" membership_attribute = 'memberOf'
Note that 'memberOf' is a user attribute, not an attribute of the group entry. With the approach above you have to use membership_attribute = 'member'.
I checked with ldapsearch: ldapsearch -x -b "cn=Users,dc=ad,dc=ourdomain,dc=hu" -D "cn=vpn,cn=Users,dc=ad,dc=ourdomain,dc=hu" -h localhost -W "(&(cn=vpnusers)(|(&(objectClass=group)(member=CN\3dvpn\2cCN\3dUsers\2cDC\3dad\2cDC\3dourdomain\2cDC\3dhu))))" It gives the vpnusers object as a result.
Can't you see the difference? In the group filter you're correctly using attribute 'member' as assertion type, not 'memberOf'. Ciao, Michael.
Thanks for the clatification of the membership_attribute parameter. Now I understand its role. I changed it to member in my configuration, but the result is still the same, "Search returned no results". Thanks, Tamás. Michael Ströder via Freeradius-Users <freeradius-users@lists.freeradius.org> ezt írta (időpont: 2021. máj. 7., P, 12:57):
On 5/7/21 12:09 PM, Pisch Tamás wrote:
With 'no' the authentication and authorization works... with a little flaw: it accepts users who is not in vpnusers group.
Well, then start from this config.
With 'yes', or with 'allow_sasl_over_tls' I get "Strong(er) authentication required".
I guess authentication was not successful in this case because you don't use simple bind (see my last message).
With these settings in the ldap module: ldap{ server = 'localhost' identity = 'cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu' password = '...' base_dn = 'dc=ad,dc=ourdomain,dc=hu' group { membership_attribute = 'memberOf=CN=vpnusers,CN=Users,${base_dn})'
membership_attribute shall only contain an LDAP attribute name, e.g. 'memberOf' if appropriate in your deployment.
I tried to set up filtering according to https://wiki.freeradius.org/modules/Rlm_ldap Changes in ldap module: ldap{ groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))" membership_attribute = 'memberOf'
Note that 'memberOf' is a user attribute, not an attribute of the group entry.
With the approach above you have to use membership_attribute = 'member'.
I checked with ldapsearch: ldapsearch -x -b "cn=Users,dc=ad,dc=ourdomain,dc=hu" -D "cn=vpn,cn=Users,dc=ad,dc=ourdomain,dc=hu" -h localhost -W
"(&(cn=vpnusers)(|(&(objectClass=group)(member=CN\3dvpn\2cCN\3dUsers\2cDC\3dad\2cDC\3dourdomain\2cDC\3dhu))))"
It gives the vpnusers object as a result.
Can't you see the difference?
In the group filter you're correctly using attribute 'member' as assertion type, not 'memberOf'.
Ciao, Michael. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On May 7, 2021, at 7:34 AM, Pisch Tamás <pischta@gmail.com> wrote:
Thanks for the clatification of the membership_attribute parameter. Now I understand its role. I changed it to member in my configuration, but the result is still the same, "Search returned no results".
Then the configuration for the FreeRADIUS LDAP module is different from what you're using with ldapsearch. 3.0.18 and later have *detailed* instructions for how to use the LDAP module configuration in ldapsearch, and vice versa. It is just a matter of careful analysis, and cut & paste. Get ldapsearch working. Then use the instructions to copy that configuration to mods-available/ldap. It is that simple. Alan DeKok.
...and finally, it works, with these ldap settings: ldap { identity = 'cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu' password = '...' base_dn = 'cn=Users,dc=ad,dc=ourdomain,dc=hu' groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))" filter = "(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})" group { membership_attribute = 'memberOf' } tls { start_tls = yes require_cert = 'allow' } I noticed that in the user object there is memberOf attribute, but in the group object the attribute name is member... I also had to modify the filter, because in AD the attribute name is samaccountname instead of uid (yes, the configuration file mentions it). Thanks for everyone for the help and for the patience :) Thanks, Tamás. Alan DeKok <aland@deployingradius.com> ezt írta (időpont: 2021. máj. 7., P, 13:46):
On May 7, 2021, at 7:34 AM, Pisch Tamás <pischta@gmail.com> wrote:
Thanks for the clatification of the membership_attribute parameter. Now I understand its role. I changed it to member in my configuration, but the result is still the same, "Search returned no results".
Then the configuration for the FreeRADIUS LDAP module is different from what you're using with ldapsearch.
3.0.18 and later have *detailed* instructions for how to use the LDAP module configuration in ldapsearch, and vice versa. It is just a matter of careful analysis, and cut & paste.
Get ldapsearch working. Then use the instructions to copy that configuration to mods-available/ldap. It is that simple.
In the ldap module, there is a help for ldapsearch. For the user I substituted my parameters: ldapsearch -D 'cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu' -w '...' -h 'localhost' -b 'CN=vpn,CN=Users,dc=ad,dc=ourdomain,dc=hu' It gives the vpn user object. For the group I should expand it: ldapsearch -D 'cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu' -w '...' -h 'localhost' -b 'CN=vpn,CN=Users,dc=ad,dc=ourdomain,dc=hu' '(&(objectClass=user)(sAMAccountName=vpn)(memberof=CN=vpnusers,cn=Users,dc=ad,dc=ourdomain,dc=hu))' I noticed that users have memberof attribute, but in the group, users listed in member attribute.
Hi, Sorry, it's me again. As I mentioned, I set up SoftEther with RADIUS authentication. It works strangely. I can connect from Windows10 with the built-in client... *once*, and when I disconnect and try to connect again, I get "The PPP link control protocol was terminated" error. the recommended solution didn't work: https://docs.microsoft.com/en-us/troubleshoot/windows-client/networking/cann... Ok, I then tried the SoftEther client. It works if I write DEFAULT Auth-Type := LDAP in the users file. But when I try to connect with the built-in Windows client with this setting, on the server side I see a big warning: ldap: WARNING: You have set "Auth-Type := LDAP" somewhere (0) ldap: WARNING: ********************************************* (0) ldap: WARNING: * THAT CONFIGURATION IS WRONG. DELETE IT. (0) ldap: WARNING: * YOU ARE PREVENTING THE SERVER FROM WORKING (0) ldap: WARNING: ********************************************* (0) ldap: ERROR: Attribute "User-Password" is required for authentication Ok, I force the ldap auth, but without it, the authentication doesn't work. As I understand, Freeradius goes through on all methods until it finds one working. But without the mentioned default setting, it doesn't work. How can I use the SoftEther client without it? I can connect with it at least. According to the SoftEther documentation ( https://www.softether.org/4-docs/1-manual/2._SoftEther_VPN_Essential_Archite...) it uses PAP authentication, but I can establish the vpn only with forced LDAP authentication. Why? Thanks, Tamás.
On May 11, 2021, at 8:05 AM, Pisch Tamás <pischta@gmail.com> wrote:
Sorry, it's me again. As I mentioned, I set up SoftEther with RADIUS authentication. It works strangely. I can connect from Windows10 with the built-in client... *once*, and when I disconnect and try to connect again, I get "The PPP link control protocol was terminated" error. the recommended solution didn't work: https://docs.microsoft.com/en-us/troubleshoot/windows-client/networking/cann...
If only there was some kind of debug output you could look at, to see what the server is doing.
Ok, I then tried the SoftEther client. It works if I write DEFAULT Auth-Type := LDAP
Which forces ALL requests to use LDAP. This isn't what you want.
in the users file. But when I try to connect with the built-in Windows client with this setting, on the server side I see a big warning: ldap: WARNING: You have set "Auth-Type := LDAP" somewhere (0) ldap: WARNING: ********************************************* (0) ldap: WARNING: * THAT CONFIGURATION IS WRONG. DELETE IT. (0) ldap: WARNING: * YOU ARE PREVENTING THE SERVER FROM WORKING (0) ldap: WARNING: ********************************************* (0) ldap: ERROR: Attribute "User-Password" is required for authentication
See? It doesn't work.
Ok, I force the ldap auth, but without it, the authentication doesn't work.
The WHAT authentication doesn't work? VPN authentication? The solution to that is simple. Write a policy rule which detects VPN access, and then sets "Auth-Type := LDAP" for that. What is that policy supposed to be? We don't know. We don't have access to your VPN server, and you're not posting the debug output. You could also try reading sites-available/README. That explains how virtual servers work, in connection with clients. So you could set up one virtual server for VPN, and another virtual server for other clients.
As I understand, Freeradius goes through on all methods until it finds one working.
No.
But without the mentioned default setting, it doesn't work. How can I use the SoftEther client without it? I can connect with it at least. According to the SoftEther documentation ( https://www.softether.org/4-docs/1-manual/2._SoftEther_VPN_Essential_Archite...) it uses PAP authentication, but I can establish the vpn only with forced LDAP authentication. Why?
I have no idea. You're not posting the debug output, so we can't tell what's going on. If you're going to configure a complex system such as RADIUS, you'll need to understand it. It's not just "follow some docs and make random changes to the config". You have to understand the difference between PAP and MS-CHAP, along with a host of other issues. Alan DeKok.
Alan DeKok <aland@deployingradius.com> ezt írta (időpont: 2021. máj. 11., K, 14:15):
On May 11, 2021, at 8:05 AM, Pisch Tamás <pischta@gmail.com> wrote:
Sorry, it's me again. As I mentioned, I set up SoftEther with RADIUS authentication. It works strangely. I can connect from Windows10 with the built-in client... *once*, and when I disconnect and try to connect
again,
I get "The PPP link control protocol was terminated" error. the recommended solution didn't work:
https://docs.microsoft.com/en-us/troubleshoot/windows-client/networking/cann...
If only there was some kind of debug output you could look at, to see what the server is doing.
It seems the problem isn't on the Freeradius side, because it sends Access Accept response... I will try to find a solution for that.
Ok, I then tried the SoftEther client. It works if I write DEFAULT Auth-Type := LDAP
Which forces ALL requests to use LDAP. This isn't what you want.
in the users file. But when I try to connect with the built-in Windows client with this setting, on the server side I see a big warning: ldap: WARNING: You have set "Auth-Type := LDAP" somewhere (0) ldap: WARNING: ********************************************* (0) ldap: WARNING: * THAT CONFIGURATION IS WRONG. DELETE IT. (0) ldap: WARNING: * YOU ARE PREVENTING THE SERVER FROM WORKING (0) ldap: WARNING: ********************************************* (0) ldap: ERROR: Attribute "User-Password" is required for authentication
See? It doesn't work.
Ok, I force the ldap auth, but without it, the authentication doesn't work. The WHAT authentication doesn't work? VPN authentication?
When I connect with the Win10 built-in VPN client, it uses MSCHAP-v2. The Softether client uses PAP. Both client initiate VPN connection.
The solution to that is simple. Write a policy rule which detects VPN access, and then sets "Auth-Type := LDAP" for that.
What is that policy supposed to be? We don't know. We don't have access to your VPN server, and you're not posting the debug output.
I examined the outputs. When I force the auth type in the users (=authorize) file, Freeradius uses files: (0) suffix: Authentication realm is LOCAL (0) [suffix] = ok (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop rlm_ldap (ldap): Reserved connection (0) (0) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}}) (0) ldap: --> (samaccountname=vpn) (0) ldap: Performing search in "cn=Users,dc=ad,dc=ourdomain,dc=hu" with filter "(samaccountname=vpn)", scope "sub" (0) ldap: Waiting for search result... (0) ldap: User object found at DN "CN=vpn,CN=Users,DC=ad,DC=ourdomain,DC=hu" (0) ldap: Processing user attributes (0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Released connection (0) Need 5 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldap://localhost:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (0) [ldap] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user When I enable ldap in the authorize section of the default site, and don't use default auth-type in users, the debug output is different: (0) suffix: Authentication realm is LOCAL (0) [suffix] = ok (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop rlm_ldap (ldap): Reserved connection (0) (0) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}}) (0) ldap: --> (samaccountname=vpn) (0) ldap: Performing search in "cn=Users,dc=ad,dc=ourdomain,dc=hu" with filter "(samaccountname=vpn)", scope "sub" (0) ldap: Waiting for search result... (0) ldap: User object found at DN "CN=vpn,CN=Users,DC=ad,DC=ourdomain,DC=hu" (0) ldap: Processing user attributes (0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Released connection (0) Need 5 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldap://localhost:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (0) [ldap] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user It doesn't use files. What is the difference between the two? When I use ldap in the default site for authorization, it doesn't work, but when I force the ldap in the users (authorize), it works. Thanks, Tamás.
I found the solution, you answered it there: http://lists.freeradius.org/pipermail/freeradius-users/2016-September/084737... But my question remains from my previous letter: why freeradius cannot use ldap without it, when I try to use pap? Thanks, Tamás. Pisch Tamás <pischta@gmail.com> ezt írta (időpont: 2021. máj. 12., Sze, 11:19):
Alan DeKok <aland@deployingradius.com> ezt írta (időpont: 2021. máj. 11., K, 14:15):
On May 11, 2021, at 8:05 AM, Pisch Tamás <pischta@gmail.com> wrote:
Sorry, it's me again. As I mentioned, I set up SoftEther with RADIUS authentication. It works strangely. I can connect from Windows10 with
the
built-in client... *once*, and when I disconnect and try to connect again, I get "The PPP link control protocol was terminated" error. the recommended solution didn't work:
https://docs.microsoft.com/en-us/troubleshoot/windows-client/networking/cann...
If only there was some kind of debug output you could look at, to see what the server is doing.
It seems the problem isn't on the Freeradius side, because it sends Access Accept response... I will try to find a solution for that.
Ok, I then tried the SoftEther client. It works if I write DEFAULT Auth-Type := LDAP
Which forces ALL requests to use LDAP. This isn't what you want.
in the users file. But when I try to connect with the built-in Windows client with this setting, on the server side I see a big warning: ldap: WARNING: You have set "Auth-Type := LDAP" somewhere (0) ldap: WARNING: ********************************************* (0) ldap: WARNING: * THAT CONFIGURATION IS WRONG. DELETE IT. (0) ldap: WARNING: * YOU ARE PREVENTING THE SERVER FROM WORKING (0) ldap: WARNING: ********************************************* (0) ldap: ERROR: Attribute "User-Password" is required for authentication
See? It doesn't work.
Ok, I force the ldap auth, but without it, the authentication doesn't work. The WHAT authentication doesn't work? VPN authentication?
When I connect with the Win10 built-in VPN client, it uses MSCHAP-v2. The Softether client uses PAP. Both client initiate VPN connection.
The solution to that is simple. Write a policy rule which detects VPN access, and then sets "Auth-Type := LDAP" for that.
What is that policy supposed to be? We don't know. We don't have access to your VPN server, and you're not posting the debug output.
I examined the outputs. When I force the auth type in the users (=authorize) file, Freeradius uses files:
(0) suffix: Authentication realm is LOCAL (0) [suffix] = ok (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop rlm_ldap (ldap): Reserved connection (0) (0) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}}) (0) ldap: --> (samaccountname=vpn) (0) ldap: Performing search in "cn=Users,dc=ad,dc=ourdomain,dc=hu" with filter "(samaccountname=vpn)", scope "sub" (0) ldap: Waiting for search result... (0) ldap: User object found at DN "CN=vpn,CN=Users,DC=ad,DC=ourdomain ,DC=hu" (0) ldap: Processing user attributes (0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Released connection (0) Need 5 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldap://localhost:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (0) [ldap] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user
When I enable ldap in the authorize section of the default site, and don't use default auth-type in users, the debug output is different:
(0) suffix: Authentication realm is LOCAL (0) [suffix] = ok (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop rlm_ldap (ldap): Reserved connection (0) (0) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}}) (0) ldap: --> (samaccountname=vpn) (0) ldap: Performing search in "cn=Users,dc=ad,dc=ourdomain,dc=hu" with filter "(samaccountname=vpn)", scope "sub" (0) ldap: Waiting for search result... (0) ldap: User object found at DN "CN=vpn,CN=Users,DC=ad,DC=ourdomain,DC=hu" (0) ldap: Processing user attributes (0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Released connection (0) Need 5 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldap://localhost:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (0) [ldap] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user
It doesn't use files. What is the difference between the two? When I use ldap in the default site for authorization, it doesn't work, but when I force the ldap in the users (authorize), it works.
Thanks,
Tamás.
participants (4)
-
Alan DeKok -
L.P.H. van Belle -
Michael Ströder -
Pisch Tamás