Re: Problems to authenticate against an Azure AD -Ldap
Hi, so i changed like in the description, see the Text below, and it workes fine with eap-tool, but when i try to use from an AP with the same user that works with the eapool i got foloowing message: (17) State = 0xc49a7b91c0156ec00a1a15f1faab1856 (17) Message-Authenticator = 0xfcd8e560453c0793ff01f894937ed387 (17) session-state: No cached attributes (17) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default-khs (17) authorize { (17) policy filter_username { (17) if (&User-Name) { (17) if (&User-Name) -> TRUE (17) if (&User-Name) { (17) if (&User-Name =~ / /) { (17) if (&User-Name =~ / /) -> FALSE (17) if (&User-Name =~ /@[^@]*@/ ) { (17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (17) if (&User-Name =~ /\.\./ ) { (17) if (&User-Name =~ /\.\./ ) -> FALSE (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (17) if (&User-Name =~ /\.$/) { (17) if (&User-Name =~ /\.$/) -> FALSE (17) if (&User-Name =~ /@\./) { (17) if (&User-Name =~ /@\./) -> FALSE (17) } # if (&User-Name) = notfound (17) } # policy filter_username = notfound (17) suffix: Checking for suffix after "@" (17) suffix: Looking up realm "karlshochschule.de" for User-Name = "testuser@karlshochschule.de" (17) suffix: Found realm "karlshochschule.de" (17) suffix: Adding Stripped-User-Name = "testuser" (17) suffix: Adding Realm = "karlshochschule.de" (17) suffix: Authentication realm is LOCAL (17) [suffix] = ok (17) if (!&Realm) { (17) if (!&Realm) -> FALSE (17) eap: Peer sent EAP Response (code 2) ID 143 length 79 (17) eap: Continuing tunnel setup (17) [eap] = ok (17) } # authorize = ok (17) Found Auth-Type = eap (17) # Executing group from file /etc/freeradius/3.0/sites-enabled/default-khs (17) authenticate { (17) eap: Expiring EAP session with state 0xc49a7b91c0156ec0 (17) eap: Finished EAP session with state 0xc49a7b91c0156ec0 (17) eap: Previous EAP request found for state 0xc49a7b91c0156ec0, released from the list (17) eap: Peer sent packet with method EAP TTLS (21) (17) eap: Calling submodule eap_ttls to process data (17) eap_ttls: Authenticate (17) eap_ttls: Continuing EAP-TLS (17) eap_ttls: Peer indicated complete TLS record size will be 69 bytes (17) eap_ttls: Got complete TLS record (69 bytes) (17) eap_ttls: [eaptls verify] = length included (17) eap_ttls: [eaptls process] = ok (17) eap_ttls: Session established. Proceeding to decode tunneled attributes (17) eap_ttls: Got tunneled request (17) eap_ttls: EAP-Message = 0x02000020017465737475736572406b61726c73686f6368736368756c652e6465 (17) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1 (17) eap_ttls: Got tunneled identity of testuser@karlshochschule.de (17) eap_ttls: Setting default EAP type for tunneled EAP session (17) eap_ttls: Sending tunneled request (17) Virtual server inner-tunnel received request (17) EAP-Message = 0x02000020017465737475736572406b61726c73686f6368736368756c652e6465 (17) FreeRADIUS-Proxied-To = 127.0.0.1 (17) User-Name = "testuser@karlshochschule.de" (17) WARNING: Outer and inner identities are the same. User privacy is compromised. (17) server inner-tunnel { (17) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-khs (17) authorize { (17) policy filter_username { (17) if (&User-Name) { (17) if (&User-Name) -> TRUE (17) if (&User-Name) { (17) if (&User-Name =~ / /) { (17) if (&User-Name =~ / /) -> FALSE (17) if (&User-Name =~ /@[^@]*@/ ) { (17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (17) if (&User-Name =~ /\.\./ ) { (17) if (&User-Name =~ /\.\./ ) -> FALSE (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (17) if (&User-Name =~ /\.$/) { (17) if (&User-Name =~ /\.$/) -> FALSE (17) if (&User-Name =~ /@\./) { (17) if (&User-Name =~ /@\./) -> FALSE (17) } # if (&User-Name) = notfound (17) } # policy filter_username = notfound (17) suffix: Checking for suffix after "@" (17) suffix: Looking up realm "karlshochschule.de" for User-Name = "testuser@karlshochschule.de" (17) suffix: Found realm "karlshochschule.de" (17) suffix: Adding Stripped-User-Name = "testuser" (17) suffix: Adding Realm = "karlshochschule.de" (17) suffix: Authentication realm is LOCAL (17) [suffix] = ok (17) update control { (17) &Proxy-To-Realm := LOCAL (17) } # update control = noop rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 227 seconds rlm_ldap (ldap): You probably need to lower "min" ldap_free_connection 1 1 ldap_send_unbind ldap_free_connection: actually freed rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for 227 seconds rlm_ldap (ldap): You probably need to lower "min" ldap_free_connection 1 1 ldap_send_unbind ldap_free_connection: actually freed rlm_ldap (ldap): Closing connection (0): Hit idle_timeout, was idle for 224 seconds rlm_ldap (ldap): You probably need to lower "min" ldap_free_connection 1 1 ldap_send_unbind ldap_free_connection: actually freed rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 170 seconds rlm_ldap (ldap): You probably need to lower "min" ldap_free_connection 1 1 ldap_send_unbind ldap_free_connection: actually freed rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 170 seconds rlm_ldap (ldap): You probably need to lower "min" ldap_free_connection 1 1 ldap_send_unbind ldap_free_connection: actually freed rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare" rlm_ldap (ldap): Opening additional connection (5), 1 of 10 pending slots used rlm_ldap (ldap): Connecting to ldaps://ldap.karlshochschule.de:636 ldap_create ldap_url_parse_ext(ldaps://ldap.karlshochschule.de:636) TLS: warning: cacertdir not implemented for gnutls ldap_bind ldap_simple_bind ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP ldap.karlshochschule.de:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 20.79.97.218:636 ldap_pvt_connect: fd: 3 tm: 10 async: 0 ldap_ndelay_on: 3 attempting to connect: connect errno: 115 ldap_int_poll: fd: 3 tm: 10 ldap_is_sock_ready: 3 ldap_ndelay_off: 3 ldap_pvt_connect: 0 ldap_open_defconn: successful ldap_send_server_request rlm_ldap (ldap): Waiting for bind result... ldap_result ld 0x555727575600 msgid 1 wait4msg ld 0x555727575600 msgid 1 (timeout 20000000 usec) wait4msg continue ld 0x555727575600 msgid 1 all 1 ** ld 0x555727575600 Connections: * host: ldap.karlshochschule.de port: 636 (default) refcnt: 2 status: Connected last used: Mon Oct 2 10:48:04 2023 ** ld 0x555727575600 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ld 0x555727575600 request count 1 (abandoned 0) ** ld 0x555727575600 Response Queue: Empty ld 0x555727575600 response count 0 ldap_chkResponseList ld 0x555727575600 msgid 1 all 1 ldap_chkResponseList returns ld 0x555727575600 NULL ldap_int_select read1msg: ld 0x555727575600 msgid 1 all 1 read1msg: ld 0x555727575600 msgid 1 message type bind read1msg: ld 0x555727575600 0 new referrals read1msg: mark request completed, ld 0x555727575600 msgid 1 request done: ld 0x555727575600 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_parse_result ldap_msgfree rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Reserved connection (5) (17) ldap: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}}) (17) ldap: --> (cn=testuser) (17) ldap: Performing search in "OU=AADDC Users,dc=karlshochschule,dc=de" with filter "(cn=testuser)", scope "sub" ldap_search_ext put_filter: "(cn=testuser)" put_filter: simple put_simple_filter: "cn=testuser" ldap_build_search_req ATTRS: userPassword ntPassword ldap_send_initial_request ldap_send_server_request (17) ldap: Waiting for search result... ldap_result ld 0x555727575600 msgid 2 wait4msg ld 0x555727575600 msgid 2 (timeout 20000000 usec) wait4msg continue ld 0x555727575600 msgid 2 all 1 ** ld 0x555727575600 Connections: * host: ldap.karlshochschule.de port: 636 (default) refcnt: 2 status: Connected last used: Mon Oct 2 10:48:04 2023 ** ld 0x555727575600 Outstanding Requests: * msgid 2, origid 2, status InProgress outstanding referrals 0, parent count 0 ld 0x555727575600 request count 1 (abandoned 0) ** ld 0x555727575600 Response Queue: Empty ld 0x555727575600 response count 0 ldap_chkResponseList ld 0x555727575600 msgid 2 all 1 ldap_chkResponseList returns ld 0x555727575600 NULL ldap_int_select read1msg: ld 0x555727575600 msgid 2 all 1 read1msg: ld 0x555727575600 msgid 2 message type search-entry read1msg: ld 0x555727575600 msgid 2 message type search-result read1msg: ld 0x555727575600 0 new referrals read1msg: mark request completed, ld 0x555727575600 msgid 2 request done: ld 0x555727575600 msgid 2 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 2, msgid 2) adding response ld 0x555727575600 msgid 2 type 101: ldap_parse_result ldap_get_dn (17) ldap: User object found at DN "CN=testuser,OU=AADDC Users,DC=karlshochschule,DC=de" (17) ldap: Processing user attributes ldap_get_values_len ldap_get_values_len (17) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (17) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) ldap_msgfree rlm_ldap (ldap): Released connection (5) Need 4 more connections to reach min connections (5) rlm_ldap (ldap): Opening additional connection (6), 1 of 9 pending slots used rlm_ldap (ldap): Connecting to ldaps://ldap.karlshochschule.de:636 ldap_create ldap_url_parse_ext(ldaps://ldap.karlshochschule.de:636) TLS: warning: cacertdir not implemented for gnutls ldap_bind ldap_simple_bind ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP ldap.karlshochschule.de:636 ldap_new_socket: 4 ldap_prepare_socket: 4 ldap_connect_to_host: Trying 20.79.97.218:636 ldap_pvt_connect: fd: 4 tm: 10 async: 0 ldap_ndelay_on: 4 attempting to connect: connect errno: 115 ldap_int_poll: fd: 4 tm: 10 ldap_is_sock_ready: 4 ldap_ndelay_off: 4 ldap_pvt_connect: 0 ldap_open_defconn: successful ldap_send_server_request rlm_ldap (ldap): Waiting for bind result... ldap_result ld 0x5557273b7d10 msgid 1 wait4msg ld 0x5557273b7d10 msgid 1 (timeout 20000000 usec) wait4msg continue ld 0x5557273b7d10 msgid 1 all 1 ** ld 0x5557273b7d10 Connections: * host: ldap.karlshochschule.de port: 636 (default) refcnt: 2 status: Connected last used: Mon Oct 2 10:48:04 2023 ** ld 0x5557273b7d10 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ld 0x5557273b7d10 request count 1 (abandoned 0) ** ld 0x5557273b7d10 Response Queue: Empty ld 0x5557273b7d10 response count 0 ldap_chkResponseList ld 0x5557273b7d10 msgid 1 all 1 ldap_chkResponseList returns ld 0x5557273b7d10 NULL ldap_int_select read1msg: ld 0x5557273b7d10 msgid 1 all 1 read1msg: ld 0x5557273b7d10 msgid 1 message type bind read1msg: ld 0x5557273b7d10 0 new referrals read1msg: mark request completed, ld 0x5557273b7d10 msgid 1 request done: ld 0x5557273b7d10 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_parse_result ldap_msgfree rlm_ldap (ldap): Bind successful (17) [ldap] = ok (17) if ((ok || updated) && User-Password && !control:Auth-Type) { (17) if ((ok || updated) && User-Password && !control:Auth-Type) -> FALSE (17) } # authorize = ok (17) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (17) Failed to authenticate the user (17) Using Post-Auth-Type Reject (17) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-khs (17) Post-Auth-Type REJECT { (17) inner_tunnel_linelog: EXPAND messages.%{%{reply:Packet-Type}:-default} (17) inner_tunnel_linelog: --> messages.Access-Reject (17) inner_tunnel_linelog: EXPAND Login incorrect: [%{User-Name}] (%{request:Module-Failure-Message}) (cli %{outer.request:Calling-Station-Id} via TLS tunnel) (17) inner_tunnel_linelog: --> Login incorrect: [testuser@karlshochschule.de] (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject) (cli 90-9C-4A-B9-FD-41 via TLS tunnel) (17) [inner_tunnel_linelog] = ok (17) attr_filter.access_reject: EXPAND %{User-Name} (17) attr_filter.access_reject: --> testuser@karlshochschule.de (17) attr_filter.access_reject: Matched entry DEFAULT at line 11 (17) [attr_filter.access_reject] = updated (17) update outer.session-state { (17) &Module-Failure-Message := &request:Module-Failure-Message -> 'No Auth-Type found: rejecting the user via Post-Auth-Type = Reject' (17) } # update outer.session-state = noop (17) } # Post-Auth-Type REJECT = updated (17) EXPAND badpass (17) --> badpass (17) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [testuser/<no User-Password attribute>] (from client 10.09.9.240 port 0 via TLS tunnel) badpass (17) } # server inner-tunnel (17) Virtual server sending reply (17) eap_ttls: Got tunneled Access-Reject (17) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed (17) eap: Sending EAP Failure (code 4) ID 143 length 4 (17) eap: Failed in EAP select (17) [eap] = invalid (17) } # authenticate = invalid (17) Failed to authenticate the user (17) Using Post-Auth-Type Reject (17) # Executing group from file /etc/freeradius/3.0/sites-enabled/default-khs *********************************************************************** ldap { server = 'ldaps://ldap.karlshochschule.de' port = 636 identity = 'CN=Bind User,OU=AADDC Users,dc=karlshochschule,dc=de' password = password base_dn = 'OU=AADDC Users,dc=karlshochschule,dc=de' user { preprocess suffix base_dn = "${..base_dn}" filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" } update { control:Password-With-Header += 'userPassword' control:NT-Password := 'ntPassword' } post-auth { update { description := "Authenticated at %S" } } options { ldap_debug = 0xFFFF } tls { ca_file = /etc/ssl/certs/ca-certificates.crt ca_path = /etc/ssl/certs/ certificate_file = /etc/ssl/private/rad-ka-swlan.karlshochschule.de.crt private_key_file = /etc/ssl/private/rad-ka-swlan.karlshochschule.de.key } } ************************************************************************ eap { default_eap_type = ttls max_sessions = ${max_requests} tls-config tls-common { #certificate_file = ${certdir}/name-of-certificate-file.pem #private_key_file = ${certdir}/name-of-private-key-file.key #dh_file = ${certdir}/dh certificate_file = /etc/ssl/private/rad-ka-swlan.karlshochschule.de.crt private_key_file = /etc/ssl/private/rad-ka-swlan.karlshochschule.de.key ca_file = /etc/ssl/certs/ca-certificates.crt cipher_list = "DEFAULT !kRSA !PSK !SRP !SSLv3" ecdh_curve = "" } ttls { tls = tls-common virtual_server = inner-tunnel } peap { tls = tls-common virtual_server = inner-tunnel } } *********************************************************************** server inner-tunnel { authorize { filter_username suffix update control { &Proxy-To-Realm := LOCAL } ldap if ((ok || updated) && User-Password && !control:Auth-Type) { update { control:Auth-Type := ldap } } } authenticate { Auth-Type MS-CHAP { mschap } Auth-Type LDAP { ldap } } post-auth { inner_tunnel_linelog Post-Auth-Type REJECT { inner_tunnel_linelog attr_filter.access_reject update outer.session-state { &Module-Failure-Message := &request:Module-Failure-Message } ********************************************************************************************************** server default { listen { type = auth ipv4addr = * port = 0 } authorize { filter_username suffix if (!&Realm) { reject } eap { ok = return } } authenticate { eap } post-auth { if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { update reply { &User-Name !* ANY } } update { &reply: += &session-state: } outer_linelog remove_reply_message_if_eap Post-Auth-Type REJECT { outer_linelog attr_filter.access_reject eap remove_reply_message_if_eap } } pre-proxy { } post-proxy { eap } } *******************************************************************************************************************************
Post TEXT to the mailing list. The list manager strips attachments, because too many people were posting 10M images of screen shots of the debug output. Or posting 100K of debug output in HTML, which then turned into megabytes of nonsense. If your email system wraps the email in layer after layer of obfuscation, the images / html / RTF / whatever will get deleted.
On Oct 3, 2023, at 10:17 AM, Daniel Lux <dlux@lux-it-systeme.de> wrote:
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Alan, now i am realy confused confused Was this post in html ? i thought it was text ? should i post my question again ? regards Uwe Alan DeKok schrieb: > Post TEXT to the mailing list. > > The list manager strips attachments, because too many people were posting 10M images of screen shots of the debug output. Or posting 100K of debug output in HTML, which then turned into megabytes of nonsense. > > If your email system wraps the email in layer after layer of obfuscation, the images / html / RTF / whatever will get deleted. > >> On Oct 3, 2023, at 10:17 AM, Daniel Lux <dlux@lux-it-systeme.de> wrote: >> >> >> - >> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Oct 3, 2023, at 12:29 PM, Uwe Faber <uf@zkm.de> wrote: > > Hi Alan, > > now i am realy confused confused > > Was this post in html ? > > i thought it was text ? If you read the message, I was replying to someone else. > should i post my question again ? No. When you emailed the list owner alias, I asked you to not post the configuration files. Since you've ignored my recommendations and done that, I don't think there's much I can do. i.e. if you're not going to read the documentation, debug output, or follow my advice, there's really very little I can contribute. > regards > > Uwe > > > Alan DeKok schrieb: >> Post TEXT to the mailing list. >> >> The list manager strips attachments, because too many people were posting 10M images of screen shots of the debug output. Or posting 100K of debug output in HTML, which then turned into megabytes of nonsense. >> >> If your email system wraps the email in layer after layer of obfuscation, the images / html / RTF / whatever will get deleted. >> >>> On Oct 3, 2023, at 10:17 AM, Daniel Lux <dlux@lux-it-systeme.de> wrote: >>> >>> >>> - >>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html >> - >> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Daniel Lux -
Uwe Faber