Hello to everyone, after reading the whole internet and searching for solutions, but finding a solution in vain, I try my luck here. First of all, my goal: It should work quite simply. If you choose the WLAN you should be able to login with your LDAP - access data. After trying a lot of things, the same or even new errors will appear again and again. The LDAP connection exists in any case. It finds the user in the exact OU. I tried it already with a certain group (so only if the user is in the group "wlan" he can login). He could also check the group. My question is: Is it because of some config that it does not work, or is it because of the domain controller? ldap.conf: ----------------------------------------------------------------------------------------------- ldap { server = "ldap://intranet.***.de <ldap://intranet.***.de>" identity = "INTRANET\*USERNAME*" password = "*******" base_dn = "DC=intranet,DC=DC,DC=de" sasl { } update { control:Password-With-Header += 'userPassword' control: += 'radiusControlAttribute' request: += 'radiusRequestAttribute' reply: += 'radiusReplyAttribute' } user { base_dn = "${..base_dn}" filter = "(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})" sasl { } } group { base_dn = 'DC=intranet,DC=*DC*,DC=de' filter = '(objectClass=posixGroup)' scope = 'sub' name_attribute = cn membership_filter = "(member=%{control:Ldap-UserDn})" membership_attribute = 'memberOf' } Profile { } client { base_dn = "${..base_dn}" filter = '(objectClass=radiusClient)' template { } attribute { ipaddr = 'radiusClientIdentifier' secret = 'radiusClientSecret' } } accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" type { start { update { description := "Online at %S" } } interim-update { update { description := "Last seen at %S" } } stop { update { description := "Offline at %S" } } } } post-auth { update { description := "Authenticated at %S" } } options { chase_referrals = yes rebind = yes res_timeout = 10 srv_timelimit = 3 net_timeout = 1 idle = 60 probes = 3 interval = 3 ldap_debug = 0x0028 } Tls { } pool { start = ${thread[pool].start_servers} min = ${thread[pool].min_spare_servers} max = ${thread[pool].max_servers} spare = ${thread[pool].max_spare_servers} uses = 0 retry_delay = 30 lifetime = 0 idle_timeout = 60 } } ----------------------------------------------------------------------------------------------- Site-enabled/default and Innertunnel: ----------------------------------------------------------------------------------------------- The files are both still standard. The only thing I have added is: -ldap if ((ok || updated) && User-Password && !control:Auth-Type) { update { control:Auth-Type := ldap } } In the authorize-section. ----------------------------------------------------------------------------------------------- FREERADIUS -X: ----------------------------------------------------------------------------------------------- (7) Received Access-Request Id 25 from *Accesspoint-IP* to *Radius-Server-IP:1812* length 371 (7) User-Name = "*USERNAME*" (7) NAS-IP-Address = *AccessPoint-IP* (7) NAS-Identifier = "TP-Link:B0-BE-76-24-73-FF" (7) NAS-Port-Id = "00000001" (7) Called-Station-Id = "B0-BE-76-24-73-FF:ldap_auth" (7) NAS-Port-Type = Wireless-802.11 (7) Event-Timestamp = "Nov 25 2020 11:52:42 UTC" (7) Service-Type = Framed-User (7) Calling-Station-Id = "6A-95-50-D9-1B-DC" (7) Connect-Info = "CONNECT 0Mbps 802.11b" (7) Acct-Session-Id = "b0be762473ff-357FC6FB8137FBBA" (7) Acct-Multi-Session-Id = "97193BFF112F1388" (7) WLAN-Pairwise-Cipher = 1027076 (7) WLAN-Group-Cipher = 1027076 (7) WLAN-AKM-Suite = 1027073 (7) Framed-MTU = 1400 (7) EAP-Message = 0x0238006219001703030057b1de21bae8c7f5d43e9cefcb5c41ba58ac82f19aea43c4ed3c21feb1a2c3d6372f73a55132eb0157bf9792ab55d4ba3674125df5a3bdace00a31a870f5207823f75aaca3a15aa1ba23107d8ccd9cc1f0da3abd0f10c8cb (7) State = 0x91de85df97e69c726c333a62068cc31c (7) Message-Authenticator = 0xd2c7816cb5763af4c1102989e178783a (7) Restoring &session-state (7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (7) &session-state:TLS-Session-Version = "TLS 1.2" (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "*USERNAME*", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 56 length 98 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0x6d94a36d6dacb9f9 (7) eap: Finished EAP session with state 0x91de85df97e69c72 (7) eap: Previous EAP request found for state 0x91de85df97e69c72, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: Continuing EAP-TLS (7) eap_peap: [eaptls verify] = ok (7) eap_peap: Done initial handshake (7) eap_peap: [eaptls process] = ok (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state phase2 (7) eap_peap: EAP method MSCHAPv2 (26) (7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message = 0x023800431a0238003e31976c2f5de49266406d03aa536085bfe2000000000000000079adbba2193c9312ebf9719bd0060b3fc13cdb7f8f7aeece00666c6f7269616e62 (7) eap_peap: Setting User-Name to *USERNAME* (7) eap_peap: Sending tunneled request to inner-tunnel (7) eap_peap: EAP-Message = 0x023800431a0238003e31976c2f5de49266406d03aa536085bfe2000000000000000079adbba2193c9312ebf9719bd0060b3fc13cdb7f8f7aeece00666c6f7269616e62 (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_peap: User-Name = "*USERNAME*" (7) eap_peap: State = 0x6d94a36d6dacb9f97126b7451b802a00 (7) Virtual server inner-tunnel received request (7) EAP-Message = 0x023800431a0238003e31976c2f5de49266406d03aa536085bfe2000000000000000079adbba2193c9312ebf9719bd0060b3fc13cdb7f8f7aeece00666c6f7269616e62 (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = "*USERNAME*" (7) State = 0x6d94a36d6dacb9f97126b7451b802a00 (7) WARNING: Outer and inner identities are the same. User privacy is compromised. (7) server inner-tunnel { (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [chap] = noop (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "*USERNAME*", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) update control { (7) &Proxy-To-Realm := LOCAL (7) } # update control = noop (7) eap: Peer sent EAP Response (code 2) ID 56 length 67 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) [files] = noop rlm_ldap (ldap): Reserved connection (1) (7) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}}) (7) ldap: --> (samaccountname=*USERNAME*) (7) ldap: Performing search in "DC=INTRANET,DC=*DC*,DC=de" with filter "(samaccountname=*USERNAME*)", scope "sub" (7) ldap: Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldap://ForestDnsZones.INTRANET.*domain*.de/DC=ForestDnsZones,DC=*DC*,DC=*DC*,DC=de <ldap://ForestDnsZones.INTRANET.*domain*.de/DC=ForestDnsZones,DC=*DC*,DC=*DC*,DC=de> rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap://DomainDnsZones.INTRANET.*domain*.de/DC=DomainDnsZones,DC=*DC*,DC=*DC*,DC=de <ldap://DomainDnsZones.INTRANET.*domain*.de/DC=DomainDnsZones,DC=*DC*,DC=*DC*,DC=de> rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (7) ldap: User object found at DN "CN=Name Surname,OU=*OU*,OU=*OU*,OU=*OU*,OU=*OU*,DC=*DC*,DC=*DC,DC=*DC*" (7) ldap: Processing user attributes (7) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (7) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Deleting connection (1) - Was referred to a different LDAP server (7) [ldap] = ok (7) if ((ok || updated) && User-Password && !control:Auth-Type) { (7) if ((ok || updated) && User-Password && !control:Auth-Type) -> FALSE (7) [expiration] = noop (7) [logintime] = noop (7) [pap] = noop (7) } # authorize = updated (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) authenticate { (7) eap: Expiring EAP session with state 0x6d94a36d6dacb9f9 (7) eap: Finished EAP session with state 0x6d94a36d6dacb9f9 (7) eap: Previous EAP request found for state 0x6d94a36d6dacb9f9, released from the list (7) eap: Peer sent packet with method EAP MSCHAPv2 (26) (7) eap: Calling submodule eap_mschapv2 to process data (7) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) eap_mschapv2: authenticate { (7) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (7) mschap: Creating challenge hash with username: *USERNAME* (7) mschap: Client is using MS-CHAPv2 (7) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication (7) mschap: ERROR: MS-CHAP2-Response is incorrect (7) eap_mschapv2: [mschap] = reject (7) eap_mschapv2: } # authenticate = reject (7) eap: Sending EAP Failure (code 4) ID 56 length 4 (7) eap: Freeing handler (7) [eap] = reject (7) } # authenticate = reject (7) Failed to authenticate the user (7) Using Post-Auth-Type Reject (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) Post-Auth-Type REJECT { (7) attr_filter.access_reject: EXPAND %{User-Name} (7) attr_filter.access_reject: --> *USERNAME* (7) attr_filter.access_reject: Matched entry DEFAULT at line 11 (7) [attr_filter.access_reject] = updated (7) update outer.session-state { (7) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: FAILED: No NT/LM-Password. Cannot perform authentication' (7) } # update outer.session-state = noop (7) } # Post-Auth-Type REJECT = updated (7) } # server inner-tunnel (7) Virtual server sending reply (7) MS-CHAP-Error = "8E=691 R=1 C=6d62be4a6a391d62280be8faba594674 V=3 M=Authentication rejected" (7) EAP-Message = 0x04380004 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: Got tunneled reply code 3 (7) eap_peap: MS-CHAP-Error = "8E=691 R=1 C=6d62be4a6a391d62280be8faba594674 V=3 M=Authentication rejected" (7) eap_peap: EAP-Message = 0x04380004 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: Got tunneled reply RADIUS code 3 (7) eap_peap: MS-CHAP-Error = "8E=691 R=1 C=6d62be4a6a391d62280be8faba594674 V=3 M=Authentication rejected" (7) eap_peap: EAP-Message = 0x04380004 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: Tunneled authentication was rejected (7) eap_peap: FAILURE (7) eap: Sending EAP Request (code 1) ID 57 length 46 (7) eap: EAP session adding &reply:State = 0x91de85df96e79c72 (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) Challenge { ... } # empty sub-section is ignored (7) session-state: Saving cached attributes (7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (7) TLS-Session-Version = "TLS 1.2" (7) Module-Failure-Message := "mschap: FAILED: No NT/LM-Password. Cannot perform authentication" (7) Sent Access-Challenge Id 25 from *Radius-Server-IP:1812* to *Accesspoint-IP* length 0 (7) EAP-Message = 0x0139002e1900170303002371c86c4f9605471aebfaa3b34ed5f06357d0eb547c2c853c97853ab157bee0b162981c (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x91de85df96e79c726c333a62068cc31c (7) Finished request Waking up in 4.8 seconds. (8) Received Access-Request Id 26 from *Accesspoint-IP* to *Radius-Server-IP:1812* length 319 (8) User-Name = "*USERNAME*" (8) NAS-IP-Address = *AccessPoint-IP* (8) NAS-Identifier = "TP-Link:B0-BE-76-24-73-FF" (8) NAS-Port-Id = "00000001" (8) Called-Station-Id = "B0-BE-76-24-73-FF:ldap_auth" (8) NAS-Port-Type = Wireless-802.11 (8) Event-Timestamp = "Nov 25 2020 11:52:42 UTC" (8) Service-Type = Framed-User (8) Calling-Station-Id = "6A-95-50-D9-1B-DC" (8) Connect-Info = "CONNECT 0Mbps 802.11b" (8) Acct-Session-Id = "b0be762473ff-357FC6FB8137FBBA" (8) Acct-Multi-Session-Id = "97193BFF112F1388" (8) WLAN-Pairwise-Cipher = 1027076 (8) WLAN-Group-Cipher = 1027076 (8) WLAN-AKM-Suite = 1027073 (8) Framed-MTU = 1400 (8) EAP-Message = 0x0239002e19001703030023b1de21bae8c7f5d5fe5ace2f015bb1493cfc51fce39ec097cb3b7adc33072b2fd5928f (8) State = 0x91de85df96e79c726c333a62068cc31c (8) Message-Authenticator = 0xd60eadff0ff86f1364a45131245674c1 (8) Restoring &session-state (8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (8) &session-state:TLS-Session-Version = "TLS 1.2" (8) &session-state:Module-Failure-Message := "mschap: FAILED: No NT/LM-Password. Cannot perform authentication" (8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "*USERNAME*", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) eap: Peer sent EAP Response (code 2) ID 57 length 46 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0x91de85df96e79c72 (8) eap: Finished EAP session with state 0x91de85df96e79c72 (8) eap: Previous EAP request found for state 0x91de85df96e79c72, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: Continuing EAP-TLS (8) eap_peap: [eaptls verify] = ok (8) eap_peap: Done initial handshake (8) eap_peap: [eaptls process] = ok (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state send tlv failure (8) eap_peap: Received EAP-TLV response (8) eap_peap: ERROR: The users session was previously rejected: returning reject (again.) (8) eap_peap: This means you need to read the PREVIOUS messages in the debug output (8) eap_peap: to find out the reason why the user was rejected (8) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you (8) eap_peap: what went wrong, and how to fix the problem (8) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (8) eap: Sending EAP Failure (code 4) ID 57 length 4 (8) eap: Failed in EAP select (8) [eap] = invalid (8) } # authenticate = invalid (8) Failed to authenticate the user (8) Using Post-Auth-Type Reject (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (8) Post-Auth-Type REJECT { (8) attr_filter.access_reject: EXPAND %{User-Name} (8) attr_filter.access_reject: --> *USERNAME* (8) attr_filter.access_reject: Matched entry DEFAULT at line 11 (8) [attr_filter.access_reject] = updated (8) [eap] = noop (8) policy remove_reply_message_if_eap { (8) if (&reply:EAP-Message && &reply:Reply-Message) { (8) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (8) else { (8) [noop] = noop (8) } # else = noop (8) } # policy remove_reply_message_if_eap = noop (8) } # Post-Auth-Type REJECT = updated (8) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (8) Sending delayed response (8) Sent Access-Reject Id 26 from *Radius-Server-IP:1812* to *Accesspoint-IP* length 44 (8) EAP-Message = 0x04390004 (8) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. (0) Cleaning up request packet ID 18 with timestamp +11 (1) Cleaning up request packet ID 19 with timestamp +11 (2) Cleaning up request packet ID 20 with timestamp +11 (3) Cleaning up request packet ID 21 with timestamp +11 (4) Cleaning up request packet ID 22 with timestamp +11 (5) Cleaning up request packet ID 23 with timestamp +11 (6) Cleaning up request packet ID 24 with timestamp +11 (7) Cleaning up request packet ID 25 with timestamp +11 (8) Cleaning up request packet ID 26 with timestamp +11 Ready to process requests Sincerely yours Florian Bergner
On 10.12.20 10:49, online@berg-ner.de wrote:
Hello to everyone,
after reading the whole internet and searching for solutions, but finding a solution in vain, I try my luck here.
First of all, my goal: It should work quite simply. If you choose the WLAN you should be able to login with your LDAP - access data.
After trying a lot of things, the same or even new errors will appear again and again. The LDAP connection exists in any case. It finds the user in the exact OU. I tried it already with a certain group (so only if the user is in the group "wlan" he can login). He could also check the group.
My question is: Is it because of some config that it does not work, or is it because of the domain controller?
ldap.conf: ----------------------------------------------------------------------------------------------- ldap { server = "ldap://intranet.***.de <ldap://intranet.***.de>" identity = "INTRANET\*USERNAME*" password = "*******" base_dn = "DC=intranet,DC=DC,DC=de"
sasl { }
update { control:Password-With-Header += 'userPassword' control: += 'radiusControlAttribute' request: += 'radiusRequestAttribute' reply: += 'radiusReplyAttribute' }
user { base_dn = "${..base_dn}" filter = "(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})" sasl { } }
group { base_dn = 'DC=intranet,DC=*DC*,DC=de' filter = '(objectClass=posixGroup)' scope = 'sub' name_attribute = cn membership_filter = "(member=%{control:Ldap-UserDn})" membership_attribute = 'memberOf' }
Profile { }
client { base_dn = "${..base_dn}" filter = '(objectClass=radiusClient)' template { } attribute { ipaddr = 'radiusClientIdentifier' secret = 'radiusClientSecret' } }
accounting { reference = "%{tolower:type.%{Acct-Status-Type}}"
type { start { update { description := "Online at %S" } }
interim-update { update { description := "Last seen at %S" } }
stop { update { description := "Offline at %S" } } } }
post-auth { update { description := "Authenticated at %S" } }
options { chase_referrals = yes rebind = yes res_timeout = 10 srv_timelimit = 3 net_timeout = 1 idle = 60 probes = 3 interval = 3 ldap_debug = 0x0028 }
Tls { }
pool { start = ${thread[pool].start_servers} min = ${thread[pool].min_spare_servers} max = ${thread[pool].max_servers} spare = ${thread[pool].max_spare_servers} uses = 0 retry_delay = 30
lifetime = 0 idle_timeout = 60 } }
-----------------------------------------------------------------------------------------------
Site-enabled/default and Innertunnel: ----------------------------------------------------------------------------------------------- The files are both still standard. The only thing I have added is:
-ldap if ((ok || updated) && User-Password && !control:Auth-Type) { update { control:Auth-Type := ldap } }
In the authorize-section. -----------------------------------------------------------------------------------------------
FREERADIUS -X: ----------------------------------------------------------------------------------------------- (7) Received Access-Request Id 25 from *Accesspoint-IP* to *Radius-Server-IP:1812* length 371 (7) User-Name = "*USERNAME*" (7) NAS-IP-Address = *AccessPoint-IP* (7) NAS-Identifier = "TP-Link:B0-BE-76-24-73-FF" (7) NAS-Port-Id = "00000001" (7) Called-Station-Id = "B0-BE-76-24-73-FF:ldap_auth" (7) NAS-Port-Type = Wireless-802.11 (7) Event-Timestamp = "Nov 25 2020 11:52:42 UTC" (7) Service-Type = Framed-User (7) Calling-Station-Id = "6A-95-50-D9-1B-DC" (7) Connect-Info = "CONNECT 0Mbps 802.11b" (7) Acct-Session-Id = "b0be762473ff-357FC6FB8137FBBA" (7) Acct-Multi-Session-Id = "97193BFF112F1388" (7) WLAN-Pairwise-Cipher = 1027076 (7) WLAN-Group-Cipher = 1027076 (7) WLAN-AKM-Suite = 1027073 (7) Framed-MTU = 1400 (7) EAP-Message = 0x0238006219001703030057b1de21bae8c7f5d43e9cefcb5c41ba58ac82f19aea43c4ed3c21feb1a2c3d6372f73a55132eb0157bf9792ab55d4ba3674125df5a3bdace00a31a870f5207823f75aaca3a15aa1ba23107d8ccd9cc1f0da3abd0f10c8cb (7) State = 0x91de85df97e69c726c333a62068cc31c (7) Message-Authenticator = 0xd2c7816cb5763af4c1102989e178783a (7) Restoring &session-state (7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (7) &session-state:TLS-Session-Version = "TLS 1.2" (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "*USERNAME*", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 56 length 98 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0x6d94a36d6dacb9f9 (7) eap: Finished EAP session with state 0x91de85df97e69c72 (7) eap: Previous EAP request found for state 0x91de85df97e69c72, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: Continuing EAP-TLS (7) eap_peap: [eaptls verify] = ok (7) eap_peap: Done initial handshake (7) eap_peap: [eaptls process] = ok (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state phase2 (7) eap_peap: EAP method MSCHAPv2 (26) (7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message = 0x023800431a0238003e31976c2f5de49266406d03aa536085bfe2000000000000000079adbba2193c9312ebf9719bd0060b3fc13cdb7f8f7aeece00666c6f7269616e62 (7) eap_peap: Setting User-Name to *USERNAME* (7) eap_peap: Sending tunneled request to inner-tunnel (7) eap_peap: EAP-Message = 0x023800431a0238003e31976c2f5de49266406d03aa536085bfe2000000000000000079adbba2193c9312ebf9719bd0060b3fc13cdb7f8f7aeece00666c6f7269616e62 (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_peap: User-Name = "*USERNAME*" (7) eap_peap: State = 0x6d94a36d6dacb9f97126b7451b802a00 (7) Virtual server inner-tunnel received request (7) EAP-Message = 0x023800431a0238003e31976c2f5de49266406d03aa536085bfe2000000000000000079adbba2193c9312ebf9719bd0060b3fc13cdb7f8f7aeece00666c6f7269616e62 (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = "*USERNAME*" (7) State = 0x6d94a36d6dacb9f97126b7451b802a00 (7) WARNING: Outer and inner identities are the same. User privacy is compromised. (7) server inner-tunnel { (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [chap] = noop (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "*USERNAME*", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) update control { (7) &Proxy-To-Realm := LOCAL (7) } # update control = noop (7) eap: Peer sent EAP Response (code 2) ID 56 length 67 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) [files] = noop rlm_ldap (ldap): Reserved connection (1) (7) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}}) (7) ldap: --> (samaccountname=*USERNAME*) (7) ldap: Performing search in "DC=INTRANET,DC=*DC*,DC=de" with filter "(samaccountname=*USERNAME*)", scope "sub" (7) ldap: Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldap://ForestDnsZones.INTRANET.*domain*.de/DC=ForestDnsZones,DC=*DC*,DC=*DC*,DC=de <ldap://ForestDnsZones.INTRANET.*domain*.de/DC=ForestDnsZones,DC=*DC*,DC=*DC*,DC=de> rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap://DomainDnsZones.INTRANET.*domain*.de/DC=DomainDnsZones,DC=*DC*,DC=*DC*,DC=de <ldap://DomainDnsZones.INTRANET.*domain*.de/DC=DomainDnsZones,DC=*DC*,DC=*DC*,DC=de> rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (7) ldap: User object found at DN "CN=Name Surname,OU=*OU*,OU=*OU*,OU=*OU*,OU=*OU*,DC=*DC*,DC=*DC,DC=*DC*" (7) ldap: Processing user attributes (7) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (7) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Deleting connection (1) - Was referred to a different LDAP server (7) [ldap] = ok (7) if ((ok || updated) && User-Password && !control:Auth-Type) { (7) if ((ok || updated) && User-Password && !control:Auth-Type) -> FALSE (7) [expiration] = noop (7) [logintime] = noop (7) [pap] = noop (7) } # authorize = updated (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) authenticate { (7) eap: Expiring EAP session with state 0x6d94a36d6dacb9f9 (7) eap: Finished EAP session with state 0x6d94a36d6dacb9f9 (7) eap: Previous EAP request found for state 0x6d94a36d6dacb9f9, released from the list (7) eap: Peer sent packet with method EAP MSCHAPv2 (26) (7) eap: Calling submodule eap_mschapv2 to process data (7) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) eap_mschapv2: authenticate { (7) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (7) mschap: Creating challenge hash with username: *USERNAME* (7) mschap: Client is using MS-CHAPv2 (7) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication (7) mschap: ERROR: MS-CHAP2-Response is incorrect (7) eap_mschapv2: [mschap] = reject (7) eap_mschapv2: } # authenticate = reject (7) eap: Sending EAP Failure (code 4) ID 56 length 4 (7) eap: Freeing handler (7) [eap] = reject (7) } # authenticate = reject (7) Failed to authenticate the user (7) Using Post-Auth-Type Reject (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) Post-Auth-Type REJECT { (7) attr_filter.access_reject: EXPAND %{User-Name} (7) attr_filter.access_reject: --> *USERNAME* (7) attr_filter.access_reject: Matched entry DEFAULT at line 11 (7) [attr_filter.access_reject] = updated (7) update outer.session-state { (7) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: FAILED: No NT/LM-Password. Cannot perform authentication' (7) } # update outer.session-state = noop (7) } # Post-Auth-Type REJECT = updated (7) } # server inner-tunnel (7) Virtual server sending reply (7) MS-CHAP-Error = "8E=691 R=1 C=6d62be4a6a391d62280be8faba594674 V=3 M=Authentication rejected" (7) EAP-Message = 0x04380004 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: Got tunneled reply code 3 (7) eap_peap: MS-CHAP-Error = "8E=691 R=1 C=6d62be4a6a391d62280be8faba594674 V=3 M=Authentication rejected" (7) eap_peap: EAP-Message = 0x04380004 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: Got tunneled reply RADIUS code 3 (7) eap_peap: MS-CHAP-Error = "8E=691 R=1 C=6d62be4a6a391d62280be8faba594674 V=3 M=Authentication rejected" (7) eap_peap: EAP-Message = 0x04380004 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: Tunneled authentication was rejected (7) eap_peap: FAILURE (7) eap: Sending EAP Request (code 1) ID 57 length 46 (7) eap: EAP session adding &reply:State = 0x91de85df96e79c72 (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) Challenge { ... } # empty sub-section is ignored (7) session-state: Saving cached attributes (7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (7) TLS-Session-Version = "TLS 1.2" (7) Module-Failure-Message := "mschap: FAILED: No NT/LM-Password. Cannot perform authentication" (7) Sent Access-Challenge Id 25 from *Radius-Server-IP:1812* to *Accesspoint-IP* length 0 (7) EAP-Message = 0x0139002e1900170303002371c86c4f9605471aebfaa3b34ed5f06357d0eb547c2c853c97853ab157bee0b162981c (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x91de85df96e79c726c333a62068cc31c (7) Finished request Waking up in 4.8 seconds. (8) Received Access-Request Id 26 from *Accesspoint-IP* to *Radius-Server-IP:1812* length 319 (8) User-Name = "*USERNAME*" (8) NAS-IP-Address = *AccessPoint-IP* (8) NAS-Identifier = "TP-Link:B0-BE-76-24-73-FF" (8) NAS-Port-Id = "00000001" (8) Called-Station-Id = "B0-BE-76-24-73-FF:ldap_auth" (8) NAS-Port-Type = Wireless-802.11 (8) Event-Timestamp = "Nov 25 2020 11:52:42 UTC" (8) Service-Type = Framed-User (8) Calling-Station-Id = "6A-95-50-D9-1B-DC" (8) Connect-Info = "CONNECT 0Mbps 802.11b" (8) Acct-Session-Id = "b0be762473ff-357FC6FB8137FBBA" (8) Acct-Multi-Session-Id = "97193BFF112F1388" (8) WLAN-Pairwise-Cipher = 1027076 (8) WLAN-Group-Cipher = 1027076 (8) WLAN-AKM-Suite = 1027073 (8) Framed-MTU = 1400 (8) EAP-Message = 0x0239002e19001703030023b1de21bae8c7f5d5fe5ace2f015bb1493cfc51fce39ec097cb3b7adc33072b2fd5928f (8) State = 0x91de85df96e79c726c333a62068cc31c (8) Message-Authenticator = 0xd60eadff0ff86f1364a45131245674c1 (8) Restoring &session-state (8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (8) &session-state:TLS-Session-Version = "TLS 1.2" (8) &session-state:Module-Failure-Message := "mschap: FAILED: No NT/LM-Password. Cannot perform authentication" (8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "*USERNAME*", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) eap: Peer sent EAP Response (code 2) ID 57 length 46 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0x91de85df96e79c72 (8) eap: Finished EAP session with state 0x91de85df96e79c72 (8) eap: Previous EAP request found for state 0x91de85df96e79c72, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: Continuing EAP-TLS (8) eap_peap: [eaptls verify] = ok (8) eap_peap: Done initial handshake (8) eap_peap: [eaptls process] = ok (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state send tlv failure (8) eap_peap: Received EAP-TLV response (8) eap_peap: ERROR: The users session was previously rejected: returning reject (again.) (8) eap_peap: This means you need to read the PREVIOUS messages in the debug output (8) eap_peap: to find out the reason why the user was rejected (8) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you (8) eap_peap: what went wrong, and how to fix the problem (8) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (8) eap: Sending EAP Failure (code 4) ID 57 length 4 (8) eap: Failed in EAP select (8) [eap] = invalid (8) } # authenticate = invalid (8) Failed to authenticate the user (8) Using Post-Auth-Type Reject (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (8) Post-Auth-Type REJECT { (8) attr_filter.access_reject: EXPAND %{User-Name} (8) attr_filter.access_reject: --> *USERNAME* (8) attr_filter.access_reject: Matched entry DEFAULT at line 11 (8) [attr_filter.access_reject] = updated (8) [eap] = noop (8) policy remove_reply_message_if_eap { (8) if (&reply:EAP-Message && &reply:Reply-Message) { (8) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (8) else { (8) [noop] = noop (8) } # else = noop (8) } # policy remove_reply_message_if_eap = noop (8) } # Post-Auth-Type REJECT = updated (8) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (8) Sending delayed response (8) Sent Access-Reject Id 26 from *Radius-Server-IP:1812* to *Accesspoint-IP* length 44 (8) EAP-Message = 0x04390004 (8) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. (0) Cleaning up request packet ID 18 with timestamp +11 (1) Cleaning up request packet ID 19 with timestamp +11 (2) Cleaning up request packet ID 20 with timestamp +11 (3) Cleaning up request packet ID 21 with timestamp +11 (4) Cleaning up request packet ID 22 with timestamp +11 (5) Cleaning up request packet ID 23 with timestamp +11 (6) Cleaning up request packet ID 24 with timestamp +11 (7) Cleaning up request packet ID 25 with timestamp +11 (8) Cleaning up request packet ID 26 with timestamp +11 Ready to process requests
Sincerely yours
Florian Bergner - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, only members of a domain can authenticate against AD. This only works with a local samba server on the radius server. See: https://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HO... You also could use a different backend (not AD). Then local authentication would work. Do not work against the system. Just see what works, and what does not. http://deployingradius.com/documents/protocols/compatibility.html http://deployingradius.com/documents/protocols/oracles.html When you read carefully through your logs, than you will see where the problem is. Mit freundlichen Grüßen, -- [*] sys4 AG https://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG,80333 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief Aufsichtsratsvorsitzender: Florian Kirstein
Hello! thanks for the quick answer! The Freeradius I want to set up in my company, so logically I have a domain and I also try to connect to the radius (via an access point) in the WLAN from the company. Unfortunately I have no other choice but LDAP authentication. I need to get this to work.
Am 10.12.2020 um 11:43 schrieb Michael Schwartzkopff <ms@sys4.de>:
On 10.12.20 10:49, online@berg-ner.de <mailto:online@berg-ner.de> wrote:
Hello to everyone,
after reading the whole internet and searching for solutions, but finding a solution in vain, I try my luck here.
First of all, my goal: It should work quite simply. If you choose the WLAN you should be able to login with your LDAP - access data.
After trying a lot of things, the same or even new errors will appear again and again. The LDAP connection exists in any case. It finds the user in the exact OU. I tried it already with a certain group (so only if the user is in the group "wlan" he can login). He could also check the group.
My question is: Is it because of some config that it does not work, or is it because of the domain controller?
ldap.conf: ----------------------------------------------------------------------------------------------- ldap { server = "ldap://intranet.***.de <ldap://intranet.***.de> <ldap://intranet.***.de <ldap://intranet.***.de>>" identity = "INTRANET\*USERNAME*" password = "*******" base_dn = "DC=intranet,DC=DC,DC=de"
sasl { }
update { control:Password-With-Header += 'userPassword' control: += 'radiusControlAttribute' request: += 'radiusRequestAttribute' reply: += 'radiusReplyAttribute' }
user { base_dn = "${..base_dn}" filter = "(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})" sasl { } }
group { base_dn = 'DC=intranet,DC=*DC*,DC=de' filter = '(objectClass=posixGroup)' scope = 'sub' name_attribute = cn membership_filter = "(member=%{control:Ldap-UserDn})" membership_attribute = 'memberOf' }
Profile { }
client { base_dn = "${..base_dn}" filter = '(objectClass=radiusClient)' template { } attribute { ipaddr = 'radiusClientIdentifier' secret = 'radiusClientSecret' } }
accounting { reference = "%{tolower:type.%{Acct-Status-Type}}"
type { start { update { description := "Online at %S" } }
interim-update { update { description := "Last seen at %S" } }
stop { update { description := "Offline at %S" } } } }
post-auth { update { description := "Authenticated at %S" } }
options { chase_referrals = yes rebind = yes res_timeout = 10 srv_timelimit = 3 net_timeout = 1 idle = 60 probes = 3 interval = 3 ldap_debug = 0x0028 }
Tls { }
pool { start = ${thread[pool].start_servers} min = ${thread[pool].min_spare_servers} max = ${thread[pool].max_servers} spare = ${thread[pool].max_spare_servers} uses = 0 retry_delay = 30
lifetime = 0 idle_timeout = 60 } }
-----------------------------------------------------------------------------------------------
Site-enabled/default and Innertunnel: ----------------------------------------------------------------------------------------------- The files are both still standard. The only thing I have added is:
-ldap if ((ok || updated) && User-Password && !control:Auth-Type) { update { control:Auth-Type := ldap } }
In the authorize-section. -----------------------------------------------------------------------------------------------
FREERADIUS -X: ----------------------------------------------------------------------------------------------- (7) Received Access-Request Id 25 from *Accesspoint-IP* to *Radius-Server-IP:1812* length 371 (7) User-Name = "*USERNAME*" (7) NAS-IP-Address = *AccessPoint-IP* (7) NAS-Identifier = "TP-Link:B0-BE-76-24-73-FF" (7) NAS-Port-Id = "00000001" (7) Called-Station-Id = "B0-BE-76-24-73-FF:ldap_auth" (7) NAS-Port-Type = Wireless-802.11 (7) Event-Timestamp = "Nov 25 2020 11:52:42 UTC" (7) Service-Type = Framed-User (7) Calling-Station-Id = "6A-95-50-D9-1B-DC" (7) Connect-Info = "CONNECT 0Mbps 802.11b" (7) Acct-Session-Id = "b0be762473ff-357FC6FB8137FBBA" (7) Acct-Multi-Session-Id = "97193BFF112F1388" (7) WLAN-Pairwise-Cipher = 1027076 (7) WLAN-Group-Cipher = 1027076 (7) WLAN-AKM-Suite = 1027073 (7) Framed-MTU = 1400 (7) EAP-Message = 0x0238006219001703030057b1de21bae8c7f5d43e9cefcb5c41ba58ac82f19aea43c4ed3c21feb1a2c3d6372f73a55132eb0157bf9792ab55d4ba3674125df5a3bdace00a31a870f5207823f75aaca3a15aa1ba23107d8ccd9cc1f0da3abd0f10c8cb (7) State = 0x91de85df97e69c726c333a62068cc31c (7) Message-Authenticator = 0xd2c7816cb5763af4c1102989e178783a (7) Restoring &session-state (7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (7) &session-state:TLS-Session-Version = "TLS 1.2" (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "*USERNAME*", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 56 length 98 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0x6d94a36d6dacb9f9 (7) eap: Finished EAP session with state 0x91de85df97e69c72 (7) eap: Previous EAP request found for state 0x91de85df97e69c72, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: Continuing EAP-TLS (7) eap_peap: [eaptls verify] = ok (7) eap_peap: Done initial handshake (7) eap_peap: [eaptls process] = ok (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state phase2 (7) eap_peap: EAP method MSCHAPv2 (26) (7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message = 0x023800431a0238003e31976c2f5de49266406d03aa536085bfe2000000000000000079adbba2193c9312ebf9719bd0060b3fc13cdb7f8f7aeece00666c6f7269616e62 (7) eap_peap: Setting User-Name to *USERNAME* (7) eap_peap: Sending tunneled request to inner-tunnel (7) eap_peap: EAP-Message = 0x023800431a0238003e31976c2f5de49266406d03aa536085bfe2000000000000000079adbba2193c9312ebf9719bd0060b3fc13cdb7f8f7aeece00666c6f7269616e62 (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_peap: User-Name = "*USERNAME*" (7) eap_peap: State = 0x6d94a36d6dacb9f97126b7451b802a00 (7) Virtual server inner-tunnel received request (7) EAP-Message = 0x023800431a0238003e31976c2f5de49266406d03aa536085bfe2000000000000000079adbba2193c9312ebf9719bd0060b3fc13cdb7f8f7aeece00666c6f7269616e62 (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = "*USERNAME*" (7) State = 0x6d94a36d6dacb9f97126b7451b802a00 (7) WARNING: Outer and inner identities are the same. User privacy is compromised. (7) server inner-tunnel { (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [chap] = noop (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "*USERNAME*", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) update control { (7) &Proxy-To-Realm := LOCAL (7) } # update control = noop (7) eap: Peer sent EAP Response (code 2) ID 56 length 67 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) [files] = noop rlm_ldap (ldap): Reserved connection (1) (7) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}}) (7) ldap: --> (samaccountname=*USERNAME*) (7) ldap: Performing search in "DC=INTRANET,DC=*DC*,DC=de" with filter "(samaccountname=*USERNAME*)", scope "sub" (7) ldap: Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldap://ForestDnsZones.INTRANET.*domain*.de/DC=ForestDnsZones,DC=*DC*,DC=*DC*,DC=de <ldap://ForestDnsZones.INTRANET.*domain*.de/DC=ForestDnsZones,DC=*DC*,DC=*DC*,DC=de><ldap://ForestDnsZones.INTRANET.*domain*.de/DC=ForestDnsZones,DC=*DC*,DC=*DC*,DC=de <ldap://ForestDnsZones.INTRANET.*domain*.de/DC=ForestDnsZones,DC=*DC*,DC=*DC*,DC=de>> rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap://DomainDnsZones.INTRANET.*domain*.de/DC=DomainDnsZones,DC=*DC*,DC=*DC*,DC=de <ldap://DomainDnsZones.INTRANET.*domain*.de/DC=DomainDnsZones,DC=*DC*,DC=*DC*,DC=de><ldap://DomainDnsZones.INTRANET.*domain*.de/DC=DomainDnsZones,DC=*DC*,DC=*DC*,DC=de <ldap://DomainDnsZones.INTRANET.*domain*.de/DC=DomainDnsZones,DC=*DC*,DC=*DC*,DC=de>> rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (7) ldap: User object found at DN "CN=Name Surname,OU=*OU*,OU=*OU*,OU=*OU*,OU=*OU*,DC=*DC*,DC=*DC,DC=*DC*" (7) ldap: Processing user attributes (7) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (7) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Deleting connection (1) - Was referred to a different LDAP server (7) [ldap] = ok (7) if ((ok || updated) && User-Password && !control:Auth-Type) { (7) if ((ok || updated) && User-Password && !control:Auth-Type) -> FALSE (7) [expiration] = noop (7) [logintime] = noop (7) [pap] = noop (7) } # authorize = updated (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) authenticate { (7) eap: Expiring EAP session with state 0x6d94a36d6dacb9f9 (7) eap: Finished EAP session with state 0x6d94a36d6dacb9f9 (7) eap: Previous EAP request found for state 0x6d94a36d6dacb9f9, released from the list (7) eap: Peer sent packet with method EAP MSCHAPv2 (26) (7) eap: Calling submodule eap_mschapv2 to process data (7) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) eap_mschapv2: authenticate { (7) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (7) mschap: Creating challenge hash with username: *USERNAME* (7) mschap: Client is using MS-CHAPv2 (7) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication (7) mschap: ERROR: MS-CHAP2-Response is incorrect (7) eap_mschapv2: [mschap] = reject (7) eap_mschapv2: } # authenticate = reject (7) eap: Sending EAP Failure (code 4) ID 56 length 4 (7) eap: Freeing handler (7) [eap] = reject (7) } # authenticate = reject (7) Failed to authenticate the user (7) Using Post-Auth-Type Reject (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) Post-Auth-Type REJECT { (7) attr_filter.access_reject: EXPAND %{User-Name} (7) attr_filter.access_reject: --> *USERNAME* (7) attr_filter.access_reject: Matched entry DEFAULT at line 11 (7) [attr_filter.access_reject] = updated (7) update outer.session-state { (7) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: FAILED: No NT/LM-Password. Cannot perform authentication' (7) } # update outer.session-state = noop (7) } # Post-Auth-Type REJECT = updated (7) } # server inner-tunnel (7) Virtual server sending reply (7) MS-CHAP-Error = "8E=691 R=1 C=6d62be4a6a391d62280be8faba594674 V=3 M=Authentication rejected" (7) EAP-Message = 0x04380004 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: Got tunneled reply code 3 (7) eap_peap: MS-CHAP-Error = "8E=691 R=1 C=6d62be4a6a391d62280be8faba594674 V=3 M=Authentication rejected" (7) eap_peap: EAP-Message = 0x04380004 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: Got tunneled reply RADIUS code 3 (7) eap_peap: MS-CHAP-Error = "8E=691 R=1 C=6d62be4a6a391d62280be8faba594674 V=3 M=Authentication rejected" (7) eap_peap: EAP-Message = 0x04380004 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: Tunneled authentication was rejected (7) eap_peap: FAILURE (7) eap: Sending EAP Request (code 1) ID 57 length 46 (7) eap: EAP session adding &reply:State = 0x91de85df96e79c72 (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) Challenge { ... } # empty sub-section is ignored (7) session-state: Saving cached attributes (7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (7) TLS-Session-Version = "TLS 1.2" (7) Module-Failure-Message := "mschap: FAILED: No NT/LM-Password. Cannot perform authentication" (7) Sent Access-Challenge Id 25 from *Radius-Server-IP:1812* to *Accesspoint-IP* length 0 (7) EAP-Message = 0x0139002e1900170303002371c86c4f9605471aebfaa3b34ed5f06357d0eb547c2c853c97853ab157bee0b162981c (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x91de85df96e79c726c333a62068cc31c (7) Finished request Waking up in 4.8 seconds. (8) Received Access-Request Id 26 from *Accesspoint-IP* to *Radius-Server-IP:1812* length 319 (8) User-Name = "*USERNAME*" (8) NAS-IP-Address = *AccessPoint-IP* (8) NAS-Identifier = "TP-Link:B0-BE-76-24-73-FF" (8) NAS-Port-Id = "00000001" (8) Called-Station-Id = "B0-BE-76-24-73-FF:ldap_auth" (8) NAS-Port-Type = Wireless-802.11 (8) Event-Timestamp = "Nov 25 2020 11:52:42 UTC" (8) Service-Type = Framed-User (8) Calling-Station-Id = "6A-95-50-D9-1B-DC" (8) Connect-Info = "CONNECT 0Mbps 802.11b" (8) Acct-Session-Id = "b0be762473ff-357FC6FB8137FBBA" (8) Acct-Multi-Session-Id = "97193BFF112F1388" (8) WLAN-Pairwise-Cipher = 1027076 (8) WLAN-Group-Cipher = 1027076 (8) WLAN-AKM-Suite = 1027073 (8) Framed-MTU = 1400 (8) EAP-Message = 0x0239002e19001703030023b1de21bae8c7f5d5fe5ace2f015bb1493cfc51fce39ec097cb3b7adc33072b2fd5928f (8) State = 0x91de85df96e79c726c333a62068cc31c (8) Message-Authenticator = 0xd60eadff0ff86f1364a45131245674c1 (8) Restoring &session-state (8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (8) &session-state:TLS-Session-Version = "TLS 1.2" (8) &session-state:Module-Failure-Message := "mschap: FAILED: No NT/LM-Password. Cannot perform authentication" (8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "*USERNAME*", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) eap: Peer sent EAP Response (code 2) ID 57 length 46 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0x91de85df96e79c72 (8) eap: Finished EAP session with state 0x91de85df96e79c72 (8) eap: Previous EAP request found for state 0x91de85df96e79c72, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: Continuing EAP-TLS (8) eap_peap: [eaptls verify] = ok (8) eap_peap: Done initial handshake (8) eap_peap: [eaptls process] = ok (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state send tlv failure (8) eap_peap: Received EAP-TLV response (8) eap_peap: ERROR: The users session was previously rejected: returning reject (again.) (8) eap_peap: This means you need to read the PREVIOUS messages in the debug output (8) eap_peap: to find out the reason why the user was rejected (8) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you (8) eap_peap: what went wrong, and how to fix the problem (8) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (8) eap: Sending EAP Failure (code 4) ID 57 length 4 (8) eap: Failed in EAP select (8) [eap] = invalid (8) } # authenticate = invalid (8) Failed to authenticate the user (8) Using Post-Auth-Type Reject (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (8) Post-Auth-Type REJECT { (8) attr_filter.access_reject: EXPAND %{User-Name} (8) attr_filter.access_reject: --> *USERNAME* (8) attr_filter.access_reject: Matched entry DEFAULT at line 11 (8) [attr_filter.access_reject] = updated (8) [eap] = noop (8) policy remove_reply_message_if_eap { (8) if (&reply:EAP-Message && &reply:Reply-Message) { (8) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (8) else { (8) [noop] = noop (8) } # else = noop (8) } # policy remove_reply_message_if_eap = noop (8) } # Post-Auth-Type REJECT = updated (8) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (8) Sending delayed response (8) Sent Access-Reject Id 26 from *Radius-Server-IP:1812* to *Accesspoint-IP* length 44 (8) EAP-Message = 0x04390004 (8) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. (0) Cleaning up request packet ID 18 with timestamp +11 (1) Cleaning up request packet ID 19 with timestamp +11 (2) Cleaning up request packet ID 20 with timestamp +11 (3) Cleaning up request packet ID 21 with timestamp +11 (4) Cleaning up request packet ID 22 with timestamp +11 (5) Cleaning up request packet ID 23 with timestamp +11 (6) Cleaning up request packet ID 24 with timestamp +11 (7) Cleaning up request packet ID 25 with timestamp +11 (8) Cleaning up request packet ID 26 with timestamp +11 Ready to process requests
Sincerely yours
Florian Bergner - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
Hi,
only members of a domain can authenticate against AD. This only works with a local samba server on the radius server. See:
https://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HO... <https://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO>
You also could use a different backend (not AD). Then local authentication would work.
Do not work against the system. Just see what works, and what does not.
http://deployingradius.com/documents/protocols/compatibility.html <http://deployingradius.com/documents/protocols/compatibility.html>
http://deployingradius.com/documents/protocols/oracles.html <http://deployingradius.com/documents/protocols/oracles.html>
When you read carefully through your logs, than you will see where the problem is.
Mit freundlichen Grüßen,
--
[*] sys4 AG
https://sys4.de <https://sys4.de/>, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG,80333 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief Aufsichtsratsvorsitzender: Florian Kirstein
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
On 10.12.20 11:51, online@berg-ner.de wrote:
> Hello!
>
> thanks for the quick answer!
>
> The Freeradius I want to set up in my company, so logically I have a domain and I also try to connect to the radius (via an access point) in the WLAN from the company.
>
> Unfortunately I have no other choice but LDAP authentication. I need to get this to work.
If the way you want to go is technically impossible, it makes no sense
to complain.
I told you how it is possible. Read the docs.
>> Am 10.12.2020 um 11:43 schrieb Michael Schwartzkopff <ms@sys4.de>:
>>
>> On 10.12.20 10:49, online@berg-ner.de <mailto:online@berg-ner.de> wrote:
>>> Hello to everyone,
>>>
>>> after reading the whole internet and searching for solutions, but finding a solution in vain, I try my luck here.
>>>
>>> First of all, my goal: It should work quite simply. If you choose the WLAN you should be able to login with your LDAP - access data.
>>>
>>> After trying a lot of things, the same or even new errors will appear again and again.
>>> The LDAP connection exists in any case. It finds the user in the exact OU. I tried it already with a certain group (so only if the user is in the group "wlan" he can login). He could also check the group.
>>>
>>> My question is: Is it because of some config that it does not work, or is it because of the domain controller?
>>>
>>> ldap.conf:
>>> -----------------------------------------------------------------------------------------------
>>> ldap {
>>> server = "ldap://intranet.***.de <ldap://intranet.***.de> <ldap://intranet.***.de <ldap://intranet.***.de>>"
>>> identity = "INTRANET\*USERNAME*"
>>> password = "*******"
>>> base_dn = "DC=intranet,DC=DC,DC=de"
>>>
>>> sasl {
>>> }
>>>
>>> update {
>>> control:Password-With-Header += 'userPassword'
>>> control: += 'radiusControlAttribute'
>>> request: += 'radiusRequestAttribute'
>>> reply: += 'radiusReplyAttribute'
>>> }
>>>
>>> user {
>>> base_dn = "${..base_dn}"
>>> filter = "(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
>>> sasl {
>>> }
>>> }
>>>
>>> group {
>>> base_dn = 'DC=intranet,DC=*DC*,DC=de'
>>> filter = '(objectClass=posixGroup)'
>>> scope = 'sub'
>>> name_attribute = cn
>>> membership_filter = "(member=%{control:Ldap-UserDn})"
>>> membership_attribute = 'memberOf'
>>> }
>>>
>>> Profile {
>>> }
>>>
>>> client {
>>> base_dn = "${..base_dn}"
>>> filter = '(objectClass=radiusClient)'
>>> template {
>>> }
>>> attribute {
>>> ipaddr = 'radiusClientIdentifier'
>>> secret = 'radiusClientSecret'
>>> }
>>> }
>>>
>>> accounting {
>>> reference = "%{tolower:type.%{Acct-Status-Type}}"
>>>
>>> type {
>>> start {
>>> update {
>>> description := "Online at %S"
>>> }
>>> }
>>>
>>> interim-update {
>>> update {
>>> description := "Last seen at %S"
>>> }
>>> }
>>>
>>> stop {
>>> update {
>>> description := "Offline at %S"
>>> }
>>> }
>>> }
>>> }
>>>
>>> post-auth {
>>> update {
>>> description := "Authenticated at %S"
>>> }
>>> }
>>>
>>> options {
>>> chase_referrals = yes
>>> rebind = yes
>>> res_timeout = 10
>>> srv_timelimit = 3
>>> net_timeout = 1
>>> idle = 60
>>> probes = 3
>>> interval = 3
>>> ldap_debug = 0x0028
>>> }
>>>
>>> Tls {
>>> }
>>>
>>> pool {
>>> start = ${thread[pool].start_servers}
>>> min = ${thread[pool].min_spare_servers}
>>> max = ${thread[pool].max_servers}
>>> spare = ${thread[pool].max_spare_servers}
>>> uses = 0
>>> retry_delay = 30
>>>
>>> lifetime = 0
>>> idle_timeout = 60
>>> }
>>> }
>>>
>>> -----------------------------------------------------------------------------------------------
>>>
>>> Site-enabled/default and Innertunnel:
>>> -----------------------------------------------------------------------------------------------
>>> The files are both still standard. The only thing I have added is:
>>>
>>> -ldap
>>> if ((ok || updated) && User-Password && !control:Auth-Type) {
>>> update {
>>> control:Auth-Type := ldap
>>> }
>>> }
>>>
>>> In the authorize-section.
>>> -----------------------------------------------------------------------------------------------
>>>
>>>
>>> FREERADIUS -X:
>>> -----------------------------------------------------------------------------------------------
>>> (7) Received Access-Request Id 25 from *Accesspoint-IP* to *Radius-Server-IP:1812* length 371
>>> (7) User-Name = "*USERNAME*"
>>> (7) NAS-IP-Address = *AccessPoint-IP*
>>> (7) NAS-Identifier = "TP-Link:B0-BE-76-24-73-FF"
>>> (7) NAS-Port-Id = "00000001"
>>> (7) Called-Station-Id = "B0-BE-76-24-73-FF:ldap_auth"
>>> (7) NAS-Port-Type = Wireless-802.11
>>> (7) Event-Timestamp = "Nov 25 2020 11:52:42 UTC"
>>> (7) Service-Type = Framed-User
>>> (7) Calling-Station-Id = "6A-95-50-D9-1B-DC"
>>> (7) Connect-Info = "CONNECT 0Mbps 802.11b"
>>> (7) Acct-Session-Id = "b0be762473ff-357FC6FB8137FBBA"
>>> (7) Acct-Multi-Session-Id = "97193BFF112F1388"
>>> (7) WLAN-Pairwise-Cipher = 1027076
>>> (7) WLAN-Group-Cipher = 1027076
>>> (7) WLAN-AKM-Suite = 1027073
>>> (7) Framed-MTU = 1400
>>> (7) EAP-Message = 0x0238006219001703030057b1de21bae8c7f5d43e9cefcb5c41ba58ac82f19aea43c4ed3c21feb1a2c3d6372f73a55132eb0157bf9792ab55d4ba3674125df5a3bdace00a31a870f5207823f75aaca3a15aa1ba23107d8ccd9cc1f0da3abd0f10c8cb
>>> (7) State = 0x91de85df97e69c726c333a62068cc31c
>>> (7) Message-Authenticator = 0xd2c7816cb5763af4c1102989e178783a
>>> (7) Restoring &session-state
>>> (7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
>>> (7) &session-state:TLS-Session-Version = "TLS 1.2"
>>> (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
>>> (7) authorize {
>>> (7) policy filter_username {
>>> (7) if (&User-Name) {
>>> (7) if (&User-Name) -> TRUE
>>> (7) if (&User-Name) {
>>> (7) if (&User-Name =~ / /) {
>>> (7) if (&User-Name =~ / /) -> FALSE
>>> (7) if (&User-Name =~ /@[^@]*@/ ) {
>>> (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
>>> (7) if (&User-Name =~ /\.\./ ) {
>>> (7) if (&User-Name =~ /\.\./ ) -> FALSE
>>> (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
>>> (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
>>> (7) if (&User-Name =~ /\.$/) {
>>> (7) if (&User-Name =~ /\.$/) -> FALSE
>>> (7) if (&User-Name =~ /@\./) {
>>> (7) if (&User-Name =~ /@\./) -> FALSE
>>> (7) } # if (&User-Name) = notfound
>>> (7) } # policy filter_username = notfound
>>> (7) [preprocess] = ok
>>> (7) [chap] = noop
>>> (7) [mschap] = noop
>>> (7) [digest] = noop
>>> (7) suffix: Checking for suffix after "@"
>>> (7) suffix: No '@' in User-Name = "*USERNAME*", looking up realm NULL
>>> (7) suffix: No such realm "NULL"
>>> (7) [suffix] = noop
>>> (7) eap: Peer sent EAP Response (code 2) ID 56 length 98
>>> (7) eap: Continuing tunnel setup
>>> (7) [eap] = ok
>>> (7) } # authorize = ok
>>> (7) Found Auth-Type = eap
>>> (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
>>> (7) authenticate {
>>> (7) eap: Expiring EAP session with state 0x6d94a36d6dacb9f9
>>> (7) eap: Finished EAP session with state 0x91de85df97e69c72
>>> (7) eap: Previous EAP request found for state 0x91de85df97e69c72, released from the list
>>> (7) eap: Peer sent packet with method EAP PEAP (25)
>>> (7) eap: Calling submodule eap_peap to process data
>>> (7) eap_peap: Continuing EAP-TLS
>>> (7) eap_peap: [eaptls verify] = ok
>>> (7) eap_peap: Done initial handshake
>>> (7) eap_peap: [eaptls process] = ok
>>> (7) eap_peap: Session established. Decoding tunneled attributes
>>> (7) eap_peap: PEAP state phase2
>>> (7) eap_peap: EAP method MSCHAPv2 (26)
>>> (7) eap_peap: Got tunneled request
>>> (7) eap_peap: EAP-Message = 0x023800431a0238003e31976c2f5de49266406d03aa536085bfe2000000000000000079adbba2193c9312ebf9719bd0060b3fc13cdb7f8f7aeece00666c6f7269616e62
>>> (7) eap_peap: Setting User-Name to *USERNAME*
>>> (7) eap_peap: Sending tunneled request to inner-tunnel
>>> (7) eap_peap: EAP-Message = 0x023800431a0238003e31976c2f5de49266406d03aa536085bfe2000000000000000079adbba2193c9312ebf9719bd0060b3fc13cdb7f8f7aeece00666c6f7269616e62
>>> (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
>>> (7) eap_peap: User-Name = "*USERNAME*"
>>> (7) eap_peap: State = 0x6d94a36d6dacb9f97126b7451b802a00
>>> (7) Virtual server inner-tunnel received request
>>> (7) EAP-Message = 0x023800431a0238003e31976c2f5de49266406d03aa536085bfe2000000000000000079adbba2193c9312ebf9719bd0060b3fc13cdb7f8f7aeece00666c6f7269616e62
>>> (7) FreeRADIUS-Proxied-To = 127.0.0.1
>>> (7) User-Name = "*USERNAME*"
>>> (7) State = 0x6d94a36d6dacb9f97126b7451b802a00
>>> (7) WARNING: Outer and inner identities are the same. User privacy is compromised.
>>> (7) server inner-tunnel {
>>> (7) session-state: No cached attributes
>>> (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
>>> (7) authorize {
>>> (7) policy filter_username {
>>> (7) if (&User-Name) {
>>> (7) if (&User-Name) -> TRUE
>>> (7) if (&User-Name) {
>>> (7) if (&User-Name =~ / /) {
>>> (7) if (&User-Name =~ / /) -> FALSE
>>> (7) if (&User-Name =~ /@[^@]*@/ ) {
>>> (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
>>> (7) if (&User-Name =~ /\.\./ ) {
>>> (7) if (&User-Name =~ /\.\./ ) -> FALSE
>>> (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
>>> (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
>>> (7) if (&User-Name =~ /\.$/) {
>>> (7) if (&User-Name =~ /\.$/) -> FALSE
>>> (7) if (&User-Name =~ /@\./) {
>>> (7) if (&User-Name =~ /@\./) -> FALSE
>>> (7) } # if (&User-Name) = notfound
>>> (7) } # policy filter_username = notfound
>>> (7) [chap] = noop
>>> (7) [mschap] = noop
>>> (7) suffix: Checking for suffix after "@"
>>> (7) suffix: No '@' in User-Name = "*USERNAME*", looking up realm NULL
>>> (7) suffix: No such realm "NULL"
>>> (7) [suffix] = noop
>>> (7) update control {
>>> (7) &Proxy-To-Realm := LOCAL
>>> (7) } # update control = noop
>>> (7) eap: Peer sent EAP Response (code 2) ID 56 length 67
>>> (7) eap: No EAP Start, assuming it's an on-going EAP conversation
>>> (7) [eap] = updated
>>> (7) [files] = noop
>>> rlm_ldap (ldap): Reserved connection (1)
>>> (7) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
>>> (7) ldap: --> (samaccountname=*USERNAME*)
>>> (7) ldap: Performing search in "DC=INTRANET,DC=*DC*,DC=de" with filter "(samaccountname=*USERNAME*)", scope "sub"
>>> (7) ldap: Waiting for search result...
>>> rlm_ldap (ldap): Rebinding to URL ldap://ForestDnsZones.INTRANET.*domain*.de/DC=ForestDnsZones,DC=*DC*,DC=*DC*,DC=de <ldap://ForestDnsZones.INTRANET.*domain*.de/DC=ForestDnsZones,DC=*DC*,DC=*DC*,DC=de><ldap://ForestDnsZones.INTRANET.*domain*.de/DC=ForestDnsZones,DC=*DC*,DC=*DC*,DC=de <ldap://ForestDnsZones.INTRANET.*domain*.de/DC=ForestDnsZones,DC=*DC*,DC=*DC*,DC=de>>
>>> rlm_ldap (ldap): Waiting for bind result...
>>> rlm_ldap (ldap): Rebinding to URL ldap://DomainDnsZones.INTRANET.*domain*.de/DC=DomainDnsZones,DC=*DC*,DC=*DC*,DC=de <ldap://DomainDnsZones.INTRANET.*domain*.de/DC=DomainDnsZones,DC=*DC*,DC=*DC*,DC=de><ldap://DomainDnsZones.INTRANET.*domain*.de/DC=DomainDnsZones,DC=*DC*,DC=*DC*,DC=de <ldap://DomainDnsZones.INTRANET.*domain*.de/DC=DomainDnsZones,DC=*DC*,DC=*DC*,DC=de>>
>>> rlm_ldap (ldap): Waiting for bind result...
>>> rlm_ldap (ldap): Bind successful
>>> rlm_ldap (ldap): Bind successful
>>> (7) ldap: User object found at DN "CN=Name Surname,OU=*OU*,OU=*OU*,OU=*OU*,OU=*OU*,DC=*DC*,DC=*DC,DC=*DC*"
>>> (7) ldap: Processing user attributes
>>> (7) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
>>> (7) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
>>> rlm_ldap (ldap): Deleting connection (1) - Was referred to a different LDAP server
>>> (7) [ldap] = ok
>>> (7) if ((ok || updated) && User-Password && !control:Auth-Type) {
>>> (7) if ((ok || updated) && User-Password && !control:Auth-Type) -> FALSE
>>> (7) [expiration] = noop
>>> (7) [logintime] = noop
>>> (7) [pap] = noop
>>> (7) } # authorize = updated
>>> (7) Found Auth-Type = eap
>>> (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
>>> (7) authenticate {
>>> (7) eap: Expiring EAP session with state 0x6d94a36d6dacb9f9
>>> (7) eap: Finished EAP session with state 0x6d94a36d6dacb9f9
>>> (7) eap: Previous EAP request found for state 0x6d94a36d6dacb9f9, released from the list
>>> (7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
>>> (7) eap: Calling submodule eap_mschapv2 to process data
>>> (7) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
>>> (7) eap_mschapv2: authenticate {
>>> (7) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
>>> (7) mschap: Creating challenge hash with username: *USERNAME*
>>> (7) mschap: Client is using MS-CHAPv2
>>> (7) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
>>> (7) mschap: ERROR: MS-CHAP2-Response is incorrect
>>> (7) eap_mschapv2: [mschap] = reject
>>> (7) eap_mschapv2: } # authenticate = reject
>>> (7) eap: Sending EAP Failure (code 4) ID 56 length 4
>>> (7) eap: Freeing handler
>>> (7) [eap] = reject
>>> (7) } # authenticate = reject
>>> (7) Failed to authenticate the user
>>> (7) Using Post-Auth-Type Reject
>>> (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
>>> (7) Post-Auth-Type REJECT {
>>> (7) attr_filter.access_reject: EXPAND %{User-Name}
>>> (7) attr_filter.access_reject: --> *USERNAME*
>>> (7) attr_filter.access_reject: Matched entry DEFAULT at line 11
>>> (7) [attr_filter.access_reject] = updated
>>> (7) update outer.session-state {
>>> (7) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: FAILED: No NT/LM-Password. Cannot perform authentication'
>>> (7) } # update outer.session-state = noop
>>> (7) } # Post-Auth-Type REJECT = updated
>>> (7) } # server inner-tunnel
>>> (7) Virtual server sending reply
>>> (7) MS-CHAP-Error = "8E=691 R=1 C=6d62be4a6a391d62280be8faba594674 V=3 M=Authentication rejected"
>>> (7) EAP-Message = 0x04380004
>>> (7) Message-Authenticator = 0x00000000000000000000000000000000
>>> (7) eap_peap: Got tunneled reply code 3
>>> (7) eap_peap: MS-CHAP-Error = "8E=691 R=1 C=6d62be4a6a391d62280be8faba594674 V=3 M=Authentication rejected"
>>> (7) eap_peap: EAP-Message = 0x04380004
>>> (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
>>> (7) eap_peap: Got tunneled reply RADIUS code 3
>>> (7) eap_peap: MS-CHAP-Error = "8E=691 R=1 C=6d62be4a6a391d62280be8faba594674 V=3 M=Authentication rejected"
>>> (7) eap_peap: EAP-Message = 0x04380004
>>> (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
>>> (7) eap_peap: Tunneled authentication was rejected
>>> (7) eap_peap: FAILURE
>>> (7) eap: Sending EAP Request (code 1) ID 57 length 46
>>> (7) eap: EAP session adding &reply:State = 0x91de85df96e79c72
>>> (7) [eap] = handled
>>> (7) } # authenticate = handled
>>> (7) Using Post-Auth-Type Challenge
>>> (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
>>> (7) Challenge { ... } # empty sub-section is ignored
>>> (7) session-state: Saving cached attributes
>>> (7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
>>> (7) TLS-Session-Version = "TLS 1.2"
>>> (7) Module-Failure-Message := "mschap: FAILED: No NT/LM-Password. Cannot perform authentication"
>>> (7) Sent Access-Challenge Id 25 from *Radius-Server-IP:1812* to *Accesspoint-IP* length 0
>>> (7) EAP-Message = 0x0139002e1900170303002371c86c4f9605471aebfaa3b34ed5f06357d0eb547c2c853c97853ab157bee0b162981c
>>> (7) Message-Authenticator = 0x00000000000000000000000000000000
>>> (7) State = 0x91de85df96e79c726c333a62068cc31c
>>> (7) Finished request
>>> Waking up in 4.8 seconds.
>>> (8) Received Access-Request Id 26 from *Accesspoint-IP* to *Radius-Server-IP:1812* length 319
>>> (8) User-Name = "*USERNAME*"
>>> (8) NAS-IP-Address = *AccessPoint-IP*
>>> (8) NAS-Identifier = "TP-Link:B0-BE-76-24-73-FF"
>>> (8) NAS-Port-Id = "00000001"
>>> (8) Called-Station-Id = "B0-BE-76-24-73-FF:ldap_auth"
>>> (8) NAS-Port-Type = Wireless-802.11
>>> (8) Event-Timestamp = "Nov 25 2020 11:52:42 UTC"
>>> (8) Service-Type = Framed-User
>>> (8) Calling-Station-Id = "6A-95-50-D9-1B-DC"
>>> (8) Connect-Info = "CONNECT 0Mbps 802.11b"
>>> (8) Acct-Session-Id = "b0be762473ff-357FC6FB8137FBBA"
>>> (8) Acct-Multi-Session-Id = "97193BFF112F1388"
>>> (8) WLAN-Pairwise-Cipher = 1027076
>>> (8) WLAN-Group-Cipher = 1027076
>>> (8) WLAN-AKM-Suite = 1027073
>>> (8) Framed-MTU = 1400
>>> (8) EAP-Message = 0x0239002e19001703030023b1de21bae8c7f5d5fe5ace2f015bb1493cfc51fce39ec097cb3b7adc33072b2fd5928f
>>> (8) State = 0x91de85df96e79c726c333a62068cc31c
>>> (8) Message-Authenticator = 0xd60eadff0ff86f1364a45131245674c1
>>> (8) Restoring &session-state
>>> (8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
>>> (8) &session-state:TLS-Session-Version = "TLS 1.2"
>>> (8) &session-state:Module-Failure-Message := "mschap: FAILED: No NT/LM-Password. Cannot perform authentication"
>>> (8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
>>> (8) authorize {
>>> (8) policy filter_username {
>>> (8) if (&User-Name) {
>>> (8) if (&User-Name) -> TRUE
>>> (8) if (&User-Name) {
>>> (8) if (&User-Name =~ / /) {
>>> (8) if (&User-Name =~ / /) -> FALSE
>>> (8) if (&User-Name =~ /@[^@]*@/ ) {
>>> (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
>>> (8) if (&User-Name =~ /\.\./ ) {
>>> (8) if (&User-Name =~ /\.\./ ) -> FALSE
>>> (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
>>> (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
>>> (8) if (&User-Name =~ /\.$/) {
>>> (8) if (&User-Name =~ /\.$/) -> FALSE
>>> (8) if (&User-Name =~ /@\./) {
>>> (8) if (&User-Name =~ /@\./) -> FALSE
>>> (8) } # if (&User-Name) = notfound
>>> (8) } # policy filter_username = notfound
>>> (8) [preprocess] = ok
>>> (8) [chap] = noop
>>> (8) [mschap] = noop
>>> (8) [digest] = noop
>>> (8) suffix: Checking for suffix after "@"
>>> (8) suffix: No '@' in User-Name = "*USERNAME*", looking up realm NULL
>>> (8) suffix: No such realm "NULL"
>>> (8) [suffix] = noop
>>> (8) eap: Peer sent EAP Response (code 2) ID 57 length 46
>>> (8) eap: Continuing tunnel setup
>>> (8) [eap] = ok
>>> (8) } # authorize = ok
>>> (8) Found Auth-Type = eap
>>> (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
>>> (8) authenticate {
>>> (8) eap: Expiring EAP session with state 0x91de85df96e79c72
>>> (8) eap: Finished EAP session with state 0x91de85df96e79c72
>>> (8) eap: Previous EAP request found for state 0x91de85df96e79c72, released from the list
>>> (8) eap: Peer sent packet with method EAP PEAP (25)
>>> (8) eap: Calling submodule eap_peap to process data
>>> (8) eap_peap: Continuing EAP-TLS
>>> (8) eap_peap: [eaptls verify] = ok
>>> (8) eap_peap: Done initial handshake
>>> (8) eap_peap: [eaptls process] = ok
>>> (8) eap_peap: Session established. Decoding tunneled attributes
>>> (8) eap_peap: PEAP state send tlv failure
>>> (8) eap_peap: Received EAP-TLV response
>>> (8) eap_peap: ERROR: The users session was previously rejected: returning reject (again.)
>>> (8) eap_peap: This means you need to read the PREVIOUS messages in the debug output
>>> (8) eap_peap: to find out the reason why the user was rejected
>>> (8) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you
>>> (8) eap_peap: what went wrong, and how to fix the problem
>>> (8) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
>>> (8) eap: Sending EAP Failure (code 4) ID 57 length 4
>>> (8) eap: Failed in EAP select
>>> (8) [eap] = invalid
>>> (8) } # authenticate = invalid
>>> (8) Failed to authenticate the user
>>> (8) Using Post-Auth-Type Reject
>>> (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
>>> (8) Post-Auth-Type REJECT {
>>> (8) attr_filter.access_reject: EXPAND %{User-Name}
>>> (8) attr_filter.access_reject: --> *USERNAME*
>>> (8) attr_filter.access_reject: Matched entry DEFAULT at line 11
>>> (8) [attr_filter.access_reject] = updated
>>> (8) [eap] = noop
>>> (8) policy remove_reply_message_if_eap {
>>> (8) if (&reply:EAP-Message && &reply:Reply-Message) {
>>> (8) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
>>> (8) else {
>>> (8) [noop] = noop
>>> (8) } # else = noop
>>> (8) } # policy remove_reply_message_if_eap = noop
>>> (8) } # Post-Auth-Type REJECT = updated
>>> (8) Delaying response for 1.000000 seconds
>>> Waking up in 0.3 seconds.
>>> Waking up in 0.6 seconds.
>>> (8) Sending delayed response
>>> (8) Sent Access-Reject Id 26 from *Radius-Server-IP:1812* to *Accesspoint-IP* length 44
>>> (8) EAP-Message = 0x04390004
>>> (8) Message-Authenticator = 0x00000000000000000000000000000000
>>> Waking up in 3.8 seconds.
>>> (0) Cleaning up request packet ID 18 with timestamp +11
>>> (1) Cleaning up request packet ID 19 with timestamp +11
>>> (2) Cleaning up request packet ID 20 with timestamp +11
>>> (3) Cleaning up request packet ID 21 with timestamp +11
>>> (4) Cleaning up request packet ID 22 with timestamp +11
>>> (5) Cleaning up request packet ID 23 with timestamp +11
>>> (6) Cleaning up request packet ID 24 with timestamp +11
>>> (7) Cleaning up request packet ID 25 with timestamp +11
>>> (8) Cleaning up request packet ID 26 with timestamp +11
>>> Ready to process requests
>>>
>>>
>>>
>>>
>>>
>>> Sincerely yours
>>>
>>> Florian Bergner
>>> -
>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
>>
>>
>> Hi,
>>
>> only members of a domain can authenticate against AD. This only works
>> with a local samba server on the radius server. See:
>>
>> https://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO <https://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO>
>>
>>
>> You also could use a different backend (not AD). Then local
>> authentication would work.
>>
>>
>> Do not work against the system. Just see what works, and what does not.
>>
>> http://deployingradius.com/documents/protocols/compatibility.html <http://deployingradius.com/documents/protocols/compatibility.html>
>>
>> http://deployingradius.com/documents/protocols/oracles.html <http://deployingradius.com/documents/protocols/oracles.html>
>>
>>
>> When you read carefully through your logs, than you will see where the
>> problem is.
>>
>>
>> Mit freundlichen Grüßen,
>>
>> --
>>
>> [*] sys4 AG
>>
>> https://sys4.de <https://sys4.de/>, +49 (89) 30 90 46 64
>> Schleißheimer Straße 26/MG,80333 München
>>
>> Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
>> Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
>> Aufsichtsratsvorsitzender: Florian Kirstein
>>
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Mit freundlichen Grüßen,
--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein
participants (2)
-
Michael Schwartzkopff -
online@berg-ner.de