Hello, I am having a problem getting LDAP authentication working on FreeRADIUS Version 3.0.0. The behaviour I am experiencing is that the server will send an Access-Accept message without doing any checking of credentials. I would expect to see an LDAP bind, but that does not occur. In the debug output, I see a FreeRadius preparing to proxy, but this never happens. I'm hoping that I've overlooked something simple, it has been a while since I've done a fresh install. Here are some relevant excerpts, followed by the startup debug and then a request. Any and all help is appreciated. raddb/proxy.conf: realm NULL { virtual_server = captive_portal } sites-enabled/captive_portal: server captive_portal { authorize { uw.ldap } authenticate { Auth-Type LDAP { uw.ldap } } } Starting debug output: FreeRADIUS Version 3.0.0, for host x86_64-unknown-linux-gnu, built on Jun 21 2012 at 16:59:04 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/mods-enabled/ including configuration file /etc/raddb/mods-enabled/wimax including configuration file /etc/raddb/mods-enabled/mschap including configuration file /etc/raddb/mods-enabled/echo including configuration file /etc/raddb/mods-enabled/linelog including configuration file /etc/raddb/mods-enabled/exec including configuration file /etc/raddb/mods-enabled/soh including configuration file /etc/raddb/mods-enabled/chap including configuration file /etc/raddb/mods-enabled/realm including configuration file /etc/raddb/mods-enabled/inner-eap including configuration file /etc/raddb/mods-enabled/ntlm_auth including configuration file /etc/raddb/mods-enabled/always including configuration file /etc/raddb/mods-enabled/pap including configuration file /etc/raddb/mods-enabled/counter including configuration file /etc/raddb/mods-enabled/detail.log including configuration file /etc/raddb/mods-enabled/detail including configuration file /etc/raddb/mods-enabled/radutmp including configuration file /etc/raddb/mods-enabled/attr_filter including configuration file /etc/raddb/mods-enabled/digest including configuration file /etc/raddb/mods-enabled/dynamic_clients including configuration file /etc/raddb/mods-enabled/utf8 including configuration file /etc/raddb/mods-enabled/eap including configuration file /etc/raddb/mods-enabled/expr including configuration file /etc/raddb/mods-enabled/sradutmp including configuration file /etc/raddb/mods-enabled/replicate including configuration file /etc/raddb/mods-enabled/attr_rewrite including configuration file /etc/raddb/mods-enabled/logintime including configuration file /etc/raddb/mods-enabled/checkval including configuration file /etc/raddb/mods-enabled/expiration including configuration file /etc/raddb/mods-enabled/ldap including configuration file /etc/raddb/mods-enabled/cui including configuration file /etc/raddb/mods-enabled/files including configuration file /etc/raddb/mods-enabled/unix including configuration file /etc/raddb/mods-enabled/passwd including configuration file /etc/raddb/mods-enabled/preprocess including configuration file /etc/raddb/mods-enabled/acct_unique including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/netid including configuration file /etc/raddb/sites-enabled/inner-tunnel including configuration file /etc/raddb/sites-enabled/captive_portal main { security { allow_core_dumps = no } } including dictionary file /etc/raddb/dictionary main { name = "radiusd" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 5 cleanup_delay = 5 max_requests = 128000 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com<http://example.com/> { auth_pool = my_auth_failover } realm NULL { virtual_server = captive_portal } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/raddb/mods-enabled/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf modules { Module: Creating Auth-Type = digest Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/raddb/mods-enabled/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/raddb/mods-enabled/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:- passchange { } allow_retry = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/raddb/mods-enabled/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/raddb/mods-enabled/unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/mods-enabled/eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { tls = "tls-common" } tls-config tls-common { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/raddb/certs/bootstrap" cache { enable = yes lifetime = 24 max_entries = 10000 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = yes } } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no } debug: Using cached TLS configuration from previous invocation Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/raddb/mods-enabled/files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking preacct {...} for more modules to load Module: Loading virtual module acct_unique Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/raddb/mods-enabled/detail detail { detailfile = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/raddb/mods-enabled/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" relaxed = no } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Loading virtual module remove_reply_message_if_eap Module: Linked to module rlm_always Module: Instantiating module "noop" from file /etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" relaxed = no } Module: Loading virtual module remove_reply_message_if_eap } # modules } # server server netid { # from file /etc/raddb/sites-enabled/netid modules { Module: Creating Auth-Type = LDAP Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_ldap Module: Instantiating module "netid1.ldap" from file /etc/raddb/mods-enabled/ldap ldap netid1.ldap { server = "<redacted>" port = 389 password = "<redacted>" identity = "<redacted>" net_timeout = 5 timeout = 4 timelimit = 3 /etc/raddb/mods-enabled/ldap[234]: "tls_mode" is deprecated. Please replace it with the up-to-date configuration tls_mode = no /etc/raddb/mods-enabled/ldap[234]: "start_tls" is deprecated. Please replace it with the up-to-date configuration start_tls = no /etc/raddb/mods-enabled/ldap[234]: "tls_require_cert" is deprecated. Please replace it with the up-to-date configuration tls_require_cert = "allow" basedn = "<redacted>" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" password_attribute = "userPassword" access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes set_auth_type = yes } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Creating new attribute netid1.ldap-Ldap-Group rlm_ldap: Registering ldap_groupcmp for netid1.ldap-Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name netid1.ldap rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x1c37530 Module: Instantiating module "netid2.ldap" from file /etc/raddb/mods-enabled/ldap ldap netid2.ldap { server = "<redacted>" port = 389 password = "<redacted>" identity = "<redacted>" net_timeout = 5 timeout = 4 timelimit = 3 /etc/raddb/mods-enabled/ldap[257]: "tls_mode" is deprecated. Please replace it with the up-to-date configuration tls_mode = no /etc/raddb/mods-enabled/ldap[257]: "start_tls" is deprecated. Please replace it with the up-to-date configuration start_tls = no /etc/raddb/mods-enabled/ldap[257]: "tls_require_cert" is deprecated. Please replace it with the up-to-date configuration tls_require_cert = "allow" basedn = "<redacted>" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" password_attribute = "userPassword" access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes set_auth_type = yes } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Creating new attribute netid2.ldap-Ldap-Group rlm_ldap: Registering ldap_groupcmp for netid2.ldap-Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name netid2.ldap rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x1c39a30 Module: Checking authorize {...} for more modules to load } # modules } # server server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server server captive_portal { # from file /etc/raddb/sites-enabled/captive_portal modules { Module: Checking authenticate {...} for more modules to load Module: Instantiating module "uw.ldap" from file /etc/raddb/mods-enabled/ldap ldap uw.ldap { server = "<redacted>" port = 389 password = "<redacted>" identity = "<redacted>" net_timeout = 5 timeout = 4 timelimit = 3 /etc/raddb/mods-enabled/ldap[206]: "tls_mode" is deprecated. Please replace it with the up-to-date configuration tls_mode = no /etc/raddb/mods-enabled/ldap[206]: "start_tls" is deprecated. Please replace it with the up-to-date configuration start_tls = no /etc/raddb/mods-enabled/ldap[206]: "tls_require_cert" is deprecated. Please replace it with the up-to-date configuration tls_require_cert = "allow" basedn = "<redacted>" filter = "(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" password_attribute = "userPassword" access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(memberof=%{control:Ldap-UserDn})(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))" groupmembership_attribute = "memberof" dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes set_auth_type = yes } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Creating new attribute uw.ldap-Ldap-Group rlm_ldap: Registering ldap_groupcmp for uw.ldap-Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name uw.ldap rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x1c3cd80 Module: Checking authorize {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 max_pps = 0 } listen { type = "acct" ipaddr = * port = 0 max_pps = 0 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 max_pps = 0 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Opening new proxy address * port 1814 Listening on proxy address * port 1814 Ready to process requests. Request output: rad_recv: Access-Request packet from host 172.x.x.x port 33182, id=67, length=170 NAS-IP-Address = 172.x.x.x NAS-Port = 0 NAS-Port-Type = Wireless-802.11 User-Name = "123" User-Password = "123" Calling-Station-Id = "<redacted>" Called-Station-Id = "<redacted>" Framed-IP-Address = 172.21.13.175 Service-Type = Login-User Aruba-Essid-Name = "wireless" Aruba-Location-Id = "AP1" Aruba-AP-Group = "MC-std" Message-Authenticator = 0x44be431a401e9bd87f9afb5305eb49ce (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) group authorize { (0) - entering group authorize {...} (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : No '@' in User-Name = "123", looking up realm NULL (0) suffix : Found realm "NULL" (0) suffix : Adding Stripped-User-Name = "123" (0) suffix : Adding Realm = "NULL" (0) suffix : Proxying request from user 123 to realm NULL (0) suffix : Preparing to proxy authentication request to realm "NULL" (0) [suffix] = updated (0) eap : No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop (0) [expiration] = noop (0) [logintime] = noop (0) [pap] = noop (0) WARNING: Empty pre-proxy section. Using default return values. Proxying to virtual server captive_portal (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) group authorize { (0) - entering group authorize {...} (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : Proxy reply, or no User-Name. Ignoring. (0) [suffix] = ok (0) [eap] = noop (0) [files] = noop (0) [expiration] = noop (0) [logintime] = noop (0) [pap] = noop (0) Auth-Type = Accept, accepting the user (0) Login OK: [123] (from client wn-wc-phy-211-a port 0 cli C8BCC8ED2768) (0) # Executing section post-auth from file /etc/raddb/sites-enabled/default (0) group post-auth { (0) - entering group post-auth {...} (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) - entering policy remove_reply_message_if_eap {...} (0) ? if (reply:EAP-Message && reply:Reply-Message) (0) ? Evaluating (reply:EAP-Message ) -> FALSE (0) ? Skipping (reply:Reply-Message) (0) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE (0) else else { (0) - entering else else {...} (0) [noop] = noop (0) - else else returns noop (0) - policy remove_reply_message_if_eap returns noop Sending Access-Accept of id 67 to 172.x.x.x port 33182 (0) Finished request 0. This part confuses me: Proxying to virtual server captive_portal (0) # Executing section authorize from file /etc/raddb/sites-enabled/default Dave A.
On 07/05/2012 12:24 AM, David Aldwinckle wrote:
Hello,
I am having a problem getting LDAP authentication working on FreeRADIUS Version 3.0.0. The behaviour I am experiencing is that the server will send an Access-Accept message without doing any checking of credentials. I would expect to see an LDAP bind, but that does not occur. In the debug output, I see a FreeRadius preparing to proxy, but this never happens. I'm hoping that I've overlooked something simple, it has been a while since I've done a fresh install.
You've most likely misconfigured the server, possibly without realising it. I note you are proxying the NULL realm to a local virtual server, which is a very not-default configuration.
(0) Auth-Type = Accept, accepting the user
Find out where this is configured, and remove it.
Hi, That is what I originally hoped for. Your post made me go back and rewrite my ldap module config, which in the end didn't change anything. I also did a search on the entire directory for any instances of "Auth-Type" to verify that I had not set it to "Accept". I found no occurrences that weren't in unused sites or documentation. So then I tried: 1. Uncommenting LDAP in the authorization and authentication sections of the default virtual server. They are commented out in my 2.2 config, because I don't use the default virtual server to handle ldap. More on this later. 2. Removed the NULL realm so that these requests would be handled locally. And success! A login that should work, works, and one that should not, doesn't. However, this isn't an acceptable solution in the long run. Then I tried adding the NULL realm back to proxy.conf to send the request to another virtual server, and adding a DEFAULT line to the users file, with Proxy-To-Realm, to make sure it gets there. I saw again that any random user and password would be accepted. I can clearly see the LDAP search fail with [ldap] = notfound. The reason I proxy the null realm is because of the variety of things the server has to handle: 1. local EAP and 802.1x - done in the default virtual server since you can't proxy twice. 2. proxying to eduroam - I use realm DEFAULT to send to the eduroam pool. 3. captive portal logins - no realm in username, ldap with group checking 4. vpn logins - no realm in username 5. network device management (ssh) - no realm in username, ldap with group checking 6. guest wireless authentication - no realm in username, different ldap server with group checking So, what I was doing was using the users file to match a specific attribute from each request, and then Proxy-To-Realm, so I could handle each in its own virtual server. I understand that its kind of ugly and I am open to suggestions on how to improve, or redesign if needed. Anyway, here is an example of the ldap search failing, but Access-Accept. rad_recv: Access-Request packet from host 172.x.x.x port 33182, id=73, length=170 Code: 1 Id: 73 Length: 170 Vector: 42ff0476073ba8c8168873d6f27aabd1 Data: 04 06 ac 10 20 8a 05 06 00 00 00 00 3d 06 00 00 00 13 01 05 31 32 33 02 12 03 c5 b2 f2 1f 3c 3b 4b f1 89 27 84 0c 63 6f b3 1f 0e 43 38 42 43 43 38 45 44 32 37 36 38 1e 0e 30 30 30 42 38 36 30 39 33 39 38 30 08 06 ac 15 0d af 06 06 00 00 00 01 1a 0e 000039e7 (14823) 05 08 75 77 2d 6e 73 64 1a 17 000039e7 (14823) 06 11 41 53 2d 41 50 2d 4d 43 2d 31 30 39 35 2d 42 1a 0e 000039e7 (14823) 0a 08 4d 43 2d 73 74 64 50 12 fb b9 f9 b2 c5 c3 8e 04 95 e6 03 39 64 97 79 4b NAS-IP-Address = 172.x.x.x NAS-Port = 0 NAS-Port-Type = Wireless-802.11 User-Name = "123" User-Password = "123" Calling-Station-Id = "redacted" Called-Station-Id = "redacted" Framed-IP-Address = 172.x.x.x Service-Type = Login-User Aruba-Essid-Name = "wireless" Aruba-Location-Id = "AP1" Aruba-AP-Group = "MC-std" Message-Authenticator = 0xfbb9f9b2c5c38e0495e603396497794b Thu Jul 5 07:59:33 2012 : Info: (0) # Executing section authorize from file /etc/raddb/sites-enabled/default Thu Jul 5 07:59:33 2012 : Info: (0) group authorize { Thu Jul 5 07:59:33 2012 : Info: (0) - entering group authorize {...} Thu Jul 5 07:59:33 2012 : Info: (0) [preprocess] = ok Thu Jul 5 07:59:33 2012 : Info: (0) [chap] = noop Thu Jul 5 07:59:33 2012 : Info: (0) [mschap] = noop Thu Jul 5 07:59:33 2012 : Info: (0) [digest] = noop Thu Jul 5 07:59:33 2012 : Info: (0) suffix : No '@' in User-Name = "123", looking up realm NULL Thu Jul 5 07:59:33 2012 : Info: (0) suffix : Found realm "NULL" Thu Jul 5 07:59:33 2012 : Info: (0) suffix : Adding Stripped-User-Name = "123" Thu Jul 5 07:59:33 2012 : Info: (0) suffix : Adding Realm = "NULL" Thu Jul 5 07:59:33 2012 : Info: (0) suffix : Proxying request from user 123 to realm NULL Thu Jul 5 07:59:33 2012 : Info: (0) suffix : Preparing to proxy authentication request to realm "NULL" Thu Jul 5 07:59:33 2012 : Info: (0) [suffix] = updated Thu Jul 5 07:59:33 2012 : Info: (0) eap : No EAP-Message, not doing EAP Thu Jul 5 07:59:33 2012 : Info: (0) [eap] = noop Thu Jul 5 07:59:33 2012 : Info: (0) files : users: Matched entry DEFAULT at line 207 Thu Jul 5 07:59:33 2012 : Info: (0) [files] = ok Thu Jul 5 07:59:33 2012 : Info: (0) ldap : performing user authorization for 123 Thu Jul 5 07:59:33 2012 : Info: (0) ldap : expand: %{Stripped-User-Name} -> 123 Thu Jul 5 07:59:33 2012 : Info: (0) ldap : expand: (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}}) -> (samaccountname=123) Thu Jul 5 07:59:33 2012 : Info: (0) ldap : expand: dc=ads,dc=xxxxxx,dc=ca -> dc=ads,dc=xxxxx,dc=ca Thu Jul 5 07:59:33 2012 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Thu Jul 5 07:59:33 2012 : Debug: [ldap] ldap_get_conn: Got Id: 0 Thu Jul 5 07:59:33 2012 : Debug: [ldap] attempting LDAP reconnection Thu Jul 5 07:59:33 2012 : Debug: [ldap] (re)connect to ldap.xxxxxx.ca:389, authentication 0 Thu Jul 5 07:59:33 2012 : Debug: [ldap] bind as AD\xxxxx/xxxxx to ldap.xxxxxx.ca:389 Thu Jul 5 07:59:33 2012 : Debug: [ldap] waiting for bind result ... Thu Jul 5 07:59:33 2012 : Debug: [ldap] Bind was successful Thu Jul 5 07:59:33 2012 : Debug: [ldap] performing search in dc=ads,dc=xxxxxx,dc=ca, with filter (samaccountname=123) Thu Jul 5 07:59:33 2012 : Debug: [ldap] object not found Thu Jul 5 07:59:33 2012 : Info: (0) ldap : search failed Thu Jul 5 07:59:33 2012 : Debug: [ldap] ldap_release_conn: Release Id: 0 Thu Jul 5 07:59:33 2012 : Info: (0) [ldap] = notfound Thu Jul 5 07:59:33 2012 : Info: (0) [expiration] = noop Thu Jul 5 07:59:33 2012 : Info: (0) [logintime] = noop Thu Jul 5 07:59:33 2012 : Info: (0) [pap] = noop Thu Jul 5 07:59:33 2012 : Info: (0) WARNING: Empty pre-proxy section. Using default return values. Thu Jul 5 07:59:33 2012 : Debug: Proxying to virtual server captive_portal Thu Jul 5 07:59:33 2012 : Info: (0) # Executing section authorize from file /etc/raddb/sites-enabled/default Thu Jul 5 07:59:33 2012 : Info: (0) group authorize { Thu Jul 5 07:59:33 2012 : Info: (0) - entering group authorize {...} Thu Jul 5 07:59:33 2012 : Info: (0) [preprocess] = ok Thu Jul 5 07:59:33 2012 : Info: (0) [chap] = noop Thu Jul 5 07:59:33 2012 : Info: (0) [mschap] = noop Thu Jul 5 07:59:33 2012 : Info: (0) [digest] = noop Thu Jul 5 07:59:33 2012 : Info: (0) suffix : Proxy reply, or no User-Name. Ignoring. Thu Jul 5 07:59:33 2012 : Info: (0) [suffix] = ok Thu Jul 5 07:59:33 2012 : Info: (0) [eap] = noop Thu Jul 5 07:59:33 2012 : Info: (0) files : users: Matched entry DEFAULT at line 207 Thu Jul 5 07:59:33 2012 : Info: (0) [files] = ok Thu Jul 5 07:59:33 2012 : Info: (0) ldap : performing user authorization for 123 Thu Jul 5 07:59:33 2012 : Info: (0) ldap : expand: %{Stripped-User-Name} -> 123 Thu Jul 5 07:59:33 2012 : Info: (0) ldap : expand: (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}}) -> (samaccountname=123) Thu Jul 5 07:59:33 2012 : Info: (0) ldap : expand: dc=ads,dc=xxxxxxxx,dc=ca -> dc=ads,dc=xxxxxxxx,dc=ca Thu Jul 5 07:59:33 2012 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Thu Jul 5 07:59:33 2012 : Debug: [ldap] ldap_get_conn: Got Id: 0 Thu Jul 5 07:59:33 2012 : Debug: [ldap] performing search in dc=ads,dc=xxxxxxx,dc=ca, with filter (samaccountname=123) Thu Jul 5 07:59:33 2012 : Debug: [ldap] object not found Thu Jul 5 07:59:33 2012 : Info: (0) ldap : search failed Thu Jul 5 07:59:33 2012 : Debug: [ldap] ldap_release_conn: Release Id: 0 Thu Jul 5 07:59:33 2012 : Info: (0) [ldap] = notfound Thu Jul 5 07:59:33 2012 : Info: (0) [expiration] = noop Thu Jul 5 07:59:33 2012 : Info: (0) [logintime] = noop Thu Jul 5 07:59:33 2012 : Info: (0) [pap] = noop Thu Jul 5 07:59:33 2012 : Info: (0) Auth-Type = Accept, accepting the user Thu Jul 5 07:59:33 2012 : Auth: (0) Login OK: [123] (from client wxxxxxxx port 0 cli C8BCC8ED2768) Thu Jul 5 07:59:33 2012 : Info: (0) # Executing section post-auth from file /etc/raddb/sites-enabled/default Thu Jul 5 07:59:33 2012 : Info: (0) group post-auth { Thu Jul 5 07:59:33 2012 : Info: (0) - entering group post-auth {...} Thu Jul 5 07:59:33 2012 : Info: (0) [exec] = noop Thu Jul 5 07:59:33 2012 : Info: (0) policy remove_reply_message_if_eap { Thu Jul 5 07:59:33 2012 : Info: (0) - entering policy remove_reply_message_if_eap {...} Thu Jul 5 07:59:33 2012 : Info: (0) ? if (reply:EAP-Message && reply:Reply-Message) Thu Jul 5 07:59:33 2012 : Info: (0) ? Evaluating (reply:EAP-Message ) -> FALSE Thu Jul 5 07:59:33 2012 : Info: (0) ? Skipping (reply:Reply-Message) Thu Jul 5 07:59:33 2012 : Info: (0) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE Thu Jul 5 07:59:33 2012 : Info: (0) else else { Thu Jul 5 07:59:33 2012 : Info: (0) - entering else else {...} Thu Jul 5 07:59:33 2012 : Info: (0) [noop] = noop Thu Jul 5 07:59:33 2012 : Info: (0) - else else returns noop Thu Jul 5 07:59:33 2012 : Info: (0) - policy remove_reply_message_if_eap returns noop Sending Access-Accept of id 73 to 172.16.32.138 port 33182 Code: 2 Id: 73 Length: 20 Vector: 69147ff0c996e2d6f56993d745fe3fca Dave A. On 2012-07-05, at 4:07 AM, Phil Mayers wrote: On 07/05/2012 12:24 AM, David Aldwinckle wrote:
Hello,
I am having a problem getting LDAP authentication working on FreeRADIUS Version 3.0.0. The behaviour I am experiencing is that the server will send an Access-Accept message without doing any checking of credentials. I would expect to see an LDAP bind, but that does not occur. In the debug output, I see a FreeRadius preparing to proxy, but this never happens. I'm hoping that I've overlooked something simple, it has been a while since I've done a fresh install.
You've most likely misconfigured the server, possibly without realising it. I note you are proxying the NULL realm to a local virtual server, which is a very not-default configuration.
(0) Auth-Type = Accept, accepting the user
Find out where this is configured, and remove it. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
David Aldwinckle wrote:
(0) WARNING: Empty pre-proxy section. Using default return values. Proxying to virtual server captive_portal (0) # Executing section authorize from file /etc/raddb/sites-enabled/default
That doesn't make sense. You've broken the configuration somehow. Don't do that. If I take your virtual server "captive_portal" and NULL realm configuration, it works for me.
This part confuses me:
Proxying to virtual server captive_portal (0) # Executing section authorize from file /etc/raddb/sites-enabled/default
Yes. It's not supposed to do that. It doesn't do that in the default configuration. Alan DeKok.
Hi, Thanks for your response. I'll throw on a fresh install and if that doesn't work, maybe there is a problem with how I've built the RHEL6 rpm. Thanks, Dave On 2012-07-06, at 11:50 AM, Alan DeKok wrote: David Aldwinckle wrote:
(0) WARNING: Empty pre-proxy section. Using default return values. Proxying to virtual server captive_portal (0) # Executing section authorize from file /etc/raddb/sites-enabled/default
That doesn't make sense. You've broken the configuration somehow. Don't do that. If I take your virtual server "captive_portal" and NULL realm configuration, it works for me.
This part confuses me:
Proxying to virtual server captive_portal (0) # Executing section authorize from file /etc/raddb/sites-enabled/default
Yes. It's not supposed to do that. It doesn't do that in the default configuration. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
David Aldwinckle -
Phil Mayers