FreeRADIUS 3.0.12 + openLDAP + Apple access point?
Hello... At the dawn of time, I set up a FreeRADIUS 2.x server with an openLDAP backend for use with my Apple access points. This has worked for years. I am now trying to make the same confuguration with FreeRADIUS 3.0.12 in a FreeBSD jail. Unfortunately, I can not make it work. Testing pap works: radtest -x -t pap .... Testing mschap works: radtest -x -t mschap .... I have NTpasswords in my ldap-database, and FreeRADIUS picks them up. I just don't unerstand why access is not beeing granted by the access points. I have pasted the lengthy log of a failed attempt here: https://pastebin.com/CLqegYRe It looks to me like this is where it goes wrong: ... ... (18) files: Performing search in "dc=services,o=kontrapunkt,dc=example,dc=com" with filter "(&(cn=kp-vpn-cph)(objectC" (18) files: Waiting for search result... (18) files: User found in group object "dc=services,o=kontrapunkt,dc=example,dc=com" rlm_ldap (ldap): Released connection (4) (18) files: users: Matched entry DEFAULT at line 63 (18) [files] = ok rlm_ldap (ldap): Reserved connection (0) (18) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (18) ldap: --> (uid=bj) (18) ldap: Performing search in "o=kontrapunkt,dc=example,dc=com" with filter "(uid=bj)", scope "sub" (18) ldap: Waiting for search result... (18) ldap: User object found at DN "uid=bj,ou=people,l=copenhagen,c=dk,o=kontrapunkt,dc=example,dc=com" (18) ldap: Processing user attributes (18) ldap: control:Password-With-Header += '{CRYPT}$*****' (18) ldap: control:NT-Password := 0x3437413634423334324442384133314330313831413644453134393237413931 rlm_ldap (ldap): Released connection (0) (18) [ldap] = updated (18) [expiration] = noop (18) [logintime] = noop (18) pap: Converted: &control:Password-With-Header -> &control:Crypt-Password (18) pap: Removing &control:Password-With-Header (18) pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes (18) pap: WARNING: Auth-Type already set. Not setting to PAP (18) [pap] = noop (18) } # authorize = updated (18) Found Auth-Type = Reject (18) Auth-Type = Reject, rejecting user (18) Failed to authenticate the user (18) Using Post-Auth-Type Reject (18) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (18) Post-Auth-Type REJECT { (18) attr_filter.access_reject: EXPAND %{User-Name} (18) attr_filter.access_reject: --> bj (18) attr_filter.access_reject: Matched entry DEFAULT at line 11 (18) [attr_filter.access_reject] = updated (18) update outer.session-state { (18) No attributes updated (18) } # update outer.session-state = noop (18) } # Post-Auth-Type REJECT = updated (18) } # server inner-tunnel (18) Virtual server sending reply ... ... Thank you, Tobias
On Wed, 2017-12-06 at 13:20 +0000, Tobias Balle-Petersen wrote:
I have pasted the lengthy log of a failed attempt here: https://pastebin.com/CLqegYRe
Please just send it to the list. (18) files: users: Matched entry DEFAULT at line 63 What is on line 63 of the users file? -- Matthew
On Dec 6, 2017, at 8:20 AM, Tobias Balle-Petersen <tobiasbp@gmail.com> wrote:
At the dawn of time, I set up a FreeRADIUS 2.x server with an openLDAP backend for use with my Apple access points. This has worked for years.
That's common. I've seen people with installations that are 10+ years old. If it works... why change it?
I am now trying to make the same confuguration with FreeRADIUS 3.0.12 in a FreeBSD jail. Unfortunately, I can not make it work.
Follow the guide: http://deployingradius.com/documents/configuration/eap.html And test the "inner-tunnel" first. Read the comments at the start of that file for more details.
I have pasted the lengthy log of a failed attempt here: https://pastebin.com/CLqegYRe
It looks to me like this is where it goes wrong: ... (18) pap: WARNING: Auth-Type already set. Not setting to PAP (18) [pap] = noop (18) } # authorize = updated (18) Found Auth-Type = Reject (18) Auth-Type = Reject, rejecting user
That means the "Auth-Type = Reject" was set somewhere long before that message is printed. Read the *rest* of the log to look for Reject, or something that might set it. Specifically:
(8) files: users: Matched entry DEFAULT at line 63
As ALWAYS, the default configuration works. Install it, add a user, configure a cert, and EAP for WiFi *will* work. Many people start mashing all kinds of things into the config without testing. Then, after a few days of editing, it doesn't work. Since they *never* tested it, it never worked, and they have no idea where it went from "working" to "not working". Take a methodical approach to changing the configuration. And *test* it every time you make a change. This is all documented in "man radiusd". Alan DeKok.
participants (3)
-
Alan DeKok -
Matthew Newton -
Tobias Balle-Petersen