AD Authentication via python module eventually fails
Hi guys, I have a freeradius 3.0.16 (ubuntu 18.04.3) running authenticating users against an AD via ldap binds, I call a module (small python program) that calls the ldap binds, etc. So this module's return value indicates to the freeradius if auth was successful or not. From time to time the server starts to return (maybe a month) auth failures. I believe that this module loading for each auth user makes the server's state change or in general leave it in a unconsistent state. The module is loaded from the 'python' module putting the name of the module's filename. This module is on /usr/lib/python2.7/custom_module.py. This configuration was transfered from another (older freeradius version, ubuntu 16.04) to this new freeradius server. I suggested go through the ntlm_auth route but the IT manager decided to go this route (the module using ldap binds) which it works but we have this problem and the original person that used the module also have. I wonder if anybody can iluminate what's happening at the server state level. To fix this I have to restart the freeradius process and everything start to work again so it's not something on the AD side. I suspect an 'in-memory' state or something is the cause. Any ideas? Thanks,
hi, any reason why python is being used at all - not having seen the script not sure why you arent just doing everything native in FR ? alan On Wed, 2 Oct 2019 at 21:08, Orestes Leal Rodríguez <olealrd1981@gmail.com> wrote:
Hi guys,
I have a freeradius 3.0.16 (ubuntu 18.04.3) running authenticating users against an AD via ldap binds, I call a module (small python program) that calls the ldap binds, etc. So this module's return value indicates to the freeradius if auth was successful or not. From time to time the server starts to return (maybe a month) auth failures. I believe that this module loading for each auth user makes the server's state change or in general leave it in a unconsistent state. The module is loaded from the 'python' module putting the name of the module's filename. This module is on /usr/lib/python2.7/custom_module.py. This configuration was transfered from another (older freeradius version, ubuntu 16.04) to this new freeradius server. I suggested go through the ntlm_auth route but the IT manager decided to go this route (the module using ldap binds) which it works but we have this problem and the original person that used the module also have. I wonder if anybody can iluminate what's happening at the server state level. To fix this I have to restart the freeradius process and everything start to work again so it's not something on the AD side. I suspect an 'in-memory' state or something is the cause. Any ideas?
Thanks, - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Alan, I mentioned in the other email it was the boss' decision. I cannot do anything if he doesn't want to do it another way (I suggested go through ntlm_auth but it was not chosen. On 10/2/19, Alan Buxey <alan.buxey@gmail.com> wrote:
hi,
any reason why python is being used at all - not having seen the script
The script just import the ldap module, binds to a GC server to fullfills the authentication requests and return falsoe y the password is incorrect or the account it's not found, or true if the auth was correct. We have two backends domains so that was the reason it was done this way (although I had an alternative doing the same using ntlm_auth). not sure why you arent
just doing everything native in FR ?
alan
On Wed, 2 Oct 2019 at 21:08, Orestes Leal Rodríguez <olealrd1981@gmail.com> wrote:
Hi guys,
I have a freeradius 3.0.16 (ubuntu 18.04.3) running authenticating users against an AD via ldap binds, I call a module (small python program) that calls the ldap binds, etc. So this module's return value indicates to the freeradius if auth was successful or not. From time to time the server starts to return (maybe a month) auth failures. I believe that this module loading for each auth user makes the server's state change or in general leave it in a unconsistent state. The module is loaded from the 'python' module putting the name of the module's filename. This module is on /usr/lib/python2.7/custom_module.py. This configuration was transfered from another (older freeradius version, ubuntu 16.04) to this new freeradius server. I suggested go through the ntlm_auth route but the IT manager decided to go this route (the module using ldap binds) which it works but we have this problem and the original person that used the module also have. I wonder if anybody can iluminate what's happening at the server state level. To fix this I have to restart the freeradius process and everything start to work again so it's not something on the AD side. I suspect an 'in-memory' state or something is the cause. Any ideas?
Thanks, - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Oct 2, 2019, at 5:39 PM, Orestes Leal Rodríguez <olealrd1981@gmail.com> wrote:
I mentioned in the other email it was the boss' decision. I cannot do anything if he doesn't want to do it another way (I suggested go through ntlm_auth but it was not chosen.
So he's making decisions which break the corporate infrastructure? Nice.
The script just import the ldap module, binds to a GC server to fullfills the authentication requests and return falsoe y the password is incorrect or the account it's not found, or true if the auth was correct.
FreeRADIUS can do this with the native LDAP module. You don't need to do ntlm_auth.
We have two backends domains so that was the reason it was done this way (although I had an alternative doing the same using ntlm_auth).
FreeRADIUS can use two LDAP modules, one for each back-end domain. It's simpler, faster, more standard, and it *works*. I'd say tell your boss that he's wrong, but I'm sure he already knows that. Alan DeKok.
Hello, I'm entirely new to the whole Captive Portal procedure, but I'm learning about it because I need to control guest access to my newly very fast broadband (4G). As part of that process I thought I'd start by setting up a Freeradius server. I run our B&B web site (and several others, for clients) on a cloud server (the OS is Centos 7). Naturally this runs an Apache server, and MySQL. I assumed that the Freeradius server would run alongside these. Is that correct? I set it up via SSH following the 'hard way' described at: https://draculaservers.com/tutorials/freeradius-centos-7-mysql/ Everything appeared to go perfectly, to the point where it appeared I could run the Freeradius server in debug mode. Then I spotted that I could no longer log in to my WHM/cPanel, nor could I access several of the hosted web sites. I couldn't allow that situation to continue. So I disabled the Freeradius server and the 'firewalld' services. After rebooting the cloud server things cam back to normal. I'm not sure, but I suspect the problem may have been in the 'firewalld' settings. Would these have over-ridden the normal server firewall policy? If so, what should I do about it? I could add the 1812 and 1813 ports to the existing firewall policy, but would that work? I'd be grateful for some help here, please. Tim Dawson -- Tim Dawson Maolbhuidhe Fionnphort Isle of Mull PA66 6BP 01681 700718
On Oct 2, 2019, at 7:18 PM, Tim Dawson <tim@ramasaig.com> wrote:
I'm entirely new to the whole Captive Portal procedure, but I'm learning about it because I need to control guest access to my newly very fast broadband (4G). As part of that process I thought I'd start by setting up a Freeradius server.
I run our B&B web site (and several others, for clients) on a cloud server (the OS is Centos 7). Naturally this runs an Apache server, and MySQL. I assumed that the Freeradius server would run alongside these. Is that correct?
If you want to set it up that way, sure. The main criteria is that the captive portal is able to send RADIUS packets to the RADIUS server. Preferably over IPSec, too.
I set it up via SSH following the 'hard way' described at: https://draculaservers.com/tutorials/freeradius-centos-7-mysql/
If it works, I guess.
Everything appeared to go perfectly, to the point where it appeared I could run the Freeradius server in debug mode. Then I spotted that I could no longer log in to my WHM/cPanel, nor could I access several of the hosted web sites. I couldn't allow that situation to continue.
So I disabled the Freeradius server and the 'firewalld' services. After rebooting the cloud server things cam back to normal.
I'm not sure, but I suspect the problem may have been in the 'firewalld' settings. Would these have over-ridden the normal server firewall policy? If so, what should I do about it?
Fix the firewall so that it doesn't block web access?
I could add the 1812 and 1813 ports to the existing firewall policy, but would that work?
That won't help for web access. It's not really clear what you're doing. I suspect the underlying issues have nothing to do with FreeRADIUS though. Alan DeKok.
Thank you for your reply. I'm sorry if it's not really clear what I'm doing. The link I sent contained every command line I used, though I realise it would be tedious to follow it all. Maybe what I'm doing isn't the right thing at all, but then that's why I come to a mailing list like this, for help. My understanding was simply that I needed to have a Radius Server available. I thought the obvious place to have it would be on my cloud server. I imagine that's where the captive portal will live too. I will try to get a better understanding of the whole Captive Portal procedure and then return if necessary to ask specific questions about Freeradius. Regards, Tim Dawson On 03/10/2019 01:14, Alan DeKok wrote:
On Oct 2, 2019, at 7:18 PM, Tim Dawson <tim@ramasaig.com> wrote:
I'm entirely new to the whole Captive Portal procedure, but I'm learning about it because I need to control guest access to my newly very fast broadband (4G). As part of that process I thought I'd start by setting up a Freeradius server.
I run our B&B web site (and several others, for clients) on a cloud server (the OS is Centos 7). Naturally this runs an Apache server, and MySQL. I assumed that the Freeradius server would run alongside these. Is that correct?
If you want to set it up that way, sure. The main criteria is that the captive portal is able to send RADIUS packets to the RADIUS server. Preferably over IPSec, too.
I set it up via SSH following the 'hard way' described at: https://draculaservers.com/tutorials/freeradius-centos-7-mysql/
If it works, I guess.
Everything appeared to go perfectly, to the point where it appeared I could run the Freeradius server in debug mode. Then I spotted that I could no longer log in to my WHM/cPanel, nor could I access several of the hosted web sites. I couldn't allow that situation to continue.
So I disabled the Freeradius server and the 'firewalld' services. After rebooting the cloud server things cam back to normal.
I'm not sure, but I suspect the problem may have been in the 'firewalld' settings. Would these have over-ridden the normal server firewall policy? If so, what should I do about it?
Fix the firewall so that it doesn't block web access?
I could add the 1812 and 1813 ports to the existing firewall policy, but would that work?
That won't help for web access.
It's not really clear what you're doing. I suspect the underlying issues have nothing to do with FreeRADIUS though.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Tim Dawson Maolbhuidhe Fionnphort Isle of Mull PA66 6BP 01681 700718
On Oct 3, 2019, at 4:03 AM, Tim Dawson <tim@ramasaig.com> wrote:
I'm sorry if it's not really clear what I'm doing. The link I sent contained every command line I used, though I realise it would be tedious to follow it all. Maybe what I'm doing isn't the right thing at all, but then that's why I come to a mailing list like this, for help.
If you have an issue with someone else's documentation, then ask them for help. It's not appropriate to ask me to read through a long installation guide, especially when 75% or more is unrelated to FreeRADIUS. This list is for help with FreeRADIUS. It is *not* for getting general system administration help.
My understanding was simply that I needed to have a Radius Server available. I thought the obvious place to have it would be on my cloud server. I imagine that's where the captive portal will live too.
That's not the way that captive portals usually work. They sit at the edge, and usually they're the local router / firewall.
I will try to get a better understanding of the whole Captive Portal procedure and then return if necessary to ask specific questions about Freeradius.
That would help. Alan DeKok.
participants (4)
-
Alan Buxey -
Alan DeKok -
Orestes Leal Rodríguez -
Tim Dawson