Re: Help for configuration 3.0.11
Thanks for your help! The main problem was to notice, that the ldap user has rights to search through ldap, but was denied to get the NT-Password Hash because its IP was not recognized. ldap authentification now runs like a charme! Only thing left is, that freeradius seems not to close the ldap-connection. The ldap-admin says there are "error 11"s while the connection runs into a timeout and ldap then closes the connection after 60s or so. Any guesses where to start? Freeradius is also configured to work with Accounting, is FR trying to hold the connection for setting attributes or something like this? Thanks a lot! P.S. I have to correct the version, it's a 3.0.12 build from last week. Am Donnerstag, 29. September 2016, 13:32:33 CEST schrieb freeradius-users- request@lists.freeradius.org:
Message: 3 Date: Thu, 29 Sep 2016 12:08:20 +0100 From: Brian Candler <b.candler@pobox.com> To: Philipp Trenz <mail@philipptrenz.de>, freeradius-users@lists.freeradius.org Subject: Re: Help for configuration 3.0.11 Message-ID: <dd527617-ed09-10f3-1c63-9daa2b9f06d7@pobox.com> Content-Type: text/plain; charset=utf-8; format=flowed
On 28/09/2016 18:21, Philipp Trenz wrote:
As I understand, PEAP gets processed within the outer default-virtual server and this passes the inner MS-CHAPv2 to inner-tunnel. Now I'm not shure if it has to be processed through the mschap-module or through ldap-module.
Both.
If mschap-module where or when does freeradius get the NT-Password from LDAP? Does the mschap-module trigger the ldap-module?
You use the ldap module during the "authorize" phase, which finds the account and reads out the NT password hash. Then you use the mschap module during the "authenticate" phase, which actually checks the supplied password against the NT password hash.
It is very important to remember that FreeRADIUS runs the authorize modules *first*, and the authenticate modules at the end.
There are a couple of good articles here, specifically for using FreeRADIUS with a FreeIPA backend:
http://firstyear.id.au/blog/html/2016/01/13/FreeRADIUS:_Using_mschapv2_with_ freeipa.html http://firstyear.id.au/blog/html/2015/07/06/FreeIPA:_Giving_permissions_to_ service_accounts..html
They also gives the fu required to get FreeIPA to store the ipaNTHash attribute, and to selectively expose it to the RADIUS server.
(You don't want to expose your NT password hashes to the whole world; they are essentially plain text passwords in their own right. A client can use the NT password hash by itself to authenticate, without having to brute force it)
Regards,
Brian.
On 29/09/2016 15:14, Philipp Trenz wrote:
Only thing left is, that freeradius seems not to close the ldap-connection. Correct. It keeps a pool of LDAP connections open for future use.
The ldap-admin says there are "error 11"s while the connection runs into a timeout and ldap then closes the connection after 60s or so. Any guesses where to start?
In mods-available/ldap: # LDAP_OPT_X_KEEPALIVE_IDLE idle = 60 Also look at the pool { ... } section, which in turn makes use of values set in the top-level radiusd.conf such as start_servers, max_servers etc. I'm not entirely clear whether the errors you are seeing are because freeradius is closing the connection after 60 seconds of it being unused, or the server is doing so. Either way, there are knobs you can tweak.
Am Donnerstag, 29. September 2016, 15:20:15 CEST schrieben Sie:
On 29/09/2016 15:14, Philipp Trenz wrote:
Only thing left is, that freeradius seems not to close the ldap-connection.
Correct. It keeps a pool of LDAP connections open for future use.
The ldap-admin
says there are "error 11"s while the connection runs into a timeout and ldap then closes the connection after 60s or so. Any guesses where to start?
In mods-available/ldap:
# LDAP_OPT_X_KEEPALIVE_IDLE
idle = 60
Also look at the pool { ... } section, which in turn makes use of values set in the top-level radiusd.conf such as start_servers, max_servers etc.
I'm not entirely clear whether the errors you are seeing are because freeradius is closing the connection after 60 seconds of it being unused, or the server is doing so. Either way, there are knobs you can tweak.
Thanks, I'll check that.
On Sep 29, 2016, at 10:14 AM, Philipp Trenz <mail@philipptrenz.de> wrote:
Thanks for your help! The main problem was to notice, that the ldap user has rights to search through ldap, but was denied to get the NT-Password Hash because its IP was not recognized. ldap authentification now runs like a charm!
That's a common issue.
Only thing left is, that freeradius seems not to close the ldap-connection. The ldap-admin says there are "error 11"s while the connection runs into a timeout and ldap then closes the connection after 60s or so. Any guesses where to start?
FreeRADIUS re-uses the same LDAP connection for multiple requests. This is for performance.
Freeradius is also configured to work with Accounting, is FR trying to hold the connection for setting attributes or something like this?
If you have one user authenticating, opening and then closing the LDAP connection is fine. If you have thousands of users authenticating, you want to re-use connections for multiple users. Alan DeKok.
participants (3)
-
Alan DeKok -
Brian Candler -
Philipp Trenz