Problems to authenticate against an Azure AD -Ldap
Hi folks, i hopw you can help after reading thousends articles and making hundred of trials with the freeradius with no succes. Here ist the situation, we have an Azure AD and for this an ldap server front-end. So i could connect to the AD over the ldap. for testing reason i implementet an Local openldap server and testet ist with the eapol test and it works without problems, but if i change the ldap connection to the azure/ldap i got the following error: 5) ldap_khs: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (5) ldap_khs: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) regards Uwe
On Sep 21, 2023, at 7:13 AM, Uwe Faber <uf@zkm.de> wrote:
Hi folks, i hopw you can help after reading thousends articles and making hundred of trials with the freeradius with no succes. Here ist the situation, we have an Azure AD and for this an ldap server front-end. So i could connect to the AD over the ldap.
for testing reason i implementet an Local openldap server and testet ist with the eapol test and it works without problems, but if i change the ldap connection to the azure/ldap i got the following error:
So... "I did a bunch of stuff and it didn't work. How do I fix it?" Answer: do different stuff.
5) ldap_khs: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (5) ldap_khs: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
I still don't understand why people work *very* hard to ignore all of the debug output and the documentation which says POST ALL OF THE DEBUG OUTPUT. If you're doing PEAP/MS-CHAP to Azure AD, it won't work. Stop trying. Use EAP-TTLS with PAP, and then use LDAP "bind as user" (Auth-Type LDAP) in order to hand the password to AD. Alan DeKok.
Alan DeKok schrieb:
On Sep 21, 2023, at 7:13 AM, Uwe Faber <uf@zkm.de> wrote:
Hi folks, i hopw you can help after reading thousends articles and making hundred of trials with the freeradius with no succes. Here ist the situation, we have an Azure AD and for this an ldap server front-end. So i could connect to the AD over the ldap.
for testing reason i implementet an Local openldap server and testet ist with the eapol test and it works without problems, but if i change the ldap connection to the azure/ldap i got the following error: So... "I did a bunch of stuff and it didn't work. How do I fix it?"
Answer: do different stuff.
5) ldap_khs: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (5) ldap_khs: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) I still don't understand why people work *very* hard to ignore all of the debug output and the documentation which says POST ALL OF THE DEBUG OUTPUT.
If you're doing PEAP/MS-CHAP to Azure AD, it won't work. Stop trying.
Use EAP-TTLS with PAP, and then use LDAP "bind as user" (Auth-Type LDAP) in order to hand the password to AD.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html here the debug output
(0) Received Access-Request Id 0 from 127.0.0.1:43649 to 127.0.0.1:1812 length 170 (0) User-Name = "anonymous@karlshochschule.de" (0) NAS-IP-Address = 127.0.0.1 (0) Calling-Station-Id = "02-00-00-00-00-01" (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) Connect-Info = "CONNECT 11Mbps 802.11b" (0) EAP-Message = 0x02f3002101616e6f6e796d6f7573406b61726c73686f6368736368756c652e6465 (0) Message-Authenticator = 0x9d186575265e9dca32181993f9c38b65 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default-khs (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "karlshochschule.de" for User-Name = "anonymous@karlshochschule.de" (0) suffix: Found realm "karlshochschule.de" (0) suffix: Adding Stripped-User-Name = "anonymous" (0) suffix: Adding Realm = "karlshochschule.de" (0) suffix: Authentication realm is LOCAL (0) [suffix] = ok (0) if (!&Realm) { (0) if (!&Realm) -> FALSE (0) eap: Peer sent EAP Response (code 2) ID 243 length 33 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default-khs (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_ttls to process data (0) eap_ttls: Initiating new EAP-TLS session (0) eap_ttls: [eaptls start] = request (0) eap: Sending EAP Request (code 1) ID 244 length 6 (0) eap: EAP session adding &reply:State = 0x7147c84d71b3dd8c (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default-khs (0) Sent Access-Challenge Id 0 from 127.0.0.1:1812 to 127.0.0.1:43649 length 0 (0) EAP-Message = 0x01f400061520 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x7147c84d71b3dd8c1f070e9e942e974a (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 1 from 127.0.0.1:43649 to 127.0.0.1:1812 length 345 (1) User-Name = "anonymous@karlshochschule.de" (1) NAS-IP-Address = 127.0.0.1 (1) Calling-Station-Id = "02-00-00-00-00-01" (1) Framed-MTU = 1400 (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) Connect-Info = "CONNECT 11Mbps 802.11b" (1) EAP-Message = 0x02f400be150016030100b3010000af0303cf3b445b29290ef9f32015e464ef9a751992d449f9c1e3fadd708884da021235000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100004e000b0004030001 (1) State = 0x7147c84d71b3dd8c1f070e9e942e974a (1) Message-Authenticator = 0x60f1adc479ab8e933ce74dfd55181b1e (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default-khs (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) suffix: Checking for suffix after "@" (1) suffix: Looking up realm "karlshochschule.de" for User-Name = "anonymous@karlshochschule.de" (1) suffix: Found realm "karlshochschule.de" (1) suffix: Adding Stripped-User-Name = "anonymous" (1) suffix: Adding Realm = "karlshochschule.de" (1) suffix: Authentication realm is LOCAL (1) [suffix] = ok (1) if (!&Realm) { (1) if (!&Realm) -> FALSE (1) eap: Peer sent EAP Response (code 2) ID 244 length 190 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default-khs (1) authenticate { (1) eap: Expiring EAP session with state 0x7147c84d71b3dd8c (1) eap: Finished EAP session with state 0x7147c84d71b3dd8c (1) eap: Previous EAP request found for state 0x7147c84d71b3dd8c, released from the list (1) eap: Peer sent packet with method EAP TTLS (21) (1) eap: Calling submodule eap_ttls to process data (1) eap_ttls: Authenticate (1) eap_ttls: Continuing EAP-TLS (1) eap_ttls: Got final TLS record fragment (184 bytes) (1) eap_ttls: WARNING: Total received TLS record fragments (184 bytes), does not equal indicated TLS record length (0 bytes) (1) eap_ttls: [eaptls verify] = ok (1) eap_ttls: Done initial handshake (1) eap_ttls: (other): before SSL initialization (1) eap_ttls: TLS_accept: before SSL initialization (1) eap_ttls: TLS_accept: before SSL initialization (1) eap_ttls: <<< recv UNKNOWN TLS VERSION ?0304? [length 00b3] (1) eap_ttls: TLS_accept: SSLv3/TLS read client hello (1) eap_ttls: >>> send TLS 1.2 [length 003d] (1) eap_ttls: TLS_accept: SSLv3/TLS write server hello (1) eap_ttls: >>> send TLS 1.2 [length 06ae] (1) eap_ttls: TLS_accept: SSLv3/TLS write certificate (1) eap_ttls: >>> send TLS 1.2 [length 022c] (1) eap_ttls: TLS_accept: SSLv3/TLS write key exchange (1) eap_ttls: >>> send TLS 1.2 [length 0004] (1) eap_ttls: TLS_accept: SSLv3/TLS write server done (1) eap_ttls: TLS_accept: Need to read more data: SSLv3/TLS write server done (1) eap_ttls: In SSL Handshake Phase (1) eap_ttls: In SSL Accept mode (1) eap_ttls: [eaptls process] = handled (1) eap: Sending EAP Request (code 1) ID 245 length 1014 (1) eap: EAP session adding &reply:State = 0x7147c84d70b2dd8c (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default-khs (1) Sent Access-Challenge Id 1 from 127.0.0.1:1812 to 127.0.0.1:43649 length 0 (1) EAP-Message = 0x01f503f615c00000092f160303003d0200003903036ead001a5fcd107ae275a24d91c469ce7db00ead3656cc2d444f574e4752440100c030000011ff01000100000b0004030001020017000016030306ae0b0006aa0006a70006a4308206a030820488a003020102020900bb42a628d2722440300d0609 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x7147c84d70b2dd8c1f070e9e942e974a (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 2 from 127.0.0.1:43649 to 127.0.0.1:1812 length 161 (2) User-Name = "anonymous@karlshochschule.de" (2) NAS-IP-Address = 127.0.0.1 (2) Calling-Station-Id = "02-00-00-00-00-01" (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) Service-Type = Framed-User (2) Connect-Info = "CONNECT 11Mbps 802.11b" (2) EAP-Message = 0x02f500061500 (2) State = 0x7147c84d70b2dd8c1f070e9e942e974a (2) Message-Authenticator = 0x63ba835e9e97dc2c21b2135cf8dab043 (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default-khs (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) suffix: Checking for suffix after "@" (2) suffix: Looking up realm "karlshochschule.de" for User-Name = "anonymous@karlshochschule.de" (2) suffix: Found realm "karlshochschule.de" (2) suffix: Adding Stripped-User-Name = "anonymous" (2) suffix: Adding Realm = "karlshochschule.de" (2) suffix: Authentication realm is LOCAL (2) [suffix] = ok (2) if (!&Realm) { (2) if (!&Realm) -> FALSE (2) eap: Peer sent EAP Response (code 2) ID 245 length 6 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default-khs (2) authenticate { (2) eap: Expiring EAP session with state 0x7147c84d70b2dd8c (2) eap: Finished EAP session with state 0x7147c84d70b2dd8c (2) eap: Previous EAP request found for state 0x7147c84d70b2dd8c, released from the list (2) eap: Peer sent packet with method EAP TTLS (21) (2) eap: Calling submodule eap_ttls to process data (2) eap_ttls: Authenticate (2) eap_ttls: Continuing EAP-TLS (2) eap_ttls: Peer ACKed our handshake fragment (2) eap_ttls: [eaptls verify] = request (2) eap_ttls: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 246 length 1014 (2) eap: EAP session adding &reply:State = 0x7147c84d73b1dd8c (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default-khs (2) Sent Access-Challenge Id 2 from 127.0.0.1:1812 to 127.0.0.1:43649 length 0 (2) EAP-Message = 0x01f603f615c00000092f07a5bce150289ec883f5c159a3e4a90c89c78846700415571d88542761e9972724f4a90c8ee8bb817865b11ce9f05cc051b2014902535224805acc9dd5965593794322f617c3e9dead670d26818eccdbdad8133b1e2f78255b0203010001a3819430819130090603551d130402 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x7147c84d73b1dd8c1f070e9e942e974a (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 3 from 127.0.0.1:43649 to 127.0.0.1:1812 length 161 (3) User-Name = "anonymous@karlshochschule.de" (3) NAS-IP-Address = 127.0.0.1 (3) Calling-Station-Id = "02-00-00-00-00-01" (3) Framed-MTU = 1400 (3) NAS-Port-Type = Wireless-802.11 (3) Service-Type = Framed-User (3) Connect-Info = "CONNECT 11Mbps 802.11b" (3) EAP-Message = 0x02f600061500 (3) State = 0x7147c84d73b1dd8c1f070e9e942e974a (3) Message-Authenticator = 0x669f156a27bfaedd4a4b920612820d39 (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default-khs (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) suffix: Checking for suffix after "@" (3) suffix: Looking up realm "karlshochschule.de" for User-Name = "anonymous@karlshochschule.de" (3) suffix: Found realm "karlshochschule.de" (3) suffix: Adding Stripped-User-Name = "anonymous" (3) suffix: Adding Realm = "karlshochschule.de" (3) suffix: Authentication realm is LOCAL (3) [suffix] = ok (3) if (!&Realm) { (3) if (!&Realm) -> FALSE (3) eap: Peer sent EAP Response (code 2) ID 246 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default-khs (3) authenticate { (3) eap: Expiring EAP session with state 0x7147c84d73b1dd8c (3) eap: Finished EAP session with state 0x7147c84d73b1dd8c (3) eap: Previous EAP request found for state 0x7147c84d73b1dd8c, released from the list (3) eap: Peer sent packet with method EAP TTLS (21) (3) eap: Calling submodule eap_ttls to process data (3) eap_ttls: Authenticate (3) eap_ttls: Continuing EAP-TLS (3) eap_ttls: Peer ACKed our handshake fragment (3) eap_ttls: [eaptls verify] = request (3) eap_ttls: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 247 length 353 (3) eap: EAP session adding &reply:State = 0x7147c84d72b0dd8c (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default-khs (3) Sent Access-Challenge Id 3 from 127.0.0.1:1812 to 127.0.0.1:43649 length 0 (3) EAP-Message = 0x01f7016115800000092fd193786f177d2c11a0db978590610aa2c9ccb04fd3a595cde36ece47874024cd74dc85d60501ccbd0b3d5327d3475e5796e0769cf14476f1fc0354e39d3b9e0312c66d542b08fb4c3f3d00931334fe4049158725e0ec6be1da2d4c7d2f7f7bd482b3c2159646137de9ec82be0e (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x7147c84d72b0dd8c1f070e9e942e974a (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 4 from 127.0.0.1:43649 to 127.0.0.1:1812 length 254 (4) User-Name = "anonymous@karlshochschule.de" (4) NAS-IP-Address = 127.0.0.1 (4) Calling-Station-Id = "02-00-00-00-00-01" (4) Framed-MTU = 1400 (4) NAS-Port-Type = Wireless-802.11 (4) Service-Type = Framed-User (4) Connect-Info = "CONNECT 11Mbps 802.11b" (4) EAP-Message = 0x02f70063150016030300251000002120bb1c8623cce4fcdd9969e81d38e5ce4869085c7f00628eab184bd12844bb205014030300010116030300289fba59a5dc9971e195f63c4b77230687c8ea837e3e4a0b8e30a742e55b6e05b64100a59dc08c19f2 (4) State = 0x7147c84d72b0dd8c1f070e9e942e974a (4) Message-Authenticator = 0x65cf15a9d2b9b7a35991fa06afb4fb42 (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default-khs (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) suffix: Checking for suffix after "@" (4) suffix: Looking up realm "karlshochschule.de" for User-Name = "anonymous@karlshochschule.de" (4) suffix: Found realm "karlshochschule.de" (4) suffix: Adding Stripped-User-Name = "anonymous" (4) suffix: Adding Realm = "karlshochschule.de" (4) suffix: Authentication realm is LOCAL (4) [suffix] = ok (4) if (!&Realm) { (4) if (!&Realm) -> FALSE (4) eap: Peer sent EAP Response (code 2) ID 247 length 99 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default-khs (4) authenticate { (4) eap: Expiring EAP session with state 0x7147c84d72b0dd8c (4) eap: Finished EAP session with state 0x7147c84d72b0dd8c (4) eap: Previous EAP request found for state 0x7147c84d72b0dd8c, released from the list (4) eap: Peer sent packet with method EAP TTLS (21) (4) eap: Calling submodule eap_ttls to process data (4) eap_ttls: Authenticate (4) eap_ttls: Continuing EAP-TLS (4) eap_ttls: [eaptls verify] = ok (4) eap_ttls: Done initial handshake (4) eap_ttls: TLS_accept: SSLv3/TLS write server done (4) eap_ttls: <<< recv TLS 1.2 [length 0025] (4) eap_ttls: TLS_accept: SSLv3/TLS read client key exchange (4) eap_ttls: TLS_accept: SSLv3/TLS read change cipher spec (4) eap_ttls: <<< recv TLS 1.2 [length 0010] (4) eap_ttls: TLS_accept: SSLv3/TLS read finished (4) eap_ttls: >>> send TLS 1.2 [length 0001] (4) eap_ttls: TLS_accept: SSLv3/TLS write change cipher spec (4) eap_ttls: >>> send TLS 1.2 [length 0010] (4) eap_ttls: TLS_accept: SSLv3/TLS write finished (4) eap_ttls: (other): SSL negotiation finished successfully (4) eap_ttls: SSL Connection Established (4) eap_ttls: [eaptls process] = handled (4) eap: Sending EAP Request (code 1) ID 248 length 61 (4) eap: EAP session adding &reply:State = 0x7147c84d75bfdd8c (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default-khs (4) Sent Access-Challenge Id 4 from 127.0.0.1:1812 to 127.0.0.1:43649 length 0 (4) EAP-Message = 0x01f8003d15800000003314030300010116030300283af9c0e6b9e5a741c0c2e2290518e28dfbb7329ccf7ffa91ade72b6662636b4b7e404a85b4a3ed7a (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x7147c84d75bfdd8c1f070e9e942e974a (4) Finished request Waking up in 4.9 seconds. (5) Received Access-Request Id 5 from 127.0.0.1:43649 to 127.0.0.1:1812 length 250 (5) User-Name = "anonymous@karlshochschule.de" (5) NAS-IP-Address = 127.0.0.1 (5) Calling-Station-Id = "02-00-00-00-00-01" (5) Framed-MTU = 1400 (5) NAS-Port-Type = Wireless-802.11 (5) Service-Type = Framed-User (5) Connect-Info = "CONNECT 11Mbps 802.11b" (5) EAP-Message = 0x02f8005f150017030300549fba59a5dc9971e230a9475002c0b31b27bf0b18d9f6e4f771bd336049231946679c2ea83f4182f9d7ef3ecc42edaec13bae2ba1834c278e0523839e9ba7f6453bb6528656531ed0d33bb3cb18f0859d68b35f9d (5) State = 0x7147c84d75bfdd8c1f070e9e942e974a (5) Message-Authenticator = 0x7e43e268618f2c1c4c230df9a130c81e (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default-khs (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) suffix: Checking for suffix after "@" (5) suffix: Looking up realm "karlshochschule.de" for User-Name = "anonymous@karlshochschule.de" (5) suffix: Found realm "karlshochschule.de" (5) suffix: Adding Stripped-User-Name = "anonymous" (5) suffix: Adding Realm = "karlshochschule.de" (5) suffix: Authentication realm is LOCAL (5) [suffix] = ok (5) if (!&Realm) { (5) if (!&Realm) -> FALSE (5) eap: Peer sent EAP Response (code 2) ID 248 length 95 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default-khs (5) authenticate { (5) eap: Expiring EAP session with state 0x7147c84d75bfdd8c (5) eap: Finished EAP session with state 0x7147c84d75bfdd8c (5) eap: Previous EAP request found for state 0x7147c84d75bfdd8c, released from the list (5) eap: Peer sent packet with method EAP TTLS (21) (5) eap: Calling submodule eap_ttls to process data (5) eap_ttls: Authenticate (5) eap_ttls: Continuing EAP-TLS (5) eap_ttls: [eaptls verify] = ok (5) eap_ttls: Done initial handshake (5) eap_ttls: [eaptls process] = ok (5) eap_ttls: Session established. Proceeding to decode tunneled attributes (5) eap_ttls: Got tunneled request (5) eap_ttls: User-Name = "testuser@karlshochschule.de" (5) eap_ttls: User-Password = "password" (5) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1 (5) eap_ttls: Sending tunneled request (5) Virtual server inner-tunnel received request (5) User-Name = "testuser@karlshochschule.de" (5) User-Password = "password" (5) FreeRADIUS-Proxied-To = 127.0.0.1 (5) server inner-tunnel { (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-khs (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) suffix: Checking for suffix after "@" (5) suffix: Looking up realm "karlshochschule.de" for User-Name = "testuser@karlshochschule.de" (5) suffix: Found realm "karlshochschule.de" (5) suffix: Adding Stripped-User-Name = "testuser" (5) suffix: Adding Realm = "karlshochschule.de" (5) suffix: Authentication realm is LOCAL (5) [suffix] = ok (5) update control { (5) &Proxy-To-Realm := LOCAL (5) } # update control = noop rlm_ldap (ldap_khs): Closing connection (0): Hit idle_timeout, was idle for 117 seconds rlm_ldap (ldap_khs): You probably need to lower "min" ldap_free_connection 1 1 ldap_send_unbind ldap_free_connection: actually freed rlm_ldap (ldap_khs): Closing connection (1): Hit idle_timeout, was idle for 116 seconds rlm_ldap (ldap_khs): You probably need to lower "min" ldap_free_connection 1 1 ldap_send_unbind ldap_free_connection: actually freed rlm_ldap (ldap_khs): Closing connection (2): Hit idle_timeout, was idle for 116 seconds rlm_ldap (ldap_khs): You probably need to lower "min" ldap_free_connection 1 1 ldap_send_unbind ldap_free_connection: actually freed rlm_ldap (ldap_khs): Closing connection (3): Hit idle_timeout, was idle for 116 seconds rlm_ldap (ldap_khs): You probably need to lower "min" ldap_free_connection 1 1 ldap_send_unbind ldap_free_connection: actually freed rlm_ldap (ldap_khs): Closing connection (4): Hit idle_timeout, was idle for 116 seconds rlm_ldap (ldap_khs): You probably need to lower "min" ldap_free_connection 1 1 ldap_send_unbind ldap_free_connection: actually freed rlm_ldap (ldap_khs): 0 of 0 connections in use. You may need to increase "spare" rlm_ldap (ldap_khs): Opening additional connection (5), 1 of 10 pending slots used rlm_ldap (ldap_khs): Connecting to ldaps://ldap.karlshochschule.de:636 ldap_create ldap_url_parse_ext(ldaps://ldap.karlshochschule.de:636) TLS: warning: cacertdir not implemented for gnutls ldap_bind ldap_simple_bind ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP ldap.karlshochschule.de:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 20.79.97.218:636 ldap_pvt_connect: fd: 3 tm: 10 async: 0 ldap_ndelay_on: 3 attempting to connect: connect errno: 115 ldap_int_poll: fd: 3 tm: 10 ldap_is_sock_ready: 3 ldap_ndelay_off: 3 ldap_pvt_connect: 0 ldap_open_defconn: successful ldap_send_server_request rlm_ldap (ldap_khs): Waiting for bind result... ldap_result ld 0x564774e6aaa0 msgid 1 wait4msg ld 0x564774e6aaa0 msgid 1 (timeout 20000000 usec) wait4msg continue ld 0x564774e6aaa0 msgid 1 all 1 ** ld 0x564774e6aaa0 Connections: * host: ldap.karlshochschule.de port: 636 (default) refcnt: 2 status: Connected last used: Thu Sep 21 16:52:17 2023 ** ld 0x564774e6aaa0 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ld 0x564774e6aaa0 request count 1 (abandoned 0) ** ld 0x564774e6aaa0 Response Queue: Empty ld 0x564774e6aaa0 response count 0 ldap_chkResponseList ld 0x564774e6aaa0 msgid 1 all 1 ldap_chkResponseList returns ld 0x564774e6aaa0 NULL ldap_int_select read1msg: ld 0x564774e6aaa0 msgid 1 all 1 read1msg: ld 0x564774e6aaa0 msgid 1 message type bind read1msg: ld 0x564774e6aaa0 0 new referrals read1msg: mark request completed, ld 0x564774e6aaa0 msgid 1 request done: ld 0x564774e6aaa0 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_parse_result ldap_msgfree rlm_ldap (ldap_khs): Bind successful rlm_ldap (ldap_khs): Reserved connection (5) (5) ldap_khs: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}}) (5) ldap_khs: --> (cn=testuser) (5) ldap_khs: Performing search in "OU=AADDC Users,dc=karlshochschule,dc=de" with filter "(cn=testuser)", scope "sub" ldap_search_ext put_filter: "(cn=testuser)" put_filter: simple put_simple_filter: "cn=testuser" ldap_build_search_req ATTRS: userPassword ntPassword ldap_send_initial_request ldap_send_server_request (5) ldap_khs: Waiting for search result... ldap_result ld 0x564774e6aaa0 msgid 2 wait4msg ld 0x564774e6aaa0 msgid 2 (timeout 20000000 usec) wait4msg continue ld 0x564774e6aaa0 msgid 2 all 1 ** ld 0x564774e6aaa0 Connections: * host: ldap.karlshochschule.de port: 636 (default) refcnt: 2 status: Connected last used: Thu Sep 21 16:52:17 2023 ** ld 0x564774e6aaa0 Outstanding Requests: * msgid 2, origid 2, status InProgress outstanding referrals 0, parent count 0 ld 0x564774e6aaa0 request count 1 (abandoned 0) ** ld 0x564774e6aaa0 Response Queue: Empty ld 0x564774e6aaa0 response count 0 ldap_chkResponseList ld 0x564774e6aaa0 msgid 2 all 1 ldap_chkResponseList returns ld 0x564774e6aaa0 NULL ldap_int_select read1msg: ld 0x564774e6aaa0 msgid 2 all 1 read1msg: ld 0x564774e6aaa0 msgid 2 message type search-entry read1msg: ld 0x564774e6aaa0 msgid 2 message type search-result read1msg: ld 0x564774e6aaa0 0 new referrals read1msg: mark request completed, ld 0x564774e6aaa0 msgid 2 request done: ld 0x564774e6aaa0 msgid 2 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 2, msgid 2) adding response ld 0x564774e6aaa0 msgid 2 type 101: ldap_parse_result ldap_get_dn (5) ldap_khs: User object found at DN "CN=testuser,OU=AADDC Users,DC=karlshochschule,DC=de" (5) ldap_khs: Processing user attributes ldap_get_values_len ldap_get_values_len (5) ldap_khs: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (5) ldap_khs: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) ldap_msgfree rlm_ldap (ldap_khs): Released connection (5) Need 4 more connections to reach min connections (5) rlm_ldap (ldap_khs): Opening additional connection (6), 1 of 9 pending slots used rlm_ldap (ldap_khs): Connecting to ldaps://ldap.karlshochschule.de:636 ldap_create ldap_url_parse_ext(ldaps://ldap.karlshochschule.de:636) TLS: warning: cacertdir not implemented for gnutls ldap_bind ldap_simple_bind ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP ldap.karlshochschule.de:636 ldap_new_socket: 4 ldap_prepare_socket: 4 ldap_connect_to_host: Trying 20.79.97.218:636 ldap_pvt_connect: fd: 4 tm: 10 async: 0 ldap_ndelay_on: 4 attempting to connect: connect errno: 115 ldap_int_poll: fd: 4 tm: 10 ldap_is_sock_ready: 4 ldap_ndelay_off: 4 ldap_pvt_connect: 0 ldap_open_defconn: successful ldap_send_server_request rlm_ldap (ldap_khs): Waiting for bind result... ldap_result ld 0x564773fe1710 msgid 1 wait4msg ld 0x564773fe1710 msgid 1 (timeout 20000000 usec) wait4msg continue ld 0x564773fe1710 msgid 1 all 1 ** ld 0x564773fe1710 Connections: * host: ldap.karlshochschule.de port: 636 (default) refcnt: 2 status: Connected last used: Thu Sep 21 16:52:17 2023 ** ld 0x564773fe1710 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ld 0x564773fe1710 request count 1 (abandoned 0) ** ld 0x564773fe1710 Response Queue: Empty ld 0x564773fe1710 response count 0 ldap_chkResponseList ld 0x564773fe1710 msgid 1 all 1 ldap_chkResponseList returns ld 0x564773fe1710 NULL ldap_int_select read1msg: ld 0x564773fe1710 msgid 1 all 1 read1msg: ld 0x564773fe1710 msgid 1 message type bind read1msg: ld 0x564773fe1710 0 new referrals read1msg: mark request completed, ld 0x564773fe1710 msgid 1 request done: ld 0x564773fe1710 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_parse_result ldap_msgfree rlm_ldap (ldap_khs): Bind successful (5) [ldap_khs] = ok (5) inner_eap: No EAP-Message, not doing EAP (5) [inner_eap] = noop (5) [pap] = noop (5) } # authorize = ok (5) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (5) Failed to authenticate the user (5) Using Post-Auth-Type Reject (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-khs (5) Post-Auth-Type REJECT { (5) inner_tunnel_linelog: EXPAND messages.%{%{reply:Packet-Type}:-default} (5) inner_tunnel_linelog: --> messages.Access-Reject (5) inner_tunnel_linelog: EXPAND Login incorrect: [%{User-Name}] (%{request:Module-Failure-Message}) (cli %{outer.request:Calling-Station-Id} via TLS tunnel) (5) inner_tunnel_linelog: --> Login incorrect: [testuser@karlshochschule.de] (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject) (cli 02-00-00-00-00-01 via TLS tunnel) (5) [inner_tunnel_linelog] = ok (5) attr_filter.access_reject: EXPAND %{User-Name} (5) attr_filter.access_reject: --> testuser@karlshochschule.de (5) attr_filter.access_reject: Matched entry DEFAULT at line 11 (5) [attr_filter.access_reject] = updated (5) update outer.session-state { (5) &Module-Failure-Message := &request:Module-Failure-Message -> 'No Auth-Type found: rejecting the user via Post-Auth-Type = Reject' (5) } # update outer.session-state = noop (5) } # Post-Auth-Type REJECT = updated (5) EXPAND badpass (5) --> badpass (5) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [testuser/234Tu45$%] (from client localhost port 0 via TLS tunnel) badpass (5) } # server inner-tunnel (5) Virtual server sending reply (5) eap_ttls: Got tunneled Access-Reject (5) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed (5) eap: Sending EAP Failure (code 4) ID 248 length 4 (5) eap: Failed in EAP select (5) [eap] = invalid (5) } # authenticate = invalid (5) Failed to authenticate the user (5) Using Post-Auth-Type Reject (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default-khs (5) Post-Auth-Type REJECT { (5) outer_linelog: EXPAND messages.%{%{reply:Packet-Type}:-default} (5) outer_linelog: --> messages.Access-Reject (5) outer_linelog: EXPAND Login incorrect: [%{User-Name}] (%{%{reply:Reply-Message}:-%{request:Module-Failure-Message}}) (cli %{request:Calling-Station-Id}) (5) outer_linelog: --> Login incorrect: [anonymous@karlshochschule.de] (eap: Failed continuing EAP TTLS (21) session. EAP sub-module failed) (cli 02-00-00-00-00-01) (5) [outer_linelog] = ok (5) attr_filter.access_reject: EXPAND %{User-Name} (5) attr_filter.access_reject: --> anonymous@karlshochschule.de (5) attr_filter.access_reject: Matched entry DEFAULT at line 11 (5) [attr_filter.access_reject] = updated (5) [eap] = noop (5) policy remove_reply_message_if_eap { (5) if (&reply:EAP-Message && &reply:Reply-Message) { (5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (5) else { (5) [noop] = noop (5) } # else = noop (5) } # policy remove_reply_message_if_eap = noop (5) } # Post-Auth-Type REJECT = updated (5) EXPAND badpass (5) --> badpass (5) Login incorrect (eap: Failed continuing EAP TTLS (21) session. EAP sub-module failed): [anonymous/<via Auth-Type = eap>] (from client localhost port 0 cli 02-00-00-00-00-01) badpass (5) Delaying response for 1.000000 seconds Waking up in 0.1 seconds. Waking up in 0.8 seconds. (5) Sending delayed response (5) Sent Access-Reject Id 5 from 127.0.0.1:1812 to 127.0.0.1:43649 length 44 (5) EAP-Message = 0x04f80004 (5) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.7 seconds. (0) Cleaning up request packet ID 0 with timestamp +116 (1) Cleaning up request packet ID 1 with timestamp +116 (2) Cleaning up request packet ID 2 with timestamp +116 (3) Cleaning up request packet ID 3 with timestamp +116 (4) Cleaning up request packet ID 4 with timestamp +116 Waking up in 0.1 seconds. (5) Cleaning up request packet ID 5 with timestamp +116 Ready to process requests ^Croot@radsec:~#
On 21.09.23 16:59, Uwe Faber wrote:
Alan DeKok schrieb:
On Sep 21, 2023, at 7:13 AM, Uwe Faber <uf@zkm.de> wrote:
Hi folks, i hopw you can help after reading thousends articles and making hundred of trials with the freeradius with no succes. Here ist the situation, we have an Azure AD and for this an ldap server front-end. So i could connect to the AD over the ldap.
for testing reason i implementet an Local openldap server and testet ist with the eapol test and it works without problems, but if i change the ldap connection to the azure/ldap i got the following error: So... "I did a bunch of stuff and it didn't work. How do I fix it?"
Answer: do different stuff.
5) ldap_khs: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (5) ldap_khs: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) I still don't understand why people work *very* hard to ignore all of the debug output and the documentation which says POST ALL OF THE DEBUG OUTPUT.
If you're doing PEAP/MS-CHAP to Azure AD, it won't work. Stop trying.
Use EAP-TTLS with PAP, and then use LDAP "bind as user" (Auth-Type LDAP) in order to hand the password to AD.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html here the debug output
(...) (5) ldap_khs: Performing search in "OU=AADDC Users,dc=karlshochschule,dc=de" with filter "(cn=testuser)", scope "sub" ldap_search_ext (....)
(5) ldap_khs: User object found at DN "CN=testuser,OU=AADDC Users,DC=karlshochschule,DC=de" (....)
(5) ldap_khs: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (5) ldap_khs: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) (....)
The logs are quite obvious. You are trying to do an ldapsearch against an AD-LDAP. That will not work, since AD-LDAP does not reply with the necessary LDAP attributes for the password so that freeradius can authenticate. You have to use ldapbind for authentication. Next Version RADIUS server: https://freeradius.org/documentation/freeradius-server/4.0.0/howto/modules/l... Perhaps this helps: https://www.nasirhafeez.com/freeradius-with-ldaps-on-azure-ad-domain-service...
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Sep 21, 2023, at 10:59 AM, Uwe Faber <uf@zkm.de> wrote:
here the debug output ... (5) eap_ttls: User-Name = "testuser@karlshochschule.de" (5) eap_ttls: User-Password = "password"
So EAP-TTLS with PAP. That's good.
(5) ldap_khs: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (5) ldap_khs: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
yeah... Read https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/mods-avail... There's documentation for this.
ldap_msgfree rlm_ldap (ldap_khs): Released connection (5) Need 4 more connections to reach min connections (5) rlm_ldap (ldap_khs): Opening additional connection (6), 1 of 9 pending slots used rlm_ldap (ldap_khs): Connecting to ldaps://ldap.karlshochschule.de:636 ldap_create ldap_url_parse_ext(ldaps://ldap.karlshochschule.de:636) TLS: warning: cacertdir not implemented for gnutls
And using gnutls (in libldap) with OpenSSL (for EAP-TTLS) is likely to cause issues. We've put more checks and warnings into v3 which complain about this issue. But they exist only in the debug output, which usually means that they're hard to find. Alan DeKok.
Alan DeKok schrieb:
On Sep 21, 2023, at 10:59 AM, Uwe Faber <uf@zkm.de> wrote:
here the debug output ... (5) eap_ttls: User-Name = "testuser@karlshochschule.de" (5) eap_ttls: User-Password = "password" So EAP-TTLS with PAP. That's good.
(5) ldap_khs: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (5) ldap_khs: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) yeah...
Read https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/mods-avail...
There's documentation for this.
ldap_msgfree rlm_ldap (ldap_khs): Released connection (5) Need 4 more connections to reach min connections (5) rlm_ldap (ldap_khs): Opening additional connection (6), 1 of 9 pending slots used rlm_ldap (ldap_khs): Connecting to ldaps://ldap.karlshochschule.de:636 ldap_create ldap_url_parse_ext(ldaps://ldap.karlshochschule.de:636) TLS: warning: cacertdir not implemented for gnutls And using gnutls (in libldap) with OpenSSL (for EAP-TTLS) is likely to cause issues.
We've put more checks and warnings into v3 which complain about this issue. But they exist only in the debug output, which usually means that they're hard to find.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Hi alan, i changed the code in the inner tunnel as described in the Link you gave the result is :
/etc/freeradius/3.0/sites-enabled/inner-khs[12]: Unknown or invalid value "ldap" for attribute Auth-Type /etc/freeradius/3.0/sites-enabled/inner-khs[11]: Failed to parse "update" subsection. /etc/freeradius/3.0/sites-enabled/inner-khs[2]: Errors parsing authorize section. here the code: server inner-tunnel { authorize { filter_username suffix update control { &Proxy-To-Realm := LOCAL } ldap_khs #text if ((ok || updated) && User-Password && !control:Auth-Type) { update { control:Auth-Type := ldap } } #ende text inner_eap { ok = return } pap } authenticate { Auth-Type PAP { pap } Auth-Type MS-CHAP { mschap } Auth-Type inner_eap { inner_eap } } post-auth { inner_tunnel_linelog Post-Auth-Type REJECT { inner_tunnel_linelog attr_filter.access_reject update outer.session-state { &Module-Failure-Message := &request:Module-Failure-Message } } } }
You have been posting repeated messages with no content. Please fix this issue. If not, we can fix it on our end.
On Sep 27, 2023, at 8:24 AM, Uwe Faber <uf@zkm.de> wrote:
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
And you're unsubscribed. Not banned. Just off the list until you start posting content. If you keep posting empty messages, you will be banned.
On Sep 27, 2023, at 9:45 AM, Uwe Faber <uf@zkm.de> wrote:
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Sep 22, 2023, at 9:56 AM, Uwe Faber <uf@zkm.de> wrote:st/users.html
Hi alan, i changed the code in the inner tunnel as described in the Link you gave the result is :
/etc/freeradius/3.0/sites-enabled/inner-khs[12]: Unknown or invalid value "ldap" for attribute Auth-Type /etc/freeradius/3.0/sites-enabled/inner-khs[11]: Failed to parse "update" subsection. /etc/freeradius/3.0/sites-enabled/inner-khs[2]: Errors parsing authorize section.
You've had success in editing the configuration files to simplify it and use "ldap_khs" instead of just "ldap". What is less successful is expecting that the "Auth-Type LDAP" example will work when the "authenticate" section you post doesn't have the "ldap" configuration from the example. And, if you're going to use "ldap_khs" as the ldap module, you probably want to use that name instead of just bare "ldap". It takes care and effort to create a working configuration. And paying attention to details. Following half of the documentation is not likely to work. Alan DeKok.
I've unsubscribed you, and banned your email. You can be un-banned and re-subscribed if you convince me that you will stop posting empty messages to the list. If you get unbanned and keep posting empty messages, then the ban will be permanent. Fix your email system.
On Oct 2, 2023, at 8:50 AM, Uwe Faber <uf@zkm.de> wrote:
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Perhaps it's some weird Outlook Format like the winmail.dat Stuff? -- Daniel Lux Geschäftsführer Lux IT Systeme UG (haftungsbeschränkt) Steinbrücker Weg 3 31246 Ilsede Tel.: +49 176 4666 9865 E-Mail: dlux@lux-it-systeme.de Internet: www.lux-it-systeme.de Lux IT Systeme UG (haftungsbeschränkt) Solarisbank AG IBAN: DE69 1101 0101 5116 6357 61 BIC: SOBKDEB2XXX USt-IdNr.: DE345088340 Steuernummer: 38/210/01722 Amtsgericht Hildesheim HRB 207733 Geschäftsführung: Daniel Lux -----Ursprüngliche Nachricht----- Von: Freeradius-Users <freeradius-users-bounces+dlux=lux-it-systeme.de@lists.freeradius.org> Im Auftrag von Alan DeKok Gesendet: Montag, 2. Oktober 2023 14:53 An: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Betreff: Re: Problems to authenticate against an Azure AD -Ldap I've unsubscribed you, and banned your email. You can be un-banned and re-subscribed if you convince me that you will stop posting empty messages to the list. If you get unbanned and keep posting empty messages, then the ban will be permanent. Fix your email system.
On Oct 2, 2023, at 8:50 AM, Uwe Faber <uf@zkm.de> wrote:
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Oct 2, 2023, at 9:15 AM, <dlux@lux-it-systeme.de> <dlux@lux-it-systeme.de> wrote:
Perhaps it's some weird Outlook Format like the winmail.dat Stuff?
He had previously posted messages with content. I blocked one email address. Instead of emailing me or the "freeradius-users-owner" address to discuss or explain the issue, he's just subscribed with another email address. And kept posting content-free messages. Until such time as he can post content, *all* of his email addresses will be banned immediately. The issue is not just posting content-free messages. It's also that he's completely ignoring any attempt by me to have him fix the issue. He just keeps resubscribing, and posting nothing. It's 2023. It shouldn't be difficult to post messages to a mailing list. Alan DeKok.
participants (5)
-
Alan DeKok -
dlux@lux-it-systeme.de -
Matthew Newton -
Michael Schwartzkopff -
Uwe Faber