Dear freeradius-users, I've succeeded in getting LDAP authz/authn working with MSCHAPv2 and have been using it successfully for a few months now. I would like to add a very simple user with only a Cleartext-Password to the users file (this is strictly a FreeRADIUS user and in the interest of security shouldn't be in LDAP). I would like both the users file and LDAP to be queried for users, with a query falling through to the next source if a particular user is not found. In other words, I would like to be able to use *both* a users file *and* LDAP for auth. I've added the following at the top of the users file, which has not been modified otherwise from the sample that ships with 2.0.3. someuser Cleartext-Password := "somepassword" The authorize section of my default config (sans comments) looks like this. authorize { preprocess chap mschap suffix eap { ok = return } files ldap expiration logintime pap } As you can see, "files" is there, so it would seem that (based on my admittedly limited understanding of how FreeRADIUS is supposed to work) the users file should be queried. Nevertheless, authentication is failing and nothing is being logged apart from the following. Login incorrect (rlm_ldap: User not found) What could I be doing wrong? -- Anthony Chavez http://hexadecagram.org/ mailto:acc@hexadecagram.org xmpp:acc@hexadecagram.org
I would like to add a very simple user with only a Cleartext-Password to the users file (this is strictly a FreeRADIUS user and in the interest of security shouldn't be in LDAP). I would like both the users file and LDAP to be queried for users, with a query falling through to the next source if a particular user is not found. In other words, I would like to be able to use *both* a users file *and* LDAP for auth.
I've added the following at the top of the users file, which has not been modified otherwise from the sample that ships with 2.0.3.
someuser Cleartext-Password := "somepassword"
Post the debug (radiusd -X). Ivan Kalik Kalik Informatika ISP
tnt@kalik.net wrote:
I would like to add a very simple user with only a Cleartext-Password to the users file (this is strictly a FreeRADIUS user and in the interest of security shouldn't be in LDAP). I would like both the users file and LDAP to be queried for users, with a query falling through to the next source if a particular user is not found. In other words, I would like to be able to use *both* a users file *and* LDAP for auth.
I've added the following at the top of the users file, which has not been modified otherwise from the sample that ships with 2.0.3.
someuser Cleartext-Password := "somepassword"
Post the debug (radiusd -X).
Ivan Kalik Kalik Informatika ISP
Here it is. After looking at the log myself, I thought that perhaps setting access_attr="NULL" in radiusd.conf might do the trick, so I tried it without success. Note that the following log is what was produced before setting access_attr="NULL". I have not installed a RADIUS schema into my LDAP DIT yet, so I've been using access_attr="uid". Script started on Mon Oct 27 18:16:13 2008 FreeRADIUS Version 2.0.3, for host i386-portbld-freebsd7.0, built on Jun 16 2008 at 16:15:34 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. Starting - reading configuration files ... including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including configuration file /usr/local/etc/raddb/snmp.conf including configuration file /usr/local/etc/raddb/eap.conf including configuration file /usr/local/etc/raddb/sql.conf including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf including configuration file /usr/local/etc/raddb/policy.conf including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/default including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel including dictionary file /usr/local/etc/raddb/dictionary main { prefix = "/usr/local" localstatedir = "/var" logdir = "/var/log" libdir = "/usr/local/lib" radacctdir = "/var/log/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/radiusd/radiusd.pid" user = "freeradius" group = "freeradius" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "secret" nastype = "other" } client 192.168.0.132 { require_message_authenticator = no secret = "secret" shortname = "someap1" } client 192.168.0.133 { require_message_authenticator = no secret = "secret" shortname = "someap2" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "secret" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_check = "none" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = yes } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server.pem" certificate_file = "/usr/local/etc/raddb/certs/server.pem" CA_file = "/usr/local/etc/raddb/certs/ca.pem" private_key_password = "secret" dh_file = "/usr/local/etc/raddb/certs/dh" random_file = "/usr/local/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/usr/local/etc/raddb/certs/bootstrap" } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/usr/local/etc/raddb/users" acctusersfile = "/usr/local/etc/raddb/acct_users" preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" compat = "no" } Module: Linked to module rlm_ldap Module: Instantiating ldap ldap { server = "directory.somedomain" port = 389 password = "secret" identity = "cn=Manager,dc=somedomain" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } basedn = "ou=People,ou=Users,dc=somedomain" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=posixAccount)" auto_header = no access_attr = "uid" access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes set_auth_type = yes } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the "authenticate" section. rlm_ldap: reading ldap<->radius mappings from file /usr/local/etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message conns: 0x2843d7e0 Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/usr/local/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } } server { modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/usr/local/etc/raddb/huntgroups" hints = "/usr/local/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/usr/local/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = 192.168.0.18 port = 0 } listen { type = "acct" ipaddr = * port = 0 } Listening on authentication address 192.168.0.18 port 1812 Listening on accounting address * port 1813 Listening on proxy address 192.168.0.18 port 1814 Ready to process requests. Message-Authenticator = 0x85d159310ab2060a1fbc5c51c4582d62 Service-Type = Framed-User User-Name = "someuser\000" Framed-MTU = 1488 Called-Station-Id = "somemac1:somessid" Calling-Station-Id = "somemac2" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200000b01726164697573 NAS-IP-Address = 192.168.0.133 NAS-Port = 6 NAS-Port-Id = "STA port # 6" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "someuser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 0 length 11 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated users: Matched entry someuser at line 50 ++[files] returns ok rlm_ldap: - authorize rlm_ldap: performing user authorization for someuser WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=someuser) expand: ou=People,ou=Users,dc=somedomain -> ou=People,ou=Users,dc=somedomain rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to directory.somedomain:389, authentication 0 rlm_ldap: bind as cn=Manager,dc=somedomain/secret to directory.somedomain:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=People,ou=Users,dc=somedomain, with filter (uid=someuser) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8db73d858db62474893e60a208ccf56d Finished request 0. Going to the next request Waking up in 4.9 seconds. Message-Authenticator = 0xca4a6436f9937c0df93b6885b18e0fa5 Service-Type = Framed-User User-Name = "someuser\000" Framed-MTU = 1488 State = 0x8db73d858db62474893e60a208ccf56d Called-Station-Id = "somemac1:somessid" Calling-Station-Id = "somemac2" NAS-Identifier = "AP11G" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020100060300 NAS-IP-Address = 192.168.0.133 NAS-Port = 6 NAS-Port-Id = "STA port # 6" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "someuser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 1 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated users: Matched entry someuser at line 50 ++[files] returns ok rlm_ldap: - authorize rlm_ldap: performing user authorization for someuser WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=someuser) expand: ou=People,ou=Users,dc=somedomain -> ou=People,ou=Users,dc=somedomain rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,ou=Users,dc=somedomain, with filter (uid=someuser) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: NAK asked for bad type 0 rlm_eap: Failed in EAP select ++[eap] returns invalid auth: Failed to validate the user. Login incorrect (rlm_ldap: User not found): [someuser\000/<via Auth-Type = EAP>] (from client someap2 port 6 cli somemac2) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> someuser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 EAP-Message = 0x04010004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 0 ID 0 with timestamp +27 Waking up in 1.0 seconds. Cleaning up request 1 ID 1 with timestamp +27 Ready to process requests. ^C Script done on Mon Oct 27 18:16:50 2008 -- Anthony Chavez http://hexadecagram.org/ mailto:acc@hexadecagram.org xmpp:acc@hexadecagram.org
..
Module: Linked to module rlm_ldap Module: Instantiating ldap ldap { .. access_attr = "uid" access_attr_used_for_allow = yes .. Login incorrect (rlm_ldap: User not found): [someuser\000/<via Auth-Type = EAP>] (from client someap2 port 6 cli somemac2)
If you want people who are not in ldap to connect you have to remove ldap access control. Ivan Kalik Kalik Informatika ISP
On Mon, 2008-10-27 at 18:41 -0600, Anthony Chavez wrote:
Module: Instantiating ldap ldap { server = "directory.somedomain" port = 389 password = "secret" identity = "cn=Manager,dc=somedomain"
I don't know how much of this was from clean up, but if possible you really really shouldn't use cn=Manager,dc=somedomain for this. It is generally concidered a no go to let anything use the directory manager. At our site I created a dedicated radiusd user who has exactly and only the rights needed by radius. I don't know if that is an option at your site, but if it is I strongly suggest it. Pat
Hi,
I don't know how much of this was from clean up, but if possible you really really shouldn't use cn=Manager,dc=somedomain for this. It is generally concidered a no go to let anything use the directory manager. At our site I created a dedicated radiusd user who has exactly and only the rights needed by radius. I don't know if that is an option at your site, but if it is I strongly suggest it.
agreed. it is always good to have some best practice mentioned on this list. alan
Antony,
I would like to add a very simple user with only a Cleartext-Password to the users file (this is strictly a FreeRADIUS user and in the interest of security shouldn't be in LDAP). I have a very similar setup (lots of users in LDAP, a few with "local" passwords on the RADIUS server). As to security, I created the user as a local unix account on the RADIUS server and do Auth-Type := System. This way, I don't have to put a Cleartext-Password anywhere.
In addition, my special users _are_ in LDAP, so when LDAP is asked they get authorized. Only the password is checked against /etc/passwd on the RADIUS server. But how would you "remove LDAP access control" for these users? Cheers, Martin -- Dr. Martin Pauly Fax: 49-6421-28-26994 HRZ Univ. Marburg Phone: 49-6421-28-23527 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Anthony Chavez -
Martin Pauly -
Pat Riehecky -
tnt@kalik.net