EAP-TLS and LDAP with Windows Server 2012R2 Native Functional Level
Background: Originally I was using CentoOS 7 with Samba 4.2.10 and FreeRadius 3.0.4 on a Windows network that was on Server 2003 and Forest Functional Level. We were using certificate base authentications for tablets and username and password for certain users. We upgraded the functional level to 2012R2 Native and it broke everything. Neither certificates or username and passwords would get any Accepts, only Rejects. I changed the config from sites-enabled/default post-auth { if (!(Ldap-Group == "WiFi")) { reject } to where the certificates authenticate and any Active Directory user can authenticate by using: sites-enabled/default post-auth { # if (Ldap-Group == "WiFi") { # noop # } Just to get people working again. This was confirmed with two test users using radtest -t mschap mcyrus Password1 localhost 0 XXXXXX and watching the radiusd -X debug. Test user mcyrus is not in the WiFi group, test user nlegend is. Currently: I built another server on CentOS 7 but built Samba 4.5.0 and FreeRadius 4.0.x from source to see if newer versions were more compatible, again closely following the deployingfreeradius.com guides. I edited the config files to try and get authorization working again. I can get it doing the same thing where certificates and all AD users can get logged in or only users in the WiFi group get Accepts but none of the certificates get Accepts. The odd thing, or least what I don't understand is: Why the certificates stop working even though the computer accounts are also in the WiFi security group. Wrapping up: I guess what it comes down to is a few of questions: 1. Is Samba 4.5.0/FreeRadius 4.0.x even compatible with a 2012R2 forest functional level (schema 69) as a member server? I've seen some posts stating that it's experimental as a DC but not whether a member server is working/stable. 2. Is it compatible with a Windows Server 2016 forest functional level as we will be heading down that road soon? 3. Should it be possible to have certificate based authorizations AND LDAP group authorizations working on the same server. If yes, I would greatly appreciate any tips or help in figuring out how to get it configured correctly and working again. Thank you for any guidance you can provide, Travis radiusd -X [root@radius ~]# systemctl stop radiusd && radiusd -X Info : FreeRADIUS Version 4.0.0 Info : Copyright (C) 1999-2016 The FreeRADIUS server project and contributors Info : There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A Info : PARTICULAR PURPOSE Info : You may redistribute copies of FreeRADIUS under the terms of the Info : GNU General Public License Info : For more information about these matters, see the file named COPYRIGHT Info : Starting - reading configuration files ... Debug : including dictionary file /opt/freeradius/share/freeradius/dictionary Debug : including dictionary file /opt/freeradius/etc/raddb/dictionary Debug : including configuration file /opt/freeradius/etc/raddb/radiusd.conf Debug : including configuration file /opt/freeradius/etc/raddb/proxy.conf Debug : including configuration file /opt/freeradius/etc/raddb/clients.conf Debug : including files in directory /opt/freeradius/etc/raddb/mods-enabled/ Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/always Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/attr_filter Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/cache_eap Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/chap Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/detail Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/detail.log Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/digest Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/dhcp Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/dynamic_clients Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/eap Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/eap_inner Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/echo Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/exec Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/expiration Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/expr Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/files Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/linelog Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/logintime Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/mschap Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/ntlm_auth Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/pap Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/passwd Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/preprocess Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/radutmp Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/realm Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/replicate Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/soh Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/sradutmp Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/unix Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/unpack Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/utf8 Debug : including configuration file /opt/freeradius/etc/raddb/mods-enabled/ldap Debug : including files in directory /opt/freeradius/etc/raddb/policy.d/ Debug : including configuration file /opt/freeradius/etc/raddb/policy.d/abfab-tr Debug : including configuration file /opt/freeradius/etc/raddb/policy.d/accounting Debug : including configuration file /opt/freeradius/etc/raddb/policy.d/canonicalization Debug : including configuration file /opt/freeradius/etc/raddb/policy.d/control Debug : including configuration file /opt/freeradius/etc/raddb/policy.d/cui Debug : including configuration file /opt/freeradius/etc/raddb/policy.d/debug Debug : including configuration file /opt/freeradius/etc/raddb/policy.d/dhcp Debug : including configuration file /opt/freeradius/etc/raddb/policy.d/eap Debug : including configuration file /opt/freeradius/etc/raddb/policy.d/filter Debug : including configuration file /opt/freeradius/etc/raddb/policy.d/operator-name Debug : including configuration file /opt/freeradius/etc/raddb/policy.d/vendor Debug : including files in directory /opt/freeradius/etc/raddb/sites-enabled/ Debug : including configuration file /opt/freeradius/etc/raddb/sites-enabled/default Debug : including configuration file /opt/freeradius/etc/raddb/sites-enabled/inner-tunnel Debug : main { Debug : security { Debug : allow_core_dumps = no Debug : } Debug : name = "radiusd" Debug : prefix = "/opt/freeradius" Debug : localstatedir = "/opt/freeradius/var" Debug : logdir = "/opt/freeradius/var/log/radius" Debug : run_dir = "/opt/freeradius/var/run/radiusd" Debug : } Debug : main { Debug : name = "radiusd" Debug : prefix = "/opt/freeradius" Debug : localstatedir = "/opt/freeradius/var" Debug : sbindir = "/opt/freeradius/sbin" Debug : logdir = "/opt/freeradius/var/log/radius" Debug : run_dir = "/opt/freeradius/var/run/radiusd" Debug : libdir = "/opt/freeradius/lib" Debug : radacctdir = "/opt/freeradius/var/log/radius/radacct" Debug : hostname_lookups = no Debug : max_request_time = 30 Debug : cleanup_delay = 5 Debug : continuation_timeout = 15 Debug : max_requests = 16384 Debug : pidfile = "/opt/freeradius/var/run/radiusd/radiusd.pid" Debug : checkrad = "/opt/freeradius/sbin/checkrad" Debug : debug_level = 0 Debug : proxy_requests = yes Debug : log { Debug : stripped_names = no Debug : auth = no Debug : auth_badpass = no Debug : auth_goodpass = no Debug : colourise = yes Debug : msg_denied = "You are already logged in - access denied" Debug : } Debug : resources { Debug : } Debug : security { Debug : max_attributes = 200 Debug : reject_delay = 1.000000 Debug : status_server = yes Debug : allow_vulnerable_openssl = "no" Debug : } Debug : } Switching to configured log settings radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dynamic = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client Tracmor { ipaddr = 10.10.0.151 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client LAK-Branch { ipaddr = 10.10.2.131 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client LAK-IT { ipaddr = 10.10.2.130 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client LAK-TC { ipaddr = 10.10.2.4 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client LAK-TC-RF { ipaddr = 10.10.2.65 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client LAK-Training { ipaddr = 10.10.2.6 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client LAK-Upstairs { ipaddr = 10.10.2.5 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 01-MPK { ipaddr = 192.168.1.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 03-ELC { ipaddr = 192.168.3.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 04-BKF { ipaddr = 192.168.4.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 05-LAS { ipaddr = 192.168.5.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 05-Training { ipaddr = 192.168.5.251 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 06-RIV { ipaddr = 192.168.6.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 07-PHX { ipaddr = 192.168.7.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 08-FRN { ipaddr = 192.168.8.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 09-ANA { ipaddr = 192.168.9.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 10-SAC { ipaddr = 192.168.10.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 11-OAK { ipaddr = 192.168.11.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 12-BUR { ipaddr = 192.168.12.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 13-RNO { ipaddr = 192.168.13.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 14-PRT { ipaddr = 192.168.14.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 14-PRT-2 { ipaddr = 192.168.14.251 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 15-SEA { ipaddr = 192.168.15.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 16-SPK { ipaddr = 192.168.16.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 17-EUG { ipaddr = 192.168.17.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 17-EUG-2 { ipaddr = 192.168.17.251 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 18-BOI { ipaddr = 192.168.18.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 19-SLC { ipaddr = 192.168.19.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 20-ORM { ipaddr = 192.168.20.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 21-OGD { ipaddr = 192.168.21.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 22-RED { ipaddr = 192.168.22.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 24-POC { ipaddr = 192.168.24.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 25-DGO { ipaddr = 192.168.25.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 26-TAC { ipaddr = 192.168.26.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 27-ANC { ipaddr = 192.168.27.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 28-NOG { ipaddr = 192.168.28.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 30-TUC { ipaddr = 192.168.30.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 31-MES { ipaddr = 192.168.31.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 32-PHO { ipaddr = 192.168.32.251 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 33-BEL { ipaddr = 192.168.33.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 34-MED { ipaddr = 192.168.34.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 35-VIS { ipaddr = 192.168.35.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 35-VIS-WH1 { ipaddr = 192.168.35.251 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 35-VIS-WH2 { ipaddr = 192.168.35.252 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 36-YUM { ipaddr = 192.168.36.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 37-SLE { ipaddr = 192.168.37.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 38-SJC { ipaddr = 192.168.38.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 39-SFO { ipaddr = 192.168.39.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 40-CCR { ipaddr = 192.168.40.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 41-VNY { ipaddr = 192.168.41.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 42-MOD { ipaddr = 192.168.42.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 43-TLV { ipaddr = 192.168.43.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 44-SNA { ipaddr = 192.168.44.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 45-STS { ipaddr = 192.168.45.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 46-POM { ipaddr = 192.168.46.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 48-GAR { ipaddr = 192.168.48.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 49-BPK { ipaddr = 192.168.49.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 51-LVK { ipaddr = 192.168.51.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 52-RSV { ipaddr = 192.168.52.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 53-SAL { ipaddr = 192.168.53.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 54-PHN { ipaddr = 192.168.54.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 55-ONT { ipaddr = 192.168.55.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 55-ONT-2 { ipaddr = 192.168.55.251 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 56-WLA { ipaddr = 192.168.56.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 57-BIL { ipaddr = 192.168.57.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 58-GTF { ipaddr = 192.168.58.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 59-RAN { ipaddr = 192.168.59.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 60-TEM { ipaddr = 192.168.60.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 61-NTL { ipaddr = 192.168.61.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 62-PSP { ipaddr = 192.168.62.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 63-STK { ipaddr = 192.168.63.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 64-KRK { ipaddr = 192.168.64.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 65-PEO { ipaddr = 192.168.65.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 66-VIC { ipaddr = 192.168.66.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 67-YAK { ipaddr = 192.168.67.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 68-DRA { ipaddr = 192.168.68.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 69-CHA { ipaddr = 192.168.69.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 70-TIG { ipaddr = 192.168.70.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 71-FRE { ipaddr = 192.168.71.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 72-DEN { ipaddr = 192.168.72.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 73-SIG { ipaddr = 192.168.73.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 74-CEN { ipaddr = 192.168.74.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 75-COR { ipaddr = 192.168.75.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 82-PNS { ipaddr = 192.168.82.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 183-PNS { ipaddr = 192.168.183.250 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached systemd watchdog is disabled. thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 cleanup_delay = 5 max_queue_size = 65536 queue_priority = "default" auto_limit_acct = no } listen { type = "auth" ipaddr = * port = 0 recv_buff = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 recv_buff = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipv6addr = :: port = 0 recv_buff = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipv6addr = :: port = 0 recv_buff = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP # Creating Auth-Type = eap # Creating Auth-Type = ntlm_auth # Creating Auth-Type = digest listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 recv_buff = 0 } radiusd: #### Loading modules #### modules { # Loaded module "rlm_always" # Loading module "reject" from file /opt/freeradius/etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /opt/freeradius/etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /opt/freeradius/etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /opt/freeradius/etc/raddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /opt/freeradius/etc/raddb/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /opt/freeradius/etc/raddb/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /opt/freeradius/etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /opt/freeradius/etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /opt/freeradius/etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module "rlm_attr_filter" # Loading module "attr_filter.post-proxy" from file /opt/freeradius/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/opt/freeradius/etc/raddb/mods-config/attr_filter/post-proxy" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /opt/freeradius/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/opt/freeradius/etc/raddb/mods-config/attr_filter/pre-proxy" relaxed = no } # Loading module "attr_filter.access_reject" from file /opt/freeradius/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/opt/freeradius/etc/raddb/mods-config/attr_filter/access_reject" relaxed = no } # Loading module "attr_filter.access_challenge" from file /opt/freeradius/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/opt/freeradius/etc/raddb/mods-config/attr_filter/access_challenge" relaxed = no } # Loading module "attr_filter.accounting_response" from file /opt/freeradius/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/opt/freeradius/etc/raddb/mods-config/attr_filter/accounting_response" relaxed = no } # Loaded module "rlm_cache" # Loading module "cache_eap" from file /opt/freeradius/etc/raddb/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loaded module "rlm_chap" # Loading module "chap" from file /opt/freeradius/etc/raddb/mods-enabled/chap # Loaded module "rlm_detail" # Loading module "detail" from file /opt/freeradius/etc/raddb/mods-enabled/detail detail { filename = "/opt/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "auth_log" from file /opt/freeradius/etc/raddb/mods-enabled/detail.log detail auth_log { filename = "/opt/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /opt/freeradius/etc/raddb/mods-enabled/detail.log detail reply_log { filename = "/opt/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /opt/freeradius/etc/raddb/mods-enabled/detail.log detail pre_proxy_log { filename = "/opt/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /opt/freeradius/etc/raddb/mods-enabled/detail.log detail post_proxy_log { filename = "/opt/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module "rlm_digest" # Loading module "digest" from file /opt/freeradius/etc/raddb/mods-enabled/digest # Loaded module "rlm_dhcp" # Loading module "dhcp" from file /opt/freeradius/etc/raddb/mods-enabled/dhcp # Loaded module "rlm_dynamic_clients" # Loading module "dynamic_clients" from file /opt/freeradius/etc/raddb/mods-enabled/dynamic_clients # Loaded module "rlm_eap" # Loading module "eap" from file /opt/freeradius/etc/raddb/mods-enabled/eap eap { default_eap_type = "tls" ignore_unknown_eap_types = no cisco_accounting_username_bug = no } # Loaded module "rlm_eap_md5" # Loaded module "rlm_eap_leap" # Loaded module "rlm_eap_gtc" gtc { challenge = "Password: " auth_type = "PAP" } # Loaded module "rlm_eap_tls" tls { tls = "tls-common" require_client_cert = yes include_length = yes } tls-config tls-common { verify_depth = 0 ca_path = "/opt/freeradius/etc/raddb/certs" pem_file_type = yes private_key_file = "/opt/freeradius/etc/raddb/certs/server.pem" certificate_file = "/opt/freeradius/etc/raddb/certs/server.pem" ca_file = "/opt/freeradius/etc/raddb/certs/ca_and_crl.pem" private_key_password = <<< secret >>> dh_file = "/opt/freeradius/etc/raddb/certs/dh" fragment_size = 1024 auto_chain = yes check_crl = yes cipher_list = "DEFAULT" allow_renegotiation = no ecdh_curve = "prime256v1" disable_tlsv1_2 = no cache { lifetime = 86400 verify = no } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } staple { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Loaded module "rlm_eap_ttls" ttls { tls = "tls-common" virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls - Using cached TLS configuration from previous invocation # Loaded module "rlm_eap_peap" peap { tls = "tls-common" proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls - Using cached TLS configuration from previous invocation # Loaded module "rlm_eap_mschapv2" mschapv2 { with_ntdomain_hack = no send_error = no identity = "radius" } # Loading module "inner-eap" from file /opt/freeradius/etc/raddb/mods-enabled/eap_inner eap inner-eap { default_eap_type = "mschapv2" ignore_unknown_eap_types = no cisco_accounting_username_bug = no } gtc { challenge = "Password: " auth_type = "PAP" } mschapv2 { with_ntdomain_hack = no send_error = no } tls { tls = "tls-peer" require_client_cert = yes include_length = yes } tls-config tls-peer { verify_depth = 0 ca_path = "/opt/freeradius/etc/raddb/certs" pem_file_type = yes private_key_file = "/opt/freeradius/etc/raddb/certs/server.key" certificate_file = "/opt/freeradius/etc/raddb/certs/server.pem" ca_file = "/opt/freeradius/etc/raddb/certs/ca.pem" private_key_password = <<< secret >>> dh_file = "/opt/freeradius/etc/raddb/certs/dh" fragment_size = 16384 auto_chain = yes check_crl = yes allow_renegotiation = no ecdh_curve = "prime256v1" cache { lifetime = 86400 verify = no } verify { } ocsp { enable = no override_cert_url = no use_nonce = yes timeout = 0 softfail = no } staple { enable = no override_cert_url = no use_nonce = yes timeout = 0 softfail = no } } # Loaded module "rlm_exec" # Loading module "echo" from file /opt/freeradius/etc/raddb/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loading module "exec" from file /opt/freeradius/etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module "rlm_expiration" # Loading module "expiration" from file /opt/freeradius/etc/raddb/mods-enabled/expiration # Loaded module "rlm_expr" # Loading module "expr" from file /opt/freeradius/etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module "rlm_files" # Loading module "files" from file /opt/freeradius/etc/raddb/mods-enabled/files files { filename = "/opt/freeradius/etc/raddb/mods-config/files/authorize" acctusersfile = "/opt/freeradius/etc/raddb/mods-config/files/accounting" preproxy_usersfile = "/opt/freeradius/etc/raddb/mods-config/files/pre-proxy" } # Loaded module "rlm_linelog" # Loading module "linelog" from file /opt/freeradius/etc/raddb/mods-enabled/linelog linelog { destination = "file" delimiter = " " file { filename = "/opt/freeradius/var/log/radius/linelog" permissions = 384 escape_filenames = no } syslog { severity = "info" } unix { } tcp { port = 514 timeout = 2.000000 } udp { port = 514 timeout = 2.000000 } } # Loading module "log_accounting" from file /opt/freeradius/etc/raddb/mods-enabled/linelog linelog log_accounting { destination = "file" delimiter = " " file { filename = "/opt/freeradius/var/log/radius/linelog-accounting" permissions = 384 escape_filenames = no } syslog { severity = "info" } unix { } tcp { timeout = 1000.000000 } udp { timeout = 1000.000000 } } # Loaded module "rlm_logintime" # Loading module "logintime" from file /opt/freeradius/etc/raddb/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module "rlm_mschap" # Loading module "mschap" from file /opt/freeradius/etc/raddb/mods-enabled/mschap mschap { use_mppe = no require_encryption = yes require_strong = yes with_ntdomain_hack = yes ntlm_auth = "/opt/samba/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-RSDNET} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" ntlm_auth_timeout = 10 passchange { } allow_retry = yes } # Loading module "ntlm_auth" from file /opt/freeradius/etc/raddb/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/opt/samba/bin/ntlm_auth --request-nt-key --domain=RSDNET --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module "rlm_pap" # Loading module "pap" from file /opt/freeradius/etc/raddb/mods-enabled/pap pap { normalise = yes } # Loaded module "rlm_passwd" # Loading module "etc_passwd" from file /opt/freeradius/etc/raddb/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module "rlm_preprocess" # Loading module "preprocess" from file /opt/freeradius/etc/raddb/mods-enabled/preprocess preprocess { huntgroups = "/opt/freeradius/etc/raddb/mods-config/preprocess/huntgroups" hints = "/opt/freeradius/etc/raddb/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module "rlm_radutmp" # Loading module "radutmp" from file /opt/freeradius/etc/raddb/mods-enabled/radutmp radutmp { filename = "/opt/freeradius/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module "rlm_realm" # Loading module "IPASS" from file /opt/freeradius/etc/raddb/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /opt/freeradius/etc/raddb/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /opt/freeradius/etc/raddb/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /opt/freeradius/etc/raddb/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module "rlm_replicate" # Loading module "replicate" from file /opt/freeradius/etc/raddb/mods-enabled/replicate # Loaded module "rlm_soh" # Loading module "soh" from file /opt/freeradius/etc/raddb/mods-enabled/soh soh { dhcp = yes } # Loading module "sradutmp" from file /opt/freeradius/etc/raddb/mods-enabled/sradutmp radutmp sradutmp { filename = "/opt/freeradius/var/log/radius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module "rlm_unix" # Loading module "unix" from file /opt/freeradius/etc/raddb/mods-enabled/unix unix { radwtmp = "/opt/freeradius/var/log/radius/radwtmp" } Creating attribute Unix-Group # Loaded module "rlm_unpack" # Loading module "unpack" from file /opt/freeradius/etc/raddb/mods-enabled/unpack # Loaded module "rlm_utf8" # Loading module "utf8" from file /opt/freeradius/etc/raddb/mods-enabled/utf8 rlm_ldap - libldap vendor: OpenLDAP, version: 20440 # Loaded module "rlm_ldap" # Loading module "ldap" from file /opt/freeradius/etc/raddb/mods-enabled/ldap ldap { server = "dc12vm.rsdtc.com" identity = "cn=radius,cn=users,dc=rsdtc,dc=com" password = <<< secret >>> sasl { } user { scope = "sub" access_attribute = "WiFi" access_positive = yes sasl { } } group { filter = "(objectClass=posixGroup)" scope = "sub" name_attribute = "cn" membership_attribute = "memberOf" membership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))" cacheable_name = no cacheable_dn = no } client { filter = "(objectClass=radiusClient)" scope = "sub" base_dn = "dc=rsdtc,dc=com" } profile { } options { ldap_debug = 40 chase_referrals = yes use_referral_credentials = no rebind = yes session_tracking = no res_timeout = 10 srv_timelimit = 3 idle = 60 probes = 3 interval = 3 } tls { start_tls = no } } Creating attribute LDAP-Group instantiate { } } # modules # Instantiating module "reject" from file /opt/freeradius/etc/raddb/mods-enabled/always # Instantiating module "fail" from file /opt/freeradius/etc/raddb/mods-enabled/always # Instantiating module "ok" from file /opt/freeradius/etc/raddb/mods-enabled/always # Instantiating module "handled" from file /opt/freeradius/etc/raddb/mods-enabled/always # Instantiating module "invalid" from file /opt/freeradius/etc/raddb/mods-enabled/always # Instantiating module "userlock" from file /opt/freeradius/etc/raddb/mods-enabled/always # Instantiating module "notfound" from file /opt/freeradius/etc/raddb/mods-enabled/always # Instantiating module "noop" from file /opt/freeradius/etc/raddb/mods-enabled/always # Instantiating module "updated" from file /opt/freeradius/etc/raddb/mods-enabled/always # Instantiating module "attr_filter.post-proxy" from file /opt/freeradius/etc/raddb/mods-enabled/attr_filter reading file /opt/freeradius/etc/raddb/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /opt/freeradius/etc/raddb/mods-enabled/attr_filter reading file /opt/freeradius/etc/raddb/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /opt/freeradius/etc/raddb/mods-enabled/attr_filter reading file /opt/freeradius/etc/raddb/mods-config/attr_filter/access_reject [/opt/freeradius/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". [/opt/freeradius/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT". # Instantiating module "attr_filter.access_challenge" from file /opt/freeradius/etc/raddb/mods-enabled/attr_filter reading file /opt/freeradius/etc/raddb/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /opt/freeradius/etc/raddb/mods-enabled/attr_filter reading file /opt/freeradius/etc/raddb/mods-config/attr_filter/accounting_response # Instantiating module "cache_eap" from file /opt/freeradius/etc/raddb/mods-enabled/cache_eap # Loaded module "rlm_cache_rbtree" # Instantiating module "detail" from file /opt/freeradius/etc/raddb/mods-enabled/detail # Instantiating module "auth_log" from file /opt/freeradius/etc/raddb/mods-enabled/detail.log rlm_detail (auth_log) - 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /opt/freeradius/etc/raddb/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /opt/freeradius/etc/raddb/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /opt/freeradius/etc/raddb/mods-enabled/detail.log # Instantiating module "expiration" from file /opt/freeradius/etc/raddb/mods-enabled/expiration # Instantiating module "files" from file /opt/freeradius/etc/raddb/mods-enabled/files reading file /opt/freeradius/etc/raddb/mods-config/files/authorize reading file /opt/freeradius/etc/raddb/mods-config/files/accounting reading file /opt/freeradius/etc/raddb/mods-config/files/pre-proxy # Instantiating module "linelog" from file /opt/freeradius/etc/raddb/mods-enabled/linelog # Instantiating module "log_accounting" from file /opt/freeradius/etc/raddb/mods-enabled/linelog # Instantiating module "logintime" from file /opt/freeradius/etc/raddb/mods-enabled/logintime # Instantiating module "mschap" from file /opt/freeradius/etc/raddb/mods-enabled/mschap mschap : authenticating by calling 'ntlm_auth' # Instantiating module "pap" from file /opt/freeradius/etc/raddb/mods-enabled/pap # Instantiating module "etc_passwd" from file /opt/freeradius/etc/raddb/mods-enabled/passwd # Instantiating module "preprocess" from file /opt/freeradius/etc/raddb/mods-enabled/preprocess reading file /opt/freeradius/etc/raddb/mods-config/preprocess/huntgroups reading file /opt/freeradius/etc/raddb/mods-config/preprocess/hints # Instantiating module "IPASS" from file /opt/freeradius/etc/raddb/mods-enabled/realm # Instantiating module "suffix" from file /opt/freeradius/etc/raddb/mods-enabled/realm # Instantiating module "realmpercent" from file /opt/freeradius/etc/raddb/mods-enabled/realm # Instantiating module "ntdomain" from file /opt/freeradius/etc/raddb/mods-enabled/realm # Instantiating module "ldap" from file /opt/freeradius/etc/raddb/mods-enabled/ldap accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" } post-auth { reference = "." } rlm_ldap (ldap) - Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 connect_timeout = 3.000000 held_trigger_min = 0.000000 held_trigger_max = 0.500000 retry_delay = 30 spread = no } rlm_ldap (ldap) - Opening additional connection (0), 1 of 32 pending slots used rlm_ldap (ldap) - Connecting to ldap://dc12vm.rsdtc.com:389 rlm_ldap (ldap) - Waiting for bind result... rlm_ldap (ldap) - Bind successful rlm_ldap (ldap) - Performing search in "" with filter "(objectclass=*)", scope "base" rlm_ldap (ldap) - Waiting for search result... rlm_ldap (ldap) - Directory type: Active Directory rlm_ldap (ldap) - Opening additional connection (1), 1 of 31 pending slots used rlm_ldap (ldap) - Connecting to ldap://dc12vm.rsdtc.com:389 rlm_ldap (ldap) - Waiting for bind result... rlm_ldap (ldap) - Bind successful rlm_ldap (ldap) - Opening additional connection (2), 1 of 30 pending slots used rlm_ldap (ldap) - Connecting to ldap://dc12vm.rsdtc.com:389 rlm_ldap (ldap) - Waiting for bind result... rlm_ldap (ldap) - Bind successful rlm_ldap (ldap) - Opening additional connection (3), 1 of 29 pending slots used rlm_ldap (ldap) - Connecting to ldap://dc12vm.rsdtc.com:389 rlm_ldap (ldap) - Waiting for bind result... rlm_ldap (ldap) - Bind successful rlm_ldap (ldap) - Opening additional connection (4), 1 of 28 pending slots used rlm_ldap (ldap) - Connecting to ldap://dc12vm.rsdtc.com:389 rlm_ldap (ldap) - Waiting for bind result... rlm_ldap (ldap) - Bind successful radiusd: #### Loading Virtual Servers #### server default { # from file /opt/freeradius/etc/raddb/sites-enabled/default } # server default server inner-tunnel { # from file /opt/freeradius/etc/raddb/sites-enabled/inner-tunnel } # server inner-tunnel radiusd: #### Opening IP addresses and Ports #### Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on proxy address * port 58700 Listening on proxy address :: port 53027 Ready to process requests
On Oct 20, 2016, at 5:40 PM, TJ2718 via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Originally I was using CentoOS 7 with Samba 4.2.10 and FreeRadius 3.0.4 on a Windows network that was on Server 2003 and Forest Functional Level. We were using certificate base authentications for tablets and username and password for certain users. We upgraded the functional level to 2012R2 Native and it broke everything.
That's bad...
Neither certificates or username and passwords would get any Accepts, only Rejects.
The debug log will show why. Please read it.
I changed the config from ... Just to get people working again. This was confirmed with two test users using
Since I have no idea what your configuration does, I also have no idea why changing this would affect anything. Again, read the debug output. There's a *reason* we recommend reading it. A user successfully logging in tells you almost nothing. The debug log from a user getting rejected when you expect him to be accepted is *much* more useful.
Currently:
I built another server on CentOS 7 but built Samba 4.5.0 and FreeRadius 4.0.x from source to see if newer versions were more compatible,
Don't run v4.0.x. It's not ready for production. Use 3.0.12, which is the most recent stable release, and documented as such on the web site.
again closely following the deployingfreeradius.com guides. I edited the config files to try and get authorization working again. I can get it doing the same thing where certificates and all AD users can get logged in or only users in the WiFi group get Accepts but none of the certificates get Accepts.
The odd thing, or least what I don't understand is: Why the certificates stop working even though the computer accounts are also in the WiFi security group.
If only the debug output had useful information about the certificates. ... which it does.
I guess what it comes down to is a few of questions:
1. Is Samba 4.5.0/FreeRadius 4.0.x even compatible with a 2012R2 forest functional level (schema 69) as a member server? I've seen some posts stating that it's experimental as a DC but not whether a member server is working/stable.
It should work.
2. Is it compatible with a Windows Server 2016 forest functional level as we will be heading down that road soon?
If you changed Windows and it stopped working... blame Windows. Not FreeRADIUS.
3. Should it be possible to have certificate based authorizations AND LDAP group authorizations working on the same server. If yes, I would greatly appreciate any tips or help in figuring out how to get it configured correctly and working again.
If you had it working before, it should continue to work. Barring things like *old* certificates, or certificates which have deprecated message digest methods.
Thank you for any guidance you can provide, Travis
radiusd -X
Which shows the server starting up, but does *not* show it receiving any packets. Which means it's completely useless. You should be able to fix this with a bit of patience. 1) install 3.0.12 2) READ THE DEBUG OUTPUT FOR USERS WHO GET REJECTED 3) you may need to re-issue all certificates. Or maybe not, if the problem is only LDAP groups. Either way, you haven't posted enough information. I can only make wild guesses as to what the problem is. Alan DeKok.
On 20/10/16 22:40, TJ2718 via Freeradius-Users wrote:
Originally I was using CentoOS 7 with Samba 4.2.10 and FreeRadius 3.0.4 on a Windows network that was on Server 2003 and Forest Functional Level. We were using certificate base authentications for tablets and username and password for certain users. We upgraded the functional level to 2012R2 Native and it broke everything.
It's probably LDAP.
post-auth {
# if (Ldap-Group == "WiFi") { # noop # }
So you've commented out the Ldap-Group check and it works. My guess is that the AD functional upgrade has changed the schema or LDAP permissions and your group query is failing now.
and watching the radiusd -X debug.
As Alan says - you need to post a debug of a *failing* case. Better yet, look carefully at it the debug before posting it - the failure will probably be obvious. If not, post the full debug of a failure. Cheers, Phil
Following Alan's guidance from his post earlier, I have: 1) Removed FreeRADIUS 4.0.x and installed 3.0.12 2) I've read through the debug when a failure occurs. It looks like while I have the LDAP check enabled the computers using certificates get rejected because they are not found by the LDAP search/filter. (5) if (Ldap-Group == "WiFi") -> FALSE (5) else { (5) [reject] = reject (5) } # else = reject (5) } # post-auth = reject (5) Using Post-Auth-Type Reject 3) When the LDAP check is commented out the computers using certificates can connect so I have not reissued all certificates yet. From the debug failure it appears to be an LDAP query/filter issue. Am I interpreting the output correctly?
We upgraded the functional level to 2012R2 Native and it broke everything.
It's probably LDAP.
I believe it may be the LDAP group membership filter which is: membership_filter = "(|(member=%{control:Ldap-UserDn})(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))" The computers are joined to our domain and their computer accounts are in the WiFi security group. Their sAMAccountName ends with a $ Is that why there is not a match with the membership_filter?
post-auth {
# if (Ldap-Group == "WiFi") { # noop # }
So you've commented out the Ldap-Group check and it works. My guess is that the AD functional upgrade has changed the schema or LDAP permissions and your group query is failing now.
and watching the radiusd -X debug.
As Alan says - you need to post a debug of a *failing* case. Better yet, look carefully at it the debug before posting it - the failure will probably be obvious.
If not, post the full debug of a failure.
Please see debug below. I would like to configure it so that if the computer has a valid certificate it would use EAP-TLS and be connected, if no certificate is presented FreeRADIUS would prompt for username and password and use LDAP-Group membership being the determining factor whether or not the user is granted access. Thank you for your input. ***DEBUG*** Ready to process requests (0) Received Access-Request Id 27 from 10.10.2.5:32809 to 10.10.0.238:1812 length 197 (0) User-Name = "host/TElsberry10-Tab" (0) NAS-IP-Address = 10.10.2.5 (0) NAS-Identifier = "dc9fdb7003d4" (0) NAS-Port = 0 (0) Called-Station-Id = "DC-9F-DB-70-7A-82:RSD-TABLET" (0) Calling-Station-Id = "88-53-2E-7C-FD-DA" (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) Connect-Info = "CONNECT 0Mbps 802.11b" (0) EAP-Message = 0x0231001901686f73742f54456c73626572727931302d546162 (0) Message-Authenticator = 0x8b480d049454b1777cceef127c71a9bc (0) # Executing section authorize from file /opt/freeradius/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "host/TElsberry10-Tab", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) ntdomain: Checking for prefix before "\" (0) ntdomain: No '\' in User-Name = "host/TElsberry10-Tab", looking up realm NULL (0) ntdomain: No such realm "NULL" (0) [ntdomain] = noop (0) eap: Peer sent EAP Response (code 2) ID 49 length 25 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_tls to process data (0) eap_tls: Initiating new EAP-TLS session (0) eap_tls: Flushing SSL sessions (of #0) (0) eap_tls: Setting verify mode to require certificate from client (0) eap_tls: [eaptls start] = request (0) eap: Sending EAP Request (code 1) ID 50 length 6 (0) eap: EAP session adding &reply:State = 0xe1b5c235e187cf19 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default (0) Sent Access-Challenge Id 27 from 10.10.0.238:1812 to 10.10.2.5:32809 length 0 (0) EAP-Message = 0x013200060d20 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0xe1b5c235e187cf190cf7c580ecd5b37c (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 28 from 10.10.2.5:32809 to 10.10.0.238:1812 length 404 (1) User-Name = "host/TElsberry10-Tab" (1) NAS-IP-Address = 10.10.2.5 (1) NAS-Identifier = "dc9fdb7003d4" (1) NAS-Port = 0 (1) Called-Station-Id = "DC-9F-DB-70-7A-82:RSD-TABLET" (1) Calling-Station-Id = "88-53-2E-7C-FD-DA" (1) Framed-MTU = 1400 (1) NAS-Port-Type = Wireless-802.11 (1) Connect-Info = "CONNECT 0Mbps 802.11b" (1) EAP-Message = 0x023200d60d80000000cc16030300c7010000c30303580e438e2c3ba26409542c6b43b8236cc0add76d5f301b22f977a5639f4ee00420b34e87a7414a2363c38f425676fe4f42d2ae22d16561ca32a2d9ed6aaa5463fa003cc02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013003900 (1) State = 0xe1b5c235e187cf190cf7c580ecd5b37c (1) Message-Authenticator = 0x3de565fdd57ae1d8ecf2966261faf36d (1) session-state: No cached attributes (1) # Executing section authorize from file /opt/freeradius/etc/raddb/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "host/TElsberry10-Tab", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) ntdomain: Checking for prefix before "\" (1) ntdomain: No '\' in User-Name = "host/TElsberry10-Tab", looking up realm NULL (1) ntdomain: No such realm "NULL" (1) [ntdomain] = noop (1) eap: Peer sent EAP Response (code 2) ID 50 length 214 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [files] = noop (1) [expiration] = noop (1) [logintime] = noop (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0xe1b5c235e187cf19 (1) eap: Finished EAP session with state 0xe1b5c235e187cf19 (1) eap: Previous EAP request found for state 0xe1b5c235e187cf19, released from the list (1) eap: Peer sent packet with method EAP TLS (13) (1) eap: Calling submodule eap_tls to process data (1) eap_tls: Continuing EAP-TLS (1) eap_tls: Peer indicated complete TLS record size will be 204 bytes (1) eap_tls: Got complete TLS record (204 bytes) (1) eap_tls: [eaptls verify] = length included (1) eap_tls: (other): before/accept initialization (1) eap_tls: TLS_accept: before/accept initialization (1) eap_tls: <<< recv TLS 1.2 [length 00c7] (1) eap_tls: TLS_accept: SSLv3 read client hello A (1) eap_tls: >>> send TLS 1.2 [length 0059] (1) eap_tls: TLS_accept: SSLv3 write server hello A (1) eap_tls: >>> send TLS 1.2 [length 085c] (1) eap_tls: TLS_accept: SSLv3 write certificate A (1) eap_tls: >>> send TLS 1.2 [length 014d] (1) eap_tls: TLS_accept: SSLv3 write key exchange A (1) eap_tls: >>> send TLS 1.2 [length 00c6] (1) eap_tls: TLS_accept: SSLv3 write certificate request A (1) eap_tls: TLS_accept: SSLv3 flush data (1) eap_tls: TLS_accept: Need to read more data: SSLv3 read client certificate A (1) eap_tls: TLS_accept: Need to read more data: SSLv3 read client certificate A (1) eap_tls: In SSL Handshake Phase (1) eap_tls: In SSL Accept mode (1) eap_tls: [eaptls process] = handled (1) eap: Sending EAP Request (code 1) ID 51 length 1004 (1) eap: EAP session adding &reply:State = 0xe1b5c235e086cf19 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default (1) Sent Access-Challenge Id 28 from 10.10.0.238:1812 to 10.10.2.5:32809 length 0 (1) EAP-Message = 0x013303ec0dc000000adc160303005902000055030354f2b96677d828e24af212a93d25dc6911e0f6d5662710489e0f21fd09b95c69201a364ac83fb12e7e36891f3bab987c5f3155520aa2fb3391dac9551a778e70b0c03000000dff01000100000b000403000102160303085c0b0008580008550003a4 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0xe1b5c235e086cf190cf7c580ecd5b37c (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 29 from 10.10.2.5:32809 to 10.10.0.238:1812 length 196 (2) User-Name = "host/TElsberry10-Tab" (2) NAS-IP-Address = 10.10.2.5 (2) NAS-Identifier = "dc9fdb7003d4" (2) NAS-Port = 0 (2) Called-Station-Id = "DC-9F-DB-70-7A-82:RSD-TABLET" (2) Calling-Station-Id = "88-53-2E-7C-FD-DA" (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) Connect-Info = "CONNECT 0Mbps 802.11b" (2) EAP-Message = 0x023300060d00 (2) State = 0xe1b5c235e086cf190cf7c580ecd5b37c (2) Message-Authenticator = 0xeba2bda8b2853a7e3d1ae63406185608 (2) session-state: No cached attributes (2) # Executing section authorize from file /opt/freeradius/etc/raddb/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "host/TElsberry10-Tab", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) ntdomain: Checking for prefix before "\" (2) ntdomain: No '\' in User-Name = "host/TElsberry10-Tab", looking up realm NULL (2) ntdomain: No such realm "NULL" (2) [ntdomain] = noop (2) eap: Peer sent EAP Response (code 2) ID 51 length 6 (2) eap: No EAP Start, assuming it's an on-going EAP conversation (2) [eap] = updated (2) [files] = noop (2) [expiration] = noop (2) [logintime] = noop (2) [pap] = noop (2) } # authorize = updated (2) Found Auth-Type = eap (2) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0xe1b5c235e086cf19 (2) eap: Finished EAP session with state 0xe1b5c235e086cf19 (2) eap: Previous EAP request found for state 0xe1b5c235e086cf19, released from the list (2) eap: Peer sent packet with method EAP TLS (13) (2) eap: Calling submodule eap_tls to process data (2) eap_tls: Continuing EAP-TLS (2) eap_tls: Peer ACKed our handshake fragment (2) eap_tls: [eaptls verify] = request (2) eap_tls: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 52 length 1004 (2) eap: EAP session adding &reply:State = 0xe1b5c235e381cf19 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default (2) Sent Access-Challenge Id 29 from 10.10.0.238:1812 to 10.10.2.5:32809 length 0 (2) EAP-Message = 0x013403ec0dc000000adc3d020af37f4d5ca6683ed1bb3c3f0126e81cbf4dca7685005045586f807a4afae217d51b520f606f936e43f1123b8f0004ab308204a73082038fa003020102020900a793227a08ee79ec300d06092a864886f70d0101050500308193310b300906035504061302555331133011 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0xe1b5c235e381cf190cf7c580ecd5b37c (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 30 from 10.10.2.5:32809 to 10.10.0.238:1812 length 196 (3) User-Name = "host/TElsberry10-Tab" (3) NAS-IP-Address = 10.10.2.5 (3) NAS-Identifier = "dc9fdb7003d4" (3) NAS-Port = 0 (3) Called-Station-Id = "DC-9F-DB-70-7A-82:RSD-TABLET" (3) Calling-Station-Id = "88-53-2E-7C-FD-DA" (3) Framed-MTU = 1400 (3) NAS-Port-Type = Wireless-802.11 (3) Connect-Info = "CONNECT 0Mbps 802.11b" (3) EAP-Message = 0x023400060d00 (3) State = 0xe1b5c235e381cf190cf7c580ecd5b37c (3) Message-Authenticator = 0x3ed9b3db9703668243209cb24444213b (3) session-state: No cached attributes (3) # Executing section authorize from file /opt/freeradius/etc/raddb/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "host/TElsberry10-Tab", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) ntdomain: Checking for prefix before "\" (3) ntdomain: No '\' in User-Name = "host/TElsberry10-Tab", looking up realm NULL (3) ntdomain: No such realm "NULL" (3) [ntdomain] = noop (3) eap: Peer sent EAP Response (code 2) ID 52 length 6 (3) eap: No EAP Start, assuming it's an on-going EAP conversation (3) [eap] = updated (3) [files] = noop (3) [expiration] = noop (3) [logintime] = noop (3) [pap] = noop (3) } # authorize = updated (3) Found Auth-Type = eap (3) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0xe1b5c235e381cf19 (3) eap: Finished EAP session with state 0xe1b5c235e381cf19 (3) eap: Previous EAP request found for state 0xe1b5c235e381cf19, released from the list (3) eap: Peer sent packet with method EAP TLS (13) (3) eap: Calling submodule eap_tls to process data (3) eap_tls: Continuing EAP-TLS (3) eap_tls: Peer ACKed our handshake fragment (3) eap_tls: [eaptls verify] = request (3) eap_tls: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 53 length 802 (3) eap: EAP session adding &reply:State = 0xe1b5c235e280cf19 (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default (3) Sent Access-Challenge Id 30 from 10.10.0.238:1812 to 10.10.2.5:32809 length 0 (3) EAP-Message = 0x013503220d8000000adc57cffcd6a6e267773915e7f022918d87964b4e86868ffa7591f71fbab5286049316c8d7073ea5adbf3c6906964d21f07b7052d41b86ae3f55e0708864a12e874d436f993b3ac1be6258aaa41f5af26b93b9feb744ca9b3920c3c177703388abcfbc89202f0bc22c65f8efa1329 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0xe1b5c235e280cf190cf7c580ecd5b37c (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 31 from 10.10.2.5:32809 to 10.10.0.238:1812 length 1535 (4) User-Name = "host/TElsberry10-Tab" (4) NAS-IP-Address = 10.10.2.5 (4) NAS-Identifier = "dc9fdb7003d4" (4) NAS-Port = 0 (4) Called-Station-Id = "DC-9F-DB-70-7A-82:RSD-TABLET" (4) Calling-Station-Id = "88-53-2E-7C-FD-DA" (4) Framed-MTU = 1400 (4) NAS-Port-Type = Wireless-802.11 (4) Connect-Info = "CONNECT 0Mbps 802.11b" (4) EAP-Message = 0x023505370d800000052d16030304f50b0003a30003a000039d3082039930820281a0030201020202009c300d06092a864886f70d0101050500308193310b3009060355040613025553311330110603550408130a43616c69666f726e6961311430120603550407130b4c616b6520466f72657374310c30 (4) State = 0xe1b5c235e280cf190cf7c580ecd5b37c (4) Message-Authenticator = 0xe4d02148bbf11903f7995c2ea5760ecc (4) session-state: No cached attributes (4) # Executing section authorize from file /opt/freeradius/etc/raddb/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "host/TElsberry10-Tab", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) ntdomain: Checking for prefix before "\" (4) ntdomain: No '\' in User-Name = "host/TElsberry10-Tab", looking up realm NULL (4) ntdomain: No such realm "NULL" (4) [ntdomain] = noop (4) eap: Peer sent EAP Response (code 2) ID 53 length 1335 (4) eap: No EAP Start, assuming it's an on-going EAP conversation (4) [eap] = updated (4) [files] = noop (4) [expiration] = noop (4) [logintime] = noop (4) [pap] = noop (4) } # authorize = updated (4) Found Auth-Type = eap (4) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0xe1b5c235e280cf19 (4) eap: Finished EAP session with state 0xe1b5c235e280cf19 (4) eap: Previous EAP request found for state 0xe1b5c235e280cf19, released from the list (4) eap: Peer sent packet with method EAP TLS (13) (4) eap: Calling submodule eap_tls to process data (4) eap_tls: Continuing EAP-TLS (4) eap_tls: Peer indicated complete TLS record size will be 1325 bytes (4) eap_tls: Got complete TLS record (1325 bytes) (4) eap_tls: [eaptls verify] = length included (4) eap_tls: <<< recv TLS 1.2 [length 03a7] (4) eap_tls: Creating attributes from certificate OIDs (4) eap_tls: TLS-Cert-Serial := "a793227a08ee79ec" (4) eap_tls: TLS-Cert-Expiration := "400316212404Z" (4) eap_tls: TLS-Cert-Subject := "/C=US/ST=California/L=Lake Forest/O=RSD/emailAddress=telsberry@rsd.net/CN=RSD RADIUS Certificate Authority" (4) eap_tls: TLS-Cert-Issuer := "/C=US/ST=California/L=Lake Forest/O=RSD/emailAddress=telsberry@rsd.net/CN=RSD RADIUS Certificate Authority" (4) eap_tls: TLS-Cert-Common-Name := "RSD RADIUS Certificate Authority" (4) eap_tls: Creating attributes from certificate OIDs (4) eap_tls: TLS-Client-Cert-Serial := "9c" (4) eap_tls: TLS-Client-Cert-Expiration := "260822222730Z" (4) eap_tls: TLS-Client-Cert-Subject := "/C=US/ST=California/O=RSD/CN=TElsberry10-Tab/emailAddress=TElsberry10-Tab@rsd.net" (4) eap_tls: TLS-Client-Cert-Issuer := "/C=US/ST=California/L=Lake Forest/O=RSD/emailAddress=telsberry@rsd.net/CN=RSD RADIUS Certificate Authority" (4) eap_tls: TLS-Client-Cert-Common-Name := "TElsberry10-Tab" (4) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication" (4) eap_tls: TLS_accept: SSLv3 read client certificate A (4) eap_tls: <<< recv TLS 1.2 [length 0046] (4) eap_tls: TLS_accept: SSLv3 read client key exchange A (4) eap_tls: <<< recv TLS 1.2 [length 0108] (4) eap_tls: TLS_accept: SSLv3 read certificate verify A (4) eap_tls: <<< recv TLS 1.2 [length 0001] (4) eap_tls: <<< recv TLS 1.2 [length 0010] (4) eap_tls: TLS_accept: SSLv3 read finished A (4) eap_tls: >>> send TLS 1.2 [length 0001] (4) eap_tls: TLS_accept: SSLv3 write change cipher spec A (4) eap_tls: >>> send TLS 1.2 [length 0010] (4) eap_tls: TLS_accept: SSLv3 write finished A (4) eap_tls: TLS_accept: SSLv3 flush data (4) eap_tls: (other): SSL negotiation finished successfully (4) eap_tls: SSL Connection Established (4) eap_tls: [eaptls process] = handled (4) eap: Sending EAP Request (code 1) ID 54 length 61 (4) eap: EAP session adding &reply:State = 0xe1b5c235e583cf19 (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default (4) Sent Access-Challenge Id 31 from 10.10.0.238:1812 to 10.10.2.5:32809 length 0 (4) EAP-Message = 0x0136003d0d8000000033140303000101160303002842b8eeefd7fa470e6317261c9fbe1ab5c6ba81a8691930eecd62774bb3bd248f9cbfac2dc45404ec (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0xe1b5c235e583cf190cf7c580ecd5b37c (4) Finished request Waking up in 4.8 seconds. (5) Received Access-Request Id 32 from 10.10.2.5:32809 to 10.10.0.238:1812 length 196 (5) User-Name = "host/TElsberry10-Tab" (5) NAS-IP-Address = 10.10.2.5 (5) NAS-Identifier = "dc9fdb7003d4" (5) NAS-Port = 0 (5) Called-Station-Id = "DC-9F-DB-70-7A-82:RSD-TABLET" (5) Calling-Station-Id = "88-53-2E-7C-FD-DA" (5) Framed-MTU = 1400 (5) NAS-Port-Type = Wireless-802.11 (5) Connect-Info = "CONNECT 0Mbps 802.11b" (5) EAP-Message = 0x023600060d00 (5) State = 0xe1b5c235e583cf190cf7c580ecd5b37c (5) Message-Authenticator = 0xb44d62e8c23068a4e0c13849488f835d (5) session-state: No cached attributes (5) # Executing section authorize from file /opt/freeradius/etc/raddb/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "host/TElsberry10-Tab", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) ntdomain: Checking for prefix before "\" (5) ntdomain: No '\' in User-Name = "host/TElsberry10-Tab", looking up realm NULL (5) ntdomain: No such realm "NULL" (5) [ntdomain] = noop (5) eap: Peer sent EAP Response (code 2) ID 54 length 6 (5) eap: No EAP Start, assuming it's an on-going EAP conversation (5) [eap] = updated (5) [files] = noop (5) [expiration] = noop (5) [logintime] = noop (5) [pap] = noop (5) } # authorize = updated (5) Found Auth-Type = eap (5) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0xe1b5c235e583cf19 (5) eap: Finished EAP session with state 0xe1b5c235e583cf19 (5) eap: Previous EAP request found for state 0xe1b5c235e583cf19, released from the list (5) eap: Peer sent packet with method EAP TLS (13) (5) eap: Calling submodule eap_tls to process data (5) eap_tls: Continuing EAP-TLS (5) eap_tls: Peer ACKed our handshake fragment. handshake is finished (5) eap_tls: [eaptls verify] = success (5) eap_tls: [eaptls process] = success (5) eap_tls: caching TLS-Cert-Serial := "a793227a08ee79ec" (5) eap_tls: caching TLS-Cert-Expiration := "400316212404Z" (5) eap_tls: caching TLS-Cert-Subject := "/C=US/ST=California/L=Lake Forest/O=RSD/emailAddress=telsberry@rsd.net/CN=RSD RADIUS Certificate Authority" (5) eap_tls: caching TLS-Cert-Issuer := "/C=US/ST=California/L=Lake Forest/O=RSD/emailAddress=telsberry@rsd.net/CN=RSD RADIUS Certificate Authority" (5) eap_tls: caching TLS-Cert-Common-Name := "RSD RADIUS Certificate Authority" (5) eap_tls: caching TLS-Client-Cert-Serial := "9c" (5) eap_tls: caching TLS-Client-Cert-Expiration := "260822222730Z" (5) eap_tls: caching TLS-Client-Cert-Subject := "/C=US/ST=California/O=RSD/CN=TElsberry10-Tab/emailAddress=TElsberry10-Tab@rsd.net" (5) eap_tls: caching TLS-Client-Cert-Issuer := "/C=US/ST=California/L=Lake Forest/O=RSD/emailAddress=telsberry@rsd.net/CN=RSD RADIUS Certificate Authority" (5) eap_tls: caching TLS-Client-Cert-Common-Name := "TElsberry10-Tab" (5) eap_tls: caching TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication" (5) eap_tls: Failed to find 'persist_dir' in TLS configuration. Session will not be cached on disk. (5) eap: Sending EAP Success (code 3) ID 54 length 4 (5) eap: Freeing handler (5) [eap] = ok (5) } # authenticate = ok (5) # Executing section post-auth from file /opt/freeradius/etc/raddb/sites-enabled/default (5) post-auth { (5) if (!&reply:State) { (5) if (!&reply:State) -> TRUE (5) if (!&reply:State) { (5) update reply { (5) EXPAND 0x%{randstr:16h} (5) --> 0x20d7cf39b7874998bcfb45bb907815d98a (5) State := 0x20d7cf39b7874998bcfb45bb907815d98a (5) } # update reply = noop (5) } # if (!&reply:State) = noop (5) update { (5) No attributes updated (5) } # update = noop (5) [exec] = noop (5) if (Ldap-Group == "WiFi") { (5) Searching for user in group "WiFi" rlm_ldap (ldap): Reserved connection (0) (5) EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) (5) --> (sAMAccountName=host/TElsberry10-Tab) (5) Performing search in "dc=rsdtc,dc=com" with filter "(sAMAccountName=host/TElsberry10-Tab)", scope "sub" (5) Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldap://ForestDnsZones.RSDTC.COM/DC=ForestDnsZones,DC=RSDTC,DC=COM rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap://DomainDnsZones.RSDTC.COM/DC=DomainDnsZones,DC=RSDTC,DC=COM rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap://RSDTC.COM/CN=Configuration,DC=RSDTC,DC=COM rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (5) Search returned no results rlm_ldap (ldap): Deleting connection (0) rlm_ldap (ldap): Need 6 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 28 pending slots used rlm_ldap (ldap): Connecting to ldap://dc12vm.rsdtc.com:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (5) if (Ldap-Group == "WiFi") -> FALSE (5) else { (5) [reject] = reject (5) } # else = reject (5) } # post-auth = reject (5) Using Post-Auth-Type Reject (5) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default (5) Post-Auth-Type REJECT { (5) [eap] = noop (5) } # Post-Auth-Type REJECT = noop (5) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (5) Sending delayed response (5) Sent Access-Reject Id 32 from 10.10.0.238:1812 to 10.10.2.5:32809 length 201 (5) MS-MPPE-Recv-Key = 0xdc168503ebb9e9734af7d32965b70a9405abf628204ab5e1dd626bccc9e820d0 (5) MS-MPPE-Send-Key = 0xd395f9b1bcb934dc4ccdfeb8e7bb2bd26d136d1ec1eadb9770d165200a08d35e (5) EAP-Message = 0x03360004 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) User-Name = "host/TElsberry10-Tab" (5) State := 0x20d7cf39b7874998bcfb45bb907815d98a Waking up in 3.7 seconds. (0) Cleaning up request packet ID 27 with timestamp +6 (1) Cleaning up request packet ID 28 with timestamp +6 (2) Cleaning up request packet ID 29 with timestamp +6 (3) Cleaning up request packet ID 30 with timestamp +6 (4) Cleaning up request packet ID 31 with timestamp +6 (5) Cleaning up request packet ID 32 with timestamp +6 Ready to process requests
On 24/10/2016 22:07, tj2718@aol.com wrote:
It looks like while I have the LDAP check enabled the computers using certificates get rejected because they are not found by the LDAP search/filter.
(5) if (Ldap-Group == "WiFi") -> FALSE
I was bitten by that too. Try changing it to: if (&Ldap-Group == "WiFi") Reason: Ldap-Group is a "magic" attribute. Rather than actually being stored on an AV list, a comparison operator which references this attribute triggers some code which performs the actual LDAP lookup(s). However, whereas in most places in FreeRADIUS the & is optional, here it's not. If you miss it, it silently fails; perhaps it is looking on the "real" AV list instead. In addition: since Ldap-Group is multi-valued, and you want to check if *any* of the groups is "WiFi", you may want to write instead if (&Ldap-Group[*] == "WiFi") If this were a normal attribute, missing the [*] would mean you only check against the first value of a multi-valued attribute. With a "magic" attribute I don't know if it's necessary, but it doesn't harm to have it. There is another way to deal with this, which is to enable one of these settings: cacheable_name = 'no' cacheable_dn = 'no' They cause the LDAP group query to be performed up-front and the results stored as real AV pairs (either the group names or the group DNs respectively). Then you can use them just like any normal attribute, e.g. in string expansions, and the '&' is optional again. Regards, Brian.
Hi,
However, whereas in most places in FreeRADIUS the & is optional, here it's not. If you miss it, it silently fails; perhaps it is looking on the "real" AV list instead.
going forward, its mandatory. if you run 3.x versions with extra debug - eg radiusd -fxxx -lstdout (note, 3 x's, not one or 2) you will see the yellow WARNING messages for each incantation where & should be present. alan
participants (6)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Brian Candler -
Phil Mayers -
TJ2718 -
tj2718@aol.com