I am tring to get freeradius working with ldap. The ldap server is on the same LAN as the RADIUS server. The local user test works. I have configured all files I can think are pertinent. In debug mode, I get: root#> freeradius -X .... .... } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. ----- In another terminal window I enter: root#> radtest username@mydomain.com "PASSWORD" 192.168.10.14 0 sharedsecret ending Access-Request of id 231 to 192.168.10.14 port 1812 User-Name = "username@domain.com" User-Password = "PASSWORD" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Sending Access-Request of id 231 to 192.168.10.14 port 1812 User-Name = "username@domain.com" User-Password = "PASSWORD" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Sending Access-Request of id 231 to 192.168.10.14 port 1812 User-Name = "username@domain.com" User-Password = "PASSWORD" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 radclient: no response from server for ID 231 socket 3 ----- I get no output in the freeradius -X terminal window. I get no info in /var/log/freeradius. What am I missing? It won't complain and it won't work. --
On 06/21/2013 04:21 PM, Julian Macassey wrote:
I am tring to get freeradius working with ldap.
The ldap server is on the same LAN as the RADIUS server.
The local user test works.
I have configured all files I can think are pertinent.
In debug mode, I get:
root#> freeradius -X .... .... } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests.
----- In another terminal window I enter: root#> radtest username@mydomain.com "PASSWORD" 192.168.10.14 0 sharedsecret
ending Access-Request of id 231 to 192.168.10.14 port 1812 User-Name = "username@domain.com" User-Password = "PASSWORD" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Sending Access-Request of id 231 to 192.168.10.14 port 1812 User-Name = "username@domain.com" User-Password = "PASSWORD" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Sending Access-Request of id 231 to 192.168.10.14 port 1812 User-Name = "username@domain.com" User-Password = "PASSWORD" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 radclient: no response from server for ID 231 socket 3
-----
I get no output in the freeradius -X terminal window. I get no info in /var/log/freeradius.
What am I missing? It won't complain and it won't work.
You've failed to provide the complete debug output, something which is stated as being required nearly every day on this list. This means we can't see how you've configured things, all that is in the debug output which you failed to provide. But I'll go out on a limb assume you configured the ldap module correctly and suggest you look at your firewall and make sure your ldap ports are open on both nodes. John
On 2013-06-21 at 16:34, John Dennis (jdennis@redhat.com) wrote:
What am I missing? It won't complain and it won't work.
You've failed to provide the complete debug output, something which is stated as being required nearly every day on this list. This means we can't see how you've configured things, all that is in the debug output which you failed to provide.
Here you go: FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Sep 24 2012 at 17:58:57 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/ldap-orig including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = yes auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "d1sc0verplum" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "d1sc0verplum" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } verify { } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { # from file /etc/freeradius/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/freeradius/modules/digest Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/freeradius/modules/detail detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests.
The radius server is not seeing any client requests and your client is not getting a response from the server, either you've got the wrong address for the radius server or more likely your firewall is block their communication, this has nothing to do with ldap. Also, I don't see the rlm_ldap module being configured in the output you sent. John
On 2013-06-21 at 16:48, John Dennis (jdennis@redhat.com) wrote:
The radius server is not seeing any client requests and your client is not getting a response from the server, either you've got the wrong address for the radius server or more likely your firewall is block their communication, this has nothing to do with ldap.
The LDAP and RADIUS servers are virtual machines on the same LAN. I can ssh from from the RADIUS server to the ldap server which authenticates me via ldap. With my RADIUS test I am using my ldap username and password.
Also, I don't see the rlm_ldap module being configured in the output you sent.
I have configured /etc/freeradius/modules/ldap ----- ldap { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "plumgrid-ldap1" #identity = "cn=admin,o=My Org,c=UA" #password = mypass basedn = "o=PLUMGRID,c=UA" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" #base_filter = "(objectclass=radiusprofile)" (This is an ubuntu 12.04 machine). -- "They: The makers of the Constitution: conferred, as against the government, the right to be let alone -- the most comprehensive of rights and the right most valued by civilized men." - Justice Louis D. Brandeis
On 06/21/2013 04:34 PM, John Dennis wrote:
On 06/21/2013 04:21 PM, Julian Macassey wrote:
I am tring to get freeradius working with ldap.
The ldap server is on the same LAN as the RADIUS server.
The local user test works.
I have configured all files I can think are pertinent.
In debug mode, I get:
root#> freeradius -X .... .... } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests.
----- In another terminal window I enter: root#> radtest username@mydomain.com "PASSWORD" 192.168.10.14 0 sharedsecret
ending Access-Request of id 231 to 192.168.10.14 port 1812 User-Name = "username@domain.com" User-Password = "PASSWORD" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Sending Access-Request of id 231 to 192.168.10.14 port 1812 User-Name = "username@domain.com" User-Password = "PASSWORD" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Sending Access-Request of id 231 to 192.168.10.14 port 1812 User-Name = "username@domain.com" User-Password = "PASSWORD" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 radclient: no response from server for ID 231 socket 3
-----
I get no output in the freeradius -X terminal window. I get no info in /var/log/freeradius.
What am I missing? It won't complain and it won't work.
You've failed to provide the complete debug output, something which is stated as being required nearly every day on this list. This means we can't see how you've configured things, all that is in the debug output which you failed to provide.
But I'll go out on a limb assume you configured the ldap module correctly and suggest you look at your firewall and make sure your ldap ports are open on both nodes.
Looking at this more carefully also make sure port 1812 is open
On 2013-06-21 at 16:41, John Dennis (jdennis@redhat.com) wrote:
Looking at this more carefully also make sure port 1812 is open
That was my first guess. I asked the guy who set up the servers if they were open and he assured me they were. But my tests, just re-tried, show that 1812 is not open. I will pursue that avenue for the time being. Thanks for the help.
Hi, You have 2 modules ldap, one is ldap and the other is including configuration file /etc/freeradius/modules/ldap-orig Put /etc/freeradius/modules/ldap-orig out of modules directory. The dns goes right? I'll put the ldap server's ip instead of name. 2013/6/21 Julian Macassey <julian@tele.com>
On 2013-06-21 at 16:41, John Dennis (jdennis@redhat.com) wrote:
Looking at this more carefully also make sure port 1812 is open
That was my first guess. I asked the guy who set up the servers if they were open and he assured me they were.
But my tests, just re-tried, show that 1812 is not open.
I will pursue that avenue for the time being. Thanks for the help.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- -- Un saludo. ____________________ Roberto Ortega Profesor de Informática. http://www.proyectoret.es Escuelas San José Valencia Avd.Cortes Valencianas nº1 46015 Valencia R4600489A Tf:963499011 ext. 262 Fax:963488835 http://www.escuelassj.com No imprimas este correo si no es necesario. Protejamos el medio ambiente.
On 2013-06-22 at 01:23, Roberto Ortega Ramiro (roberto.ortega@esj.es) wrote:
Hi, You have 2 modules ldap, one is ldap and the other is including configuration file /etc/freeradius/modules/ldap-orig Put /etc/freeradius/modules/ldap-orig out of modules directory.
Done. As per the docs, and common practice, I keep an original copy of any configuration file, so should I break anything, I can start again at the beginning.
The dns goes right? I'll put the ldap server's ip instead of name.
Yes, DNS is working and the IP is for the ldap server.
On 21.06.2013 22:21, Julian Macassey wrote:
In another terminal window I enter: root#> radtest username@mydomain.com "PASSWORD" 192.168.10.14 0 sharedsecret
ending Access-Request of id 231 to 192.168.10.14 port 1812 User-Name = "username@domain.com" User-Password = "PASSWORD" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Sending Access-Request of id 231 to 192.168.10.14 port 1812 User-Name = "username@domain.com" User-Password = "PASSWORD" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Sending Access-Request of id 231 to 192.168.10.14 port 1812 User-Name = "username@domain.com" User-Password = "PASSWORD" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 radclient: no response from server for ID 231 socket 3
in your config you didn't configure any other client than 127.0.0.1 you're sending your request to 192.168.10.14 which mean it's over the network. add a client for the machine on which you run radtest, and it will work. freeradius silently drop packets from unknown client. Olivier -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mail: olivier@heliosnet.org
On 2013-06-22 at 01:20, Olivier Beytrison (olivier@heliosnet.org) wrote:
On 21.06.2013 22:21, Julian Macassey wrote:
in your config you didn't configure any other client than 127.0.0.1 you're sending your request to 192.168.10.14 which mean it's over the network. add a client for the machine on which you run radtest, and it will work.
freeradius silently drop packets from unknown client.
I added in /etc/freeradius/clients.conf: client plumgrid-ldap1 { # # secret and password are mapped through the "secrets" # file. secret = <MYSECRET> shortname = ldap # # the following three fields are optional, but may be # used by # # checkrad.pl for simultaneous usage checks ipaddr = 192.168.10.14 nastype = other ## login = !root # password = someadminpas } ----- When I fire up freeradius: freeradius -X FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Sep 24 2012 at 17:58:57 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/off-ldap-orig including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = yes auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "d1sc0verplum" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client plumgrid-ldap1 { ipaddr = 192.168.10.14 require_message_authenticator = no secret = "d1sc0verplum" shortname = "ldap" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } verify { } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { # from file /etc/freeradius/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/freeradius/modules/digest Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/freeradius/modules/detail detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. ----- I still get: Sending Access-Request of id 94 to 192.168.10.14 port 1812 User-Name = "evergreen@plumgrid.com" User-Password = "evergreen's password" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Sending Access-Request of id 94 to 192.168.10.14 port 1812 User-Name = "evergreen@plumgrid.com" User-Password = "evergreen's password" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Sending Access-Request of id 94 to 192.168.10.14 port 1812 User-Name = "evergreen@plumgrid.com" User-Password = "evergreen's password" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 radclient: no response from server for ID 94 socket 3 -----
On 06/24/2013 12:18 PM, Julian Macassey wrote:
I added in /etc/freeradius/clients.conf:
client plumgrid-ldap1 { # # secret and password are mapped through the "secrets" # file. secret = <MYSECRET> shortname = ldap # # the following three fields are optional, but may be # used by # # checkrad.pl for simultaneous usage checks ipaddr = 192.168.10.14 nastype = other ## login = !root # password = someadminpas }
radiusd: #### Loading Clients #### client plumgrid-ldap1 { ipaddr = 192.168.10.14 require_message_authenticator = no secret = "d1sc0verplum" shortname = "ldap" nastype = "other" }
----- I still get:
Sending Access-Request of id 94 to 192.168.10.14 port 1812 User-Name = "evergreen@plumgrid.com" User-Password = "evergreen's password" NAS-IP-Address = 127.0.1.1 NAS-Port = 0
I don't follow what you're doing. Is your radius server on 192.168.10.14, the same as your client? Because it looks like your sending your access-request to the client, not the server (unless they're both the same box). If they are the same box then make sure port 1812 is open. Also your NAS-IP-Address in your request is not your client address of 192.168.10.14. Also, 127.0.1.1 seems like an odd address, localhost is normally 127.0.0.1, what's in your /etc/hosts file? Also I don't see what this has to do with ldap, nothing as far as I can tell. Also, be careful with making configuration files backups in the config directory, the sever reads everything it finds in the config directory, do you really mean to load /etc/freeradius/modules/off-ldap-orig?
On 2013-06-24 at 13:24, John Dennis (jdennis@redhat.com) wrote:
On 06/24/2013 12:18 PM, Julian Macassey wrote:
I added in /etc/freeradius/clients.conf:
client plumgrid-ldap1 { # # secret and password are mapped through the "secrets" # file. secret = <MYSECRET> shortname = ldap # # the following three fields are optional, but may be # used by # # checkrad.pl for simultaneous usage checks ipaddr = 192.168.10.14 nastype = other ## login = !root # password = someadminpas }
radiusd: #### Loading Clients #### client plumgrid-ldap1 { ipaddr = 192.168.10.14 require_message_authenticator = no secret = "d1sc0verplum" shortname = "ldap" nastype = "other" }
----- I still get:
Sending Access-Request of id 94 to 192.168.10.14 port 1812 User-Name = "evergreen@plumgrid.com" User-Password = "evergreen's password" NAS-IP-Address = 127.0.1.1 NAS-Port = 0
I don't follow what you're doing. Is your radius server on 192.168.10.14, the same as your client?
My radius server is: 192.168.10.16 My ldap server is: 192.168.10.14
Because it looks like your sending your access-request to the client, not the server (unless they're both the same box). If they are the same box then make sure port 1812 is open.
Also your NAS-IP-Address in your request is not your client address of 192.168.10.14.
I note that. But I have that in my /etc/freeradius/clients.conf file: client plumgrid-ldap1 { # # secret and password are mapped through the "secrets" # file. secret = d1sc0verplum shortname = ldap # # the following three fields are optional, but may be # used by # # checkrad.pl for simultaneous usage checks ipaddr = 192.168.10.14 nastype = other ## login = !root # password = someadminpas } -----
Also, 127.0.1.1 seems like an odd address, localhost is normally 127.0.0.1, what's in your /etc/hosts file?
This seems to be an ubuntu oddity. I have modified it 127.0.0.1 localhost plumgrid-radius1.plumgrid.com plumgrid-radius1 #127.0.1.1 plumgrid-radius1.plumgrid.com plumgrid-radius1 Yet, I still get 127.0.1.1 in my freeradius radtest. I can still ping 127.0.1.1 -- plumgrid-radius1:freeradius root#> ping 127.0.1.1 PING 127.0.1.1 (127.0.1.1) 56(84) bytes of data. 64 bytes from 127.0.1.1: icmp_req=1 ttl=64 time=0.032 ms 64 bytes from 127.0.1.1: icmp_req=2 ttl=64 time=0.035 ms -----
Also I don't see what this has to do with ldap, nothing as far as I can tell.
Well, I have a a radius server that I would like to use the ldap server to authenticate. It works using localhost and the users file.
Also, be careful with making configuration files backups in the config directory, the sever reads everything it finds in the config directory, do you really mean to load /etc/freeradius/modules/off-ldap-orig?
I have moved it away. -- "They: The makers of the Constitution: conferred, as against the government, the right to be let alone -- the most comprehensive of rights and the right most valued by civilized men." - Justice Louis D. Brandeis
On 06/24/2013 02:01 PM, Julian Macassey wrote:
I don't follow what you're doing. Is your radius server on 192.168.10.14, the same as your client?
My radius server is: 192.168.10.16
My ldap server is: 192.168.10.14
Because it looks like your sending your access-request to the client, not the server (unless they're both the same box). If they are the same box then make sure port 1812 is open.
I don't know what to say, you've got a lot of misconceptions going on and as far as I can figure you you haven't tried to read the documentation. For starters: You need to send radius requests to the radius server but you're sending them to your ldap server (huh???) radius client != ldap, radius client == nas You need to configure radius to work with ldap, but you haven't done that. You have to uncomment the ldap module from /etc/raddb/sites-enabled/default in the authorize section and also configure your ldap values in /etc/raddb/modules/ldap. You haven't done either of those. I'm afraid I can't help anymore, you need to start helping yourself first, pay attention to what you're doing, don't fail about, start with a vanilla configuration, put it under source control so you can revert, make only one change at a time, change only what you understand, and read the doc, most of it is inside the config files themselves.
Also your NAS-IP-Address in your request is not your client address of 192.168.10.14.
I note that. But I have that in my /etc/freeradius/clients.conf file:
client plumgrid-ldap1 { # # secret and password are mapped through the "secrets" # file. secret = d1sc0verplum shortname = ldap # # the following three fields are optional, but may be # used by # # checkrad.pl for simultaneous usage checks ipaddr = 192.168.10.14 nastype = other ## login = !root # password = someadminpas } -----
Also, 127.0.1.1 seems like an odd address, localhost is normally 127.0.0.1, what's in your /etc/hosts file?
This seems to be an ubuntu oddity.
I have modified it
127.0.0.1 localhost plumgrid-radius1.plumgrid.com plumgrid-radius1 #127.0.1.1 plumgrid-radius1.plumgrid.com plumgrid-radius1
Yet, I still get 127.0.1.1 in my freeradius radtest.
I can still ping 127.0.1.1
-- plumgrid-radius1:freeradius root#> ping 127.0.1.1 PING 127.0.1.1 (127.0.1.1) 56(84) bytes of data. 64 bytes from 127.0.1.1: icmp_req=1 ttl=64 time=0.032 ms 64 bytes from 127.0.1.1: icmp_req=2 ttl=64 time=0.035 ms -----
Also I don't see what this has to do with ldap, nothing as far as I can tell.
Well, I have a a radius server that I would like to use the ldap server to authenticate. It works using localhost and the users file.
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
John Dennis -
Julian Macassey -
Olivier Beytrison -
Roberto Ortega Ramiro