OpenLdap + Freeradius on centos 6.5 Not working
Hi All, I guess this may be a very repetitive question but I stuck in configuring openldap+freeradius setup on centos 6.5 My FreeRadius settings is as below ++++++++++++++++++++++++++++++++++++ authorize { preprocess ldap { ok = return } } authenticate { Auth-Type LDAP { ldap } Auth-Type PAP { pap } } +++++++++++++++++++++++++++++++++++++++++ And when I try to make connection from Supplicant to this Radius Server, in log , I am flooded with message " *ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user*" But when I probe Radius Server directly using radtest or any othe tool, I got below logs. ++++++++++++++++++++++++++++++++++++++++++++++++ [ldap] login attempt by "radtest" with password "XXXXX" [ldap] user DN: uid=radtest,ou=People,dc=xxxx,dc=local [ldap] (re)connect to 127.0.0.1:389, authentication 1 [ldap] bind as uid=radtest,ou=People,dc=xxxx,dc=local/redhat to 127.0.0.1:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] user radtest authenticated succesfully ++[ldap] returns ok WARNING: Empty post-auth section. Using default return values. ++++++++++++++++++++++++ Please let me know if I am doing anything wrong here -- Regards, Vishesh Kumar
'Please let me know if I am doing anything wrong here' Yes. You're not looking at the debug log for when it's failing from the client. You gave us the basic results from the radtest (which is PAP) . look at the logs for when your client is failing. If you cannot proceed yourself then post those logs to the list for help. Likely that either your ldap isn't supporting the password method or that you haven't used the right ldap/radius attribute maps alan
Thanks for your response Alan, below are the logs I am getting in case of failure, ++++++++++++++++++++ rad_recv: Access-Request packet from host 10.0.30.51 port 52267, id=241, length=174 User-Name = "radtest" NAS-IP-Address = 10.0.30.51 NAS-Identifier = "24a43ce6fc81" NAS-Port = 0 Called-Station-Id = "2E-A4-3C-E7-FC-81:XXXX_Mgmt" Calling-Station-Id = "AC-38-70-99-E4-XX" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x027e000c0172616474657374 Message-Authenticator = 0xc9d515710f90d967171e7bff8e9b4d7d # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [ldap] performing user authorization for radtest [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for detail s [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> radtest [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=radtest) [ldap] expand: ou=people,dc=xxxx,dc=local -> ou=people,dc=xxxx,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 127.0.0.1:389, authentication 0 [ldap] bind as / to 127.0.0.1:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in ou=people,dc=xxxx,dc=local, with filter (uid=radt est) [ldap] checking if remote access for radtest is allowed by uid [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "10" [ldap] radiusTunnelMediumType -> Tunnel-Medium-Type:0 = 802 [ldap] radiusTunnelType -> Tunnel-Type:0 = VLAN WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user radtest authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested ac tion. Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 241 to 10.0.30.51 port 52267 Tunnel-Private-Group-Id:0 = "10" Tunnel-Medium-Type:0 = 802 Tunnel-Type:0 = VLAN Waking up in 4.9 seconds. Cleaning up request 0 ID 241 with timestamp +17 Ready to process requests. +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Mapping is done as below #cat /etc/raddb/ldap.attrmap checkItem User-Password userPassword replyItem Tunnel-Type radiusTunnelType replyItem Tunnel-Medium-Type radiusTunnelMediumType replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId Thanks Vishesh Kumar On Thu, May 14, 2015 at 3:14 PM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
'Please let me know if I am doing anything wrong here'
Yes. You're not looking at the debug log for when it's failing from the client. You gave us the basic results from the radtest (which is PAP) . look at the logs for when your client is failing. If you cannot proceed yourself then post those logs to the list for help. Likely that either your ldap isn't supporting the password method or that you haven't used the right ldap/radius attribute maps
alan
-- Regards, Vishesh Kumar http://linuxmantra.com
[ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "10" [ldap] radiusTunnelMediumType -> Tunnel-Medium-Type:0 = 802 [ldap] radiusTunnelType -> Tunnel-Type:0 = VLAN WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
In your LDAP, where is your password configured, I.e. Which attribute contains the password? An ldapsearch query may tell you. I suggest you do an ldapsearch for your user and see which attributes it returns. Then adjust ldap.attrmap (as below) to map the appropriate attribute to make it work.
#cat /etc/raddb/ldap.attrmap
checkItem User-Password userPassword replyItem Tunnel-Type radiusTunnelType replyItem Tunnel-Medium-Type radiusTunnelMediumType replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId
That's the default in FR 2.x AFAIK. Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc¹s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
Thanks for response Stefan. In OpenLdap *userPassword *attribute contains the password. Thanks Vishesh Kumar On Thu, May 14, 2015 at 4:29 PM, Stefan Paetow <Stefan.Paetow@jisc.ac.uk> wrote:
[ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "10" [ldap] radiusTunnelMediumType -> Tunnel-Medium-Type:0 = 802 [ldap] radiusTunnelType -> Tunnel-Type:0 = VLAN WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
In your LDAP, where is your password configured, I.e. Which attribute contains the password? An ldapsearch query may tell you. I suggest you do an ldapsearch for your user and see which attributes it returns. Then adjust ldap.attrmap (as below) to map the appropriate attribute to make it work.
#cat /etc/raddb/ldap.attrmap
checkItem User-Password userPassword replyItem Tunnel-Type radiusTunnelType replyItem Tunnel-Medium-Type radiusTunnelMediumType replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId
That's the default in FR 2.x AFAIK.
Stefan Paetow Moonshot Industry & Research Liaison Coordinator
t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc¹s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Regards, Vishesh Kumar http://linuxmantra.com
Hi,
below are the logs I am getting in case of failure,
this is an EAP packet..... therefore you need to be in the inner-tunnel before you have any visibility of the password..... so you cannot check/auth in the outer-tunnel - this is one of those cases where you will likely need to set the Auth-Type to LDAP manually (in users file or via unlang) to ensure that the process continues and the server carries on into the inner-tunnel. alan
Thanks Alan, Let me configure EAP then, Thanks Vishesh Kumar On Thu, May 14, 2015 at 6:34 PM, <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
below are the logs I am getting in case of failure,
this is an EAP packet..... therefore you need to be in the inner-tunnel before you have any visibility of the password..... so you cannot check/auth in the outer-tunnel - this is one of those cases where you will likely need to set the Auth-Type to LDAP manually (in users file or via unlang) to ensure that the process continues and the server carries on into the inner-tunnel.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Regards, Vishesh Kumar http://linuxmantra.com
I am still struggling with below errors , WARNING: No "known good" password was found in LDAP. ............................... .................................................... ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the u ser Failed to authenticate the user. Using Post-Auth-Type Reject WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action. Below is my Default configuration Now +++++++++++++++++++++ authorize { preprocess ldap mschap } authenticate { Auth-Type LDAP{ ldap } mschap eap } ++++++++++++++++++++++++++++++++++++++++++ Below is my inner-tunnel configuration, ++++++++++++++++++++++++++++++ server inner-tunnel { listen { ipaddr = 127.0.0.1 port = 18120 type = auth } authorize { chap mschap suffix update control { Proxy-To-Realm := LOCAL } files ldap expiration logintime pap } authenticate { Auth-Type PAP { ldap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix Auth-Type LDAP { ldap } eap } session { radutmp } post-auth { Post-Auth-Type REJECT { attr_filter.access_reject } } +++++++++++++++++++++++++++++++++++++++++++++++++ I don't know what mistake I am doing here. Thanks Vishesh Kumar On Fri, May 15, 2015 at 2:20 PM, Vishesh kumar <linuxtovishesh@gmail.com> wrote:
Thanks Alan,
Let me configure EAP then,
Thanks Vishesh Kumar
On Thu, May 14, 2015 at 6:34 PM, <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
below are the logs I am getting in case of failure,
this is an EAP packet..... therefore you need to be in the inner-tunnel before you have any visibility of the password..... so you cannot check/auth in the outer-tunnel - this is one of those cases where you will likely need to set the Auth-Type to LDAP manually (in users file or via unlang) to ensure that the process continues and the server carries on into the inner-tunnel.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Regards, Vishesh Kumar http://linuxmantra.com
-- Regards, Vishesh Kumar http://linuxmantra.com
On May 15, 2015, at 7:35 AM, Vishesh kumar <linuxtovishesh@gmail.com> wrote:
I am still struggling with below errors ,
WARNING: No "known good" password was found in LDAP.
Read the messages BEFORE that one. FreeRADIUS prints out the LDAP query it's using. You can run the same query manually, to see what is being returned from the LDAP server. Odds are that the query is wrong. And therefore returning the wrong data (or no data), which doesn't include a password. Or, the LDAP server is Active Directory. In which case you have to use ntlm_auth for authentication. Alan DeKok.
Thanks for response Alan, No My LDAP is not AD it is openldap 2.4, and below response I am geeting ++++++++++++++++++++++++++++++++++++++++++++++++ [ldap] performing user authorization for radtest [ldap] expand: (uid=%u) -> (uid=radtest) [ldap] expand: dc=xxxx,dc=local -> dc=xxxx,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 127.0.0.1:389, authentication 0 [ldap] bind as / to 127.0.0.1:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=xxxx,dc=local, with filter (uid=radtest) [ldap] checking if remote access for radtest is allowed by uid [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "10" [ldap] radiusTunnelMediumType -> Tunnel-Medium-Type:0 = 802 [ldap] radiusTunnelType -> Tunnel-Type:0 = VLAN WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? ++++++++++++++++++++++++++++ While is conf of ldap is below, # vi /etc/raddb/modules/ldap ldap { server = "127.0.0.1" basedn = "dc=xxxx,dc=local" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" start_tls = no profile_attribute = "radiusprofile" access_attr = "uid" dictionary_mapping = ${raddbdir}/ldap.attrmap timeout = 120 timelimit = 50 net_timeout = 40 set_auth_type = no password_header = "{SSHA}" password-attribute = userPassword } +++++++++++++++++++++++++++++++++++++++++++ I am able to execute ldapsearch command successfully, with username/password and anonymously as well. Thanks Vishesh Kumar On Fri, May 15, 2015 at 5:51 PM, Alan DeKok <aland@deployingradius.com> wrote:
On May 15, 2015, at 7:35 AM, Vishesh kumar <linuxtovishesh@gmail.com> wrote:
I am still struggling with below errors ,
WARNING: No "known good" password was found in LDAP.
Read the messages BEFORE that one. FreeRADIUS prints out the LDAP query it's using. You can run the same query manually, to see what is being returned from the LDAP server.
Odds are that the query is wrong. And therefore returning the wrong data (or no data), which doesn't include a password.
Or, the LDAP server is Active Directory. In which case you have to use ntlm_auth for authentication.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Regards, Vishesh Kumar http://linuxmantra.com
On May 15, 2015, at 9:22 AM, Vishesh kumar <linuxtovishesh@gmail.com> wrote:
No My LDAP is not AD it is openldap 2.4, and below response I am getting
What I said was: Read the messages BEFORE that one. FreeRADIUS prints out the LDAP query it's using. You can run the same query manually, to see what is being returned from the LDAP server. I did NOT say: Post the post the query here, because I intend to do all of your work for you. What part of the email was unclear? YOU have access to your LDAP server. I don't. YOU need to compare the LDAP queries to see what the differences are. YOU need to copy the LDAP query printed by FreeRADIUS, and run it manually, to see what LDAP returns. YOU need to see if that output is what you expect. YOU need to fix the LDAP queries to be correct.
While is conf of ldap is below,
I didn't ask for that. Because it's useless. You're doing everything EXCEPT following instructions.
I am able to execute ldapsearch command successfully, with username/password and anonymously as well.
Did you try running the LDAP query that FreeRADIUS prints out? No. Probably because I asked you to, and you don't think it's relevant. Well, it is relevant. Do it. Now. Alan DeKok.
I think my EAP setup is faulty and Supplicant sending EAP authentication request. Let me correct the setup first. Thanks Vishesh Kumar On Fri, May 15, 2015 at 5:05 PM, Vishesh kumar <linuxtovishesh@gmail.com> wrote:
I am still struggling with below errors ,
WARNING: No "known good" password was found in LDAP. ............................... .................................................... ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the u ser Failed to authenticate the user. Using Post-Auth-Type Reject WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action.
Below is my Default configuration Now +++++++++++++++++++++ authorize { preprocess ldap mschap } authenticate { Auth-Type LDAP{ ldap } mschap eap } ++++++++++++++++++++++++++++++++++++++++++
Below is my inner-tunnel configuration, ++++++++++++++++++++++++++++++ server inner-tunnel { listen { ipaddr = 127.0.0.1 port = 18120 type = auth } authorize { chap mschap suffix update control { Proxy-To-Realm := LOCAL } files ldap expiration logintime pap } authenticate { Auth-Type PAP { ldap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix Auth-Type LDAP { ldap } eap } session { radutmp } post-auth { Post-Auth-Type REJECT { attr_filter.access_reject } } +++++++++++++++++++++++++++++++++++++++++++++++++
I don't know what mistake I am doing here.
Thanks Vishesh Kumar
On Fri, May 15, 2015 at 2:20 PM, Vishesh kumar <linuxtovishesh@gmail.com> wrote:
Thanks Alan,
Let me configure EAP then,
Thanks Vishesh Kumar
On Thu, May 14, 2015 at 6:34 PM, <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
below are the logs I am getting in case of failure,
this is an EAP packet..... therefore you need to be in the inner-tunnel before you have any visibility of the password..... so you cannot check/auth in the outer-tunnel - this is one of those cases where you will likely need to set the Auth-Type to LDAP manually (in users file or via unlang) to ensure that the process continues and the server carries on into the inner-tunnel.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Regards, Vishesh Kumar http://linuxmantra.com
-- Regards, Vishesh Kumar http://linuxmantra.com
-- Regards, Vishesh Kumar http://linuxmantra.com
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan Buxey -
Alan DeKok -
Stefan Paetow -
Vishesh kumar