WPA Enterprise with Radius assigned VLAN from LDAP (Samba Active Directory)
Hello everybody, I successfully got Freeradius running for WPA Enterprise with Samba Active Diretory. OS: Debian Buster FreeRADIUS Version: 3.0.17 The /etc/freeradius/3.0/mods-available/ntlm_auth looks like this: exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=HOME --username=%{mschap:User-Name} --password=%{User-Password}" } Now I would also like to perform a VLAN assignment based on groups of the user in the AD. First my question: Is this in the post-auth over LDAP possible? For this I have setup in the LDAP config (/etc/freeradius/3.0/mods-available/ldap): ldap { server = "pdc.home.uhlmann.world" port = 389 identity = "cn=radius-auth,cn=users,DC=home,DC=uhlmann,DC=world" password = << secret password >> basedn = "CN=Users,DC=home,DC=uhlmann,DC=world" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" tls { start_tls = no } group { base_dn = "CN=Users,DC=home,DC=uhlmann,DC=world" name_attribute = cn membership_filter = "(|(member=%{control:Ldap-UserDn})(memberOf=%{%{Stripped-User-Name}:-%{User-Name}}))" membership_attribute = 'memberOf' } options { chase_referrals = no rebind = yes timeout = 10 timelimit = 3 net_timeout = 1 idle = 60 probes = 3 interval = 3 ldap_debug = 0x0028 } } In /etc/freeradius/3.0/sites-enabled/default I configured the following in the post-auth section: ldap if (LDAP-Group == "wlan-gast") { update reply { Tunnel-type = VLAN Tunnel-medium-type = IEEE-802 Tunnel-Private-Group-Id = 851 } } elsif (LDAP-Group == "wlan-kinder") { update reply { Tunnel-type = VLAN Tunnel-medium-type = IEEE-802 Tunnel-Private-Group-Id = 999 } } else { update reply { Tunnel-type = VLAN Tunnel-medium-type = IEEE-802 Tunnel-Private-Group-Id = 999 } } Unfortunately, the assignment to the VLAN 999 always takes place, the following can be seen in the debug output: (8) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (8) post-auth { (8) update { (8) No attributes updated (8) } # update = noop (8) [ldap] = noop (8) if (LDAP-Group == "wlan-gast") { (8) Searching for user in group "wlan-gast" rlm_ldap (ldap): Reserved connection (2) (8) Performing unfiltered search in "", scope "sub" (8) Waiting for search result... (8) The specified DN wasn't found (8) Search returned no results rlm_ldap (ldap): Released connection (2) (8) if (LDAP-Group == "wlan-gast") -> FALSE (8) elsif (LDAP-Group == "wlan-kinder") { (8) Searching for user in group "wlan-kinder" rlm_ldap (ldap): Reserved connection (3) (8) Performing unfiltered search in "", scope "sub" (8) Waiting for search result... (8) The specified DN wasn't found (8) Search returned no results rlm_ldap (ldap): Released connection (3) (8) elsif (LDAP-Group == "wlan-kinder") -> FALSE (8) else { (8) update reply { (8) Tunnel-type = VLAN (8) Tunnel-medium-type = IEEE-802 (8) Tunnel-Private-Group-Id = 999 (8) } # update reply = noop (8) } # else = noop (8) [exec] = noop (8) policy remove_reply_message_if_eap { (8) if (&reply:EAP-Message && &reply:Reply-Message) { (8) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (8) else { (8) [noop] = noop (8) } # else = noop (8) } # policy remove_reply_message_if_eap = noop (8) } # post-auth = noop (8) Login OK: [testgast/<via Auth-Type = eap>] (from client unifi port 0 cli 48-BF-6B-47-56-EC) (8) Sent Access-Accept Id 156 from 192.168.127.37:1812 to 192.168.127.197:54036 length 0 (8) MS-MPPE-Recv-Key = 0xdb66ce7a4780f479ecba8643b5408656d13b0affd455c45cc0598fb495e3815f (8) MS-MPPE-Send-Key = 0x02dd275fc9cd169117139666b81da0fb40b3e280174c546b15de84688cb91d91 (8) EAP-Message = 0x03540004 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) User-Name = "testgast" (8) Tunnel-Type = VLAN (8) Tunnel-Medium-Type = IEEE-802 (8) Tunnel-Private-Group-Id = "999" (8) Finished request (In the appendix again the complete debug.log) As you can see, freeradius does not seem to search correctly in LDAP. Running a mnauelles with ldapsearch (as stated here https://github.com/FreeRADIUS/freeradius-server/blob/master/raddb/mods-avail...) comes to the following result: ldapsearch -D cn=radius-auth,cn=users,DC=home,DC=uhlmann,DC=world -w << secret password >> -h pdc.home.uhlmann.world -b 'CN=Users,DC=home,DC=uhlmann,DC=world' '(&(objectClass=user)(sAMAccountName=testgast)(memberOf=CN=wlan-gast,CN=Users,DC=home,DC=uhlmann,DC=world))' # extended LDIF # # LDAPv3 # base <CN=Users,DC=home,DC=uhlmann,DC=world> with scope subtree # filter: (&(objectClass=user)(sAMAccountName=testgast)(memberOf=CN=wlan-gast,CN=Users,DC=home,DC=uhlmann,DC=world)) # requesting: ALL # # testgast, Users, home.uhlmann.world dn: CN=testgast,CN=Users,DC=home,DC=uhlmann,DC=world objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: testgast givenName: testgast instanceType: 4 whenCreated: 20190216205554.0Z displayName: testgast uSNCreated: 13776 name: testgast objectGUID:: bd40XvQpbkSeX5icQ6HMwQ== badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 0 lastLogoff: 0 lastLogon: 0 primaryGroupID: 513 objectSid:: AQUAAAAAAAUVAAAA0HcQPtkCCXK+0rCrrgUAAA== accountExpires: 9223372036854775807 logonCount: 0 sAMAccountName: testgast sAMAccountType: 805306368 userPrincipalName: testgast@home.uhlmann.world objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=home,DC=uhlmann,DC=wor ld userAccountControl: 66048 memberOf: CN=wlan-gast,CN=Users,DC=home,DC=uhlmann,DC=world pwdLastSet: 131971360575227260 lockoutTime: 0 lastLogonTimestamp: 131971360685327730 whenChanged: 20190315150748.0Z uSNChanged: 14549 distinguishedName: CN=testgast,CN=Users,DC=home,DC=uhlmann,DC=world # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 Can someone tell me if this is what I intend and possibly where my mistake lies? Thanks and Regards Christian
On Mar 17, 2019, at 10:06 AM, Christian Uhlmann <christian@uhlmann.it> wrote:
I successfully got Freeradius running for WPA Enterprise with Samba Active Diretory.
That's good.
Now I would also like to perform a VLAN assignment based on groups of the user in the AD.
First my question: Is this in the post-auth over LDAP possible?
Yes.
For this I have setup in the LDAP config (/etc/freeradius/3.0/mods-available/ldap): ... membership_filter = "(|(member=%{control:Ldap-UserDn})(memberOf=%{%{Stripped-User-Name}:-%{User-Name}}))"
That's may be wrong. It should likely be: membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))" The default config in 3.0.18, which has more documentation on AD interaction. The above string is likely in the default config for 3.0.17 , too.
Can someone tell me if this is what I intend and possibly where my mistake lies?
If you configure it as documented, it should work. If the "ldapsearch" works, then FreeRADIUS should work. If it doesn't work, I'd blame AD. Most LDAP servers don't have these problems. Only AD. :( Alan DeKok.
Hello Alan, Thank you for the info. Am 17.03.2019 um 15:13 schrieb Alan DeKok:
That's may be wrong. It should likely be:
membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
I have changed the setting as specified by you, unfortunately it does not work anyway.
If it doesn't work, I'd blame AD.
I would like to continue analyzing, even if my problem here on the list has nothing to do now. I think from the debug this area is where the error happens: (9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0x01b98a12064b9307 (9) eap: Finished EAP session with state 0x01b98a12064b9307 (9) eap: Previous EAP request found for state 0x01b98a12064b9307, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: Continuing EAP-TLS (9) eap_peap: [eaptls verify] = ok (9) eap_peap: Done initial handshake (9) eap_peap: [eaptls process] = ok (9) eap_peap: session established. Decoding tunneled attributes (9) eap_peap: PEAP state send tlv success (9) eap_peap: Received EAP-TLV response (9) eap_peap: Success (9) eap: Sending EAP Success (code 3) ID 242 length 4 (9) eap: Freeing handler (9) [eap] = ok (9)} # authenticate = ok (9) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (9) post-auth { (9) update { (9) No attributes updated (9)} # update = noop (9) [ldap] = noop (9) if (LDAP-Group == "wlan-guest") { (9) Searching for user in group "wlan-guest" rlm_ldap (ldap): Reserved connection (2) (9) Performing unfiltered search in "", scope "sub" (9) Waiting for search result ... (9) The specified DN was not found (9) Search returned no results rlm_ldap (ldap): Released connection (2) (9) if (LDAP-Group == "wlan-guest") -> FALSE (9) elsif (ldap-group == "wlan-kinder") { (9) Searching for user in group "wlan-children" rlm_ldap (ldap): Reserved connection (3) (9) Performing unfiltered search in "", scope "sub" (9) Waiting for search result ... (9) The specified DN was not found (9) Search returned no results rlm_ldap (ldap): Released connection (3) (9) elsif (ldap-group == "wlan-kinder") -> FALSE (9) else { (9) update reply { (9) tunnel-type = VLAN (9) tunnel-medium-type = IEEE-802 (9) tunnel private group id = 999 (9)} # update reply = noop (9)} # else = noop (9) [exec] = noop (9) policy remove_reply_message_if_eap { (9) if (& reply: EAP-Message && & reply: Reply-Message) { (9) if (& reply: EAP-Message && & reply: Reply-Message) -> FALSE (9) else { (9) [noop] = noop (9)} # else = noop (9)} # policy remove_reply_message_if_eap = noop (9)} # post-auth = noop (9) Login OK: [testgast / <via Auth-Type = eap>] (from client unifi port 0 cli 48-BF-6B-47-56-EC) (9) Sent Access-Accept Id 227 from 192.168.127.37:1812 to 192.168.127.197:54036 length 0 (9) MS-MPPE-Recv-Key = 0x19a77ae380df1d5293501b8c1c2c8d36212dd5c98e1019f9ba1a6b26c66a3d7e (9) MS-MPPE Send Key = 0x7a6ccc2807ea006f4bb39a6080f462b71c9831ee5cc9e54607452273cdafeebd (9) EAP message = 0x03f20004 (9) Message Authenticator = 0x00000000000000000000000000000000 (9) User name = "test guest" (9) Tunnel Type = VLAN (9) Tunnel Medium Type = IEEE-802 (9) Tunnel private group id = "999" (9) Finished request Particularly: "Performing unfiltered search in" ", scope" sub "" or the entire block: rlm_ldap (ldap): Reserved connection (3) (9) Performing unfiltered search in "", scope "sub" (9) Waiting for search result ... (9) The specified DN was not found (9) Search returned no results Should not something stand here which has relation to my ldap config? How can I view the LDAP request in more detail here? Are there any more debug possibilities. Thanks and Greetings Christian
On Mar 21, 2019, at 4:48 PM, Christian Uhlmann <christian@uhlmann.it> wrote:
I would like to continue analyzing, even if my problem here on the list has nothing to do now. I think from the debug this area is where the error happens:
Ok...
... (9) Performing unfiltered search in "", scope "sub"
That isn't what's in the default configuration.
Particularly: "Performing unfiltered search in" ", scope" sub ""
Yes.
Should not something stand here which has relation to my ldap config?
Yes. The ldap module configuration is broken. Fix it. The default ldap module configuration has *something*. Not " ". So it was edited on your machine, and now it doesn't work. Read the debug log to see which file it's using for the ldap module configuration. Then, fix that file.
How can I view the LDAP request in more detail here? Are there any more debug possibilities.
No. The ldap module configuration is broken. Alan DeKok.
Am 21.03.2019 um 21:52 schrieb Alan DeKok:
Should not something stand here which has relation to my ldap config?
Yes. The ldap module configuration is broken. Fix it.
The default ldap module configuration has *something*. Not " ". So it was edited on your machine, and now it doesn't work. Thanks for the right hint. After I loaded the current default config from github and entered my values, everything works as expected.
participants (2)
-
Alan DeKok -
Christian Uhlmann