Yet another Freeradius+openldap eap-ttls pap issue
Hi there, this is my first post on the list and It's always a shame to start with a problem :) . I woul like to implement a freeradius authentication server that uses openldap as backend and supports both pap authentication (for the VPN client) and eap -ttls pap for the wi-fi lan. I think I've successfullyconfigured freeradius for the pap authentication with openldap since the radtest returns ok. In the ldap module I've also enabled the groupcheck since in my company they want to restrict vpn access through ldap group membership. This works great. To to this I've removed the comment from the groupcheck and added to the user file thinks like this: 188:DEFAULT LDAP-Group=="vpntest" 189: Reply-Message="Test per VPN", 190: Class="vpntest", 191: Fall-Through = Yes is this ugly? My company does not want to add radiuschema to the users. Ok now just forget for the small OT and let's focus on the real problem. These are the configs: root@ldap:/etc/freeradius# egrep -v '(#|^\s*$)' modules/ldap ldap { server = "test-ldap.newenergygroup.com" identity = "cn=admin,dc=newenergygroup,dc=com" password = XXXXXXXXX basedn = "dc=newenergygroup,dc=com" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" password_attribute = userPassword ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" groupmembership_attribute = radiusGroupName } egrep -v '(#|^\s*$)' sites-enabled/default authorize { preprocess chap mschap suffix eap { ok = return } files ldap expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix Auth-Type LDAP { ldap } root@ldap:/etc/freeradius# egrep -v '(#|^\s*$)' eap.conf eap { default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 md5 { } leap { } gtc { auth_type = PAP } tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_password = whatever private_key_file = ${certdir}/server.key certificate_file = ${certdir}/server.pem CA_file = ${cadir}/ca.pem dh_file = ${certdir}/dh random_file = ${certdir}/random cipher_list = "DEFAULT" make_cert_command = "${certdir}/bootstrap" cache { enable = no max_entries = 255 } } ttls { default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } peap { default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } mschapv2 { } } I'm testing the eap eapol_test -c eap_pool_test_config -a 127.0.0.1 -p 1812 -s testing123 -r1 and the config is: network={ eap=TTLS ssid="example" eapol_flags=0 key_mgmt=WPA-EAP identity="atest" password="atest" #ca_cert="/etc/freeradius/certs/ccaa.pem" phase2="auth=PAP" } the debug from radius is: rad_recv: Access-Request packet from host 127.0.0.1 port 33653, id=0, length=118 User-Name = "atest" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200000a016174657374 Message-Authenticator = 0xf57a3eb5217b5475fcd4acf2ab929c6c +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "atest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 10 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [ldap] Entering ldap_groupcmp() [files] expand: dc=newenergygroup,dc=com -> dc=newenergygroup,dc=com [files] expand: %{Stripped-User-Name} -> [files] ... expanding second conditional [files] expand: %{User-Name} -> atest [files] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=atest) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to test-ldap.newenergygroup.com:389, authentication 0 [ldap] bind as cn=admin,dc=newenergygroup,dc=com/Ld4pPa$$w0rD to test-ldap.newenergygroup.com:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=newenergygroup,dc=com, with filter (uid=atest) [ldap] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=newenergygroup,dc=com, with filter (&(cn=vpnfullaccess)(|(&(objectClass=GroupOfNames)(member=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in uid=atest,ou=people,dc=newenergygroup,dc=com, with filter (objectclass=*) rlm_ldap::ldap_groupcmp: ldap_get_values() failed [ldap] ldap_release_conn: Release Id: 0 [ldap] Entering ldap_groupcmp() [files] expand: dc=newenergygroup,dc=com -> dc=newenergygroup,dc=com [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=newenergygroup,dc=com, with filter (&(cn=vpnlowaccess)(|(&(objectClass=GroupOfNames)(member=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in uid=atest,ou=people,dc=newenergygroup,dc=com, with filter (objectclass=*) rlm_ldap::ldap_groupcmp: ldap_get_values() failed [ldap] ldap_release_conn: Release Id: 0 [ldap] Entering ldap_groupcmp() [files] expand: dc=newenergygroup,dc=com -> dc=newenergygroup,dc=com [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=newenergygroup,dc=com, with filter (&(cn=vpntest)(|(&(objectClass=GroupOfNames)(member=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in uid=atest,ou=people,dc=newenergygroup,dc=com, with filter (objectclass=*) rlm_ldap::ldap_groupcmp: ldap_get_values() failed [ldap] ldap_release_conn: Release Id: 0 [ldap] Entering ldap_groupcmp() [files] expand: dc=newenergygroup,dc=com -> dc=newenergygroup,dc=com [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=newenergygroup,dc=com, with filter (&(cn=vpntestadmin)(|(&(objectClass=GroupOfNames)(member=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom)))) rlm_ldap::ldap_groupcmp: User found in group vpntestadmin [ldap] ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 193 ++[files] returns ok [ldap] performing user authorization for atest [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> atest [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=atest) [ldap] expand: dc=newenergygroup,dc=com -> dc=newenergygroup,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=newenergygroup,dc=com, with filter (uid=atest) [ldap] Added User-Password = {MD5}tQzXLan1f4v2iAMD/1t2Ig== in check items [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user atest authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = LDAP +- entering group LDAP {...} [ldap] Attribute "User-Password" is required for authentication. You seem to have set "Auth-Type := LDAP" somewhere. THAT CONFIGURATION IS WRONG. DELETE IT. YOU ARE PREVENTING THE SERVER FROM WORKING PROPERLY. ++[ldap] returns invalid Failed to authenticate the user. Login incorrect: [atest] (from client localhost port 0 cli 02-00-00-00-00-01) Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> atest attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 0 to 127.0.0.1 port 33653 Reply-Message = "Test per VPN ADMIN" Waking up in 4.9 seconds. Cleaning up request 0 ID 0 with timestamp +23 Ready to process requests. Thank you :), hope I'm not missing somithing stupid, I've read a lot of documentation here and there. ps. password on the LDAP are stored in hash form.
Work wrote:
I think I've successfullyconfigured freeradius for the pap authentication with openldap since the radtest returns ok.
Read raddb/sites-available/inner-tunnel. It describes how to test the *inner* portion of EAP. You should test that before going to the full EAP tests.
is this ugly? My company does not want to add radiuschema to the users.
It's fine.
These are the configs:
We don't want the configs. They're not helpful.
the debug from radius is:
Helpful.
[ldap] Added User-Password = {MD5}tQzXLan1f4v2iAMD/1t2Ig== in check items
Which seems OK.
Found Auth-Type = LDAP +- entering group LDAP {...} [ldap] Attribute "User-Password" is required for authentication. You seem to have set "Auth-Type := LDAP" somewhere. THAT CONFIGURATION IS WRONG. DELETE IT. YOU ARE PREVENTING THE SERVER FROM WORKING PROPERLY.
What part of that message is unclear?
Thank you :), hope I'm not missing somithing stupid, I've read a lot of documentation here and there.
Reading the debug output helps. Don't force "Auth-Type := ldap". The default configuration does NOT do this. So the only way it happens is if you changed the configuration to do this. Delete that, and it will work.
ps. password on the LDAP are stored in hash form.
Which means you can only use EAP-TTLS / PAP. All other EAP types will *not* work. Alan DeKok.
Hello Alan thanks for the reply I will try to recap how the whole process should perform -IMHO -. There are two virtual servers: -default -inner-tunnel the default should autenticate clients using the PAP method (for vpn remote access) and will be the responsible to the creation and maintenance of the TLS tunnel with the supplicant (for eap ttls pap). In the TLS tunnel the supplicant will perform the PAP that will be authenticated by the inner-tunnel virtual server. Since I'm using an openldap repository the PAP method is performed this way: the freeradius binds to the ldap server as admin(or any administrator user) and looks for the username and password of the supplicant and performs the password comparison (eventually using the hash method specified in the userPassword attribute). Is this correct? I've read online that there is the "oracle" mode to authenticate users against ldap. If I'm not wrong the oracle mode would still be fine for PAP even if it is a bit less powerful. Both default and inner PAP authentication works great (and perform the same operations according to the debug). Of course I've read the debug output from the previous test but I don't know where to look for the "guilty" line (since it's not a default config but someone else had worked a bit). If the analysis it is correct I would expect that the eap module changes the Auth-Method but I can't see any ldap line in the eap.conf. Thanks Il 28/11/2013 14:58, Alan DeKok ha scritto:
Work wrote:
I think I've successfullyconfigured freeradius for the pap authentication with openldap since the radtest returns ok. Read raddb/sites-available/inner-tunnel. It describes how to test the *inner* portion of EAP. You should test that before going to the full EAP tests.
is this ugly? My company does not want to add radiuschema to the users. It's fine.
These are the configs: We don't want the configs. They're not helpful.
the debug from radius is: Helpful.
[ldap] Added User-Password = {MD5}tQzXLan1f4v2iAMD/1t2Ig== in check items Which seems OK.
Found Auth-Type = LDAP +- entering group LDAP {...} [ldap] Attribute "User-Password" is required for authentication. You seem to have set "Auth-Type := LDAP" somewhere. THAT CONFIGURATION IS WRONG. DELETE IT. YOU ARE PREVENTING THE SERVER FROM WORKING PROPERLY. What part of that message is unclear?
Thank you :), hope I'm not missing somithing stupid, I've read a lot of documentation here and there. Reading the debug output helps. Don't force "Auth-Type := ldap". The default configuration does NOT do this. So the only way it happens is if you changed the configuration to do this.
Delete that, and it will work.
ps. password on the LDAP are stored in hash form. Which means you can only use EAP-TTLS / PAP. All other EAP types will *not* work.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
If the analysis it is correct I would expect that the eap module changes the Auth-Method but I can't see any ldap line in the eap.conf.
correct. the eap.conf is only for the EAP stuff. for ldap stuff you need to check the ldap module config file (which tells LDAP how to do things, what servers to connect to etc), the ldap attrmap table and the inner-tunnel (you want to use ldap in the EAP so the ldap module must be called in the inner-tunnel virtual server alan
Thank you all for the answers, @alan : so why do I get that message only when trying to authenticate with eap? With pap and chap (with the clear-text passowrd on ldap) on default and inner do not face this problem. @Phil: actually I've read the debug and I've tried to solve that by my self, but I'm not able to find the issue. Line 193 in the users file mathes when the user is member of a certain ldap group and does not set Auth-Type := LDAP :( . Thank you Il 28/11/2013 16:55, A.L.M.Buxey@lboro.ac.uk ha scritto:
Hi,
If the analysis it is correct I would expect that the eap module changes the Auth-Method but I can't see any ldap line in the eap.conf. correct. the eap.conf is only for the EAP stuff. for ldap stuff you need to check the ldap module config file (which tells LDAP how to do things, what servers to connect to etc), the ldap attrmap table and the inner-tunnel (you want to use ldap in the EAP so the ldap module must be called in the inner-tunnel virtual server
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
@alan : so why do I get that message only when trying to authenticate with eap? With pap and chap (with the clear-text passowrd on ldap) on default and inner do not face this problem.
PAP and CHAP without EAP dont use inner-tunnel if you arent calling LDAP module in the inner-tunnel then an EAP method that relies on ldap will simply not work. alan
Il 28/11/2013 17:28, A.L.M.Buxey@lboro.ac.uk ha scritto:
Hi,
PAP and CHAP without EAP dont use inner-tunnel
if you arent calling LDAP module in the inner-tunnel then an EAP method that relies on ldap will simply not work.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html I do call LDAP in the inner-tunnel otherwise I think I will not have this output I guess:
rad_recv: Access-Request packet from host 127.0.0.1 port 44972, id=102, length=57 User-Name = "atest" User-Password = "atest" NAS-IP-Address = 127.0.1.1 NAS-Port = 10 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "atest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [ldap] performing user authorization for atest [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> atest [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=atest) [ldap] expand: dc=newenergygroup,dc=com -> dc=newenergygroup,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to test-ldap.newenergygroup.com:389, authentication 0 [ldap] bind as cn=admin,dc=newenergygroup,dc=com/Ld4pPa$$w0rD to test-ldap.newenergygroup.com:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=newenergygroup,dc=com, with filter (uid=atest) [ldap] Added User-Password = {MD5}tQzXLan1f4v2iAMD/1t2Ig== in check items [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user atest authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "atest" [pap] Using MD5 encryption. [pap] Normalizing MD5-Password from base64 encoding [pap] User authenticated successfully ++[pap] returns ok Login OK: [atest] (from client localhost port 10) +- entering group post-auth {...} ++[ldap] returns noop } # server inner-tunnel Sending Access-Accept of id 102 to 127.0.0.1 port 44972 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 102 with timestamp +3 Ready to process requests. Thanks
So. ... this shows a fine authentication access-accept ..... so what is your problem? alan -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
On 28/11/13 12:31, Work wrote:
These are the configs:
No. These aren't needed. All you needed to send was a full debug, gathered with: radiusd -X ...instead of a debug you trimmed the start off, because you didn't think it was important.
rad_recv: Access-Request packet from host 127.0.0.1 port 33653, id=0, length=118 User-Name = "atest" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200000a016174657374
This is an EAP packet:
[files] users: Matched entry DEFAULT at line 193 ++[files] returns ok
What is the entry at line #193? I think you have something like this: DEFAULT Auth-Type := LDAP ...which causes:
Found Auth-Type = LDAP +- entering group LDAP {...} [ldap] Attribute "User-Password" is required for authentication. You seem to have set "Auth-Type := LDAP" somewhere. THAT CONFIGURATION IS WRONG. DELETE IT. YOU ARE PREVENTING THE SERVER FROM WORKING PROPERLY.
This. The error is clear. Please read the debugs before posting.
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan Buxey -
Alan DeKok -
Phil Mayers -
Work