Getting Freeradius working with LLDAP
Hi all, I'm new to Freeradius but want to get it working for our local hack/makerspace to ensure we can provide decent QoS on the WiFi for our members. My LDAP server is https://github.com/lldap/lldap and that *does not* expose a "plain text password" field. I am running Freeradius via docker and I've uploaded my config at https://gist.github.com/proffalken/a6213dc7266a6a9800432b3c0e1b264d (passwords and domains have been changed to protect the innocent!) As you can see from the log below, the LDAP lookup works, however the authentication request is rejected because the "Auth-Type" is not found. I'm sure this is an obvious fix, but I've not been able to find an answer in my searching! I'm using the following command to test: radtest mmw pass1234 10.x.x.5 0 testing123 and this is the log: -=-=-=-=-=-=-=-=-=-= freeradius_1 | rlm_ldap (ldap): Reserved connection (0) freeradius_1 | (0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User- Name}}) freeradius_1 | (0) ldap: --> (uid=mmw) freeradius_1 | (0) ldap: Performing search in "ou=people,dc=auth,dc=mydomain,dc=co,dc=uk" with filter "(uid=mmw)", scope "sub" freeradius_1 | (0) ldap: Waiting for search result... freeradius_1 | (0) ldap: User object found at DN "uid=mmw,ou=people,dc=auth,dc=mydomain,dc=co,dc=uk" freeradius_1 | (0) ldap: Processing user attributes freeradius_1 | (0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute freeradius_1 | (0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) freeradius_1 | rlm_ldap (ldap): Released connection (0) freeradius_1 | (0) [ldap] = ok freeradius_1 | (0) [expiration] = noop freeradius_1 | (0) [logintime] = noop freeradius_1 | (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type freeradius_1 | (0) pap: WARNING: Authentication will fail unless a "known good" password is available freeradius_1 | (0) [pap] = noop freeradius_1 | (0) } # authorize = ok freeradius_1 | (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject freeradius_1 | (0) Failed to authenticate the user freeradius_1 | (0) Using Post-Auth-Type Reject freeradius_1 | (0) # Executing group from file /opt/etc/raddb/sites- enabled/default freeradius_1 | (0) Post-Auth-Type REJECT { freeradius_1 | (0) attr_filter.access_reject: EXPAND %{User-Name} freeradius_1 | (0) attr_filter.access_reject: --> mmw freeradius_1 | (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 freeradius_1 | (0) [attr_filter.access_reject] = updated freeradius_1 | (0) [eap] = noop freeradius_1 | (0) policy remove_reply_message_if_eap { freeradius_1 | (0) if (&reply:EAP-Message && &reply:Reply- Message) { freeradius_1 | (0) if (&reply:EAP-Message && &reply:Reply- Message) -> FALSE freeradius_1 | (0) else { freeradius_1 | (0) [noop] = noop freeradius_1 | (0) } # else = noop freeradius_1 | (0) } # policy remove_reply_message_if_eap = noop freeradius_1 | (0) } # Post-Auth-Type REJECT = updated -=-=-=-=-=-=-=-=-=-=- Thanks in advance! Matt
On May 17, 2023, at 7:03 AM, Matthew Macdonald-Wallace <matt@doics.co> wrote:
I'm new to Freeradius but want to get it working for our local hack/makerspace to ensure we can provide decent QoS on the WiFi for our members.
My LDAP server is https://github.com/lldap/lldap and that *does not* expose a "plain text password" field.
Then you need to set "Auth-Type = LDAP". See the comments in sites-available/default.
I am running Freeradius via docker and I've uploaded my config at https://gist.github.com/proffalken/a6213dc7266a6a9800432b3c0e1b264d (passwords and domains have been changed to protect the innocent!)
http://wiki.freeradius.org/list-help All of the documentation says we need the debug output. The configuration is not helpful.
As you can see from the log below, the LDAP lookup works, however the authentication request is rejected because the "Auth-Type" is not found.
Yes. If LDAP gives FreeRADIUS a "known good" password (clear-text, salted/hashed, etc.) then FreeRADIUS can figure out how to authenticate the user. If LDAP does not give FreeRADUS a password, then FreeRADIUS has no idea how to authenticate the user. You MUST tell it how to authenticate the user.
I'm sure this is an obvious fix, but I've not been able to find an answer in my searching!
See sites-available/default. Look for "ldap". This is documented.
I'm using the following command to test:
radtest mmw pass1234 10.x.x.5 0 testing123
and this is the log:
Please post *just* the output from FreeRADIUS, without extra things added.
-=-=-=-=-=-=-=-=-=-= freeradius_1 | rlm_ldap (ldap): Reserved connection (0) freeradius_1 | (0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User- Name}}) freeradius_1 | (0) ldap: --> (uid=mmw)
All of those prefixes are noise, and are unhelpful. So read sites-available/ldap. Look for "ldap". There is documentation on how (and why) to set Auth-Type LDAP. This causes FreeRADIUS to bind to LDAP using the supplied username and password. The LDAP server can then return pass / fail to FreeRADIUS. Alan DeKok.
participants (2)
-
Alan DeKok -
Matthew Macdonald-Wallace