Cache user access on eap-ttls with ldap as authenticate system
Hello, I'm using EAP-TTLS + LDAP with okta, all is working fine. But I would like to use the cache system of freeradius in case the internet goes down, if no internet access to contact the ldap server is it possible to use a cache? (21) Received Access-Request Id 117 from 192.168.31.239:32773 to 192.168.31.183:1812 length 294 (21) User-Name = "leon.wolf@domain.local" (21) Chargeable-User-Identity = 0x00 (21) Location-Capable = Civic-Location (21) Calling-Station-Id = "90-78-41-4f-dd-73" (21) Called-Station-Id = "00-b7-71-86-b8-80:testrd" (21) NAS-Port = 1 (21) Cisco-AVPair = "audit-session-id=c0a81fef0001f1c46000318e" (21) Acct-Session-Id = "60003186/90:78:41:4f:dd:73/237979" (21) NAS-IP-Address = 192.168.31.239 (21) NAS-Identifier = "WLC1" (21) Airespace-Wlan-Id = 3 (21) Service-Type = Framed-User (21) Framed-MTU = 1300 (21) NAS-Port-Type = Wireless-802.11 (21) Tunnel-Type:0 = VLAN (21) Tunnel-Medium-Type:0 = IEEE-802 (21) Tunnel-Private-Group-Id:0 = "96" (21) EAP-Message = 0x020500061500 (21) State = 0xcab4fefcc8b1eb3813f65861255465ba (21) Message-Authenticator = 0x29f8146d52be66b41004b4ed9a6d1296 (21) session-state: No cached attributes (21) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (21) authorize { (21) policy filter_username { (21) if (&User-Name) { (21) if (&User-Name) -> TRUE (21) if (&User-Name) { (21) if (&User-Name =~ / /) { (21) if (&User-Name =~ / /) -> FALSE (21) if (&User-Name =~ /@[^@]*@/ ) { (21) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (21) if (&User-Name =~ /\.\./ ) { (21) if (&User-Name =~ /\.\./ ) -> FALSE (21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (21) if (&User-Name =~ /\.$/) { (21) if (&User-Name =~ /\.$/) -> FALSE (21) if (&User-Name =~ /@\./) { (21) if (&User-Name =~ /@\./) -> FALSE (21) } # if (&User-Name) = notfound (21) } # policy filter_username = notfound (21) [preprocess] = ok (21) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (21) auth_log: --> /var/log/freeradius/radacct/ 192.168.31.239/auth-detail-20210114 (21) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.31.239/auth-detail-20210114 (21) auth_log: EXPAND %t (21) auth_log: --> Thu Jan 14 12:58:17 2021 (21) [auth_log] = ok (21) eap: Peer sent EAP Response (code 2) ID 5 length 6 (21) eap: Continuing tunnel setup (21) [eap] = ok (21) } # authorize = ok (21) Found Auth-Type = eap (21) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (21) Auth-Type eap { (21) eap: Expiring EAP session with state 0xcab4fefcc8b1eb38 (21) eap: Finished EAP session with state 0xcab4fefcc8b1eb38 (21) eap: Previous EAP request found for state 0xcab4fefcc8b1eb38, released from the list (21) eap: Peer sent packet with method EAP TTLS (21) (21) eap: Calling submodule eap_ttls to process data (21) eap_ttls: Authenticate (21) eap_ttls: Continuing EAP-TLS (21) eap_ttls: Peer ACKed our handshake fragment (21) eap_ttls: [eaptls verify] = request (21) eap_ttls: [eaptls process] = handled (21) eap: Sending EAP Request (code 1) ID 6 length 957 (21) eap: EAP session adding &reply:State = 0xcab4fefcc9b2eb38 (21) [eap] = handled (21) if (handled && (Response-Packet-Type == Access-Challenge)) { (21) EXPAND Response-Packet-Type (21) --> Access-Challenge (21) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (21) if (handled && (Response-Packet-Type == Access-Challenge)) { (21) attr_filter.access_challenge: EXPAND %{User-Name} (21) attr_filter.access_challenge: --> leon.wolf@domain.local (21) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (21) [attr_filter.access_challenge.post-auth] = updated (21) [handled] = handled (21) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (21) } # Auth-Type eap = handled (21) Using Post-Auth-Type Challenge (21) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (21) Post-Auth-Type Challenge { (21) policy remove_reply_message_if_eap { (21) if (&reply:EAP-Message && &reply:Reply-Message) { (21) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (21) else { (21) [noop] = noop (21) } # else = noop (21) } # policy remove_reply_message_if_eap = noop (21) attr_filter.access_challenge: EXPAND %{User-Name} (21) attr_filter.access_challenge: --> leon.wolf@domain.local (21) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (21) [attr_filter.access_challenge.post-auth] = updated (21) } # Post-Auth-Type Challenge = updated (21) Sent Access-Challenge Id 117 from 192.168.31.183:1812 to 192.168.31.239:32773 length 0 (21) EAP-Message = 0x010603bd158000000b9f03020186304b06082b06010505070101043f303d303b06082b06010505073002862f687474703a2f2f617070732e6964656e74727573742e636f6d2f726f6f74732f647374726f6f74636178332e703763301f0603551d23041830168014c4a7b1a47b2c71fadbe14b9075ffc4156085891030540603551d20044d304b3008060667810c010201303f060b2b0601040182df130101013030302e06082b060105050702011622687474703a2f2f6370732e726f6f742d78312e6c657473656e63727970742e6f7267303c0603551d1f043530333031a02fa02d862b687474703a2f2f63726c2e6964656e74727573742e636f6d2f445354524f4f544341583343524c2e63726c301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301d0603551d250416301406082b0601050507030106082b06010505070302300d06092a864886f70d01010b05000382010100d94ce0c9f584883731dbbb13e2b3fc8b6b62126c58 (21) Message-Authenticator = 0x00000000000000000000000000000000 (21) State = 0xcab4fefcc9b2eb3813f65861255465ba (21) Finished request Waking up in 4.9 seconds. (22) Received Access-Request Id 118 from 192.168.31.239:32773 to 192.168.31.183:1812 length 424 (22) User-Name = "leon.wolf@domain.local" (22) Chargeable-User-Identity = 0x00 (22) Location-Capable = Civic-Location (22) Calling-Station-Id = "90-78-41-4f-dd-73" (22) Called-Station-Id = "00-b7-71-86-b8-80:testrd" (22) NAS-Port = 1 (22) Cisco-AVPair = "audit-session-id=c0a81fef0001f1c46000318e" (22) Acct-Session-Id = "60003186/90:78:41:4f:dd:73/237979" (22) NAS-IP-Address = 192.168.31.239 (22) NAS-Identifier = "WLC1" (22) Airespace-Wlan-Id = 3 (22) Service-Type = Framed-User (22) Framed-MTU = 1300 (22) NAS-Port-Type = Wireless-802.11 (22) Tunnel-Type:0 = VLAN (22) Tunnel-Medium-Type:0 = IEEE-802 (22) Tunnel-Private-Group-Id:0 = "96" (22) EAP-Message = 0x0206008815800000007e160303004610000042410436fe757ae06837679e32e33eef46449bfb57126ab725fbc270219624e528203360ee7521080563eb18d57ed754f7079e1bf3c4423f5975e1d2aedd7597251c87140303000101160303002800000000000000009b5217d1d18538b885d7f88ff00291a7d352e5b47e9b660c263b64b9f36067dd (22) State = 0xcab4fefcc9b2eb3813f65861255465ba (22) Message-Authenticator = 0x6e609bd8d4caf0c99454c818de75af99 (22) session-state: No cached attributes (22) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (22) authorize { (22) policy filter_username { (22) if (&User-Name) { (22) if (&User-Name) -> TRUE (22) if (&User-Name) { (22) if (&User-Name =~ / /) { (22) if (&User-Name =~ / /) -> FALSE (22) if (&User-Name =~ /@[^@]*@/ ) { (22) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (22) if (&User-Name =~ /\.\./ ) { (22) if (&User-Name =~ /\.\./ ) -> FALSE (22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (22) if (&User-Name =~ /\.$/) { (22) if (&User-Name =~ /\.$/) -> FALSE (22) if (&User-Name =~ /@\./) { (22) if (&User-Name =~ /@\./) -> FALSE (22) } # if (&User-Name) = notfound (22) } # policy filter_username = notfound (22) [preprocess] = ok (22) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (22) auth_log: --> /var/log/freeradius/radacct/ 192.168.31.239/auth-detail-20210114 (22) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.31.239/auth-detail-20210114 (22) auth_log: EXPAND %t (22) auth_log: --> Thu Jan 14 12:58:17 2021 (22) [auth_log] = ok (22) eap: Peer sent EAP Response (code 2) ID 6 length 136 (22) eap: Continuing tunnel setup (22) [eap] = ok (22) } # authorize = ok (22) Found Auth-Type = eap (22) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (22) Auth-Type eap { (22) eap: Expiring EAP session with state 0xcab4fefcc9b2eb38 (22) eap: Finished EAP session with state 0xcab4fefcc9b2eb38 (22) eap: Previous EAP request found for state 0xcab4fefcc9b2eb38, released from the list (22) eap: Peer sent packet with method EAP TTLS (21) (22) eap: Calling submodule eap_ttls to process data (22) eap_ttls: Authenticate (22) eap_ttls: Continuing EAP-TLS (22) eap_ttls: Peer indicated complete TLS record size will be 126 bytes (22) eap_ttls: Got complete TLS record (126 bytes) (22) eap_ttls: [eaptls verify] = length included (22) eap_ttls: TLS_accept: SSLv3/TLS write server done (22) eap_ttls: <<< recv TLS 1.2 [length 0046] (22) eap_ttls: TLS_accept: SSLv3/TLS read client key exchange (22) eap_ttls: TLS_accept: SSLv3/TLS read change cipher spec (22) eap_ttls: <<< recv TLS 1.2 [length 0010] (22) eap_ttls: TLS_accept: SSLv3/TLS read finished (22) eap_ttls: >>> send TLS 1.2 [length 0001] (22) eap_ttls: TLS_accept: SSLv3/TLS write change cipher spec (22) eap_ttls: >>> send TLS 1.2 [length 0010] (22) eap_ttls: TLS_accept: SSLv3/TLS write finished (22) eap_ttls: Serialising session 36e87b2e23855a94095eeb8a40b2fe08eedc7eeb03d6a3aa50f95511fb46838f, and storing in cache (22) eap_ttls: WARNING: Wrote session 36e87b2e23855a94095eeb8a40b2fe08eedc7eeb03d6a3aa50f95511fb46838f to /var/log/freeradius/tlscache/36e87b2e23855a94095eeb8a40b2fe08eedc7eeb03d6a3aa50f95511fb46838f.asn1 (139 bytes) (22) eap_ttls: (other): SSL negotiation finished successfully (22) eap_ttls: TLS - Connection Established (22) eap_ttls: Attr-156.7 = 0x45434448452d5253412d4145533235362d47434d2d534841333834 (22) eap_ttls: Attr-155.7 = 0x544c5320312e32 (22) eap_ttls: TLS - got 51 bytes of data (22) eap_ttls: [eaptls process] = handled (22) eap: Sending EAP Request (code 1) ID 7 length 61 (22) eap: EAP session adding &reply:State = 0xcab4fefcceb3eb38 (22) [eap] = handled (22) if (handled && (Response-Packet-Type == Access-Challenge)) { (22) EXPAND Response-Packet-Type (22) --> Access-Challenge (22) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (22) if (handled && (Response-Packet-Type == Access-Challenge)) { (22) attr_filter.access_challenge: EXPAND %{User-Name} (22) attr_filter.access_challenge: --> leon.wolf@domain.local (22) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (22) [attr_filter.access_challenge.post-auth] = updated (22) [handled] = handled (22) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (22) } # Auth-Type eap = handled (22) Using Post-Auth-Type Challenge (22) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (22) Post-Auth-Type Challenge { (22) policy remove_reply_message_if_eap { (22) if (&reply:EAP-Message && &reply:Reply-Message) { (22) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (22) else { (22) [noop] = noop (22) } # else = noop (22) } # policy remove_reply_message_if_eap = noop (22) attr_filter.access_challenge: EXPAND %{User-Name} (22) attr_filter.access_challenge: --> leon.wolf@domain.local (22) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (22) [attr_filter.access_challenge.post-auth] = updated (22) } # Post-Auth-Type Challenge = updated (22) session-state: Saving cached attributes (22) TLS-Cache-Filename = "/var/log/freeradius/tlscache/36e87b2e23855a94095eeb8a40b2fe08eedc7eeb03d6a3aa50f95511fb46838f.asn1" (22) Attr-156.7 = 0x45434448452d5253412d4145533235362d47434d2d534841333834 (22) Attr-155.7 = 0x544c5320312e32 (22) Sent Access-Challenge Id 118 from 192.168.31.183:1812 to 192.168.31.239:32773 length 0 (22) EAP-Message = 0x0107003d158000000033140303000101160303002836d8a1ff6b2afaae621fc261218f4483f1c4545f86a9b8fe41deae7225f2324e15c977fd19b170a0 (22) Message-Authenticator = 0x00000000000000000000000000000000 (22) State = 0xcab4fefcceb3eb3813f65861255465ba (22) Finished request Waking up in 4.9 seconds. (23) Received Access-Request Id 119 from 192.168.31.239:32773 to 192.168.31.183:1812 length 387 (23) User-Name = "leon.wolf@domain.local" (23) Chargeable-User-Identity = 0x00 (23) Location-Capable = Civic-Location (23) Calling-Station-Id = "90-78-41-4f-dd-73" (23) Called-Station-Id = "00-b7-71-86-b8-80:testrd" (23) NAS-Port = 1 (23) Cisco-AVPair = "audit-session-id=c0a81fef0001f1c46000318e" (23) Acct-Session-Id = "60003186/90:78:41:4f:dd:73/237979" (23) NAS-IP-Address = 192.168.31.239 (23) NAS-Identifier = "WLC1" (23) Airespace-Wlan-Id = 3 (23) Service-Type = Framed-User (23) Framed-MTU = 1300 (23) NAS-Port-Type = Wireless-802.11 (23) Tunnel-Type:0 = VLAN (23) Tunnel-Medium-Type:0 = IEEE-802 (23) Tunnel-Private-Group-Id:0 = "96" (23) EAP-Message = 0x0207006315800000005917030300540000000000000001e70b56177cd34eacf86e9bd90e8fe557e020b9f6d814adddf9bde349e67f3e9a1dda72f8fd14224098f24cae3410220287d1814b3984a577db30a8289bd48a898a69c25b4667f3cc93b0ab0b (23) State = 0xcab4fefcceb3eb3813f65861255465ba (23) Message-Authenticator = 0x19e54adcb4aeb90d8bcb07f5984056ec (23) Restoring &session-state (23) &session-state:TLS-Cache-Filename = "/var/log/freeradius/tlscache/36e87b2e23855a94095eeb8a40b2fe08eedc7eeb03d6a3aa50f95511fb46838f.asn1" (23) &session-state:Attr-156.7 = 0x45434448452d5253412d4145533235362d47434d2d534841333834 (23) &session-state:Attr-155.7 = 0x544c5320312e32 (23) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (23) authorize { (23) policy filter_username { (23) if (&User-Name) { (23) if (&User-Name) -> TRUE (23) if (&User-Name) { (23) if (&User-Name =~ / /) { (23) if (&User-Name =~ / /) -> FALSE (23) if (&User-Name =~ /@[^@]*@/ ) { (23) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (23) if (&User-Name =~ /\.\./ ) { (23) if (&User-Name =~ /\.\./ ) -> FALSE (23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (23) if (&User-Name =~ /\.$/) { (23) if (&User-Name =~ /\.$/) -> FALSE (23) if (&User-Name =~ /@\./) { (23) if (&User-Name =~ /@\./) -> FALSE (23) } # if (&User-Name) = notfound (23) } # policy filter_username = notfound (23) [preprocess] = ok (23) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (23) auth_log: --> /var/log/freeradius/radacct/ 192.168.31.239/auth-detail-20210114 (23) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.31.239/auth-detail-20210114 (23) auth_log: EXPAND %t (23) auth_log: --> Thu Jan 14 12:58:17 2021 (23) [auth_log] = ok (23) eap: Peer sent EAP Response (code 2) ID 7 length 99 (23) eap: Continuing tunnel setup (23) [eap] = ok (23) } # authorize = ok (23) Found Auth-Type = eap (23) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (23) Auth-Type eap { (23) eap: Expiring EAP session with state 0xcab4fefcceb3eb38 (23) eap: Finished EAP session with state 0xcab4fefcceb3eb38 (23) eap: Previous EAP request found for state 0xcab4fefcceb3eb38, released from the list (23) eap: Peer sent packet with method EAP TTLS (21) (23) eap: Calling submodule eap_ttls to process data (23) eap_ttls: Authenticate (23) eap_ttls: Continuing EAP-TLS (23) eap_ttls: Peer indicated complete TLS record size will be 89 bytes (23) eap_ttls: Got complete TLS record (89 bytes) (23) eap_ttls: [eaptls verify] = length included (23) eap_ttls: [eaptls process] = ok (23) eap_ttls: Session established. Proceeding to decode tunneled attributes (23) eap_ttls: Got tunneled request (23) eap_ttls: User-Name = "leon.wolf@domain.local" (23) eap_ttls: User-Password = "scN3VXa4XZvm7N4!" (23) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1 (23) eap_ttls: Sending tunneled request (23) Virtual server default received request (23) User-Name = "leon.wolf@domain.local" (23) User-Password = "scN3VXa4XZvm7N4!" (23) FreeRADIUS-Proxied-To = 127.0.0.1 (23) Chargeable-User-Identity = 0x00 (23) Location-Capable = Civic-Location (23) Calling-Station-Id = "90-78-41-4f-dd-73" (23) Called-Station-Id = "00-b7-71-86-b8-80:testrd" (23) NAS-Port = 1 (23) Cisco-AVPair = "audit-session-id=c0a81fef0001f1c46000318e" (23) Acct-Session-Id = "60003186/90:78:41:4f:dd:73/237979" (23) NAS-IP-Address = 192.168.31.239 (23) NAS-Identifier = "WLC1" (23) Airespace-Wlan-Id = 3 (23) Service-Type = Framed-User (23) Framed-MTU = 1300 (23) NAS-Port-Type = Wireless-802.11 (23) Tunnel-Type:0 = VLAN (23) Tunnel-Medium-Type:0 = IEEE-802 (23) Tunnel-Private-Group-Id:0 = "96" (23) Event-Timestamp = "Jan 14 2021 12:58:17 WET" (23) WARNING: Outer and inner identities are the same. User privacy is compromised. (23) server default { (23) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (23) authorize { (23) policy filter_username { (23) if (&User-Name) { (23) if (&User-Name) -> TRUE (23) if (&User-Name) { (23) if (&User-Name =~ / /) { (23) if (&User-Name =~ / /) -> FALSE (23) if (&User-Name =~ /@[^@]*@/ ) { (23) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (23) if (&User-Name =~ /\.\./ ) { (23) if (&User-Name =~ /\.\./ ) -> FALSE (23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (23) if (&User-Name =~ /\.$/) { (23) if (&User-Name =~ /\.$/) -> FALSE (23) if (&User-Name =~ /@\./) { (23) if (&User-Name =~ /@\./) -> FALSE (23) } # if (&User-Name) = notfound (23) } # policy filter_username = notfound (23) [preprocess] = ok (23) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (23) auth_log: --> /var/log/freeradius/radacct/ 192.168.31.239/auth-detail-20210114 (23) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.31.239/auth-detail-20210114 (23) auth_log: EXPAND %t (23) auth_log: --> Thu Jan 14 12:58:17 2021 (23) [auth_log] = ok (23) eap: No EAP-Message, not doing EAP (23) [eap] = noop (23) [expiration] = noop (23) [logintime] = noop (23) update control { (23) Cache-Status-Only = yes (23) } # update control = noop (23) cache: EXPAND %{User-Name} (23) cache: --> leon.wolf@domain.local (23) cache: Found entry for "leon.wolf@domain.local" (23) [cache] = ok (23) if (notfound) { (23) if (notfound) -> FALSE (23) if (User-Password) { (23) if (User-Password) -> TRUE (23) if (User-Password) { (23) update control { (23) Auth-Type := LDAP (23) } # update control = noop (23) } # if (User-Password) = noop (23) cache: EXPAND %{User-Name} (23) cache: --> leon.wolf@domain.local (23) cache: Found entry for "leon.wolf@domain.local" (23) cache: Merging cache entry into request (23) cache: &reply:Reply-Message += "Cache last updated at Thu Jan 14 11:57:02 2021" (23) cache: &reply:Class := 0x4b703872434c46586d6c6c6953624238735a644a42746459576945614b2e4e65 (23) [cache] = ok (23) } # authorize = ok (23) Found Auth-Type = LDAP (23) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (23) Auth-Type LDAP { rlm_ldap (ldap): Closing connection (9): Hit idle_timeout, was idle for 162 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (10): Hit idle_timeout, was idle for 160 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare" rlm_ldap (ldap): Opening additional connection (11), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldap://jumia.ldap.idp.com:389 rlm_ldap (ldap): Could not start TLS: Can't contact LDAP server rlm_ldap (ldap): Opening connection failed (11) (23) [ldap] = fail (23) } # Auth-Type LDAP = fail (23) Failed to authenticate the user (23) Using Post-Auth-Type Reject (23) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (23) Post-Auth-Type REJECT { (23) attr_filter.access_reject: EXPAND %{User-Name} (23) attr_filter.access_reject: --> leon.wolf@domain.local (23) attr_filter.access_reject: Matched entry DEFAULT at line 11 (23) [attr_filter.access_reject] = updated (23) [eap] = noop (23) policy remove_reply_message_if_eap { (23) if (&reply:EAP-Message && &reply:Reply-Message) { (23) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (23) else { (23) [noop] = noop (23) } # else = noop (23) } # policy remove_reply_message_if_eap = noop (23) } # Post-Auth-Type REJECT = updated (23) } # server default (23) Virtual server sending reply (23) Reply-Message = "Cache last updated at Thu Jan 14 11:57:02 2021" (23) eap_ttls: Got tunneled Access-Reject tls: Removing session 36e87b2e23855a94095eeb8a40b2fe08eedc7eeb03d6a3aa50f95511fb46838f from the cache (23) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed (23) eap: Sending EAP Failure (code 4) ID 7 length 4 (23) eap: Failed in EAP select (23) [eap] = invalid (23) } # Auth-Type eap = invalid (23) Failed to authenticate the user (23) Using Post-Auth-Type Reject (23) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (23) Post-Auth-Type REJECT { (23) attr_filter.access_reject: EXPAND %{User-Name} (23) attr_filter.access_reject: --> leon.wolf@domain.local (23) attr_filter.access_reject: Matched entry DEFAULT at line 11 (23) [attr_filter.access_reject] = updated (23) [eap] = noop (23) policy remove_reply_message_if_eap { (23) if (&reply:EAP-Message && &reply:Reply-Message) { (23) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (23) else { (23) [noop] = noop (23) } # else = noop (23) } # policy remove_reply_message_if_eap = noop (23) } # Post-Auth-Type REJECT = updated (23) Delaying response for 1.000000 seconds Waking up in 0.6 seconds. Waking up in 0.3 seconds. (23) Sending delayed response (23) Sent Access-Reject Id 119 from 192.168.31.183:1812 to 192.168.31.239:32773 length 44 (23) EAP-Message = 0x04070004 (23) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. (18) Cleaning up request packet ID 114 with timestamp +3690 (19) Cleaning up request packet ID 115 with timestamp +3690 (20) Cleaning up request packet ID 116 with timestamp +3690 (21) Cleaning up request packet ID 117 with timestamp +3690 (22) Cleaning up request packet ID 118 with timestamp +3690 (23) Cleaning up request packet ID 119 with timestamp +3690 Ready to process requests ***** Config for sites-enabled/default ****** server default { listen { type = auth ipaddr = 192.168.31.183 port = 0 limit { # # Limit the number of simultaneous TCP connections to the socket # # The default is 16. # Setting this to 0 means "no limit" max_connections = 16 # The per-socket "max_requests" option does not exist. # # The lifetime, in seconds, of a TCP connection. After # this lifetime, the connection will be closed. # # Setting this to 0 means "forever". lifetime = 0 # # The idle timeout, in seconds, of a TCP connection. # If no packets have been received over the connection for # this time, the connection will be closed. # # Setting this to 0 means "no timeout". # # We STRONGLY RECOMMEND that you set an idle timeout. # idle_timeout = 30 } } listen { ipaddr = * port = 0 type = acct limit { # Only for "proto = tcp". These are ignored for "udp" sockets. # } } listen { type = auth ipv6addr = :: # any. ::1 == localhost port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { ipv6addr = :: port = 0 type = acct limit { } } authorize { filter_username preprocess auth_log eap { ok = return updated = return } expiration logintime update control { Cache-Status-Only = 'yes' } cache if (notfound) { ldap } if (User-Password) { # <- when using cache this it's here with True update control { Auth-Type := ldap } } cache } authenticate { Auth-Type PAP { #pap ldap # eap-ttls comes here for authentication } Auth-Type LDAP { ldap } Auth-Type eap { eap { handled = 1 } if (handled && (Response-Packet-Type == Access-Challenge)) { attr_filter.access_challenge.post-auth handled # override the "updated" code from attr_filter } } } preacct { preprocess acct_unique suffix } accounting { detail -sql attr_filter.accounting_response } session { } post-auth { if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { update reply { &User-Name !* ANY } } update { &reply: += &session-state: } remove_reply_message_if_eap Post-Auth-Type REJECT { # log failed authentications in SQL, too. -sql attr_filter.access_reject # Insert EAP-Failure message if the request was # rejected by policy instead of because of an # authentication failure eap # Remove reply message if the response contains an EAP-Message remove_reply_message_if_eap } Post-Auth-Type Challenge { remove_reply_message_if_eap attr_filter.access_challenge.post-auth } } pre-proxy { } post-proxy { eap } } ****** eap config **** eap { default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = ${max_requests} md5 { } leap { } gtc { auth_type = PAP } tls-config tls-common { private_key_file = /etc/freeradius/3.0/certs/rsa/fullchain2.key certificate_file = /etc/freeradius/3.0/certs/rsa/fullchain2.pem ca_file = /etc/ssl/certs/ca-certificates.crt ca_file = /etc/freeradius/3.0/certs/rsa/rootDSTX3.pem dh_file = ${certdir}/dh ca_path = ${cadir} cipher_list = "DEFAULT" cipher_server_preference = no tls_min_version = "1.2" ecdh_curve = "prime256v1" cache { enable = yes name = "EAP module" persist_dir = "${logdir}/tlscache" } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" } } ttls { tls = tls-common default_eap_type = gtc copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "default" } virtual_server = default }
On Jan 14, 2021, at 8:20 AM, André <netriver@gmail.com> wrote:
I'm using EAP-TTLS + LDAP with okta, all is working fine. But I would like to use the cache system of freeradius in case the internet goes down, if no internet access to contact the ldap server is it possible to use a cache?
Yes. There's a "cache" module. See mods-available/cache. But... if the database is critical, it should be hosted locally. That way you're in control. Alan DeKok.
Yes... But it seems it's not working correctly as I configured it. In the configuration above you can see it's still querying the ldap server. Can you have a look at the config and provide some suggestions? Best regards, On Thu, Jan 14, 2021 at 1:41 PM Alan DeKok <aland@deployingradius.com> wrote:
On Jan 14, 2021, at 8:20 AM, André <netriver@gmail.com> wrote:
I'm using EAP-TTLS + LDAP with okta, all is working fine. But I would like to use the cache system of freeradius in case the
internet
goes down, if no internet access to contact the ldap server is it possible to use a cache?
Yes. There's a "cache" module. See mods-available/cache.
But... if the database is critical, it should be hosted locally. That way you're in control.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jan 14, 2021, at 9:20 AM, André <netriver@gmail.com> wrote:
Yes... But it seems it's not working correctly as I configured it.
What did you configure?
In the configuration above you can see it's still querying the ldap server.
No.
Can you have a look at the config and provide some suggestions?
No. It is not appropriate to just dump a configuration file on the list and ask us to fix it. See http://wiki.freeradius.org/list-help for more details. You need to describe WHAT you did, WHY you did it, and WHAT you expected to see. Right now, all you're saying is "I did stuff, it doesn't work, you guys figure out why!" Just... no. Alan DeKok.
Hello, Sorry. To be more explicit: In sites-enabled/default in authorize I did the following: update control { Cache-Status-Only = 'yes' } cache if (notfound) { ldap } if (User-Password) { # <- when using cache this it's here with True update control { Auth-Type := ldap } } cache } However this makes the server still use the ldap connection in authentication. rlm_ldap (ldap): Connecting to ldap://jumia.ldap.idp.com:389 rlm_ldap (ldap): Could not start TLS: Can't contact LDAP server rlm_ldap (ldap): Opening connection failed (11) (23) [ldap] = fail Why I did it? Following the example from the link below: https://wiki.freeradius.org/modules/Rlm_cache I did try to use this code in authenticate but the server does not accept it. Also I have eap cache enabled , but that is not being hit as I do have nothing extra to cache other that the user data. Above you can still see it's trying to connect to the ldap server because this still hits authentication. Does this clarification help? Best regards, On Thu, Jan 14, 2021 at 2:53 PM Alan DeKok <aland@deployingradius.com> wrote:
On Jan 14, 2021, at 9:20 AM, André <netriver@gmail.com> wrote:
Yes... But it seems it's not working correctly as I configured it.
What did you configure?
In the configuration above you can see it's still querying the ldap server.
No.
Can you have a look at the config and provide some suggestions?
No.
It is not appropriate to just dump a configuration file on the list and ask us to fix it. See http://wiki.freeradius.org/list-help for more details.
You need to describe WHAT you did, WHY you did it, and WHAT you expected to see.
Right now, all you're saying is "I did stuff, it doesn't work, you guys figure out why!"
Just... no.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jan 14, 2021, at 10:17 AM, André <netriver@gmail.com> wrote: In sites-enabled/default in authorize I did the following:
If you read the debug output, you'll see that it's checking the password in the "inner-tunnel" virtual server. Put the caching there.
However this makes the server still use the ldap connection in authentication. rlm_ldap (ldap): Connecting to ldap://jumia.ldap.idp.com:389 rlm_ldap (ldap): Could not start TLS: Can't contact LDAP server rlm_ldap (ldap): Opening connection failed (11) (23) [ldap] = fail
Yes. Read ALL of the debug output. Especially the bits where it checks the passwords. Which is in the "inner-tunnel" virtual server. Alan DeKok.
I did remove the inner-tunnel and it worked. But I could not see where you found inner-tunnel Thank you On Thu, Jan 14, 2021 at 3:33 PM Alan DeKok <aland@deployingradius.com> wrote:
On Jan 14, 2021, at 10:17 AM, André <netriver@gmail.com> wrote: In sites-enabled/default in authorize I did the following:
If you read the debug output, you'll see that it's checking the password in the "inner-tunnel" virtual server.
Put the caching there.
However this makes the server still use the ldap connection in authentication. rlm_ldap (ldap): Connecting to ldap://jumia.ldap.idp.com:389 rlm_ldap (ldap): Could not start TLS: Can't contact LDAP server rlm_ldap (ldap): Opening connection failed (11) (23) [ldap] = fail
Yes. Read ALL of the debug output. Especially the bits where it checks the passwords. Which is in the "inner-tunnel" virtual server.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jan 14, 2021, at 10:45 AM, André <netriver@gmail.com> wrote:
I did remove the inner-tunnel and it worked.
I have no idea what that means. You edited sites-enabled/default. I was trying to tell you that the code block you posted should go into the sites-enabled/inner-tunnel file. If you deleted the inner-tunnel virtual server, then EAP won't work without many other changes.
But I could not see where you found inner-tunnel
In the default configuration. It works. The more you edit it, the more likely it is that you'll break something. Start with the default configuration. Configure the LDAP module. Then add the cache code you posted to the list to the sites-enabled/inner-tunnel virtual server. Alan DeKok.
Hello, This only caches ldap attributes, it's not able to store results Access-Accept for example from a existing ldap confirmed authentication? Would it be possible to store the result "Access-Accept" for a user + password combination for future approval? Best regards, On Thu, Jan 14, 2021 at 3:54 PM Alan DeKok <aland@deployingradius.com> wrote:
On Jan 14, 2021, at 10:45 AM, André <netriver@gmail.com> wrote:
I did remove the inner-tunnel and it worked.
I have no idea what that means.
You edited sites-enabled/default. I was trying to tell you that the code block you posted should go into the sites-enabled/inner-tunnel file.
If you deleted the inner-tunnel virtual server, then EAP won't work without many other changes.
But I could not see where you found inner-tunnel
In the default configuration. It works. The more you edit it, the more likely it is that you'll break something.
Start with the default configuration. Configure the LDAP module. Then add the cache code you posted to the list to the sites-enabled/inner-tunnel virtual server.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jan 14, 2021, at 12:00 PM, André <netriver@gmail.com> wrote:
This only caches ldap attributes, it's not able to store results Access-Accept for example from a existing ldap confirmed authentication?
No.
Would it be possible to store the result "Access-Accept" for a user + password combination for future approval?
No. That's not how EAP works. You *cannot* just cache EAP packets and expect it to work. Your options are: a) cache the Cleartext-Password (or whatever) returned from LDAP b) set up session resumption caching. See the "cache" subsection of mods-available/eap c) both of the above Alan DeKok.
Hello Alan, I was thinking about a hack...
From the established/Accepted connection from the person I would store the password encrypted sha512 or a better mechanism to encrypt. with a TTL in a database MariaDB or the like. If the system hits the cache, update control { Cache-Status-Only = 'yes' } cache if (User-Password && !notfound) { ldap if (!ok) { update control { Auth-Type := perl # Perl / Python script controls if the server is available or not, # If not uses the cache to do auth with the user password against the local hashed pass + username # Can do additional controls like OTP } } } if (User-Password && notfound) { update control { Auth-Type := ldap } } cache
In authorize { I have Auth-Type perl { if (!notfound) { perl } Any comments? } On Thu, Jan 14, 2021 at 5:36 PM Alan DeKok <aland@deployingradius.com> wrote:
On Jan 14, 2021, at 12:00 PM, André <netriver@gmail.com> wrote:
This only caches ldap attributes, it's not able to store results Access-Accept for example from a existing ldap confirmed authentication?
No.
Would it be possible to store the result "Access-Accept" for a user + password combination for future approval?
No.
That's not how EAP works. You *cannot* just cache EAP packets and expect it to work.
Your options are:
a) cache the Cleartext-Password (or whatever) returned from LDAP
b) set up session resumption caching. See the "cache" subsection of mods-available/eap
c) both of the above
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jan 14, 2021, at 1:13 PM, André <netriver@gmail.com> wrote:
I was thinking about a hack...
Why not keep it simple until you get this working?
From the established/Accepted connection from the person I would store the password encrypted sha512 or a better mechanism to encrypt.
Get it working first. Alan DeKok.
The process is working. Missing is the cache if the ldap server is down. A quinta, 14/01/2021, 19:56, Alan DeKok <aland@deployingradius.com> escreveu:
On Jan 14, 2021, at 1:13 PM, André <netriver@gmail.com> wrote:
I was thinking about a hack...
Why not keep it simple until you get this working?
From the established/Accepted connection from the person I would store the password encrypted sha512 or a better mechanism to encrypt.
Get it working first.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
André