FR 3 to AD via ldap
Hi, Im trying to use FR 3 to connect to remote AD via ldap module, tried playing with parameters but with no luck. Idk what i miss. I use own certificates. PEAP with MSCHAPv2. I config. ldap module : server = "pegasus.fri.uniza.sk" port = 636 base_dn = "dc=fri,dc=uniza,dc=sk" user { base_dn = "ou=People,dc=fri,dc=uniza,dc=sk" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" scope = 'sub' } options { chase_referrals = yes rebind = yes } tls { ca_path = ${certdir} ca_file = ${certdir}/cacert.cer certificate_file = ${certdir}/friradius.cer private_key_file = ${certdir}/friradius.key require_cert = "demand" } In sites-available/default and inner-tunnel I just added : authorize { ldap } In eap I config >eap { default_eap_type = peap tls { tls = tls-common } ttls { tls = tls-common default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" } peap { tls = tls-common default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" }In mschap >mschap { use_mppe = no require_encryption = yes require_strong = yes passchange { }}Also added realm to proxy >realm fri.uniza.sk {}Its starting all-right : "Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel Listening on auth address * port 1812 as server default Listening on acct address * port 1813 as server default Opening new proxy socket 'proxy address * port 0' Listening on proxy address * port 47617 Ready to process requests." But when I try radtest :radtest -t mschap matisko@fri.uniza.sk <password>localhost 0 testing123rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=213, length=20Debug is : (1) suffix : Looking up realm "fri.uniza.sk" for User-Name = "hajtmanek@fri.uniza.sk"(1) suffix : Found realm "fri.uniza.sk"(1) suffix : Adding Stripped-User-Name = "hajtmanek"(1) suffix : Adding Realm = "fri.uniza.sk"(1) suffix : Authentication realm is LOCAL.(1) [suffix] = ok(1) eap : No EAP-Message, not doing EAP(1) [eap] = noop(1) [files] = nooprlm_ldap (ldap): Reserved connection (4)(1) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})(1) ldap : --> (uid=hajtmanek)(1) ldap : EXPAND ou=People,dc=fri,dc=uniza,dc=sk(1) ldap : --> ou=People,dc=fri,dc=uniza,dc=sk(1) ldap : Performing search in 'ou=People,dc=fri,dc=uniza,dc=sk' with filter '(uid=hajtmanek)', scope 'sub'(1) ldap : Waiting for search result...(1) ERROR: ldap : Failed performing search: Please set 'chas e_referrals=yes' and 'rebind=yes'. See the ldap module configuration for details.(1) ERROR: ldap : Server said: 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1.rlm_ldap (ldap): Released connection (4)rlm_ldap (ldap): Opening additional connection (5)rlm_ldap (ldap): Connecting to pegasus.fri.uniza.sk:636TLS: warning: cacertdir not implemented for gnutlsrlm_ldap (ldap): Waiting for bind result...rlm_ldap (ldap): Bind successful(1) [ldap] = fail(1) } # authorize = fail(1) Invalid user (ldap: Failed performing search: Please set 'chase_referrals=yes' and 'rebind=yes'. See the ldap module configuration for details.): [hajtmanek/pokus123] (from client localhost port 0)(1) Using Post-Auth-Type RejectBinding is succesfull, referals and rebind are changed. SSL handshake I think is ok (according to wireshark :) ).
On Sat, Apr 12, 2014 at 12:51:54AM +0200, Bc. Radovan Matisko wrote:
Hi, Im trying to use FR 3 to connect to remote AD via ldap module, tried playing with parameters but with no luck. Idk what i miss. I use own certificates. PEAP with MSCHAPv2.
You can't auth against LDAP when using PEAP/EAP-MSCHAPv2. http://deployingradius.com/documents/protocols/compatibility.html (AD LDAP won't give you the clear-text password or NT hash.) Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
So when I want to stick to peap/mschapv2, I have to use ntlm_auth module then.
participants (2)
-
Bc. Radovan Matisko -
Matthew Newton