Yet another Freeradius+openldap eap-ttls pap issue

Work piepoli.antonio at gmail.com
Thu Nov 28 13:31:49 CET 2013


Hi there,

this is my first post on the list, and it's always a shame to start with 
a problem :).

I would like to implement a FreeRADIUS authentication server that uses 
OpenLDAP as backend and supports both PAP authentication (for the VPN 
client) and EAP-TTLS/PAP for the Wi-Fi LAN.

I think I've successfully configured FreeRADIUS for the PAP 
authentication with OpenLDAP, since radtest returns ok. In the ldap 
module I've also enabled the groupcheck, since in my company they want to 
restrict VPN access through LDAP group membership. This works great. To 
do this I've removed the comment from the groupcheck and added to the 
users file things like this:

DEFAULT LDAP-Group=="vpntest"
    Reply-Message="Test per VPN",
    Class="vpntest",
    Fall-Through = Yes

Is this ugly? My company does not want to add the radius schema to the users.


OK, now forget the small OT and let's focus on the real problem.

These are the configs:

root at ldap:/etc/freeradius# egrep -v '(#|^\s*$)' modules/ldap
ldap {
         server = "test-ldap.newenergygroup.com"
         identity = "cn=admin,dc=newenergygroup,dc=com"
         password = XXXXXXXXX
         basedn = "dc=newenergygroup,dc=com"
         filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
         password_attribute = userPassword
         ldap_connections_number = 5
         timeout = 4
         timelimit = 3
         net_timeout = 1
         tls {
                 start_tls = no
         }
         dictionary_mapping = ${confdir}/ldap.attrmap
         edir_account_policy_check = no
          groupname_attribute = cn
          groupmembership_filter = 
"(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
          groupmembership_attribute = radiusGroupName
}

egrep -v '(#|^\s*$)' sites-enabled/default
authorize {
         preprocess
         chap
         mschap
         suffix
         eap {
                 ok = return
         }
         files
         ldap
         expiration
         logintime
         pap
}
authenticate {
         Auth-Type PAP {
                 pap
         }
         Auth-Type CHAP {
                 chap
         }
         Auth-Type MS-CHAP {
                 mschap
         }
         unix
         Auth-Type LDAP {
                 ldap
         }

root at ldap:/etc/freeradius# egrep -v '(#|^\s*$)' eap.conf
         eap {
                 default_eap_type = ttls
                 timer_expire     = 60
                 ignore_unknown_eap_types = no
                 cisco_accounting_username_bug = no
                 max_sessions = 4096
                 md5 {
                 }
                 leap {
                 }
                 gtc {
                         auth_type = PAP
                 }
                 tls {
                         certdir = ${confdir}/certs
                         cadir = ${confdir}/certs
                         private_key_password = whatever
                         private_key_file = ${certdir}/server.key
                         certificate_file = ${certdir}/server.pem
                         CA_file = ${cadir}/ca.pem
                         dh_file = ${certdir}/dh
                         random_file = ${certdir}/random
                         cipher_list = "DEFAULT"
                         make_cert_command = "${certdir}/bootstrap"
                         cache {
                               enable = no
                               max_entries = 255
                         }
                 }
                 ttls {
                         default_eap_type = md5
                         copy_request_to_tunnel = no
                         use_tunneled_reply = no
                         virtual_server = "inner-tunnel"
                 }
                 peap {
                         default_eap_type = mschapv2
                         copy_request_to_tunnel = no
                         use_tunneled_reply = no
                         virtual_server = "inner-tunnel"
                 }
                 mschapv2 {
                 }
         }

I'm testing EAP with eapol_test -c eap_pool_test_config -a 127.0.0.1 -p 
1812 -s testing123 -r1, and the config is:

network={
eap=TTLS
ssid="example"
eapol_flags=0
key_mgmt=WPA-EAP
identity="atest"
password="atest"
#ca_cert="/etc/freeradius/certs/ccaa.pem"
phase2="auth=PAP"
}

The debug from radius is:

rad_recv: Access-Request packet from host 127.0.0.1 port 33653, id=0, 
length=118
         User-Name = "atest"
         NAS-IP-Address = 127.0.0.1
         Calling-Station-Id = "02-00-00-00-00-01"
         Framed-MTU = 1400
         NAS-Port-Type = Wireless-802.11
         Connect-Info = "CONNECT 11Mbps 802.11b"
         EAP-Message = 0x0200000a016174657374
         Message-Authenticator = 0xf57a3eb5217b5475fcd4acf2ab929c6c
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "atest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
   [ldap] Entering ldap_groupcmp()
[files]         expand: dc=newenergygroup,dc=com -> dc=newenergygroup,dc=com
[files]         expand: %{Stripped-User-Name} ->
[files]         ... expanding second conditional
[files]         expand: %{User-Name} -> atest
[files]         expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> 
(uid=atest)
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] attempting LDAP reconnection
   [ldap] (re)connect to test-ldap.newenergygroup.com:389, authentication 0
   [ldap] bind as cn=admin,dc=newenergygroup,dc=com/Ld4pPa$$w0rD to 
test-ldap.newenergygroup.com:389
   [ldap] waiting for bind result ...
   [ldap] Bind was successful
   [ldap] performing search in dc=newenergygroup,dc=com, with filter 
(uid=atest)
   [ldap] ldap_release_conn: Release Id: 0
[files]         expand: 
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) 
-> 
(|(&(objectClass=GroupOfNames)(member=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom)))
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=newenergygroup,dc=com, with filter 
(&(cn=vpnfullaccess)(|(&(objectClass=GroupOfNames)(member=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))))
   [ldap] object not found
   [ldap] ldap_release_conn: Release Id: 0
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in 
uid=atest,ou=people,dc=newenergygroup,dc=com, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
   [ldap] ldap_release_conn: Release Id: 0
   [ldap] Entering ldap_groupcmp()
[files]         expand: dc=newenergygroup,dc=com -> dc=newenergygroup,dc=com
[files]         expand: 
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) 
-> 
(|(&(objectClass=GroupOfNames)(member=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom)))
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=newenergygroup,dc=com, with filter 
(&(cn=vpnlowaccess)(|(&(objectClass=GroupOfNames)(member=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))))
   [ldap] object not found
   [ldap] ldap_release_conn: Release Id: 0
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in 
uid=atest,ou=people,dc=newenergygroup,dc=com, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
   [ldap] ldap_release_conn: Release Id: 0
   [ldap] Entering ldap_groupcmp()
[files]         expand: dc=newenergygroup,dc=com -> dc=newenergygroup,dc=com
[files]         expand: 
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) 
-> 
(|(&(objectClass=GroupOfNames)(member=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom)))
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=newenergygroup,dc=com, with filter 
(&(cn=vpntest)(|(&(objectClass=GroupOfNames)(member=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))))
   [ldap] object not found
   [ldap] ldap_release_conn: Release Id: 0
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in 
uid=atest,ou=people,dc=newenergygroup,dc=com, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
   [ldap] ldap_release_conn: Release Id: 0
   [ldap] Entering ldap_groupcmp()
[files]         expand: dc=newenergygroup,dc=com -> dc=newenergygroup,dc=com
[files]         expand: 
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) 
-> 
(|(&(objectClass=GroupOfNames)(member=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom)))
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=newenergygroup,dc=com, with filter 
(&(cn=vpntestadmin)(|(&(objectClass=GroupOfNames)(member=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3datest\2cou\3dpeople\2cdc\3dnewenergygroup\2cdc\3dcom))))
rlm_ldap::ldap_groupcmp: User found in group vpntestadmin
   [ldap] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 193
++[files] returns ok
[ldap] performing user authorization for atest
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> atest
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=atest)
[ldap]  expand: dc=newenergygroup,dc=com -> dc=newenergygroup,dc=com
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=newenergygroup,dc=com, with filter 
(uid=atest)
[ldap] Added User-Password = {MD5}tQzXLan1f4v2iAMD/1t2Ig== in check items
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user atest authorized to use remote access
   [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = LDAP
+- entering group LDAP {...}
   [ldap] Attribute "User-Password" is required for authentication.
   You seem to have set "Auth-Type := LDAP" somewhere.
   THAT CONFIGURATION IS WRONG.  DELETE IT.
   YOU ARE PREVENTING THE SERVER FROM WORKING PROPERLY.
++[ldap] returns invalid
Failed to authenticate the user.
Login incorrect: [atest] (from client localhost port 0 cli 
02-00-00-00-00-01)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> atest
  attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 0 to 127.0.0.1 port 33653
         Reply-Message = "Test per VPN ADMIN"
Waking up in 4.9 seconds.
Cleaning up request 0 ID 0 with timestamp +23
Ready to process requests.



Thank you :), hope I'm not missing something stupid; I've read a lot of 
documentation here and there.

PS: passwords in LDAP are stored in hash form.
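Added example, not from the post or from the FreeRADIUS project: one FreeRADIUS 2.x layout (version assumed from the debug format) in which the LDAP group check and the LDAP-backed password check only run where the request actually carries a cleartext password, i.e. the outer server for the VPN's plain PAP and the inner-tunnel for EAP-TTLS/PAP, and no users entry hard-codes Auth-Type := LDAP, which is what the ldap module's message in the debug refuses. The "updated = return" on the eap call is my choice, not the stock default.

```conf
# --- sites-enabled/default (outer server) ---
# Plain PAP from the VPN concentrator still reaches files, ldap and pap.
# EAP requests leave authorize at the eap module, also on the EAP-Identity
# round where eap returns "updated", so files and ldap never process an
# outer EAP-TTLS request (which carries no User-Password).
authorize {
        preprocess
        suffix
        eap {
                ok = return
                updated = return
        }
        files
        ldap
        expiration
        logintime
        pap
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type LDAP {
                ldap
        }
        eap
}
# --- sites-enabled/inner-tunnel (where EAP-TTLS/PAP is really checked) ---
# The tunnelled request does carry the cleartext password, so the same
# users-file group entries and the ldap module work here as for the VPN.
server inner-tunnel {
        authorize {
                suffix
                files
                ldap
                pap
        }
        authenticate {
                Auth-Type PAP {
                        pap
                }
                Auth-Type LDAP {
                        ldap
                }
        }
}
# --- users: group entries carry no Auth-Type; the modules choose it ---
DEFAULT LDAP-Group == "vpntest"
        Reply-Message = "Test per VPN",
        Class = "vpntest",
        Fall-Through = Yes
```

With this layout the outer debug should show eap returning and the LDAP group searches appearing only under the inner-tunnel request.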