Freeradius - LDAP Auth
online at berg-ner.de
Thu Dec 10 10:49:09 CET 2020
Hello to everyone,
After reading the whole internet and searching for solutions in vain, I am trying my luck here.
First of all, my goal: it should work quite simply. If you choose the WLAN, you should be able to log in with your LDAP access data.
After trying a lot of things, the same or even new errors appear again and again.
The LDAP connection exists in any case. It finds the user in the exact OU. I already tried it with a certain group (so only if the user is in the group "wlan" can he log in). It could also check the group.
My question is: Is it because of some config that it does not work, or is it because of the domain controller?
ldap.conf:
-----------------------------------------------------------------------------------------------
ldap {
    server = "ldap://intranet.***.de"
    # Bind account used for the user and group searches.
    identity = "INTRANET\*USERNAME*"
    password = "*******"
    base_dn = "DC=intranet,DC=DC,DC=de"

    sasl {
    }

    update {
        # Active Directory never returns userPassword over LDAP, so this
        # mapping leaves the mschap and pap modules without a "known good"
        # password (see the WARNING lines in the -X output below).
        control:Password-With-Header += 'userPassword'
        control:                     += 'radiusControlAttribute'
        request:                     += 'radiusRequestAttribute'
        reply:                       += 'radiusReplyAttribute'
    }

    user {
        base_dn = "${..base_dn}"
        filter = "(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
        sasl {
        }
    }

    group {
        base_dn = 'DC=intranet,DC=*DC*,DC=de'
        # posixGroup is the stock default; AD groups carry objectClass=group.
        filter = '(objectClass=posixGroup)'
        scope = 'sub'
        name_attribute = cn
        membership_filter = "(member=%{control:Ldap-UserDn})"
        membership_attribute = 'memberOf'
    }

    # Section names are lower-case in the module config ("Profile" and "Tls"
    # as posted would not be recognised).
    profile {
    }

    client {
        base_dn = "${..base_dn}"
        filter = '(objectClass=radiusClient)'
        template {
        }
        attribute {
            ipaddr = 'radiusClientIdentifier'
            secret = 'radiusClientSecret'
        }
    }

    accounting {
        reference = "%{tolower:type.%{Acct-Status-Type}}"
        type {
            start {
                update {
                    description := "Online at %S"
                }
            }
            interim-update {
                update {
                    description := "Last seen at %S"
                }
            }
            stop {
                update {
                    description := "Offline at %S"
                }
            }
        }
    }

    post-auth {
        update {
            description := "Authenticated at %S"
        }
    }

    options {
        chase_referrals = yes
        rebind = yes
        res_timeout = 10
        srv_timelimit = 3
        net_timeout = 1
        idle = 60
        probes = 3
        interval = 3
        ldap_debug = 0x0028
    }

    tls {
    }

    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = ${thread[pool].max_servers}
        spare = ${thread[pool].max_spare_servers}
        uses = 0
        retry_delay = 30
        lifetime = 0
        idle_timeout = 60
    }
}
-----------------------------------------------------------------------------------------------
sites-enabled/default and inner-tunnel:
-----------------------------------------------------------------------------------------------
The files are both still standard. The only thing I have added is:
    -ldap
    if ((ok || updated) && User-Password && !control:Auth-Type) {
        update {
            control:Auth-Type := ldap
        }
    }
in the authorize section.
-----------------------------------------------------------------------------------------------
freeradius -X:
-----------------------------------------------------------------------------------------------
(7) Received Access-Request Id 25 from *Accesspoint-IP* to *Radius-Server-IP:1812* length 371
(7) User-Name = "*USERNAME*"
(7) NAS-IP-Address = *AccessPoint-IP*
(7) NAS-Identifier = "TP-Link:B0-BE-76-24-73-FF"
(7) NAS-Port-Id = "00000001"
(7) Called-Station-Id = "B0-BE-76-24-73-FF:ldap_auth"
(7) NAS-Port-Type = Wireless-802.11
(7) Event-Timestamp = "Nov 25 2020 11:52:42 UTC"
(7) Service-Type = Framed-User
(7) Calling-Station-Id = "6A-95-50-D9-1B-DC"
(7) Connect-Info = "CONNECT 0Mbps 802.11b"
(7) Acct-Session-Id = "b0be762473ff-357FC6FB8137FBBA"
(7) Acct-Multi-Session-Id = "97193BFF112F1388"
(7) WLAN-Pairwise-Cipher = 1027076
(7) WLAN-Group-Cipher = 1027076
(7) WLAN-AKM-Suite = 1027073
(7) Framed-MTU = 1400
(7) EAP-Message = 0x0238006219001703030057b1de21bae8c7f5d43e9cefcb5c41ba58ac82f19aea43c4ed3c21feb1a2c3d6372f73a55132eb0157bf9792ab55d4ba3674125df5a3bdace00a31a870f5207823f75aaca3a15aa1ba23107d8ccd9cc1f0da3abd0f10c8cb
(7) State = 0x91de85df97e69c726c333a62068cc31c
(7) Message-Authenticator = 0xd2c7816cb5763af4c1102989e178783a
(7) Restoring &session-state
(7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7) &session-state:TLS-Session-Version = "TLS 1.2"
(7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "*USERNAME*", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 56 length 98
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0x6d94a36d6dacb9f9
(7) eap: Finished EAP session with state 0x91de85df97e69c72
(7) eap: Previous EAP request found for state 0x91de85df97e69c72, released from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state phase2
(7) eap_peap: EAP method MSCHAPv2 (26)
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message = 0x023800431a0238003e31976c2f5de49266406d03aa536085bfe2000000000000000079adbba2193c9312ebf9719bd0060b3fc13cdb7f8f7aeece00666c6f7269616e62
(7) eap_peap: Setting User-Name to *USERNAME*
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap: EAP-Message = 0x023800431a0238003e31976c2f5de49266406d03aa536085bfe2000000000000000079adbba2193c9312ebf9719bd0060b3fc13cdb7f8f7aeece00666c6f7269616e62
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = "*USERNAME*"
(7) eap_peap: State = 0x6d94a36d6dacb9f97126b7451b802a00
(7) Virtual server inner-tunnel received request
(7) EAP-Message = 0x023800431a0238003e31976c2f5de49266406d03aa536085bfe2000000000000000079adbba2193c9312ebf9719bd0060b3fc13cdb7f8f7aeece00666c6f7269616e62
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = "*USERNAME*"
(7) State = 0x6d94a36d6dacb9f97126b7451b802a00
(7) WARNING: Outer and inner identities are the same. User privacy is compromised.
(7) server inner-tunnel {
(7) session-state: No cached attributes
(7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [chap] = noop
(7) [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "*USERNAME*", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) update control {
(7) &Proxy-To-Realm := LOCAL
(7) } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 56 length 67
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
(7) [files] = noop
rlm_ldap (ldap): Reserved connection (1)
(7) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
(7) ldap: --> (samaccountname=*USERNAME*)
(7) ldap: Performing search in "DC=INTRANET,DC=*DC*,DC=de" with filter "(samaccountname=*USERNAME*)", scope "sub"
(7) ldap: Waiting for search result...
rlm_ldap (ldap): Rebinding to URL ldap://ForestDnsZones.INTRANET.*domain*.de/DC=ForestDnsZones,DC=*DC*,DC=*DC*,DC=de
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://DomainDnsZones.INTRANET.*domain*.de/DC=DomainDnsZones,DC=*DC*,DC=*DC*,DC=de
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(7) ldap: User object found at DN "CN=Name Surname,OU=*OU*,OU=*OU*,OU=*OU*,OU=*OU*,DC=*DC*,DC=*DC,DC=*DC*"
(7) ldap: Processing user attributes
(7) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(7) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Deleting connection (1) - Was referred to a different LDAP server
(7) [ldap] = ok
(7) if ((ok || updated) && User-Password && !control:Auth-Type) {
(7) if ((ok || updated) && User-Password && !control:Auth-Type) -> FALSE
(7) [expiration] = noop
(7) [logintime] = noop
(7) [pap] = noop
(7) } # authorize = updated
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap: Expiring EAP session with state 0x6d94a36d6dacb9f9
(7) eap: Finished EAP session with state 0x6d94a36d6dacb9f9
(7) eap: Previous EAP request found for state 0x6d94a36d6dacb9f9, released from the list
(7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) eap_mschapv2: authenticate {
(7) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(7) mschap: Creating challenge hash with username: *USERNAME*
(7) mschap: Client is using MS-CHAPv2
(7) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(7) mschap: ERROR: MS-CHAP2-Response is incorrect
(7) eap_mschapv2: [mschap] = reject
(7) eap_mschapv2: } # authenticate = reject
(7) eap: Sending EAP Failure (code 4) ID 56 length 4
(7) eap: Freeing handler
(7) [eap] = reject
(7) } # authenticate = reject
(7) Failed to authenticate the user
(7) Using Post-Auth-Type Reject
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) Post-Auth-Type REJECT {
(7) attr_filter.access_reject: EXPAND %{User-Name}
(7) attr_filter.access_reject: --> *USERNAME*
(7) attr_filter.access_reject: Matched entry DEFAULT at line 11
(7) [attr_filter.access_reject] = updated
(7) update outer.session-state {
(7) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: FAILED: No NT/LM-Password. Cannot perform authentication'
(7) } # update outer.session-state = noop
(7) } # Post-Auth-Type REJECT = updated
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7) MS-CHAP-Error = "8E=691 R=1 C=6d62be4a6a391d62280be8faba594674 V=3 M=Authentication rejected"
(7) EAP-Message = 0x04380004
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: Got tunneled reply code 3
(7) eap_peap: MS-CHAP-Error = "8E=691 R=1 C=6d62be4a6a391d62280be8faba594674 V=3 M=Authentication rejected"
(7) eap_peap: EAP-Message = 0x04380004
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: Got tunneled reply RADIUS code 3
(7) eap_peap: MS-CHAP-Error = "8E=691 R=1 C=6d62be4a6a391d62280be8faba594674 V=3 M=Authentication rejected"
(7) eap_peap: EAP-Message = 0x04380004
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: Tunneled authentication was rejected
(7) eap_peap: FAILURE
(7) eap: Sending EAP Request (code 1) ID 57 length 46
(7) eap: EAP session adding &reply:State = 0x91de85df96e79c72
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7) Challenge { ... } # empty sub-section is ignored
(7) session-state: Saving cached attributes
(7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7) TLS-Session-Version = "TLS 1.2"
(7) Module-Failure-Message := "mschap: FAILED: No NT/LM-Password. Cannot perform authentication"
(7) Sent Access-Challenge Id 25 from *Radius-Server-IP:1812* to *Accesspoint-IP* length 0
(7) EAP-Message = 0x0139002e1900170303002371c86c4f9605471aebfaa3b34ed5f06357d0eb547c2c853c97853ab157bee0b162981c
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x91de85df96e79c726c333a62068cc31c
(7) Finished request
Waking up in 4.8 seconds.
(8) Received Access-Request Id 26 from *Accesspoint-IP* to *Radius-Server-IP:1812* length 319
(8) User-Name = "*USERNAME*"
(8) NAS-IP-Address = *AccessPoint-IP*
(8) NAS-Identifier = "TP-Link:B0-BE-76-24-73-FF"
(8) NAS-Port-Id = "00000001"
(8) Called-Station-Id = "B0-BE-76-24-73-FF:ldap_auth"
(8) NAS-Port-Type = Wireless-802.11
(8) Event-Timestamp = "Nov 25 2020 11:52:42 UTC"
(8) Service-Type = Framed-User
(8) Calling-Station-Id = "6A-95-50-D9-1B-DC"
(8) Connect-Info = "CONNECT 0Mbps 802.11b"
(8) Acct-Session-Id = "b0be762473ff-357FC6FB8137FBBA"
(8) Acct-Multi-Session-Id = "97193BFF112F1388"
(8) WLAN-Pairwise-Cipher = 1027076
(8) WLAN-Group-Cipher = 1027076
(8) WLAN-AKM-Suite = 1027073
(8) Framed-MTU = 1400
(8) EAP-Message = 0x0239002e19001703030023b1de21bae8c7f5d5fe5ace2f015bb1493cfc51fce39ec097cb3b7adc33072b2fd5928f
(8) State = 0x91de85df96e79c726c333a62068cc31c
(8) Message-Authenticator = 0xd60eadff0ff86f1364a45131245674c1
(8) Restoring &session-state
(8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(8) &session-state:TLS-Session-Version = "TLS 1.2"
(8) &session-state:Module-Failure-Message := "mschap: FAILED: No NT/LM-Password. Cannot perform authentication"
(8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "*USERNAME*", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 57 length 46
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0x91de85df96e79c72
(8) eap: Finished EAP session with state 0x91de85df96e79c72
(8) eap: Previous EAP request found for state 0x91de85df96e79c72, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state send tlv failure
(8) eap_peap: Received EAP-TLV response
(8) eap_peap: ERROR: The users session was previously rejected: returning reject (again.)
(8) eap_peap: This means you need to read the PREVIOUS messages in the debug output
(8) eap_peap: to find out the reason why the user was rejected
(8) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you
(8) eap_peap: what went wrong, and how to fix the problem
(8) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(8) eap: Sending EAP Failure (code 4) ID 57 length 4
(8) eap: Failed in EAP select
(8) [eap] = invalid
(8) } # authenticate = invalid
(8) Failed to authenticate the user
(8) Using Post-Auth-Type Reject
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8) Post-Auth-Type REJECT {
(8) attr_filter.access_reject: EXPAND %{User-Name}
(8) attr_filter.access_reject: --> *USERNAME*
(8) attr_filter.access_reject: Matched entry DEFAULT at line 11
(8) [attr_filter.access_reject] = updated
(8) [eap] = noop
(8) policy remove_reply_message_if_eap {
(8) if (&reply:EAP-Message && &reply:Reply-Message) {
(8) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(8) else {
(8) [noop] = noop
(8) } # else = noop
(8) } # policy remove_reply_message_if_eap = noop
(8) } # Post-Auth-Type REJECT = updated
(8) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(8) Sending delayed response
(8) Sent Access-Reject Id 26 from *Radius-Server-IP:1812* to *Accesspoint-IP* length 44
(8) EAP-Message = 0x04390004
(8) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
(0) Cleaning up request packet ID 18 with timestamp +11
(1) Cleaning up request packet ID 19 with timestamp +11
(2) Cleaning up request packet ID 20 with timestamp +11
(3) Cleaning up request packet ID 21 with timestamp +11
(4) Cleaning up request packet ID 22 with timestamp +11
(5) Cleaning up request packet ID 23 with timestamp +11
(6) Cleaning up request packet ID 24 with timestamp +11
(7) Cleaning up request packet ID 25 with timestamp +11
(8) Cleaning up request packet ID 26 with timestamp +11
Ready to process requests
Sincerely yours
Florian Bergner
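An added triage helper for the debug output above, not part of the original post and not FreeRADIUS code. It groups a constructed `-X` excerpt (same line shapes as the post, with documentation addresses and DNs) by request number, extracts the reply code, the inner EAP method, the first module that returned `reject` and the WARNING/ERROR lines, and names the failure chain seen here: MS-CHAPv2 can only be verified against an NT hash (`NT-Password`) or a `Cleartext-Password`, and an LDAP search against Active Directory returns neither, so `mschap` rejects and the follow-up request is rejected again.

```python
import re
from collections import defaultdict
# Constructed sample shaped like the freeradius -X output in the post (placeholders only).
SAMPLE_LOG = """\
(7) Received Access-Request Id 25 from 192.0.2.10 to 192.0.2.1:1812 length 371
(7) ldap: User object found at DN "CN=Name Surname,OU=Staff,DC=example,DC=de"
(7) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(7) [ldap] = ok
(7) eap_peap: EAP method MSCHAPv2 (26)
(7) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(7) eap_mschapv2: [mschap] = reject
(7) Sent Access-Challenge Id 25 from 192.0.2.1:1812 to 192.0.2.10 length 0
(8) eap_peap: ERROR: The users session was previously rejected: returning reject (again.)
(8) Sent Access-Reject Id 26 from 192.0.2.1:1812 to 192.0.2.10 length 44
"""

REQ_RE = re.compile(r"^\((\d+)\)\s+(.*)$")                  # "(7) ..." request prefix
DIAG_RE = re.compile(r"^(\w+): (WARNING|ERROR): (.*)$")      # "mschap: ERROR: ..."
REJECT_RE = re.compile(r"^(?:\w+: )?\[(\w+)\] = reject$")    # "[mschap] = reject"
METHOD_RE = re.compile(r"^eap_peap: EAP method (\S+)")

def parse_debug(text):
    """Group the (N)-prefixed lines of a -X dump by request number."""
    requests = defaultdict(list)
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            requests[int(m.group(1))].append(m.group(2).strip())
    return dict(requests)

def triage(lines):
    """Per request: RADIUS reply code, inner EAP method, the module that
    first returned 'reject', and every module WARNING/ERROR line."""
    info = {"reply": None, "eap_method": None, "rejected_by": None,
            "warnings": [], "errors": []}
    for line in lines:
        if line.startswith("Sent Access-"):
            info["reply"] = line.split()[1]
        if m := METHOD_RE.match(line):
            info["eap_method"] = m.group(1)
        if (m := REJECT_RE.match(line)) and info["rejected_by"] is None:
            info["rejected_by"] = m.group(1)
        if m := DIAG_RE.match(line):
            key = "warnings" if m.group(2) == "WARNING" else "errors"
            info[key].append(f"{m.group(1)}: {m.group(3)}")
    return info

def diagnose(info):
    """Name the root cause: MS-CHAPv2 needs NT-Password or Cleartext-Password,
    and an LDAP search against Active Directory supplies neither."""
    if info["eap_method"] == "MSCHAPv2" and any("No NT/LM-Password" in e for e in info["errors"]):
        return "mschap has no NT-Password: AD does not hand out password hashes over LDAP"
    if any("previously rejected" in e for e in info["errors"]):
        return "follow-up to an earlier reject; read the previous request's lines"
    return "no known pattern"
```

Run `diagnose(triage(lines))` over each request from `parse_debug(open(path).read())` to jump straight to the first real reject instead of the repeated "previously rejected" lines.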