Unifi wifi SSHA passwords freeradius
Сергей Черевко
ink.dude at mail.ru
Wed Feb 12 11:59:33 CET 2020
Hi!
I have Unifi wifi — freeradius — ldap
In LDAP I have SSHA passwords for users.
This config on GitHub helped me set up normal auth with SSHA passwords (instead of plaintext):
https://github.com/hacor/unifi-freeradius-ldap
I use TTLS + PAP.
All OK, but I have some trouble with a timeout (or something else).
After a few hours, wifi on the clients (iOS, Android, PC) stops working, and users must manually reconnect to the wifi network.
When we use plaintext passwords and PEAP auth, everything is OK; the clients do not stop working.
Logs
Info: rlm_ldap (ldap): Closing connection (11428): Hit idle_timeout, was idle for 61 seconds
Info: rlm_ldap (ldap): Closing connection (11433): Hit idle_timeout, was idle for 61 seconds
Info: Need 6 more connections to reach 10 spares
Info: rlm_ldap (ldap): Opening additional connection (11440), 1 of 28 pending slots used
Info: Need 5 more connections to reach 10 spares
Info: rlm_ldap (ldap): Opening additional connection (11441), 1 of 27 pending slots used
Info: Need 4 more connections to reach 10 spares
Info: rlm_ldap (ldap): Opening additional connection (11442), 1 of 26 pending slots used
Info: Need 3 more connections to reach 10 spares
Info: rlm_ldap (ldap): Opening additional connection (11443), 1 of 25 pending slots used
Info: rlm_ldap (ldap): Closing connection (11440): Hit idle_timeout, was idle for 116 seconds
Info: rlm_ldap (ldap): Closing connection (11438): Hit idle_timeout, was idle for 116 seconds
Info: rlm_ldap (ldap): Closing connection (11426): Hit idle_timeout, was idle for 116 seconds
Info: rlm_ldap (ldap): Closing connection (11439): Hit idle_timeout, was idle for 116 seconds
Info: rlm_ldap (ldap): Closing connection (11445): Hit idle_timeout, was idle for 105 seconds
Info: rlm_ldap (ldap): Closing connection (11442): Hit idle_timeout, was idle for 105 seconds
Info: rlm_ldap (ldap): Closing connection (11429): Hit idle_timeout, was idle for 105 seconds
Info: rlm_ldap (ldap): Closing connection (11443): Hit idle_timeout, was idle for 105 seconds
And here is my freeradius config:
EAP
# eap module: outer method defaults to TTLS; inside the TTLS tunnel the default
# is GTC, and the gtc section below maps GTC onto PAP, so the inner-tunnel
# request carries a cleartext User-Password that rlm_ldap can verify by binding
# as the user (see the inner-tunnel "Auth-Type := ldap" override).
eap {
default_eap_type = ttls
# Seconds an in-progress EAP conversation may sit idle before it is dropped.
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = ${max_requests}
md5 {
}
leap {
}
gtc {
# GTC responses are handed to PAP processing, which is what makes the
# SSHA-in-LDAP scheme work with a bind instead of a local hash compare.
auth_type = PAP
}
tls-config tls-common {
# Redacted in the post; in the real file this is the key passphrase.
private_key_password = XXX
private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
ca_file = ${cadir}/ca.pem
dh_file = ${certdir}/dh
ca_path = ${cadir}
cipher_list = "DEFAULT"
# The server does not impose its own cipher ordering on clients.
cipher_server_preference = no
ecdh_curve = "prime256v1"
cache {
# TLS session cache is off, so every (re)connect does a full TLS handshake
# rather than a resumption. NOTE(review): worth confirming whether enabling
# it changes the "clients must reconnect after a few hours" behaviour.
enable = no
lifetime = 24 # hours
}
verify {
}
ocsp {
# OCSP is disabled; the url below is unused until enable = yes. Note the
# literal leading/trailing spaces inside the quotes if it is ever enabled.
enable = no
override_cert_url = yes
url = " http://127.0.0.1/ocsp/ "
}
}
tls {
tls = tls-common
}
ttls {
tls = tls-common
# Inner method GTC -> PAP (see gtc section above).
default_eap_type = gtc
# Neither the outer request nor the inner reply is copied automatically;
# the inner-tunnel post-auth section is responsible for any copying.
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
peap {
tls = tls-common
# PEAP path (the one the author reports as working with plaintext passwords).
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
mschapv2 {
}
}
DEFAULT
# Outer virtual server: terminates the RADIUS request from the access point,
# runs the outer EAP (TTLS/PEAP) exchange and applies the post-auth policy.
server default {
listen {
type = auth
ipaddr = *
port = 0
# NOTE(review): the limit { } block applies to TCP transport; for the usual
# UDP auth listener these values are not what drives client disconnects.
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
ipaddr = *
port = 0
type = acct
limit {
}
}
authorize {
filter_username
preprocess
digest
suffix
# While an EAP conversation is in progress, eap returns ok and the rest of
# authorize is skipped for the outer request.
eap {
ok = return
#updated = return
}
files
# Leading "-" makes the module optional: no failure if sql is not loaded.
-sql
ldap
expiration
logintime
pap
# Force the LDAP bind path whenever a cleartext password is present, so the
# password is checked by the directory instead of compared locally by pap.
if (User-Password) {
update control {
Auth-Type := ldap
}
}
}
authenticate {
Auth-Type PAP {
#pap
ldap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
mschap
digest
# The bare "ldap" entry is what "Auth-Type := ldap" in authorize dispatches to;
# the surrounding Auth-Type wrapper was left commented out.
#Auth-Type LDAP {
ldap
#}
eap
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
unix
-sql
exec
attr_filter.accounting_response
}
session {
}
post-auth {
if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
update reply {
&User-Name !* ANY
}
}
# Anything the inner tunnel placed in session-state goes into the outer reply.
update {
&reply: += &session-state:
}
# Group-based policy on the OUTER identity. NOTE(review): the final else
# rejects every authenticated request whose LDAP-Group is not one of the vpn
# groups; with TTLS the outer User-Name may be an anonymous identity, so
# confirm this evaluates as intended for wifi users.
if (LDAP-Group == "vpn") {
vpn_l2tp_pool
}
elsif (LDAP-Group == "vpn-ext") {
vpn_l2tp_ext_pool
}
elsif (LDAP-Group == "vpn-1c") {
ok
}
else {
reject
}
-sql
exec
remove_reply_message_if_eap
Post-Auth-Type REJECT {
-sql
attr_filter.access_reject
eap
remove_reply_message_if_eap
}
Post-Auth-Type Challenge {
}
}
pre-proxy {
}
post-proxy {
eap
}
}
INNER TUNNEL
# Inner virtual server: handles the request carried inside the TLS tunnel
# (GTC/PAP for TTLS, MS-CHAPv2 for PEAP).
server inner-tunnel {
# NOTE(review): this listener accepts plain (non-tunnelled) requests on every
# interface; it normally exists only for local testing (127.0.0.1), so binding
# it to loopback keeps the untunnelled PAP path off the network - confirm
# nothing else relies on it being reachable.
listen {
ipaddr = *
port = 18120
type = auth
}
authorize {
filter_username
suffix
# Keep the inner request local; never proxy it.
update control {
&Proxy-To-Realm := LOCAL
}
eap {
ok = return
}
-sql
ldap
expiration
logintime
pap
# Same override as the outer server: check the password by LDAP bind.
if (User-Password) {
update control {
Auth-Type := ldap
}
}
}
authenticate {
Auth-Type PAP {
#pap
ldap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
mschap
# Bare "ldap" is the target of "Auth-Type := ldap" above.
# Auth-Type LDAP {
ldap
# }
eap
}
session {
radutmp
}
post-auth {
-sql
# Only members of the "wifi" group get through; everyone else is rejected here.
if (LDAP-Group == "wifi") {
noop
} else {
reject
}
# Disabled: with "if (0)" the inner reply is NOT copied to the outer
# session-state, so reply attributes set in this tunnel (e.g. from LDAP)
# do not reach the outer reply unless this is changed to "if (1)".
if (0) {
update reply {
User-Name !* ANY
Message-Authenticator !* ANY
EAP-Message !* ANY
Proxy-State !* ANY
MS-MPPE-Encryption-Types !* ANY
MS-MPPE-Encryption-Policy !* ANY
MS-MPPE-Send-Key !* ANY
MS-MPPE-Recv-Key !* ANY
}
update {
&outer.session-state: += &reply:
}
}
Post-Auth-Type REJECT {
-sql
attr_filter.access_reject
# Surface the inner failure reason to the outer request for logging.
update outer.session-state {
&Module-Failure-Message := &request:Module-Failure-Message
}
}
}
pre-proxy {
}
post-proxy {
eap
}
}
LDAP
# rlm_ldap: user lookup, group checks, per-user bind for password verification,
# and accounting/post-auth writes of a "description" attribute.
ldap {
# Plain LDAP (start_tls = no below); acceptable only while the directory
# really is on this host. Re-evaluate if server ever points off-box.
server = 'localhost'
# NOTE(review): a directory administrator DN is used for lookups and for the
# description writes below. A dedicated service account limited to read plus
# write on that one attribute would be least privilege, and since this
# credential appears in cleartext in a public post it should be rotated.
identity = 'cn=admin,dc=fusioncore,dc=local'
password = fusioncore
base_dn = 'ou=people,dc=fusioncore,dc=local'
sasl {
}
update {
# The stored hash is fetched for pap, but authorize overrides Auth-Type to
# ldap, so the actual check is the bind as the user rather than this hash.
control:Password-With-Header += 'userPassword'
control: += 'radiusControlAttribute'
request: += 'radiusRequestAttribute'
reply: += 'radiusReplyAttribute'
}
user {
base_dn = "${..base_dn}"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
sasl {
}
}
group {
base_dn = "ou=groups,dc=fusioncore,dc=local"
filter = '(objectClass=GroupOfNames)'
name_attribute = cn
# Membership is matched either by member=<user DN> or by memberUid=<uid>.
membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
# NOTE(review): membership_attribute is read from the USER entry (memberOf
# style); memberUid normally lives on the group entry - confirm intended.
membership_attribute = 'memberUid'
}
profile {
}
client {
base_dn = "${..base_dn}"
filter = '(objectClass=radiusClient)'
template {
}
attribute {
ipaddr = 'radiusClientIdentifier'
secret = 'radiusClientSecret'
}
}
# Each accounting event rewrites the user's description attribute; these
# writes are why the bind identity needs more than read access.
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
type {
start {
update {
description := "Online at %S"
}
}
interim-update {
update {
description := "Last seen at %S"
}
}
stop {
update {
description := "Offline at %S"
}
}
}
}
post-auth {
update {
description := "Authenticated at %S"
}
}
options {
# NOTE(review): with rebind = yes the identity/password above are, as I read
# rlm_ldap, re-sent to any server a referral points at - confirm that is
# acceptable before chasing referrals beyond localhost.
chase_referrals = yes
rebind = yes
res_timeout = 10
srv_timelimit = 3
net_timeout = 1
# TCP keepalive settings for the LDAP sockets.
idle = 60
probes = 3
interval = 3
# libldap debug flags; leave at 0 once the setup is stable.
ldap_debug = 0x0028
}
tls {
start_tls = no
}
# NOTE(review): the pool { } block below governs connections in 3.x; this
# older setting may be ignored - confirm.
ldap_connections_number = 5
pool {
start = ${thread[pool].start_servers}
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
# "Need N more connections to reach 10 spares" in the log comes from this.
spare = ${thread[pool].max_spare_servers}
uses = 0
retry_delay = 30
lifetime = 0
# The "Hit idle_timeout, was idle for 61 seconds" Info lines are this pool
# reaping idle connections - routine housekeeping, not a failure.
idle_timeout = 60
}
}