Unifi wifi SSHA passwords freeradius

Alan Buxey alan.buxey at gmail.com
Wed Feb 12 12:26:14 CET 2020


hi,

your ldap connection pool is borked: the values you have are horrible. The
pool section copies the thread-pool numbers (start/min/max/spare) and then
closes anything idle for 60 seconds, so the server keeps opening connections
to reach 10 spares and closing them again a minute later — exactly what your
log shows. Start with the defaults (in fact, if you have no problem with
long-lived connections then disable the auto pool stuff and just have,
e.g., 8 connections).

alan

On Wed, 12 Feb 2020 at 10:59, Сергей Черевко via Freeradius-Users
<freeradius-users at lists.freeradius.org> wrote:
>
>
>
> Hi!
>
> I have a UniFi Wi-Fi setup: UniFi — FreeRADIUS — LDAP.
>
> In LDAP the users' passwords are stored as SSHA hashes.
>
> This config on GitHub helped me set up working authentication against the SSHA passwords (instead of plaintext):
> https://github.com/hacor/unifi-freeradius-ldap
>
> I use EAP-TTLS with PAP as the inner method.
>
> Everything works, but I have a problem that looks like a timeout (or something else).
>
> After a few hours the Wi-Fi on clients (iOS, Android, PC) stops working, and users must manually reconnect to the network.
>
> When we used plaintext passwords in LDAP with PEAP authentication, everything was fine — clients did not drop.
>
>
> Logs
>
> Info: rlm_ldap (ldap): Closing connection (11428): Hit idle_timeout, was idle for 61 seconds
> Info: rlm_ldap (ldap): Closing connection (11433): Hit idle_timeout, was idle for 61 seconds
> Info: Need 6 more connections to reach 10 spares
> Info: rlm_ldap (ldap): Opening additional connection (11440), 1 of 28 pending slots used
> Info: Need 5 more connections to reach 10 spares
> Info: rlm_ldap (ldap): Opening additional connection (11441), 1 of 27 pending slots used
> Info: Need 4 more connections to reach 10 spares
> Info: rlm_ldap (ldap): Opening additional connection (11442), 1 of 26 pending slots used
> Info: Need 3 more connections to reach 10 spares
> Info: rlm_ldap (ldap): Opening additional connection (11443), 1 of 25 pending slots used
>
> Info: rlm_ldap (ldap): Closing connection (11440): Hit idle_timeout, was idle for 116 seconds
> Info: rlm_ldap (ldap): Closing connection (11438): Hit idle_timeout, was idle for 116 seconds
> Info: rlm_ldap (ldap): Closing connection (11426): Hit idle_timeout, was idle for 116 seconds
> Info: rlm_ldap (ldap): Closing connection (11439): Hit idle_timeout, was idle for 116 seconds
> Info: rlm_ldap (ldap): Closing connection (11445): Hit idle_timeout, was idle for 105 seconds
> Info: rlm_ldap (ldap): Closing connection (11442): Hit idle_timeout, was idle for 105 seconds
> Info: rlm_ldap (ldap): Closing connection (11429): Hit idle_timeout, was idle for 105 seconds
> Info: rlm_ldap (ldap): Closing connection (11443): Hit idle_timeout, was idle for 105 seconds
>
> And here is my FreeRADIUS config:
>
> EAP
>
> # rlm_eap configuration as posted. The outer method is EAP-TTLS; the inner
> # credential is a PAP password (cleartext inside the TLS tunnel), which is
> # what lets the LDAP bind in the virtual servers work against an SSHA-hashed
> # userPassword.
> eap {
>     # First EAP type offered to clients. A client may NAK and ask for any
>     # other type configured in this section (md5, leap, tls, peap ...).
>     default_eap_type = ttls
>     timer_expire     = 60
>     ignore_unknown_eap_types = no
>     cisco_accounting_username_bug = no
>     max_sessions = ${max_requests}
>     # NOTE(review): EAP-MD5 and LEAP are enabled but nothing in the posted
>     # setup uses them. Both are weak (no server authentication, offline
>     # crackable exchanges) and a client that NAKs the default type can
>     # negotiate down to them. Remove them unless something relies on them.
>     md5 {
>     }
>     leap {
>     }
>     # If a client sends EAP-GTC inside the tunnel it is treated as PAP and
>     # goes down the same LDAP-bind path as plain TTLS/PAP.
>     gtc {
>         auth_type = PAP
>     }
>     tls-config tls-common {
>         # Redacted before posting - keep it that way in bug reports.
>         private_key_password = XXX
>         private_key_file = ${certdir}/server.pem
>         certificate_file = ${certdir}/server.pem
>         ca_file = ${cadir}/ca.pem
>         dh_file = ${certdir}/dh
>         ca_path = ${cadir}
>         # cipher_server_preference = no lets the client's order win within
>         # OpenSSL's DEFAULT list; consider pinning a modern list once the
>         # supplicant population is known.
>         cipher_list = "DEFAULT"
>         cipher_server_preference = no
>         ecdh_curve = "prime256v1"
>         # TLS session resumption is OFF, so every 802.1X reauthentication
>         # (Session-Timeout expiry, roaming) is a full handshake plus a fresh
>         # inner auth and LDAP bind. Enabling the cache makes reauths cheaper;
>         # whether it changes the "drops after a few hours" symptom is not
>         # shown by this config alone - check the NAS reauthentication interval.
>         cache {
>             enable = no
>             lifetime = 24 # hours
>         }
>         # Client-certificate verification and OCSP are off; acceptable for
>         # TTLS/PEAP, where clients are authenticated by password rather than
>         # by certificate.
>         verify {
>         }
>         ocsp {
>             enable = no
>             override_cert_url = yes
>             # NOTE(review): the URL has stray spaces inside the quotes. Harmless
>             # while enable = no, but fix it before ever turning OCSP on.
>             url = " http://127.0.0.1/ocsp/ "
>         }
>     }
>
>     tls {
>         tls = tls-common
>     }
>     # EAP-TTLS: the inner request is handed to the "inner-tunnel" virtual
>     # server. copy_request_to_tunnel / use_tunneled_reply are off, so outer
>     # attributes are not visible inside and inner reply attributes are not
>     # copied out automatically.
>     ttls {
>         tls = tls-common
>         default_eap_type = gtc
>         copy_request_to_tunnel = no
>         use_tunneled_reply = no
>         virtual_server = "inner-tunnel"
>     }
>     # PEAP/MSCHAPv2 needs a cleartext or NT-hash password on the server side,
>     # which is why (per the poster) it only worked while LDAP held plaintext
>     # passwords; MSCHAPv2 cannot be verified against an SSHA hash or by an
>     # LDAP bind.
>     peap {
>         tls = tls-common
>         default_eap_type = mschapv2
>         copy_request_to_tunnel = no
>         use_tunneled_reply = no
>         virtual_server = "inner-tunnel"
>     }
>     mschapv2 {
>     }
> }
>
> DEFAULT
>
> # Outer ("default") virtual server: receives the RADIUS requests from the
> # UniFi APs (and the non-EAP VPN clients handled in post-auth). For EAP the
> # real authentication happens in inner-tunnel; this server only carries the
> # TLS tunnel and applies the post-auth policy below.
> server default {
> listen {
>     type = auth
>     ipaddr = *
>     # port = 0 means the standard port for the listener type.
>     port = 0
>     # These limits apply to TCP RADIUS connections; they do not affect UDP
>     # requests or the lifetime of the wifi sessions themselves, so they are
>     # not the "timeout" being hunted for here.
>     limit {
>           max_connections = 16
>           lifetime = 0
>           idle_timeout = 30
>     }
> }
> listen {
>     ipaddr = *
>     port = 0
>     type = acct
>     limit {
>     }
> }
> authorize {
>     filter_username
>     preprocess
>     digest
>     suffix
>     # EAP requests normally stop here (ok = return): files/ldap/pap below
>     # only run for non-EAP requests such as the VPN users.
>     eap {
>         ok = return
>         #updated = return
>     }
>     files
>     -sql
>     ldap
>     expiration
>     logintime
>     pap
>     # Any request carrying a cleartext User-Password is forced to LDAP
>     # authentication (a bind as the user), overriding whatever Auth-Type
>     # pap just set.
>         if (User-Password) {
>             update control {
>                    Auth-Type := ldap
>             }
>         }
> }
> authenticate {
>     # pap is commented out: PAP is verified by binding to LDAP as the user,
>     # which works regardless of how the directory hashes userPassword.
>     Auth-Type PAP {
>         #pap
>         ldap
>     }
>     Auth-Type CHAP {
>         chap
>     }
>     Auth-Type MS-CHAP {
>         mschap
>     }
>     mschap
>     digest
>     # The bare "ldap" stands in for the commented-out Auth-Type LDAP
>     # sub-section and is the branch selected by the Auth-Type := ldap set in
>     # authorize - confirm with radiusd -X that this is the branch taken.
>     #Auth-Type LDAP {
>         ldap
>     #}
>     eap
> }
> preacct {
>     preprocess
>     acct_unique
>     suffix
>     files
> }
> accounting {
>     detail
>     unix
>     -sql
>     exec
>     attr_filter.accounting_response
> }
> session {
> }
> post-auth {
>     # Drop a reply User-Name that merely echoes the request one, then merge
>     # whatever the inner tunnel stashed in session-state into the reply.
>     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
>         update reply {
>             &User-Name !* ANY
>         }
>     }
>     update {
>         &reply: += &session-state:
>     }
>
>     # VPN group policy. Each LDAP-Group comparison is a live group search in
>     # the directory (see the ldap module's group {} section), keyed on the
>     # outer identity. vpn_l2tp_pool / vpn_l2tp_ext_pool are defined outside
>     # this excerpt (presumably ippool instances).
>     # NOTE(review): the final else rejects every user who is in none of the
>     # vpn groups. Successful EAP wifi authentications also pass through this
>     # outer post-auth, so unless wifi users are members of one of these
>     # groups as well they would be rejected here - verify in a debug run.
>         if (LDAP-Group == "vpn") {
>         vpn_l2tp_pool
>         }
>         elsif (LDAP-Group == "vpn-ext") {
>         vpn_l2tp_ext_pool
>         }
>         elsif (LDAP-Group == "vpn-1c") {
>         ok
>         }
>         else {
>         reject
>         }
>     -sql
>     exec
>     remove_reply_message_if_eap
>     # eap here wraps a reject in a proper EAP-Failure for EAP sessions.
>     Post-Auth-Type REJECT {
>         -sql
>         attr_filter.access_reject
>         eap
>         remove_reply_message_if_eap
>     }
>     Post-Auth-Type Challenge {
>     }
> }
> pre-proxy {
> }
> post-proxy {
>     eap
> }
> }
>
> INNER TUNNEL
>
> # Inner virtual server for the TTLS/PEAP tunnel. It is invoked internally by
> # rlm_eap (virtual_server = "inner-tunnel"); the listen section is normally
> # only needed for feeding inner requests by hand with radtest/radclient.
> server inner-tunnel {
> # NOTE(review): the stock configuration binds this listener to 127.0.0.1.
> # With ipaddr = * the inner-tunnel server is reachable from the network on
> # UDP/18120, and any host whose address matches a clients.conf entry and
> # which knows that client's secret could submit inner requests directly,
> # bypassing the TLS tunnel. Bind it to 127.0.0.1 or drop the listen section.
> listen {
>        ipaddr = *
>        port = 18120
>        type = auth
> }
> authorize {
>     filter_username
>     suffix
>     # Never proxy the inner request, whatever realm suffix it carries.
>     update control {
>         &Proxy-To-Realm := LOCAL
>     }
>     eap {
>         ok = return
>     }
>     -sql
>     # Looks the user up and copies userPassword (SSHA) into
>     # control:Password-With-Header, per the ldap module's update {} section.
>     ldap
>     expiration
>     logintime
>     pap
>     # A tunneled PAP password forces LDAP-bind authentication, overriding
>     # whatever pap just decided; this is the "TTLS + PAP against SSHA" path.
>     if (User-Password) {
>             update control {
>                 Auth-Type := ldap
>             }
>         }
> }
> authenticate {
>     # Same arrangement as the outer server: pap disabled, LDAP bind instead.
>     Auth-Type PAP {
>         #pap
>         ldap
>     }
>     Auth-Type CHAP {
>         chap
>     }
>     Auth-Type MS-CHAP {
>         mschap
>     }
>     mschap
>     # Bare ldap stands in for the commented-out Auth-Type LDAP block and is
>     # what Auth-Type := ldap selects - confirm with radiusd -X.
> #    Auth-Type LDAP {
>         ldap
> #    }
>     eap
> }
> session {
>     radutmp
> }
> post-auth {
>     -sql
>     # Wifi access gate: only members of the LDAP "wifi" group get through.
>     # Each evaluation is a live group search in the directory.
>                 if (LDAP-Group == "wifi") {
>                 noop
>                 } else {
>                 reject
>                 }
>     # Dead code (if (0)): the stock example for copying inner reply
>     # attributes to the outer session-state is disabled, consistent with
>     # use_tunneled_reply = no in the eap module.
>     if (0) {
>         update reply {
>             User-Name !* ANY
>             Message-Authenticator !* ANY
>             EAP-Message !* ANY
>             Proxy-State !* ANY
>             MS-MPPE-Encryption-Types !* ANY
>             MS-MPPE-Encryption-Policy !* ANY
>             MS-MPPE-Send-Key !* ANY
>             MS-MPPE-Recv-Key !* ANY
>         }
>         update {
>             &outer.session-state: += &reply:
>         }
>     }
>     # On inner reject, surface the failing module's message to the outer
>     # request so it shows up in the outer log.
>     Post-Auth-Type REJECT {
>         -sql
>         attr_filter.access_reject
>         update outer.session-state {
>             &Module-Failure-Message := &request:Module-Failure-Message
>         }
>     }
> }
> pre-proxy {
> }
> post-proxy {
>     eap
> }
> }
>
> LDAP
>
> # rlm_ldap instance. The directory is local (loopback, no TLS); the server
> # binds as a directory admin for searches and writes, and authenticates
> # users by binding as them (Auth-Type := ldap in both virtual servers).
> ldap {
>     # Loopback-only, so start_tls = no below is tolerable. The moment this
>     # points at a remote host, every search, every user bind (passwords!)
>     # and the admin password itself cross the wire in cleartext - turn on
>     # start_tls or use ldaps:// first.
>     server = 'localhost'
>     # NOTE(review): a directory *admin* DN and its password, posted in
>     # cleartext to a public list. Rotate this password. A dedicated service
>     # account limited to reading ou=people / ou=groups (plus write access
>     # on "description" if the accounting/post-auth updates below are kept)
>     # is all FreeRADIUS needs.
>     identity = 'cn=admin,dc=fusioncore,dc=local'
>     password = fusioncore
>     base_dn = 'ou=people,dc=fusioncore,dc=local'
>     sasl {
>     }
>     # Attributes copied from the user entry on lookup. userPassword (an SSHA
>     # hash here) lands in control:Password-With-Header; the virtual servers
>     # then force Auth-Type := ldap, so the copied hash is not what
>     # authenticates the user - the bind as the user is.
>     update {
>         control:Password-With-Header    += 'userPassword'
>         control:            += 'radiusControlAttribute'
>         request:            += 'radiusRequestAttribute'
>         reply:                += 'radiusReplyAttribute'
>     }
>     user {
>         base_dn = "${..base_dn}"
>         # The RADIUS user name is expanded straight into the search filter.
>         # v3 rlm_ldap LDAP-escapes expansions in filter strings; confirm for
>         # your version, otherwise a crafted User-Name could alter the filter.
>         filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>         sasl {
>         }
>     }
>     # Group lookups behind every LDAP-Group comparison in the virtual
>     # servers: a user matches either by member DN or by memberUid.
>     group {
>         base_dn = "ou=groups,dc=fusioncore,dc=local"
>         filter = '(objectClass=GroupOfNames)'
>         name_attribute = cn
>         membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
>         membership_attribute = 'memberUid'
>     }
>     profile {
>     }
>     # RADIUS clients (NAS address + shared secret) read from the directory.
>     # Only used if a listen section enables dynamic clients; none of the
>     # posted listen sections does, so this is presumably inert - confirm.
>     client {
>         base_dn = "${..base_dn}"
>         filter = '(objectClass=radiusClient)'
>         template {
>         }
>         attribute {
>             ipaddr                = 'radiusClientIdentifier'
>             secret                = 'radiusClientSecret'
>         }
>     }
>     # Accounting and post-auth WRITE to the user's entry ("description") on
>     # every start/interim/stop and every successful auth: one LDAP modify
>     # per packet, and the reason the bind identity needs write rights.
>     accounting {
>         reference = "%{tolower:type.%{Acct-Status-Type}}"
>         type {
>             start {
>                 update {
>                     description := "Online at %S"
>                 }
>             }
>             interim-update {
>                 update {
>                     description := "Last seen at %S"
>                 }
>             }
>             stop {
>                 update {
>                     description := "Offline at %S"
>                 }
>             }
>         }
>     }
>     post-auth {
>         update {
>             description := "Authenticated at %S"
>         }
>     }
>     options {
>         # NOTE(review): chasing referrals with rebind = yes re-sends the
>         # admin identity/password to whatever server a referral points at.
>         # Leave both off unless the directory actually returns referrals.
>         chase_referrals = yes
>         rebind = yes
>         res_timeout = 10
>         srv_timelimit = 3
>         # 1 s connect timeout; fine on loopback, tight for anything remote.
>         net_timeout = 1
>         # TCP keepalive: probe after 60 s idle, 3 probes 3 s apart.
>         idle = 60
>         probes = 3
>         interval = 3
>         # libldap debug bitmask; leave at 0 in production - the output is
>         # verbose and can include search filters.
>         ldap_debug = 0x0028
>     }
>     tls {
>         start_tls = no
>     }
>     # Pre-3.0 option; in v3 the pool {} section below controls connections.
>     ldap_connections_number = 5
>     # Connection pool. start/min/max/spare are borrowed from the *thread*
>     # pool settings (so spare = max_spare_servers, 10 according to the log)
>     # and idle_timeout = 60 closes any connection unused for a minute.
>     # Result: the server opens connections to reach 10 spares, they sit
>     # idle, are closed at ~60 s and reopened - the churn visible in the log
>     # ("Need N more connections to reach 10 spares" / "Hit idle_timeout").
>     # Use a fixed small pool (start = min = max = spare = <n>) with
>     # idle_timeout = 0 if long-lived LDAP connections are acceptable.
>     # This explains the log noise; whether it causes the client drops after
>     # a few hours is not shown here - check the NAS reauthentication
>     # interval and the inner auth result in radiusd -X when a client drops.
>     pool {
>         start = ${thread[pool].start_servers}
>         min = ${thread[pool].min_spare_servers}
>         max = ${thread[pool].max_servers}
>         spare = ${thread[pool].max_spare_servers}
>         # 0 = no limit on uses per connection / no maximum lifetime.
>         uses = 0
>         # Seconds to wait before retrying after a failed connection attempt.
>         retry_delay = 30
>         lifetime = 0
>         idle_timeout = 60
>     }
> }
>
>
>