Ttys/pap and Active Directory

Клеусов Владимир Сергеевич Kleusov.Vladimir at wildberries.ru
Thu Jul 9 09:46:42 CEST 2020 

Hi
I have freeradius and Active Directory. I have configured the eap module
In /etc/freeradius/mods-enabled/eap


eap     {
	default_eap_type = ttls
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = ${max_requests}

	tls-config tls-common {
		private_key_file = /etc/freeradius/certs/ssl-cert-snakeoil.key
		certificate_file = /etc/freeradius/certs/ssl-cert-snakeoil.pem
		ca_file = /etc/freeradius/certs/ca-certificates.crt
	        dh_file = ${certdir}/dh
		ca_path = ${cadir}
		cipher_list = "HIGH"
		cipher_server_preference = no
		disable_tlsv1_2 = no
		disable_tlsv1_1 = no
		disable_tlsv1 = no
		tls_min_version = "1.0"
		tls_max_version = "1.2"
		ecdh_curve = "prime256v1"
           }

	tls {
		tls = tls-common
	}
}

In /etc/freeradius/sites-enabled/default
authorize {
	filter_username
	preprocess
	mschap
	suffix
	eap {
		ok = return
	}
	files
	ldap
        if ((ok || updated) && User-Password) {
        update {
        control:Auth-Type := ldap
}
}
	pap
	expiration
	logintime


}


authenticate {

	Auth-Type LDAP {
		ldap
	}
   	Auth-Type eap {
    	eap
  	}
	pap
}



preacct {
	preprocess
	acct_unique
	suffix
	files
}


accounting {
	detail
	unix
	exec
	attr_filter.accounting_response
}

post-auth {
	update {
		&reply: += &session-state:
	}
	exec
}
post-proxy {
	eap
}

In /etc/freeradius/sites-enabled/inner-tunnel

server inner-tunnel {
authorize {
	filter_username
        filter_inner_identity

	pap
	suffix
	update control {
		&Proxy-To-Realm := LOCAL
	}
	if ((ok || updated) && User-Password) {
	    update {
        	control:Auth-Type := ldap
    }
  }
	files
	ldap

	expiration
	logintime
}



authenticate {

   Auth-Type eap {
    eap
  }
}
Auth-Type PAP {
    pap
  }
ldap

post-auth {


		if (0) {

		update reply {
			User-Name !* ANY
			Message-Authenticator !* ANY
			EAP-Message !* ANY
			Proxy-State !* ANY
			MS-MPPE-Encryption-Types !* ANY
			MS-MPPE-Encryption-Policy !* ANY
			MS-MPPE-Send-Key !* ANY
			MS-MPPE-Recv-Key !* ANY
		}


		update {
			&outer.session-state: += &reply:
		}
	}


	Post-Auth-Type REJECT {
		attr_filter.access_reject

		update outer.session-state {
			&Module-Failure-Message := &request:Module-Failure-Message
		}
	}
}



post-proxy {
	eap
}

}


Added ca to trusted root certificates and configured the ttls/pap client on windows. But the freeradius LDAP module is not accessed


freeradius -x in the attachment


I will accept any ideas with gratitude )

More information about the Freeradius-Users mailing list