G Suite Secure LDAP - FreeRADIUS (pfSense) - Authentication - Regarding

P.Thirunavukkarasu drthiruna at tanuvas.org.in
Sat Jun 12 10:55:22 CEST 2021


Great. It is working now.
Thanks a lot.
I need to configure the proxy.conf, but it is not loaded.

Starting - reading configuration files ...
including dictionary file /usr/local/share/freeradius/dictionary
including dictionary file /usr/local/share/freeradius/dictionary.dhcp
including dictionary file /usr/local/share/freeradius/dictionary.vqp
including dictionary file /usr/local/etc/raddb/dictionary

*including configuration file /usr/local/etc/raddb/radiusd.conf*
*including configuration file /usr/local/etc/raddb/clients.conf*
including files in directory /usr/local/etc/raddb/mods-enabled/
including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap
including configuration file /usr/local/etc/raddb/mods-enabled/chap
including configuration file /usr/local/etc/raddb/mods-enabled/date
including configuration file /usr/local/etc/raddb/mods-enabled/detail
including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
including configuration file /usr/local/etc/raddb/mods-enabled/digest
including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients
including configuration file /usr/local/etc/raddb/mods-enabled/eap
including configuration file /usr/local/etc/raddb/mods-enabled/echo
including configuration file /usr/local/etc/raddb/mods-enabled/exec
including configuration file /usr/local/etc/raddb/mods-enabled/expiration
including configuration file /usr/local/etc/raddb/mods-enabled/expr
including configuration file /usr/local/etc/raddb/mods-enabled/files
including configuration file /usr/local/etc/raddb/mods-enabled/linelog
including configuration file /usr/local/etc/raddb/mods-enabled/logintime
including configuration file /usr/local/etc/raddb/mods-enabled/mschap
including configuration file /usr/local/etc/raddb/mods-enabled/realm
including configuration file /usr/local/etc/raddb/mods-enabled/pap
including configuration file /usr/local/etc/raddb/mods-enabled/passwd
including configuration file /usr/local/etc/raddb/mods-enabled/preprocess
including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
including configuration file /usr/local/etc/raddb/mods-enabled/counter
including configuration file /usr/local/etc/raddb/mods-enabled/replicate
including configuration file /usr/local/etc/raddb/mods-enabled/soh
including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
including configuration file /usr/local/etc/raddb/mods-enabled/unix
including configuration file /usr/local/etc/raddb/mods-enabled/always
including configuration file /usr/local/etc/raddb/mods-enabled/unpack
including configuration file /usr/local/etc/raddb/mods-enabled/utf8
including configuration file /usr/local/etc/raddb/mods-enabled/motp
including configuration file /usr/local/etc/raddb/mods-enabled/googleauth
including configuration file /usr/local/etc/raddb/mods-enabled/datacounter_acct
including configuration file /usr/local/etc/raddb/mods-enabled/ldap
including files in directory /usr/local/etc/raddb/policy.d/
including configuration file /usr/local/etc/raddb/policy.d/accounting
including configuration file /usr/local/etc/raddb/policy.d/canonicalization
including configuration file /usr/local/etc/raddb/policy.d/control
including configuration file /usr/local/etc/raddb/policy.d/cui
including configuration file /usr/local/etc/raddb/policy.d/debug
including configuration file /usr/local/etc/raddb/policy.d/dhcp
including configuration file /usr/local/etc/raddb/policy.d/eap
including configuration file /usr/local/etc/raddb/policy.d/filter
including configuration file /usr/local/etc/raddb/policy.d/moonshot-targeted-ids
including configuration file /usr/local/etc/raddb/policy.d/operator-name
including configuration file /usr/local/etc/raddb/policy.d/rfc7542
including configuration file /usr/local/etc/raddb/policy.d/abfab-tr
including configuration file /usr/local/etc/raddb/policy.d/pfs_custom_policies
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel-ttls
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel-peap
--------------------
*This is the file /usr/local/etc/raddb/radiusd.conf*
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
modconfdir = ${confdir}/mods-config
certdir = ${confdir}/certs
cadir = ${confdir}/certs
run_dir = ${localstatedir}/run
db_dir = ${raddbdir}
libdir = /usr/local/lib/freeradius-3.0.21
pidfile = ${run_dir}/${name}.pid
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
hostname_lookups = no
regular_expressions = yes
extended_expressions = yes

log {
destination = files
colourise = yes
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
msg_goodpass = "%{User-Name}"
msg_badpass = "%{User-Name}"
msg_denied = "You are already logged in - access denied"
}

checkrad = ${sbindir}/checkrad
security {
allow_core_dumps = no
max_attributes = 200
reject_delay = 1
status_server = no
# Disable this check since it may not be accurate due to how FreeBSD patches OpenSSL
allow_vulnerable_openssl = yes
}

$INCLUDE  clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_queue_size = 65536
max_requests_per_server = 0
auto_limit_acct = no
}

modules {
$INCLUDE ${confdir}/mods-enabled/
}

instantiate {
exec
expr
expiration
logintime
### Dis-/Enable sql instatiate
#sql
daily
weekly
monthly
forever
}
policy {
$INCLUDE policy.d/
}
$INCLUDE sites-enabled/
------------------------------------------------
Some warnings in the output are:
*(17) WARNING: Outer and inner identities are the same.  User privacy is compromised.*
(17) server inner-tunnel-ttls {
(17)   # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-ttls
(17)     authorize {
(17)       [chap] = noop
(17)       [mschap] = noop
(17)       update control {
(17)         &Proxy-To-Realm := LOCAL
(17)       } # update control = noop
(17) eap: No EAP-Message, not doing EAP
(17)       [eap] = noop
(17)       [files] = noop
rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 67 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Reserved connection (1)
(17) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(17) ldap:    --> (uid=ldap)
(17) ldap: Performing search in "dc=tanuvas,dc=org,dc=in" with filter "(uid=ldap)", scope "sub"
(17) ldap: Waiting for search result...
(17) ldap: User object found at DN "uid=ldap,ou=Faculty,ou=People,ou=Registrar,ou=Users,dc=tanuvas,dc=org,dc=in"
(17) ldap: Processing user attributes


*(17) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute*
*(17) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)*
rlm_ldap (ldap): Released connection (1)
Need 1 more connections to reach min connections (5)
rlm_ldap (ldap): Opening additional connection (5), 1 of 1 pending slots used
rlm_ldap (ldap): Connecting to ldap://127.0.0.1:1636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(17)       [ldap] = ok
(17)       [expiration] = noop
(17)       [logintime] = noop
(17)       [pap] = noop
(17)       if (User-Password) {
(17)       if (User-Password)  -> TRUE
(17)       if (User-Password)  {
(17)         update control {
(17)           Auth-Type := LDAP
(17)         } # update control = noop
(17)       } # if (User-Password)  = noop
(17)     } # authorize = ok
(17)   WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist!  Cancelling invalid proxy request.
(17)   Found Auth-Type = LDAP
(17)   # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-ttls
(17)     Auth-Type LDAP {
rlm_ldap (ldap): Reserved connection (3)
(17) ldap: Login attempt by "ldap"
(17) ldap: Using user DN from request "uid=ldap,ou=Faculty,ou=People,ou=Registrar,ou=Users,dc=tanuvas,dc=org,dc=in"
(17) ldap: Waiting for bind result...
(17) ldap: Bind successful
(17) ldap: Bind as user "uid=ldap,ou=Faculty,ou=People,ou=Registrar,ou=Users,dc=tanuvas,dc=org,dc=in" was successful
rlm_ldap (ldap): Released connection (3)
(17)       [ldap] = ok
(17)     } # Auth-Type LDAP = ok
(17)   # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-ttls
(17)     post-auth {
(17)       if (1) {
(17)       if (1)  -> TRUE
(17)       if (1)  {
(17)         update reply {
(17)           User-Name !* ANY
(17)           Message-Authenticator !* ANY
(17)           EAP-Message !* ANY
(17)           Proxy-State !* ANY
(17)           MS-MPPE-Encryption-Types !* ANY
(17)           MS-MPPE-Encryption-Policy !* ANY
(17)           MS-MPPE-Send-Key !* ANY
(17)           MS-MPPE-Recv-Key !* ANY
(17)         } # update reply = noop
(17)         update {
(17)           No attributes updated for RHS &reply:
(17)         } # update = noop
(17)       } # if (1)  = noop
(17)     } # post-auth = noop
(17)   EXPAND %{User-Name}
(17)      --> ldap
(17)   Login OK: [ldap] (from client IAP303VC port 0 via TLS tunnel) ldap
(17) } # server inner-tunnel-ttls
(17) Virtual server sending reply
(17) eap_ttls: Got tunneled Access-Accept
(17) eap: Sending EAP Success (code 3) ID 6 length 4
(17) eap: Freeing handler
(17)     [eap] = ok
(17)   } # authenticate = ok
(17) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(17)   post-auth {
(17)     update {
(17)       &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES128-GCM-SHA256'
(17)       &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2'
(17)     } # update = noop
(17)     [exec] = noop
(17)     policy remove_reply_message_if_eap {
(17)       if (&reply:EAP-Message && &reply:Reply-Message) {
(17)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(17)       else {
(17)         [noop] = noop
(17)       } # else = noop
(17)     } # policy remove_reply_message_if_eap = noop
(17)   } # post-auth = noop
(17) EXPAND %{User-Name}
(17)    --> ldap
(17) Login OK: [ldap] (from client IAP303VC port 0 cli e01f882afe1f) ldap
(17) Sent Access-Accept Id 124 from 172.16.10.20:1812 to 172.16.11.2:55184 length 0
(17)   MS-MPPE-Recv-Key = 0x580722b63c86773fa04c013221518a046abf915b0e4f596df698273c84823d59
(17)   MS-MPPE-Send-Key = 0x5e597facb7eccf9b6e4ffacc5ff6d54260a42db31a48d0c0454595aeaec8b281
(17)   EAP-Message = 0x03060004
(17)   Message-Authenticator = 0x00000000000000000000000000000000
(17)   User-Name = "ldap"
(17) Finished request
Waking up in 2.2 seconds.
(12) Cleaning up request packet ID 119 with timestamp +86
(13) Cleaning up request packet ID 120 with timestamp +86
(14) Cleaning up request packet ID 121 with timestamp +86
(15) Cleaning up request packet ID 122 with timestamp +86
(16) Cleaning up request packet ID 123 with timestamp +86
Waking up in 2.6 seconds.
(17) Cleaning up request packet ID 124 with timestamp +86
*Ready to process requests*

Best,
Thirunavukkarasu...
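As an added example, not code from the original post or from the FreeRADIUS project: the radiusd.conf quoted above has no `$INCLUDE proxy.conf` line (the stock FreeRADIUS 3 radiusd.conf carries one right after `proxy_requests = yes`), and the script below resolves a config's `$INCLUDE` directives the way the server does, so you can see which files it actually pulls in and which expected ones are absent. The embedded config text is a constructed reduction of the one in this message.

```python
import os
import re

# Constructed test input: the radiusd.conf posted in this message, reduced to
# the lines that matter for include resolution (no $INCLUDE proxy.conf anywhere).
POSTED_RADIUSD_CONF = """\
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
raddbdir = ${sysconfdir}/raddb
confdir = ${raddbdir}
$INCLUDE  clients.conf
modules {
$INCLUDE ${confdir}/mods-enabled/
}
policy {
$INCLUDE policy.d/
}
$INCLUDE sites-enabled/
"""

VAR_RE = re.compile(r"\$\{(\w+)\}")
ASSIGN_RE = re.compile(r"^(\w+)\s*=\s*(\S+)")


def expand(value, variables):
    """Replace ${name} with an earlier assignment; unknown names are left as-is."""
    return VAR_RE.sub(lambda m: variables.get(m.group(1), m.group(0)), value)


def include_targets(conf_text, conf_dir):
    """Absolute paths named by every $INCLUDE / $-INCLUDE line, in file order.

    Relative targets resolve against conf_dir, the directory of the including
    file, as the server does; a trailing '/' marks a directory include.
    """
    variables, targets = {}, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = ASSIGN_RE.match(line)
        if m:
            variables[m.group(1)] = expand(m.group(2), variables)
        elif line.startswith(("$INCLUDE", "$-INCLUDE")):
            target = expand(line.split(None, 1)[1], variables)
            targets.append(target if os.path.isabs(target) else os.path.join(conf_dir, target))
    return targets


def missing_includes(conf_text, conf_dir, required=("proxy.conf",)):
    """Names in `required` that no $INCLUDE line of the config pulls in."""
    found = {os.path.basename(t.rstrip("/")) for t in include_targets(conf_text, conf_dir)}
    return [name for name in required if name not in found]
```

Against the live file, call `include_targets(open("/usr/local/etc/raddb/radiusd.conf").read(), "/usr/local/etc/raddb")`; the "realm does not exist" warning for `Proxy-To-Realm = LOCAL` in the debug output is consistent with proxy.conf never being read, since the stock proxy.conf is where `realm LOCAL { }` is defined.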

