Active Directory authenticated VPN

Alan DeKok aland at
Thu May 6 13:39:35 CEST 2021

On May 6, 2021, at 5:57 AM, Pisch Tamás <pischta at> wrote:
> Great, thanks. I feel myself lost in a jungle.

  That's RADIUS.  :(

  The problem with RADIUS isn't just RADIUS.  Getting packets in and out of a server is fairly trivial.  Doing everything people want is much harder.  This situation is a good example.

  You want to use RADIUS, but that really means using LDAP, Kerberos, SASL, and GSSAPI.  How do all those work together?  I don't know, I've got way too many other things to remember.

  One of the main frustrations we see on the list is the attitude that "you wrote the RADIUS server, therefore you must understand how X works".  Where X is something entirely unrelated to RADIUS.  Some people have a very hard time understanding that we're not experts in all of the libraries used by FreeRADIUS, and all of the dozens of things we connect to, and all of the dozens of protocols used.

  Instead, we rely on the end users to figure out a good chunk of the rarely-used situations like this.  Then, we rely on them to describe what they did.  Either so that we can update the docs, or that they can supply a patch to update the docs.

  But as we see with the complaint the other day, some people are enthusiastic about laying blame, but are horrified at the thought of contributing.  They have some narcissistic sense of entitlement, that they *deserve* a world-class product for free, and if it isn't perfect, they *deserve* to complain about it, and they expect me to be grateful for their feedback that "the documentation is crap".   I have no patience (or respect) for that kind of abusive behavior.

  That's not what you're doing here, of course.  But I thought it was worth pointing out that what's-his-name who complained pretty much proved my point that he would rather kill himself than contribute. 

> This is why I wrote to the
> list, and the read the documentation answer doesn't help me. Surely I could
> find these somewhere in the documentation someday, but concrete helps me a
> lot.

  The documentation is full of concrete examples.  Sadly, not this one.  So... if you figure it out, PLEASE tell us, so we can document it, and no one else has to go through this pain.

>> You can try to set KRB5_TRACE to let libkrb5 write debug logs.
> Ok, I did it. When I use kinit, I can see messages in the log. When I start
> freeradius, nothing new appears in the log with
> tls {
> start_tls = no
> }
> sasl {
> mech = 'GSSAPI'
> realm = ''
> }
> I tried with start_tls again, with
> require_cert = 'allow'
> But it didn't help. I still get "Strong(er) authentication required"
> message.

  So the issue is that your LDAP server doesn't do TLS, but something else.  And then there's the issue of chaining together a complex solution of FreeRADIUS to libldap to SASL GSSAPI to Kerberos, and finally to LDAP.

  Which explains why this isn't documented.  Most people don't do it, because it's complex and fragile.  Instead, just use TLS.  Maybe issue a client certificate, and then configure FreeRADIUS to use that.  That process is documented, tested, and works.

  The more complex the system, the more moving parts it has.  And the more likely it is that one of the moving parts breaks, or just plain doesn't work.

  Sorry we can't help, but this is a rare situation, it's extremely complex, and few people have done this before.  Which makes it difficult to give useful advice.

  Alan DeKok.
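The TLS-based setup Alan recommends above (StartTLS, server certificate verification, optional client certificate) as it would look in the rlm_ldap `tls` block of a FreeRADIUS 3.x `mods-available/ldap`. This is an added example, not part of the original message and not the project's shipped configuration; the hostname, bind DN, certificate paths and filter are assumed placeholders, and only options that exist in rlm_ldap (`start_tls`, `ca_file`, `certificate_file`, `private_key_file`, `require_cert`) are used.

```conf
# Added example (not from the thread): rlm_ldap configuration for an
# Active Directory domain controller using StartTLS and a simple bind.
# Hostname, DN, paths and the service-account password are placeholders.
ldap {
	# Plain LDAP port with StartTLS; 'ldaps://...' on 636 is the alternative.
	server = 'ldap://dc1.example.com'
	port = 389

	# Simple bind over TLS replaces the SASL/GSSAPI/Kerberos chain
	# discussed above.  Keep the password out of world-readable files.
	identity = 'CN=radius-svc,OU=Service Accounts,DC=example,DC=com'
	password = '<service-account-password-placeholder>'

	base_dn = 'DC=example,DC=com'

	user {
		base_dn = "${..base_dn}"
		# AD stores the login name in sAMAccountName (assumed attribute mapping).
		filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	tls {
		# The value from the thread that produced
		# "Strong(er) authentication required" was:
		#   start_tls = no
		# AD refuses a simple bind on an unencrypted session.
		start_tls = yes

		# CA that issued the domain controller certificate, so the DC's
		# identity is actually checked rather than assumed.
		ca_file = /etc/freeradius/certs/ad-root-ca.pem

		# Optional client certificate issued by the AD CA, for DCs that
		# prefer or require certificate-based client authentication.
		certificate_file = /etc/freeradius/certs/radius-ldap-client.pem
		private_key_file = /etc/freeradius/certs/radius-ldap-client.key

		# 'allow' (the value tried in the thread) tolerates a certificate
		# that cannot be verified, which defeats the point of TLS.
		# 'demand' fails the bind if the DC certificate does not chain to ca_file.
		require_cert = 'demand'
	}
}
```

Before starting `radiusd -X`, the same bind can be exercised from the command line with `ldapsearch -ZZ -H ldap://dc1.example.com -D 'CN=radius-svc,...' -W -b 'DC=example,DC=com' '(sAMAccountName=testuser)'` while `LDAPTLS_CACERT` points at the same CA file; `-ZZ` makes ldapsearch abort unless StartTLS succeeds, which separates certificate problems from FreeRADIUS configuration problems.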
