Active Directory authenticated VPN

Pisch Tamás pischta at gmail.com
Wed May 12 11:19:02 CEST 2021


Alan DeKok <aland at deployingradius.com> wrote (on 11 May 2021, Tue, 14:15):

> On May 11, 2021, at 8:05 AM, Pisch Tamás <pischta at gmail.com> wrote:
> >
> > Sorry, it's me again. As I mentioned, I set up SoftEther with RADIUS
> > authentication. It works strangely. I can connect from Windows10 with the
> > built-in client... *once*, and when I disconnect and try to connect again,
> > I get "The PPP link control protocol was terminated" error. The
> > recommended solution didn't work:
> >
> > https://docs.microsoft.com/en-us/troubleshoot/windows-client/networking/cannot-establish-dial-up-connection
>
>   If only there was some kind of debug output you could look at, to see
> what the server is doing.
>

It seems the problem isn't on the FreeRADIUS side, because it sends an
Access-Accept response... I will try to find a solution for that.

>
> > Ok, I then tried the SoftEther client. It works if I write
> > DEFAULT         Auth-Type := LDAP
>
>   Which forces ALL requests to use LDAP.  This isn't what you want.
>
> > in the users file. But when I try to connect with the built-in Windows
> > client with this setting, on the server side I see a big warning:
> > ldap: WARNING: You have set "Auth-Type := LDAP" somewhere
> > (0) ldap: WARNING: *********************************************
> > (0) ldap: WARNING: * THAT CONFIGURATION IS WRONG.  DELETE IT.
> > (0) ldap: WARNING: * YOU ARE PREVENTING THE SERVER FROM WORKING
> > (0) ldap: WARNING: *********************************************
> > (0) ldap: ERROR: Attribute "User-Password" is required for authentication
>
>   See?  It doesn't work.
>
> > Ok, I force the ldap auth, but without it, the authentication doesn't
> > work.
>   The WHAT authentication doesn't work?
>   VPN authentication?
>
When I connect with the Win10 built-in VPN client, it uses MSCHAP-v2. The
SoftEther client uses PAP.
Both clients initiate a VPN connection.

>
>   The solution to that is simple.  Write a policy rule which detects VPN
> access, and then sets "Auth-Type := LDAP" for that.
>
>   What is that policy supposed to be?  We don't know.  We don't have
> access to your VPN server, and you're not posting the debug output.
>
I examined the outputs. When I force the auth type in the users
(=authorize) file, FreeRADIUS uses files:

(0) suffix: Authentication realm is LOCAL
(0)     [suffix] = ok
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0)     [files] = noop
rlm_ldap (ldap): Reserved connection (0)
(0) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap:    --> (samaccountname=vpn)
(0) ldap: Performing search in "cn=Users,dc=ad,dc=ourdomain,dc=hu" with
filter "(samaccountname=vpn)", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: User object found at DN "CN=vpn,CN=Users,DC=ad,DC=ourdomain,DC=hu"
(0) ldap: Processing user attributes
(0) ldap: WARNING: No "known good" password added. Ensure the admin user
has permission to read the password attribute
(0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory
(if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots
used
rlm_ldap (ldap): Connecting to ldap://localhost:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0)     [ldap] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user.  Not setting
Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password
is available
(0)     [pap] = noop
(0)   } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
Reject
(0) Failed to authenticate the user

When I enable ldap in the authorize section of the default site, and don't
use default auth-type in users, the debug output is different:

(0) suffix: Authentication realm is LOCAL
(0)     [suffix] = ok
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0)     [files] = noop
rlm_ldap (ldap): Reserved connection (0)
(0) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap:    --> (samaccountname=vpn)
(0) ldap: Performing search in "cn=Users,dc=ad,dc=ourdomain,dc=hu" with
filter "(samaccountname=vpn)", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: User object found at DN "CN=vpn,CN=Users,DC=ad,DC=ourdomain,DC=hu"
(0) ldap: Processing user attributes
(0) ldap: WARNING: No "known good" password added. Ensure the admin user
has permission to read the password attribute
(0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory
(if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots
used
rlm_ldap (ldap): Connecting to ldap://localhost:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0)     [ldap] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user.  Not setting
Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password
is available
(0)     [pap] = noop
(0)   } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
Reject
(0) Failed to authenticate the user

It doesn't use files. What is the difference between the two? When I use
ldap in the default site for authorization, it doesn't work, but when I
force LDAP in the users (authorize) file, it works.

Thanks,

Tamás.
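The policy rule Alan refers to, written out as an added illustration (this is not part of the thread and not a copy of anyone's live configuration; it follows the pattern that FreeRADIUS's stock sites-available/default shows in comments). Both debug outputs above end the same way: rlm_ldap finds the user object but cannot add a "known good" password, because Active Directory never exposes one over LDAP, so rlm_pap has nothing to compare against and no Auth-Type gets set. Setting Auth-Type := LDAP makes rlm_ldap authenticate by binding to AD as the user instead, which only works when the request carries a cleartext User-Password, i.e. the PAP requests from the SoftEther client. The MS-CHAPv2 requests from the Windows built-in client carry no User-Password, so this rule correctly leaves them alone; they need a different path (the mschap module with ntlm_auth, which this thread does not cover). The NAS-IP-Address line is an optional narrowing with a placeholder address, not a value from the thread.

```unlang
# Added example, not from the thread. Belongs in the authorize section of
# sites-enabled/default, directly after the "ldap" module call, instead of
# the blanket "DEFAULT Auth-Type := LDAP" entry in the users file.
authorize {
    # suffix, eap, files, etc. stay exactly as they are above this point

    ldap

    # rlm_ldap returned ok/updated (the user object was found) AND the
    # request carries a cleartext password, i.e. this is PAP from the
    # SoftEther client. MS-CHAPv2 requests have no User-Password, so the
    # condition is false for them and the rule does not interfere.
    #
    # To restrict the rule further to the VPN server, add a NAS check;
    # 192.0.2.1 is a placeholder, replace it with the SoftEther server's
    # RADIUS source address:
    #   if ((ok || updated) && &User-Password && &NAS-IP-Address == 192.0.2.1) {
    if ((ok || updated) && &User-Password) {
        update {
            &control:Auth-Type := LDAP
        }
    }

    expiration
    logintime
    pap
}
```

With this in place, `radiusd -X` should show `[ldap] = ok` followed by the `if` condition evaluating true and `Auth-Type` being set for the PAP request, and the later "No Auth-Type found" rejection disappears for that client only.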


More information about the Freeradius-Users mailing list