Active Directory authenticated VPN
Pisch Tamás
pischta at gmail.com
Wed May 12 11:44:02 CEST 2021
I found the solution, you answered it there:
http://lists.freeradius.org/pipermail/freeradius-users/2016-September/084737.html
But my question from my previous letter remains: why can't freeradius use
ldap without it, when I try to use pap?
Thanks,
Tamás.
Pisch Tamás <pischta at gmail.com> wrote (on 2021 May 12, Wed, 11:19):
> Alan DeKok <aland at deployingradius.com> wrote (on 2021 May 11, Tue, 14:15):
>
>> On May 11, 2021, at 8:05 AM, Pisch Tamás <pischta at gmail.com> wrote:
>> >
>> > Sorry, it's me again. As I mentioned, I set up SoftEther with RADIUS
>> > authentication. It works strangely. I can connect from Windows10 with the
>> > built-in client... *once*, and when I disconnect and try to connect again,
>> > I get "The PPP link control protocol was terminated" error. The
>> > recommended solution didn't work:
>> > https://docs.microsoft.com/en-us/troubleshoot/windows-client/networking/cannot-establish-dial-up-connection
>>
>> If only there was some kind of debug output you could look at, to see
>> what the server is doing.
>>
>
> It seems the problem isn't on the Freeradius side, because it sends Access
> Accept response... I will try to find a solution for that.
>
>>
>> > Ok, I then tried the SoftEther client. It works if I write
>> > DEFAULT Auth-Type := LDAP
>>
>> Which forces ALL requests to use LDAP. This isn't what you want.
>>
>> > in the users file. But when I try to connect with the built-in Windows
>> > client with this setting, on the server side I see a big warning:
>> > ldap: WARNING: You have set "Auth-Type := LDAP" somewhere
>> > (0) ldap: WARNING: *********************************************
>> > (0) ldap: WARNING: * THAT CONFIGURATION IS WRONG. DELETE IT.
>> > (0) ldap: WARNING: * YOU ARE PREVENTING THE SERVER FROM WORKING
>> > (0) ldap: WARNING: *********************************************
>> > (0) ldap: ERROR: Attribute "User-Password" is required for authentication
>>
>> See? It doesn't work.
>>
>> > Ok, I force the ldap auth, but without it, the authentication doesn't work.
>>
>> The WHAT authentication doesn't work?
>> VPN authentication?
>>
> When I connect with the Win10 built-in VPN client, it uses MSCHAP-v2. The
> Softether client uses PAP.
> Both clients initiate a VPN connection.
>
>>
>> The solution to that is simple. Write a policy rule which detects VPN
>> access, and then sets "Auth-Type := LDAP" for that.
>>
>> What is that policy supposed to be? We don't know. We don't have
>> access to your VPN server, and you're not posting the debug output.
>>
> I examined the outputs. When I force the auth type in the users
> (=authorize) file, Freeradius uses files:
>
> (0) suffix: Authentication realm is LOCAL
> (0) [suffix] = ok
> (0) eap: No EAP-Message, not doing EAP
> (0) [eap] = noop
> (0) [files] = noop
> rlm_ldap (ldap): Reserved connection (0)
> (0) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
> (0) ldap: --> (samaccountname=vpn)
> (0) ldap: Performing search in "cn=Users,dc=ad,dc=ourdomain,dc=hu" with filter "(samaccountname=vpn)", scope "sub"
> (0) ldap: Waiting for search result...
> (0) ldap: User object found at DN "CN=vpn,CN=Users,DC=ad,DC=ourdomain,DC=hu"
> (0) ldap: Processing user attributes
> (0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
> (0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
> rlm_ldap (ldap): Released connection (0)
> Need 5 more connections to reach 10 spares
> rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
> rlm_ldap (ldap): Connecting to ldap://localhost:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> (0) [ldap] = ok
> (0) [expiration] = noop
> (0) [logintime] = noop
> (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
> (0) pap: WARNING: Authentication will fail unless a "known good" password is available
> (0) [pap] = noop
> (0) } # authorize = ok
> (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
> (0) Failed to authenticate the user
>
> When I enable ldap in the authorize section of the default site, and don't
> use default auth-type in users, the debug output is different:
>
> (0) suffix: Authentication realm is LOCAL
> (0) [suffix] = ok
> (0) eap: No EAP-Message, not doing EAP
> (0) [eap] = noop
> (0) [files] = noop
> rlm_ldap (ldap): Reserved connection (0)
> (0) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
> (0) ldap: --> (samaccountname=vpn)
> (0) ldap: Performing search in "cn=Users,dc=ad,dc=ourdomain,dc=hu" with filter "(samaccountname=vpn)", scope "sub"
> (0) ldap: Waiting for search result...
> (0) ldap: User object found at DN "CN=vpn,CN=Users,DC=ad,DC=ourdomain,DC=hu"
> (0) ldap: Processing user attributes
> (0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
> (0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
> rlm_ldap (ldap): Released connection (0)
> Need 5 more connections to reach 10 spares
> rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
> rlm_ldap (ldap): Connecting to ldap://localhost:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> (0) [ldap] = ok
> (0) [expiration] = noop
> (0) [logintime] = noop
> (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
> (0) pap: WARNING: Authentication will fail unless a "known good" password is available
> (0) [pap] = noop
> (0) } # authorize = ok
> (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
> (0) Failed to authenticate the user
>
> It doesn't use files. What is the difference between the two? When I use
> ldap in the default site for authorization, it doesn't work, but when I
> force the ldap in the users (authorize), it works.
>
> Thanks,
>
> Tamás.
>
>
>
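The policy Alan asks for, as an added example (not from this thread or from the FreeRADIUS project; it follows the shape of the commented-out LDAP block in the stock sites-available/default). The debug output above explains the behaviour: Active Directory never lets rlm_ldap read a password attribute, so the pap module has no "known good" password to compare against and no Auth-Type is set. Setting Auth-Type := LDAP tells rlm_ldap to bind to AD as the user with the cleartext User-Password instead, which is why that mode can only serve PAP requests (the SoftEther client) and why forcing it for every request breaks the MS-CHAPv2 requests from the Windows client, which never carry a password. The ldap module instance name "ldap" and the clients.conf shortname "vpn-gateway" are assumed values.

```unlang
# Added example, not the thread's or the project's configuration.
# Assumes: the ldap module instance is called "ldap" and the VPN server's
# entry in clients.conf has shortname = vpn-gateway (both hypothetical).

authorize {
	filter_username
	preprocess
	suffix
	eap {
		ok = return
	}
	files

	# MS-CHAPv2 requests (Windows built-in client) are claimed here:
	# rlm_mschap sets Auth-Type := MS-CHAP when it sees MS-CHAP attributes.
	mschap

	# Look the user up in AD. Against AD this can only load the user's
	# attributes; the "No known good password added" warning is expected.
	-ldap

	# Detect the VPN PAP case: the request comes from the VPN gateway,
	# carries a cleartext User-Password, and nothing else has claimed it.
	# Only then authenticate by binding to AD as the user.
	if ((ok || updated) && &User-Password && !&control:Auth-Type && ("%{client:shortname}" == "vpn-gateway")) {
		update control {
			&Auth-Type := LDAP
		}
	}

	expiration
	logintime
	pap
}

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	# Bind to AD with the supplied User-Password.
	Auth-Type LDAP {
		ldap
	}
	eap
}
```

Run the server with `radiusd -X` after the change: a SoftEther (PAP) request should now show `[ldap] = ok` followed by a bind as the user in the authenticate section, while a Windows MS-CHAPv2 request must not enter the LDAP branch at all. MS-CHAPv2 against AD needs a backend that can verify the challenge/response, which FreeRADIUS documents as ntlm_auth via Samba/winbind; that part is outside what this thread configures.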