LDAP on GC with TLS in upgrade from FreeRadius 2 to FreeRadius 3 not working
Xin Huang
xin.huang at forescout.com
Wed Apr 20 16:11:09 UTC 2022
Hello Experts,
I am trying to troubleshoot an issue with the ldap module after upgrading from FreeRadius version 2.2.9 to FreeRadius version 3.0.19.
When using the GC LDAPS port (3269), the LDAP-Group search no longer works on FR3. It seems that the ldap module does not attempt to start TLS on port 3269. In a packet capture I can see that there is no TLS certificate exchange, and FreeRadius sends the cleartext username and password after the TCP handshake, then the LDAP server immediately sends an RST.
In contrast, on FR2, a TLS negotiation starts and, once it succeeds, the LDAP-Group search is performed.
I would appreciate any guidance on whether LDAP queries over Global Catalogue port 3269 are supported with FR3, and if so, how to correct my configuration. Thanks.
Below are logs from a failing connection on FR 3.0.19 with ldap_debug enabled:
radiusd:7878:1650470518.551847:Wed Apr 20 11:01:58 2022: (10) EXPAND %{redis:hget %{Calling-Station-Id} domain}
radiusd:7878:1650470518.551861:Wed Apr 20 11:01:58 2022: (10) --> CSURFLAB
radiusd:7878:1650470518.551879:Wed Apr 20 11:01:58 2022: (10) EXPAND %{0}
radiusd:7878:1650470518.551900:Wed Apr 20 11:01:58 2022: (10) --> CSURFLAB
radiusd:7878:1650470518.551916:Wed Apr 20 11:01:58 2022: (10) EXPAND %{0}
radiusd:7878:1650470518.551930:Wed Apr 20 11:01:58 2022: (10) --> CSURFLAB
radiusd:7878:1650470518.551944:Wed Apr 20 11:01:58 2022: (10) Searching for user in group "Domain Admins"
radiusd:7878:1650470518.551958:Wed Apr 20 11:01:58 2022: rlm_ldap (ldap__CSURFLAB): 0 of 0 connections in use. You may need to increase "spare"
radiusd:7878:1650470518.551979:Wed Apr 20 11:01:58 2022: rlm_ldap (ldap__CSURFLAB): Opening additional connection (0), 1 of 5 pending slots used
radiusd:7878:1650470518.552000:Wed Apr 20 11:01:58 2022: rlm_ldap (ldap__CSURFLAB): Connecting to ldap://csurf-dot1x-dc1.csurflab.local:3269
radiusd:7878:1650470518.552018:Wed Apr 20 11:01:58 2022: ldap_create
radiusd:7878:1650470518.552032:Wed Apr 20 11:01:58 2022: ldap_url_parse_ext(ldap://csurf-dot1x-dc1.csurflab.local:3269)
radiusd:7878:1650470518.552046:Wed Apr 20 11:01:58 2022: TLSMC: MozNSS compatibility interception begins.
radiusd:7878:1650470518.552061:Wed Apr 20 11:01:58 2022: tlsmc_intercept_initialization: INFO: entry options follow:
radiusd:7878:1650470518.552082:Wed Apr 20 11:01:58 2022: tlsmc_intercept_initialization: INFO: cacertdir = `/etc/openldap/certs'
radiusd:7878:1650470518.552101:Wed Apr 20 11:01:58 2022: tlsmc_intercept_initialization: INFO: certfile = `(null)'
radiusd:7878:1650470518.552115:Wed Apr 20 11:01:58 2022: tlsmc_intercept_initialization: INFO: keyfile = `(null)'
radiusd:7878:1650470518.552130:Wed Apr 20 11:01:58 2022: tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `/etc/openldap/certs'.
radiusd:7878:1650470518.552146:Wed Apr 20 11:01:58 2022: tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `/etc/openldap/certs` prefix ``.
radiusd:7878:1650470518.685306:Wed Apr 20 11:01:58 2022: tlsmc_open_nssdb: INFO: initialized MozNSS context.
radiusd:7878:1650470518.685508:Wed Apr 20 11:01:58 2022: tlsmc_convert: INFO: trying with PEM dir = `/tmp/openldap-tlsmc-certs--40F28B6BEE85E0CAEA6EFDCC04C35B59E70A6ECE6BF81E65B3E0FF324E9441CD'.
radiusd:7878:1650470518.685550:Wed Apr 20 11:01:58 2022: tlsmc_convert: INFO: using the existing PEM dir.
radiusd:7878:1650470518.685568:Wed Apr 20 11:01:58 2022: tlsmc_convert: WARN: extracted cert file is not present.
radiusd:7878:1650470518.685597:Wed Apr 20 11:01:58 2022: tlsmc_convert: WARN: extracted key file is not present.
radiusd:7878:1650470518.688107:Wed Apr 20 11:01:58 2022: tlsmc_intercept_initialization: INFO: altered options follow:
radiusd:7878:1650470518.688313:Wed Apr 20 11:01:58 2022: tlsmc_intercept_initialization: INFO: cacertdir = `/tmp/openldap-tlsmc-certs--40F28B6BEE85E0CAEA6EFDCC04C35B59E70A6ECE6BF81E65B3E0FF324E9441CD/cacerts'
radiusd:7878:1650470518.688345:Wed Apr 20 11:01:58 2022: tlsmc_intercept_initialization: INFO: certfile = `(null)'
radiusd:7878:1650470518.688362:Wed Apr 20 11:01:58 2022: tlsmc_intercept_initialization: INFO: keyfile = `(null)'
radiusd:7878:1650470518.688383:Wed Apr 20 11:01:58 2022: tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
radiusd:7878:1650470518.688400:Wed Apr 20 11:01:58 2022: TLSMC: MozNSS compatibility interception ends.
radiusd:7878:1650470518.694859:Wed Apr 20 11:01:58 2022: ldap_bind
radiusd:7878:1650470518.695011:Wed Apr 20 11:01:58 2022: ldap_simple_bind
radiusd:7878:1650470518.695032:Wed Apr 20 11:01:58 2022: ldap_sasl_bind
radiusd:7878:1650470518.695066:Wed Apr 20 11:01:58 2022: ldap_send_initial_request
radiusd:7878:1650470518.695084:Wed Apr 20 11:01:58 2022: ldap_new_connection 1 1 0
radiusd:7878:1650470518.695099:Wed Apr 20 11:01:58 2022: ldap_int_open_connection
radiusd:7878:1650470518.695123:Wed Apr 20 11:01:58 2022: ldap_connect_to_host: TCP csurf-dot1x-dc1.csurflab.local:3269
radiusd:7878:1650470518.695615:Wed Apr 20 11:01:58 2022: ldap_new_socket: 24
radiusd:7878:1650470518.695713:Wed Apr 20 11:01:58 2022: ldap_prepare_socket: 24
radiusd:7878:1650470518.695738:Wed Apr 20 11:01:58 2022: ldap_connect_to_host: Trying 10.16.167.193:3269
radiusd:7878:1650470518.695758:Wed Apr 20 11:01:58 2022: ldap_pvt_connect: fd: 24 tm: 1 async: 0
radiusd:7878:1650470518.695782:Wed Apr 20 11:01:58 2022: ldap_ndelay_on: 24
radiusd:7878:1650470518.695801:Wed Apr 20 11:01:58 2022: attempting to connect:
radiusd:7878:1650470518.695817:Wed Apr 20 11:01:58 2022: connect errno: 115
radiusd:7878:1650470518.695835:Wed Apr 20 11:01:58 2022: ldap_int_poll: fd: 24 tm: 1
radiusd:7878:1650470518.696115:Wed Apr 20 11:01:58 2022: ldap_is_sock_ready: 24
radiusd:7878:1650470518.696146:Wed Apr 20 11:01:58 2022: ldap_ndelay_off: 24
radiusd:7878:1650470518.696171:Wed Apr 20 11:01:58 2022: ldap_pvt_connect: 0
radiusd:7878:1650470518.696201:Wed Apr 20 11:01:58 2022: ldap_open_defconn: successful
radiusd:7878:1650470518.696230:Wed Apr 20 11:01:58 2022: ldap_send_server_request
radiusd:7878:1650470518.696251:Wed Apr 20 11:01:58 2022: rlm_ldap (ldap__CSURFLAB): Waiting for bind result...
radiusd:7878:1650470518.696290:Wed Apr 20 11:01:58 2022: ldap_result ld 0x244d5d0 msgid 1
radiusd:7878:1650470518.696310:Wed Apr 20 11:01:58 2022: wait4msg ld 0x244d5d0 msgid 1 (timeout 4000000 usec)
radiusd:7878:1650470518.696329:Wed Apr 20 11:01:58 2022: wait4msg continue ld 0x244d5d0 msgid 1 all 1
radiusd:7878:1650470518.696357:Wed Apr 20 11:01:58 2022: ** ld 0x244d5d0 Connections:
radiusd:7878:1650470518.696384:Wed Apr 20 11:01:58 2022: * host: csurf-dot1x-dc1.csurflab.local port: 3269 (default)
radiusd:7878:1650470518.696407:Wed Apr 20 11:01:58 2022: refcnt: 2 status: Connected
radiusd:7878:1650470518.696437:Wed Apr 20 11:01:58 2022: last used: Wed Apr 20 11:01:58 2022
radiusd:7878:1650470518.696463:Wed Apr 20 11:01:58 2022:
radiusd:7878:1650470518.696488:Wed Apr 20 11:01:58 2022:
radiusd:7878:1650470518.696506:Wed Apr 20 11:01:58 2022: ** ld 0x244d5d0 Outstanding Requests:
radiusd:7878:1650470518.696530:Wed Apr 20 11:01:58 2022: * msgid 1, origid 1, status InProgress
radiusd:7878:1650470518.696557:Wed Apr 20 11:01:58 2022: outstanding referrals 0, parent count 0
radiusd:7878:1650470518.696577:Wed Apr 20 11:01:58 2022: ld 0x244d5d0 request count 1 (abandoned 0)
radiusd:7878:1650470518.696596:Wed Apr 20 11:01:58 2022: ** ld 0x244d5d0 Response Queue:
radiusd:7878:1650470518.696622:Wed Apr 20 11:01:58 2022: Empty
radiusd:7878:1650470518.696647:Wed Apr 20 11:01:58 2022: ld 0x244d5d0 response count 0
radiusd:7878:1650470518.696667:Wed Apr 20 11:01:58 2022: ldap_chkResponseList ld 0x244d5d0 msgid 1 all 1
radiusd:7878:1650470518.696686:Wed Apr 20 11:01:58 2022: ldap_chkResponseList returns ld 0x244d5d0 NULL
radiusd:7878:1650470518.696721:Wed Apr 20 11:01:58 2022: ldap_int_select
radiusd:7878:1650470518.696941:Wed Apr 20 11:01:58 2022: read1msg: ld 0x244d5d0 msgid 1 all 1
radiusd:7878:1650470518.697002:Wed Apr 20 11:01:58 2022: ldap_err2string
radiusd:7878:1650470518.697026:Wed Apr 20 11:01:58 2022: rlm_ldap (ldap__CSURFLAB): Bind with Administrator at csurflab.local to ldap://csurf-dot1x-dc1.csurflab.local:3269 failed: Can't contact LDAP server
========================================================================
For reference, these are logs from a different server running FreeRadius 2.2.9, connecting to the same LDAP server with the same user, which works:
radiusd:232612:1650387580.465127:Tue Apr 19 11:59:40 2022: expand: (|(userPrincipalName=%{%{User-Name}:-%{Stripped-User-Name}:-%{mschap:User-Name}:-None}@csurflab.local)(sAMAccountName=%{%{Stripped-User-Name}:-%{mschap:User-Name}:-%{User-Name}:-None})) -> (|(userPrincipalName=anonymous at csurflab.local)(sAMAccountName=testuser1))
radiusd:232612:1650387580.465156:Tue Apr 19 11:59:40 2022: [ldap.CSURFLAB] ldap_get_conn: Checking Id: 0
radiusd:232612:1650387580.465195:Tue Apr 19 11:59:40 2022: [ldap.CSURFLAB] ldap_get_conn: Got Id: 0
radiusd:232612:1650387580.465225:Tue Apr 19 11:59:40 2022: [ldap.CSURFLAB] attempting LDAP reconnection
radiusd:232612:1650387580.465267:Tue Apr 19 11:59:40 2022: [ldap.CSURFLAB] (re)connect to csurf-dot1x-dc1.csurflab.local:3269, authentication 0
radiusd:232612:1650387580.465288:Tue Apr 19 11:59:40 2022: [ldap.CSURFLAB] setting TLS mode to 1
radiusd:232612:1650387580.465305:Tue Apr 19 11:59:40 2022: [ldap.CSURFLAB] setting TLS CACert File to /usr/local/forescout/plugin/dot1x/fs_radius/etc/raddb/certs/ad_ca.pem
radiusd:232612:1650387580.465322:Tue Apr 19 11:59:40 2022: [ldap.CSURFLAB] bind as user/password to csurf-dot1x-dc1.csurflab.local:3269
radiusd:232612:1650387580.465373:Tue Apr 19 11:59:40 2022: ldap_bind
radiusd:232612:1650387580.465391:Tue Apr 19 11:59:40 2022: ldap_simple_bind
radiusd:232612:1650387580.465410:Tue Apr 19 11:59:40 2022: ldap_sasl_bind
radiusd:232612:1650387580.465427:Tue Apr 19 11:59:40 2022: ldap_send_initial_request
radiusd:232612:1650387580.465441:Tue Apr 19 11:59:40 2022: ldap_new_connection 1 1 0
radiusd:232612:1650387580.465461:Tue Apr 19 11:59:40 2022: ldap_int_open_connection
radiusd:232612:1650387580.465488:Tue Apr 19 11:59:40 2022: ldap_connect_to_host: TCP csurf-dot1x-dc1.csurflab.local:3269
radiusd:232612:1650387580.465518:Tue Apr 19 11:59:40 2022: ldap_new_socket: 36
radiusd:232612:1650387580.465544:Tue Apr 19 11:59:40 2022: ldap_prepare_socket: 36
radiusd:232612:1650387580.465560:Tue Apr 19 11:59:40 2022: ldap_connect_to_host: Trying 10.16.167.193:3269
radiusd:232612:1650387580.465577:Tue Apr 19 11:59:40 2022: ldap_pvt_connect: fd: 36 tm: 1 async: 0
radiusd:232612:1650387580.465592:Tue Apr 19 11:59:40 2022: ldap_ndelay_on: 36
radiusd:232612:1650387580.465609:Tue Apr 19 11:59:40 2022: attempting to connect:
radiusd:232612:1650387580.465626:Tue Apr 19 11:59:40 2022: connect errno: 115
radiusd:232612:1650387580.465644:Tue Apr 19 11:59:40 2022: ldap_int_poll: fd: 36 tm: 1
radiusd:232612:1650387580.465664:Tue Apr 19 11:59:40 2022: ldap_is_sock_ready: 36
radiusd:232612:1650387580.465681:Tue Apr 19 11:59:40 2022: ldap_ndelay_off: 36
radiusd:232612:1650387580.465698:Tue Apr 19 11:59:40 2022: ldap_pvt_connect: 0
radiusd:232612:1650387580.465717:Tue Apr 19 11:59:40 2022: TLSMC: MozNSS compatibility interception begins.
radiusd:232612:1650387580.465735:Tue Apr 19 11:59:40 2022: tlsmc_intercept_initialization: INFO: entry options follow:
radiusd:232612:1650387580.465750:Tue Apr 19 11:59:40 2022: tlsmc_intercept_initialization: INFO: cacertdir = `/etc/openldap/certs'
radiusd:232612:1650387580.465773:Tue Apr 19 11:59:40 2022: tlsmc_intercept_initialization: INFO: certfile = `(null)'
radiusd:232612:1650387580.465805:Tue Apr 19 11:59:40 2022: tlsmc_intercept_initialization: INFO: keyfile = `(null)'
radiusd:232612:1650387580.465829:Tue Apr 19 11:59:40 2022: tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `/etc/openldap/certs'.
radiusd:232612:1650387580.465849:Tue Apr 19 11:59:40 2022: tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `/etc/openldap/certs` prefix ``.
radiusd:232612:1650387580.603137:Tue Apr 19 11:59:40 2022: tlsmc_open_nssdb: INFO: initialized MozNSS context.
radiusd:232612:1650387580.603321:Tue Apr 19 11:59:40 2022: tlsmc_convert: INFO: trying with PEM dir = `/tmp/openldap-tlsmc-certs--B16AB0F6CE916B7E718C9ECC964B8F39FCA3D51A506498B0DBB4BAAFDC17EC49'.
radiusd:232612:1650387580.603365:Tue Apr 19 11:59:40 2022: tlsmc_convert: INFO: using the existing PEM dir.
radiusd:232612:1650387580.603391:Tue Apr 19 11:59:40 2022: tlsmc_convert: ERROR: the PEM dir found does not contain README file. Will remove the PEM dir and try to recreate it.
radiusd:232612:1650387580.603414:Tue Apr 19 11:59:40 2022: tlsmc_remove_dir_recursively: INFO: starting recursively removing directory `/tmp/openldap-tlsmc-certs--B16AB0F6CE916B7E718C9ECC964B8F39FCA3D51A506498B0DBB4BAAFDC17EC49'.
radiusd:232612:1650387580.603434:Tue Apr 19 11:59:40 2022: tlsmc_remove_dir_recursively: INFO: stepping into directory `cacerts'.
radiusd:232612:1650387580.603453:Tue Apr 19 11:59:40 2022: tlsmc_remove_dir_recursively: INFO: starting recursively removing directory `/tmp/openldap-tlsmc-certs--B16AB0F6CE916B7E718C9ECC964B8F39FCA3D51A506498B0DBB4BAAFDC17EC49/cacerts'.
radiusd:232612:1650387580.603488:Tue Apr 19 11:59:40 2022: tlsmc_remove_dir_recursively: INFO: removing file `b66938e9.0'.
radiusd:232612:1650387580.603521:Tue Apr 19 11:59:40 2022: tlsmc_remove_dir_recursively: INFO: removing file `7719f463.0'.
...
radiusd:232612:1650387580.605095:Tue Apr 19 11:59:40 2022: tlsmc_remove_dir_recursively: INFO: removing file `6b99d060.0'.
radiusd:232612:1650387580.605119:Tue Apr 19 11:59:40 2022: tlsmc_remove_dir_recursively: INFO: stepping out of the directory.
radiusd:232612:1650387580.605142:Tue Apr 19 11:59:40 2022: tlsmc_remove_dir_recursively: INFO: removing the directory itself.
radiusd:232612:1650387580.605167:Tue Apr 19 11:59:40 2022: tlsmc_remove_dir_recursively: INFO: stepping out of the directory.
radiusd:232612:1650387580.605194:Tue Apr 19 11:59:40 2022: tlsmc_remove_dir_recursively: INFO: removing the directory itself.
radiusd:232612:1650387580.605212:Tue Apr 19 11:59:40 2022: tlsmc_convert: WARN: will try to create PEM dir.
radiusd:232612:1650387580.605231:Tue Apr 19 11:59:40 2022: tlsmc_prepare_dir: INFO: preparing PEM directory `/tmp/openldap-tlsmc-certs--B16AB0F6CE916B7E718C9ECC964B8F39FCA3D51A506498B0DBB4BAAFDC17EC49'.
radiusd:232612:1650387580.605246:Tue Apr 19 11:59:40 2022: tlsmc_prepare_dir: INFO: creating a subdirectory `cacerts'.
radiusd:232612:1650387580.605260:Tue Apr 19 11:59:40 2022: tlsmc_prepare_dir: INFO: successfully created PEM directory structure.
radiusd:232612:1650387580.619623:Tue Apr 19 11:59:40 2022: tlsmc_extract_cacerts: INFO: found cert nick=`Default Trust:ACCVRAIZ1', a trusted CA.
radiusd:232612:1650387580.619839:Tue Apr 19 11:59:40 2022: tlsmc_extract_cacerts: INFO: extracting cert nick=`Default Trust:ACCVRAIZ1' to file `/tmp/openldap-tlsmc-certs--B16AB0F6CE916B7E718C9ECC964B8F39FCA3D51A506498B0DBB4BAAFDC17EC49/cacerts/cert0.pem'.
radiusd:232612:1650387580.624743:Tue Apr 19 11:59:40 2022: tlsmc_cert_create_hash_symlink: INFO: the cert is now symlinked to /tmp/openldap-tlsmc-certs--B16AB0F6CE916B7E718C9ECC964B8F39FCA3D51A506498B0DBB4BAAFDC17EC49/cacerts/a94d09e5.0.
...
radiusd:232612:1650387581.093069:Tue Apr 19 11:59:41 2022: tlsmc_extract_cacerts: INFO: extracting cert nick=`Default Trust:thawte Primary Root CA - G3' to file `/tmp/openldap-tlsmc-certs--B16AB0F6CE916B7E718C9ECC964B8F39FCA3D51A506498B0DBB4BAAFDC17EC49/cacerts/cert154.pem'.
radiusd:232612:1650387581.095637:Tue Apr 19 11:59:41 2022: tlsmc_cert_create_hash_symlink: INFO: the cert is now symlinked to /tmp/openldap-tlsmc-certs--B16AB0F6CE916B7E718C9ECC964B8F39FCA3D51A506498B0DBB4BAAFDC17EC49/cacerts/ba89ed3b.0.
radiusd:232612:1650387581.097274:Tue Apr 19 11:59:41 2022: tlsmc_extract_cert_key_pair: WARN: supplied nickname is empty (NULL).
radiusd:232612:1650387581.099975:Tue Apr 19 11:59:41 2022: tlsmc_convert: WARN: extracted cert file is not present.
radiusd:232612:1650387581.100044:Tue Apr 19 11:59:41 2022: tlsmc_convert: WARN: extracted key file is not present.
radiusd:232612:1650387581.103887:Tue Apr 19 11:59:41 2022: tlsmc_intercept_initialization: INFO: altered options follow:
radiusd:232612:1650387581.103990:Tue Apr 19 11:59:41 2022: tlsmc_intercept_initialization: INFO: cacertdir = `/tmp/openldap-tlsmc-certs--B16AB0F6CE916B7E718C9ECC964B8F39FCA3D51A506498B0DBB4BAAFDC17EC49/cacerts'
radiusd:232612:1650387581.104027:Tue Apr 19 11:59:41 2022: tlsmc_intercept_initialization: INFO: certfile = `(null)'
radiusd:232612:1650387581.104053:Tue Apr 19 11:59:41 2022: tlsmc_intercept_initialization: INFO: keyfile = `(null)'
radiusd:232612:1650387581.104082:Tue Apr 19 11:59:41 2022: tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
radiusd:232612:1650387581.104108:Tue Apr 19 11:59:41 2022: TLSMC: MozNSS compatibility interception ends.
radiusd:232612:1650387581.109580:Tue Apr 19 11:59:41 2022: TLS trace: SSL_connect:before/connect initialization
radiusd:232612:1650387581.109714:Tue Apr 19 11:59:41 2022: TLS trace: SSL_connect:SSLv2/v3 write client hello A
radiusd:232612:1650387581.109734:Tue Apr 19 11:59:41 2022: TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
radiusd:232612:1650387581.109760:Tue Apr 19 11:59:41 2022: ldap_int_tls_start: ldap_int_tls_connect needs read
radiusd:232612:1650387581.109788:Tue Apr 19 11:59:41 2022: ldap_int_poll: fd: 36 tm: 1
radiusd:232612:1650387581.130236:Tue Apr 19 11:59:41 2022: ldap_is_sock_ready: 36
radiusd:232612:1650387581.130424:Tue Apr 19 11:59:41 2022: ldap_ndelay_off: 36
radiusd:232612:1650387581.130453:Tue Apr 19 11:59:41 2022: TLS trace: SSL_connect:SSLv3 read server hello A
radiusd:232612:1650387581.130568:Tue Apr 19 11:59:41 2022: TLS certificate verification: depth: 0, err: 20, subject: /CN=CSURF-DOT1X-DC1.csurflab.local, issuer: /DC=local/DC=csurflab/CN=CSURF-DOT1X-DC1-CA
radiusd:232612:1650387581.130626:Tue Apr 19 11:59:41 2022: TLS certificate verification: Error, unable to get local issuer certificate
radiusd:232612:1650387581.130654:Tue Apr 19 11:59:41 2022: TLS certificate verification: depth: 0, err: 21, subject: /CN=CSURF-DOT1X-DC1.csurflab.local, issuer: /DC=local/DC=csurflab/CN=CSURF-DOT1X-DC1-CA
radiusd:232612:1650387581.130693:Tue Apr 19 11:59:41 2022: TLS certificate verification: Error, unable to verify the first certificate
radiusd:232612:1650387581.130715:Tue Apr 19 11:59:41 2022: TLS trace: SSL_connect:SSLv3 read server certificate A
radiusd:232612:1650387581.130742:Tue Apr 19 11:59:41 2022: TLS trace: SSL_connect:SSLv3 read server key exchange A
radiusd:232612:1650387581.130771:Tue Apr 19 11:59:41 2022: TLS trace: SSL_connect:SSLv3 read server certificate request A
radiusd:232612:1650387581.130791:Tue Apr 19 11:59:41 2022: TLS trace: SSL_connect:SSLv3 read server done A
radiusd:232612:1650387581.130809:Tue Apr 19 11:59:41 2022: TLS trace: SSL_connect:SSLv3 write client certificate A
radiusd:232612:1650387581.135259:Tue Apr 19 11:59:41 2022: TLS trace: SSL_connect:SSLv3 write client key exchange A
radiusd:232612:1650387581.135447:Tue Apr 19 11:59:41 2022: TLS trace: SSL_connect:SSLv3 write change cipher spec A
radiusd:232612:1650387581.135472:Tue Apr 19 11:59:41 2022: TLS trace: SSL_connect:SSLv3 write finished A
radiusd:232612:1650387581.135505:Tue Apr 19 11:59:41 2022: TLS trace: SSL_connect:SSLv3 flush data
radiusd:232612:1650387581.135537:Tue Apr 19 11:59:41 2022: TLS trace: SSL_connect:error in SSLv3 read finished A
radiusd:232612:1650387581.135559:Tue Apr 19 11:59:41 2022: TLS trace: SSL_connect:error in SSLv3 read finished A
radiusd:232612:1650387581.135577:Tue Apr 19 11:59:41 2022: ldap_int_tls_start: ld 0x230d190 0 s 328594 us to go
radiusd:232612:1650387581.135600:Tue Apr 19 11:59:41 2022: ldap_int_tls_start: ldap_int_tls_connect needs read
radiusd:232612:1650387581.135626:Tue Apr 19 11:59:41 2022: ldap_int_poll: fd: 36 tm: 0
radiusd:232612:1650387581.137318:Tue Apr 19 11:59:41 2022: ldap_is_sock_ready: 36
radiusd:232612:1650387581.137465:Tue Apr 19 11:59:41 2022: ldap_ndelay_off: 36
radiusd:232612:1650387581.137517:Tue Apr 19 11:59:41 2022: TLS trace: SSL_connect:SSLv3 read finished A
radiusd:232612:1650387581.137575:Tue Apr 19 11:59:41 2022: TLS: unable to get peer certificate.
radiusd:232612:1650387581.137600:Tue Apr 19 11:59:41 2022: ldap_open_defconn: successful
radiusd:232612:1650387581.137618:Tue Apr 19 11:59:41 2022: ldap_send_server_request
radiusd:232612:1650387581.137637:Tue Apr 19 11:59:41 2022: [ldap.CSURFLAB] waiting for bind result ...
radiusd:232612:1650387581.137673:Tue Apr 19 11:59:41 2022: ldap_result ld 0x230d190 msgid 1
radiusd:232612:1650387581.137691:Tue Apr 19 11:59:41 2022: wait4msg ld 0x230d190 msgid 1 (timeout 4000000 usec)
radiusd:232612:1650387581.137709:Tue Apr 19 11:59:41 2022: wait4msg continue ld 0x230d190 msgid 1 all 1
radiusd:232612:1650387581.137731:Tue Apr 19 11:59:41 2022: ** ld 0x230d190 Connections:
radiusd:232612:1650387581.137752:Tue Apr 19 11:59:41 2022: * host: csurf-dot1x-dc1.csurflab.local port: 3269 (default)
radiusd:232612:1650387581.137770:Tue Apr 19 11:59:41 2022: refcnt: 2 status: Connected
radiusd:232612:1650387581.137797:Tue Apr 19 11:59:41 2022: last used: Tue Apr 19 11:59:41 2022
radiusd:232612:1650387581.137815:Tue Apr 19 11:59:41 2022:
radiusd:232612:1650387581.137842:Tue Apr 19 11:59:41 2022:
radiusd:232612:1650387581.137861:Tue Apr 19 11:59:41 2022: ** ld 0x230d190 Outstanding Requests:
radiusd:232612:1650387581.137879:Tue Apr 19 11:59:41 2022: * msgid 1, origid 1, status InProgress
radiusd:232612:1650387581.137893:Tue Apr 19 11:59:41 2022: outstanding referrals 0, parent count 0
radiusd:232612:1650387581.137911:Tue Apr 19 11:59:41 2022: ld 0x230d190 request count 1 (abandoned 0)
radiusd:232612:1650387581.137928:Tue Apr 19 11:59:41 2022: ** ld 0x230d190 Response Queue:
radiusd:232612:1650387581.137943:Tue Apr 19 11:59:41 2022: Empty
radiusd:232612:1650387581.137960:Tue Apr 19 11:59:41 2022: ld 0x230d190 response count 0
radiusd:232612:1650387581.137976:Tue Apr 19 11:59:41 2022: ldap_chkResponseList ld 0x230d190 msgid 1 all 1
radiusd:232612:1650387581.137990:Tue Apr 19 11:59:41 2022: ldap_chkResponseList returns ld 0x230d190 NULL
radiusd:232612:1650387581.138007:Tue Apr 19 11:59:41 2022: ldap_int_select
radiusd:232612:1650387581.139158:Tue Apr 19 11:59:41 2022: read1msg: ld 0x230d190 msgid 1 all 1
radiusd:232612:1650387581.139254:Tue Apr 19 11:59:41 2022: read1msg: ld 0x230d190 msgid 1 message type bind
radiusd:232612:1650387581.139284:Tue Apr 19 11:59:41 2022: read1msg: ld 0x230d190 0 new referrals
radiusd:232612:1650387581.139314:Tue Apr 19 11:59:41 2022: read1msg: mark request completed, ld 0x230d190 msgid 1
radiusd:232612:1650387581.139337:Tue Apr 19 11:59:41 2022: request done: ld 0x230d190 msgid 1
radiusd:232612:1650387581.139357:Tue Apr 19 11:59:41 2022: res_errno: 0, res_error: <>, res_matched: <>
radiusd:232612:1650387581.139378:Tue Apr 19 11:59:41 2022: ldap_free_request (origid 1, msgid 1)
radiusd:232612:1650387581.139404:Tue Apr 19 11:59:41 2022: ldap_parse_result
radiusd:232612:1650387581.139428:Tue Apr 19 11:59:41 2022: ldap_msgfree
radiusd:232612:1650387581.139444:Tue Apr 19 11:59:41 2022: [ldap.CSURFLAB] Bind was successful
radiusd:232612:1650387581.139464:Tue Apr 19 11:59:41 2022: [ldap.CSURFLAB] performing search in dc=CSURFLAB,dc=LOCAL, with filter (|(userPrincipalName=anonymous at csurflab.local)(sAMAccountName=testuser1))
radiusd:232612:1650387581.139521:Tue Apr 19 11:59:41 2022: ldap_search
This is the configuration from FR3 (not working):
[root at csurf-dot1x-ca2 dot1x]# cat /usr/local/forescout/plugin/dot1x/fs_radius/etc/raddb/ldap/ldap_enc__CSURFLAB
ldap ldap__CSURFLAB {
    server = "csurf-dot1x-dc1.csurflab.local"
    port = 3269
    identity = Administrator at csurflab.local
    password = a51a7127ea9bd74b0c46e0dfb41237235a7b8d385483975e9aee4427d16b09581fa
    base_dn = "dc=CSURFLAB,dc=LOCAL"
    #enable_krb5_with_ccache = "/usr/local/forescout/plugin/dot1x/fs_radius/var/run/radiusd/krb5_ccache.CSURFLAB.LOCAL"
    #krb5_ccache_init_cmd = "/usr/bin/fstool dot1x_kinit -d CSURFLAB"
    sasl {
        #mech = 'GSSAPI'
    }
    user {
        base_dn = "${..base_dn}"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{mschap:User-Name}:-%{User-Name}})"
    }
    group {
        base_dn = "${..base_dn}"
        membership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))"
        membership_attribute = memberOf
    }
    profile {
    }
    client {
        base_dn = "${..base_dn}"
        filter = '(objectClass=radiusClient)'
        template {
        }
        attribute {
            ipaddr = 'radiusClientIdentifier'
            secret = 'radiusClientSecret'
        }
    }
    accounting {
        reference = "%{tolower:type.%{Acct-Status-Type}}"
        type {
            start {
                update {
                    description := "Online at %S"
                }
            }
            interim-update {
                update {
                    description := "Last seen at %S"
                }
            }
            stop {
                update {
                    description := "Offline at %S"
                }
            }
        }
    }
    post-auth {
        update {
            description := "Authenticated at %S"
        }
    }
    options {
        ldap_debug = 0x8887
        chase_referrals = no
        rebind = no
        res_timeout = 4
        srv_timelimit = 3
        net_timeout = 1
        idle = 60
        probes = 3
        interval = 3
    }
    tls {
        start_tls = no
        tls_mode = yes
        ca_file = /usr/local/forescout/plugin/dot1x/fs_radius/etc/raddb/certs/ad_ca.pem
        ca_path = /etc/openldap/certs
        require_cert = "allow"
    }
    # Forescout: Uncomment for global catalog port over TLS
    tls_mode = yes
    pool {
        start = 0
        min = 0
        max = 5
        spare = 5
        uses = 0
        retry_delay = 30
        lifetime = 0
        idle_timeout = 60
    }
}
And the working configuration from FR2:
[root at csurf-d1x-ca1-b ~]# cat /usr/local/forescout/plugin/dot1x/fs_radius/etc/raddb/ldap/ldap_enc.CSURFLAB
# -*- text -*-
#
# $Id: 5538b945a8298024bdd5b31f8fdce912dbbc39b9 $
# Lightweight Directory Access Protocol (LDAP)
#
# This module definition allows you to use LDAP for
# authorization and authentication.
#
# See raddb/sites-available/default for reference to the
# ldap module in the authorize and authenticate sections.
#
# However, LDAP can be used for authentication ONLY when the
# Access-Request packet contains a clear-text User-Password
# attribute. LDAP authentication will NOT work for any other
# authentication method.
#
# This means that LDAP servers don't understand EAP. If you
# force "Auth-Type = LDAP", and then send the server a
# request containing EAP authentication, then authentication
# WILL NOT WORK.
#
# The solution is to use the default configuration, which does
# work.
#
# Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We
# really can't emphasize this enough.
#
ldap ldap.CSURFLAB {
#
# Note that this needs to match the name in the LDAP
# server certificate, if you're using ldaps.
server = "csurf-dot1x-dc1.csurflab.local"
identity = Administrator at csurflab.local
password = a02bc81b407a7bc21b11f4acc38635114a2896ab9e2d8d960b9b3560e612497b3ea
basedn = "dc=CSURFLAB,dc=LOCAL"
filter = "(|(userPrincipalName=%{%{User-Name}:-%{Stripped-User-Name}:-%{mschap:User-Name}:-None}@csurflab.local)(sAMAccountName=%{%{Stripped-User-Name}:-%{mschap:User-Name}:-%{User-Name}:-None}))"
#base_filter = "(objectclass=radiusprofile)"
# Enable krb5 authentication using given credential cache
#enable_krb5_with_ccache = "/var/run/radiusd/krb5_ccache"
#
# A script to init krb5 credentials if needed, it will be
# invoked with conf arguments: ccache principal password
#krb5_ccache_init_cmd = "/usr/my_kinit_script"
# How many connections to keep open to the LDAP server.
# This saves time over opening a new LDAP socket for
# every authentication request.
ldap_connections_number = 5
# How many times the connection can be used before
# being re-established. This is useful for things
# like load balancers, which may exhibit sticky
# behaviour without it. (0) is unlimited.
max_uses = 0
# Port to connect on, defaults to 389. Setting this to
# 636 will enable LDAPS if start_tls = no
# able to be used.
port = 3269
# seconds to wait for LDAP query to finish. default: 20
timeout = 4
# seconds LDAP server has to process the query (server-side
# time limit). default: 20
#
# LDAP_OPT_TIMELIMIT is set to this value.
timelimit = 3
#
# seconds to wait for response of the server. (network
# failures) default: 10
#
# LDAP_OPT_NETWORK_TIMEOUT is set to this value.
net_timeout = 1
#
# This subsection configures the tls related items
# that control how FreeRADIUS connects to an LDAP
# server. It contains all of the "tls_*" configuration
# entries used in older versions of FreeRADIUS. Those
# configuration entries can still be used, but we recommend
# using these.
#
tls {
# Set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
#
# The StartTLS operation is supposed to be
# used with normal ldap connections instead of
# using ldaps (port 636) connections
start_tls = no
cacertfile = /usr/local/forescout/plugin/dot1x/fs_radius/etc/raddb/certs/ad_ca.pem
# cacertdir = /path/to/ca/dir/
# certfile = /path/to/radius.crt
# keyfile = /path/to/radius.key
# randfile = /path/to/rnd
# Certificate Verification requirements. Can be:
# "never" (don't even bother trying)
# "allow" (try, but don't fail if the cerificate
# can't be verified)
# "demand" (fail if the certificate doesn't verify.)
#
# The default is "allow"
require_cert = "allow"
}
# Forescout: Uncomment for global catalog port over TLS
tls_mode = yes
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
# access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${confdir}/ldap.attrmap
# Set password_attribute = nspmPassword to get the
# user's password from a Novell eDirectory
# backend. This will work ONLY IF FreeRADIUS has been
# built with the --with-edir configure option.
#
# See also the following links:
#
# http://www.novell.com/coolsolutions/appnote/16745.html
# https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
#
# Novell may require TLS encrypted sessions before returning
# the user's password.
#
# password_attribute = userPassword
# Un-comment the following to disable Novell
# eDirectory account policy check and intruder
# detection. This will work *only if* FreeRADIUS is
# configured to build with --with-edir option.
#
edir_account_policy_check = no
#
# Group membership checking. Disabled by default.
#
# groupname_attribute = cn
groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))"
groupmembership_attribute = memberOf
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes
#
# The following two configuration items are for Active Directory
# compatibility. If you see the helpful "operations error"
# being returned to the LDAP module, uncomment the next
# two lines.
#
chase_referrals =
rebind =
#
# By default, if the packet contains a User-Password,
# and no other module is configured to handle the
# authentication, the LDAP module sets itself to do
# LDAP bind for authentication.
#
# THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
#
# THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
#
# You can disable this behavior by setting the following
# configuration entry to "no".
#
# allowed values: {no, yes}
# set_auth_type = yes
# ldap_debug: debug flag for LDAP SDK
# (see OpenLDAP documentation). Set this to enable
# huge amounts of LDAP debugging on the screen.
# You should only use this if you are an LDAP expert.
#
# default: 0x0000 (no debugging messages)
# Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
ldap_debug = 0x8887
#
# Keepalive configuration. This MAY NOT be supported by your
# LDAP library. If these configuration entries appear in the
# output of "radiusd -X", then they are supported. Otherwise,
# they are unsupported, and changing them will do nothing.
#
keepalive {
# LDAP_OPT_X_KEEPALIVE_IDLE
idle = 60
# LDAP_OPT_X_KEEPALIVE_PROBES
probes = 3
# LDAP_OPT_X_KEEPALIVE_INTERVAL
interval = 3
}
}
Thanks,
Xin L. Huang, FSCA
Software Engineer
ForeScout Technologies, Inc.
xin.huang at forescout.com
m: 617.549.9754
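As an added example that is not part of the original post and is not FreeRADIUS code, here is a minimal Python client that does what the FR2 log shows and the FR3 log lacks on port 3269: it completes a TLS handshake validated against the AD CA before the first LDAP PDU is sent, and it includes a classifier for the first bytes a peer sends so a capture like the one described can be read off quickly. Host, bind DN, password and CA path in the block are placeholders, not values from the post.

```python
"""Implicit-TLS (LDAPS) simple bind against a Global Catalog port.

On port 3269 there is no StartTLS step: the client must finish a TLS
handshake first and only then send LDAP PDUs.  Sending a cleartext
BindRequest to such a port is what gets reset by the server.
"""
import socket
import ssl

GC_PORT = 3269  # Global Catalog over implicit TLS


def ber_len(n):
    """BER definite-form length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, content):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value):
    """BER INTEGER with minimal two's-complement content octets."""
    length = 1
    while not -(1 << (8 * length - 1)) <= value < (1 << (8 * length - 1)):
        length += 1
    return ber_tlv(0x02, value.to_bytes(length, "big", signed=True))


def ber_read(buf, pos=0):
    """Return (tag, content, next_pos) for the element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def simple_bind_request(msg_id, dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3,
    name, authentication simple [0] } }: the PDU that must never leave the
    host before the TLS handshake on an LDAPS port."""
    bind = ber_int(3) + ber_tlv(0x04, dn.encode()) + ber_tlv(0x80, password.encode())
    return ber_tlv(0x30, ber_int(msg_id) + ber_tlv(0x60, bind))


def parse_bind_response(data):
    """Decode a BindResponse [APPLICATION 1]; return (msg_id, resultCode, diag)."""
    tag, msg, _ = ber_read(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = ber_read(msg)
    tag, body, _ = ber_read(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = ber_read(body)           # ENUMERATED resultCode
    _, _matched, pos = ber_read(body, pos)  # matchedDN
    _, diag, _ = ber_read(body, pos)        # diagnosticMessage
    return int.from_bytes(mid, "big", signed=True), int.from_bytes(code, "big"), diag.decode()


def classify_first_bytes(data):
    """Label the first bytes a peer sent, as seen in a capture: a TLS listener
    answers with a TLS record (handshake 0x16 or alert 0x15, version byte 0x03),
    a plaintext LDAP listener with a BER SEQUENCE (0x30); nothing at all means
    the peer closed or reset, which is what the FR3 capture in the post shows."""
    if not data:
        return "closed"
    if len(data) >= 2 and data[1] == 0x03 and data[0] in (0x15, 0x16):
        return "tls-alert" if data[0] == 0x15 else "tls-handshake"
    if data[0] == 0x30:
        return "ldap-plaintext"
    return "unknown"


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def recv_ldap_message(sock):
    """Read exactly one BER element: tag, length octets, then the declared content."""
    head = _recv_exact(sock, 2)
    if head[1] & 0x80:
        extra = _recv_exact(sock, head[1] & 0x7F)
        length = int.from_bytes(extra, "big")
        head += extra
    else:
        length = head[1]
    return head + _recv_exact(sock, length)


def gc_simple_bind(host, dn, password, ca_file, port=GC_PORT, timeout=4.0):
    """Bind to a Global Catalog port the way the FR2 log does: finish the TLS
    handshake, validated against the AD CA file, before any LDAP PDU is sent."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED  # strict counterpart of require_cert = "demand"
    ctx.check_hostname = True            # server name must match the GC certificate
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(simple_bind_request(1, dn, password))
            return parse_bind_response(recv_ldap_message(tls))


if __name__ == "__main__":
    # Placeholder host, DN, password and CA path (assumptions, not the post's values).
    print(gc_simple_bind("gc.example.local", "cn=svc-radius,dc=example,dc=local",
                         "CHANGE-ME", "/path/to/ad_ca.pem"))
```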