LDAP on GC with TLS in upgrade from FreeRadius 2 to FreeRadius 3 not working

Alan DeKok aland at deployingradius.com
Wed Apr 20 16:16:12 UTC 2022

On Apr 20, 2022, at 12:11 PM, Xin Huang <xin.huang at forescout.com> wrote:
> I am trying to troubleshoot an issue with the ldap module after upgrading from FreeRadius version 2.2.9 to FreeRadius version 3.0.19.
> When using the GC LDAPs port (3269) the LDAP-Group search no longer works on FR3. It seems that the ldap module does not attempt to start tls on port 3269. In a packet capture I can see that there is no TLS certificate exchange, and FreeRadius sends cleartext username and password after TCP handshake, then the LDAP server immediately sends a RST.
> In contrast, on FR2, there is a tls negotiation starting and then when successful it is able to perform the LDAP-Group search.

  See https://networkradius.com/packages/

  Look for "ldap".

> ..
> radiusd:7878:1650470518.552032:Wed Apr 20 11:01:58 2022: ldap_url_parse_ext(ldap://csurf-dot1x-dc1.csurflab.local:3269)
> radiusd:7878:1650470518.552046:Wed Apr 20 11:01:58 2022: TLSMC: MozNSS compatibility interception begins.

  Yeah, that's garbage.  It doesn't work.

  And PLEASE follow the documentation: http://wiki.freeradius.org

  We do NOT not need to see the server run with "-xxxxxxxxx".  It DOES NOT HELP.

  We do NOT need to see the configuration files.  It DOES NOT HELP.

  Following the documentation DOES help to debug and solve issues.

  Alan DeKok.

More information about the Freeradius-Users mailing list