FreeRadius and FreeIpa integration not working in our Lab setup
Alan DeKok
aland at deployingradius.com
Thu Jul 21 12:04:54 UTC 2022
On Jul 21, 2022, at 7:05 AM, Krishna Chaitanya <krishna.chaitanya at qi-cap.com> wrote:
> FreeRADIUS: Using mschapv2 with freeipa for wireless authentication.
> I am following the links below to use mschapv2 authentication to
> authenticate wireless users using FreeIPA + FreeRADIUS.
> https://fy.blackhats.net.au/blog/html/2015/07/06/FreeIPA:_Giving_permissions_to_service_accounts..html
> https://fy.blackhats.net.au/blog/html/2016/01/13/FreeRADIUS:_Using_mschapv2_with_freeipa.html
That documentation might work. On quick inspection it's not completely wrong, which is a big win.
> However, I am getting some bind errors when running radius in Debug
> mode. The debug report shows that the ldap bind is unsuccessful due to invalid
> credentials, and I am sure that the bind credentials mentioned in the
> *mods-available/ldap* module are correct.
Well, if FreeIPA says "invalid credentials", then the credentials are invalid.
We don't need to see the module configuration. All of the documentation says to just post the debug output.
> rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
> rlm_ldap (ldap): Connecting to ldap://122.1.5.84:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind credentials incorrect: Invalid credentials
> rlm_ldap (ldap): Opening connection failed (0)
> rlm_ldap (ldap): Removing connection pool
> /etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module
That's been "helpfully" reformatted to be difficult to read. But OK...
If the credentials are invalid, then they're invalid. That's really it.
The ldap module also contains instructions for how to test the configuration using ldapsearch. You can try that, too.
> ====================================================================================
> When I comment out the *Identity and password* details in the ldap module, radius
> can get started in debug mode. However, the radtest below with mschap type is
> getting rejected.
It's helpful to read the messages. They tell you what's wrong.
> Below is the radtest command on client and debug report on IPA server.
We don't need to see radtest either. The documentation is very clear on this.
> ...
> (0) ldap: Performing search in "cn=users,cn=accounts,dc=qi-cap,dc=com" with
> filter "(uid=radius)", scope "sub"
> (0) ldap: Waiting for search result...
> (0) ldap: User object found at DN
> "uid=radius,cn=users,cn=accounts,dc=qi-cap,dc=com"
> (0) ldap: Processing user attributes
> (0) ldap: WARNING: No "known good" password added. Ensure the admin user
> has permission to read the password attribute
FreeIPA isn't giving FreeRADIUS the user's password.
You can't hand the MS-CHAP stuff to FreeIPA, as it doesn't do MS-CHAP. FreeRADIUS does MS-CHAP, but it needs the user's password. And FreeIPA will only give the password to FreeRADIUS when FreeRADIUS uses a "read-only" administrator account.
i.e. an account which has permission to read the password.
Use ldapsearch to test the FreeRADIUS configuration. There are instructions in the default mods-enabled/ldap file on how to do this.
Alan DeKok.
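The two failure modes in this thread (the bind rejecting the ldap module's identity/password, and the bind succeeding but the service account not being allowed to read the password attribute, which produces the "No known good password added" warning) can both be reproduced outside FreeRADIUS with ldapsearch, as the comments in mods-available/ldap suggest. The script below is an added example, not code from the thread or from the FreeRADIUS project: it prints an ldapsearch command mirroring the module's settings (the `-x -H -D -W -b` options are standard ldapsearch options; the server, bind DN and base DN are constructed placeholders), and classifies the returned LDIF by whether a password attribute came back. `userPassword` is the attribute the module reads by default; `ipaNTHash` is assumed here to be the FreeIPA attribute an MS-CHAP setup maps to NT-Password. The LDIF samples are constructed to show what a missing read permission looks like.

```sh
#!/bin/sh
# Added example: check the ldap module's bind and password-read permission
# with ldapsearch, outside FreeRADIUS. All DNs/hosts below are placeholders.

LDAP_URL="${LDAP_URL:-ldap://ipa.example.test:389}"                          # assumed server
BIND_DN="${BIND_DN:-uid=radius,cn=sysaccounts,cn=etc,dc=example,dc=test}"   # assumed identity
BASE_DN="${BASE_DN:-cn=users,cn=accounts,dc=example,dc=test}"               # assumed base_dn

# Print the ldapsearch call that mirrors identity/base_dn from mods-available/ldap.
# -W prompts for the bind password so it never lands in shell history.
# Args: url, bind dn, base dn, uid to look up.
ldap_bind_cmd() {
    printf 'ldapsearch -x -LLL -H %s -D "%s" -W -b "%s" "(uid=%s)" userPassword ipaNTHash\n' \
        "$1" "$2" "$3" "$4"
}

# Classify LDIF read from stdin (the ldapsearch output):
#   0 = a password attribute was returned, FreeRADIUS can do MS-CHAP
#   1 = entry found but no password attribute, the account lacks read permission
#   2 = no entry at all: wrong base_dn/filter, or the bind itself failed
classify_ldif() {
    ldif=$(cat)
    if ! printf '%s\n' "$ldif" | grep -q '^dn: '; then
        echo "no entry returned: check base_dn, the filter, or the bind credentials"
        return 2
    fi
    # ipaNTHash is base64 in LDIF ("ipaNTHash::"), the prefix match covers both forms
    if printf '%s\n' "$ldif" | grep -Eq '^(userPassword|ipaNTHash):'; then
        echo "password attribute readable: the ldap module can supply a known good password"
        return 0
    fi
    echo "entry found but no password attribute: grant the service account read permission"
    return 1
}

# Constructed samples of what FreeIPA returns with and without read permission.
SAMPLE_NO_PASSWORD='dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice'
SAMPLE_WITH_HASH='dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
ipaNTHash:: AAAAAAAAAAAAAAAAAAAAAA=='

demo() {
    echo "Run this, with the same password the ldap module uses:"
    ldap_bind_cmd "$LDAP_URL" "$BIND_DN" "$BASE_DN" alice
    echo "Sample without permission:"
    printf '%s\n' "$SAMPLE_NO_PASSWORD" | classify_ldif || echo "  -> exit status $?"
    echo "Sample with permission:"
    printf '%s\n' "$SAMPLE_WITH_HASH" | classify_ldif || echo "  -> exit status $?"
}
demo
```

Pipe the real ldapsearch output into `classify_ldif` (for example `ldapsearch ... | sh -c '. ./check.sh; classify_ldif'` after removing the `demo` call) and the exit status tells you which of the two problems you have: a bind rejection never gets as far as a `dn:` line, while a permission problem returns the entry without any password attribute, which is exactly the state the "No known good password added" warning reports.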