FreeRadius and FreeIpa integration not working in our Lab setup
Krishna Chaitanya
krishna.chaitanya at qi-cap.com
Mon Jul 25 08:08:21 UTC 2022
Can anyone suggest a guide to make MS-CHAP authentication work when using
FreeIPA + FreeRADIUS?
Thanks in advance.
Krishna Chaitanya Ala
Network and Operations Engineer
QI Cap Markets LLP
Bangalore, Karnataka
Slack: krishna.chaitanya at qi-cap.com
On Thu, 21 Jul 2022 at 17:35, Alan DeKok <aland at deployingradius.com> wrote:
> On Jul 21, 2022, at 7:05 AM, Krishna Chaitanya <krishna.chaitanya at qi-cap.com> wrote:
> > FreeRADIUS: Using mschapv2 with freeipa for wireless authentication.
> > I am following the below links to use mschapv2 authentication to
> > authenticate wireless users using FreeIPA + FreeRADIUS.
> >
> > https://fy.blackhats.net.au/blog/html/2015/07/06/FreeIPA:_Giving_permissions_to_service_accounts..html
> >
> > https://fy.blackhats.net.au/blog/html/2016/01/13/FreeRADIUS:_Using_mschapv2_with_freeipa.html
>
> That documentation might work. On quick inspection it's not completely
> wrong, which is a big win.
>
> > However, I am getting some bind errors when running radius in debug
> > mode. The debug report shows that the LDAP bind is unsuccessful due to
> > invalid credentials, and I am sure that the bind credentials mentioned in
> > the mods-available/ldap module are correct.
>
> Well, if FreeIPA says "invalid credentials", then the credentials are
> invalid.
>
> We don't need to see the module configuration. All of the documentation
> says to just post the debug output.
>
> > rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
> > rlm_ldap (ldap): Connecting to ldap://122.1.5.84:389
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Bind credentials incorrect: Invalid credentials
> > rlm_ldap (ldap): Opening connection failed (0)
> > rlm_ldap (ldap): Removing connection pool
> > /etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module
>
> That's been "helpfully" reformatted to be difficult to read. But OK...
>
> If the credentials are invalid, then they're invalid. That's really it.
>
> The ldap module also contains instructions for how to test the
> configuration using ldapsearch. You can try that, too.
>
> >
> > ====================================================================================
> > When I comment out the Identity and password details in the LDAP module,
> > radius can get started in debug mode. However, the radtest below with
> > mschap type is getting rejected.
>
> It's helpful to read the messages. They tell you what's wrong.
>
> > Below is the radtest command on client and debug report on IPA server.
>
> We don't need to see radtest either. The documentation is very clear on
> this.
>
> > ...
> > (0) ldap: Performing search in "cn=users,cn=accounts,dc=qi-cap,dc=com"
> with
> > filter "(uid=radius)", scope "sub"
> > (0) ldap: Waiting for search result...
> > (0) ldap: User object found at DN
> > "uid=radius,cn=users,cn=accounts,dc=qi-cap,dc=com"
> > (0) ldap: Processing user attributes
> > (0) ldap: WARNING: No "known good" password added. Ensure the admin user
> > has permission to read the password attribute
>
> FreeIPA isn't giving FreeRADIUS the user's password.
>
> You can't hand the MS-CHAP stuff to FreeIPA, as it doesn't do MS-CHAP.
> FreeRADIUS does MS-CHAP, but it needs the user's password. And FreeIPA
> will only give the password to FreeRADIUS when FreeRADIUS uses a
> "read-only" administrator account.
>
> i.e. an account which has permission to read the password.
>
> Use ldapsearch to test the FreeRADIUS configuration. There are
> instructions in the default mods-enabled/ldap file on how to do this.
>
> Alan DeKok.
>
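Alan's advice above is to reproduce rlm_ldap's search with ldapsearch before touching the module config. The script below is an added example, not code from the thread or from the FreeRADIUS or FreeIPA projects: it runs the same search using the bind account from the ldap module, asks explicitly for `ipaNTHash` (the attribute FreeIPA stores the NT hash in, which is what MS-CHAPv2 needs; it is only populated after ipa-adtrust-install and a later password change), and then classifies the LDIF so the three failure modes seen in the thread are told apart: bind rejected, user found but password attribute not readable, or everything in place. The server URL, bind DN, base DN and test user are placeholders you replace with your own values; `classify_ldif` and `report` are helper names invented here.

```shell
#!/bin/sh
# Added example: check whether the account FreeRADIUS binds with can read the
# NT hash FreeIPA keeps for a user. All connection values below are assumptions.
LDAP_URL="ldap://ipa.example.test:389"                            # assumption
BIND_DN="uid=radius,cn=sysaccounts,cn=etc,dc=example,dc=test"     # assumption
BASE_DN="cn=users,cn=accounts,dc=example,dc=test"                 # assumption
TEST_USER="alice"                                                 # assumption

# Same search rlm_ldap performs for a user, requesting only ipaNTHash.
# -W prompts for the bind password so it never lands in shell history.
run_search() {
    ldapsearch -x -LLL -H "$LDAP_URL" -D "$BIND_DN" -W \
        -b "$BASE_DN" "(uid=$TEST_USER)" ipaNTHash
}

# Classify LDIF on stdin-as-argument:
#   0 = entry returned with ipaNTHash      (MS-CHAPv2 can work)
#   1 = entry returned without ipaNTHash   (no read permission, or hash never generated)
#   2 = no entry at all                    (bind failed, wrong base DN, or wrong filter)
classify_ldif() {
    ldif="$1"
    if ! printf '%s\n' "$ldif" | grep -q '^dn: '; then
        return 2
    fi
    # Binary attributes are emitted as "ipaNTHash:: <base64>", which this also matches.
    if printf '%s\n' "$ldif" | grep -q '^ipaNTHash:'; then
        return 0
    fi
    return 1
}

# Human-readable verdict for a classify_ldif return code.
report() {
    case "$1" in
        0) echo "OK: bind account can read ipaNTHash; FreeRADIUS can do MS-CHAPv2" ;;
        1) echo "WARNING: user found but no ipaNTHash returned; grant the bind account read permission on it, or regenerate the hash by changing the password" ;;
        2) echo "ERROR: no entry returned; check bind credentials, base DN and filter" ;;
        *) echo "unknown result code: $1" ;;
    esac
}

# Only contact the server when explicitly asked: ./check_nthash.sh --run
if [ "${1:-}" = "--run" ]; then
    out=$(run_search)
    rc=0
    classify_ldif "$out" || rc=$?
    report "$rc"
    exit "$rc"
fi
```

A result of 1 is exactly the situation behind the "No known good password added" warning in the debug output: rlm_ldap found the user but got nothing it could use as a password, so the mschap module has nothing to compare against. Once the search returns the attribute, the ldap module's `update` block still has to map it (in FreeRADIUS 3 syntax that is a line of the form `control:NT-Password := 'ipaNTHash'`; the exact line the blog posts use is not reproduced here).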