FreeRadius and FreeIpa integration not working in our Lab setup

Michael Schwartzkopff ms at sys4.de
Mon Jul 25 08:19:14 UTC 2022


On 25.07.22 10:08, Krishna Chaitanya wrote:
> Can anyone suggest a guide to make ms-chap authentication work when using
> freeIPA + Freeradius.
> Thanks in Advance.
>
> *Krishna Chaitanya Ala*
> *Network and Operations Engineer*
>
> *QI Cap Markets LLP*
> *Bangalore, Karnataka*
> *Slack : krishna.chaitanya at qi-cap.com <krishna.chaitanya at qi-cap.com>*
>
>
>
> On Thu, 21 Jul 2022 at 17:35, Alan DeKok <aland at deployingradius.com> wrote:
>
>> On Jul 21, 2022, at 7:05 AM, Krishna Chaitanya <
>> krishna.chaitanya at qi-cap.com> wrote:
>>> FreeRADIUS: Using mschapv2 with freeipa for wireless authentication.
>>> I am following the below links to use mschapv2 authentication to have
>>> authenticate wireless users using FreeIPA+ Freeradius.
>>>
>> https://fy.blackhats.net.au/blog/html/2015/07/06/FreeIPA:_Giving_permissions_to_service_accounts..html
>> https://fy.blackhats.net.au/blog/html/2016/01/13/FreeRADIUS:_Using_mschapv2_with_freeipa.html
>>
>>    That documentation might work. On quick inspection it's not completely
>> wrong, which is a big win.
>>
>>> However, I am getting some bind errors when running radius in Debug
>>> mode. The Debug report shows that ldap bind is unsuccessful due to invalid
>>> credentials and am sure that bind credentials mentioned in
>>> *mods-available/ldap* module is correct.
>>    Well, if FreeIPA says "invalid credentials", then the credentials are
>> invalid.
>>
>>    We don't need to see the module configuration.  All of the documentation
>> says to just post the debug output.
>>
>>> *   }rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending
>>> slots usedrlm_ldap (ldap): Connecting to ldap://122.1.5.84:389
>>> <http://122.1.5.84:389>rlm_ldap (ldap): Waiting for bind
>> result...rlm_ldap
>>> (ldap): Bind credentials incorrect: Invalid credentialsrlm_ldap (ldap):
>>> Opening connection failed (0)rlm_ldap (ldap): Removing connection
>>> pool/etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module
>>    That's been "helpfully" reformatted to be difficult to read.  But OK...
>>
>>    If the credentials are invalid, then they're invalid.  That's really it.
>>
>>    The ldap module also contains instructions for how to test the
>> configuration using ldapsearch.  You can try that, too.
>>
>> ====================================================================================
>>> When I comment out *Identity and password* details in Ldap module radius
>>> can get started in debug mode. However, below radtest with mschap type is
>>> getting rejected.
>>    It's helpful to read the messages.  They tell you what's wrong.
>>
>>> Below is the radtest command on client and debug report on IPA server.
>>    We don't need to see radtest either.  The documentation is very clear on
>> this.
>>
>>> ...
>>> (0) ldap: Performing search in "cn=users,cn=accounts,dc=qi-cap,dc=com"
>> with
>>> filter "(uid=radius)", scope "sub"
>>> (0) ldap: Waiting for search result...
>>> (0) ldap: User object found at DN
>>> "uid=radius,cn=users,cn=accounts,dc=qi-cap,dc=com"
>>> (0) ldap: Processing user attributes
>>> (0) ldap: WARNING: No "known good" password added. Ensure the admin user
>>> has permission to read the password attribute
>>    FreeIPA isn't giving FreeRADIUS the user's password.
>>
>>    You can't hand the MS-CHAP stuff to FreeIPA, as it doesn't do MS-CHAP.
>>   FreeRADIUS does MS-CHAP, but it needs the user's password.  And FreeIPA
>> will only give the password to FreeRADIUS when FreeRADIUS uses a
>> "read-only" administrator account.
>>
>>    i.e. an account which has permission to read the password.
>>
>>    Use ldapsearch to test the FreeRADIUS configuration.  There are
>> instructions in the default mods-enabled/ldap file on how to do this.
>>
>>    Alan DeKok.
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>


Did you do the ldapsearch?

Do you get a password attribute from the FreeIPA LDAP?

For MS-CHAP auth the password does not work with salted hashes. See:

http://deployingradius.com/documents/protocols/compatibility.html


As far as I know, FreeIPA stores the password as salted hashes.


Perhaps you should take one step back and first think about what you 
want to achieve.

What service do you want to authenticate with RADIUS?

What is the backend?

How does it store passwords?

How can you access the password attribute?

What AUTH protocol do you want to use?


And finally: Are your ideas technically feasible?


Without access to a password attribute, FreeRADIUS cannot authenticate 
anything.

Do not work against the protocol compatibility matrix. It just won't work.


Kind regards,

-- 

[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Board of Directors: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the Supervisory Board: Florian Kirstein
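As an added illustration of the compatibility-matrix point made in this thread (not code from the thread or from FreeRADIUS), the small Python checker below classifies the password attribute an LDAP bind returns for a user by whether the mschap module could use it: a cleartext value or a raw NT hash works, a salted one-way hash such as {SSHA} cannot. The attribute name `ipaNTHash`, the `{nt}`/`{nthash}` prefixes and all sample values are assumptions constructed for the example.

```python
"""Classify the password attribute FreeRADIUS gets back from LDAP by whether
the mschap module can use it. MS-CHAPv2 needs the NT hash (or a cleartext
password to derive it); a salted one-way hash such as {SSHA} cannot be
turned into an NT hash, so MS-CHAP must fail against such a backend.
All sample values are constructed for this example."""
import base64
import re

# Scheme prefixes of RFC 2307 style userPassword values. Which ones can feed
# MS-CHAP follows the deployingradius.com compatibility matrix: only the
# cleartext password or the NT hash itself work. Prefix names are assumed.
MSCHAP_OK = {"CLEARTEXT", "NT", "NTHASH"}
MSCHAP_FAIL = {"SSHA", "SHA", "SSHA256", "SSHA512", "CRYPT", "MD5", "SMD5", "PBKDF2"}

_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}")

def scheme_of(value: str) -> str:
    """Return the scheme tag of a userPassword value, or CLEARTEXT if untagged."""
    m = _SCHEME_RE.match(value)
    if not m:
        return "CLEARTEXT"
    return m.group(1).upper().replace("-", "").replace("_", "")

def mschap_usable(attrs: dict) -> tuple:
    """Decide whether one user's LDAP attributes allow MS-CHAP.
    attrs maps attribute name -> list of bytes values, as python-ldap returns."""
    if not attrs:
        # Mirrors the debug warning: nothing readable, so no "known good" password.
        return False, "no password attribute readable; check the bind identity's read permission"
    nt = attrs.get("ipaNTHash", [])  # assumption: FreeIPA's NT-hash attribute name
    if nt and len(nt[0]) == 16:  # a raw NT hash is 16 bytes
        return True, "ipaNTHash present; mschap can use it directly"
    for raw in attrs.get("userPassword", []):
        scheme = scheme_of(raw.decode("utf-8", "replace"))
        if scheme in MSCHAP_OK:
            return True, "userPassword scheme %s is usable" % scheme
        if scheme in MSCHAP_FAIL:
            return False, "userPassword scheme %s is a salted/one-way hash; MS-CHAP cannot use it" % scheme
    return False, "no usable password attribute found"

# Constructed sample entries: what three different directory setups might return.
SAMPLE_USERS = {
    "salted": {"userPassword": [b"{SSHA}" + base64.b64encode(b"\x11" * 20 + b"salt")]},
    "nthash": {"ipaNTHash": [b"\x22" * 16]},
    "unreadable": {},
}
```

Running `mschap_usable` over each entry in `SAMPLE_USERS` reproduces the three outcomes discussed in the thread: the salted hash fails, the NT hash works, and an unreadable attribute gives the "no known good password" situation.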


