How "bind as user" mode works?

Alan DeKok aland at deployingradius.com
Thu Aug 17 14:49:07 UTC 2023


On Aug 17, 2023, at 10:17 AM, Rodrigo Abrantes Antunes <rodrigoantunes at pelotas.ifsul.edu.br> wrote:
> 
> Can you point me where in the debug output it shows that it's doing PEAP+MSCHAP?

  The point is not to just post to the list and complain.  The point is to *understand* what the server is doing.

  You should also not be surprised that my guess is wrong, because you've been careful to provide as little information as possible until about 4 messages into the conversation.  I don't understand why there's such a need to ignore the documentation, and to post vague questions.

  I also said that TTLS + PAP will work.  The only condition is that it needs to be configured properly.  With LDAP "bind as user" set in the inner tunnel.

  The debug log shows the important bit:

> ...
> (5) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
> (5) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
> rlm_ldap (ldap): Released connection (1)
> (5)       [ldap] = ok
> (5)       [expiration] = noop
> (5)       [logintime] = noop
> (5)       [pap] = noop
> (5)     } # authorize = ok
> (5)   ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject

  If you had posted the full debug log at the start, all of this back and forth could have been avoided.  You would have had a simple and clear answer within about ten minutes.  Instead, you're getting frustrated that you don't have a solution, and I'm frustrated that you're working hard to avoid getting a solution.

  And even here you've edited the debug output to remove a good chunk of it.  The beginning pieces are often useful when fixing problems like this.  That's why we keep saying in ALL of the documentation to post ALL of the debug output.  Just... read the documentation and do what it says.  It's not hard, and it makes everything easier.

  The problem here is that you didn't configure the LDAP "bind as user" functionality.  Which I said was needed for AD.

  Go back and read raddb/sites-enabled/inner-tunnel.

  Look for:

	#  Uncomment this section if you want to use ldap for
	#  authentication.  The "Auth-Type ldap { ...}" configuration
	#  section below also has to be uncommented.

  And then follow the instructions.

  If the "inner-tunnel" doesn't contain that text, then either it was deleted, or you're running an old version of the server which hasn't had the documentation updated.  But I don't know what version you're actually running, because the debug output has been edited, and doesn't show that.

  You can read the updated documentation on GitHub:  https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/sites-available/inner-tunnel

  Follow those instructions, add the "Auth-Type := LDAP" as documented, and it will work.

  This is why we write documentation.  This is why we ask people to follow documentation.  These issues with AD have been known for 15+ years.  The main reason people still have difficulty with this is because the documentation is being ignored.

  Alan DeKok.
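The inner-tunnel change the reply points at, written out as an added example (not part of Alan's message, and not a copy of the project file): the unlang below follows the pattern of raddb/sites-available/inner-tunnel in FreeRADIUS 3.x as I recall it, so compare it against your own copy of that file. It assumes an `ldap` module instance that is already configured, and TTLS with PAP as the inner method so that a cleartext User-Password reaches the inner tunnel.

```unlang
#  raddb/sites-enabled/inner-tunnel (excerpt, added example, not the
#  original post).  In the shipped file both marked blocks are commented
#  out; "bind as user" needs both of them active.

server inner-tunnel {
	authorize {
		# ... other modules as shipped ...

		#  Look the user up.  Against AD the admin bind cannot read the
		#  password attribute, so ldap returns "ok" without adding a
		#  "known good" password.  That is the WARNING in the debug log,
		#  and it is expected here: pap will stay "noop".
		-ldap

		#  Uncomment this section if you want to use ldap for
		#  authentication.  The "Auth-Type ldap { ...}" configuration
		#  section below also has to be uncommented.
		#
		#  Only TTLS + PAP delivers a cleartext User-Password into the
		#  tunnel; with PEAP + MSCHAPv2 this condition never matches,
		#  which is why the reply insists on TTLS + PAP for this setup.
		if ((ok || updated) && User-Password && !control:Auth-Type) {
			update {
				control:Auth-Type := ldap
			}
		}

		# ... rest of authorize ...
	}

	authenticate {
		# ... other Auth-Types ...

		#  Uncomment this block as well.  It binds to LDAP/AD *as the
		#  user*, with the password from the tunnel, instead of
		#  comparing against a password read from the directory.
		Auth-Type LDAP {
			ldap
		}
	}
}
```

With both blocks active, the inner-tunnel request in `radiusd -X` should reach `Auth-Type LDAP` instead of ending in the "No Auth-Type found: rejecting the user" line quoted above.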


