Getting Freeradius working with LLDAP

Matthew Macdonald-Wallace matt at doics.co
Wed May 17 11:03:11 UTC 2023 

Hi all,

I'm new to Freeradius but want to get it working for our local
hack/makerspace to ensure we can provide decent QoS on the WiFi for our
members.

My LDAP server is https://github.com/lldap/lldap and that *does not*
expose a "plain text password" field.

I am running Freeradius via docker and I've uploaded my config at
https://gist.github.com/proffalken/a6213dc7266a6a9800432b3c0e1b264d
(passwords and domains have been changed to protect the innocent!)

As you can see from the log below, the LDAP lookup works, however the
authentication request is rejected because the "Auth-Type" is not found.

I'm sure this is an obvious fix, but I've not been able to find an
answer in my searching!

I'm using the following command to test: 

radtest mmw pass1234 10.x.x.5 0 testing123

and this is the log:

-=-=-=-=-=-=-=-=-=-=
freeradius_1  | rlm_ldap (ldap): Reserved connection (0)
freeradius_1  | (0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-
Name}})
freeradius_1  | (0) ldap:    --> (uid=mmw)
freeradius_1  | (0) ldap: Performing search in
"ou=people,dc=auth,dc=mydomain,dc=co,dc=uk" with filter "(uid=mmw)",
scope "sub"
freeradius_1  | (0) ldap: Waiting for search result...
freeradius_1  | (0) ldap: User object found at DN
"uid=mmw,ou=people,dc=auth,dc=mydomain,dc=co,dc=uk"
freeradius_1  | (0) ldap: Processing user attributes
freeradius_1  | (0) ldap: WARNING: No "known good" password added.
Ensure the admin user has permission to read the password attribute
freeradius_1  | (0) ldap: WARNING: PAP authentication will *NOT* work
with Active Directory (if that is what you were trying to configure)
freeradius_1  | rlm_ldap (ldap): Released connection (0)
freeradius_1  | (0)     [ldap] = ok
freeradius_1  | (0)     [expiration] = noop
freeradius_1  | (0)     [logintime] = noop
freeradius_1  | (0) pap: WARNING: No "known good" password found for the
user.  Not setting Auth-Type
freeradius_1  | (0) pap: WARNING: Authentication will fail unless a
"known good" password is available
freeradius_1  | (0)     [pap] = noop
freeradius_1  | (0)   } # authorize = ok
freeradius_1  | (0) ERROR: No Auth-Type found: rejecting the user via
Post-Auth-Type = Reject
freeradius_1  | (0) Failed to authenticate the user
freeradius_1  | (0) Using Post-Auth-Type Reject
freeradius_1  | (0) # Executing group from file /opt/etc/raddb/sites-
enabled/default
freeradius_1  | (0)   Post-Auth-Type REJECT {
freeradius_1  | (0) attr_filter.access_reject: EXPAND %{User-Name}
freeradius_1  | (0) attr_filter.access_reject:    --> mmw
freeradius_1  | (0) attr_filter.access_reject: Matched entry DEFAULT at
line 11
freeradius_1  | (0)     [attr_filter.access_reject] = updated
freeradius_1  | (0)     [eap] = noop
freeradius_1  | (0)     policy remove_reply_message_if_eap {
freeradius_1  | (0)       if (&reply:EAP-Message && &reply:Reply-
Message) {
freeradius_1  | (0)       if (&reply:EAP-Message && &reply:Reply-
Message)  -> FALSE
freeradius_1  | (0)       else {
freeradius_1  | (0)         [noop] = noop
freeradius_1  | (0)       } # else = noop
freeradius_1  | (0)     } # policy remove_reply_message_if_eap = noop
freeradius_1  | (0)   } # Post-Auth-Type REJECT = updated

-=-=-=-=-=-=-=-=-=-=-

Thanks in advance!

Matt

More information about the Freeradius-Users mailing list