Problems authenticating against an Azure AD LDAP
Uwe Faber
uf at zkm.de
Tue Oct 3 13:10:52 UTC 2023
Hi,
So I changed it as in the description (see the text below), and it works
fine with eapol_test, but when I try to use it from an AP with the same
user that works with eapol_test I get the following message:
(17) State = 0xc49a7b91c0156ec00a1a15f1faab1856
(17) Message-Authenticator = 0xfcd8e560453c0793ff01f894937ed387
(17) session-state: No cached attributes
(17) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default-khs
(17) authorize {
(17) policy filter_username {
(17) if (&User-Name) {
(17) if (&User-Name) -> TRUE
(17) if (&User-Name) {
(17) if (&User-Name =~ / /) {
(17) if (&User-Name =~ / /) -> FALSE
(17) if (&User-Name =~ /@[^@]*@/ ) {
(17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(17) if (&User-Name =~ /\.\./ ) {
(17) if (&User-Name =~ /\.\./ ) -> FALSE
(17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(17) if ((&User-Name =~ /@/) && (&User-Name !~
/@(.+)\.(.+)$/)) -> FALSE
(17) if (&User-Name =~ /\.$/) {
(17) if (&User-Name =~ /\.$/) -> FALSE
(17) if (&User-Name =~ /@\./) {
(17) if (&User-Name =~ /@\./) -> FALSE
(17) } # if (&User-Name) = notfound
(17) } # policy filter_username = notfound
(17) suffix: Checking for suffix after "@"
(17) suffix: Looking up realm "karlshochschule.de" for User-Name =
"testuser at karlshochschule.de"
(17) suffix: Found realm "karlshochschule.de"
(17) suffix: Adding Stripped-User-Name = "testuser"
(17) suffix: Adding Realm = "karlshochschule.de"
(17) suffix: Authentication realm is LOCAL
(17) [suffix] = ok
(17) if (!&Realm) {
(17) if (!&Realm) -> FALSE
(17) eap: Peer sent EAP Response (code 2) ID 143 length 79
(17) eap: Continuing tunnel setup
(17) [eap] = ok
(17) } # authorize = ok
(17) Found Auth-Type = eap
(17) # Executing group from file
/etc/freeradius/3.0/sites-enabled/default-khs
(17) authenticate {
(17) eap: Expiring EAP session with state 0xc49a7b91c0156ec0
(17) eap: Finished EAP session with state 0xc49a7b91c0156ec0
(17) eap: Previous EAP request found for state 0xc49a7b91c0156ec0,
released from the list
(17) eap: Peer sent packet with method EAP TTLS (21)
(17) eap: Calling submodule eap_ttls to process data
(17) eap_ttls: Authenticate
(17) eap_ttls: Continuing EAP-TLS
(17) eap_ttls: Peer indicated complete TLS record size will be 69 bytes
(17) eap_ttls: Got complete TLS record (69 bytes)
(17) eap_ttls: [eaptls verify] = length included
(17) eap_ttls: [eaptls process] = ok
(17) eap_ttls: Session established. Proceeding to decode tunneled
attributes
(17) eap_ttls: Got tunneled request
(17) eap_ttls: EAP-Message =
0x02000020017465737475736572406b61726c73686f6368736368756c652e6465
(17) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(17) eap_ttls: Got tunneled identity of testuser at karlshochschule.de
(17) eap_ttls: Setting default EAP type for tunneled EAP session
(17) eap_ttls: Sending tunneled request
(17) Virtual server inner-tunnel received request
(17) EAP-Message =
0x02000020017465737475736572406b61726c73686f6368736368756c652e6465
(17) FreeRADIUS-Proxied-To = 127.0.0.1
(17) User-Name = "testuser at karlshochschule.de"
(17) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(17) server inner-tunnel {
(17) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-khs
(17) authorize {
(17) policy filter_username {
(17) if (&User-Name) {
(17) if (&User-Name) -> TRUE
(17) if (&User-Name) {
(17) if (&User-Name =~ / /) {
(17) if (&User-Name =~ / /) -> FALSE
(17) if (&User-Name =~ /@[^@]*@/ ) {
(17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(17) if (&User-Name =~ /\.\./ ) {
(17) if (&User-Name =~ /\.\./ ) -> FALSE
(17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(17) if ((&User-Name =~ /@/) && (&User-Name !~
/@(.+)\.(.+)$/)) -> FALSE
(17) if (&User-Name =~ /\.$/) {
(17) if (&User-Name =~ /\.$/) -> FALSE
(17) if (&User-Name =~ /@\./) {
(17) if (&User-Name =~ /@\./) -> FALSE
(17) } # if (&User-Name) = notfound
(17) } # policy filter_username = notfound
(17) suffix: Checking for suffix after "@"
(17) suffix: Looking up realm "karlshochschule.de" for User-Name =
"testuser at karlshochschule.de"
(17) suffix: Found realm "karlshochschule.de"
(17) suffix: Adding Stripped-User-Name = "testuser"
(17) suffix: Adding Realm = "karlshochschule.de"
(17) suffix: Authentication realm is LOCAL
(17) [suffix] = ok
(17) update control {
(17) &Proxy-To-Realm := LOCAL
(17) } # update control = noop
rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for
227 seconds
rlm_ldap (ldap): You probably need to lower "min"
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed
rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for
227 seconds
rlm_ldap (ldap): You probably need to lower "min"
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed
rlm_ldap (ldap): Closing connection (0): Hit idle_timeout, was idle for
224 seconds
rlm_ldap (ldap): You probably need to lower "min"
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed
rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for
170 seconds
rlm_ldap (ldap): You probably need to lower "min"
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed
rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for
170 seconds
rlm_ldap (ldap): You probably need to lower "min"
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed
rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase
"spare"
rlm_ldap (ldap): Opening additional connection (5), 1 of 10 pending
slots used
rlm_ldap (ldap): Connecting to ldaps://ldap.karlshochschule.de:636
ldap_create
ldap_url_parse_ext(ldaps://ldap.karlshochschule.de:636)
TLS: warning: cacertdir not implemented for gnutls
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.karlshochschule.de:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 20.79.97.218:636
ldap_pvt_connect: fd: 3 tm: 10 async: 0
ldap_ndelay_on: 3
attempting to connect:
connect errno: 115
ldap_int_poll: fd: 3 tm: 10
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_pvt_connect: 0
ldap_open_defconn: successful
ldap_send_server_request
rlm_ldap (ldap): Waiting for bind result...
ldap_result ld 0x555727575600 msgid 1
wait4msg ld 0x555727575600 msgid 1 (timeout 20000000 usec)
wait4msg continue ld 0x555727575600 msgid 1 all 1
** ld 0x555727575600 Connections:
* host: ldap.karlshochschule.de port: 636 (default)
refcnt: 2 status: Connected
last used: Mon Oct 2 10:48:04 2023
** ld 0x555727575600 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x555727575600 request count 1 (abandoned 0)
** ld 0x555727575600 Response Queue:
Empty
ld 0x555727575600 response count 0
ldap_chkResponseList ld 0x555727575600 msgid 1 all 1
ldap_chkResponseList returns ld 0x555727575600 NULL
ldap_int_select
read1msg: ld 0x555727575600 msgid 1 all 1
read1msg: ld 0x555727575600 msgid 1 message type bind
read1msg: ld 0x555727575600 0 new referrals
read1msg: mark request completed, ld 0x555727575600 msgid 1
request done: ld 0x555727575600 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ldap_msgfree
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Reserved connection (5)
(17) ldap: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
(17) ldap: --> (cn=testuser)
(17) ldap: Performing search in "OU=AADDC
Users,dc=karlshochschule,dc=de" with filter "(cn=testuser)", scope "sub"
ldap_search_ext
put_filter: "(cn=testuser)"
put_filter: simple
put_simple_filter: "cn=testuser"
ldap_build_search_req ATTRS: userPassword ntPassword
ldap_send_initial_request
ldap_send_server_request
(17) ldap: Waiting for search result...
ldap_result ld 0x555727575600 msgid 2
wait4msg ld 0x555727575600 msgid 2 (timeout 20000000 usec)
wait4msg continue ld 0x555727575600 msgid 2 all 1
** ld 0x555727575600 Connections:
* host: ldap.karlshochschule.de port: 636 (default)
refcnt: 2 status: Connected
last used: Mon Oct 2 10:48:04 2023
** ld 0x555727575600 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
ld 0x555727575600 request count 1 (abandoned 0)
** ld 0x555727575600 Response Queue:
Empty
ld 0x555727575600 response count 0
ldap_chkResponseList ld 0x555727575600 msgid 2 all 1
ldap_chkResponseList returns ld 0x555727575600 NULL
ldap_int_select
read1msg: ld 0x555727575600 msgid 2 all 1
read1msg: ld 0x555727575600 msgid 2 message type search-entry
read1msg: ld 0x555727575600 msgid 2 message type search-result
read1msg: ld 0x555727575600 0 new referrals
read1msg: mark request completed, ld 0x555727575600 msgid 2
request done: ld 0x555727575600 msgid 2
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
adding response ld 0x555727575600 msgid 2 type 101:
ldap_parse_result
ldap_get_dn
(17) ldap: User object found at DN "CN=testuser,OU=AADDC
Users,DC=karlshochschule,DC=de"
(17) ldap: Processing user attributes
ldap_get_values_len
ldap_get_values_len
(17) ldap: WARNING: No "known good" password added. Ensure the admin
user has permission to read the password attribute
(17) ldap: WARNING: PAP authentication will *NOT* work with Active
Directory (if that is what you were trying to configure)
ldap_msgfree
rlm_ldap (ldap): Released connection (5)
Need 4 more connections to reach min connections (5)
rlm_ldap (ldap): Opening additional connection (6), 1 of 9 pending slots
used
rlm_ldap (ldap): Connecting to ldaps://ldap.karlshochschule.de:636
ldap_create
ldap_url_parse_ext(ldaps://ldap.karlshochschule.de:636)
TLS: warning: cacertdir not implemented for gnutls
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.karlshochschule.de:636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 20.79.97.218:636
ldap_pvt_connect: fd: 4 tm: 10 async: 0
ldap_ndelay_on: 4
attempting to connect:
connect errno: 115
ldap_int_poll: fd: 4 tm: 10
ldap_is_sock_ready: 4
ldap_ndelay_off: 4
ldap_pvt_connect: 0
ldap_open_defconn: successful
ldap_send_server_request
rlm_ldap (ldap): Waiting for bind result...
ldap_result ld 0x5557273b7d10 msgid 1
wait4msg ld 0x5557273b7d10 msgid 1 (timeout 20000000 usec)
wait4msg continue ld 0x5557273b7d10 msgid 1 all 1
** ld 0x5557273b7d10 Connections:
* host: ldap.karlshochschule.de port: 636 (default)
refcnt: 2 status: Connected
last used: Mon Oct 2 10:48:04 2023
** ld 0x5557273b7d10 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x5557273b7d10 request count 1 (abandoned 0)
** ld 0x5557273b7d10 Response Queue:
Empty
ld 0x5557273b7d10 response count 0
ldap_chkResponseList ld 0x5557273b7d10 msgid 1 all 1
ldap_chkResponseList returns ld 0x5557273b7d10 NULL
ldap_int_select
read1msg: ld 0x5557273b7d10 msgid 1 all 1
read1msg: ld 0x5557273b7d10 msgid 1 message type bind
read1msg: ld 0x5557273b7d10 0 new referrals
read1msg: mark request completed, ld 0x5557273b7d10 msgid 1
request done: ld 0x5557273b7d10 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ldap_msgfree
rlm_ldap (ldap): Bind successful
(17) [ldap] = ok
(17) if ((ok || updated) && User-Password && !control:Auth-Type) {
(17) if ((ok || updated) && User-Password && !control:Auth-Type)
-> FALSE
(17) } # authorize = ok
(17) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type
= Reject
(17) Failed to authenticate the user
(17) Using Post-Auth-Type Reject
(17) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-khs
(17) Post-Auth-Type REJECT {
(17) inner_tunnel_linelog: EXPAND messages.%{%{reply:Packet-Type}:-default}
(17) inner_tunnel_linelog: --> messages.Access-Reject
(17) inner_tunnel_linelog: EXPAND Login incorrect: [%{User-Name}]
(%{request:Module-Failure-Message}) (cli
%{outer.request:Calling-Station-Id} via TLS tunnel)
(17) inner_tunnel_linelog: --> Login incorrect:
[testuser at karlshochschule.de] (No Auth-Type found: rejecting the user
via Post-Auth-Type = Reject) (cli 90-9C-4A-B9-FD-41 via TLS tunnel)
(17) [inner_tunnel_linelog] = ok
(17) attr_filter.access_reject: EXPAND %{User-Name}
(17) attr_filter.access_reject: --> testuser at karlshochschule.de
(17) attr_filter.access_reject: Matched entry DEFAULT at line 11
(17) [attr_filter.access_reject] = updated
(17) update outer.session-state {
(17) &Module-Failure-Message := &request:Module-Failure-Message
-> 'No Auth-Type found: rejecting the user via Post-Auth-Type = Reject'
(17) } # update outer.session-state = noop
(17) } # Post-Auth-Type REJECT = updated
(17) EXPAND badpass
(17) --> badpass
(17) Login incorrect (No Auth-Type found: rejecting the user via
Post-Auth-Type = Reject): [testuser/<no User-Password attribute>] (from
client 10.09.9.240 port 0 via TLS tunnel) badpass
(17) } # server inner-tunnel
(17) Virtual server sending reply
(17) eap_ttls: Got tunneled Access-Reject
(17) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP
sub-module failed
(17) eap: Sending EAP Failure (code 4) ID 143 length 4
(17) eap: Failed in EAP select
(17) [eap] = invalid
(17) } # authenticate = invalid
(17) Failed to authenticate the user
(17) Using Post-Auth-Type Reject
(17) # Executing group from file
/etc/freeradius/3.0/sites-enabled/default-khs
***********************************************************************
ldap {
    # rlm_ldap instance called as "ldap" from the inner-tunnel authorize section.
    # URL scheme and explicit port both select LDAPS (TLS from connect); the trace
    # above shows "Connecting to ldaps://ldap.karlshochschule.de:636".
    server = 'ldaps://ldap.karlshochschule.de'
    port = 636
    # Bind DN for the admin (search) connection. The `password` value reads as a
    # literal placeholder, presumably redacted for the list; the real bind
    # password belongs only in this file with restrictive permissions, never in
    # pasted debug output.
    identity = 'CN=Bind User,OU=AADDC Users,dc=karlshochschule,dc=de'
    password = password
    base_dn = 'OU=AADDC Users,dc=karlshochschule,dc=de'
    user {
        # NOTE(review): `preprocess` and `suffix` are module names, not rlm_ldap
        # user{} options; they look misplaced here. The trace shows the search
        # still running, so they were apparently tolerated — confirm.
        preprocess
        suffix
        # Search base and filter used to locate the user object. The filter
        # prefers Stripped-User-Name (realm removed by `suffix`) and falls back
        # to the full User-Name; the trace expands it to "(cn=testuser)".
        base_dn = "${..base_dn}"
        filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    update {
        # Map directory password attributes into control attributes so a
        # "known good" password is available for PAP / MS-CHAP. The trace shows
        # the search requesting exactly these attributes
        # (ATTRS: userPassword ntPassword) and then warning that no known-good
        # password was added and that PAP will not work with Active Directory:
        # neither attribute came back for the test user. Against a directory
        # that does not expose password hashes this map cannot supply one, and
        # authentication has to come from `Auth-Type LDAP` (bind as the user)
        # or `mschap` instead.
        control:Password-With-Header += 'userPassword'
        control:NT-Password := 'ntPassword'
    }
    post-auth {
        update {
            # Writes a timestamp back to the user object after a successful
            # authentication; presumably needs write access for the bind
            # identity — TODO confirm.
            description := "Authenticated at %S"
        }
    }
    options {
        # Maximum libldap debugging; this is what produces the verbose
        # ldap_*/wait4msg/read1msg lines in the trace above. Leave at 0 outside
        # troubleshooting.
        ldap_debug = 0xFFFF
    }
    tls {
        # The trace reports "cacertdir not implemented for gnutls", so with this
        # GnuTLS-backed libldap only ca_file is consulted and ca_path is ignored.
        # No require_cert is set here — NOTE(review): confirm this build actually
        # verifies the directory's certificate against ca_file (rlm_ldap accepts
        # require_cert = 'demand' in this section).
        ca_file = /etc/ssl/certs/ca-certificates.crt
        ca_path = /etc/ssl/certs/
        # Client certificate and key presented to the directory. These are the
        # same files the eap tls-common section uses as the RADIUS server
        # certificate; presumably only needed if the directory requires client
        # certificates — verify.
        certificate_file = /etc/ssl/private/rad-ka-swlan.karlshochschule.de.crt
        private_key_file = /etc/ssl/private/rad-ka-swlan.karlshochschule.de.key
    }
}
************************************************************************
eap {
    # Outer EAP method offered to supplicants that do not request a specific one.
    default_eap_type = ttls
    max_sessions = ${max_requests}
    tls-config tls-common {
        #certificate_file = ${certdir}/name-of-certificate-file.pem
        #private_key_file = ${certdir}/name-of-private-key-file.key
        #dh_file = ${certdir}/dh
        # RADIUS server certificate and key shown to supplicants; the same files
        # are also configured as the client certificate in the ldap module's
        # tls section. The key lives under /etc/ssl/private, so the user radiusd
        # runs as must be able to read it.
        certificate_file = /etc/ssl/private/rad-ka-swlan.karlshochschule.de.crt
        private_key_file = /etc/ssl/private/rad-ka-swlan.karlshochschule.de.key
        # Whole system CA bundle. Only ttls and peap are enabled below, so this is
        # presumably used to build the chain sent to the supplicant rather than to
        # verify client certificates — confirm.
        ca_file = /etc/ssl/certs/ca-certificates.crt
        cipher_list = "DEFAULT !kRSA !PSK !SRP !SSLv3"
        # Empty curve list — NOTE(review): confirm this does not disable ECDHE
        # key exchange with the OpenSSL build in use.
        ecdh_curve = ""
    }
    # Both tunnelled methods hand the inner request to the inner-tunnel virtual
    # server. The trace shows that request arriving with an EAP-Message (an
    # inner EAP method, not PAP), and the inner-tunnel authorize section quoted
    # further down runs no `eap` module, so nothing sets Auth-Type and the
    # request ends with "No Auth-Type found". An inner EAP method needs `eap`
    # in inner-tunnel's authorize and authenticate sections, as the outer
    # `server default` has.
    ttls {
        tls = tls-common
        virtual_server = inner-tunnel
    }
    peap {
        tls = tls-common
        virtual_server = inner-tunnel
    }
}
***********************************************************************
server inner-tunnel {
authorize {
filter_username
suffix
update control {
&Proxy-To-Realm := LOCAL
}
ldap
if ((ok || updated) && User-Password && !control:Auth-Type) {
update {
control:Auth-Type := ldap
}
}
}
authenticate {
Auth-Type MS-CHAP {
mschap
}
Auth-Type LDAP {
ldap
}
}
post-auth {
inner_tunnel_linelog
Post-Auth-Type REJECT {
inner_tunnel_linelog
attr_filter.access_reject
update outer.session-state {
&Module-Failure-Message := &request:Module-Failure-Message
}
**********************************************************************************************************
server default {
    listen {
        type = auth
        # Listen on every IPv4 address; port 0 selects the default RADIUS
        # authentication port from /etc/services rather than a fixed number.
        ipv4addr = *
        port = 0
    }
    authorize {
        filter_username
        suffix
        # Outer identities without a realm are rejected outright; the trace
        # shows this check passing because `suffix` found realm
        # "karlshochschule.de".
        if (!&Realm) {
            reject
        }
        # `eap` sets Auth-Type for the outer EAP exchange and `ok = return`
        # stops the section there. The inner-tunnel authorize section quoted
        # above has no equivalent `eap` call, which is where the trace reports
        # "No Auth-Type found".
        eap {
            ok = return
        }
    }
    authenticate {
        eap
    }
    post-auth {
        # If the reply would carry back the same User-Name the client sent,
        # drop it so the outer identity is not echoed in the Access-Accept.
        if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
            update reply {
                &User-Name !* ANY
            }
        }
        # Copy attributes saved in session-state into the reply; the inner
        # tunnel's Post-Auth-Type REJECT (quoted above) stores
        # Module-Failure-Message in outer.session-state this way.
        update {
            &reply: += &session-state:
        }
        outer_linelog
        remove_reply_message_if_eap
        Post-Auth-Type REJECT {
            outer_linelog
            attr_filter.access_reject
            eap
            remove_reply_message_if_eap
        }
    }
    pre-proxy {
    }
    post-proxy {
        eap
    }
}
*******************************************************************************************************************************