Problems authenticating against an Azure AD LDAP
Uwe Faber
uf at zkm.de
Thu Sep 21 14:59:57 UTC 2023
Alan DeKok wrote:
> On Sep 21, 2023, at 7:13 AM, Uwe Faber <uf at zkm.de> wrote:
>> Hi folks, I hope you can help after reading thousands of articles and making hundreds of trials with FreeRADIUS with no success.
>> Here is the situation: we have an Azure AD and for this an LDAP server front-end. So I could connect to the AD over LDAP.
>>
>> For testing reasons I implemented a local OpenLDAP server and tested it with eapol_test and it works without problems, but if I change the LDAP connection to the Azure LDAP I got the following error:
> So... "I did a bunch of stuff and it didn't work. How do I fix it?"
>
> Answer: do different stuff.
>
>> (5) ldap_khs: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
>> (5) ldap_khs: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
> I still don't understand why people work *very* hard to ignore all of the debug output and the documentation which says POST ALL OF THE DEBUG OUTPUT.
>
> If you're doing PEAP/MS-CHAP to Azure AD, it won't work. Stop trying.
>
> Use EAP-TTLS with PAP, and then use LDAP "bind as user" (Auth-Type LDAP) in order to hand the password to AD.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Here is the debug output:
(0) Received Access-Request Id 0 from 127.0.0.1:43649 to 127.0.0.1:1812
length 170
(0) User-Name = "anonymous at karlshochschule.de"
(0) NAS-IP-Address = 127.0.0.1
(0) Calling-Station-Id = "02-00-00-00-00-01"
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Service-Type = Framed-User
(0) Connect-Info = "CONNECT 11Mbps 802.11b"
(0) EAP-Message =
0x02f3002101616e6f6e796d6f7573406b61726c73686f6368736368756c652e6465
(0) Message-Authenticator = 0x9d186575265e9dca32181993f9c38b65
(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default-khs
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "karlshochschule.de" for User-Name =
"anonymous at karlshochschule.de"
(0) suffix: Found realm "karlshochschule.de"
(0) suffix: Adding Stripped-User-Name = "anonymous"
(0) suffix: Adding Realm = "karlshochschule.de"
(0) suffix: Authentication realm is LOCAL
(0) [suffix] = ok
(0) if (!&Realm) {
(0) if (!&Realm) -> FALSE
(0) eap: Peer sent EAP Response (code 2) ID 243 length 33
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file
/etc/freeradius/3.0/sites-enabled/default-khs
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_ttls to process data
(0) eap_ttls: Initiating new EAP-TLS session
(0) eap_ttls: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 244 length 6
(0) eap: EAP session adding &reply:State = 0x7147c84d71b3dd8c
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file
/etc/freeradius/3.0/sites-enabled/default-khs
(0) Sent Access-Challenge Id 0 from 127.0.0.1:1812 to 127.0.0.1:43649
length 0
(0) EAP-Message = 0x01f400061520
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x7147c84d71b3dd8c1f070e9e942e974a
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 1 from 127.0.0.1:43649 to 127.0.0.1:1812
length 345
(1) User-Name = "anonymous at karlshochschule.de"
(1) NAS-IP-Address = 127.0.0.1
(1) Calling-Station-Id = "02-00-00-00-00-01"
(1) Framed-MTU = 1400
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) Connect-Info = "CONNECT 11Mbps 802.11b"
(1) EAP-Message =
0x02f400be150016030100b3010000af0303cf3b445b29290ef9f32015e464ef9a751992d449f9c1e3fadd708884da021235000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100004e000b0004030001
(1) State = 0x7147c84d71b3dd8c1f070e9e942e974a
(1) Message-Authenticator = 0x60f1adc479ab8e933ce74dfd55181b1e
(1) session-state: No cached attributes
(1) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default-khs
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) suffix: Checking for suffix after "@"
(1) suffix: Looking up realm "karlshochschule.de" for User-Name =
"anonymous at karlshochschule.de"
(1) suffix: Found realm "karlshochschule.de"
(1) suffix: Adding Stripped-User-Name = "anonymous"
(1) suffix: Adding Realm = "karlshochschule.de"
(1) suffix: Authentication realm is LOCAL
(1) [suffix] = ok
(1) if (!&Realm) {
(1) if (!&Realm) -> FALSE
(1) eap: Peer sent EAP Response (code 2) ID 244 length 190
(1) eap: Continuing tunnel setup
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file
/etc/freeradius/3.0/sites-enabled/default-khs
(1) authenticate {
(1) eap: Expiring EAP session with state 0x7147c84d71b3dd8c
(1) eap: Finished EAP session with state 0x7147c84d71b3dd8c
(1) eap: Previous EAP request found for state 0x7147c84d71b3dd8c,
released from the list
(1) eap: Peer sent packet with method EAP TTLS (21)
(1) eap: Calling submodule eap_ttls to process data
(1) eap_ttls: Authenticate
(1) eap_ttls: Continuing EAP-TLS
(1) eap_ttls: Got final TLS record fragment (184 bytes)
(1) eap_ttls: WARNING: Total received TLS record fragments (184 bytes),
does not equal indicated TLS record length (0 bytes)
(1) eap_ttls: [eaptls verify] = ok
(1) eap_ttls: Done initial handshake
(1) eap_ttls: (other): before SSL initialization
(1) eap_ttls: TLS_accept: before SSL initialization
(1) eap_ttls: TLS_accept: before SSL initialization
(1) eap_ttls: <<< recv UNKNOWN TLS VERSION ?0304? [length 00b3]
(1) eap_ttls: TLS_accept: SSLv3/TLS read client hello
(1) eap_ttls: >>> send TLS 1.2 [length 003d]
(1) eap_ttls: TLS_accept: SSLv3/TLS write server hello
(1) eap_ttls: >>> send TLS 1.2 [length 06ae]
(1) eap_ttls: TLS_accept: SSLv3/TLS write certificate
(1) eap_ttls: >>> send TLS 1.2 [length 022c]
(1) eap_ttls: TLS_accept: SSLv3/TLS write key exchange
(1) eap_ttls: >>> send TLS 1.2 [length 0004]
(1) eap_ttls: TLS_accept: SSLv3/TLS write server done
(1) eap_ttls: TLS_accept: Need to read more data: SSLv3/TLS write server
done
(1) eap_ttls: In SSL Handshake Phase
(1) eap_ttls: In SSL Accept mode
(1) eap_ttls: [eaptls process] = handled
(1) eap: Sending EAP Request (code 1) ID 245 length 1014
(1) eap: EAP session adding &reply:State = 0x7147c84d70b2dd8c
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) # Executing group from file
/etc/freeradius/3.0/sites-enabled/default-khs
(1) Sent Access-Challenge Id 1 from 127.0.0.1:1812 to 127.0.0.1:43649
length 0
(1) EAP-Message =
0x01f503f615c00000092f160303003d0200003903036ead001a5fcd107ae275a24d91c469ce7db00ead3656cc2d444f574e4752440100c030000011ff01000100000b0004030001020017000016030306ae0b0006aa0006a70006a4308206a030820488a003020102020900bb42a628d2722440300d0609
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x7147c84d70b2dd8c1f070e9e942e974a
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 2 from 127.0.0.1:43649 to 127.0.0.1:1812
length 161
(2) User-Name = "anonymous at karlshochschule.de"
(2) NAS-IP-Address = 127.0.0.1
(2) Calling-Station-Id = "02-00-00-00-00-01"
(2) Framed-MTU = 1400
(2) NAS-Port-Type = Wireless-802.11
(2) Service-Type = Framed-User
(2) Connect-Info = "CONNECT 11Mbps 802.11b"
(2) EAP-Message = 0x02f500061500
(2) State = 0x7147c84d70b2dd8c1f070e9e942e974a
(2) Message-Authenticator = 0x63ba835e9e97dc2c21b2135cf8dab043
(2) session-state: No cached attributes
(2) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default-khs
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) suffix: Checking for suffix after "@"
(2) suffix: Looking up realm "karlshochschule.de" for User-Name =
"anonymous at karlshochschule.de"
(2) suffix: Found realm "karlshochschule.de"
(2) suffix: Adding Stripped-User-Name = "anonymous"
(2) suffix: Adding Realm = "karlshochschule.de"
(2) suffix: Authentication realm is LOCAL
(2) [suffix] = ok
(2) if (!&Realm) {
(2) if (!&Realm) -> FALSE
(2) eap: Peer sent EAP Response (code 2) ID 245 length 6
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file
/etc/freeradius/3.0/sites-enabled/default-khs
(2) authenticate {
(2) eap: Expiring EAP session with state 0x7147c84d70b2dd8c
(2) eap: Finished EAP session with state 0x7147c84d70b2dd8c
(2) eap: Previous EAP request found for state 0x7147c84d70b2dd8c,
released from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: Continuing EAP-TLS
(2) eap_ttls: Peer ACKed our handshake fragment
(2) eap_ttls: [eaptls verify] = request
(2) eap_ttls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 246 length 1014
(2) eap: EAP session adding &reply:State = 0x7147c84d73b1dd8c
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) # Executing group from file
/etc/freeradius/3.0/sites-enabled/default-khs
(2) Sent Access-Challenge Id 2 from 127.0.0.1:1812 to 127.0.0.1:43649
length 0
(2) EAP-Message =
0x01f603f615c00000092f07a5bce150289ec883f5c159a3e4a90c89c78846700415571d88542761e9972724f4a90c8ee8bb817865b11ce9f05cc051b2014902535224805acc9dd5965593794322f617c3e9dead670d26818eccdbdad8133b1e2f78255b0203010001a3819430819130090603551d130402
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x7147c84d73b1dd8c1f070e9e942e974a
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 3 from 127.0.0.1:43649 to 127.0.0.1:1812
length 161
(3) User-Name = "anonymous at karlshochschule.de"
(3) NAS-IP-Address = 127.0.0.1
(3) Calling-Station-Id = "02-00-00-00-00-01"
(3) Framed-MTU = 1400
(3) NAS-Port-Type = Wireless-802.11
(3) Service-Type = Framed-User
(3) Connect-Info = "CONNECT 11Mbps 802.11b"
(3) EAP-Message = 0x02f600061500
(3) State = 0x7147c84d73b1dd8c1f070e9e942e974a
(3) Message-Authenticator = 0x669f156a27bfaedd4a4b920612820d39
(3) session-state: No cached attributes
(3) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default-khs
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /@\./) {
(3) if (&User-Name =~ /@\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) suffix: Checking for suffix after "@"
(3) suffix: Looking up realm "karlshochschule.de" for User-Name =
"anonymous at karlshochschule.de"
(3) suffix: Found realm "karlshochschule.de"
(3) suffix: Adding Stripped-User-Name = "anonymous"
(3) suffix: Adding Realm = "karlshochschule.de"
(3) suffix: Authentication realm is LOCAL
(3) [suffix] = ok
(3) if (!&Realm) {
(3) if (!&Realm) -> FALSE
(3) eap: Peer sent EAP Response (code 2) ID 246 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file
/etc/freeradius/3.0/sites-enabled/default-khs
(3) authenticate {
(3) eap: Expiring EAP session with state 0x7147c84d73b1dd8c
(3) eap: Finished EAP session with state 0x7147c84d73b1dd8c
(3) eap: Previous EAP request found for state 0x7147c84d73b1dd8c,
released from the list
(3) eap: Peer sent packet with method EAP TTLS (21)
(3) eap: Calling submodule eap_ttls to process data
(3) eap_ttls: Authenticate
(3) eap_ttls: Continuing EAP-TLS
(3) eap_ttls: Peer ACKed our handshake fragment
(3) eap_ttls: [eaptls verify] = request
(3) eap_ttls: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 247 length 353
(3) eap: EAP session adding &reply:State = 0x7147c84d72b0dd8c
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) # Executing group from file
/etc/freeradius/3.0/sites-enabled/default-khs
(3) Sent Access-Challenge Id 3 from 127.0.0.1:1812 to 127.0.0.1:43649
length 0
(3) EAP-Message =
0x01f7016115800000092fd193786f177d2c11a0db978590610aa2c9ccb04fd3a595cde36ece47874024cd74dc85d60501ccbd0b3d5327d3475e5796e0769cf14476f1fc0354e39d3b9e0312c66d542b08fb4c3f3d00931334fe4049158725e0ec6be1da2d4c7d2f7f7bd482b3c2159646137de9ec82be0e
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x7147c84d72b0dd8c1f070e9e942e974a
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 4 from 127.0.0.1:43649 to 127.0.0.1:1812
length 254
(4) User-Name = "anonymous at karlshochschule.de"
(4) NAS-IP-Address = 127.0.0.1
(4) Calling-Station-Id = "02-00-00-00-00-01"
(4) Framed-MTU = 1400
(4) NAS-Port-Type = Wireless-802.11
(4) Service-Type = Framed-User
(4) Connect-Info = "CONNECT 11Mbps 802.11b"
(4) EAP-Message =
0x02f70063150016030300251000002120bb1c8623cce4fcdd9969e81d38e5ce4869085c7f00628eab184bd12844bb205014030300010116030300289fba59a5dc9971e195f63c4b77230687c8ea837e3e4a0b8e30a742e55b6e05b64100a59dc08c19f2
(4) State = 0x7147c84d72b0dd8c1f070e9e942e974a
(4) Message-Authenticator = 0x65cf15a9d2b9b7a35991fa06afb4fb42
(4) session-state: No cached attributes
(4) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default-khs
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /@\./) {
(4) if (&User-Name =~ /@\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) suffix: Checking for suffix after "@"
(4) suffix: Looking up realm "karlshochschule.de" for User-Name =
"anonymous at karlshochschule.de"
(4) suffix: Found realm "karlshochschule.de"
(4) suffix: Adding Stripped-User-Name = "anonymous"
(4) suffix: Adding Realm = "karlshochschule.de"
(4) suffix: Authentication realm is LOCAL
(4) [suffix] = ok
(4) if (!&Realm) {
(4) if (!&Realm) -> FALSE
(4) eap: Peer sent EAP Response (code 2) ID 247 length 99
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file
/etc/freeradius/3.0/sites-enabled/default-khs
(4) authenticate {
(4) eap: Expiring EAP session with state 0x7147c84d72b0dd8c
(4) eap: Finished EAP session with state 0x7147c84d72b0dd8c
(4) eap: Previous EAP request found for state 0x7147c84d72b0dd8c,
released from the list
(4) eap: Peer sent packet with method EAP TTLS (21)
(4) eap: Calling submodule eap_ttls to process data
(4) eap_ttls: Authenticate
(4) eap_ttls: Continuing EAP-TLS
(4) eap_ttls: [eaptls verify] = ok
(4) eap_ttls: Done initial handshake
(4) eap_ttls: TLS_accept: SSLv3/TLS write server done
(4) eap_ttls: <<< recv TLS 1.2 [length 0025]
(4) eap_ttls: TLS_accept: SSLv3/TLS read client key exchange
(4) eap_ttls: TLS_accept: SSLv3/TLS read change cipher spec
(4) eap_ttls: <<< recv TLS 1.2 [length 0010]
(4) eap_ttls: TLS_accept: SSLv3/TLS read finished
(4) eap_ttls: >>> send TLS 1.2 [length 0001]
(4) eap_ttls: TLS_accept: SSLv3/TLS write change cipher spec
(4) eap_ttls: >>> send TLS 1.2 [length 0010]
(4) eap_ttls: TLS_accept: SSLv3/TLS write finished
(4) eap_ttls: (other): SSL negotiation finished successfully
(4) eap_ttls: SSL Connection Established
(4) eap_ttls: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 248 length 61
(4) eap: EAP session adding &reply:State = 0x7147c84d75bfdd8c
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) # Executing group from file
/etc/freeradius/3.0/sites-enabled/default-khs
(4) Sent Access-Challenge Id 4 from 127.0.0.1:1812 to 127.0.0.1:43649
length 0
(4) EAP-Message =
0x01f8003d15800000003314030300010116030300283af9c0e6b9e5a741c0c2e2290518e28dfbb7329ccf7ffa91ade72b6662636b4b7e404a85b4a3ed7a
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x7147c84d75bfdd8c1f070e9e942e974a
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 5 from 127.0.0.1:43649 to 127.0.0.1:1812
length 250
(5) User-Name = "anonymous at karlshochschule.de"
(5) NAS-IP-Address = 127.0.0.1
(5) Calling-Station-Id = "02-00-00-00-00-01"
(5) Framed-MTU = 1400
(5) NAS-Port-Type = Wireless-802.11
(5) Service-Type = Framed-User
(5) Connect-Info = "CONNECT 11Mbps 802.11b"
(5) EAP-Message =
0x02f8005f150017030300549fba59a5dc9971e230a9475002c0b31b27bf0b18d9f6e4f771bd336049231946679c2ea83f4182f9d7ef3ecc42edaec13bae2ba1834c278e0523839e9ba7f6453bb6528656531ed0d33bb3cb18f0859d68b35f9d
(5) State = 0x7147c84d75bfdd8c1f070e9e942e974a
(5) Message-Authenticator = 0x7e43e268618f2c1c4c230df9a130c81e
(5) session-state: No cached attributes
(5) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default-khs
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) suffix: Checking for suffix after "@"
(5) suffix: Looking up realm "karlshochschule.de" for User-Name =
"anonymous at karlshochschule.de"
(5) suffix: Found realm "karlshochschule.de"
(5) suffix: Adding Stripped-User-Name = "anonymous"
(5) suffix: Adding Realm = "karlshochschule.de"
(5) suffix: Authentication realm is LOCAL
(5) [suffix] = ok
(5) if (!&Realm) {
(5) if (!&Realm) -> FALSE
(5) eap: Peer sent EAP Response (code 2) ID 248 length 95
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file
/etc/freeradius/3.0/sites-enabled/default-khs
(5) authenticate {
(5) eap: Expiring EAP session with state 0x7147c84d75bfdd8c
(5) eap: Finished EAP session with state 0x7147c84d75bfdd8c
(5) eap: Previous EAP request found for state 0x7147c84d75bfdd8c,
released from the list
(5) eap: Peer sent packet with method EAP TTLS (21)
(5) eap: Calling submodule eap_ttls to process data
(5) eap_ttls: Authenticate
(5) eap_ttls: Continuing EAP-TLS
(5) eap_ttls: [eaptls verify] = ok
(5) eap_ttls: Done initial handshake
(5) eap_ttls: [eaptls process] = ok
(5) eap_ttls: Session established. Proceeding to decode tunneled attributes
(5) eap_ttls: Got tunneled request
(5) eap_ttls: User-Name = "testuser at karlshochschule.de"
(5) eap_ttls: User-Password = "password"
(5) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(5) eap_ttls: Sending tunneled request
(5) Virtual server inner-tunnel received request
(5) User-Name = "testuser at karlshochschule.de"
(5) User-Password = "password"
(5) FreeRADIUS-Proxied-To = 127.0.0.1
(5) server inner-tunnel {
(5) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-khs
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~
/@(.+)\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) suffix: Checking for suffix after "@"
(5) suffix: Looking up realm "karlshochschule.de" for User-Name =
"testuser at karlshochschule.de"
(5) suffix: Found realm "karlshochschule.de"
(5) suffix: Adding Stripped-User-Name = "testuser"
(5) suffix: Adding Realm = "karlshochschule.de"
(5) suffix: Authentication realm is LOCAL
(5) [suffix] = ok
(5) update control {
(5) &Proxy-To-Realm := LOCAL
(5) } # update control = noop
rlm_ldap (ldap_khs): Closing connection (0): Hit idle_timeout, was idle
for 117 seconds
rlm_ldap (ldap_khs): You probably need to lower "min"
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed
rlm_ldap (ldap_khs): Closing connection (1): Hit idle_timeout, was idle
for 116 seconds
rlm_ldap (ldap_khs): You probably need to lower "min"
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed
rlm_ldap (ldap_khs): Closing connection (2): Hit idle_timeout, was idle
for 116 seconds
rlm_ldap (ldap_khs): You probably need to lower "min"
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed
rlm_ldap (ldap_khs): Closing connection (3): Hit idle_timeout, was idle
for 116 seconds
rlm_ldap (ldap_khs): You probably need to lower "min"
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed
rlm_ldap (ldap_khs): Closing connection (4): Hit idle_timeout, was idle
for 116 seconds
rlm_ldap (ldap_khs): You probably need to lower "min"
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed
rlm_ldap (ldap_khs): 0 of 0 connections in use. You may need to
increase "spare"
rlm_ldap (ldap_khs): Opening additional connection (5), 1 of 10 pending
slots used
rlm_ldap (ldap_khs): Connecting to ldaps://ldap.karlshochschule.de:636
ldap_create
ldap_url_parse_ext(ldaps://ldap.karlshochschule.de:636)
TLS: warning: cacertdir not implemented for gnutls
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.karlshochschule.de:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 20.79.97.218:636
ldap_pvt_connect: fd: 3 tm: 10 async: 0
ldap_ndelay_on: 3
attempting to connect:
connect errno: 115
ldap_int_poll: fd: 3 tm: 10
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_pvt_connect: 0
ldap_open_defconn: successful
ldap_send_server_request
rlm_ldap (ldap_khs): Waiting for bind result...
ldap_result ld 0x564774e6aaa0 msgid 1
wait4msg ld 0x564774e6aaa0 msgid 1 (timeout 20000000 usec)
wait4msg continue ld 0x564774e6aaa0 msgid 1 all 1
** ld 0x564774e6aaa0 Connections:
* host: ldap.karlshochschule.de port: 636 (default)
refcnt: 2 status: Connected
last used: Thu Sep 21 16:52:17 2023
** ld 0x564774e6aaa0 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x564774e6aaa0 request count 1 (abandoned 0)
** ld 0x564774e6aaa0 Response Queue:
Empty
ld 0x564774e6aaa0 response count 0
ldap_chkResponseList ld 0x564774e6aaa0 msgid 1 all 1
ldap_chkResponseList returns ld 0x564774e6aaa0 NULL
ldap_int_select
read1msg: ld 0x564774e6aaa0 msgid 1 all 1
read1msg: ld 0x564774e6aaa0 msgid 1 message type bind
read1msg: ld 0x564774e6aaa0 0 new referrals
read1msg: mark request completed, ld 0x564774e6aaa0 msgid 1
request done: ld 0x564774e6aaa0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ldap_msgfree
rlm_ldap (ldap_khs): Bind successful
rlm_ldap (ldap_khs): Reserved connection (5)
(5) ldap_khs: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
(5) ldap_khs: --> (cn=testuser)
(5) ldap_khs: Performing search in "OU=AADDC
Users,dc=karlshochschule,dc=de" with filter "(cn=testuser)", scope "sub"
ldap_search_ext
put_filter: "(cn=testuser)"
put_filter: simple
put_simple_filter: "cn=testuser"
ldap_build_search_req ATTRS: userPassword ntPassword
ldap_send_initial_request
ldap_send_server_request
(5) ldap_khs: Waiting for search result...
ldap_result ld 0x564774e6aaa0 msgid 2
wait4msg ld 0x564774e6aaa0 msgid 2 (timeout 20000000 usec)
wait4msg continue ld 0x564774e6aaa0 msgid 2 all 1
** ld 0x564774e6aaa0 Connections:
* host: ldap.karlshochschule.de port: 636 (default)
refcnt: 2 status: Connected
last used: Thu Sep 21 16:52:17 2023
** ld 0x564774e6aaa0 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
ld 0x564774e6aaa0 request count 1 (abandoned 0)
** ld 0x564774e6aaa0 Response Queue:
Empty
ld 0x564774e6aaa0 response count 0
ldap_chkResponseList ld 0x564774e6aaa0 msgid 2 all 1
ldap_chkResponseList returns ld 0x564774e6aaa0 NULL
ldap_int_select
read1msg: ld 0x564774e6aaa0 msgid 2 all 1
read1msg: ld 0x564774e6aaa0 msgid 2 message type search-entry
read1msg: ld 0x564774e6aaa0 msgid 2 message type search-result
read1msg: ld 0x564774e6aaa0 0 new referrals
read1msg: mark request completed, ld 0x564774e6aaa0 msgid 2
request done: ld 0x564774e6aaa0 msgid 2
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
adding response ld 0x564774e6aaa0 msgid 2 type 101:
ldap_parse_result
ldap_get_dn
(5) ldap_khs: User object found at DN "CN=testuser,OU=AADDC
Users,DC=karlshochschule,DC=de"
(5) ldap_khs: Processing user attributes
ldap_get_values_len
ldap_get_values_len
(5) ldap_khs: WARNING: No "known good" password added. Ensure the admin
user has permission to read the password attribute
(5) ldap_khs: WARNING: PAP authentication will *NOT* work with Active
Directory (if that is what you were trying to configure)
ldap_msgfree
rlm_ldap (ldap_khs): Released connection (5)
Need 4 more connections to reach min connections (5)
rlm_ldap (ldap_khs): Opening additional connection (6), 1 of 9 pending
slots used
rlm_ldap (ldap_khs): Connecting to ldaps://ldap.karlshochschule.de:636
ldap_create
ldap_url_parse_ext(ldaps://ldap.karlshochschule.de:636)
TLS: warning: cacertdir not implemented for gnutls
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.karlshochschule.de:636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 20.79.97.218:636
ldap_pvt_connect: fd: 4 tm: 10 async: 0
ldap_ndelay_on: 4
attempting to connect:
connect errno: 115
ldap_int_poll: fd: 4 tm: 10
ldap_is_sock_ready: 4
ldap_ndelay_off: 4
ldap_pvt_connect: 0
ldap_open_defconn: successful
ldap_send_server_request
rlm_ldap (ldap_khs): Waiting for bind result...
ldap_result ld 0x564773fe1710 msgid 1
wait4msg ld 0x564773fe1710 msgid 1 (timeout 20000000 usec)
wait4msg continue ld 0x564773fe1710 msgid 1 all 1
** ld 0x564773fe1710 Connections:
* host: ldap.karlshochschule.de port: 636 (default)
refcnt: 2 status: Connected
last used: Thu Sep 21 16:52:17 2023
** ld 0x564773fe1710 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x564773fe1710 request count 1 (abandoned 0)
** ld 0x564773fe1710 Response Queue:
Empty
ld 0x564773fe1710 response count 0
ldap_chkResponseList ld 0x564773fe1710 msgid 1 all 1
ldap_chkResponseList returns ld 0x564773fe1710 NULL
ldap_int_select
read1msg: ld 0x564773fe1710 msgid 1 all 1
read1msg: ld 0x564773fe1710 msgid 1 message type bind
read1msg: ld 0x564773fe1710 0 new referrals
read1msg: mark request completed, ld 0x564773fe1710 msgid 1
request done: ld 0x564773fe1710 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ldap_msgfree
rlm_ldap (ldap_khs): Bind successful
(5) [ldap_khs] = ok
(5) inner_eap: No EAP-Message, not doing EAP
(5) [inner_eap] = noop
(5) [pap] = noop
(5) } # authorize = ok
(5) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
Reject
(5) Failed to authenticate the user
(5) Using Post-Auth-Type Reject
(5) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-khs
(5) Post-Auth-Type REJECT {
(5) inner_tunnel_linelog: EXPAND messages.%{%{reply:Packet-Type}:-default}
(5) inner_tunnel_linelog: --> messages.Access-Reject
(5) inner_tunnel_linelog: EXPAND Login incorrect: [%{User-Name}]
(%{request:Module-Failure-Message}) (cli
%{outer.request:Calling-Station-Id} via TLS tunnel)
(5) inner_tunnel_linelog: --> Login incorrect:
[testuser at karlshochschule.de] (No Auth-Type found: rejecting the user
via Post-Auth-Type = Reject) (cli 02-00-00-00-00-01 via TLS tunnel)
(5) [inner_tunnel_linelog] = ok
(5) attr_filter.access_reject: EXPAND %{User-Name}
(5) attr_filter.access_reject: --> testuser at karlshochschule.de
(5) attr_filter.access_reject: Matched entry DEFAULT at line 11
(5) [attr_filter.access_reject] = updated
(5) update outer.session-state {
(5) &Module-Failure-Message := &request:Module-Failure-Message
-> 'No Auth-Type found: rejecting the user via Post-Auth-Type = Reject'
(5) } # update outer.session-state = noop
(5) } # Post-Auth-Type REJECT = updated
(5) EXPAND badpass
(5) --> badpass
(5) Login incorrect (No Auth-Type found: rejecting the user via
Post-Auth-Type = Reject): [testuser/234Tu45$%] (from client localhost
port 0 via TLS tunnel) badpass
(5) } # server inner-tunnel
(5) Virtual server sending reply
(5) eap_ttls: Got tunneled Access-Reject
(5) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module
failed
(5) eap: Sending EAP Failure (code 4) ID 248 length 4
(5) eap: Failed in EAP select
(5) [eap] = invalid
(5) } # authenticate = invalid
(5) Failed to authenticate the user
(5) Using Post-Auth-Type Reject
(5) # Executing group from file
/etc/freeradius/3.0/sites-enabled/default-khs
(5) Post-Auth-Type REJECT {
(5) outer_linelog: EXPAND messages.%{%{reply:Packet-Type}:-default}
(5) outer_linelog: --> messages.Access-Reject
(5) outer_linelog: EXPAND Login incorrect: [%{User-Name}]
(%{%{reply:Reply-Message}:-%{request:Module-Failure-Message}}) (cli
%{request:Calling-Station-Id})
(5) outer_linelog: --> Login incorrect:
[anonymous at karlshochschule.de] (eap: Failed continuing EAP TTLS (21)
session. EAP sub-module failed) (cli 02-00-00-00-00-01)
(5) [outer_linelog] = ok
(5) attr_filter.access_reject: EXPAND %{User-Name}
(5) attr_filter.access_reject: --> anonymous at karlshochschule.de
(5) attr_filter.access_reject: Matched entry DEFAULT at line 11
(5) [attr_filter.access_reject] = updated
(5) [eap] = noop
(5) policy remove_reply_message_if_eap {
(5) if (&reply:EAP-Message && &reply:Reply-Message) {
(5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(5) else {
(5) [noop] = noop
(5) } # else = noop
(5) } # policy remove_reply_message_if_eap = noop
(5) } # Post-Auth-Type REJECT = updated
(5) EXPAND badpass
(5) --> badpass
(5) Login incorrect (eap: Failed continuing EAP TTLS (21) session. EAP
sub-module failed): [anonymous/<via Auth-Type = eap>] (from client
localhost port 0 cli 02-00-00-00-00-01) badpass
(5) Delaying response for 1.000000 seconds
Waking up in 0.1 seconds.
Waking up in 0.8 seconds.
(5) Sending delayed response
(5) Sent Access-Reject Id 5 from 127.0.0.1:1812 to 127.0.0.1:43649 length 44
(5) EAP-Message = 0x04f80004
(5) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.7 seconds.
(0) Cleaning up request packet ID 0 with timestamp +116
(1) Cleaning up request packet ID 1 with timestamp +116
(2) Cleaning up request packet ID 2 with timestamp +116
(3) Cleaning up request packet ID 3 with timestamp +116
(4) Cleaning up request packet ID 4 with timestamp +116
Waking up in 0.1 seconds.
(5) Cleaning up request packet ID 5 with timestamp +116
Ready to process requests
^Croot at radsec:~#
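What the debug output shows is the failure mode Alan describes: the inner-tunnel request carries a cleartext User-Password (delivered by EAP-TTLS/PAP), the ldap_khs search finds CN=testuser, but Azure AD DS (like any Active Directory) does not return userPassword/ntPassword to a reader, so no "known good" password is added, pap stays noop, no Auth-Type is set, and the inner tunnel rejects. The fix is to hand that password to the directory with an LDAP bind as the user's own DN. The configuration below is an added example based on Alan's advice and the module/file names visible in the debug output (instance ldap_khs, site inner-khs); it is not config from the original post or from the FreeRADIUS project. The bind DN, CA file path and pool numbers are assumptions.

```unlang
# /etc/freeradius/3.0/sites-enabled/inner-khs   (the inner-tunnel virtual server)
#
# Added example, not from the original post.  Module instance name "ldap_khs"
# is taken from the debug output; everything else follows the stock 3.0
# inner-tunnel layout.
server inner-tunnel {
    authorize {
        filter_username
        suffix
        update control {
            &Proxy-To-Realm := LOCAL
        }

        # Look the user up.  Against Azure AD DS the search succeeds and the
        # DN is found, but no password attribute comes back, hence the
        # "No known good password" warning in the debug output.
        ldap_khs

        # EAP-TTLS/PAP delivers the cleartext User-Password inside the TLS
        # tunnel.  If ldap found the user and nothing has set an Auth-Type yet,
        # use "bind as user": rlm_ldap will bind with the user's DN and this
        # password, and the directory verifies it.
        if ((ok || updated) && &User-Password && !&control:Auth-Type) {
            update control {
                &Auth-Type := LDAP
            }
        }

        # Keep pap for directories that do return a known-good password
        # (the local OpenLDAP test server); pap sets Auth-Type := PAP itself
        # in that case and stays noop otherwise.
        pap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }

        # Bind-as-user.  A failed bind yields an Access-Reject inside the
        # tunnel, which becomes an EAP Failure in the outer request.
        Auth-Type LDAP {
            ldap_khs
        }
    }
}

# /etc/freeradius/3.0/mods-available/ldap   (instance ldap_khs)
#
# Because the user's password is now sent to the LDAP server in a bind, the
# server's certificate must be verified, otherwise passwords are bound against
# whatever answers on port 636.  The debug output shows
# "cacertdir not implemented for gnutls", so with a GnuTLS-built libldap use
# ca_file rather than ca_path.
ldap ldap_khs {
    server   = 'ldaps://ldap.karlshochschule.de:636'
    identity = 'CN=svc-radius,OU=AADDC Users,DC=karlshochschule,DC=de'   # assumed bind DN
    password = '<service account password>'                              # assumed
    base_dn  = 'OU=AADDC Users,DC=karlshochschule,DC=de'

    user {
        base_dn = "${..base_dn}"
        # Same filter as in the debug output.
        filter  = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    tls {
        ca_file      = /etc/ssl/certs/azure-ad-ds-ldaps-ca.pem   # assumed path
        require_cert = 'demand'
    }

    pool {
        # The "Hit idle_timeout ... You probably need to lower min" messages
        # mean more idle connections were kept than the timeout allows;
        # values here are assumptions, tune to the directory's idle limits.
        min          = 1
        spare        = 2
        idle_timeout = 60
    }
}
```

Run eapol_test again with `radiusd -X` and look for "Auth-Type = LDAP" followed by "Bind successful" in the (5) inner-tunnel section; a wrong password should now show an LDAP bind error from the directory instead of "No Auth-Type found". Note that this path only works for EAP-TTLS/PAP (or plain PAP): PEAP/MS-CHAPv2 needs the NT hash, which Azure AD DS will not hand out over LDAP, which is Alan's point above.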