FreeRADIUS 3.0.x reconfiguration from LDAP to Windows Server 2022 AD

chucho.valdez chucho.valdez at seznam.cz
Thu Aug 29 21:46:40 UTC 2024


Hello all,








Situation is like this:

The FreeRADIUS server is already installed with IP 192.168.81.12 and configured to 
authenticate against a Linux LDAP server with IP 192.168.92.25.
Authentication is working fine, but we need to switch from the Linux LDAP server to MS 
AD on Windows Server 2022 at IP 192.168.92.14.


I have configured Samba on the RADIUS server to join the AD and it is working 
fine.
The RADIUS server joined the domain, and commands like `wbinfo -a example_user%mypassword`
or `ntlm_auth --request-nt-key --domain=XYZDOM --username=example_user`
are working fine as well.

However, I am stuck on the FreeRADIUS configuration.




Configuration changes made:
#####################################################
sites-enabled/default
In the authorize section
        pap
            if (User-Password) {
            update control {
                   Auth-Type := ldap
            }
        }

In the authenticate section
authenticate {
        Auth-Type PAP {
                ldap
        }
Uncommented the word `ldap` on its own line inside the `Auth-Type LDAP` section

#       Auth-Type LDAP {
                ldap
#       }
#####################################################
mods-enabled/ldap

IP of the LDAP server changed to the IP of the new domain controller
ldap {
        server = 'ldap://192.168.92.14'

        identity = 'adminusername at mydomain.com'
        password = adminpassword
        base_dn = 'dc=mydomain,dc=com'

    start_tls = no
    require_cert    = 'allow'
#####################################################
mods-enabled/eap
eap {
    default_eap_type = peap
    }
ttls {
     default_eap_type = gtc
     }
tls-config tls-common {
    random_file = /dev/urandom
     }
#####################################################
proxy.conf
realm mydomain.com {

}
#####################################################

mods-enabled/mschap
with_ntdomain_hack = yes

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-
User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --
nt-response=%{%{mschap:NT-Response}:-00} --domain=%{mschap:NT-Domain}"
#####################################################
sites-enabled/inner-tunnel
authorize {
    ...
    #  Read the 'users' file
    files   # <--- This one!
    ...
}
#####################################################


After all modifications I started freeradius in debug mode
freeradius -fxx -l stdout
and issued the radtest command:
radtest myusername at mydomain.com mypassword localhost 10 testing123


This is the output:

#####################################################

(0) Received Access-Request Id 87 from 127.0.0.1:34561 to 127.0.0.1:1812 
length 88
(0)   User-Name = "myusername at mydomain.com"
(0)   User-Password = "mypassword"
(0)   NAS-IP-Address = 192.168.81.12
(0)   NAS-Port = 10
(0)   Message-Authenticator = 0xc529dae657c9aa6feb8b4e2e64bc950e
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/
default
(0)   authorize {
(0)     policy filter_eduroam_realms {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (!(&User-Name =~ /@/)){
(0)         if (!(&User-Name =~ /@/)) -> FALSE
(0)         if (&User-Name =~ /@$/){
(0)         if (&User-Name =~ /@$/) -> FALSE
(0)         if (&User-Name =~ /@.+?@/){
(0)         if (&User-Name =~ /@.+?@/) -> FALSE
(0)         if (&User-Name =~ /@.+?[^[:alnum:]\.-]/){
(0)         if (&User-Name =~ /@.+?[^[:alnum:]\.-]/) -> FALSE
(0)         if (&User-Name =~ /@[\.-]/){
(0)         if (&User-Name =~ /@[\.-]/) -> FALSE
(0)         if (&User-Name =~ /@.+?[\.-]$/){
(0)         if (&User-Name =~ /@.+?[\.-]$/) -> FALSE
(0)         if (&User-Name =~ /@[^\.]+$/){
(0)         if (&User-Name =~ /@[^\.]+$/) -> FALSE
(0)         if (&User-Name =~ /@.+?\.\./){
(0)         if (&User-Name =~ /@.+?\.\./) -> FALSE
(0)         if (&User-Name =~ /@myabc\.com$/i){
(0)         if (&User-Name =~ /@myabc\.com$/i) -> FALSE
(0)         if (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3
gppnetwork\.org$/i){
(0)         if (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3
gppnetwork\.org$/i) -> FALSE
(0)         if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i){
(0)         if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) ->
FALSE
(0)         if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i){
(0)         if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) ->
FALSE
(0)         if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i){
(0)         if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) 
-> FALSE
(0)         if (&User-Name =~ /\.zc$/i){
(0)         if (&User-Name =~ /\.zc$/i) -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_eduroam_realms = notfound
(0)     policy filter_myusername {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> 
FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_myusername = notfound
(0)     policy rewrite_calling_station_id {
(0)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})
[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(0)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})
[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy rewrite_calling_station_id = noop
(0)     policy operator-name.authorize {
(0)       if ("%{client:Operator-Name}") {
(0)       EXPAND %{client:Operator-Name}
(0)          -->
(0)       if ("%{client:Operator-Name}")  -> FALSE
(0)     } # policy operator-name.authorize = noop
(0)     if (Calling-Station-Id !~ /^70-6F-6C-6/) {
(0)     ERROR: Failed retrieving values required to evaluate condition
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "mydomain.com" for User-Name = "myusername@
mydomain.com"
(0) suffix: Found realm "mydomain.com"
(0) suffix: Adding Stripped-User-Name = "myusername"
(0) suffix: Adding Realm = "mydomain.com"
(0) suffix: Authentication realm is LOCAL
(0)     [suffix] = ok
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) files: Searching for user in group "gzkouska"
rlm_ldap (ldap): Reserved connection (0)
(0) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) files:    --> (uid=myusername)
(0) files: Performing search in "dc=gyrec,dc=cz" with filter "(uid=
myusername)", scope "sub"
(0) files: Waiting for search result...
Unable to chase referral "ldap://ForestDnsZones.mydomain.com/DC=
ForestDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server)
Unable to chase referral "ldap://DomainDnsZones.mydomain.com/DC=
DomainDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server)
Unable to chase referral "ldap://mydomain.com/CN=Configuration,DC=gyrec,DC=
cz" (-1: Can't contact LDAP server)
(0) files: Search returned no results
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots 
used
rlm_ldap (ldap): Connecting to ldap://192.168.92.14:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0) files: Searching for user in group "ucitele-wifi"
rlm_ldap (ldap): Reserved connection (1)
(0) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) files:    --> (uid=myusername)
(0) files: Performing search in "dc=gyrec,dc=cz" with filter "(uid=
myusername)", scope "sub"
(0) files: Waiting for search result...
Unable to chase referral "ldap://ForestDnsZones.mydomain.com/DC=
ForestDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server)
Unable to chase referral "ldap://DomainDnsZones.mydomain.com/DC=
DomainDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server)
Unable to chase referral "ldap://mydomain.com/CN=Configuration,DC=gyrec,DC=
cz" (-1: Can't contact LDAP server)
(0) files: Search returned no results
rlm_ldap (ldap): Released connection (1)
(0) files: Searching for user in group "kabinety"
rlm_ldap (ldap): Reserved connection (2)
(0) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) files:    --> (uid=myusername)
(0) files: Performing search in "dc=gyrec,dc=cz" with filter "(uid=
myusername)", scope "sub"
(0) files: Waiting for search result...
Unable to chase referral "ldap://ForestDnsZones.mydomain.com/DC=
ForestDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server)
Unable to chase referral "ldap://DomainDnsZones.mydomain.com/DC=
DomainDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server)
Unable to chase referral "ldap://mydomain.com/CN=Configuration,DC=gyrec,DC=
cz" (-1: Can't contact LDAP server)
(0) files: Search returned no results
rlm_ldap (ldap): Released connection (2)
(0) files: Searching for user in group "zaci-wifi"
rlm_ldap (ldap): Reserved connection (3)
(0) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) files:    --> (uid=myusername)
(0) files: Performing search in "dc=gyrec,dc=cz" with filter "(uid=
myusername)", scope "sub"
(0) files: Waiting for search result...
Unable to chase referral "ldap://ForestDnsZones.mydomain.com/DC=
ForestDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server)
Unable to chase referral "ldap://DomainDnsZones.mydomain.com/DC=
DomainDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server)
Unable to chase referral "ldap://mydomain.com/CN=Configuration,DC=gyrec,DC=
cz" (-1: Can't contact LDAP server)
(0) files: Search returned no results
rlm_ldap (ldap): Released connection (3)
(0) files: Searching for user in group "ucebny"
rlm_ldap (ldap): Reserved connection (4)
(0) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) files:    --> (uid=myusername)
(0) files: Performing search in "dc=gyrec,dc=cz" with filter "(uid=
myusername)", scope "sub"
(0) files: Waiting for search result...
Unable to chase referral "ldap://ForestDnsZones.mydomain.com/DC=
ForestDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server)
Unable to chase referral "ldap://DomainDnsZones.mydomain.com/DC=
DomainDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server)
Unable to chase referral "ldap://mydomain.com/CN=Configuration,DC=gyrec,DC=
cz" (-1: Can't contact LDAP server)
(0) files: Search returned no results
rlm_ldap (ldap): Released connection (4)
(0) files: Searching for user in group "vpn-admin"
rlm_ldap (ldap): Reserved connection (0)
(0) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) files:    --> (uid=myusername)
(0) files: Performing search in "dc=gyrec,dc=cz" with filter "(uid=
myusername)", scope "sub"
(0) files: Waiting for search result...
Unable to chase referral "ldap://ForestDnsZones.mydomain.com/DC=
ForestDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server)
Unable to chase referral "ldap://DomainDnsZones.mydomain.com/DC=
DomainDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server)
Unable to chase referral "ldap://mydomain.com/CN=Configuration,DC=gyrec,DC=
cz" (-1: Can't contact LDAP server)
(0) files: Search returned no results
rlm_ldap (ldap): Released connection (0)
(0) files: Searching for user in group "VPN-ucitele"
rlm_ldap (ldap): Reserved connection (5)
(0) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) files:    --> (uid=myusername)
(0) files: Performing search in "dc=gyrec,dc=cz" with filter "(uid=
myusername)", scope "sub"
(0) files: Waiting for search result...
Unable to chase referral "ldap://ForestDnsZones.mydomain.com/DC=
ForestDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server)
Unable to chase referral "ldap://DomainDnsZones.mydomain.com/DC=
DomainDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server)
Unable to chase referral "ldap://mydomain.com/CN=Configuration,DC=gyrec,DC=
cz" (-1: Can't contact LDAP server)
(0) files: Search returned no results
rlm_ldap (ldap): Released connection (5)
(0)     [files] = noop
rlm_ldap (ldap): Reserved connection (1)
(0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap:    --> (uid=myusername)
(0) ldap: Performing search in "dc=gyrec,dc=cz" with filter "(uid=
myusername)", scope "sub"
(0) ldap: Waiting for search result...
Unable to chase referral "ldap://ForestDnsZones.mydomain.com/DC=
ForestDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server)
Unable to chase referral "ldap://DomainDnsZones.mydomain.com/DC=
DomainDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server)
Unable to chase referral "ldap://mydomain.com/CN=Configuration,DC=gyrec,DC=
cz" (-1: Can't contact LDAP server)
(0) ldap: Search returned no results
rlm_ldap (ldap): Released connection (1)
(0)     [ldap] = notfound
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user.  Not setting 
Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is
available
(0)     [pap] = noop
(0)   } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = 
Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> myusername at mydomain.com
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)     [eap] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Login incorrect (Failed retrieving values required to evaluate 
condition): [myusername at mydomain.com] (from client localhost port 10)
(0) Delaying response for 1.000000 seconds
Thread 1 waiting to be assigned a request
Waking up in 0.8 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 87 from 127.0.0.1:1812 to 127.0.0.1:34561 length 
20
Waking up in 8.9 seconds.
#####################################################


Could you help me and advise where the problem might be, and what kind of 
misconfiguration can cause the following errors?
ERROR: Failed retrieving values required to evaluate condition
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = 
Reject

Thank you very much.

Chucho Valdez


