FreeRADIUS Configuration - RADTEST errors

Brian Blater brian.blater+freeradius at digitalturbine.com
Tue Mar 19 17:16:10 UTC 2024


I'm working to set up a FreeRADIUS server to authenticate our users for Wifi connectivity. I've read a bunch of documentation and followed many different guides, but things aren't coming together.

On the FR server when I run radtest, I'm seeing the following:
radtest brian.testing at digitalturbine.com <redacted> localhost 1812 testing123
Sent Access-Request Id 212 from 0.0.0.0:47042 to 127.0.0.1:1812 length 102
User-Name = "brian.testing at digitalturbine.com"
User-Password = "<redacted>"
NAS-IP-Address = 10.255.1.105
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "<redacted>"
Received Access-Reject Id 212 from 127.0.0.1:1812 to 127.0.0.1:47042 length 20
(0) -: Expected Access-Accept got Access-Reject

Obviously something must not be right in my configuration. If I go to the
freeradius -X screen I see the following:
Ready to process requests
(1) Received Access-Request Id 212 from 127.0.0.1:47042 to 127.0.0.1:1812 length 102
(1)   User-Name = "brian.testing at digitalturbine.com"
(1)   User-Password = "<redacted>"
(1)   NAS-IP-Address = 10.255.1.105
(1)   NAS-Port = 1812
(1)   Message-Authenticator = 0x816dbf275b3973f411280b940d311f82
(1) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(1) auth_log:    --> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20240319
(1) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20240319
(1) auth_log: EXPAND %t
(1) auth_log:    --> Tue Mar 19 16:47:00 2024
(1)     [auth_log] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: Looking up realm "digitalturbine.com" for User-Name = "brian.testing at digitalturbine.com"
(1) suffix: No such realm "digitalturbine.com"
(1)     [suffix] = noop
(1) eap: No EAP-Message, not doing EAP
(1)     [eap] = noop
(1)     [files] = noop
rlm_ldap (ldap): Reserved connection (0)
(1) ldap: EXPAND (&(objectClass=user)(uid=:%{User-Name}})(memberOf:1.2.840.113556.1.4.1941:=cn=group,dc=digitalturbine,dc=okta,dc=com))
(1) ldap:    --> (&(objectClass=user)(uid=:brian.testing at digitalturbine.com})(memberOf:1.2.840.113556.1.4.1941:=cn=group,dc=digitalturbine,dc=okta,dc=com))
(1) ldap: Performing search in "ou=users,dc=digitalturbine,dc=okta,dc=com" with filter "(&(objectClass=user)(uid=:brian.testing at digitalturbine.com})(memberOf:1.2.840.113556.1.4.1941:=cn=group,dc=digitalturbine,dc=okta,dc=com))", scope "sub"
(1) ldap: Waiting for search result...
rlm_ldap (ldap): Reconnecting (0)
rlm_ldap (ldap): Connecting to ldaps://digitalturbine.ldap.okta.com:636
rlm_ldap (ldap): Waiting for bind result...
ber_get_next failed, errno=11.
rlm_ldap (ldap): Bind successful
(1) ldap: WARNING: Search failed: Can't contact LDAP server. Got new socket, retrying...
(1) ldap: Waiting for search result...
(1) ldap: ERROR: Failed performing search: Unknown error
rlm_ldap (ldap): Released connection (0)
Need 1 more connections to reach min connections (3)
Need more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (6), 1 of 30 pending slots used
rlm_ldap (ldap): Connecting to ldaps://digitalturbine.ldap.okta.com:636
rlm_ldap (ldap): Waiting for bind result...
ber_get_next failed, errno=11.
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing expired connection (5) - Hit idle_timeout limit
(1)     [ldap] = fail
(1)   } # authorize = fail
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject:    --> brian.testing at digitalturbine.com
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1)     [attr_filter.access_reject] = updated
(1)     [eap] = noop
(1)     policy remove_reply_message_if_eap {
(1)       if (&reply:EAP-Message && &reply:Reply-Message) {
(1)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(1)       else {
(1)         [noop] = noop
(1)       } # else = noop
(1)     } # policy remove_reply_message_if_eap = noop
(1)   } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds
Waking up in 0.9 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 212 from 127.0.0.1:1812 to 127.0.0.1:47042 length 20
Waking up in 3.9 seconds.
(1) Cleaning up request packet ID 212 with timestamp +11949 due to cleanup_delay was reached
Ready to process requests

First thing I see is "Looking up Realm" and "No such Realm." I have not defined a realm anywhere, as the documentation points to this being needed for proxying and I'm not using a proxy.

Next I'm seeing a lot of "ber_get_next failed, errno=11" errors with rlm_ldap. I do eventually see the "Bind successful" message.

Then comes the following:
(1) ldap: WARNING: Search failed: Can't contact LDAP server. Got new socket, retrying...
(1) ldap: Waiting for search result...
(1) ldap: ERROR: Failed performing search: Unknown error
rlm_ldap (ldap): Released connection (0)

Not sure why it can't connect to LDAP server or why the search is failing.
An ldapsearch at the command line does connect to the LDAP server and will
show me info:
ldapsearch -x \
-H ldaps://digitalturbine.ldap.okta.com \
-D "uid=jamf.service at digitalturbine.com,ou=users,dc=digitalturbine,dc=okta,dc=com" \
-W \
-b dc=digitalturbine,dc=okta,dc=com \
uid=brian.testing at digitalturbine.com \* +
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=digitalturbine,dc=okta,dc=com> with scope subtree
# filter: uid=brian.testing at digitalturbine.com
# requesting: * +
#

# brian.testing at digitalturbine.com, users, digitalturbine.okta.com
dn: uid=brian.testing at digitalturbine.com,ou=users,dc=digitalturbine,dc=okta,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: brian.testing at digitalturbine.com
uniqueIdentifier: 00u97lgr7yx8L83Ko696
organizationalStatus: ACTIVE
givenName: Brian
sn: Testing
cn: Brian Testing
mail: brian.testing at digitalturbine.com
displayName: Brian Testing
title: Testor

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

So I'm not quite sure what I'm missing. Any help you can give is very much appreciated.
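Added example, not from the post above or from FreeRADIUS: a small RFC 4515 filter parser that extracts the literal assertion values a search filter sends to the directory, run against the expanded filter copied from the `freeradius -X` output in the post. It shows why the debug log's uid assertion, carrying the stray leading `:` and trailing `}` from the `(uid=:%{User-Name}})` template, can never equal the `uid` value the ldapsearch returned; addresses are written with `@` as they appear on the wire (the list archive prints them as " at ").

```python
import re

# Simple items: attr=value, attr>=value, attr<=value, attr~=value, attr:rule:=value
_ITEM = re.compile(r'^([A-Za-z0-9.;-]+(?::[A-Za-z0-9.]+)*)(:=|>=|<=|~=|=)(.*)$')

def parse_filter(text):
    """Parse an RFC 4515 filter into ('&'|'|', [children]), ('!', child) or
    ('item', attribute, operator, value); raise ValueError on bad syntax."""
    tree, end = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"trailing text at offset {end}: {text[end:]!r}")
    return tree

def _parse(text, pos):
    if pos >= len(text) or text[pos] != '(':
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    op = text[pos] if pos < len(text) else ''
    if op in ('&', '|'):
        children, pos = [], pos + 1
        while pos < len(text) and text[pos] == '(':
            child, pos = _parse(text, pos)
            children.append(child)
        node = (op, children)
    elif op == '!':
        child, pos = _parse(text, pos + 1)
        node = ('!', child)
    else:
        end = pos  # a simple item runs to the next unescaped ')'
        while end < len(text) and text[end] != ')':
            end += 2 if text[end] == '\\' else 1
        m = _ITEM.match(text[pos:end])
        if not m:
            raise ValueError(f"bad filter item {text[pos:end]!r}")
        node, pos = ('item', m.group(1), m.group(2), m.group(3)), end
    if pos >= len(text) or text[pos] != ')':
        raise ValueError(f"expected ')' at offset {pos}")
    return node, pos + 1

def assertion_values(tree, attribute):
    """Return the literal values the filter asserts for `attribute` (case-insensitive)."""
    if tree[0] == 'item':
        return [tree[3]] if tree[1].split(':')[0].lower() == attribute.lower() else []
    if tree[0] == '!':
        return assertion_values(tree[1], attribute)
    return [v for child in tree[1] for v in assertion_values(child, attribute)]

# Expanded filter copied from the post's debug output, and the uid the ldapsearch returned
EXPANDED = ("(&(objectClass=user)(uid=:brian.testing@digitalturbine.com})"
            "(memberOf:1.2.840.113556.1.4.1941:=cn=group,dc=digitalturbine,dc=okta,dc=com))")
DIRECTORY_UID = "brian.testing@digitalturbine.com"
if __name__ == "__main__":
    print(assertion_values(parse_filter(EXPANDED), "uid"), "vs", DIRECTORY_UID)
```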

