Google LDAP Authentication for WIFI Setup issues
Joseph Allen
joseph.l.allen at gmail.com
Thu Nov 7 22:47:09 UTC 2024
Hello,
I have been working on this for several days and am tired of asking an AI
for help. I have FreeRADIUS installed on a RPI4 through apt, so it's a 3.0
version.
First I tried following the Google Workspace instructions. It connects and
looks up users fine, but it keeps trying to verify passwords in clear
text... no good.
Next I noticed there is a mod named ldap_google in the mods-available,
which says it will bind users and void the clear text issue. I configured
that to connect to my workspace, fairly simple.
Next I moved that file to the enabled mods folder, as well as moving the
google-ldap-auth file to the sites-enabled folder. (I say move; I did a
symbolic link.) After lots of troubleshooting, I removed the default from
sites-enabled just to try and simplify everything.
First I ran into issues with filter_inner_identity. I don't quite
understand why that is failing, but I saw somewhere else that it is not
needed, so I commented it out. Now I keep seeing this:
(0) Received Access-Request Id 26 from 192.168.52.1:59099 to
192.168.52.155:1812 length 249
(0) User-Name = "test at test.com"
(0) NAS-IP-Address = 192.168.1.89
(0) Called-Station-Id = "9A-7F-54-27-FD-35:***WIFI SSID****"
(0) NAS-Port-Type = Wireless-802.11
(0) Service-Type = Framed-User
(0) Calling-Station-Id = "BE-35-1A-04-D3-70"
(0) Connect-Info = "CONNECT 24Mbps 802.11a"
(0) Acct-Session-Id = "C349A45BB76F8134"
(0) Acct-Multi-Session-Id = "9A4E5DCFE2DA284C"
(0) WLAN-Pairwise-Cipher = 1027076
(0) WLAN-Group-Cipher = 1027076
(0) WLAN-AKM-Suite = 1027077
(0) WLAN-Group-Mgmt-Cipher = 1027078
(0) Framed-MTU = 1400
(0) EAP-Message = 0x027b0012017465737440746573742e636f6d
(0) Message-Authenticator = 0xf88e64c655b98a2aa22e62a2844fe21d
(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/google-ldap-auth
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) policy split_username_nai {
(0) if (&User-Name && (&User-Name =~
/^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(0) if (&User-Name && (&User-Name =~
/^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(0) if (&User-Name && (&User-Name =~
/^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(0) update request {
(0) EXPAND %{1}
(0) --> test
(0) &Stripped-User-Name := test
(0) } # update request = noop
(0) if ("%{3}" != '') {
(0) EXPAND %{3}
(0) --> test.com
(0) if ("%{3}" != '') -> TRUE
(0) if ("%{3}" != '') {
(0) update request {
(0) EXPAND %{3}
(0) --> test.com
(0) &Stripped-User-Domain = test.com
(0) } # update request = noop
(0) } # if ("%{3}" != '') = noop
(0) [updated] = updated
(0) } # if (&User-Name && (&User-Name =~
/^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(0) ... skipping else: Preceding "if" was taken
(0) } # policy split_username_nai = updated
(0) update control {
(0) &Cache-Status-Only := yes
(0) } # update control = noop
(0) cache_auth_accept: EXPAND
%{md5:%{%{Stripped-User-Name}:-%{User-Name}}%{User-Password}}
(0) cache_auth_accept: --> 098f6bcd4621d373cade4e832627b4f6
(0) cache_auth_accept: No cache entry found for
"098f6bcd4621d373cade4e832627b4f6"
(0) [cache_auth_accept] = notfound
(0) if (ok) {
(0) if (ok) -> FALSE
(0) update control {
(0) &Cache-Status-Only := yes
(0) } # update control = noop
(0) cache_auth_reject: EXPAND
%{md5:%{Calling-Station-Id}%{Stripped-User-Name}%{User-Password}}
(0) cache_auth_reject: --> c12fe59cbee87c80dea47e15189a1410
(0) cache_auth_reject: No cache entry found for
"c12fe59cbee87c80dea47e15189a1410"
(0) [cache_auth_reject] = notfound
(0) if (ok) {
(0) if (ok) -> FALSE
(0) if (&User-Password && !control:Auth-Type) {
(0) if (&User-Password && !control:Auth-Type) -> FALSE
(0) } # authorize = updated
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file
/etc/freeradius/3.0/sites-enabled/google-ldap-auth
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> test at test.com
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) if (&control:Auth-Type == ldap) {
(0) ERROR: Failed retrieving values required to evaluate condition
(0) update control {
(0) &Cache-TTL := 0
(0) } # update control = noop
(0) cache_ldap_user_dn: EXPAND %{Stripped-User-Name}
(0) cache_ldap_user_dn: --> test
(0) cache_ldap_user_dn: No cache entry found for "test"
(0) cache_ldap_user_dn: Creating new cache entry
(0) cache_ldap_user_dn: Merging cache entry into request
(0) cache_ldap_user_dn: Committed entry, TTL 86400 seconds
(0) [cache_ldap_user_dn] = updated
(0) } # Post-Auth-Type REJECT = updated
(0) Login incorrect (No Auth-Type found: rejecting the user via
Post-Auth-Type = Reject): [test at test.com/<no User-Password attribute>]
(from client 192.168.52.1 port 0 cli BE-35-1A-04-D3-70)
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 26 from 192.168.52.155:1812 to 192.168.52.1:59099
length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 26 with timestamp +19 due to
cleanup_delay was reached
There is an IF condition in the site config to check for the User-Password
before it sets the Auth-Type, however it appears there is no user password,
so the condition fails and it never even attempts to connect to LDAP.
So the big question is: why is there no password? I am testing with my
iPad, and I am typing in a password when connecting to the Wi-Fi. The Wi-Fi
config is set to WPA Enterprise.
Thanks in advance for any help.