FreeRadius ldap queries are not executed
Matvey Teplov
matvey.teplov at nomios.nl
Mon Mar 17 09:44:22 UTC 2025
Hi,
After extensive troubleshooting, I have arrived at the following error, which comes up while debugging with freeradius -X:
"/etc/freeradius/3.0/sites-enabled/default[43]: Expecting section start brace '{' after "ldap ms_ad""
FreeRADIUS fails to parse the configuration file during startup, expecting the server definition in the post_auth section, while it should use ms_ad to refer to the module definition.
Did anyone experience this behaviour before?
Thank you,
Best regards, Matvey Teplov
________________________________
From: Freeradius-Users <freeradius-users-bounces+matvey.teplov=nomios.nl at lists.freeradius.org> on behalf of Matvey Teplov via Freeradius-Users <freeradius-users at lists.freeradius.org>
Sent: 14 March 2025 13:23
To: freeradius-users at lists.freeradius.org <freeradius-users at lists.freeradius.org>
Cc: Matvey Teplov <matvey.teplov at nomios.nl>
Subject: FreeRadius ldap queries are not executed
Hi,
I am having a problem making FreeRADIUS query for group membership. Generally, authentication consists of two stages. The first stage is verifying the user with the RADIUS server via proxy; in the second stage, FreeRADIUS has to confirm whether the user belongs to one of the groups defined in LDAP and populate VSAs. So, the first stage ran successfully, LDAP connections were established at startup, but pulling groups in the second stage is not happening. The log is:
(6) Received Access-Request Id 239 from 127.0.0.1:55766 to 127.0.0.1:1825 length 101
(6) Message-Authenticator = 0xc70aa4ebf93116a15e305fbe97e49bb8
(6) User-Name = "generic-ms-user"
(6) User-Password = "*********"
(6) NAS-IP-Address = 172.17.0.6
(6) NAS-Port = 1
(6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(6) authorize {
(6) [preprocess] = ok
(6) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(6) auth_log: --> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20250311
(6) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20250311
(6) auth_log: EXPAND %t
(6) auth_log: --> Tue Mar 11 12:38:06 2025
(6) [auth_log] = ok
(6) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(6) pap: WARNING: Authentication will fail unless a "known good" password is available
(6) [pap] = noop
(6) update control {
(6) Proxy-to-Realm := "radius_server"
(6) } # update control = noop
(6) } # authorize = ok
(6) Starting proxy to home server 100.127.1.24 port 1823
(6) server default {
(6) }
(6) Proxying request to home server 100.127.1.24 port 1823 timeout 10.000000
(6) Sent Access-Request Id 171 from 0.0.0.0:57934 to 100.127.1.24:1823 length 112
(6) Message-Authenticator = 0xc70aa4ebf93116a15e305fbe97e49bb8
(6) User-Name = "generic-ms-user"
(6) User-Password = "*********"
(6) NAS-IP-Address = 172.17.0.6
(6) NAS-Port = 1
(6) Event-Timestamp = "Mar 11 2025 12:38:06 UTC"
(6) Proxy-State = 0x323339
Waking up in 0.3 seconds.
(6) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(6) BlastRADIUS check: Received packet without Message-Authenticator from home_server radius_server1
(6) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(6) The packet does not contain Message-Authenticator, which is a security issue
(6) UPGRADE THE HOME SERVER AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.
(6) Once the home server is upgraded, set "require_message_authenticator = true" for home_server radius_server1
(6) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(6) Clearing existing &reply: attributes
(6) Received Access-Accept Id 171 from 100.127.1.24:1823 to 172.17.0.6:57934 length 25
(6) Proxy-State = 0x323339
(6) server default {
(6) }
(6) Found Auth-Type = Accept
(6) Auth-Type = Accept, accepting the user
(6) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(6) post-auth {
(6) [ldap_server] = noop
(6) if (&control:LDAP-Group == "Radius_Admin_Group") {
(6) ERROR: Failed retrieving values required to evaluate condition
(6) elsif (&control:LDAP-Group == "Radius_ReadOnly_Group") {
(6) ERROR: Failed retrieving values required to evaluate condition
(6) elsif (&control:LDAP-Group == "Radius_ReadWrite_Group") {
(6) ERROR: Failed retrieving values required to evaluate condition
(6) else {
(6) update control {
(6) Auth-Type := Reject
(6) } # update control = noop
(6) update reply {
(6) Reply-Message := "Access denied: Unauthorized group."
(6) } # update reply = noop
(6) } # else = noop
(6) } # post-auth = noop
(6) Login OK: [generic-ms-user] (from client localhost port 1)
(6) Sent Access-Accept Id 239 from 127.0.0.1:1825 to 127.0.0.1:55766 length 0
(6) Reply-Message := "Access denied: Unauthorized group."
(6) Finished request
Waking up in 4.9 seconds.
Any ideas will be appreciated!
Best regards, Matvey Teplov
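As an added illustration for both messages above (constructed here, not taken from the posts or from the FreeRADIUS project), this is how the two pieces fit together in FreeRADIUS 3.0: the "ldap ms_ad { ... }" instantiation belongs in mods-enabled, while the site's post-auth section only refers to the instance by name, and a named instance exposes its group check as ms_ad-LDAP-Group. Server, bind DN, base DN and the Cisco-AVPair values are placeholders.

```unlang
# mods-enabled/ldap (constructed example; server, DN and credential values are placeholders)
ldap ms_ad {
        server = 'ldap://dc.example.test'
        identity = 'cn=radius-bind,cn=Users,dc=example,dc=test'
        password = 'PLACEHOLDER'
        base_dn = 'dc=example,dc=test'
        user {
                base_dn = "${..base_dn}"
                filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
        }
        group {
                base_dn = "${..base_dn}"
                filter = '(objectClass=group)'
                name_attribute = cn
                membership_attribute = 'memberOf'
        }
}

# sites-enabled/default, post-auth section. Writing "ldap ms_ad" here is parsed as
# the start of a new section, which is the "Expecting section start brace" error;
# the instance is called by name only. Because the instance is not named "ldap",
# the group comparison attribute is ms_ad-LDAP-Group, and the comparison itself
# triggers the LDAP group lookup. post-auth runs after the proxied Access-Accept
# has been received, so assigning Auth-Type here changes nothing; returning
# "reject" is what turns the reply into an Access-Reject.
post-auth {
        ms_ad
        if (ms_ad-LDAP-Group == "Radius_Admin_Group") {
                update reply {
                        Cisco-AVPair += "shell:priv-lvl=15"   # placeholder VSA
                }
        }
        elsif (ms_ad-LDAP-Group == "Radius_ReadOnly_Group") {
                update reply {
                        Cisco-AVPair += "shell:priv-lvl=1"    # placeholder VSA
                }
        }
        else {
                update reply {
                        Reply-Message := "Access denied: Unauthorized group."
                }
                reject
        }
}
```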
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html