FreeRadius with Windows Active Directory
-
Hello everyone i would like to config freeradius with LDAP auth but i i get error can you help me? I have configured NPS service in MS AD and it works
Here is my conf./usr/local/etc/raddb/mods-enabled/ldap ldap { server = "192.168.1.5" port = "389" identity = "CN=pfsense,CN=Users,DC=adm,DC=ad,DC=roodell,DC=uz" password = 'password' base_dn = "OU=Company,DC=my,DC=ad,DC=company,DC=com" user { base_dn = "${..base_dn}" filter = "(SAMAccountName=%{mschap:User-Name})" ### access_attr = "dialupAccess" ### } group { base_dn = "${..base_dn}" filter = '(objectClass=posixGroup)' ### name_attribute = cn ### ### membership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" ### ### membership_attribute = radiusGroupName ### ### compare_check_items = yes ### ### do_xlat = yes ### ### access_attr_used_for_allow = yes ### } profile { filter = "(objectclass=radiusprofile)" ### default_profile = "cn=radprofile,ou=dialup,o=My Company Ltd,c=US" ### ### profile_attribute = "radiusProfileDn" ### } # valuepair_attribute = 'radiusAttribute' update { control:Auth-Type := 'radiusAuthType' control:Simultaneous-Use := 'radiusSimultaneousUse' control:Called-Station-Id := 'radiusCalledStationId' control:Calling-Station-Id := 'radiusCallingStationId' control:LM-Password := 'lmPassword' control:NT-Password := 'ntPassword' control:LM-Password := 'sambaLmPassword' control:NT-Password := 'sambaNtPassword' control:NT-Password := 'ipaNTHash' control:LM-Password := 'dBCSPwd' control:Password-With-Header += 'userPassword' control:SMB-Account-CTRL-TEXT := 'acctFlags' control:Expiration := 'radiusExpiration' control:NAS-IP-Address := 'radiusNASIpAddress' reply:Service-Type := 'radiusServiceType' reply:Framed-Protocol := 'radiusFramedProtocol' reply:Framed-IP-Address := 'radiusFramedIPAddress' reply:Framed-IP-Netmask := 'radiusFramedIPNetmask' reply:Framed-Route := 'radiusFramedRoute' reply:Framed-Routing := 'radiusFramedRouting' reply:Filter-Id := 'radiusFilterId' reply:Framed-MTU := 'radiusFramedMTU' reply:Framed-Compression := 'radiusFramedCompression' reply:Login-IP-Host := 'radiusLoginIPHost' reply:Login-Service := 'radiusLoginService' reply:Login-TCP-Port := 'radiusLoginTCPPort' reply:Callback-Number := 'radiusCallbackNumber' reply:Callback-Id := 'radiusCallbackId' reply:Framed-IPX-Network := 'radiusFramedIPXNetwork' reply:Class := 'radiusClass' reply:Session-Timeout := 'radiusSessionTimeout' reply:Idle-Timeout := 'radiusIdleTimeout' reply:Termination-Action := 'radiusTerminationAction' reply:Login-LAT-Service := 'radiusLoginLATService' reply:Login-LAT-Node := 'radiusLoginLATNode' reply:Login-LAT-Group := 'radiusLoginLATGroup' reply:Framed-AppleTalk-Link := 'radiusFramedAppleTalkLink' reply:Framed-AppleTalk-Network := 'radiusFramedAppleTalkNetwork' reply:Framed-AppleTalk-Zone := 'radiusFramedAppleTalkZone' reply:Port-Limit := 'radiusPortLimit' reply:Login-LAT-Port := 'radiusLoginLATPort' reply:Reply-Message := 'radiusReplyMessage' reply:Tunnel-Type := 'radiusTunnelType' reply:Tunnel-Medium-Type := 'radiusTunnelMediumType' reply:Tunnel-Private-Group-Id := 'radiusTunnelPrivateGroupId' control: += 'radiusControlAttribute' request: += 'radiusRequestAttribute' reply: += 'radiusReplyAttribute' } edir_account_policy_check = no options { idle = 60 probes = 3 interval = 3 chase_referrals = yes rebind = yes # ldap_debug = 0x0028 res_timeout = 4 srv_timelimit = 3 net_timeout = 1 } pool { start = 0 min = 5 max = 5 spare = ${thread[pool].max_spare_servers} uses = 0 retry_delay = 30 lifetime = 0 idle_timeout = 60 } accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" type { start { update { description := "Online at %S" } } interim-update { update { description := "Last seen at %S" } } stop { update { description := "Offline at %S" } } } } post-auth { update { description := "Authenticated at %S" } } } ldap ldap2 { server = "ldap.example.com" port = "389" identity = "cn=admin,o=My Company Ltd,c=US" password = '' base_dn = "o=My Company Ltd,c=US" user { base_dn = "${..base_dn}" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" ### access_attr = "dialupAccess" ### } group { base_dn = "${..base_dn}" filter = '(objectClass=posixGroup)' ### name_attribute = cn ### ### membership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" ### ### membership_attribute = radiusGroupName ### ### compare_check_items = yes ### ### do_xlat = yes ### ### access_attr_used_for_allow = yes ### } profile { filter = "(objectclass=radiusprofile)" ### default_profile = "cn=radprofile,ou=dialup,o=My Company Ltd,c=US" ### ### profile_attribute = "radiusProfileDn" ### } # valuepair_attribute = 'radiusAttribute' update { control:Auth-Type := 'radiusAuthType' control:Simultaneous-Use := 'radiusSimultaneousUse' control:Called-Station-Id := 'radiusCalledStationId' control:Calling-Station-Id := 'radiusCallingStationId' control:LM-Password := 'lmPassword' control:NT-Password := 'ntPassword' control:LM-Password := 'sambaLmPassword' control:NT-Password := 'sambaNtPassword' control:NT-Password := 'ipaNTHash' control:LM-Password := 'dBCSPwd' control:Password-With-Header += 'userPassword' control:SMB-Account-CTRL-TEXT := 'acctFlags' control:Expiration := 'radiusExpiration' control:NAS-IP-Address := 'radiusNASIpAddress' reply:Service-Type := 'radiusServiceType' reply:Framed-Protocol := 'radiusFramedProtocol' reply:Framed-IP-Address := 'radiusFramedIPAddress' reply:Framed-IP-Netmask := 'radiusFramedIPNetmask' reply:Framed-Route := 'radiusFramedRoute' reply:Framed-Routing := 'radiusFramedRouting' reply:Filter-Id := 'radiusFilterId' reply:Framed-MTU := 'radiusFramedMTU' reply:Framed-Compression := 'radiusFramedCompression' reply:Login-IP-Host := 'radiusLoginIPHost' reply:Login-Service := 'radiusLoginService' reply:Login-TCP-Port := 'radiusLoginTCPPort' reply:Callback-Number := 'radiusCallbackNumber' reply:Callback-Id := 'radiusCallbackId' reply:Framed-IPX-Network := 'radiusFramedIPXNetwork' reply:Class := 'radiusClass' reply:Session-Timeout := 'radiusSessionTimeout' reply:Idle-Timeout := 'radiusIdleTimeout' reply:Termination-Action := 'radiusTerminationAction' reply:Login-LAT-Service := 'radiusLoginLATService' reply:Login-LAT-Node := 'radiusLoginLATNode' reply:Login-LAT-Group := 'radiusLoginLATGroup' reply:Framed-AppleTalk-Link := 'radiusFramedAppleTalkLink' reply:Framed-AppleTalk-Network := 'radiusFramedAppleTalkNetwork' reply:Framed-AppleTalk-Zone := 'radiusFramedAppleTalkZone' reply:Port-Limit := 'radiusPortLimit' reply:Login-LAT-Port := 'radiusLoginLATPort' reply:Reply-Message := 'radiusReplyMessage' reply:Tunnel-Type := 'radiusTunnelType' reply:Tunnel-Medium-Type := 'radiusTunnelMediumType' reply:Tunnel-Private-Group-Id := 'radiusTunnelPrivateGroupId' control: += 'radiusControlAttribute' request: += 'radiusRequestAttribute' reply: += 'radiusReplyAttribute' } edir_account_policy_check = no options { idle = 60 probes = 3 interval = 3 ### MS Active Directory Compatibility is disabled ### # ldap_debug = 0x0028 res_timeout = 4 srv_timelimit = 3 net_timeout = 1 } pool { start = 0 min = 5 max = 5 spare = ${thread[pool].max_spare_servers} uses = 0 retry_delay = 30 lifetime = 0 idle_timeout = 60 } accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" type { start { update { description := "Online at %S" } } interim-update { update { description := "Last seen at %S" } } stop { update { description := "Offline at %S" } } } } post-auth { update { description := "Authenticated at %S" } } }And here is radiusd -X
(0) ldap: Waiting for search result...
(0) ldap: User object found at DN "CN=Name Surname ,OU=Users,OU=Office,OU=Company,OU=City,OU=Users,DC=my,DC=ad,DC=company,DC=com"
(0) ldap: Processing user attributes
(0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(0) ldap: WARNING: PAP authentication will NOT work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (0)
Need 4 more connections to reach min connections (5)
Need more connections to reach 0 spares
rlm_ldap (ldap): Opening additional connection (1), 1 of 4 pending slots used
rlm_ldap (ldap): Connecting to ldap://192.168.1.5:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0) [ldap] = ok
(0) } # redundant = ok
(0) if (notfound || noop) {
(0) if (notfound || noop) -> FALSE
(0) } # if (true) = ok
(0) } # if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) = ok
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
(0) [daily] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
(0) [weekly] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
(0) [monthly] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
(0) [forever] = noop
(0) if (&request:Calling-Station-Id == &control:Calling-Station-Id) {
(0) ERROR: Failed retrieving values required to evaluate condition
(0) [expiration] = noop
(0) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = mschap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) authenticate {
(0) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(0) mschap: Creating challenge hash with username: US0001
(0) mschap: Client is using MS-CHAPv2
(0) mschap: ERROR: FAILED: No NT-Password. Cannot perform authentication
(0) mschap: ERROR: MS-CHAP2-Response is incorrect
(0) [mschap] = reject
(0) } # authenticate = reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> US0001
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Login incorrect (Failed retrieving values required to evaluate condition): [DR0225] (from client pfsense port 0)
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 35 from 127.0.0.1:1812 to 127.0.0.1:38148 length 103
(0) MS-CHAP-Error = "\001E=691 R=1 C=addf7dec7df8e8e54c7be8af73a9e73f V=3 M=Authentication rejected"
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 35 with timestamp +0 due to cleanup_delay was reached
Ready to process requests
-
@dochy Please anybody can you help?
-
Look here : Captive Portal Bandwidth-Max-Up Down Radius so I deduct that it is possible.
I've posted links to the official doc over there, which contains debug info on the 'Windows' side also.
Can't say anything more, as I'm using FreeRadius myself, not LDAP.
edit : this :
Login incorrect (Failed retrieving values required to evaluate condition): [DR0225]A login request is metitted.
Does it reach the other 'LDAP' side ?
No : so pfSense can't reach the other side - check LDAP side why.
Yes : user/password error, (or way these are communicated, etc)Don't know why this is logged :
@dochy said in FreeRadius with Windows Active Directory:
(0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
I don't think this is a generic message : no password means : login problems for sure.
(0) ldap: WARNING: PAP authentication will
NOT
work with Active Directory (if that is what you were trying to configure)You are using "PAP authentication" ?
-
@Gertjan said in FreeRadius with Windows Active Directory:
You are using "PAP authentication" ?
Should FreeRadius work with Active Direcroty throught NPS Radius or as LDAP autorization? i think it work as LDAP, as there are Base DN Filter and Base Filter attributes. i have configured in pfsense LDAP authentification to web page and there are also Base DN attributes thats why i think it works not throught NPS.
Here is my LDAP web authentification
