NEW Package: freeRADIUS 2.x
-
ok, it's simplier that I thought.
Because I wanna to my AD Win Server 2008 to be CA, but I can just copy CA certificate to the pfSense freeradius, so nevermind about kerberos and certs ;)I'll try to test everything you suggested as soon as possible, but it could be monday or tuesday because I had some new PC's in work and it would take some time to configure them
Hey, no stress :D
Your feedback is great and testing is good :D
All what we could test and what is working will be put into the pfsense docs.
Perhaps in the next week I will find some time to try with my colleague (linuy geek) to setup MySQL and OpenLDAP ans test both with freeradius2.Further I will add some new EAP types to the package.
-
Updates pkg v1.5.1
-
Added: additional eap.conf options (fragment size, include_length, enable cache)
-
Added: More authentication protocls and methods based on the follwoing links:
http://hostap.epitest.fi/wpa_supplicant/
http://freeradius.org/features/eap.html
-
-
Hi,
Anyone use SQL function? Does it work now?
I tried it here,but it's still not working but I did see a lot of new options.
One more question, is there any log I can analyse what's wrong with SQL? I checked with system log and /var/log/radius.log. There is no information.
Many thanks for your great work!
ZLYZWY
-
Hi,
Anyone use SQL function? Does it work now?
I tried it here,but it's still not working but I did see a lot of new options.
One more question, is there any log I can analyse what's wrong with SQL? I checked with system log and /var/log/radius.log. There is no information.
Many thanks for your great work!
ZLYZWY
Hi zlyzwy,
MySQL and PostgreSQL should work. FreeRADIUS is compiled with these modules and the bug with the missing lib after areboot should be fixed (only MySQL). Of course, if you enable SQL but FreeRADIUS could not connect to the database, the service fails and freeradius stops. MySQL connection error is displayed fast. PostgreSQL takes ~30-60s to fail - if not connectable to a database.
If you want to debug output of RADIUS and SQL, then do all the configs from GUI and after you did that, stop the service, connect with SSH to your pfsense and then type:radiusd -XThis is debugging mode. There you will get all output. You can post it here if neccessary. Perhaps we can help.
-
Hi Nachtfalke,
Really thanks for such a quick reply~~
here is the output for debug:
# radiusd -X FreeRADIUS Version 2.1.12, for host i386-portbld-freebsd8.1, built on Jan 3 201 2 at 23:44:16 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/clients.conf /usr/local/etc/raddb/clients.conf[2]: Expecting section start brace '{' after "c lient PF" Errors reading /usr/local/etc/raddb/radiusd.confCan you help to analyse the error?
UPDATE
I can read sql.conf file from web interface. here is the output:/usr/local/etc/raddb/sql.conf sql { database = "mysql" driver = "rlm_sql_${database}" server = "IP" port = 3306 login = "xxx" password = "XXX" radius_db = "radius" acct_table1 = "radacct" acct_table2 = "radacct" postauth_table = "radpostauth" authcheck_table = "radcheck" authreply_table = "radreply" groupcheck_table = "radgroupcheck" groupreply_table = "radgroupreply" usergroup_table = "radusergroup" read_groups = yes deletestalesessions = yes sqltrace = yes sqltracefile = ${logdir}/sqltrace.sql num_sql_socks = 5 connect_failure_retry_delay = 60 lifetime = 0 max_queries = 0 readclients = yes nas_table = "nas" $INCLUDE sql/${database}/dialup.conf } sql sql2 { database = "mysql" driver = "rlm_sql_${database}" server = "localhost" port = 3306 login = "radius" password = "radpass" radius_db = "radius" acct_table1 = "radacct" acct_table2 = "radacct" postauth_table = "radpostauth" authcheck_table = "radcheck" authreply_table = "radreply" groupcheck_table = "radgroupcheck" groupreply_table = "radgroupreply" usergroup_table = "radusergroup" read_groups = yes deletestalesessions = yes sqltrace = no sqltracefile = ${logdir}/sqltrace.sql num_sql_socks = 5 connect_failure_retry_delay = 60 lifetime = 0 max_queries = 0 readclients = yes nas_table = "nas" $INCLUDE sql/${database}/dialup.conf }I create a database in MySQL named "radius". That's all my settings.
Should I create the tables first, if yes, then what's the structure of these tables? -
On the client you can should then choose PEAP and MSCHAPv2. You will be prompted to accept the CA-Certificate of the freeradius server.
Than you will be prompted for a username and password - thats the one you entered in freeradius2 users.Thats fine for non-domain computers but as the network link isn't established before logon, network scripts can't be executed nor 'll they be able to logon.
-
On the client you can should then choose PEAP and MSCHAPv2. You will be prompted to accept the CA-Certificate of the freeradius server.
Than you will be prompted for a username and password - thats the one you entered in freeradius2 users.Thats fine for non-domain computers but as the network link isn't established before logon, network scripts can't be executed nor 'll they be able to logon.
Then you have to create a "Computer logon" which will be executed before user logon:
http://pcloadletter.co.uk/2011/07/11/cisco-wifi-active-directory-auth/ -
I downloaded the FreeRadius's package and there are some *.sql for mysql. I run the script and it did create some tables.
About the error can't export the debug info, I solve it by re-install the package.
Then I run the debug again, here is the info about SQL.
(Full log here:http://pastebin.com/rSi3xWra)Module: Linked to module rlm_sql Module: Instantiating module "sql" from file /usr/local/etc/raddb/sql.conf sql { driver = "rlm_sql_mysql" server = "192.168.1.25" port = "3306" login = "radius" password = "radpass" radius_db = "radius" read_groups = yes sqltrace = yes sqltracefile = "/var/log/sqltrace.sql" readclients = yes deletestalesessions = yes num_sql_socks = 5 lifetime = 0 max_queries = 0 sql_user_name = "%{User-Name}" default_user_profile = "" nas_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id" accounting_onoff_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = unix_timestamp('%S') - unix_timestamp(acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = %{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'" accounting_update_query = " UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_update_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctsessiontime, acctauthentic, connectinfo_start, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, servicetype, framedprotocol, framedipaddress, acctstartdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query_alt = " UPDATE radacct SET acctstarttime = '%S', acctstartdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_start = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{%{Acct-Delay-Time}:-0}')" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" connect_failure_retry_delay = 60 simul_count_query = "" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" postauth_query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')" safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked rlm_sql (sql): Attempting to connect to radius@192.168.1.25:3306/radius rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_mysql #0 rlm_sql_mysql: Starting connect to MySQL server for #0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_mysql #1 rlm_sql_mysql: Starting connect to MySQL server for #1 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_mysql #2 rlm_sql_mysql: Starting connect to MySQL server for #2 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_mysql #3 rlm_sql_mysql: Starting connect to MySQL server for #3 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_mysql #4 rlm_sql_mysql: Starting connect to MySQL server for #4 rlm_sql (sql): Connected new DB handle, #4 rlm_sql (sql): Processing generate_sql_clients rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Reserving sql socket id: 4 rlm_sql_mysql: query: SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Released sql socket id: 4Still the same problem, no matter what I did in web setting, there is no log MySQL. :(
=================================================================================================
Just a quick update:
Now I think there is some progress, I can see the log in MySQL.Table radpostauth
1 test test123 Access-Accept 2012-01-15 22:42:55I am going to test more with Captive Portal.
:)))
-
Did you solve the probem in "clients.conf" ? There was an error because of an open brace "{". This shouldn't happen if you create the clients from the GUI.
The log output you posted on pastebin shows the "probem":
Failed binding to authentication address * port 1812: Address already in use /usr/local/etc/raddb/radiusd.conf[36]: Error binding to port for 0.0.0.0 port 1812This is happening if you start the freeradius service from GUI than it is listening on the auth port. If you then start it again on console with "radiusd -X" than the service gets startet two times. So first stop the service from GUI or kill it from console with
killall -9 radiusdOnly if there is no other radiusd service running, start it in debug mode from GUI with "radiusd -X"
MySQL:
You have to create the MySQL database by hand and you have to create the tables and you have to put the data into the tables. FreeRADIUS is only reading the table (authentication). The SQL GUI shows you the default names of the tables. If you choose other table names you have to correct this in the web GUI.On pfsense there are several example .sql files. I don't know the exxact path at the moment because I do not have access to any pfsense.
Try to search the files with:
find / -iname "*.sql*"There are the tables for MySQL, PostgreSQL and so on. If you open the tables with an editor (vi) than there is explained how the table should look like and for what you should use it.
Here you can see how to import the example freeradius .sql structure into your database:
http://wiki.freeradius.org/SQL-HOWTO#Create+MySQL+Database–--- edit -----
Some more information about MySQL database creation:
http://www.howtoforge.com/setting-up-a-freeradius-based-aaa-server-with-mysql-and-management-with-daloradius -
Did you solve the probem in "clients.conf" ? There was an error because of an open brace "{". This shouldn't happen if you create the clients from the GUI.
I always create the client from the GUI. I am sure I can solve it by remove all the clients from GUI and add the clients again.
This is happening when I upgrade/re-install the package.=========================================================================
By entering the debug mode, I also find the problem. Do the following step in console will be all right.
1.```
service radiusd stop2\.``` Radiusd -XThe debug is really useful~~
=========================================================================
I must prepare the database first. The SQL script can be found at latest Freeradius release.
(freeradius-server-2.1.12\raddb\sql\mysql) -
Updates pkg v1.5.2:
-
Added: "Amount of Time" and "Amount of Traffic" per user connected through captive portal and freeradius2
-
Updated: FreeRADIUS 2.x package on pfSense documentation
-
-
I tried to upgrade package to v1.5.2 and it get stuck at "Loading package instructions…"
-
I tried to upgrade package to v1.5.2 and it get stuck at "Loading package instructions…"
No problems here on amd64 and i386. Updating from pkg v1.5.1 to v1.5.2.
Removing freeradius2 components... Tabs items... done. Menu items... done. Services... done. Loading package instructions... Deinstall commands... done. Removing package instructions...done. Auxiliary files... done. Package XML... done. Configuration... done. Beginning package installation for freeradius2... Downloading package configuration file... done. Saving updated package information... done. Downloading freeradius2 and its dependencies... Checking for package installation... Loading package configuration... done. Configuring package components... Additional files... done. Loading package instructions... Custom commands... Executing custom_php_install_command()...done. Executing custom_php_resync_config_command()...done. Custom commands... Executing custom_php_install_command()...done. Executing custom_php_resync_config_command()...done. Menu items... done. Integrated Tab items... done. Services... done. Writing configuration... done. Package reinstalled. -
ok, first I want show you that PAP working for me:
first question:
radtest -t pap addressbook ppp123PPP 10.8.0.1 1 ppp123PPP Sending Access-Request of id 172 to 10.8.0.1 port 1812 User-Name = "addressbook" User-Password = "ppp123PPP" NAS-IP-Address = 10.8.0.1 NAS-Port = 1 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host 10.8.0.1 port 1812, id=172, length=20Now on radiusd -X side:
Ready to process requests. rad_recv: Access-Request packet from host 10.8.0.1 port 63417, id=172, length=81 User-Name = "addressbook" User-Password = "ppp123PPP" NAS-IP-Address = 10.8.0.1 NAS-Port = 1 Message-Authenticator = 0x84a2dbf3faa9c1eed0e6b541fe4773bb # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "addressbook", skipping NULL due to config. ++[suffix] returns noop [ntdomain] No '\' in User-Name = "addressbook", skipping NULL due to config. ++[ntdomain] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [ldap] performing user authorization for addressbook [ldap] expand: (sAMAccountName=%{mschap:User-Name}) -> (sAMAccountName=addressbook) [ldap] expand: cn=Users,dc=p,dc=t -> cn=Users,dc=p,dc=t [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to server.p.t:389, authentication 0 [ldap] bind as cn=addressbook,cn=Users,dc=p,dc=t/ppp123PPP to server.p.t:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in cn=Users,dc=p,dc=t, with filter (sAMAccountName=addressbook) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] Setting Auth-Type = LDAP [ldap] user addressbook authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[daily] returns noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[weekly] returns noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[monthly] returns noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[forever] returns noop rlm_checkval: Could not find item named Calling-Station-Id in request rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs ++[checkval] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = LDAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group LDAP {...} [ldap] login attempt by "addressbook" with password "ppp123PPP" [ldap] user DN: CN=addressbook,CN=Users,DC=p,DC=t [ldap] (re)connect to server.p.t:389, authentication 1 [ldap] bind as CN=addressbook,CN=Users,DC=p,DC=t/ppp123PPP to server.p.t:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] user addressbook authenticated succesfully ++[ldap] returns ok Login OK: [addressbook] (from client admin port 1) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 172 to 10.8.0.1 port 63417 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 172 with timestamp +5 Ready to process requests.Now I'm trying to get ktutil work, but not sure if really needed it.
-
ok, first I want show you that PAP working for me:
first question:
radtest -t pap addressbook ppp123PPP 10.8.0.1 1 ppp123PPP Sending Access-Request of id 172 to 10.8.0.1 port 1812 User-Name = "addressbook" User-Password = "ppp123PPP" NAS-IP-Address = 10.8.0.1 NAS-Port = 1 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host 10.8.0.1 port 1812, id=172, length=20Now on radiusd -X side:
Ready to process requests. rad_recv: Access-Request packet from host 10.8.0.1 port 63417, id=172, length=81 User-Name = "addressbook" User-Password = "ppp123PPP" NAS-IP-Address = 10.8.0.1 NAS-Port = 1 Message-Authenticator = 0x84a2dbf3faa9c1eed0e6b541fe4773bb # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "addressbook", skipping NULL due to config. ++[suffix] returns noop [ntdomain] No '\' in User-Name = "addressbook", skipping NULL due to config. ++[ntdomain] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [ldap] performing user authorization for addressbook [ldap] expand: (sAMAccountName=%{mschap:User-Name}) -> (sAMAccountName=addressbook) [ldap] expand: cn=Users,dc=p,dc=t -> cn=Users,dc=p,dc=t [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to server.p.t:389, authentication 0 [ldap] bind as cn=addressbook,cn=Users,dc=p,dc=t/ppp123PPP to server.p.t:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in cn=Users,dc=p,dc=t, with filter (sAMAccountName=addressbook) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] Setting Auth-Type = LDAP [ldap] user addressbook authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[daily] returns noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[weekly] returns noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[monthly] returns noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[forever] returns noop rlm_checkval: Could not find item named Calling-Station-Id in request rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs ++[checkval] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = LDAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group LDAP {...} [ldap] login attempt by "addressbook" with password "ppp123PPP" [ldap] user DN: CN=addressbook,CN=Users,DC=p,DC=t [ldap] (re)connect to server.p.t:389, authentication 1 [ldap] bind as CN=addressbook,CN=Users,DC=p,DC=t/ppp123PPP to server.p.t:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] user addressbook authenticated succesfully ++[ldap] returns ok Login OK: [addressbook] (from client admin port 1) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 172 to 10.8.0.1 port 63417 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 172 with timestamp +5 Ready to process requests.Now I'm trying to get ktutil work, but not sure if really needed it.
Looks good as far as I can see that.
It is ok that there are some warnings and some other auth-types which fail but this is the order of the auth-type modules.
And the output shows that the user gets authenticated with auth-type ldap. :)Not sure for what we need ktutil !?!
Perhaps you can write a little how-to how you configured that, whats your domain name, what you entered on AD and so on. It would help me and others. Did you have to edit some other files by hand ? If yes then tell me what and I will try to implement that into GUI if needed!
So far thank you very much for taking time and testing this - testing my package and functionalities I could not test at the moment! I really appreciate your help! :)
-
of course I will write about this soon, but this is not what we want to accomplish.
why?
PAP in Windows 7 is disabled by group policy and I agree with MS in that, because sending password in plain text via WiFi would be irresponsibleI need ktutil because that util is used in how to from link you gave ;)
-
so trully it is not so much to do:
1. Edit /usr/local/etc/raddb/sites-enabled/default
in authorize section (I'm not sure if it wasn't like this originally):
- comment unix line #
- uncomment line ntdomain
- uncomment ldap line
- uncomment or add pap line
in authenticate section:
- add or uncomment
Auth-Type PAP { pap }in preacct section:
- uncomment ntdomain line
post-auth section:
- comment ldap section
===========================
in radiusd.conf add in the end of file:
$INCLUDE policy.conf
$INCLUDE sites-enabled/
===========================
modules/ldap looks like this:
ldap { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "server.p.t" identity = "cn=freeradiususer,cn=Users,dc=p,dc=t" password = ppp123PPP basedn = "cn=Users,dc=p,dc=t" filter = "(sAMAccountName=%{mschap:User-Name})" #base_filter = "(objectclass=radiusprofile)"I think that's it.
Now I'm trying to understand what we need to get MSCHAP working!
-
so trully it is not so much to do:
1. Edit /usr/local/etc/raddb/sites-enabled/default
in authorize section (I'm not sure if it wasn't like this originally):
- comment unix line #
- uncomment line ntdomain
- uncomment ldap line
- uncomment or add pap line
This is the default if you install freeradius2 package. I did all these changes. Unis line is commented by default. I configured ntdomain as you need it here. LDAP line will be commented or uncommented if we enable/disable it on LDAP GUI (authorization).
in authenticate section:
- add or uncomment
Auth-Type PAP { pap }This is default. If we do not need LDAP in authentication than we can enable/disable this from LDAP GUI. PAP is there by default.
in preacct section:
- uncomment ntdomain line
I did that in the past and it is default after package installation.
post-auth section:
- comment ldap section
Is by default commented. We do not have any option to change that from GUI.
===========================
in radiusd.conf add in the end of file:
$INCLUDE policy.conf
$INCLUDE sites-enabled/This is by default.
modules/ldap looks like this:
ldap { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "server.p.t" identity = "cn=freeradiususer,cn=Users,dc=p,dc=t" password = ppp123PPP basedn = "cn=Users,dc=p,dc=t" filter = "(sAMAccountName=%{mschap:User-Name})" #base_filter = "(objectclass=radiusprofile)"I added the commented lines to the GUI. So they are now UNcommented. Not sure if the default entries are ok or not.
But I think we can change this when we need to. When you telling me this :DI think that's it.
Now I'm trying to understand what we need to get MSCHAP working!
Great! :-)
-
What's the advantage of enabling SQL server? Because I don't see it on pfSense documentation.
-
Hi Nachtfalke,
I just tested with Captive Portal + FreeRadius + MySQL for a Hotspot site.
Basically it's now working here, I can login through CP and see the login information in MySQL.
There are still two options that I can't work it around.
1. per-user bandwidth restriction
This option is available in CP. But it's a global setting which means it will effect all clients with same setting.
I think there should have the same settings according to account? Does FreeRadius support it yet?2. RADIUS MAC authentication
I tested this function, it doesn't work. I always get the login page even I added the MAC in FreeRadius.
With the same setting, pass-through MACs in CP does work properly. Once I add the MAC, it works immediately.Thanks for your patient.