Problème serveur Radius et connexion LDAP

clemkam

Bonjour,

Tout d'abord merci pour la réponse :)

Pour l'IP publique c'est l'habitude des TPs ^^, mais bon l'important c'est le masque.

Pour le REALM je croyais que c'était uniquement avec Kerberos et j'ai vu nul part ou le spécifier dans freeradius2.

J'ai regardé les connexion sur mon AD, quand je fait la demande de connexion, celui-ci est bien intérrogé..

Est-il possible que le pare-feu bloque la réponse ? Etant donné que je n'ai aucune règle côté WAN.

J'ai éssayé avec un RADIUS externe, un NAS Synology, l'authentification fonctionne.

Avec freeradius2 je n'ai pas réussi à me connecter une seul fois, avec les users de l'AD.

Merci encore de m'aider,

Cordialement.

Florian22

POUVEZ VOUS s'il vous plait identifier clairement ce qui va et ne va pas.

je n'ai toujours pas compris quels types d'annuaires fonctionnent et quels ne fonctionnent pas avec ce proxy radius (fonctionne totalement pas)

oui, merci de nous fournir la topologie entre l'ad et le LAN en passant par le proxy radius.

et d envoyer vos rules

–

concernant l'ip, c'est inexcusable, TP ou pas TP, vous allez arriver dans le métier, et je suis désolé, mais même si derriere un NAT ca fonctionne, c'est totalement dégueulasse d'assigner a des postes internes des IP publiques.

et encore, il doit bien y avoir des cas ou ca cree des conflits... DNS... par ex.

c'est la base pour vous qui allez entrer dans le metier dans moins de 24 mois, de savoir dès le premier mois de cours, que les Ip locales sont 192.198, 10.10 et 172...

--

concernant le realm, OUI je vous confirme bien qu'un username AD se compose d'un username, d une arobase, d'un domaine
avez vous essayé de fournir a radius l'username sous la forme user@domain ?

sous windows vous vous identifiez même parfois sous forme \domaine\user

si vous ne le faites pas, c est que l'admin a prévu le coup et a mis un realm, le suppliquant d'authentification connait le royaume. il va interroger 'user" du royaume "domaine"

voila

Florian22

et passez par la commande radiusd -X quand vous faites vos radtests.

le serveur radius est tres verbeux, il décrit de lui même tout ce quil fait, et ne fait pas, ou ne veut pas faire.

vous pourrez peut etre tres bien voir une requete partir de radius, et la réponse ne vient jamais > reseau

ou voir une requete et une reponse > qui pourrait expliquer le refus

ou voir une requete malformée

ou voir autre chose

clemkam

Ce qui fonctionne :

Authentifiaction avec user de l'AD via radius externe –> NAS dans le domaine.

AD -- NAS (radius) --WAN--|pfsense|-- LAN -- Client

Athentification avec user local au radius de pfsense

WAN --|Pfsense (radius)|-- LAN -- Client

Ce qui ne fonctionne pas :

Authentification avec user de l'AD via pfsense en serveur Radius.

AD --WAN--|pfsense (Radius)|-- LAN -- Client

Règles du parefeu :
WAN : Aucune
LAN :

- - LAN Address 80 * * Anti-Lockout Rule
    22

IPv4 * LAN net * * * * none Default allow LAN to any rule

IPv6 * LAN net * * * * none Default allow LAN IPv6 to any rule

(Je n'ai pas touché au règles par défaut)

Je viens d'essayer de me connecter avec les logins suivant :
domain\login
login@domain

Le résultat est le même.

Maintenant concernant les classes d'ip, oui je les connais.
Mais je pense que vous ne devrier pas rencontrer les admins réseaux de l'iut d'Annecy tout l'adressage est en 10.x.x.x... ^^

Merci de prendre du temps pour m'aider.
Cordialement.

Florian22

adresser en 10.10 est normal

adresser en 11 ….. c'est autre chose

est il possible d avoir des captures de ces rules?

merci d avoir un copié collé du debug radius avec une tentative locale et une tentative ad

merci de me les separer, vous demarrez en debug, vous faites vous stoppez, vous copiez, vous le refaites..

car ca va bien faire une 100e de lignes pour chaque, ne me les melangez pas.

clemkam

Bonjour,

Pour les rules j'ai lié une capture au post.

Ensuite par rapport à la commande radiusd -X, je n'ai pas compris son utilisation par rapport aux tentative local ou ad.

Ayant regardé la manpage de cet commande je ne vois pas comment spécifier ces tests car elle diffère de la commande radtest qui demande un login/mdp.

Après la commande radiusd -X me retourne ces lignes la :

[2.1.5-RELEASE][admin@portailcaptif.domain.local]/root(4): radiusd -X
radiusd: FreeRADIUS Version 2.2.5, for host i386-portbld-freebsd8.3, built on Sep 29 2014 at 22:08:50
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files …
including configuration file /usr/pbi/freeradius-i386/etc/raddb/radiusd.conf
including configuration file /usr/pbi/freeradius-i386/etc/raddb/clients.conf
including files in directory /usr/pbi/freeradius-i386/etc/raddb/modules/
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/wimax
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/always
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/attr_rewrite
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/cache
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/chap
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/checkval
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/counter
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/cui
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/detail
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/detail.example.com
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/detail.log
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/dhcp_sqlippool
including configuration file /usr/pbi/freeradius-i386/etc/raddb/sql/mysql/ippool-dhcp.conf
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/digest
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/dynamic_clients
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/echo
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/etc_group
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/exec
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/expiration
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/expr
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/files
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/inner-eap
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/ippool
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/krb5
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/ldap
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/linelog
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/otp
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/logintime
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/mac2ip
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/mac2vlan
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/mschap
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/ntlm_auth
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/opendirectory
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/pam
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/pap
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/passwd
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/perl
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/policy
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/preprocess
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/radrelay
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/radutmp
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/realm
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/redis
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/rediswho
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/replicate
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/smbpasswd
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/smsotp
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/soh
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/sql_log
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/sradutmp
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/unix
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/acct_unique
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/motp
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct
including configuration file /usr/pbi/freeradius-i386/etc/raddb/eap.conf
including configuration file /usr/pbi/freeradius-i386/etc/raddb/policy.conf
including files in directory /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/
including configuration file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default
main {
allow_core_dumps = no
}
including dictionary file /usr/pbi/freeradius-i386/etc/raddb/dictionary
main {
name = "radiusd"
prefix = "/usr/pbi/freeradius-i386"
localstatedir = "/var"
sbindir = "/usr/pbi/freeradius-i386/sbin"
logdir = "/var/log"
run_dir = "/var/run"
radacctdir = "/var/log/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd.pid"
checkrad = "/usr/pbi/freeradius-i386/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
msg_badpass = ""
msg_goodpass = ""
}
security {
max_attributes = 200
reject_delay = 1
status_server = no
allow_vulnerable_openssl = no
}
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
client portailcaptif {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "123456789"
shortname = "portailcaptif"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /usr/pbi/freeradius-i386/etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /usr/pbi/freeradius-i386/etc/raddb/modules/expr
Module: Linked to module rlm_counter
Module: Instantiating module "daily" from file /usr/pbi/freeradius-i386/etc/raddb/modules/counter
counter daily {
filename = "/var/log/radacct/timecounter/db.daily"
key = "User-Name"
reset = "daily"
count-attribute = "Acct-Session-Time"
counter-name = "Daily-Session-Time"
check-name = "Max-Daily-Session"
reply-name = "Session-Timeout"
cache-size = 5000
}
rlm_counter: Counter attribute Daily-Session-Time is number 11273
rlm_counter: Current Time: 1423124940 [2015-02-05 09:29:00], Next reset 1423177200 [2015-02-06 00:00:00]
Module: Instantiating module "weekly" from file /usr/pbi/freeradius-i386/etc/raddb/modules/counter
counter weekly {
filename = "/var/log/radacct/timecounter/db.weekly"
key = "User-Name"
reset = "weekly"
count-attribute = "Acct-Session-Time"
counter-name = "Weekly-Session-Time"
check-name = "Max-Weekly-Session"
reply-name = "Session-Timeout"
cache-size = 5000
}
rlm_counter: Counter attribute Weekly-Session-Time is number 11275
rlm_counter: Current Time: 1423124940 [2015-02-05 09:29:00], Next reset 1423350000 [2015-02-08 00:00:00]
Module: Instantiating module "monthly" from file /usr/pbi/freeradius-i386/etc/raddb/modules/counter
counter monthly {
filename = "/var/log/radacct/timecounter/db.monthly"
key = "User-Name"
reset = "monthly"
count-attribute = "Acct-Session-Time"
counter-name = "Monthly-Session-Time"
check-name = "Max-Monthly-Session"
reply-name = "Session-Timeout"
cache-size = 5000
}
rlm_counter: Counter attribute Monthly-Session-Time is number 11277
rlm_counter: Current Time: 1423124940 [2015-02-05 09:29:00], Next reset 1425164400 [2015-03-01 00:00:00]
Module: Instantiating module "forever" from file /usr/pbi/freeradius-i386/etc/raddb/modules/counter
counter forever {
filename = "/var/log/radacct/timecounter/db.forever"
key = "User-Name"
reset = "never"
count-attribute = "Acct-Session-Time"
counter-name = "Forever-Session-Time"
check-name = "Max-Forever-Session"
reply-name = "Session-Timeout"
cache-size = 5000
}
rlm_counter: Counter attribute Forever-Session-Time is number 11279
rlm_counter: Current Time: 1423124940 [2015-02-05 09:29:00], Next reset 0 [2015-02-05 09:00:00]
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file /usr/pbi/freeradius-i386/etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file /usr/pbi/freeradius-i386/etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file ?▒?(▒▒0(rlm_logintime
modules {
Module: Creating Auth-Type = MOTP
Module: Creating Auth-Type = digest
Module: Creating Auth-Type = LDAP
Module: Creating Autz-Type = Status-Server
Module: Creating Acct-Type = Status-Server
Module: Creating Post-Auth-Type = REJECT
Module: Checking authenticate {…} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /usr/pbi/freeradius-i386/etc/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /usr/pbi/freeradius-i386/etc/raddb/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /usr/pbi/freeradius-i386/etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
allow_retry = yes
}
Module: Instantiating module "motp" from file /usr/pbi/freeradius-i386/etc/raddb/modules/motp
exec motp {
wait = yes
program = " /usr/pbi/freeradius-i386/etc/raddb/scripts/otpverify.sh %{request:User-Name} %{request:User-Password} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{reply:MOTP-Offset}"
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file /usr/pbi/freeradius-i386/etc/raddb/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /usr/pbi/freeradius-i386/etc/raddb/modules/unix
unix {
radwtmp = "/var/log/radwtmp"
}
Module: Linked to module rlm_ldap
Module: Instantiating module "ldap" from file /usr/pbi/freeradius-i386/etc/raddb/modules/ldap
ldap {
server = "xxx.xxx.x.x"
port = 389
password = "mdpadmin"
expect_password = yes
identity = "cn=administrateur,cn=Users,dc=domaine,dc=local"
net_timeout = 1
timeout = 4
timelimit = 3
max_uses = 0
tls_mode = no
start_tls = no
tls_require_cert = "allow"
tls {
start_tls = no
cacertfile = "/usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem"
cacertdir = "/usr/pbi/freeradius-i386/etc/raddb/certs/"
certfile = "/usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt"
keyfile = "/usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key"
randfile = "/usr/pbi/freeradius-i386/etc/raddb/certs/random"
require_cert = "never"
}
basedn = "dc=domaine,dc=local"
filter = "(samaccountname=%{User-Name})"
base_filter = "(objectclass=radiusprofile)"
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
dictionary_mapping = "/usr/pbi/freeradius-i386/etc/raddb/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
set_auth_type = yes
keepalive {
idle = 60
probes = 3
interval = 3
}
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /usr/pbi/freeradius-i386/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 0x285163c0
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /usr/pbi/freeradius-i386/etc/raddb/eap.conf
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/usr/pbi/freeradius-i386/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/pbi/freeradius-i386/etc/raddb/certs/server.pem"
certificate_file = "/usr/pbi/freeradius-i386/etc/raddb/certs/server.pem"
CA_file = "/usr/pbi/freeradius-i386/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/usr/pbi/freeradius-i386/etc/raddb/certs/dh"
random_file = "/usr/pbi/freeradius-i386/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = no
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /usr/pbi/freeradius-i386/etc/raddb/modules/preprocess
preprocess {
huntgroups = "/usr/pbi/freeradius-i386/etc/raddb/huntgroups"
hints = "/usr/pbi/freeradius-i386/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/huntgroups
reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/hints
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /usr/pbi/freeradius-i386/etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = yes
}
Module: Instantiating module "ntdomain" from file /usr/pbi/freeradius-i386/etc/raddb/modules/realm
realm ntdomain {
format = "prefix"
delimiter = ""
ignore_default = no
ignore_null = yes
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /usr/pbi/freeradius-i386/etc/raddb/modules/files
files {
usersfile = "/usr/pbi/freeradius-i386/etc/raddb/users"
acctusersfile = "/usr/pbi/freeradius-i386/etc/raddb/acct_users"
preproxy_usersfile = "/usr/pbi/freeradius-i386/etc/raddb/preproxy_users"
compat = "no"
}
reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/users
reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/acct_users
reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/preproxy_users
Module: Linked to module rlm_checkval
Module: Instantiating module "checkval" from file /usr/pbi/freeradius-i386/etc/raddb/modules/checkval
checkval {
item-name = "Calling-Station-Id"
check-name = "Calling-Station-Id"
data-type = "string"
notfound-reject = no
}
rlm_checkval: Registered name Calling-Station-Id for attribute 31
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /usr/pbi/freeradius-i386/etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /usr/pbi/freeradius-i386/etc/raddb/modules/detail
detail {
detailfile = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating module "datacounterdaily" from file /usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct
exec datacounterdaily {
wait = yes
program = "/bin/sh /usr/pbi/freeradius-i386/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} daily %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
input_pairs = "request"
shell_escape = yes
}
Module: Instantiating module "datacounterweekly" from file /usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct
exec datacounterweekly {
wait = yes
program = "/bin/sh /usr/pbi/freeradius-i386/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} weekly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
input_pairs = "request"
shell_escape = yes
}
Module: Instantiating module "datacountermonthly" from file /usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct
exec datacountermonthly {
wait = yes
program = "/bin/sh /usr/pbi/freeradius-i386/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} monthly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
input_pairs = "request"
shell_escape = yes
}
Module: Instantiating module "datacounterforever" from file /usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct
exec datacounterforever {
wait = yes
program = "/bin/sh /usr/pbi/freeradius-i386/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} forever %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /usr/pbi/freeradius-i386/etc/raddb/modules/radutmp
radutmp {
filename = "/var/log/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file /usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/usr/pbi/freeradius-i386/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/attrs.accounting_response
Module: Checking session {...} for more modules to load
Module: Checking pre-proxy {...} for more modules to load
Module: Instantiating module "attr_filter.pre-proxy" from file /usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter
attr_filter attr_filter.pre-proxy {
attrsfile = "/usr/pbi/freeradius-i386/etc/raddb/attrs.pre-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/attrs.pre-proxy
Module: Checking post-proxy {...} for more modules to load
Module: Instantiating module "attr_filter.post-proxy" from file /usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter
attr_filter attr_filter.post-proxy {
attrsfile = "/usr/pbi/freeradius-i386/etc/raddb/attrs"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/attrs
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file /usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/usr/pbi/freeradius-i386/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/attrs.access_reject
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 1812
Failed binding to authentication address 127.0.0.1 port 1812: Address already in use
/usr/pbi/freeradius-i386/etc/raddb/radiusd.conf[36]: Error binding to port for 127.0.0.1 port 1812

Je ne comprend pas le message de la fin sur l'adresse de loopback et le port 1812.

Est-ce à cause de l'utilisation de celle-ci dans l'onglet "NAS/Clients" et "Interfaces" de freeradius ?

Cordialement,

rulespfsense.png_thumb

Florian22

la commande radius x permet de demarrer le serveur en mode debug

il vous faut l arretter avant

et constater la présence a la fin de la mention READY TO SERVE REQUESTS

or la ya un failed car vous ne l avez pas stoppé avant

par ailleurs la commande liste la config

assurez vous bien que tout ce qui suit est conforme ad aura besoin peut etre d une connexion securisée..

par ailleurs, je trouve vos timeouts bien faibles.

stoppez radius, lancez le en X, faites les deux tests, et on verra d'abord si il nous parle

par ailleurs je trouve vos timeouts peut etre un peu serrés
on verra
d abord les tests

Module: Instantiating module "ldap" from file /usr/pbi/freeradius-i386/etc/raddb/modules/ldap
ldap {
server = "xxx.xxx.x.x"
port = 389
password = "mdpadmin"
expect_password = yes
identity = "cn=administrateur,cn=Users,dc=domaine,dc=local"
net_timeout = 1
timeout = 4
timelimit = 3
max_uses = 0
tls_mode = no
start_tls = no
tls_require_cert = "allow"
tls {
start_tls = no
cacertfile = "/usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem"
cacertdir = "/usr/pbi/freeradius-i386/etc/raddb/certs/"
certfile = "/usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt"
keyfile = "/usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key"
randfile = "/usr/pbi/freeradius-i386/etc/raddb/certs/random"
require_cert = "never"
}
basedn = "dc=domaine,dc=local"
filter = "(samaccountname=%{User-Name})"
base_filter = "(objectclass=radiusprofile)"
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
dictionary_mapping = "/usr/pbi/freeradius-i386/etc/raddb/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
set_auth_type = yes
keepalive {
idle = 60
probes = 3
interval = 3
}
}

clemkam

Les timeout sont ceux par défaut, il fautdrait que je les monte ?

Pour la connexion sur user de l'AD :

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 38541, id=35, length=18 9
NAS-IP-Address = 11.0.0.1
NAS-Identifier = "portailcaptif.domain.local"
User-Name = "user"
MS-CHAP-Response = 0x010100000000000000000000000000000000000000000000000 048cb88194dfcacd9dfb52cc768f4186b7c9839344f3ba926
MS-CHAP-Challenge = 0xc4776b5b15bcf670
Service-Type = Login-User
NAS-Port-Type = Ethernet
NAS-Port = 2002
Framed-IP-Address = 11.0.0.14
Called-Station-Id = "11.0.0.1"
Calling-Station-Id = "08:00:27:60:eb:f9"

Executing section authorize from file /usr/pbi/freeradius-i386/etc/raddb/sites -enabled/default

+group authorize {
++[preprocess] = ok
++[chap] = noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] = ok
++[digest] = noop
[suffix] No '@' in User-Name = "user", skipping NULL due to config.
++[suffix] = noop
[ntdomain] No '' in User-Name = "user", skipping NULL due to config.
++[ntdomain] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
++[files] = noop
++policy redundant {
[ldap] performing user authorization for user
[ldap] expand: (samaccountname=%{User-Name}) -> (samaccountname=user)
[ldap] expand: dc=domaine,dc=local -> dc=domaine,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to xxx.xxx.xxx.xxx:389, authentication 0
[ldap] setting TLS CACert File to /usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem
[ldap] setting TLS CACert Directory to /usr/pbi/freeradius-i386/etc/raddb/certs/
[ldap] setting TLS Require Cert to never
[ldap] setting TLS Cert File to /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt
[ldap] setting TLS Key File to /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key
[ldap] setting TLS Rand File to /usr/pbi/freeradius-i386/etc/raddb/certs/random
[ldap] bind as cn=administrateur,cn=Users,dc=domaine,dc=local/mdp to xxx.xxx.xxx.xxx:389
[ldap] waiting for bind result …
[ldap] Bind was successful
[ldap] performing search in dc=domain,dc=local, with filter (samaccountname=user)
[ldap] looking for check items in directory…
[ldap] looking for reply items in directory…
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] ldap_release_conn: Release Id: 0
+++[ldap] = ok
++} # policy redundant = ok
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[daily] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[weekly] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[monthly] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[forever] = noop
rlm_checkval: Item Name: Calling-Station-Id, Value: 08:00:27:60:eb:f9
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
++[checkval] = notfound
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = MSCHAP

Executing group from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default

+group MS-CHAP {
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Client is using MS-CHAPv1 with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] MS-CHAP-Response is incorrect.
++[mschap] = reject
+} # group MS-CHAP = reject
Failed to authenticate the user.
expand: ->
Login incorrect: [user] (from client portailcaptif port 2002 cli 08:00:27:60:eb:f9)
Using Post-Auth-Type REJECT

Executing group from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default

+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> user
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 35 to 127.0.0.1 port 38541
MS-CHAP-Error = "\001E=691 R=1"
Waking up in 4.9 seconds.
Cleaning up request 0 ID 35 with timestamp +56
Ready to process requests.

Via un user local :
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 23631, id=54, length=185
NAS-IP-Address = 11.0.0.1
NAS-Identifier = "portailcaptif.domaine.local"
User-Name = "test"
MS-CHAP-Response = 0x01010000000000000000000000000000000000000000000000002ad43226d807038c818e3a5eda2499074a5e2930e8086819
MS-CHAP-Challenge = 0xfcd914bbee9227bf
Service-Type = Login-User
NAS-Port-Type = Ethernet
NAS-Port = 2002
Framed-IP-Address = 11.0.0.14
Called-Station-Id = "11.0.0.1"
Calling-Station-Id = "08:00:27:60:eb:f9"

Executing section authorize from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default

+group authorize {
++[preprocess] = ok
++[chap] = noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] = ok
++[digest] = noop
[suffix] No '@' in User-Name = "test", skipping NULL due to config.
++[suffix] = noop
[ntdomain] No '' in User-Name = "test", skipping NULL due to config.
++[ntdomain] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry test at line 2
++[files] = ok
++policy redundant {
[ldap] performing user authorization for test
[ldap] expand: (samaccountname=%{User-Name}) -> (samaccountname=test)
[ldap] expand: dc=domain,dc=local -> dc=domain,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=domain,dc=local, with filter (samaccountname=test)
[ldap] looking for check items in directory…
[ldap] looking for reply items in directory…
[ldap] ldap_release_conn: Release Id: 0
+++[ldap] = ok
++} # policy redundant = ok
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[daily] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[weekly] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[monthly] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[forever] = noop
rlm_checkval: Item Name: Calling-Station-Id, Value: 08:00:27:60:eb:f9
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
++[checkval] = notfound
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = MSCHAP

Executing group from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default

+group MS-CHAP {
[mschap] Client is using MS-CHAPv1 with NT-Password
[mschap] adding MS-CHAPv1 MPPE keys
++[mschap] = ok
+} # group MS-CHAP = ok
expand: ->
Login OK: [test] (from client portailcaptif port 2002 cli 08:00:27:60:eb:f9)

Executing section post-auth from file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default

+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 54 to 127.0.0.1 port 23631
MS-CHAP-MPPE-Keys = 0x01fc5a6be7bc69292066656e05c22f3a995ad9ecfed913d60000000000000000
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 54 with timestamp +385
Ready to process requests.

Je vois qu'il me parle du mot de passe, mais j'utilise ce compte tous les jours et je suis certain du mot de passe. De plus avec d'autre compte cela ne fonctionne pas.
Peut être est-ce à cause du cryptage ?

Cordialement.

clemkam

Ok, j'ai trouvé pourquoi ça ne marchait pas,

Merci Florian22 de m'avoir mis sur la voie.

Grâce au log du radius j'ai vu que le cryptage attendu était le PAP, j'avais sélection le MSCHAPv2.

Juste une dernière question, est-il préférable d'utiliser le PAP ou le MSCHAPv2 ?

Et s'il faut utiliser le MSCHAPv2, comment forcer le radius à l'utiliser ?

Cordialement.

Florian22

je vous invite quand même a garder les timeouts quelque part dans votre tete.
il est possible que vous ayez des "erreurs inopinées" a l avenir, a cause de ces timeouts qui ne vont pas laisser le temps a AD et au transport réseau.

si l'AD est distant.. d'autant plus

concernant la reste :

tout dépend, PAP les messages sont en clair

1/ vous n utilisez pas le socket securisé de l'AD (pas bon)

2/ vous pouvez tres bien laisser en clair, des lors que sur pf un VPN part vers l'AD (vpn dédié a cela), il vous suffit alors de dire a pfsense via une rule "si tu dialogues avec ad, tu passes par le vpn"

dans ce cas vous vous en foutez d'utiliser le port non secure de ad, et d'avoir les msg en clair entre ad et pf

vu que vous avez le vpn qui est une securité physique.

de toutes manière, les messages radius ne sont pas censés transiter hors vpn.

en effet contrairement a diameter, radius ne fait que faire de l'udp en clair. (il a été concu pour les dialups telephoniques a la base..) d'ou le choix d'udp
et d'ou sa securité relaative.

apres concernant les fichiers de conf de radius, il vous faudrait plus vous rapprocher des forums de freeradius..

Florian22

ca c'est clairement un refus en provenance de AD

[ldap] performing search in dc=domain,dc=local, with filter (samaccountname=user)
[ldap] looking for check items in directory…
[ldap] looking for reply items in directory…
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] ldap_release_conn: Release Id: 0
+++[ldap] = ok

et voila la raison

+group MS-CHAP {
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Client is using MS-CHAPv1 with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] MS-CHAP-Response is incorrect.
++[mschap] = reject
+} # group MS-CHAP = reject
Failed to authenticate the user.
expand: ->

vous devez donc soit:

adapter la config CP à AD

ou adapter la conf AD au CP

c'est a vous de voir
mais les deux doivent etre synchro sur les dialogues

clemkam

D'accord,

Je vous remercis en tout cas de l'aide que vous m'avez apporté.

Cordialement.