Netgate Discussion Forum

    FreeRadius2 With TLS

gerby123

Running the latest version of the FreeRADIUS2 package with LDAP to a Samba AD environment with TLS enabled. The STARTTLS is created successfully and the initial bind appears to proceed normally; however, the second bind is then sent in the clear outside the TLS tunnel and Samba rejects it.

Mon Jun  5 11:51:15 2017 : Debug:   [ldap] setting TLS CACert File to /usr/local/etc/raddb/certs/ca_ldap1_cert.pem
Mon Jun  5 11:51:15 2017 : Debug:   [ldap] setting TLS CACert Directory to /usr/local/etc/raddb/certs/
Mon Jun  5 11:51:15 2017 : Debug:   [ldap] setting TLS Require Cert to demand
Mon Jun  5 11:51:15 2017 : Debug:   [ldap] setting TLS Cert File to /usr/local/etc/raddb/certs/radius_ldap1_cert.crt
Mon Jun  5 11:51:15 2017 : Debug:   [ldap] setting TLS Key File to /usr/local/etc/raddb/certs/radius_ldap1_cert.key
Mon Jun  5 11:51:15 2017 : Debug:   [ldap] setting TLS Rand File to /usr/local/etc/raddb/certs/random
Mon Jun  5 11:51:15 2017 : Debug:   [ldap] starting TLS
Mon Jun  5 11:51:15 2017 : Debug:   [ldap] bind as cn=ldap,cn=users,dc=corp,dc=contoso,dc=com/[REDACTED] to hypnotoad.corp.contoso.com:389
Mon Jun  5 11:51:15 2017 : Debug:   [ldap] waiting for bind result ...
Mon Jun  5 11:51:15 2017 : Debug:   [ldap] Bind was successful
Mon Jun  5 11:51:15 2017 : Debug:   [ldap] performing search in dc=corp,dc=contoso,dc=com, with filter (userPrincipalName=test@corp.contoso.com)
Mon Jun  5 11:51:15 2017 : Debug:   [ldap] rebind to URL ldap://corp.contoso.com/CN=Configuration,DC=corp,DC=contoso,DC=com
Mon Jun  5 11:51:19 2017 : Error:   [ldap] ldap_search() failed: Timed out while waiting for server to respond. Please increase the timeout.
Mon Jun  5 11:51:19 2017 : Info: [ldap] search failed

Rebind in the clear fails. PCAP can be provided. Given that freeRADIUS2 has been given an expiration date in freshports, it may be worth migrating pfSense to the newer freeRADIUS3 package.

gerby123
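The sequence in the post above (STARTTLS negotiated, bind succeeds, the search is answered with a referral, and rlm_ldap rebinds to a plain ldap:// URL with no further "starting TLS" line) can be picked out of the rlm_ldap debug output mechanically. The following is an added example, not code from the thread or from the FreeRADIUS project; it assumes only the line layout shown in the debug output above, and its sample input is the poster's own log lines trimmed to the ones the check reads.

```python
import re
from urllib.parse import urlsplit

# Sample input: the rlm_ldap debug lines quoted in the post above, trimmed to
# the ones this check reads. Only the ordering and wording of these lines is
# relied upon; nothing else about the deployment is assumed.
SAMPLE_LOG = """\
Mon Jun  5 11:51:15 2017 : Debug:   [ldap] setting TLS Require Cert to demand
Mon Jun  5 11:51:15 2017 : Debug:   [ldap] starting TLS
Mon Jun  5 11:51:15 2017 : Debug:   [ldap] bind as cn=ldap,cn=users,dc=corp,dc=contoso,dc=com/[REDACTED] to hypnotoad.corp.contoso.com:389
Mon Jun  5 11:51:15 2017 : Debug:   [ldap] waiting for bind result ...
Mon Jun  5 11:51:15 2017 : Debug:   [ldap] Bind was successful
Mon Jun  5 11:51:15 2017 : Debug:   [ldap] performing search in dc=corp,dc=contoso,dc=com, with filter (userPrincipalName=test@corp.contoso.com)
Mon Jun  5 11:51:15 2017 : Debug:   [ldap] rebind to URL ldap://corp.contoso.com/CN=Configuration,DC=corp,DC=contoso,DC=com
Mon Jun  5 11:51:19 2017 : Error:   [ldap] ldap_search() failed: Timed out while waiting for server to respond. Please increase the timeout.
Mon Jun  5 11:51:19 2017 : Info: [ldap] search failed
"""

# Layout of one line: "<timestamp> : <Level>:   [ldap] <message>"
LINE_RE = re.compile(r"^(?P<ts>.+?) : (?P<level>\w+):\s+\[ldap\] (?P<msg>.*)$")
REBIND_RE = re.compile(r"^rebind to URL (?P<url>\S+)")


def parse_ldap_events(text):
    """Return a list of (timestamp, level, message) for every [ldap] line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group("ts"), m.group("level"), m.group("msg")))
    return events


def find_cleartext_rebinds(text):
    """Flag referral rebinds that appear to leave the STARTTLS-protected session.

    A finding is marked 'suspect' when all three hold:
      * 'starting TLS' was logged for the original connection,
      * the referral URL uses the plain ldap:// scheme rather than ldaps://, and
      * no further 'starting TLS' line follows the rebind, i.e. the module
        logged nothing that suggests it upgraded the new connection.
    The log alone cannot prove the bytes went out in the clear; that needs a
    packet capture, as the poster notes. This check only tells you where to look.
    """
    events = parse_ldap_events(text)
    findings = []
    tls_on_original = False
    for i, (ts, _level, msg) in enumerate(events):
        if msg == "starting TLS":
            tls_on_original = True
            continue
        m = REBIND_RE.match(msg)
        if not m:
            continue
        url = m.group("url")
        scheme = urlsplit(url).scheme.lower()
        # Any 'starting TLS' after the rebind would indicate an upgrade attempt
        # on the referred connection; its absence is what makes this suspect.
        upgraded_later = any(e[2] == "starting TLS" for e in events[i + 1:])
        findings.append({
            "time": ts,
            "url": url,
            "scheme": scheme,
            "suspect": tls_on_original and scheme == "ldap" and not upgraded_later,
        })
    return findings


if __name__ == "__main__":
    for f in find_cleartext_rebinds(SAMPLE_LOG):
        status = "CLEARTEXT REBIND?" if f["suspect"] else "ok"
        print(f"{f['time']}  {status}  {f['url']}")
```

Run against a full `radiusd -X` transcript the function reports each referral rebind with the scheme it used; an ldaps:// referral or a later "starting TLS" line clears the finding. Separately from anything the thread states, the stock FreeRADIUS 2 rlm_ldap configuration carries `chase_referrals` and `rebind` options that decide whether referrals are followed at all, which is the first setting worth checking when a finding like the one above appears.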

        I suppose this would be better posted to a FreeRADIUS board; I'll experiment with FreeRADIUS 3 as well to see if rebinds are done within the existing TLS session as I would expect or if they are attempted in the clear.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.