Authentication problems [FREERADIUS2 + LDAP + CP]
-
Hello,
I installed FreeRADIUS2 and configured authentication via LDAP following the pfSense manual and another tutorial it points to (1 and 2).
However, when I test authentication on the captive portal, it returns invalid credentials. I left a terminal running radiusd -X to capture the full log of the request.
rad_recv: Access-Request packet from host 10.109.10.10 port 46503, id=68, length=192
	NAS-IP-Address = 10.109.10.10
	NAS-Identifier = "labfw.ifto.local"
	User-Name = "1822505"
	MS-CHAP2-Response = 0x010142f01b76420662af5ff05f3056315ff500000000000000001147f4763946d23c64713322ef9b309405d9907635de3e7f
	MS-CHAP-Challenge = 0x8e8ddc969becbad5ce723f84a9cf697a
	Service-Type = Login-User
	NAS-Port-Type = Ethernet
	NAS-Port = 8304
	Framed-IP-Address = 10.109.0.1
	Called-Station-Id = "10.109.10.10"
	Calling-Station-Id = "00:0c:29:cf:00:8a"
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] = ok
++[digest] = noop
[suffix] No '@' in User-Name = "1822505", skipping NULL due to config.
++[suffix] = noop
[ntdomain] No '\' in User-Name = "1822505", skipping NULL due to config.
++[ntdomain] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
++[files] = noop
++policy redundant {
[ldap] performing user authorization for 1822505
[ldap] 	expand: (sAMAccountName=%{mschap:User-Name}) -> (sAMAccountName=1822505)
[ldap] 	expand: cn=IFTO,cn=LOCAL -> cn=IFTO,cn=LOCAL
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to 10.9.10.12:389, authentication 0
[ldap] setting TLS CACert File to /usr/local/etc/raddb/certs/ca_ldap1_cert.pem
[ldap] setting TLS CACert Directory to /usr/local/etc/raddb/certs/
[ldap] setting TLS Require Cert to never
[ldap] setting TLS Cert File to /usr/local/etc/raddb/certs/radius_ldap1_cert.crt
[ldap] setting TLS Key File to /usr/local/etc/raddb/certs/radius_ldap1_cert.key
[ldap] setting TLS Rand File to /usr/local/etc/raddb/certs/random
[ldap] bind as CN=1822505,OU=PSO-CGTI,OU=CA-PARAISO,OU=REITORIA,OU=IFTO,cn=ifto,cn=local/##SENSITIVE## to 10.9.10.12:389
[ldap] waiting for bind result ...
[ldap] LDAP login failed: check identity, password settings in ldap module configuration
[ldap] (re)connection attempt failed
[ldap] search failed
[ldap] ldap_release_conn: Release Id: 0
+++[ldap] = fail
++} # policy redundant = fail
+} # group authorize = fail
	expand: BAD_AUTH | %{User-Name} -> BAD_AUTH | 1822505
Invalid user: [1822505/<via Auth-Type = MSCHAP>] (from client CaptivePortalFreeRadiusCLient port 8304 cli 00:0c:29:cf:00:8a)
BAD_AUTH | 1822505
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] 	expand: %{User-Name} -> 1822505
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 68 to 10.109.10.10 port 46503
Waking up in 4.9 seconds.
Cleaning up request 0 ID 68 with timestamp +51
Ready to process requests.
rad_recv: Accounting-Request packet from host 10.109.10.10 port 48955, id=136, length=74
	NAS-IP-Address = 10.109.10.10
	NAS-Identifier = "labfw.ifto.local"
	Acct-Status-Type = Accounting-Off
	NAS-IP-Address = 10.109.10.10
	NAS-Identifier = "labfw.ifto.local"
# Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
+group preacct {
++[preprocess] = ok
++update request {
	expand: %{Acct-Session-Time} ->
	... expanding second conditional
	expand: %{Acct-Delay-Time} ->
	... expanding second conditional
	expand: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0} -> 1481153306 - 0 - 0
	expand: %{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}} -> 1481153306
++} # update request = noop
[acct_unique] WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent
[acct_unique] WARNING: Attribute Acct-Session-Id was not found in request, unique ID MAY be inconsistent
[acct_unique] WARNING: Attribute User-Name was not found in request, unique ID MAY be inconsistent
[acct_unique] Hashing ',NAS-Identifier = "labfw.ifto.local",NAS-IP-Address = 10.109.10.10,,'
[acct_unique] Acct-Unique-Session-ID = "70b80b51711f946c".
++[acct_unique] = ok
[suffix] Proxy reply, or no User-Name. Ignoring.
++[suffix] = ok
[ntdomain] Proxy reply, or no User-Name. Ignoring.
++[ntdomain] = ok
++[files] = noop
+} # group preacct = ok
# Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
+group accounting {
[detail] 	expand: %{Packet-Src-IP-Address} -> 10.109.10.10
[detail] 	expand: /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radacct/10.109.10.10/detail-20161207
[detail] /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radacct/10.109.10.10/detail-20161207
[detail] 	expand: %t -> Wed Dec 7 20:28:26 2016
++[detail] = ok
rlm_counter: We only run on Accounting-Stop packets.
++[daily] = noop
rlm_counter: We only run on Accounting-Stop packets.
++[weekly] = noop
rlm_counter: We only run on Accounting-Stop packets.
++[monthly] = noop
rlm_counter: We only run on Accounting-Stop packets.
++[forever] = noop
++? if ((request:Acct-Status-Type == Stop) || (request:Acct-Status-Type == Interim-Update))
?? Evaluating (request:Acct-Status-Type == Stop) -> FALSE
?? Evaluating (request:Acct-Status-Type == Interim-Update) -> FALSE
++? if ((request:Acct-Status-Type == Stop) || (request:Acct-Status-Type == Interim-Update)) -> FALSE
++[unix] = noop
[radutmp] 	expand: /var/log/radutmp -> /var/log/radutmp
rlm_radutmp: NAS CaptivePortalFreeRadiusCLient rebooted (Accounting-Off packet seen)
++[radutmp] = ok
++[exec] = noop
[attr_filter.accounting_response] 	expand: %{User-Name} ->
++[attr_filter.accounting_response] = noop
+} # group accounting = ok
Sending Accounting-Response of id 136 to 10.109.10.10 port 48955
Finished request 1.
Cleaning up request 1 ID 136 with timestamp +66
Going to the next request
Is there some other configuration I forgot to do along the way?
[1] https://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#Microsoft_Active_Directory_and_LDAP
[2] https://docs.google.com/document/d/1UDg8Rt5wN_pGoepJyKTlAAnQdJgAsNXSrX3vkQu15DE/edit?pli=1
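A note on reading the log above, added here as editorial commentary rather than part of the original post. The failure happens at "bind as CN=1822505,...,cn=ifto,cn=local/##SENSITIVE## ... LDAP login failed" during the (re)connect, before rlm_ldap ever runs the (sAMAccountName=1822505) search, so the "invalid credentials" the captive portal reports comes from the ldap module's own configured identity/password bind, not from the user's password. The quickest way to isolate that is to perform the same simple bind from the FreeRADIUS host with the DN and password taken from the ldap module config, e.g. with `ldapsearch -x -H ldap://10.9.10.12 -D '<identity DN>' -W -b '' -s base`. The example below does the same thing in Python with only the standard library (it encodes the LDAPv3 BindRequest by hand), decodes the server's LDAPResult, and maps the sub-codes that Active Directory puts in the diagnostic message ("data 52e" and friends) to their meanings; the AD mapping is only meaningful if 10.9.10.12 is an AD domain controller, which the sAMAccountName filter and the pfSense document title suggest but the post does not state. It also checks whether the bind DN contains any dc= components, since an AD naming context for a domain called ifto.local is built from DC=ifto,DC=local rather than cn=ifto,cn=local. This is example code written for this page, not FreeRADIUS or pfSense code; the host, port and DN are copied from the log, the password is a placeholder, and the sample BindResponse used in testing is constructed. Two caveats a practitioner would want alongside it: the log shows "setting TLS Require Cert to never", which disables verification of the LDAP server certificate and should be tightened once the bind works; and because the request carries MS-CHAP2-Response, rlm_mschap will need the user's NT hash to verify it even after the bind is fixed, which a plain LDAP lookup against Active Directory will not return (MS-CHAPv2 against AD is normally done through ntlm_auth/winbind, or the captive portal is switched to PAP so rlm_ldap can bind as the user).

```python
"""LDAPv3 simple bind (RFC 4511) BER-encoded by hand, standard library only.
Example code written for this page, not FreeRADIUS or pfSense code: it reproduces
the bind rlm_ldap makes with its configured identity/password and reads the
server's LDAPResult directly.  Host, port and DN are copied from the log in the
post; the password is a placeholder."""
import socket

INTEGER, OCTET_STRING, ENUMERATED, SEQUENCE = 0x02, 0x04, 0x0A, 0x30
BIND_REQUEST, BIND_RESPONSE = 0x60, 0x61   # [APPLICATION 0] / [APPLICATION 1]
SIMPLE_AUTH = 0x80                         # BindRequest.authentication, simple [0]


def ber_len(n: int) -> bytes:
    """Definite-form BER length: one octet below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_int(n: int) -> bytes:
    """Minimal two's-complement content octets for a non-negative INTEGER/ENUMERATED."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return b"\x00" + body if body[0] & 0x80 else body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def read_tlv(buf: bytes, pos: int = 0):
    """Decode one TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    n = first & 0x7F if first & 0x80 else 0      # long form: n more length octets follow
    length = int.from_bytes(buf[pos:pos + n], "big") if n else first
    return tag, buf[pos + n:pos + n + length], pos + n + length

def build_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind = (tlv(INTEGER, ber_int(3)) + tlv(OCTET_STRING, dn.encode())
            + tlv(SIMPLE_AUTH, password.encode()))
    return tlv(SEQUENCE, tlv(INTEGER, ber_int(msg_id)) + tlv(BIND_REQUEST, bind))

def build_bind_response(msg_id: int, code: int, diag: str) -> bytes:
    """The server's side of the exchange; used here only to construct sample replies offline."""
    result = tlv(ENUMERATED, ber_int(code)) + tlv(OCTET_STRING, b"") + tlv(OCTET_STRING, diag.encode())
    return tlv(SEQUENCE, tlv(INTEGER, ber_int(msg_id)) + tlv(BIND_RESPONSE, result))

def parse_bind_response(data: bytes) -> dict:
    """Extract messageID, resultCode, matchedDN and diagnosticMessage from a BindResponse."""
    _, msg, _ = read_tlv(data)                   # outer LDAPMessage SEQUENCE
    _, mid, p = read_tlv(msg)
    tag, body, _ = read_tlv(msg, p)
    if tag != BIND_RESPONSE:
        raise ValueError("expected BindResponse, got tag 0x%02x" % tag)
    _, code, p = read_tlv(body)
    _, matched, p = read_tlv(body, p)
    _, diag, _ = read_tlv(body, p)
    return {"msg_id": int.from_bytes(mid, "big"), "result_code": int.from_bytes(code, "big"),
            "matched_dn": matched.decode(errors="replace"), "diagnostic": diag.decode(errors="replace")}

# Sub-codes Active Directory appends as "AcceptSecurityContext error, data NNN" (AD only).
AD_DATA_CODES = {"525": "user not found", "52e": "invalid credentials", "532": "password expired",
                 "533": "account disabled", "701": "account expired", "773": "user must reset password",
                 "775": "account locked out"}

def explain(result: dict) -> str:
    """One-line verdict for a bind result."""
    if result["result_code"] == 0:
        return "bind OK"
    for code, meaning in AD_DATA_CODES.items():
        if "data %s" % code in result["diagnostic"]:
            return "bind failed: resultCode %d (%s)" % (result["result_code"], meaning)
    return "bind failed: resultCode %d: %s" % (result["result_code"], result["diagnostic"] or "no diagnostic")

def has_domain_components(dn: str) -> bool:
    """AD naming contexts are dc= RDNs; a DN whose suffix is cn=ifto,cn=local looks wrong for AD."""
    return any(rdn.strip().lower().startswith("dc=") for rdn in dn.split(","))

def _recv_exact(s: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = s.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def ldap_simple_bind(host: str, port: int, dn: str, password: str, timeout: float = 5.0) -> dict:
    """Live bind over plain LDAP; without StartTLS/LDAPS the password crosses the wire in clear."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_bind_request(1, dn, password))
        head = _recv_exact(s, 2)                 # tag + first length octet of the reply
        length = head[1]
        if length & 0x80:
            lenbytes = _recv_exact(s, length & 0x7F)
            head, length = head + lenbytes, int.from_bytes(lenbytes, "big")
        return parse_bind_response(head + _recv_exact(s, length))

if __name__ == "__main__":
    HOST, PORT = "10.9.10.12", 389               # from the log; password is a placeholder
    BIND_DN = "CN=1822505,OU=PSO-CGTI,OU=CA-PARAISO,OU=REITORIA,OU=IFTO,cn=ifto,cn=local"
    print("bind DN contains dc= components:", has_domain_components(BIND_DN))
    print(explain(ldap_simple_bind(HOST, PORT, BIND_DN, "CHANGEME")))
```

Run it from the FreeRADIUS host with the identity and password from the ldap module section; resultCode 0 means the module's own bind is fine and the problem is elsewhere, while resultCode 49 (invalidCredentials) with an AD "data 52e" diagnostic points at the identity DN or password in the module configuration, exactly what the "check identity, password settings in ldap module configuration" line asks for.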