Authentication problems [FREERADIUS2 + LDAP + CP]



  • Hello,

    I installed Freeradius2 and configured LDAP authentication following the pfSense manual and another tutorial it points to (1 and 2).

    However, when I test authentication on the captive portal, it returns an invalid credential. I left a terminal running radiusd -X to capture the full log of the request.

    rad_recv: Access-Request packet from host 10.109.10.10 port 46503, id=68, length=192
    	NAS-IP-Address = 10.109.10.10
    	NAS-Identifier = "labfw.ifto.local"
    	User-Name = "1822505"
    	MS-CHAP2-Response = 0x010142f01b76420662af5ff05f3056315ff500000000000000001147f4763946d23c64713322ef9b309405d9907635de3e7f
    	MS-CHAP-Challenge = 0x8e8ddc969becbad5ce723f84a9cf697a
    	Service-Type = Login-User
    	NAS-Port-Type = Ethernet
    	NAS-Port = 8304
    	Framed-IP-Address = 10.109.0.1
    	Called-Station-Id = "10.109.10.10"
    	Calling-Station-Id = "00:0c:29:cf:00:8a"
    # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    +group authorize {
    ++[preprocess] = ok
    ++[chap] = noop
    [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
    ++[mschap] = ok
    ++[digest] = noop
    [suffix] No '@' in User-Name = "1822505", skipping NULL due to config.
    ++[suffix] = noop
    [ntdomain] No '\' in User-Name = "1822505", skipping NULL due to config.
    ++[ntdomain] = noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] = noop
    ++[files] = noop
    ++policy redundant {
    [ldap] performing user authorization for 1822505
    [ldap] 	expand: (sAMAccountName=%{mschap:User-Name}) -> (sAMAccountName=1822505)
    [ldap] 	expand: cn=IFTO,cn=LOCAL -> cn=IFTO,cn=LOCAL
      [ldap] ldap_get_conn: Checking Id: 0
      [ldap] ldap_get_conn: Got Id: 0
      [ldap] attempting LDAP reconnection
      [ldap] (re)connect to 10.9.10.12:389, authentication 0
      [ldap] setting TLS CACert File to /usr/local/etc/raddb/certs/ca_ldap1_cert.pem
      [ldap] setting TLS CACert Directory to /usr/local/etc/raddb/certs/
      [ldap] setting TLS Require Cert to never
      [ldap] setting TLS Cert File to /usr/local/etc/raddb/certs/radius_ldap1_cert.crt
      [ldap] setting TLS Key File to /usr/local/etc/raddb/certs/radius_ldap1_cert.key
      [ldap] setting TLS Rand File to /usr/local/etc/raddb/certs/random
      [ldap] bind as CN=1822505,OU=PSO-CGTI,OU=CA-PARAISO,OU=REITORIA,OU=IFTO,cn=ifto,cn=local/##SENSITIVE## to 10.9.10.12:389
      [ldap] waiting for bind result ...
      [ldap] LDAP login failed: check identity, password settings in ldap module configuration
      [ldap] (re)connection attempt failed
    [ldap] search failed
      [ldap] ldap_release_conn: Release Id: 0
    +++[ldap] = fail
    ++} # policy redundant = fail
    +} # group authorize = fail
    	expand: BAD_AUTH | %{User-Name} -> BAD_AUTH | 1822505
    Invalid user: [1822505/<via auth-type="MSCHAP">] (from client CaptivePortalFreeRadiusCLient port 8304 cli 00:0c:29:cf:00:8a) BAD_AUTH | 1822505
    Using Post-Auth-Type Reject
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +group REJECT {
    [attr_filter.access_reject] 	expand: %{User-Name} -> 1822505
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] = updated
    +} # group REJECT = updated
    Delaying reject of request 0 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 0
    Sending Access-Reject of id 68 to 10.109.10.10 port 46503
    Waking up in 4.9 seconds.
    Cleaning up request 0 ID 68 with timestamp +51
    Ready to process requests.
    rad_recv: Accounting-Request packet from host 10.109.10.10 port 48955, id=136, length=74
    	NAS-IP-Address = 10.109.10.10
    	NAS-Identifier = "labfw.ifto.local"
    	Acct-Status-Type = Accounting-Off
    	NAS-IP-Address = 10.109.10.10
    	NAS-Identifier = "labfw.ifto.local"
    # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
    +group preacct {
    ++[preprocess] = ok
    ++update request {
    	expand: %{Acct-Session-Time} -> 
    	... expanding second conditional
    	expand: %{Acct-Delay-Time} -> 
    	... expanding second conditional
    	expand:  %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0} ->  1481153306 - 0 - 0
    	expand: %{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}} -> 1481153306
    ++} # update request = noop
    [acct_unique] WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent
    [acct_unique] WARNING: Attribute Acct-Session-Id was not found in request, unique ID MAY be inconsistent
    [acct_unique] WARNING: Attribute User-Name was not found in request, unique ID MAY be inconsistent
    [acct_unique] Hashing ',NAS-Identifier = "labfw.ifto.local",NAS-IP-Address = 10.109.10.10,,'
    [acct_unique] Acct-Unique-Session-ID = "70b80b51711f946c".
    ++[acct_unique] = ok
    [suffix] Proxy reply, or no User-Name.  Ignoring.
    ++[suffix] = ok
    [ntdomain] Proxy reply, or no User-Name.  Ignoring.
    ++[ntdomain] = ok
    ++[files] = noop
    +} # group preacct = ok
    # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
    +group accounting {
    [detail] 	expand: %{Packet-Src-IP-Address} -> 10.109.10.10
    [detail] 	expand: /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radacct/10.109.10.10/detail-20161207
    [detail] /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radacct/10.109.10.10/detail-20161207
    [detail] 	expand: %t -> Wed Dec  7 20:28:26 2016
    ++[detail] = ok
    rlm_counter: We only run on Accounting-Stop packets.
    ++[daily] = noop
    rlm_counter: We only run on Accounting-Stop packets.
    ++[weekly] = noop
    rlm_counter: We only run on Accounting-Stop packets.
    ++[monthly] = noop
    rlm_counter: We only run on Accounting-Stop packets.
    ++[forever] = noop
    ++? if ((request:Acct-Status-Type == Stop) || (request:Acct-Status-Type == Interim-Update))
    ?? Evaluating (request:Acct-Status-Type == Stop) -> FALSE
    ?? Evaluating (request:Acct-Status-Type == Interim-Update) -> FALSE
    ++? if ((request:Acct-Status-Type == Stop) || (request:Acct-Status-Type == Interim-Update)) -> FALSE
    ++[unix] = noop
    [radutmp] 	expand: /var/log/radutmp -> /var/log/radutmp
    rlm_radutmp: NAS CaptivePortalFreeRadiusCLient rebooted (Accounting-Off packet seen)
    ++[radutmp] = ok
    ++[exec] = noop
    [attr_filter.accounting_response] 	expand: %{User-Name} -> 
    ++[attr_filter.accounting_response] = noop
    +} # group accounting = ok
    Sending Accounting-Response of id 136 to 10.109.10.10 port 48955
    Finished request 1.
    Cleaning up request 1 ID 136 with timestamp +66
    Going to the next request

    Is there some other configuration I forgot to do along the way?

    [1] https://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#Microsoft_Active_Directory_and_LDAP
    [2] https://docs.google.com/document/d/1UDg8Rt5wN_pGoepJyKTlAAnQdJgAsNXSrX3vkQu15DE/edit?pli=1
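An added triage script for radiusd -X output like the log above (example code, not from the post or from FreeRADIUS): it tells a failure of radiusd's own service-account bind apart from a user-credential failure, and flags two things worth checking: DNs with no dc= components (a heuristic assumption on my part; an AD naming context such as ifto.local is normally written dc=ifto,dc=local) and require_cert = never, which disables verification of the LDAP server's certificate. The sample lines are a constructed, shortened excerpt of the log in the post.

```python
import re

# Constructed excerpt of the radiusd -X output quoted in the post
# (only the lines the triage needs; the MS-CHAP blob is shortened).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.109.10.10 port 46503, id=68, length=192
\tUser-Name = "1822505"
\tMS-CHAP2-Response = 0x0101...
[ldap] \texpand: cn=IFTO,cn=LOCAL -> cn=IFTO,cn=LOCAL
  [ldap] setting TLS Require Cert to never
  [ldap] bind as CN=1822505,OU=PSO-CGTI,OU=IFTO,cn=ifto,cn=local/##SENSITIVE## to 10.9.10.12:389
  [ldap] LDAP login failed: check identity, password settings in ldap module configuration
[ldap] search failed
+++[ldap] = fail
Sending Access-Reject of id 68 to 10.109.10.10 port 46503
"""

BIND_RE = re.compile(r"\[ldap\] bind as (?P<dn>.+?)/\S+ to (?P<host>\S+)")
BASEDN_RE = re.compile(r"\[ldap\]\s+expand: (?P<dn>\S+) -> \S+$", re.M)

def dn_has_no_dc(dn):
    """Heuristic (assumption): an AD naming context ends in dc= RDNs, so a DN
    with no dc= at all whose last two RDNs are cn= was probably typed wrong."""
    rdns = [r.strip().lower() for r in dn.split(",")]
    return (not any(r.startswith("dc=") for r in rdns) and len(rdns) >= 2
            and all(r.startswith("cn=") for r in rdns[-2:]))

def triage(log):
    findings = []
    stage = "unknown"
    bind = BIND_RE.search(log)
    if bind and "LDAP login failed: check identity, password settings" in log:
        # This bind is radiusd's own identity/password from the ldap module,
        # done in authorize before the user's credential is ever checked.
        stage = "service-account-bind"
        findings.append("bind as %s to %s rejected" % (bind["dn"], bind["host"]))
        if dn_has_no_dc(bind["dn"]):
            findings.append("identity DN has no dc= components")
    m = BASEDN_RE.search(log)
    if m and dn_has_no_dc(m["dn"]):
        findings.append("basedn has no dc= components")
    if "setting TLS Require Cert to never" in log:
        findings.append("require_cert=never: LDAP server certificate is not verified")
    if "Access-Reject" in log:
        findings.append("result: Access-Reject")
    return {"stage": stage, "findings": findings}

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print(finding)
```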

