Netgate Discussion Forum
    Authentication problems [FREERADIUS2 + LDAP + CP]
      smkbarbosa
      Hello,

      I installed Freeradius2 and configured authentication via LDAP following the pfSense manual and another tutorial it points to (1 and 2).

      However, when I test authentication on the captive portal, it returns "invalid credentials". I left radiusd -X running in a terminal to capture the full log of the request.

      rad_recv: Access-Request packet from host 10.109.10.10 port 46503, id=68, length=192
      	NAS-IP-Address = 10.109.10.10
      	NAS-Identifier = "labfw.ifto.local"
      	User-Name = "1822505"
      	MS-CHAP2-Response = 0x010142f01b76420662af5ff05f3056315ff500000000000000001147f4763946d23c64713322ef9b309405d9907635de3e7f
      	MS-CHAP-Challenge = 0x8e8ddc969becbad5ce723f84a9cf697a
      	Service-Type = Login-User
      	NAS-Port-Type = Ethernet
      	NAS-Port = 8304
      	Framed-IP-Address = 10.109.0.1
      	Called-Station-Id = "10.109.10.10"
      	Calling-Station-Id = "00:0c:29:cf:00:8a"
      # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
      +group authorize {
      ++[preprocess] = ok
      ++[chap] = noop
      [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
      ++[mschap] = ok
      ++[digest] = noop
      [suffix] No '@' in User-Name = "1822505", skipping NULL due to config.
      ++[suffix] = noop
      [ntdomain] No '\' in User-Name = "1822505", skipping NULL due to config.
      ++[ntdomain] = noop
      [eap] No EAP-Message, not doing EAP
      ++[eap] = noop
      ++[files] = noop
      ++policy redundant {
      [ldap] performing user authorization for 1822505
      [ldap] 	expand: (sAMAccountName=%{mschap:User-Name}) -> (sAMAccountName=1822505)
      [ldap] 	expand: cn=IFTO,cn=LOCAL -> cn=IFTO,cn=LOCAL
        [ldap] ldap_get_conn: Checking Id: 0
        [ldap] ldap_get_conn: Got Id: 0
        [ldap] attempting LDAP reconnection
        [ldap] (re)connect to 10.9.10.12:389, authentication 0
        [ldap] setting TLS CACert File to /usr/local/etc/raddb/certs/ca_ldap1_cert.pem
        [ldap] setting TLS CACert Directory to /usr/local/etc/raddb/certs/
        [ldap] setting TLS Require Cert to never
        [ldap] setting TLS Cert File to /usr/local/etc/raddb/certs/radius_ldap1_cert.crt
        [ldap] setting TLS Key File to /usr/local/etc/raddb/certs/radius_ldap1_cert.key
        [ldap] setting TLS Rand File to /usr/local/etc/raddb/certs/random
        [ldap] bind as CN=1822505,OU=PSO-CGTI,OU=CA-PARAISO,OU=REITORIA,OU=IFTO,cn=ifto,cn=local/##SENSITIVE## to 10.9.10.12:389
        [ldap] waiting for bind result ...
        [ldap] LDAP login failed: check identity, password settings in ldap module configuration
        [ldap] (re)connection attempt failed
      [ldap] search failed
        [ldap] ldap_release_conn: Release Id: 0
      +++[ldap] = fail
      ++} # policy redundant = fail
      +} # group authorize = fail
      	expand: BAD_AUTH | %{User-Name} -> BAD_AUTH | 1822505
      Invalid user: [1822505/<via auth-type="MSCHAP">] (from client CaptivePortalFreeRadiusCLient port 8304 cli 00:0c:29:cf:00:8a) BAD_AUTH | 1822505
      Using Post-Auth-Type Reject
      # Executing group from file /usr/local/etc/raddb/sites-enabled/default
      +group REJECT {
      [attr_filter.access_reject] 	expand: %{User-Name} -> 1822505
      attr_filter: Matched entry DEFAULT at line 11
      ++[attr_filter.access_reject] = updated
      +} # group REJECT = updated
      Delaying reject of request 0 for 1 seconds
      Going to the next request
      Waking up in 0.9 seconds.
      Sending delayed reject for request 0
      Sending Access-Reject of id 68 to 10.109.10.10 port 46503
      Waking up in 4.9 seconds.
      Cleaning up request 0 ID 68 with timestamp +51
      Ready to process requests.
      rad_recv: Accounting-Request packet from host 10.109.10.10 port 48955, id=136, length=74
      	NAS-IP-Address = 10.109.10.10
      	NAS-Identifier = "labfw.ifto.local"
      	Acct-Status-Type = Accounting-Off
      	NAS-IP-Address = 10.109.10.10
      	NAS-Identifier = "labfw.ifto.local"
      # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
      +group preacct {
      ++[preprocess] = ok
      ++update request {
      	expand: %{Acct-Session-Time} -> 
      	... expanding second conditional
      	expand: %{Acct-Delay-Time} -> 
      	... expanding second conditional
      	expand:  %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0} ->  1481153306 - 0 - 0
      	expand: %{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}} -> 1481153306
      ++} # update request = noop
      [acct_unique] WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent
      [acct_unique] WARNING: Attribute Acct-Session-Id was not found in request, unique ID MAY be inconsistent
      [acct_unique] WARNING: Attribute User-Name was not found in request, unique ID MAY be inconsistent
      [acct_unique] Hashing ',NAS-Identifier = "labfw.ifto.local",NAS-IP-Address = 10.109.10.10,,'
      [acct_unique] Acct-Unique-Session-ID = "70b80b51711f946c".
      ++[acct_unique] = ok
      [suffix] Proxy reply, or no User-Name.  Ignoring.
      ++[suffix] = ok
      [ntdomain] Proxy reply, or no User-Name.  Ignoring.
      ++[ntdomain] = ok
      ++[files] = noop
      +} # group preacct = ok
      # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
      +group accounting {
      [detail] 	expand: %{Packet-Src-IP-Address} -> 10.109.10.10
      [detail] 	expand: /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radacct/10.109.10.10/detail-20161207
      [detail] /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radacct/10.109.10.10/detail-20161207
      [detail] 	expand: %t -> Wed Dec  7 20:28:26 2016
      ++[detail] = ok
      rlm_counter: We only run on Accounting-Stop packets.
      ++[daily] = noop
      rlm_counter: We only run on Accounting-Stop packets.
      ++[weekly] = noop
      rlm_counter: We only run on Accounting-Stop packets.
      ++[monthly] = noop
      rlm_counter: We only run on Accounting-Stop packets.
      ++[forever] = noop
      ++? if ((request:Acct-Status-Type == Stop) || (request:Acct-Status-Type == Interim-Update))
      ?? Evaluating (request:Acct-Status-Type == Stop) -> FALSE
      ?? Evaluating (request:Acct-Status-Type == Interim-Update) -> FALSE
      ++? if ((request:Acct-Status-Type == Stop) || (request:Acct-Status-Type == Interim-Update)) -> FALSE
      ++[unix] = noop
      [radutmp] 	expand: /var/log/radutmp -> /var/log/radutmp
      rlm_radutmp: NAS CaptivePortalFreeRadiusCLient rebooted (Accounting-Off packet seen)
      ++[radutmp] = ok
      ++[exec] = noop
      [attr_filter.accounting_response] 	expand: %{User-Name} -> 
      ++[attr_filter.accounting_response] = noop
      +} # group accounting = ok
      Sending Accounting-Response of id 136 to 10.109.10.10 port 48955
      Finished request 1.
      Cleaning up request 1 ID 136 with timestamp +66
      Going to the next request

      Is there some other configuration I forgot to do along the way?

      [1] https://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#Microsoft_Active_Directory_and_LDAP
      [2] https://docs.google.com/document/d/1UDg8Rt5wN_pGoepJyKTlAAnQdJgAsNXSrX3vkQu15DE/edit?pli=1

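When troubleshooting a reject like the one above, the useful information is buried in a long radiusd -X trace: which Auth-Type was selected, which module returned fail, and what the ldap module said before it gave up. The script below is an added example for this thread (it is not code from the pfSense FreeRADIUS package or from the poster). It parses the FreeRADIUS 2.x debug format shown in the post and reduces each request to a short summary. The SAMPLE_LOG is a constructed, abbreviated copy of the Access-Request in the post; the regexes assume the 2.x line layout (tab-indented attributes, `++[module] = rc` result lines, `Sending Access-Reject of id N`).

```python
"""Summarise FreeRADIUS 2.x `radiusd -X` output: which module failed, and why.

Added example for this forum thread; not part of pfSense or FreeRADIUS.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: an abbreviated copy of the Access-Request from the post.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.109.10.10 port 46503, id=68, length=192
\tNAS-IP-Address = 10.109.10.10
\tNAS-Identifier = "labfw.ifto.local"
\tUser-Name = "1822505"
\tMS-CHAP2-Response = 0x0101
\tMS-CHAP-Challenge = 0x8e8d
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] = ok
++policy redundant {
[ldap] performing user authorization for 1822505
[ldap] \texpand: cn=IFTO,cn=LOCAL -> cn=IFTO,cn=LOCAL
  [ldap] (re)connect to 10.9.10.12:389, authentication 0
  [ldap] bind as CN=1822505,OU=PSO-CGTI,cn=ifto,cn=local/##SENSITIVE## to 10.9.10.12:389
  [ldap] LDAP login failed: check identity, password settings in ldap module configuration
  [ldap] (re)connection attempt failed
[ldap] search failed
+++[ldap] = fail
++} # policy redundant = fail
+} # group authorize = fail
Sending Access-Reject of id 68 to 10.109.10.10 port 46503
"""

# Line shapes of the 2.x debug output (assumed from the trace in the post).
REQ = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
ATTR = re.compile(r"^\t([\w-]+) = (.*)$")          # tab-indented request attribute
MOD = re.compile(r"^\s*\++\[([\w.]+)\] = (\w+)$")  # ++[module] = rc
AUTHTYPE = re.compile(r"Setting 'Auth-Type\s*=\s*(\w+)'")
BIND = re.compile(r"\[ldap\] bind as (.+?)/\S+ to (\S+)")   # password is masked by radiusd
LDAPFAIL = re.compile(r"\[ldap\] (LDAP login failed: .*)")
RESP = re.compile(r"^Sending (Access-\w+|Accounting-\w+) of id (\d+)")


@dataclass
class RequestSummary:
    kind: str
    nas: str
    request_id: int
    attrs: Dict[str, str] = field(default_factory=dict)
    auth_type: Optional[str] = None
    failed_modules: List[str] = field(default_factory=list)
    ldap_bind_dn: Optional[str] = None
    ldap_error: Optional[str] = None
    response: Optional[str] = None


def parse_debug_log(text: str) -> List[RequestSummary]:
    """Split a radiusd -X trace into one summary per rad_recv packet."""
    requests: List[RequestSummary] = []
    current: Optional[RequestSummary] = None
    for line in text.splitlines():
        m = REQ.match(line)
        if m:
            current = RequestSummary(kind=m.group(1), nas=m.group(2), request_id=int(m.group(3)))
            requests.append(current)
            continue
        if current is None:
            continue  # preamble before the first packet
        if (m := ATTR.match(line)):
            current.attrs[m.group(1)] = m.group(2).strip('"')
        elif (m := AUTHTYPE.search(line)):
            current.auth_type = m.group(1)
        elif (m := MOD.match(line)) and m.group(2) == "fail":
            current.failed_modules.append(m.group(1))
        elif (m := BIND.search(line)):
            current.ldap_bind_dn = m.group(1)
        elif (m := LDAPFAIL.search(line)):
            current.ldap_error = m.group(1)
        elif (m := RESP.match(line)):
            current.response = m.group(1)
    return requests


def findings(r: RequestSummary) -> List[str]:
    """Turn a summary into the two or three lines an operator actually needs."""
    out = []
    if r.auth_type:
        out.append(f"Auth-Type {r.auth_type} selected for user {r.attrs.get('User-Name', '?')} "
                   f"from NAS {r.nas}")
    if "ldap" in r.failed_modules and r.ldap_error:
        # The bind is the module's own connection (authentication 0), made before any
        # user lookup: when it fails, the search never runs and no password is checked.
        out.append(f"ldap failed in authorize (bind as {r.ldap_bind_dn}): {r.ldap_error}; "
                   "the user search never ran, so no credential was evaluated")
    if r.response:
        out.append(f"server answered {r.response} for id {r.request_id}")
    return out


if __name__ == "__main__":
    for req in parse_debug_log(SAMPLE_LOG):
        print(f"{req.kind} id={req.request_id}")
        for line in findings(req):
            print("  -", line)
```

Run it on a saved `radiusd -X` capture (`parse_debug_log(open(path).read())`) to get one summary per packet instead of reading the whole trace by hand; the masked `##SENSITIVE##` password never reaches the summary because the regex discards it.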