FreeRadius2 With TLS
-
Running the latest version of the FreeRADIUS2 package with LDAP to a Samba AD environment with TLS enabled. The STARTTLS is created successfully and the initial bind appears to proceed normally; however, the second bind is then sent in the clear outside the TLS tunnel and Samba rejects it.
Mon Jun 5 11:51:15 2017 : Debug: [ldap] setting TLS CACert File to /usr/local/etc/raddb/certs/ca_ldap1_cert.pem
Mon Jun 5 11:51:15 2017 : Debug: [ldap] setting TLS CACert Directory to /usr/local/etc/raddb/certs/
Mon Jun 5 11:51:15 2017 : Debug: [ldap] setting TLS Require Cert to demand
Mon Jun 5 11:51:15 2017 : Debug: [ldap] setting TLS Cert File to /usr/local/etc/raddb/certs/radius_ldap1_cert.crt
Mon Jun 5 11:51:15 2017 : Debug: [ldap] setting TLS Key File to /usr/local/etc/raddb/certs/radius_ldap1_cert.key
Mon Jun 5 11:51:15 2017 : Debug: [ldap] setting TLS Rand File to /usr/local/etc/raddb/certs/random
Mon Jun 5 11:51:15 2017 : Debug: [ldap] starting TLS
Mon Jun 5 11:51:15 2017 : Debug: [ldap] bind as cn=ldap,cn=users,dc=corp,dc=contoso,dc=com/[REDACTED] to hypnotoad.corp.contoso.com:389
Mon Jun 5 11:51:15 2017 : Debug: [ldap] waiting for bind result ...
Mon Jun 5 11:51:15 2017 : Debug: [ldap] Bind was successful
Mon Jun 5 11:51:15 2017 : Debug: [ldap] performing search in dc=corp,dc=contoso,dc=com, with filter (userPrincipalName=test@corp.contoso.com)
Mon Jun 5 11:51:15 2017 : Debug: [ldap] rebind to URL ldap://corp.contoso.com/CN=Configuration,DC=corp,DC=contoso,DC=com
Mon Jun 5 11:51:19 2017 : Error: [ldap] ldap_search() failed: Timed out while waiting for server to respond. Please increase the timeout.
Mon Jun 5 11:51:19 2017 : Info: [ldap] search failed
Rebind in the clear fails. PCAP can be provided. Given that freeRADIUS2 has been given an expiration date in freshports, it may be worth migrating pfSense to the newer freeRADIUS3 package.
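A quick way to spot the pattern described in this post across a whole radiusd -X log is to track the [ldap] module's STARTTLS state and flag any later "rebind to URL" (referral chase) whose target is a plain ldap:// URL, since a referral is followed on a new connection and the original connection's STARTTLS does not carry over to it. The checker below is an added example, not part of the post or of FreeRADIUS; the sample log is constructed from the entries above, and the message formats it matches are assumed from those entries only.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the post's debug output (entries pasted onto one line,
# as in the post). The DN and hostnames are the post's example values.
SAMPLE_LOG = (
    "Mon Jun 5 11:51:15 2017 : Debug: [ldap] starting TLS "
    "Mon Jun 5 11:51:15 2017 : Debug: [ldap] bind as cn=ldap,cn=users,dc=corp,dc=contoso,dc=com/[REDACTED]"
    " to hypnotoad.corp.contoso.com:389 "
    "Mon Jun 5 11:51:15 2017 : Debug: [ldap] Bind was successful "
    "Mon Jun 5 11:51:15 2017 : Debug: [ldap] performing search in dc=corp,dc=contoso,dc=com,"
    " with filter (userPrincipalName=test@corp.contoso.com) "
    "Mon Jun 5 11:51:15 2017 : Debug: [ldap] rebind to URL ldap://corp.contoso.com/CN=Configuration,DC=corp,DC=contoso,DC=com "
    "Mon Jun 5 11:51:19 2017 : Error: [ldap] ldap_search() failed: Timed out while waiting for server to respond."
)

# Every entry starts with "<Day> <Mon> <d> <hh:mm:ss> <yyyy> : <Level>: ", so split on that
# prefix; this works whether entries are newline-separated or run together on one line.
_TS = r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4} : "
ENTRY_RE = re.compile(_TS + r"(?P<level>\w+): (?P<msg>.*?)(?=" + _TS + r"|\Z)", re.S)
BIND_RE = re.compile(r"^\[ldap\] bind as (?P<dn>.+?) to (?P<host>[^\s:]+):(?P<port>\d+)$")
REBIND_RE = re.compile(r"^\[ldap\] rebind to URL (?P<url>\S+)$")


def find_cleartext_rebinds(log_text):
    """Return one finding per rebind (referral chase) to a non-ldaps URL that happens
    after the [ldap] module negotiated STARTTLS on its original connection."""
    tls_started = False
    tls_endpoint = None  # host:port of the connection that was upgraded with STARTTLS
    findings = []
    for entry in ENTRY_RE.finditer(log_text):
        msg = entry.group("msg").strip()
        if msg == "[ldap] starting TLS":
            tls_started = True
            continue
        bind = BIND_RE.match(msg)
        if bind:
            tls_endpoint = f"{bind.group('host')}:{bind.group('port')}"
            continue
        rebind = REBIND_RE.match(msg)
        if rebind and tls_started and urlparse(rebind.group("url")).scheme != "ldaps":
            findings.append({
                "url": rebind.group("url"),
                "target": urlparse(rebind.group("url")).netloc or "(no host in URL)",
                "original_tls_endpoint": tls_endpoint,
                "reason": "referral chased over plain ldap:// outside the STARTTLS session",
            })
    return findings
```

Run it over a saved radiusd -X log (e.g. `find_cleartext_rebinds(open("radiusd.log").read())`); an empty list means every rebind after STARTTLS went to an ldaps:// URL, but the script cannot see whether the client re-negotiated TLS on the new connection, so a non-empty list is a prompt to check the PCAP, as the post does.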
-
I suppose this would be better posted to a FreeRADIUS board; I'll experiment with FreeRADIUS 3 as well to see if rebinds are done within the existing TLS session as I would expect or if they are attempted in the clear.