FreeRadius3 + OpenLDAP (JumpCloud's LDAP-as-a-Service)
-
Hello internet people!
I'm reaching out to see if anyone has any advice. We just acquired a pair of NetGate XG-1540s for our new office. One of the "Wants" by the executive is to implement 802.1 port-based authentication to help secure our network.
So far I've been able to set everything up and validate that it all works with local users. The issue is that we use JumpCloud as our IAM. JumpCloud offers something called "LDAP-as-a-Service" which is really just opening up access to your account through LDAP. A bit of light digging shows that they are simply using OpenLDAP to manage all of the accounts, so at the end of the day I guess I'm really trying to get FreeRadius3 to work with OpenLDAP.
As I said, everything works fine if I create a local user within FreeRadius (on pfSense) and try to log in with it. Everything falls apart when I try to use LDAP for authentication and authorization.
Before I go any further, something that bugs me a bit… can anyone shed some light on what this statement means in the Note of the LDAP authentication section?
Note that this means "check plain-text password against the LDAP database", which means that EAP won't work, as it does not supply a plain-text password.
Anyways… On to the error messages:
When a user tries to log in I get the following error in the log:
Login incorrect (mschap: FAILED: No NT/LM-Password. Cannot perform authentication): [testuser] (from client TestSwitch1 port 0 via TLS tunnel)
I feel like this message is related to the previous question because the radius server is sending my password to the OpenLDAP server via mschap when (as the quoted message above suggests) I need to present it in "Plain-text".
Anyways here is the error that I see in the logs:
Oct 3 16:31:03 radiusd 87300 (9) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [testuser] (from client TestSwitch1 port 95 cli 00-AA-BB-CC-DD-00)
Oct 3 16:31:03 radiusd 87300 (9) eap_peap: what went wrong, and how to fix the problem
Oct 3 16:31:03 radiusd 87300 (9) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you
Oct 3 16:31:03 radiusd 87300 (9) eap_peap: to find out the reason why the user was rejected
Oct 3 16:31:03 radiusd 87300 (9) eap_peap: This means you need to read the PREVIOUS messages in the debug output
Oct 3 16:31:03 radiusd 87300 (8) Login incorrect (mschap: FAILED: No NT/LM-Password. Cannot perform authentication): [testuser] (from client TestSwitch1 port 0 via TLS tunnel)
Oct 3 16:31:03 radiusd 87300 rlm_ldap (ldap): Opening additional connection (1), 1 of 4 pending slots used
Oct 3 16:31:03 radiusd 87300 Need 4 more connections to reach min connections (5)
Oct 3 16:31:03 radiusd 87300 rlm_ldap (ldap): Opening additional connection (0), 1 of 5 pending slots used
Oct 3 16:30:51 radiusd 87300 Ready to process requests
Attached are the config files. I'm hoping someone can shed some light on what area I need to look toward to try to figure this out. I have already reached out to JumpCloud support but they can only provide settings useful to connect to their service.
For reference they do have a pfSense doc that has been useful getting the user authentication working for OpenVPN: https://support.jumpcloud.com/customer/portal/articles/2440887-configuring-pfsense-vpn-to-work-with-jumpcloud-s-ldap-as-a-service
Thanks for taking the time to read and for any suggestions you might have.
Cheers,
Ken
-
So… after a bit of back and forth with JumpCloud support... it seems that the issue is that I need JumpCloud (OpenLDAP) to perform the actual authentication of the username/password. Which is all to say that I need to configure FreeRADIUS to do PAP authentication.
FreeRADIUS treats LDAP as what LDAP was designed to be - a directory. This means that it retrieves the user's password from the directory and then does the authentication itself.
Sometimes however this is not possible. Examples include OpenLDAP with SASL pass-through authentication, where OpenLDAP will in turn defer its authentication to another mechanism, such as Kerberos. In this instance, FreeRADIUS will use LDAP as an external authentication oracle, i.e. it will accept the successful authentication on LDAP as a sign that the username and password matched and that it can return an Access-Accept packet.
Using LDAP as an authentication oracle restricts you to PAP authentication as per http://deployingradius.com/documents/protocols/oracles.html.
Source:
http://confluence.diamond.ac.uk/display/PAAUTH/Using+LDAP+as+authentication+source
So it seems that I need to figure out how to adapt the following instructions to my pfSense's FreeRADIUS3 install:
Step 1: Edit /etc/raddb/mods-available/ldap:
- Modify the server, port, identity, password and base_dn options to match those needed to access your server. If necessary, configure the TLS section for LDAPS support.
- To avoid the use of the LDAP-stored password, comment out the line(s) in the update section that retrieve the user password from LDAP as it is not required.
- Add any configuration items from LDAP that you would like to use later in FreeRADIUS (such as group information etc) in the update section.
- In the users section, amend the base_dn, filter, and scope settings as appropriate to retrieve a single user from LDAP to bind with.
Step 2: /etc/raddb/mods-available/eap:
- Modify the default_eap_type for EAP in general and for the ttls section in particular - set both to gtc. EAP-GTC allows PAP authentication to proceed. If you are using Cisco PEAP support (i.e. PEAPv1), you can also amend the default_eap_type in the peap section from its default of mschapv2 to gtc. If you are using Microsoft's PEAP (i.e. PEAPv0), then this section cannot be changed.
Step 3: Edit /etc/raddb/mods-available/inner-tunnel:
- Modify the authorize section to add the following block at the bottom after the pap statement:
    if (User-Password) {
        update control {
            Auth-Type := ldap
        }
    }
- Modify the authenticate section, edit the Auth-Type PAP block as follows:
    Auth-Type PAP {
        # pap
        ldap
    }
- Also in the authenticate section, remove the comment from the ldap line (but not the remainder of the Auth-Type LDAP block).
Source:
http://confluence.diamond.ac.uk/display/PAAUTH/Using+LDAP+as+authentication+source
So far I've been able to determine that the files on the pfSense box are located in:
/usr/local/etc/raddb
However after taking my initial stab at some of this it's clear that the file locations are different… and even still... it seems that restarting the service somehow overwrites my changes.
Does anyone have any thoughts/suggestions?
Cheers!
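As an added illustration (not Ken's files and not text from the diamond.ac.uk page), this is what Steps 1 to 3 look like when written into a stock FreeRADIUS 3 raddb tree; the section and option names are the standard ones, while the server host, bind DN, org, base DN and password values are placeholders to be replaced with your tenant's values.

```unlang
# mods-available/ldap (excerpt, Step 1). Host, DNs and password are placeholders.
ldap {
    server = 'ldap.example.com'                              # placeholder host
    port = 636                                               # LDAPS; also fill in the tls {} section
    identity = 'uid=BIND_USER,ou=Users,o=ORG_ID,dc=example,dc=com'   # placeholder bind DN
    password = 'BIND_PASSWORD'                               # placeholder
    base_dn = 'ou=Users,o=ORG_ID,dc=example,dc=com'          # placeholder
    update {
        # Stored-password retrieval disabled: the bind in authenticate is the only password check
        # control:Password-With-Header += 'userPassword'
    }
    user {
        base_dn = "${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        scope = 'sub'
    }
}

# mods-available/eap (excerpt, Step 2)
eap {
    default_eap_type = gtc
    ttls {
        default_eap_type = gtc          # EAP-GTC carries the password in clear inside the TLS tunnel
    }
    peap {
        default_eap_type = mschapv2     # keep for Windows PEAPv0; MS-CHAPv2 needs an NT hash a bind cannot give
    }
}

# sites-available/inner-tunnel (excerpt, Step 3)
authorize {
    # ... preceding modules of the stock section unchanged ...
    pap
    if (User-Password) {                # a clear-text password arrived: hand it to LDAP to bind with
        update control {
            Auth-Type := ldap
        }
    }
}
authenticate {
    Auth-Type PAP {
        # pap                           # nothing stored to compare against, so do not run pap here
        ldap
    }
    # ... other Auth-Type blocks of the stock section unchanged ...
    ldap                                # the uncommented line from the original Auth-Type LDAP block
    eap
}
```

The mschap failure quoted in the first post is the expected outcome of the PEAP/MS-CHAPv2 path here: the inner method asks for an NT-Password that a bind-only directory never returns, so only the GTC/PAP path reaches the ldap bind.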
-
-
You cannot mess with configuration via shell if you have the GUI package installed. The configuration will not persist.
-
You cannot mess with configuration via shell if you have the GUI package installed. The configuration will not persist.
Well that certainly does save me some time. So then the objective is to try to determine if it's possible to even set these settings via the GUI.
Anyone have any suggestions where I might get more detailed info on the FreeRadius pfSense GUI options? I've searched the pfSense book and have had no luck. Any feedback is appreciated.
Cheers.
-
https://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#Related_Articles