Netgate Discussion Forum

issue using freeradius3 package with ldap

General pfSense Questions
5 Posts 2 Posters 711 Views
    mkal
    last edited by Oct 11, 2022, 9:39 AM

    Hi,

    I ran into an issue trying to authenticate a Windows 10 client with the freeradius package on pfSense (wired local network with a Netgear switch).

    I use the freeradius3 package on pfSense, and I have an openLDAP server.

    I entered the information about my openLDAP server in the "LDAP" section of freeradius on pfSense.

    I can authenticate the Windows 10 client using a user created in pfSense, but when I try to authenticate it with a user from my openLDAP, I get these error messages in the pfSense system log:

    (20) Login incorrect (mschap: FAILED: No NT-Password. Cannot perform authentication): [utest] (from client netgear port 0 via TLS tunnel)

    (21) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [utest] (from client netgear port 8 cli 18-60-24-11-17-57)

    Log from /var/log/slapd.log:

    Oct 11 11:31:02 openldap-test slapd[1074]: conn=1015 op=8 SEARCH RESULT tag=101 err=0 nentries=1 text=
    Oct 11 11:31:02 openldap-test slapd[1074]: conn=1021 op=1 SRCH base="dc=atgpedi,dc=net" scope=2 deref=0 filter="(uid=utest)"
    Oct 11 11:31:02 openldap-test slapd[1074]: conn=1021 op=1 SRCH attr=radiusAuthType radiusSimultaneousUse radiusCalledStationId radiusCallingStationId lmPassword ntPassword sambaLmPassword sambaNtPassword ipaNTHash dBCSPwd userPassword acctFlags radiusExpiration radiusNASIpAddress radiusServiceType radiusFramedProtocol radiusFramedIPAddress radiusFramedIPNetmask radiusFramedRoute radiusFramedRouting radiusFilterId radiusFramedMTU radiusFramedCompression radiusLoginIPHost radiusLoginService radiusLoginTCPPort radiusCallbackNumber radiusCallbackId radiusFramedIPXNetwork radiusClass radiusSessionTimeout radiusIdleTimeout radiusTerminationAction radiusLoginLATService radiusLoginLATNode radiusLoginLATGroup radiusFramedAppleTalkLink radiusFramedAppleTalkNetwork radiusFramedAppleTalkZone radiusPortLimit radiusLoginLATPort radiusReplyMessage radiusTunnelType radiusTunnelMediumType radiusTunnelPrivateGroupId radiusControlAttribute radiusRequestAttribute radiusReplyAttribute

    Could anyone help me with this?

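A worked illustration of the "No NT-Password" failure in the log above (an added example; this is not code from the thread, from pfSense or from FreeRADIUS). MSCHAPv2 is a challenge/response protocol: the client never sends the password, so the RADIUS server must already hold the user's NT hash (MD4 over the UTF-16LE password), or a cleartext password from which it can compute one, to verify the response. The slapd SRCH line shows the ldap module fetching exactly the attributes that could supply it (ntPassword, sambaNtPassword, ipaNTHash, userPassword). An OpenLDAP account whose userPassword is a salted one-way hash such as {SSHA} yields none of them, which is what the mschap module reports, and an LDAP bind cannot stand in for the missing hash because the server has no password to bind with. The script below computes the NT hash with a pure-Python MD4 (hashlib's md4 is frequently unavailable under OpenSSL 3) and classifies a few constructed directory entries; the entry names, the attribute values and the {SSHA} string are made up for the example.

```python
"""
Which LDAP password attributes let FreeRADIUS finish PEAP-MSCHAPv2.

Added example, not code from the forum thread, pfSense or FreeRADIUS.
Sample directory entries at the bottom are constructed for illustration.
"""
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Used because hashlib.new('md4') is often
    disabled under OpenSSL 3's default provider."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    rounds = (
        (f, list(range(16)), (3, 7, 11, 19), 0),
        (g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        r = state[:]
        for func, order, shifts, const in rounds:
            for i, k in enumerate(order):
                j = (-i) % 4  # registers are updated in the order A, D, C, B
                val = r[j] + func(r[(j + 1) % 4], r[(j + 2) % 4], r[(j + 3) % 4]) + x[k] + const
                r[j] = _rotl(val & MASK32, shifts[i % 4])
        state = [(s + t) & MASK32 for s, t in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash as FreeRADIUS expects it in control:NT-Password: MD4 over UTF-16LE."""
    return md4(password.encode("utf-16-le")).hex().upper()


# Attributes the posted ldap module maps onto control:NT-Password (hex-encoded).
# ipaNTHash is binary in real directories and is left out of this toy check.
NT_HASH_ATTRS = ("sambaNtPassword", "ntPassword")


def nt_password_source(entry: dict) -> tuple:
    """Return (nt_hash_hex, reason), or (None, reason) when MSCHAPv2 cannot run.

    Order of preference mirrors FreeRADIUS: a stored NT hash is used as-is; a
    cleartext userPassword (no header, or a {clear}/{cleartext} header) is hashed
    by the mschap module; any other header is a one-way hash and is unusable.
    """
    for attr in NT_HASH_ATTRS:
        if attr in entry:
            return entry[attr].upper(), f"NT hash stored in {attr}"
    pw = entry.get("userPassword")
    if pw is None:
        return None, "no password attribute at all"
    if pw.startswith("{") and "}" in pw:
        end = pw.index("}")
        header = pw[1:end].lower()
        if header in ("clear", "cleartext"):
            return nt_hash(pw[end + 1:]), f"cleartext userPassword with {{{header}}} header"
        return None, f"userPassword is a one-way {{{header.upper()}}} hash: bind-only (PAP/GTC), no MSCHAPv2"
    return nt_hash(pw), "cleartext userPassword"


# Constructed sample entries (hash string and names are invented).
SAMPLE_ENTRIES = {
    # Typical OpenLDAP account created with slappasswd: salted SHA-1, one-way.
    "utest": {"uid": "utest", "userPassword": "{SSHA}8n5nN1Q+0wVhX5p9aTb0J2xwOqYx7m1F"},
    # Account extended with the Samba schema: usable for MSCHAPv2 directly.
    "sambauser": {"uid": "sambauser", "sambaNtPassword": "8846f7eaee8fb117ad06bdd830b7586c"},
    # Cleartext storage: the mschap module hashes it itself.
    "clearuser": {"uid": "clearuser", "userPassword": "{clear}password"},
}


def evaluate_directory(entries: dict = SAMPLE_ENTRIES) -> dict:
    """Map uid -> (nt_hash_or_None, reason) for every entry."""
    return {uid: nt_password_source(e) for uid, e in entries.items()}


if __name__ == "__main__":
    for uid, (nt, why) in evaluate_directory().items():
        print(f"{uid:10s} {'MSCHAPv2 OK  ' if nt else 'MSCHAPv2 FAIL'} {why}")
```

The utest entry reproduces the situation in the log: the search succeeds (nentries=1) but nothing it returns can be turned into an NT hash. In practice the choice is either to store an NT hash alongside userPassword (for example the Samba sambaNTPassword attribute) for accounts that must use PEAP-MSCHAPv2, or to move to an inner method that can be verified with an LDAP bind, such as TTLS with PAP inside.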
      stephenw10 Netgate Administrator
      last edited by Oct 11, 2022, 1:32 PM

      I'd guess that's probably because FreeRADIUS is trying to retrieve the user's password from LDAP in order to authenticate itself, but LDAP is not configured to do that. So you need to change that so FreeRADIUS allows LDAP to do the authentication.

      Steve

        mkal @stephenw10
        last edited by Oct 11, 2022, 2:44 PM

        @stephenw10 Hi Steve,

        Thanks for your answer,

        What should I change, in your opinion?

        Config files here:

        radius.conf

        /usr/local/etc/raddb/mods-enabled/eap

        EAP

        eap {
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 4096

        md5 {
        }
        gtc {
        	#challenge = "Password: "
        	auth_type = PAP
        }
        	pwd {
        		group = 19
        		server_id = theserver@example.com
        		fragment_size = 1020
        		virtual_server = "inner-tunnel"
        	}

        tls-config tls-common {
        	# private_key_password = whatever
        	private_key_file = ${certdir}/server_key.pem
        	certificate_file = ${certdir}/server_cert.pem
        	ca_path = ${confdir}/certs
        	ca_file = ${ca_path}/ca_cert.pem
        #	auto_chain = yes
        #	psk_identity = "test"
        #	psk_hexphrase = "036363823"
        	dh_file = ${certdir}/dh
        	random_file = /dev/urandom
        	fragment_size = 1024
        	include_length = yes
        	check_crl = no
        	### check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/emailAddress=test@mycomp.com/CN=myca" ###
        	### check_cert_cn = %{User-Name} ###
        	cipher_list = "DEFAULT"
        	cipher_server_preference = no
        	disable_tlsv1_2 = no

        	ecdh_curve = "prime256v1"
        	tls_min_version = "1.0"
        	cache {
        		enable = no
        		lifetime = 24
        		max_entries = 255
        		#name = "EAP module"
        		#persist_dir = "/tlscache"
        	}
        	verify {
        #		skip_if_ocsp_ok = no
        #		tmpdir = /tmp/radiusd
        #		client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
        	}
        	ocsp {
        		enable = no
        		override_cert_url = no
        		url = "http://127.0.0.1/ocsp/"
        		# use_nonce = yes
        		# timeout = 0
        		# softfail = no
        	}
        }
        tls {
        	tls = tls-common
        #	virtual_server = check-eap-tls
        }
        ttls {
        	tls = tls-common
        	default_eap_type = md5
        	copy_request_to_tunnel = no
        	include_length = yes
        #	require_client_cert = yes
        	virtual_server = "inner-tunnel-ttls"
        	#use_tunneled_reply is deprecated, new method happens in virtual-server
        }	### end ttls
        peap {
        	tls = tls-common
        	default_eap_type = mschapv2
        	copy_request_to_tunnel = no
        #	proxy_tunneled_request_as_eap = yes
        #	require_client_cert = yes
        	### MS SoH Server is disabled ###

        	virtual_server = "inner-tunnel-peap"
        	#use_tunneled_reply is deprecated, new method happens in virtual-server
        }
        mschapv2 {
        	send_error = no
        	identity = "FreeRADIUS"
        }
        fast {
        	tls = tls-common
        	pac_lifetime = 604800
        	authority_identity = "1234"
        	pac_opaque_key = "0123456789abcdef0123456789ABCDEF"
        	virtual_server = inner-tunnel
        }

        }

        EAP

        /usr/local/etc/raddb/mods-enabled/eap

        EAP

        eap {
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 4096

        md5 {
        }
        gtc {
        	#challenge = "Password: "
        	auth_type = PAP
        }
        	pwd {
        		group = 19
        		server_id = theserver@example.com
        		fragment_size = 1020
        		virtual_server = "inner-tunnel"
        	}

        tls-config tls-common {
        	# private_key_password = whatever
        	private_key_file = ${certdir}/server_key.pem
        	certificate_file = ${certdir}/server_cert.pem
        	ca_path = ${confdir}/certs
        	ca_file = ${ca_path}/ca_cert.pem
        #	auto_chain = yes
        #	psk_identity = "test"
        #	psk_hexphrase = "036363823"
        	dh_file = ${certdir}/dh
        	random_file = /dev/urandom
        	fragment_size = 1024
        	include_length = yes
        	check_crl = no
        	### check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/emailAddress=test@mycomp.com/CN=myca" ###
        	### check_cert_cn = %{User-Name} ###
        	cipher_list = "DEFAULT"
        	cipher_server_preference = no
        	disable_tlsv1_2 = no

        	ecdh_curve = "prime256v1"
        	tls_min_version = "1.0"
        	cache {
        		enable = no
        		lifetime = 24
        		max_entries = 255
        		#name = "EAP module"
        		#persist_dir = "/tlscache"
        	}
        	verify {
        #		skip_if_ocsp_ok = no
        #		tmpdir = /tmp/radiusd
        #		client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
        	}
        	ocsp {
        		enable = no
        		override_cert_url = no
        		url = "http://127.0.0.1/ocsp/"
        		# use_nonce = yes
        		# timeout = 0
        		# softfail = no
        	}
        }
        tls {
        	tls = tls-common
        #	virtual_server = check-eap-tls
        }
        ttls {
        	tls = tls-common
        	default_eap_type = md5
        	copy_request_to_tunnel = no
        	include_length = yes
        #	require_client_cert = yes
        	virtual_server = "inner-tunnel-ttls"
        	#use_tunneled_reply is deprecated, new method happens in virtual-server
        }	### end ttls
        peap {
        	tls = tls-common
        	default_eap_type = mschapv2
        	copy_request_to_tunnel = no
        #	proxy_tunneled_request_as_eap = yes
        #	require_client_cert = yes
        	### MS SoH Server is disabled ###

        	virtual_server = "inner-tunnel-peap"
        	#use_tunneled_reply is deprecated, new method happens in virtual-server
        }
        mschapv2 {
        	send_error = no
        	identity = "FreeRADIUS"
        }
        fast {
        	tls = tls-common
        	pac_lifetime = 604800
        	authority_identity = "1234"
        	pac_opaque_key = "0123456789abcdef0123456789ABCDEF"
        	virtual_server = inner-tunnel
        }

        }

        LDAP

        /usr/local/etc/raddb/mods-enabled/ldap
        ldap {
        server = "openldap.atgpedi.net"
        port = "389"
        identity = "cn=pfsense_mtlm,ou=pfsense,ou=applications,dc=atgpedi,dc=net"
        password = 'pfsenGP747'
        base_dn = "dc=atgpedi,dc=net"

        user {
        	base_dn = "${..base_dn}"
        	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        	### access_attr = "dialupAccess" ###
        }
        group {
        	base_dn = "${..base_dn}"
        	filter = '(objectClass=posixGroup)'
        	### name_attribute = cn ###
        	### membership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" ###
        	### membership_attribute = radiusGroupName ###
        	### compare_check_items = yes ###
        	### do_xlat = yes ###
        	### access_attr_used_for_allow = yes ###
        }
        profile {
        	filter = "(objectclass=radiusprofile)"
        	### default_profile = "cn=radprofile,ou=dialup,o=My Company Ltd,c=US" ###
        	### profile_attribute = "radiusProfileDn" ###
        }
        	valuepair_attribute = 'radiusAttribute'

        update {
        	control:Auth-Type		:= 'radiusAuthType'
        	control:Simultaneous-Use	:= 'radiusSimultaneousUse'
        	control:Called-Station-Id	:= 'radiusCalledStationId'
        	control:Calling-Station-Id	:= 'radiusCallingStationId'
        	control:LM-Password		:= 'lmPassword'
        	control:NT-Password		:= 'ntPassword'
        	control:LM-Password		:= 'sambaLmPassword'
        	control:NT-Password		:= 'sambaNtPassword'
        	control:NT-Password		:= 'ipaNTHash'
        	control:LM-Password		:= 'dBCSPwd'
        	control:Password-With-Header	+= 'userPassword'
        	control:SMB-Account-CTRL-TEXT	:= 'acctFlags'
        	control:Expiration		:= 'radiusExpiration'
        	control:NAS-IP-Address		:= 'radiusNASIpAddress'
        	reply:Service-Type		:= 'radiusServiceType'
        	reply:Framed-Protocol		:= 'radiusFramedProtocol'
        	reply:Framed-IP-Address		:= 'radiusFramedIPAddress'
        	reply:Framed-IP-Netmask		:= 'radiusFramedIPNetmask'
        	reply:Framed-Route		:= 'radiusFramedRoute'
        	reply:Framed-Routing		:= 'radiusFramedRouting'
        	reply:Filter-Id			:= 'radiusFilterId'
        	reply:Framed-MTU		:= 'radiusFramedMTU'
        	reply:Framed-Compression	:= 'radiusFramedCompression'
        	reply:Login-IP-Host		:= 'radiusLoginIPHost'
        	reply:Login-Service		:= 'radiusLoginService'
        	reply:Login-TCP-Port		:= 'radiusLoginTCPPort'
        	reply:Callback-Number		:= 'radiusCallbackNumber'
        	reply:Callback-Id		:= 'radiusCallbackId'
        	reply:Framed-IPX-Network	:= 'radiusFramedIPXNetwork'
        	reply:Class			:= 'radiusClass'
        	reply:Session-Timeout		:= 'radiusSessionTimeout'
        	reply:Idle-Timeout		:= 'radiusIdleTimeout'
        	reply:Termination-Action	:= 'radiusTerminationAction'
        	reply:Login-LAT-Service		:= 'radiusLoginLATService'
        	reply:Login-LAT-Node		:= 'radiusLoginLATNode'
        	reply:Login-LAT-Group		:= 'radiusLoginLATGroup'
        	reply:Framed-AppleTalk-Link	:= 'radiusFramedAppleTalkLink'
        	reply:Framed-AppleTalk-Network	:= 'radiusFramedAppleTalkNetwork'
        	reply:Framed-AppleTalk-Zone	:= 'radiusFramedAppleTalkZone'
        	reply:Port-Limit		:= 'radiusPortLimit'
        	reply:Login-LAT-Port		:= 'radiusLoginLATPort'
        	reply:Reply-Message		:= 'radiusReplyMessage'
        	reply:Tunnel-Type		:= 'radiusTunnelType'
        	reply:Tunnel-Medium-Type	:= 'radiusTunnelMediumType'
        	reply:Tunnel-Private-Group-Id	:= 'radiusTunnelPrivateGroupId'
        	control:			+= 'radiusControlAttribute'
        	request:			+= 'radiusRequestAttribute'
        	reply:				+= 'radiusReplyAttribute'
        }
        
        edir_account_policy_check = no
        
        options {
        	idle = 60
        	probes = 3
        	interval = 3
        	### MS Active Directory Compatibility is disabled ###

        	# ldap_debug = 0x0028
        	res_timeout = 4
        	srv_timelimit = 3
        	net_timeout = 1
        }
        
        pool {
        	start = 0
        	min = 5
        	max = 5
        	spare = ${thread[pool].max_spare_servers}
        	uses = 0
        	retry_delay = 30
        	lifetime = 0
        	idle_timeout = 60
        }
        accounting {
        	reference = "%{tolower:type.%{Acct-Status-Type}}"
        	type {
        		start {
        			update {
        				description := "Online at %S"
        			}
        		}
        		interim-update {
        			update {
        				description := "Last seen at %S"
        			}
        		}
        		stop {
        			update {
        				description := "Offline at %S"
        			}
        		}
        	}
        }
        post-auth {
        	update {
        		description := "Authenticated at %S"
        	}
        }
        

        }

        ldap ldap2 {
        server = "ldap.example.com"
        port = "389"
        identity = "cn=admin,o=My Company Ltd,c=US"
        password = ''
        base_dn = "o=My Company Ltd,c=US"

        user {
        	base_dn = "${..base_dn}"
        	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        	### access_attr = "dialupAccess" ###
        }
        group {
        	base_dn = "${..base_dn}"
        	filter = '(objectClass=posixGroup)'
        	### name_attribute = cn ###
        	### membership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" ###
        	### membership_attribute = radiusGroupName ###
        	### compare_check_items = yes ###
        	### do_xlat = yes ###
        	### access_attr_used_for_allow = yes ###
        }
        profile {
        	filter = "(objectclass=radiusprofile)"
        	### default_profile = "cn=radprofile,ou=dialup,o=My Company Ltd,c=US" ###
        	### profile_attribute = "radiusProfileDn" ###
        }
        	valuepair_attribute = 'radiusAttribute'

        update {
        	control:Auth-Type		:= 'radiusAuthType'
        	control:Simultaneous-Use	:= 'radiusSimultaneousUse'
        	control:Called-Station-Id	:= 'radiusCalledStationId'
        	control:Calling-Station-Id	:= 'radiusCallingStationId'
        	control:LM-Password		:= 'lmPassword'
        	control:NT-Password		:= 'ntPassword'
        	control:LM-Password		:= 'sambaLmPassword'
        	control:NT-Password		:= 'sambaNtPassword'
        	control:NT-Password		:= 'ipaNTHash'
        	control:LM-Password		:= 'dBCSPwd'
        	control:Password-With-Header	+= 'userPassword'
        	control:SMB-Account-CTRL-TEXT	:= 'acctFlags'
        	control:Expiration		:= 'radiusExpiration'
        	control:NAS-IP-Address		:= 'radiusNASIpAddress'
        	reply:Service-Type		:= 'radiusServiceType'
        	reply:Framed-Protocol		:= 'radiusFramedProtocol'
        	reply:Framed-IP-Address		:= 'radiusFramedIPAddress'
        	reply:Framed-IP-Netmask		:= 'radiusFramedIPNetmask'
        	reply:Framed-Route		:= 'radiusFramedRoute'
        	reply:Framed-Routing		:= 'radiusFramedRouting'
        	reply:Filter-Id			:= 'radiusFilterId'
        	reply:Framed-MTU		:= 'radiusFramedMTU'
        	reply:Framed-Compression	:= 'radiusFramedCompression'
        	reply:Login-IP-Host		:= 'radiusLoginIPHost'
        	reply:Login-Service		:= 'radiusLoginService'
        	reply:Login-TCP-Port		:= 'radiusLoginTCPPort'
        	reply:Callback-Number		:= 'radiusCallbackNumber'
        	reply:Callback-Id		:= 'radiusCallbackId'
        	reply:Framed-IPX-Network	:= 'radiusFramedIPXNetwork'
        	reply:Class			:= 'radiusClass'
        	reply:Session-Timeout		:= 'radiusSessionTimeout'
        	reply:Idle-Timeout		:= 'radiusIdleTimeout'
        	reply:Termination-Action	:= 'radiusTerminationAction'
        	reply:Login-LAT-Service		:= 'radiusLoginLATService'
        	reply:Login-LAT-Node		:= 'radiusLoginLATNode'
        	reply:Login-LAT-Group		:= 'radiusLoginLATGroup'
        	reply:Framed-AppleTalk-Link	:= 'radiusFramedAppleTalkLink'
        	reply:Framed-AppleTalk-Network	:= 'radiusFramedAppleTalkNetwork'
        	reply:Framed-AppleTalk-Zone	:= 'radiusFramedAppleTalkZone'
        	reply:Port-Limit		:= 'radiusPortLimit'
        	reply:Login-LAT-Port		:= 'radiusLoginLATPort'
        	reply:Reply-Message		:= 'radiusReplyMessage'
        	reply:Tunnel-Type		:= 'radiusTunnelType'
        	reply:Tunnel-Medium-Type	:= 'radiusTunnelMediumType'
        	reply:Tunnel-Private-Group-Id	:= 'radiusTunnelPrivateGroupId'
        	control:			+= 'radiusControlAttribute'
        	request:			+= 'radiusRequestAttribute'
        	reply:				+= 'radiusReplyAttribute'
        }
        
        edir_account_policy_check = no
        
        options {
        	idle = 60
        	probes = 3
        	interval = 3
        	### MS Active Directory Compatibility is disabled ###

        	# ldap_debug = 0x0028
        	res_timeout = 4
        	srv_timelimit = 3
        	net_timeout = 1
        }
        pool {
        	start = 0
        	min = 5
        	max = 5
        	spare = ${thread[pool].max_spare_servers}
        	uses = 0
        	retry_delay = 30
        	lifetime = 0
        	idle_timeout = 60
        }
        accounting {
        	reference = "%{tolower:type.%{Acct-Status-Type}}"
        	type {
        		start {
        			update {
        				description := "Online at %S"
        			}
        		}
        		interim-update {
        			update {
        				description := "Last seen at %S"
        			}
        		}
        		stop {
        			update {
        				description := "Offline at %S"
        			}
        		}
        	}
        }
        post-auth {
        	update {
        		description := "Authenticated at %S"
        	}
        }
        

        }

          stephenw10 Netgate Administrator
          last edited by Oct 11, 2022, 4:05 PM

          Did you include the EAP file twice there?

            mkal @stephenw10
            last edited by Oct 12, 2022, 7:41 AM

            @stephenw10
            Never mind, I gave up on the freeradius package and I'll use a FreeRADIUS server with my users stored in openLDAP.

            Thanks for your help.

            mkal

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.