Netgate Discussion Forum

    issue using freeradius3 package with ldap

    General pfSense Questions
    5 Posts 2 Posters 688 Views
    mkal:

      Hi,

      I ran into an issue trying to authenticate a W10 machine with the freeradius package on pfSense (wired local network with a Netgear switch).

      I use the freeradius3 package on pfSense, and I have an openLDAP server.

      I entered the information about my openLDAP server in the "LDAP" part of freeradius on pfSense.

      I can authenticate the W10 machine using a user created on pfSense, but when I try to authenticate it with a user from my openLDAP, I get this error message in the system log of pfSense:

      (20) Login incorrect (mschap: FAILED: No NT-Password. Cannot perform authentication): [utest] (from client netgear port 0 via TLS tunnel)

      (21) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [utest] (from client netgear port 8 cli 18-60-24-11-17-57)

      Log from /var/log/slapd.log:

      Oct 11 11:31:02 openldap-test slapd[1074]: conn=1015 op=8 SEARCH RESULT tag=101 err=0 nentries=1 text=
      Oct 11 11:31:02 openldap-test slapd[1074]: conn=1021 op=1 SRCH base="dc=atgpedi,dc=net" scope=2 deref=0 filter="(uid=utest)"
      Oct 11 11:31:02 openldap-test slapd[1074]: conn=1021 op=1 SRCH attr=radiusAuthType radiusSimultaneousUse radiusCalledStationId radiusCallingStationId lmPassword ntPassword sambaLmPassword sambaNtPassword ipaNTHash dBCSPwd userPassword acctFlags radiusExpiration radiusNASIpAddress radiusServiceType radiusFramedProtocol radiusFramedIPAddress radiusFramedIPNetmask radiusFramedRoute radiusFramedRouting radiusFilterId radiusFramedMTU radiusFramedCompression radiusLoginIPHost radiusLoginService radiusLoginTCPPort radiusCallbackNumber radiusCallbackId radiusFramedIPXNetwork radiusClass radiusSessionTimeout radiusIdleTimeout radiusTerminationAction radiusLoginLATService radiusLoginLATNode radiusLoginLATGroup radiusFramedAppleTalkLink radiusFramedAppleTalkNetwork radiusFramedAppleTalkZone radiusPortLimit radiusLoginLATPort radiusReplyMessage radiusTunnelType radiusTunnelMediumType radiusTunnelPrivateGroupId radiusControlAttribute radiusRequestAttribute radiusReplyAttribute

      Could anyone help me with it?

      stephenw10 (Netgate Administrator):

        I'd guess that's probably because Freeradius is trying to retrieve the user's password from LDAP in order to authenticate itself, but LDAP is not configured to do that. So you need to change that so Freeradius allows LDAP to do the authentication.

        Steve

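Steve's diagnosis worked through in code, as an added example that is not part of the thread or of the pfSense package: it mirrors the attribute mapping the pfSense ldap module uses for NT-Password and Password-With-Header (ntPassword, sambaNtPassword, ipaNTHash, userPassword, the same attributes listed in the slapd SRCH line above) to decide which credential mschap would receive, correlates the slapd SRCH and SEARCH RESULT lines, and goes one step beyond the thread by stating what would let PEAP-MSCHAPv2 succeed. The log lines and LDAP entries are constructed, and the assumption that an unprefixed userPassword is treated as cleartext is marked in the code.

```python
import re

# Attributes the pfSense ldap module maps onto control:NT-Password and onto
# control:Password-With-Header; compared case-insensitively, as LDAP does.
NT_HASH_ATTRS = ("ntpassword", "sambantpassword", "ipanthash")
PASSWORD_ATTR = "userpassword"
# Headers the pap module turns into Cleartext-Password, from which mschap can
# derive the NT hash itself (assumption: an unprefixed value counts as clear).
# One-way schemes such as {SSHA}, OpenLDAP's usual storage, give mschap nothing.
CLEARTEXT_HEADERS = {"", "clear", "cleartext"}

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="[^"]*" .*filter="([^"]*)"')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) SEARCH RESULT .*nentries=(\d+)")

def password_header(value):
    """Lowercase scheme of a {SCHEME}payload value, '' if there is no header."""
    m = re.match(r"\{([^}]+)\}", value)
    return m.group(1).lower() if m else ""

def mschap_credential_source(entry):
    """What mschap would get from this entry: 'nt-hash', 'cleartext' or
    'none' (the 'No NT-Password. Cannot perform authentication' reject)."""
    attrs = {k.lower(): v for k, v in entry.items()}
    if any(attrs.get(a) for a in NT_HASH_ATTRS):
        return "nt-hash"
    if any(password_header(v) in CLEARTEXT_HEADERS
           for v in attrs.get(PASSWORD_ATTR, [])):
        return "cleartext"
    return "none"

def search_entries(slapd_lines, uid):
    """Correlate the SRCH for (uid=<uid>) with the SEARCH RESULT on the same
    conn/op and return its nentries, or None if no result line was logged."""
    wanted = None
    for line in slapd_lines:
        m = SRCH_RE.search(line)
        if m and m.group(3) == "(uid=%s)" % uid:
            wanted = (m.group(1), m.group(2))
        m = RESULT_RE.search(line)
        if m and wanted == (m.group(1), m.group(2)):
            return int(m.group(3))
    return None

def diagnose(slapd_lines, uid, entry):
    """Verdict for one rejected login, from the slapd log plus the user's entry
    as the bind DN sees it."""
    if search_entries(slapd_lines, uid) == 0:
        return "user-not-found"      # user{} filter or base_dn is wrong
    if mschap_credential_source(entry) != "none":
        return "mschap-ok"
    # Entry found, but neither an NT hash nor a cleartext password is readable
    # by the bind DN (OpenLDAP's default ACL hides userPassword from everyone
    # but the user itself, and stores it as {SSHA}). MSCHAPv2 cannot be done
    # through an LDAP bind, so either publish an NT hash (sambaNTPassword,
    # ipaNTHash) or use an inner method that can bind (PAP or GTC).
    return "no-nt-password"

# Constructed sample log modelled on the post's slapd lines (the post omitted
# the SEARCH RESULT for conn=1021) and two constructed views of uid=utest.
SAMPLE_SLAPD_LOG = [
    'Oct 11 11:31:02 openldap-test slapd[1074]: conn=1021 op=1 SRCH base="dc=atgpedi,dc=net" scope=2 deref=0 filter="(uid=utest)"',
    'Oct 11 11:31:02 openldap-test slapd[1074]: conn=1021 op=1 SRCH attr=radiusAuthType ntPassword sambaNtPassword userPassword',
    'Oct 11 11:31:02 openldap-test slapd[1074]: conn=1021 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=',
]
ENTRY_SSHA_ONLY = {"uid": ["utest"], "userPassword": ["{SSHA}PLACEHOLDER"]}
ENTRY_WITH_NT = {"uid": ["utest"], "sambaNTPassword": ["PLACEHOLDER_NT_HASH"]}
```

Run `diagnose(SAMPLE_SLAPD_LOG, "utest", ENTRY_SSHA_ONLY)` to reproduce the thread's situation (entry found, verdict `no-nt-password`); the second entry shows the same login passing once an NT hash is readable.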
        mkal @stephenw10:

          @stephenw10 Hi Steve,

          Thanks for your answer,

          What should I change, in your opinion?

          Conf files here:

          radius.conf

          /usr/local/etc/raddb/mods-enabled/eap

          EAP

          eap {
          default_eap_type = peap
          timer_expire = 60
          ignore_unknown_eap_types = no
          cisco_accounting_username_bug = no
          max_sessions = 4096

          md5 {
          }
          gtc {
          	#challenge = "Password: "
          	auth_type = PAP
          }
          

          pwd {
          	group = 19
          	server_id = theserver@example.com
          	fragment_size = 1020
          	virtual_server = "inner-tunnel"
          }

          tls-config tls-common {
          	# private_key_password = whatever
          	private_key_file = ${certdir}/server_key.pem
          	certificate_file = ${certdir}/server_cert.pem
          	ca_path = ${confdir}/certs
          	ca_file = ${ca_path}/ca_cert.pem
          #	auto_chain = yes
          #	psk_identity = "test"
          #	psk_hexphrase = "036363823"
          	dh_file = ${certdir}/dh
          	random_file = /dev/urandom
          	fragment_size = 1024
          	include_length = yes
          	check_crl = no
          	### check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/emailAddress=test@mycomp.com/CN=myca" ###
          	### check_cert_cn = %{User-Name} ###
          	cipher_list = "DEFAULT"
          	cipher_server_preference = no
          	disable_tlsv1_2 = no
          	ecdh_curve = "prime256v1"
          	tls_min_version = "1.0"
          	cache {
          		enable = no
          		lifetime = 24
          		max_entries = 255
          		#name = "EAP module"
          		#persist_dir = "/tlscache"
          	}
          	verify {
          #		skip_if_ocsp_ok = no
          #		tmpdir = /tmp/radiusd
          #		client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
          	}
          	ocsp {
          		enable = no
          		override_cert_url = no
          		url = "http://127.0.0.1/ocsp/"
          		# use_nonce = yes
          		# timeout = 0
          		# softfail = no
          	}
          }
          tls {
          	tls = tls-common
          #	virtual_server = check-eap-tls
          }
          ttls {
          	tls = tls-common
          	default_eap_type = md5
          	copy_request_to_tunnel = no
          	include_length = yes
          #	require_client_cert = yes
          	virtual_server = "inner-tunnel-ttls"
          	#use_tunneled_reply is deprecated, new method happens in virtual-server
          }	### end ttls
          peap {
          	tls = tls-common
          	default_eap_type = mschapv2
          	copy_request_to_tunnel = no
          #	proxy_tunneled_request_as_eap = yes
          #	require_client_cert = yes
          	### MS SoH Server is disabled ###
          	virtual_server = "inner-tunnel-peap"
          	#use_tunneled_reply is deprecated, new method happens in virtual-server
          }
          mschapv2 {
          	send_error = no
          	identity = "FreeRADIUS"
          }
          fast {
          	tls = tls-common
          	pac_lifetime = 604800
          	authority_identity = "1234"
          	pac_opaque_key = "0123456789abcdef0123456789ABCDEF"
          	virtual_server = inner-tunnel
          }
          }

          EAP

          /usr/local/etc/raddb/mods-enabled/eap

          EAP

          eap {
          default_eap_type = peap
          timer_expire = 60
          ignore_unknown_eap_types = no
          cisco_accounting_username_bug = no
          max_sessions = 4096

          md5 {
          }
          gtc {
          	#challenge = "Password: "
          	auth_type = PAP
          }
          

          pwd {
          	group = 19
          	server_id = theserver@example.com
          	fragment_size = 1020
          	virtual_server = "inner-tunnel"
          }

          tls-config tls-common {
          	# private_key_password = whatever
          	private_key_file = ${certdir}/server_key.pem
          	certificate_file = ${certdir}/server_cert.pem
          	ca_path = ${confdir}/certs
          	ca_file = ${ca_path}/ca_cert.pem
          #	auto_chain = yes
          #	psk_identity = "test"
          #	psk_hexphrase = "036363823"
          	dh_file = ${certdir}/dh
          	random_file = /dev/urandom
          	fragment_size = 1024
          	include_length = yes
          	check_crl = no
          	### check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/emailAddress=test@mycomp.com/CN=myca" ###
          	### check_cert_cn = %{User-Name} ###
          	cipher_list = "DEFAULT"
          	cipher_server_preference = no
          	disable_tlsv1_2 = no
          	ecdh_curve = "prime256v1"
          	tls_min_version = "1.0"
          	cache {
          		enable = no
          		lifetime = 24
          		max_entries = 255
          		#name = "EAP module"
          		#persist_dir = "/tlscache"
          	}
          	verify {
          #		skip_if_ocsp_ok = no
          #		tmpdir = /tmp/radiusd
          #		client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
          	}
          	ocsp {
          		enable = no
          		override_cert_url = no
          		url = "http://127.0.0.1/ocsp/"
          		# use_nonce = yes
          		# timeout = 0
          		# softfail = no
          	}
          }
          tls {
          	tls = tls-common
          #	virtual_server = check-eap-tls
          }
          ttls {
          	tls = tls-common
          	default_eap_type = md5
          	copy_request_to_tunnel = no
          	include_length = yes
          #	require_client_cert = yes
          	virtual_server = "inner-tunnel-ttls"
          	#use_tunneled_reply is deprecated, new method happens in virtual-server
          }	### end ttls
          peap {
          	tls = tls-common
          	default_eap_type = mschapv2
          	copy_request_to_tunnel = no
          #	proxy_tunneled_request_as_eap = yes
          #	require_client_cert = yes
          	### MS SoH Server is disabled ###
          	virtual_server = "inner-tunnel-peap"
          	#use_tunneled_reply is deprecated, new method happens in virtual-server
          }
          mschapv2 {
          	send_error = no
          	identity = "FreeRADIUS"
          }
          fast {
          	tls = tls-common
          	pac_lifetime = 604800
          	authority_identity = "1234"
          	pac_opaque_key = "0123456789abcdef0123456789ABCDEF"
          	virtual_server = inner-tunnel
          }
          }

          LDAP

          /usr/local/etc/raddb/mods-enabled/ldap
          ldap {
          server = "openldap.atgpedi.net"
          port = "389"
          identity = "cn=pfsense_mtlm,ou=pfsense,ou=applications,dc=atgpedi,dc=net"
          password = 'pfsenGP747'
          base_dn = "dc=atgpedi,dc=net"

          user {
          	base_dn = "${..base_dn}"
          	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
          	### access_attr = "dialupAccess" ###
          }
          group {
          	base_dn = "${..base_dn}"
          	filter = '(objectClass=posixGroup)'
          	### name_attribute = cn ###
          	### membership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" ###
          	### membership_attribute = radiusGroupName ###
          	### compare_check_items = yes ###
          	### do_xlat = yes ###
          	### access_attr_used_for_allow = yes ###
          }
          profile {
          	filter = "(objectclass=radiusprofile)"
          	### default_profile = "cn=radprofile,ou=dialup,o=My Company Ltd,c=US" ###
          	### profile_attribute = "radiusProfileDn" ###
          }
          

          valuepair_attribute = 'radiusAttribute'

          update {
          	control:Auth-Type		:= 'radiusAuthType'
          	control:Simultaneous-Use	:= 'radiusSimultaneousUse'
          	control:Called-Station-Id	:= 'radiusCalledStationId'
          	control:Calling-Station-Id	:= 'radiusCallingStationId'
          	control:LM-Password		:= 'lmPassword'
          	control:NT-Password		:= 'ntPassword'
          	control:LM-Password		:= 'sambaLmPassword'
          	control:NT-Password		:= 'sambaNtPassword'
          	control:NT-Password		:= 'ipaNTHash'
          	control:LM-Password		:= 'dBCSPwd'
          	control:Password-With-Header	+= 'userPassword'
          	control:SMB-Account-CTRL-TEXT	:= 'acctFlags'
          	control:Expiration		:= 'radiusExpiration'
          	control:NAS-IP-Address		:= 'radiusNASIpAddress'
          	reply:Service-Type		:= 'radiusServiceType'
          	reply:Framed-Protocol		:= 'radiusFramedProtocol'
          	reply:Framed-IP-Address		:= 'radiusFramedIPAddress'
          	reply:Framed-IP-Netmask		:= 'radiusFramedIPNetmask'
          	reply:Framed-Route		:= 'radiusFramedRoute'
          	reply:Framed-Routing		:= 'radiusFramedRouting'
          	reply:Filter-Id			:= 'radiusFilterId'
          	reply:Framed-MTU		:= 'radiusFramedMTU'
          	reply:Framed-Compression	:= 'radiusFramedCompression'
          	reply:Login-IP-Host		:= 'radiusLoginIPHost'
          	reply:Login-Service		:= 'radiusLoginService'
          	reply:Login-TCP-Port		:= 'radiusLoginTCPPort'
          	reply:Callback-Number		:= 'radiusCallbackNumber'
          	reply:Callback-Id		:= 'radiusCallbackId'
          	reply:Framed-IPX-Network	:= 'radiusFramedIPXNetwork'
          	reply:Class			:= 'radiusClass'
          	reply:Session-Timeout		:= 'radiusSessionTimeout'
          	reply:Idle-Timeout		:= 'radiusIdleTimeout'
          	reply:Termination-Action	:= 'radiusTerminationAction'
          	reply:Login-LAT-Service		:= 'radiusLoginLATService'
          	reply:Login-LAT-Node		:= 'radiusLoginLATNode'
          	reply:Login-LAT-Group		:= 'radiusLoginLATGroup'
          	reply:Framed-AppleTalk-Link	:= 'radiusFramedAppleTalkLink'
          	reply:Framed-AppleTalk-Network	:= 'radiusFramedAppleTalkNetwork'
          	reply:Framed-AppleTalk-Zone	:= 'radiusFramedAppleTalkZone'
          	reply:Port-Limit		:= 'radiusPortLimit'
          	reply:Login-LAT-Port		:= 'radiusLoginLATPort'
          	reply:Reply-Message		:= 'radiusReplyMessage'
          	reply:Tunnel-Type		:= 'radiusTunnelType'
          	reply:Tunnel-Medium-Type	:= 'radiusTunnelMediumType'
          	reply:Tunnel-Private-Group-Id	:= 'radiusTunnelPrivateGroupId'
          	control:			+= 'radiusControlAttribute'
          	request:			+= 'radiusRequestAttribute'
          	reply:				+= 'radiusReplyAttribute'
          }
          
          edir_account_policy_check = no
          
          options {
          	idle = 60
          	probes = 3
          	interval = 3
          	### MS Active Directory Compatibility is disabled ###
          	# ldap_debug = 0x0028
          	res_timeout = 4
          	srv_timelimit = 3
          	net_timeout = 1
          }
          
          pool {
          	start = 0
          	min = 5
          	max = 5
          	spare = ${thread[pool].max_spare_servers}
          	uses = 0
          	retry_delay = 30
          	lifetime = 0
          	idle_timeout = 60
          }
          accounting {
          	reference = "%{tolower:type.%{Acct-Status-Type}}"
          	type {
          		start {
          			update {
          				description := "Online at %S"
          			}
          		}
          		interim-update {
          			update {
          				description := "Last seen at %S"
          			}
          		}
          		stop {
          			update {
          				description := "Offline at %S"
          			}
          		}
          	}
          }
          post-auth {
          	update {
          		description := "Authenticated at %S"
          	}
          }
          

          }

          ldap ldap2 {
          server = "ldap.example.com"
          port = "389"
          identity = "cn=admin,o=My Company Ltd,c=US"
          password = ''
          base_dn = "o=My Company Ltd,c=US"

          user {
          	base_dn = "${..base_dn}"
          	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
          	### access_attr = "dialupAccess" ###
          }
          group {
          	base_dn = "${..base_dn}"
          	filter = '(objectClass=posixGroup)'
          	### name_attribute = cn ###
          	### membership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" ###
          	### membership_attribute = radiusGroupName ###
          	### compare_check_items = yes ###
          	### do_xlat = yes ###
          	### access_attr_used_for_allow = yes ###
          }
          profile {
          	filter = "(objectclass=radiusprofile)"
          	### default_profile = "cn=radprofile,ou=dialup,o=My Company Ltd,c=US" ###
          	### profile_attribute = "radiusProfileDn" ###
          }
          

          valuepair_attribute = 'radiusAttribute'

          update {
          	control:Auth-Type		:= 'radiusAuthType'
          	control:Simultaneous-Use	:= 'radiusSimultaneousUse'
          	control:Called-Station-Id	:= 'radiusCalledStationId'
          	control:Calling-Station-Id	:= 'radiusCallingStationId'
          	control:LM-Password		:= 'lmPassword'
          	control:NT-Password		:= 'ntPassword'
          	control:LM-Password		:= 'sambaLmPassword'
          	control:NT-Password		:= 'sambaNtPassword'
          	control:NT-Password		:= 'ipaNTHash'
          	control:LM-Password		:= 'dBCSPwd'
          	control:Password-With-Header	+= 'userPassword'
          	control:SMB-Account-CTRL-TEXT	:= 'acctFlags'
          	control:Expiration		:= 'radiusExpiration'
          	control:NAS-IP-Address		:= 'radiusNASIpAddress'
          	reply:Service-Type		:= 'radiusServiceType'
          	reply:Framed-Protocol		:= 'radiusFramedProtocol'
          	reply:Framed-IP-Address		:= 'radiusFramedIPAddress'
          	reply:Framed-IP-Netmask		:= 'radiusFramedIPNetmask'
          	reply:Framed-Route		:= 'radiusFramedRoute'
          	reply:Framed-Routing		:= 'radiusFramedRouting'
          	reply:Filter-Id			:= 'radiusFilterId'
          	reply:Framed-MTU		:= 'radiusFramedMTU'
          	reply:Framed-Compression	:= 'radiusFramedCompression'
          	reply:Login-IP-Host		:= 'radiusLoginIPHost'
          	reply:Login-Service		:= 'radiusLoginService'
          	reply:Login-TCP-Port		:= 'radiusLoginTCPPort'
          	reply:Callback-Number		:= 'radiusCallbackNumber'
          	reply:Callback-Id		:= 'radiusCallbackId'
          	reply:Framed-IPX-Network	:= 'radiusFramedIPXNetwork'
          	reply:Class			:= 'radiusClass'
          	reply:Session-Timeout		:= 'radiusSessionTimeout'
          	reply:Idle-Timeout		:= 'radiusIdleTimeout'
          	reply:Termination-Action	:= 'radiusTerminationAction'
          	reply:Login-LAT-Service		:= 'radiusLoginLATService'
          	reply:Login-LAT-Node		:= 'radiusLoginLATNode'
          	reply:Login-LAT-Group		:= 'radiusLoginLATGroup'
          	reply:Framed-AppleTalk-Link	:= 'radiusFramedAppleTalkLink'
          	reply:Framed-AppleTalk-Network	:= 'radiusFramedAppleTalkNetwork'
          	reply:Framed-AppleTalk-Zone	:= 'radiusFramedAppleTalkZone'
          	reply:Port-Limit		:= 'radiusPortLimit'
          	reply:Login-LAT-Port		:= 'radiusLoginLATPort'
          	reply:Reply-Message		:= 'radiusReplyMessage'
          	reply:Tunnel-Type		:= 'radiusTunnelType'
          	reply:Tunnel-Medium-Type	:= 'radiusTunnelMediumType'
          	reply:Tunnel-Private-Group-Id	:= 'radiusTunnelPrivateGroupId'
          	control:			+= 'radiusControlAttribute'
          	request:			+= 'radiusRequestAttribute'
          	reply:				+= 'radiusReplyAttribute'
          }
          
          edir_account_policy_check = no
          
          options {
          	idle = 60
          	probes = 3
          	interval = 3
          	### MS Active Directory Compatibility is disabled ###
          	# ldap_debug = 0x0028
          	res_timeout = 4
          	srv_timelimit = 3
          	net_timeout = 1
          }
          pool {
          	start = 0
          	min = 5
          	max = 5
          	spare = ${thread[pool].max_spare_servers}
          	uses = 0
          	retry_delay = 30
          	lifetime = 0
          	idle_timeout = 60
          }
          accounting {
          	reference = "%{tolower:type.%{Acct-Status-Type}}"
          	type {
          		start {
          			update {
          				description := "Online at %S"
          			}
          		}
          		interim-update {
          			update {
          				description := "Last seen at %S"
          			}
          		}
          		stop {
          			update {
          				description := "Offline at %S"
          			}
          		}
          	}
          }
          post-auth {
          	update {
          		description := "Authenticated at %S"
          	}
          }
          

          }

          stephenw10 (Netgate Administrator):

            Did you include the EAP file twice there?

            mkal @stephenw10:

              @stephenw10
              Never mind, I gave up on the freeradius package and I'll use a freeradius server with my users stored in openLDAP.

              Thanks for your help.

              mkal
