FreeRadius 3 OpenLDAP and MAC based Auth

classic Classic list List threaded Threaded
3 messages Options
| Threaded
Open this post in threaded view
|

FreeRadius 3 OpenLDAP and MAC based Auth

Jürgen Northe
> On Jan 4, 2019, at 2:35 AM, Jürgen Northe <[hidden email]> wrote:
> >
Hello Alan,
> > I have already a running environment with Freeradius2 + OpenLDAP to provide a simple NAC solution but now its time to setup a replacement with version 3.
>
>   Did you follow the instructions in raddb/README.rst?  There is detail documentation on how to upgrade.
It is not an implace upgrade, I use a fresh installation of CentOS7 1810 with all the packages from the distro. The FR2 is running productive until I swich over.
>
> > So far everything is working but somehow the "authorize" of the client is not "processed". Compared with the version 2, I am missing the
> > rlm_ldap: radiusAuthType -> Auth-Type == Accept
> > along with the other attributes stored in the directory.
>
>   What did you change?  The default configuration works, and returns all attributes it finds in LDAP.
I went through the r2 config and searched for settings I made 7 years ago. Then I searched for the same default values in the FR3 configs and adjusted them with the new settings (IP, hostname, certificate stuff, passwords, ..) . I dumped the LDAP database, copied it to the new server and restored the content.
>
>   And what information is in LDAP?
Here is the result of the LDAP query of the testing laptop .  As you can see, the information regarding the VLAN-ID is stored in radiusProfileDn which I have posted below the query along with the content of ldap module.

 ldapsearch -D "cn=Manager,dc=firma,dc=de" -w  xxxxxxxxxxxxxxxxxxxx -h radldap1-215 -b  "dc=firma,dc=de" -s sub "cn=106530670342"
# extended LDIF
#
# LDAPv3
# base <dc=firma,dc=de> with scope subtree
# filter: cn=106530670342
# requesting: ALL
#

# NBBZ1807-134, 4.notebooks, 172.17.0.0, SUBNET, DHCP Config, firma
 .de
dn: cn=NBBZ1807-134,cn=4.notebooks,cn=172.17.0.0,cn=SUBNET,cn=DHCP Config,dc=j
 unghans-microtec,dc=de
objectClass: radiusprofile
objectClass: dhcpHost
objectClass: top
cn: 10-65-30-67-03-42
cn: 106530670342
cn: NBBZ1807-134
dhcpHWAddress: ethernet 10:65:30:67:03:42
radiusCallingStationId: 10-65-30-67-03-42
radiusReplyMessage: Hello NBBZ1807-134
radiusProfileDn: cn=INTRA,ou=VLAN,ou=profiles,ou=radius,dc=firma,d
 c=de
dhcpStatements: fixed-address 172.17.4.134

# search result
search: 2
result: 0 Success

##### LDAP export:
dn: cn=INTRA,ou=VLAN,ou=profiles,ou=radius,dc=firma,dc=de
objectClass: top
objectClass: organizationalRole
objectClass: radiusprofile
cn: INTRA
radiusAuthType: Accept
radiusTunnelMediumType: IEEE-802
radiusTunnelPrivateGroupId: 170
radiusTunnelType: VLAN

##### ldap module:
ldap ldap1 {
        server = 'radldap1-215'
        identity = "cn=Manager,dc=firma,dc=de"
        password = xxxxxxxxxxxxxxxxxxxxxxxx
        base_dn = "dc=firma,dc=de"
        scope = "sub"
#       filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
        filter = "(|(cn=%{%{Stripped­User­Name}:­%{User­Name}})(macAddress=%{%{Stripped­User­Name}:­%{User­Name}}))"
        set_auth_type = no
        sasl {
        }
#       update {
#               control:Password-With-Header    += 'userPassword'
#               control:                        += 'radiusControlAttribute'
#               request:                        += 'radiusRequestAttribute'
#               reply:                          += 'radiusReplyAttribute'
#       }
        user {
                base_dn = "${..base_dn}"
                filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
                sasl {
                }
}
        group {
                base_dn = "${..base_dn}"
                filter = '(objectClass=posixGroup)'
                membership_attribute = 'memberOf'
        }
        profile {
        }
        client {
                base_dn = "${..base_dn}"
                filter = '(objectClass=radiusClient)'
                template {
                }
                attribute {
                        ipaddr                          = 'radiusClientIdentifier'
                        secret                          = 'radiusClientSecret'
                }
        }
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
               start_tls = no
            }
        profile_attribute = "radiusProfileDn"
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
        accounting {
                reference = "%{tolower:type.%{Acct-Status-Type}}"
                type {
                        start {
                                update {
                                        description := "Online at %S"
                                }
                        }
                        interim-update {
                                update {
                                       description := "Last seen at %S"
                                }
                        }
                        stop {
                                update {
                                        description := "Offline at %S"
                                }
                        }
                }
        }
        post-auth {
                update {
                        description := "Authenticated at %S"
                }
        }
        options {
                chase_referrals = yes
                rebind = yes
                res_timeout = 10
                srv_timelimit = 3
                net_timeout = 1
                idle = 60
                probes = 3
                interval = 3
                ldap_debug = 0x0028
        }
        tls {
        }
        pool {
                start = ${thread[pool].start_servers}
                min = ${thread[pool].min_spare_servers}
                max = ${thread[pool].max_servers}
                spare = ${thread[pool].max_spare_servers}
                uses = 0
                retry_delay = 30
                lifetime = 0
                idle_timeout = 60
        }
}
ldap ldap2 {
        server = 'radldap2-216'
        identity = "cn=Manager,dc=firma,dc=de"
        password = xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        base_dn = "dc=firma,dc=de"
        scope = "sub"
#        filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
        filter = "(|(cn=%{%{Stripped­User­Name}:­%{User­Name}})(macAddress=%{%{Stripped­User­Name}:­%{User­Name}}))"
        set_auth_type = no
        sasl {
        }
#        update {
#               control:Password-With-Header    += 'userPassword'
#               control:                        += 'radiusControlAttribute'
#               request:                        += 'radiusRequestAttribute'
#               reply:                          += 'radiusReplyAttribute'
#        }
        user {
                base_dn = "${..base_dn}"
                filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
                sasl {
                }
        }
        group {
                base_dn = "${..base_dn}"
                filter = '(objectClass=posixGroup)'
                membership_attribute = 'memberOf'
        }
        profile {
        }
        client {
               base_dn = "${..base_dn}"
               filter = '(objectClass=radiusClient)'
               template {
               }
               attribute {
                       ipaddr                          = 'radiusClientIdentifier'
                       secret                          = 'radiusClientSecret'
               }
        }
        accounting {
                reference = "%{tolower:type.%{Acct-Status-Type}}"
                type {
                        start {
                                update {
                                        description := "Online at %S"
                                }
                        }
                        interim-update {
                                update {
                                        description := "Last seen at %S"
                                }
                        }
                        stop {
                                update {
                                        description := "Offline at %S"
                                }
                        }
                }
        }
        post-auth {
                update {
                        description := "Authenticated at %S"
                }
        }
        options {
                chase_referrals = yes
                rebind = yes
                res_timeout = 10
                srv_timelimit = 3
                net_timeout = 1
                idle = 60
                probes = 3
                interval = 3
                ldap_debug = 0x0028
        }
        tls {
        }
        pool {
               start = ${thread[pool].start_servers}
               min = ${thread[pool].min_spare_servers}
               max = ${thread[pool].max_servers}
               spare = ${thread[pool].max_spare_servers}
               uses = 0
               retry_delay = 30
               lifetime = 0
               idle_timeout = 60
        }
}

>
> > I do have a the dictionary_mapping file and the entries in the enabled ldap module
>
>   There is no "dictionary_mapping" file in the LDAP module configuration for v3.  This is one thing that changed...
>
>   You can't just copy your v2 configuration to v3, and expect it to work.  That's what major version number changes mean... the configurations are *not* 100% compatible.
>
> > . I am fighting the whole day with this issue but can't even find hint in he running environment.
> > The Laptop exists in the LDAP (bind ok, object can be found) and has the usual radius attributes like Tunnel-Private-Group-Id set as the LDAP database is restored from the running one.
> >
> > With the following statement in default, I do get an "Accept", but still missing the required attributes like tunnel-type and all the others.

>   You're making random changes without really understanding what's going on.  That's not going to work.
7 years ago I had a 2day training but if you do not need it anymore, you forget things. At the beginning I was very optimistic with a quick success until I reached this state.  So I started to force a authorization with the" if" statement to see if the attributes of the ldap will apear  in the radius log  :)
> > radiusd -X
> > (1) Received Access-Request Id 186 from 192.168.0.7:3437 to 192.168.0.215:1812 length 240
>
>   No, that's an *edited* version of the debug output.  You've deleted information which may be important.  Don't do that.
The only thing I replaced is the company name by "firma" and passwords by xxxxx  the rest 100% is pure the output I got from "radiusd -X"
>
>   Alan DeKok.
Thank you Alan !


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: FreeRadius 3 OpenLDAP and MAC based Auth

Alan DeKok-2
On Jan 7, 2019, at 9:07 AM, Jürgen Northe <[hidden email]> wrote:
>>  Did you follow the instructions in raddb/README.rst?  There is detail documentation on how to upgrade.
> It is not an implace upgrade, I use a fresh installation of CentOS7 1810 with all the packages from the distro. The FR2 is running productive until I swich over.

  OK...

> I went through the r2 config and searched for settings I made 7 years ago. Then I searched for the same default values in the FR3 configs and adjusted them with the new settings (IP, hostname, certificate stuff, passwords, ..) . I dumped the LDAP database, copied it to the new server and restored the content.

  Then FreeRADIUS should be able to find the information in LDAP.

> ##### ldap module:

  We don't need to see that.

  We DO need to see the debug output.

  ALL OF IT.

>>  No, that's an *edited* version of the debug output.  You've deleted information which may be important.  Don't do that.
> The only thing I replaced is the company name by "firma" and passwords by xxxxx  the rest 100% is pure the output I got from "radiusd -X"

  No, it's not.

  Read the documentation:  http://wiki.freeradius.org/list-help

  That tells you what you should post to the list:

* NOT configuration files
* radiusd -X

  When you ignore the documentation, that's bad.  When you make it hard for us to help you, it means it will take longer to fix the problem.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: FreeRadius 3 OpenLDAP and MAC based Auth

Alan Buxey
please send debug output... but i had a quick scan of your config and at
least one big error

filter =
"(|(cn=%{%{Stripped­User­Name}:­%{User­Name}})(macAddress=%{%{Stripped­User­Name}:­%{User­Name}}))"

you've taken the hyphens out of the variable names for some reason. that
wont work.

alan

On Mon, 7 Jan 2019 at 14:14, Alan DeKok <[hidden email]> wrote:

> On Jan 7, 2019, at 9:07 AM, Jürgen Northe <[hidden email]> wrote:
> >>  Did you follow the instructions in raddb/README.rst?  There is detail
> documentation on how to upgrade.
> > It is not an implace upgrade, I use a fresh installation of CentOS7 1810
> with all the packages from the distro. The FR2 is running productive until
> I swich over.
>
>   OK...
>
> > I went through the r2 config and searched for settings I made 7 years
> ago. Then I searched for the same default values in the FR3 configs and
> adjusted them with the new settings (IP, hostname, certificate stuff,
> passwords, ..) . I dumped the LDAP database, copied it to the new server
> and restored the content.
>
>   Then FreeRADIUS should be able to find the information in LDAP.
>
> > ##### ldap module:
>
>   We don't need to see that.
>
>   We DO need to see the debug output.
>
>   ALL OF IT.
>
> >>  No, that's an *edited* version of the debug output.  You've deleted
> information which may be important.  Don't do that.
> > The only thing I replaced is the company name by "firma" and passwords
> by xxxxx  the rest 100% is pure the output I got from "radiusd -X"
>
>   No, it's not.
>
>   Read the documentation:  http://wiki.freeradius.org/list-help
>
>   That tells you what you should post to the list:
>
> * NOT configuration files
> * radiusd -X
>
>   When you ignore the documentation, that's bad.  When you make it hard
> for us to help you, it means it will take longer to fix the problem.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html