Freeradius - LDAP Auth


Freeradius - LDAP Auth

online@berg-ner.de
Hello to everyone,

After reading the whole internet and searching for solutions in vain, I am trying my luck here.

First of all, my goal: it should work quite simply. If you choose the WLAN, you should be able to log in with your LDAP access data.

After trying a lot of things, the same or even new errors keep appearing.
The LDAP connection exists in any case. It finds the user in the exact OU. I already tried it with a certain group (so only if the user is in the group "wlan" can he log in). It could also check the group.

My question is: is it because of some config that it does not work, or is it because of the domain controller?
 
ldap.conf:
-----------------------------------------------------------------------------------------------
ldap {
        server = "ldap://intranet.***.de"
        identity = "INTRANET\*USERNAME*"
        password = "*******"
        base_dn = "DC=intranet,DC=DC,DC=de"

        sasl {
        }

        update {
                control:Password-With-Header    += 'userPassword'
                control:                        += 'radiusControlAttribute'
                request:                        += 'radiusRequestAttribute'
                reply:                          += 'radiusReplyAttribute'
        }

        user {
                base_dn = "${..base_dn}"
                filter = "(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
                sasl {
                }
        }

        group {
                base_dn = 'DC=intranet,DC=*DC*,DC=de'
                filter = '(objectClass=posixGroup)'
                scope = 'sub'
                name_attribute = cn
                membership_filter = "(member=%{control:Ldap-UserDn})"
                membership_attribute = 'memberOf'
        }

        profile {
        }

        client {
                base_dn = "${..base_dn}"
                filter = '(objectClass=radiusClient)'
                template {
                }
                attribute {
                        ipaddr = 'radiusClientIdentifier'
                        secret = 'radiusClientSecret'
                }
        }

        accounting {
                reference = "%{tolower:type.%{Acct-Status-Type}}"

                type {
                        start {
                                update {
                                        description := "Online at %S"
                                }
                        }

                        interim-update {
                                update {
                                        description := "Last seen at %S"
                                }
                        }

                        stop {
                                update {
                                        description := "Offline at %S"
                                }
                        }
                }
        }

        post-auth {
                update {
                        description := "Authenticated at %S"
                }
        }

        options {
                chase_referrals = yes
                rebind = yes
                res_timeout = 10
                srv_timelimit = 3
                net_timeout = 1
                idle = 60
                probes = 3
                interval = 3
                ldap_debug = 0x0028
        }

        tls {
        }

        pool {
                start = ${thread[pool].start_servers}
                min = ${thread[pool].min_spare_servers}
                max = ${thread[pool].max_servers}
                spare = ${thread[pool].max_spare_servers}
                uses = 0
                retry_delay = 30
                lifetime = 0
                idle_timeout = 60
        }
}
 
-----------------------------------------------------------------------------------------------
 
sites-enabled/default and inner-tunnel:
-----------------------------------------------------------------------------------------------
The files are both still standard. The only thing I have added is:

        -ldap
        if ((ok || updated) && User-Password && !control:Auth-Type) {
                update {
                        control:Auth-Type := ldap
                }
        }

in the authorize section.
-----------------------------------------------------------------------------------------------
 
 
freeradius -X:
-----------------------------------------------------------------------------------------------
(7)   Received Access-Request Id 25 from *Accesspoint-IP* to *Radius-Server-IP:1812* length 371
(7)   User-Name = "*USERNAME*"
(7)   NAS-IP-Address = *AccessPoint-IP*
(7)   NAS-Identifier = "TP-Link:B0-BE-76-24-73-FF"
(7)   NAS-Port-Id = "00000001"
(7)   Called-Station-Id = "B0-BE-76-24-73-FF:ldap_auth"
(7)   NAS-Port-Type = Wireless-802.11
(7)   Event-Timestamp = "Nov 25 2020 11:52:42 UTC"
(7)   Service-Type = Framed-User
(7)   Calling-Station-Id = "6A-95-50-D9-1B-DC"
(7)   Connect-Info = "CONNECT 0Mbps 802.11b"
(7)   Acct-Session-Id = "b0be762473ff-357FC6FB8137FBBA"
(7)   Acct-Multi-Session-Id = "97193BFF112F1388"
(7)   WLAN-Pairwise-Cipher = 1027076
(7)   WLAN-Group-Cipher = 1027076
(7)   WLAN-AKM-Suite = 1027073
(7)   Framed-MTU = 1400
(7)   EAP-Message = 0x0238006219001703030057b1de21bae8c7f5d43e9cefcb5c41ba58ac82f19aea43c4ed3c21feb1a2c3d6372f73a55132eb0157bf9792ab55d4ba3674125df5a3bdace00a31a870f5207823f75aaca3a15aa1ba23107d8ccd9cc1f0da3abd0f10c8cb
(7)   State = 0x91de85df97e69c726c333a62068cc31c
(7)   Message-Authenticator = 0xd2c7816cb5763af4c1102989e178783a
(7) Restoring &session-state
(7)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7)   &session-state:TLS-Session-Version = "TLS 1.2"
(7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(7)   authorize {
(7)     policy filter_username {
(7)       if (&User-Name) {
(7)       if (&User-Name)  -> TRUE
(7)       if (&User-Name)  {
(7)         if (&User-Name =~ / /) {
(7)         if (&User-Name =~ / /)  -> FALSE
(7)         if (&User-Name =~ /@[^@]*@/ ) {
(7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)         if (&User-Name =~ /\.\./ ) {
(7)         if (&User-Name =~ /\.\./ )  -> FALSE
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(7)         if (&User-Name =~ /\.$/)  {
(7)         if (&User-Name =~ /\.$/)   -> FALSE
(7)         if (&User-Name =~ /@\./)  {
(7)         if (&User-Name =~ /@\./)   -> FALSE
(7)       } # if (&User-Name)  = notfound
(7)     } # policy filter_username = notfound
(7)     [preprocess] = ok
(7)     [chap] = noop
(7)     [mschap] = noop
(7)     [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "*USERNAME*", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)     [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 56 length 98
(7) eap: Continuing tunnel setup
(7)     [eap] = ok
(7)   } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7)   authenticate {
(7) eap: Expiring EAP session with state 0x6d94a36d6dacb9f9
(7) eap: Finished EAP session with state 0x91de85df97e69c72
(7) eap: Previous EAP request found for state 0x91de85df97e69c72, released from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established.  Decoding tunneled attributes
(7) eap_peap: PEAP state phase2
(7) eap_peap: EAP method MSCHAPv2 (26)
(7) eap_peap: Got tunneled request
(7) eap_peap:   EAP-Message = 0x023800431a0238003e31976c2f5de49266406d03aa536085bfe2000000000000000079adbba2193c9312ebf9719bd0060b3fc13cdb7f8f7aeece00666c6f7269616e62
(7) eap_peap: Setting User-Name to *USERNAME*
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap:   EAP-Message = 0x023800431a0238003e31976c2f5de49266406d03aa536085bfe2000000000000000079adbba2193c9312ebf9719bd0060b3fc13cdb7f8f7aeece00666c6f7269616e62
(7) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap:   User-Name = "*USERNAME*"
(7) eap_peap:   State = 0x6d94a36d6dacb9f97126b7451b802a00
(7) Virtual server inner-tunnel received request
(7)   EAP-Message = 0x023800431a0238003e31976c2f5de49266406d03aa536085bfe2000000000000000079adbba2193c9312ebf9719bd0060b3fc13cdb7f8f7aeece00666c6f7269616e62
(7)   FreeRADIUS-Proxied-To = 127.0.0.1
(7)   User-Name = "*USERNAME*"
(7)   State = 0x6d94a36d6dacb9f97126b7451b802a00
(7) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(7) server inner-tunnel {
(7)   session-state: No cached attributes
(7)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(7)     authorize {
(7)       policy filter_username {
(7)         if (&User-Name) {
(7)         if (&User-Name)  -> TRUE
(7)         if (&User-Name)  {
(7)           if (&User-Name =~ / /) {
(7)           if (&User-Name =~ / /)  -> FALSE
(7)           if (&User-Name =~ /@[^@]*@/ ) {
(7)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)           if (&User-Name =~ /\.\./ ) {
(7)           if (&User-Name =~ /\.\./ )  -> FALSE
(7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(7)           if (&User-Name =~ /\.$/)  {
(7)           if (&User-Name =~ /\.$/)   -> FALSE
(7)           if (&User-Name =~ /@\./)  {
(7)           if (&User-Name =~ /@\./)   -> FALSE
(7)         } # if (&User-Name)  = notfound
(7)       } # policy filter_username = notfound
(7)       [chap] = noop
(7)       [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "*USERNAME*", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)       [suffix] = noop
(7)       update control {
(7)         &Proxy-To-Realm := LOCAL
(7)       } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 56 length 67
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7)       [eap] = updated
(7)       [files] = noop
rlm_ldap (ldap): Reserved connection (1)
(7) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
(7) ldap:    --> (samaccountname=*USERNAME*)
(7) ldap: Performing search in "DC=INTRANET,DC=*DC*,DC=de" with filter "(samaccountname=*USERNAME*)", scope "sub"
(7) ldap: Waiting for search result...
rlm_ldap (ldap): Rebinding to URL ldap://ForestDnsZones.INTRANET.*domain*.de/DC=ForestDnsZones,DC=*DC*,DC=*DC*,DC=de
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://DomainDnsZones.INTRANET.*domain*.de/DC=DomainDnsZones,DC=*DC*,DC=*DC*,DC=de
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(7) ldap: User object found at DN "CN=Name Surname,OU=*OU*,OU=*OU*,OU=*OU*,OU=*OU*,DC=*DC*,DC=*DC,DC=*DC*"
(7) ldap: Processing user attributes
(7) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(7) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Deleting connection (1) - Was referred to a different LDAP server
(7)       [ldap] = ok
(7)       if ((ok || updated) && User-Password && !control:Auth-Type) {
(7)       if ((ok || updated) && User-Password && !control:Auth-Type)  -> FALSE
(7)       [expiration] = noop
(7)       [logintime] = noop
(7)       [pap] = noop
(7)     } # authorize = updated
(7)   Found Auth-Type = eap
(7)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(7)     authenticate {
(7) eap: Expiring EAP session with state 0x6d94a36d6dacb9f9
(7) eap: Finished EAP session with state 0x6d94a36d6dacb9f9
(7) eap: Previous EAP request found for state 0x6d94a36d6dacb9f9, released from the list
(7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) eap_mschapv2:   authenticate {
(7) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
(7) mschap: Creating challenge hash with username: *USERNAME*
(7) mschap: Client is using MS-CHAPv2
(7) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication
(7) mschap: ERROR: MS-CHAP2-Response is incorrect
(7) eap_mschapv2:     [mschap] = reject
(7) eap_mschapv2:   } # authenticate = reject
(7) eap: Sending EAP Failure (code 4) ID 56 length 4
(7) eap: Freeing handler
(7)       [eap] = reject
(7)     } # authenticate = reject
(7)   Failed to authenticate the user
(7)   Using Post-Auth-Type Reject
(7)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(7)     Post-Auth-Type REJECT {
(7) attr_filter.access_reject: EXPAND %{User-Name}
(7) attr_filter.access_reject:    --> *USERNAME*
(7) attr_filter.access_reject: Matched entry DEFAULT at line 11
(7)       [attr_filter.access_reject] = updated
(7)       update outer.session-state {
(7)         &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: FAILED: No NT/LM-Password.  Cannot perform authentication'
(7)       } # update outer.session-state = noop
(7)     } # Post-Auth-Type REJECT = updated
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7)   MS-CHAP-Error = "8E=691 R=1 C=6d62be4a6a391d62280be8faba594674 V=3 M=Authentication rejected"
(7)   EAP-Message = 0x04380004
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: Got tunneled reply code 3
(7) eap_peap:   MS-CHAP-Error = "8E=691 R=1 C=6d62be4a6a391d62280be8faba594674 V=3 M=Authentication rejected"
(7) eap_peap:   EAP-Message = 0x04380004
(7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: Got tunneled reply RADIUS code 3
(7) eap_peap:   MS-CHAP-Error = "8E=691 R=1 C=6d62be4a6a391d62280be8faba594674 V=3 M=Authentication rejected"
(7) eap_peap:   EAP-Message = 0x04380004
(7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: Tunneled authentication was rejected
(7) eap_peap: FAILURE
(7) eap: Sending EAP Request (code 1) ID 57 length 46
(7) eap: EAP session adding &reply:State = 0x91de85df96e79c72
(7)     [eap] = handled
(7)   } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7)   Challenge { ... } # empty sub-section is ignored
(7) session-state: Saving cached attributes
(7)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7)   TLS-Session-Version = "TLS 1.2"
(7)   Module-Failure-Message := "mschap: FAILED: No NT/LM-Password.  Cannot perform authentication"
(7) Sent Access-Challenge Id 25 from *Radius-Server-IP:1812* to *Accesspoint-IP* length 0
(7)   EAP-Message = 0x0139002e1900170303002371c86c4f9605471aebfaa3b34ed5f06357d0eb547c2c853c97853ab157bee0b162981c
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   State = 0x91de85df96e79c726c333a62068cc31c
(7) Finished request
Waking up in 4.8 seconds.
(8) Received Access-Request Id 26 from *Accesspoint-IP* to *Radius-Server-IP:1812* length 319
(8)   User-Name = "*USERNAME*"
(8)   NAS-IP-Address = *AccessPoint-IP*
(8)   NAS-Identifier = "TP-Link:B0-BE-76-24-73-FF"
(8)   NAS-Port-Id = "00000001"
(8)   Called-Station-Id = "B0-BE-76-24-73-FF:ldap_auth"
(8)   NAS-Port-Type = Wireless-802.11
(8)   Event-Timestamp = "Nov 25 2020 11:52:42 UTC"
(8)   Service-Type = Framed-User
(8)   Calling-Station-Id = "6A-95-50-D9-1B-DC"
(8)   Connect-Info = "CONNECT 0Mbps 802.11b"
(8)   Acct-Session-Id = "b0be762473ff-357FC6FB8137FBBA"
(8)   Acct-Multi-Session-Id = "97193BFF112F1388"
(8)   WLAN-Pairwise-Cipher = 1027076
(8)   WLAN-Group-Cipher = 1027076
(8)   WLAN-AKM-Suite = 1027073
(8)   Framed-MTU = 1400
(8)   EAP-Message = 0x0239002e19001703030023b1de21bae8c7f5d5fe5ace2f015bb1493cfc51fce39ec097cb3b7adc33072b2fd5928f
(8)   State = 0x91de85df96e79c726c333a62068cc31c
(8)   Message-Authenticator = 0xd60eadff0ff86f1364a45131245674c1
(8) Restoring &session-state
(8)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(8)   &session-state:TLS-Session-Version = "TLS 1.2"
(8)   &session-state:Module-Failure-Message := "mschap: FAILED: No NT/LM-Password.  Cannot perform authentication"
(8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(8)   authorize {
(8)     policy filter_username {
(8)       if (&User-Name) {
(8)       if (&User-Name)  -> TRUE
(8)       if (&User-Name)  {
(8)         if (&User-Name =~ / /) {
(8)         if (&User-Name =~ / /)  -> FALSE
(8)         if (&User-Name =~ /@[^@]*@/ ) {
(8)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)         if (&User-Name =~ /\.\./ ) {
(8)         if (&User-Name =~ /\.\./ )  -> FALSE
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(8)         if (&User-Name =~ /\.$/)  {
(8)         if (&User-Name =~ /\.$/)   -> FALSE
(8)         if (&User-Name =~ /@\./)  {
(8)         if (&User-Name =~ /@\./)   -> FALSE
(8)       } # if (&User-Name)  = notfound
(8)     } # policy filter_username = notfound
(8)     [preprocess] = ok
(8)     [chap] = noop
(8)     [mschap] = noop
(8)     [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "*USERNAME*", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)     [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 57 length 46
(8) eap: Continuing tunnel setup
(8)     [eap] = ok
(8)   } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8)   authenticate {
(8) eap: Expiring EAP session with state 0x91de85df96e79c72
(8) eap: Finished EAP session with state 0x91de85df96e79c72
(8) eap: Previous EAP request found for state 0x91de85df96e79c72, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established.  Decoding tunneled attributes
(8) eap_peap: PEAP state send tlv failure
(8) eap_peap: Received EAP-TLV response
(8) eap_peap:   ERROR: The users session was previously rejected: returning reject (again.)
(8) eap_peap:   This means you need to read the PREVIOUS messages in the debug output
(8) eap_peap:   to find out the reason why the user was rejected
(8) eap_peap:   Look for "reject" or "fail".  Those earlier messages will tell you
(8) eap_peap:   what went wrong, and how to fix the problem
(8) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
(8) eap: Sending EAP Failure (code 4) ID 57 length 4
(8) eap: Failed in EAP select
(8)     [eap] = invalid
(8)   } # authenticate = invalid
(8) Failed to authenticate the user
(8) Using Post-Auth-Type Reject
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8)   Post-Auth-Type REJECT {
(8) attr_filter.access_reject: EXPAND %{User-Name}
(8) attr_filter.access_reject:    --> *USERNAME*
(8) attr_filter.access_reject: Matched entry DEFAULT at line 11
(8)     [attr_filter.access_reject] = updated
(8)     [eap] = noop
(8)     policy remove_reply_message_if_eap {
(8)       if (&reply:EAP-Message && &reply:Reply-Message) {
(8)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(8)       else {
(8)         [noop] = noop
(8)       } # else = noop
(8)     } # policy remove_reply_message_if_eap = noop
(8)   } # Post-Auth-Type REJECT = updated
(8) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(8) Sending delayed response
(8) Sent Access-Reject Id 26 from *Radius-Server-IP:1812* to *Accesspoint-IP* length 44
(8)   EAP-Message = 0x04390004
(8)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
(0) Cleaning up request packet ID 18 with timestamp +11
(1) Cleaning up request packet ID 19 with timestamp +11
(2) Cleaning up request packet ID 20 with timestamp +11
(3) Cleaning up request packet ID 21 with timestamp +11
(4) Cleaning up request packet ID 22 with timestamp +11
(5) Cleaning up request packet ID 23 with timestamp +11
(6) Cleaning up request packet ID 24 with timestamp +11
(7) Cleaning up request packet ID 25 with timestamp +11
(8) Cleaning up request packet ID 26 with timestamp +11
Ready to process requests

Sincerely yours

Florian Bergner
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
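An added triage helper (not from the post and not FreeRADIUS code) that scans a `radiusd -X` trace for the markers visible in the post above and names the failing module: here the inner PEAP method is MSCHAPv2, which is verified with the NT hash that rlm_ldap cannot read from Active Directory, so the `Auth-Type := ldap` bind rule never fires. The marker strings and the embedded `SAMPLE_TRACE` excerpt are taken from the trace in the post; the function names, the cause labels and the hint wording are my own.

```python
import re

# Debug-line markers that appear in the trace in the post, each tied to one finding.
PATTERNS = {
    "inner_method": re.compile(r"eap_peap: EAP method (\S+) \((\d+)\)"),
    "ldap_user_found": re.compile(r'ldap: User object found at DN "([^"]+)"'),
    "ldap_no_known_good": re.compile(r'ldap: WARNING: No "known good" password added'),
    "ldap_referral": re.compile(r"Was referred to a different LDAP server"),
    "ldap_authtype_rule": re.compile(r"User-Password && !control:Auth-Type\)\s+-> (TRUE|FALSE)"),
    "mschap_no_nt_password": re.compile(r"mschap: ERROR: FAILED: No NT/LM-Password"),
    "mschap_reject": re.compile(r"\[mschap\] = reject"),
    "identity_leak": re.compile(r"Outer and inner identities are the same"),
    "access_reject": re.compile(r"Sent Access-Reject Id (\d+)"),
}

# Excerpt of the radiusd -X trace from the post (placeholders kept as posted),
# embedded here so the example runs offline.
SAMPLE_TRACE = """\
(7) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(7) eap_peap: EAP method MSCHAPv2 (26)
(7) ldap: User object found at DN "CN=Name Surname,OU=*OU*,OU=*OU*,OU=*OU*,OU=*OU*,DC=*DC*,DC=*DC,DC=*DC*"
(7) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
rlm_ldap (ldap): Deleting connection (1) - Was referred to a different LDAP server
(7)       if ((ok || updated) && User-Password && !control:Auth-Type)  -> FALSE
(7) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication
(7) eap_mschapv2:     [mschap] = reject
(8) Sent Access-Reject Id 26 from *Radius-Server-IP:1812* to *Accesspoint-IP* length 44
""".splitlines()


def scan(lines):
    """Record the first match per marker: its captured groups, or True when it has none."""
    found = {}
    for line in lines:
        for name, rx in PATTERNS.items():
            if name in found:
                continue
            m = rx.search(line)
            if m:
                found[name] = m.groups() if m.groups() else True
    return found


def diagnose(found):
    """Turn the findings into a root-cause label plus the fixes that follow from it."""
    hints = []
    if found.get("identity_leak"):
        hints.append("outer and inner identity are equal: set an anonymous outer identity on the clients")
    if "ldap_user_found" not in found:
        hints.append("rlm_ldap never found the user: check base_dn and the samaccountname filter")
    if found.get("ldap_referral"):
        hints.append("the search chased AD referrals (ForestDnsZones/DomainDnsZones) and the connection "
                     "was torn down afterwards: query the global catalog (port 3268) or set chase_referrals = no")
    method = found.get("inner_method", ("unknown", "0"))[0]
    if method == "MSCHAPv2" and found.get("mschap_no_nt_password"):
        cause = "mschap_needs_nt_hash"
        hints.append("PEAP/MSCHAPv2 is verified with the NT hash, and rlm_ldap added no known-good "
                     "password because Active Directory does not expose password hashes over LDAP")
        rule = found.get("ldap_authtype_rule")
        if rule and rule[0] == "FALSE":
            hints.append("the 'Auth-Type := ldap' rule did not fire: the inner request carries MS-CHAP "
                         "attributes rather than User-Password, so no LDAP bind was ever attempted")
        hints.append("either let mschap verify against the domain with ntlm_auth/winbind, or use "
                     "EAP-TTLS with PAP inside the tunnel so that the LDAP bind path applies")
    elif found.get("mschap_reject"):
        cause = "mschap_reject_other"
    elif found.get("access_reject"):
        cause = "rejected_elsewhere"
    else:
        cause = "no_reject_seen"
    return cause, hints


def triage(lines):
    """Convenience wrapper: scan the trace and diagnose it in one call."""
    return diagnose(scan(lines))


if __name__ == "__main__":
    cause, hints = triage(SAMPLE_TRACE)
    print("cause:", cause)
    for hint in hints:
        print(" -", hint)
```

Feed it the full `freeradius -X` output (one line per list element) to get the same verdict on a live trace; unmatched markers simply yield no hint.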

Re: Freeradius - LDAP Auth

Michael Schwartzkopff-3
On 10.12.20 10:49, [hidden email] wrote:

> Hello to everyone,
>  
> after reading the whole internet and searching for solutions, but finding a solution in vain, I try my luck here.
>  
> First of all, my goal: It should work quite simply. If you choose the WLAN you should be able to login with your LDAP - access data.
>  
> After trying a lot of things, the same or even new errors will appear again and again.
> The LDAP connection exists in any case. It finds the user in the exact OU. I tried it already with a certain group (so only if the user is in the group "wlan" he can login). He could also check the group.
>  
> My question is: Is it because of some config that it does not work, or is it because of the domain controller?
>  
> ldap.conf:
> -----------------------------------------------------------------------------------------------
> ldap {
> server = "ldap://intranet.***.de <ldap://intranet.***.de>"
>             identity = "INTRANET\*USERNAME*"
>             password = "*******"
>             base_dn = "DC=intranet,DC=DC,DC=de"
>  
>             sasl {
>             }
>  
> update {
>             control:Password-With-Header    += 'userPassword'
>             control:                        += 'radiusControlAttribute'
>             request:                        += 'radiusRequestAttribute'
>            reply:                          += 'radiusReplyAttribute'
>             }
>  
> user {
>             base_dn = "${..base_dn}"
>             filter = "(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
>             sasl {
>             }
>         }
>  
> group {
>             base_dn = 'DC=intranet,DC=*DC*,DC=de'
>             filter = '(objectClass=posixGroup)'
>             scope = 'sub'
>             name_attribute = cn
>             membership_filter = "(member=%{control:Ldap-UserDn})"
>             membership_attribute = 'memberOf'
>             }
>  
> Profile {
>             }
>  
> client {
>             base_dn = "${..base_dn}"
>             filter = '(objectClass=radiusClient)'
>             template {
>             }
>             attribute {
>                         ipaddr                          = 'radiusClientIdentifier'
>                         secret                          = 'radiusClientSecret'
>             }
>         }
>  
> accounting {
>                 reference = "%{tolower:type.%{Acct-Status-Type}}"
>  
>                 type {
>                         start {
>                                 update {
>                                         description := "Online at %S"
>                                 }
>                         }
>  
>                         interim-update {
>                                 update {
>                                         description := "Last seen at %S"
>                                 }
>                         }
>  
>                         stop {
>                                 update {
>                                         description := "Offline at %S"
>                                 }
>                         }
>                 }
>         }
>  
> post-auth {
>                 update {
>                         description := "Authenticated at %S"
>                 }
>         }
>  
> options {
>                 chase_referrals = yes
>                 rebind = yes
>                 res_timeout = 10
>                 srv_timelimit = 3
>                 net_timeout = 1
>                 idle = 60
>                 probes = 3
>                  interval = 3
>                 ldap_debug = 0x0028
>         }
>  
> Tls {
> }
>  
> pool {
>                 start = ${thread[pool].start_servers}
>                 min = ${thread[pool].min_spare_servers}
>                 max = ${thread[pool].max_servers}
>                 spare = ${thread[pool].max_spare_servers}
>                 uses = 0
>                 retry_delay = 30
>  
>     lifetime = 0
>                 idle_timeout = 60
>         }
> }
>  
> -----------------------------------------------------------------------------------------------
>  
> Site-enabled/default and Innertunnel:
> -----------------------------------------------------------------------------------------------
> The files are both still standard. The only thing I have added is:
>  
> -ldap
>         if ((ok || updated) && User-Password && !control:Auth-Type) {
>                 update {
>                     control:Auth-Type := ldap
>                 }
>             }
>  
> In the authorize-section.
> -----------------------------------------------------------------------------------------------
>  
>  
> FREERADIUS -X:
> -----------------------------------------------------------------------------------------------
> (7)   Received Access-Request Id 25 from *Accesspoint-IP* to *Radius-Server-IP:1812* length 371
> (7)   User-Name = "*USERNAME*"
> (7)   NAS-IP-Address = *AccessPoint-IP*
> (7)   NAS-Identifier = "TP-Link:B0-BE-76-24-73-FF"
> (7)   NAS-Port-Id = "00000001"
> (7)   Called-Station-Id = "B0-BE-76-24-73-FF:ldap_auth"
> (7)   NAS-Port-Type = Wireless-802.11
> (7)   Event-Timestamp = "Nov 25 2020 11:52:42 UTC"
> (7)   Service-Type = Framed-User
> (7)   Calling-Station-Id = "6A-95-50-D9-1B-DC"
> (7)   Connect-Info = "CONNECT 0Mbps 802.11b"
> (7)   Acct-Session-Id = "b0be762473ff-357FC6FB8137FBBA"
> (7)   Acct-Multi-Session-Id = "97193BFF112F1388"
> (7)   WLAN-Pairwise-Cipher = 1027076
> (7)   WLAN-Group-Cipher = 1027076
> (7)   WLAN-AKM-Suite = 1027073
> (7)   Framed-MTU = 1400
> (7)   EAP-Message = 0x0238006219001703030057b1de21bae8c7f5d43e9cefcb5c41ba58ac82f19aea43c4ed3c21feb1a2c3d6372f73a55132eb0157bf9792ab55d4ba3674125df5a3bdace00a31a870f5207823f75aaca3a15aa1ba23107d8ccd9cc1f0da3abd0f10c8cb
> (7)   State = 0x91de85df97e69c726c333a62068cc31c
> (7)   Message-Authenticator = 0xd2c7816cb5763af4c1102989e178783a
> (7) Restoring &session-state
> (7)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
> (7)   &session-state:TLS-Session-Version = "TLS 1.2"
> (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
> (7)   authorize {
> (7)     policy filter_username {
> (7)       if (&User-Name) {
> (7)       if (&User-Name)  -> TRUE
> (7)       if (&User-Name)  {
> (7)         if (&User-Name =~ / /) {
> (7)         if (&User-Name =~ / /)  -> FALSE
> (7)         if (&User-Name =~ /@[^@]*@/ ) {
> (7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (7)         if (&User-Name =~ /\.\./ ) {
> (7)         if (&User-Name =~ /\.\./ )  -> FALSE
> (7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (7)         if (&User-Name =~ /\.$/)  {
> (7)         if (&User-Name =~ /\.$/)   -> FALSE
> (7)         if (&User-Name =~ /@\./)  {
> (7)         if (&User-Name =~ /@\./)   -> FALSE
> (7)       } # if (&User-Name)  = notfound
> (7)     } # policy filter_username = notfound
> (7)     [preprocess] = ok
> (7)     [chap] = noop
> (7)     [mschap] = noop
> (7)     [digest] = noop
> (7) suffix: Checking for suffix after "@"
> (7) suffix: No '@' in User-Name = "*USERNAME*", looking up realm NULL
> (7) suffix: No such realm "NULL"
> (7)     [suffix] = noop
> (7) eap: Peer sent EAP Response (code 2) ID 56 length 98
> (7) eap: Continuing tunnel setup
> (7)     [eap] = ok
> (7)   } # authorize = ok
> (7) Found Auth-Type = eap
> (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (7)   authenticate {
> (7) eap: Expiring EAP session with state 0x6d94a36d6dacb9f9
> (7) eap: Finished EAP session with state 0x91de85df97e69c72
> (7) eap: Previous EAP request found for state 0x91de85df97e69c72, released from the list
> (7) eap: Peer sent packet with method EAP PEAP (25)
> (7) eap: Calling submodule eap_peap to process data
> (7) eap_peap: Continuing EAP-TLS
> (7) eap_peap: [eaptls verify] = ok
> (7) eap_peap: Done initial handshake
> (7) eap_peap: [eaptls process] = ok
> (7) eap_peap: Session established.  Decoding tunneled attributes
> (7) eap_peap: PEAP state phase2
> (7) eap_peap: EAP method MSCHAPv2 (26)
> (7) eap_peap: Got tunneled request
> (7) eap_peap:   EAP-Message = 0x023800431a0238003e31976c2f5de49266406d03aa536085bfe2000000000000000079adbba2193c9312ebf9719bd0060b3fc13cdb7f8f7aeece00666c6f7269616e62
> (7) eap_peap: Setting User-Name to *USERNAME*
> (7) eap_peap: Sending tunneled request to inner-tunnel
> (7) eap_peap:   EAP-Message = 0x023800431a0238003e31976c2f5de49266406d03aa536085bfe2000000000000000079adbba2193c9312ebf9719bd0060b3fc13cdb7f8f7aeece00666c6f7269616e62
> (7) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
> (7) eap_peap:   User-Name = "*USERNAME*"
> (7) eap_peap:   State = 0x6d94a36d6dacb9f97126b7451b802a00
> (7) Virtual server inner-tunnel received request
> (7)   EAP-Message = 0x023800431a0238003e31976c2f5de49266406d03aa536085bfe2000000000000000079adbba2193c9312ebf9719bd0060b3fc13cdb7f8f7aeece00666c6f7269616e62
> (7)   FreeRADIUS-Proxied-To = 127.0.0.1
> (7)   User-Name = "*USERNAME*"
> (7)   State = 0x6d94a36d6dacb9f97126b7451b802a00
> (7) WARNING: Outer and inner identities are the same.  User privacy is compromised.
> (7) server inner-tunnel {
> (7)   session-state: No cached attributes
> (7)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (7)     authorize {
> (7)       policy filter_username {
> (7)         if (&User-Name) {
> (7)         if (&User-Name)  -> TRUE
> (7)         if (&User-Name)  {
> (7)           if (&User-Name =~ / /) {
> (7)           if (&User-Name =~ / /)  -> FALSE
> (7)           if (&User-Name =~ /@[^@]*@/ ) {
> (7)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (7)           if (&User-Name =~ /\.\./ ) {
> (7)           if (&User-Name =~ /\.\./ )  -> FALSE
> (7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (7)           if (&User-Name =~ /\.$/)  {
> (7)           if (&User-Name =~ /\.$/)   -> FALSE
> (7)           if (&User-Name =~ /@\./)  {
> (7)           if (&User-Name =~ /@\./)   -> FALSE
> (7)         } # if (&User-Name)  = notfound
> (7)       } # policy filter_username = notfound
> (7)       [chap] = noop
> (7)       [mschap] = noop
> (7) suffix: Checking for suffix after "@"
> (7) suffix: No '@' in User-Name = "*USERNAME*", looking up realm NULL
> (7) suffix: No such realm "NULL"
> (7)       [suffix] = noop
> (7)       update control {
> (7)         &Proxy-To-Realm := LOCAL
> (7)       } # update control = noop
> (7) eap: Peer sent EAP Response (code 2) ID 56 length 67
> (7) eap: No EAP Start, assuming it's an on-going EAP conversation
> (7)       [eap] = updated
> (7)       [files] = noop
> rlm_ldap (ldap): Reserved connection (1)
> (7) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
> (7) ldap:    --> (samaccountname=*USERNAME*)
> (7) ldap: Performing search in "DC=INTRANET,DC=*DC*,DC=de" with filter "(samaccountname=*USERNAME*)", scope "sub"
> (7) ldap: Waiting for search result...
> rlm_ldap (ldap): Rebinding to URL ldap://ForestDnsZones.INTRANET.*domain*.de/DC=ForestDnsZones,DC=*DC*,DC=*DC*,DC=de
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Rebinding to URL ldap://DomainDnsZones.INTRANET.*domain*.de/DC=DomainDnsZones,DC=*DC*,DC=*DC*,DC=de
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Bind successful
> (7) ldap: User object found at DN "CN=Name Surname,OU=*OU*,OU=*OU*,OU=*OU*,OU=*OU*,DC=*DC*,DC=*DC,DC=*DC*"
> (7) ldap: Processing user attributes
> (7) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
> (7) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
> rlm_ldap (ldap): Deleting connection (1) - Was referred to a different LDAP server
> (7)       [ldap] = ok
> (7)       if ((ok || updated) && User-Password && !control:Auth-Type) {
> (7)       if ((ok || updated) && User-Password && !control:Auth-Type)  -> FALSE
> (7)       [expiration] = noop
> (7)       [logintime] = noop
> (7)       [pap] = noop
> (7)     } # authorize = updated
> (7)   Found Auth-Type = eap
> (7)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (7)     authenticate {
> (7) eap: Expiring EAP session with state 0x6d94a36d6dacb9f9
> (7) eap: Finished EAP session with state 0x6d94a36d6dacb9f9
> (7) eap: Previous EAP request found for state 0x6d94a36d6dacb9f9, released from the list
> (7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
> (7) eap: Calling submodule eap_mschapv2 to process data
> (7) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (7) eap_mschapv2:   authenticate {
> (7) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
> (7) mschap: Creating challenge hash with username: *USERNAME*
> (7) mschap: Client is using MS-CHAPv2
> (7) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication
> (7) mschap: ERROR: MS-CHAP2-Response is incorrect
> (7) eap_mschapv2:     [mschap] = reject
> (7) eap_mschapv2:   } # authenticate = reject
> (7) eap: Sending EAP Failure (code 4) ID 56 length 4
> (7) eap: Freeing handler
> (7)       [eap] = reject
> (7)     } # authenticate = reject
> (7)   Failed to authenticate the user
> (7)   Using Post-Auth-Type Reject
> (7)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (7)     Post-Auth-Type REJECT {
> (7) attr_filter.access_reject: EXPAND %{User-Name}
> (7) attr_filter.access_reject:    --> *USERNAME*
> (7) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (7)       [attr_filter.access_reject] = updated
> (7)       update outer.session-state {
> (7)         &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: FAILED: No NT/LM-Password.  Cannot perform authentication'
> (7)       } # update outer.session-state = noop
> (7)     } # Post-Auth-Type REJECT = updated
> (7) } # server inner-tunnel
> (7) Virtual server sending reply
> (7)   MS-CHAP-Error = "8E=691 R=1 C=6d62be4a6a391d62280be8faba594674 V=3 M=Authentication rejected"
> (7)   EAP-Message = 0x04380004
> (7)   Message-Authenticator = 0x00000000000000000000000000000000
> (7) eap_peap: Got tunneled reply code 3
> (7) eap_peap:   MS-CHAP-Error = "8E=691 R=1 C=6d62be4a6a391d62280be8faba594674 V=3 M=Authentication rejected"
> (7) eap_peap:   EAP-Message = 0x04380004
> (7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
> (7) eap_peap: Got tunneled reply RADIUS code 3
> (7) eap_peap:   MS-CHAP-Error = "8E=691 R=1 C=6d62be4a6a391d62280be8faba594674 V=3 M=Authentication rejected"
> (7) eap_peap:   EAP-Message = 0x04380004
> (7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
> (7) eap_peap: Tunneled authentication was rejected
> (7) eap_peap: FAILURE
> (7) eap: Sending EAP Request (code 1) ID 57 length 46
> (7) eap: EAP session adding &reply:State = 0x91de85df96e79c72
> (7)     [eap] = handled
> (7)   } # authenticate = handled
> (7) Using Post-Auth-Type Challenge
> (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (7)   Challenge { ... } # empty sub-section is ignored
> (7) session-state: Saving cached attributes
> (7)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
> (7)   TLS-Session-Version = "TLS 1.2"
> (7)   Module-Failure-Message := "mschap: FAILED: No NT/LM-Password.  Cannot perform authentication"
> (7) Sent Access-Challenge Id 25 from *Radius-Server-IP:1812* to *Accesspoint-IP* length 0
> (7)   EAP-Message = 0x0139002e1900170303002371c86c4f9605471aebfaa3b34ed5f06357d0eb547c2c853c97853ab157bee0b162981c
> (7)   Message-Authenticator = 0x00000000000000000000000000000000
> (7)   State = 0x91de85df96e79c726c333a62068cc31c
> (7) Finished request
> Waking up in 4.8 seconds.
> (8) Received Access-Request Id 26 from *Accesspoint-IP* to *Radius-Server-IP:1812* length 319
> (8)   User-Name = "*USERNAME*"
> (8)   NAS-IP-Address = *AccessPoint-IP*
> (8)   NAS-Identifier = "TP-Link:B0-BE-76-24-73-FF"
> (8)   NAS-Port-Id = "00000001"
> (8)   Called-Station-Id = "B0-BE-76-24-73-FF:ldap_auth"
> (8)   NAS-Port-Type = Wireless-802.11
> (8)   Event-Timestamp = "Nov 25 2020 11:52:42 UTC"
> (8)   Service-Type = Framed-User
> (8)   Calling-Station-Id = "6A-95-50-D9-1B-DC"
> (8)   Connect-Info = "CONNECT 0Mbps 802.11b"
> (8)   Acct-Session-Id = "b0be762473ff-357FC6FB8137FBBA"
> (8)   Acct-Multi-Session-Id = "97193BFF112F1388"
> (8)   WLAN-Pairwise-Cipher = 1027076
> (8)   WLAN-Group-Cipher = 1027076
> (8)   WLAN-AKM-Suite = 1027073
> (8)   Framed-MTU = 1400
> (8)   EAP-Message = 0x0239002e19001703030023b1de21bae8c7f5d5fe5ace2f015bb1493cfc51fce39ec097cb3b7adc33072b2fd5928f
> (8)   State = 0x91de85df96e79c726c333a62068cc31c
> (8)   Message-Authenticator = 0xd60eadff0ff86f1364a45131245674c1
> (8) Restoring &session-state
> (8)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
> (8)   &session-state:TLS-Session-Version = "TLS 1.2"
> (8)   &session-state:Module-Failure-Message := "mschap: FAILED: No NT/LM-Password.  Cannot perform authentication"
> (8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
> (8)   authorize {
> (8)     policy filter_username {
> (8)       if (&User-Name) {
> (8)       if (&User-Name)  -> TRUE
> (8)       if (&User-Name)  {
> (8)         if (&User-Name =~ / /) {
> (8)         if (&User-Name =~ / /)  -> FALSE
> (8)         if (&User-Name =~ /@[^@]*@/ ) {
> (8)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (8)         if (&User-Name =~ /\.\./ ) {
> (8)         if (&User-Name =~ /\.\./ )  -> FALSE
> (8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (8)         if (&User-Name =~ /\.$/)  {
> (8)         if (&User-Name =~ /\.$/)   -> FALSE
> (8)         if (&User-Name =~ /@\./)  {
> (8)         if (&User-Name =~ /@\./)   -> FALSE
> (8)       } # if (&User-Name)  = notfound
> (8)     } # policy filter_username = notfound
> (8)     [preprocess] = ok
> (8)     [chap] = noop
> (8)     [mschap] = noop
> (8)     [digest] = noop
> (8) suffix: Checking for suffix after "@"
> (8) suffix: No '@' in User-Name = "*USERNAME*", looking up realm NULL
> (8) suffix: No such realm "NULL"
> (8)     [suffix] = noop
> (8) eap: Peer sent EAP Response (code 2) ID 57 length 46
> (8) eap: Continuing tunnel setup
> (8)     [eap] = ok
> (8)   } # authorize = ok
> (8) Found Auth-Type = eap
> (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (8)   authenticate {
> (8) eap: Expiring EAP session with state 0x91de85df96e79c72
> (8) eap: Finished EAP session with state 0x91de85df96e79c72
> (8) eap: Previous EAP request found for state 0x91de85df96e79c72, released from the list
> (8) eap: Peer sent packet with method EAP PEAP (25)
> (8) eap: Calling submodule eap_peap to process data
> (8) eap_peap: Continuing EAP-TLS
> (8) eap_peap: [eaptls verify] = ok
> (8) eap_peap: Done initial handshake
> (8) eap_peap: [eaptls process] = ok
> (8) eap_peap: Session established.  Decoding tunneled attributes
> (8) eap_peap: PEAP state send tlv failure
> (8) eap_peap: Received EAP-TLV response
> (8) eap_peap:   ERROR: The users session was previously rejected: returning reject (again.)
> (8) eap_peap:   This means you need to read the PREVIOUS messages in the debug output
> (8) eap_peap:   to find out the reason why the user was rejected
> (8) eap_peap:   Look for "reject" or "fail".  Those earlier messages will tell you
> (8) eap_peap:   what went wrong, and how to fix the problem
> (8) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
> (8) eap: Sending EAP Failure (code 4) ID 57 length 4
> (8) eap: Failed in EAP select
> (8)     [eap] = invalid
> (8)   } # authenticate = invalid
> (8) Failed to authenticate the user
> (8) Using Post-Auth-Type Reject
> (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (8)   Post-Auth-Type REJECT {
> (8) attr_filter.access_reject: EXPAND %{User-Name}
> (8) attr_filter.access_reject:    --> *USERNAME*
> (8) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (8)     [attr_filter.access_reject] = updated
> (8)     [eap] = noop
> (8)     policy remove_reply_message_if_eap {
> (8)       if (&reply:EAP-Message && &reply:Reply-Message) {
> (8)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> (8)       else {
> (8)         [noop] = noop
> (8)       } # else = noop
> (8)     } # policy remove_reply_message_if_eap = noop
> (8)   } # Post-Auth-Type REJECT = updated
> (8) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (8) Sending delayed response
> (8) Sent Access-Reject Id 26 from *Radius-Server-IP:1812* to *Accesspoint-IP* length 44
> (8)   EAP-Message = 0x04390004
> (8)   Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 3.8 seconds.
> (0) Cleaning up request packet ID 18 with timestamp +11
> (1) Cleaning up request packet ID 19 with timestamp +11
> (2) Cleaning up request packet ID 20 with timestamp +11
> (3) Cleaning up request packet ID 21 with timestamp +11
> (4) Cleaning up request packet ID 22 with timestamp +11
> (5) Cleaning up request packet ID 23 with timestamp +11
> (6) Cleaning up request packet ID 24 with timestamp +11
> (7) Cleaning up request packet ID 25 with timestamp +11
> (8) Cleaning up request packet ID 26 with timestamp +11
> Ready to process requests
>
> Sincerely yours
>
> Florian Bergner


Hi,

only members of a domain can authenticate against AD. This only works
with a local samba server on the radius server. See:

https://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO


You could also use a different backend (not AD). Then local
authentication would work.


Do not work against the system. Just see what works, and what does not.

http://deployingradius.com/documents/protocols/compatibility.html

http://deployingradius.com/documents/protocols/oracles.html


When you read carefully through your logs, then you will see where the
problem is.


Kind regards,

--

[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
 
Registered office: München, Amtsgericht München (local court): HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein





Re: Freeradius - LDAP Auth

online@berg-ner.de
Hello!

Thanks for the quick answer!

I want to set up the FreeRADIUS server in my company, so logically I have a domain, and I am also trying to connect to the RADIUS server (via an access point) on the company WLAN.

Unfortunately I have no other choice but LDAP authentication. I need to get this to work.

> On 10.12.2020 at 11:43, Michael Schwartzkopff <[hidden email]> wrote:
>
> On 10.12.20 10:49, [hidden email] wrote:
>> Hello to everyone,
>>
>> after reading the whole internet and searching for solutions, but finding a solution in vain, I try my luck here.
>>
>> First of all, my goal: It should work quite simply. If you choose the WLAN you should be able to login with your LDAP - access data.
>>
>> After trying a lot of things, the same or even new errors will appear again and again.
>> The LDAP connection exists in any case. It finds the user in the exact OU. I tried it already with a certain group (so only if the user is in the group "wlan" he can login). He could also check the group.
>>
>> My question is: Is it because of some config that it does not work, or is it because of the domain controller?
>>
>> ldap.conf:
>> -----------------------------------------------------------------------------------------------
>> ldap {
>> server = "ldap://intranet.***.de"
>>            identity = "INTRANET\*USERNAME*"
>>            password = "*******"
>>            base_dn = "DC=intranet,DC=DC,DC=de"
>>
>>            sasl {
>>            }
>>
>> update {
>>            control:Password-With-Header    += 'userPassword'
>>            control:                        += 'radiusControlAttribute'
>>            request:                        += 'radiusRequestAttribute'
>>           reply:                          += 'radiusReplyAttribute'
>>            }
>>
>> user {
>>            base_dn = "${..base_dn}"
>>            filter = "(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
>>            sasl {
>>            }
>>        }
>>
>> group {
>>            base_dn = 'DC=intranet,DC=*DC*,DC=de'
>>            filter = '(objectClass=posixGroup)'
>>            scope = 'sub'
>>            name_attribute = cn
>>            membership_filter = "(member=%{control:Ldap-UserDn})"
>>            membership_attribute = 'memberOf'
>>            }
>>
>> Profile {
>>            }
>>
>> client {
>>            base_dn = "${..base_dn}"
>>            filter = '(objectClass=radiusClient)'
>>            template {
>>            }
>>            attribute {
>>                        ipaddr                          = 'radiusClientIdentifier'
>>                        secret                          = 'radiusClientSecret'
>>            }
>>        }
>>
>> accounting {
>>                reference = "%{tolower:type.%{Acct-Status-Type}}"
>>
>>                type {
>>                        start {
>>                                update {
>>                                        description := "Online at %S"
>>                                }
>>                        }
>>
>>                        interim-update {
>>                                update {
>>                                        description := "Last seen at %S"
>>                                }
>>                        }
>>
>>                        stop {
>>                                update {
>>                                        description := "Offline at %S"
>>                                }
>>                        }
>>                }
>>        }
>>
>> post-auth {
>>                update {
>>                        description := "Authenticated at %S"
>>                }
>>        }
>>
>> options {
>>                chase_referrals = yes
>>                rebind = yes
>>                res_timeout = 10
>>                srv_timelimit = 3
>>                net_timeout = 1
>>                idle = 60
>>                probes = 3
>>                 interval = 3
>>                ldap_debug = 0x0028
>>        }
>>
>> Tls {
>> }
>>
>> pool {
>>                start = ${thread[pool].start_servers}
>>                min = ${thread[pool].min_spare_servers}
>>                max = ${thread[pool].max_servers}
>>                spare = ${thread[pool].max_spare_servers}
>>                uses = 0
>>                retry_delay = 30
>>
>>    lifetime = 0
>>                idle_timeout = 60
>>        }
>> }
>>
>> -----------------------------------------------------------------------------------------------
>>
>> Site-enabled/default and Innertunnel:
>> -----------------------------------------------------------------------------------------------
>> The files are both still standard. The only thing I have added is:
>>
>> -ldap
>>        if ((ok || updated) && User-Password && !control:Auth-Type) {
>>                update {
>>                    control:Auth-Type := ldap
>>                }
>>            }
>>
>> In the authorize-section.
>> -----------------------------------------------------------------------------------------------
>>
>>
>> FREERADIUS -X:
>> -----------------------------------------------------------------------------------------------
>> (7)   Received Access-Request Id 25 from *Accesspoint-IP* to *Radius-Server-IP:1812* length 371
>> (7)   User-Name = "*USERNAME*"
>> (7)   NAS-IP-Address = *AccessPoint-IP*
>> (7)   NAS-Identifier = "TP-Link:B0-BE-76-24-73-FF"
>> (7)   NAS-Port-Id = "00000001"
>> (7)   Called-Station-Id = "B0-BE-76-24-73-FF:ldap_auth"
>> (7)   NAS-Port-Type = Wireless-802.11
>> (7)   Event-Timestamp = "Nov 25 2020 11:52:42 UTC"
>> (7)   Service-Type = Framed-User
>> (7)   Calling-Station-Id = "6A-95-50-D9-1B-DC"
>> (7)   Connect-Info = "CONNECT 0Mbps 802.11b"
>> (7)   Acct-Session-Id = "b0be762473ff-357FC6FB8137FBBA"
>> (7)   Acct-Multi-Session-Id = "97193BFF112F1388"
>> (7)   WLAN-Pairwise-Cipher = 1027076
>> (7)   WLAN-Group-Cipher = 1027076
>> (7)   WLAN-AKM-Suite = 1027073
>> (7)   Framed-MTU = 1400
>> (7)   EAP-Message = 0x0238006219001703030057b1de21bae8c7f5d43e9cefcb5c41ba58ac82f19aea43c4ed3c21feb1a2c3d6372f73a55132eb0157bf9792ab55d4ba3674125df5a3bdace00a31a870f5207823f75aaca3a15aa1ba23107d8ccd9cc1f0da3abd0f10c8cb
>> (7)   State = 0x91de85df97e69c726c333a62068cc31c
>> (7)   Message-Authenticator = 0xd2c7816cb5763af4c1102989e178783a
>> (7) Restoring &session-state
>> (7)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
>> (7)   &session-state:TLS-Session-Version = "TLS 1.2"
>> (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
>> (7)   authorize {
>> (7)     policy filter_username {
>> (7)       if (&User-Name) {
>> (7)       if (&User-Name)  -> TRUE
>> (7)       if (&User-Name)  {
>> (7)         if (&User-Name =~ / /) {
>> (7)         if (&User-Name =~ / /)  -> FALSE
>> (7)         if (&User-Name =~ /@[^@]*@/ ) {
>> (7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
>> (7)         if (&User-Name =~ /\.\./ ) {
>> (7)         if (&User-Name =~ /\.\./ )  -> FALSE
>> (7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
>> (7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
>> (7)         if (&User-Name =~ /\.$/)  {
>> (7)         if (&User-Name =~ /\.$/)   -> FALSE
>> (7)         if (&User-Name =~ /@\./)  {
>> (7)         if (&User-Name =~ /@\./)   -> FALSE
>> (7)       } # if (&User-Name)  = notfound
>> (7)     } # policy filter_username = notfound
>> (7)     [preprocess] = ok
>> (7)     [chap] = noop
>> (7)     [mschap] = noop
>> (7)     [digest] = noop
>> (7) suffix: Checking for suffix after "@"
>> (7) suffix: No '@' in User-Name = "*USERNAME*", looking up realm NULL
>> (7) suffix: No such realm "NULL"
>> (7)     [suffix] = noop
>> (7) eap: Peer sent EAP Response (code 2) ID 56 length 98
>> (7) eap: Continuing tunnel setup
>> (7)     [eap] = ok
>> (7)   } # authorize = ok
>> (7) Found Auth-Type = eap
>> (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
>> (7)   authenticate {
>> (7) eap: Expiring EAP session with state 0x6d94a36d6dacb9f9
>> (7) eap: Finished EAP session with state 0x91de85df97e69c72
>> (7) eap: Previous EAP request found for state 0x91de85df97e69c72, released from the list
>> (7) eap: Peer sent packet with method EAP PEAP (25)
>> (7) eap: Calling submodule eap_peap to process data
>> (7) eap_peap: Continuing EAP-TLS
>> (7) eap_peap: [eaptls verify] = ok
>> (7) eap_peap: Done initial handshake
>> (7) eap_peap: [eaptls process] = ok
>> (7) eap_peap: Session established.  Decoding tunneled attributes
>> (7) eap_peap: PEAP state phase2
>> (7) eap_peap: EAP method MSCHAPv2 (26)
>> (7) eap_peap: Got tunneled request
>> (7) eap_peap:   EAP-Message = 0x023800431a0238003e31976c2f5de49266406d03aa536085bfe2000000000000000079adbba2193c9312ebf9719bd0060b3fc13cdb7f8f7aeece00666c6f7269616e62
>> (7) eap_peap: Setting User-Name to *USERNAME*
>> (7) eap_peap: Sending tunneled request to inner-tunnel
>> (7) eap_peap:   EAP-Message = 0x023800431a0238003e31976c2f5de49266406d03aa536085bfe2000000000000000079adbba2193c9312ebf9719bd0060b3fc13cdb7f8f7aeece00666c6f7269616e62
>> (7) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
>> (7) eap_peap:   User-Name = "*USERNAME*"
>> (7) eap_peap:   State = 0x6d94a36d6dacb9f97126b7451b802a00
>> (7) Virtual server inner-tunnel received request
>> (7)   EAP-Message = 0x023800431a0238003e31976c2f5de49266406d03aa536085bfe2000000000000000079adbba2193c9312ebf9719bd0060b3fc13cdb7f8f7aeece00666c6f7269616e62
>> (7)   FreeRADIUS-Proxied-To = 127.0.0.1
>> (7)   User-Name = "*USERNAME*"
>> (7)   State = 0x6d94a36d6dacb9f97126b7451b802a00
>> (7) WARNING: Outer and inner identities are the same.  User privacy is compromised.
>> (7) server inner-tunnel {
>> (7)   session-state: No cached attributes
>> (7)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
>> (7)     authorize {
>> (7)       policy filter_username {
>> (7)         if (&User-Name) {
>> (7)         if (&User-Name)  -> TRUE
>> (7)         if (&User-Name)  {
>> (7)           if (&User-Name =~ / /) {
>> (7)           if (&User-Name =~ / /)  -> FALSE
>> (7)           if (&User-Name =~ /@[^@]*@/ ) {
>> (7)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
>> (7)           if (&User-Name =~ /\.\./ ) {
>> (7)           if (&User-Name =~ /\.\./ )  -> FALSE
>> (7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
>> (7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
>> (7)           if (&User-Name =~ /\.$/)  {
>> (7)           if (&User-Name =~ /\.$/)   -> FALSE
>> (7)           if (&User-Name =~ /@\./)  {
>> (7)           if (&User-Name =~ /@\./)   -> FALSE
>> (7)         } # if (&User-Name)  = notfound
>> (7)       } # policy filter_username = notfound
>> (7)       [chap] = noop
>> (7)       [mschap] = noop
>> (7) suffix: Checking for suffix after "@"
>> (7) suffix: No '@' in User-Name = "*USERNAME*", looking up realm NULL
>> (7) suffix: No such realm "NULL"
>> (7)       [suffix] = noop
>> (7)       update control {
>> (7)         &Proxy-To-Realm := LOCAL
>> (7)       } # update control = noop
>> (7) eap: Peer sent EAP Response (code 2) ID 56 length 67
>> (7) eap: No EAP Start, assuming it's an on-going EAP conversation
>> (7)       [eap] = updated
>> (7)       [files] = noop
>> rlm_ldap (ldap): Reserved connection (1)
>> (7) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
>> (7) ldap:    --> (samaccountname=*USERNAME*)
>> (7) ldap: Performing search in "DC=INTRANET,DC=*DC*,DC=de" with filter "(samaccountname=*USERNAME*)", scope "sub"
>> (7) ldap: Waiting for search result...
>> rlm_ldap (ldap): Rebinding to URL ldap://ForestDnsZones.INTRANET.*domain*.de/DC=ForestDnsZones,DC=*DC*,DC=*DC*,DC=de
>> rlm_ldap (ldap): Waiting for bind result...
>> rlm_ldap (ldap): Rebinding to URL ldap://DomainDnsZones.INTRANET.*domain*.de/DC=DomainDnsZones,DC=*DC*,DC=*DC*,DC=de
>> rlm_ldap (ldap): Waiting for bind result...
>> rlm_ldap (ldap): Bind successful
>> rlm_ldap (ldap): Bind successful
>> (7) ldap: User object found at DN "CN=Name Surname,OU=*OU*,OU=*OU*,OU=*OU*,OU=*OU*,DC=*DC*,DC=*DC,DC=*DC*"
>> (7) ldap: Processing user attributes
>> (7) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
>> (7) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
>> rlm_ldap (ldap): Deleting connection (1) - Was referred to a different LDAP server
>> (7)       [ldap] = ok
>> (7)       if ((ok || updated) && User-Password && !control:Auth-Type) {
>> (7)       if ((ok || updated) && User-Password && !control:Auth-Type)  -> FALSE
>> (7)       [expiration] = noop
>> (7)       [logintime] = noop
>> (7)       [pap] = noop
>> (7)     } # authorize = updated
>> (7)   Found Auth-Type = eap
>> (7)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
>> (7)     authenticate {
>> (7) eap: Expiring EAP session with state 0x6d94a36d6dacb9f9
>> (7) eap: Finished EAP session with state 0x6d94a36d6dacb9f9
>> (7) eap: Previous EAP request found for state 0x6d94a36d6dacb9f9, released from the list
>> (7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
>> (7) eap: Calling submodule eap_mschapv2 to process data
>> (7) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
>> (7) eap_mschapv2:   authenticate {
>> (7) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
>> (7) mschap: Creating challenge hash with username: *USERNAME*
>> (7) mschap: Client is using MS-CHAPv2
>> (7) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication
>> (7) mschap: ERROR: MS-CHAP2-Response is incorrect
>> (7) eap_mschapv2:     [mschap] = reject
>> (7) eap_mschapv2:   } # authenticate = reject
>> (7) eap: Sending EAP Failure (code 4) ID 56 length 4
>> (7) eap: Freeing handler
>> (7)       [eap] = reject
>> (7)     } # authenticate = reject
>> (7)   Failed to authenticate the user
>> (7)   Using Post-Auth-Type Reject
>> (7)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
>> (7)     Post-Auth-Type REJECT {
>> (7) attr_filter.access_reject: EXPAND %{User-Name}
>> (7) attr_filter.access_reject:    --> *USERNAME*
>> (7) attr_filter.access_reject: Matched entry DEFAULT at line 11
>> (7)       [attr_filter.access_reject] = updated
>> (7)       update outer.session-state {
>> (7)         &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: FAILED: No NT/LM-Password.  Cannot perform authentication'
>> (7)       } # update outer.session-state = noop
>> (7)     } # Post-Auth-Type REJECT = updated
>> (7) } # server inner-tunnel
>> (7) Virtual server sending reply
>> (7)   MS-CHAP-Error = "8E=691 R=1 C=6d62be4a6a391d62280be8faba594674 V=3 M=Authentication rejected"
>> (7)   EAP-Message = 0x04380004
>> (7)   Message-Authenticator = 0x00000000000000000000000000000000
>> (7) eap_peap: Got tunneled reply code 3
>> (7) eap_peap:   MS-CHAP-Error = "8E=691 R=1 C=6d62be4a6a391d62280be8faba594674 V=3 M=Authentication rejected"
>> (7) eap_peap:   EAP-Message = 0x04380004
>> (7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
>> (7) eap_peap: Got tunneled reply RADIUS code 3
>> (7) eap_peap:   MS-CHAP-Error = "8E=691 R=1 C=6d62be4a6a391d62280be8faba594674 V=3 M=Authentication rejected"
>> (7) eap_peap:   EAP-Message = 0x04380004
>> (7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
>> (7) eap_peap: Tunneled authentication was rejected
>> (7) eap_peap: FAILURE
>> (7) eap: Sending EAP Request (code 1) ID 57 length 46
>> (7) eap: EAP session adding &reply:State = 0x91de85df96e79c72
>> (7)     [eap] = handled
>> (7)   } # authenticate = handled
>> (7) Using Post-Auth-Type Challenge
>> (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
>> (7)   Challenge { ... } # empty sub-section is ignored
>> (7) session-state: Saving cached attributes
>> (7)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
>> (7)   TLS-Session-Version = "TLS 1.2"
>> (7)   Module-Failure-Message := "mschap: FAILED: No NT/LM-Password.  Cannot perform authentication"
>> (7) Sent Access-Challenge Id 25 from *Radius-Server-IP:1812* to *Accesspoint-IP* length 0
>> (7)   EAP-Message = 0x0139002e1900170303002371c86c4f9605471aebfaa3b34ed5f06357d0eb547c2c853c97853ab157bee0b162981c
>> (7)   Message-Authenticator = 0x00000000000000000000000000000000
>> (7)   State = 0x91de85df96e79c726c333a62068cc31c
>> (7) Finished request
>> Waking up in 4.8 seconds.
>> (8) Received Access-Request Id 26 from *Accesspoint-IP* to *Radius-Server-IP:1812* length 319
>> (8)   User-Name = "*USERNAME*"
>> (8)   NAS-IP-Address = *AccessPoint-IP*
>> (8)   NAS-Identifier = "TP-Link:B0-BE-76-24-73-FF"
>> (8)   NAS-Port-Id = "00000001"
>> (8)   Called-Station-Id = "B0-BE-76-24-73-FF:ldap_auth"
>> (8)   NAS-Port-Type = Wireless-802.11
>> (8)   Event-Timestamp = "Nov 25 2020 11:52:42 UTC"
>> (8)   Service-Type = Framed-User
>> (8)   Calling-Station-Id = "6A-95-50-D9-1B-DC"
>> (8)   Connect-Info = "CONNECT 0Mbps 802.11b"
>> (8)   Acct-Session-Id = "b0be762473ff-357FC6FB8137FBBA"
>> (8)   Acct-Multi-Session-Id = "97193BFF112F1388"
>> (8)   WLAN-Pairwise-Cipher = 1027076
>> (8)   WLAN-Group-Cipher = 1027076
>> (8)   WLAN-AKM-Suite = 1027073
>> (8)   Framed-MTU = 1400
>> (8)   EAP-Message = 0x0239002e19001703030023b1de21bae8c7f5d5fe5ace2f015bb1493cfc51fce39ec097cb3b7adc33072b2fd5928f
>> (8)   State = 0x91de85df96e79c726c333a62068cc31c
>> (8)   Message-Authenticator = 0xd60eadff0ff86f1364a45131245674c1
>> (8) Restoring &session-state
>> (8)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
>> (8)   &session-state:TLS-Session-Version = "TLS 1.2"
>> (8)   &session-state:Module-Failure-Message := "mschap: FAILED: No NT/LM-Password.  Cannot perform authentication"
>> (8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
>> (8)   authorize {
>> (8)     policy filter_username {
>> (8)       if (&User-Name) {
>> (8)       if (&User-Name)  -> TRUE
>> (8)       if (&User-Name)  {
>> (8)         if (&User-Name =~ / /) {
>> (8)         if (&User-Name =~ / /)  -> FALSE
>> (8)         if (&User-Name =~ /@[^@]*@/ ) {
>> (8)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
>> (8)         if (&User-Name =~ /\.\./ ) {
>> (8)         if (&User-Name =~ /\.\./ )  -> FALSE
>> (8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
>> (8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
>> (8)         if (&User-Name =~ /\.$/)  {
>> (8)         if (&User-Name =~ /\.$/)   -> FALSE
>> (8)         if (&User-Name =~ /@\./)  {
>> (8)         if (&User-Name =~ /@\./)   -> FALSE
>> (8)       } # if (&User-Name)  = notfound
>> (8)     } # policy filter_username = notfound
>> (8)     [preprocess] = ok
>> (8)     [chap] = noop
>> (8)     [mschap] = noop
>> (8)     [digest] = noop
>> (8) suffix: Checking for suffix after "@"
>> (8) suffix: No '@' in User-Name = "*USERNAME*", looking up realm NULL
>> (8) suffix: No such realm "NULL"
>> (8)     [suffix] = noop
>> (8) eap: Peer sent EAP Response (code 2) ID 57 length 46
>> (8) eap: Continuing tunnel setup
>> (8)     [eap] = ok
>> (8)   } # authorize = ok
>> (8) Found Auth-Type = eap
>> (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
>> (8)   authenticate {
>> (8) eap: Expiring EAP session with state 0x91de85df96e79c72
>> (8) eap: Finished EAP session with state 0x91de85df96e79c72
>> (8) eap: Previous EAP request found for state 0x91de85df96e79c72, released from the list
>> (8) eap: Peer sent packet with method EAP PEAP (25)
>> (8) eap: Calling submodule eap_peap to process data
>> (8) eap_peap: Continuing EAP-TLS
>> (8) eap_peap: [eaptls verify] = ok
>> (8) eap_peap: Done initial handshake
>> (8) eap_peap: [eaptls process] = ok
>> (8) eap_peap: Session established.  Decoding tunneled attributes
>> (8) eap_peap: PEAP state send tlv failure
>> (8) eap_peap: Received EAP-TLV response
>> (8) eap_peap:   ERROR: The users session was previously rejected: returning reject (again.)
>> (8) eap_peap:   This means you need to read the PREVIOUS messages in the debug output
>> (8) eap_peap:   to find out the reason why the user was rejected
>> (8) eap_peap:   Look for "reject" or "fail".  Those earlier messages will tell you
>> (8) eap_peap:   what went wrong, and how to fix the problem
>> (8) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
>> (8) eap: Sending EAP Failure (code 4) ID 57 length 4
>> (8) eap: Failed in EAP select
>> (8)     [eap] = invalid
>> (8)   } # authenticate = invalid
>> (8) Failed to authenticate the user
>> (8) Using Post-Auth-Type Reject
>> (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
>> (8)   Post-Auth-Type REJECT {
>> (8) attr_filter.access_reject: EXPAND %{User-Name}
>> (8) attr_filter.access_reject:    --> *USERNAME*
>> (8) attr_filter.access_reject: Matched entry DEFAULT at line 11
>> (8)     [attr_filter.access_reject] = updated
>> (8)     [eap] = noop
>> (8)     policy remove_reply_message_if_eap {
>> (8)       if (&reply:EAP-Message && &reply:Reply-Message) {
>> (8)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
>> (8)       else {
>> (8)         [noop] = noop
>> (8)       } # else = noop
>> (8)     } # policy remove_reply_message_if_eap = noop
>> (8)   } # Post-Auth-Type REJECT = updated
>> (8) Delaying response for 1.000000 seconds
>> Waking up in 0.3 seconds.
>> Waking up in 0.6 seconds.
>> (8) Sending delayed response
>> (8) Sent Access-Reject Id 26 from *Radius-Server-IP:1812* to *Accesspoint-IP* length 44
>> (8)   EAP-Message = 0x04390004
>> (8)   Message-Authenticator = 0x00000000000000000000000000000000
>> Waking up in 3.8 seconds.
>> (0) Cleaning up request packet ID 18 with timestamp +11
>> (1) Cleaning up request packet ID 19 with timestamp +11
>> (2) Cleaning up request packet ID 20 with timestamp +11
>> (3) Cleaning up request packet ID 21 with timestamp +11
>> (4) Cleaning up request packet ID 22 with timestamp +11
>> (5) Cleaning up request packet ID 23 with timestamp +11
>> (6) Cleaning up request packet ID 24 with timestamp +11
>> (7) Cleaning up request packet ID 25 with timestamp +11
>> (8) Cleaning up request packet ID 26 with timestamp +11
>> Ready to process requests
>>
>>
>>
>>
>>
>> Sincerely yours
>>
>> Florian Bergner
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
>
> Hi,
>
> only members of a domain can authenticate against AD. This only works
> with a local samba server on the radius server. See:
>
> https://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO
>
>
> You could also use a different backend (not AD). Then local
> authentication would work.
>
>
> Do not work against the system. Just see what works, and what does not.
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
> http://deployingradius.com/documents/protocols/oracles.html
>
>
> When you read carefully through your logs, then you will see where the
> problem is.
>
>
> Kind regards,
>
> --
>
> sys4 AG
>
> https://sys4.de, +49 (89) 30 90 46 64
> Schleißheimer Straße 26/MG, 80333 München
>
> Registered office: München, Amtsgericht München: HRB 199263
> Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
> Chairman of the supervisory board: Florian Kirstein
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
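The advice quoted above ("read carefully through your logs") applied to the `freeradius -X` output in this thread, as an added example that is not part of the thread or of FreeRADIUS: the script pulls out the few lines that explain the reject (inner method MS-CHAPv2, rlm_ldap finding the user but no "known good" password, rlm_mschap failing for lack of an NT hash, the `Auth-Type := ldap` condition evaluating FALSE, and the referral rebinds) and states what they mean. The sample log is a constructed, redacted excerpt of the thread's requests (7) and (8) with placeholder names and IPs.

```python
"""Triage a `freeradius -X` log for the PEAP failure shown in this thread.
Added example, not code from the thread or from FreeRADIUS; the line shapes
are taken from the rlm_ldap / rlm_mschap / eap_peap output quoted above."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RE_INNER_METHOD = re.compile(r"^\((\d+)\) eap_peap: EAP method (\S+) \((\d+)\)")
RE_USER_DN = re.compile(r'^\((\d+)\) ldap: User object found at DN "([^"]+)"')
RE_NO_KNOWN_PW = re.compile(r'^\((\d+)\) ldap: WARNING: No "known good" password added')
RE_NO_NT_PW = re.compile(r"^\((\d+)\) mschap: ERROR: FAILED: No NT/LM-Password")
RE_LDAP_FALLBACK = re.compile(  # the OP's own condition added to inner-tunnel authorize
    r"^\((\d+)\)\s+if \(\(ok \|\| updated\) && User-Password && !control:Auth-Type\)\s+-> (TRUE|FALSE)")
RE_REJECT = re.compile(r"^\((\d+)\)\s+Sent Access-Reject Id (\d+)")
RE_REFERRAL = re.compile(r"^rlm_ldap \([^)]+\): Rebinding to URL (\S+)")  # no request id on pool lines

@dataclass
class RequestFacts:
    inner_method: Optional[str] = None          # inner EAP method announced by eap_peap
    user_dn: Optional[str] = None               # DN rlm_ldap resolved for the user
    ldap_no_known_password: bool = False        # rlm_ldap could read no password attribute
    mschap_no_nt_password: bool = False         # rlm_mschap had no NT/LM hash to verify with
    ldap_fallback_fired: Optional[bool] = None  # result of the Auth-Type := ldap condition
    rejected: bool = False

@dataclass
class Triage:
    requests: Dict[int, RequestFacts] = field(default_factory=dict)
    referrals: List[str] = field(default_factory=list)

def parse_debug_log(text: str) -> Triage:
    """Collect the facts that matter for this failure, keyed by request number."""
    t = Triage()
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_REFERRAL.match(line):
            t.referrals.append(m.group(1))
            continue
        for rx, attr, value in (
            (RE_INNER_METHOD, "inner_method", lambda m: m.group(2)),
            (RE_USER_DN, "user_dn", lambda m: m.group(2)),
            (RE_NO_KNOWN_PW, "ldap_no_known_password", lambda m: True),
            (RE_NO_NT_PW, "mschap_no_nt_password", lambda m: True),
            (RE_LDAP_FALLBACK, "ldap_fallback_fired", lambda m: m.group(2) == "TRUE"),
            (RE_REJECT, "rejected", lambda m: True),
        ):
            if m := rx.match(line):
                setattr(t.requests.setdefault(int(m.group(1)), RequestFacts()), attr, value(m))
                break
    return t

def diagnose(t: Triage) -> List[str]:
    """A PEAP conversation spans several RADIUS requests (inner MS-CHAPv2 reject in
    (7), outer Access-Reject in (8) above), so facts are merged across requests."""
    facts = list(t.requests.values())
    inner = next((f.inner_method for f in facts if f.inner_method), None)
    user_dn = next((f.user_dn for f in facts if f.user_dn), None)
    fallback = [f.ldap_fallback_fired for f in facts if f.ldap_fallback_fired is not None]
    findings: List[str] = []
    if user_dn:
        findings.append(f"LDAP search works: user resolved to {user_dn}")
    if (inner == "MSCHAPv2" and any(f.ldap_no_known_password for f in facts)
            and any(f.mschap_no_nt_password for f in facts)):
        findings.append(
            "ROOT CAUSE: inner method is MS-CHAPv2, which the server can only verify with the "
            "user's NT hash or cleartext password. rlm_ldap found the user but read no password "
            "attribute (Active Directory does not hand one out), so rlm_mschap had nothing to "
            "check the response against. Fixes: let rlm_mschap call ntlm_auth on a domain-joined "
            "Samba/winbind host, use a backend with a readable password attribute, or use an "
            "inner method that an LDAP bind as the user can check (EAP-TTLS/PAP).")
    if fallback and not any(fallback):
        findings.append("The 'Auth-Type := ldap' fallback never fires: its condition needs "
                        "User-Password, which an MS-CHAPv2 exchange does not carry.")
    if t.referrals:
        findings.append(
            f"{len(t.referrals)} referral(s) chased (chase_referrals = yes): "
            + ", ".join(sorted(set(t.referrals)))
            + ". A subtree search from the AD domain root is referred to the DNS-zone "
            "partitions; pointing base_dn at the users' OU avoids those extra binds.")
    if any(f.rejected for f in facts) and not findings:
        findings.append("Access-Reject seen but no known pattern matched; read the earlier "
                        "'reject'/'fail' lines as eap_peap suggests.")
    return findings

# Constructed sample: redacted excerpt of the thread's (7)/(8) output with placeholder names and IPs.
SAMPLE_LOG = """\
(7) eap_peap: EAP method MSCHAPv2 (26)
rlm_ldap (ldap): Rebinding to URL ldap://ForestDnsZones.INTRANET.example.de/DC=ForestDnsZones,DC=intranet,DC=example,DC=de
rlm_ldap (ldap): Rebinding to URL ldap://DomainDnsZones.INTRANET.example.de/DC=DomainDnsZones,DC=intranet,DC=example,DC=de
(7) ldap: User object found at DN "CN=Name Surname,OU=Users,DC=intranet,DC=example,DC=de"
(7) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(7)       if ((ok || updated) && User-Password && !control:Auth-Type)  -> FALSE
(7) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication
(8) Sent Access-Reject Id 26 from 192.0.2.10:1812 to 192.0.2.20 length 44
"""

if __name__ == "__main__":
    for finding in diagnose(parse_debug_log(SAMPLE_LOG)):
        print("-", finding)
```

Feed it the full `-X` output (`freeradius -X > debug.log`, then `parse_debug_log(open("debug.log").read())`); requests (7) and (8) of this thread produce the four findings in the order LDAP lookup, root cause, fallback condition, referrals.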

Re: Freeradius - LDAP Auth

Michael Schwartzkopff-3
On 10.12.20 11:51, [hidden email] wrote:
> Hello!
>
> thanks for the quick answer!
>
> I want to set up FreeRADIUS in my company, so logically I have a domain, and I am also trying to connect to the RADIUS server (via an access point) on the company WLAN.
>
> Unfortunately I have no other choice but LDAP authentication. I need to get this to work.


If the way you want to go is technically impossible, it makes no sense
to complain.

I told you how it is possible. Read the docs.


Kind regards,

--

sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
