Freeradius to authenticate against Google LDAP


Freeradius to authenticate against Google LDAP

Christian Bednarz
Hi all.

I finally managed to get an Access-Accept in radtest (I apparently forgot to uncomment the ldap section in sites-enabled/default’s authenticate section), so I went on trying to implement the whole FreeRADIUS solution within our Ubiquiti network for VPN. And communication between client, VPN gateway, FreeRADIUS and Google LDAP itself seems to work fine, telling from the debug log, which makes me extremely happy.

But what fails is the authentication part while trying to connect with the built-in VPN client from macOS Big Sur (11.2.0). Here is the log:

(0) Received Access-Request Id 161 from 192.168.4.1:54219 to 192.168.5.119:1812 length 152
(0)   Service-Type = Framed-User
(0)   Framed-Protocol = PPP
(0)   User-Name = "[hidden email]"
(0)   MS-CHAP-Challenge = 0x36169958932d4caae570b84f9d904bc4
(0)   MS-CHAP2-Response = 0x73005bd7ede08f3f079761ea9347b33f9ab1000000000000000006e7f9e1e8a8cf46c100571989fc4c56437a955c64263d4a
(0)   NAS-IP-Address = 127.0.1.1
(0)   NAS-Port = 100000
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(0)     [mschap] = ok
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "lanes-planes.com" for User-Name = "[hidden email]"
(0) suffix: Found realm "lanes-planes.com"
(0) suffix: Adding Stripped-User-Name = "it-test"
(0) suffix: Adding Realm = "lanes-planes.com"
(0) suffix: Authentication realm is LOCAL
(0)     [suffix] = ok
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) files: users: Matched entry DEFAULT at line 181
(0)     [files] = ok
rlm_ldap (ldap): Reserved connection (0)
(0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap:    --> (uid=it-test)
(0) ldap: Performing search in "dc=lanes-planes,dc=com" with filter "(uid=it-test)", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: User object found at DN "uid=it-test,ou=Users,dc=lanes-planes,dc=com"
(0) ldap: Processing user attributes
(0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
rlm_ldap (ldap): Waiting for bind result...
ber_get_next failed.
rlm_ldap (ldap): Bind successful
(0)     [ldap] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0)     if (User-Password) {
(0)     if (User-Password)  -> FALSE
Not doing PAP as Auth-Type is already set.
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = mschap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   authenticate {
(0) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
(0) mschap: Creating challenge hash with username: [hidden email]
(0) mschap: Client is using MS-CHAPv2
(0) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication
(0) mschap: ERROR: MS-CHAP2-Response is incorrect
(0)     [mschap] = reject
(0)   } # authenticate = reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> [hidden email]
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)     [eap] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.9 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 161 from 192.168.5.119:1812 to 192.168.4.1:54219 length 103
(0)   MS-CHAP-Error = "sE=691 R=1 C=5d2530561851dae0ec888c0efaa2434c V=3 M=Authentication rejected"
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 161 with timestamp +43
Ready to process requests

Would anyone be so kind as to point me in the right direction as to what exactly to change in this setup in order to get it to work? Any help much appreciated. I feel quite close to the solution, but I might be lacking the necessary understanding of authentication protocols to get this sorted. :-/ Thank you.

Best regards
Christian

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius to authenticate against Google LDAP

Alan DeKok-2
On Feb 10, 2021, at 4:48 AM, Christian Bednarz <[hidden email]> wrote:
>
> Hi all.
>
> I finally managed to get an Access-Accept in radtest (I apparently forgot to uncomment the ldap section in sites-enabled/default’s authenticate section), so I went on trying to implement the whole FreeRADIUS solution within our Ubiquiti network for VPN. And communication between client, VPN gateway, FreeRADIUS and Google LDAP itself seems to work fine, telling from the debug log, which makes me extremely happy.
>
> But what fails is the authentication part while trying to connect with the built-in VPN client from macOS Big Sur (11.2.0). Here is the log:

  Because OSX is doing MS-CHAP, and the password in Google is incompatible with it.

http://deployingradius.com/documents/protocols/compatibility.html

  It is impossible to use MS-CHAP with Google LDAP.

  Your choices are:

a) make the VPN use clear-text passwords

b) store clear-text password in a DB that your RADIUS server can use.

  Alan DeKok.

