LDAP authentication for Unifi wireless APs


LDAP authentication for Unifi wireless APs

Erwin Rutgers
Hello freeradius community,

To start off, this is my first post to the community, so if there is anything I am doing wrong despite reading the help pages, please point it out to me and it will never happen again.

Then to the plan and the problems: We are using Unifi access points and would like to switch to WPA-Enterprise authentication against our internal LDAP. The LDAP server is a FreeIPA server which contains the username and password for all of our users. After installation of FreeRADIUS, I entered a Cleartext-Password user in /etc/raddb/users and added the APs as clients. In the Unifi controller, I configured a new RADIUS profile pointing to the FreeRADIUS server and added this to a test network. Wireless EAP authentication was successful.
After that, I went on and configured the ldap module with the filters and LDAP settings that apply to our FreeIPA server. That worked too: with a radtest command I got an Access-Accept result with the credentials of a test user in the LDAP server. I have already removed the Cleartext-Password user from the /etc/raddb/users file.

From here on, I'm not quite sure how to get both methods to connect properly. To get LDAP to work in the above test, I mainly wanted to prove that the FreeRADIUS ldap module was able to authenticate against our LDAP at all. To get this to work I uncommented the following section in /etc/raddb/sites-available:
Auth-Type LDAP {
        ldap
}

Your guides specifically state that this should be avoided, and when I ran a wireless connection test, the radiusd -X output gave a pretty clear message stating that setting Auth-Type will not work.
So then, I disabled this section and ran another test. See the attached file: failed_attempt2.txt.
Then I restored the /etc/raddb/mods-config/files/authorize file to its original state and added "ldap" to the /etc/raddb/sites-available/default file instead of the Auth-Type LDAP part.
I ran another test and added the debug information in file freeradius_debug2.

Initially I chose the ldap module instead of the ntlm_auth method because the ldap module allowed for better directory filtering to my liking. I did try to set up a Samba NTLM connection to the FreeIPA server, but the guides did not seem to work for FreeIPA.

I hope this is enough information for anyone to work with. I'm looking forward to your insights.
Thanks in advance and thank you for your time!

Kind regards,
Erwin

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Attachments: failed_attempt2.txt (170K), freeradius_debug2 (103K)

Re: LDAP authentication for Unifi wireless APs

Alan DeKok-2
On Nov 17, 2020, at 6:03 AM, Erwin Rutgers <[hidden email]> wrote:
> Then to the plan and the problems: We are using Unifi access points and would like to switch to WPA-Enterprise authentication against our internal LDAP. The LDAP server is a FreeIPA server which contains the username and password for all of our users. After installation of FreeRADIUS, I entered a Cleartext-Password user in /etc/raddb/users and added the APs as clients. In the Unifi controller, I configured a new RADIUS profile pointing to the FreeRADIUS server and added this to a test network. Wireless EAP authentication was successful.
> After that, I went on and configured the ldap module with the filters and LDAP settings that apply to our FreeIPA server. That worked too: with a radtest command I got an Access-Accept result with the credentials of a test user in the LDAP server. I have already removed the Cleartext-Password user from the /etc/raddb/users file.

  That's good.

> From here on, I'm not quite sure how to get both methods to connect properly. To get LDAP to work in the above test, I mainly wanted to prove that the FreeRADIUS ldap module was able to authenticate against our LDAP at all. To get this to work I uncommented the following section in /etc/raddb/sites-available:
> Auth-Type LDAP {
>         ldap
> }
>
> Your guides specifically state that this should be avoided, and when I ran a wireless connection test, the radiusd -X output gave a pretty clear message stating that setting Auth-Type will not work.

  It will work in *some* cases.  But if the debug output says "it won't work", then it won't work.

> So then, I disabled this section and ran another test. See the attached file: failed_attempt2.txt.
> Then I restored the /etc/raddb/mods-config/files/authorize file to its original state and added "ldap" to the /etc/raddb/sites-available/default file instead of the Auth-Type LDAP part.
> I ran another test and added the debug information in file freeradius_debug2.
>
> Initially I chose the ldap module instead of the ntlm_auth method because the ldap module allowed for better directory filtering to my liking. I did try to set up a Samba NTLM connection to the FreeIPA server, but the guides did not seem to work for FreeIPA.

  You don't need Samba and ntlm_auth for freeipa.

  It's best to _read_ the debug output.  See http://wiki.freeradius.org/radiusd-X   Look for "warning" or "error".  If you're running in a terminal window, warnings will be yellow, and errors will be red.

  In this case:

(1) ldap: Performing search in "cn=users,cn=accounts,dc=enshore,dc=local" with filter "(uid=testuser)", scope "sub"
(1) ldap: Waiting for search result...
(1) ldap: User object found at DN "uid=testuser,cn=users,cn=accounts,dc=enshore,dc=local"
(1) ldap: Processing user attributes
(1) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(1) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)

  Fix that before doing *anything* else.

  LDAP is a database which stores passwords.  FreeRADIUS is an authentication server which implements authentication protocols.  LDAP doesn't do EAP.  FreeRADIUS does EAP.

  But the only way that FreeRADIUS can do EAP is if the LDAP database gives FreeRADIUS the user's correct password.  If LDAP doesn't do that, then FreeRADIUS can't do anything.

  Also read this:  http://deployingradius.com/documents/protocols/compatibility.html

  If the passwords in LDAP are salted / hashed (i.e. not cleartext), then PEAP / MS-CHAP will not work.  And no, there is no magic setting to make it work.  The protocols were designed to be incompatible.  There's nothing _anyone_ can do to fix that incompatibility.

  You have to either (a) store passwords in a way which is compatible with PEAP / MS-CHAP.  Or, you have to use TTLS + PAP.  Those are pretty much your only two choices.

  Alan DeKok.
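The checking procedure from the reply above, applied mechanically, as an added example (it is not part of the thread and not FreeRADIUS code): the script scans `radiusd -X` output per request for WARNING and ERROR lines and for whatever password attribute the ldap (or files) module added to the control list, then reports whether that password form can serve PEAP/MSCHAPv2 (cleartext or NT hash only) or TTLS/PAP (any form the server can verify). The sample log is constructed: request (1) follows the lines quoted in the reply, the mschap lines and request (2) are an assumption about what the server prints when an {SSHA} userPassword is mapped to Password-With-Header, and dc=example,dc=local is a placeholder domain.

```python
"""Scan `radiusd -X` output for the two things the reply says to check:
WARNING/ERROR lines, and whether a module actually added a "known good"
password that the requested EAP inner method can use.

Added example for this thread, not FreeRADIUS code.  SAMPLE_DEBUG is
constructed: request (1) mirrors the quoted lines, the mschap lines and
request (2) are assumed output, dc=example,dc=local is a placeholder.
"""
import re
from collections import defaultdict

SAMPLE_DEBUG = """\
(1) ldap: Performing search in "cn=users,cn=accounts,dc=example,dc=local" with filter "(uid=testuser)", scope "sub"
(1) ldap: Waiting for search result...
(1) ldap: User object found at DN "uid=testuser,cn=users,cn=accounts,dc=example,dc=local"
(1) ldap: Processing user attributes
(1) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(1) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
(1) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
(1) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication
(2) ldap: User object found at DN "uid=other,cn=users,cn=accounts,dc=example,dc=local"
(2) ldap: Processing user attributes
(2) ldap:   control:Password-With-Header += '{SSHA}c2FsdHNhbHRzYWx0c2FsdA=='
"""

# "(<request id>) <module>: <message>", the per-request prefix radiusd -X uses.
LINE_RE = re.compile(r'^\((?P<req>\d+)\)\s+(?P<module>[\w-]+):\s*(?P<msg>.*)$')
# A password attribute being added to the control list (by ldap, files, ...).
PW_RE = re.compile(r'control:(?P<attr>[A-Za-z0-9-]*Password[A-Za-z0-9-]*)'
                   r'\s*(?::=|\+=|=)\s*(?P<val>.+)')
HEADER_RE = re.compile(r"^'?\{(?P<hdr>[^}]+)\}")


def password_form(attr, value):
    """Classify a control-list password attribute: cleartext, nt-hash, or hashed:<algo>."""
    value = value.strip()
    if attr == 'Cleartext-Password':
        return 'cleartext'
    if attr in ('NT-Password', 'LM-Password'):
        return 'nt-hash'
    if attr == 'Password-With-Header':
        m = HEADER_RE.match(value)
        if not m:                      # no {header}: rlm_pap treats it as cleartext
            return 'cleartext'
        hdr = m.group('hdr').upper()
        if hdr in ('CLEAR', 'CLEARTEXT'):
            return 'cleartext'
        if hdr in ('NT', 'NTHASH', 'X-NTHASH'):
            return 'nt-hash'
        return 'hashed:' + hdr         # e.g. hashed:SSHA, hashed:CRYPT
    if attr.endswith('-Password'):     # SSHA-Password, MD5-Password, Crypt-Password, ...
        return 'hashed:' + attr[:-len('-Password')].upper()
    return 'hashed:' + attr.upper()


def analyze(debug_text):
    """Per request id: warnings, errors, password form found, and whether
    PEAP/MSCHAPv2 (cleartext or NT hash only) and TTLS/PAP can work with it."""
    reports = defaultdict(lambda: {'warnings': [], 'errors': [], 'password_form': 'none'})
    for line in debug_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rep, module, msg = reports[m['req']], m['module'], m['msg']
        if msg.startswith('WARNING:'):
            rep['warnings'].append(f"{module}: {msg[8:].strip()}")
        elif msg.startswith('ERROR:'):
            rep['errors'].append(f"{module}: {msg[6:].strip()}")
        pw = PW_RE.search(msg)
        if pw:
            rep['password_form'] = password_form(pw['attr'], pw['val'])
    for rep in reports.values():
        form = rep['password_form']
        rep['mschap_ok'] = form in ('cleartext', 'nt-hash')
        rep['pap_ok'] = form != 'none'
        if form == 'none':
            rep['hint'] = ('no password came back from LDAP: PEAP/MSCHAPv2 cannot work, and PAP '
                           'can only succeed via an LDAP bind (Auth-Type LDAP), which is what '
                           'radtest exercised')
        elif not rep['mschap_ok']:
            rep['hint'] = (f'{form} password: PEAP/MSCHAPv2 cannot work; use EAP-TTLS + PAP '
                           'or store passwords in a form MS-CHAP can use')
        else:
            rep['hint'] = 'password form usable by both PEAP/MSCHAPv2 and TTLS/PAP'
    return dict(reports)


if __name__ == '__main__':
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DEBUG
    for req, rep in sorted(analyze(text).items(), key=lambda kv: int(kv[0])):
        print(f"request ({req}): password={rep['password_form']} "
              f"mschap={'ok' if rep['mschap_ok'] else 'FAIL'} pap={'ok' if rep['pap_ok'] else 'FAIL'}")
        for w in rep['warnings']:
            print('  WARNING', w)
        for e in rep['errors']:
            print('  ERROR  ', e)
        print('  ->', rep['hint'])
```

On a real capture (`radiusd -X 2>&1 | tee debug.txt`, then run the script with `debug.txt` as its argument) a request that reports `password=none` is exactly the situation in this thread, and it has to be fixed before any EAP or tunnel settings are touched; a `hashed:SSHA` (or similar) request confirms that only TTLS + PAP can work with the directory as it stands.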
