Freeradius + Openldap ERROR: No authenticate method

Published 2019-07-21 15:09

Question:

After a couple of days of searching on Google I have to resign and ask :/

We're using a Debian server with OpenLDAP and RADIUS installed. When I connect to the RADIUS server using radtest everything is fine, but when I use an access point (and the connection goes through the tunnel) I get the following result. The inner-tunnel looks like this:

authorize {
        update control {
                Proxy-To-Realm := LOCAL
        }

        eap {
                ok = return
        }

        files

        ldap {
                ok = return
        }

        expiration
        logintime

        pap
}

authenticate {
        Auth-Type PAP {
                pap
        }

        Auth-Type CHAP {
                chap
        }

        #
        #  MSCHAP authentication.
        Auth-Type MS-CHAP {
                mschap
        }
        unix

        eap
}

[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 134
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[ttls]     TLS_accept: SSLv3 read client key exchange A
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished
[ttls]     TLS_accept: SSLv3 read finished A
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[ttls]     TLS_accept: SSLv3 write change cipher spec A
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished
[ttls]     TLS_accept: SSLv3 write finished A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 172 to 192.168.2.110 port 33954
        EAP-Message = 0x0113004515800000003b14030100010116030100307485d545d269c20cba37d5a8e3f3dda1d7b0d7909407079307a1977c0d4a2a5960f66bd0a04ca5abe9493a46744ba417
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x37c6679131d5723a9d1ac717c8b684a5
Finished request 6.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.2.110 port 33954, id=244, length=430
        Acct-Session-Id = "f9dbf293-00000006"
        NAS-Port = 7
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "CN35D335T4"
        NAS-IP-Address = 192.168.2.110
        Framed-MTU = 1496
        User-Name = "cwalonka"
        Calling-Station-Id = "88-63-DF-16-A1-C8"
        Called-Station-Id = "2C-44-FD-3C-E6-D1"
        Service-Type = Framed-User
        EAP-Message = 0x0213009f1580000000951703010090d5e4e84e029bbae0b1439267d5aafc0d726c399d77cba2eafa00c2a4b017bc8534ce405e39415114d39c5c1ef019a6230fb218df0fb61140d9d9be0a1d4b9b860fe559bd90083a5b618b2643300fa5da12094d111e77dabdcbfe5f7312675206636f235a111e0b6f9ca670cf825e8a6813a8693187457432e4dae68c5be7704a7f5c716bce9c75b96179b583744b0d28
        State = 0x37c6679131d5723a9d1ac717c8b684a5
        Colubris-AVPair = "ssid=Radius"
        Colubris-AVPair = "group=Default Group"
        Colubris-AVPair = "vsc-unique-id=2"
        Colubris-AVPair = "phytype=IEEE802dot11 "
        Colubris-Attr-250 = 0x00000000
        Colubris-Attr-249 = 0x00000000
        Message-Authenticator = 0x8a74e1eca7f77b377dacbdf3ec8c1a24
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 19 length 159
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 149
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] eaptls_process returned 7
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
        User-Name = "cwalonka"
        MS-CHAP-Challenge = 0xe1db13f5d45cce97c79199bd3790b982
        MS-CHAP2-Response = 0xdd00848963a64af42b41addc23a3202156b00000000000000000403cd5a0ad7604a4b22c4b9c54e7912e23850b2878155faf
        FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
        User-Name = "cwalonka"
        MS-CHAP-Challenge = 0xe1db13f5d45cce97c79199bd3790b982
        MS-CHAP2-Response = 0xdd00848963a64af42b41addc23a3202156b00000000000000000403cd5a0ad7604a4b22c4b9c54e7912e23850b2878155faf
        FreeRADIUS-Proxied-To = 127.0.0.1
        Acct-Session-Id = "f9dbf293-00000006"
        NAS-Port = 7
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "CN35D335T4"
        NAS-IP-Address = 192.168.2.110
        Framed-MTU = 1496
        Calling-Station-Id = "88-63-DF-16-A1-C8"
        Called-Station-Id = "2C-44-FD-3C-E6-D1"
        Service-Type = Framed-User
        Colubris-AVPair = "ssid=Radius"
        Colubris-AVPair = "group=Default Group"
        Colubris-AVPair = "vsc-unique-id=2"
        Colubris-AVPair = "phytype=IEEE802dot11 "
        Colubris-Attr-250 = 0x00000000
        Colubris-Attr-249 = 0x00000000
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[control] returns notfound
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[ldap] performing user authorization for cwalonka
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> cwalonka
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=cwalonka)
[ldap]  expand: dc=it-economics,dc=de -> dc=it-economics,dc=de
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=it-economics,dc=de, with filter (uid=cwalonka)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] userPassword -> Password-With-Header == "{SSHA}ylX1rj9cfubaHAFc6XeV1Ne+tBFX36VA"
[ldap] looking for reply items in directory...
[ldap] user cwalonka authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
} # server inner-tunnel
[ttls] Got tunneled reply code 3
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.

Thanks for your help

Answer 1:

I realized that it is not necessary to put in a pap configuration when you can authenticate to the ldap server. The official documentation says that when you have "passwords" you need pap, but it is not necessary.

This is my setup in the file /etc/raddb/sites-available/default, tested and running on FreeRADIUS 3 connecting to Red Hat Directory 10 (ldap):

server default {
    listen {
        type = auth
        ipaddr = *
        port = 0
        limit {
            max_connections = 16
            lifetime = 0
            idle_timeout = 30
        }
    }
    listen {
        ipaddr = *
        port = 0
        type = acct
        limit {
        }
    }
    authorize {
        if (!control:Auth-Type) {
            ldap

            if (ok && User-Password) {
                update {
                    control:Auth-Type := LDAP
                }
            }
        }
        expiration
        logintime
    }
    authenticate {
        Auth-Type LDAP {
            ldap
        }
    }
    preacct {
        preprocess
        acct_unique
    }
    accounting {
        detail
        unix
        radutmp
        exec
        attr_filter.accounting_response
    }
    session {
        radutmp
    }
    post-auth {
        exec
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
    pre-proxy {
    }
    post-proxy {
        eap
    }
}


Answer 2:

The LDAP module call should be:

authorize {
    ldap
    if (ok) {
        update control {
            Auth-Type := LDAP
        }
        return
    }
}

And you must also list LDAP in the authenticate section.

authenticate {
    ldap
}

All modules in FreeRADIUS have multiple methods that are called at different request processing stages.

The methods in authorize are for gathering additional subscriber information from databases. The methods in authenticate are for authenticating user credentials, and the methods in post-auth are for setting an authorization policy (VLANs, session timeouts, etc.).

For some modules the authorize method tells the server what module to use for authentication. For others this needs to be done manually.
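Added example, not part of the original thread: a small Python helper that walks radiusd -X debug output like the one in the question and reports, for each authorize section, which modules ran, what they returned, and whether an Auth-Type was set before the authenticate stage. The regexes assume the FreeRADIUS 2.x debug line format shown above; the sample log is constructed (abridged from the question).

```python
import re

# Constructed sample, abridged from the radiusd -X output in the question above.
SAMPLE_DEBUG = """\
# Executing section authorize from file /etc/freeradius/sites-enabled/default
++[mschap] returns noop
++[eap] returns ok
Found Auth-Type = EAP
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
++[control] returns notfound
++[eap] returns noop
++[files] returns noop
++[ldap] returns ok
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
} # server inner-tunnel
"""

SECTION_RE = re.compile(r"^# Executing section (\w+) from file (\S+)")
MODULE_RE = re.compile(r"^\+\+\[(\S+)\] returns (\w+)")
AUTH_TYPE_RE = re.compile(r"^Found Auth-Type = (\S+)")
NO_METHOD = "ERROR: No authenticate method (Auth-Type) found"

def triage(debug_text):
    """One record per authorize section: file, module -> return code, Auth-Type."""
    sections, cur = [], None
    for line in debug_text.splitlines():
        if m := SECTION_RE.match(line):
            cur = {"file": m.group(2), "modules": {}, "auth_type": None, "rejected": False}
            sections.append(cur)
        elif cur is None:
            continue  # lines before the first authorize section are ignored
        elif m := MODULE_RE.match(line):
            cur["modules"][m.group(1)] = m.group(2)
        elif m := AUTH_TYPE_RE.match(line):
            cur["auth_type"] = m.group(1)
        elif line.startswith(NO_METHOD):
            cur["rejected"] = True
    return sections

def diagnose(sections):
    """Per authorize section, say whether any module set Auth-Type before authenticate."""
    findings = []
    for s in sections:
        ok = ", ".join(sorted(m for m, rc in s["modules"].items() if rc == "ok")) or "none"
        if s["auth_type"]:
            findings.append(f"{s['file']}: Auth-Type {s['auth_type']} set (ok from: {ok})")
        elif s["rejected"]:
            findings.append(f"{s['file']}: REJECTED, no Auth-Type although ok from: {ok}")
        else:
            findings.append(f"{s['file']}: no Auth-Type recorded (ok from: {ok})")
    return findings
```

Run `diagnose(triage(open("debug.log").read()))` against a captured debug log; a section that lists ldap under "ok from" but ends in REJECTED is exactly the case in the question, where a module returned ok without anything setting control:Auth-Type.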



Answer 3:

I can't comment on the previous answer as I don't have enough reputation, but I found alternate syntax in this mailing list post, although that didn't work. Instead I used Auth-Type as a conditional like this:

authorize {
    files
    if (ok && User-Password) {
        update {
            control:Auth-Type := pap
        }
    }

    if (!control:Auth-Type) {
        ldap_files
        ldap

        if (ok && User-Password) {
            update {
                control:Auth-Type := LDAP
            }
        }
    }
    pap
}

This seems to achieve my goal of setting the Auth-Type properly as well as being able to limit the modules touched by authorization.



Answer 4:

Add to /etc/freeradius/3.0/users (Ubuntu version) the line:

username Cleartext-Password := "passwordofuser"

And test again.