pfSense Gold Subscription

Author Topic: NEW Package: freeRADIUS 2.x  (Read 105181 times)

0 Members and 1 Guest are viewing this topic.

Offline pszafer

  • Jr. Member
  • **
  • Posts: 40
  • Karma: +0/-0
    • View Profile
Re: NEW Package: freeRADIUS 2.x
« Reply #90 on: January 09, 2012, 07:56:46 am »
I'm trying to get LDAP working but I'm getting the following output:

Code: [Select]
  [ldap] ldap_search() failed: Operations error
[ldap] search failed
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns fail
Invalid user:  [USER/PASSW]

Does anyone know why this is happening? When I manually do an ldap search with another program with the same user I do get a result back.

you didn't give anything about your config, but I'll try guess:

If you have MS AD try to filter:
(sAMAccountName=%{mschap:User-Name})
otherwise maybe:
 (uid=%{mschap:User-Name})

I don't know if you have your Identity configured properly, show it for us

Offline sandern

  • Newbie
  • *
  • Posts: 21
  • Karma: +0/-0
    • View Profile
Re: NEW Package: freeRADIUS 2.x
« Reply #91 on: January 09, 2012, 08:17:50 am »
Hi,

Sorry, its indeed MS AD (2008R2). I already tried with the sAMAccountName but didn't had the MSCHAP in it, tried it again, but still no luck:

Code: [Select]
radtest nas PASSW localhost 1 testpass
Code: [Select]
[ldap] performing user authorization for nas
[ldap]  expand: (sAMAccountName=%{mschap:User-Name}) -> (sAMAccountName=nas)
[ldap]  expand: o=intersui,c=local -> o=intersui,c=local
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to 10.10.1.1:389, authentication 0
  [ldap] bind as WDSINST/***** to 10.10.1.1:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in o=intersui,c=local, with filter (sAMAccountName=nas)
  [ldap] ldap_search() failed: Operations error
[ldap] search failed
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns fail
Invalid user: [nas/****] (from client pfsense2 port 1)

Base Filter: (objectclass=*)
Filter: (sAMAccountName=%{mschap:User-Name})
Basedn: o=intersui,c=local

Offline pszafer

  • Jr. Member
  • **
  • Posts: 40
  • Karma: +0/-0
    • View Profile
Re: NEW Package: freeRADIUS 2.x
« Reply #92 on: January 09, 2012, 08:28:12 am »
Hi,

Sorry, its indeed MS AD (2008R2). I already tried with the sAMAccountName but didn't had the MSCHAP in it, tried it again, but still no luck:

Code: [Select]
radtest nas PASSW localhost 1 testpass
Code: [Select]
[ldap] performing user authorization for nas
[ldap]  expand: (sAMAccountName=%{mschap:User-Name}) -> (sAMAccountName=nas)
[ldap]  expand: o=intersui,c=local -> o=intersui,c=local
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to 10.10.1.1:389, authentication 0
  [ldap] bind as WDSINST/***** to 10.10.1.1:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in o=intersui,c=local, with filter (sAMAccountName=nas)
  [ldap] ldap_search() failed: Operations error
[ldap] search failed
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns fail
Invalid user: [nas/****] (from client pfsense2 port 1)

Base Filter: (objectclass=*)
Filter: (sAMAccountName=%{mschap:User-Name})
Basedn: o=intersui,c=local

change basedn to
basedn: cn=Users,dc=intersui,dc=local
as far as I know if you want filter sAMAccountName you have to use Microsoft style, so dc, dc ;)

Offline sandern

  • Newbie
  • *
  • Posts: 21
  • Karma: +0/-0
    • View Profile
Re: NEW Package: freeRADIUS 2.x
« Reply #93 on: January 09, 2012, 10:19:57 am »
That did the trick :) BUT he still doesn't give me an accept message:

Code: [Select]
++[files] returns noop
[ldap] performing user authorization for nas
[ldap]  expand: (sAMAccountName=%{mschap:User-Name}) -> (sAMAccountName=nas)
[ldap]  expand: ou=Accounts,dc=intersui,dc=local -> ou=Accounts,dc=intersui,dc=local
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=Accounts,dc=intersui,dc=local, with filter (sAMAccountName=nas)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user nas authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[daily] returns noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[weekly] returns noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[monthly] returns noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[forever] returns noop
rlm_checkval: Could not find item named Calling-Station-Id in request
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
++[checkval] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [nas/*****] (from client pfsense2 port 1)
Using Post-Auth-Type Reject

On Google this gives me lots of results but not really a solution. (The DN bind user is Administrator, so its not a permission issue - found some posts refering to this)

Also "set_auth_type = yes/no" as mentioned on Google doesn't help.
« Last Edit: January 09, 2012, 10:27:20 am by sandern »

Offline Nachtfalke

  • Hero Member
  • *****
  • Posts: 2754
  • Karma: +1/-0
    • View Profile
Re: NEW Package: freeRADIUS 2.x
« Reply #94 on: January 09, 2012, 10:44:21 am »
@pszafer

Thank you very much for your feedback. I read about the samba and winbind "problematic" to use an Active Directory with freeradius. But I am not sure at all now - I thought that Win Server 2003 and higher has LDAP compatibility but you first have to enable something on Windows Server. But I am not sure on that and I do not find the documentation...

freeradius2 has an "rlm_smb" module but this is still experimental. This is the excerpt of the makefile:
Code: [Select]
# No SMB option yet; rlm_smb is still unbuildable
.ifdef(WITH_SMB)
LIB_DEPENDS= smbclient.0:${PORTSDIR}/net/samba-libsmbclient
CONFIGURE_ARGS+=--with-rlm_smb
CONFIGURE_ARGS+=--with-rlm-smb-lib-dir=${LOCALBASE}/lib
CONFIGURE_ARGS+=--with-rlm-smb-include-dir=${LOCALBASE}/include
PLIST_SUB+= SMB=""
.else
CONFIGURE_ARGS+=--without-rlm_smb
PLIST_SUB+= SMB="@comment "
.endif

# SMB module is still experimental
.if defined(WITH_SMB) && !defined(WITH_EXPERIMENTAL)
WITH_EXPERIMENTAL= yes
.endif

The third thing I read about here in the forum is/was that someone had installed samba on pfsense but it breaks the hole system.

@pszafer:
You wrote you worked on freeradius2 (compiling) in the past. Did you use it on pfsense and how did you get it work with LDAP and/or AD ?
If there are samba binaries which don't breake the system I am sure we can add these to freeradius2 package and the create a GUI to edit the smb.conf. That shouldn't be to hard if we know the command lines.

Offline pszafer

  • Jr. Member
  • **
  • Posts: 40
  • Karma: +0/-0
    • View Profile
Re: NEW Package: freeRADIUS 2.x
« Reply #95 on: January 09, 2012, 02:18:32 pm »
@sandern
in /usr/local/etc/raddb/sites-enabled/default
you have authentication section

so far we've got plaint text password and this is our problem, we need nt-domain hash.
you could try comment line with unix auth
and uncomment Auth-Type LDAP, but this will propably cause other errors.
I've done this before so linux users with pap auth were authenticated succesfully,  but trully I remove this and backuped in wrong place (it's gone) so I can't easy come back to this, but I don't want to.

@Nachtfalke
AD is compatible with LDAP in way we wanted to.
We need Kerberos to get ticket to get authenticated - http://www.google.pl/imgres?q=kerberos+eap&um=1&hl=pl&authuser=0&biw=1920&bih=913&tbm=isch&tbnid=4SMvBpPK_Big9M:&imgrefurl=http://anil-identity.blogspot.com/2009_02_01_archive.html&docid=xeW3QfB9c27wtM&imgurl=http://identitymeme.org/wp-content/uploads/2009/02/krbandweb-opps_06-700x366.png&w=700&h=366&ei=gUcLT5qpEcmq-AaFwL20AQ&zoom=1&iact=hc&vpx=1506&vpy=159&dur=1520&hovh=162&hovw=311&tx=119&ty=97&sig=107427534317749718724&page=1&tbnh=86&tbnw=164&start=0&ndsp=53&ved=1t:429,r:8,s:0

To get Kerberos working with AD we need get winbind (which is in Samba packet). Winbind is service allows to get authenticated over Windows PDC.
rlm_smb is something worth to try and interesting.

About Samba compiling, I think someone could try to use samba as file sharing server so firewall would be messed up.
I wanted to use Samba only for purpose to authenticate user and I think it is possible ;)

Two weeks ago I've bought new netgear router to my workplace, upgraded to OpenWRT and wanted to authenticate wifi via 802.1x.
As Domain Controller shouldn't be used for this for security reasons I decided to do it on pfsense router. Didn't search forum what's going on with this packet, didn't see this in GUI so recompiled freeradius on freebsd virtual machine and added necessary libraries for that.
I've come here because I was exhausted for tryin' ntlm_auth to work. Squid package has some ntlm_auth without samba, so I assumed it is possible. Now I think my assumption was wrong :P

Okay, now I'm reading about rlm_smb, maybe do something with that.


--------------------
one weird thing, in dd-wrt it is for 5 years and it is still experimental? am I missing something?
« Last Edit: January 09, 2012, 02:20:29 pm by pszafer »

Offline marcelloc

  • Hero Member
  • *****
  • Posts: 10004
  • Karma: +5/-0
    • View Profile
Re: NEW Package: freeRADIUS 2.x
« Reply #96 on: January 09, 2012, 02:22:24 pm »
Quote
I wanted to use Samba only for purpose to authenticate user and I think it is possible

Only if you do it by hand, installing freebsd packages.Samba as a pfSense package is really not a good idea for firewall.

Offline pszafer

  • Jr. Member
  • **
  • Posts: 40
  • Karma: +0/-0
    • View Profile
Re: NEW Package: freeRADIUS 2.x
« Reply #97 on: January 09, 2012, 02:39:10 pm »
in freebsd packages there are no security=ads. Unfortunately we need only this from samba :/

Offline marcelloc

  • Hero Member
  • *****
  • Posts: 10004
  • Karma: +5/-0
    • View Profile
Re: NEW Package: freeRADIUS 2.x
« Reply #98 on: January 09, 2012, 02:50:50 pm »
Ddid you tried with kerberos? there is a way to do this without samba.

Offline pszafer

  • Jr. Member
  • **
  • Posts: 40
  • Karma: +0/-0
    • View Profile
Re: NEW Package: freeRADIUS 2.x
« Reply #99 on: January 09, 2012, 03:16:38 pm »
@marcelloc
I will try tomorrow morning do this (in 7 hours) [other time zone  ;)]

Offline Nachtfalke

  • Hero Member
  • *****
  • Posts: 2754
  • Karma: +1/-0
    • View Profile
Re: NEW Package: freeRADIUS 2.x
« Reply #100 on: January 09, 2012, 04:48:30 pm »
Updates pkg v1.4.8:

  • Added: Support for Redundant / LoadBalancing two LDAP Servers (authorize and authentication)

I will add redundant SQL server support in near futur, too.

PS: I found something about MS AD and LDAP and how to enable LDAP in MS Server 2003 and higher. This is not directly pointed to freeradius but perhaps it will help the guys who know more about this than me :D

http://www.petri.co.il/anonymous_ldap_operations_in_windows_2003_ad.htm

Offline pszafer

  • Jr. Member
  • **
  • Posts: 40
  • Karma: +0/-0
    • View Profile
Re: NEW Package: freeRADIUS 2.x
« Reply #101 on: January 10, 2012, 12:50:39 am »
Hello, here is the same and shorter version for 2008 AD, http://technet.microsoft.com/pl-pl/library/cc816788(WS.10).aspx,
but I'm not sure if this is what we want to do.
Make connection safer in one place, but less safe in other place.

Offline sandern

  • Newbie
  • *
  • Posts: 21
  • Karma: +0/-0
    • View Profile
Re: NEW Package: freeRADIUS 2.x
« Reply #102 on: January 10, 2012, 02:18:49 am »
Hello, here is the same and shorter version for 2008 AD, http://technet.microsoft.com/pl-pl/library/cc816788(WS.10).aspx,
but I'm not sure if this is what we want to do.
Make connection safer in one place, but less safe in other place.

I don't think this is the case here. We are authenticating to ldap so its not anonymous as in the technet article. I'll try some more this afternoon to get this working.

Offline pszafer

  • Jr. Member
  • **
  • Posts: 40
  • Karma: +0/-0
    • View Profile
Re: NEW Package: freeRADIUS 2.x
« Reply #103 on: January 10, 2012, 02:45:54 am »
just tell me, is command kinit working for you?
I have problem with a lot of libraries.
Now I'm stuck at error:
/usr/local/lib/libgssrpc.so: Undefined symbol "gss_mech_krb5"

-----------------------------

@marcelloc
look at this configure error of compiling Kerberos from hand :P

configure: error: krb5 libs don't have all features required for Active Directory support
« Last Edit: January 10, 2012, 03:21:24 am by pszafer »

Offline Nachtfalke

  • Hero Member
  • *****
  • Posts: 2754
  • Karma: +1/-0
    • View Profile
Re: NEW Package: freeRADIUS 2.x
« Reply #104 on: January 10, 2012, 06:00:30 am »
Hi,

I got this on i386 and amd64 - does this help you?
Code: [Select]
[2.0.1-RELEASE][admin@pfsense.localdomain]/root(1): kinit
/libexec/ld-elf.so.1: /usr/local/lib/libkrb5.so: Undefined symbol "add_error_table"