Freeradius configuration on debian
leslie45
Posted messages
71
Status
Member
-
telecom14 Posted messages 26 Status Member -
telecom14 Posted messages 26 Status Member -
Hello everyone, I've been trying for weeks to configure Freeradius and LDAP to set up a captive portal! Help!!! I followed the commands I downloaded from Google but the configuration has never been successful!!!
22 answers
- 1
- 2
Next
Hello Leslie,
There are quite a few tutorials on the internet regarding the installation of FreeRADIUS.
Here are the main steps (for a Linux environment) below:
1- Check that you have two network interfaces (in a Linux environment Eth0 and Eth1) with one having internet access (usually Eth0).
2- Install package updates and download FreeRADIUS:
#apt-get update (for package updates)
#apt-get install freeradius (to install FreeRADIUS)
#apt-get install freeradius-ldap (for LDAP compatibility)
You now have the necessary components for FreeRADIUS - LDAP to function
--> Several configuration files need to be modified:
3-Configure your FreeRADIUS:
Open the file /etc/freeradius/radiusd.conf with a text editor (gedit, nano, vi,...)
This file contains the main elements needed for configuring FreeRADIUS, as well as additional modules (for us LDAP)
This file, like all FreeRADIUS configuration files, contains many lines by default (most of which are preceded by a "#"). This # means that these lines are commented out and therefore NOT INTERPRETED. --> It makes sense to uncomment the relevant lines (remove the #) to activate the features we are interested in. WARNING: there is almost NEVER anything to ADD to the configuration files. Generally, we just modify one or more parts and uncomment. The people who crash the server are often those who modify it the most (but by default everything works well, and everything is already present ;-) ).
In short: the part of this file that interests us is the LDAP module. You just need to find the section "modules{ " and CHECK that the line $INCLUDE {confdir}/modules/ is present, and if yes, you need to remove the # to enable it (but I believe this is already the case by default). This line means "include the modules that are in /etc/Freeradius/modules/ and if you take a look in this folder, you will see a nice file named "ldap" waiting patiently to be configured :-)
So far, no real difficulties, right?
Now that we have specified to radius which module to use, we need to "authorize" them
So we will go to the file /etc/Freeradius/sites-available/default to uncomment a bit ^^
--> in this default file, in the authorize{ section, you will see the word "file" is uncommented, which means that FreeRADIUS allows the use of a file to authenticate people (the "user" file to be precise). We want to use LDAP so find the word "ldap" in this same section and uncomment it. Likewise, in the authenticate{ section, find the 3 lines (in a row) that say Auth-Type LDAP{ ldap } and uncomment these 3 lines (you can use good old CTRL+F to find these lines if you're using a graphical text editor like gedit for example). You now have the correct configuration to use your LDAP with FreeRADIUS.
Alright! Do you remember our file "ldap" in /etc/Freeradius/modules/? Well, it's its turn now, and it's probably the most annoying part if you have a complicated LDAP directory ^^ Let's go in with a smile anyway:
In this file, we will modify information in the ldap{ section
--> find the line server=, uncomment it if it is not done by default, and then replace the value after the = with the IP address of your LDAP (to be put in quotes)(Windows Server I suppose). Then comes the line identity --> here you need to provide a user from your LDAP who will tell FreeRADIUS "ok it’s me Leslie, I have the right to read from the LDAP so let me through". Basically, they must have at least read access to the LDAP directory to fetch people.
--> So you fill in this line starting from the most specific point of your LDAP (the name) and move up its tree (example: identity = "cn=Leslie,ou=admin,ou=info,dc=DOMAIN,dc=LOCAL") Be careful to respect the case!. After that, fill in the correct terms otherwise the LDAP will throw you out! ^^
Next line: password = Well, here it’s simply the password of the person right above :-)
Next line: basedn = here you need to specify the folder where the LDAP users are stored (again starting from the most specific point) --> example: basedn = "ou=users,dc=DOMAIN,dc=LOCAL".
Well, usually issues come from here as mistakes are easily made when filling in these fields hehehe. We will see how to check that later. Moving on to the filter = line --> Do not modify this line unless you are using a Windows Active Directory. And if that’s the case, change the "uid=...etc" to sAMAccountName=...(the rest of the line remains unchanged)
Well, it’s not too bad now :-) Oh, and if you are still using a Windows Active Directory, uncomment the two lines chase_referrals = yes and rebind = yes a little further down in this same file (for compatibility with AD simply).
4-test
Well, the hardest part is behind us. We are going to do a little test to check the correct operation of our config:
Before running the test, you need to restart our FreeRADIUS server (otherwise the changes will not be taken into account :/ that would be silly)
#/etc/init.d/freeradius restart (or start if it is not running, but by default it is).
Now for the test:
We use the radtest command for this. It simulates a RADIUS authentication request with our current parameters.
Here is its syntax: radtest "login" "password" "@FreeRADIUS server" "connection port" "RADIUS secret"
A few explanations; well login and password should be fine, they are the credentials of the LDAP you want to test
, @FreeRADIUS server is "localhost" or "127.0.0.1" because the server is on your machine ^^, the default port is 1812 (for FreeRADIUS) but you can also put 0 it will work in our case. RADIUS secret is "testing123" because you probably already know this but FreeRADIUS contains a list of "clients" that users connect to (Wi-Fi router, switches, ...) identified in the /etc/Freeradius/clients.conf file but for our test the client is us (localhost) and if you take a look in the file, it already exists by default and has the secret "testing123" There you go.
If your command works: you should receive a nice message rad_recv: access-accept from host 127.0.0.1 ... which means that the authentication was successful!
If not, then there is definitely a configuration issue (either a line not uncommented (or incorrectly written) or an error in one of your LDAP paths.
In any case, I advise you to stop your FreeRADIUS (with the command /etc/init.d/freeradius stop) and restart it in "debug" mode (to see everything it does :D) with the command freeradius -X You will then see all the steps (in English of course) and likely the places where it gets stuck :-) )
As for your captive portal, I don’t know which one you plan to use, but I would be happy to share my knowledge if it’s Chillispot or Coova-chilli (which usually brings a lot of trouble)
Hoping to have helped you!!
Good luck
Jak
There are quite a few tutorials on the internet regarding the installation of FreeRADIUS.
Here are the main steps (for a Linux environment) below:
1- Check that you have two network interfaces (in a Linux environment Eth0 and Eth1) with one having internet access (usually Eth0).
2- Install package updates and download FreeRADIUS:
#apt-get update (for package updates)
#apt-get install freeradius (to install FreeRADIUS)
#apt-get install freeradius-ldap (for LDAP compatibility)
You now have the necessary components for FreeRADIUS - LDAP to function
--> Several configuration files need to be modified:
3-Configure your FreeRADIUS:
Open the file /etc/freeradius/radiusd.conf with a text editor (gedit, nano, vi,...)
This file contains the main elements needed for configuring FreeRADIUS, as well as additional modules (for us LDAP)
This file, like all FreeRADIUS configuration files, contains many lines by default (most of which are preceded by a "#"). This # means that these lines are commented out and therefore NOT INTERPRETED. --> It makes sense to uncomment the relevant lines (remove the #) to activate the features we are interested in. WARNING: there is almost NEVER anything to ADD to the configuration files. Generally, we just modify one or more parts and uncomment. The people who crash the server are often those who modify it the most (but by default everything works well, and everything is already present ;-) ).
In short: the part of this file that interests us is the LDAP module. You just need to find the section "modules{ " and CHECK that the line $INCLUDE {confdir}/modules/ is present, and if yes, you need to remove the # to enable it (but I believe this is already the case by default). This line means "include the modules that are in /etc/Freeradius/modules/ and if you take a look in this folder, you will see a nice file named "ldap" waiting patiently to be configured :-)
So far, no real difficulties, right?
Now that we have specified to radius which module to use, we need to "authorize" them
So we will go to the file /etc/Freeradius/sites-available/default to uncomment a bit ^^
--> in this default file, in the authorize{ section, you will see the word "file" is uncommented, which means that FreeRADIUS allows the use of a file to authenticate people (the "user" file to be precise). We want to use LDAP so find the word "ldap" in this same section and uncomment it. Likewise, in the authenticate{ section, find the 3 lines (in a row) that say Auth-Type LDAP{ ldap } and uncomment these 3 lines (you can use good old CTRL+F to find these lines if you're using a graphical text editor like gedit for example). You now have the correct configuration to use your LDAP with FreeRADIUS.
Alright! Do you remember our file "ldap" in /etc/Freeradius/modules/? Well, it's its turn now, and it's probably the most annoying part if you have a complicated LDAP directory ^^ Let's go in with a smile anyway:
In this file, we will modify information in the ldap{ section
--> find the line server=, uncomment it if it is not done by default, and then replace the value after the = with the IP address of your LDAP (to be put in quotes)(Windows Server I suppose). Then comes the line identity --> here you need to provide a user from your LDAP who will tell FreeRADIUS "ok it’s me Leslie, I have the right to read from the LDAP so let me through". Basically, they must have at least read access to the LDAP directory to fetch people.
--> So you fill in this line starting from the most specific point of your LDAP (the name) and move up its tree (example: identity = "cn=Leslie,ou=admin,ou=info,dc=DOMAIN,dc=LOCAL") Be careful to respect the case!. After that, fill in the correct terms otherwise the LDAP will throw you out! ^^
Next line: password = Well, here it’s simply the password of the person right above :-)
Next line: basedn = here you need to specify the folder where the LDAP users are stored (again starting from the most specific point) --> example: basedn = "ou=users,dc=DOMAIN,dc=LOCAL".
Well, usually issues come from here as mistakes are easily made when filling in these fields hehehe. We will see how to check that later. Moving on to the filter = line --> Do not modify this line unless you are using a Windows Active Directory. And if that’s the case, change the "uid=...etc" to sAMAccountName=...(the rest of the line remains unchanged)
Well, it’s not too bad now :-) Oh, and if you are still using a Windows Active Directory, uncomment the two lines chase_referrals = yes and rebind = yes a little further down in this same file (for compatibility with AD simply).
4-test
Well, the hardest part is behind us. We are going to do a little test to check the correct operation of our config:
Before running the test, you need to restart our FreeRADIUS server (otherwise the changes will not be taken into account :/ that would be silly)
#/etc/init.d/freeradius restart (or start if it is not running, but by default it is).
Now for the test:
We use the radtest command for this. It simulates a RADIUS authentication request with our current parameters.
Here is its syntax: radtest "login" "password" "@FreeRADIUS server" "connection port" "RADIUS secret"
A few explanations; well login and password should be fine, they are the credentials of the LDAP you want to test
, @FreeRADIUS server is "localhost" or "127.0.0.1" because the server is on your machine ^^, the default port is 1812 (for FreeRADIUS) but you can also put 0 it will work in our case. RADIUS secret is "testing123" because you probably already know this but FreeRADIUS contains a list of "clients" that users connect to (Wi-Fi router, switches, ...) identified in the /etc/Freeradius/clients.conf file but for our test the client is us (localhost) and if you take a look in the file, it already exists by default and has the secret "testing123" There you go.
If your command works: you should receive a nice message rad_recv: access-accept from host 127.0.0.1 ... which means that the authentication was successful!
If not, then there is definitely a configuration issue (either a line not uncommented (or incorrectly written) or an error in one of your LDAP paths.
In any case, I advise you to stop your FreeRADIUS (with the command /etc/init.d/freeradius stop) and restart it in "debug" mode (to see everything it does :D) with the command freeradius -X You will then see all the steps (in English of course) and likely the places where it gets stuck :-) )
As for your captive portal, I don’t know which one you plan to use, but I would be happy to share my knowledge if it’s Chillispot or Coova-chilli (which usually brings a lot of trouble)
Hoping to have helped you!!
Good luck
Jak
Ah! There you go, that explains everything :)
You simply don't have LDAP
Well, the first mistake is mine:
My tutorial was about installing FreeRADIUS with LDAP COMPATIBILITY (hence the installation of the freeradius-ldap module) BUT ATTENTION, you absolutely need a configured and ready LDAP NEXT TO IT :)
I should have pointed that out, freeradius-ldap is not an LDAP but a compatibility module with an LDAP :)
I quote you:
apt-get install slapd
This is a daemon (a process) that manages the LDAP :) (based on OpenLDAP by the way)
First, you need to do
#sudo -s to be root and stay that way (it will ask you for the session password)
#apt-get install slapd to install an LDAP daemon (thus your LDAP)
#apt-get install ldap-utils (for your tests)
#dpkg-reconfigure slapd to configure your LDAP
Here it becomes important:
slapd will then ask you:
1. Pass the OpenLDAP configuration? you put "no"
followed by:
2. Domain name? answer: example.local (put the name of your company, school, home, whatever you want ^^)
3. Name of your company? answer: same name without the ".local"
4. What database? answer: hdb
5. Do you want the database to be erased ... Answer: yes
6. Delete old databases? Answer: yes
7. Administrator password? Answer: YourPassword
8. Confirm this password? Answer: the same password
9. Allow LDAPv2 protocol? Answer: no
after that your LDAP is created. Then open the file /etc/ldap/ldap.conf which should normally exist: here is its content
ldap_version 3
URI ldap://localhost:389
SIZELIMIT 0
TIMELIMIT 0
DEREF never
BASE dc=example, dc=com
Change your first dc="the name without .local that you provided earlier"
and your second dc="local"
then open /etc/ldap/slapd.conf and change it like this:
suffix "dc=thename without .local,dc=local"
directory "/var/lib/ldap"
rootdn "cn=Leslie or admin up to you,dc=name without .local,dc=local"
rootpw YourPassword
Next, you need to fill your LDAP (add "ou" (organizational units) and users (for example, our Leslie if you didn't put it above ^^)
INFO: example of a school LDAP for you to understand the architecture:
domain .............school.local
................................. /\.............................................
................................./...\...........................................
................................/......\..........................................
.............................. /.........\.........................................
..................ou Teachers ..........ou Students..................../....................../................\......................
...cn=Jean Pierre ...........ou CM1.......ou CM2.................
... cn=Anne Marie..................|.................|.....................
............... ... ...................Jenny ........Thibault...............
........................................Louis ...........Karim...............
So fill your LDAP as you see fit :) by typing:
#gedit /etc/ldap/init.ldif (you may need to create it)
note: use this site to help you fill it: http://doc.ubuntu-fr.org/slapd (part 3: fill LDAP)
And let me know when you have finished all that :)
Come on, good luck!
Jak
You simply don't have LDAP
Well, the first mistake is mine:
My tutorial was about installing FreeRADIUS with LDAP COMPATIBILITY (hence the installation of the freeradius-ldap module) BUT ATTENTION, you absolutely need a configured and ready LDAP NEXT TO IT :)
I should have pointed that out, freeradius-ldap is not an LDAP but a compatibility module with an LDAP :)
I quote you:
apt-get install slapd
This is a daemon (a process) that manages the LDAP :) (based on OpenLDAP by the way)
First, you need to do
#sudo -s to be root and stay that way (it will ask you for the session password)
#apt-get install slapd to install an LDAP daemon (thus your LDAP)
#apt-get install ldap-utils (for your tests)
#dpkg-reconfigure slapd to configure your LDAP
Here it becomes important:
slapd will then ask you:
1. Pass the OpenLDAP configuration? you put "no"
followed by:
2. Domain name? answer: example.local (put the name of your company, school, home, whatever you want ^^)
3. Name of your company? answer: same name without the ".local"
4. What database? answer: hdb
5. Do you want the database to be erased ... Answer: yes
6. Delete old databases? Answer: yes
7. Administrator password? Answer: YourPassword
8. Confirm this password? Answer: the same password
9. Allow LDAPv2 protocol? Answer: no
after that your LDAP is created. Then open the file /etc/ldap/ldap.conf which should normally exist: here is its content
ldap_version 3
URI ldap://localhost:389
SIZELIMIT 0
TIMELIMIT 0
DEREF never
BASE dc=example, dc=com
Change your first dc="the name without .local that you provided earlier"
and your second dc="local"
then open /etc/ldap/slapd.conf and change it like this:
suffix "dc=thename without .local,dc=local"
directory "/var/lib/ldap"
rootdn "cn=Leslie or admin up to you,dc=name without .local,dc=local"
rootpw YourPassword
Next, you need to fill your LDAP (add "ou" (organizational units) and users (for example, our Leslie if you didn't put it above ^^)
INFO: example of a school LDAP for you to understand the architecture:
domain .............school.local
................................. /\.............................................
................................./...\...........................................
................................/......\..........................................
.............................. /.........\.........................................
..................ou Teachers ..........ou Students..................../....................../................\......................
...cn=Jean Pierre ...........ou CM1.......ou CM2.................
... cn=Anne Marie..................|.................|.....................
............... ... ...................Jenny ........Thibault...............
........................................Louis ...........Karim...............
So fill your LDAP as you see fit :) by typing:
#gedit /etc/ldap/init.ldif (you may need to create it)
note: use this site to help you fill it: http://doc.ubuntu-fr.org/slapd (part 3: fill LDAP)
And let me know when you have finished all that :)
Come on, good luck!
Jak
Hoo! Awesome!
In my ldap.conf file, I had exactly the same as what I mentioned to you a few messages above. So, I added what you said. For the second dc, should I just put "local"? Or "cequetuasmarqué.local"?
Then I don't have a file /etc/ldap/slapd.conf!! In the /etc/ldap/ directory, the files present are: ldap.conf, sasl2, schema, slapd.d. The ones in bold are files
I feel like the end is near! :D
Usbeth
In my ldap.conf file, I had exactly the same as what I mentioned to you a few messages above. So, I added what you said. For the second dc, should I just put "local"? Or "cequetuasmarqué.local"?
Then I don't have a file /etc/ldap/slapd.conf!! In the /etc/ldap/ directory, the files present are: ldap.conf, sasl2, schema, slapd.d. The ones in bold are files
I feel like the end is near! :D
Usbeth
The init.ldif file:
Do I need to replace all the example with "nomsans.local" and com with "local"? And lionel Porcheron with the created profile? I don't quite understand the tutorial that guy made :/
Sorry ^^"
# data file: ~/init.ldif dn: dc=nomsans,dc=local objectClass: dcObject objectClass: organizationalUnit dc: nomsans ou: Nomsans Dot Local dn: ou=people,dc=nomsans,dc=local objectClass: organizationalUnit ou: people dn: ou=groups,dc=nomsans,dc=local objectClass: organizationalUnit ou: groups dn: uid=lionel,ou=people,dc=nomsans,dc=local objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount uid: lionel sn: Porcheron givenName: Lionel cn: Lionel Porcheron displayName: Lionel Porcheron uidNumber: 1000 gidNumber: 10000 gecos: Lionel Porcheron loginShell: /bin/bash homeDirectory: /home/lionel shadowExpire: -1 shadowFlag: 0 shadowWarning: 7 shadowMin: 8 shadowMax: 999999 shadowLastChange: 10877 mail: lionel.porcheron@nomsans.local postalCode: 31000 l: Toulouse o: Nomsans mobile: +33 (0)6 xx xx xx xx homePhone: +33 (0)5 xx xx xx xx title: System Administrator postalAddress: initials: LP dn: cn=example,ou=groups,dc=nomsans,dc=local objectClass: posixGroup cn: example gidNumber: 10000 displayName: Example group
Do I need to replace all the example with "nomsans.local" and com with "local"? And lionel Porcheron with the created profile? I don't quite understand the tutorial that guy made :/
Sorry ^^"
Hello Usbeth :)
Indeed, if your LDAP server is not "on", you can make all the changes you want on FreeRADIUS without results ^^
For your last message:
I have the impression that "Leslie" is connecting correctly (except that the server is missing xD):
[ldap] bind as cn=Leslie,ou=admin,ou=info,dc=DOMAIN,dc=LOCAL/mypass to 10.1.69.50:389
It's just an impression; in fact, your FreeRADIUS log is simply using your ldap file (freeradius module) to display this nice line, but it's not even attempting to look it up.
But, well, you found the problem, and that's the main thing :)
You need to start your ldap (to make it functional), and I really can't help you without additional information (what commands did you type to install/configure your ldap). In my case, it was a Windows LDAP created with a Windows Server 2008R2.
I have no idea about yours (you only indicated that it was not OpenLDAP :) )
You're getting close :)
Hang in there!
Jak
Indeed, if your LDAP server is not "on", you can make all the changes you want on FreeRADIUS without results ^^
For your last message:
I have the impression that "Leslie" is connecting correctly (except that the server is missing xD):
[ldap] bind as cn=Leslie,ou=admin,ou=info,dc=DOMAIN,dc=LOCAL/mypass to 10.1.69.50:389
It's just an impression; in fact, your FreeRADIUS log is simply using your ldap file (freeradius module) to display this nice line, but it's not even attempting to look it up.
But, well, you found the problem, and that's the main thing :)
You need to start your ldap (to make it functional), and I really can't help you without additional information (what commands did you type to install/configure your ldap). In my case, it was a Windows LDAP created with a Windows Server 2008R2.
I have no idea about yours (you only indicated that it was not OpenLDAP :) )
You're getting close :)
Hang in there!
Jak
Hey!! Thank you very much for answering my call. But right now I'm just on launching the radtest command and I'm getting the response: no response from the server!
I've checked out a few tutorials but nothing has changed.
I'm definitely in root but the problem is that I don't see any freeradius in /etc/init.d, which means the server isn't even running. I've tried service freeradius start, and it responds "service unrecognized". Yet when I run radiusd -X, I get "ready for request".
Can anyone help me?
I've checked out a few tutorials but nothing has changed.
I'm definitely in root but the problem is that I don't see any freeradius in /etc/init.d, which means the server isn't even running. I've tried service freeradius start, and it responds "service unrecognized". Yet when I run radiusd -X, I get "ready for request".
Can anyone help me?
Hello,
I just implemented everything you said. However, I am encountering an error during the test. I can't seem to find it! Can you help me?
I am on Ubuntu.
Here are all my config files (just the strict minimum):
radiusd.conf :
The following line is correctly uncommented:
default :
ldap :
I've checked it I don't know how many times and I can't find the error!
Here's the command I run with radtest:
This is what I see in the terminal when I execute this command:
And this is what I get in my xterm (another terminal with the freeradius -X command enabled):
I hope you can help me, I'm a bit lost in all this..
Thanks in advance,
Usbeth
Check out my website ;)
www.frayday.wordpress.com
I just implemented everything you said. However, I am encountering an error during the test. I can't seem to find it! Can you help me?
I am on Ubuntu.
Here are all my config files (just the strict minimum):
radiusd.conf :
The following line is correctly uncommented:
$INCLUDE ${confdir}/modules/ default :
authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } digest should unix Auth-Type LDAP { ldap } ldap :
ldap { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "10.1.69.50" identity = "cn=Mickael,ou=admin,ou=info,dc=DOMAINE,dc=LOCAL" password = "123456789" basedn = "ou=utilisateurs,dc=DOMAINE,dc=LOCAL" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" #base_filter = "(objectclass=radiusprofile)" I've checked it I don't know how many times and I can't find the error!
Here's the command I run with radtest:
radtest Mickael 123456789 127.0.0.1 1812 testing123
This is what I see in the terminal when I execute this command:
Sending Access-Request of id 210 to 127.0.0.1 port 1812 User-Name = "Mickael" User-Password = "123456789" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=210, length=20
And this is what I get in my xterm (another terminal with the freeradius -X command enabled):
rad_recv: Access-Request packet from host 127.0.0.1 port 42438, id=210, length=77 User-Name = "Mickael" User-Password = "123456789" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Message-Authenticator = 0xbb5ae6f22954f4567b3d356bc2a9b10c # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "Mickael", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [ldap] performing user authorization for Mickael [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> Mickael [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=Mickael) [ldap] expand: ou=utilisateurs,dc=DOMAINE,dc=LOCAL -> ou=utilisateurs,dc=DOMAINE,dc=LOCAL [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 10.1.69.50:389, authentication 0 [ldap] bind as cn=Mickael,ou=admin,ou=info,dc=DOMAINE,dc=LOCAL/123456789 to 10.1.69.50:389 [ldap] cn=Mickael,ou=admin,ou=info,dc=DOMAINE,dc=LOCAL bind to 10.1.69.50:389 failed: Can't contact LDAP server [ldap] (re)connection attempt failed [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns fail Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> Mickael attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 210 to 127.0.0.1 port 42438 Waking up in 4.9 seconds. Cleaning up request 0 ID 210 with timestamp +28 Ready to process requests. I hope you can help me, I'm a bit lost in all this..
Thanks in advance,
Usbeth
Check out my website ;)
www.frayday.wordpress.com
Hello Usbeth,
Your log radius speaks for itself by giving you the reason for the radtest failure:
10.1.69.50:389 failed: Can't contact LDAP server
[ldap] (re)connection attempt failed
This means that before FreeRADIUS even tries to look for Mickael in your LDAP, it is already unable to contact it.
I notice that your LDAP address is 10.1.69.50
so suggestion:
Are you able to ping 10.1.69.50 from your server machine?
--> Try a # ping 10.1.69.50
If the ping doesn’t go through (network unreachable or other), then you need to make sure you are on the same network as your LDAP server, or at least ensure that you can reach it.
On the other hand, if the ping goes through, then we will dig deeper into the issue..
Good luck to you,
Jak
Your log radius speaks for itself by giving you the reason for the radtest failure:
10.1.69.50:389 failed: Can't contact LDAP server
[ldap] (re)connection attempt failed
This means that before FreeRADIUS even tries to look for Mickael in your LDAP, it is already unable to contact it.
I notice that your LDAP address is 10.1.69.50
so suggestion:
Are you able to ping 10.1.69.50 from your server machine?
--> Try a # ping 10.1.69.50
If the ping doesn’t go through (network unreachable or other), then you need to make sure you are on the same network as your LDAP server, or at least ensure that you can reach it.
On the other hand, if the ping goes through, then we will dig deeper into the issue..
Good luck to you,
Jak
Hi,
First of all, thank you for your response.
Well, actually FreeRadius & Ldap are on the same machine, which is 10.1.69.50.
Since the IP address 10.1.69.50 is the IP address of the PC I am trying to ping. Whatever my configuration is, I can ping it.
That's why I don't understand. Since I'm doing everything on the same machine, why can't I contact the Ldap server? I expected to have an issue, but not this kind.
Yet, I followed exactly what you said in your tutorial. Well, except for any oversight or anything. There is definitely a problem since it's not working perfectly :)
Thanks again,
Usbeth
--
Check out my site ;)
www.frayday.wordpress.com
First of all, thank you for your response.
Well, actually FreeRadius & Ldap are on the same machine, which is 10.1.69.50.
Since the IP address 10.1.69.50 is the IP address of the PC I am trying to ping. Whatever my configuration is, I can ping it.
That's why I don't understand. Since I'm doing everything on the same machine, why can't I contact the Ldap server? I expected to have an issue, but not this kind.
Yet, I followed exactly what you said in your tutorial. Well, except for any oversight or anything. There is definitely a problem since it's not working perfectly :)
Thanks again,
Usbeth
--
Check out my site ;)
www.frayday.wordpress.com
Hello,
I uninstalled FreeRADIUS and started all over again. I have exactly the same error:
Output from the "freeradius -X" command:
Moreover, when I run the following commands, I get the following results:
My FreeRADIUS & LDAP are on the same machine, with the following IP address "10.1.69.50". I don't understand why there is an error contacting this LDAP server when it is on the same machine.
Is there anyone who knows the answer and can save my life?!
Thanks again,
Usbeth
Feel free to check out my website ;)
www.frayday.wordpress.com
I uninstalled FreeRADIUS and started all over again. I have exactly the same error:
radtest Leslie mypass 127.0.0.1 1812 testing123 Sending Access-Request of id 229 to 127.0.0.1 port 1812 User-Name = "Leslie" User-Password = "mypass" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=229, length=20
Output from the "freeradius -X" command:
rad_recv: Access-Request packet from host 127.0.0.1 port 50608, id=229, length=76 User-Name = "Leslie" User-Password = "mypass" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Message-Authenticator = 0x625f2c3a9ecdc39a3a4d4f466c78e369 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "Leslie", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [ldap] performing user authorization for Leslie [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> Leslie [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=Leslie) [ldap] expand: ou=utilisateurs,dc=DOMAINE,dc=LOCAL -> ou=utilisateurs,dc=DOMAINE,dc=LOCAL [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 10.1.69.50:389, authentication 0 [ldap] bind as cn=Leslie,ou=admin,ou=info,dc=DOMAINE,dc=LOCAL/mypass to 10.1.69.50:389 [ldap] cn=Leslie,ou=admin,ou=info,dc=DOMAINE,dc=LOCAL bind to 10.1.69.50:389 failed: Can't contact LDAP server [ldap] (re)connection attempt failed [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns fail Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> Leslie attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 229 to 127.0.0.1 port 50608 Waking up in 4.9 seconds. Cleaning up request 0 ID 229 with timestamp +9 Ready to process requests. Moreover, when I run the following commands, I get the following results:
/etc/init.d/freeradius stop * Stopping FreeRADIUS daemon freeradius * /var/run/freeradius/freeradius.pid not found... [ OK ] brice-HP etc # /etc/init.d/freeradius start * Starting FreeRADIUS daemon freeradius [fail]
My FreeRADIUS & LDAP are on the same machine, with the following IP address "10.1.69.50". I don't understand why there is an error contacting this LDAP server when it is on the same machine.
Is there anyone who knows the answer and can save my life?!
Thanks again,
Usbeth
Feel free to check out my website ;)
www.frayday.wordpress.com
Hi everyone, I think I spoke too soon!!!
My server won't start!!
I've tried every imaginable command: service freeradius start, radiusd -X, service radiusd start. Each time it replies, service unrecognized.
When I run the command radiusd start or radiusd stop, nothing shows up, it should work but when checking in /etc/init.d, there is no freeradius service.
So I've tried to configure it with ldap but I keep getting errors: failed to link rlm_ldap
Something like that. Can someone help me?
My server won't start!!
I've tried every imaginable command: service freeradius start, radiusd -X, service radiusd start. Each time it replies, service unrecognized.
When I run the command radiusd start or radiusd stop, nothing shows up, it should work but when checking in /etc/init.d, there is no freeradius service.
So I've tried to configure it with ldap but I keep getting errors: failed to link rlm_ldap
Something like that. Can someone help me?
Hi,
try the command:
I had a similar problem, and whenever I tried to start it, it would fail. Or alternatively, try stopping it before starting it.
Otherwise, if you're motivated, I recommend completely purging freeradius and starting over with everything you did. That's what I did.
But well, it doesn't work for me either xD
try the command:
/etc/init.d/freeradius restart service freeradius restart
I had a similar problem, and whenever I tried to start it, it would fail. Or alternatively, try stopping it before starting it.
Otherwise, if you're motivated, I recommend completely purging freeradius and starting over with everything you did. That's what I did.
But well, it doesn't work for me either xD
I share Usbeth's opinion, #apt-get autoremove freeradius
This command will uninstall freeradius.
If you don't want to reinstall, then check your ldap module call (in radiusd.conf) because the error you reported to us (failed to link rlm_ldap) means that your module is not reachable. Did you properly install freeradius-ldap at the beginning of your configuration? Did you modify your radiusd.conf (or other files) in any way other than what I suggested?
Hang in there and... Be patient :)
This command will uninstall freeradius.
If you don't want to reinstall, then check your ldap module call (in radiusd.conf) because the error you reported to us (failed to link rlm_ldap) means that your module is not reachable. Did you properly install freeradius-ldap at the beginning of your configuration? Did you modify your radiusd.conf (or other files) in any way other than what I suggested?
Hang in there and... Be patient :)
Hello,
To solve my problem, I might need to do the following:
1 => Ensure that the "ldap" modules are uncommented in the files radiud.conf, /etc/freeradius/site-available/default, /etc/freeradius/site-available/inner-tunnel
2 => Edit /etc/freeradius/clients.conf:
client localhost {
ipaddr = 127.0.0.1
secret = your_nas_radius_secret
nastype = other
}
3 => Edit /usr/share/freeradius/dictionary and add:
VALUE Auth-Type LDAP 5
4 => Edit /etc/freeradius/users and add:
DEFAULT Auth-Type := LDAP
Fall-Through = 1
What do you think? Apparently, step 4 should not be done; opinions vary on this. Supposedly, "it only brings errors, and if we run in debug mode freeradius (sudo freeradius -X), it throws a nasty error!"
I also don’t understand why it tells me "/var/run/freeradius/freeradius.pid not found..." (see previous message) and especially its usefulness. Could someone help me?
After searching everywhere, I am making lots of different configs/tests. But I still do not have the desired result: the proper functioning of my freeradius server.
Best regards,
Usbeth
Feel free to check out my site ;)
www.frayday.wordpress.com
To solve my problem, I might need to do the following:
1 => Ensure that the "ldap" modules are uncommented in the files radiud.conf, /etc/freeradius/site-available/default, /etc/freeradius/site-available/inner-tunnel
2 => Edit /etc/freeradius/clients.conf:
client localhost {
ipaddr = 127.0.0.1
secret = your_nas_radius_secret
nastype = other
}
3 => Edit /usr/share/freeradius/dictionary and add:
VALUE Auth-Type LDAP 5
4 => Edit /etc/freeradius/users and add:
DEFAULT Auth-Type := LDAP
Fall-Through = 1
What do you think? Apparently, step 4 should not be done; opinions vary on this. Supposedly, "it only brings errors, and if we run in debug mode freeradius (sudo freeradius -X), it throws a nasty error!"
I also don’t understand why it tells me "/var/run/freeradius/freeradius.pid not found..." (see previous message) and especially its usefulness. Could someone help me?
After searching everywhere, I am making lots of different configs/tests. But I still do not have the desired result: the proper functioning of my freeradius server.
Best regards,
Usbeth
Feel free to check out my site ;)
www.frayday.wordpress.com
Hello Usbeth,
Your step 3), namely editing the dictionary file, as well as your step 4), which involves modifying the USER file, are unfortunately unnecessary. :-)
Let me explain: First of all, the default dictionary file includes the attributes from RFC2865. This dictionary establishes the correspondence between "attribute names" - "number". It is not recommended at all to modify it in our case. Then, let’s think logically. =) We are asking FreeRADIUS for LDAP authentication (see file sites-available/default), from there, FreeRADIUS will attempt this LDAP authentication using the LDAP module (see file radiusd.conf which in turn calls modules/ldap). Modifying the USER file does not allow anything, except for adding a user in addition to those in your LDAP. Moreover, we can see in the logs that FreeRADIUS is indeed asking the LDAP, look:
++[files] returns noop
[ldap] performing user authorization for Leslie
the [files] return noop informs you that the FILE user will not be used ^^
One crucial thing to remember: By DEFAULT, a FreeRADIUS server is functional (as long as the commands #apt-get update and #apt-get upgrade have been executed). So what generally causes instability (or even non-functionality) of your server are all these additional manipulations.
You need to keep it as simple as possible from the beginning, changing the minimum number of things, and the issues will disappear (except for exceptions, of course).
For your connection to your LDAP, I don't know if you modified the LDAP module in the manner I indicated (by changing uid to sAMAccountName). This change is specific to the LDAP configuration and may indeed be the error that prevents you from advancing. Also, check very carefully the path of your LDAP reader (identity password) :-)
Another thing, if your FreeRADIUS and your LDAP are on the same physical machine, one of them might be virtualized? FreeRADIUS is in a Linux environment and LDAP is Windows (or is it OpenLDAP?) --> This difference obviously changes the method of configuring the LDAP module :-)
In any case, I will try to help you as much as possible (but I am not a FreeRADIUS expert). If you find the error, don't forget to redo everything neatly :)
Good luck to you
Jak
Your step 3), namely editing the dictionary file, as well as your step 4), which involves modifying the USER file, are unfortunately unnecessary. :-)
Let me explain: First of all, the default dictionary file includes the attributes from RFC2865. This dictionary establishes the correspondence between "attribute names" - "number". It is not recommended at all to modify it in our case. Then, let’s think logically. =) We are asking FreeRADIUS for LDAP authentication (see file sites-available/default), from there, FreeRADIUS will attempt this LDAP authentication using the LDAP module (see file radiusd.conf which in turn calls modules/ldap). Modifying the USER file does not allow anything, except for adding a user in addition to those in your LDAP. Moreover, we can see in the logs that FreeRADIUS is indeed asking the LDAP, look:
++[files] returns noop
[ldap] performing user authorization for Leslie
the [files] return noop informs you that the FILE user will not be used ^^
One crucial thing to remember: By DEFAULT, a FreeRADIUS server is functional (as long as the commands #apt-get update and #apt-get upgrade have been executed). So what generally causes instability (or even non-functionality) of your server are all these additional manipulations.
You need to keep it as simple as possible from the beginning, changing the minimum number of things, and the issues will disappear (except for exceptions, of course).
For your connection to your LDAP, I don't know if you modified the LDAP module in the manner I indicated (by changing uid to sAMAccountName). This change is specific to the LDAP configuration and may indeed be the error that prevents you from advancing. Also, check very carefully the path of your LDAP reader (identity password) :-)
Another thing, if your FreeRADIUS and your LDAP are on the same physical machine, one of them might be virtualized? FreeRADIUS is in a Linux environment and LDAP is Windows (or is it OpenLDAP?) --> This difference obviously changes the method of configuring the LDAP module :-)
In any case, I will try to help you as much as possible (but I am not a FreeRADIUS expert). If you find the error, don't forget to redo everything neatly :)
Good luck to you
Jak
Hi Jak,
First of all, thank you for your help and your information!
I haven't executed this yet:
Since I'm not using an ADW.
I have my freeradius server and my Ldap on the same machine, which is an Ubuntu. Is it because I have everything on Ubuntu that it's not working?
I don't have Open Ldap.
I think there must be an error in the ldap file:
I don’t understand the lines identity, basedn, as well as filter. There must surely be an error around there. I also have a question. Does putting the password without quotes cause a problem?
I tried both with and without, it doesn't change anything.
I also don’t understand what you mean by LDAP path.
Thanks again,
Usbeth
First of all, thank you for your help and your information!
I haven't executed this yet:
Let's move to the line filter = --> Don't modify this line unless you're using a Windows Active Directory. If that's the case, change "uid=...etc" to sAMAccountName=...(the rest of the line remains unchanged)
Since I'm not using an ADW.
I have my freeradius server and my Ldap on the same machine, which is an Ubuntu. Is it because I have everything on Ubuntu that it's not working?
I don't have Open Ldap.
I think there must be an error in the ldap file:
identity = "cn=Leslie,ou=admin,ou=info,dc=DOMAIN,dc=LOCAL" password = mypass basedn = "ou=users,dc=DOMAIN,dc=LOCAL" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" I don’t understand the lines identity, basedn, as well as filter. There must surely be an error around there. I also have a question. Does putting the password without quotes cause a problem?
I tried both with and without, it doesn't change anything.
I also don’t understand what you mean by LDAP path.
Thanks again,
Usbeth
Well well,
You are therefore on a single UNIX Ubuntu machine (LTS server or desktop?).
To explain the lines you mentioned:
identity is used here to "identify yourself" to your LDAP, meaning that not just anyone can read your LDAP like that; you need to choose a user with read access to it.
password is obviously the password of the person mentioned earlier.
If your LDAP recognizes "Leslie," then the log will tell you:
[ldap] attempting LDAP reconnection
[ldap] (re)connect to 10.1.69.50:389, authentication 0
[ldap] bind successful
or something close to that, in any case.
But the issue you are facing here does not concern "Leslie," so not Identity (at least for now). Your LDAP is not being queried because it is unreachable.
Thanks to the latest information you gave me (and I thank you for that :-) ), we can say with certainty that ping works --> BUT what could be simpler for your machine than to ping itself (after all, your ping to FreeRADIUS would be exactly the same #ping 10.1.69.50, right?) so you need to check if your LDAP server is functional.
Suggestions:
- Is it running?
- Do you have a way to see its logs?
- Are the test LDAP commands okay?
Recommendations:
- run a #tail -f /var/log/syslog in a separate terminal (if you are using a graphical interface) or in TTY2 (if you are in console mode). This command displays in real-time (thanks to the -f) the logs of your system.
- perform a query test on your LDAP with the following command (see if you need to modify it a bit):
#ldapsearch -x -b "ou=users,dc=DOMAIN,dc=LOCAL" 'uid=Leslie'
the -x means "simple query" and the -b is equivalent to the basedn of FreeRADIUS (the path where the users are located).
note: if ldapsearch is not installed, here is the command:
#apt-get install ldap-utils
As long as you cannot get ldapsearch to work, then it makes no sense to look for the problem in FreeRADIUS (at least that's what I think).
I'll check back this evening, crossing my fingers for you ;)
Good luck!
Jak
You are therefore on a single UNIX Ubuntu machine (LTS server or desktop?).
To explain the lines you mentioned:
identity is used here to "identify yourself" to your LDAP, meaning that not just anyone can read your LDAP like that; you need to choose a user with read access to it.
password is obviously the password of the person mentioned earlier.
If your LDAP recognizes "Leslie," then the log will tell you:
[ldap] attempting LDAP reconnection
[ldap] (re)connect to 10.1.69.50:389, authentication 0
[ldap] bind successful
or something close to that, in any case.
But the issue you are facing here does not concern "Leslie," so not Identity (at least for now). Your LDAP is not being queried because it is unreachable.
Thanks to the latest information you gave me (and I thank you for that :-) ), we can say with certainty that ping works --> BUT what could be simpler for your machine than to ping itself (after all, your ping to FreeRADIUS would be exactly the same #ping 10.1.69.50, right?) so you need to check if your LDAP server is functional.
Suggestions:
- Is it running?
- Do you have a way to see its logs?
- Are the test LDAP commands okay?
Recommendations:
- run a #tail -f /var/log/syslog in a separate terminal (if you are using a graphical interface) or in TTY2 (if you are in console mode). This command displays in real-time (thanks to the -f) the logs of your system.
- perform a query test on your LDAP with the following command (see if you need to modify it a bit):
#ldapsearch -x -b "ou=users,dc=DOMAIN,dc=LOCAL" 'uid=Leslie'
the -x means "simple query" and the -b is equivalent to the basedn of FreeRADIUS (the path where the users are located).
note: if ldapsearch is not installed, here is the command:
#apt-get install ldap-utils
As long as you cannot get ldapsearch to work, then it makes no sense to look for the problem in FreeRADIUS (at least that's what I think).
I'll check back this evening, crossing my fingers for you ;)
Good luck!
Jak
I just understood what was wrong, thanks to your last message! I'm such a loser!
Oh MY GOD!
Explanation:
To me, the ldap server was supposed to start automatically. I mean, I thought it was unnecessary to start it. That's why I didn't try to launch it. But it needs to be started, just like freeradius!
To start it, I searched online and I came across the following command:
I type it in the terminal but nothing happens! Result of the command:
That's the million-dollar question!
I'll keep you updated if I find out before you get back to me.
Thanks, buddy!
Oh MY GOD!
Explanation:
To me, the ldap server was supposed to start automatically. I mean, I thought it was unnecessary to start it. That's why I didn't try to launch it. But it needs to be started, just like freeradius!
To start it, I searched online and I came across the following command:
/etc/init.d/ldap start
I type it in the terminal but nothing happens! Result of the command:
bash: /etc/init.d/ldap: No such file or directoryYet, I did download the files you mentioned (freeradius and freeradius-ldap). So why can't I run the command to start the ldap server?!
That's the million-dollar question!
I'll keep you updated if I find out before you get back to me.
Thanks, buddy!
I think a file or a command line might be missing. In any case, I'm 100% sure the error is there! I feel like "Leslie" is connecting correctly (except that the server is missing xD):
If I manage to start that damn Ldap server, I’m 99.9999% sure everything will work all of a sudden. (Except there’s that 0.0001% that makes me greatly doubt ^^)
[ldap] bind as cn=Leslie,ou=admin,ou=info,dc=DOMAIN,dc=LOCAL/mypass to 10.1.69.50:389
If I manage to start that damn Ldap server, I’m 99.9999% sure everything will work all of a sudden. (Except there’s that 0.0001% that makes me greatly doubt ^^)
Hello there!
Today I'm motivated to solve this problem!
Okay, I see. To install/configure my ldap, I simply did:
As you said in the tutorial you made. And then I did everything you mentioned in the tutorial. I didn't touch anything else. I have a file in /etc/ldap/ldap.conf (that's the only file in that folder). I looked at what's inside, which is not much.
File /etc/ldap/ldap.conf:
In my opinion, it must be impossible this way if I don't do Ldap on Windows, right? Do you think I should do an OpenLdap since I'm on Ubuntu and not on Windows like you? Could you help me set it up if you know how?
Sincerely,
Usbeth.
--
Check out my website ;)
www.frayday.wordpress.com
Today I'm motivated to solve this problem!
Okay, I see. To install/configure my ldap, I simply did:
apt-get install freeradius-ldap
As you said in the tutorial you made. And then I did everything you mentioned in the tutorial. I didn't touch anything else. I have a file in /etc/ldap/ldap.conf (that's the only file in that folder). I looked at what's inside, which is not much.
File /etc/ldap/ldap.conf:
# # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. #BASE dc=example,dc=com #URI ldap://ldap.example.com ldap://ldap-master.example.com:666 #SIZELIMIT 12 #TIMELIMIT 15 #DEREF never # TLS certificates (needed for GnuTLS) TLS_CACERT /etc/ssl/certs/ca-certificates.crt
In my opinion, it must be impossible this way if I don't do Ldap on Windows, right? Do you think I should do an OpenLdap since I'm on Ubuntu and not on Windows like you? Could you help me set it up if you know how?
Sincerely,
Usbeth.
--
Check out my website ;)
www.frayday.wordpress.com
Re! :D
Sorry for the double message but it's important to solve this murder case! :O
We have an incredible clue! The Ldap server is WORKING!! :
I performed a :
I don't know what it means but it's fantastic! :D Now the authentication is not working xD (And yes! There's always a problem! But we will conquer!). So!
Well, now we need to make all this work and understand why the auth is not functioning. Do you accept the mission? YES! We will conquer!
Best regards,
Usbeth.
Come and check out my site ;)
www.frayday.wordpress.com
Sorry for the double message but it's important to solve this murder case! :O
We have an incredible clue! The Ldap server is WORKING!! :
apt-get install slapd
radtest Leslie kikou 127.0.0.1 1812 testing123 Sending Access-Request of id 159 to 127.0.0.1 port 1812 User-Name = "Leslie" User-Password = "kikou" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=159, length=20
rad_recv: Access-Request packet from host 127.0.0.1 port 37687, id=159, length=76 User-Name = "Leslie" User-Password = "kikou" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Message-Authenticator = 0x836e0a504ea6396922e228599deeb301 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "Leslie", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [ldap] performing user authorization for Leslie [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> Leslie [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=Leslie) [ldap] expand: ou=utilisateurs,dc=DOMAINE,dc=LOCAL -> ou=utilisateurs,dc=DOMAINE,dc=LOCAL [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 10.1.69.50:389, authentication 0 [ldap] bind as cn=Leslie,ou=admin,ou=info,dc=DOMAINE,dc=LOCAL/kikou to 10.1.69.50:389 [ldap] waiting for bind result ... [ldap] LDAP login failed: check identity, password settings in ldap section of radiusd.conf [ldap] (re)connection attempt failed [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns fail Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> Leslie attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 159 to 127.0.0.1 port 37687 Waking up in 4.9 seconds. Cleaning up request 0 ID 159 with timestamp +5 Ready to process requests. I performed a :
ldapsearch -x -b "ou=utilisateurs,dc=DOMAINE,dc=LOCAL" 'uid=Leslie' # extended LDIF # # LDAPv3 # base <ou=utilisateurs,dc=DOMAINE,dc=LOCAL> with scope subtree # filter: uid=Leslie # requesting: ALL # # search result search: 2 result: 32 No such object # numResponses: 1
I don't know what it means but it's fantastic! :D Now the authentication is not working xD (And yes! There's always a problem! But we will conquer!). So!
Well, now we need to make all this work and understand why the auth is not functioning. Do you accept the mission? YES! We will conquer!
Best regards,
Usbeth.
Come and check out my site ;)
www.frayday.wordpress.com
Hi!! I see that at least you have a ready for request when launching radius in debug mode; well, I don't. It says, failed to link module rlm_ldap, I tried to install freeradius-ldap with:
apt-get update
apt-get upgrade
apt-get install freeradius-ldap
But it replies that freeradius-ldap is already the most recent version installed.
Does that mean it is already installed on my machine?
Help please? What should I do, I really don't want to uninstall it because I spent weeks getting out of "no response from the server" and I installed freeradius using a freeradius-server-2.2.0.tar.gz package.
apt-get update
apt-get upgrade
apt-get install freeradius-ldap
But it replies that freeradius-ldap is already the most recent version installed.
Does that mean it is already installed on my machine?
Help please? What should I do, I really don't want to uninstall it because I spent weeks getting out of "no response from the server" and I installed freeradius using a freeradius-server-2.2.0.tar.gz package.
I have reinstalled it several times and yes, I have installed freeradius-ldap, in other forums they say that the module is not activated? How is that possible?
When I have already recompiled it so many times!!
When I have already recompiled it so many times!!
Hello Leslie,
Maybe the issue comes from your .gz package.
Let me explain:
The command #apt-get install freeradius-ldap gives you the means to configure LDAP with FreeRADIUS.
But this command is only worthwhile and functions properly if and only if you install freeradius2.X with the command #apt-get install freeradius.
You should not use a freeradius package downloaded from anywhere other than the repository (the repository = apt-get install) if you then use an apt-get install. Do you see where I'm going with this?
Either EVERYTHING from the repository, meaning:
#apt-get update
#apt-get upgrade
#apt-get install freeradius
#apt-get install freeradius-ldap
or EVERYTHING without the repository using your method:
#wget http://XXXXXX.freeradius-2.0.0.tar.gz (be careful, this command does not exist, it's just an example)
#dpkg -i freeradius-2.0.0.tar.gz ...
So I install everything from the repository (to avoid compatibility issues or the like, which is your case)
Possible solutions:
- Remove the freeradius package you downloaded
then:
#apt-get autoremove freeradius
#apt-get autoremove freeradius-ldap
#apt-get install freeradius
#apt-get install freeradius-ldap
Be careful, you will not lose the contents of your FreeRADIUS configuration files (your modifications will remain intact)
I hope I can help you more in the future
Good luck to you
Jak
Maybe the issue comes from your .gz package.
Let me explain:
The command #apt-get install freeradius-ldap gives you the means to configure LDAP with FreeRADIUS.
But this command is only worthwhile and functions properly if and only if you install freeradius2.X with the command #apt-get install freeradius.
You should not use a freeradius package downloaded from anywhere other than the repository (the repository = apt-get install) if you then use an apt-get install. Do you see where I'm going with this?
Either EVERYTHING from the repository, meaning:
#apt-get update
#apt-get upgrade
#apt-get install freeradius
#apt-get install freeradius-ldap
or EVERYTHING without the repository using your method:
#wget http://XXXXXX.freeradius-2.0.0.tar.gz (be careful, this command does not exist, it's just an example)
#dpkg -i freeradius-2.0.0.tar.gz ...
So I install everything from the repository (to avoid compatibility issues or the like, which is your case)
Possible solutions:
- Remove the freeradius package you downloaded
then:
#apt-get autoremove freeradius
#apt-get autoremove freeradius-ldap
#apt-get install freeradius
#apt-get install freeradius-ldap
Be careful, you will not lose the contents of your FreeRADIUS configuration files (your modifications will remain intact)
I hope I can help you more in the future
Good luck to you
Jak
Have you installed slapd? (LDAP server)
--
Go take a look at my website ;)
www.frayday.wordpress.com
--
Go take a look at my website ;)
www.frayday.wordpress.com
Hi,
Thanks jak, I'll try that, but I have a little problem, I no longer have the "directory" file!
Does anyone have it for me?
I'm such a klutz ^^"
--
Check out my site ;)
www.frayday.wordpress.com
Thanks jak, I'll try that, but I have a little problem, I no longer have the "directory" file!
Does anyone have it for me?
I'm such a klutz ^^"
--
Check out my site ;)
www.frayday.wordpress.com
/etc/freeradius/directory
In fact, as soon as I run /etc/init.d/freeradius restart or start, I get a fail. And I think it's because this file is missing.
Launching the command freeradius -X
I apparently also need the file snmp.conf.
In fact, as soon as I run /etc/init.d/freeradius restart or start, I get a fail. And I think it's because this file is missing.
Launching the command freeradius -X
freeradius -X FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Sep 11 2012 at 22:27:05 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including configuration file /etc/freeradius/snmp.conf Unable to open file "/etc/freeradius/snmp.conf": No such file or directory Errors reading /etc/freeradius/radiusd.conf
I apparently also need the file snmp.conf.
Hi Jak! Thanks for your advice! Because now that I have fewer errors when launching in debug mode, BUT when I run the radtest command, I get an access-reject, which is strange because it worked in my previous freeradius. I redid the same configurations but to no avail. Can you please help me!!
I uncommented a user in the users file for testing and configured clients.conf as usual! So where is the problem? Authentication with EAP is enabled by default.
I uncommented a user in the users file for testing and configured clients.conf as usual! So where is the problem? Authentication with EAP is enabled by default.
Hello Leslie,
I'll be happy to help you, at least if I'm able to... :)
I need some information. So you've reinstalled FreeRADIUS which this time starts without any issues, however, radtest is failing.
Questions:
- Are you using an LDAP alongside or just the USERS file?
- Do you have an accessible and operational LDAP (cf. Usbeth :-D)?
- Have you configured your LDAP module? (identity, password, ...)?
- Have you properly authorized LDAP in the sites-available/default file by uncommenting the associated lines?
EAP authentication normally doesn't pose any problem, as long as everything is passed in clear (unencrypted).
Recommendations:
- Run FreeRADIUS in debug mode (first stop it with the command #/etc/init.d/freeradius stop then restart it in debug mode with #freeradius -X) and paste us what it tells you when you run a radtest (the same way as Usbeth) so we can analyze all this :-)
Good luck!
Jak
I'll be happy to help you, at least if I'm able to... :)
I need some information. So you've reinstalled FreeRADIUS which this time starts without any issues, however, radtest is failing.
Questions:
- Are you using an LDAP alongside or just the USERS file?
- Do you have an accessible and operational LDAP (cf. Usbeth :-D)?
- Have you configured your LDAP module? (identity, password, ...)?
- Have you properly authorized LDAP in the sites-available/default file by uncommenting the associated lines?
EAP authentication normally doesn't pose any problem, as long as everything is passed in clear (unencrypted).
Recommendations:
- Run FreeRADIUS in debug mode (first stop it with the command #/etc/init.d/freeradius stop then restart it in debug mode with #freeradius -X) and paste us what it tells you when you run a radtest (the same way as Usbeth) so we can analyze all this :-)
Good luck!
Jak
Hi! Thanks for replying, uh, here’s an excerpt of what it shows when launching radiusd -X
with_ntdomain_hack = no
allow_retry = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file /usr/local/etc/raddb/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /usr/local/etc/raddb/modules/unix
unix {
radwtmp = "/usr/local/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/usr/local/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.pem"
certificate_file = "/usr/local/etc/raddb/certs/server.pem"
CA_file = "/usr/local/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/usr/local/etc/raddb/certs/dh"
random_file = "/usr/local/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /usr/local/etc/raddb/modules/preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/huntgroups"
hints = "/usr/local/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /usr/local/etc/raddb/huntgroups
reading pairlist file /usr/local/etc/raddb/hints
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /usr/local/etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /usr/local/etc/raddb/modules/files
files {
usersfile = "/usr/local/etc/raddb/users"
acctusersfile = "/usr/local/etc/raddb/acct_users"
preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
compat = "no"
}
reading pairlist file /usr/local/etc/raddb/users
reading pairlist file /usr/local/etc/raddb/acct_users
reading pairlist file /usr/local/etc/raddb/preproxy_users
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /usr/local/etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /usr/local/etc/raddb/modules/detail
detail {
detailfile = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /usr/local/etc/raddb/attrs.accounting_response
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /usr/local/etc/raddb/modules/radutmp
radutmp {
filename = "/usr/local/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /usr/local/etc/raddb/attrs.access_reject
} # modules
} # server
server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/usr/local/var/run/radiusd/radiusd.sock"
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
... adding new socket proxy address * port 33019
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
And when I run the radtest, I get this:
Sending Access-Request of id 200 to 127.0.0.1 port 1812
User-Name = "steve"
User-Password = "testing"
NAS-IP-Address = 192.168.11.30
NAS-Port = 1812
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=200, length=20
I do have a reachable LDAP, but I wanted to make sure it works locally first!
with_ntdomain_hack = no
allow_retry = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file /usr/local/etc/raddb/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /usr/local/etc/raddb/modules/unix
unix {
radwtmp = "/usr/local/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/usr/local/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.pem"
certificate_file = "/usr/local/etc/raddb/certs/server.pem"
CA_file = "/usr/local/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/usr/local/etc/raddb/certs/dh"
random_file = "/usr/local/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /usr/local/etc/raddb/modules/preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/huntgroups"
hints = "/usr/local/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /usr/local/etc/raddb/huntgroups
reading pairlist file /usr/local/etc/raddb/hints
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /usr/local/etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /usr/local/etc/raddb/modules/files
files {
usersfile = "/usr/local/etc/raddb/users"
acctusersfile = "/usr/local/etc/raddb/acct_users"
preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
compat = "no"
}
reading pairlist file /usr/local/etc/raddb/users
reading pairlist file /usr/local/etc/raddb/acct_users
reading pairlist file /usr/local/etc/raddb/preproxy_users
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /usr/local/etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /usr/local/etc/raddb/modules/detail
detail {
detailfile = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /usr/local/etc/raddb/attrs.accounting_response
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /usr/local/etc/raddb/modules/radutmp
radutmp {
filename = "/usr/local/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /usr/local/etc/raddb/attrs.access_reject
} # modules
} # server
server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/usr/local/var/run/radiusd/radiusd.sock"
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
... adding new socket proxy address * port 33019
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
And when I run the radtest, I get this:
Sending Access-Request of id 200 to 127.0.0.1 port 1812
User-Name = "steve"
User-Password = "testing"
NAS-IP-Address = 192.168.11.30
NAS-Port = 1812
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=200, length=20
I do have a reachable LDAP, but I wanted to make sure it works locally first!
Hello you two :)
Ah, it seems to revolve around the snmp.conf, doesn’t it? :)
Bad news for you, Leslie, your issue doesn't come from there.
I did some tests and noticed that depending on your machine, you cannot use ldap and file at the same time (in fact, you can, but it's quite unstable). So I think that in any case, your users in USERS will be rejected.
Thanks to your startup log, I noticed that there were no issues (at least at first glance). What I need now are the logs from your FreeRADIUS at the time of the radtest :) If you want and to make it easier for you, you can open a second terminal and type #tail -f /var/log/freeradius/radius.log
Then please copy me the information from this window during the radtest :)
Usbeth,
Are you sure that your radius doesn't start without this file "snmp.conf"? Mine is simply not present and everything seems to be working :-/
Maybe the issue isn't here?
--
Jakscoreur - Networks and Telecommunications =)
Ah, it seems to revolve around the snmp.conf, doesn’t it? :)
Bad news for you, Leslie, your issue doesn't come from there.
I did some tests and noticed that depending on your machine, you cannot use ldap and file at the same time (in fact, you can, but it's quite unstable). So I think that in any case, your users in USERS will be rejected.
Thanks to your startup log, I noticed that there were no issues (at least at first glance). What I need now are the logs from your FreeRADIUS at the time of the radtest :) If you want and to make it easier for you, you can open a second terminal and type #tail -f /var/log/freeradius/radius.log
Then please copy me the information from this window during the radtest :)
Usbeth,
Are you sure that your radius doesn't start without this file "snmp.conf"? Mine is simply not present and everything seems to be working :-/
Maybe the issue isn't here?
--
Jakscoreur - Networks and Telecommunications =)
If I comment out the entire SNMP section, I get the following error:
freeradius -X FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Sep 11 2012 at 22:27:05 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/ippool WARNING: No such configuration item db_dir /etc/freeradius/modules/ippool[47]: Reference "${db_dir}/db.ippool" not found Errors reading /etc/freeradius/radiusd.conf
OK,
If I trust the logs, you are using ippools (IP address groups) for your configuration?
Apparently, you are using the db.ippool module which requires a separate database to manage IP address groups and I don't think that's what you want, right?
If that's not on the agenda, then simply disable the db.ippool module in the /modules/ippool file.
If I trust the logs, you are using ippools (IP address groups) for your configuration?
Apparently, you are using the db.ippool module which requires a separate database to manage IP address groups and I don't think that's what you want, right?
If that's not on the agenda, then simply disable the db.ippool module in the /modules/ippool file.
Awesome! Next, I encountered another error that I fixed! But this one I have no idea about.
I don't know this file. So I tried a lot of different things but nothing ^^" So I reset the file as if I had never touched it.
freeradius -X FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Sep 11 2012 at 22:27:05 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including configuration file /etc/freeradius/snmp.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/redis including configuration file /etc/freeradius/modules/soh including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/rediswho including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/replicate including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/counter WARNING: No such configuration item db_dir /etc/freeradius/modules/counter[72]: Reference "${db_dir}/db.daily" not found Errors reading /etc/freeradius/radiusd.conf I don't know this file. So I tried a lot of different things but nothing ^^" So I reset the file as if I had never touched it.
Hello hello,
It's strange you have an error in your "counter" module. Are you collecting them or what? ^^
So just like with the ippool module, you don't need the counter module unless you want to log out your users at a specific time. (the counter module is used to stop the authentication and accounting of a person at the end of a given time). If you're using a captive portal, it's better to use its own counter, but it's the same, you need to have a reason for it.
If you don't need it, you shouldn't use the counter module. But by default, it usually doesn't cause any issues.
By default, your module should only contain the following lines (in addition to a lot of comments):
counter daily {
filename = ${db_dir}/db.daily #apparently this line is causing you issues
key = User-Name
count-attribute = Act-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
reply-name = Session-Timeout
allowed-servicetype = Framed-User
cache-size = 5000
It's strange you have an error in your "counter" module. Are you collecting them or what? ^^
So just like with the ippool module, you don't need the counter module unless you want to log out your users at a specific time. (the counter module is used to stop the authentication and accounting of a person at the end of a given time). If you're using a captive portal, it's better to use its own counter, but it's the same, you need to have a reason for it.
If you don't need it, you shouldn't use the counter module. But by default, it usually doesn't cause any issues.
By default, your module should only contain the following lines (in addition to a lot of comments):
counter daily {
filename = ${db_dir}/db.daily #apparently this line is causing you issues
key = User-Name
count-attribute = Act-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
reply-name = Session-Timeout
allowed-servicetype = Framed-User
cache-size = 5000
Hey!
Yeah, I admit it! I'm the pro of mistakes xD
I would really like to have no errors but oh well ^^"
I just commented out this line and it's good. But, for a change, I have another error in a file
I'm going to beat freeradius! I'm almost there, I can feel it. And I'm going to try to find this error
Edit!
Found it! :D
Since I'm not using sql, I commented out a line including the sql files.
And I have another error xDDDD
I'm soooooo tired!
Let's do it!
Yeah, I admit it! I'm the pro of mistakes xD
I would really like to have no errors but oh well ^^"
I just commented out this line and it's good. But, for a change, I have another error in a file
including configuration file /etc/freeradius/sql/mysql/dialup.conf Unable to open file "/etc/freeradius/sql/mysql/dialup.conf": No such file or directory Errors reading /etc/freeradius/radiusd.conf
I'm going to beat freeradius! I'm almost there, I can feel it. And I'm going to try to find this error
Edit!
Found it! :D
Since I'm not using sql, I commented out a line including the sql files.
And I have another error xDDDD
I'm soooooo tired!
including configuration file /etc/freeradius/sites-enabled/default main { user = "radiusd" group = "radiusd" allow_core_dumps = no } freeradius: Cannot get ID for group radiusd: Success Let's do it!
- 1
- 2
Next
I have been working with freeradius for almost a month and a half as part of my internship project. The goal of the project is to enable authentication and accounting for asterisk users from freeradius.
All the tutorials I have consulted so far do not help me make progress in my project.
I have used radiusclient-ng as a radius client between the two servers, but it does not work. If you have worked on this before, I would need your help.
Thank you for your contribution.