[Freeipa-users] FreeIPA & FreeRadius LDAP auth issue

Boris Cheperis boris at datarobot.com
Tue Apr 12 12:02:40 UTC 2016


Hi, 

I've started using FreeIPA and got fascinated with its capabilities, but recently I tried to configure FreeRadius integration
for WiFi authentication and ran into some issues.

I've configured LDAP integration, and when I run a test everything seems fine:

----
radtest dmitry.fedorov fedor 127.0.0.1 100 testing123
Sending Access-Request Id 93 from 0.0.0.0:54153 to 127.0.0.1:1812
	User-Name = 'dmitry.fedorov'
	User-Password = 'fedor'
	NAS-IP-Address = 10.0.0.12
	NAS-Port = 100
	Message-Authenticator = 0x00
Received Access-Accept Id 93 from 127.0.0.1:1812 to 127.0.0.1:54153 length 20
-----

But when I try to do a real-world test and run authentication on a wifi device I get this:

---
(10)  ERROR: eap : Failed continuing EAP PEAP (25) session. EAP sub-module failed
(10)  eap : Failed in EAP select
(10)   [eap] = invalid
(10)  } #  authenticate = invalid
(10) Failed to authenticate the user
(10) Using Post-Auth-Type Reject
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10)  Post-Auth-Type REJECT {
(10)  attr_filter.access_reject : EXPAND %{User-Name}
(10)  attr_filter.access_reject :    --> dmitry.fedorov
(10)  attr_filter.access_reject : Matched entry DEFAULT at line 11
(10)   [attr_filter.access_reject] = updated
(10)  eap : Reply already contained an EAP-Message, not inserting EAP-Failure
(10)   [eap] = noop
(10)   remove_reply_message_if_eap remove_reply_message_if_eap {
(10)     if (&reply:EAP-Message && &reply:Reply-Message) 
(10)     if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(10)    else else {
(10)     [noop] = noop
(10)    } # else else = noop
(10)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(10)  } # Post-Auth-Type REJECT = updated
(10) Delaying response for 1 seconds
Waking up in 0.1 seconds.
Waking up in 0.6 seconds.
(10) Sending delayed response
(10) Sending Access-Reject packet to host 10.0.0.139 port 62980, id=23, length=0
(10) 	EAP-Message = 0x040a0004
(10) 	Message-Authenticator = 0x00000000000000000000000000000000
Sending Access-Reject Id 23 from 10.0.0.12:1812 to 10.0.0.139:62980
	EAP-Message = 0x040a0004
	Message-Authenticator = 0x0000000000000000000000000000000
---

Before this I see a couple of other errors in the debug output:
---
WARNING: mschap : No Cleartext-Password configured.  Cannot create LM-Password
(9)    WARNING: mschap : No Cleartext-Password configured.  Cannot create NT-Password
(9)    mschap : Creating challenge hash with username: dmitry.fedorov
(9)    mschap : Client is using MS-CHAPv2
(9)    ERROR: mschap : FAILED: No NT/LM-Password.  Cannot perform authentication
(9)    ERROR: mschap : MS-CHAP2-Response is incorrect
(9)     [mschap] = reject
(9)    } # Auth-Type MS-CHAP = reject
---

and

---
ldap : Processing user attributes
(2)  WARNING: ldap : No "known good" password added. Ensure the admin user has permission to read the password attribute
(2)  WARNING: ldap : PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (4)
(2)   [ldap] = ok
(2)    if ((ok || updated) && User-Password) 
(2)    if ((ok || updated) && User-Password)  -> FALSE
(2)   [expiration] = noop
(2)   [logintime] = noop
(2)  WARNING: pap : No "known good" password found for the user.  Not setting Auth-Type
(2)  WARNING: pap : Authentication will fail unless a "known good" password is available
(2)   [pap] = noop
---

At first I thought the problem was in the "known good" password, but if it was, most likely the 'radtest' string would not work.
And if I change the base_dn to a wrong one, the test fails at once. From my point of view this proves that FreeRadius is able to get to LDAP, but there is some other error present.
Maybe I'm wrong.

Please help to understand what is wrong with my setup.


Regards,
Boris
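The debug excerpts above carry the diagnosis in their warnings: the LDAP module cannot read a reference password, so PAP over an LDAP bind still passes (radtest), while MS-CHAPv2 inside PEAP has no NT-Password to verify against. The following triage script is an added example and not part of the original post; it scans FreeRADIUS v3 debug lines for exactly these messages, groups them by request number, and states the mismatch. The sample lines are constructed from the excerpts in the post.

```python
"""Triage FreeRADIUS v3 debug output for the 'no known good password' failure.

Added example, not from the original mailing-list post. SAMPLE_LINES are
constructed from the debug excerpts shown in the post.
"""
import re
from typing import Dict, List

# Module messages that explain why EAP-PEAP/MSCHAPv2 cannot succeed when the
# server only performs an LDAP bind and never obtains a reference password.
SIGNATURES: Dict[str, str] = {
    r'mschap : FAILED: No NT/LM-Password': 'mschap: no NT-Password/Cleartext-Password available',
    r'ldap : No "known good" password added': 'ldap: password attribute not readable by bind DN',
    r'pap : No "known good" password found': 'pap: no reference password, Auth-Type not set',
    r'eap : Failed continuing EAP PEAP': 'eap: PEAP inner authentication failed',
}

# "(N)  [WARNING: |ERROR: ]module : message"; lines without "(N)" are skipped.
LINE_RE = re.compile(r'^\((\d+)\)\s+(?:WARNING: |ERROR: )?(.*)$')

SAMPLE_LINES: List[str] = [
    '(9)    ERROR: mschap : FAILED: No NT/LM-Password.  Cannot perform authentication',
    '(2)  WARNING: ldap : No "known good" password added. Ensure the admin user has permission to read the password attribute',
    '(2)  WARNING: pap : No "known good" password found for the user.  Not setting Auth-Type',
    '(10)  ERROR: eap : Failed continuing EAP PEAP (25) session. EAP sub-module failed',
    'rlm_ldap (ldap): Released connection (4)',
]

def triage(debug_lines: List[str]) -> Dict[str, List[str]]:
    """Return matched signature meanings keyed by FreeRADIUS request number."""
    findings: Dict[str, List[str]] = {}
    for line in debug_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        req, body = m.group(1), m.group(2)
        for pattern, meaning in SIGNATURES.items():
            if re.search(pattern, body):
                findings.setdefault(req, []).append(meaning)
    return findings

def root_cause(findings: Dict[str, List[str]]) -> str:
    """Combine per-module findings into one statement of the mismatch."""
    msgs = [m for group in findings.values() for m in group]
    if any(m.startswith('mschap:') for m in msgs) and any(m.startswith('ldap:') for m in msgs):
        return ('MS-CHAPv2 (PEAP inner auth) needs the NT hash or cleartext password on the '
                'server; an LDAP simple bind can only verify PAP, so radtest passes while EAP fails')
    return 'no known signature matched'

if __name__ == '__main__':
    print(root_cause(triage(SAMPLE_LINES)))
```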