Re: RADIUS + LDAP + SSL

2003-06-27 Thread Francisco Orozco/Upcnet
> I realize the second bind is for authentication.  However, it's trying
> to bind as Usuari instead of the numeric UserID mentioned elsewhere
> in your log.  It looks like this might be related to some sort of group
> authentication.  It also looks like the LDAP bind doesn't return failure,
> but simply times out.  (Note there is no mention of LDAP returning, just
> the modcall: group authtype returns reject).

Yes, it is possible...

When I access my LDAP server as https://ldap.server.com:636 I must
install a CA certificate or self-signed certificate on the client in order to
access it.

On FreeRadius I haven't configured this (I don't know how). I think
modcall returns reject because it can't authenticate the SSL certificate
presented by the LDAP server.

Has anyone been able to use Radius + SSL + LDAP with FreeRadius?

__
Paco Orozco ([EMAIL PROTECTED])
Divisió de Telecomunicacions
UPCNet
Edifici Vèrtex - Pl. Eusebi Güell, 6
Telèfon centraleta: 93.40.11600


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: RADIUS + LDAP + SSL

2003-06-25 Thread Francisco Orozco/Upcnet
Hi Owen,


> rlm_ldap: (re)connect to albinoni.upc.es:636, authentication 0
> 
> is a line that says:
> 
> rlm_ldap: setting TLS mode to 1
> 
> This leads me to believe that it is trying to start TLS as well, but I could
> be wrong.  I haven't read through the code carefully.

It always puts (re)connect in the log; I think this is normal behaviour. If you
see my logs, in both tests, when I use LDAP and when I use LDAPs, it logs
(re)connect.

The only difference between the LDAP test and the LDAPs test is that on the second,
it tries to connect twice, see my logs...

> >> > rlm_ldap: attempting LDAP reconnection
> >> > rlm_ldap: (re)connect to albinoni.upc.es:636, authentication 0

It connects once and searches for the user who is attempting remote access

> >> > rlm_ldap: setting TLS mode to 1
> >> > rlm_ldap: bind as / to albinoni.upc.es:636
> >> > rlm_ldap: waiting for bind result ...
> >> > rlm_ldap: performing search in o=LCX, with filter (uid=0010)
> >> > rlm_ldap: looking for check items in directory...
> >> > rlm_ldap: looking for reply items in directory...
> >> > rlm_ldap: user 0010 authorized to use remote access
> >> > ldap_release_conn: Release Id: 0
> >> >   modcall[authorize]: module "ldap" returns ok

It finds him; now it tries to authenticate

> >> > modcall: group authorize returns ok
> >> >   rad_check_password:  Found Auth-Type LDAP
> >> > auth: type "LDAP"
> >> > modcall: entering group authtype
> >> > rlm_ldap: - authenticate
> >> > rlm_ldap: login attempt by "0010" with password "hola123"
> >> > rlm_ldap: user DN: CN=Usuari Proves10,O=LCX
> >> > rlm_ldap: (re)connect to albinoni.upc.es:636, authentication 1
> >> > rlm_ldap: setting TLS mode to 1
> >> > rlm_ldap: bind as CN=Usuari Proves10,O=LCX/hola123 to
> > albinoni.upc.es:636
> >> > rlm_ldap: waiting for bind result ...
> >> >   modcall[authenticate]: module "ldap" returns reject
> >> > modcall: group authtype returns reject
> >> > auth: Failed to validate the user.

It can't authenticate the user, and it rejects...

Uhm... I don't know how to configure it... and where the problem is...


> Also, I'm not sure why it's trying to bind as Usuari in the second
> bind.  It looks like the bind didn't return and the module returned reject
> due to timeout, so it might be that with SSL your LDAP server isn't
> responding

Uhmm... I think that isn't the problem... The second bind is for
authentication.

__
Paco Orozco ([EMAIL PROTECTED])
Divisió de Telecomunicacions
UPCNet
Edifici Vèrtex - Pl. Eusebi Güell, 6
Telèfon centraleta: 93.40.11600




Re: RADIUS + LDAP + SSL

2003-06-23 Thread Francisco Orozco/Upcnet
Owen,

I've got tls disabled. But I think I may configure something in
openSSL, isn't it?

Thanks

__
Paco Orozco ([EMAIL PROTECTED])
Divisió de Telecomunicacions
UPCNet
Edifici Vèrtex - Pl. Eusebi Güell, 6
Telèfon centraleta: 93.40.11600

[EMAIL PROTECTED] wrote on 23/06/2003 16:08:35:

> If you're using Port 636, you probably need to set TLS off.  I'm not sure
> starting TLS over SSL works.  Even if it does, it's kind of redundant.
> 
> Owen
> 
> 
> --On Monday, June 23, 2003 10:49 AM +0200 "Francisco Orozco/Upcnet" 
> <[EMAIL PROTECTED]> wrote:

RADIUS + LDAP + SSL

2003-06-23 Thread Francisco Orozco/Upcnet
Hiya,

Finally I've installed openSSL, but I think I'm forgetting something, 
because I can authenticate via LDAP over SSL.

I've installed openSSL (openssl-0.9.7b).
I've installed Freeradius (freeradius-0.8.1) as:

tar -zxvf freeradius.tar.gz
cd freeradius-0.8.1
./configure --prefix=/opt/freeradius
make
make install

Then I configured radiusd.conf (see file below).

First with port=389 (LDAP without SSL):

rad_recv: Access-Request packet from host 127.0.0.1:32805, id=90, length=60
User-Name = "0010"
User-Password = "hola123"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
rad_lowerpair:  User-Name now '0010'
rad_lowerpair:  User-Password now 'hola123'
modcall: entering group authorize
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 0010
radius_xlat:  '(uid=0010)'
radius_xlat:  'o=LCX'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=LCX, with filter (uid=0010)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user 0010 authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group authtype
rlm_ldap: - authenticate
rlm_ldap: login attempt by "0010" with password "hola123"
rlm_ldap: user DN: CN=Usuari Proves10,O=LCX
rlm_ldap: (re)connect to albinoni.upc.es:389, authentication 1
rlm_ldap: bind as CN=Usuari Proves10,O=LCX/hola123 to albinoni.upc.es:389
rlm_ldap: waiting for bind result ...
rlm_ldap: user 0010 authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok
modcall: group authtype returns ok
Sending Access-Accept of id 90 to 127.0.0.1:32805

It works great. I can authenticate without any problem. 

Now I'll try with LDAP over SSL; as you can see I haven't installed any
self-signed or CA certificate, but I can't see any message about it.

Now port=636:

rad_recv: Access-Request packet from host 127.0.0.1:32806, id=100, length=60
User-Name = "0010"
User-Password = "hola123"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
rad_lowerpair:  User-Name now '0010'
rad_lowerpair:  User-Password now 'hola123'
modcall: entering group authorize
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 0010
radius_xlat:  '(uid=0010)'
radius_xlat:  'o=LCX'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to albinoni.upc.es:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as / to albinoni.upc.es:636
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in o=LCX, with filter (uid=0010)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user 0010 authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group authtype
rlm_ldap: - authenticate
rlm_ldap: login attempt by "0010" with password "hola123"
rlm_ldap: user DN: CN=Usuari Proves10,O=LCX
rlm_ldap: (re)connect to albinoni.upc.es:636, authentication 1
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as CN=Usuari Proves10,O=LCX/hola123 to albinoni.upc.es:636
rlm_ldap: waiting for bind result ...
  modcall[authenticate]: module "ldap" returns reject
modcall: group authtype returns reject
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0

I think RADIUS can connect to the LDAP server over SSL, because it can do the
first filter, but when it tries to authenticate it is missing something...

More help! :-)




__
Paco Orozco ([EMAIL PROTECTED])
Divisió de Telecomunicacions
UPCNet
Edifici Vèrtex - Pl. Eusebi Güell, 6
Telèfon centraleta: 93.40.11600

radiusd.conf
Description: Binary data


RE: RADIUS + LDAP + TLS

2003-06-20 Thread Francisco Orozco/Upcnet
Hiya,

> StartTLS is an extended operation for starting TLS while connecting to the
> normal ldap port (389). I would suggest
> start_tls=yes,tls_mode=no and port=389
> 
> I think that the tls_mode directive should go away completely and
> start_tls only be allowed if we don't use the ldaps port. But I am not sure
> that the above is correct.

Is it necessary to install OpenSSL or other software in order to use TLS with
RADIUS?

This is my big doubt.

__
Paco Orozco ([EMAIL PROTECTED])
Divisió de Telecomunicacions
UPCNet
Edifici Vèrtex - Pl. Eusebi Güell, 6
Telèfon centraleta: 93.40.11600



RE: RADIUS + LDAP + TLS

2003-06-19 Thread Francisco Orozco/Upcnet
Hiya,

I'm a bit confused. I'd like to use, as I mentioned, RADIUS + LDAP over
encrypted communications (TLS).

In order to use RADIUS + LDAP I've compiled FreeRadius, but I haven't
installed any OpenLDAP SDK. Then I've configured radiusd.conf as mentioned
in past messages.

I tried it and it works great. I can authenticate users via LDAP.

When I try to use TLS I've configured the radiusd.conf parameters:
"start_tls=yes" "tls_mode=yes" "port=636"

It's not working, see the log. "Protocol Error": it means that I need to
compile something.

I don't want to authenticate the LDAP server from RADIUS, so I don't need to
install OpenSSL and CA certificates. I only want to encrypt RADIUS - LDAP
communication, without ensuring the identity of either.

Please... can you shed some light on my work?

> >> 
> >>  rad_recv: Access-Request packet from host 127.0.0.1:32792, id=101, length=60
> >>  User-Name = "test"
> >>  User-Password = "1234567890"
> >>  NAS-IP-Address = 255.255.255.255
> >>  NAS-Port = 1
> >>  rad_lowerpair:  User-Name now 'test'
> >>  rad_lowerpair:  User-Password now '1234567890'
> >>  modcall: entering group authorize
> >>  rlm_ldap: - authorize
> >>  rlm_ldap: performing user authorization for test
> >>  radius_xlat:  '(uid=test)'
> >>  radius_xlat:  'o=Prova'
> >>  ldap_get_conn: Got Id: 0
> >>  rlm_ldap: attempting LDAP reconnection
> >>  rlm_ldap: (re)connect to ldap.server.mycompany.es:636, authentication 0
> >>  rlm_ldap: setting TLS mode to 1
> >>  rlm_ldap: starting TLS
> >>  rlm_ldap: ldap_start_tls_s()
> >>  rlm_ldap: could not start TLS Protocol error
> >>  rlm_ldap: (re)connection attempt failed
> >>  rlm_ldap: search failed
> >>  ldap_release_conn: Release Id: 0
> >>    modcall[authorize]: module "ldap" returns fail
> >>  modcall: group authorize returns fail
> >>  There was no response configured: rejecting request 0
> >>  Server rejecting request 0.
> >>  Finished request 0
> >>  Going to the next request
> >>  --- Walking the entire request list ---
> >>  Waking up in 1 seconds...
> >>  --- Walking the entire request list ---
> >>  Waking up in 1 seconds...
> >>  --- Walking the entire request list ---
> >>  Sending Access-Reject of id 101 to 127.0.0.1:32792
> >>  Waking up in 4 seconds...
> >>  --- Walking the entire request list ---
> >>  Cleaning up request 0 ID 101 with timestamp 3ef0694c
> >>  Nothing to do.  Sleeping until we see a request.

__
Paco Orozco ([EMAIL PROTECTED])
Divisió de Telecomunicacions
UPCNet
Edifici Vèrtex - Pl. Eusebi Güell, 6
Telèfon centraleta: 93.40.11600




RE: RADIUS + LDAP + TLS

2003-06-19 Thread Francisco Orozco/Upcnet
Hiya,

> When you built rlm_ldap, you needed some sort of LDAP library for
> it.  Usually, this is OpenLDAP.  If you used something else, I'm not
> sure what to tell you.  In my case, I built FreeRadius and the rlm_ldap
> module at the same time.  I don't know what you did.  I didn't install
> a certificate on the RADIUS server.  I used an existing LDAP server run
> by IT which has a self-signed certificate on it.  I don't know how they
> installed the certificate, and that would depend on the LDAP server in use
> anyway.  As to validation, I haven't been able to get them to validate
> because FreeRadius is rejecting the self-signed certificate from the LDAP
> server.

I've compiled FreeRadius and rlm_ldap without installing any LDAP package
(like OpenLDAP); I've only untarred FreeRadius, then ./configure, and make.
But I suppose that it has LDAP support, because I've been able to
authenticate users using LDAP.

On the RADIUS server I haven't installed any certificate; I don't know how. I've
configured my RADIUS server in order to use LDAP as the authentication
database and I set "start_tls" and "tls_mode" to yes.

> I got the impression from your original email that you had the LDAP
> server already working with LDAPs.  If that's not the case, you first
> need to get a working LDAPs server (LDAP over SSL).  This is not something
> I can help you with.

Yes, I've got an LDAPs (LDAP over SSL) server working. But I'm not able to
contact it from RADIUS. If I try to contact the LDAPs server from Outlook
(for example) I need to install my CA certificate, to validate the
authentication of LDAPs. Does RADIUS need something similar?

> Once that is done, getting RADIUS to be another client of that LDAPs
> server should simply be a matter of changing the port number in the
> radiusd.conf from what was working with the LDAP server.

I've done it, but I get an error "could not start TLS protocol". See my log.

Maybe I'm forgetting something. I've seen some TLS parameters in the EAP
section of radiusd.conf, but I haven't used them... Is it ok?

> 
>  rad_recv: Access-Request packet from host 127.0.0.1:32792, id=101, length=60
>  User-Name = "test"
>  User-Password = "1234567890"
>  NAS-IP-Address = 255.255.255.255
>  NAS-Port = 1
>  rad_lowerpair:  User-Name now 'test'
>  rad_lowerpair:  User-Password now '1234567890'
>  modcall: entering group authorize
>  rlm_ldap: - authorize
>  rlm_ldap: performing user authorization for test
>  radius_xlat:  '(uid=test)'
>  radius_xlat:  'o=Prova'
>  ldap_get_conn: Got Id: 0
>  rlm_ldap: attempting LDAP reconnection
>  rlm_ldap: (re)connect to ldap.server.mycompany.es:636, authentication 0
>  rlm_ldap: setting TLS mode to 1
>  rlm_ldap: starting TLS
>  rlm_ldap: ldap_start_tls_s()
>  rlm_ldap: could not start TLS Protocol error
>  rlm_ldap: (re)connection attempt failed
>  rlm_ldap: search failed
>  ldap_release_conn: Release Id: 0
>    modcall[authorize]: module "ldap" returns fail
>  modcall: group authorize returns fail
>  There was no response configured: rejecting request 0
>  Server rejecting request 0.
>  Finished request 0
>  Going to the next request
>  --- Walking the entire request list ---
>  Waking up in 1 seconds...
>  --- Walking the entire request list ---
>  Waking up in 1 seconds...
>  --- Walking the entire request list ---
>  Sending Access-Reject of id 101 to 127.0.0.1:32792
>  Waking up in 4 seconds...
>  --- Walking the entire request list ---
>  Cleaning up request 0 ID 101 with timestamp 3ef0694c
>  Nothing to do.  Sleeping until we see a request.

__
Paco Orozco ([EMAIL PROTECTED])
Divisió de Telecomunicacions
UPCNet
Edifici Vèrtex - Pl. Eusebi Güell, 6
Telèfon centraleta: 93.40.11600


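A small triage helper for the rlm_ldap debug output posted through this thread, as an added example (not code from the thread or from FreeRADIUS): it classifies each (re)connect in a log as StartTLS sent to the ldaps port (the "could not start TLS Protocol error" above), a bind that never returned a result before the reject (the port-636 log in the 25 June message), or a clean bind, and it redacts the passwords that radiusd's debug output prints in clear. The sample log, hostnames and password are constructed; the port-636 rule follows the advice quoted in the thread.

```python
"""Triage helper for FreeRADIUS rlm_ldap debug output (added example, not
code from the thread or from FreeRADIUS). It classifies the failure shapes
the thread's logs show and redacts the secrets that radiusd debug output
prints in clear. SAMPLE_LOG is constructed to mirror the thread's output;
the port-636 rule follows the advice quoted in the thread."""
import re
from dataclasses import dataclass

LDAPS_PORT = 636
CONNECT_RE = re.compile(r"rlm_ldap: \(re\)connect to \S+:(?P<port>\d+), authentication (?P<auth>[01])")
BIND_RE = re.compile(r"rlm_ldap: bind as [^/]*/")
SECRET_RES = [  # group 2 of each pattern is a secret to mask
    re.compile(r'(User-Password = ")([^"]*)(")'),
    re.compile(r'(with password ")([^"]*)(")'),
    re.compile(r"(rlm_ldap: bind as [^/]*/)(\S+)( to )"),
]
SAMPLE_LOG = """\
rlm_ldap: (re)connect to ldap.example.test:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: starting TLS
rlm_ldap: could not start TLS Protocol error
rlm_ldap: (re)connection attempt failed
rlm_ldap: (re)connect to ldap.example.test:636, authentication 1
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as CN=Test User,O=Example/placeholder-pw to ldap.example.test:636
rlm_ldap: waiting for bind result ...
  modcall[authenticate]: module "ldap" returns reject
"""

@dataclass
class Conn:
    port: int
    auth_phase: bool        # "authentication 1" is the bind with the user's own DN
    tls_mode: bool = False
    start_tls: bool = False
    bind_attempted: bool = False
    bind_result: str = "none"   # "none" (never returned), "ok" or "fail"

def redact(line: str) -> str:
    """Mask passwords before a debug log is pasted into a list post or ticket."""
    for pat in SECRET_RES:
        line = pat.sub(lambda m: m.group(1) + "[REDACTED]" + m.group(3), line)
    return line

def parse(log: str) -> list[Conn]:
    conns, cur = [], None
    for raw in log.splitlines():
        line = raw.strip()
        if (m := CONNECT_RE.search(line)):
            cur = Conn(int(m["port"]), m["auth"] == "1")
            conns.append(cur)
        elif cur is None:
            continue
        elif "setting TLS mode to 1" in line:
            cur.tls_mode = True
        elif line.endswith("rlm_ldap: starting TLS"):
            cur.start_tls = True
        elif BIND_RE.search(line):
            cur.bind_attempted = True
        elif "performing search in" in line or "authenticated succesfully" in line:
            cur.bind_result = "ok"      # the module only gets here after a bind result
        elif "(re)connection attempt failed" in line:
            cur.bind_result = "fail"
    return conns

def diagnose(c: Conn) -> str:
    if c.start_tls and c.port == LDAPS_PORT:
        # StartTLS is a plain-LDAP extended operation; :636 expects a TLS handshake first
        return "starttls-on-ldaps-port"
    if c.bind_attempted and c.bind_result == "none":
        return "bind-never-returned"   # neither ok nor an error before the reject
    return c.bind_result if c.bind_result != "none" else "unknown"

def triage(log: str) -> list[tuple[int, bool, str]]:
    return [(c.port, c.auth_phase, diagnose(c)) for c in parse(log)]
```

The thread's own logs carry the test users' passwords in clear; running lines through redact() before posting them avoids that.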


RADIUS + LDAP + TLS

2003-06-18 Thread Francisco Orozco/Upcnet
Hello to all,

I've been using FreeRadius for a year, but now I'd like to implement
RADIUS with LDAP authentication; I've tested it and it works great.

Now I'd like to protect radius - ldap server communication using TLS. But
I'm not able to do it.

My LDAP server is Notes Domino and I've been able to configure it
correctly. I can connect to it using LDAP SSL/TLS, but I don't know how to
implement this in FreeRadius.

I'm using freeradius-0.8.1 and this is my radiusd.conf



Can you help me?

When I try, I see this log:

rad_recv: Access-Request packet from host 127.0.0.1:32792, id=101, length=60
User-Name = "test"
User-Password = "1234567890"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
rad_lowerpair:  User-Name now 'test'
rad_lowerpair:  User-Password now '1234567890'
modcall: entering group authorize
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test
radius_xlat:  '(uid=test)'
radius_xlat:  'o=Prova'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.server.mycompany.es:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Protocol error
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns fail
modcall: group authorize returns fail
There was no response configured: rejecting request 0
Server rejecting request 0.
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 101 to 127.0.0.1:32792
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 101 with timestamp 3ef0694c
Nothing to do.  Sleeping until we see a request.

__
Paco Orozco ([EMAIL PROTECTED])
Divisió de Telecomunicacions
UPCNet
Edifici Vèrtex - Pl. Eusebi Güell, 6
Telèfon centraleta: 93.40.11600

##
## radiusd.conf -- FreeRADIUS server configuration file.
##

#   The location of other config files and
#   logfiles are declared in this file
#
prefix = /opt/freeradius-0.8.1
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = /opt/freeradius-0.8.1/logs
raddbdir = ${sysconfdir}/raddb
radacctdir = /opt/freeradius-0.8.1/acct

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd

#
#  The logging messages for the server are appended to the
#  tail of this file.
#
log_file = ${logdir}/radius.log

#
# libdir: Where to find the rlm_* modules.
#
libdir = ${exec_prefix}/lib

#
#  pidfile: Where to place the PID of the RADIUS server.
#
pidfile = ${run_dir}/radiusd.pid


# user/group: The name (or #number) of the user/group to run radiusd as.
#
#   If these are commented out, the server will run as the user/group
#   that started it.  In order to change to a different user/group, you
#   MUST be root ( or have root privleges ) to start the server.
#
# user = radius
group = admradius

#  max_request_time: The maximum time (in seconds) to handle a request.
#
#  Requests which take more time than this to process may be killed, and
#  a REJECT message is returned.
#
#  Useful range of values: 5 to 120
#
max_request_time = 30

#  delete_blocked_requests: If the request takes MORE THAN 'max_request_time'
#  to be handled, then maybe the server should delete it.
#
#  If you're running in threaded, or thread pool mode, this setting
#  should probably be 'no'.  Setting it to 'yes' when using a threaded
#  server MAY cause the server to crash!
#
delete_blocked_requests = no

#  cleanup_delay: The time to wait (in seconds) before cleaning up
#  a reply which was sent to the NAS.
#
#  The RADIUS request is normally cached internally for a short period
#  of time, after the reply is sent to the NAS.  The reply packet may be
#  lost in the network, and the NAS will not see it.  The NAS will then
#  re-send the request, and the server will respond quickly with the
#  cached reply.
#
#  If this value is set too low, then duplicate requests from the NAS
#  MAY NOT be detected, and will instead be handled as seperate requests.
#
#  If this value is set too high, then the server will cache too many
#  requests, and some new requests may get blocked.  (See 'max_requests'.)
#
#  Useful range of values: 2 to 10
#
cleanup_delay = 5

#  max_requests: The maximum number of requests which the server keeps
#  track of.  This should be 256 multiplied by the number of clients.
#  e.g. With 4 clients, this number should be 1024.
#
#  If this number is too low, then when the server becomes busy,
#  it will not respond to any new requests, until the 'cleanup_delay'
#  time has passed, and it has removed the old requests.
#
#  If this number is set