Résolu LDAP RADIUS - pfsense

Bonjour, je veux mettre en place un portail captif avec pfSense, RADIUS et LDAP.
Quand j'exécute un radtest avec un utilisateur qui a comme uid 123467, j'ai ce message d'erreur :

WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=123467)
expand: dc=xxx,dc=yyy -> dc=xxx,dc=yyy
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=xxx,dc=yyy, with filter (uid=123467)
rlm_ldap: no dialupAccess attribute - access denied by default
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns userlock
Invalid user (rlm_ldap: Access Attribute denies access): [123467/\233\243\304NE×?C{\242\340\232\351F\311l] (from client localhost port 0)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> 123467
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 4 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 4
Sending Access-Reject of id 143 to 127.0.0.1 port 60115
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 60115, id=143, length=58
Sending duplicate reply to client localhost port 60115 - ID: 143
Sending Access-Reject of id 143 to 127.0.0.1 port 60115
Waking up in 1.9 seconds.
Cleaning up request 4 ID 143 with timestamp +171
Ready to process requests.


VOICI MES FICHIERS DE CONFIGURATION

/etc/ldap/slapd.conf

# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
# FreeRADIUS schema; presumably this is what provides the radiusprofile objectClass
# and the dialupAccess attribute that rlm_ldap's access_attr looks for - TODO confirm.
include /etc/ldap/schema/RADIUS-LDAPv3.schema

suffix "dc=xxx,dc=yyy"

# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
# NOTE(review): this is also the DN FreeRADIUS binds with (identity = in the ldap
# module of radiusd.conf), so every RADIUS lookup runs as the directory superuser.
# A separate bind DN limited to read access on the user entries (and on the
# attributes the module needs) would be the least-privilege setup.
rootdn "cn=admin,dc=xxx,dc=yyy"
# NOTE(review): this hash was pasted into a public thread; generate a fresh value
# (slappasswd) rather than keeping the one below.
rootpw {SSHA}GMrMsPM788chEC6m8CxFzeh9B185qedo
# Where the database files are physically stored for database #1
directory "/var/lib/ldap"
!
!
!
///////////////////////////////
LA PARTIE CONCERNANT LDAP DANS LE FICHIER /etc/freeradius/radiusd.conf
ldap {
# NOTE(review): the closing "}" of this ldap { } block is not in the paste; it has to
# be present in the real file before the next module definition.
#
# Note that this needs to match the name in the LDAP
# server certificate, if you're using ldaps.
#server = "ldap.your.domain"
server = "localhost"
# Bind credentials. identity is the directory rootdn (cn=admin) from slapd.conf and
# password is kept here in clear text, so FreeRADIUS performs its lookups as the
# LDAP superuser. A dedicated bind DN with read access to the user entries only is
# the least-privilege choice; keep this file readable only by the radius user.
identity = "cn=admin,dc=xxx,dc=yyy"
password = admin
basedn = "dc=xxx,dc=yyy"
# The "%{Attr:-default}" form is what triggers the 'Deprecated conditional
# expansion ":-"' warning at the top of the radtest output; the replacement xlat
# syntax is "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" (same result, no warning).
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
#base_filter = "(objectclass=radiusprofile)"
# Lookups are restricted to organizationalPerson entries; the default radiusprofile
# class is commented out, which is consistent with the user entries not carrying the
# RADIUS-specific attributes (such as dialupAccess, see access_attr below).
base_filter = "(objectclass=organizationalPerson)"
# How many connections to keep open to the LDAP server.
# This saves time over opening a new LDAP socket for
# every authentication request.
ldap_connections_number = 5
# seconds to wait for LDAP query to finish. default: 20
timeout = 4
# seconds LDAP server has to process the query (server-side
# time limit). default: 20
#
# LDAP_OPT_TIMELIMIT is set to this value.
timelimit = 3

#
# seconds to wait for response of the server. (network
# failures) default: 10
#
# LDAP_OPT_NETWORK_TIMEOUT is set to this value.
net_timeout = 1

#
# This subsection configures the tls related items
tls {
# Set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
#
# The StartTLS operation is supposed to be
# used with normal ldap connections instead of
# using ldaps (port 636) connections
#
# Plain LDAP is tolerable here only because server = "localhost". If the
# directory ever moves to another host, enable StartTLS (with cacertfile and
# require_cert = "demand") so that the bind password and the userPassword
# values read through password_attribute do not cross the network in clear.
start_tls = no

# cacertfile = /path/to/cacert.pem
# cacertdir = /path/to/ca/dir/
# certfile = /path/to/radius.crt
# keyfile = /path/to/radius.key
# randfile = /path/to/rnd

# Certificate Verification requirements. Can be:
# "never" (don't even bother trying)
# "allow" (try, but don't fail if the certificate
# can't be verified)
# "demand" (fail if the certificate doesn't verify.)
# The default is "allow"
# require_cert = "demand"
}

# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
# This is what rejects user 123467 in the radtest output: with access_attr set,
# rlm_ldap denies any entry that has no dialupAccess attribute ("no dialupAccess
# attribute - access denied by default", module rcode userlock). Either add
# dialupAccess to the user entries (presumably through the radiusprofile
# objectClass from RADIUS-LDAPv3.schema - confirm) or comment this line out,
# which is the change a later post in the thread reports as working.
access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${confdir}/ldap.attrmap

# Set password_attribute = nspmPassword to get the
# user's password from a Novell eDirectory
# backend. This will work ONLY IF FreeRADIUS has been
# built with the --with-edir configure option.
#
# See also the following links:
#
# http://www.novell.com/coolsolutions/appnote/16745.html
# https://secure-support.novell.com/KanisaPlatform/Publis...$
#
# Novell may require TLS encrypted sessions before returning
# the user's password.
#
# userPassword is read out of the directory (presumably as a check item for PAP),
# so the bind DN needs read access to that attribute; the rootdn has it implicitly,
# a least-privilege bind DN would need it granted explicitly.
password_attribute = userPassword

# Un-comment the following to disable Novell
# eDirectory account policy check and intruder
# detection. This will work *only if* FreeRADIUS is
# configured to build with --with-edir option.
#
edir_account_policy_check = no
#
# Group membership checking. Disabled by default.
#
# groupname_attribute = cn
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(memb$
# groupmembership_attribute = radiusGroupName

# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes

#
# By default, if the packet contains a User-Password,
# and no other module is configured to handle the
# authentication, the LDAP module sets itself to do
# LDAP bind for authentication.
#
# THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
#
# THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
#
# You can disable this behavior by setting the following
# configuration entry to "no".
#
# allowed values: {no, yes}
# set_auth_type = yes
# ldap_debug: debug flag for LDAP SDK
# (see OpenLDAP documentation). Set this to enable
# huge amounts of LDAP debugging on the screen.
# You should only use this if you are an LDAP expert.
#
# default: 0x0000 (no debugging messages)
# Example:( LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
#ldap_debug = 0x0028

////////////////////////////////////

DANS /etc/freeradius/sites-enabled/default
# already been set
ldap


Auth-Type LDAP {
ldap
}

/etc/freeradius/sites-enabled/inner-tunnel
authorize {
#
# The preprocess module takes care of sanitizing some bizarre
# attributes in the request, and turning them into attributes
# already been set

ldap


Auth-Type LDAP {
ldap
}



merci
Meilleure solution
secret est un mot de passe partagé entre le serveur radius et le supplicant (ici ton pfsense)
shortname est un "alias" pour donner un petit nom au supplicant (pratique dans les logs)
nastype sert à spécifier le type du supplicant (certains ne "parlent" pas le même langage que le serveur radius) ; en général ce n'est pas nécessaire
Meilleure réponse sélectionnée par sam85.
merci beaucoup malth
je vais tester
c'est exactement le serveur pfsense qui interagit avec radius
je vous remercie du fond du coeur
merci
ça dépend de ton installation, si c'est pour le portail captif, c'est lui le supplicant, donc c'est au niveau du pfsense qu'il faut configurer le "secret" (au même endroit que pour configurer l'adresse du radius)
merci maith pour votre reponse
ce que je ne comprends pas, ce sont ces attributs du fichier clients.conf de radius :
secret = motdepasseradius
shortname = alias
nastype = other

doivent-ils être aussi définis sur le serveur pfsense ? ou sur les points d'accès ?
Comment faire pour que les points d'accès soient reconnus par radius ?
merci encore
bonjour maith
sur le fichier de configuration de clients.conf de radius on a la syntaxe suivante
# One client stanza per device allowed to send requests to this server; the key is
# the client's IP address or resolvable hostname. For the captive portal that device
# is the pfSense box itself (see the answer above), not the access points.
client host.domainname
{
# Shared secret: the identical value has to be entered on the pfSense side, next to
# the RADIUS server address. A mismatch does not refuse the connection outright; it
# presumably shows up as a garbled User-Password in the server's debug output, much
# like the "[123467/...]" line in the radtest trace at the top of the thread - confirm.
secret = motdepasseradius
# Label used for this client in the logs, nothing more.
shortname = alias
# NAS type hint; as the answer says, usually not needed.
nastype = other
}
dans ce fichier on donne les adresses des points d'accès qui ont le droit d'accéder au serveur radius pour l'authentification
mais que représentent ces attributs secret, shortname et nastype ?
mes points d'accès ne sont pas reconnus par radius ; que dois-je modifier dans le fichier clients.conf ?
bah de rien alors :) 
merci pour la réponse, mais ça marche : j'ai désactivé la ligne
access_attr = "dialupAccess"
il me reste maintenant à modifier le fichier clients.conf de radius
pour autoriser les points d'accès à accéder au serveur radius
merci
Je te conseille de regarder les logs de ton serveur (ou de lancer le serveur en mode debug)
Il y a au moins 2 méthodes pour configurer le ldap dans freeradius, mais dans les 2 cas il faut aussi configurer l'eap (la partie de communication entre pfsense et le radius)
Voici mon fichier de configuration (complet, avec les includes mais sans les commentaires ni les vraies infos de production) à titre d'exemple :
  # NOTE(review): this is the single-file radiusd.conf layout (modules {} and the
  # authorize/authenticate sections inline). The question's server uses
  # sites-enabled/default and inner-tunnel instead, so transpose the relevant stanzas
  # rather than replacing the file wholesale.
  1. prefix = /usr
  2. exec_prefix = /usr
  3. sysconfdir = /etc
  4. localstatedir = /var
  5. sbindir = ${exec_prefix}/sbin
  6. logdir = /var/log/freeradius
  7. raddbdir = /etc/freeradius
  8. radacctdir = ${logdir}/radacct
  9. confdir = ${raddbdir}
  10. run_dir = ${localstatedir}/run/freeradius
  11. log_file = ${logdir}/radius.log
  12. libdir = /usr/lib/freeradius
  13. pidfile = ${run_dir}/freeradius.pid
  14. user = freerad
  15. group = freerad
  16. max_request_time = 30
  17. delete_blocked_requests = no
  18. cleanup_delay = 5
  19. max_requests = 1024
  20. bind_address = *
  21. port = 0
  22. hostname_lookups = no
  23. allow_core_dumps = no
  24. regular_expressions = yes
  25. extended_expressions = yes
  26. log_stripped_names = yes
  27. log_auth = yes
  28. log_auth_badpass = no
  29. log_auth_goodpass = no
  30. usercollide = no
  31. lower_user = no
  32. lower_pass = no
  33. nospace_user = no
  34. nospace_pass = no
  35. checkrad = ${sbindir}/checkrad
  36. security {
  37. max_attributes = 200
  38. reject_delay = 1
  39. status_server = no
  40. }
  41. proxy_requests = yes
  42. proxy server {
  43. synchronous = no
  44. retry_delay = 5
  45. retry_count = 3
  46. dead_time = 120
  47. default_fallback = yes
  48. post_proxy_authorize = no
  49. }
  50. realm LOCAL {
  51. type = radius
  52. authhost = LOCAL
  53. accthost = LOCAL
  54. }
  55. # Start by testing whether it works with this account; if it does not, with a default configuration there is no point going any further)
  56. client 127.0.0.1 {
  # testing123 is the well-known secret FreeRADIUS ships with; fine for the local
  # radtest step, change it before any client other than 127.0.0.1 can reach the server.
  57. secret = testing123
  58. shortname = localhost
  59. }
  60. # Put here the IP address your pfSense will use to contact the radius server
  61. client 1.1.1.1 {
  # the secret below is the value to enter on the pfSense side, next to the RADIUS server address
  62. secret = unSecretPartageEntreTonRadisuEtTonPfsense
  # placeholder: the real value should be a single token (quote it if it contains spaces)
  63. shortname = Un alias de ton choix (pour les log)
  64. }
  65. snmp = no
  66. thread pool {
  67. start_servers = 5
  68. max_servers = 32
  69. min_spare_servers = 3
  70. max_spare_servers = 10
  71. max_requests_per_server = 0
  72. }
  73. modules {
  # Only legacy EAP methods (md5, leap, gtc, mschapv2) are configured, no PEAP/TTLS
  # tunnel; the captive portal path presumably uses PAP against LDAP and does not go
  # through EAP at all - confirm in the debug output.
  74. eap {
  75. default_eap_type = md5
  76. timer_expire = 60
  77. ignore_unknown_eap_types = no
  78. cisco_accounting_username_bug = no
  79. md5 {
  80. }
  81. leap {
  82. }
  83. gtc {
  84. auth_type = PAP
  85. }
  86. mschapv2 {
  87. }
  88. }
  # Anonymous bind (no identity/password) to a remote directory with start_tls = no:
  # the lookup, and the userPassword check item mapped below, cross the network in
  # clear. Once the directory has a certificate, start_tls = yes with cacertfile and
  # require_cert is the safer setting. base_filter "(passwordAllowChange=TRUE)" is
  # specific to this directory.
  89. ldap LDAP1 {
  90. # In my configuration I do not bind to the LDAP server to look up users (anonymous query)
  91. server = "ldap.macompagnie.exemple"
  92. basedn = "ou=users,dc=macompagnie,dc=exemple"
  93. # The filters have to be adapted to your directory
  94. filter = "(&(cn=%{Stripped-User-Name:-%{User-Name}}))"
  95. base_filter = "(passwordAllowChange=TRUE)"
  96. start_tls = no
  97. # This file may need adapting to your attributes; for instance I had to add this:
  98. # checkItem User-Password userPassword
  99. dictionary_mapping = ${raddbdir}/ldap.attrmap
  100. ldap_connections_number = 5
  101. timeout = 4
  102. timelimit = 3
  103. net_timeout = 1
  104. }
  105. realm IPASS {
  106. format = prefix
  107. delimiter = "/"
  108. ignore_default = no
  109. ignore_null = no
  110. }
  111. realm suffix {
  112. format = suffix
  113. delimiter = "@"
  114. ignore_default = no
  115. ignore_null = no
  116. }
  117. realm realmpercent {
  118. format = suffix
  119. delimiter = "%"
  120. ignore_default = no
  121. ignore_null = no
  122. }
  123. realm ntdomain {
  124. format = prefix
  125. delimiter = "\\"
  126. ignore_default = no
  127. ignore_null = no
  128. }
  129. checkval {
  130. item-name = Calling-Station-Id
  131. check-name = Calling-Station-Id
  132. data-type = string
  133. }
  134. preprocess {
  135. huntgroups = ${confdir}/huntgroups
  136. hints = ${confdir}/hints
  137. with_ascend_hack = no
  138. ascend_channels_per_line = 23
  139. with_ntdomain_hack = no
  140. with_specialix_jetstream_hack = no
  141. with_cisco_vsa_hack = no
  142. }
  143. files {
  144. usersfile = ${confdir}/users
  145. acctusersfile = ${confdir}/acct_users
  146. preproxy_usersfile = ${confdir}/preproxy_users
  147. compat = no
  148. }
  149. detail {
  150. detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
  151. detailperm = 0600
  152. }
  153. detail auth_log {
  154. detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
  155. }
  156. acct_unique {
  157. key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  158. }
  # sql.conf provides the "sql" instance that both sqlcounter modules below point at
  159. $INCLUDE ${confdir}/sql.conf
  160.  
  161. radutmp {
  162. filename = ${logdir}/radutmp
  163. username = %{User-Name}
  164. case_sensitive = yes
  165. check_with_nas = yes
  166. perm = 0600
  167. callerid = "yes"
  168. }
  169. radutmp sradutmp {
  170. filename = ${logdir}/sradutmp
  171. perm = 0644
  172. callerid = "no"
  173. }
  174. attr_filter {
  175. attrsfile = ${confdir}/attrs
  176. }
  177. counter daily {
  178. filename = ${raddbdir}/db.daily
  179. key = User-Name
  180. count-attribute = Acct-Session-Time
  181. reset = daily
  182. counter-name = Daily-Session-Time
  183. check-name = Max-Daily-Session
  184. allowed-servicetype = Framed-User
  185. cache-size = 5000
  186. }
  187. sqlcounter dailycounter {
  188. counter-name = Daily-Session-Time
  189. check-name = Max-Daily-Session
  190. sqlmod-inst = sql
  191. key = User-Name
  192. reset = daily
  193. query = "SELECT SUM(AcctSessionTime - \
  194. GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
  195. FROM radacct WHERE UserName='%{%k}' AND \
  196. UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
  197. }
  198. sqlcounter monthlycounter {
  199. counter-name = Monthly-Session-Time
  200. check-name = Max-Monthly-Session
  201. sqlmod-inst = sql
  202. key = User-Name
  203. reset = monthly
  204. query = "SELECT SUM(AcctSessionTime - \
  205. GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
  206. FROM radacct WHERE UserName='%{%k}' AND \
  207. UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
  208. }
  209. always fail {
  210. rcode = fail
  211. }
  212. always reject {
  213. rcode = reject
  214. }
  215. always ok {
  216. rcode = ok
  217. simulcount = 0
  218. mpp = no
  219. }
  220. expr {
  221. }
  222. digest {
  223. }
  224. exec {
  225. wait = yes
  226. input_pairs = request
  227. }
  # Not referenced by any section below. %{User-Name} is supplied by the client, so
  # if this instance is ever wired into a section, keep rlm_exec's shell escaping enabled.
  228. exec echo {
  229. wait = yes
  230. program = "/bin/echo %{User-Name}"
  231. input_pairs = request
  232. output_pairs = reply
  233. }
  234. ippool main_pool {
  235. range-start = 192.168.1.1
  236. range-stop = 192.168.3.254
  237. netmask = 255.255.255.0
  238. cache-size = 800
  239. session-db = ${raddbdir}/db.ippool
  240. ip-index = ${raddbdir}/db.ipindex
  241. override = no
  242. maximum-timeout = 0
  243. }
  244. }
  245. instantiate {
  246. exec
  247. expr
  248. }
  249. authorize {
  250. preprocess
  251. auth_log
  252.  
  253. eap
  254. files
  255. group {
  256. LDAP1
  257. }
  258. }
  259. authenticate {
  # Auth-Type LDAP: presumably rlm_ldap authenticates by binding to the directory
  # as the user, which is what a PAP request from the captive portal exercises - confirm.
  260. Auth-Type LDAP {
  261. group {
  262. LDAP1
  263. }
  264. }
  265. eap
  266. }
  267. preacct {
  268. preprocess
  269. acct_unique
  270. suffix
  271. files
  272. }
  273. accounting {
  274. detail
  275. radutmp
  276. }
  277. session {
  278. radutmp
  279. }
  280. post-auth {
  281. }
  282. pre-proxy {
  283. }
  284. post-proxy {
  285. eap
  286. }
