
FreeRADIUS 3.0 with LDAP configuration

The setup is pretty much as the title states. On the same VM I have OpenLDAP and a FreeRADIUS 3.0 server that fetches the users from the LDAP directory.

On my UniFi controller I point the authentication server to be FreeRadius.

The odd thing here is that an Android phone with the EAP method set to TTLS and Phase 2 set to PAP works fine. On the other hand, I can't authenticate an iPhone.

I have attached the log files for both. Note that I removed several retries from both files because of the character limit, in order to be able to post them:

  • iPhone
(36) Received Access-Request Id 68 from 192.168.1.45:11929 to 192.168.2.6:1812 length 285
(36)   User-Name = "user"
(36)   NAS-IP-Address = 192.168.0.16
(36)   NAS-Identifier = "1ae82968d827"
(36)   Called-Station-Id = "1A-E8-29-68-D8-27:TestNet"
(36)   NAS-Port-Type = Wireless-802.11
(36)   Service-Type = Framed-User
(36)   Calling-Station-Id = "56-7E-6E-74-19-66"
(36)   Connect-Info = "CONNECT 0Mbps 802.11b"
(36)   Acct-Session-Id = "7920B3C56618BB67"
(36)   Acct-Multi-Session-Id = "31C198EF71C46ED1"
(36)   WLAN-Pairwise-Cipher = 1027076
(36)   WLAN-Group-Cipher = 1027076
(36)   WLAN-AKM-Suite = 1027073
(36)   Framed-MTU = 1400
(36)   EAP-Message = 0x02c1003715800000002d17030300289d5b6e7c1b6d76eee5a570e1dd5dab9ce96cf13e3974ea5a14c116425106079c9adabe1aef8b357c
(36)   State = 0x25b700c8237615504ad2b47e6e37541e
(36)   Message-Authenticator = 0xc4d8a828f8ee36dadd47cafc2a456311
(36) session-state: No cached attributes
(36) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(36)   authorize {
(36)     policy filter_username {
(36)       if (&User-Name) {
(36)       if (&User-Name)  -> TRUE
(36)       if (&User-Name)  {
(36)         if (&User-Name =~ / /) {
(36)         if (&User-Name =~ / /)  -> FALSE
(36)         if (&User-Name =~ /@[^@]*@/ ) {
(36)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(36)         if (&User-Name =~ /\.\./ ) {
(36)         if (&User-Name =~ /\.\./ )  -> FALSE
(36)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(36)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  -> FALSE
(36)         if (&User-Name =~ /\.$/) {
(36)         if (&User-Name =~ /\.$/)  -> FALSE
(36)         if (&User-Name =~ /@\./) {
(36)         if (&User-Name =~ /@\./)  -> FALSE
(36)       } # if (&User-Name)  = notfound
(36)     } # policy filter_username = notfound
(36)     [preprocess] = ok
(36)     [chap] = noop
(36)     [mschap] = noop
(36)     [digest] = noop
(36) suffix: Checking for suffix after "@"
(36) suffix: No '@' in User-Name = "user", looking up realm NULL
(36) suffix: No such realm "NULL"
(36)     [suffix] = noop
(36) eap: Peer sent EAP Response (code 2) ID 193 length 55
(36) eap: Continuing tunnel setup
(36)     [eap] = ok
(36)   } # authorize = ok
(36) Found Auth-Type = eap
(36) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(36)   authenticate {
(36) eap: Expiring EAP session with state 0x41848598418590ad
(36) eap: Finished EAP session with state 0x25b700c823761550
(36) eap: Previous EAP request found for state 0x25b700c823761550, released from the list
(36) eap: Peer sent packet with method EAP TTLS (21)
(36) eap: Calling submodule eap_ttls to process data
(36) eap_ttls: Authenticate
(36) eap_ttls: Continuing EAP-TLS
(36) eap_ttls: Peer indicated complete TLS record size will be 45 bytes
(36) eap_ttls: Got complete TLS record (45 bytes)
(36) eap_ttls: [eaptls verify] = length included
(36) eap_ttls: [eaptls process] = ok
(36) eap_ttls: Session established.  Proceeding to decode tunneled attributes
(36) eap_ttls: Got tunneled request
(36) eap_ttls:   EAP-Message = 0x02010006031a
(36) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1
(36) eap_ttls: Sending tunneled request
(36) Virtual server default received request
(36)   EAP-Message = 0x02010006031a
(36)   FreeRADIUS-Proxied-To = 127.0.0.1
(36)   User-Name = "user"
(36)   State = 0x41848598418590ad5f5257f699cb08cd
(36)   NAS-IP-Address = 192.168.0.16
(36)   NAS-Identifier = "1ae82968d827"
(36)   Called-Station-Id = "1A-E8-29-68-D8-27:TestNet"
(36)   NAS-Port-Type = Wireless-802.11
(36)   Service-Type = Framed-User
(36)   Calling-Station-Id = "56-7E-6E-74-19-66"
(36)   Connect-Info = "CONNECT 0Mbps 802.11b"
(36)   Acct-Session-Id = "7920B3C56618BB67"
(36)   Acct-Multi-Session-Id = "31C198EF71C46ED1"
(36)   WLAN-Pairwise-Cipher = 1027076
(36)   WLAN-Group-Cipher = 1027076
(36)   WLAN-AKM-Suite = 1027073
(36)   Framed-MTU = 1400
(36)   Event-Timestamp = "Jul  6 2021 13:49:41 EEST"
(36) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(36) server default {
(36)   session-state: No cached attributes
(36)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(36)     authorize {
(36)       policy filter_username {
(36)         if (&User-Name) {
(36)         if (&User-Name)  -> TRUE
(36)         if (&User-Name)  {
(36)           if (&User-Name =~ / /) {
(36)           if (&User-Name =~ / /)  -> FALSE
(36)           if (&User-Name =~ /@[^@]*@/ ) {
(36)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(36)           if (&User-Name =~ /\.\./ ) {
(36)           if (&User-Name =~ /\.\./ )  -> FALSE
(36)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(36)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  -> FALSE
(36)           if (&User-Name =~ /\.$/) {
(36)           if (&User-Name =~ /\.$/)  -> FALSE
(36)           if (&User-Name =~ /@\./) {
(36)           if (&User-Name =~ /@\./)  -> FALSE
(36)         } # if (&User-Name)  = notfound
(36)       } # policy filter_username = notfound
(36)       [preprocess] = ok
(36)       [chap] = noop
(36)       [mschap] = noop
(36)       [digest] = noop
(36) suffix: Checking for suffix after "@"
(36) suffix: No '@' in User-Name = "user", looking up realm NULL
(36) suffix: No such realm "NULL"
(36)       [suffix] = noop
(36) eap: Peer sent EAP Response (code 2) ID 1 length 6
(36) eap: Ignoring NAK with request for unknown EAP type
(36)       [eap] = noop
(36)       [files] = noop
rlm_ldap (ldap): Closing connection (8): Hit idle_timeout, was idle for 84 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (9): Hit idle_timeout, was idle for 84 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): 0 of 0 connections in use.  You  may need to increase "spare"
rlm_ldap (ldap): Opening additional connection (10), 1 of 32 pending slots used
rlm_ldap (ldap): Connecting to ldap://127.0.0.1:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Reserved connection (10)
(36) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(36) ldap:    --> (uid=user)
(36) ldap: Performing search in "ou=People,dc=domain,dc=net" with filter "(uid=user)", scope "sub"
(36) ldap: Waiting for search result...
(36) ldap: User object found at DN "cn=user,ou=People,dc=domain,dc=net"
(36) ldap: Processing user attributes
(36) ldap: control:Password-With-Header += '{SHA}jNcioN4OBp8h7ZqsEqIjBoxKy8Y='
rlm_ldap (ldap): Released connection (10)
Need 2 more connections to reach min connections (3)
rlm_ldap (ldap): Opening additional connection (11), 1 of 31 pending slots used
rlm_ldap (ldap): Connecting to ldap://127.0.0.1:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(36)       [ldap] = updated
(36)       [expiration] = noop
(36)       [logintime] = noop
(36) pap: Converted: &control:Password-With-Header -> &control:SHA1-Password
(36) pap: Removing &control:Password-With-Header
(36) pap: Normalizing SHA1-Password from base64 encoding, 28 bytes -> 20 bytes
(36) pap: No User-Password attribute in the request.  Cannot do PAP
(36)       [pap] = noop
(36)     } # authorize = updated
(36) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(36) Failed to authenticate the user
(36) Using Post-Auth-Type Reject
(36)   # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(36)     Post-Auth-Type REJECT {
(36) attr_filter.access_reject: EXPAND %{User-Name}
(36) attr_filter.access_reject:    --> user
(36) attr_filter.access_reject: Matched entry DEFAULT at line 11
(36)       [attr_filter.access_reject] = updated
(36) eap: Expiring EAP session with state 0x41848598418590ad
(36) eap: Finished EAP session with state 0x41848598418590ad
(36) eap: Previous EAP request found for state 0x41848598418590ad, released from the list
(36) eap: Request was previously rejected, inserting EAP-Failure
(36) eap: Sending EAP Failure (code 4) ID 1 length 4
(36)       [eap] = updated
(36)       policy remove_reply_message_if_eap {
(36)         if (&reply:EAP-Message && &reply:Reply-Message) {
(36)         if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(36)         else {
(36)           [noop] = noop
(36)         } # else = noop
(36)       } # policy remove_reply_message_if_eap = noop
(36)     } # Post-Auth-Type REJECT = updated
(36) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [user] (from client localhost port 0 cli 56-7E-6E-74-19-66 via TLS tunnel)
(36) } # server default
(36) Virtual server sending reply
(36)   EAP-Message = 0x04010004
(36)   Message-Authenticator = 0x00000000000000000000000000000000
(36) eap_ttls: Got tunneled Access-Reject
(36) eap: ERROR: Failed continuing EAP TTLS (21) session.  EAP sub-module failed
(36) eap: Sending EAP Failure (code 4) ID 193 length 4
(36) eap: Failed in EAP select
(36)     [eap] = invalid
(36)   } # authenticate = invalid
(36) Failed to authenticate the user
(36) Using Post-Auth-Type Reject
(36) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(36)   Post-Auth-Type REJECT {
(36) attr_filter.access_reject: EXPAND %{User-Name}
(36) attr_filter.access_reject:    --> user
(36) attr_filter.access_reject: Matched entry DEFAULT at line 11
(36)     [attr_filter.access_reject] = updated
(36)     [eap] = noop
(36)     policy remove_reply_message_if_eap {
(36)       if (&reply:EAP-Message && &reply:Reply-Message) {
(36)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(36)       else {
(36)         [noop] = noop
(36)       } # else = noop
(36)     } # policy remove_reply_message_if_eap = noop
(36)   } # Post-Auth-Type REJECT = updated
(36) Login incorrect (eap: Failed continuing EAP TTLS (21) session.  EAP sub-module failed): [user] (from client localhost port 0 cli 56-7E-6E-74-19-66)
(36) Delaying response for 1.000000 seconds
Waking up in 0.6 seconds.
Waking up in 0.3 seconds.
(36) Sending delayed response
(36) Sent Access-Reject Id 68 from 192.168.2.6:1812 to 192.168.1.45:11929 length 44
(36)   EAP-Message = 0x04c10004
(36)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
(29) Cleaning up request packet ID 61 with timestamp +383
(30) Cleaning up request packet ID 62 with timestamp +383
(31) Cleaning up request packet ID 63 with timestamp +383
(32) Cleaning up request packet ID 64 with timestamp +383
(33) Cleaning up request packet ID 65 with timestamp +383
(34) Cleaning up request packet ID 66 with timestamp +383
(35) Cleaning up request packet ID 67 with timestamp +383
(36) Cleaning up request packet ID 68 with timestamp +383
Ready to process requests
  • Android
(22) Received Access-Request Id 54 from 192.168.1.45:63948 to 192.168.2.6:1812 length 226
(22)   User-Name = "user"
(22)   NAS-IP-Address = 192.168.0.16
(22)   NAS-Identifier = "1ae82968d827"
(22)   Called-Station-Id = "1A-E8-29-68-D8-27:TestNet"
(22)   NAS-Port-Type = Wireless-802.11
(22)   Service-Type = Framed-User
(22)   Calling-Station-Id = "30-07-4D-96-97-1B"
(22)   Connect-Info = "CONNECT 0Mbps 802.11b"
(22)   Acct-Session-Id = "873598953FB6DD96"
(22)   Acct-Multi-Session-Id = "02DA1835116F75BF"
(22)   WLAN-Pairwise-Cipher = 1027076
(22)   WLAN-Group-Cipher = 1027076
(22)   WLAN-AKM-Suite = 1027073
(22)   Framed-MTU = 1400
(22)   EAP-Message = 0x02ab000e016c64617061646d696e
(22)   Message-Authenticator = 0x466ab990741ed6cebb6c5a58af53cca1
(22) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(22)   authorize {
(22)     policy filter_username {
(22)       if (&User-Name) {
(22)       if (&User-Name)  -> TRUE
(22)       if (&User-Name)  {
(22)         if (&User-Name =~ / /) {
(22)         if (&User-Name =~ / /)  -> FALSE
(22)         if (&User-Name =~ /@[^@]*@/ ) {
(22)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(22)         if (&User-Name =~ /\.\./ ) {
(22)         if (&User-Name =~ /\.\./ )  -> FALSE
(22)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(22)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  -> FALSE
(22)         if (&User-Name =~ /\.$/) {
(22)         if (&User-Name =~ /\.$/)  -> FALSE
(22)         if (&User-Name =~ /@\./) {
(22)         if (&User-Name =~ /@\./)  -> FALSE
(22)       } # if (&User-Name)  = notfound
(22)     } # policy filter_username = notfound
(22)     [preprocess] = ok
(22)     [chap] = noop
(22)     [mschap] = noop
(22)     [digest] = noop
(22) suffix: Checking for suffix after "@"
(22) suffix: No '@' in User-Name = "user", looking up realm NULL
(22) suffix: No such realm "NULL"
(22)     [suffix] = noop
(22) eap: Peer sent EAP Response (code 2) ID 171 length 14
(22) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(22)     [eap] = ok
(22)   } # authorize = ok
(22) Found Auth-Type = eap
(22) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(22)   authenticate {
(22) eap: Peer sent packet with method EAP Identity (1)
(22) eap: Calling submodule eap_ttls to process data
(22) eap_ttls: Initiating new EAP-TLS session
(22) eap_ttls: [eaptls start] = request
(22) eap: Sending EAP Request (code 1) ID 172 length 6
(22) eap: EAP session adding &reply:State = 0x912db4839181a1fa
(22)     [eap] = handled
(22)   } # authenticate = handled
(22) Using Post-Auth-Type Challenge
(22) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(22)   Challenge { ... } # empty sub-section is ignored
(22) Sent Access-Challenge Id 54 from 192.168.2.6:1812 to 192.168.1.45:63948 length 0
(22)   EAP-Message = 0x01ac00061520
(22)   Message-Authenticator = 0x00000000000000000000000000000000
(22)   State = 0x912db4839181a1fac5f853532e9c45a7
(22) Finished request
Waking up in 4.8 seconds.
(28) Received Access-Request Id 60 from 192.168.1.45:63948 to 192.168.2.6:1812 length 309
(28)   User-Name = "user"
(28)   NAS-IP-Address = 192.168.0.16
(28)   NAS-Identifier = "1ae82968d827"
(28)   Called-Station-Id = "1A-E8-29-68-D8-27:TestNet"
(28)   NAS-Port-Type = Wireless-802.11
(28)   Service-Type = Framed-User
(28)   Calling-Station-Id = "30-07-4D-96-97-1B"
(28)   Connect-Info = "CONNECT 0Mbps 802.11b"
(28)   Acct-Session-Id = "873598953FB6DD96"
(28)   Acct-Multi-Session-Id = "02DA1835116F75BF"
(28)   WLAN-Pairwise-Cipher = 1027076
(28)   WLAN-Group-Cipher = 1027076
(28)   WLAN-AKM-Suite = 1027073
(28)   Framed-MTU = 1400
(28)   EAP-Message = 0x02b1004f150017030300440000000000000001374e029fa0b1517e6088f6e72cf0c4cd4ae4e2c3d2d7e064ce17eee6a8eaedff66ea36e77f18f69f9245bbb2f0fc391a7291c4d95111197d35ab8c85
(28)   State = 0x912db483949ca1fac5f853532e9c45a7
(28)   Message-Authenticator = 0x42b24c717e99eb8b3221698b2b94c453
(28) session-state: No cached attributes
(28) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(28)   authorize {
(28)     policy filter_username {
(28)       if (&User-Name) {
(28)       if (&User-Name)  -> TRUE
(28)       if (&User-Name)  {
(28)         if (&User-Name =~ / /) {
(28)         if (&User-Name =~ / /)  -> FALSE
(28)         if (&User-Name =~ /@[^@]*@/ ) {
(28)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(28)         if (&User-Name =~ /\.\./ ) {
(28)         if (&User-Name =~ /\.\./ )  -> FALSE
(28)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(28)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  -> FALSE
(28)         if (&User-Name =~ /\.$/) {
(28)         if (&User-Name =~ /\.$/)  -> FALSE
(28)         if (&User-Name =~ /@\./) {
(28)         if (&User-Name =~ /@\./)  -> FALSE
(28)       } # if (&User-Name)  = notfound
(28)     } # policy filter_username = notfound
(28)     [preprocess] = ok
(28)     [chap] = noop
(28)     [mschap] = noop
(28)     [digest] = noop
(28) suffix: Checking for suffix after "@"
(28) suffix: No '@' in User-Name = "user", looking up realm NULL
(28) suffix: No such realm "NULL"
(28)     [suffix] = noop
(28) eap: Peer sent EAP Response (code 2) ID 177 length 79
(28) eap: Continuing tunnel setup
(28)     [eap] = ok
(28)   } # authorize = ok
(28) Found Auth-Type = eap
(28) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(28)   authenticate {
(28) eap: Expiring EAP session with state 0x912db483949ca1fa
(28) eap: Finished EAP session with state 0x912db483949ca1fa
(28) eap: Previous EAP request found for state 0x912db483949ca1fa, released from the list
(28) eap: Peer sent packet with method EAP TTLS (21)
(28) eap: Calling submodule eap_ttls to process data
(28) eap_ttls: Authenticate
(28) eap_ttls: Continuing EAP-TLS
(28) eap_ttls: [eaptls verify] = ok
(28) eap_ttls: Done initial handshake
(28) eap_ttls: [eaptls process] = ok
(28) eap_ttls: Session established.  Proceeding to decode tunneled attributes
(28) eap_ttls: Got tunneled request
(28) eap_ttls:   User-Name = "user"
(28) eap_ttls:   User-Password = "Password1!!!"
(28) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1
(28) eap_ttls: Sending tunneled request
(28) Virtual server default received request
(28)   User-Name = "user"
(28)   User-Password = "Password1!!!"
(28)   FreeRADIUS-Proxied-To = 127.0.0.1
(28)   NAS-IP-Address = 192.168.0.16
(28)   NAS-Identifier = "1ae82968d827"
(28)   Called-Station-Id = "1A-E8-29-68-D8-27:TestNet"
(28)   NAS-Port-Type = Wireless-802.11
(28)   Service-Type = Framed-User
(28)   Calling-Station-Id = "30-07-4D-96-97-1B"
(28)   Connect-Info = "CONNECT 0Mbps 802.11b"
(28)   Acct-Session-Id = "873598953FB6DD96"
(28)   Acct-Multi-Session-Id = "02DA1835116F75BF"
(28)   WLAN-Pairwise-Cipher = 1027076
(28)   WLAN-Group-Cipher = 1027076
(28)   WLAN-AKM-Suite = 1027073
(28)   Framed-MTU = 1400
(28)   Event-Timestamp = "Jul  6 2021 13:48:17 EEST"
(28) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(28) server default {
(28)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(28)     authorize {
(28)       policy filter_username {
(28)         if (&User-Name) {
(28)         if (&User-Name)  -> TRUE
(28)         if (&User-Name)  {
(28)           if (&User-Name =~ / /) {
(28)           if (&User-Name =~ / /)  -> FALSE
(28)           if (&User-Name =~ /@[^@]*@/ ) {
(28)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(28)           if (&User-Name =~ /\.\./ ) {
(28)           if (&User-Name =~ /\.\./ )  -> FALSE
(28)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(28)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  -> FALSE
(28)           if (&User-Name =~ /\.$/) {
(28)           if (&User-Name =~ /\.$/)  -> FALSE
(28)           if (&User-Name =~ /@\./) {
(28)           if (&User-Name =~ /@\./)  -> FALSE
(28)         } # if (&User-Name)  = notfound
(28)       } # policy filter_username = notfound
(28)       [preprocess] = ok
(28)       [chap] = noop
(28)       [mschap] = noop
(28)       [digest] = noop
(28) suffix: Checking for suffix after "@"
(28) suffix: No '@' in User-Name = "user", looking up realm NULL
(28) suffix: No such realm "NULL"
(28)       [suffix] = noop
(28) eap: No EAP-Message, not doing EAP
(28)       [eap] = noop
(28)       [files] = noop
rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 299 seconds
rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for 299 seconds
rlm_ldap (ldap): Closing connection (0): Hit idle_timeout, was idle for 296 seconds
rlm_ldap (ldap): Closing connection (5): Hit idle_timeout, was idle for 296 seconds
rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 285 seconds
rlm_ldap (ldap): Closing connection (6): Hit idle_timeout, was idle for 285 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 278 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (7): Hit idle_timeout, was idle for 278 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): 0 of 0 connections in use.  You  may need to increase "spare"
rlm_ldap (ldap): Opening additional connection (8), 1 of 32 pending slots used
rlm_ldap (ldap): Connecting to ldap://127.0.0.1:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Reserved connection (8)
(28) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(28) ldap:    --> (uid=user)
(28) ldap: Performing search in "ou=People,dc=domain,dc=net" with filter "(uid=user)", scope "sub"
(28) ldap: Waiting for search result...
(28) ldap: User object found at DN "cn=user,ou=People,dc=domain,dc=net"
(28) ldap: Processing user attributes
(28) ldap: control:Password-With-Header += '{SHA}jNcioN4OBp8h7ZqsEqIjBoxKy8Y='
rlm_ldap (ldap): Released connection (8)
Need 2 more connections to reach min connections (3)
rlm_ldap (ldap): Opening additional connection (9), 1 of 31 pending slots used
rlm_ldap (ldap): Connecting to ldap://127.0.0.1:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(28)       [ldap] = updated
(28)       [expiration] = noop
(28)       [logintime] = noop
(28) pap: Converted: &control:Password-With-Header -> &control:SHA1-Password
(28) pap: Removing &control:Password-With-Header
(28) pap: Normalizing SHA1-Password from base64 encoding, 28 bytes -> 20 bytes
(28)       [pap] = updated
(28)     } # authorize = updated
(28) Found Auth-Type = PAP
(28)   # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(28)     Auth-Type PAP {
(28) pap: Login attempt with password
(28) pap: Comparing with "known-good" SHA-Password
(28) pap: User authenticated successfully
(28)       [pap] = ok
(28)     } # Auth-Type PAP = ok
(28)   # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(28)     post-auth {
(28)       update {
(28)         No attributes updated
(28)       } # update = noop
(28)       [exec] = noop
(28)       policy remove_reply_message_if_eap {
(28)         if (&reply:EAP-Message && &reply:Reply-Message) {
(28)         if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(28)         else {
(28)           [noop] = noop
(28)         } # else = noop
(28)       } # policy remove_reply_message_if_eap = noop
(28)     } # post-auth = noop
(28) Login OK: [user] (from client localhost port 0 cli 30-07-4D-96-97-1B via TLS tunnel)
(28) } # server default
(28) Virtual server sending reply
(28) eap_ttls: Got tunneled Access-Accept
(28) eap: Sending EAP Success (code 3) ID 177 length 4
(28) eap: Freeing handler
(28)     [eap] = ok
(28)   } # authenticate = ok
(28) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(28)   post-auth {
(28)     update {
(28)       No attributes updated
(28)     } # update = noop
(28)     [exec] = noop
(28)     policy remove_reply_message_if_eap {
(28)       if (&reply:EAP-Message && &reply:Reply-Message) {
(28)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(28)       else {
(28)         [noop] = noop
(28)       } # else = noop
(28)     } # policy remove_reply_message_if_eap = noop
(28)   } # post-auth = noop
(28) Login OK: [user] (from client localhost port 0 cli 30-07-4D-96-97-1B)
(28) Sent Access-Accept Id 60 from 192.168.2.6:1812 to 192.168.1.45:63948 length 0
(28)   MS-MPPE-Recv-Key = 0x56707e44ad2b97f1e40d4f4be67454a69e744d1b58ea60bf71ea080a9a55c4a6
(28)   MS-MPPE-Send-Key = 0x2a0f6c6d576690859d4c73b3fdaccc5bb59de87760266ad0728cd9438623e0ae
(28)   EAP-Message = 0x03b10004
(28)   Message-Authenticator = 0x00000000000000000000000000000000
(28)   User-Name = "user"
(28) Finished request
Waking up in 4.8 seconds.
(22) Cleaning up request packet ID 54 with timestamp +299
(23) Cleaning up request packet ID 55 with timestamp +299
(24) Cleaning up request packet ID 56 with timestamp +299
(25) Cleaning up request packet ID 57 with timestamp +299
(26) Cleaning up request packet ID 58 with timestamp +299
(27) Cleaning up request packet ID 59 with timestamp +299
(28) Cleaning up request packet ID 60 with timestamp +299
Ready to process requests

Do you see something that I don't see? Mind that this is my first RADIUS server, so if you can guide me in detail on how to overcome this issue, I would be grateful.

Because of the character limit here, I'm posting my config files:

  • sites-available/default
server default {
    listen {
        type = auth
        ipaddr = *
        port = 0
        limit {
            max_connections = 16
            lifetime = 0
            idle_timeout = 30
        }
    }
    listen {
        ipaddr = *
        port = 0
        type = acct
        limit {
        }
    }
    authorize {
        filter_username
        preprocess
        chap
        mschap
        digest
        suffix
        eap {
            ok = return
        }
        files
        ldap
        expiration
        logintime
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        mschap
        digest
        eap
        ldap
    }
    preacct {
        preprocess
        acct_unique
        suffix
        files
    }
    accounting {
        detail
        unix
        radutmp
        exec
        attr_filter.accounting_response
    }
    session {
        radutmp
    }
    post-auth {
        update {
            &reply: += &session-state:
        }
        exec
        remove_reply_message_if_eap
        Post-Auth-Type REJECT {
            attr_filter.access_reject
            eap
            remove_reply_message_if_eap
        }
        Post-Auth-Type Challenge {
        }
    }
    pre-proxy {
    }
    post-proxy {
        eap
    }
}
  • mods-available/ldap
ldap {
    server = '127.0.0.1'
    port = 389
    identity = 'cn=admin,dc=domain,dc=net'
    password = hdf87dfgyd87g98df89
    base_dn = 'dc=domain,dc=net'
    sasl {
    }
    update {
        control:Password-With-Header += 'userPassword'
        control:NT-Password := 'sambaNTPassword'
        control: += 'radiusControlAttribute'
        request: += 'radiusRequestAttribute'
        reply: += 'radiusReplyAttribute'
    }
    user {
        base_dn = "ou=People,dc=domain,dc=net"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        sasl {
        }
    }
    group {
        base_dn = "cn=wifi-users,ou=group,dc=domain,dc=net"
        filter = '(objectClass=posixGroup)'
        membership_attribute = 'memberOf'
    }
    profile {
    }
    client {
        base_dn = "${..base_dn}"
        filter = '(objectClass=radiusClient)'
        template {
        }
        attribute {
            ipaddr = 'radiusClientIdentifier'
            secret = 'radiusClientSecret'
        }
    }
    accounting {
        reference = "%{tolower:type.%{Acct-Status-Type}}"
        type {
            start {
                update {
                    description := "Online at %S"
                }
            }
            interim-update {
                update {
                    description := "Last seen at %S"
                }
            }
            stop {
                update {
                    description := "Offline at %S"
                }
            }
        }
    }
    post-auth {
        update {
            description := "Authenticated at %S"
        }
    }
    options {
        chase_referrals = yes
        rebind = yes
        res_timeout = 10
        srv_timelimit = 3
        net_timeout = 1
        idle = 60
        probes = 3
        interval = 3
        ldap_debug = 0x0028
    }
    tls {
    }
    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = ${thread[pool].max_servers}
        spare = ${thread[pool].max_spare_servers}
        uses = 0
        retry_delay = 30
        lifetime = 0
        idle_timeout = 60
    }
}
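The difference between the two logs sits in the EAP-Message values that radiusd prints as raw hex. The following decoder is an added example, not code from the original post or from FreeRADIUS: it parses the EAP header as defined in RFC 3748 (code, identifier, length, type) and the EAP-TTLS flags byte from RFC 5281, and runs it over the hex strings copied from the logs above. The type-number table is the IANA EAP method registry; the dictionary of sample messages and its labels are constructed for this example.

```python
"""Decode the EAP-Message attributes printed in the FreeRADIUS debug output.

Added example (not FreeRADIUS code). Header layout per RFC 3748, EAP-TTLS
flags byte per RFC 5281. Hex strings below are copied from the log lines in
the question; the labels are ours.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {
    1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
    6: "GTC", 13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2",
}


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int] = None  # Success/Failure carry no Type byte
    data: bytes = b""

    @property
    def nak_requested_types(self) -> list[int]:
        """A Nak (type 3) lists the EAP types the peer is willing to use instead."""
        return list(self.data) if self.eap_type == 3 else []

    def ttls_flags(self) -> Optional[dict]:
        """For EAP-TTLS: L/M/S flags, version, and the TLS length when L is set."""
        if self.eap_type != 21 or not self.data:
            return None
        flags = self.data[0]
        info = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                "S": bool(flags & 0x20), "version": flags & 0x07,
                "tls_length": None}
        if info["L"]:
            if len(self.data) < 5:
                raise ValueError("L flag set but no 4-byte TLS length field")
            info["tls_length"] = int.from_bytes(self.data[1:5], "big")
        return info

    def describe(self) -> str:
        code = EAP_CODES.get(self.code, f"code {self.code}")
        if self.eap_type is None:
            return f"EAP {code} id={self.identifier} len={self.length}"
        name = EAP_TYPES.get(self.eap_type, f"type {self.eap_type}")
        text = f"EAP {code} id={self.identifier} len={self.length} type={name}"
        if self.eap_type == 3:
            wanted = [EAP_TYPES.get(t, str(t)) for t in self.nak_requested_types]
            text += f" wants={wanted}"
        elif self.eap_type == 21:
            text += f" ttls={self.ttls_flags()}"
        return text


def decode_eap(hexstr: str) -> EapPacket:
    """Parse one EAP-Message value (the 0x... string radiusd prints)."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):  # reject truncated or padded captures
        raise ValueError(f"length field {length} != {len(raw)} bytes present")
    if code in (3, 4):      # Success / Failure: header only
        return EapPacket(code, ident, length)
    if length < 5:
        raise ValueError("Request/Response needs a Type byte")
    return EapPacket(code, ident, length, raw[4], raw[5:])


# EAP-Message values copied from the debug output in the question.
LOG_MESSAGES = {
    "iphone_outer": "0x02c1003715800000002d17030300289d5b6e7c1b6d76eee5a570e1dd5dab9ce96cf13e3974ea5a14c116425106079c9adabe1aef8b357c",
    "iphone_inner": "0x02010006031a",   # what the phone sent inside the TLS tunnel
    "android_start": "0x01ac00061520",  # the Access-Challenge that starts TTLS
    "android_ok": "0x03b10004",
    "iphone_fail": "0x04c10004",
}


def decode_all(messages: dict[str, str] = LOG_MESSAGES) -> dict[str, EapPacket]:
    return {name: decode_eap(hexstr) for name, hexstr in messages.items()}


if __name__ == "__main__":
    for name, pkt in decode_all().items():
        print(f"{name:14s} {pkt.describe()}")
```

Running it shows the tunneled iPhone message `0x02010006031a` is an EAP Response, id 1, type 3 (Nak), asking for type 26, which is EAP-MSCHAPv2: the iPhone is running an EAP method inside the TTLS tunnel rather than PAP, so no User-Password ever reaches the inner authorize section, which is exactly why pap reports "No User-Password attribute in the request" and the server answers "Ignoring NAK with request for unknown EAP type". The Android client, by contrast, sends User-Name and User-Password as tunneled attributes, which pap can verify against the {SHA} userPassword hash. MSCHAPv2 cannot be verified against a SHA hash at all; it needs an NT hash (sambaNTPassword) or a cleartext password, whereas an EAP-GTC inner method carries the password in the clear inside the tunnel and can be checked the same way PAP is.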

I made this change in EAP and it works on the iPhone; on Android I set it to GTC and it also worked, but I haven't gotten it working on a Windows 10 laptop.
