freeradius 1.9.2 broke configuration after update to opnsense 19.1.6 #1303
Comments
Not aware of these changes. Does reverting the plugin help?
Cheers,
If a revert works, please update to latest version again, stop radius via
@fichtner Only thing we did was certificate script, ldap user/pw hardening and ldap group, correct?
Maybe a problem in the new escaping using single quotes, but that would mean it's not a general issue.
I already tried reverting the plugin yesterday, which did not fix it. I reverted back completely to 19.1.5_1 now and will retry first asap. If this works, I'll update again with debugging according to mimugmail and post the output here. --edit-- verified by email: even after reverting I see those errors. Will update back to 19.1.6 and debug.
What was the last known running version?
os-freeradius 1.9.0 on opnsense 1.19.5_1
Debug log (partially):
rlm_ldap (ldap): Reserved connection (5)
Can you install the latest version and edit the file, line 81, replace
Same result. Will deliver debug logs later.
Can you also try:
Reverted, without any success. How can I prevent the actual configuration from being taken over if I reinstall on a clean freeradius basis? I would like to check whether just the config is corrupted after the update.
Can you post the output of the Freeradius ldap config? What about other client OSes, as you only mention Ubuntu?
...it does not seem to be the final solution. My account is the only one that works for the moment. I entered the account as a radius user, logged in, and then deleted the account again. After that, it worked. I did not do this for my wife, so it does not work for her.
btw. found those errors in the log:
15:59:14 2019 : Warning: [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
Fri Apr 12 15:59:14 2019 : Warning: [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
Other dumb question: is the slash after the username correct?
Think so, yes. As I'm on vacation next week it is hard for me to reproduce.
What I can confirm is that it works without ldap. I created the users on the opnsense, and in that case freeradius works. It's the ldap integration which is faulty. Happy vacation :)
Only thing I know is that WIFI EAP doesn't work with LDAP .. I'll try to test it.
That's exactly how I've been using it until 19.1.5. Since the update to 19.1.6 it's broken. All other ldap connections than those using freeradius are working without problem (authentication, openvpn...).
Do you use LDAP as OpenVPN backend or Radius as OpenVPN backend which in turn is connected via LDAP?
ldap for both. freeradius for wifi only.
So the next test would be to select Radius as backend for OpenVPN.
How is progress on this?
Hi Michael, I've searched for the option in the openvpn gui, but did not find it. OpenVPN uses just LDAP, which works straight away.
> see screenshot

Could you please post your localradius? Mine doesn't work. Just to make sure I have no error.
No need. Got it. But same effect.
btw. connecting directly to ldap when authenticating vpn works perfectly.
So, when Radius is connected to LDAP and it doesn't work with OpenVPN, but LDAP as a backend directly works, it's an error in the LDAP config within the FreeRadius plugin.
This might be, I'll check it out. What I do not understand is that it has been working until 19.1.5.
You may have an error in your search filter.
OK, I'm gonna check my filter in that case.
I have this filter inserted, but it does not work: (&(|(objectclass=person))(|(uid=%uid)(|(cn=%uid)))) I use this filter also in other places, where it works well (nextcloud).
this looks weird.... how about this
|
(edited post again)
Same.
Then set LDAPS to LDAP and do a packet capture with -X to see what happens in clear text.
I meant tcpdump with -X :)
;) I just saw now that freeradius does not get any user back from ldap at all. So it might be that the query to my qnap nas is malformed.
I am seeing a similar/same situation. When I look in my LDAP logs, it appears that FreeRadius is no longer performing the expansions for Stripped-User-Name and User-Name before submitting the query to LDAP. From my 389 logs:
I verified that the problem is constrained to the "User Filter" handling by changing just the User Filter part of my configuration to "(uid=paul)" and was able to auth successfully with that user's password.
For those looking for a workaround, setting the User Filter to "(uid=%{User-Name})" is currently working in our environment.
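The two comments above describe the same mechanism from both sides: the `%{User-Name}` / `%{Stripped-User-Name}` references in the LDAP user filter have to be expanded before the search is sent, and if they are not, the directory receives the placeholder text literally and returns no entry. The example below is added here and is not code from OPNsense, the os-freeradius plugin or FreeRADIUS itself; it models that expansion step in plain Python, escapes the substituted value per RFC 4515 so a crafted User-Name cannot rewrite the filter, and flags filters in which a reference survived unexpanded (including the bare `%uid` style from the filter posted earlier in this thread, which is not a `%{...}` reference at all). The function names, the request dictionary and the sample user names are illustrative choices made for this example.

```python
"""
Expand FreeRADIUS-style %{Attr} references inside an LDAP search filter and
escape the substituted values per RFC 4515.

Added example, not the plugin's or FreeRADIUS's own code. The request dict,
expand_filter(), ldap_filter_escape() and leftover_references() are names
chosen here for illustration.
"""
import re

# RFC 4515 section 3: these characters must be hex-escaped inside an
# assertion value so the directory does not parse them as filter syntax.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# A reference in the form FreeRADIUS uses in its filters, e.g. %{User-Name}.
_REF = re.compile(r"%\{([A-Za-z0-9-]+)\}")

# A bare "%name" token (e.g. "%uid"): no expansion applies to it, so it
# would be sent to the directory as the literal text "%uid".
_BARE = re.compile(r"%[A-Za-z][A-Za-z0-9-]*")


def ldap_filter_escape(value: str) -> str:
    """Escape one assertion value so it cannot alter filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, request: dict) -> str:
    """Replace every %{Attr} reference with the escaped request attribute.

    This example deliberately refuses to expand a reference to an attribute
    the request does not carry (KeyError) rather than substituting an empty
    string, so a misconfigured filter fails loudly instead of matching
    nothing in silence.
    """
    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name not in request:
            raise KeyError(f"filter references missing attribute {name}")
        return ldap_filter_escape(request[name])

    return _REF.sub(substitute, template)


def leftover_references(filter_text: str) -> list:
    """Return any %{...} or bare %name tokens still present in a filter.

    A non-empty result means the filter would reach the directory with
    placeholder text in it, which is the symptom reported in this thread.
    """
    return _REF.findall(filter_text) + _BARE.findall(filter_text)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    plain = {"User-Name": "paul@example.org", "Stripped-User-Name": "paul"}
    hostile = {"User-Name": "*)(uid=*"}
    template = "(&(objectclass=person)(|(uid=%{Stripped-User-Name})(cn=%{User-Name})))"
    print(expand_filter(template, plain))
    print(expand_filter("(uid=%{User-Name})", hostile))
    print(leftover_references("(uid=%uid)"))
```

Running the block prints the expanded filter for a normal request, then the filter produced for a hostile User-Name, where the `*`, `(` and `)` are hex-escaped so the result is still a single equality assertion, and finally `['%uid']`, showing that the bare `%uid` form is left in place because nothing expands it.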
This issue may also be gone with 19.1.8. There's a fix regarding the string interpolation inside the user and group filter.
Feedback would be very appreciated :)
Sorry Mimugmail :) opnsense-patch -c plugins 12f89de perhaps I did something wrong?
@fichtner thx for the help with patching. I can confirm freeradius is again working using ldap, in conjunction with eap. Thx!
Ok, no problem. :) We have the patch queued up for 19.1.8 already, which should come out next week.
Hi! I also tried with a plain-text password but it doesn't work in LDAP either. I have the latest version of opnSense (20.1.8). Any help would be greatly appreciated. Many thanks.
EAP does not work via LDAP .. only Kerberos, which is not supported.
After updating to 19.1.6, I got lots of errors with ubuntu clients using wpa2/eap/mschapv2 via freeradius. Auth is LDAP.
21:25:50 2019 : Auth: (38) Login incorrect (mschap: FAILED: No NT/LM-Password. Cannot perform authentication): [username/] (from client Radius-Clients LAN 1 port 0 via TLS tunnel)
erm... I do not use NT/LM passwords... where does this come from?