hacor / unifi-freeradius-ldap

A freeradius docker container to connect to the Google Secure LDAP service

Radius test works, but Wifi does not #9

Closed undeadindustries closed 3 years ago

undeadindustries commented 4 years ago

Hi there!

I'm trying to use this container to use gsuite ldap + freeradius + unifi controller for wifi access.

When I test the freeradius container with NTRadPing, I get a proper Access-Accept. So I know freeradius is properly connected to gsuite ldap.

However, no matter what I do, I can't get my laptop to wifi via freeradius. Are there any special settings in unifi that are required?

I've set up unifi with Jumpcloud as the radius server and it just worked. I think the difference is that GSuite LDAP doesn't expose the userPassword at all? So CHAP / MSCHAPv2 just will never work. But I thought EAP wouldn't run into that issue?

Any help would be greatly appreciated. Thanks so much!

undeadindustries commented 4 years ago

I narrowed this down. In ChromeOS, it works when I force EAP-TTLS PAP.

In Windows 10, it always thinks it's anonymous. I'm forcing the same as ChromeOS. I'm typing in the correct username/password. No matter what I do, I get this:

unifi-freeradius-ldap_1  | (37) # Executing section authorize from file /etc/freeradius/sites-enabled/default
unifi-freeradius-ldap_1  | (37)   authorize {
unifi-freeradius-ldap_1  | (37)     policy filter_username {
unifi-freeradius-ldap_1  | (37)       if (&User-Name) {
unifi-freeradius-ldap_1  | (37)       if (&User-Name)  -> TRUE
unifi-freeradius-ldap_1  | (37)       if (&User-Name)  {
unifi-freeradius-ldap_1  | (37)         if (&User-Name =~ / /) {
unifi-freeradius-ldap_1  | (37)         if (&User-Name =~ / /)  -> FALSE
unifi-freeradius-ldap_1  | (37)         if (&User-Name =~ /@[^@]*@/ ) {
unifi-freeradius-ldap_1  | (37)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
unifi-freeradius-ldap_1  | (37)         if (&User-Name =~ /\.\./ ) {
unifi-freeradius-ldap_1  | (37)         if (&User-Name =~ /\.\./ )  -> FALSE
unifi-freeradius-ldap_1  | (37)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
unifi-freeradius-ldap_1  | (37)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
unifi-freeradius-ldap_1  | (37)         if (&User-Name =~ /\.$/)  {
unifi-freeradius-ldap_1  | (37)         if (&User-Name =~ /\.$/)   -> FALSE
unifi-freeradius-ldap_1  | (37)         if (&User-Name =~ /@\./)  {
unifi-freeradius-ldap_1  | (37)         if (&User-Name =~ /@\./)   -> FALSE
unifi-freeradius-ldap_1  | (37)       } # if (&User-Name)  = notfound
unifi-freeradius-ldap_1  | (37)     } # policy filter_username = notfound
unifi-freeradius-ldap_1  | (37)     [preprocess] = ok
unifi-freeradius-ldap_1  | (37)     [digest] = noop
unifi-freeradius-ldap_1  | (37) suffix: Checking for suffix after "@"
unifi-freeradius-ldap_1  | (37) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
unifi-freeradius-ldap_1  | (37) suffix: No such realm "NULL"
unifi-freeradius-ldap_1  | (37)     [suffix] = noop
unifi-freeradius-ldap_1  | (37) eap: Peer sent EAP Response (code 2) ID 39 length 136
unifi-freeradius-ldap_1  | (37) eap: Continuing tunnel setup
unifi-freeradius-ldap_1  | (37)     [eap] = ok
unifi-freeradius-ldap_1  | (37)   } # authorize = ok
unifi-freeradius-ldap_1  | (37) Found Auth-Type = eap
unifi-freeradius-ldap_1  | (37) # Executing group from file /etc/freeradius/sites-enabled/default
unifi-freeradius-ldap_1  | (37)   authenticate {
unifi-freeradius-ldap_1  | (37) eap: Expiring EAP session with state 0x69373e976a102bbb
unifi-freeradius-ldap_1  | (37) eap: Finished EAP session with state 0x69373e976a102bbb
unifi-freeradius-ldap_1  | (37) eap: Previous EAP request found for state 0x69373e976a102bbb, released from the list
unifi-freeradius-ldap_1  | (37) eap: Peer sent packet with method EAP TTLS (21)
unifi-freeradius-ldap_1  | (37) eap: Calling submodule eap_ttls to process data
unifi-freeradius-ldap_1  | (37) eap_ttls: Authenticate
unifi-freeradius-ldap_1  | (37) eap_ttls: Continuing EAP-TLS
unifi-freeradius-ldap_1  | (37) eap_ttls: Peer indicated complete TLS record size will be 126 bytes
unifi-freeradius-ldap_1  | (37) eap_ttls: Got complete TLS record (126 bytes)
unifi-freeradius-ldap_1  | (37) eap_ttls: [eaptls verify] = length included
unifi-freeradius-ldap_1  | (37) eap_ttls: TLS_accept: SSLv3/TLS write server done
unifi-freeradius-ldap_1  | (37) eap_ttls: <<< recv TLS 1.2  [length 0046]
unifi-freeradius-ldap_1  | (37) eap_ttls: TLS_accept: SSLv3/TLS read client key exchange
unifi-freeradius-ldap_1  | (37) eap_ttls: TLS_accept: SSLv3/TLS read change cipher spec
unifi-freeradius-ldap_1  | (37) eap_ttls: <<< recv TLS 1.2  [length 0010]
unifi-freeradius-ldap_1  | (37) eap_ttls: TLS_accept: SSLv3/TLS read finished
unifi-freeradius-ldap_1  | (37) eap_ttls: >>> send TLS 1.2  [length 0001]
unifi-freeradius-ldap_1  | (37) eap_ttls: TLS_accept: SSLv3/TLS write change cipher spec
unifi-freeradius-ldap_1  | (37) eap_ttls: >>> send TLS 1.2  [length 0010]
unifi-freeradius-ldap_1  | (37) eap_ttls: TLS_accept: SSLv3/TLS write finished
unifi-freeradius-ldap_1  | (37) eap_ttls: (other): SSL negotiation finished successfully
unifi-freeradius-ldap_1  | (37) eap_ttls: TLS - Connection Established
unifi-freeradius-ldap_1  | (37) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
unifi-freeradius-ldap_1  | (37) eap_ttls: TLS-Session-Version = "TLS 1.2"
unifi-freeradius-ldap_1  | (37) eap_ttls: TLS - got 51 bytes of data
unifi-freeradius-ldap_1  | (37) eap_ttls: [eaptls process] = handled
unifi-freeradius-ldap_1  | (37) eap: Sending EAP Request (code 1) ID 40 length 61
unifi-freeradius-ldap_1  | (37) eap: EAP session adding &reply:State = 0x69373e976d1f2bbb
unifi-freeradius-ldap_1  | (37)     [eap] = handled
unifi-freeradius-ldap_1  | (37)   } # authenticate = handled
unifi-freeradius-ldap_1  | (37) Using Post-Auth-Type Challenge
unifi-freeradius-ldap_1  | (37) # Executing group from file /etc/freeradius/sites-enabled/default
unifi-freeradius-ldap_1  | (37)   Challenge { ... } # empty sub-section is ignored
unifi-freeradius-ldap_1  | (37) session-state: Saving cached attributes
unifi-freeradius-ldap_1  | (37)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
unifi-freeradius-ldap_1  | (37)   TLS-Session-Version = "TLS 1.2"
unifi-freeradius-ldap_1  | (37) Sent Access-Challenge Id 14 from 10.128.0.6:1812 to 96.92.49.235:52585 length 0
unifi-freeradius-ldap_1  | (37)   EAP-Message = 0x0128003d1580000000331403030001011603030028f8d74d7d3c1b998dc0c6126929b4f37d12cf007c55f42ee5598acca90fdc3a832e989b0774f6c80f
unifi-freeradius-ldap_1  | (37)   Message-Authenticator = 0x00000000000000000000000000000000
unifi-freeradius-ldap_1  | (37)   State = 0x69373e976d1f2bbb31951ea382f226eb
unifi-freeradius-ldap_1  | (37) Finished request

hacor commented 4 years ago

Sorry for the late reply, it's been busy :-) Google doesn't share passwords indeed, so it takes the password and says if it is correct or not. If I'm correct, PAP should be the way to go indeed. What I see in your logs that surprises me is the following lines:

unifi-freeradius-ldap_1  | (37) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
unifi-freeradius-ldap_1  | (37) suffix: No such realm "NULL"

Have you tried logging in using the login with user@domain.com credentials? I also don't find any communication with the Google LDAP servers in your logs. This is why I think the realm is something to dig deeper into.

Hope this helps!

Best
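A small triage script, added here as an illustration and not part of this repository, that reads `radiusd -X` style debug output and surfaces the points raised above: the anonymous outer identity, the NULL realm, and the absence of any inner-tunnel or LDAP activity in the capture. The sample log is constructed from the lines quoted in this issue; matching on the "inner-tunnel" and "ldap:" substrings is an assumption about FreeRADIUS log wording.

```python
import re
from collections import defaultdict

# Constructed sample: the issue's debug lines the triage keys on, container prefix kept as logged.
SAMPLE_LOG = """\
unifi-freeradius-ldap_1  | (37) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
unifi-freeradius-ldap_1  | (37) suffix: No such realm "NULL"
unifi-freeradius-ldap_1  | (37) eap: Peer sent packet with method EAP TTLS (21)
unifi-freeradius-ldap_1  | (37) eap_ttls: TLS - Connection Established
unifi-freeradius-ldap_1  | (37) Sent Access-Challenge Id 14 from 10.128.0.6:1812 to 96.92.49.235:52585 length 0
"""
REQ_ID = re.compile(r"(?:^|\|\s*)\((\d+)\)")          # "(37)" with or without the docker-compose prefix
FIELDS = {                                             # captured values; last match per request wins
    "user_name": re.compile(r'User-Name = "([^"]*)"'),
    "eap_method": re.compile(r"Peer sent packet with method EAP (\S+)"),
    "result": re.compile(r"Sent (Access-\w+) Id"),
}
FLAGS = {                                              # presence checks (assumed FreeRADIUS wording)
    "tls_up": "TLS - Connection Established",
    "inner_tunnel": "inner-tunnel",
    "ldap": "ldap:",
}
def summarize(log_text):
    """Collect identity, EAP method, outcome and stage flags per request id."""
    reqs = defaultdict(lambda: {**{k: None for k in FIELDS}, **{k: False for k in FLAGS}})
    for line in log_text.splitlines():
        m = REQ_ID.search(line)
        if not m:
            continue
        rec = reqs[int(m.group(1))]
        for key, pat in FIELDS.items():
            if hit := pat.search(line):
                rec[key] = hit.group(1)
        for key, needle in FLAGS.items():
            if needle in line:
                rec[key] = True
    return dict(reqs)
def diagnose(log_text):
    """Explain why a capture like the one in the issue shows no LDAP traffic."""
    reqs = summarize(log_text)
    notes = []
    if not any(r["inner_tunnel"] or r["ldap"] for r in reqs.values()):
        notes.append("no inner-tunnel or ldap activity captured: inner PAP never reached LDAP")
    for rid, r in sorted(reqs.items()):
        if r["user_name"] == "anonymous":
            notes.append(f"({rid}) outer identity is anonymous, so realm lookup is NULL; real user@domain must come from the inner tunnel")
        if r["eap_method"] == "TTLS" and r["tls_up"] and r["result"] == "Access-Challenge":
            notes.append(f"({rid}) TTLS tunnel is up but request ended in Access-Challenge: still mid-handshake")
    return notes
```

Run `diagnose(open("radiusd.log").read())` against a full debug capture; the inner-tunnel request carrying the real username is logged under its own request id, so its absence is the first thing the output reports.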