opnsense / plugins

OPNsense plugin collection
https://opnsense.org/
BSD 2-Clause "Simplified" License

freeradius 1.9.2 broke configuration after update to opnsense 19.1.6 #1303

Closed ruggerio closed 5 years ago

ruggerio commented 5 years ago

After updating to 19.1.6, I got lots of errors with Ubuntu clients using WPA2/EAP/MSCHAPv2 via FreeRADIUS. Auth is LDAP.

```
21:25:50 2019 : Auth: (38) Login incorrect (mschap: FAILED: No NT/LM-Password. Cannot perform authentication): [username/] (from client Radius-Clients LAN 1 port 0 via TLS tunnel)
```

Erm... I do not use NT/LM passwords... where does this come from?

fichtner commented 5 years ago

Not aware of these changes. Does reverting the plugin help?

```
# opnsense-revert -r 19.1.5 os-freeradius
```

Cheers, Franco

mimugmail commented 5 years ago

If a revert works, please update to the latest version again, stop radius via `/usr/local/etc/rc.d/radiusd stop` and start it in debug mode: `radiusd -X`

@fichtner The only things we did were the certificate script, LDAP user/password hardening and the LDAP group, correct? Then I'd love to see the output.

fichtner commented 5 years ago

Maybe a problem in the new escaping using single quotes, but that would mean it's not a general issue.

ruggerio commented 5 years ago

I already tried reverting the plugin yesterday; it did not fix it.

I have reverted completely back to 19.1.5_1 now and will first retry as soon as possible. If this works, I'll update again while debugging according to mimugmail and post the output here.

--edit-- Verified by email: even after reverting I see those errors. Will update back to 19.1.6 and debug.

mimugmail commented 5 years ago

What was the last known running version?

ruggerio commented 5 years ago

os-freeradius 1.9.0 on opnsense 1.19.5_1

ruggerio commented 5 years ago

Debug-Log (partially)

radius.txt

mimugmail commented 5 years ago

```
rlm_ldap (ldap): Reserved connection (5)
(8) ldap: Performing search in "dc=gwch,dc=net" with filter "(uid=%{%{Stripped-User-Name}:-%{User-Name}})", scope "sub"
(8) ldap: Waiting for search result...
(8) ldap: Search returned no results
```

Can you install the latest version and edit the file `/usr/local/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-ldap`?

On line 81, replace `'{{ OPNsense.freeradius.ldap.group_filter }}'` with `'(objectClass=posixGroup)'`, then save, type `service configd restart` and save via the UI ...

ruggerio commented 5 years ago

same result. will deliver debug logs later.

mimugmail commented 5 years ago

Can you also try:

```
# opnsense-revert -r 19.1.5 freeradius3
```

ruggerio commented 5 years ago

Reverted, without any success.

How can I prevent the current configuration from being taken over if I reinstall on a clean FreeRADIUS basis? I would like to try whether just the config is corrupted after the update.

mimugmail commented 5 years ago

Can you post the output of Freeradius ldap config?

What about other client OSes, as you only mention Ubuntu?

ruggerio commented 5 years ago

Same problem on Fedora, Android and iOS.

ruggerio commented 5 years ago

Got it. In fact, it's been very simple: I just had to change the user filter (Benutzerfilter).

...for the moment, I do not remember how the old string got in; possibly it was automatic?

ruggerio commented 5 years ago

...it does not seem to be the final solution. My account is the only one that works for the moment. I entered the account as a RADIUS user, logged in, and then deleted the account again. After that, it worked.

I did not do this for my wife, so it does not work for her.

ruggerio commented 5 years ago

BTW, found these errors in the log:

```
15:59:14 2019 : Warning: [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
Fri Apr 12 15:59:14 2019 : Warning: [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
```

ruggerio commented 5 years ago

Other dumb question:

```
[roger/'<via Auth-Type = eap>']
```

Is the slash after the username correct?

mimugmail commented 5 years ago

I think so, yes. As I'm on vacation next week, it's hard for me to reproduce.

ruggerio commented 5 years ago

What I can confirm is that it works without LDAP. I created the users on the OPNsense; in that case FreeRADIUS works. It's the LDAP integration which is faulty.

happy vacation :)

mimugmail commented 5 years ago

Only thing I know is that WIFI EAP doesn't work with LDAP .. I'll try to test it.

ruggerio commented 5 years ago

That's exactly how I've been using it until 19.1.5. Since the update to 19.1.6 it's broken. All LDAP connections other than those using FreeRADIUS are working without problems (authentication, OpenVPN...).

mimugmail commented 5 years ago

Do you use LDAP as OpenVPN backend or Radius as OpenVPN backend which in turn is connected via LDAP?

ruggerio commented 5 years ago

ldap for both. freeradius for wifi only.

mimugmail commented 5 years ago

So the next test would be to select RADIUS as backend for OpenVPN.

mimugmail commented 5 years ago

How is progress on this?

ruggerio commented 5 years ago

Hi Michael,

I've searched the option in openvpn with gui, but did not find. OpenVPN uses just LDAP, which works straight.

mimugmail commented 5 years ago

see screenshot


ruggerio commented 5 years ago

Could you please post your localradius? Mine doesn't work. Just to make sure I have no error.


ruggerio commented 5 years ago

no need. Got it. But same effect.


ruggerio commented 5 years ago

BTW, connecting directly to LDAP when authenticating VPN works perfectly.

mimugmail commented 5 years ago

So, when Radius is connected to LDAP and it doesn't work with OpenVPN, but LDAP as a backend directly works, it's an error in LDAP config within FreeRadius plugin.

ruggerio commented 5 years ago

This might be; I'll check it out. What I do not understand is that it's been working until 19.1.5.

mimugmail commented 5 years ago

You may have an error in your search filter. The search filter wasn't respected before this update: https://github.com/opnsense/plugins/pull/1239/files

ruggerio commented 5 years ago

OK, I'm gonna check my filter in that case.

ruggerio commented 5 years ago

I have this filter inserted, but it does not work:

```
(&(|(objectclass=person))(|(uid=%uid)(|(cn=%uid))))
```

I use this filter in other places as well, and it works well there (Nextcloud).

fichtner commented 5 years ago

This looks weird.... how about this:

```
(&(objectclass=person)(|(uid=%uid)(cn=%uid)))
```

fichtner commented 5 years ago

(edited post again)

ruggerio commented 5 years ago

same.

mimugmail commented 5 years ago

Then set LDAPS to LDAP and do a packet capture with -X to see what happens in clear text.

ruggerio commented 5 years ago

```
Ready to process requests
(0) Received Access-Request Id 8 from 127.0.0.1:40217 to 127.0.0.1:1812 length 84
(0)   User-Name = "[Username]"
(0)   Service-Type = Login-User
(0)   Framed-Protocol = 15
(0)   NAS-Identifier = "5cc6a82bb5e14"
(0)   NAS-Port = 0
(0)   NAS-Port-Type = Ethernet
(0)   User-Password = "[Password]"
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "[Username]", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0)     [files] = noop
rlm_ldap (ldap): Reserved connection (0)
(0) ldap: Performing search in "dc=[domain],dc=net" with filter "(&(objectclass=person)(|(uid=%uid)(cn=%uid)))", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: Search returned no results
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldap://[server].[domain].net:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0)     [ldap] = notfound
(0)     if ((ok || updated) && User-Password) {
(0)     if ((ok || updated) && User-Password)  -> FALSE
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0)     [pap] = noop
(0)   } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> [Username]
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)     [eap] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [[Username]/[Password]] (from client Radius Clients Localhost port 0)
(0) Delaying response for 1.000000 seconds
Waking up in 0.2 seconds.
Waking up in 0.7 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 8 from 127.0.0.1:1812 to 127.0.0.1:40217 length 20
Waking up in 3.9 seconds.
```

mimugmail commented 5 years ago

I meant tcpdump with -X :)

ruggerio commented 5 years ago

;) I just saw now that FreeRADIUS does not get any user back from LDAP at all. So it might be that the query to my QNAP NAS is malformed.

```
(0) ldap: Search returned no results
```

paul-palmer commented 5 years ago

I am seeing a similar/same situation. When I look in my LDAP logs, it appears that FreeRadius is no longer performing the expansions for Stripped-User-Name and User-Name before submitting the query to LDAP. From my 389 logs:

```
[04/May/2019:21:58:17.031148563 +0000] conn=10384 op=2 SRCH base="cn=users,cn=accounts,dc=at1,dc=netcentrix,dc=net" scope=2 filter="(uid=%{%{Stripped-User-Name}:-%{User-Name}})" attrs="radiusauthtype radiussimultaneoususe radiuscalledstationid radiuscallingstationid lmpassword ntpassword sambaLMPassword sambaNTPassword dbcspwd userPassword acctflags radiusexpiration radiusnasipaddress radiusservicetype radiusframedprotocol radiusframedipaddress radiusframedipnetmask radiusframedroute radiusframedrouting radiusfilterid radiusframedmtu radiusframedcompression radiusloginiphost radiusloginservice radiuslogintcpport radiuscallbacknumber radiuscallbackid radiusframedipxnetwork radiusclass radiussessiontimeout radiusidletimeout radiusterminationaction radiusloginlatservice radiusloginlatnode radiusloginlatgroup radiusframedappletalklink radiusframedappletalknetwork radiusframedappletalkzone radiusportlimit radiusloginlatport radiusreplymessage radiustunneltype radiustunnelmediumtype radiustunnelprivategroupid radiuscontrolattribute radiusrequestattribute radiusreplyattribute"
```

I verified that the problem is constrained to the "User Filter" handling by changing just the User Filter part of my configuration to "(uid=paul)" and was able to auth successfully with that user's password.

paul-palmer commented 5 years ago

For those looking for a workaround, setting the User Filter to "(uid=%{User-Name})" is currently working in our environment.
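The symptom paul-palmer describes is the literal template `(uid=%{%{Stripped-User-Name}:-%{User-Name}})` reaching the directory instead of its expansion. The following is an added example, not code from the os-freeradius plugin or from FreeRADIUS: it expands FreeRADIUS-style `%{...}` references (including the `%{A:-B}` default form) the way the thread expects, escapes the substituted values per RFC 4515 (an assumption about what a safe expansion should do, not a description of rlm_ldap internals), and flags the unexpanded-template symptom in a logged filter.

```python
# Added example, not code from the os-freeradius plugin or FreeRADIUS: expands
# FreeRADIUS-style %{...} references in an LDAP user filter the way the thread
# expects, escaping values per RFC 4515 (an assumption about what a safe
# expansion should do), and flags the unexpanded-template symptom from the logs.

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value):
    """Escape a user-supplied value so it cannot change the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _read_group(s, i):
    """Return (text inside %{...}, index past the closing brace), nesting-aware."""
    depth, start = 1, i
    while i < len(s):
        if s.startswith("%{", i):
            depth, i = depth + 1, i + 2
            continue
        if s[i] == "}":
            depth -= 1
            if depth == 0:
                return s[start:i], i + 1
        i += 1
    raise ValueError("unterminated %{ in filter template")


def _eval(body, attrs):
    # %{A:-B}: A if it expands to something non-empty, else B.
    # Splits at the first ':-', which is enough for the filter in this thread.
    if ":-" in body:
        primary, default = body.split(":-", 1)
        return expand(primary, attrs) or expand(default, attrs)
    return ldap_escape(attrs.get(body, ""))  # plain attribute reference


def expand(template, attrs):
    """Expand every %{...} in template using the request attributes in attrs."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            body, i = _read_group(template, i + 2)
            out.append(_eval(body, attrs))
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def looks_unexpanded(logged_filter):
    """True when a filter seen in the directory log still carries a %{ reference."""
    return "%{" in logged_filter
```

Run `looks_unexpanded` over the `filter="..."` field of your directory's access log to confirm whether the template itself, rather than a user name, is what the directory receives.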

aponert commented 5 years ago

This issue may also be gone with 19.1.8. There's a fix regarding the string interpolation inside the user and group filter.

mimugmail commented 5 years ago

Feedback would be very much appreciated :)

ruggerio commented 5 years ago

Sorry Mimugmail :)

```
opnsense-patch -c plugins 12f89de
Fetched 12f89de via https://github.com/opnsense/plugins
1 out of 2 hunks failed while patching opnsense/service/templates/OPNsense/Freeradius/mods-enabled-ldap
```

perhaps i did something wrong?

ruggerio commented 5 years ago

@fichtner thx for help for patching.

i can confirm, freeradius again is working using ldap, in conjunction with eap.

Thx!

fichtner commented 5 years ago

Ok, no problem. :) We have the patch queued up for 19.1.8 already which should come out next week.

cmacias00 commented 4 years ago

> @fichtner thx for help for patching.
>
> i can confirm, freeradius again is working using ldap, in conjunction with eap.
>
> Thx!

Hi! I can't connect any wireless device with FreeRADIUS + OpenLDAP. I use OpenVPN with OpenLDAP (LDAPS) and it works properly. Could you tell me your settings on the LDAP (User filter and Group filter) and EAP (EAP type) tabs?

I also tried with plain-text password but it doesn't work in LDAP either.

I have the latest version of OPNsense (20.1.8).

Any help would be greatly appreciated.

Many thanks.