Hello,
I have two freeradius v2.1.3-1 servers set up to run with redundant load
balancing with two Windows Active Directory LDAP servers for authentication.
When the LDAP servers are running the radius will load-balance between them and
authenticate fine. If I shut the primary LDAP server down radius doesn't
authenticate properly against the second LDAP server. I have tested the
secondary LDAP as the primary in the radius configuration and it works
fine. If I change the radius config to have a bogus primary name it will then
authenticate with the secondary fine. But when it has the correct name and the
primary is down the authentication fails. I believe it may have something to
do with ntlm_auth but I don't understand why as in the other test instances
with the bogus name it works. Below is the LDAP portion of my server along
with a part of the debug of what happens when I shut down the primary LDAP
server. If anyone has any suggestions it would be much appreciated.
Thank you,
Justin
Radius.conf
*************************************************************************************************
ldap ds-01 {
server = "ldap1.domain.org"
port = 3268
identity = " [email protected] "
password = "****"
basedn = "dc=domain,dc=org"
filter = "(sAMAccountname=%{mschap:User-Name:-%{User-Name}})"
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
tls {
start_tls = no
}
dictionary_mapping = ${confdir}/ldap.attrmap
edir_account_policy_check = no
groupname_attribute = cn
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
groupmembership_attribute = memberOf
}
ldap ds-02 {
server = "ldap2.domain.org"
port = 3268
identity = "****"
password = "****"
basedn = "dc=domain,dc=org"
filter = "(sAMAccountname=%{mschap:User-Name:-%{User-Name}})"
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
tls {
start_tls = no
}
dictionary_mapping = ${confdir}/ldap.attrmap
edir_account_policy_check = no
groupname_attribute = cn
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
groupmembership_attribute = memberOf
}
instantiate {
exec
expr
expiration
logintime
redundant-load-balance redundant_ldap {
ds-01
ds-02
}
}
****************************************************************************************************
Debug file portion that points to ntlm_auth (as you can see the redundancy
works except the ms-chap portion)
****************************************************************************************************
++- entering redundant-load-balance group redundant_ldap {...}
[ds-01] performing user authorization for DoeJ
[ds-01] expand: (sAMAccountname=%{mschap:User-Name:-%{User-Name}}) -> (sAMAccountname=DoeJ)
[ds-01] expand: dc=domain,dc=org -> dc=domain,dc=org
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap1.domain.org:3268, authentication 0
rlm_ldap: bind as [email protected]/**** to ldap1.domain.org:3268
rlm_ldap: [email protected] bind to ldap1.domain.org:3268 failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
[ds-01] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ds-01] returns fail
[ds-02] performing user authorization for DoeJ
[ds-02] expand: (sAMAccountname=%{mschap:User-Name:-%{User-Name}}) -> (sAMAccountname=DoeJ)
[ds-02] expand: dc=domain,dc=org -> dc=domain,dc=org
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=domain,dc=org, with filter (sAMAccountname=DoeJ)
[ds-02] looking for check items in directory...
[ds-02] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ds-02] user DoeJ authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ds-02] returns ok
++- redundant-load-balance group redundant_ldap returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for DoeJ with NT-Password
[mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[mschap] expand: --username=%{Stripped-User-Name:-%{mschap:User-Name}} -> --username=DoeJ
[mschap] mschap2: 4d
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=92aa0495d9c105f7
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=ab395391ee828796a6b2458cf767e8fa87eb8530457f7b67
Exec-Program output: No logon servers (0xc000005e)
Exec-Program-Wait: plaintext: No logon servers (0xc000005e)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect: [domain\\DoeJ] (from client switch-man-lan port 0 via TLS tunnel)
****************************************************************************************************
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
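As an added diagnostic aid, not part of Justin's post and not FreeRADIUS code: a small Python script that parses a `radiusd -X` trace like the one above and separates the outcome of the rlm_ldap redundant group from the outcome of the mschap step. The sample trace below is a constructed excerpt modelled on the post's debug output; the module names, return codes and line formats are the ones that appear there. The reason this split matters is that ntlm_auth is a separate Samba helper that finds a domain controller on its own and does not consult rlm_ldap's server list, so the LDAP group can return ok while the MS-CHAP step still fails with "No logon servers".

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt modelled on the debug output in the post (not a live capture).
SAMPLE_DEBUG = """\
++- entering redundant-load-balance group redundant_ldap {...}
[ds-01] performing user authorization for DoeJ
rlm_ldap: (re)connect to ldap1.domain.org:3268, authentication 0
rlm_ldap: bind to ldap1.domain.org:3268 failed: Can't contact LDAP server
+++[ds-01] returns fail
[ds-02] performing user authorization for DoeJ
+++[ds-02] returns ok
++- redundant-load-balance group redundant_ldap returns ok
++[pap] returns noop
Found Auth-Type = EAP
[mschap] Told to do MS-CHAPv2 for DoeJ with NT-Password
Exec-Program output: No logon servers (0xc000005e)
Exec-Program-Wait: plaintext: No logon servers (0xc000005e)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
++[eap] returns reject
Failed to authenticate the user.
"""

# Line shapes taken from the trace: per-module results, group results,
# and the external program (ntlm_auth in the post) output and exit code.
MODULE_RE = re.compile(r"^\++\[(?P<name>[^\]]+)\] returns (?P<rc>\w+)$")
GROUP_RE = re.compile(r"^\++- (?P<kind>[\w-]+) group (?P<name>\S+) returns (?P<rc>\w+)$")
EXEC_OUT_RE = re.compile(r"^Exec-Program output: (?P<out>.*)$")
EXEC_RC_RE = re.compile(r"^Exec-Program: returned: (?P<rc>\d+)$")


def parse_debug(text: str) -> Dict[str, object]:
    """Collect module/group return codes, helper output and the final verdict line."""
    modules: List[Tuple[str, str]] = []
    groups: List[Tuple[str, str]] = []
    exec_output: List[str] = []
    exec_rc: Optional[int] = None
    final: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = MODULE_RE.match(line)
        if m:
            modules.append((m["name"], m["rc"]))
            continue
        m = GROUP_RE.match(line)
        if m:
            groups.append((m["name"], m["rc"]))
            continue
        m = EXEC_OUT_RE.match(line)
        if m:
            exec_output.append(m["out"])
            continue
        m = EXEC_RC_RE.match(line)
        if m:
            exec_rc = int(m["rc"])
            continue
        if line.startswith("Failed to authenticate") or line.startswith("Login incorrect"):
            final = line
    return {"modules": modules, "groups": groups, "exec_output": exec_output,
            "exec_rc": exec_rc, "final": final}


def diagnose(summary: Dict[str, object]) -> Dict[str, object]:
    """Decide which stage failed: the LDAP group, an external helper, or a module reject."""
    groups: List[Tuple[str, str]] = summary["groups"]  # type: ignore[assignment]
    modules: List[Tuple[str, str]] = summary["modules"]  # type: ignore[assignment]
    exec_rc = summary["exec_rc"]
    rejects = [name for name, rc in modules if rc == "reject"]
    result: Dict[str, object] = {
        "ldap_group": groups[0] if groups else None,
        "failing_module": rejects[0] if rejects else None,
        "helper_rc": exec_rc,
        "helper_output": summary["exec_output"],
        "verdict": "ok",
    }
    if any(rc in ("fail", "reject") for _, rc in groups):
        # No server in the redundant group answered: an rlm_ldap / connectivity problem.
        result["verdict"] = "ldap"
    elif exec_rc is not None and exec_rc != 0:
        # The group succeeded but the program mschap executed failed:
        # the problem lies in that helper's own path to a domain controller.
        result["verdict"] = "external_helper"
    elif rejects:
        result["verdict"] = "module_reject"
    return result


if __name__ == "__main__":
    d = diagnose(parse_debug(SAMPLE_DEBUG))
    print(f"LDAP group: {d['ldap_group']}, failing module: {d['failing_module']}, "
          f"helper rc: {d['helper_rc']}, verdict: {d['verdict']}")
```

Run it against a saved `radiusd -X` trace instead of `SAMPLE_DEBUG` by reading the file into `parse_debug`. A verdict of `external_helper` with the group returning ok is the pattern in the post: failover inside rlm_ldap worked, and the remaining failure belongs to the helper program that mschap invokes.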