Hello Enrico,
what i would do is the following:
edit /usr/local/pf/raddb/mods-available/ldap and add that:
ldap ldap_user {
server = "MyLDAP"
identity = "CN=readuser,CN=Users,DC=acme,DC=com"
password = password
basedn = "DC=acme,DC=com"
filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
tls {
# Set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
#
# The StartTLS operation is supposed to be
# used with normal ldap connections instead of
# using ldaps (port 689) connections
start_tls = no
# cacertfile = /path/to/cacert.pem
# cacertdir = /path/to/ca/dir/
# certfile = /path/to/radius.crt
# keyfile = /path/to/radius.key
# randfile = /path/to/rnd
# Certificate Verification requirements. Can be:
# "never" (don't even bother trying)
# "allow" (try, but don't fail if the cerificate
# can't be verified)
# "demand" (fail if the certificate doesn't verify.)
#
# The default is "allow"
# require_cert = "demand"
}
dictionary_mapping = ${confdir}/ldap.attrmap
edir_account_policy_check = no
keepalive {
# LDAP_OPT_X_KEEPALIVE_IDLE
idle = 60
# LDAP_OPT_X_KEEPALIVE_PROBES
probes = 3
# LDAP_OPT_X_KEEPALIVE_INTERVAL
interval = 3
}
}
Then in /usr/local/pf/conf/radiusd/packetfence-tunnel here
(https://github.com/inverse-inc/packetfence/blob/devel/conf/radiusd/packetfence-tunnel.example#L117)
add:
ldap_user
and restart radiusd (pfcmd service radiusd restart)
So it will produce the following, freeradius will do a search for the
attribute "userPassword" based on the cn=becchett. If the userPassword
match one of the following format
https://freeradius.org/radiusd/man/rlm_pap.html then it will use it as a
"know good password" and will compare the password you gave (password)
with the one found in the ldap .
Let me know if it's ok, if no then paste the raddebug one more time.
Regards
Fabrice
Le 18-12-20 à 15 h 30, Enrico via PacketFence-users a écrit :
Dear Fabrice,
I looking at /usr/local/pf/raddb/sites-available/packetfence-tunnel
and/usr/local/pf/raddb/modules/ldap
I realized that this guide probably is related to an old Freeradius ,
may be version 2.
This is because in my PF 8.2.1 setup both are missing.
I've got:
/usr/local/pf/raddb/sites-enabled/packetfence-tunnel
and
/usr/local/pf/raddb/mods-available/ldap
Can I follow your guide anyway even if it is probably related to a
different freeradius ?
Thanks !
Enrico
Il 20/12/18 21:06, Enrico ha scritto:
Dear All,
so If I understand I need to change Wireless-NOEAP to Wireless-EAP and
create, or change, /usr/local/pf/raddb/modules/ldap following
this guide: 16.3 EAP Authentication.....
but tell more about because this file
/usr/local/pf/raddb/sites-available/packetfence-tunnel
shows nothing about pap.
Is it normal that in this file there are only ldap and eap authorize
module ?
Thanks a lot again !!!
Best Regards
Enrico
Il 20/12/18 19:39, Fabrice Durand via PacketFence-users ha scritto:
Hello Enrico,
you need to add manually the ldap server in the freeradius
configuration.
(https://packetfence.org/doc/PacketFence_Installation_Guide.html#_eap_authentication_against_openldap)
Regards
Fabrice
Le 18-12-20 à 10 h 15, Enrico Becchetti via PacketFence-users a écrit :
Hi all,
I again ask in this mailing list to finish the setup of my PacketFence
server. I'm running Centos 7.6 x86 with
packetfence-8.2.1-3.el7.noarch and , as you can read from
the subject of this email, I need to activate 802.1X authentication
using TTLS and PAP.
I've one production vlan and PF in Inline mode for this network , I
've also defined
"connection profile", "authentication sources","network device" and
so on.
You can see all of my settings here:
https://www.dropbox.com/s/rjc0j8mapt4ymzg/8021x.pdf?dl=0
PF must use my ldap server as backend. In fact all authentication
requests come from
AP and Switch must be forwarded to the ldap server. All supplicants
are configured with
TTLS and PAP security profile and I'ven't any Active Domain
controller.
In the following lines radius debug from packetfence:
(9) Thu Dec 20 15:09:35 2018: WARNING: You set Proxy-To-Realm =
local, but it is a LOCAL realm! Cancelling proxy request.
(9) Thu Dec 20 15:09:35 2018: ERROR: No Auth-Type found:
rejecting the user via Post-Auth-Type = Reject
log file is here:
https://www.dropbox.com/s/579hffpa4w6ff9z/radiusdebug.log?dl=0
Authentication Methods are set to:MD5,MSCHAPv2,PEAP,TLS,TTLS.
Someone has any ideas to fix it ?
Thank you in advance for your help.
Best Regards
Enrico
--
_______________________________________________________________________
Enrico Becchetti Servizio di Calcolo e Reti
Istituto Nazionale di Fisica Nucleare - Sezione di Perugia
Via Pascoli,c/o Dipartimento di Fisica 06123 Perugia (ITALY)
Phone:+39 075 5852777 Mail: Enrico.Becchetti<at>pg.infn.it
_______________________________________________________________________
--
_______________________________________________________________________
Enrico Becchetti Servizio di Calcolo e Reti
Istituto Nazionale di Fisica Nucleare - Sezione di Perugia
Via Pascoli,c/o Dipartimento di Fisica 06123 Perugia (ITALY)
Phone:+39 075 5852777 Mail: Enrico.Becchetti<at>pg.infn.it
_______________________________________________________________________
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
