Synology Radius with AzureAD LDAP wrapper
ullerdk opened this issue · 22 comments
Trying to use Synology Radius along with Azure AD wrapper for 802.1x WiFi auth against Azure AD accounts.
But it is not working.
I see all Azure AD user accounts under LDAP users.
I see this in the Synology Radius log:
2023-06-20 10:22:24 | Auth | (23) Login incorrect (ldap: Failed performing search: Can't contact LDAP server): [username] (from client Unifi2 port 0 cli EE-E0-96-F3-61-2F)
2023-06-20 10:22:24 | Auth | (23) Invalid user (ldap: Failed performing search: Can't contact LDAP server): [username] (from client Unifi2 port 0 cli EE-E0-96-F3-61-2F)
2023-06-20 10:22:24 | Error | rlm_ldap (ldap): Failed to reconnect (0), no free connections are available
2023-06-20 10:22:24 | Error | rlm_ldap (ldap): Bind credentials incorrect: Invalid credentials
Synology Radius works with Synology local accounts.
LDAP account source is enabled in Synology Radius configuration.
Do you see anything in the wrapper log? If not, could you set LDAP_DEBUG to true and try again?
Thank you. I have no idea how the radius actually works, I've never used it yet...
I will try it out in July.
I have the Synology Radius working with the LDAP wrapper under DSM 7.2 without any issues. From the log you've posted perhaps you've not got the LDAP user binding correct (that's the LDAP_BINDUSER variable that you have made up). Are you able to log into the DSM portal using your Azure AD credentials?
You can post your azure-ldap configuration, I've configured radius in a Synology NAS and had no problems.
Are you using the latest version of the wrapper? Are Synology Radius and the AzureAD LDAP-wrapper on the same NAS?
Is the address of your LDAP server under Domain/LDAP "127.0.0.1" or the real IP of your NAS?
I don't have Unifi for testing, so I used radtest in my WSL (Windows Subsystem for Linux). Here's how I proceeded:
- Install Radius Server on my NAS
- enable LDAP Users as source for user authentication
- check Security > Certificate to make sure the Radius server is listed for a valid certificate
- enable both firewall rules in Security > Firewall for Radius Server (1812 and 18120)
- enable firewall rule in Security > Firewall for port 389 (ldap server) for the real IP of my NAS/Radius Server
- added my Win10 machine/IP as a client with a secret
- run radtest -t pap -x username@domain.tld userpassword mynas.intranet.domain.tld 1812 sharedsecret
  Got: Received Access-Accept Id 81 from **:1812 to **:59492 length 20
- run radtest -t mschap -x username@domain.tld userpassword mynas.intranet.domain.tld 1812 sharedsecret
  Got: Received Access-Accept Id 251 from **:1812 to *:42829 length 84 MS-CHAP-MPPE-Keys = *** MS-MPPE-Encryption-Policy = Encryption-Allowed MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
- Using -t eap-md5 or -t chap fails for me
I too have run into this same issue.
LDAP Wrapper working.
SAMBA working.
LDAP users and SG's listed correctly.
RADIUS working with local users, LDAP users incurring the same issue.
DSM 6.2.4-25556
Is it possibly a DSM versioning issue?
Testing with radtest locally on the NAS:
Local admin account:
ash-4.3# /volume1/@appstore/RadiusServer/bin/radtest -x -t mschap admin "local admin pw" localhost 0 "secret key"
User-Name = "admin"
MS-CHAP-Password = "local admin pw"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "local admin pw"
MS-CHAP-Challenge = [redacted]
MS-CHAP-Response = [redacted]
Received Access-Accept Id 106 from 127.0.0.1:1812 to 0.0.0.0:0 length 84
MS-CHAP-MPPE-Keys = [redacted]
MS-MPPE-Encryption-Policy = Encryption-Allowed
MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
ash-4.3#
LDAP Wrapper User (does work via DSM web and SMB):
ash-4.3# /volume1/@appstore/RadiusServer/bin/radtest -x -t pap "user@tld" "user pw" localhost 0 "secret key"
User-Name = "user@tld"
User-Password = "user pw"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "user pw"
Received Access-Reject Id 112 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject
ash-4.3#
Neither pap nor chap change anything with radtest.
Yes, I can log in to the Synology with Azure AD credentials. So I guess then, the LDAP user binding is done correctly.
Did you ever get it working?
Got the same issue, can authenticate into the Synology without issues but Radius throws 2 errors:
This looks like the same error @wholegamer got?
Any idea on how to resolve this, as I would love to use AzureAD login with my APs?
@ahaenggli Is there a fix for this? Or are we doing something wrong?
I also got a UniFi AP and successfully tested it today. It's pretty nice to be able to use the Wi-Fi with the same credentials :) The steps are added in the docs.
@IHMS-IT Regarding the NT-Password issue, it seems that if a user hasn't logged into DSM before, Radius doesn't perform an actual bind/login on the LDAP server. Instead, it queries the entries searching for the user and password. Without a successful login before, the LDAP-wrapper doesn't have a hashed password for the user, causing the Radius request to fail.
it seems that if a user hasn't logged into DSM before, Radius doesn't perform an actual bind/login on the LDAP server.
@ahaenggli that makes sense actually and I can confirm it solved the issue when I first log in to DSM with Azure SSO and then connect to my Unifi AP. However, I am planning to use it offsite where users have no need to log in to the DSM and just need to use Radius. I guess there is no workaround for it (meaning, no initial login into DSM before the hashed password is stored).
Adding a normal (non-azureSSO) user and password manually to the Syno LDAP (not using LDAP wrapper) doesn't show the issue; without logging into DSM, Radius works for that user.
LDAP Wrapper definitely is very interesting and I am sure I'll find some use for it (even if I need to ask every user to log in to a remote DSM first, too bad those are > 150 at the moment ;)
Thanks for developing this!
I'm glad to hear that! :)
Unfortunately, there is no real workaround for the initial login in advance. Microsoft/Azure does not offer a way to query the user's password (or its hash). Therefore, a login via LDAP wrapper is required so that the hashed password can be saved.
If you use the Syno LDAP, the password hash is stored directly there when your users are created. So there is no need to wait for a login to fetch its hash first.
A prior login does not necessarily have to be via DSM - another tool that authenticates the users directly would also work (e.g. Authelia, Portainer, some filetransfer-tools or project-management-tools with ldap support, etc.).
@ahaenggli Could you elaborate on what the requirements would be of another tool to make sure the password is hashed?
I'm thinking of writing a small menubar app that asks the user for credentials and then authenticates first with LDAP (to hash the password), and then afterwards open the selected SMB path using open smb://username:password
@noque-lind just a simple ldap bind request is all that's needed. For example in bash:
#!/bin/bash
ldapHost="192.168.1.2"
ldapPort=389
username="uid=username@domain.tld"
password="the_password"
# -x -D -w performs a simple bind with the given credentials before the search;
# the exit status of ldapsearch tells us whether that bind was accepted
if ldapsearch -x -H "ldap://$ldapHost:$ldapPort" -D "$username" -w "$password" >/dev/null 2>&1; then
  echo "LDAP bind successful"
else
  echo "LDAP bind failed"
fi
or PHP:
<?php
$ldapHost = '192.168.1.2';
$ldapPort = 389;
$username = 'uid=username@domain.tld';
$password = 'the_password';
$ldapConnection = ldap_connect("ldap://$ldapHost:$ldapPort");
if ($ldapConnection) {
    ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);
    // ldap_bind() returns false (and emits a warning) when the server rejects the credentials;
    // the @ keeps that warning out of the output, ldap_error() still gives the reason
    if (@ldap_bind($ldapConnection, $username, $password)) {
        echo "LDAP bind successful\n";
    } else {
        echo "LDAP bind failed: " . ldap_error($ldapConnection) . "\n";
    }
    ldap_unbind($ldapConnection);
} else {
    echo "Unable to connect to LDAP server\n";
}
?>
Hi @ahaenggli, we are still having issues with the "mschap: FAILED: No NT-Password" error when trying to authenticate into the Synology network using RADIUS. We have verified that the account we are testing with has signed into the DSM. Are there any other reasons it could be failing? We have verified that the RADIUS setup works with a local account, it is just the LDAP ones.
@danielboyer do you also use Samba? Does that work?
If not, how did you connect your Synology to the ldap wrapper? Did you use the credentials of your superuser (environment variable LDAP_BINDUSER)?
@ahaenggli, Ahhhh, it looks like our LDAP_BINDUSER is not configured correctly. So if I understand correctly, this is where we would insert root or Synology admin credentials?
Briefly summarized: LDAP_BINDUSER are the ldap-wrapper internal admin-users. Synology needs an admin-user to connect (bind), so that it has access to all password hashes of the "real" EntraId accounts.
Detailed version:
Synology only connects to the LDAP wrapper as a client. From Synology's point of view, the LDAP wrapper is a complete LDAP server and has sovereignty over the user management.
The LDAP wrapper has all your Entra users in it. Depending on the settings, the passwords are saved as a hash for successful logins. However, Alice should not be able to see Bob's password hash. Bob should not be able to query Alice's password hash, and so on. This is programmed in the wrapper for security reasons, so that nobody can "accidentally" access other people's passwords (hashes).
The user logs on to Samba/Radius. The user does not interact directly with the LDAP wrapper. Samba/Radius loads the user and password hash from the LDAP wrapper and compares the values with the user input. In the case of Synology, Samba and Radius adopt the settings from the Synology<>LDAP-wrapper connection.
For Samba/Radius to be able to do this, they need a user who is allowed to see ALL password hashes.
LDAP_BINDUSER is used to define a superuser who can do everything within the LDAP wrapper. Classic example: root.
If you now connect your Synology to the LDAP wrapper with this ldap-wrapper server internal superuser, Synology (and therefore all packages such as Samba or Radius) can see all password hashes. A login with Samba/Radius becomes possible.
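As an added example (not code from this thread or from the AzureAD-LDAP-wrapper project), the following Python script models the two explanations given above: the wrapper can only store a password hash at the moment a user performs a successful cleartext bind, because Entra ID never hands out a hash; Radius' MS-CHAP check needs that NT hash (MD4 over the UTF-16LE password, hence the "No NT-Password" error for a user who never logged in); and only the superuser configured through LDAP_BINDUSER may read other users' hashes, which is why Samba/Radius must bind as that account. The class and function names (`HashStore`, `bind`, `read_nt_hash`, `mschap_check`), the sample accounts and the result strings are assumptions for illustration, the cloud side is a constructed dictionary, and the MS-CHAP challenge/response is simplified to a direct hash comparison.

```python
import struct
from typing import Dict, Optional

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable with OpenSSL 3."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = [  # (function, additive constant, shift table, message-word order)
        (f, 0x00000000, [3, 7, 11, 19], lambda i: i),
        (g, 0x5A827999, [3, 5, 9, 13], lambda i: (i % 4) * 4 + i // 4),
        (h, 0x6ED9EBA1, [3, 9, 11, 15], lambda i: int(f"{i:04b}"[::-1], 2)),
    ]
    for off in range(0, len(msg), 64):
        x = list(struct.unpack("<16I", msg[off:off + 64]))
        r = state[:]
        for func, const, shifts, order in rounds:
            for i in range(16):
                a = (-i) % 4                              # register rotation A,D,C,B,...
                b, c, d = (a + 1) % 4, (a + 2) % 4, (a + 3) % 4
                r[a] = _rotl((r[a] + func(r[b], r[c], r[d]) + x[order(i)] + const) & MASK,
                             shifts[i % 4])
        state = [(s + t) & MASK for s, t in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash as used by MS-CHAP(v2): MD4 over the UTF-16LE encoded password."""
    return md4(password.encode("utf-16le"))


# Constructed stand-in for Entra ID: a cleartext password can be verified against
# the cloud, but no hash can ever be downloaded from it (hypothetical accounts).
ENTRA_ACCOUNTS = {"alice@example.test": "Correct-Horse-1",
                  "bob@example.test": "Battery-Staple-2"}


class HashStore:
    """Models the wrapper's per-user hash cache and who may read it (assumed names)."""

    def __init__(self, superuser: str, superuser_password: str):
        self.superuser = superuser                 # the account LDAP_BINDUSER defines
        self.superuser_password = superuser_password
        self.hashes: Dict[str, bytes] = {}

    def bind(self, user: str, password: str) -> bool:
        """Simple bind; a successful cleartext bind is the only moment a hash can be saved."""
        if user == self.superuser:
            return password == self.superuser_password
        if ENTRA_ACCOUNTS.get(user) != password:
            return False
        self.hashes[user] = nt_hash(password)
        return True

    def read_nt_hash(self, bound_as: str, target: str) -> Optional[bytes]:
        """A user may read only their own hash; the superuser may read everyone's."""
        if bound_as != self.superuser and bound_as != target:
            raise PermissionError(f"{bound_as} may not read the hash of {target}")
        return self.hashes.get(target)


def mschap_check(store: HashStore, bind_as: str, bind_pw: str,
                 user: str, password: str) -> str:
    """What Radius does: bind with its configured account, fetch the user's hash, compare."""
    if not store.bind(bind_as, bind_pw):
        return "Bind credentials incorrect"
    try:
        stored = store.read_nt_hash(bind_as, user)
    except PermissionError:
        return "Failed performing search"          # bound as a non-superuser account
    if stored is None:
        return "mschap: FAILED: No NT-Password"    # user never logged in through the wrapper
    return "Access-Accept" if stored == nt_hash(password) else "Access-Reject"


if __name__ == "__main__":
    store = HashStore("root", "superpw")           # constructed superuser credentials
    print(mschap_check(store, "root", "superpw", "alice@example.test", "Correct-Horse-1"))
    store.bind("alice@example.test", "Correct-Horse-1")   # alice logs into DSM once
    print(mschap_check(store, "root", "superpw", "alice@example.test", "Correct-Horse-1"))
    print(mschap_check(store, "bob@example.test", "Battery-Staple-2",
                       "alice@example.test", "Correct-Horse-1"))
```

Running the script prints the "No NT-Password" result first, then Access-Accept after alice's one-time bind, and a search failure when Radius binds as an ordinary user instead of the superuser; the NT hash of "password" computed by `nt_hash` matches the well-known value 8846f7eaee8fb117ad06bdd830b7586c, which shows the MD4 step is the real one and not a stand-in.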