Issue with freeradius
arctus opened this issue · 12 comments
I am trying to configure this to work with the freeradius-ldap docker container and I can't seem to make it work; I receive these kinds of errors:
WARNING: ldap : No "known good" password added. Ensure the admin user has permission to read the password attribute
WARNING: ldap : PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
as well as:
WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
WARNING: pap : Authentication will fail unless a "known good" password is available
or:
WARNING: mschap : No Cleartext-Password configured. Cannot create LM-Password
WARNING: mschap : No Cleartext-Password configured. Cannot create NT-Password
Anything I need to change to reconfigure?
Did you possibly use a user from Entra for freeradius-ldap in its config instead of a wrapper admin user (env var LDAP_BINDUSER)?
Checked that - I used a "root" binding user.
The Synology FreeRADIUS package works so far. It should be due to some configuration... Is there an attribute mapping somewhere? The only "special" thing about the wrapper is that no plain-text passwords are stored. FreeRADIUS should therefore use the hashed attribute sambaNTPassword. Maybe this attribute has to be configured somewhere?
Yes, indeed the RADIUS package in Synology works OK; the only bad thing they have is that instead of an "allowed group", you can set only a "blocked group".
So I tried the VPN from MikroTik to RADIUS running on Synology, connected to LDAP. I receive an error about "No NT Password". The question is: in order to use RADIUS (without PAP, as I understand), do I first need to allow users to log in to Synology?
Yep. Each user must first log in to a service that is directly connected to the LDAP-wrapper (DSM, web application, etc.).
Is there any way around it? My entry point is the VPN service and I really don't want to expose the Synology outside.
Nope. Without a previous login, the wrapper has no idea about what the user password is.
I guess that is the reason why FreeRADIUS did not work either.
How can I change the code so that we can verify the password online (a previous login is not convenient)? I am trying to understand the Docker build code; it's hard for me.
@yuhongwei380, the problem is not the wrapper. The wrapper verifies the password online.
The problem is FreeRADIUS. FreeRADIUS does not send the password to the wrapper for verification. FreeRADIUS fetches the password hash from the wrapper and performs the verification itself.
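The distinction the maintainer draws above (online verification by the wrapper versus FreeRADIUS fetching a stored hash and checking it locally) is the whole reason for the "No known good password" warnings. The following Python model is an added example, not code from this issue or from the wrapper project: it simulates a wrapper that only learns a user's NT hash after a successful online login, and a RADIUS-style check that reads the `sambaNTPassword` attribute and verifies the password itself. The upstream identity provider, the user `alice` and her password are constructed stand-ins; the NT hash itself is computed exactly (MD4 over the UTF-16LE password, implemented inline so the script does not depend on OpenSSL's legacy MD4 provider).

```python
"""Added example: why hash-fetching verification fails until a first online login."""
import hmac
import struct

M32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    x &= M32
    return ((x << n) | (x >> (32 - n))) & M32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, used here only to derive the Windows NT hash."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = _rotl(a + fn(b, c, d) + x[idx] + k, shifts[i % 4])
                a, b, c, d = d, a, b, c              # rotate registers (ABCD -> DABC ...)
        a, b, c, d = (a + aa) & M32, (b + bb) & M32, (c + cc) & M32, (d + dd) & M32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """Windows NT hash: unsalted MD4 over the UTF-16LE password, upper-case hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


# Constructed stand-in for the upstream identity provider (e.g. Entra ID).
UPSTREAM_USERS = {"alice": "correct horse battery staple"}


class LdapWrapper:
    """Stores no clear-text password; caches the NT hash only after an online login."""

    def __init__(self) -> None:
        self.entries = {"alice": {"uid": "alice"}}   # no sambaNTPassword yet

    def bind(self, uid: str, password: str) -> bool:
        """Path 1: the client sends the password; the wrapper checks it upstream."""
        ok = UPSTREAM_USERS.get(uid) == password
        if ok:
            self.entries[uid]["sambaNTPassword"] = nt_hash(password)
        return ok

    def search(self, uid: str) -> dict:
        """The entry rlm_ldap would read (a copy, so callers cannot mutate the store)."""
        return dict(self.entries.get(uid, {}))


def radius_verify(wrapper: LdapWrapper, uid: str, password: str) -> tuple:
    """Path 2: FreeRADIUS style. Fetch the hash attribute and compare locally."""
    stored = wrapper.search(uid).get("sambaNTPassword")
    if stored is None:
        return ("reject", 'No "known good" password found for the user')
    if hmac.compare_digest(stored, nt_hash(password)):
        return ("accept", "NT-Password matched")
    return ("reject", "NT-Password mismatch")


def demo() -> tuple:
    """Outcome of the hash-based check before and after the first online login."""
    w = LdapWrapper()
    pw = UPSTREAM_USERS["alice"]
    before = radius_verify(w, "alice", pw)[0]       # reject: wrapper has no hash yet
    w.bind("alice", pw)                              # first login through a bind-based service
    after = radius_verify(w, "alice", pw)[0]        # accept: hash is now available
    wrong = radius_verify(w, "alice", "guess")[0]   # reject: wrong password
    return (before, after, wrong)


if __name__ == "__main__":
    print(nt_hash("password"))
    print(demo())
```

Running it shows the same correct password rejected before the bind and accepted after it, which is the behaviour described in the thread: the hash-based path cannot succeed for a user who has never authenticated through a service that sends the password to the wrapper.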
OK, thanks for the reply.