====== FreeRADIUS ======
===== Alterar o hash padrão do FreeIPA =====
# echo "dn: cn=config
changetype: modify
replace: passwordStorageScheme
passwordStorageScheme: SSHA512" > passwordHashAlgorithm.ldif
# ldapsearch -h sp-spo-ipa.juntotelecom.com.br -p 389 -x -D "cn=Directory Manager" -W -b "cn=config" | grep passwordStorageScheme
Enter LDAP Password:
passwordStorageScheme: PBKDF2_SHA256
# ldapmodify -h localhost -p 389 -x -D "cn=Directory Manager" -W -f passwordHashAlgorithm.ldif
Enter LDAP Password:
modifying entry "cn=config"
# ldapsearch -h sp-spo-ipa.juntotelecom.com.br -p 389 -x -D "cn=Directory Manager" -W -b "cn=config" | grep passwordStorageScheme
Enter LDAP Password:
passwordStorageScheme: SSHA512
===== Adicionado o host =====
# ipa dnsrecord-add juntotelecom.com.br sp-spo-radius --a-rec 172.28.129.6
Record name: sp-spo-radius
A record: 172.28.129.6
# ipa dnsrecord-add juntotelecom.com.br sp-spo-radius --aaaa-rec 2804:694:4c00:4004::6
Record name: sp-spo-radius
A record: 172.28.129.6
AAAA record: 2804:694:4c00:4004::6
# ipa host-add sp-spo-radius.juntotelecom.com.br --desc="FreeRADIUS" --password="@btjt(())22"
----------------------------------------------
Added host "sp-spo-radius.juntotelecom.com.br"
----------------------------------------------
Host name: sp-spo-radius.juntotelecom.com.br
Description: FreeRADIUS
Password: True
Keytab: False
Managed by: sp-spo-radius.juntotelecom.com.br
===== Permissão do usuário radiusadm =====
# ipa permission-add 'userPassword service read' --attrs=userPassword --type=user --right=read
--------------------------------------------
Added permission "userPassword service read"
--------------------------------------------
Permission name: userPassword service read
Granted rights: read
Effective attributes: userPassword
Bind rule type: permission
Subtree: cn=users,cn=accounts,dc=juntotelecom,dc=com,dc=br
Type: user
Permission flags: SYSTEM, V2
# ipa privilege-add 'Radius services' --desc='Privileges needed to allow radiusd servers to operate'
---------------------------------
Added privilege "Radius services"
---------------------------------
Privilege name: Radius services
Description: Privileges needed to allow radiusd servers to operate
# ipa privilege-add-permission 'Radius services' --permissions='userPassword service read'
Privilege name: Radius services
Description: Privileges needed to allow radiusd servers to operate
Permissions: userPassword service read
-----------------------------
Number of permissions added 1
-----------------------------
# ipa role-add 'Radius server' --desc="Radius server role"
--------------------------
Added role "Radius server"
--------------------------
Role name: Radius server
Description: Radius server role
# ipa role-add-privilege --privileges="Radius services" 'Radius server'
Role name: Radius server
Description: Radius server role
Privileges: Radius services
----------------------------
Number of privileges added 1
----------------------------
# yes "@btjt(())22" | ipa user-add "radiusadm" --first=Radius --last=User --shell=/bin/bash --password
----------------------
Added user "radiusadm"
----------------------
User login: radiusadm
First name: Radius
Last name: User
Full name: Radius User
Display name: Radius User
Initials: RU
Home directory: /home/radiusadm
GECOS: Radius User
Login shell: /bin/bash
Principal name: radiusadm@JUNTOTELECOM.COM.BR
Principal alias: radiusadm@JUNTOTELECOM.COM.BR
User password expiration: 20220412204350Z
Email address: radiusadm@juntotelecom.com.br
UID: 187600003
GID: 187600003
Password: True
Member of groups: ipausers
Kerberos keys available: True
# ipa user-mod "radiusadm" --user-auth-type=password --user-auth-type=radius
-------------------------
Modified user "radiusadm"
-------------------------
User login: radiusadm
First name: Radius
Last name: User
Home directory: /home/radiusadm
Login shell: /bin/bash
Principal name: radiusadm@JUNTOTELECOM.COM.BR
Principal alias: radiusadm@JUNTOTELECOM.COM.BR
Email address: radiusadm@juntotelecom.com.br
UID: 187600003
GID: 187600003
User authentication types: password, radius
Account disabled: False
Password: True
Member of groups: ipausers
Kerberos keys available: True
# yes "@btjt(())22" | ipa user-mod "radiusadm" --password-expiration="2050-01-01Z" --password
-------------------------
Modified user "radiusadm"
-------------------------
User login: radiusadm
First name: Radius
Last name: User
Home directory: /home/radiusadm
Login shell: /bin/bash
Principal name: radiusadm@JUNTOTELECOM.COM.BR
Principal alias: radiusadm@JUNTOTELECOM.COM.BR
User password expiration: 20220412204516Z
Email address: radiusadm@juntotelecom.com.br
UID: 187600003
GID: 187600003
User authentication types: password, radius
Account disabled: False
Password: True
Member of groups: ipausers
Kerberos keys available: True
# ipa role-add-member 'Radius server' --users='radiusadm'
Role name: Radius server
Description: Radius server role
Member users: radiusadm
Privileges: Radius services
-------------------------
Number of members added 1
-------------------------
# ipa user-show radiusadm --all --raw
dn: uid=radiusadm,cn=users,cn=accounts,dc=juntotelecom,dc=com,dc=br
uid: radiusadm
givenname: Radius
sn: User
cn: Radius User
initials: RU
homedirectory: /home/radiusadm
gecos: Radius User
loginshell: /bin/bash
krbcanonicalname: radiusadm@JUNTOTELECOM.COM.BR
krbprincipalname: radiusadm@JUNTOTELECOM.COM.BR
mail: radiusadm@juntotelecom.com.br
uidnumber: 187600003
gidnumber: 187600003
ipauserauthtype: password
ipauserauthtype: radius
nsaccountlock: FALSE
has_password: TRUE
has_keytab: TRUE
displayName: Radius User
ipaNTSecurityIdentifier: S-1-5-21-2731924211-1883941829-2112701219-1003
ipaUniqueID: 42e05e52-baa1-11ec-a438-000c29ad9330
krbExtraData: AALc5FVicm9vdC9hZG1pbkBKVU5UT1RFTEVDT00uQ09NLkJSAA==
krbLastPwdChange: 20220412204516Z
krbPasswordExpiration: 20220412204516Z
memberof: cn=Radius server,cn=roles,cn=accounts,dc=juntotelecom,dc=com,dc=br
memberof: cn=ipausers,cn=groups,cn=accounts,dc=juntotelecom,dc=com,dc=br
memberofindirect: cn=userPassword service read,cn=permissions,cn=pbac,dc=juntotelecom,dc=com,dc=br
memberofindirect: cn=Radius services,cn=privileges,cn=pbac,dc=juntotelecom,dc=com,dc=br
mepManagedEntry: cn=radiusadm,cn=groups,cn=accounts,dc=juntotelecom,dc=com,dc=br
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipantuserattrs
objectClass: ipauserauthtypeclass
===== Instalação FreeRADIUS =====
# cat <
# hostnamectl set-hostname sp-spo-radius.juntotelecom.com.br
# echo "krb5-config krb5-config/kerberos_servers string
krb5-config krb5-config/add_servers_realm string JUNTOTELECOM.COM.BR
krb5-config krb5-config/default_realm string JUNTOTELECOM.COM.BR
krb5-config krb5-config/add_servers boolean false
krb5-config krb5-config/admin_server string
krb5-config krb5-config/read_conf boolean true
libpam-runtime libpam-runtime/override boolean false
libpam-runtime libpam-runtime/profiles multiselect pwquality, unix, sss, systemd, gnome-keyring, capability" | debconf-set-selections
# apt-get install freeradius freeradius-ldap freeradius-utils sudo patch
# echo "deb http://deb.debian.org/debian bullseye-backports main" > /etc/apt/sources.list.d/bullseye-backports.list
# apt-get update
# DEBIAN_FRONTEND=noninteractive apt-get install -t bullseye-backports freeipa-client
# yes yes | ipa-client-install --ntp-server=sp-spo-ipa.juntotelecom.com.br --domain=juntotelecom.com.br --enable-dns-updates --password="@btjt(())22" --realm=JUNTOTELECOM.COM.BR --server=sp-spo-ipa.juntotelecom.com.br
This program will set up IPA client.
Version 4.9.8
WARNING: conflicting time&date synchronization service 'ntp' will be disabled in favor of chronyd
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: Client hostname: sp-spo-radius.juntotelecom.com.br
Realm: JUNTOTELECOM.COM.BR
DNS Domain: juntotelecom.com.br
IPA Server: sp-spo-ipa.juntotelecom.com.br
BaseDN: dc=juntotelecom,dc=com,dc=br
NTP server: sp-spo-ipa.juntotelecom.com.br
Continue to configure the system with these values? [no]: Synchronizing time
Augeas failed to configure file /etc/chrony/chrony.conf
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
Do you want to download the CA cert from http://sp-spo-ipa.juntotelecom.com.br/ipa/config/ca.crt ?
(this is INSECURE) [no]: Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=JUNTOTELECOM.COM.BR
Issuer: CN=Certificate Authority,O=JUNTOTELECOM.COM.BR
Valid From: 2022-04-12 19:45:00
Valid Until: 2042-04-12 19:45:00
Enrolled in IPA realm JUNTOTELECOM.COM.BR
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm JUNTOTELECOM.COM.BR
Systemwide CA database updated.
Hostname (sp-spo-radius.juntotelecom.com.br) does not have A/AAAA record.
Failed to update DNS records.
Missing A/AAAA record(s) for host sp-spo-radius.juntotelecom.com.br: 172.28.129.6, 2804:694:4c00:4004::6.
Missing reverse record(s) for address(es): 172.28.129.6, 2804:694:4c00:4004::6.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Principal is not set when enrolling with OTP; using principal 'admin@juntotelecom.com.br' for 'getent passwd'
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config.d/04-ipa.conf
Configuring juntotelecom.com.br as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
# cp -p /etc/sssd/sssd.conf{,.dist}
# sed -i '/^\[domain\/.*]$/a enumerate = true' /etc/sssd/sssd.conf
# systemctl restart sssd
# cp -p /etc/freeradius/3.0/mods-available/ldap{,.dist}
# pushd /etc/freeradius/3.0/mods-enabled
# ln -s ../mods-available/ldap .
# sed -i -e "s#'localhost'#'sp-spo-ipa.juntotelecom.com.br'#g" -e "s#'dc=example,dc=org'#'cn=users,cn=accounts,dc=juntotelecom,dc=com,dc=br'#g" ldap
# sed -i "s/#[[:blank:]]*identity = .*/\tidentity = 'uid=radiusadm,cn=users,cn=accounts,dc=juntotelecom,dc=com,dc=br'/" ldap
# sed -i "s/#[[:blank:]]*password = .*/\tpassword = '@btjt(())22'/" ldap
# cp -p /etc/freeradius/3.0/sites-available/default{,.dist}
# pushd /etc/freeradius/3.0/sites-enabled
/etc/freeradius/3.0/sites-enabled ~
# sed -i 's/-ldap/ldap/' default
echo '526,528c526,528
< # Auth-Type LDAP {
< # ldap
< # }
---
> Auth-Type LDAP {
> ldap
> }' | patch default
# popd
~
root@sp-spo-radius:~#
# rm /etc/freeradius/3.0/sites-enabled/default.orig
# systemctl restart freeradius.service
===== Testando a autenticação =====
# ldapsearch -h sp-spo-ipa.juntotelecom.com.br -p 389 -v -b 'dc=juntotelecom,dc=com,dc=br' -D "uid=radiusadm,cn=users,cn=accounts,dc=juntotelecom,dc=com,dc=br" -W -LLL
# yes test | ipa user-add "radiustest" --first=Radius --last=Test --shell=/usr/bin/false --password
-----------------------
Added user "radiustest"
-----------------------
User login: radiustest
First name: Radius
Last name: Test
Full name: Radius Test
Display name: Radius Test
Initials: RT
Home directory: /home/radiustest
GECOS: Radius Test
Login shell: /usr/bin/false
Principal name: radiustest@JUNTOTELECOM.COM.BR
Principal alias: radiustest@JUNTOTELECOM.COM.BR
User password expiration: 20220412213118Z
Email address: radiustest@juntotelecom.com.br
UID: 187600004
GID: 187600004
Password: True
Member of groups: ipausers
Kerberos keys available: True
# ipa user-mod radiustest --password-expiration="2050-01-01Z" --user-auth-type=password --user-auth-type=radius
--------------------------
Modified user "radiustest"
--------------------------
User login: radiustest
First name: Radius
Last name: Test
Home directory: /home/radiustest
Login shell: /usr/bin/false
Principal name: radiustest@JUNTOTELECOM.COM.BR
Principal alias: radiustest@JUNTOTELECOM.COM.BR
User password expiration: 20500101000000Z
Email address: radiustest@juntotelecom.com.br
UID: 187600004
GID: 187600004
User authentication types: password, radius
Account disabled: False
Password: True
Member of groups: ipausers
Kerberos keys available: True
# systemctl stop freeradius.service
# sudo -u freerad freeradius -fxX
~$ radtest radiustest test 127.0.0.1 0 testing123
Sent Access-Request Id 30 from 0.0.0.0:59482 to 127.0.0.1:1812 length 80
User-Name = "radiustest"
User-Password = "test"
NAS-IP-Address = 172.28.129.6
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "test"
Received Access-Accept Id 30 from 127.0.0.1:1812 to 127.0.0.1:59482 length 20
Tue Apr 12 18:36:06 2022 : Debug: (0) Received Access-Request Id 30 from 127.0.0.1:59482 to 127.0.0.1:1812 length 80
Tue Apr 12 18:36:06 2022 : Debug: (0) User-Name = "radiustest"
Tue Apr 12 18:36:06 2022 : Debug: (0) User-Password = "test"
Tue Apr 12 18:36:06 2022 : Debug: (0) NAS-IP-Address = 172.28.129.6
Tue Apr 12 18:36:06 2022 : Debug: (0) NAS-Port = 0
Tue Apr 12 18:36:06 2022 : Debug: (0) Message-Authenticator = 0xb14fe3c0f0e4be30e99922378beefed4
Tue Apr 12 18:36:06 2022 : Debug: (0) session-state: No State attribute
Tue Apr 12 18:36:06 2022 : Debug: (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
Tue Apr 12 18:36:06 2022 : Debug: (0) authorize {
Tue Apr 12 18:36:06 2022 : Debug: (0) policy filter_username {
Tue Apr 12 18:36:06 2022 : Debug: (0) if (&User-Name) {
Tue Apr 12 18:36:06 2022 : Debug: (0) if (&User-Name) -> TRUE
Tue Apr 12 18:36:06 2022 : Debug: (0) if (&User-Name) {
Tue Apr 12 18:36:06 2022 : Debug: (0) if (&User-Name =~ / /) {
Tue Apr 12 18:36:06 2022 : Debug: (0) if (&User-Name =~ / /) -> FALSE
Tue Apr 12 18:36:06 2022 : Debug: (0) if (&User-Name =~ /@[^@]*@/ ) {
Tue Apr 12 18:36:06 2022 : Debug: (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
Tue Apr 12 18:36:06 2022 : Debug: (0) if (&User-Name =~ /\.\./ ) {
Tue Apr 12 18:36:06 2022 : Debug: (0) if (&User-Name =~ /\.\./ ) -> FALSE
Tue Apr 12 18:36:06 2022 : Debug: (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
Tue Apr 12 18:36:06 2022 : Debug: (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
Tue Apr 12 18:36:06 2022 : Debug: (0) if (&User-Name =~ /\.$/) {
Tue Apr 12 18:36:06 2022 : Debug: (0) if (&User-Name =~ /\.$/) -> FALSE
Tue Apr 12 18:36:06 2022 : Debug: (0) if (&User-Name =~ /@\./) {
Tue Apr 12 18:36:06 2022 : Debug: (0) if (&User-Name =~ /@\./) -> FALSE
Tue Apr 12 18:36:06 2022 : Debug: (0) } # if (&User-Name) = notfound
Tue Apr 12 18:36:06 2022 : Debug: (0) } # policy filter_username = notfound
Tue Apr 12 18:36:06 2022 : Debug: (0) modsingle[authorize]: calling preprocess (rlm_preprocess)
Tue Apr 12 18:36:06 2022 : Debug: (0) modsingle[authorize]: returned from preprocess (rlm_preprocess)
Tue Apr 12 18:36:06 2022 : Debug: (0) [preprocess] = ok
Tue Apr 12 18:36:06 2022 : Debug: (0) modsingle[authorize]: calling chap (rlm_chap)
Tue Apr 12 18:36:06 2022 : Debug: (0) modsingle[authorize]: returned from chap (rlm_chap)
Tue Apr 12 18:36:06 2022 : Debug: (0) [chap] = noop
Tue Apr 12 18:36:06 2022 : Debug: (0) modsingle[authorize]: calling mschap (rlm_mschap)
Tue Apr 12 18:36:06 2022 : Debug: (0) modsingle[authorize]: returned from mschap (rlm_mschap)
Tue Apr 12 18:36:06 2022 : Debug: (0) [mschap] = noop
Tue Apr 12 18:36:06 2022 : Debug: (0) modsingle[authorize]: calling digest (rlm_digest)
Tue Apr 12 18:36:06 2022 : Debug: (0) modsingle[authorize]: returned from digest (rlm_digest)
Tue Apr 12 18:36:06 2022 : Debug: (0) [digest] = noop
Tue Apr 12 18:36:06 2022 : Debug: (0) modsingle[authorize]: calling suffix (rlm_realm)
Tue Apr 12 18:36:06 2022 : Debug: (0) suffix: Checking for suffix after "@"
Tue Apr 12 18:36:06 2022 : Debug: (0) suffix: No '@' in User-Name = "radiustest", looking up realm NULL
Tue Apr 12 18:36:06 2022 : Debug: (0) suffix: No such realm "NULL"
Tue Apr 12 18:36:06 2022 : Debug: (0) modsingle[authorize]: returned from suffix (rlm_realm)
Tue Apr 12 18:36:06 2022 : Debug: (0) [suffix] = noop
Tue Apr 12 18:36:06 2022 : Debug: (0) modsingle[authorize]: calling eap (rlm_eap)
Tue Apr 12 18:36:06 2022 : Debug: (0) eap: No EAP-Message, not doing EAP
Tue Apr 12 18:36:06 2022 : Debug: (0) modsingle[authorize]: returned from eap (rlm_eap)
Tue Apr 12 18:36:06 2022 : Debug: (0) [eap] = noop
Tue Apr 12 18:36:06 2022 : Debug: (0) modsingle[authorize]: calling files (rlm_files)
Tue Apr 12 18:36:06 2022 : Debug: (0) modsingle[authorize]: returned from files (rlm_files)
Tue Apr 12 18:36:06 2022 : Debug: (0) [files] = noop
Tue Apr 12 18:36:06 2022 : Debug: (0) modsingle[authorize]: calling ldap (rlm_ldap)
Tue Apr 12 18:36:06 2022 : Info: rlm_ldap (ldap): Closing connection (0): Hit idle_timeout, was idle for 126 seconds
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap: Closing libldap handle 0x56106ba41f70
Tue Apr 12 18:36:06 2022 : Info: rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 126 seconds
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap: Closing libldap handle 0x56106ba38e60
Tue Apr 12 18:36:06 2022 : Info: rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 126 seconds
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): You probably need to lower "min"
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap: Closing libldap handle 0x56106ba50eb0
Tue Apr 12 18:36:06 2022 : Info: rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 126 seconds
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): You probably need to lower "min"
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap: Closing libldap handle 0x56106ba508b0
Tue Apr 12 18:36:06 2022 : Info: rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for 126 seconds
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): You probably need to lower "min"
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap: Closing libldap handle 0x56106ba5c010
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare"
Tue Apr 12 18:36:06 2022 : Info: rlm_ldap (ldap): Opening additional connection (5), 1 of 32 pending slots used
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): Connecting to ldap://sp-spo-ipa.juntotelecom.com.br:389
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): New libldap handle 0x56106ba5c010
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): Waiting for bind result...
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): Bind successful
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): Reserved connection (5)
Tue Apr 12 18:36:06 2022 : Debug: (uid=%{%{Stripped-User-Name}:-%{User-Name}})
Tue Apr 12 18:36:06 2022 : Debug: Parsed xlat tree:
Tue Apr 12 18:36:06 2022 : Debug: literal --> (uid=
Tue Apr 12 18:36:06 2022 : Debug: XLAT-IF {
Tue Apr 12 18:36:06 2022 : Debug: attribute --> Stripped-User-Name
Tue Apr 12 18:36:06 2022 : Debug: }
Tue Apr 12 18:36:06 2022 : Debug: XLAT-ELSE {
Tue Apr 12 18:36:06 2022 : Debug: attribute --> User-Name
Tue Apr 12 18:36:06 2022 : Debug: }
Tue Apr 12 18:36:06 2022 : Debug: literal --> )
Tue Apr 12 18:36:06 2022 : Debug: (0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
Tue Apr 12 18:36:06 2022 : Debug: (0) ldap: --> (uid=radiustest)
Tue Apr 12 18:36:06 2022 : Debug: (0) ldap: Performing search in "cn=users,cn=accounts,dc=juntotelecom,dc=com,dc=br" with filter "(uid=radiustest)", scope "sub"
Tue Apr 12 18:36:06 2022 : Debug: (0) ldap: Waiting for search result...
Tue Apr 12 18:36:06 2022 : Debug: (0) ldap: User object found at DN "uid=radiustest,cn=users,cn=accounts,dc=juntotelecom,dc=com,dc=br"
Tue Apr 12 18:36:06 2022 : Debug: (0) ldap: Processing user attributes
Tue Apr 12 18:36:06 2022 : Debug: (0) ldap: control:Password-With-Header += '{SSHA512}669DM1uaEIJS1SimK9lMk9wD1KC+kp47tQ1B0w5IZxzkqtH/Vp1aJUvVtJFSQpTDMObp+ZS0jsMqy/C9pCsPq/sXJhMk2Joq'
Tue Apr 12 18:36:06 2022 : Debug: (0) ldap: Attribute "radiusControlAttribute" not found in LDAP object
Tue Apr 12 18:36:06 2022 : Debug: (0) ldap: Attribute "radiusRequestAttribute" not found in LDAP object
Tue Apr 12 18:36:06 2022 : Debug: (0) ldap: Attribute "radiusReplyAttribute" not found in LDAP object
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): Released connection (5)
Tue Apr 12 18:36:06 2022 : Info: Need 2 more connections to reach min connections (3)
Tue Apr 12 18:36:06 2022 : Info: rlm_ldap (ldap): Opening additional connection (6), 1 of 31 pending slots used
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): Connecting to ldap://sp-spo-ipa.juntotelecom.com.br:389
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): New libldap handle 0x56106ba39000
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): Waiting for bind result...
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): Bind successful
Tue Apr 12 18:36:06 2022 : Debug: (0) modsingle[authorize]: returned from ldap (rlm_ldap)
Tue Apr 12 18:36:06 2022 : Debug: (0) [ldap] = updated
Tue Apr 12 18:36:06 2022 : Debug: (0) modsingle[authorize]: calling expiration (rlm_expiration)
Tue Apr 12 18:36:06 2022 : Debug: (0) modsingle[authorize]: returned from expiration (rlm_expiration)
Tue Apr 12 18:36:06 2022 : Debug: (0) [expiration] = noop
Tue Apr 12 18:36:06 2022 : Debug: (0) modsingle[authorize]: calling logintime (rlm_logintime)
Tue Apr 12 18:36:06 2022 : Debug: (0) modsingle[authorize]: returned from logintime (rlm_logintime)
Tue Apr 12 18:36:06 2022 : Debug: (0) [logintime] = noop
Tue Apr 12 18:36:06 2022 : Debug: (0) modsingle[authorize]: calling pap (rlm_pap)
Tue Apr 12 18:36:06 2022 : Debug: (0) pap: Converted: &control:Password-With-Header = '{SSHA512}669DM1uaEIJS1SimK9lMk9wD1KC+kp47tQ1B0w5IZxzkqtH/Vp1aJUvVtJFSQpTDMObp+ZS0jsMqy/C9pCsPq/sXJhMk2Joq' -> &control:SSHA2-512-Password = '0x363639444d31756145494a533153696d4b396c4d6b397744314b432b6b70343774513142307735495a787a6b7174482f567031614a557656744a4653517054444d4f62702b5a53306a734d71792f433970437350712f73584a684d6b324a6f71'
Tue Apr 12 18:36:06 2022 : Debug: (0) pap: Removing &control:Password-With-Header
Tue Apr 12 18:36:06 2022 : Debug: (0) pap: Normalizing SSHA2-512-Password from base64 encoding, 96 bytes -> 72 bytes
Tue Apr 12 18:36:06 2022 : Debug: (0) modsingle[authorize]: returned from pap (rlm_pap)
Tue Apr 12 18:36:06 2022 : Debug: (0) [pap] = updated
Tue Apr 12 18:36:06 2022 : Debug: (0) } # authorize = updated
Tue Apr 12 18:36:06 2022 : Debug: (0) Found Auth-Type = PAP
Tue Apr 12 18:36:06 2022 : Debug: (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
Tue Apr 12 18:36:06 2022 : Debug: (0) Auth-Type PAP {
Tue Apr 12 18:36:06 2022 : Debug: (0) modsingle[authenticate]: calling pap (rlm_pap)
Tue Apr 12 18:36:06 2022 : Debug: (0) pap: Login attempt with password "test" (4)
Tue Apr 12 18:36:06 2022 : Debug: (0) pap: Comparing with "known-good" SSHA2-512-Password
Tue Apr 12 18:36:06 2022 : Debug: (0) pap: User authenticated successfully
Tue Apr 12 18:36:06 2022 : Debug: (0) modsingle[authenticate]: returned from pap (rlm_pap)
Tue Apr 12 18:36:06 2022 : Debug: (0) [pap] = ok
Tue Apr 12 18:36:06 2022 : Debug: (0) } # Auth-Type PAP = ok
Tue Apr 12 18:36:06 2022 : Debug: (0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
Tue Apr 12 18:36:06 2022 : Debug: (0) post-auth {
Tue Apr 12 18:36:06 2022 : Debug: (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
Tue Apr 12 18:36:06 2022 : Debug: (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE
Tue Apr 12 18:36:06 2022 : Debug: (0) update {
Tue Apr 12 18:36:06 2022 : Debug: (0) No attributes updated for RHS &session-state:
Tue Apr 12 18:36:06 2022 : Debug: (0) } # update = noop
Tue Apr 12 18:36:06 2022 : Debug: (0) modsingle[post-auth]: calling exec (rlm_exec)
Tue Apr 12 18:36:06 2022 : Debug: (0) modsingle[post-auth]: returned from exec (rlm_exec)
Tue Apr 12 18:36:06 2022 : Debug: (0) [exec] = noop
Tue Apr 12 18:36:06 2022 : Debug: (0) policy remove_reply_message_if_eap {
Tue Apr 12 18:36:06 2022 : Debug: (0) if (&reply:EAP-Message && &reply:Reply-Message) {
Tue Apr 12 18:36:06 2022 : Debug: (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
Tue Apr 12 18:36:06 2022 : Debug: (0) else {
Tue Apr 12 18:36:06 2022 : Debug: (0) modsingle[post-auth]: calling noop (rlm_always)
Tue Apr 12 18:36:06 2022 : Debug: (0) modsingle[post-auth]: returned from noop (rlm_always)
Tue Apr 12 18:36:06 2022 : Debug: (0) [noop] = noop
Tue Apr 12 18:36:06 2022 : Debug: (0) } # else = noop
Tue Apr 12 18:36:06 2022 : Debug: (0) } # policy remove_reply_message_if_eap = noop
Tue Apr 12 18:36:06 2022 : Debug: (0) } # post-auth = noop
Tue Apr 12 18:36:06 2022 : Debug: (0) Sent Access-Accept Id 30 from 127.0.0.1:1812 to 127.0.0.1:59482 length 0
Tue Apr 12 18:36:06 2022 : Debug: (0) Finished request
Tue Apr 12 18:36:06 2022 : Debug: Waking up in 4.9 seconds.
Tue Apr 12 18:36:11 2022 : Debug: (0) Cleaning up request packet ID 30 with timestamp +126
Tue Apr 12 18:36:11 2022 : Info: Ready to process requests
===== Configuração do arquivo clients =====
# cp -p /etc/freeradius/3.0/clients.conf{,.dist}
# cat /etc/freeradius/3.0/clients.conf
client localhost {
ipaddr = 127.0.0.1
proto = *
secret = testing123
require_message_authenticator = no
# Permitted NAS types are:
#
# cisco
# computone
# livingston
# juniper
# max40xx
# multitech
# netserver
# pathras
# patton
# portslave
# tc
# usrhiper
# other # for all other types
#
nas_type = other # localhost isn't usually a NAS...
#
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
# IPv6 Client
client localhost_ipv6 {
ipv6addr = ::1
secret = testing123
}
# JuntoTelecom
client bloco_ipv6 {
ipv6addr = 2804:694::/32
secret = R4d10S
}
client private-network-1 {
ipaddr = 10.0.0.0/8
secret = Yosh1@nintend0
}
client private-network-2 {
ipaddr = 172.16.0.0/12
secret = R4d10S
}
client private-network-3 {
ipaddr = 192.168.0.0/16
secret = R4d10S
}
client bloco_public {
ipaddr = 177.75.176.0/20
secret = Yosh1@nintend0
}
client rondonopolis_internet {
ipaddr = 179.220.65.181/32
secret = Yosh1@nintend0
}
===== Configuração arquivo users =====
# cp -p /etc/freeradius/3.0/mods-config/files/authorize{,.dist}
# cat /etc/freeradius/3.0/users
# examples.
#
#bob Cleartext-Password := "hello"
# Reply-Message := "Hello, %{User-Name}"
#
# Inicío JuntoTelecom - FreeIPA
# Exemplo de uso sem autenticação
#awx_user Cleartext-Password := "$4l03_V3r@"
# Service-Type = NAS-Prompt-User,
# Juniper-Local-User-Name := "remote",
# Huawei-Exec-Privilege = "15",
# Cisco-AVPair = "shell:priv-lvl=15"
# Grupo com permissão de excrita
DEFAULT Ldap-Group == "cn=radiusgpadm,cn=groups,cn=accounts,dc=juntotelecom,dc=com,dc=br"
Service-Type = NAS-Prompt-User,
Juniper-Local-User-Name := "remote",
Huawei-Exec-Privilege = "15",
Cisco-AVPair = "shell:priv-lvl=15"
# Grupo com permissão de leitura
DEFAULT Ldap-Group == "cn=radiusgpmgm,cn=groups,cn=accounts,dc=juntotelecom,dc=com,dc=br"
Service-Type = NAS-Prompt-User,
Juniper-Local-User-Name := "remote",
Huawei-Exec-Privilege = "15",
Cisco-AVPair = "shell:priv-lvl=3"
DEFAULT Auth-Type := Reject
# Fim JuntoTelecom - FreeIPA
#
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP
#
# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
#
DEFAULT Hint == "CSLIP"
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
#
# Default for SLIP: dynamic IP address, SLIP mode.
#
DEFAULT Hint == "SLIP"
Framed-Protocol = SLIP
#
# systemctl restart freeradius
===== Referência =====
* https://goos-habermann.de/re/22/FreeIPA-Client_auf_Debian11/#1
* https://goos-habermann.de/re/21/FreeIPA+FreeRADIUS/#1
* https://goos-habermann.de/re2021-FreeIPA/index.html#1
* https://fy.blackhats.net.au/blog/html/2016/01/13/FreeRADIUS:_Using_mschapv2_with_freeipa.html
* https://fy.blackhats.net.au/blog/html/2015/07/06/FreeIPA:_Giving_permissions_to_service_accounts..html
* https://ilcofon.net/index.php/2018/01/05/wifi-authenticate-with-radius-and-freeipa/