EAP-TTLS w/MS-CHAPv2
Bram Matthys (Syzop)
syzop at vulnscan.org
Wed May 21 16:19:14 CEST 2008
Hi all,
I'd like to use EAP-TTLS with MS-CHAP(v2), so I can use SecureW2 with
Freeradius. To be more exact, I'd be using ntlm_auth, so that wireless users
will be able to get on the wireless network using their usual windows
username / password.
I'm using FreeRadius 2.0.3. I've seen several tutorials regarding Freeradius
1, which help, but they are a bit outdated, and are often using a different
authentication method or protocol (like PEAP).
I'm stuck getting it to work, and it isn't even at the point of calling
ntlm_auth yet (except for the first initial test, described later).
I've verified ntlm_auth works on the command line.
I've been following (among others)
http://deployingradius.com/documents/configuration/active_directory.html
which suggested to verify ntlm_auth in radius via this:
exec ntlm_auth {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=DOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}
And adding this to the users file:
Auth-Type := ntlm_auth
Once this passed (I tested with radtest), I commented out both, because it
was only for testing.
Side note: I had set 'wait = no' previously, due to the tutorial mentioning
that, but then the password was always correct even if I provided an
incorrect one.
I've also been reading
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO by
the way, and while it did help they use PEAP (w/mschapv2) so hmm.
Anyway, back on track:
I've taken the default radius configuration files (as of v2.0.3), and
edited them.
I hope I've pasted all relevant parts here; if not, let me know:
radiusd.conf:
$INCLUDE eap.conf
mschap {
    require_encryption = yes
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
I should also note that I have with_ntdomain_hack set to 'no' in
preprocess{} (but to yes in mschap as pasted above), as I'll be using the
realms module for that (or at least I try to).
then the eap.conf:
eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    ...
    ttls {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
    mschapv2 {
    }
}
and sites-enabled/default:
authorize {
    preprocess
    chap
    mschap
    ntdomain
    eap {
        ok = return
    }
    unix
    files
    expiration
    logintime
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    unix
    eap
}
And proxy.conf entry:
realm DOMAIN {
}
This is what I get using the 'rad_eap_test' tool. Since I'm working
remotely I cannot use SecureW2 at the moment (if someone has another
suggestion on how to check EAP-TTLS w/MSCHAPv2, let me know; it seems the
radclient and radtest utils won't suffice because they don't do MSCHAPv2):
./rad_eap_test -H 127.0.0.1 -P 1812 -S xxx -u 'DOMAIN\myuser' -p xxx -m WPA-EAP -e TTLS -v
access-reject; 1
The Radius log was a bit too large; I uploaded it to:
http://www.vulnscan.org/tmp/radius_log.txt
I think this is the most relevant part:
Wed May 21 15:09:43 2008 : Debug: +- entering group authorize
Wed May 21 15:09:43 2008 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 5
Wed May 21 15:09:43 2008 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 5
Wed May 21 15:09:43 2008 : Debug: ++[preprocess] returns ok
Wed May 21 15:09:43 2008 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 5
Wed May 21 15:09:43 2008 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 5
Wed May 21 15:09:43 2008 : Debug: ++[chap] returns noop
Wed May 21 15:09:43 2008 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 5
Wed May 21 15:09:43 2008 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 5
Wed May 21 15:09:43 2008 : Debug: ++[mschap] returns noop
Wed May 21 15:09:43 2008 : Debug: modsingle[authorize]: calling ntdomain (rlm_realm) for request 5
Wed May 21 15:09:43 2008 : Debug: rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\myuser"
Wed May 21 15:09:43 2008 : Debug: rlm_realm: Found realm "DOMAIN"
Wed May 21 15:09:43 2008 : Debug: rlm_realm: Adding Stripped-User-Name = "myuser"
Wed May 21 15:09:43 2008 : Debug: rlm_realm: Proxying request from user myuser to realm DOMAIN
Wed May 21 15:09:43 2008 : Debug: rlm_realm: Adding Realm = "DOMAIN"
Wed May 21 15:09:43 2008 : Debug: rlm_realm: Authentication realm is LOCAL.
Wed May 21 15:09:43 2008 : Debug: modsingle[authorize]: returned from ntdomain (rlm_realm) for request 5
Wed May 21 15:09:43 2008 : Debug: ++[ntdomain] returns noop
Wed May 21 15:09:43 2008 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 5
Wed May 21 15:09:43 2008 : Debug: rlm_eap: EAP packet type response id 5 length 192
Wed May 21 15:09:43 2008 : Debug: rlm_eap: Continuing tunnel setup.
Wed May 21 15:09:43 2008 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 5
Wed May 21 15:09:43 2008 : Debug: ++[eap] returns ok
Wed May 21 15:09:43 2008 : Debug: rad_check_password: Found Auth-Type EAP
Wed May 21 15:09:43 2008 : Debug: auth: type "EAP"
Wed May 21 15:09:43 2008 : Debug: +- entering group authenticate
Wed May 21 15:09:43 2008 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 5
Wed May 21 15:09:43 2008 : Debug: rlm_eap: Request found, released from the list
Wed May 21 15:09:43 2008 : Debug: rlm_eap: EAP/ttls
Wed May 21 15:09:43 2008 : Debug: rlm_eap: processing type ttls
Wed May 21 15:09:43 2008 : Debug: rlm_eap_ttls: Authenticate
Wed May 21 15:09:43 2008 : Debug: rlm_eap_tls: processing TLS
Wed May 21 15:09:43 2008 : Debug: eaptls_verify returned 7
Wed May 21 15:09:43 2008 : Debug: rlm_eap_tls: Done initial handshake
Wed May 21 15:09:43 2008 : Debug: eaptls_process returned 7
Wed May 21 15:09:43 2008 : Debug: rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
Wed May 21 15:09:43 2008 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Wed May 21 15:09:43 2008 : Debug: auth: Failed to validate the user.
Wed May 21 15:09:43 2008 : Auth: Login incorrect: [DOMAIN\\myuser/<no User-Password attribute>] (from client localhost port 0 cli 70-6F-6C-69-73-68)
Wed May 21 15:09:43 2008 : Debug: TTLS: Got tunneled Access-Reject
Wed May 21 15:09:43 2008 : Debug: rlm_eap: Handler failed in EAP/ttls
Wed May 21 15:09:43 2008 : Debug: rlm_eap: Failed in EAP select
Wed May 21 15:09:43 2008 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 5
Wed May 21 15:09:43 2008 : Debug: ++[eap] returns invalid
Wed May 21 15:09:43 2008 : Debug: auth: Failed to validate the user.
Wed May 21 15:09:43 2008 : Auth: Login incorrect: [DOMAIN\\myuser/<via Auth-Type = EAP>] (from client localhost port 0 cli 70-6F-6C-69-73-68)
Any help is very much welcomed :)
Regards,
Bram.
--
Bram Matthys
Software developer/IT consultant syzop at vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: 8DD4 437E 9BA8 09AA 0A8D 1811 E1C3 D65F E6ED 2AA2
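The post's mschap block hands ntlm_auth a `--challenge=%{mschap:Challenge}` and `--nt-response=%{mschap:NT-Response}`, and turns on `with_ntdomain_hack` next to an `ntdomain` realm that strips `DOMAIN\` off the User-Name. The example below, added here and not part of the original message or of FreeRADIUS, shows what those two settings are doing at the protocol level: the `ntdomain` realm split (prefix format, backslash delimiter) and the MS-CHAPv2 ChallengeHash from RFC 2759, which is what `%{mschap:Challenge}` expands to and which must be computed over the bare user name, not `DOMAIN\user`. The RFC 2759 section 9.2 test vector is used as input; the constructed `DOMAIN\myuser` values and the argv builder (`ntlm_auth_argv`, which mirrors the post's ntlm_auth line but is a local helper, not a FreeRADIUS or Samba API) are assumptions for illustration.

```python
import hashlib

# RFC 2759 section 9.2 test vector (published values, not from the post).
RFC2759_USER = "User"
RFC2759_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC2759_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC2759_CHALLENGE = bytes.fromhex("D02E4386BCE91226")


def strip_ntdomain(user_name: str):
    """Mimic the 'ntdomain' realm instance from the post (format = prefix,
    delimiter = "\\"): 'DOMAIN\\user' -> ('DOMAIN', 'user'). A name with no
    backslash has no realm and is returned unchanged, like Stripped-User-Name
    falling back to User-Name."""
    realm, sep, user = user_name.partition("\\")
    if not sep:
        return None, user_name
    return realm, user


def mschapv2_challenge(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 ChallengeHash(): the first 8 bytes of
    SHA-1(PeerChallenge || AuthenticatorChallenge || UserName).
    This 8-byte value is the 'challenge' the NT-Response is computed over and
    is what FreeRADIUS passes to ntlm_auth as --challenge=<hex>.
    RFC 2759 requires UserName to exclude any prepended domain name."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 peer and authenticator challenges are 16 bytes each")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(user_name.encode("utf-8"))  # assumption: ASCII/UTF-8 user names
    return h.digest()[:8]


def challenge_for_request(user_name: str, peer_challenge: bytes, auth_challenge: bytes,
                          with_ntdomain_hack: bool) -> bytes:
    """What rlm_mschap does with the User-Name before hashing: with the
    ntdomain hack on, 'DOMAIN\\user' is reduced to 'user' first, so the
    server's challenge matches the one the Windows supplicant used."""
    name = user_name
    if with_ntdomain_hack:
        _, name = strip_ntdomain(user_name)
    return mschapv2_challenge(peer_challenge, auth_challenge, name)


def ntlm_auth_argv(user_name: str, challenge: bytes, nt_response: bytes,
                   ntlm_auth: str = "/usr/bin/ntlm_auth") -> list:
    """Local helper (assumption, not a FreeRADIUS API): the argv that the
    post's ntlm_auth line expands to. Challenge and NT-Response are hex
    strings, which is how %{mschap:Challenge} / %{mschap:NT-Response}
    render them; the bare user goes in --username."""
    _, user = strip_ntdomain(user_name)
    return [
        ntlm_auth,
        "--request-nt-key",
        f"--username={user}",
        f"--challenge={challenge.hex()}",
        f"--nt-response={nt_response.hex()}",
    ]


def demo():
    """Show the effect of with_ntdomain_hack on a constructed DOMAIN\\myuser login."""
    user = "DOMAIN\\myuser"
    hack_on = challenge_for_request(user, RFC2759_PEER_CHALLENGE, RFC2759_AUTH_CHALLENGE, True)
    hack_off = challenge_for_request(user, RFC2759_PEER_CHALLENGE, RFC2759_AUTH_CHALLENGE, False)
    bare = mschapv2_challenge(RFC2759_PEER_CHALLENGE, RFC2759_AUTH_CHALLENGE, "myuser")
    # Constructed 24-byte placeholder standing in for the client's NT-Response.
    fake_nt_response = bytes(range(24))
    return {
        "with_hack_matches_bare_user": hack_on == bare,
        "without_hack_matches_bare_user": hack_off == bare,
        "argv": ntlm_auth_argv(user, hack_on, fake_nt_response),
    }


if __name__ == "__main__":
    print("RFC 2759 vector OK:",
          mschapv2_challenge(RFC2759_PEER_CHALLENGE, RFC2759_AUTH_CHALLENGE, RFC2759_USER) == RFC2759_CHALLENGE)
    for k, v in demo().items():
        print(k, "=", v)
```

Running it prints that the RFC vector reproduces, that the challenge with the hack on equals the bare-user challenge while the one computed over `DOMAIN\myuser` does not, and the ntlm_auth argv with hex-encoded challenge and response. That mismatch is why a correct password still fails when the domain prefix leaks into the hash, and why the post pairs `with_ntdomain_hack = yes` with `--username=%{Stripped-User-Name:-...}`.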