Proxying EAP-TTLS requests via 2.1.0 to 1.1.7

Peter Eriksson peter at ifm.liu.se
Wed Sep 24 14:13:31 CEST 2008 

Sorry about this long first mail, but I figured I'd try to include as
much information as possible. right away..

I'm trying to set up a rather complicated RADIUS structure that I hope
will be able to support a number of different needs. Anyway, some bit
of background information. Things I need to support:

EDUROAM for my roaming users at other sites around Europe.

EDUROAM for roaming users at my site via WLAN access points
	(SSID "EDUROAM").

Normal 802.1x for our local users via WLAN (another SSID)

Normal 802.1x-enabled ethernet ports on switches.

Modem pool access (Ascend MAX4000 - olde faithful still going strong :-)
	for out users and two neighboring departments (separate user
	databases)

VPN gateway access (Nortel Contivity and OpenVPN) for out users and
	one other neighboring department.

+ More stuff (web services)...



"Access" Hardware/Software:

D-Link DWL-3200AP and DWL-8200AP WLAN access points
HP ProCurve ethernet switches
Ascend MAX4000 modem pool
Nortel Contivity IPSEC VPN gateway
OpenVPN server


Anyway, I have set up our access points to successfully do EAP-TTLS
authentication via RADIUS to a FreeRadius 1.1.7 server since this spring.

(The VPN and modem pool is handled by another very old
RADIUS server for the moment but I'm planning on moving those to the
new FreeRadius structure when things are working smoothly).

But now in our quest for implementing EDUROAM I starting looking at
using FreeRadius 2.1 and do some intelligent proxying based on various
criterias which gets complicated pretty quickly... :-)

1)
Users connecting to the WLAN SSID "EDUROAM" should be handled as EDUROAM
authentication requests and routed thru those RADIUS servers, and if
successful should end up on our "EDUROAM" VLAN.

2)
Users connecting to our "PERSONAL" WLAN SSID should be handled as
local users only and if successfully authenticated should end up on
our "TWILIGHT ZONE" VLAN.

It seems I should be able to distinguish at the RADIUS server side
between #1 and #2 via the "Called-Station-Id" attribute since the
D-Link AP's we are using sets that to something like:

   Called-Station-Id = "00-17-9A-D3-9A-BA:EDUROAM"

(where the last part is the WLAN SSID).

3)
Users connecting to the 802.1x enabled physical ethernet ports should
if authenticating as USER at ifm.liu.se be handled like #2 above, else
be handled like #1 above, and if completely unsuccessful should be
conencted to a third special VLAN. (This should be doable via the
a RADIUS attribute telling the switch which VLAN to switch a
successfully authenticated user's port to).

4)
Modem pool users should accept request from three different realms
	USER at ifm.liu.se
	USER at dept2.liu.se
	USER at dept3.liu.se
Route those to the correct RADIUS server responsible for authenticating
those users, and in the response set the Ascend-special attributes to
'give' the user the right IP# from the departments special IP pools

5)
VPN pool users should do something similar to #4 but using the
Nortel-specific attributes.

(We do #4 and #5 already today with the stoneage RADIUS server,
sans the RADIUS-proxying stuff I want to do).



Anyway - what I'm curious about is if there are others 'out there' that
have done similar stuff before?

Any cookbooks for setting up a FreeRadius 2 server in an EDUROAM
environment?

Anyone with experience talking to D-Link DWL-3200AP or 8200AP
with EAP-TTLs and FreeRadius 2?


I ran into a problem directly - for some unknown reason when I redirect
my APs to talk to a proxying-only FreeRadius 2.1.0 server that forwards
requests to our old FreeRadius 1.1.7 server the access points doesn't
seem to correctly understand or mishandles (sort of - it looks like
things are going OK, but the Window and MacOS X clients just goes into
a loop with reretrying the authentication sequence and never finishing)
the 'Access-Accept' sent to them after having successfully authenticated
the user... And I'm at a loss as to why.

I tried running the radiusd servers with -X to see what the difference
in the responses are and I can't really see any big differences:


FreeRadius 1.1.7 directly to the Access Point:

First request:
rad_recv: Access-Request packet from host 192.168.160.158:1115, id=0,
length=181
        Message-Authenticator = 0x377dba909d00b36f5edacd2d732b8cc6
        Service-Type = Framed-User
        User-Name = "testson"
        Framed-MTU = 1488
        Called-Station-Id = "00-17-9A-D3-9A-BA:EDUROAM"
        Calling-Station-Id = "00-30-65-18-72-61"
        NAS-Identifier = "ap13434"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 0x0200000c0174657374736f6e
        NAS-IP-Address = 192.168.160.158
        NAS-Port = 2
        NAS-Port-Id = "STA port # 2"


Last response:
Sending Access-Accept of id 6 to 192.168.160.158 port 1096
MS-MPPE-Recv-Key =
0xd95114ac0ba4ea2f18815d9d713bcc09730dce74705a24e87c1b3ff1e59bb391
MS-MPPE-Send-Key =
0x59bdb8c81b2d31916a50dbd43079f019616468618cd956c2bb8db99b29436b22
EAP-Message = 0x03060004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "testson"
Finished request 6



FreeRadius 2.1.0 directly to the Access Point (with a response received
via Proxying to the same 1.1.7 server):

First request:
rad_recv: Access-Request packet from host 192.168.160.158 port 1036,
id=0, length=181
        Message-Authenticator = 0x54e5c5b797c55e4cf49655edfa140e05
        Service-Type = Framed-User
        User-Name = "testson\000"
        Framed-MTU = 1488
        Called-Station-Id = "00-17-9A-D3-9A-BA:EDUROAM"
        Calling-Station-Id = "00-30-65-18-72-61"
        NAS-Identifier = "ap13434"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 0x0200000c0174657374736f6e
        NAS-IP-Address = 192.168.160.158
        NAS-Port = 2
        NAS-Port-Id = "STA port # 2"


Last response:
Sending Access-Accept of id 6 to 192.168.160.158 port 1036
        Vendor-Specific =
0x0000013711348565439b6986f71bfa7425319eac8dd791f24936bc66a8cdd928a91c9c4343958ef040212
4dd4f552726302e356b878e6474
        Vendor-Specific =
0x0000013710348b855687f3a4ef1194289232229fe0be952c98689fb606c1e9d6ceae6a388baee98eeb292
be2d41ae58efa7f67737dec758c
        EAP-Message = 0x03060004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "testson"
Finished request 6.

(I assume that 'Vendor-Specific' stuff is the MS-MPPE-Recv-Key stuff
that the 1.1.7 talks about).

Any suggestions?

- Peter

More information about the Freeradius-Users mailing list