Problems with "virtual_server" for EAP-pwd

Christian Strauf strauf at rz.tu-clausthal.de
Mon Mar 27 16:14:05 CEST 2017 

Hi all!

For our eduroam setup we use FreeRADIUS to authenticate EAP-TTLS, PEAP as well as EAP-pwd requests. For each of these EAP types you have to configure the "virtual_server" which deals with the tunneled authentication (which is a little odd with respect to EAP-pwd because it isn't a tunneled method). Within the "inner-tunnel*" virtual servers we connect to an LDAP server to get the user credentials and RADIUS attributes that are associated with a specific user. Furthermore, we call a policy in the authorize section that is defined in policy.d/ that simply checks whether a certain attribute is set to "yes" or "no". The check basically looks like this:

if ( ...<some check>... ) {
	reject
}

This works nicely with the inner-tunnel virtual servers that are used for EAP-TTLS and PEAP. It basically looks like this if the check yields a reject:

11)         if (...<some check>...)  {
(11)           [reject] = reject
(11)         } # if (...<some check>...)  = reject
(11)       } # policy XXXX = reject
(11)     } # authorize = reject
(11)   Using Post-Auth-Type Reject
(11)   # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(11)     Post-Auth-Type REJECT {
...
(11)     } # Post-Auth-Type REJECT = updated
(11) } # server inner-tunnel
(11) Virtual server sending reply

This reject is forwarded to the outer session and this works as expected. However, it doesn't work with the inner-tunnel virtual server that we use for EAP-pwd. Please note that the configuration is virtually identical (except that you obviously don't need inner authentications methods for EAP-pwd). You basically get debugging output that looks like this:

(2)       if (...<some check>...)  {
(2)         [reject] = reject
(2)       } # if (...<some check>...)  = reject
(2)     } # policy XXXX = reject
(2)   } # authorize = reject
(2) eap_pwd: } # server inner-tunnel-eap-pwd
(2) eap_pwd: Got tunneled reply code 0

It looks like the eap_pwd module doesn't receive the reject generated within the authorize section of the inner-tunnel virtual server. Please note that EAP-pwd authentication per se works without any problems. Furthermore, I perfectly understand that only the authorize section of the inner-tunnel virtual server is used by EAP-pwd anyhow (it's simply used to retrieve credentials). However, it's not clear to me why the exact same configuration works for EAP-TTLS / PEAP but not for EAP-pwd because other things that we do within the authorize section (like setting RADIUS attributes that are used in the outer session etc.) work. I was thinking about working around the problem by doing something like

update outer.session-state { ... }

to generate a reject within the outer session. Do you have any suggestions what the right way would be to work around this? Apart from a workaround, do you think this could be a bug in the EAP-pwd module? I tried to read the source code but I'm not a programmer and I couldn't figure out how the EAP-pwd module works differently from the EAP-TTLS and PEAP modules with respect to how it works with inner-tunnel virtual servers. Any help would be highly appreciated.

Kind regards,
Christian Strauf
-- 
Dipl.-Math. Christian Strauf
Clausthal Univ. of Technology   E-Mail: strauf at rz.tu-clausthal.de
Rechenzentrum                   Web:    www.rz.tu-clausthal.de
Erzstraße 18                    Tel.:   +49-5323-72-2086 Fax: -992086
D-38678 Clausthal-Zellerfeld

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5172 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20170327/7127d0f9/attachment-0001.bin>

More information about the Freeradius-Users mailing list