<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
</head>
<body class='hmmessage'><div dir='ltr'>
<p>Hello all,</p>
<p>I've just been able to implement a wired 802.1X system with PEAP/MSCHAPv2 authentication against Open Directory, which is running on Mac OS X Server 10.6.8 Leopard.</p>
<p>In the end I have a "working" setup, but I'd like to learn more to fix my faults.</p>
<p>Below you can find my study steps and config changes, and these are my questions regarding the following outputs.</p>
<p>Q1- Is it possible to get RADIUS attributes with the opendirectory module (not well documented)? If yes, please share your experience.</p>
<p>Q2- I am not sure what is happening during the mschap challenge/response below.</p>
<pre>
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] No NT-Password configured. Trying OpenDirectory Authentication.
[mschap] OD username_string = onex, OD shortUserName=onex (length = 4)
[mschap] dsDoDirNodeAuth returns stepbuff: S=D134BC291881FAF31275724FE84FEA40648F64C6 (len=40)
++[mschap] returns ok
MSCHAP Success
</pre>
<p>1. Testbed:</p>
<pre>
Auth Server     : FreeRADIUS 2.1.3 running on Mac OS X 10.6.8 Leopard; other services: Open Directory (OpenLDAP), Kerberos, DNS, DHCP
Authenticator   : HP Networking 2910 switch
Supplicants     : Windows XP SP3, Windows 7, Mac OS X (PEAP/MSCHAPv2)
Directory Admin : diradmin
Test User       : onex
authentication  : Open Directory (the mschap module calls the opendirectory module for the challenge/response)
authorization   : by LDAP search in the post-auth section of the inner-tunnel server
authorization   : settings are Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id (by LDAP search)
sql client db   : the Mac OS X Server Admin GUI can configure RADIUS clients (max count is 64); I am not using clients.conf
</pre>
<p>As I understood it, Mac OS X Server actually uses OpenLDAP, but Apple named it "Open Directory" after restricting and changing the access methods.</p>
<p>There was no radius schema file in Apple's distribution of FreeRADIUS, or at least I could not find it where it normally would be. So I downloaded the schema file and extended the schema manually.</p>
<p>2. LDAP schema extension and creating RADIUS attributes for 802.1X</p>
<pre>
/etc/openldap/slapd.conf
include /etc/openldap/schema/radius.schema

slaptest -f slapd.conf -F slapd.d

/etc/openldap/slapd.d/cn=config/cn=schema/cn={10}radius.ldif
dn: cn={10}radius
</pre>
<p>Restart the host or restart slapd.</p>
<pre>
dscl
cd LDAPv3
auth diradmin abc123
cd 127.0.0.1/Groups/vlan10
create . radiusTunnelPrivateGroupId 10
cd ..
cd vlan20
create . radiusTunnelPrivateGroupId 20
...
</pre>
<p>I will set Tunnel-Type and Tunnel-Medium-Type statically in the post-auth section; the radiusTunnelPrivateGroupId attribute is sufficient in LDAP.</p>
<p>3. RADIUS config</p>
<p>Non-default or changed parameters are written here.</p>
<p>The LDAP module will not be used for authentication; it will be used only to set radiusTunnelPrivateGroupId. Authentication is done through the opendirectory module via the mschap call.</p>
<p>Mac OS X issue: without Apple base stations the RADIUS service could not be started from the Server Admin GUI. I needed to fix this by deleting some lines regarding the BaseStation check in the following file:</p>
<pre>
/Applications/Server/Server\ Admin.app/Contents/Resources/RoleBasedSetup.bundle/Contents/PlugIns/RadiusPlugin.plugin/Contents/Resources/RadiusSteps.plist
</pre>
<pre>
/private/etc/raddb/modules/ldap
ldap {
        server = "radsrv.lab.com"
        identity = "uid=diradmin,cn=users,dc=radsrv,dc=lab,dc=com"
        password = abc123
        basedn = "dc=radsrv,dc=lab,dc=com"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"   # In my test only User-Name is used
        base_filter = "(objectclass=radiusprofile)"
        set_auth_type = no   # As far as I know, LDAP only works with PAP authentication
}
</pre>
<pre>
/private/etc/raddb/attrs
DEFAULT
        Tunnel-Type == VLAN,
        Tunnel-Medium-Type == IEEE-802,
        Tunnel-Private-Group-Id =* ANY,
</pre>
<pre>
/private/etc/raddb/ldap.attrmap
checkItem   User-Name                 uid   # I am not able to check NTLM or other hashes; only a uid check for "return noop"
replyItem   Tunnel-Type               radiusTunnelType
replyItem   Tunnel-Medium-Type        radiusTunnelMediumType
replyItem   Tunnel-Private-Group-Id   radiusTunnelPrivateGroupId
</pre>
<pre>
/private/etc/raddb/radiusd.conf
max_requests = 16384
proxy_requests = no
#$INCLUDE clients.conf   # max client count is 64 in the SQL db (if I run out of space, I will use clients.conf in addition)
</pre>
<pre>
/private/etc/raddb/proxy.conf
realm LAB.COM {   # doing nothing, but I'd like to use it
}
</pre>
<pre>
/private/etc/raddb/eap.conf
default_eap_type = peap
#gtc
#leap
#md5
tls {
        private_key_password = Apple:UseCertAdmin
        private_key_file = "/etc/certificates/radsrv.lab.com.23C900DA0044BDB9E24ACE1BCFAFFB0747756C25.key.pem"
        certificate_file = "/etc/certificates/radsrv.lab.com.23C900DA0044BDB9E24ACE1BCFAFFB0747756C25.cert.pem"
        CA_file = "/etc/certificates/radsrv.lab.com.23C900DA0044BDB9E24ACE1BCFAFFB0747756C25.chain.pem"
        dh_file = /etc/raddb/certs/dh
        random_file = /etc/raddb/certs/random
}
peap {
        use_tunneled_reply = yes
}
</pre>
<pre>
/private/etc/raddb/sites-enabled/default
authorize {
        #chap
        #unix
        #files
        #pap
}
authenticate {
#       Auth-Type PAP {
#               pap
#       }
#       Auth-Type CHAP {
#               chap
#       }
#       Auth-Type opendirectory {
#               opendirectory
#       }
        #unix
#       Auth-Type LDAP {
#               ldap
#       }
        ...
}
</pre>
<pre>
/private/etc/raddb/sites-enabled/inner-tunnel
authorize {
        #chap
        #mschap
        #unix
        #files
        # LDAP checks the uid only; enabled for the post-auth section
        ldap
        #pap
}
authenticate {
#       Auth-Type PAP {
#               pap
#       }
#       Auth-Type CHAP {
#               chap
#       }
}
#unix
#suffix
# In the LDAP search the radiusTunnelPrivateGroupId attribute is reached if cn=vl* AND memberUid=%{User-Name}
# All group names need to start with "vl"
# Attribute value "10" is returned in this case
post-auth {
        update reply {
                Tunnel-Type = VLAN
                Tunnel-Medium-Type = IEEE-802
                Tunnel-Private-Group-Id = "%{ldap:ldap:///dc=radsrv,dc=lab,dc=com?radiusTunnelPrivateGroupId?sub?(&(cn=vl*)(memberUid=%{User-Name}))}"
        }
}
</pre>
<p>4. Switch config; the HP Networking 2910 switch is used in this testbed</p>
<pre>
interface 1 name Supplicant
interface 3 name RadiusServer
vlan 10 name CorporateVLAN
ip add 10.10.10.1/24
ip helper 10.10.100.100
exit
vlan 40 name UnauthVLAN
ip add 10.10.40.1/24
ip helper 10.10.100.100
exit
vlan 100
ip add 10.10.100.1/24
untag 3
exit
radius-server host 10.10.100.100 key 123
aaa authentication port-access eap-radius
aaa accounting network start-stop radius
aaa port-access authenticator 1
aaa port-access authenticator 1 unauth-vid 40
aaa port-access authenticator 1 client-limit 2
aaa port-access authenticator 1 control auto
aaa port-access authenticator active
</pre>
</div></body>
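<p>Added example (not part of the original post, and not FreeRADIUS or Apple code): the arithmetic behind the "dsDoDirNodeAuth returns stepbuff: S=..." debug line asked about in Q2. The 40 hex digits after "S=" are the MS-CHAPv2 authenticator response of RFC 2759 section 8.7, which the server builds from the NT password hash (so no cleartext password is needed), the peer's NT-Response and the two challenges, and which the supplicant checks to authenticate the server in turn. The block implements ChallengeHash and GenerateAuthenticatorResponse with a small pure-Python MD4 (for the NT hash), reproduces the RFC 2759 section 9.2 test vectors, and parses the S= value out of the debug line quoted in the post. It does not verify the peer's NT-Response itself (that step needs DES, which the directory performs before it hands back stepbuff); the RFC vectors are constructed input and do not correspond to the "onex" user in the post.</p>

```python
"""MS-CHAPv2 server-side math behind FreeRADIUS's
'[mschap] dsDoDirNodeAuth returns stepbuff: S=<40 hex>' debug line (RFC 2759)."""
import hashlib
import re
import struct

MASK32 = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Included because hashlib's MD4 lives in
    OpenSSL's optional legacy provider and is often unavailable."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = _lrot((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = _lrot((a + g(b, c, d) + x[r2[i]] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = _lrot((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_password_hash(password: str) -> bytes:
    """NtPasswordHash (RFC 2759 8.3): MD4 over the UTF-16LE password. This hash is
    all the server needs, which is why no Cleartext-Password is required."""
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: str) -> bytes:
    """ChallengeHash (RFC 2759 8.2): the 8-byte challenge both sides derive."""
    return hashlib.sha1(peer_challenge + authenticator_challenge + username.encode()).digest()[:8]


MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"


def authenticator_response(password_hash: bytes, nt_response: bytes, peer_challenge: bytes,
                           authenticator_challenge: bytes, username: str) -> str:
    """GenerateAuthenticatorResponse (RFC 2759 8.7): the 'S=<40 hex>' string the server
    puts in MS-CHAP2-Success so the supplicant can verify the server knows the hash."""
    password_hash_hash = md4(password_hash)
    digest = hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()
    challenge = challenge_hash(peer_challenge, authenticator_challenge, username)
    digest = hashlib.sha1(digest + challenge + MAGIC2).digest()
    return "S=" + digest.hex().upper()


STEPBUFF_RE = re.compile(r"dsDoDirNodeAuth returns stepbuff: S=([0-9A-Fa-f]{40}) \(len=40\)")


def parse_stepbuff(debug_line: str):
    """Extract the 40 hex digits of the authenticator response from the FreeRADIUS debug line."""
    m = STEPBUFF_RE.search(debug_line)
    return m.group(1) if m else None


# RFC 2759 section 9.2 test vectors (constructed input, not the post's "onex" user).
RFC_USER = "User"
RFC_PASSWORD = "clientPass"
RFC_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")

# The debug line quoted in the post.
POST_DEBUG_LINE = "[mschap] dsDoDirNodeAuth returns stepbuff: S=D134BC291881FAF31275724FE84FEA40648F64C6 (len=40)"


def rfc_example() -> str:
    """Recompute the RFC 2759 worked example end to end; returns the S= string."""
    pw_hash = nt_password_hash(RFC_PASSWORD)
    return authenticator_response(pw_hash, RFC_NT_RESPONSE, RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, RFC_USER)


if __name__ == "__main__":
    print("NT hash            :", nt_password_hash(RFC_PASSWORD).hex().upper())
    print("8-byte challenge   :", challenge_hash(RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, RFC_USER).hex().upper())
    print("authenticator resp :", rfc_example())
    print("from post's log    :", parse_stepbuff(POST_DEBUG_LINE))
```

<p>Run as a script, it prints the RFC 2759 example values and the S= value from the post's log. Two points follow from the code: the mschap module can complete MS-CHAPv2 with only an NT hash (or, here, a directory that holds one), which is why the "No Cleartext-Password configured" lines are harmless; and the directory's stepbuff answer is the server's proof to the supplicant, not the check of the supplicant, which happened inside dsDoDirNodeAuth before the S= string was produced.</p>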
</html>