-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi folks, I've been tasked with determining the feasibility of migrating a campus wireless deployment from "open wireless plus VPN" to WPA2 Enterprise. The existing VPN server authenticates against a RHEL4 FreeRADIUS server (1.0.1-3.RHEL4.5, the latest available distro-standard package), which itself primarily auts against PAM. (There are a few users defined in the RADIUS users file, but these are the exception rather than the rule.) This function is to be bolted-onto an existing, production FreeRADIUS server, which is why I'm using such an old version of FR. My NAS is talking to the FR instance (being run in "-X" debug mode, of course), but the NAS doesn't appear to be sending the "User-Password" attribute that FR is expecting. What I'm going for, here, is EAP/TTLS. I've synthesized a few HOWTOs* to arrive at my current configuration, which is attached in the form of my (sanitized) radiusd.conf, clients.conf, and eap.conf, as well as /etc/pam.d/radiusd. FWIW, I'm getting good answers when running 'radtest' locally, so the FR-to-PAM linkage is working properly. * Namely, Hack #44 from O'Reilly's "Wireless Hacks, 2nd Ed." and an article[1] from Free Software Magazine. Also attached are a few sample conversations as seen from the perspective of FR using a user that's active in PAM (radiusd-X_actual_eap_client.txt and radiusd-X_radeapclient.txt), AND one using an account that's local at FR, i.e., in the /etc/raddb/users file (radiusd-X_testuser_actual_eap_client.txt). My test case will eventually include Windows XP Pro, Vista Business, and Mac OS X 10.4 specimens, but for now I'm using only Mac OS X 10.5, as it seems to have very flexible native support for mucking with 802.1x settings. I did see mention of a similar symptom in my searches, and a few (including this one[2]) suggested that a fix was forthcoming in 1.1.5. By way of attempting this, I tried rolling my own 2.0.5 instance of FR, but it had the same problem. Alan's post here[3] indicates, "It needs a password." What I'm not clear on is _what_ needs a password: is the client not sending it, or does the FR server not have access to the backend against which it should be verifying the password incoming from the client? If the client is not sending it, how might I go about ascertaining why? In any case, this seems to be one of the more common errors for people attempting 802.1x auth via RADIUS, and since there are so many different scenarios cited by the posts I'm finding, I hoped that the knowledgeable ~ among you might analyze and comment on my configuration. I can provide further information and diagnostic output upon request. If at any point it's appropriate for someone to say, "You fool! You can't have WPA(2) Enterprise authentication for both Mac and Windows!" please, don't hesitate to do so. ;-) Thanks in advance for your time. Cheers, - -sth [1]http://www.freesoftwaremagazine.com/community_posts/howto_incremental_setup_... [2]http://lists.cistron.nl/pipermail/freeradius-users/2007-February/060265.html [3]http://www.mail-archive.com/freeradius-users@lists.cistron.nl/msg22607.html sam hooker|sth@noiseplant.com|http://www.noiseplant.com Yes, my television runs Linux, too. Yes, really. http://mythtv.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkhQHdEACgkQX8KByLv3aQ2ZlwCdFRD/+GGPomxSZmdJq+fD3T24 8I4AoLkwSuUwdjcCrnu48HF7obHCX2qy =yzeE -----END PGP SIGNATURE----- client 127.0.0.1 { secret = testing123 shortname = localhost nastype = other # localhost isn't usually a NAS... } client w.x.y.z { secret = supersecret shortname = sth_wireless_test } eap { default_eap_type = md5 timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } leap { } gtc { auth_type = PAP } tls { private_key_password = ultrasecret private_key_file = ${raddbdir}/certs/eap-test.pem certificate_file = ${raddbdir}/certs/eap-test.pem CA_file = ${raddbdir}/certs/demoCA/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = /dev/urandom } ttls { default_eap_type = md5 copy_request_to_tunnel = yes use_tunneled_reply = yes } peap { default_eap_type = md5 copy_request_to_tunnel = yes use_tunneled_reply = yes } mschapv2 { } } prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = /usr/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = ${logdir}/radius.log libdir = /usr/lib pidfile = ${run_dir}/radiusd.pid user = radiusd group = radiusd max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = yes log_auth_badpass = no log_auth_goodpass = no usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = yes $INCLUDE ${confdir}/proxy.conf $INCLUDE ${confdir}/clients.conf snmp = no $INCLUDE ${confdir}/snmp.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { pap { encryption_scheme = crypt } chap { authtype = CHAP } pam { pam_auth = radiusd } unix { cache = no cache_reload = 600 shadow = /etc/shadow radwtmp = ${logdir}/radwtmp } $INCLUDE ${confdir}/eap.conf mschap { authtype = MS-CHAP } ldap { server = "ldap.your.domain" basedn = "o=My Org,c=UA" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" start_tls = no access_attr = "dialupAccess" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 } realm IPASS { format = prefix delimiter = "/" ignore_default = no ignore_null = no } realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } realm realmpercent { format = suffix delimiter = "%" ignore_default = no ignore_null = no } realm ntdomain { format = prefix delimiter = "\\" ignore_default = no ignore_null = no } checkval { item-name = Calling-Station-Id check-name = Calling-Station-Id data-type = string } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users compat = no } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } $INCLUDE ${confdir}/sql.conf radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } attr_filter { attrsfile = ${confdir}/attrs } counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } digest { } exec { wait = yes input_pairs = request } exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply } ippool main_pool { range-start = 192.168.1.1 range-stop = 192.168.3.254 netmask = 255.255.255.0 cache-size = 800 session-db = ${raddbdir}/db.ippool ip-index = ${raddbdir}/db.ipindex override = no maximum-timeout = 0 } } instantiate { exec expr } authorize { preprocess chap mschap suffix eap files } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } pam unix eap } preacct { preprocess acct_unique suffix files } accounting { detail unix radutmp } session { radutmp } post-auth { } pre-proxy { } post-proxy { eap } #%PAM-1.0 auth required pam_stack.so service=system-auth auth required pam_nologin.so account required pam_stack.so service=system-auth password required pam_stack.so service=system-auth session required pam_stack.so service=system-auth [sthooker@radtest ~]$ sudo /usr/sbin/radiusd -X Password: Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded Pam pam: pam_auth = "radiusd" Module: Instantiated pam (pam) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "/etc/shadow" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/eap-test.pem" tls: certificate_file = "/etc/raddb/certs/eap-test.pem" tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem" tls: private_key_password = "ultrasecret" tls: dh_file = "/etc/raddb/certs/dh" tls: random_file = "/dev/urandom" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" rlm_eap: Loaded and initialized type tls ttls: default_eap_type = "md5" ttls: copy_request_to_tunnel = yes ttls: use_tunneled_reply = yes rlm_eap: Loaded and initialized type ttls peap: default_eap_type = "md5" peap: copy_request_to_tunnel = yes peap: use_tunneled_reply = yes peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Listening on proxy *:1814 Ready to process requests. ... rad_recv: Access-Request packet from host w.x.y.z:1046, id=0, length=129 User-Name = "sthooker" NAS-IP-Address = w.x.y.z Called-Station-Id = "001d7e5dc520" Calling-Station-Id = "0016cbb1f902" NAS-Identifier = "001d7e5dc520" NAS-Port = 10 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200000d017374686f6f6b6572 Message-Authenticator = 0x8884ca25a4b0e8632525fb9ef4246dbf Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "sthooker", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 0 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched DEFAULT at 187 modcall[authorize]: module "files" returns ok for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type pam auth: type "PAM" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_pam: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "pam" returns invalid for request 1 modcall: group authenticate returns invalid for request 1 auth: Failed to validate the user. Login incorrect: [sthooker] (from client sth_wireless_test port 10 cli 0016cbb1f902) Delaying request 1 for 1 seconds Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 0 to w.x.y.z:1046 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 0 with timestamp 484d91f2 Nothing to do. Sleeping until we see a request. [sthooker@radtest consolidated_radius_configs]$ radeapclient -x localhost auth testing123 < req.txt +++> About to send encoded packet: User-Name = "sthooker" NAS-IP-Address = w.x.y.z EAP-Code = Response EAP-Id = 210 EAP-Type-Identity = "sthooker" Message-Authenticator = 0x00 NAS-Port = 0 Sending Access-Request of id 154 to 127.0.0.1:1812 User-Name = "sthooker" NAS-IP-Address = w.x.y.z Message-Authenticator = 0x00000000000000000000000000000000 NAS-Port = 0 EAP-Message = 0x02d2000d017374686f6f6b6572 rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=154, length=20 rlm_eap: EAP-Message not found <+++ EAP decoded packet: ... rad_recv: Access-Request packet from host 127.0.0.1:32830, id=154, length=75 User-Name = "sthooker" NAS-IP-Address = w.x.y.z Message-Authenticator = 0xd4b84d12e6dc88294f27aaff16e2547c NAS-Port = 0 EAP-Message = 0x02d2000d017374686f6f6b6572 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "chap" returns noop for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "sthooker", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: EAP packet type response id 210 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched DEFAULT at 187 modcall[authorize]: module "files" returns ok for request 7 modcall: group authorize returns updated for request 7 rad_check_password: Found Auth-Type pam auth: type "PAM" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_pam: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "pam" returns invalid for request 7 modcall: group authenticate returns invalid for request 7 auth: Failed to validate the user. Login incorrect: [sthooker] (from client localhost port 0) Delaying request 7 for 1 seconds Finished request 7 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 154 to 127.0.0.1:32830 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 7 ID 154 with timestamp 484d95af Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host w.x.y.z:1046, id=0, length=177 User-Name = "testuser" NAS-IP-Address = w.x.y.z Called-Station-Id = "001d7e5dc520" Calling-Station-Id = "0016cbb1f902" NAS-Identifier = "001d7e5dc520" NAS-Port = 10 Framed-MTU = 1400 State = 0xaafd92bfb16297927e5b53fde6e3b52d NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0207002b190017030100205a2dd9f0761ff1874a7d6aa970845f772eec68d85a7124cc1b717f7930bc2c9a Message-Authenticator = 0x0b925b0d2d16bdabdfe321a2c7399d42 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 modcall[authorize]: module "preprocess" returns ok for request 8 modcall[authorize]: module "chap" returns noop for request 8 modcall[authorize]: module "mschap" returns noop for request 8 rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 8 rlm_eap: EAP packet type response id 7 length 43 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 8 users: Matched testuser at 93 modcall[authorize]: module "files" returns ok for request 8 modcall: group authorize returns updated for request 8 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure, rejecting. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 8 modcall: group authenticate returns invalid for request 8 auth: Failed to validate the user. Login incorrect: [testuser] (from client sth_wireless_test port 10 cli 0016cbb1f902) Delaying request 8 for 1 seconds Finished request 8 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Sending Access-Reject of id 0 to w.x.y.z:1046 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 Cleaning up request 8 ID 0 with timestamp 484d9af1 Nothing to do. Sleeping until we see a request.