P.S.: I'm sorry, I forgot to write that we're using FreeRADIUS 3.0.12. Am 27. März 2017 4:16:35 nachm. schrieb Christian Strauf <strauf@rz.tu-clausthal.de>:
Hi all!
For our eduroam setup we use FreeRADIUS to authenticate EAP-TTLS, PEAP as well as EAP-pwd requests. For each of these EAP types you have to configure the "virtual_server" which deals with the tunneled authentication (which is a little odd with respect to EAP-pwd because it isn't a tunneled method). Within the "inner-tunnel*" virtual servers we connect to an LDAP server to get the user credentials and RADIUS attributes that are associated with a specific user. Furthermore, we call a policy in the authorize section that is defined in policy.d/ that simply checks whether a certain attribute is set to "yes" or "no". The check basically looks like this:
if ( ...<some check>... ) { reject }
This works nicely with the inner-tunnel virtual servers that are used for EAP-TTLS and PEAP. It basically looks like this if the check yields a reject:
11) if (...<some check>...) { (11) [reject] = reject (11) } # if (...<some check>...) = reject (11) } # policy XXXX = reject (11) } # authorize = reject (11) Using Post-Auth-Type Reject (11) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (11) Post-Auth-Type REJECT { ... (11) } # Post-Auth-Type REJECT = updated (11) } # server inner-tunnel (11) Virtual server sending reply
This reject is forwarded to the outer session and this works as expected. However, it doesn't work with the inner-tunnel virtual server that we use for EAP-pwd. Please note that the configuration is virtually identical (except that you obviously don't need inner authentications methods for EAP-pwd). You basically get debugging output that looks like this:
(2) if (...<some check>...) { (2) [reject] = reject (2) } # if (...<some check>...) = reject (2) } # policy XXXX = reject (2) } # authorize = reject (2) eap_pwd: } # server inner-tunnel-eap-pwd (2) eap_pwd: Got tunneled reply code 0
It looks like the eap_pwd module doesn't receive the reject generated within the authorize section of the inner-tunnel virtual server. Please note that EAP-pwd authentication per se works without any problems. Furthermore, I perfectly understand that only the authorize section of the inner-tunnel virtual server is used by EAP-pwd anyhow (it's simply used to retrieve credentials). However, it's not clear to me why the exact same configuration works for EAP-TTLS / PEAP but not for EAP-pwd because other things that we do within the authorize section (like setting RADIUS attributes that are used in the outer session etc.) work. I was thinking about working around the problem by doing something like
update outer.session-state { ... }
to generate a reject within the outer session. Do you have any suggestions what the right way would be to work around this? Apart from a workaround, do you think this could be a bug in the EAP-pwd module? I tried to read the source code but I'm not a programmer and I couldn't figure out how the EAP-pwd module works differently from the EAP-TTLS and PEAP modules with respect to how it works with inner-tunnel virtual servers. Any help would be highly appreciated.
Kind regards, Christian Strauf -- Dipl.-Math. Christian Strauf Clausthal Univ. of Technology E-Mail: strauf@rz.tu-clausthal.de Rechenzentrum Web: www.rz.tu-clausthal.de Erzstraße 18 Tel.: +49-5323-72-2086 Fax: -992086 D-38678 Clausthal-Zellerfeld