Ok first post here. Howdy..  Name is Arjan. Sorry for the long post in advance.

 

Currently our small school is running a mac osx tiger file/web server with radius slapped onto it.

As the server is getting old, I’ve been asked to configure a new server. (Dell 720 running Ubuntu 14.10.) Clients are numerous formats (BYOD) but mainly osx and windows machines. Testing virtually at home atm. The Apache, LDAP and Samba part are fine for me. But freeradius is really tough.. Can use some help.

 

Trying to get a EAP-TTLS with PAP working, as that was what we had before. Users are supposed to login with their username and password. No user certificates.

 

Doing a pap or mschap from server terminal is fine, which means the connection to ldap seems to be working. Doing TTLS-PAP from android phone gives errors.

 

The mailing list won’t allow me to post my full config and output. (>100KB) so I’ve put it up at a website :

http://www.audiodude.nl/ldapconfig.txt

 

Here a few excerpts:

 

radtest -t mschap arjan Mypassword^3 localhost 0 mypassword  ends with :

 

Ready to process requests.

rad_recv: Access-Request packet from host 127.0.0.1 port 44458, id=134, length=131

        User-Name = "arjan"

        NAS-IP-Address = 127.0.1.1

        NAS-Port = 0

        Message-Authenticator = 0xe851266b3b6672aed5d53caecf5421b9

        MS-CHAP-Challenge = 0x6e5a7c9078ec9181

        MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000e8c0afd962f70b27eae06ed24a3fd2e53950c029a26de960

# Executing section authorize from file /etc/freeradius/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'

++[mschap] returns ok

++[digest] returns noop

[suffix] No '@' in User-Name = "arjan", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

[eap] No EAP-Message, not doing EAP

++[eap] returns noop

++[files] returns noop

[ldap] performing user authorization for arjan

[ldap]  expand: %{Stripped-User-Name} ->

[ldap]  ... expanding second conditional

[ldap]  expand: %{User-Name} -> arjan

[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=arjan)

[ldap]  expand: ou=Users,dc=mysite,dc=nl -> ou=Users,dc=mysite,dc=nl

  [ldap] ldap_get_conn: Checking Id: 0

  [ldap] ldap_get_conn: Got Id: 0

  [ldap] attempting LDAP reconnection

  [ldap] (re)connect to ldapserv.mysite.nl:389, authentication 0

  [ldap] bind as cn=admin,dc=mysite,dc=nl/Mypassword^3 to ldapserv.mysite.nl:389

  [ldap] waiting for bind result ...

  [ldap] Bind was successful

  [ldap] performing search in ou=Users,dc=mysite,dc=nl, with filter (uid=arjan)

[ldap] No default NMAS login sequence

[ldap] looking for check items in directory...

  [ldap] userPassword -> Password-With-Header == "{SSHA}EO6u+XXXXXXXXXXXXXXXXXXX9CVEpL"

  [ldap] sambaNtPassword -> NT-Password == 0x323444323XXXXXXXXXXXXXXXXXXX136453246

  [ldap] sambaLmPassword -> LM-Password == 0x4437314142XXXXXXXXXXXXXXXXXXX7343541363935

[ldap] looking for reply items in directory...

[ldap] user arjan authorized to use remote access

  [ldap] ldap_release_conn: Release Id: 0

++[ldap] returns ok

++[expiration] returns noop

++[logintime] returns noop

[pap] Normalizing NT-Password from hex encoding

[pap] Normalizing LM-Password from hex encoding

[pap] Normalizing SSHA1-Password from base64 encoding

[pap] WARNING: Auth-Type already set.  Not setting to PAP

++[pap] returns noop

Found Auth-Type = MSCHAP

# Executing group from file /etc/freeradius/sites-enabled/default

+- entering group MS-CHAP {...}

[mschap] Found LM-Password

[mschap] Found NT-Password

[mschap] Told to do MS-CHAPv1 with NT-Password

[mschap] adding MS-CHAPv1 MPPE keys

++[mschap] returns ok

# Executing section post-auth from file /etc/freeradius/sites-enabled/default

+- entering group post-auth {...}

++[exec] returns noop

Sending Access-Accept of id 134 to 127.0.0.1 port 44458

        MS-CHAP-MPPE-Keys = 0xd71ab5a02f21bf6c84ea1619e12e6d233ad6e6fe70164f220000000000000000

        MS-MPPE-Encryption-Policy = 0x00000001

        MS-MPPE-Encryption-Types = 0x00000006

Finished request 0.

 

So LDAP seems ok.

 

But doing a EAP-TTLS-PAP produces results below :

Should I change something in the EAP.conf file ?

                ttls {

                        default_eap_type = md5

                        copy_request_to_tunnel = no

                        use_tunneled_reply = no

                        virtual_server = "inner-tunnel"

        }

 

THX in advance guys !

 

Ready to process requests.

rad_recv: Access-Request packet from host 192.168.63.144 port 32869, id=0, length=123

        User-Name = "arjan"

        NAS-IP-Address = 192.168.63.144

        Called-Station-Id = "20aa4b81f8a3"

        Calling-Station-Id = "64a769fde8c7"

        NAS-Identifier = "20aa4b81f8a3"

        NAS-Port = 18

        Framed-MTU = 1400

        NAS-Port-Type = Wireless-802.11

        EAP-Message = 0x0200000a0161726a616e

        Message-Authenticator = 0x2f7a9f1fe7f8586e05b801511990fa64

# Executing section authorize from file /etc/freeradius/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

++[digest] returns noop

[suffix] No '@' in User-Name = "arjan", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

[eap] EAP packet type response id 0 length 10

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

++[files] returns noop

[ldap] performing user authorization for arjan

[ldap]  expand: %{Stripped-User-Name} ->

[ldap]  ... expanding second conditional

[ldap]  expand: %{User-Name} -> arjan

[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=arjan)

[ldap]  expand: ou=Users,dc=mysite,dc=nl -> ou=Users,dc=mysite,dc=nl

  [ldap] ldap_get_conn: Checking Id: 0

  [ldap] ldap_get_conn: Got Id: 0

  [ldap] attempting LDAP reconnection

  [ldap] (re)connect to ldapserv.mysite.nl:389, authentication 0

  [ldap] bind as cn=admin,dc=mysite,dc=nl/Mypassword^3 to ldapserv.mysite.nl:389

  [ldap] waiting for bind result ...

  [ldap] Bind was successful

  [ldap] performing search in ou=Users,dc=mysite,dc=nl, with filter (uid=arjan)

[ldap] No default NMAS login sequence

[ldap] looking for check items in directory...

  [ldap] userPassword -> Password-With-Header == "{SSHA}EO6u+XXXXXXXXXXXXXXXXXXX9CVEpL"

  [ldap] sambaNtPassword -> NT-Password == 0x323444323XXXXXXXXXXXXXXXXXXX136453246

  [ldap] sambaLmPassword -> LM-Password == 0x4437314142XXXXXXXXXXXXXXXXXXX7343541363935

[ldap] looking for reply items in directory...

[ldap] user arjan authorized to use remote access

  [ldap] ldap_release_conn: Release Id: 0

++[ldap] returns ok

++[expiration] returns noop

++[logintime] returns noop

[pap] Normalizing NT-Password from hex encoding

[pap] Normalizing LM-Password from hex encoding

[pap] Normalizing SSHA1-Password from base64 encoding

[pap] WARNING: Auth-Type already set.  Not setting to PAP

++[pap] returns noop

Found Auth-Type = EAP

# Executing group from file /etc/freeradius/sites-enabled/default

+- entering group authenticate {...}

[eap] EAP Identity

[eap] processing type tls

[tls] Initiate

[tls] Start returned 1

++[eap] returns handled

Sending Access-Challenge of id 0 to 192.168.63.144 port 32869

        EAP-Message = 0x010100061520

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0xb4cfcc79b4ced9bce030871567d52b3d

Finished request 0.

Going to the next request

Waking up in 4.9 seconds.

rad_recv: Access-Request packet from host 192.168.63.144 port 32869, id=0, length=327

Cleaning up request 0 ID 0 with timestamp +41

        User-Name = "arjan"

        NAS-IP-Address = 192.168.63.144

        Called-Station-Id = "20aa4b81f8a3"

        Calling-Station-Id = "64a769fde8c7"

        NAS-Identifier = "20aa4b81f8a3"

        NAS-Port = 18

        Framed-MTU = 1400

        State = 0xb4cfcc79b4ced9bce030871567d52b3d

        NAS-Port-Type = Wireless-802.11

        EAP-Message = 0x020100c4150016030100b9010000b5030154a9bcfe6fc055caad760b07efb122cc8df68813c63eaf12f11c3c770607a803000048c014c00a00390038c00fc0050035c012c00800160013c00dc003000ac013c00900330032c00ec004002fc011c007c00cc002000500040015001200090014001100080006000300ff01000044000b000403000102000a00340032000100020003000400050006000700080009000a000b000c000d000e000f001000110012001300140015001600170018001900230000

        Message-Authenticator = 0xa56f2ecfe109fcdef933ff8083a95981

# Executing section authorize from file /etc/freeradius/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

++[digest] returns noop

[suffix] No '@' in User-Name = "arjan", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

[eap] EAP packet type response id 1 length 196

[eap] Continuing tunnel setup.

++[eap] returns ok

Found Auth-Type = EAP

# Executing group from file /etc/freeradius/sites-enabled/default

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/ttls

[eap] processing type ttls

[ttls] Authenticate

[ttls] processing EAP-TLS

[ttls] eaptls_verify returned 7

[ttls] Done initial handshake

[ttls]     (other): before/accept initialization

[ttls]     TLS_accept: before/accept initialization

[ttls] <<< TLS 1.0 Handshake [length 00b9], ClientHello

[ttls]     TLS_accept: SSLv3 read client hello A

[ttls] >>> TLS 1.0 Handshake [length 0039], ServerHello

[ttls]     TLS_accept: SSLv3 write server hello A

[ttls] >>> TLS 1.0 Handshake [length 080c], Certificate

[ttls]     TLS_accept: SSLv3 write certificate A

[ttls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange

[ttls]     TLS_accept: SSLv3 write key exchange A

[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone

[ttls]     TLS_accept: SSLv3 write server done A

[ttls]     TLS_accept: SSLv3 flush data

[ttls]     TLS_accept: Need to read more data: SSLv3 read client certificate A

In SSL Handshake Phase

In SSL Accept mode

[ttls] eaptls_process returned 13

++[eap] returns handled

Sending Access-Challenge of id 0 to 192.168.63.144 port 32869

        EAP-Message = 0x0102040015c0000009a81603010039020000350301f859cacda779f3daccc335ce2f05951a6ebd8553a22fcdddd9e3f970f333aa8400c01400000dff01000100000b000403000102160301080c0b00080800080500040830820404308202eca003020102020101300d06092a864886f70d01010b050030818f310b3009060355040613024e4c310b300906035504080c024e48310f300d06035504070c064865696c6f6f31123010060355040a0c09417564696f64756465310b3009060355040b0c024954311e301c06035504030c156c646170736572762e617564696f647564652e6e6c3121301f06092a864886f70d010901161261726a616e4061

        EAP-Message = 0x7564696f647564652e6e6c301e170d3134313131373232353630335a170d3334313131323232353630335a307e310b3009060355040613024e4c310b300906035504080c024e4831123010060355040a0c09417564696f64756465310b3009060355040b0c024954311e301c06035504030c156c646170736572762e617564696f647564652e6e6c3121301f06092a864886f70d010901161261726a616e40617564696f647564652e6e6c30820122300d06092a864886f70d01010105000382010f003082010a0282010100f4640f19e08fb8869b72176e11694ec277cb35f285ff090219a6ca6f27b8150cd9f667e29ace92c495715bb27dcae8e66d

        EAP-Message = 0x7dd93ef3160790f4ee9d86b43d7a5e80b1c90848a4be5fbd8ecbf36eba46dc440fdb23fc79ea81083d52362e2b34f54b3ba959e16dc547acb3956bdb93002efe024c319ccb199a18d681aad0abb92dbac30a074424daea0c853db8877502b69fb32eead1c8772a1549bf4a317fad2a0697302694063eea7a3ca3bb8c5f3393176a0c3be75e11fd8f18f01acd79a4c64e5e21531c69546c47ee2aa72b053eec7ab9bc74f59c14fddaf5ad3cbbdd70bbf1535a5bde27017f170fc0f1f29a6945f39e1ec5413ce927b5465de6d24180850203010001a37b307930090603551d1304023000302c06096086480186f842010d041f161d4f70656e53534c2047

        EAP-Message = 0x656e657261746564204365727469666963617465301d0603551d0e041604140737387034b41501c039af30da0610a01696e022301f0603551d23041830168014ced3e4ed5350edb0ae3d88f9fa1864647b84a63d300d06092a864886f70d01010b05000382010100bd4eb2a878d181e7b59b5791af99a3bf420aef6187859901d5b7a07d839b8ebde91cd7201db875f6211c112f8926c3624dc4600dd1d9935ed74b58664f7a81d38313240da1683fa8cfb5091ffb0f9156533147296da74a0acb439ab955a108a2d07461921bd1715f2c8a76d9d1d9031be91afbc0062c9b3b8e2b1bf856628b8a9d63a7119b8f8b76bf895e7be163269baea4602221

        EAP-Message = 0xcd9d8cef411761a8d4ef22af

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0xb4cfcc79b5cdd9bce030871567d52b3d

Finished request 1.

Going to the next request

Waking up in 4.9 seconds.

rad_recv: Access-Request packet from host 192.168.63.144 port 32869, id=0, length=309

Cleaning up request 1 ID 0 with timestamp +41

        User-Name = "arjan"

        NAS-IP-Address = 192.168.63.144

        Called-Station-Id = "20aa4b81f8a3"

        Calling-Station-Id = "64a769fde8c7"

        NAS-Identifier = "20aa4b81f8a3"

        NAS-Port = 18

        Framed-MTU = 1400

        NAS-Port-Type = Wireless-802.11

        EAP-Message = 0x020100c4150016030100b9010000b5030154a9bcfe6fc055caad760b07efb122cc8df68813c63eaf12f11c3c770607a803000048c014c00a00390038c00fc0050035c012c00800160013c00dc003000ac013c00900330032c00ec004002fc011c007c00cc002000500040015001200090014001100080006000300ff01000044000b000403000102000a00340032000100020003000400050006000700080009000a000b000c000d000e000f001000110012001300140015001600170018001900230000

        Message-Authenticator = 0x3e826a011acf3c3c7c4ee12c132df594

# Executing section authorize from file /etc/freeradius/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

++[digest] returns noop

[suffix] No '@' in User-Name = "arjan", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

[eap] EAP packet type response id 1 length 196

[eap] Continuing tunnel setup.

++[eap] returns ok

Found Auth-Type = EAP

# Executing group from file /etc/freeradius/sites-enabled/default

+- entering group authenticate {...}

[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request

[eap] Failed in handler

++[eap] returns invalid

Failed to authenticate the user.

Using Post-Auth-Type Reject

# Executing group from file /etc/freeradius/sites-enabled/default

+- entering group REJECT {...}

[attr_filter.access_reject]     expand: %{User-Name} -> arjan

attr_filter: Matched entry DEFAULT at line 11

++[attr_filter.access_reject] returns updated

Delaying reject of request 2 for 1 seconds

Going to the next request

Waking up in 0.9 seconds.

Sending delayed reject for request 2

Sending Access-Reject of id 0 to 192.168.63.144 port 32869