Am 26.11.2016 um 16:33 schrieb Alan DeKok:
I played around with ttls and md or gtc, inserted perl in authorized section and so on, nothing worked. Trying random things isn't a good way to solve problems. It's best to understand how things work.
In this case, the EAP module handles the outer tunnel. If the inner-tunnel authentication contains PAP, you can put the "perl" module into the authenticate section, as:
authenticate { ...
Auth-Type PAP { perl }
... }
Which is probably the simplest thing to do. EAP-GTC will work, too, but why do that when you have PAP?
Thanks for your explanations! I set this on the inner-tunnel but it still doesn't work. Now I can see the password (OTP Key) but still doesn't get forwarded to the perl plugin. # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request User-Name = "user" User-Password = "123456" FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request User-Name = "user" User-Password = "123456" FreeRADIUS-Proxied-To = 127.0.0.1 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop rlm_perl: Added pair User-Name = user rlm_perl: Added pair User-Password = 123456 rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1 ++[perl] = ok ++[chap] = noop ++[mschap] = noop [suffix] No '@' in User-Name = "user", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop ++update control { ++} # update control = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = ok ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> user attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated } # server inner-tunnel [ttls] Got tunneled reply code 3 [ttls] Got tunneled Access-Reject [eap] Handler failed in EAP/ttls [eap] Failed in EAP select ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> user attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 9 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 9 Sending Access-Reject of id 14 to 81.24.74.3 port 42084 EAP-Message = 0x04040004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 5 ID 10 with timestamp +31 I've added Freeradius for Beginners book to my Safari Queue :) The "problem" with Freeradius is, that you search for a problem, add the related part and it works for ages. So there was no reason to dive into the insights, but this one seems to be quite more complex. Really appreciate your help, thank you! Michael
As for the other authentication methods, see:
http://deployingradius.com/documents/protocols/compatibility.html
You just cannot use anything other than PAP with Perl. At least, in the way you want to do.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- www.muenz-it.de - Cisco, Linux, Networks