Thanks Alan Yes I did that in the defaut server I put in the post-auth, a condition depending of my realm like if ( &reply:Realm != "mydomain.ex" ) { update { &reply:Tunnel-Private-Group-Id := 143 } } elsif ( .... and It works, in the inner-tunnerl I put condition to specifiy a VLAN according to LDAP-attribute ( only for internal users ) like : if (&outer.session-state:LDAP-Desc == "employee") { update outer.session-state { &Tunnel-Private-Group-Id := 142 } } elsif (...... and It works too. If I try with eapol_test : eapol_test -c eapol_student -p1812 -smysecret -r1 with eapol_stutdent = network={ eap=PEAP eapol_flags=0 key_mgmt=IEEE8021X identity="teststudent@univ-brest.fr" password="a1z2e3r4*" phase2="auth=MSCHAPV2" } It works I joined the first debug (radius -X ) of this command and the results for eapol_test is :........ EAPOL: SUPP_BE entering state IDLE eapol_sm_cb: success=1 EAPOL: Successfully fetched key (len=32) PMK from EAPOL - hexdump(len=32): a4 c1 e3 f6 68 80 9a 8e c5 65 69 44 dd 1a 70 10 b6 f6 69 53 53 17 b4 a2 14 8d f1 66 2d aa 72 fa EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit ENGINE: engine deinit MPPE keys OK: 2 mismatch: 0 SUCCESS But If I try [root@freeradius-3-a test]# radtest -t mschap teststudent 'a1z2e3r4*' 127.0.0.1:18120 0 mysecret Sent Access-Request Id 176 from 0.0.0.0:40417 to 127.0.0.1:18120 length 137 User-Name = "teststudent" MS-CHAP-Password = "a1z2e3r4*" NAS-IP-Address = 195.83.247.135 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "a1z2e3r4*" MS-CHAP-Challenge = 0xb835226cb6ade5e0 MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000008062fbf5061e27dcc5038f6ad7105d9486d9df3efc9813c5 Received Access-Reject Id 176 from 127.0.0.1:18120 to 0.0.0.0:0 length 20 (0) -: Expected Access-Accept got Access-Reject I joined the second debug file too. It's the same result for internal or external users, it failed. I would like to understand why I got this error with radtest even if it works well with wifi device or eapol_test. I noticed that when I configured steps by steps my radius, at the beginning , I didn't affected a VLAN in the default and inner-tunnel. I didn't configure the post_auth section and so I didn't use update outer.session-state and update block. At this time, my tests with a device, eapol_test and radtest with the same command line worked, when I added the option to update block in the inner-tunnel update { &outer.session-state: += &reply: } + update outer.session-state { MS-MPPE-Encryption-Policy...... my tests failed with the radtest command and still worked withe the device and eapo_test. So I have a doubt with my configuration any advice will be appreciate. I would like to be sure of my configuration before using it in production or can I used it like that. Michel Quoting Alan Buxey <alan.buxey@gmail.com>:
PEAP etc use inner-tunnel, radtest is just a PAP or MSCHAP method, without any EAP so it doesnt use inner-tunnel....and therefore will use whatever auth methods you only have in the outer phase (in 'default' server with a default install) - you could try using eg eapol_test (part of wpa_supplicant) - or, use radtest against the direct inner-tunnel listener - read the inner-tunnel config..it has a listen on localhost 18121 or 18120 or such.... direct your radtest to that.
note that this config wont work if you have real external users (ie users that you proxy off to a remote RADIUS server - eg in eduroam - for that you need to also look at setting VLANs in the post-auth outer phase (or dont assign a VLAN and hope your kit drops people correctly onto a predefined default vlan.
alan
On 28 April 2017 at 22:06, Michel Villeneuve <Michel.Villeneuve@univ-brest.fr> wrote:
Hi,
I use freeradius-3.0.12 on centos 7.3 with an openldap 2.4 and a samba attribute EAP / PEAP authentication MSCHAPV2.
I want to authentificate and authorize users according to their attribute on the LDAP. I created an attribute LDAP-Desc mapped with the field eduPersonPrimaryAffilation on my LDAP. I want to put user on specific VLAN if they are students, employee .... or outer people.
For that I use in the inner-tunnel the capabilities to return AVP like Tunnel-Private-Group-Id with the good value .
It's work very well, for internal and also for external people. I tested also the realm value in the default server and I put also the good Tunnel-Private-Group-Id depending the value of realm. It's work with device like smartphone, pc ... and also with the command.
eapol_test -c afile -p1812 -smysecret -r1
Everything seems good but not when I use radtest command
I can't authentificate internal or external people with the test command radtest
[root@freeradius-3-a test]# radtest 'teststudent' 'a1z2e3r4*' localhost 1812 mysecret
Sent Access-Request Id 154 from 0.0.0.0:54585 to 127.0.0.1:1812 length 81 User-Name = "teststudent" User-Password = "a1z2e3r4*" NAS-IP-Address = 195.83.247.135 NAS-Port = 1812 Message-Authenticator = 0x00 Cleartext-Password = "a1z2e3r4*" Received Access-Reject Id 154 from 127.0.0.1:1812 to 0.0.0.0:0 length 20 (0) -: Expected Access-Accept got Access-Reject
nor
radtest -t mschap 'teststudent' 'a1z2e3r4*' 127.0.0.1:18120 1 mysecret
I got ot@freeradius-3-a test]# radtest -t mschap 'teststudent' 'secret' 127.0.0.1:18120 1 mysecret Sent Access-Request Id 129 from 0.0.0.0:34088 to 127.0.0.1:18120 length 137 User-Name = "teststudent" MS-CHAP-Password = "a1z2e3r4*" NAS-IP-Address = 195.83.247.135 NAS-Port = 1 Message-Authenticator = 0x00 Cleartext-Password = "secret" MS-CHAP-Challenge = 0x3a7dd0c59a922170 MS-CHAP-Response =
0x0001000000000000000000000000000000000000000000000000ae872e407e206d5579b1515fbf4e92f594e5c5e66739c6e7
Received Access-Reject Id 129 from 127.0.0.1:18120 to 0.0.0.0:0 length 20 (0) -: Expected Access-Accept got Access-Reject
Perhaps the problem comes from /etc/raddb/mods-enabled/mschap files and I tried differents values with no good results.
mschap { with_ntdomain_hack = no #authtype = MS-CHAP allow_retry = yes use_mppe=yes require_encryption = yes require_strong = yes ..... I am not sure about the good values needing for this section. I would like to have an advice before using this configuration in production environment.
here a debug with a Successful results
Thanks in advance for you help
PS: sorry for my english I hope it's comprehensible. -- Michel Villeneuve Tel 02 98 01 71 61
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Michel Villeneuve Tel 02 98 01 71 61