Hi again, now the LOCAL and NOT local domain (=proxied) connection works, almost... Description: EAP-TTLS-PAP with Windows W2 Secure client. 1. If LOCAL domain then authenticate against (local) LDAP = This works. 2. If OTHER domain (SECURACCESS) terminate EAP tunnel and proxy only PAP and authenticate against other only PAP Radius.. = Doesn´t work... Problem: The proxied PAP doesn´t work due to the User Password... Output below: ========== radiusd.conf =========================================================================================================== ... modules { pap { auto_header = yes } chap { authtype = CHAP } pam { pam_auth = radiusd } unix { cache = no cache_reload = 600 radwtmp = ${logdir}/radwtmp } $INCLUDE ${confdir}/eap.conf mschap { use_mppe = yes require_encryption = yes require_strong = yes } ldap { server = "192.168.1.71" identity = "cn=admin,o=Contonso" password = "toor" basedn = "o=Contonso" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" start_tls = yes tls_mode = no tls_cacertfile = /etc/raddb/certs/eDirCerts/edirectory_ROOT_Cert_DER.pem dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 password_attribute = nspmPassword tls_require_cert = "allow" timeout = 4 timelimit = 3 net_timeout = 1 port = 389 edir_account_policy_check=yes } realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = yes } realm ntdomain { format = prefix delimiter = "\\" ignore_default = no ignore_null = yes } ... authorize { preprocess chap mschap suffix ntdomain eap files ldap pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix Auth-Type LDAP { ldap } eap } post-auth { ldap Post-Auth-Type REJECT { ldap } } ===ENDradiusd.conf========================================================== ======== Proxy.conf ==================================================================== realm NULL { type = radius authhost = LOCAL accthost = LOCAL } realm LOCAL { type = radius authhost = LOCAL accthost = LOCAL } realm DOMAIN { type = radius authhost = LOCAL accthost = LOCAL } realm SECURACCESS { type = radius authhost = 192.168.1.75:1812 accthost = 192.168.1.75:1813 secret = toor # nostrip } ==================================================================== ======= eap.conf ===================================================================== eap { default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } leap { } gtc { auth_type = PAP } tls { private_key_password = password private_key_file = ${raddbdir}/certs/jaysCA2/osuse-freeradius/server_keycert.pem certificate_file = ${raddbdir}/certs/jaysCA2/osuse-freeradius/server_keycert.pem CA_file = ${raddbdir}/certs/jaysCA2/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random fragment_size = 1024 include_length = yes } ttls { default_eap_type = md5 #Tried the = gtc as well ;-) copy_request_to_tunnel = yes use_tunneled_reply = yes } peap { default_eap_type = mschapv2 proxy_tunneled_request_as_eap = no } mschapv2 { } } ===ENDEAP================================================================= ========= clients.conf =============================================== client 192.168.1.0/24 { secret = toor shortname = private-network-1 } ================================================ ==== users =========================================================================== DEFAULT FreeRADIUS-Proxied-To !* 127.0.0.1, Proxy-To-Realm := LOCAL SECURACCESS FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := "SECURACCESS" ==ENDusers=================================================================== ======== output: =================================================== Mon Feb 4 13:03:46 2008 : Debug: Module: Instantiated radutmp (radutmp) Mon Feb 4 13:03:46 2008 : Debug: Listening on authentication *:1812 Mon Feb 4 13:03:46 2008 : Debug: Listening on accounting *:1813 Mon Feb 4 13:03:46 2008 : Debug: Listening on proxy *:1814 Mon Feb 4 13:03:46 2008 : Info: Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.150:32797, id=185, length=199 User-Name = "joakimlindgren@SECURACCESS" NAS-IP-Address = 192.168.1.73 NAS-Port = 1 NAS-Identifier = "10" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "0012793DFC0C" Called-Station-Id = "000B86600A58" Framed-MTU = 1100 EAP-Message = 0x0201001f016a6f616b696d6c696e646772656e405345435552414343455353 Aruba-Essid-Name = "demo-wpa-aes-eap-radius" Aruba-Location-Id = "1.1.1" Message-Authenticator = 0x4a71e7a8e828c5fbfeba6f153ee22c40 Mon Feb 4 13:04:03 2008 : Debug: Processing the authorize section of radiusd.conf Mon Feb 4 13:04:03 2008 : Debug: modcall: entering group authorize for request 0 Mon Feb 4 13:04:03 2008 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0 Mon Feb 4 13:04:03 2008 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0 Mon Feb 4 13:04:03 2008 : Debug: modcall[authorize]: module "preprocess" returns ok for request 0 Mon Feb 4 13:04:03 2008 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 0 Mon Feb 4 13:04:03 2008 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 0 Mon Feb 4 13:04:03 2008 : Debug: modcall[authorize]: module "chap" returns noop for request 0 Mon Feb 4 13:04:03 2008 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 0 Mon Feb 4 13:04:03 2008 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 0 Mon Feb 4 13:04:03 2008 : Debug: modcall[authorize]: module "mschap" returns noop for request 0 Mon Feb 4 13:04:03 2008 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 0 Mon Feb 4 13:04:03 2008 : Debug: rlm_realm: Looking up realm "SECURACCESS" for User-Name = "joakimlindgren@SECURACCESS" Mon Feb 4 13:04:03 2008 : Debug: rlm_realm: Found realm "SECURACCESS" Mon Feb 4 13:04:03 2008 : Debug: rlm_realm: Adding Stripped-User-Name = "joakimlindgren" Mon Feb 4 13:04:03 2008 : Debug: rlm_realm: Proxying request from user joakimlindgren to realm SECURACCESS Mon Feb 4 13:04:03 2008 : Debug: rlm_realm: Adding Realm = "SECURACCESS" Mon Feb 4 13:04:03 2008 : Debug: rlm_realm: Preparing to proxy authentication request to realm "SECURACCESS" Mon Feb 4 13:04:03 2008 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 0 Mon Feb 4 13:04:03 2008 : Debug: modcall[authorize]: module "suffix" returns updated for request 0 Mon Feb 4 13:04:03 2008 : Debug: modsingle[authorize]: calling ntdomain (rlm_realm) for request 0 Mon Feb 4 13:04:03 2008 : Debug: rlm_realm: Request already proxied. Ignoring. Mon Feb 4 13:04:03 2008 : Debug: modsingle[authorize]: returned from ntdomain (rlm_realm) for request 0 Mon Feb 4 13:04:03 2008 : Debug: modcall[authorize]: module "ntdomain" returns noop for request 0 Mon Feb 4 13:04:03 2008 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0 Mon Feb 4 13:04:03 2008 : Debug: rlm_eap: Request is supposed to be proxied to Realm SECURACCESS. Not doing EAP. Mon Feb 4 13:04:03 2008 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0 Mon Feb 4 13:04:03 2008 : Debug: modcall[authorize]: module "eap" returns noop for request 0 Mon Feb 4 13:04:03 2008 : Debug: modsingle[authorize]: calling files (rlm_files) for request 0 Mon Feb 4 13:04:03 2008 : Debug: users: Matched entry DEFAULT at line 209 Mon Feb 4 13:04:03 2008 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 0 Mon Feb 4 13:04:03 2008 : Debug: modcall[authorize]: module "files" returns ok for request 0 Mon Feb 4 13:04:03 2008 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 0 Mon Feb 4 13:04:03 2008 : Debug: rlm_ldap: - authorize Mon Feb 4 13:04:03 2008 : Debug: rlm_ldap: performing user authorization for joakimlindgren Mon Feb 4 13:04:03 2008 : Debug: radius_xlat: '(uid=joakimlindgren)' Mon Feb 4 13:04:03 2008 : Debug: radius_xlat: 'o=Contonso' Mon Feb 4 13:04:03 2008 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0 Mon Feb 4 13:04:03 2008 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0 Mon Feb 4 13:04:03 2008 : Debug: rlm_ldap: attempting LDAP reconnection Mon Feb 4 13:04:03 2008 : Debug: rlm_ldap: (re)connect to 192.168.1.71:389, authentication 0 Mon Feb 4 13:04:03 2008 : Debug: rlm_ldap: setting TLS CACert File to /etc/raddb/certs/eDirCerts/edirectory_ROOT_Cert_DER.pem Mon Feb 4 13:04:03 2008 : Debug: rlm_ldap: starting TLS Mon Feb 4 13:04:03 2008 : Debug: rlm_ldap: bind as cn=admin,o=Contonso/toor to 192.168.1.71:389 Mon Feb 4 13:04:03 2008 : Debug: rlm_ldap: waiting for bind result ... Mon Feb 4 13:04:03 2008 : Debug: rlm_ldap: Bind was successful Mon Feb 4 13:04:03 2008 : Debug: rlm_ldap: performing search in o=Contonso, with filter (uid=joakimlindgren) Mon Feb 4 13:04:04 2008 : Debug: rlm_ldap: Added the eDirectory password in check items Mon Feb 4 13:04:04 2008 : Debug: rlm_ldap: looking for check items in directory... Mon Feb 4 13:04:04 2008 : Debug: rlm_ldap: looking for reply items in directory... Mon Feb 4 13:04:04 2008 : Debug: rlm_ldap: user joakimlindgren authorized to use remote access Mon Feb 4 13:04:04 2008 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Mon Feb 4 13:04:04 2008 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 0 Mon Feb 4 13:04:04 2008 : Debug: modcall[authorize]: module "ldap" returns ok for request 0 Mon Feb 4 13:04:04 2008 : Debug: modsingle[authorize]: calling pap (rlm_pap) for request 0 Mon Feb 4 13:04:04 2008 : Debug: rlm_pap: No clear-text password in the request. Not performing PAP. Mon Feb 4 13:04:04 2008 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 0 Mon Feb 4 13:04:04 2008 : Debug: modcall[authorize]: module "pap" returns noop for request 0 Mon Feb 4 13:04:04 2008 : Debug: modcall: leaving group authorize (returns updated) for request 0 Mon Feb 4 13:04:04 2008 : Debug: WARNING: You set Proxy-To-Realm = LOCAL, but it is a LOCAL realm! Cancelling invalid proxy request. Mon Feb 4 13:04:04 2008 : Debug: auth: type Local Mon Feb 4 13:04:04 2008 : Debug: auth: No User-Password or CHAP-Password attribute in the request Mon Feb 4 13:04:04 2008 : Debug: auth: Failed to validate the user. Mon Feb 4 13:04:04 2008 : Auth: Login incorrect: [joakimlindgren/<no User-Password attribute>] (from client Aruba-vlan-2 port 1 cli 0012793DFC0C) Mon Feb 4 13:04:04 2008 : Debug: Found Post-Auth-Type Mon Feb 4 13:04:04 2008 : Debug: Processing the post-auth section of radiusd.conf Mon Feb 4 13:04:04 2008 : Debug: modcall: entering group REJECT for request 0 Mon Feb 4 13:04:04 2008 : Debug: modsingle[post-auth]: calling ldap (rlm_ldap) for request 0 Mon Feb 4 13:04:04 2008 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0 Mon Feb 4 13:04:04 2008 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0 Mon Feb 4 13:04:04 2008 : Debug: rlm_ldap: attempting LDAP reconnection Mon Feb 4 13:04:04 2008 : Debug: rlm_ldap: (re)connect to 192.168.1.71:389, authentication 0 Mon Feb 4 13:04:04 2008 : Debug: rlm_ldap: setting TLS CACert File to /etc/raddb/certs/eDirCerts/edirectory_ROOT_Cert_DER.pem Mon Feb 4 13:04:04 2008 : Debug: rlm_ldap: starting TLS Mon Feb 4 13:04:04 2008 : Debug: rlm_ldap: bind as cn=joakimlindgren,o=Contonso/aassword to 192.168.1.71:389 Mon Feb 4 13:04:04 2008 : Debug: rlm_ldap: waiting for bind result ... Mon Feb 4 13:04:08 2008 : Debug: rlm_ldap: ldap_result() Mon Feb 4 13:04:08 2008 : Error: rlm_ldap: cn=joakimlindgren,o=Contonso bind to 192.168.1.71:389 failed: timeout Mon Feb 4 13:04:08 2008 : Error: rlm_ldap: eDirectory account policy check failed. Mon Feb 4 13:04:08 2008 : Debug: rlm_ldap: Mon Feb 4 13:04:08 2008 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Mon Feb 4 13:04:08 2008 : Debug: modsingle[post-auth]: returned from ldap (rlm_ldap) for request 0 Mon Feb 4 13:04:08 2008 : Debug: modcall[post-auth]: module "ldap" returns reject for request 0 Mon Feb 4 13:04:08 2008 : Debug: modcall: leaving group REJECT (returns reject) for request 0 Mon Feb 4 13:04:08 2008 : Debug: Cancelling proxy as request was already rejected Mon Feb 4 13:04:08 2008 : Debug: Request 0 rejected in proxy_send. Mon Feb 4 13:04:08 2008 : Debug: Server rejecting request 0. Mon Feb 4 13:04:08 2008 : Debug: Finished request 0 Mon Feb 4 13:04:08 2008 : Debug: Going to the next request Mon Feb 4 13:04:08 2008 : Debug: --- Walking the entire request list --- Mon Feb 4 13:04:08 2008 : Debug: Waking up in 1 seconds... rad_recv: Access-Request packet from host 192.168.1.150:32797, id=185, length=199 Sending Access-Reject of id 185 to 192.168.1.150 port 32797 Reply-Message = "" Mon Feb 4 13:04:08 2008 : Debug: --- Walking the entire request list --- Mon Feb 4 13:04:08 2008 : Debug: Waking up in 1 seconds... Mon Feb 4 13:04:09 2008 : Debug: --- Walking the entire request list --- Mon Feb 4 13:04:09 2008 : Debug: Cleaning up request 0 ID 185 with timestamp 47a6ff33 Mon Feb 4 13:04:09 2008 : Debug: Nothing to do. Sleeping until we see a request. ===ENDoutput============================================================================= ======== My thoughts about the output: ==========================================
Mon Feb 4 13:04:03 2008 : Debug: rlm_eap: Request is supposed to be proxied to Realm >SECURACCESS. Not doing EAP.
Detects that we want to proxy domain SECURACCESS. Terminate EAP and only proxy PAP.
Mon Feb 4 13:04:03 2008 : Debug: modsingle[authorize]: calling files (rlm_files) for request 0 Mon Feb 4 13:04:03 2008 : Debug: users: Matched entry DEFAULT at line 209 Mon Feb 4 13:04:03 2008 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 0 Mon Feb 4 13:04:03 2008 : Debug: modcall[authorize]: module "files" returns ok for request 0
Found the DEFAULT entry in users: DEFAULT FreeRADIUS-Proxied-To !* 127.0.0.1, Proxy-To-Realm := LOCAL
Mon Feb 4 13:04:03 2008 : Debug: rlm_ldap: - authorize Mon Feb 4 13:04:03 2008 : Debug: rlm_ldap: performing user authorization for joakimlindgren Mon Feb 4 13:04:03 2008 : Debug: radius_xlat: '(uid=joakimlindgren)' Mon Feb 4 13:04:03 2008 : Debug: radius_xlat: 'o=Contonso' ... Mon Feb 4 13:04:03 2008 : Debug: rlm_ldap: waiting for bind result ... Mon Feb 4 13:04:03 2008 : Debug: rlm_ldap: Bind was successful Mon Feb 4 13:04:03 2008 : Debug: rlm_ldap: performing search in o=Contonso, with filter >(uid=joakimlindgren) Mon Feb 4 13:04:04 2008 : Debug: rlm_ldap: Added the eDirectory password in check items Mon Feb 4 13:04:04 2008 : Debug: rlm_ldap: looking for check items in directory... Mon Feb 4 13:04:04 2008 : Debug: rlm_ldap: looking for reply items in directory... Mon Feb 4 13:04:04 2008 : Debug: rlm_ldap: user joakimlindgren authorized to use remote access Mon Feb 4 13:04:04 2008 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Mon Feb 4 13:04:04 2008 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 0 Mon Feb 4 13:04:04 2008 : Debug: modcall[authorize]: module "ldap" returns ok for request 0
Authorizing user joakimlindgren in Novell eDIrectory LDAP...
Mon Feb 4 13:04:04 2008 : Debug: modsingle[authorize]: calling pap (rlm_pap) for request 0 Mon Feb 4 13:04:04 2008 : Debug: rlm_pap: No clear-text password in the request. Not performing PAP.
Not finding a clear-text password? Why can´t it suddenly use the password stored in the eDirectory (Stored as clear-text?).
Mon Feb 4 13:04:04 2008 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 0 Mon Feb 4 13:04:04 2008 : Debug: modcall[authorize]: module "pap" returns noop for request 0 Mon Feb 4 13:04:04 2008 : Debug: modcall: leaving group authorize (returns updated) for request 0 Mon Feb 4 13:04:04 2008 : Debug: WARNING: You set Proxy-To-Realm = LOCAL, but it is a LOCAL >realm! Cancelling invalid proxy request.
Only a warning right?
Mon Feb 4 13:04:04 2008 : Debug: auth: type Local Mon Feb 4 13:04:04 2008 : Debug: auth: No User-Password or CHAP-Password attribute in the request
Failed due to not finding a User-Password...Why?
Mon Feb 4 13:04:04 2008 : Debug: auth: Failed to validate the user.
// Thanks Ivan Kalik wrote:
Eap-Type != peap. Local ones are using PEAP and remote EAP-TTLS/PAP, right?
Ivan Kalik Kalik Informatika ISP
Dana 2/2/2008, "Jayal1972" <joakim.lindgren@gmail.com> piše:
Hi again,
I mean: how to detect a special name in the request. And to NOT proxy
local
calls... Is my configuration OK?
// J
Jayal1972 wrote:
Hi Ivan, I can´t thank you enough for the help.
Have different names for a server realm and user domain so you can
choose
when to proxy.
Could you please leave me a hont how to do that.
Why doesn´t it do PAP? When the connection reach the home server it´s encrypted?
// J
Ivan Kalik wrote:
All users found with SECURACCESS domain in name i.e.
"anyname@SECURACCESS".
Proxy them with PAP authentication to "SECURACCCESS" domain IP address mentioned in proxy.conf.
Fall-Through := No
If SECURACCESS domain found in User-Name "anyname@SECURACCESS" stop after proxying.
So I want to END all EAP tunnels at proxy for ALL domains. Authenticate with LDAP except for SECURACCESS domain. IF SECURACCESS domain found, proxy only PAP further (to IP address mentioned in proxy.conf).
Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 0 Fri Feb 1 18:49:26 2008 : Debug: rlm_realm: Looking up realm "SECURACCESS" for User-Name = >"joakimlindgren@SECURACCESS" Fri Feb 1 18:49:26 2008 : Debug: rlm_realm: Found realm "SECURACCESS"
So here we found SECURACCESS domain name in User-Name:
Fri Feb 1 18:49:26 2008 : Debug: rlm_realm: Adding Stripped-User-Name = "joakimlindgren" Fri Feb 1 18:49:26 2008 : Debug: rlm_realm: Proxying request from user joakimlindgren to realm >SECURACCESS Fri Feb 1 18:49:26 2008 : Debug: rlm_realm: Adding Realm = "SECURACCESS" Fri Feb 1 18:49:26 2008 : Debug: rlm_realm: Preparing to proxy authentication request to realm "SECURACCESS"
Where proxying the request to ip address mentioned in proxy.conf (but here we don�´t end the EAP?)
Have different names for a server realm and user domain so you can choose when to proxy. Leave user as user@SECURACCESS; configure SECURACCESS to be a LOCAL realm; configure home server realm as SECURE and proxy to that one.
Again, you should think about 2.0.1 where you can define one virtual server to deal with @SECURACCESS requests and another for others.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Terminate-EAP-PEAP-client-connection-at-FreeRadius-Pro... Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Terminate-EAP-PEAP-client-connection-at-FreeRadius-Pro... Sent from the FreeRadius - User mailing list archive at Nabble.com.