Hi list! Recently upgraded from 1.1.3 to 1.1.4 to support EAP-PEAP for Windows Vista clients. That works fine but now I got problems with missing reply attributes for Mac OSX clients using EAP-TTLS. FreeRADIUS sends an Access-Challenge with the correct attributes but they are missing from the final Access-Accept. If I use eapol_test client it works fine. I used the freeradius.spec file for Suse to build the server. The file is for 1.1.3. I simply changed the version number to 1.1.4. Here is the debug output from OSX. -------------- modcall: leaving group post-auth (returns ok) for request 5 TTLS: Got tunneled reply RADIUS code 2 User-Name = "XXXXXXX" Tunnel-Private-Group-Id:0 = "315" Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN MS-CHAP2-Success = 0xe9533d34313632353645463239384442354536433344363845364130414132374337423333373433324531 MS-MPPE-Recv-Key = 0x2f1c2a0924281f7543ac01a62e5d4959 MS-MPPE-Send-Key = 0x54b7f78adaa581dcbe24933210de2944 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 TTLS: Got tunneled Access-Accept TTLS: Got MS-CHAP2-Success, tunneling it to the client in a challenge. modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 57 to 172.20.16.14 port 1645 User-Name = "XXXXXXX" Tunnel-Private-Group-Id:0 = "315" Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN MS-MPPE-Recv-Key = 0x2f1c2a0924281f7543ac01a62e5d4959 MS-MPPE-Send-Key = 0x54b7f78adaa581dcbe24933210de2944 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 EAP-Message = 0x0140005f15800000005517030100501cc3ec5991b8db1c9fa0b2a8738e13a3adafa3d12aad4719582298263fd36dd9e40a95a7b92783655681e701373871336737a7ea70a9a07ea8a015dc51b734e3700b71dc22b33bc6686f23efc7bfeba8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd1d25d75fcc645729434631403c3dd5a Finished request 5 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 172.20.16.14:1645, id=58, length=142 NAS-IP-Address = 172.20.16.14 NAS-Port = 50632 NAS-Port-Type = Ethernet User-Name = "XXXXXXX" Called-Station-Id = "00-03-6B-BE-25-8F" Calling-Station-Id = "00-14-51-2E-6C-50" Service-Type = Framed-User Framed-MTU = 1500 State = 0xd1d25d75fcc645729434631403c3dd5a EAP-Message = 0x024000061500 Message-Authenticator = 0x2d5e6aadce0ad3a0eb864bc26e9271f9 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 rlm_realm: No '@' in User-Name = "XXXXXXX", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 64 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 modcall[authorize]: module "mschap" returns noop for request 6 modcall[authorize]: module "files" returns notfound for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns ok for request 6 modcall: leaving group authenticate (returns ok) for request 6 Login OK: [XXXXXXX/<no User-Password attribute>] (from client SITEALAN port 50632 cli 00-14-51-2E-6C-50) Processing the post-auth section of radiusd.conf modcall: entering group post-auth for request 6 modcall[post-auth]: module "LDAP1LAN" returns noop for request 6 modcall[post-auth]: module "LDAP2LAN" returns noop for request 6 modcall[post-auth]: module "LDAP1AIR" returns noop for request 6 modcall[post-auth]: module "LDAP2AIR" returns noop for request 6 modcall[post-auth]: module "LDAP1VPN" returns noop for request 6 modcall[post-auth]: module "LDAP2VPN" returns noop for request 6 modcall: leaving group post-auth (returns noop) for request 6 Sending Access-Accept of id 58 to 172.20.16.14 port 1645 MS-MPPE-Recv-Key = 0x3e5ac1123d8312388fd89060503bbc0111586573e9b05e0166f4b738ef11db5a MS-MPPE-Send-Key = 0x68dce1376add4161d31704257ac1d5d9e891b1905e62064647c2216b53454986 EAP-Message = 0x03400004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "XXXXXXX" Finished request 6 ----------------------- Here is the debug output from eapol_test. -------------- modcall: leaving group post-auth (returns ok) for request 5 TTLS: Got tunneled reply RADIUS code 2 User-Name = "XXXXXXX" Tunnel-Private-Group-Id:0 = "328" Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN MS-CHAP-MPPE-Keys = 0x79b109dec67d52c6b969bc2f0b8a40a4f2df16f387f6ee980000000000000000 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 TTLS: Got tunneled Access-Accept rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns ok for request 5 modcall: leaving group authenticate (returns ok) for request 5 Login OK: [anon/<no User-Password attribute>] (from client localhost port 0 cli 00-00-00-00-00-02) Processing the post-auth section of radiusd.conf modcall: entering group post-auth for request 5 modcall[post-auth]: module "LDAP1LAN" returns noop for request 5 modcall[post-auth]: module "LDAP2LAN" returns noop for request 5 modcall[post-auth]: module "LDAP1AIR" returns noop for request 5 modcall[post-auth]: module "LDAP2AIR" returns noop for request 5 modcall[post-auth]: module "LDAP1VPN" returns noop for request 5 modcall[post-auth]: module "LDAP2VPN" returns noop for request 5 modcall: leaving group post-auth (returns noop) for request 5 Sending Access-Accept of id 5 to 127.0.0.1 port 32777 User-Name = "XXXXXXX" Tunnel-Private-Group-Id:0 = "328" Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN MS-CHAP-MPPE-Keys = 0x79b109dec67d52c6b969bc2f0b8a40a4f2df16f387f6ee980000000000000000 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Recv-Key = 0xa74558be21dd80fe6f406921c6e2aa367e840ac12405c4ab86adf7fa48c4effa MS-MPPE-Send-Key = 0x9901fdcc0f86e0091f1a16795ff2a480b99d28b46094b557cae32f81bb4b16e2 EAP-Message = 0x03050004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 5 ------------------- /etc/raddb/eap.conf -------------- eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no tls { private_key_password = *************** private_key_file = ${raddbdir}/certs/server_key.pem certificate_file = ${raddbdir}/certs/server_cert.pem CA_file = ${raddbdir}/certs/rootcert.pem dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random } ttls { default_eap_type = mschapv2 use_tunneled_reply = yes copy_request_to_tunnel = yes } mschapv2 { } peap { default_eap_type = mschapv2 use_tunneled_reply = yes copy_request_to_tunnel = yes } mschapv2 { } } -------------- /etc/raddb/users -------------- DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1 User-Name = "%{User-Name}", Fall-Through = Yes DEFAULT Huntgroup-name == "LAN", FreeRADIUS-Proxied-To == 127.0.0.1, Autz-Type := LAN DEFAULT Huntgroup-name == "AIR", FreeRADIUS-Proxied-To == 127.0.0.1, Autz-Type := AIR DEFAULT Huntgroup-Name == "VPN", Autz-Type := VPN, Auth-Type := Local -------------- regards/mvh Bjarni Hardarson
Hi,
Recently upgraded from 1.1.3 to 1.1.4 to support EAP-PEAP for Windows Vista clients. That works fine but now I got problems with missing reply attributes for Mac OSX clients using EAP-TTLS.
I can also report the same issue. I have been looking at it for a little while now - I thought it may have been my attribute filter being too strict - but I saw no EAP-TTLS attributes that are documented that I'm not allowing....and I believe I havent changed my attribute filter since 1.1.3 alan
A.L.M.Buxey@lboro.ac.uk wrote:
I can also report the same issue. I have been looking at it for a little while now - I thought it may have been my attribute filter being too strict - but I saw no EAP-TTLS attributes that are documented that I'm not allowing....and I believe I havent changed my attribute filter since 1.1.3
It looks to be a side effect of doing MS-CHAP in the tunnel correctly. There's already a bug filed for the PEAP side of things. I'll see what I can do tomorrow to fix it. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Bjarni Hardarson wrote:
Hi list!
Recently upgraded from 1.1.3 to 1.1.4 to support EAP-PEAP for Windows Vista clients. That works fine but now I got problems with missing reply attributes for Mac OSX clients using EAP-TTLS.
FreeRADIUS sends an Access-Challenge with the correct attributes but they are missing from the final Access-Accept.
Please try the attached patch. If it works, I'll add it to 1.1.5. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog ? src/modules/rlm_eap/radeapclient Index: src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h =================================================================== RCS file: /source/radiusd/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h,v retrieving revision 1.5.4.1 diff -u -r1.5.4.1 eap_ttls.h --- src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h 6 Feb 2006 16:23:57 -0000 1.5.4.1 +++ src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h 16 Feb 2007 08:33:25 -0000 @@ -27,6 +27,7 @@ typedef struct ttls_tunnel_t { VALUE_PAIR *username; VALUE_PAIR *state; + VALUE_PAIR *reply; int authenticated; int default_eap_type; int copy_request_to_tunnel; Index: src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c =================================================================== RCS file: /source/radiusd/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c,v retrieving revision 1.17.2.2.2.3 diff -u -r1.17.2.2.2.3 ttls.c --- src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c 18 Oct 2006 21:49:47 -0000 1.17.2.2.2.3 +++ src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c 16 Feb 2007 08:33:25 -0000 @@ -611,6 +611,9 @@ DEBUG2(" TTLS: Got MS-CHAP2-Success, tunneling it to the client in a challenge."); rcode = RLM_MODULE_HANDLED; t->authenticated = TRUE; + + t->reply = reply->vps; + reply->vps = NULL; } else { /* no MS-CHAP2-Success */ /* * Can only have EAP-Message if there's @@ -643,8 +646,13 @@ */ if (t->use_tunneled_reply) { pairdelete(&reply->vps, PW_PROXY_STATE); - pairadd(&request->reply->vps, reply->vps); - reply->vps = NULL; + + if (!t->reply) { + pairadd(&request->reply->vps, reply->vps); + reply->vps = NULL; + } else { + pairadd(&request->reply->vps, reply->vps); + } } break;
Alan DeKok wrote:
Please try the attached patch. If it works, I'll add it to 1.1.5.
Never mind, it doesn't work. Give me a bit... Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Bjarni Hardarson wrote:
Recently upgraded from 1.1.3 to 1.1.4 to support EAP-PEAP for Windows Vista clients. That works fine but now I got problems with missing reply attributes for Mac OSX clients using EAP-TTLS.
FreeRADIUS sends an Access-Challenge with the correct attributes but they are missing from the final Access-Accept.
I've tested & committed a fix that will be in 1.1.5. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Bjarni Hardarson wrote:
Alan DeKok wrote:
I've tested & committed a fix that will be in 1.1.5.
Thanks.
Do you know when 1.1.5 will be released?
Soon, I think. In the mean time, "branch_1_1" in CVS has the fix. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
The help is necessary. Is 2 RADIUS servers and 1 NAS, it is necessary if authorization has not passed on the first to be authorized on the second, what it is necessary for this purpose? --
On Fri 16 Feb 2007 13:27, Larin Denis wrote:
The help is necessary. Is 2 RADIUS servers and 1 NAS, it is necessary if authorization has not passed on the first to be authorized on the second, what it is necessary for this purpose?
Most NAS support multiple radius servers.. Have a look at the NAS docs.. -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc
Could this be related to my Mac issue with the Pre-2.0 Snapshot? Granted, I'm only using PEAP.
-----Original Message----- From: freeradius-users-bounces+mking=bridgew.edu@lists.freeradius.or g [mailto:freeradius-users-bounces+mking=bridgew.edu@lists.freer adius.org] On Behalf Of Alan DeKok Sent: Friday, February 16, 2007 4:32 AM To: FreeRadius users mailing list Subject: Re: 1.1.4 - TTLS - missing attributes
Bjarni Hardarson wrote:
Recently upgraded from 1.1.3 to 1.1.4 to support EAP-PEAP for Windows Vista clients. That works fine but now I got problems with missing reply attributes for Mac OSX clients using EAP-TTLS.
FreeRADIUS sends an Access-Challenge with the correct attributes but they are missing from the final Access-Accept.
I've tested & committed a fix that will be in 1.1.5.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
King, Michael wrote:
Could this be related to my Mac issue with the Pre-2.0 Snapshot?
Umm... what MAC issue?
Granted, I'm only using PEAP.
PEAP still has the bug. I'll see if I can fix it this week. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg327 75.html
-----Original Message----- From: freeradius-users-bounces+mking=bridgew.edu@lists.freeradius.or g [mailto:freeradius-users-bounces+mking=bridgew.edu@lists.freer adius.org] On Behalf Of Alan DeKok Sent: Monday, February 19, 2007 3:25 AM To: FreeRadius users mailing list Subject: Re: 1.1.4 - TTLS - missing attributes
King, Michael wrote:
Could this be related to my Mac issue with the Pre-2.0 Snapshot?
Umm... what MAC issue?
Granted, I'm only using PEAP.
PEAP still has the bug. I'll see if I can fix it this week.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
King, Michael wrote:
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg327 75.html
It's PEAP, not TTLS, so the changes in 1.1.4 (which are also in CVS head) can't be affecting it. I'm not sure what the issue is. I haven't seen other people using MACs and PEAP, so I'm not sure what to say. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (6)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Bjarni Hardarson -
King, Michael -
Larin Denis -
Peter Nixon