Hello list, I'm trying to secure my wireless networks with RADIUS, so that any combination of username/password will let the user in. So far I tried to add this line to my `users` file: DEFAULT Auth-Type := Accept With radtest I could get a positive feedback, but when I wire up the RADIUS server with my wireless AP and try to connect (via EAP-TTLS/MSCHAPv2), no connection is established. This happens on both a TP-Link router with OpenWRT and an Ubiquity UniFy AP as access point. Here's the debug output of freeradius (excerpt, the full log is attached):
rad_recv: Access-Request packet from host 192.168.8.1 port 60199, id=16, length=190 User-Name = "foousername" Called-Station-Id = "C2-4A-00-6C-F1-53:use.any.password" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = "E8-DE-27-1D-04-02" Connect-Info = "CONNECT 54Mbps 802.11g" Acct-Session-Id = "54EC901D-00000008" Framed-MTU = 1400 EAP-Message = 0x029f001001666f6f757365726e616d65 Message-Authenticator = 0xd8aca58525e34524e692e7a0d3f6eab9 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop [eap] EAP packet type response id 159 length 16 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry DEFAULT at line 1 ++[files] = ok ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = Accept Auth-Type = Accept, accepting the user # Executing section post-auth from file /etc/freeradius/sites-enabled/default +group post-auth { ++[exec] = noop +} # group post-auth = noop Sending Access-Accept of id 16 to 192.168.8.1 port 60199 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 16 with timestamp +5
The "sites-enabled/default" config is pretty much untouched from installation. For me it seems like a successful user authorization? When running tcpdump on the access point, I only see the outgoing EAP package. I'm a bit clueless now... Greetings, Dominik
On Feb 24, 2015, at 12:08 PM, Dominik Menke <dom@digineo.de> wrote:
I'm trying to secure my wireless networks with RADIUS, so that any combination of username/password will let the user in.
That isn’t very secure.
So far I tried to add this line to my `users` file:
DEFAULT Auth-Type := Accept
That won’t work.
With radtest I could get a positive feedback, but when I wire up the RADIUS server with my wireless AP and try to connect (via EAP-TTLS/MSCHAPv2), no connection is established.
Exactly. MS-CHAPv2 *requires* that the server know the users correct password. You need to do two things: 1) configure the clients to use TTLS/PAP instead of MS-CHAP 2) update the “users” file entry to say: DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Auth-Type := Accept Then TTLS/PAP should work. Nothing else will work, though. Alan DeKok.
(Sorry for the late response. I was tinkering with other aspects of the network and have just re-started with the FR integration.)
I'm trying to secure my wireless networks with RADIUS, so that any combination of username/password will let the user in.
That isn’t very secure.
Oh, I'm targeting for transport encryption, the net should be open for everyone. I just don't want unencrypted Wifi packages flying over the air and make it easy for blackhats to read these... I thought a WPA2/Enterprise encrypted Wifi connection backed by an FR server using proper certificates would be a good idea, wouldn't it?
So far I tried to add this line to my `users` file:
DEFAULT Auth-Type := Accept
That won’t work.
With radtest I could get a positive feedback, but when I wire up the RADIUS server with my wireless AP and try to connect (via EAP-TTLS/MSCHAPv2), no connection is established.
Exactly.
MS-CHAPv2 *requires* that the server know the users correct password.
Yeah, I thought so, too. Looks like I need a predefined set of valid credentials for my Windows clients... I need to communicate some information anyway, I think I can include some username/passwords as well.
You need to do two things:
1) configure the clients to use TTLS/PAP instead of MS-CHAP
2) update the “users” file entry to say:
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Auth-Type := Accept
Then TTLS/PAP should work. Nothing else will work, though.
Is there anything else I need to configure? Using those two settings gives me this:
# radtest -t pap foobar snafu localhost 10 testing123 Sending Access-Request of id 222 to 127.0.0.1 port 1812 User-Name = "foobar" User-Password = "snafu" NAS-IP-Address = 127.0.1.1 NAS-Port = 10 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=222, length=20
And in the server log:
rad_recv: Access-Request packet from host 127.0.0.1 port 45876, id=0, length=120 User-Name = "foobar" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200000b01666f6f626172 Message-Authenticator = 0xb3ca17f074559f077c154b1f72006a21 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop [eap] EAP packet type response id 0 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop ++update control { ++} # update control = noop +} # group authorize = updated Found Auth-Type = Accept Auth-Type = Accept, accepting the user # Executing section post-auth from file /etc/freeradius/sites-enabled/default +group post-auth { ++[exec] = noop +} # group post-auth = noop Sending Access-Accept of id 0 to 127.0.0.1 port 45876
Although an Access-Accept is transmitted, the warning "no 'known good' password found for the user" makes me worry, I didn't understand a central part of FR... When I try to connect a Wifi client to a NAS speaking to the server running above, I'll get the same output (an no connection). I think tomorrow I will start to fiddle with wpa_supplicant's eapol_test. Thanks so far, Dominik
"no 'known good' password found for the user" makes me >worry, I didn't understand a central part of FR...
Er. Yes. There was no known Good password for the user as you haven't configured one and are just overriding the server with an access accept If you ran in full debug mode for that failing wifi client you could confirm what the radius server is doing. .. eg access accept (or is all going wrong as you did PEAP) eg find out if the lack of connection was due to some other part of the system (ap config, wrong vlan stuff, no dhcp etc etc) alan
On Mar 4, 2015, at 12:31 PM, Dominik Menke <dom@digineo.de> wrote:
Is there anything else I need to configure?
<sigh> Do you think I lied to you in your last message? Or maybe you got something wrong? Which one is more likely to be true?
Using those two settings gives me this:
# radtest -t pap foobar snafu localhost 10 testing123
Don’t look at the client logs to debug the server. Honestly, this isn’t difficult.
And in the server log:
rad_recv: Access-Request packet from host 127.0.0.1 port 45876, id=0, length=120 User-Name = "foobar" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200000b01666f6f626172 Message-Authenticator = 0xb3ca17f074559f077c154b1f72006a21 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop [eap] EAP packet type response id 0 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop
It doesn’t match any entry in the “users” file.
++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop ++update control { ++} # update control = noop +} # group authorize = updated
So… you edited the “authorize” section to add: update control { Auth-Type := Accept } Did I say to do that? No. Then why did you do it?
Although an Access-Accept is transmitted, the warning "no 'known good' password found for the user" makes me worry, I didn't understand a central part of FR…
Following instructions shouldn’t be difficult. And I find it annoying when people make random changes without saying what they’re doing, or why. Then when those changes don’t work… they blame me. “But I followed your instructions!” No. No, you didn’t follow my instructions. Alan DeKok.
Add this under the authorization section, for TTLS we use the inner-tunnel. This works for all of our WiMax clients who never bothered to write down usernames and passwords. update control { Auth-Type := Accept } update outer.reply { Framed-Filter-Id := Test } Change the Framed-Filter-Id with any attributes you want to send back to the NAS, say for provisioning. David -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+davidp=wirelessconnections.net@lists.freeradius.org] On Behalf Of Dominik Menke Sent: Tuesday, February 24, 2015 12:09 PM To: freeradius-users@lists.freeradius.org Subject: Accept all users? Hello list, I'm trying to secure my wireless networks with RADIUS, so that any combination of username/password will let the user in. So far I tried to add this line to my `users` file: DEFAULT Auth-Type := Accept With radtest I could get a positive feedback, but when I wire up the RADIUS server with my wireless AP and try to connect (via EAP-TTLS/MSCHAPv2), no connection is established. This happens on both a TP-Link router with OpenWRT and an Ubiquity UniFy AP as access point. Here's the debug output of freeradius (excerpt, the full log is attached):
rad_recv: Access-Request packet from host 192.168.8.1 port 60199, id=16, length=190 User-Name = "foousername" Called-Station-Id = "C2-4A-00-6C-F1-53:use.any.password" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = "E8-DE-27-1D-04-02" Connect-Info = "CONNECT 54Mbps 802.11g" Acct-Session-Id = "54EC901D-00000008" Framed-MTU = 1400 EAP-Message = 0x029f001001666f6f757365726e616d65 Message-Authenticator = 0xd8aca58525e34524e692e7a0d3f6eab9 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop [eap] EAP packet type response id 159 length 16 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry DEFAULT at line 1 ++[files] = ok ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = Accept Auth-Type = Accept, accepting the user # Executing section post-auth from file /etc/freeradius/sites-enabled/default +group post-auth { ++[exec] = noop +} # group post-auth = noop Sending Access-Accept of id 16 to 192.168.8.1 port 60199 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 16 with timestamp +5
The "sites-enabled/default" config is pretty much untouched from installation. For me it seems like a successful user authorization? When running tcpdump on the access point, I only see the outgoing EAP package. I'm a bit clueless now... Greetings, Dominik - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Alan Buxey -
Alan DeKok -
David Peterson -
Dominik Menke