802.1x issues with different NAS' types
Hi. In order to solve the problem in passing VLAN related attribute during 802.1x authentication with Aruba AP, I found the post below useful. But this caused problems with VLAN assignment on Junipers switches during the 802.1x authentication process. What is a way to solve the problem? The solutions seem to be mutually exclusive. Thanks. Marco. ______________________________________________________________________________________________ Sending an attribute with the Access-Accept instead of Access-Challenge Phil Mayers p.mayers at imperial.ac.uk Wed Jan 12 18:00:05 CET 2011 Previous message: Sending an attribute with the Access-Accept instead of Access-Challenge Next message: Sending an attribute with the Access-Accept instead of Access-Challenge Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] On 12/01/11 16:33, Vivek Umasuthan wrote:
Hi All, I am testing 802.1x support on our platform and I'm having trouble figuring out how to include some attributes with Access-Accept. I read the 'users' file man page but could not get the answer.
You need to add the attribute in the "inner-tunnel" virtual server, and ensure you've set: use_tunneled_reply = yes ...in the "peap {}" section of "eap.conf" Previous message: Sending an attribute with the Access-Accept instead of Access-Challenge Next message: Sending an attribute with the Access-Accept instead of Access-Challenge Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] More information about the Freeradius-Users mailing list --
On Mar 24, 2021, at 7:15 AM, Marco Miglietta <marco.miglietta@unisalento.it> wrote:
In order to solve the problem in passing VLAN related attribute during 802.1x authentication with Aruba AP, I found the post below useful. But this caused problems with VLAN assignment on Junipers switches during the 802.1x authentication process. What is a way to solve the problem? The solutions seem to be mutually exclusive.
There is not a unique "the problem" which is being solved. Instead, there is a whole grab-bag of issues. IF you want to apply policies based on "real" name, THEN for PEAP / TTLS, that real name is only available in the inner tunnel. AND THEN you have to apply the policies in the inner tunnel, and then copy the results to the outer reply. IF you want to apply policies based on things like MAC addresses, THEN those addresses are always available (you don't need inner-tunnel). AND THEN you can just apply policies in the "default" outer virtual server. There is no "magic set of incantations" which will make FreeRADIUS do what you want. You have to understand what's going on, including understanding how FreeRADIUS works. And only then can you configure the server to do it. Alan DeKok.
Thank you Alan. I hope in a short time to become a little expert with freeradius while I try to solve daily problems. I would to use freeradius for authentication and only to verify user password with the one that is in external ldap that I bind. Where have I to operate, what are the involved config files ? Do you have any suggestions ? Thank you v.m. Marco. Il 24/03/21 12:39, Alan DeKok ha scritto:
On Mar 24, 2021, at 7:15 AM, Marco Miglietta <marco.miglietta@unisalento.it> wrote:
In order to solve the problem in passing VLAN related attribute during 802.1x authentication with Aruba AP, I found the post below useful. But this caused problems with VLAN assignment on Junipers switches during the 802.1x authentication process. What is a way to solve the problem? The solutions seem to be mutually exclusive. There is not a unique "the problem" which is being solved. Instead, there is a whole grab-bag of issues.
IF you want to apply policies based on "real" name, THEN for PEAP / TTLS, that real name is only available in the inner tunnel. AND THEN you have to apply the policies in the inner tunnel, and then copy the results to the outer reply.
IF you want to apply policies based on things like MAC addresses, THEN those addresses are always available (you don't need inner-tunnel). AND THEN you can just apply policies in the "default" outer virtual server.
There is no "magic set of incantations" which will make FreeRADIUS do what you want. You have to understand what's going on, including understanding how FreeRADIUS works. And only then can you configure the server to do it.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
On 30.03.21 12:25, Marco Miglietta wrote:
Thank you Alan. I hope in a short time to become a little expert with freeradius while I try to solve daily problems. I would to use freeradius for authentication and only to verify user password with the one that is in external ldap that I bind. Where have I to operate, what are the involved config files ? Do you have any suggestions ? Thank you v.m.
Marco.
Hi, freeradius has a nice LDAP module. Please read the comments in the config file. Then try a ldapseach manually. If that succeeds, you know all parameters that you have to configure in the ldap module of freeradius. Doc also: https://networkradius.com/doc/3.0.10/raddb/mods-available/ldap.html Greetings, Michael
Il 24/03/21 12:39, Alan DeKok ha scritto:
On Mar 24, 2021, at 7:15 AM, Marco Miglietta <marco.miglietta@unisalento.it> wrote:
In order to solve the problem in passing VLAN related attribute during 802.1x authentication with Aruba AP, I found the post below useful. But this caused problems with VLAN assignment on Junipers switches during the 802.1x authentication process. What is a way to solve the problem? The solutions seem to be mutually exclusive. There is not a unique "the problem" which is being solved. Instead, there is a whole grab-bag of issues.
IF you want to apply policies based on "real" name, THEN for PEAP / TTLS, that real name is only available in the inner tunnel. AND THEN you have to apply the policies in the inner tunnel, and then copy the results to the outer reply.
IF you want to apply policies based on things like MAC addresses, THEN those addresses are always available (you don't need inner-tunnel). AND THEN you can just apply policies in the "default" outer virtual server.
There is no "magic set of incantations" which will make FreeRADIUS do what you want. You have to understand what's going on, including understanding how FreeRADIUS works. And only then can you configure the server to do it.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Mit freundlichen Grüßen, -- [*] sys4 AG https://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG,80333 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief Aufsichtsratsvorsitzender: Florian Kirstein
Thank you Michael, I gave a look to ldap config file. I think that it could be ok. However I made a test that fails and in debug mode I had the following result in the final part with error... mschap: ERROR: MS-CHAP2-Response is incorrect I have just known that passwords are stored in md5 format in the ldap's db and problably this is the problem... but also its end (and mine) :-) What do you think ? Thanks. Marco. (41) [ldap] = ok (41) [expiration] = noop (41) [logintime] = noop (41) pap: WARNING: Auth-Type already set. Not setting to PAP (41) [pap] = noop (41) } # authorize = updated (41) Found Auth-Type = eap (41) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (41) authenticate { (41) eap: Expiring EAP session with state 0xc9668664c96f9c89 (41) eap: Finished EAP session with state 0xc9668664c96f9c89 (41) eap: Previous EAP request found for state 0xc9668664c96f9c89, released from the list (41) eap: Peer sent packet with method EAP MSCHAPv2 (26) (41) eap: Calling submodule eap_mschapv2 to process data (41) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (41) eap_mschapv2: authenticate { (41) mschap: Found Cleartext-Password, hashing to create NT-Password (41) mschap: Found Cleartext-Password, hashing to create LM-Password (41) mschap: Creating challenge hash with username: marco.miglietta@unisalento.it (41) mschap: Client is using MS-CHAPv2 (41) mschap: ERROR: MS-CHAP2-Response is incorrect (41) [mschap] = reject (41) } # authenticate = reject Il giorno mar 30 mar 2021 alle ore 12:40 Michael Schwartzkopff <ms@sys4.de> ha scritto:
On 30.03.21 12:25, Marco Miglietta wrote:
Thank you Alan. I hope in a short time to become a little expert with freeradius while I try to solve daily problems. I would to use freeradius for authentication and only to verify user password with the one that is in external ldap that I bind. Where have I to operate, what are the involved config files ? Do you have any suggestions ? Thank you v.m.
Marco.
Hi,
freeradius has a nice LDAP module. Please read the comments in the config file. Then try a ldapseach manually. If that succeeds, you know all parameters that you have to configure in the ldap module of freeradius.
Doc also: https://networkradius.com/doc/3.0.10/raddb/mods-available/ldap.html
Greetings,
Michael
Il 24/03/21 12:39, Alan DeKok ha scritto:
On Mar 24, 2021, at 7:15 AM, Marco Miglietta <marco.miglietta@unisalento.it> wrote:
In order to solve the problem in passing VLAN related attribute during 802.1x authentication with Aruba AP, I found the post below useful. But this caused problems with VLAN assignment on Junipers switches during the 802.1x authentication process. What is a way to solve the problem? The solutions seem to be mutually exclusive. There is not a unique "the problem" which is being solved. Instead, there is a whole grab-bag of issues.
IF you want to apply policies based on "real" name, THEN for PEAP / TTLS, that real name is only available in the inner tunnel. AND THEN you have to apply the policies in the inner tunnel, and then copy the results to the outer reply.
IF you want to apply policies based on things like MAC addresses, THEN those addresses are always available (you don't need inner-tunnel). AND THEN you can just apply policies in the "default" outer virtual server.
There is no "magic set of incantations" which will make FreeRADIUS do what you want. You have to understand what's going on, including understanding how FreeRADIUS works. And only then can you configure the server to do it.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Mit freundlichen Grüßen,
--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG,80333 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief Aufsichtsratsvorsitzender: Florian Kirstein
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
On Mar 30, 2021, at 6:51 PM, Marco MIGLIETTA <marco.miglietta@unisalento.it> wrote:
Thank you Michael, I gave a look to ldap config file. I think that it could be ok. However I made a test that fails and in debug mode I had the following result in the final part with error...
mschap: ERROR: MS-CHAP2-Response is incorrect
I have just known that passwords are stored in md5 format in the ldap's db and problably this is the problem... but also its end (and mine) :-)
http://deployingradius.com/documents/protocols/compatibility.html It's impossible to do MS-CHAP with MD5 passwords. Alan DeKok.
On 31.03.21 00:51, Marco MIGLIETTA wrote:
Thank you Michael, I gave a look to ldap config file. I think that it could be ok. However I made a test that fails and in debug mode I had the following result in the final part with error...
mschap: ERROR: MS-CHAP2-Response is incorrect
I have just known that passwords are stored in md5 format in the ldap's db and problably this is the problem... but also its end (and mine) :-)
What do you think ? Thanks. Marco.
Hashed passwords do not work with CHAP mech. See: http://deployingradius.com/documents/protocols/compatibility.html
(41) [ldap] = ok (41) [expiration] = noop (41) [logintime] = noop (41) pap: WARNING: Auth-Type already set. Not setting to PAP (41) [pap] = noop (41) } # authorize = updated (41) Found Auth-Type = eap (41) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (41) authenticate { (41) eap: Expiring EAP session with state 0xc9668664c96f9c89 (41) eap: Finished EAP session with state 0xc9668664c96f9c89 (41) eap: Previous EAP request found for state 0xc9668664c96f9c89, released from the list (41) eap: Peer sent packet with method EAP MSCHAPv2 (26) (41) eap: Calling submodule eap_mschapv2 to process data (41) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (41) eap_mschapv2: authenticate { (41) mschap: Found Cleartext-Password, hashing to create NT-Password (41) mschap: Found Cleartext-Password, hashing to create LM-Password (41) mschap: Creating challenge hash with username: marco.miglietta@unisalento.it (41) mschap: Client is using MS-CHAPv2 (41) mschap: ERROR: MS-CHAP2-Response is incorrect (41) [mschap] = reject (41) } # authenticate = reject
Il giorno mar 30 mar 2021 alle ore 12:40 Michael Schwartzkopff <ms@sys4.de> ha scritto:
On 30.03.21 12:25, Marco Miglietta wrote:
Thank you Alan. I hope in a short time to become a little expert with freeradius while I try to solve daily problems. I would to use freeradius for authentication and only to verify user password with the one that is in external ldap that I bind. Where have I to operate, what are the involved config files ? Do you have any suggestions ? Thank you v.m.
Marco.
Hi,
freeradius has a nice LDAP module. Please read the comments in the config file. Then try a ldapseach manually. If that succeeds, you know all parameters that you have to configure in the ldap module of freeradius.
Doc also: https://networkradius.com/doc/3.0.10/raddb/mods-available/ldap.html
Greetings,
Michael
Il 24/03/21 12:39, Alan DeKok ha scritto:
On Mar 24, 2021, at 7:15 AM, Marco Miglietta <marco.miglietta@unisalento.it> wrote:
In order to solve the problem in passing VLAN related attribute during 802.1x authentication with Aruba AP, I found the post below useful. But this caused problems with VLAN assignment on Junipers switches during the 802.1x authentication process. What is a way to solve the problem? The solutions seem to be mutually exclusive. There is not a unique "the problem" which is being solved. Instead, there is a whole grab-bag of issues.
IF you want to apply policies based on "real" name, THEN for PEAP / TTLS, that real name is only available in the inner tunnel. AND THEN you have to apply the policies in the inner tunnel, and then copy the results to the outer reply.
IF you want to apply policies based on things like MAC addresses, THEN those addresses are always available (you don't need inner-tunnel). AND THEN you can just apply policies in the "default" outer virtual server.
There is no "magic set of incantations" which will make FreeRADIUS do what you want. You have to understand what's going on, including understanding how FreeRADIUS works. And only then can you configure the server to do it.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Mit freundlichen Grüßen,
--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG,80333 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief Aufsichtsratsvorsitzender: Florian Kirstein
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Mit freundlichen Grüßen, -- [*] sys4 AG https://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG,80333 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief Aufsichtsratsvorsitzender: Florian Kirstein
participants (4)
-
Alan DeKok -
Marco Miglietta -
Marco MIGLIETTA -
Michael Schwartzkopff