Wired 802.1X + FreeRADIUS + LDAP issue
Hi all, I have been tasked with implementing 802.1X for our office wireless & wired connectivity - wireless through an Aruba AP, wired through a Dell PowerConnect 6200 switch - by using FreeRADIUS (2.1.12) and our backend LDAP server (Open DS). FreeRADIUS is running on Ubuntu 10.04. * Wireless 802.1X auth is working properly (verified on both OS X and Win 7) using TTLS+PAP - debug output attached for reference. * Wired 802.1X auth is not working, and I am not sure why. This is where I am hoping to be pointed in the right direction - debug output attached for this as well. For wireless, my supplicant (laptop running OS X Lion) has an 802.1X profile configured (tried with and without the FreeRADIUS server's ca certificate (ca.der)), connects to the Aruba, gets prompted for login/password, the credentials pass auth with LDAP, a certificate gets installed in my Keychain, and network access is granted. Yay! For wired, I have the same 802.1X profile configured, the laptop connects to the switch, EAP begins, the Access-Challenge gets returned, but there is seemingly no further communication done. (It has been confirmed using tcpdump that the supplicant is receiving the response from FreeRADIUS.) I get a Warning message from FreeRADIUS indicating that EAP did not complete. The message directs me to a Certificate Compatibility page on the FR wiki, but unfortunately that points a lot of fingers at Windows, which my laptop is not running. We have also tried creating the certs with the bootstrap program and modifying eap.conf accordingly, to no avail. For reference, eapol_test also fails in the same manner when running locally on the FreeRADIUS box. I am sure I am missing something - probably something simple - but I just have not been able to figure it out, and I am clearly not very good at reading the debug output. :-( I have been researching this for quite some time and have found a lot of helpful information from people on this list, so I hope somebody can help me pinpoint the issue. My apologies if I was too wordy. Any help is greatly appreciated. -- RG
Ryan Garland wrote:
I get a Warning message from FreeRADIUS indicating that EAP did not complete. The message directs me to a Certificate Compatibility page on the FR wiki, but unfortunately that points a lot of fingers at Windows, which my laptop is not running.
Whether it's windows or not, the supplicant is *always* the one who chooses to stop doing EAP.
We have also tried creating the certs with the bootstrap program and modifying eap.conf accordingly, to no avail.
For reference, eapol_test also fails in the same manner when running locally on the FreeRADIUS box.
Uh... then all bets are off. If eapol_test doesn't work, then you broke the FR configuration. FR && eapol_test work together. I do this pretty much every day. Post the output from eapol_test. It should produce *many* messages describing exactly what is going wrong, and why.
I am sure I am missing something - probably something simple - but I just have not been able to figure it out, and I am clearly not very good at reading the debug output. :-(
You read it fine. Something *else* is going on.
I have been researching this for quite some time and have found a lot of helpful information from people on this list, so I hope somebody can help me pinpoint the issue.
My apologies if I was too wordy. Any help is greatly appreciated.
Wordy is better than "I tried stuff and it didn't work." Alan DeKok.
On Sat, Dec 10, 2011 at 1:54 AM, Alan DeKok <aland@deployingradius.com> wrote:
Ryan Garland wrote:
We have also tried creating the certs with the bootstrap program and modifying eap.conf accordingly, to no avail.
For reference, eapol_test also fails in the same manner when running locally on the FreeRADIUS box.
Uh... then all bets are off. If eapol_test doesn't work, then you broke the FR configuration. FR && eapol_test work together. I do this pretty much every day.
Post the output from eapol_test. It should produce *many* messages describing exactly what is going wrong, and why.
Thanks for the response, Alan. It turns out part of my issue was certificate related. This has been resolved, but eapol_test continues to fail for a different reason. However, I am having trouble determining a fix. Attached is the eapol_test configuration, debug output, FreeRADIUS configuration & debug output. It appears that the relevant portion of the FreeRADIUS debug output is: Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/md5 [eap] processing type md5 rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication [eap] Handler failed in EAP/md5 [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. } # server inner-tunnel [ttls] Got tunneled reply code 3 EAP-Message = 0x04010004 Message-Authenticator = 0x00000000000000000000000000000000 [ttls] Got tunneled Access-Reject [eap] Handler failed in EAP/ttls rlm_eap_ttls: Freeing handler for user ryan [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. I am having an even more difficult time deciphering the eapol_test debug output - I just see the EAP failure from the radius server. I have also tried commenting out 'virtual_server = "inner-tunnel"' in the ttls section of eap.conf to force it to use default (as the documentation inside the "default" virtual server would seem to imply I should do) and I get the same result. I may be mis-reading it, however. Do you see something glaringly wrong? I appreciate any insight you can provide. -RG
On Mon, Dec 12, 2011 at 6:30 PM, Ryan Garland <sheffy@gmail.com> wrote:
Thanks for the response, Alan.
It turns out part of my issue was certificate related. This has been resolved, but eapol_test continues to fail for a different reason. However, I am having trouble determining a fix.
Attached is the eapol_test configuration, debug output, FreeRADIUS configuration & debug output.
It appears that the relevant portion of the FreeRADIUS debug output is:
Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/md5 [eap] processing type md5 rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication [eap] Handler failed in EAP/md5 [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. } # server inner-tunnel [ttls] Got tunneled reply code 3 EAP-Message = 0x04010004 Message-Authenticator = 0x00000000000000000000000000000000 [ttls] Got tunneled Access-Reject [eap] Handler failed in EAP/ttls rlm_eap_ttls: Freeing handler for user ryan [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user.
I am having an even more difficult time deciphering the eapol_test debug output - I just see the EAP failure from the radius server.
I have also tried commenting out 'virtual_server = "inner-tunnel"' in the ttls section of eap.conf to force it to use default (as the documentation inside the "default" virtual server would seem to imply I should do) and I get the same result. I may be mis-reading it, however.
Do you see something glaringly wrong? I appreciate any insight you can provide.
Sorry, I should have been more clear. I'm not sure what my options are with regards to Cleartext-Password and using EAP-MD5, if that is indeed what is causing the failure. I am attempting to get eapol_test to work since it sounds like this should be my first priority. The OS X supplicant continues not to respond to the Access-Challenge even though its profile is set up with the corrected ca.der - but, one step at a time. -RG
On Tue, Dec 13, 2011 at 9:37 AM, Ryan Garland <sheffy@gmail.com> wrote:
[eap] EAP/md5 [eap] processing type md5 rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication [eap] Handler failed in EAP/md5 [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user.
Sorry, I should have been more clear.
I'm not sure what my options are with regards to Cleartext-Password and using EAP-MD5, if that is indeed what is causing the failure.
Then don't use EAP-MD5. If TTLS-PAP works for wireless, use the same one for wired. There should be an option to select which authentication method to use for wired 802.1x. -- Fajar
On Mon, Dec 12, 2011 at 7:12 PM, Fajar A. Nugraha <list@fajar.net> wrote:
On Tue, Dec 13, 2011 at 9:37 AM, Ryan Garland <sheffy@gmail.com> wrote:
Sorry, I should have been more clear.
I'm not sure what my options are with regards to Cleartext-Password and using EAP-MD5, if that is indeed what is causing the failure.
Then don't use EAP-MD5. If TTLS-PAP works for wireless, use the same one for wired. There should be an option to select which authentication method to use for wired 802.1x.
Ok, I changed auth type to PAP in the eapol_test configuration and it worked. Thanks, I didn't realize it was as simple as changing the phase2 auth type. However, my original problem persists. My supplicant continues not to respond to the FreeRADIUS Access-Challenge. Keep in mind I am using the same .mobileconfig on my OS X Lion machine and my iPhone 4S (IOS 5) and TTLS+PAP works fine for Wireless. I am not sure how to tell which authentication method the supplicant is using for Wired as I can only see authentication protocols listed under the Wi-Fi section of the profile generated using the iPhone Configuration Utility (I was led to believe that the same profile can work with both Wired and Wireless 802.1X, hence me being stumped). If there is not an issue with FreeRADIUS as far as the experts on this list can tell from the debug output in my original post (the Wired failure attachment), then I may have to look elsewhere for input (Apple support forums perhaps? Ugh :P) Thanks again for your assistance thus far. -RG
On Tue, Dec 13, 2011 at 11:34 AM, Ryan Garland <sheffy@gmail.com> wrote:
However, my original problem persists. My supplicant continues not to respond to the FreeRADIUS Access-Challenge.
Keep in mind I am using the same .mobileconfig on my OS X Lion machine and my iPhone 4S (IOS 5) and TTLS+PAP works fine for Wireless. I am not sure how to tell which authentication method the supplicant is using for Wired as I can only see authentication protocols listed under the Wi-Fi section of the profile generated using the iPhone Configuration Utility (I was led to believe that the same profile can work with both Wired and Wireless 802.1X, hence me being stumped).
Try using something that you know you can configure to use TTLS-PAP. Like Ubuntu. Just to be extra sure. Even using live CD should be enough.
If there is not an issue with FreeRADIUS as far as the experts on this list can tell from the debug output in my original post (the Wired failure attachment),
Pretty much so. You don't have cleartext password in your LDAP schema, so EAP-MD5 (as well as EAP-PEAP-MSCHAPv2) won't work.
then I may have to look elsewhere for input (Apple support forums perhaps? Ugh :P)
If Ubuntu works, then it's 100% Apple issue :) -- Fajar
participants (3)
-
Alan DeKok -
Fajar A. Nugraha -
Ryan Garland