Freeradius PROXY: EAP-PEAP - TLS with NT-Password and Cleartext-Password
Hi, could someone help me with the example of my configuration below? I have *Client* <---> * Wireless Controller*: MYWLAN(802.1x EAP) <---> *Freeradius.* AAA Server setting in Controller with IP: 192.168.100.3 (my internal freeradius) Freeradius *Version 3.0.16 with Mysql* *Two Freeradius servers: one HCRPP(internal) and CR(External)* radcheck attribute is *NT-Password* (HCRPP) , and the user stored in the database is without suffix. *radcheck attribute is Cleartext-Password to (CR)* *Freeradius HCRRP use EAP 802.1x and CR - PAP cleartext* *What I need is when a user authenticates without suffix or with suffix (@hcrpp.com <http://hcrpp.com>), use EAP-PEAP or TLS to authenticates in my local freeradius and if the suffix was @cr.net <http://cr.net> proxy to 126.100.20.3 with cleartext password.* When i'm logging with username and password *without suffix*, *it's works*, but when i'm logging with *suffix *like testuser@hcrpp.com or testuser@ cr.net i get this error message: suffix: Checking for suffix after "@" (22) suffix: Looking up realm "hcrpp.com" for User-Name = "testuser@ hcrpp.com" (22) suffix: Found realm "hcrpp.com" (22) suffix: Adding Realm = "hcrpp.com" (22) suffix: Proxying request from user testuser@hcrpp.com to realm hcrpp.com (22) suffix: Preparing to proxy authentication request to realm "hcrpp.com" (22) [suffix] = updated (22) update control { (22) &Proxy-To-Realm := "LOCAL" (22) } # update control = noop (22) eap: Peer sent EAP Response (code 2) ID 6 length 81 (22) eap: No EAP Start, assuming it's an on-going EAP conversation (22) [eap] = updated (22) sql: EXPAND %{User-Name} (22) sql: --> testuser@hcrpp.com (22) sql: SQL-User-Name set to 'testuser@hcrpp.com' rlm_sql (sql): Reserved connection (19) (22) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (22) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser@hcrpp.com' ORDER BY id (22) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser@hcrpp.com' ORDER BY id (22) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (22) sql: --> SELECT groupname FROM radusergroup WHERE username = ' testuser@hcrpp.com' ORDER BY priority (22) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'testuser@hcrpp.com' ORDER BY priority (22) sql: User not found in any groups rlm_sql (sql): Released connection (19) (22) [sql] = notfound (22) [pap] = noop (22) } # authorize = updated (22) Found Auth-Type = eap (22) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (22) authenticate { (22) eap: Expiring EAP session with state 0xa05ae720a05cfdb8 (22) eap: Finished EAP session with state 0xa05ae720a05cfdb8 (22) eap: Previous EAP request found for state 0xa05ae720a05cfdb8, released from the list (22) eap: Peer sent packet with method EAP MSCHAPv2 (26) (22) eap: Calling submodule eap_mschapv2 to process data (22) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (22) eap_mschapv2: Auth-Type MS-CHAP { *(22) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password* *(22) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password* (22) mschap: Creating challenge hash with username: dbarcelini@cirp.usp.br (22) mschap: Client is using MS-CHAPv2 *(22) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication* *(22) mschap: ERROR: MS-CHAP2-Response is incorrect* *My config below* *proxy.conf* home_server HCRPP { type = auth+acct ipaddr = 192.168.100.3 port = 1821 secret = XXXX require_message_authenticator = yes response_window = 20 zombie_period = 40 status_check = status-server check_interval = 30 num_answers_to_alive = 3 max_outstanding = 65536 } home_server CR { type = auth+acct ipaddr = 126.100.20.3 port = 1812 secret = XXXX } home_server_pool HCRPPOOL { type = fail-over home_server = HCRPP } home_server_pool CRPOOL { type = fail-over home_server = CR } realm hcrpp.com { auth_pool = HCRPPOOL strip } realm cr.net { auth_pool = CRPOOL nostrip } ------------------------------------------ *mods-enabled/eap* eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = ${max_requests} md5 { } * ...* ttls { tls = tls-common copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" peap { tls = tls-common default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = no virtual_server = "inner-tunnel" *sites-enabled/default* authorize { preprocess sql eap { ok = return updated = return } suffix *sites-enabled/inner-tunnel* authorize { suffix update control { &Proxy-To-Realm := "LOCAL" } eap { ok = return } sql Thanks
Hi, could someone help me with the example of my configuration below? I have *Client* <---> * Wireless Controller*: MYWLAN(802.1x EAP) <---> *Freeradius.* AAA Server setting in Controller with IP: 192.168.100.3 (my internal freeradius) Freeradius *Version 3.0.16 with Mysql* *Two Freeradius servers: one HCRPP(internal) and CR(External)* radcheck attribute is *NT-Password* (HCRPP) , and the user stored in the database is without suffix. *radcheck attribute is Cleartext-Password to (CR)* *Freeradius HCRRP use EAP 802.1x and CR - PAP cleartext* *What I need is when a user authenticates without suffix or with suffix (@hcrpp.com <http://hcrpp.com/>), use EAP-PEAP or TLS to authenticates in my local freeradius and if the suffix was @cr.net <http://cr.net/> proxy to 126.100.20.3 with cleartext password.* When i'm logging with username and password *without suffix*, *it's works*, but when i'm logging with *suffix *like testuser@hcrpp.com or testuser@ cr.net i get this error message: suffix: Checking for suffix after "@" (22) suffix: Looking up realm "hcrpp.com" for User-Name = "testuser@ hcrpp.com" (22) suffix: Found realm "hcrpp.com" (22) suffix: Adding Realm = "hcrpp.com" (22) suffix: Proxying request from user testuser@hcrpp.com to realm hcrpp.com (22) suffix: Preparing to proxy authentication request to realm "hcrpp.com" (22) [suffix] = updated (22) update control { (22) &Proxy-To-Realm := "LOCAL" (22) } # update control = noop (22) eap: Peer sent EAP Response (code 2) ID 6 length 81 (22) eap: No EAP Start, assuming it's an on-going EAP conversation (22) [eap] = updated (22) sql: EXPAND %{User-Name} (22) sql: --> testuser@hcrpp.com (22) sql: SQL-User-Name set to 'testuser@hcrpp.com' rlm_sql (sql): Reserved connection (19) (22) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (22) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser@hcrpp.com' ORDER BY id (22) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser@hcrpp.com' ORDER BY id (22) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (22) sql: --> SELECT groupname FROM radusergroup WHERE username = ' testuser@hcrpp.com' ORDER BY priority (22) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'testuser@hcrpp.com' ORDER BY priority (22) sql: User not found in any groups rlm_sql (sql): Released connection (19) (22) [sql] = notfound (22) [pap] = noop (22) } # authorize = updated (22) Found Auth-Type = eap (22) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (22) authenticate { (22) eap: Expiring EAP session with state 0xa05ae720a05cfdb8 (22) eap: Finished EAP session with state 0xa05ae720a05cfdb8 (22) eap: Previous EAP request found for state 0xa05ae720a05cfdb8, released from the list (22) eap: Peer sent packet with method EAP MSCHAPv2 (26) (22) eap: Calling submodule eap_mschapv2 to process data (22) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (22) eap_mschapv2: Auth-Type MS-CHAP { *(22) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password* *(22) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password* (22) mschap: Creating challenge hash with username: testuser@ <dbarcelini@cirp.usp.br>hcrpp.com (22) mschap: Client is using MS-CHAPv2 *(22) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication* *(22) mschap: ERROR: MS-CHAP2-Response is incorrect* *My config below* *proxy.conf* home_server HCRPP { type = auth+acct ipaddr = 192.168.100.3 port = 1821 secret = XXXX require_message_authenticator = yes response_window = 20 zombie_period = 40 status_check = status-server check_interval = 30 num_answers_to_alive = 3 max_outstanding = 65536 } home_server CR { type = auth+acct ipaddr = 126.100.20.3 port = 1812 secret = XXXX } home_server_pool HCRPPOOL { type = fail-over home_server = HCRPP } home_server_pool CRPOOL { type = fail-over home_server = CR } realm hcrpp.com { auth_pool = HCRPPOOL strip } realm cr.net { auth_pool = CRPOOL nostrip } ------------------------------------------ *mods-enabled/eap* eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = ${max_requests} md5 { } * ...* ttls { tls = tls-common copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" peap { tls = tls-common default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = no virtual_server = "inner-tunnel" *sites-enabled/default* authorize { preprocess sql eap { ok = return updated = return } suffix *sites-enabled/inner-tunnel* authorize { suffix update control { &Proxy-To-Realm := "LOCAL" } eap { ok = return } sql Thanks
On Jun 28, 2018, at 2:02 PM, Andrei Antonelli <andreirp@gmail.com> wrote:
Hi, could someone help me with the example of my configuration below?
Please only post one message instead of two.
When i'm logging with username and password *without suffix*, *it's works*, but when i'm logging with *suffix *like testuser@hcrpp.com or testuser@ cr.net i get this error message:
suffix: Checking for suffix after "@" (22) suffix: Looking up realm "hcrpp.com" for User-Name = "testuser@ hcrpp.com" (22) suffix: Found realm "hcrpp.com" (22) suffix: Adding Realm = "hcrpp.com"
That's fine.
(22) suffix: Proxying request from user testuser@hcrpp.com to realm hcrpp.com (22) suffix: Preparing to proxy authentication request to realm "hcrpp.com" (22) [suffix] = updated (22) update control { (22) &Proxy-To-Realm := "LOCAL" (22) } # update control = noop
Why are you doing this? It's unnecessary. You can just set the "hcrpp.com" realm to be a local realm. In proxy.conf, do: realm hcrpp.com { } That's it. See the comments in proxy.conf for more documentation.
(22) eap: Peer sent EAP Response (code 2) ID 6 length 81 (22) eap: No EAP Start, assuming it's an on-going EAP conversation (22) [eap] = updated (22) sql: EXPAND %{User-Name} (22) sql: --> testuser@hcrpp.com (22) sql: SQL-User-Name set to 'testuser@hcrpp.com'
See the comments in raddb/mods-config/main/mysql/queries.conf You should edit the "sql_user_name" to be: sql_user_name = %{%{Stripped-User-Name}:-%{User-Name}} Which will then use "testuser" instead of "testuser@hcrpp.com"
*My config below*
We don't need the configuration. See http://wiki.freeradius.org/list-help
realm hcrpp.com { auth_pool = HCRPPOOL strip }
Which causes packets containing "username@hcrpp.com" to be proxied. If you don't want them to be proxied, read the comments in proxy.conf. This is explained in detail. Alan DeKok.
Hi Alan, Thanks a lot, it worked with suffix testuser@hcrpp.com and without suffix testuser for the domain hcrpp.com, but when i authenticate with of external domain cr.net i get this error message: (17) eap: Expiring EAP session with state 0x94f1143794f70ec2 (17) eap: Finished EAP session with state 0x94f1143794f70ec2 (17) eap: Previous EAP request found for state 0x94f1143794f70ec2, released from the list (17) eap: Peer sent packet with method EAP MSCHAPv2 (26) (17) eap: Calling submodule eap_mschapv2 to process data (17) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (17) eap_mschapv2: Auth-Type MS-CHAP { (17) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (17) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password (17) mschap: Creating challenge hash with username: testuser@cr.net (17) mschap: Client is using MS-CHAPv2 (17) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication (17) mschap: ERROR: MS-CHAP2-Response is incorrect Can i send cleartext-password for only the specific domain cr.net ? Thanks a lot, Alan! On Thu, Jun 28, 2018 at 3:29 PM Alan DeKok <aland@deployingradius.com> wrote:
On Jun 28, 2018, at 2:02 PM, Andrei Antonelli <andreirp@gmail.com> wrote:
Hi, could someone help me with the example of my configuration below?
Please only post one message instead of two.
When i'm logging with username and password *without suffix*, *it's works*, but when i'm logging with *suffix *like testuser@hcrpp.com or testuser@ cr.net i get this error message:
suffix: Checking for suffix after "@" (22) suffix: Looking up realm "hcrpp.com" for User-Name = "testuser@ hcrpp.com" (22) suffix: Found realm "hcrpp.com" (22) suffix: Adding Realm = "hcrpp.com"
That's fine.
(22) suffix: Proxying request from user testuser@hcrpp.com to realm hcrpp.com (22) suffix: Preparing to proxy authentication request to realm " hcrpp.com" (22) [suffix] = updated (22) update control { (22) &Proxy-To-Realm := "LOCAL" (22) } # update control = noop
Why are you doing this? It's unnecessary. You can just set the " hcrpp.com" realm to be a local realm. In proxy.conf, do:
realm hcrpp.com { }
That's it. See the comments in proxy.conf for more documentation.
(22) eap: Peer sent EAP Response (code 2) ID 6 length 81 (22) eap: No EAP Start, assuming it's an on-going EAP conversation (22) [eap] = updated (22) sql: EXPAND %{User-Name} (22) sql: --> testuser@hcrpp.com (22) sql: SQL-User-Name set to 'testuser@hcrpp.com'
See the comments in raddb/mods-config/main/mysql/queries.conf
You should edit the "sql_user_name" to be:
sql_user_name = %{%{Stripped-User-Name}:-%{User-Name}}
Which will then use "testuser" instead of "testuser@hcrpp.com"
*My config below*
We don't need the configuration. See http://wiki.freeradius.org/list-help
realm hcrpp.com { auth_pool = HCRPPOOL strip }
Which causes packets containing "username@hcrpp.com" to be proxied. If you don't want them to be proxied, read the comments in proxy.conf. This is explained in detail.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jun 28, 2018, at 3:13 PM, Andrei Antonelli <andreirp@gmail.com> wrote:
Thanks a lot, it worked with suffix testuser@hcrpp.com and without suffix testuser for the domain hcrpp.com, but when i authenticate with of external domain cr.net i get this error message:
i.e. "it doesn't work" What do you want it to *do*? Read this: http://wiki.freeradius.org/list-help
(17) eap: Expiring EAP session with state 0x94f1143794f70ec2 (17) eap: Finished EAP session with state 0x94f1143794f70ec2 (17) eap: Previous EAP request found for state 0x94f1143794f70ec2, released from the list (17) eap: Peer sent packet with method EAP MSCHAPv2 (26) (17) eap: Calling submodule eap_mschapv2 to process data (17) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (17) eap_mschapv2: Auth-Type MS-CHAP { (17) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (17) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password (17) mschap: Creating challenge hash with username: testuser@cr.net (17) mschap: Client is using MS-CHAPv2 (17) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication (17) mschap: ERROR: MS-CHAP2-Response is incorrect
Can i send cleartext-password for only the specific domain cr.net ?
I have no idea what that means. Alan DeKok.
Thanks a lot, it worked with suffix testuser@hcrpp.com and without suffix testuser for the domain hcrpp.com, but when i authenticate with
of
external domain cr.net i get this error message:
i.e. "it doesn't work"
What do you want it to *do*? Read this: http://wiki.freeradius.org/list-help
Thanks Alan, because the external freeradius only accepts the cleartext-password attribute.
Thank you for the information.
participants (2)
-
Alan DeKok -
Andrei Antonelli