proxy incoming PAP request as outgoing PEAP/TTLS requests
Hi, I have a question about proxy requests on freeradius 3.0.9 I wonder to know can I proxy incoming PAP request as outgoing PEAP/TTLS requests? That is, RADIUS supplicants ---------PAP-------> freeradius server --------PEAP or TTLS-----> another RADIUS server If it is, what configuration I should config? Thanks a lot. This email and any files transmitted with it may contain information of ZyXEL Communications Corporation that are privileged / confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the named addressee you should not disseminate, disclose, distribute, copy, or use this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.
On 21 Sep 2015, at 09:49, Ian Chang-張志邦 <Ian.Chang@zyxel.com.tw> wrote:
Hi,
I have a question about proxy requests on freeradius 3.0.9 I wonder to know can I proxy incoming PAP request as outgoing PEAP/TTLS requests?
No. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Thanks for your reply. Are there any plan to support this in the future release? Thanks. -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+ian.chang=zyxel.com.tw@lists.freeradius.org] On Behalf Of Arran Cudbard-Bell Sent: Monday, September 21, 2015 4:53 PM To: FreeRadius users mailing list Subject: Re: proxy incoming PAP request as outgoing PEAP/TTLS requests
On 21 Sep 2015, at 09:49, Ian Chang-張志邦 <Ian.Chang@zyxel.com.tw> wrote:
Hi,
I have a question about proxy requests on freeradius 3.0.9 I wonder to know can I proxy incoming PAP request as outgoing PEAP/TTLS requests?
No. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2 This email and any files transmitted with it may contain information of ZyXEL Communications Corporation that are privileged / confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the named addressee you should not disseminate, disclose, distribute, copy, or use this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.
On 21 Sep 2015, at 09:59, Ian Chang-張志邦 <Ian.Chang@zyxel.com.tw> wrote:
Thanks for your reply.
Are there any plan to support this in the future release?
No. There's no code in the server to perform the supplicant side of the EAP methods. It would be a significant amount of work, with no benefit for the majority of users. You could look at eapol_test/wpa_supplicant and see if they accept credentials on the command line or via a control socket (I have no idea if they do or not). If they do, you could then call them via rlm_exec. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Hi All, Thanks a lot for your ideas and suggestions. I think I will do this via invoking an external program. Thanks a lot. -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+ian.chang=zyxel.com.tw@lists.freeradius.org] On Behalf Of Arran Cudbard-Bell Sent: Monday, September 21, 2015 5:10 PM To: FreeRadius users mailing list Subject: Re: proxy incoming PAP request as outgoing PEAP/TTLS requests
On 21 Sep 2015, at 09:59, Ian Chang-張志邦 <Ian.Chang@zyxel.com.tw> wrote:
Thanks for your reply.
Are there any plan to support this in the future release?
No. There's no code in the server to perform the supplicant side of the EAP methods. It would be a significant amount of work, with no benefit for the majority of users. You could look at eapol_test/wpa_supplicant and see if they accept credentials on the command line or via a control socket (I have no idea if they do or not). If they do, you could then call them via rlm_exec. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2 This email and any files transmitted with it may contain information of ZyXEL Communications Corporation that are privileged / confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the named addressee you should not disseminate, disclose, distribute, copy, or use this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.
On 21-09-15 10:49, Ian Chang-張志邦 wrote:
Hi,
I have a question about proxy requests on freeradius 3.0.9 I wonder to know can I proxy incoming PAP request as outgoing PEAP/TTLS requests? That is, RADIUS supplicants ---------PAP-------> freeradius server --------PEAP or TTLS-----> another RADIUS server
If it is, what configuration I should config? Thanks a lot.
You could try to compile eapol_test (see http://deployingradius.com/scripts/eapol_test/), use rlm_exec to call the eapol_test executable when receiving a PAP request, and do something with the return value to decide if you have to send an Access-Accept or an Access-Reject. Sounds like a terrible hack though. -- Herwin Weststrate
On 21-09-15 11:21, A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
oh , it is. if the worry is the insecurity of PAP being sent upstream, then make the upstream connection a RADSEC connection.
Another use case I could think of is that the remote RADIUS server does not accept PAP authentications. I remember that the Microsoft RADIUS (NPS?) did only accept PEAP by default, it could be configured to accept MSCHAPv2 as well, but I don't remember we ever could make it to accept PAP. But I don't think this is the reason here, since it doesn't accept TTLS. -- Herwin Weststrate
Hi,
Another use case I could think of is that the remote RADIUS server does not accept PAP authentications. I remember that the Microsoft RADIUS (NPS?) did only accept PEAP by default, it could be configured to accept MSCHAPv2 as well, but I don't remember we ever could make it to accept PAP. But I don't think this is the reason here, since it doesn't accept TTLS.
making NPS accept PAP requests is quite easy - its part of the connection policy. why you'd want to do such a thing is another matter altogether....the server makes it quite clear that its a dangerous thing to do when you do enable PAP are you sure...are you really sure? ;-) alan
Hi,
Another use case I could think of is that the remote RADIUS server does
another use case that *I* could think of its another attempted MITM attack against eg 802.1X systems....one in particular I am closely connected to. Present a captive portal.... get people to login using user/pass - the upstream servers are configured to reject non EAP methods so you dont know if such things are true details.... but if you converted that PAP request to an EPA method...... alan
Hi Alan, This is exactly we would like to do. captive portal ------PAP-----> freeradius server ----PEAP/TTLS------> another radius server As you said, it is a dangerous thing to accept PAP and it is not enabled on NPS by default. Hence, we would like to proxy the PAP requests as PEAP/TTLS requests. It is better that we could authenticate with the upstream server in the tunnel. Thanks a lot. -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+ian.chang=zyxel.com.tw@lists.freeradius.org] On Behalf Of A.L.M.Buxey@lboro.ac.uk Sent: Monday, September 21, 2015 10:48 PM To: FreeRadius users mailing list Subject: Re: proxy incoming PAP request as outgoing PEAP/TTLS requests Hi,
Another use case I could think of is that the remote RADIUS server does
another use case that *I* could think of its another attempted MITM attack against eg 802.1X systems....one in particular I am closely connected to. Present a captive portal.... get people to login using user/pass - the upstream servers are configured to reject non EAP methods so you dont know if such things are true details.... but if you converted that PAP request to an EPA method...... alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html This email and any files transmitted with it may contain information of ZyXEL Communications Corporation that are privileged / confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the named addressee you should not disseminate, disclose, distribute, copy, or use this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.
On Sep 21, 2015, at 8:57 PM, Ian Chang-張志邦 <Ian.Chang@zyxel.com.tw> wrote:
This is exactly we would like to do. captive portal ------PAP-----> freeradius server ----PEAP/TTLS------> another radius server
OK....
As you said, it is a dangerous thing to accept PAP and it is not enabled on NPS by default.
That isn't true.
Hence, we would like to proxy the PAP requests as PEAP/TTLS requests. It is better that we could authenticate with the upstream server in the tunnel.
No. That's not true, either. The whole point of EAP is that NO ONE outside of the end user, and home server know what the password is. The access point doesn't know it. The intermediate proxies don't know it. Since the captive portal already sees the PAP password, adding EAP is useless. It's *worse* than useless because it's adding complexity for no benefit. This is like saying "locks as good. But my house is old, and doesn't have a lock on the front door. So I'll put a lock on the floor beside my bed. That will help!" No, it won't help. Alan DeKok.
Hi Alan, Thanks for your comment. Actually, the captive portal backend service and the freeradius server are on the same device. We would like to transfer the requests as PEAP/TTLS before the requests go out the device. Thanks a lot. -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+ian.chang=zyxel.com.tw@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Tuesday, September 22, 2015 9:02 AM To: FreeRadius users mailing list Subject: Re: proxy incoming PAP request as outgoing PEAP/TTLS requests On Sep 21, 2015, at 8:57 PM, Ian Chang-張志邦 <Ian.Chang@zyxel.com.tw> wrote:
This is exactly we would like to do. captive portal ------PAP-----> freeradius server ----PEAP/TTLS------> another radius server
OK....
As you said, it is a dangerous thing to accept PAP and it is not enabled on NPS by default.
That isn't true.
Hence, we would like to proxy the PAP requests as PEAP/TTLS requests. It is better that we could authenticate with the upstream server in the tunnel.
No. That's not true, either. The whole point of EAP is that NO ONE outside of the end user, and home server know what the password is. The access point doesn't know it. The intermediate proxies don't know it. Since the captive portal already sees the PAP password, adding EAP is useless. It's *worse* than useless because it's adding complexity for no benefit. This is like saying "locks as good. But my house is old, and doesn't have a lock on the front door. So I'll put a lock on the floor beside my bed. That will help!" No, it won't help. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html This email and any files transmitted with it may contain information of ZyXEL Communications Corporation that are privileged / confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the named addressee you should not disseminate, disclose, distribute, copy, or use this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.
Hi, Is it better do this in pam_radius_auth? Thanks a lot. -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+ian.chang=zyxel.com.tw@lists.freeradius.org] On Behalf Of Ian Chang-張志邦 Sent: Tuesday, September 22, 2015 9:25 AM To: FreeRadius users mailing list Subject: RE: proxy incoming PAP request as outgoing PEAP/TTLS requests Hi Alan, Thanks for your comment. Actually, the captive portal backend service and the freeradius server are on the same device. We would like to transfer the requests as PEAP/TTLS before the requests go out the device. Thanks a lot. -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+ian.chang=zyxel.com.tw@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Tuesday, September 22, 2015 9:02 AM To: FreeRadius users mailing list Subject: Re: proxy incoming PAP request as outgoing PEAP/TTLS requests On Sep 21, 2015, at 8:57 PM, Ian Chang-張志邦 <Ian.Chang@zyxel.com.tw> wrote:
This is exactly we would like to do. captive portal ------PAP-----> freeradius server ----PEAP/TTLS------> another radius server
OK....
As you said, it is a dangerous thing to accept PAP and it is not enabled on NPS by default.
That isn't true.
Hence, we would like to proxy the PAP requests as PEAP/TTLS requests. It is better that we could authenticate with the upstream server in the tunnel.
No. That's not true, either. The whole point of EAP is that NO ONE outside of the end user, and home server know what the password is. The access point doesn't know it. The intermediate proxies don't know it. Since the captive portal already sees the PAP password, adding EAP is useless. It's *worse* than useless because it's adding complexity for no benefit. This is like saying "locks as good. But my house is old, and doesn't have a lock on the front door. So I'll put a lock on the floor beside my bed. That will help!" No, it won't help. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html This email and any files transmitted with it may contain information of ZyXEL Communications Corporation that are privileged / confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the named addressee you should not disseminate, disclose, distribute, copy, or use this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html This email and any files transmitted with it may contain information of ZyXEL Communications Corporation that are privileged / confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the named addressee you should not disseminate, disclose, distribute, copy, or use this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.
On Sep 21, 2015, at 9:25 PM, Ian Chang-張志邦 <Ian.Chang@zyxel.com.tw> wrote:
Actually, the captive portal backend service and the freeradius server are on the same device. We would like to transfer the requests as PEAP/TTLS before the requests go out the device.
That's still a bad idea. If you need secure communication between the captive portal and the RADIUS server, use IPSec. Or RADIUS over TLS. You would be MUCH better off using a RADIUS proxy on the captive portal to use RADIUS over TLS, then use a RADIUS proxy next to NPS which receives the TLS connection, and then sends PAP to NPS. That is using the protocols the way they are intended to be used. Changing PAP to PEAP / TTLS is the wrong thing to use. You can get the same benefit with fewer problems by using RADIUS over TLS. Alan DeKok.
Hi,
I have a question about proxy requests on freeradius 3.0.9 I wonder to know can I proxy incoming PAP request as outgoing PEAP/TTLS requests? That is, RADIUS supplicants ---------PAP-------> freeradius server --------PEAP or TTLS-----> another RADIUS server
you cant. well, you can by doing something funky, using an external program such as wpa_supplicant in the exec section of the first hop RADIUS server and target that request to the 'another RADIUS server; - basically a MITM alan
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Arran Cudbard-Bell -
Herwin Weststrate -
Ian Chang-張志邦