Date: Tue, 03 Jul 2007 22:20:57 +0100 From: Arran Cudbard-Bell <A.Cudbard-Bell@sussex.ac.uk> Subject: Re: RADIUS & PEAP To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <468ABDB9.3080801@sussex.ac.uk> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
If your using the Windows supplicant (which nearly everyone is, despite it's nastyness), and want passwordless authentication using EAP, your only other solution is to set up local PKI (public key infrastructure), and start issuing client certificates, and use EAP-PEAP-TLS (Microsofts version of EAP TLS).
What you're attempting to do is impossible because MS-CHAP is a mutual authentication protocol. If the RADIUS server does not demonstrate knowledge of the password to the supplicant, a well-behaved the supplicant *should* refuse the connection.(I also wouldn't be surprised if the RADIUS server >barfs because it can't get a valid user-password in order to construct the authentication response but I can't comment authoritatively on this).
Finally, you can't authenticate MS-CHAP against /etc/passwd or /etc/shadow; MS-CHAP >requires access to the cleartext password or its NTLM hash.
Thanks for the response. I was afraid that what I was attempting was impossible. I had been trying to use PEAP rather than TTLS because PEAP is supported natively by windows, but I've switched to TTLS, using the w2secure TTLS client for windows. I followed the instructions on the freeradius site for configuring system authentication with TTLS and EAP-MD5, but I am getting the error 'rlm_unix: Attribute "User-Password" is required for authentication'. When a run 'radtest' locally, I can authenticate properly. I have copied the output from radiusd -X below. Thank you for your help! -Adrienne radiusd -X [root@CentOSTest raddb]# radiusd -fX Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: user = "root" main: group = "root" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" pap: auto_header = no Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "/etc/passwd" unix: shadow = "/etc/shadow" unix: group = "/etc/group" unix: radwtmp = "/usr/local/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "ttls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem" tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem" tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem" tls: private_key_password = "whatever" tls: dh_file = "/usr/local/etc/raddb/certs/dh" tls: random_file = "/usr/local/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls ttls: default_eap_type = "md5" ttls: copy_request_to_tunnel = no ttls: use_tunneled_reply = no rlm_eap: Loaded and initialized type ttls mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" preprocess: hints = "/usr/local/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/usr/local/etc/raddb/users" files: acctusersfile = "/usr/local/etc/raddb/acct_users" files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/usr/local/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 160.39.105.254:32769, id=81, length=153 User-Name = "testuser" NAS-IP-Address = 160.39.105.254 NAS-Port = 4097 Called-Station-Id = "00-90-0B-0A-9D-1C:mins" Calling-Station-Id = "00-12-F0-7B-48-E7" Framed-MTU = 900 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT Unknown radio" EAP-Message = 0x0201000d017465737475736572 Message-Authenticator = 0x66faae1fa2563d763c27ceb6b6ef98e9 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 1 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 76 modcall[authorize]: module "files" returns ok for request 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_unix: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "unix" returns invalid for request 0 modcall: leaving group authenticate (returns invalid) for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request
josh.
-----Original Message-----
From: freeradius-users-bounces+josh.howlett=ja.net@lists.freeradius. org [mailto:freeradius-users-bounces+josh.howlett=ja.net@lists.fre
eradius.org] On Behalf Of Adrienne Rau
Sent: 03 July 2007 19:30 To: freeradius-users@lists.freeradius.org Subject: RADIUS & PEAP
I am configuring a wireless network with EAP Authentication. I can connect successfully with the following line in my users file.
testuser User-Password == "testing"
I would like to be able to authenticate with ANY password. I tried using the "!=" operand, but that causes an MS-CHAP incorrect response error. Is there any way to make EAP authenticate with any password. If not, how can I have it authenticate against the /etc/passwd and /etc/shadow files?
Thank you for your help, Adrienne Rau
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Adrienne Rau
users: Matched entry DEFAULT at line 76
rad_check_password: Found Auth-Type System auth: type "System"
It looks like you have a DEFAULT entry in your users file setting Auth-Type System that's breaking EAP. Remove it. Ivan Kalik Kalik Informatika ISP
Thanks for the response. I was afraid that what I was attempting was impossible. I had been trying to use PEAP rather than TTLS because PEAP is supported natively by windows, but I've switched to TTLS, using the w2secure TTLS client for windows. I followed the instructions on the freeradius site for configuring system authentication with TTLS and EAP-MD5, but I am getting the error 'rlm_unix: Attribute "User-Password" is required for authentication'. When a run 'radtest' locally, I can authenticate properly. I have copied the output from radiusd -X below.
Thank you for your help!
-Adrienne
participants (2)
-
Adrienne Rau -
tnt@kalik.co.yu