Hi, I have a working configuration of FreeRADIUS configured for EAP-TLS. I´m trying to add support for EAP-TTLS and I want to proxy the username and password of the inner TTLS session to another Radius-Server. Client doing TTLS --> FreeRADIUS --> 3rd-Party Backend-Server with database of Users Forwarding of the packets is working. The Access-Request that FreeRADIUS sends to the backend-server uses the username entered at the client, but no password at all. If i add User-Password := "validpassword" to preproxy_users, where "validpassword" is the valid password for the given username on the Backend-Server, everything works. What do I have to change, to use the password transmitted in the TTLS-Tunnel? Or do I have fundamental errors in my idea of how to do this? Any help is very welcome. Greetings, Wolfgang Burger <burgerw@immunbio.mpg.de> Max-Planck-Institut fuer Immunbiologie Scientific Data Processing Unit (+00 49) 761 / 5108 461 Stuebeweg 51 D-79108 Freiburg Germany
Wolfgang Burger wrote:
I´m trying to add support for EAP-TTLS and I want to proxy the username and password of the inner TTLS session to another Radius-Server.
That should work.
Client doing TTLS --> FreeRADIUS --> 3rd-Party Backend-Server with database of Users
Forwarding of the packets is working. The Access-Request that FreeRADIUS sends to the backend-server uses the username entered at the client, but no password at all. If i add User-Password := "validpassword" to preproxy_users, where "validpassword" is the valid password for the given username on the Backend-Server, everything works.
Does the tunnel contain a clear-text password? Debug mode will show this.
What do I have to change, to use the password transmitted in the TTLS-Tunnel? Or do I have fundamental errors in my idea of how to do this?
Run the server in debugging mode to see what it's doing, and post the output here. Alan DeKok.
Am 02.11.2007 um 14:58 schrieb Alan DeKok:
Does the tunnel contain a clear-text password? Debug mode will show this.
What do I have to change, to use the password transmitted in the TTLS-Tunnel? Or do I have fundamental errors in my idea of how to do this?
Run the server in debugging mode to see what it's doing, and post the output here.
The output: mac339:~ system$ sudo radiusd -X FreeRADIUS Version 2.0.0-pre2, for host powerpc-apple-darwin8.10.0, built on Oct 5 2007 at 16:14:01 Copyright (C) 2000-2007 The FreeRADIUS server project. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. Config: including file: //etc/raddb/radiusd.conf Config: including file: //etc/raddb/proxy.conf Config: including file: //etc/raddb/clients.conf Config: including file: //etc/raddb/snmp.conf Config: including file: //etc/raddb/eap.conf Config: including file: //etc/raddb/sql.conf Config: including file: //etc/raddb/sql/mysql/dialup.conf Config: including file: //etc/raddb/sql/mysql/counter.conf Config: including files in directory: //etc/raddb/sites-enabled/ Config: including file: //etc/raddb/sites-enabled/default Starting - reading configuration files ... read_config_files: reading dictionary main { prefix = "/" localstatedir = "//var" logdir = "//var/log/radius" libdir = "//lib" radacctdir = "//var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no log_stripped_names = no log_file = "//var/log/radius/radius.log" log_auth = no log_auth_badpass = no log_auth_goodpass = no pidfile = "//var/run/radiusd/radiusd.pid" checkrad = "//sbin/checkrad" debug_level = 0 proxy_requests = yes log { syslog_facility = "daemon" } proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } home_server dras_server { ipaddr = XXX.XXX.XXX.XXX IP address [XXX.XXX.XXX.XXX] port = 1645 type = "auth" secret = "XXX" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "none" ping_check = "none" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } server_pool dras_pool { type = fail-over home_server = dras_server } realm dras { auth_pool = dras_pool } home_server localhost { ipaddr = 127.0.0.1 IP address [127.0.0.1] port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_check = "none" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } listen { type = "auth" ipaddr = * port = 0 client 192.168.1.24 { secret = "XXX.XXX.XXX.XXX" shortname = "netgear1" } client 192.168.1.132 { secret = "XXX.XXX.XXX.XXX" shortname = "netgear2" } client 192.168.1.133 { secret = "XXX.XXX.XXX.XXX" shortname = "netgear3" } } listen { type = "acct" ipaddr = * port = 0 } radiusd: entering modules setup radiusd: Library search path is /lib instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = "request" shell_escape = yes } rlm_exec: wait=yes but no output defined. Did you mean output=none? Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } server { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no use_open_directory = yes } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "//var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no } eap: Linked to sub-module rlm_eap_md5 eap: Instantiating eap-md5 eap: Linked to sub-module rlm_eap_leap eap: Instantiating eap-leap eap: Linked to sub-module rlm_eap_gtc eap: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } eap: Linked to sub-module rlm_eap_tls eap: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/1x/Mac339.pem" certificate_file = "/etc/1x/Mac339.pem" CA_file = "/etc/1x/root.pem" private_key_password = "password" dh_file = "/etc/1x/DH" random_file = "/etc/1x/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/1x/bootstrap" } rlm_eap_tls: Loading the certificate file as a chain WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may not work! WARNING: Fix this by running the OpenSSL command listed in eap.conf eap: Linked to sub-module rlm_eap_ttls eap: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no } eap: Linked to sub-module rlm_eap_peap eap: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes } eap: Linked to sub-module rlm_eap_mschapv2 eap: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "//etc/raddb/huntgroups" hints = "//etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "//etc/raddb/users" acctusersfile = "//etc/raddb/acct_users" preproxy_usersfile = "//etc/raddb/preproxy_users" compat = "no" } Module: Linked to module rlm_passwd Module: Instantiating userlist passwd userlist { filename = "/etc/raddb/userlist" format = "*User-Name:User-Password" delimiter = ":" ignorenislike = yes ignoreempty = yes allowmultiplekeys = no hashsize = 100 } rlm_passwd: nfields: 2 keyfield 0(User-Name) listable: no Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "//var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "//var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "//etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking pre-proxy {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "//etc/raddb/attrs.access_reject" key = "%{User-Name}" } } } Initializing the thread pool... Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. Nothing to do. Sleeping until we see a request. ####################################### The Request:############################ ####################################### rad_recv: Access-Request packet from host 192.168.1.24 port 1030, id=2, length=174 Message-Authenticator = 0x36e3c475bff42def9ec2405cacfa23d3 Service-Type = Framed-User User-Name = "burgerw" Framed-MTU = 1488 Called-Station-Id = "00184DFCC7B8:Test-U" Calling-Station-Id = "0017F2ECCC75" NAS-Identifier = "netgear1" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200000c0162757267657277 NAS-IP-Address = 192.168.1.24 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound rlm_realm: No '@' in User-Name = "burgerw", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 0 length 12 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated expand: %{Called-Station-Id} -> 00184DFCC7B8:Test-U users: Matched entry DEFAULT at line 3 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[userlist] returns notfound ++[pap] returns noop +- entering group pre-proxy preproxy_users: Matched entry DEFAULT at line 25 ++[files] returns ok Sending Access-Request of id 196 to XXX.XXX.XXX.XXX port 1645 Message-Authenticator = 0x00000000000000000000000000000000 Service-Type = Framed-User User-Name = "burgerw" Framed-MTU = 1488 Called-Station-Id = "00184DFCC7B8:Test-U" Calling-Station-Id = "0017F2ECCC75" NAS-Identifier := "10.1.3.139" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200000c0162757267657277 NAS-IP-Address = 192.168.1.24 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Proxy-State = 0x32 Proxying request 13 to realm dras, home server XXX.XXX.XXX.XXX port 1645 Sending Access-Request of id 196 to XXX.XXX.XXX.XXX port 1645 Message-Authenticator = 0x00000000000000000000000000000000 Service-Type = Framed-User User-Name = "burgerw" Framed-MTU = 1488 Called-Station-Id = "00184DFCC7B8:Test-U" Calling-Station-Id = "0017F2ECCC75" NAS-Identifier := "10.1.3.139" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200000c0162757267657277 NAS-IP-Address = 192.168.1.24 NAS-Port = 1 NAS-Port-Id = "STA port # 1" EAP-Type = Identity Realm = "dras" Proxy-State = 0x32 Going to the next request Waking up in 19 seconds... rad_recv: Access-Reject packet from host XXX.XXX.XXX.XXX port 1645, id=196, length=40 Reply-Message = "\r\ninvalid password" +- entering group post-proxy ++[eap] returns noop Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> burgerw attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 13 for 1 seconds Going to the next request rad_recv: Access-Request packet from host 192.168.1.24 port 1030, id=2, length=174 Waiting to send Access-Reject to client netgear1 port 1030 - ID: 2 Sending delayed reject for request 13 Sending Access-Reject of id 2 to 192.168.1.24 port 1030 Reply-Message = "\r\ninvalid password" Waking up in 4 seconds... Cleaning up request 13 ID 2 with timestamp +7693 Nothing to do. Sleeping until we see a request. Thank you for your help Alan. I wish any commercial product would have a support as good as yours. Wolfgang Burger <burgerw@immunbio.mpg.de> Max-Planck-Institut fuer Immunbiologie Scientific Data Processing Unit (+00 49) 761 / 5108 461 Stuebeweg 51 D-79108 Freiburg Germany
Reject after first request means that remote server wasn't doing EAP. Ivan Kalik Kalik Informatika ISP Dana 2/11/2007, "Wolfgang Burger" <burgerw@immunbio.mpg.de> piše:
Am 02.11.2007 um 14:58 schrieb Alan DeKok:
Does the tunnel contain a clear-text password? Debug mode will show this.
What do I have to change, to use the password transmitted in the TTLS-Tunnel? Or do I have fundamental errors in my idea of how to do this?
Run the server in debugging mode to see what it's doing, and post the output here.
The output:
mac339:~ system$ sudo radiusd -X FreeRADIUS Version 2.0.0-pre2, for host powerpc-apple-darwin8.10.0, built on Oct 5 2007 at 16:14:01 Copyright (C) 2000-2007 The FreeRADIUS server project. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. Config: including file: //etc/raddb/radiusd.conf Config: including file: //etc/raddb/proxy.conf Config: including file: //etc/raddb/clients.conf Config: including file: //etc/raddb/snmp.conf Config: including file: //etc/raddb/eap.conf Config: including file: //etc/raddb/sql.conf Config: including file: //etc/raddb/sql/mysql/dialup.conf Config: including file: //etc/raddb/sql/mysql/counter.conf Config: including files in directory: //etc/raddb/sites-enabled/ Config: including file: //etc/raddb/sites-enabled/default Starting - reading configuration files ... read_config_files: reading dictionary main { prefix = "/" localstatedir = "//var" logdir = "//var/log/radius" libdir = "//lib" radacctdir = "//var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no log_stripped_names = no log_file = "//var/log/radius/radius.log" log_auth = no log_auth_badpass = no log_auth_goodpass = no pidfile = "//var/run/radiusd/radiusd.pid" checkrad = "//sbin/checkrad" debug_level = 0 proxy_requests = yes log { syslog_facility = "daemon" } proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } home_server dras_server { ipaddr = XXX.XXX.XXX.XXX IP address [XXX.XXX.XXX.XXX] port = 1645 type = "auth" secret = "XXX" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "none" ping_check = "none" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } server_pool dras_pool { type = fail-over home_server = dras_server } realm dras { auth_pool = dras_pool } home_server localhost { ipaddr = 127.0.0.1 IP address [127.0.0.1] port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_check = "none" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } listen { type = "auth" ipaddr = * port = 0 client 192.168.1.24 { secret = "XXX.XXX.XXX.XXX" shortname = "netgear1" } client 192.168.1.132 { secret = "XXX.XXX.XXX.XXX" shortname = "netgear2" } client 192.168.1.133 { secret = "XXX.XXX.XXX.XXX" shortname = "netgear3" } } listen { type = "acct" ipaddr = * port = 0 } radiusd: entering modules setup radiusd: Library search path is /lib instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = "request" shell_escape = yes } rlm_exec: wait=yes but no output defined. Did you mean output=none? Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } server { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no use_open_directory = yes } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "//var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no } eap: Linked to sub-module rlm_eap_md5 eap: Instantiating eap-md5 eap: Linked to sub-module rlm_eap_leap eap: Instantiating eap-leap eap: Linked to sub-module rlm_eap_gtc eap: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } eap: Linked to sub-module rlm_eap_tls eap: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/1x/Mac339.pem" certificate_file = "/etc/1x/Mac339.pem" CA_file = "/etc/1x/root.pem" private_key_password = "password" dh_file = "/etc/1x/DH" random_file = "/etc/1x/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/1x/bootstrap" } rlm_eap_tls: Loading the certificate file as a chain WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may not work! WARNING: Fix this by running the OpenSSL command listed in eap.conf eap: Linked to sub-module rlm_eap_ttls eap: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no } eap: Linked to sub-module rlm_eap_peap eap: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes } eap: Linked to sub-module rlm_eap_mschapv2 eap: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "//etc/raddb/huntgroups" hints = "//etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "//etc/raddb/users" acctusersfile = "//etc/raddb/acct_users" preproxy_usersfile = "//etc/raddb/preproxy_users" compat = "no" } Module: Linked to module rlm_passwd Module: Instantiating userlist passwd userlist { filename = "/etc/raddb/userlist" format = "*User-Name:User-Password" delimiter = ":" ignorenislike = yes ignoreempty = yes allowmultiplekeys = no hashsize = 100 } rlm_passwd: nfields: 2 keyfield 0(User-Name) listable: no Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "//var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "//var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "//etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking pre-proxy {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "//etc/raddb/attrs.access_reject" key = "%{User-Name}" } } } Initializing the thread pool... Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. Nothing to do. Sleeping until we see a request.
####################################### The Request:############################ #######################################
rad_recv: Access-Request packet from host 192.168.1.24 port 1030, id=2, length=174 Message-Authenticator = 0x36e3c475bff42def9ec2405cacfa23d3 Service-Type = Framed-User User-Name = "burgerw" Framed-MTU = 1488 Called-Station-Id = "00184DFCC7B8:Test-U" Calling-Station-Id = "0017F2ECCC75" NAS-Identifier = "netgear1" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200000c0162757267657277 NAS-IP-Address = 192.168.1.24 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound rlm_realm: No '@' in User-Name = "burgerw", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 0 length 12 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated expand: %{Called-Station-Id} -> 00184DFCC7B8:Test-U users: Matched entry DEFAULT at line 3 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[userlist] returns notfound ++[pap] returns noop +- entering group pre-proxy preproxy_users: Matched entry DEFAULT at line 25 ++[files] returns ok Sending Access-Request of id 196 to XXX.XXX.XXX.XXX port 1645 Message-Authenticator = 0x00000000000000000000000000000000 Service-Type = Framed-User User-Name = "burgerw" Framed-MTU = 1488 Called-Station-Id = "00184DFCC7B8:Test-U" Calling-Station-Id = "0017F2ECCC75" NAS-Identifier := "10.1.3.139" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200000c0162757267657277 NAS-IP-Address = 192.168.1.24 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Proxy-State = 0x32 Proxying request 13 to realm dras, home server XXX.XXX.XXX.XXX port 1645 Sending Access-Request of id 196 to XXX.XXX.XXX.XXX port 1645 Message-Authenticator = 0x00000000000000000000000000000000 Service-Type = Framed-User User-Name = "burgerw" Framed-MTU = 1488 Called-Station-Id = "00184DFCC7B8:Test-U" Calling-Station-Id = "0017F2ECCC75" NAS-Identifier := "10.1.3.139" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200000c0162757267657277 NAS-IP-Address = 192.168.1.24 NAS-Port = 1 NAS-Port-Id = "STA port # 1" EAP-Type = Identity Realm = "dras" Proxy-State = 0x32 Going to the next request Waking up in 19 seconds... rad_recv: Access-Reject packet from host XXX.XXX.XXX.XXX port 1645, id=196, length=40 Reply-Message = "\r\ninvalid password" +- entering group post-proxy ++[eap] returns noop Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> burgerw attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 13 for 1 seconds Going to the next request rad_recv: Access-Request packet from host 192.168.1.24 port 1030, id=2, length=174 Waiting to send Access-Reject to client netgear1 port 1030 - ID: 2 Sending delayed reject for request 13 Sending Access-Reject of id 2 to 192.168.1.24 port 1030 Reply-Message = "\r\ninvalid password" Waking up in 4 seconds... Cleaning up request 13 ID 2 with timestamp +7693 Nothing to do. Sleeping until we see a request.
Thank you for your help Alan. I wish any commercial product would have a support as good as yours.
Wolfgang Burger <burgerw@immunbio.mpg.de>
Max-Planck-Institut fuer Immunbiologie Scientific Data Processing Unit (+00 49) 761 / 5108 461 Stuebeweg 51 D-79108 Freiburg Germany - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Am 02.11.2007 um 16:27 schrieb <tnt@kalik.co.yu>:
Reject after first request means that remote server wasn't doing EAP.
Ivan Kalik Kalik Informatika ISP
Exactly. That remote server is´nt even supposed to do. That´s why I´m using FreeRADIUS for the EAP stuff and want to proxy a simple Access-Request to that other server with no EAP or TTLS or whatever in it at all. All that should be in that Request is the username and password transmitted in the original TTLS-tunnel (plus the required protocoll stuff of course). Sorry, that did´nt come out right in the first mail. You wrote earlier:
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := other_server
Does that mean, that FreeRADIUS recieves the EAP-Request, takes the inner TTLS payload and forwards it to itself (localhost) in default? And i can just redirect it to "other_server"? Thanks for your help Regards, Wolfgang Burger
You wrote earlier:
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := other_server
Does that mean, that FreeRADIUS recieves the EAP-Request, takes the inner TTLS payload and forwards it to itself (localhost) in default? And i can just redirect it to "other_server"?
Thanks for your help
Regards, Wolfgang Burger
Yes. Ivan Kalik Kalik Informatika ISP
Wolfgang Burger wrote:
The output:
mac339:~ system$ sudo radiusd -X FreeRADIUS Version 2.0.0-pre2, for host powerpc-apple-darwin8.10.0,
Hmm... grab the latest CVS version. It's now called 2.0.0-beta, and it much better than -pre2. See raddb/sites-available/, and eap.conf for samples of virtual servers. You can control the inner-tunnel authentication COMPLETELY separately from everything else. ...
Sending Access-Request of id 196 to XXX.XXX.XXX.XXX port 1645 ... EAP-Message = 0x0200000c0162757267657277
You've configured it to proxy the OUTER session, not the inner one. $ cd raddb/sites-enabled $ ln -s ../sites-available/inner-tunnel $ cd ../.. $ vi eap.conf (un-comment "virtual_server = inner-tunnel". $ vi sites-available/inner-tunnel In the "authorize" section, add: update control { Proxy-To-Realm := "realm..." } And probably delete everything else from the "authorize" section. This will tell the server to proxy the inner tunnel section to somewhere else...
Thank you for your help Alan. I wish any commercial product would have a support as good as yours.
<g> Some may argue. But they're WRONG! Alan DeKok.
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := other_server Ivan Kalik Kalik Informatika ISP Dana 2/11/2007, "Wolfgang Burger" <burgerw@immunbio.mpg.de> piše:
Hi,
I have a working configuration of FreeRADIUS configured for EAP-TLS.
I´m trying to add support for EAP-TTLS and I want to proxy the username and password of the inner TTLS session to another Radius-Server.
Client doing TTLS --> FreeRADIUS --> 3rd-Party Backend-Server with database of Users
Forwarding of the packets is working. The Access-Request that FreeRADIUS sends to the backend-server uses the username entered at the client, but no password at all. If i add User-Password := "validpassword" to preproxy_users, where "validpassword" is the valid password for the given username on the Backend-Server, everything works.
What do I have to change, to use the password transmitted in the TTLS-Tunnel? Or do I have fundamental errors in my idea of how to do this?
Any help is very welcome.
Greetings,
Wolfgang Burger <burgerw@immunbio.mpg.de>
Max-Planck-Institut fuer Immunbiologie Scientific Data Processing Unit (+00 49) 761 / 5108 461 Stuebeweg 51 D-79108 Freiburg Germany - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
tnt@kalik.co.yu -
Wolfgang Burger