EAP-TTLS/PAP with realm - <no User-Password attribute>
I am trying to set up a working EAP-TTLS/PAP demo using FreeRadius 2.2.6 on top of CentOS6. For simplicity, I would like to use PAP and statically define Cleartext-Password for users in the users file. But I also would like to be able to authenticate using full realm since I plan on using realm for testing some routing. I currently have this working for basic radius by stripping the realm and then using Cleartext-Password from the users file ... however, when I went to put the same setup through EAP TTLS, I'm now having problems and getting a no User-Password attribute dispite supplying one the same one from radtest but using rad_eap_test. Sun Mar 13 13:06:32 2016 : Auth: Login incorrect: [bob/<via Auth-Type = EAP>] (from client localhost port 58 cli fcdbb33f581d) Sun Mar 13 13:06:33 2016 : Auth: Login incorrect (Home Server says so): [ bob@rgorrell.net/<no User-Password attribute>] (from client raddev port 58 cli fcdbb33f581d) While researching, I came across a theory that sounds fitting to my situation... upon receiving a username qualified by a realm, FreeRadius will strip the realm off before matching the username. This results in the User-Name being modified to be different to the EAP Identity field before being sent for actual authenticating. This results in FreeRadius issueing a rejection due to the mismatch between the two fields. Does that sound right? If so, I'm not sure what I can do about it... I can't nostrip the username as then I won't be able to authenticate via PAP. but I can't login identically matching my users file (ie no realm), because I need the realm for routing. Suggestions? Thanks, -Rob
Rob, Can you show us the full debug log of the home server (I'm assuming you are running that in debug mode)? Thanks! Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Networkshop44, University of Manchester. Save the date: 22-24 March, 2016. #NWS44 Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc¹s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200. On 13/03/2016 19:38, "Freeradius-Users on behalf of Rob Gorrell" <freeradius-users-bounces+stefan.paetow=jisc.ac.uk@lists.freeradius.org on behalf of rwgorrel@uncg.edu> wrote:
I am trying to set up a working EAP-TTLS/PAP demo using FreeRadius 2.2.6 on top of CentOS6. For simplicity, I would like to use PAP and statically define Cleartext-Password for users in the users file. But I also would like to be able to authenticate using full realm since I plan on using realm for testing some routing. I currently have this working for basic radius by stripping the realm and then using Cleartext-Password from the users file ... however, when I went to put the same setup through EAP TTLS, I'm now having problems and getting a no User-Password attribute dispite supplying one the same one from radtest but using rad_eap_test.
Sun Mar 13 13:06:32 2016 : Auth: Login incorrect: [bob/<via Auth-Type = EAP>] (from client localhost port 58 cli fcdbb33f581d) Sun Mar 13 13:06:33 2016 : Auth: Login incorrect (Home Server says so): [ bob@rgorrell.net/<no User-Password attribute>] (from client raddev port 58 cli fcdbb33f581d)
While researching, I came across a theory that sounds fitting to my situation... upon receiving a username qualified by a realm, FreeRadius will strip the realm off before matching the username. This results in the User-Name being modified to be different to the EAP Identity field before being sent for actual authenticating. This results in FreeRadius issueing a rejection due to the mismatch between the two fields.
Does that sound right? If so, I'm not sure what I can do about it... I can't nostrip the username as then I won't be able to authenticate via PAP. but I can't login identically matching my users file (ie no realm), because I need the realm for routing.
Suggestions? Thanks, -Rob - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
rad_recv: Access-Request packet from host X.X.X.X port 60228, id=0, length=143 User-Name = "bob@rgorrell.net" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "rad_eap_test + eapol_test" EAP-Message = 0x0200001501626f624072676f7272656c6c2e6e6574 Message-Authenticator = 0x4f289c2272a467016443cfb6451893d6 # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "rgorrell.net" for User-Name = "bob@rgorrell.net" [suffix] Found realm "rgorrell.net" [suffix] Adding Stripped-User-Name = "bob" [suffix] Adding Realm = "rgorrell.net" [suffix] Proxying request from user bob to realm rgorrell.net [suffix] Preparing to proxy authentication request to realm "rgorrell.net" ++[suffix] = updated [eap] Request is supposed to be proxied to Realm rgorrell.net. Not doing EAP. ++[eap] = noop ++[files] = noop ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated WARNING: Empty pre-proxy section. Using default return values. Sending Access-Request of id 162 to 127.0.0.1 port 1812 User-Name = "bob" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "rad_eap_test + eapol_test" EAP-Message = 0x0200001501626f624072676f7272656c6c2e6e6574 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x30 Proxying request 0 to home server 127.0.0.1 port 1812 Sending Access-Request of id 162 to 127.0.0.1 port 1812 User-Name = "bob" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "rad_eap_test + eapol_test" EAP-Message = 0x0200001501626f624072676f7272656c6c2e6e6574 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x30 Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=162, length=133 User-Name = "bob" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "rad_eap_test + eapol_test" EAP-Message = 0x0200001501626f624072676f7272656c6c2e6e6574 Message-Authenticator = 0x07dbdd4ec778378a16cdaa6a93788d62 Proxy-State = 0x30 # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 0 length 21 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Identity (bob@rgorrell.net) does not match User-Name (bob). Authentication failed. [eap] Failed in handler ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Login incorrect: [bob/<via Auth-Type = EAP>] (from client localhost port 0 cli 70-6F-6C-69-73-68) Using Post-Auth-Type REJECT # Executing group from file /etc/raddb/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> bob attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 162 to 127.0.0.1 port 1814 Proxy-State = 0x30 Waking up in 4.9 seconds. rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=162, length=23 Proxy-State = 0x30 # Executing section post-proxy from file /etc/raddb/sites-enabled/default +group post-proxy { [eap] No pre-existing handler found ++[eap] = noop +} # group post-proxy = noop Login incorrect (Home Server says so): [bob@rgorrell.net/<no User-Password attribute>] (from client raddev port 0 cli 70-6F-6C-69-73-68) Using Post-Auth-Type REJECT # Executing group from file /etc/raddb/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> bob@rgorrell.net attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Sending Access-Reject of id 0 to X.X.X.X port 60228 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 1 ID 162 with timestamp +9 Cleaning up request 0 ID 0 with timestamp +9 Ready to process requests. On Sun, Mar 13, 2016 at 4:32 PM, Stefan Paetow <Stefan.Paetow@jisc.ac.uk> wrote:
Rob,
Can you show us the full debug log of the home server (I'm assuming you are running that in debug mode)?
Thanks!
Stefan Paetow Moonshot Industry & Research Liaison Coordinator
t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet
jisc.ac.uk
Networkshop44, University of Manchester. Save the date: 22-24 March, 2016. #NWS44
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc¹s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
On 13/03/2016 19:38, "Freeradius-Users on behalf of Rob Gorrell" <freeradius-users-bounces+stefan.paetow=jisc.ac.uk@lists.freeradius.org on behalf of rwgorrel@uncg.edu> wrote:
I am trying to set up a working EAP-TTLS/PAP demo using FreeRadius 2.2.6 on top of CentOS6. For simplicity, I would like to use PAP and statically define Cleartext-Password for users in the users file. But I also would like to be able to authenticate using full realm since I plan on using realm for testing some routing. I currently have this working for basic radius by stripping the realm and then using Cleartext-Password from the users file ... however, when I went to put the same setup through EAP TTLS, I'm now having problems and getting a no User-Password attribute dispite supplying one the same one from radtest but using rad_eap_test.
Sun Mar 13 13:06:32 2016 : Auth: Login incorrect: [bob/<via Auth-Type = EAP>] (from client localhost port 58 cli fcdbb33f581d) Sun Mar 13 13:06:33 2016 : Auth: Login incorrect (Home Server says so): [ bob@rgorrell.net/<no User-Password attribute>] (from client raddev port 58 cli fcdbb33f581d)
While researching, I came across a theory that sounds fitting to my situation... upon receiving a username qualified by a realm, FreeRadius will strip the realm off before matching the username. This results in the User-Name being modified to be different to the EAP Identity field before being sent for actual authenticating. This results in FreeRadius issueing a rejection due to the mismatch between the two fields.
Does that sound right? If so, I'm not sure what I can do about it... I can't nostrip the username as then I won't be able to authenticate via PAP. but I can't login identically matching my users file (ie no realm), because I need the realm for routing.
Suggestions? Thanks, -Rob - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Robert W. Gorrell Systems Architect, Identity and Access Management University of NC at Greensboro 336-334-5954 PGP Key ID B36DB0CA
Hi, you are proxying the request (entry in proxy.conf) to local....with default options - so its stripping the realm. the failure then occurs because the realm doesnt exist and the server is looking at auth options and finding none with suitable password
++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop
what you probably want is 'nostrip' in the proxy definition along with suitable auth methods in the inner-tunnel virtual server alan
So when I try nostrip in my "realm rgorrell.net {" definition inside proxy.conf, I get what appears to be an infinite loop and a bunch of zombie messages out of the log file. My inner-tunnel virtual server has authorize pap and authenticate Auth-Type PAP. I'm very much an new at setting up EAP, so most certainly I'm still doing something wrong, but for the pieces just aren't making clicking for me yet. any clarification you could provide me on "with suitable auth methods in the inner-tunnel virtual server"I would appreciate. Thanks -Rob On Mon, Mar 14, 2016 at 6:10 AM, <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
you are proxying the request (entry in proxy.conf) to local....with default options - so its stripping the realm. the failure then occurs because the realm doesnt exist and the server is looking at auth options and finding none with suitable password
++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop
what you probably want is 'nostrip' in the proxy definition along with suitable auth methods in the inner-tunnel virtual server
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Robert W. Gorrell Systems Architect, Identity and Access Management University of NC at Greensboro 336-334-5954 PGP Key ID B36DB0CA
On Mar 14, 2016, at 7:54 PM, Rob Gorrell <rwgorrel@uncg.edu> wrote:
So when I try nostrip in my "realm rgorrell.net {" definition inside proxy.conf, I get what appears to be an infinite loop and a bunch of zombie messages out of the log file.
Except you didn't configure it for that realm and "nostrip". You configured it to proxy that realm back to localhost. Which creates an infinite loop. Don't do that. If you want a realm to be handled as a local realm, just add this to proxy.conf: realm rgorrel.net { } That's it.
I'm very much an new at setting up EAP, so most certainly I'm still doing something wrong, but for the pieces just aren't making clicking for me yet. any clarification you could provide me on "with suitable auth methods in the inner-tunnel virtual server"I would appreciate.
Follow the instructions on http://deployingradius.com. It WILL work. That web site contains detailed instructions on what to do, and why it works. Alan DeKok.
Ah, thank you Alan, I see and understand what I did wrong. after making that slight change, I'm getting Access-Accepts through eapol_test's now. Thanks for your patience and help in understanding freeradius. -Rob On Mon, Mar 14, 2016 at 8:03 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Mar 14, 2016, at 7:54 PM, Rob Gorrell <rwgorrel@uncg.edu> wrote:
So when I try nostrip in my "realm rgorrell.net {" definition inside proxy.conf, I get what appears to be an infinite loop and a bunch of
zombie
messages out of the log file.
Except you didn't configure it for that realm and "nostrip". You configured it to proxy that realm back to localhost. Which creates an infinite loop.
Don't do that.
If you want a realm to be handled as a local realm, just add this to proxy.conf:
realm rgorrel.net { }
That's it.
I'm very much an new at setting up EAP, so most certainly I'm still doing something wrong, but for the pieces just aren't making clicking for me yet. any clarification you could provide me on "with suitable auth methods in the inner-tunnel virtual server"I would appreciate.
Follow the instructions on http://deployingradius.com. It WILL work.
That web site contains detailed instructions on what to do, and why it works.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Robert W. Gorrell Systems Architect, Identity and Access Management University of NC at Greensboro 336-334-5954 PGP Key ID B36DB0CA
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Rob Gorrell -
Stefan Paetow