Could use some help setting up freeradius ttls-pap with ldap backend serving NT-passwords
Ok first post here. Howdy.. Name is Arjan. Sorry for the long post in advance. Currently our small school is running a mac osx tiger file/web server with radius slapped onto it. As the server is getting old, I've been asked to configure a new server. (Dell 720 running Ubuntu 14.10.) Clients are numerous formats (BYOD) but mainly osx and windows machines. Testing virtually at home atm. The Apache, LDAP and Samba part are fine for me. But freeradius is really tough.. Can use some help. Trying to get a EAP-TTLS with PAP working, as that was what we had before. Users are supposed to login with their username and password. No user certificates. Doing a pap or mschap from server terminal is fine, which means the connection to ldap seems to be working. Doing TTLS-PAP from android phone gives errors. The mailing list won't allow me to post my full config and output. (>100KB) so I've put it up at a website : http://www.audiodude.nl/ldapconfig.txt Here a few excerpts: radtest -t mschap arjan Mypassword^3 localhost 0 mypassword ends with : Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 44458, id=134, length=131 User-Name = "arjan" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Message-Authenticator = 0xe851266b3b6672aed5d53caecf5421b9 MS-CHAP-Challenge = 0x6e5a7c9078ec9181 MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000e8c0afd962f70b27eae06ed24a3fd2e53950c029a26de960 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok ++[digest] returns noop [suffix] No '@' in User-Name = "arjan", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [ldap] performing user authorization for arjan [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> arjan [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=arjan) [ldap] expand: ou=Users,dc=mysite,dc=nl -> ou=Users,dc=mysite,dc=nl [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to ldapserv.mysite.nl:389, authentication 0 [ldap] bind as cn=admin,dc=mysite,dc=nl/Mypassword^3 to ldapserv.mysite.nl:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in ou=Users,dc=mysite,dc=nl, with filter (uid=arjan) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{SSHA}EO6u+XXXXXXXXXXXXXXXXXXX9CVEpL" [ldap] sambaNtPassword -> NT-Password == 0x323444323XXXXXXXXXXXXXXXXXXX136453246 [ldap] sambaLmPassword -> LM-Password == 0x4437314142XXXXXXXXXXXXXXXXXXX7343541363935 [ldap] looking for reply items in directory... [ldap] user arjan authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding [pap] Normalizing SSHA1-Password from base64 encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = MSCHAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group MS-CHAP {...} [mschap] Found LM-Password [mschap] Found NT-Password [mschap] Told to do MS-CHAPv1 with NT-Password [mschap] adding MS-CHAPv1 MPPE keys ++[mschap] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 134 to 127.0.0.1 port 44458 MS-CHAP-MPPE-Keys = 0xd71ab5a02f21bf6c84ea1619e12e6d233ad6e6fe70164f220000000000000000 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 Finished request 0. So LDAP seems ok. But doing a EAP-TTLS-PAP produces results below : Should I change something in the EAP.conf file ? ttls { default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } THX in advance guys ! Ready to process requests. rad_recv: Access-Request packet from host 192.168.63.144 port 32869, id=0, length=123 User-Name = "arjan" NAS-IP-Address = 192.168.63.144 Called-Station-Id = "20aa4b81f8a3" Calling-Station-Id = "64a769fde8c7" NAS-Identifier = "20aa4b81f8a3" NAS-Port = 18 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200000a0161726a616e Message-Authenticator = 0x2f7a9f1fe7f8586e05b801511990fa64 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "arjan", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 10 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for arjan [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> arjan [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=arjan) [ldap] expand: ou=Users,dc=mysite,dc=nl -> ou=Users,dc=mysite,dc=nl [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to ldapserv.mysite.nl:389, authentication 0 [ldap] bind as cn=admin,dc=mysite,dc=nl/Mypassword^3 to ldapserv.mysite.nl:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in ou=Users,dc=mysite,dc=nl, with filter (uid=arjan) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{SSHA}EO6u+XXXXXXXXXXXXXXXXXXX9CVEpL" [ldap] sambaNtPassword -> NT-Password == 0x323444323XXXXXXXXXXXXXXXXXXX136453246 [ldap] sambaLmPassword -> LM-Password == 0x4437314142XXXXXXXXXXXXXXXXXXX7343541363935 [ldap] looking for reply items in directory... [ldap] user arjan authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding [pap] Normalizing SSHA1-Password from base64 encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.63.144 port 32869 EAP-Message = 0x010100061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb4cfcc79b4ced9bce030871567d52b3d Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.63.144 port 32869, id=0, length=327 Cleaning up request 0 ID 0 with timestamp +41 User-Name = "arjan" NAS-IP-Address = 192.168.63.144 Called-Station-Id = "20aa4b81f8a3" Calling-Station-Id = "64a769fde8c7" NAS-Identifier = "20aa4b81f8a3" NAS-Port = 18 Framed-MTU = 1400 State = 0xb4cfcc79b4ced9bce030871567d52b3d NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020100c4150016030100b9010000b5030154a9bcfe6fc055caad760b07efb122cc8df68813c63eaf12f11c3c770607a803000048c014c00a00390038c00fc0050035c012c00800160013c00dc003000ac013c00900330032c00ec004002fc011c007c00cc002000500040015001200090014001100080006000300ff01000044000b000403000102000a00340032000100020003000400050006000700080009000a000b000c000d000e000f001000110012001300140015001600170018001900230000 Message-Authenticator = 0xa56f2ecfe109fcdef933ff8083a95981 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "arjan", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 196 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 00b9], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> TLS 1.0 Handshake [length 0039], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> TLS 1.0 Handshake [length 080c], Certificate [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [ttls] TLS_accept: SSLv3 write key exchange A [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.63.144 port 32869 EAP-Message = 0x0102040015c0000009a81603010039020000350301f859cacda779f3daccc335ce2f05951a6ebd8553a22fcdddd9e3f970f333aa8400c01400000dff01000100000b000403000102160301080c0b00080800080500040830820404308202eca003020102020101300d06092a864886f70d01010b050030818f310b3009060355040613024e4c310b300906035504080c024e48310f300d06035504070c064865696c6f6f31123010060355040a0c09417564696f64756465310b3009060355040b0c024954311e301c06035504030c156c646170736572762e617564696f647564652e6e6c3121301f06092a864886f70d010901161261726a616e4061 EAP-Message = 0x7564696f647564652e6e6c301e170d3134313131373232353630335a170d3334313131323232353630335a307e310b3009060355040613024e4c310b300906035504080c024e4831123010060355040a0c09417564696f64756465310b3009060355040b0c024954311e301c06035504030c156c646170736572762e617564696f647564652e6e6c3121301f06092a864886f70d010901161261726a616e40617564696f647564652e6e6c30820122300d06092a864886f70d01010105000382010f003082010a0282010100f4640f19e08fb8869b72176e11694ec277cb35f285ff090219a6ca6f27b8150cd9f667e29ace92c495715bb27dcae8e66d EAP-Message = 0x7dd93ef3160790f4ee9d86b43d7a5e80b1c90848a4be5fbd8ecbf36eba46dc440fdb23fc79ea81083d52362e2b34f54b3ba959e16dc547acb3956bdb93002efe024c319ccb199a18d681aad0abb92dbac30a074424daea0c853db8877502b69fb32eead1c8772a1549bf4a317fad2a0697302694063eea7a3ca3bb8c5f3393176a0c3be75e11fd8f18f01acd79a4c64e5e21531c69546c47ee2aa72b053eec7ab9bc74f59c14fddaf5ad3cbbdd70bbf1535a5bde27017f170fc0f1f29a6945f39e1ec5413ce927b5465de6d24180850203010001a37b307930090603551d1304023000302c06096086480186f842010d041f161d4f70656e53534c2047 EAP-Message = 0x656e657261746564204365727469666963617465301d0603551d0e041604140737387034b41501c039af30da0610a01696e022301f0603551d23041830168014ced3e4ed5350edb0ae3d88f9fa1864647b84a63d300d06092a864886f70d01010b05000382010100bd4eb2a878d181e7b59b5791af99a3bf420aef6187859901d5b7a07d839b8ebde91cd7201db875f6211c112f8926c3624dc4600dd1d9935ed74b58664f7a81d38313240da1683fa8cfb5091ffb0f9156533147296da74a0acb439ab955a108a2d07461921bd1715f2c8a76d9d1d9031be91afbc0062c9b3b8e2b1bf856628b8a9d63a7119b8f8b76bf895e7be163269baea4602221 EAP-Message = 0xcd9d8cef411761a8d4ef22af Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb4cfcc79b5cdd9bce030871567d52b3d Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.63.144 port 32869, id=0, length=309 Cleaning up request 1 ID 0 with timestamp +41 User-Name = "arjan" NAS-IP-Address = 192.168.63.144 Called-Station-Id = "20aa4b81f8a3" Calling-Station-Id = "64a769fde8c7" NAS-Identifier = "20aa4b81f8a3" NAS-Port = 18 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020100c4150016030100b9010000b5030154a9bcfe6fc055caad760b07efb122cc8df68813c63eaf12f11c3c770607a803000048c014c00a00390038c00fc0050035c012c00800160013c00dc003000ac013c00900330032c00ec004002fc011c007c00cc002000500040015001200090014001100080006000300ff01000044000b000403000102000a00340032000100020003000400050006000700080009000a000b000c000d000e000f001000110012001300140015001600170018001900230000 Message-Authenticator = 0x3e826a011acf3c3c7c4ee12c132df594 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "arjan", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 196 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request [eap] Failed in handler ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> arjan attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 2 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 2 Sending Access-Reject of id 0 to 192.168.63.144 port 32869
On Jan 5, 2015, at 2:24 PM, Arjan Sinnige <arjan@audiodude.nl> wrote:
Currently our small school is running a mac osx tiger file/web server with radius slapped onto it. As the server is getting old, I’ve been asked to configure a new server. (Dell 720 running Ubuntu 14.10.) Clients are numerous formats (BYOD) but mainly osx and windows machines. Testing virtually at home atm. The Apache, LDAP and Samba part are fine for me. But freeradius is really tough.. Can use some help.
Trying to get a EAP-TTLS with PAP working, as that was what we had before. Users are supposed to login with their username and password. No user certificates.
That should be simple. Follow my guide: http://deployingradius.com/ It gives full instructions for getting TTLS to work.
Doing a pap or mschap from server terminal is fine, which means the connection to ldap seems to be working. Doing TTLS-PAP from android phone gives errors.
The mailing list won’t allow me to post my full config and output. (>100KB) so I’ve put it up at a website : http://www.audiodude.nl/ldapconfig.txt
We don’t need the config. Just the debug output.
So LDAP seems ok.
That’s good.
But doing a EAP-TTLS-PAP produces results below : Should I change something in the EAP.conf file ?
No. The defaults are fine. You *do* need to edit raddb/sites-enabled/inner-tunnel, and enable “ldap”. Just like you did with raddb/sites-enabled/default.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
That’s a problem with the access point. The access point is SUPPOSED to send a “State” attribute in the packet. It’s not doing that. Throw your access point in the garbage, and buy one that works. Alan DeKok.
Alan, THX for the answer, I did follow your guide, although openLDAP is not really covered, but it helped with the initial setting up.
The mailing list won't allow me to post my full config and output. (>100KB) so I've put it up at a website : http://www.audiodude.nl/ldapconfig.txt We don't need the config. Just the debug output. The debug output is there as well.
You *do* need to edit raddb/sites-enabled/inner-tunnel, and enable "ldap". Just like you did with raddb/sites-enabled/default. Both in authorize AND authenticate ? or just authorize ?
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request That's a problem with the access point. The access point is SUPPOSED to send a "State" attribute in the packet. It's not doing that. Throw your access point in the garbage, and buy one that works. The access point at home is a cisco/Linksys EA2700 for testing. Will try updating firmware and otherwise will try to get one of the Apple Extremes in from work.
Hardware error.. :-( THX again.
On Jan 5, 2015, at 3:36 PM, Arjan Sinnige <arjan@audiodude.nl> wrote:
THX for the answer, I did follow your guide, although openLDAP is not really covered, but it helped with the initial setting up.
The guide is intended to cover ONE issue at a time. There’s no real way to write a guide which covers everyone’s configuration.
You *do* need to edit raddb/sites-enabled/inner-tunnel, and enable "ldap". Just like you did with raddb/sites-enabled/default. Both in authorize AND authenticate ? or just authorize ?
Both for simplicity.
The access point at home is a cisco/Linksys EA2700 for testing. Will try updating firmware and otherwise will try to get one of the Apple Extremes in from work.
That should work. Alan DeKok.
Alan, You are a star. Never would have guessed for hw error. Updated the firmware on the EA2700 and voila, all working. Now to lock it down and create student guides. Might come back for more though.. Arjan -----Original Message----- From: freeradius-users-bounces+arjan=audiodude.nl@lists.freeradius.org [mailto:freeradius-users-bounces+arjan=audiodude.nl@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Monday, January 5, 2015 9:51 PM To: FreeRadius users mailing list Subject: Re: Could use some help setting up freeradius ttls-pap with ldap backend serving NT-passwords On Jan 5, 2015, at 3:36 PM, Arjan Sinnige <arjan@audiodude.nl> wrote:
THX for the answer, I did follow your guide, although openLDAP is not really covered, but it helped with the initial setting up.
The guide is intended to cover ONE issue at a time. There's no real way to write a guide which covers everyone's configuration.
You *do* need to edit raddb/sites-enabled/inner-tunnel, and enable "ldap". Just like you did with raddb/sites-enabled/default. Both in authorize AND authenticate ? or just authorize ?
Both for simplicity.
The access point at home is a cisco/Linksys EA2700 for testing. Will try updating firmware and otherwise will try to get one of the Apple Extremes in from work.
That should work. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Arjan Sinnige