Definitive Word on FreeRadius/LDAP/EAP Requirements
Hello! I've been going in circles - as have many (based on the posts I've read all over the web) - trying to assemble a working combination of Freeradius, Fedora Directory Server (LDAP), and a fleet of wireless access points that seem to want to do EAP. I want anyone with a record in my LDAP server to be able to authenticate via 802.1x from these AP's. The records consist of uid, givenName, sn, mail and userPassword. For starters, I was hoping to just ask a few key questions to try to clear up various contradictory comments I've seen in the zillion things I've read in the last 12 hours: - Is it, in fact, possible to combine 802.1X, EAP, Freeradius and Fedora Directory Server in this manner? - If so (and I'm guessing it is possible), can someone clarify the clear-text vs. encryption issues related to EAP and LDAP? By this, I mean: - Some have said EAP and LDAP can't be combined because LDAP requires plain text passwords here and EAP doesn't play ball in that manner - I've seen conflicting comments on whether the passwords need to be clear-text in my LDAP database or not (or at least how Fedora DS needs to handle its password encryption settings) - Again, if this combination is possible, how far off from a -default- install of the latest Freeradius would the configuration be? It's easy to start making changes to the config and lose your bearings in short order... and, of course, hundreds of lines of debug output scroll by when doing a single 802.1X login attempt. I've repeatedly been able to do radtest checks against LDAP with no problems - but I realize that isn't involving EAP. I just say this to confirm that my LDAP server and Freeradius can talk just fine. I've had no problem with a file-based account with a clear-text password working all the way through the 802.1X process from the AP using EAP. It's when I try to combine the two that things go off the rails. I'll wrap this up with a copy from the debug log of the opening request from an AP in case it helps a bit (IP address xxx'd out in my paste): rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32774, id=6, length=156 User-Name = "ldaptest" NAS-IP-Address = 6.48.0.186 NAS-Port = 0 Called-Station-Id = "00-18-0A-30-00-BA:SBC WiFi" Calling-Station-Id = "00-26-08-62-FD-6E" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x0201000d016c64617074657374 Message-Authenticator = 0x51deb89362f5b9e1c391e88d255eeefa This is followed by the first query (authorize) to the LDAP server happening with TLS mode set to 1 (port 636 - should be a valid SSL conversation) and it binding successfully using an administrative DN. rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful The account I'm testing (ldaptest) is, for the time being, stored on the LDAP server with a clear-text password due to my questions above. In the test above, I had added: checkItem Cleartext-Password userPassword to my ldap.attrmap. Without that line, the same login test results in: rlm_ldap: performing search in ou=People,dc=sbc,dc=edu, with filter (uid=ldaptest) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user ldaptest authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok The conversation continues on through the TLS segment, offering the example SSL cert to my connecting device (an iPhone talking to the AP in this test), me approving the offered cert on the iPhone and - a moment later - an error that the login/password are wrong. If I start here - with a fresh Freeradius install, references to LDAP uncommented, and basic LDAP parameters properly configured (server, bind dn, base, etc) - could I get some clear points on how to proceed with the configuration? Thanks! - Aaron
- Some have said EAP and LDAP can't be combined because LDAP requires plain text passwords here and EAP doesn't play ball in that manner
What EAP method are you using... The different EAP methods have different requirements. -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
On Jun 26, 2009, at 10:00 AM, Arran Cudbard-Bell wrote:
- Some have said EAP and LDAP can't be combined because LDAP requires plain text passwords here and EAP doesn't play ball in that manner
What EAP method are you using... The different EAP methods have different requirements.
Well, again, I'm trying to work from a default Freeradius installation. The debug output, of course, is many repetitions of authorize/authenticate. I assume it's all about establishing the SSL session to my device in a lot of those, ending with: [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled After that, the last few cycles of authorize/authenticate head in the direction of many PEAP references, and, I suspect things finally going off the rails here: Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for ldaptest with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. It's another round or two of authorize/auth relating to PEAP and tunneling before: [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Had sent TLV failure. User was rejected earlier in this session. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. I'd be happy to revert back to a fresh Freeradius install and step through this all again in a systematic manner. I just remain uncertain on the overall viability of LDAP/EAP in this context due to so many contradictory references I've seen about where clear-text needs to exist or not exist in the relationship. Some things I've read seem to suggest LDAP / EAP can't co-exist here - period. Others seem to suggest it works with the right combination of elements, but nothing I've tried to replicate from those examples/discussions has worked thus far. Thanks! - Aaron -- halfpress: http://www.halfpress.com TWiP: http://twiplog.com Documenting Democracy: http://www.docdem.org Aaron's MAME Boxes - http://www.mameblog.com Twitter: halfpress
On 26/6/09 15:19, Aaron Mahler wrote:
On Jun 26, 2009, at 10:00 AM, Arran Cudbard-Bell wrote:
- Some have said EAP and LDAP can't be combined because LDAP requires plain text passwords here and EAP doesn't play ball in that manner
What EAP method are you using... The different EAP methods have different requirements.
Well, again, I'm trying to work from a default Freeradius installation. I'd be happy to revert back to a fresh Freeradius install and step through this all again in a systematic manner. I just remain uncertain on the overall viability of LDAP/EAP in this context due to so many contradictory references I've seen about where clear-text needs to exist or not exist in the relationship.
They're not contradictory. You know EAP is only a framework right? There are many different EAP Types which run within it. The different EAP Types require the users credentials to be stored in different forms. You appear to be using PEAPv0. With PEAPv0 and a standard LDAP directory you have three options: 1) Store the users Password in Clear-Text 2) Store the users password as an NT4-Password/LM Hash. For NT4 (the more secure one) it's an MD4 hash of a 16bit unicode encoding of the users password. 3) Choose another EAP method. I suggest you install SecureW2 on your clients (assuming they're windows) and use TTLS-PAP. With TTLS PAP, the RADIUS server receives a Cleartext copy of the users password within the TLS tunnel, it can then either hash that password in the same format as the one extracted from the LDAP directory and perform a comparison, or use the cleartext password to perform an LDAPv3 bind. Arran -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
- Some have said EAP and LDAP can't be combined because LDAP requires plain text passwords here and EAP doesn't play ball in that manner
Ldap "bind as user" authentication can't be used with EAP but that doesn't mean that you can't use passwords stored on Ldap server.
What EAP method are you using... The different EAP methods have different requirements.
Well, again, I'm trying to work from a default Freeradius installation. The debug output, of course, is many repetitions of authorize/authenticate. I assume it's all about establishing the SSL session to my device in a lot of those, ending with:
[peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled
After that, the last few cycles of authorize/authenticate head in the direction of many PEAP references, and, I suspect things finally going off the rails here:
Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for ldaptest with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user.
More debug would be of use. In default configuration ldap is not enabled in inner-tunnel virtual server. Enable it in inner-tunnel authorize and see if the password is available then. Ivan Kalik Kalik Informatika ISP
On 26/6/09 15:37, Ivan Kalik wrote:
- Some have said EAP and LDAP can't be combined because LDAP requires plain text passwords here and EAP doesn't play ball in that manner
Ldap "bind as user" authentication can't be used with EAP but that doesn't mean that you can't use passwords stored on Ldap server.
It can with EAP-TTLS-PAP or anything else that provides a cleartext password. -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
Is there a good example of this suggested config relative to the default install of Freeradius? I'm installing via Yum on Fedora Core 10 (mentioned in case its default config differs from a source install). Thanks! - Aaron Sent from my iPhone 3GS --- halfpress: http://halfpress.com Aaron's MAME Boxes: http://mameblog.com Twitter: http://twitter.com/halfpress On Jun 26, 2009, at 10:50 AM, Arran Cudbard-Bell <A.Cudbard-Bell@sussex.ac.uk
wrote:
On 26/6/09 15:37, Ivan Kalik wrote:
- Some have said EAP and LDAP can't be combined because LDAP requires plain text passwords here and EAP doesn't play ball in that manner
Ldap "bind as user" authentication can't be used with EAP but that doesn't mean that you can't use passwords stored on Ldap server.
It can with EAP-TTLS-PAP or anything else that provides a cleartext password.
-- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 06/26/2009 11:05 AM, Aaron Mahler wrote:
Is there a good example of this suggested config relative to the default install of Freeradius? I'm installing via Yum on Fedora Core 10 (mentioned in case its default config differs from a source install).
FYI, the Fedora, RHEL & CentOS do *not* modify the upstream defaults. The only minor exception to this is the fact the main freeradius rpm is not the "kitchen sink" of all possible FreeRADIUS components in the same way the upstream build produces, instead optional components are broken out into subpackages, for instance you won't get SQL support unless you install one of the SQL subpackages (e.g. freeradius-mysql, freeradius-postgresql, etc.) same holds true for ldap and all the other optional components. % yum info freeradius\* will show you all the possible packages. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
On Jun 26, 2009, at 10:50 AM, Arran Cudbard-Bell wrote:
On 26/6/09 15:37, Ivan Kalik wrote:
- Some have said EAP and LDAP can't be combined because LDAP requires plain text passwords here and EAP doesn't play ball in that manner
Ldap "bind as user" authentication can't be used with EAP but that doesn't mean that you can't use passwords stored on Ldap server.
It can with EAP-TTLS-PAP or anything else that provides a cleartext password.
I'm pleased to report that, earlier this evening, everything fell into place. As I'd done a few times before, I removed and reinstalled Freeradius and began systematically applying various settings. This time around, I hit the right combination - thanks in part, of course - to some of the feedback here in the forum. My final working scenario consisted mainly of the following elements: - Uncommenting of ldap references in the default config files - Uncommenting of ldap references in the sites-enabled/inner-tunnel (had been focusing mostly on default before now) - ldap server configured to be used on port 636 / SSL - ldap server binding with an privileged CN - though, as I think back, this might be irrelevant now - I'll test that... - addition of "Cleartext-password" mapped to "userPassword" in ldap.attrmap - Test LDAP record (and, after success, ALL LDAP records) set to use cleartext password storage The first success came testing from my iPhone which was using EAP- TTLS. My test OS X machine was defaulting to TLS and wanting to provide a user cert, but I overrode that locally and confirmed it worked. Afterward, I set the eap.conf to default to EAP-TTLS. I remembered then, however, that Windows clients don't inherently support this, so I moved the default EAP method to PEAP. Everything has been working nicely since and I've tested from OS X, iPhone and Ubuntu. I'll hit XP and Vista machines with WiFi soon and check those, but am not worried at this point. My next issue has to do with my SSL cert to avoid clients getting warned that it's untrusted (despite using a valid, commercial wildcard cert from GoDaddy... but this appears to be related to use of an intermediate cert). Since this is a different issue from the one in this thread, I'll start a new thread (though I think I know the answer based on previous posts). Thanks to all! - Aaron
Regarding my previous reply (and original email) - I can offer more debug output and config information, but I suspect the experts here are sick of seeing massive posts with hundreds of lines of debug output just thrown out there with a plea. I'm working to better understand the whole interrelationship between the various parts in this system (protocols and all). If my replies are too general to help me, feel free to point that out and let me know what details I need to provide. I definitely want to enhance my understanding of the process rather than just get a "fix" and move on. Thanks! - Aaron On Jun 26, 2009, at 10:00 AM, Arran Cudbard-Bell wrote:
- Some have said EAP and LDAP can't be combined because LDAP requires plain text passwords here and EAP doesn't play ball in that manner
What EAP method are you using... The different EAP methods have different requirements.
-- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- halfpress: http://www.halfpress.com TWiP: http://twiplog.com Documenting Democracy: http://www.docdem.org Aaron's MAME Boxes - http://www.mameblog.com Twitter: halfpress
Aaron Mahler wrote:
Regarding my previous reply (and original email) - I can offer more debug output and config information, but I suspect the experts here are sick of seeing massive posts with hundreds of lines of debug output just thrown out there with a plea.
Reading some posts the previous few days... The experts here are sick of _NOT_ seeing hundreds on lines of debug!! -- Johan Meiring Cape PC Services CC Tel: (021) 883-8271 Fax: (021) 886-7782
Johan Meiring wrote:
The experts here are sick of _NOT_ seeing hundreds on lines of debug!!
I agree 110%. Nearly every time someone posts the debug log, the answer is in it. The people who post debug logs get friendly answers, and their problems solved quickly. The people who don't post debug logs get told to post debug logs... and often get angry with this answer. It's rather maddening. Alan DeKok.
Happy to post a full debug log here in a bit. I just had conceptual questions initially and wanted to wait until I knew what (or if) I should post. Totally understand that they have the details, so happy to oblige as soon as I run the next tests this afternoon. Thanks! - Aaron Sent from my iPhone 3GS --- halfpress: http://halfpress.com Aaron's MAME Boxes: http://mameblog.com Twitter: http://twitter.com/halfpress On Jun 26, 2009, at 12:34 PM, Alan DeKok <aland@deployingradius.com> wrote:
Johan Meiring wrote:
The experts here are sick of _NOT_ seeing hundreds on lines of debug!!
I agree 110%.
Nearly every time someone posts the debug log, the answer is in it.
The people who post debug logs get friendly answers, and their problems solved quickly.
The people who don't post debug logs get told to post debug logs... and often get angry with this answer. It's rather maddening.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Aaron Mahler wrote:
Happy to post a full debug log here in a bit. I just had conceptual questions initially
LDAP is a database. FreeRADIUS is an authentication server. Configure the two so that FreeRADIUS can get the "known good" password from LDAP. FreeRADIUS will take care of the rest. Yes, it is that easy. Most of the frustrations and delays that people run into are (a) Active Directory, and (b) they try to use LDAP as an authentication server. See: http://deployingradius.com/documents/configuration/auth_type.html And also: http://deployingradius.com/documents/protocols/oracles.html Alan DeKok.
participants (6)
-
Aaron Mahler -
Alan DeKok -
Arran Cudbard-Bell -
Ivan Kalik -
Johan Meiring -
John Dennis