can EAP-PEAP-GTC use email pop3 server to authenticate?
hi: I am using freeradius 3.0.1 at scientific linux 7.0. I want to use our pop3 server as database for wireless wpa authentication. (the eap-peap-mschapv2 works fine with our Active Directory. but for some reason we need another method). I try to test the idea as two parts: 1. setup a "test1" user at /etc/raddb/users like this test1 Cleartext-Password := "testtest" and use EAP-PEAP-GTC at windows client to test it, it works fine. 2. write a perl script to authenticate via pop3 server. I use "radtest 'user@domain' my-pop3-password 127.0.0.1:18120 0 testing123" to test, it works fine. the modification part of my inner-tunnel config is like below: authorize { pop3 if (ok || updated) { update control { Auth-Type := POP3 } } } Auth-Type POP3 { pop3 } 3. I can not combine above to the final result. I can not use EAP-PEAP-GTC from windows to authenticate via pop3 server. when I debug the perl script, I found no password input when using "EAP-PEAP-GTC". I try modify many settings but still can not get it work. so I wonder if my concept is wrong. is that possible to use EAP-PEAP-GTC against a pop3 server, or we need a cleartext-password file when using EAP-PEAP-GTC? I try to make the perl script dump %RED_REQUEST as below when using EAP-PEAP-GTC: $VAR1 = { 'User-Name' => 'xxx@xxxxxx', 'EAP-Message' => '0x020f00060306', 'Realm' => 'xxxxxxxxx', 'State' => '0x2dec2f402de335af33348f2ebbe6e91d', 'Stripped-User-Name' => 'xxxx', 'EAP-Type' => 'NAK', 'FreeRADIUS-Proxied-To' => '127.0.0.1' thanks a lot for help!! Regards, tbskyd
On Mar 18, 2015, at 11:45 AM, d tbsky <tbskyd@gmail.com> wrote:
3. I can not combine above to the final result. I can not use EAP-PEAP-GTC from windows to authenticate via pop3 server.
Yes, you can. Look at the configuration for the eap-gtc module. It has an “auth_type” entry. Set that to POP3, and it shouldl work. Alan DeKok.
2015-03-19 8:35 GMT+08:00 Alan DeKok <aland@deployingradius.com>:
On Mar 18, 2015, at 11:45 AM, d tbsky <tbskyd@gmail.com> wrote:
3. I can not combine above to the final result. I can not use EAP-PEAP-GTC from windows to authenticate via pop3 server.
Yes, you can. Look at the configuration for the eap-gtc module. It has an “auth_type” entry. Set that to POP3, and it shouldl work.
Alan DeKok.
Hi Alan: thanks a lot for your confirm! I almost thought that my concept is wrong and this can not be done.. what you suggest is something I want to do but don't know how. I found there are are two places seems related to eap-gtc module configuration. they are "/etc/raddb/mods-available/eap" and "/etc/raddb/mods-available/inner-eap" (this one is not enabled by default at scientific linux 7) according to the comment at the "gtc" section, it seems you can set the "auth_type" to "Local" or "PAP". if I set it to "POP3", "radiusd -X" failed and said: rlm_eap_gtc: Unknown Auth-Type POP3 rlm_eap (EAP): Failed to initialise rlm_eap_gtc /etc/raddb/mods-enabled/eap[17]: Instantiation failed for module "eap" I must miss something here. thanks again for your kindly help!! Regards, tbskyd
2015-03-19 8:35 GMT+08:00 Alan DeKok <aland@deployingradius.com>:
On Mar 18, 2015, at 11:45 AM, d tbsky <tbskyd@gmail.com> wrote:
3. I can not combine above to the final result. I can not use EAP-PEAP-GTC from windows to authenticate via pop3 server.
Yes, you can. Look at the configuration for the eap-gtc module. It has an “auth_type” entry. Set that to POP3, and it shouldl work.
Alan DeKok.
Hi Alan: follow your hint, I focus on "auth_type" setting, finally I found if I want to setup "auth_type = POP3", I need to add a line to "/usr/share/freeradius/dictionary.freeradius.internal" like below: VALUE Auth-Type POP3 1066 and everything works!! but as I know I should not edit that file directly. could you suggest a way so system knows the "POP3" user-defined method? thanks for your help! Regards, tbskyd
On Mar 18, 2015, at 10:26 PM, d tbsky <tbskyd@gmail.com> wrote:
I found there are are two places seems related to eap-gtc module configuration. they are "/etc/raddb/mods-available/eap" and "/etc/raddb/mods-available/inner-eap" (this one is not enabled by default at scientific linux 7) according to the comment at the "gtc" section, it seems you can set the "auth_type" to "Local" or "PAP". if I set it to "POP3", "radiusd -X" failed and said:
rlm_eap_gtc: Unknown Auth-Type POP3
You have to list the perl script as “Auth-Type pop3” in the “authenticate” section. Alan DeKok.
2015-03-19 20:40 GMT+08:00 Alan DeKok <aland@deployingradius.com>:
On Mar 18, 2015, at 10:26 PM, d tbsky <tbskyd@gmail.com> wrote:
rlm_eap_gtc: Unknown Auth-Type POP3
You have to list the perl script as “Auth-Type pop3” in the “authenticate” section.
hi Alan: I already add that to inner-tunnel. below is the working configuration. but if I have not add auth-type POP3 to dictionary, rlm_eap_gtc will complain and fail. or there is other "authenticate" section I am missing? server inner-tunnel { listen { ipaddr = 127.0.0.1 port = 18120 type = auth } authorize { pop3 chap mschap suffix update control { Proxy-To-Realm := LOCAL } eap { ok = return } expiration logintime pap } authenticate { Auth-Type POP3 { pop3 } Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } eap } session { radutmp } post-auth { Post-Auth-Type REJECT { attr_filter.access_reject } } pre-proxy { } post-proxy { eap } }
On Mar 19, 2015, at 10:47 AM, d tbsky <tbskyd@gmail.com> wrote:
2015-03-19 20:40 GMT+08:00 Alan DeKok <aland@deployingradius.com>:
On Mar 18, 2015, at 10:26 PM, d tbsky <tbskyd@gmail.com> wrote:
rlm_eap_gtc: Unknown Auth-Type POP3
You have to list the perl script as “Auth-Type pop3” in the “authenticate” section.
hi Alan: I already add that to inner-tunnel. below is the working configuration. but if I have not add auth-type POP3 to dictionary, rlm_eap_gtc will complain and fail.
Add that to raddb/dictionary. Not any other one.
or there is other "authenticate" section I am missing
No. You’re probably running an old version of the server. Recent ones are better with this. Alan DeKok.
2015-03-20 1:04 GMT+08:00 Alan DeKok <aland@deployingradius.com>:
Add that to raddb/dictionary. Not any other one.
or there is other "authenticate" section I am missing
No.
You’re probably running an old version of the server. Recent ones are better with this.
hi Alan: I have tried 3.0.1 and 3.0.4 comes with RHEL 7, and 2.1 comes with RHEL6, the results are the same. I also check the source code rlm_eap_gtc.c which comes with 3.0.7, it seems eap_gtc will check dictionary for auth_type. the source code below. maybe it can be made simpler in future version :) if (inst->auth_type_name && *inst->auth_type_name) { dval = dict_valbyname(PW_AUTH_TYPE, 0, inst->auth_type_name); if (!dval) { ERROR("rlm_eap_gtc: Unknown Auth-Type %s", inst->auth_type_name); return -1; }
hi: I am sorry I have a related question about "EAP-PEAP-GTC". my script which do authenticate will receive %RAD_REQUEST attribute like below: 'User-Name' => 'xxxx', 'User-Password' => 'xxxx', 'EAP-Message' => 'xxxxxxxxx', 'EAP-Type' => 'GTC', 'State' => 'xxxxxxxxxxxx', 'FreeRADIUS-Proxied-To' => '127.0.0.1' I want to pass the attribute "Calling-Station-Id" which send by NAS to %RAD_REQUEST. but don't know how to do it. any configuration file I can focus on it? thank again for kindly help! Regards, tbskyd
On Mar 23, 2015, at 2:31 AM, d tbsky <tbskyd@gmail.com> wrote:
I want to pass the attribute "Calling-Station-Id" which send by NAS to %RAD_REQUEST. but don't know how to do it. any configuration file I can focus on it? thank again for kindly help!
Read raddb/eap.conf, or raddb/mods-available/eap in v3. Look for “copy_request_to_tunnel” Alan DeKok.
2015-03-24 1:06 GMT+08:00 Alan DeKok <aland@deployingradius.com>:
On Mar 23, 2015, at 2:31 AM, d tbsky <tbskyd@gmail.com> wrote:
I want to pass the attribute "Calling-Station-Id" which send by NAS to %RAD_REQUEST. but don't know how to do it. any configuration file I can focus on it? thank again for kindly help!
Read raddb/eap.conf, or raddb/mods-available/eap in v3. Look for “copy_request_to_tunnel”
hi: thanks a lot! I should read every word in the configuration file :) Regards, tbskyd
participants (2)
-
Alan DeKok -
d tbsky