EAP/TLS -- FreeRadius -- 802.1x
Good morning FreeRadius users. I'm going forward with my attempt to configure freeradius and 802.1x to try to secure part of a wired network. I have been reading about FreeRadius, 802.1x, EAP/TLS and XSupplicant. I came accross a link that doesnt work in the freeradius wiki about exactly those subject but I found something on the linux documentation project ( http://tldp.org/HOWTO/html_single/8021X-HOWTO/ ) which seems to cover this subject. I was wondering if users here have experience with this subject and have more documentation on the subject. My main concern being that most documents on the subject date back to 2004 and I dont know if they are still valid with the freeradius version i'm using ( 1.1.3 -> CentOS install ). Thank you in advance. -- Philippe-Alexandre Lemelin
phil lemelin wrote:
I have been reading about FreeRadius, 802.1x, EAP/TLS and XSupplicant. I came accross a link that doesnt work in the freeradius wiki about exactly those subject but I found something on the linux documentation project ( http://tldp.org/HOWTO/html_single/8021X-HOWTO/ ) which seems to cover this subject.
See the wiki. It contains a number of howtos, including for EAP-TLS.
I was wondering if users here have experience with this subject and have more documentation on the subject. My main concern being that most documents on the subject date back to 2004 and I dont know if they are still valid with the freeradius version i'm using ( 1.1.3 -> CentOS install ).
Ugh. I would really suggest upgrading the server to something recent. My web site contains simple howtos for getting EAP to work: http://deployingradius.com Most of it should be applicable to 1.1.3, but you'll have to read the configuration carefully to know more. Alan DeKok.
I have been reading about FreeRadius, 802.1x, EAP/TLS and XSupplicant. I
came accross a link that doesnt work in the freeradius wiki about exactly those subject but I found something on the linux documentation project ( http://tldp.org/HOWTO/html_single/8021X-HOWTO/ ) which seems to cover this subject.
See the wiki. It contains a number of howtos, including for EAP-TLS.
I looked at the 2 links about that subject on the HOW-TO and one is no valid anymore and the other leads to the edit page of the wiki.
I was wondering if users here have experience with this subject and have more documentation on the subject. My main concern being that most documents on the subject date back to 2004 and I dont know if they are still valid with the freeradius version i'm using ( 1.1.3 -> CentOS install ).
Ugh. I would really suggest upgrading the server to something recent.
My web site contains simple howtos for getting EAP to work:
Most of it should be applicable to 1.1.3, but you'll have to read the configuration carefully to know more.
Alan DeKok.
Thank you. I'll take a look at those documents. -- Philippe-Alexandre Lemelin
Thank you for your pointers Alan, I now have a port based authentication using wpa_supplicant, freeradius and a dell switch. Next step would be to use something more secure than the default MD5 i'm using. I'll keep reading. Thank you again. On Wed, Mar 18, 2009 at 12:35 PM, phil lemelin <phil.lemelin@gmail.com>wrote:
I have been reading about FreeRadius, 802.1x, EAP/TLS and XSupplicant. I
came accross a link that doesnt work in the freeradius wiki about exactly those subject but I found something on the linux documentation project ( http://tldp.org/HOWTO/html_single/8021X-HOWTO/ ) which seems to cover this subject.
See the wiki. It contains a number of howtos, including for EAP-TLS.
I looked at the 2 links about that subject on the HOW-TO and one is no valid anymore and the other leads to the edit page of the wiki.
I was wondering if users here have experience with this subject and have more documentation on the subject. My main concern being that most documents on the subject date back to 2004 and I dont know if they are still valid with the freeradius version i'm using ( 1.1.3 -> CentOS install ).
Ugh. I would really suggest upgrading the server to something recent.
My web site contains simple howtos for getting EAP to work:
Most of it should be applicable to 1.1.3, but you'll have to read the configuration carefully to know more.
Alan DeKok.
Thank you. I'll take a look at those documents.
-- Philippe-Alexandre Lemelin
-- Philippe-Alexandre Lemelin
Good morning freeradius users, Using the documents Alan linked here, I managed to configure everything to use EAP-TTLS. I have a question, which might not be related to freeradius directly, but more to EAP-TTLS. Why is the username sent in clear over the network ?
phil lemelin wrote:
I have a question, which might not be related to freeradius directly, but more to EAP-TTLS.
Why is the username sent in clear over the network ?
That's the default in your supplicant. If you want it changed, use one name for the "outer" identity, and a different one for the "inner" identity. Alan DeKok.
Following on my adventure with freeradius, I decided to enable mysql and use EAP-TTLS. Having my passwords in SQL, I now want to encrypt them ( MD5 ) and use them to authenticate my user. After reading the protocols compatibility matrix ,I saw that with EAP-TTLS, with tunneled PAP, I should be able to do so. I configured my client (wpa_supplicant) to use EAP=TTLS and phase2="auth=PAP" When I look into my radiusd -X log, I can see that I have a "Found Auth-Type = PAP" then "+- entering group PAP {...}". So that confirms my supplicant is correctly configured and that I have uncommented the correct lines in the "sites-enabled/inner-tunnel" to have radius look into mysql. NOW the questions : 1- What do I set the "attribute" field to in the radcheck table to use MD5 passwords ? 2- What do I set the "attribute" field to in the radgroupcheck IF I have too ( I should'nt have right ? decided by user unless I want to lock them out of a method (read something like that in the radius files) ) 3- Is there a good reference to setup the mysql database to use authentication ? Frankly, the ammount of questions and conflicting information found on google is not helping. radiusd -X : ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +- entering group PAP {...} [pap] login attempt with password "unpassword" <-- Password sent by supplicant [pap] Using clear text password "$apr1$52gvO/..$3EWsna/pFsS3YSrKNmIcW0" <-- Password in mysql table. Mysql : mysql> select * from radcheck; +----+----------+-----------+----+---------------------------------------+ | id | username | attribute | op | value | +----+----------+-----------+----+---------------------------------------+ | 1 | myuser | Password | := | $apr1$52gvO/..$3EWsna/pFsS3YSrKNmIcW0 | +----+----------+-----------+----+---------------------------------------+ 1 row in set (0.00 sec) -- Philippe-Alexandre Lemelin
phil lemelin wrote:
1- What do I set the "attribute" field to in the radcheck table to use MD5 passwords ?
Crypt-Password
2- What do I set the "attribute" field to in the radgroupcheck IF I have too ( I should'nt have right ? decided by user unless I want to lock them out of a method (read something like that in the radius files) )
You shouldn't put passwords radinto groupcheck.
3- Is there a good reference to setup the mysql database to use authentication ? Frankly, the ammount of questions and conflicting information found on google is not helping.
The comments and documentation that ship with the server are fine. The main issue is there is no example of inserting a sample row containing a password. Alan DeKok.
1- What do I set the "attribute" field to in the radcheck table to use MD5 passwords ?
Crypt-Password
In which scenario should MD5-Password be used ?
3- Is there a good reference to setup the mysql database to use
authentication ? Frankly, the ammount of questions and conflicting information found on google is not helping.
The comments and documentation that ship with the server are fine. The main issue is there is no example of inserting a sample row containing a password.
And would someone have such an example ready to share ? I'm getting [pap] login attempt with password "unpassword" [pap] Using CRYPT Encryption. [pap] Passwords don't match So I suspect I did something wrong in my password insertion. I did triple check the password from the supplicant and from the database. Thank you for you help. -- Philippe-Alexandre Lemelin
Okay. Generating my password with : htpasswd -nd plemelin ( crypt ) and setting the attribute to crypt-password in mysql did the trick. Generating the password with : htpasswd -nm plemelin ( md5 ) and setting the attribute to MD5-password doesnt work. I think i did enough radius for the week. Thank you Alan, with your pointers I learned a great deal. -- Philippe-Alexandre Lemelin
Looks like I can't get enough radius. I started testing with different users today and noticed something I can't explain. Let's say my user is : phil Let's say the pass is : unpassword If I enter the following password : punpassword I get the following in radiusd -X : [pap] login attempt with password "punpassword" [pap] Using CRYPT encryption. [pap] Passwords don't match If I enter the following password : unpasswordp I get the folling in radiusd -X : [pap] login attempt with password "unpasswordp" [pap] Using CRYPT encryption. [pap] User authenticated successfully <-- Hold on. I didnt enter the right password ? -- Philippe-Alexandre Lemelin
Let's say my user is : phil Let's say the pass is : unpassword
If I enter the following password : punpassword I get the following in radiusd -X :
[pap] login attempt with password "punpassword" [pap] Using CRYPT encryption. [pap] Passwords don't match
If I enter the following password : unpasswordp I get the folling in radiusd -X :
[pap] login attempt with password "unpasswordp" [pap] Using CRYPT encryption. [pap] User authenticated successfully <-- Hold on. I didnt enter the right password ?
Actually - you have. Crypt encrypts only first 8 characters of the password. Anything after that is ignored. Ivan Kalik Kalik Informatika ISP
participants (3)
-
Alan DeKok -
phil lemelin -
tnt@kalik.net