I'm trying to clear some confusion I'm experiencing. This is probably not the right place to ask this question, but I haven't been having much luck finding any answers on the web. I have a FreeRADIUS server running that is acting as a backend authenticator for my VPN server, which is StrongSwan. FreeRADIUS is using LDAP for authorization and I have JRADIUS connected for performing post authorization. Currently, I'm using EAP-TLS for connectivity from the StrongSwan VPN client down to JRADIUS and this is working well. What I want to do now is have the StrongSwan VPN client inject some custom data into the EAP message so that data can be propagated through to JRADIUS for use in the post authorization method. Maybe something like creating my own attribute or something. Is this possible? If so, how can I do this? If not, is there a way to modify an existing FreeRADIUS attribute that can be modified by the StrongSwan VPN client? Lester Houston III lester.l.houston-iii@boeing.com
On 11/16/2011 09:53 PM, Houston-III, Lester L wrote:
What I want to do now is have the StrongSwan VPN client inject some custom data into the EAP message so that data can be propagated through to JRADIUS for use in the post authorization method. Maybe something like creating my own attribute or something. Is this possible? If so, how can I do this? If not, is there a way to modify an existing FreeRADIUS attribute that can be modified by the StrongSwan VPN client?
Ok - you want to communicate data from the StrongSwan VPN client, to JRadius? Basically this is really, really hard. You will need to extend an EAP mechanism to send some arbitrary payload, or make use of an existing EAP mechanism that can carry such data. It will require source code changes on both the StrongSwan client, and the FreeRADIUS server. You can't "use a radius attribute" - the StrongSwan client doesn't speak radius. It speaks EAP over IKE/IKEv2 to an IPSec peer, and the IPSec peer transports the EAP over radius. Any data will therefore need to travel inside the EAP mechanism. What data do you want to communicate from client to server? Instead of saying how you want to do something, state what you want to do.
Basically, I want to provide some data that's obtained from an external source to my VPN client that is made available to JRADIUS via FreeRADIUS. I need this data to be available for the authorization phase because it will be used by JRADIUS for determining whether a user is authorized for access. I haven't gotten much information about the data that needs to be transmitted, but I was told that its 20-30 bytes
What data do you want to communicate from client to server? Instead of saying how you want to do something, state what you want to do. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 11/16/2011 11:36 PM, Houston-III, Lester L wrote:
Basically, I want to provide some data that's obtained from an external source to my VPN client that is made available to JRADIUS via FreeRADIUS. I need this data to be available for the authorization phase because it will be used by JRADIUS for determining whether a user is authorized for access. I haven't gotten much information about the data that needs to be transmitted, but I was told that its 20-30 bytes
Well, like I say - you'll need source code changes to implement this. Which EAP method are you using / wanting to use?
Houston-III, Lester L wrote:
Basically, I want to provide some data that's obtained from an external source to my VPN client that is made available to JRADIUS via FreeRADIUS. I need this data to be available for the authorization phase because it will be used by JRADIUS for determining whether a user is authorized for access. I haven't gotten much information about the data that needs to be transmitted, but I was told that its 20-30 bytes
EAP doesn't work like that. :( It's not a generic transport mechanism for sending data from point A to point B. The data sent in EAP is defined by the protocol. Nothing else is sent, and nothing else *can* be sent. Alan DeKok.
Thanks for the responses. I see that I need to devise a different way of getting the data across. At the very least I have the ground work done with EAP and maybe I can implement a VSA sometime later. -----Original Message----- From: freeradius-users-bounces+lester.l.houston-iii=boeing.com@lists.freeradius.org [mailto:freeradius-users-bounces+lester.l.houston-iii=boeing.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Thursday, November 17, 2011 5:15 AM To: FreeRadius users mailing list Subject: Re: EAP-TLS Attributes Houston-III, Lester L wrote:
Basically, I want to provide some data that's obtained from an external source to my VPN client that is made available to JRADIUS via FreeRADIUS. I need this data to be available for the authorization phase because it will be used by JRADIUS for determining whether a user is authorized for access. I haven't gotten much information about the data that needs to be transmitted, but I was told that its 20-30 bytes
EAP doesn't work like that. :( It's not a generic transport mechanism for sending data from point A to point B. The data sent in EAP is defined by the protocol. Nothing else is sent, and nothing else *can* be sent. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 17 Nov 2011, at 19:15, Houston-III, Lester L wrote:
Thanks for the responses. I see that I need to devise a different way of getting the data across. At the very least I have the ground work done with EAP and maybe I can implement a VSA sometime later.
-----Original Message----- From: freeradius-users-bounces+lester.l.houston-iii=boeing.com@lists.freeradius.org [mailto:freeradius-users-bounces+lester.l.houston-iii=boeing.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Thursday, November 17, 2011 5:15 AM To: FreeRadius users mailing list Subject: Re: EAP-TLS Attributes
Houston-III, Lester L wrote:
Basically, I want to provide some data that's obtained from an external source to my VPN client that is made available to JRADIUS via FreeRADIUS. I need this data to be available for the authorization phase because it will be used by JRADIUS for determining whether a user is authorized for access. I haven't gotten much information about the data that needs to be transmitted, but I was told that its 20-30 bytes
EAP doesn't work like that. :(
It's not a generic transport mechanism for sending data from point A to point B. The data sent in EAP is defined by the protocol. Nothing else is sent, and nothing else *can* be sent.
According to Alan, attributes included in the Diameter tunnel within EAP-TTLS are automatically converted into RADIUS attributes. I honestly can't remember if TTLS allows for validation of the client certificate when setting up the TLS tunnel, but if it does, then that would probably be your best bet. If it doesn't, then you could always run EAP-TLS within EAP-TTLS which would be supported by FreeRADIUS without code modifications. You would however have to modify the supplicant. -Arran Arran Cudbard-Bell a.cudbardb@freeradius.org Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !
participants (4)
-
Alan DeKok -
Arran Cudbard-Bell -
Houston-III, Lester L -
Phil Mayers