EAP-TTLS + PAP with external script
I'm trying to use an external php script to authenticate users connecting to an Access Point. Protocol used is EAP-TTLS with PAP as inner authentication protocol. The relevant parts of config file i use is: ********** radiusd.conf ************* modules { pap { auto_header = yes } exec test { wait = yes program = "/usr/local/bin/php -f /etc/raddb/radiusaccess.php" input_pairs = request output_pairs = reply } } authorize { preprocess suffix eap pap } authenticate { Auth-Type PAP { test } eap } ************* END radiusd.conf ********** When i try to connect the TTLS comunication seems to work fine but this is the relevan ouput of radiusd -X at the final steps ************ radiusd -X ***************** Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 9 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes. TTLS: Got tunneled request User-Name = "testa" User-Password = "testb" FreeRADIUS-Proxied-To = 127.0.0.1 TTLS: Sending tunneled request User-Name = "testa" User-Password = "testb" FreeRADIUS-Proxied-To = 127.0.0.1 Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Id = "wlan1" Calling-Station-Id = "00-13-49-71-85-68" Called-Station-Id = "00-80-48-47-6B-E1:comune_segrate_milano_oltre" NAS-Identifier = "AP2" NAS-IP-Address = 192.168.11.168 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 9 modcall[authorize]: module "preprocess" returns ok for request 9 rlm_realm: No '@' in User-Name = "testa", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 9 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 9 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 9 modcall: leaving group authorize (returns ok) for request 9 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. TTLS: Got tunneled reply RADIUS code 3 TTLS: Got tunneled Access-Reject rlm_eap: Handler failed in EAP/ttls rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 9 modcall: leaving group authenticate (returns invalid) for request 9 auth: Failed to validate the user. Delaying request 9 for 1 seconds Finished request 9 ************************ END radiusd -X ****************** As you can see there is the message: "rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 9" So the php script for pap authorization is not even executed. Maybe there is something i missed in configuration? Thanx Maccari Dario _________________________________________________________________ Discover the new Windows Vista http://search.msn.com/results.aspx?q=windows+vista&mkt=en-US&form=QBRE
Hi, you're not authorising the user. theres nothing to allow them access in the authorise section.
modcall: entering group authorize for request 9 modcall[authorize]: module "preprocess" returns ok for request 9 rlm_realm: No '@' in User-Name = "testa", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 9 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 9 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 9
alan
Isn't "pap" in authorize section there to do the job? How can i authorize ANY user so that they will be authenticated by the php script? Bye Dario Maccari
Hi,
you're not authorising the user. theres nothing to allow them access in the authorise section.
_________________________________________________________________ Discover the new Windows Vista http://search.msn.com/results.aspx?q=windows+vista&mkt=en-US&form=QBRE
As you can see there is the message: "rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 9" So the php script for pap authorization is not even executed. Maybe there is something i missed in configuration?
Thanx Maccari Dario
That's what I did to make it works I added a new script for authorization which set the auth-type for final step and added that script in the authorize section ********** radiusd.conf ************* modules { pap { auto_header = yes } exec test { wait = yes program = "/usr/local/bin/php -f /etc/raddb/radiusaccess.php" input_pairs = request output_pairs = reply } exec papauth { wait = yes program = "/usr/local/bin/php -n -f /etc/raddb/radiusauth.php" input_pairs = request output_pairs = config } } authorize { preprocess suffix eap pap papauth } authenticate { Auth-Type PAP { test } eap } ************* END radiusd.conf **********This is the relevant script part ************* radiusauth.php ********** <?php $username = getenv("USER_NAME"); $userpass = getenv ("USER_PASSWORD"); if ($username!= "" && $userpass !="") { echo "Auth-Type = PAP\n"; } ?> ************* END radiusauth.php ********** Does what i did have any sense? Is it robust enough? Bye and thanx Dario Maccari _________________________________________________________________ News, entertainment and everything you care about at Live.com. Get it now! http://www.live.com/getstarted.aspx
authorize { preprocess suffix eap pap papauth }
pap really should go at the end - i believe the default config mentions this...with maybe exclaimation marks or capital letters?
alan
How is this supposed to help me in any way to configure FR to do PAP authentication? Accordingly to documentation, PAP should be listed last in authorize section becouse need to check passwords added by previous modules and normalize them. In my case none previus modules (preprocess, suffix, eap) gives any known good password (and this is intended since i don't want the RADIUS server to "know" the real user password) su pap just give back NOOP. I can even comment out pap in authorize section since just respond noop in any case. Here are the log from radiusd -X in any case **************** radiusd -X with pap and not papauth ****************** rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 9 modcall: leaving group authorize (returns ok) for request 9 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. ************************************************************** Since eap is over (final step of ttls) and no modules are adding a "known good" password for the user, pap respond noop and there is no Auth-Type configured. **************** radiusd -X with pap after papauth ****************** Exec-Program output: Auth-Type = PAP Exec-Program-Wait: value-pairs: Auth-Type = PAP Exec-Program: returned: 0 modcall[authorize]: module "papauth" returns ok for request 4 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 4 rad_check_password: Found Auth-Type PAP auth: type "PAP" ************************************************************ The script set the Auth-Type and pap just answer noop. **************** radiusd -X with pap before papauth ****************** rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 9 Exec-Program output: Auth-Type = PAP Exec-Program-Wait: value-pairs: Auth-Type = PAP Exec-Program: returned: 0 modcall[authorize]: module "papauth" returns ok for request 9 modcall: leaving group authorize (returns ok) for request 9 rad_check_password: Found Auth-Type PAP auth: type "PAP" ************************************************************** Pap still answer with noop and do not set the Auth-Type but the script do the job setting the Auth-Type and letting the second script check the credentials. **************** radiusd -X without pap in authorize ****************** Exec-Program output: Auth-Type = PAP Exec-Program-Wait: value-pairs: Auth-Type = PAP Exec-Program: returned: 0 modcall[authorize]: module "papauth" returns ok for request 9 modcall: leaving group authorize (returns ok) for request 9 rad_check_password: Found Auth-Type PAP auth: type "PAP" ************************************************************ My question is which is the best way to correctly accomplish pap authentication WITHOUT using authorization checks. My solution was to "force" Auth-Type to PAP in case we have username and password in radius attributes. Another way is, i think, using a users file with "DEFAULT Auth-Type = PAP" but i read in many place NOT TO DO THAT. Another way could be to check if is present the Auth-Type and set it to PAP if os not set and list that script as last on authorize section. Which is the best solution? Btw, in config i see: ******************* radiusd.conf ************* # As of 1.1.4, you should list "pap" last in this section. # See "man rlm_pap" for more information. ***************************************** So no exclamations and capitals, just a "should". And i do read the man page to understand a little more about what i was going to do. Thanks in advance Bye Maccari Dario _________________________________________________________________ Discover the new Windows Vista http://search.msn.com/results.aspx?q=windows+vista&mkt=en-US&form=QBRE
Dario Maccari wrote:
How is this supposed to help me in any way to configure FR to do PAP authentication?
If you are configured the *server* to do PAP authentication, then the default configuration files should be used. Your module (exec/whatever) should supply a "known good" password. The server then uses that to authenticate the user. If *your module* is doing PAP authentication, then you need to list *your module* in the "authenticate" section. You need to force Auth-Type to be *your module*. And all other authentication types will fail.
Accordingly to documentation, PAP should be listed last in authorize section becouse need to check passwords added by previous modules and normalize them.
Yes.
In my case none previus modules (preprocess, suffix, eap) gives any known good password (and this is intended since i don't want the RADIUS server to "know" the real user password) su pap just give back NOOP.
Then your module needs to do the authentication. Any why do you care if the server knows the password? Is it for "security"? Are you aware that for TTLS + PAP, if your external script returns "authenticated", the server *knows* that the PAP password is correct? So why not simplify your life, and give the server the real user password?
Here are the log from radiusd -X in any case
**************** radiusd -X with pap and not papauth ****************** rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 9 modcall: leaving group authorize (returns ok) for request 9 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
i.e. you haven't told the server what the "known good" password is, and you haven't told the server how to authenticate the user.
The script set the Auth-Type and pap just answer noop.
Huh? You're setting Auth-Type to PAP in your script? Do you expect the PAP module to m I've deleted the other attempts at "let's make random changes to see if it works". Stop making changes until you understand how the server works. Start with the default configuration, and then do this in the "inner-tunnel" virtual server. (i.e. also use 2.0.4) authorize { ... update control { Cleartext-Password := `/path/to/script %{User-Name}` } pap } The script should use the username to look up the "known good" password, and then print it to STDOUT. e.g. "echo hello" would be a good start. EAP-TTLS + PAP will then WORK. And YES, you will be giving the server the "real user password". This is NOT a problem. If you think it's a problem, then you need to change your opinion. It's NOT a problem. Alan Dekok.
If you are configured the *server* to do PAP authentication, then the default configuration files should be used. Your module (exec/whatever) should supply a "known good" password. The server then uses that to authenticate the user.
I configured the CLIENT to do EAP-TTLS with inner PAP. The server needs to "fit" inside a more complex structure in wich no "known good" password is available. User data are stored outside the radius server and can't be accessed in any other way than the ones that are given to me. Actually i can't ask for the password of a user so to provide this password to pap module. All i can do is to check if the pair username/password is correct and there is nothing i can do about that. That's why i can't provide a known good password to pap module and that's why pap module for authorization can not be used.
If *your module* is doing PAP authentication, then you need to list *your module* in the "authenticate" section. You need to force Auth-Type to be *your module*. And all other authentication types will fail.
That's very interesting and is something i haven't found in documentations (my fault). You mean that using a userfile file with DEFAULT Auth-Type = DONALDUCK and in radiusd.conf have something like (cutting out default stuff): ********************************** modules { exec myauth { wait = yes program = "/path/to/my/script" input_pairs = request output_pairs = reply } } authorize { eap file } authenticate { Auth-Type DONALDUCK { myauth } } ********************************* Will work?.
i.e. you haven't told the server what the "known good" password is, and you haven't told the server how to authenticate the user.
Right, i can't provide the known good password as stated before
Huh? You're setting Auth-Type to PAP in your script?
That was my solution to force the pap authentication module to do the authentication.
I've deleted the other attempts at "let's make random changes to see if it works".
It wasn't a "let's make random changes to see if it works", it works since the beginning. I have even provided other possible solutions too. The tests where just there to point out that the response that "pap really should go at the end" with other annoing comments about exclaimation marks and capital letters were plain inappropriate.
Stop making changes until you understand how the server works. Start with the default configuration, and then do this in the "inner-tunnel" virtual server. (i.e. also use 2.0.4)
Unfortunatly even this is not an aoption. I can't switch to 2.0.4 and am forced to use 1.1.7 untill my company in cludev 2.0 in accepted software. It's not my fault and can't do much about it.
The script should use the username to look up the "known good" password, and then print it to STDOUT. e.g. "echo hello" would be a good start.
EAP-TTLS + PAP will then WORK. And YES, you will be giving the server the "real user password". This is NOT a problem. If you think it's a problem, then you need to change your opinion. It's NOT a problem.
It IS a problem for me since the external server owner will NOT give me any access other then the ability to check if the pair username/password is valid. And all it is now working, just asking what is the best solution between using a script to "force" Auth-Type, use a users file. Don't care if other authentication methods will not work. Bye and thanks again Maccari Dario _________________________________________________________________ News, entertainment and everything you care about at Live.com. Get it now! http://www.live.com/getstarted.aspx
Dario Maccari wrote:
I configured the CLIENT to do EAP-TTLS with inner PAP.
Yes, you said that.
The server needs to "fit" inside a more complex structure in wich no "known good" password is available.
<sigh> That is NOT what you said before. ..
Will work?.
It should. Alan DeKok.
<sigh> That is NOT what you said before.
Sorry, probably a language barrier. I think my english is not good enough to really explain what i was trying to accomplish. Thanks for your patience.
It should.
I'll try that solution than wich will lead at, at least, less misunderstanding with pap client-side and pap server-side. Thanks again for your help Bye Dario Maccari
I configured the CLIENT to do EAP-TTLS with inner PAP. The server needs to "fit" inside a more complex structure in wich no "known good" password is available. User data are stored outside the radius server and can't be accessed in any other way than the ones that are given to me.
So why do you bother with radius and EAP for authentication when you are not going to use them? Use captive portal and run that php script from the login page. If you need accounting use radius for that. Ivan Kalik Kalim Informatika ISP
So why do you bother with radius and EAP for authentication when you are not going to use them? Use captive portal and run that php script from the login page. If you need accounting use radius for that.
I need to insert a wpa/wpa2 enterprise wlan, which do need eap and radius, side by side a prexisting unencrypted wlan wich authenticate with a captive portal. That's why that php script. It's basically the same used by the captive portal to authenticate the unencrypted wlan users with the externale server. Maybe i can port it in perl or even c/c++ to make it a real module and gain more control over its behaviuor and better performance but for now is just something more than a "proof of concept" ;) If all goes as it should i can even convince the external holder of the user database to setup a radius server where to proxy requests but this is a future project. The accounting is not made with radius too since it need to be "hardware independant" and unfortunatly not all access points used support radius accounting even if they do support wpa/wpa2 enterprise. I know, it's a wierd configuration but i have to deal with it :( Thanx Dario Maccari
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
d_maccari -
Dario Maccari -
Ivan Kalik