trying to get PAP-inside-TTLS working for PAM
I am running freeradius-2.1.12. According to the last post of the following thread - http://lists.freeradius.org/pipermail/freeradius-users/2013-February/064927.... - it is possible to get radius to authenticate against PAM by configuring it to use PAP inside of TTLS. The first and final posts of that thread provide the configuration that the poster used to get it working. In /etc/freeradius/users, I have DEFAULT Auth-Type := PAM In /etc/pam.d/radiusd, I have the following: ## auth requisite /lib/arm-linux-gnueabihf/security/pam_google_authenticator.so secret=/home/${USER}/.google_authenticator nullok forward_pass auth sufficient pam_ldap.so use_first_pass auth required pam_unix.so use_first_pass ## In /etc/pam.d/sshd, I have the following lines immediately before the usual @include common-auth line: auth sufficient pam_radius_auth.so # Additionally, I have mimick'ed the configuration given in the aforementioned thread - the the eap.conf changes, and sites-enabled changes. This configuration works perfectly for ssh clients. It works for both ldap users and local unix users who ssh in from another linux box. I can see in /var/log/auth.log and the radius debug log that the user's verfication code is being checked and that their password is being checked against ldap. But this setup is not working for network devices such as iPad, that are connecting to a wireless access point, and trying to login with an ldap user. Said network devices do work but only for users explicitly given in the /etc/freeradius/users file with a plaintext password attribute. The wireless device is configured to use PAP inside TTLS, as per instructions here: http://cloudessa.com/tips-and-tricks/how-to-setup-eap-ttls-with-inner-pap-on... Freeradius debug log: EAP-Message = 0x0201000a017465737432 Message-Authenticator = 0xe3e9b79324821a27d40811ef6a24de9a Fri Jan 22 23:43:36 2016 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default Fri Jan 22 23:43:36 2016 : Info: +- entering group authorize {...} Fri Jan 22 23:43:36 2016 : Info: ++[preprocess] returns ok Fri Jan 22 23:43:36 2016 : Info: ++[chap] returns noop Fri Jan 22 23:43:36 2016 : Info: ++[mschap] returns noop Fri Jan 22 23:43:36 2016 : Info: ++[digest] returns noop Fri Jan 22 23:43:36 2016 : Info: [suffix] No '@' in User-Name = "test2", looking up realm NULL Fri Jan 22 23:43:36 2016 : Info: [suffix] No such realm "NULL" Fri Jan 22 23:43:36 2016 : Info: ++[suffix] returns noop Fri Jan 22 23:43:36 2016 : Info: [eap] EAP packet type response id 1 length 10 Fri Jan 22 23:43:36 2016 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation Fri Jan 22 23:43:36 2016 : Info: ++[eap] returns updated Fri Jan 22 23:43:36 2016 : Info: [files] users: Matched entry DEFAULT at line 216 Fri Jan 22 23:43:36 2016 : Info: ++[files] returns ok Fri Jan 22 23:43:36 2016 : Info: ++[expiration] returns noop Fri Jan 22 23:43:36 2016 : Info: ++[logintime] returns noop Fri Jan 22 23:43:36 2016 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. Fri Jan 22 23:43:36 2016 : Info: ++[pap] returns noop Fri Jan 22 23:43:36 2016 : Info: Found Auth-Type = PAM Fri Jan 22 23:43:36 2016 : Info: # Executing group from file /etc/freeradius/sites-enabled/default Fri Jan 22 23:43:36 2016 : Info: +- entering group authenticate {...} Fri Jan 22 23:43:36 2016 : Auth: rlm_pam: Attribute "User-Password" is required for authentication. Fri Jan 22 23:43:36 2016 : Info: ++[pam] returns invalid Fri Jan 22 23:43:36 2016 : Info: Failed to authenticate the user. Fri Jan 22 23:43:36 2016 : Info: Using Post-Auth-Type Reject Fri Jan 22 23:43:36 2016 : Info: # Executing group from file /etc/freeradius/sites-enabled/default Fri Jan 22 23:43:36 2016 : Info: +- entering group REJECT {...} - Michael Martinez -- ---
On Jan 28, 2016, at 6:53 PM, Michael Martinez <mwtzzz@gmail.com> wrote:
I am running freeradius-2.1.12.
Upgrade. Please. That version is over 5 years old. There are few reasons to use such an old reason. The only acceptable reason is "it works, and we're not touching the system". As soon as you're looking to make changes.. upgrade.
According to the last post of the following thread - http://lists.freeradius.org/pipermail/freeradius-users/2013-February/064927.... - it is possible to get radius to authenticate against PAM by configuring it to use PAP inside of TTLS. The first and final posts of that thread provide the configuration that the poster used to get it working.
PAM is intended to be used once, and never again by an application. This will likely result in memory leaks inside of the PAM code. We can't fix that.
This configuration works perfectly for ssh clients. It works for both ldap users and local unix users who ssh in from another linux box. I can see in /var/log/auth.log and the radius debug log that the user's verfication code is being checked and that their password is being checked against ldap.
That's something at least.
But this setup is not working for network devices such as iPad, that are connecting to a wireless access point, and trying to login with an ldap user.
Because you forced Auth-Type = PAM. Don't do that. The documentation and recommendations for the past DECADE have said don't do that. PAM doesn't do 802.1X authentication. FreeRADIUS has to do that itself. You need to set "Auth-Type = PAM" *only* when there's no EAP-Message in the packet. And, you need to find a way to authenticate users in the "inner-tunnel" virtual server. And upgrade. Please. And don't use PAM. Alan DeKok.
On Thu, Jan 28, 2016 at 03:53:05PM -0800, Michael Martinez wrote:
In /etc/freeradius/users, I have DEFAULT Auth-Type := PAM
This will break EAP; use = rather than :=. then configure the inner-tunnel for PAM as you have done in the outer. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
It turns out my configuration worked. The issue was that during testing I wasn't including the google 2-factor code with the password. Once I started doing this (appending the code at the end of the LDAP password), it works fine. Oh, and I did replace the ":=" with "=" as suggested. On Thu, Jan 28, 2016 at 4:43 PM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Thu, Jan 28, 2016 at 03:53:05PM -0800, Michael Martinez wrote:
In /etc/freeradius/users, I have DEFAULT Auth-Type := PAM
This will break EAP; use = rather than :=.
then configure the inner-tunnel for PAM as you have done in the outer.
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- ---
participants (3)
-
Alan DeKok -
Matthew Newton -
Michael Martinez