Re: Re: Cisco WLC PEAP/MSCHAPv2 - unnecessary ldap lookups?
I will need to do some more research on inner-tunnels, as i'm not too familiar with them. How would I add the ldap components? as part of the peap module itself? All the documentation i've found on LDAP requires the ldap modules to be referenced in both the authorize and authentication sections directly. It would be useful to see some more examples. -----Inline Message Follows----- Have you tried to configure an inner-tunnel for peap? it will reduce the ldap lookups. 2009/9/17 Brian Wilson <briw111@yahoo.com>:
Hi all,
A few months ago I had posted this topic to the list, and unfortunately before I could work further on it I got pulled onto another assignment. I apologize to those that tried helping before. I modified my config per their recommendations, but still having the same problem....
I am still having trouble with a WLC440x with WPA2-AES-PEAP-MSCHAPv2, freeradius and edirectory setup. Essentially, the ldap requests are taking 3-4 seconds to resolve. In addition, freeradius ends up doing in the neighborhood of 5-6 ldap lookups for each client trying to attach. I am unsure of why this is happening. Below is my configuration: (This is freeradius 2.1.6)
authorize{ preprocess auth_log suffix ntdomain eap { ok = return } files { notfound = reject noop = reject fail = reject } redundant-load-balance { LDAPsvr1 LDAPsvr2 } expiration logintime }
authenticate { Auth-Type MS-CHAP { mschap } Auth-Type LDAP { redundant-load-balance { LDAPsvr1 LDAPsvr2 } } eap }
and in eap.conf, i have default-eap-type set to peap, and not mschapv2.
here is a snippet of debug info I had posted before; this tends to repeat at nassuem about 4-5 more times before the actual access-accept is sent:
rad_recv: Access-Request packet from host blah port 32769, id=5, length=196 User-Name = "test" Calling-Station-Id = "mac" Called-Station-Id = "mac:blah" NAS-Port = 1 NAS-IP-Address = ipblah
NAS-Identifier = "nameblah" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = (trimmed) Message-Authenticator = 0x8dd02304de9a3c5e3c732d1a622be134 +- entering group authorize {...} [preprocess] expand: %{Called-Station-Id} -> mac:blah
++[preprocess] returns ok [auth_log] expand: (trimmed) [auth_log](trimmed) [auth_log] expand: %t -> Wed Jun 17 10:00:10 2009 ++[auth_log] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "company" for User-Name = "test" [ntdomain] Found realm "company" [ntdomain] Adding Stripped-User-Name = "test" [ntdomain] Adding Realm = "company" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 2 length 27 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 178 ++[files] returns ok ++- entering redundant-load-balance group redundant-load-balance {...} [LDAPsvr2] performing user authorization for test [LDAPsvr2] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [LDAPsvr2] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=test) [LDAPsvr2] expand: t=company -> t=company rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in t=company, with filter (cn=test) [LDAPsvr2] Added the eDirectory password password in check items as Cleartext-Password [LDAPsvr2] No default NMAS login sequence [LDAPsvr2] looking for check items in directory... [LDAPsvr2] looking for reply items in directory... [LDAPsvr2] user test authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[LDAPsvr2] returns ok ++- redundant-load-balance group redundant-load-balance returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 5 to blah port 32769 EAP-Message = (trimmed) Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfea96b9cfeaa7186011d5bcc3cb2528f Finished request 67. Going to the next request Waking up in 9.9 seconds. rad_recv: Access-Request packet from host blah port 32769, id=6, length=193 User-Name = "test" Calling-Station-Id = "mac" Called-Station-Id = "mac:blah" NAS-Port = 1 NAS-IP-Address = blah
NAS-Identifier = "nameblah" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300060319 State = 0xfea96b9cfeaa7186011d5bcc3cb2528f Message-Authenticator = 0x7efad720ed506e1d3324a14c5f001a4c +- entering group authorize {...} [preprocess] expand: %{Called-Station-Id} -> mac:blah ++[preprocess] returns ok [auth_log] expand: (trimmed) [auth_log] (trimmed) [auth_log] expand: (trimmed) ++[auth_log] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "company" for User-Name = "test" [ntdomain] Found realm "company" [ntdomain] Adding Stripped-User-Name = "test" [ntdomain] Adding Realm = "company" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 3 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 178 ++[files] returns ok ++- entering redundant-load-balance group redundant-load-balance {...} [LDAPsvr1] performing user authorization for test [LDAPsvr1] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [LDAPsvr1] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=test) [LDAPsvr1] expand: t=company -> t=company rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in t=company, with filter (cn=test) [LDAPsvr1] Added the eDirectory password password in check items as Cleartext-Password [LDAPsvr1] No default NMAS login sequence [LDAPsvr1] looking for check items in directory... [LDAPsvr1] looking for reply items in directory... [LDAPsvr1] user test authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[LDAPsvr1] returns ok ++- redundant-load-balance group redundant-load-balance returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 6 to blah port 32769 EAP-Message = 0x010400061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfea96b9cffad7286011d5bcc3cb2528f Finished request 68. Going to the next request Waking up in 5.2 seconds.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Hi,
I will need to do some more research on inner-tunnels, as i'm not too familiar with them. How would I add the ldap components? as part of the peap module itself?
no - you simply configure the required part of the inner-tunnel virtual server - inner-tunnel virtual server gets called as part of the EAP config - and _only_ as part of EAP with default config - check the default raddb config alan
I will need to do some more research on inner-tunnels, as i'm not too familiar with them.
Well it's right beside default server in sites-enabled.
How would I add the ldap components?
You should comment it in there and commet it out in default virtual server.
as part of the peap module itself?
No.
All the documentation i've found on LDAP requires the ldap modules to be referenced in both the authorize and authentication sections directly.
You do need it in authorize but not authenticate (you can't do ldap "bind as user" authentication for peap). Just pass the password from ldap to radius for authentication. You didn't copy 1.x configuration files to 2.x server by any chance? Ivan Kalik Kalik Informatika ISP
Brian Wilson <briw111@yahoo.com> wrote:
I will need to do some more research on inner-tunnels, as i'm not too familiar with them. How would I add the ldap components? as part of the peap module itself? All the documentation i've found on LDAP requires the ldap modules to be referenced in both the authorize and authentication sections directly. It would be useful to see some more examples.
Looking below the problem in not removing the LDAP lookups but speeding them up. I would strongly recommend you speak to the LDAP administrator and tell them to index 'cn' and 'objectclass'. As you are using eDirectory I would normally guess So the alternative plan of action is look at your use object classes and make your searches more specific, I use something like: (&(objectClass=Person)(cn=%{%{Stripped-User-Name}:-%{User-Name}})) As you are querying eDirectory there will be *lots* of objects in there that are not actual users. You use 'objectClass' to only search for *real* people (stripping out file shares, files, workstations, printers, etc etc) and then you hunt for the username. By using "ldapsearch -LLL -x -h ldap.example.com '<query>'" you will be able to work out what is fast and what is slow against your directory. As you are using eDirectory I assume you work in academica, I *strongly* recommend you force people to enter in their realm with their username (for example bob@example.edu) from the start...other wise you are going to be kicking yourself when you look to things like 'eduroam'[1]. Cheers [1] your users will roam to other universities to find their credentials do not work as they are presenting themselves as 'bob' rather than 'bob@example.edu' and so their request is rejected. The solution is to reject realmless logins even locally as your helpdesk will refuse to listen unless when they do does not work -- Alexander Clouter .sigmonster says: There's no time like the pleasant.
participants (4)
-
Alan Buxey -
Alexander Clouter -
Brian Wilson -
Ivan Kalik