EAP-PEAP GTC auth_type
Hi, I'm trying to setup freeradius 2.1.3 as a radius for wifi security. The setup is as follows : - AP is running dd-wrt, Wireless Security set Security Mode=radius - Client (Ubuntu Hardy) is setup using network-manager, connect to the wireless network using settings : Wireless Security=WPA2 Enterprise, EAP Method=PEAP, Key Type=Dynamic WEP, Phase2 Type=GTC - on freeradius the relevant eap.conf section follows #============================================== eap { default_eap_type = peap gtc { auth_type = PAP } tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_password = whatever private_key_file = ${certdir}/server.pem certificate_file = ${certdir}/server.pem CA_file = ${cadir}/ca.pem dh_file = ${certdir}/dh random_file = ${certdir}/random cipher_list = "DEFAULT" cache { enable = no max_entries = 255 } } peap { default_eap_type = gtc copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } } #============================================== I have ldap (lda.conf) and pam sections (on radiusd.conf) correctly setup so that I can authenticate (tested with radtest) using system users (with pam) or LDAP user. Obviously EAP is not involved here yet. The comments on eap.conf says # The plain-text response which comes back # is put into a User-Password attribute, # and passed to another module for # authentication. This allows the EAP-GTC # response to be checked against plain-text, # or crypt'd passwords. There's also this comment on LDAP.conf # By default, if the packet contains a User-Password, # and no other module is configured to handle the # authentication, the LDAP module sets itself to do # LDAP bind for authentication. # # THIS WILL ONLY WORK FOR PAP AUTHENTICATION. # # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). Now I'm assuming what happens when I use PEAP-GTC with system user is that : - eap calls peap - peap calls gtc - gtc calls PAP - PAP calls pam in which case GTC should receive the password in clear text (which is also visible from radiusd -X autput). Now the question: Can I set GTC to authenticate against LDAP? Using SYSTEM user with auth_type = PAP in gtc section works, tested with wireless client. #============================================== Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/gtc [eap] processing type gtc [gtc] +- entering group PAP {...} [pap] login attempt with password "<My system password here>" [pap] Using CRYPT encryption. [pap] User authenticated successfully ++[pap] returns ok rlm_eap_gtc: Everything is OK. [eap] Freeing handler ++[eap] returns ok Login OK: [<My system user here>] (from client <My client name here> port 0 via TLS tunnel) #============================================== but using LDAP user with auth_type = PAP in gtc section does not work #============================================== Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/gtc [eap] processing type gtc [gtc] +- entering group PAP {...} [pap] login attempt with password "<My LDAP password here>" [pap] No password configured for the user. Cannot do authentication ++[pap] returns fail [eap] Handler failed in EAP/gtc [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [<My LDAP user here>] (from client <My client name here> port 0 via TLS tunnel) #============================================== ... and setting auth_type = LDAP in gtc section (obviously) does not work #============================================== rlm_eap_gtc: Unknown Auth-Type LDAP rlm_eap: Failed to initialize type gtc /etc/raddb/eap.conf[17]: Instantiation failed for module "eap" /etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module "eap". /etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section. #============================================== Is there any way I can get this to work? i.e. having eap -> peap -> gtc -> PAP -> LDAP Regards, Fajar
but using LDAP user with auth_type = PAP in gtc section does not work #============================================== Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/gtc [eap] processing type gtc [gtc] +- entering group PAP {...} [pap] login attempt with password "<My LDAP password here>"
That's not "your LDAP password". That's the password from the User-Password field in the request.
[pap] No password configured for the user. Cannot do authentication ++[pap] returns fail [eap] Handler failed in EAP/gtc [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [<My LDAP user here>] (from client <My client name here> port 0 via TLS tunnel) #==============================================
And where is the part of the debug that shows what ldap did? Ivan Kalik Kalik Informatika ISP
tnt@kalik.net wrote:
but using LDAP user with auth_type = PAP in gtc section does not work #============================================== Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/gtc [eap] processing type gtc [gtc] +- entering group PAP {...} [pap] login attempt with password "<My LDAP password here>"
That's not "your LDAP password". That's the password from the User-Password field in the request.
It was the same as my LDAP password :) Reading eap.conf again you're right though, that's the password from the User-Password field in the request. Which means that gtc receives the password correctly as plain-text.
[pap] No password configured for the user. Cannot do authentication ++[pap] returns fail [eap] Handler failed in EAP/gtc [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [<My LDAP user here>] (from client <My client name here> port 0 via TLS tunnel) #==============================================
And where is the part of the debug that shows what ldap did?
Here's a complete debug log from radius startup tested with radtest, with user and pasword masked. This works correctly. http://pastebin.com/f11606cc2 Here's a complete debug log from radius startup tested with wifi client, same user and password, same config files. Somehow in this config LDAP never got to bind as my user. http://pastebin.com/f37aaf2b2 Regards, Fajar
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I'm pretty sure PEAPv0 does not support GTC as an inner method, and FreeRADIUS does not support PEAPv1. Use EAP-TTLS with a GTC/PAP inner. Thanks, Arran
tnt@kalik.net wrote:
but using LDAP user with auth_type = PAP in gtc section does not work #============================================== Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/gtc [eap] processing type gtc [gtc] +- entering group PAP {...} [pap] login attempt with password "<My LDAP password here>"
That's not "your LDAP password". That's the password from the User-Password field in the request.
It was the same as my LDAP password :) Reading eap.conf again you're right though, that's the password from the User-Password field in the request. Which means that gtc receives the password correctly as plain-text.
[pap] No password configured for the user. Cannot do authentication ++[pap] returns fail [eap] Handler failed in EAP/gtc [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [<My LDAP user here>] (from client <My client name here> port 0 via TLS tunnel) #==============================================
And where is the part of the debug that shows what ldap did?
Here's a complete debug log from radius startup tested with radtest, with user and pasword masked. This works correctly. http://pastebin.com/f11606cc2
Here's a complete debug log from radius startup tested with wifi client, same user and password, same config files. Somehow in this config LDAP never got to bind as my user. http://pastebin.com/f37aaf2b2
Regards,
Fajar
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkmlK6YACgkQcaklux5oVKJr2QCfd+oXEUbiE8OTRjFmfmbSELJU tikAn2FJw8c8JzNC6VQpWAxPuqtBkk2c =oh6a -----END PGP SIGNATURE-----
Here's a complete debug log from radius startup tested with wifi client, same user and password, same config files. Somehow in this config LDAP never got to bind as my user. http://pastebin.com/f37aaf2b2
Ah, "bind as user" works only for pap requests not eap. This is documented in ldap module configuration file. Enable ldap in authorize in inner-tunnel virtual server in order to have password available. Ivan Kalik
On Wed, Feb 25, 2009 at 6:31 PM, <tnt@kalik.net> wrote:
documented in ldap module configuration file. Enable ldap in authorize in inner-tunnel virtual server in order to have password available.
Great! It works perfectly. Other than enabling ldap in authorize and authenticate in inner-tunnel, I also had to change eap.conf's gtc section to auth_type = LDAP. This works, but it brings up another problem. Setting auth_type to PAP, Local, or commented out on gtc section does not work for LDAP. On the other hand, If I set auth_type = LDAP, PEAP-GTC with system user (which works if I set auth_type = PAP on gtc section) does not work. Is there a way I can authenticate with BOTH system user and LDAP using PEAP-GTC? the main radiusd.conf can have multiple authorize methods available, right? Why does gct have to explicitly set auth_type?
Great! It works perfectly. Other than enabling ldap in authorize and authenticate in inner-tunnel, I also had to change eap.conf's gtc section to auth_type = LDAP.
This works, but it brings up another problem. Setting auth_type to PAP, Local, or commented out on gtc section does not work for LDAP. On the other hand, If I set auth_type = LDAP, PEAP-GTC with system user (which works if I set auth_type = PAP on gtc section) does not work.
Is there a way I can authenticate with BOTH system user and LDAP using PEAP-GTC? the main radiusd.conf can have multiple authorize methods available, right? Why does gct have to explicitly set auth_type?
Leave gtc as pap. Change set_auth_type to no in ldap module configuration. Module will then just collect the password and pass it to pap module for authentication. It will not do "bind as user" ldap authentication. Ivan Kalik Kalik Informatika ISP
On Thu, Feb 26, 2009 at 5:14 PM, <tnt@kalik.net> wrote:
Is there a way I can authenticate with BOTH system user and LDAP using PEAP-GTC? the main radiusd.conf can have multiple authorize methods available, right? Why does gct have to explicitly set auth_type?
Leave gtc as pap. Change set_auth_type to no in ldap module configuration. Module will then just collect the password and pass it to pap module for authentication. It will not do "bind as user" ldap authentication.
So in short if I want to do "bind as user" in PEAP-GTC, I can't combine it with other authentication methods (like pam)? Too bad. Oh well, at least on of my goals worked. Thanks for your help! Regards, Fajar
So in short if I want to do "bind as user" in PEAP-GTC, I can't combine it with other authentication methods (like pam)? Too bad.
Why is it "too bad". Just don't use "bind as user". You should avoid using methods where Auth-Type is forced. They are very difficult to combine with other methods. Ivan Kalik Kalik Informatika ISP
On Fri, Feb 27, 2009 at 6:32 PM, <tnt@kalik.net> wrote:
So in short if I want to do "bind as user" in PEAP-GTC, I can't combine it with other authentication methods (like pam)? Too bad.
Why is it "too bad". Just don't use "bind as user". You should avoid
The LDAP server I'm authenticating against is Lotus Domino, which stores user password in a Lotus-specific encryption. The only way to use freeradius to authenticate against it is with "bind as user".
using methods where Auth-Type is forced. They are very difficult to combine with other methods.
Yeah. The thing that I don't get yet is why on normal radius packet (without PEAP-GTC) I don't have to set Auth-Type explicitly, yet the ldap module can use either user password stored in LDAP or bind as user. With gtc on the other hand, I have to FORCE gtc to use Auth-Type LDAP. I was hoping that with gtc set to pap the inner-tunnel can use multiple modules to authenticate, including bind as user when using LDAP.
The LDAP server I'm authenticating against is Lotus Domino, which stores user password in a Lotus-specific encryption. The only way to use freeradius to authenticate against it is with "bind as user".
Talk about "painting yourself into a corner".
The thing that I don't get yet is why on normal radius packet (without PEAP-GTC) I don't have to set Auth-Type explicitly, yet the ldap module can use either user password stored in LDAP or bind as user. With gtc on the other hand, I have to FORCE gtc to use Auth-Type LDAP.
RFC: "The EAP GTC method is intended for use with the Token Cards supporting challenge/response authentication and MUST NOT be used to provide support for cleartext passwords in the absence of a protected tunnel with server authentication."
I was hoping that with gtc set to pap the inner-tunnel can use multiple modules to authenticate, including bind as user when using LDAP.
EAP TTLS/PAP. Ivan Kalik Kalik Informatika ISP
On Fri, Feb 27, 2009 at 9:54 PM, <tnt@kalik.net> wrote:
The thing that I don't get yet is why on normal radius packet (without PEAP-GTC) I don't have to set Auth-Type explicitly, yet the ldap module can use either user password stored in LDAP or bind as user. With gtc on the other hand, I have to FORCE gtc to use Auth-Type LDAP.
RFC: "The EAP GTC method is intended for use with the Token Cards supporting challenge/response authentication and MUST NOT be used to provide support for cleartext passwords in the absence of a protected tunnel with server authentication."
Let me rephrase my question to several different parts : (1) eap.conf says # Generic Token Card. # # Currently, this is only permitted inside of EAP-TTLS, # or EAP-PEAP. The module "challenges" the user with # text, and the response from the user is taken to be # the User-Password. I take it that means EAP-PEAP (as well ass EAP-TTLS) provides protected tunnel already, and as such when used in PEAP-GTC, it may be used to provide support for cleartext password. Is my interpretation correct? (2) What is the difference (security-wise) between setting auth-type PAP and LDAP within PEAP-GTC, since both have clear-text passwords inside the GTC tunnel? (3) Why is the authorize/authentication combo beahvior between main radiusd.conf and inner-tunnel different with regards to LDAP bind as user? Is it : a. Design choice (e.g programmers choice, or to comply with RFP or other standards), or b. A bug
I take it that means EAP-PEAP (as well ass EAP-TTLS) provides protected tunnel already, and as such when used in PEAP-GTC, it may be used to provide support for cleartext password. Is my interpretation correct?
Yes. But you (ie. server) don't have a password (clear or encrypted) for matching.
(2) What is the difference (security-wise) between setting auth-type PAP and LDAP within PEAP-GTC, since both have clear-text passwords inside the GTC tunnel?
None.
(3) Why is the authorize/authentication combo beahvior between main radiusd.conf and inner-tunnel different with regards to LDAP bind as user? Is it : a. Design choice (e.g programmers choice, or to comply with RFP or other standards), or b. A bug
It's not. You have to tell GTC what authentication method to use. That is than set in the configuration file and can't be changed during request processing. If you leave the server to set the auth method ... If you would force DEFAULT Auth-Type := System in users file, ldap "bind as user" wouldn't work. If you put LDAP, system passwords won't work. That is in essence what GTC does. Ivan Kalik Kalik Informatika ISP
On Sat, Feb 28, 2009 at 10:12 PM, <tnt@kalik.net> wrote:
It's not. You have to tell GTC what authentication method to use. That is than set in the configuration file and can't be changed during request processing.
Ah, so that's where the problem is. Thanks for your help. Regards, Fajar
participants (3)
-
Arran Cudbard-Bell -
Fajar A. Nugraha -
tnt@kalik.net