Hi, I have searched high and low but I could not find answer to my problem. It may be a very simple problem for the expert users out here. Basically I'm using radius server to perform 802.1x authentication. In my set up, I use an external authentication script (written in python) which accepts user and password. I have successfully proven this set up on eapol_test with EAP-TTLS (PEAP). I perform exec in post-auth section of default. Something like this in users: Auth-Type = Accept Exec-Program-Wait = "/path/to/myscript.py %{User-Name} %{User-Password} This works fine with EAP-TTLS (PEAP). But as you know Windows built in supplicant defaults to CHAP. So I'm keen to get that working. I understand that freeradius needs to know the password (Cleartext-Password) but I can't set that in users file. I don't use ldap or sql modules. I can amend my script to print the password once it has authenticated against the external source. But how do I call my script and set the Cleartext-Password (using the script output) so that CHAP could be performed? Thanks.
EAP-TTLS is not PEAP If you mean EAP-TTLS (PAP) as I expect you do. .. then that's because the users passwords is sent in the clear inside the tunnel. So you receive it and can do things with it. PEAP and EAP-TTLS (mschapv2) send challenge response in the tunnel. You will not get the password. alan -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
On Wed, Nov 13, 2013 at 04:22:23PM +0000, Prash K wrote:
In my set up, I use an external authentication script (written in python) which accepts user and password. I have successfully proven this set up on eapol_test with EAP-TTLS (PEAP). I perform exec in post-auth section of default. Something like this in users:
Auth-Type = Accept Exec-Program-Wait = "/path/to/myscript.py %{User-Name} %{User-Password}
I can't work out what you're doing (especially in post-auth), but this doesn't look right. With EAP-TTLS/PAP the client will send an encrypted plaintext password, which you can pass to your script to test. Windows < 8 don't support EAP-TTLS/PAP. With PEAP/MS-CHAPv2 (or EAP-TTLS/MS-CHAPv2) you won't be sent a plaintext password, which means you need either - the cleartext password; or - the NTLM hash. If you've not got access to either, what you are trying to do is impossible and you need to rethink.
This works fine with EAP-TTLS (PEAP). But as you know Windows built in supplicant defaults to CHAP. So I'm keen to get that working. I understand that freeradius needs to know the password (Cleartext-Password) but I can't set that in users file. I don't use ldap or sql modules.
If you have the cleartext password, you can easily set it in the users file. There is no need to use ldap or sql. username Cleartext-Password := 'password' Cheers, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Prash K wrote:
I have searched high and low but I could not find answer to my problem. It may be a very simple problem for the expert users out here. Basically I'm using radius server to perform 802.1x authentication.
Which should be easy.
In my set up, I use an external authentication script (written in python) which accepts user and password.
Which won't work
I have successfully proven this set up on eapol_test with EAP-TTLS (PEAP).
I think you mean TTLS / PAP. PEAP is very different.
I perform exec in post-auth section of default. Something like this in users:
Auth-Type = Accept Exec-Program-Wait = "/path/to/myscript.py %{User-Name} %{User-Password}
This works fine with EAP-TTLS (PEAP). But as you know Windows built in supplicant defaults to CHAP.
No. It defaults to PEAP / MSCHAP. PLEASE use the right terminology. It matters a LOT.
So I'm keen to get that working. I understand that freeradius needs to know the password (Cleartext-Password) but I can't set that in users file. I don't use ldap or sql modules.
You will need to use LDAP or SQL. Sorry.
I can amend my script to print the password once it has authenticated against the external source. But how do I call my script and set the Cleartext-Password (using the script output) so that CHAP could be performed?
You can't. It's impossible. Alan DeKok.
My apologies. I got the protocols mixed up. But yes you all understood my question perfectly. I have been able to use TTLS/PAP which is supported by Windows>=8 out of the box because I can pass user/pass combo to my external script.For the users < Win 8, I was looking to get PEAP/MSCHAP working but as you say radius needs either the clear text password or NTLM hash. I have neither as my python script needs user/pass to validate against the external source. If I understand correctly, I switch to LDAP and get rid of the script all together, radius will work with both TTLS/PAP & PEAP/MSCHAP. Is this correct? I believe I have to enable ldap on the inner tunnel. Now assuming I stick with the script and support TTLS/PAP only, I wanted to understand how radius distinguishes between two types of requests. I did not mention it earlier but I have another script that does MOTP in the same radius server. At the moment I use realms to distinguish between the two but I'm pretty sure there is an elegant way to let radius work it out itself. My users file contains something like this DEFAULT Suffix == "@8021x", Auth-Type = Accept Exec-Program-Wait = "/path/to/my8021xscript.py %{Stripped-User-Name} %{User-Password} DEFAULT Suffix == "@motp", Auth-Type = Accept Exec-Program-Wait = "/path/to/mymotpscript.py %{Stripped-User-Name} %{User-Password} I have defined these two realms in proxy.conf. Many Thanks. On 13 November 2013 17:07, Alan DeKok <aland@deployingradius.com> wrote:
Prash K wrote:
I have searched high and low but I could not find answer to my problem. It may be a very simple problem for the expert users out here. Basically I'm using radius server to perform 802.1x authentication.
Which should be easy.
In my set up, I use an external authentication script (written in python) which accepts user and password.
Which won't work
I have successfully proven this set up on eapol_test with EAP-TTLS (PEAP).
I think you mean TTLS / PAP. PEAP is very different.
I perform exec in post-auth section of default. Something like this in users:
Auth-Type = Accept Exec-Program-Wait = "/path/to/myscript.py %{User-Name} %{User-Password}
This works fine with EAP-TTLS (PEAP). But as you know Windows built in supplicant defaults to CHAP.
No. It defaults to PEAP / MSCHAP.
PLEASE use the right terminology. It matters a LOT.
So I'm keen to get that working. I understand that freeradius needs to know the password (Cleartext-Password) but I can't set that in users file. I don't use ldap or sql modules.
You will need to use LDAP or SQL. Sorry.
I can amend my script to print the password once it has authenticated against the external source. But how do I call my script and set the Cleartext-Password (using the script output) so that CHAP could be performed?
You can't. It's impossible.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
If I understand correctly, I switch to LDAP and get rid of the script all together, radius will work with both TTLS/PAP & PEAP/MSCHAP. Is this correct? I believe I have to enable ldap on the inner tunnel.
depends on how your passwords are stoped in the LDAP. read the deployingradius web site
Now assuming I stick with the script and support TTLS/PAP only, I wanted to understand how radius distinguishes between two types of requests. I
if you look at debug mode you will see whats going on. depending on the content of the packet certain modules will do things - eg the mschap module - which will then activate the MSCHAPv2 stuff for dealing with the challenge response, the pap module deals with plain text stuff. the ldap module will have got a value for that PAP module to deal with. with the type known and the method defined, you could use eg unlang to fire off the correct external script..if still needed...rather than do those frankly nasty (and lucky they work) things in the users file alan
P K wrote:
My apologies. I got the protocols mixed up. But yes you all understood my question perfectly. I have been able to use TTLS/PAP which is supported by Windows>=8 out of the box because I can pass user/pass combo to my external script.For the users < Win 8, I was looking to get PEAP/MSCHAP working but as you say radius needs either the clear text password or NTLM hash. I have neither as my python script needs user/pass to validate against the external source.
As I said, it's *impossible*.
If I understand correctly, I switch to LDAP and get rid of the script all together, radius will work with both TTLS/PAP & PEAP/MSCHAP. Is this correct? I believe I have to enable ldap on the inner tunnel.
It will work if LDAP supplies the clear-text password or the NT hash to FreeRADIUS. Otherwise, it's impossible.
Now assuming I stick with the script and support TTLS/PAP only, I wanted to understand how radius distinguishes between two types of requests.
Read the debug output. The EAP supplicant *tells* the server it's using TTLS or PEAP.
I did not mention it earlier but I have another script that does MOTP in the same radius server. At the moment I use realms to distinguish between the two but I'm pretty sure there is an elegant way to let radius work it out itself.
As always, read the debug output. If you can tell the difference between the two requests, then you can write a rule to distinguish between the two requests. Alan DeKok.
participants (6)
-
A.L.M.Buxey@lboro.ac.uk -
Alan Buxey -
Alan DeKok -
Matthew Newton -
P K -
Prash K