concurrent TTLS and PEAP usage
hi we have a Wifi 802.1X network with both TTLS and PEAP users (TTLS/PAP mostly for non-windows machines, PEAP/MSCHAPv2 for windows machines). (we also have TLS users, but that's out of scope). both work like a charm. however, we'd like to prevent PEAP accounts to log in with TTLS and vice-versa (that's a pure policy decision - one user profile should specify exactly one auth method). this works mainly because we store clear text passwords for both MSCHAPv2 and PAP. assuming e.g. two users user_peap with PEAP/MS-CHAPv2 and user_ttls with TTLS/CHAP, we would like to modify the profile of the user user_peap so he can't change the exterior method to TTLS/PAP and vs. note that we don't necessarily use exterior names (since e.g. MS Windows machines do not permit to specify an alternative user name for the exterior EAP tunnel). we naively try to specify EAP-Type == PEAP for user_peap and == TTLS for user_ttls but that breaks both methods (which seems normal since this EAP-Type definition is not correct for the internal EAP method which however uses the same user name). i thought about specifying tunneled attributes as check items. it turns out that FR does not show them in the log and I believe that these are not the same for the PEAP and TTLS anyway. thus the question to the list: how can I specify an "PEAP/MS-CHAPv2 only" user profile? how can i specify a "TTLS/PAP only" user profile? thanks artur
Artur Hecker schrieb:
we naively try to specify EAP-Type == PEAP for user_peap and == TTLS for user_ttls but that breaks both methods (which seems normal since this EAP-Type definition is not correct for the internal EAP method which however uses the same user name).
Why not almost just as naively do the check vice versa: If it's user_ttls and EAP-Type == PEAP, set Auth-Type explicitly to reject? Regards, Stefan
hi Stefan.Neis@t-online.de wrote:
we naively try to specify EAP-Type == PEAP for user_peap and == TTLS for user_ttls but that breaks both methods (which seems normal since this EAP-Type definition is not correct for the internal EAP method which however uses the same user name).
Why not almost just as naively do the check vice versa: If it's user_ttls and EAP-Type == PEAP, set Auth-Type explicitly to reject?
what you are saying is that I should do something like this: user_ttls EAP-Type != PEAP that however only prohibits the usage of PEAP for user_ttls while i would like to only enable TTLS for this specific user (which is not quite the same). ciao artur
Artur Hecker <hecker@enst.fr> wrote:
user_ttls EAP-Type != PEAP
that however only prohibits the usage of PEAP for user_ttls while i would like to only enable TTLS for this specific user (which is not quite the same).
user_ttls EAP-Type != TTLS, Auth-Type := Reject See the dictionaries for EAP-Type names. Alan DeKok.
hi Alan hi Stefan thanks for your help. I think I understand the idea. however my problems are on the implementation level. two things are still not clear to me. 1. we use 'sql' and not 'files' (my fault i didn't mention it previously) and thus I don't see how I can add the line below to my user profile who already has things like User-Password ==..., etc. I tried adding user user_ttls into group TTLS and then using radgroupcheck like this: radgroupcheck: id User Attribute op Value 2 user_ttls EAP-Type != TTLS 3 user_ttls Auth-Type := Reject but then user_ttls gets rejected. how do I implement it with SQL? 2. we experimented with EAP-Type, but at least for PEAP as soon as we specify it somewhere in radcheck, PEAP breaks with a server error message saying that the client has sent a TLV rejecting the connection. Alan: like Stefan proposed I also thought about something like FreeRadius-Proxied-To, because i think that you proposal might not work as soon as the internal method starts for the user. Or don't external methods use EAP-Type? (still I am not sure how to define "conditions" in sql tables: if EAP-Type not this value, then add Auth-Type=...) ciao artur Alan DeKok wrote:
Artur Hecker <hecker@enst.fr> wrote:
user_ttls EAP-Type != PEAP
that however only prohibits the usage of PEAP for user_ttls while i would like to only enable TTLS for this specific user (which is not quite the same).
user_ttls EAP-Type != TTLS, Auth-Type := Reject
See the dictionaries for EAP-Type names.
Alan DeKok.
Alan, Stefan replying to myself: using 'files' I've managed to make it work. the correct (working) configuration is: user_ttls FreeRadius-Proxied-To == "127.0.0.1", User-Password == "test_ttls" Session-Timeout = 3600 user_ttls EAP-Type != EAP-TTLS Auth-Type := Reject user_peap FreeRadius-Proxied-To == "127.0.0.1", User-Password == "test_peap" Session-Timeout = 3600 user_peap EAP-Type != PEAP Auth-Type := Reject that does exactly what I wanted. works like a charm for both PEAP and TTLS users. could somebody explain me how I can translate it into an SQL config? ciao artur Artur Hecker wrote:
hi Alan hi Stefan
thanks for your help. I think I understand the idea. however my problems are on the implementation level.
two things are still not clear to me.
1. we use 'sql' and not 'files' (my fault i didn't mention it previously) and thus I don't see how I can add the line below to my user profile who already has things like User-Password ==..., etc. I tried adding user user_ttls into group TTLS and then using radgroupcheck like this:
radgroupcheck: id User Attribute op Value 2 user_ttls EAP-Type != TTLS 3 user_ttls Auth-Type := Reject
but then user_ttls gets rejected. how do I implement it with SQL?
2. we experimented with EAP-Type, but at least for PEAP as soon as we specify it somewhere in radcheck, PEAP breaks with a server error message saying that the client has sent a TLV rejecting the connection.
Alan: like Stefan proposed I also thought about something like FreeRadius-Proxied-To, because i think that you proposal might not work as soon as the internal method starts for the user. Or don't external methods use EAP-Type? (still I am not sure how to define "conditions" in sql tables: if EAP-Type not this value, then add Auth-Type=...)
ciao artur
Alan DeKok wrote:
Artur Hecker <hecker@enst.fr> wrote:
user_ttls EAP-Type != PEAP
that however only prohibits the usage of PEAP for user_ttls while i would like to only enable TTLS for this specific user (which is not quite the same).
user_ttls EAP-Type != TTLS, Auth-Type := Reject
See the dictionaries for EAP-Type names.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Artur Hecker -
Stefan.Neis@t-online.de