different default_eap_type for different users
Hello, I'm currently in the process of switching from an old freeradius 1.1.6 to a more recent 2.0.4 (both with debian packages, rebuilt against openssl). I used to support only 802.1x or WPA clients, all using PEAP/MSchapv2, so I had default_eap_type=peap in my configuration. But now, I will also have to support a few 802.1x clients using TLS or MD5. The bad news is that some IP phones fail to authenticate when default_eap_type=peap (they only support MD5). Changing to default_eap_type=md5 works, but I'm not satsified with it since most clients use PEAP... In the default EAP configuration, it is written, about the default_eap_type=peap option: # If the EAP-Type attribute is set by another module, # then that EAP type takes precedence over the # default type configured here. Hence, I thought I would use the hints file to force EAP-Type (the good news is that I can recognize the IP phones with their username): CP-7942G-SEP0024C4BE96B7 EAP-Type = MD5-Challenge But this apparently does not work. I also tried to have several eap instances, and check User-Name to know which one to use in the authorize and authenticate section: if (User-Name == "CP-7942G-SEP0024C4BE96B7") { eap_ipphones } else { eap } But then freeradius -X fails to start with: /etc/freeradius/sites-enabled/default[234]: Unknown Auth-Type "(User-Name == "CP-7942G-SEP0024C4BE96B7")" in authenticate sub-section. Is there a way I can have per-user default_eap_type? Regards, -- Nicolas Boullis Ecole Centrale Paris France
Nicolas Boullis wrote:
I'm currently in the process of switching from an old freeradius 1.1.6 to a more recent 2.0.4 (both with debian packages, rebuilt against openssl).
Why not 2.1.6?
The bad news is that some IP phones fail to authenticate when default_eap_type=peap (they only support MD5). Changing to default_eap_type=md5 works, but I'm not satsified with it since most clients use PEAP...
In the default EAP configuration, it is written, about the default_eap_type=peap option: # If the EAP-Type attribute is set by another module, # then that EAP type takes precedence over the # default type configured here.
Hence, I thought I would use the hints file to force EAP-Type (the good news is that I can recognize the IP phones with their username): CP-7942G-SEP0024C4BE96B7 EAP-Type = MD5-Challenge
But this apparently does not work.
It's a *configuration* item, not a reply item. See "man users" ... CP-7942G-SEP0024C4BE96B7 EAP-Type := MD5-Challenge ... That will work. Alan DeKok.
Alan DeKok wrote:
Nicolas Boullis wrote:
I'm currently in the process of switching from an old freeradius 1.1.6 to a more recent 2.0.4 (both with debian packages, rebuilt against openssl).
Why not 2.1.6?
No good reason for this, only that current Debian stable (Lenny) has packages for 2.0.4, not 2.1.6. (And since administration of radius servers is only a small part of my work, I'd rather rely on Debian packages and Debian security team than track the potential security issues of all the server softwares that I use.)
Hence, I thought I would use the hints file to force EAP-Type (the good news is that I can recognize the IP phones with their username): CP-7942G-SEP0024C4BE96B7 EAP-Type = MD5-Challenge
But this apparently does not work.
It's a *configuration* item, not a reply item. See "man users"
... CP-7942G-SEP0024C4BE96B7 EAP-Type := MD5-Challenge ...
That will work.
Unfortunately, it does not, freeradius still tries TLS (PEAP?): # freeradius -X (...) Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 138.195.254.246 port 1645, id=21, length=181 User-Name = "CP-7942G-SEP0024C4BE96B7" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1F-6D-11-DD-98" Calling-Station-Id = "00-24-C4-BE-96-B7" EAP-Message = 0x0203001d0143502d37393432472d534550303032344334424539364237 Message-Authenticator = 0xad86f0122944a370ac2bc487e0b292a4 NAS-Port-Type = Ethernet NAS-Port = 50024 NAS-Port-Id = "FastEthernet0/24" NAS-IP-Address = 138.195.254.246 +- entering group authorize hints: Matched CP-7942G-SEP0024C4BE96B7 at 78 ++[preprocess] returns ok expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/138.195.254.246/auth-detail-20090702 rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/138.195.254.246/auth-detail-20090702 expand: %t -> Thu Jul 2 11:51:53 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "CP-7942G-SEP0024C4BE96B7", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 3 length 29 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound users: Matched entry CP-7942G-SEP0024C4BE96B7 at line 135 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 21 to 138.195.254.246 port 1645 EAP-Message = 0x010400061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe0c5d17fe0c1c8f39eb404d78a61b99b Finished request 0. Going to the next request Waking up in 4.9 seconds. Note the "hints: Matched CP-7942G-SEP0024C4BE96B7 at 78" and "rlm_eap: processing type tls". (... a few minutes later ...) I just tried to set EAP-Type in users rather that in hints, and now it works fine. Thanks! But why does it work in users and not in hints? (I thought I had to use hints because it is run before eap in the authorize section...) Cheers, -- Nicolas Boullis Ecole Centrale Paris France
participants (2)
-
Alan DeKok -
Nicolas Boullis