EAP-TLS and EAP-TTLS/MSCHAPv2 in parralel...possible ?
Hi, I've got a solution currently in place that works beautifully authenticating users with certificates using EAP-TLS. Unfortunatley, I need to start catering for users who have, shall we say, "limited" endpoints that only support TTLS/MSCHAPv2 type authentication (things like Amazon Kindle Paperwhotsits" for example, have a limited implementation that you can't seem to stick certificates on without jailbreaking... and that ain't gonna happen). So, I'm a bit lost for ideas ? I'm not a freeradius guru either... and the config files I've had a quick peek at seem to suggest bad things will happen .... e.g. the following comment .... # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. Ideas most welcome ! Thanks Ben
On 28/02/14 09:11, Ben wrote:
Hi,
I've got a solution currently in place that works beautifully authenticating users with certificates using EAP-TLS.
Unfortunatley, I need to start catering for users who have, shall we say, "limited" endpoints that only support TTLS/MSCHAPv2 type
This is a standard, even trivial, config. See: http://deployingradius.com/ ...and follow the HOWTOs section. Basically, if you have EAP-TLS working, it's likely that the only thing you need to do is ensure the server can get at the password or compatible hash (for MSCHAP, NT hash only) and it'll work. Problem is you've been a bit vague. What have you tried, if anything? What version of the server are you running?
will happen .... e.g. the following comment ....
# Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password.
That commend refers to forcing authentication via LDAP bind. If you don't do that, you won't have this problem. Suggest: 1. Ensuring you're on a recent version of the server, 2.2.3 2. Follow the deployingradius docs linked above on a test server 3. When you understand how it has all fit together, migrate the config to your production system, with your existing TLS CA/certs As with all systems tasks, if you're new to it then make small changes, check your results into version control after each success, follow the docs. If you've got specific questions, people can give more specific answers. Good luck,
Problem is you've been a bit vague. What have you tried, if anything? What version of the server are you running?
Apologies for the vaguesness ! My aim is Freeradius authenticating against OpenLDAP for the MSCHAP bit (there are various examples out there showing how do do this such as http://vuksan.com/linux/dot1x/802-1x-LDAP.html) , but uncommenting the LDAP elements in /server/default just seems to kill off the working eap-tls config. Currently on version 2.1.12.
Suggest:
1. Ensuring you're on a recent version of the server, 2.2.3 2. Follow the deployingradius docs linked above on a test server 3. When you understand how it has all fit together, migrate the config to your production system, with your existing TLS CA/certs
As with all systems tasks, if you're new to it then make small changes, check your results into version control after each success, follow the docs.
If you've got specific questions, people can give more specific answers.
Will take a look.
Ben wrote:
My aim is Freeradius authenticating against OpenLDAP for the MSCHAP bit (there are various examples out there showing how do do this such as http://vuksan.com/linux/dot1x/802-1x-LDAP.html) ,
That's almost 10 years old. I don't see anything glaringly wrong in it, but it seems more complicated than necessary.
but uncommenting the LDAP elements in /server/default just seems to kill off the working eap-tls config.
Well.. they shouldn't. And what's with not posting the debug log? Do you want to fix the problem or not?
Currently on version 2.1.12.
I really suggest upgrading to 2.2.3. Alan DeKok.
Well.. they shouldn't. And what's with not posting the debug log? Do you want to fix the problem or not?
This is what it looks like with ldap uncommented, i.e. EAP-TLS "broken" ..... in comparison, lower down you can see with LDAP commented again, it just gets on with the job of processing EAP-TLS. *** LDAP UNCOMMENTED***** rad_recv: Access-Request packet from host 172.16.100.254 port 32771, id=251, length=188 User-Name = "xyz_laptop_wifi" NAS-IP-Address = 172.16.100.254 NAS-Identifier = "hello" NAS-Port = 0 Called-Station-Id = "84-1B-FF-FF-FF-FF:XXXXXXXXXXXXX" Calling-Station-Id = "60-03-FF-FF-FF-FF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0xXXXXXXXXX Message-Authenticator = 0xXXXXXXXXX # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "xyz_laptop_wifi", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 19 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for xyz_laptop_wifi [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> xyz_laptop_wifi [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=xyz_laptop_wifi) [ldap] expand: ou=dot1x,dc=mydomain,dc=eu -> ou=dot1x,dc=mydomain,dc=eu [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to localhost:389, authentication 0 [ldap] bind as cn=admin,dc=mydomain,dc=eu/XXXXXXXXXXXXXX to localhost:389 [ldap] waiting for bind result ... [ldap] LDAP login failed: check identity, password settings in ldap section of radiusd.conf [ldap] (re)connection attempt failed [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns fail Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> xyz_laptop_wifi attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 172.16.100.254 port 32771, id=251, length=188 Waiting to send Access-Reject to client wifi2 port 32771 - ID: 251 Sending delayed reject for request 0 Sending Access-Reject of id 251 to 172.16.100.254 port 32771 Waking up in 4.9 seconds. Cleaning up request 0 ID 251 with timestamp +7 Ready to process requests. ***** LDAP COMMENTED**** rad_recv: Access-Request packet from host 172.16.100.254 port 32771, id=252, length=188 User-Name = "xyzlaptop_wifi" NAS-IP-Address = 172.16.100.254 NAS-Identifier = "hello" NAS-Port = 0 Called-Station-Id = "84-1B-FF-FF-FF-FF:XXXXXXXX" Calling-Station-Id = "60-03-FF-FF-FF-FF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0xXXXX Message-Authenticator = 0xXXXX # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "xyzlaptop_wifi", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 19 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 252 to 172.16.100.254 port 32771 EAP-Message = 0x010100060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7940879679418a6863a4c65145317568 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.100.254 port 32771, id=253, length=339 User-Name = "xyzlaptop_wifi" NAS-IP-Address = 172.16.100.254 NAS-Identifier = "hello" NAS-Port = 0 Called-Station-Id = "84-1B-FF-FF-FF-FF:XXXXXXXX" Calling-Station-Id = "60-03-FF-FF-FF-FF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0xXXXXXX State = 0x7940879679418a6863a4c65145317568 Message-Authenticator = 0x827b75775f481e9f2b14b64f56443006 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "xyzlaptop_wifi", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 152 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 142 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 0089], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 0039], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 0d03], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [tls] TLS_accept: SSLv3 write key exchange A [tls] >>> TLS 1.0 Handshake [length 00ec], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 253 to 172.16.100.254 port 32771 etc. etc. etc.
On Fri, Feb 28, 2014 at 09:31:01PM +0000, Ben wrote:
This is what it looks like with ldap uncommented, i.e. EAP-TLS "broken" ..... in comparison, lower down you can see with LDAP commented again, it just gets on with the job of processing EAP-TLS.
Do LDAP in the inner tunnel, not in the outer (e.g. in sites-enabled/inner-tunnel, not sites-enabled/default). Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (4)
-
Alan DeKok -
Ben -
Matthew Newton -
Phil Mayers