Hello all, I've just able to implemented Wired 802.1x system with PEAP/mschapv2 authentication against opendirectory which is running on MacOSX server 10.6.8 Leopard. At the end I have a "working" setup, but I like to learn more to fix my faults. below you can find my study steps and config changes And these are my question regarding to the following outputs. Q1- Is it possible to get radius attributes with opendirectory module ( not well documented)? if yes, please share your experience. Q2- I am not sure what is happining during below mschap challenge/response. [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] No NT-Password configured. Trying OpenDirectory Authentication. [mschap] OD username_string = onex, OD shortUserName=onex (length = 4) [mschap] dsDoDirNodeAuth returns stepbuff: S=D134BC291881FAF31275724FE84FEA40648F64C6 (len=40) ++[mschap] returns ok MSCHAP Success 1. Testbed: Auth Server : FreeRadius 2.1.3 running on MacOSX 10.6.8 Leopard, other services: opendirectory (openLDAP), Kerberos, DNS, DHCP Authenticator : HP Networking 2910 switchSupplicants : WindowsXPsp3, Windows7, MacOSX (PEAP/mschapv2)Directory Admin : diradmin Test User : onex authentication : opendirectory (mschap module is calling opendirectory module for challenge response) authorization : by ldap search in post-auth section inside of inner-tunnel server. authorization : settings are Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id (by ldap search) sql client db : Mac OSX serveradmin GUI have an access to configure radius clients (max count is 64), I am not using clients.conf as I understood Mac OSX server actually using openLDAP, but Apple named it as "opendirectory" by restricting and changing of access medhods. There was no radius schema file in Apple's distribution of FreeRadius, or at least I could not find it where it normally would be. So, downloaded the schema file and extended it manually. 2. LDAP schema extention and creating radius attributes for 802.1x /etc/openldap/slapd.conf include /etc/openldap/schema/radius.schema slaptest -f slapd.conf -F slapd.d /etc/openldap/slapd.d/cn=config/cn=schema/cn={10}radius.ldif dn: cn={10}radius restart host or restart slapd dscl cd LDAPv3 auth diradmin abc123 cd 127.0.0.1/Groups/vlan10 create . radiusTunnelPrivateGroupId 10 cd .. cd vlan20 create . radiusTunnelPrivateGroupId 20 ... I will set Tunnel-Type and Tunnel-Medium-Type statically in post-auth section, radiusTunnelPrivateGroupId attribute is sufficiant in LDAP. 3. Radius config Non-default or changed parameters are written here. LDAP module will not be used for authentication, will be used only to set radiusTunnelPrivateGroupId Authentication would be done through opendirectory module by mschap call. MacOSX issue : without Apple base stations Radius service could not be started from serveradmin GUI need to be fixed by deleting some lines regarding BaseStation check in the following file. /Applications/Server/Server\ Admin.app/Contents/Resources/RoleBasedSetup.bundle/Contents/PlugIns/RadiusPlugin.plugin/Contents/Resources/RadiusSteps.plist /private/etc/raddb/modules/ldap ldap { server = "radsrv.lab.com" identity = "uid=diradmin,cn=users,dc=radsrv,dc=lab,dc=com" password = abc123 basedn = "dc=radsrv,dc=lab,dc=com" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" // In my test only User-Name is used base_filter = "(objectclass=radiusprofile)" set_auth_type = no // As I know LDAP only working with pap authentication } /private/etc/raddb/attrs DEFAULT Tunnel-Type == VLAN, Tunnel-Medium-Type == IEEE-802, Tunnel-Private-Group-Id =* ANY, /Private/etc/raddb/ldap.attrmap checkItem User-Name uid // I am not able to check ntlm or other hashes, only uid check for "return noop" replyItem Tunnel-Type radiusTunnelType replyItem Tunnel-Medium-Type radiusTunnelMediumType replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId /private/etc/raddb/radiusd.conf max_request = 16384 proxy_requests = no #$INCLUDE clients.conf // MAX Client count is 64 in sql db ( if I run out of space, will use clients.conf in addition) /private/etc/raddb/proxy.conf realm LAB.COM { // doing nothing, but like to use it } /private/etc/raddb/eap.conf default_eap_type = peap #gtc #leap #md5 tls { private_key_password = Apple:UseCertAdmin private_key_file = "/etc/certificates/radsrv.lab.com.23C900DA0044BDB9E24ACE1BCFAFFB0747756C25.key.pem" certificate_file = "/etc/certificates/radsrv.lab.com.23C900DA0044BDB9E24ACE1BCFAFFB0747756C25.cert.pem" CA_file = "/etc/certificates/radsrv.lab.com.23C900DA0044BDB9E24ACE1BCFAFFB0747756C25.chain.pem" dh_file = /etc/raddb/certs/dh random_file = /etc/raddb/certs/random } peap { use_tunneled_reply = yes } /private/etc/raddb/sites-enabled/default authorize { #chap #unix #files #pap } authenticate { # Auth-Type PAP { # pap # } # Auth-Type CHAP { # chap # } # Auth-Type opendirectory { # opendirectory # } #unix # Auth-Type LDAP { # ldap # } ... } /private/etc/raddb/sites-enabled/inner-tunnel authorize { #chap #mschap #unix #files #LDAP is checking uid only, enabled for post-auth section ldap #pap } authenticate { # Auth-Type PAP { # pap # } # Auth-Type CHAP { # chap # } } #unix #suffix # in ldap search radiusTunnelPrivateGroupId attribute is reached if cn=vl* AND memberUid=%{User-Name} # all group names need to start with "vl" # attribute value "10" returns in this case post-auth { update reply { Tunnel-Type = VLAN Tunnel-Medium-Type = IEEE-802 Tunnel-Private-Group-Id = "%{ldap:ldap:///dc=radsrv,dc=lab,dc=com?radiusTunnelPrivateGroupId?sub?(&(cn=vl*)(memberUid=%{User-Name}))}" } } 4. Switch Config, HP Networking 2910 switch is used in this testbed interface 1 name Supplicant interface 3 name RadiusServervlan 10 name CorporateVLAN ip add 10.10.10.1/24 ip helper 10.10.100.100 exit vlan 40 name UnauthVLAN ip add 10.10.40.1/24 ip helper 10.10.100.100 exit vlan 100 ip add 10.10.100.1/24 untag 3exit radius-server host 10.10.100.100 key 123 aaa authentication port-access eap-radius aaa accounting network start-stop radius aaa port-access authenticator 1 aaa port-access authenticator 1 unauth-vid 40 aaa port-access authenticator 1 client-limit 2 aaa port-access authenticator 1 control auto aaa port-access authenticator active
Kemal YILDIRIM wrote:
Hello all, I've just able to implemented Wired 802.1x system with PEAP/mschapv2 authentication against opendirectory which is running on MacOSX server 10.6.8 Leopard. At the end I have a "working" setup, but I like to learn more to fix my faults.
What is going wrong? You've posted a long message showing authentication succeeded, but no errors. Alan DeKok.
participants (2)
-
Alan DeKok -
Kemal YILDIRIM