We have Access Points that contain multiple SSIDs. Some are for internal use and some are for guest access. All are secured using WPA w/PEAP. I would like FreeRadius to present a cert. from our internal CA for the SSIDs that are internal and present a cert. from one of the CA's that Windows trusts by default for guest access. I haven't found a way to control this on the AP (i.e., to select a different RADIUS server address or port based upon SSID). Is it possible to accomplish this in FreeRadius given that I can determine the SSID by looking at a request attribute?
Yes.
Some ideas I have are:
- Have two instances of the EAP module (one for internal SSIDs and one for guest) and select which one to use with some unlang code (based upon the value of 1 request attribute)
That should work.
- Create a virtual server for guest access that uses an EAP module with the cert. from the well-known CA
That is insecure. Your clients will trust *any* server certificate signed by that public CA. Ivan Kalik Kalik Informatika ISP
Thanks for taking the time to reply Ivan - I appreciate your help.
- Create a virtual server for guest access that uses an EAP module with the cert. from the well-known CA
That is insecure. Your clients will trust *any* server certificate signed by that public CA.
Don't both solutions have the same risk (my first idea was to use a 2nd eap instance with the public CA)? I understand the risk; but, in this case, it's a tradeoff between presenting a cert signed by a public CA (makes it easier for these outside users to configure our wireless), have all guest users not validate the server cert (even worse) or distribute our internal CA's cert to every guest user (not logistically practical). Thanks again Ivan.
- Have two instances of the EAP module (one for internal SSIDs and one for guest) and select which one to use with some unlang code (based upon the value of 1 request attribute)
That should work.
I'm having trouble getting this to work. I added the following to my authorize section: # Extract SSID into SSID-Name attribute if (Cisco-AVPair =~ /ssid=(.*)/) { update request { SSID-Name = "%{1}" } } # Select appropriate EAP instance if (SSID-Name) { if (SSID-Name == "XX-Barcode") { eap-internal } elsif (SSID-Name == "EE-Barcode") { eap-internal } else { eap-comodo } } else { eap-comodo } I have two instances in modules/eap that are identical except for the certificate_file and key_file. When I try to connect, I see the following in the debug output (I can provide more if needed, but I think this will Illustrate what's happening). I then tried using the same certificate & key file and still received the same error: Fri Jul 24 12:25:27 2009 : Info: ++? if (SSID-Name) Fri Jul 24 12:25:27 2009 : Info: ? Evaluating (SSID-Name) -> FALSE Fri Jul 24 12:25:27 2009 : Info: ++? if (SSID-Name) -> FALSE Fri Jul 24 12:25:27 2009 : Info: ++- entering else else {...} Fri Jul 24 12:25:27 2009 : Info: [eap-comodo] EAP packet type response id 2 length 18 Fri Jul 24 12:25:27 2009 : Info: [eap-comodo] No EAP Start, assuming it's an on-going EAP conversation Fri Jul 24 12:25:27 2009 : Info: +++[eap-comodo] returns fail Fri Jul 24 12:25:27 2009 : Info: ++- else else returns fail Fri Jul 24 12:25:27 2009 : Auth: Invalid user: [BGAS\\xxxxxxxx] (from client abcd1-ab-wc01 port 1 cli 00-16-6F-16-F5-64) Fri Jul 24 12:25:27 2009 : Info: Using Post-Auth-Type Reject Fri Jul 24 12:25:27 2009 : Info: +- entering group REJECT {...} So, what causes the eap module to return "fail". There are no other messages indicating why it is failing (that I see). Here's output at startup showing that both were instantiated: Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating eap-internal Fri Jul 24 12:25:18 2009 : Debug: eap eap-internal { Fri Jul 24 12:25:18 2009 : Debug: default_eap_type = "peap" Fri Jul 24 12:25:18 2009 : Debug: timer_expire = 60 Fri Jul 24 12:25:18 2009 : Debug: ignore_unknown_eap_types = no Fri Jul 24 12:25:18 2009 : Debug: cisco_accounting_username_bug = no Fri Jul 24 12:25:18 2009 : Debug: max_sessions = 2048 Fri Jul 24 12:25:18 2009 : Debug: } Fri Jul 24 12:25:18 2009 : Debug: Module: Linked to sub-module rlm_eap_leap Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating eap-leap Fri Jul 24 12:25:18 2009 : Debug: Module: Linked to sub-module rlm_eap_tls Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating eap-tls Fri Jul 24 12:25:18 2009 : Debug: tls { Fri Jul 24 12:25:18 2009 : Debug: rsa_key_exchange = no Fri Jul 24 12:25:18 2009 : Debug: dh_key_exchange = yes Fri Jul 24 12:25:18 2009 : Debug: rsa_key_length = 512 Fri Jul 24 12:25:18 2009 : Debug: dh_key_length = 512 Fri Jul 24 12:25:18 2009 : Debug: verify_depth = 0 Fri Jul 24 12:25:18 2009 : Debug: pem_file_type = yes Fri Jul 24 12:25:18 2009 : Debug: private_key_file = "/usr/local/etc/raddb/certs/ra01-roch1-tst-internal.pem" Fri Jul 24 12:25:18 2009 : Debug: certificate_file = "/usr/local/etc/raddb/certs/ra01-roch1-tst-internal.pem" Fri Jul 24 12:25:18 2009 : Debug: private_key_password = "xxxxxxxx" Fri Jul 24 12:25:18 2009 : Debug: dh_file = "/usr/local/etc/raddb/certs/dh" Fri Jul 24 12:25:18 2009 : Debug: random_file = "/usr/local/etc/raddb/certs/random" Fri Jul 24 12:25:18 2009 : Debug: fragment_size = 1024 Fri Jul 24 12:25:18 2009 : Debug: include_length = yes Fri Jul 24 12:25:18 2009 : Debug: check_crl = no Fri Jul 24 12:25:18 2009 : Debug: cipher_list = "DEFAULT" Fri Jul 24 12:25:18 2009 : Debug: } Fri Jul 24 12:25:18 2009 : Debug: Module: Linked to sub-module rlm_eap_peap Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating eap-peap Fri Jul 24 12:25:18 2009 : Debug: peap { Fri Jul 24 12:25:18 2009 : Debug: default_eap_type = "mschapv2" Fri Jul 24 12:25:18 2009 : Debug: copy_request_to_tunnel = yes Fri Jul 24 12:25:18 2009 : Debug: use_tunneled_reply = no Fri Jul 24 12:25:18 2009 : Debug: proxy_tunneled_request_as_eap = yes Fri Jul 24 12:25:18 2009 : Debug: virtual_server = "inner-tunnel" Fri Jul 24 12:25:18 2009 : Debug: } Fri Jul 24 12:25:18 2009 : Debug: Module: Linked to sub-module rlm_eap_mschapv2 Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating eap-mschapv2 Fri Jul 24 12:25:18 2009 : Debug: mschapv2 { Fri Jul 24 12:25:18 2009 : Debug: with_ntdomain_hack = no Fri Jul 24 12:25:18 2009 : Debug: } Fri Jul 24 12:25:18 2009 : Debug: Module: Checking authorize {...} for more modules to load Fri Jul 24 12:25:18 2009 : Debug: (Loaded rlm_preprocess, checking if it's valid) Fri Jul 24 12:25:18 2009 : Debug: Module: Linked to module rlm_preprocess Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating preprocess Fri Jul 24 12:25:18 2009 : Debug: preprocess { Fri Jul 24 12:25:18 2009 : Debug: huntgroups = "/usr/local/etc/raddb/huntgroups" Fri Jul 24 12:25:18 2009 : Debug: hints = "/usr/local/etc/raddb/hints" Fri Jul 24 12:25:18 2009 : Debug: with_ascend_hack = no Fri Jul 24 12:25:18 2009 : Debug: ascend_channels_per_line = 23 Fri Jul 24 12:25:18 2009 : Debug: with_ntdomain_hack = no Fri Jul 24 12:25:18 2009 : Debug: with_specialix_jetstream_hack = no Fri Jul 24 12:25:18 2009 : Debug: with_cisco_vsa_hack = yes Fri Jul 24 12:25:18 2009 : Debug: with_alvarion_vsa_hack = no Fri Jul 24 12:25:18 2009 : Debug: } Fri Jul 24 12:25:18 2009 : Debug: (Loaded rlm_realm, checking if it's valid) Fri Jul 24 12:25:18 2009 : Debug: Module: Linked to module rlm_realm Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating ntdomain Fri Jul 24 12:25:18 2009 : Debug: realm ntdomain { Fri Jul 24 12:25:18 2009 : Debug: format = "prefix" Fri Jul 24 12:25:18 2009 : Debug: delimiter = "\" Fri Jul 24 12:25:18 2009 : Debug: ignore_default = no Fri Jul 24 12:25:18 2009 : Debug: ignore_null = no Fri Jul 24 12:25:18 2009 : Debug: } Fri Jul 24 12:25:18 2009 : Debug: (Loaded rlm_attr_rewrite, checking if it's valid) Fri Jul 24 12:25:18 2009 : Debug: Module: Linked to module rlm_attr_rewrite Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating machine_UserName Fri Jul 24 12:25:18 2009 : Debug: attr_rewrite machine_UserName { Fri Jul 24 12:25:18 2009 : Debug: attribute = "User-Name" Fri Jul 24 12:25:18 2009 : Debug: searchfor = "^host/(.*).energyeast.net" Fri Jul 24 12:25:18 2009 : Debug: searchin = "packet" Fri Jul 24 12:25:18 2009 : Debug: replacewith = "%{1}$" Fri Jul 24 12:25:18 2009 : Debug: append = no Fri Jul 24 12:25:18 2009 : Debug: ignore_case = yes Fri Jul 24 12:25:18 2009 : Debug: new_attribute = no Fri Jul 24 12:25:18 2009 : Debug: max_matches = 1 Fri Jul 24 12:25:18 2009 : Debug: } Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating eap-comodo Fri Jul 24 12:25:18 2009 : Debug: eap eap-comodo { Fri Jul 24 12:25:18 2009 : Debug: default_eap_type = "peap" Fri Jul 24 12:25:18 2009 : Debug: timer_expire = 60 Fri Jul 24 12:25:18 2009 : Debug: ignore_unknown_eap_types = no Fri Jul 24 12:25:18 2009 : Debug: cisco_accounting_username_bug = no Fri Jul 24 12:25:18 2009 : Debug: max_sessions = 2048 Fri Jul 24 12:25:18 2009 : Debug: } Fri Jul 24 12:25:18 2009 : Debug: Module: Linked to sub-module rlm_eap_leap Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating eap-leap Fri Jul 24 12:25:18 2009 : Debug: Module: Linked to sub-module rlm_eap_tls Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating eap-tls Fri Jul 24 12:25:18 2009 : Debug: tls { Fri Jul 24 12:25:18 2009 : Debug: rsa_key_exchange = no Fri Jul 24 12:25:18 2009 : Debug: dh_key_exchange = yes Fri Jul 24 12:25:18 2009 : Debug: rsa_key_length = 512 Fri Jul 24 12:25:18 2009 : Debug: dh_key_length = 512 Fri Jul 24 12:25:18 2009 : Debug: verify_depth = 0 Fri Jul 24 12:25:18 2009 : Debug: pem_file_type = yes Fri Jul 24 12:25:18 2009 : Debug: private_key_file = "/usr/local/etc/raddb/certs/ra01-roch1-tst-internal.pem" Fri Jul 24 12:25:18 2009 : Debug: certificate_file = "/usr/local/etc/raddb/certs/ra01-roch1-tst-internal.pem" Fri Jul 24 12:25:18 2009 : Debug: private_key_password = "xxxxxxxx" Fri Jul 24 12:25:18 2009 : Debug: dh_file = "/usr/local/etc/raddb/certs/dh" Fri Jul 24 12:25:18 2009 : Debug: random_file = "/usr/local/etc/raddb/certs/random" Fri Jul 24 12:25:18 2009 : Debug: fragment_size = 1024 Fri Jul 24 12:25:18 2009 : Debug: include_length = yes Fri Jul 24 12:25:18 2009 : Debug: check_crl = no Fri Jul 24 12:25:18 2009 : Debug: cipher_list = "DEFAULT" Fri Jul 24 12:25:18 2009 : Debug: } Fri Jul 24 12:25:18 2009 : Debug: Module: Linked to sub-module rlm_eap_peap Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating eap-peap Fri Jul 24 12:25:18 2009 : Debug: peap { Fri Jul 24 12:25:18 2009 : Debug: default_eap_type = "mschapv2" Fri Jul 24 12:25:18 2009 : Debug: copy_request_to_tunnel = yes Fri Jul 24 12:25:18 2009 : Debug: use_tunneled_reply = no Fri Jul 24 12:25:18 2009 : Debug: proxy_tunneled_request_as_eap = yes Fri Jul 24 12:25:18 2009 : Debug: virtual_server = "inner-tunnel" Fri Jul 24 12:25:18 2009 : Debug: } Fri Jul 24 12:25:18 2009 : Debug: Module: Linked to sub-module rlm_eap_mschapv2 Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating eap-mschapv2 Fri Jul 24 12:25:18 2009 : Debug: mschapv2 { Fri Jul 24 12:25:18 2009 : Debug: with_ntdomain_hack = no Fri Jul 24 12:25:18 2009 : Debug: } Fri Jul 24 12:25:18 2009 : Debug: Module: Checking post-proxy {...} for more modules to load Fri Jul 24 12:25:18 2009 : Debug: Module: Checking post-auth {...} for more modules to load Fri Jul 24 12:25:18 2009 : Debug: (Loaded rlm_attr_filter, checking if it's valid) Fri Jul 24 12:25:18 2009 : Debug: Module: Linked to module rlm_attr_filter Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating attr_filter.access_reject Fri Jul 24 12:25:18 2009 : Debug: attr_filter attr_filter.access_reject { Fri Jul 24 12:25:18 2009 : Debug: attrsfile = "/usr/local/etc/raddb/attrs.access_reject" Fri Jul 24 12:25:18 2009 : Debug: key = "%{User-Name}" Fri Jul 24 12:25:18 2009 : Debug: }
Fri Jul 24 12:25:27 2009 : Info: [eap-comodo] EAP packet type response id 2 length 18 Fri Jul 24 12:25:27 2009 : Info: [eap-comodo] No EAP Start, assuming it's an on-going EAP conversation Fri Jul 24 12:25:27 2009 : Info: +++[eap-comodo] returns fail
This issue occurs during Authorize. I looked in the source of rlm_eap.c & eap.c. Since the "No EAP Start" message appears in the debug output, I know eap_start is returning EAP_NOTFOUND (it's the next stmt after this Message). Given this, the only possible cause for a RLM_MODULE_FAIL after calling eap_start is a failure of pairmake for "Auth-Type" (rlm_eap.c line 492). Next, I added an RDEBUG in rlm_eap.c to tell me why the pairmake is Failing and I now see: Fri Jul 24 16:10:59 2009 : Info: [eap-comodo] Failed to create attribute Auth-Type: Unknown value eap-comodo for attribute Auth-Type Looking in lib/pairmake.c, it appears this occurs if it can't find the value in the dictionary for the specified attribute. I'll keep digging, but does anyone have any idea why this instance wouldn't have been added to the dictionary, at initialization, when it was processing the eap file (I didn't see any errors in the debug output when it was instantiating them)? Is it because the submodules already existed? That is, do I need an alias for all of the eap sub-modules too (e.g., tls, peap, etc.)? Thanks in advance for any insight you can provide..
Garber, Neal wrote:
Next, I added an RDEBUG in rlm_eap.c to tell me why the pairmake is Failing and I now see:
Fri Jul 24 16:10:59 2009 : Info: [eap-comodo] Failed to create attribute Auth-Type: Unknown value eap-comodo for attribute Auth-Type
Looking in lib/pairmake.c, it appears this occurs if it can't find the value in the dictionary for the specified attribute.
It's automatically added for modules listed in the "authenticate" section. The default configuration has "eap" listed in authorize *and* authenticate. If you change the name to "eapfoo", you will need to list "eapfoo" in *both* authorize and authenticate. Alan DeKok.
It's automatically added for modules listed in the "authenticate" section.
That's what I thought was going on when I looked in modules.c. Thanks for the confirmation Alan. Also, I submitted a bug report to add debug output if pairmake fails while creating Auth-Type in rlm_eap.c. Having that message in the debug output explaining why rlm_eap failed would be useful.
participants (3)
-
Alan DeKok -
Garber, Neal -
Ivan Kalik