802.1x, WinXP and LDAP
Gary Algier
gaa at ulticom.com
Wed Jan 4 15:44:42 CET 2006
Hello:
I am trying to get an HP Procurve 2650 Ethernet switch to use Freeradius
1.0.5 for 802.1x auth. The backend is Sun's directory server with all
the necessary SambaNTPassword attributes, etc. to make Samba work.
The client is a WinXP system. I am using the builtin
supplicant. I can get it to work with the "Automatically use my
Windows login..." box _unchecked_, but not with it checked. I would
like to use the checked mode as then the user does not need to
"click here to select a certificate or credentials for
connection to the network".
When the box is not checked, I get to type any value I want for the
user ID and password. I can then get authenticated and the switch
connects me to the proper VLAN.
When the box is checked, I cannot get authenticated and the switch
puts me on the "guest" VLAN. I should be able to authenticate,
but the ID comes across as something like "MALACHITE\gaa". The
first part is the netbios hostname and the second is the real ID.
I have setup the hints, users and radiusd.conf files with:
----------------------------------------------------------------------------------------------
hints:
...
DEFAULT NAS-IP-Address == 172.25.16.9, User-Name =~ "^(.*)\\\\(.*)"
Hint = "8021XUSER",
Stripped-User-Name = `${2}`
...
users:
...
DEFAULT Hint == "8021XUSER"
Fall-Through = 1
...
radiusd.conf:
...
ldap {
server = "ldap.ulticom.com"
basedn = "dc=ulticom,dc=com"
filter = "(&(objectclass=person)(uid=%{Stripped-User-Name:-%{User-Name}}))"
do_xlat = yes
base_filter = "(objectclass=*)"
start_tls = no
access_attr = "uid"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
}
...
----------------------------------------------------------------------------------------------
The problem seems to be that the hostname is not always stripped. If I compare the
output of "radiusd -X" between the two scenarios I see that the "unchecked" configuration
does a lot of ldap lookups like:
----------------------------------------------------------------------------------------------
rad_recv: Access-Request packet from host 172.25.16.9:1025, id=208, length=193
Framed-MTU = 1480
NAS-IP-Address = 172.25.16.9
NAS-Identifier = "hp-50-9"
User-Name = "gaa"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = "1"
Called-Station-Id = "00-11-85-40-71-ff"
Calling-Station-Id = "00-14-22-dc-9b-16"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "50"
EAP-Message = 0x0201000801676161
Message-Authenticator = 0x29393306cb95a1c78586d546cf5eb462
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for gaa
radius_xlat: '(&(objectclass=person)(uid=gaa))'
radius_xlat: 'dc=ulticom,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.ulticom.com:389, authentication 0
rlm_ldap: bind as / to ldap.ulticom.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=ulticom,dc=com, with filter (&(objectclass=person)(uid=gaa))
rlm_ldap: checking if remote access for gaa is allowed by uid
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding sambaAcctFlags as SMB-Account-CTRL-TEXT, value [U & op=21
rlm_ldap: Adding sambaNTPassword as NT-Password, value ABABABABABABABABABABABABABABABAB & op=21
rlm_ldap: Adding sambaLMPassword as LM-Password, value CDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCD & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user gaa authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
rlm_eap: EAP packet type response id 1 length 8
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry DEFAULT at line 153
users: Matched entry DEFAULT at line 176
users: Matched entry DEFAULT at line 188
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
----------------------------------------------------------------------------------------------
Eventually somebody is happy with this sequence and I am "in". With the "checked"
configuration all the early lookups work, but the last lookup fails:
----------------------------------------------------------------------------------------------
rad_recv: Access-Request packet from host 172.25.16.9:1025, id=222, length=254
Framed-MTU = 1480
NAS-IP-Address = 172.25.16.9
NAS-Identifier = "hp-50-9"
User-Name = "MALACHITE\\gaa"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = "1"
Called-Station-Id = "00-11-85-40-71-ff"
Calling-Station-Id = "00-14-22-dc-9b-16"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "50"
State = 0xe5aab6b483e09694dcbd98eb81ac64bf
EAP-Message = 0x020600291900170301001ef47b2a4c59a72fa63123f178383e6518a535662859ed121d2819831f649f
Message-Authenticator = 0x9b8b7d5de51ffffde87cfabe52688fbc
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
hints: Matched DEFAULT at 36
radius_xlat: 'gaa'
modcall[authorize]: module "preprocess" returns ok for request 5
modcall[authorize]: module "chap" returns noop for request 5
modcall[authorize]: module "mschap" returns noop for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for MALACHITE\gaa
radius_xlat: '(&(objectclass=person)(uid=gaa))'
radius_xlat: 'dc=ulticom,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ulticom,dc=com, with filter (&(objectclass=person)(uid=gaa))
rlm_ldap: checking if remote access for MALACHITE\gaa is allowed by uid
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding sambaAcctFlags as SMB-Account-CTRL-TEXT, value [U & op=21
rlm_ldap: Adding sambaNTPassword as NT-Password, value EFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEF & op=21
rlm_ldap: Adding sambaLMPassword as LM-Password, value ABABABABABABABABABABABABABABABAB & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user MALACHITE\gaa authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 5
rlm_eap: EAP packet type response id 6 length 41
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
users: Matched entry DEFAULT at line 153
users: Matched entry DEFAULT at line 157
users: Matched entry DEFAULT at line 176
users: Matched entry DEFAULT at line 188
modcall[authorize]: module "files" returns ok for request 5
modcall: group authorize returns updated for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Identity - MALACHITE\gaa
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message = 0x02060012014d414c4143484954455c676161
PEAP: Got tunneled identity of MALACHITE\gaa
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to MALACHITE\gaa
PEAP: Sending tunneled request
EAP-Message = 0x02060012014d414c4143484954455c676161
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "MALACHITE\\gaa"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
modcall[authorize]: module "chap" returns noop for request 5
modcall[authorize]: module "mschap" returns noop for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for MALACHITE\gaa
radius_xlat: '(&(objectclass=person)(uid=MALACHITE))'
radius_xlat: 'dc=ulticom,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ulticom,dc=com, with filter (&(objectclass=person)(uid=MALACHITE))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns notfound for request 5
modcall: group authorize returns notfound for request 5
----------------------------------------------------------------------------------------------
So, why don't my regular expressions apply during the group authorize?
How can I fix the group authorize? Perhaps I don't need it. Some day
I may use it for controlling VLAN assignment, but for now I would be
happy to just differentiate between "auth" and "not auth".
--
Gary Algier, WB2FWZ gaa at ulticom.com +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054 Fax:+1 856 866 2033
Nielsen's First Law of Computer Manuals:
People don't read documentation voluntarily.
More information about the Freeradius-Users
mailing list