How to implement two possible passwords? (one for PEAP and other for TTLS)

Sergio Belkin sebelk at gmail.com
Wed Apr 30 14:33:40 CEST 2008


Hi,

I've added an new attribute called "radiusPassword" this a clear-text
password exclusively for radius usage. I want that:

1) All Linux, MAC OS X, and all Windows users that want to and can
install (or already have installed and configured) securew2 use their
usual encrypted userPassword. (EAP-TTLS)
2) All users that don't want to install securew2 (Windows users) and
want to use PEAP instead TTLS use the radiusPassword as their password
for access to wireless network.

How can I do that? These are my current config files:

----------
radiusd.conf
----------------

prefix = /usr/local-2.0.2
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
db_dir = $(raddbdir)
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
        type = auth
        ipaddr = 190.69.213.5
        port = 0
}
listen {
        ipaddr = 190.69.213.5
        port = 0
        type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions     = yes
extended_expressions    = yes
log {
        destination = files
        file = ${logdir}/radius.log
        syslog_facility = daemon
        stripped_names = yes
        auth = yes
        auth_badpass = no
        auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
        max_attributes = 190
        reject_delay = 1
        status_server = yes
}
proxy_requests  = no
$INCLUDE proxy.conf
$INCLUDE clients.conf
snmp    = no
$INCLUDE snmp.conf
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}
modules {
        pap {
                auto_header = yes
        }
        chap {
                authtype = CHAP
        }
        pam {
                pam_auth = radiusd
        }
        unix {
                radwtmp = ${logdir}/radwtmp
        }
$INCLUDE eap.conf
        mschap {
        }
        ldap {
                server = "ldap.cadorna.edu
                identity = "cn=freeradius,ou=applications,dc=cadorna,dc=edu"
                port = 636
                password = doyouwantocrakforgetitdude
                basedn = "ou=people,dc=cadorna,dc=edu"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                ldap_connections_number = 5
                timeout = 4
                timelimit = 3
                net_timeout = 1
                tls {
                        start_tls = no
                        cacertfile      = /etc/raddb-2.0.2/cacert.pem
                        randfile                = /dev/urandom
                        require_cert    = "allow"
                }
                access_attr = "radiusAllowed"
                dictionary_mapping = ${confdir}/ldap.attrmap
                edir_account_policy_check = no
        }
        realm IPASS {
                format = prefix
                delimiter = "/"
        }
        realm suffix {
                format = suffix
                delimiter = "@"
        }
        realm realmpercent {
                format = suffix
                delimiter = "%"
        }
        realm ntdomain {
                format = prefix
                delimiter = "\\"
        }
        checkval {
                item-name = Calling-Station-Id
                check-name = Calling-Station-Id
                data-type = string
        }

        preprocess {
                huntgroups = ${confdir}/huntgroups
                hints = ${confdir}/hints
                with_ascend_hack = no
                ascend_channels_per_line = 23
                with_ntdomain_hack = no
                with_specialix_jetstream_hack = no
                with_cisco_vsa_hack = no
        }
        files {
                usersfile = ${confdir}/users
                acctusersfile = ${confdir}/acct_users
                preproxy_usersfile = ${confdir}/preproxy_users
                compat = no
        }
        detail {
                detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
                detailperm = 0600
                header = "%t"
                suppress {
                         User-Password
                }
        }
         detail auth_log {
                 detailfile =
${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
                suppress {
                         User-Password
                }
         }
        acct_unique {
                key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
        }
        $INCLUDE sql.conf

        radutmp {
                filename = ${logdir}/radutmp
                username = %{User-Name}
                case_sensitive = yes
                check_with_nas = yes
                perm = 0600
                callerid = "yes"
        }
        radutmp sradutmp {
                filename = ${logdir}/sradutmp
                perm = 0644
                callerid = "no"
        }
        attr_filter attr_filter.post-proxy {
                attrsfile = ${confdir}/attrs
        }
        attr_filter attr_filter.pre-proxy {
                attrsfile = ${confdir}/attrs.pre-proxy
        }
        attr_filter attr_filter.access_reject {
                key = %{User-Name}
                attrsfile = ${confdir}/attrs.access_reject
        }
        attr_filter attr_filter.accounting_response {
                key = %{User-Name}
                attrsfile = ${confdir}/attrs.accounting_response
        }
        counter daily {
                filename = ${db_dir}/db.daily
                key = User-Name
                count-attribute = Acct-Session-Time
                reset = daily
                counter-name = Daily-Session-Time
                check-name = Max-Daily-Session
                reply-name = Session-Timeout
                allowed-servicetype = Framed-User
                cache-size = 5000
        }
        $INCLUDE sql/mysql/counter.conf
        always fail {
                rcode = fail
        }
        always reject {
                rcode = reject
        }
        always noop {
                rcode = noop
        }
        always handled {
                rcode = handled
        }
        always updated {
                rcode = updated
        }
        always notfound {
                rcode = notfound
        }
        always ok {
                rcode = ok
                simulcount = 0
                mpp = no
        }
        expr {
        }
        digest {
        }
        expiration {
                reply-message = "Password Has Expired\r\n"
        }
        logintime {
                reply-message = "You are calling outside your allowed
timespan\r\n"
                minimum-timeout = 60
        }
        exec {
                wait = yes
                input_pairs = request
                shell_escape = yes
                output = none
        }
        exec echo {
                wait = yes
                program = "/bin/echo %{User-Name}"
                input_pairs = request
                output_pairs = reply
                shell_escape = yes
        }
        ippool main_pool {
                range-start = 192.168.1.1
                range-stop = 192.168.3.254
                netmask = 255.255.255.0
                cache-size = 800
                session-db = ${db_dir}/db.ippool
                ip-index = ${db_dir}/db.ipindex
                override = no
                maximum-timeout = 0
        }
        policy {
               filename = ${confdir}/policy.txt
        }
}
instantiate {
        exec
        expr
        expiration
        logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/

EOF

--------------
eap.conf
----------------
eap {
                default_eap_type = peap
                timer_expire     = 60
                ignore_unknown_eap_types = no
                cisco_accounting_username_bug = no
                md5 {
                }
                leap {
                }
                gtc {
                        auth_type = PAP
                }
                tls {
                        private_key_file =
/etc/pki/tls/certs/ips-spectrum-key.pem
                        certificate_file =
/etc/pki/tls/certs/ips-spectrum-crt.pem
                        CA_file = /etc/pki/tls/certs/ips-ca-bundle.crt
                        dh_file = ${raddbdir}/certs/dh
                        random_file = ${raddbdir}/certs/random
                        cipher_list = "DEFAULT"
                }
                ttls {
                        default_eap_type = md5
                        copy_request_to_tunnel = no
                        use_tunneled_reply = yes
                }
                peap {
                        default_eap_type = mschapv2
                        copy_request_to_tunnel = no
                        use_tunneled_reply = no
                }
                mschapv2 {
                }
        }
EOF

-------------------
ldap.attrmap
checkItem       $GENERIC$                       radiusCheckItem
replyItem       $GENERIC$                       radiusReplyItem
checkItem   Cleartext-Password       clrtxtPassword
checkItem       User-Password                   userPassword
replyItem   Tunnel-Type                            radiusTunnelType
replyItem   Tunnel-Medium-Type             radiusTunnelMediumType
replyItem   Tunnel-Private-Group-Id        radiusTunnelPrivateGroupId
checkItem       Auth-Type                       radiusAuthType
checkItem       Simultaneous-Use                radiusSimultaneousUse
checkItem       Called-Station-Id               radiusCalledStationId
checkItem       Calling-Station-Id              radiusCallingStationId
checkItem       LM-Password                     lmPassword
checkItem       NT-Password                     ntPassword
checkItem       LM-Password                     sambaLmPassword
checkItem       NT-Password                     sambaNtPassword
checkItem       SMB-Account-CTRL-TEXT           acctFlags
checkItem       Expiration                      radiusExpiration
checkItem       NAS-IP-Address                  radiusNASIpAddress
replyItem       Service-Type                    radiusServiceType
replyItem       Framed-Protocol                 radiusFramedProtocol
replyItem       Framed-IP-Address               radiusFramedIPAddress
replyItem       Framed-IP-Netmask               radiusFramedIPNetmask
replyItem       Framed-Route                    radiusFramedRoute
replyItem       Framed-Routing                  radiusFramedRouting
replyItem       Filter-Id                       radiusFilterId
replyItem       Framed-MTU                      radiusFramedMTU
replyItem       Framed-Compression              radiusFramedCompression
replyItem       Login-IP-Host                   radiusLoginIPHost
replyItem       Login-Service                   radiusLoginService
replyItem       Login-TCP-Port                  radiusLoginTCPPort
replyItem       Callback-Number                 radiusCallbackNumber
replyItem       Callback-Id                     radiusCallbackId
replyItem       Framed-IPX-Network              radiusFramedIPXNetwork
replyItem       Class                           radiusClass
replyItem       Session-Timeout                 radiusSessionTimeout
replyItem       Idle-Timeout                    radiusIdleTimeout
replyItem       Termination-Action              radiusTerminationAction
replyItem       Login-LAT-Service               radiusLoginLATService
replyItem       Login-LAT-Node                  radiusLoginLATNode
replyItem       Login-LAT-Group                 radiusLoginLATGroup
replyItem       Framed-AppleTalk-Link           radiusFramedAppleTalkLink
replyItem       Framed-AppleTalk-Network        radiusFramedAppleTalkNetwork
replyItem       Framed-AppleTalk-Zone           radiusFramedAppleTalkZone
replyItem       Port-Limit                      radiusPortLimit
replyItem       Login-LAT-Port                  radiusLoginLATPort
replyItem       Reply-Message                   radiusReplyMessage

EOF

Thanks in advance!!

-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -



More information about the Freeradius-Users mailing list