How to implement two possible passwords? (one for PEAP and the other for TTLS)
Sergio Belkin
sebelk at gmail.com
Wed Apr 30 16:09:50 CEST 2008
Hi Ivan and word,
Well, I've read the documentation you mentioned and the files in sites-enabled.
But there are some things that I don't fully understand, and I want to
repeat what I have and what I want:
I have a radius 2.0.2 working with EAP-TTLS; users' passwords are in an
LDAP server. It is working well. Please bear in mind that passwords are
encrypted in the LDAP server and I can't modify that (my boss doesn't
want!). So I need a "secondary" password in clear text only for
radius; because of this I've added to LDAP an attribute that looks
like userPassword, called radiusPassword.
Then, you suggested that I create a virtual server for peap.
Sorry for the stupid questions, but I want to be sure...
So, should I set virtual_server = "inner-tunnel" in eap.conf?
The only thing that will differ between the first virtual server and the second one is that:
1) First server: use EAP-TTLS and LDAP authentication as usual
2) Second server: use EAP-PEAP, and it should use radiusPassword instead
of userPassword. I'd like to avoid using "plain users" in the users
file, but if there isn't an alternative, well, I will do that...
I don't understand well how to apply these differences in the config files
for the virtual servers...
Could you help me please?
Thanks in advance!!
2008/4/30 Ivan Kalik <tnt at kalik.net>:
> 1) Leave as it is.
>
> http://www.freeradius.org/features/virtual_servers.html
>
> 2) Create a virtual server for peap and send peap requests to it. In the
> users file for that server enter:
>
> DEFAULT Cleartext-Password := whatever
>
> You don't need radiusPassword attribute at all.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> On 30/4/2008, "Sergio Belkin" <sebelk at gmail.com> wrote:
>
>
>
> >Hi,
> >
> >I've added a new attribute called "radiusPassword"; this is a clear-text
> >password exclusively for radius usage. I want that:
> >
> >1) All Linux, Mac OS X, and all Windows users that want to and can
> >install (or already have installed and configured) securew2 use their
> >usual encrypted userPassword. (EAP-TTLS)
> >2) All users that don't want to install securew2 (Windows users) and
> >want to use PEAP instead of TTLS use the radiusPassword as their password
> >for access to the wireless network.
> >
> >How can I do that? These are my current config files:
> >
> >----------
> >radiusd.conf
> >----------------
> >
> >prefix = /usr/local-2.0.2
> >exec_prefix = ${prefix}
> >sysconfdir = ${prefix}/etc
> >localstatedir = ${prefix}/var
> >sbindir = ${exec_prefix}/sbin
> >logdir = ${localstatedir}/log/radius
> >raddbdir = ${sysconfdir}/raddb
> >radacctdir = ${logdir}/radacct
> >confdir = ${raddbdir}
> >run_dir = ${localstatedir}/run/radiusd
> >db_dir = ${raddbdir}
> >libdir = ${exec_prefix}/lib
> >pidfile = ${run_dir}/radiusd.pid
> >user = radiusd
> >group = radiusd
> >max_request_time = 30
> >cleanup_delay = 5
> >max_requests = 1024
> >listen {
> > type = auth
> > ipaddr = 190.69.213.5
> > port = 0
> >}
> >listen {
> > ipaddr = 190.69.213.5
> > port = 0
> > type = acct
> >}
> >hostname_lookups = no
> >allow_core_dumps = no
> >regular_expressions = yes
> >extended_expressions = yes
> >log {
> > destination = files
> > file = ${logdir}/radius.log
> > syslog_facility = daemon
> > stripped_names = yes
> > auth = yes
> > auth_badpass = no
> > auth_goodpass = no
> >}
> >checkrad = ${sbindir}/checkrad
> >security {
> > max_attributes = 190
> > reject_delay = 1
> > status_server = yes
> >}
> >proxy_requests = no
> >$INCLUDE proxy.conf
> >$INCLUDE clients.conf
> >snmp = no
> >$INCLUDE snmp.conf
> >thread pool {
> > start_servers = 5
> > max_servers = 32
> > min_spare_servers = 3
> > max_spare_servers = 10
> > max_requests_per_server = 0
> >}
> >modules {
> > pap {
> > auto_header = yes
> > }
> > chap {
> > authtype = CHAP
> > }
> > pam {
> > pam_auth = radiusd
> > }
> > unix {
> > radwtmp = ${logdir}/radwtmp
> > }
> >$INCLUDE eap.conf
> > mschap {
> > }
> > ldap {
> > server = "ldap.cadorna.edu"
> > identity = "cn=freeradius,ou=applications,dc=cadorna,dc=edu"
> > port = 636
> > password = doyouwantocrakforgetitdude
> > basedn = "ou=people,dc=cadorna,dc=edu"
> > filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> > ldap_connections_number = 5
> > timeout = 4
> > timelimit = 3
> > net_timeout = 1
> > tls {
> > start_tls = no
> > cacertfile = /etc/raddb-2.0.2/cacert.pem
> > randfile = /dev/urandom
> > require_cert = "allow"
> > }
> > access_attr = "radiusAllowed"
> > dictionary_mapping = ${confdir}/ldap.attrmap
> > edir_account_policy_check = no
> > }
> > realm IPASS {
> > format = prefix
> > delimiter = "/"
> > }
> > realm suffix {
> > format = suffix
> > delimiter = "@"
> > }
> > realm realmpercent {
> > format = suffix
> > delimiter = "%"
> > }
> > realm ntdomain {
> > format = prefix
> > delimiter = "\\"
> > }
> > checkval {
> > item-name = Calling-Station-Id
> > check-name = Calling-Station-Id
> > data-type = string
> > }
> >
> > preprocess {
> > huntgroups = ${confdir}/huntgroups
> > hints = ${confdir}/hints
> > with_ascend_hack = no
> > ascend_channels_per_line = 23
> > with_ntdomain_hack = no
> > with_specialix_jetstream_hack = no
> > with_cisco_vsa_hack = no
> > }
> > files {
> > usersfile = ${confdir}/users
> > acctusersfile = ${confdir}/acct_users
> > preproxy_usersfile = ${confdir}/preproxy_users
> > compat = no
> > }
> > detail {
> > detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
> > detailperm = 0600
> > header = "%t"
> > suppress {
> > User-Password
> > }
> > }
> > detail auth_log {
> > detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
> > suppress {
> > User-Password
> > }
> > }
> > acct_unique {
> > key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
> > }
> > $INCLUDE sql.conf
> >
> > radutmp {
> > filename = ${logdir}/radutmp
> > username = %{User-Name}
> > case_sensitive = yes
> > check_with_nas = yes
> > perm = 0600
> > callerid = "yes"
> > }
> > radutmp sradutmp {
> > filename = ${logdir}/sradutmp
> > perm = 0644
> > callerid = "no"
> > }
> > attr_filter attr_filter.post-proxy {
> > attrsfile = ${confdir}/attrs
> > }
> > attr_filter attr_filter.pre-proxy {
> > attrsfile = ${confdir}/attrs.pre-proxy
> > }
> > attr_filter attr_filter.access_reject {
> > key = %{User-Name}
> > attrsfile = ${confdir}/attrs.access_reject
> > }
> > attr_filter attr_filter.accounting_response {
> > key = %{User-Name}
> > attrsfile = ${confdir}/attrs.accounting_response
> > }
> > counter daily {
> > filename = ${db_dir}/db.daily
> > key = User-Name
> > count-attribute = Acct-Session-Time
> > reset = daily
> > counter-name = Daily-Session-Time
> > check-name = Max-Daily-Session
> > reply-name = Session-Timeout
> > allowed-servicetype = Framed-User
> > cache-size = 5000
> > }
> > $INCLUDE sql/mysql/counter.conf
> > always fail {
> > rcode = fail
> > }
> > always reject {
> > rcode = reject
> > }
> > always noop {
> > rcode = noop
> > }
> > always handled {
> > rcode = handled
> > }
> > always updated {
> > rcode = updated
> > }
> > always notfound {
> > rcode = notfound
> > }
> > always ok {
> > rcode = ok
> > simulcount = 0
> > mpp = no
> > }
> > expr {
> > }
> > digest {
> > }
> > expiration {
> > reply-message = "Password Has Expired\r\n"
> > }
> > logintime {
> > reply-message = "You are calling outside your allowed timespan\r\n"
> > minimum-timeout = 60
> > }
> > exec {
> > wait = yes
> > input_pairs = request
> > shell_escape = yes
> > output = none
> > }
> > exec echo {
> > wait = yes
> > program = "/bin/echo %{User-Name}"
> > input_pairs = request
> > output_pairs = reply
> > shell_escape = yes
> > }
> > ippool main_pool {
> > range-start = 192.168.1.1
> > range-stop = 192.168.3.254
> > netmask = 255.255.255.0
> > cache-size = 800
> > session-db = ${db_dir}/db.ippool
> > ip-index = ${db_dir}/db.ipindex
> > override = no
> > maximum-timeout = 0
> > }
> > policy {
> > filename = ${confdir}/policy.txt
> > }
> >}
> >instantiate {
> > exec
> > expr
> > expiration
> > logintime
> >}
> >$INCLUDE policy.conf
> >$INCLUDE sites-enabled/
> >
> >EOF
> >
> >--------------
> >eap.conf
> >----------------
> >eap {
> > default_eap_type = peap
> > timer_expire = 60
> > ignore_unknown_eap_types = no
> > cisco_accounting_username_bug = no
> > md5 {
> > }
> > leap {
> > }
> > gtc {
> > auth_type = PAP
> > }
> > tls {
> > private_key_file = /etc/pki/tls/certs/ips-spectrum-key.pem
> > certificate_file = /etc/pki/tls/certs/ips-spectrum-crt.pem
> > CA_file = /etc/pki/tls/certs/ips-ca-bundle.crt
> > dh_file = ${raddbdir}/certs/dh
> > random_file = ${raddbdir}/certs/random
> > cipher_list = "DEFAULT"
> > }
> > ttls {
> > default_eap_type = md5
> > copy_request_to_tunnel = no
> > use_tunneled_reply = yes
> > }
> > peap {
> > default_eap_type = mschapv2
> > copy_request_to_tunnel = no
> > use_tunneled_reply = no
> > }
> > mschapv2 {
> > }
> > }
> >EOF
> >
> >-------------------
> >ldap.attrmap
> >checkItem $GENERIC$ radiusCheckItem
> >replyItem $GENERIC$ radiusReplyItem
> >checkItem Cleartext-Password clrtxtPassword
> >checkItem User-Password userPassword
> >replyItem Tunnel-Type radiusTunnelType
> >replyItem Tunnel-Medium-Type radiusTunnelMediumType
> >replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId
> >checkItem Auth-Type radiusAuthType
> >checkItem Simultaneous-Use radiusSimultaneousUse
> >checkItem Called-Station-Id radiusCalledStationId
> >checkItem Calling-Station-Id radiusCallingStationId
> >checkItem LM-Password lmPassword
> >checkItem NT-Password ntPassword
> >checkItem LM-Password sambaLmPassword
> >checkItem NT-Password sambaNtPassword
> >checkItem SMB-Account-CTRL-TEXT acctFlags
> >checkItem Expiration radiusExpiration
> >checkItem NAS-IP-Address radiusNASIpAddress
> >replyItem Service-Type radiusServiceType
> >replyItem Framed-Protocol radiusFramedProtocol
> >replyItem Framed-IP-Address radiusFramedIPAddress
> >replyItem Framed-IP-Netmask radiusFramedIPNetmask
> >replyItem Framed-Route radiusFramedRoute
> >replyItem Framed-Routing radiusFramedRouting
> >replyItem Filter-Id radiusFilterId
> >replyItem Framed-MTU radiusFramedMTU
> >replyItem Framed-Compression radiusFramedCompression
> >replyItem Login-IP-Host radiusLoginIPHost
> >replyItem Login-Service radiusLoginService
> >replyItem Login-TCP-Port radiusLoginTCPPort
> >replyItem Callback-Number radiusCallbackNumber
> >replyItem Callback-Id radiusCallbackId
> >replyItem Framed-IPX-Network radiusFramedIPXNetwork
> >replyItem Class radiusClass
> >replyItem Session-Timeout radiusSessionTimeout
> >replyItem Idle-Timeout radiusIdleTimeout
> >replyItem Termination-Action radiusTerminationAction
> >replyItem Login-LAT-Service radiusLoginLATService
> >replyItem Login-LAT-Node radiusLoginLATNode
> >replyItem Login-LAT-Group radiusLoginLATGroup
> >replyItem Framed-AppleTalk-Link radiusFramedAppleTalkLink
> >replyItem Framed-AppleTalk-Network radiusFramedAppleTalkNetwork
> >replyItem Framed-AppleTalk-Zone radiusFramedAppleTalkZone
> >replyItem Port-Limit radiusPortLimit
> >replyItem Login-LAT-Port radiusLoginLATPort
> >replyItem Reply-Message radiusReplyMessage
> >
> >EOF
> >
> >Thanks in advance!!
> >
> >-- 
> >Open Kairos http://www.openkairos.com
> >Watch More TV http://sebelk.blogspot.com
> >Sergio Belkin
> >-
> >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
> >
>
>
More information about the Freeradius-Users mailing list
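The configuration below is an added worked example, not something posted in the thread or shipped by the FreeRADIUS project. It shows one way to do what the asker describes: keep EAP-TTLS on the existing inner-tunnel virtual server (userPassword, as today) and send EAP-PEAP into a second inner server that authenticates with a second rlm_ldap instance whose attribute map turns radiusPassword, and nothing else, into Cleartext-Password. Server, bind DN, base DN, filter, TLS settings and access_attr are copied from the posted ldap block; the names inner-peap, ldap-peap and ldap-peap.attrmap are assumptions, the bind password is a placeholder, and set_auth_type is an rlm_ldap option I believe exists in 2.0.x (if your build rejects it, remove the line; with eap running first it is only belt and braces).

```conf
# --- raddb/eap.conf: only the two tunnelled types change ---
eap {
	default_eap_type = peap
	# md5, leap, gtc, tls and mschapv2 sections stay exactly as posted

	ttls {
		default_eap_type = md5
		copy_request_to_tunnel = no
		use_tunneled_reply = yes
		# securew2/TTLS users keep the existing inner server and
		# therefore the existing "ldap" instance (userPassword)
		virtual_server = "inner-tunnel"
	}
	peap {
		default_eap_type = mschapv2
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		# PEAP users are decrypted into a second inner server (assumed name)
		virtual_server = "inner-peap"
	}
}

# --- raddb/radiusd.conf, inside modules { }: a second rlm_ldap instance ---
# Same server, bind DN, base and filter as the posted "ldap" block. The
# differences are the attribute map and set_auth_type, so this is the
# only instance that can ever turn radiusPassword into a check item.
ldap ldap-peap {
	server = "ldap.cadorna.edu"
	port = 636
	identity = "cn=freeradius,ou=applications,dc=cadorna,dc=edu"
	# placeholder: use the same bind password as the "ldap" instance
	password = "bind-password-here"
	basedn = "ou=people,dc=cadorna,dc=edu"
	filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1
	tls {
		start_tls = no
		cacertfile = /etc/raddb-2.0.2/cacert.pem
		randfile = /dev/urandom
		require_cert = "allow"
	}
	access_attr = "radiusAllowed"
	dictionary_mapping = ${confdir}/ldap-peap.attrmap
	# MS-CHAPv2 carries no password to bind with, so never let this
	# instance set Auth-Type := LDAP (bind-as-user) on its own.
	set_auth_type = no
}

# --- raddb/ldap-peap.attrmap ---
# radiusPassword becomes Cleartext-Password; rlm_mschap derives the NT
# hash it needs from that. userPassword is deliberately not mapped here.
checkItem	$GENERIC$		radiusCheckItem
replyItem	$GENERIC$		radiusReplyItem
checkItem	Cleartext-Password	radiusPassword

# --- raddb/sites-available/inner-peap (symlink it into sites-enabled/) ---
server inner-peap {
	authorize {
		# The tunnelled request is EAP-MSCHAPv2, so eap sets
		# Auth-Type := EAP. It runs first so no other module claims
		# the request; ldap-peap then only adds check items.
		eap {
			ok = return
		}
		suffix
		# checks radiusAllowed, loads radiusPassword as Cleartext-Password
		ldap-peap
	}
	authenticate {
		# rlm_eap_mschapv2 hands the inner MS-CHAPv2 exchange to this
		# sub-section; this is where Cleartext-Password is actually used.
		Auth-Type MS-CHAP {
			mschap
		}
		eap
	}
	post-auth {
		Post-Auth-Type REJECT {
			attr_filter.access_reject
		}
	}
}
```

Start the server with radiusd -X and watch which inner server each tunnelled request enters: TTLS requests must never touch ldap-peap, and PEAP requests must never touch the original ldap instance. Two caveats a practitioner should keep in mind. First, radiusPassword is a clear-text credential readable by anyone with read access to that attribute, so restrict it with an LDAP ACL to the cn=freeradius bind DN; if the directory can store an NT hash instead, the posted ldap.attrmap already carries checkItem NT-Password ntPassword, and MS-CHAPv2 needs only that hash (it is still password-equivalent for MS-CHAPv2, so it needs the same ACL). Second, the server cannot tell a "TTLS user" from a "PEAP user": the path is chosen by the client's EAP type, so anyone who knows a user's radiusPassword can use PEAP regardless of what that user normally runs, which makes the RADIUS-only password the weaker of the two for wireless access.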