EAP-TNC supported?
Ingo Bente
ingo.bente at fh-hannover.de
Thu Aug 21 13:49:06 CEST 2008
> Message: 3
> Date: Thu, 21 Aug 2008 08:36:07 +0200
> From: "Martin Schneider" <martincschneider at googlemail.com>
> Subject: Re: EAP-TNC supported?
> To: "FreeRadius users mailing list"
> <freeradius-users at lists.freeradius.org>
> Message-ID:
> <690347540808202336k5ce8ffd5jc0c3efea54b1835d at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi
>
> 2008/8/20 Alan DeKok <aland at deployingradius.com>:
>> Martin Schneider wrote:
>>> - I read in wikipedia, that the spring 2008 release of FreeRadius has
>>> "experimental EAP-TNC" support. I couldn't find any information on the
>>> FreeRadius homepage or wiki, that this information is correct. Has FreeRadius
>>> EAP-TNC support? And "how experimental" is the EAP-TNC support?
>> It's very experimental. Some people have gotten it to work, but I
>> don't think it's ready for production use.
>
> What a pity!
>
> Does anybody know about a patch or something for FreeRadius that adds
> more stable EAP-TNC processing? I heard about a patch from FH Hannover
> (http://tnc.inform.fh-hannover.de/wiki/index.php/Main_Page) but I
> don't know how good this one works. Did maybe anybody of you guys play
> with that patch?
Yes, it is very experimental. We have done some refactoring the last
weeks but the new version of the EAP-TNC-Patch is currently not in the
FreeRADIUS sources. You can download it from
http://tnc.inform.fh-hannover.de. We will modify some further aspects
soon (such as removing the dynamic loading of NAA-TNCS.so at runtime).
>
>>> - In case FreeRadius supports EAP-TNC, is it possible to run EAP-TNC
>>> "inside" a EAP-TTLS tunnel? EAP-TTLS as outer method and EAP-TNC as
>>> inner method?
>> No. EAP-TNC is designed to be run as an authorization method *after*
>> the user has been authenticated. It *cannot* be run all by itself
>> inside of a TTLS tunnel.
>>
>> You can run it inside of the TTLS tunnel after another EAP method has
>> been executed. You may have to edit the source code to get this to work.
>
You can do EAP-TNC inside EAP-TTLS without modifying the source. I
tested it with the latest development version of wpa_supplicant. But you
will have to modify the source if you want to do EAP-TNC inside EAP-TTLS
_after_ another EAP method (such as MD5).
> Ok, thanks for clarifying this point! I really mixed this one up.
>
> I read in the EAP-TTLS draft, that you can perform mutual
> authentication of server AND client using EAP-TTLS. (Client also needs
> a Certificate...). So theoretically you should be able to run EAP-TNC
> directly after EAP-TTLS in the TLS tunnel without any other user
> authenticating EAP-method?
>
Yes.
Regards
Ingo
> Regards
> Martin
>
>
>> Alan DeKok.
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 21 Aug 2008 08:42:16 +0200
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: EAP-TNC supported?
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <48AD0E48.1040803 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Martin Schneider wrote:
>> Does anybody know about a patch or something for FreeRadius that adds
>> more stable EAP-TNC processing? I heard about a patch from FH Hannover
>> (http://tnc.inform.fh-hannover.de/wiki/index.php/Main_Page) but I
>> don't know how good this one works. Did maybe anybody of you guys play
>> with that patch?
>
> The EAP-TNC code in FreeRADIUS *is* the FH Hannover code. There's
> just *more* work that has to be done to make it ready for a production
> environment.
>
>> I read in the EAP-TTLS draft, that you can perform mutual
>> authentication of server AND client using EAP-TTLS. (Client also needs
>> a Certificate...). So theoretically you should be able to run EAP-TNC
>> directly after EAP-TTLS in the TLS tunnel without any other user
>> authenticating EAP-method?
>
> Perhaps. Check with the TNC specifications to see if this is permitted.
>
> Alan DeKok.
>
>
> ------------------------------
>
> Message: 5
> Date: Thu, 21 Aug 2008 09:31:59 +0100
> From: Phil Mayers <p.mayers at imperial.ac.uk>
> Subject: Re: FreeRadius 2.0.5 AD PEAP
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <20080821083159.GA27802 at wildfire.net.ic.ac.uk>
> Content-Type: text/plain; charset=us-ascii; format=flowed
>
>>> Perhaps try it with a Cleartext-Password in the "users" file. i.e.
>>> *Without* using ntlm_auth. That works for me, including with
>> eapol_test, and TTLS/EAP-MSCHAPv2.
>>
>> Can you clarify this setup/change to test? I was pretty sure I needed
>> to use ntlm_auth to auth against AD to test mschapv2
>
> Put a test user in the "users" file:
>
> test Cleartext-Password := "blah", MS-CHAP-Use-NTLM-Auth := 0
>
>>> If that still fails, then there's something wrong with the system
>> that breaks the server in 2.0.5.
>>
>> Running Samba 3.2.0 on Fedora 9
>
> Your problem is very odd. I'm using 2.0.5 on RHEL5 with ntlm_auth and
> it's working fine.
>
> The only time I've seen eapol_test fail with "mismatch" is when I've
> failed to strip the DOMAIN\ or @DOMAIN.COM from usernames with realms
> and this has confused the key hashing - but your usernames are
> unadorned.
>
> Perhaps the Samba version in F9 has problems? What OS and samba version
> is your (working) 1.1.7 server running?
>
>>> FYI: Unknown network block for the CA_CERT with regards to the eapol
>>> test config file
>>> What does that mean?
>> Within the config you provided to for eapol_test at the bottom is a
>> ca_cert declaration that errors out when uncommented
>>
>> Anyone using FC9 with freeradius 2.0.5 against AD working that I can use
>> to compare?
>>
>> Thanks much appreciated
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
> ------------------------------
>
> Message: 6
> Date: Thu, 21 Aug 2008 10:53:17 +0200
> From: Thomas Buchberger <buchberger at nefonline.de>
> Subject: Re: Auth-Type := Accept - CHAP problems
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <48AD2CFD.3040206 at nefonline.de>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi Alan and Ivan,
>
> Alan DeKok wrote:
>>> Config looks like this:
>>>
>>> DEFAULT Auth-Type := Accept
>>>
>> This completely bypasses any password checks.
>>
>>> ERX-Virtual-Router-Name = "vpn:XXX",
>>> ERX-Egress-Policy-Name = "XXX",
>>> ERX-Local-Loopback-Interface = "loopback 255",
>>> Service-Type = Framed-User,
>>> Framed-Protocol = PPP,
>>> Fall-Through = Yes
>>>
>>> Test100 Password = "Test100"
>>>
>> Use:
>>
>> Test100 Cleartext-Password := "Test100"
>>
> OK - now I understand...
> with Cleartext-Password PAP and CHAP behave the same way...
> For us the wrong way :-)
> Is there a possibility to solve it with freeradius?
> We want to Accept all Users but give "authenticated" (correct username
> and password) users individual attributes and "non authenticated" users
> (wrong username and / or password) different attributes but no "Login
> incorrect".
>
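The point made in message 6, that `DEFAULT Auth-Type := Accept` bypasses every password check while `Cleartext-Password` lets the server verify both PAP and CHAP, as an added example that is not part of this thread and not FreeRADIUS code: a small Python model of how a users-file entry decides a request. The CHAP computation is the one from RFC 1994 (MD5 over identifier, secret and challenge) and the `CHAP-Password` layout (one identifier octet followed by the 16-octet response) is from RFC 2865 section 5.3; the request builders, the `authorize()` helper and the "Test100" credentials are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed example, not FreeRADIUS code. Attribute names mirror the RADIUS
# dictionary so the request dicts read like the packets a NAS would send.


def chap_response(chap_id: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()


def nas_pap_request(user: str, password: str) -> dict:
    """PAP: the NAS forwards the password itself (RADIUS obfuscates it on the
    wire with the shared secret; that step is omitted here)."""
    return {"User-Name": user, "User-Password": password}


def nas_chap_request(user: str, password: str, chap_id: int, challenge: bytes) -> dict:
    """CHAP (RFC 2865 s5.3): CHAP-Password = identifier octet || 16-octet MD5
    response, with the challenge carried in CHAP-Challenge."""
    return {
        "User-Name": user,
        "CHAP-Password": bytes([chap_id]) + chap_response(chap_id, password, challenge),
        "CHAP-Challenge": challenge,
    }


def authorize(entry: dict, request: dict) -> str:
    """Decide a request the way a users-file entry would.

    `entry` holds the check items of the entry's first line, e.g.
        {"Cleartext-Password": "Test100"}   server can verify PAP *and* CHAP
        {"Auth-Type": "Accept"}             no credential is ever examined
    Returns "Access-Accept" or "Access-Reject".
    """
    if entry.get("Auth-Type") == "Accept":
        return "Access-Accept"  # password (right, wrong or absent) is never looked at

    stored = entry.get("Cleartext-Password")
    if stored is None:
        return "Access-Reject"  # nothing to verify against

    if "User-Password" in request:  # PAP: direct comparison
        ok = hmac.compare_digest(stored.encode(), request["User-Password"].encode())
    elif "CHAP-Password" in request:  # CHAP: recompute from the cleartext password
        chap_id = request["CHAP-Password"][0]
        expected = chap_response(chap_id, stored, request["CHAP-Challenge"])
        ok = hmac.compare_digest(expected, request["CHAP-Password"][1:])
    else:
        return "Access-Reject"  # no usable credential in the request
    return "Access-Accept" if ok else "Access-Reject"


if __name__ == "__main__":
    good = {"Cleartext-Password": "Test100"}   # Test100 Cleartext-Password := "Test100"
    accept_all = {"Auth-Type": "Accept"}       # DEFAULT Auth-Type := Accept
    challenge = os.urandom(16)
    for label, entry in (("Cleartext-Password", good), ("Auth-Type := Accept", accept_all)):
        print(label)
        print("  PAP  right password:", authorize(entry, nas_pap_request("Test100", "Test100")))
        print("  PAP  wrong password:", authorize(entry, nas_pap_request("Test100", "nope")))
        print("  CHAP right password:", authorize(entry, nas_chap_request("Test100", "Test100", 1, challenge)))
        print("  CHAP wrong password:", authorize(entry, nas_chap_request("Test100", "nope", 1, challenge)))
```

With the `Cleartext-Password` entry the wrong password is rejected for both PAP and CHAP, which is the "PAP and CHAP behave the same way" Thomas observed; with `Auth-Type := Accept` every row prints `Access-Accept`, which is the bypass Alan warned about. CHAP can only be verified this way because the server holds the cleartext: a stored hash would leave nothing to feed into the MD5 computation.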