Freeradius, Cisco SSC, eDirectory, EAP/(T)TLS Problem
Sven 'Darkman' Michels
sven at darkman.de
Tue Mar 25 23:37:38 CET 2008
Hi there,
we use Freeradius (1.1.0 from sles10) to provide 802.1x on all wired
switches in the company. As backend we have Novell eDir where all users
are stored. We also use per user vlans, which are stored in the eDir.
This setup is working so far. Now we want to secure the authentication
by ssl certificates (to protect the client from "foreign" server getting
their credentials, and the "eDir" from "foreign" clients - to avoid
brute force attacks). Our idea was:
Using a "general" certificate to identify every supplicant/client and
use this cert to protect the tunnel where user/pass is provided.
We have configured a guest-vlan (2) on the cisco switch where all
unauthenticated or "unknown" supplicants/clients get into. The next
vlan (4) is for supplicants/clients which have the right cert installed,
and last but not least the users own vlan (300).
From vlan 2 you're not allowed to do "anything" beside staging the
client (for new installations). At vlan 4 you may connect to a few
servers (to get your box ready for production when no user is setup) and
300 is a fully working vlan.
For now this works "a bit". It seems that you cannot use "just" a cert
to get into the vlan 4 (you need user + user defined in users file, at
least for the cisco client, who *needs* a user when using a cert..).
Besides that, I noticed that when using a wrong ssl cert and user+pw
(to get vlan300) freeradius *first* checks the edirectory, and THEN
the eap/ttls stuff - shouldn't this be exactly the other way around?
Our config looks like:
radius.conf:

```
modules {
    eap {
        default_eap_type = ttls
        ignore_unknown_eap_types = no
        tls {
            private_key_file = key
            certificate_file = cert
            CA_file = ca.crt
        }
        ttls {
            # 1.x reads the certificate settings from the tls { } section above
            private_key_file = key
            certificate_file = cert
            CA_file = ca.cert
            default_eap_type = md5
            copy_request_to_tunnel = yes
            use_tunneled_reply = yes
        }
    }
    ldap {
        server = "edir.company.lan"
        port = 636
        # bind DN: the rlm_ldap config item is "identity"
        identity = "cn=freeradius,o=admin"
        password = xxx
        basedn = "o=company"
        tls_mode = yes
        ...
        edir_account_policy_check = yes
    }
    files {
        # defaultstuff
    }
}
```
```
authorize {
    preprocess
    eap
    ldap
}
authenticate {
    eap
    Auth-Type LDAP {
        ldap
    }
}
post-auth {
    ldap
    Post-Auth-Type REJECT {
        ldap
    }
}
```
users:

```
DEFAULT Auth-Type = LDAP
        Tunnel-Type := "VLAN",
        Tunnel-Medium-Type := "IEEE-802",
        Fall-Through = Yes

# no trailing comma on the last reply item, or the parser expects another line
DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP
```
So why doesn't it check the tunnel (ssl) first and stop if the client
has no valid cert?
I think I just overlooked something... but I'm a bit puzzled now...
Regards and thanks,
Sven Michels
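A small structural check for users-file entries like the ones quoted in the post, added here as an example that is not from the post or from FreeRADIUS itself. It assumes the classic users file syntax (a non-indented "name check-items" line, indented reply lines that continue while they end in a comma) and a constructed sample reproducing the first two DEFAULT entries, trailing comma included.

```python
import re
# Constructed sample (assumption): the post's first two DEFAULT entries, comma kept.
SAMPLE_USERS = """\
DEFAULT Auth-Type = LDAP
\tTunnel-Type := "VLAN",
\tTunnel-Medium-Type := "IEEE-802",
\tFall-Through = Yes

DEFAULT Service-Type == Framed-User
\tFramed-IP-Address = 255.255.255.254,
\tFramed-MTU = 576,
\tFall-Through = Yes,
"""
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|!=|=~|!~|>=|<=|\+=|=|>|<)\s*("[^"]*"|[^,\s]+)')
CHECK_OPS = {"==", ":=", "=", "!=", ">", "<", ">=", "<=", "=~", "!~"}  # first-line operators
REPLY_OPS = {"=", ":=", "+="}                                          # reply-line operators

def parse_users(text):
    """Split a users file into entries; a reply line ending in ',' must be continued."""
    entries, pending, last = [], False, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0] not in " \t":                     # "name check-items" starts an entry
            if pending:
                entries[-1]["errors"].append(f"line {last}: last reply line ends with ','")
            name, rest = (line.split(None, 1) + [""])[:2]
            entries.append({"name": name, "line": lineno, "check": ITEM_RE.findall(rest),
                            "reply": [], "errors": []})
            pending = False
            continue
        entries[-1]["reply"] += ITEM_RE.findall(line)  # indented line: reply items
        pending, last = line.endswith(","), lineno
    if pending:
        entries[-1]["errors"].append(f"line {last}: last reply line ends with ','")
    return entries

def lint(entries):
    """Findings: dangling commas, invalid operators, Tunnel-Type without a VLAN id."""
    out = []
    for e in entries:
        where = f"{e['name']} (line {e['line']})"
        out += [f"{where}: {err}" for err in e["errors"]]
        for kind, ops in (("check", CHECK_OPS), ("reply", REPLY_OPS)):
            out += [f"{where}: {kind} item {a} uses invalid operator {op}"
                    for a, op, _ in e[kind] if op not in ops]
        attrs = {a for a, _, _ in e["reply"]}
        if "Tunnel-Type" in attrs and "Tunnel-Private-Group-Id" not in attrs:
            out.append(f"{where}: Tunnel-Type set without Tunnel-Private-Group-Id")
    return out
```

The last finding is informational: with Tunnel-Type and Tunnel-Medium-Type fixed in the users file, the VLAN id itself has to arrive from elsewhere (here, the per-user value held in eDirectory).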