Freeradius, Cisco SSC, eDirectory, EAP/(T)TLS Problem

Sven 'Darkman' Michels sven at darkman.de
Tue Mar 25 23:37:38 CET 2008



Hi there,

we use FreeRADIUS (1.1.0 from SLES10) to provide 802.1X on all wired
switches in the company. As backend we have Novell eDir where all users
are stored. We also use per-user VLANs, which are stored in the eDir.
This setup is working so far. Now we want to secure the authentication
by SSL certificates (to protect the client from a "foreign" server getting
their credentials, and the "eDir" from "foreign" clients - to avoid
brute-force attacks). Our idea was:
Using a "general" certificate to identify every supplicant/client and
use this cert to protect the tunnel where user/pass is provided.
We have configured a guest VLAN (2) on the Cisco switch where all
unauthenticated or "unknown" supplicants/clients get into. The next
VLAN (4) is for supplicants/clients which have the right cert installed,
and last but not least the user's own VLAN (300).
From VLAN 2 you're not allowed to do "anything" besides staging the
client (for new installations). At VLAN 4 you may connect to a few
servers (to get your box ready for production when no user is set up) and
300 is a fully working VLAN.
For now this works "a bit". It seems that you cannot use "just" a cert
to get into VLAN 4 (you need a user + the user defined in the users file,
at least for the Cisco client, which *needs* a user when using a cert..).
Besides that, I noticed that when using a wrong SSL cert and user+pw
(to get VLAN 300) FreeRADIUS *first* checks the eDirectory, and THEN
the EAP/TTLS stuff - shouldn't this be exactly the other way around?

Our config looks like:
radiusd.conf:
modules {
	eap {
		default_eap_type = ttls
		ignore_unknown_eap_types = no
		tls {
			private_key_file = key
			certificate_file = cert
			CA_file = ca.crt
		}
		ttls {
			private_key_file = key
			certificate_file = cert
			CA_file = ca.cert
			default_eap_type = md5
			copy_request_to_tunnel = yes
			use_tunneled_reply = yes
		}
	}
	ldap {
		server = "edir.company.lan"
		port = 636
		identity = "cn=freeradius,o=admin"
		password = xxx
		basedn = "o=company"
		tls_mode = yes
		...
		edir_account_policy_check = yes
	}
	files {
		# defaultstuff
	}
}
authorize {
	preprocess
	eap
	ldap
}
authenticate {
	eap
	Auth-Type LDAP {
		ldap
	}
}
post-auth {
	ldap
	Post-Auth-Type REJECT {
		ldap
	}
}

users:
DEFAULT Auth-Type = LDAP
	Tunnel-Type := "VLAN",
	Tunnel-Medium-Type := "IEEE-802",
	Fall-Through = Yes
DEFAULT Service-Type == Framed-User
	Framed-IP-Address = 255.255.255.254,
	Framed-MTU = 576,
	Service-Type = Framed-User,
	Fall-Through = Yes
DEFAULT Framed-Protocol == PPP
	Framed-Protocol = PPP,
	Framed-Compression = Van-Jacobson-TCP-IP

So why doesn't it check the tunnel (SSL) first and stop if the client
has no valid cert?

I think I just overlooked something... but I'm a bit puzzled now...

Regards and thanks,
Sven Michels
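The ordering the post asks about, as an added example that is not part of the original message and not code from the FreeRADIUS project: a configuration in which the outer request only drives the EAP state machine, the TTLS tunnel refuses to come up unless the supplicant presents a client certificate issued by the CA in CA_file, and the eDirectory lookup plus per-user VLAN assignment happen only in a separate inner-tunnel virtual server, i.e. after the TLS handshake. It assumes FreeRADIUS 2.1.x syntax (virtual_server, require_client_cert, the sites-enabled layout), which the 1.1.0 in the post does not have; the certificate paths, the inner-tunnel server name, the ldap.attrmap mapping of the eDir VLAN attribute and the TTLS/PAP inner method are assumptions, not taken from the post.

```conf
# eap.conf (FreeRADIUS 2.1.x syntax, assumed; not the poster's 1.1.0 config)
eap {
	default_eap_type = ttls
	ignore_unknown_eap_types = no

	tls {
		certificate_file = ${confdir}/certs/server.pem   # path assumed
		private_key_file = ${confdir}/certs/server.pem   # path assumed
		CA_file          = ${confdir}/certs/ca.pem       # CA that signed the "general" client cert
	}

	ttls {
		# Do not copy the (still unauthenticated) outer request into the
		# tunnel; do copy the tunnel's reply, i.e. the VLAN attributes,
		# into the outer Access-Accept.
		copy_request_to_tunnel = no
		use_tunneled_reply     = yes
		# Abort the TLS handshake unless the supplicant presents a client
		# certificate chaining to CA_file. Nothing below runs for a
		# supplicant without the cert.
		require_client_cert    = yes
		# The inner (tunneled) request is handled by its own virtual server.
		virtual_server         = "inner-tunnel"
	}
}

# sites-enabled/default: the outer request. Only the EAP module runs here,
# so no eDir lookup is made on the outer (possibly anonymous) identity.
authorize {
	preprocess
	eap {
		ok = return
	}
}
authenticate {
	eap
}
post-auth {
	Post-Auth-Type REJECT {
		attr_filter.access_reject
	}
}

# sites-enabled/inner-tunnel: reached only after the TLS handshake, i.e.
# after the client cert was validated. The inner method is TTLS/PAP so the
# ldap module can bind to eDir with the user's own password (assumption:
# the Cisco SSC profile is set to TTLS with PAP as the inner method).
server inner-tunnel {
	authorize {
		ldap      # with set_auth_type = yes, sets Auth-Type LDAP for the PAP request
		files
	}
	authenticate {
		Auth-Type LDAP {
			ldap
		}
	}
	post-auth {
		ldap
	}
}

# users file read by the inner-tunnel's "files" module (assumed): the VLAN
# framing attributes; Tunnel-Private-Group-Id itself is filled from the eDir
# attribute through ldap.attrmap (mapping assumed, not shown).
DEFAULT
	Tunnel-Type := VLAN,
	Tunnel-Medium-Type := IEEE-802,
	Fall-Through = Yes
```

With this layout a supplicant that cannot present the cert fails in the TLS handshake, gets no Access-Accept, and stays in the guest VLAN (2); a supplicant with the cert but without a usable eDir user fails in the inner tunnel and ends up there too. Putting a cert-only machine into VLAN 4 on the strength of the certificate alone would need a separate EAP-TLS path for the machine identity, which this example does not cover. Run the server with `radiusd -X` and watch which virtual server and modules are entered, in which order, for a client with a wrong certificate.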