EAP-TTLS with mschapv2 and edirectory

Michael Fischer michi.fischer at gmx.net
Tue Sep 8 16:08:07 CEST 2009


Hi,

I'm trying to set up 802.1x authentication on my Enterasys AccessPoints
using freeradius and eDirectory.

Freeradius and eDirectory work like a charm when I use them for Cisco VPN
authentication.

This is the debug output:
rad_recv: Access-Request packet from host 10.3.4.10:1088, id=153, length=131
	Message-Authenticator = 0x9243250f00d4eaf9edcbe955c5106fe5
	User-Name = "dfuernsin"
	NAS-IP-Address = 10.3.4.10
	NAS-Port = 2
	NAS-Port-Type = Wireless-802.11
	Calling-Station-Id = "00-1D-E0-64-67-4B"
	Called-Station-Id = "00-01-F4-1C-9B-89:TGM"
	EAP-Message = 0x0201000e0164667565726e73696e
	Framed-MTU = 1000
rlm_ldap: - authorize
rlm_ldap: performing user authorization for dfuernsin
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: setting TLS CACert File to /etc/raddb/certs/rootder.b64
rlm_ldap: starting TLS
rlm_ldap: bind as cn=admin,o=TGM/xxxxxxx to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: Error reading Universal Password.Return Code = -1635
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusClass as Class, value TGM-ITS & op=11
rlm_ldap: user dfuernsin authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
Sending Access-Challenge of id 153 to 10.3.4.10 port 1088
	Class = 0x54474d2d495453
	EAP-Message = 0x010200061920
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xc467576a8938958c1a53a68b8e75ff64
rad_recv: Access-Request packet from host 10.3.4.10:1088, id=154, length=141
	Message-Authenticator = 0x0967d369610e907bd46340a8497b3cd1
	User-Name = "dfuernsin"
	State = 0xc467576a8938958c1a53a68b8e75ff64
	NAS-IP-Address = 10.3.4.10
	NAS-Port = 2
	NAS-Port-Type = Wireless-802.11
	Calling-Station-Id = "00-1D-E0-64-67-4B"
	Called-Station-Id = "00-01-F4-1C-9B-89:TGM"
	Framed-MTU = 1000
	EAP-Message = 0x020200060315
rlm_ldap: - authorize
rlm_ldap: performing user authorization for dfuernsin
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: Error reading Universal Password.Return Code = -1635
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusClass as Class, value TGM-ITS & op=11
rlm_ldap: user dfuernsin authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
Sending Access-Challenge of id 154 to 10.3.4.10 port 1088
	Class = 0x54474d2d495453
	EAP-Message = 0x010300061520
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xc2b5e7347d4362c9837a8cdb5ae54cef
rad_recv: Access-Request packet from host 10.3.4.10:1088, id=155, length=241
	Message-Authenticator = 0xd03ac83eb22acb6875c887c94c819f4e
	User-Name = "dfuernsin"
	State = 0xc2b5e7347d4362c9837a8cdb5ae54cef
	NAS-IP-Address = 10.3.4.10
	NAS-Port = 2
	NAS-Port-Type = Wireless-802.11
	Calling-Station-Id = "00-1D-E0-64-67-4B"
	Called-Station-Id = "00-01-F4-1C-9B-89:TGM"
	Framed-MTU = 1000
	EAP-Message =
0x0203006a1500160301005f0100005b03014aa65ba4b109ea3853a601da56bcfb3503d5da3b5141d5ae1d46dc029a00009b00003400390038003500160013000a00330032002f006600050004006500640063006200610060001500120009001400110008000600030100
rlm_ldap: - authorize
rlm_ldap: performing user authorization for dfuernsin
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: Error reading Universal Password.Return Code = -1635
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusClass as Class, value TGM-ITS & op=11
rlm_ldap: user dfuernsin authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
    TLS_accept:error in SSLv3 read client certificate A 
rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
Sending Access-Challenge of id 155 to 10.3.4.10 port 1088
	Class = 0x54474d2d495453
	EAP-Message =
0x20436c69656e742053534c311c301a06092a864886f70d010901160d6974734074676d2e61632e6174301e170d3039303132363135303931395a170d3130303132363135303931395a30819e310b3009060355040613024154310f300d060355040813065669656e6e61310f300d060355040713065669656e6e6131253023060355040a131c54474d202d2044696520536368756c652064657220546563686e696b310d300b060355040b1304726164313119301706035504031310526f6f74206365727469666963617465311c301a06092a864886f70d010901160d6974734074676d2e61632e617430819f300d06092a864886f70d010101050003
	EAP-Message =
0x38765b36ad92c6726e697e9232aa61aa3ee705521ccb59b91dbcf4475df14af87342965b0c58fe6dd3d8750193a4a91e964029b0ba452ee46d3be0a1d8af0003c3308203bf30820328a00302010202090090e75d8098036885300d06092a864886f70d010105050030819c310b3009060355040613024154310f300d060355040813065669656e6e61310f300d060355040713065669656e6e6131253023060355040a131c54474d202d2044696520536368756c652064657220546563686e696b310d300b060355040b130472616431311730150603550403130e54474d20436c69656e742053534c311c301a
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x72e9a4df87e4335cee24c2dbc1c9dde3
rad_recv: Access-Request packet from host 10.3.4.10:1088, id=156, length=141
	Message-Authenticator = 0xea43378afe10a29865cc0b2c502015c4
	User-Name = "dfuernsin"
	State = 0x72e9a4df87e4335cee24c2dbc1c9dde3
	NAS-IP-Address = 10.3.4.10
	NAS-Port = 2
	NAS-Port-Type = Wireless-802.11
	Calling-Station-Id = "00-1D-E0-64-67-4B"
	Called-Station-Id = "00-01-F4-1C-9B-89:TGM"
	Framed-MTU = 1000
	EAP-Message = 0x020400061500
rlm_ldap: - authorize
rlm_ldap: performing user authorization for dfuernsin
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: Error reading Universal Password.Return Code = -1635
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusClass as Class, value TGM-ITS & op=11
rlm_ldap: user dfuernsin authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
Sending Access-Challenge of id 156 to 10.3.4.10 port 1088
	Class = 0x54474d2d495453
	EAP-Message =
0x950c0b8bd8f07773e654c74153aa54c20bfe9c0ec6c4330b00267c19cb777433bfabf26680f70f881972160301010d0c0001090040b0e40717d408c7bd95e486445a58ca90105eeb618a3cb101fedfa1f30852a72fb8585db5f4876611a2bdb3114e7806a3499aa7ab9fdaecd98b24b49dd737c7730001020040188269e7cb45c48d98c9afaf784b98f4097dc6cbacf7317ce7e57bc2dacae876e0a5d27d2accd4f5240e2228b99397b4d5cb25420942cbbdfc51b4e644cd3111008061c8942076db0af63f340a6e3658f5e512fcf58f5e087ef2f0619b78c225311d16046e6a769f383c23baadd1c35251c5b3
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x9c3953fde1abb5c5aebec8ebfc86a1bb
rad_recv: Access-Request packet from host 10.3.4.10:1088, id=157, length=141
	Message-Authenticator = 0x3d7ea6f61b767389629d49596205cbd9
	User-Name = "dfuernsin"
	State = 0x9c3953fde1abb5c5aebec8ebfc86a1bb
	NAS-IP-Address = 10.3.4.10
	NAS-Port = 2
	NAS-Port-Type = Wireless-802.11
	Calling-Station-Id = "00-1D-E0-64-67-4B"
	Called-Station-Id = "00-01-F4-1C-9B-89:TGM"
	Framed-MTU = 1000
	EAP-Message = 0x020500061500
rlm_ldap: - authorize
rlm_ldap: performing user authorization for dfuernsin
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: Error reading Universal Password.Return Code = -1635
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusClass as Class, value TGM-ITS & op=11
rlm_ldap: user dfuernsin authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
Sending Access-Challenge of id 157 to 10.3.4.10 port 1088
	Class = 0x54474d2d495453
	EAP-Message =
0x0106006215800000080c4735a6c865221013a00e96f493261b33521a8a8db63b2eeaa24bbd1fbbfc067771b65a0811beec00e57b7699eda4802ca8e81aabeca2dad6fd539cc217fb20f99d55eeb228d6da1110ae9c86e2f2f216030100040e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x5661a0f5ce45e239b4bc70859f6a2bf9
rad_recv: Access-Request packet from host 10.3.4.10:1088, id=158, length=275
	Message-Authenticator = 0x1b944ca85d6a4c92fa947f1637831748
	User-Name = "dfuernsin"
	State = 0x5661a0f5ce45e239b4bc70859f6a2bf9
	NAS-IP-Address = 10.3.4.10
	NAS-Port = 2
	NAS-Port-Type = Wireless-802.11
	Calling-Station-Id = "00-1D-E0-64-67-4B"
	Called-Station-Id = "00-01-F4-1C-9B-89:TGM"
	Framed-MTU = 1000
	EAP-Message =
0x0206008c150016030100461000004200403239103fe96393b4442f69821e1784ab56e448c25d9a02d3b76fd0201fc53bdf165556558f1539d40400185a164646a89aba0412c2e205ca7828ce2ba98b5aa114030100010116030100308b32065275900efdd52cf6124e1f032aca7d1f771bf611b925590b7412b935621bbd62f33a4bc4b97ee483a5a62e8dca
rlm_ldap: - authorize
rlm_ldap: performing user authorization for dfuernsin
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: Error reading Universal Password.Return Code = -1635
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusClass as Class, value TGM-ITS & op=11
rlm_ldap: user dfuernsin authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
Sending Access-Challenge of id 158 to 10.3.4.10 port 1088
	Class = 0x54474d2d495453
	EAP-Message =
0x0107004515800000003b140301000101160301003040dc94e72be53bf55ddf8e541c965363d17b6a5afcd21214d85ead7b55840e0c48e144c6967f3431d935d8ea893dd23f
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x37827b68d6e2834e52f9b31f421d6b57
rad_recv: Access-Request packet from host 10.3.4.10:1088, id=159, length=327
	Message-Authenticator = 0xeaeace0d6f9aaa5a9b076145efdf883e
	User-Name = "dfuernsin"
	State = 0x37827b68d6e2834e52f9b31f421d6b57
	NAS-IP-Address = 10.3.4.10
	NAS-Port = 2
	NAS-Port-Type = Wireless-802.11
	Calling-Station-Id = "00-1D-E0-64-67-4B"
	Called-Station-Id = "00-01-F4-1C-9B-89:TGM"
	Framed-MTU = 1000
	EAP-Message =
0x020700c015001703010020509e2651521db9d8f55ea9236544febdd1847d3d90824b31e7e4b065cce3be5f1703010090cd17c1519d0a3444677865909a065f47f58b4a429faa437acaefd64fcde712221684a961867da9ca7c65ac67c87a736bbd2ec83b4fa5620def3c9956dc47c89f0ba1cfc1119b276190b960dcc5feb1ab8ef37f84bfa605f215956585e7235faf28e1a5693cd43753121cebfbe74f628a8085c0844def4a1031da34e452d3cec56bf86dfdd77790388a97af5de4b1af82
rlm_ldap: - authorize
rlm_ldap: performing user authorization for dfuernsin
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: Error reading Universal Password.Return Code = -1635
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusClass as Class, value TGM-ITS & op=11
rlm_ldap: user dfuernsin authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
  TTLS: Got tunneled request
	User-Name = "dfuernsin"
	MS-CHAP-Challenge = 0x45343e241414cc6e2b419a80ca3c0679
	MS-CHAP2-Response =
0xf90021c10a7e8786f207105e79fcf645fcea00000000000000000e9d76ed745951eb086371741cc54c64e7ec7e2ac6a29979
	FreeRADIUS-Proxied-To = 127.0.0.1
  TTLS: Sending tunneled request
	User-Name = "dfuernsin"
	MS-CHAP-Challenge = 0x45343e241414cc6e2b419a80ca3c0679
	MS-CHAP2-Response =
0xf90021c10a7e8786f207105e79fcf645fcea00000000000000000e9d76ed745951eb086371741cc54c64e7ec7e2ac6a29979
	FreeRADIUS-Proxied-To = 127.0.0.1
	NAS-IP-Address = 10.3.4.10
	NAS-Port = 2
	NAS-Port-Type = Wireless-802.11
	Calling-Station-Id = "00-1D-E0-64-67-4B"
	Called-Station-Id = "00-01-F4-1C-9B-89:TGM"
	Framed-MTU = 1000
rlm_ldap: - authorize
rlm_ldap: performing user authorization for dfuernsin
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: Error reading Universal Password.Return Code = -1635
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusClass as Class, value TGM-ITS & op=11
rlm_ldap: user dfuernsin authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
Login incorrect: [dfuernsin] (from client localhost port 2 cli 00-1D-E0-64-67-4B)
  TTLS: Got tunneled reply RADIUS code 3
	Class = 0x54474d2d495453
	MS-CHAP-Error = "\371E=691 R=1"
Login incorrect: [dfuernsin] (from client management port 2 cli 00-1D-E0-64-67-4B)

And here is my config:
ldap {
        server = "localhost"
        identity = "cn=admin,o=TGM"
        password = xxxxxxx
        basedn = "o=TGM"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        base_filter = "(objectclass=tgmPerson)"

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 636) connections
        start_tls = yes

        tls_cacertfile = /etc/raddb/certs/rootder.b64
        # tls_cacertdir         = /path/to/ca/dir/
        # tls_certfile          = /path/to/radius.crt
        # tls_keyfile           = /path/to/radius.key
        # tls_randfile          = /path/to/rnd
        # tls_require_cert      = "demand"

        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        profile_attribute = "radiusProfileDn"
        # access_attr = "dialupAccess"

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        ldap_connections_number = 5

        #
        # NOTICE: The password_header directive is NOT case insensitive
        #
        # password_header = "{clear}"
        #
        # Set:

        password_attribute = nspmPassword

        #
        # to get the user's password from a Novell eDirectory
        # backend. This will work *only if* freeRADIUS is
        # configured to build with --with-edir option.
        #
        #
        #  The server can usually figure this out on its own, and pull
        #  the correct User-Password or NT-Password from the database.
        #
        #  Note that NT-Passwords MUST be stored as a 32-digit hex
        #  string, and MUST start off with "0x", such as:
        #
        #       0x000102030405060708090a0b0c0d0e0f
        #
        #  Without the leading "0x", NT-Passwords will not work.
        #  This goes for NT-Passwords stored in SQL, too.
        #
        # password_attribute = userPassword
        #
        # Un-comment the following to disable Novell eDirectory account
        # policy check and intruder detection. This will work *only if*
        # FreeRADIUS is configured to build with --with-edir option.
        #
        edir_account_policy_check=yes
        #
        # groupname_attribute = cn
        # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        # groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # compare_check_items = yes
        # do_xlat = yes
        # access_attr_used_for_allow = yes

        #
        #  By default, if the packet contains a User-Password,
        #  and no other module is configured to handle the
        #  authentication, the LDAP module sets itself to do
        #  LDAP bind for authentication.
        #
        #  You can disable this behavior by setting the following
        #  configuration entry to "no".
        #
        #  allowed values: {no, yes}
        # set_auth_type = yes
}


Can somebody help me?

Thanks,
Mike
-- 
Please stop top-quoting!
email: michi.fischer at gmx.net
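As an added diagnostic (not part of the original post or of FreeRADIUS itself), a small Python parser that pulls the decisive facts out of a `radiusd -X` capture like the one above and explains why the inner MS-CHAPv2 check cannot pass when the server has neither the cleartext password nor an NT hash to verify the response against. The sample log is a constructed, abbreviated excerpt of the debug output quoted in the post.

```python
import re

# Constructed excerpt of the debug output quoted in the post; the long
# EAP-Message and MS-CHAP2-Response hex values are omitted as irrelevant.
SAMPLE_DEBUG = r"""
rlm_ldap: Error reading Universal Password.Return Code = -1635
rlm_ldap: user dfuernsin authorized to use remote access
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
  TTLS: Got tunneled request
    User-Name = "dfuernsin"
    MS-CHAP-Challenge = 0x45343e241414cc6e2b419a80ca3c0679
Login incorrect: [dfuernsin] (from client localhost port 2 cli 00-1D-E0-64-67-4B)
  TTLS: Got tunneled reply RADIUS code 3
    MS-CHAP-Error = "\371E=691 R=1"
"""

UP_ERR = re.compile(r"Error reading Universal Password\.?\s*Return Code = (-?\d+)")
NO_KNOWN_GOOD = re.compile(r'rlm_pap: WARNING! No "known good" password')
INNER_MSCHAP = re.compile(r"^\s*MS-CHAP-Challenge = 0x")
INNER_REPLY = re.compile(r"TTLS: Got tunneled reply RADIUS code (\d+)")
MSCHAP_ERR = re.compile(r'MS-CHAP-Error = ".*?E=(\d+)')

def diagnose(debug_text):
    """Collect the facts that matter from a `radiusd -X` capture."""
    f = {"universal_password_rc": None, "known_good_password": True,
         "inner_mschapv2": False, "inner_reply_code": None, "mschap_error": None}
    for line in debug_text.splitlines():
        if m := UP_ERR.search(line):
            f["universal_password_rc"] = int(m.group(1))
        elif NO_KNOWN_GOOD.search(line):
            f["known_good_password"] = False
        elif INNER_MSCHAP.search(line):
            f["inner_mschapv2"] = True
        elif m := INNER_REPLY.search(line):
            f["inner_reply_code"] = int(m.group(1))
        elif m := MSCHAP_ERR.search(line):
            f["mschap_error"] = int(m.group(1))
    return f

def verdict(f):
    """One-line explanation of a rejected inner MS-CHAPv2 exchange."""
    if not (f["inner_mschapv2"] and not f["known_good_password"]):
        return "no known-good-password problem found"
    why = ("MS-CHAPv2 needs the cleartext password or its NT hash on the server; "
           "rlm_pap reports neither")
    if f["universal_password_rc"] is not None:
        why += " because rlm_ldap could not read the eDirectory Universal Password (rc %d)" % f["universal_password_rc"]
    if f["inner_reply_code"] == 3:  # RADIUS code 3 = Access-Reject
        why += "; the inner request got Access-Reject"
    if f["mschap_error"] == 691:  # RFC 2759: ERROR_AUTHENTICATION_FAILURE
        why += " with MS-CHAP-Error E=691"
    return why
```

Run `verdict(diagnose(open("debug.log").read()))` against your own capture; the `known_good_password` flag is the one to watch, since without it the inner MS-CHAPv2 step fails regardless of what the client sends.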