eap-gtc error in authentication

Alexander Clouter alex at digriz.org.uk
Wed Nov 24 09:51:46 CET 2010


Hi,

Robert Masters <RMasters at bunnings.com.au> wrote:
> 
> We've been working on using Freeradius on RHEL5.4 to link a Motorola
> RFS6000 with Oracle OID.
> 
> We've had a number of hiccoughs along the way, and solved most of them -
> mainly thanks to the archives of this list.
> 
> We are now getting the following error:
> "rlm_eap_gtc: ERROR: Clear-test User-Password is required for
> authentication."
> 
"Bad UNIX sysadmin *BAD*"

My git log tells me you are running a version of FreeRADIUS from 
*before* Aug 15 2006.  Maybe I am the first to tell you, but it is 2010, 
and nearly 2011 :)

That error message was fixed (as was the codebase) so that 
Cleartext-Password is used instead (as User-Password comes from the 
RADIUS packet).

> instantiate {
>        exec
>        expr
> }
> authorize {
>        preprocess
> 
>        suffix
>        eap
>        files <---- comment out
>        ldap
> }
> authenticate {
>        Auth-Type PAP {
>                pap
>        }
>        Auth-Type CHAP {
>                chap
>        }
>        Auth-Type MS-CHAP {
>                mschap
>        }
>        unix
>        Auth-Type LDAP {
>                ldap
>        }
>        eap
> }
>
> [snipped]
>
The problem is that you need to populate Cleartext-Password with 
whatever is expected from the user *before* you end up calling the GTC 
module.

This is true if you want the gtc module to do the checking for you (as 
you have set the auth_type to 'Local').  This results in the gtc module 
doing the "Cleartext-Password == User-Password" check for you.

What I use, other than just a version of FreeRADIUS from this decade, is 
something like the following:
----
eap {
	...

	# do *not* pass to an inner virtual server for GTC (unless you 
	# want to do secondary authentications, two-factor?)
	ttls {
		#virtual_server = "inner-tunnel"
	}
	peap {
		#virtual_server = "inner-tunnel"
	}

	gtc {
		challenge = "%{reply:Reply-Message}"

		# as User-Password != Cleartext-Password for rfc2289
		auth_type = rfc2289
	}

	...
}

authorize {
	...

	# gets some useful information from LDAP that lets the rfc2289
	# perl module do its thing
	ldap

	# generates Reply-Message depending on what LDAP found
	gtc-trial.perl

	gtc-trial.eap
}

authenticate {
	Auth-Type gtc-trial.eap {
		gtc-trial.eap
	}
	Auth-Type rfc2289 {
		# does the User-Password check as rfc2289 can have
		# several formats, and is not case sensitive, etc
		gtc-trial.perl
	}
}
----

> And our users file:
> DEFAULT Auth-Type = LDAP
>        Fall-Through = Yes
> DEFAULT Service-Type == Framed-User
>        Framed-IP-Address = 255.255.255.254,
>        Framed-MTU = 576,
>        Service-Type = Framed-User,
>        Fall-Through = Yes
> DEFAULT Framed-Protocol == PPP
>        Framed-Protocol = PPP,
>        Framed-Compression = Van-Jacobson-TCP-IP
> DEFAULT Hint == "CSLIP"
>        Framed-Protocol = SLIP,
>        Framed-Compression = Van-Jacobson-TCP-IP
> DEFAULT Hint == "SLIP"
>        Framed-Protocol = SLIP
>
This is wrong and unnecessary, you should never set the Auth-Type 
(except to Reject or Accept); especially to 'LDAP'.

Comment out 'files' in authorize, when 'ldap' is called it will go 
hunting for accounts, and if it sees it can get enough information to 
authenticate the user, then it will; although this is not actually what 
you want here.

Cheers

-- 
Alexander Clouter
.sigmonster says:   I am a deeply superficial person. -Andy Warhol
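The reply above relies on the point that, with `auth_type = rfc2289`, the User-Password a GTC client sends is a one-time password that does not match any stored cleartext secret, so a separate module has to do the check and has to cope with the several response formats RFC 2289 allows. The following is an added illustration of that check in Python; it is not code from the post, nor from FreeRADIUS or the poster's `gtc-trial.perl` module. It implements the MD5 variant of RFC 2289 (seed lower-cased, digest folded to 64 bits, N-fold iteration) and the hexadecimal response format only (case-insensitive, optional spacing); the six-word dictionary format is not implemented because it needs the 2048-word table. The passphrase, seed and sequence number used are constructed test values, and the `OtpVerifier` class and its method names are my own.

```python
import hashlib
import re
from typing import Optional

def _fold_md5(data: bytes) -> bytes:
    """MD5 the input and fold the 128-bit digest to 64 bits by XOR-ing its two halves (RFC 2289, Appendix A)."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))

def otp_hash(passphrase: str, seed: str, count: int) -> bytes:
    """Return the count-th one-time password (MD5 variant) as 8 raw bytes.

    The seed is case-insensitive and is lower-cased before it is hashed;
    the passphrase is used exactly as given.
    """
    value = _fold_md5((seed.lower() + passphrase).encode("ascii"))
    for _ in range(count):
        value = _fold_md5(value)
    return value

def format_hex(otp: bytes) -> str:
    """Render an OTP in the RFC 2289 hexadecimal display form: four groups of four upper-case hex digits."""
    hexdigits = otp.hex().upper()
    return " ".join(hexdigits[i:i + 4] for i in range(0, 16, 4))

_HEX_RE = re.compile(r"^[0-9a-f]{16}$")

def parse_hex_response(response: str) -> Optional[bytes]:
    """Normalise a hexadecimal response: strip any whitespace, ignore case, require exactly 64 bits.

    Returns None when the response is not a well-formed hex OTP.
    """
    compact = "".join(response.split()).lower()
    if not _HEX_RE.match(compact):
        return None
    return bytes.fromhex(compact)

class OtpVerifier:
    """Server-side state for one user (hypothetical class, not a FreeRADIUS API).

    The server stores only the last accepted OTP and the sequence number,
    never the passphrase; a response is valid when hashing it once more
    reproduces the stored value, after which the response replaces it.
    """

    def __init__(self, passphrase: str, seed: str, count: int) -> None:
        # Initialisation is the only time the passphrase is seen; count is the starting sequence number.
        self.seed = seed
        self.sequence = count
        self.last = otp_hash(passphrase, seed, count)

    def challenge(self) -> str:
        """The challenge the client must answer: the next (lower) sequence number and the seed."""
        return f"otp-md5 {self.sequence - 1} {self.seed}"

    def verify(self, response: str) -> bool:
        """Check one response; on success advance the stored state so the same OTP cannot be replayed."""
        if self.sequence <= 1:
            # Sequence exhausted: the user must re-initialise with a new seed before logging in again.
            return False
        candidate = parse_hex_response(response)
        if candidate is None:
            return False
        if _fold_md5(candidate) != self.last:
            return False
        self.last = candidate
        self.sequence -= 1
        return True

if __name__ == "__main__":
    # Constructed sample: the server is initialised at sequence 100 and challenges for 99.
    verifier = OtpVerifier("This is a test.", "TeSt", 100)
    print(verifier.challenge())
    answer = format_hex(otp_hash("This is a test.", "TeSt", 99))
    print("first attempt:", verifier.verify(answer.lower()))   # accepted, case and spacing ignored
    print("replayed:     ", verifier.verify(answer))           # rejected, the OTP was consumed
```

Note how `verify` does not compare the response to a stored cleartext value at all, which is why the post's `Auth-Type rfc2289` section hands the check to a module instead of letting `gtc` do its `Cleartext-Password == User-Password` comparison.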