EAP-TTLS & Kerberos

Thorsten Fischer thorsten at net.t-labs.tu-berlin.de
Wed Feb 2 17:29:55 CET 2011


All,

I have a number of NASs - wireless APs running hostapd. I am setting up a
freeradius 2.1.10 server to control the authentication of
username@net.example.com to the wireless network; the decision is to be made by
a Kerberos server. The setup is not working as intended, which I think stems
either from my misunderstanding of the protocols involved or of how to set up
freeradius correctly. Or both.

Later, all authentication requests of username@example.com (without the net.)
are to be forwarded to another Radius server. There will likely be more
services integrated in the same vein later, so I would like to branch out into
separate virtual servers based on realm.

My understanding is that the communication between a user@net.example.com and
freeradius needs to involve EAP-TTLS, because of the cleartext password which
is required to be passed on to kerberos. The required keytab is set up and
configured correctly. modules/krb5 is set up accordingly. bootstrap in 
raddb/certs has been run to create self-signed certs.

I have an entry in the users file:

DEFAULT    Realm == "net.example.com", Auth-Type = Kerberos

The realm is set up like this:

realm net.example.com {
        virtual_server = net.example.com
}

And the virtual server as well as the inner-tunnel have Auth-Type Kerberos { krb5 } in their authenticate section, right after Auth-Type PAP. 

Key changes in eap.conf:

eap {
  default_eap_type = ttls

  ttls {
    default_eap_type = md5
    copy_request_to_tunnel = yes
    use_tunneled_reply = yes
  }
}

Local tests succeed as follows:

$ radtest -t pap thorsten@net.example.com pwd 127.0.0.1 0 testing123
$ radtest -t eap-md5 thorsten@net.example.com pwd 127.0.0.1 0 testing123
$ radtest -t pap thorsten@net.example.com pwd 127.0.0.1:18120 0 testing123

In each of these cases, the reason for success is successful communication with
Kerberos, as exemplified by the following lines (and wrong kerberos passwords
let authentication fail):

Wed Feb  2 15:59:06 2011 : Info: Found Auth-Type = Kerberos
Wed Feb  2 15:59:06 2011 : Info: # Executing group from file /etc/freeradius/sites-enabled/net.example.com
Wed Feb  2 15:59:06 2011 : Info: +- entering group Kerberos {...}
Wed Feb  2 15:59:06 2011 : Info: ++[krb5] returns ok
Wed Feb  2 15:59:06 2011 : Auth: Login OK: [thorsten] (from client localhost port 0 via TLS tunnel)

However, tests with eapol_test locally as well as with the actual access points fail:

$ cat eap-ttls.conf
network={
        ssid="myssid"
        key_mgmt=WPA-EAP
        eap=TTLS
        identity="thorsten@net.example.com"
        password="pwd"
        phase2="auth=PAP"
}
$ eapol_test -c eap-ttls.conf -s testing123

produces:

rad_recv: Access-Request packet from host 127.0.0.1 port 60596, id=0, length=172
        User-Name = "thorsten@net.example.com"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020000250174686f727374656e406e65742e742d6c6162732e74752d6265726c696e2e6465
        Message-Authenticator = 0x3f0be4354cfc77a6285a0ad074341101
Wed Feb  2 15:33:32 2011 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Wed Feb  2 15:33:32 2011 : Info: +- entering group authorize {...}
Wed Feb  2 15:33:32 2011 : Info: ++[preprocess] returns ok
Wed Feb  2 15:33:32 2011 : Info: ++[chap] returns noop
Wed Feb  2 15:33:32 2011 : Info: ++[mschap] returns noop
Wed Feb  2 15:33:32 2011 : Info: ++[digest] returns noop
Wed Feb  2 15:33:32 2011 : Info: [suffix] Looking up realm "net.example.com" for User-Name = "thorsten@net.example.com"
Wed Feb  2 15:33:32 2011 : Info: [suffix] Found realm "net.example.com"
Wed Feb  2 15:33:32 2011 : Info: [suffix] Adding Stripped-User-Name = "thorsten"
Wed Feb  2 15:33:32 2011 : Info: [suffix] Adding Realm = "net.example.com"
Wed Feb  2 15:33:32 2011 : Info: [suffix] Proxying request from user thorsten to realm net.example.com
Wed Feb  2 15:33:32 2011 : Info: [suffix] Preparing to proxy authentication request to realm "net.example.com" 
Wed Feb  2 15:33:32 2011 : Info: ++[suffix] returns updated
Wed Feb  2 15:33:32 2011 : Info: [eap] Request is supposed to be proxied to Realm net.example.com.  Not doing EAP.
Wed Feb  2 15:33:32 2011 : Info: ++[eap] returns noop
Wed Feb  2 15:33:32 2011 : Info: [files] users: Matched entry DEFAULT at line 71
Wed Feb  2 15:33:32 2011 : Info: ++[files] returns ok
Wed Feb  2 15:33:32 2011 : Info: ++[expiration] returns noop
Wed Feb  2 15:33:32 2011 : Info: ++[logintime] returns noop
Wed Feb  2 15:33:32 2011 : Info: ++[pap] returns noop
Wed Feb  2 15:33:32 2011 : Info:   WARNING: Empty pre-proxy section.  Using default return values.
Wed Feb  2 15:33:32 2011 : Info: >>> Sending proxied request internally to virtual server.
Wed Feb  2 15:33:32 2011 : Info: server net.example.com {
Wed Feb  2 15:33:32 2011 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/net.example.com
Wed Feb  2 15:33:32 2011 : Info: +- entering group authorize {...}
Wed Feb  2 15:33:32 2011 : Info: ++[preprocess] returns ok
Wed Feb  2 15:33:32 2011 : Info: ++[digest] returns noop
Wed Feb  2 15:33:32 2011 : Info: [suffix] Request already proxied.  Ignoring.
Wed Feb  2 15:33:32 2011 : Info: ++[suffix] returns ok
Wed Feb  2 15:33:32 2011 : Info: [files] users: Matched entry DEFAULT at line 71
Wed Feb  2 15:33:32 2011 : Info: ++[files] returns ok
Wed Feb  2 15:33:32 2011 : Info: ++[expiration] returns noop
Wed Feb  2 15:33:32 2011 : Info: ++[logintime] returns noop
Wed Feb  2 15:33:32 2011 : Info: [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
Wed Feb  2 15:33:32 2011 : Info: ++[pap] returns noop
Wed Feb  2 15:33:32 2011 : Info: Found Auth-Type = Kerberos
Wed Feb  2 15:33:32 2011 : Info: # Executing group from file /etc/freeradius/sites-enabled/net.example.com
Wed Feb  2 15:33:32 2011 : Info: +- entering group Kerberos {...}
Wed Feb  2 15:33:32 2011 : Auth: rlm_krb5: Attribute "User-Password" is required for authentication.
Wed Feb  2 15:33:32 2011 : Info: ++[krb5] returns invalid
Wed Feb  2 15:33:32 2011 : Info: Failed to authenticate the user.
[...]

Apparently, the cleartext password does not get passed on. And I need to figure
out why.

This is where you come in, mailing list ;) Thank you in advance for suggestions.


Cheers,

t

-- 
Thorsten Fischer, BOWL Project Administrator
<thorsten at net.t-labs.tu-berlin.de>
Technische Universität Berlin, FG INET, TEL16, 18th floor
Ernst-Reuter-Platz 7, 10587 Berlin, Germany
Tel: +49 30 835358542, Fax: +49 391 53478347
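Added example, not part of the original post and not FreeRADIUS code: the
script below parses the outer Access-Request attributes exactly as they appear
in the rad_recv dump above, decodes the EAP-Message, and applies the same
precondition rlm_krb5 enforces (a cleartext User-Password must be present).
It shows that the outer request only carries an EAP Identity Response, so the
only thing that can act on it is the eap module; the password exists solely in
the tunnelled PAP request the inner-tunnel server sees. The inner-request
attribute lines and the choose_auth() policy are constructed for illustration,
and the "Proxy" branch for the other realm is an assumption based on the plan
to forward example.com elsewhere. Note that the EAP-Message bytes on the page
still carry the poster's unredacted realm, unlike the prose.

```python
# Added example (not from the original post or FreeRADIUS): decode the outer
# Access-Request shown in the debug output and apply the password check that
# rlm_krb5 enforces, to show which of the two requests can carry Kerberos.
import re

# Attribute lines copied from the rad_recv dump in the post. The EAP-Message
# bytes still contain the poster's real realm (net.t-labs.tu-berlin.de), while
# the User-Name in the prose was replaced by net.example.com.
OUTER_REQUEST_DUMP = """\
User-Name = "thorsten@net.example.com"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020000250174686f727374656e406e65742e742d6c6162732e74752d6265726c696e2e6465
Message-Authenticator = 0x3f0be4354cfc77a6285a0ad074341101
"""

# Constructed, not from the post: the tunnelled PAP request the TTLS
# inner-tunnel server sees once the TLS handshake is done. Only here does a
# cleartext User-Password exist.
INNER_REQUEST_DUMP = """\
User-Name = "thorsten@net.example.com"
User-Password = "pwd"
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
ATTR_RE = re.compile(r"^\s*([A-Za-z][\w-]*)\s*=\s*(.*?)\s*$")


def parse_attrs(dump):
    """Parse 'Name = value' lines as radiusd prints them: quoted values
    become str, 0x... values become bytes, anything else stays as printed."""
    attrs = {}
    for line in dump.splitlines():
        m = ATTR_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            attrs[name] = raw[1:-1]
        elif raw.startswith("0x"):
            attrs[name] = bytes.fromhex(raw[2:])
        else:
            attrs[name] = raw
    return attrs


def parse_eap(pkt):
    """Decode an EAP packet (RFC 3748): code, id, length, then type and data
    for Request/Response. An Identity Response carries only the identity."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, ident = pkt[0], pkt[1]
    length = int.from_bytes(pkt[2:4], "big")
    if length != len(pkt):
        raise ValueError("EAP length %d does not match %d bytes" % (length, len(pkt)))
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):
        if length < 5:
            raise ValueError("EAP Request/Response without type byte")
        info["type"] = pkt[4]
        info["data"] = pkt[5:]
        if pkt[4] == EAP_TYPE_IDENTITY:
            info["identity"] = pkt[5:].decode("ascii")
    return info


def split_realm(user_name):
    """The split the suffix module performs: user@realm -> (user, realm)."""
    user, sep, realm = user_name.rpartition("@")
    return (user, realm) if sep else (user_name, None)


def choose_auth(attrs, krb_realm="net.example.com"):
    """Illustrative policy, not FreeRADIUS code. Kerberos can only run when a
    cleartext User-Password is present, which an outer EAP request never has;
    such a request has to be left to the eap module so the tunnel gets built."""
    if "User-Password" in attrs:
        _, realm = split_realm(attrs.get("User-Name", ""))
        if realm == krb_realm:
            return "Kerberos"
        if realm:
            return "Proxy"  # assumption: other realms go to another RADIUS server
        return "Reject"
    if "EAP-Message" in attrs:
        return "EAP"
    return "Reject"


if __name__ == "__main__":
    outer = parse_attrs(OUTER_REQUEST_DUMP)
    print(parse_eap(outer["EAP-Message"]))
    print("outer request ->", choose_auth(outer))
    print("inner request ->", choose_auth(parse_attrs(INNER_REQUEST_DUMP)))
```

Running it prints the decoded Identity Response (code Response, length 37)
for the outer request and classifies it as EAP, while the constructed inner
PAP request is the one that qualifies for Kerberos: the users-file rule that
keys only on Realm matches both, which is why the outer request ended up in
the Kerberos group without a User-Password.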