Auth-Type Perl instead of Auth-Type EAP?

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Fri Feb 25 20:14:31 CET 2011


How are you dealing with the challenge response? If you use eap ttls with pap then this is not an issue

alan

----- Reply message -----
From: "Josh Richard" <jrichar4 at d.umn.edu>
Date: Fri, Feb 25, 2011 17:59
Subject: Auth-Type Perl instead of Auth-Type EAP?
To: "freeradius-users at lists.freeradius.org" <freeradius-users at lists.freeradius.org>

Hello list,

After a bit of digging, I would like to ask a question to ensure this
idea is even possible.
:)

I am running FR 2 on Debian.

What I would like to do is have a WPA2 PEAP/MS_ChapV2 Cisco wireless
SSID hook into the FR server above.

The FR server currently is using rlm_perl to handle authentication and
this does work with FR running with -x and a client test using
radtest:

Sending Access-Request of id 184 to <ip> port 1812
        User-Name = "jrichar4"
        User-Password = "removed"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 10
rad_recv: Access-Accept packet from host <ip> port 1812, id=184, length=20

on the server I see:

rlm_perl: Added pair User-Name = jrichar4
rlm_perl: Added pair User-Password = <removed>
rlm_perl: Added pair NAS-IP-Address = 127.0.1.1
rlm_perl: Added pair NAS-Port = 10
rlm_perl: Added pair Crypt-Password = <removed>
rlm_perl: Added pair Auth-Type = Perl

I wrote some Perl in the rlm_perl code that uses Perl's Authen::Radius
to proxy the lookup to a different production FR server containing the
set of all users.  Neat.
I hope to use this server to flip VLANs using
$RAD_REPLY{'Tunnel-Private-Group-ID'} based on an eventual db lookup
to control wireless machine infections without mutzing with an
existing server.

When the SSID is wired in, we see this:

[peap] Got inner identity 'jrichar4'
# Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
rlm_perl: Added pair User-Name = jrichar4
rlm_perl: Added pair EAP-Message = 0x0206000c016d736865746b61
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
rlm_perl: Added pair Crypt-Password = *
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair Proxy-To-Realm = LOCAL
rlm_perl: Added pair EAP-Type = MS-CHAP-V2

I would prefer to use Auth-Type = Perl in the EAP inner tunnel.  Is
this possible?  I am hoping something simple is amiss as this is close
to working!

I have only:
DEFAULT Auth-Type = Perl
in users.

In inner tunnel I have:
authenticate {
  ....
  Auth-Type Perl {
    perl
  }
  ...
  eap
}

Do I need to overload anything in eap.conf?

Thank you all and kind regards,

Josh Richard
University of Minnesota Duluth
USA
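
Added example (not part of the original thread and not FreeRADIUS code): a small Python check over the two rlm_perl debug excerpts quoted above. It shows why the challenge-response question matters: the radtest request carries a User-Password that a password-forwarding module can relay, while the PEAP inner request carries only EAP-Message. The function names and the CHALLENGE_ATTRS set are choices made for this example.

```python
import re

# Sample input: lines taken from the two debug excerpts quoted in the thread.
RADTEST_LOG = """\
rlm_perl: Added pair User-Name = jrichar4
rlm_perl: Added pair User-Password = <removed>
rlm_perl: Added pair NAS-IP-Address = 127.0.1.1
rlm_perl: Added pair NAS-Port = 10
"""
PEAP_INNER_LOG = """\
rlm_perl: Added pair User-Name = jrichar4
rlm_perl: Added pair EAP-Message = 0x0206000c016d736865746b61
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
"""

PAIR_RE = re.compile(r"^rlm_perl: Added pair (\S+) = (.*)$")

# Attributes that carry a challenge/response exchange instead of a password
# the module could forward to another server (assumed set for this example).
CHALLENGE_ATTRS = {"EAP-Message", "MS-CHAP-Challenge",
                   "MS-CHAP2-Response", "CHAP-Password"}


def parse_pairs(log):
    """Return {attribute: [values]} from 'rlm_perl: Added pair' debug lines."""
    pairs = {}
    for line in log.splitlines():
        m = PAIR_RE.match(line.strip())
        if m:
            pairs.setdefault(m.group(1), []).append(m.group(2))
    return pairs


def classify(log):
    """Classify a request by the credential material it presents."""
    pairs = parse_pairs(log)
    if "User-Password" in pairs:
        return "pap"                 # a password is present and can be relayed
    if CHALLENGE_ATTRS.intersection(pairs):
        return "challenge-response"  # nothing to relay as a password
    return "unknown"


if __name__ == "__main__":
    for name, log in (("radtest", RADTEST_LOG), ("peap inner", PEAP_INNER_LOG)):
        print(f"{name}: {classify(log)}")
```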