Using LDAP with EAP-TLS
Alexandros Gougousoudis
gougousoudis-list at servicecenter-khs.de
Mon May 16 16:13:54 CEST 2011
Hi Phil,
Phil Mayers wrote:
> You've broken the default configs by adding in modules you don't need
> and don't understand.
>
> Go back to the default configs. Then *just* configure LDAP, and things
> will work.
That's what I did right now. EAP starts (Ubuntu 10.04, with a working cert
on FR 1.1) but the conversation is ended without Access-OK.
Phil, I also understand a lot of things and I can read, but the
documentation of FR is not ideal. I've googled around, looked at examples
and had more questions than before. Where are all these features
documented, like the "if then" things in the conf, all the keywords like
"ok=return" and so on, what's the difference between Autz-Type and
Auth-Type? The only place to get help is here on the list; on the net
you find a lot of info on FR 1.1 and 2 (one is deployingradius and one the
FR site), sites containing a little bit of information, not much more than
the conf files coming with the FR archive. I'm not complaining, because
it's an open source project, but you should note that it's sometimes not
the lack of understanding but the lack of well documented features. And
if I can't find the info I need in the docs, I start to try things out.
I've added ntlm_auth to authorize requests from NT4 users, didn't know
that this is a no-go. :-)
Here's my debug:
rad_recv: Access-Request packet from host 10.48.244.28 port 3079, id=0, length=139
User-Name = "scit-beerchen"
NAS-IP-Address = 10.48.244.28
Called-Station-Id = "0016b64f44cc"
Calling-Station-Id = "002268c63ff2"
NAS-Identifier = "0016b64f44cc"
NAS-Port = 11
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0200001201736369742d626565726368656e
Message-Authenticator = 0x651ac911817a87ba89a408f0d94ab4aa
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "scit-beerchen", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "scit-beerchen", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 0 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for scit-beerchen
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> scit-beerchen
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=scit-beerchen)
[ldap] expand: dc=verwaltung,dc=kh-berlin,dc=de -> dc=verwaltung,dc=kh-berlin,dc=de
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to physalis:389, authentication 0
[ldap] bind as / to physalis:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in dc=verwaltung,dc=kh-berlin,dc=de, with filter (uid=scit-beerchen)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user scit-beerchen authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++? if (notfound)
? Evaluating (notfound) -> FALSE
++? if (notfound) -> FALSE
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.48.244.28 port 3079
EAP-Message = 0x010100060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe9291e9ae928135b6c752006f18ad076
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.48.244.28 port 3079, id=0, length=240
Cleaning up request 0 ID 0 with timestamp +22
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xe9291e9ae928135b did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
User-Name = "scit-beerchen"
NAS-IP-Address = 10.48.244.28
Called-Station-Id = "0016b64f44cc"
Calling-Station-Id = "002268c63ff2"
NAS-Identifier = "0016b64f44cc"
NAS-Port = 11
Framed-MTU = 1400
State = 0xe9291e9ae928135b6c752006f18ad076
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020100650d00160301005a0100005603014dd12d46c92ff47f67ef53def49b382dd1bcbc2402586b0ff4cb827f86d0357600002800390038003500160013000a00330032002f000500040015001200090014001100080006000300ff020100000400230000
Message-Authenticator = 0x9fe2b3e6bad80f4dc0e8255016f17083
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "scit-beerchen", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "scit-beerchen", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 1 length 101
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for scit-beerchen
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> scit-beerchen
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=scit-beerchen)
[ldap] expand: dc=verwaltung,dc=kh-berlin,dc=de -> dc=verwaltung,dc=kh-berlin,dc=de
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=verwaltung,dc=kh-berlin,dc=de, with filter (uid=scit-beerchen)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user scit-beerchen authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++? if (notfound)
? Evaluating (notfound) -> FALSE
++? if (notfound) -> FALSE
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 005a], ClientHello
[tls] TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 0031], ServerHello
[tls] TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 0ee1], Certificate
[tls] TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 030d], ServerKeyExchange
[tls] TLS_accept: SSLv3 write key exchange A
[tls] >>> TLS 1.0 Handshake [length 00bf], CertificateRequest
[tls] TLS_accept: SSLv3 write certificate request A
[tls] TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.48.244.28 port 3079
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe9291e9ae82b135b6c752006f18ad076
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
TIA
Alex
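As an added example (not part of the post and not FreeRADIUS code), the script below decodes the two EAP-Message values printed in the debug output above: the EAP Identity response and the EAP-TLS packet carrying the supplicant's ClientHello, which the server answered with Certificate, ServerKeyExchange and CertificateRequest before the session stalled waiting for the client certificate. The cipher-suite name table is a small, constructed subset of the IANA registry; suites not in it are shown as hex, and only the unfragmented first record (M flag clear) is decoded.

```python
import struct

# EAP-Message values copied from the two Access-Requests in the debug output above.
EAP_IDENTITY_HEX = "0x0200001201736369742d626565726368656e"
EAP_TLS_HEX = ("0x020100650d00160301005a0100005603014dd12d46c92ff47f67ef53def49b382d"
               "d1bcbc2402586b0ff4cb827f86d0357600002800390038003500160013000a0033"
               "0032002f000500040015001200090014001100080006000300ff020100000400230000")

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
SUITE_NAMES = {  # partial IANA table; suites not listed are shown as hex
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}

def parse_tls_record(rec):
    """Parse a TLS record header and, for a ClientHello, the offered cipher suites."""
    ctype, major, minor, rlen = struct.unpack("!BBBH", rec[:5])
    out = {"content_type": ctype, "version": (major, minor), "record_length": rlen}
    body = rec[5:5 + rlen]
    if ctype == 22 and body and body[0] == 1:   # handshake record carrying a ClientHello
        off = 4                                  # skip handshake type + 3-byte length
        out["client_version"] = (body[off], body[off + 1])
        off += 2 + 32                            # client_version + 32-byte random
        off += 1 + body[off]                     # length-prefixed session_id
        cs_len = struct.unpack("!H", body[off:off + 2])[0]
        suites = struct.unpack("!%dH" % (cs_len // 2), body[off + 2:off + 2 + cs_len])
        out["cipher_suites"] = [SUITE_NAMES.get(s, "0x%04x" % s) for s in suites]
    return out

def parse_eap_message(hex_value):
    """Decode one EAP-Message attribute as printed by radiusd -X (RFC 3748 / RFC 5216)."""
    data = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("EAP length %d does not match %d bytes present" % (length, len(data)))
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):                           # Success/Failure carry no type byte
        return info
    info["type"] = data[4]
    if data[4] == 1:                             # Identity
        info["identity"] = data[5:].decode("ascii")
    elif data[4] == 13:                          # EAP-TLS: flags, optional 4-byte length, TLS data
        flags = data[5]
        info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
        # Only an unfragmented record (M clear) is decoded, which is what the log above shows.
        info["tls"] = parse_tls_record(data[10 if flags & 0x80 else 6:])
    return info
```

Running both values through parse_eap_message shows the plain-text identity scit-beerchen and a TLS 1.0 ClientHello offering 20 suites, including RC4 and export-grade ones, which is useful context when checking which suites the server's certificate and key can actually complete.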