Using LDAP with EAP-TLS

Alexandros Gougousoudis gougousoudis-list at servicecenter-khs.de
Mon May 16 16:13:54 CEST 2011 

Hi Phil,

Phil Mayers schrieb:
> You've broken the default configs by adding in modules you don't need 
> and don't understand.
>
> Go back to the default configs. Then *just* configure LDAP, and things 
> will work.

Thats what I did right now, EAP starts (Ubuntu 10.04, with working cert 
on FR 1.1) but conversation is ended without Access-OK.

Phil, I also understand a lot of things and I can read, but the 
documentation of FR is not ideal. I've googled around, looked examples 
and had more questions than before. Where are all these features 
documented, like the "if then"-things in the conf, all the keywords like 
"ok=return" and so on, what's the difference between Autz-Type and 
Auth-Type? The only thing to get help is here on the list, on the net 
you find a lot infos to FR 1.1 and 2 (one is deployinradius and one the 
FR site) sites containing a little bit information, no much more than 
the conf-files coming with the FR-archive. I'am not complaining, because 
it's an open source project, but you should note that it's sometimes not 
the lack of understanding than the lack of well documented features. And 
if I can't find the infos I need in the docs, I start to try things out.

I've added ntlm_auth to authorize requests from NT4-Users, didn't know 
that this is a NoGo. :-)

Here's my debug:

rad_recv: Access-Request packet from host 10.48.244.28 port 3079, id=0, 
length=139
        User-Name = "scit-beerchen"
        NAS-IP-Address = 10.48.244.28
        Called-Station-Id = "0016b64f44cc"
        Calling-Station-Id = "002268c63ff2"
        NAS-Identifier = "0016b64f44cc"
        NAS-Port = 11
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0200001201736369742d626565726368656e
        Message-Authenticator = 0x651ac911817a87ba89a408f0d94ab4aa
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "scit-beerchen", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "scit-beerchen", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 0 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for scit-beerchen
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> scit-beerchen
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> 
(uid=scit-beerchen)
[ldap]  expand: dc=verwaltung,dc=kh-berlin,dc=de -> 
dc=verwaltung,dc=kh-berlin,dc=de
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to physalis:389, authentication 0
  [ldap] bind as / to physalis:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in dc=verwaltung,dc=kh-berlin,dc=de, with 
filter (uid=scit-beerchen)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that 
the user is configured correctly?
[ldap] user scit-beerchen authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++? if (notfound)
? Evaluating (notfound) -> FALSE
++? if (notfound) -> FALSE
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.48.244.28 port 3079
        EAP-Message = 0x010100060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe9291e9ae928135b6c752006f18ad076
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.48.244.28 port 3079, id=0, 
length=240
Cleaning up request 0 ID 0 with timestamp +22
WARNING: 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xe9291e9ae928135b did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
        User-Name = "scit-beerchen"
        NAS-IP-Address = 10.48.244.28
        Called-Station-Id = "0016b64f44cc"
        Calling-Station-Id = "002268c63ff2"
        NAS-Identifier = "0016b64f44cc"
        NAS-Port = 11
        Framed-MTU = 1400
        State = 0xe9291e9ae928135b6c752006f18ad076
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 
0x020100650d00160301005a0100005603014dd12d46c92ff47f67ef53def49b382dd1bcbc2402586b0ff4cb827f86d0357600002800390038003500160013000a00330032002f000500040015001200090014001100080006000300ff020100000400230000
        Message-Authenticator = 0x9fe2b3e6bad80f4dc0e8255016f17083
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "scit-beerchen", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "scit-beerchen", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 1 length 101
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for scit-beerchen
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> scit-beerchen
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> 
(uid=scit-beerchen)
[ldap]  expand: dc=verwaltung,dc=kh-berlin,dc=de -> 
dc=verwaltung,dc=kh-berlin,dc=de
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=verwaltung,dc=kh-berlin,dc=de, with 
filter (uid=scit-beerchen)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that 
the user is configured correctly?
[ldap] user scit-beerchen authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++? if (notfound)
? Evaluating (notfound) -> FALSE
++? if (notfound) -> FALSE
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls]     (other): before/accept initialization
[tls]     TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 005a], ClientHello
[tls]     TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 0031], ServerHello
[tls]     TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 0ee1], Certificate
[tls]     TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 030d], ServerKeyExchange
[tls]     TLS_accept: SSLv3 write key exchange A
[tls] >>> TLS 1.0 Handshake [length 00bf], CertificateRequest
[tls]     TLS_accept: SSLv3 write certificate request A
[tls]     TLS_accept: SSLv3 flush data
[tls]     TLS_accept: Need to read more data: SSLv3 read client 
certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.48.244.28 port 3079
        EAP-Message = 
0x010204000dc0000012f216030100310200002d03014dd129e0adad8673f2fce2ffdc2d9de7d042d80ddb9e351e2a4edcf3964bf407000039010005ff010001001603010ee10b000edd000eda000768308207643082054ca003020102020200a2300d06092a864886f70d01010505003081aa310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312530230603550403141c5365727669636543656e7465722d49545f4b48425f48664d5f4866533121301f
        EAP-Message = 
0x06092a864886f70d010901161273632d6974406b682d6265726c696e2e6465301e170d3131303531363131323030335a170d3135303930323131323030335a30818c310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312a3028060355040313216e65777261646975732e76657277616c74756e672e6b682d6265726c696e2e646530820222300d06092a864886f70d01010105000382020f003082020a0282020100dfeef8cb014fe248fe43e06a93e2
        EAP-Message = 
0x7ecb291d93be1541d256785c0e58a376bcd3acda16b7381691a454c0bfc93071fc156389a4219452823096a6b9a847a799dfe50de0c94c3d454255f25daa54be452d8a83ba73f9d6e9b7ac0ea8510f59b190148aec94351f0df3902a983f3ff6cbfdc67e234ca67300fa7512d382a7a626b513acc30d5b0ec159c12beeb479e1c3b652d7a38ee6afaf5e3cc7a44f675eca597bdea3d4dc339f1106e5c7f60ed277a3086ebef50dccd376c15fbcebefa3f9837334da2d60da8c788e22832c7f2db1fc51269527afacbd740c0dfc595cbeecb486bb7c827bd61dbb5a831e43c677c5ad344ead828356fc64f7089fa8ced44cc4ad4db57b035080698e6b96
        EAP-Message = 
0xd6c9928a8bee9d73bcb417faf0517733a38962d274b76aeb13fa1690260ed413415750a39db8354b2c2196f656d61d86fdcd8f33ffd3ec209a008815ecd6dd376e2ff2cab0b28366eb4e9a1aa6cb38b187daec729aeafbc01403ba25c82cc2560133e59c2608898c3ef918f58a07f664e0e3b9109b2ef687992f51ab82f8c6abbe938bd11e215e6be38ef0977501c8c72c52153cd1cd8b0f48a6cb70848b8ce4cb8af06615eda1adb8f289ee71c67980bb2db646317c91a25c37f328abe7cebffec0b2619b5a5ff1a44b676fe65497b81d0f7cdf20cf995167bfc15f3efdfd723c91415d3ccf186a49ebe6e79c7fdebe1541a6ae090203010001a38201
        EAP-Message = 0xae308201aa30090603551d13
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe9291e9ae82b135b6c752006f18ad076
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.


TIA
 Alex

More information about the Freeradius-Users mailing list