PEAP/mschapv2 - opendirectory

Kemal YILDIRIM kemaly at hotmail.com
Mon Nov 14 21:40:39 CET 2011
Hello all,
I've just been able to implement a wired 802.1X system with PEAP/MSCHAPv2 authentication against opendirectory, which is running on MacOSX Server 10.6.8 Leopard.
At the end I have a "working" setup, but I'd like to learn more to fix my faults.
 
Below you can find my study steps and config changes.
 
And these are my questions regarding the following outputs.
 
Q1- Is it possible to get RADIUS attributes with the opendirectory module (not well documented)? If yes, please share your experience.
Q2- I am not sure what is happening during the mschap challenge/response below.
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] No NT-Password configured. Trying OpenDirectory Authentication.
[mschap] OD username_string = onex, OD shortUserName=onex (length = 4) 
[mschap] dsDoDirNodeAuth returns stepbuff: S=D134BC291881FAF31275724FE84FEA40648F64C6 (len=40) 
++[mschap] returns ok
MSCHAP Success 
 
 
1. Testbed:
Auth Server	: FreeRadius 2.1.3 running on MacOSX 10.6.8 Leopard, other services: opendirectory (openLDAP), Kerberos, DNS, DHCP
Authenticator	: HP Networking 2910 switch
Supplicants	: WindowsXPsp3, Windows7, MacOSX (PEAP/mschapv2)
Directory Admin	: diradmin
Test User	: onex
authentication	: opendirectory (the mschap module calls the opendirectory module for the challenge/response)
authorization	: by LDAP search in the post-auth section inside the inner-tunnel server.
authorization	: settings are Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id (by LDAP search)
sql client db	: the Mac OS X serveradmin GUI has access to configure RADIUS clients (max count is 64); I am not using clients.conf
 
As I understood it, Mac OS X Server is actually using OpenLDAP, but Apple named it "opendirectory", restricting and changing the access methods.
There was no radius schema file in Apple's distribution of FreeRADIUS, or at least I could not find it where it normally would be. So I downloaded the schema file and extended it manually.
 
 
2. LDAP schema extension and creating radius attributes for 802.1x
/etc/openldap/slapd.conf
include /etc/openldap/schema/radius.schema
 
slaptest -f slapd.conf -F slapd.d
 
/etc/openldap/slapd.d/cn=config/cn=schema/cn={10}radius.ldif
dn: cn={10}radius
 
restart host or restart slapd
dscl
cd LDAPv3
auth diradmin abc123
cd 127.0.0.1/Groups/vlan10
create . radiusTunnelPrivateGroupId 10
cd ..
cd vlan20
create . radiusTunnelPrivateGroupId 20
...
I will set Tunnel-Type and Tunnel-Medium-Type statically in the post-auth section; the radiusTunnelPrivateGroupId attribute is sufficient in LDAP.
 
 
3. Radius config
Non-default or changed parameters are written here.
The LDAP module will not be used for authentication; it will be used only to set radiusTunnelPrivateGroupId.
Authentication is done through the opendirectory module via the mschap call.
 
MacOSX issue: without Apple base stations the RADIUS service could not be started from the serveradmin GUI;
this needs to be fixed by deleting some lines regarding the BaseStation check in the following file.
/Applications/Server/Server\ Admin.app/Contents/Resources/RoleBasedSetup.bundle/Contents/PlugIns/RadiusPlugin.plugin/Contents/Resources/RadiusSteps.plist
 
 
/private/etc/raddb/modules/ldap
ldap {
        server = "radsrv.lab.com"
        identity = "uid=diradmin,cn=users,dc=radsrv,dc=lab,dc=com"
        password = abc123
        basedn = "dc=radsrv,dc=lab,dc=com"
        # In my test only User-Name is used
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        base_filter = "(objectclass=radiusprofile)"
        # As far as I know LDAP only works with PAP authentication
        set_auth_type = no
}
 
 
/private/etc/raddb/attrs
DEFAULT
        Tunnel-Type == VLAN,
        Tunnel-Medium-Type == IEEE-802,
        Tunnel-Private-Group-Id =* ANY,
 
 
/private/etc/raddb/ldap.attrmap
# I am not able to check ntlm or other hashes, only a uid check for "return noop"
checkItem       User-Name                       uid
replyItem       Tunnel-Type                     radiusTunnelType
replyItem       Tunnel-Medium-Type              radiusTunnelMediumType
replyItem       Tunnel-Private-Group-Id         radiusTunnelPrivateGroupId
 
 
/private/etc/raddb/radiusd.conf
max_request = 16384
proxy_requests  = no
# MAX client count is 64 in the sql db (if I run out of space, I will use clients.conf in addition)
#$INCLUDE clients.conf
 
 
/private/etc/raddb/proxy.conf
# doing nothing, but I'd like to use it
realm LAB.COM {
}
 
/private/etc/raddb/eap.conf
default_eap_type = peap
#gtc
#leap
#md5
tls {
	private_key_password = Apple:UseCertAdmin
	private_key_file = "/etc/certificates/radsrv.lab.com.23C900DA0044BDB9E24ACE1BCFAFFB0747756C25.key.pem"
	certificate_file = "/etc/certificates/radsrv.lab.com.23C900DA0044BDB9E24ACE1BCFAFFB0747756C25.cert.pem"
	CA_file = "/etc/certificates/radsrv.lab.com.23C900DA0044BDB9E24ACE1BCFAFFB0747756C25.chain.pem"
	dh_file = /etc/raddb/certs/dh
	random_file = /etc/raddb/certs/random
}
peap {
	use_tunneled_reply = yes
}
 
/private/etc/raddb/sites-enabled/default
authorize {
#chap
#unix
#files
#pap
}
authenticate {
#       Auth-Type PAP {
#               pap
#       }
#       Auth-Type CHAP {
#               chap
#       }
#   Auth-Type opendirectory {
#      opendirectory
#    }
#unix
#       Auth-Type LDAP {
#               ldap
#       }
...
}
 
 
/private/etc/raddb/sites-enabled/inner-tunnel
authorize {
#chap
#mschap
#unix
#files
#LDAP is checking uid only, enabled for post-auth section
ldap
#pap
}
authenticate {
#       Auth-Type PAP {
#               pap
#       }
#       Auth-Type CHAP {
#               chap
#       }
}
#unix
#suffix
# in the ldap search the radiusTunnelPrivateGroupId attribute is reached if cn=vl* AND memberUid=%{User-Name}
# all group names need to start with "vl"
# attribute value "10" is returned in this case

post-auth {
	update reply {
                Tunnel-Type = VLAN
                Tunnel-Medium-Type = IEEE-802
                Tunnel-Private-Group-Id = "%{ldap:ldap:///dc=radsrv,dc=lab,dc=com?radiusTunnelPrivateGroupId?sub?(&(cn=vl*)(memberUid=%{User-Name}))}"
	}
}
 
4. Switch config: an HP Networking 2910 switch is used in this testbed
interface 1 name Supplicant
interface 3 name RadiusServer
vlan 10 name CorporateVLAN
ip add 10.10.10.1/24
ip helper 10.10.100.100
exit
vlan 40 name UnauthVLAN
ip add 10.10.40.1/24
ip helper 10.10.100.100
exit
vlan 100
ip add 10.10.100.1/24
untag 3
exit
radius-server host 10.10.100.100 key 123
aaa authentication port-access eap-radius
aaa accounting network start-stop radius
aaa port-access authenticator 1
aaa port-access authenticator 1 unauth-vid 40
aaa port-access authenticator 1 client-limit 2
aaa port-access authenticator 1 control auto
aaa port-access authenticator active
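The post's post-auth section answers the switch with three RFC 2868 tunnel attributes, and the switch only moves the port into a VLAN if all three are present and consistent. The following is an added example (not code from the original post and not FreeRADIUS code) that builds those attributes on the wire the way an Access-Accept carries them and decodes them the way an authenticator must: the tag in tagged integers occupies one octet and leaves 3 for the value, and in Tunnel-Private-Group-Id a first octet above 0x1F is string data rather than a tag, which is exactly the case for "10" (0x31). The attribute numbers and values are RFC 2868/3580 facts; the function names, the strict length checks and the 1..4094 VLAN range check are my own design.

```python
"""RFC 2868 tunnel attributes as carried in the Access-Accept for dynamic VLAN
assignment (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id).

Added example; not code from the original post or from FreeRADIUS.
"""
import struct

# Attribute numbers (RFC 2868) and the values the post's post-auth section sets.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
VLAN = 13        # Tunnel-Type "VLAN" (RFC 3580)
IEEE_802 = 6     # Tunnel-Medium-Type "IEEE-802"


def tagged_int(attr: int, value: int, tag: int = 0) -> bytes:
    """Tagged integer AVP: Type, Length=6, Tag, 3-octet big-endian value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    if not 0 <= value < 1 << 24:
        raise ValueError("value does not fit in 3 octets")
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")


def tagged_string(attr: int, text: str, tag: int = 0) -> bytes:
    """Tagged string AVP: Type, Length, Tag, String (ASCII)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    body = bytes([tag]) + text.encode("ascii")
    if len(body) > 253:
        raise ValueError("attribute too long")
    return struct.pack("!BB", attr, 2 + len(body)) + body


def vlan_reply(vlan_id: int, tag: int = 0) -> bytes:
    """The three AVPs the post's post-auth 'update reply' produces for one VLAN."""
    return (tagged_int(TUNNEL_TYPE, VLAN, tag)
            + tagged_int(TUNNEL_MEDIUM_TYPE, IEEE_802, tag)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id), tag))


def parse_avps(data: bytes) -> list:
    """Split a RADIUS attribute list into (type, value) pairs, rejecting bad lengths."""
    avps, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated AVP header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad AVP length")
        avps.append((atype, data[i + 2:i + alen]))
        i += alen
    return avps


def decode_vlan(data: bytes):
    """Return the VLAN id the switch should apply, or None if the tunnel
    attributes are absent or inconsistent.  Attributes are grouped by tag so a
    Tunnel-Type from one group is never paired with a Group-Id from another."""
    groups = {}
    for atype, value in parse_avps(data):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tagged integer must be 4 octets")
            groups.setdefault(value[0], {})[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            if not value:
                raise ValueError("empty Tunnel-Private-Group-Id")
            # RFC 2868 s3.6: a first octet > 0x1F is string data, not a tag.
            if value[0] <= 0x1F:
                tag, text = value[0], value[1:]
            else:
                tag, text = 0, value
            groups.setdefault(tag, {})[atype] = text.decode("ascii")
    for attrs in groups.values():
        if (attrs.get(TUNNEL_TYPE) == VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            gid = attrs[TUNNEL_PRIVATE_GROUP_ID]
            if gid.isdigit() and 1 <= int(gid) <= 4094:
                return int(gid)
    return None


if __name__ == "__main__":
    reply = vlan_reply(10)
    print(reply.hex(), "->", decode_vlan(reply))
```

The decoder mirrors what the post's attrs filter leaves open: `Tunnel-Private-Group-Id =* ANY` passes whatever string the LDAP xlat returns, so a group with a non-numeric or out-of-range attribute value reaches the switch and is rejected there rather than at the server. Checking the value range on the RADIUS side, as `decode_vlan` does, is the cheap way to catch a bad directory entry before a port silently falls back to the unauth VLAN.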
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: radiusd-X.txt
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20111114/778261b8/attachment.txt>