Cross platform secure login on wpa2
Brian Candler
b.candler at pobox.com
Thu Dec 15 10:56:33 CET 2016
On 15/12/2016 09:23, Henti Smith wrote:
> That is correct. I just can't find the documentation to outline how to
> achieve this, hence using two documents each, detailing one component
> and ending up where I am.
>
> If I can be pointed in a direction of some documentation that covers
> exactly that, it would help a great load.
>
OK. I don't have that I'm afraid.
I have one pointer which may help. In your EAP outer config (the
"default" virtual server) you may want something like this:
    eap {
        ok = return
        updated = return   # << new: also stop here on intermediate EAP rounds
    }
This is to ensure that any modules you put after this aren't invoked
during an EAP exchange, except at the very end.
The problem I found originally was with a config like this:
    eap {
        ok = return
    }
    mypolicy
In "mypolicy" I was setting Auth-Type := reject in some circumstances,
based on group membership.
This was resulting in the user being rejected part-way through the EAP
exchange, because (1) during one of the intermediate EAP steps, the eap
module returns "updated" instead of "ok", and so it fell through to the
next step of the default server; and (2) at that point, mypolicy was
seeing the outer (anonymous) identity, not the true identity of the user.
I'm afraid I don't know how to invoke the krb5 module. In the
documentation at https://wiki.freeradius.org/modules/Rlm_krb5 it says:
    Auth-Type Kerberos {
        krb5
    }
However it's not at all clear to me how Auth-Type := Kerberos is set in
the first place. You may have to do this explicitly in the inner tunnel
virtual server, e.g. at the end of the authorize section put something like
    update control {
        Auth-Type = Kerberos   # '=' only sets it if nothing has set it yet
    }
(the '=' operator will set it only if it's not already been set to
something else)
Looking through the source: the rlm_krb5 module doesn't have an
authorize hook which could do this. However the rlm_pap module appears
to have functionality to set the auth type to its own name. Hence, if
you create an instance of the rlm_pap module called "Kerberos" this may
do what you want; but this is not mentioned in the rlm_pap manpage.
Regards,
Brian.
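The outer/inner layout described in the message above, written out as one configuration fragment. This is an added example, not configuration from the original post; it assumes FreeRADIUS 3.x virtual-server syntax (the `update control { ... }` wrapper is the 3.x way of setting Auth-Type), the policy name "mypolicy" and the Auth-Type name "Kerberos" are taken from the message, and the file names are the stock 3.x defaults.

```unlang
# Added example, not from the original post. Assumes FreeRADIUS 3.x.
# "mypolicy" and the Auth-Type name "Kerberos" are taken from the message.

# sites-enabled/default -- the OUTER virtual server that terminates EAP.
# Returning on both "ok" and "updated" stops processing here on every
# intermediate EAP round, so mypolicy only runs once the tunnel has
# finished and it never sees the anonymous outer identity.
authorize {
    eap {
        ok = return
        updated = return
    }
    mypolicy
}

authenticate {
    eap
}

# sites-enabled/inner-tunnel -- the INNER virtual server that sees the
# real user identity carried inside the tunnel.
authorize {
    # ... the usual inner-tunnel authorize modules go before this ...

    # '=' (not ':=') only assigns Auth-Type if no earlier module has set it,
    # so anything that already chose an Auth-Type keeps its choice.
    update control {
        Auth-Type = Kerberos
    }
}

authenticate {
    # Auth-Type "Kerberos" dispatches to the krb5 module, as in the
    # Rlm_krb5 wiki page quoted in the message.
    Auth-Type Kerberos {
        krb5
    }
}
```

Note that any group-based rejection logic belongs in the inner-tunnel `authorize` section (where the real identity is visible), not in the outer server's `mypolicy`, which is exactly the split the message describes.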