LDAP authorize for both EAP-TLS and EAP-PEAP

David Hartburn D.J.Hartburn at kent.ac.uk
Thu Jan 28 17:41:58 CET 2016


Thanks Alan and Matthew, that has got it going (after a long time 
looking at a stupid mistake I made!).

On a reject I did get an error message detailed below. I changed the 
LDAP condition to check for a group called 'cheese', rather than my real 
LDAP group in order to force a rejection. This does reject but gives an 
EAP error. Is this just the normal way it drops out of the check-eap-tls 
virtual server?

It certainly does what I want, but at the moment I'm treating red as 
something bad.

Dave

(44)      if (Ldap-Group != "cheese")  -> TRUE
(44)     if (Ldap-Group != "cheese")  {
(44)      update config {
(44)  	Auth-Type := Reject
(44)      } # update config = noop
(44)     } # if (Ldap-Group != "cheese")  = noop
(44)    } # if ("%{User-Name}" =~ /^host\/(.*)\\.ad\\.kent\\.ac\\.uk$/i)  = noop
(44)   auth_log : EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(44)   auth_log :    --> /var/log/radius/radacct/129.12.6.216/auth-detail-20160128
(44)   auth_log : /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/129.12.6.216/auth-detail-20160128
(44)   auth_log : EXPAND %t
(44)   auth_log :    --> Thu Jan 28 16:29:23 2016
(44)    [auth_log] = ok
(44)   } #  authorize = ok
(44)  Found Auth-Type = Reject
(44)  Auth-Type = Reject, rejecting user
(44)  Failed to authenticate the user
(44)  Login incorrect: [host/LT7VISC18.ad.kent.ac.uk] (from client cwlc-cer port 2 cli 24:77:03:ac:c4:94 via TLS tunnel)
(44)  Using Post-Auth-Type Reject
(44)    Reply:
(44)  } # server check-eap-tls
(44)  eap_tls : Certificates were rejected by the virtual server
  SSL: Removing session 819d396e4ac42d139e27941979cef5340eeca0bba6ed20fb285ff3dd518d3d6f from the cache
(44)  ERROR: eap : Failed continuing EAP TLS (13) session. EAP sub-module failed
(44)  eap : Failed in EAP select
(44)   [eap] = invalid
(44)  } #  authenticate = invalid
(44) Failed to authenticate the user
(44) Login incorrect (eap: Failed continuing EAP TLS (13) session. EAP sub-module failed)
On 25/01/16 17:08, A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>
>> I'm struggling to find any documentation or examples on using the
>> check_eap_tls module. Is it a case of putting something in our local
>> eduroam virtual server to punt TLS attempts off to this server?
>> Where would you put that without breaking the EAP-PEAP
>> authentication?
>
> just call virtual_server = check-eap-tls in the TLS specific sub-section of
> eap
>
> the original commit for this feature is:
>
> https://github.com/mcnewton/freeradius-server/commit/fbee1e9b4ce93c15d0f074ad3fdfb71ba095a4ed
>
>
> peap and ttls have their own subsections so can be treated differently
>
>
>
> alan
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
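The following configuration fragment is added here as an illustration; it is not code from the thread or from the FreeRADIUS distribution. It shows how the advice above fits together: the tls sub-section of the eap module hands every completed EAP-TLS handshake to a check-eap-tls virtual server, PEAP keeps its own sub-section and inner tunnel untouched, and the check-eap-tls server performs the LDAP group check visible in the debug output. The tls-common settings, the group name "Domain Computers", and the assumption that machine certificates carry the host FQDN in their CN are mine, as is the comparison of the outer identity against the presented certificate (the outer User-Name is chosen by the supplicant, so on its own it proves nothing about which certificate was shown). The fragment also assumes, as in FreeRADIUS 3.0.x, that eap_tls treats anything other than an Access-Accept from the virtual server as a rejection, so the success path sets Auth-Type := Accept explicitly and everything else fails closed. In the debug output above, the Reject set in this server is what eap_tls reports as "Certificates were rejected by the virtual server", followed by the "Failed continuing EAP TLS (13) session" error.

```conf
# mods-enabled/eap (fragment; example, not the shipped file)
eap {
	default_eap_type = peap

	tls-config tls-common {
		private_key_file = ${certdir}/server.pem
		certificate_file = ${certdir}/server.pem
		# Assumed CA: clients whose certificate is not signed by it
		# never get as far as the virtual server below.
		ca_file = ${cadir}/ca.pem
	}

	tls {
		tls = tls-common
		# After a successful handshake, run the client certificate and
		# the outer identity through this virtual server. A Reject there
		# makes eap_tls fail the session.
		virtual_server = check-eap-tls
	}

	peap {
		tls = tls-common
		# PEAP has its own sub-section, so the EAP-TLS check above does
		# not affect it; inner authentication stays in inner-tunnel.
		virtual_server = "inner-tunnel"
	}
}

# sites-enabled/check-eap-tls (example, not the shipped file)
server check-eap-tls {
	authorize {
		# Fail closed: only the path that passes every check flips this
		# to Accept.
		update config {
			Auth-Type := Reject
		}

		# Domain-joined machines authenticate as host/NAME.ad.kent.ac.uk
		if ("%{User-Name}" =~ /^host\/(.*)\.ad\.kent\.ac\.uk$/i) {
			# Tie the claimed identity to the certificate actually
			# presented. Assumption: machine certs have the FQDN as CN.
			if ("%{tolower:%{TLS-Client-Cert-Common-Name}}" == "%{tolower:%{1}}.ad.kent.ac.uk") {
				# Group name is an assumption for this example; the ldap
				# module resolves Ldap-Group against the User-Name.
				if (Ldap-Group == "Domain Computers") {
					update config {
						Auth-Type := Accept
					}
				}
			}
		}

		# Keep a per-client detail log of every certificate check
		auth_log
	}

	# No authenticate section is needed: Auth-Type Accept and Reject are
	# handled by the core.

	post-auth {
		Post-Auth-Type Reject {
			attr_filter.access_reject
		}
	}
}
```

Swapping the group name for one that cannot match, as the poster did with "cheese", leaves Auth-Type at Reject, which is exactly the path the debug output above follows into "Using Post-Auth-Type Reject" and then the eap_tls rejection message.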