Problems with "virtual_server" for EAP-pwd
Christian Strauf
strauf at rz.tu-clausthal.de
Mon Mar 27 16:14:05 CEST 2017
Hi all!
For our eduroam setup we use FreeRADIUS to authenticate EAP-TTLS, PEAP as well as EAP-pwd requests. For each of these EAP types you have to configure the "virtual_server" which deals with the tunneled authentication (which is a little odd with respect to EAP-pwd because it isn't a tunneled method). Within the "inner-tunnel*" virtual servers we connect to an LDAP server to get the user credentials and RADIUS attributes that are associated with a specific user. Furthermore, we call a policy in the authorize section that is defined in policy.d/ that simply checks whether a certain attribute is set to "yes" or "no". The check basically looks like this:
if ( ...<some check>... ) {
reject
}
This works nicely with the inner-tunnel virtual servers that are used for EAP-TTLS and PEAP. It basically looks like this if the check yields a reject:
(11) if (...<some check>...) {
(11) [reject] = reject
(11) } # if (...<some check>...) = reject
(11) } # policy XXXX = reject
(11) } # authorize = reject
(11) Using Post-Auth-Type Reject
(11) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(11) Post-Auth-Type REJECT {
...
(11) } # Post-Auth-Type REJECT = updated
(11) } # server inner-tunnel
(11) Virtual server sending reply
This reject is forwarded to the outer session and this works as expected. However, it doesn't work with the inner-tunnel virtual server that we use for EAP-pwd. Please note that the configuration is virtually identical (except that you obviously don't need inner authentication methods for EAP-pwd). You basically get debugging output that looks like this:
(2) if (...<some check>...) {
(2) [reject] = reject
(2) } # if (...<some check>...) = reject
(2) } # policy XXXX = reject
(2) } # authorize = reject
(2) eap_pwd: } # server inner-tunnel-eap-pwd
(2) eap_pwd: Got tunneled reply code 0
It looks like the eap_pwd module doesn't receive the reject generated within the authorize section of the inner-tunnel virtual server. Please note that EAP-pwd authentication per se works without any problems. Furthermore, I perfectly understand that only the authorize section of the inner-tunnel virtual server is used by EAP-pwd anyhow (it's simply used to retrieve credentials). However, it's not clear to me why the exact same configuration works for EAP-TTLS / PEAP but not for EAP-pwd because other things that we do within the authorize section (like setting RADIUS attributes that are used in the outer session etc.) work. I was thinking about working around the problem by doing something like
update outer.session-state { ... }
to generate a reject within the outer session. Do you have any suggestions as to what the right way would be to work around this? Apart from a workaround, do you think this could be a bug in the EAP-pwd module? I tried to read the source code, but I'm not a programmer and I couldn't figure out how the EAP-pwd module works differently from the EAP-TTLS and PEAP modules with respect to how it works with inner-tunnel virtual servers. Any help would be highly appreciated.
Kind regards,
Christian Strauf
--
Dipl.-Math. Christian Strauf
Clausthal Univ. of Technology E-Mail: strauf at rz.tu-clausthal.de
Rechenzentrum Web: www.rz.tu-clausthal.de
Erzstraße 18 Tel.: +49-5323-72-2086 Fax: -992086
D-38678 Clausthal-Zellerfeld
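As an added example (not part of the post above or of FreeRADIUS itself), the following script parses `radiusd -X` debug output of the shape shown in the two traces and flags requests where the inner virtual server's authorize section returned `reject` but the calling EAP module still logged `Got tunneled reply code 0`. The sample log text is constructed from the post's traces, and the "dropped reject" rule is a heuristic based only on what the post observes, not on any documented meaning of reply code 0.

```python
import re
from collections import defaultdict

# Constructed sample of radiusd -X output, modelled on the two traces in the
# post: request 11 is an inner-tunnel (EAP-TTLS/PEAP) reject that reaches
# Post-Auth-Type Reject; request 2 is the EAP-pwd inner server whose reject is
# followed by "Got tunneled reply code 0".
SAMPLE_DEBUG = """\
(11) } # authorize = reject
(11) Using Post-Auth-Type Reject
(11) } # Post-Auth-Type REJECT = updated
(11) } # server inner-tunnel
(11) Virtual server sending reply
(2) } # authorize = reject
(2) eap_pwd: } # server inner-tunnel-eap-pwd
(2) eap_pwd: Got tunneled reply code 0
"""

LINE_RE = re.compile(r"^\((\d+)\)\s+(.*)$")          # "(N) <body>"
AUTHORIZE_RE = re.compile(r"\} # authorize = (\w+)")  # section result
SERVER_RE = re.compile(r"^(?:(\w+): )?\} # server (\S+)")  # optional module prefix
TUNNEL_REPLY_RE = re.compile(r"Got tunneled reply code (\d+)")


def parse_debug(text):
    """Per request id: authorize result, inner server name, calling module
    (None when the server was not entered via an EAP module) and any
    tunneled reply code the module reported."""
    reqs = defaultdict(dict)
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        rid, body = int(m.group(1)), m.group(2)
        if a := AUTHORIZE_RE.search(body):
            reqs[rid]["authorize"] = a.group(1)
        elif s := SERVER_RE.match(body):
            reqs[rid]["module"] = s.group(1)
            reqs[rid]["server"] = s.group(2)
        elif t := TUNNEL_REPLY_RE.search(body):
            reqs[rid]["tunneled_reply_code"] = int(t.group(1))
    return dict(reqs)


def find_dropped_rejects(reqs):
    """Request ids whose inner authorize returned reject while the calling
    EAP module still reported tunneled reply code 0 (heuristic from the post)."""
    return sorted(rid for rid, r in reqs.items()
                  if r.get("authorize") == "reject"
                  and r.get("tunneled_reply_code") == 0)


if __name__ == "__main__":
    parsed = parse_debug(SAMPLE_DEBUG)
    for rid in find_dropped_rejects(parsed):
        print(f"request {rid}: {parsed[rid]['module']} ignored reject from "
              f"server {parsed[rid]['server']}")
```

Run it against a real debug capture by replacing `SAMPLE_DEBUG` with the file contents; request ids in a live capture repeat across runs, so compare within one capture only.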