Freeradius PROXY: EAP-PEAP - TLS with NT-Password and Cleartext-Password
Andrei Antonelli
andreirp at gmail.com
Thu Jun 28 20:15:25 CEST 2018
Hi, could someone help me with the example of my configuration below?
I have
*Client* <---> *Wireless Controller*: MYWLAN(802.1x EAP) <---> *Freeradius.*
AAA Server setting in Controller with IP: 192.168.100.3 (my internal
freeradius)
Freeradius *Version 3.0.16 with Mysql*
*Two Freeradius servers: one HCRPP(internal) and CR(External)*
radcheck attribute is *NT-Password* (HCRPP), and the user stored in the
database is without suffix.
*radcheck attribute is Cleartext-Password for (CR)*
*Freeradius HCRPP uses EAP 802.1x and CR - PAP cleartext*
*What I need is: when a user authenticates without a suffix or with the suffix
(@hcrpp.com), use EAP-PEAP or TLS to authenticate against my local freeradius,
and if the suffix is @cr.net, proxy to 126.100.20.3 with a cleartext password.*
When I'm logging in with a username and password *without suffix*, *it works*,
but when I'm logging in with a *suffix* like testuser@hcrpp.com or
testuser@cr.net I get this error message:
suffix: Checking for suffix after "@"
(22) suffix: Looking up realm "hcrpp.com" for User-Name = "testuser@hcrpp.com"
(22) suffix: Found realm "hcrpp.com"
(22) suffix: Adding Realm = "hcrpp.com"
(22) suffix: Proxying request from user testuser@hcrpp.com to realm hcrpp.com
(22) suffix: Preparing to proxy authentication request to realm "hcrpp.com"
(22) [suffix] = updated
(22) update control {
(22) &Proxy-To-Realm := "LOCAL"
(22) } # update control = noop
(22) eap: Peer sent EAP Response (code 2) ID 6 length 81
(22) eap: No EAP Start, assuming it's an on-going EAP conversation
(22) [eap] = updated
(22) sql: EXPAND %{User-Name}
(22) sql: --> testuser@hcrpp.com
(22) sql: SQL-User-Name set to 'testuser@hcrpp.com'
rlm_sql (sql): Reserved connection (19)
(22) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(22) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser@hcrpp.com' ORDER BY id
(22) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser@hcrpp.com' ORDER BY id
(22) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(22) sql: --> SELECT groupname FROM radusergroup WHERE username = 'testuser@hcrpp.com' ORDER BY priority
(22) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'testuser@hcrpp.com' ORDER BY priority
(22) sql: User not found in any groups
rlm_sql (sql): Released connection (19)
(22) [sql] = notfound
(22) [pap] = noop
(22) } # authorize = updated
(22) Found Auth-Type = eap
(22) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(22) authenticate {
(22) eap: Expiring EAP session with state 0xa05ae720a05cfdb8
(22) eap: Finished EAP session with state 0xa05ae720a05cfdb8
(22) eap: Previous EAP request found for state 0xa05ae720a05cfdb8, released from the list
(22) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(22) eap: Calling submodule eap_mschapv2 to process data
(22) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(22) eap_mschapv2: Auth-Type MS-CHAP {
*(22) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password*
*(22) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password*
(22) mschap: Creating challenge hash with username: testuser@hcrpp.com
(22) mschap: Client is using MS-CHAPv2
*(22) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication*
*(22) mschap: ERROR: MS-CHAP2-Response is incorrect*
*My config below*
*proxy.conf*
home_server HCRPP {
    type = auth+acct
    ipaddr = 192.168.100.3
    port = 1821
    secret = XXXX
    require_message_authenticator = yes
    response_window = 20
    zombie_period = 40
    status_check = status-server
    check_interval = 30
    num_answers_to_alive = 3
    max_outstanding = 65536
}
home_server CR {
    type = auth+acct
    ipaddr = 126.100.20.3
    port = 1812
    secret = XXXX
}
home_server_pool HCRPPOOL {
    type = fail-over
    home_server = HCRPP
}
home_server_pool CRPOOL {
    type = fail-over
    home_server = CR
}
realm hcrpp.com {
    auth_pool = HCRPPOOL
    strip
}
realm cr.net {
    auth_pool = CRPOOL
    nostrip
}
------------------------------------------
*mods-enabled/eap*
eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = ${max_requests}
    md5 {
    }
    # ...
    ttls {
        tls = tls-common
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }
    peap {
        tls = tls-common
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        proxy_tunneled_request_as_eap = no
        virtual_server = "inner-tunnel"
    }
}
*sites-enabled/default*
authorize {
    preprocess
    sql
    eap {
        ok = return
        updated = return
    }
    suffix
    # ...
}
*sites-enabled/inner-tunnel*
authorize {
    suffix
    update control {
        &Proxy-To-Realm := "LOCAL"
    }
    eap {
        ok = return
    }
    sql
    # ...
}
Thanks
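In the inner-tunnel trace above, the sql module keys its radcheck lookup on the full User-Name ('testuser@hcrpp.com') even though realm hcrpp.com is configured with strip and the row is stored without a suffix, so rlm_mschap is left with no NT-Password to verify the MS-CHAPv2 response against. The fragment below is an added example, not taken from the post or from the FreeRADIUS distribution files, of a realm-aware sql_user_name (the stock 3.0.x option in mods-available/sql) shown beside the default that keys on the raw User-Name; the server, login, password and database values are placeholders.

```conf
# mods-available/sql, FreeRADIUS 3.0.x (added example; every value marked
# PLACEHOLDER must be replaced with the site's own settings)
sql {
    driver = "rlm_sql_mysql"
    dialect = "mysql"
    server = "localhost"            # PLACEHOLDER
    login = "radius"                # PLACEHOLDER
    password = "PLACEHOLDER"
    radius_db = "radius"            # PLACEHOLDER

    # Stock setting: the lookup key is the User-Name exactly as the
    # supplicant sent it, so "testuser@hcrpp.com" never matches a radcheck
    # row stored as "testuser" and rlm_mschap finds no NT-Password.
    #sql_user_name = "%{User-Name}"

    # Realm-aware key: the suffix module sets Stripped-User-Name only for
    # realms configured with "strip" (hcrpp.com above); the xlat falls back
    # to User-Name when nothing was stripped (no suffix at all, or a
    # "nostrip" realm such as cr.net, which is proxied rather than looked
    # up here).
    sql_user_name = "%{%{Stripped-User-Name}:-%{User-Name}}"

    # The matched radcheck row still has to carry NT-Password or
    # Cleartext-Password: MS-CHAPv2 inside PEAP cannot be verified against
    # any other stored password form.
    read_clients = no
}
```

The same Stripped-User-Name fallback applies to the outer sites-enabled/default server, where sql currently runs before suffix and therefore sees the unstripped name as well.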