environment:
latest freeradius from CVS
RedHat Linux 8 with openssl-0.9.6b-35.8 RPM
openssl-0.9.7c installed from source
eDirectory 8.7.1 LDAP server
Cisco AP1220 access point
MeetingHouse Aegis client 2.2.0.28 doing EAP-TTLS/PAP

By installing a modern openssl and following the instructions at
http://www.missl.cs.umd.edu/wireless/eaptls I was able to compile
freeradius to support EAP-TTLS. The EAP-TLS and EAP-TTLS Makefiles are
adjusted to use the newer openssl, while the rest of the compile uses
the one from the RPM. It works as advertised.

I authorize and authenticate via LDAP. Everything works fine with a
clear-text connection to the LDAP server. 
However, as soon as I attempt an SSL bind to the LDAP server,
freeradius crashes:

rad_recv: Access-Request packet from host 127.0.0.1:39012, id=237,
length=57
        User-Name = "tulik"
        User-Password = "xxxxxxxx"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 10
rad_lowerpair:  User-Name now 'tulik'
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched DEFAULT at 20
    users: Matched DEFAULT at 22
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
  Processing the authorize section of radiusd.conf
modcall: entering group Autz-Type for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for tulik
radius_xlat:  '(&(objectclass=user)(cn=tulik))'
radius_xlat:  'o=CWU'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to alecto.cts.cwu.edu:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as cn=psauth,ou=operations,o=cwu/xxxxxxxxx to
alecto.cts.cwu.edu:636
^^^
At this point freeradius just exits (no segfault message). Note that
EAP isn't involved in this exchange; the request is coming from
radtest.

I assume this is due to an openssl problem, so as an experiment I
compiled freeradius to use the current openssl libraries for all modules
(configure --with-openssl-libraries=... --with-openssl-includes=...).
Using the current openssl things get more interesting:

A radtest request succeeds for a clear-text bind:

rad_recv: Access-Request packet from host 127.0.0.1:39009, id=50,
length=57
        User-Name = "tulik"
        User-Password = "xxxxxxx"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 10
rad_lowerpair:  User-Name now 'tulik'
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched DEFAULT at 20
    users: Matched DEFAULT at 22
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
  Processing the authorize section of radiusd.conf
modcall: entering group Autz-Type for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for tulik
radius_xlat:  '(&(objectclass=user)(cn=tulik))'
radius_xlat:  'o=CWU'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to megaera.cts.cwu.edu:389, authentication 0
rlm_ldap: bind as cn=psauth,ou=operations,o=cwu/xxxxx to
megaera.cts.cwu.edu:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=CWU, with filter
(&(objectclass=user)(cn=tulik))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user tulik authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group Autz-Type returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authtype for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "tulik" with password "xxxxxx"
rlm_ldap: user DN: cn=tulik,ou=TST,ou=Students,o=CWU
rlm_ldap: (re)connect to megaera.cts.cwu.edu:389, authentication 1
rlm_ldap: bind as cn=tulik,ou=TST,ou=Students,o=CWU/xxxxx to
megaera.cts.cwu.edu:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user tulik authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 0
modcall: group authtype returns ok for request 0
radius_xlat:  '/usr/local/bin/dot1x-vlan
cn=tulik,ou=TST,ou=Students,o=CWU'
Exec-Program: /usr/local/bin/dot1x-vlan
cn=tulik,ou=TST,ou=Students,o=CWU
Exec-Program output: Tunnel-Private-Group-ID:1 := 723 
Exec-Program-Wait: value-pairs: Tunnel-Private-Group-ID:1 := 723
Exec-Program: returned: 0
Login OK: [tulik] (from client localhost port 10)
Sending Access-Accept of id 50 to 127.0.0.1:39009
        Tunnel-Type:1 := VLAN
        Tunnel-Medium-Type:1 := IEEE-802
        Tunnel-Private-Group-Id:1 := "723"
Finished request 0

and also an SSL bind succeeds:
 
rad_recv: Access-Request packet from host 127.0.0.1:39010, id=62,
length=57
        User-Name = "tulik"
        User-Password = "xxxxxxx"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 10
rad_lowerpair:  User-Name now 'tulik'
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched DEFAULT at 20
    users: Matched DEFAULT at 22
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
  Processing the authorize section of radiusd.conf
modcall: entering group Autz-Type for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for tulik
radius_xlat:  '(&(objectclass=user)(cn=tulik))'
radius_xlat:  'o=CWU'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to alecto.cts.cwu.edu:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as cn=psauth,ou=operations,o=cwu/xxxxxx to
alecto.cts.cwu.edu:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=CWU, with filter
(&(objectclass=user)(cn=tulik))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user tulik authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group Autz-Type returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authtype for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "tulik" with password "xxxxxx"
rlm_ldap: user DN: cn=tulik,ou=TST,ou=Students,o=CWU
rlm_ldap: (re)connect to alecto.cts.cwu.edu:636, authentication 1
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as cn=tulik,ou=TST,ou=Students,o=CWU/xxxxxx to
alecto.cts.cwu.edu:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user tulik authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 0
modcall: group authtype returns ok for request 0
radius_xlat:  '/usr/local/bin/dot1x-vlan
cn=tulik,ou=TST,ou=Students,o=CWU'
Exec-Program: /usr/local/bin/dot1x-vlan
cn=tulik,ou=TST,ou=Students,o=CWU
Exec-Program output: Tunnel-Private-Group-ID:1 := 723 
Exec-Program-Wait: value-pairs: Tunnel-Private-Group-ID:1 := 723
Exec-Program: returned: 0
Login OK: [tulik] (from client localhost port 10)
Sending Access-Accept of id 62 to 127.0.0.1:39010
        Tunnel-Type:1 := VLAN
        Tunnel-Medium-Type:1 := IEEE-802
        Tunnel-Private-Group-Id:1 := "723"
Finished request 0

However, when EAP is introduced, things break.

rad_recv: Access-Request packet from host 172.16.80.94:21683, id=216,
length=159
        User-Name = "anonymous"
        Framed-MTU = 1400
        Called-Station-Id = "0007.85b4.049a"
        Calling-Station-Id = "0040.9641.dc73"
        WISPr-Location-Name = "Bouillon 202C"
        Message-Authenticator = 0x5541ded568e95b4392d2ed0945d32dc1
        EAP-Message = 0x0202000e01616e6f6e796d6f7573
        NAS-Port-Type = Wireless-802.11
        Cisco-NAS-Port = "406"
        NAS-Port = 406
        Service-Type = Framed-User
        NAS-IP-Address = 172.16.80.94
rad_lowerpair:  User-Name now 'anonymous'
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  rlm_eap: EAP packet type response id 2 length 14
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
    users: Matched anonymous at 10
  modcall[authorize]: module "files" returns ok for request 2
modcall: group authorize returns updated for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
...
lots of EAP stuff deleted
...
modcall: entering group authenticate for request 16
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11 
  eaptls_process returned 7 
  rlm_eap_ttls: Session established.  Proceeding to decode tunneled
attributes.
  TTLS: Got tunneled request
        User-Name = "tulik"
        User-Password = "xxxxxx"
        FreeRADIUS-Proxied-To = 127.0.0.1
  TTLS: Sending tunneled request
        User-Name = "tulik"
        User-Password = "xxxxxx"
        FreeRADIUS-Proxied-To = 127.0.0.1
        Framed-MTU = 1400
        Called-Station-Id = "0007.85b4.049a"
        Calling-Station-Id = "0040.9641.dc73"
        WISPr-Location-Name = "Bouillon 202C"
        NAS-Port-Type = Wireless-802.11
        Cisco-NAS-Port = "406"
        NAS-Port = 406
        Service-Type = Framed-User
        NAS-IP-Address = 172.16.80.94
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 16
  modcall[authorize]: module "preprocess" returns ok for request 16
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 16
    users: Matched DEFAULT at 20
    users: Matched DEFAULT at 22
  modcall[authorize]: module "files" returns ok for request 16
modcall: group authorize returns ok for request 16
  Processing the authorize section of radiusd.conf
modcall: entering group Autz-Type for request 16
rlm_ldap: - authorize
rlm_ldap: performing user authorization for tulik
radius_xlat:  '(&(objectclass=user)(cn=tulik))'
radius_xlat:  'o=CWU'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=CWU, with filter
(&(objectclass=user)(cn=tulik))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user tulik authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 16
modcall: group Autz-Type returns ok for request 16
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authtype for request 16
rlm_ldap: - authenticate
rlm_ldap: login attempt by "tulik" with password "xxxxxx"
rlm_ldap: user DN: cn=tulik,ou=TST,ou=Students,o=CWU
rlm_ldap: (re)connect to alecto.cts.cwu.edu:636, authentication 1
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as cn=tulik,ou=TST,ou=Students,o=CWU/xxxxx to
alecto.cts.cwu.edu:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user tulik authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 16
modcall: group authtype returns ok for request 16
radius_xlat:  '/usr/local/bin/dot1x-vlan
cn=tulik,ou=TST,ou=Students,o=CWU'
Exec-Program: /usr/local/bin/dot1x-vlan
cn=tulik,ou=TST,ou=Students,o=CWU
Exec-Program output: Tunnel-Private-Group-ID:1 := 723 
Exec-Program-Wait: value-pairs: Tunnel-Private-Group-ID:1 := 723
Exec-Program: returned: 0
Login OK: [tulik] (from client localhost port 406 cli 0040.9641.dc73)
  TTLS: Got tunneled reply RADIUS code 2
        Tunnel-Type:1 := VLAN
        Tunnel-Medium-Type:1 := IEEE-802
        Tunnel-Private-Group-Id:1 := "723"
  TTLS: Got tunneled Access-Accept
^^^
At this point freeradius exits (no segfault message). This log was from
an SSL bind, but a clear-text bind also causes freeradius to exit at the
same point when it is compiled with current openssl. The EAP exchange
works fine until the tunneled user is authenticated and then freeradius
dies.

It appears that current openssl permits LDAP SSL to function, but it
breaks EAP. On the other hand, the stable openssl permits EAP to
function, but breaks LDAP SSL.
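When radiusd exits silently like this, the first thing worth knowing is which request was in flight, whether it had an LDAP bind open (and to which host, port and TLS mode), whether EAP was involved, and whether the log ever reached "Finished request". The following script is an added example, not part of the original post or of the FreeRADIUS project; it parses `radiusd -X` style output such as the excerpts above and reports that per request. The sample log is constructed from the post's own excerpts with the wrapped lines joined back together, and the function names (`decode_eap`, `triage`, `summarize`) and the dictionaries of EAP codes and types are mine.

```python
"""Triage helper for radiusd -X debug output (added example, not from the post).

For each Access-Request in the log it records the LDAP bind target and TLS
mode, decodes the outer EAP-Message attribute (RFC 3748 header), and notes
whether the request reached "Finished request" or the log just stops.
"""
import re

# Constructed sample: lines taken from the post's excerpts, wrapped lines
# rejoined, and most intermediate module output removed.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 127.0.0.1:39012, id=237, length=57
        User-Name = "tulik"
rlm_ldap: (re)connect to alecto.cts.cwu.edu:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as cn=psauth,ou=operations,o=cwu/xxxxxxxxx to alecto.cts.cwu.edu:636
rad_recv: Access-Request packet from host 127.0.0.1:39009, id=50, length=57
        User-Name = "tulik"
rlm_ldap: (re)connect to megaera.cts.cwu.edu:389, authentication 0
rlm_ldap: bind as cn=psauth,ou=operations,o=cwu/xxxxx to megaera.cts.cwu.edu:389
rlm_ldap: Bind was successful
Sending Access-Accept of id 50 to 127.0.0.1:39009
Finished request 0
rad_recv: Access-Request packet from host 172.16.80.94:21683, id=216, length=159
        User-Name = "anonymous"
        EAP-Message = 0x0202000e01616e6f6e796d6f7573
  rlm_eap: EAP packet type response id 2 length 14
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as cn=tulik,ou=TST,ou=Students,o=CWU/xxxxx to alecto.cts.cwu.edu:636
rlm_ldap: Bind was successful
  TTLS: Got tunneled Access-Accept
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "TLS", 17: "LEAP", 21: "TTLS"}


def decode_eap(hexstr):
    """Decode one EAP packet given in the 0x... form used by the debug log."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident = data[0], data[1]
    length = int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError(f"EAP length field {length} != {len(data)} bytes present")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:          # Request/Response carry a Type byte
        info["type"] = EAP_TYPES.get(data[4], data[4])
        if data[4] == 1:                          # Identity: the NAI as plain bytes
            info["identity"] = data[5:].decode("utf-8", "replace")
    return info


RECV_RE = re.compile(r"^rad_recv: Access-Request packet from host (\S+), id=(\d+)")
BIND_RE = re.compile(r"^rlm_ldap: bind as (\S+?)/\S+ to (\S+):(\d+)")
TLS_RE = re.compile(r"^rlm_ldap: setting TLS mode to (\d+)")
EAPMSG_RE = re.compile(r"^\s*EAP-Message = (0x[0-9a-fA-F]+)")


def triage(log_text):
    """Split the log into requests and collect the facts needed to place an exit."""
    requests, cur = [], None
    for line in log_text.splitlines():
        m = RECV_RE.match(line)
        if m:
            cur = {"from": m.group(1), "id": int(m.group(2)), "ldap": None,
                   "tls_mode": 0, "eap": None, "bind_ok": False, "finished": False}
            requests.append(cur)
            continue
        if cur is None:
            continue
        if (m := BIND_RE.match(line)):
            cur["ldap"] = (m.group(2), int(m.group(3)))
        elif (m := TLS_RE.match(line)):
            cur["tls_mode"] = int(m.group(1))
        elif (m := EAPMSG_RE.match(line)):
            cur["eap"] = decode_eap(m.group(1))
        elif line.startswith("rlm_ldap: Bind was successful"):
            cur["bind_ok"] = True
        elif line.startswith("Finished request"):
            cur["finished"] = True
    return requests


def summarize(requests):
    """One human-readable line per request; the last line shows where the log stopped."""
    out = []
    for r in requests:
        ldap = (f"{r['ldap'][0]}:{r['ldap'][1]} tls_mode={r['tls_mode']}"
                f" bind_ok={r['bind_ok']}" if r["ldap"] else "no LDAP bind")
        eap = (f"EAP {r['eap']['code']}/{r['eap'].get('type')}"
               f" identity={r['eap'].get('identity')!r}" if r["eap"] else "no EAP")
        status = "finished" if r["finished"] else "STOPPED before Finished request"
        out.append(f"id={r['id']} from {r['from']}: {ldap}; {eap}; {status}")
    return out


if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_LOG)):
        print(line)
```

Run against the post's logs the tool reports the first request stopped at an LDAPS bind with tls_mode=1 and the third stopped after a completed EAP-TTLS tunnel whose outer identity decodes to "anonymous", which is the same split the author describes (stable openssl breaks the LDAP SSL bind, current openssl breaks the EAP side). Feeding it a full `radiusd -X` capture instead of the sample only requires joining lines the mail client wrapped.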

relevant portions of radiusd.conf:

...lines deleted...

modules {

  ...lines deleted...

  eap {

    default_eap_type = ttls

    md5 {
    }

    leap {
    }

    tls {
      private_key_password = xxxxxxxx
      private_key_file = /usr/local/etc/raddb/certs/newreq.pem
      certificate_file = /usr/local/etc/raddb/certs/newreq.pem

      CA_file = /usr/local/etc/raddb/certs/root.pem

      dh_file = /usr/local/etc/raddb/certs/dh
      random_file = /usr/local/etc/raddb/certs/random
    }

    ttls {
      default_eap_type = md5
      copy_request_to_tunnel = yes
      use_tunneled_reply = yes
    }
  }

  ...lines deleted...

  ldap {
    server = "megaera.cts.cwu.edu"
    #server = "alecto.cts.cwu.edu"
    #port = 636
    identity = "cn=psauth,ou=operations,o=cwu"
    password = xxxxxx
    basedn = "o=CWU"
    filter = "(&(objectclass=user)(cn=%{User-Name}))"
    start_tls = no
    tls_mode = no


    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    access_attr_used_for_allow = no

    # don't care about these
    #
    # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
    # profile_attribute = "radiusProfileDn"
    #access_attr = "dialupAccess"
    # ldap_cache_timeout = 120
    # ldap_cache_size = 0
    # password_header = "{clear}"
    # password_attribute = userPassword
    # groupname_attribute = cn
    # groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
    # groupmembership_attribute = radiusGroupName
    # compare_check_items = yes
  }

...lines deleted...

authorize {
  preprocess
  eap
  files

  Autz-Type LDAP {
    ldap
  }

  Autz-Type SQL {
    sql
  }
}


authenticate {
  eap
  authtype PAP {
    pap
  }
  authtype LDAP {
    ldap
  }
}

...lines deleted...

post-proxy {
  attr_filter
  eap
}


relevant portions of users:

DEFAULT Autz-Type := LDAP
        Fall-Through = Yes
DEFAULT Auth-Type == LDAP
     Tunnel-Type:1 := VLAN,
     Tunnel-Medium-Type:1 := IEEE-802,
     Tunnel-Private-Group-ID:1 := 726,
     # set dynamic VLAN
     Exec-Program-Wait = "/usr/local/bin/dot1x-vlan %{Ldap-UserDn}"

-- David Hart


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
