After getting OpenWrt 15.05 running with PacketFence dynamic VLANs on open SSIDs, we ran into some problems with the secure SSIDs.
We seem to be able to connect on open SSIDs without problem using the registration portal authenticating against our LDAP directory. With the secure SSIDs we just get username and password prompts, but cannot seem to be authenticated. In our case all users are using email addresses as their usernames, which could be from any domain, e.g. @gmail.com, etc. Our original plan was to allow users with credentials to use them, and have everyone else do self-service registration or pre-registration. It seems to fail processing types tls, ttls, md5 and mschapv2. Is there some limitation that EAP cannot bind to LDAP on the backend the same way as the web form? Attached as a tar.gz is our rad_auth.txt, with one of the relevant sections included here below:

Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.3.1.3 port 45715, id=70, length=291
        User-Name = "[email protected]"
        NAS-Identifier = "archer6b3a"
        Called-Station-Id = "62-E3-27-A4-6B-38:PF-SECURE"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1
        Calling-Station-Id = "F8-16-54-CD-36-0B"
        Connect-Info = "CONNECT 54Mbps 802.11a"
        Acct-Session-Id = "56E0DDF6-00000008"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027076
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        EAP-Message = 0x028e00471500170303003c60a8fabc799f83aaca02cbdb1ce74225675e42e35f07bfe19c1dee8e9729a2076afed74fe38ab14b34b544830d693483d70d8441d348beb1e4e1fa42
        State = 0x3c3f451f38b150869fbafde7b9b852f6
        Message-Authenticator = 0x214c1ce62a29cb057019af2f45d145a0
server packetfence {
# Executing section authorize from file /usr/local/pf/raddb//sites-enabled/packetfence
+group authorize {
++policy rewrite.calling_station_id {
+++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i)
?? Evaluating (Calling-Station-Id) -> TRUE
        expand: %{Calling-Station-Id} -> F8-16-54-CD-36-0B
        expand: policy.mac-addr -> policy.mac-addr
        expand: ^%{config:policy.mac-addr}$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$
? Evaluating ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
+++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
+++if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {
++++update request {
        expand: %{1}:%{2}:%{3}:%{4}:%{5}:%{6} -> F8:16:54:CD:36:0B
        expand: %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} -> f8:16:54:cd:36:0b
++++} # update request = noop
++++[updated] = updated
+++} # if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) = updated
+++ ... skipping else for request 6: Preceding "if" was taken
++} # policy rewrite.calling_station_id = updated
++policy set.called_station_ssid {
+++? if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i)
?? Evaluating (Called-Station-Id) -> TRUE
        expand: %{Called-Station-Id} -> 62-E3-27-A4-6B-38:PF-SECURE
        expand: policy.mac-addr -> policy.mac-addr
        expand: ^%{config:policy.mac-addr}(:(.+))?$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$
? Evaluating ("%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) -> TRUE
+++? if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) -> TRUE
+++if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) {
++++update request {
        expand: %{1}:%{2}:%{3}:%{4}:%{5}:%{6} -> 62:E3:27:A4:6B:38
        expand: %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} -> 62:e3:27:a4:6b:38
++++} # update request = noop
++++? if ("%{8}")
        expand: %{8} -> PF-SECURE
? Evaluating ("%{8}") -> TRUE
++++? if ("%{8}") -> TRUE
++++if ("%{8}") {
+++++update request {
        expand: %{Called-Station-Id}:%{8} -> 62:e3:27:a4:6b:38:PF-SECURE
        expand: %{8} -> PF-SECURE
+++++} # update request = noop
++++} # if ("%{8}") = noop
++++ ... skipping elsif for request 6: Preceding "if" was taken
++++ ... skipping elsif for request 6: Preceding "if" was taken
++++ ... skipping elsif for request 6: Preceding "if" was taken
++++[updated] = updated
+++} # if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) = updated
+++ ... skipping else for request 6: Preceding "if" was taken
++} # policy set.called_station_ssid = updated
[suffix] Looking up realm "gmail.com" for User-Name = "[email protected] "
[suffix] No such realm "gmail.com"
++[suffix] = noop
[ntdomain] No '\' in User-Name = "[email protected]", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] = noop
++[preprocess] = ok
[eap] EAP packet type response id 142 length 71
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
        EAP-Message = 0x0200001a01612e736861726f6e33363940676d61696c2e636f6d
        FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Got tunneled identity of [email protected]
[ttls] Setting default EAP type for tunneled EAP session.
[ttls] Sending tunneled request
        EAP-Message = 0x0200001a01612e736861726f6e33363940676d61696c2e636f6d
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "[email protected]"
        NAS-Identifier = "archer6b3a"
        Called-Station-Id = "62:e3:27:a4:6b:38:PF-SECURE"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1
        Calling-Station-Id = "f8:16:54:cd:36:0b"
        Connect-Info = "CONNECT 54Mbps 802.11a"
        Acct-Session-Id = "56E0DDF6-00000008"
        WLAN-Pairwise-Cipher = 1027076
        WLAN-Group-Cipher = 1027076
        WLAN-AKM-Suite = 1027073
        Framed-MTU = 1400
        NAS-IP-Address = 10.3.1.3
server packetfence-tunnel {
# Executing section authorize from file /usr/local/pf/raddb//sites-enabled/packetfence-tunnel
+group authorize {
[suffix] Looking up realm "gmail.com" for User-Name = "[email protected] "
[suffix] No such realm "gmail.com"
++[suffix] = noop
[ntdomain] No '\' in User-Name = "[email protected]", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] = noop
[eap] EAP packet type response id 0 length 26
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence-tunnel
+group authenticate {
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
} # server packetfence-tunnel
[ttls] Got tunneled reply code Access-Challenge
        EAP-Message = 0x010100160410555fe7f19531a0da99b2cce5ed16e573
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xd13e8fedd13f8bd8fd1bfa0e59347e73
[ttls] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
} # server packetfence
Sending Access-Challenge of id 70 to 10.3.1.3 port 45715
        EAP-Message = 0x018f004715800000003d170303003832fec58b22c67e2b827de5b69ccc83883311ae2aea8e2d266001fc716b808162ba2e6d552ec4c06183c7cfd2f290dca403bc25229e709312
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x3c3f451f39b050869fbafde7b9b852f6
Attachment: rad_auth.txt.tar.gz (GNU Zip compressed data)
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
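As an added example (editor's code, not from the post or from PacketFence/FreeRADIUS), a small decoder for the EAP-Message hex values that FreeRADIUS prints in debug output. Run over two values from the log above, it shows that the outer packet (id 142) is an EAP-TTLS Response wrapping a TLS 1.2 application-data record, and that the tunneled reply is an EAP-MD5 Challenge, i.e. the "default EAP type for tunneled EAP session" that the server picked. The Identity sample is constructed with a placeholder user; `decode_eap_message` and all constant names are this example's own.

```python
"""Decode RADIUS EAP-Message attribute values (RFC 3748 framing) from FreeRADIUS debug logs."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS", 21: "TTLS",
             25: "PEAP", 26: "MSCHAPv2"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

# Sample values: the first two are copied from the debug log above; the Identity
# response is constructed with a placeholder user so no real address appears here.
OUTER_TTLS_RESPONSE = ("0x028e00471500170303003c60a8fabc799f83aaca02cbdb1ce74225675e42e35f07bfe1"
                       "9c1dee8e9729a2076afed74fe38ab14b34b544830d693483d70d8441d348beb1e4e1fa42")
TUNNELED_MD5_CHALLENGE = "0x010100160410555fe7f19531a0da99b2cce5ed16e573"
CONSTRUCTED_IDENTITY = "0x0200001501" + "user@example.com".encode().hex()


def decode_eap_message(hex_value: str) -> dict:
    """Parse one EAP-Message value ("0x..." string) into its header and type-specific fields."""
    data = bytes.fromhex(hex_value[2:] if hex_value.lower().startswith("0x") else hex_value)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length field {length} does not match {len(data)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2):
        return pkt                                   # Success/Failure carry no Type field
    eap_type, body = data[4], data[5:]
    pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:                                # Identity: the name the supplicant sent
        pkt["identity"] = body.decode("utf-8", errors="replace")
    elif eap_type == 4:                              # MD5-Challenge: value-size, value, [name]
        size = body[0]
        pkt["challenge"] = body[1:1 + size].hex()
    elif eap_type in (13, 21, 25):                   # TLS-based methods: flags, [length], TLS data
        flags, tls = body[0], body[1:]
        pkt["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
        if flags & 0x80:                             # L bit set: 4-byte total TLS message length
            pkt["tls_total_length"] = struct.unpack("!I", tls[:4])[0]
            tls = tls[4:]
        if len(tls) >= 5:                            # first TLS record header in this fragment
            ctype, version, rec_len = struct.unpack("!BHH", tls[:5])
            pkt["tls_record"] = {"content_type": TLS_CONTENT.get(ctype, ctype),
                                 "version": hex(version), "length": rec_len}
    return pkt


if __name__ == "__main__":
    for sample in (OUTER_TTLS_RESPONSE, TUNNELED_MD5_CHALLENGE, CONSTRUCTED_IDENTITY):
        print(decode_eap_message(sample))
```

Background worth knowing when reading that MD5 challenge: EAP-MD5 and EAP-MSCHAPv2 can only be verified by a server that holds the user's password (or NT hash) itself, whereas an LDAP bind can only test a password it is given, which is why EAP-TTLS with an inner PAP method is the usual pairing for bind-only directories.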
