Hello Ian,

EAP-TLS should work; you have to configure the FreeRADIUS side to add the CA public key (eap.conf).
To make it work with LDAP (EAP-MSCHAPv2) you need to have the cleartext password or the NT-hash password in an attribute (like eDir with the Universal Password).

http://deployingradius.com/documents/protocols/compatibility.html
https://github.com/inverse-inc/packetfence/tree/devel/addons/nthash_AD_attribute

Regards,
Fabrice

On 2016-03-10 00:15, Ian MacDonald wrote:
> After getting the OpenWRT 15.05 running with PacketFence dynamic VLANs on open SSIDs we ran into some problems with the secure SSIDs.
>
> We seem to be able to connect on open SSIDs without problem using the registration portal authenticating against our LDAP directory.
>
> With the secure SSIDs we just get username and password prompts, but cannot seem to be authenticated.
>
> In our case all users are using email addresses as their usernames, which could be from any domain, i.e. @gmail.com, etc. Our original plan was to allow users with credentials to use them, and have everyone else do self-service registration or pre-registration.
>
> It seems to fail processing type tls, ttls, md5 and mschapv2.
>
> Is there some limitation that EAP cannot bind to LDAP on the backend the same way as the web form?
>
> Attached as a tar.gz is our rad_auth.txt with one of the relevant sections included here below:
>
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 10.3.1.3 port 45715, id=70, length=291
>         User-Name = "[email protected]"
>         NAS-Identifier = "archer6b3a"
>         Called-Station-Id = "62-E3-27-A4-6B-38:PF-SECURE"
>         NAS-Port-Type = Wireless-802.11
>         NAS-Port = 1
>         Calling-Station-Id = "F8-16-54-CD-36-0B"
>         Connect-Info = "CONNECT 54Mbps 802.11a"
>         Acct-Session-Id = "56E0DDF6-00000008"
>         WLAN-Pairwise-Cipher = 1027076
>         WLAN-Group-Cipher = 1027076
>         WLAN-AKM-Suite = 1027073
>         Framed-MTU = 1400
>         EAP-Message = 0x028e00471500170303003c60a8fabc799f83aaca02cbdb1ce74225675e42e35f07bfe19c1dee8e9729a2076afed74fe38ab14b34b544830d693483d70d8441d348beb1e4e1fa42
>         State = 0x3c3f451f38b150869fbafde7b9b852f6
>         Message-Authenticator = 0x214c1ce62a29cb057019af2f45d145a0
> server packetfence {
> # Executing section authorize from file /usr/local/pf/raddb//sites-enabled/packetfence
> +group authorize {
> ++policy rewrite.calling_station_id {
> +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i)
> ?? Evaluating (Calling-Station-Id) -> TRUE
>         expand: %{Calling-Station-Id} -> F8-16-54-CD-36-0B
>         expand: policy.mac-addr -> policy.mac-addr
>         expand: ^%{config:policy.mac-addr}$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$
> ? Evaluating ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
> +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
> +++if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {
> ++++update request {
>         expand: %{1}:%{2}:%{3}:%{4}:%{5}:%{6} -> F8:16:54:CD:36:0B
>         expand: %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} -> f8:16:54:cd:36:0b
> ++++} # update request = noop
> ++++[updated] = updated
> +++} # if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) = updated
> +++ ... skipping else for request 6: Preceding "if" was taken
> ++} # policy rewrite.calling_station_id = updated
> ++policy set.called_station_ssid {
> +++? if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i)
> ?? Evaluating (Called-Station-Id) -> TRUE
>         expand: %{Called-Station-Id} -> 62-E3-27-A4-6B-38:PF-SECURE
>         expand: policy.mac-addr -> policy.mac-addr
>         expand: ^%{config:policy.mac-addr}(:(.+))?$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$
> ? Evaluating ("%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) -> TRUE
> +++? if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) -> TRUE
> +++if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) {
> ++++update request {
>         expand: %{1}:%{2}:%{3}:%{4}:%{5}:%{6} -> 62:E3:27:A4:6B:38
>         expand: %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} -> 62:e3:27:a4:6b:38
> ++++} # update request = noop
> ++++? if ("%{8}")
>         expand: %{8} -> PF-SECURE
> ? Evaluating ("%{8}") -> TRUE
> ++++? if ("%{8}") -> TRUE
> ++++if ("%{8}") {
> +++++update request {
>         expand: %{Called-Station-Id}:%{8} -> 62:e3:27:a4:6b:38:PF-SECURE
>         expand: %{8} -> PF-SECURE
> +++++} # update request = noop
> ++++} # if ("%{8}") = noop
> ++++ ... skipping elsif for request 6: Preceding "if" was taken
> ++++ ... skipping elsif for request 6: Preceding "if" was taken
> ++++ ... skipping elsif for request 6: Preceding "if" was taken
> ++++[updated] = updated
> +++} # if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) = updated
> +++ ... skipping else for request 6: Preceding "if" was taken
> ++} # policy set.called_station_ssid = updated
> [suffix] Looking up realm "gmail.com" for User-Name = "[email protected]"
> [suffix] No such realm "gmail.com"
> ++[suffix] = noop
> [ntdomain] No '\' in User-Name = "[email protected]", looking up realm NULL
> [ntdomain] No such realm "NULL"
> ++[ntdomain] = noop
> ++[preprocess] = ok
> [eap] EAP packet type response id 142 length 71
> [eap] Continuing tunnel setup.
> ++[eap] = ok
> +} # group authorize = ok
> Found Auth-Type = EAP
> # Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
> +group authenticate {
> [eap] Request found, released from the list
> [eap] EAP/ttls
> [eap] processing type ttls
> [ttls] Authenticate
> [ttls] processing EAP-TLS
> [ttls] eaptls_verify returned 7
> [ttls] Done initial handshake
> [ttls] eaptls_process returned 7
> [ttls] Session established. Proceeding to decode tunneled attributes.
> [ttls] Got tunneled request
>         EAP-Message = 0x0200001a01612e736861726f6e33363940676d61696c2e636f6d
>         FreeRADIUS-Proxied-To = 127.0.0.1
> [ttls] Got tunneled identity of [email protected]
> [ttls] Setting default EAP type for tunneled EAP session.
> [ttls] Sending tunneled request
>         EAP-Message = 0x0200001a01612e736861726f6e33363940676d61696c2e636f6d
>         FreeRADIUS-Proxied-To = 127.0.0.1
>         User-Name = "[email protected]"
>         NAS-Identifier = "archer6b3a"
>         Called-Station-Id = "62:e3:27:a4:6b:38:PF-SECURE"
>         NAS-Port-Type = Wireless-802.11
>         NAS-Port = 1
>         Calling-Station-Id = "f8:16:54:cd:36:0b"
>         Connect-Info = "CONNECT 54Mbps 802.11a"
>         Acct-Session-Id = "56E0DDF6-00000008"
>         WLAN-Pairwise-Cipher = 1027076
>         WLAN-Group-Cipher = 1027076
>         WLAN-AKM-Suite = 1027073
>         Framed-MTU = 1400
>         NAS-IP-Address = 10.3.1.3
> server packetfence-tunnel {
> # Executing section authorize from file /usr/local/pf/raddb//sites-enabled/packetfence-tunnel
> +group authorize {
> [suffix] Looking up realm "gmail.com" for User-Name = "[email protected]"
> [suffix] No such realm "gmail.com"
> ++[suffix] = noop
> [ntdomain] No '\' in User-Name = "[email protected]", looking up realm NULL
> [ntdomain] No such realm "NULL"
> ++[ntdomain] = noop
> [eap] EAP packet type response id 0 length 26
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] = updated
> ++[files] = noop
> ++[expiration] = noop
> ++[logintime] = noop
> +} # group authorize = updated
> Found Auth-Type = EAP
> # Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence-tunnel
> +group authenticate {
> [eap] EAP Identity
> [eap] processing type md5
> rlm_eap_md5: Issuing Challenge
> ++[eap] = handled
> +} # group authenticate = handled
> } # server packetfence-tunnel
> [ttls] Got tunneled reply code Access-Challenge
>         EAP-Message = 0x010100160410555fe7f19531a0da99b2cce5ed16e573
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xd13e8fedd13f8bd8fd1bfa0e59347e73
> [ttls] Got tunneled Access-Challenge
> ++[eap] = handled
> +} # group authenticate = handled
> } # server packetfence
> Sending Access-Challenge of id 70 to 10.3.1.3 port 45715
>         EAP-Message = 0x018f004715800000003d170303003832fec58b22c67e2b827de5b69ccc83883311ae2aea8e2d266001fc716b808162ba2e6d552ec4c06183c7cfd2f290dca403bc25229e709312
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x3c3f451f39b050869fbafde7b9b852f6

-- 
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
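The compatibility point in Fabrice's reply, as an added example that is not part of the thread and not PacketFence or FreeRADIUS code: EAP-MSCHAPv2 (RFC 2759) builds its response from the NT hash of the password, so the RADIUS server must get either the cleartext password (and hash it itself) or the NT hash out of the directory; a salted SHA ({SSHA}) userPassword can be verified only when the cleartext arrives (PAP, or the web portal), and cannot be turned into an NT hash. The attribute names `cleartextPassword` and `ntHash` below are hypothetical placeholders for whatever your directory exposes (for example the eDir Universal Password, or the attribute produced by the nthash_AD_attribute add-on linked above), mapped in the FreeRADIUS ldap module configuration. MD4 is not available in every hashlib build, so a short pure-Python MD4 is included. One caveat a practitioner should keep in mind: the NT hash is password-equivalent (it is exactly what NTLM and MSCHAPv2 prove knowledge of), so storing it in LDAP is as sensitive as storing the cleartext, and the attribute should be readable only by the RADIUS bind account.

```python
"""Added example: what PAP and EAP-MSCHAPv2 each need from an LDAP entry.
Not from the original thread or from PacketFence/FreeRADIUS.
Attribute names cleartextPassword / ntHash are hypothetical placeholders."""
import hashlib
import os
import struct
from base64 import b64decode, b64encode

_M = 0xFFFFFFFF


def _rot(x, n):
    return ((x << n) | (x >> (32 - n))) & _M


def _md4_round(state, X, f, order, shifts, const):
    # One MD4 round: 16 steps rotating through the (a, d, c, b) positions.
    a, b, c, d = state
    for j, k in enumerate(order):
        s = shifts[j % 4]
        if j % 4 == 0:
            a = _rot((a + f(b, c, d) + X[k] + const) & _M, s)
        elif j % 4 == 1:
            d = _rot((d + f(a, b, c) + X[k] + const) & _M, s)
        elif j % 4 == 2:
            c = _rot((c + f(d, a, b) + X[k] + const) & _M, s)
        else:
            b = _rot((b + f(c, d, a) + X[k] + const) & _M, s)
    return a, b, c, d


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (pure Python, dependency-free; slow but fine for a demo)."""
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        s = _md4_round(state, X, F, range(16), (3, 7, 11, 19), 0)
        s = _md4_round(s, X, G, r2, (3, 5, 9, 13), 0x5A827999)
        s = _md4_round(s, X, H, r3, (3, 9, 11, 15), 0x6ED9EBA1)
        state = tuple((x + y) & _M for x, y in zip(state, s))
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash (the secret MSCHAPv2/NTLM prove knowledge of): MD4 of UTF-16LE."""
    return md4(password.encode("utf-16-le"))


def nt_hash_attribute(password: str) -> str:
    """Uppercase-hex form used by attributes such as sambaNTPassword."""
    return nt_hash(password).hex().upper()


def ssha(password: str, salt: bytes = None) -> str:
    """OpenLDAP-style {SSHA} userPassword: base64(sha1(pw || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + b64encode(digest + salt).decode("ascii")


def verify_pap(password: str, entry: dict) -> bool:
    """PAP (cleartext reaches the server): every stored form can be checked."""
    if "cleartextPassword" in entry:            # hypothetical attribute
        return entry["cleartextPassword"] == password
    if "ntHash" in entry:                       # hypothetical attribute
        return entry["ntHash"].upper() == nt_hash_attribute(password)
    stored = entry.get("userPassword", "")
    if stored.startswith("{SSHA}"):
        raw = b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]
        return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest
    return False


def mschap_key_for_entry(entry: dict):
    """MSCHAPv2 needs the NT hash: returns (nt_hash, source) or (None, reason)."""
    if "cleartextPassword" in entry:            # hypothetical attribute
        return nt_hash(entry["cleartextPassword"]), "derived from cleartext"
    if "ntHash" in entry:                       # hypothetical attribute
        return bytes.fromhex(entry["ntHash"]), "stored NT hash"
    if entry.get("userPassword", "").startswith("{SSHA}"):
        return None, "{SSHA} cannot be converted to an NT hash"
    return None, "no usable password attribute"


if __name__ == "__main__":
    # Constructed sample entries, not real directory data.
    entries = {
        "eDir-style cleartext": {"cleartextPassword": "password"},
        "NT hash attribute": {"ntHash": nt_hash_attribute("password")},
        "OpenLDAP {SSHA}": {"userPassword": ssha("password")},
    }
    for name, e in entries.items():
        key, why = mschap_key_for_entry(e)
        print(f"{name:22} PAP={verify_pap('password', e)}  "
              f"MSCHAPv2={key is not None} ({why})")
```

Running it prints one line per constructed entry: PAP verifies against all three stored forms, while MSCHAPv2 gets its NT hash only from the cleartext or NT-hash attribute and fails on the {SSHA} entry, which is the row of the deployingradius compatibility table that matters here.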
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
