RE: Force "Accept" to authentication
Phil,

Thanks a lot, will give it a try.

Regards,
Zeev

Phil Mayers wrote:
> Try this in sites-enabled/default:
>
>    authorize {
>       # Put any comparison you like here
>       if (Calling-Station-Id == "the_wimax_mac?") {
>          update control {
>             Auth-Type := Accept
>          }
>       }
>    }
>
> ...but I doubt it will work.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Force "Accept" to authentication
Lubenski, Zeev [GCS] wrote:
> We have a WiMAX client that supports only EAP-TLS, on our side (long story
> why) - we support only EAP-TTLS

This will not work.

> What we are trying to do is to accept the very first Access Request

This is impossible.

Alan DeKok.
Re: Force "Accept" to authentication
On 27/05/11 16:59, Gary Gatten wrote:
> Can one not "override" the ... not sure what it would be called...
> Example; if I tell FR to use NTLM_AUTH to authenticate a request
> against AD, and AD returns a "reject", can I not override the reject
> with an accept using "update control" or some similar function?

It depends.

If you're using ntlm_auth to do MSCHAP, then no. The MS-CHAPv2 reply adds a
final response that proves to the *client* that the *server* is valid. The
authentication flow is as follows:

  nas -> client: challenge
  client -> nas: response
  nas -> radius: challenge, response
  radius -> nas: final response
  nas -> client: final response

...the client checks that the final response is valid against the challenge
and response, as well as its own password, using crypto. The protocol is
*designed* to stop this kind of interference.

Now, a buggy client might ignore the final response, but that is a big
security hole - it means you can man-in-the-middle the MSCHAP - and as far
as I'm aware, all MSCHAP clients (including EAP-PEAP with EAP-MSCHAP inner,
and EAP-TTLS with EAP-MSCHAP inner) check this.

You can of course just "accept" PAP requests, so if you're doing EAP-TTLS
with PAP inner, you can force accept - but you must do it at the *inner*
auth. The outer TTLS still needs to be allowed to flow to completion
unhindered.
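The MS-CHAPv2 flow Phil lays out, modelled end to end so the failure he describes can actually be observed. This is an added example, not code from the thread or from FreeRADIUS. It keeps the RFC 2759 message structure (peer and authenticator challenge, challenge hash, NT-Response, the "S=" authenticator response the client verifies) but substitutes SHA-256 and HMAC-SHA-256 for the MD4 and DES primitives so it runs on the standard library alone; the user name, password and user database are made up for the example. The `force_accept` flag stands for a RADIUS server that returns Access-Accept without having verified the response (the "update control { Auth-Type := Accept }" idea), and `buggy_client` stands for a supplicant that skips the final check.

```python
"""Toy MS-CHAPv2 exchange: nas -> client challenge, client -> nas response,
radius -> nas final response, nas -> client final response, client verifies.

Added example, not thread or FreeRADIUS code. RFC 2759 structure, but MD4 and
DES are replaced by SHA-256 / HMAC-SHA-256 stand-ins (assumption: the point,
that the final response is keyed on the user's password, is unchanged).
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


def password_hash(password: str) -> bytes:
    # Stand-in for the MD4 NT hash (RFC 2759 NtPasswordHash).
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    # RFC 2759 ChallengeHash: SHA1(PeerChallenge | AuthenticatorChallenge | UserName)[:8]
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]


def nt_response(pw_hash: bytes, chal_hash: bytes) -> bytes:
    # Stand-in for the three DES encryptions of the challenge hash.
    return hmac.new(pw_hash, chal_hash, hashlib.sha256).digest()[:24]


def authenticator_response(pw_hash: bytes, ntr: bytes, chal_hash: bytes) -> str:
    # RFC 2759 GenerateAuthenticatorResponse shape, SHA-256 in place of SHA1/MD4.
    pw_hash_hash = hashlib.sha256(pw_hash).digest()
    magic1 = b"Magic server to client signing constant"
    magic2 = b"Pad to make it do more than one iteration"
    digest = hashlib.sha256(pw_hash_hash + ntr + magic1).digest()
    digest = hashlib.sha256(digest + chal_hash + magic2).digest()
    return "S=" + digest[:20].hex().upper()


@dataclass
class Outcome:
    nas_accepted: bool     # did RADIUS send the NAS an Access-Accept?
    client_accepted: bool  # did the supplicant accept the server's final response?


def run_exchange(client_password: str, server_db: dict, username: str,
                 force_accept: bool = False, buggy_client: bool = False) -> Outcome:
    # nas -> client: challenge
    auth_challenge = os.urandom(16)
    # client -> nas: response (peer challenge + NT-Response from its own password)
    peer_challenge = os.urandom(16)
    chal_hash = challenge_hash(peer_challenge, auth_challenge, username)
    client_pw_hash = password_hash(client_password)
    response = nt_response(client_pw_hash, chal_hash)

    # nas -> radius: challenge, response. RADIUS checks against its user store.
    server_pw = server_db.get(username)
    server_pw_hash = password_hash(server_pw) if server_pw is not None else None
    valid = server_pw_hash is not None and hmac.compare_digest(
        nt_response(server_pw_hash, chal_hash), response)

    # radius -> nas: final response
    if valid:
        final, nas_accepted = authenticator_response(server_pw_hash, response, chal_hash), True
    elif force_accept:
        # Forced Access-Accept: there is no password to derive MS-CHAP2-Success from.
        final, nas_accepted = "", True
    else:
        final, nas_accepted = "", False

    # nas -> client: final response; the client verifies it with its own password.
    if not nas_accepted:
        return Outcome(False, False)
    if buggy_client:
        return Outcome(True, True)  # skips the check: the MITM hole Phil describes
    expected_final = authenticator_response(client_pw_hash, response, chal_hash)
    return Outcome(True, hmac.compare_digest(expected_final, final))
```

The third case in the test is the one this thread is about: the NAS sees an Access-Accept, but the supplicant, which computes the expected "S=" value from its own password, finds nothing matching in the final response and treats the authentication as failed. Only a client that never performs that comparison (the last case) would stay up, which is exactly the man-in-the-middle hole Phil warns about.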
Re: Force "Accept" to authentication
On 27/05/11 17:05, Lubenski, Zeev [GCS] wrote:
> Ok - EAP TLS it is, but this in fact can't work (our internal problems) so
> the authentication fails
>
> What we are trying to do is to accept the very first Access Request

Sorry, I don't think that's possible.

If the WiMAX client is only capable of EAP-TLS, you must do EAP-TLS. And
EAP-TLS requires a complete TLS negotiation and completion.

I assume it's impossible for you to enable EAP-TLS for some reason?

> I am thinking just to set authentication type on the Server as a user id
> /password and allow any user, so we can answer with accept on very first
> message

If you do that, the WiMAX client will basically see this:

  client: EAP-TLS: TLS client hello
  server: EAP-Success

...and the client will assume something has gone wrong, because it was
expecting a TLS packet back. This is what I mean when I say you can't
interfere with the outer tunnel - it's *designed* that way to be secure and
prevent interference.

HOWEVER - possibly the WiMAX client is dumb, and will do this:

  client: EAP-TLS: TLS client hello
  server: EAP-Success
  client: Ok, that's fine

If so it's insecure, but it will solve your problem. Try this in
sites-enabled/default:

  authorize {
     # Put any comparison you like here
     if (Calling-Station-Id == "the_wimax_mac?") {
        update control {
           Auth-Type := Accept
        }
     }
  }

...but I doubt it will work.
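Phil's reply to Gary above says the one place a forced accept can work is the inner authentication of a TTLS session with PAP inside, with the outer tunnel left to complete on its own; the snippet he gives here goes in the outer `default` site and is the case he expects to fail. As an added example, not from the thread or from the FreeRADIUS documentation, this is what the inner-tunnel variant looks like. It assumes the FreeRADIUS 2.x virtual-server layout (sites-enabled/default for the outer EAP conversation, sites-enabled/inner-tunnel for the tunnelled request) and a client that really does EAP-TTLS/PAP, which the WiMAX client in this thread does not.

```unlang
# sites-enabled/inner-tunnel: the request that arrives *through* the TTLS
# tunnel. Only here can "accept anything" work, and only for a PAP inner
# method. (Added example; assumes FreeRADIUS 2.x layout.)
server inner-tunnel {
    authorize {
        # PAP inside TTLS delivers the password in User-Password. Accepting
        # every such request means no user secret is ever checked: the only
        # thing left protecting the session is the outer TLS (the server
        # certificate). Treat this as a deliberate, temporary measure.
        if (User-Password) {
            update control {
                Auth-Type := Accept
            }
        }
        # An MS-CHAPv2 inner method would not pass through here: the client
        # still verifies the MS-CHAP2-Success value, which Accept cannot fake.
    }
}

# sites-enabled/default: the outer EAP conversation. Leave it alone, so the
# TTLS handshake runs to completion; no forced Accept at this level.
authorize {
    eap
}
authenticate {
    Auth-Type EAP {
        eap
    }
}
```

Which site a request lands in is visible in `radiusd -X` output: the outer request shows the `eap` module driving the TLS exchange, and the tunnelled PAP request shows up as a separate request processed by `server inner-tunnel`. If the forced Accept has been placed in `default` instead, the TLS exchange is cut short after the first round trip, which is the failure Phil predicts for the WiMAX client.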
RE: Force "Accept" to authentication
Our problem is that we can't change the state machine on the ASN GW and
disable authentication from the client, but we are trying somehow to
completely disable it on the AAA (some workaround).

Phil Mayers wrote:
> Can you describe your setup in more detail? There are several possible
> answers.
RE: Force "Accept" to authentication
Phil,

We have a WiMAX client that supports only EAP-TLS, on our side (long story
why) - we support only EAP-TTLS

Here is the scenario:

  Client ---> Server: Access Request
  Server ---> Client: Challenge with EAP-TTLS
  Client ---> Server: nop EAP TLS
  Server ---> Client:

Ok - EAP TLS it is, but this in fact can't work (our internal problems) so
the authentication fails

What we are trying to do is to accept the very first Access Request

I am thinking just to set authentication type on the Server as a user id
/password and allow any user, so we can answer with accept on very first
message

Regards,
Zeev

Phil Mayers wrote:
> Can you describe your setup in more detail? There are several possible
> answers.
RE: Force "Accept" to authentication
Can one not "override" the ... not sure what it would be called...

Example; if I tell FR to use NTLM_AUTH to authenticate a request against AD,
and AD returns a "reject", can I not override the reject with an accept using
"update control" or some similar function?

G

Phil Mayers wrote:
> Can you describe your setup in more detail? There are several possible
> answers.
Re: Force "Accept" to authentication
On 27/05/11 16:42, Lubenski, Zeev [GCS] wrote:
> Phil
>
> I am new to free radius, How can I change authentication type on the
> server to something simple - like user id/password and then accept
> always ?

Can you describe your setup in more detail? There are several possible
answers.