EAP-TTLS with tunneled PAP Users files
I have a radius box set up using 1.0.1. Currently it is doing authentication and working fine. I am trying to integrate in 802.1x auth. I have the EAP-TTLS w/ PAP working fine with a users entry of "username" User-Password == "test", but I am confused how the users and authorize and authenticate sections of the radiusd file should be set to have EAP look at an LDAP entry. I know I have to set the pap module to md5 to work with the LDAP and that I will have a new huntgroup just for the .1x authentication, but I am stumped from there. Below is how my users file and radiusd look now; my question is really how should they look when I integrate in the .1x.

Thanks in advance guys, you have helped me out in the past and I would appreciate anything else you could do for me now.

- Joe

***radiusd.conf
...
authorize {
        autztype VPN_LDAP {
                redundant {
                        VPN_LDAP1
                        VPN_LDAP2
                }
        }

        autztype Dial_LDAP {
                redundant {
                        Dial_LDAP1
                        Dial_LDAP2
                }
        }
...
authenticate {
        authtype VPN_LDAP {
                redundant {
                        VPN_LDAP1
                        VPN_LDAP2
                }
        }

        authtype Dial_LDAP {
                redundant {
                        Dial_LDAP1
                        Dial_LDAP2
                }
        }

***users

DEFAULT Autz-Type := VPN_LDAP, Auth-Type := VPN_LDAP, Huntgroup-Name == VPN

DEFAULT Autz-Type := Dial_LDAP, Auth-Type := Dial_LDAP, Huntgroup-Name == DIAL
        Service-Type == Framed-User,
        Ascend-Assign-IP-Pool = 1,
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 1524,
        Service-Type = Framed-User,
        Fall-Through = No

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-TTLS with tunneled PAP Users files
Sorry about that Alan, I knew the post was somewhat cryptic when I wrote it (too many hours awake). I started off basic two years ago and I have the set up working doing all of the authentication for the VPN and Dial accounts since then. I am now doing some testing of adding .1x into the mix. The users/pass are stored on the 2 redundant LDAPs and different groups have different attributes which allow them to access resources, and RADIUS talks to several remote access devices.

I guess what I basically need to know is what the users file should look like so Freeradius knows what is going on. I was thinking along these lines:

DEFAULT Auth-Type := EAP, Huntgroup-Name == 1X

But that doesn't tell radius to use LDAP or which attribute to look for. One of the hang ups in my first implementation was because I had the same LDAP serving several different communities and all requiring different attributes, which led me to use Autz-Type on the recommendation of a user on this board. I want to try something like this (setting up a new ldap attribute):

DEFAULT Autz-Type := 1X_LDAP, Auth-Type := EAP, Huntgroup-Name == 1X

But I know that is not going to work. I hope this gave a better insight into what I was going for, if not I will try banging away at it again tomorrow.

thanks again,
- Joe

On Wed, 15 Dec 2004 18:52:52 -0500, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Joe Raviele <[EMAIL PROTECTED]> wrote:
> > I have a radius box set up using 1.0.1. Currently it is doing
> > authentication and working fine. I am trying to integrate in 802.1x
> > auth. I have the EAP-TTLS w/ PAP working fine with a users entry of
> > "username" User-Password == "test", but I am confused how the users
> > and authorize and authenticate sections of the radiusd file should be
> > set to have EAP look at an LDAP entry.
>
>   You don't.  LDAP doesn't do EAP.  LDAP stores passwords, gives them
> to FreeRADIUS, and FreeRADIUS does EAP.
>
>   My suggestion is to start with the default configuration, and
> gradually add pieces to it until it does what you want.  If you try to
> configure everything all at once, it will be too difficult for you to
> figure out what might have gone wrong.
>
>   Alan Dekok.
Re: EAP-TTLS with tunneled PAP Users files
EAP is in both the authenticate and authorize sections. I still have not gotten it to work; today I am trying several different permutations of the users file.

- Joe

On Thu, 16 Dec 2004 08:44:20 -0500 (EST), Dustin Doris <[EMAIL PROTECTED]> wrote:
> > I have a radius box set up using 1.0.1. Currently it is doing
> > authentication and working fine. I am trying to integrate in 802.1x
> > auth. I have the EAP-TTLS w/ PAP working fine with a users entry of
> > "username" User-Password == "test", but I am confused how the users
> > and authorize and authenticate sections of the radiusd file should be
> > set to have EAP look at an LDAP entry. I know I have to set the pap
> > module to md5 to work with the LDAP and that I will have a new
> > huntgroup just for the .1x authentication, but I am stumped from
> > there. Below is how my users file and radiusd look now, my question is
> > really how should they look when I integrate in the .1x
> >
> > Thanks in advance guys, you have helped me out in the past and I would
> > appreciate anything else you could do for me now.
> >
> > - Joe
> >
> >
> > ***radiusd.conf
> > ...
> > authorize {
> >         autztype VPN_LDAP {
> >                 redundant {
> >                         VPN_LDAP1
> >                         VPN_LDAP2
> >                 }
> >         }
> >
> >         autztype Dial_LDAP {
> >                 redundant {
> >                         Dial_LDAP1
> >                         Dial_LDAP2
> >                 }
> >         }
> > ...
> > authenticate {
> >         authtype VPN_LDAP {
> >                 redundant {
> >                         VPN_LDAP1
> >                         VPN_LDAP2
> >                 }
> >         }
> >
> >         authtype Dial_LDAP {
> >                 redundant {
> >                         Dial_LDAP1
> >                         Dial_LDAP2
> >                 }
> >         }
> >
> > ***users
> >
> > DEFAULT Autz-Type := VPN_LDAP, Auth-Type := VPN_LDAP, Huntgroup-Name == VPN
> >
> >
> > DEFAULT Autz-Type := Dial_LDAP, Auth-Type := Dial_LDAP, Huntgroup-Name == DIAL
> >         Service-Type == Framed-User,
> >         Ascend-Assign-IP-Pool = 1,
> >         Framed-IP-Address = 255.255.255.254,
> >         Framed-MTU = 1524,
> >         Service-Type = Framed-User,
> >         Fall-Through = No
> >
>
> Do you have eap in your authorize and authenticate sections?
Re: EAP-TTLS with tunneled PAP Users files
I think I have tried every possible setting to get this thing to work, so as requested here are my conf files and logs when I tried different settings. I apologize for the long post (it is actually 2, since the first got bounced), but I am hoping someone had this problem and will catch something that is an easy fix.

- Joe

***radiusd.conf
modules {
        #
        #  PAP module to authenticate users based on their stored password
        #
        #  Supports multiple encryption schemes
        #  clear: Clear text
        #  crypt: Unix crypt
        #  md5: MD5 encryption
        #  sha1: SHA1 encryption.
        #  DEFAULT: crypt
        pap {
                encryption_scheme = crypt
        }

        # Extensible Authentication Protocol
        $INCLUDE ${confdir}/eap.conf

        ldap Wireless_Staff {
                server = "ldapchild2.MySchool.edu"
                basedn = "ou=people,dc=MySchool,dc=edu"
                filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(eduPersonEntitlement=wireless))"
                start_tls = no
                tls_mode = no
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 15
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }

        ldap Wireless_Students {
                server = "ldapchild2.MySchool.edu"
                basedn = "ou=people,dc=MySchool,dc=edu"
                filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(eduPersonEntitlement=wirelessStudent))"
                start_tls = no
                tls_mode = no
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 15
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }

authorize {
        preprocess
        auth_log
        eap
        files
        autztype Wireless_Staff {
                Wireless_Staff
        }
        autztype Wireless_Students {
                Wireless_Students
        }
}

#
authenticate {
        #
        #  PAP authentication, when a back-end database listed
        #  in the 'authorize' section supplies a password.  The
        #  password can be clear-text, or encrypted.
        Auth-Type PAP {
                pap
        }

        #  Allow EAP authentication.
        eap
}

***eap.conf
eap {
        default_eap_type = tls
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        md5 {
        }
        tls {
                private_key_password = whatever
                private_key_file = ${raddbdir}/certs/cert-srv.pem
                certificate_file = ${raddbdir}/certs/cert-srv.pem
                CA_file = ${raddbdir}/certs/demoCA/cacert.pem
                dh_file = ${raddbdir}/certs/dh
                random_file = /dev/urandom
                fragment_size = 1024
                include_length = yes
                check_crl = yes
        }
        ttls {
                default_eap_type = md5
                copy_request_to_tunnel = yes
                use_tunneled_reply = yes
        }
}

***users (I will explain in a moment)

"test"  User-Password == "test"

DEFAULT Huntgroup-Name == 1X, Autz-Type := Wireless_Staff, Auth-Type := EAP

** The first log I am posting is when I comment out the Default line and auth locally

testrad raddb # tail -f log
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host X.x.x.5:6001, id=0, length=141
        User-Name = "test"
        NAS-IP-Address = X.x.x.5
        Called-Station-Id = "00-20-A6-4A-E7-15"
        Calling-Station-Id = "00-0D-93-8A-34-81;MySchool-Staff"
        NAS-Identifier = "ORiNOCO-AP-600"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020200090174657374
        Message-Authenticator = 0x02521fa69ec92e5d9da39a3ffb06e1f7
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  '/var/log/radius/radacct/X.x.x.5/auth-detail-20041220'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/X.x.x.5/auth-detail-20041220
  modcall[authorize]: module "auth_log" returns ok for request 0
  rlm_eap: EAP packet type response id 2 length 9
  rlm_eap: No EAP Start, assuming it's an on-going EAP co
Re: EAP-TTLS with tunneled PAP Users files - RESOLVED
Thanks everyone. Alan, it all came down to the Freeradius proxy statement in the users file. Once I did that everything worked fine. I am now able to authenticate to OpenLDAP from the built in OSX client and the secureW2 client for Windows.

**users

DEFAULT Huntgroup-Name == 1X, Autz-Type := Wireless_Staff, Auth-Type := Wireless_Staff, Freeradius-Proxied-To == 127.0.0.1

**radiusd.conf
modules {
        pap {
                encryption_scheme = clear
        }

        $INCLUDE ${confdir}/eap.conf

        ldap Wireless_Staff {
                server = "ldapchild2.MySchool.edu"
                basedn = "ou=people,dc=MySchool,dc=edu"
                filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(eduPersonEntitlement=wireless))"
                start_tls = no
                tls_mode = no
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 15
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }

        ldap Wireless_Students {
                server = "ldapchild2.MySchool.edu"
                basedn = "ou=people,dc=MySchool,dc=edu"
                filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(eduPersonEntitlement=wirelessStudent))"
                start_tls = no
                tls_mode = no
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 15
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }

instantiate {
        exec
        expr
}

authorize {
        preprocess
        eap
        files
        autztype Wireless_Staff {
                Wireless_Staff
        }
        autztype Wireless_Students {
                Wireless_Students
        }
}

authenticate {
        Auth-Type PAP {
                pap
        }
        authtype Wireless_Staff {
                Wireless_Staff
        }
        authtype Wireless_Students {
                Wireless_Students
        }
        eap
}

preacct {
        preprocess
        acct_unique
        files
}

***eap.conf
eap {
        default_eap_type = tls
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        md5 {
        }
        tls {
                private_key_password = whatever
                private_key_file = ${raddbdir}/certs/cert-srv.pem
                certificate_file = ${raddbdir}/certs/cert-srv.pem
                CA_file = ${raddbdir}/certs/demoCA/cacert.pem
                dh_file = ${raddbdir}/certs/dh
                random_file = /dev/urandom
                fragment_size = 1024
                include_length = yes
                check_crl = yes
        }
        ttls {
                default_eap_type = md5
                copy_request_to_tunnel = yes
                use_tunneled_reply = no
        }
}

On Tue, 21 Dec 2004 10:14:40 -0500, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Joe Raviele <[EMAIL PROTECTED]> wrote:
> > Now I set users to
> > :
> > DEFAULT Huntgroup-Name == 1X, Autz-Type := Wireless_Staff, Auth-Type := EAP
> >
> > and it fails with a different message: malformed EAP
>
>   Changing things at random is a guaranteed way to never solve the
> problem.
>
>   Again, write down a clear description of what you want to happen,
> and when.  Write down a description of what attributes are in the
> packets in the different scenarios you define above.  Write down how
> to configure the server to match those attributes, and therefore match
> those scenarios, and therefore do what you want.
>
>   Alan DeKok.
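The reason the Freeradius-Proxied-To check was the missing piece: with EAP-TTLS the server runs the authorize and authenticate sections twice per login, once for the outer request the access point sends (EAP-Message only, no password) and once for the inner PAP request that rlm_eap_ttls unpacks from the TLS tunnel and feeds back to itself with Freeradius-Proxied-To = 127.0.0.1 attached. A users entry that checks that attribute therefore matches only the inner request, which is the one that actually carries a User-Password to bind against LDAP. The fragments below are an added example written for this thread, not Joe's posted files and not configuration shipped with FreeRADIUS; the huntgroup name 1X, the ldap instance name Wireless_Staff, the LDAP host, base DN and entitlement value are assumed placeholders in the spirit of the thread.

```text
#
#  users  (added example; huntgroup "1X" is assumed to be defined in the
#  huntgroups file for the access points)
#
#  Outer request from the AP: no User-Password, so nothing here should
#  match it.  The eap module in authorize has already set Auth-Type := EAP
#  for it, and rlm_eap drives the TLS handshake in authenticate.
#
#  Inner request from rlm_eap_ttls: carries User-Password (PAP) plus
#  Freeradius-Proxied-To = 127.0.0.1, so this entry matches only the
#  tunneled request and sends it to the LDAP instance.
#
DEFAULT  Huntgroup-Name == 1X, Freeradius-Proxied-To == 127.0.0.1, Autz-Type := Wireless_Staff, Auth-Type := Wireless_Staff
         Fall-Through = No

#
#  radiusd.conf fragments (added example)
#
modules {
        ldap Wireless_Staff {
                server = "ldap.example.edu"               # assumed
                basedn = "ou=people,dc=example,dc=edu"    # assumed
                # Only users holding the entitlement get an entry back;
                # everyone else fails the authorize search and is rejected.
                filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(eduPersonEntitlement=wireless))"
                # The tunneled cleartext password is sent to the LDAP server
                # in a simple bind; protect that hop (assumes the directory
                # offers StartTLS and the module's CA options are set).
                start_tls = yes
                dictionary_mapping = ${raddbdir}/ldap.attrmap
        }
}

authorize {
        preprocess      # assigns Huntgroup-Name from the huntgroups file
        eap             # outer request: sets Auth-Type := EAP; noop for the inner one
        files           # inner request: matches the DEFAULT entry above
        autztype Wireless_Staff {
                Wireless_Staff   # LDAP search, run only when files set Autz-Type
        }
}

authenticate {
        authtype Wireless_Staff {
                Wireless_Staff   # simple bind as the user with the tunneled User-Password
        }
        eap                      # outer EAP-TTLS exchange
}

#
#  eap.conf fragment (added example; certificate paths as in the thread)
#
eap {
        default_eap_type = ttls
        tls {
                private_key_file = ${raddbdir}/certs/cert-srv.pem
                certificate_file = ${raddbdir}/certs/cert-srv.pem
                CA_file = ${raddbdir}/certs/demoCA/cacert.pem
                dh_file = ${raddbdir}/certs/dh
                random_file = /dev/urandom
        }
        ttls {
                # copy NAS-IP-Address and friends into the inner request so
                # preprocess can put it in the same huntgroup as the outer one
                copy_request_to_tunnel = yes
                use_tunneled_reply = no
        }
}
```

Two things follow from this layout. First, because Auth-Type on the inner request names the ldap instance rather than PAP, the ldap module authenticates by binding as the user, so the pap module and its encryption_scheme are never consulted; that is why Joe's final config worked with encryption_scheme = clear. The alternative is to let the ldap module's authorize search copy userPassword into the request via ldap.attrmap and use Auth-Type := PAP, in which case encryption_scheme has to match how the directory stores the hash. Second, the split means the AP's outer request never touches LDAP at all, so a rejected outer request in the debug output is an EAP or certificate problem, while a rejection on the request carrying Freeradius-Proxied-To is an LDAP search or bind problem; reading radiusd -X with that distinction in mind avoids the "changing things at random" loop.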
Re: freeradius with Gentoo Linux
I have it working as well. 802.1x, Gentoo to LDAP. Post any specific problems.

- joe
Re: help for using eap and TTLS
We are doing EAP-TTLS/PAP and have seen this on two different occasions. We were having this problem with our OSX machines that had upgraded to Tiger. Something seems to get messed up with the certs during the upgrade. Once we cleared the CA and server certs, everything worked fine. All of our windows machines running the SecureW2 client were initially having this problem. There is a setting under the advanced config in the client that says to renew DHCP after connecting. Once we did that we were fine.

- Joe

On 6/1/05, Maurice.Bourguel <[EMAIL PROTECTED]> wrote:
> Hi,
> Thanks to David for your answer. Changing tls to ttls in the eap module
> doesn't change the rlm_eap message:
>   rlm_eap: EAP Identity
>   rlm_eap: processing type tls
>   rlm_eap_tls: Initiate
>   rlm_eap_tls: Start returned
>
> If I change tls to ttls in the tls module the Mac OSX asks to accept the
> certificate and I obtain: client connected via TTLS in the 802.1X logging
> window. But I don't connect to my network. I don't understand what happens
> now.
> If I configure the en1 interface by hand (ifconfig en1 .., route add default
> .) I can connect.
> Does anyone know of this problem?
>
> regards
>
> Maurice
> --
> The used eap.conf file:
> ---
> eap {
>         # MB tls   default_eap_type = md5
>         default_eap_type = tls
>         timer_expire = 60
>         # MB yes   ignore_unknown_eap_types = no
>         ignore_unknown_eap_types = yes
>         cisco_accounting_username_bug = no
>         #MD5#
>         md5 {
>         }
>         # Cisco LEAP
>         leap {
>         }
>         gtc {
>                 auth_type = PAP
>         }
>         ## EAP-TLS
>         # uncommented MB
>         tls {
>                 # changing tls to ttls to get freeradius to work
>                 default_eap_type = ttls
>                 # CA_path=${raddbdir}/certs
>                 private_key_password = whatever
>                 private_key_file=${raddbdir}/certs/euler.univ-mrs.fr.pem
>                 # If Private key & Certificate are located in
>                 # the same file, then private_key_file &
>                 # certificate_file must contain the same file
>                 # name.
>                 certificate_file=${raddbdir}/certs/euler.univ-mrs.fr.pem
>                 # Trusted Root CA list
>                 CA_file = ${raddbdir}/certs/root.pem
>                 # CA_file = ${raddbdir}/certs/demoCA/cacert.pem
>
>                 dh_file = ${raddbdir}/certs/dh
>                 random_file = ${raddbdir}/certs/random
>                 # MB 1750   fragment_size = 1024
>                 fragment_size = 1750
>                 include_length = yes
>                 check_crl = yes
>         }
>
>         ttls {
>                 # default_eap_type = md5
>                 #
>                 # allowed values: {no, yes}
>                 copy_request_to_tunnel = yes    # MB yes
>                 # allowed values: {no, yes}
>                 use_tunneled_reply = yes        # MB yes
>         }
> }
>
> The radiusd debugging output
> -
>   auth: type "System"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 26
> HASH:  user mbourguel found in hashtable bucket 32912
>   modcall[authenticate]: module "unix" returns ok for request 26
> modcall: group authenticate returns ok for request 26
> Login OK: [mbourguel/X] (from client localhost port 265 cli 0011.2420.94f9)
>   Processing the post-auth section of radiusd.conf
> modcall: entering group post-auth for request 26
> radius_xlat:  '/var/log/radius/radacct/localhost/reply-detail-20050601'
> rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/localhost/reply-detail-20050601
>   modcall[post-auth]: module "reply_log" returns ok for request 26
> modcall: group post-auth returns ok for request 26
>   TTLS: Got tunneled Access-Accept
>   rlm_eap: Freeing handler
>   modcall[authenticate]: module "eap" returns ok for request 26
> modcall: group authenticate returns ok for request 26
> Login OK: [mbourguel/] (from client Radius port 265 cli 0011.2420.94f9)
>   Processing the post-auth section of radiusd.conf
> modcall: entering group post-auth for request 26
> radius_xlat:  '/var/log/radius/radacct/Wf-bast5/reply-detail-20050601'
> rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/Wf-bast5/reply-detail-20050601
>   modcall[post-auth]: module "reply_log" returns ok for request 26
> modcall: group post-auth returns ok for request 26
> Sending Access-Acce