EAP-TTLS with tunneled PAP Users files

2004-12-15 Thread Joe Raviele
I have a radius box set up using 1.0.1. Currently it is doing
authentication and working fine. I am trying to integrate in 802.1x
auth. I have the EAP-TTLS w/ PAP working fine with a users entry of
"username" User-Password == "test", but I am confused how the users
and authorize and authenticate sections of the radiusd file should be
set to have EAP look at an LDAP entry. I know I have to set the pap
module to md5 to work with the LDAP and that I will have a new
huntgroup just for the .1x authentication, but I am stumped from
there. Below is how my users file and radiusd look now; my question is
really how they should look when I integrate in the .1x.

Thanks in advance guys, you have helped me out in the past and I would
appreciate anything else you could do for me now.

- Joe


***radiusd.conf
...
authorize {
    autztype VPN_LDAP {
        redundant {
            VPN_LDAP1
            VPN_LDAP2
        }
    }

    autztype Dial_LDAP {
        redundant {
            Dial_LDAP1
            Dial_LDAP2
        }
    }
...
authenticate {
    authtype VPN_LDAP {
        redundant {
            VPN_LDAP1
            VPN_LDAP2
        }
    }

    authtype Dial_LDAP {
        redundant {
            Dial_LDAP1
            Dial_LDAP2
        }
    }

***users

DEFAULT Autz-Type := VPN_LDAP, Auth-Type := VPN_LDAP, Huntgroup-Name == VPN

DEFAULT Autz-Type := Dial_LDAP, Auth-Type := Dial_LDAP, Huntgroup-Name == DIAL
    Service-Type == Framed-User,
    Ascend-Assign-IP-Pool = 1,
    Framed-IP-Address = 255.255.255.254,
    Framed-MTU = 1524,
    Service-Type = Framed-User,
    Fall-Through = No

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TTLS with tunneled PAP Users files

2004-12-15 Thread Joe Raviele
Sorry about that Alan, I knew the post was somewhat cryptic when I
wrote it (too many hours awake). I started off basic two years ago and
I have the setup working doing all of the authentication for the VPN
and Dial accounts since then. I am now doing some testing of adding
.1x into the mix. The users/pass are stored on the 2 redundant LDAPs
and different groups have different attributes which allow them to
access resources, and RADIUS talks to several remote access devices. I
guess what I basically need to know is what the users file should look
like so Freeradius knows what is going on. I was thinking along these
lines:

DEFAULT Auth-Type := EAP, Huntgroup-Name == 1X

But that doesn't tell radius to use LDAP or which attribute to look
for. One of the hang-ups in my first implementation was because I had
the same LDAP serving several different communities and all requiring
different attributes, which led me to use Autz-Type on the
recommendation of a user on this board. I want to try something like
this (setting up a new ldap attribute):

DEFAULT Autz-Type := 1X_LDAP, Auth-Type := EAP, Huntgroup-Name == 1X

But I know that is not going to work. I hope this gave a better
insight into what I was going for, if not I will try banging away at
it again tomorrow.

thanks again,

- Joe

On Wed, 15 Dec 2004 18:52:52 -0500, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Joe Raviele <[EMAIL PROTECTED]> wrote:
> > I have a radius box set up using 1.0.1. Currently it is doing
> > authentication and working fine. I am trying to integrate in 802.1x
> > auth. I have the EAP-TTLS w/ PAP working fine with a users entry of
> > "username" User-Password == "test", but I am confused how the users
> > and authorize and authenticate sections of the radiusd file should be
> > set to have EAP look at an LDAP entry.
> 
>   You don't.  LDAP doesn't do EAP.  LDAP stores passwords, gives them
> to FreeRADIUS, and FreeRADIUS does EAP.
> 
>   My suggestion is to start with the default configuration, and
> gradually add pieces to it until it does what you want.  If you try to
> configure everything all at once, it will be too difficult for you to
> figure out what might have gone wrong.
> 
>   Alan Dekok.
> 



Re: EAP-TTLS with tunneled PAP Users files

2004-12-16 Thread Joe Raviele
EAP is in both the authenticate and authorize sections. I still have
not gotten it to work, today I am trying several different
permutations of the users file.

- Joe


On Thu, 16 Dec 2004 08:44:20 -0500 (EST), Dustin Doris <[EMAIL PROTECTED]> wrote:
> 
> > I have a radius box set up using 1.0.1. Currently it is doing
> > authentication and working fine. I am trying to integrate in 802.1x
> > auth. I have the EAP-TTLS w/ PAP working fine with a users entry of
> > "username" User-Password == "test", but I am confused how the users
> > and authorize and authenticate sections of the radiusd file should be
> > set to have EAP look at an LDAP entry. I know I have to set the pap
> > module to md5 to work with the LDAP and that I will have a new
> > huntgroup just for the .1x authentication, but I am stumped from
> > there. Below is how my users file and radiusd look now; my question is
> > really how they should look when I integrate in the .1x.
> >
> > Thanks in advance guys, you have helped me out in the past and I would
> > appreciate anything else you could do for me now.
> >
> > - Joe
> >
> >
> > ***radiusd.conf
> > ...
> > authorize {
> >     autztype VPN_LDAP {
> >         redundant {
> >             VPN_LDAP1
> >             VPN_LDAP2
> >         }
> >     }
> >
> >     autztype Dial_LDAP {
> >         redundant {
> >             Dial_LDAP1
> >             Dial_LDAP2
> >         }
> >     }
> > ...
> > authenticate {
> >     authtype VPN_LDAP {
> >         redundant {
> >             VPN_LDAP1
> >             VPN_LDAP2
> >         }
> >     }
> >
> >     authtype Dial_LDAP {
> >         redundant {
> >             Dial_LDAP1
> >             Dial_LDAP2
> >         }
> >     }
> >
> > ***users
> >
> > DEFAULT Autz-Type := VPN_LDAP, Auth-Type := VPN_LDAP, Huntgroup-Name == VPN
> >
> > DEFAULT Autz-Type := Dial_LDAP, Auth-Type := Dial_LDAP, Huntgroup-Name == DIAL
> >     Service-Type == Framed-User,
> >     Ascend-Assign-IP-Pool = 1,
> >     Framed-IP-Address = 255.255.255.254,
> >     Framed-MTU = 1524,
> >     Service-Type = Framed-User,
> >     Fall-Through = No
> >
> 
> Do you have eap in your authorize and authenticate sections?
> 
> 



Re: EAP-TTLS with tunneled PAP Users files

2004-12-20 Thread Joe Raviele
I think I have tried every possible setting to get this thing to work,
so as requested here are my conf files and logs when I tried different
settings. I apologize for the long post (it is actually 2, since the
first got bounced), but I am hoping someone had this problem and will
catch something that is an easy fix.

- Joe

***radiusd.conf

modules {

    #
    #  PAP module to authenticate users based on their stored password
    #
    #  Supports multiple encryption schemes
    #    clear: Clear text
    #    crypt: Unix crypt
    #    md5:   MD5 encryption
    #    sha1:  SHA1 encryption
    #  DEFAULT: crypt
    pap {
        encryption_scheme = crypt
    }

    #  Extensible Authentication Protocol
    $INCLUDE ${confdir}/eap.conf

    ldap Wireless_Staff {
        server = "ldapchild2.MySchool.edu"
        basedn = "ou=people,dc=MySchool,dc=edu"
        filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(eduPersonEntitlement=wireless))"

        start_tls = no
        tls_mode = no

        dictionary_mapping = ${raddbdir}/ldap.attrmap

        ldap_connections_number = 15
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }

    ldap Wireless_Students {
        server = "ldapchild2.MySchool.edu"
        basedn = "ou=people,dc=MySchool,dc=edu"
        filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(eduPersonEntitlement=wirelessStudent))"

        start_tls = no
        tls_mode = no

        dictionary_mapping = ${raddbdir}/ldap.attrmap

        ldap_connections_number = 15
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }
}

authorize {
    preprocess
    auth_log
    eap
    files

    autztype Wireless_Staff {
        Wireless_Staff
    }

    autztype Wireless_Students {
        Wireless_Students
    }
}

authenticate {
    #
    #  PAP authentication, when a back-end database listed
    #  in the 'authorize' section supplies a password.  The
    #  password can be clear-text, or encrypted.
    Auth-Type PAP {
        pap
    }

    #  Allow EAP authentication.
    eap
}

***eap.conf

eap {
    default_eap_type = tls
    timer_expire = 60

    ignore_unknown_eap_types = no

    cisco_accounting_username_bug = no

    md5 {
    }

    tls {
        private_key_password = whatever
        private_key_file = ${raddbdir}/certs/cert-srv.pem
        certificate_file = ${raddbdir}/certs/cert-srv.pem
        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = /dev/urandom
        fragment_size = 1024
        include_length = yes
        check_crl = yes
    }

    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
    }
}

***users (I will explain in a moment)

"test"  User-Password == "test"

DEFAULT Huntgroup-Name == 1X, Autz-Type := Wireless_Staff, Auth-Type := EAP

**
The first log I am posting is when I comment out the Default line and
auth locally

testrad raddb # tail -f log
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host X.x.x.5:6001, id=0, length=141
   User-Name = "test"
   NAS-IP-Address = X.x.x.5
   Called-Station-Id = "00-20-A6-4A-E7-15"
   Calling-Station-Id = "00-0D-93-8A-34-81;MySchool-Staff"
   NAS-Identifier = "ORiNOCO-AP-600"
   Framed-MTU = 1400
   NAS-Port-Type = Wireless-802.11
   EAP-Message = 0x020200090174657374
   Message-Authenticator = 0x02521fa69ec92e5d9da39a3ffb06e1f7
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
 modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  '/var/log/radius/radacct/X.x.x.5/auth-detail-20041220'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/X.x.x.5/auth-detail-20041220
 modcall[authorize]: module "auth_log" returns ok for request 0
 rlm_eap: EAP packet type response id 2 length 9
 rlm_eap: No EAP Start, assuming it's an on-going EAP co

Re: EAP-TTLS with tunneled PAP Users files - RESOLVED

2004-12-21 Thread Joe Raviele
Thanks everyone.

Alan, it all came down to the Freeradius proxy statement in the users
file. Once I did that everything worked fine. I am now able to
authenticate to OpenLDAP from the built-in OSX client and the SecureW2
client for Windows.

**users
DEFAULT Huntgroup-Name == 1X, Autz-Type := Wireless_Staff, Auth-Type := Wireless_Staff, Freeradius-Proxied-To == 127.0.0.1


**radiusd.conf
modules {

    pap {
        encryption_scheme = clear
    }

    $INCLUDE ${confdir}/eap.conf

    ldap Wireless_Staff {
        server = "ldapchild2.MySchool.edu"
        basedn = "ou=people,dc=MySchool,dc=edu"
        filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(eduPersonEntitlement=wireless))"

        start_tls = no
        tls_mode = no

        dictionary_mapping = ${raddbdir}/ldap.attrmap

        ldap_connections_number = 15
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }

    ldap Wireless_Students {
        server = "ldapchild2.MySchool.edu"
        basedn = "ou=people,dc=MySchool,dc=edu"
        filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(eduPersonEntitlement=wirelessStudent))"

        start_tls = no
        tls_mode = no

        dictionary_mapping = ${raddbdir}/ldap.attrmap

        ldap_connections_number = 15
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }
}

instantiate {
    exec
    expr
}

authorize {
    preprocess
    eap
    files

    autztype Wireless_Staff {
        Wireless_Staff
    }

    autztype Wireless_Students {
        Wireless_Students
    }
}

authenticate {
    Auth-Type PAP {
        pap
    }

    authtype Wireless_Staff {
        Wireless_Staff
    }

    authtype Wireless_Students {
        Wireless_Students
    }

    eap
}

preacct {
    preprocess
    acct_unique
    files
}

***eap.conf

eap {
    default_eap_type = tls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no

    md5 {
    }

    tls {
        private_key_password = whatever
        private_key_file = ${raddbdir}/certs/cert-srv.pem
        certificate_file = ${raddbdir}/certs/cert-srv.pem
        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = /dev/urandom
        fragment_size = 1024
        include_length = yes
        check_crl = yes
    }

    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = yes
        use_tunneled_reply = no
    }
}





On Tue, 21 Dec 2004 10:14:40 -0500, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Joe Raviele <[EMAIL PROTECTED]> wrote:
> > Now I set users to
> > :
> > DEFAULT Huntgroup-Name == 1X, Autz-Type := Wireless_Staff, Auth-Type := EAP
> >
> > and it fails with a different message: malformed EAP
> 
>   Changing things at random is a guaranteed way to never solve the
> problem.
> 
>   Again, write down a clear description of what you want to happen,
> and when.  Write down a description of what attributes are in the
> packets in the different scenarios you define above.  Write down how
> to configure the server to match those attributes, and therefore match
> those scenarios, and therefore do what you want.
> 
>   Alan DeKok.
> 

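The users entries in the first post (the VPN and DIAL defaults) and the working entry in this RESOLVED post both depend on how rlm_files matches check items against a request. The following is an added example in Python, not FreeRADIUS code and not from any post in the thread: a simplified model of that matching that parses those entries and evaluates them against three constructed requests, the outer EAP-TTLS packet from the access point, the inner PAP request that comes out of the tunnel, and a dial-in request. It shows why the entry with Freeradius-Proxied-To == 127.0.0.1 fires only for the inner request: rlm_eap_ttls adds that attribute to the request it builds from the tunnel, and the outer packet never carries it. Assumptions: Huntgroup-Name is supplied directly as a request attribute (in the real server, preprocess derives it from the huntgroups file); a "==" item on a reply line is treated as a misplaced check item; the user name, password and request contents are made up.

```python
"""Simplified model of the rlm_files 'users' matching discussed in this thread.

Added example: this is not FreeRADIUS code and not from the original posts.
Assumptions (simplifications of the real server): Huntgroup-Name is a plain
request attribute; '==' compares with the request; ':=' on the entry line sets
a control item (Auth-Type, Autz-Type); indented reply lines add reply
attributes, and a '==' on a reply line is treated as a misplaced check item.
USERS and the three requests are constructed from the entries in the thread.
"""
import re
from dataclasses import dataclass, field

ITEM_RE = re.compile(r'([\w-]+)\s*(==|:=|=)\s*("[^"]*"|\S+)')


@dataclass
class Entry:
    name: str
    checks: list = field(default_factory=list)   # (attr, op, value) from the entry line
    replies: list = field(default_factory=list)  # (attr, op, value) from indented lines


def _items(text):
    """Split 'A == x, B := y' into (attr, op, value) tuples; quotes are stripped."""
    out = []
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        m = ITEM_RE.fullmatch(part)
        if not m:
            raise ValueError(f"bad item: {part!r}")
        attr, op, val = m.groups()
        out.append((attr, op, val.strip('"')))
    return out


def parse_users(text):
    """Parse users-file syntax: an unindented entry line, then indented reply lines."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if not entries:
                raise ValueError("reply line before any entry")
            entries[-1].replies.extend(_items(raw))
        else:
            name, _, rest = raw.strip().partition(" ")
            entries.append(Entry(name.strip('"'), _items(rest)))
    return entries


def evaluate(entries, request):
    """Walk entries in order like rlm_files; return (control, reply, matched names)."""
    control, reply, matched = {}, {}, []
    for e in entries:
        if e.name != "DEFAULT" and e.name != request.get("User-Name"):
            continue
        checks = [c for c in e.checks + e.replies if c[1] == "=="]
        if any(request.get(attr) != val for attr, _, val in checks):
            continue
        matched.append(e.name)
        for attr, op, val in e.checks:
            if op == ":=":
                control[attr] = val
        fall_through = False
        for attr, op, val in e.replies:
            if attr == "Fall-Through":
                fall_through = val.lower() == "yes"
            elif op in ("=", ":="):
                reply[attr] = val
        if not fall_through:
            break      # first matching entry wins unless it falls through
    return control, reply, matched


USERS = '''\
DEFAULT Autz-Type := VPN_LDAP, Auth-Type := VPN_LDAP, Huntgroup-Name == VPN

DEFAULT Autz-Type := Dial_LDAP, Auth-Type := Dial_LDAP, Huntgroup-Name == DIAL
\tService-Type == Framed-User,
\tAscend-Assign-IP-Pool = 1,
\tFramed-IP-Address = 255.255.255.254,
\tFramed-MTU = 1524,
\tService-Type = Framed-User,
\tFall-Through = No

DEFAULT Huntgroup-Name == 1X, Autz-Type := Wireless_Staff, Auth-Type := Wireless_Staff, Freeradius-Proxied-To == 127.0.0.1
'''

# Constructed requests. rlm_eap_ttls adds Freeradius-Proxied-To to the inner
# request it builds from the tunnel; the outer EAP packet never has it.
OUTER = {"User-Name": "jdoe", "Huntgroup-Name": "1X", "EAP-Message": "0x02..."}
INNER = {"User-Name": "jdoe", "Huntgroup-Name": "1X", "User-Password": "secret",
         "Freeradius-Proxied-To": "127.0.0.1"}
DIAL = {"User-Name": "jdoe", "Huntgroup-Name": "DIAL", "Service-Type": "Framed-User"}

if __name__ == "__main__":
    entries = parse_users(USERS)
    for label, req in (("outer", OUTER), ("inner", INNER), ("dial", DIAL)):
        print(label, evaluate(entries, req))
```

For the outer request no entry matches, which is the desired outcome: the eap module in authorize has already set Auth-Type = EAP for it, and an entry that also matched the outer packet would override that with Auth-Type := Wireless_Staff and hand an EAP-Message to the LDAP module. The Freeradius-Proxied-To check is what keeps the two request types apart.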


Re: freeradius with Gentoo Linux

2005-04-12 Thread Joe Raviele
I have it working as well. 802.1x, Gentoo to LDAP. Post any specific problems.

- joe



Re: help for using eap and TTLS

2005-06-01 Thread Joe Raviele
We are doing EAP-TTLS/PAP and have seen this on two different occasions.

We were having this problem with our OSX machines that had upgraded to
Tiger. Something seems to get messed up with the certs during the
upgrade. Once we cleared the CA, and server certs everything worked
fine.

All of our windows machines running the SecureW2 client were initially
having this problem. There is a setting under the advanced config in
the client that says to renew DHCP after connecting. Once we did that
we were fine.

- Joe

On 6/1/05, Maurice.Bourguel <[EMAIL PROTECTED]> wrote:
> Hi,
> Thanks to David for your answer. Changing tls to ttls in the eap module
> doesn't change the rlm_eap message:
>   rlm_eap: EAP Identity
>   rlm_eap: processing type tls
>   rlm_eap_tls: Initiate
>   rlm_eap_tls: Start returned
> 
>  If I change tls to ttls in the tls module, Mac OS X asks me to accept the
> certificate and I get: client connected via TTLS in the 802.1X logging
> window. But I don't connect to my network. I don't understand what happens
> now.
>  If I configure the en1 interface by hand (ifconfig en1 .., route add default .)
> I can connect.
>  Does anyone know of this problem?
> 
> regards
> 
> Maurice
> --
> The eap.conf file used:
> ---
> eap {
> # MB tls     default_eap_type = md5
>     default_eap_type = tls
>     timer_expire = 60
> # MB yes     ignore_unknown_eap_types = no
>     ignore_unknown_eap_types = yes
>     cisco_accounting_username_bug = no
>     #MD5#
>     md5 {
>     }
>     # Cisco LEAP
>     leap {
>     }
>     gtc {
>         auth_type = PAP
>     }
>     ## EAP-TLS
>     # uncommented by MB
>     tls {
>         # changed tls to ttls to get freeradius to work
>         default_eap_type = ttls
>         # CA_path = ${raddbdir}/certs
>         private_key_password = whatever
>         private_key_file = ${raddbdir}/certs/euler.univ-mrs.fr.pem
>         #  If Private key & Certificate are located in
>         #  the same file, then private_key_file &
>         #  certificate_file must contain the same file
>         #  name.
>         certificate_file = ${raddbdir}/certs/euler.univ-mrs.fr.pem
>         #  Trusted Root CA list
>         CA_file = ${raddbdir}/certs/root.pem
>         # CA_file = ${raddbdir}/certs/demoCA/cacert.pem
> 
>         dh_file = ${raddbdir}/certs/dh
>         random_file = ${raddbdir}/certs/random
>         # MB 1750     fragment_size = 1024
>         fragment_size = 1750
>         include_length = yes
>         check_crl = yes
>     }
> 
>     ttls {
>         #   default_eap_type = md5
>         #
>         # allowed values: {no, yes}
>         copy_request_to_tunnel = yes    # MB yes
>         # allowed values: {no, yes}
>         use_tunneled_reply = yes        # MB yes
>     }
> }
> 
> The radiusd debugging output
> -
> auth: type "System"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 26
>   HASH:  user mbourguel found in hashtable bucket 32912
>   modcall[authenticate]: module "unix" returns ok for request 26
> modcall: group authenticate returns ok for request 26
> Login OK: [mbourguel/X] (from client localhost port 265 cli 0011.2420.94f9)
>   Processing the post-auth section of radiusd.conf
> modcall: entering group post-auth for request 26
> radius_xlat:  '/var/log/radius/radacct/localhost/reply-detail-20050601'
> rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
> expands to /var/log/radius/radacct/localhost/reply-detail-20050601
>   modcall[post-auth]: module "reply_log" returns ok for request 26
> modcall: group post-auth returns ok for request 26
>   TTLS: Got tunneled Access-Accept
>   rlm_eap: Freeing handler
>   modcall[authenticate]: module "eap" returns ok for request 26
> modcall: group authenticate returns ok for request 26
> Login OK: [mbourguel/] (from client Radius port 265 cli 0011.2420.94f9)
>   Processing the post-auth section of radiusd.conf
> modcall: entering group post-auth for request 26
> radius_xlat:  '/var/log/radius/radacct/Wf-bast5/reply-detail-20050601'
> rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
> expands to /var/log/radius/radacct/Wf-bast5/reply-detail-20050601
>   modcall[post-auth]: module "reply_log" returns ok for request 26
> modcall: group post-auth returns ok for request 26
> Sending Access-Acce