Re: EAP / MSCHAP / Certificate Troubles

2012-11-08 Thread Jordan Dohms
Thanks.  Spent far too long looking at my certificates :)  Just needed
to give samba/winbind a restart.

J

On Thu, Nov 8, 2012 at 2:05 PM, Phil Mayers  wrote:
> On 11/08/2012 06:45 PM, Jordan Dohms wrote:
>
>> EAP-MSCHAPV2: Invalid authenticator response in success request
>
>
> This suggests the problem isn't certs, since you're inside the PEAP tunnel
> at this point.
>
> Check that samba/winbind are working ok, patched to the same level, etc. -
> it looks like the "well" known "mangling mschap response" issue.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
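Phil's diagnosis above (the failure happens inside the PEAP tunnel, so the certificates are not the problem) refers to the RFC 2759 authenticator response: the supplicant recomputes the "S=" string that the server returns in the MS-CHAPv2 Success from its own password and both challenges, and abandons the session when the value ntlm_auth/winbind handed back does not match. The Python below is an added illustration, not code from this thread, FreeRADIUS or hostapd; it parses the Success packet from Jordan's decrypted phase-2 hexdump and runs the supplicant-side check against the RFC 2759 section 9.2 test vector, with MD4 implemented inline because hashlib often lacks it under OpenSSL 3.

```python
import hashlib, hmac, struct

MAGIC1 = b"Magic server to client signing constant"          # RFC 2759 section 8.7
MAGIC2 = b"Pad to make it do more than one iteration"

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320): hashlib's md4 is often missing under OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    rounds = ((F, 0, range(16), (3, 7, 11, 19)),
              (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
              (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)))
    bits = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bits)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        X, (a, b, c, d) = struct.unpack("<16I", data[off:off + 64]), state
        for fn, k, idx, sh in rounds:
            for j, i in enumerate(idx):
                a = rol((a + fn(b, c, d) + X[i] + k) & 0xFFFFFFFF, sh[j % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def generate_authenticator_response(password, nt_response, peer_challenge, auth_challenge, username):
    """RFC 2759 section 8.7: the 'S=<40 hex>' proof the server sends inside the MS-CHAPv2 Success."""
    pw_hash_hash = md4(md4(password.encode("utf-16-le")))        # HashNtPasswordHash(NtPasswordHash(pw))
    digest = hashlib.sha1(pw_hash_hash + nt_response + MAGIC1).digest()
    chal = hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]  # ChallengeHash
    return "S=" + hashlib.sha1(digest + chal + MAGIC2).hexdigest().upper()

def parse_success_message(phase2: bytes) -> str:
    """Pull the 'S=...' string out of a decrypted phase-2 EAP-MSCHAPv2 Success (EAP type 26, opcode 3)."""
    eap_type, opcode, _ident, length = struct.unpack(">BBBH", phase2[:5])
    if eap_type != 26 or opcode != 3 or length != len(phase2) - 1:
        raise ValueError("not a well-formed EAP-MSCHAPv2 Success packet")
    return phase2[5:].split(b" ")[0].decode("ascii")       # an optional " M=<text>" may follow the proof

def check_authenticator_response(received: str, *auth_args) -> bool:
    """The supplicant-side check; a mismatch is what eapol_test logs as 'Invalid authenticator response'."""
    return hmac.compare_digest(generate_authenticator_response(*auth_args), received)

# Constructed samples: the Success packet from the thread's hexdump, and the RFC 2759 section 9.2 vector
# (password, NT-Response, PeerChallenge, AuthenticatorChallenge, username).
THREAD_SUCCESS = b"\x1a\x03\x07\x00\x2e" + b"S=FE672F5D34B1044C10D34903AAC1454445CCE229"
RFC_VECTOR = ("clientPass", bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF"),
              bytes.fromhex("21402324255E262A28295F2B3A337C7E"), bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628"), "User")

if __name__ == "__main__":
    print(parse_success_message(THREAD_SUCCESS), generate_authenticator_response(*RFC_VECTOR))
```

The thread's "S=" value cannot be verified here because it depends on Jordan's password and challenges; the RFC vector shows what a matching check looks like.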


EAP / MSCHAP / Certificate Troubles

2012-11-08 Thread Jordan Dohms
Hey,

I need a bit of assistance.  Brief summary: I have two RADIUS servers
connected to different Active Directory domains.  I got through the
basic setup, EAP-PEAP / MSCHAP were working successfully
authenticating against both domains.

Then:
- I upgraded freeradius on both from 2.1.10 to 2.2.0.
- I generated new 'production' certificates on both servers.

Now one of them is broken.  Broken to the point where I can't even get
eapol_test to run with success (though ntlm_auth still authenticates
against AD properly).  Since I was getting the "EAP session for state
0x56783e8f517027f8 did not finish!" error, I figured I messed
something up badly with my new certs, so I blew away my
/etc/freeradius directory, reinstalled freeradius 2.2.0 again and
started from the ground up (it recreated the default certs).  Still
the same problem.  The other box is working flawlessly with 2.2.0 and
'production' certs.

From Server:
$ eapol_test -c peap-mschapv2.conf -s XXX

Output on successful server:
[snip]
EAP: EAP entering state RECEIVED
EAP: Received EAP-Success
EAP: EAP entering state SUCCESS
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames required
WPA: EAPOL processing complete
EAPOL: SUPP_PAE entering state AUTHENTICATED
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state SUCCESS
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: success=1
EAPOL: Successfully fetched key (len=32)
PMK from EAPOL - hexdump(len=32): fe a7 76 cd 59 70 e1 d2 fb 1d fe 66 32 7c 12 d5 5f f4 29 12 8b 82 0a 17 36 83 a1 b7 93 71 fb 61
EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 1  mismatch: 0
SUCCESS


Output on failed server:
[snip]
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=8 method=25 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
SSL: Received packet(len=91) - Flags 0x00
EAP-PEAP: received 85 bytes encrypted data for Phase 2
EAP-PEAP: Decrypted Phase 2 EAP - hexdump(len=47): 1a 03 07 00 2e 53 3d 46 45 36 37 32 46 35 44 33 34 42 31 30 34 34 43 31 30 44 33 34 39 30 33 41 41 43 31 34 35 34 34 34 35 43 43 45 32 32 39
EAP-PEAP: received Phase 2: code=1 identifier=8 length=51
EAP-PEAP: Phase 2 Request: type=26
EAP-MSCHAPV2: RX identifier 8 mschapv2_id 7
EAP-MSCHAPV2: Received success
EAP-MSCHAPV2: Invalid authenticator response in success request
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: startWhen --> 0
EAPOL test timed out
EAPOL: EAP key not available
EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 0  mismatch: 1
FAILURE


And on the server debug, when it fails, I get an Access-Challenge,
followed by "EAP session for state 0x56783e8f517027f8 did not finish!"
It's not Windows though, so I'm puzzled.

Server output on failure:
Sending Access-Challenge of id 7 to 127.0.0.1 port 48493
EAP-Message =
0x0108005b19001703010050cdc6ba2c896eb5118cfb064080452617ab9dac048c60afbdb3a962afa01555069719ac14235bae1e3108e284d27ef322609824fe6898c5cc497db9833039b37e92c921285a0b9bdbcafc0861676b5082
Message-Authenticator = 0x
State = 0xa24b0ed9a54317a0931e3b8d4f719448
Thu Nov  8 11:26:17 2012 : Info: Finished request 16.
Thu Nov  8 11:26:17 2012 : Debug: Going to the next request
Thu Nov  8 11:26:17 2012 : Debug: Waking up in 4.9 seconds.
Thu Nov  8 11:26:22 2012 : Info: Cleaning up request 9 ID 0 with timestamp +510
Thu Nov  8 11:26:22 2012 : Info: Cleaning up request 10 ID 1 with timestamp +510
Thu Nov  8 11:26:22 2012 : Info: Cleaning up request 11 ID 2 with timestamp +511
Thu Nov  8 11:26:22 2012 : Info: Cleaning up request 12 ID 3 with timestamp +511
Thu Nov  8 11:26:22 2012 : Info: Cleaning up request 13 ID 4 with timestamp +511
Thu Nov  8 11:26:22 2012 : Info: Cleaning up request 14 ID 5 with timestamp +511
Thu Nov  8 11:26:22 2012 : Info: Cleaning up request 15 ID 6 with timestamp +511
Thu Nov  8 11:26:22 2012 : Info: Cleaning up request 16 ID 7 with timestamp +511
Thu Nov  8 11:26:22 2012 : Debug: WARNING: !!
Thu Nov  8 11:26:22 2012 : Debug: WARNING: !! EAP session for state 0xa24b0ed9a54317a0 did not finish!
Thu Nov  8 11:26:22 2012 : Debug: WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
Thu Nov  8 11:26:22 2012 : Debug: WARNING: !!



Things I've already checked:
 - eap.conf is identical on both servers (I copied it over).
 - There were some old discussions about a Samba bug, but both servers
are running 3.5.6.
 - radtest with PAP / users file is still working successfully.

Can someone point me in the right direction?  Where should I be
looking?  Is something lingering from my certificates fail

Re: Identifying Virtual-Server from Inner-Tunnel

2012-10-05 Thread Jordan Dohms
Exactly what I needed, thank you.  This worked perfectly and needs
just one virtual-server.

if ("%{outer.request:Packet-Dst-Port}" == "1912") {
	# policy for requests that arrived on the port-1912 listener
}

elsif ("%{outer.request:Packet-Dst-Port}" == "1812") {
	# policy for requests that arrived on the port-1812 listener
}

On Thu, Oct 4, 2012 at 4:21 PM, Matthew Newton  wrote:
> On Thu, Oct 04, 2012 at 01:07:57PM -0600, Jordan Dohms wrote:
>> - Depending on the virtual server the request was received through,
>> call a different mschap module from the inner-tunnel or reject the
>> request. (not working)
>
> You've gone to the hassle of duplicating RADIUS server configs in
> your clients and sending requests to different ports, so you could
> do your check based on Packet-Dst-Port.
>
>> If there's a better/cleaner/simpler way to do this, I'm all ears.
>
> If there is something in the packet that can indicate which
> network is being connected to, you likely don't need to use two
> ports as you can just do it all in one server (testing based on
> that attribute). For example, with wireless networks, you can
> usually get the SSID in the request somehow.
>
>> virtual-server?  Should I need to set a separate variable in the
>> outer-server and read it below?
>
> I guess that's another way of doing it. Personally unless
> functionality was a lot different (which it doesn't sound like it
> is), I'd probably do it all in one outer server and test based on
> request attribute or Packet-Dst-Port, but if it works then it's
> OK.
>
> Cheers
>
> Matthew
>
>
> --
> Matthew Newton, Ph.D. 
>
> Systems Architect (UNIX and Networks), Network Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, 


Identifying Virtual-Server from Inner-Tunnel

2012-10-04 Thread Jordan Dohms
I’m still fairly new at FreeRADIUS.  Running 2.1.10 (we are planning
our upgrade shortly).

Kind of a two-pronged question here... I'm encountering a particular
issue, but also would like to hear if my broad approach is suitable.

I am attempting to do the following:
- Use one FreeRADIUS server to authenticate for two different 802.1X
networks (EAP-PEAP / MSCHAP).
- Both will use the mschap module to interface with Microsoft Active Directory.
- The first 802.1X network will authenticate against DOMAIN1, the
second against both DOMAIN1 and DOMAIN2.  The first network should
reject authentication attempts from DOMAIN2.
- All usernames are specified with a full realm / fqdn.
- The RADIUS clients (wireless access points) will all be the same for
the two networks.

What (I think) is the solution:
- In order for FreeRADIUS to distinguish what set of users (DOMAIN1 or
DOMAIN1/2) to authenticate against, I have setup two virtual servers
listening on different ports and (obviously) different names.
(working)
- The clients connect to FreeRADIUS over a different port depending on
the network they're attempting to connect to. (working)
- Setup realms for both DOMAIN1 and DOMAIN2 to have them both
authenticate locally. (working)
- Setup two mschap modules to call ntlm_auth command with the proper
DOMAIN string. (working)
- Depending on the realm provided, call a different mschap module from
the inner-tunnel. (working)
- Depending on the virtual server the request was received through,
call a different mschap module from the inner-tunnel or reject the
request. (not working)

If there's a better/cleaner/simpler way to do this, I'm all ears.

My issue:
Since it's EAP-PEAP, the request passes through the outer and
inner-tunnel virtual servers.  In my inner-tunnel, I'm doing an IF on
the Realm.  That seems to be evaluating properly if I look at the
debug logs.  If I do an IF on Virtual-Server it comes back with
'inner-tunnel'.  If I do outer.request:Virtual-Server it oddly also
comes back with 'inner-tunnel'.  How do I see the actual
virtual-server?  Should I need to set a separate variable in the
outer-server and read it below?

Here is my attempted code in "server inner-tunnel"

authenticate {
	Auth-Type MS-CHAP {
		# meant to pick the module by the outer virtual server;
		# this expands to "inner-tunnel" instead (see the debug output)
		if ("%{outer.request:Virtual-Server}" == "secure") {
			mschap_domain1
		}
		else {
			# fall back to choosing the module by realm
			if ("%{Realm}" == "domain1.fqdn.org") {
				mschap_domain1
			}
			elsif ("%{Realm}" == "domain2.fqdn.org") {
				mschap_domain2
			}
		}
	}
	eap
}

In my debug logs:

Thu Oct  4 13:05:18 2012 : Info: [mschapv2] +- entering group MS-CHAP {...}
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] ++? if ("%{outer.request:Virtual-Server}" == "secure")
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] expand: %{outer.request:Virtual-Server} -> inner-tunnel
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] ? Evaluating ("%{outer.request:Virtual-Server}" == "secure") -> FALSE
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] ++? if ("%{outer.request:Virtual-Server}" == "secure") -> FALSE
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] ++- entering else else {...}
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] +++? if ("%{Realm}" == "domain1.fqdn.org")
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] expand: %{Realm} -> domain2.fqdn.org
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] ? Evaluating ("%{Realm}" == "domain1.fqdn.org") -> FALSE
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] +++? if ("%{Realm}" == "domain1.fqdn.org") -> FALSE
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] +++? elsif ("%{Realm}" == "domain2.fqdn.org")
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] expand: %{Realm} -> domain2.fqdn.org
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] ? Evaluating ("%{Realm}" == "domain2.fqdn.org") -> TRUE
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] +++? elsif ("%{Realm}" == "domain2.fqdn.org") -> TRUE
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] +++- entering elsif ("%{Realm}" == "domain2.fqdn.org") {...}

Any suggestions for what I'm doing wrong or maybe a better way to tackle it?

Thanks,
Jordan Dohms