802.1x/EAP-TLS and MAC authentication via SQL with dynamic VLANs
Hi!

We've currently a MAC authentication running with dynamic VLANs via SQL for wired clients. We return the wished VLAN for the client by using the SQL function authorize_reply_query. We now want to add 802.1x EAP-TLS as a supported authentication method. I got the setup so far that I'm able to authenticate a client which supports it via 802.1x and the others as fallback with MAC. With MAC auth everything works, but with 802.1x I'm not able to return the VLAN the switch should use.

How can I tell freeradius to make a SQL lookup for the reply values? And how can I use the CN of the certificate in the SQL query? I believe I need one query for MAC and one for EAP-TLS, as for one I search for the MAC address and in the other the CN ... correct?

The last question is more general. How do I get the MAC address for a client that is authenticating with EAP-TLS? I would like to add this to the sqllog.

Thx for your help!

I'm using freeradius2-2.1.7-7.el5 on rhel5 with the following config:

    authorize {
        eap {
            ok = return
        }
        redundant {
            sql
            do_not_respond   # send nothing to the switch if sql fails, another server will take over
        }
        if (ok) {
            update control {
                Auth-Type := Accept
            }
            # 'handled' does not work here
            ok = return
        }
    }

Kind regards
Robert Penz

Dipl. Inf. Robert Penz
DVT-Daten-Verarbeitung-Tirol GmbH
Adamgasse 22, 6020 Innsbruck
Tel: +43 512 508 3334 / Fax: +43 512 508 3355
eMail: robert.p...@tirol.gv.at

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: 802.1x/EAP-TLS and MAC authentication via SQL with dynamic VLANs
Hi!

Thx for the fast response! But how do I execute the SQL authorize_reply_query query after I did an EAP authentication? I don't do that currently in post-auth. I just have the sql module activated in authorize.

Or would it anyway be a better idea to have more than one issuer and return the VLAN data based on that? E.g. one issuer for the PC net and one for the printer net? Can I use the issuer in a SQL query? As I've different switch types which need different responses, I use a SQL lookup with the NAS IP against a switch type table to get the correct response.

Kind regards
Robert Penz

-----Original Message-----
From: freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org [mailto:freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org] On Behalf Of Matthew Newton
Sent: Thursday, 22 March 2012 15:48
To: FreeRadius users mailing list
Subject: Re: 802.1x/EAP-TLS and MAC authentication via SQL with dynamic VLANs

Hi,

On Thu, Mar 22, 2012 at 03:24:41PM +0100, PENZ Robert wrote:
> And how can I use the CN of the certificate in the SQL query? I
> believe I need one query for MAC and one for EAP-TLS, as for one
> I search for the MAC address and in the other the CN ...
> correct?

Common Name of the cert is in TLS-Client-Cert-Common-Name, but only available in post-auth. However, that should be OK to update the reply to set a VLAN.

> I'm using freeradius2-2.1.7-7.el5 on rhel5 with following config

You'll need to upgrade to 2.1.12. This is too old and doesn't have the above attribute.

> The last question is more general. How do I get the mac address
> for a client that is authenticating with EAP-TLS, would like to
> add this to the sqllog? Thx for your help!

Calling-Station-Id, as usual.

Matthew

--
Matthew Newton, Ph.D.
Systems Architect (UNIX and Networks), Network Services, I.T. Services,
University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253
set and use internal comment variable
Hi!

I've a setup where it is possible to deny a request at various places for different reasons. I use sql_log in post-auth to log the replies. It would now be nice to add a comment variable which I fill at the various stations that can deny a request, so I know why a request was denied.

How should I try to solve this? Or is there an even better way without a comment variable to do something like this?

Thx for your help.

Kind regards
Robert Penz

Dipl. Inf. Robert Penz
DVT-Daten-Verarbeitung-Tirol GmbH
Adamgasse 22, 6020 Innsbruck
Tel: +43 512 508 3334 / Fax: +43 512 508 3355
eMail: robert.p...@tirol.gv.at
rlm_python configTuple question
Hi!

The python functions should return (return, replyTuple, configTuple). return is one of the following constants:

    #RLM_MODULE_REJECT = 0    # /* immediately reject the request */
    #RLM_MODULE_FAIL = 1      # /* module failed, don't reply */
    #RLM_MODULE_OK = 2        # /* the module is OK, continue */
    #RLM_MODULE_HANDLED = 3   # /* the module handled the request, so stop. */
    #RLM_MODULE_INVALID = 4   # /* the module considers the request invalid. */
    #RLM_MODULE_USERLOCK = 5  # /* reject the request (user is locked out) */
    #RLM_MODULE_NOTFOUND = 6  # /* user not found */
    #RLM_MODULE_NOOP = 7      # /* module succeeded without doing anything */
    #RLM_MODULE_UPDATED = 8   # /* OK (pairs modified) */
    #RLM_MODULE_NUMCODES = 9  # /* How many return codes there are */

replyTuple contains the attributes which are sent to the requesting NAS, but I couldn't find out what configTuple is exactly. I currently only pass an () and it works. Is it the same as "update control" and setting variables in the normal config files?

What I would like to do is to provide a variable which can be used in the config file after calling the python module, to compare it against "%{TLS-Client-Cert-Subject}", as I don't see a possibility to get this variable in the python module to do the compare there.

Thx for your help.

Kind regards
Robert Penz

--
Dipl.Inf. Robert Penz
DVT - Daten-Verarbeitung-Tirol GmbH
Adamgasse 22, 6020 Innsbruck
Tel: +43 (0)512 508 3334 / Fax: +43 (0)512 508 3355
E-Mail: robert.p...@tirol.gv.at
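As an added example (not code from the post above or from FreeRADIUS itself), here is an rlm_python authorize function written in the three-tuple style the post describes, with the third element used to hand a value to the unlang that runs after the module. Everything about the module interface here is my reading of it, stated as an assumption: that rlm_python 2.x passes the request to the function as a tuple of (name, value) pairs, and that the third returned tuple is merged into the request's control list (so it behaves like "update control"). Tmp-String-0 is assumed to be a defined internal attribute of the server; the MAC-to-subject inventory, host names and MACs are constructed.

```python
# Added example, not from the original post or from FreeRADIUS. Return shape:
# (return code, reply pairs sent to the NAS, config pairs for the control list).
# Assumptions: rlm_python 2.x hands the request over as a tuple of (name, value)
# pairs and merges the third tuple element into the control list; Tmp-String-0 is
# taken to be a defined internal attribute. The inventory below is constructed.

RLM_MODULE_REJECT = 0
RLM_MODULE_OK = 2
RLM_MODULE_NOTFOUND = 6
RLM_MODULE_UPDATED = 8

# Constructed inventory: which certificate subject may be presented from which MAC.
EXPECTED_SUBJECT = {
    "00-11-22-33-44-55": "/C=AT/O=Example/CN=host/pc-0001.example.local",
    "00-11-22-33-44-66": "/C=AT/O=Example/CN=host/printer-0002.example.local",
}


def _attr(request_pairs, name):
    """Look one attribute up in the (name, value) tuple handed to the function."""
    for key, value in request_pairs:
        if key == name:
            return value
    return None


def authorize(p):
    mac = _attr(p, "Calling-Station-Id")
    if not mac:
        # Nothing to key on: reject, with a Reply-Message in the reply tuple.
        return (RLM_MODULE_REJECT, (("Reply-Message", "no Calling-Station-Id"),), ())
    subject = EXPECTED_SUBJECT.get(mac.lower())
    if subject is None:
        # Unknown MAC: report "not found" and let the surrounding unlang policy decide.
        return (RLM_MODULE_NOTFOUND, (), ())
    # No reply attributes yet. The expected subject goes into the control list, so
    # that post-auth unlang (where TLS-Client-Cert-Subject exists) can compare:
    #   if ("%{TLS-Client-Cert-Subject}" == "%{control:Tmp-String-0}") { ... }
    return (RLM_MODULE_UPDATED, (), (("Tmp-String-0", subject),))
```

The comparison itself has to stay in unlang after the EAP session has finished, since the certificate attributes are only populated then; the module's job is limited to looking up what the certificate is expected to say and leaving that in the control list.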
Windows 7 answers LAN based EAP-TLS with EAP-NAK and PEAP
Hi!

I've a problem with 802.1x and EAP-TLS where I'm not quite sure who is responsible for this problem and how to work around it. I hope someone can help me - I couldn't find anything with Google and I just can't believe I'm the first guy with this problem.

The setup is the following:

- Windows 7 SP1 client with 802.1x and EAP-TLS configured
- Extreme Networks 450e switches --> LAN based 802.1x
- Freeradius 2.1.12-3.el5 on RHEL5, only TLS as EAP type configured/allowed

The problem now is that in 1/3 of the client boots (done over 40 times with a tap device running as sniffer) the Windows client sends a response "Legacy Nak (Response only) [RFC3748]" with the wish for PEAP. After this the freeradius server sends a reject ([eap] NAK asked for unsupported type PEAP). With the next identity request the client does a clean EAP-TLS handshake, but the switch already put the client into the reject network.

Here is the communication flow in these cases (Wireshark); line 5 / packet 54 is the problem:

    No.  Time       Source --> Destination  Protocol  Length  Info
    9    27.371093  switch --> client       EAP       60      Request, Identity [RFC3748]
    51   43.669530  switch --> client       EAP       60      Request, Identity [RFC3748]
    52   43.693510  client --> switch       EAP       60      Response, Identity [RFC3748]
    53   43.699498  switch --> client       EAP       60      Request, EAP-TLS [RFC5216] [Aboba]
    54   43.700496  client --> switch       EAP       60      Response, Legacy Nak (Response only) [RFC3748]
    84   44.639980  switch --> client       EAP       60      Request, Identity [RFC3748]
    85   44.646980  client --> switch       EAP       60      Response, Identity [RFC3748]
    86   44.652974  switch --> client       EAP       60      Request, EAP-TLS [RFC5216] [Aboba]
    87   44.758887  client --> switch       TLSv1     123     Client Hello
    88   44.765875  switch --> client       TLSv1     1042    Server Hello, Certificate, Certificate Request, Server Hello Done
    89   44.766875  client --> switch       EAP       60      Response, EAP-TLS [RFC5216] [Aboba]
    90   44.772880  switch --> client       TLSv1     1042    Server Hello, Certificate, Certificate Request, Server Hello Done
    91   44.772892  client --> switch       EAP       60      Response, EAP-TLS [RFC5216] [Aboba]
    92   44.778868  switch --> client       TLSv1     1042    Server Hello, Certificate, Certificate Request, Server Hello Done
    93   44.779865  client --> switch       EAP       60      Response, EAP-TLS [RFC5216] [Aboba]
    94   44.784859  switch --> client       TLSv1     177     Server Hello, Certificate, Certificate Request, Server Hello Done
    95   44.787862  client --> switch       TLSv1     1510    Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message
    96   44.793854  switch --> client       EAP       60      Request, EAP-TLS [RFC5216] [Aboba]
    97   44.793861  client --> switch       TLSv1     530     Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message
    98   44.807887  switch --> client       TLSv1     87      Change Cipher Spec, Encrypted Handshake Message
    102  44.818881  client --> switch       EAP       60      Response, EAP-TLS [RFC5216] [Aboba]
    103  44.855827  switch --> client       EAP       60      Success

It seems to be a timing issue anyway:

- Windows 7 is configured to EAP-TLS with GPOs
- I've uninstalled anti-virus and behavior detection software

In 2/3 of the cases it works and the client does not send a NAK, so I believe it is a client problem, but it's Windows 7 ... there must be thousands of installs with Windows 7 and 802.1x EAP/TLS. Would it help if freeradius ignores the EAP-NAK packets?

Any help appreciated!

Kind regards
Robert Penz

--
Dipl.Inf. Robert Penz
DVT - Daten-Verarbeitung-Tirol GmbH
Adamgasse 22, 6020 Innsbruck
Tel: +43 (0)512 508 3334 / Fax: +43 (0)512 508 3355
E-Mail: robert.p...@tirol.gv.at
Re: Windows 7 answers LAN based EAP-TLS with EAP-NAK and PEAP
> > The problem now is that in 1/3 of the clients boots (done over 40 times
> > with a tap devices running as sniffer) the Windows Client sends an
> > response: Legacy Nak (Response only) [RFC3748] with the wish for PEAP.
> > After this the freeradius Server sends a reject ([eap] NAK asked for
> > unsupported type PEAP).
>
> Either configure PEAP, or fix the client to stop asking for PEAP.

trying ... ;-)

> > In the 2/3 of the cases it works the Client does not send a NAK, so I
> > believe it is a client problem but it's Windows 7 ... there must be
> > thousands of installs with Windows 7 and 802.1x EAP/TLS.
>
> It's definitely a client problem.

Yeah, we'll open a case. It seems to be a problem if the configuration is done via GPOs, but not sure.

> My suggestion is to do a re-install on the client. Other Windows 7
> machines don't behave this way.

Does not help. We can reproduce the problem on multiple machines.
Re: Windows 7 answers LAN based EAP-TLS with EAP-NAK and PEAP
Hi!

We've found the problem and fixed it together with the Microsoft support. Here is the link to the hotfix, if other FreeRadius users have the same problem: http://support.microsoft.com/kb/2481614

Robert
EAP-TLS Failed in handler question
Hi!

I've 802.1x (EAP-TLS) on a wired network activated, and it works 99% of the time ... just some authentications fail, but some minutes later the same client authenticates without a problem. As it happens only once every few days and always with a new client, I cannot put a sniffer between the PC and switch, as I don't know which client is the next. But I enabled the debug logging on the freeradius server. The clients are Windows 7 PCs and I'm running freeradius2-2.1.12-3.el5 on RHEL5.

My first question is, how can I decode an EAP-Message from the debug log to check if the request is itself ok? Here is the first packet from this client in some time, and it already generates the error. But the same client worked before and after it for days without a problem:

    rad_recv: Access-Request packet from host 10.xxx.xxx.4 port 44519, id=151, length=244
        User-Name = "host/x.tirol.local"
        EAP-Message = 0x02ff00690d80005f160301005a0156030150a6115ee4ca2d9456a7fa7edad2fb1c7b221fc747eb78eb4d789ff077c48ef818002f00350005000ac013c014c009c00a00320038001300040115ff0100010a0006000400170018000b00020100
        NAS-IP-Address = 10.xxx.xxx.4
        Service-Type = Login-User
        Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
        NAS-Port-Id = "2:3"
        NAS-Port = 2003
        NAS-Port-Type = Ethernet
        State = 0x8df2b5f98df2b8eb6e43e372671f4335
        Message-Authenticator = 0x6822006f5e7cf03d00a08b04869d19d8

and the relevant other log lines:

    ++? if (!EAP-Message)
    ? Evaluating !(EAP-Message) -> FALSE
    ++? if (!EAP-Message) -> FALSE
    ++- entering else else {...}
    [eap] EAP packet type response id 255 length 105
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    +++[eap] returns updated
    ++- else else returns updated
    Found Auth-Type = EAP
    # Executing group from file /etc/raddb/sites-enabled/default
    +- entering group EAP {...}
    rlm_eap: No EAP session matching the State variable.
    [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
    [eap] Failed in handler
    ++[eap] returns invalid

Invalid means I return a reject ... should I return something else? Is this a client problem or a misconfiguration on my part?

Thx for your help!

Kind regards
Robert Penz

--
Dipl.Inf. Robert Penz
DVT - Daten-Verarbeitung-Tirol GmbH
Adamgasse 22, 6020 Innsbruck
Tel: +43 (0)512 508 3334 / Fax: +43 (0)512 508 3355
E-Mail: robert.p...@tirol.gv.at
Re: EAP-TLS Failed in handler question
Hi!

First, thx for your response.

> > My first question is, how can I decode a EAP-Message from the debug
>
> Wireshark, or read the EAP RFC and decode it manually (see below)

ok, I believe I got lucky and got a tcpdump trace on a client yesterday ... need to check it, and if it is the same problem I'll provide more info.

> > log to check if the request is itself ok. Here is first packet from
>
> No, this is *not* the first packet, because it has a "State" attribute,
> which is only present in 2nd and subsequent packets of the EAP exchange.

With first packet I meant the first packet the radius server saw in some time ... the switch forces a reauthentication every 2h.

> The reason you're getting the error message is that the "State"
> attribute is unknown, so FR can't proceed with the EAP session and has
> no choice but to drop it.
>
> Check you haven't reduced the "timer_expire" value in eap.conf to a
> too-low value.

    # A list is maintained to correlate EAP-Response
    # packets with EAP-Request packets. After a
    # configurable length of time, entries in the list
    # expire, and are deleted.
    #
    timer_expire = 120

The default was 60 .. I doubled it some weeks ago, as I saw "No EAP session matching the State variable" entries in the log.

> How many FR servers do you have serving this NAS? Is it possible the NAS
> is sending packets in a round-robin fashion (which is bad) which is why
> you're seeing a packet for which you don't have State?

In this case it is only one .. we're running in pre-production with the IT department clients (about 100 clients) to make sure it is stable before rollout. But in production it will be more than one ... good point, we need to check that too before going into production.

> I guess it's possible something is mangling the State attribute from the
> previous packet (which is *actually* the first packet).
>
> Otherwise, the client or NAS is doing something odd.
>
> It *could* be that the client just got stuck and is responding (very)
> late. But I'm quite surprised the NAS didn't timeout the EAP auth before
> that.

We're running Extreme Networks switches with the following timers set:

    configure netlogin dot1x timers quiet-period 30
    configure netlogin dot1x timers reauth-period 7200

The following other timers are set to the default values:

    server-timeout       Configure RADIUS server timeout for 802.1X
    supp-resp-timeout    Configure supplicant response timeout

> > rad_recv: Access-Request packet from host 10.xxx.xxx.4 port 44519,
> > id=151, length=244 User-Name = "host/x.tirol.local"
> > EAP-Message = 0x02ff00690d80005f160301005a01
>
> Ok so this says:
>
> 02 - eap response
> ff - eap ID 255 - bit odd..
> 0069 - length in hex
> 0d - eap type 13 (EAP-TLS)
> 80 - eap TLS flags = length included
> 005f - tls length
> 160301 - TLS packet 0x16==22==handshake record, version 3,1 (TLS 1.0)
> 005a - record length
> 01 - handshake=client hello

cool !!

> etc. etc.
>
> So, it's the start of an EAP-TLS exchange, but as above, it's *not* the
> first packet. If you start a tcpdump on the server, you'll see how this
> works:
>
> C: Access-Request, no state, EAP-Identity=abc
> S: Access-Challenge, state=, EAP-TLS blah
> C: Access-Request, state=, EAP-TLS blah

ok

> i.e. the NAS has to reflect the "State" back to FreeRADIUS on each
> packet. Something is interfering with that, or erasing the "State" at
> your end (a timer or restart).
>
> > rlm_eap: No EAP session matching the State variable
>
> See?

But I didn't see a reason for it ;-)

> > Invalid means I return a reject ... should I return something else?
>
> No.

But reject means the switch sets the port to the guest vlan, and therefore the PC loses the connections ... is there a way to request a new full eap/tls handshake from the client?

> > Is this a client problem or a misconfiguration on my part?
>
> It's probably a client or NAS problem, unless you've set timer_expire
> too low.
>
> However: I guess this could also happen right after the server is
> restarted. Could that be it - is a cron job restarting it maybe?

No, the server is running for > 10 days. But if I would restart the server, I would reject all clients to the guest vlan on reauthentication after that ... that can't be the designed way.

Robert
Re: Re: EAP-TLS Failed in handler question
> > With first packet I meant first packet the radius server saw in some time
> > ... the switch forces a reauthentification every 2h
>
> A re-auth is a fresh EAP session. So even on a re-auth, the first packet
> would not have a "State" attribute, absent software bugs.

ok

> >> It *could* be that the client just got stuck and is responding (very)
> >> late. But I'm quite surprised the NAS didn't timeout the EAP auth before
> >> that.
> >
> > We're running Extreme Networks Switches with following timers set:
> >
> > configure netlogin dot1x timers quiet-period 30
> > configure netlogin dot1x timers reauth-period 7200
>
> We run SummitX edge, and when I've tested dot1x netlogin in the past, I
> haven't seen this issue. We've never widely deployed it, however, so
> it's possible there's an XOS bug where a small percentage of re-auths
> erroneously re-use the "State". You'd need to get a packet capture to be
> sure.

ok ... will try to get one .. it is not easy ...

> > but reject means the switch sets the port to the guest vlan, and therefor
> > the PC loses the connections ... is there a way to request a new full
> > eap/tls handshake from the client?
>
> You're not understanding, or I'm not making myself clear.
>
> Suggestion: fire up wireshark, and take a careful look at a normal EAP
> authentication. You'll see that the first packet is an EAP-Identity
> without a "State" attribute, which the server responds to with an
> Access-Challenge containing the default eap type "start" payload, and a
> "State" attribute.
>
> Are you *absolutely sure* that these packets are really the first RADIUS
> packet in the auth/re-auth?

will check again and get back to you

> If you're sure, your problem seems to be that the correct first packet
> isn't being sent; the switch is just jumping straight in with the EAP
> payload *and* a "State" attribute. I am curious to know where it's
> getting that "State" attribute.
>
> The server source code assumes that a "State" attribute will be valid.
> There's no setting to "just accept it".
>
> Interestingly, I see the RADIUS RFC does actually allow clients to send
> a previous "State" if you send an Access-Accept with:
>
> Termination-Action = RADIUS-request
>
> You're not doing that, are you?

no, I'm not

> No. As above, re-auths start new EAP sessions. You would only reject any
> EAP sessions that were in the *middle* of performing an auth, as the
> "state" would be lost across restarts. But this is a very narrow window.

So would it be best to set iptables to drop requests for 1 min, then restart the radius and remove the iptables rules? Or can I set freeradius in a mode where it does not accept new sessions, and after 2 minutes I restart it? So that the switch is forced onto the other switch. Or what is the best practice to never have false rejects?
Re: Re: EAP-TLS Failed in handler question
Hi!

I was still not able to get a trace on the client side, but I believe these debug log entries should help. This time I got the start packet, and within some seconds I get the second packet to the radius server, and the State variable seems to be the same.

    Ready to process requests.
    rad_recv: Access-Request packet from host 10.xx.xx.5 port 54217, id=11, length=152
        User-Name = "host/x.local"
        EAP-Message = 0x02ff002101686f73742f4456542d303039363832322e7469726f6c2e6c6f63616c
        NAS-IP-Address = 10.xx.xx.5
        Service-Type = Login-User
        Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
        NAS-Port-Id = "1:29"
        NAS-Port = 1029
        NAS-Port-Type = Ethernet
        Message-Authenticator = 0xd080844ef3e47a9bc21e8c848b5a8548
    ..
    [eap] EAP packet type response id 255 length 33
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    +++[eap] returns updated
    ++- else else returns updated
    Found Auth-Type = EAP
    # Executing group from file /etc/raddb/sites-enabled/default
    +- entering group EAP {...}
    [eap] EAP Identity
    [eap] processing type tls
    [tls] Requiring client certificate
    [tls] Initiate
    [tls] Start returned 1
    ..
    Sending Access-Challenge of id 11 to 10.xx.xx.5 port 54217
        EAP-Message = 0x01060d20
        Message-Authenticator = 0x
        State = 0x642534cc642539e20b4be1e3ae0328c0
    Finished request 62603.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 10.xx.xx.5 port 54217, id=12, length=242
        User-Name = "host/x.tirol.local"
        EAP-Message = 0x02ff00690d80005f160301005a0156030150bd9377fb696c9f5eaedc568220f9aa35ab65930cf2232f4131c054b056295418002f00350005000ac013c014c009c00a00320038001300040115ff0100010a0006000400170018000b00020100
        NAS-IP-Address = 10.xx.xx.5
        Service-Type = Login-User
        Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
        NAS-Port-Id = "1:29"
        NAS-Port = 1029
        NAS-Port-Type = Ethernet
        State = 0x642534cc642539e20b4be1e3ae0328c0
        Message-Authenticator = 0xeada93f9da1ca47a6f0325e8ad0414a9
    ...
    [eap] EAP packet type response id 255 length 105
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    +++[eap] returns updated
    ++- else else returns updated
    Found Auth-Type = EAP
    # Executing group from file /etc/raddb/sites-enabled/default
    +- entering group EAP {...}
    rlm_eap: No EAP session matching the State variable.
    [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
    [eap] Failed in handler
    ++[eap] returns invalid

There is no other packet between these two and only 5 seconds; the server has not been restarted.

Robert
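Phil's byte-by-byte walk-through earlier in this thread and the two debug excerpts Robert posted lend themselves to a small tool, added here as an example that is not code from the thread or from FreeRADIUS: a decoder for the EAP-Message attribute (RFC 3748 header, RFC 5216 EAP-TLS flags and the TLS record header behind them) plus a correlator that replays the two checks the server applies to an Access-Request, namely that its State was issued in one of the server's own Access-Challenges and that the Response's EAP Identifier equals the Identifier of the Request it answers. On the second capture above the challenge carries Identifier 6 while both client Responses carry 255, which is what the switch vendor's later fix note in this thread ("802.1x re-authentication fails when EAP ID reaches 255") describes. The packets and the debug excerpt below are constructed to mirror the thread (host name, MAC and IP are invented; the challenge is written out as a full six-byte EAP-TLS Start with Identifier 6). One caveat the decoder enforces: the EAP-Message hex as archived in the thread is 10 bytes shorter than its own Length field (0x0069 = 105, but 95 bytes were pasted), so the decoder refuses it rather than misreading the TLS fields; decode from a capture, not from a mailing-list paste.

```python
# Added example, not code from the thread or from FreeRADIUS. Sample packets and
# the debug excerpt are constructed to mirror the thread; names and addresses are invented.
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP"}
TLS_RECORD_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
TLS_HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate"}

def decode_eap(hexstr):
    """Decode one EAP packet in the form FreeRADIUS prints EAP-Message ('0x...')."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 4 or int.from_bytes(raw[2:4], "big") != len(raw):
        raise ValueError("EAP Length field does not match the %d bytes present" % len(raw))
    code, ident, length = raw[0], raw[1], len(raw)
    pkt = {"code": code, "code_name": EAP_CODES.get(code, "?"), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:
        eap_type, body = raw[4], raw[5:]
        pkt["type"], pkt["type_name"] = eap_type, EAP_TYPES.get(eap_type, "?")
        if eap_type == 1:
            pkt["identity"] = body.decode("utf-8", "replace")
        elif eap_type == 3:
            pkt["desired_types"] = list(body)  # a Nak lists the types the peer would accept
        elif eap_type == 13 and body:
            pkt.update(decode_eap_tls(body))
    return pkt

def decode_eap_tls(body):
    """EAP-TLS Type-Data (RFC 5216): flags, 4-byte TLS length if the L bit is set, then TLS records."""
    flags, pos = body[0], 1
    out = {"length_included": bool(flags & 0x80), "more_fragments": bool(flags & 0x40), "tls_start": bool(flags & 0x20)}
    if flags & 0x80:
        out["tls_length"], pos = int.from_bytes(body[1:5], "big"), 5
    if len(body) >= pos + 5:  # TLS record header: content type, version, length
        out["record_type"] = TLS_RECORD_TYPES.get(body[pos], "?")
        out["tls_version"] = (body[pos + 1], body[pos + 2])
        out["record_length"] = int.from_bytes(body[pos + 3:pos + 5], "big")
        if body[pos] == 22 and len(body) > pos + 5:
            out["handshake_type"] = TLS_HANDSHAKE_TYPES.get(body[pos + 5], "?")
    return out

def build_eap(code, ident, eap_type=None, payload=b""):
    """Assemble a well-formed EAP packet; used only to construct the sample input below."""
    body = (bytes([eap_type]) if eap_type is not None else b"") + payload
    return bytes([code, ident]) + (4 + len(body)).to_bytes(2, "big") + body

# Constructed packets shaped like the thread's: a TLS 1.0 ClientHello record (type 0x16,
# version 3.1, length 0x5a) in an EAP-TLS Response with Identifier 255, and an Identity Response.
CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x5a, 0x01, 0x00, 0x00, 0x56]) + bytes(86)
TLS_RESPONSE = build_eap(2, 255, 13, bytes([0x80]) + len(CLIENT_HELLO).to_bytes(4, "big") + CLIENT_HELLO)
IDENTITY_RESPONSE = build_eap(2, 255, 1, b"host/pc-0001.example.local")

# Constructed debug excerpt modelled on the thread's second capture: an EAP-TLS Start
# challenge with Identifier 6, then a Response that carries Identifier 255 instead.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 10.0.0.5 port 54217, id=11, length=152
\tUser-Name = "host/pc-0001.example.local"
\tEAP-Message = 0x%s
Sending Access-Challenge of id 11 to 10.0.0.5 port 54217
\tEAP-Message = 0x010600060d20
\tState =  0x642534cc642539e20b4be1e3ae0328c0
rad_recv: Access-Request packet from host 10.0.0.5 port 54217, id=12, length=242
\tUser-Name = "host/pc-0001.example.local"
\tEAP-Message = 0x%s
\tState = 0x642534cc642539e20b4be1e3ae0328c0
""" % (IDENTITY_RESPONSE.hex(), TLS_RESPONSE.hex())

def parse_debug(text):
    """Split 'radiusd -X' style output into packets, each with its attribute/value pairs."""
    packets = []
    for line in text.splitlines():
        m = (re.match(r"rad_recv: (\S+) packet from host \S+ port \d+, id=(\d+)", line)
             or re.match(r"Sending (\S+) of id (\d+) to \S+ port", line))
        if m:
            packets.append({"kind": m.group(1), "radius_id": int(m.group(2)), "attrs": {}})
            continue
        m = re.match(r"\s*([\w-]+) = (.*)$", line)
        if m and packets:
            packets[-1]["attrs"][m.group(1)] = m.group(2).strip().strip('"')
    return packets

def correlate(packets):
    """Replay the server's bookkeeping: State must come from one of our Challenges, and the
    Response's EAP Identifier must equal that of the Request sent with it (RFC 3748, 4.1)."""
    outstanding, findings = {}, []  # State -> Identifier of the EAP Request it was sent with
    for p in packets:
        state = p["attrs"].get("State")
        try:
            eap = decode_eap(p["attrs"]["EAP-Message"]) if "EAP-Message" in p["attrs"] else None
        except ValueError as exc:
            findings.append((p["radius_id"], "malformed EAP-Message: %s" % exc))
            continue
        if p["kind"] == "Access-Challenge" and state and eap:
            outstanding[state] = eap["id"]
        elif p["kind"] == "Access-Request" and state:
            if state not in outstanding:
                findings.append((p["radius_id"], "State not issued here (other server, expired, restart)"))
            elif eap and eap["id"] != outstanding[state]:
                findings.append((p["radius_id"], "EAP Identifier %d in Response, Request carried %d" % (eap["id"], outstanding[state])))
    return findings
```

Run over a full radiusd -X log, parse_debug() picks up every rad_recv/Sending pair and correlate() yields two kinds of findings: "State not issued here" is the round-robin, expiry or restart case Phil raised, and the Identifier mismatch is the case that applied in this thread, where the State was fine but the switch answered a Request with Identifier 6 using Identifier 255.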
Re: Re: Re: EAP-TLS Failed in handler question
> > There is no other packet between this two and only 5 seconds, server has
> > not been restarted.
>
> Weird.
>
> But we need the *full* debug please!

Some special option, or the full log file? The second I send you in a private mail.

Robert
Re: Re: Re: EAP-TLS Failed in handler question
@PhilMayers: Did you get the mail with the full logfile? Do you need more?

Kind regards
Robert Penz

Dipl. Inf. Robert Penz
DVT-Daten-Verarbeitung-Tirol GmbH
Adamgasse 22, 6020 Innsbruck
Tel: +43 512 508 3334 / Fax: +43 512 508 3355
eMail: robert.p...@tirol.gv.at
Re: Re: Re: EAP-TLS Failed in handler question
Hi!

Phil, really BIG THANKS for your help! I'll talk to Extreme Networks.

Robert
Re: Re: Re: EAP-TLS Failed in handler question
Hi!

Phil, thx again for your help - according to Extreme the bug has been fixed in summitX-15.2.2.7-patch1-2:

    PD4-3163943281  802.1x re-authentication fails when EAP ID reaches 255.

This version also fixes a bug we reported which is related to 802.1x:

    PD4-3271740739  While using Dot1x and MAC-based netlogin on the same port, the MAC reauthentication timer should stop after the client is authenticated with dot1x credentials.
Override EAP invalid result in authentication section
Hi!

I want to configure Freeradius (freeradius-2.1.12-4.el6_3) to authenticate failed EAP-TLS requests (from authorized MACs) into a remediation VLAN and not reject them to the guest VLAN. My config looks like this:

    authorize {
        # we don't know the MAC, reject it to the guest net
        if (!ok) {
            update control {
                MACAU-Reason := "MAC address not in DB"
            }
            reject
        }

        # if not 802.1x it's only MAC auth
        if (!EAP-Message) {
            # mac has already been checked, accept (it gets into the remediation VLAN)
            update control {
                Auth-Type := Accept
                MACAU-Reason := "only MAC, no 802.1x"
            }
        } else {
            # we're in the 802.1x path, continued in the authenticate section
            eap
        }
    }

    authenticate {
        Auth-Type EAP {
            eap {
                handled = 1
                invalid = 1
            }
            if (ok) {
                # update VLAN to production client network
                # this part works perfectly
            } else {
                # EAP didn't work
                if (EAP-Type == "NAK") {
                    update control {
                        MACAU-Reason := "unsupported EAP typ --> Client misconfiguration"
                        Auth-Type := Accept
                    }
                } else {
                    update control {
                        MACAU-Reason := "certificate invalid (e.g. revoked/expired)"
                        Auth-Type := Accept
                    }
                }
                ok    # <- does not work
            }
        }
    }

I just need an accept here; the VLAN which will be returned is already the remediation VLAN (as it is the same as if the client uses only MAC authentication). Currently the client gets rejected if e.g. the certificate is expired, as the client has not been in the network for some time. MACAU-Reason is logged to the DB in post-auth.

This is the log:

    Mon May 27 15:17:55 2013 : Info: [tls] eaptls_process returned 4
    Mon May 27 15:17:55 2013 : Info: [eap] Handler failed in EAP/tls
    Mon May 27 15:17:55 2013 : Info: [eap] Failed in EAP select
    Mon May 27 15:17:55 2013 : Info: ++[eap] returns invalid
    Mon May 27 15:17:55 2013 : Info: ++? if (ok)
    Mon May 27 15:17:55 2013 : Info: ? Evaluating (ok) -> FALSE
    Mon May 27 15:17:55 2013 : Info: ++? if (ok) -> FALSE
    Mon May 27 15:17:55 2013 : Info: ++- entering else else {...}
    Mon May 27 15:17:55 2013 : Info: +++? if (EAP-Type == "NAK")
    Mon May 27 15:17:55 2013 : Info: ? Evaluating (EAP-Type == "NAK") -> FALSE
    Mon May 27 15:17:55 2013 : Info: +++? if (EAP-Type == "NAK") -> FALSE
    Mon May 27 15:17:55 2013 : Info: +++- entering else else {...}
    Mon May 27 15:17:55 2013 : Info: [control] returns invalid
    Mon May 27 15:17:55 2013 : Info: +++- else else returns invalid
    Mon May 27 15:17:55 2013 : Info: ++- else else returns invalid
    Mon May 27 15:17:55 2013 : Info: Failed to authenticate the user.
    Mon May 27 15:17:55 2013 : Auth: Login incorrect (TLS Alert write:fatal:certificate unknown): [host/x/] (from client port cli xxx)
    Mon May 27 15:17:55 2013 : Info: Using Post-Auth-Type Reject

I hope someone can help me. Thx!

Kind regards
Robert Penz

--
Dipl.Inf. Robert Penz
DVT - Daten-Verarbeitung-Tirol GmbH
Adamgasse 22, 6020 Innsbruck
Tel: +43 (0)512 508 3334 / Fax: +43 (0)512 508 74 3355
E-Mail: robert.p...@tirol.gv.at
Re: Override EAP invalid result in authentication section
Hi!

> That doesn't work. You MUST return an EAP-Message attribute in the
> reply. Just sending an Access-Accept means that the NAS will *ignore*
> it, and close the connection.

I've removed the "Auth-Type := Accept" lines and kept the "ok" line, so it looks this way:

    # EAP didn't work
    if (EAP-Type == "NAK") {
        update control {
            MACAU-Reason := "unsupported EAP typ --> Client misconfiguration"
        }
    } else {
        update control {
            MACAU-Reason := "certificate invalid (e.g. revoked/expired)"
        }
    }
    ok

which leads to this:

Tue May 28 09:49:44 2013 : Info: +++? if (EAP-Type == "NAK")
Tue May 28 09:49:44 2013 : Info: ? Evaluating (EAP-Type == "NAK") -> FALSE
Tue May 28 09:49:44 2013 : Info: +++? if (EAP-Type == "NAK") -> FALSE
Tue May 28 09:49:44 2013 : Info: +++- entering else else {...}
Tue May 28 09:49:44 2013 : Info: [control] returns invalid
Tue May 28 09:49:44 2013 : Info: +++- else else returns invalid
Tue May 28 09:49:44 2013 : Info: ++- else else returns invalid
Tue May 28 09:49:44 2013 : Info: Failed to authenticate the user.
Tue May 28 09:49:44 2013 : Auth: Login incorrect (TLS Alert write:fatal:certificate unknown): [host//] (from client xxx port 1015 cli )
Tue May 28 09:49:44 2013 : Info: Using Post-Auth-Type Reject
Tue May 28 09:49:44 2013 : Info: # Executing group from file /etc/raddb/sites-enabled/default

> And this kind of thing is generally not recommended, because the
> server isn't really designed to fail authentication, and then force a
> success.

> You should instead do as little as possible in the "authenticate"
> section. Just change the return code to "ok".

> Then do any policy setting (VLAN, etc.) in post-auth.

But I can't change a Reject to Accept in Post-Auth ... at least that's what I read. Can you show me what I should do? I don't need to change VLANs ... I just need an accept; the VLAN is already correct (set in authorize already, as it's the same as for MAC authentication).

Robert
Re: Re: Re: Override EAP invalid result in authentication section
Hi!

I need to send devices with expired or revoked certificates to a remediation VLAN, but my reject VLAN is for guest access. Both checks happen at the end of the EAP process, where the switch expects a reject or accept packet. I now need to change the reject for the expired ones into an accept. Setting the VLAN for the switch is no problem, I do that already; I just need an accept. ;-)

I hope it's clear what I want/need. ;-)

Robert

-----Original Message-----
From: freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org [mailto:freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org] On Behalf Of Phil Mayers
Sent: Tuesday, 4 June 2013 11:37
To: freeradius-users@lists.freeradius.org
Subject: Re: Re: Re: Override EAP invalid result in authentication section

On 04/06/13 08:55, PENZ Robert wrote:
> Hi Phil!
>
> do you need something additional from me?

I'm not really sure what the question is.

You've set up FreeRADIUS to reject certain certificates, using the "verify" callout config option.

If you don't want to reject those certs, change the callout to permit them, and instead return the "sandbox" VLAN.
dynamic VLANs for many switches
Hi!

We've a quite big network and I want to assign VLANs dynamically based on the MAC address; as backend I want to use a SQL database. My problem now is that the VLAN IDs on different access switch stacks (the Layer 2 switches used) are different for the same network area, e.g. on switch1 VLAN 123 is used for printers and on switch2 VLAN 124 is used for printers. The reason for this is that the Layer 3 switch (which we use as the distribution switch of the building) needs to be part of all VLANs, and we can't use one VLAN for a building as the subnet would get too big. Another requirement is that a device can roam between different access switches (= floors and buildings), so the VLAN the switch port gets set to needs to be different, based on which switch is making the request.

This problem is easily solvable if I can use VLAN names in Tunnel-Private-Group-ID tags, as I would always set the name e.g. to printervlan. But in RFC 3580 is written:

    Note that the VLANID is 12-bits, taking a value between 1 and 4094, inclusive. Since the Tunnel-Private-Group-ID is of type String as defined in [RFC2868], for use with IEEE 802.1X, the VLANID integer value is encoded as a string.

So what is the recommended solution if I can only use the numerical IDs?

Thx for your help!

Kind regards
Robert Penz
Re: dynamic VLANs for many switches
Hi!

> This is not a FreeRADIUS question, it is a NAS question and whether your
> NAS supports VLAN *names* rather than just numbers.

I'm looking for a way to work with switches that do not support VLAN names, and therefore I believe it is a FreeRADIUS question. E.g. it would be possible for me to create a table with the VLAN IDs and the NAS IPs, so that FreeRADIUS could match them and send the correct VLAN ID, but I don't know how to use the NAS IP for such a lookup. Or maybe there is a better way to do it.

> For the record, Cisco switches do support the use of names (if you have
> put it in your VLAN database), and their thick and thin AP's do too.
> YMMV with other venduhs though.

> To be honest, the time it took you to send this email, you could have
> actually tested it on your equipment...*sigh*.

I don't know the vendor of the switches so far, as it is a running "public tendering procedure" (hope that's the correct English term for it) where I was not able to require it as a MUST feature, but I need to do the planning for the migration and implementation of dynamic VLANs now. ;-(

Robert
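The table-per-switch lookup Robert proposes here (numeric VLAN IDs keyed by the requesting NAS, because the RFC 3580 encoding of Tunnel-Private-Group-ID only carries VLANID numbers), combined with the accept-into-remediation-VLAN policy from the EAP-TLS thread above, as an added Python example. This is not code from the thread or from the FreeRADIUS project: the VLAN table, the NAS management networks, the role names and the dict returned in place of a reply attribute list are all constructed for illustration; in a deployment the table would be a row set in the SQL backend queried with the request's NAS-IP-Address.

```python
"""Per-NAS numeric VLAN resolution for RADIUS dynamic VLAN assignment.

Added example, not from the mailing-list thread or the FreeRADIUS project.
The VLAN table, NAS networks and role names below are constructed sample
data; in a deployment the table would live in the SQL backend and be
queried with the request's NAS-IP-Address.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address
from typing import Dict, Optional

# Values from RFC 2868 / RFC 3580: Tunnel-Type VLAN and Tunnel-Medium-Type IEEE-802.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Constructed sample table: (NAS management network, logical VLAN name) -> VLAN ID.
# Keyed by network so one row set covers a whole switch stack / building.
VLAN_TABLE: Dict[tuple, int] = {
    (IPv4Network("10.1.0.0/24"), "clients"): 100,
    (IPv4Network("10.1.0.0/24"), "printers"): 123,
    (IPv4Network("10.1.0.0/24"), "remediation"): 900,
    (IPv4Network("10.2.0.0/24"), "clients"): 200,
    (IPv4Network("10.2.0.0/24"), "printers"): 124,
    (IPv4Network("10.2.0.0/24"), "remediation"): 901,
}


@dataclass(frozen=True)
class Decision:
    accept: bool
    vlan_name: Optional[str]   # logical name, resolved per NAS afterwards
    reason: str                # what the thread logs as MACAU-Reason


def choose_role(mac_known: bool, device_role: Optional[str],
                eap_result: Optional[str]) -> Decision:
    """Policy the thread describes: unknown MAC -> reject (the switch then
    applies its own guest VLAN); known MAC without 802.1X, or with a failed
    EAP-TLS exchange (expired/revoked certificate, EAP NAK) -> accept into
    the remediation VLAN; known MAC with a valid certificate -> the device's
    production VLAN. eap_result is None when the request carried no EAP."""
    if not mac_known:
        return Decision(False, None, "MAC address not in DB")
    if eap_result is None:
        return Decision(True, "remediation", "only MAC, no 802.1x")
    if eap_result == "ok":
        if device_role is None:
            raise ValueError("known device without a production role")
        return Decision(True, device_role, "EAP-TLS succeeded")
    return Decision(True, "remediation", "EAP failed: " + eap_result)


def lookup_vlan_id(nas_ip: str, vlan_name: str) -> int:
    """Resolve a logical VLAN name to the numeric ID valid on this switch."""
    addr = ip_address(nas_ip)
    for (net, name), vid in VLAN_TABLE.items():
        if name == vlan_name and addr in net:
            if not 1 <= vid <= 4094:      # VLANID is 12-bit per RFC 3580
                raise ValueError("VLAN ID out of range: %d" % vid)
            return vid
    raise KeyError("no VLAN %r defined for NAS %s" % (vlan_name, nas_ip))


def build_reply(nas_ip: str, decision: Decision) -> Dict[str, object]:
    """Reply attributes for the NAS. The VLAN ID is sent as a decimal string
    in Tunnel-Private-Group-Id, as RFC 3580 requires."""
    if not decision.accept:
        return {"Response": "Access-Reject", "Reason": decision.reason}
    vid = lookup_vlan_id(nas_ip, decision.vlan_name)
    return {
        "Response": "Access-Accept",
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Private-Group-Id": str(vid),
        "Reason": decision.reason,
    }


if __name__ == "__main__":
    # The same printer roaming between two buildings gets different IDs.
    good = choose_role(True, "printers", "ok")
    print(build_reply("10.1.0.5", good)["Tunnel-Private-Group-Id"])     # 123
    print(build_reply("10.2.0.7", good)["Tunnel-Private-Group-Id"])     # 124
    expired = choose_role(True, "printers", "certificate invalid")
    print(build_reply("10.1.0.5", expired)["Tunnel-Private-Group-Id"])  # 900
```

NAS-IP-Address is the only request attribute the lookup needs, which is exactly the NAS-IP-to-VLAN-ID table Robert describes; keeping the accept/reject decision (choose_role) separate from VLAN resolution (lookup_vlan_id) means a remediation assignment never depends on the production role having a row for that switch, and a missing row surfaces as an error in the log rather than as a port silently left on the switch's default VLAN.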
timeout if mysql backend not reachable
Hi!

I've more than one RADIUS server configured on my switches. If one server times out, the switch takes the second server. On each RADIUS server a FreeRADIUS and a MySQL DB are running. I'm now searching for a way that FreeRADIUS does not return anything (= timeout for the switch) if it cannot reach its MySQL DB (on the same machine). Currently I get a reject reply for the authentication request. How can I configure that?

Thx!

Kind regards
Robert Penz
dictionary vendor options
Hi!

I'm running

# rpm -qa | grep radius
freeradius2-mysql-2.1.7-7.el5
freeradius2-2.1.7-7.el5
freeradius2-python-2.1.7-7.el5
freeradius2-utils-2.1.7-7.el5

and I copied the following into /etc/raddb/dictionary:

VENDOR Extreme 1916
ATTRIBUTE Extreme-CLI-Authorization 201 integer Extreme
ATTRIBUTE Extreme-Shell-Command 202 string Extreme
ATTRIBUTE Extreme-Netlogin-Vlan 203 string Extreme
ATTRIBUTE Extreme-Netlogin-Url 204 string Extreme
ATTRIBUTE Extreme-Netlogin-Url-Desc 205 string Extreme
ATTRIBUTE Extreme-Netlogin-Only 206 integer Extreme
ATTRIBUTE Extreme-User-Location 208 string Extreme
ATTRIBUTE Extreme-Netlogin-Vlan-Tag 209 integer Extreme
ATTRIBUTE Extreme-Netlogin-Extended-Vlan 211 string Extreme
ATTRIBUTE Extreme-Security-Profile 212 string Extreme
VALUE Extreme-CLI-Authorization Disabled 0
VALUE Extreme-CLI-Authorization Enabled 1
VALUE Extreme-Netlogin-Only Disabled 0
VALUE Extreme-Netlogin-Only Enabled 1

which seems OK to me, but FreeRADIUS thinks otherwise, as I get:

including dictionary file /etc/raddb/dictionary
Errors reading dictionary: dict_init: /etc/raddb/dictionary[37]: unknown option "Extreme"

Does anyone know the problem with my config? Thx!

Kind regards
Robert Penz
Re: dictionary vendor options
Hi!

Ah, I did not know about the default Extreme config. I just went along the official Howto from Extreme Networks, and it stated that I need to put the lines into the dictionary...

Thx for the info ;-)

Kind regards
Robert Penz

-----Original Message-----
From: freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org [mailto:freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Monday, 20 September 2010 11:40
To: FreeRadius users mailing list
Subject: Re: dictionary vendor options

PENZ Robert wrote:
> # rpm -qa | grep radius
> freeradius2-mysql-2.1.7-7.el5
...
> and I copied following into the /etc/raddb/dictionary

Why? What's wrong with the "dictionary.extreme" file that is included with the server?

After 10 years of doing FreeRADIUS, I *still* don't understand why many people feel the need to destroy the default configuration as soon as they install the server.

> including dictionary file /etc/raddb/dictionary
> Errors reading dictionary: dict_init: /etc/raddb/dictionary[37]: unknown
> option "Extreme"

It's a bug in 2.1.7. If you used the *default* dictionaries, the VSAs would work, and there wouldn't be a problem.

> Does anyone know the problem with my config? thx!

Stop destroying the default configuration. If you did *less* work, you would have *better* results.

Alan DeKok.
convert MAC addresses to lower case
Hi!

I'm running

# rpm -qa | grep radius
freeradius2-mysql-2.1.7-7.el5
freeradius2-2.1.7-7.el5
freeradius2-python-2.1.7-7.el5
freeradius2-utils-2.1.7-7.el5

and I've different switch types. Some send the MAC address lower case, the others upper case. For switches which send it lower case it works (as the MACs are stored lower case in the DB). How can I convert them all in the clear text password attribute to lower case? The attr_rewrite module looks good, but the only way I see is to have 6 rewrite rules, each replacing one letter, but that seems inefficient.

The matching in the SQL database works case insensitive and returns a row, but the PAP check logs the following:

rlm_sql (sql): Released sql socket id: 1
+++[sql] returns ok
++- policy redundant returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "0025B3A013AA"
[pap] Using clear text password "0025b3a013aa"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.

I tried to remove pap, but then I get the following:

+++[sql] returns ok
++- policy redundant returns ok
++[expiration] returns noop
++[logintime] returns noop
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request does NOT match "known good" password.
Failed to authenticate the user.

Hope someone can help me. Thx!

Kind regards
Robert Penz
Re: convert MAC addresses to lower case
Hi!

But that's not the problem. The MAC address matches in the SQL statement, but I also need to return the MAC address to the RADIUS. In this reply the MAC address is lower case. And now the RADIUS checks that against the upper case version it gets from the switch. I cannot always return the MAC upper case, as it would not work with the switches which send the MAC lower case.

I hope this makes sense.

Kind regards
Robert Penz

-----Original Message-----
From: freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org [mailto:freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org] On Behalf Of ironr...@yahoo.com
Sent: Monday, 20 September 2010 15:26
To: FreeRadius users mailing list
Subject: Re: convert MAC addresses to lower case

I believe there is a lower() function you can use in the sql statement.

Sent from Verizon Wireless

-----Original Message-----
From: PENZ Robert
Sender: freeradius-users-bounces+ironrake=yahoo@lists.freeradius.org
Date: Mon, 20 Sep 2010 14:11:14
To: FreeRadius users mailing list
Reply-To: FreeRadius users mailing list
Subject: convert MAC addresses to lower case
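The case problem in this thread is a canonicalisation problem: the SQL lookup is case-insensitive, but the "known good" password handed back to the PAP module is compared byte for byte with what the switch sent, so the two sides only agree if the request attribute is normalised before either runs. The following Python example, added here and not code from the thread or from FreeRADIUS, shows that normalisation and carries it a step further than the thread needs, covering the colon, dash and dotted forms other switch vendors send as well as the upper/lower case pair in Robert's log. The switch formats and the request dict are constructed samples; the dict stands in for the attribute list a real policy module would rewrite.

```python
"""Canonicalising MAC addresses for MAC-based RADIUS authentication.

Added example, not from the thread or from FreeRADIUS. The switch formats
below are constructed samples of what different NAS vendors send in
User-Name / User-Password for MAC auth; the request dict stands in for
the attribute list a real policy module would rewrite.
"""
import re
from typing import Dict, Iterable

_HEX12 = re.compile(r"^[0-9a-f]{12}$")

# Constructed samples: the same NIC as different switches report it.
SWITCH_FORMATS = [
    "0025B3A013AA",        # upper case, no delimiter (the failing case in the thread)
    "0025b3a013aa",        # lower case, no delimiter (the form stored in the DB)
    "00:25:B3:A0:13:AA",   # colon-separated, upper case
    "00-25-b3-a0-13-aa",   # dash-separated, lower case
    "0025.b3a0.13aa",      # dotted triplets
]


def canonical_mac(raw: str) -> str:
    """Return the MAC as twelve lower-case hex digits, the single form the
    SQL lookup key and the returned 'known good' password should both use.
    Anything that does not reduce to exactly twelve hex digits is rejected
    rather than silently turned into a lookup key."""
    digits = re.sub(r"[:\-.\s]", "", raw.strip()).lower()
    if not _HEX12.match(digits):
        raise ValueError("not a MAC address: %r" % raw)
    return digits


def all_equivalent(forms: Iterable[str]) -> bool:
    """True when every supplied form canonicalises to the same address."""
    return len({canonical_mac(f) for f in forms}) == 1


def normalise_request(request: Dict[str, str]) -> Dict[str, str]:
    """Rewrite the MAC-bearing attributes of a MAC-auth request before the
    SQL lookup and the PAP comparison run, so switch case and delimiter
    differences never reach either. Calling-Station-Id is normalised too,
    so the value logged to the DB is comparable across switch types."""
    out = dict(request)
    for attr in ("User-Name", "User-Password", "Calling-Station-Id"):
        if attr in out:
            out[attr] = canonical_mac(out[attr])
    return out


def pap_matches(request_password: str, known_good: str) -> bool:
    """The comparison that failed in the thread's log ("0025B3A013AA" vs
    "0025b3a013aa"), done on canonical forms. Malformed input is a mismatch,
    never an exception that an outer policy could turn into an accept."""
    try:
        return canonical_mac(request_password) == canonical_mac(known_good)
    except ValueError:
        return False


if __name__ == "__main__":
    print(all_equivalent(SWITCH_FORMATS))                 # True
    print(pap_matches("0025B3A013AA", "0025b3a013aa"))    # True
    print(normalise_request({"User-Name": "00:25:B3:A0:13:AA",
                             "User-Password": "00:25:B3:A0:13:AA",
                             "NAS-IP-Address": "10.1.0.5"}))
```

A LOWER() in the SQL statement, as suggested in the reply, fixes only the lookup; the PAP module still sees the switch's original User-Password, which is why normalising the request attributes before the sql module runs is the step that makes both sides agree (later FreeRADIUS releases expose a tolower xlat in rlm_expr for exactly this). Note that this only makes the comparison consistent: a MAC address identifies a device but is not a secret, which is the reason the thread's setup keeps the 802.1X/EAP-TLS path for devices that support it and uses MAC matching as the fallback.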