Re: Force Accept to authentication

2011-05-27 Thread Phil Mayers

On 27/05/11 16:42, Lubenski, Zeev [GCS] wrote:

> Phil
>
> I am new to free radius, How can I change authentication type on the
> server to something simple - like user id/password and than accept
> always ?


Can you describe your setup in more detail? There are several possible 
answers.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Force Accept to authentication

2011-05-27 Thread Gary Gatten
Can one not override the ... not sure what it would be called...  Example; if 
I tell FR to use NTLM_AUTH to authenticate a request against AD, and AD returns 
a reject, can I not override the reject with an accept using update 
control or some similar function?

G


-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On 
Behalf Of Phil Mayers
Sent: Friday, May 27, 2011 10:53 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Force Accept to authentication

On 27/05/11 16:42, Lubenski, Zeev [GCS] wrote:
> Phil
>
> I am new to free radius, How can I change authentication type on the
> server to something simple - like user id/password and than accept
> always ?

Can you describe your setup in more detail? There are several possible 
answers.


RE: Force Accept to authentication

2011-05-27 Thread Lubenski, Zeev [GCS]
Phil

We have a WiMAX client that supports only EAP-TLS, on our side (long story why) 
- we support only EAP-TTLS
Here is the scenario:

Client ----> Server

Access Request 

Server ----> Client

Challenge with EAP-TTLS

Client ----> Server - nop EAP TLS

Server ----> Client

Ok - EAP TLS it is, but this in fact can't work (our internal problems) so 
the authentication fails

What we are trying to do is to accept the very first Access Request

I am thinking just to set authentication type on the Server as a user id 
/password and allow any user, so we can answer with accept on very first message


Regards
Zeev

-Original Message-
From: freeradius-users-bounces+zlubensk=lgsinnovations@lists.freeradius.org 
[mailto:freeradius-users-bounces+zlubensk=lgsinnovations@lists.freeradius.org]
 On Behalf Of Phil Mayers
Sent: Friday, May 27, 2011 10:53 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Force Accept to authentication

On 27/05/11 16:42, Lubenski, Zeev [GCS] wrote:
> Phil
>
> I am new to free radius, How can I change authentication type on the
> server to something simple - like user id/password and than accept
> always ?

Can you describe your setup in more detail? There are several possible 
answers.


RE: Force Accept to authentication

2011-05-27 Thread Lubenski, Zeev [GCS]
Our problem that we can't change the state machine on the ASN GW and disable 
authentication from the client, but we are trying somehow to completely disable 
it on the AAA (some workaround)

-Original Message-
From: freeradius-users-bounces+zlubensk=lgsinnovations@lists.freeradius.org 
[mailto:freeradius-users-bounces+zlubensk=lgsinnovations@lists.freeradius.org]
 On Behalf Of Phil Mayers
Sent: Friday, May 27, 2011 10:53 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Force Accept to authentication

On 27/05/11 16:42, Lubenski, Zeev [GCS] wrote:
> Phil
>
> I am new to free radius, How can I change authentication type on the
> server to something simple - like user id/password and than accept
> always ?

Can you describe your setup in more detail? There are several possible 
answers.


Re: Force Accept to authentication

2011-05-27 Thread Phil Mayers

On 27/05/11 17:05, Lubenski, Zeev [GCS] wrote:


> Ok - EAP TLS it is, but this in fact can't work (our internal problems) so 
> the authentication fails
>
> What we are trying to do is to accept the very first Access Request


Sorry, I don't think that's possible. If the WiMAX client is only 
capable of EAP-TLS, you must do EAP-TLS. And EAP-TLS requires a complete 
TLS negotiation and completion.


I assume it's impossible for you to enable EAP-TLS for some reason?



> I am thinking just to set authentication type on the Server as a user id 
> /password and allow any user, so we can answer with accept on very first message


If you do that, the WiMAX client will basically see this:

client: EAP-TLS: TLS client hello
server: EAP-Success no data

...and the client will assume something has gone wrong, because it was 
expecting a TLS packet back. This is what I mean when I say you can't 
interfere with the outer tunnel - it's *designed* that way to be secure 
and prevent interference.


HOWEVER - possibly the WiMAX client is dumb, and will do this:

client: EAP-TLS: TLS client hello
server: EAP-Success no data
client: Ok, that's fine

If so it's insecure, but it will solve your problem.

Try this in sites-enabled/default:

authorize {
  # Put any comparison you like here
  if (Calling-Station-Id == the_wimax_mac?) {
    update control {
      Auth-Type := Accept
    }
  }
}

...but I doubt it will work.
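Phil's point above, that a conforming EAP-TLS supplicant will not treat a bare EAP-Success as authentication and that a client which does is insecure, as an added Python illustration (not code from the original post and not FreeRADIUS code). It models only the peer side: the EAP header layout follows RFC 3748, the "accept EAP-Success only once the method has succeeded" rule follows the RFC 4137 peer state machine, and the TLS handshake itself is not implemented. The `<ClientHello>` payload, the `strict` flag and the helper names are constructed for this example.

```python
"""Simulated EAP-TLS peer: why an early EAP-Success is discarded.

Added example, not FreeRADIUS code. The peer bookkeeping is modelled on the
RFC 4137 peer state machine: `decision` starts at FAIL and only becomes
UNCOND_SUCC once the TLS handshake has finished, so an EAP-Success that
arrives before that is silently discarded. strict=False models the 'dumb'
client Phil describes, which takes any EAP-Success at face value.
"""
import struct

# EAP packet codes (RFC 3748 section 4)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_TLS = 13           # EAP-TLS method type (RFC 5216)
TLS_FLAG_START = 0x20       # the "S" (Start) bit of the EAP-TLS flags byte


def build_eap(code, ident, eap_type=None, data=b""):
    """Serialise an EAP packet: Code | Identifier | Length | [Type | Data]."""
    body = (bytes([eap_type]) if eap_type is not None else b"") + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(pkt):
    """Parse an EAP packet into (code, identifier, type_or_None, data)."""
    if len(pkt) < 4:
        raise ValueError("short EAP packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length does not match packet size")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, ident, None, b""      # Success/Failure carry no Type
    if len(pkt) < 5:
        raise ValueError("Request/Response without Type")
    return code, ident, pkt[4], pkt[5:]


class EapTlsPeer:
    """Peer side of EAP-TLS, reduced to the state that matters here."""

    def __init__(self, strict=True):
        self.strict = strict          # False = the insecure, lenient client
        self.decision = "FAIL"        # RFC 4137: FAIL until the method succeeds
        self.last_id = None           # identifier of the last Request seen
        self.log = []

    def handle(self, pkt):
        code, ident, eap_type, data = parse_eap(pkt)
        if code == EAP_REQUEST and eap_type == EAP_TYPE_TLS:
            self.last_id = ident
            if data[:1] and data[0] & TLS_FLAG_START:
                self.log.append("EAP-TLS Start received, sending ClientHello")
                # flags byte 0, then a constructed stand-in for the ClientHello
                return build_eap(EAP_RESPONSE, ident, EAP_TYPE_TLS,
                                 b"\x00" + b"<ClientHello>")
            self.log.append("EAP-TLS handshake fragment received")
            return build_eap(EAP_RESPONSE, ident, EAP_TYPE_TLS, b"\x00")
        if code == EAP_SUCCESS:
            # A conforming peer accepts Success only for the outstanding
            # identifier and only once the method itself has succeeded.
            if self.strict and (self.decision == "FAIL" or ident != self.last_id):
                self.log.append("EAP-Success before TLS finished: discarded")
                return None
            self.log.append("EAP-Success accepted, peer authenticated")
            return "AUTHENTICATED"
        if code == EAP_FAILURE:
            self.log.append("EAP-Failure received")
            return "FAILED"
        self.log.append("unexpected packet discarded")
        return None

    def tls_handshake_finished(self):
        """Called by the (not modelled) TLS engine after Finished is verified."""
        self.decision = "UNCOND_SUCC"


def forced_accept_exchange(strict=True):
    """The exchange from the thread: EAP-TLS Start, ClientHello, then a bare
    EAP-Success (what Auth-Type := Accept in authorize would produce).
    Returns 'AUTHENTICATED' if the peer accepted it, else None."""
    peer = EapTlsPeer(strict=strict)
    start = build_eap(EAP_REQUEST, 1, EAP_TYPE_TLS, bytes([TLS_FLAG_START]))
    client_hello = peer.handle(start)
    assert parse_eap(client_hello)[0] == EAP_RESPONSE
    return peer.handle(build_eap(EAP_SUCCESS, 1))


def completed_exchange():
    """Legitimate case: EAP-Success arrives after the TLS handshake finished."""
    peer = EapTlsPeer(strict=True)
    peer.handle(build_eap(EAP_REQUEST, 1, EAP_TYPE_TLS, bytes([TLS_FLAG_START])))
    peer.tls_handshake_finished()
    return peer.handle(build_eap(EAP_SUCCESS, 1))


if __name__ == "__main__":
    for strict in (True, False):
        print("strict peer" if strict else "lenient peer", "->",
              forced_accept_exchange(strict))
```

Running it shows the strict peer returning `None` for the forced accept (the Success is dropped and the supplicant eventually times out, which is the failure Phil predicts), while the lenient peer returns `AUTHENTICATED` without any TLS handshake having taken place, which is exactly the hole he warns about: anyone who can inject an EAP-Success onto the link could "authenticate" such a client.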


Re: Force Accept to authentication

2011-05-27 Thread Phil Mayers

On 27/05/11 16:59, Gary Gatten wrote:

> Can one not override the ... not sure what it would be called...
> Example; if I tell FR to use NTLM_AUTH to authenticate a request
> against AD, and AD returns a reject, can I not override the reject
> with an accept using update control or some similar function?


It depends.

If you're using ntlm_auth to do MSCHAP, then no. The MS-CHAPv2 reply 
adds a final response, that proves to the *client* that the *server* is 
valid. The authentication flow is as follows:


nas -> client: challenge
client -> nas: response
nas -> radius: challenge, response
radius -> nas: final response
nas -> client: final response

...the client checks that the final response is valid against the 
challenge and response, as well as its own password, using crypto.


The protocol is *designed* to stop this kind of interference.

Now, a buggy client might ignore the final response, but that is a big 
security hole - it means you can man-in-the-middle the MSCHAP - and as 
far as I'm aware, all MSCHAP clients (including EAP-PEAP with EAP-MSCHAP 
inner, and EAP-TTLS with EAP-MSCHAP inner) check this.



You can of course just accept PAP requests, so if you're doing 
EAP-TTLS with PAP inner, you can force accept - but you must do it at 
the *inner* auth. The outer TTLS still needs to be allowed to flow to 
completion unhindered.



Re: Force Accept to authentication

2011-05-27 Thread Alan DeKok
Lubenski, Zeev [GCS] wrote:
> We have a WiMAX client that supports only EAP-TLS, on our side (long story 
> why) - we support only EAP-TTLS

  This will not work.

> What we are trying to do is to accept the very first Access Request

  This is impossible.

  Alan DeKok.


RE: Force Accept to authentication

2011-05-27 Thread Lubenski, Zeev [GCS]
Phil

Thanks a lot will give it a try

Regards
Zeev

-Original Message-
From: freeradius-users-bounces+zlubensk=lgsinnovations@lists.freeradius.org 
[mailto:freeradius-users-bounces+zlubensk=lgsinnovations@lists.freeradius.org]
 On Behalf Of Phil Mayers
Sent: Friday, May 27, 2011 11:32 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Force Accept to authentication

On 27/05/11 17:05, Lubenski, Zeev [GCS] wrote:

> Ok - EAP TLS it is, but this in fact can't work (our internal problems) so 
> the authentication fails
>
> What we are trying to do is to accept the very first Access Request

Sorry, I don't think that's possible. If the WiMAX client is only 
capable of EAP-TLS, you must do EAP-TLS. And EAP-TLS requires a complete 
TLS negotiation and completion.

I assume it's impossible for you to enable EAP-TLS for some reason?


> I am thinking just to set authentication type on the Server as a user id 
> /password and allow any user, so we can answer with accept on very first 
> message

If you do that, the WiMAX client will basically see this:

client: EAP-TLS: TLS client hello
server: EAP-Success no data

...and the client will assume something has gone wrong, because it was 
expecting a TLS packet back. This is what I mean when I say you can't 
interfere with the outer tunnel - it's *designed* that way to be secure 
and prevent interference.

HOWEVER - possibly the WiMAX client is dumb, and will do this:

client: EAP-TLS: TLS client hello
server: EAP-Success no data
client: Ok, that's fine

If so it's insecure, but it will solve your problem.

Try this in sites-enabled/default:

authorize {
  # Put any comparison you like here
  if (Calling-Station-Id == the_wimax_mac?) {
    update control {
      Auth-Type := Accept
    }
  }
}

...but I doubt it will work.