EAP/TTLS on LDAP with freeradius 2.0.1


EAP/TTLS on LDAP with freeradius 2.0.1

by Thierry CHICH

Hello,

I know that my problem is so simple that I should be ashamed to ask for help, but
I have to say that I can't find a good way to do what I want to do.

With the previous release of freeradius 1.1.7, I could do the following
things:
- people with a correct outer identity and inner identity (login/password)
could be authorized and authenticated on an LDAP server, using an EAP-TTLS
tunnel, and obtain a WPA key.
- with the same radius server, I could authenticate people with EAP-PEAP and
mschapv2 on an SQL database.

It was nice, but I had a small problem: accounting was done using the outer
identity. Since I was using LDAP to do the authorization, people who put
another valid identity weren't correctly accounted.

Then I decided to use freeradius 2.0.1. And now I don't see how to obtain a
basic configuration that does my first point.

I always end up with:
rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
auth: No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user

If I put an Auth-Type := LDAP, it seems better at first, but it is
worse:
rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
+- entering group LDAP
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
  You seem to have set "Auth-Type := LDAP" somewhere.
  THAT CONFIGURATION IS WRONG.  DELETE IT.
  YOU ARE PREVENTING THE SERVER FROM WORKING PROPERLY.
++[ldap] returns invalid
auth: Failed to validate the user.

At this point, I don't understand what freeradius wants.
I don't know how to say: authorize on what you want, I don't care, and
authenticate on my LDAP server.

Is there a good configuration sample I can find anywhere?

Regards,

--
Thierry CHICH
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP/TTLS on LDAP with freeradius 2.0.1

by Vincent Magnin-4

hi Thierry,

In your /etc/raddb/users file, you can put the following to copy the
inner identity to the outer identity (works with freeradius 1 and 2):

DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
         User-Name := `%{User-Name}`,
         Fall-Through = yes



Thierry CHICH <thierry.chich@...> wrote:

> Hello,
>
> I know that my problem is so simple that I should be ashamed to ask for help, but
> I have to say that I can't find a good way to do what I want to do.
>
> With the previous release of freeradius 1.1.7, I could do the following
> things:
> - people with a correct outer identity and inner identity (login/password)
> could be authorized and authenticated on an LDAP server, using an EAP-TTLS
> tunnel, and obtain a WPA key.
> - with the same radius server, I could authenticate people with EAP-PEAP and
> mschapv2 on an SQL database.
>
> It was nice, but I had a small problem: accounting was done using the outer
> identity. Since I was using LDAP to do the authorization, people who put
> another valid identity weren't correctly accounted.
>
> Then I decided to use freeradius 2.0.1. And now I don't see how to obtain a
> basic configuration that does my first point.
>
> I always end up with:
> rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
> auth: No authenticate method (Auth-Type) configuration found for the request:
> Rejecting the user
>
> If I put an Auth-Type := LDAP, it seems better at first, but it is
> worse:
> rad_check_password:  Found Auth-Type LDAP
> auth: type "LDAP"
> +- entering group LDAP
> rlm_ldap: - authenticate
> rlm_ldap: Attribute "User-Password" is required for authentication.
>   You seem to have set "Auth-Type := LDAP" somewhere.
>   THAT CONFIGURATION IS WRONG.  DELETE IT.
>   YOU ARE PREVENTING THE SERVER FROM WORKING PROPERLY.
> ++[ldap] returns invalid
> auth: Failed to validate the user.
>
> At this point, I don't understand what freeradius wants.
> I don't know how to say: authorize on what you want, I don't care, and
> authenticate on my LDAP server.
>
> Is there a good configuration sample I can find anywhere?
>
> Regards,
>
> --
> Thierry CHICH



--
------------------------------------------------------------------------
Vincent Magnin                                    Vincent.Magnin@...
Network & Telecom Engineer                              +41 21 692 22 48
UNIL, Centre Informatique, 1015 Lausanne
Switzerland


Re: EAP/TTLS on LDAP with freeradius 2.0.1

by Alan DeKok-2

Thierry CHICH wrote:
> With the previous release of freeradius 1.1.7, I could do the following
> things:
> - people with a correct outer identity and inner identity (login/password)
> could be authorized and authenticated on an LDAP server, using an EAP-TTLS
> tunnel, and obtain a WPA key.
> - with the same radius server, I could authenticate people with EAP-PEAP and
> mschapv2 on an SQL database.

  2.0.1 can do this, too.

1) configure certificates
2) set up test user as in the FAQ
3) validate that the test user works for EAP-TTLS && PEAP.

  Then:

4) configure SQL
5) validate that "radtest" works for users in SQL
6) validate that EAP-TTLS && PEAP work for users in SQL.

> It was nice, but I had a small problem: accounting was done using the outer
> identity. Since I was using LDAP to do the authorization, people who put
> another valid identity weren't correctly accounted.

  In 2.0.1, see raddb/sites-available/inner-tunnel for comments &&
configuration to fix this.  Or, the other reply to your message.

> I always end up with:
> rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
> auth: No authenticate method (Auth-Type) configuration found for the request:
> Rejecting the user

  The most common cause for this is that you massively edited the
configuration file without understanding what it was doing.  The simple
answer is DON'T DO THAT.

> If I put an Auth-Type := LDAP, it seems better at first, but it is
> worse:

  Exactly.  It breaks EAP-TTLS and PEAP.

> At this point, I don't understand what freeradius wants.
> I don't know how to say: authorize on what you want, I don't care, and
> authenticate on my LDAP server.

  Start off with the default radiusd.conf.  Configure the ldap module,
and un-comment the references to ldap.  It WILL work!

> Is there a good configuration sample I can find anywhere?

  /etc/raddb/radiusd.conf?

  Really.

  See also "man radiusd" in 2.0.1.  It gives detailed instructions for
how to convert the default "radiusd.conf" file into something that
works, but also has your local configuration.

  Alan DeKok.

Re: EAP/TTLS on LDAP with freeradius 2.0.1

by Thierry CHICH

On Wednesday 06 February 2008, Alan DeKok wrote:

> Thierry CHICH wrote:
> > With the previous release of freeradius 1.1.7, I could do the following
> > things:
> > - people with a correct outer identity and inner identity
> > (login/password) could be authorized and authenticated on an LDAP server,
> > using an EAP-TTLS tunnel, and obtain a WPA key.
> > - with the same radius server, I could authenticate people with EAP-PEAP
> > and mschapv2 on an SQL database.
>
>   2.0.1 can do this, too.

I didn't really think it can't do that.

> > It was nice, but I had a small problem: accounting was done using the
> > outer identity. Since I was using LDAP to do the authorization,
> > people who put another valid identity weren't correctly accounted.
>
>   In 2.0.1, see raddb/sites-available/inner-tunnel for comments &&
> configuration to fix this.  Or, the other reply to your message.
>
> > I always end up with:
> > rlm_eap_ttls: Session established.  Proceeding to decode tunneled
> > attributes. auth: No authenticate method (Auth-Type) configuration found
> > for the request: Rejecting the user
>
>   The most common cause for this is that you massively edited the
> configuration file without understanding what it was doing.  The simple
> answer is DON'T DO THAT.

I understand that very well. I think that "massively" is perhaps a little
bit exaggerated, but I made a really stupid mistake. I located it
using kdiff3 (thanks to the developer, it is a great tool).

It is working better now that I really use inner-tunnel, and don't just believe
that I use it..... Thanks to you.

However, the accounting is always done with the outer identity, even when
putting the:
        update outer.reply {
                User-Name = "%{request.User-Name}"
        }
in the post-auth of inner-tunnel.
The
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
         User-Name := `%{User-Name}`,
         Fall-Through = yes
in the users config file doesn't work any better.

I got:

Login OK: [thierry.chich@.../xxxxxxxx] (from client ap-rectorat02
port 0)
+- entering group post-auth
        expand: %{request.User-Name} ->
++[outer.reply] returns noop
  TTLS: Got tunneled Access-Accept
  rlm_eap: Freeing handler
++[eap] returns ok
Login OK: [anonymous@...\000/<via Auth-Type = EAP>] (from client
ap-rectorat02 port 1 cli 00-0E-35-71-04-0C)
Sending Access-Accept of id 27 to 172.30.87.66 port 4347
        User-Name = ""
        MS-MPPE-Recv-Key =
0xec76f1095e9ec08db58453397df1c7f6a38acc1bada412e45a538ff6da6b60a5
        MS-MPPE-Send-Key =
0xb66e7bc27988a1d193f3cdb520c29a8c4fd6c75b4b5e0b4aaf8da3bda7bff2e6
        EAP-Message = 0x031b0004
        Message-Authenticator = 0x00000000000000000000000000000000


Do you know why User-Name is empty?




Re: EAP/TTLS on LDAP with freeradius 2.0.1

by Alan DeKok-2

Thierry CHICH wrote:

> However, the accounting is always done with the outer identity
...
> Login OK: [thierry.chich@.../xxxxxxxx] (from client ap-rectorat02
> port 0)
> +- entering group post-auth
>         expand: %{request.User-Name} ->

  That's a typo.  It should be ... "%{request:User-Name}"

  i.e. ':', not '.'.

  Alan DeKok.

Re: EAP/TTLS on LDAP with freeradius 2.0.1

by Thierry CHICH

On Wednesday 06 February 2008, Alan DeKok wrote:

> Thierry CHICH wrote:
> > However, the accounting is always done with the outer identity
>
> ...
>
> > Login OK: [thierry.chich@.../xxxxxxxx] (from client
> > ap-rectorat02 port 0)
> > +- entering group post-auth
> >         expand: %{request.User-Name} ->
>
>   That's a typo.  It should be ... "%{request:User-Name}"
>
>   i.e. ':', not '.'.


You are right. I think this typo is in the original inner-tunnel file included
in the distrib, but it works better - but not as I want. Now, I have a good
Access-Accept packet, but it seems that the following accounting-request
doesn't care. Snifff.


Sending Access-Accept of id 20 to 172.30.87.66 port 4365
        User-Name = "thierry.chich@..."
        MS-MPPE-Recv-Key =
0xca8629ba7a784c91e5e5f3bd9c9079e982db2881ce6f7de5d07fa32c07ae3850
        MS-MPPE-Send-Key =
0x599f371c29d6ad682cd2a016f834166ec37c4ec1bc105f6a47425fde3b25a253
        EAP-Message = 0x03140004
        Message-Authenticator = 0x00000000000000000000000000000000
Finished request 6.
Going to the next request
Waking up in 0.8 seconds.
rad_recv: Accounting-Request packet from host 172.30.87.66 port 4366, id=144,
length=159
        Acct-Status-Type = Start
        Acct-Session-Id = "00186E8FA2C0-000E3571040C-585099434"
        NAS-IP-Address = 172.30.87.66
        Acct-Input-Octets = 0
        Acct-Output-Octets = 0
        Acct-Input-Packets = 0
        Acct-Output-Packets = 0
        User-Name = "anonymous@...\000"
        Vendor-Specific = 0x564c414e2049442069733a20333032
        Vendor-Specific = 0x61632d636c65726d6f6e742e6672
        Acct-Session-Time = 4294967

Re: EAP/TTLS on LDAP with freeradius 2.0.1

by Alan DeKok-2

Thierry CHICH wrote:
> You are right. I think this typo is in the original file inner-tunnel included
> in the distrib,

  Yes, I've fixed it.

> but it works better - but not as I want. Now, I have a good
> Access-Accept packet, but it seems that the following accounting-request
> doesn't care. Snifff.

  Your NAS is broken.

> rad_recv: Accounting-Request packet from host 172.30.87.66 port 4366, id=144,
> length=159
...
>         User-Name = "anonymous@...\000"

  Sending a \000 at the end is wrong.

>         Vendor-Specific = 0x564c414e2049442069733a20333032
>         Vendor-Specific = 0x61632d636c65726d6f6e742e6672

  These are not properly formed VSA's.  This is *very* bad practice.

>         Acct-Session-Time = 4294967

  The session time is 4 million seconds?

  Tell the vendor that their product is broken.  As the author of RFC
5080, and a pending RFC on RADIUS design guidelines, I think I have
reason to be authoritative on this issue.

  e.g. for the Vendor-Specific nonsense, read Section 2.2, at the top of
page 12, of:

http://www.ietf.org/internet-drafts/draft-ietf-radext-design-02.txt

  i.e. it's not flat-out forbidden, but it's a retarded thing to do.

  If the vendor refuses to fix it, throw the NAS in the garbage, and buy
a real NAS.

  Alan DeKok.
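As an added example (not code from this thread or from FreeRADIUS), a small Python audit of the Accounting-Request attributes flagged in the reply above: the trailing NUL in User-Name, Vendor-Specific values that lack the RFC 2865 Vendor-Id and sub-attribute layout, and an implausible Acct-Session-Time. The sample record is constructed from the hex values in the log; the example.org user name and the seven-day plausibility bound are assumptions.

```python
from typing import Any, Dict, List

# Assumption: RFC 2865 section 5.26 layout for a Vendor-Specific value:
# 4-byte Vendor-Id (high octet zero), then (vendor-type, vendor-length, data)
# sub-attributes whose lengths exactly consume the remainder.
def vsa_is_well_formed(raw: bytes) -> bool:
    if len(raw) < 6 or raw[0] != 0:
        return False
    body = raw[4:]
    while body:
        if len(body) < 2:
            return False
        sublen = body[1]            # vendor-length covers type+length+data
        if sublen < 2 or sublen > len(body):
            return False
        body = body[sublen:]
    return True

def username_has_trailing_nul(name: bytes) -> bool:
    # A C-string terminator leaking into the attribute value is a NAS bug.
    return name.endswith(b"\x00")

def session_time_plausible(seconds: int, max_days: int = 7) -> bool:
    # Assumed bound: a WLAN session longer than a week is a bogus counter.
    return 0 <= seconds <= max_days * 86400

def audit_accounting(attrs: Dict[str, Any]) -> List[str]:
    """Return one finding per malformed attribute; an empty list means clean."""
    findings: List[str] = []
    if username_has_trailing_nul(attrs.get("User-Name", b"")):
        findings.append("User-Name carries a trailing NUL byte")
    for v in attrs.get("Vendor-Specific", []):
        if not vsa_is_well_formed(v):
            findings.append(f"Vendor-Specific is not RFC 2865 formatted: {v!r}")
    t = attrs.get("Acct-Session-Time")
    if t is not None and not session_time_plausible(t):
        findings.append(f"Acct-Session-Time {t} is implausible")
    return findings

# Constructed from the values in the log above (user name is a placeholder).
SAMPLE = {
    "User-Name": b"anonymous@example.org\x00",
    "Vendor-Specific": [bytes.fromhex("564c414e2049442069733a20333032"),  # "VLAN ID is: 302"
                        bytes.fromhex("61632d636c65726d6f6e742e6672")],  # "ac-clermont.fr"
    "Acct-Session-Time": 4294967,
}
# Constructed well-formed VSA for comparison: Vendor-Id 9, sub-attribute 1 = "abcd".
GOOD_VSA = bytes.fromhex("00000009010661626364")
```

Running `audit_accounting(SAMPLE)` yields four findings, one per defect the thread points out; the two raw strings the NAS sent fail the Vendor-Id check because their first octet is ASCII, not zero.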

Re: EAP/TTLS on LDAP with freeradius 2.0.1

by Thierry CHICH

On Thursday 07 February 2008, Alan DeKok wrote:

> Thierry CHICH wrote:
> > You are right. I think this typo is in the original file inner-tunnel
> > included in the distrib,
>
>   Yes, I've fixed it.
>
> > but it works better - but not as I want. Now, I have a good
> > Access-Accept packet, but it seems that the following accounting-request
> > doesn't care. Snifff.
>
>   Your NAS is broken.
>
> > rad_recv: Accounting-Request packet from host 172.30.87.66 port 4366,
> > id=144, length=159
>
> ...
>
> >         User-Name = "anonymous@...\000"
>
>   Sending a \000 at the end is wrong.
>
> >         Vendor-Specific = 0x564c414e2049442069733a20333032
> >         Vendor-Specific = 0x61632d636c65726d6f6e742e6672
>
>   These are not properly formed VSA's.  This is *very* bad practice.
>
> >         Acct-Session-Time = 4294967
>
>   The session time is 4 million seconds?
>
>   Tell the vendor that their product is broken.  As the author of RFC
> 5080, and a pending RFC on RADIUS design guidelines, I think I have
> reason to be authoritative on this issue.
>
>   e.g. for the Vendor-Specific nonsense, read Section 2.2, at the top of
> page 12, of:
>
> http://www.ietf.org/internet-drafts/draft-ietf-radext-design-02.txt
>
>   i.e. it's not flat-out forbidden, but it's a retarded thing to do.
>
>   If the vendor refuses to fix it, throw the NAS in the garbage, and buy
> a real NAS.
>


I am afraid you are right. I had already found that I had to increase the size
of the AcctSessionId to 36 instead of 32 chars.

My problem is that it is difficult to find an access point that is not too expensive
and does what I want (VLAN negotiated by 802.1X, multiple SSIDs, etc.).

Thanks a lot. I don't know what I will do, but it is nice to understand
something.


--
Thierry CHICH