Hi

I am using an Extreme Networks Summit48si switch and a Windows 2000 Pro SP4 box with MD5-Challenge enabled in the 802.1x authentication client.
I have been trying to get FreeRADIUS to work with LDAP and EAP (authorization and authentication), but I can't get it to succeed.
My FreeRADIUS version is 0.9.0.


--- test1 ---

Local - authorization = OK
Local - authentication = OK

--- test2 ---

LDAP - authorization = OK
LDAP - authentication = OK

--- test3 ---

Local - authorization = OK
EAP - authentication = OK

--- test4 ---

LDAP - authorization = OK
EAP - authentication = fail


My configuration files are:


--- users -------------------
#for Local tests

"user.radius1"  Auth-Type := Local, User-Password == "1234"
               Extreme-Netlogin-Only = Enabled,
               Extreme-Netlogin-Vlan = net1
-----------------------------

---- radiusd.conf -----------

authorize {
   preprocess
   ldap
   eap
}

authenticate {
   eap
}

-----------------------------

----- ldap.attrmap ----------

replyItem       Extreme-Netlogin-Vlan           radiusExtremeNetloginVlan
replyItem       Extreme-Netlogin-Url            radiusExtremeNetloginUrl
replyItem       Extreme-Netlogin-Url-Desc       radiusExtremeNetloginUrlDesc
replyItem       Extreme-Netlogin-Only           radiusExtremeNetloginOnly

-----------------------------

------ dictionary.extreme ---

VENDOR Extreme 1916

ATTRIBUTE       Extreme-Netlogin-Vlan           203     string  Extreme
ATTRIBUTE       Extreme-Netlogin-Url            204     string  Extreme
ATTRIBUTE       Extreme-Netlogin-Url-Desc       205     string  Extreme
ATTRIBUTE       Extreme-Netlogin-Only           206     integer Extreme

VALUE   Extreme-Netlogin-Only           Disabled        0
VALUE   Extreme-Netlogin-Only           Enabled         1

------------------------------

My vendor sent me a patch to solve a State size incompatibility between state.c and the Extreme switch (maybe that patch has already been posted here by someone).

------------------- state.c.patch for FreeRADIUS Version 0.9.0 - Extreme -----------------------------

--- src/modules/rlm_eap/state.c.ori    2003-03-03 15:52:25.000000000 -0400
+++ src/modules/rlm_eap/state.c    2003-12-12 13:03:43.000000000 -0400
@@ -86,21 +86,18 @@ VALUE_PAIR *generate_state(void)
    int i;
    unsigned char challenge[AUTH_VECTOR_LEN];
    unsigned char hmac[AUTH_VECTOR_LEN];
-    unsigned char value[AUTH_VECTOR_LEN+sizeof(time_t)];
+    unsigned char value[AUTH_VECTOR_LEN];
    VALUE_PAIR    *state;
-    time_t now;

    /* Generate challenge (a random value).  */
    for (i = 0; i < sizeof(challenge); i++) {
        challenge[i] = lrad_rand();
    }

-    now = time(NULL);
    memcpy(value, challenge, AUTH_VECTOR_LEN);
-    memcpy(value + AUTH_VECTOR_LEN, &now, sizeof(time_t));

    /* Generate hmac.  */
-    lrad_hmac_md5(value, AUTH_VECTOR_LEN + sizeof(time_t),
+    lrad_hmac_md5(value, AUTH_VECTOR_LEN,
              state_key, AUTH_VECTOR_LEN, hmac);


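Review bot: dropping `now` and the `sizeof(time_t)` bytes from `value` in generate_state removes the only freshness input to the HMAC-protected State, so after this hunk a State is just challenge || HMAC and verify_state can no longer distinguish a freshly issued State from one captured earlier and replayed; if the only goal is a shorter attribute for the Extreme NAS, consider keeping a truncated timestamp (for example 4 bytes) inside `value` instead of removing it, and record in the patch header why the size had to change.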
@@ -110,9 +107,9 @@ VALUE_PAIR *generate_state(void)
radlog(L_ERR, "rlm_eap: out of memory");
return NULL;
}
- memcpy(state->strvalue, value, AUTH_VECTOR_LEN+sizeof(time_t));
- memcpy(state->strvalue+AUTH_VECTOR_LEN+sizeof(time_t), hmac, AUTH_VECTOR_LEN);
- state->length = AUTH_VECTOR_LEN + sizeof(time_t) + AUTH_VECTOR_LEN;
+ memcpy(state->strvalue, value, AUTH_VECTOR_LEN);
+ memcpy(state->strvalue+AUTH_VECTOR_LEN, hmac, AUTH_VECTOR_LEN);
+ state->length = AUTH_VECTOR_LEN + AUTH_VECTOR_LEN;


return state;
}
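Review bot: the State layout (challenge at offset 0, hmac at AUTH_VECTOR_LEN, total `AUTH_VECTOR_LEN + AUTH_VECTOR_LEN`) is spelled out by hand here and again in verify_state; introduce one named constant for the State length and use it for both memcpy offsets and `state->length` in both functions, so that a future size change cannot leave generate_state and verify_state disagreeing, which is exactly the kind of mismatch this patch is working around.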
@@ -124,14 +121,14 @@ int verify_state(VALUE_PAIR *state)
{
unsigned char prev_hmac[AUTH_VECTOR_LEN];
unsigned char hmac[AUTH_VECTOR_LEN];
- unsigned char value[AUTH_VECTOR_LEN+sizeof(time_t)];
+ unsigned char value[AUTH_VECTOR_LEN];
/* Get the challenge value & hmac from the State */
- memcpy(value, state->strvalue, AUTH_VECTOR_LEN+sizeof(time_t));
- memcpy(prev_hmac, state->strvalue+AUTH_VECTOR_LEN+sizeof(time_t), AUTH_VECTOR_LEN);
+ memcpy(value, state->strvalue, AUTH_VECTOR_LEN);
+ memcpy(prev_hmac, state->strvalue+AUTH_VECTOR_LEN, AUTH_VECTOR_LEN);
/* Generate hmac. */
- lrad_hmac_md5(value, AUTH_VECTOR_LEN + sizeof(time_t),
+ lrad_hmac_md5(value, AUTH_VECTOR_LEN,
state_key, AUTH_VECTOR_LEN, hmac);


/* verify both the hmacs */

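Review bot: nothing in the visible lines of verify_state checks `state->length` before the two memcpys read `AUTH_VECTOR_LEN + AUTH_VECTOR_LEN` bytes out of `state->strvalue`; the State attribute is echoed back by the client and can be shorter than expected, so if no length check exists above this hunk, add one (reject the State when `state->length != AUTH_VECTOR_LEN + AUTH_VECTOR_LEN`) before `memcpy(value, state->strvalue, AUTH_VECTOR_LEN);` so that a truncated or malformed State fails before the HMAC is computed.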
-----------------------------------------------------------------------------------------

My radiusd -X -A log output is:

rad_recv: Access-Request packet from host 172.22.11.3:1076, id=69, length=104
User-Name = "user.radius1"
EAP-Message = 0x0201001101757365722e72616469757331
NAS-IP-Address = 172.22.11.3
Service-Type = Login-User
Calling-Station-Id = "172.22.17.100"
NAS-Port-Type = Virtual
Message-Authenticator = 0xb094738ec65d9a455f65e99e3d0df6f8
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "files" returns notfound
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user.radius1
radius_xlat: '(uid=user.radius1)'
radius_xlat: 'ou=People,dc=uasic,dc=com'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.1.10.184:389, authentication 0
rlm_ldap: bind as / to 10.1.10.184:389
rlm_ldap: waiting for bind result ...
request 1 done
rlm_ldap: performing search in ou=People,dc=uasic,dc=com, with filter (uid=user.radius1)
request 2 done
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusExtremeNetloginOnly as Extreme-Netlogin-Only, value Enabled & op=11
rlm_ldap: Adding radiusExtremeNetloginVlan as Extreme-Netlogin-Vlan, value net1 & op=11
rlm_ldap: user user.radius1 authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok
rlm_eap: EAP packet type notification id 1 length 17
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: EAP packet type notification id 1 length 17
rlm_eap: EAP Start not found
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Login OK: [user.radius1] (from client private-network-1 port 0 cli 172.22.17.100)
Sending Access-Challenge of id 69 to 172.22.11.3:1076
Extreme-Netlogin-Only = Enabled
Extreme-Netlogin-Vlan = "net1"
EAP-Message = 0x0102001604105ad17816e55e70ad8bc6f29c413779cd
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x548fb951f3c4423a6880e4e0702762a61b4d792e1a3cec47ffb5ecdb976fb77e
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.22.11.3:1077, id=126, length=155
User-Name = "user.radius1"
EAP-Message = 0x0202002204103cde07b50cefa5b0e027691c6ebe617b757365722e72616469757331
NAS-IP-Address = 172.22.11.3
Service-Type = Login-User
Calling-Station-Id = "172.22.17.100"
NAS-Port-Type = Virtual
State = 0x548fb951f3c4423a6880e4e0702762a61b4d792e1a3cec47ffb5ecdb976fb77e
Message-Authenticator = 0x17422b9a706c95f2e85673c7191c21b2
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "files" returns notfound
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user.radius1
radius_xlat: '(uid=user.radius1)'
radius_xlat: 'ou=People,dc=uasic,dc=com'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,dc=uasic,dc=com, with filter (uid=user.radius1)
request 3 done
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusExtremeNetloginOnly as Extreme-Netlogin-Only, value Enabled & op=11
rlm_ldap: Adding radiusExtremeNetloginVlan as Extreme-Netlogin-Vlan, value sicrac & op=11
rlm_ldap: user user.radius1 authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok
rlm_eap: EAP packet type notification id 2 length 34
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: EAP packet type notification id 2 length 34
rlm_eap: EAP Start not found
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - md5
rlm_eap: processing type md5
rlm_eap_md5: No password configured for this user
modcall[authenticate]: module "eap" returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Login incorrect: [user.radius1] (from client private-network-1 port 0 cli 172.22.17.100)
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.22.11.3:1077, id=126, length=155
Sending Access-Reject of id 126 to 172.22.11.3:1077
EAP-Message = 0x04020004
Message-Authenticator = 0x00000000000000000000000000000000
Extreme-Netlogin-Only = Enabled
Extreme-Netlogin-Vlan = "net1"
--- Walking the entire request list ---
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 69 with timestamp 4043a1ff
Cleaning up request 1 ID 126 with timestamp 4043a1ff
Nothing to do. Sleeping until we see a request.



"rlm_eap_md5: No password configured for this user" is the problem ;)



- Sorry for the long post, and thanks for any help ....




- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
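The "No password configured for this user" line in test4 comes from the way EAP-MD5 works: the server cannot check the supplicant's answer without the cleartext password, because the expected answer is MD5(Identifier || password || Challenge). The following is an added example, not the poster's configuration or FreeRADIUS code, that parses the two EAP-Message values shown in the debug log above and performs the verification the server has to do; the password used in the demo is a constructed value, not the user's real one, so the log's own response is only parsed, never claimed to match. When the authorization source is LDAP rather than the users file, the cleartext (or reversibly stored) password has to reach the request as a User-Password check item for this computation to be possible at all; in FreeRADIUS 0.9.x that is normally the `checkItem User-Password userPassword` mapping in ldap.attrmap together with an LDAP bind that is allowed to read that attribute (the log shows an anonymous bind).

```python
"""EAP-MD5 (RFC 3748 section 5.4 / RFC 1994) parsing and verification.

Added example; not FreeRADIUS code. The two packets below are the EAP-Message
values from the debug log (Access-Challenge id 69 and Access-Request id 126).
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5 = 4


@dataclass
class EapMd5:
    code: int
    identifier: int
    value: bytes   # 16-byte challenge (Request) or MD5 answer (Response)
    name: bytes    # optional trailing Name field (the supplicant's identity)


def parse_eap_md5(raw: bytes) -> EapMd5:
    """Parse an EAP packet carrying an MD5-Challenge Request or Response.

    Layout: Code(1) Identifier(1) Length(2) Type(1) Value-Size(1) Value(n) Name(*)
    Every length field is checked so a malformed packet is rejected, not mis-read.
    """
    if len(raw) < 6:
        raise ValueError("EAP packet too short")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP Length {length} != packet size {len(raw)}")
    if code not in (EAP_REQUEST, EAP_RESPONSE):
        raise ValueError(f"not an EAP Request/Response: code {code}")
    if raw[4] != EAP_TYPE_MD5:
        raise ValueError(f"not MD5-Challenge: type {raw[4]}")
    value_size = raw[5]
    if 6 + value_size > length:
        raise ValueError("Value-Size exceeds packet")
    return EapMd5(code, ident, raw[6:6 + value_size], raw[6 + value_size:length])


def md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Response Value = MD5(Identifier || secret || Challenge); needs the cleartext secret."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_md5_response(identifier: int, password: bytes, challenge: bytes, name: bytes) -> bytes:
    """Build the EAP Response a supplicant would send for a given challenge."""
    value = md5_response(identifier, password, challenge)
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return bytes([EAP_RESPONSE, identifier]) + (4 + len(body)).to_bytes(2, "big") + body


def verify_md5_response(challenge_pkt: bytes, response_pkt: bytes,
                        password: Optional[bytes]) -> bool:
    """Server-side check. With no password available nothing can be compared,
    which is the condition rlm_eap_md5 reports as 'No password configured'."""
    if password is None:
        return False
    req = parse_eap_md5(challenge_pkt)
    resp = parse_eap_md5(response_pkt)
    if req.code != EAP_REQUEST or resp.code != EAP_RESPONSE:
        return False
    if req.identifier != resp.identifier:   # the answer must belong to this challenge
        return False
    expected = md5_response(resp.identifier, password, req.value)
    return hmac.compare_digest(expected, resp.value)


# EAP-Message values copied from the debug log above.
LOG_CHALLENGE = bytes.fromhex("0102001604105ad17816e55e70ad8bc6f29c413779cd")
LOG_RESPONSE = bytes.fromhex(
    "0202002204103cde07b50cefa5b0e027691c6ebe617b757365722e72616469757331")


if __name__ == "__main__":
    req = parse_eap_md5(LOG_CHALLENGE)
    resp = parse_eap_md5(LOG_RESPONSE)
    print(f"challenge id={req.identifier} value={req.value.hex()}")
    print(f"response  id={resp.identifier} name={resp.name!r}")
    # Constructed demo password: the real one is unknown here.
    demo_pw = b"constructed-demo-password"
    answer = build_md5_response(req.identifier, demo_pw, req.value, resp.name)
    print("with password:", verify_md5_response(LOG_CHALLENGE, answer, demo_pw))
    print("without password:", verify_md5_response(LOG_CHALLENGE, answer, None))
```

Running the block prints the identifier and challenge from the log, the identity "user.radius1" carried in the response's Name field, and shows that the same response verifies when the server holds the password and is refused when it does not, which is the state the log's second Access-Request ended in.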
