Alan DeKok wrote:

> Vladimir testuser <[EMAIL PROTECTED]> wrote:
>
> > Great. So how do I configure it :-) to use LDAP CRYPT or MD5 hashes.
>
> Read the documentation and the sample configuration files.
>
> TTLS + PAP is *REALLY* TTLS + PAP.  Configure PAP, configure TTLS,
> and TTLS + PAP will work.

Apparently I am missing something, since it is not working. FreeRADIUS is the 1.1.0-pre0 snapshot from 20050311. The client is a Mac OS X laptop. I was able to get the client going with the users file and plain-text passwords.


I have the following in radiusd.conf:

        pap {
                encryption_scheme = md5
        }

        ldap {
                server = "ldap1.domain.com"
                basedn = "dc=domain,dc=com"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                start_tls = no
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                password_attribute = "userPassword"
                ldap_connections_number = 5
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }

        authorize {
                eap
                ldap
        }

        authenticate {
                Auth-Type PAP {
                        pap
                }

                Auth-Type LDAP {
                        ldap
                }

                eap
        }

In eap.conf:

        gtc {
                auth_type = PAP
        }

        tls {
                private_key_password =
                private_key_file = /etc/freeradius/server.pem
                certificate_file = /etc/freeradius/server.pem
                CA_file = /etc/ldap/ca.crt
                dh_file = ${raddbdir}/certs/dh
                random_file = /dev/urandom
        }

        ttls {
                default_eap_type = md5
                copy_request_to_tunnel = no
                use_tunneled_reply = no
        }

The debug log looks like the following:

------------------------------------------------------------------------------------------------------------------------------------------------
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.200.56:2049, id=0, length=125
User-Name = "testuser"
NAS-IP-Address = 192.168.200.56
Called-Station-Id = "001310190610"
Calling-Station-Id = "000d93f02a24"
NAS-Identifier = "001310190610"
NAS-Port = 62
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0200000b0176756b73616e
Message-Authenticator = 0x2ed16692e237099aaa48b37f20445234
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
rlm_eap: EAP packet type response id 0 length 11
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat: '(uid=testuser)'
radius_xlat: 'dc=domain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap1.domain.com:389, authentication 0
rlm_ldap: bind as / to ldap1.domain.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=domain,dc=com, with filter (uid=testuser)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding LDAP attribute radiusFilterId as RADIUS attribute Filter-Id = Enterasys:version=1:policy=Administrator
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 0 to 192.168.200.56:2049
Filter-Id = "Enterasys:version=1:policy=Administrator"
EAP-Message = 0x010100061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc33c06ed1fa16cca420edad48001c26e
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.200.56:2049, id=0, length=234
User-Name = "testuser"
NAS-IP-Address = 192.168.200.56
Called-Station-Id = "001310190610"
Calling-Station-Id = "000d93f02a24"
NAS-Identifier = "001310190610"
NAS-Port = 62
Framed-MTU = 1400
State = 0xc33c06ed1fa16cca420edad48001c26e
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201006615800000005c1603010057010000530301423b381a9a192877247eaaf0c7b095b0cfcf81234828f10fd590938482b81ba500002c00050004000aff830009ff82000300080006ff8000010016001500140013001200110018001b001a001700190100
Message-Authenticator = 0xd9057412031d60a69f77f540a5fba953
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
rlm_eap: EAP packet type response id 1 length 102
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat: '(uid=testuser)'
radius_xlat: 'dc=domain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=domain,dc=com, with filter (uid=testuser)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding LDAP attribute radiusFilterId as RADIUS attribute Filter-Id = Enterasys:version=1:policy=Administrator
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0057], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 05d2], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 0 to 192.168.200.56:2049
Filter-Id = "Enterasys:version=1:policy=Administrator"
EAP-Message = 0x...
EAP-Message = 0x...
EAP-Message = 0x4326a6cad9a755d124174f99d3c61e5fbefb2ca4c882c21ede99ce2a57b365a113a30c21ad292685d76e1c330203010001300d06092a864886f70d0101040500038181006b7747fc6957c5e9d26de23f4e7c6579b7dae70486cf7f7d1d4c29b687850c8df4339ef0f7366f30d680b6143b0c3a596f2276796c3ee65fb67fc45cd7e5c6d2185a0f9dfc517a0979b473ead69b3466dc4316ad5e528581361c4ab3d8e4307b58f726c80925676483d00ee5058e60f49f54af679411a18027c98eab39f2c5f100036f3082036b308202d4a003020102020100300d06092a864886f70d0101040500308186310b3009060355040613025553310b3009060355
EAP-Message = 0x...
EAP-Message = 0x864886f70d01090116146373737570706f7274406373
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2fe01be0bd9c9677ae6ba103d7aa6461
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.200.56:2049, id=0, length=138
User-Name = "testuser"
NAS-IP-Address = 192.168.200.56
Called-Station-Id = "001310190610"
Calling-Station-Id = "000d93f02a24"
NAS-Identifier = "001310190610"
NAS-Port = 62
Framed-MTU = 1400
State = 0x2fe01be0bd9c9677ae6ba103d7aa6461
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020200061500
Message-Authenticator = 0xa37f4cfc3f64d9f02219049ed228cb2c
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
rlm_eap: EAP packet type response id 2 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat: '(uid=testuser)'
radius_xlat: 'dc=domain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=domain,dc=com, with filter (uid=testuser)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding LDAP attribute radiusFilterId as RADIUS attribute Filter-Id = Enterasys:version=1:policy=Administrator
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 2
modcall: group authorize returns updated for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 0 to 192.168.200.56:2049
Filter-Id = "Enterasys:version=1:policy=Administrator"
EAP-Message = 0x...
EAP-Message = 0xa1818ca48189308186310b3009060355040613025553310b3009060355040813024e4d311430120603550407130b416c627571756572717565311a3018060355040a1311554e4d204353204465706172746d656e7431133011060355040b130a435320537570706f72743123302106092a864886f70d01090116146373737570706f72744063732e756e6d2e656475820100300c0603551d13040530030101ff300d06092a864886f70d010104050003818100123af85b789f41b19b87078e67ed4652e9d7b141121fb5db9e3417f7619932fa95bc6e3e0155cb198b5045b4e827ab9026b5b70e816ab3a96e046c7adce9f54753c6b72d1229359d8a7f
EAP-Message = 0x8aab96fed09eb5f7942a14184c227f2f502484170c880cc6051fe22297033f07aff4da45889601e292ad8a47661e81d5a7a93e7cd35516030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd87e437ca1bf96a8576a5a7df4cde570
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.200.56:2049, id=0, length=264
User-Name = "testuser"
NAS-IP-Address = 192.168.200.56
Called-Station-Id = "001310190610"
Calling-Station-Id = "000d93f02a24"
NAS-Identifier = "001310190610"
NAS-Port = 62
Framed-MTU = 1400
State = 0xd87e437ca1bf96a8576a5a7df4cde570
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0203008415800000007a16030100461000004200408d12c99b52597c50ba914e1d04186f85ff6e325fc8a41c05bfb1cefde95a47cf13c1a411a3f7e77b3ab21305b2a58799fbcd2fd969e4c9ce8f7b5e6f786a433f140301000101160301002442b8ffb604d5fac33d751cee67bdcc04d2b7585ea21aff5fcb56cc4d6b146b45275f3597
Message-Authenticator = 0xfdbca73dbd5f5b1b358355a812b457bf
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
rlm_eap: EAP packet type response id 3 length 132
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat: '(uid=testuser)'
radius_xlat: 'dc=domain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=domain,dc=com, with filter (uid=testuser)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding LDAP attribute radiusFilterId as RADIUS attribute Filter-Id = Enterasys:version=1:policy=Administrator
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 3
modcall: group authorize returns updated for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 3
modcall: group authenticate returns handled for request 3
Sending Access-Challenge of id 0 to 192.168.200.56:2049
Filter-Id = "Enterasys:version=1:policy=Administrator"
EAP-Message = 0x0104003915800000002f14030100010116030100244c3d51b5fd10cd31e31f5bbb913f3e202216d19f6fdc50d9d13689517781c24bd964da39
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcbebe8efa058de74c4c27165a1d802f4
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.200.56:2049, id=0, length=273
User-Name = "testuser"
NAS-IP-Address = 192.168.200.56
Called-Station-Id = "001310190610"
Calling-Station-Id = "000d93f02a24"
NAS-Identifier = "001310190610"
NAS-Port = 62
Framed-MTU = 1400
State = 0xcbebe8efa058de74c4c27165a1d802f4
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0204008d158000000083170301007e01a24ad8419634af09b681137bc1849fc08deb5ea9595f532efed2e60f79c562d6c6ceba2a5f57a7cd0bf71041d0c040cf41eafeb6e2335bed6c7e9e53b8fb77a246439c4cb2f0206312d7563f44d88ee3c161e2de630b6ec3977359992421428500cb8d263e3ebe2a979044e943e931d2bc063d428b5f8ac35f27f3d9e1
Message-Authenticator = 0x026e7f5fcd23f3246e0d39b9492d0fc5
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
rlm_eap: EAP packet type response id 4 length 141
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat: '(uid=testuser)'
radius_xlat: 'dc=domain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=domain,dc=com, with filter (uid=testuser)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding LDAP attribute radiusFilterId as RADIUS attribute Filter-Id = Enterasys:version=1:policy=Administrator
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 4
modcall: group authorize returns updated for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
eaptls_process returned 7
rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
TTLS: Got tunneled request
User-Name = "testuser"
MS-CHAP-Challenge = 0x11e51e2be2b881db5d0d71d23265ebc6
MS-CHAP2-Response = 0x2f007e08f1097de2df2651a61c2b7cc7b90400000000000000000cecb110c91c68c0e7ebc600dfb7ebf6466d320235e316a5
FreeRADIUS-Proxied-To = 127.0.0.1
TTLS: Sending tunneled request
User-Name = "testuser"
MS-CHAP-Challenge = 0x11e51e2be2b881db5d0d71d23265ebc6
MS-CHAP2-Response = 0x2f007e08f1097de2df2651a61c2b7cc7b90400000000000000000cecb110c91c68c0e7ebc600dfb7ebf6466d320235e316a5
FreeRADIUS-Proxied-To = 127.0.0.1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat: '(uid=testuser)'
radius_xlat: 'dc=domain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=domain,dc=com, with filter (uid=testuser)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding LDAP attribute radiusFilterId as RADIUS attribute Filter-Id = Enterasys:version=1:policy=Administrator
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 4
modcall: group authorize returns ok for request 4
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
TTLS: Got tunneled reply RADIUS code 3
Filter-Id = "Enterasys:version=1:policy=Administrator"
TTLS: Got tunneled Access-Reject
rlm_eap: Handler failed in EAP/ttls
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 4
modcall: group authenticate returns invalid for request 4
auth: Failed to validate the user.
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 0 to 192.168.200.56:2049
EAP-Message = 0x04040004
Message-Authenticator = 0x00000000000000000000000000000000
Cleaning up request 4 ID 0 with timestamp 423b37dd
Nothing to do. Sleeping until we see a request.
------------------------------------------------------------------------------------------------------------------------------------------------



Thanks for looking into this.

Vladimir

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
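The debug output above already contains the diagnosis: once the TTLS tunnel is up, the client sends MS-CHAP-Challenge and MS-CHAP2-Response inside the tunnel rather than a User-Password, the authorize section (eap, ldap) adds no Auth-Type for that inner request, and the server rejects it with "No authenticate method (Auth-Type) configuration found". The script below is an added example, not code from the post or from the FreeRADIUS project; it reads a `radiusd -X` log and the posted authorize/authenticate sections and reports which module the inner credential needs and whether that module is listed. The sample log and config are constructed from the post (long hex values shortened); the attribute-to-module table is the assumption it relies on.

```python
"""Triage a FreeRADIUS 1.x `radiusd -X` log of an EAP-TTLS session.

Added example (not FreeRADIUS code): find the tunneled inner request,
work out which module its credential attribute needs, and compare that
with the modules named in the authorize/authenticate sections.
"""
import re

# Constructed sample input: the tail of the debug log from the post, hex shortened.
SAMPLE_LOG = """\
rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
TTLS: Got tunneled request
        User-Name = "testuser"
        MS-CHAP-Challenge = 0x11e51e2be2b881db5d0d71d23265ebc6
        MS-CHAP2-Response = 0x2f007e08f1097de2df2651a61c2b7cc7b904
        FreeRADIUS-Proxied-To = 127.0.0.1
TTLS: Sending tunneled request
        User-Name = "testuser"
        MS-CHAP-Challenge = 0x11e51e2be2b881db5d0d71d23265ebc6
        MS-CHAP2-Response = 0x2f007e08f1097de2df2651a61c2b7cc7b904
        FreeRADIUS-Proxied-To = 127.0.0.1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 4
rlm_ldap: user testuser authorized to use remote access
modcall[authorize]: module "ldap" returns ok for request 4
modcall: group authorize returns ok for request 4
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
TTLS: Got tunneled reply RADIUS code 3
TTLS: Got tunneled Access-Reject
"""

# Constructed sample: the authorize/authenticate sections as posted.
SAMPLE_CONF = """\
authorize { eap ldap }

authenticate { Auth-Type PAP { pap }

       Auth-Type LDAP {
                       ldap
       }

        eap
}
"""

ATTR_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*(.*)$')

# Assumption of this example: inner credential attribute -> module that checks it.
INNER_METHODS = {
    "User-Password": "pap",
    "CHAP-Password": "chap",
    "MS-CHAP-Response": "mschap",
    "MS-CHAP2-Response": "mschap",
    "EAP-Message": "eap",
}


def parse_tunneled_request(log):
    """Return the attributes of the first 'TTLS: Got tunneled request' block."""
    attrs, in_block = {}, False
    for line in log.splitlines():
        if line.startswith("TTLS: Got tunneled request"):
            in_block = True
            continue
        if in_block:
            m = ATTR_RE.match(line)
            if not m:
                break  # the attribute block ends at the first non-attribute line
            attrs[m.group(1)] = m.group(2)
    return attrs


def section_modules(conf, name):
    """Module names referenced inside the top-level `name { ... }` block.

    Brace counting keeps nested `Auth-Type X { ... }` bodies; the Auth-Type
    keyword and its type name are dropped so only module names remain.
    """
    m = re.search(r'\b%s\s*\{' % re.escape(name), conf)
    if not m:
        return []
    depth, i = 1, m.end()
    while i < len(conf) and depth:
        depth += {'{': 1, '}': -1}.get(conf[i], 0)
        i += 1
    body = re.sub(r'Auth-Type\s+\S+', ' ', conf[m.end():i - 1])
    return sorted(set(re.findall(r'[A-Za-z_][A-Za-z0-9_]*', body)))


def diagnose(log, conf):
    """Cross-check the inner request's credential type against the config."""
    attrs = parse_tunneled_request(log)
    needed = sorted({INNER_METHODS[a] for a in attrs if a in INNER_METHODS})
    authorize = section_modules(conf, "authorize")
    authenticate = section_modules(conf, "authenticate")
    return {
        "inner_user": attrs.get("User-Name", "").strip('"'),
        "inner_methods": needed,
        "missing_from_authorize": [x for x in needed if x not in authorize],
        "missing_from_authenticate": [x for x in needed if x not in authenticate],
        "auth_type_missing": "No authenticate method (Auth-Type) configuration found" in log,
        "tunneled_reject": "Got tunneled Access-Reject" in log,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG, SAMPLE_CONF).items():
        print("%-26s %s" % (key + ":", value))
```

Run against the sample it reports inner_methods ['mschap'] with mschap missing from both sections, plus auth_type_missing and tunneled_reject set. For a real capture, feed the full `radiusd -X` output and the actual radiusd.conf; the point is to read what the client actually put in the tunnel before touching the PAP or LDAP settings.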
