-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi folks,
I've been tasked with determining the feasibility of migrating a campus wireless deployment from "open wireless plus VPN" to WPA2 Enterprise. The existing VPN server authenticates against a RHEL4 FreeRADIUS server (1.0.1-3.RHEL4.5, the latest available distro-standard package), which itself primarily auths against PAM. (There are a few users defined in the RADIUS users file, but these are the exception rather than the rule.) This function is to be bolted onto an existing, production FreeRADIUS server, which is why I'm using such an old version of FR.

My NAS is talking to the FR instance (being run in "-X" debug mode, of course), but the NAS doesn't appear to be sending the "User-Password" attribute that FR is expecting. What I'm going for, here, is EAP/TTLS. I've synthesized a few HOWTOs* to arrive at my current configuration, which is attached in the form of my (sanitized) radiusd.conf, clients.conf, and eap.conf, as well as /etc/pam.d/radiusd. FWIW, I'm getting good answers when running 'radtest' locally, so the FR-to-PAM linkage is working properly.

* Namely, Hack #44 from O'Reilly's "Wireless Hacks, 2nd Ed." and an article[1] from Free Software Magazine.

Also attached are a few sample conversations as seen from the perspective of FR using a user that's active in PAM (radiusd-X_actual_eap_client.txt and radiusd-X_radeapclient.txt), AND one using an account that's local at FR, i.e., in the /etc/raddb/users file (radiusd-X_testuser_actual_eap_client.txt).

My test case will eventually include Windows XP Pro, Vista Business, and Mac OS X 10.4 specimens, but for now I'm using only Mac OS X 10.5, as it seems to have very flexible native support for mucking with 802.1x settings.

I did see mention of a similar symptom in my searches, and a few (including this one[2]) suggested that a fix was forthcoming in 1.1.5. By way of attempting this, I tried rolling my own 2.0.5 instance of FR, but it had the same problem. Alan's post here[3] indicates, "It needs a password."
What I'm not clear on is _what_ needs a password: is the client not sending it, or does the FR server not have access to the backend against which it should be verifying the password incoming from the client? If the client is not sending it, how might I go about ascertaining why?

In any case, this seems to be one of the more common errors for people attempting 802.1x auth via RADIUS, and since there are so many different scenarios cited by the posts I'm finding, I hoped that the knowledgeable among you might analyze and comment on my configuration. I can provide further information and diagnostic output upon request.

If at any point it's appropriate for someone to say, "You fool! You can't have WPA(2) Enterprise authentication for both Mac and Windows!" please, don't hesitate to do so. ;-)

Thanks in advance for your time.

Cheers,

- -sth

[1] http://www.freesoftwaremagazine.com/community_posts/howto_incremental_setup_freeradius_server_eap_authentications
[2] http://lists.cistron.nl/pipermail/freeradius-users/2007-February/060265.html
[3] http://www.mail-archive.com/[EMAIL PROTECTED]/msg22607.html

sam hooker | [EMAIL PROTECTED] | http://www.noiseplant.com
Yes, my television runs Linux, too. Yes, really. http://mythtv.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkhQHdEACgkQX8KByLv3aQ2ZlwCdFRD/+GGPomxSZmdJq+fD3T24
8I4AoLkwSuUwdjcCrnu48HF7obHCX2qy
=yzeE
-----END PGP SIGNATURE-----
# clients.conf (attached, sanitized)
client 127.0.0.1 {
    secret = testing123
    shortname = localhost
    nastype = other # localhost isn't usually a NAS...
}
client w.x.y.z {
    secret = supersecret
    shortname = sth_wireless_test
}
# eap.conf (attached, sanitized)
eap {
    # outer EAP type offered to the supplicant first; clients NAK to TTLS/PEAP
    default_eap_type = md5
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    md5 {
    }
    leap {
    }
    gtc {
        auth_type = PAP
    }
    tls {
        private_key_password = ultrasecret
        private_key_file = ${raddbdir}/certs/eap-test.pem
        certificate_file = ${raddbdir}/certs/eap-test.pem
        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = /dev/urandom
    }
    ttls {
        # EAP type tried inside the TLS tunnel when the inner request is EAP
        default_eap_type = md5
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
    }
    peap {
        default_eap_type = md5
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
    }
    mschapv2 {
    }
}
# radiusd.conf (attached, sanitized)
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/lib
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
    max_attributes = 200
    reject_delay = 1
    status_server = no
}
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}
modules {
    pap {
        encryption_scheme = crypt
    }
    chap {
        authtype = CHAP
    }
    pam {
        # PAM service name, i.e. /etc/pam.d/radiusd
        pam_auth = radiusd
    }
    unix {
        cache = no
        cache_reload = 600
        shadow = /etc/shadow
        radwtmp = ${logdir}/radwtmp
    }
    $INCLUDE ${confdir}/eap.conf
    mschap {
        authtype = MS-CHAP
    }
    ldap {
        server = "ldap.your.domain"
        basedn = "o=My Org,c=UA"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        access_attr = "dialupAccess"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }
    realm IPASS {
        format = prefix
        delimiter = "/"
        ignore_default = no
        ignore_null = no
    }
    realm suffix {
        format = suffix
        delimiter = "@"
        ignore_default = no
        ignore_null = no
    }
    realm realmpercent {
        format = suffix
        delimiter = "%"
        ignore_default = no
        ignore_null = no
    }
    realm ntdomain {
        format = prefix
        delimiter = "\\"
        ignore_default = no
        ignore_null = no
    }
    checkval {
        item-name = Calling-Station-Id
        check-name = Calling-Station-Id
        data-type = string
    }
    preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
    }
    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        compat = no
    }
    detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
        detailperm = 0600
    }
    acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
    }
    $INCLUDE ${confdir}/sql.conf
    radutmp {
        filename = ${logdir}/radutmp
        username = %{User-Name}
        case_sensitive = yes
        check_with_nas = yes
        perm = 0600
        callerid = "yes"
    }
    radutmp sradutmp {
        filename = ${logdir}/sradutmp
        perm = 0644
        callerid = "no"
    }
    attr_filter {
        attrsfile = ${confdir}/attrs
    }
    counter daily {
        filename = ${raddbdir}/db.daily
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        allowed-servicetype = Framed-User
        cache-size = 5000
    }
    always fail {
        rcode = fail
    }
    always reject {
        rcode = reject
    }
    always ok {
        rcode = ok
        simulcount = 0
        mpp = no
    }
    expr {
    }
    digest {
    }
    exec {
        wait = yes
        input_pairs = request
    }
    exec echo {
        wait = yes
        program = "/bin/echo %{User-Name}"
        input_pairs = request
        output_pairs = reply
    }
    ippool main_pool {
        range-start = 192.168.1.1
        range-stop = 192.168.3.254
        netmask = 255.255.255.0
        cache-size = 800
        session-db = ${raddbdir}/db.ippool
        ip-index = ${raddbdir}/db.ipindex
        override = no
        maximum-timeout = 0
    }
}
instantiate {
    exec
    expr
}
authorize {
    preprocess
    chap
    mschap
    suffix
    eap
    files
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    pam
    unix
    eap
}
preacct {
    preprocess
    acct_unique
    suffix
    files
}
accounting {
    detail
    unix
    radutmp
}
session {
    radutmp
}
post-auth {
}
pre-proxy {
}
post-proxy {
    eap
}
# /etc/pam.d/radiusd (attached)
#%PAM-1.0
auth       required   pam_stack.so service=system-auth
auth       required   pam_nologin.so
account    required   pam_stack.so service=system-auth
password   required   pam_stack.so service=system-auth
session    required   pam_stack.so service=system-auth
[EMAIL PROTECTED] ~]$ sudo /usr/sbin/radiusd -X
Password:
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "radiusd"
main: group = "radiusd"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded Pam
pam: pam_auth = "radiusd"
Module: Instantiated pam (pam)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "/etc/shadow"
unix: group = "(null)"
unix: radwtmp = "/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/raddb/certs/eap-test.pem"
tls: certificate_file = "/etc/raddb/certs/eap-test.pem"
tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem"
tls: private_key_password = "ultrasecret"
tls: dh_file = "/etc/raddb/certs/dh"
tls: random_file = "/dev/urandom"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
ttls: default_eap_type = "md5"
ttls: copy_request_to_tunnel = yes
ttls: use_tunneled_reply = yes
rlm_eap: Loaded and initialized type ttls
peap: default_eap_type = "md5"
peap: copy_request_to_tunnel = yes
peap: use_tunneled_reply = yes
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile = "/etc/raddb/acct_users"
files: preproxy_usersfile = "/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
...
rad_recv: Access-Request packet from host w.x.y.z:1046, id=0, length=129
User-Name = "sthooker"
NAS-IP-Address = w.x.y.z
Called-Station-Id = "001d7e5dc520"
Calling-Station-Id = "0016cbb1f902"
NAS-Identifier = "001d7e5dc520"
NAS-Port = 10
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0200000d017374686f6f6b6572
Message-Authenticator = 0x8884ca25a4b0e8632525fb9ef4246dbf
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "sthooker", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: EAP packet type response id 0 length 13
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
users: Matched DEFAULT at 187
modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type pam
auth: type "PAM"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_pam: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "pam" returns invalid for request 1
modcall: group authenticate returns invalid for request 1
auth: Failed to validate the user.
Login incorrect: [sthooker] (from client sth_wireless_test port 10 cli 0016cbb1f902)
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 0 to w.x.y.z:1046
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 0 with timestamp 484d91f2
Nothing to do. Sleeping until we see a request.
[EMAIL PROTECTED] consolidated_radius_configs]$ radeapclient -x localhost auth testing123 < req.txt
+++> About to send encoded packet:
User-Name = "sthooker"
NAS-IP-Address = w.x.y.z
EAP-Code = Response
EAP-Id = 210
EAP-Type-Identity = "sthooker"
Message-Authenticator = 0x00
NAS-Port = 0
Sending Access-Request of id 154 to 127.0.0.1:1812
User-Name = "sthooker"
NAS-IP-Address = w.x.y.z
Message-Authenticator = 0x00000000000000000000000000000000
NAS-Port = 0
EAP-Message = 0x02d2000d017374686f6f6b6572
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=154, length=20
rlm_eap: EAP-Message not found
<+++ EAP decoded packet:
...
rad_recv: Access-Request packet from host 127.0.0.1:32830, id=154, length=75
User-Name = "sthooker"
NAS-IP-Address = w.x.y.z
Message-Authenticator = 0xd4b84d12e6dc88294f27aaff16e2547c
NAS-Port = 0
EAP-Message = 0x02d2000d017374686f6f6b6572
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module "preprocess" returns ok for request 7
modcall[authorize]: module "chap" returns noop for request 7
modcall[authorize]: module "mschap" returns noop for request 7
rlm_realm: No '@' in User-Name = "sthooker", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 7
rlm_eap: EAP packet type response id 210 length 13
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 7
users: Matched DEFAULT at 187
modcall[authorize]: module "files" returns ok for request 7
modcall: group authorize returns updated for request 7
rad_check_password: Found Auth-Type pam
auth: type "PAM"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_pam: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "pam" returns invalid for request 7
modcall: group authenticate returns invalid for request 7
auth: Failed to validate the user.
Login incorrect: [sthooker] (from client localhost port 0)
Delaying request 7 for 1 seconds
Finished request 7
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 154 to 127.0.0.1:32830
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 7 ID 154 with timestamp 484d95af
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host w.x.y.z:1046, id=0, length=177
User-Name = "testuser"
NAS-IP-Address = w.x.y.z
Called-Station-Id = "001d7e5dc520"
Calling-Station-Id = "0016cbb1f902"
NAS-Identifier = "001d7e5dc520"
NAS-Port = 10
Framed-MTU = 1400
State = 0xaafd92bfb16297927e5b53fde6e3b52d
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0207002b190017030100205a2dd9f0761ff1874a7d6aa970845f772eec68d85a7124cc1b717f7930bc2c9a
Message-Authenticator = 0x0b925b0d2d16bdabdfe321a2c7399d42
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
modcall[authorize]: module "preprocess" returns ok for request 8
modcall[authorize]: module "chap" returns noop for request 8
modcall[authorize]: module "mschap" returns noop for request 8
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 8
rlm_eap: EAP packet type response id 7 length 43
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 8
users: Matched testuser at 93
modcall[authorize]: module "files" returns ok for request 8
modcall: group authorize returns updated for request 8
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure, rejecting.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 8
modcall: group authenticate returns invalid for request 8
auth: Failed to validate the user.
Login incorrect: [testuser] (from client sth_wireless_test port 10 cli 0016cbb1f902)
Delaying request 8 for 1 seconds
Finished request 8
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 0 to w.x.y.z:1046
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
Cleaning up request 8 ID 0 with timestamp 484d9af1
Nothing to do. Sleeping until we see a request.
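Added example (editor's, not part of the post above and not FreeRADIUS code): a small Python decoder for the two EAP-Message values that appear in the radiusd -X traces, plus a constructed Access-Request carrying the same attribute set radeapclient sent (User-Name, NAS-IP-Address, NAS-Port, EAP-Message, Message-Authenticator) and the RFC 3579 Message-Authenticator check a RADIUS server applies to any request that carries EAP-Message. The NAS-IP-Address (192.0.2.10 stands in for the sanitised w.x.y.z) and the 16-byte Request Authenticator are placeholders chosen here, so the computed Message-Authenticator will not equal the one in the trace; the packet length does come out at 75 octets, as in the trace. Decoding shows what the outer request actually contains: an EAP Identity response naming "sthooker" and, for the later PEAP packet, an encrypted TLS application-data record, with no User-Password attribute anywhere in the outer packet for rlm_pam to read.

```python
"""Decode EAP-Message attributes from a radiusd -X trace and build/verify the
RFC 3579 Message-Authenticator on an EAP Access-Request.  Added example; the
packet below is constructed here, not captured from the poster's NAS."""
import hashlib
import hmac
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS", 21: "TTLS", 25: "PEAP"}

# RADIUS attribute numbers used below (RFC 2865, RFC 3579)
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
ACCESS_REQUEST = 1


def decode_eap(msg):
    """Parse one EAP packet: RFC 3748 header, plus the Identity payload and
    the flags/TLS record header of TLS-based types (what a trace reader needs)."""
    if len(msg) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", msg[:4])
    if length != len(msg):
        raise ValueError(f"EAP length field {length} != {len(msg)} bytes on the wire")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):                      # Request/Response carry a Type octet
        eap_type = msg[4]
        out["type"] = EAP_TYPES.get(eap_type, eap_type)
        data = msg[5:]
        if eap_type == 1:                   # Identity: the bare user name
            out["identity"] = data.decode("utf-8", "replace")
        elif eap_type in (13, 21, 25):      # EAP-TLS / TTLS / PEAP: flags + TLS data
            flags = data[0]
            out["flags"] = {"length_included": bool(flags & 0x80),
                            "more_fragments": bool(flags & 0x40),
                            "start": bool(flags & 0x20)}
            tls = data[1:]
            if flags & 0x80:                # 4-octet total length precedes the record
                tls = tls[4:]
            if len(tls) >= 5:               # TLS record header: type, version, length
                ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", tls[:5])
                out["tls_record"] = {"content_type": ctype, "version": (vmaj, vmin), "length": rlen}
    return out


def build_access_request(ident, authenticator, attrs, secret):
    """Serialise attrs (list of (type, bytes)) into an Access-Request and append a
    Message-Authenticator = HMAC-MD5(secret, packet with that attribute zeroed)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)   # zeroed placeholder
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def parse_attrs(packet):
    """Return [(type, value)] for a RADIUS packet, checking every length field."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return attrs


def verify_message_authenticator(packet, secret):
    """RFC 3579 3.2: recompute the HMAC-MD5 with the attribute zeroed and compare in
    constant time.  An EAP Access-Request without the attribute must be discarded."""
    pos = 20
    while pos + 2 <= len(packet):
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > len(packet):
            return False
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            claimed = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), claimed)
        pos += l
    return False


def has_user_password(packet):
    """True only if the outer packet carries User-Password (what rlm_pam needs)."""
    return any(t == USER_PASSWORD for t, _ in parse_attrs(packet))


# The two EAP-Message values copied from the traces: EAP Identity, then a PEAP record
IDENTITY_EAP = bytes.fromhex("0200000d017374686f6f6b6572")
PEAP_EAP = bytes.fromhex("0207002b190017030100205a2dd9f0761ff1874a7d6aa970845f772eec68d85a7124cc1b717f7930bc2c9a")

# Constructed reproduction of the radeapclient Access-Request (id 154, secret from clients.conf);
# the NAS-IP-Address and Request Authenticator are placeholders, not the poster's values.
SECRET = b"testing123"
REQUEST = build_access_request(154, bytes(range(16)), [
    (USER_NAME, b"sthooker"),
    (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),
    (NAS_PORT, struct.pack("!I", 0)),
    (EAP_MESSAGE, IDENTITY_EAP),
], SECRET)

if __name__ == "__main__":
    print(decode_eap(IDENTITY_EAP))
    print(decode_eap(PEAP_EAP))
    print("packet length:", len(REQUEST))
    print("Message-Authenticator valid:", verify_message_authenticator(REQUEST, SECRET))
    print("User-Password in outer request:", has_user_password(REQUEST))
```

Run it as-is to see the Identity and PEAP decodes; feed any other EAP-Message hex from a trace to decode_eap() to read which EAP type and which TLS record a given round trip carried. The verifier is the check a server performs before trusting any EAP Access-Request; the shared secret and the NAS address are the only inputs, so a wrong secret or a tampered User-Name both fail it.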