EAP-TLS testing, occasional errors

2013-03-07 Thread Bertalan Voros
Hello All,

I have configured a server to test EAP-TLS.

Created the CA, a server and one client certificate.
The same client certificate was then installed on three different devices;
OSX, Windows 7 and an Android 4.2.

All is well, all the devices can authenticate successfully, however, every
now and again I can see similar entries in the log like the one below.

A failure.
Thu Mar  7 14:30:57 2013 : Error: TLS Alert write:fatal:handshake failure
Thu Mar  7 14:30:57 2013 : Error: TLS_accept: error in SSLv3 read client certificate B
Thu Mar  7 14:30:57 2013 : Error: rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
Thu Mar  7 14:30:57 2013 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
Thu Mar  7 14:30:57 2013 : Auth: Login incorrect (TLS Alert write:fatal:handshake failure): [wifiuser] (from client CiscoAP port 289 cli 10-68-3F-48-41-46)

Then a success soon after from the same device (this is the Android one):
Thu Mar  7 14:32:10 2013 : Auth: Login OK: [wifiuser] (from client CiscoAP port 291 cli 10-68-3F-48-41-46)

Very occasionally the Android device would give up and not attempt to
reauthenticate.

The AP is set to reauthenticate clients every 10 minutes (a rickety old
Cisco Aironet 1200).

Has anyone seen this before?

Thanks in advance,
Bertalan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
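As an added example (not part of the post), here is a small Python script that reads radius.log lines in the format quoted above, groups the Auth: results by the client MAC (the "cli" field, i.e. Calling-Station-Id) and reports, per client, how many handshake failures were followed by a Login OK within one reauthentication interval and whether the client's last attempt was a failure it never recovered from, the "gave up" case mentioned for the Android device. The embedded log is constructed to match the post's format; the 10-minute window is the AP's reauthentication interval from the post, and the second MAC is made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the "Auth:" lines of radius.log in the format quoted in the post;
# "cli" is the Calling-Station-Id, i.e. the client's MAC address.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : Auth: "
    r"Login (?P<result>OK|incorrect)(?: \((?P<reason>[^)]*)\))?: "
    r"\[(?P<user>[^\]]*)\] \(from client \S+ port \d+ cli (?P<mac>[0-9A-Fa-f-]+)\)$"
)

# Constructed sample: the two lines from the post plus made-up later events.
SAMPLE_LOG = """\
Thu Mar  7 14:30:57 2013 : Auth: Login incorrect (TLS Alert write:fatal:handshake failure): [wifiuser] (from client CiscoAP port 289 cli 10-68-3F-48-41-46)
Thu Mar  7 14:32:10 2013 : Auth: Login OK: [wifiuser] (from client CiscoAP port 291 cli 10-68-3F-48-41-46)
Thu Mar  7 14:35:02 2013 : Auth: Login OK: [wifiuser] (from client CiscoAP port 292 cli 00-11-22-33-44-55)
Thu Mar  7 14:41:30 2013 : Auth: Login incorrect (TLS Alert write:fatal:handshake failure): [wifiuser] (from client CiscoAP port 293 cli 10-68-3F-48-41-46)
Thu Mar  7 14:55:00 2013 : Auth: Login OK: [wifiuser] (from client CiscoAP port 294 cli 00-11-22-33-44-55)
"""

def parse_auth_lines(lines):
    """Yield (timestamp, ok, reason, mac) for each Auth: line; others are skipped."""
    for line in lines:
        m = AUTH_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, m["result"] == "OK", m["reason"] or "", m["mac"]

def client_summary(lines, reauth=timedelta(minutes=10)):
    """Per MAC: failures seen, failures followed by a Login OK within one reauth
    interval, and whether the last event is an unrecovered failure ('gave up')."""
    events = sorted(parse_auth_lines(lines))
    if not events:
        return {}
    log_end = events[-1][0]                 # "now" for the stranded check
    by_mac = defaultdict(list)
    for ts, ok, reason, mac in events:
        by_mac[mac].append((ts, ok, reason))
    summary = {}
    for mac, evs in by_mac.items():
        failures = [ts for ts, ok, _ in evs if not ok]
        recovered = sum(1 for f in failures
                        if any(ok and f < t <= f + reauth for t, ok, _ in evs))
        last_ts, last_ok, last_reason = evs[-1]
        summary[mac] = {"failures": len(failures), "recovered": recovered,
                        "stranded": not last_ok and log_end - last_ts > reauth,
                        "last_reason": last_reason}
    return summary
```

Run it over the real radius.log with client_summary(open("/path/to/radius.log")) to see which MACs are stranded and what the last TLS alert for each was.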

277 realms to maintain

2013-02-25 Thread Bertalan Voros
Hello All,

In order to be able to use the home server pools and fail-over I had to
create a list of 277 realms.

There are now 277 entries similar to this:

realm domain.com {
    auth_pool = my_auth_failover
    nostrip
}

Could I use an $INCLUDE statement here to maintain the list of realms in a
separate file?
That way it would be easier to automate the creation of the realms list.

Is there a better way of doing this?

Thank you,
Bertalan
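$INCLUDE is handled by the same configuration parser that reads proxy.conf (radiusd.conf itself pulls proxy.conf in with $INCLUDE), so the realm stanzas can live in a generated file that proxy.conf includes. As an added example, not from the list or the poster, here is a Python generator for such a file that validates every domain before writing it, so that a stray space, brace or comment character in the domain list cannot end up as syntax in the parsed configuration. The domain list embedded in it is constructed; my_auth_failover is the pool name from the post.

```python
import re

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def valid_realm_name(name):
    """True for a plain DNS-style domain. Anything else (spaces, braces, '#',
    empty labels) must not be written into the realm list: the config parser
    would read it as syntax, so a bad line could break or alter proxying."""
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))

# Constructed sample domain list: one entry per line, '#' lines are comments.
DOMAIN_LIST = """\
# realms proxied to the NPS pool
domain.com
Example.ORG
domain.com
bad domain.com
evil.com }
"""

def render_realms(domains, auth_pool="my_auth_failover"):
    """Render one realm stanza per unique domain, in the form used in the post.
    Returns (config_text, rejected_entries); rejected entries are reported so
    they can be fixed by hand rather than silently dropped or written as-is."""
    seen, rejected, out = set(), [], []
    for raw in domains:
        name = raw.strip().lower()          # fold case so duplicates collapse
        if not name or name.startswith("#"):
            continue
        if not valid_realm_name(name):
            rejected.append(raw.strip())
            continue
        if name not in seen:
            seen.add(name)
            out.append(f"realm {name} {{\n\tauth_pool = {auth_pool}\n\tnostrip\n}}\n")
    return "".join(out), rejected
```

Write the returned text to a file such as realms.conf (path is an assumption) next to proxy.conf and reference it there with $INCLUDE realms.conf; only regenerate when the rejected list is empty.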

DEFAULT realm proxy fail over

2013-02-21 Thread Bertalan Voros
Hello All,

I would like to get help with the following.

There is a freeradius server that is proxying every mschapv2 request to a
homeserver using the DEFAULT realm.

The same server is also handling EAP requests and then proxying the inner
request through the DEFAULT realm.

Is it possible to set up fail-over using two home servers in this scenario?

Thank you and best regards,

Bertalan Voros

radiusd running config - is it possible to display

2013-02-05 Thread Bertalan Voros
Hello All,

Is it possible to display the running config of freeradius without having
to capture the output of radiusd -X?

Best regards,
Bertalan

Proxy based on auth type?

2013-02-01 Thread Bertalan Voros
Hello All,

Another lame ass question.

Is it possible to proxy requests based on Auth-Type?

I now have a config which terminates PEAP locally and proxies through the
inner-tunnel to an NPS using MSCHAP.
This was my original goal.

However, when I do a radtest to check what happens to an mschap request it
fails locally instead of being proxied.
There is a combination of peap and mschap requests coming to the server.

If I uncomment suffix in sites-enabled/default then it's reversed, mschap
gets proxied but PEAP requests don't get sent through the inner tunnel.

In proxy.conf I have the DEFAULT realm set to our NPS and have nostrip set
for each entry in clients.conf.
The reason for this is that in the AD we have the user's email set as UPN
and, since there are hundreds of email domains in use, the user's AD
username cannot be determined based on the email address.

Output of debug mode when plain mschap fails:

Ready to process requests.
rad_recv: Access-Request packet from host 10.205.128.7 port 54292, id=242, length=154
User-Name = bertalan.vo...@onedomain.com
NAS-IP-Address = x.x.x.x
NAS-Port = 0
Message-Authenticator = 0x8402c1883262ac3e5a71b538490e1082
MS-CHAP-Challenge = 0x9580349e1047ab7c
MS-CHAP-Response = 0x0001ce764eb9fbdbfd3c66d06ecbfbf934845bfc12ed2a697dc4
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] MS-CHAP-Response is incorrect.
++[mschap] returns reject
Failed to authenticate the user.
Login incorrect: [bertalan.voros@onedomain.com] (from client CiscoAP port 0)
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> bertalan.voros@onedomain.com
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 11 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 11
Sending Access-Reject of id 242 to 10.205.128.7 port 54292
MS-CHAP-Error = \000E=691 R=1
Waking up in 4.9 seconds.
Cleaning up request 11 ID 242 with timestamp +13
Ready to process requests.


Your help will be appreciated,

-- 
Bertalan Voros

Re: Proxy based on auth type?

2013-02-01 Thread Bertalan Voros
Thanks Alan,

It did fix the problem perfectly.

On 1 February 2013 14:33, Alan DeKok al...@deployingradius.com wrote:

 Bertalan Voros wrote:
  Is it possible to proxy requests based on Auth-Type?

   Yes, but you don't want to do that.

  If I uncomment suffix in sites-enabled/default then it's reversed,
  mschap gets proxied but PEAP requests don't get sent through the inner
  tunnel.

   You need to *conditionally* run the suffix module then.  In the
 sites-enabled/default, do:

 authorize {
   ...
   if (!EAP-Message) {
     suffix
   }
   ...
 }

   That should solve the problem quite nicely.

   Alan DeKok.

Terminate PEAP on freeradius then proxy MSCHAPv2 to NPS

2013-01-25 Thread Bertalan Voros
Hello All,

Could someone tell me if it is possible to terminate PEAP on a freeradius
server then proxy the request to an NPS server using MSCHAPv2?

Thank you and best regards,
Bertalan

Re: Terminate PEAP on freeradius then proxy MSCHAPv2 to NPS

2013-01-25 Thread Bertalan Voros
Hi Phil,

Thanks a lot for the quick response.

The reason I was attempting this is because I have to provide a service for
roaming users and I was having issues with obtaining a certificate for the
NPS server.

Does this mean that I could use a self signed certificate for the NPS that
is recognized by the freeradius and have a commercial certificate on the
freeradius that is then recognized by the clients?
So it's kept EAP-MSCHAPv2 all the way.

Is this correct?

Sorry for the lame questions but I am reasonably new to freeradius and have
only been using it to blindly proxy requests to the NPS.

On 25 January 2013 13:45, Phil Mayers p.may...@imperial.ac.uk wrote:

 On 01/25/2013 01:19 PM, Bertalan Voros wrote:

 Hello All,

 Could someone tell me if it is possible to terminate PEAP on a
 freeradius server then proxy the request to an NPS server using MSCHAPv2?


 Yes. Simply set Proxy-To-Realm in inner-tunnel/authorize, and FreeRADIUS
 will proxy the packets.

 server inner-tunnel {
   authorize {
     ...
     update control {
       Proxy-To-Realm := NPS
     }
     ...
   }
 }

 However, personally I would strongly recommend you proxy the inner as
 EAP-MSCHAPv2, rather than using the magic turn into plain mschapv2 code
 i.e. you *should* set in eap.conf:

 eap {
   ...
   peap {
     ...
     proxy_tunneled_request_as_eap = yes
     ...
   }
 }

 If you set this option to no the proxied packet will be changed into
 plain MSCHAP, but that code path is complex and has had problems in the
 past. NPS can handle EAP-MSCHAPv2 just fine, so you shouldn't need to do
 this.
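Pulling the pieces of these threads together (Phil's Proxy-To-Realm and proxy_tunneled_request_as_eap settings above, Alan's conditional suffix from the "Proxy based on auth type?" thread, and the two-home-server fail-over asked about in "DEFAULT realm proxy fail over"), here is an added example configuration in FreeRADIUS 2.x syntax; it is not from the list or the original posters. The home_server names, addresses and secrets are placeholders, and the inner-tunnel realm is the DEFAULT realm defined in proxy.conf.

```text
# proxy.conf: two NPS home servers behind one fail-over pool, reached via DEFAULT
home_server nps1 {
        type = auth
        ipaddr = 192.0.2.10            # placeholder address
        port = 1812
        secret = CHANGE_ME             # placeholder shared secret
        response_window = 20           # no reply within 20s: server marked zombie
        zombie_period = 40             # zombie for 40s: marked dead, pool fails over
}
home_server nps2 {
        type = auth
        ipaddr = 192.0.2.11            # placeholder address
        port = 1812
        secret = CHANGE_ME             # placeholder shared secret
}
home_server_pool nps_failover {
        type = fail-over               # nps2 is only used while nps1 is marked dead
        home_server = nps1
        home_server = nps2
}
realm DEFAULT {
        auth_pool = nps_failover
        nostrip                        # send user@domain unchanged; NPS matches the UPN
}

# sites-enabled/default, authorize: run suffix only for non-EAP requests (plain MS-CHAP is proxied, PEAP is terminated locally)
authorize {
        ...
        if (!EAP-Message) {
                suffix
        }
        ...
}

# sites-enabled/inner-tunnel, authorize: proxy the inner (tunnelled) request
server inner-tunnel {
        authorize {
                update control {
                        Proxy-To-Realm := DEFAULT
                }
        }
}

# eap.conf: keep the proxied inner request as EAP-MSCHAPv2, not plain MS-CHAP
eap {
        peap {
                proxy_tunneled_request_as_eap = yes
        }
}
```

Check the result with radiusd -X: an outer MS-CHAP request should show suffix setting Proxy-To-Realm, and a PEAP request should show the inner-tunnel proxying an EAP-Message rather than MS-CHAP attributes.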

Re: Terminate PEAP on freeradius then proxy MSCHAPv2 to NPS

2013-01-25 Thread Bertalan Voros
The clients are employees of a fairly loose network of companies, each on
their own AD; some don't even have AD.

A frustrating mixture of Windows and OSX.

We maintain a central AD with all the user accounts in it but there are no
machines associated with that AD.

The self signed certificate works but people get prompted to accept it and
we were asked if it was possible for that to not happen.
The most likely users of this service would be the VIP types, it is
expected to just work so here I am.

Self signed or commercial makes no difference as the certificate is only
used for server authentication.
The only difference is users having to manually trust a cert or not.
Unless I am wrong.

On 25 January 2013 14:23, a.l.m.bu...@lboro.ac.uk wrote:

 Hi,

 The reason I was attempting this is because I have to provide a service
 for roaming users and I was having issues with obtaining a certificate for
 the NPS server.

 what's wrong with just using your current FR certificate on the NPS box?

 Does this mean that I could use a self signed certificate for the NPS that
 is recognized by the freeradius and have a commercial certificate on the
 freeradius that is then recognized by the clients?

 what are your clients/userbase?  why do you have to use a commercial
 certificate for your server?   if the clients authenticating are your
 clients then they can have the required private CA installed - the
 authentication is a closed loop.  if you use a commercial cert eg thawte,
 verisign etc and only use that as trust then anyone can get a cert signed
 by that commercial CA as a first point to subverting your security

 alan

Re: Terminate PEAP on freeradius then proxy MSCHAPv2 to NPS

2013-01-25 Thread Bertalan Voros
Hi Alan,

Thanks for your insight, you are absolutely correct regarding the issues.
I will have to find a compromise that is acceptable by everyone.


 We maintain a central AD with all the user accounts in it but there are no
 machines associated with that AD.

 any reasons for proxying to the NPS rather than binding the FR system into
 the AD and authenticating locally?


Only that the FR site mentioned it to be complicated and we already have an
NPS that we are otherwise happy with.
Looks like this would be the best option.



 The self signed certificate works but people get prompted to accept it and
 we were asked if it was possible for that to not happen.

 some clients may prompt for the RADIUS or CA certificate anyway.

 The most likely users of this service would be the VIP types, it is
 expected to just work so here I am.

 ah...the VIP types who 'just want it to work!' - and thus decide that
 security requirements are superfluous and get in the way. fine, you need to
 demonstrate the issue with a classic man in the middle attack - a couple of
 easy to boot systems exist which do that.

 Self signed or commercial makes no difference as the certificate is only
 used for server authentication.

 correct.

 The only difference is users having to manually trust a cert or not.
 Unless I am wrong.

 I would seriously advise that you look to having the right security in
 place and avoid users/clients having to configure their systems - ie an
 802.1X deployment tool (such as XpressConnect from CloudPath) which will do
 all the work/configuration and installation of a CA for you as per your
 requirements - multi-platform and will do wireless and wired.
 (there are alternatives but none that are as feature-rich and support as
 many clients)


Will definitely look into that.
The difficulty is that some of the users are so remote from us that our
only encounter with them is seeing a log entry.
This is a global solution very removed from the local tech team, only used
to let roaming users on the wireless network.
We are providing a radius so they don't have to maintain a full copy of all
the users in the network (network of companies).

It's a continuous headache for us.



 alan