FreeRadius 2.1.8 and MySQL

2010-04-23 Thread John Gammons
All,

I have a 2.1.8 freeradius server running and have recently added MySQL
into the mix.  I am attempting to authenticate a user via EAP-TTLS
with a PAP inner (for simplicity's sake atm).  The user is valid, in
the DB with Cleartext-Password, and auths fine when doing a radtest
(PAP), however, when EAP-TTLS is thrown in the mix it fails with the
following no auth type config'd error.  I also attempted to place an
Auth-Type == PAP into the DB, but that didn't help the EAP auth.  When
I remove MySQL, and revert to the users file, the user auths fine even
with EAP-TTLS and a PAP inner.  I have been scratching my head on this
one trying different settings and DB entries and looking at the logs,
but am failing to see what I am missing.  Any ideas?

Thanks,
John

++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = testing, looking up realm NULL
[suffix] Found realm NULL
[suffix] Adding Stripped-User-Name = testing
[suffix] Adding Realm = NULL
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[control] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [testing/password] (from client purewave port 0 cli
00:1d:8f:00:03:4d via TLS tunnel)
} # server inner-tunnel
[ttls] Got tunneled reply code 3
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
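As an added note, not part of John's post: the inner-tunnel debug above lists mschap, unix, suffix, control, eap, files, expiration, logintime and pap, but no sql, so the Cleartext-Password stored in MySQL is never loaded inside the tunnel and pap returns noop (pap only sets Auth-Type := PAP when it finds a known-good password). Assuming the stock 2.1.8 layout, the constructed sites-enabled/inner-tunnel authorize section below adds sql before pap; module order and names are the defaults, the sql line is the change.

```conf
# sites-enabled/inner-tunnel (FreeRADIUS 2.1.x default layout assumed)
server inner-tunnel {
    authorize {
        chap
        mschap
        unix
        suffix
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        files
        # Added: look the tunneled User-Name up in MySQL so that
        # Cleartext-Password is in the control list before pap runs.
        # Without this line only the users file is consulted here,
        # which is why the same user works with files but not with SQL.
        sql
        expiration
        logintime
        # pap sets Auth-Type := PAP only when a known-good password is
        # present; otherwise it returns noop and the tunnel replies
        # "No authenticate method (Auth-Type) configuration found".
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
}
```

Putting Auth-Type := PAP into radcheck does not help on its own, because with sql missing from the tunnel that row is never read either; once sql is listed, pap sets Auth-Type itself and the forced entry should be removed.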


Re: Multiple instance of proxy

2010-04-23 Thread John Gammons
This configuration is located in proxy.conf.

To proxy any @MYREALM1 requests to one server, and @MYREALM2 to
another, you would enter something like the following in that file

realm MYREALM1 {
   authhost= radius.company1.com:1600
   accthost= radius.company1.com:1601
   secret  = testing123
   nostrip
}

realm MYREALM2 {
   authhost= radius.company2.com:1812
   accthost= radius.company2.com:1813
   secret  = testing123
   nostrip
}

There are a lot of options, but they are explained in great detail in proxy.conf.

Hope that helps.

John


On Fri, Apr 23, 2010 at 8:38 AM,  brisston...@free.fr wrote:
> According to Alan DeKok al...@deployingradius.com:
>
> > brisston...@free.fr wrote:
> > > I have a question about proxy request with freeradius : is it possible to
> > > run
> > > multiple instance of proxy (not the same but the same daemon) which use
> > > different realm configuration.
> >
> >   Yes.
> >
> >   Alan DeKok.
>
> Thanks but... can you explain to me how I can do it? I tried to put a realm section in
> the server section but it doesn't work. Can you help me please?
>
> Thanks in advance



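An added example, not part of John's reply: the old-style realm blocks he shows still load in 2.1.x, but the native 2.x proxy.conf form separates home servers from the realm, so auth and acct can have their own ports and secrets and each server gets its own status checks and fail-over pool. Host names, ports and the secret are taken from John's MYREALM1 entry; the server and pool names and the timer values are constructed, and MYREALM2 follows the same pattern with 1812/1813.

```conf
# proxy.conf, FreeRADIUS 2.1.x native syntax (constructed example)

home_server company1_auth {
    type = auth
    ipaddr = radius.company1.com    # hostnames are resolved at startup
    port = 1600
    secret = testing123             # use a long, per-home-server secret in production
    # Detect a dead home server with Status-Server instead of waiting
    # for user logins to time out (the home server must support it).
    status_check = status-server
    check_interval = 30
    response_window = 20
    zombie_period = 40
    revive_interval = 120
}

home_server company1_acct {
    type = acct
    ipaddr = radius.company1.com
    port = 1601
    secret = testing123
}

home_server_pool company1_auth_pool {
    type = fail-over
    home_server = company1_auth
}

home_server_pool company1_acct_pool {
    type = fail-over
    home_server = company1_acct
}

realm MYREALM1 {
    auth_pool = company1_auth_pool
    acct_pool = company1_acct_pool
    nostrip    # forward user@MYREALM1 unchanged instead of stripping the realm
}
```

Check the result with radiusd -X: the debug shows each home server being added and, with status checks on, periodic Status-Server probes, which is what tells you the proxy will mark a server dead rather than silently rejecting users.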

Re: freeradius proxy with 802.1x termination

2010-01-07 Thread John Gammons
Thanks for the tips guys.  Been doing some more digging and learning a
lot... but maybe I should take a step back here and explain what I am
trying to accomplish.

My client Ubiquiti Nanostation only supports EAP-TTLS MSCHAPv2.

My NAS, only supports access-requests using PAP/CHAP passwords in clear-text.

I am attempting to setup a Radius Proxy that terminates the EAP-TTLS
outer, and takes MSCHAPv2 inner tunnel, and forwards a clear-text
user/pass to the NAS for authentication.  The more I read, the more I
am getting the impression that this is not possible.  Is that the
case?

John

On Wed, Jan 6, 2010 at 3:43 PM, Alan DeKok al...@deployingradius.com wrote:
> John Gammons wrote:
> > After doing some more digging, I think I am catching onto this... somewhat.
> >
> > It sounds like I need to have the Radius Proxy authenticate the Outer
> > Identity of the EAP-TTLS session locally, while the Inner Identity is
> > proxied to the Home Radius server.
>
>   Yes.
>
> > I have set up the Outer identity to be anonym...@outer which is proxied
> > to LOCAL,
>
>   Er... no.  Don't proxy it.
>
> > while the Inner identity is @inner and proxied to Home
> > Radius.  The problem is that when I run radiusd -x, I never see the
> > @outer message, so the @inner is getting forwarded as an EAP, instead
> > of only as a MS-CHAP-V2.
>
>   See eap.conf, proxy_tunneled_request_as_eap.
>
> > Anyone know what I am overlooking?  I have a crude understanding of
> > this entire process at best, I know.  :)
>
>   See doc/aaa.txt for a simple introduction to the process.
>
>   Alan DeKok.




Re: freeradius proxy with 802.1x termination

2010-01-07 Thread John Gammons
Sorry, by NAS I was referring to the Home Radius Server (guess my
terminology was incorrect), but I guess that answers the question
anyway.

John



On Thu, Jan 7, 2010 at 12:55 PM, Alan DeKok al...@deployingradius.com wrote:
> John Gammons wrote:
> > My client Ubiquiti Nanostation only supports EAP-TTLS MSCHAPv2.
> >
> > My NAS only supports access-requests using PAP/CHAP passwords in clear-text.
>
>   What does that mean?
>
> > I am attempting to set up a Radius Proxy that terminates the EAP-TTLS
> > outer, and takes MSCHAPv2 inner tunnel, and forwards a clear-text
> > user/pass to the NAS for authentication.
>
>   The NAS is a RADIUS client.  It originates Access-Requests.  It
> doesn't receive them, and it definitely doesn't do authentication.
>
> > The more I read, the more I
> > am getting the impression that this is not possible.  Is that the
> > case?
>
>   You can't convert MS-CHAP into PAP or CHAP.  And I have no idea what
> you mean when you say the NAS does authentication.
>
>   Alan DeKok.




Re: freeradius proxy with 802.1x termination

2010-01-06 Thread John Gammons
After doing some more digging, I think I am catching onto this... somewhat.

It sounds like I need to have the Radius Proxy authenticate the Outer
Identity of the EAP-TTLS session locally, while the Inner Identity is
proxied to the Home Radius server.

I have set up the Outer identity to be anonym...@outer which is proxied
to LOCAL, while the Inner identity is @inner and proxied to Home
Radius.  The problem is that when I run radiusd -x, I never see the
@outer message, so the @inner is getting forwarded as an EAP, instead
of only as a MS-CHAP-V2.

Anyone know what I am overlooking?  I have a crude understanding of
this entire process at best, I know.  :)

John



On Tue, Jan 5, 2010 at 12:08 PM,  jgamm...@gmail.com wrote:
> I am attempting to configure freeradius to terminate an 802.1x EAP-TTLS
> authentication, but forward/proxy the user/pass to another radius server. I
> can get it to standard proxy, and I can get it to function as a standalone
> radius server with EAP-TTLS, but can't seem to find any good information on
> how to do this.
>
> I assume someone has been there, done that... any help would be greatly
> appreciated.
>
> Thanks,
> John