Re: Terminate EAP-PEAP client connection at FreeRadius Proxy and proxy(forward) request as PAP
I enabled MS-CHAP on the radius to which the request is to be proxied. Using the configuration mentioned in http://lists.freeradius.org/pipermail/freeradius-users/2008-February/069292.html as a guide, I was able to configure the radius to proxy the request as plain MS-CHAP; however, I encounter some problems when the response is returned. I will address this in a separate message, as the subject is no longer appropriate.

Regards,
Ryan

On Mon, Mar 24, 2008 at 10:30 AM, Ryan [EMAIL PROTECTED] wrote:
> Ok, thanks for pointing this out. I suppose I will have to either enable EAP on the radius for the EAP request to be proxied, or have MS-CHAP configured on it. Though using EAP will mean I need to recompile the radius, as I'm using the source packages. The radius that I need to proxy to runs 1.1.7 with LDAP. Do you have any advice on which will be the better approach?
>
> Thanks/Regards,
> Ryan
>
> > You can't do that. Inner tunnel for PEAP is EAP-MSCHAPv2 and you can proxy that. You can't transform that into PAP. If you have a look at the thread you have quoted you will see that his users were using EAP-TTLS PAP, not PEAP.
> >
> > Ivan Kalik
> > Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Terminate EAP-PEAP client connection at FreeRadius Proxy and proxy(forward) request as PAP
Ok, thanks for pointing this out. I suppose I will have to either enable EAP on the radius for the EAP request to be proxied, or have MS-CHAP configured on it. Though using EAP will mean I need to recompile the radius, as I'm using the source packages. The radius that I need to proxy to runs 1.1.7 with LDAP. Do you have any advice on which will be the better approach?

Thanks/Regards,
Ryan

> You can't do that. Inner tunnel for PEAP is EAP-MSCHAPv2 and you can proxy that. You can't transform that into PAP. If you have a look at the thread you have quoted you will see that his users were using EAP-TTLS PAP, not PEAP.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 22/3/2008, Ryan [EMAIL PROTECTED] wrote:
> > Sorry for being not specific enough. I was thinking of understanding how it works and then figuring out the configuration myself. Basically I need to terminate a request that uses EAP/PEAP on the main radius and proxy the request to an inner radius server for authentication using PAP. What will I need to configure in order to get it forwarded correctly?
> >
> > Thanks/Regards,
> > Ryan
Re: Terminate EAP-PEAP client connection at FreeRadius Proxy and proxy(forward) request as PAP
Sorry for being not specific enough. I was thinking of understanding how it works and then figuring out the configuration myself. Basically I need to terminate a request that uses EAP/PEAP on the main radius and proxy the request to an inner radius server for authentication using PAP. What will I need to configure in order to get it forwarded correctly?

Thanks/Regards,
Ryan

> Ryan wrote:
> > Just read through some of the messages available on proxy tunneling. I'm currently using 2.0.2 and read through the examples on inner tunnel, which seem to be able to do what I need. Can someone help by providing more details on how it actually works?
>
> PEAP authentication is really SSL + authentication inside of the SSL tunnel. So... the server handles authentication outside of the tunnel, and authentication inside of the tunnel, as independent authentications.
>
> Do you have *specific* questions? Asking "how does it work" is rather open-ended.
>
> Alan DeKok.
Re: Terminate EAP-PEAP client connection at FreeRadius Proxy and proxy(forward) request as PAP
Just read through some of the messages available on proxy tunneling. I'm currently using 2.0.2 and read through the examples on inner tunnel, which seem to be able to do what I need. Can someone help by providing more details on how it actually works?

Thanks/Regards
Ryan

On Thu, Mar 20, 2008 at 9:12 PM, Ryan [EMAIL PROTECTED] wrote:
> Hi All,
>
> I'm having a problem trying to configure proxying from one radius to another. Users are connecting using 802.1x with EAP/PEAP. There are two groups of users: one group is authenticated on the main radius using local LDAP. However, the second group of users has to be authenticated via the radius proxy. The problem is that the radius proxy does not have EAP configured, and it's not an option to reconfigure it with EAP. From the threads, I found something similar in http://lists.freeradius.org/pipermail/freeradius-users/2008-February/069230.html; will this apply to my situation as well?
>
> Thanks/Regards,
> Ryan
Re: Terminate EAP-PEAP client connection at FreeRadius Proxy and proxy(forward) request as PAP
Ryan wrote:
> Just read through some of the messages available on proxy tunneling. I'm currently using 2.0.2 and read through the examples on inner tunnel, which seem to be able to do what I need. Can someone help by providing more details on how it actually works?

PEAP authentication is really SSL + authentication inside of the SSL tunnel. So... the server handles authentication outside of the tunnel, and authentication inside of the tunnel, as independent authentications.

Do you have *specific* questions? Asking "how does it work" is rather open-ended.

Alan DeKok.
Re: Terminate EAP-PEAP client connection at FreeRadius Proxy and proxy(forward) request as PAP
Hi All,

I'm having a problem trying to configure proxying from one radius to another. Users are connecting using 802.1x with EAP/PEAP. There are two groups of users: one group is authenticated on the main radius using local LDAP. However, the second group of users has to be authenticated via the radius proxy. The problem is that the radius proxy does not have EAP configured, and it's not an option to reconfigure it with EAP. From the threads, I found something similar in http://lists.freeradius.org/pipermail/freeradius-users/2008-February/069230.html; will this apply to my situation as well?

Thanks/Regards,
Ryan
Re: Terminate EAP-PEAP client connection at FreeRadius Proxy and proxy(forward) request as PAP
Hi,

> Hi again and thanks, EAP-TTLS/PAP is the default
>
> I tried configuring the TTLS-PAP inner and outer tunnel but it will not work.
>
> EAP-TTLS/PAP ended
> A. If an incoming user conn. against the FreeRadius Server (Nr1) belongs to the OTHER (LOCAL) domain, then the EAP-TTLS tunnel is ended and validated against the LDAP.
>
> PAP Tunneled (proxied)
> B. If an incoming user conn. against the FreeRadius Server (Nr1) belongs to the SECURSERVER domain, then the EAP-TTLS tunnel is ended and PAP is proxied to the other Radius (Nr 2).

I'll assume you are running with the attribute filter running pre- and post-proxy? If so, you will need to allow a few other attributes through or proxying won't work.

alan
Re: Terminate EAP-PEAP client connection at FreeRadius Proxy and proxy(forward) request as PAP
Joakim Lindgren wrote:
> EAP-TTLS/PAP is the default
>
> I tried configuring the TTLS-PAP inner and outer tunnel but it will not work.

Sigh. Read the FAQ about "it doesn't work".

> A. If an incoming user conn. against the FreeRadius Server (Nr1) belongs to the OTHER (LOCAL) domain, then the EAP-TTLS tunnel is ended and validated against the LDAP.
>
> B. If an incoming user conn. against the FreeRadius Server (Nr1) belongs to the SECURSERVER domain, then the EAP-TTLS tunnel is ended and PAP is proxied to the other Radius (Nr 2).

This is pretty trivial to do in 2.0.1. You can configure the policy pretty much as you wrote it.

Alan DeKok.
Re: Terminate EAP-PEAP client connection at FreeRadius Proxy and proxy(forward) request as PAP
Hi again, sorry, I have read the FAQ ;-) I thought it wasn't needed, sorry. Output below. All configurations are as provided in the earlier mail except users:

users:

    DEFAULT      EAP-Type == PEAP, FreeRADIUS-Proxied-To !* 127.0.0.1, Proxy-To-Realm := LOCAL

    SECURACCESS  FreeRADIUS-Proxied-To == 127.0.0.1, Auth-Type := PAP, Proxy-To-Realm := SECURACCESS
                 Fall-Through := No

==END users==

Output:

    osuse-freeradius:/ # radiusd -XX -A
    Fri Feb 1 18:48:37 2008 : Info: Starting - reading configuration files ...
Re: Terminate EAP-PEAP client connection at FreeRadius Proxy and proxy(forward) request as PAP
Hi!

Jayal1972 wrote:
> Hi again, sorry, I have read the FAQ ;-) I thought it wasn't needed, sorry.
>
> Sending Access-Request of id 0 to 192.168.1.75 port 1812
> Re-sending Access-Request of id 0 to 192.168.1.75 port 1812
> Re-sending Access-Request of id 0 to 192.168.1.75 port 1812
> Fri Feb 1 18:49:42 2008 : Proxy: marking authentication server 192.168.1.75:1812 for realm SECURACCESS dead

Your proxy server does not respond. Please check that your proxy server accepts connections, that no traffic is filtered, and that the proxy really processes requests from the FreeRADIUS server. Replies should reach FreeRADIUS also.

--
Best wishes,
Dmitry Sergienko (SDA104-RIPE)
Trifle Co., Ltd.
Re: Terminate EAP-PEAP client connection at FreeRadius Proxy and proxy(forward) request as PAP
Hi again,

I probably have to explain what I want to accomplish in detail. What I'm aiming for is this:

In the users file:

    DEFAULT      EAP-Type == PEAP, FreeRADIUS-Proxied-To !* 127.0.0.1, Proxy-To-Realm := LOCAL

End all EAP-TTLS connections at the proxy. If not the SECURACCESS domain: check the Username against LDAP. (If possible to order: do NOT check the SECURACCESS domain against LDAP.)

    SECURACCESS  FreeRADIUS-Proxied-To == 127.0.0.1, Auth-Type := PAP, Proxy-To-Realm := SECURACCESS

All users found with the SECURACCESS domain in the name, i.e. [EMAIL PROTECTED]: proxy them with PAP authentication to the SECURACCESS domain IP address mentioned in proxy.conf.

                 Fall-Through := No

If the SECURACCESS domain is found in User-Name [EMAIL PROTECTED], stop after proxying.

So I want to END all EAP tunnels at the proxy for ALL domains. Authenticate with LDAP except for the SECURACCESS domain. IF the SECURACCESS domain is found, proxy only PAP further (to the IP address mentioned in proxy.conf).

    Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 0
    Fri Feb 1 18:49:26 2008 : Debug: rlm_realm: Looking up realm SECURACCESS for User-Name = [EMAIL PROTECTED]
    Fri Feb 1 18:49:26 2008 : Debug: rlm_realm: Found realm SECURACCESS

So here we found the SECURACCESS domain name in User-Name:

    Fri Feb 1 18:49:26 2008 : Debug: rlm_realm: Adding Stripped-User-Name = joakimlindgren
    Fri Feb 1 18:49:26 2008 : Debug: rlm_realm: Proxying request from user joakimlindgren to realm SECURACCESS
    Fri Feb 1 18:49:26 2008 : Debug: rlm_realm: Adding Realm = SECURACCESS
    Fri Feb 1 18:49:26 2008 : Debug: rlm_realm: Preparing to proxy authentication request to realm SECURACCESS

Here it is proxying the request to the IP address mentioned in proxy.conf (but here we don't end the EAP?).

    Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 0
    Fri Feb 1 18:49:26 2008 : Debug: modcall[authorize]: module suffix returns updated for request 0
    Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: calling ntdomain (rlm_realm) for request 0
    Fri Feb 1 18:49:26 2008 : Debug: rlm_realm: Request already proxied. Ignoring.
    Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: returned from ntdomain (rlm_realm) for request 0
    Fri Feb 1 18:49:26 2008 : Debug: modcall[authorize]: module ntdomain returns noop for request 0
    Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0

What I want: END the EAP tunnel, do NOT do EAP, only PAP.

    Fri Feb 1 18:49:26 2008 : Debug: rlm_eap: Request is supposed to be proxied to Realm SECURACCESS.
    Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0
    Fri Feb 1 18:49:26 2008 : Debug: modcall[authorize]: module eap returns noop for request 0
    Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: calling files (rlm_files) for request 0
    Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 0
    Fri Feb 1 18:49:26 2008 : Debug: modcall[authorize]: module files returns notfound for request 0
    Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 0
    Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: - authorize
    Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: performing user authorization for joakimlindgren
    Fri Feb 1 18:49:26 2008 : Debug: radius_xlat: '(uid=joakimlindgren)'
    Fri Feb 1 18:49:26 2008 : Debug: radius_xlat: 'o=Contonso'
    Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
    Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
    Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: attempting LDAP reconnection
    Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: (re)connect to 192.168.1.71:389, authentication 0
    Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: Bind was successful

Here it authenticates. What I want to do for the SECURACCESS domain is to NOT authenticate against LDAP. All OTHER domains will use LDAP... (how do I accomplish this?)

    Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: performing search in o=Contonso, with filter (uid=joakimlindgren)
    Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: calling pap (rlm_pap) for request 0
    Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 0
    Fri Feb 1 18:49:26 2008 : Debug: modcall[authorize]: module pap returns noop for request 0

I want to only do PAP (for SECURACCESS); IF another domain, check against LDAP...

    Fri Feb 1 18:49:26 2008 : Debug: modcall: leaving group authorize (returns updated) for request 0
    Fri Feb 1 18:49:26 2008 : Debug: proxy: creating 4b01a8c0:1812
    Fri Feb 1 18:49:26 2008 : Debug: proxy: allocating 4b01a8c0:1812 0
    ...

// Thanks
Re: Terminate EAP-PEAP client connection at FreeRadius Proxy and proxy(forward) request as PAP
Sorry, I got it wrong in the last post; read this one instead:

    DEFAULT      EAP-Type == PEAP, FreeRADIUS-Proxied-To !* 127.0.0.1, Proxy-To-Realm := LOCAL

End all EAP-TTLS connections at the proxy. If not the SECURACCESS domain: check the Username against LDAP. (If possible to order: do NOT check the SECURACCESS domain against LDAP.)

    SECURACCESS  FreeRADIUS-Proxied-To == 127.0.0.1, Auth-Type := PAP, Proxy-To-Realm := SECURACCESS

All users found with the SECURACCESS domain in the name, i.e. [EMAIL PROTECTED]: proxy them with PAP authentication to the SECURACCESS domain IP address mentioned in proxy.conf.

                 Fall-Through := No

If the SECURACCESS domain is found in User-Name [EMAIL PROTECTED], stop after proxying.

So I want to END all EAP tunnels at the proxy for ALL domains. Authenticate with LDAP except for the SECURACCESS domain. IF the SECURACCESS domain is found, proxy only PAP further (to the IP address mentioned in proxy.conf).

    Fri Feb 1 18:48:37 2008 : Debug: Listening on accounting *:1813
    Fri Feb 1 18:48:37 2008 : Debug: Listening on proxy *:1814
    Fri Feb 1 18:48:37 2008 : Info: Ready to process requests.
    rad_recv: Access-Request packet from host 192.168.1.150:32797, id=161, ...
    Fri Feb 1 18:49:26 2008 : Debug: rlm_realm: Looking up realm SECURACCESS for User-Name = joakimlindgren at SECURACCESS
    Fri Feb 1 18:49:26 2008 : Debug: rlm_realm: Found realm SECURACCESS

So here we found the SECURACCESS domain name in User-Name:

    Fri Feb 1 18:49:26 2008 : Debug: rlm_realm: Adding Stripped-User-Name = joakimlindgren
    Fri Feb 1 18:49:26 2008 : Debug: rlm_realm: Proxying request from user joakimlindgren to realm SECURACCESS
    Fri Feb 1 18:49:26 2008 : Debug: rlm_realm: Adding Realm = SECURACCESS
    Fri Feb 1 18:49:26 2008 : Debug: rlm_realm: Preparing to proxy authentication request to realm SECURACCESS

End all EAP connections. Because the SECURACCESS domain name was found, it is proxying the request to the IP address mentioned in proxy.conf.

    Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 0
    Fri Feb 1 18:49:26 2008 : Debug: modcall[authorize]: module suffix returns updated for request 0
    Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: calling ntdomain (rlm_realm) for request 0
    Fri Feb 1 18:49:26 2008 : Debug: rlm_realm: Request already proxied. Ignoring.
    Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: returned from ntdomain (rlm_realm) for request 0
    Fri Feb 1 18:49:26 2008 : Debug: modcall[authorize]: module ntdomain returns noop for request 0
    Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0
    Fri Feb 1 18:49:26 2008 : Debug: rlm_eap: Request is supposed to be proxied to Realm SECURACCESS. Not doing EAP.

END the EAP tunnel, do NOT do EAP, only PAP.

    Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0
    Fri Feb 1 18:49:26 2008 : Debug: modcall[authorize]: module eap returns noop for request 0
    Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: calling files (rlm_files) for request 0
    Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 0
    Fri Feb 1 18:49:26 2008 : Debug: modcall[authorize]: module files returns notfound for request 0
    Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 0
    Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: - authorize
    Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: performing user authorization for joakimlindgren

Here it authorizes against LDAP. What I want to do for the SECURACCESS domain is to NOT authorize against LDAP. All OTHER domains will authorize against LDAP... (how do I accomplish this?)

    Fri Feb 1 18:49:26 2008 : Debug: radius_xlat: '(uid=joakimlindgren)'
    Fri Feb 1 18:49:26 2008 : Debug: radius_xlat: 'o=Contonso'
    Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
    Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
    Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: attempting LDAP reconnection
    Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: (re)connect to 192.168.1.71:389, authentication 0
    Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: setting TLS CACert File to /etc/raddb/certs/eDirCerts/edirectory_ROOT_Cert_DER.pem
    Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: starting TLS
    Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: bind as cn=admin,o=Contonso/toor to 192.168.1.71:389
    Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: waiting for bind result ...
    Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: Bind was successful
    Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: performing search in o=Contonso, with filter (uid=joakimlindgren)
    Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: Added the eDirectory password in check items
    Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: looking for check items in directory...
    Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: looking for reply items in directory...
    Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: user joakimlindgren
Terminate EAP-PEAP client connection at FreeRadius Proxy and proxy (forward) request as PAP
Hi all (and really, thanks to Alan DeKok),

I have a complete EAP-PEAP/TLS/TTLS configuration working against FreeRadius and IAS. A piece of software I'm using offers two-factor authentication, and they have their own Radius which only supports PAP. Is it possible to terminate the client EAP connection at the FreeRadius proxy and forward the request as PAP to the software vendor's own Radius? If so, briefly, how do I do it?

Thanks all! (I'm going to buy Alan DeKok's coming FreeRadius book ;-)

Sincerely
Joakim
Re: Terminate EAP-PEAP client connection at FreeRadius Proxy and proxy (forward) request as PAP
Joakim

You could certainly do this with EAP-TTLS/PAP. I know because I've done it myself in a previous job. It's quite simple really. You have the outer authentication using one realm (possibly the null realm, and using the name 'anonymous'). In the inner authentication, you use another realm that is proxied by the FreeRADIUS server to the remote server supporting PAP. I've done exactly this with CryptoCARD servers and with Vasco servers.

You may need to strip the decoration from the username before forwarding the PAP authentication request to the back-end server, e.g. [EMAIL PROTECTED] might need to be reduced to just guyd before that username would be correctly authenticated by the back-end server.

Rgds,
Guy

On 31/01/2008, Joakim Lindgren [EMAIL PROTECTED] wrote:
> Hi all (and really, thanks to Alan DeKok),
>
> I have a complete EAP-PEAP/TLS/TTLS configuration working against FreeRadius and IAS. A piece of software I'm using offers two-factor authentication, and they have their own Radius which only supports PAP. Is it possible to terminate the client EAP connection at the FreeRadius proxy and forward the request as PAP to the software vendor's own Radius? If so, briefly, how do I do it?
>
> Thanks all! (I'm going to buy Alan DeKok's coming FreeRadius book ;-)
>
> Sincerely
> Joakim
Terminate EAP-PEAP client connection at FreeRadius Proxy and proxy (forward) request as PAP
Hi all, thanks for your explanation earlier!

I need your help with EAP-TTLS and PAP. I have earlier set up EAP-PEAP/EAP-TTLS and EAP-TLS working OK! I tried configuring the TTLS-PAP inner and outer tunnel but it will not work (and yes, I have searched the forum, as always ;-)

Here is my explanation of what I'm trying to do:

A. If an incoming user conn. against the FreeRadius Server (Nr1) belongs to the OTHER (LOCAL) domain, then the EAP-TTLS tunnel is ended and validated against the LDAP. (And yes, I didn't name the server ;-)

B. If an incoming user conn. against the FreeRadius Server (Nr1) belongs to the SECURSERVER domain, then the EAP-TTLS tunnel is ended and PAP is proxied to the other Radius (Nr 2).

I have tried several different configurations, and as best I can see, requests come to Radius Nr2 but they're encrypted (Wireshark).

The config files look like this (as for now; thanks in advance!):

eap.conf

    eap {
        default_eap_type = ttls
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        md5 {
        }
        leap {
        }
        gtc {
            auth_type = PAP
        }
        tls {
            private_key_password = password
            private_key_file = ${raddbdir}/certs/jaysCA2/osuse-freeradius/server_keycert.pem
            certificate_file = ${raddbdir}/certs/jaysCA2/osuse-freeradius/server_keycert.pem
            CA_file = ${raddbdir}/certs/jaysCA2/cacert.pem
            dh_file = ${raddbdir}/certs/dh
            random_file = ${raddbdir}/certs/random
            fragment_size = 1024
            include_length = yes
        }
        ttls {
            default_eap_type = md5
            copy_request_to_tunnel = yes
            use_tunneled_reply = yes
        }
        peap {
            default_eap_type = mschapv2
            proxy_tunneled_request_as_eap = no
        }
        mschapv2 {
        }
    }

===END EAP==

users

    DEFAULT  FreeRADIUS-Proxied-To !* 127.0.0.1, Proxy-To-Realm := LOCAL
    DEFAULT  FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := SECURACCESS, Auth-Type := PAP
    DEFAULT  Auth-Type != LDAP

Proxy.conf

    realm LOCAL {
        type     = radius
        authhost = LOCAL
        accthost = LOCAL
    }
    realm SECURACCESS {
        type     = radius
        authhost = 192.168.1.75:1812
        accthost = 192.168.1.75:1813
        secret   = toor
        # nostrip
    }

radiusd.conf

    ...
    modules {
        pap {
            auto_header = yes
        }
        chap {
            authtype = CHAP
        }
        pam {
            pam_auth = radiusd
        }
        unix {
            cache = no
            cache_reload = 600
            radwtmp = ${logdir}/radwtmp
        }
        $INCLUDE ${confdir}/eap.conf
        mschap {
            use_mppe = yes
            require_encryption = yes
            require_strong = yes
        }
        ldap {
            server = 192.168.1.71
            identity = cn=admin,o=Contonso
            password = toor
            basedn = o=Contonso
            filter = (uid=%{Stripped-User-Name:-%{User-Name}})
            start_tls = yes
            tls_mode = no
            tls_cacertfile = /etc/raddb/certs/eDirCerts/edirectory_ROOT_Cert_DER.pem
            dictionary_mapping = ${raddbdir}/ldap.attrmap
            ldap_connections_number = 5
            password_attribute = nspmPassword
            tls_require_cert = allow
            timeout = 4
            timelimit = 3
            net_timeout = 1
            port = 389
            edir_account_policy_check=yes
        }
        realm suffix {
            format = suffix
            delimiter = @
            ignore_default = no
            ignore_null = no
        }
        realm ntdomain {
            format = prefix
            delimiter = \\
            ignore_default = no
            ignore_null = no
        }
    ...
    authorize {
        preprocess
        chap
        mschap
        suffix
        ntdomain
        eap
        files
        ldap
        pap
    }
    authenticate
Re: Terminate EAP-PEAP client connection at FreeRadius Proxy and proxy(forward) request as PAP
Think about upgrading to 2.0.1. You can then configure the default home server to handle requests A, and another virtual server to terminate TLS and proxy PAP requests to a remote home server.

I don't quite get this bit about encrypted requests. Radius packets *are* encrypted.

Ivan Kalik
Kalik Informatika ISP

On 31/1/2008, Joakim Lindgren [EMAIL PROTECTED] wrote:
> Hi all, thanks for your explanation earlier!
>
> I need your help with EAP-TTLS and PAP. I have earlier set up EAP-PEAP/EAP-TTLS and EAP-TLS working OK! I tried configuring the TTLS-PAP inner and outer tunnel but it will not work (and yes, I have searched the forum, as always ;-)
>
> Here is my explanation of what I'm trying to do:
>
> A. If an incoming user conn. against the FreeRadius Server (Nr1) belongs to the OTHER (LOCAL) domain, then the EAP-TTLS tunnel is ended and validated against the LDAP. (And yes, I didn't name the server ;-)
>
> B. If an incoming user conn. against the FreeRadius Server (Nr1) belongs to the SECURSERVER domain, then the EAP-TTLS tunnel is ended and PAP is proxied to the other Radius (Nr 2).
>
> I have tried several different configurations, and as best I can see, requests come to Radius Nr2 but they're encrypted (Wireshark).
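A FreeRADIUS 2.0-style configuration for the split Alan and Ivan describe above (the default server terminates EAP-TTLS, an "inner-tunnel" virtual server proxies the decrypted PAP request for realm SECURACCESS to the PAP-only home server and sends every other user to LDAP); it also covers Ivan's point about PEAP earlier in the thread. This is an added example, not any poster's configuration: the home-server address and secret are the ones from the posted proxy.conf, while the names securaccess_pap, securaccess_pool and inner-tunnel are my own.

```conf
# proxy.conf (2.0 syntax): the PAP-only token server and the realm that routes to it.
# Address and secret are the ones posted above; the names are assumptions.
home_server securaccess_pap {
	type   = auth
	ipaddr = 192.168.1.75
	port   = 1812
	# The proxied inner request carries User-Password hidden with this secret only,
	# so the proxy -> home-server hop should stay on a trusted network.
	secret = toor
}

home_server_pool securaccess_pool {
	type        = fail-over
	home_server = securaccess_pap
}

# The realm is stripped by default, so the home server sees "joakimlindgren",
# not "joakimlindgren@SECURACCESS" (the decoration issue Guy mentions).
realm SECURACCESS {
	auth_pool = securaccess_pool
}

# eap.conf: the outer EAP-TTLS (or PEAP) handshake ends here; the decrypted
# inner request is handed to the "inner-tunnel" virtual server below.
eap {
	default_eap_type = ttls
	tls {
		# certificate and key settings as in the posted eap.conf
	}
	ttls {
		default_eap_type = md5
		copy_request_to_tunnel = yes
		use_tunneled_reply = yes
		virtual_server = "inner-tunnel"
	}
	peap {
		# PEAP's inner method is EAP-MSCHAPv2: a PEAP user proxied through the
		# same inner-tunnel reaches the home server as MS-CHAPv2, never as PAP,
		# so that home server must support MS-CHAPv2 (Ivan's point to Ryan).
		default_eap_type = mschapv2
		proxy_tunneled_request_as_eap = no
		virtual_server = "inner-tunnel"
	}
	mschapv2 {
	}
}

# sites-enabled/inner-tunnel: policy for the inner (already decrypted) request.
server inner-tunnel {
	authorize {
		# rlm_realm splits "user@SECURACCESS" into Stripped-User-Name + Realm and,
		# because SECURACCESS has an auth_pool, marks the request for proxying.
		suffix
		if (Realm == "SECURACCESS") {
			# case B: forward the inner PAP request as-is; no LDAP lookup here
			ok
		}
		else {
			# case A: local domains, the password comes from the directory
			ldap
			pap
		}
	}
	authenticate {
		Auth-Type PAP {
			pap
		}
	}
}
```

With this layout the users-file entries with FreeRADIUS-Proxied-To and Fall-Through are no longer needed: the inner-tunnel block is only ever reached with the decrypted inner request, and the Realm test decides between proxying and LDAP.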
Re: Terminate EAP-PEAP client connection at FreeRadius Proxy and proxy(forward) request as PAP
Sorry, I just read your subject line. What is the request sent from the supplicant: PEAP or EAP-TTLS/PAP?

Ivan Kalik
Kalik Informatika ISP
Terminate EAP-PEAP client connection at FreeRadius Proxy and proxy(forward) request as PAP
Hi again and thanks,

EAP-TTLS/PAP is the default. I tried configuring the TTLS-PAP inner and outer tunnel but it will not work.

EAP-TTLS/PAP ended:
A. If an incoming user conn. against the FreeRadius Server (Nr1) belongs to the OTHER (LOCAL) domain then the EAP-TTLS tunnel is ended and validated against the LDAP.

PAP tunneled (proxied):
B. If an incoming user conn. against the FreeRadius Server (Nr1) belongs to the SECURSERVER domain then the EAP-TTLS tunnel is ended and PAP is proxied to the other Radius (Nr 2).

Sincerely,
Joakim

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html