[RADIATOR] EAP authentication using TLSv1.2 with OpenSSL 1.0.1f or 1.0.1g based servers may fail
Hello list members.

It has come to our attention that TLS based EAP methods, such as EAP-TLS, EAP-TTLS and PEAP, may fail in some cases. The currently verified failure case is this:

- Client wishes to use TLSv1.2 and the server agrees to do so, and
- Radiator on the server uses OpenSSL 1.0.1f or 1.0.1g, and
- The client supports certain TLS cipher suites.

The above was verified with Ubuntu 14.04 as the server and wpa_supplicant with GnuTLS 2.12.23 as the client.

When this happens, the server derives incorrect keying material. The keying material is typically used to create the Wi-Fi encryption keys returned with MPPE-Recv-Key and MPPE-Send-Key RADIUS attributes. As a result, the client authenticates normally but is unable to access the network because of the key mismatch between the client and the Wi-Fi access point/controller.

For the details, please see this message on the hostapd/wpa_supplicant mailing list:
http://lists.infradead.org/pipermail/hostap/2015-December/034297.html

By default Radiator 4.14 and later support all TLS versions for TLS based EAP methods. To configure Radiator not to use TLSv1.2, use the EAPTLS_Protocols configuration parameter. For example, to allow TLSv1 and TLSv1.1 only:

    EAPTLS_Protocols TLSv1, TLSv1.1

See section '5.21.33 EAPTLS_Protocols' in the Radiator 4.16 reference manual for more information.

We are considering a patch in Radiator that disables TLSv1.2 for EAP if the OpenSSL version is one of the above.

Thanks to Nick Lowe for letting us know about this.

-- 
Heikki Vatiainen
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
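The key mismatch described above is easiest to see in the derivation itself. The following Python is an added example, not Radiator's or OpenSSL's code: it implements the TLS 1.0/1.1 PRF (RFC 4346, MD5/SHA-1) and the TLS 1.2 PRF (RFC 5246, SHA-256 unless the cipher suite specifies another hash), derives the EAP-TLS key material with the RFC 5216 label "client EAP encryption" from constructed handshake secrets, and splits the MSK into the MS-MPPE-Recv-Key and MS-MPPE-Send-Key values. A server that runs the exporter through a PRF other than the one the client uses (the model used here for "incorrect keying material") produces different MPPE keys, so EAP succeeds but the Wi-Fi keys never agree.

```python
import hashlib
import hmac


def p_hash(digest, secret, seed, length):
    """TLS P_<hash> expansion (RFC 5246 section 5)."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:length]


def prf_tls11(secret, label, seed, length):
    """TLS 1.0/1.1 PRF (RFC 4346): P_MD5 over the first half of the secret XOR P_SHA1 over the second."""
    half = (len(secret) + 1) // 2
    md5_part = p_hash(hashlib.md5, secret[:half], label + seed, length)
    sha1_part = p_hash(hashlib.sha1, secret[-half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def prf_tls12(secret, label, seed, length, digest=hashlib.sha256):
    """TLS 1.2 PRF (RFC 5246): a single P_hash; the cipher suite selects the hash (SHA-256 by default)."""
    return p_hash(digest, secret, label + seed, length)


def eap_tls_keys(prf, master_secret, client_random, server_random):
    """RFC 5216 2.3: Key_Material = PRF(master_secret, "client EAP encryption", client.random + server.random)."""
    km = prf(master_secret, b"client EAP encryption", client_random + server_random, 128)
    msk = km[:64]
    return {
        "MSK": msk,
        "EMSK": km[64:],
        "MS-MPPE-Recv-Key": msk[:32],  # MSK(0,31), peer -> authenticator
        "MS-MPPE-Send-Key": msk[32:],  # MSK(32,63), authenticator -> peer
    }


# Constructed sample handshake values; not taken from any real session.
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32


def mppe_keys_match(server_prf, client_prf):
    """True only if both ends derive identical MPPE keys from the same handshake secrets."""
    s = eap_tls_keys(server_prf, MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    c = eap_tls_keys(client_prf, MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    return s["MS-MPPE-Recv-Key"] == c["MS-MPPE-Recv-Key"] and s["MS-MPPE-Send-Key"] == c["MS-MPPE-Send-Key"]
```

mppe_keys_match(prf_tls12, prf_tls12) returns True, while mppe_keys_match(prf_tls11, prf_tls12) returns False even though every input to both derivations is identical.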
Re: [RADIATOR] AuthBy LDAP2 to AD
Hi,

sadly HoldServerConnection doesn't work for Active Directory for us. Not sure if that's the source of your problem though.

If you search the Global Catalog (3268 for LDAP and 3269 for LDAPS) you can't specify a BaseDN, leave it empty! Just

    BaseDN

Best regards,
Alex

On 2015-12-15 18:18, Joe Honnold wrote:

Hi.

I am working towards a config that does AD authentication with the addition of OTP. I have started the AD config and have hit an issue that I can not seem to get around. The log file states:

    Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password: UserJ [UserJ]

I have completed some research via the docs and internet searching but nothing has pointed me in the right direction yet. Any input towards a resolution would be appreciated as I need this to work prior to adding the OTP settings to the config.

radius.cfg file
==
    # ad-ldap.cfg
    #
    # Example Radiator configuration file for authenticating from
    # Active Directory via LDAP2, possibly from a Unix host.
    #
    # This very simple file will allow you to get started with
    # a simple LDAP authentication system from AD.
    #
    # We suggest you start simple, prove to yourself that it
    # works and then develop a more complicated configuration.
    #
    #
    # You should consider this file to be a starting point only
    # $Id: ad-ldap.cfg,v 1.4 2015/06/02 19:37:27 hvn Exp $
    #
    # Clause tags (<Client DEFAULT>, <Handler>, <AuthBy LDAP2>) were
    # stripped by the list archive; they are restored below as assumed.

    Foreground
    LogStdout
    LogDir /var/log/radius
    DbDir /etc/radiator
    # Use a lower trace level in production systems:
    Trace 4
    # AuthPort 1645
    # AcctPort 1646

    # You will probably want to add other Clients to suit your site.
    <Client DEFAULT>
        Secret IMNOTTELLLING
    </Client>

    # Authenticates users in the Organisational Unit called 'csx users'
    # The user name coming from the NAS must match the sAMAccountName
    # attribute of a user in that OU. Users that are not in 'csx users'
    # will not be able to log in.
    <Handler>
        <AuthBy LDAP2>
            Debug 255
            NoDefault
            Host 10.0.50.80 10.0.50.82
            # Microsoft AD also listens on port 3268, and
            # requests received on that port are reported to be
            # more compliant with standard LDAP, so you may want to use:
            Port 3268
            AuthDN cn=ADAccount, OU=Unit3, DC=MS, DC=DOMAIN, DC=COM
            AuthPassword PLAINTEXTPASSWORD
            BaseDN DC=MS, DC=DOMAIN, DC=com
            ServerChecksPassword
            UsernameAttr sAMAccountName
            HoldServerConnection
            FailureBackoffTime 0
            AuthAttrDef logonHours,MS-Login-Hours,check
        </AuthBy>
    </Handler>
==

Cleansed log dump
==
    Tue Dec 15 10:34:24 2015: DEBUG: Packet dump:
    *** Received from 10.0.100.8 port 58652
    Code:       Access-Request
    Identifier: 188
    Authentic:  <220><190><27><254>r<234><233>@<187>CR<161><231>C<241><4>
    Attributes:
        User-Name = "UserJ"
        User-Password = <214><134>.<29><11>4<137><178><135>z<148>B<31>ivJ
        Service-Type = Login-User
        NAS-IP-Address = 10.0.100.8

    Tue Dec 15 10:34:24 2015: DEBUG: Handling request with Handler '', Identifier ''
    Tue Dec 15 10:34:24 2015: DEBUG: Deleting session for UserJ, 10.0.100.8,
    Tue Dec 15 10:34:24 2015: DEBUG: Handling with Radius::AuthLDAP2:
    Tue Dec 15 10:34:24 2015: INFO: Connecting to 10.0.50.80:3268 10.0.50.82:3268
    Tue Dec 15 10:34:24 2015: INFO: Connected to 10.0.50.80:3268
    Tue Dec 15 10:34:24 2015: INFO: Attempting to bind to LDAP server 10.0.50.80:3268
    Tue Dec 15 10:34:24 2015: DEBUG: LDAP got result for CN=Joe User,OU=Unit1,OU=Unit2,DC=ms,DC=domain,DC=com
    Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 looks for match with UserJ [UserJ]
    Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password: UserJ [UserJ]
    Tue Dec 15 10:34:24 2015: DEBUG: AuthBy LDAP2 result: REJECT, Bad Encrypted password
    Tue Dec 15 10:34:24 2015: INFO: Access rejected for UserJ: Bad Encrypted password
    Tue Dec 15 10:34:24 2015: DEBUG: Packet dump:
    *** Sending to 10.0.100.8 port 58652
    Code:       Access-Reject
    Identifier: 188
    Authentic:  T<143>B*<10><203><165><29>6I<4>0<129><234><251>9
    Attributes:
        Reply-Message = "Request Denied"

    Tue Dec 15 10:34:29 2015: DEBUG: Packet dump:
    *** Received from 10.0.100.8 port 58652
    Code:       Access-Request
    Identifier: 188
    Authentic:  <220><190><27><254>r<234><233>@<187>CR<161><231>C<241><4>
    Attributes:
        User-Name = "UserJ"
        User-Password = <214><134>.<29><11>4<137><178><135>z<148>B<31>ivJ
        Service-Type = Login-User
        NAS-IP-Address = 10.0.100.8

    Tue Dec 15 10:34:29 2015: INFO: Duplicate request id 188 received from 10.0.100.8(58652): retransmit reply
    Tue Dec 15 10:34:29 2015: DEBUG: Packet dump:
    *** Sending to 10.0.100.8 port 58652
    Code:       Access-Reject
    Identifier: 188
    Authentic:  T<143>B*<10><203><165><29>6I<4>0<129><234><251>9
    Attributes:
        Reply-Message = "Request Denied"

    Tue Dec 15 10:34:34 2015: DEBUG: Packet dump:
    *** Received from 10.0.100.8 port 58652
    Code:       Access-Request
    Identifier: 188
    Authentic:  <220><190><27><254>r<234><233>@<187>CR<161><231>C<241><4>
    Attributes:
        User-Name = "UserJ"
        User-Password = <214><134>.<29><11>4<137><178><135>z<148>B<31>ivJ
        Service-Type = Login-User
        NAS-IP-Address = 10.0.100.8

    Tue Dec 15 10:34:34 2015: INFO: Duplicate request id 188 received from 10.0.100.8(58652):