[RADIATOR] EAP authentication using TLSv1.2 with OpenSSL 1.0.1f or 1.0.1g based servers may fail

2015-12-17 Thread Heikki Vatiainen 
Hello list members. It has come to our attention that TLS based EAP 
methods, such as EAP-TLS, EAP-TTLS and PEAP, may fail in some cases.

The currently verified failure case is this:
- Client wishes to use TLSv1.2 and the server agrees to do so, and
- Radiator on the server uses OpenSSL 1.0.1f or 1.0.1g, and
- The client supports certain TLS cipher suites.

The above was verified with Ubuntu 14.04 as the server and 
wpa_supplicant with GnuTLS 2.12.23 as the client.

When this happens, the server derives incorrect keying material. The 
keying material is typically used to create the Wi-Fi encryption keys 
returned with MPPE-Recv-Key and MPPE-Send-Key RADIUS attributes. As the 
result, the client authenticates normally but is unable to access the 
network because of the key mismatch between the client and the Wi-Fi 
access point/controller.

For the details, please see this message on the hostapd/wpa_supplicant 
mailing list:

http://lists.infradead.org/pipermail/hostap/2015-December/034297.html

By default Radiator 4.14 and later support all TLS versions for TLS 
based EAP methods. To configure Radiator not to use TLSv1.2, use the 
EAPTLS_Protocols configuration parameter. For example: to allow TLSv1 
and TLS1.1 only:

EAPTLS_Protocols TLSv1, TLSv1.1

See section '5.21.33 EAPTLS_Protocols' in the Radiator 4.16 reference 
manual for more information.

We are considering a patch in Radiator that disables TLSv1.2 for EAP if 
the OpenSSL version is one of the above.

Thanks to Nick Lowe for letting us know about this.

-- 
Heikki Vatiainen 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, 
NetWare etc.
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Re: [RADIATOR] AuthBy LDAP2 to AD

2015-12-17 Thread Hartmaier Alexander 

Hi,
sadly HoldServerConnection doesn't work for Active Directory for us.
Not sure if that's the source of your problem though.
If you search the Global Catalog (3268 for LDAP and 3269 for LDAPS) you can't 
specify a BaseDN, leave it empty!
Just
BaseDN

Best regards, Alex

On 2015-12-15 18:18, Joe Honnold wrote:
Hi.

I am working towards a config that does AD authentication with the addition of 
OTP.  I have started the AD config and have hit an issue that I can not seem to 
get around.
The log file states:

Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted 
password: UserJ [UserJ]

I have completed some research via the docs and internet searching but nothing 
has pointed me in the right direction yet.
Any input towards a resolution would be appreciated as I need this to work 
prior to adding the OTP settings to the config.

radius.cfg file
==
# ad-ldap.cfg
#
# Example Radiator configuration file for authenticating from
# Active Directory via LDAP2, possibly from a Unix host.
#
# This very simple file will allow you to get started with
# a simple LDAP authentication system from AD.
#
# We suggest you start simple, prove to yourself that it
# works and then develop a more complicated configuration.
#
#
# You should consider this file to be a starting point only
# $Id: ad-ldap.cfg,v 1.4 2015/06/02 19:37:27 hvn Exp $

Foreground
LogStdout
LogDir /var/log/radius
DbDir /etc/radiator
# User a lower trace level in production systems:
Trace 4
#
AuthPort 1645
AcctPort 1646

# You will probably want to add other Clients to suit your site.

Secret IMNOTTELLLING


# Authenticates users in the Organisational Unit called 'csx users'
# The user name coming from the NAS must match the sAMAccountName
# attribute of a user in that OU./ Users that are not in 'csx users'
# will not be able to log in.


Debug 255
NoDefault
Host 10.0.50.80 10.0.50.82
# Microsoft AD also listens on port 3268, and
# requests received on that port are reported to be
# more compliant with standard LDAP, so you may want to use:
Port 3268
AuthDN cn=ADAccount, OU=Unit3, DC=MS, DC=DOMAIN, DC=COM
AuthPassword PLAINTEXTPASSWORD
BaseDN DC=MS, DC=DOMAIN, DC=com
ServerChecksPassword
UsernameAttr sAMAccountName
HoldServerConnection
FailureBackoffTime 0
AuthAttrDef logonHours,MS-Login-Hours,check



==

Cleansed log dump
==
Tue Dec 15 10:34:24 2015: DEBUG: Packet dump:
*** Received from 10.0.100.8 port 58652 
Code:   Access-Request
Identifier: 188
Authentic:  <220><190><27><254>r<234><233>@<187>CR<161><231>C<241><4>
Attributes:
User-Name = "UserJ"
User-Password = <214><134>.<29><11>4<137><178><135>z<148>B<31>ivJ
Service-Type = Login-User
NAS-IP-Address = 10.0.100.8

Tue Dec 15 10:34:24 2015: DEBUG: Handling request with Handler '', Identifier ''
Tue Dec 15 10:34:24 2015: DEBUG:  Deleting session for UserJ, 10.0.100.8,
Tue Dec 15 10:34:24 2015: DEBUG: Handling with Radius::AuthLDAP2:
Tue Dec 15 10:34:24 2015: INFO: Connecting to 10.0.50.80:3268 10.0.50.82:3268
Tue Dec 15 10:34:24 2015: INFO: Connected to 10.0.50.80:3268
Tue Dec 15 10:34:24 2015: INFO: Attempting to bind to LDAP server 
10.0.50.80:3268
Tue Dec 15 10:34:24 2015: DEBUG: LDAP got result for CN=Joe 
User,OU=Unit1,OU=Unit2,DC=ms,DC=domain,DC=com
Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 looks for match with UserJ 
[UserJ]
Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted 
password: UserJ [UserJ]
Tue Dec 15 10:34:24 2015: DEBUG: AuthBy LDAP2 result: REJECT, Bad Encrypted 
password
Tue Dec 15 10:34:24 2015: INFO: Access rejected for UserJ: Bad Encrypted 
password
Tue Dec 15 10:34:24 2015: DEBUG: Packet dump:
*** Sending to 10.0.100.8 port 58652 
Code:   Access-Reject
Identifier: 188
Authentic:  T<143>B*<10><203><165><29>6I<4>0<129><234><251>9
Attributes:
Reply-Message = "Request Denied"

Tue Dec 15 10:34:29 2015: DEBUG: Packet dump:
*** Received from 10.0.100.8 port 58652 
Code:   Access-Request
Identifier: 188
Authentic:  <220><190><27><254>r<234><233>@<187>CR<161><231>C<241><4>
Attributes:
User-Name = "UserJ"
User-Password = <214><134>.<29><11>4<137><178><135>z<148>B<31>ivJ
Service-Type = Login-User
NAS-IP-Address = 10.0.100.8

Tue Dec 15 10:34:29 2015: INFO: Duplicate request id 188 received from 
10.0.100.8(58652): retransmit reply
Tue Dec 15 10:34:29 2015: DEBUG: Packet dump:
*** Sending to 10.0.100.8 port 58652 
Code:   Access-Reject
Identifier: 188
Authentic:  T<143>B*<10><203><165><29>6I<4>0<129><234><251>9
Attributes:
Reply-Message = "Request Denied"

Tue Dec 15 10:34:34 2015: DEBUG: Packet dump:
*** Received from 10.0.100.8 port 58652 
Code:   Access-Request
Identifier: 188
Authentic:  <220><190><27><254>r<234><233>@<187>CR<161><231>C<241><4>
Attributes:
User-Name = "UserJ"
User-Password = <214><134>.<29><11>4<137><178><135>z<148>B<31>ivJ
Service-Type = Login-User
NAS-IP-Address = 10.0.100.8

Tue Dec 15 10:34:34 2015: INFO: Duplicate request id 188 received from 
10.0.100.8(58652):