(RADIATOR) Should be EAP-TTLS working with inner authentication MSCHAPV2??
Martin Burton
mvb at sanger.ac.uk
Fri Aug 6 06:48:35 CDT 2004
Jan,
I've pasted in a snippet of our radius configuration that does MSCHAP-V2
against usernames and NT-Passwords stored in LDAP. (I've modified
MSCHAP.pm and some other stuff to allow this; one of these days I'll get
around to asking for it to be merged into the source tree).
The thing to note here is the line:
UsernameMatchesWithoutRealm yes
which allows the <user>@<realm> to match an entry of just <user> in the
LDAP tree, but passes the whole username (including realm) on to the
MSCHAP module (where it's needed, since the MSCHAP-V2 exchange is based
on the whole thing).
That particular attribute is available as a standard option to the LDAP
configuration of radiator, so should be what you need.
--- BEGIN SNIPPET ---
<Handler Realm=rnet1.sanger.ac.uk>
AcctLogFileName /tmp/acctlog-%R
<AuthBy LDAP2>
Host ldapsrv1.internal.sanger.ac.uk
AuthDN cn=admin,dc=sanger,dc=ac,dc=uk
AuthPassword <CLIP>
BaseDN ou=people,dc=sanger,dc=ac,dc=uk
UsernameAttr uid
NtPasswordAttr roamingPassword
AutoMPPEKeys yes
UsernameMatchesWithoutRealm yes
AddToReply NN-Homeservice-Name = %R
</AuthBy>
</Handler>
--- END SNIPPET ---
Hope that helps.
Cheers,
Martin.
---
Martin Burton
Senior Systems Administrator
The Wellcome Trust Sanger Institute
http://www.sanger.ac.uk
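To make the point about UsernameMatchesWithoutRealm concrete, here is an added example (not code from the original post, from Radiator, or from Sanger) that implements the ChallengeHash() step of RFC 2759 and separates the two uses of the username: the bare <user> is the directory lookup key, while the name exactly as the peer sent it (<user>@<realm>) goes into the MS-CHAP-V2 challenge hash that the NT-Response is computed over. The in-memory dict standing in for the LDAP tree, the attribute name and the split_realm helper are constructed for the example; the challenge values are the RFC 2759 section 9.2 test vector.

```python
"""Added example: realm-insensitive lookup versus realm-sensitive MS-CHAP-V2 hashing.

Constructed and self-contained: a dict stands in for the LDAP tree (no LDAP
server is contacted) and the RFC 2759 test vector supplies the challenges.
"""
import hashlib

# Constructed stand-in for the LDAP tree. Entries are keyed by bare uid only,
# as in a tree where the entry is just <user>, never <user>@<realm>.
DIRECTORY = {
    "User": {"roamingPassword": "clientPass"},
}

# RFC 2759 section 9.2 test vector (AuthenticatorChallenge, PeerChallenge).
RFC2759_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC2759_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2.

    Challenge = SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8].
    The NT-Response is then DES-encrypted over these 8 bytes, so the response
    is bound to the username string exactly as the peer supplied it.
    """
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAP-V2 challenges are 16 octets each")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(username.encode("utf-8"))
    return h.digest()[:8]


def split_realm(username: str) -> tuple[str, str]:
    """Mimic UsernameMatchesWithoutRealm (hypothetical helper, not Radiator's code).

    Returns (lookup_key, mschap_name): the key has any '@realm' removed for the
    directory search, while mschap_name is the original string, untouched.
    """
    lookup_key = username.split("@", 1)[0]
    return lookup_key, username


def lookup_entry(username: str):
    """Directory lookup on the bare user part; returns (entry or None, full name)."""
    lookup_key, mschap_name = split_realm(username)
    return DIRECTORY.get(lookup_key), mschap_name


def server_challenge(peer_challenge: bytes, auth_challenge: bytes, username: str):
    """What the authenticator must hash to verify the peer's NT-Response.

    Returns None when there is no directory entry to check against, otherwise
    the 8-octet challenge computed over the FULL username (realm included).
    """
    entry, mschap_name = lookup_entry(username)
    if entry is None:
        return None
    return challenge_hash(peer_challenge, auth_challenge, mschap_name)


def stripped_name_matches(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bool:
    """Show the failure mode: hashing the realm-stripped name instead of the
    name the peer sent yields a different challenge, so verification would
    fail even with the right NT-Password."""
    lookup_key, mschap_name = split_realm(username)
    wrong = challenge_hash(peer_challenge, auth_challenge, lookup_key)
    right = challenge_hash(peer_challenge, auth_challenge, mschap_name)
    return wrong == right


if __name__ == "__main__":
    name = "User@rnet1.sanger.ac.uk"
    print("lookup key / mschap name:", split_realm(name))
    print("challenge:", server_challenge(RFC2759_PEER_CHALLENGE, RFC2759_AUTH_CHALLENGE, name).hex())
    print("stripped name would verify:",
          stripped_name_matches(RFC2759_PEER_CHALLENGE, RFC2759_AUTH_CHALLENGE, name))
```

With the bare name "User" and the RFC 2759 vector, challenge_hash returns the RFC's 8-octet Challenge; with "User@rnet1.sanger.ac.uk" the directory lookup still succeeds on "User", but the challenge differs, which is why the realm has to survive as far as the MSCHAP module even though it is dropped for the LDAP search.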
Jan Tomasek wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Hugh and Terry.
>
> Terry, I found a thread of yours about it in the archive:
> http://www.open.com.au/archives/radiator/2004-03/msg00028.html.
>
> I decided not to give up that easily with this method as Terry did ;) Hugh, I do
> understand why it can't work with RewriteUsername. There are two reasons why I
> am using RewriteUsername:
> 1) Without it Radiator isn't able to find user data in the LDAP database
> 2) Without it Radiator will badly count user sessions.
> Personally I do not care about 2, but 1 is a serious problem. Is there any other
> way to bypass this problem? An option for the LDAP2 module to force it to strip the
> realm by itself will solve this problem for me. I can code this myself
> quickly, but if someone from OSC will add this feature for me I will be pleased.
>
> For the moment I tried to modify the configuration of Radiator to not use
> RewriteUsername and added another uid for myself in LDAP. And it almost works. But:
>
> EAP-PEAP-MSCHAPV2 doesn't seem to support dynamic WEP keys so it is useless
> for us.
>
> EAP-TTLS-MSCHAPV2 somehow runs in an infinite loop. Radiator says "Access
> accepted for semik at cesnet.cz" but WEP keys are not generated (if I
> understand this correctly, that is work which belongs to Radiator).
> EAP-TTLS-(PAP,CHAP,MSCHAP) are working for me. In file
> http://www.tomasek.cz/stuff/eap-ttls-mschapv2.log.bz2 is the log from xsupplicant.
> In file http://www.tomasek.cz/stuff/radiator-eap-ttls-mschapv2.log.bz2 is the log
> from Radiator. The configuration isn't that big so it is attached. Can
> someone please check where the problem is?
>
> PS: Today is my last day at work, I will be on holiday till 15.09. If I am
> not responding, don't take it to mean that I'm no longer interested in
> this. I will be walking in the beautiful Czech countryside with a camera trying to
> get some outstanding photos. :)
>
> Best regards
> - --
> - --------------------------------------------------------------
> Jan Tomasek aka Semik work: CESNET, z.s.p.o.
> http://www.tomasek.cz/ Zikova 4, 160 00 Praha 6
> Czech Republic
> phone(work): +420 2 2435 5279 http://www.cesnet.cz/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.5 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFBE1BK79++DGvj6tMRAnQ5AJ9VjLygD89YRfwWU9VYx2kXy1wkOgCggf4O
> XQ8lrPdmWpOs6DZCEqBATNI=
> =eR+T
> -----END PGP SIGNATURE-----
>
>
> ------------------------------------------------------------------------
>
> Foreground
> LogStdout
> Trace 4
> LogDir /var/log/radiator
> DbDir /home/semik/iproj/Radiator-Demo-3.9
>
> <AuthLog SYSLOG>
> Identifier authlogger
> Facility local7
> LogSuccess 1
> LogFailure 1
> SuccessFormat %U:%P:OK
> FailureFormat %U:%P:FAIL
> </AuthLog>
> <Log SYSLOG>
> Facility local7
> LogIdent radiator
> Trace 4
> </Log>
>
> AuthPort 1645,1812
> AcctPort 1646,1813
>
> <Client localhost>
> Secret mysecret
> DupInterval 0
> </Client>
>
> <Client DEFAULT>
> Secret xxx
> </Client>
>
> # -- Definition of local authentication ---------------------------------------
> <AuthBy LDAP2>
> Identifier CheckLDAP
>
> # Strip realm
> # RewriteUsername s/^(.*?)\@.*$/$1/
> # Convert user name to lowercase
> # RewriteUsername tr/A-Z/a-z/
>
> Host localhost
>
> AuthDN uid=rad1,ou=Special Users,dc=cesnet,dc=cz
> AuthPassword xxx
>
> BaseDN dc=cesnet,dc=cz
> UsernameAttr uid
> PasswordAttr radiusPassword
> AuthAttrDef radiusTunnelPrivateGroupID, Tunnel-Private-Group-ID, reply
> EAPType PEAP,TTLS,TLS,MSCHAP-V2,MD5,MD5-Challenge,LEAP
>
> EAPTLS_CAFile /etc/ssl/certs/trusted-CA-list.crt
> EAPTLS_CertificateFile /etc/ssl/certs/radius_radius1.eduroam.cz.crt.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile /etc/ssl/private/radius_radius1.eduroam.cz.key.pem
> #EAPTLS_PrivateKeyPassword whatever
>
> EAPTLS_MaxFragmentSize 1000
>
> EAPTLS_CRLCheck
> EAPTLS_CRLFile /etc/ssl/ed99a497.r0
>
> EAPTLSRewriteCertificateCommonName s/Jan Tomasek/semik/
> EAPTLSRewriteCertificateCommonName s/Jan Ruzicka/janru/
>
> AutoMPPEKeys
>
> SSLeayTrace 0
>
> AllowInReply Tunnel-Private-Group-ID
> AddToReplyIfNotExist Tunnel-Private-Group-ID=1:100
> AddToReply Tunnel-Type=1:VLAN,\
> Tunnel-Medium-Type=1:Ether_802
> </AuthBy>
>
> # -- Local realms -------------------------------------------------------------
> <Client saint.cesnet.cz>
> Secret xxx
> </Client>
>
> <Client radius1.eduroam.cz>
> Secret xxx
> </Client>
>
> <Client ldap3.cesnet.cz> # radius2.eduroam.cz
> Secret xxx
> </Client>
>
> <Handler Realm=/^cesnet\.cz$|^radius1\.cesnet\.cz$/>
> # Strip realm
> # RewriteUsername s/^(.*?)\@.*$/$1/
> # Convert user name to lowercase
> # RewriteUsername tr/A-Z/a-z/
>
> AuthBy CheckLDAP
> AuthLog authlogger
> </Handler>
>
> <Handler TunnelledByTTLS=1>
> AuthBy CheckLDAP
> AuthLog authlogger
> </Handler>
>
> <Handler TunnelledByPEAP=1>
> AuthBy CheckLDAP
> AuthLog authlogger
> </Handler>
> # ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> # -- We are not interested in NULL realms, so we discard them too ------------
> <Handler Realm=/^$/>
> <AuthBy FILE>
> Filename /dev/null
> </AuthBy>
> </Handler>
> # ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> # -- And everything that isn't ours we send to the national RADIUS servers ---
> <Handler>
> <AuthBy RADIUS>
> <Host radius1.eduroam.cz>
> AuthPort 1812
> AcctPort 1813
> Secret xxx
> </Host>
> <Host radius2.eduroam.cz>
> AuthPort 1812
> AcctPort 1813
> Secret xxx
> </Host>
> </AuthBy>
>
> AllowInReply
> AddToReply Tunnel-Type=1:VLAN,\
> Tunnel-Medium-Type=1:Ether_802,\
> Tunnel-Private-Group-ID=1:100
> </Handler>
> # ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.