(RADIATOR) Should be EAP-TTLS working with inner authentication MSCHAPV2??
Hugh Irvine
hugh at open.com.au
Fri Aug 6 18:34:35 CDT 2004
Hello Martin -
Thanks very much for the tip - very smart.
We would of course be keen to add your extensions to the base code.
regards
Hugh
On 6 Aug 2004, at 21:48, Martin Burton wrote:
> Jan,
>
> I've pasted in a snippet of our radius configuration that does
> MSCHAP-V2 against usernames and NT-Passwords stored in LDAP. (I've
> modified MSCHAP.pm and some other stuff to allow this; one of these
> days I'll get around to asking for it to be merged into the source
> tree).
>
> The thing to note here is the line:
>
> UsernameMatchesWithoutRealm yes
>
> which allows the <user>@<realm> to match an entry of just <user> in
> the LDAP tree, but passes the whole username (including realm) on to
> the MSCHAP module (where it's needed, since the MSCHAP-V2 exchange is
> based on the whole thing).
>
> That particular attribute is available as a standard option to the
> LDAP configuration of radiator, so should be what you need.
>
> --- BEGIN SNIPPET ---
> <Handler Realm=rnet1.sanger.ac.uk>
>     AcctLogFileName /tmp/acctlog-%R
>     <AuthBy LDAP2>
>         Host ldapsrv1.internal.sanger.ac.uk
>         AuthDN cn=admin,dc=sanger,dc=ac,dc=uk
>         AuthPassword <CLIP>
>         BaseDN ou=people,dc=sanger,dc=ac,dc=uk
>         UsernameAttr uid
>         NtPasswordAttr roamingPassword
>         AutoMPPEKeys yes
>         # Match user@realm against a bare uid, but hand the full
>         # username on to the MSCHAP module
>         UsernameMatchesWithoutRealm yes
>         AddToReply NN-Homeservice-Name = %R
>     </AuthBy>
> </Handler>
> --- END SNIPPET ---
>
> Hope that helps.
>
> Cheers,
>
> Martin.
> ---
> Martin Burton
> Senior Systems Administrator
> The Wellcome Trust Sanger Institute
> http://www.sanger.ac.uk
>
> Jan Tomasek wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> Hi Hugh and Terry.
>> Terry, I found a thread of yours about it in the archive:
>> http://www.open.com.au/archives/radiator/2004-03/msg00028.html.
>> I decided not to give up on this method as easily as Terry did ;)
>> Hugh, I do understand why it can't work with RewriteUsername. There are
>> two reasons why I am using RewriteUsername:
>> 1) Without it Radiator isn't able to find the user data in the LDAP
>> database.
>> 2) Without it Radiator will count user sessions badly.
>> Personally I do not care about 2, but 1 is a serious problem. Is there
>> any other way to get around this problem? An option for the LDAP2 module
>> to force it to strip the realm by itself would solve this problem for
>> me. I can code this myself quickly, but if someone from OSC will add
>> this feature for me I will be pleased.
>> For the moment I tried to modify the configuration of Radiator not to
>> use RewriteUsername and added another uid for myself in LDAP. And it
>> almost works. But:
>> EAP-PEAP-MSCHAPV2 doesn't seem to support dynamic WEP keys, so it is
>> useless for us.
>> EAP-TTLS-MSCHAPV2 somehow runs in an infinite loop. Radiator says
>> "Access accepted for semik at cesnet.cz" but WEP keys are not generated
>> (if I understand this correctly, that is work which belongs to
>> Radiator).
>> EAP-TTLS-(PAP,CHAP,MSCHAP) are working for me. In the file
>> http://www.tomasek.cz/stuff/eap-ttls-mschapv2.log.bz2 is the log from
>> xsupplicant. In the file
>> http://www.tomasek.cz/stuff/radiator-eap-ttls-mschapv2.log.bz2 is the
>> log from Radiator. The configuration isn't that big, so it is attached.
>> Can someone please check where the problem is?
>> PS: Today is my last day at work; I will be on holiday until 15.09. If
>> I am not responding, don't take it to mean that I'm no longer
>> interested in this. I will be walking in the beautiful Czech
>> countryside with a camera, trying to get some outstanding photos. :)
>> Best regards
>> - --
>> - --------------------------------------------------------------
>> Jan Tomasek aka Semik work: CESNET, z.s.p.o.
>> http://www.tomasek.cz/ Zikova 4, 160 00 Praha 6
>> Czech Republic
>> phone(work): +420 2 2435 5279 http://www.cesnet.cz/
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.2.5 (GNU/Linux)
>> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>> iD8DBQFBE1BK79++DGvj6tMRAnQ5AJ9VjLygD89YRfwWU9VYx2kXy1wkOgCggf4O
>> XQ8lrPdmWpOs6DZCEqBATNI=
>> =eR+T
>> -----END PGP SIGNATURE-----
>> ------------------------------------------------------------------------
>> Foreground
>> LogStdout
>> Trace 4
>> LogDir /var/log/radiator
>> DbDir /home/semik/iproj/Radiator-Demo-3.9
>>
>> <AuthLog SYSLOG>
>>     Identifier authlogger
>>     Facility local7
>>     LogSuccess 1
>>     LogFailure 1
>>     SuccessFormat %U:%P:OK
>>     FailureFormat %U:%P:FAIL
>> </AuthLog>
>>
>> <Log SYSLOG>
>>     Facility local7
>>     LogIdent radiator
>>     Trace 4
>> </Log>
>>
>> AuthPort 1645,1812
>> AcctPort 1646,1813
>>
>> <Client localhost>
>>     Secret mysecret
>>     DupInterval 0
>> </Client>
>> <Client DEFAULT>
>>     Secret xxx
>> </Client>
>>
>> # -- Definition of local authentication ---------------------------------------
>> <AuthBy LDAP2>
>>     Identifier CheckLDAP
>>     # Strip realm
>>     # RewriteUsername s/^(.*?)\@.*$/$1/
>>     # Convert user name to lowercase
>>     # RewriteUsername tr/A-Z/a-z/
>>     Host localhost
>>     AuthDN uid=rad1,ou=Special Users,dc=cesnet,dc=cz
>>     AuthPassword xxx
>>     BaseDN dc=cesnet,dc=cz
>>     UsernameAttr uid
>>     PasswordAttr radiusPassword
>>     # LDAP attribute, RADIUS attribute, and whether it is a check or reply item
>>     AuthAttrDef radiusTunnelPrivateGroupID, Tunnel-Private-Group-ID, reply
>>     EAPType PEAP,TTLS,TLS,MSCHAP-V2,MD5,MD5-Challenge,LEAP
>>     EAPTLS_CAFile /etc/ssl/certs/trusted-CA-list.crt
>>     EAPTLS_CertificateFile /etc/ssl/certs/radius_radius1.eduroam.cz.crt.pem
>>     EAPTLS_CertificateType PEM
>>     EAPTLS_PrivateKeyFile /etc/ssl/private/radius_radius1.eduroam.cz.key.pem
>>     #EAPTLS_PrivateKeyPassword whatever
>>     EAPTLS_MaxFragmentSize 1000
>>     EAPTLS_CRLCheck
>>     EAPTLS_CRLFile /etc/ssl/ed99a497.r0
>>     EAPTLSRewriteCertificateCommonName s/Jan Tomasek/semik/
>>     EAPTLSRewriteCertificateCommonName s/Jan Ruzicka/janru/
>>
>>     AutoMPPEKeys
>>     SSLeayTrace 0
>>     AllowInReply Tunnel-Private-Group-ID
>>     AddToReplyIfNotExist Tunnel-Private-Group-ID=1:100
>>     AddToReply Tunnel-Type=1:VLAN,\
>>         Tunnel-Medium-Type=1:Ether_802
>> </AuthBy>
>>
>> # -- Local realms -------------------------------------------------------------
>> <Client saint.cesnet.cz>
>>     Secret xxx
>> </Client>
>> <Client radius1.eduroam.cz>
>>     Secret xxx
>> </Client>
>> # ldap3.cesnet.cz is radius2.eduroam.cz
>> <Client ldap3.cesnet.cz>
>>     Secret xxx
>> </Client>
>>
>> <Handler Realm=/^cesnet\.cz$|^radius1\.cesnet\.cz$/>
>>     # Strip realm
>>     # RewriteUsername s/^(.*?)\@.*$/$1/
>>     # Convert user name to lowercase
>>     # RewriteUsername tr/A-Z/a-z/
>>     AuthBy CheckLDAP
>>     AuthLog authlogger
>> </Handler>
>>
>> # Inner (tunnelled) requests from TTLS and PEAP go to the same LDAP check
>> <Handler TunnelledByTTLS=1>
>>     AuthBy CheckLDAP
>>     AuthLog authlogger
>> </Handler>
>> <Handler TunnelledByPEAP=1>
>>     AuthBy CheckLDAP
>>     AuthLog authlogger
>> </Handler>
>>
>> # ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> # -- We are not interested in NULL realms, so we discard them too -------------
>> <Handler Realm=/^$/>
>>     <AuthBy FILE>
>>         Filename /dev/null
>>     </AuthBy>
>> </Handler>
>>
>> # ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> # -- And everything that is not ours we send on to the national RADIUS servers -
>> <Handler>
>>     <AuthBy RADIUS>
>>         <Host radius1.eduroam.cz>
>>             AuthPort 1812
>>             AcctPort 1813
>>             Secret xxx
>>         </Host>
>>         <Host radius2.eduroam.cz>
>>             AuthPort 1812
>>             AcctPort 1813
>>             Secret xxx
>>         </Host>
>>     </AuthBy>
>>     AllowInReply
>>     AddToReply Tunnel-Type=1:VLAN,\
>>         Tunnel-Medium-Type=1:Ether_802,\
>>         Tunnel-Private-Group-ID=1:100
>> </Handler>
>>
>> # ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
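As an added illustration of the point Martin makes above, the following Python models the MS-CHAPv2 challenge derivation from RFC 2759 section 8.2 and the two server behaviours discussed in the thread: stripping the realm before the MSCHAP module sees the name (what the commented-out RewriteUsername in Jan's config does) versus stripping it only for the directory match (UsernameMatchesWithoutRealm yes in Martin's snippet). This is example code written for this page, not Radiator's code or anything posted in the thread; the directory contents, the user name semik@cesnet.cz, the function names and the boolean switch are constructed for the example. The NT-Response itself (MD4 of the password, three DES encryptions of the challenge) is deliberately not computed: any change to the 8-byte challenge feeding it changes the response, which is all that is needed to show why the realm must survive to the MSCHAP step.

```python
"""
Added example (not from the Radiator thread, nor Radiator's own code): why a
RADIUS server must not strip the realm before the MS-CHAPv2 step, even though
the directory lookup needs the bare user name.

RFC 2759 section 8.2 derives the 8-byte challenge that is later DES-encrypted
into the NT-Response as
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8]
where UserName is "the user name as sent by the peer".  If the peer used
"semik@cesnet.cz" and the server hashes "semik", the two challenges differ and
the NT-Response can never verify, however correct the password is.
"""
import hashlib
import os
from typing import Optional, Tuple


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: bytes) -> bytes:
    """RFC 2759 s8.2 ChallengeHash: both 16-byte nonces plus the user name, first 8 bytes of SHA1."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 bytes each")
    return hashlib.sha1(peer_challenge + auth_challenge + username).digest()[:8]


def split_realm(username: str) -> Tuple[str, Optional[str]]:
    """'user@realm' -> ('user', 'realm'); a bare 'user' -> ('user', None)."""
    user, sep, realm = username.partition("@")
    return user, (realm if sep else None)


# Constructed stand-in for the LDAP tree (UsernameAttr uid). Entries carry no
# realm, which is exactly why the thread needed the realm stripped for lookup.
DIRECTORY = {"semik": {"uid": "semik", "realm": "cesnet.cz"}}


def server_side(username_on_wire: str, peer_challenge: bytes, auth_challenge: bytes,
                strip_before_mschap: bool) -> Tuple[Optional[dict], bytes]:
    r"""
    Two server behaviours from the thread, modelled side by side:
      strip_before_mschap=True   ~ RewriteUsername s/^(.*?)\@.*$/$1/ applied
                                   before the MSCHAP module sees the name
      strip_before_mschap=False  ~ UsernameMatchesWithoutRealm yes: strip only
                                   for the directory match, hash the full name
    Returns (directory entry or None, the 8-byte challenge the server will use).
    """
    user, _realm = split_realm(username_on_wire)
    entry = DIRECTORY.get(user)                      # lookup always uses the bare uid
    name_for_mschap = user if strip_before_mschap else username_on_wire
    return entry, challenge_hash(peer_challenge, auth_challenge, name_for_mschap.encode())


def authenticates(username_on_wire: str, strip_before_mschap: bool,
                  peer_challenge: Optional[bytes] = None,
                  auth_challenge: Optional[bytes] = None) -> bool:
    """True iff the user exists in the directory AND both sides derived the same challenge."""
    peer_challenge = peer_challenge or os.urandom(16)
    auth_challenge = auth_challenge or os.urandom(16)
    # The peer always hashes the identity it actually sent in the inner EAP exchange.
    peer_chal = challenge_hash(peer_challenge, auth_challenge, username_on_wire.encode())
    entry, server_chal = server_side(username_on_wire, peer_challenge, auth_challenge,
                                     strip_before_mschap)
    return entry is not None and server_chal == peer_chal


if __name__ == "__main__":
    for strip in (True, False):
        print(f"strip realm before MSCHAP={strip!s:5}: "
              f"semik@cesnet.cz -> {authenticates('semik@cesnet.cz', strip)}")
```

Run directly, the script prints a failure for the RewriteUsername-style variant and a success for the lookup-only strip; a bare user name with no realm passes either way, since there is nothing to strip. That asymmetry is the whole reason Martin's snippet keeps RewriteUsername out of the AuthBy LDAP2 clause and relies on UsernameMatchesWithoutRealm instead.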