802.1x issues with different NAS' types


802.1x issues with different NAS' types

Marco Miglietta
Hi.
In order to solve the problem in passing VLAN related attribute during
802.1x authentication with Aruba AP, I found the post below useful.
But this caused problems with VLAN assignment on Juniper switches
during the 802.1x authentication process.
What is a way to solve the problem? The solutions seem to be mutually
exclusive.

Thanks. Marco.


______________________________________________________________________________________________

Sending an attribute with the Access-Accept instead of Access-Challenge
Phil Mayers p.mayers at imperial.ac.uk
Wed Jan 12 18:00:05 CET 2011


On 12/01/11 16:33, Vivek Umasuthan wrote:
 > Hi All,
 > I am testing 802.1x support on our platform and I'm having trouble
 > figuring out how to include some attributes with Access-Accept. I read
 > the 'users' file man page but could not get the answer.

You need to add the attribute in the "inner-tunnel" virtual server, and
ensure you've set:

use_tunneled_reply = yes

...in the "peap {}" section of "eap.conf"


--

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: 802.1x issues with different NAS' types

Alan DeKok-2
On Mar 24, 2021, at 7:15 AM, Marco Miglietta <[hidden email]> wrote:
> In order to solve the problem in passing VLAN related attribute during 802.1x authentication with Aruba AP, I found the post below useful.
> But this caused problems with VLAN assignment on Juniper switches during the 802.1x authentication process.
> What is a way to solve the problem? The solutions seem to be mutually exclusive.

  There is not a unique "the problem" which is being solved.  Instead, there is a whole grab-bag of issues.

  IF you want to apply policies based on "real" name, THEN for PEAP / TTLS, that real name is only available in the inner tunnel.  AND THEN you have to apply the policies in the inner tunnel, and then copy the results to the outer reply.

  IF you want to apply policies based on things like MAC addresses, THEN those addresses are always available (you don't need inner-tunnel). AND THEN you can just apply policies in the "default" outer virtual server.

  There is no "magic set of incantations" which will make FreeRADIUS do what you want.  You have to understand what's going on, including understanding how FreeRADIUS works.  And only then can you configure the server to do it.

  Alan DeKok.


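To make Alan's "where is the attribute visible" argument and Phil's `use_tunneled_reply` remark concrete, here is an added illustration; it is a small Python model, not FreeRADIUS code or configuration. Plain dicts stand in for the outer ("default") and inner ("inner-tunnel") requests, the two policy functions stand in for unlang policies, and `copy_to_outer()` stands in for the effect of `use_tunneled_reply = yes` in the `peap {}` section. The user-to-VLAN and MAC-to-VLAN tables, the identities and the MAC address are constructed sample data.

```python
"""Model of where PEAP/TTLS attributes live and when a VLAN policy can see them.

Added illustration, not FreeRADIUS code: dicts model the outer and inner
requests, the policy functions model unlang policies, and copy_to_outer()
models `use_tunneled_reply = yes`. All tables and identities are constructed.
"""


def vlan_reply(vlan_id: str) -> dict:
    # The RFC 2868 trio a switch or AP needs for dynamic VLAN assignment.
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": vlan_id,
    }


USER_VLAN = {"alice@example.org": "10", "bob@example.org": "20"}  # constructed
MAC_VLAN = {"00-11-22-33-44-55": "99"}                              # constructed


def policy_by_real_name(request: dict, reply: dict) -> bool:
    """Matches on the real User-Name, which only the inner request carries."""
    vlan = USER_VLAN.get(request.get("User-Name"))
    if vlan is None:
        return False
    reply.update(vlan_reply(vlan))
    return True


def policy_by_mac(request: dict, reply: dict) -> bool:
    """Matches on Calling-Station-Id, which is present outside the tunnel."""
    vlan = MAC_VLAN.get(request.get("Calling-Station-Id"))
    if vlan is None:
        return False
    reply.update(vlan_reply(vlan))
    return True


def copy_to_outer(outer_reply: dict, inner_reply: dict, use_tunneled_reply: bool) -> None:
    """Without use_tunneled_reply the inner reply never reaches the NAS."""
    if use_tunneled_reply:
        outer_reply.update(inner_reply)


def peap_access_accept(outer_identity: str, inner_identity: str, mac: str,
                       policy, where: str, use_tunneled_reply: bool) -> dict:
    """Return the reply attributes the NAS sees in the final Access-Accept.

    `where` is "default" (outer virtual server) or "inner-tunnel".
    """
    outer_req = {"User-Name": outer_identity, "Calling-Station-Id": mac}
    # The MAC is available inside the tunnel as well; the real name is not outside it.
    inner_req = {"User-Name": inner_identity, "Calling-Station-Id": mac}
    outer_reply, inner_reply = {}, {}
    if where == "default":
        policy(outer_req, outer_reply)
    else:
        policy(inner_req, inner_reply)
    copy_to_outer(outer_reply, inner_reply, use_tunneled_reply)
    return outer_reply


if __name__ == "__main__":
    mac = "00-11-22-33-44-55"
    for where, tunneled in (("default", True), ("inner-tunnel", False), ("inner-tunnel", True)):
        got = peap_access_accept("anonymous@example.org", "alice@example.org",
                                 mac, policy_by_real_name, where, tunneled)
        print(f"name policy in {where:12s} use_tunneled_reply={tunneled!s:5s} -> {got}")
    print("mac policy in default  ->",
          peap_access_accept("anonymous@example.org", "alice@example.org",
                             mac, policy_by_mac, "default", False))
```

Running it shows the two ways the VLAN silently goes missing: a real-name policy evaluated in `default` only ever sees the anonymous outer identity, and a policy that does match in `inner-tunnel` still produces an empty Access-Accept unless the inner reply is copied out. The MAC-based policy works in the outer server on its own, which is the distinction Alan draws.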

Authentication with ldap support

Marco Miglietta
Thank you Alan. I hope in a short time to become a little expert with
freeradius while I try to solve daily problems.
I would like to use freeradius for authentication and only to verify the user
password against the one that is in the external ldap that I bind.
Where do I have to operate, what are the involved config files?
Do you have any suggestions?
Thank you v.m.

Marco.






Re: Authentication with ldap support

Michael Schwartzkopff-3
On 30.03.21 12:25, Marco Miglietta wrote:

> Thank you Alan. I hope in a short time to become a little expert with
> freeradius while I try to solve daily problems.
> I would like to use freeradius for authentication and only to verify the user
> password against the one that is in the external ldap that I bind.
> Where do I have to operate, what are the involved config files?
> Do you have any suggestions?
> Thank you v.m.
>
> Marco.
>
Hi,


freeradius has a nice LDAP module. Please read the comments in the
config file. Then try an ldapsearch manually. If that succeeds, you know
all parameters that you have to configure in the ldap module of freeradius.

Doc also:
https://networkradius.com/doc/3.0.10/raddb/mods-available/ldap.html


Greetings,


Michael



Kind regards,

--

[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein


Re: Authentication with ldap support

Marco Miglietta
Thank you Michael, I had a look at the ldap config file. I think that it could
be ok.
However I made a test that fails and in debug mode I had the following
result in the final part with error...

mschap: ERROR: MS-CHAP2-Response is incorrect

I have just learned that passwords are stored in md5 format in the ldap's db
and probably this is the problem... but also its end (and mine) :-)

What do you think?
Thanks.
Marco.


(41)       [ldap] = ok
(41)       [expiration] = noop
(41)       [logintime] = noop
(41) pap: WARNING: Auth-Type already set.  Not setting to PAP
(41)       [pap] = noop
(41)     } # authorize = updated
(41)   Found Auth-Type = eap
(41)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(41)     authenticate {
(41) eap: Expiring EAP session with state 0xc9668664c96f9c89
(41) eap: Finished EAP session with state 0xc9668664c96f9c89
(41) eap: Previous EAP request found for state 0xc9668664c96f9c89, released from the list
(41) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(41) eap: Calling submodule eap_mschapv2 to process data
(41) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(41) eap_mschapv2:   authenticate {
(41) mschap: Found Cleartext-Password, hashing to create NT-Password
(41) mschap: Found Cleartext-Password, hashing to create LM-Password
(41) mschap: Creating challenge hash with username: [hidden email]
(41) mschap: Client is using MS-CHAPv2
(41) mschap: ERROR: MS-CHAP2-Response is incorrect
(41)     [mschap] = reject
(41)   } # authenticate = reject






Re: Authentication with ldap support

Alan DeKok-2
On Mar 30, 2021, at 6:51 PM, Marco MIGLIETTA <[hidden email]> wrote:

>
> Thank you Michael, I had a look at the ldap config file. I think that it could
> be ok.
> However I made a test that fails and in debug mode I had the following
> result in the final part with error...
>
> mschap: ERROR: MS-CHAP2-Response is incorrect
>
> I have just learned that passwords are stored in md5 format in the ldap's db
> and probably this is the problem... but also its end (and mine) :-)

http://deployingradius.com/documents/protocols/compatibility.html

 It's impossible to do MS-CHAP with MD5 passwords.

 Alan DeKok.



Re: Authentication with ldap support

Michael Schwartzkopff-3
In reply to this post by Marco Miglietta
On 31.03.21 00:51, Marco MIGLIETTA wrote:

> Thank you Michael, I had a look at the ldap config file. I think that it could
> be ok.
> However I made a test that fails and in debug mode I had the following
> result in the final part with error...
>
> mschap: ERROR: MS-CHAP2-Response is incorrect
>
> I have just learned that passwords are stored in md5 format in the ldap's db
> and probably this is the problem... but also its end (and mine) :-)
>
> What do you think?
> Thanks.
> Marco.

Hashed passwords do not work with CHAP mech. See:

http://deployingradius.com/documents/protocols/compatibility.html




Kind regards,
