EAP-GTC w/ "PAP-like" LDAP authentication


EAP-GTC w/ "PAP-like" LDAP authentication

Ian Pilcher
I am struggling to find documentation of how to set up $SUBJECT.

I've got FreeRADIUS working with both PEAP/MSCHAPv2 and (P)EAP-GTC using
a file-based test user, but the number of different protocols and
configurations supported and documented in the config files means that I
haven't been able to figure out how to achieve what I want.

Any hints, links, etc. would be appreciated.

Thanks!

--
========================================================================
Ian Pilcher                                         [hidden email]
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP-GTC w/ "PAP-like" LDAP authentication

Alan DeKok-2
On Jan 27, 2019, at 12:43 PM, Ian Pilcher <[hidden email]> wrote:
>
> I am struggling to find documentation of how to set up $SUBJECT.
>
> I've got FreeRADIUS working with both PEAP/MSCHAPv2 and (P)EAP-GTC using
> a file-based test user, but the number of different protocols and
> configurations supported and documented in the config files means that I
> haven't been able to figure out how to achieve what I want.

  (a) Make sure PEAP works with certificates.

  (b) configure and enable LDAP.  See mods-available/ldap

  Once the LDAP module is available, the server will automatically use it.

  And, the server will automatically grab passwords from LDAP.  And, the server will automatically use those passwords to do EAP-GTC.

  It really is that easy.  The key thing is to *let the server do the work*.  Don't try to "force" a particular kind of authentication.  EAP doesn't work that way.

  If you're using Active Directory, it's harder.  Because Active Directory isn't a real LDAP server.

  It also helps to describe what you've done, what happened, and why you think it's wrong.  Otherwise, we're limited to:

Q: I tried stuff and it doesn't work.  What do I do?
A: Try different stuff

  Which isn't helpful to anyone.  Better questions means better answers.

  Alan DeKok.



Re: EAP-GTC w/ "PAP-like" LDAP authentication

Ian Pilcher
First, apologies for breaking threading.  (I had mail delivery turned
off, and Gmane's feed seems to be broken, so I'm cutting & pasting from
the archive.)

> Alan DeKok aland at deployingradius.com Sun Jan 27 20:17:58 CET 2019
>
> (a) Make sure PEAP works with certificates.

Done.  I've verified with tcpdump/Wireshark that the correct certificate
is being used.

> (b) configure and enable LDAP.  See mods-available/ldap

Done.

> Once the LDAP module is available, the server will automatically use
> it.

It's trying, but failing.

  (0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute

> And, the server will automatically grab passwords from LDAP.  And,
> the server will automatically use those passwords to do EAP-GTC.

It will try, but it will fail, because it doesn't have permission to
read passwords/hashes from LDAP.

I need to configure FreeRADIUS to bind *as the user* to LDAP.  If the
bind succeeds then the authentication succeeds.

> It also helps to describe what you've done, what happened, and why
> you think it's wrong.  Otherwise, we're limited to:
>
> Q: I tried stuff and it doesn't work.  What do I do? A: Try different
> stuff
>
> Which isn't helpful to anyone.  Better questions means better
> answers.

Fair enough.  This seems like it would be such a common configuration
that I would have thought that it would be documented somewhere.

--
========================================================================
Ian Pilcher                                         [hidden email]
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================

Re: EAP-GTC w/ "PAP-like" LDAP authentication

Alan DeKok-2
On Jan 28, 2019, at 2:52 PM, Ian Pilcher <[hidden email]> wrote:
>> Alan DeKok aland at deployingradius.com Sun Jan 27 20:17:58 CET 2019
>> (a) Make sure PEAP works with certificates.
>
> Done.  I've verified with tcpdump/Wireshark that the correct certificate
> is being used.

  Good.

>> (b) configure and enable LDAP.  See mods-available/ldap
>
> Done.
>
>> Once the LDAP module is available, the server will automatically use
>> it.
>
> It's trying, but failing.
>
> (0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute

  That's a usual problem.  <sigh>  "security" means not allowing your security server to read the secure passwords.

>> And, the server will automatically grab passwords from LDAP.  And,
>> the server will automatically use those passwords to do EAP-GTC.
>
> It will try, but it will fail, because it doesn't have permission to
> read passwords/hashes from LDAP.

  Yeah.

> I need to configure FreeRADIUS to bind *as the user* to LDAP.  If the
> bind succeeds then the authentication succeeds.

  That's what the "auth_type" setting is for on the EAP GTC module configuration.  Set it to something else. e.g. "ldap".  And then make sure that "ldap" is listed in the "authenticate" section of the inner-tunnel virtual server.

>> It also helps to describe what you've done, what happened, and why
>> you think it's wrong.  Otherwise, we're limited to:
>> Q: I tried stuff and it doesn't work.  What do I do? A: Try different
>> stuff
>> Which isn't helpful to anyone.  Better questions means better
>> answers.
>
> Fair enough.  This seems like it would be such a common configuration
> that I would have thought that it would be documented somewhere.

  It is.  Especially if you post debug output showing *exactly* what went wrong.

  Alan DeKok.



Re: EAP-GTC w/ "PAP-like" LDAP authentication

Ian Pilcher
On 1/28/19 2:40 PM, Alan DeKok wrote:
> That's what the "auth_type" setting is for on the EAP GTC module
> configuration.  Set it to something else. e.g. "ldap".  And then make
> sure that "ldap" is listed in the "authenticate" section of the
> inner-tunnel virtual server.

Boom!

That, plus the changes detailed in
http://lists.freeradius.org/pipermail/freeradius-users/2016-September/084737.html
makes both EAP-GTC and EAP-TTLS work.

Thank you!

--
========================================================================
Ian Pilcher                                         [hidden email]
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================

Re: EAP-GTC w/ "PAP-like" LDAP authentication

Alan DeKok-2
On Jan 29, 2019, at 2:00 PM, Ian Pilcher <[hidden email]> wrote:

>
> On 1/28/19 2:40 PM, Alan DeKok wrote:
>> That's what the "auth_type" setting is for on the EAP GTC module
>> configuration.  Set it to something else. e.g. "ldap".  And then make
>> sure that "ldap" is listed in the "authenticate" section of the
>> inner-tunnel virtual server.
>
> Boom!
>
> That, plus the changes detailed in
> http://lists.freeradius.org/pipermail/freeradius-users/2016-September/084737.html
> makes both EAP-GTC and EAP-TTLS work.

  That configuration is intended for a different use-case.  While they might work, they're not correct.

  My earlier recommendation is the correct approach.

  Alan DeKok.



Re: EAP-GTC w/ "PAP-like" LDAP authentication

Ian Pilcher
On 1/29/19 1:03 PM, Alan DeKok wrote:
> That configuration is intended for a different use-case.  While they
> might work, they're not correct.
>
> My earlier recommendation is the correct approach.

Indeed.  I was confused by the fact that the changes in that note make
radtest (and EAP-TTLS) work.

I've done a bit of testing, and I've come up with the following changes
required to make each "method" work.  (In addition to the certificate &
LDAP configuration that is common across all 3 "methods.")

* radtest

   - force Auth-Type LDAP in the authorize section of
     sites-available/default

   - enable LDAP authentication in the authenticate section of
     sites-available/default

* EAP-TTLS

   - force Auth-Type LDAP in the authorize section of
     sites-available/inner-tunnel

   - enable LDAP authentication in the authenticate section of
     sites-available/inner-tunnel

* EAP-GTC

   - set auth_type = LDAP in the gtc section of mods-available/eap

   - enable LDAP authentication in the authenticate section of
     sites-available/inner-tunnel

I hope I've got that right.

Thanks!

--
========================================================================
Ian Pilcher                                         [hidden email]
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
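As an added illustration of Alan's recommendation and of the three "methods" summarised in the last message, here are the relevant fragments of the configuration files named in the thread. This is example configuration written for this thread, not the files shipped with FreeRADIUS and not anything the posters sent: the `gtc` section and the `Auth-Type LDAP` block follow the shape of the stock 3.0 files, while the `if (...)` block in `authorize` is one formulation of "force Auth-Type LDAP" and is an assumption; `-ldap` assumes the ldap module in mods-available/ldap is enabled and has a `user { }` section that resolves the DN to bind as.

```text
# --- mods-available/eap, gtc section ---
#
# Before: the stock setting hands the GTC response to the pap module,
# which needs a "known good" password read from LDAP during authorize.
# When the bind account cannot read the password attribute, the server
# logs the warning seen in this thread and pap has nothing to compare:
#
#   (0) ldap: WARNING: No "known good" password added. Ensure the admin
#       user has permission to read the password attribute
#
#   gtc {
#       challenge = "Password: "
#       auth_type = PAP
#   }
#
# After: let the ldap module authenticate the GTC response by binding
# to the directory as the user with the password it just received.
gtc {
    challenge = "Password: "
    auth_type = ldap
}

# --- sites-available/inner-tunnel ---
#
# EAP-GTC picks its Auth-Type via auth_type above, so it only needs
# "ldap" to be runnable from the authenticate section.  EAP-TTLS/PAP
# delivers a plain-text User-Password inside the tunnel, so for it the
# authorize section has to select Auth-Type LDAP explicitly; the
# User-Password test keeps this from firing on inner EAP requests.
authorize {
    # (other stock modules as shipped)
    -ldap
    if ((ok || updated) && User-Password && !control:Auth-Type) {
        update control {
            Auth-Type := LDAP
        }
    }
    # (other stock modules as shipped)
}

authenticate {
    # (other stock Auth-Type blocks as shipped)
    Auth-Type LDAP {
        ldap
    }
    eap
}

# --- sites-available/default ---
#
# Same pattern for requests arriving on the outer server with a
# User-Password, which is what radtest sends by default.
authorize {
    # (other stock modules as shipped)
    -ldap
    if ((ok || updated) && User-Password && !control:Auth-Type) {
        update control {
            Auth-Type := LDAP
        }
    }
    # (other stock modules as shipped)
}

authenticate {
    # (other stock Auth-Type blocks as shipped)
    Auth-Type LDAP {
        ldap
    }
    eap
}
```

Two things worth checking after applying this. First, run `radiusd -X` and confirm the inner-tunnel debug output no longer shows the "No known good password" warning being followed by a pap failure, but instead shows the ldap module binding as the user. Second, note that a bind-as-user design only covers methods that carry a plain-text password inside the TLS tunnel (EAP-GTC, EAP-TTLS/PAP and plain PAP); PEAP/MSCHAPv2 still needs a readable clear-text or NT-hash password, which is why it worked against the file-based test user in the first message but will not work against an LDAP directory the server cannot read passwords from.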