Is it possible to specify which authorization mode is being used?

Is it possible to specify which authorization mode is being used?

Kristian Faller
Hi everyone,

I am brand new to FreeRadius so please excuse me for what could be a simple
question with a simple answer.

Is it possible to specify which authentication mode and tunnel type are
being used? If yes, what files do I need to modify in order to do this? I
have tried reading the documentation and looking through some of the config
files, but as a complete beginner at this, I'm not sure if I'm even looking
in the right places.

Background: I work with software testing for reMarkable (we create an E ink
tablet based on Linux), and we want to conduct more specified testing on
WPA Enterprise (802.1X over Wi-Fi). At the moment we have done testing on
our network gear which consists of Ubiquiti Unifi which only implements
eap_peap with MSCHAPv2. While this is probably used for many companies all
over the world, we would like to test other kinds of authentication and
tunnel types, thus I started setting up FreeRadius on a Raspberry Pi 4,
running Ubuntu 19.10 for IoT devices.

Our tablet runs a flavor of Linux, using wpa_supplicant and should (in
theory) be able to connect to most kinds of network. However, we know that
certificate-based networks won't work at the moment due to not having a way
to import licenses. However, I do believe there are other types of networks
not needing certificates, and these are the ones we'd like to test.

I got FreeRadius up and running, but for every connection attempt, I can
see from the output with "freeradius -X" that eap_peap and MSCHAPv2 are
used. I want to be able to set specific (valid) values so that our company
can implement and properly test the different variations of auth modes and
tunnels.

I have also attached the (entire) output from 'freeradius -X'.

If I miss any details or lack some information in my above text, please let
me know, and I'll make sure to clarify/elaborate.
--

*Kristian Faller*

QA Engineer



[hidden email]

+47 908 06 444 <+4790806444>



Biermanns gate 6, 0473 Oslo, Norway <https://goo.gl/maps/YU24JR1ZYQM2>

remarkable.com






The privileged confidential information contained in this email is intended
for use only by the addressees as indicated by the original sender of this
email. If you are not the addressee indicated in this email or are not
responsible for delivery of the email to such a person, please kindly reply
to the sender indicating this fact and delete all copies of it from your
computer and network server immediately. Your cooperation is highly
appreciated. It is advised that any unauthorized use of confidential
information of REMARKABLE AS is strictly prohibited.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Is it possible to specify which authorization mode is being used?

Alan DeKok-2
On Aug 5, 2020, at 4:48 AM, Kristian Faller <[hidden email]> wrote:
> Is it possible to specify which authentication mode and tunnel type are
> being used?

  Yes and no.  The client is the one which chooses a particular EAP type.  But the server has to be configured to accept it.

> If yes, what files do I need to modify in order to do this? I
> have tried reading the documentation and looking through some of the config
> files, but as a complete beginner at this, I'm not sure if I'm even looking
> in the right places.

  mods-available/eap has full documentation.

  The default configuration is designed to work in as many situations as possible.  So generally it's just add a "known good" name/password to the config, and most EAP types will work.

  I have a full guide on my site:  http://deployingradius.com

> Background: I work with software testing for reMarkable (we create an E ink
> tablet based on Linux), and we want to conduct more specified testing on
> WPA Enterprise (802.1X over Wi-Fi). At the moment we have done testing on
> our network gear which consists of Ubiquiti Unifi which only implements
> eap_peap with MSCHAPv2. While this is probably used for many companies all
> over the world, we would like to test other kinds of authentication and
> tunnel types, thus I started setting up FreeRadius on a Raspberry Pi 4,
> running Ubuntu 19.10 for IoT devices.

  If you use wpa_supplicant, it will work everywhere, with everything.

> Our tablet runs a flavor of Linux, using wpa_supplicant and should (in
> theory) be able to connect to most kinds of network. However, we know that
> certificate-based networks won't work at the moment due to not having a way
> to import licenses. However, I do believe there are other types of networks
> not needing certificates, and these are the ones we'd like to test.

  EAP-TLS needs client certificates.  Other EAP types (PEAP, TTLS) still need to have a CA certificate configured on the client.

> I got FreeRadius up and running, but for every connection attempt, I can
> see from the output with "freeradius -X" that eap_peap and MSCHAPv2 are
> used. I want to be able to set specific (valid) values so that our company
> can implement and properly test the different variations of auth modes and
> tunnels.

  See my web site.  There are example configurations for eapol_test to test most EAP types.

  Alan DeKok.
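
Added example, not part of the original thread and not taken from FreeRADIUS or deployingradius.com: because the client chooses the EAP type, a test matrix can be driven from the client side by generating one eapol_test/wpa_supplicant network block per outer/inner method pair. The SSID, identity, password, CA path, the default `testing123` secret and the helper names `eap_conf` and `run_matrix` are assumptions; the server still has to accept each method in mods-available/eap.

```shell
#!/bin/sh
# Added example: build eapol_test network blocks for several EAP methods.
# All values below are constructed placeholders for a lab server.
IDENTITY="testuser"                         # assumed "known good" user on the server
PASSWORD="testpass"                         # assumed password for that user
CA_CERT="/etc/freeradius/3.0/certs/ca.pem"  # assumed path to the server's CA cert

# eap_conf OUTER INNER: print a network block; return 1 for an unknown pair.
eap_conf() {
    outer=$1 inner=$2
    case "$outer/$inner" in
        PEAP/MSCHAPV2)      phase2="auth=MSCHAPV2" ;;
        TTLS/PAP|TTLS/CHAP|TTLS/MSCHAP|TTLS/MSCHAPV2)
                            phase2="auth=$inner" ;;       # non-EAP inner method
        TTLS/EAP-MSCHAPV2)  phase2="autheap=MSCHAPV2" ;;  # EAP method inside the tunnel
        *) echo "unsupported combination: $outer/$inner" >&2; return 1 ;;
    esac
    cat <<EOF
network={
    ssid="example"
    key_mgmt=WPA-EAP
    eap=$outer
    identity="$IDENTITY"
    anonymous_identity="anonymous"
    password="$PASSWORD"
    ca_cert="$CA_CERT"
    phase2="$phase2"
}
EOF
}

# run_matrix [SERVER] [SECRET]: try each pair against the RADIUS server.
run_matrix() {
    server=${1:-127.0.0.1} secret=${2:-testing123}
    for combo in PEAP/MSCHAPV2 TTLS/PAP TTLS/MSCHAPV2 TTLS/EAP-MSCHAPV2; do
        f=$(mktemp) || return 1
        eap_conf "${combo%/*}" "${combo#*/}" > "$f"
        if eapol_test -c "$f" -a "$server" -s "$secret" >/dev/null 2>&1; then
            echo "$combo: SUCCESS"
        else
            echo "$combo: FAILURE"
        fi
        rm -f "$f"
    done
}

# Only contact a server when asked to: ./script.sh run [SERVER] [SECRET]
if [ "${1:-}" = run ]; then shift; run_matrix "$@"; fi
```

Running `freeradius -X` alongside the matrix shows which EAP module handled each attempt, and keeping `ca_cert` set in every block means the tunnelled methods are tested with server certificate validation in place.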


Re: Is it possible to specify which authorization mode is being used?

Kristian Faller
Hi Mr. DeKok,

Thank you for your reply and for clarifying what side of the connection
determines what protocol is being used. I will read on your website and in
mods-available/eap as well.

On Wed, 5 Aug 2020 at 14:07, Alan DeKok <[hidden email]> wrote:

> On Aug 5, 2020, at 4:48 AM, Kristian Faller <[hidden email]> wrote:
> > Is it possible to specify which authentication mode and tunnel type are
> > being used?
>
>   Yes and no.  The client is the one which chooses a particular EAP type.  But the server has to be configured to accept it.
>
> > If yes, what files do I need to modify in order to do this? I
> > have tried reading the documentation and looking through some of the config
> > files, but as a complete beginner at this, I'm not sure if I'm even looking
> > in the right places.
>
>   mods-available/eap has full documentation.
>
>   The default configuration is designed to work in as many situations as possible.  So generally it's just add a "known good" name/password to the config, and most EAP types will work.
>
>   I have a full guide on my site:  http://deployingradius.com
>
> > Background: I work with software testing for reMarkable (we create an E ink
> > tablet based on Linux), and we want to conduct more specified testing on
> > WPA Enterprise (802.1X over Wi-Fi). At the moment we have done testing on
> > our network gear which consists of Ubiquiti Unifi which only implements
> > eap_peap with MSCHAPv2. While this is probably used for many companies all
> > over the world, we would like to test other kinds of authentication and
> > tunnel types, thus I started setting up FreeRadius on a Raspberry Pi 4,
> > running Ubuntu 19.10 for IoT devices.
>
>   If you use wpa_supplicant, it will work everywhere, with everything.
>
> > Our tablet runs a flavor of Linux, using wpa_supplicant and should (in
> > theory) be able to connect to most kinds of network. However, we know that
> > certificate-based networks won't work at the moment due to not having a way
> > to import licenses. However, I do believe there are other types of networks
> > not needing certificates, and these are the ones we'd like to test.
>
>   EAP-TLS needs client certificates.  Other EAP types (PEAP, TTLS) still need to have a CA certificate configured on the client.
>
> > I got FreeRadius up and running, but for every connection attempt, I can
> > see from the output with "freeradius -X" that eap_peap and MSCHAPv2 are
> > used. I want to be able to set specific (valid) values so that our company
> > can implement and properly test the different variations of auth modes and
> > tunnels.
>
>   See my web site.  There are example configurations for eapol_test to test most EAP types.
>
>   Alan DeKok.