Testing mschapv2 with custom radius attributes


Testing mschapv2 with custom radius attributes

Munroe Sollog
I'm trying to set Aruba-Essid-Name using the -N option in the eapol_test
command.  It says I need to use the numeric ID of the attribute.  When I
look at the dictionary.aruba file the VENDOR is "14823" and the
Aruba-Essid-Name is "5".  If I am interpreting this correctly I would do
something like:

eapol_test -c /etc/eapol_test.conf -a 192.168.10.10 -ss3cr3t
-N148235:s:myessid


When I run that command I get:


(0) Received Access-Request Id 0 from 192.168.0.244:48088 to 192.168.10.10:1812 length 134
(0)   User-Name = "testuser"
(0)   NAS-IP-Address = 127.0.0.1
(0)   Calling-Station-Id = "02-00-00-00-00-01"
(0)   Framed-MTU = 1400
(0)   NAS-Port-Type = Wireless-802.11
(0)   Service-Type = Framed-User
(0)   Connect-Info = "CONNECT 11Mbps 802.11b"
(0)   Filter-Id = "myessid"

"Filter-Id" is showing up rather than "Aruba-Essid-Name" so obviously I am
interpreting what I need to do incorrectly.  Any help would be appreciated.
--
Munroe Sollog (He/Him/His)
Senior Network Engineer
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Testing mschapv2 with custom radius attributes

Alan DeKok-2

On Oct 12, 2020, at 12:56 PM, Munroe Sollog wrote:
>
> I'm trying to set Aruba-Essid-Name using the -N option in the eapol_test
> command.  It says I need to use the numeric ID of the attribute.  When I
> look at the dictionary.aruba file the VENDOR is "14823" and the
> Aruba-Essid-Name is "5".  If I am interpreting this correctly I would do
> something like:
>
> eapol_test -c /etc/eapol_test.conf -a 192.168.10.10 -ss3cr3t
> -N148235:s:myessid

  Unfortunately we didn't write eapol_test, and have very little to offer here.

  What is clear is that you can't simply concatenate "14823" and "5", to get "148235", and then expect eapol_test to figure out what you meant.

  If you're just doing MS-CHAPv2, then use "radclient".  It is included with FreeRADIUS, it supports MS-CHAPv2, and it supports VSAs.

  Alan DeKok.



Re: Testing mschapv2 with custom radius attributes

Munroe Sollog
radclient does do a better job of sending the attributes as expected,
however I can't figure out how to construct a PEAP-mschapv2 packet to
actually allow the auth to succeed.

I think https://wiki.freeradius.org/config/Radclient assumes a more
comprehensive level of understanding than I have.


Re: Testing mschapv2 with custom radius attributes

Alan DeKok-2
On Oct 12, 2020, at 1:29 PM, Munroe Sollog wrote:
>
> radclient does do a better job of sending the attributes as expected,

  That's good.

> however I can't figure out how to construct a PEAP-mschapv2 packet to
> actually allow the auth to succeed.

  Because radclient doesn't do PEAP.

  Why ask about MS-CHAPv2 if you're *actually* doing PEAP?

  And why ask on the FreeRADIUS list how to use a non-FreeRADIUS piece of software?

  Alan DeKok.



Re: Testing mschapv2 with custom radius attributes

Munroe Sollog
I guess I'm guilty of asking an X-Y question.  So let's try again.  In
following this guide:
https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind I
configured a freeradius server to authenticate against active directory.
However, I made a tweak to make authentication dependent on a custom VSA
"Aruba-Essid-Name".  With that tweak the guide's advice for testing using
radtest to confirm the configuration doesn't work since radtest doesn't
seem to support manually setting the above VSA.  Elsewhere on the wiki I
see references to radclient, radeapclient, eapol_test and rad_eap_test.  I
have been unable to wrangle any of these tools correctly to test that my
freeradius configuration is behaving as I want it to.  Any help would be
appreciated.  Thanks in advance.


Re: Testing mschapv2 with custom radius attributes

Alan DeKok-2
On Oct 12, 2020, at 4:22 PM, Munroe Sollog wrote:
>
> I guess I'm guilty of asking an X-Y question.  So let's try again.  In
> following this guide:
> https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind I
> configured a freeradius server to authenticate against active directory.

  That's good.

> However, I made a tweak to make authentication dependent on a custom VSA
> "Aruba-Essid-Name".  With that tweak the guide's advice for testing using
> radtest to confirm the configuration doesn't work since radtest doesn't
> seem to support manually setting the above VSA.

  Yes, "radtest" is for username / password testing.  If you want more than that in the packet, use radclient.

>  Elsewhere on the wiki I
> see references to radclient, radeapclient, eapol_test and rad_eap_test.  I
> have been unable to wrangle any of these tools correctly to test that my
> freeradius configuration is behaving as I want it to.

  What does that mean?  "I did stuff, but I'm not going to tell you what I did.  Please tell me what I did wrong".

>  Any help would be
> appreciated.  Thanks in advance.

  radclient doesn't do peap.  Neither does radeapclient.  However, both of those tools *will* send any VSA you want.

  See "man radclient".  Or, read "radtest".  It's just a shell script wrapper around radclient.

  Since radclient does MSCHAP, you can do most of the tests you need.  Just give it an input file with the attributes you need.

  Or, run eapol_test, and use -N.  However, you will have to create the contents of the VSA yourself, and pass it as a hex / octet string.

  How do you create the contents of the VSA?  Run "radclient -xxxx ...", and it will print out a helpful hex dump of the packets it's sending. Then, copy the hex codes from the attribute which begins with "1a".

  Alan DeKok.


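Added example, not code from the thread or from FreeRADIUS: a POSIX sh helper that builds the octet string eapol_test's -N option needs from the numbers in dictionary.aruba, and pulls the same payload back out of a radclient -xxxx hex dump the way the reply above describes. It assumes that -N<id>:x:<hex> inserts the hex bytes verbatim as the value of attribute <id>, so for a Vendor-Specific attribute the id is 26 and the hex starts at the 4-byte vendor id (eapol_test adds the type and length bytes itself). One observation on the first post: 148235 modulo 256 is 11, the code point of Filter-Id, which would account for the Filter-Id in that debug output if eapol_test truncates the attribute id to one byte; the truncation is an inference, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeRADIUS): build the octet
# payload eapol_test needs for "-N26:x:<hex>" to carry a RADIUS VSA, and
# recover the same payload from a "1a ..." attribute in a radclient -xxxx dump.
#
# RFC 2865 Vendor-Specific (type 26) on the wire:
#   1a | length | vendor-id (4 bytes) | vendor-type | vendor-length | value
# Assumption: eapol_test's "x" syntax inserts the hex bytes verbatim as the
# attribute value and supplies type 26 and the outer length itself, so the
# hex we hand it starts at the vendor id.

# Hex-encode a string: "myessid" -> 6d796573736964
hex_str() {
  printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# vsa_payload VENDOR_ID VENDOR_TYPE VALUE
# Prints vendor-id(4) + vendor-type(1) + vendor-length(1) + value, as hex.
vsa_payload() {
  vendor_id=$1 vendor_type=$2 value=$3
  value_hex=$(hex_str "$value")
  # vendor-length counts vendor-type, vendor-length and the value, in bytes
  vendor_len=$(( ${#value_hex} / 2 + 2 ))
  printf '%08x%02x%02x%s' "$vendor_id" "$vendor_type" "$vendor_len" "$value_hex"
}

# eapol_test_vsa_arg VENDOR_ID VENDOR_TYPE VALUE -> the complete -N argument
eapol_test_vsa_arg() {
  printf '%s%s' '-N26:x:' "$(vsa_payload "$@")"
}

# radclient -xxxx shows the encoded attribute as bytes like
# "1a 0f 00 00 39 e7 05 09 ...".  Drop the leading type and length bytes
# to get the payload for -N26:x:.  Rejects anything that is not type 0x1a.
payload_from_dump() {
  dump=$(printf '%s' "$1" | tr -d ' \n' | tr 'A-F' 'a-f')
  case $dump in
    1a*) printf '%s' "${dump#????}" ;;
    *) echo "not a Vendor-Specific (0x1a) attribute" >&2; return 1 ;;
  esac
}

# Usage (dictionary.aruba: VENDOR 14823, Aruba-Essid-Name 5):
#   eapol_test -c /etc/eapol_test.conf -a 192.168.10.10 -s s3cr3t \
#     "$(eapol_test_vsa_arg 14823 5 myessid)"
```

With radclient none of this is needed: the dictionary does the encoding, so a line reading Aruba-Essid-Name = "myessid" in the input file is enough, and its -xxxx dump of that attribute is what the second function expects.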

Re: Testing mschapv2 with custom radius attributes

Alan Buxey
You'll have an issue with VSAs and eapol_test; you're okay with
standard RADIUS values.

You could always assume that the EAP part of the conversation is okay
and just do the testing on the inner MSCHAPv2 part, i.e. send
the test packets using radclient direct to the inner-tunnel listener.
Any outer stuff on the policy is easy to check with radclient too.
(You can break this up into a couple of problems to solve.)

alan
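Added example, not from the thread or from FreeRADIUS: exercising the inner-tunnel policy directly with radclient, as the reply above suggests, so the VSA check can be tested without building PEAP. It assumes the stock FreeRADIUS 3 layout (the inner-tunnel virtual server listening on 127.0.0.1:18120, the localhost client secret testing123, and dictionary.aruba loaded so radclient knows Aruba-Essid-Name by name); the user name, password and ESSID values are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeRADIUS): send a request
# straight to the inner-tunnel listener with the Aruba VSA set, bypassing
# the PEAP outer layer so the VSA-dependent policy can be tested on its own.
# Assumptions: default inner-tunnel listen block (127.0.0.1:18120), default
# "localhost" client secret (testing123), dictionary.aruba loaded.

INNER_TUNNEL=${INNER_TUNNEL:-127.0.0.1:18120}
SECRET=${SECRET:-testing123}

# inner_request USER PASSWORD ESSID
# Prints a radclient attribute list.  MS-CHAP-Password is the radclient
# attribute that it expands into MS-CHAP-Challenge/MS-CHAP-Response before
# sending (radtest -t mschap writes the same thing); User-Password would
# exercise PAP instead.  Values are double-quoted strings in this format.
inner_request() {
  user=$1 password=$2 essid=$3
  printf 'User-Name = "%s"\n' "$user"
  printf 'MS-CHAP-Password = "%s"\n' "$password"
  printf 'NAS-Port-Type = Wireless-802.11\n'
  printf 'Aruba-Essid-Name = "%s"\n' "$essid"
}

# send_inner_request USER PASSWORD ESSID
# Feeds the attribute list to radclient; -x prints the request and the
# reply, so look for Access-Accept or Access-Reject in the output.
send_inner_request() {
  inner_request "$@" | radclient -x "$INNER_TUNNEL" auth "$SECRET"
}

# One positive and one negative case for the ESSID policy (placeholders):
#   send_inner_request testuser 'Pa55word' myessid       # expect Access-Accept
#   send_inner_request testuser 'Pa55word' other-essid   # expect Access-Reject
```

Run the server with radiusd -X while doing this; its debug output shows whether the request reached the inner-tunnel virtual server and which policy line accepted or rejected it, which is the part the Access-Accept/Reject alone does not tell you.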