concurrent TTLS and PEAP usage


concurrent TTLS and PEAP usage

Artur Hecker
hi


we have a Wifi 802.1X network with both TTLS and PEAP users (TTLS/PAP
mostly for non-windows machines, PEAP/MSCHAPv2 for windows machines).
(we also have TLS users, but that's out of scope).

both work like a charm. however, we'd like to prevent PEAP accounts from
logging in with TTLS and vice versa (that's a pure policy decision - one
user profile should specify exactly one auth method). this works mainly
because we store clear text passwords for both MSCHAPv2 and PAP.

assuming e.g. two users user_peap with PEAP/MS-CHAPv2 and user_ttls with
TTLS/CHAP, we would like to modify the profile of the user user_peap so
he can't change the exterior method to TTLS/PAP and vice versa.

note that we don't necessarily use exterior names (since e.g. MS Windows
machines do not permit specifying an alternative user name for the
exterior EAP tunnel).

we naively try to specify EAP-Type == PEAP for user_peap and == TTLS for
user_ttls but that breaks both methods (which seems normal since this
EAP-Type definition is not correct for the internal EAP method which
however uses the same user name).

i thought about specifying tunneled attributes as check items. it turns
out that FR does not show them in the log and I believe that these are
not the same for the PEAP and TTLS anyway.

thus the question to the list: how can I specify a "PEAP/MS-CHAPv2
only" user profile? how can i specify a "TTLS/PAP only" user profile?


thanks
artur
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: concurrent TTLS and PEAP usage

Stefan.Neis@t-online.de
Artur Hecker wrote:

> we naively try to specify EAP-Type == PEAP for user_peap and == TTLS for
> user_ttls but that breaks both methods (which seems normal since this
> EAP-Type definition is not correct for the internal EAP method which
> however uses the same user name).

Why not almost just as naively do the check vice versa:
If it's user_ttls and EAP-Type == PEAP, set Auth-Type
explicitly to reject?

         Regards,
                   Stefan

Re: concurrent TTLS and PEAP usage

Artur Hecker
hi


[hidden email] wrote:

>> we naively try to specify EAP-Type == PEAP for user_peap and == TTLS for
>> user_ttls but that breaks both methods (which seems normal since this
>> EAP-Type definition is not correct for the internal EAP method which
>> however uses the same user name).
>
> Why not almost just as naively do the check vice versa:
> If it's user_ttls and EAP-Type == PEAP, set Auth-Type
> explicitly to reject?

what you are saying is that I should do something like this:

user_ttls EAP-Type != PEAP

that however only prohibits the usage of PEAP for user_ttls while i
would like to only enable TTLS for this specific user (which is not
quite the same).


ciao
artur

Re: concurrent TTLS and PEAP usage

Alan DeKok
Artur Hecker <[hidden email]> wrote:
> user_ttls EAP-Type != PEAP
>
> that however only prohibits the usage of PEAP for user_ttls while i
> would like to only enable TTLS for this specific user (which is not
> quite the same).

user_ttls   EAP-Type != TTLS, Auth-Type := Reject

  See the dictionaries for EAP-Type names.

  Alan DeKok.

Re: concurrent TTLS and PEAP usage

Stefan.Neis@t-online.de
In reply to this post by Artur Hecker
        Hi,

> what you are saying is that I should do something like this:
>  
> user_ttls EAP-Type != PEAP
>  
> that however only prohibits the usage of PEAP for user_ttls while i
> would like to only enable TTLS for this specific user (which is not
> quite the same).

Yes, however you said yourself that you do _not_ want to only enable
TTLS for this specific user since you also obviously need to enable
the inner protocol used inside the tunnel...
Maybe something like: if EAP-Type isn't EAP-TTLS and FreeRadius-Proxied-To
is not set for user_ttls, then reject as a first rule, and as a second rule
something like: if FreeRadius-Proxied-To is set and Auth-Type isn't PAP, then
reject. And similar rules for user_peap.

        Regards,
                Stefan




Re: concurrent TTLS and PEAP usage

Artur Hecker
In reply to this post by Alan DeKok

hi Alan
hi Stefan


thanks for your help. I think I understand the idea. however my problems
are on the implementation level.

two things are still not clear to me.

1. we use 'sql' and not 'files' (my fault i didn't mention it
previously) and thus I don't see how I can add the line below to my user
profile who already has things like User-Password ==..., etc. I tried
adding user user_ttls into group TTLS and then using radgroupcheck like
this:

radgroupcheck:
id   User        Attribute   op   Value
2    user_ttls   EAP-Type    !=   TTLS
3    user_ttls   Auth-Type   :=   Reject

but then user_ttls gets rejected. how do I implement it with SQL?

2. we experimented with EAP-Type, but at least for PEAP as soon as we
specify it somewhere in radcheck, PEAP breaks with a server error
message saying that the client has sent a TLV rejecting the connection.

Alan: like Stefan proposed I also thought about something like
FreeRadius-Proxied-To, because i think that your proposal might not work
as soon as the internal method starts for the user. Or don't external
methods use EAP-Type? (still I am not sure how to define "conditions" in
sql tables: if EAP-Type is not this value, then add Auth-Type=...)


ciao
artur



Re: concurrent TTLS and PEAP usage

Artur Hecker

Alan, Stefan


replying to myself:

using 'files' I've managed to make it work. the correct (working)
configuration is:


user_ttls   FreeRadius-Proxied-To == "127.0.0.1", User-Password == "test_ttls"
            Session-Timeout = 3600

user_ttls   EAP-Type != EAP-TTLS
            Auth-Type := Reject

user_peap   FreeRadius-Proxied-To == "127.0.0.1", User-Password == "test_peap"
            Session-Timeout = 3600

user_peap   EAP-Type != PEAP
            Auth-Type := Reject


that does exactly what I wanted. works like a charm for both PEAP and
TTLS users.

could somebody explain to me how I can translate it into an SQL config?


ciao
artur

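The two-entry layout in the working 'files' config above, as an added model written for this page (it is not FreeRADIUS code and was not posted in the thread): a small Python simulation of how the 'files' module applies those entries. It assumes first-match semantics (entries for a user are tried top to bottom and the first one whose check items all hold is used, since no Fall-Through is set), that a check item whose attribute is absent from the request fails whether the operator is == or !=, and that User-Password and Auth-Type are control items handled by the authentication stage rather than compared in authorize. The sample requests are constructed, and the inner EAP-Type value "MSCHAPv2" is a placeholder name (see the dictionaries, as Alan says). It also runs the naive single-entry layout from the first post against the same requests, to show why that one broke both methods.

```python
"""Model of how the 'files' module applies the per-user EAP-method policy.

Assumptions of this added model (not FreeRADIUS code):
  * entries for a user are tried top to bottom; the first one whose check
    items all match is used and later entries are not consulted (no Fall-Through);
  * a check item whose attribute is absent from the request does not match,
    whether the operator is == or !=;
  * User-Password and Auth-Type are control items: they are copied for the
    authentication stage instead of being compared against the request here.
"""

CONTROL_ITEMS = {"User-Password", "Auth-Type"}

# (user, check items, reply items), transcribed from the working config in the thread.
# Auth-Type is treated as a control item wherever it appears, which is how the
# posted config was observed to behave.
WORKING = [
    ("user_ttls", [("FreeRadius-Proxied-To", "==", "127.0.0.1"),
                   ("User-Password", "==", "test_ttls")],
     [("Session-Timeout", "=", "3600")]),
    ("user_ttls", [("EAP-Type", "!=", "EAP-TTLS")],
     [("Auth-Type", ":=", "Reject")]),
    ("user_peap", [("FreeRadius-Proxied-To", "==", "127.0.0.1"),
                   ("User-Password", "==", "test_peap")],
     [("Session-Timeout", "=", "3600")]),
    ("user_peap", [("EAP-Type", "!=", "PEAP")],
     [("Auth-Type", ":=", "Reject")]),
]

# The first attempt from the opening post, reported as breaking both methods.
NAIVE = [
    ("user_ttls", [("EAP-Type", "==", "EAP-TTLS"),
                   ("User-Password", "==", "test_ttls")], []),
    ("user_peap", [("EAP-Type", "==", "PEAP"),
                   ("User-Password", "==", "test_peap")], []),
]


def checks_match(check_items, request):
    """True when every comparison in an entry's check items holds for the request."""
    for attr, op, value in check_items:
        if attr in CONTROL_ITEMS or op in (":=", "=", "+="):
            continue                      # assignment or control item, not a comparison
        if attr not in request:
            return False                  # absent attribute satisfies neither == nor !=
        if op == "==" and request[attr] != value:
            return False
        if op == "!=" and request[attr] == value:
            return False
    return True


def authorize(entries, request):
    """First-match lookup. Returns (control, reply) dicts, or None if no entry matched."""
    for user, checks, replies in entries:
        if user != request["User-Name"] or not checks_match(checks, request):
            continue
        control = {a: v for a, _, v in checks + replies if a in CONTROL_ITEMS}
        reply = {a: v for a, _, v in replies if a not in CONTROL_ITEMS}
        return control, reply
    return None


def decide(entries, request):
    """Outcome of the authorize stage for one request:
    'reject'    the matching entry set Auth-Type := Reject;
    'password'  the matching entry supplied the clear-text password the inner method needs;
    'eap'       nothing matched, but it is an outer EAP request, so rlm_eap drives the tunnel;
    'unknown'   nothing matched for an inner request: there is no password to verify against."""
    hit = authorize(entries, request)
    if hit is None:
        outer_eap = "EAP-Type" in request and "FreeRadius-Proxied-To" not in request
        return "eap" if outer_eap else "unknown"
    control, _ = hit
    if control.get("Auth-Type") == "Reject":
        return "reject"
    return "password" if "User-Password" in control else "eap"


# Constructed sample requests (attribute name -> value). The inner PEAP request
# carries the inner EAP type, not PEAP; "MSCHAPv2" is a placeholder value name.
OUTER_TTLS = {"User-Name": "user_ttls", "EAP-Type": "EAP-TTLS"}
OUTER_PEAP_AS_TTLS_USER = {"User-Name": "user_ttls", "EAP-Type": "PEAP"}
INNER_TTLS_PAP = {"User-Name": "user_ttls", "FreeRadius-Proxied-To": "127.0.0.1",
                  "User-Password": "test_ttls"}
INNER_PEAP_MSCHAPV2 = {"User-Name": "user_peap", "FreeRadius-Proxied-To": "127.0.0.1",
                       "EAP-Type": "MSCHAPv2"}

if __name__ == "__main__":
    cases = [("outer TTLS, user_ttls", OUTER_TTLS),
             ("outer PEAP, user_ttls", OUTER_PEAP_AS_TTLS_USER),
             ("inner TTLS/PAP", INNER_TTLS_PAP),
             ("inner PEAP/MSCHAPv2", INNER_PEAP_MSCHAPV2)]
    for label, req in cases:
        print(f"{label:24s} working={decide(WORKING, req):9s} naive={decide(NAIVE, req)}")
```

Under these assumptions the naive layout fails on every inner request: the TTLS/PAP inner request carries no EAP-Type at all, and the PEAP inner request carries the inner method's type rather than PEAP, so neither matches an entry and no stored password reaches the authentication stage. The working layout also shows why the entry order matters for PEAP: if the `EAP-Type != PEAP` entry is listed before the password entry, the inner MS-CHAPv2 request matches it first and is rejected, whereas the TTLS/PAP inner request is unaffected because its missing EAP-Type fails the `!=` check either way.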