I'm trying to get freeradius/eDirectory/802.11 authentication working for a educational wireless environment and need some assistance. I'm working with SLES11sp1/OES11 and FreeRadius rpm version 2.1.1-7.12.1. I'm using a couple of HP MSM422 WAPs but the majority of the WAP's are Ruckus, with a ZoneDirector 3000. My goal is to provide private wireless networks that require user authentication and either place students and staff on different wireless vlans or return group membership to our firewall to differentiate web content filtering.
I used this document for my initial config: https://www.netiq.com/documentation/...adiusadmin.pdf.
Right now all I've been trying to do is get a user to authenticate and connect via 802.1x.
Here's what I have so far:
ldap file:
ldap {
users file:
DEFAULT Ldap-Group == "cn=StaffMember,o=ORG"
eap.conf:
eap {
If there are other relevant config files that someone would like to see, please let me know.
I have an HP MSM422 WAP configured with encryption set to WPA2/AES and Radius authentication. Here is an example of the radiusd debug output:
rad_recv: Access-Request packet from host 192.168.3.30 port 32772, id=99, length=363
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "UserA", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 17 length 89
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunnled request
PEAP: Setting User-Name to UserA
Sending tunneled request
EAP-Message = 0x021100421a0211003d3117c29ec2260e40cf8966bf3d774e df19000000000000000025114d54fd90897f6e1e377172baef 7c6ad9b514c3dde99a006861736c657474
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "UserA", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 17 length 66
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_ldap: Entering ldap_groupcmp()
[files] expand: o=ORG -> o=ORG
[files] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[files] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=UserA)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=ORG, with filter (uid=UserA)
rlm_ldap: ldap_release_conn: Release Id: 0
[files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ld ap-UserDn}))(&(objectClass=GroupOfUniqueNames)(unique member=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=cn\3dUserA\2 cou\3dADM\2cou\3dCE\2cou\3dAD\2co\3dORG))(&(object Class=GroupOfUniqueNames)(uniquemember=cn\3dUserA\ 2cou\3dADM\2cou\3dCE\2cou\3dAD\2co\3dORG)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=StaffMember,o=ORG, with filter (|(&(objectClass=GroupOfNames)(member=cn\3dUserA\2 cou\3dADM\2cou\3dCE\2cou\3dAD\2co\3dORG))(&(object Class=GroupOfUniqueNames)(uniquemember=cn\3dUserA\ 2cou\3dADM\2cou\3dCE\2cou\3dAD\2co\3dORG)))
rlm_ldap::ldap_groupcmp: User found in group cn=StaffMember,o=ORG
rlm_ldap: ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 214
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for UserA with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect: [UserA/<via Auth-Type = EAP>] (from client comedwap port 0 via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 3
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 99 to 192.168.3.30 port 32772
Going to the next request
Thanks for any assistance.
I used this document for my initial config: https://www.netiq.com/documentation/...adiusadmin.pdf.
Right now all I've been trying to do is get a user to authenticate and connect via 802.1x.
Here's what I have so far:
ldap file:
ldap {
server = "server.org.dom"
identity = "cn=freeRadius,o=ORG"
password = freeradiuspassword
basedn = "o=ORG"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
tls {
start_tls = yes
cacertfile = /home/freeRadius/rootcert.pem
require_cert = "demand"
}
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
password_attribute = nspmPassword
edir_account_policy_check = yes
groupname_attribute = cn
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:L dap-UserDn}))(&(objectClass=GroupOfUniqueNames)(unique member=%{control:Ldap-UserDn})))"
groupmembership_attribute = StaffMember
access_attr_used_for_allow = yes
}users file:
DEFAULT Ldap-Group == "cn=StaffMember,o=ORG"
Reply-Message="you have been authenticated",
Auth-Type :=Accept,
Fall-Through = No
eap.conf:
eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
md5 {
}
leap {
}
gtc {
auth_type = PAP
}
tls {
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_password = radiuskeypass
private_key_file = ${certdir}/srvcert.pem
certificate_file = ${certdir}/srvcert.pem
CA_file = ${cadir}/rootcert.pem
dh_file = ${certdir}/dh
random_file = ${certdir}/random
cipher_list = "DEFAULT"
make_cert_command = "${certdir}/bootstrap"
cache {
enable = no
lifetime = 24 # hours
max_entries = 255
}
}
ttls {
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
mschapv2 {
}
}If there are other relevant config files that someone would like to see, please let me know.
I have an HP MSM422 WAP configured with encryption set to WPA2/AES and Radius authentication. Here is an example of the radiusd debug output:
rad_recv: Access-Request packet from host 192.168.3.30 port 32772, id=99, length=363
Acct-Session-Id = "e13821b5-00000064"
NAS-Port = 101
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "AA111BBB2C"
NAS-IP-Address = 192.168.3.30
Framed-MTU = 1496
User-Name = "UserA"
Calling-Station-Id = "00-16-6F-88-18-24"
Called-Station-Id = "00-0F-61-BA-BD-81"
Service-Type = Framed-User
EAP-Message = 0x021100591900170301004e93d1a95094e0e72278daeaf9b9 8be33d70ec4166833a31bad41f906acf7e963b4a3d4ba8feba ea641f9c6d1df82c684565611b90ad91067c64cab7091cbea4 52997272c85911c9c89c88a87e3cb4
State = 0x34f61f0833e706a7c3ad30034d6ab423
Colubris-AVPair = "ssid=PrivateSSID"
Colubris-AVPair = "incoming-vlan-id=10"
Colubris-AVPair = "vsc-unique-id=2"
Colubris-AVPair = "phytype=IEEE802dot11g"
Colubris-Attr-250 = 0x00000000
Colubris-Attr-249 = 0x00000000
Message-Authenticator = 0xc67b3addfed486fb5b2822bbbc5f0706
+- entering group authorize {...}++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "UserA", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 17 length 89
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunnled request
EAP-Message = 0x021100421a0211003d3117c29ec2260e40cf8966bf3d774e df19000000000000000025114d54fd90897f6e1e377172baef 7c6ad9b514c3dde99a006861736c657474
server (null) {PEAP: Setting User-Name to UserA
Sending tunneled request
EAP-Message = 0x021100421a0211003d3117c29ec2260e40cf8966bf3d774e df19000000000000000025114d54fd90897f6e1e377172baef 7c6ad9b514c3dde99a006861736c657474
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "UserA"
State = 0xf3999ba6f388814c9ebc43799ca87859
server inner-tunnel {+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "UserA", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 17 length 66
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_ldap: Entering ldap_groupcmp()
[files] expand: o=ORG -> o=ORG
[files] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[files] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=UserA)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=ORG, with filter (uid=UserA)
rlm_ldap: ldap_release_conn: Release Id: 0
[files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ld ap-UserDn}))(&(objectClass=GroupOfUniqueNames)(unique member=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=cn\3dUserA\2 cou\3dADM\2cou\3dCE\2cou\3dAD\2co\3dORG))(&(object Class=GroupOfUniqueNames)(uniquemember=cn\3dUserA\ 2cou\3dADM\2cou\3dCE\2cou\3dAD\2co\3dORG)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=StaffMember,o=ORG, with filter (|(&(objectClass=GroupOfNames)(member=cn\3dUserA\2 cou\3dADM\2cou\3dCE\2cou\3dAD\2co\3dORG))(&(object Class=GroupOfUniqueNames)(uniquemember=cn\3dUserA\ 2cou\3dADM\2cou\3dCE\2cou\3dAD\2co\3dORG)))
rlm_ldap::ldap_groupcmp: User found in group cn=StaffMember,o=ORG
rlm_ldap: ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 214
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for UserA with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect: [UserA/<via Auth-Type = EAP>] (from client comedwap port 0 via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 3
Reply-Message = "you have been authenticated"
Auth-Type := Accept
MS-CHAP-Error = "\021E=691 R=1"
EAP-Message = 0x04110004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3 Reply-Message = "you have been authenticated"
Auth-Type := Accept
MS-CHAP-Error = "\021E=691 R=1"
EAP-Message = 0x04110004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 99 to 192.168.3.30 port 32772
EAP-Message = 0x011200261900170301001b772c2f752dcc139cf4e8758b8c edb4dc0d1061a21a270b11564673
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x34f61f083ce406a7c3ad30034d6ab423
Finished request 26.Going to the next request
Thanks for any assistance.