OD -> RADIUS -> WiFi

  • #367372
    stepansae
    Participant

    Hi all,

    I’m setting up a wireless network where users use login details provided by Open Directory + certificate. The goal is that a user of the WiFi network must provide a certificate and username with password. If the user is disabled in OD (via WGM – the “access account” tick box), the user must not be able to access the network.

    My setup:
    OSX 10.4.8 Server, OpenDirectory, freeRADIUS, ZyWall 35 with WiFi AP using WPA Ent.

    Clients: 99.9% Mac OSX 10.4.8

    I got everything set up, freeRADIUS 1.1.3 running, certificates, but I can’t get freeRADIUS to check the user password against OD.

    Using radtest, I have no problems:

    ——-
    Sending Access-Request of id 123 to 127.0.0.1 port 1812
    User-Name = "12345"
    User-Password = "12345"
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 2
    rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=123, length=20
    ——-

    However, when a client logs in from WiFi, the username and certificate are the only criteria that are checked to grant access. If you can help, please read the debug dump below.

    It seems that RADIUS has managed to decrypt the password and adds it to checklist:
    rlm_ldap: Added password ******** in check items

    … but then the access is granted anyway … doesn’t matter what you write in the password 🙁

    To achieve my goals, am I using the correct method (EAP-TLS)? When using an unencrypted connection, I can clearly see the password attribute, but that defeats the whole purpose of WPA …

    I hope you guys don’t mind that I dumped bits of my log & conf into this forum, I’m getting very frustrated …

    I have already added userPassword as User-Password …

    RADIUS reply to connection using certificate:
    ——-
    rad_recv: Access-Request packet from host 192.168.1.1:1131, id=16, length=144
    User-Name = "12345"
    NAS-IP-Address = 192.168.1.1
    NAS-Identifier = "zywall"
    Framed-MTU = 1496
    Called-Station-Id = "00-11-22-33-44-55-66-77:Test Test"
    Calling-Station-Id = "00-11-22-33-44-55"
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020b00060d00
    State = 0xa5e4df76eacd676aa056b162e018e148
    Message-Authenticator = 0x55082c87332500d61cb52cd8ca640361
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 9
    modcall[authorize]: module "preprocess" returns ok for request 9
    rlm_eap: EAP packet type response id 11 length 6
    rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
    modcall[authorize]: module "eap" returns updated for request 9
    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for 12345
    radius_xlat: '(uid=12345)'
    radius_xlat: 'dc=st,dc=ln'
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in dc=st,dc=ln, with filter (uid=12345)
    rlm_ldap: checking if remote access for 12345 is allowed by uid
    rlm_ldap: Added password ******** in check items
    rlm_ldap: looking for check items in directory...
    rlm_ldap: Adding userPassword as User-Password, value ******** & op=21
    rlm_ldap: looking for reply items in directory...
    rlm_ldap: user 12345 authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    modcall[authorize]: module "ldap" returns ok for request 9
    modcall: leaving group authorize (returns updated) for request 9
    rad_check_password: Found Auth-Type EAP
    auth: type "EAP"
    Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 9
    rlm_eap: Request found, released from the list
    rlm_eap: EAP/tls
    rlm_eap: processing type tls
    rlm_eap_tls: Authenticate
    rlm_eap_tls: processing TLS
    rlm_eap_tls: Received EAP-TLS ACK message
    rlm_eap_tls: ack handshake is finished
    eaptls_verify returned 3
    eaptls_process returned 3
    rlm_eap: Freeing handler
    modcall[authenticate]: module "eap" returns ok for request 9
    modcall: leaving group authenticate (returns ok) for request 9
    Sending Access-Accept of id 16 to 192.168.1.1 port 1131
    MS-MPPE-Recv-Key = 0x1e908975f56513420942c8e6680139f19ebf58ee76c2c13a2315873f5ca1c6cf
    MS-MPPE-Send-Key = 0xedddaafac5513c090db385d154acfe8d19c5b7e542b264e1c6974850faddb2a6
    EAP-Message = 0x030b0004
    Message-Authenticator = 0x00000000000000000000000000000000
    User-Name = "12345"
    Finished request 9
    ———

    From radiusd.conf:
    ———
    ldap {
        server = "192.168.1.2"
        basedn = "dc=st,dc=ln"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        access_attr = "uid"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        password_attribute = userPassword
    }

    authorize {
        eap
        ldap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }

        Auth-Type CHAP {
            chap
        }

        Auth-Type MS-CHAP {
            mschap
        }

        Auth-Type LDAP {
            ldap
        }

        eap
    }

    ——

    I have also added "checkItem User-Password userPassword" to ldap.attrmap.

    Please please help, many thanks in advance!!!!
    Stepan

    #367395
    stepansae
    Participant

    Hi All,
    you were no help 🙂 but I finally found a solution … So in case someone has decided to take the same path as me:

    Now I know that EAP-TLS does not support passwords (!) so that method is useless for me.

    A solution is to use EAP-TTLS with PAP. My posted configuration is correct; only the connection method is different. On OS X 10.4.8, when connecting to WiFi, instead of Automatic select “TTLS-PAP” and enter username and password.

    freeRADIUS binds to LDAP with the WiFi user’s username and password, so if the user is disabled, i.e. via WGM, the bind fails and the user is not granted WiFi access.

    So in my scenario, students will be using TTLS-PAP and members of staff can still be issued a personal client certificate and enjoy EAP-TLS.

    More details about auth. protocols on http://deployingradius.com/documents/protocols/compatibility.html
    thanks to Alan Dekok.

    Stepan
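The lesson of the thread is that an LDAP check item added in the authorize phase proves nothing unless a module in the authenticate phase actually verifies the password; with pure EAP-TLS the certificate alone decides. As an added example (not from the poster or the FreeRADIUS project), the script below audits radiusd -X output for Access-Accepts where no password was ever verified. The two dumps are constructed and abridged from the thread's format, and the "authenticated succesfully" phrase (the server's own spelling) is assumed to be what rlm_pap and an rlm_ldap bind print in FreeRADIUS 1.x.

```python
import re

# rlm_pap and rlm_ldap (bind) in FreeRADIUS 1.x print this phrase only when a
# password is really verified; spelling is the server's own (assumption).
VERIFIED = "authenticated succesfully"

def split_requests(dump):
    """Group radiusd -X lines into one list per 'Finished request N'."""
    reqs, cur = [], []
    for line in dump.strip().splitlines():
        cur.append(line.strip())
        if cur[-1].startswith("Finished request"):
            reqs.append(cur)
            cur = []
    return reqs + ([cur] if cur else [])

def audit(lines):
    """Return (eap_type, accepted, password_checked) for one request."""
    text = "\n".join(lines)
    m = re.search(r"rlm_eap: EAP/(\w+)", text)
    eap_type = m.group(1) if m else None
    accepted = "Sending Access-Accept" in text
    # A check item added in authorize proves nothing: only a module that runs
    # in the authenticate phase (pap, or an ldap bind) tests the password.
    start = next((i for i, l in enumerate(lines)
                  if l.startswith("Processing the authenticate section")), len(lines))
    checked = any(VERIFIED in l for l in lines[start:])
    return eap_type, accepted, checked

def weak_accepts(dump):
    """EAP types of requests accepted with no password ever verified."""
    return [t for t, ok, checked in map(audit, split_requests(dump))
            if ok and not checked]

# Constructed, abridged dumps modelled on the thread's output.
TLS_DUMP = """\
Processing the authorize section of radiusd.conf
rlm_ldap: Adding userPassword as User-Password, value ******** & op=21
Processing the authenticate section of radiusd.conf
rlm_eap: EAP/tls
Sending Access-Accept of id 16 to 192.168.1.1 port 1131
Finished request 9
"""
TTLS_DUMP = """\
Processing the authenticate section of radiusd.conf
rlm_eap: EAP/ttls
rad_check_password: Found Auth-Type LDAP
rlm_ldap: user 12345 authenticated succesfully
Sending Access-Accept of id 17 to 192.168.1.1 port 1131
Finished request 10
"""
```

Run `weak_accepts` over a real `radiusd -X` capture: a non-empty result means the server handed out an Access-Accept on certificate alone, which is exactly the EAP-TLS behaviour the first post was puzzled by.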
