FreeRadius: How to set up PEAP
参考URL
# cat /etc/redhat-release
CentOS release 5.4 (Final)
# rpm -qa | grep freeradius
freeradius-1.1.3-1.5.el5_4
[root@localhost raddb]# pwd
/etc/raddb
- radiusd.conf
追加。
# mschap: MS-CHAP / MS-CHAPv2 module, used as the inner method of PEAP
# (eap.conf below sets peap default_eap_type = mschapv2).
mschap {
# use_mppe: hand MPPE session keys to the NAS (the MS-MPPE-Send/Recv-Key
# pairs in the final Access-Accept at the end of these notes come from this);
# the two require_* flags ask for 128-bit MPPE encryption.
use_mppe = yes
require_encryption = yes
require_strong = yes
}
# authorize: modules run in this order before authentication. "eap" must be
# listed so requests carrying EAP-Message are routed to Auth-Type EAP;
# "files" looks the user up in the users file (/etc/raddb/users) shown below.
authorize {
preprocess
chap
mschap
suffix
eap
files
}
# authenticate: one group per Auth-Type. PEAP requests end up in the trailing
# "eap" entry; rlm_eap then hands the tunneled MS-CHAPv2 to the MS-CHAP group,
# which is why the debug logs later show "entering group MS-CHAP".
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
eap
}
- clients.conf
# clients.conf: every NAS in 192.168.40.0/24 may talk to this server, all
# with the same shared secret. NOTE(review): "secret" is a placeholder;
# RADIUS packet authenticators and the MS-MPPE key encryption both rest on
# this value, so use a long random secret (ideally one per NAS) outside a lab.
client 192.168.40.0/24 {
secret = secret
shortname = authenticator
}
- eap.conf
# egrep -v "#" eap.conf | grep -v "^$" | less
# eap.conf (comments filtered out): PEAP is the outer method, MS-CHAPv2 the
# inner one.
eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
md5 {
}
leap {
}
gtc {
auth_type = PAP
}
# tls: cert-srv.pem holds both the server key and certificate, and demoCA is
# the sample CA that came with the package. The key passphrase is "whatever",
# so radiusd prompts for it at startup unless private_key_password is set.
# NOTE(review): sample CA/certificate material is fine for this test; a real
# deployment needs its own CA and server certificate.
tls {
private_key_file = ${raddbdir}/certs/cert-srv.pem
certificate_file = ${raddbdir}/certs/cert-srv.pem
CA_file = ${raddbdir}/certs/demoCA/cacert.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
}
# peap: inner method MS-CHAPv2; the Windows clients presumably trust the
# demoCA certificate distributed as cacert.der further down.
peap {
default_eap_type = mschapv2
}
mschapv2 {
}
}
証明書は radius をパッケージでインストールしたときに入ってた。
# pwd
/etc/raddb/certs
# ls
README cert-clt.p12 cert-srv.der cert-srv.pem dh newreq.pem root.der root.pem
cert-clt.der cert-clt.pem cert-srv.p12 demoCA newcert.pem random root.p12
private key ( cert-srv.pem ) のパスフレーズは whatever
# openssl rsa -text -in cert-srv.pem
Enter pass phrase for cert-srv.pem: whatever
Private-Key: (1024 bit)
modulus:
00:da:c5:25:42:2b:fe:db:08:26:29:a2:cb:a4:4b:
34:49:c9:0d:0a:b4:62:fb:72:c8:43:4a:78:20:98:
86:3d:7e:b7:d7:e7:00:28:c2:b7:ad:55:5a:51:cc:
75:6c:f4:fa:1d:70:91:61:5a:b4:50:d5:28:95:53:
ae:66:16:af:f0:14:a5:50:85:d6:b8:fb:4a:ee:98:
- users ( /etc/raddb/users )
"user600" User-Password == "user600"
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-ID = 600
- 起動
# /etc/init.d/radiusd start
RADIUS サービスを起動中: Fri Mar 19 14:09:17 2010 : Info: Starting - reading configuration files ...
[失敗]
エラー。
ログは、パーミッションの問題かな。
Error: rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied
Error: rlm_eap_tls: Error reading certificate file
Error: rlm_eap: Failed to initialize type tls
Error: radiusd.conf[10]: eap: Module instantiation failed.
Error: radiusd.conf[1940] Unknown module "eap".
Error: radiusd.conf[1887] Failed to parse authenticate section.
radiusd.conf を修正。下記の user / group をコメントアウト（radiusd が root のまま動くため権限エラーは消えるが、本来は certs 以下の所有者・パーミッションを radiusd ユーザー向けに直す方がよい）。
#user = radiuds
#group = radiusd
再度起動。
秘密鍵 cert-srv.pem のパスフレーズを聞かれる。
# /etc/init.d/radiusd start
RADIUS サービスを起動中 : Info: Starting - reading configuration files ...
Enter PEM pass phrase: whatever
- パスフレーズを eap.conf に追加すると、起動時に聞かれなくなる。
private_key_password = whatever
private_key_file = ${raddbdir}/certs/cert-srv.pem
# /etc/init.d/radiusd start
RADIUS サービスを起動中: Fri Mar 19 14:18:14 2010 : Info: Starting - reading configuration files ...
[ OK ]
eap.conf にパスフレーズを平文で書くのが嫌な場合は、秘密鍵のパスフレーズを解除した
鍵を作成する。
# openssl rsa -in cert-srv.pem -out cert-srv-nopass.pem
Enter pass phrase for cert-srv.pem:whatever
writing RSA key
- eap.conf
#private_key_password = whatever
#private_key_file = ${raddbdir}/certs/cert-srv.pem
private_key_file = ${raddbdir}/certs/cert-srv-nopass.pem
# /etc/init.d/radiusd start
RADIUS サービスを起動中: Fri Mar 19 14:26:07 2010 : Info: Starting - reading configuration files ...
[ OK ]
[ コンフィグ ]
# egrep -v "#" radiusd.conf | grep -v "^$"
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/lib64
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
pap {
encryption_scheme = crypt
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
cache = no
cache_reload = 600
shadow = /etc/shadow
radwtmp = ${logdir}/radwtmp
}
$INCLUDE ${confdir}/eap.conf
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
}
ldap {
server = "ldap.your.domain"
basedn = "o=My Org,c=UA"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
start_tls = no
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
}
realm IPASS {
format = prefix
delimiter = "/"
ignore_default = no
ignore_null = no
}
realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}
realm realmpercent {
format = suffix
delimiter = "%"
ignore_default = no
ignore_null = no
}
realm ntdomain {
format = prefix
delimiter = "\\"
ignore_default = no
ignore_null = no
}
checkval {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
compat = no
}
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
sqlcounter dailycounter {
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
sqlmod-inst = sql
key = User-Name
reset = daily
query = "SELECT SUM(AcctSessionTime - \
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
FROM radacct WHERE UserName='%{%k}' AND \
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}
sqlcounter monthlycounter {
counter-name = Monthly-Session-Time
check-name = Max-Monthly-Session
sqlmod-inst = sql
key = User-Name
reset = monthly
query = "SELECT SUM(AcctSessionTime - \
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
FROM radacct WHERE UserName='%{%k}' AND \
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr {
}
digest {
}
exec {
wait = yes
input_pairs = request
}
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
}
ippool main_pool {
range-start = 192.168.1.1
range-stop = 192.168.3.254
netmask = 255.255.255.0
cache-size = 800
session-db = ${raddbdir}/db.ippool
ip-index = ${raddbdir}/db.ipindex
override = no
maximum-timeout = 0
}
}
instantiate {
exec
expr
}
authorize {
preprocess
chap
mschap
suffix
eap
files
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
eap
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
unix
radutmp
}
session {
radutmp
}
post-auth {
}
pre-proxy {
}
post-proxy {
eap
}
# egrep -v "#" eap.conf | grep -v "^$"
# eap.conf after the passphrase was removed from the server key.
eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
md5 {
}
leap {
}
gtc {
auth_type = PAP
}
tls {
# cert-srv-nopass.pem is the unencrypted copy of the server key; it is now
# protected by file permissions alone, so it should be readable only by the
# account radiusd runs as. NOTE(review): the earlier "Permission denied" was
# worked around by commenting out user/group in radiusd.conf (running as
# root); fixing ownership of the certs directory is the better fix.
private_key_file = ${raddbdir}/certs/cert-srv-nopass.pem
certificate_file = ${raddbdir}/certs/cert-srv.pem
CA_file = ${raddbdir}/certs/demoCA/cacert.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
}
peap {
default_eap_type = mschapv2
}
mschapv2 {
}
}
- clients.conf
# clients.conf: one entry for the whole 192.168.40.0/24 NAS network.
# NOTE(review): "secret" is a placeholder shared secret; packet authenticators
# and MS-MPPE key encryption depend on it, so use a long random value
# (ideally one per NAS) outside a lab.
client 192.168.40.0/24 {
secret = secret
shortname = authenticator
}
- users
"user600" User-Password == "user600"
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-ID = 600
- debug モードで起動する方法
# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
- Windows用に配布するため CA証明書を der 形式に変更
# openssl x509 -in certs/demoCA/cacert.pem -out cacert.der -outform DER
- 確認
CA証明書の読み込み。
cacert.der をダブルクリック -> 証明書のインストール
802.1x の設定 ( ローカルエリア接続 -> 認証 )
- radiusd -X
エラーが。
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
これが原因っぽい。users に登録しているパスワードが NT Password じゃないのがダメっぽい。（なお、ログやキャプチャの User-Name は host/directpath-01 で、users に登録した user600 ではない点にも注意。）
ldap に NT Password を持たせようかな。。
- radiusd.conf の下記がヒントにならないかな。。
# The module can perform authentication itself, OR
# use a Windows Domain Controller. This configuration
# directive tells the module to call the ntlm_auth
# program, which will do the authentication, and return
# the NT-Key. Note that you MUST have "winbindd" and
# "nmbd" running on the local machine for ntlm_auth
# to work. See the ntlm_auth program documentation
# for details.
#
# Be VERY careful when editing the following line!
#
#ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
[ logs ]
modcall: entering group MS-CHAP for request 6
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for host/directpath-01 with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 6
modcall: leaving group MS-CHAP (returns reject) for request 6
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 6
modcall: leaving group authenticate (returns reject) for request 6
auth: Failed to validate the user.
PEAP: Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\007E=691 R=1"
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Processing from tunneled session code 0x2b769e6ecbe0 3
MS-CHAP-Error = "\007E=691 R=1"
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
modcall[authenticate]: module "eap" returns handled for request 6
[ capture date ]
- Authenticator -> Radius
Radius Protocol
Code: Access-Request (1)
Packet identifier: 0x10 (16)
Length: 212
Authenticator: FF5012C9ACFCE30A6BFF8D314AB52EB5
[Duplicate Request: 16]
Attribute Value Pairs
AVP: l=6 t=Framed-MTU(12): 1466
Framed-MTU: 1466
AVP: l=6 t=NAS-IP-Address(4): 192.168.40.2
NAS-IP-Address: 192.168.40.2 (192.168.40.2)
AVP: l=20 t=User-Name(1): host/directpath-01
User-Name: host/directpath-01
AVP: l=6 t=Service-Type(6): Framed-User(2)
Service-Type: Framed-User (2)
AVP: l=6 t=NAS-Port(5): 14
NAS-Port: 14
AVP: l=6 t=NAS-Port-Type(61): Ethernet(15)
NAS-Port-Type: Ethernet (15)
AVP: l=10 t=NAS-Port-Id(87): Port 0/5
NAS-Port-Id: Port 0/5
AVP: l=19 t=Called-Station-Id(30): 00-12-e2-08-16-23
Called-Station-Id: 00-12-e2-08-16-23
AVP: l=19 t=Calling-Station-Id(31): 00-1b-21-51-0d-a1
Calling-Station-Id: 00-1b-21-51-0d-a1
AVP: l=18 t=Connect-Info(77): CONNECT Ethernet
Connect-Info: CONNECT Ethernet
AVP: l=18 t=State(24): 7B5EF9DF9F8E0297AE6D2C50452EF6B1
State: 7B5EF9DF9F8E0297AE6D2C50452EF6B1
AVP: l=40 t=EAP-Message(79) Last Segment[1]
EAP fragment
Extensible Authentication Protocol
Code: Response (2)
Id: 8
Length: 38
Type: PEAP [Palekar] (25)
Flags(0x0):
PEAP version 0
Secure Socket Layer
TLSv1 Record Layer: Application Data Protocol: Application Data
Content Type: Application Data (23)
Version: TLS 1.0 (0x0301)
Length: 27
Encrypted Application Data: 41A61AD82F413913241CFD40ED95E4EFE790532A9CCBD397...
AVP: l=18 t=Message-Authenticator(80): 9724A3EBACCB70712C491EE1CEB86AD1
Message-Authenticator: 9724A3EBACCB70712C491EE1CEB86AD1
- Radius -> Authenticator
Radius Protocol
Code: Access-Reject (3)
Packet identifier: 0x10 (16)
Length: 44
Authenticator: B2B6E80D46E6DA5495652BF6A9E1302B
[This is a response to a request in frame 15]
[Time from request: 4.112476000 seconds]
Attribute Value Pairs
AVP: l=6 t=EAP-Message(79) Last Segment[1]
EAP fragment
Extensible Authentication Protocol
Code: Failure (4)
Id: 8
Length: 4
AVP: l=18 t=Message-Authenticator(80): AD7EF69831A941A95F2C25F65BF5F74B
Message-Authenticator: AD7EF69831A941A95F2C25F65BF5F74B
users のパスワードを Cleartext-Password に変更すればできそうなことが書いてあるが、
freeradius 1.1.3 にはこの指定ができない。
Radiusのバージョンを 2.1.7 に変更
[root@localhost ~]# rpm -qa | grep radius
freeradius2-2.1.7-6.el5
証明書、鍵の作成
/etc/raddb/certs/bootstrap スクリプトを実行
[root@localhost certs]# pwd
/etc/raddb/certs
[root@localhost certs]# ./bootstrap
openssl dhparam -out dh 1024
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..........+...................................+..................+..........................................................+.......+.............+..................................................................................................+.........................................+............+...............................................+.........................................................................................................+......................................................................................+..................................................................................................................+.........+............................+....................................................................................................+...............................................+......................................................+.........+.....+............................+.....................................................................................++*++*++*
openssl req -new -out server.csr -keyout server.key -config ./server.cnf
Generating a 2048 bit RSA private key
.........................+++
.............................................................................+++
writing new private key to 'server.key'
-----
openssl req -new -x509 -keyout ca.key -out ca.pem \
-days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf
Generating a 2048 bit RSA private key
.................................................................................................................+++
................................................................................................................................+++
writing new private key to 'ca.key'
-----
openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
Using configuration from ./server.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 23 02:02:14 2010 GMT
Not After : Mar 23 02:02:14 2011 GMT
Subject:
countryName = FR
stateOrProvinceName = Radius
organizationName = Example Inc.
commonName = Example Server Certificate
emailAddress = admin@example.com
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
Certificate is to be certified until Mar 23 02:02:14 2011 GMT (365 days)
Write out database with 1 new entries
Data Base Updated
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
MAC verified OK
openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der
[root@localhost certs]# ls
01.pem ca.cnf client.cnf index.txt.old server.cnf server.p12
Makefile ca.der dh random server.crt server.pem
README ca.key index.txt serial server.csr xpextensions
bootstrap ca.pem index.txt.attr serial.old server.key
[root@localhost certs]#
- コンフィグ
[root@localhost raddb]# egrep -v "#" radiusd.conf | egrep -v "^$"
# radiusd.conf of freeradius2 2.1.7 with comments filtered out.
# NOTE(review): no user/group directive survives the filter, so radiusd may
# still be running as root here — confirm it drops privileges before deploying.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib64/freeradius
pidfile = ${run_dir}/${name}.pid
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
# two listeners (auth, acct) on all addresses; port = 0 takes the port
# numbers from /etc/services.
listen {
type = auth
ipaddr = *
port = 0
}
listen {
ipaddr = *
port = 0
type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
# log: auth = no means successful/failed authentications are not written to
# radius.log; auth = yes is usually wanted on an 802.1X server for auditing.
log {
destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
# status_server = yes: answer Status-Server probes from configured clients.
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
proxy_requests = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
# modules now live in modules/ (the mschap file is shown further down);
# eap.conf is still included separately.
modules {
$INCLUDE ${confdir}/modules/
$INCLUDE eap.conf
}
instantiate {
exec
expr
expiration
logintime
}
$INCLUDE policy.conf
# sites-enabled/ holds the virtual servers, including the "inner-tunnel"
# that eap.conf's peap/ttls blocks reference.
$INCLUDE sites-enabled/
[root@localhost raddb]# egrep -v "#" eap.conf | egrep -v "^$"
# eap.conf of freeradius2 2.1.7, after ./bootstrap generated the certificates.
eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
md5 {
}
leap {
}
gtc {
auth_type = PAP
}
tls {
certdir = ${confdir}/certs
cadir = ${confdir}/certs
# "whatever" is the output_password from server.cnf that bootstrap passed to
# openssl (see the -passin pass: lines in its output above). NOTE(review):
# that passphrase and the "Example Inc." subject are bootstrap defaults;
# edit ca.cnf/server.cnf before generating certificates for real use.
private_key_password = whatever
private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem
dh_file = ${certdir}/dh
random_file = ${certdir}/random
cipher_list = "DEFAULT"
# presumably run to (re)generate the certificates when they are missing — confirm
make_cert_command = "${certdir}/bootstrap"
# TLS session caching is off.
cache {
enable = no
max_entries = 255
}
}
ttls {
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
# peap: the tunneled MS-CHAPv2 is processed by the inner-tunnel virtual server.
# NOTE(review): use_tunneled_reply = no keeps the inner reply items (the
# Tunnel-* VLAN attributes from the users file) out of the outer
# Access-Accept — presumably why the Access-Accept at the end of these notes
# carries no Tunnel-* attributes. Set use_tunneled_reply = yes if the switch
# is meant to receive the VLAN assignment.
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
mschapv2 {
}
}
[root@localhost raddb]# egrep -v "#" users | egrep -v "^$"
# users file (comments filtered out). The three DEFAULT entries are the stock
# PPP/SLIP hint entries and play no part in the 802.1X test.
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"
Framed-Protocol = SLIP
# user600: Cleartext-Password := gives rlm_mschap a password it can derive the
# NT hash from, which the 1.1.3 "User-Password ==" form in these notes did
# not. The Tunnel-* reply items are the dynamic VLAN assignment (VLAN 600)
# for the switch; NOTE(review): they only reach the NAS if eap.conf's peap
# block sets use_tunneled_reply = yes. Test account: password equals user name.
"user600" Cleartext-Password := "user600"
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-ID = 600
[root@localhost modules]# pwd
/etc/raddb/modules
[root@localhost modules]# egrep -v "#" mschap | egrep -v "^$"
# /etc/raddb/modules/mschap (comments filtered out): same settings as in the
# 1.1.3 setup — return MPPE keys to the NAS and require 128-bit encryption.
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
}
- 動作確認
802.1x の設定 ( ローカルエリア接続 -> 認証 )
認証できた。
radius のログ ( radiusd -X ) に "Access-Accept" が出る。
Sending Access-Accept of id 75 to 192.168.40.2 port 65532
MS-MPPE-Recv-Key = 0xb8ef51d4eca31521548b0da612603d62bc7ce9385f62babc526d12bc4db87ab4
MS-MPPE-Send-Key = 0xc75d283b51302535234e8167752f83e91c7a0c164a253a7290a61fd234ccb072
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "user600"