This is a discussion on Re: vlan + ldap within the FreeRADIUS Users forums, part of the Networking and Network Related category.
Alan DeKok wrote:

> REMY Lionel <remy@cict.fr> wrote:
>
>> I use freeradius 1.0.1 to authenticate wireless users with EAP-TTLS or PEAP against an LDAP backend.
>
> No. LDAP is a database, not an authentication server. LDAP supplies a clear-text password, and FreeRADIUS does EAP authentication.
>
>> It works... but with some conditions. The NAS puts the user in the good vlan if the vlan reply items are _outside_ the TLS tunnel.
>
> Yes... the NAS can't see inside the TLS tunnel.
>
>> So I have to put the same User-Name in the request inside _and_ outside the tunnel to take effect because the option "use_tunneled_reply" in eap.conf doesn't work with PEAP.
>
> Hmm... that may be a bug.
>
>> And it is a security problem: If I know a valid User-Name authorized to access another vlan, I can authenticate with my credentials, but putting that valid User-Name outside the tunnel permits me to access the vlan attached to this User-Name.
>
> Sounds like a problem.
>
>> My question is: How can I solve this problem?
>
> Fix the PEAP module so "use_tunneled_reply" works.
>
> When the code was written, it was tested & verified to work. It *doesn't* work when the tunneled session is proxied to another server.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

In fact, "use_tunneled_reply" works with PEAP when I put the same User-Name inside and outside the tunnel, but creates an error if I put a different User-Name:

rlm_eap: Request found, released from the list
rlm_eap: Identity does not match User-Name. Authentication failed.
rlm_eap: Failed in handler

But using the option "use_tunneled_reply" in EAP-TTLS doesn't solve my problem of 'vlan stealing' because the Access-Accept looks like this:

Sending Access-Accept of id 106 to 130.120.72.240:21645
Tunnel-Private-Group-Id:0 = "Personnel"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "Etudiant"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
MS-MPPE-Recv-Key = 0x18670f0b4afee475cdad5059c42deb55f3e21a7df625f240f566de8b577ef97e
MS-MPPE-Send-Key = 0x7c5f2b88ae6c3280e2c121d52a5f721d03c23ae2e4e88b61cb555abfc519e81b
EAP-Message = 0x03060004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "persotest"
Finished request 4

And of course, it is the wrong vlan that is considered by the access point :(

Is there a solution to that problem, manipulating attributes?

Regards,
REMY Lionel

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
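The Access-Accept quoted in the post carries two Tunnel-Private-Group-Id values under the same tag, one from the outer (unauthenticated) User-Name and one from the inner identity, and the access point picks the wrong one. The following Python script is an added example, not code from the post or from the FreeRADIUS project: it parses a reply dump in the `Name[:tag] = value` format shown above and flags a reply that carries conflicting VLAN names for one tag, or whose User-Name does not match the identity that was actually authenticated inside the tunnel. The two dumps are constructed from the post's output, and `inner_identity` is an assumed input (the post does not show where the inner identity is logged), so the caller supplies it.

```python
from collections import defaultdict

# Constructed sample, modelled on the Access-Accept dump in the post above:
# two Tunnel-Private-Group-Id values arrive in one reply.
CONFLICTING_ACCEPT = """\
Sending Access-Accept of id 106 to 130.120.72.240:21645
Tunnel-Private-Group-Id:0 = "Personnel"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "Etudiant"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
EAP-Message = 0x03060004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "persotest"
Finished request 4
"""

# Constructed sample of a reply that carries a single VLAN assignment.
CLEAN_ACCEPT = """\
Sending Access-Accept of id 107 to 130.120.72.240:21645
Tunnel-Private-Group-Id:0 = "Etudiant"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
User-Name = "etudtest"
Finished request 5
"""


def parse_reply(dump):
    """Turn the 'Name[:tag] = value' lines of a radiusd -X reply dump into
    (name, tag, value) tuples; lines without ' = ' are ignored."""
    attrs = []
    for raw in dump.splitlines():
        line = raw.strip()
        if " = " not in line:
            continue
        lhs, _, rhs = line.partition(" = ")
        name, _, tag = lhs.partition(":")
        attrs.append((name, int(tag) if tag else None, rhs.strip().strip('"')))
    return attrs


def vlan_assignments(attrs):
    """Map each tunnel tag to the distinct VLAN names (Tunnel-Private-Group-Id)
    it carries, in order of appearance."""
    by_tag = defaultdict(list)
    for name, tag, value in attrs:
        if name == "Tunnel-Private-Group-Id" and value not in by_tag[tag]:
            by_tag[tag].append(value)
    return dict(by_tag)


def find_conflicts(dump):
    """Return [(tag, [vlan, ...])] for every tag that carries more than one VLAN name."""
    return [(tag, vlans)
            for tag, vlans in vlan_assignments(parse_reply(dump)).items()
            if len(vlans) > 1]


def audit_accept(dump, inner_identity):
    """Flag a reply that carries conflicting VLANs or whose User-Name differs
    from the identity authenticated inside the tunnel (assumed input)."""
    attrs = parse_reply(dump)
    user_names = [v for n, _, v in attrs if n == "User-Name"]
    return {
        "vlan_conflicts": find_conflicts(dump),
        "user_name_mismatch": any(u != inner_identity for u in user_names),
    }


if __name__ == "__main__":
    for label, dump in (("conflicting", CONFLICTING_ACCEPT), ("clean", CLEAN_ACCEPT)):
        print(label, audit_accept(dump, "persotest"))
```

Run over the post's dump, `find_conflicts` reports tag 0 carrying both "Personnel" and "Etudiant", which is exactly the condition under which the NAS ends up applying whichever value it reads first; a reply that passes both checks carries one VLAN per tag and a User-Name equal to the tunneled identity.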