  5. # -*- text -*-
  6. ######################################################################
  7. #
  8. # This is a virtual server that handles *only* inner tunnel
  9. # requests for EAP-TTLS and PEAP types.
  10. #
  11. # $Id$
  12. #
  13. ######################################################################
  14.  
  15. server inner-tunnel {
  16.  
  17. #
  18. # This next section is here to allow testing of the "inner-tunnel"
  19. # authentication methods, independently from the "default" server.
  20. # It is listening on "localhost", so that it can only be used from
  21. # the same machine.
  22. #
  23. # $ radtest USER PASSWORD 127.0.0.1:18120 0 testing123
  24. #
  25. # If it works, you have configured the inner tunnel correctly. To check
  26. # if PEAP will work, use:
  27. #
  28. # $ radtest -t mschap USER PASSWORD 127.0.0.1:18120 0 testing123
  29. #
  30. # If that works, PEAP should work. If that command doesn't work, then
  31. #
  32. # FIX THE INNER TUNNEL CONFIGURATION UNTIL IT WORKS.
  33. #
  34. # Do NOT keep testing PEAP. It won't help.
  35. #
  36. listen {
  37. ipaddr = 127.0.0.1
  38. port = 18120
  39. type = auth
  40. }
  41.  
  42.  
  43. # Authorization. First preprocess (hints and huntgroups files),
  44. # then realms, and finally look in the "users" file.
  45. #
  46. # The order of the realm modules will determine the order that
  47. # we try to find a matching realm.
  48. #
  49. # Make *sure* that 'preprocess' comes before any realm if you
  50. # need to setup hints for the remote radius server
  51. authorize {
  52.  
  53. #
  54. # The chap module will set 'Auth-Type := CHAP' if we are
  55. # handling a CHAP request and Auth-Type has not already been set
  56. chap
  57.  
  58. #
  59. # If the users are logging in with an MS-CHAP-Challenge
  60. # attribute for authentication, the mschap module will find
  61. # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
  62. # to the request, which will cause the server to then use
  63. # the mschap module for authentication.
  64. mschap
  65.  
  66. #
  67. # If you want the inner tunnel request to be proxied, delete
  68. # the next few lines.
  69. #
  70.  
  71. #<GuestManager> Disabled proxy to realm </GuestManager>
  72. #update control {
  73. # Proxy-To-Realm := LOCAL
  74. #}
  75.  
  76. #
  77. # This module takes care of EAP-MSCHAPv2 authentication.
  78. #
  79. # It also sets the EAP-Type attribute in the request
  80. # attribute list to the EAP type from the packet.
  81. #
  82. # The example below uses module failover to avoid querying all
  83. # of the following modules if the EAP module returns "ok".
  84. # Therefore, your LDAP and/or SQL servers will not be queried
  85. # for the many packets that go back and forth to set up TTLS
  86. # or PEAP. The load on those servers will therefore be reduced.
  87. #
  88. eap {
  89. ok = return
  90. }
  91.  
  92. # peap/eap-tls
  93. inner-eap
  94.  
  95. #
  96. # Look in an SQL database. The schema of the database
  97. # is meant to mirror the "users" file.
  98. #
  99. # See "Authorization Queries" in sql.conf
  100. #GuestManager> Enable sql authentication </GuestManager>
  101. sql
  102.  
  103. #
  104. # If no other module has claimed responsibility for
  105. # authentication, then try to use PAP. This allows the
  106. # other modules listed above to add a "known good" password
  107. # to the request, and to do nothing else. The PAP module
  108. # will then see that password, and use it to do PAP
  109. # authentication.
  110. #
  111. # This module should be listed last, so that the other modules
  112. # get a chance to set Auth-Type for themselves.
  113. #
  114.  
  115. #<GuestManager> For pap/others run radius-user-auth </GuestManager>
  116. if(!control:Auth-Type) {
  117. update control {
  118. Auth-Type := PAP
  119. }
  120. }
  121.  
  122. }
  123.  
  124.  
  125. # Authentication.
  126. #
  127. #
  128. # This section lists which modules are available for authentication.
  129. # Note that it does NOT mean 'try each module in order'. It means
  130. # that a module from the 'authorize' section adds a configuration
  131. # attribute 'Auth-Type := FOO'. That authentication type is then
  132. # used to pick the apropriate module from the list below.
  133. #
  134.  
  135. # In general, you SHOULD NOT set the Auth-Type attribute. The server
  136. # will figure it out on its own, and will do the right thing. The
  137. # most common side effect of erroneously setting the Auth-Type
  138. # attribute is that one authentication method will work, but the
  139. # others will not.
  140. #
  141. # The common reasons to set the Auth-Type attribute by hand
  142. # is to either forcibly reject the user, or forcibly accept him.
  143. #
  144. authenticate {
  145. #
  146. # PAP authentication, when a back-end database listed
  147. # in the 'authorize' section supplies a password. The
  148. # password can be clear-text, or encrypted.
  149. Auth-Type PAP {
  150. python
  151. }
  152.  
  153. #
  154. # Most people want CHAP authentication
  155. # A back-end database listed in the 'authorize' section
  156. # MUST supply a CLEAR TEXT password. Encrypted passwords
  157. # won't work.
  158. Auth-Type CHAP {
  159. chap
  160. }
  161.  
  162. #
  163. # MSCHAP authentication.
  164. Auth-Type MS-CHAP {
  165.  
  166. update control {
  167. Idm-Stripped-User-Name := "%{User-Name}"
  168. Idm-Domain := ""
  169. }
  170.  
  171. if ("%{User-Name}" =~ /^(.*)@(.*)$/) {
  172.  
  173. update control {
  174. Idm-Stripped-User-Name := "%{1}"
  175. Idm-Domain := "%{2}"
  176. }
  177.  
  178. ok
  179.  
  180. }
  181.  
  182. if ("%{User-Name}" =~ /^(.*)\\\\(.*)$/) {
  183.  
  184. update control {
  185. Idm-Stripped-User-Name := "%{2}"
  186. Idm-Domain := "%{1}"
  187. }
  188.  
  189. ok
  190.  
  191. }
  192.  
  193. # machine auth in format: host/WIN-G7D4O2EJ7D1.identitynetworks.com
  194. # has username WIN-G7D4O2EJ7D1$ and domain identitynetworks.com
  195.  
  196. if ("%{User-Name}" =~ /^host\/([^\.]*)\\.(.*)$/) {
  197.  
  198. update control {
  199. Idm-Stripped-User-Name := "%{toupper:%{1}}$"
  200. Idm-Domain := "%{2}"
  201. }
  202.  
  203. ok
  204.  
  205. }
  206.  
  207.  
  208. # If we have a password then we're doing the auth with FreeRADIUS MSCHAP implementation, if not we pass
  209. # it onto ntlm_auth.
  210.  
  211. if ("%{control:Cleartext-Password}" != "") {
  212.  
  213. update control {
  214. # don't let it try ntlm_auth
  215. MS-CHAP-Use-NTLM-Auth := 0
  216. }
  217.  
  218. mschap
  219.  
  220. }
  221.  
  222. else {
  223.  
  224. mschap
  225.  
  226. }
  227.  
  228. }
  229.  
  230. #
  231. # Allow EAP authentication.
  232. eap
  233.  
  234. # peap/eap-tls
  235. inner-eap
  236. }
  237.  
  238. ######################################################################
  239. #
  240. # There are no accounting requests inside of EAP-TTLS or PEAP
  241. # tunnels.
  242. #
  243. ######################################################################
  244.  
  245.  
  246.  
  247. # Post-Authentication
  248. # Once we KNOW that the user has been authenticated, there are
  249. # additional steps we can take.
  250. post-auth {
  251.  
  252. # Run the Guest Manager authorization if its not already been run
  253. if (!reply:Idm-Auth) {
  254. update request {
  255. Cleartext-Password = "%{control:Cleartext-Password}"
  256. }
  257.  
  258. # In modules/mschap we use ntlm_auth to authenticate against AD with MSCHAPv2. Copy the returned NTLM auth attributes from the reply
  259. # to the request so we can check if we had a successful NTLM auth in RadiusUserAuth.php.
  260. #
  261. # If any one of these attributes is set, they all are: see /modules/rlm_mschap/rlm_mschap.c
  262. #
  263. # If these aren't set but the RADIUS logs says "adding MS-CHAPv2 MPPE keys" then check your freeradius is up to date (2.1.12 and later)
  264.  
  265. if (reply:MS-MPPE-Recv-Key) {
  266.  
  267. update request {
  268. MS-MPPE-Recv-Key = "%{reply:MS-MPPE-Recv-Key}"
  269. MS-MPPE-Send-Key = "%{reply:MS-MPPE-Send-Key}"
  270. MS-MPPE-Encryption-Policy = "%{reply:MS-MPPE-Encryption-Policy}"
  271. MS-MPPE-Encryption-Types = "%{reply:MS-MPPE-Encryption-Types}"
  272. }
  273.  
  274. }
  275.  
  276. # Not sure if we'll ever see this as we shouldn't get this far if an error occurs.
  277.  
  278. if (reply:MS-CHAP-Error) {
  279.  
  280. update request {
  281. MS-CHAP-Error = "{%reply:MS-CHAP-Error}"
  282. }
  283.  
  284. }
  285.  
  286. python
  287. }
  288.  
  289. }
  290.  
  291.  
  292. } # inner-tunnel server block