- # -*- text -*-
- ######################################################################
- #
- # This is a virtual server that handles *only* inner tunnel
- # requests for EAP-TTLS and PEAP types.
- #
- # $Id$
- #
- ######################################################################
- server inner-tunnel {
- #
- # This next section is here to allow testing of the "inner-tunnel"
- # authentication methods, independently from the "default" server.
- # It is listening on "localhost", so that it can only be used from
- # the same machine.
- #
- # $ radtest USER PASSWORD 127.0.0.1:18120 0 testing123
- #
- # If it works, you have configured the inner tunnel correctly. To check
- # if PEAP will work, use:
- #
- # $ radtest -t mschap USER PASSWORD 127.0.0.1:18120 0 testing123
- #
- # If that works, PEAP should work. If that command doesn't work, then
- #
- # FIX THE INNER TUNNEL CONFIGURATION UNTIL IT WORKS.
- #
- # Do NOT keep testing PEAP. It won't help.
- #
- # NOTE(review): the last radtest argument is the RADIUS shared secret, and
- # "testing123" is the widely known sample value. It is presumably the
- # secret of the localhost client in clients.conf (not shown here) - confirm,
- # and replace it on any host where other local users are not trusted.
- #
- # This listener accepts the inner methods (PAP, CHAP, MS-CHAP) directly,
- # without the outer TLS tunnel that normally protects them, so it must
- # stay bound to the loopback address.
- #
- listen {
- # Loopback only: not reachable from other machines.
- ipaddr = 127.0.0.1
- port = 18120
- # Authentication requests only; this virtual server defines no
- # accounting section.
- type = auth
- }
- # Authorization. First preprocess (hints and huntgroups files),
- # then realms, and finally look in the "users" file.
- #
- # The order of the realm modules will determine the order that
- # we try to find a matching realm.
- #
- # Make *sure* that 'preprocess' comes before any realm if you
- # need to setup hints for the remote radius server
- #
- # NOTE(review): the paragraph above describes the stock layout. The
- # section below lists only chap, mschap, eap, inner-eap and sql: there
- # is no 'preprocess', no realm module and no "users" file lookup here.
- authorize {
- #
- # The chap module will set 'Auth-Type := CHAP' if we are
- # handling a CHAP request and Auth-Type has not already been set
- chap
- #
- # If the users are logging in with an MS-CHAP-Challenge
- # attribute for authentication, the mschap module will find
- # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
- # to the request, which will cause the server to then use
- # the mschap module for authentication.
- mschap
- #
- # If you want the inner tunnel request to be proxied, delete
- # the next few lines.
- #
- # NOTE(review): the lines are commented out below, so inner-tunnel
- # requests are no longer pinned to the LOCAL realm. No realm module
- # is listed in this section, so proxying is presumably not triggered
- # from here - confirm that nothing else sets Proxy-To-Realm, because
- # a proxied inner request carries the user's credentials to the
- # home server.
- #
- #<GuestManager> Disabled proxy to realm </GuestManager>
- #update control {
- # Proxy-To-Realm := LOCAL
- #}
- #
- # This module takes care of EAP-MSCHAPv2 authentication.
- #
- # It also sets the EAP-Type attribute in the request
- # attribute list to the EAP type from the packet.
- #
- # The example below uses module failover to avoid querying all
- # of the following modules if the EAP module returns "ok".
- # Therefore, your LDAP and/or SQL servers will not be queried
- # for the many packets that go back and forth to set up TTLS
- # or PEAP. The load on those servers will therefore be reduced.
- #
- eap {
- ok = return
- }
- # peap/eap-tls
- inner-eap
- #
- # Look in an SQL database. The schema of the database
- # is meant to mirror the "users" file.
- #
- # See "Authorization Queries" in sql.conf
- #<GuestManager> Enable sql authentication </GuestManager>
- sql
- #
- # If no other module has claimed responsibility for
- # authentication, then try to use PAP. This allows the
- # other modules listed above to add a "known good" password
- # to the request, and to do nothing else. The PAP module
- # will then see that password, and use it to do PAP
- # authentication.
- #
- # This module should be listed last, so that the other modules
- # get a chance to set Auth-Type for themselves.
- #
- # In this file the stock 'pap' module call is replaced by the
- # block below: every request that reaches this point without an
- # Auth-Type is forced to Auth-Type PAP, which the authenticate
- # section of this server hands to the 'python' module. That makes
- # the python module the decision point for all such requests.
- #
- #<GuestManager> For pap/others run radius-user-auth </GuestManager>
- if(!control:Auth-Type) {
- update control {
- Auth-Type := PAP
- }
- }
- }
- # Authentication.
- #
- #
- # This section lists which modules are available for authentication.
- # Note that it does NOT mean 'try each module in order'. It means
- # that a module from the 'authorize' section adds a configuration
- # attribute 'Auth-Type := FOO'. That authentication type is then
- # used to pick the appropriate module from the list below.
- #
- # In general, you SHOULD NOT set the Auth-Type attribute. The server
- # will figure it out on its own, and will do the right thing. The
- # most common side effect of erroneously setting the Auth-Type
- # attribute is that one authentication method will work, but the
- # others will not.
- #
- # The common reasons to set the Auth-Type attribute by hand
- # is to either forcibly reject the user, or forcibly accept him.
- #
- authenticate {
- #
- # PAP authentication, when a back-end database listed
- # in the 'authorize' section supplies a password. The
- # password can be clear-text, or encrypted.
- #
- # NOTE(review): the text above is the stock description. Here the
- # PAP Auth-Type calls the 'python' module, not 'pap', so the
- # accept/reject decision for PAP (and for every request that the
- # authorize section defaulted to PAP) is made by that script.
- Auth-Type PAP {
- python
- }
- #
- # Most people want CHAP authentication
- # A back-end database listed in the 'authorize' section
- # MUST supply a CLEAR TEXT password. Encrypted passwords
- # won't work.
- Auth-Type CHAP {
- chap
- }
- #
- # MSCHAP authentication.
- #
- # The blocks below split User-Name into the control attributes
- # Idm-Stripped-User-Name and Idm-Domain before mschap runs. The
- # three patterns are tested in order and each one that matches
- # overwrites the values set by the previous ones.
- #
- # NOTE(review): User-Name is supplied by the client. The comment in
- # post-auth says modules/mschap calls ntlm_auth; if these two
- # attributes are expanded into that command line, confirm they are
- # passed as separate quoted arguments.
- Auth-Type MS-CHAP {
- # Default: the whole User-Name, with an empty domain.
- update control {
- Idm-Stripped-User-Name := "%{User-Name}"
- Idm-Domain := ""
- }
- # user@domain
- if ("%{User-Name}" =~ /^(.*)@(.*)$/) {
- update control {
- Idm-Stripped-User-Name := "%{1}"
- Idm-Domain := "%{2}"
- }
- ok
- }
- # DOMAIN\user (the separator is written with four backslashes)
- if ("%{User-Name}" =~ /^(.*)\\\\(.*)$/) {
- update control {
- Idm-Stripped-User-Name := "%{2}"
- Idm-Domain := "%{1}"
- }
- ok
- }
- # machine auth in format: host/WIN-G7D4O2EJ7D1.identitynetworks.com
- # has username WIN-G7D4O2EJ7D1$ and domain identitynetworks.com
- #
- # NOTE(review): the separator dot is written as two backslashes
- # plus a dot here, while the DOMAIN\user pattern above needs four
- # backslashes for one literal backslash. Confirm on the installed
- # server version that this is read as a literal dot.
- if ("%{User-Name}" =~ /^host\/([^\.]*)\\.(.*)$/) {
- update control {
- Idm-Stripped-User-Name := "%{toupper:%{1}}$"
- Idm-Domain := "%{2}"
- }
- ok
- }
- # If we have a password then we're doing the auth with FreeRADIUS MSCHAP implementation, if not we pass
- # it onto ntlm_auth.
- # Both branches call mschap; the only difference is the
- # MS-CHAP-Use-NTLM-Auth override in the first one.
- if ("%{control:Cleartext-Password}" != "") {
- update control {
- # don't let it try ntlm_auth
- MS-CHAP-Use-NTLM-Auth := 0
- }
- mschap
- }
- else {
- mschap
- }
- }
- #
- # Allow EAP authentication.
- eap
- # peap/eap-tls
- inner-eap
- }
- ######################################################################
- #
- # There are no accounting requests inside of EAP-TTLS or PEAP
- # tunnels.
- #
- ######################################################################
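- # Post-Authentication
- # Once we KNOW that the user has been authenticated, there are
- # additional steps we can take.
- #
- # This section copies selected control/reply attributes into the request
- # list and then calls the 'python' module, unless the reply already
- # carries Idm-Auth.
- #
- # NOTE(review): the attributes copied below are a clear-text password and
- # MS-MPPE session keys. Debug output (radiusd -X) prints attribute lists,
- # and the python script receives these values - confirm that neither the
- # debug log nor the script writes them to disk.
- post-auth {
- # Run the Guest Manager authorization if it has not already been run
- if (!reply:Idm-Auth) {
- # '=' adds the attribute only when the request does not already carry
- # one of that name. If control has no Cleartext-Password the expansion
- # is presumably empty, so the script should treat "" as "no password".
- update request {
- Cleartext-Password = "%{control:Cleartext-Password}"
- }
- # In modules/mschap we use ntlm_auth to authenticate against AD with MSCHAPv2. Copy the returned NTLM auth attributes from the reply
- # to the request so we can check if we had a successful NTLM auth in RadiusUserAuth.php.
- #
- # If any one of these attributes is set, they all are: see /modules/rlm_mschap/rlm_mschap.c
- #
- # If these aren't set but the RADIUS log says "adding MS-CHAPv2 MPPE keys" then check your freeradius is up to date (2.1.12 and later)
- if (reply:MS-MPPE-Recv-Key) {
- update request {
- MS-MPPE-Recv-Key = "%{reply:MS-MPPE-Recv-Key}"
- MS-MPPE-Send-Key = "%{reply:MS-MPPE-Send-Key}"
- MS-MPPE-Encryption-Policy = "%{reply:MS-MPPE-Encryption-Policy}"
- MS-MPPE-Encryption-Types = "%{reply:MS-MPPE-Encryption-Types}"
- }
- }
- # Not sure if we'll ever see this as we shouldn't get this far if an error occurs.
- if (reply:MS-CHAP-Error) {
- update request {
- # Fixed: the expansion was written as "{%reply:...}", which is not
- # the %{...} form used everywhere else in this file, so the request
- # would not have received the value of the reply attribute.
- MS-CHAP-Error = "%{reply:MS-CHAP-Error}"
- }
- }
- python
- }
- }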
- } # inner-tunnel server block