Discussion:
pap + mac auth authentication problem
Frédéric Goudal
2018-10-30 14:45:40 UTC
Hello,

I’m in the following situation :
- I have switches that handle both wifi and wired connections.
- on wifi connections I have EAP/PEAP authentication
- what I want is that on wired connections, if the user/password authentication fails, authentication is done on the MAC address with automatic VLAN configuration.

I have a working wifi configuration on a first server
I have a working wired configuration on a second server

Is there any way to mix both on a single server ?


Server version is 3.0.17

The wifi configuration is :

authorize {
    preprocess
    mschap
    suffix
    eap
    files
    ldap
}

authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}

The wired configuration is :
authorize {
    filter_username
    rewrite.called_station_id_ipb
    rewrite.calling_station_id_ipb
    preprocess
    suffix
    update control {
        Auth-Type := Accept
        Tunnel-Private-Group-Id := "%{ldap:ldap://ldap.xxx/ou=hosts,dc=xxx,dc=xxx?radiusTunnelPrivateGroupId?sub?(&(objectClass=radiusProfile)(macAddress=%{Calling-Station-Id}))}"
    }
    if (!"%{control:Tunnel-Private-Group-Id}") {
        reject
    }
    expiration
    logintime
}

authenticate {
}

post-auth {
    update {
        &reply: += &session-state:
    }
    -sql
    update reply {
        &Tunnel-Private-Group-Id := "%{control:Tunnel-Private-Group-Id}"
        &Tunnel-Medium-Type := "IEEE-802"
        &Tunnel-Type := "VLAN"
    }
    remove_reply_message_if_eap
    Post-Auth-Type REJECT {
        -sql
        attr_filter.access_reject
    }
    Post-Auth-Type Challenge {
    }
}


-
List info/subscribe/unsubscribe? See http://w
Alan DeKok
2018-10-30 15:51:34 UTC
Post by Frédéric Goudal
- I have switches that handle both wifi and wired connections.
- on wifi connections I have EAP/PEAP authentication
- what I want is that on wired connections, if the user/password authentication fails, authentication is done on the MAC address with automatic VLAN configuration.
I have a working wifi configuration on a first server
I have a working wired configuration on a second server
Is there any way to mix both on a single server ?
Yes.
Please don't post configurations to the list. We don't need to see them.

We're also not going to edit the configurations for you, or create the custom configuration you want.

What you have to do is look for differences in the packets, and then key off of those differences. For WiFi, this means looking for EAP-Message:

authorize {
    if (EAP-Message) {
        ... WiFi stuff ...
    }
    else {
        ... MAC auth stuff...
    }
}

Alan DeKok.


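A complete single-virtual-server layout following the branching Alan describes, written here as an added example that merges the two configurations from the original post; it is not Alan's or the FreeRADIUS project's own code. It assumes FreeRADIUS 3.0.x, the site-specific `rewrite.*_ipb` policies and the `ldap.xxx` placeholder URL from the thread, and adds a guard in post-auth so that the VLAN attributes are only sent when the MAC branch actually set one.

```conf
# Assumed merged default site (example, not the thread's own config).
# The presence of EAP-Message is what distinguishes an 802.1X request
# from a switch's MAC-authentication fallback.
authorize {
    filter_username
    preprocess
    suffix

    if (&EAP-Message) {
        # 802.1X (PEAP on WiFi, or a wired supplicant): the EAP path
        # taken from the working WiFi server.
        mschap
        eap
        files
        ldap
    }
    else {
        # No EAP-Message: the switch sent the MAC as the identity.
        # Site policies from the original post normalise the station ids.
        rewrite.called_station_id_ipb
        rewrite.calling_station_id_ipb

        update control {
            # Accept without running any authenticate{} module.
            &Auth-Type := Accept
            # VLAN looked up by MAC; placeholder LDAP URL from the thread.
            &Tunnel-Private-Group-Id := "%{ldap:ldap://ldap.xxx/ou=hosts,dc=xxx,dc=xxx?radiusTunnelPrivateGroupId?sub?(&(objectClass=radiusProfile)(macAddress=%{Calling-Station-Id}))}"
        }

        # Unknown MAC (no VLAN in LDAP): reject rather than accept it.
        if (!"%{control:Tunnel-Private-Group-Id}") {
            reject
        }
        expiration
        logintime
    }
}

authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}

post-auth {
    update {
        &reply: += &session-state:
    }

    # Only the MAC branch sets control:Tunnel-Private-Group-Id, so guard
    # the VLAN assignment instead of sending an empty VLAN to EAP clients.
    if (&control:Tunnel-Private-Group-Id) {
        update reply {
            &Tunnel-Private-Group-Id := "%{control:Tunnel-Private-Group-Id}"
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Type := VLAN
        }
    }
    remove_reply_message_if_eap

    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
```

Two points worth keeping in mind when running something like this: the MAC branch accepts a request on the strength of a Calling-Station-Id supplied by the switch, which is an identifier the client controls, so the reject-on-unknown-MAC check is what keeps an unlisted device off the network; and the `-sql` entries from the original post are simply omitted here, so add them back if accounting or the reject logging depends on them.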
Frédéric Goudal
2018-10-30 15:57:36 UTC
Post by Alan DeKok
Post by Frédéric Goudal
- I have switches that handle both wifi and wired connections.
- on wifi connections I have EAP/PEAP authentication
- what I want is that on wired connections, if the user/password authentication fails, authentication is done on the MAC address with automatic VLAN configuration.
I have a working wifi configuration on a first server
I have a working wired configuration on a second server
Is there any way to mix both on a single server ?
Yes.
Please don't post configurations to the list. We don't need to see them.
Different mailing lists, different customs; I don’t have them all in mind… some want the configuration, some like this one don’t…
Post by Alan DeKok
We're also not going to edit the configurations for you, or create the custom configuration you want.
:) Did I ask for that? No. (Answer of a tired sysadmin who has been digging for several days in what calls itself documentation)
Post by Alan DeKok
authorize {
    if (EAP-Message) {
        ... WiFi stuff ...
    }
    else {
        ... MAC auth stuff...
    }
}
Thanks.

f.g.

Frédéric Goudal
2018-10-30 17:05:25 UTC
By the way, I can’t find in the docs or man pages how to create an EAP-Message with radtest or radclient.
What is the correct way to build a request with an EAP-Message ?

f.g.
Post by Frédéric Goudal
Post by Frédéric Goudal
authorize {
    if (EAP-Message) {
        ... WiFi stuff ...
    }
    else {
        ... MAC auth stuff...
    }
}
Thanks.
f.g.
Herwin Weststrate
2018-10-30 17:09:09 UTC
Post by Frédéric Goudal
By the way, I can’t find in the docs or man pages how to create an EAP-Message with radtest or radclient.
What is the correct way to build a request with an EAP-Message ?
Use eapol_test: http://deployingradius.com/scripts/eapol_test/
--
Herwin Weststrate
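The reason radtest and radclient are the wrong tools here is that EAP is a multi-round conversation: the server answers the first Access-Request with an Access-Challenge carrying a State attribute and an EAP-Message, and the client has to reply to each round in turn, so a single hand-built packet never reaches the inner authentication. eapol_test plays the supplicant side of that exchange. The configuration below is an added example of what it needs for a PEAP/MSCHAPv2 test against the EAP branch; it is not from Herwin's link or the FreeRADIUS project, and the identity, password, CA path and the values in the command line are constructed placeholders.

```conf
# peap.conf for eapol_test (wpa_supplicant network-block syntax).
# All values are constructed placeholders for a lab test.
network={
    key_mgmt=WPA-EAP
    eap=PEAP
    # Outer identity is sent in the clear; the real identity and password
    # travel inside the TLS tunnel to the inner-tunnel virtual server.
    anonymous_identity="anonymous"
    identity="testuser"
    password="testpassword"
    phase2="auth=MSCHAPV2"
    # Validate the server certificate; without ca_cert the test would
    # succeed against any certificate, which hides a misconfigured eap
    # module and is not how a real supplicant should be deployed.
    ca_cert="/etc/freeradius/certs/ca.pem"
}
```

Run it against the server with something like `eapol_test -c peap.conf -a 127.0.0.1 -p 1812 -s testing123 -M 00:11:22:33:44:55 -t 10`, where `-s` is the shared secret for that client in clients.conf and `-M` sets the client MAC that eapol_test reports as Calling-Station-Id, so the same tool can drive the MAC-lookup path once the EAP branch is confirmed (the server address, secret and MAC here are placeholders). With `radiusd -X` running in the foreground you can watch which `authorize {}` branch each request takes.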
Frédéric Goudal
2018-10-31 08:53:20 UTC
Post by Herwin Weststrate
Post by Frédéric Goudal
By the way, I can’t find in the docs or man pages how to create an EAP-Message with radtest or radclient.
What is the correct way to build a request with an EAP-Message ?
Use eapol_test: http://deployingradius.com/scripts/eapol_test/
Thanks for your answer, it works BUT (and I know it is not a freeradius issue, but I think this info can help)
- the 2.6 version does NOT compile on ubuntu 18.4 (__bitwise multiple defined).
- the 2.5 version does NOT compile on ubuntu 18.4:
../src/crypto/crypto_openssl.c: In function ‘openssl_digest_vector’:
../src/crypto/crypto_openssl.c:68:13: error: storage size of ‘ctx’ isn’t known

I had to switch to an old jessie distro AND
- use 2.5
- remove the -Werror from the Makefile

f.g.
Herwin Weststrate
2018-10-31 09:09:16 UTC
Post by Frédéric Goudal
Post by Herwin Weststrate
Post by Frédéric Goudal
By the way, I can’t find in the docs or man pages how to create an EAP-Message with radtest or radclient.
What is the correct way to build a request with an EAP-Message ?
Use eapol_test: http://deployingradius.com/scripts/eapol_test/
Thanks for your answer, it works BUT (and I know it is not a freeradius issue, but I think this info can help)
- the 2.6 version does NOT compile on ubuntu 18.4 (__bitwise multiple defined).
../src/crypto/crypto_openssl.c:68:13: error: storage size of ‘ctx’ isn’t known
I had to switch to an old jessie distro AND
- use 2.5
- remove the -Werror from the Makefile
That looks as if the source has not been updated to work correctly with
newer OpenSSL versions. I don't have a recent Ubuntu system at hand, but
it might be worth trying to fetch the apt source and using the patch in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700870 instead. I'm
not sure if it works without changes on the Ubuntu repository.
--
Herwin Weststrate
Alan DeKok
2018-10-30 17:18:53 UTC
Post by Frédéric Goudal
Post by Alan DeKok
Please don't post configurations to the list. We don't need to see them.
Different mailing lists, different customs; I don’t have them all in mind… some want the configuration, some like this one don’t…
When you join this mailing list, you get an email pointing you to documentation about the mailing list. That document says what to post, and what not to post.

If you're not going to read the documentation, you'll have a very bad time.
Post by Frédéric Goudal
Post by Alan DeKok
We're also not going to edit the configurations for you, or create the custom configuration you want.
:) Did I ask for that? No. (Answer of a tired sysadmin who has been digging for several days in what calls itself documentation)
The documentation describes how FreeRADIUS works. If you want to know more, ask questions.

And no, we *don't* document how to do every possible thing. This is RADIUS. Everyone wants to do something slightly different. So that list of things is near-infinite.

We rely on people *reading the documentation*, and then *asking questions*.

Making snide comments about the documentation is not really appropriate. It motivates us to ignore you entirely.

Alan DeKok.


Frédéric Goudal
2018-10-31 09:16:04 UTC
Post by Alan DeKok
Making snide comments about the documentation is not really appropriate. It motivates us to ignore you entirely.
Well, your answer was harsh… what did you expect from a sysadmin who has been fighting against your documentation? An answer in the same style.

Ok, let’s take an example :
- in your configuration file there are -ldap stanzas…
- in your documentation where is the minus sign documented ?
- how do I find it if I don’t know ?

Ok let’s start :
- it’s found on a server configuration file so I go there :
https://wiki.freeradius.org/config/Configuration-files
Ok no syntax item… let’s dig Ohhh site configuration
https://wiki.freeradius.org/config/Sites-configuration
Ohh no syntax I have to go to virtual server
https://wiki.freeradius.org/config/Virtual-server
Ohhh still no syntax, some examples, none with the ‘-ldap’ stanza…

And nowhere to go… after more than an hour digging… still not found.

So… what do you expect from a sysadmin who has a lot of work and has to spend hours not to find the correct answer.


You know I’m a senior sysadmin, I have been dealing with hundreds of products and documentation for more than 25 years I KNOW what is a good documentation.
I have spoken with several colleagues and they all say the same… so maybe you can learn to accept your users’ advice…

f.g.

Alan DeKok
2018-10-31 10:42:16 UTC
Post by Frédéric Goudal
Post by Alan DeKok
Making snide comments about the documentation is not really appropriate. It motivates us to ignore you entirely.
Well, your answer was harsh…
You expected that making snide comments would make us like you?
Post by Frédéric Goudal
what did you expect from a sysadmin who has been fighting against your documentation? An answer in the same style.
Ah, you start off being rude, and when I point out this isn't appropriate, you double down on your rudeness. And blame me.

That shows a distinct lack of self-awareness.
Post by Frédéric Goudal
- in your configuration file there are -ldap stanza…
- in your documentation where is the minus sign documented ?
- how do I find it if I don’t know ?
Read the configuration files? Or read the debug output? Or ask on the mailing list?

Here's a normal question:

Q: I can't find anywhere what "-ldap" means. Can you guys tell me?

Here's your question:

Q: Your documentation sucks! Can you help me?

Which one motivates people to help you?
Post by Frédéric Goudal
So… what do you expect from a sysadmin who has a lot of work and has to spend hours not to find the correct answer.
Ask questions on the mailing list? If you've paid attention, you'll see that most questions are answered very quickly. i.e. in less than hours.

i.e. you don't bother asking questions, and then blame us for how long it took to get the answer.
Post by Frédéric Goudal
You know I’m a senior sysadmin, I have been dealing with hundreds of products and documentation for more than 25 years I KNOW what is a good documentation.
I have spoken with several colleagues and they all say the same… so maybe you can learn to accept your users’ advice…
You get this product for free, and all you can do is shit on the people who wrote it. Wonderful.

FreeRADIUS has been going for about 20 years now. In that time, I've seen endless numbers of whiners who complain about the documentation. I can't think of a single one who has *contributed* something to make it better. You fall into the same camp.

Why would I accept advice from someone who isn't giving any advice? "Your documentation sucks" isn't a productive comment.

You didn't offer a patch to document the problem you had. Instead, you just made rude comments, and expected that we would be grateful.

I'll make it simple for you. If you ask good questions, we can answer them. If you contribute, your contributions will be reviewed and generally accepted. If you keep complaining on the list, you will be unsubscribed, and permanently banned.

Alan DeKok.

Frédéric Goudal
2018-10-31 12:08:25 UTC
Post by Alan DeKok
Post by Frédéric Goudal
Post by Alan DeKok
Making snide comments about the documentation is not really appropriate. It motivates us to ignore you entirely.
Well, your answer was harsh…
You expected that making snide comments would make us like you?
Fact checking: I asked a question, you answered in a rude tone, then I answered you the same way.

Stop blaming others for behaving like you do. You’re childish…

End of discussion.

Alan DeKok
2018-10-31 12:16:30 UTC
On Oct 31, 2018, at 8:08 AM, Frédéric Goudal <***@bordeaux-inp.fr> wrote:

More whining.

And, he's gone.

It's telling that the people who complain the most don't contribute anything, and get upset when told their comments are inappropriate.

Alan DeKok.

Matthew Newton
2018-10-31 13:08:21 UTC
Post by Alan DeKok
It's telling that the people who complain the most don't contribute
anything, and get upset when told their comments are inappropriate.
And it's already documented in a whole section of the module README,
too.

https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-available/README.rst

Probably could be mentioned in sites-enabled/default, but it's not
particularly hidden if people actually read the "README" files.
--
Matthew
