Cisco WLC - FreeRadius - Parameter Missing
205 views
Skip to first unread message
Step Han
Apr 27, 2016, 2:03:20 PM4/27/16
to privacyidea
Hey,
today I played round with the PrivacyIdea environment and freeradius.
I installed all packets on my ubuntu 14.04 LTS system.
I made a standard setup with a user (user) and a totp token and made a test with the radclient tool - it works!
Now I started to connect my cisco wifi controller (wlc) to the freeradius.
I setup a SSID with a 802.1x authentication and tried to connect from my windows client with username/password.
I used the mschapV2 end EAP to connect to the WiFi and for the authentication at the radius.
No i get a rlm_perl: Added pair Reply-Message = ERR905: Missing parameter: 'pass' -- oh ???
I saw at the logs that the rlm_perl modul can't saw the "User-Password" property at the request - this makes sense because the mschap is a challenge response protocol (?).
Now my question - is it possible to deploy such a infrastructure ? Client -> AP -> WLC -> FreeRadius -> PrivacyIdea ?
Can rlm_perl handle the request and forward the "challenge" to the privacyIdea to authenticate the user?
The logs from freeradius are attached!!
Thank you !!!
today I played round with the PrivacyIdea environment and freeradius.
I installed all packets on my ubuntu 14.04 LTS system.
I made a standard setup with a user (user) and a totp token and made a test with the radclient tool - it works!
Now I started to connect my cisco wifi controller (wlc) to the freeradius.
I setup a SSID with a 802.1x authentication and tried to connect from my windows client with username/password.
I used the mschapV2 end EAP to connect to the WiFi and for the authentication at the radius.
No i get a rlm_perl: Added pair Reply-Message = ERR905: Missing parameter: 'pass' -- oh ???
I saw at the logs that the rlm_perl modul can't saw the "User-Password" property at the request - this makes sense because the mschap is a challenge response protocol (?).
Now my question - is it possible to deploy such a infrastructure ? Client -> AP -> WLC -> FreeRadius -> PrivacyIdea ?
Can rlm_perl handle the request and forward the "challenge" to the privacyIdea to authenticate the user?
The logs from freeradius are attached!!
Thank you !!!
Cornelius Kölbel
Apr 27, 2016, 5:21:37 PM4/27/16
to priva...@googlegroups.com
Hello StepHan,
at the moment rlm_perl and also privacyidea does not support mschapv2.
You can understand the error message about the missing "pass" parameter,
since the User-Password attribute is expected in the RADIUS request.
https://github.com/privacyidea/FreeRADIUS/blob/f6fa2ac72b77a82c7d232f96128524b3b192461c/privacyidea_radius.pm#L282
Supporting mschapv2 is a bit tricky, since the challenge is mangled with
the hash of the password.
To calculate the hash of the password on the backend (privacyidea) side,
this is the tricky part. Since the OTP PIN is saved in a hashed way by
default, we can not calculate the
HASH(otppin + otpvalue)
since it is not equal to
HASH(otppin) + HASH(otpvalue)
This means, we would have to save the OTP PIN in an encrypted way, to be
able to decrypt the OTP PIN.
Kind regards
Cornelius
> --
> Please read the blog post about getting help
> https://www.privacyidea.org/getting-help/.
>
> For professional services and consultancy regarding two factor
> authentication please visit
> https://netknights.it/en/leistungen/one-time-services/
>
> In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
> which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
> https://netknights.it/en/leistungen/service-level-agreements/
> ---
> You received this message because you are subscribed to the Google
> Groups "privacyidea" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to privacyidea...@googlegroups.com.
> To post to this group, send email to priva...@googlegroups.com.
> Visit this group at https://groups.google.com/group/privacyidea.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/privacyidea/b38986ad-fe59-4567-8880-a4acaeb21c3b%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
at the moment rlm_perl and also privacyidea does not support mschapv2.
You can understand the error message about the missing "pass" parameter,
since the User-Password attribute is expected in the RADIUS request.
https://github.com/privacyidea/FreeRADIUS/blob/f6fa2ac72b77a82c7d232f96128524b3b192461c/privacyidea_radius.pm#L282
Supporting mschapv2 is a bit tricky, since the challenge is mangled with
the hash of the password.
To calculate the hash of the password on the backend (privacyidea) side,
this is the tricky part. Since the OTP PIN is saved in a hashed way by
default, we can not calculate the
HASH(otppin + otpvalue)
since it is not equal to
HASH(otppin) + HASH(otpvalue)
This means, we would have to save the OTP PIN in an encrypted way, to be
able to decrypt the OTP PIN.
Kind regards
Cornelius
> Please read the blog post about getting help
> https://www.privacyidea.org/getting-help/.
>
> For professional services and consultancy regarding two factor
> authentication please visit
> https://netknights.it/en/leistungen/one-time-services/
>
> In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
> which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
> https://netknights.it/en/leistungen/service-level-agreements/
> ---
> You received this message because you are subscribed to the Google
> Groups "privacyidea" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to privacyidea...@googlegroups.com.
> To post to this group, send email to priva...@googlegroups.com.
> Visit this group at https://groups.google.com/group/privacyidea.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/privacyidea/b38986ad-fe59-4567-8880-a4acaeb21c3b%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
Reply all
Reply to author
Forward
0 new messages