ClearFoundation Tracker - ClearOS
View Issue Details
ID: 0006101
Project: ClearOS
Category: app-radius - RADIUS Server
View Status: public
Date Submitted: 2015-11-12 08:56
Last Update: 2016-04-27 18:42
Reporter: user2
Assigned To: dloper
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 7.1.0
Target Version: 7.2.0 Updates
Fixed in Version: 7.2.0 Updates
0006101: Complete RADIUS app in ClearOS 7
See subject. Also see forum post:

https://www.clearos.com/clearfoundation/social/community/working-radius-configuration-for-clearos-7
No tags attached.
Issue History
2015-11-12 08:56  user2   New Issue
2015-11-12 08:56  user2   Assigned To => dloper
2015-11-12 08:56  user2   Status: new => assigned
2015-11-12 09:07  dloper  Note Added: 0002101
2015-11-22 20:40  user2   Target Version: 7.1.0 Updates => 7.2.0 Updates
2016-04-19 17:43  dloper  Note Added: 0003101
2016-04-20 13:09  dloper  Note Added: 0003111
2016-04-21 12:51  user2   Status: assigned => resolved
2016-04-21 12:51  user2   Fixed in Version => 7.2.0 Updates
2016-04-21 12:51  user2   Resolution: open => fixed
2016-04-22 08:44  dloper  Note Added: 0003121
2016-04-27 18:42  user2   Status: resolved => closed

Notes
(0002101) dloper 2015-11-12 09:07
For more info, see: https://www.clearos.com/clearfoundation/social/community/radius-server-not-starting#reply-89321
(0003101) dloper 2016-04-19 17:43
The file /etc/raddb/mods-available/ldap uses an older convention for its format. Should be more like this:

ldap {
    server = "localhost"
    identity = "cn=manager,ou=Internal,dc=system,dc=lan"
    password = odt6Xj4EvVrY3ocj
    base_dn = "dc=system,dc=lan"
    update {
        control:Password-With-Header += 'userPassword'
    }
    user {
        base_dn = "${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    group {
        base_dn = "${..base_dn}"
        filter = "(objectClass=posixGroup)"
        membership_attribute = "memberOf"
    }
    profile {
    }
    client {
        base_dn = "${..base_dn}"
        filter = '(objectClass=frClient)'
        attribute {
            identifier = 'radiusClientIdentifier'
            secret = 'radiusClientSecret'
        }
    }
    accounting {
        reference = "%{tolower:type.%{Acct-Status-Type}}"
        type {
            start {
                update {
                    description := "Online at %S"
                }
            }

            interim-update {
                update {
                    description := "Last seen at %S"
                }
            }

            stop {
                update {
                    description := "Offline at %S"
                }
            }
        }
    }
    post-auth {
        update {
            description := "Authenticated at %S"
        }
    }

    options {
        chase_referrals = yes
        rebind = yes
        timeout = 10
        timelimit = 3
        net_timeout = 1
        idle = 60
        probes = 3
        interval = 3
        ldap_debug = 0x0028
    }
    tls {
        start_tls = no
    }
    pool {
        start = 5
        min = 4
        max = ${thread[pool].max_servers}
        spare = 3
        uses = 0
        lifetime = 0
        idle_timeout = 60
    }
}
(0003111) dloper 2016-04-20 13:09
For the EAP tunnel, it would be best to run it through MSCHAP rather than the older process of looking up the hashes directly in LDAP and then comparing the hashes. To make this change we merely do the following:

usermod -a -G wbpriv radiusd

This allows radius to submit ntlm_auth requests to the winbind socket at /var/lib/samba/winbindd_privileged/pipe

Then you need to turn on the ntlm_auth with the following patch:

--- /etc/raddb/mods-available/mschap.orig 2016-04-19 19:24:49.194497463 -0400
+++ /etc/raddb/mods-available/mschap 2016-04-20 15:03:55.731673388 -0400
@@ -56,6 +56,7 @@
     # the "best" user name for the request.
     #
 # ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
+ ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
 
     # The default is to wait 10 seconds for ntlm_auth to
     # complete. This is a long time, and if it's taking that
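Review bot: the new `+ ntlm_auth = "/usr/bin/ntlm_auth ...` line only authenticates once the radiusd user can open the winbindd privileged pipe, and nothing in this hunk records that dependency; the `usermod -a -G wbpriv radiusd` step exists only in the note's prose, so anyone applying the patch on its own ends up with a module that invokes the binary but gets no answer from winbind. Suggest adding a comment line above the new setting, e.g. `# requires radiusd in group wbpriv (access to winbindd_privileged/pipe)`, and keeping the commented `/path/to/ntlm_auth` template line as it is, since it documents the upstream default the active line was derived from.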

Making these changes, and the change prior, allows for EAP authentication from Windows workstations to a wireless access point running WPA-Infrastructure mode against RADIUS.
(0003121) dloper 2016-04-22 08:44
base_dn in /etc/raddb/mods-available/ldap is improperly rendered as 'basedn'

ntlm_auth parameter in /etc/raddb/mods-available/mschap is not set. Should be:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

Instead of:

# ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
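Both problems reported in this ticket (the `basedn`/`base_dn` rendering in mods-available/ldap from notes 0003101 and 0003121, and the commented-out `ntlm_auth` line in mods-available/mschap from notes 0003111 and 0003121) are the kind of thing a small config check can catch before radiusd is restarted. The script below is an added example written for this page; it is not ClearOS, app-radius or FreeRADIUS code. It assumes the `name { ... }` / `key op value` subset of the FreeRADIUS syntax that these two files use, the sample inputs are constructed (with a placeholder bind password rather than a real one), and the function names are the example's own.

```python
"""Lint FreeRADIUS 3 module files for the two misconfigurations this ticket reports:
'basedn' instead of 'base_dn' in mods-available/ldap, and 'ntlm_auth' left commented
out in mods-available/mschap. Added example, not ClearOS or FreeRADIUS code; the parser
covers only the 'name { ... }' / 'key op value' subset these two files use (assumption)."""
import re

COMMENT_RE = re.compile(r"""^(?:[^#"']|"[^"]*"|'[^']*')*""")  # text before a '#' outside quotes
SECTION_RE = re.compile(r"^([\w.-]+)(?:\s+[\w.-]+)?\s*\{$")   # e.g. 'ldap {'
ITEM_RE = re.compile(r"^([\w:.-]+)\s*(:=|\+=|=)\s*(.*)$")     # e.g. 'key = value'

class Section:
    def __init__(self, name):
        self.name, self.items, self.subs = name, [], []   # items: (key, op, value)
    def get(self, key):
        return next((v for k, _op, v in self.items if k == key), None)
    def sub(self, name):
        return next((s for s in self.subs if s.name == name), None)

def parse(text):
    """Build a Section tree; raises ValueError on unbalanced or unknown lines."""
    root = Section("")
    stack = [root]
    for raw in text.splitlines():
        line = COMMENT_RE.match(raw).group(0).strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected '}'")
            stack.pop()
        elif m := SECTION_RE.match(line):
            stack[-1].subs.append(Section(m.group(1)))
            stack.append(stack[-1].subs[-1])
        elif m := ITEM_RE.match(line):
            value = m.group(3)
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
                value = value[1:-1]                        # drop surrounding quotes
            stack[-1].items.append((m.group(1), m.group(2), value))
        else:
            raise ValueError("unparsed line: %r" % raw)
    if len(stack) != 1:
        raise ValueError("unclosed section")
    return root

def lint_ldap(text):
    """Findings for mods-available/ldap; an empty list means nothing to fix."""
    ldap = parse(text).sub("ldap") or Section("ldap")    # missing section: everything is missing
    out = []
    if ldap.get("basedn") is not None:                     # the bug in note 0003121
        out.append("ldap: 'basedn' is not an option name; use 'base_dn'")
    if ldap.get("base_dn") is None:
        out.append("ldap: base_dn missing")
    for name in ("user", "group"):
        sub = ldap.sub(name)
        if sub is None or sub.get("base_dn") is None:
            out.append('ldap.%s: base_dn missing (expected "${..base_dn}")' % name)
    tls = ldap.sub("tls")
    if ldap.get("server") not in ("localhost", "127.0.0.1") and (tls is None or tls.get("start_tls") != "yes"):
        out.append("ldap: bind password would cross the network in cleartext; set start_tls = yes")
    return out

def lint_mschap(text):
    """Findings for mods-available/mschap (the ntlm_auth line from note 0003111)."""
    cmd = (parse(text).sub("mschap") or Section("mschap")).get("ntlm_auth")
    if cmd is None:        # a '# ntlm_auth = ...' line is a comment and never becomes an item
        return ["mschap: ntlm_auth not set; MSCHAP is not going through winbind"]
    out = []
    if not cmd.startswith("/") or "/path/to/" in cmd:
        out.append("mschap: ntlm_auth needs the real binary's absolute path, e.g. /usr/bin/ntlm_auth")
    if "--request-nt-key" not in cmd:
        out.append("mschap: ntlm_auth lacks --request-nt-key, which the template line carries")
    return out

# Constructed samples modelled on the ticket's files, with a placeholder bind password.
LDAP_OK = """\
ldap {
    server = "localhost"
    password = PLACEHOLDER_BIND_PASSWORD
    base_dn = "dc=system,dc=lan"
    user {
        base_dn = "${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    group {
        base_dn = "${..base_dn}"
    }
    tls {
        start_tls = no
    }
}
"""
LDAP_BAD = LDAP_OK.replace('    base_dn = "dc=', '    basedn = "dc=')     # note 0003121's bug
TEMPLATE = ('"/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}'
            ' --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"')
MSCHAP_COMMENTED = "mschap {\n    use_mppe = yes\n    # ntlm_auth = %s\n}\n" % TEMPLATE
MSCHAP_FIXED = MSCHAP_COMMENTED.replace('# ntlm_auth = "/path/to/', 'ntlm_auth = "/usr/bin/')

if __name__ == "__main__":
    print(lint_ldap(LDAP_BAD), lint_mschap(MSCHAP_COMMENTED), lint_mschap(MSCHAP_FIXED))
```

Run against the real files with `lint_ldap(open("/etc/raddb/mods-available/ldap").read())` and the same for mschap; a commented-out `ntlm_auth` is reported because the comment stripper removes it before it can become a setting, which is exactly why the unpatched file behaves as if the option were absent. The cleartext-bind finding is a caveat beyond the ticket: it stays silent for the `server = "localhost"` case shown in note 0003101 and fires only when the bind password would leave the host without `start_tls`.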