1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
|
Extensible Authentication Protocol (EAP)
INTRODUCTION
Extensible Authentication Protocol(EAP), rfc2284, is a general protocol
that allows network access points to support multiple authentication
methods. Each EAP-Type indicates a specific authentication mechanism.
802.1x standard authenticates wireless LAN users trying to access
enterprise networks.
RADIUS attribute used for EAP is EAP-Message, 79(rfc2869). RADIUS
communicates all EAP messages by embedding them in this attribute.
General Terminology
Supplicant/EAP Client - is the software on the end-user/client machine
(machine with the wireless card).
Authenticator/NAS/Access Point(AP) - A network device providing users
with a point of entry into the network.
EAPOL - EAP over LAN as defined in 802.1x standard.
EAPOW - EAP over Wireless.
+----------+ +----------+ +----------+
| | EAPOL | | RADIUS | |
| EAP |<------>| Access |<------>| RADIUS |
| Client | EAPOW | Point | (EAP) | Server |
| | | | | |
+----------+ +----------+ +----------+
The sequence of events, for EAP-MD5, runs as follows:
1. The end-user associates with the Access Point(AP).
2. The supplicant specifies AP to use EAP by sending EAP-Start.
3. AP requests the supplicant to Identify itself (EAP-Identity).
4. Supplicant then sends its Identity (username) to the AP.
5. AP forwards this EAP-response AS-IS to the RADIUS server.
(The supplicant and the RADIUS server mutually authenticate via AP.
AP just acts as a passthru till authentication is finished.)
6. The server sends a challenge to the supplicant.
7. The supplicant carries out a hash on the password and sends
this hashed password to the RADIUS server as its response.
8. The RADIUS server performs a hash on the password for that supplicant
in its user database and compares the two hashed values and
authenticates the client if the two values match(EAP-Success/EAP-Failure)
9. AP now opens a port to accept data from the end-user.
Currently, EAP is widely used in wireless networks than in wired networks.
In 802.11/wireless based networking, following sequence of events happen in
addition to the above EAP events.
10. RADIUS server and the supplicant agree to a specific WEP key.
11. The supplicant loads the key ready for logging on.
12. The RADIUS server sends the key for this session (Session key) to the AP.
13. The AP encrypts its Broadcast key with the Session key
14. The AP sends the encypted key to the supplicant
15. The supplicant decrypts the Broadcast key with the Session key and
the session continues using the Broadcast and Session keys until
the session ends.
References:
The Implementation of EAP over RADIUS is based on the following RFCs
rfc2869 -- RADIUS Extensions
rfc2284 -- PPP Extensible Authentication Protocol (EAP)
rfc2716 -- PPP EAP TLS Authentication Protocol
Following links help to understand HOW EAP works
www.ieee802.org/1/mirror/8021/docs2000/ieee_plenary.PDF
EAP CODE ORGANIZATION
EAP is implemented as a module in freeradius
and the code is placed in src/modules/rlm_eap.
All EAP-Types are organized as subdirectories in rlm_eap/types/.
Each EAP-Type, like types/rlm_eap_md5, contains a chunk of code that
knows how to deal with a particular kind of authentication mechanism.
To add a new EAP-Type then a new directory should be created as
rlm_eap/types/rlm_eap_XXXX, where XXXX is EAP-Type name
ie for EAP-Type like ONE TIME PASSWORD (OTP) it would be rlm_eap_otp
src/modules/rlm_eap -- contains the basic EAP and generalized interfaces
to all the EAP-Types.
rlm_eap/types -- contains all the supported EAP-Types
rlm_eap/types/rlm_eap_md5 -- EAP-MD5 authentication.
rlm_eap/types/rlm_eap_tls -- EAP-TLS based authentication.
rlm_eap/types/rlm_eap_ttls -- TTLS based authentication.
rlm_eap/types/rlm_eap_peap -- Windows PEAP based authentication.
rlm_eap/types/rlm_eap_sim -- EAP-SIM (GSM) based authentication
CONFIGURATION
Add the eap configuration stanza to the modules section in radiusd.conf
to load and control rlm_eap and all the supported EAP-Types:
For example:
modules {
...
eap {
default_eap_type = md5
md5 {
}
...
}
...
}
NOTE: You cannot have empty eap stanza. At least one EAP-Type sub-stanza
should be defined as above, otherwise the server will not know what type
of eap authentication mechanism to be used and the server will exit
with error.
All the various options and their associated default values for each
EAP-Type are documented in the sample radiusd.conf that is provided
with the distribution.
Since the EAP requests may not contain a requested EAP type, the
'default_eap_type' configuration options is used by the EAP module
to determine which EAP type to choose for authentication.
NOTE: EAP cannot authorize a user. It can only authenticate.
Other Freeradius modules authorize the user.
EAP SIM server
To configure EAP-SIM authentication, the following attributes must be
set in the server. This can be done in the users file, but in many cases
will be taken from a database server, via one of the SQL interface.
If one has SIM cards that one controls (i.e. whose share secret you know),
one should be able to write a module to generate these attributes
(the triplets) in the server.
If one has access to the SS7 based settlement network, then a module to
fetch appropriate triplets could be written. This module would act as
an authorization only module.
The attributes are:
EAP-Sim-Rand1 16 bytes
EAP-Sim-SRES1 4 bytes
EAP-Sim-KC1 8 bytes
EAP-Sim-Rand2 16 bytes
EAP-Sim-SRES2 4 bytes
EAP-Sim-KC2 8 bytes
EAP-Sim-Rand3 16 bytes
EAP-Sim-SRES3 4 bytes
EAP-Sim-KC3 8 bytes
EAP-SIM will send WEP attributes to the resquestor.
EAP CLIENTS
1. eapol_test, from wpa_supplicant.
2. Freeradius has an "radeapclient" that can do EAP-MD5 (passwords),
as well as EAP-SIM. It is in modules/rlm_eap/radeapclient.
TESTING
You will find several test cases in src/tests/ for the EAP-SIM code.
HOW DO I USE IT (FAQ/Examples)
1. How can I enable EAP-MD5 authentication ?
In radiusd.conf
modules {
...
eap {
default_eap_type = md5
md5 {
}
...
}
...
}
# eap sets the authenticate type as EAP
authorize {
...
eap
}
# eap authentication takes place.
authenticate {
eap
}
# If you are proxying EAP-LEAP requests
# This is required to make LEAP work.
post-proxy {
eap
}
2. My Userbase is in LDAP and I want to use EAP-MD5 authentication
In radiusd.conf
modules {
...
eap {
default_eap_type = md5
md5 {
}
...
}
...
}
# ldap gets the Configured password.
# eap sets the authenticate type as EAP
authorize {
...
ldap
eap
...
}
# eap authentication takes place.
authenticate {
...
eap
...
}
3. How can I Proxy EAP messages, with/without User-Name attribute
in the Access-Request packets
With User-Name attribute in Access-Request packet,
EAP-proxying is just same as RADIUS-proxying.
If User-Name attribute is not present in Access-Request packet,
Freeradius can proxy the request with the following configuration
in radiusd.conf
# eap module should be configured as the First module in
# the authorize stanza
authorize {
eap
... other modules.
}
With this configuration, eap_authorize creates User-Name attribute
from EAP-Identity response, if it is not present.
Once User-Name attribute is created, RADIUS proxying takes care
of EAP proxying.
4. How Freeradius can handle EAP-START messages ?
In most of the cases this is handled by the Authenticator.
Only if it is required then, in radiusd.conf
authorize {
eap
... other modules.
}
With the above configuration, RADIUS server immediately responds with
EAP-Identity request.
NOTE: EAP does not check for any Identity or maintains any state in case
of EAP-START. It blindly responds with EAP-Identity request.
Proxying is handled only after EAP-Identity response is received.
5. I want to enable multiple EAP-Types, how can I configure ?
In radiusd.conf
modules {
...
eap {
default_eap_type = tls
md5 {
}
tls {
...
}
...
}
...
}
The above configuration will let the server load all the EAP-Types,
but the server can have only one default EAP-Type, as above.
Once EAP-Identity response is received by the server, based on the
default_eap_type, the server will send a new request (MD5-Challenge
request incase of md5, TLS-START request incase of tls) to the supplicant.
If the supplicant is rfc2284 compliant and does not support the
EAP-Type sent by the server then it sends EAP-Acknowledge with the
supported EAP-Type. If this EAP-Type is supported by the server then it
will send the respective EAP-request.
Example: If the supplicant supports only EAP-MD5 but the server
default_eap_type is configured as EAP-TLS, as above, then the server
will send TLS-START after EAP-Identity is received. Supplicant will
respond with EAP-Acknowledge(EAP-MD5). Server now responds with
MD5-Challenge.
INSTALLATION
EAP, EAP-MD5, and Cisco LEAP do not require any additional packages.
Freeradius contains all the required packages.
For EAP-TLS, EAP-TTLS, and PEAP, OPENSSL, <http://www.openssl.org/>,
is required to be installed.
Any version from 0.9.7, should fairly work with this module.
EAP-SIM should not require any additional packages.
IMPLEMENTATION (For Developers)
The rlm_eap module only deals with EAP specific authentication mechanism
and the generic interface to interact with all the EAP-Types.
Currently, these are the existing interfaces,
int attach(CONF_SECTION *conf, void **type_arg);
int initiate(void *type_arg, EAP_HANDLER *handler);
int authenticate(void *type_arg, EAP_HANDLER *handler);
int detach(void **type_arg);
attach() and detach() functions allocate and deallocate all the
required resources.
initiate() function begins the conversation when EAP-Identity response
is received. Incase of EAP-MD5, initiate() function sends the challenge.
authenticate() function uses specific EAP-Type authentication mechanism
to authenticate the user. During authentication many EAP-Requests and
EAP-Responses takes place for each authentication. Hence authenticate()
function may be called many times. EAP_HANDLER contains the complete
state information required.
HOW EAP WORKS
as posted to the list, by John Lindsay <jlindsay@internode.com.au>
To make it clear for everyone, the supplicant is the software on the
client (machine with the wireless card).
The EAP process doesn't start until the client has associated with
the Access Point using Open authentication. If this process isn't
crystal clear you need to go away and gain understanding.
Once the association is made the AP blocks all traffic that is not
802.1x so although associated the connection only has value for EAP.
Any EAP traffic is passed to the radius server and any radius traffic
is passed back to the client.
So, after the client has associated to the Access Point, the
supplicant starts the process for using EAP over LAN by asking the
user for their logon and password.
Using 802.1x and EAP the supplicant sends the username and a one-way
hash of the password to the AP.
The AP encapsulates the request and sends it to the RADIUS server.
The radius server needs a plaintext password so that it can perform
the same one-way hash to determine that the password is correct. If
it is, the radius server issues an access challenge which goes back
via to the AP to the client. (my study guide says client but my
brain says 'supplicant')
The client sends the EAP response to the challenge via the AP to the
RADIUS server.
If the response is valid the RADIUS server sends a success message
and the session WEP key (EAP over wireless) to the client via the
AP. The same session WEP key is also sent to the AP in the success
packet.
The client and the AP then begin using session WEP keys. The WEP key
used for multicasts is then sent from the AP to the client. It is
encrypted using the session WEP key.
ACKNOWLEDGEMENTS
Primary author - Raghu <raghud@mail.com>
EAP-SIM - Michael Richardson <mcr@sandelman.ottawa.on.ca>
The development of the EAP/SIM support was funded by
Internet Foundation Austria (http://www.nic.at/ipa).
|
