Support for EAP Radius Authentication

[marin]

Hi,

We're trying to make a few OPNsense 20.1 boxes authenticate users against a FreeRADIUS instance with EAP. The FreeRADIUS instance is also an OPNsense 20.1 box. While server-side EAP is enabled, it seems none of our boxes are actually using it. Below is the debug output from FreeRADIUS after one of the box tried to authenticate. Authentication succeeded while EAP-TTLS was enabled server-side with an invalid self-signed certificate. Debug messages show that EAP was not used (search for line (0) eap: No EAP-Message, not doing EAP)

Code: [Select]

Ready to process requests
Threads: total/active/spare threads = 5/0/5
Waking up in 0.3 seconds.
Thread 1 got semaphore
Thread 1 handling request 0, (1 handled so far)
(0) Received Access-Request Id 31 from 192.168.1.241:23849 to 192.168.1.249:1812 length 84
(0)   User-Name = "someuser"
(0)   Service-Type = Login-User
(0)   Framed-Protocol = 15
(0)   NAS-Identifier = "5e8049ad39eb5"
(0)   NAS-Port = 0
(0)   NAS-Port-Type = Ethernet
(0)   User-Password = "SomePassword"
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "someuser", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0)     [files] = noop
rlm_ldap (ldap): Reserved connection (0)
(0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap:    --> (uid=someuser)
(0) ldap: Performing search in "cn=users,cn=accounts,dc=local,dc=domain,dc=tld" with filter "(uid=someuser)", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: User object found at DN "uid=someuser,cn=users,cn=accounts,dc=local,dc=domain,dc=tls"
(0) ldap: Processing user attributes
(0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldaps://ipa-00.core.local.domain.tld:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0)     [ldap] = ok
(0)     if ((ok || updated) && User-Password) {
(0)     if ((ok || updated) && User-Password)  -> TRUE
(0)     if ((ok || updated) && User-Password)  {
(0)       update control {
(0)         Auth-Type := LDAP
(0)       } # update control = noop
(0)     } # if ((ok || updated) && User-Password)  = noop
(0)     [expiration] = noop
(0)     [logintime] = noop
Not doing PAP as Auth-Type is already set.
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = LDAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   Auth-Type LDAP {
rlm_ldap (ldap): Reserved connection (1)
(0) ldap: Login attempt by "someuser"
(0) ldap: Using user DN from request "uid=someuser,cn=users,cn=accounts,dc=local,dc=domain,dc=tld"
(0) ldap: Waiting for bind result...
(0) ldap: Bind successful
(0) ldap: Bind as user "uid=someuser,cn=users,cn=accounts,dc=local,dc=domain,dc=tld" was successful
rlm_ldap (ldap): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots used
rlm_ldap (ldap): Connecting to ldaps://ipa-00.core.local.domain.tld:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0)     [ldap] = ok
(0)   } # Auth-Type LDAP = ok
(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(0)   post-auth {
(0)     update {
(0)       No attributes updated for RHS &session-state:
(0)     } # update = noop
(0)     [exec] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # post-auth = noop
(0) Login OK: [someuser] (from client dnsr-00.local.domain.tld port 0)
(0) Sent Access-Accept Id 31 from 192.168.1.249:1812 to 192.168.1.241:23849 length 0
(0) Finished request

Could someone confirm that I'm not missing something ? If not, I think it would be valuable:

• To write explicitly in the documentation that EAP will not be used for Radius authentication even when available on the remote server
• To plan to add EAP support to OPNsense authentication
• To add an option to the FreeRADIUS plugin to disable non-EAP (fallback) mechanisms when EAP is enabled

Many thanks,

Marin