FreeRADIUS: how to block EAP-MD5 when not used with EAP-TTLS?

I'm new to FreeRADIUS and I'm trying to block MD5 authentication when it is not used inside the TLS tunnel of EAP-TTLS. I still want to enable MD5 authentication as an inner method with TTLS.

I tried something that works, but I would like to know if it is the correct way to do it; I don't want to break something that will cause bugs in the future.

I created a symbolic link for the inner-eap module so I can use it from mods-enabled
(https://i.stack.imgur.com/Hm6e2.png).

Then I changed the default authentication to md5 in the inner-eap module.
I commented out the MD5 section in the eap module (not the inner one).

In sites-enabled/inner-tunnel I commented out these lines concerning eap, replacing them with inner-eap.

authorize {
  # use the separate inner-eap instance (MD5 enabled) instead of the outer eap instance
  inner-eap {
    ok = return
  }
  # default config
  #eap {
  #  ok = return
  #}
}

authenticate {
  #eap
  inner-eap
}

When I run tests, it seems that MD5 cannot be used outside the EAP-TTLS method, as intended.
I get this from FreeRADIUS:

(4) Received Access-Request Id 184 from X.X.X.X:X to X.X.X.X:X length 156
(4)   User-Name = "Anonymous"
(4)   Called-Station-Id = "XX-XX-XX-XX-XX-XX"
(4)   Calling-Station-Id = "XX:XX:XX:XX:XX:XX"
(4)   NAS-Identifier = "XX-XX-XX-XX-XX-XX"
(4)   NAS-IP-Address = XXX.XXX.XXX.XXX
(4)   NAS-Port = 5
(4)   Framed-MTU = 1500
(4)   NAS-Port-Type = Ethernet
(4)   State = 0x2f4dfb6f2f4fee7b659f82a7ed5ceb4d
(4)   EAP-Message = 0x020200060304
(4)   Message-Authenticator = 0xfa4f0a59e609bde52b1ef4494d429350
(4) Restoring &session-state
(4)   &session-state:Framed-MTU = 994
(4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(4)   authorize {
(4)     policy filter_username {
(4)       if (&User-Name) {
(4)       if (&User-Name)  -> TRUE
(4)       if (&User-Name)  {
(4)         if (&User-Name =~ / /) {
(4)         if (&User-Name =~ / /)  -> FALSE
(4)         if (&User-Name =~ /@[^@]*@/ ) {
(4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(4)         if (&User-Name =~ /../ ) {
(4)         if (&User-Name =~ /../ )  -> FALSE
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/))  {
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/))   -> FALSE
(4)         if (&User-Name =~ /.$/)  {
(4)         if (&User-Name =~ /.$/)   -> FALSE
(4)         if (&User-Name =~ /@./)  {
(4)         if (&User-Name =~ /@./)   -> FALSE
(4)       } # if (&User-Name)  = notfound
(4)     } # policy filter_username = notfound
(4)     [preprocess] = ok
(4)     [chap] = noop
(4)     [mschap] = noop
(4)     [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "Anonymous", looking up realm NULL
(4) suffix: No such realm "NULL"
(4)     [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 2 length 6
(4) eap: No EAP Start, assuming it's an on-going EAP conversation
(4)     [eap] = updated
(4)     [files] = noop
(4)     [expiration] = noop
(4)     [logintime] = noop
Not doing PAP as Auth-Type is already set.
(4)     [pap] = noop
(4)   } # authorize = updated
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4)   authenticate {
(4) eap: Expiring EAP session with state 0x2f4dfb6f2f4fee7b
(4) eap: Finished EAP session with state 0x2f4dfb6f2f4fee7b
(4) eap: Previous EAP request found for state 0x2f4dfb6f2f4fee7b, released from the list
(4) eap: Peer sent packet with method EAP NAK (3)
(4) eap: Peer NAK'd asking for unsupported EAP type MD5 (4), skipping...
(4) eap: ERROR: No mutually acceptable types found
(4) eap: Sending EAP Failure (code 4) ID 2 length 4
(4) eap: Failed in EAP select
(4)     [eap] = invalid
(4)   } # authenticate = invalid
(4) Failed to authenticate the user
(4) Using Post-Auth-Type Reject
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4)   Post-Auth-Type REJECT {
(4) attr_filter.access_reject: EXPAND %{User-Name}
(4) attr_filter.access_reject:    --> Anonymous
(4) attr_filter.access_reject: Matched entry DEFAULT at line 11
(4)     [attr_filter.access_reject] = updated
(4)     [eap] = noop
(4)     policy remove_reply_message_if_eap {
(4)       if (&reply:EAP-Message && &reply:Reply-Message) {
(4)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(4)       else {
(4)         [noop] = noop
(4)       } # else = noop
(4)     } # policy remove_reply_message_if_eap = noop
(4)   } # Post-Auth-Type REJECT = updated
(4) Delaying response for 1.000000 seconds
Waking up in 0.2 seconds.
Waking up in 0.6 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 182 from X.X.X.X:X to X.X.X.X:X length 44
(1)   EAP-Message = 0x04020004
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(4) Sending delayed response
(4) Sent Access-Reject Id 184 from X.X.X.X:X to X.X.X.X:X length 44
(4)   EAP-Message = 0x04020004
(4)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 181 with timestamp +42 due to cleanup_delay was reached
(1) Cleaning up request packet ID 182 with timestamp +42 due to cleanup_delay was reached
(3) Cleaning up request packet ID 183 with timestamp +42 due to cleanup_delay was reached
(4) Cleaning up request packet ID 184 with timestamp +42 due to cleanup_delay was reached
Ready to process requests

And here is what I get when I'm using EAP-TTLS/MD5:

(10) Received Access-Request Id 211 from X.X.X.X:X to X.X.X.X:X length 217
(10)   User-Name = "Anonymous"
(10)   Called-Station-Id = "X-X-X-X-X-X"
(10)   Calling-Station-Id = "X:X:X:X:X:X"
(10)   NAS-Identifier = "X-X-X-X-X-X"
(10)   NAS-IP-Address = X.X.X.X
(10)   NAS-Port = 5
(10)   Framed-MTU = 1500
(10)   NAS-Port-Type = Ethernet
(10)   State = 0xb09f6f25b5987ab45a49d44c79fdc272
(10)   EAP-Message = 0x0207004315001703030038c6adbb5c16c6c563e2d83bf6c77dbeea42301a1860182204dbf2239a4b934c9f79824ceea2bf5bb725fc7f8576a7deddf907300e0a52bb0e
(10)   Message-Authenticator = 0x1a63f12a15f8031ce35ebd7c8732aed7
(10) Restoring &session-state
(10)   &session-state:Framed-MTU = 994
(10)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(10)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(10)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(10)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(10)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(10)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(10)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(10)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(10)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(10)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(10)   &session-state:TLS-Session-Version = "TLS 1.2"
(10) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(10)   authorize {
(10)     policy filter_username {
(10)       if (&User-Name) {
(10)       if (&User-Name)  -> TRUE
(10)       if (&User-Name)  {
(10)         if (&User-Name =~ / /) {
(10)         if (&User-Name =~ / /)  -> FALSE
(10)         if (&User-Name =~ /@[^@]*@/ ) {
(10)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(10)         if (&User-Name =~ /../ ) {
(10)         if (&User-Name =~ /../ )  -> FALSE
(10)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/))  {
(10)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/))   -> FALSE
(10)         if (&User-Name =~ /.$/)  {
(10)         if (&User-Name =~ /.$/)   -> FALSE
(10)         if (&User-Name =~ /@./)  {
(10)         if (&User-Name =~ /@./)   -> FALSE
(10)       } # if (&User-Name)  = notfound
(10)     } # policy filter_username = notfound
(10)     [preprocess] = ok
(10)     [chap] = noop
(10)     [mschap] = noop
(10)     [digest] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "Anonymous", looking up realm NULL
(10) suffix: No such realm "NULL"
(10)     [suffix] = noop
(10) eap: Peer sent EAP Response (code 2) ID 7 length 67
(10) eap: Continuing tunnel setup
(10)     [eap] = ok
(10)   } # authorize = ok
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(10)   authenticate {
(10) eap: Expiring EAP session with state 0xf1a81cfaf3ac0960
(10) eap: Finished EAP session with state 0xb09f6f25b5987ab4
(10) eap: Previous EAP request found for state 0xb09f6f25b5987ab4, released from the list
(10) eap: Peer sent packet with method EAP TTLS (21)
(10) eap: Calling submodule eap_ttls to process data
(10) eap_ttls: Authenticate
(10) eap_ttls: (TLS) EAP Done initial handshake
(10) eap_ttls: Session established.  Proceeding to decode tunneled attributes
(10) eap_ttls: Got tunneled request
(10) eap_ttls:   EAP-Message = 0x0201001604102f20220e77c8250f43b6902c2c91ba28
(10) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1
(10) eap_ttls: Sending tunneled request
(10) Virtual server inner-tunnel received request
(10)   EAP-Message = 0x0201001604102f20220e77c8250f43b6902c2c91ba28
(10)   FreeRADIUS-Proxied-To = 127.0.0.1
(10)   User-Name = "bob"
(10)   State = 0xb9681c83b969189d0d90e6d70aad92ec
(10) WARNING: Outer User-Name is not anonymized.  User privacy is compromised.
(10) server inner-tunnel {
(10)   session-state: No cached attributes
(10)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(10)     authorize {
(10)       policy filter_username {
(10)         if (&User-Name) {
(10)         if (&User-Name)  -> TRUE
(10)         if (&User-Name)  {
(10)           if (&User-Name =~ / /) {
(10)           if (&User-Name =~ / /)  -> FALSE
(10)           if (&User-Name =~ /@[^@]*@/ ) {
(10)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(10)           if (&User-Name =~ /../ ) {
(10)           if (&User-Name =~ /../ )  -> FALSE
(10)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/))  {
(10)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/))   -> FALSE
(10)           if (&User-Name =~ /.$/)  {
(10)           if (&User-Name =~ /.$/)   -> FALSE
(10)           if (&User-Name =~ /@./)  {
(10)           if (&User-Name =~ /@./)   -> FALSE
(10)         } # if (&User-Name)  = notfound
(10)       } # policy filter_username = notfound
(10)       [chap] = noop
(10)       [mschap] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "bob", looking up realm NULL
(10) suffix: No such realm "NULL"
(10)       [suffix] = noop
(10)       update control {
(10)         &Proxy-To-Realm := LOCAL
(10)       } # update control = noop
(10) inner-eap: Peer sent EAP Response (code 2) ID 1 length 22
(10) inner-eap: No EAP Start, assuming it's an on-going EAP conversation
(10)       [inner-eap] = updated
(10) files: users: Matched entry bob at line 87
(10) files: EXPAND Hello, %{User-Name}
(10) files:    --> Hello, bob
(10)       [files] = ok
(10)       [expiration] = noop
(10)       [logintime] = noop
(10) pap: WARNING: Auth-Type already set.  Not setting to PAP
(10)       [pap] = noop
(10)     } # authorize = updated
(10)   Found Auth-Type = inner-eap
(10)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(10)     authenticate {
(10) inner-eap: Expiring EAP session with state 0xb9681c83b969189d
(10) inner-eap: Finished EAP session with state 0xb9681c83b969189d
(10) inner-eap: Previous EAP request found for state 0xb9681c83b969189d, released from the list
(10) inner-eap: Peer sent packet with method EAP MD5 (4)
(10) inner-eap: Calling submodule eap_md5 to process data
(10) inner-eap: Sending EAP Success (code 3) ID 1 length 4
(10) inner-eap: Freeing handler
(10)       [inner-eap] = ok
(10)     } # authenticate = ok
(10)   # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(10)     post-auth {
(10)       if (0) {
(10)       if (0)  -> FALSE
(10)     } # post-auth = noop
(10) } # server inner-tunnel
(10) Virtual server sending reply
(10)   Reply-Message = "Hello, bob"
(10)   EAP-Message = 0x03010004
(10)   Message-Authenticator = 0x00000000000000000000000000000000
(10)   User-Name = "bob"
(10) eap_ttls: Got tunneled Access-Accept
(10) eap: Sending EAP Success (code 3) ID 7 length 4
(10) eap: Freeing handler
(10)     [eap] = ok
(10)   } # authenticate = ok
(10) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(10)   post-auth {
(10)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
(10)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name))  -> FALSE
(10)     update {
(10)       &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994
(10)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake, ClientHello'
(10)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHello'
(10)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Certificate'
(10)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerKeyExchange'
(10)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHelloDone'
(10)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, ClientKeyExchange'
(10)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, Finished'
(10)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 ChangeCipherSpec'
(10)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Finished'
(10)       &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
(10)       &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2'
(10)     } # update = noop
(10)     [exec] = noop
(10)     policy remove_reply_message_if_eap {
(10)       if (&reply:EAP-Message && &reply:Reply-Message) {
(10)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(10)       else {
(10)         [noop] = noop
(10)       } # else = noop
(10)     } # policy remove_reply_message_if_eap = noop
(10)     if (EAP-Key-Name && &reply:EAP-Session-Id) {
(10)     if (EAP-Key-Name && &reply:EAP-Session-Id)  -> FALSE
(10)   } # post-auth = noop
(10) Sent Access-Accept Id 211 from X.X.X.X:X to X.X.X.X:X length 177



Is this the correct way to do it? If not, how do you do it?

I would like to add that I get this “(10) WARNING: Outer User-Name is not anonymized. User privacy is compromised.” in the last log. Should I take it seriously? The supplicant should be anonymized because I'm using an anonymous identity to connect.

Thanks

rad is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
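As an added verification check (not part of the question, and not FreeRADIUS code), here is a small Python audit over `radiusd -X` debug output that confirms EAP-MD5 is only ever negotiated by the `inner-eap` module instance and never by the outer `eap` instance. The log excerpt is constructed from the lines quoted above, plus one hypothetical request (12) showing what a misconfigured outer module would look like.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the radiusd -X output quoted in the question:
# request (4) is a bare EAP-MD5 attempt NAK'd by the outer "eap" module, request (10)
# is MD5 handled by "inner-eap" inside the TTLS tunnel, and request (12) is a
# hypothetical misconfiguration where the outer "eap" module accepts MD5 directly.
SAMPLE_LOG = """\
(4) eap: Peer sent packet with method EAP NAK (3)
(4) eap: Peer NAK'd asking for unsupported EAP type MD5 (4), skipping...
(4) eap: ERROR: No mutually acceptable types found
(4) Sent Access-Reject Id 184 from X.X.X.X:X to X.X.X.X:X length 44
(10) eap: Peer sent packet with method EAP TTLS (21)
(10) Virtual server inner-tunnel received request
(10) WARNING: Outer User-Name is not anonymized.  User privacy is compromised.
(10) inner-eap: Peer sent packet with method EAP MD5 (4)
(10) Sent Access-Accept Id 211 from X.X.X.X:X to X.X.X.X:X length 177
(12) eap: Peer sent packet with method EAP MD5 (4)
(12) Sent Access-Accept Id 230 from X.X.X.X:X to X.X.X.X:X length 60
"""

METHOD_RE = re.compile(r"^\((\d+)\) (eap|inner-eap): Peer sent packet with method EAP (\S+) \((\d+)\)")
NAK_RE = re.compile(r"^\((\d+)\) eap: Peer NAK'd asking for unsupported EAP type (\S+) \((\d+)\)")
RESULT_RE = re.compile(r"^\((\d+)\) Sent Access-(Accept|Reject) ")
ANON_RE = re.compile(r"^\((\d+)\) WARNING: Outer User-Name is not anonymized")

EAP_MD5 = 4  # IANA EAP method type number for EAP-MD5-Challenge

def audit(log_text):
    """Group the debug output by request id: which module handled which EAP
    method, the final Access-Accept/Reject, and the anonymity warning."""
    reqs = defaultdict(lambda: {"methods": [], "naks": [], "result": None, "anon_warning": False})
    for line in log_text.splitlines():
        if m := METHOD_RE.match(line):
            rid, module, name, num = m.groups()
            reqs[int(rid)]["methods"].append((module, name, int(num)))
        elif m := NAK_RE.match(line):
            reqs[int(m.group(1))]["naks"].append((m.group(2), int(m.group(3))))
        elif m := RESULT_RE.match(line):
            reqs[int(m.group(1))]["result"] = m.group(2)
        elif m := ANON_RE.match(line):
            reqs[int(m.group(1))]["anon_warning"] = True
    return dict(reqs)

def md5_handled_by(findings, module):
    """Request ids in which the given module ("eap" = outer, "inner-eap" = inside
    the TTLS tunnel) processed EAP-MD5. For the setup in the question the list for
    "eap" must stay empty; any hit there means MD5 is reachable without TLS."""
    return sorted(rid for rid, f in findings.items()
                  if any(mod == module and num == EAP_MD5 for mod, _, num in f["methods"]))

if __name__ == "__main__":
    found = audit(SAMPLE_LOG)
    print("MD5 outside tunnel:", md5_handled_by(found, "eap"))        # [12]
    print("MD5 inside tunnel:", md5_handled_by(found, "inner-eap"))   # [10]
```

Run it against a full `radiusd -X` capture after a test session; a non-empty "outside tunnel" list is the signal that the outer eap module still has MD5 enabled.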