Posted to user@guacamole.apache.org by Kamal Ezzaki <ka...@gmail.com> on 2019/04/17 16:01:20 UTC

Guacamole+Radius+Eap-tls

Hello,

I want to set up authentication with RADIUS (Windows Server) using
EAP-TLS, so this is what I did:
cp /etc/raddb/certs/client.p12 /usr/share/tomcat/.guacamole/
chmod 666 client.p12

# Copy the certificate request into the web certificate page to generate one
cat /etc/raddb/certs/client.csr
download certnew.cer
mv certnew.cer certnew.pem

### Configuration file
radius-key-file: /usr/share/tomcat/.guacamole/client.p12
radius-key-type: pkcs12
radius-ca-file: /usr/share/tomcat/.guacamole/certnew.pem
radius-ca-type: pem


and it's not working, should I change something?
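As an added example (not part of Kamal's post or of the Guacamole project), the following POSIX shell script checks the radius-key-file and radius-ca-file entries of a guacamole.properties file for the problems a setup like the one above usually comes down to: a path the Tomcat user cannot read, a private key left world-accessible (which "chmod 666 client.p12" does), and a type value the extension does not recognise. The property names are the ones used in the post; the accepted type values (pem, pkcs12, jks) are assumed from the radius extension's documentation, and the demo files it creates are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not from the thread or the Guacamole project: sanity-check the
# radius-key-file / radius-ca-file settings of a guacamole.properties file before
# restarting Tomcat. The accepted type values (pem, pkcs12, jks) are assumed from
# the radius extension's documentation; adjust the case statement if yours differ.

# Print the value of a "key: value" property (first match) from a properties file.
prop_value() {
    # $1 = properties file, $2 = property name
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" | head -n 1
}

# Octal permission bits of a file, e.g. 644 (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Check one entry. $1 = property prefix (radius-key or radius-ca), $2 = file path,
# $3 = type value, $4 = 1 if the file holds private key material.
# Prints findings; returns 0 if clean, 1 otherwise.
check_entry() {
    label=$1; path=$2; ftype=$3; secret=$4; rc=0
    case "$ftype" in
        pem|pkcs12|jks) ;;
        *) echo "$label-type: '$ftype' is not one of pem, pkcs12, jks"; rc=1 ;;
    esac
    if [ -z "$path" ]; then
        echo "$label-file: not set"; return 1
    fi
    if [ ! -r "$path" ]; then
        echo "$label-file: $path is missing or not readable by $(id -un)"; return 1
    fi
    mode=$(file_mode "$path")
    others=${mode#"${mode%?}"}   # last octal digit = permissions for everyone else
    if [ "$secret" = 1 ] && [ "$others" != 0 ]; then
        echo "$label-file: $path is mode $mode; a private key should be mode 600 and owned by the Tomcat user"
        rc=1
    fi
    return $rc
}

# Check both RADIUS TLS entries of a properties file. Returns 0 only if all are clean.
check_radius_tls() {
    props=$1; status=0
    check_entry radius-key "$(prop_value "$props" radius-key-file)" \
        "$(prop_value "$props" radius-key-type)" 1 || status=1
    check_entry radius-ca "$(prop_value "$props" radius-ca-file)" \
        "$(prop_value "$props" radius-ca-type)" 0 || status=1
    return $status
}

# Demo on constructed files: $1 is the mode to give the key file. With 666 (as in
# the post) the check fails; with 600 it passes.
demo() {
    dir=$(mktemp -d)
    printf 'constructed placeholder, not a real PKCS#12 file\n' > "$dir/client.p12"
    printf 'constructed placeholder, not a real PEM file\n' > "$dir/certnew.pem"
    cat > "$dir/guacamole.properties" <<EOF
radius-key-file: $dir/client.p12
radius-key-type: pkcs12
radius-ca-file: $dir/certnew.pem
radius-ca-type: pem
EOF
    chmod "$1" "$dir/client.p12"
    if check_radius_tls "$dir/guacamole.properties"; then result=0; else result=1; fi
    rm -rf "$dir"
    return $result
}

# Usage on a real install: check_radius_tls /etc/guacamole/guacamole.properties
if [ "${1:-}" = "--demo" ]; then
    demo 666 || echo "(expected failure on the post's chmod 666)"
    demo 600 && echo "ok after chmod 600"
fi
```

Run it with --demo to see both outcomes, or source it and call check_radius_tls on the real properties file as the Tomcat user, since readability is evaluated for whoever runs the check.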

Re: Guacamole+Radius+Eap-tls

Posted by Nick Couchman <vn...@apache.org>.
On Thu, Apr 25, 2019 at 6:39 AM drhy <dy...@huntergroup.co.nz> wrote:

> Hi Nick,
>
> thanks for the offer. But I'm reminded again that not having java skills
> severely limits my ability to backport, given that I am attempting to test
> tunneling of one protocol inside another (EAP-TTLS and say mschapv2).
>
> When I looked at the trace in catalina.out I saw that my ssl errors were
> caused by null pointer errors which made me realise that although I had
> backported the code for simple mschapv1 and mschapv2 including MD4, I
> didn't
> know how to do it for the EAP-TTLS code.
>
> Me thinks it better to wait for 1.1.0 and the redesigned radius provider
> when they are close to release.
>

I would agree that waiting for the 1.1.0 code to come out is a wise move,
or at least wait until the pull request is merged into the code and then
check out the code once that's done and build from there.  That way you
don't have to worry about back-porting.

-Nick

Re: Guacamole+Radius+Eap-tls

Posted by drhy <dy...@huntergroup.co.nz>.
Hi Nick,

thanks for the offer. But I'm reminded again that not having java skills
severely limits my ability to backport, given that I am attempting to test
tunneling of one protocol inside another (EAP-TTLS and say mschapv2). 

When I looked at the trace in catalina.out I saw that my ssl errors were
caused by null pointer errors which made me realise that although I had
backported the code for simple mschapv1 and mschapv2 including MD4, I didn't
know how to do it for the EAP-TTLS code.

Me thinks it better to wait for 1.1.0 and the redesigned radius provider
when they are close to release.

Sorry Kamal.

-David



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

Re: Guacamole+Radius+Eap-tls

Posted by Nick Couchman <vn...@apache.org>.
On Thu, Apr 25, 2019 at 12:27 AM drhy <dy...@huntergroup.co.nz> wrote:

> I have backported the 1.1.0 changes to radius in 1.0.0.
>

Since 1.1.0 is not released, yet, do you mean just the MD4 loading?


>
> I now have pap and mschapv2 successfully working with Microsoft Windows
> 2016/2019 Network Policy Server.
> chap and mschapv1 do not work.
>

"do not work" == ?


>
> When I try eap-ttls with my backported code I get the following error in
> the
> catalina.out log file:
> 16:20:08.712 [https-openssl-nio-443-exec-2] ERROR
> o.a.g.rest.RESTExceptionMapper - Unexpected internal error:
>
> org.slf4j.helpers.MessageFormatter.format(Ljava/lang/String;Ljava/lang/Object;)Ljava/lang/String;
>

It would be useful to see this message in its context and what else occurs
around it.

-Nick

Re: Guacamole+Radius+Eap-tls

Posted by drhy <dy...@huntergroup.co.nz>.
I have backported the 1.1.0 changes to radius in 1.0.0.

I now have pap and mschapv2 successfully working with Microsoft Windows
2016/2019 Network Policy Server. 
chap and mschapv1 do not work.

When I try eap-ttls with my backported code I get the following error in the
catalina.out log file:
16:20:08.712 [https-openssl-nio-443-exec-2] ERROR
o.a.g.rest.RESTExceptionMapper - Unexpected internal error:
org.slf4j.helpers.MessageFormatter.format(Ljava/lang/String;Ljava/lang/Object;)Ljava/lang/String;

-David


Re: Guacamole+Radius+Eap-tls

Posted by Kamal Ezzaki <ka...@gmail.com>.
Do you know any tutorial for configuring EAP-TLS on Windows Server so I can test
it too?

Re: Guacamole+Radius+Eap-tls

Posted by drhy <dy...@huntergroup.co.nz>.
Sorry guys, I've tried downloading and using just the one file you pointed me
to, Kamal, tried the git commands, Nick (I couldn't get them to work), and
tried cloning/downloading all of the current 1.1.0. But I couldn't get a
maven compile to work with radius.

The only compile I can get to work is the vanilla 1.0.0 with radius.

Maybe I should try again when 1.1.0 is closer to finished.

-David


Re: Guacamole+Radius+Eap-tls

Posted by Kamal Ezzaki <ka...@gmail.com>.
If it works with EAP-TLS, please let me know.

On Tue, Apr 23, 2019 at 09:25, Kamal Ezzaki <ka...@gmail.com>
wrote:

> If you use guacamole-client-1.0.0 you can follow my steps; it's working
> fine for me.
>
> On Tue, Apr 23, 2019 at 08:59, drhy <dy...@huntergroup.co.nz> wrote:
>
>> Hi,
>>
>> I don't know my way around github or git, so I just downloaded the raw
>> RadiusConnectionService.java file, pasted in a licence header from another
>> radius file, and copied (cp -f) the file to
>>
>> /root/guacamole-client-1.0.0/extensions/guacamole-auth-radius/src/main/java/org/apache/guacamole/auth/radius/
>>
>> When I ran: mvn clean package -Plgpl-extensions
>> I got the following error (excerpt):
>> [ERROR]
>>
>> /root/guacamole-client-1.0.0/extensions/guacamole-auth-radius/src/main/java/org/apache/guacamole/auth/radius/RadiusConnectionService.java:[23,7]
>> error: duplicate class: RadiusConnectionService
>>
>> Any ideas ?
>>
>> Thanks.
>>
>> -David
>>
>>
>>
>>
>> --
>> Sent from:
>> http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
>>
>
>
> --
>
> EZZAKI Kamal
> Student engineer in Network and Systems Administration at ENSEM
> Tel: +212 6 81 78 28 64
> Email: kamalezzaki1@gmail.com <ka...@gmail.com>
>
>
>


-- 

EZZAKI Kamal
Student engineer in Network and Systems Administration at ENSEM
Tel: +212 6 81 78 28 64
Email: kamalezzaki1@gmail.com <ka...@gmail.com>

Re: Guacamole+Radius+Eap-tls

Posted by Kamal Ezzaki <ka...@gmail.com>.
If you use guacamole-client-1.0.0 you can follow my steps; it's working
fine for me.

On Tue, Apr 23, 2019 at 08:59, drhy <dy...@huntergroup.co.nz> wrote:

> Hi,
>
> I don't know my way around github or git, so I just downloaded the raw
> RadiusConnectionService.java file, pasted in a licence header from another
> radius file, and copied (cp -f) the file to
>
> /root/guacamole-client-1.0.0/extensions/guacamole-auth-radius/src/main/java/org/apache/guacamole/auth/radius/
>
> When I ran: mvn clean package -Plgpl-extensions
> I got the following error (excerpt):
> [ERROR]
>
> /root/guacamole-client-1.0.0/extensions/guacamole-auth-radius/src/main/java/org/apache/guacamole/auth/radius/RadiusConnectionService.java:[23,7]
> error: duplicate class: RadiusConnectionService
>
> Any ideas ?
>
> Thanks.
>
> -David
>
>
>
>
> --
> Sent from:
> http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
>


-- 

EZZAKI Kamal
Student engineer in Network and Systems Administration at ENSEM
Tel: +212 6 81 78 28 64
Email: kamalezzaki1@gmail.com <ka...@gmail.com>

Re: Guacamole+Radius+Eap-tls

Posted by drhy <dy...@huntergroup.co.nz>.
Hi,

I don't know my way around github or git, so I just downloaded the raw
RadiusConnectionService.java file, pasted in a licence header from another
radius file, and copied (cp -f) the file to
/root/guacamole-client-1.0.0/extensions/guacamole-auth-radius/src/main/java/org/apache/guacamole/auth/radius/

When I ran: mvn clean package -Plgpl-extensions
I got the following error (excerpt):
[ERROR]
/root/guacamole-client-1.0.0/extensions/guacamole-auth-radius/src/main/java/org/apache/guacamole/auth/radius/RadiusConnectionService.java:[23,7]
error: duplicate class: RadiusConnectionService

Any ideas ?

Thanks.

-David



Re: Guacamole+Radius+Eap-tls

Posted by Nick Couchman <vn...@apache.org>.
On Sun, Apr 21, 2019 at 7:08 PM drhy <dy...@huntergroup.co.nz> wrote:

> Hi Nick,
>
> I've extensively tested the communications between the Windows Server
> Network Policy Server and the Guacamole RADIUS module on CentOS using:
> CentOS Minimal ISO, release 7.6.1810 (Core)
> Java 1.8.0 (java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64)
> Tomcat 8.5.38
> gcc compiler version 7.3.0
> (in more detail:
>
> http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/Guacamole-1-0-0-with-Radius-and-MySQL-Step-by-step-for-Linux-newbies-td4748.html
> )
>
> In this environment the only successful authentication combination I've
> been
> able to get working between the RADIUS module and Windows Server Network
> Policy Server is PAP. In the catalina.out log the other combinations show
> either authentication failed messages or internal error messages, and
> sometimes an MD4 not available message.
>
> MD4 seems to be required for CHAP, MSCHAPv1 and MSCHAPv2. In addition, it
> appears that the more secure compound tunnels that NPS uses (for example,
> EAP-TLS) all still need CHAP in one form or another. MD4 is no longer
> included in the JDK hence anything requiring a variation of CHAP fails.
>

As far as I can tell, MD4 is not required for plain (non-MS) CHAP.  This is
according to the JRadius code that I'm using to implement the RADIUS
authentication provider.  It should only be required for MS-CHAP v1 and
v2.  Based on the code in the repo, the only thing that MD4 is used for in
MS-CHAP is hashing the NT password.  CHAP should still work fine without
MD4.

Also, as Kamal mentions, I've submitted a pull request to correct this:
https://github.com/apache/guacamole-client/pull/392

This should be corrected in the master branch before too long.  You can
test per my previous instructions - if you're able to, that would be great,
as I don't have a RADIUS server supporting MS-CHAP available, so it's hard
for me to verify it works.  Sounds like Kamal has tested it successfully,
but with a previous version of the changes, so testing on the most recent
version would be great.

Also, as I've mentioned before, from a security perspective, MS-CHAP (with
MD4) may be more secure than plain text, but the reason MD4 was removed
from Java is because MD4 is not secure - it can be relatively easily
cracked (https://en.wikipedia.org/wiki/MD4#Security - "in a few
microseconds").  So, if security is of any reasonable concern to you
between Guacamole and your RADIUS server, I would not rely upon MS-CHAP - I
would use EAP-TLS or EAP-TTLS.  PEAP might be acceptable, too, but there's
a bug in JRadius that has not been addressed, yet, that renders PEAP
useless, so it currently will not work.

-Nick

Re: Guacamole+Radius+Eap-tls

Posted by Kamal Ezzaki <ka...@gmail.com>.
# copy the attached file into
# guacamole-client-1.0.0/extensions/guacamole-auth-radius/src/main/java/org/apache/guacamole/auth/radius/
cp -f RadiusConnectionService.java guacamole-client-1.0.0/extensions/guacamole-auth-radius/src/main/java/org/apache/guacamole/auth/radius/
# regenerate the radius extension
mvn clean package -Plgpl-extensions
# copy the radius extension to your GUACAMOLE_HOME extensions folder and make it
# first in alphabetical order (rename it to guacamole-auth-aradius)
cp guacamole-client-1.0.0/extensions/guacamole-auth-radius/target/guacamole-auth-radius-1.0.0.jar /usr/share/tomcat/.guacamole/extensions/guacamole-auth-aradius-1.0.0.jar
# restart the service
service tomcat restart


Re: Guacamole+Radius+Eap-tls

Posted by Nick Couchman <vn...@apache.org>.
On Mon, Apr 22, 2019 at 5:49 AM drhy <dy...@huntergroup.co.nz> wrote:

> Hi Kamal,
>
> I just try all options on the Windows NPS Server :-) Takes a little time
> but
> is no problem.
>
> My big problem is I don't know how to pull the changed guacamole radius
> files into my maven build. I am very new to Linux so need very detailed,
> line by line, instructions. If you can provide those, then I will build and
> test this weekend, and pass on the resulting NPS Configuration.
>

# git fetch origin pull/392/head:test/392
# git merge --no-ff test/392
# mvn -Plgpl-extensions clean package

This should merge the changes over and compile everything - you'll have to
enter a commit message after step 2.

Please be advised that this is a work-in-progress, so you should only use
it for testing - in particular, I know you're publishing some guides for
others to use for configuring Guacamole in certain ways, and I would not
advise making this part of those guides.  It's also possible the code will
change before it actually gets merged.  The code review should be done
before long and merged into the git master branch, and will be a little
more firm at that point (though still unreleased).

-Nick

Re: Guacamole+Radius+Eap-tls

Posted by drhy <dy...@huntergroup.co.nz>.
Hi Kamal,

I just try all options on the Windows NPS Server :-) Takes a little time but
is no problem.

My big problem is I don't know how to pull the changed guacamole radius
files into my maven build. I am very new to Linux so need very detailed,
line by line, instructions. If you can provide those, then I will build and
test this weekend, and pass on the resulting NPS Configuration.

-David


Re: Guacamole+Radius+Eap-tls

Posted by Kamal Ezzaki <ka...@gmail.com>.
Hi drhy,
For MS-CHAPv1 and MS-CHAPv2 they already fixed this bug (the MD4 problem),
https://issues.apache.org/jira/browse/GUACAMOLE-774, via the following
changes: https://github.com/apache/guacamole-client/pull/392
As for EAP-TLS, I have no idea how to configure Windows Server for EAP-TLS;
if you have any useful information about it, please help.


Re: Guacamole+Radius+Eap-tls

Posted by drhy <dy...@huntergroup.co.nz>.
Hi Kamal,

As I mentioned, Microsoft Network Policy Server (NPS) seems to want some type
of CHAP in almost all of the RADIUS requests, except PAP. CHAP,
MS-CHAP and MS-CHAPv2 have been attacked:
https://blogs.technet.microsoft.com/srd/2012/08/20/weaknesses-in-ms-chapv2-authentication/
http://itsecgames.blogspot.com/2012/09/attacking-ms-chap-v2.html

They all use MD4, which has also been attacked and has now been "retired" as
a standard:
https://tools.ietf.org/html/rfc6150

However, as you have also commented, NPS's more secure EAP-TLS protocol
still needs to tunnel CHAP and MD4. I found this:
https://github.com/frohoff/jdk8u-dev-jdk/blob/master/src/share/classes/sun/security/provider/MD4.java
It would be useful for MD4.java to be included in the Radius Authentication
Provider to support secure communication with NPS, but I don't know how to.

In the meantime I'm using CentOS's built-in IPsec and the Windows Server
L2TP/IPsec capability.
https://www.thomasmaurer.ch/2018/05/how-to-install-vpn-on-windows-server-2019/
https://www.myip.io/how-to-details/configure-l2tp-centos
and/or
http://spottedhyena.co.uk/centos-67-ipsecl2tp-vpn-client-unifi-usg-l2tp-server/

-David


Re: Guacamole+Radius+Eap-tls

Posted by drhy <dy...@huntergroup.co.nz>.
Hi Nick,

I've extensively tested the communications between the Windows Server
Network Policy Server and the Guacamole RADIUS module on CentOS using:
CentOS Minimal ISO, release 7.6.1810 (Core) 
Java 1.8.0 (java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64)
Tomcat 8.5.38 
gcc compiler version 7.3.0 
(in more detail:
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/Guacamole-1-0-0-with-Radius-and-MySQL-Step-by-step-for-Linux-newbies-td4748.html
)

In this environment the only successful authentication combination I've been
able to get working between the RADIUS module and Windows Server Network
Policy Server is PAP. In the catalina.out log the other combinations show
either authentication failed messages or internal error messages, and
sometimes an MD4 not available message.

MD4 seems to be required for CHAP, MSCHAPv1 and MSCHAPv2. In addition, it
appears that the more secure compound tunnels that NPS uses (for example,
EAP-TLS) all still need CHAP in one form or another. MD4 is no longer
included in the JDK hence anything requiring a variation of CHAP fails.

Is there any way that I can include MD4 in my JDK or in the build of the
RADIUS module ?

Thanks.

-David


Re: Guacamole+Radius+Eap-tls

Posted by Nick Couchman <vn...@apache.org>.
On Thu, Apr 18, 2019 at 5:21 AM Kamal Ezzaki <ka...@gmail.com> wrote:

> I see that Windows Server 2012 R2 does not support EAP-TTLS, so I have
> only one option: EAP-TLS.
>

Yes, so, as I asked previously:

Can you define "it's not working" a bit better:
- What error are you getting?
- Is there anything in the log files (Tomcat catalina.out)?
- Have you tested the EAP-TLS authentication with some other RADIUS client
(radtest, etc.), to make sure RADIUS is working properly?

-Nick

Re: Guacamole+Radius+Eap-tls

Posted by Kamal Ezzaki <ka...@gmail.com>.
I see that Windows Server 2012 R2 does not support EAP-TTLS, so I have
only one option: EAP-TLS.

Re: Guacamole+Radius+Eap-tls

Posted by Kamal Ezzaki <ka...@gmail.com>.
Do you know how I can use EAP-TTLS to create a secure tunnel that allows
other protocols (CHAP, PAP, ...) to be used securely? I am using Windows
Server 2012; I have already created a certificate, but I don't see
EAP-TTLS listed in the RADIUS authentication methods. Is there
anything you know of that I can do that will help me?

Re: Guacamole+Radius+Eap-tls

Posted by Nick Couchman <vn...@apache.org>.
>
> I want to set up authentication with RADIUS (Windows Server) using
> EAP-TLS, so this is what I did:
> cp /etc/raddb/certs/client.p12 /usr/share/tomcat/.guacamole/
> chmod 666 client.p12
>
> # Copy the certificate request into the web certificate page to generate one
> cat /etc/raddb/certs/client.csr
> download certnew.cer
> mv certnew.cer certnew.pem
>
> ### Configuration file
> radius-key-file: /usr/share/tomcat/.guacamole/client.p12
> radius-key-type: pkcs12
> radius-ca-file: /usr/share/tomcat/.guacamole/certnew.pem
> radius-ca-type: pem
>
>
> and it's not working, should I change something?
>

Yes, if it's not working, presumably you need to change something ;-).

Can you define "it's not working" a bit better:
- What error are you getting?
- Is there anything in the log files (Tomcat catalina.out)?
- Have you tested the EAP-TLS authentication with some other RADIUS client
(radtest, etc.), to make sure RADIUS is working properly?

-Nick