EAP TEAP support

.gitignore

@@ -37,6 +37,7 @@ conf/template_switches.conf
 conf/uploads/*
 conf/radiusd/eap_profiles.conf
 conf/radiusd/fast.conf
+conf/radiusd/teap.conf
 conf/radiusd/ocsp.conf
 conf/radiusd/tls.conf
 conf/radiusd/radiusd_cli.conf

conf/radiusd/eap.conf.example

@@ -847,6 +847,59 @@ eap [% key -%] {
 		#  identify it.
 #		identity = "FreeRADIUS"
 	}
+[% ELSIF eaptype == "TEAP" %]
+	#  EAP-TEAP
+	#
+	#  The TEAP module implements the EAP-TEAP protocol
+	#
+	teap {
+		#  Point to the common TLS configuration
+		#
+		tls = [% eap.$key.teap_config.tls %]
+
+		#  If 'cipher_list' is set here, it will over-ride the
+		#  'cipher_list' configuration from the 'tls-common'
+		#  configuration.  The EAP-TEAP module has it's own
+		#  over-ride for 'cipher_list' because the
+		#  specifications mandata a different set of ciphers
+		#  than are used by the other EAP methods.
+		#
+		#  cipher_list though must include "ADH" for anonymous provisioning.
+		#  This is not as straight forward as appending "ADH" alongside
+		#  "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is
+		#  recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used
+		#
+		#cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"
+
+		#pac = no
+		#  PAC lifetime in seconds (default: seven days)
+		#
+		# pac_lifetime = 604800
+
+		#  Authority ID of the server
+		#
+		#  If you are running a cluster of RADIUS servers, you should make
+		#  the value chosen here (and for "pac_opaque_key") the same on all
+		#  your RADIUS servers.  This value should be unique to your
+		#  installation.  We suggest using a domain name.
+		#
+		authority_identity = [% eap.$key.teap_config.authority_identity %]
+
+		#  PAC Opaque encryption key (must be exactly 32 bytes in size)
+		#
+		#  This value MUST be secret, and MUST be generated using
+		#  a secure method, such as via 'openssl rand -hex 32'
+		#
+		pac_opaque_key = [% eap.$key.teap_config.pac_opaque_key %]
+
+		#  Same as for TTLS, PEAP, etc.
+		#
+		virtual_server = "packetfence-tunnel-fast"
+
+		copy_request_to_tunnel = yes
+
+		use_tunneled_reply = yes
+	}
 
 [% ELSIF eaptype == "FAST" %]
 	## EAP-FAST

conf/radiusd/eap_profiles.conf.defaults

@@ -9,3 +9,4 @@ tls_tlsprofile = tls-common
 ttls_tlsprofile = tls-common
 peap_tlsprofile = tls-common
 fast_config = default
+teap_config = default

conf/radiusd/mschap.conf.example

@@ -375,6 +375,191 @@ mschap chrooted_mschap {
 
 	# An optional retry message.
 #	retry_msg = "Re-enter (or reset) the password"
+}
+
+	mschap chrooted_mschap_mppe {
+	#
+	#  If you are using /etc/smbpasswd, see the 'passwd'
+	#  module for an example of how to use /etc/smbpasswd
+
+	# if use_mppe is not set to no mschap will
+	# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
+	# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
+	#
+	use_mppe = yes
+
+	# if mppe is enabled require_encryption makes
+	# encryption moderate
+	#
+	require_encryption = yes
+
+	# require_strong always requires 128 bit key
+	# encryption
+	#
+	require_strong = yes
+
+	# The module can perform authentication itself, OR
+	# use a Windows Domain Controller.  This configuration
+	# directive tells the module to call the ntlm_auth
+	# program, which will do the authentication, and return
+	# the NT-Key.  Note that you MUST have "winbindd" and
+	# "nmbd" running on the local machine for ntlm_auth
+	# to work.  See the ntlm_auth program documentation
+	# for details.
+	#
+	# If ntlm_auth is configured below, then the mschap
+	# module will call ntlm_auth for every MS-CHAP
+	# authentication request.  If there is a cleartext
+	# or NT hashed password available, you can set
+	# "MS-CHAP-Use-NTLM-Auth := No" in the control items,
+	# and the mschap module will do the authentication itself,
+	# without calling ntlm_auth.
+	#
+	# Be VERY careful when editing the following line!
+	#
+	# You can also try setting the user name as:
+	#
+	#	... --username=%{mschap:User-Name} ...
+	#
+	# In that case, the mschap module will look at the User-Name
+	# attribute, and do prefix/suffix checks in order to obtain
+	# the "best" user name for the request.
+	#
+	# Call ntlm_auth through the logging wrapper. Make sure to preserve the -- separator to distinguish between
+	# the args to the wrapper and those to the ntlm_auth executable itself
+	ntlm_auth = "/usr/local/pf/bin/ntlm_auth_wrapper -p [% statsd_port %] -a %{PacketFence-NTLM-Auth-Host} -t %{PacketFence-NTLM-Auth-Port} -- \
+	        --request-nt-key --mac=%{%{Calling-Station-Id}:-''} --username=%{%{control:AD-Samaccountname}:-%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
+
+	# The default is to wait 10 seconds for ntlm_auth to
+	# complete.  This is a long time, and if it's taking that
+	# long then you likely have other problems in your domain.
+	# The length of time can be decreased with the following
+	# option, which can save clients waiting if your ntlm_auth
+	# usually finishes quicker. Range 1 to 10 seconds.
+	#
+	ntlm_auth_timeout = 3
+
+	# An alternative to using ntlm_auth is to connect to the
+	# winbind daemon directly for authentication. This option
+	# is likely to be faster and may be useful on busy systems,
+	# but is less well tested.
+	#
+	# Using this option requires libwbclient from Samba 4.2.1
+	# or later to be installed. Make sure that ntlm_auth above is
+	# commented out.
+	#
+	#	winbind_username = "%{mschap:User-Name}"
+	#	winbind_domain = "%{mschap:NT-Domain}"
+
+	#
+	#  Information for the winbind connection pool.  The configuration
+	#  items below are the same for all modules which use the new
+	#  connection pool.
+	#
+	pool {
+#  Connections to create during module instantiation.
+#  If the server cannot create specified number of
+#  connections during instantiation it will exit.
+#  Set to 0 to allow the server to start without the
+#  winbind daemon being available.
+start = ${thread[pool].start_servers}
+
+#  Minimum number of connections to keep open
+min = ${thread[pool].min_spare_servers}
+
+#  Maximum number of connections
+#
+#  If these connections are all in use and a new one
+#  is requested, the request will NOT get a connection.
+#
+#  Setting 'max' to LESS than the number of threads means
+#  that some threads may starve, and you will see errors
+#  like 'No connections available and at max connection limit'
+#
+#  Setting 'max' to MORE than the number of threads means
+#  that there are more connections than necessary.
+max = ${thread[pool].max_servers}
+
+#  Spare connections to be left idle
+#
+#  NOTE: Idle connections WILL be closed if "idle_timeout"
+#  is set.  This should be less than or equal to "max" above.
+spare = ${thread[pool].max_spare_servers}
+
+#  Number of uses before the connection is closed
+#
+#  0 means "infinite"
+uses = 0
+
+#  The number of seconds to wait after the server tries
+#  to open a connection, and fails.  During this time,
+#  no new connections will be opened.
+retry_delay = 30
+
+#  The lifetime (in seconds) of the connection
+#
+#  NOTE: A setting of 0 means infinite (no limit).
+lifetime = 86400
+
+#  The pool is checked for free connections every
+#  "cleanup_interval".  If there are free connections,
+#  then one of them is closed.
+cleanup_interval = 300
+
+#  The idle timeout (in seconds).  A connection which is
+#  unused for this length of time will be closed.
+#
+#  NOTE: A setting of 0 means infinite (no timeout).
+idle_timeout = 600
+
+#  NOTE: All configuration settings are enforced.  If a
+#  connection is closed because of "idle_timeout",
+#  "uses", or "lifetime", then the total number of
+#  connections MAY fall below "min".  When that
+#  happens, it will open a new connection.  It will
+#  also log a WARNING message.
+#
+#  The solution is to either lower the "min" connections,
+#  or increase lifetime/idle_timeout.
+}
+
+passchange {
+# This support MS-CHAPv2 (not v1) password change
+# requests.  See doc/mschap.rst for more IMPORTANT
+# information.
+#
+# Samba/ntlm_auth - if you are using ntlm_auth to
+# validate passwords, you will need to use ntlm_auth
+# to change passwords.  Uncomment the three lines
+# below, and change the path to ntlm_auth.
+#
+#		ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1"
+#		ntlm_auth_username = "username: %{mschap:User-Name}"
+#		ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}"
+
+# To implement a local password change, you need to
+# supply a string which is then expanded, so that the
+# password can be placed somewhere.  e.g. passed to a
+# script (exec), or written to SQL (UPDATE/INSERT).
+# We give both examples here, but only one will be
+# used.
+#
+#		local_cpw = "%{exec:/path/to/script %{mschap:User-Name} %{MS-CHAP-New-Cleartext-Password}}"
+#
+#		local_cpw = "%{sql:UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{SQL-User-Name}' and attribute='NT-Password'}"
+}
+
+# For Apple Server, when running on the same machine as
+# Open Directory.  It has no effect on other systems.
+#
+#	use_open_directory = yes
+
+# On failure, set (or not) the MS-CHAP error code saying
+# "retries allowed".
+allow_retry = no
+
+# An optional retry message.
+#	retry_msg = "Re-enter (or reset) the password"
 }
 
 mschap chrooted_mschap_machine {

conf/radiusd/teap.conf.defaults

@@ -0,0 +1,5 @@
+[default]
+tls = tls-eap-teap
+authority_identity = 1234
+pac_opaque_key = 0123456789abcdef0123456789ABCDEF
+

conf/radiusd/tls.conf.defaults

@@ -17,3 +17,13 @@ ecdh_curve = prime256v1
 tls_min_version = 1.2
 tls_max_version = 1.2
 ocsp=default
+
+[tls-eap-teap]
+certificate_profile=radius
+dh_file = ${certdir}/dh
+ca_path = ${cadir}
+cipher_list = ALL:!EXPORT:!eNULL:!SSLv2
+ecdh_curve = prime256v1
+tls_min_version = 1.2
+tls_max_version = 1.2
+ocsp=default

debian/packetfence.conffiles

@@ -82,6 +82,7 @@
 /usr/local/pf/conf/radiusd/eap_profiles.conf
 /usr/local/pf/conf/radiusd/eduroam.conf
 /usr/local/pf/conf/radiusd/fast.conf
+/usr/local/pf/conf/radiusd/teap.conf
 /usr/local/pf/conf/radiusd/ldap_packetfence.conf
 /usr/local/pf/conf/radiusd/load_balancer.conf
 /usr/local/pf/conf/radiusd/mschap.conf

docs/installation/eap_teap.asciidoc

@@ -0,0 +1,43 @@
+// to display images directly on GitHub
+ifdef::env-github[]
+:encoding: UTF-8
+:lang: en
+:doctype: book
+:toc: left
+:imagesdir: ../images
+endif::[]
+
+////
+
+    This file is part of the PacketFence project.
+
+    See PacketFence_Installation_Guide.asciidoc
+    for authors, copyright and license information.
+
+////
+
+
+//== PacketFence Certificates (for v11.2 and later)
+
+=== Introduction
+
+==== Context and Objectives of the Documentation
+
+Since PacketFence v14.2, we introduced EAP TEAP support, EAP-TEAP is considered as a faster and next generation of EAP PEAP.
+
+
+==== Important notes before starting
+
+EAP TEAP is supported only with PacketFence v14.2 or later.
+EAP TEAP is supported on Windows 10 (20H2) or later.
+
+==== Enable TEAP in PacketFence
+To use TEAP, you'll need to enable TEAP.
+1. Go to *Configuration* -> *System Configuration* -> *RADIUS* -> *EAP Profiles*
+2. In EAP Profiles you are using, in *EAP Authentication types*, adds "TEAP" and click save.
+
+==== TEAP Limitations
+1. EAP TEAP is widely supported on Windows platform, however, it's not widely supported on other platforms, such as MacOS, iOS or Android.
+1. There's a limitation on domain joined machines to enable EAP TEAP if your Domain Controller is running Windows 2019 or earlier. They will not be able to do EAP chaining. But you can still configure TEAP on your wired or wirless network.
+1. To use EAP chaining on a domain-joined machine, you'll have to make sure the Domain Controller is running a Windows Server 2022 or later.
+

html/pfappserver/lib/pfappserver/Form/Config/Radiusd/EAPProfile.pm

@@ -15,6 +15,7 @@ use warnings;
 use HTML::FormHandler::Moose;
 use pf::ConfigStore::Radiusd::TLSProfile;
 use pf::ConfigStore::Radiusd::FastProfile;
+use pf::ConfigStore::Radiusd::TeapProfile;
 extends 'pfappserver::Base::Form';
 with qw(pfappserver::Base::Form::Role::Help);
 ## Definition
@@ -30,7 +31,7 @@ has_field default_eap_type => (
     label    => 'Default EAP Type',
     options  => [
         map { { value => lc($_), label => $_ } }
-          qw(GTC MD5 MSCHAPv2 LEAP PEAP FAST TLS TTLS)
+          qw(GTC MD5 MSCHAPv2 LEAP PEAP FAST TLS TTLS TEAP)
     ],
 );
 
@@ -56,7 +57,7 @@ has_field eap_authentication_types => (
     multiple => 1,
     options  => [
         map { { value => $_, label => $_ } }
-          qw(GTC MD5 MSCHAPv2 LEAP PEAP FAST TLS TTLS)
+          qw(GTC MD5 MSCHAPv2 LEAP PEAP FAST TLS TTLS TEAP)
     ]
 );
 
@@ -72,6 +73,11 @@ has_field fast_config => (
     options_method => \&options_fast,
 );
 
+has_field teap_config => (
+    type => 'Select',
+    options_method => \&options_teap,
+);
+
 sub options_tls {
     return  map { { value => $_, label => $_ } } @{pf::ConfigStore::Radiusd::TLSProfile->new->readAllIds};
 }
@@ -80,6 +86,10 @@ sub options_fast {
     return  map { { value => $_, label => $_ } } @{pf::ConfigStore::Radiusd::FastProfile->new->readAllIds};
 }
 
+sub options_teap {
+    return  map { { value => $_, label => $_ } } @{pf::ConfigStore::Radiusd::TeapProfile->new->readAllIds};
+}
+
 =head1 AUTHOR
 
 Inverse inc. <[email protected]>