Re: EAP TLS client
On 2/15/13, Stefan Winter stefan.win...@restena.lu wrote:

>> Hi,
>> I have configured freeradius to entertain EAP-TLS requests, and I am using the freeradius certificate (shipped with the software). I got stuck at the end: now I don't know how to send an EAP-TLS request to the server. I read man radeapclient, but it only supports md5. Could you please tell me how I could send a request to the server using the EAP-TLS authentication method?
>
> Either by using a real EAP supplicant (Windows machine, Mac OS, ...) or for a command-line test use eapol_test, which is part of wpa_supplicant.
>
> Stefan
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
> Tel: +352 424409 1
> Fax: +352 422473

Thanks Stefan, for your answer. I preferred the command-line tool eapol_test. I also have wpasupplicant from the official website. But I have a problem: when I want to make eapol_test it gives the following error.

  /usr/bin/ld: cannot find -lnl
  collect2: ld returned 1 exit status
  make: *** [eapol_test] Error 1

Any idea about this error?

--
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP TLS client
Hi,

> official website. But I have a problem: when I want to make eapol_test it gives the following error.
>
>   /usr/bin/ld: cannot find -lnl
>   collect2: ld returned 1 exit status
>   make: *** [eapol_test] Error 1
>
> Any idea about this error?

Compilation error due to missing libraries. However, this is NOT a FreeRADIUS issue and the answer can be sought from the wpa_supplicant mailing list.

alan
Re: EAP TLS client
Hi,

> I have configured freeradius to entertain EAP-TLS requests, and I am using the freeradius certificate (shipped with the software). I got stuck at the end: now I don't know how to send an EAP-TLS request to the server. I read man radeapclient, but it only supports md5. Could you please tell me how I could send a request to the server using the EAP-TLS authentication method?

Either by using a real EAP supplicant (Windows machine, Mac OS, ...) or for a command-line test use eapol_test, which is part of wpa_supplicant.

Stefan

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
IEEE 802.1x EAP-TLS Client Problems
Hi all,

I am not able to authenticate a client running openSUSE 11.2 against my RADIUS server. Doing the same with an Ubuntu 9.10 live CD works.

Successful authentication, radius output: http://paste.debian.net/69138/

Here the radius output when I try to connect via openSUSE with KNetworkmanager: http://paste.debian.net/69139/

The KNetworkmanager log says: http://paste.debian.net/69140/

Looks like the server does not get all messages from the client.

I tried the same with wpa_supplicant: http://paste.debian.net/69142/ and xsupplicant: http://paste.debian.net/69143/

No communication with the RADIUS server happened. I mean I got nothing on the server side.

I don't know what I should do next; I need it working with openSUSE 11.2, switching to Ubuntu is no option. The log output does not say much (anything) to me. I hope someone can help me with this.

Dirk
Re: IEEE 802.1x EAP-TLS Client Problems
Dirk Müller wrote:
> Here the radius output when I try to connect via openSUSE with KNetworkmanager:

IIRC, it's a bug in KNetworkmanager ...

> get_secrets_cb(): Couldn't get connection secrets: User refused to supply secrets.

That's an issue with KNetworkmanager, and it has nothing to do with FreeRADIUS.

> No communication with the RADIUS server happened. I mean I got nothing on the server side.

Those logs show the supplicant receiving a failure. If there's no traffic to the server, then blame the access point.

> I don't know what I should do next; I need it working with openSUSE 11.2, switching to Ubuntu is no option. The log output does not say much (anything) to me. I hope someone can help me with this.

Try a different access point.

Alan DeKok.
PEAP + EAP-TLS: client certificates
Hi,

Sorry for the trivial questions but here I go:

I think I configured freeradius correctly for EAP-TLS and PEAP with ms-chap, which authenticates using the ntlm_auth helper application.

If I try to connect from a Windows client via a wireless AP WIFIAP1 with Active Directory user1 I see this in the log:

  Thu Oct 22 10:05:49 2009 : Auth: Login OK: [user1/via Auth-Type = EAP] (from client WIFIAP1 port 0 via TLS tunnel)
  Thu Oct 22 10:05:49 2009 : Auth: Login OK: [user1/via Auth-Type = EAP] (from client WIFIAP1 port 48 cli 001a73f7f0f7)

Dumb question: does this mean the client used PEAP to connect? Can I deduce this from "Auth-Type = EAP" and from "via TLS tunnel"?

If connected via PEAP, authentication is secure. However, I'd like to know if the data exchanged between the clients and the rest of the LAN via the Access Point is also encrypted and cannot be sniffed. Does this data encryption depend only on the AP's encryption settings (eg. AES) and does FreeRadius get out of this equation after authentication?

If I install a self-signed certificate on another Windows client and connect via EAP-TLS then I can connect without having to use an Active Directory user, as expected. I'm wondering if I can *require* both a certificate on the client machine AND an AD user authentication. In other words, how can I *require* PEAP-EAP-TLS? (currently, my freeradius configuration seems to require PEAP OR EAP-TLS)

Freeradius version: 2.0.5

Thanks,
Vieri
Re: PEAP + EAP-TLS: client certificates
> If I try to connect from a Windows client via a wireless AP WIFIAP1 with Active Directory user1 I see this in the log:
>
>   Thu Oct 22 10:05:49 2009 : Auth: Login OK: [user1/via Auth-Type = EAP] (from client WIFIAP1 port 0 via TLS tunnel)
>   Thu Oct 22 10:05:49 2009 : Auth: Login OK: [user1/via Auth-Type = EAP] (from client WIFIAP1 port 48 cli 001a73f7f0f7)
>
> Dumb question: does this mean the client used PEAP to connect? Can I deduce this from "Auth-Type = EAP" and from "via TLS tunnel"?

Can also be TTLS.

> If connected via PEAP, authentication is secure. However, I'd like to know if the data exchanged between the clients and the rest of the LAN via the Access Point is also encrypted and cannot be sniffed. Does this data encryption depend only on the AP's encryption settings (eg. AES) and does FreeRadius get out of this equation after authentication?

Radius has nothing to do with that.

> If I install a self-signed certificate on another Windows client and connect via EAP-TLS then I can connect without having to use an Active Directory user, as expected. I'm wondering if I can *require* both a certificate on the client machine AND an AD user authentication. In other words, how can I *require* PEAP-EAP-TLS? (currently, my freeradius configuration seems to require PEAP OR EAP-TLS)
>
> Freeradius version: 2.0.5

Don't know about that version. It should say how to require certificates for peap in eap.conf above peap section. At least it does in the current version. If it doesn't - it probably isn't supported, so upgrade.

Ivan Kalik
Kalik Informatika ISP
Re: PEAP + EAP-TLS: client certificates
--- On Thu, 10/22/09, Ivan Kalik t...@kalik.net wrote:

>> If I install a self-signed certificate on another Windows client and connect via EAP-TLS then I can connect without having to use an Active Directory user, as expected. I'm wondering if I can *require* both a certificate on the client machine AND an AD user authentication. In other words, how can I *require* PEAP-EAP-TLS? (currently, my freeradius configuration seems to require PEAP OR EAP-TLS)
>>
>> Freeradius version: 2.0.5
>
> Don't know about that version. It should say how to require certificates for peap in eap.conf above peap section.

Is this the option?

  EAP-TLS-Require-Client-Cert = Yes

I'm not sure where I should place it.
Re: PEAP + EAP-TLS: client certificates
> Is this the option?
>
>   EAP-TLS-Require-Client-Cert = Yes
>
> I'm not sure where I should place it.

Authorize section of inner-tunnel virtual server I think. Use unlang (update control ...).

Ivan Kalik
Kalik Informatika ISP
Re: PEAP + EAP-TLS: client certificates
PS. No, default virtual server looks more like it. Won't hurt to try both.

Ivan Kalik
Kalik Informatika ISP
Re: PEAP + EAP-TLS: client certificates
--- On Thursday, October 22, 2009, 9:05 AM, Vieri rentor...@yahoo.com wrote (Subject: Re: PEAP + EAP-TLS: client certificates, To: freeradius-users@lists.freeradius.org):

> --- On Thu, 10/22/09, Ivan Kalik t...@kalik.net wrote:
>
>>> If I install a self-signed certificate on another Windows client and connect via EAP-TLS then I can connect without having to use an Active Directory user, as expected. I'm wondering if I can *require* both a certificate on the client machine AND an AD user authentication. In other words, how can I *require* PEAP-EAP-TLS? (currently, my freeradius configuration seems to require PEAP OR EAP-TLS)
>>>
>>> Freeradius version: 2.0.5
>>
>> Don't know about that version. It should say how to require certificates for peap in eap.conf above peap section.
>
> Is this the option?
>
>   EAP-TLS-Require-Client-Cert = Yes
>
> I'm not sure where I should place it.

If in eap.conf I have:

  peap {
      ...
      virtual_server = inner-tunnel
  }

then maybe I should edit sites-available/inner-tunnel and add:

  server inner-tunnel {
      ...
      authorize {
          ...
          update control {
              ...
              EAP-TLS-Require-Client-Cert = Yes
          }
      }
  }

Is this correct?
Re: EAP - TLS Client Certification Stored Removable Media
Hello Aydın

Do let me know if things have started working for you...

Actually I would assume that in order to use a smart card on the client you would not need to make any changes on the radius server configuration. Just that the application which is reading certificates on the client should be configured to use the correct CSP. I am assuming the certificate in the smart card is from the CA configured on the freeradius server.

I hope I understood your question correctly!!!

Cheers!!
Suraj

----- Original Message -----
From: Aydın KOÇAK [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, 4 November, 2008 9:48:38 PM
Subject: EAP - TLS Client Certification Stored Removable Media

> Hello All;
>
> I have a question about EAP-TLS. How can I configure client certification stored on removable media (ex: USB memory, smartcard, etc..)? I have already used EAP-TLS with client certification stored on Windows (client) but I need a solution where the user can authenticate when he inserts his USB memory and is logged out when he removes his USB memory.
>
> My system is running with EAP-TLS authentication and LDAP authorization and the clients use 802.1x ...
>
> Thank You For Your Relation,
> Aydin Kocak, TURKOM.
EAP - TLS Client Certification Stored Removable Media
Hello All;

I have a question about EAP-TLS. How can I configure client certification stored on removable media (ex: USB memory, smartcard, etc..)? I have already used EAP-TLS with client certification stored on Windows (client) but I need a solution where the user can authenticate when he inserts his USB memory and is logged out when he removes his USB memory.

My system is running with EAP-TLS authentication and LDAP authorization and the clients use 802.1x ...

Thank You For Your Relation,
Aydin Kocak, TURKOM.
Re: EAP - TLS Client Certification Stored Removable Media
On Tue, Nov 4, 2008 at 11:18 AM, Aydın KOÇAK [EMAIL PROTECTED] wrote:
> Hello All;
>
> I have a question about EAP-TLS. How can I configure client certification stored on removable media (ex: USB memory, smartcard, etc..)? I have already used EAP-TLS with client certification stored on Windows (client) but I need a solution where the user can authenticate when he inserts his USB memory and is logged out when he removes his USB memory.

This is a question specific to the client OS. Specifically, you are relying on functionality provided by middleware (and OS hooks). Also, let's be clear here, you're talking about a USB *token* not a USB flash drive. While similar in technology, very different in many ways.
Re: EAP - TLS Client Certification Stored Removable Media
> I have a question about EAP-TLS.

No, you don't.

> How can I configure client certification stored on removable media (ex: USB memory, smartcard, etc..)? I have already used EAP-TLS with client certification stored on Windows (client) but I need a solution where the user can authenticate when he inserts his USB memory and is logged out when he removes his USB memory.
>
> My system is running with EAP-TLS authentication and LDAP authorization and the clients use 802.1x ...

This is implemented in a hospital I work for: http://www.gemauth.com/

You want something like that. Nothing to do with radius.

Ivan Kalik
Kalik Informatika ISP
Re: EAP - TLS Client Certification Stored Removable Media
Aydın KOÇAK wrote:
> Hello All;
>
> I have a question about EAP-TLS. How can I configure client certification stored on removable media (ex: USB memory, smartcard, etc..)? I have already used EAP-TLS with client certification stored on Windows (client) but I need a solution where the user can authenticate when he inserts his USB memory and is logged out when he removes his USB memory.

This is an issue for the local OS, not for RADIUS. See the OS documentation for how to do this.

Alan DeKok.
Re: Re: EAP - TLS Client Certification Stored Removable Media
Hello;

Thank you for your replies... You are right, it isn't related to radius... I can do it but it takes time...

Thank You,
Aydin KOCAK.
EAP-TLS: getting updated CRLs via cron for use with check_crl = yes option for EAP-TLS client-authN
Hi,

here is a pointer to a useful script I use to fetch updated CRLs for client-certificate issuing CAs from their http CDPs via cron:

http://dist.eugridpma.info/distribution/util/fetch-crl/

Just add a restart for the radiusd to make it aware of new CRLs.

--
Kind Regards
Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki

--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Freeradius EAP-TLS client/server certificate
Hi

This question is rather a certificate question but ...

How does EAP-TLS certificate authentication work? As I know, the server sends his certificate first with his public key to the client. The client sends his certificate to the radius server. I had first the username of the client (identity string of EAP) in the users file. My client is authorized. Then I deleted the user and the client is still accepted. How can I restrict the clients? Does it mean that every generated certificate which is not revoked can be used, i.e. is authorized?

The same is for the server side. How can I guarantee I'm on the right server if I don't have the server certificate on the client (supplicant) side?

In the wpa_supplicant config file they talk about Phase1 (outer authentication) and Phase2 (inner authentication) but only for EAP-PEAP or EAP-TTLS, and it says "Following certificate/private key fields are used in inner Phase2". I'm really confused.

Is there any good beginner docu about how certificate authentication and EAP-TLS work? But please not rfc 2246 ...

I'm working with freeradius-1.0.2, wpa_supplicant-0.3.8 as Supplicant and a Linksys WRT54G as NAS.

Thanks a lot
Beat
EAP-TLS Client certificate revoke
hello,

I have a problem with the CRL list in the EAP-TLS auth. EAP-TLS works with my user certs; if check_crl = yes in the eap.conf, all certs are rejected.

-log-
  modcall: entering group authenticate for request 4
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Length Included
  eaptls_verify returned 11
  rlm_eap_tls: TLS 1.0 Handshake [length 02e1], Certificate
  --> verify error:num=3:unable to get certificate CRL
  chain-depth=0,
  error=3
  --> User-Name = note1
  --> BUF-Name = note1
  --> subject = /C=DE/ST=Sachsen-Anhalt/L=Halberstadt/O=Neue Medien und Netzwerke GbR/CN=note1/[EMAIL PROTECTED]
  --> issuer = /C=DE/ST=Sachsen-Anhalt/L=Halberstadt/O=Neue Medien und Netzwerke GbR/OU=Funklan CA/CN=Funklan CA/[EMAIL PROTECTED]
  --> verify return:0
  rlm_eap_tls: TLS 1.0 Alert [length 0002], fatal unknown_ca
  TLS Alert write:fatal:unknown CA
  TLS_accept:error in SSLv3 read client certificate B
  19229:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2010:
  rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
  In SSL Handshake Phase
  In SSL Accept mode
  eaptls_process returned 13
  modcall[authenticate]: module eap returns handled for request 4
  modcall: group authenticate returns handled for request 4
  Sending Access-Challenge of id 0 to 192.168.0.15:49152
      EAP-Message = 0x010500110d8715030100020230
      Message-Authenticator = 0x
      State = 0x50f4f705a040bb56d46013697986ce24
  Finished request 4
  Going to the next request
  Waking up in 5 seconds...
  rad_recv: Access-Request packet from host 192.168.0.15:49152, id=1, length=171
      User-Name = note1
      NAS-IP-Address = 192.168.0.15
      Called-Station-Id = 00-01-CD-0B-26-AE
      Calling-Station-Id = 00-02-2D-4A-DB-7E
      NAS-Identifier = HFL-APC-GWS1
      NAS-Port = 0
      Framed-MTU = 1492
      State = 0x50f4f705a040bb56d46013697986ce24
      NAS-Port-Type = Wireless-802.11
      Connect-Info = CONNECT 11Mbps 802.11b
      EAP-Message = 0x020500060d00
      Message-Authenticator = 0xb6fae714f40c757bb2457ed05bf07f08
  Processing the authorize section of radiusd.conf
  modcall: entering group authorize for request 5
  modcall[authorize]: module preprocess returns ok for request 5
  modcall[authorize]: module chap returns noop for request 5
  modcall[authorize]: module mschap returns noop for request 5
  rlm_realm: No '@' in User-Name = note1, looking up realm NULL
  rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 5
  rlm_eap: EAP packet type response id 5 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 5
  users: Matched DEFAULT at 152
  modcall[authorize]: module files returns ok for request 5
  modcall: group authorize returns updated for request 5
  rad_check_password: Found Auth-Type EAP
  auth: type EAP
  Processing the authenticate section of radiusd.conf
  modcall: entering group authenticate for request 5
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack alert
  eaptls_verify returned 4
  eaptls_process returned 4
  rlm_eap: Handler failed in EAP/tls
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module eap returns invalid for request 5
  modcall: group authenticate returns invalid for request 5
  auth: Failed to validate the user.
  Delaying request 5 for 1 seconds
  Finished request 5
  Going to the next request
  Waking up in 5 seconds...
  --- Walking the entire request list ---
  Sending Access-Reject of id 1 to 192.168.0.15:49152
      EAP-Message = 0x04050004
      Message-Authenticator = 0x
-log-

the cacert.pem and the crl.pem are in the same directory
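An added triage script for this kind of failure (my example, not code from the thread or from FreeRADIUS): it scans rlm_eap_tls debug output, pairs each "verify error:num=N" line with the chain depth, User-Name, issuer and the fatal TLS alert that followed, and maps the OpenSSL code to the first thing an operator should check. The hint for code 3 follows the check_crl notes in FreeRADIUS's eap.conf (CRL in the CA directory, c_rehash, restart radiusd); the "-->" line prefix is assumed from the log above and the sample log is constructed.

```python
import re

# First thing to check for the OpenSSL verify codes (values from x509_vfy.h) that
# rlm_eap_tls prints as "verify error:num=N" when check_crl = yes is in force.
HINTS = {
    2: "the issuer cert is missing from the server's CA file/directory",
    3: ("no CRL found for this issuer: OpenSSL looks the CRL up by issuer hash in the "
        "CA directory, so put the CRL there, run c_rehash and restart radiusd"),
    12: "the CRL is past its nextUpdate: fetch a fresh CRL and restart radiusd",
    23: "the client cert is listed in the CRL: rejection is the intended outcome",
}

VERIFY_RE = re.compile(r"verify error:num=(\d+):(.*?)(?:\s+chain-depth=.*)?$")
DEPTH_RE = re.compile(r"chain-depth=(\d+)")
FIELD_RE = re.compile(r"^-->\s*(User-Name|subject|issuer)\s*=\s*(.*)$")
ALERT_RE = re.compile(r"TLS Alert write:fatal:(.*)$")


def triage_eap_tls_log(text):
    """Return one record per failed certificate verification in an rlm_eap_tls log."""
    findings, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = VERIFY_RE.search(line)
        if m:  # a verify error opens a record; the lines that follow fill it in
            cur = {"num": int(m.group(1)), "reason": m.group(2).strip(), "depth": None,
                   "User-Name": None, "subject": None, "issuer": None, "alert": None}
            cur["hint"] = HINTS.get(cur["num"], "look the code up in OpenSSL x509_vfy.h")
            findings.append(cur)
        if cur is None:
            continue
        if DEPTH_RE.search(line):
            cur["depth"] = int(DEPTH_RE.search(line).group(1))  # 0 = the client cert
        elif FIELD_RE.match(line):
            key, value = FIELD_RE.match(line).groups()
            cur[key] = value.strip()
        elif ALERT_RE.search(line):
            cur["alert"] = ALERT_RE.search(line).group(1).strip()
            cur = None  # the fatal alert ends this handshake attempt
    return findings


def summarize(findings):
    """One line per finding, e.g. for a cron-driven log watch mail."""
    return ["%s: verify error %d (%s) at depth %s, issuer %s, alert %r. Check: %s"
            % (f["User-Name"], f["num"], f["reason"], f["depth"], f["issuer"],
               f["alert"], f["hint"]) for f in findings]


# Constructed sample, modelled on the debug output quoted in the thread above.
SAMPLE_LOG = """\
rlm_eap_tls: TLS 1.0 Handshake [length 02e1], Certificate
--> verify error:num=3:unable to get certificate CRL
chain-depth=0,
--> User-Name = note1
--> subject = /C=DE/O=Example GbR/CN=note1
--> issuer = /C=DE/O=Example GbR/OU=Funklan CA/CN=Funklan CA
rlm_eap_tls: TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
"""

if __name__ == "__main__":
    for line in summarize(triage_eap_tls_log(SAMPLE_LOG)):
        print(line)
```

Run it over the output of radiusd -X (or feed it the saved debug log) to get one line per rejected certificate instead of reading the whole handshake trace.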