Re: more EAP/TTLS trouble
On 05/29/2012 10:28 PM, Steve Hopps wrote:

> So I'm confused, what's the right way to handle this situation?

What situation? What are you trying to do?

Alan has already hinted at the issue, but basically see here:

http://deployingradius.com/documents/protocols/oracles.html

...and here:

http://deployingradius.com/documents/protocols/compatibility.html

Whatever protocol you are running within TTLS, it's not PAP, therefore not compatible with PAM-as-an-oracle.

> rlm_pam: Attribute User-Password is required for authentication.
> ++[pam] returns invalid

PAM is being forced (I think) here:

> [files] users: Matched entry DEFAULT at line 222

...fix that line. Don't force PAM if you don't want or need it, and if you want/need it, pick compatible authentication.

The Proxy-To-Realm comments in the default config files might be out of date; in general, obey what the debug says over ANY other advice, because it's coming from the actual code.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: more EAP/TTLS trouble
Steve Hopps wrote:

> But according to the configuration file:
> ...
> update control {
>     Proxy-To-Realm := LOCAL
> }
>
> So I'm confused, what's the right way to handle this situation?

Don't edit proxy.conf to delete the LOCAL realm?

Alan DeKok.
Re: more EAP/TTLS trouble
We're trying to use an access point configured for WPA2 using FreeRADIUS to authenticate with OpenLDAP. For Android and Linux it works out of the box with EAP/TTLS and PAP. So we used PAM cause it already works with LDAP. I didn't know other encryption types wouldn't work with PAM.

IPhones work with a custom config profile that's easily installed. However, our most significant hurdle is Windows machines. Who would have guessed??? For some stupid reason Microsoft doesn't care about supporting all modern encryption standards. Making our staff pay for SecureW2 isn't an option and XSupplicant doesn't work reliably yet in 64-bit Win7. So I'm back to trying to get MSCHAPv2 working with PEAP. This seems impossible.

On May 30, 2012 2:43 AM, Phil Mayers p.may...@imperial.ac.uk wrote:

> On 05/29/2012 10:28 PM, Steve Hopps wrote:
>> So I'm confused, what's the right way to handle this situation?
>
> What situation? What are you trying to do?
>
> Alan has already hinted at the issue, but basically see here:
>
> http://deployingradius.com/documents/protocols/oracles.html
>
> ...and here:
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
> Whatever protocol you are running within TTLS, it's not PAP, therefore not compatible with PAM-as-an-oracle.
>
>> rlm_pam: Attribute User-Password is required for authentication.
>> ++[pam] returns invalid
>
> PAM is being forced (I think) here:
>
>> [files] users: Matched entry DEFAULT at line 222
>
> ...fix that line. Don't force PAM if you don't want or need it, and if you want/need it, pick compatible authentication.
>
> The Proxy-To-Realm comments in the default config files might be out of date; in general, obey what the debug says over ANY other advice, because it's coming from the actual code.
Re: more EAP/TTLS trouble
Steve Hopps wrote:

> We're trying to use an access point configured for wpa2 using freeradius to authenticate with openldap. For Android and Linux it works out of the box with eap/ttls and pap. So we used Pam cause it already works with ldap. I didn't know other encryption types wouldn't work with Pam.

This confuses me. Why use PAM when FreeRADIUS can use LDAP directly?

> IPhones work with a custom config profile that's easily installed. However, our most significant hurdle is windows machines. Who would have guessed??? For some stupid reason Microsoft doesn't care about supporting all modern encryption standards. Making our staff pay for SecureW2 isn't an option and XSupplicant doesn't work reliably yet in 64bit Win7. So I'm back to trying to get mschapv2 working with peap. This seems impossible.

It's possible. It's easy.

(a) configure FreeRADIUS to query LDAP directly

(b) ensure that the passwords in LDAP are stored in a format compatible with MS-CHAP.

If you can do both, then getting PEAP to work should be trivial.

In 2.1.2, you can use radclient to send MS-CHAP requests to the server. Don't even THINK of trying to get PEAP to work until you have plain old MS-CHAP working.

Alan DeKok.
Re: more EAP/TTLS trouble
Hi,

> an option and XSupplicant doesn't work reliably yet in 64bit Win7. So I'm back to trying to get mschapv2 working with peap. This seems impossible.

It's 100% possible natively if you expose either the plain text password, or NT-hashed password to the server - eg with LDAP module.

alan
Re: more EAP/TTLS trouble
On 30/05/12 13:44, Steve Hopps wrote:

> IPhones work with a custom config profile that's easily installed. However, our most significant hurdle is windows machines. Who would have guessed??? For some stupid reason Microsoft doesn't care about supporting all modern encryption standards. Making our staff pay for SecureW2 isn't an option and XSupplicant doesn't work reliably yet in 64bit Win7. So I'm back to trying to get mschapv2 working with peap. This seems impossible.

It's certainly a shame that Windows 7 doesn't support TTLS/PAP.

PEAP/MSCHAP requires you have the plaintext password or NT hash, or access to an MSCHAP oracle like ntlm_auth running on Samba as a member of the domain.

If you don't have those, you can't do PEAP/MSCHAP, and your options are very limited. EAP-TLS, perhaps?
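The stored form that Alan DeKok ("a format compatible with MS-CHAP"), alan buxey ("NT-hashed password") and Phil Mayers ("plaintext password or NT hash") all point at is the NT hash: MD4 over the password encoded as UTF-16LE. The following is an added example, not FreeRADIUS project code and not from any poster in this thread. It computes the hash in pure Python (hashlib's md4 is commonly unavailable on OpenSSL 3 builds) and emits the users-file check item that FreeRADIUS's rlm_pap accepts under the NT-Password attribute; the username and password are constructed sample values. An MD5-hashed store, like Steve's, cannot be converted into this form, which is exactly why it rules out PEAP/MSCHAPv2 until the NT hash is captured at the next password change.

```python
"""NT hash (MD4 over UTF-16LE password), the MS-CHAP-compatible stored form
referred to in this thread.  Added example; not FreeRADIUS project code."""
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320).  Implemented here instead of using
    hashlib.new('md4') because OpenSSL 3 ships MD4 only in its legacy
    provider, so hashlib usually raises ValueError for it."""
    mask = 0xFFFFFFFF

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    # Padding: 0x80, zeros up to 56 mod 64, then the 64-bit LE bit length.
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        # Round 1: F, no constant, shifts 3/7/11/19, words in natural order.
        for i, s in zip(range(16), [3, 7, 11, 19] * 4):
            a = rotl((a + f(b, c, d) + x[i]) & mask, s)
            a, b, c, d = d, a, b, c
        # Round 2: G, constant 0x5A827999, column-major word order.
        for i, s in zip([0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15],
                        [3, 5, 9, 13] * 4):
            a = rotl((a + g(b, c, d) + x[i] + 0x5A827999) & mask, s)
            a, b, c, d = d, a, b, c
        # Round 3: H, constant 0x6ED9EBA1, bit-reversed word order.
        for i, s in zip([0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15],
                        [3, 9, 11, 15] * 4):
            a = rotl((a + h(b, c, d) + x[i] + 0x6ED9EBA1) & mask, s)
            a, b, c, d = d, a, b, c
        a, b, c, d = ((a + aa) & mask, (b + bb) & mask,
                      (c + cc) & mask, (d + dd) & mask)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash as the 32-hex-character string FreeRADIUS accepts in NT-Password.
    Windows hashes the UTF-16LE encoding of the password, never the UTF-8 bytes."""
    return md4(password.encode("utf-16-le")).hex().upper()


def users_file_entry(username: str, password: str) -> str:
    """A FreeRADIUS 'users' file check line carrying the NT hash only; the
    cleartext never needs to reach the users file or LDAP."""
    return f'{username}\tNT-Password := "{nt_hash(password)}"'


if __name__ == "__main__":
    # Constructed sample credentials, not from the thread.
    print(users_file_entry("alice", "password"))
```

With the hash stored this way (in the users file as above, or in an LDAP attribute the ldap module maps to NT-Password), rlm_mschap can answer MS-CHAPv2 challenges inside PEAP without ever seeing the cleartext, which is the "(b)" step in Alan DeKok's reply.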
RE: more EAP/TTLS trouble
Hi Steve,

Microsoft supports EAP-TTLS in our upcoming release of Windows 8. That said, PEAP-MSCHAPv2 is as modern as EAP-TTLS and is a very widely and simply deployed method. I have personally used the FreeRADIUS PEAP-MSCHAPv2 pretty much out of the box.

As far as the certificate error you saw earlier, that was due to the nature of the design of a modern secure authentication method, which has supported security features like Server Certificate Validation enabled by default.

If you just go through the net you will find tonnes of working PEAP-MSCHAPv2 eap.conf's, and I suggest you compare yours to the ones available for the authentication to work.

Also, if you are looking for TTLS only, you can test with the beta of Windows 8 and become one of our early adopters when it releases.

Thanx and Regards
Aman Arneja

Sent from my Windows Phone

--
From: Steve Hopps
Sent: 5/30/2012 6:23 PM
To: FreeRadius users mailing list
Subject: Re: more EAP/TTLS trouble

> We're trying to use an access point configured for wpa2 using freeradius to authenticate with openldap. For Android and Linux it works out of the box with eap/ttls and pap. So we used Pam cause it already works with ldap. I didn't know other encryption types wouldn't work with Pam.
>
> IPhones work with a custom config profile that's easily installed. However, our most significant hurdle is windows machines. Who would have guessed??? For some stupid reason Microsoft doesn't care about supporting all modern encryption standards. Making our staff pay for SecureW2 isn't an option and XSupplicant doesn't work reliably yet in 64bit Win7. So I'm back to trying to get mschapv2 working with peap. This seems impossible.
>
> On May 30, 2012 2:43 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
>
>> On 05/29/2012 10:28 PM, Steve Hopps wrote:
>>> So I'm confused, what's the right way to handle this situation?
>>
>> What situation? What are you trying to do?
>>
>> Alan has already hinted at the issue, but basically see here:
>>
>> http://deployingradius.com/documents/protocols/oracles.html
>>
>> ...and here:
>>
>> http://deployingradius.com/documents/protocols/compatibility.html
>>
>> Whatever protocol you are running within TTLS, it's not PAP, therefore not compatible with PAM-as-an-oracle.
>>
>>> rlm_pam: Attribute User-Password is required for authentication.
>>> ++[pam] returns invalid
>>
>> PAM is being forced (I think) here:
>>
>>> [files] users: Matched entry DEFAULT at line 222
>>
>> ...fix that line. Don't force PAM if you don't want or need it, and if you want/need it, pick compatible authentication.
>>
>> The Proxy-To-Realm comments in the default config files might be out of date; in general, obey what the debug says over ANY other advice, because it's coming from the actual code.
Re: more EAP/TTLS trouble
The reasons you stated are why I think this is near impossible. Our passwords are stored with MD5... I'm not fond of the idea that in order to get this to work, we have to compromise our security policy.

As for the Windows salesman, leaving out features from one OS to sell a newer OS is one of the reasons I cannot stand your company. That said, Windows 7 is great in my opinion, like Windows XP. If you really care, put pressure on your higher-ups to extend the functionality to support things like EAP/TTLS and PAP. I'm sure there are other deficiencies... How is it right to sell Ultimate versions of an OS for $150-200 when they don't even support as many features as a free, open source system?

I just got into work, so I'll be looking over the suggestions and making more attempts at this. Thanks again for all the help!

On Wed, May 30, 2012 at 8:15 AM, Phil Mayers p.may...@imperial.ac.uk wrote:

> On 30/05/12 13:44, Steve Hopps wrote:
>> IPhones work with a custom config profile that's easily installed. However, our most significant hurdle is windows machines. Who would have guessed??? For some stupid reason Microsoft doesn't care about supporting all modern encryption standards. Making our staff pay for SecureW2 isn't an option and XSupplicant doesn't work reliably yet in 64bit Win7. So I'm back to trying to get mschapv2 working with peap. This seems impossible.
>
> It's certainly a shame that Windows 7 doesn't support TTLS/PAP.
>
> PEAP/MSCHAP requires you have the plaintext password or NT hash, or access to an mschap oracle like ntlm_auth running on Samba as a member of the domain.
>
> If you don't have those, you can't do PEAP/MSCHAP, and your options are very limited. EAP-TLS, perhaps?
Re: more EAP/TTLS trouble
Hi,

> The reasons you stated are why I think this is near impossible. Our passwords are stored with md5... I'm not fond of the idea that in order to get this to work, we have to compromise our security policy.
>
> As for the Windows salesman, leaving out features from one OS to sell a newer OS is one of the reasons I cannot stand your company. That said, Windows 7 is great in my opinion, like Windows XP. If you really care, put pressure on your higher ups to extend the functionality to support things like EAP/TTLS and PAP. I'm sure there's other deficiencies.. How is it right to sell ultimate versions of an OS for $150-200 when they dont even support as many features as a free, open source system?
>
> I just got into work, so I'll be looking over the suggestions and making more attempts at this. Thanks again for all the help!

Here's one more: many folks in eduroam have gone through the exact same considerations, and some indeed need TTLS-PAP. If it is unavoidable, there is a GPLed version of SecureW2 which can deliver TTLS-PAP to older versions of Windows. I'm sure you can find it on the internet somewhere.

Stefan

> On Wed, May 30, 2012 at 8:15 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
>
>> On 30/05/12 13:44, Steve Hopps wrote:
>>> IPhones work with a custom config profile that's easily installed. However, our most significant hurdle is windows machines. Who would have guessed??? For some stupid reason Microsoft doesn't care about supporting all modern encryption standards. Making our staff pay for SecureW2 isn't an option and XSupplicant doesn't work reliably yet in 64bit Win7. So I'm back to trying to get mschapv2 working with peap. This seems impossible.
>>
>> It's certainly a shame that Windows 7 doesn't support TTLS/PAP.
>>
>> PEAP/MSCHAP requires you have the plaintext password or NT hash, or access to an mschap oracle like ntlm_auth running on Samba as a member of the domain.
>>
>> If you don't have those, you can't do PEAP/MSCHAP, and your options are very limited. EAP-TLS, perhaps?

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
Re: more EAP/TTLS trouble
Steve Hopps wrote:

> The reasons you stated are why I think this is near impossible. Our passwords are stored with md5... I'm not fond of the idea that in order to get this to work, we have to compromise our security policy.

Life is a series of compromises. Deal with it.

> As for the Windows salesman, leaving out features from one OS to sell a newer OS is one of the reasons I cannot stand your company.

I'll take that as "adding more features in newer releases". Windows 8 is the first version which supports TTLS. While this should arguably have been done years ago, it's nice to have it now.

And if you're arguing against upgrades, you can do the same for FreeRADIUS. Version 3.0 will support RadSec (RADIUS over SSL). Version 2.x will not. Ever.

> That said, Windows 7 is great in my opinion, like Windows XP. If you really care, put pressure on your higher ups to extend the functionality to support things like EAP/TTLS and PAP. I'm sure there's other deficiencies.. How is it right to sell ultimate versions of an OS for $150-200 when they dont even support as many features as a free, open source system?

They have different priorities. FreeRADIUS is about making software that works. Microsoft is about money. Guess which one works well, and which one has more money?

Alan DeKok.
Re: more EAP/TTLS trouble
It's a frustrating situation because if Windows were to support all of the encryption features that their competition does, indeed, that my _phone_ supports, I would not need to compromise. I personally believe a company can deliver a top product without sacrificing their profit margin. Microsoft falls short of this, and here we have a perfect example of precisely how. I also think their tiered version method they introduced with Vista is dishonest, as a result of this. But we're getting off track.

It's too bad the XSupplicant project is not yet to the point of stability with Windows 7 64-bit. I haven't had an opportunity to test it with 32-bit yet; I imagine it works okay with Windows XP, but many of our employees are using Windows 7 on newer laptops. If that app worked, this wouldn't be a problem. If you ask me, that is the nature of the beast when it comes to computers. It'll work in a month, or a year, or several years, but for now we just beat our heads against the wall.

In quick response to Stefan, I'm not associated with eduroam; however, I have found the eduroam instructions to be very helpful in getting this working as far as I have. In particular, the iPhone support. So thanks for that. :)

On Wed, May 30, 2012 at 8:55 AM, Alan DeKok al...@deployingradius.com wrote:

> Steve Hopps wrote:
>> The reasons you stated are why I think this is near impossible. Our passwords are stored with md5... I'm not fond of the idea that in order to get this to work, we have to compromise our security policy.
>
> Life is a series of compromises. Deal with it.
>
>> As for the Windows salesman, leaving out features from one OS to sell a newer OS is one of the reasons I cannot stand your company.
>
> I'll take that as "adding more features in newer releases". Windows 8 is the first version which supports TTLS. While this should arguably have been done years ago, it's nice to have it now.
>
> And if you're arguing against upgrades, you can do the same for FreeRADIUS. Version 3.0 will support RadSec (RADIUS over SSL). Version 2.x will not. Ever.
>
>> That said, Windows 7 is great in my opinion, like Windows XP. If you really care, put pressure on your higher ups to extend the functionality to support things like EAP/TTLS and PAP. I'm sure there's other deficiencies.. How is it right to sell ultimate versions of an OS for $150-200 when they dont even support as many features as a free, open source system?
>
> They have different priorities. FreeRADIUS is about making software that works. Microsoft is about money. Guess which one works well, and which one has more money?
>
> Alan DeKok.
Re: more EAP/TTLS trouble
Hi,

> It's a frustrating situation because if Windows were to support all of the encryption features that their competition does, indeed, that my _phone_ supports, I would not need to compromise. I personally believe a company can deliver a top product without sacrificing their profit margin. Microsoft falls short of this, and here we have a perfect example of precisely how. I also think their tiered version method they introduced with Vista is dishonest, as a result of this. But we're getting off track.

...but whilst you worry about the server (which you can secure) you are happy with EAP-TTLS/PAP - which, whilst it lets you do your secure server stuff, means that you can have users with badly configured clients which don't do the required CA checking or RADIUS CN checking - who will then quite happily send me, running a nasty MiTM attack RADIUS server, their username+password.

Your worries seem to be at the wrong end of the security mix. Where YOU control the security ecosystem you can do other things... after all, your RADIUS server can quite happily log in clear text your secure things..

alan
more EAP/TTLS trouble
The only computer in our office which causes certificate errors is a Windows 7 machine. So I attempted to connect using EAP/TTLS and MSCHAPv2 using my Linux machine and my Android phone. Now I get a different error. I also tried using PEAP on my Android phone, and received no certificate errors. What could the Windows machine be doing different? Why does the machine even enter the picture when the authentication is between the Access Point and the server?

Below is the portion of the log which shows the rejection, when using my Android phone, TTLS and MSCHAPv2 (that is what Windows uses, isn't it?)

Where I am confused is near the bottom: what is causing the rejection?

++[pam] returns invalid

or

[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid

Log follows:

server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
[suffix] No '@' in User-Name = test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[control] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 222
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request.
Found Auth-Type = PAM
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
rlm_pam: Attribute User-Password is required for authentication.
++[pam] returns invalid
Failed to authenticate the user.
Login incorrect: [test] (from client -REMOVED- port 0 via TLS tunnel)
} # server inner-tunnel
[ttls] Got tunneled reply code 3
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [test] (from client -REMOVED- port 0 cli B4-07-F9-F2-99-F6)
Using Post-Auth-Type Reject
Re: more EAP/TTLS trouble
Steve,

Windows is trying to validate the server cert. By default we have Server Cert Validation enabled. You can disable this from the properties.

Regards
Aman Arneja

On Wed, May 30, 2012 at 1:47 AM, Steve Hopps steve.ho...@gmail.com wrote:

> The only computer in our office which causes certificate errors is a Windows 7 machine. So I attempted to connect using EAP/TTLS and MSCHAPv2 using my linux machine and my Android phone. Now I get a different error. I also tried using PEAP on my Android phone, and received no certificate errors. What could the windows machine be doing different? Why does the machine even enter the picture when the authentication is between the Access Point and the server?
>
> Below is the portion of the log which shows the rejection, when using my Android phone, TTLS and MSCHAPv2 (that is what Windows uses isnt it?)
>
> Where I am confused is near the bottom, what is causing the rejection?
>
> ++[pam] returns invalid
>
> or
>
> [eap] Handler failed in EAP/ttls
> [eap] Failed in EAP select
> ++[eap] returns invalid
>
> log follows
>
> server inner-tunnel {
> # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
> +- entering group authorize {...}
> ++[chap] returns noop
> [suffix] No '@' in User-Name = test, looking up realm NULL
> [suffix] No such realm NULL
> ++[suffix] returns noop
> ++[control] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> [files] users: Matched entry DEFAULT at line 222
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
> WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request.
> Found Auth-Type = PAM
> # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
> +- entering group authenticate {...}
> rlm_pam: Attribute User-Password is required for authentication.
> ++[pam] returns invalid
> Failed to authenticate the user.
> Login incorrect: [test] (from client -REMOVED- port 0 via TLS tunnel)
> } # server inner-tunnel
> [ttls] Got tunneled reply code 3
> [ttls] Got tunneled Access-Reject
> [eap] Handler failed in EAP/ttls
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.
> Login incorrect: [test] (from client -REMOVED- port 0 cli B4-07-F9-F2-99-F6)
> Using Post-Auth-Type Reject
Re: more EAP/TTLS trouble
Hi,

> certificate errors. What could the windows machine be doing different? Why does the machine even enter the picture when the authentication is between the Access Point and the server?

authentication is between the client and the server - mediated over 802.1X by the Access Point. that's why your client has a supplicant on it..

> Below is the portion of the log which shows the rejection, when using my Android phone, TTLS and MSCHAPv2 (that is what Windows uses isnt it?) Where I am confused is near the bottom, what is causing the rejection?

Win7 will be EAP-PEAPv0/MSCHAPv2

> ++[pam] returns invalid

user/pass in pam?

> WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request.

that's kind of a big clue. don't do that. it breaks things. just define the realm in proxy.conf with no place, eg

realm whatever.com {
}

> rlm_pam: Attribute User-Password is required for authentication.

you've forced the server to use PAM? MSCHAPv2 doesn't provide 'User-Password' so won't work.

what ARE you trying to do?

alan
Re: more EAP/TTLS trouble
But according to the configuration file:

# The suffix module takes care of stripping the domain
# (e.g. @example.com) from the User-Name attribute, and the
# next few lines ensure that the request is not proxied.
#
# If you want the inner tunnel request to be proxied, delete
# the next few lines.
#
update control {
    Proxy-To-Realm := LOCAL
}

So I'm confused, what's the right way to handle this situation?

On Tue, May 29, 2012 at 4:00 PM, alan buxey a.l.m.bu...@lboro.ac.uk wrote:

> Hi,
>
>> certificate errors. What could the windows machine be doing different? Why does the machine even enter the picture when the authentication is between the Access Point and the server?
>
> authentication is between the client and the server - mediated over 802.1X by the Access point. thats why your client has a supplicant on it..
>
>> Below is the portion of the log which shows the rejection, when using my Android phone, TTLS and MSCHAPv2 (that is what Windows uses isnt it?) Where I am confused is near the bottom, what is causing the rejection?
>
> Win7 will be EAP-PEAPv0/MSCHAPv2
>
>> ++[pam] returns invalid
>
> user/pass in pam?
>
>> WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request.
>
> thats kind of a big clue. dont do that. it breaks things. just define the realm in proxy.conf with no place eg
>
> realm whatever.com {
> }
>
>> rlm_pam: Attribute User-Password is required for authentication.
>
> you've forced the server to use PAM? MSCHAPv2 doesnt provide 'User-Password' so wont work.
>
> what ARE you trying to do?
>
> alan
more EAP/TTLS trouble
I've got authentication with Android and Linux clients working using EAP/TTLS and PAP; however, Windows and OSX clients don't seem to work. This is a log of a Windows 7 client. I was able to get iPhones working with a special config, but the same method doesn't seem to work for OSX. Any help you could offer is appreciated.

Log follows, with secure bits edited out:

FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 14 2010 at 21:12:30
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/clients.conf
including configuration file /etc/freeradius/snmp.conf
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
main {
  user = freerad
  group = freerad
  allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
  prefix = /usr
  localstatedir = /var
  logdir = /var/log/freeradius
  libdir = /usr/lib/freeradius
  radacctdir = /var/log/freeradius/radacct
  hostname_lookups = no
  max_request_time = 30
  cleanup_delay = 5
  max_requests = 1024
  pidfile = /var/run/freeradius/freeradius.pid
  checkrad = /usr/sbin/checkrad
  debug_level = 0
  proxy_requests = yes
  log {
    stripped_names = no
    auth = yes
    auth_badpass = no
    auth_goodpass = no
  }
  security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
  }
}
radiusd: Loading Realms and Home Servers
radiusd: Loading Clients
  client localhost {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = -removed-
    shortname = localhost
  }
-EDITED: Client entries removed-
radiusd: Instantiating modules
  instantiate {
  Module: Linked to module rlm_exec
  Module: Instantiating module exec from file /etc/freeradius/radiusd.conf
    exec {
      wait = yes
      input_pairs = request
      shell_escape = yes
    }
  Module: Linked to module rlm_expr
  Module: Instantiating module expr from file /etc/freeradius/radiusd.conf
  Module: Linked to module rlm_expiration
  Module: Instantiating module expiration from file /etc/freeradius/radiusd.conf
    expiration {
      reply-message = Password Has Expired
    }
  Module: Linked to module rlm_logintime
  Module: Instantiating module logintime from file /etc/freeradius/radiusd.conf
    logintime {
      reply-message = You are calling outside your allowed timespan
      minimum-timeout = 60
    }
  }
radiusd: Loading Virtual Servers
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
  modules {
  Module: Checking authenticate {...} for more modules to load
  Module: Linked to module rlm_pap
  Module: Instantiating module pap from file /etc/freeradius/radiusd.conf
    pap {
      encryption_scheme = auto
      auto_header = no
    }
  Module: Linked to module rlm_chap
  Module: Instantiating module chap from file /etc/freeradius/radiusd.conf
  Module: Linked to module rlm_pam
  Module: Instantiating module pam from file /etc/freeradius/radiusd.conf
    pam {
      pam_auth = radiusd
    }
  Module: Linked to module rlm_eap
  Module: Instantiating module eap from file /etc/freeradius/eap.conf
    eap {
      default_eap_type = ttls
      timer_expire = 60
      ignore_unknown_eap_types = no
      cisco_accounting_username_bug = no
      max_sessions = 4096
    }
  Module: Linked to sub-module rlm_eap_md5
  Module: Instantiating eap-md5
  Module: Linked to sub-module rlm_eap_leap
  Module: Instantiating eap-leap
  Module: Linked to sub-module rlm_eap_gtc
  Module: Instantiating eap-gtc
    gtc {
      challenge = Password:
      auth_type = PAP
    }
  Module: Linked to sub-module rlm_eap_tls
  Module: Instantiating eap-tls
    tls {
      rsa_key_exchange = no
      dh_key_exchange = yes
      rsa_key_length = 512
      dh_key_length = 512
      verify_depth = 0
      pem_file_type = yes
      private_key_file = /etc/ssl/private/-removed-_generic.key
      certificate_file = /etc/ssl/certs/-removed-_generic.crt
      CA_file = /etc/ssl/certs/-removed-_ca.crt
      dh_file = /etc/freeradius/certs/dh
      random_file = /dev/urandom
      fragment_size = 1024
      include_length = yes
      check_crl = no
      cipher_list = DEFAULT
      make_cert_command = /etc/freeradius/certs/bootstrap
      cache {
        enable = no
Re: more EAP/TTLS trouble
Steve Hopps wrote:

> I've got authentication with Android and Linux clients working using EAP/TTLS and PAP, however Windows and OSX clients dont seem to work. This is a log of a Windows 7 client. I was able to get iphones working with a special config, but the same method doesn't seem to work for OSX. Any help you could offer is appreciated

This is pretty definitive:

[peap] Length Included
[peap] eaptls_verify returned 11
[peap] TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.

IIRC, it means that the client doesn't have the same CA as the server. So it gets the server's certificate, and goes "huh?". It then sends an "unknown CA" back to the server.

The solution is to add the CA to the client PC.

Alan DeKok.
Re: more EAP/TTLS trouble
The log shows the client is using PEAP and is failing at the certificate level - does the client have the CA for your server installed?

You're also using 2.1.10 which is old and has bugs.

alan
Re: more EAP/TTLS trouble
On 23/05/12 16:16, Alan DeKok wrote:

> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> SSL: SSL_read failed inside of TLS (-1), TLS session fails.
>
> IIRC, it means that the client doesn't have the same CA as the server. So it gets the server's certificate, and goes "huh?". It then sends an "unknown CA" back to the server.
>
> The solution is to add the CA to the client PC.

For what it's worth, it would be *really* handy to be able to trigger a log message (with controllable format) when this happened; possibly a trigger?
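Phil Mayers' advice earlier in the thread ("obey what the debug says over ANY other advice"), alan buxey's line-by-line reading of Steve's inner-tunnel trace, and the wish just above for a log message when a client sends unknown_ca all come down to the same thing: pulling a handful of telling lines out of a `radiusd -X` trace. The following is an added example (not FreeRADIUS project code, not from any poster) that does exactly that for the two failure patterns this thread contains. The two sample traces are constructed from the lines quoted in the thread; the regexes match FreeRADIUS 2.x debug output as shown on this page and are assumptions for any other version.

```python
"""Triage a FreeRADIUS 2.x debug trace (radiusd -X) for the failure patterns
seen in this thread.  Added example, not FreeRADIUS project code."""
import re

# Constructed sample: inner-tunnel reject, Auth-Type PAM forced by the users file.
SAMPLE_PAM_REJECT = """\
[files] users: Matched entry DEFAULT at line 222
++[files] returns ok
++[pap] returns noop
WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist!  Cancelling invalid proxy request.
Found Auth-Type = PAM
rlm_pam: Attribute User-Password is required for authentication.
++[pam] returns invalid
Failed to authenticate the user.
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
++[eap] returns invalid
"""

# Constructed sample: outer TLS handshake aborted, client does not trust the server CA.
SAMPLE_UNKNOWN_CA = """\
[peap] eaptls_verify returned 11
[peap] TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
"""

MODULE_RESULT = re.compile(r"^\++\[(?P<module>[\w-]+)\] returns (?P<rcode>\w+)")
MATCHED_ENTRY = re.compile(r"^\[files\] (?P<file>\S+?): Matched entry (?P<entry>\S+) at line (?P<line>\d+)")
AUTH_TYPE = re.compile(r"^Found Auth-Type = (?P<type>\S+)")
REALM_WARNING = re.compile(r"^WARNING: You set Proxy-To-Realm = (?P<realm>\S+), but the realm does not exist!")
MISSING_ATTR = re.compile(r"^rlm_(?P<module>\w+): Attribute (?P<attr>[\w-]+) is required for authentication")
TLS_ALERT = re.compile(r"^TLS Alert read:(?P<level>\w+):(?P<desc>.+)$")

# Module return codes that abort the request; 'noop' and 'ok' are not failures.
FAILING_RCODES = {"fail", "reject", "invalid"}


def triage(debug_text: str) -> dict:
    """Return the first failing module plus the context lines that explain it,
    and a list of plain-language hints derived from those lines."""
    f = {"first_failure": None, "forced_by": None, "auth_type": None,
         "realm_warning": None, "missing_attr": None, "tls_alert": None, "hints": []}
    for raw in debug_text.splitlines():
        line = raw.strip()
        if (m := MODULE_RESULT.match(line)) and m["rcode"] in FAILING_RCODES \
                and f["first_failure"] is None:
            f["first_failure"] = (m["module"], m["rcode"])
        elif (m := MATCHED_ENTRY.match(line)):
            f["forced_by"] = (m["file"], m["entry"], int(m["line"]))
        elif (m := AUTH_TYPE.match(line)):
            f["auth_type"] = m["type"]
        elif (m := REALM_WARNING.match(line)):
            f["realm_warning"] = m["realm"]
        elif (m := MISSING_ATTR.match(line)):
            f["missing_attr"] = (m["module"], m["attr"])
        elif (m := TLS_ALERT.match(line)):
            f["tls_alert"] = (m["level"], m["desc"])

    if f["missing_attr"]:
        mod, attr = f["missing_attr"]
        where = (f"{f['forced_by'][0]} entry {f['forced_by'][1]} at line {f['forced_by'][2]}"
                 if f["forced_by"] else "a policy")
        f["hints"].append(
            f"Auth-Type {f['auth_type']} ({where}) forces rlm_{mod}, which needs {attr}; "
            "the tunneled method never supplies it. Drop the forced Auth-Type, or use "
            "PAP inside the tunnel if PAM must stay.")
    if f["realm_warning"]:
        f["hints"].append(
            f"Proxy-To-Realm names realm '{f['realm_warning']}', which proxy.conf does not "
            "define; define it there (a realm block with no home server is handled locally).")
    if f["tls_alert"] and "unknown ca" in f["tls_alert"][1].lower():
        f["hints"].append(
            "The client rejected the server certificate (unknown CA): install the issuing "
            "CA on the client so it can validate the RADIUS server.")
    return f


if __name__ == "__main__":
    for name, trace in (("PAM reject", SAMPLE_PAM_REJECT), ("unknown CA", SAMPLE_UNKNOWN_CA)):
        result = triage(trace)
        print(f"== {name}: first failure {result['first_failure']}")
        for hint in result["hints"]:
            print("  -", hint)
```

Run it against a saved `radiusd -X` capture instead of the samples and the first `returns invalid`/`reject` line, the users-file entry that set Auth-Type, and the TLS alert description are the three facts worth reading before touching any configuration file; the hints are only as good as those matched lines.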