Hi George KNIGHT. There are many expert people here.
I have an infrastructure like yours: EAP, PEAP, WinCE on handhelds, Win XP, Win Vista and Cisco. It is working very well on two CentOS servers, 1 master and 1 backup for redundancy. Alan DeKok has sent you instructions, but don't worry, if you have any questions and I can help you, I will. Regards!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of [EMAIL PROTECTED]
Sent: Tuesday, 29 April 2008 02:08 p.m.
To: [email protected]
Subject: Freeradius-Users Digest, Vol 36, Issue 173

Send Freeradius-Users mailing list submissions to
	[email protected]

To subscribe or unsubscribe via the World Wide Web, visit
	http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
	[EMAIL PROTECTED]

You can reach the person managing the list at
	[EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."

Today's Topics:

   1. Re: can peap and ttls live together? (Sergio Belkin)
   2. dot1x specification EAPOL-Logoff clarification (Arran Cudbard-Bell)
   3. Re: dot1x specification EAPOL-Logoff clarification (Arran Cudbard-Bell)
   4. HOWTO PEAP + FreeRadius + XP Client (George KNIGHT)
   5. Re: HOWTO PEAP + FreeRadius + XP Client (Michael Schwartzkopff)
   6. Re: SPAM-LOW: Re: EAP/TLS connection problem.. (Alan DeKok)
   7. Re: HOWTO PEAP + FreeRadius + XP Client (Alan DeKok)

----------------------------------------------------------------------

Message: 1
Date: Tue, 29 Apr 2008 12:56:38 -0300
From: "Sergio Belkin" <[EMAIL PROTECTED]>
Subject: Re: can peap and ttls live together?
To: "FreeRadius users mailing list" <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-2

2008/4/29 Ivan Kalik <[EMAIL PROTECTED]>:
> That probably won't work in 2.0. Mapping to Cleartext-Password will.
I am using 2.0.2 :)

>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 29/4/2008, "Sergio Belkin" <[EMAIL PROTECTED]> wrote:
>
> >2008/4/29 Ivan Kalik <[EMAIL PROTECTED]>:
> >> You need to add the entry for Cleartext-Password. Something like:
> >>
> >> checkItem Cleartext-Password clrtxtPassword
> >>
> >> Ivan Kalik
> >> Kalik Informatika ISP
> >>
> >Hmmmm. I went ahead, and before reading your answer I added:
> >
> >checkItem User-Password userPassword
> >
> >replyItem Tunnel-Type radiusTunnelType
> >replyItem Tunnel-Medium-Type radiusTunnelMediumType
> >replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId
> >
> >end of snip
> >
> >It worked! Anyway, is that right?
> >
> >--
> >Open Kairos http://www.openkairos.com
> >Watch More TV http://sebelk.blogspot.com
> >Sergio Belkin
> >
> >-
> >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin

------------------------------

Message: 2
Date: Tue, 29 Apr 2008 17:33:06 +0100
From: Arran Cudbard-Bell <[EMAIL PROTECTED]>
Subject: dot1x specification EAPOL-Logoff clarification
To: FreeRadius users mailing list <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hi,

Having some interesting issues with a HP ProCurve 2510, an Apple Mac Power Book running OSX 10.5.2, and MAC-Auth + EAP-Auth on the same wired port.

I know this isn't strictly the list for this as this isn't really RADIUS, but I'm not sure where to post...

Two questions:

IEEE 802.1X-2004
8.1.3 EAPOL-Logoff
When a Supplicant wishes the Authenticator PAE to perform a logoff (i.e., to set the controlled Port state to unauthorized), the Supplicant PAE originates an EAPOL-Logoff message (see 7.5.4) to the Authenticator PAE.
As a result, the Authenticator PAE immediately places the controlled Port in the unauthorized state.

1) It appears in the spec that there is no requirement or indeed method for the Supplicant PAE to confirm that the EAPOL-Logoff has been honoured. So the supplicant PAE could be in the unauthorised state while the Authenticator could be in the authorised state. Is this an oversight of the dot1x spec, or is this meant to be handled at a higher level with EAP?

---

2) On the termination of an EAP session, VLAN membership is usually altered, either to a MAC-Authorised VID, a default unauthorised VID, or the port is blocked. Windows clients are pretty crap in terms of DHCP when this happens, and fail to renew their leases when moving between authorised and unauthorised states. Apple Mac clients however are very good in terms of DHCP dot1x integration. Unfortunately with EAP-Based and MAC-Based authentication transitions, DHCP renewal doesn't appear to work.

This is what I've seen from the traces:

FRAME 6436 - TS 212.482482 - Assumed VLAN 603 - Actual VLAN 603 - EAPOL Logoff
FRAME 6440 - TS 212.484947 - Assumed VLAN Blocked (transition) - Actual VLAN 603 - DHCP REQUEST
FRAME 6443 - TS 212.487252 - Assumed VLAN Blocked (transition) - Actual VLAN 603 - DHCP ACK (Answered by server on 603)
FRAME 6454 - TS 212.529774 - Assumed VLAN 134 - Actual VLAN 134 - EAP Failure (Seems to denote MAC Authentication succeeding)

So it appears after the supplicant sends the EAPOL-Logoff, the DHCP client attempts to get a lease very quickly; so quickly in fact that the switch hasn't altered the state of the port. The result being that the DHCP request is acked by the DHCP server on the dot1x authorised VLAN, the VLAN transition *then* occurs, but as the DHCP client has satisfied itself that it has a valid lease for the PAE unauthorised state it doesn't renew the lease until it expires...
Should I be shouting at HP to get their switches to register the state change faster, or shouting at Apple to make their DHCP timings less aggressive?

Many Thanks,
Arran

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900

------------------------------

Message: 3
Date: Tue, 29 Apr 2008 17:50:14 +0100
From: Arran Cudbard-Bell <[EMAIL PROTECTED]>
Subject: Re: dot1x specification EAPOL-Logoff clarification
To: FreeRadius users mailing list <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Arran Cudbard-Bell wrote:
> Hi,
>
> Having some interesting issues with a HP ProCurve 2510, an Apple Mac
> Power Book running OSX 10.5.2, and MAC-Auth + EAP-Auth on the same
> wired port.
>
> I know this isn't strictly the list for this as this isn't really
> RADIUS, but I'm not sure where to post...
>
> Two questions:
>
> IEEE 802.1X-2004
> 8.1.3 EAPOL-Logoff
> When a Supplicant wishes the Authenticator PAE to perform a
> logoff (i.e., to set the controlled Port state to
> unauthorized), the Supplicant PAE originates an EAPOL-Logoff
> message (see 7.5.4) to the Authenticator
> PAE. As a result, the Authenticator PAE immediately places the
> controlled Port in the unauthorized state
>
> 1) It appears in the spec that there is no requirement or indeed
> method for the Supplicant PAE to confirm that the EAPOL-Logoff has
> been honoured. So the supplicant PAE could be in the unauthorised
> state while the Authenticator could be in the authorised state. Is
> this an oversight of the dot1x spec, or is this meant to be handled at
> a higher level with EAP?

Sorry. Looking at the diagrams in 8-5 it appears my suspicion is correct. Unless a re-auth timer is implemented by the Authenticator PAE, this mismatched authentication state could persist indefinitely.
The EAPOL-LOGOFF frame is *not* retransmitted to the Authentication server... and the Authenticator PAE does not respond to EAPOL-LOGOFF frames, it just alters its state. So if the EAPOL-LOGOFF frame was lost in transit... damn, why no EAPOL-LOGOFF-CONFIRMATION packet... In every other part of the EAP/dot1x spec a request *should* always be answered by a response... but not here... are these guys idiots, or am I being dense?!

See, this would solve the issue in question 2 perfectly.

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900

------------------------------

Message: 4
Date: Tue, 29 Apr 2008 14:14:16 -0400
From: "George KNIGHT" <[EMAIL PROTECTED]>
Subject: HOWTO PEAP + FreeRadius + XP Client
To: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"

Hello everyone,

Before I write my question here, I just want to let all of you know that I did lots of searching in both Google and this email list, but couldn't find anything that gave me the answer.

My question is: I have been looking for a HOWTO paper for a beginner to set up freeradius as an AAA server in a wireless environment for Windows XP SP2 clients. I will use Windows' own PEAP client. Is there such a paper someone can give me the link to?

I'm very frustrated to find out that there is no information available for a setup from scratch. I have written papers like that before on various topics, such as a Subversion implementation for a multi-OS environment, a VoIP implementation with Linux-based open-source S/W, etc. I intend to write such a paper on how to set up a PEAP implementation with freeradius as well. But for that, I'm hoping someone can give me a good start.

OK, here are my network settings and the needed information:

I have a SUSE SLES 10 server to be used as an AAA server.
This server is called store-AAA and also acts as a DHCP server for the clients. I have a few Cisco 1242 APs as authenticators. Clients are going to be computers with WinCE as their OS and they will connect to the LAN wirelessly. What I want to achieve is authenticating these clients with server-AAA using PEAP before letting them use the other network resources.

Thank you in advance for your time and effort.

George Knight

------------------------------

Message: 5
Date: Tue, 29 Apr 2008 20:28:44 +0200
From: Michael Schwartzkopff <[EMAIL PROTECTED]>
Subject: Re: HOWTO PEAP + FreeRadius + XP Client
To: FreeRadius users mailing list <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1

George KNIGHT wrote:
> Hello everyone,
> Before I write my question here, I just want to let all of you know that I
> did lots of searching in both Google and this email list, but couldn't find
> anything that gave me the answer.
>
> My question is: I have been looking for a HOWTO paper for a beginner to set
> up freeradius as an AAA server in a wireless environment for Windows XP SP2
> clients. I will use Windows' own PEAP client. Is there such a paper someone
> can give me the link to?
>
> I'm very frustrated to find out that there is no information available for a
> setup from scratch. I have written papers like that before on various topics,
> such as a Subversion implementation for a multi-OS environment, a VoIP
> implementation with Linux-based open-source S/W, etc. I intend to
> write such a paper on how to set up a PEAP implementation with freeradius as
> well. But for that, I'm hoping someone can give me a good start.
For everyone who can create good Google expressions:

http://www.wi-fiplanet.com/tutorials/article.php/3557251
http://www.linuxjournal.com/article/8095
http://www.rinta-aho.org/docs/wlan/wlan.html
http://ubuntuforums.org/showthread.php?t=478804
http://tldp.org/HOWTO/8021X-HOWTO/freeradius.html
http://www.greatnorthcomputing.com/2008/03/using-freeradius-with-both-eap-peap.html

and about 100,000 more. Order of appearance on Google, not related to relevance.

Greetings,
Michael.

------------------------------

Message: 6
Date: Tue, 29 Apr 2008 20:49:41 +0200
From: Alan DeKok <[EMAIL PROTECTED]>
Subject: Re: SPAM-LOW: Re: EAP/TLS connection problem..
To: FreeRadius users mailing list <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1

Johan Nyman wrote:
> I have not edited the debug "a lot"!

You posted a small portion of the debug output. There is a lot more available during an EAP-TLS session.

> What information, from what .log files do you want/need? The output of radiusd -X?
> Perhaps you are referring to another debug file?
>
> That information I posted is directly from the "Radiusd -X" console.

Yes, I know that. Please understand that posting a *tiny* portion of it doesn't help. Posting *all* of it helps.

Alan DeKok.

------------------------------

Message: 7
Date: Tue, 29 Apr 2008 21:03:10 +0200
From: Alan DeKok <[EMAIL PROTECTED]>
Subject: Re: HOWTO PEAP + FreeRadius + XP Client
To: FreeRadius users mailing list <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1

George KNIGHT wrote:
> Before I write my question here, I just want to let all of you know that
> I did lots of searching in both Google and this email list, but couldn't
> find anything that gave me the answer.
>
> My question is: I have been looking for a HOWTO paper for a beginner to
> set up freeradius as an AAA server in a wireless environment for Windows XP
> SP2 clients. I will use Windows' own PEAP client.
> Is there such a paper
> someone can give me the link to?

  $ ./configure
  $ make
  $ make install
  $ radiusd -X

- Un-check "verify server certificate" in Windows (ONLY for testing).
- Add a user to the database (username/password, example in the FAQ)

That's it.

> I'm very frustrated to find out that there is no information available
> for a setup from scratch.

Part of the problem is that in 2.0, there is so little to do...

> I have written papers like that before on
> various topics, such as a Subversion implementation for a multi-OS
> environment, a VoIP implementation with Linux-based open-source S/W,
> etc. I intend to write such a paper on how to set up a PEAP
> implementation with freeradius as well. But for that, I'm hoping someone
> can give me a good start.

The EAP-TLS "howtos" contain additional documentation:

http://freeradius.org/doc/

> Clients are going to be computers with WinCE as their OS and they will
> connect to the LAN wirelessly. What I want to achieve is authenticating
> these clients with server-AAA using PEAP before letting them use the
> other network resources.

Install 2.0, start the server. See also raddb/certs/README. You can create "real" certificates, and import them into WinCE.

There is very, very, little to change in order to get PEAP to work.

Alan DeKok.

------------------------------

End of Freeradius-Users Digest, Vol 36, Issue 173
*************************************************
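Alan DeKok's reply in message 7 gives the build and test-run steps and points at the FAQ for the user entry. The fragment below is added here as an example; it is not from the digest and not the FreeRADIUS project's shipped raddb. It collects the three 2.0 config pieces a practitioner actually edits for George's store-AAA setup: the user, the Cisco AP as a RADIUS client, and the PEAP-relevant keys of eap.conf. It also carries over Ivan Kalik's point from message 1: the known-good password must end up in Cleartext-Password (or NT-Password), because the MSCHAPv2 inner method needs the NT hash, which cannot be derived from a User-Password check item. The username, password, AP address, shared secret and private_key_password are placeholders; every other eap.conf key is left at its 2.0 default.

```conf
# raddb/users  (added example; user and password are placeholders)
# FreeRADIUS 2.0 wants the known-good password as Cleartext-Password so
# each authentication method can derive what it needs from it (PAP compares
# it directly, MSCHAPv2 hashes it to an NT hash). The 1.x style
#   alice   User-Password == "s3cret"
# is a check item that only PAP can use; PEAP/MSCHAPv2 will fail with it.
alice   Cleartext-Password := "s3cret"

# raddb/clients.conf  (one block per authenticator; address/secret are placeholders)
# The stock file already has "client localhost" with secret testing123,
# which is what radtest/eapol_test on the server itself will use.
client 192.0.2.10 {
        secret    = ap-shared-secret
        shortname = store-ap1
        nastype   = cisco
}

# raddb/eap.conf  (only the keys that matter for PEAP; everything else at 2.0 defaults)
eap {
        # Windows/WinCE PEAP clients negotiate PEAP first if it is the default.
        default_eap_type = peap

        tls {
                # Certificates generated by "make" in raddb/certs (see its README).
                # "whatever" is the default key password in that Makefile; change
                # it together with the certificate when you build real ones.
                certdir              = ${confdir}/certs
                cadir                = ${confdir}/certs
                private_key_password = whatever
                private_key_file     = ${certdir}/server.pem
                certificate_file     = ${certdir}/server.pem
                CA_file              = ${cadir}/ca.pem
                dh_file              = ${certdir}/dh
                random_file          = ${certdir}/random
        }

        peap {
                # Inner method the Windows client uses; needs Cleartext-Password
                # or NT-Password for the user (see users above).
                default_eap_type = mschapv2
        }

        mschapv2 {
        }
}
```

With `radiusd -X` running, `radtest alice s3cret 127.0.0.1 0 testing123` confirms the users entry with plain PAP before any EAP is involved, and `eapol_test` from wpa_supplicant, with a PEAP/MSCHAPv2 client config and `-s testing123`, drives the full tunnel from the server host without touching the AP; the full `-X` output is what the list asks for when something fails. The "un-check verify server certificate" step in Alan's list is only for getting the first handshake through: with validation off, the WinCE client will complete MSCHAPv2 against any PEAP server, including a rogue AP, and hand over a challenge/response that can be cracked offline. For production, import the CA from raddb/certs into the clients and turn validation back on.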

