Thank you very much.

> > Tzvika Gelber wrote:
> > I created a new user with the MAC address of the client as the user and
> > password :
> ...
> > 00C0CA32A157 Cleartext-Password := "00C0CA32A157"
> ...
> > User-Name = "00c0ca32a157"
> > User-Password = "00c0ca32a157"
>
> You do realize that they are different, right?
>
> The comparisons in the users file are case-sensitive.
>
> Alan DeKok.
>
>
> ------------------------------
>
> Message: 3
> Date: Sun, 9 Dec 2012 09:38:03 -0600
> From: Dan Letkeman <[email protected]>
> To: FreeRadius users mailing list <[email protected]>
> Subject: Re: computer authentication
> Message-ID: <CAPY== [email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Thank you Matthew for the clarification. I could successfully get the
> Windows 7 client to try and make a request (you definitely need to have the
> certs imported into exactly the correct spots). But now my debug log says
> that it's failing. This is a default 2.1.12 install with the switch added
> to the clients.conf file.
>
>
> rad_recv: Access-Request packet from host 10.11.200.73 port 1645, id=204, length=180
> User-Name = "host/[email protected]"
> Service-Type = Framed-User
> Framed-MTU = 1500
> Called-Station-Id = "9C-AF-CA-F4-40-10"
> Calling-Station-Id = "64-31-50-7D-72-DE"
> EAP-Message = 0x0201001a01686f73742f75736572406578616d706c652e636f6d
> Message-Authenticator = 0x41f4a411366a244a23e887c859436d0b
> NAS-Port-Type = Ethernet
> NAS-Port = 50016
> NAS-Port-Id = "GigabitEthernet0/16"
> NAS-IP-Address = 10.11.200.73
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] Looking up realm "example.com" for User-Name = "host/[email protected]"
> [suffix] Found realm "example.com"
> [suffix] Adding Stripped-User-Name = "host/user"
> [suffix] Adding Realm = "example.com"
> [suffix] Proxying request from user host/user to realm example.com
> [suffix] Preparing to proxy authentication request to realm "example.com"
> ++[suffix] returns updated
> [eap] Request is supposed to be proxied to Realm example.com. Not doing EAP.
> ++[eap] returns noop
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
> WARNING: Empty pre-proxy section. Using default return values.
> Sending Access-Request of id 231 to 127.0.0.1 port 1812
> User-Name = "host/user"
> Service-Type = Framed-User
> Framed-MTU = 1500
> Called-Station-Id = "9C-AF-CA-F4-40-10"
> Calling-Station-Id = "64-31-50-7D-72-DE"
> EAP-Message = 0x0201001a01686f73742f75736572406578616d706c652e636f6d
> Message-Authenticator = 0x00000000000000000000000000000000
> NAS-Port-Type = Ethernet
> NAS-Port = 50016
> NAS-Port-Id = "GigabitEthernet0/16"
> NAS-IP-Address = 10.11.200.73
> Proxy-State = 0x323034
> Proxying request 0 to home server 127.0.0.1 port 1812
> Sending Access-Request of id 231 to 127.0.0.1 port 1812
> User-Name = "host/user"
> Service-Type = Framed-User
> Framed-MTU = 1500
> Called-Station-Id = "9C-AF-CA-F4-40-10"
> Calling-Station-Id = "64-31-50-7D-72-DE"
> EAP-Message = 0x0201001a01686f73742f75736572406578616d706c652e636f6d
> Message-Authenticator = 0x00000000000000000000000000000000
> NAS-Port-Type = Ethernet
> NAS-Port = 50016
> NAS-Port-Id = "GigabitEthernet0/16"
> NAS-IP-Address = 10.11.200.73
> Proxy-State = 0x323034
> Going to the next request
> Waking up in 0.9 seconds.
> rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=231, length=171
> User-Name = "host/user"
> Service-Type = Framed-User
> Framed-MTU = 1500
> Called-Station-Id = "9C-AF-CA-F4-40-10"
> Calling-Station-Id = "64-31-50-7D-72-DE"
> EAP-Message = 0x0201001a01686f73742f75736572406578616d706c652e636f6d
> Message-Authenticator = 0x0d22b2b1d5102149a8c1c731bc6613dd
> NAS-Port-Type = Ethernet
> NAS-Port = 50016
> NAS-Port-Id = "GigabitEthernet0/16"
> NAS-IP-Address = 10.11.200.73
> Proxy-State = 0x323034
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "host/user", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 1 length 26
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Identity does not match User-Name, setting from EAP Identity.
> [eap] Failed in handler
> ++[eap] returns invalid
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> host/user
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 1 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 1
> Sending Access-Reject of id 231 to 127.0.0.1 port 1814
> Proxy-State = 0x323034
> Waking up in 4.9 seconds.
> rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=231, length=25
> Proxy-State = 0x323034
> # Executing section post-proxy from file /etc/raddb/sites-enabled/default
> +- entering group post-proxy {...}
> [eap] No pre-existing handler found
> ++[eap] returns noop
> Using Post-Auth-Type Reject
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> host/[email protected]
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Sending Access-Reject of id 204 to 10.11.200.73 port 1645
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 1 ID 231 with timestamp +14
> Cleaning up request 0 ID 204 with timestamp +14
> Ready to process requests.
>
>
>
> On Fri, Dec 7, 2012 at 2:23 PM, Matthew Newton <[email protected]> wrote:
>
> > On Fri, Dec 07, 2012 at 12:39:13PM -0600, Dan Letkeman wrote:
> > > Sorry, I was not clear with my setup information. We do not have a domain,
> > > these are stand-alone Windows 7 devices. We also have some tablets and
> > > some Linux boxes. Concern right now is the Windows 7 devices. I didn't
> > > know that you cannot do machine authentication without a domain....
> >
> > You can, but you'll need to handle the certificates on the hosts
> > manually. That's usually such a pain that the only real solution
> > is to use AD. If you've got a small number of devices, or can
> > write some other automated method of deploying certs, then it can
> > be possible to handle.
> >
> > What you /can't/ do is both User auth (mschap - username +
> > password) *and* Computer auth (certificates - EAP-TLS) in the same
> > connection, as the default Windows supplicant, like most, doesn't
> > support client certificates with PEAP (and user auth - mschap -
> > needs to be inside PEAP).
> >
> > > User authentication in my environment is just not an option because all of
> > > the devices need to have a connection to the network at all times even if
> > > nobody is logged in. Should I be using PEAP/EAP-TLS instead?
> >
> > There are no good reasons for doing PEAP/EAP-TLS unless you want
> > to use SoH. PEAP adds overhead to the auth, with no added benefit.
> >
> > > If so, do you know of any good setup documentation for that?
> >
> > I wrote up how to do PEAP/EAP-TLS a while back - you can find it
> > here: http://q.asd.me.uk/pet
> >
> > That said - your connection is trying to do PEAP, so you've
> > configured your client for either 'certificates' or mschap inside
> > PEAP. I forget the exact options in the interface, but you need to
> > choose 'certificates' rather than 'PEAP', then select the client
> > certificate that you want to auth with - which will be one that is
> > signed by the same CA that the CA_file option in your FreeRADIUS
> > eap.conf file points to. Make sure it's set to 'Computer' auth,
> > not 'User' or 'User + Computer'.
> >
> > In theory, you'll then find that it Just Works. But the Windows
> > config interface takes a bit of head scratching to get around
> > until you understand what it's doing under the hood.
> >
> > Cheers
> >
> > Matthew
> >
> >
> > --
> > Matthew Newton, Ph.D. <[email protected]>
> >
> > Systems Architect (UNIX and Networks), Network Services,
> > I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
> >
> > For IT help contact helpdesk extn. 2253, <[email protected]>
> > -
> > List info/subscribe/unsubscribe?
> > See http://www.freeradius.org/list/users.html
-- 
____
Sometimes you just glow in the dark...
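The home server at 127.0.0.1 rejects the proxied request right after logging that the EAP Identity does not match User-Name, which is what you would expect once rlm_realm has stripped the suffix from User-Name but the EAP-Message still carries the full identity. As an added example (not code from the thread or from FreeRADIUS), the Python script below parses the attribute lines of such a debug dump, decodes the EAP-Message per RFC 3748 and performs that comparison; the attribute values are constructed from the dump above, and the hex EAP-Message decodes to "host/user@example.com".

```python
# Added example: replay the EAP Identity vs User-Name comparison from a
# FreeRADIUS debug dump. Inputs are constructed from the quoted log.
import re

# Attribute lines as printed by radiusd -X for the original request; the
# EAP-Message hex is copied verbatim and decodes to "host/user@example.com".
ORIGINAL_REQUEST = """\
User-Name = "host/user@example.com"
EAP-Message = 0x0201001a01686f73742f75736572406578616d706c652e636f6d
"""
# The same EAP-Message after rlm_realm stripped the suffix for proxying.
PROXIED_REQUEST = """\
User-Name = "host/user"
EAP-Message = 0x0201001a01686f73742f75736572406578616d706c652e636f6d
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_IDENTITY = 1  # EAP Type 1 (RFC 3748): Identity

def parse_attrs(dump):
    """Turn 'Attribute = value' debug lines into a dict, unquoting strings."""
    attrs = {}
    for line in dump.splitlines():
        m = re.match(r'\s*([\w-]+)\s*=\s*(.+?)\s*$', line)
        if m:
            attrs[m.group(1)] = m.group(2).strip('"')
    return attrs

def decode_eap(hexstr):
    """Parse an EAP packet: Code(1) Identifier(1) Length(2) Type(1) Data."""
    pkt = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(pkt) < 5:
        raise ValueError("EAP packet shorter than header plus type")
    length = int.from_bytes(pkt[2:4], "big")
    if length != len(pkt):
        raise ValueError(f"EAP Length {length} != {len(pkt)} bytes present")
    eap = {"code": EAP_CODES.get(pkt[0], pkt[0]), "id": pkt[1], "type": pkt[4]}
    if pkt[4] == EAP_IDENTITY:
        eap["identity"] = pkt[5:].decode("utf-8")
    return eap

def identity_check(dump):
    """Return (eap_identity, user_name, match) for one request dump."""
    attrs = parse_attrs(dump)
    identity = decode_eap(attrs["EAP-Message"]).get("identity")
    return identity, attrs["User-Name"], identity == attrs["User-Name"]

if __name__ == "__main__":
    for name, dump in (("original", ORIGINAL_REQUEST), ("proxied", PROXIED_REQUEST)):
        ident, user, ok = identity_check(dump)
        print(f"{name}: EAP Identity {ident!r} vs User-Name {user!r} -> {ok}")
```

Running it shows the original request matching and the proxied one not, which is the state the home server sees before it rejects.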

