Re: malformed EAPOL-Key with LEAP and AEGIS Client

2003-11-19 Thread Artur Hecker
hi


> Thanks for the info about the EAPOL packets. I've installed the latest
> drivers both for the AP and the pcmcia card.
> It seems that the AP340 has a bug(?) :(
> Is there any website of Cisco where I can post my question?

i've been using an AP340 with the 12T release for quite a while now
and i don't have this problem.

i'm using freeradius with EAP/TLS and rotating wep keys.

ciao
artur


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authentication against /etc/shadow using ...

2003-11-18 Thread Artur Hecker
salut


> No, CHAP, and MS-CHAP (the inner authentication method used with PEAP)
> require clear text passwords.  Therefore, the shadow password file is not
> compatible with these methods.  This bit me to start with.

so, there is no PAP for PEAP?


> You could always try TTLS with SYSTEM as the inner authentication mechanism?
> Alan is a strong proponent of TTLS vs PEAP, and I have to say that in a
> purist sense, he's absolutely right.  Unfortunately, the two largest players
> in the market have used (two incompatible versions of) PEAP :-(.  This means
> that it is more trivial, particularly with Microsoft based clients, to use
> PEAP/MS-CHAPv2.

well, one thing is for sure: TTLS supports PAP as the inner
authentication method.

ciao
artur




Re: malformed EAPOL-Key with LEAP and AEGIS Client

2003-11-18 Thread Artur Hecker
hi


> I'm using WEP enabled mode where I get 2 EAPOL-Keys with the second
> malformed from the AP-340 !!! I use also AEGIS client in Windows XP
> Home.

before you continue: do you use the latest versions of the firmware on
both your AP _and_ your wifi card?


> I've attached the ethereal dumps to check what exactly I mean. I don't
> know if it is a bug in the AP or the freeradius, but I suspect that the
> freeradius doesn't construct well the second EAPOL-Key message and the
> AP forwards a malformed packet.

freeradius does not construct any EAPOL frames at all. it only sends
keys to the access point and those are used by the AP to derive all the
rest. whatever freeradius might have done wrong with the key material
which it provides to the AP, it can't EVER be the reason for a malformed
EAPOL packet. only your AP and the card are speaking EAPOL. search
there.


ciao
artur

ps i didn't check your logs yet



Re: Radius newbie questions

2003-11-17 Thread Artur Hecker
hi alan


>   Put a page on the web, and mail the URL to the list.
>
>   The EAP-TLS documents should really be included with the server, but
> they're large, and need minor updates...
>
>   Alan DeKok.

à propos, what happened to those example certificates i once mailed
you? are they by any chance included with the server now? if not: do you
want me to recreate them with some other options?

i really think it would be helpful for many people, just to do the first 
tests and to see: oh yes, it's not the freeradius going crazy, it's me, 
not being able to create five simple certificates...

ciao
artur




Re: relocation error with yesterday's snapshot (freeradius-snapshot-20031110)

2003-11-12 Thread Artur Hecker
replying to my own post:

the described error (see below) does not occur when using GCC 2.95.xx.
before, as i figured out, GCC 3.3 was installed and used. this provoked
the error as described in my post.

thanks,
artur

> after the build of the freeradius-snapshot-20031110 on a completely
> fresh debian (unstable) i have problems starting radiusd (without even
> touching its config):
>
> radiusd: FreeRADIUS Version 1.0.0-pre0, for host i686-pc-linux-gnu
>
> extract of radiusd -s -X:
> ...
> Module: Loaded eap
>  eap: default_eap_type = md5
>  eap: timer_expire = 60
>  eap: ignore_unknown_eap_types = no
> ../../sbin/radiusd: relocation error:
> /usr/local/lib/rlm_eap-1.0.0-pre0.so: undefined symbol: eaptype_name2type
>
> but still ldd doesn't show any errors:
>
> wss:~# ldd /usr/local/lib/rlm_eap-1.0.0-pre0.so
> libnsl.so.1 => /lib/libnsl.so.1 (0x4000b000)
> libresolv.so.2 => /lib/libresolv.so.2 (0x4002)
> libpthread.so.0 => /lib/libpthread.so.0 (0x40033000)
> libc.so.6 => /lib/libc.so.6 (0x40084000)
> /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x8000)
>
> i tried to put /usr/local/lib in /etc/ld.so.conf and rebuild the
> cache, but that of course didn't change anything.
>
> what is wrong and what could i do? :-)
>
> thanks in advance,
> artur




relocation error with yesterday's snapshot (freeradius-snapshot-20031110)

2003-11-11 Thread Artur Hecker
hi

after the build of the freeradius-snapshot-20031110 on a completely
fresh debian (unstable) i have problems starting radiusd (without even
touching its config):

radiusd: FreeRADIUS Version 1.0.0-pre0, for host i686-pc-linux-gnu

extract of radiusd -s -X:
...
Module: Loaded eap
 eap: default_eap_type = md5
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
../../sbin/radiusd: relocation error:
/usr/local/lib/rlm_eap-1.0.0-pre0.so: undefined symbol: eaptype_name2type

but still ldd doesn't show any errors:

wss:~# ldd /usr/local/lib/rlm_eap-1.0.0-pre0.so
libnsl.so.1 => /lib/libnsl.so.1 (0x4000b000)
libresolv.so.2 => /lib/libresolv.so.2 (0x4002)
libpthread.so.0 => /lib/libpthread.so.0 (0x40033000)
libc.so.6 => /lib/libc.so.6 (0x40084000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x8000)

i tried to put /usr/local/lib in /etc/ld.so.conf and rebuild the
cache, but that of course didn't change anything.

what is wrong and what could i do? :-)

thanks in advance,
artur
--
Artur Hecker                                http://www.enst.fr/~hecker
Groupe Accès et Mobilité  /  Computer Science and Networks
E N S T  Paris


Re: relocation error with yesterday's snapshot (freeradius-snapshot-20031110)

2003-11-11 Thread Artur Hecker
hi andreas

thanks for your post. however, in my snapshot RLM_LIBS isn't even
used; there is a CLIENTLIBS instead and it is set to exactly the value
Markus proposed. well, i don't quite understand what i should set
to what.

anyway, i will take a deeper look to it, but i wanted to mention this 
problem to the developers...

ciao
artur
Andreas Wolf wrote:

> see Markus Obermeier's post from 11/09, it worked for me.
>
> > In the makefile there is the link to the newly introduced libeap
> > missing,
> > therefore the correct way to fix it is to add the following line instead
> > RLM_LIBS = -Llibeap -leap
> >
> > to the Makefile.in as shown above.
> >
> > Do a 'clean', 'configure' and 'make' again.
> >
> > Regards,
> > Markus
>
> -A
>
> On Nov 11, 2003, at 11:41 AM, Artur Hecker wrote:
>
> > hi
> >
> > after the build of the freeradius-snapshot-20031110 on a completely
> > fresh debian (unstable) i have problems starting radiusd (without even
> > touching its config):
> >
> > radiusd: FreeRADIUS Version 1.0.0-pre0, for host i686-pc-linux-gnu
> >
> > extract of radiusd -s -X:
> > ...
> > Module: Loaded eap
> >  eap: default_eap_type = md5
> >  eap: timer_expire = 60
> >  eap: ignore_unknown_eap_types = no
> > ../../sbin/radiusd: relocation error:
> > /usr/local/lib/rlm_eap-1.0.0-pre0.so: undefined symbol: eaptype_name2type
> >
> > but still ldd doesn't show any errors:
> >
> > wss:~# ldd /usr/local/lib/rlm_eap-1.0.0-pre0.so
> > libnsl.so.1 => /lib/libnsl.so.1 (0x4000b000)
> > libresolv.so.2 => /lib/libresolv.so.2 (0x4002)
> > libpthread.so.0 => /lib/libpthread.so.0 (0x40033000)
> > libc.so.6 => /lib/libc.so.6 (0x40084000)
> > /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x8000)
> >
> > i tried to put /usr/local/lib in /etc/ld.so.conf and rebuild the
> > cache, but that of course didn't change anything.
> >
> > what is wrong and what could i do? :-)
> >
> > thanks in advance,
> > artur
> > --
> > Artur Hecker                                http://www.enst.fr/~hecker
> > Groupe Accès et Mobilité  /  Computer Science and Networks
> > E N S T  Paris
>
> --
> Andreas Wolf
> Apple Computer, Inc.
> Technologies, AirPort Engineering

--
Artur Hecker                                http://www.enst.fr/~hecker
Groupe Accès et Mobilité  /  Computer Science and Networks
E N S T  Paris


Re: EAP subtype as authorization

2003-11-07 Thread Artur Hecker
hi kostas

> We clearly aren't understanding each other :-)
> And you didn't read what i asked you to, because you would find out it's exactly
> what you want. Evidently i _wasn't_ talking about Auth-Type but about EAP-Type.
> So please read the dictionary file for the values for EAP-Type.

ok, sorry, i will take a look.


> That's exactly what the patch i sent will do (at least from my quick pass
> through the rlm_eap module code).

ahem... you've sent a patch? where? :)

ciao & thanks,
artur


Re: FreeRADIUS 0.9.2-1 (Proposed) Debian package uploaded

2003-11-07 Thread Artur Hecker
hi Paul

just a thought to it:

> As far as I understand it, the boilerplate copyright notice and license
> at the end of all RFCs since somewhere in the 2200's is not DFSG-free.
> Quite simply, it fails rule #3, (http://www.debian.org/social_contract#guidelines)
>
>     The license must allow modifications and derived works, and
>     must allow them to be distributed under the same terms as the
>     license of the original software.
>
> with the following part of the boilerplate:
>
>     However, this
>     document itself may not be modified in any way, such as by removing
>     the copyright notice or references to the Internet Society or other
>     Internet organizations, except as needed for the purpose of
>     developing Internet standards in which case the procedures for
>     copyrights defined in the Internet Standards process must be
>     followed, or as required to translate it into languages other than
>     English.
>
> Or at least, that's how I read it. It was discussed on the Debian developers
> mailing list a while ago, and the result was that this boilerplate is not
> DFSG-free, but the copyright on previous RFCs (which is in a different file,
> I really should include that in the Debian copyright file) _is_ DFSG-free.
ok, i certainly do not want to kick off the discussion and i'm not an
expert on IPR and licenses, but somehow it seems very dumb to me to
want to modify the text of a standards-track document. IETF's standards
track documents are free standards open for everybody (for implementations)
but the standard text itself shouldn't be modified. or, if you do so, you
should understand that you are no longer compliant with the latter. that's
the whole idea of a standard anyway, whoever writes it down.

so, in my opinion we have a misinterpretation here. the cited IETF note
protects the standard as such and _not_ the copyrights of the authors,
that's not the point. for debian, the most important thing is to be able
to modify provided software source code and _not_ the standards it's
based upon. why would you want to do that??? and: you can do so anyway
and with every standard, there are no rules on this matter (if there
were, the world would be so nice with everybody fully compatible, oh
dear! :-)), you generally just lose your interoperability. what IETF
says is, you can't take this document, change some lines and say it's
still IETF's RFC. that's ok for me.

so, i personally still don't get it, but i understand that if debian
policy has been defined so as not to accept the RFCs, we can't do much
about it... well - we are not going to have a lot of up-to-date debian
software soon, are we? kind of a suicide statement for me.

ciao
artur




Re: EAP subtype as authorization

2003-11-07 Thread Artur Hecker
hi kostas :)


> > > We clearly aren't understanding each other :-)
> > > And you didn't read what i asked you to, because you would find out it's exactly
> > > what you want. Evidently i _wasn't_ talking about Auth-Type but about EAP-Type.
> > > So please read the dictionary file for the values for EAP-Type.
> >
> > ok, sorry, i will take a look.

now i see why i misunderstood you. my dictionaries are so old, there is
no EAP-Type attribute/value except for some microsoft VSAs. that's why
i misinterpreted what you said before. i should get the newer ones.


> > ahem... you've sent a patch? where? :)
>
> Hmm, typical :-)
> Ok included

ah now :) nice, thanks. it's for the current RCS version, right?

ciao
artur




EAP subtype as authorization

2003-11-06 Thread Artur Hecker
hi people

am i missing something, or am i right in the assumption that it is
currently not possible to define different EAP authentication methods on
a per-user basis with the provided onboard configuration?

(it would be a nice feature to have john use PEAP while jack has to go for
pure TLS, for instance...)

or can it somehow be done by defining instances of the EAP module with
different eap default types? (i obviously haven't tried it yet)

ciao
artur




Re: FreeRADIUS 0.9.2-1 (Proposed) Debian package uploaded

2003-11-06 Thread Artur Hecker
hi paul

i'm sorry to take your time (since it's not really freeradius related).
while i believe i understand the minor differences between the
GPL/OpenSSL licenses, i do not understand why and how e.g. the IETF
standards-track documents (e.g. 2243 or 2289) do not comply with the DFSG.
i do understand the difference from informational IETF documents such as
rfc2869, which preserve the explicit rights of the author, but why the
standards-track ones? why wouldn't it apply to TLS, for example? would you
kindly explain this?

thanks for your time
artur

>   * Deleted RFCs: 2243 2289 2433 2548 2618 2616 2620 2621
>     2719 2759 2809 2865 2866 2867 2868 2869 2882 2924 3162
>     from source tarball due to non-DFSG-free copyright.
>   * Disabled PostgreSQL, x.99 token, EAP/TLS, Kerberos, LDAP
>     and SNMP agent support due to OpenSSL/GPL conflict.




Re: EAP subtype as authorization

2003-11-06 Thread Artur Hecker
hi kostas


> So you only need to set the EAP-Type attribute in the authorize section on a per
> user basis and i think it should work.

so what value would i set the EAP-Type attribute to?

i don't want user X just to grab EAP method Y and freeradius to
use it if it finds it in the user's request. i want freeradius to impose _a_
certain EAP subtype (and to deny the user if it's not the configured one).

am i missing something?

ciao
artur




Re: EAP subtype as authorization

2003-11-06 Thread Artur Hecker
hi


> > so what value would i set the EAP-Type attribute to?
>
> See the dictionary file for the values for the EAP-Type attribute

no, i think we didn't understand each other. you are talking about
Auth-Type := EAP which is set automatically by the EAP module in the
authorize section. that's evident.

what i want is quite different _and_ quite necessary, given the
potential generality of the EAP authentication methods. in the same
manner as you can demand CHAP, PAP, MS-CHAP or whatever EAP on a
per-user basis, i.e. reject EVERY request for this user NOT having the
pre-defined (part of authorization) authentication type, you should be
capable of defining which EAP subtype the user is trying to use.

EAP can potentially be as simple as CHAP or based on certificates,
kerberos or GSM SIM cards. so, it's crucial to be able to control that.
you don't want your users to freely choose the possibly weakest
authentication method. you probably want to enforce ONE and only one method
per user.

à propos, that was strongly recommended for all RADIUS servers. now if
you enforce Auth-Type := EAP, you effectively do not enforce _anything_,
since it can be almost everything.

we should probably add a kind of Auth-Type := EAP/MD5 possibility and
then, in the code fragment you posted, we should check if the provided
EAP type matches the preconfigured one. if yes, the authentication can
take place. if not, the reject should be sent. for example...

i even thought that it would be possible by defining instances of the
eap module with different default_types. but then, the eap module should
set the Auth-Type to the subtype, and only if the provided EAP-Message
includes this one, and the code you mentioned should check as described
above... imho...

perhaps alan could say something on this matter, i'm far from being an
expert on freeradius configuration possibilities :-)


> > i don't want the user X just to grab the EAP-method Y and freeradius to
> > use it if it finds it in user's request. i want freeradius to impose _a_
> > certain EAP subtype (and to deny user if it's not the configured one).
>
> From a quick look at the rlm_eap sources i don't think that it is possible.

that's exactly the problem. it's not.


ciao & thanks
artur

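The per-user EAP-method enforcement Artur is asking for, as an added Python example (not code from the thread or from FreeRADIUS): it reassembles the EAP packet from the EAP-Message attributes of an Access-Request, reads the EAP Type byte and rejects any method other than the single one configured for that user, handling the Identity and Nak rounds on the way. The policy table ALLOWED_EAP_TYPE, the user names and the sample packets are constructed for this example.

```python
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
# EAP method (Type) numbers from the IANA registry; the names follow the
# FreeRADIUS dictionary style.
EAP_TYPE_NAMES = {
    1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5",
    13: "TLS", 17: "LEAP", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2",
}

# Constructed policy table (hypothetical): exactly one EAP method per user,
# i.e. the "Auth-Type := EAP/<method>" idea from the thread.
ALLOWED_EAP_TYPE = {"john": "PEAP", "jack": "TLS"}


def reassemble_eap_message(attrs):
    """RADIUS carries one EAP packet in one or more EAP-Message attributes
    (RFC 3579 3.1), each holding at most 253 bytes; the EAP packet is
    simply their concatenation in order."""
    return b"".join(attrs)


def parse_eap(packet):
    """Split an EAP packet into (code, identifier, type, type_data).

    Header (RFC 3748 4): Code(1) Identifier(1) Length(2); Request and
    Response packets add a one-byte Type. Malformed input raises ValueError."""
    if len(packet) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP Length field does not match packet size")
    if code not in (EAP_REQUEST, EAP_RESPONSE):
        return code, ident, None, packet[4:]   # Success/Failure carry no Type
    if length < 5:
        raise ValueError("EAP Request/Response without Type byte")
    return code, ident, packet[4], packet[5:]


def build_eap_response(ident, eap_type, data=b""):
    """Encode an EAP-Response; used here only to construct sample input."""
    body = bytes([eap_type]) + data
    return struct.pack("!BBH", EAP_RESPONSE, ident, 4 + len(body)) + body


def authorize_eap(user, eap_message_attrs):
    """Decide for one Access-Request: ('continue', why) lets the EAP
    module run, ('reject', why) means Access-Reject.

    Only the method configured for `user` may proceed. A peer that
    attempts another method, or Naks the offered one, is rejected."""
    wanted = ALLOWED_EAP_TYPE.get(user)
    if wanted is None:
        return "reject", f"no EAP method configured for {user!r}"
    try:
        code, _ident, etype, data = parse_eap(
            reassemble_eap_message(eap_message_attrs))
    except ValueError as err:
        return "reject", f"malformed EAP: {err}"
    if code != EAP_RESPONSE:
        return "reject", "Access-Request must carry an EAP-Response"
    name = EAP_TYPE_NAMES.get(etype, f"type-{etype}")
    if name == "Identity":
        # First round trip: the peer only names itself; the server will
        # now propose `wanted` in its EAP-Request.
        identity = data.decode("utf-8", "replace")
        return "continue", f"identity {identity!r}, offering {wanted}"
    if name == "Nak":
        # Nak data lists the methods the peer would accept instead.
        prefs = [EAP_TYPE_NAMES.get(b, f"type-{b}") for b in data]
        return "reject", f"{user} refused {wanted}, offered {prefs}"
    if name != wanted:
        return "reject", f"{user} must use {wanted}, attempted {name}"
    return "continue", f"{name} permitted for {user}"
```

The check has to run on every round of the conversation, not only on the Identity response: the method is only visible once the peer answers the server's EAP-Request with the matching Type, so a peer that sends a Nak or silently starts a different method must be refused at that point.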


Re: Wireless Best Practices

2003-11-06 Thread Artur Hecker
hi


> > I want to know if Mac filtering will be too much of a headache vs.
> > having the AP proxy the authentication/association to a radius server?
>
>   MAC authentication can be spoofed.  EAP can't be.

i completely agree.

> > If I use Radius, can I make it so only the employee needs to
> > authenticate?
>
>   No, but I'm not sure you want to allow un-authenticated users onto
> your network.

it depends on your APs, but you can. usually, if your AP supports
multiple SSIDs, you can define security settings on a per-SSID basis. this
would include 802.1X, RADIUS, etc., i.e. you can have an open SSID
_and_ a closed SSID requesting authentication.

now of course, it doesn't make any sense if both lead to the same
network. hence, the SSIDs have to be mapped to VLANs, which is current
practice.

> > If I use 802.1x, I am thinking the Radius server back at the corporate
> > location will be on their DMZ. Is the shared Secret in clear text
> > between the AP/Router to the Radius server?
>
>   The shared secret is never sent in any packet.

alan is of course right, but if you have a more general doubt about the
RADIUS internal security (like user privacy, etc.), you will have to add
a local RADIUS server and proxy the requests to your corporate RADIUS
server. then both RADIUS servers could use e.g. IPsec, and thus your
RADIUS traffic leaving your local networks would be well protected.

(the direct way, an AP which does IPsec, doesn't exist on the market at
the moment)

> > Is PEAP, the most logical choice here? Why wouldn't I use it?
>
>   If PEAP works, you can use it.  If you're running Linux clients, I'd
> recommend EAP-TTLS.

:-) i don't even know why ms started developing PEAP when the TTLS
draft had already been available for a year...


ciao
artur


-- 
Artur Hecker
artur[at]hecker.info



Re: Proxy doesn't send acct packets to other radius (correct proxy.conf)

2003-10-29 Thread Artur Hecker
ok

looking at your radiusd.conf file, i wonder if you have to add a preacct 
section with a suffix module in it in order to look up the realms. 
otherwise it seems ok to me.

ciao
artur


> I made a mistake editing that mail last night.
>
> realm dimapel.com.br {
>         type     = radius
>         authhost = 200.180.55.65:1812
>         accthost = 200.180.55.65:1813
>         secret   = teste
> }




Re: assign wireless users to VLANs on CISCO AP1230

2003-10-20 Thread Artur Hecker
hi

> These are the RADIUS user attributes used for vlan-id assignment. Each
> attribute must have a common Tag value to identify the grouped relationship.
> IETF 64 (Tunnel Type): Set this attribute to VLAN
> IETF 65 (Tunnel Medium Type): Set this attribute to 802
> IETF 81 (Tunnel Private Group ID): Set this attribute to vlan-id
>
> I'm not perfectly bilingual, but I understand that my AP is expecting the
> attributes VLAN, 802 and the VLAN-ID

no, your AP wants the attributes Tunnel-Type, Tunnel-Medium-Type and
Tunnel-Private-Group-ID, and the VALUEs should be as you say. there is no
need to change the dictionaries for that.


> vlan-id is not a string, it's an integer for CISCO (for instance, in my
> WLAN the SSID teacher is mapped to VLAN 10 : 10 is the vlan-id)

that doesn't prove anything. 10 is a perfectly valid string.


> jmguillemot Auth-Type := eap, User-Password == X
>         Service-Type = Login-User,
>         Tunnel-Type = VLAN,
>         Tunnel-Medium-Type = IEEE-802,
>         Tunnel-Private-Group-Id = teacher
>
> ...without success.

please always post the server debug output (radiusd -s -X) as requested
by the FAQ. btw: Auth-Type shouldn't be explicitly set to eap ...

ciao
artur


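The three tagged attributes discussed above, as an added Python example (not code from the thread or from FreeRADIUS): it encodes Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID with a common tag as RFC 2868 lays them out on the wire, decodes them back grouped by tag, and shows that the AP sees the group ID as the string "10" while attributes whose tags disagree yield no VLAN at all. The function and constant names are this example's own.

```python
import struct

# RADIUS attribute numbers (RFC 2868) and the values the AP expects:
# Tunnel-Type VLAN = 13 (RFC 3580), Tunnel-Medium-Type IEEE-802 = 6 (RFC 2868).
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def encode_tagged_integer(attr, tag, value):
    """Tagged integer layout (RFC 2868 3.1, 3.2): Type, Length=6, Tag,
    then a 3-byte big-endian value. Tags run 0x01..0x1F; 0x00 = untagged."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    if not 0 <= value < 1 << 24:
        raise ValueError("tagged integers carry only 24 bits")
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr, tag, value):
    """Tagged string layout (RFC 2868 3.6): Type, Length, Tag, string bytes.
    The VLAN id travels as the *string* "10", not as an integer."""
    data = value.encode("ascii") if isinstance(value, str) else bytes(value)
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    if len(data) > 252:
        raise ValueError("string too long for one attribute")
    return struct.pack("!BBB", attr, 3 + len(data), tag) + data


def vlan_assignment(vlan_id, tag=1):
    """The three reply attributes for one VLAN, all carrying the same tag."""
    return (encode_tagged_integer(ATTR_TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_integer(ATTR_TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_string(ATTR_TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def parse_attributes(blob):
    """Walk a RADIUS attribute list and return (type, value) for each TLV."""
    out, off = [], 0
    while off < len(blob):
        if len(blob) - off < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[off], blob[off + 1]
        if alen < 2 or off + alen > len(blob):
            raise ValueError("bad attribute length")
        out.append((atype, blob[off + 2:off + alen]))
        off += alen
    return out


def group_tunnel_attributes(blob):
    """Return {tag: {'type': int, 'medium': int, 'group': str}}.

    Tunnel-Private-Group-ID follows the RFC 2868 3.6 rule: a leading byte
    above 0x1F is not a tag but the first character of the string."""
    groups = {}
    for atype, val in parse_attributes(blob):
        if atype in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            if len(val) != 4 or val[0] > 0x1F:
                raise ValueError("malformed tagged integer")
            key = "type" if atype == ATTR_TUNNEL_TYPE else "medium"
            groups.setdefault(val[0], {})[key] = int.from_bytes(val[1:], "big")
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            if not val:
                raise ValueError("empty Tunnel-Private-Group-ID")
            tag, text = (0, val) if val[0] > 0x1F else (val[0], val[1:])
            groups.setdefault(tag, {})["group"] = text.decode("ascii", "replace")
    return groups


def vlan_for_session(blob):
    """The VLAN id (as the string the AP receives) if some tag group is
    complete and says VLAN over IEEE-802; None otherwise, e.g. when the
    three attributes do not share a tag."""
    for grp in group_tunnel_attributes(blob).values():
        if (grp.get("type") == TUNNEL_TYPE_VLAN
                and grp.get("medium") == TUNNEL_MEDIUM_IEEE_802
                and "group" in grp):
            return grp["group"]
    return None
```

In the users file the tag is written as a prefix on the value (e.g. Tunnel-Private-Group-Id = ":1:10"); on the wire it is the single byte shown above, which is why the three attributes must agree on it before the AP will group them.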


Re: Freeradius-Users digest, Vol 1 #2413 - 4 msgs

2003-10-16 Thread Artur Hecker
i don't think so. well, the final answer depends on your configuration
and your PKI usage. but, if you are using your PKI basically only for
802.1X access control, it would be madness to deploy CRL checking
because it would demand some kind of online certificate check at
connection time.

why bother? you already have online access control at connection
time - this IS radius. so, don't bother, forget the certificate and
block the user in the radius configuration. this doesn't demand ANY
effort on your part: change the user configuration to be an explicit
REJECT and leave him in your config file until his certificate expires.

in terms of complexity it's a better solution. what difference does it make
which protocol you use for the online validity check - that of the CRL
or radius?

you should only be aware of one thing: for the moment there is a
security flaw in freeradius: it is possible to use an arbitrary UserName
along with _some_ valid certificate. however, it shouldn't be difficult
to add an additional check: the UserName should be equal to the CN in
the certificate.

ciao
artur
Michael Griego wrote:

> What you SHOULD do is consider the private key compromised and revoke
> the certificate.  A patch was added a while back to incorporate CRL
> checking in the EAP-TLS module.  This is really more of a PKI issue.
>
> --Mike
>
> On Thu, 2003-10-16 at 08:54, arniel wrote:
>
> > hi guys,
> >
> > I am implementing Free Radius EAP-TLS on my network, all my wireless
> > clients are issued with a certificate. What I am trying to do is to block a
> > particular wireless client from accessing my network even if the certificate
> > is still valid or has not expired. This is in anticipation if the laptop
> > has been stolen.
> > Is there something that I can do on my Free Radius Server in blocking the
> > wireless client w/o hampering other users who are using the wireless
> > network?
> > I tried deleting the client's name at the raddb/users file, but to no avail.
> > I also tried deleting the client's certificate /etc/keys/client.p12 still to
> > no avail.
> > Thanks in advance...
> >
> > arniel


Re: Freeradius-Users digest, Vol 1 #2413 - 4 msgs

2003-10-16 Thread Artur Hecker
hi mike


> Your solution is not very useful in situations where the username must
> remain the same due to outside account status checking.  Why should I
> force the user to change his username?  What about situations where
> changing the username is *not* an option.  For instance, say we check
> the CN against the username in an LDAP database to make sure the user
> has not been disabled for some reason.  And yes, I have actually patched
> my FR server to make sure the UserName attribute matches the CN in the
> cert.  I can make this patch available to anyone who wants it, but I'd
> like to change how it's done before submitting a full blown server
> patch.  In this case though, changing the username would be the *harder*
> option, and impossible in many cases as our usernames are tied to a LOT
> of other information.

well, i suppose it's a question of point of view. for me, the real
identity is always the certified one. the user name is only a pseudonym
for it, since it has no proof.

if you rely so much on the username, you should not only block the
certificate but also create a new user and block the old one everywhere:
that user is very likely to store passwords and stuff on a stolen
laptop. well, it depends.

however, this has nothing to do with CRLs and so on. the patch you are
talking about: just change it to check if the CN is REJECTed and not the
username, then you can use your username unchanged. still you won't need
a CRL repository.

what i don't want are the problems around CRLs and CRL checking. and i
don't see why radius shouldn't do what it was designed for: online user
access control.

the people dealing with CRLs spend months trying to resolve the
problem with invalid identities, realize that they can't possibly
achieve anything without online checking and end up producing a new
online certificate check protocol... thanks, i have been doing that with
radius for years, except that i don't need new software, i don't need to
change every client and every server, i don't need a new always-up
server and so on.


> Certificate revocation *is* the real answer in this case.  It allows me
> to keep the affected laptop from gaining access to the network while
> allowing the true user to regain access *with the same username*.

:-) well, for me certificate revocation is not an answer to anything,
it's more a challenge. and it is one of the reasons why PKIs still
hardly exist. there are a LOT of unanswered problems in the CRL area,
one of which is the online validation protocol: none of those is
standardized so far, so they basically don't exist. static CRLs aren't a
general option (i can explain to you why, but it's out of scope for this
list). as soon as we have a standardized protocol (if ever), we will be
able to use it, and in the case of radius we will face the following: at
connection time the user will be verified by radius, then radius will
verify the certificate, asking the CRL server online. so, you depend on
at least two machines that have to be running all the time and you use
two different protocols and you have two different user databases, one
with the usernames, the other with certificates... CRL-aware software
hardly exists... ppp... to be brief: you will keep two
infrastructures up and running: AAA and PK.

in my proposal the AAA infrastructure is the only one that has to be up -
but in this case it _is_ anyway (for 802.1X). the PK is basically reduced
to (RA/VA and) CA and it doesn't have to be online.


> As to which online validity control to use, RADIUS should (and does)
> make use of all available information to decide whether or not to allow
> a user, including whether or not a user is valid, is who he says he is,
> and the certificate he's attempting to use is valid or not.

i don't think we understood each other here... i was trying to compare
the online certificate check protocols with RADIUS: i know, it's a
little bit of a stretch, but if you take an abstract look at what is
happening - the idea is the same.

anyway mike, it's more a point of view than a basis for discussion, so...
i would completely agree that it depends on the network and on its PKI
usage (that's what i tried to mention in my previous mail).

regards
artur




Re: EAP with XP supplicant

2003-10-10 Thread Artur Hecker
hi

see Alan's answer for the rest. just some unanswered things here:


> I don't see an EAP-Identity value in my server debugging.  What does XP
> send for that value?  The name of the cert, or the machine
> identification?

you do. it's in the first Access-Request message arriving at your
server. its content is translated to the User-Name attribute and copied
untouched to the EAP-Message attribute along with the rest of the EAP
packet. all this is done by your AP.

XP puts the CN in the EAP-Identity if not told to do something
different, i.e. if your CN is Walter Smith the user name will be that.


> I wasn't aware a patch was needed, but I've just downloaded it.  The
> 1200 is up-to-date; it shipped with VxWorks and I updated it with the
> latest update image from Cisco.

ok, without the XP WPA patch it can't work. so, does it work now?


> That was my concern.  I don't mind everyone using the same credentials
> to access the wireless network, but I didn't want the shared encryption
> environment we currently have with WEP.

ok, just pay attention to what i said in my other email. virtually, it's
still all the same user. it will be a little bit more difficult to
identify sessions, see the accounting unique module options for this.


> True.  We're currently using MAC authentication to track users back to
> devices, and control access.  We could still do that with EAP; the
> certificate would be the replacement for the shared WEP key, but the
> per-user encryption would be better.

yes, you could still do it, also take a look at this unique accounting
feature.


> I still think PEAP is a better route, without having to put any
> certificate on the user machine, but I guess that's not an option right
> now.

as Alan said, TTLS is the same idea which, besides, a) was developed
earlier than PEAP, b) apparently much more properly than the other
one, and c) provides more opportunities for tunneled auth



ciao
artur




Re: EAP with XP supplicant

2003-10-09 Thread Artur Hecker
hi


> CVS builds support TTLS and MSCHAPv2, but there's no documentation on
> this.  Does eap-mschapv2 work as PEAP?  What's the status with this?
> (Or should I be using TTLS, and is there a good free XP client for
> that?)

no, PEAP is a different protocol. you could use TTLS with whatever EAP
method tunneled in it.


> The EAP-TLS seems to work regardless of what I put in the users file.
> If the client certificates match against the server one, it gives
> access.  How do you give finer control than that?  I don't think we'll
> do that in our environment, but I'm curious.  (ie: the User-Name
> supplied in the client certificate wasn't even in my users file, but
> access was still allowed.)

you still have DEFAULT values in your users file, right? if you
explicitly reject the user, he will NOT be authenticated.

however, it's true that the User-Name content, the certified name AND
the EAP-Identity information are not checked for consistency by the
server. (EAP-Identity should equal User-Name - that's the function of
the AP, and that is something you trust; however, both of these,
compared to the certified name in the certificate, could NOT match and
the certificate would still be accepted. the question here is: do they
have to match as strings, or what is the right metric? perhaps a
configurable comparison handler?)


> The AP is configured with TKIP + WEP 128bit cipher encryption, with open
> authentication (with EAP) and network EAP support.  There is no
> Authentication Key Management (W
PA optional/mandatory was an option
> here, but if I enabled it XP couldn't connect.  I thought XP had WPA

i haven't tried WPA yet, but do you have the XP WPA patches? i suppose
you have... *sigh* perhaps also the newest firmware for the 1200.


> support...)  My question is, if I just use one client certificate and
> distributed it to everyone in our group, will the individual connections
> still be secure?  (ie: is the per-session encryption tied to the
> certificates involved, or some session-specific bit of randomness even
> when authenticated with the same cert?)  Or do I really need to generate
> each users own certificate?

the per-session keys (PMKs sent to the APs and the derived TKIP keys)
will be different since they are derived from the TLS master secret, which
is based upon random numbers chosen by the peers during the authentication
process, so with high probability different for every session.

however, virtually it would all be one person for you, i.e. all users
connecting are one and the same - normal, since you have ONE
certified identity. unless you want to use the bug in the server
described above (User-Name/EAP-Id don't have to match the CN) by activating
the XP option 'use a different user name on connection' and typing in
the desired name. however, be assured that then every user could type
ANYTHING he wants and probably would. so, i wouldn't call it secure,
unless you have full trust in your co-workers :-) but it will still be
difficult to break your links from outside, almost as difficult as if
you used different certificates - thanks to TLS.

ciao
artur


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
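Artur's point above, that per-session keys come out of the TLS master secret and the peers' random values, can be made concrete. The following is an added example, not code from this thread or from FreeRADIUS: it implements the TLS 1.0 PRF of RFC 2246 and the RFC 5216 split of the 128-byte key material into the MSK whose two 32-byte halves become MS-MPPE-Recv-Key and MS-MPPE-Send-Key, then derives keys for two sessions that share a pre-master secret but use fresh hello randoms. All byte values are constructed for the demo.

```python
import hmac
import hashlib
from typing import Dict

# TLS 1.0/1.1 PRF (RFC 2246 section 5): P_MD5 over the first half of the secret
# XORed with P_SHA1 over the second half. This is the PRF EAP-TLS used when
# this thread was written; TLS 1.2 later replaced it with a SHA-256 based PRF.


def _p_hash(digest, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash(secret, seed) = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out = b""
    a = seed                                              # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()          # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:length]


def tls10_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR P_SHA1(S2, label + seed)."""
    half = (len(secret) + 1) // 2                         # S1 and S2 overlap by one byte if odd
    s1, s2 = secret[:half], secret[-half:]
    md5_part = _p_hash(hashlib.md5, s1, label + seed, length)
    sha1_part = _p_hash(hashlib.sha1, s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def tls_master_secret(pre_master_secret: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 2246 section 8.1: the 48-byte master secret mixes both hello randoms."""
    return tls10_prf(pre_master_secret, b"master secret", client_random + server_random, 48)


def eap_tls_session_keys(master_secret: bytes, client_random: bytes, server_random: bytes) -> Dict[str, bytes]:
    """RFC 5216 section 2.3: 128 bytes of key material; the first 64 are the MSK,
    which the RADIUS server hands to the AP as two 32-byte MS-MPPE keys."""
    key_material = tls10_prf(master_secret, b"client EAP encryption",
                             client_random + server_random, 128)
    msk = key_material[:64]
    return {
        "msk": msk,
        "ms_mppe_recv_key": msk[:32],    # peer -> authenticator direction
        "ms_mppe_send_key": msk[32:64],  # authenticator -> peer direction
    }


def demo_two_sessions_same_credentials() -> bool:
    """Two sessions with an identical pre-master secret (standing in for 'the same
    certificate was used') but fresh hello randoms still get unrelated keys.
    All values below are constructed for the demo, not captured from a handshake."""
    pre_master = bytes.fromhex("0303") + bytes(range(46))   # 48 bytes, constructed
    session_a = (bytes([0xA1]) * 32, bytes([0xB1]) * 32)    # (client_random, server_random)
    session_b = (bytes([0xA2]) * 32, bytes([0xB2]) * 32)
    keys = []
    for client_random, server_random in (session_a, session_b):
        master = tls_master_secret(pre_master, client_random, server_random)
        keys.append(eap_tls_session_keys(master, client_random, server_random))
    return keys[0]["msk"] != keys[1]["msk"]


if __name__ == "__main__":
    print("per-session keys differ:", demo_two_sessions_same_credentials())
```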


Re: EAP with XP supplicant

2003-10-09 Thread Artur Hecker
hi kostas

yes, that would be a possibility.

in any case we shouldn't be too strict in the comparison. the example 
i'm thinking about, is the following:

given that the certificates are usually issued to real persons, the CN 
could be e.g. smith. however, with nomadicity he is still smith but 
he is likely to use something like [EMAIL PROTECTED] which is NOT his 
CN. i think there are more similar examples in the case of proxying. 
perhaps we should also allow the usage of other (critical) certified 
fields instead of the CN - the email address is for example a good 
choice, since it can directly be used as a fully qualified global user 
name - since it is by default unique.

that's why i am talking about some freely definable handler for 
comparison, like a function boolean compare(string, string).

ciao
artur
Kostas Kalevras wrote:

On Thu, 9 Oct 2003, Artur Hecker wrote:


however, it's true that the User-Name content, the certified name AND
the EAP-Identity information is not checked for consistency by the
server. (EAP-Identity should be equal User-Name - that's the function of
the AP, that is something you have a trust with; however, these both
compared to the certified name in the certificate could NOT match and
the certificate would still be accepted. the question here is: do they
have to match as strings or which is the good metrics? perhaps a
configurable comparison handler?)


One thing we could do (this is what iplanet does for certificate authentication)
is get the user certificate of the user from ldap and check it with the user
supplied. If they match then we can be pretty sure we are dealing with the right
user. This should not be too difficult to do using ldap_xlat. Maybe it would
require some code changes to ldap_xlat since the usercertificate attribute is
of binary type, base64 encoded but i think it's doable.
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Re: EAP with XP supplicant

2003-10-09 Thread Artur Hecker
i understand, but if you do that, you can't proxy requests anymore.

AND: this does not solve the problem of user-name being NOT the same as 
certificate. e.g. if you me and i we both have the complete certificate 
(you in the LDAP), i could still use some other User-Name thus faking 
the accounting.

ciao
artur
Kostas Kalevras wrote:

On Thu, 9 Oct 2003, Artur Hecker wrote:


hi kostas

yes, that would be a possibility.

in any case we shouldn't be too strict in the comparison. the example
i'm thinking about, is the following:
given that the certificates are usually issued to real persons, the CN
could be e.g. smith. however, with nomadicity he is still smith but
he is likely to use something like [EMAIL PROTECTED] which is NOT his
CN. i think there are more similar examples in the case of proxying.
perhaps we should also allow the usage of other (critical) certified
fields instead of the CN - the email address is for example a good
choice, since it can directly be used as a fully qualified global user
name - since it is by default unique.
that's why i am talking about some freely definable handler for
comparison, like a function boolean compare(string, string).


I am not talking about checking specific attributes of the certificate but
rather checking the certificate as a whole. If the certificate was issued to
user jim then the usercertificate;binary in ldap and the certificate passed
through eap should be exactly the same.

ciao
artur
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Re: EAP with XP supplicant

2003-10-09 Thread Artur Hecker
hi kostas

ok, now i get it :-) but with your approach you have to put the user 
certificate into the server's LDAP (which it doesn't necessarily have), 
i.e. you have to put all certificates on the server AND on clients. it's 
a bit more difficult, especially if you don't run any kind of 
certificate repository.


I don't need to authenticate requests that i am just proxying.
The certificate check will be after checking that the certificate is valid.
well, you are right.

(however, we have a more complicated thing here, we check locally and 
then proxy only the authorization, i.e. is this user still valid to 
the remote host. with this, we don't need to proxy complete TLS exchanges 
(quite big auth delay), we do not need CRLs or other central 
depositories ... and we do not need user certificates in _all_ visited 
domains... but i suppose, it's not quite usual though perfectly legal.)


But i use the username in the access-request to find the certificate in ldap. So
you can't use a fake username...
ok, with the limitations mentioned above. sorry, i didn't get it first. 
still, i would prefer a more traditional method: why would the server 
need to have all user certs installed?

it should be quite simple to compare the User-Name to the configured 
field in the certificate by using regular expressions and similar.

ciao
artur


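The configurable comparison handler Artur sketches in this exchange, as an added example that is not code from the thread or from FreeRADIUS: EAP-Identity is first checked against User-Name, then User-Name is compared with a configured certificate field through a pluggable `boolean compare(string, string)` handler (exact, case-insensitive, realm-stripping, or a regex template), with the whole-certificate comparison Kostas describes beside it. `CertIdentity`, the handler names and the sample values are all assumptions of the example.

```python
import hmac
import re
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass
class CertIdentity:
    """The certified fields a server would pull out of the client certificate.
    Hypothetical container for the example; a real server reads the X.509 subject."""
    common_name: str
    email: Optional[str] = None        # rfc822Name / emailAddress, if certified


# Comparison handlers: boolean compare(user_name, certified_value).
CompareHandler = Callable[[str, str], bool]


def exact(user_name: str, certified: str) -> bool:
    return user_name == certified


def case_insensitive(user_name: str, certified: str) -> bool:
    return user_name.casefold() == certified.casefold()


def strip_realm(user_name: str, certified: str) -> bool:
    """'smith@visited.example' from a roaming user still matches CN 'smith'."""
    return user_name.split("@", 1)[0] == certified


def template_regex(template: str) -> CompareHandler:
    """Build a handler from a regex template; '{value}' is replaced by the escaped
    certified field, so the operator controls which decorations are tolerated."""
    def handler(user_name: str, certified: str) -> bool:
        pattern = template.replace("{value}", re.escape(certified))
        return re.fullmatch(pattern, user_name) is not None
    return handler


def check_identities(user_name: str, eap_identity: str, cert: CertIdentity,
                     field: str, compare: CompareHandler) -> Tuple[bool, str]:
    """Consistency check across the three identities the server sees."""
    # 1. The AP copies EAP-Response/Identity into User-Name; a mismatch means the
    #    AP or supplicant is not behaving, so do not go further.
    if user_name != eap_identity:
        return False, "EAP-Identity does not match User-Name"
    # 2. Compare the outer identity with the configured certified field.
    certified = {"cn": cert.common_name, "email": cert.email}.get(field)
    if certified is None:
        return False, f"certificate has no '{field}' field to compare against"
    if not compare(user_name, certified):
        return False, f"User-Name '{user_name}' does not match certified {field} '{certified}'"
    return True, "identities consistent"


def cert_matches_directory(presented_der: bytes, stored_der: Optional[bytes]) -> bool:
    """Whole-certificate comparison against a copy stored per user (for instance an
    LDAP usercertificate;binary attribute). Needs every user's certificate on the
    server and cannot be applied to requests that are merely proxied."""
    if stored_der is None:
        return False
    return hmac.compare_digest(presented_der, stored_der)


if __name__ == "__main__":
    smith = CertIdentity(common_name="smith", email="smith@example.org")   # constructed
    print(check_identities("smith@example.org", "smith@example.org", smith, "cn", strip_realm))
    print(check_identities("smith@example.org", "smith@example.org", smith, "cn", exact))
```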


Re: WPA w/ EAP-TLS against 0.8.1

2003-10-03 Thread Artur Hecker
Ian

i think you have to pay thousands to enter the open industry alliance, 
namely the wifi alliance (www.wifialliance.com). they are responsible 
for WPA and they have some white papers on this matter on their site. 
however, it does NOT go very deep.

regarding jeremy's remark about TKIP, key rotation, MIC and 802.1X i 
would agree that WPA is kind of sum of these loosely coupled features. 
WPA is also a roadmap from local WEP to centralized authentication with 
AES encryption, however it aims to be interoperational and thus does not 
enforce AES for the beginning. i would say, what Cisco does is more or 
less WPA.

there are some good points though. the problem with all this WEP and 
802.1X interconnect is as always the interfacing. you will find 
documents and standards on EAP, EAP-subtypes, RADIUS and 802.1X (i.e. 
basically EAPOL). however, there are no _standards_ on HOW a central 
radius server gives the key material to the AP (which radius attributes 
and which format), what this key material is exactly derived from (since 
that would depend on the used EAP method) on supplicant and radius and 
how, by whom, when and how often a reauthentication should be triggered.

imho, that is something to be standardized by WPA but as i said earlier, 
you'll hardly get access to the documents...

ciao
artur
Ian Pritchard wrote:

Hi Alan,


From: Alan DeKok [EMAIL PROTECTED]
Subject: Re: WPA w/ EAP-TLS against 0.8.1 Date: Thu, 02 Oct 2003 
22:52:50 -0400

Ian Pritchard [EMAIL PROTECTED] wrote:
 I've read the responses to this and to the TLS/TTLS thread... tried 
to find
 somewhere in the Funk client where I might be able to control some 
kind of
 reauthentication interval (there's a setting on the AP), but no luck 
there
 unfortunately.

  It's set by the RADIUS server, via Session-Timeout.


Yeah, got that one, but just wondered if there was also something in the 
supplicant to do this independently, other than resetting the connection 
or pulling the PCMCIA card out of the laptop

 Given that WPA is the 802.11 security protocol suite of the
 future, I guess it might be quite important regardless of which
 EAP flavour is used... ;-)
  Many EAP methods such as LEAP, TLS, and TTLS include dynamic WEP
keys.  That would appear to be incompatible with WPA.


Okay, that's interesting. My impression was that WPA w/RADIUS was 
supposed to be fully retro-compatible with 802.1x (at least in terms of 
EAP flavours and the way they operate). Does anyone know where WPA is 
actually defined? I mean, is there a definition document widely 
available? Does it go down to a technical level? Or do you have to pay 
thousands to join an open industry forum to have access to the 
standard? Also, if the WPA standard includes RADIUS authentication, what 
does it mean by RADIUS - whose RADIUS servers have been tested?

Jeremy, interesting what you said about your Cisco AP 1200 - I think the 
implementation there is 802.1x and not WPA, right? The SMC AP we tried 
seemed to be the same - when you turn on WPA w/TKIP it didn't work 
against for our supplicants against FreeRADIUS, but when you just turned 
on 802.1x authentication it worked fine.

So, if dynamic WEP is incompatible with WPA, is that the fault of (and 
should the fix happen on) the EAP method, the AP, the supplicant or 
FreeRADIUS?

Thanks,

Ian



Re: Anyone get FreeRadius + CIsco Aironet 1100 AP + Cisco client under WinXP or 2K to work with EAP-TTLS.

2003-10-02 Thread Artur Hecker
hi

Antonia Kujundzic wrote:
There is a free Windows client for EAP-TTLS.
www.alfa-arriss.com
I've used it with Cisco client and it worked fine.
hey, thanks, excellent! they really still produce freeware out there? :)

(small correction to the link, it is actually www.alfa-ariss.com).

ciao
artur
ps the size of the whole 85k. another proof for alan's statement about 
the straightforward & easy TTLS implementation. otherwise they would 
hardly give it for free :)





Re: TLS and TTLS

2003-09-30 Thread Artur Hecker
*?*

Michael Brown wrote:

sorry, that's still wrong. they either support EAP or not. it is 
completely irrelevant which kind of EAP. be it TLS, MD5, TTLS, PEAP or 
whichever EAP scheme might EVER come out one day in the future, they 
support it already. nice, he?
My point is EAP pass-through not the type! (So we agree but you do not see...)
Such nitpicking.  I did not mention md5 because it is IRRELEVANT to me! 
NOT ALL AP's PROVIDE EAP PASS-THROUGH FOR AUTH.
That was my point.
once again: we do not agree, i.e. what you say is wrong.

you say: your AP supports EAP/TLS but it doesn't support some other EAP 
type. so, the first half of your presumption obliges the support of 
802.1X in the AP and the second relies uniquely on the usage of 802.1X 
in the AP. this is obviously a contradiction.

it's not the question of type at all, it's the question of EAP support 
in the AP (which you call EAP pass through) which is ALWAYS general 
i.e. type-independent and which is called 802.1X.

conclusion: if your AP supports EAP/TLS, it also supports ALL other EAP 
types which exist and which will EVER come out in the future. that's 
what i say, not more and not less.

now, if your AP doesn't support 802.1X, it does not support ANY EAP 
type, not EAP/TLS and not any other. ok? it isn't nitpicking, since you 
don't understand that by concept & design all the EAP types are the same 
for the AP.

ciao
artur
ps thanks for the proposition but i personally don't need any DLink+ 
Access Points :-)





Re: TLS and TTLS

2003-09-30 Thread Artur Hecker
hi Shon

i took a look at your log. for what concerns the server, your TTLS is 
working correctly and you are getting the Access-Accept sent out to the 
client. you even have accounting coming up for your TTLS user.



modcall: group authenticate returns handled
  TTLS: Got tunneled reply RADIUS code 2
	EAP-Message = 0x03010004
	Message-Authenticator = 0x
	User-Name = 
  TTLS: Got tunneled Access-Accept
  rlm_eap: Freeing handler
  TTLS: Freeing handler for user barney
  modcall[authenticate]: module eap returns handled
modcall: group authenticate returns handled
Sending Access-Accept of id 17 to xxx.xxx.xxx.xxx:1204
	MS-MPPE-Recv-Key = 
0xdc375f3020c56c6d8486b0925a07e931c7a1dd27585d5f481dc614455c714de0
	MS-MPPE-Send-Key = 
0x8aa9578d6cec57fb0c5b9ceec8bbbf449309dc2961107c66751fa715f1c75c8b
	EAP-Message = 0x03080004
	Message-Authenticator = 0x
	User-Name = anonymous
Finished request 16

so you can see that your server sends the Accept.
you even have accounting, that is the ports on the AP are open.
rad_recv: Accounting-Request packet from host xxx.xxx.xxx.xxx:1205, 
id=18, length=86
	Acct-Status-Type = Start
	User-Name = anonymous
	Acct-Session-Id = 000181890002
	NAS-IP-Address = xxx.xxx.xxx.xxx
	NAS-Port = 0
	Acct-Authentic = RADIUS
	NAS-Identifier = xxx
	Acct-Delay-Time = 0

Conclusion: if you encounter problems with your TTLS users, it has 
nothing to do with the server (server sends Accept) and probably not 
even of your AP (since it provides Accounting infos, thus it should 
think that the session is open for the user). Perhaps you have some 
problems at your client. i can't see it out of the provided log.

ciao
artur
Nixon, Anthony S. wrote:

Sorry for the out of list email, but I did not want others to see some of
the info in the logs.  It can be found at:  x
Please let me know what you think.

-- Shon

-Original Message-
From: Artur Hecker
shortened
i personally think that the problem is the client-server interaction. 
something is wrong and your client is not responding and you don't know 
why, so you suppose it's the AP but it's not.




Re: TLS and TTLS

2003-09-29 Thread Artur Hecker
hi


Of course they do: whether they SUPPORT (act as a pass-through device for) these
auth schemes or not.
sorry, that's still wrong. they either support EAP or not. it is 
completely irrelevant which kind of EAP. be it TLS, MD5, TTLS, PEAP or 
whichever EAP scheme might EVER come out one day in the future, they 
support it already. nice, he?


I KNOW they have nothing to do with the actual auth beside that fact, but you
can't use EAP-TLS or TTLS with just any old AP, now can you?
of course you can, as long as it supports 802.1X.


Such nitpicking.
no, sorry. you've just never understood why EAP has been developed. so, 
you suggest that the problem could be a 802.1X aware AP which is - in 
your opinion - the problem for TTLS not passing through. that's 
_completely_ wrong, so the guy having problem has been put on the wrong 
way, i've only corrected this mistake, be it important or not.



ciao
artur

hardly ever.

the APs have NOTHING to do with neither TTLS nor TLS.

ciao
artur
Michael Brown wrote:


I know the Linksys WAP/WRT54G accepts TTLS auth, but I don't know a D-Link
product that does TTLS.  That is most likely your problem.
Michael Brown




Re: TLS and TTLS

2003-09-29 Thread Artur Hecker
hi

i don't think it's correct unless you have some dumb option to 
explicitly block TTLS. you should post some server logs in order to 
prove that nothing is coming.

let me explain myself: in _EACH_ EAP method the first packet incoming at 
the RADIUS server will be either EAPOL Start OR EAP Response/Identity 
message. i want to see a log file, where the Response/Identity of the 
TLS is arriving and the response identity of the TTLS is not - knowing 
that the both packets are exactly the same. i don't see, why the 
following packets wouldn't be forwarded to the server. prove it.

i personally think that the problem is the client-server interaction. 
something is wrong and your client is not responding and you don't know 
why, so you suppose it's the AP but it's not.

ciao
artur
Nixon, Anthony S. wrote:

Thanks very much for the education on AP's, but this still does not answer
the question of why an AP will pass EAP-MD5 and EAP-TLS, but might not pass
EAP-TTLS?




Re: TLS and TTLS

2003-09-26 Thread Artur Hecker
hardly ever.

the APs have NOTHING to do with neither TTLS nor TLS.

ciao
artur
Michael Brown wrote:

I know the Linksys WAP/WRT54G accepts TTLS auth, but I don't know a D-Link
product that does TTLS.  That is most likely your problem.
Michael Brown




Re: WPA w/ EAP-TLS against 0.8.1

2003-09-26 Thread Artur Hecker
hi Guy!

how can you change the session time in windows?

thanks,
artur


Guy Davies wrote:

 

Hi Ian,

I've seen something like this when doing MAC authentication.  It was
actually a feature of the WinXP/Win2k supplicant which defaults the
session time to about 6 seconds!  If I explicitly set the session time to be
something more useful (1800 seconds is good) then everything was happy.
Sorry if this is totally unrelated but I thought it might help.

Regards,

Guy


-Original Message-
From: Ian Pritchard [mailto:[EMAIL PROTECTED]
Sent: 26 September 2003 11:42
To: [EMAIL PROTECTED]
Subject: WPA w/ EAP-TLS against 0.8.1


Hi,

We're running FreeRADIUS version 0.8.1, and have been trying out 
authentication using a couple of WPA-capable 802.11 APs and 
PCMCIA cards 
on laptops, with EAP-TLS and certs.

We've tried a matrix of the following:

Laptops
- Win2K SP4 w/ MS 802.1x patch and with Funk Odyssey client
- WinXP
- EAP-TLS certs installed
PCMCIA cards
- Linksys WPC54G
- SMC2635W
APs
- Linksys WRT54G
- SMC2804WBR
- Cisco AP340
All devices running latest possible drivers.

Before testing WPA we were running the Cisco AP340 and the 
Win2K 802.1x auth 
patch, plus XP.

Running either of the two PCMCIA cards, on either the Win2K 
or WinXP laptop, 
via the Linksys WRT54G AP, we see behaviour where the AP 
initiates access 
request to the FreeRADIUS server, the process runs through as 
normal, the 
access accept is sent to the AP, but it then immediately starts 
authentication again, and you run through the whole process 
repeatedly, 
starting again immediately after the accept is sent. Nothing 
seems abnormal 
if running FreeRADIUS in debug mode. With the Funk Odyssey 
client running on 
Win2K the behaviour is the same.

Using the SMC AP, things are more interesting. The SMC AP's web-based 
control interface has a security main menu, with 802.1x as 
a sub-menu. If 
you turn the main security to WPA/TKIP w/ RADIUS, then the 
behaviour is as 
with the Linksys above. However, if you turn it to No 
Encryption (so not 
even WEP enabled according to its interface), but leave the 
enable 802.1x 
turned on in the sub-menu, authentication takes place as 
normal. The SMC 
client card has client manager software, and if you turn on 
WPA on the AP, 
then the client manager shows a key symbol (presumably 
denoting some kind 
of security) next to the AP, but if you turn off encryption 
and leave 802.1x 
turned on, the key goes away.

The Cisco AP doesn't have WPA but will do 802.1x as before.

We're having trouble reaching a conclusion here (partly because it's 
difficult to tell what's happening), and certainly don't 
think we've got any 
WPA AP/client combination working with WPA/Radius. We had 
thought that, 
from an authentication perspective, there was no difference 
between 802.1x 
and WPA.

Has anyone else managed to get WPA APs and clients running against 
FreeRADIUS using EAP-TLS?

Many thanks,

Ian



Re: WPA w/ EAP-TLS against 0.8.1

2003-09-26 Thread Artur Hecker
that is the response i kind of feared. sorry, that's nonsense.

in that case the whole story has nothing to do with the respective 
supplicant, since it simply NEVER gets in touch with Radius attributes. 
that would be the problem of the AP and NOT of the supplicant as you 
pointed out.

ciao
artur
Guy Davies wrote:

 

Hi Artur,

You don't :-)  You set the session-timeout in the RADIUS reply.

Regards,

Guy



Re: (no subject)

2003-09-19 Thread Artur Hecker
sorry, but ... LOL

Direct: 0701 741 4258
Office: 0870 765 4258
   Fax: 0870 765 4259
This email is confidential and may be privileged; it is for use by the named
recipient only. If you have received it in error, please notify us
immediately; please do not copy or disclose its contents to any person or
body, and delete it from your computer systems.
- there is nothing confidential in this mail otherwise it would be 
really dumb to send it out to a archived world-readable list! since i 
didn't send it, i don't want to know that it is supposed to be 
confidential. for me it is not and whoever claims the contrary is being 
foolish
- there is no way to know who IS the named recipient since it could be 
changed by ANYbody
- there is no way to know if i receive it in error. if error is to be 
defined by me, then i probably do receive it in error. in this case i 
would like to know who actually is us, how i can contact those guys 
and how in hell i could probably be sure that i'm really contacting 
those and not some others?
- but my personal favorite is still the last sentence: whoever invented 
this sentence about not copying the email and deleting it from computer 
systems must have been a full complete ass since he's never really 
understood how email works in the first place.

remark: such disclaimers are completely irrelevant and not accepted by 
any known legislation.

greetings
artur




Re: Database encryption

2003-09-18 Thread Artur Hecker
hi paolo

(alan :-))

people often misunderstand security as weirdly encrypting and signing 
stuff, the more the better... security is much more about management - 
management of the security associations.

so, basically i would agree with alan's point. i.e. it's pretty useless, 
in the global sense it IS useless. however, alan's sentence below


  I don't see why.  The server will have access to the password/key
for the database, and therefore so will any attacker.
should be extended to who succeeded in attacking the radius server.

that also can be the only reason to do such things: you establish the 
single point of entry and thus can be sure that whoever entered the 
system, he had to pass over the radius server.


  Questions about encrypting databases would best be asked on database
lists.
once again: i agree :)

i think that to achieve the above you shouldn't encrypt the whole 
database. databases store DATA, not information. there is thus no use to 
encrypt it for data security makes no sense at all :)

instead encrypt what you WRITE into your database. e.g. create a new 
rlm_sql_ * driver which will take anything coming from rlm_sql, encrypt 
it according to its configuration and write it into the DB in a usual 
way, e.g. by using rlm_sql_mysql.

in any case, you DON'T want the DB to decrypt the information or to 
check the provided encryption key, etc. since you would lose your single 
point of entry.



ciao
artur
ps alan, what about those neat certificates i sent to you? have you by 
any chance managed to put those things somewhere so folks can test them?





Re: FreeRADIUS EAP/TLS problem

2003-09-17 Thread Artur Hecker
i can't say you what the problem is, but it looks like it is NOT linked 
against the correct library, since the function which is not found is 
NOT part of the 0.9.6 openssl BUT of the 0.9.7b. you probably compiled 
with the good version (otherwise it wouldn't compile in the first place) 
but the runtime is loading the old version. try an explicit LD_PRELOAD

ciao
artur
[EMAIL PROTECTED] wrote:

Hello everybody,

my Radius server crashes every time when the supplicant is trying to
authenticate.
I use Freeradius 0.9.1 on a Linux (Redhat8 Kernel 2.4.20) machine. The supplicant
is also installed on a Linux machine (Xsupplicant 0.7), the authentication
protocol is EAP-TLS. The access point is a workstation with HostAP.
After starting FreeRadius I get this sequence of messages:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = root
 main: group = root
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = no
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will go away soon.
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /usr/local/var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = tls
 eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
rlm_eap: Loaded and initialized the type leap
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /etc/1x/r/cert-srv.pem
 tls: certificate_file = /etc/1x/r/cert-srv.pem
 tls: CA_file = /etc/1x/r/root.pem
 tls: private_key_password = whatever
 tls: dh_file = /etc/1x/r/dh
 tls: random_file = /etc/1x/r/random
 tls: fragment_size = 1750
 tls: include_length = yes
rlm_eap_tls: conf N ctx stored
rlm_eap: Loaded and initialized the type tls
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
 preprocess: hints = /usr/local/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /usr/local/etc/raddb/users
 files: acctusersfile = /usr/local/etc/raddb/acct_users
 files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = 

Re: Wi-fi hotspot

2003-09-16 Thread Artur Hecker
hi


But we want some sort of standardized secure login for windows users ?
-I only see PEAP here.
or ttls, it depends on available clients. but peap is more microsoft... 
you are probably right.


Another solution would be the Portal approach: users will have to
authenticate on a https webpage which starts a script and changes
firewall rules (like NoCat).
yes, but it's not really wifi authentication.


My preference would be to have a central authentication system, with
only the access points out in the field (not the radius/portal servers),
and NOT having to use VPNs to connect the access points to a central
gateway (portal). This would allow the use of simple dynamically (IP
Addr) connected APs.
well, radius is a centralized auth system. and only the aps are out in 
the field. and it has nothing to do with a portal. you only need fixed 
IPs for the APs because of some simple restrictions, i'm sure you could 
patch a radius server to accept whatever incoming request, as long as 
the shared secret is ok. you should be clear about the identity of your 
APs though...

the problem with what you propose is that you NEED a trust relationship 
between your auth system (whichever it would be) and your APs, because 
otherwise everybody would be served.

ciao
artur


Re: lrad_rand()

2003-09-15 Thread Artur Hecker
/dev/urandom perhaps, if it exists?

ciao
artur
Alan DeKok wrote:

Michael Richardson [EMAIL PROTECTED] wrote:

Short of opening /dev/random and seeding it myself, is there something that
is more strongly seeded already present in the tree?


  No.  I would suggest opening /dev/random, but that blocks, which is
bad.
  Alan DeKok.





Re: FreeRadius EAP Postgresql

2003-09-15 Thread Artur Hecker
try putting it in radgroupcheck and usergroup should assign a group to 
each user.

that's how i use it with mysql

ciao
artur
[EMAIL PROTECTED] wrote:

Hi,
I'm currently configuring a Freeradius 0.9.1 with EAP-TLS support and
Postgresql.
If I put in 'users' file 
DEFAULT Auth-Type := EAP

Everything works fine, but if someone gets a certificate he can log in.

I want to permit only users using postgresql.  What should I put into the radcheck,
radreply and usergroup tables to permit that?
log said that sql module returns ok
but my Auth-Type attribute is not handled, here is some table content:
radius=# select * from radcheck;
 id | username | attribute | op | value
----+----------+-----------+----+-------
  6 | greg     | Auth-Type | := | EAP

(I don't know If I should put Auth-Type here)

radius=# select * from radreply;
 id | username | attribute | op | value
----+----------+-----------+----+-------
  5 | greg     | Auth-Type | := | EAP

(I don't know If I should put Auth-Type here)

raddb/users :
DEFAULT Auth-Type := Reject
	Reply-Message = high, low
here is the query I use :
	authorize_group_check_query = SELECT gct.id, gct.GroupName, gct.Attribute, gct.Value, gct.Op 
	FROM ${groupcheck_table} gct, ${usergroup_table} ugt 
	WHERE ugt.Username = '%{SQL-User-Name}' 
		AND ugt.GroupName = gct.GroupName 
	ORDER BY gct.id

authorize_group_reply_query = SELECT grt.id, grt.GroupName, grt.Attribute, grt.Value, grt.Op 
	FROM ${groupreply_table} grt, ${usergroup_table} ugt 
	WHERE ugt.Username = '%{SQL-User-Name}' 
		AND ugt.GroupName = grt.GroupName 
	ORDER BY grt.id

Note: these are not the default ones but they are verified to work ;p and tests were
performed with both (default and mine).
That's all; in many tests I've deleted the Auth-Type attribute from the tables and it
didn't change anything, the result was the same, the MATCHED was the one found in the users file.
Really thanks, I'm sure I've missed something but I don't see what ;]

The final purpose of this is to be able to remove access for someone just by
updating the good field containing the Auth-Type attribute to REJECT or to put
a specific user in a reject group...




Re: FreeRadius EAP Postgresql

2003-09-15 Thread Artur Hecker
i know what you want to do :-)

but alan is right. don't set EAP manually. rather do the following:

- let the EAP module in the authorization section. put the sql module in 
the authorization section as well.

- create an sql group with Auth-Type := Reject.

- create an sql group with Auth-Type := Local.
(both in radgroupcheck)
- put good users in the second and bad users in the first (in 
usergroup). somehow make DEFAULT be a bad guy (in order to reject 
everything else).

- put eap in authentication.

try.

ciao
artur




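A self-contained simulation of the group-based setup Artur recommends, added here as an example (it is not FreeRADIUS or rlm_sql code): it loads the poster's authorize_group_check_query (with ${groupcheck_table}, ${usergroup_table} and %{SQL-User-Name} substituted) into SQLite and shows which Auth-Type each user ends up with, and that revoking a user is a single usergroup row update. The sample users, the group names and the DEFAULT fallback are this example's own assumptions.

```python
"""Simulate the radgroupcheck/usergroup setup from the thread with SQLite.

Added example, not rlm_sql code. Table and column names follow the
poster's query; sample users and the DEFAULT fallback are assumptions.
"""
import sqlite3
from typing import List, Optional, Tuple

SCHEMA = """
CREATE TABLE radgroupcheck (
    id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE usergroup (
    id INTEGER PRIMARY KEY, UserName TEXT, GroupName TEXT);
"""

# The poster's authorize_group_check_query with ${groupcheck_table},
# ${usergroup_table} and '%{SQL-User-Name}' substituted for SQLite.
GROUP_CHECK_QUERY = """
SELECT gct.id, gct.GroupName, gct.Attribute, gct.Value, gct.Op
  FROM radgroupcheck gct, usergroup ugt
 WHERE ugt.Username = ?
   AND ugt.GroupName = gct.GroupName
 ORDER BY gct.id
"""


def build_db() -> sqlite3.Connection:
    """Constructed sample data: one Reject group and one Local group."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) VALUES (?, ?, ?, ?)",
        [("rejected", "Auth-Type", ":=", "Reject"),
         ("wlan-users", "Auth-Type", ":=", "Local")],
    )
    conn.executemany(
        "INSERT INTO usergroup (UserName, GroupName) VALUES (?, ?)",
        [("greg", "wlan-users"),   # good user: certificate holder we want in
         ("bob", "rejected"),      # bad user: certificate still valid, access revoked
         ("DEFAULT", "rejected")], # everyone else (assumed DEFAULT convention)
    )
    conn.commit()
    return conn


def group_check_items(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str, str]]:
    """Rows the group check query returns for a user, as (Attribute, Op, Value)."""
    rows = conn.execute(GROUP_CHECK_QUERY, (username,)).fetchall()
    return [(attr, op, value) for _id, _group, attr, value, op in rows]


def effective_auth_type(conn: sqlite3.Connection, username: str) -> Optional[str]:
    """Auth-Type set by the user's check items. Users with no usergroup row
    fall back to DEFAULT; that fallback is this example's emulation of the
    users-file convention, not a claim about how rlm_sql behaves."""
    items = group_check_items(conn, username) or group_check_items(conn, "DEFAULT")
    for attr, op, value in items:
        if attr == "Auth-Type" and op == ":=":
            return value
    return None


def revoke(conn: sqlite3.Connection, username: str) -> None:
    """Lock a user out by moving them to the Reject group: one row update,
    no change to certificates or to the users file."""
    conn.execute("UPDATE usergroup SET GroupName = 'rejected' WHERE UserName = ?",
                 (username,))
    conn.commit()
```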


Re: Question about 802.1x and Radius

2003-09-11 Thread Artur Hecker
hi


1.In 802.1x , is the user/password transmitted from the Supplicant to 
the Authenticator ?

2.If so what is the messages used for the same? Is it sent in Request 
and Response ,message or is it encrypted in the MD5-challenge Response 
from the supplicant?
the information requested by you is not part of 802.1X. 802.1X only 
defines the protocol to exchange whatever authentication information. 
the real protocol is defined in the respective EAP specification and thus 
highly depends on the latter.

you want to read www.freeradius.org/doc/EAP-MD5.html

ciao
artur




Re: [Fwd: Dossier 3648426 Intel(r) Pro 5000 Access Point]

2003-09-11 Thread Artur Hecker
i ask myself what they possibly could have broken so badly that only IAS 
is supported

wondering
artur


Fabrice Beauvir wrote:

Here is Intel answer about using Intel Prowireless 5000 as Acces Point.

It is not able to receive EAP/TLS messages (except those sent by 
Microsoft IAS radius).

Dear Mr Beauvir,
  it is not possible actually to connect to a Freeradius EAP/TLS.
It may be possible in the future

So,
don't buy Intel APs for the moment.
 Original Message 


Dear Mr. Beauvir,

I regret that it is not currently possible to make a connection with 
FreeRADIUS EAP/TLS. It may perhaps be possible in the future.
Regards,
Mike L.
Intel Customer Support (EMEA)





Re: EAP/MD5 question

2003-09-10 Thread Artur Hecker
hi


I would like some help configuring my Freeradius.
I just started with Freeradius and i am not that familiar with 
wireless/certificates so i thought to start with EAP/MD5 instead of EAP/TLS.
your EAP/MD5 is working but check www.freeradius.org/doc/EAP-MD5.html


At this moment it looks like i can authenticate with my WinXP wireless 
client with Radius.
not on wireless if your WinXP is SP1 (or later)...


After this first step, i believe WEP keys need to be negotiated, but i 
think i have that part missing/wrong.
no, no WEP keys are EVER negotiated in EAP/MD5. sorry, you have to set 
those manually - the same in the AP and the STA.


My AP is configurable for 64 / 128 / 256 keys in combination with Radius.
Also no ip address is provided, which normally is dhcp. I guess this only 
starts after WEP is enabled correctly.
that's correct. and it doesn't work if something is wrong. 256 bit keys 
are not standard. your card should be from the same vendor then.


I tried several options from the documentation / newsgroup but i could 
not find a satisfactory answer. Most use EAP/TLS.
because of dynamic WEP keys which are possible with EAP/TLS


Log from  Dlink950+ :
Sep 10 08:52:23 accesspoint Wireless PC connected   00-06-25-A8-1A-41
Sep 10 08:52:23 accesspoint EAP-Request/Identity
Sep 10 08:52:27 accesspoint EAP-Request/Identity
Sep 10 08:52:28 accesspoint EAP-Response/Identity   test
Sep 10 08:52:28 accesspoint EAP-Success   00-06-25-A8-1A-41
Sep 10 08:52:28 accesspoint Authentication success   00-06-25-A8-1A-41
your EAP/MD5 is working.


Sending Access-Accept of id 6 to 192.168.1.50:1208
Service-Type = Framed-User
Framed-IP-Address = 192.168.1.60
EAP-Message = 0x03020004
Message-Authenticator = 0x
Finished request 1
idem.

- set the WEP keys



ciao
artur




Re: Server is sending Reject packet :((

2003-09-10 Thread Artur Hecker


take a look at the modules in your authenticate {} section in 
radiusd.conf and on their configuration. put the user 'test' into the 
'users' file:

test	Auth-Type := Local, User-Password == "test"

ciao
artur

rad_recv: Access-Request packet from host 127.0.0.1:32923, id=214, length=56
User-Name = test
User-Password = test
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module chap returns noop
rlm_eap: EAP-Message not found
  modcall[authorize]: module eap returns noop
rlm_realm: No '@' in User-Name = test, looking up realm NULL
 rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop
users: Matched DEFAULT at 152
  modcall[authorize]: module files returns ok
  modcall[authorize]: module mschap returns noop
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type System
auth: type System
modcall: entering group authenticate
  modcall[authenticate]: module unix returns notfound






Re: I don't recall making a change, but FR is not working the same way anymore...

2003-09-05 Thread Artur Hecker
hi Tom

a dumb question looking on your log:


Tue Sep  2 12:13:57 2003 : Auth: Login OK: [higleys] (from client higleyscoffee port 0 cli 00-04-E2-07-EC-31)
Tue Sep  2 15:48:04 2003 : Auth: Login OK: [higleys] (from client higleyscoffee port 0 cli 00-04-E2-07-EC-31)   <= this should have been denied
who told you that the first session already used up all the 900secs??? 
if not, why should the second be denied then?



ciao
artur




Re: FreeRadius 0.9.0 and Proxim Orinoco AP-2000 Help

2003-09-05 Thread Artur Hecker
you could log in into the AP and see what happens in there if this is 
supported.

you mean the AP sends the Request, gets the challenge but never answers?

ciao
artur
David Middleton wrote:

Yes I can. I also traced it and it is getting there. It's almost like
the AP is ignoring the packets being sent to it. 

David

--- Ulrich Walcher [EMAIL PROTECTED] wrote:

Sounds like a routing problem.
Can you ping the ap?
On Fri, 2003-09-05 at 17.30, David Middleton wrote:
---SNIP ---
The radius server and the ap are on
different networks, but there is no firewall between them. 

Any assistance would be appreciated,
David






Re: Need some help configuring freeradius - openssl problem (EAP)

2003-09-01 Thread Artur Hecker
Hi madhusudan!

if you look at the mail list archives, i posted a manually edited 
Makefile for the eap_tls module a while ago.

ciao
artur
Alan DeKok wrote:

Madhusudan Singh [EMAIL PROTECTED] wrote:

   I tried what you suggested. Downloaded freeradius-snapshot-20030830.

   No go. I still get :

checking for openssl/ssl.h... no
checking for DH_new in -lcrypto... no
...

  Try looking at the logs from 'configure'.  If that doesn't help,
edit the Makefiles.
  Each 'Makefile' for the modules is about 10 lines.  The 'configure'
scripts are there only as an easy short-hand, in 99% of the normal
cases.  If 'configure' is too hard to use, edit the 'Makefile' by
hand.
  Alan DeKok.





WLAN SSID to VLAN mapping

2003-08-20 Thread Artur Hecker
hi

almost nothing to do with freeradius, but...has anyone ever tried to 
configure a WLAN-SSID to VLAN mapping? some APs offer this interesting 
possibility but my tests with AP350 (12.03T) basically weren't very 
successful.

e.g. when i activate the double SSID, i have to map the SSIDs to the 
VLANs which i've previously defined. however, even if i can connect to 
the SSID, the AP stops sending accounting information to the radius 
server. then, i have general difficulties connecting to both defined 
SSIDs, since it works only from time to time. does anyone have any experience 
with it? i would like to hear your comments.

ciao
artur




Re: reply-message

2003-08-19 Thread Artur Hecker
hi sylvain


i have to admit that i don't really understand the first part of your
question. but, in the case you are using EAP/MD5 try to read the FAQ
under http://www.freeradius.org/doc/EAP-MD5.html and look for
Reply-Message. Could it be this kind of problem?

for the second part, it's interesting - i didn't try it but, as alan, i
asked myself if it is possible some time ago and i promptly came up with
a solution which i'm not sure about.

Alan: what do you think, if freeradius assigned an ip-address to the
user in a corresponding radius attribute and the client (AP) would use
it for the client's DHCP/BOOTP relay which then would emit a DHCPOFFER
message, could it work? I'm not an expert in BOOTP/DHCP, but do you
think something like this would be possible?


ciao
artur



Alan DeKok wrote:
 
 Sylvain Masnada [EMAIL PROTECTED] wrote:
  I'd like to know why the reply-message attribute is sent by
  freeradius in a access-reject packet.  I use this attribute to
  welcome people who connected themselves on my wireless network. But
  with xsupplicant, this access-reject disconnects my user, who
  reconnects immediately and is disconnected and reconnected and ...
 
   I don't think that the Reply-Message has anything to do with it.
 
   If the user is rejected, they can try again immediately.  After some
 number of retries, the AP will deny them access.  See the AP
 configuration for details.
 
  I'd like to know if my AP which is a cisco AP350 can cause me
  troubles when I try to assign an ip to the users.
 
   So far as I know, it can't be done.  The users are authenticating to
 the AP (and then FreeRADIUS) through the EAP protocol, which doesn't
 support setting the IP address.
 
   Alan DeKok.
 

-- 
Artur Hecker
artur[at]hecker.info



Re: errors when starting in debug mode

2003-08-19 Thread Artur Hecker
make sure the module's got built in the first place. see the output of
your ./configure script and add the mysql-dev libs if necessary.


ciao
artur


juan wrote:
 
 i'm having problems when starting the server, with mysql.
 here are some lines i'm getting,
 
 -*---
 HERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0
 rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found
 rlm_sql (sql): Make sure it (and all its dependent libraries!) are in
 the search path of your system's ld.
 radiusd.conf[14]: sql: Module instantiation failed.
 [EMAIL PROTECTED] freeradius-0.9.0]#
 
 what should i do?
 
 thanks!!
 



Re: reply-message

2003-08-19 Thread Artur Hecker

hi alan


your answers always appear before the original questions, which is a
little bit surprising :-)

e.g. to my email originally written at 20:50 +02:00 you answered at
11:06 -04:00. evidently it's not possible, provided that we have the
same reference point. do you make reference to GMT or what?

then, to your email: i would like to test it with AP340/250. which is
the attribute to put into the user configuration in order to get
assigned an ip by the radius server? :-)


ciao
artur


Alan DeKok wrote:
 
 Artur Hecker [EMAIL PROTECTED] wrote:
  Alan: what do you think, if freeradius assigned an ip-address to the
  user in a corresponding radius attribute and the client (AP) would use
  it for the client's DHCP/BOOTP relay which then would emit an DHCPOFFER
  message, could it work? I'm not an expert in BOOTP/DHCP, but do you
  think something like this would be possible?
 
   It should be possible, but I don't know off-hand if any AP's work
 that way.
 
   Alan DeKok.
 



Re: Freeradius-Users digest, Vol 1 #2201 - 12 msgs

2003-08-18 Thread Artur Hecker
hi


right, the EAP/Identity and User-Name must be the same, that's the job
of the client, and we could thus verify only one, completely ignoring
the other. however, the rlm_eap_tls currently authenticates the
_certified_ name, which does not have to match either of the two...

the bug i mentioned refers to the missing comparison of one of the two
(from here on i will use the term User-Name) to the certified name (CN
in the certificate). as i already explained twice on this list, the
problem is that the two do not HAVE to be strictly string-equal: e.g.
in the case of proxying the User-Name is likely to have a suffix which
the CN of the certificate is very unlikely to have in practice. thus, as
i proposed before, there should be a definable equivalence (e.g. in the
tls-module options) or even better a regular expression (or an external
handler) which specifies exactly when the two can be considered equal.


ciao
artur


Alan DeKok wrote:
 
 Artur Hecker [EMAIL PROTECTED] wrote:
  that's right, you don't. eap module will authenticate independently. it
  can be seen as a bug, since the authentication is not very consistent.
  everything else in the server - e.g. the accounting - is based on the
  user-name...
 
   Further, the RFC's say that if an EAP client has a user name, it
 MUST include that in the EAP-Identity, and also in the User-Name of a
 RADIUS packet.
 
   The latest CVS snapshot is a little more forgiving, in that it
 allows *SOME* EAP authentication types without a User-Name.
 
   Alan DeKok.
 

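The consistency check Artur is asking for, written out as an added example (not rlm_eap_tls code): the EAP-Identity and the User-Name must be identical, and the User-Name must be equivalent to the certificate's CN under a configurable regular expression, whose default strips the realm suffix that proxying adds. The rule string, the function names and the sample subjects are this example's own assumptions.

```python
"""Compare the RADIUS User-Name with the name certified in the client
certificate under a configurable equivalence.

Added example, not rlm_eap_tls code. The default rule strips a realm
suffix (the proxying case from the thread); rule string, function names
and sample subjects are this example's own.
"""
import re
from typing import Optional, Tuple

# Default equivalence: the part before an optional '@realm' must match.
DEFAULT_RULE = r"^(?P<id>[^@]+)(?:@(?P<realm>.+))?$"


def certificate_cn(subject: str) -> Optional[str]:
    """Pull the CN out of an OpenSSL one-line subject such as
    '/C=FR/O=ENST/CN=artur' (constructed sample form)."""
    match = re.search(r"(?:^|/)CN=([^/]+)", subject)
    return match.group(1) if match else None


def names_equivalent(user_name: str, cert_cn: str, rule: str = DEFAULT_RULE) -> bool:
    """Both names are reduced with the same regular expression; the named
    group 'id' is the part that has to be string-equal. A name the rule
    does not match at all is never equivalent to anything."""
    pattern = re.compile(rule)
    m_user, m_cn = pattern.match(user_name), pattern.match(cert_cn)
    if m_user is None or m_cn is None:
        return False
    return m_user.group("id") == m_cn.group("id")


def check_identity(eap_identity: str, user_name: str, cert_subject: str,
                   rule: str = DEFAULT_RULE) -> Tuple[bool, str]:
    """Full check for one EAP-TLS authentication:
    1. EAP-Identity and RADIUS User-Name must be identical (the client's job);
    2. User-Name must be equivalent to the certified CN under the rule.
    Returns (accepted, reason) so the reason can be logged on rejection."""
    if eap_identity != user_name:
        return False, "EAP-Identity %r differs from User-Name %r" % (eap_identity, user_name)
    cn = certificate_cn(cert_subject)
    if cn is None:
        return False, "certificate subject %r carries no CN" % cert_subject
    if not names_equivalent(user_name, cn, rule):
        return False, "User-Name %r not equivalent to certified name %r" % (user_name, cn)
    return True, "User-Name %r matches certified name %r" % (user_name, cn)
```

Passing `rule=r"^(?P<id>.+)$"` makes the comparison strictly string-equal, which is the behaviour Artur argues is too restrictive for proxied requests.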


Re: Amount of data

2003-08-17 Thread Artur Hecker
hi


that's difficult to answer precisely without having more details. if i
understood correctly, _you_ will be authenticating your users. so, the
exact amount of data merely depends on the authentication method chosen
for user authentication between you and your user and on the number and
type of the authorization tokens included in your answer
(radius-attributes). 
depending on the authentication method, it can be just one
Access-Request - Access-Accept exchange involving 1 UDP packet in each
direction. however, other authentication methods (and it's not a
question of user-name or password length) could require further
challenges sent by your server and the number of exchanges can
practically rise up to 5-6 and more (i.e. 5-6 UDP packets in each
direction). also the packet length would change depending on the kind of
challenges and responses sent.

now, depending on the authorization tokens included, some of the packets
sent by your server will be bigger or smaller, too. i don't know which
parameters have to be included according to your policy.

what i'm trying to say is that the best man to answer this question is
you. decide what exactly you want to do, which limitations and rights
you want to grant and how you want to authenticate. then, grab the radius
base RFC and count the bytes (analytic approach). alternatively, try a
test authentication and record the data exchanged on the interface
(simulative approach).


regards,
artur


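The analytic approach, carried out as an added example (not FreeRADIUS code): encode an Access-Request attribute by attribute as RFC 2865 lays it out, including the User-Password hiding, and count the octets. With the attribute set radtest sent in the earlier "Server is sending Reject packet" post it reproduces that post's length=56. The shared secret and request authenticator below are constructed.

```python
"""Count the bytes of a RADIUS Access-Request the way RFC 2865 lays them out.

Added example, not FreeRADIUS code. The attribute set is the one radtest
sent in the earlier post (length=56); secret and authenticator are
constructed sample values.
"""
import hashlib
import ipaddress
import os
import struct
from typing import Dict, Optional

ACCESS_REQUEST = 1
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Request Authenticator(16)
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 octets, then XOR each
    block with MD5(secret + previous block); the first 'previous block' is
    the Request Authenticator. This is why the attribute costs 18 octets
    for a 4-character password."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same transform; the NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def avp(attr_type: int, value: bytes) -> bytes:
    """One attribute: Type(1) + Length(1) + Value, Length counting all three."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, secret: bytes, user_name: str,
                         password: str, nas_ip: str, nas_port: int,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Access-Request with the four attributes radtest sends."""
    authenticator = authenticator or os.urandom(16)
    attrs = (avp(USER_NAME, user_name.encode())
             + avp(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + avp(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
             + avp(NAS_PORT, struct.pack("!I", nas_port)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + authenticator + attrs


def declared_length(packet: bytes) -> int:
    """Length field from the header, which a server must check against the
    datagram size before walking the attributes."""
    return struct.unpack("!H", packet[2:4])[0]


def byte_breakdown(packet: bytes) -> Dict[object, int]:
    """Octets per attribute type, so the cost of each authorization token
    is visible; refuses packets whose attribute lengths overrun the buffer."""
    out: Dict[object, int] = {"header": HEADER_LEN}
    pos = HEADER_LEN
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        out[attr_type] = out.get(attr_type, 0) + length
        pos += length
    return out
```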


Re: configuring eap-tls using version 0.9

2003-08-15 Thread Artur Hecker
-IP-Address, NAS-Port-Id
 Module: Instantiated acct_unique (acct_unique)
 Module: Loaded detail
 detail: detailfile = /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
 Module: Instantiated detail (detail)
 Module: Loaded radutmp
 radutmp: filename = /var/log/radius/radutmp
 radutmp: username = %{User-Name}
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
 Module: Instantiated radutmp (radutmp)
 Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
 Ready to process requests.
 rad_recv: Access-Request packet from host 172.28.10.222:1645, id=24, length=135
 User-Name = everything
 Framed-MTU = 1400
 Called-Station-Id = 0002.8a78.b76c
 Calling-Station-Id = 0007.50ca.f48e
 NAS-Port-Type = Wireless-802.11
 Message-Authenticator = 0x559ad0c76f3ada1c49ab476c7312c8ef
 EAP-Message = 0x0205000f0165766572797468696e67
 NAS-Port-Type = Virtual
 NAS-Port = 8
 Service-Type = Login-User
 NAS-IP-Address = 172.28.10.222
 modcall: entering group authorize
 modcall[authorize]: module preprocess returns ok
 rlm_eap: EAP packet type notification id 5 length 15
 rlm_eap: EAP Start not found
 modcall[authorize]: module eap returns updated
 rlm_realm: No '@' in User-Name = everything, looking up realm NULL
 rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop
 users: Matched everything at 154
 modcall[authorize]: module files returns ok
 modcall: group authorize returns updated
 rad_check_password: Found Auth-Type EAP
 auth: type EAP
 modcall: entering group authenticate
 rlm_eap: EAP packet type notification id 5 length 15
 rlm_eap: EAP Start not found
 rlm_eap: EAP Identity
 rlm_eap: processing type tls
 rlm_eap_tls: Initiate
 rlm_eap_tls: Start returned 1
 modcall[authenticate]: module eap returns ok
 modcall: group authenticate returns ok
 Sending Access-Challenge of id 24 to 172.28.10.222:1645
 EAP-Message = 0x010600060d20
 Message-Authenticator = 0x
 State = 0x8a72e6e82a8f36e597ee10ce669bf1047eaf3c3f5baafeac546001236e496837139d135a
 Finished request 0
 Going to the next request
 --- Walking the entire request list ---
 



Re: X9.9 Auth-Type

2003-08-15 Thread Artur Hecker

i'm not sure, but it looks like this module has an authorize section.
perhaps you should leave the auth-type := local and put the x99 instance
in the authorize section of the config file so it can set it
automatically?? did you try it?

ciao
artur



 Alex Dron wrote:
 
 Hi,
 I wonder how to configure X99 authentication (i.e. for Cryptocard).
 What I suppose to set in Auth-Type in users file for such user?
 
 In comments to x99.conf I see next:
 (Auth-Type := x99_token)
 
 However, there is no such type in the Dictionary... and server refuses
 to start.
 The only suitable type I found in the dictionary is ActivCard. Is
 that it?
 
 I don't have any hardware token, but I want to test
 Challenge/Response logic for one particular RADIUS client.
 I understand that rlm_x99_token is that what I have to use.
 I have set up radiusd.conf to use x99.conf, and x99passwd for
 some user of type cryptocard-d8-rs.
 Now I guess I have to add this user to users, but what I should
 specify for auth-type?
 
 I'm using 0.9.0 on Linux RH 7.3, and have the latest OpenSSL
 libraries.
 
 Thanks,
 Alex
 



Re: users file not using multiple directives

2003-08-14 Thread Artur Hecker

nothing to do with your post except for one detail: like alan i asked
myself what a stack trace could be? i thought about some special
network sniffer device or even some jargon talking about switches
(perhaps from baystack?) etc. :-)

funny, i've always been subconsciously defining strace as system call
trace or something like that because that is what it does - under
linux.

as a matter of fact debian defines it this way in its man-page: strace -
trace system calls and signals.

history out of the man page:

   The original strace was written by  Paul  Kranenburg
   for SunOS and was inspired by its trace utility.  The SunOS
   version of strace was  ported  to  Linux  and  enhanced  by
   Branko  Lankester, who also wrote the Linux kernel support.
   Even though Paul released strace 2.5 in 1992, Branko's work
   was based on Paul's strace 1.5 release from 1991.  In 1993,
   Rick Sladkey merged strace 2.5 for  SunOS  and  the  second
   release  of strace for Linux, added many of the features of
   truss(1) from SVR4, and produced an strace that  worked  on
   both  platforms.   In  1994  Rick ported strace to SVR4 and
   Solaris and wrote the automatic configuration support.   In
   1995  he  ported  strace to Irix and tired of writing about
   himself in the third person.

simultaneously, SunOS 5.9 defines it as strace - print STREAMS trace
messages. i am not familiar with SunOS but a fast look to man strace
seemed to explain that it doesn't actually do the same thing.

others?


ciao
artur



Michael Komitee wrote:

 
 yes, i didn't need the stack trace, i've been running it in debug mode all along, and 
 never noticed the incorrect ip till i ran the strace.. which i agree wasn't necessary.
 
 i'm using radtest to generate the radius packet, radtest includes a line
 nas = `hostname`
 
 and then includes in the packet NAS-IP-Address = $nas
 
 so it's sending my hostname instead of my IP, radiusd wants an ip address and seems 
 to evaluate a string of characters to 255.255.255.255, which i obviously have not 
 included in my huntgroup. I changed the radtest script to send the right IP, and 
 everything seems to be working now.
 
 --thanks.
 
 -Original Message-
 From: Alan DeKok [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, August 13, 2003 2:09 PM
 To: [EMAIL PROTECTED]
 Subject: Re: users file not using multiple directives
 
 Michael Komitee [EMAIL PROTECTED] wrote:
  actually, it's not authenticating anyone. i ran a stack trace on
  radiusd, and tried to authenticate. i'm seeing that the packet radiusd
  is receiving has a NAS-IP-Address of 255.255.255.255.
 
   stack trace?  What about debugging mode?
 
  That's the problem right there. Somehow, the nas ip address isn't
  being properly set, and as a result the request does not match the
  huntgroup.
 
   The NAS-IP-Address is set to whatever is in the RADIUS packet.
 Debugging mode will show this.  Run 'tcpdump' to see it in another
 format.
 
   Alan DeKok.
 
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
 

-- 
Artur Hecker
artur[at]hecker.info



Re: EAP/TLS problems... The last mail 4/4

2003-08-14 Thread Artur Hecker
hi Alan


Alan DeKok wrote:
 
 Artur Hecker [EMAIL PROTECTED] wrote:
  i think that what you receive at your radius server is neither the EAP
  Identity nor EAP Start, apparently it is a Notification message. The
  AP sends notifications to your Radius server, and the latter tries to
  send challenges back (to Alan, WHY?)
 
   From what I can tell of looking at the EAP-Messages going back and
 forth, the AP is not sending an EAP-Notification.  So that message
 might be wrong, but the server appears to be OK.

ok, but the EAP module said that. So, at least the EAP module message is
wrong.

 
  To Alan :  the following messages are really not very consistent. Could
  you improve it so that the defined EAP message type appears in the same
  manner and the reason is given? E.g. the third line is ambiguous and the
  first and the second lines are not consistent.
 
   The first line is wrong.  The third line is correct.

ah ok. anyway, only one of those should be in the log :-) and please add
something like "Recognized EAP Identity message" or similar...

 
  Also the last line is not user-friendly :-)
 
   It's a debugging message, there for debugging purposes.  I'll take a
 look, but I would rather have MORE information than less.

i know! in my proposition I only ADDED but never removed information, so
...


ciao
artur


-- 
Artur Hecker
hecker[at]enst[dot]fr
+33 1 45 81 7507
http://www.infres.enst.fr
Groupe Accès et Mobilité, Département Informatique et Réseaux
ENST Paris, 46, rue Barrault, 75634 Paris cedex 13



Re: RADIUS with LDAP - radtest

2003-08-14 Thread Artur Hecker
:-)

the usage of CAPITAL LETTERS is usually understood as yelling on Usenet. 
that's all about netiquette.

if you happen not to get an expected response, it doesn't mean that 
nobody wants to answer; it probably means that nobody can answer - for 
different reasons. you *can* try reposting some time later but try also 
to see if your original mail really clearly pointed to the problem. read 
archives and faq, supply server logs, etc. - as always.

it's like with the medicine: first read the instructions, then take the 
pill. do not complain about red points all over your face if you didn't 
read it :) if you see the doctor, explain what you did, do not yell 
about the red points, it's not his fault.

and: it has nothing to do with nationalities either.

ciao
artur


Octavio Ramirez Rojas wrote:

Hi,

I don't try to make one frenchification of your name. In order to
begin I am not french, I study in a French University, that is
different. I'm not yelling at us.  I was reading the documentation and I
made the things just as it is. I'm beginner in LDAP/RADIUS server. I
sent you the files so that you confirm what I tried to explain.
Thanks for your advice.

Cordially,

Octavio

On Mon 11/08/2003 at 15:32, Oliver Graf wrote:

On Mon, Aug 11, 2003 at 02:37:00PM +0200, Octavio Ramirez Rojas wrote:

Hi Olivier,
frenchification of my name is not an option.


On Mon 11/08/2003 at 14:05, Oliver Graf wrote:

On Mon, Aug 11, 2003 at 01:44:18PM +0200, Octavio Ramirez Rojas wrote:

YES, I TRIED WITH THE MAN PAGE LIKE THIS:
your caps-lock seems to be struck.
I don't have caps-lock problems.
So, you are yelling at us because you want that we ignore your mail?


SOMEBODY CAN HELP ME TO SOLVE THIS ERROR? I SEND YOU CONFIGURATION FILES
THAT I HAVE.
Can you stop yelling around and start reading the documentation?

Sending default configuration files to the list normally results in
lots of people deleting your mail.
Try to:
- read and understand the config and the examples
- google the archives of this list
- don't write capslock sentences
- send only your minimal config, not the whole commented config (just
  copy the original config files so you still have them for
  reference)
Oliver.










Re: Authentication-Request

2003-08-14 Thread Artur Hecker
yes, why don't you change the port in the radius configuration of your 
AP 350? obviously it tries to connect to the port which your server uses 
for something else: probably a typo of yours. it should be (udp)1812 
unless you changed something.

ciao
artur
Kent Hansen wrote:

Hi!

Get this error when my wireless client tries to join the Cisco 350/FreeRadius:

Error on freeradius:
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host ip_on_the_cisco_ap:1024, id=0, 
length=159
Authentication-Request sent to a non-authentication port from client 
rtest:1024 - ID 0 : IGNORED
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host ip_on_the_cisco_ap:1025, id=1, 
length=159
Authentication-Request sent to a non-authentication port from client 
rtest:1025 - ID 1 : IGNORED

The wireless client tries to access the network with a username and password I 
have set up on the freeradius. What's wrong?

Kent









Re: Personal certificate usage problem

2003-08-14 Thread Artur Hecker
hi

 When I open the Personal certificate and select Details tab-Edit properties I have 
 to select Enable only the following purposes and deselect all but Client 
 Authentication. Doing this Windows 2000 finds the certificate and EAP/TLS 
 authentication goes OK. But if I don't do this it says unable to find certificate.

interesting, so windows 2000 wants the certificate to be a pure Client
Auth certificate? why not, it would still work for you, right?


 I can't use the EKU described in Ken Roser's document because if I use it Windows 
 2000 says that the certificate has a non-valid digital signature. Does the EKU work 
 only in XP? The detail tab shows only Client authentication as authentication method 
 on the Personal certificate as I need though.

oups? perhaps i don't understand something, but in my case the Client
Authentication IS mentioned under the Extended Key usage uncritical
extension with the value of 1.3.6.1.5.5.7.3.2.

i don't get about which client authentication you are talking otherwise.
the only one i have is in the EKU. and: windows 2000 can't say it's not
valid because of EKU, this extension is not critical, so it does not
need to be there from the certification point of view. it's my
understanding...

 
 I tried editing the openssl.cnf file and setting nsCertType = client, server 
 (because it give this type to client and server certificate using the script). Then 
 I removed the extensions bits from CA.all and made the certificate.

sorry, i don't know what nsCertType is, looks like netscape to me. and i
don't use CA.all, i use the openssl commands, one after another.

 
 The Personal certificate still shows all the possible usages for the certificate and 
 I have to pick the Client authentication to make it work.

yes, the only usage i have is checked and this is client authentication.
unfortunately it's part of the EKU.

 
 Installing the two certificates is relatively easy. But if you have to start 
 MMC--Add Snap-in--Go to Personal certificate and enable only the client 
 authentication purpose it gets a lot more complicated.

i think you can achieve the same result by just clicking on
certificates. you chose the destination repository only for the root
certificate.

otherwise supply a .reg file, perhaps it will work in this way.

 
 Any idea how to edit CA.all, OpenSSL.cnf, CA.pl or any other place to give the 
 client certificate purpose to only function as client certificate so Windows 2000 
 would find it?

hmm, i don't think you need any of those. i never edited openssl.cnf and
i didn't use ca.all nor ca.pl. i didn't use windows 2000 either :-) but
it can't be that different.

if you want i'll produce you two bogus certificates and you can test
those on your 2000. 


ciao
artur



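As an added illustration (not from the thread, and not FreeRADIUS's own CA scripts), the OpenSSL extension sections that give a client certificate only the non-critical EKU "Client Authentication" (1.3.6.1.5.5.7.3.2) discussed above, beside the matching server section (serverAuth, 1.3.6.1.5.5.7.3.1). The file name xpextensions and the section names are assumptions.

```ini
# xpextensions (assumed file name): extension sections handed to openssl
# when signing a CSR, e.g.
#   openssl ca -extfile xpextensions -extensions xpclient_ext ...
# No nsCertType is used; Windows looks at the EKU, which stays non-critical.

[ xpclient_ext ]
# Client certificate: usable for client authentication and nothing else.
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext ]
# RADIUS (EAP-TLS) server certificate: server authentication only.
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
```

After signing, openssl x509 -in client.pem -noout -text should list only "TLS Web Client Authentication" under X509v3 Extended Key Usage, which is the single purpose the Windows 2000 certificate dialog has to find.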

Re: EAP/TLS Invalid ACK received

2003-08-14 Thread Artur Hecker
try to check if your certificates are ok. under windows try to disable 
check server certificate for testing.

ciao
artur
Jason Coutermarsh wrote:
I'm using the latest CVS build. The great news is that the new State
changes are working correctly with my Netgear ME103! Now I'm having
another, hopefully small, issue. Here's the error I get:
auth: type EAP
modcall: entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP_TYPE - tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack default
rlm_eap_tls: Invalid ACK received: 22
  eaptls_verify returned 4 
  eaptls_process returned 4 
 rlm_eap: Handler failed in EAP type 13
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module eap returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.

I'm not sure where the ACK was supposed to be received from. The access
point? The client? I apologize if I'm jumping the gun on something
that's currently being worked on, since I am using the CVS build. In
regards to some previous posts about EAP/TLS, I also get the EAP Start
not found message, but it does not seem to hurt anything, and it sails
right past that point. Thanks for your help on this issue, and a big
thanks to all the developers for working on a great piece of software!
Jason Coutermarsh
[EMAIL PROTECTED]




Re: Still short certificate problem

2003-08-14 Thread Artur Hecker
hi

Antti Mattila wrote:
Yes.  Don't set the client to validate the server certificate. The
server does not currently send its certificate to the client.
i think it's wrong.


The TLS howtos also say not to verify the server certificate.
yes, but only for testing.


Thank you! Very good to know. But how come in Ken Roser's Freeradius
and XP supplicant on page 5 the picture is with Validate server
certificate and it doesn't say anything about Freeradius not sending its
certificate to the client. Should I email Roser to add that
information?
no, because it's nonsense. in my case windows even asks if i want to 
accept an unknown server certificate which can not be validated, etc., 
just like with SSL  Web.

disabling server certificate validation lets you concentrate on the 
problem, that's all - for debugging. the final solution should imho 
verify the certificate because mutual authentication is extremely 
important.

ciao
artur




Re: EAP/TLS problem solved (almost...)

2003-08-14 Thread Artur Hecker
that's why i'm trying to reassure you. it probably has nothing to do 
with the version of openssl. every suite has to produce compliant 
certificates. the certificate format is mandated by its form.

just verify all the certificates you installed. it's a small error 
somewhere.



ciao
artur
Antti Mattila wrote:

you can DEFINITELY use openssl in order to produce valid certificates, 
both for windows AND freeradius (which uses openssl).

the certification path is not valid probably because the root 
certificate which you installed under windows expired.

ciao
artur


I know that many people have managed to get working certificates for Freeradius with OpenSSL and more importantly with the same exact script I'm using. I wonder what could go wrong maybe it is the OpenSSL version. 

My own generated certificate has valid date as of today and expires after 3 years. Windows 2000 shows it correctly under Authentication tab which it doesn't do if the certificate has expired.

Well have to keep trying, and if I don't get it working we'll have to use somebody else. After all I'm just a 21 year old summer worker ;-)

Best re





Re: Howto FreeRadius --Cisco350 --client win98/2k/xp

2003-08-14 Thread Artur Hecker
www.freeradius.org/doc/EAPTLS.pdf

Kent Hansen wrote:

Hi

Is there anyone who can tell me how to set up a freeradius with a cisco 350 
client, and clients on the ap authenticating to the wireless network with a 
username and password on the freeradius server.

Example: 

Client with xp, wants to join the wireless network, and they need to type in 
username and password, then OK, and at the end, they are joined the network.

How do I set up the freeradius server to do this, and the cisco ap 350?

Kent




Re: Authentication request hacking

2003-08-14 Thread Artur Hecker

hmmm, if i understood you correctly, by authentication request you mean
the RADIUS Access-Request. in that case, what you do would be a
violation of the RFC. why don't you specify your authentication scheme
by using a VSA (or EAP-subtype) and specifying a module to handle it? it
would be much easier and your server would remain inter-functional.

except, there is a misunderstanding in what you say. Access-Requests are
not sent by users, they are sent by NASes. perhaps you should read
ftp://ftp.rfc-editor.org/in-notes/rfc2865.txt .

unless i'm completely misunderstanding what you are saying, you are
about to do something very ugly :-)


ciao
artur



Hans Jorgensen wrote:
 
 Dear list.
 
 I am trying to implement my own request type, with its own request number
 (100), queries etc.
 I have copied and based the code on auth.c, because I would like the users to
 authenticate themselves when sending the request.
 But the authentication does not work. If I change the request number to 1
 (authentication request), the code works.
 This is the case with both CHAP-Password and User-Password.
 
 Is the encryption algorithm using the request number when encrypting the
 password?
 
 Thanks in advance.
 
 Hans
 
 




Re: EAP/TLS problem solved (almost...)

2003-08-14 Thread Artur Hecker
you can DEFINITELY use openssl in order to produce valid certificates, 
both for windows AND freeradius (which uses openssl).

the certification path is not valid probably because the root 
certificate which you installed under windows expired.

ciao
artur
Antti Mattila wrote:

I tried certificates from Adam Sulmicki's cert.tgz packet. I set the server date to 28.2 and on the laptop to 28.2. (the certificate is valid from and expires on that day). And the EAP/TLS authentication worked!

I finally got:
Sending Access-Accept of id 50 to 194.142.202.102:6001
MS-MPPE-Recv-Key = 
0x60b16b18235e7a9fde64aabf7ddb3248540cb7dcaff967454af4c39270ae1607
MS-MPPE-Send-Key = 
0x7236809f4cc3667478644304136783a2604a5a3607d9215f279aa97edcfeac2c
EAP-Message = 0x03090004
Message-Authenticator = 0x
But the certificate problem still remains. The certificate generated with the script which came from the Freeradius package says on the w2k machine (on the certificate path): "The certificate has a non-valid digital signature". I think this is the problem. Adam's certificate seems fine on the computer.

We will try different OpenSSL versions (we used the versions required in Ken Roser's guide, the SNAP was of course newer) but if this doesn't work we'll try to generate the certificates with Novell Certificate server that we are using. If it doesn't produce certificate files needed for Freeradius we need to buy somebody to make the certificates with OpenSSL for us. Fortunately the certificates must be generated only once. So if we get a working certificate set we don't have to buy a consultant to do the stuff ever again.

Best regards:
Antti Mattila




Re: inquiry

2003-08-12 Thread Artur Hecker
i can't give you the final detail for this answer but the principle is 
the following: windows can login either as computer or as a user. that 
depends on where you put the client certificates in the xp repository. 
being admin you can verify this with mmc. the certificates should be 
computer certificates. in the 802.1X authentication tab you can also 
check the box authenticate as computer.

if i understand this correctly, this will make windows authenticate and 
establish the wireless link even without a user logon i.e. before 
ctrl-alt-del. that's what you want.

ciao
artur
arniel wrote:

Hi Guys,
 
Just want to ask something regarding user authentication of freeradius. 
I am implementing wireless EAP-TLS, with CISCO Aironet 350, my 
certificates are generated from my LINUX BOX. So I am getting the 
cer-clt.p12 and root.der and install it to my clients PC. We also have a 
Microsoft 2000 domain controller and at the same time DHCP server, my 
problem right now is that my XP workstation and MS 2000 Pro can't log on 
to the domain. As I understood, upon PC boot up you have to press 
ctrl-alt-del and choose either to log on to a domain or this 
computer. At this point, the PC is not yet certified to access the 
network because the re-certification will take place after you 
log on.  If choosing domain, my workstation can't log on but if choosing 
this computer it's OK, only I cannot run a script to MAP to the domain 
server. And if I am going to access the server from Network Places it's 
going to ask me the domain username and password which is expected coz I 
did not log on to the domain in the first place. How can I configure the 
freeradius to authenticate first before the ctrl-alt-del window comes up?
 
How can I configure my radius.conf or my radius in such a way that it is 
going to ask the user to input the password from the Linux radius first 
and after successful verification it's going to ask the domain password. 
For sure in this way we can now log on to the domain. The typical boot up 
procedure for windows 2000 PRO and XP is that you have to click or press 
ctrl-alt-del to log on and you can either choose this computer or a 
certain domain and after it it's going to check the certificate. Can we 
reverse the process? Can we verify the certificate first before the domain 
logon option? Please help...
 
 
Has anyone tried Freeradius EAP-TLS with Microsoft Domain logon 
integrated?
 
 
Thank you...
 
 
Arniel




Re: VLANs + other

2003-08-12 Thread Artur Hecker
hi berndt


Radius is now running with EAP/TLS (thanks for the great help for it).
But now a few last questions. We are using Enterasys Access Points and
they also offer the possibility to assign clients to vlans dynamically.
I have searched a lot but found no information about it (for example
which attribute to use). Has someone experience with this kind of
problem?
that's interesting: do they really offer this possibility? or do they 
merely map SSIDs to VLAN-IDs?

if they do, the radius server probably has to send an Enterasys VSA back 
to the AP. this has nothing to do with the freeradius list, you should ask 
at Enterasys.


Is it possible to disengage a certificate from users so that the radius
server will not accept it any more. One possible solution of disabling
an account is to set Auth-Type to Reject but an other user can still use
the certificate so I don`t like it really.
this is out of scope, too. you've answered your own question: in radius, 
it's much easier to disable the user account (e.g. by authorization), 
whatever authentication method is used.

if you want to devaluate the certificate, you will need a PKI with CRL 
support. this is basically completely out of scope, BUT remember that 
using CRL you will probably do the following:

(-install and manage a CRL)

- put an invalid user's certificate in the CRL
that means that each process using certificates will have to be updated 
in order to check the CRL in the first place. that's more complicated 
than it sounds, since most software doesn't care about CRLs 
(freeradius doesn't e.g.) at the moment. also, the CRL management is 
complicated (in general). for each process, you will have to change the 
configuration, too (which CRL repository, what to do, how often).

- when you finally applied all this, you will have to decide the 
following: do you want to check the CRL regularly (how often?) or do you 
want to do an online check of the CRL? the advantage of the first is 
that the CRL (~PKI) doesn't have to be online at the moment of the 
verification (which so often has been advertised as a main advantage of 
PKIs). however, you have a problem: in which intervals should the CRL be 
contacted by the process? the processes will have to store the obtained 
CRL locally etc and so changes propagate slowly through network (e.g. 
you cancel a certificate, but the user can still log on until the next 
CRL download).

this is far from optimal, so you will probably decide to ask your CRL at 
the login time - this is the state of the art in the PKI research. 
however, with CRL being online (and thus always available, the main 
PKI advantage gone...) you will have to use some protocol to ask the CRL 
about the validity. first: those protocols are still all in development, 
there is no accepted standard. second: since a CRL is a central 
repository, the procedure will increase your login delay (which can be 
an issue). third: what happens, if the CRL is not available (things 
happen...)? this is a problem, since normally CRL will only contain few 
certificates compared to the user-number, so blocking all users if the 
CRL is not available seems exaggerated, no? however, if you don't, 
invalid users can login...

and finally, having all this set up, you'll see that basically it is 
exactly the same principle as with radius, only one level higher. now, 
radius (and every other service) will have to ask some central authority 
if somebody can login. why bother? my opinion: set Auth-Type:=Reject in 
radius.

logically, i would defend this position as following: when your security 
agent at the entrance blocks a user because he doesn't know him, he 
doesn't try to cancel his ID card. on the contrary, he accepts his ID and 
THUS prohibits entrance. why shouldn't the radius server simply do the 
same? let the certificate be the (abstract) identity and then we'll see 
if we let him enter. if he can't, we don't need to follow him and take 
away his identity. in this model, you probably don't want to certify 
real names of users. rather certify their abstract logins or their email 
addresses etc. for the duration of their studies at your school or for a 
year (semester, etc.) of studies.


Our Access Point also support EAP-TTLS. Will freeradius support this in
future?
no, your access point doesn't support EAP-TTLS and never will. your 
access point supports 802.1X and thus EAPOL and EAP in RADIUS. the truth 
is that the Access Point doesn't know *anything* about TLS, TTLS or 
whatever other EAP method you use. an AP can't support something like 
that because there is nothing to support in the first place.

i think, there is some development work on EAP/TTLS in freeradius, 
likewise for PEAP.


And a last question! We are a school with about 2000 pupils. Has someone
experience with the distribution of certificates and what you should
care about it? The problem is we are using openssl to build our
certificates. So we have to program something to make it easy for our

Re: EAP/TLS problems

2003-08-08 Thread Artur Hecker
 On my AP there is:
 Access requests: 2
 Access Retransmissions: 6
 Timeouts: 8

apparently, your AP thinks that it never got answers back. why? be sure,
the message sent by the server arrives at the AP and is recognized as an
answer. you can do so by using other auth types for debugging purposes
in order to exclude the possibility that the whole NAS is not accepted/
not working properly e.g.


 I have been proud to be able to get it working for LDAP and other
 password methods. Just not TLS.

with the same AP? that would be strange.

 
 I understand that Alan is overworked with the development and all the
 stupid questions but you could be a little nicer. Thanks to Artur
 Hecker for a nice informative reply which gives me a new direction to
 look for the problem. A new direction on the problem solving is
 something I need.

alan says it isn't notification, so it probably isn't since he knows
what the rest of the messages mean. but, obviously what is sent by the
server is not accepted/recognized/received/whatever at the AP. verify
that.


ciao
artur






Re: EAP/TLS problems... The last mail 4/4

2003-08-07 Thread Artur Hecker
 3f314099
 Nothing to do.  Sleeping until we see a request.
 
 Sorry but e-mail client didn't allow mails that long...
 
 Thanks for replys in advance:
 
 Antti Mattila
 --
 [EMAIL PROTECTED]
 




Re: EAP-MD5 and User-Password

2003-08-05 Thread Artur Hecker
hi


 An entry for an EAP user can look like this (say):
 
 joe  Auth-Type := eap, User-Password == hello
 Session-Timeout = 300
 
 (side note: is the Auth-Type := eap part really necessary? I would expect
 not since the eap module apparently adds the Auth-Type attribute to the
 config list regardless of what's included in the user entry)

it's not. set it to system or local before. it's more correct to let it
be set by authorize section. eap module in authorize will do so if it
finds relevant eap-message included.

 
 The users file man page says this about the == operator (applied to the
 User-Password attribute above):
 
 Attribute == Value
 As a check item, it matches if the named attribute is present in the
 request, AND has the given value. Not allowed as a reply item.
 
 And RFC 2269 says :
 
 [Note 1] An Access-Request that contains either a User-Password or
   CHAP-Password or ARAP-Password or one or more EAP-Message attributes
   MUST NOT contain more than one type of those four attributes.
 
 I take this to mean that the EAP-Message attribute and User-Password
 attribute are mutually exclusive, i.e. you can never have a User-Password
 attribute in a request if it has an EAP-Message attribute.

yes, they are: in the access-request. that's logical: user-password as
an attribute is only necessary when you use PAP. if CHAP is used,
CHAP-Password attribute is used instead, when EAP is used, EAP-Message
is used (since the method can contain more than just a password), etc.
that's so far very consistent.

the only problem you have is that you are generally confusing
User-Password check item in the user configuration with the attributes
sent in the Access-Request (which is not further surprising, since the
names are the same). The fact is that the Radius server never sends
Access-Requests except for proxying and the User-Password never appears
in the Access-Requests containing EAP-Message since it is only used
locally. thus, both cannot appear in the Access-Requests at the
same time, which is perfectly RFC conform.

now, for the probable reason: in EAP/MD5 you as a server receive the
EAP/Identity and issue the EAP/MD5-Challenge (both contained in the
EAP-Message attribute). then you get the answer back and this has to be
verified against some shared secret. you CAN probably stock this secret
in some special file, some new check item or something else. the guys
simply re-used User-Password. remark: CHAP-Password would have been
perhaps more logical since EAP/MD5 is almost identical to CHAP with MD5
*BUT* unfortunately CHAP-Passwords *are* sent in the Access-Replies and
are thus not local check items.

that's my understanding of the whole story. they just needed a place to
put the password in.

 
 The above user profile does indeed work on 0.8.1 for EAP-MD5. But it
 shouldn't work, as far as I can see, since we have a check item
 (User-Password) which does not technically match any attribute in the
 request (User-Password isn't even present, since the request contains an
 EAP-Message). The request should not make it past the authorization stage.
 Any comments?

it doesn't match any attributes in the request. BUT: the EAP-Message is
present and thus the message is treated by EAP-module (the Auth-Type is
explicitly set to := EAP if EAP-Message is found). the latter happens to
look for the password in the User-password check item of the user
configuration.

now, try to find an RFC which prescribes where EAP-Message verificator
gets the user's password from. you probably won't since it's an
implementation issue and IETF is all about protocols.


ciao
artur




Re: EAP/MD5

2003-06-18 Thread Artur Hecker

hello


 does it make sense to have a users file with MD5 passwords and try to
 authenticate XP wireless clients ?
 (configuration is 801.x wireless LAN 3com client, 3COM Access Point and
 linux freeradius server).

almost. the users file has to contain clear text passwords, because
otherwise no verification is possible. and: the XP 802.1X client does
not support EAP/MD5 for wireless links anymore...

 
 if it does what should be the values of the attributes Auth-Type and
 User-Password  in the entry associated with the login name in the users file ?
 (login name and MD5 encrypted password doesn't work)

you should take a look at the EAP-MD5 howto at 

http://www.freeradius.org/doc/EAP-MD5.html


 ... MD5 encrypted password _can't_ work.

 

ciao
artur


-- 
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker


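As an added example, not FreeRADIUS code and not from either thread, the EAP-MD5 exchange Artur describes (server sends the EAP/MD5-Challenge, the peer answers with the CHAP-style digest, the server recomputes it from the User-Password check item) and the consequence from the second message: the users file must hold the clear-text password, because a stored hash of it cannot reproduce the peer's digest. The USERS dict, the identity "joe" and the server name "radius" are constructed stand-ins.

```python
"""Added example, not FreeRADIUS code: a minimal EAP-MD5 (MD5-Challenge)
exchange using the RFC 3748 section 5.4 framing and the CHAP digest of
RFC 1994, MD5(Identifier || secret || challenge)."""
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4

# Constructed stand-in for a 'users' file entry: the check item holds the
# clear-text password, which is the only thing the digest can be recomputed from.
USERS = {"joe": {"User-Password": "hello"}}


def build_eap(code, identifier, type_and_data):
    """Encode Code | Identifier | Length | Type | Type-Data (RFC 3748)."""
    length = 4 + len(type_and_data)          # Length covers the whole packet
    return struct.pack("!BBH", code, identifier, length) + type_and_data


def parse_eap(packet):
    """Decode a packet into (code, identifier, eap_type, type_data)."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 5:
        raise ValueError("bad EAP length")
    return code, identifier, packet[4], packet[5:]


def md5_digest(identifier, password, challenge):
    """MD5(Identifier || secret || challenge): the CHAP/EAP-MD5 response value."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def md5_challenge_request(identifier, challenge, server_name=b"radius"):
    """Server side: EAP-Request/MD5-Challenge. Type-Data is
    Value-Size | Value (the challenge) | Name."""
    data = bytes([EAP_TYPE_MD5_CHALLENGE, len(challenge)]) + challenge + server_name
    return build_eap(EAP_REQUEST, identifier, data)


def md5_challenge_response(request, identity, password):
    """Peer side: answer the challenge with its own clear-text password."""
    code, identifier, eap_type, type_data = parse_eap(request)
    if code != EAP_REQUEST or eap_type != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an EAP-Request/MD5-Challenge")
    size = type_data[0]
    challenge = type_data[1:1 + size]
    value = md5_digest(identifier, password, challenge)
    data = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + identity
    return build_eap(EAP_RESPONSE, identifier, data)


def verify_md5_response(response, challenge, users=USERS):
    """Server side: find the peer's User-Password check item, recompute the
    digest over the challenge it sent earlier and compare. True only on match."""
    code, identifier, eap_type, type_data = parse_eap(response)
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_MD5_CHALLENGE:
        return False
    size = type_data[0]
    received = type_data[1:1 + size]
    identity = type_data[1 + size:].decode("ascii", "replace")
    entry = users.get(identity)
    if entry is None or "User-Password" not in entry:
        return False                         # nothing to recompute the digest from
    expected = md5_digest(identifier, entry["User-Password"].encode(), challenge)
    return hmac.compare_digest(received, expected)


def run_exchange(identity, client_password, users=USERS, identifier=1):
    """Full round trip: challenge out, response in, verification against the
    challenge the server kept as per-request state."""
    challenge = os.urandom(16)               # fresh random challenge per request
    request = md5_challenge_request(identifier, challenge)
    response = md5_challenge_response(request, identity.encode(), client_password.encode())
    return verify_md5_response(response, challenge, users)


if __name__ == "__main__":
    print("joe/hello        ->", run_exchange("joe", "hello"))    # True
    print("joe/wrong        ->", run_exchange("joe", "wrong"))    # False
    # An MD5 hash stored instead of the password cannot be verified: the peer
    # digests its real password, so no recomputation from the hash will match.
    hashed = {"joe": {"User-Password": hashlib.md5(b"hello").hexdigest()}}
    print("joe/hashed store ->", run_exchange("joe", "hello", hashed))  # False
```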

Re: EAP/MD5

2003-06-18 Thread Artur Hecker
not after SP1


Mauricio Rocael García Ocaña wrote:
 
 xp, XP 802.1X client  support EAP/MD5 for wireless links, only need you,
 setup this, in authentication,
 
 we try
 att.
 Mauricio
 - Original Message -
 From: Artur Hecker [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Wednesday, June 18, 2003 11:29 AM
 Subject: Re: EAP/MD5
 
 
  hello
 
 
   does it make sense to have a users file with MD5 passwords and try to
   authenticate XP wireless clients ?
   (configuration is 802.1x wireless LAN 3com client, 3COM Access Point and
   linux freeradius server).
 
  almost. the users file has to contain clear text passwords, because
  otherwise no verification is possible. and: the XP 802.1X client does
  not support EAP/MD5 for wireless links anymore...
 
 
   if it does what should be the values of the attributes Auth-Type and
   User-Password  in the entry associated with the login name in the users
 file ?
   (login name and MD5 encrypted password doesn't work)
 
  you should take a look at the EAP-MD5 howto at
 
  http://www.freeradius.org/doc/EAP-MD5.html
 
 
   ... MD5 encrypted password _can't_ work.
 
 
 
  ciao
  artur
 
 
  --
  Artur Hecker
  Département Informatique et Réseaux, ENST Paris
  http://www.infres.enst.fr/~hecker
 
 
 

-- 
Artur Hecker
artur[at]hecker.info



Re: freeradius demo

2003-06-14 Thread Artur Hecker
hi


it depends on what you want to demonstrate. do you want to demonstrate
radius or do you want to demonstrate FREEradius?

in order to demonstrate the radius functionality you will probably need
some kind of service which a user tries to get access to. radius is
supposed to provide aaa services and usually deals with some service.
so, if you try to set up an impressive demonstration you should first
think about that, then get yourself a service access point which is
radius-enabled and demonstrate the whole, like e.g. the most classic use of
radius (how it was conceived in the first place) for a dial-up access:
user --- NAS --- RADIUS server.

if the people know what radius is and want to see what freeradius is,
then you should demonstrate the extensibility of freeradius, its vast
configuration options, its modular principle and the function in full
debug mode, etc.

in any case, i don't see what you want to do with a windows machine. the
whole is principally independent of the operating system. freeradius
runs on the majority of unixes and with a little luck under some
unix-environment of win32.


ciao
artur


[EMAIL PROTECTED] wrote:
 
 hi,
 
 i am a student and have to make an essay about radius.
 the problem is that i want to demonstrate how it works, but i dont have any
 idea how i should do it?!
 
 i thought about to use a vm on my laptop (xp) with linux on it and another
 vm with w2k server... then i want to use radtest with a user account from the
 ads on the w2k server? but how does it work? is this the proxy feature?
 
 greetings
 knut
 
 [i use freeradius 0.5 on a suse 8.1 machine.]
 
 --
 +++ GMX - Mail, Messaging  more  http://www.gmx.net +++
 Bitte lächeln! Fotogalerie online mit GMX ohne eigene Homepage!
 

-- 
Artur Hecker
artur[at]hecker.info



Re: freeradius demo

2003-06-14 Thread Artur Hecker
hi

 primary i want to demonstrate the functionality of radius, but the
 possibilities to demonstrate it are restricted (i have just my notebook for this)...

no problem, all instances can run on the same machine.

 
 why windows? i thought that it is one benefit of radius that you have
 centralized authentication there?! so i thought it would be an idea to demonstrate
 how the radius server authenticates a user from the w2k ads and another user
 from the unix passwd file?

well, you have centralized authentication but that has nothing to do
with the fact that some radius implementation can use active directory
and others password files. that is principally independent of the
protocol definition.

 
 perhaps you can tell me about a good tutorial or other resources where
 the features of radius are explained or demonstrated!?

you should definitely begin by reading the base radius rfc. then you'll
see what's radius in the first place and also what it is not. ietf does
not define where you get your information from or how you store it; in
the most cases ietf only defines how two hosts can exchange some data,
i.e. the protocol somehow related to ip. radius IS before all such a
protocol. there is a concept behind it. the intentions are described in
the rfc. so read it. then, there is a book too.

in order to understand the concept, look for explanations on AAA e.g. on
the web www.google.com



ciao
artur




--



Re: Unique WEP's without LEAP

2003-06-12 Thread Artur Hecker
Tracy, John wrote:
 Hi,
 I'm actually wanting the per-user WEP key to stay static across a
 user's sessions. So I want per-user weps, but not rotating them. Does
 this make any sense?

 Thanks,
 John

no, because you want the wep key(s) to be created/delivered by 
freeradius at least once. from this point on, it does not make any 
difference if you do it daily or only once in a lifetime.

the problem is the key management. and giovanni is basically right that 
without using a key management you can't have one in the first place.

you have to use EAP. the best for what you want to do, is something 
which wouldn't oblige you to deploy complicated things on the user 
equipment. that basically throws EAP/TLS out of competition. if you use 
cisco equipment, try LEAP. it is supported by freeradius and is 
basically user+password. client software from cisco runs under each 
windows version.

peap or ttls would be nice too. i don't think they are already supported 
by freeradius though, but it seems to be in development.

ciao
artur



[EMAIL PROTECTED] wrote on 06/12/2003 09:53:20 AM:


In a nutshell, can a Cisco Aironet 350 Access Point accept a per-
user WEP key from Freeradius (and can Freeradius serve it one)?
Well, you're trying to re-invent EAP without actually using EAP.  Can't 
get there from here; if you want the security of per user rotating WEP 
keys, you _have_ to do some form of eap (leap, peap, eap-tls, etc.).






Re: Unique WEP's without LEAP

2003-06-12 Thread Artur Hecker
hi


 Actually I don't want Freeradius to create the keys or deliver the WEP keys to
 the end user. The end user will have already entered in her unique WEP key
 manually.

ok, in your first post you didn't specify that.


 Freeradius just needs to authenticate based on MAC, and tell the access point
 which WEP key to use when talking with that client.

 All of the WEPs would be created in advance, and entered into the client's
 configuration and into a database/file which is readable by Freeradius.
so, you want the WEP keys being delivered out of some file based on the 
MAC address. while i agree that this is possible and theoretically 
different than to deliver the keys to the user, this is not supported by 
freeradius. (besides, practically, the keys are delivered encrypted to 
the  access point and the access point delivers at least some of them 
encrypted to the user; the interface between AP and user is defined in 
the 802.1X document, i.e. AP has to be set in the EAP enabled mode).

in the most general case key delivery means key management and key 
management should be bound to the authentication. that brings you back 
to eap, unfortunately for you :-) that's how freeradius does it right now.

you will have to patch freeradius in order to do fixed key delivery 
without previous authentication. this is definitely feasible, but you 
will also have to take a closer look on your AP and see if it can 
install WEP keys dynamically without EAP. then, AP will have to send the 
broadcast key to the user, you will have to verify how it is going to 
encrypt it and who is going to decrypt it on the user side.

all in all, your problem is rather practical, theoretically it would work.

ciao
artur






Re: Unique WEP's without LEAP

2003-06-12 Thread Artur Hecker
look, you take a card and a linux pc, you install a patched AP emulation 
and you run it. it WOULD work - theoretically.

in my mail i explained why it wouldn't practically. but his idea is 
basically not so wrong.

ciao
artur
Frank Cusack wrote:
On Thu, Jun 12, 2003 at 07:58:05PM +0200, Artur Hecker wrote:

all in all, your problem is rather practical, theoretically it would work.


It won't work.  No AP vendor in their right mind would implement such
a thing.
Then again, no vendor in their right mind would implement static unchanging
keys! ;-)
The difference, though, is that WEP is a standard whereas what the OP is
proposing is not.
/fc



Re: roadwarriors using smart cards

2003-06-11 Thread Artur Hecker
hi norbert

i didn't get the following points:

1. why would you need PPP _after_ IPSEC at all? -and-

2. why is the PPP auth type important if the underlying connection is 
already using IPSEC? you can use PAP if you want, it will be encrypted 
anyway - it is what you seem to do currently. so where is the problem?

besides, i would like to know which smartcards you use under windows and 
if the driver is native in windows or provided by the smartcard 
manufacturer.

and finally: i don't see how it is related to radius. the answer from 
the radius point of view could be to give you the list of supported PPP 
authentication protocols:

- PAP
- CHAP
- MSCHAP (v1 and v2 as far as i know)
- EAP:
- EAP/MD5
- EAP/TLS
- LEAP
did i forget something?

ciao
artur
Norbert Wegener wrote:
Sorry for this crossposting, but I think this question touches more than 
one list.

We are using rp-l2tp+pppd+freeradius+freeswan for a while to setup 
l2tp/ipsec roadwarrior connections.
The ipsec connection is authenticated via certificates, the l2tp/ppp 
connection via login/password and freeradius.

Configuring those connections on the windows side, you can easily choose 
to use certificates on smart cards to authenticate the l2tp/ppp 
connection instead of using login/password.
Starting such a connection, first the ipsec tunnel is set up, then 
rp-l2tp starts pppd which does not seem to know  how to do EAP-TLS 
authentication against freeradius.
I suppose, there is no code available in pppd to do EAP-TLS authentication.

Nevertheless: Is there any other known method to use smart cards instead 
of login/password for l2tp/ipsec connections?

Regards
Norbert
--
Norbert Wegener Phone : (49) 201 2661 379
SBS Essen   Fax:(49) 201 2661 377
Germany Mail:   [EMAIL PROTECTED]
http://corina-cert.sbs.de (intranet)




Re: Definition of the users in freeradius

2003-06-11 Thread Artur Hecker
hi


eap/md5 is no longer available for wireless connections under windows xp
since sp1. win2k i don't know, it's probably the same. that is
principally independent of the DLINK driver.

on the other hand, peap is not yet supported by freeradius as far as
i know.

you can use eap/tls and cisco leap instead (proprietary cisco client
supplied with cisco cards). tls faq document is linked from the
freeradius site.


ciao
artur


Jean-Guillaume LALANNE wrote:
 
 Hi all,
 
 I am quite a newbie in the freeradius administration.
 I managed to install it on a freebsd box (version 0.8.1) but I have quite a
 few problems understanding how it works.
 I have installed the 802.1x patch for win2K on my laptop and the driver for
 my DWL 950+ (WIFI card DLINK).
 On another hand, I have my DWL 1000AP+ that is configured on the use of my
 freeradius (IP,port,secret + encryption 128 lifetime 30 minutes).
 
 When I set up my wlan network on win2K for using 802.1x authentication, it
 proposes me 2 choices :  certificate or PEAP ...
 But not EAP/MD5 challenge. I suppose that DLINK driver is only able to deal
 with these 2 above cases.
 
 I set PEAP. when I activate my connection, I get in my freeradius logs, the
 following error message :
 
  ...
 Auth: Login incorrect :
 [mywindow_domain\\mywindow_login/no User-Password attribute] (from
 client private-network-1 port 0 cli my_mac_adress
 ...
 
 I suppose that I failed to set up my user in freeradius. I use mysql as
 storage for freeradius.
 I put :
 
 groupname = toto
 user = mywindowlogin password=mywindowpassword belongs to toto.
 auth-type = EAP
 
 Is it enough or exact ?
 
 Has anyone an idea of my problem ?
 
 Any help would be nice.
 
 Thank in advance,
 
 Best Regards
 
 Jean-Guillaume
 
 - Original Message -
 From: Mark Lowe [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Wednesday, June 11, 2003 2:57 PM
 Subject: Re: :rlm_eap: Failed to link EAP-Type/md5
 
  yeah i cottoned on to --disable-shared not working, despite a couple of
  posting saying it did (perhaps 10.1). usual deal with apple's dynamic
  linking etc.  If/when i find a solution i'll post it to this group..
  meanwhile i'm just installing on linux as i was only really looking at
  installing it on 10.2 for development.
 
  cheers mark
 
  On Wednesday, Jun 11, 2003, at 13:07 Europe/London, Paul Hampson wrote:
 
   From: Mark Lowe
   Sent: Tuesday, 10 June 2003 11:38 PM
  
   I'm trying to get free radius running on osx 10.2.6
  
   I've read the archives and found some references to similar problems.
  
   Everything builds, it bails at run time complaining of a failed link
   and file not found .
  
   ./configure --with-mysql-lib-dir=/Library/MySQL/lib --disable-shared
   make
   make install
  
   radiusd -X
  
   pukes this
  
   Module: Loaded eap
 eap: default_eap_type = leap
 eap: timer_expire = 60
   rlm_eap: Failed to link EAP-Type/md5: file not found
   radiusd.conf[596]: eap: Module instantiation failed.
  
   I'm looking through the configure script and make logs but if anyone's
   has solved this then i'd appreciate the pearls of wisdom.
  
   If I remember correctly, this was usually solved by disabling
   EAP. I _think_ it doesn't work in --disable-shared mode, since it
   relies on having shared libraries.
  
   I could be very wrong, but no-one else seems to have answered yet,
   so I thought I'd throw it out there. :-)
  
   --
   =
   Paul TBBle Hampson
   Bubblesworth Pty Ltd (ABN: 51 095 284 361)
   [EMAIL PROTECTED]
  
   The Creation of the Universe was made
   possible by a grant from Texas Instruments.
   -- PBS
   -
   Random signature generator 3.0 by Paul TBBle Hampson
   =
  
  
  
 
 
 

-- 
Artur Hecker
artur[at]hecker.info



Re: Using /dev/random with EAP-TLS defunct

2003-06-06 Thread Artur Hecker
i've noticed the same in my case. i think that /dev/random is generally
too slow, because it searches the random numbers on the fly, one after
another, so radius waits till it gets enough numbers.

rather use /dev/random from time to time offline to produce fixed files
which you can define for radius usage (e.g. per cron dd from /dev/random
into a file).


ciao
artur


Sepp Rudel wrote:
 
 Hi,
 
 when trying to use /dev/random (on Linux) as
 random_file and dh_file in EAP-TLS config, radiusd
 hangs forever during start up while initializing tls
 module. Should this work? Would it make anything more
 secure if I could use /dev/random instead of some
 static file?
 
 __
 Do you Yahoo!?
 The New Yahoo! Search - Faster. Easier. Bingo.
 http://search.yahoo.com
 

-- 
Artur Hecker
artur[at]hecker.info



Re: FreeRadius - DLINK DWL-900+ - 802.1.X

2003-06-04 Thread Artur Hecker
hi Pascal


as Alan already advised you, try to read the EAP/MD5 faq. what you keep
on posting is NOT an error. there CAN'T be any user-password attribute
with EAP/MD5 or CHAP methods.

thanks,
artur



Pascal PELONI wrote:
 
 My mistake : this is the good extract of the log file :
 
  Auth: Login incorrect: [tst1/no User-Password attribute]
 
 At 17:24 03/06/2003 +0200, you wrote:
 I forget to say that :
 
 1. the authentication works well with radtest !
 
  $ radtest tst1 pp 127.0.0.1 1 test
  Sending Access-Request of id 68 to 127.0.0.1:1812
  User-Name = tst1
  User-Password =
  \323\366\273\363\371Z\250]\231(w\265?\346G\253
  NAS-IP-Address = localhost
  NAS-Port = 1
 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=68, length=20
 
 2. with my AP I have the following output in radius.log :
 
  Auth: Login incorrect: [pelo/no User-Password attribute]
 
 Thanks.
 
 At 16:58 03/06/2003 +0200, you wrote:
 I've already read the FAQ and the README's, but it still doesn't work.
 
 Here is part of my config :
 
 radiusd.conf
 
 modules {
  eap {
  default_eap_type = md5
  md5 {
  }
  }
 }
 
 authorize {
  eap
 }
 
 authenticate {
  eap
 }
 
 client.conf
 ---
 client localhost {
  secret  = test
  nastype = other
  shortname   = test
 }
 
 huntgroups
 --
 TEST    NAS-IP-Address == 127.0.0.1, NAS-Port-Id == 0-3
 
 users
 -
 DEFAULT Huntgroup-Name == TEST
  Framed-IP-Address = 192.168.1.11+
 
 tst1    User-Password == pp
 
 tst2    Auth-Type := Local, User-Password == pp
 
 Could someone help ?
 
 Thanks, PP.
 
 
 
 At 09:31 30/05/2003 -0400, you wrote:
 Pascal PELONI [EMAIL PROTECTED] wrote:
   The problem is that when I try to authenticate with my AP  W2K, it
  doesn't
   work :
  
   # less /var/log/radius.log
   Thu May 29 18:17:07 2003 : Auth: Login incorrect: [aa/no User-Password
   attribute] (from client ap-wlan port 0 cli 00-40-05-CB-AD-7C)
 
Read the FAQ and the README's.
 
Read the FAQ and the README's.
 
Read the FAQ and the README's.
 
Read the FAQ and the README's.
 
 
Did I mention I *really* meant that you should read the FAQ and the
 README's?
 
Alan DeKok.
 
 
 
 

-- 
Artur Hecker
artur[at]hecker.info



Re: FreeRadius/Wireless Lan

2003-04-03 Thread Artur Hecker
hi


Tiago Jose Goncalves Lages wrote:
 
 In my WLAN I use the Orinoco AP2000 Access Points, and they are configured
 to do the authentication with a freeRadius Server using the 802.1x
 protocol. The Access Point clients are WinXP and authenticate themselves
 with chap password. This authentication is always rejected by the server.
 When debugging the freeRadius I get the following message:

ok, what are you talking about? 802.1X does not know ANYTHING about
CHAP. CHAP is a protocol written and defined for PPP whereas 802.1X
defines methods in order to be able NOT to use PPP over local area
networks. 802.1X only defines transport for EAP, which is much more
general and represents a kind of alternative for CHAP.

Do you mean EAP/MD5? In the example you've provided, you seem to use
EAP/MD5 whether you are aware of it or not.

 EAP-Message = \002\206\000\n\001steve
 Message-Authenticator = 0x7cdb58060b48171b109623c2173416ac
 modcall: entering group authorize
   modcall[authorize]: module preprocess returns ok
 rlm_chap: Could not find proper Chap-Password attribute in request
   modcall[authorize]: module chap returns noop
   modcall[authorize]: module mschap returns notfound
 rlm_realm: No '@' in User-Name = steve, looking up realm NULL
 rlm_realm: No such realm NULL
   modcall[authorize]: module suffix returns noop
 users: Matched steve at 80
   modcall[authorize]: module files returns ok
 modcall: group authorize returns ok
   rad_check_password:  Found Auth-Type Local
 auth: type Local
 auth: No User-Password or CHAP-Password attribute in the request
 auth: Failed to validate the user.
 Delaying request 176 for 1 seconds
 Finished request 176

if you want to use EAP/MD5, you should configure the eap module in the
authorize and authenticate sections, see the EAP/MD5 FAQ on
www.freeradius.org/doc/EAP-MD5.html


ciao
artur


-- 
Artur Hecker
artur[at]hecker.info



Re: WPA w/ RADIUS for WinXP

2003-04-02 Thread Artur Hecker
hi ian


WPA is a standard of the wifi consortium, trying to improve 802.11
security without hardware modifications. so, first of all, WEP is
replaced by something slightly different but based on the same
cryptographic bricks (so, answering to one of your questions: no, no AES
so far). then, they added signed message integrity code (MIC) and 802.1X
authentication (instead of WEP based authentication called SKA) and
perhaps some other things i don't remember right now (you need to go to
the consortium site and download the whitepaper, if interested).

all that WPA stuff is a considerable improvement compared to the raw
802.11 methods and can be achieved in most hardware on the market
(and already sold out) by simple firmware updates. that's the deal. the
real upgrade (including AES) is expected for the late summer 2003 and
is called 802.11i.

now, answering to the remaining questions: 802.1X doesn't prescribe any
special EAP procedure, why should WPA - which simply integrates 802.1X -
do so in your opinion? to give you one argument for this choice: just
think that even EAP/MD5 is actually better than unhappy SKA... and if
you want dynamic keys you will naturally need something different. in
fact, the whole idea of 802.1X is based upon the assumption that it
remains extensible by using EAP and does not imply the usage of
whatsoever real auth method.

the real and simple reason however is that the 802.1X-authentication
does not need to be implemented in the WiFi hardware - i.e. neither in
the wi-fi cards nor in the wifi access points, so it is completely out
of scope of the WPA specification.

hope this helps.


greetings
artur



Ian Pritchard wrote:
 
 Hi,
 
 I saw the following announcement that Windows XP has a patch that will allow
 it to support WPA:
 
 http://support.microsoft.com/?kbid=815485
 
 As far as I understand it, WPA includes 802.1x. The document states:
 
 For environments with a RADIUS infrastructure, Extensible Authentication
 Protocol (EAP) and RADIUS is supported.
 
 It also says:
 
 802.1x authentication is required in WPA
 
 However, I can't find anything there or in the WPA documentation which
 specifies which EAP flavours are required. Will EAP-TLS be mandatory, or
 TTLS, MD5 or one of the other flavours? What about AES?
 
 Thanks,
 
 Ian
 
 _
 The new MSN 8: smart spam protection and 2 months FREE*
 http://join.msn.com/?page=features/junkmail
 

-- 
Artur Hecker
artur[at]hecker.info



Re: WPA w/ RADIUS for WinXP

2003-04-02 Thread Artur Hecker
hi - replying to myself...


i mentioned the whitepaper before but didn't say where it can be found.
shame on me! so, update here. and another thing to think about: WPA
defines a new mixed mode, meaning that WEP and WPA can be used at the
same AP simultaneously. please be conscious that in such a case ALL
hardware will run in the less secure classic WEP mode if only ONE device
demands WEP. so, you have to upgrade EVERYTHING if you want to use WPA
reasonably.

so, here is the whitepaper:

http://www.wifialliance.com/OpenSection/pdf/Wi-Fi_Protected_Access_Overview.pdf

it's a little bit commercial and sometimes even wrong but it's official
:-)

wrong is for example that:

<citation>
Enterprise-level User Authentication via 802.1x and EAP
WEP has almost no user authentication mechanism. To strengthen user
authentication, Wi-Fi Protected Access implements 802.1x and the Extensible
Authentication Protocol (EAP). Together, these implementations provide a
framework for strong user authentication. This framework utilizes a central
authentication server, such as RADIUS, to authenticate each user on the
network before they join it, and also employs "mutual authentication" so that
the wireless user doesn't accidentally join a rogue network that might steal
its network credentials.
</citation>

the 802.1X framework DOES NOT employ mutual authentication. on the contrary,
EAP methods *can* provide mutual authentication (like EAP/TLS does), but
802.1X itself is one-sided (client is authenticated) and has been much
criticized for it (client never sends Requests, only Responses).


but well, be it... anyway, most important citation:

<citation>
Wi-Fi Protected Access and IEEE 802.11i Comparison

Wi-Fi Protected Access will be forward-compatible with the IEEE 802.11i
security specification currently under development by the IEEE. Wi-Fi
Protected Access is a subset of the current 802.11i draft, taking certain
pieces of the 802.11i draft that are ready to bring to market today, such as
its implementation of 802.1x and TKIP. These features can also be enabled on
most existing Wi-Fi CERTIFIED products as a software upgrade. The main pieces
of the 802.11i draft that are not included in Wi-Fi Protected Access are
secure IBSS, secure fast handoff, secure de-authentication and disassociation,
as well as enhanced encryption protocols such as AES-CCMP. These features are
either not yet ready for market or will require hardware upgrades to
implement. The IEEE 802.11i specification is expected to be published at the
end of 2003.
</citation>


so, as I said: no AES (despite what has been said on the list).

more information can be found at

http://www.wifialliance.com/OpenSection/secure.asp#resources


ciao
artur



-- 
Artur Hecker
artur[at]hecker.info



Re: WPA w/ RADIUS for WinXP

2003-04-02 Thread Artur Hecker
hi Ian


 1. Wi-Fi Alliance certified Access Points will very shortly be required to
 be WPA-capable.

yes, it's intended to include WPA in the verification process.

 
 2. You will be able to turn WPA on or off (at least initially).

yes, plus mixed mode.

 
 3. When WPA is turned on, there will be two modes available:
 i) Pre-Shared Key (PSK) mode for Home/Soho use with no RADIUS server.
 ii) RADIUS mode with EAP.
 
 I can't see from the literature if being able to do *both* of these modes is
 mandatory, or if there will be APs shipping with just the first one for the
 SoHo market. What's your impression?

well, the second comprises the first, so the real question is, will
there be any hardware with SoHo only? i would say yes, since they can
hardly dictate the implementation of RADIUS clients on all APs and,
let's be honest, it's far too complicated for a home user... so, i think
they will perhaps write something like SoHo under the logo or i don't
know what.

in the case of doubt, such hardware will be available without the WiFi
logo... there is nothing to verify anyway: today, all 802.11 hardware is
based on the same bunch of chipsets (3 or 4) which cooperate quite
well.

 
 Either way, it's good news for freeradius, right? If both WPA modes are on
 all APs, then you will be able to point any Wi-Fi certified AP at Freeradius
 and use EAP to authenticate.

well, it improves the security. additionally, TKIP and all other WPA
methods have been implemented by some manufacturers for some time now... so,
it's perhaps logical to define it and to test those one against another.
i only hope, that it won't produce too much disorder
(WEP/WPA/802.1X/802.11i - puhhh - you don't need to study in order to
run a two nodes network, right?)

for the corporate market though i think that 802.11i is still necessary.
802.11i is often seen as a too big deal but we shouldn't forget that the
per packet usage of a stream cipher over unreliable media (RC4 in WEP)
was probably one of the most misunderstood cryptographic proposals
ever... it has to go away, sooner or later.


ciao
artur


-- 
Artur Hecker
artur[at]hecker.info

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
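An added illustration of the closing remark about a per-packet stream cipher over an unreliable medium; this is example code, not code from the thread or from any WEP implementation. It contains a textbook RC4 and a WEP-style frame encryption (24-bit IV prepended to the shared key, ICV left out). The key, the IV and the two frame contents are constructed for the demonstration. When the IV repeats, both frames are XORed with the same keystream, so C1 XOR C2 equals P1 XOR P2, and one frame whose contents are predictable hands the attacker the keystream for that IV and with it every other frame sent under it, all without ever learning the key.

```python
def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key-scheduling (KSA) followed by the PRGA output loop."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR up to the length of the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame body: IV in the clear, then RC4(IV || key) XOR plaintext.
    Real WEP also appends a CRC-32 ICV; it is left out, it does not affect the point."""
    if len(iv) != 3:
        raise ValueError("the WEP IV is 24 bits")
    return iv + xor_bytes(rc4_keystream(iv + key, len(plaintext)), plaintext)


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """What a legitimate station does: rebuild the per-frame key from the clear IV."""
    iv, body = frame[:3], frame[3:]
    return xor_bytes(rc4_keystream(iv + key, len(body)), body)


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Attacker, step 1: a frame whose plaintext is predictable gives away the
    keystream for its IV (the attacker never learns the key)."""
    return xor_bytes(frame[3:], known_plaintext)


def decrypt_reused_iv(frame: bytes, keystream: bytes) -> bytes:
    """Attacker, step 2: any other frame sent under the same IV falls out."""
    return xor_bytes(frame[3:], keystream)


# Constructed demo data: a 40-bit key, one IV used twice, and two frames that
# both start with the fixed LLC/SNAP header every IP frame carries.
WEP_KEY = bytes.fromhex("0102030405")
REUSED_IV = bytes.fromhex("a1b2c3")
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")
KNOWN_PLAINTEXT = LLC_SNAP_IP + b"ARP/DHCP-like traffic the attacker can predict"
SECRET_PLAINTEXT = LLC_SNAP_IP + b"GET /login?user=alice&pass=s3cret HTTP/1.0"


def iv_reuse_demo() -> dict:
    """Two frames under one IV versus a third one under a fresh IV."""
    known_frame = wep_encrypt(WEP_KEY, REUSED_IV, KNOWN_PLAINTEXT)
    secret_frame = wep_encrypt(WEP_KEY, REUSED_IV, SECRET_PLAINTEXT)
    other_frame = wep_encrypt(WEP_KEY, bytes.fromhex("a1b2c4"), SECRET_PLAINTEXT)
    keystream = recover_keystream(known_frame, KNOWN_PLAINTEXT)
    return {
        # C1 XOR C2 == P1 XOR P2 whenever the IV (hence the keystream) repeats
        "xor_leaks_plaintext_xor":
            xor_bytes(known_frame[3:], secret_frame[3:])
            == xor_bytes(KNOWN_PLAINTEXT, SECRET_PLAINTEXT),
        "recovered_secret": decrypt_reused_iv(secret_frame, keystream),
        # a fresh IV gives a different keystream: the recovered one is useless there
        "other_iv_recovered": decrypt_reused_iv(other_frame, keystream),
        "legit_decrypt": wep_decrypt(WEP_KEY, secret_frame),
    }


if __name__ == "__main__":
    result = iv_reuse_demo()
    print("XOR of ciphertexts equals XOR of plaintexts:", result["xor_leaks_plaintext_xor"])
    print("recovered under reused IV:", result["recovered_secret"])
```

With only 2^24 IVs and most cards counting them up from zero, repeats are a matter of hours on a busy cell. TKIP keeps RC4 but mixes a 48-bit per-packet sequence counter and the session key into a fresh per-frame key, and 802.11i's CCMP replaces RC4 with AES; both exist because of exactly this property of a keystream reused per packet.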


Re: WPA w/ RADIUS for WinXP

2003-04-02 Thread Artur Hecker
:-) why is it crazy?

i didn't take a look yet, but it seems to me that it's not the first
time you mention it :-)


regards,
artur


Alan DeKok wrote:
 
 Ian Pritchard [EMAIL PROTECTED] wrote:
  Either way, it's good news for freeradius, right? If both WPA modes are on
  all APs, then you will be able to point any Wi-Fi certified AP at Freeradius
  and use EAP to authenticate.
 
   There's also 802.11f, which allows roaming between AP's, and
 re-authentication.  It's crazy, and it'll be painful to implement,
 because of that.
 
   Alan DeKok.
 

-- 
Artur Hecker
artur[at]hecker.info



Re: FreeRADIUS + EAP-MD5 +WindowsXP supplicant ERROR!

2003-04-02 Thread Artur Hecker
hi

summarizing:

- freeradius authenticates the user
- windows XP thinks that it is authenticated, so it has received the
EAP Success message

right? then, unless your AP implementation is broken or some
incompatible L2 features are activated on the two ends of your L2-link,
your L2 link should be established. thus, any further problems should be
L3 problems: incorrect address, dead DHCP, wrong routes, i don't know
what.

anyway, make sure the above assumptions are true. windows sometimes
shows a connected symbol although it DOES NOT think that it is
authenticated correctly. the status of the authentication can be found
in your Network device list.

if the assumptions are true, then let me put it this way:
- EITHER your AP is broken or your link improperly configured
- OR your network/windows XP are not IP-configured correctly

choose one...

for troubleshooting: can you connect without problems when no EAP is
activated? deactivate EAP on your access point *without touching
anything else* and see if you can connect with your windows. if not you
have identified your problem.

it is difficult to deduce more from what we know so far...


ciao
artur


Israel Cardenas Romero wrote:
 
 Hi,
 
 i'm trying FreeRADIUS with HostAP and OpenLDAP to build a 'secure' AP.
 I've configured it to work with EAP-TLS and it works fine with the Windows
 XP supplicant.
 But if I configure it to work with EAP-MD5, it seems not to work:
  - the Windows XP client is configured with EAP-MD5
  - it takes login and password from user
  - FreeRADIUS seems to validate him correctly (here is the log):
 
 rad_recv: Access-Request packet from host 192.168.49.222:1029, id=3,
 length=231
 User-Name = Nombre2 Apellido2
 NAS-IP-Address = 192.168.49.222
 NAS-Port = 1
 Called-Station-Id = 00-50-C2-10-92-82:SecureAP
 Calling-Station-Id = 00-0B-46-26-1B-E2
 Framed-MTU = 2304
 NAS-Port-Type = Wireless-802.11
 Connect-Info = CONNECT 11Mbps 802.11b
 EAP-Message = \002\004\000'\004\020\226f\026\271\\\235\202\247\206~^\367\026pV\242Nombre2 Apellido2
 State = 0x548fc174e88138adeecadde08ef4263f2e078b3ee6798cd2f2fd877659244ef7889a108c
 Message-Authenticator = 0x3da5ed71acd933e4d3f404747dae12ee
 modcall: entering group authorize
   modcall[authorize]: module preprocess returns ok
 rlm_ldap: - authorize
 rlm_ldap: performing user authorization for Nombre2 Apellido2
 radius_xlat:  '(uid=Nombre2 Apellido2)'
 radius_xlat:  'ou=Wireless,dc=sgi,dc=es'
 ldap_get_conn: Got Id: 0
 rlm_ldap: performing search in ou=Wireless,dc=sgi,dc=es, with filter
 (uid=Nombre2 Apellido2)
 rlm_ldap: Added password izadisan in check items
 rlm_ldap: looking for check items in directory...
 rlm_ldap: Adding radiusExpiration as Expiration, value 11  op=21
 rlm_ldap: Adding radiusAuthType as Auth-Type, value EAP  op=21
 rlm_ldap: looking for reply items in directory...
 rlm_ldap: user Nombre2 Apellido2 authorized to use remote access
 ldap_release_conn: Release Id: 0
   modcall[authorize]: module ldap returns ok
 modcall: group authorize returns ok
   rad_check_password:  Found Auth-Type EAP
 auth: type EAP
 modcall: entering group authenticate
 rlm_eap: Request found, released from the list
 rlm_eap: EAP_TYPE - md5
 rlm_eap: processing type md5
   modcall[authenticate]: module eap returns ok
 modcall: group authenticate returns ok
 Sending Access-Accept of id 3 to 192.168.49.222:1029
 EAP-Message = \003\004\000\004
 Message-Authenticator = 0x
 Finished request 30
 Going to the next request
 Waking up in 6 seconds...
 
  - Windows XP client thinks itself it's authenticated, because don't try to
 login more
  - but the network is not accesible for the client...

-- 
Artur Hecker
artur[at]hecker.info

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRADIUS + PEAP

2003-04-02 Thread Artur Hecker
hi


ok, now i know what was the problem with MD5. Windows XP after SP1 does
not support MD5 for wireless devices. however, i ask myself how you
could activate it because it is not available as a type for wireless
devices.

answering to your question: no, PEAP is not yet implemented in
freeradius.


ciao
artur


 Windows XP 802.1x supplicant seems to support only EAP-TLS and PEAP(-MSCHAP)
 authentication methods.
 
 EAP-TLS is built in FreeRADIUS, and I've tested and it works fine.
 
 But, how about PEAP? Is it supported by FreeRADIUS?
 
 If not, is it supported by another 'free' RADIUS system?



Re: Encryption...

2003-04-01 Thread Artur Hecker
hi


 When you edit the clients list in Radius there is a key or
 password test123 per clients, what does this really do?

you should perhaps simply download and read the current RADIUS RFC,
would you?


 I understand that it can provide a simple auth for the NASes,
 but does it not provide encryption?  Again I don't mean to question you,
 but just a learning process.  Without question one can't progress in the
 learning process.  Any information and advice would be greatly
 appreciated.

all this is nicely described in the RFC, just read it.


http://www.ietf.org/rfc/rfc2865.txt


ciao
artur




Re: freeRadius AP on same physical machine. Possible?

2003-03-31 Thread Artur Hecker
of course it's possible, where is the problem?



Nikhil Chauhan wrote:
 
 Hello:
 
 Is it possible that freeRadius and AP functionality (on a WLAN NIC
 card) be on
 
 the same physical machine...
 
 Comments appreciated.
 
 Regards,
 
 Nikhil.
 


Re: EAP/MD5 authentication problem!

2003-03-27 Thread Artur Hecker
hi

what you've sent is the following:

eap response identity
md5 challenge
then new eap response identity
and new challenge issued by the server
take a look at the EAP-Message attribute to approve this.

so, from the server's point of view there was no problem. however, it 
never received the necessary response to its challenges.

thus, the problem is either on your radius client (access device) or at 
your user (winXP). what are you trying to do exactly?

ciao
artur


Narasimha Reddy Gujja wrote:
Hi Artur

I am sending the server debug output file. 

I am trying to authenticate wireless users with XP system. My userbase is in 
LDAP.

Any suggestion will be great. Thanks in advance.

radiusd -X -A*
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 138.47.102.110:6001, id=13, 
length=119
User-Name = Bob
NAS-IP-Address = 138.47.102.110
Called-Station-Id = 00-02-2d-47-23-58
Calling-Station-Id = 00-02-2d-50-a3-f3
NAS-Identifier = RadiusAP
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = \002\002\000\010\001Bob
Message-Authenticator = 0x108ee1364eaf6d73afd4fca020f4ce04
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module eap returns updated
users: Matched Bob at 3
  modcall[authorize]: module files returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
  modcall[authenticate]: module eap returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 13 to 138.47.102.110:6001
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Routing = Broadcast-Listen
Framed-MTU = 1750
Framed-Compression = Van-Jacobson-TCP-IP
EAP-Message = \001\r\000\026\004\020HU\235\272in;q~\373)$\304*\360
Message-Authenticator = 0x
State = 
0xb8544111638aa2094bf37fb63b6e4ddae418813eadd92b7dc38bd585e79b2bb05fce59c2
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 13 with timestamp 3e8118e4
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 138.47.102.110:6001, id=14, 
length=119
User-Name = Bob
NAS-IP-Address = 138.47.102.110
Called-Station-Id = 00-02-2d-47-23-58
Calling-Station-Id = 00-02-2d-50-a3-f3
NAS-Identifier = RadiusAP
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = \002\002\000\010\001Bob
Message-Authenticator = 0x2b66e939f74c34a4a996282607247b8d
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module eap returns updated
users: Matched Bob at 3
  modcall[authorize]: module files returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
  modcall[authenticate]: module eap returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 14 to 138.47.102.110:6001
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Routing = Broadcast-Listen
Framed-MTU = 1750
Framed-Compression = Van-Jacobson-TCP-IP
EAP-Message = \001\016\000\026\004\020J\347\0236\344K\371
\277y\322u.#H\030\245
Message-Authenticator = 0x
State = 
0x8c23059409e8141abbacc10527ed7c20ec18813e310778ff5bce1ea5c9149793b998df93
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 14 with timestamp 3e8118ec
Nothing to do.  Sleeping until we see a request.



Thanks 
Reddy [EMAIL PROTECTED]





--
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker


Re: EAP/MD5 authentication problem!

2003-03-26 Thread Artur Hecker
please provide server debug output.

we can't help you without.

read http://www.freeradius.org/doc/EAP-MD5.html

ciao
artur
Narasimha Reddy Gujja wrote:
Hi All

I have enabled MAC based authentication for my wireless network using RADIUS 
and LDAP. Now I want to authenticate using EAP.
I have several doubts.

I configured my client machine to use 'EAP/MD5' and i configure the Access 
Point to use '802.1x'.

My problem is that the client (read: the XP system) machine is not authenticated by 
the server; it keeps asking to enter 
username and password, but is not authenticated.



Please look into my conf files and log and help me out.

Also, how can I check the password in LDAP instead of in the users file?

It will be a great help and thanks for your patience.

*** users
Bob   Auth-Type := EAP, User-Password = public
 Service-Type = Framed-User,
 Framed-Protocol = PPP,
 Framed-Routing = Broadcast-Listen,
 Framed-MTU = 1750,
 Framed-Compression = Van-Jacobson-TCP-IP
*** radiusd.conf
modules {
 eap {
  #default_eap_type = md5
  # Supported EAP-types
  md5 {
  }
  # (remaining eap settings not included in the post)
 }
}




Re: EAP/MD5 authentication problem!

2003-03-26 Thread Artur Hecker
hi

that's not very correct. eap/md5 is still supported for wired links as 
far as i know. please provide input on that topic.

ciao
artur
Marco Teixeira wrote:
Do you have Service Pack 1 on XP ? If you do,
you should know that after XP SP1, microsoft
no longer supports EAP/MD5. Instead you should use
PEAP/MSCHAP i guess. There's a good tutorial on this
at the freeradius site.
Best regards

Marco







Re: Réf. : Re: radius / winxp troubles

2003-03-26 Thread Artur Hecker
sorry for the delay.


I've tried to install the certificate in the local machine store. It 
worked for the Certificate Authority Root, but I don't know where to 
install the private key certificate. I've tried to put it in the 
Personal store. It works when I'm logging in as a local admin, but it still 
doesn't work as a network user. I think it's a matter of access rights 
to the certificate database, or maybe the system doesn't access 
the local certificate store when it's trying to log on to the network. So 
I'm still stuck with that matter.
i don't know exactly, this is an XP configuration problem... basically, 
you have to put the certificates into the user certificate store and not 
into the machine cert store... use mmc in order to do so.

you can also demand password usage for every private key access, so you 
will know when exactly the certificate is touched.

i wanted to do the same here, just in order to test it, but i don't have 
much time...


I hadn't seen that you were a lecturer at ENST Paris. I am a 
student at ENST Bretagne, in the first year of a work-study programme.
there you go
yes, i understood that from your email address :) i'm actually a PhD 
student...

ciao
artur




Re: EAP-TLS authentication and Certificate Revocation List

2003-03-20 Thread Artur Hecker
 which has to exist anyway. why 
would i introduce more protocols, more signaling and more traffic?

how dumb would it be to check the user, to give him EAP/TLS auth, to do 
the whole deal of TLS authentication, to recheck his/her certificates, 
to check all the CRLs (could be distant), to see that it's in the CRL 
and finally to block the access instead of just blocking the access in 
the first place on the first request?


Personally, I think we'd be much better off without CAs. I envisage a system
whereby client and server auto-generate their own public/private keys
(unsigned by any CA) - like SSH does, use them to connect to each other
securely (i.e. encryption), then pass off the authentication request to an
auth server (such as RADIUS). None of the overhead of a CA and relies on
WELL KNOWN, STANDARD, TRIED AND TESTED MECHANISMS OF ACCOUNT MANAGEMENT.
now we speak the same language. i completely agree with you in this point.

let's only clarify that RADIUS has to be dumped one day and replaced by 
something which does not have IESG notes on poor performance right in 
the first paragraph of its own RFC...


Unfortunately, that doesn't cover the main usage of https today - to let the
client know that have really connected to their bank - and not some hacker's
faked site... Only a CA can do that. Gotta pass that buck ;-)
one moment, sir! before we were talking about Apache and mod_ssl, it has 
NOTHING to do with the client checking its bank certificate. hardly 
anybody uses client certificates, so, what's the deal with all this 
complex (and theoretically incorrect) CRLs installed and checked on and 
by the servers? what are those good for? and what's with the client 
side? does netscape check something like this? explorer? opera? mozilla? 
something else?

finally, the HTTP and Web are really NOT the glory of the internet, 
though some tend to erroneously think so. it's the biggest shame 
anyway. i always said never let a physicist develop your IT system but 
nobody would ever listen to me :)

ciao
artur




Re: EAP/TLS and Windows 98

2003-03-20 Thread Artur Hecker
of course it works!!!

the authorization section will describe which authentication method to 
use. AuthType := System is perfect (personally i would take Local, 
sounds more logical to me :)) as long as you have some authorization 
section module telling to use something different. For EAP such a module 
will be EAP itself, it will inspect the incoming packet and change the 
AuthType to EAP automatically.

take a look at the EAP-MD5 howto, probably you don't have the EAP module 
in the autz section.

ciao
artur


L. Jacob wrote:
Alan,

Thank-you for the response, I've taken your advice and searched for 
Auth-Type := System (in file users).  I have changed the default 
Auth-Type := System to Auth-Type := EAP.

I am surprised, however, I thought if FreeRADIUS loads EAP (both md5 and 
tls modules) correctly, and in the users file if a user specifies 
something like:

adam-ctl  Auth-Type := EAP

I thought it would override the default system and tell FreeRADIUS to 
use eap, for this one user/instance. (A learning experience...)

Again, thank-you for your help Alan,

Len Jacob

Alan DeKok wrote:

L. Jacob [EMAIL PROTECTED] wrote:

The FreeRADIUS server itself IS loading TLS module, yet is using 
Auth-Type System (further down in the output) is this right? 
Shouldn't it be using Auth-Type EAP?


  Not if you told it to use Auth-Type := System, which is the way it
comes by default.

  modcall[authorize]: module suffix returns noop
users: Matched DEFAULT at 152


  Check out that line.  That's what you missed.

  Alan DeKok.



EAP/TLS for WinCE/PocketPC

2003-03-19 Thread Artur Hecker
hi

i'm sorry, it's a bit out of topic, but somebody recently told me on 
this list that there is an evaluation version of an EAP/TLS client for 
WinCE.

i was too dumb to save the email and now i can't find it in the archives 
(tried wince, tls, pocketpc etc.)

could this person kindly repost the URL?

ciao
artur


Re: EAP/TLS certificates and server questions

2003-03-19 Thread Artur Hecker
hi


Thanks to the EAP/TLS Howto, I was able to setup the radius server and 
get all the authentication I needed going.
Now the script, which creates the root certificate, generates root.pem 
with a lifetime of 30 days.
After that authentication doesn't work, OK. Last month I recreated 
everything. That's a pain...

 - How can I extend them? Reuse them? What's the deal?
no reuse. you have to set another expiration date. take a look at the 
scripts.


I have the second box, with software up and running.

But again, the certificates:
- My first attempt - just copying them - didn't work. OK, just a try.
why? what exactly did you copy and what exactly did you certify?


- Second, since the certs are tied to hostname, I recreated them - guess 
what...
well, you have to look at what you are doing. are you sure that your 
certificates are tied to the host address? because mine are not. and i 
doubt that this is verified anyway. the server simply has a pair of keys 
and both are signed and one of them (the private) is encrypted. the 
possession of the decryption key enables the usage.

ciao
artur


Re: Freeradius/Xsupplicant EAP-MD

2003-03-19 Thread Artur Hecker
i don't know exactly what happens but it's clearly not a correct 
response to the issued challenge:

Sending Access-Challenge of id 57 to
192.168.2.205:1091
EAP-Message =
\001%\000\026\004\020\361\003\026,\tt\t\273{\035\247\314,\200\361
Message-Authenticator =
0x
State =
0x9b7b487b9b29a9bd2949c0104895a2b63e89783e32c85da841d50ca2346d6116c074cd80


rad_recv: Access-Request packet from host
192.168.2.205:1092, id=58, length=187
User-Name = toto
Cisco-AVPair = ssid=access_point
NAS-IP-Address = 192.168.2.205
Called-Station-Id = 0040965b1dc6
Calling-Station-Id = 000b46bd5909
NAS-Identifier = AP350-5b1dc6
NAS-Port = 38
Framed-MTU = 1400
State =
0x9b7b487b9b29a9bd2949c0104895a2b63e89783e32c85da841d50ca2346d6116c074cd80
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = \002%\000\006\003\r
Message-Authenticator =
0x4e478a7a91d21542bb065660cbaade88
take a look at the EAP message, it's NEVER a challenge response - way 
too short. i'm not familiar with xsupplicant though...

ciao
artur
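Decoding the EAP-Message strings in the debug outputs above, both the Identity / MD5-Challenge exchange in the EAP/MD5 thread and the six-byte packet in this Xsupplicant reply, as an added example that is not part of the list posts or of FreeRADIUS itself: it reverses the octal escaping of `radiusd -X`, parses the EAP header, and applies the RFC 1994 check a server makes on an MD5-Challenge response. It assumes the debug output prints printable ASCII literally and other bytes as `\ooo` (plus `\r`, `\n`, `\t`); the sample strings are copied from the logs above, and two of the challenge lines have lost one byte in the archive, which the parser reports as truncated.

```python
"""Decode EAP-Message values as printed by 'radiusd -X' (added example, not FreeRADIUS code)."""
import hashlib
import re

CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# EAP type numbers from RFC 3748 (EAP-TLS from RFC 2716)
TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
         13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP"}
_ESC = re.compile(r"\\([0-7]{3}|.)")
_SIMPLE = {"r": b"\r", "n": b"\n", "t": b"\t", "\\": b"\\", '"': b'"'}

def unescape(text):
    """Reverse the debug-log escaping: printable ASCII is literal, other bytes are \\ooo octal."""
    out, pos = bytearray(), 0
    for m in _ESC.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        esc = m.group(1)
        if len(esc) == 3:
            out.append(int(esc, 8))
        elif esc in _SIMPLE:
            out += _SIMPLE[esc]
        else:
            raise ValueError("unknown escape \\" + esc)
        pos = m.end()
    return bytes(out + text[pos:].encode("latin-1"))

def parse_eap(pkt):
    """EAP header and type-specific body; 'truncated' means fewer bytes than the length field claims."""
    if len(pkt) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = pkt[0], pkt[1], int.from_bytes(pkt[2:4], "big")
    info = {"code": CODES.get(code, code), "id": ident, "length": length,
            "truncated": len(pkt) < length}
    if code in (1, 2) and len(pkt) >= 5:       # only Request/Response carry a Type
        eap_type, data = pkt[4], pkt[5:length]
        info["type"] = TYPES.get(eap_type, eap_type)
        if eap_type == 1:                       # Identity: the user name
            info["identity"] = data.decode("latin-1")
        elif eap_type == 3:                     # Nak: types the peer would accept instead
            info["wants"] = [TYPES.get(t, t) for t in data]
        elif eap_type == 4 and data:            # MD5-Challenge: Value-Size, Value, Name (RFC 1994)
            size = data[0]
            info["value"], info["name"] = data[1:1 + size], data[1 + size:]
            info["truncated"] |= len(info["value"]) < size
    return info

def md5_response_value(ident, secret, challenge):
    """Value a correct MD5-Challenge response must carry: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def check_md5_response(pkt, secret, challenge):
    """The server-side test: is pkt a complete, valid MD5-Challenge response to 'challenge'?"""
    info = parse_eap(pkt)
    return (info["code"] == "Response" and info.get("type") == "MD5-Challenge"
            and not info["truncated"]
            and info.get("value") == md5_response_value(info["id"], secret, challenge))

if __name__ == "__main__":
    # EAP-Message strings copied from the debug output above; the archive has lost one
    # byte of the MD5 challenge (15 of 16 value bytes remain), which parse_eap flags
    for text in (r"\002\002\000\010\001Bob", r"\002%\000\006\003\r",
                 r"\001\r\000\026\004\020HU\235\272in;q~\373)$\304*\360", r"\003\004\000\004"):
        print(parse_eap(unescape(text)))
```

The second sample decodes to a Response of type Nak whose data byte is 13 (EAP-TLS), which is why it is only six bytes long and can never satisfy the MD5 challenge the server issued.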

