Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails

2013-08-22 Thread Martin Kraus
On Wed, Aug 21, 2013 at 11:45:11PM +0100, Matthew Newton wrote:
 If that's all you're doing, forget about PEAP and just go for
 straight EAP-TLS. All PEAP really gives you on top is the SoH
 support, and may cause problems with other non-Windows clients.
 EAP-TLS should work on more devices.

I'm still hoping I'll be able to use the outer and inner TLS for privacy
reasons and because right now the radius configuration is doing what I want
and merging default and inner-tunnel servers would make the configuration
even uglier than it already is:-)
 
 Some devices you'll be stuck with PEAP/MSCHAPv2 though (or
 TTLS/MSCHAPv2). I'm pretty sure there are some phones that can't
 do EAP-TLS.

 You do realise that EAP-TLS is certificate based, not
 user/password? So you need a full certificate management system to
 go with it as well to issue certs to your users. You can't get
 user-based auth with EAP-TLS by doing PEAP/EAP-TLS - it's still
 certificate (machine auth) only.

Yes, all our users have a certificate issued for our internal wifi so that's 
not a problem. I'm actually hoping to phase out passwords for network logons.
 
 My advice would be to stick with PEAP/EAP-MSCHAPv2 and use
 deployment tools to get the devices configured correctly.

We don't have control over the client devices. We just have to hope that the
users know what to do and what their devices are doing. 

The main problem is that I'm currently not allowed to go on with a migration
to 802.1x until the mschap problem is solved. 

mk
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails

2013-08-22 Thread Martin Kraus
On Wed, Aug 21, 2013 at 01:28:08PM +0100, Matthew Newton wrote:
 On Wed, Aug 21, 2013 at 01:17:02PM +0200, Martin Kraus wrote:
  I managed to get EAP-TTLS/TLS working but EAP-PEAP/TLS fails after the outer
  TLS tunnel is established:
 
 On the assumption that your certificates are OK...
 
 Have you updated the fragment_size so that the outer is larger
 than the inner?
 
 I did a write-up on getting this to work (see
 http://q.asd.me.uk/pet ) - fragment_size was the biggest gotcha
 IIRC.

And that solved the problem:-) 

I had the fragment size the same in both configs, now it's working just like
the EAP-TTLS/EAP-TLS.

Thank you so much.

Martin
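The fix Martin confirms above (outer fragment_size larger than the inner) looks like this in FreeRADIUS 2.x configuration. This is an added example, not Matthew Newton's write-up and not the stock raddb files: the instance name inner-eap, the certificate paths and the two sizes are assumed, and the remaining tls options are left as in the shipped eap.conf.

```text
# raddb/eap.conf: outer EAP instance (the PEAP tunnel)
eap {
	default_eap_type = peap
	tls {
		certificate_file = ${confdir}/certs/server.pem
		private_key_file = ${confdir}/certs/server.pem
		CA_file = ${confdir}/certs/ca.pem
		# Outer fragment size. Each inner EAP-TLS fragment is carried
		# inside an outer TLS record, so this must exceed the inner size.
		fragment_size = 1024        # assumed value
		# ... remaining tls settings as in the shipped eap.conf
	}
	peap {
		default_eap_type = tls      # inner method is EAP-TLS, not MSCHAPv2
		virtual_server = "inner-tunnel"
	}
}

# raddb/modules/inner-eap: second EAP instance, used only inside the tunnel
eap inner-eap {
	default_eap_type = tls
	tls {
		certificate_file = ${confdir}/certs/server.pem
		private_key_file = ${confdir}/certs/server.pem
		CA_file = ${confdir}/certs/ca.pem
		fragment_size = 512         # assumed value; what matters is: smaller than the 1024 above
	}
}

# raddb/sites-available/inner-tunnel: send the tunnelled EAP to the inner instance
authorize {
	inner-eap
	# ...
}
authenticate {
	inner-eap
}
```

With both sizes equal, as Martin initially had them, an inner fragment plus its TLS record overhead no longer fits in one outer fragment, which matches the symptom in the thread: the outer tunnel comes up and the inner EAP-TLS exchange then stalls rather than failing on a certificate check. Running `radiusd -X` and watching where the inner handshake stops is the quickest way to tell the two apart.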


Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails

2013-08-22 Thread Phil Mayers
Matthew Newton m...@leicester.ac.uk wrote:
On Wed, Aug 21, 2013 at 09:52:14PM +0200, Martin Kraus wrote:
 well looking at man wpa_supplicant I can see
 
 EAP-PEAP/TLS

I think that should be PEAP/EAP-TLS. Otherwise I'm not sure what
it's talking about.

Huh, and I thought MS-PEAP specified only soh and mschap as valid inners. Nice 
to see ms honouring their own specs ;o) Or maybe they updated it since I last 
read it.
-- 
Sent from my phone with, please excuse brevity and typos


Re: ntlm_auth not respected

2013-08-22 Thread Phil Mayers

On 21/08/13 23:44, Chris Parker wrote:

Okay, pardon my confusion then. I had been following a howto online
and it reported that the command when run manually will produce the
key.

Either way, I'm still having a failure in MSCHAP with radtest that
I'm not quite grasping.


Well, as I explained in my other email, mschap == challenge/response, 
modules/ntlm_auth != challenge/response.


To reiterate, modules/ntlm_auth is almost certainly not what you want, 
and is not intended to be used as-is. I would unconfigure it and 
concentrate on getting modules/mschap working.



Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails

2013-08-22 Thread Alan Buxey
TLS in PEAP.  Yes I've seen it. And EAP-MSCHAPV2 in PEAP

alan

Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails

2013-08-22 Thread Phil Mayers

On 22/08/13 10:54, Alan Buxey wrote:

TLS in PEAP.  Yes I've seen it. And EAP-MSCHAPV2 in PEAP


PEAP/MSCHAP is *always* PEAP/EAP-MSCHAPv2 IIRC. Unlike TTLS there's no 
bare MSCHAP variant, because there's no spec for how to derive the 
MSCHAP challenge from the TLS master secret.


The EAP methods are all a pile of crap; it's truly disappointing how 
many hoops you have to jump through just because Microsoft gifted us a 
crappy EAP method, and everyone else slavishly implemented it.


Microsoft could solve a lot of problems right now by providing an API to 
execute EAP-PWD with the NT-hash variant of the secret against an AD 
controller. Instead, we're all flailing around with the very best of 
early 90s crypto protecting our wireless :o(



Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails

2013-08-22 Thread Alan DeKok
Phil Mayers wrote:
 PEAP/MSCHAP is *always* PEAP/EAP-MSCHAPv2 IIRC. Unlike TTLS there's no
 bare MSCHAP variant, because there's no spec for how to derive the
 MSCHAP challenge from the TLS master secret.

  FWIW: PEAP is TLS + inner EAP.  That's why there's no PAP / CHAP /
MS-CHAP inside the tunnel.  It *has* to be EAP.

 Microsoft could solve a lot of problems right now by providing an API to
 execute EAP-PWD with the NT-hash variant of the secret against an AD
 controller. Instead, we're all flailing around with the very best of
 early 90s crypto protecting our wireless :o(

  Pretty much.

  Alan DeKok.


Re: User get after few minute

2013-08-22 Thread Alan DeKok
Sokphak TOUCH wrote:
 I have an issue with configuring radius. I have one Juniper MX80 acting as
 LNS in my lab and FreeRADIUS Version 2.1.12 installed. I can see there
 is a successful connection log on radius but after around 1mn it connects
 again and again. I have checked the MX80 but there is no significant log.
 Below is the full log in debug mode of radius during connect. Please advise.

  Read your NAS documentation.  The NAS is hanging up the connection,
not FreeRADIUS.

  You may need to add a Session-Timeout attribute to the reply.

  Again, read your NAS documentation to see which attributes it needs in
the Access-Accept.

  Alan DeKok.


Re: ntlm_auth not respected

2013-08-22 Thread Chris Parker
Thank you for setting me on the right track; I have followed the directions on 
http://deployingradius.com/documents/configuration/active_directory.html (the 
bottom section on MSCHAP) and have ntlm_auth in the authenticate {} - as per 
those directions.
When I run the ntlm_auth command manually, it works fine, as does running 
wbinfo -a

root@leopard:/etc/freeradius# wbinfo -a wyse1%K503D
plaintext password authentication succeeded
challenge/response password authentication succeeded


Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 60046, id=111, 
length=113
User-Name = wyse1
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
MS-CHAP-Challenge = 0xe07a375bed09f1f7
MS-CHAP-Response = 0x0001065b157b183b4d29d455414b184c57af4912b1d74f4ed726
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = wyse1, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap] expand: %{Stripped-User-Name} -> 
[mschap] ... expanding second conditional
[mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[mschap] expand: %{User-Name:-None} -> wyse1
[mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=wyse1
[mschap]  mschap1: e0
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=e07a375bed09f1f7
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=065b157b183b4d29d455414b184c57af4912b1d74f4ed726
Exec-Program output: Reading winbind reply failed! (0xc001) 
Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc001) 
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] MS-CHAP-Response is incorrect.
++[mschap] returns reject
Failed to authenticate the user.
Login incorrect (mschap: External script says Reading winbind reply failed! 
(0xc001)): [wyse1/via Auth-Type = mschap] (from client localhost port 
1812)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> wyse1
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 111 to 127.0.0.1 port 60046
Waking up in 4.9 seconds.
Cleaning up request 0 ID 111 with timestamp +15
Ready to process requests.

On Aug 22, 2013, at 5:50 AM, Phil Mayers p.may...@imperial.ac.uk wrote:

 On 21/08/13 23:44, Chris Parker wrote:
 Okay, pardon my confusion then. I had been following a howto online
 and it reported that the command when run manually will produce the
 key.
 
 Either way, I'm still having a failure in MSCHAP with radtest that
 I'm not quite grasping.
 
 Well, as I explained in my other email, mschap == challenge/response, 
 modules/ntlm_auth != challenge/response.
 
 To reiterate, modules/ntlm_auth is almost certainly not what you want, and 
 is not intended to be used as-is. I would unconfigure it and concentrate on 
 getting modules/mschap working.



rlm_perl issue

2013-08-22 Thread Dean, Barry
An interesting one for the list ...

We are installing a Palo Alto firewall and it has a way to pass Username/IP 
mappings from FreeRADIUS to a Windows User ID Agent, which is then queried by 
the firewall.

The method employed is to use a Perl module (PAN::API), which has a simple API, 
basically:

$var = PAN::API::UID->new( ip of server );
$var->add( type login/logout, username, Framed-IP-Address );
$var->submit();

which is added in the sub preacct () of the perl module...

then call this in preacct {}

There are a couple of issues with this module that I am going to try and 
address:

1) Connections
new only instantiates an empty object
add adds the values to a hash
submit opens an TCP SSL connection, sends the hash as XML, then 
closes the connection.
With all the work being done in submit you have to create and tear down an 
SSL TCP connection for EVERY accounting record! Which is a lot at my site!

2) Errors
If the socket set-up fails, the PAN::API module calls croak(), which on 
my system terminated FreeRADIUS, which seems like what would happen?

Thu Aug 22 13:53:03 2013 : Error: rlm_perl: perl_embed:: module = 
/etc/raddb/perl.pl , func = preacct exit status= Unable to connect socket.  at 
/etc/raddb/perl.pl line 474

Socket setup failed I am guessing because of all the open/close socket 
activity? Looks like the Windows 2008R2 server either blocked this as a 
suspected DOS or the agent failed to cope with this kind of TCP activity?

Obviously for problem 1, a better model would be to implement new methods on 
the object to open and close the SSL connection, then use a pattern like:

{ # Static block start
    my $object = PAN::API::UID->new( IP );
    $object->connectssl();

    sub preacct {
        $object->add( params );
        $object->submit();
    }
}

closing the SSL would not be needed in effect as we run forever, and I 
wouldn't know where to place it as there is no function called on an rlm_perl 
module when FreeRADIUS is about to terminate, unless I am missing something.

For problem 2, are there rules about what you should not do in an rlm_perl 
module? I would have thought exit(), die(), croak() etc are all bad and that 
returning quietly, optionally setting an error code, would be better? Then back 
in sub preacct () you could check the error and log with radiusd::radlog() 
and do a return RLM_MODULE_NOOP?

Would you expect FreeRADIUS to terminate if an rlm_perl module called croak()?

Anyone want to throw in 2 cents/pennies worth to this?

Thanks in advance, as always, for your time ...


Barry Dean
Principal Programmer/Analyst
Networks Team
Computing Service Department



Re: ntlm_auth not respected

2013-08-22 Thread Chris Parker
Sorry for the individual emails, but I got things working with MSCHAP (w/ 
ntlm_auth) and WPA-EAP.
My issue was that when I got the two winbind errors, I did some more searching 
and there's the potential that the freerad user did not have access to pipe 
named: /var/run/samba/winbindd
That pipe is owned as follows:

drwxr-x---  2 root winbindd_priv 60 Aug 22 11:15 winbindd_privileged/

That being the case, you need to add the user freerad to that group, so it can 
execute with the right privileges.

Sending Access-Request of id 52 to 127.0.0.1 port 1812
User-Name = wyse1
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
MS-CHAP-Challenge = 0xf38d9f1a3dcb27e9
MS-CHAP-Response = 0x0001941d3ff95601f8f335e7eff7c97e1abf28df15abd28b7fda
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=52, length=84
MS-CHAP-MPPE-Keys = 0xd22b3a1df401aa61a721c8a31ba91082
MS-MPPE-Encryption-Policy = 0x0001
MS-MPPE-Encryption-Types = 0x0006

Now, is it safe to disable modules (by commenting them out of the sites-enabled 
files) that aren't related to the MSCHAP process? This is just in passing 
curiosity.


On Aug 22, 2013, at 10:14 AM, Chris Parker cparke...@me.com wrote:

 Thank you for setting me on the right track; I have followed the directions 
 on http://deployingradius.com/documents/configuration/active_directory.html 
 (the bottom section on MSCHAP) and have ntlm_auth in the authenticate {} - as 
 per those directions.
 When I run the ntlm_auth command manually, it works find / as does running 
 wbinfo -a
 
 root@leopard:/etc/freeradius# wbinfo -a wyse1%K503D
 plaintext password authentication succeeded
 challenge/response password authentication succeeded
 
 
 Ready to process requests.
 rad_recv: Access-Request packet from host 127.0.0.1 port 60046, id=111, 
 length=113
   User-Name = wyse1
   NAS-IP-Address = 127.0.1.1
   NAS-Port = 1812
   MS-CHAP-Challenge = 0xe07a375bed09f1f7
   MS-CHAP-Response = 0x0001065b157b183b4d29d455414b184c57af4912b1d74f4ed726
 # Executing section authorize from file /etc/freeradius/sites-enabled/default
 +- entering group authorize {...}
 ++[preprocess] returns ok
 ++[chap] returns noop
 [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
 ++[mschap] returns ok
 ++[digest] returns noop
 [suffix] No '@' in User-Name = wyse1, looking up realm NULL
 [suffix] No such realm NULL
 ++[suffix] returns noop
 [eap] No EAP-Message, not doing EAP
 ++[eap] returns noop
 ++[files] returns noop
 ++[expiration] returns noop
 ++[logintime] returns noop
 [pap] WARNING! No known good password found for the user.  Authentication 
 may fail because of this.
 ++[pap] returns noop
 Found Auth-Type = MSCHAP
 # Executing group from file /etc/freeradius/sites-enabled/default
 +- entering group MS-CHAP {...}
 [mschap] Told to do MS-CHAPv1 with NT-Password
 [mschap]  expand: %{Stripped-User-Name} -> 
 [mschap]  ... expanding second conditional
 [mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
 [mschap]  expand: %{User-Name:-None} -> wyse1
 [mschap]  expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=wyse1
 [mschap]  mschap1: e0
 [mschap]  expand: --challenge=%{mschap:Challenge:-00} -> --challenge=e07a375bed09f1f7
 [mschap]  expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=065b157b183b4d29d455414b184c57af4912b1d74f4ed726
 Exec-Program output: Reading winbind reply failed! (0xc001) 
 Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc001) 
 Exec-Program: returned: 1
 [mschap] External script failed.
 [mschap] MS-CHAP-Response is incorrect.
 ++[mschap] returns reject
 Failed to authenticate the user.
 Login incorrect (mschap: External script says Reading winbind reply failed! 
 (0xc001)): [wyse1/via Auth-Type = mschap] (from client localhost port 
 1812)
 Using Post-Auth-Type Reject
 # Executing group from file /etc/freeradius/sites-enabled/default
 +- entering group REJECT {...}
 [attr_filter.access_reject]   expand: %{User-Name} -> wyse1
 attr_filter: Matched entry DEFAULT at line 11
 ++[attr_filter.access_reject] returns updated
 Delaying reject of request 0 for 1 seconds
 Going to the next request
 Waking up in 0.9 seconds.
 Sending delayed reject for request 0
 Sending Access-Reject of id 111 to 127.0.0.1 port 60046
 Waking up in 4.9 seconds.
 Cleaning up request 0 ID 111 with timestamp +15
 Ready to process requests.
 
 On Aug 22, 2013, at 5:50 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
 
 On 21/08/13 23:44, Chris Parker wrote:
 Okay, pardon my confusion then. I had been following a howto online
 and it reported that the command when run manually will produce the
 key.
 
 Either way, I'm still having a failure in MSCHAP with radtest that
 

Re: ntlm_auth not respected

2013-08-22 Thread Phil Mayers

On 22/08/13 15:14, Chris Parker wrote:


Exec-Program output: Reading winbind reply failed! (0xc001)


Check the permissions on the winbind socket directory, specifically that 
the freeradius daemon user can access it; this is usually at:


/var/cache/samba/winbindd_privileged

or
/var/lib/samba/winbindd_privileged



Re: rlm_perl issue

2013-08-22 Thread Phil Mayers

On 22/08/13 16:46, Dean, Barry wrote:


Anyone want to throw in 2 cents/pennies worth to this?


Yep, don't do it like this.

Instead, write the user/ip entries to a file using the linelog module, 
and use a long-running perl process to tail the file (using File::Tail) 
and post them to the PAN. This will likely be more performant and avoid 
the hassles of a random module interfering with FreeRADIUS.


You probably want to write a timestamp to the file, and have the 
long-running process ignore lines X old, in case it lags behind e.g. 
because it hangs, gets shutdown and restarted much later, etc.
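The design Phil sketches above (linelog writes a timestamped record per accounting packet, a separate long-running process tails the file, forwards fresh entries, and ignores anything too old) as a stand-alone consumer. This is an added example, not code from the thread, from PAN::API or from FreeRADIUS. It assumes a linelog `format` of `"%l %{Acct-Status-Type} %{User-Name} %{Framed-IP-Address}"`, i.e. one `<unix-ts> <status> <user> <ip>` line per packet; the actual forwarding to the firewall agent (the PAN::API submit step in Barry's case) is a caller-supplied callback, and the demo collects batches in a list instead. The tailer is a minimal stand-in for File::Tail, the sample lines are constructed, and the 300-second cut-off is an assumed value.

```python
import os
import tempfile
from dataclasses import dataclass

MAX_AGE_SECONDS = 300   # assumption: records older than 5 minutes are dropped, not replayed

# Acct-Status-Type values mapped onto the agent's login/logout notion
STATUS_TO_ACTION = {"Start": "login", "Interim-Update": "login",
                    "Alive": "login", "Stop": "logout"}


@dataclass
class Mapping:
    ts: int
    action: str
    user: str
    ip: str


def parse_line(line):
    """Parse one linelog record; None for malformed lines or unknown status types."""
    parts = line.strip().split()
    if len(parts) != 4:
        return None
    ts, status, user, ip = parts
    if not ts.isdigit() or status not in STATUS_TO_ACTION:
        return None
    return Mapping(int(ts), STATUS_TO_ACTION[status], user, ip)


def fresh_mappings(lines, now, max_age=MAX_AGE_SECONDS):
    """Keep only parseable records no older than max_age seconds at time `now`.
    This is what makes a lagging or restarted consumer safe: a login written
    an hour ago is not pushed to the firewall as if it happened just now."""
    out = []
    for line in lines:
        m = parse_line(line)
        if m is not None and now - m.ts <= max_age:
            out.append(m)
    return out


class Tailer:
    """Remembers the byte offset between calls (so a restart resumes rather than
    re-reading everything), copes with truncation or rotation, and never hands
    back a half-written line."""

    def __init__(self, path, offset=0):
        self.path = path
        self.offset = offset

    def read_new_lines(self):
        with open(self.path, "rb") as f:
            f.seek(0, os.SEEK_END)
            if f.tell() < self.offset:      # file shrank: rotated or truncated
                self.offset = 0
            f.seek(self.offset)
            data = f.read()
            self.offset = f.tell()
        lines = data.splitlines(keepends=True)
        if lines and not lines[-1].endswith(b"\n"):
            self.offset -= len(lines.pop())  # partial line: re-read it next time
        return [l.decode("utf-8", "replace") for l in lines]


def forward_batch(lines, submit, now):
    """Filter raw lines and hand the fresh ones to `submit` in one call, so one
    connection carries many records instead of one per accounting packet."""
    batch = fresh_mappings(lines, now)
    if batch:
        submit(batch)
    return batch


# Constructed sample data; NOW is a fixed clock so the demo is reproducible.
NOW = 1377179600
SAMPLE_LINES = [
    "1377179583 Start alice 10.0.0.5\n",          # 17 s old: forwarded as login
    "1377179000 Start bob 10.0.0.6\n",            # 600 s old: stale, dropped
    "1377179590 Stop carol 10.0.0.7\n",           # 10 s old: forwarded as logout
    "garbage line that linelog never wrote\n",    # malformed, dropped
]


def demo():
    """Write the samples in stages and tail them; returns the submitted batches."""
    path = os.path.join(tempfile.mkdtemp(), "userip.log")
    sent = []
    tailer = Tailer(path)
    with open(path, "w") as f:
        f.writelines(SAMPLE_LINES[:2])
    forward_batch(tailer.read_new_lines(), sent.append, NOW)
    with open(path, "a") as f:
        f.write(SAMPLE_LINES[2][:-1])             # half-written record, no newline yet
    assert tailer.read_new_lines() == []          # must not be consumed early
    with open(path, "a") as f:
        f.write("\n" + SAMPLE_LINES[3])
    forward_batch(tailer.read_new_lines(), sent.append, NOW)
    return sent


if __name__ == "__main__":
    for batch in demo():
        print([(m.action, m.user, m.ip) for m in batch])
```

Persisting `Tailer.offset` (to a small state file) between runs gives the restart behaviour File::Tail users expect; the age filter then covers the remaining case Phil mentions, a consumer that was down for a long time and finds a large backlog.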



Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails

2013-08-22 Thread Matthew Newton
On Thu, Aug 22, 2013 at 10:30:54AM +0100, Phil Mayers wrote:
 Matthew Newton m...@leicester.ac.uk wrote:
 On Wed, Aug 21, 2013 at 09:52:14PM +0200, Martin Kraus wrote:
  well looking at man wpa_supplicant I can see
  
  EAP-PEAP/TLS
 
 I think that should be PEAP/EAP-TLS. Otherwise I'm not sure what
 it's talking about.
 
 Huh, and I thought MS-PEAP specified only soh and mschap as valid inners. 
 Nice to see ms honouring their own specs ;o) Or maybe they updated it since I 
 last read it.

We've been doing it for ~18 months now. Works fine (when the
fragment sizes have been set up correctly) so we get domain
managed certs and soh. Just a shame you can't do user auth as
well at the same time.

m.


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk


Escaping regex + character

2013-08-22 Thread Franks Andy (RLZ) IT Systems Engineer
Hi All,
  Just a quick question - I've compiled FR3 with pcre regex libraries
and it's working ok. I just can't get it to escape plusses ( + ) though
I've tried between 0 and 6(!) backslashes but all result in:

ERROR: Failed compiling regular expression: bad range inside [] at
offset 10
(0) ERROR: Condition evluation failed because the value of an operand
could not be determined

It's the + in the character class I'm trying to escape. This is with two
backslashes (what I'd expect to work as it does with dots - \\.

(0)? if (%{Email-Address} =~
/^[a-z0-9_-\+]+(\.[a-z0-9_-\\\+])*@[a-z0-9_-\\\+]+(\.[a-z0-9_-\\\+]+)*(\
.[a-z]{2,4})$/)
(0) expand: %{Email-Address} - 'a...@c.de'
ERROR: Failed compiling regular expression: bad range inside [] at
offset 10
(0) ERROR: Condition evluation failed because the value of an operand
could not be determined

The regex works ok without the plusses, if not including them in the
subject..

Thanks
Andy
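Andy's question gets no reply in this digest. As an added note on how any regex engine reads that class: inside `[...]` an unescaped `-` between two characters denotes a range, so `_-\+` asks for the range from `_` to `+`, which runs backwards, and the engine reports a bad range. The block below is an added example, not from the thread; Python's `re` is not PCRE, but the bracket-expression rule is the same. It shows the class being rejected and one corrected pattern with the hyphen escaped; the sample addresses are constructed.

```python
import re

# The character class from the thread: "_-\+" parses as a range from "_" (0x5F)
# down to "+" (0x2B), which is out of order, so compilation fails.
BROKEN_CLASS = r"[a-z0-9_-\+]"

# Escaping the hyphen (placing it first or last in the class also works)
# makes it a literal; "+" needs no escape inside a class.
EMAIL_RE = re.compile(
    r"^[a-z0-9_\-+]+(\.[a-z0-9_\-+]+)*@[a-z0-9_\-+]+(\.[a-z0-9_\-+]+)*(\.[a-z]{2,4})$"
)

# Constructed sample addresses, not from the thread.
ADDRESSES = ["a@c.de", "first.last+tag@example.com", "bad address@example"]


def class_compiles(pattern):
    """True if the engine accepts the pattern, False on a syntax error."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def valid_addresses(addrs):
    """Return the addresses the corrected pattern accepts."""
    return [a for a in addrs if EMAIL_RE.match(a)]


if __name__ == "__main__":
    print("broken class compiles:", class_compiles(BROKEN_CLASS))
    print("accepted:", valid_addresses(ADDRESSES))
```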