Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi
Hi Alan,

Alan DeKok wrote:
>> Freeradius. Using Linux I can send whatever I want as the loginname.
> If you know you can change the client, then change the client.

This is exactly what I want to do! Change the loginname the client sends to the Authenticator. It's a Windows 802.1x question, not a question of how to configure FR. FR does everything all right. But most FR people here have more knowledge about Windows 802.1x than the Windows people in a Windows group/list.

bye
Alex

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi
Hi Phil,

Phil Mayers wrote:
> I don't understand - you're saying that, for windows clients:
> 1. On wi-fi they send host/name.domain.com
> 2. On LAN, they send... something else?
> Are you sure? We don't see that.

Exactly. On wifi they send hostname, on LAN they send: host/hostname. hostname is the Windows hostname from the system settings.

bye
Alex
Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi
Hi,

Phil Mayers wrote:
> We don't see that behaviour. We consistently see host/. Check you aren't mangling the hostnames in your FreeRADIUS config.

Strange, but thanks for watching. We're not mangling anything in FR. That's what I see, running FR in Debug-Mode. Maybe because we're running on an NT4 Samba domain and are not using an AD? Since XP SP3 we establish machine-auth via exporting, text-editing and importing the profile XML of the specific LAN interface; we're authenticating using EAP-TLS, the CN of the cert is the hostname. Machine-auth via WLAN is done by a registry change. Ok, I'll keep looking.

bye
Alex
Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi
Hi David,

David Mitton wrote:
> If the OP is observing such behavior, he needs to figure out why (what turned it on, is it consistent or the same for all users) and work with that.

It is consistent for all machines in the network. To figure out why this happened is exactly what I want to do. But I need a good point to start. At least in MS TechNet there is no usable information about that behaviour. But - as always - it depends also on the kind of question. Maybe I used the wrong keywords for the search. At the moment I can't see any light at the end of the tunnel.

Bye
Alex
Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi
Phil Mayers wrote:
> Is it possible your wireless networking equipment is mangling the hostnames? Which vendor are you using?

Mhh, I can check that again, it's an old Linksys AP. I'll see if that happens also with the other, more professional hardware we have.

> Have you verified that you really are receiving hostname instead of host/hostname? Verified with a reliable tool i.e. tcpdump on the RADIUS server?

No, I just took the Debug-Mode from FR. But it's good to know that the normal behaviour of Windows is to use a unique loginname for all kinds of machine-based auth.

Bye
Alex
EAP-TLS Machine-Auth Windows: difference between LAN and WiFi
Hi,

we're using FR 2.0 for our machine authentication for XP to Win7 with EAP-TLS. Everything is working so far, but I noticed a difference between authenticating via WLAN and LAN, which starts to be a problem for us now. If I make an auth via LAN the provided username is hostname; if I do it via WLAN it is host/hostname. While we use host/ as a realm for our Radsecproxy, I'd like to change the behaviour for the authentication via LAN and add a string to the hostname (i.e. host/ or something else) to unify the login for WLAN and LAN. So how or where can I change that? A hint will be really welcome.

TIA
Alex
Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi
Hi Alan,

thanks for your reply!

Alan DeKok wrote:
>> host/ as a realm for our Radsecproxy, I'd like to change the behaviour for the authentication via LAN and add a string to the hostname
> Don't. You will break EAP.

That's not clear. Why would that break EAP if the workstations are sending a different login? It already does, depending on LAN or WLAN logins. I don't mean some kind of rewrite or redirect inside of Freeradius. Using Linux I can send whatever I want as the loginname.

> Find a better solution. Change your rules so that you're keying off of the correct data, and doing that only when you want.

I have now a more or less complicated regex rule in the radsecproxy, but I thought it's more elegant to unify both logins. I thought of doing it in the profile XML file of the LAN connection in Win, but unfortunately it's not the right place for it. At least all official resources I can find from MS are not pointing out how to do that.

bye
Alex
Who processes VLAN information?
Hi,

if I'm transmitting VLAN information back to the supplicant after an Access-Accept (see below), who uses this information? Is it information for the switch, working as an Authenticator, to put the switchport into VLAN 22, or is it for the Supplicant/Client to enable VLAN tagging and send all packets with the VLAN 22 tag? Who is honouring this information?

    radtest -t mschap host/scit-beerchen test 127.0.0.1:1812 0 testing123
    Sending Access-Request of id 16 to 127.0.0.1 port 1812
        User-Name = host/scit-beerchen
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        MS-CHAP-Challenge = 0x315c8360df930d89
        MS-CHAP-Response = 0x0001ebec6d1eb202859db7dcc8586ecc2469b8dae48d7aabb3ab
    rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=16, length=100
        Tunnel-Private-Group-Id:0 = 22
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Type:0 = VLAN
        MS-CHAP-MPPE-Keys = 0x2066656e05c22f3a995ad9ecfed913d6
        MS-MPPE-Encryption-Policy = 0x0001
        MS-MPPE-Encryption-Types = 0x0006

TIA
Alex
Re: Who processes VLAN information?
Hi Alan,

thanks for the quick answer! It seems the Linksys SRW switches support VLAN and RADIUS, but not a dynamic assignment of VLAN via RADIUS. That's all frustrating, why didn't I run a pedal boat shop on a Greek beach... :-)

bye
Alex

> The switch. Maybe. It is free to ignore the VLAN information.
>
> Alan DeKok.
Can't add a $ sign to the ldap search
Hi,

I tried to change the ldap search filter in the ldap module, to search for a username user and user$ in LDAP, if user is given. This is necessary to authenticate my workstations and users via LDAP. This is my filter definition in the ldap module:

    filter = (|(uid=%{%{Stripped-User-Name}:-%{User-Name}})(uid=%{%{Stripped-User-Name}:-%{User-Name}}\$))

This is what I get:

    [ldap] expand: (|(uid=%{%{Stripped-User-Name}:-%{User-Name}})(uid=%{%{Stripped-User-Name}:-%{User-Name}}$)) - (|(uid=scit-beerchen)(uid=scit-beerchen))
    [ldap] expand: dc=verwaltung,dc=kh-berlin,dc=de - dc=verwaltung,dc=kh-berlin,dc=de
    [ldap] ldap_get_conn: Checking Id: 0
    [ldap] ldap_get_conn: Got Id: 0
    [ldap] attempting LDAP reconnection
    [ldap] (re)connect to physalis:389, authentication 0
    [ldap] bind as / to physalis:389
    [ldap] waiting for bind result ...
    [ldap] Bind was successful
    [ldap] performing search in dc=verwaltung,dc=kh-berlin,dc=de, with filter (|(uid=scit-beerchen)(uid=scit-beerchen))
    [ldap] object not found

But the $ sign is always ignored. I tried also \\$ and some other combinations. But none worked. So I'm doing it the wrong way. How do I add (or escape) the $ into my query?

BTW: The query (|(uid=scit-beerchen)(uid=scit-beerchen$)) works on the shell with ldapsearch. The ldap module itself works also. What's the problem?

TIA
Alex
Re: Can't add a $ sign to the ldap search
Hi Phil,

>> filter = (|(uid=%{%{Stripped-User-Name}:-%{User-Name}})(uid=%{%{Stripped-User-Name}:-%{User-Name}}\$))
> Don't do that. Instead try:
> filter = (uid=%{mschap:User-Name})

Hm, this is not working. I also don't get the point, why the username in mschap is mangled to have a $ or not? The Windows workstations query their name as host/workstation, which is workstation$ in my ldap. My users are coming in as user, so where else to do the lookup than in the ldap module? The host/ realm is stripped off before. I made now a workaround with ...%{User-Name}}*)). This will match workstation and workstationWHATEVER. Not very elegant, but I assume a bug in the ldap module, because every other char works, just $ not. If you could explain your point, I might look through it.

TIA
Alex
Using LDAP with EAP-TLS
Hi,

I'm trying to make FR 2.1.10 on Squeeze work with my LDAP installation. What I want to do is: a host-based authentication for my workstations. All the names of the workstations are in LDAP; the authentication itself should be done with EAP-TLS. I would like to have a hint how to start EAP when the LDAP query was successful. The LDAP query works I think, FR says: [ldap] user scit-beerchen authorized to use remote access, but then it tries to make some kind of password authentication (I have no password for workstations in LDAP), and is not starting EAP-TLS. The asking host scit-beerchen is in the WLAN-User group. What could I do? Please have a look at my debug output:

    rad_recv: Access-Request packet from host 10.48.244.28 port 3079, id=0, length=139
        User-Name = scit-beerchen
        NAS-IP-Address = 10.48.244.28
        Called-Station-Id = 0016b64f44cc
        Calling-Station-Id = 002268c63ff2
        NAS-Identifier = 0016b64f44cc
        NAS-Port = 11
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x021201736369742d626565726368656e
        Message-Authenticator = 0x12969f7ffa42f57be53a54474c1274be
    # Executing section authorize from file /etc/freeradius/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = scit-beerchen, looking up realm NULL
    [suffix] No such realm NULL
    ++[suffix] returns noop
    [ntdomain] No '\' in User-Name = scit-beerchen, looking up realm NULL
    [ntdomain] No such realm NULL
    ++[ntdomain] returns noop
    [eap] EAP packet type response id 0 length 18
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] returns updated
    ++[files] returns noop
    [ldap] performing user authorization for scit-beerchen
    [ldap] expand: %{Stripped-User-Name} -
    [ldap] ... expanding second conditional
    [ldap] expand: %{User-Name} - scit-beerchen
    [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) - (uid=scit-beerchen)
    [ldap] expand: dc=verwaltung,dc=kh-berlin,dc=de - dc=verwaltung,dc=kh-berlin,dc=de
    [ldap] ldap_get_conn: Checking Id: 0
    [ldap] ldap_get_conn: Got Id: 0
    [ldap] attempting LDAP reconnection
    [ldap] (re)connect to physalis:389, authentication 0
    [ldap] bind as / to physalis:389
    [ldap] waiting for bind result ...
    [ldap] Bind was successful
    [ldap] performing search in dc=verwaltung,dc=kh-berlin,dc=de, with filter (uid=scit-beerchen)
    [ldap] No default NMAS login sequence
    [ldap] looking for check items in directory...
    [ldap] looking for reply items in directory...
    WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
    [ldap] user scit-beerchen authorized to use remote access
    [ldap] ldap_release_conn: Release Id: 0
    ++[ldap] returns ok
    ++? if (notfound)
    ? Evaluating (notfound) - FALSE
    ++? if (notfound) - FALSE
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING! No known good password found for the user. Authentication may fail because of this.
    ++[pap] returns noop
    [ntlm_auth] expand: --username=%{mschap:User-Name} - --username=scit-beerchen
    [ntlm_auth] expand: --password=%{User-Password} - --password=
    Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a)
    Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a)
    Exec-Program: returned: 1
    ++[ntlm_auth] returns reject
    Using Post-Auth-Type Reject
    # Executing group from file /etc/freeradius/sites-enabled/default
    +- entering group REJECT {...}
    [attr_filter.access_reject] expand: %{User-Name} - scit-beerchen
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 0 for 1 seconds
    Going to the next request
    Waking up in 0.8 seconds.
    rad_recv: Access-Request packet from host 10.48.244.28 port 3079, id=0, length=139
    Cleaning up request 0 ID 0 with timestamp +1034
        User-Name = scit-beerchen
        NAS-IP-Address = 10.48.244.28
        Called-Station-Id = 0016b64f44cc
        Calling-Station-Id = 002268c63ff2
        NAS-Identifier = 0016b64f44cc
        NAS-Port = 11
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x021201736369742d626565726368656e
        Message-Authenticator = 0x11c70e19e2f1150428f5cc12d535e57b
    # Executing section authorize from file /etc/freeradius/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = scit-beerchen, looking up realm NULL
    [suffix] No such realm NULL
    ++[suffix] returns noop
    [ntdomain] No '\' in User-Name = scit-beerchen, looking up realm NULL
    [ntdomain] No such realm NULL
    ++[ntdomain] returns noop
    [eap] EAP packet type response id 0 length 18
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] returns updated
    ++[files]
Re: Using LDAP with EAP-TLS
Hi Phil,

Phil Mayers wrote:
> You've broken the default configs by adding in modules you don't need and don't understand. Go back to the default configs. Then *just* configure LDAP, and things will work.

That's what I did right now, EAP starts (Ubuntu 10.04, with working cert on FR 1.1) but the conversation is ended without Access-OK. Phil, I also understand a lot of things and I can read, but the documentation of FR is not ideal. I've googled around, looked at examples and had more questions than before. Where are all these features documented, like the if-then things in the conf, all the keywords like ok=return and so on, what's the difference between Autz-Type and Auth-Type? The only thing to get help is here on the list; on the net you find a lot of infos on FR 1.1 and 2 (one is deployingradius and one the FR site), sites containing a little bit of information, not much more than the conf files coming with the FR archive. I'm not complaining, because it's an open source project, but you should note that it's sometimes not the lack of understanding but the lack of well documented features. And if I can't find the infos I need in the docs, I start to try things out. I've added ntlm_auth to authorize requests from NT4 users, didn't know that this is a NoGo. :-)

Here's my debug:

    rad_recv: Access-Request packet from host 10.48.244.28 port 3079, id=0, length=139
        User-Name = scit-beerchen
        NAS-IP-Address = 10.48.244.28
        Called-Station-Id = 0016b64f44cc
        Calling-Station-Id = 002268c63ff2
        NAS-Identifier = 0016b64f44cc
        NAS-Port = 11
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x021201736369742d626565726368656e
        Message-Authenticator = 0x651ac911817a87ba89a408f0d94ab4aa
    # Executing section authorize from file /etc/freeradius/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = scit-beerchen, looking up realm NULL
    [suffix] No such realm NULL
    ++[suffix] returns noop
    [ntdomain] No '\' in User-Name = scit-beerchen, looking up realm NULL
    [ntdomain] No such realm NULL
    ++[ntdomain] returns noop
    [eap] EAP packet type response id 0 length 18
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] returns updated
    ++[files] returns noop
    [ldap] performing user authorization for scit-beerchen
    [ldap] expand: %{Stripped-User-Name} -
    [ldap] ... expanding second conditional
    [ldap] expand: %{User-Name} - scit-beerchen
    [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) - (uid=scit-beerchen)
    [ldap] expand: dc=verwaltung,dc=kh-berlin,dc=de - dc=verwaltung,dc=kh-berlin,dc=de
    [ldap] ldap_get_conn: Checking Id: 0
    [ldap] ldap_get_conn: Got Id: 0
    [ldap] attempting LDAP reconnection
    [ldap] (re)connect to physalis:389, authentication 0
    [ldap] bind as / to physalis:389
    [ldap] waiting for bind result ...
    [ldap] Bind was successful
    [ldap] performing search in dc=verwaltung,dc=kh-berlin,dc=de, with filter (uid=scit-beerchen)
    [ldap] No default NMAS login sequence
    [ldap] looking for check items in directory...
    [ldap] looking for reply items in directory...
    WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
    [ldap] user scit-beerchen authorized to use remote access
    [ldap] ldap_release_conn: Release Id: 0
    ++[ldap] returns ok
    ++? if (notfound)
    ? Evaluating (notfound) - FALSE
    ++? if (notfound) - FALSE
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING! No known good password found for the user. Authentication may fail because of this.
    ++[pap] returns noop
    Found Auth-Type = EAP
    # Executing group from file /etc/freeradius/sites-enabled/default
    +- entering group authenticate {...}
    [eap] EAP Identity
    [eap] processing type tls
    [tls] Requiring client certificate
    [tls] Initiate
    [tls] Start returned 1
    ++[eap] returns handled
    Sending Access-Challenge of id 0 to 10.48.244.28 port 3079
        EAP-Message = 0x010100060d20
        Message-Authenticator = 0x
        State = 0xe9291e9ae928135b6c752006f18ad076
    Finished request 0.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 10.48.244.28 port 3079, id=0, length=240
    Cleaning up request 0 ID 0 with timestamp +22
    WARNING: !!
    WARNING: !! EAP session for state 0xe9291e9ae928135b did not finish!
    WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
    WARNING: !!
        User-Name = scit-beerchen
        NAS-IP-Address = 10.48.244.28
        Called-Station-Id = 0016b64f44cc
        Calling-Station-Id = 002268c63ff2
        NAS-Identifier = 0016b64f44cc
        NAS-Port = 11
        Framed-MTU = 1400
        State =
Re: Using LDAP with EAP-TLS
Hi Alan,

Alan DeKok wrote:
> You're forcing Auth-Type, and using ntlm_auth for EAP-TLS. This is wrong. Don't force Auth-Type.

I didn't want that; now after kicking out ntlm_auth things work, even the cert has been accepted. I assume the problem I had was that the time of the radius machine was not in sync with the network and the signal for WLAN was too low. After fixing both, the conversation worked and I got an Access-Accept. Thanks to you and Phil for the help.

bye
Alex
LDAP: More than one searchfilter
Hi,

just one other question: how is it possible to have (or control) more than one filter in the ldap module? I use our LDAP to have access via PEAP or EAP-TLS; this works, thanks to this list. The problem now is that workstations are stored as WORKSTATIONNAME$ (with a $ at the end, thanks to Samba) and the user is stored with its username. Unfortunately, the workstations come in their RADIUS request without the $ sign, just the name. So if I want to look up a workstation name I have to add a $ sign to every request, or LDAP won't find it. Otherwise the $ shouldn't be added while looking for a username. Is there an idea how to control the ldap filter for this?

TIA
Alex
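As an added example (my own code, not FreeRADIUS's and not from any poster), here is the mapping the two "$ sign" threads above ("Can't add a $ sign to the ldap search" and this one) keep circling around, written in Python: a RADIUS User-Name is turned into the uid Samba stores (host/NAME becomes NAME$, which is also what FreeRADIUS's %{mschap:User-Name} expansion produces; DOMAIN\user becomes user), and the value is escaped per RFC 4515 before it is put into the filter, so a request cannot change the filter's structure. The bare_machine_names option, covering LAN supplicants that send the bare hostname, and the sample names are assumptions for illustration.

```python
"""Map a RADIUS User-Name to the uid Samba stores in LDAP and build a safe filter.

Added example, not FreeRADIUS's own code. Conventions taken from the thread:
  - Windows machine auth sends "host/NAME" (WLAN) or just "NAME" (LAN)
  - Samba keeps machine accounts as "NAME$"; users as their plain username
  - a user may also arrive as "DOMAIN\\user" (NT-style prefix)
"""
from __future__ import annotations

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def to_ldap_uid(user_name: str) -> tuple[str, bool]:
    """Return (uid, is_machine) for a RADIUS User-Name.

    host/scit-beerchen             -> ("scit-beerchen$", True)
    host/scit-beerchen.example.org -> ("scit-beerchen$", True)   label before the first dot
    alex                           -> ("alex", False)
    VERWALTUNG\\alex               -> ("alex", False)            NT domain prefix dropped
    """
    if user_name.lower().startswith("host/"):
        host = user_name[len("host/"):].split(".", 1)[0]
        return host + "$", True          # Samba machine accounts carry a trailing $
    _, sep, user = user_name.rpartition("\\")
    return (user if sep else user_name), False


def build_filter(user_name: str, bare_machine_names: bool = False, attr: str = "uid") -> str:
    """Build the LDAP search filter for one request.

    bare_machine_names=False: a name is a machine (host/...) or a user, and
    exactly one uid is searched.
    bare_machine_names=True: a name without the host/ prefix is also tried as
    NAME$, for LAN supplicants that send only the hostname. Unlike a wildcard
    workaround such as (uid=name*), this never matches "nameWHATEVER".
    """
    uid, is_machine = to_ldap_uid(user_name)
    if is_machine or not bare_machine_names:
        return f"({attr}={ldap_escape(uid)})"
    return f"(|({attr}={ldap_escape(uid)})({attr}={ldap_escape(uid + '$')}))"


if __name__ == "__main__":
    # Constructed sample names; the last one shows the escaping at work.
    for name in ("host/scit-beerchen", "scit-beerchen", "VERWALTUNG\\alex", "alex*)(uid=*"):
        print(f"{name!r:24} -> {build_filter(name, bare_machine_names=True)}")
```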
Re: Freeradius + EAP-TLS + LDAP
Hi Folks,

the question makes sense, I think I wrote it not understandably enough.

1. What I already do is:
1.1. Authenticating Computers/Workstations via EAP-TLS against my Switches
1.2. Users are authenticated with PEAP and Cleartext-Passwords in $RADDB/users

2. What I want to do is:
2.1. Upgrade to 2.1
2.2. Use my LDAP to collect and control authentication of Workstations and Users

3. What I have is:
3.1. Certs on all Computers/Workstations and an entry in $RADDB/users of the Computername with Authentication-Type = EAP
3.2. Users in my LDAP with crypted Passwords (MD5/crypt) AND Passwords for Samba (NT-Passwords).
3.3. All Computernames in my LDAP (because I run a Samba-NT4-Domain).

4. Question is:
4.1. Can I configure FR to look up the Computername upon a request in the LDAP, and if it finds the entry to enter an EAP-TLS authentication, and if not to deny access?
4.2. To authenticate all users of a specific group which are in LDAP with their password which is stored crypted/hashed in LDAP using PEAP?

I hope it's clear enough now.

TIA
Alex
Re: Freeradius + EAP-TLS + LDAP
Hi Phil,

Phil Mayers wrote:
> Ah, good. If you have NT-Password, PEAP/MS-CHAP should work.

Great!

> Yes. There are lots of ways to do this, depending on what key you want to use for the lookup (machine account name, mac address, TLS cert subject)

Thanks, I'll start to do this. Machine account name should work for me. Any hints, or how to do this? Is there somewhere an example available to start with? I'm new to FR 2.1 and it's hard to make even my old config work on the test machine.

bye
Alex
Freeradius + EAP-TLS + LDAP
Hi,

with my FR 1.x installation I'm authenticating Computers via EAP-TLS against my Switches. Users are authenticated with PEAP; all are held in the users text file in $RADDB/users. But with a rising number of PCs and Users the editing of the users file is a bit uncomfortable. I want to upgrade everything to FR 2.1 on my Debian Squeeze box, using LDAP, because I already have all Users and PCs in my OpenLDAP (for the use of Samba). I'm a bit unsure about the doc, which says no EAP-TLS while using LDAP and no crypted passwords. If I read here, I have the impression that this is something some people already do. I'd like to authenticate PCs with EAP-TLS which are in the LDAP list by name; there is no need to extract a cert from the LDAP tree. Just check the name, and if the cert matches the server cert the access is granted. As I already do now. The users should be checked by uid and the password should be checked, but I have of course no cleartext password in my LDAP, they are all crypt or MD5 (depends on the tree). Is this possible or not?

TIA
Alex
Re: No EAP/TLS with XP SP3 since End December
Alexandros Gougousoudis wrote:
> (after I went into the xmas holidays) the Radius-Auth stopped working. I changed nothing at the Freeradius-Server. I suspect an MS-Update, major security updates are rolled out automatically here. But I don't know which one.

Thanks for all replies. It turned out that neither the server nor the client was the problem. It seems we had an MTU problem in our MPLS-VPN, which corrupted the conversation between Authenticator and Radius-Server. Our provider fixed it and since then I have again no problems with Radius. Most other services in the net worked, some not, so I got suspicious and asked our MPLS provider. Ubuntu worked because the Client, Authenticator and Server were all together in the same LAN (in that segment we have no Windows). It was a good riddle for the new year, can I have another one? :-) Good thing is that I started to use FreeRadius 2.10 on Lenny for testing. :-)

ciao
Dros
No EAP/TLS with XP SP3 since End December
Hi,

I had a working FreeRadius 1.1.6 installation and running XP Pro SP3 with EAP/TLS on an Ethernet port. I use Linksys switches as authenticators. I think since end of December (after I went into the xmas holidays) the Radius-Auth stopped working. I changed nothing at the Freeradius-Server. I suspect an MS-Update, major security updates are rolled out automatically here. But I don't know which one. I made a debug with radiusd -X -A. The conversation looks normal, but at the end I miss the Login OK statement; it looks like the conversation is not finished and falls asleep. I don't see an error. Can anyone look over it please to give me a hint where to look?

TIA
Alex

Debug:

    rad_recv: Access-Request packet from host 10.48.250.10:49154, id=0, length=101
        NAS-IP-Address = 10.48.250.10
        NAS-Port-Type = Ethernet
        NAS-Port = 7
        User-Name = host/hfs-080806-02
        EAP-Message = 0x0217001701686f73742f6866732d3038303830362d3032
        Message-Authenticator = 0xcd421dbdb5fcc2e7692fe75fcbfd5892
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 6
    modcall[authorize]: module preprocess returns ok for request 6
    modcall[authorize]: module mschap returns noop for request 6
    rlm_eap: EAP packet type response id 23 length 23
    rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
    modcall[authorize]: module eap returns updated for request 6
    users: Matched entry host/hfs-080806-02 at line 3
    modcall[authorize]: module files returns ok for request 6
    modcall: leaving group authorize (returns updated) for request 6
    rad_check_password: Found Auth-Type EAP
    auth: type EAP
    Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 6
    rlm_eap: EAP Identity
    rlm_eap: processing type tls
    rlm_eap_tls: Requiring client certificate
    rlm_eap_tls: Initiate
    rlm_eap_tls: Start returned 1
    modcall[authenticate]: module eap returns handled for request 6
    modcall: leaving group authenticate (returns handled) for request 6
    Sending Access-Challenge of id 0 to 10.48.250.10 port 49154
        EAP-Message = 0x011800060d20
        Message-Authenticator = 0x
        State = 0x793054942f9417f5a0886c08dd4a0e4e
    Finished request 6
    Going to the next request
    --- Walking the entire request list ---
    Waking up in 6 seconds...
    rad_recv: Access-Request packet from host 10.48.250.10:49154, id=0, length=183
        NAS-IP-Address = 10.48.250.10
        NAS-Port-Type = Ethernet
        NAS-Port = 7
        User-Name = host/hfs-080806-02
        State = 0x793054942f9417f5a0886c08dd4a0e4e
        EAP-Message = 0x021800570d80004d1603010048014403014d219685836869e950cfbb8e7ae7a18a95c8871d059171695d24fd163d12cec61600040005000a000900640062000300060013001200630105ff01000100
        Message-Authenticator = 0x714b3ff58781c8329f0cebcbf99bc3e2
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 7
    modcall[authorize]: module preprocess returns ok for request 7
    modcall[authorize]: module mschap returns noop for request 7
    rlm_eap: EAP packet type response id 24 length 87
    rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
    modcall[authorize]: module eap returns updated for request 7
    users: Matched entry host/hfs-080806-02 at line 3
    modcall[authorize]: module files returns ok for request 7
    modcall: leaving group authorize (returns updated) for request 7
    rad_check_password: Found Auth-Type EAP
    auth: type EAP
    Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 7
    rlm_eap: Request found, released from the list
    rlm_eap: EAP/tls
    rlm_eap: processing type tls
    rlm_eap_tls: Authenticate
    rlm_eap_tls: processing TLS
    rlm_eap_tls: Length Included
    eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
    rlm_eap_tls: TLS 1.0 Handshake [length 0048], ClientHello
    TLS_accept: SSLv3 read client hello A
    rlm_eap_tls: TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
    rlm_eap_tls: TLS 1.0 Handshake [length 0ed5], Certificate
    TLS_accept: SSLv3 write certificate A
    rlm_eap_tls: TLS 1.0 Handshake [length 00bd], CertificateRequest
    TLS_accept: SSLv3 write certificate request A
    TLS_accept: SSLv3 flush data
    TLS_accept: Need to read more data: SSLv3 read client certificate A
    In SSL Handshake Phase
    In SSL Accept mode
    eaptls_process returned 13
    modcall[authenticate]: module eap returns handled for request 7
    modcall: leaving group authenticate (returns handled) for request 7
    Sending Access-Challenge of id 0 to 10.48.250.10 port 49154
        EAP-Message =
Re: No EAP/TLS with XP SP3 since End December
Alan DeKok wrote:
> See if your certificate has expired.

Nope, that was the first thing I checked. Server and client cert are still valid. It seems that no XP client (even some old SP2 clients) can log on anymore; Ubuntu can. Is there some possibility to force a Login OK as a default action in the users file? That could take out the pressure here.

TIA
Alex
Re: No EAP/TLS with XP SP3 since End December
Hi Phil,

Phil Mayers wrote:
> To be clear, all windows clients fail? But other clients succeed?

Exactly, Ubuntu can authenticate, all XP not.

> It is possible a windows update has removed the intermediate certificate from the client(s). IIRC Microsoft have done this in the past, expecting the intermediate CA to be provided during TLS negotiation. In this case, you need to have the correct CA (chain) at the FreeRadius side. Have you got this configured correctly?

Yes, server cert/key and client cert/key originate from the same CA, which is also present at the radius server. At least that wasn't a problem for 2 years, after I worked out how to use Radius with XP SP3.

> It won't help running such an old version of FreeRadius.

Yes, but it was enough for us, since we don't need Vista and Win 7 support. I'm working currently on Debian Lenny to make the 2.10 coming over lenny-backports work. But it's not easy and I don't know if it fixes the problem. I think an MS security update killed the radius authentication. Is anyone having a working auth with Freeradius and a fully patched XP Pro SP3?

TIA
Alex
Re: No EAP/TLS with XP SP3 since End December
Hi JDL,

that's a good point, I didn't think about that. But it's not my problem, I have 4096 key length. It should be ok.

thx
Alex

JDL wrote:
> December. My understanding was that this was only to affect new certificates, however, since certificates are involved in the EAP process, you may want to add this information to your investigation.
Re: XP SP3 an EAP-TLS partly solution (SOLVED)
Hi,

just to give an update on my efforts to make XP SP3 work with EAP-TLS. Machine-based EAP-TLS authentication works fine for WIRED connections, as I wrote in the last mail. BUT that doesn't mean that it works for wireless connections. :-) Before SP3 there wasn't a problem with that; with this alpha version of a service pack, it's not working.

First of all, the things you need to do with the network adapter profiles using the netsh command aren't working in XP with wlan profiles, simply because the netsh command doesn't know "netsh wlan ..." (you get an error). Vista knows that context, XP SP3 not. So there is a freeware utility zwlancfg here: http://www.engl.co.uk/products/zwlancfg/index.html Get that and you can export and import the wlan profiles.

But setting the authentication to authMode machine as with wired connections won't work. You always get a "no certificate found" error (the cert which is ok for wired connections!) and no connection. If the tool zwlancfg is setting up the connection manually, you get an "illegal authmode" error. So you need to set up the connection with a machineOrUser authmode. It seems there is no machine authmode in XP SP3 anymore. As written by MS here: http://msdn.microsoft.com/en-us/library/ms706279.aspx

> This element is optional. When authMode is not specified in a profile, a value of machineOrUser is used.
> Windows XP with SP3 and Wireless LAN API for Windows XP with SP2: This element will be ignored if it is present in a profile

But stop! It's not that easy. :-) Because it's Microsoft, it always works a little, but never 100%. If no user is logged in (= login screen), the connection is established (seen in the Radius log). If a user logs in, the connection is dropped and you get a "no cert" error. If the machine cert is included in the user's context, using the cert-mgr, the connection is again established. So I have to install the machine cert for each user who will log in to the computer.

And, hey, did I say that machine-based EAP-TLS auth via WLAN worked in SP2, despite the MS information? It's definitely not a Freeradius problem, but most people will look here to solve the problem. After a lot of googling I found that I must be the only one with that combination and problems. So SP3 haters, unite! :-) And stay with SP2. And no, I won't buy Vista! I'll post my solution here either way. If someone likes to give me a hint, I'll be happy.

cu
Alex
Re: XP SP3 an EAP-TLS partly solution
Hi Ivan,

> Try signing client certificates with the ca certificate. I have included modified Makefile for 2.1.3. I have added make caclient.pem to produce client certificates and cleanca to remove them. Try importing caclient.p12 created this way onto the user machine (along with ca.der) and see if they will work with SP3. They should work with SP2 as well.

Thanks for your reply, but that is already what I do. I have created a CA in TinyCA and the server has a signed server cert and each client has a signed client cert (both with the XP-specific usage attributes). The CA is of course imported into the trusted authorities branch. The CN is the computer name (because I'm doing a machine-based auth). The certmgr in XP says it's a valid and trusted cert. That's how it worked in SP2. I compared your example cert with my cert and I can't see a significant difference. Look here for my client cert:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 127 (0x7f)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS, OU=ServiceCenter-IT, CN=ServiceCenter-IT_KHB_HfM_HfS/emailaddress=sc...@kh-berlin.de
            Validity
                Not Before: Jan 16 14:24:44 2009 GMT
                Not After : Jan 15 14:24:44 2014 GMT
            Subject: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS, OU=ServiceCenter-IT, CN=HFS-PA-140109-2
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (4096 bit)
                    Modulus (4096 bit):
                        00:a8:74:46:34:9e:7d:1d:45:71:0d:35:d8:48:ea:
                        [...]
                        39:72:cf:d8:e5:c8:6c:2e:7f:95:1d:6b:cb:49:78:
                        6f:94:4b
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Cert Type:
                    SSL Client, S/MIME, Object Signing
                Netscape Comment:
                    TinyCA Generated Certificate
                X509v3 Subject Key Identifier:
                    DA:29:47:A5:D0:34:CC:D1:94:86:98:A4:65:68:C5:1D:F7:9C:E8:D5
                X509v3 Authority Key Identifier:
                    keyid:B9:39:B6:CE:8A:52:91:2E:AE:CE:16:24:18:B1:F4:D8:30:3D:04:2E
                    DirName:/C=DE/ST=Berlin/L=Berlin/O=KHB HfM HfS/OU=ServiceCenter-IT/CN=ServiceCenter-IT_KHB_HfM_HfS/emailaddress=sc...@kh-berlin.de
                    serial:89:0D:6F:61:AC:0C:E0:05
                X509v3 Issuer Alternative Name:
                    email:sc...@kh-berlin.de
                X509v3 Subject Alternative Name:
                    DNS:HFS-PA-140109-2
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage: critical
                    TLS Web Client Authentication
        Signature Algorithm: sha1WithRSAEncryption
            10:c4:7c:60:3f:d2:44:de:8b:79:01:d9:ce:3d:0e:af:59:c9:
            [...]
            f7:80:cc:0f:42:db:b3:fd

Don't know what to do. Have you tried a machine-based EAP-TLS with SP3?

TIA
Alex
Re: XP SP3 an EAP-TLS partly solution (SOLVED)
Hi Thiebault,

you saved me. AGAIN! :-) That was the clue: not including the email in the DN, just saying "no" in TinyCA, was the first step to the solution. XP SP3 then took the cert for auth.

@Ivan: Thanks for your reply, but it's not a TinyCA issue.

Second step was that 2000/XP <= SP2 converted the computer name to lowercase (mine are uppercase), so I had all entries in the users file in lowercase. SP3 sends the computer name in uppercase (also in the client cert). So after your hint I got

    Mon Jan 26 13:29:11 2009 : Auth: Login incorrect: [host/HFS-PA-140109-1] (from client hfs-schneller port 24)

showing that XP accepted the cert. After changing the hostname to uppercase in the users file I got:

    Mon Jan 26 13:49:20 2009 : Auth: Login OK: [host/HFS-PA-140109-1] (from client hfs-schneller port 24)

And of course don't forget to assign the right profile XML to the LAN adapter for machine-based auth.

> Your CA cert's DN includes the emailAddress, though this was not exactly the issue I had (mine was related to the client certs), I would recommend not adding this emailAddress to the DN and test again.

Thanks!

cu
Alex (who hates Microsoft for changing important things silently)
Re: XP SP3 an EAP-TLS partly solution
Hi Ivan,

t...@kalik.net wrote:
> You should upgrade to the latest version. If that doesn't cure it, try making client certificate signed by the CA and not server certificate.

I had 2.1.3 running a week ago, but it didn't work either. But I wasn't sure about the configs. Unfortunately the documentation is bad. Any hints? Someone on this list recommended me to upgrade to 1.1.7 to make it work (wasn't it you? :-) ), but it doesn't work.

The certs shouldn't be the problem. On the clients I have a client cert with the right extended usage and the server has a server cert with the right attributes. In XP the certmgr says it's for client authentication. They worked with SP2. But I also tried to install a server cert with client extended usage, also no success.

I'm a bit worried about the registry errors in the logs I've posted. I can't believe that I'm the first one who tried to authenticate an XP SP3 machine with EAP-TLS to Freeradius. I mean, XP has a market dominance of 95% and this problem should also occur if you authenticate via WLAN. So there must be a solution and I'm doing something terribly wrong. I'd like to hear from at least one person that it works. At the moment I believe XP SP3 is incompatible with Freeradius.

Thanks
Alex
Re: No EAP-TLS with XP SP3 ?
Hi Alan,

a.l.m.bu...@lboro.ac.uk wrote:
> if you had a working 1.1.0 system then you could upgrade quickly to 1.1.7 - same config etc etc - and then spend 'offline-time' getting

I thought it was working, but it isn't. I upgraded to 1.1.6 from 1.1.0, same setup, but XP SP3 doesn't authenticate against Freeradius. Though I don't think it's a problem of Freeradius, because radiusd -X shows no requests from the XP machine. We had that a couple of years ago, when XP couldn't determine which certificate to use. But using the right extended usage keys solved the problems. The new 802.1x service is of course set to automatic and it's running. If I downgrade my machines to SP2, radius works immediately. So I think the cert creation differs from old XP. Are there any hints about it? I googled for Vista and Freeradius or SP3, but most information is not for eap-tls, not for machine-based authentication, or prior to Vista or SP3. Is XP SP3 somewhere running with EAP-TLS (machine-based authentication)? What can I do?

TIA
Alex
Re: No EAP-TLS with XP SP3 ?
Hi,

I tried to compile 1.1.7 on OpenSUSE 10.1. But I get the following error at the end:

    Processing files: freeradius-dialupadmin-1.1.7-0.suse1010
    Processing files: freeradius-devel-1.1.7-0.suse1010
    Checking for unpackaged file(s): /usr/lib/rpm/check-files /var/tmp/freeradius-1.1.7-build
    error: Installed (but unpackaged) file(s) found:
       /etc/raddb/postgresqlippool.conf

    RPM build errors:
        Installed (but unpackaged) file(s) found:
       /etc/raddb/postgresqlippool.conf

I have no /etc/raddb/postgresqlippool.conf file. Don't know why the program complains about that. FR 2.1.3 compiled without errors. Any ideas?

TIA
Alex

> if you had a working 1.1.0 system then you could upgrade quickly to 1.1.7 - same config etc etc - and then spend 'offline-time' getting
Re: No EAP-TLS with XP SP3 ?
Hi,

solved it. Must be a bug in 1.1.7. I used 1.1.6 and all works fine (incl. XP SP3).

cu
Alex
No EAP-TLS with XP SP3 ?
Hi,

I have a lot of problems doing an EAP-TLS authentication with Freeradius 2.1.3. We're doing a machine-based authentication with certs, using EAP-TLS with 802.1x-capable Linksys switches (cable based). We had NO problems at all with Freeradius 1.1.0 and Windows 2000 SP4 and XP SP2 and Linux. We're using no Vista machines at all. With XP SP3 the auth failed; I googled that FR 1.1.0 is not capable of doing this, because SP3 uses the same 802.1x engine as Vista does. So I upgraded to 2.1.3 and compiled it on OpenSuse 10.1 without errors, and the software runs without problems. But the auth still doesn't work. I'm a bit confused about the new inner-tunnel and a few options I'm not aware of from my FR 1.1 setup. Is there somewhere a walk-through published to make XP SP3 work with FR again?

TIA
Alex
Problem on WPA-EAP with Linux
Hi,

I'm having trouble authenticating my Linux workstations with wpa_supplicant to Freeradius (1.1). The Windows stations are working fine, but Linux is making trouble. The AP is a Linksys WLAN access point; as said, WPA Radius works, because all Windows notebooks can log in. I'm doing WPA over EAP. And my error is:

    Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request

After switching on my debug I see this:

    rlm_eap: NAK asked for bad type 0
    rlm_eap: Failed in EAP select

Which is most certainly the reason why the auth fails. But I'm far away from knowing the solution. Can you help please? Below the complete log of the conversation:

    rad_recv: Access-Request packet from host 10.48.244.28:3073, id=1, length=131
            User-Name = scit-acer
            NAS-IP-Address = 10.48.244.28
            Called-Station-Id = 0016b64f44cc
            Calling-Station-Id = 0016cfab64e4
            NAS-Identifier = 0016b64f44cc
            NAS-Port = 43
            Framed-MTU = 1400
            NAS-Port-Type = Wireless-802.11
            EAP-Message = 0x0201000e01736369742d61636572
            Message-Authenticator = 0x8b86db463306f78257b8e03600912a5b
      Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 0
      modcall[authorize]: module preprocess returns ok for request 0
      rlm_eap: EAP packet type response id 1 length 14
      rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
      modcall[authorize]: module eap returns updated for request 0
        users: Matched entry scit-acer at line 14
      modcall[authorize]: module files returns ok for request 0
    modcall: leaving group authorize (returns updated) for request 0
      rad_check_password: Found Auth-Type EAP
    auth: type EAP
      Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 0
      rlm_eap: EAP Identity
      rlm_eap: processing type tls
      rlm_eap_tls: Requiring client certificate
      rlm_eap_tls: Initiate
      rlm_eap_tls: Start returned 1
      modcall[authenticate]: module eap returns handled for request 0
    modcall: leaving group authenticate (returns handled) for request 0
    Sending Access-Challenge of id 1 to 10.48.244.28 port 3073
            EAP-Message = 0x010200060d20
            Message-Authenticator = 0x
            State = 0xb2f2a1559ef1683126762202eeec3974
    Finished request 0
    Going to the next request
    --- Walking the entire request list ---
    Waking up in 6 seconds...
    rad_recv: Access-Request packet from host 10.48.244.28:3073, id=1, length=141
            User-Name = scit-acer
            NAS-IP-Address = 10.48.244.28
            Called-Station-Id = 0016b64f44cc
            Calling-Station-Id = 0016cfab64e4
            NAS-Identifier = 0016b64f44cc
            NAS-Port = 43
            Framed-MTU = 1400
            State = 0xb2f2a1559ef1683126762202eeec3974
            NAS-Port-Type = Wireless-802.11
            EAP-Message = 0x020200060300
            Message-Authenticator = 0x9a1a879ecba47ab01f2f3410625ceabc
      Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 1
      modcall[authorize]: module preprocess returns ok for request 1
      rlm_eap: EAP packet type response id 2 length 6
      rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
      modcall[authorize]: module eap returns updated for request 1
        users: Matched entry scit-acer at line 14
      modcall[authorize]: module files returns ok for request 1
    modcall: leaving group authorize (returns updated) for request 1
      rad_check_password: Found Auth-Type EAP
    auth: type EAP
      Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 1
      rlm_eap: Request found, released from the list
      rlm_eap: EAP NAK
      rlm_eap: NAK asked for bad type 0
      rlm_eap: Failed in EAP select
      modcall[authenticate]: module eap returns invalid for request 1
    modcall: leaving group authenticate (returns invalid) for request 1
    auth: Failed to validate the user.
    Login incorrect: [scit-acer] (from client khb-buehring port 43 cli 0016cfab64e4)
    Delaying request 1 for 1 seconds
    Finished request 1

TIA
Alex
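The "NAK asked for bad type 0" lines above can be read straight out of the EAP-Message hex that radiusd -X prints: the supplicant answered the server's EAP-TLS Start with a Legacy Nak whose only desired type is 0, which per RFC 3748 means "no proposed alternative", i.e. the client side declined EAP-TLS outright rather than offering another method. The decoder below is an added example written for this page, not FreeRADIUS or wpa_supplicant code; it follows the RFC 3748 header layout (Code, Identifier, Length, Type, Type-Data) and the RFC 5216 EAP-TLS flags byte. Its sample input is the three EAP-Message values from the debug log above (constructed list); the EAP_TYPES table is an assumption of this example and lists only the types relevant here.

```python
"""Decode EAP-Message attribute values as printed by radiusd -X (0x....).

Added example, not FreeRADIUS code. Field layout per RFC 3748; the EAP-TLS
flags byte per RFC 5216. EAP_TYPES is a partial table assumed for this demo.
"""
from dataclasses import dataclass
from typing import List, Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
# EAP-TLS flags (RFC 5216 section 3.1): Length included, More fragments, Start
TLS_FLAG_L, TLS_FLAG_M, TLS_FLAG_S = 0x80, 0x40, 0x20


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]   # None for Success/Failure, which carry no Type
    data: bytes               # Type-Data


def decode_eap_message(hex_attr: str) -> EapPacket:
    """Parse one EAP-Message value; raises ValueError on truncated input."""
    text = hex_attr.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)          # odd-length (truncated) hex raises here
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes; got %d" % len(raw))
    code, identifier = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        # A debug line cut short (one ending in [...]) lands here.
        raise ValueError("Length field says %d bytes, %d present" % (length, len(raw)))
    if code in (3, 4):
        return EapPacket(code, identifier, length, None, b"")
    if length < 5:
        raise ValueError("Request/Response needs a Type octet")
    return EapPacket(code, identifier, length, raw[4], raw[5:])


def nak_desired_types(pkt: EapPacket) -> List[int]:
    """Desired alternative Types from a Legacy Nak; [0] means 'no alternative'."""
    if pkt.eap_type != 3:
        raise ValueError("not a Nak")
    return list(pkt.data)


def describe(pkt: EapPacket) -> str:
    """One-line reading of the packet, spelling out the cases seen in this thread."""
    code = EAP_CODES.get(pkt.code, "code %d" % pkt.code)
    if pkt.eap_type is None:
        return "%s id=%d" % (code, pkt.identifier)
    tname = EAP_TYPES.get(pkt.eap_type, "type %d" % pkt.eap_type)
    head = "%s id=%d %s" % (code, pkt.identifier, tname)
    if pkt.eap_type == 1:                               # Identity carries the User-Name
        return "%s identity=%r" % (head, pkt.data.decode("utf-8", "replace"))
    if pkt.eap_type == 3:                               # Legacy Nak
        wanted = nak_desired_types(pkt)
        if wanted == [0]:
            return head + ": peer rejected the offered method and proposes no alternative"
        return "%s: peer proposes %s instead" % (
            head, ", ".join(EAP_TYPES.get(t, str(t)) for t in wanted))
    if pkt.eap_type == 13 and pkt.data:                 # EAP-TLS: first data octet is flags
        flags = pkt.data[0]
        names = [n for n, bit in (("L", TLS_FLAG_L), ("M", TLS_FLAG_M), ("S", TLS_FLAG_S))
                 if flags & bit]
        return "%s flags=%s" % (head, "".join(names) or "-")
    return head


# Constructed sample: the three EAP-Message values from the debug log in this post.
SAMPLE_LOG_VALUES = [
    "0x0201000e01736369742d61636572",  # Response / Identity "scit-acer"
    "0x010200060d20",                  # Request / EAP-TLS with the Start flag set
    "0x020200060300",                  # Response / Nak, desired type 0
]

if __name__ == "__main__":
    for value in SAMPLE_LOG_VALUES:
        print(value, "->", describe(decode_eap_message(value)))
```

Run stand-alone it prints the three decoded packets; the third line is the one to act on, since a Nak with desired type 0 points at the supplicant configuration (wrong EAP method selected, or no usable client certificate on the Linux side) rather than at the server.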
Re: Problem on WPA-EAP with Linux
Hi,

sorry for the repost, I simply wanted to add that I'm doing an EAP-TLS conversation and have all certs installed.

TIA
Alex
Re: W2K doesn't ask FreeRadius with EAP
Hi me,

Alexandros Gougousoudis wrote:
> But there are two W2K clients which don't want to register over radius, the radius server doesn't even get a request.

It seems the problem was that the NetBIOS name of the PC was too long (16 characters). I took a short one and it worked immediately. Windows always complained that it could not find its cert. But the cert was there and valid. After shortening the name and issuing a new cert, it works.

Sorry to be a little off-topic, but I assume people look here first if having trouble with Windows and FR, rather than a Windows group or list.

cu
Alex

--
ServiceCenter IT - Alexandros Gougousoudis (Head)
Joint institution of the Kunsthochschule Berlin-Weissensee, the Hochschule für Musik Hanns Eisler and the Hochschule für Schauspielkunst Ernst Busch.
Tel.: 030 / 477 05 - 444 * Fax.: 030 / 477 05 - 445
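Two details from this thread decide whether a machine lands on the "Login OK" or the "Login incorrect" side of the users file: the User-Name arrives as "host/NAME" or as a bare name, in upper or lower case depending on the service pack (see the "Login incorrect" / "Login OK" pair in the XP SP3 (SOLVED) post above), and a computer name over the NetBIOS limit breaks the client before it ever sends a request (the 16-character name in this post). The script below is an added example, not FreeRADIUS code: it canonicalises the logged User-Name, then runs the "Login OK/incorrect" lines against an allowlist of approved machines to list unknown hosts and approved hosts that failed. The log lines and the APPROVED list are constructed in the format quoted in this thread; LOG_RE, canonical_host and audit are names of this example.

```python
"""Audit FreeRADIUS "Login OK/incorrect" lines against an allowlist of machines.

Added example, not FreeRADIUS code. Assumes the log format quoted in this
thread ("... Auth: Login OK: [host/NAME] (from client NAS port N [cli MAC])").
Windows sends "host/NAME" or a bare "NAME", upper or lower case, so hosts are
compared on the upper-cased bare name.
"""
import re
from typing import Dict, Iterable, List, NamedTuple, Optional

NETBIOS_MAX = 15  # a NetBIOS computer name is at most 15 characters

LOG_RE = re.compile(
    r"(?:Auth: )?Login (?P<result>OK|incorrect): \[(?P<user>[^\]]+)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)(?: cli (?P<cli>\S+))?\)"
)


class AuthEvent(NamedTuple):
    ok: bool
    host: str            # canonical bare machine name, upper case
    raw_user: str        # User-Name exactly as logged
    client: str          # NAS short name from clients.conf
    port: int
    cli: Optional[str]   # Calling-Station-Id, when the NAS supplies it


def canonical_host(user_name: str) -> str:
    """'host/Name.domain.example' -> 'NAME'; bare 'name' -> 'NAME'."""
    name = user_name.strip()
    if name.lower().startswith("host/"):
        name = name[len("host/"):]
    name = name.split(".", 1)[0].upper()   # drop any DNS suffix the supplicant appended
    if len(name) > NETBIOS_MAX:
        raise ValueError("%r exceeds the %d-character NetBIOS name limit" % (name, NETBIOS_MAX))
    return name


def parse_auth_line(line: str) -> Optional[AuthEvent]:
    """AuthEvent for a Login OK/incorrect line, None for any other log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return AuthEvent(m.group("result") == "OK", canonical_host(m.group("user")),
                     m.group("user"), m.group("client"), int(m.group("port")), m.group("cli"))


def audit(lines: Iterable[str], approved: Iterable[str]) -> Dict[str, object]:
    """Which hosts authenticated, which approved hosts failed, which are unknown."""
    allow = {canonical_host(a) for a in approved}
    events: List[AuthEvent] = []
    malformed: List[str] = []
    for line in lines:
        try:
            ev = parse_auth_line(line)
        except ValueError as err:          # e.g. a name over the NetBIOS limit
            malformed.append(str(err))
            continue
        if ev:
            events.append(ev)
    return {
        "events": len(events),
        "unknown_hosts": sorted({e.host for e in events if e.host not in allow}),
        "approved_ok": sorted({e.host for e in events if e.ok and e.host in allow}),
        "approved_failed": sorted({e.host for e in events if not e.ok and e.host in allow}),
        "malformed": malformed,
    }


# Constructed sample lines in the format quoted in this thread.
SAMPLE_LOG = [
    "Mon Jan 26 13:29:11 2009 : Auth: Login incorrect: [host/HFS-PA-140109-1] (from client hfs-schneller port 24)",
    "Mon Jan 26 13:49:20 2009 : Auth: Login OK: [host/HFS-PA-140109-1] (from client hfs-schneller port 24)",
    "Mon Jan 26 13:52:07 2009 : Auth: Login OK: [hfs-pa-140109-2] (from client hfs-schneller port 25)",
    "Login incorrect: [scit-acer] (from client khb-buehring port 43 cli 0016cfab64e4)",
    "Mon Jan 26 14:05:10 2009 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request",
]
APPROVED = ["host/hfs-pa-140109-1", "HFS-PA-140109-2"]   # as a users file might list them

if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG, APPROVED).items():
        print(key, value)
```

Because the allowlist and the log are both canonicalised, an entry written in lowercase still matches a client that now sends its name in uppercase, which is exactly the mismatch that produced the first "Login incorrect" line above; the "unknown_hosts" list is the one to watch on a port-protection setup like this, since it names machines that presented themselves but are not on the approved list.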
Re: What kind of error in client-cert using EAP?
Hi,

it works now. Thanks Thibault, you saved my day, again! :-)

> - the extension SubjectAltName must contain the Netbios name of the PC (I think)

This had no meaning in my tests. Anyway, a type for that field must be chosen. Did you take DNS-Name, Email or Raw? I took DNS-Name now, but in another case there was an email in that field and the system authenticates without problems. So I think you can leave this field out.

> I've seen that you integrate the emailaddress in the subject (an option in TinyCA): can you disable this ?

Yupp, this was the mistake. It is somehow on by default. I switched it off and created new certs as you wrote, and the XP machine works now too. Hell, I'm gonna print your mail and hang it in front of me.

> This is ok, but are the certificates _exactly_ generated in the same way ?

Obviously not. As I made the same mistake over and over again. I have now only the problem of one W2K machine, not even asking the Radius server. I assume it's some kind of incompatibility of drivers or NIC.

Thanks for your help. Have that for your trouble: http://www.engelbraeu.de/images/bierkiste.gif

cu
Alex
Re: What kind of error in client-cert using EAP?
Hi,

Thibault Le Meur wrote:
> Alexandros do you confirm that you are not trying to authenticate the user, but only the host at boot time ?

Exactly. The hosts need to be authenticated; we simply do that to protect the Ethernet ports of the switch. Otherwise our students plug in their equipment (like a WLAN AP) and endanger our net.

cu
Alex
Re: What kind of error in client-cert using EAP?
Hello Alan,

Alan DeKok wrote:
> No. It means that there is NO client cert. The authentication process continues, so it's obviously not a catastrophic problem.

Is it simply not sent, or somehow not available? Because I know for sure that there is a cert on the client. And I did nothing else than on the other machines where it has been working for 2 weeks. Just to make it explicit: I create a user cert in TinyCA2 (Linux). I export the cert as a p12 and include the key and the CA in that p12 container. I also disable the passphrase. I put that file on the network where the client can find it. On the client I open the MMC as local admin and include the snap-in "Certificates" for the local computer. Then I import the created cert into My Certificates and copy the CA cert into the trusted certification centers tree (it's in German). It worked for another 2 W2K PCs and for four XP Pro SP2 PCs. The APs are Linksys switches and they do what they should.

> For PEAP and TTLS, there *is* no client cert.

I use EAP-TLS for machine authentication (in Windows the "Smartcard or Certificate" authentication).

> > It means also that in my authorize section (Auth-Type := EAP)
>
> Can you explain why you're doing this? All of the server documentation, and many posts on this list say it's wrong.

Because if I do only a machine authentication, every machine which has a valid cert can connect to the network. If I write the explicit hostname in the users file, I have more control over the single clients connecting. If they are not in the list, they're not allowed to connect, regardless of whether they have a valid cert or not. I think it could be done more elegantly using CRLs, but I'm not yet at this point. I try to understand why one PC can connect and the other one cannot, although I did the same procedure.

Thanks for your help
Alex
Re: What kind of error in client-cert using EAP?
> We've got the same error here... but it's not terminal

But I don't get this error on a conversation which leads to an Access-Accept. I think because you're doing a username/password login for your wireless clients, you need to use, as written, PEAP and MSCHAPV2. Usernames and passwords have no meaning for us, because we use Radius to protect our Ethernet ports, so that only computers approved (by us) can be connected. I don't care about the user logging into that PC. That's why I don't need a passphrase.

> it's also not needed. so you can ignore the error if you use eap+tls (peap - mschapv2 + user/pass) i did use Auth-Type := eap , and it does work with our server so, dunno why you have to leave this out.

The server creates over and over again an Access-Challenge in the authorize section. Unfortunately I'm ill and not at work today and tomorrow. I'll post a log from a W2K client connecting without problems and one with problems.

cu
Alex
What kind of error in client-cert using EAP?
Hi,

I have trouble with one XP SP2 client, using a certificate to make 802.1x auth over EAP-TLS. The cert is a machine cert. On the server side I get this (using -X -A) in authenticate:

    modcall: entering group authenticate for request 33
      rlm_eap: Request found, released from the list
      rlm_eap: EAP/tls
      rlm_eap: processing type tls
      rlm_eap_tls: Authenticate
      rlm_eap_tls: processing TLS
      rlm_eap_tls: Length Included
      eaptls_verify returned 11
        (other): before/accept initialization
        TLS_accept: before/accept initialization
      rlm_eap_tls: TLS 1.0 Handshake [length 0041], ClientHello
        TLS_accept: SSLv3 read client hello A
      rlm_eap_tls: TLS 1.0 Handshake [length 004a], ServerHello
        TLS_accept: SSLv3 write server hello A
      rlm_eap_tls: TLS 1.0 Handshake [length 0ef8], Certificate
        TLS_accept: SSLv3 write certificate A
      rlm_eap_tls: TLS 1.0 Handshake [length 00bd], CertificateRequest
        TLS_accept: SSLv3 write certificate request A
        TLS_accept: SSLv3 flush data
        TLS_accept:error in SSLv3 read client certificate A
    In SSL Handshake Phase
    In SSL Accept mode
      eaptls_process returned 13
      modcall[authenticate]: module eap returns handled for request 33
    modcall: leaving group authenticate (returns handled) for request 33
    Sending Access-Challenge of id 0 to 10.48.244.21 port 49154
            EAP-Message = 0x0125040a0dc0100e1[...]

Which indicates that there is a problem in the client cert. Can it be more detailed? I exported the cert and the key now 4 times in different manners (as p12, as der) and the error is still there. Extended attribute is also included. The funny thing is that I already have 5 XP machines running in my network, doing an EAP-TLS auth over the switch. It means also that in my authorize section (Auth-Type := EAP) I can get an Access-Accept message. On the server I get the Access-Requests, create an Access-Challenge and that's all. There's nothing coming back from the client.

Please help
Alex
Re: Problems in EAP-TLS in new Windows XP clients
Hi Jose,

> On the last month I'm having problems making new Windows XP clients connect to the network, even when old installations of Windows XP SP2 are working well so far. The OEM Windows XP on the

that's interesting, because I posted the error on the list a couple of minutes ago. After viewing your logs, it seems that you got a client certificate error, as I got. This is a part of your linked log:

    modcall[authorize]: module files returns ok for request 3
    modcall: leaving group authorize (returns updated) for request 3
      rad_check_password: Found Auth-Type EAP
    auth: type EAP
      Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 3
      rlm_eap: Request found, released from the list
      rlm_eap: EAP/tls
      rlm_eap: processing type tls
      rlm_eap_tls: Authenticate
      rlm_eap_tls: processing TLS
      rlm_eap_tls: Length Included
      eaptls_verify returned 11
        (other): before/accept initialization
        TLS_accept: before/accept initialization
      rlm_eap_tls: TLS 1.0 Handshake [length 0041], ClientHello
        TLS_accept: SSLv3 read client hello A
      rlm_eap_tls: TLS 1.0 Handshake [length 004a], ServerHello
        TLS_accept: SSLv3 write server hello A
      rlm_eap_tls: TLS 1.0 Handshake [length 0800], Certificate
        TLS_accept: SSLv3 write certificate A
      rlm_eap_tls: TLS 1.0 Handshake [length 00fb], CertificateRequest
        TLS_accept: SSLv3 write certificate request A
        TLS_accept: SSLv3 flush data
        TLS_accept:error in SSLv3 read client certificate A
    rlm_eap: SSL error error::lib(0):func(0):reason(0)

I have this problem on a new XP Home (SP1 and SP2). I still don't know what the real problem is, but I'll try to find it out and post to the list. Please do so also, if you find the solution.

cu
Alex
W2K doesn't ask FreeRadius with EAP
Hi,

I've got a very strange problem and I don't know where else to look. Maybe one of you has an idea what could be wrong. I've set up (with a lot of help from the list) a Freeradius server, based on certificates, doing a machine authentication over our Linksys switch as AP. The clients are using EAP-TLS and for most clients it works. But there are two W2K clients which don't want to register over radius; the radius server doesn't even get a request. I took a fresh-install W2K with SP4, put on all updates, put on IE6 and the necessary certs and registry patch, started the wireless service, configured network settings, rebooted. If I connect the network cable to a secured Ethernet port I get in Windows "Couldn't log on to the network" (in German). I have 2 other W2K machines working without a problem (even on the same switch port). I had a Realtek NIC in that PC, put on new drivers, no effect. Put in an older 3com NIC, no effect. It's like the AP doesn't forward the request to the Freeradius server. With other W2K no problem, with XP no problem with this AP. Something I could do, besides throwing the PC out of the window?

TIA
Alex
Re: WPA/RADIUS Problems
Hi,

> You can view what is done in the Debian/rules file

Yupp, it works now! My mistake was to use the slightly broken 1.1.0 deb package a few months ago. Source build didn't work. If I take the sources of the official tar.gz I can now build everything without problems under unstable. Great. Don't like Suse...

Thanks
Alex
Re: WPA/RADIUS Problems
Hi Alan,

Alan DeKok wrote:
> They (and the main web page) point to EAP howto's on the main web site, which include screenshots for configuring Windows for wireless,

That's true, but as a beginner it is not clear what is important to set up. Most people simply want to connect their notebook over WLAN to their network; others go more into detail with LDAP, SQL, whatever. Knowledge about EAP-PEAP, EAP-TLS, MSCHAPv2 is still not developed. As you and others very often reply to questions of people on the list with "tell us in detail what you want to do...", that is not what many people seek; I think most expect to be told what is important and what they should do. As always in the IT business, the customer doesn't know what he needs, but it must be nice and fancy when it is ready. :-)) FR is a great program, thanks a lot to all who work on this!

> The server includes a debian directory, which is used to build debian packages.

I tried that with source-install of the deb, but compilation fails on sarge and unstable; the bug list is full on debian.org, so I'm not the only one who had this problem. I think at least the eap module relies on some lib which is not GPL and not included in Debian and they try to move around it. But FR without EAP is at least for me useless. I did not try the debian dir of the official tar of freeradius.org, I will do that soon, because Suse 10.1 sucks.

cu
Alex

P.S: I'm looking for a good book, covering all about radius and especially FR. As an overview and as a reference.
Re: Everything lookslike it works, but PC is not authentified
Hi Alan,

> It looks like it is doing machine authentication, in which case the

Correct.

> certs (both client and server) need the machine authentication OIDs,

I read that again and again, but I already have these OIDs in the certs. Here a dump of my server cert:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 40 (0x28)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS, OU=ServiceCenter-IT, CN=ServiceCenter-IT_KHB_HfM_HfS/[EMAIL PROTECTED]
            Validity
                Not Before: Aug 10 09:33:43 2006 GMT
                Not After : Aug 10 09:33:43 2007 GMT
            Subject: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS, OU=ServiceCenter-IT, CN=radius.verwaltung.kh-berlin.de/[EMAIL PROTECTED]
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (4096 bit)
                    Modulus (4096 bit):
                        [...]
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Cert Type:
                    SSL Server
                Netscape Comment:
                    TinyCA Generated Certificate
                X509v3 Subject Key Identifier:
                    42:A9:4A:9F:04:88:71:B1:78:D4:1A:5D:00:A5:66:8E:78:C0:45:FF
                X509v3 Authority Key Identifier:
                    keyid:B9:39:B6:CE:8A:52:91:2E:AE:CE:16:24:18:B1:F4:D8:30:3D:04:2E
                    DirName:/C=DE/ST=Berlin/L=Berlin/O=KHB HfM HfS/OU=ServiceCenter-IT/CN=ServiceCenter-IT_KHB_HfM_HfS/[EMAIL PROTECTED]
                    serial:89:0D:6F:61:AC:0C:E0:05
                X509v3 Issuer Alternative Name:
                    email:[EMAIL PROTECTED]
                X509v3 Subject Alternative Name:
                    email:[EMAIL PROTECTED]
                X509v3 Extended Key Usage: critical
                    TLS Web Server Authentication    !!
        Signature Algorithm: sha1WithRSAEncryption
            [...]

Isn't that exactly what it should look like?

And here the client:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 42 (0x2a)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS, OU=ServiceCenter-IT, CN=ServiceCenter-IT_KHB_HfM_HfS/[EMAIL PROTECTED]
            Validity
                Not Before: Sep  1 11:18:32 2006 GMT
                Not After : Sep  1 11:18:32 2007 GMT
            Subject: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS, OU=ServiceCenter-IT, CN=vinfo-t1/[EMAIL PROTECTED]
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (4096 bit)
                    Modulus (4096 bit):
                        [...]
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Cert Type:
                    SSL Client, S/MIME, Object Signing
                Netscape Comment:
                    TinyCA Generated Certificate
                X509v3 Subject Key Identifier:
                    C0:72:0A:91:71:D9:E7:A9:73:CC:B4:B0:AD:17:B4:ED:61:AF:06:B9
                X509v3 Authority Key Identifier:
                    keyid:B9:39:B6:CE:8A:52:91:2E:AE:CE:16:24:18:B1:F4:D8:30:3D:04:2E
                    DirName:/C=DE/ST=Berlin/L=Berlin/O=KHB HfM HfS/OU=ServiceCenter-IT/CN=ServiceCenter-IT_KHB_HfM_HfS/[EMAIL PROTECTED]
                    serial:89:0D:6F:61:AC:0C:E0:05
                X509v3 Issuer Alternative Name:
                    email:[EMAIL PROTECTED]
                X509v3 Subject Alternative Name:
                    email:[EMAIL PROTECTED]
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage: critical
                    TLS Web Client Authentication    !
        Signature Algorithm: sha1WithRSAEncryption
            [...]

What else could be a problem? How do you guys handle the host/netbiosname problem? Could that break the cert?

TIA
Alex
Re: Everything looks like it works, but PC is not authenticated
Hi,

K. Hoercher schrieb:
> No, you don't. from Alan's post:
> # 1.3.6.1.4.1.311.17.2
> and TLS Web Client Authentication is 1.3.6.1.5.5.7.3.2

Hm, with Alan's OID there is no communication between RADIUS and the client. If I use the OID indicated in most HOWTOs (like http://www.hep.phys.soton.ac.uk/~jhe/documents/WPA-Authentication+RADIUS-HOWTO.html) there is a conversation between them. OK, the authentication fails in the end. To write it again: I use W2k, not XP; maybe the problem is somewhere in there, but I doubt it, because menus and functions are the same as in XP.

> you don't check for the CN. Afaik you might strip it by using the with_ntdomain_hack directive.

I've seen that directive, but exactly where should it be enabled in the config? I think it can't be set in the eap.conf, where it makes the most sense.

> Further changes depend on the eap type you want to use. I have already asked about that.

I didn't understand that question. I want to make a machine-based authentication based on certificates on the clients. If the cert is OK, the Ethernet port will be switched through. AFAIK this is done with Windows clients using EAP-TLS. That's all the auth I need; the user at the client must not be checked, even the client's name must not be checked against SQL or LDAP (maybe later). The HOWTO says AuthType := EAP would be right. OK, here on the list everybody says "Don't use AuthType", but nobody says what to use instead... :-)

TIA
Alex
Re: Everything looks like it works, but PC is not authenticated
Hi,

> I can't even remotely understand why you seem to look for help on one hand, but on the other one keep declining answers to questions put to you and insisting on false assumptions.

That's why I might not understand what you're asking. :-)

> verify error:num=9:certificate is not yet valid
> rlm_eap_tls: TLS 1.0 Alert [length 0002], fatal bad_certificate
> TLS Alert write:fatal:bad certificate

I fixed that problem. The time on the certificate-issuing server, the RADIUS server and the client was different. So the cert wasn't valid, because the creation time was in the future. I've now put all of them on my NTP server.

The check_cert_cn was a test to check whether the username has something to do with the failing certs and is disabled now again. I found that if the certs are valid, the username is not important. I used the OIDs mentioned in the HOWTOs, not Alan's.

> And while it doesn't cause any problem for now, would you please get rid of the host/vinfo-t1 and vinfo-t1 stanzas in your users file

The idea of that was to control the logon of already authorized clients, i.e. to not accept a client with a valid cert. This could be done more elegantly with the CRL of SSL, but for now it's easier to maintain in the users file. Of course passwords are useless if nothing like PEAP is done (this entry was for testing).

I conclude it works now with W2K SP4. The main problem was different times on all participating computers. If confs and certs are done according to the earlier mentioned HOWTO, it'll work. Although the setting of the users file still stays unclear to me, because I don't know how to handle the acceptance of the clients if the client cannot be described via AuthType in the users file. Maybe somebody could enlighten me.

I still have to check if I really need the registry hack (set the HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode value to '2') mentioned by Thibault LeMeur earlier on the list.

Next I'll try to check the client's name against our LDAP database (for the Samba domain) in the users file to allow only those clients which are in our domain.

Thanks for help
Alex
Re: Everything looks like it works, but PC is not authenticated
Hi,

Stefan Winter schrieb:
> this list, is that the server cert doesn't have the MS TLS Web Server Authentication OID in the cert. Please read the various documentation about

Nope, the cert has this extension. I checked that again and again. The server is in DNS and the CN of the cert is the FQDN of the server. The CN of the PC is the NetBIOS name. Both certs have their extension (Web Server and Client). Maybe it's something else?

TIA
Alex
Re: Everything looks like it works, but PC is not authenticated
Hi,

K. Hoercher schrieb:
> 1. Don't set Auth-Type. See http://deployingradius.com/documents/configuration/auth_type.html

Thanks for your reply. The problem is, there are now a lot of partial HOWTOs on the net, but not even one covers all. I did that because it was in a HOWTO... I'll try something else.

> and finally what the supplicant sends. What is host/vinfo-t1 supposed to be?

vinfo-t1 is the NetBIOS name of the client; the realm(?) host/ comes from Windows or the AP, I don't know. Probably it breaks the cert, because the name differs and this bothers EAP/TLS. But I don't know how to handle or shorten this. Maybe somebody has a good idea to handle that.

TIA
Alex
Everything looks like it works, but PC is not authenticated
        EAP-Message = 0x020102020900890d6f61ac0ce005300d06092a864886
        Message-Authenticator = 0x
        State = 0x9a47ab7f9de113ebbe793cdba4b8eac5
Finished request 2
[...]
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.48.244.21:49154, id=0, length=97
        NAS-IP-Address = 10.48.244.21
        NAS-Port-Type = Ethernet
        NAS-Port = 3
        User-Name = host/vinfo-t1
        State = 0x02e56d8de12a870049b3b02e1f4ad162
        EAP-Message = 0x021100060d00
        Message-Authenticator = 0x8a9e680cc21b98a2835861c9ef08faea
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 13
modcall[authorize]: module preprocess returns ok for request 13
rlm_eap: EAP packet type response id 17 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 13
users: Matched entry host/vinfo-t1 at line 219
modcall[authorize]: module files returns ok for request 13
modcall: leaving group authorize (returns updated) for request 13
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 13
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module eap returns handled for request 13
modcall: leaving group authenticate (returns handled) for request 13
Sending Access-Challenge of id 0 to 10.48.244.21 port 49154
        EAP-Message = 0x0112000a0d80
        Message-Authenticator = 0x
        State = 0x3f9387f3adb41ddea578c30fd328358f
Finished request 13
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 13 ID 0 with timestamp 44cbfc94
Nothing to do. Sleeping until we see a request.
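The debug output above is an EAP-TLS exchange in the middle of the handshake: the supplicant sends an empty EAP-TLS ACK, the server answers with the next fragment, and the User-Name is the `host/vinfo-t1` identity the thread asks about. As an added example (not code from the list or from FreeRADIUS), the script below splits a `radiusd -X` transcript into packets, decodes the EAP-Message header (RFC 3748) and the EAP-TLS flags byte (RFC 5216), and maps the Windows machine identity `host/<name>` to the bare host name that has to match the client certificate CN. The sample transcript in the script is constructed: the EAP-Message and User-Name values are the ones the post shows, while addresses and State values are placeholders; the function names (`parse_packets`, `decode_eap_message`, `supplicant_hostname`, `summarize`) are my own.

```python
"""Reading `radiusd -X` output for an EAP-TLS machine-auth attempt: added example
(not code from the list or from FreeRADIUS). It splits the transcript into packets,
decodes the EAP-Message header (RFC 3748) and EAP-TLS flags (RFC 5216), and maps
the Windows machine identity 'host/<name>' to the host name the cert CN must match."""
import re

# Constructed transcript shaped like the one in the post: the EAP-Message and
# User-Name values are the post's, addresses and State values are placeholders.
DEBUG_LOG = """\
rad_recv: Access-Request packet from host 192.0.2.21:49154, id=0, length=97
        NAS-IP-Address = 192.0.2.21
        NAS-Port-Type = Ethernet
        NAS-Port = 3
        User-Name = "host/vinfo-t1"
        State = 0x0102030405060708090a0b0c0d0e0f10
        EAP-Message = 0x021100060d00
        Message-Authenticator = 0x00000000000000000000000000000000
Processing the authorize section of radiusd.conf
rlm_eap: EAP packet type response id 17 length 6
rlm_eap_tls: Received EAP-TLS ACK message
Sending Access-Challenge of id 0 to 192.0.2.21 port 49154
        EAP-Message = 0x0112000a0d80
        Message-Authenticator = 0x
        State = 0x100f0e0d0c0b0a090807060504030201
Finished request 13
"""
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 13

def parse_packets(log):
    """One dict per received (rad_recv) or sent (Sending ...) packet, with its attributes."""
    packets, current = [], None
    for line in log.splitlines():
        recv = re.match(r"rad_recv: (\S+) packet from host (\S+):(\d+), id=(\d+)", line)
        sent = re.match(r"Sending (\S+) of id (\d+) to (\S+) port (\d+)", line)
        if recv:
            current = {"code": recv.group(1), "peer": recv.group(2), "id": int(recv.group(4)), "attrs": {}}
            packets.append(current)
        elif sent:
            current = {"code": sent.group(1), "peer": sent.group(3), "id": int(sent.group(2)), "attrs": {}}
            packets.append(current)
        elif current is not None and line[:1].isspace():
            attr = re.match(r"\s+([\w-]+) = (.*)$", line)
            if attr:
                current["attrs"][attr.group(1)] = attr.group(2).strip().strip('"')  # strings print quoted
        else:
            current = None  # any unindented line ends the attribute list
    return packets

def decode_eap_message(hexstr):
    """Decode the EAP header and, for EAP-TLS, the flags byte of one EAP-Message attribute."""
    data = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = data[0], data[1]
    length = int.from_bytes(data[2:4], "big")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
           "truncated": len(data) < length}  # Length counts the whole EAP packet
    if code in (1, 2) and len(data) >= 5:
        out["type"] = data[4]
        if data[4] == EAP_TYPE_TLS and len(data) >= 6:
            flags = data[5]
            out["tls_flags"] = {"L": bool(flags & 0x80),   # TLS Message Length field present
                                "M": bool(flags & 0x40),   # more fragments follow
                                "S": bool(flags & 0x20)}   # EAP-TLS Start
            # An EAP-TLS ACK is a Response of type 13 with all flags clear and no data.
            out["tls_ack"] = code == 2 and flags == 0 and length == 6
    return out

def supplicant_hostname(user_name):
    """'host/vinfo-t1' or 'host/vinfo-t1.example.org' -> 'vinfo-t1'.
    Windows sends the machine account as 'host/<name>'; the cert CN in this thread
    is the bare NetBIOS name, which is case-insensitive, so compare in lower case."""
    name = user_name
    if name.lower().startswith("host/"):
        name = name[len("host/"):]
    return name.split(".", 1)[0].lower()

def summarize(log):
    """One row per packet: RADIUS code, identity, derived host name, decoded EAP header."""
    rows = []
    for p in parse_packets(log):
        attrs = p["attrs"]
        rows.append({
            "packet": p["code"],
            "user": attrs.get("User-Name"),
            "host": supplicant_hostname(attrs["User-Name"]) if "User-Name" in attrs else None,
            "eap": decode_eap_message(attrs["EAP-Message"]) if "EAP-Message" in attrs else None,
        })
    return rows

if __name__ == "__main__":
    for row in summarize(DEBUG_LOG):
        print(row)
```

On the post's own values this gives `0x021100060d00` = Response, id 17, length 6, type 13 with flags 0, i.e. exactly the "EAP packet type response id 17 length 6" and "Received EAP-TLS ACK message" lines in the log; the reply `0x0112000a0d80` is a Request, id 18, type 13 with the L flag set, and its Length field of 10 is larger than the 6 bytes present, so the decoder marks it truncated. The `host` column is what a `check_cert_cn`-style comparison should be fed instead of the raw User-Name.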
Confused with FreeRadius + Win2000 + Linksys + EAP + Certs
Hi,

I've been working on a FreeRADIUS setup for our network for 3 weeks and I get more and more confused, even after days of RTFM. If someone could help me, I'd owe you a beer. :-)

This is what I want to do: We have a Linksys switch which can be an AP for RADIUS. If a PC is authenticated, the port of the switch will work. I want to install a certificate on every PC in our network. The supplicant should contact the AP using EAP and the AP the RADIUS server (I use freeradius 1.1.0 on Suse 10.1). So the PC should have access to the network, regardless of the user who will work on it.

I configured FreeRADIUS' eap.conf to use TLS, did all certificates and installed them on the client and server. radiusd -X -A doesn't report an error. All servers and clients are in the DNS.

The problem is, if I set up the authentication with EAP type Smartcard or Certificate in W2K, simply nothing happens: there is no request coming to the RADIUS server, nor an error message on the client. If I configure PEAP with protected password on the client (and say that it should not use the Windows logon name in the EAP-MSCHAPv2 dialog), I get a logon screen and can authenticate the computer (I've put a dummy user in the users file) and I see the conversation in the server debug. If I say it should use the Windows logon name, again nothing happens on the RADIUS server (there is not even a request to that server). I even took SecureW2 to test, with the same result.

I'm doing something terribly wrong, but what could it be? Every hint is welcome!

In the future I also want to check in our LDAP directory (we have a Samba domain there) whether the computer exists in the domain, and only then accept the certificate for authentication. But I'm light-years away from it; did anybody do this before?

thanks in advance
Alex