EAP-TLS testing, occasional errors
Hello All,

I have configured a server to test EAP-TLS. Created the CA, a server and one client certificate. The same client certificate was then installed on three different devices; OSX, Windows 7 and an Android 4.2. All is well, all the devices can authenticate successfully, however, every now and again I can see similar entries in the log like the one below. A failure:

Thu Mar 7 14:30:57 2013 : Error: TLS Alert write:fatal:handshake failure
Thu Mar 7 14:30:57 2013 : Error: TLS_accept: error in SSLv3 read client certificate B
Thu Mar 7 14:30:57 2013 : Error: rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
Thu Mar 7 14:30:57 2013 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
Thu Mar 7 14:30:57 2013 : Auth: Login incorrect (TLS Alert write:fatal:handshake failure): [wifiuser] (from client CiscoAP port 289 cli 10-68-3F-48-41-46)

Then a success soon after from the same device (this is the Android one):

Thu Mar 7 14:32:10 2013 : Auth: Login OK: [wifiuser] (from client CiscoAP port 291 cli 10-68-3F-48-41-46)

Very occasionally the Android device would give up and not attempt to reauthenticate. The AP is set to reauthenticate clients every 10 minutes (a rickety old Cisco Aironet 1200).

Has anyone seen this before?

Thanks in advance,
Bertalan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
277 realms to maintain
Hello All,

In order to be able to use the home server pools and fail-over I had to create a list of 277 realms. There are now 277 entries similar to this:

    realm domain.com {
        auth_pool = my_auth_failover
        nostrip
    }

Could I use an $INCLUDE statement here to maintain the list of realms in a separate file? That way it would be easier to automate the creation of the realms list. Is there a better way of doing this?

Thank you,
Bertalan
DEFAULT realm proxy fail over
Hello All,

I would like to get help with the following. There is a freeradius server that is proxying every mschapv2 request to a homeserver using the DEFAULT realm. The same server is also handling EAP requests and then proxying the inner request through the DEFAULT realm. Is it possible to set up fail-over using two home servers in this scenario?

Thank you and best regards,
Bertalan Voros
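The two posts above (the 277 realms and the DEFAULT-realm fail-over) are answered by the same piece of proxy.conf, so here is an added example of it. This is my own illustration, not configuration from the thread or from the FreeRADIUS project: a fail-over pool of two home servers, a DEFAULT realm that uses it, and the per-domain realms kept in a separate file pulled in with $INCLUDE. The server names, addresses, secrets, timers and domain names are placeholders; the syntax is FreeRADIUS 2.x.

```conf
# ---- /etc/raddb/proxy.conf (FreeRADIUS 2.x syntax; addresses, secrets,
# ---- timers and domains are placeholders for this example) ----

home_server nps1 {
    type = auth
    ipaddr = 192.0.2.10
    port = 1812
    # One long random secret per home server. The MS-MPPE key material that
    # the home server returns in Access-Accept is protected only by this.
    secret = replace-with-a-long-random-secret-1
    require_message_authenticator = yes
    # No answer for 20 s: mark the server zombie and try the next one in the
    # pool; after zombie_period mark it dead; retry it every revive_interval.
    response_window = 20
    zombie_period = 40
    revive_interval = 120
    # This example assumes the home servers do not answer Status-Server.
    # If yours do, status_check = status-server detects dead/alive much faster.
    status_check = none
}

home_server nps2 {
    type = auth
    ipaddr = 192.0.2.11
    port = 1812
    secret = replace-with-a-long-random-secret-2
    require_message_authenticator = yes
    response_window = 20
    zombie_period = 40
    revive_interval = 120
    status_check = none
}

home_server_pool my_auth_failover {
    # fail-over: every request goes to nps1 until it is marked dead, then to nps2
    type = fail-over
    home_server = nps1
    home_server = nps2
}

# Catch-all for requests whose suffix is not listed in realms.conf.
# nostrip keeps the full UPN (user@domain) in User-Name for the home server.
realm DEFAULT {
    auth_pool = my_auth_failover
    nostrip
}

# The generated per-domain list lives in its own file.
$INCLUDE ${confdir}/realms.conf

# ---- /etc/raddb/realms.conf (generated from a list of domains; one block
# ---- per domain, same pool and options as the DEFAULT realm) ----
realm domain.com {
    auth_pool = my_auth_failover
    nostrip
}
realm example.org {
    auth_pool = my_auth_failover
    nostrip
}
```

Generate realms.conf from a plain list of domains with whatever provisioning tool or shell loop you already use, keep it out of proxy.conf, and check the result with radiusd -C (or a radiusd -X start, which prints the parse error) before restarting. Note that a DEFAULT realm matches any suffix, so domains that should go to the same pool with the same options do not strictly need their own block; the explicit list earns its keep when some domains must be handled differently (LOCAL, another pool, stripping the suffix).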
radiusd running config - is it possible to display
Hello All,

Is it possible to display the running config of freeradius without having to capture the output of radiusd -X?

Best regards,
Bertalan
Proxy based on auth type?
Hello All,

Another lame ass question. Is it possible to proxy requests based on Auth-Type?

I now have a config which terminates PEAP locally and proxies through the inner-tunnel to an NPS using MSCHAP. This was my original goal. However, when I do a radtest to check what happens to an mschap request it fails locally instead of being proxied. There is a combination of peap and mschap requests coming to the server. If I uncomment suffix in sites-enabled/default then it's reversed, mschap gets proxied but PEAP requests don't get sent through the inner tunnel.

In proxy.conf I have the DEFAULT realm set to our NPS and have nostrip set for each entry in clients.conf. The reason for this is that in the AD we have the user's email set as UPN and there are hundreds of email domains in use, the user's AD username cannot be determined based on the email address.

Output of debug mode when plain mschap fails:

    Ready to process requests.
    rad_recv: Access-Request packet from host 10.205.128.7 port 54292, id=242, length=154
        User-Name = bertalan.vo...@onedomain.com
        NAS-IP-Address = x.x.x.x
        NAS-Port = 0
        Message-Authenticator = 0x8402c1883262ac3e5a71b538490e1082
        MS-CHAP-Challenge = 0x9580349e1047ab7c
        MS-CHAP-Response = 0x0001ce764eb9fbdbfd3c66d06ecbfbf934845bfc12ed2a697dc4
    # Executing section authorize from file /etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
    ++[mschap] returns ok
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    Found Auth-Type = MSCHAP
    # Executing group from file /etc/raddb/sites-enabled/default
    +- entering group MS-CHAP {...}
    [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
    [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
    [mschap] Told to do MS-CHAPv1 with NT-Password
    [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
    [mschap] MS-CHAP-Response is incorrect.
    ++[mschap] returns reject
    Failed to authenticate the user.
    Login incorrect: [bertalan.voros@onedomain.com] (from client CiscoAP port 0)
    Using Post-Auth-Type Reject
    # Executing group from file /etc/raddb/sites-enabled/default
    +- entering group REJECT {...}
    [attr_filter.access_reject]     expand: %{User-Name} -> bertalan.voros@onedomain.com
     attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 11 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 11
    Sending Access-Reject of id 242 to 10.205.128.7 port 54292
        MS-CHAP-Error = "\000E=691 R=1"
    Waking up in 4.9 seconds.
    Cleaning up request 11 ID 242 with timestamp +13
    Ready to process requests.

Your help will be appreciated,

--
Bertalan Voros
Re: Proxy based on auth type?
Thanks Alan, it did fix the problem perfectly.

On 1 February 2013 14:33, Alan DeKok al...@deployingradius.com wrote:

> Bertalan Voros wrote:
>> Is it possible to proxy requests based on Auth-Type?
>
> Yes, but you don't want to do that.
>
>> If I uncomment suffix in sites-enabled/default then it's reversed, mschap gets proxied but PEAP requests don't get sent through the inner tunnel.
>
> You need to *conditionally* run the suffix module then. In the sites-enabled/default, do:
>
>     authorize {
>         ...
>         if (!EAP-Message) {
>             suffix
>         }
>         ...
>     }
>
> That should solve the problem quite nicely.
>
> Alan DeKok.

--
Bertalan Voros
Terminate PEAP on freeradius then proxy MSCHAPv2 to NPS
Hello All,

Could someone tell me if it is possible to terminate PEAP on a freeradius server then proxy the request to an NPS server using MSCHAPv2?

Thank you and best regards,
Bertalan
Re: Terminate PEAP on freeradius then proxy MSCHAPv2 to NPS
Hi Phil,

Thanks a lot for the quick response. The reason I was attempting this is because I have to provide a service for roaming users and I was having issues with obtaining a certificate for the NPS server.

Does this mean that I could use a self signed certificate for the NPS that is recognized by the freeradius and have a commercial certificate on the freeradius that is then recognized by the clients? So it's kept EAP-MSCHAPv2 all the way. Is this correct?

Sorry for the lame questions but I am reasonably new to freeradius and have only been using it to blindly proxy requests to the NPS.

On 25 January 2013 13:45, Phil Mayers p.may...@imperial.ac.uk wrote:

> On 01/25/2013 01:19 PM, Bertalan Voros wrote:
>> Hello All,
>>
>> Could someone tell me if it is possible to terminate PEAP on a freeradius server then proxy the request to an NPS server using MSCHAPv2?
>
> Yes. Simply set Proxy-To-Realm in inner-tunnel/authorize, and FreeRADIUS will proxy the packets.
>
>     server inner-tunnel {
>         authorize {
>             ...
>             update control {
>                 Proxy-To-Realm := NPS
>             }
>             ...
>         }
>     }
>
> However, personally I would strongly recommend you proxy the inner as EAP-MSCHAPv2, rather than using the magic "turn into plain mschapv2" code, i.e. you *should* set in eap.conf:
>
>     eap {
>         ...
>         peap {
>             ...
>             proxy_tunneled_request_as_eap = yes
>             ...
>         }
>     }
>
> If you set this option to "no" the proxied packet will be changed into plain MSCHAP, but that code path is complex and has had problems in the past. NPS can handle EAP-MSCHAPv2 just fine, so you shouldn't need to do this.

--
Bertalan Voros
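Phil's two settings above and Alan DeKok's conditional suffix call from the "Proxy based on auth type?" thread are the whole recipe, so here they are together as one added example of the three files involved, for FreeRADIUS 2.x. This is my own illustration, not configuration from the thread or from the project: the realm name NPS (assumed to be defined in proxy.conf with nostrip), the certificate paths and the module ordering around the changed lines are assumptions, and the other sections of each file are left as shipped.

```conf
# ---- /etc/raddb/eap.conf (relevant settings only; paths are placeholders) ----
eap {
    default_eap_type = peap
    tls {
        # The certificate the Wi-Fi clients see. The TLS tunnel ends here, so
        # the NPS behind it needs no certificate for this service at all.
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_password = whatever
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
    }
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        # Forward the inner request as EAP-MSCHAPv2, which NPS handles natively,
        # instead of converting it to plain MS-CHAPv2 attributes.
        proxy_tunneled_request_as_eap = yes
        virtual_server = "inner-tunnel"
    }
    mschapv2 {
    }
}

# ---- /etc/raddb/sites-enabled/default (authorize section) ----
authorize {
    preprocess
    chap
    mschap
    # Only non-EAP requests (plain MS-CHAP straight from the NAS) are matched
    # against the realms and proxied from this outer server. EAP requests must
    # stay local so that PEAP terminates here; their inner request is proxied
    # from the inner-tunnel server below.
    if (!EAP-Message) {
        suffix
    }
    eap {
        ok = return
    }
    files
    expiration
    logintime
    pap
}

# ---- /etc/raddb/sites-enabled/inner-tunnel (authorize section) ----
server inner-tunnel {
    authorize {
        # Everything arriving inside the PEAP tunnel goes to the NPS realm from
        # proxy.conf (assumed name). With nostrip on that realm, User-Name
        # stays the full UPN that the AD account is keyed on.
        update control {
            Proxy-To-Realm := "NPS"
        }
        mschap
        eap {
            ok = return
        }
    }
}
```

On the NPS side the FreeRADIUS server must be registered as a RADIUS client with the same shared secret, and the network policy must allow the EAP type "Microsoft: Secured password (EAP-MSCHAP v2)". Test the two paths separately: radtest -t mschap for a plain request (it should now be proxied rather than rejected locally), and an eapol_test run for PEAP. Keep in mind that the FreeRADIUS-to-NPS hop is plain RADIUS/UDP: the MS-CHAPv2 exchange and the MPPE keys in the Accept are only as private as the shared secret and the network between the two boxes.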
Re: Terminate PEAP on freeradius then proxy MSCHAPv2 to NPS
The clients are employees of a fairly loose network of companies, each on their own AD, some don't even have AD. A frustrating mixture of Windows and OSX. We maintain a central AD with all the user accounts in it but there are no machines associated with that AD.

The self signed certificate works but people get prompted to accept it and we were asked if it was possible for that to not happen. The most likely users of this service would be the VIP types, it is expected to just work so here I am.

Self signed or commercial makes no difference as the certificate is only used for server authentication. The only difference is users having to manually trust a cert or not. Unless I am wrong.

On 25 January 2013 14:23, a.l.m.bu...@lboro.ac.uk wrote:

> Hi,
>
>> The reason I was attempting this is because I have to provide a service for roaming users and I was having issues with obtaining a certificate for the NPS server.
>
> what's wrong with just using your current FR certificate on the NPS box?
>
>> Does this mean that I could use a self signed certificate for the NPS that is recognized by the freeradius and have a commercial certificate on the freeradius that is then recognized by the clients?
>
> what are your clients/userbase? why do you have to use a commercial certificate for your server? if the clients authenticating are your clients then they can have the required private CA installed - the authentication is a closed loop. if you use a commercial cert eg thawte, verisign etc and only use that as trust then anyone can get a cert signed by that commercial CA as a first point to subverting your security
>
> alan

--
Bertalan Voros
Re: Terminate PEAP on freeradius then proxy MSCHAPv2 to NPS
Hi Alan,

Thanks for your insight, you are absolutely correct regarding the issues. I will have to find a compromise that is acceptable to everyone.

>> We maintain a central AD with all the user accounts in it but there are no machines associated with that AD.
>
> any reasons for proxying to the NPS rather than binding the FR system into the AD and authenticating locally?

Only that the FR site mentioned it to be complicated and we already have an NPS that we are otherwise happy with. Looks like this would be the best option.

>> The self signed certificate works but people get prompted to accept it and we were asked if it was possible for that to not happen.
>
> some clients may prompt for the RADIUS or CA certificate anyway.
>
>> The most likely users of this service would be the VIP types, it is expected to just work so here I am.
>
> ah...the VIP types who 'just want it to work!' - and thus decide that security requirements are superfluous and get in the way. fine, you need to demonstrate the issue with a classic man in the middle attack - a couple of easy to boot systems exist which do that.
>
>> Self signed or commercial makes no difference as the certificate is only used for server authentication.
>
> correct.
>
>> The only difference is users having to manually trust a cert or not. Unless I am wrong.
>
> I would seriously advise that you look to having the right security in place and avoid users/clients having to configure their systems - ie an 802.1X deployment tool (such as XpressConnect from CloudPath) which will do all the work/configuration and installation of a CA for you as per your requirements - multi-platform and will do wireless and wired. (there are alternatives but none that are as feature-rich and support as many clients)

Will definitely look into that. The difficulty is that some of the users are so remote from us that our only encounter with them is seeing a log entry. This is a global solution very removed from the local tech team, only used to let roaming users on the wireless network. We are providing a radius so they don't have to maintain a full copy of all the users in the network (network of companies). It's a continuous headache for us.

> alan

--
Bertalan Voros
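Alan Buxey's warning above is the security point of this thread: if clients trust a commercial CA and check nothing else, any certificate bought from that CA will let a rogue access point terminate PEAP and collect MS-CHAPv2 hashes. What "the right security in place" means on the client side is a pinned CA plus a server-name check, which is what a deployment tool pushes out. Here is an added example of that configuration in wpa_supplicant terms; it is my own illustration, not from the thread or any vendor, and the SSID, CA file path, server name, identity and password are placeholders.

```conf
# Added example: network block for /etc/wpa_supplicant/wpa_supplicant.conf.
# SSID, CA path, server name, identity and password are placeholders.
network={
    ssid="roaming-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@onedomain.com"
    password="replace-me"
    # Trust only the CA that issued the FreeRADIUS certificate, never the whole
    # system store. With a commercial CA this alone is NOT enough, because
    # anyone can buy a certificate from that same CA ...
    ca_cert="/etc/ssl/certs/commercial-ca-root.pem"
    # ... so also require the expected server name. subject_match is a
    # substring match on the subject DN and exists in 2013-era wpa_supplicant;
    # altsubject_match checks a SubjectAltName entry instead, and newer
    # releases add domain_suffix_match="radius.example.com".
    subject_match="CN=radius.example.com"
    # Inner method: EAP-MSCHAPv2, the form NPS receives after the proxy hop.
    phase2="auth=MSCHAPV2"
}
```

The Windows PEAP profile has the same two knobs ("Validate server certificate" with exactly one trusted root ticked, and "Connect to these servers" set to the server name); an 802.1X provisioning tool does nothing more than fill them in consistently on every platform. With both set, a certificate from the same commercial CA but a different name is rejected, and the "just accept the prompt" failure mode goes away because the user never sees a prompt.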