Re: Question on logging EAP/PEAP authentication rejections
> It's a section, just like any other section. This is documented in man unlang. You put modules or unlang rules there. This is documented in man unlang.

Thanks!! That is exactly what I needed. I did not know to look in that man page. Awesome!

>> If there is documentation on Post-Auth-Type REJECT { that is more than a paragraph please point me to it, I'd be very interested in it. I can't follow advice that's not given to me or read documentation that seems to be impossible to find? I'm just confused on the replies I received. Oh well.
>
> The documentation assumes some amount of independent thought. *This* is the cause of most of the contention on this list. Some people want to be spoon-fed every possible piece of information. They get testy when that doesn't happen. I get frustrated when people don't bother reading the documentation I wrote. I give direct opinions when they express how bad the documentation is... that they haven't read.

I'm sorry I upset you. I could have worded the last part better. FreeRADIUS is so full of great features that sometimes the doc is not where you expect it, which is why I needed help finding where this was documented. I did figure it out without it in the end anyway. The man unlang advice was exactly what I needed and the doc is very clear. Thanks.

> Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Question on logging EAP/PEAP authentication rejections
Well, I eventually found and switched to using linelog to log access rejects, since I can define my own variables that are logged. Oddly enough, FreeRADIUS was showing a packet type of Access-Request for EAP authentication failures. Since I was calling linelog only from the post_auth_reject spot, I just changed the Access-Request= definition to:

    Access-Request = "Rejected access: %{User-Name} SSID: %{NAS-Port-Id}"

and the filename= line to be:

    filename = ${logdir}/authrejectlog-%Y%m%d.log

(Yep, I could make a subsection to linelog with those changes but chose not to.) So I am now logging username rejects as well as the SSID they are trying to connect to.

I'm not sure why people kept telling me to read the spot above the Post-Auth-Type Reject section. Here is a paste of the text above that section:

    # Access-Reject packets are sent through the REJECT sub-section of the
    # post-auth section.
    #
    # Add the ldap module name (or instance) if you have set
    # 'edir_account_policy_check = yes' in the ldap module configuration
    #

This section was of no help as to why usernames were not getting logged in the detail logs for rejections. From my emails I believe I conveyed that I was reading documentation and doing the best I could on my own without being a mooch. The only reason I can think of for such short and erroneous replies is that some people helping on the list are generally annoyed by any questions. That is too bad. A quick reply of "use linelog" would have been helpful. Why not help people?

-Josh

On Mon, Mar 19, 2012 at 9:15 PM, Josh Hiner j...@remc1.org wrote:

> Alan. Thanks for the reply. In one of my previous emails I did put reply_log in the post auth reject spot. I'm also copying the user from the inner tunnel to the outer tunnel. I am getting reject logs but without the username. I swear I have read the section above the post auth reject spot in my default file under sites-enabled and I do have stuff in that section as it clues me to. I must be missing something though, obviously.
>
> Thanks -josh
>
> Sent from my iPhone
>
> On Mar 19, 2012, at 6:32 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
>
>> Hi,
>>
>>> Ok I went back, looked at the config, and used some common sense to figure part of it out. I have it now logging replies for rejects using the
>>
>> ...to remind you what Alan said:
>>
>>> Read raddb/sites-available/default.
>>> Look for Post-Auth-Type Reject.
>>> This is documented.
>>
>> in post-auth section
>>
>>     Post-Auth-Type REJECT {
>>         attr_filter.access_reject
>>     }
>>
>> put things in that bit
>>
>> alan
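A worked configuration for the approach in this post, added here as an example; it is neither the poster's file nor part of the FreeRADIUS distribution. It assumes FreeRADIUS 2.x with the stock sites-enabled/default and inner-tunnel virtual servers and eap.conf's copy_request_to_tunnel = yes (which the poster has set); the instance name reject_log, the file name and the line format are my choices. Two things the thread never spells out: the stock linelog picks its message with reference = "messages.%{Packet-Type}", and Packet-Type is the type of the request being answered, so it reads Access-Request even inside the REJECT sub-section (which is what the poster saw); a dedicated instance with a fixed format and no reference avoids editing the Access-Request message. And %{User-Name} in the outer server's post-auth is the outer EAP identity; the tunnelled identity is only visible inside the inner-tunnel server, which has its own post-auth REJECT sub-section, so the same logger is hooked in both places. The debug output later on this page shows this NAS sends the SSID in Called-Station-Id as MAC:SSID, so that attribute is logged alongside NAS-Port-Id.

```unlang
#  raddb/modules/reject_log  (added example; name, path and format are my choice)
#  A fixed 'format' and no 'reference': the message must not depend on
#  %{Packet-Type}, which is Access-Request for the packet being rejected.
#  %S is the request timestamp in SQL format. 0600 because the file holds
#  user identities and client MAC addresses.
linelog reject_log {
	filename = ${logdir}/authrejectlog-%Y%m%d.log
	permissions = 0600
	format = "%S reject user=%{request:User-Name} nas=%{NAS-IP-Address} port_id=%{NAS-Port-Id} called=%{Called-Station-Id} calling=%{Calling-Station-Id}"
}

#  raddb/sites-enabled/default, post-auth section.
#  Only Access-Reject passes through the REJECT sub-section, so this logs
#  every rejection the outer server sends. The rest of post-auth is unchanged.
post-auth {
	Post-Auth-Type REJECT {
		attr_filter.access_reject
		reject_log
	}
}

#  raddb/sites-enabled/inner-tunnel, post-auth section.
#  The inner request carries the tunnelled identity (e.g. ISD\josh), while
#  the outer one may only have the anonymous/outer identity. With
#  copy_request_to_tunnel = yes the NAS attributes (Called-Station-Id,
#  NAS-Port-Id, Calling-Station-Id, NAS-IP-Address) are copied into the
#  inner request, so the same linelog instance works here too.
server inner-tunnel {
	post-auth {
		Post-Auth-Type REJECT {
			attr_filter.access_reject
			reject_log
		}
	}
}
```

Both hooks write to the same dated file, so a rejected PEAP login produces two lines: one from the inner server with the real identity and one from the outer server with the outer identity, tied together by NAS address and Calling-Station-Id. Verify with radiusd -X and a deliberately wrong password before relying on it.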
Re: Question on logging EAP/PEAP authentication rejections
Ok. I did follow this advice:

snip

> Ok I went back, looked at the config, and used some common sense to figure part of it out. I have it now logging replies for rejects using the
>
> ...to remind you what Alan said:
>
>> Read raddb/sites-available/default.
>> Look for Post-Auth-Type Reject.
>> This is documented.
>
> in post-auth section
>
>     Post-Auth-Type REJECT {
>         attr_filter.access_reject
>     }
>
> put things in that bit

snip

What advice didn't I follow? That's all the advice I was given. Put stuff in there (Post-Auth-Type REJECT), which I did do. First I tried reply_log (which didn't log username) so after much trial I modified linelog. I couldn't find documentation even with searching online about what to put in there. I pretty much guessed in the end. If there is documentation on Post-Auth-Type REJECT { that is more than a paragraph please point me to it, I'd be very interested in it. I can't follow advice that's not given to me or read documentation that seems to be impossible to find? I'm just confused on the replies I received. Oh well.

Thanks
-Josh

On Tue, Mar 20, 2012 at 4:27 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

> Hi,
>
>> being a mooch. The only reason I can think of for such short and erroneous replies is that some people helping on the list are generally annoyed by any questions. That is too bad. A quick reply of "use linelog" would have been helpful. Why not help people?
>
> ...or it could be that we've been running FreeRADIUS for a long long time and the method we said works for us but you've decided on some other way of path. back in the 0.x days you'd have been SOOL, in 1.x days it would have been code changes... in 2.x days there are a few ways you can do it. you were told the best way of doing it - but you chose another valid way.
>
> shrug
>
> alan
Re: Question on logging EAP/PEAP authentication rejections
Ok, I went back, looked at the config, and used some common sense to figure part of it out. I have it now logging replies for rejects using the reply_log section of ./modules/detail.log (I also enabled copy tunneled reply to the outer tunnel in eap.conf). In the logged rejections I'm not getting the User-Name though. I tried disabling the attr_filter.access_reject line in ./sites-enabled/default to see if the attributes were getting filtered but that didn't do anything, as I expected. I know that Access-Reject logs are only supposed to have certain info (per attr_filter.access_reject doc). Is there a way to modify the reply_log to include the User-Name in the rejection or should I be using something other than reply_log?

Thanks!
-Josh

On Fri, Mar 16, 2012 at 4:58 PM, Alan DeKok al...@deployingradius.com wrote:

> Josh Hiner wrote:
>> Hello. I'm running freeradius 2.1.6 and logging to /var/log/radius in file/detail format. Currently connection logging is working if the user authenticates correctly. I can't get access rejects to log though. I've turned on reply detail but that is only showing successful attempts too.
>
> Read raddb/sites-available/default. Look for Post-Auth-Type Reject. This is documented.
>
> Alan DeKok.
Re: Question on logging EAP/PEAP authentication rejections
Along with enabling use_tunneled_reply = yes etc., I am also updating the outer tunnel with the inner tunnel username like this:

    update outer.reply {
        User-Name = "%{request:User-Name}"
    }

in ./sites-enabled/inner-tunnel. Watching radius debug I can even see attr_filter.access_reject expand User-Name because it uses it as its key. I do have SQL reject logging fine in other radius server setups. I read the short doc here: http://freeradius.org/radiusd/doc/Post-Auth-Type and have searched via Google. I'm sorry, I just cannot figure this one out. I even see attr_filter. I cannot get FreeRADIUS to log the username in EAP/PEAP login rejects.

Thanks again.
-Josh

On Fri, Mar 16, 2012 at 4:55 PM, Josh Hiner j...@remc1.org wrote:

> Hello. I'm running freeradius 2.1.6 and logging to /var/log/radius in file/detail format. Currently connection logging is working if the user authenticates correctly. I can't get access rejects to log though. I've turned on reply detail but that is only showing successful attempts too. I have:
>
>     use_tunneled_reply = yes
>
> and
>
>     copy_request_to_tunnel = yes
>
> in eap.conf (need that to do group checking in the users file) but this does not seem to affect the issue of no rejected logins being logged. Searched this email list as well as online. Sorry to bother. Any info would be great. I appreciate your time. Thanks!!!
>
> -Josh
Re: Question on logging EAP/PEAP authentication rejections
Alan. Thanks for the reply. In one of my previous emails I did put reply_log in the post auth reject spot. I'm also copying the user from the inner tunnel to the outer tunnel. I am getting reject logs but without the username. I swear I have read the section above the post auth reject spot in my default file under sites-enabled and I do have stuff in that section as it clues me to. I must be missing something though, obviously.

Thanks -josh

Sent from my iPhone

On Mar 19, 2012, at 6:32 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

> Hi,
>
>> Ok I went back, looked at the config, and used some common sense to figure part of it out. I have it now logging replies for rejects using the
>
> ...to remind you what Alan said:
>
>> Read raddb/sites-available/default.
>> Look for Post-Auth-Type Reject.
>> This is documented.
>
> in post-auth section
>
>     Post-Auth-Type REJECT {
>         attr_filter.access_reject
>     }
>
> put things in that bit
>
> alan
Question on logging EAP/PEAP authentication rejections
Hello. I'm running freeradius 2.1.6 and logging to /var/log/radius in file/detail format. Currently connection logging is working if the user authenticates correctly. I can't get access rejects to log though. I've turned on reply detail but that is only showing successful attempts too. I have:

    use_tunneled_reply = yes

and

    copy_request_to_tunnel = yes

in eap.conf (need that to do group checking in the users file) but this does not seem to affect the issue of no rejected logins being logged. Searched this email list as well as online. Sorry to bother. Any info would be great. I appreciate your time. Thanks!!!

-Josh
Re: Auth-Type Perl instead of Auth-Type EAP?
On Sat, Feb 26, 2011 at 12:57 AM, Alan DeKok al...@deployingradius.com wrote:

> Josh Richard wrote:
>> The FR server currently is using rlm_perl to handle authentication and
>
> Please, no. Authentication includes things like EAP. Doing EAP in Perl is not a good idea.

I was not going to use EAP in Perl, but use Perl to handle additional logic to determine goodness or badness of a client MAC address in the event of an issue. Also being able to dynamically set the user VLAN is potentially useful. Perl is only being used to handle the auth. You are correct, using RADIUS native proxying may be a better idea. Thanks.

>> I wrote some Perl in the rlm_perl code that uses Perl's Authen::Radius to proxy the lookup to a different production FR server containing the set of all users. Neat.
>
> Uh... that is an incredibly bad idea. FreeRADIUS already does proxying. Why do it in Perl? You're going to get it wrong.

Not wrong, just different. Again, loud and clear.

> Yes. See raddb/sites-enabled/inner-tunnel
>
>> Do I need to overload anything in eap.conf?
>
> No.

Thanks for the direction on the above. Combining both answers to this thread yields a TTLS/PAP solution which avoids challenge-response.

> But in general, this is a terrible idea. FreeRADIUS has proxying and DB plugins. Redoing all of that in Perl is asking for un-needed complexity.

In general I agree it may be terrible, but there are aspects of this approach which may yield a more flexible solution... Again, thank you.

-josh
Auth-Type Perl instead of Auth-Type EAP?
Hello list,

After a bit of digging, I would like to ask a question to ensure this idea is even possible. :)

I am running FR 2 on Debian. What I would like to do is have a WPA2 PEAP/MS-CHAPv2 Cisco wireless SSID hook into the FR server above. The FR server currently is using rlm_perl to handle authentication and this does work with FR running with -x and a client test using radtest:

    Sending Access-Request of id 184 to ip port 1812
            User-Name = jrichar4
            User-Password = removed
            NAS-IP-Address = 127.0.1.1
            NAS-Port = 10
    rad_recv: Access-Accept packet from host ip port 1812, id=184, length=20

on the server I see:

    rlm_perl: Added pair User-Name = jrichar4
    rlm_perl: Added pair User-Password = removed
    rlm_perl: Added pair NAS-IP-Address = 127.0.1.1
    rlm_perl: Added pair NAS-Port = 10
    rlm_perl: Added pair Crypt-Password = removed
    rlm_perl: Added pair Auth-Type = Perl

I wrote some Perl in the rlm_perl code that uses Perl's Authen::Radius to proxy the lookup to a different production FR server containing the set of all users. Neat. I hope to use this server to flip VLANs using $RAD_REPLY{'Tunnel-Private-Group-ID'} based on an eventual db lookup to control wireless machine infections without mutzing with an existing server.

When the SSID is wired in, we see this:

    [peap] Got inner identity 'jrichar4'
    # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
    rlm_perl: Added pair User-Name = jrichar4
    rlm_perl: Added pair EAP-Message = 0x0206000c016d736865746b61
    rlm_perl: Added pair EAP-Type = Identity
    rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
    rlm_perl: Added pair Crypt-Password = *
    rlm_perl: Added pair Auth-Type = EAP
    rlm_perl: Added pair Proxy-To-Realm = LOCAL
    rlm_perl: Added pair EAP-Type = MS-CHAP-V2

I would prefer to use Auth-Type = Perl in the EAP inner tunnel. Is this possible? I am hoping something simple is amiss as this is close to working!

I have only:

    DEFAULT Auth-Type = Perl

in users.

In inner-tunnel I have:

    authenticate {
        Auth-Type Perl {
            perl
        }
        ...
        eap
    }

Do I need to overload anything in eap.conf?

Thank you all and kind regards,

Josh Richard
University of Minnesota Duluth
USA
vlan assignment in radius reply when using eap/peap
Hello,

I have working setups of MAC authentication where I use MySQL and use radgroupreply to hand out the appropriate VLANs to my HP ProCurve switches based on what MAC address is authenticating. I also have working setups for EAP/PEAP where I use the mschapv2 module to auth off a Samba server via ntlm_auth. What I'd like to do is hand out VLANs in my EAP/PEAP setup similar to how I'm doing it via MySQL and MAC auth. How are others out there handing out VLANs in your EAP-PEAP setups? Thanks for any help and ideas! I use freeradius versions from 2.1.6 to 2.1.9.

-Josh
Simultaneous Use
Hello,

Quick question: how do I restrict simultaneous use on a user-by-user basis in the users file?

Thank you.
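Added example users-file entries for the two questions above (VLAN assignment for EAP/PEAP, and per-user Simultaneous-Use); they are mine, not from either post or from the FreeRADIUS distribution. They assume FreeRADIUS 2.x, the stock ntdomain realm module running before files in authorize (so Realm and Stripped-User-Name exist when the users file is read), HP ProCurve switches as the NAS, and VLAN IDs 110/120 as placeholders.

```unlang
#  raddb/users  (added example entries)
#  Check items on the first line must all match; the indented reply items
#  are returned to the NAS. Realm is added by the ntdomain realm module.
#
#  VLAN assignment uses the RFC 3580 tunnel attributes the switch expects.
#  For PEAP these entries are matched in the inner-tunnel server against
#  the tunnelled identity, and the reply reaches the NAS only when eap.conf
#  has use_tunneled_reply = yes. Tunnel-Private-Group-Id is a string.
DEFAULT	Realm == "ISD"
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = "110",
	Fall-Through = Yes

DEFAULT	Realm == "HTN"
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = "120",
	Fall-Through = Yes

#  Simultaneous-Use is a check item, set with ':=' so it becomes a control
#  attribute; after authentication the server runs the 'session' section
#  (radutmp or sql) to count live sessions and rejects when the limit is
#  reached. The name on the left is the one the files module keys on,
#  i.e. Stripped-User-Name when a realm module removed the domain.
josh	Simultaneous-Use := 1
	Fall-Through = Yes

#  Everybody else: at most two concurrent sessions.
DEFAULT	Simultaneous-Use := 2
	Fall-Through = Yes
```

Simultaneous-Use is only enforced if the virtual server that matched the entry has a session section (session { radutmp } in the stock default server) and the NAS sends Accounting-Start/Stop, because the live-session count comes from accounting, not from authentication; with PEAP that means the limit belongs in the outer default server, where accounting arrives. Check the effect with radiusd -X: a rejected second login reports "Multiple logins" in the debug output.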
Re: Run user defined scripts on client connect and disconnect
Hello,

I looked at the included modules and read a lot of documentation, but I seem to be missing the general concept. Could someone please give me a detailed rundown of which files to edit (and what to edit) in order to execute a shell script during accounting and post-auth? This would be greatly appreciated.

Thank you,
Josh Willmarth

On Thu, Feb 4, 2010 at 11:34 PM, Alan DeKok al...@deployingradius.com wrote:

> Josh Willmarth wrote:
>> I have a radius server setup with version 2.1.8. Is there a way that I can have custom scripts run each time a user successfully connects to and disconnects from my radius server? If so, what environment variables can be passed to these scripts? Sorry if I missed this in the documentation, but I was unable to find the exact answer I am looking for.
>
> See raddb/modules/exec
>
> Alan DeKok.
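Added example answering the two questions in this thread (which files to edit, and what the script receives); the instance names and script paths are placeholders of mine, not from the posts or from the FreeRADIUS distribution. It assumes FreeRADIUS 2.x and the stock sites-enabled/default.

```unlang
#  raddb/modules/notify  (added example; instance names and paths are my choice)
#  rlm_exec hands the request attributes to the program as environment
#  variables: the attribute name upper-cased with '-' replaced by '_', so
#  a script sees USER_NAME, CALLING_STATION_ID, NAS_IP_ADDRESS,
#  ACCT_STATUS_TYPE, ACCT_SESSION_ID and so on. wait = no forks the
#  program without blocking the request; that also means its exit code and
#  output cannot change the reply, which is what you want for a notifier.
exec notify_connect {
	wait = no
	program = "/usr/local/sbin/radius-on-connect"
	input_pairs = request
	shell_escape = yes
}

exec notify_disconnect {
	wait = no
	program = "/usr/local/sbin/radius-on-disconnect"
	input_pairs = request
	shell_escape = yes
}

#  raddb/sites-enabled/default
#  post-auth runs only for Access-Accept (rejects take the REJECT
#  sub-section), so a successful authentication fires the connect hook.
post-auth {
	notify_connect
	Post-Auth-Type REJECT {
		attr_filter.access_reject
	}
}

#  Disconnects are only visible in accounting, and only if the NAS is
#  configured to send Accounting-Request packets to this server.
#  Accounting Start is the alternative "connected" signal if the session
#  start should be tied to the NAS rather than to the Access-Accept.
accounting {
	detail
	if (Acct-Status-Type == Stop) {
		notify_disconnect
	}
}
```

The script should read the variables and never eval them: User-Name and Calling-Station-Id are whatever the supplicant or NAS sent. shell_escape = yes only protects values expanded into program's arguments, not what the script does with its environment, and with wait = no a slow script still costs a fork per request, so keep it short and non-blocking.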
Run user defined scripts on client connect and disconnect
Hello,

I have a radius server setup with version 2.1.8. Is there a way that I can have custom scripts run each time a user successfully connects to and disconnects from my radius server? If so, what environment variables can be passed to these scripts? Sorry if I missed this in the documentation, but I was unable to find the exact answer I am looking for.

Thank you,
Josh Willmarth
Re: How to activate the certificate revocation list I created
Just wondering if anyone out there is able to provide any feedback on this? Sorry to bother. I just can't find any consistent documentation or examples out there. I have the CRL created, just need to know how to implement the crl.pem correctly. Thanks!

> Hello,
>
> I have been searching for documentation on activating a certificate revocation list I just created with openssl. It is a crl.pem signed by my CA cert. I just need freeradius to reference it so that the one certificate I revoked gets denied on authentication. Here is what I have so far in my eap.conf (I am running freeradius 2.1.3 on RHEL):
>
>     crl_file = ${raddbdir}/certs/makecertificates/issued/crl.pem
>     check_crl = yes
>     CA_path = ${raddbdir}/certs/makecertificates/issued/
>
> Are these lines correct? Are any lines I have up there unnecessary? Also, do I need to have my CA certificate in the same directory as the crl.pem file? It seems to hint towards that in the eap.conf file.
>
> Thanks for any help
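Added example of the tls settings the CRL question asks about; it is mine, not the poster's eap.conf, and follows the directory layout the stock 2.x eap.conf uses (${confdir}/certs), so the poster's directory names go in place of those. The point the post misses is that OpenSSL does not read the CRL by file name: with check_crl enabled it looks in CA_path for files named by the hash of the issuer's subject, which is what c_rehash produces, and the CA certificate must be in that same directory so the hashed lookup finds both.

```unlang
#  raddb/eap.conf, tls sub-section  (added example; paths are the stock layout)
tls {
	certdir = ${confdir}/certs
	cadir = ${confdir}/certs
	private_key_file = ${certdir}/server.key
	certificate_file = ${certdir}/server.pem
	CA_file = ${cadir}/ca.pem
	dh_file = ${certdir}/dh

	#  CRL checking of client certificates (EAP-TLS):
	#    1) copy the CA certificate(s) and crl.pem into the CA_path directory
	#    2) run  c_rehash <that directory>  (an OpenSSL tool) so it contains
	#       <hash>.0 -> ca.pem and <hash>.r0 -> crl.pem links
	#    3) set check_crl = yes and restart radiusd
	#  Repeat steps 1-2 every time the CRL is regenerated: once check_crl is
	#  on, a CRL that is missing or past its nextUpdate makes OpenSSL fail
	#  every client certificate, not just the revoked one.
	CA_path = ${cadir}
	check_crl = yes
}
```

Test it with one revoked and one valid client certificate under radiusd -X: the revoked one must fail the TLS handshake with a certificate-revoked error, and the valid one must still succeed; if both fail, the hashed links or the CRL's validity period are wrong.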
Question on proxying requests
Have a question on proxying requests in FreeRADIUS. I know how to proxy requests to other radius servers via the proxy.conf based on domain etc. I would like to have one radius server and authenticate off multiple domain controllers based on domain using ntlm_auth. Right now I see that you can only configure ntlm_auth in the mschapv2 module in /etc/raddb/modules. This works fine for one domain. But if a user from domain ISD wants to authenticate on our wireless, I want the radius server to authenticate on the ISD file server (it's a Samba server). If the user is in the HTN domain I would like the radius server to authenticate off the HTN domain controller. Or maybe ntlm_auth isn't the way to do this? Maybe I'm looking at this the wrong way? Any ideas to get this to work or any other better ideas? Thanks!

-Josh
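Added example of doing this with FreeRADIUS's own proxying instead of one ntlm_auth per domain; it is mine, not the poster's configuration or the project's stock file. It assumes FreeRADIUS 2.x, one RADIUS server per domain (each running ntlm_auth against the winbind of its own domain), the stock ntdomain realm module, and placeholder addresses, secrets and names. ntlm_auth on the proxy can only ask the winbind of the domain this host is joined to (and domains that trust it), so a single server cannot authenticate directly against two unrelated Samba domains; proxying the inner request by realm is the native way, and it is the same mechanism the "Auth-Type Perl" thread on this page was steered towards.

```unlang
#  raddb/proxy.conf  (added example; addresses, secrets and names are placeholders)
home_server isd_radius {
	type = auth
	ipaddr = 192.0.2.10
	port = 1812
	secret = ChangeMe-ISD-long-random-secret
	require_message_authenticator = yes
	status_check = status-server
	check_interval = 30
}

home_server htn_radius {
	type = auth
	ipaddr = 192.0.2.20
	port = 1812
	secret = ChangeMe-HTN-long-random-secret
	require_message_authenticator = yes
	status_check = status-server
	check_interval = 30
}

home_server_pool isd_pool {
	type = fail-over
	home_server = isd_radius
}

home_server_pool htn_pool {
	type = fail-over
	home_server = htn_radius
}

#  The ntdomain realm module (format = prefix, delimiter = "\\") turns
#  "ISD\josh" into Stripped-User-Name = josh and Realm = ISD and, because
#  this realm has an auth_pool, sets Proxy-To-Realm = ISD. 'nostrip' keeps
#  the full ISD\josh in the forwarded User-Name so the home server's
#  ntlm_auth still sees the domain.
realm ISD {
	auth_pool = isd_pool
	nostrip
}

realm HTN {
	auth_pool = htn_pool
	nostrip
}

#  raddb/sites-enabled/inner-tunnel, authorize (other stock entries unchanged):
#  ntdomain must run before eap so the realm decision is made on the inner
#  identity, which is the stock order. With peap { proxy_tunneled_request_as_eap = yes }
#  in eap.conf the inner EAP-MSCHAPv2 is forwarded as EAP, and the home
#  server authenticates it against its own domain.
server inner-tunnel {
	authorize {
		ntdomain
		eap
	}
}
```

The PEAP TLS tunnel still terminates on this server; only the inner MS-CHAPv2 exchange crosses to the home server, over a RADIUS link protected by the shared secret and Message-Authenticator, so each home server needs a distinct long secret and should accept this proxy as a client with require_message_authenticator on its side as well.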
How to activate the certificate revocation list I created
Hello,

I have been searching for documentation on activating a certificate revocation list I just created with openssl. It is a crl.pem signed by my CA cert. I just need freeradius to reference it so that the one certificate I revoked gets denied on authentication. Here is what I have so far in my eap.conf (I am running freeradius 2.1.3 on RHEL):

    crl_file = ${raddbdir}/certs/makecertificates/issued/crl.pem
    check_crl = yes
    CA_path = ${raddbdir}/certs/makecertificates/issued/

Are these lines correct? Are any lines I have up there unnecessary? Also, do I need to have my CA certificate in the same directory as the crl.pem file? It seems to hint towards that in the eap.conf file.

Thanks for any help
Re: Possible bug in rlm_perl
On Apr 21, 2009, at 5:21 AM, t...@kalik.net wrote:

>> I think I may have found a bug in rlm_perl?
>
> No, you broke it.
>
>> #The following line cleans two of the slashes \\ out of the user-name before we return from the
>> #perl module. These two slashes get added in. I'm not sure how or why.
>> $RAD_REQUEST{'User-Name'} =~ s/^$domain\\/ $domain/;
>
> Extra slashes are escaping slashes in the username. Leave them alone.
>
> Ivan Kalik
> Kalik Informatika ISP

Ok, but if I do not filter out the extra slashes then after the perl module returns, freeradius gives the error that the User-Name field does not match the PEAP identity. Then it shows the User-Name with too many slashes (four slashes). If, in my perl module, I filter out two slashes then everything works fine except for usernames that begin with t. If I just use regular usernames (without the domain name ISD\\) then the perl module works fine. Since Windows XP machines send the domain with the username by default, I must find some way to cope with the slashes. My perl module is very short. If I eliminate everything but a simple return_ok I STILL get the error that the User-Name does not match the EAP identity. So, if I simply enter the module and immediately return and still get an error that user-name does not match the EAP identity, is this still me? I always must filter out the extra slashes ONLY if the username contains a domain.

Thanks!
-Josh
Possible bug in rlm_perl
I think I may have found a bug in rlm_perl? I have written a script with the aid of another freeradius list member that checks to see if a user is in a certain Samba Windows group. If they are not in the group (the wireless group) the module rejects the login. The module works perfectly except for those users whose usernames begin with the letter t. For instance ISD\josh will succeed but ISD\\ted will fail. I have done much testing and can't find my script to be the issue. Look below for debug output for the perl module. Notice that right after the ++[files] line I print out the radius items for debugging. Notice the User-Name value is correct going into the perl script. Notice on the exit of the perl script on each debug that the username is correct. Then notice later in each debug where these lines are:

    Login OK: [ISD\\josh] (from client CCISD-REMC-Radius port 0 via TLS tunnel)

but when the username begins with a t it fails here like this:

    Login incorrect: [ISD\tbraun] (from client CCISD-REMC-Radius port 0 via TLS tunnel)

Notice only one backslash. I have tried to make it succeed by adding backslashes (for users that start with t) but no success. It will do ISD\\\tbraun and ISD\tbraun but never ISD\\tbraun. Therefore, with users that start with t I always get the "User-name does not match eap identity" failure. Thanks for any help. At the very bottom after the debug output you will find my simple perl script that is well commented.

-Josh

--- Successful attempt ---

    ++[files] returns noop
    They key is User-Name and the value is ISD\\josh.
    They key is EAP-Message and the value is 0x020900061a03.
    They key is EAP-Type and the value is MS-CHAP-V2.
    They key is State and the value is 0xfeecb38bffe5a965a0ca1cd92ce6c42b.
    They key is FreeRADIUS-Proxied-To and the value is 127.0.0.1.
    rlm_perl: Added pair User-Name = ISD\josh
    rlm_perl: Added pair EAP-Message = 0x020900061a03
    rlm_perl: Added pair EAP-Type = MS-CHAP-V2
    rlm_perl: Added pair State = 0xfeecb38bffe5a965a0ca1cd92ce6c42b
    rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
    rlm_perl: Added pair Auth-Type = EAP
    rlm_perl: Added pair Proxy-To-Realm = LOCAL
    ++[perl] returns updated
    ++[expiration] returns noop
    ++[logintime] returns noop
    ++[pap] returns noop
    Found Auth-Type = EAP
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/mschapv2
    [eap] processing type mschapv2
    [eap] Freeing handler
    ++[eap] returns ok
    Login OK: [ISD\\josh] (from client CCISD-REMC-Radius port 0 via TLS tunnel)
    } # server inner-tunnel
    [peap] Got tunneled reply code 2
            EAP-Message = 0x03090004
            Message-Authenticator = 0x
            User-Name = ISD\\josh
    [peap] Got tunneled reply RADIUS code 2
            EAP-Message = 0x03090004
            Message-Authenticator = 0x
            User-Name = ISD\\josh
    [peap] Tunneled authentication was successful.
    [peap] SUCCESS
    [peap] Saving tunneled attributes for later

--- End snip of successful attempt ---

--- Failed attempt from user whose username begins with a t (tbraun) ---

    ++[files] returns noop
    They key is User-Name and the value is ISD\\tbraun.
    They key is EAP-Message and the value is 0x0207000f014953445c74627261756e.
    They key is EAP-Type and the value is Identity.
    They key is FreeRADIUS-Proxied-To and the value is 127.0.0.1.
    rlm_perl: Added pair User-Name = ISD\tbraun
    rlm_perl: Added pair EAP-Message = 0x0207000f014953445c74627261756e
    rlm_perl: Added pair EAP-Type = Identity
    rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
    rlm_perl: Added pair Auth-Type = EAP
    rlm_perl: Added pair Proxy-To-Realm = LOCAL
    rlm_perl: Added pair EAP-Type = MS-CHAP-V2
    ++[perl] returns updated
    ++[expiration] returns noop
    ++[logintime] returns noop
    ++[pap] returns noop
    Found Auth-Type = EAP
    +- entering group authenticate {...}
    [eap] Identity does not match User-Name, setting from EAP Identity.
    [eap] Failed in handler
    ++[eap] returns invalid
    Failed to authenticate the user.
    Login incorrect: [ISD\tbraun] (from client CCISD-REMC-Radius port 0 via TLS tunnel)
    } # server inner-tunnel
    [peap] Got tunneled reply code 3
    [peap] Got tunneled reply RADIUS code 3
    [peap] Tunneled authentication was rejected.
    [peap] FAILURE

--- End of snip of failed attempt ---

--- Begin paste of perl script ---

    #!/usr/bin/perl -w
    use strict;
    # use ...
    use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
    use Data::Dumper;

    # This is the hash which holds the original request from radius
    #my %RAD_REQUEST;
    # In this hash you add values that will be returned to the NAS.
    #my %RAD_REPLY;
    # This is for check items
    #my %RAD_CHECK;

    #
    # This is the remapping of return values
    #
    use constant RLM_MODULE_REJECT => 0; # /* immediately reject the request */
    use constant RLM_MODULE_FAIL   => 1; # /* module failed, don't reply */
    use constant RLM_MODULE_OK     => 2; # /* the module is OK, continue */
    use constant
Re: Help checking group membership with FreeRadius
Chris Li, thanks a ton for your help. I can get this working for EAP-TLS but with EAP-PEAPv0 I get this error:

[peap] Got tunneled request
        EAP-Message = 0x020a00061a03
server {
  PEAP: Setting User-Name to ISD\josh
Sending tunneled request
        EAP-Message = 0x020a00061a03
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = ISD\\josh
        State = 0xa686dd06a78cc76c35334009429a07b1
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[IPASS] No '/' in User-Name = ISD\josh, looking up realm NULL
[IPASS] No such realm NULL
++[IPASS] returns noop
[suffix] No '@' in User-Name = ISD\josh, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[ntdomain] Looking up realm ISD for User-Name = ISD\josh
[ntdomain] Found realm ISD
[ntdomain] Adding Stripped-User-Name = josh
[ntdomain] Adding Realm = ISD
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
++[control] returns ok
[eap] EAP packet type response id 10 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
Login OK: [ISD\\josh] (from client CCISD-REMC-Radius port 0 via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 2
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x
        User-Name = josh
[peap] Got tunneled reply RADIUS code 2
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x
        User-Name = josh
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] returns handled
Sending Access-Challenge of id 8 to 172.17.10.108 port 1033
        EAP-Message = 0x010b00261900170301001b3604d13d0348525fc0da7fb57847a2e3e7c0995ef64dc26d03e5f3
        Message-Authenticator = 0x
        State = 0x18eefc7e11e5e513bc32a3648b8a8dfe
Finished request 9.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 172.17.10.108 port 1033, id=9, length=223
        User-Name = ISD\\josh
        NAS-IP-Address = 172.17.10.108
        NAS-Identifier = 00:1f:41:3a:83:b9
        NAS-Port = 2
        Called-Station-Id = 00-1F-41-3A-83-B9:CCISD-REMC1
        Calling-Station-Id = 00-0E-35-B6-74-AF
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = CONNECT 11Mbps 802.11b
        EAP-Message = 0x020b00261900170301001bf8693c66e10727a640fdd7d4432aba5afcb58462b98042741be971
        State = 0x18eefc7e11e5e513bc32a3648b8a8dfe
        Message-Authenticator = 0x406f661f705976d392674ede06796d3c
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[IPASS] No '/' in User-Name = ISD\josh, looking up realm NULL
[IPASS] No such realm NULL
++[IPASS] returns noop
[suffix] No '@' in User-Name = ISD\josh, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[ntdomain] Looking up realm ISD for User-Name = ISD\josh
[ntdomain] Found realm ISD
[ntdomain] Adding Stripped-User-Name = josh
[ntdomain] Adding Realm = ISD
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 11 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
[eap] Freeing handler
++[eap] returns ok
Login OK: [ISD\\josh] (from client CCISD-REMC-Radius port 2 cli 00-0E-35-B6-74-AF)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 9 to 172.17.10.108 port 1033
        User-Name = josh
        MS-MPPE-Recv-Key = 0x9a9849388930a1ee1c9295db2e44143488cf68c70f335118b63ec9b9c8c34572
        MS-MPPE-Send-Key = 0x3e38a97b67776c1fefba416dc6256ad27eeb7983a76f666bb1ed10985fe03cd0
        EAP-Message = 0x030b0004
        Message-Authenticator = 0x
Finished request 10.
Going to the next request
Waking up in 4.7 seconds.
Cleaning up request 0 ID 255 with timestamp +41
Cleaning up request 1 ID 0 with timestamp +41
Cleaning up request 2 ID 1 with timestamp +41
Cleaning up request 3 ID 2 with timestamp +41
Cleaning up request 4 ID 3 with timestamp +41
Cleaning up request 5 ID 4 with timestamp +41
Cleaning up request 6 ID 5 with timestamp +41
Cleaning up request 7 ID 6 with timestamp +41
Cleaning up request 8 ID 7 with timestamp +41
Help checking group membership with FreeRadius
Currently we have a RADIUS server that performs authentication off our Samba domain controller for wireless users. This works great. I would like to limit users so they must be a member of the wireless group in order to connect. Since the /etc/group file is on a different server I believe I cannot use the etc_group module. Also, in order to use that module the user must have a valid account on the RADIUS server as well. Any ideas on checking group membership?

I use ntlm_auth in the mschap module for authentication in FreeRADIUS ver 2.1.3-1.

Here is the string in the users file to limit to the wireless group (it's all on one line, email may wrap it):

DEFAULT Called-Station-Id =~ CCISD-REMC1, Group != wireless, Auth-Type := Reject

Here is my ntlm_auth line:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=ISD --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

Thanks for any help =D
Some help with the Users file
I want to make it so that users who use EAP-PEAPv0 have to be in the wireless group to log on. I have this set in the users file:

DEFAULT Called-Station-Id =~ CCISD-REMC1, Group != wireless, Auth-Type := Reject

This works great, buuut I have successfully set up EAP-TLS. What is the appropriate way to continue to limit users to be in the wireless group to connect? I have the common name of the certificate set to the user's login, so if a user logs in with the username josh then that is the common name of the certificate. Will FreeRADIUS use this same username to check against the wireless group? I don't want to break EAP-TLS with the above DEFAULT statement. Any advice would be appreciated. Thanks for your time!!!

-Josh
Re: Help setting up machine auth with peap
a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
> I do see the Exec-Program output: Must change password (0xc224) which to me means the computer account password has expired? I tried removing and re-adding the computer to the domain but get the same error.
>
> you are right - the password needs changing - this is MS proprietary code so what you need to do is let this client talk to the AD/domain - ie put it on normal network and let it do its thing. once the client and domain are in sync, this will work.

I have done this, I even took a fresh laptop and joined it to the domain. Moved it to wireless and get the same results =(. Just wondering if anyone had any ideas or has run into this before? I have a Samba PDC. Is that what you have too? Thanks!

> Any ideas? Anyone else successfully doing PEAPv0 auth with machine accounts and ntlm_auth?
>
> yes, thanks - it works fine.
>
> alan
Help setting up machine auth with peap
Have a RADIUS box set up and am using ntlm_auth to authenticate PEAPv0 with MSCHAPv2 in the inner tunnel off a Samba PDC. All normal users authenticate fine. When I try to authenticate using the machine account I get this:

[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for host/cc2 with NT-Password
[mschap]        expand: --username=%{mschap:User-Name:-None} -> --username=cc2$
[mschap] setting NT-Domain to same as machine name
[mschap]        expand: --domain=%{mschap:NT-Domain:-ISD} -> --domain=cc2
[mschap]  mschap2: bc
[mschap]        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=857e792244c9e024
[mschap]        expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=0e44e0288f3f64004f58718f93e09c629670ab97d1e997bf
Exec-Program output: Must change password (0xc224)
Exec-Program-Wait: plaintext: Must change password (0xc224)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect: [host/cc2] (from client CCISD-REMC-Radius port 0 via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 3
        MS-CHAP-Error = \010E=691 R=1
        EAP-Message = 0x04080004
        Message-Authenticator = 0x
[peap] Got tunneled reply RADIUS code 3
        MS-CHAP-Error = \010E=691 R=1
        EAP-Message = 0x04080004
        Message-Authenticator = 0x
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 71 to 172.17.10.108 port 1033
        EAP-Message = 0x010900261900170301001b34bc45f7fbc2e102f7ec6da756ce808f27d99f1074294fb3b5b69c
        Message-Authenticator = 0x
        State = 0xb410f68ebc19efa88b187555f468f0ff
Finished request 18.

I do see the Exec-Program output: Must change password (0xc224) which to me means the computer account password has expired? I tried removing and re-adding the computer to the domain but get the same error. Any ideas? Anyone else successfully doing PEAPv0 auth with machine accounts and ntlm_auth? Thanks for any help.
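In the debug output above, as in the PEAP reject snippet at the end of the logging thread, the user name and the ntlm_auth failure reason appear only on the inner-tunnel "Login incorrect" line; the outer request carries the calling station instead. The script below is an added example (not FreeRADIUS code) that pulls those lines out of a radiusd -X capture and counts rejects per identity; the sample log is constructed from the lines quoted in these posts, and the 2.x line formats are assumed.

```python
"""Summarise FreeRADIUS 'radiusd -X' debug output by authentication outcome.

Added example, not part of FreeRADIUS. Assumes the 2.x debug line formats
quoted in this thread; the sample log below is constructed from them.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# "Login OK:" / "Login incorrect:" lines as printed by FreeRADIUS 2.x.
# Inner-tunnel results carry "via TLS tunnel"; outer results carry the
# calling station ("cli <mac>"), so the two can be told apart.
LOGIN_RE = re.compile(
    r"^Login (?P<outcome>OK|incorrect): \[(?P<user>[^\]]+)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)"
    r"(?: cli (?P<cli>\S+))?(?P<tunnel> via TLS tunnel)?\)"
)

# Lines that explain an upcoming reject. The first one seen wins, because
# the ntlm_auth output is more specific than the generic mschap message.
REASON_RES = [
    re.compile(r"^Exec-Program output: (?P<reason>.+)$"),
    re.compile(r"^\[mschap\] FAILED: (?P<reason>.+)$"),
]


@dataclass
class AuthEvent:
    outcome: str            # "OK" or "incorrect"
    user: str               # as printed, e.g. "host/cc2" or "ISD\\josh"
    client: str             # NAS short name from clients.conf
    port: int
    tunneled: bool          # True inside the inner-tunnel virtual server
    cli: Optional[str]      # Calling-Station-Id on outer requests
    reason: Optional[str]   # why the reject happened, if the log said


def parse_debug(text: str) -> List[AuthEvent]:
    """Walk the debug output and emit one AuthEvent per Login line."""
    events: List[AuthEvent] = []
    pending_reason: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if pending_reason is None:
            for rx in REASON_RES:
                m = rx.match(line)
                if m:
                    pending_reason = m.group("reason")
                    break
        m = LOGIN_RE.match(line)
        if not m:
            continue
        rejected = m.group("outcome") == "incorrect"
        events.append(AuthEvent(
            outcome=m.group("outcome"),
            user=m.group("user"),
            client=m.group("client"),
            port=int(m.group("port")),
            tunneled=m.group("tunnel") is not None,
            cli=m.group("cli"),
            reason=pending_reason if rejected else None,
        ))
        pending_reason = None   # a reason belongs to the next Login line only
    return events


def reject_summary(events: List[AuthEvent]) -> Dict[str, int]:
    """Count rejects per identity, inner-tunnel identities included."""
    counts: Dict[str, int] = {}
    for ev in events:
        if ev.outcome == "incorrect":
            counts[ev.user] = counts.get(ev.user, 0) + 1
    return counts


# Constructed sample, modelled on the debug output quoted in this thread.
# FreeRADIUS prints the backslash in the outer identity escaped ("ISD\\josh").
SAMPLE_DEBUG = r"""
[mschap] Told to do MS-CHAPv2 for host/cc2 with NT-Password
Exec-Program output: Must change password (0xc224)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Login incorrect: [host/cc2] (from client CCISD-REMC-Radius port 0 via TLS tunnel)
} # server inner-tunnel
[peap] Tunneled authentication was rejected.
Login OK: [ISD\\josh] (from client CCISD-REMC-Radius port 2 cli 00-0E-35-B6-74-AF)
[eap] Failed in handler
Login incorrect: [ISD\tbraun] (from client CCISD-REMC-Radius port 0 via TLS tunnel)
"""

if __name__ == "__main__":
    for ev in parse_debug(SAMPLE_DEBUG):
        where = "inner tunnel" if ev.tunneled else "outer request"
        print(f"{ev.outcome:9} {ev.user:12} {where:13} {ev.reason or ''}")
    print(reject_summary(parse_debug(SAMPLE_DEBUG)))
```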
Re: eap-tls configuration not running...
The same thing happens to me. I have PEAPv0 and TTLS working but EAP-TLS refuses to work with XP. t...@kalik.net on the list was very helpful in finding that XP was ignoring the challenge because it could not find an acceptable client cert even though one was present with the correct OIDs. We never came to a resolution though as I most likely got busy. I was signing the client cert with the CA etc... I even sent my CA and cert to tnt and nothing was wrong. Good luck, and let me know if you have success.

-Josh

Alan DeKok wrote:
> fabien.cret...@novelis.com wrote:
> My server is now accepting the eap authentication, but is sending after this accept an access challenge to the client. It seems that the client ignores the access challenge sent by the server !! Any idea ??
>
> Have you tried reading the FAQ?
>
> Alan DeKok.
Authenticating machine accounts off smbpasswd using the passwd module.
I am trying to set up machine authentication via PEAPv0. I have authentication working if I use a regular username and password stored in /etc/samba/smbpasswd. When I check the "authenticate as computer" box in the Windows XP supplicant and run radiusd in debug mode, Windows sends the machine username as host\machinename. I set up a host\ realm to strip off the host part, but then I noticed that all machine accounts in /etc/smbpasswd are in full capitalization regardless of the capitalization of the machine name. For instance, the machine name of the computer is cc2 but the machine account is stored in smbpasswd as CC2! So I manipulated the entry to be lower case to see if that would authenticate the machine. Nope: FreeRADIUS reads the last value in the machine account entry in the smbpasswd file as the account control entry (which is correct) and the mschap module says the account is disabled or a special account (which it is) and fails authentication.

My question is... can I authenticate machines using the passwd module and the smbpasswd file? I cannot use the ntlm_auth method. I am running FreeRADIUS on the same server as the domain controller and for some reason ntlm_auth cannot find a domain controller when run on the same machine. It can if run on a separate box. Running FreeRADIUS on a separate box is not an option, so I must use /etc/smbpasswd.

Thanks!
-Josh
Is it possible to have eap-peapv0 connect before xp shows logon box?
So, I was going to use EAP-TLS to have the Windows XP workstations sign into the wireless network before the user logs on (by assigning a cert to the machine account), but TLS is not working for users or machines and I would like to have a backup. I have EAP-PEAPv0 and EAP-TTLS working fine, but they require a client username and password to connect and those are not supplied until the user logs in. We have many clients here on roaming profiles, so their profiles time out if I set them to PEAP or TTLS since the wireless doesn't fire up in time after they log in.

Is there a way to get PEAP or TTLS (with TTLS I use the SecureW2 client) to connect before the user logs on? I know that sounds lame because PEAP and TTLS need a username and password... but maybe we can assign it statically in the background to the machine account or something? What are others doing? I really don't want WPA2-AES with a PSK.

Thanks for any ideas. Hopefully I can get the EAP-TLS thing sorted out with help but would like a backup plan.

-Josh
Re: [ Re: eap-ttls failing]
t...@kalik.net wrote:
> list. I would think that what I am doing is fairly popular? Why are more people not complaining? This is too bad and if true, very poor.
>
> Can you post the eapol.log and wzctrace.log for the same attempt. I'll dig through that and see if I can find what is going on.
>
> Ivan Kalik
> Kalik Informatika ISP

Ivan, can I send the email directly to your email address? lists.freeradius.org is rejecting my email because the body of the message exceeds 100k (it is 536k with the log attachments). It says it is waiting for a moderator to approve the post but it's been about 8 hours with no approval. Let me know, and thanks for your help!

-josh
Re: eap-ttls failing
Josh Hiner wrote:
> I have a Ruckus ZoneDirector 1025 with WAPs that I just installed. Testing out different EAP types I can use. I am using FreeRADIUS 2.1.3. I have EAP-TTLS and EAP-PEAPv0 working perfectly (I am using Windows to control the wireless card for PEAP and it works great). Was going to try EAP-TLS by assigning a client certificate to the machine account so the computer account authenticates on the wireless and then the user can log into the domain. I did this and get errors. It kind-of looks to me that the Zone Director is not sending the correct EAP message for EAP-TLS.
>
> No you are forcing Auth-Type Reject in users file:
>
> [files] users: Matched entry DEFAULT at line 226
>
> Ivan Kalik
> Kalik Informatika ISP
>
> Ok thanks. I did take that out (whoops) and now I see no explicit failure but when it hits the authentication section it just stops (never authenticates the client). I tried sticking the common name (user-name) in /etc/raddb/users to see if I could rig it up to authenticate. It hits an OK for the files section but still does not authenticate the XP client. I don't think I should need anything in the users file, correct? Here is output from radiusd (version info etc.. at top of this message). Thanks for any help.
>
> -Josh
>
> Oh, and to add, the certificate does have this: Client Authentication purpose is 1.3.6.1.5.5.7.3.2 enabled (verified). Just wanted to clarify that I did read the FreeRADIUS Wiki FAQ.
>
> thanks
> -Josh
>
> Server is happy, supplicant isn't. Enable tracing and read the eapol.log:
> http://support.microsoft.com/kb/894568
>
> Ivan Kalik
> Kalik Informatika ISP
>
> Once again, thanks for the help. It was indeed the supplicant.
>
> -Josh

Whoops, I thought I solved this but I didn't. I tried setting up EAP-TLS on a few different laptops each using Windows XP to configure EAP-TLS (not the wireless card client). I get the same results there. I have nothing in my /etc/raddb/users file. I tried putting:

josh Auth-Type := eap
Auth-Type := Accept

to kind of see if I was missing something. Do I need anything in the /etc/raddb/users for EAP-TLS?

On the XP client I also notice that even though I have the Certificate Authority installed, the client certificate reports: Windows does not have enough information to verify this certificate. I figured that the certificate chain was broken. As a test, I imported the server certificate and stuck it in the Trusted root authorities section. This completed the chain (since the client cert was signed off the server cert which is what the make client does in /etc/raddb/certs). But, of course, the server cert is not meant to be a cert authority so Windows XP complains about this. I turned off Verify Certificate Authority in the Windows XP EAP-TLS setup to see if that would help. It did not. Would this broken cert chain cause the issue I am having of authentication just stopping?

As far as I can see, I've followed all instructions on making the certs, verifying the right OIDs in each cert, and configuring FreeRADIUS? Here is another radiusd debug just in case anyone can see anything else. I cannot see an error. I have turned debugging on for the Windows XP wireless supplicant but really cannot see anything in there that points to a clear answer. I also tried a few laptops with different cards but also using Windows XP as the wireless client. Same thing, so I must be missing something. Thanks for any help.

Here is the debug:

Ready to process requests.
rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=19, length=172
        User-Name = josh
        NAS-IP-Address = 172.17.10.108
        NAS-Identifier = 00:1f:41:3a:82:f9
        NAS-Port = 2
        Called-Station-Id = 00-1F-41-3A-82-F9:CCISD-REMC1
        Calling-Station-Id = 00-16-B6-5C-AC-DD
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = CONNECT 11Mbps 802.11b
        EAP-Message = 0x0209016a6f7368
        Message-Authenticator = 0x0c726a7e3ac712cf547eebe096cf72c1
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = josh, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[ntdomain] No '\' in User-Name = josh, looking up realm NULL
[ntdomain] No such realm NULL
++[ntdomain] returns noop
[eap] EAP packet type response id 0 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap
Re: eap-ttls failing
Josh Hiner wrote:
> t...@kalik.net wrote:
> Whoops, I thought I solved this but I didn't. I tried setting up EAP-TLS on a few different laptops each using Windows XP to configure EAP-TLS (not the wireless card client). I get the same results there. I have nothing in my /etc/raddb/users file. I tried putting:
>
> josh Auth-Type := eap
> Auth-Type := Accept
>
> Don't do that. Don't force Auth-Type. It's not going to help and it will break everything else.
>
> On the XP client I also notice that even though I have the Certificate Authority installed, the client certificate reports: Windows does not have enough information to verify this certificate. I figured that the certificate chain was broken. As a test, I imported the server certificate and stuck it in the Trusted root authorities section. This completed the chain (since the client cert was signed off the server cert which is what the make client does in /etc/raddb/certs). But, of course, the server cert is not meant to be a cert authority so Windows XP complains about this.
>
> That is the problem. Windows won't recognize server certificate as intermediate CA any more. The cure is to try signing client certificates with CA certificate instead. I have posted to the list an altered Makefile with make caclient.pem command added a few days ago. If you can't find it I will post another one this evening.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> I did find the Makefile. Thanks!
>
> I tried to do a make caclient.pem but it threw this error:
>
> openssl req -new -out caclient.csr -keyout caclient.key -config ./client.cnf
> Generating a 2048 bit RSA private key
> ...+++
> ...+++
> writing new private key to 'caclient.key'
> -
> openssl ca -batch -keyfile ca.key -cert ca.pem -in caclient.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out caclient.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
> Using configuration from ./client.cnf
> wrong number of fields on line 1 (looking for field 6, got 1, '' left)
> make: *** [caclient.crt] Error 1
>
> I don't need to re-do my CA and server cert prior to making the client certs, do I?

Ha, never mind. My index.txt file was messed up.

-josh
Re: eap-ttls failing
t...@kalik.net wrote:
> Whoops, I thought I solved this but I didn't. I tried setting up EAP-TLS on a few different laptops each using Windows XP to configure EAP-TLS (not the wireless card client). I get the same results there. I have nothing in my /etc/raddb/users file. I tried putting:
>
> josh Auth-Type := eap
> Auth-Type := Accept
>
> Don't do that. Don't force Auth-Type. It's not going to help and it will break everything else.
>
> On the XP client I also notice that even though I have the Certificate Authority installed, the client certificate reports: Windows does not have enough information to verify this certificate. I figured that the certificate chain was broken. As a test, I imported the server certificate and stuck it in the Trusted root authorities section. This completed the chain (since the client cert was signed off the server cert which is what the make client does in /etc/raddb/certs). But, of course, the server cert is not meant to be a cert authority so Windows XP complains about this.
>
> That is the problem. Windows won't recognize server certificate as intermediate CA any more. The cure is to try signing client certificates with CA certificate instead. I have posted to the list an altered Makefile with make caclient.pem command added a few days ago. If you can't find it I will post another one this evening.
>
> Ivan Kalik
> Kalik Informatika ISP

I did find the Makefile. Thanks!

I tried to do a make caclient.pem but it threw this error:

openssl req -new -out caclient.csr -keyout caclient.key -config ./client.cnf
Generating a 2048 bit RSA private key
...+++
...+++
writing new private key to 'caclient.key'
-
openssl ca -batch -keyfile ca.key -cert ca.pem -in caclient.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out caclient.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
Using configuration from ./client.cnf
wrong number of fields on line 1 (looking for field 6, got 1, '' left)
make: *** [caclient.crt] Error 1

I don't need to re-do my CA and server cert prior to making the client certs, do I?

Here is my client.cnf. It's almost as if it doesn't understand that it needs to take the values from [ CA_default ]

[ ca ]
default_ca = CA_default

[ CA_default ]
dir = ./
certs = $dir
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/server.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/server.key
RANDFILE = $dir/.rand
name_opt = ca_default
cert_opt = ca_default
default_days = 7300
default_crl_days = 30
default_md = sha1
preserve = no
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
localityName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
prompt = no
distinguished_name = client
default_bits = 2048
input_password = hidden
output_password = hidden

[client]
countryName = US
stateOrProvinceName = Michigan
localityName = Hancock
organizationName = REMC1
emailAddress = supp...@remc1.net
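The "wrong number of fields on line 1 (looking for field 6, got 1, '' left)" failure above comes from the CA's text database (the index.txt named by `database` in the CA_default section), not from the request or the extensions; OpenSSL expects exactly six tab-separated fields per line, and a blank line or a line whose tabs became spaces gives it one field. The checker below is an added example, not part of OpenSSL or the FreeRADIUS certs Makefile; it assumes the stock index.txt layout and uses constructed sample entries.

```python
"""Sanity-check an OpenSSL CA index.txt before running 'openssl ca'.

Added example, not OpenSSL or FreeRADIUS code. It assumes the stock text
database layout: one certificate per line, six tab-separated fields
(status, expiry, revocation date, serial, filename, subject DN).
"""
import re
import sys
from typing import List

FIELD_COUNT = 6
STATUSES = {"V", "R", "E"}                      # valid, revoked, expired
DATE_RE = re.compile(r"^(\d{12}|\d{14})Z$")     # YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ
SERIAL_RE = re.compile(r"^[0-9A-Fa-f]+$")


def check_index(text: str) -> List[str]:
    """Return human-readable problems; an empty list means the file is sane."""
    problems: List[str] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split("\t")
        if len(fields) != FIELD_COUNT:
            # This is the case behind OpenSSL's "wrong number of fields on
            # line N (looking for field 6, got 1, '' left)": a blank line,
            # or a line whose tabs were replaced by spaces.
            problems.append(
                f"line {lineno}: expected {FIELD_COUNT} tab-separated fields, "
                f"got {len(fields)}")
            continue
        status, expiry, revoked, serial, _fname, subject = fields
        if status not in STATUSES:
            problems.append(f"line {lineno}: unknown status {status!r}")
        if not DATE_RE.match(expiry):
            problems.append(f"line {lineno}: bad expiry date {expiry!r}")
        # A revoked entry carries "date" or "date,reason"; others carry nothing.
        if status == "R" and not DATE_RE.match(revoked.split(",")[0]):
            problems.append(f"line {lineno}: revoked entry lacks a revocation date")
        if status != "R" and revoked:
            problems.append(f"line {lineno}: revocation date on a non-revoked entry")
        if not SERIAL_RE.match(serial):
            problems.append(f"line {lineno}: serial {serial!r} is not hex")
        if not subject.startswith("/"):
            problems.append(f"line {lineno}: subject {subject!r} is not a DN")
    return problems


# Constructed samples; the DN mirrors the client.cnf quoted in this thread.
GOOD_INDEX = (
    "V\t290125163000Z\t\t01\tunknown\t/C=US/ST=Michigan/L=Hancock/O=REMC1/CN=josh\n"
    "R\t290125163000Z\t090127120000Z,superseded\t02\tunknown\t"
    "/C=US/ST=Michigan/L=Hancock/O=REMC1/CN=josh\n"
)
# A leading blank line and a space-separated line: both trip 'openssl ca'.
BAD_INDEX = (
    "\n"
    "V 290125163000Z  01 unknown /C=US/CN=josh\n"
)

if __name__ == "__main__":
    # Usage: python check_index.py /etc/raddb/certs/index.txt
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else BAD_INDEX
    for problem in check_index(text) or ["index.txt looks well-formed"]:
        print(problem)
```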
[ Re: eap-ttls failing]
Original Message
Subject: Re: eap-ttls failing
Date: Tue, 27 Jan 2009 11:58:54 -0500
From: Josh Hiner j...@remc1.org
To: Josh Hiner j...@remc1.org
References: o6ukdvry.1233065929.9664600@kalik.net 497f230b.1050...@remc1.org 497f237c.7020...@remc1.org

Josh Hiner wrote:
> Josh Hiner wrote:
> t...@kalik.net wrote:
> Whoops, I thought I solved this but I didn't. I tried setting up EAP-TLS on a few different laptops each using Windows XP to configure EAP-TLS (not the wireless card client). I get the same results there. I have nothing in my /etc/raddb/users file. I tried putting:
>
> josh Auth-Type := eap
> Auth-Type := Accept
>
> Don't do that. Don't force Auth-Type. It's not going to help and it will break everything else.
>
> On the XP client I also notice that even though I have the Certificate Authority installed, the client certificate reports: Windows does not have enough information to verify this certificate. I figured that the certificate chain was broken. As a test, I imported the server certificate and stuck it in the Trusted root authorities section. This completed the chain (since the client cert was signed off the server cert which is what the make client does in /etc/raddb/certs). But, of course, the server cert is not meant to be a cert authority so Windows XP complains about this.
>
> That is the problem. Windows won't recognize server certificate as intermediate CA any more. The cure is to try signing client certificates with CA certificate instead. I have posted to the list an altered Makefile with make caclient.pem command added a few days ago. If you can't find it I will post another one this evening.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> I did find the Makefile. Thanks!
>
> I tried to do a make caclient.pem but it threw this error:
>
> openssl req -new -out caclient.csr -keyout caclient.key -config ./client.cnf
> Generating a 2048 bit RSA private key
> ...+++
> ...+++
> writing new private key to 'caclient.key'
> -
> openssl ca -batch -keyfile ca.key -cert ca.pem -in caclient.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out caclient.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
> Using configuration from ./client.cnf
> wrong number of fields on line 1 (looking for field 6, got 1, '' left)
> make: *** [caclient.crt] Error 1
>
> I don't need to re-do my CA and server cert prior to making the client certs, do I?
>
> Ha, never mind. My index.txt file was messed up.
>
> -josh

Ok, made new client cert and now it shows valid and displays Provides your identity to a remote Computer as the intended purpose and on the Details tab displays the correct info etc... The Certification Path displays valid. Still same problem though (exact same problem) of just sitting there at Attempting to authenticate. Here is what just loops over and over:

Ready to process requests.
rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=66, length=172
        User-Name = josh
        NAS-IP-Address = 172.17.10.108
        NAS-Identifier = 00:1f:41:3a:82:f9
        NAS-Port = 1
        Called-Station-Id = 00-1F-41-3A-82-F9:CCISD-REMC1
        Calling-Station-Id = 00-16-B6-5C-AC-DD
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = CONNECT 11Mbps 802.11b
        EAP-Message = 0x02050009016a6f7368
        Message-Authenticator = 0x864461492a35fa412e30d0f27ea0cbf3
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = josh, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[ntdomain] No '\' in User-Name = josh, looking up realm NULL
[ntdomain] No such realm NULL
++[ntdomain] returns noop
[eap] EAP packet type response id 5 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 66 to 172.17.10.108 port 1027
        EAP-Message = 0x010600060d20
        Message-Authenticator = 0x
        State = 0xca0fec0fca09e1323ddcba98066d48ce
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=67, length=261
        User-Name = josh
        NAS-IP-Address = 172.17.10.108
        NAS-Identifier = 00:1f:41:3a:82:f9
        NAS-Port = 1
        Called-Station-Id = 00-1F-41-3A-82-F9:CCISD-REMC1
        Calling-Station-Id = 00-16-B6-5C-AC-DD
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = CONNECT 11Mbps 802.11b
        EAP-Message
Re: [ Re: eap-ttls failing]
:50:047: ElWriteCompletionRoutine sent out 19 bytes with error 0
[1504] 13:41:50:047: ElWriteCompletionRoutine: pPCB= 000E7E38, RefCnt = 3
[1504] 13:41:50:047: EapolReceiveDataPacket: receive 55 bytes
[1504] 13:41:50:047: ProcessReceivedPacket entered, length = 51
[1504] 13:41:50:047: ProcessReceivedPacket: EAP_Packet
[1504] 13:41:50:047: ProcessReceivedPacket: EAPOLSTATE_CONNECTING
[1504] 13:41:50:047: TIMER: Restart PCB Time: 2097148
[1504] 13:41:50:047: FSMAcquired entered for port Wireless-G Notebook Adapter with RangeBooster - Packet Scheduler Miniport
[1504] 13:41:50:047: TIMER: Restart PCB Time: 30
[1504] 13:41:50:047: ElEapEnd entered
[1504] 13:41:50:047: ElEapBegin entered
[1504] 13:41:50:047: ElEapBegin done
[1504] 13:41:50:047: ElEapWork: EapolPkt created at 000E3E40
[1504] 13:41:50:047: ElEapMakeMessage entered
[1504] 13:41:50:047: ElParseIdentityString: DisplayString = Please enter your login name
[1504] 13:41:50:047: ElParseIdentityString: LocalIdString =
[1504] 13:41:50:047: ElParseIdentityString: LocalIdString Length = 28
[1504] 13:41:50:047: ElParseIdentityString: Identity string does not contain tuples
[1504] 13:41:50:047: ElGetIdentity: Userlogged, Prev !Machine auth
[1504] 13:41:50:047: ElGetIdentity: Userlogged, Maxauth, Prev !Machine auth: !MD5
[1504] 13:41:50:047: ElGetUserIdentity entered
[1504] 13:41:50:057: ElGetEapUserInfo: Error in RegOpenKeyEx for base key, 2
[1504] 13:41:50:057: ElGetCustomAuthData: SSIDLen=11, EapTypeId=13, Offset=52/106, dwAuthData=42
[1504] 13:41:50:057: ElGetCustomAuthData: SSIDLen=11, EapTypeId=13, Offset=52/106, dwAuthData=42
[1504] 13:41:50:518: ElGetUserIdentityOptimized: Got identity = josh
[1504] 13:41:50:518: ElGetUserIdentity: ElGetUserIdentityOptimized got identity without user module intervention
[1504] 13:41:50:518: ElGetUserIdentity completed with error 0
[1504] 13:41:50:518: ElGetIdentity: Userlogged, Maxauth, Prev !Machine auth: No Error: User Auth fine
[1504] 13:41:50:518: Identity sent out = josh
[1504] 13:41:50:518: ElWriteToPort entered: Pkt Length = 15
[1504] 13:41:50:518: ElWriteToPort: pPCB = 000E7E38, RefCnt = 4
[1504] 13:41:50:518: ElWriteToInterface entered
[1504] 13:41:50:518: ElWriteToInterface completed, RetCode = 0
[1504] 13:41:50:518: Authentication Started on port Wireless-G Notebook Adapter with RangeBooster - Packet Scheduler Miniport using User credentials
[1504] 13:41:50:518: Setting state ACQUIRED for port Wireless-G Notebook Adapter with RangeBooster - Packet Scheduler Miniport
[1504] 13:41:50:528: FSMAcquired completed for port Wireless-G Notebook Adapter with RangeBooster - Packet Scheduler Miniport
[1504] 13:41:50:528: ProcessReceivedPacket: Reposting buffer on port {B123A337-9DAB-45CD-B148-7A2E8A53AAED}
[1504] 13:41:50:528: ElReadFromPort entered, pPCB = 000E7E38
[1504] 13:41:50:528: ElReadFromPort: pPCB = 000E7E38, RefCnt = 5
[1712] 13:41:50:528: EAPOLQueryGUIDNCSState: For Port Wireless-G Notebook Adapter with RangeBooster - Packet Scheduler Miniport returning 12
[1504] 13:41:50:528: ProcessReceivedPacket: pPCB= 000E7E38, RefCnt = 4
[1504] 13:41:50:528: ProcessReceivedPacket exit
[1504] 13:41:50:528: ElWriteCompletionRoutine sent out 27 bytes with error 0
[1504] 13:41:50:528: ElWriteCompletionRoutine: pPCB= 000E7E38, RefCnt = 3
[1504] 13:41:50:528: EapolReceiveDataPacket: receive 28 bytes
[1504] 13:41:50:528: ProcessReceivedPacket entered, length = 24
[1504] 13:41:50:528: ProcessReceivedPacket: EAP_Packet
[1504] 13:41:50:528: ProcessReceivedPacket: EAPOLSTATE_ACQUIRED
[1504] 13:41:50:528: TIMER: Restart PCB Time: 2097148
[1504] 13:41:50:528: FSMAuthenticating entered for port Wireless-G Notebook Adapter with RangeBooster - Packet Scheduler Miniport
[1504] 13:41:50:528: TIMER: Restart PCB Time: 30
[1504] 13:41:50:528: ElEapWork: EapolPkt created at 000E3E40
[1504] 13:41:50:528: ElEapMakeMessage entered
[1504] 13:41:50:528: ElMakeSupplicantMessage entered
[1504] 13:41:50:528: EAPSTATE_Initial
[1504] 13:41:50:528: ElEapDllBegin called for EAP Type 13
[1504] 13:41:50:528: ElEapDllBegin: Not Setting GUEST flag
[1504] 13:41:50:528: EAPSTATE_Working
[1504] 13:41:50:528: ElEapDllWork called for EAP Type 13
[1504] 13:41:50:958: EAP Dll returned Action=EAPACTION_Send
[1504] 13:41:50:958: ElEapDllWork finished for EAP Type 13 with error 0
[1504] 13:41:50:958: ElWriteToPort entered: Pkt Length = 86
[1504] 13:41:50:958: ElWriteToPort: pPCB = 000E7E38, RefCnt = 3
[1504] 13:41:50:958: ElWriteToInterface entered
[1504] 13:41:50:958: ElWriteToInterface completed, RetCode = 0
[1504] 13:41:50:958: Setting state AUTHENTICATING for port Wireless-G Notebook Adapter with RangeBooster - Packet Scheduler Miniport
[1504] 13:41:50:958: WZCNetmanConnectionStatusChanged: Entered
[1504] 13:41:50:958: QueueEvent: CoCreateInstance succeeded
[1504] 13:41:50:958
Re: [ Re: eap-ttls failing]
t...@kalik.net wrote: Ok, made new client cert and now it shows valid and displays Provides your identity to a remote Computer as the intended purpose and on the Details tab displays the correct info etc... The Certification Path displays valid. But windows was unable to find a certificate to log you on .. [1180] 13:42:16:415: ElWZCCfgUpdateSettings: Error in RegOpenKeyEx for base key, 2 [1180] 13:42:16:415: ElWZCCfgChangeHandler: ElWZCCfgUpdateSettings HKCU failed with error (2) which you say is rubbish. Did you install .p12 version of client certificate? Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Yes the cert is there, does report the correct oid etc.. etc.. Attached is the client certificate I am using. I even went into the configuration and made it so XP asks me to select my certificate manually. I select the certificate manually and it still gives the same error as above (Error in RegOpenKeyEx for base key, 2) etc.. Maybe there is still a problem with the certificate but it all looks fine to me. Can you peek at the cert for me? This is happening on all machines so there must be a problem with it? When I install the cert it asks me for the cert password which I type in (I use the password I put in the client.cnf file). There should be an input and output password in client.cnf correct? I'm at a loss. Thanks -Josh [Attachment: caclient.p12, binary data]
Re: [ Re: eap-ttls failing]
On Tue, 2009-01-27 at 23:05 +0100, t...@kalik.net wrote: Yes the cert is there, does report the correct oid etc.. etc.. Attached is the client certificate I am using. I even went into the configuration and made it so XP asks me to select my certificate manually. I select the certificate manually and it still gives the same error as above (Error in RegOpenKeyEx for base key, 2) etc.. Maybe there is still a problem with the certificate but it all looks fine to me. Can you peek at the cert for me? This is happening on all machines so there must be a problem with it? When I install the cert it asks me for the cert password which I type in (I use the password I put in the client.cnf file). There should be an input and output password in client.cnf correct? I'm at a loss.

It is most likely a deliberate undermining of self-signed certificates. It looks very much like this bug reported for machine certificates (user certificates weren't affected at the time). http://social.technet.microsoft.com/Forums/en-US/itproxpsp/thread/ceaf827d-3cff-4a5f-a8e0-d32ac2bf9ea9/ Ivan Kalik Kalik Informatika ISP

Ug! For such a problem, I am not seeing anything come across the mailing list. I would think that what I am doing is fairly popular? Why are more people not complaining? This is too bad and if true, very poor. -Josh
Re: eap-ttls failing
t...@kalik.net wrote: I have a Ruckus ZoneDirector 1025 with WAPs that I just installed. Testing out different EAP types I can use. I am using FreeRadius 2.1.3. I have eap-ttls and eap-peapv0 working perfectly (I am using windows to control the wireless card for peap and it works great). Was going to try eap-tls by assigning client certificate to the machine account so the computer account authenticates on the wireless and then the user can log into the domain. I did this and get errors. It kind of looks to me that the Zone Director is not sending the correct eap message for eap-tls.

No you are forcing Auth-Type Reject in users file: [files] users: Matched entry DEFAULT at line 226 Ivan Kalik Kalik Informatika ISP

Ok thanks. I did take that out (whoops) and now I see no explicit failure but when it hits the authentication section it just stops (never authenticates the client). I tried sticking the common name (user-name) in /etc/raddb/users to see if I could rig it up to authenticate. It hits an OK for files section but still does not authenticate the XP client. I don't think I should need anything in the users file, correct? Here is output from radiusd (version info etc.. at top of this message). Thanks for any help. -Josh

Ready to process requests.
rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=243, length=182 User-Name = joshhiner NAS-IP-Address = 172.17.10.108 NAS-Identifier = 00:1f:41:3a:82:f9 NAS-Port = 1 Called-Station-Id = 00-1F-41-3A-82-F9:CCISD-REMC1 Calling-Station-Id = 00-0E-35-B6-74-AF Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = CONNECT 11Mbps 802.11b EAP-Message = 0x020e016a6f736868696e6572 Message-Authenticator = 0x799db1f3c98934494137e4e5b4864a7c +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = joshhiner, looking up realm NULL [suffix] No such realm NULL ++[suffix] returns noop [ntdomain] No '\' in User-Name = joshhiner, looking up realm NULL [ntdomain] No such realm NULL ++[ntdomain] returns noop [eap] EAP packet type response id 0 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No known good password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 243 to 172.17.10.108 port 1027 EAP-Message = 0x010100060d20 Message-Authenticator = 0x State = 0x2378b52b2379b8326de9be9acd701ac8 Finished request 0. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=244, length=266 User-Name = joshhiner NAS-IP-Address = 172.17.10.108 NAS-Identifier = 00:1f:41:3a:82:f9 NAS-Port = 1 Called-Station-Id = 00-1F-41-3A-82-F9:CCISD-REMC1 Calling-Station-Id = 00-0E-35-B6-74-AF Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = CONNECT 11Mbps 802.11b EAP-Message = 0x020100500d8000461603010041013d0301497e1887cc6de7f31a97d6b5b5dc5a68fc69dd8ee1da12099866c719e54e209d1600040005000a000900640062000300060013001200630100 State = 0x2378b52b2379b8326de9be9acd701ac8 Message-Authenticator = 0x1e56c72c8f7a8f9ea99c2e78fc74dab1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = joshhiner, looking up realm NULL [suffix] No such realm NULL ++[suffix] returns noop [ntdomain] No '\' in User-Name = joshhiner, looking up realm NULL [ntdomain] No such realm NULL ++[ntdomain] returns noop [eap] EAP packet type response id 1 length 80 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 70 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] TLS 1.0 Handshake [length 0041], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] TLS 1.0 Handshake [length 002a], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] TLS 1.0 Handshake [length 03c4], Certificate [tls] TLS_accept: SSLv3
Re: eap-ttls failing
Josh Hiner wrote: t...@kalik.net wrote: I have a Ruckus ZoneDirector 1025 with WAPs that I just installed. Testing out different EAP types I can use. I am using FreeRadius 2.1.3. I have eap-ttls and eap-peapv0 working perfectly (I am using windows to control the wireless card for peap and it works great). Was going to try eap-tls by assigning client certificate to the machine account so the computer account authenticates on the wireless and then the user can log into the domain. I did this and get errors. It kind of looks to me that the Zone Director is not sending the correct eap message for eap-tls.

No you are forcing Auth-Type Reject in users file: [files] users: Matched entry DEFAULT at line 226 Ivan Kalik Kalik Informatika ISP

Ok thanks. I did take that out (whoops) and now I see no explicit failure but when it hits the authentication section it just stops (never authenticates the client). I tried sticking the common name (user-name) in /etc/raddb/users to see if I could rig it up to authenticate. It hits an OK for files section but still does not authenticate the XP client. I don't think I should need anything in the users file, correct? Here is output from radiusd (version info etc.. at top of this message). Thanks for any help. -Josh

Oh, and to add, the certificate does have this: Client Authentication purpose is 1.3.6.1.5.5.7.3.2 enabled (verified). Just wanted to clarify that I did read the FreeRadius Wiki FAQ. thanks -Josh

Ready to process requests.
rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=243, length=182 User-Name = joshhiner NAS-IP-Address = 172.17.10.108 NAS-Identifier = 00:1f:41:3a:82:f9 NAS-Port = 1 Called-Station-Id = 00-1F-41-3A-82-F9:CCISD-REMC1 Calling-Station-Id = 00-0E-35-B6-74-AF Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = CONNECT 11Mbps 802.11b EAP-Message = 0x020e016a6f736868696e6572 Message-Authenticator = 0x799db1f3c98934494137e4e5b4864a7c +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = joshhiner, looking up realm NULL [suffix] No such realm NULL ++[suffix] returns noop [ntdomain] No '\' in User-Name = joshhiner, looking up realm NULL [ntdomain] No such realm NULL ++[ntdomain] returns noop [eap] EAP packet type response id 0 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No known good password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 243 to 172.17.10.108 port 1027 EAP-Message = 0x010100060d20 Message-Authenticator = 0x State = 0x2378b52b2379b8326de9be9acd701ac8 Finished request 0. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=244, length=266 User-Name = joshhiner NAS-IP-Address = 172.17.10.108 NAS-Identifier = 00:1f:41:3a:82:f9 NAS-Port = 1 Called-Station-Id = 00-1F-41-3A-82-F9:CCISD-REMC1 Calling-Station-Id = 00-0E-35-B6-74-AF Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = CONNECT 11Mbps 802.11b EAP-Message = 0x020100500d8000461603010041013d0301497e1887cc6de7f31a97d6b5b5dc5a68fc69dd8ee1da12099866c719e54e209d1600040005000a000900640062000300060013001200630100 State = 0x2378b52b2379b8326de9be9acd701ac8 Message-Authenticator = 0x1e56c72c8f7a8f9ea99c2e78fc74dab1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = joshhiner, looking up realm NULL [suffix] No such realm NULL ++[suffix] returns noop [ntdomain] No '\' in User-Name = joshhiner, looking up realm NULL [ntdomain] No such realm NULL ++[ntdomain] returns noop [eap] EAP packet type response id 1 length 80 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 70 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] TLS 1.0 Handshake [length 0041], ClientHello [tls
Re: eap-ttls failing
t...@kalik.net wrote: Oh, and to add, the certificate does have this: Client Authentication purpose is 1.3.6.1.5.5.7.3.2 enabled (verified). Just wanted to clarify that I did read the FreeRadius Wiki FAQ. thanks -Josh

Server is happy, supplicant isn't. Enable tracing and read the eapol.log: http://support.microsoft.com/kb/894568 Ivan Kalik Kalik Informatika ISP

Once again, thanks for the help. It was indeed the supplicant. -Josh
eap-ttls failing
I have a Ruckus ZoneDirector 1025 with WAPs that I just installed. Testing out different EAP types I can use. I am using FreeRadius 2.1.3. I have eap-ttls and eap-peapv0 working perfectly (I am using windows to control the wireless card for peap and it works great). Was going to try eap-tls by assigning client certificate to the machine account so the computer account authenticates on the wireless and then the user can log into the domain. I did this and get errors. It kind of looks to me that the Zone Director is not sending the correct eap message for eap-tls. Maybe someone could point me in the right direction. Also, something is putting host/ in front of the User-Name field. In the certificate, I have the common name as joshhiner not host/joshhiner. Wonder if the zone director is mangling eap? Also, the wireless card is a mini-pci broadcom in a compaq 6710b. Thanks -Josh

Error:
Ready to process requests.
rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=186, length=192
User-Name = host/joshhiner
NAS-IP-Address = 172.17.10.108
NAS-Identifier = 00:1f:41:3a:82:f9
NAS-Port = 2
Called-Station-Id = 00-1F-41-3A-82-F9:CCISD-REMC1
Calling-Station-Id = 00-21-00-41-AE-4F
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message = 0x021301686f73742f6a6f736868696e6572
Message-Authenticator = 0x5a46b20a893c5d940dfacf2c35c1bd83
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = host/joshhiner, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[ntdomain] No '\' in User-Name = host/joshhiner, looking up realm NULL
[ntdomain] No such realm NULL
++[ntdomain] returns noop
[eap] EAP packet type response id 0 length 19
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 226
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = Reject
Auth-Type = Reject, rejecting user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> host/joshhiner
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 186 to 172.17.10.108 port 1027
Waking up in 4.9 seconds.
Cleaning up request 2 ID 186 with timestamp +373
Ready to process requests.
Re: Some help with etc_smbpasswd auth and eap ttls
Alan DeKok wrote: Josh Hiner wrote: Trying to configure eap ttls with mschapv2 using Freeradius version Version 1.1.3 in Redhat enterprise Linux 5.

I suggest upgrading. It's not hard to build an RPM of the latest version of the server. Upgrading will get you a lot.

Ok I did upgrade, please see my post below =D.

I have configured everything and gotten free radius to authenticate off /etc/samba/smbpasswd via the etc_smbpasswd module. The problem I have run into is when I switch the securew2 windows xp eap-ttls client to use the current logged on user credentials. Then, SecureW2 sends the username in the format of DOMAIN/user (which in this case is HTN/josh). Authentication then fails because of this extra domain part in the user. Ok fine, I first enabled the nt_domain_hack in the mschap module then I configured realm ntdomain and simply set a default realm in proxy.conf to strip off the domain part. Nope, that fails (output will be included below). I also tried nostrip but that also fails obviously. Also tried silently stripping the domain in pre-process in radiusd.conf. Auth is successful but finally rejected because the user doesn't match the original HTN/josh user sent.

This is fixed in 2.x. You can have different policies for inside the TLS tunnel and outside of it. This makes these configurations easier.

Ok I do see this now but am still getting the same error. Please see below.

Anyways, anyone know of how to get etc_smbpasswd module to work. I don't want to use the users file (blech) even though it does work when I put the user in there, and again, if I just supply the username and password (and leave the domain part blank in SecureW2 ttls client) authentication does work off /etc/samba/smbpasswd.

Honestly... there are 3-4 solutions which are trivial in 2.x. Any solution is hard in 1.1.3. I don't even recall what feature set it has (or is missing). Alan DeKok.

Ok, I have upgraded to Freeradius version 2.1.3 (following the suggestion above).
I have configured and gotten everything to work except for the domain name stripping at the front of the username (eg: HTN/josh). If I don't supply the domain name, authentication succeeds perfectly. I am still getting the same error that I was with Freeradius version 1.3.1. I've configured a HTN realm to strip off the HTN part and in the debug, it appears to work as stripped-user=josh gets proxied back. Then authentication fails in the same way as it did before? It is mentioned above that there are 3-4 solutions which are trivial in 2.x. Since I have Freeradius basically running, could someone spare some of their valuable time with a pointer on stripping off the HTN part of the user so authentication will succeed? Thanks =D. Below is the part of my debug output from Freeradius showing the authentication failure. Once again, it works perfectly if I don't supply the domain name (I can then connect perfectly via eap-ttls with mschapv2). Hopefully I am close. I can supply more of my configs if needed. Thanks -Josh

server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = HTN\josh, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[ntdomain] Looking up realm HTN for User-Name = HTN\josh
[ntdomain] Found realm HTN
[ntdomain] Adding Stripped-User-Name = josh
[ntdomain] Adding Realm = HTN
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
++[control] returns ok
[eap] EAP packet type response id 1 length 67
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[etc_smbpasswd] returns notfound
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for josh with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[ttls] Got tunneled reply code 3
MS-CHAP-Error = \001E=691 R=1
EAP-Message = 0x04010004
Message-Authenticator = 0x
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
rlm_eap_ttls: Freeing handler for user HTN\josh
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Re: Some help with etc_smbpasswd auth and eap ttls
Honestly... there are 3-4 solutions which are trivial in 2.x. Any solution is hard in 1.1.3. I don't even recall what feature set it has (or is missing). Alan DeKok.

Ok, I have upgraded to Freeradius version 2.1.3 (following the suggestion above). I have configured and gotten everything to work except for the domain name stripping at the front of the username (eg: HTN/josh). If I don't supply the domain name, authentication succeeds perfectly. I am still getting the same error that I was with Freeradius version 1.3.1. I've configured a HTN realm to strip off the HTN part and in the debug, it appears to work as stripped-user=josh gets proxied back. Then authentication fails in the same way as it did before? It is mentioned above that there are 3-4 solutions which are trivial in 2.x. Since I have Freeradius basically running, could someone spare some of their valuable time with a pointer on stripping off the HTN part of the user so authentication will succeed? Thanks =D. Below is the part of my debug output from Freeradius showing the authentication failure. Once again, it works perfectly if I don't supply the domain name (I can then connect perfectly via eap-ttls with mschapv2). Hopefully I am close. I can supply more of my configs if needed. Thanks -Josh

Ok well once again, the answer was in the debug output. Since it was sending back Stripped-username instead of Username, I had to create a 2nd smbpasswd module. In this module I mapped stripped-user instead of username. This worked. This does work. Is this a good and acceptable solution? I'd still be interested in hearing other solutions if there are any out there. Thanks again! -Josh
Some help with etc_smbpasswd auth and eap ttls
Trying to configure eap ttls with mschapv2 using Freeradius version Version 1.1.3 in Redhat enterprise Linux 5. I have configured everything and gotten free radius to authenticate off /etc/samba/smbpasswd via the etc_smbpasswd module. The problem I have run into is when I switch the securew2 windows xp eap-ttls client to use the current logged on user credentials. Then, SecureW2 sends the username in the format of DOMAIN/user (which in this case is HTN/josh). Authentication then fails because of this extra domain part in the user. Ok fine, I first enabled the nt_domain_hack in the mschap module then I configured realm ntdomain and simply set a default realm in proxy.conf to strip off the domain part. Nope, that fails (output will be included below). I also tried nostrip but that also fails obviously. Also tried silently stripping the domain in pre-process in radiusd.conf. Auth is successful but finally rejected because the user doesn't match the original HTN/josh user sent. Finally I simply added the username and password I was testing to the users file. It works there. My default realm strips the domain, proxies it back to localhost, authenticates off the users file and is successful. Arrg, what am I doing wrong? I really need to use the etc_smbpasswd module as I can't get ntlm_auth to work. It says no logon servers found. I think it's because I am running it on the actual samba server I want to auth off of. Anyways, anyone know of how to get etc_smbpasswd module to work. I don't want to use the users file (blech) even though it does work when I put the user in there, and again, if I just supply the username and password (and leave the domain part blank in SecureW2 ttls client) authentication does work off /etc/samba/smbpasswd. Here is the /usr/sbin/radiusd -X output. Sorry it's long. Below that I will put the relevant lines of config. Thanks a ton for any help. -Josh

[r...@file raddb]# /usr/sbin/radiusd -s -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf main: prefix = /usr main: localstatedir = /var main: logdir = /var/log/radius main: libdir = /usr/lib main: radacctdir = /var/log/radius/radacct main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = /var/log/radius/radius.log main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = /var/run/radiusd/radiusd.pid main: user = (null) main: group = (null) main: usercollide = no main: lower_user = no main: lower_pass = no main: nospace_user = no main: nospace_pass = no main: checkrad = /usr/sbin/checkrad main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = (null) exec: input_pairs = request exec: output_pairs = (null) exec: packet_type = (null) rlm_exec: Wait=yes but no output defined. Did you mean output=none? 
Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = crypt Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = no mschap: with_ntdomain_hack = yes mschap: passwd = (null) mschap: ntlm_auth = (null) Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = (null) unix: shadow = /etc/shadow unix: group = (null) unix: radwtmp = /var/log/radius/radwtmp unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = ttls eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = Password: gtc: auth_type = PAP rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = (null) tls: pem_file_type = yes tls: private_key_file = /etc/raddb
service-type passed in response
I am having a problem configuring management users for Cisco WLC. Here's my basic users file:

DEFAULT
        Service-Type = NAS-Prompt-User,
        cisco-avpair += "shell:priv-lvl=2",
        Fall-Through = 1

test    User-Password ==
        Service-Type = Administrative-User,
        cisco-avpair += "shell:priv-lvl=15"

The problem I am having is that when user test logs in, the access-accept packet passes the DEFAULT Service-Type value (along with all other attributes in DEFAULT). I only want the default Service-Type value to be passed if I don't otherwise have one assigned in the individual users' entries. Any assistance here would be much appreciated!
RE: Machine auth without cert - EAP-PEAP/MSCHAPV2
Hi Ryan, What you're trying to do is impossible. MS-CHAPv2 is a mutual authentication protocol, meaning that FreeRADIUS needs to demonstrate knowledge of the password to the machine. josh.

-Original Message- From: [EMAIL PROTECTED] org [mailto:[EMAIL PROTECTED] eradius.org] On Behalf Of Ryan Kramer Sent: 25 February 2008 21:05 To: [EMAIL PROTECTED]; FreeRadius users mailing list Subject: Machine auth without cert - EAP-PEAP/MSCHAPV2

I've been experimenting with machine auth without using a cert, but I seem to be stuck on the fact that FreeRadius will not authenticate a local user. I see the request come across through debugging with a username of host/mymachine.mydomain.com, and no password, and in my users file I have

host/mymachine.mydomain.com Cleartext-Password = , Auth-Type := Local, MS-CHAP-Use-NTLM-Auth := 0
        Filter-ID = WIRELESS-USER,
        Fall-Through = 0

but for some reason it never authenticates... I've tried it both with and without the MS-CHAP option; that doesn't seem to change it. Also tried User-Password instead of Cleartext-Password, no change. Any suggestions? Ryan

JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG
RE: eap-mschapv2
Yes - although only as a tunnelled method inside EAP-PEAP (I think, I may be wrong). josh.

-Original Message- From: [EMAIL PROTECTED] org [mailto:[EMAIL PROTECTED] eradius.org] On Behalf Of Indira Keesara Sent: 15 January 2008 20:31 To: freeradius-users@lists.freeradius.org Subject: eap-mschapv2

Does freeradius support eap-mschapv2?
RE: eap-mschapv2
Post the debug output (radiusd -X). josh.

-Original Message- From: [EMAIL PROTECTED] org [mailto:[EMAIL PROTECTED] eradius.org] On Behalf Of Indira Keesara Sent: 15 January 2008 20:36 To: freeradius-users@lists.freeradius.org Subject: eap-mschapv2

I am using freeradius to test the eap-mschapv2. According to specs, to the access-challenge reply radius should send an access-success with the mppe keys. But what I see is to the reply radius is sending the access-challenge request again with mschap-success similar to the Eap-tls. I am not sure if I missed any configuration.
RE: eap-mschapv2
auth: type EAP
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
+- entering group MS-CHAP
rlm_mschap: Told to do MS-CHAPv2 for user with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
Sending Access-Challenge of id 3 to x.x.x.x port 1812
        MS-CHAP2-Success = 0x01533d4639363532464544454242333835453533374330333833373941393735313330363134413336
        EAP-Message = 0x010200331a0301002e533d4639363532464544454242333835453533374330333833373941393735313330363134413336
        Message-Authenticator = 0x
        State = 0xabe2000baae01ac677bcdaf79192ae6c
Finished request 1.

That looks like a bug to me. It's a violation of RFC2548:

2.3.3. MS-CHAP2-Success

Description

This Attribute contains a 42-octet authenticator response string. This string MUST be included in the Message field of the MS-CHAP-V2 Success packet sent from the NAS to the peer. This Attribute is only used in Access-Accept packets.

It might be worth checking the logic in the eap-mschap module; it should be pretty obvious to see where it is going wrong.

josh.
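As an added illustration of the RFC 2548 point above (this is not code from the thread or from FreeRADIUS): a small Python checker that parses a RADIUS packet's attribute list, including Microsoft vendor-specific attributes, and reports MS-CHAP2-Success carried in anything other than an Access-Accept. The two sample packets are constructed here; the MS-CHAP2-Success and State values are copied from the debug output above, and the 16-byte authenticator is a zeroed placeholder rather than a real one.

```python
"""RFC 2548 placement check for MS-CHAP2-Success (added example, not FreeRADIUS code)."""
import struct

# RADIUS packet codes (RFC 2865 section 3)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept",
              3: "Access-Reject", 11: "Access-Challenge"}

ATTR_STATE = 24
ATTR_VENDOR_SPECIFIC = 26
VENDOR_MICROSOFT = 311          # RFC 2548 section 2
MS_CHAP2_SUCCESS = 26           # vendor type, RFC 2548 section 2.3.3


def parse_attributes(payload):
    """Return a list of (kind, type, value) tuples.

    kind is "radius" for standard attributes and "ms" for attributes
    nested inside a Microsoft Vendor-Specific attribute.
    """
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length")
        value = payload[i + 2:i + alen]
        i += alen
        if (atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6
                and struct.unpack("!I", value[:4])[0] == VENDOR_MICROSOFT):
            # Microsoft VSA body: vendor-type, vendor-length, vendor-data
            vtype, vlen = value[4], value[5]
            if vlen < 2 or 4 + vlen > len(value):
                raise ValueError("bad vendor attribute length")
            attrs.append(("ms", vtype, value[6:4 + vlen]))
        else:
            attrs.append(("radius", atype, value))
    return attrs


def parse_packet(pkt):
    """Split a RADIUS packet into (code, identifier, authenticator, attrs)."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("length field does not match packet")
    return code, ident, pkt[4:20], parse_attributes(pkt[20:length])


def check_mschap2_success(pkt):
    """Return a list of findings; an empty list means the packet is compliant."""
    code, _, _, attrs = parse_packet(pkt)
    findings = []
    for kind, atype, _ in attrs:
        if kind == "ms" and atype == MS_CHAP2_SUCCESS and code != ACCESS_ACCEPT:
            findings.append("MS-CHAP2-Success in %s; RFC 2548 permits it only "
                            "in Access-Accept" % CODE_NAMES.get(code, code))
    return findings


# ---- constructed sample packets (built here, not captured from the wire) ----
def ms_vsa(vtype, data):
    """Encode one Microsoft vendor-specific attribute."""
    body = struct.pack("!I", VENDOR_MICROSOFT) + bytes([vtype, len(data) + 2]) + data
    return bytes([ATTR_VENDOR_SPECIFIC, len(body) + 2]) + body


def build_packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


# MS-CHAP2-Success value exactly as printed in the debug output above
SUCCESS_VALUE = bytes.fromhex(
    "01533d46393635324645444542423338354535333743303338333739"
    "41393735313330363134413336")
PLACEHOLDER_AUTH = bytes(16)  # constructed; a real packet carries a random authenticator

# The exchange from the debug output: MS-CHAP2-Success inside an Access-Challenge (id 3)
CHALLENGE_PKT = build_packet(ACCESS_CHALLENGE, 3, PLACEHOLDER_AUTH, [
    ms_vsa(MS_CHAP2_SUCCESS, SUCCESS_VALUE),
    bytes([ATTR_STATE, 18]) + bytes.fromhex("abe2000baae01ac677bcdaf79192ae6c"),
])
# The compliant form: the same attribute in an Access-Accept
ACCEPT_PKT = build_packet(ACCESS_ACCEPT, 3, PLACEHOLDER_AUTH, [
    ms_vsa(MS_CHAP2_SUCCESS, SUCCESS_VALUE),
])

if __name__ == "__main__":
    for name, pkt in (("challenge", CHALLENGE_PKT), ("accept", ACCEPT_PKT)):
        print(name, check_mschap2_success(pkt) or ["ok"])
```

The same attribute walk can be pointed at a pcap-derived byte string to confirm whether a server under test is emitting the attribute in the wrong packet type.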
RE: EAP Notification
That's certainly a feature of some Cisco WAPs. If anyone knows of a supplicant that does anything *useful* with EAP-Notification (like, you know, notify the user) then that would be interesting to hear :-)

josh.

-Original Message-
From: [EMAIL PROTECTED] org [mailto:[EMAIL PROTECTED] eradius.org] On Behalf Of Arran Cudbard-Bell
Sent: 03 January 2008 12:50
To: FreeRadius users mailing list
Subject: EAP Notification

Hi,

Running a packet capture of an EAP TTLS session against FR cvs head, noticed EAP Notification packets are being sent. The type-data appears to match that of the Reply-Message. Is this a feature of rlm_eap that I missed before, or is the NAS being clever about its interpretation of the Access-Accept packet, and encapsulating the Reply-Message attribute in an EAP-Request Notification packet? Either way it's pretty cool, and the message gets logged in /var/log/system.log (On Mac OS X) which has the potential to be useful for debugging...

Thanks,
Arran

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
RE: freeradius and active directory
Using Ntlm_auth from the samba server is not an option. I want to access the AD with the ldap protocol for compatibility reasons.

You can't.

Next, I want to place the logged on user in a specific VLAN. So I have to retrieve the user's vlan from the AD. Is there any way to configure freeradius to do so?

Yes, see the docs.

Can you please provide me with the necessary steps to accomplish this?

Ditto.

josh.
RE: Freeradius and AD
See proxy.conf.

josh.

-Original Message-
From: [EMAIL PROTECTED] org [mailto:[EMAIL PROTECTED] eradius.org] On Behalf Of Dave Gibelli
Sent: 11 December 2007 14:30
To: freeradius-users@lists.freeradius.org
Subject: Freeradius and AD

Hi

I am testing Freeradius within an 802.1x environment. I want to send authentication requests to 4 different AD DC's depending on the Domain sent from the client to the Authenticator. Can Freeradius forward requests in this way?

Dave
RE: freeradius support eap-fast?
In other news... I've added EAP-TNC. It's a little rough, but the concept is there.

I saw this :-). I had a question: EAP-TNC is intended to be bound to any tunneled EAP method but the last time I looked at the code the FreeRADIUS EAP state machine did not appear to support binding consecutive EAP methods in sequence to an arbitrary tunneled EAP method. Does this EAP-TNC implementation therefore require the use of a specific tunneled EAP method, or have there been some improvements to the EAP state machine to support this flexibility?

josh.
RE: freeradius support eap-fast?
Alan wrote:

Josh Howlett wrote:

I saw this :-). I had a question: EAP-TNC is intended to be bound to any tunneled EAP method but the last time I looked at the code the FreeRADIUS EAP state machine did not appear to support binding consecutive EAP methods in sequence to an arbitrary tunneled EAP method.

I'm not sure what that means... Does EAP-TNC go inside of a tunneled method, or does it tunnel other methods?

It normally tunnels inside other methods.

If it goes inside of a tunneled method, then there's no problem. PEAP and TTLS already support tunneling EAP types.

Sure, but do the FreeRADIUS PEAP and TTLS implementations support running an EAP method for AuthN followed immediately by EAP-TNC within the same tunnel? The original EAP RFC (2284) didn't explicitly prohibit method sequencing. However, this was obsoleted by RFC 3748 which does prohibit sequencing authentication methods (where this is defined as Type 4, excepting Notification). Of course, an EAP method itself is free to do what it likes; so both PEAP and TTLS support sequencing (although this isn't implemented much). The difficulty that I saw when I looked at the code, IIRC, is that FreeRADIUS re-uses the same functions (and therefore the same assumptions of what is permitted and what isn't) for the 'outer' EAP session as it does for the 'inner' session. Did that make sense :-) ?

Does this EAP-TNC implementation therefore require the use of a specific tunneled EAP method, or have there been some improvements to the EAP state machine to support this flexibility?

If EAP-TNC can go only inside of TTLS/PEAP, then the code likely needs to be updated to check for that, and enforce that requirement.

That's not a requirement, but a likely deployment scenario. EAP-TNC has no transport security, and depends on the transport layer for confidentiality, etc.

josh.
RE: FreeRadius and Clean Access Manager
Has anybody set up FreeRadius with Network Admission Control. I have trouble setting up FreeRadius as an authentication server in Clean Access Manager.

FreeRADIUS does not support Cisco NAC.

It works perfectly with ACS.

This is because it is a Cisco proprietary protocol.

josh.
RE: FreeRadius and Clean Access Manager
But you are just using FreeRADIUS for authentication. I didn't realise it was possible to separate posture assessment from authentication in Cisco NAC. Interesting to hear that you can.

josh.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dorota Kupis
Sent: 31 October 2007 18:50
To: FreeRadius users mailing list
Subject: RE: FreeRadius and Clean Access Manager

Hello Josh,

Actually I gave it another try just after I wrote to the group and I succeeded. I don't talk about TACACS+ here. Cisco Clean Access can have several authentication servers defined. I do confirm it works with FreeRadius as well.

Dorota

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Josh Howlett
Sent: Wednesday, October 31, 2007 11:35 AM
To: FreeRadius users mailing list
Cc: Josh Howlett
Subject: RE: FreeRadius and Clean Access Manager

Has anybody set up FreeRadius with Network Admission Control. I have trouble setting up FreeRadius as an authentication server in Clean Access Manager.

FreeRADIUS does not support Cisco NAC.

It works perfectly with ACS.

This is because it is a Cisco proprietary protocol.

josh.
RE: FreeRadius and Clean Access Manager
Hi,

But you are just using FreeRADIUS for authentication. I didn't realise it was possible to separate posture assessment from authentication in Cisco NAC. Interesting to hear that you can.

..i guess we are all looking at development of EAP-TNC with interest..

You betcha!

josh.
RE: How to trigger an application after authentication is done
rlm_exec. See radiusd.conf for examples.

josh.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ram
Sent: 26 October 2007 07:50
To: FreeRadius users mailing list
Subject: How to trigger an application after authentication is done

Hi, I am trying to make some iptables rules trigger after authentication is done with the Radius Server. Here is my setup:

    user--BRAS--Freeradius---Gateway Router(Linux+iptables)--Internet

When the user initiates pppoe with the BRAS, the BRAS sends the request to Radius. Radius checks the authentication and sends the authorisation to the user. When the user is authenticated and authorised, at the same time I want to trigger a script to open iptables rules and set his bandwidth with TC. Can someone give me a suggestion how I can achieve this?

ram
RE: Proposed Freeradius - Kerberos authentication
David,

I've been reading the FAQs, the man pages, and going over mailing list archives, and also the info at deployingradius.com. I thought I should start by checking that I'm heading in the right direction before trying to build stuff. I'm proposing that we use Freeradius to authenticate the connections to the wireless APs using the MIT Kerberos server. If this is possible, would it be done using EAP-TTLS from the clients, and the Auth-Type would need to be defaulted to Kerberos so that the rlm_krb5 module would be used? I'm basing this on the Protocols page in conjunction with a thread from earlier in October about EAP-TTLS and Kerberos.

You're heading in the right direction. Note that if the synced passwords all exist in the AD, you can also consider the use of EAP-PEAP; the principal advantage being the use of the Windows native supplicant; this does not support EAP-TTLS without the use of third-party tools.

josh.
RE: Mutual Authentication with EAP-TTLS/MSCHAPv2
1. Is EAP-TTLS with MSCHAPv2 considered a mutual authentication method?

It is probably best if you read RFC4017 for a full discussion of mutual authentication in the EAP context. FWIW, the short answer is yes, it can be used in this way.

2. I understand that the TTLS itself can be mutual, meaning:

a. The client authenticates the server (via server certificate)

Yes.

b. A secured tunnel is created

c. The server authenticates the client (via client certificate)

Yes, this is possible but not necessary, because as you say...

d. The client authenticates itself again using MSCHAPv2.

e. The server also authenticates itself using MSCHAPv2.

A challenge-response is piggy-backed on the MSCHAP exchange.

Does FreeRadius support this kind of Authentication?

Yes.

3. I received a root-certificate and I want to create trusted certificates.

a. Which software can I use to sign a certificate with the root-certificate I received?

I doubt you received a root CA certificate. You probably got issued with a certificate signed by the root or an intermediate CA. However, I'm speculating - it is probably best to ask whomever provided the certificate directly. It is essential to understand precisely what is going on, because it is very easy to make mistakes with PKI...

best regards, josh.
RE: Vista Authentication
Ensure that you're using a recent version of samba. Search the list for a value of 'recent'.

josh.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 23 September 2007 14:26
To: FreeRadius users mailing list
Subject: Re: Vista Authentication

Iain Ellis wrote:

Are there any known gotchas concerning Vista clients authenticating?

Not that I know of.

Alan DeKok.
RE: FreeRADIUS and iODBC
What is the question?

There was no question :-)

If I find out how to do something that is poorly - or not - documented I post it to the mailing list so that it can be indexed by Google, for the benefit of other people in the future who might have the same problem.

josh.
RE: RFC 3579 and Access-Accepts
Hi Stefan,

Whereas RFC 3579, chapter 2.6.5 says: An EAP-Message/EAP-Request/Notification SHOULD NOT be included within an Access-Accept or Access-Reject packet.

I think this is a case of mis-reading the (confusing?) notation used by the RFC. What the RFC is saying is that you are not permitted to include a Notification within an EAP-Request within an EAP-Message within an Access-Accept. It's not saying you're not allowed to include an EAP-Message attribute _per se_.

FWIW, I don't think it would be possible to implement a compliant EAP method without including an EAP-Message in the Access-Accept; you need to return an EAP-Success or EAP-Failure, and IIRC you can't do that in an Access-Challenge.

josh.
RE: Freeradius and Windows Vista
Make sure you're using a recent version of samba. Many distros still ship with older versions that won't work.

josh.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 19 September 2007 17:09
To: FreeRadius users mailing list
Subject: Re: Freeradius and Windows Vista

Neal Bullins wrote:

I am running FR version 1.1.7 along with OpenSSL 0.9.8c on Debian. Authentication from XP works flawlessly and from what I have been able to tell, with these versions I should be able to have Vista do PEAP/MSChapv2 authentication via Freeradius. However, it still seems that Vista stops the authentication process before the ntlm_auth call is made. Am I missing something obvious here?

Nope. Vista *should* work, other people have it working with similar configurations.

Alan DeKok.
FreeRADIUS and iODBC
You must use a DSN of 'radius' in odbc.ini when using the iodbc SQL module. You can't use any other name. I have this working against MSSQL.

josh.
RE: Network Printers with freeradius? Anyway?
Do your printers support 802.1x?

josh.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sérgio Kojima
Sent: 05 September 2007 18:58
To: freeradius-users@lists.freeradius.org
Subject: Network Printers with freeradius? Anyway?

Hello all. Finally my FreeRADIUS 2.0.0-pre2 is running with Samba PDC + OpenLdap and foundry/dot1x switches. Very well... Now, the next level is the printers. How to configure my network printers with freeradius? No solicitation arrives when I run radiusd -X. Printers are using DHCP.

See you!
RE: Database Population problem with mysql
(42000) at line 15: Invalid default value for 'AcctStartTime'

Try using a valid value for this.

josh.
RE: Database Population problem with mysql
Post mysql.sql to the list.

josh.

-Original Message-
From: ram [mailto:[EMAIL PROTECTED]
Sent: 21 August 2007 16:29
To: FreeRadius users mailing list
Cc: Josh Howlett
Subject: Re: Database Population problem with mysql

On 8/21/07, Josh Howlett [EMAIL PROTECTED] wrote:

(42000) at line 15: Invalid default value for 'AcctStartTime'

Try using a valid value for this.

Hi, what is the correct value for that record as per the document I am populating? I am using mysql: mysql Ver 14.12 Distrib 5.0.32, for pc-linux-gnu (i486) using readline 5.2 on debian. Any suggestions?

ram
RE: Database Population problem with mysql
Not sure why this is failing; FWIW, according to the MySQL docs:

The DATETIME type is used when you need values that contain both date and time information. MySQL retrieves and displays DATETIME values in 'YYYY-MM-DD HH:MM:SS' format. The supported range is '1000-01-01 00:00:00' to '9999-12-31 23:59:59'.

josh.

-Original Message-
From: ram [mailto:[EMAIL PROTECTED]
Sent: 21 August 2007 16:29
To: FreeRadius users mailing list
Cc: Josh Howlett
Subject: Re: Database Population problem with mysql

On 8/21/07, Josh Howlett [EMAIL PROTECTED] wrote:

(42000) at line 15: Invalid default value for 'AcctStartTime'

Try using a valid value for this.

Hi, what is the correct value for that record as per the document I am populating? I am using mysql: mysql Ver 14.12 Distrib 5.0.32, for pc-linux-gnu (i486) using readline 5.2 on debian. Any suggestions?

ram
RE: PAM Radius
Hi Sayan,

I think I have tried this previously, and it was possible (on Linux/glibc anyway - YMMV with other unices). TBH, I don't really see the point in using RADIUS when you'll (probably) want to use LDAP anyway for nss resolution, so you might as well just use LDAP for PAM.

josh.

-Original Message-
From: [EMAIL PROTECTED] org [mailto:[EMAIL PROTECTED] eradius.org] On Behalf Of Sayan S
Sent: 20 August 2007 14:04
To: FreeRadius users mailing list
Subject: Re: PAM Radius

Thanks Alan for the quick response. I am referring to realm here, as RADIUS supports realms, and we are using RADIUS to authenticate the users to Linux, so seems like we need to have all users contained in the same realm. Is having username in [EMAIL PROTECTED] form a valid unix format? I was thinking the first part of the [EMAIL PROTECTED] should be the unix username though the radius request is sent as [EMAIL PROTECTED] Otherwise we need to have a comprehensive [EMAIL PROTECTED] to Unix-userid mapping.

regards,
sayan

Alan DeKok [EMAIL PROTECTED] wrote:

Sayan S wrote:

Greetings, I am very new to RADIUS and PAM RADIUS. I am trying to configure PAM Radius to authenticate users on a Linux host. I would like to know how to configure PAM Radius to authenticate users from different realms, as the current configuration doesn't seem to take realm.

You don't use realms in Unix logins.

please help me with this as I have configured users to be part of different realms on radius server and now want to authenticate all those users to the same Linux host.

You just login as [EMAIL PROTECTED]. That might work.

Alan DeKok.
RE: Ipsec EAP_TLS
Does the current implementation of free radius provide capability that these keys can be securely transferred to the VPN gateway?

No.

josh.
RE: How to capture wireless EAP packets on Windows XP?
I usually find it simplest to use tcpdump on the RADIUS server, although I've used Wireshark in the past on Windows supplicants.

josh.

-Original Message-
From: [EMAIL PROTECTED] org [mailto:[EMAIL PROTECTED] eradius.org] On Behalf Of Clark J. Wang
Sent: 25 July 2007 03:48
To: freeRadius Mailing List - users
Subject: How to capture wireless EAP packets on Windows XP?

I'm testing FreeRADIUS's PEAP-EAP-MSCHAPv2 functionality with a wireless USB adapter (D-Link AirPlus G DWL-G122) on Windows XP (SP2). I tried to capture the EAP packets using Wireshark 0.99.6a but I failed. Can anyone help? Thanks.
RE: RADIUS PEAP
What you're attempting to do is impossible because MS-CHAP is a mutual authentication protocol. If the RADIUS server does not demonstrate knowledge of the password to the supplicant, a well-behaved supplicant *should* refuse the connection. (I also wouldn't be surprised if the RADIUS server barfs because it can't get a valid user-password in order to construct the authentication response but I can't comment authoritatively on this).

Finally, you can't authenticate MS-CHAP against /etc/passwd or /etc/shadow; MS-CHAP requires access to the cleartext password or its NTLM hash.

josh.

-Original Message-
From: [EMAIL PROTECTED] org [mailto:[EMAIL PROTECTED] eradius.org] On Behalf Of Adrienne Rau
Sent: 03 July 2007 19:30
To: freeradius-users@lists.freeradius.org
Subject: RADIUS PEAP

I am configuring a wireless network with EAP Authentication. I can connect successfully with the following line in my users file.

    testuser User-Password == testing

I would like to be able to authenticate with ANY password. I tried using the != operand, but that causes an MS-CHAP incorrect response error. Is there any way to make EAP authenticate with any password. If not, how can I have it authenticate against the /etc/passwd and /etc/shadow files?

Thank you for your help,
Adrienne Rau
RE: Shared secret is incorrect - but it is identical!
Hi Ken,

What happens if, using radtest, you specify the username *without* the realm from the remote machine?

josh.

-Original Message-
From: [EMAIL PROTECTED] us.org [mailto:[EMAIL PROTECTED] freeradius.org] On Behalf Of ken
Sent: 03 July 2007 22:02
To: FreeRadius users mailing list
Subject: Shared secret is incorrect - but it is identical!

I'm trying to get FreeRadius working on a Fedora Core 6 server with a view to eventually using it to authenticate against Windows Active Directory via ntlm_auth for the Janet Roaming Service. The first attempts at configuring it failed rather drastically so I went back to the beginning and I'm doing things one step at a time, making one-line changes to configs then using radtest and/or radclient to ensure it still works.

I can now authenticate a user defined in the users file, or in the Unix passwd file, from radtest on the local machine (i.e. the same one the server is running on).

Next step is to check that I can use FreeRadius over the network by trying radclient on another machine. It doesn't work from the networked machine. I see the invalid signature (err=2)! (Shared secret is incorrect.) message. Debug log says to double check the shared secret on the server. I have more than double checked it. I'm using the same shared secret on both machines. I know the shared secret is correct because it works from the local machine. But obviously it isn't! Because the encrypted password can't be read on the server. What can I do to make sure the shared secret truly is correct?

The definitions for both hosts are identical in the clients.conf file. At one point I manually edited them to swap the names of servers while leaving the secrets the same, just in case there was some hidden unprintable character - but the new local one still worked, proving that the two entries in the clients.conf file are in fact identical. The shared secrets used in the radtest command are identical. I'm cutting and pasting the *same* radtest command in, not retyping it. To test for sure I put radclient commands in scripts on the remote machine, where they failed. Then I ftped them from the machine they failed on to the other one - where they worked! So it *has* to be the same! And if I alter it in any way there then radtest fails so it's not getting a free passage just because it's local.

I have a horrid fear I've missed something totally obvious about how radclient works and that I'm doing something really, really stupid - but I can't see what. And I've been stuck here for over a week now. Any clues?

From the local machine I get:

===
[EMAIL PROTECTED] ~]$ /usr/local/bin/radtest -d /etc/raddb [EMAIL PROTECTED] password server.IP.addr 122 sharedsecret
Sending Access-Request of id 121 to server.IP.addr port 1812
        User-Name = [EMAIL PROTECTED]
        User-Password = password
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 122
rad_recv: Access-Accept packet from host server.IP.addr:1812, id=121, length=20
===

But when I try from the remote machine I get:

===
/usr/local/bin/radtest -d /etc/raddb [EMAIL PROTECTED] password server.IP.addr 122 sharedsecret
Sending Access-Request of id 184 to server.IP.addr port 1812
        User-Name = [EMAIL PROTECTED]
        User-Password = password
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 122
rad_recv: Access-Reject packet from host server.IP.addr:1812, id=184, length=20
rad_verify: Received Access-Reject packet from client server.IP.addr port 1812 with invalid signature (err=2)! (Shared secret is incorrect.)
[EMAIL PROTECTED] ~]$ /usr/local/bin/radtest -d /etc/raddb [EMAIL PROTECTED] password server.IP.addr 122 sharedsecret
Sending Access-Request of id 246 to server.IP.addr port 1812
        User-Name = [EMAIL PROTECTED]
        User-Password = password
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 122
rad_recv: Access-Reject packet from host server.IP.addr:1812, id=246, length=20
rad_verify: Received Access-Reject packet from client server.IP.addr port 1812 with invalid signature (err=2)! (Shared secret is incorrect.)
[EMAIL PROTECTED] ~]$ /usr/local/bin/radtest -d /etc/raddb [EMAIL PROTECTED] password server.IP.addr 122 sharedsecret
Sending Access-Request of id 7 to server.IP.addr port 1812
        User-Name = [EMAIL PROTECTED]
        User-Password = password
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 122
rad_recv: Access-Reject packet from host server.IP.addr:1812, id=7, length=20
rad_verify: Received Access-Reject packet from client server.IP.addr port 1812 with invalid signature (err=2)! (Shared secret is incorrect.)
==

I strongly suspect that I am doing something stupid on the client side, because the same request
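The "invalid signature (err=2)! (Shared secret is incorrect.)" line above is radclient failing to verify the Response Authenticator on the reply. As an added example (not from the thread and not FreeRADIUS code), the following Python models both places RFC 2865 uses the shared secret: hiding User-Password in the request (section 5.2) and computing the Response Authenticator on the reply (section 3). With the same secret on both sides the server decodes the password and the client verifies the reply; with different secrets the server decodes garbage and rejects, and the client cannot verify the reply, which is the pair of symptoms in the radtest output. Secrets and the password are constructed values.

```python
"""Model of RFC 2865 shared-secret use (added example, not FreeRADIUS code)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3


def hide_password(password, request_auth, secret):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    plain = password.encode()
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(plain), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(plain[i:i + 16], pad))
        out += block
        prev = block                    # chaining uses the ciphertext block
    return out


def reveal_password(hidden, request_auth, secret):
    """Inverse of hide_password; with the wrong secret the result is unrelated bytes."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode("utf-8", errors="replace")


def response_authenticator(code, ident, request_auth, body, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_response(code, ident, request_auth, body, secret):
    """Server side: header, computed authenticator, attributes."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + response_authenticator(code, ident, request_auth, body, secret) + body


def verify_response(packet, request_auth, secret):
    """Client side: what radclient checks; False is what it reports as err=2."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        return False
    expected = response_authenticator(code, ident, request_auth, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


def simulate(client_secret, server_secret, password="password"):
    """Run one Access-Request through a toy server that knows `password`.

    Returns (password as the server decoded it, reply code, client verified reply).
    """
    request_auth = os.urandom(16)   # fresh per request, as the client does
    hidden = hide_password(password, request_auth, client_secret)
    # server: decode with its own copy of the secret and decide
    seen = reveal_password(hidden, request_auth, server_secret)
    code = ACCESS_ACCEPT if seen == password else ACCESS_REJECT
    reply = build_response(code, 121, request_auth, b"", server_secret)
    # client: is the reply from a server that shares our secret?
    return seen, code, verify_response(reply, request_auth, client_secret)


if __name__ == "__main__":
    print("matching secrets:", simulate(b"sharedsecret", b"sharedsecret"))
    print("mismatched secrets:", simulate(b"sharedsecret", b"sharedsecreT"))
```

Because the secret is looked up per client IP in clients.conf, two machines sending the identical radtest command can still be matched against different client entries; the model above only shows why a mismatch produces both an Access-Reject and the signature error at the same time.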
RE: Sending CA certificate during EAP-TLS
Hi Reimer,

How do you check if FreeRadius is actually sending the chain?

I find Wireshark useful for this. It re-assembles the fragmented TLS handshake, which makes it much easier to understand...

josh.
RE: [meta] admin tools and utilities
-Original Message-
From: [EMAIL PROTECTED] org [mailto:[EMAIL PROTECTED] eradius.org] On Behalf Of Phil Mayers
Sent: 29 June 2007 10:35
To: FreeRadius users mailing list
Subject: Re: [meta] admin tools and utilities

On Thu, 2007-06-28 at 12:16 -0500, Hugh Messenger wrote:

Forgive me if meta-discussions are frowned upon. I was just wondering what tools and utilities (not shipped with freeradius) people find useful in day to day admin and testing.

eapol_client from the wpa_supplicant distro was invaluable for testing EAP I found

I agree with Phil, this is an invaluable tool for testing EAP; although it's really called eapol_test :-)

josh.
RE: Banning users in a nice way...
Has anyone got any ideas? I'm assuming there's no way to do it..

Not that I can think of. You shouldn't be able to coax a supplicant onto a network by munging authentication (this is a *good* thing).

josh.
Re: terminating EAP tunnels, proxy and realms
Gah, my message bounced owing to change of email address...

Arran wrote:
Can you clear something up for me with inner/outer identity. The outer identity is in the User-Name attribute, it's a standard RADIUS attribute... Inner identity is encoded in the EAP message, and is pulled out by the EAP module prior to internal proxying and set as the User-Name attribute (which should overwrite the User-Name attribute in the request)?

Correct.

And it's standard practice to leave the outer identity as anonymous, as the only communication between the NAS and the Supplicant is EAP based when using EAPOL, and so the NAS would have to understand EAP to be able to extract the User-Name string and write it into the Access-Request packet?

Nope; see RFC 3579 for the gory details: "the NAS MUST copy the contents of the Type-Data field of the EAP-Response/Identity received from the peer into the User-Name attribute". The use of anonymous is simply to preserve privacy; it's not a technical requirement of any EAP method (that I know of). An interesting tangent: note that end-user identity hiding is simply a requirement of RFC 4017 (EAP Method Requirements for Wireless LANs), which I think is a shame.

So although the NAS must send an EAP-Identity-Request when the client connects it's not required to understand the EAP-Identity-Response?

For the reason given above, it *does* need to understand the EAP-Identity-Response. But that's about it! The NAS is a pretty dumb device.

josh.
RE: terminating EAP tunnels, proxy and realms
Nope; see RFC 3579 for the gory details: "the NAS MUST copy the contents of the Type-Data field of the EAP-Response/Identity received from the peer into the User-Name attribute"

See, that's what I suspected, else how could the User-Name attribute be populated in the access requests... And indeed as the RFC states, the User-Identity needs to be set in the access requests for non-EAP-aware proxies. I suspect FreeRADIUS may count as one of these, as for all intents and purposes it provides no mechanism to proxy arbitrary segments of an EAP conversation on inner identity alone. Unless I missed something?

No, that's correct.

For the reason given above, it *does* need to understand the EAP-Identity-Response. But that's about it! The NAS is a pretty dumb device.

Reason why I was asking is because most of the tests on the JRS test website seem to break when you base the reply in FreeRADIUS on the inner identity as opposed to the outer identity.

I'm surprised at that, IIRC (and I did write the code originally :-) the tests use the same name for inner and outer. Still, it would probably be best if you raised a ticket with JANET Customer Services as this is a bit OT for this list.

best regards, josh.
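The RFC 3579 rule quoted in both messages above, and the inner/outer split Arran describes, as an added Python example (not code from the original posts or from FreeRADIUS): it parses an EAP-Response/Identity, copies the Type-Data into a RADIUS User-Name attribute the way the NAS must, splits the realm off the way rlm_realm's suffix instance does, and shows the inner identity overwriting User-Name in the tunnelled request while the outer request keeps the anonymous one. The identities anonymous@example.org and alice@example.org are made up.

```python
import struct

EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
ATTR_USER_NAME = 1
MAX_AVP_VALUE = 253          # RADIUS attribute Length is one byte and includes the 2-byte header


def parse_eap_response_identity(pkt):
    """Return the Type-Data of an EAP-Response/Identity as a str (RFC 3748 section 5.1)."""
    if len(pkt) < 5:
        raise ValueError("EAP packet too short")
    code, ident, length, etype = struct.unpack("!BBHB", pkt[:5])
    if code != EAP_RESPONSE or etype != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity")
    if length != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    return pkt[5:].decode("utf-8")


def user_name_avp(identity):
    """Encode RFC 2865 User-Name (type 1): what RFC 3579 says the NAS MUST do with Type-Data."""
    value = identity.encode("utf-8")
    if not value or len(value) > MAX_AVP_VALUE:
        raise ValueError("User-Name must be 1..253 bytes")
    return bytes([ATTR_USER_NAME, 2 + len(value)]) + value


def split_realm(identity):
    """Mimic rlm_realm's 'suffix' instance: split on the LAST '@'; realm is None if there is none."""
    if "@" not in identity:
        return identity, None
    user, realm = identity.rsplit("@", 1)
    return user, realm


def inner_request(outer_request, inner_identity):
    """The tunnelled request: a copy of the outer one with User-Name overwritten by the inner identity."""
    inner = dict(outer_request)
    inner["User-Name"] = inner_identity
    return inner


# Constructed EAP-Response/Identity from the supplicant:
# Code=2, Id=1, Length=26, Type=1, Type-Data="anonymous@example.org"
SAMPLE_IDENTITY_RESPONSE = b"\x02\x01\x00\x1a\x01" + b"anonymous@example.org"


def demo():
    outer_identity = parse_eap_response_identity(SAMPLE_IDENTITY_RESPONSE)
    outer = {"User-Name": outer_identity, "NAS-Port-Type": "Wireless-802.11"}
    inner = inner_request(outer, "alice@example.org")      # learned inside the TLS tunnel
    return {
        "outer_identity": outer_identity,
        "user_name_avp": user_name_avp(outer_identity),
        "outer_realm": split_realm(outer_identity),
        "inner_user_name": inner["User-Name"],
        "outer_user_name_unchanged": outer["User-Name"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The outer User-Name is all a non-EAP-aware proxy ever sees, which is why the realm used for proxying has to be present in the outer identity even when the user part is anonymous.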
Simultaneous-Use problem.
I have a feeling that the answer is blindingly obvious, but I can't figure it out...

The 'users' file consists of:

DEFAULT Auth-Type = Accept
        Simultaneous-Use := 1

In radiusd.conf I also have:

session {
        sql
}

authorize {
        radius-user-auth
}

'radius-user-auth' is an rlm_exec instance that invokes a script used to authenticate users. It works fine, but the 'session' section never gets processed. Why?

josh.
RE: Simultaneous-Use problem.
On Monday 25 June 2007 11:42:08 Josh Howlett wrote:
I have a feeling that the answer is blindingly obvious, but I can't figure it out...

The 'users' file consists of:

DEFAULT Auth-Type = Accept
        Simultaneous-Use := 1

Because Simultaneous-Use is in the wrong place. Make it a check item and the session section should be processed.

That fixed it. As I thought, blindingly obvious; a case of needing another pair of eyes...

Thanks, josh.
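Why the placement matters, as an added Python example (not from the original posts or from FreeRADIUS): in the users file the check items are the comma-separated list on the entry's first line, and every indented continuation line holds reply items; the server consults the session section only when Simultaneous-Use is among the check items. The parser below applies that rule to the two entries from the thread. The entry texts are constructed from the posts; the parser covers the operators the users file accepts but not its whole syntax (no Fall-Through handling, no backslash line continuation).

```python
import re

OPERATORS = (":=", "==", "!=", ">=", "<=", "=~", "!~", "+=", "=", ">", "<")
ITEM_RE = re.compile(
    r"^\s*(?P<attr>[A-Za-z0-9_.-]+)\s*(?P<op>"
    + "|".join(re.escape(o) for o in OPERATORS)
    + r")\s*(?P<value>.+?)\s*$"
)


def parse_item(text):
    """'Attr op value' -> (attr, op, value); surrounding quotes on the value are stripped."""
    m = ITEM_RE.match(text)
    if not m:
        raise ValueError(f"cannot parse item: {text!r}")
    value = m.group("value")
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]
    return m.group("attr"), m.group("op"), value


def split_items(line):
    """Split 'A = 1, B := 2' on commas that are outside quotes."""
    items, cur, quote = [], "", None
    for ch in line:
        if quote:
            cur += ch
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
            cur += ch
        elif ch == ",":
            items.append(cur)
            cur = ""
        else:
            cur += ch
    if cur.strip():
        items.append(cur)
    return [parse_item(i) for i in items if i.strip()]


def parse_users(text):
    """Return a list of {'name', 'check', 'reply'} entries from users-file text."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":                      # indented: reply item(s) of the current entry
            if not entries:
                raise ValueError("reply item before any entry")
            entries[-1]["reply"].extend(split_items(raw.rstrip().rstrip(",")))
            continue
        parts = raw.split(None, 1)               # first line: name, then the check items
        rest = parts[1] if len(parts) > 1 else ""
        entries.append({"name": parts[0], "check": split_items(rest), "reply": []})
    return entries


def session_section_runs(entry):
    """The server calls the session section only if Simultaneous-Use is a CHECK item."""
    return any(attr == "Simultaneous-Use" for attr, _, _ in entry["check"])


# Constructed from the thread: the broken entry and the fixed one.
USERS_BROKEN = "DEFAULT\tAuth-Type = Accept\n\tSimultaneous-Use := 1\n"
USERS_FIXED = "DEFAULT\tAuth-Type = Accept, Simultaneous-Use := 1\n"


if __name__ == "__main__":
    for label, text in (("broken", USERS_BROKEN), ("fixed", USERS_FIXED)):
        e = parse_users(text)[0]
        print(label, "check:", e["check"], "reply:", e["reply"],
              "session section runs:", session_section_runs(e))
```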
RE: PHP issues with PHP 4.3.9 and dialup_admin
On 6/16/07, Josh Howlett [EMAIL PROTECTED] wrote:
Ethan, Have you got the freeradius-mysql RPM installed?

I don't know if I remembered to post a followup or not, but, undefined constant messages aside (which are caused by a change to how PHP requires single quotes), my real problems with dialup_admin not working at all (blank screens) were caused by a missing rpm related to PHP and a reported/documented feature that if you call a PHP function that does not exist, you get no feedback in the way of error messages - just total silence.

You were probably missing php-mysql, as I was. PHP does normally return sensible error messages of the kind you mention, so I had the same confusion as you. I'm not sure if there is a new option in php5 to enable these, or if something has changed in dialup_admin to suppress them...

josh.
RE: Freeradius PEAP and Wireless
rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is required first.

You need to uncomment the tls section in eap.conf, even if you're not intending to use EAP-TLS.

josh.
RE: PHP issues with PHP 4.3.9 and dialup_admin
Ethan,

Have you got the freeradius-mysql RPM installed?

josh.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ethan Dicks
Sent: 20 March 2007 21:00
To: freeradius-users@lists.freeradius.org
Subject: PHP issues with PHP 4.3.9 and dialup_admin

I've been digging around all day and I've seen other people describe the same symptoms I'm having, but the follow-ups typically say "Oh, I fixed it", but don't describe the fix.

It seems that something resembling my symptoms goes back to the version of dialup_admin that shipped with freeRADIUS 1.0.1, so I am not convinced what I'm seeing is _specifically_ a PHP 4.3 problem, but given the changes with register_globals from 4.1.0 to 4.2.0, I thought it would be prudent to mention that.

My setup is...

CentOS 4.4.2 (RHEL 4 without the RedHat trademarks and graphics)
Apache 2.0.52
PHP 4.3.9
mysql 4.1.20
freeRADIUS 1.1.5
dialup_admin ? (CVS snapshot 20070320)
firefox 1.5.0.10

I have freeRADIUS installed and working with users stuffed into a flat file, verified with 'radtest'. I can get the main page of dialup_admin to come up, but I get blank screens and lots of PHP errors logged when I try to invoke nearly any button. My radius database has tables, but no rows, since I was trying to set up dialup_admin to start inserting users and groups.

I have set PHP's register_globals to 'on' via /etc/php.ini and verified that it's on with phpinfo(), and I still get dozens of errors per mouse-click... Here's a typical example - the output is generated when clicking on the 'new group' button: a long list of 'undefined constant', 'undefined variable', and 'undefined index' following the warning that there's no prefix on a function call to say what its namespace is. I'm putting the error dump at the bottom to keep it from creating a huge gulf between sections of this query.
I know it must look familiar because I've found several references to errors that look just like this in the mailing list archives. What's lacking is the solution. Am I just missing a setup step somewhere? Am I running servers and packages that are just too new and untested?

Thanks,

-ethan

[client 127.0.0.1] PHP Notice: import_request_variables(): No prefix specified - possible security hazard in /usr/local/dialup_admin/conf/config.php3 on line 8, referer: http://localhost/dialup/buttons.php3
[client 127.0.0.1] PHP Notice: Use of undefined constant general_use_session - assumed 'general_use_session' in /usr/local/dialup_admin/conf/config.php3 on line 66, referer: http://localhost/dialup/buttons.php3
[client 127.0.0.1] PHP Notice: Undefined variable: login in /usr/local/dialup_admin/conf/config.php3 on line 73, referer: http://localhost/dialup/buttons.php3
[client 127.0.0.1] PHP Notice: Undefined variable: login in /usr/local/dialup_admin/conf/config.php3 on line 76, referer: http://localhost/dialup/buttons.php3
[client 127.0.0.1] PHP Notice: Use of undefined constant general_username_mappings_file - assumed 'general_username_mappings_file' in /usr/local/dialup_admin/conf/config.php3 on line 86, referer: http://localhost/dialup/buttons.php3
[client 127.0.0.1] PHP Notice: Use of undefined constant general_username_mappings_file - assumed 'general_username_mappings_file' in /usr/local/dialup_admin/conf/config.php3 on line 87, referer: http://localhost/dialup/buttons.php3
[client 127.0.0.1] PHP Notice: Use of undefined constant name - assumed 'name' in /usr/local/dialup_admin/conf/config.php3 on line 100, referer: http://localhost/dialup/buttons.php3
[client 127.0.0.1] PHP Notice: Use of undefined constant name - assumed 'name' in /usr/local/dialup_admin/conf/config.php3 on line 100, referer: http://localhost/dialup/buttons.php3
[client 127.0.0.1] PHP Notice: Use of undefined constant name - assumed 'name' in /usr/local/dialup_admin/conf/config.php3 on line 100, referer: http://localhost/dialup/buttons.php3
[client 127.0.0.1] PHP Notice: Use of undefined constant name - assumed 'name' in /usr/local/dialup_admin/conf/config.php3 on line 100, referer: http://localhost/dialup/buttons.php3
[client 127.0.0.1] PHP Notice: Use of undefined constant name - assumed 'name' in /usr/local/dialup_admin/conf/config.php3 on line 100, referer: http://localhost/dialup/buttons.php3
[client 127.0.0.1] PHP Notice: Use of undefined constant name - assumed 'name' in /usr/local/dialup_admin/conf/config.php3 on line 100, referer: http://localhost/dialup/buttons.php3
[client 127.0.0.1] PHP Notice: Use of undefined constant general_use_session - assumed 'general_use_session' in /usr/local/dialup_admin/conf/config.php3 on line 106, referer: http://localhost/dialup/buttons.php3
[client 127.0.0.1] PHP Notice: Undefined variable: show in /usr/local/dialup_admin/htdocs/group_new.php3
RE: Run 2 FreeRadius simultanously
Hi Jaume,

Can my machine run 2 FreeRadius at the same time? Each FreeRadius on a different IP but simultaneously on the same CPU and O.S.? Somebody told me that's possible if each radius is reading from a different PATH... Thanks for any documentation, link or kind of help.

$ man radiusd
...
-d config directory
        Defaults to /etc/raddb. Radiusd looks here for its configuration files such as the dictionary and the users files.

You can start another instance of freeradius and point it to another config directory.

Jaume, trying to start eduRoam in Peru!

Excellent! There are plenty of other eduroamers on this list too :-)

josh.
RE: JRS Service configurations + Wiki
Alan D, Would you mind having configuration documents for 3rd party services like JRS on the FreeRADIUS wiki?

Alan B, Would JANET mind having configuration documents for JRS on the FreeRADIUS wiki? It is meant to be a repository for everything FreeRADIUS after all ... and it's easier if all this stuff is in one place.

personally I would prefer such configuration to be on the JRS support / UKERNA document site. What should be on the main FR wiki is the fundamental 'how to proxy' and 'how to attribute filter' type documents. I believe that special service cases could otherwise overrun the freeradius site (as they do the freeradius users list)

While UKERNA would have absolutely no problem with this, I empathise with Alan B's view that such documentation might be 'clutter' on the FreeRADIUS Wiki and might be better located on a JRS-specific website. It might also be more visible to JRS participants. Perhaps a link from the Wiki to the JRS website might be more appropriate?

If you'd like to contribute some JRS documentation formally, then please get in touch with me directly! We're particularly interested in documentation covering the 'complete solution' (auth db, radius, WAPs, PR, etc). This is obviously a lot of work, but we should be able to compensate your Institution for this effort.

best regards, josh.
Re: Long Access time
The packets are making it to the supplicant, so I don't think there's a problem with the AP or anything else. It's a supplicant issue.

The strange problem is that the long authentication times are about the same for the Win XP built-in supplicant and the MAC OS X supplicant. What kind of changes can I make in the supplicant configuration to try to minimize authentication time?

The requests aren't being proxied, so proxy.conf doesn't affect anything.

Ok, but could I improve the system performance by setting these attributes up in an appropriate way?

retry_delay
dead_time
retry_count

As always, thanks a lot

Josh
Long Access time
eapolclient[243]: eapmschapv2_success_request: successfully authenticated
May 8 10:37:45 Macintosh eapolclient[243]: eapmschapv2_success_request: successfully authenticated
May 8 10:38:16 Macintosh eapolclient[243]: eapmschapv2_success_request: successfully authenticated
May 8 10:38:47 Macintosh eapolclient[243]: eapmschapv2_success_request: successfully authenticated
May 8 10:38:53 Macintosh configd[35]: posting notification com.apple.system.config.network_change
May 8 10:38:53 Macintosh lookupd[1983]: lookupd (version 369.6) starting - Tue May 8 10:38:53 2007

Thanks!

Josh
Re: Long Access time
On 5/8/07, Alan DeKok [EMAIL PROTECTED] wrote:
Perhaps you could explain what you mean by that. What's a long access time?

Excuse my English. I mean the time that passes between the user sending login information and successful authentication by the supplicant.

Which doesn't include the debug output from the server.

rad_recv: Access-Request packet from host 192.168.181.1:32806, id=241, length=134
        User-Name = luca.tar
        EAP-Message = 0x0212016c7563612e74617264656c6c61
        Message-Authenticator = 0x52d025161d172ba39e1692bef02ef0af
        Calling-Station-Id = 00-1B-63-00-0C-DE
        Called-Station-Id = 00-13-D4-CF-C5-1B
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        NAS-IP-Address = 0.0.0.0
        NAS-Identifier = 14
Tue May 8 10:29:53 2007 : Debug: Processing the authorize section of radiusd.conf
Tue May 8 10:29:53 2007 : Debug: modcall: entering group authorize for request 497
Tue May 8 10:29:53 2007 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 497
Tue May 8 10:29:53 2007 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 497
Tue May 8 10:29:53 2007 : Debug: modcall[authorize]: module preprocess returns ok for request 497
Tue May 8 10:29:53 2007 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 497
Tue May 8 10:29:53 2007 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 497
Tue May 8 10:29:53 2007 : Debug: modcall[authorize]: module chap returns noop for request 497
Tue May 8 10:29:53 2007 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 497
Tue May 8 10:29:53 2007 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 497
Tue May 8 10:29:53 2007 : Debug: modcall[authorize]: module mschap returns noop for request 497
Tue May 8 10:29:53 2007 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 497
Tue May 8 10:29:53 2007 : Debug: rlm_realm: No '@' in User-Name = luca.tar, looking up realm NULL
Tue May 8 10:29:53 2007 : Debug: rlm_realm: Found realm NULL
Tue May 8 10:29:53 2007 : Debug: rlm_realm: Adding Stripped-User-Name = luca.tar
Tue May 8 10:29:53 2007 : Debug: rlm_realm: Proxying request from user luca.tar to realm NULL
Tue May 8 10:29:53 2007 : Debug: rlm_realm: Adding Realm = NULL
Tue May 8 10:29:53 2007 : Debug: rlm_realm: Authentication realm is LOCAL.
Tue May 8 10:29:53 2007 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 497
Tue May 8 10:29:53 2007 : Debug: modcall[authorize]: module suffix returns noop for request 497
Tue May 8 10:29:53 2007 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 497
Tue May 8 10:29:53 2007 : Debug: rlm_eap: EAP packet type response id 0 length 18
Tue May 8 10:29:53 2007 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Tue May 8 10:29:53 2007 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 497
Tue May 8 10:29:53 2007 : Debug: modcall[authorize]: module eap returns updated for request 497
Tue May 8 10:29:53 2007 : Debug: modsingle[authorize]: calling files (rlm_files) for request 497
Tue May 8 10:29:53 2007 : Debug: users: Matched entry DEFAULT at line 154
Tue May 8 10:29:53 2007 : Debug: rlm_ldap: Entering ldap_groupcmp()
Tue May 8 10:29:53 2007 : Debug: radius_xlat: 'ou=stat,dc=univ,dc=il'
Tue May 8 10:29:53 2007 : Debug: radius_xlat: '(uid=luca.tar)'
Tue May 8 10:29:53 2007 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Tue May 8 10:29:53 2007 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Tue May 8 10:29:53 2007 : Debug: rlm_ldap: performing search in ou=stat,dc=univ,dc=il, with filter (uid=luca.tar)
Tue May 8 10:29:53 2007 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Tue May 8 10:29:53 2007 : Debug: radius_xlat: '(|((objectClass=GroupOfNames)(member=cn\3dLuca tar\2cou\3dfaculty\2cou\3ddspsa\2cou\3dstat\2cdc\3duniv\2cdc\3dil))((objectClass=GroupOfUniqueNames)(uniquemember=cn\3dLuca tar\2cou\3dfaculty\2cou\3ddspsa\2cou\3dstat\2cdc\3duniv\2cdc\3dil)))'
Tue May 8 10:29:53 2007 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Tue May 8 10:29:53 2007 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Tue May 8 10:29:53 2007 : Debug: rlm_ldap: performing search in ou=stat,dc=univ,dc=il, with filter ((cn=professor)(|((objectClass=GroupOfNames)(member=cn\3dLuca tar\2cou\3dfaculty\2cou\3ddspsa\2cou\3dstat\2cdc\3duniv\2cdc\3dil))((objectClass=GroupOfUniqueNames)(uniquemember=cn\3dLuca tar\2cou\3dfaculty\2cou\3ddspsa\2cou\3dstat\2cdc\3duniv\2cdc\3dil
Tue May 8 10:29:53 2007 : Debug: rlm_ldap: object not found or got ambiguous search result
Tue May 8 10:29:53 2007 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Tue May 8 10:29:53 2007 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Tue May 8 10:29:53 2007 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Tue May 8 10:29:53 2007 : Debug:
Re: Long Access time
: leaving group authenticate (returns ok) for request 505
Tue May 8 10:29:54 2007 : Auth: Login OK: [luca.tar/no User-Password attribute] (from client chilli port 0 cli 00-1B-63-00-0C-DE)
Sending Access-Accept of id 249 to 192.168.181.1 port 32806
        Service-Type == Framed-User
        Filter-Id = 98
        MS-MPPE-Recv-Key = 0xf3e32519ac70611ad1e77ff451de9cbd1b505f0107bc55a34a6fca9b8a295bf4
        MS-MPPE-Send-Key = 0x4b66b29e9f0570d621bd6e059e447ce157b2f6290a4a3cdfdf90f8f1f1bd0458
        EAP-Message = 0x03080004
        Message-Authenticator = 0x
        User-Name = luca.tar
Tue May 8 10:29:54 2007 : Debug: Finished request 505
Tue May 8 10:29:54 2007 : Debug: Going to the next request
Tue May 8 10:29:54 2007 : Debug: Waking up in 5 seconds...

I don't know why this would be happening. I haven't seen it happen on various MAC's I have access to. :)

Best regards.

Josh
RE: How to send the accounting messages
Also can you please tell me how to send different accounting messages.

Consult your NAS documentation.

josh.
Re: Problems with PAP, upgrading from 1.1.3
I figured this out. I had to use {sha} instead of {sha1}.
Problems with PAP, upgrading from 1.1.3
Hi everyone,

I'm having a hell of a time upgrading from 1.1.3 to 1.1.4 due to PAP. First of all, leaving my settings as they are doesn't work at all. I'm beginning to wonder if my 1.1.3 configuration shouldn't work at all yet somehow magically does what I want it to.

I currently (1.1.3) don't have a *-Password attribute. The table has a password field in it that I use in a crazy SQL query. It fakes a row with the User-Password attribute. The passwords are all SHA1 hashed.

This is what happens when using the 1.1.3 config (encryption_scheme = sha1):

rad_recv: Access-Request packet from host 192.168.0.10:54288, id=46, length=56
        User-Name = test
        User-Password = qwertyuiop1
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
radius_xlat: 'test'
rlm_sql (sql): sql_set_user escaped user -- 'test'
...
modcall[authorize]: module sql returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
rad_check_password: Found Auth-Type PAP
auth: type PAP
Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 1
rlm_pap: login attempt with password qwertyuiop1
rlm_pap: No password configured for the user. Cannot do authentication
modcall[authenticate]: module pap returns fail for request 1
modcall: leaving group PAP (returns fail) for request 1
auth: Failed to validate the user.
Login incorrect: [test] (from client localhost port 1)

This is where I get lost, radiusd.conf:

modules {
        pap {
                encryption_scheme = sha1
        }
        ...
}
...
authorize {
        sql
}
authenticate {
        Auth-Type PAP {
                pap
        }
}

I know the rlm_pap man page talks about putting pap into authorize{}, so maybe that is what is preventing it from working, though it does seem to get into rlm_pap above. Adding the header onto the password in the DB doesn't help (though I didn't expect it to).
So at this point I tried making things the way they should be:

modules {
        pap {
                #encryption_scheme = sha1
                auto_header = yes
        }
        ...
}

Didn't work with non-prefixed password (duh). This is what I get after prepending {sha1} to the password:

Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 0
rlm_pap: login attempt with password qwertyuiop1
rlm_pap: Using clear text password.
rlm_pap: Passwords don't match
modcall[authenticate]: module pap returns reject for request 0
modcall: leaving group PAP (returns reject) for request 0
auth: Failed to validate the user.
Login incorrect (rlm_pap: CLEAR TEXT password check failed): [test] (from client localhost port 1)

Okay, so it didn't pick up the header, so I put pap into authorize{} after sql as the man page says and now I get:

Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
radius_xlat: 'test'
rlm_sql (sql): sql_set_user escaped user -- 'test'
...
modcall[authorize]: module sql returns ok for request 0
rlm_pap: Found unknown header {{sha1}}: Not doing anything
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module pap returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type PAP
auth: type PAP
Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 0
rlm_pap: login attempt with password qwertyuiop1
rlm_pap: Using clear text password.
rlm_pap: Passwords don't match
modcall[authenticate]: module pap returns reject for request 0
modcall: leaving group PAP (returns reject) for request 0
auth: Failed to validate the user.
Login incorrect (rlm_pap: CLEAR TEXT password check failed): [test] (from client localhost port 1)

Now it says unknown header {{sha1}}. I dunno what this means, maybe it wasn't compiled correctly, or I'm specifying the header wrong? I have {sha1}ar3h8ir4r4a3r... in the field.
I tried skipping this (according to my understanding of the man page) by changing User-Password to SHA1-Password, but that breaks my SQL driver:

rlm_sql: Failed to create the pair: Unknown attribute SHA1-Password
rlm_sql (sql): Error getting data from database
rlm_sql (sql): SQL query error; rejecting user

I'm kinda lost now. I'm guessing that if the header was known, things would work, but for some reason it doesn't understand the {sha1} prefix...

Thanks,
Josh
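The fix Josh posted above ({sha} rather than {sha1}) comes down to which header strings rlm_pap's auto_header recognises. The following Python is an added example, not code from the original post or from FreeRADIUS: it reproduces the header-prefixed password check for the {clear}, {cleartext}, {md5}, {smd5}, {sha} and {ssha} forms, accepting the hash in hex or base64 as rlm_pap does, and raises an error for an unrecognised header such as {sha1} rather than falling through to a clear-text comparison the way the debug output above shows the module doing. The stored values are built inline from the password in that debug output; the salt used for {ssha} is made up, and {crypt} and the NT/LM forms are deliberately left out.

```python
import base64
import binascii
import hashlib
import hmac

SHA1_LEN, MD5_LEN = 20, 16


def _decode_hash(text, digest_len):
    """Accept the digest (plus optional salt) as hex or base64, like rlm_pap's normalisation.

    Hex is tried first when the length allows it; a base64 string that happens to be
    all hex digits of even length would be misread, which is why rlm_pap documents
    hex as the canonical form.
    """
    if len(text) >= 2 * digest_len and len(text) % 2 == 0:
        try:
            return binascii.unhexlify(text)
        except binascii.Error:
            pass
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("hash is neither hex nor base64") from None
    if len(raw) < digest_len:
        raise ValueError("decoded hash shorter than the digest")
    return raw


def _clear(stored, password):
    return hmac.compare_digest(stored.encode(), password.encode())


def _digest(algo, digest_len):
    def check(stored, password):
        raw = _decode_hash(stored, digest_len)
        return hmac.compare_digest(raw[:digest_len], hashlib.new(algo, password.encode()).digest())
    return check


def _salted(algo, digest_len):
    """{smd5}/{ssha}: hash(password + salt) with the salt stored after the digest."""
    def check(stored, password):
        raw = _decode_hash(stored, digest_len)
        digest, salt = raw[:digest_len], raw[digest_len:]
        return hmac.compare_digest(digest, hashlib.new(algo, password.encode() + salt).digest())
    return check


HEADERS = {
    "{clear}": _clear,
    "{cleartext}": _clear,
    "{md5}": _digest("md5", MD5_LEN),
    "{smd5}": _salted("md5", MD5_LEN),
    "{sha}": _digest("sha1", SHA1_LEN),      # note: {sha}, not {sha1}
    "{ssha}": _salted("sha1", SHA1_LEN),
}


def check_password(stored, password):
    """Return True/False for a header-prefixed stored value; raise on an unrecognised header."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("no {header} prefix on stored password")
    end = stored.index("}") + 1
    header, value = stored[:end].lower(), stored[end:]
    try:
        checker = HEADERS[header]
    except KeyError:
        # Same double-brace rendering as the module's "Found unknown header {{sha1}}" line.
        raise ValueError(f"unknown header {{{header}}}: not doing anything") from None
    return checker(value, password)


def make_stored(header, password, salt=b""):
    """Produce the stored form for the samples below: hex for plain digests, base64 for salted ones."""
    h = header.lower()
    if h in ("{clear}", "{cleartext}"):
        return header + password
    algo = "md5" if "md5" in h else "sha1"
    digest = hashlib.new(algo, password.encode() + salt).digest()
    if h in ("{smd5}", "{ssha}"):
        return header + base64.b64encode(digest + salt).decode()
    return header + digest.hex()


# Constructed sample values; the password is the one from the debug output in the thread.
PASSWORD = "qwertyuiop1"
SAMPLES = {
    "sha_hex": make_stored("{sha}", PASSWORD),
    "ssha_b64": make_stored("{ssha}", PASSWORD, salt=b"\x01\x02\x03\x04"),
    "sha1_unknown": "{sha1}" + hashlib.sha1(PASSWORD.encode()).hexdigest(),
}


if __name__ == "__main__":
    for label, stored in SAMPLES.items():
        try:
            print(label, "->", check_password(stored, PASSWORD))
        except ValueError as e:
            print(label, "->", e)
```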
RE: Simple EAP flow support!
You will need to modify the code.

josh.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Diameter K
Sent: 07 March 2007 18:53
To: freeradius-users@lists.freeradius.org
Subject: Simple EAP flow support!

Hi All,

I want to configure free-radius to handle a simple EAP described below.
1. Radius receives an IDENTITY message. The IDENTITY message contains an encrypted certificate.
2. The server decrypts and validates the Certificate and sends out an EAP-Success or EAP-Failure.

Is there any way I can configure freeradius to achieve this flow or would I have to modify the code? As I understand it the standard flows are much more complicated (with challenge), which I don't want.

Thanks
Regards,
Shiv
Strange random disconnection (Lost-Carrier)
Hello,

some of my users have a strange problem; randomly, they have been disconnected a few minutes after getting authenticated. Searching in the log file, I've seen that the problem is Lost Carrier

Wed Feb 28 09:16:24 2007 : Debug: Nothing to do. Sleeping until we see a request.
rad_recv: Accounting-Request packet from host 192.168.181.1:32919, id=227, length=184
        Acct-Status-Type = Stop
        User-Name = user1
        Calling-Station-Id = 00-0A-1D-18-61-B5
        Called-Station-Id = 00-23-F7-F2-C1-1C
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        NAS-Port-Id =
        NAS-IP-Address = 0.0.0.0
        NAS-Identifier = 20
        Framed-IP-Address = 192.168.182.41
        Acct-Session-Id = 45e53a51
        Acct-Input-Octets = 0
        Acct-Output-Octets = 0
        Acct-Input-Gigawords = 0
        Acct-Output-Gigawords = 0
        Acct-Input-Packets = 0
        Acct-Output-Packets = 0
        Acct-Session-Time = 531
        Acct-Terminate-Cause = Lost-Carrier

Searching on the FreeRADIUS ML I have found that the Lost-Carrier is a problem between the NAS and the user, so the problem is between the Access Point and the Supplicant. Could it be a signal problem (note that the distance between the AP and the NAS is short) or could there be other things that cause this disconnection?

Thanks for help
On IEEE 802.1x roaming
Hello,

I'm using FreeRADIUS with Coova Chilli in proxy mode with IEEE 802.1X authentication (PEAP auth. method to be more specific). In my network there are 6 Access Points that use TKIP as security protocol. Now I need the Supplicants to be able to roam between the Access Points. IEEE 802.1X asserts that two mechanisms can be used to obtain roaming:

- PMK Caching
- Pre Authentication

I would like to know how I could implement these mechanisms in my system. Is special configuration of FreeRADIUS required, or to implement roaming must I only configure the Access Points (if so, how can I do this)? Note that the Access Points are all on the same subnet.

Thanks for all

Josh
RE: Installing Free radius 1.1.4 on Server Running Centos 4.4
$ yum install freeradius

Josh.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of dataHosting Support
Sent: 19 February 2007 07:28
To: freeradius-users@lists.freeradius.org
Subject: Installing Free radius 1.1.4 on Server Running Centos 4.4

Is there an easy step by step guide for beginners on installing Free Radius 1.1.4. on Centos 4.4? Have setup new Centos Server and now wanting to install Free Radius.

Regards,
David Willis
RE: The EAP Saga continues.
If you choose to use EAP-PEAP/MS-CHAPv2 you need 4 items:
1. A server certificate, signed by a Cert Authority serverCA

...not forgetting the relevant OID extensions peculiar to EAP-PEAP :-)

Josh.
RE: Expert Help Required
Hi Guys,

Currently I am using cistron radius

This is the FreeRADIUS list; you might have more luck at the Cistron list :-)

Josh.
RE: LAN accounting
I'm a newbie, I want to know whether I can use FreeRadius+Dialup_admin for LAN accounting? Does that mean I can use them without dialing?

the name dialup_admin is a bit misleading. You can as well manage LAN users with them. It's a generic user management system.

agree if RADIUS is used to authenticate users, but they're asking about accounting.

Besides there's no way to prevent connection to LAN switches with RADIUS

Yes - 802.1x

and restrict internal communication between local hosts.

Kinda - Dynamic VLAN allocation.

Josh.
RE: a freeradious/wireless solution for a school
(I'll bite to save Alan the déjà vu)

An attacker sets up a captive portal system that looks exactly the same as yours (spoof). Users can't distinguish between the two captive portals, and so some users inevitably enter their credentials into the spoof portal. These credentials can be used by the attacker to gain network access through the authorised portal, or whatever else they're authorised for.

josh.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tas Dionisakos
Sent: 23 January 2007 21:55
To: FreeRadius users mailing list
Subject: Re: a freeradious/wireless solution for a school

Please elaborate on how the system can be circumvented?

Tas.

[EMAIL PROTECTED] wrote:
Hi,

* Apache
* Freeradius
* Chillispot
* Mysql

though note that captive portals are easy to mitigate/spoof and circumvent

alan

--
* Tas Dionisakos
IT Manager
St Mary's College and Newman College
The University of Melbourne
T: 03 9342 1708
M: 0439 655 565
E: [EMAIL PROTECTED]
C: (0o ()() o0)
*