FreeRadius around the world
Hi everyone!! I have a question really important for my personal researches. Do you know how many or which entreprises work today with freeRadius? Are there any banks or security entreprises? Thank you for your answers. Juan Daniel MORENO - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
EAP Fast
Hi, I would like to know if EAP FAST is accepted by freeRadius or if it's under development. If it is under development, when will it be available? Thank you, Juan Daniel MORENO - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Problem with OpenSSL functions
Hi, I would like to ask you (experienced people) something. I'm using freeradius 1.0.4 and I have a message of 48 bytes long (a premaster secret) generated with the random function of openssl. This message has to be "public_encrypted" and sent to a radius server. Nevertheless, when I use the RSA_public_encrypt() function this encrypts the message of 48 bytes and generates a 64 bytes encrypted message. Normally this functions like this; but as I sent this "encrypted message" to the server, the server responds me: "tls rsa encrypted value length is wrong". This means that the message is well generated but not well encrypted. Can any of you tell me please how can I fix this problem? Knowing that the RSA public key is 64 bytes long, is it normal that the encrypted message is 64 bytes long too? Do you know another openSSL function that "public_encrypts" a message? Thank you, Juan Daniel MORENO - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
TLS Question
Hi,
I'm using freeRadius 1.0.4 and I would like to know something about tls config.
When I launch radius en debug mode I get this messages:
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/raddb/certs/juan/key.key"
tls: certificate_file = "/etc/raddb/certs/juan/cert.cert"
tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/etc/raddb/certs/dh"
tls: random_file = "/etc/raddb/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = yes
tls: check_cert_cn = "%{User-Name}"
but I would like to know how to change some parameters (like
rsa_key_exchange = yes) and, even more important, if the
rsa_key_length is given in Bytes or bits. Does it mean that the
certificate length changes in function of this rsa_key_length?
Thank you, Juan Daniel MORENO
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
TLS establishment
Hi, It's me again with my little problem. I have freeRadius 1.0.4 and I work at this moment with PEAP protocol. I have generated a certificate with a 128 byte length key. This is the server's certificate. The certificate is sent by the server, with server hello end to establish the TLS. By my part I send a Client_Key_exchange and a finished message, but the server responds me that the length is wrong. The finished message (as you see) is 128 length (the size of the server's public key). Can anybody help me please? I am really lost with this!! The freeRadis -X responses: rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept:error in SSLv3 read client key exchange A 6918:error:1408B0EA:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:tls rsa encrypted value length is wrong:s3_srvr.c:1450: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. In SSL Handshake Phase In SSL Accept mode rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails. eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED rlm_eap: Freeing handler Juan Daniel MORENO - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: SSL3_GET_CLIENT_KEY_EXCHANGE
>Juan Daniel Moreno <[EMAIL PROTECTED]> wrote: >> Thank you Alan, but now I have a new problem. I have been reading the >> src/modules/rlm_eap/ to understand my problem but I don't find the >> issue. In TLS establishment, the public key in the server.cert is 128 >> bytes length. I generate a random string of 46 bytes and the protocol >> version (TLS 1.0 (0x03, 0x01)) and I use the SSL function >> RSA_public_encrypt() with server's public key to encrypt the >> PreMasterSecret. As a result I get a 128 length string. As I send this >> data to the server, I get a "tls rsa encrypted length is wrong: >> s3_srvr.c: 1450:" > I have no idea what the problem is, sorry. >Alan DeKok. Can you please tell me the client's exchange packet form the server is attempting? How is it calculated? Or, can you show me a typical byte suite from this message? (I hope you understand me) Tank you. Juan Daniel MORENO - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: SSL3_GET_CLIENT_KEY_EXCHANGE
>
> The protocol specification describes this. The implementation in
> src/modules/rlm_eap/ contains diagrams of the packets it expects to
> receive.
>
> Alan DeKok.
>
>
Thank you Alan, but now I have a new problem. I have been reading the
src/modules/rlm_eap/ to understand my problem but I don't find the
issue. In TLS establishment, the public key in the server.cert is 128
bytes length. I generate a random string of 46 bytes and the protocol
version (TLS 1.0 (0x03, 0x01)) and I use the SSL function
RSA_public_encrypt() with server's public key to encrypt the
PreMasterSecret. As a result I get a 128 length string. As I send this
data to the server, I get a "tls rsa encrypted length is wrong:
s3_srvr.c: 1450:"
Can anybody please tell me where can be my problem? Here is my code
for exemple.
void Client_Key_Exchange (SSLData *ClientSSLData, unsigned short
*length, char *HandshakeMessages, unsigned short *length_Hndshk, char
*buff)
{
char *PreMasterSecret = (char*) _MEMORY_Allocate (58 ,
true);
char *EncryptedPreMasterSecret = (char*) _MEMORY_Allocate (128, true);
char *temp = (char*) _MEMORY_Allocate
(58 , true);
unsigned char *tmpCert= _MEMORY_Allocate
(ClientSSLData->certificate_len + 128, true);
_RANDOM_MakeCharString (temp, 46);
PreMasterSecret [0] = 0x03;
PreMasterSecret [1] = 0x01;
for (register int i = 0; i<46; i++)
{
PreMasterSecret[i+2]= temp [i];
ClientSSLData->PreMasterSecret[i] = PreMasterSecret[i];
}
for (i = 0; i < ClientSSLData->certificate_len; i++)
tmpCert[i] =(unsigned char) ClientSSLData->certificate[i];
//- OpenSSL Functions -
RSA *server_public_key;
X509 *cert = X509_new ();
EVP_PKEY *evp = EVP_PKEY_new ();
X509 *err = d2i_X509 (&cert, (unsigned char**) &tmpCert,
(ClientSSLData->certificate_len) );
//- d2i_509 Function retrives tmpCert pointer advanced the number
of bytes read -
tmpCert = tmpCert - (ClientSSLData->certificate_len);
//- We get the public key from the Server certificate -
evp = X509_get_pubkey(cert);
server_public_key = (RSA *) evp->pkey.ptr;
int rsasize = RSA_size(server_public_key);
//- We get the PreMasterSecret encrypted -
int Encrypted_len = RSA_public_encrypt(48, (BYTE*) PreMasterSecret,
(unsigned char*)EncryptedPreMasterSecret, server_public_key,
RSA_PKCS1_PADDING);
ClientSSLData->bufferSSL[(*length)++] = 0x16; // Handshake
Message
ClientSSLData->bufferSSL[(*length)++] = 0x03; // Version
ClientSSLData->bufferSSL[(*length)++] = 0x01; // Version
ClientSSLData->bufferSSL[(*length)++] = (Encrypted_len + 6) / 256;
// Length
ClientSSLData->bufferSSL[(*length)++] = (Encrypted_len + 6) % 256;
// Length
ClientSSLData->bufferSSL[(*length)++] = 0x10; // Client key
exchange
ClientSSLData->bufferSSL[(*length)++] = 0x00;
// Length
ClientSSLData->bufferSSL[(*length)++] = (Encrypted_len ) / 256;
// Length
ClientSSLData->bufferSSL[(*length)++] = (Encrypted_len ) % 256;
// Length
//- Public key exchange -
for (i = 0; i < Encrypted_len; i++)
{
buff[i] = EncryptedPreMasterSecret[i];
HandshakeMessages[(*length_Hndshk)++] =
EncryptedPreMasterSecret[i];
}
free (PreMasterSecret);
free (EncryptedPreMasterSecret);
free (temp);
free (tmpCert);
}
Thank you for your help. Juan Daniel MORENO
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
SSL3_GET_CLIENT_KEY_EXCHANGE
Hi everyone, I have a problem and I would like to ask you what to do. My problem is with PEAP protocol when I send the Client_Key_Exchange. FreeRadius 1.0.4 server tells me: SSL3_GET_CLIENT_KEY_EXCHANGE: tls rsa encrypted value length is wrong: s3_srvr.c: 1450: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. I am using OpenSSL libraries and everything seems to work (the key is found by the X509_get_pubkey). And I send all this data with RSA_public_encrypt(). I don't know what I'm doing wrong. Please help me! THANKS, JUAN - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
PEAP Protocol
Hi everyone, I have a little problem with freeradius 1.0.4. It's maybe something I don't understand but I really need help. With PEAP protocol, I have a user test with its own password. The first 8 packets are fine but as I send the 9th, radius says Length in packet header doesn't match actual length. Does it means that the length in the first packet (when I send a two packets certificate) is greater or less than in second packet? Or is just the header length in this very packet? Thank you four your help. Juan Daniel MORENO - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
PEAP Public_key_exchange padding
Hi, I am using a freeRadius 1.0.4 and I would like to know something about client_key_exchange(). Into this function it is necessary to specify a padding system that the server accepts. My question is, which of these paddings: RSA_PKCS1_PADDING RSA_PKCS1_OAEP_PADDING RSA_SSLV23_PADDING RSA_NO_PADDING is accepted by freeRadius 1.0.4? Thank you very much. Juan Daniel MORENO - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Radius PEAP protocol
Hi everyone, I am trying to create a client's interface for Radius PEAP protocol. The server has donne all I wonder it to do, but now I have a question about the finish handshake message I have to send. When I get the server's cetificate, I get a public key too. I have to "public-key-encrypt" a PreMasterSecret that is a vector of 46 random bytes and the tls version (1.0). My question is how can I do that. Am I obliged to get the ssl libraries to "public-key-encrypt" this packet? Thank you for any complemetary information. Juan Daniel MORENO - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
LEAP Protocol
Hi everyone, is me again!! I have a question about freeradius 1.0.4. With LEAP protocol, the last packet sent by the server has a "leap-session-key". Does anybody knows how this key is generated? Thank you very much!!! Juan Daniel MORENO - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
PEAP TLS establishment and certificates
Hi everyone, I would like to configure a freeradius 1.0.4 with PEAP protocol and OpenSSL certificates. My first question is where should I place the generated certificates with Openssl? As I am developing a client's interface, can anybody tell me how to "create" the Client_Hello packet? Thank you very much!! Juan Daniel MORENO - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
EAP OTP
Hello everyone, I am interested in EAP protocols with OTP (one time password). I would like to configure my freeradius 1.0.4 to be able to authenticate passwords which has been created with Shawan's method and an external key. Can anybody help me? Thank you, Juan Daniel MORENO - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
PEAP Configuration
Hello, I am trying to configure PEAP protocol with my freeRadius 1.0.4. I have already configured PAP, CHAP, MS-CHAP v1, MS-CHAP v2, EAP-md5, LEAP but I really don't understand the documentations about it. Can anybody help me? Thanks a lot. JUAN DANIEL MORENO - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
LEAP and PEAP protocols
Hi everybody again, I would like to know if any of you has somme information about LEAP and PEAP protocols. Does any RFC about them exist? I find nothing in the net. Thanks you!!! Juan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Message without subject. EAP-MD5
Sorry for my last message without subject. I've already repared my problem. I had put in my users file: "test" User-Password := password # Auth-Type = Local Reply-Message = "Hello, %u" and this Reply-Message (which is included in users file as an example) was the reason for my server to don't work. I've only commented this line and the server functions again. Thank you!!! I will ask you something about LEAP protocol soon . - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
(no subject)
I am doing a client interface for radius authentication. To test my progress I have installed a freeradius 1.0.4 in a SuSe 9.3. I have configured almost all of the protocols (PAP, CHAP, MS-CHAPv1, MS-CHAPv2), but wen I tried to configure EAP-MD5 I had a lot of problems, like "not password found", etc. I changed somethings in my program, then I tested it with WinRadius and it functionned; but when I tested it with my freeradius it didn't function. I would like to know how to configure my freeradius 1.0.4 so it function with EAP-MD5. I send you the error messages in "./radiusd -xxyz -l stdout": rad_recv: Access-Request packet from host 192.168.2.63:1594, id=80, length=55 --- Walking the entire request list --- Cleaning up request 7 ID 97 with timestamp 42fb4a13 Waking up in 31 seconds... Thread 4 got semaphore Thread 4 handling request 8, (2 handled so far) User-Name = "test" EAP-Message = 0x025200090174657374 Message-Authenticator = 0x3ad1dba850a6555f55e323c808b2acd0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 modcall[authorize]: module "preprocess" returns ok for request 8 users: Matched entry test at line 91 modcall[authorize]: module "files" returns ok for request 8 modcall[authorize]: module "chap" returns noop for request 8 modcall[authorize]: module "mschap" returns noop for request 8 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 8 rlm_eap: EAP packet type response id 82 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 8 modcall: group authorize returns updated for request 8 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: EAP Identity rlm_eap: processing type md5 rlm_eap_md5: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 8 modcall: group authenticate returns handled for request 8 Sending Access-Challenge of id 80 to 192.168.2.63:1594 Reply-Message = "Hello, %u" EAP-Message = 0x015300160410f37740423ba2a90d29911e943424e5a3 Message-Authenticator = 0x State = 0x78773e2f34d4b5159977be0ef3156654 Finished request 8 Going to the next request Thread 4 waiting to be assigned a request rad_recv: Access-Request packet from host 192.168.2.63:1594, id=80, length=88 Waking up in 31 seconds... Thread 5 got semaphore Thread 5 handling request 9, (2 handled so far) User-Name = "test" EAP-Message = 0x0253001804105060ab97739328de2b67fa7930d8633e0008 State = 0x78773e2f34d4b5159977be0ef3156654 Message-Authenticator = 0x3ebc35a4d37c84a293d3a3d4eb0a21fb Processing the authorize section of radiusd.conf modcall: entering group authorize for request 9 modcall[authorize]: module "preprocess" returns ok for request 9 users: Matched entry test at line 91 modcall[authorize]: module "files" returns ok for request 9 modcall[authorize]: module "chap" returns noop for request 9 modcall[authorize]: module "mschap" returns noop for request 9 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 9 rlm_eap: EAP packet type response id 83 length 24 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 9 modcall: group authorize returns updated for request 9 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 9 rlm_eap: Request found, released from the list rlm_eap: EAP/md5 rlm_eap: processing type md5 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 9 modcall: group authenticate returns reject for request 9 auth: Failed to validate the user. Delaying request 9 for 1 seconds Finished request 9 Going to the next request Thread 5 waiting to be assigned a request --- Walking the entire request list --- Sending Access-Reject of id 80 to 192.168.2.63:1594 EAP-Message = 0x04530004 Message-Authenticator = 0x Reply-Message = "Hello, %u" Cleaning up request 9 ID 80 with timestamp 42fb4a30THANK YOU! - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
EAP md5
Hi everyone, I'm having a problem with freeradius 1.0.4 configuration. I configured it to work with PAP, CHAP, MS-CHAPv1, and MS-CHAPv2. Now I would like to work with EAP-MD5 but I have always the same response: rad_recv: Access-Request packet from host 192.168.2.63:1108, id=65, length=88 Waking up in 31 seconds... Thread 1 got semaphore Thread 1 handling request 5, (2 handled so far) User-Name = "juan" EAP-Message = 0x025700180410b8c3ecb73fe2a82ab50152301561f65f0008 State = 0x36f19352ad8e53da9ad68e321a2a1a81 Message-Authenticator = 0x676a955991b9dcdee684a339aa8420c2 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "chap" returns noop for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "juan", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 87 length 24 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 users: Matched entry juan at line 93 modcall[authorize]: module "files" returns ok for request 5 modcall: group authorize returns updated for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/md5 rlm_eap: processing type md5 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 5 modcall: group authenticate returns reject for request 5 auth: Failed to validate the user. Delaying request 5 for 1 seconds Finished request 5 Going to the next request Thread 1 waiting to be assigned a request --- Walking the entire request list --- Sending Access-Reject of id 65 to 192.168.2.63:1108 EAP-Message = 0x04570004 Message-Authenticator = 0x Reply-Message = "Hello, %u" I really don't know what to do. I'm almost sure it's the radiusd.conf or eap.con files. Can anybody help me?? Thank you!! - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
