EAPOL with WinXP SP2 - long delay till Authentication starts off
Hi, I'm using EAP-TLS machine certificates for authentication and VLAN determination against freeradius 1.0.2, with an HP 2524 / Cisco 2950 as authenticator. When connecting XP clients with machine certificates installed, it takes up to 60 sec or so until authentication starts. The delay with 2000 SP4 is slower; with XSupplicant there is no delay. I remember having read a registry tweak for this XP delay problem, but can't find the source again, even with Google ;-)

Thank you, Mark Wasmer

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: HP 2524 won't use the VLAN-ID, why ???
mark at baeckerei-wasmer.de writes:

--snip--users-File--
#testuser Service-Type == Framed-User
# Tunnel-Media = IEEE-802,a
# Tunnel-Private-Group-Id = 5,
# Tunnel-Type = VLAN
testuser Service-Type == Framed-User
	Tunnel-Type += 13,
	Tunnel-Media += 6,
	Tunnel-Private-Group-Id += 5,

Whoops, I simply used the wrong syntax in the users file; this works now:

testuser Tunnel-Type:0 = VLAN,
	Tunnel-Medium-Type:0 = IEEE-802,
	Tunnel-Private-Group-Id:0 = 5
Re: Freeradius documentation
And how about FreeRADIUS configuration and function description? This reminds me of the response of the CA tool TinyCA when clicking on the help button; the following popup says "You are kidding, are you??" ;-) There is none. Why not start something like a Wiki (such as mediawiki.org) for this purpose? I set up one for my internal use because I'm doing an educational project like you with FreeRADIUS.
some trouble EAP-TLS with v1.0.2 on Debian
Hello FreeRADIUS-users,

According to http://wapu.org/projects.php?id=freeradius-eaptls I have built my own FreeRADIUS debs from the 1.0.2 sources, but:

--Snap Output freeradius -X--
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = (null)
tls: pem_file_type = yes
tls: private_key_file = /etc/freeradius/certs2/[EMAIL PROTECTED]
tls: certificate_file = /etc/freeradius/certs2/[EMAIL PROTECTED]
tls: CA_file = /etc/freeradius/certs2/radiustest-cacert.pem
tls: private_key_password =
tls: dh_file = /dev/urandom
tls: random_file = /dev/urandom
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = (null)
7681:error:0200100D:system library:fopen:Permission denied:bss_file.c:104:fopen('/etc/freeradius/certs2/radiustest-cacert.pem','r')
7681:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:109:
7681:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:274:
rlm_eap_tls: Error reading Trusted root CA list
rlm_eap: Failed to initialize type tls
radiusd.conf[9]: eap: Module instantiation failed.

--snap eap.conf-file--
tls {
	private_key_password =
	private_key_file = /etc/freeradius/certs2/[EMAIL PROTECTED]
	certificate_file = /etc/freeradius/certs2/[EMAIL PROTECTED]
	CA_file = /etc/freeradius/certs2/CA/radiustest-cacert.pem
	dh_file = /etc/freeradius/certs2/DH
	random_file = /etc/freeradius/certs2/random
	fragment_size = 1024
	include_length = yes
	# check_crl = yes
	# check_cert_cn = %{User-Name}
}

--snap users-file--
testuser1 Service-Type == Framed-User
	Tunnel-Type += 13,
	Tunnel-Media += 6,
	Tunnel-Private-Group-Id += 10,
testuser2 Service-Type == Framed-User
	Tunnel-Type += 13,
	Tunnel-Media += 6,
	Tunnel-Private-Group-Id += 99,

I've created the certificates several times according to http://www.ccc.de/congress/2004/fahrplan/files/100-sicherheit-fuer-hostap-wlans-paper.pdf with TinyCA; they also used FreeRADIUS with EAP-TLS.

Thank you very much for any help!

Mark Wasmer
Re: some trouble EAP-TLS with v1.0.2 on Debian
Hello FreeRADIUS-users,

7681:error:0200100D:system library:fopen:Permission denied:bss_file.c:104:fopen('/etc/freeradius/certs2/radiustest-cacert.pem','r')
7681:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:109:
7681:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:274:
rlm_eap_tls: Error reading Trusted root CA list
rlm_eap: Failed to initialize type tls
radiusd.conf[9]: eap: Module instantiation failed.

After testing the same with the freeradius certs test files I got similar errors, which was strange. So I simply did a chmod -R 777 * on my own cert directory and now it seems to work. The server starts up without a hitch :-)

Thank you very much for any help!

Mark Wasmer
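The "Permission denied" on the CA file above is a permissions problem, and it can be solved without making the certificate directory world-writable. The following is an added example, not code from the list or from the FreeRADIUS project: it checks a certificate directory for modes that expose files to "other" (or private keys to the group) and tightens them to owner/group only. The daemon account "root:freerad" and the assumption that private-key filenames contain "key" are assumptions for this example; it builds a constructed temporary tree mimicking the certs2/ layout so it runs anywhere without touching /etc/freeradius.

```shell
#!/bin/sh
# Added example (not from the list post): least-privilege modes for a
# FreeRADIUS certificate directory instead of "chmod -R 777".
# Assumptions: the daemon runs as root:freerad (check with ps), and private
# key filenames contain "key". The demo tree below is constructed.

# Succeed only if nothing under $1 is readable or writable by "other"
# and no private key file is readable by the group.
check_cert_perms() {
    dir="$1"
    [ -z "$(find "$dir" \( -perm -004 -o -perm -002 \) -print)" ] || return 1
    [ -z "$(find "$dir" -type f -name '*key*' -perm -040 -print)" ] || return 1
    return 0
}

# Directories 750, certificates 640 (group may read), keys 600.
# chown needs root; when it fails the current owner is kept.
fix_cert_perms() {
    dir="$1"; owner="$2"
    chown -R "$owner" "$dir" 2>/dev/null || true
    find "$dir" -type d -exec chmod 750 {} +
    find "$dir" -type f -exec chmod 640 {} +
    find "$dir" -type f -name '*key*' -exec chmod 600 {} +
}

# Build a constructed demo tree in the wide-open state from the post
# and print its path.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/CA"
    printf 'constructed CA cert\n' > "$d/CA/radiustest-cacert.pem"
    printf 'constructed private key\n' > "$d/server-key.pem"
    chmod -R 777 "$d"
    printf '%s\n' "$d"
}

demo=$(make_demo_tree)
if check_cert_perms "$demo"; then echo "unexpected: tree already tight"; fi
fix_cert_perms "$demo" root:freerad
if check_cert_perms "$demo"; then echo "permissions tightened under $demo"; fi
rm -rf "$demo"
```

For the real directory, run it as root against /etc/freeradius/certs2 and restart the server with freeradius -X to confirm the CA file now loads.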
Re: FreeRADIUS for VLAN-assignment auth. via WinNT-PDC
| EAP/MD5 is the only way for WinNT as far as I know. MD5 hash is transferred
| over the net, so no plaintext passwords on the line.

Seems I misunderstood the method, so EAP-MD5 will work fine for me :-)

| SMB experimental yes.

I'll give it a try.

| Well, I could not imagine how WinNT could deliver VLANs since these
| information is not stored in WinNT user profiles. Perhaps you have to use
| realms to link user groups to VLANs. Only the username part is forwarded to
| WinNT. The username could look like [EMAIL PROTECTED]

Wouldn't this be insecure? The users would be able to define themselves which VLAN they join, if I understand you correctly. This is not intended. Even so, how do I tell FreeRADIUS to strip the @vlan-group part of the username and use it as VLAN identifier?

Greetings

Mark Wasmer
FreeRADIUS for VLAN-assignment auth. via WinNT-PDC
Hello FreeRADIUS-users,

I have to set up a FreeRADIUS server to authenticate notebooks and PCs (Win2000, WinXP, Linux) via the existing Windows-NT PDC (will be replaced with Server 2003 sometime) and add them to their matching VLAN (using HP 2524 switches). Can someone give me a few hints on what might be the best way to do this? Due to the lack of consistent documentation I can't see how to move on. The urgent questions in detail:

1. The Windows-NT server is not allowed to deliver plaintext passwords, so which authentication protocol should be used? EAP-MD5 would be fine, but does it work without plaintext passwords?
2. How to get the passwords from the PDC at all? I've read about rlm_smb (but it is not included in the Debian Sarge package used), ntlm_auth, winbindd, PAM_winbind and the SMB method described in experimental.conf *puh* ???
3. If the things above work, how to define which user belongs to which VLAN and get RADIUS to tell this to the authenticator?
4. And finally, how to set up a centralized/convenient administration method for the whole thing which makes it easy to add/delete users?

Thank you very much for any help!

Mark Wasmer
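For question 3, and as a way to keep VLAN membership under the administrator's control rather than in the username (the concern raised in the reply earlier on this page), here is an added example that is not from the list or from the FreeRADIUS project: it generates users-file entries from an admin-maintained "user vlan" mapping, using the Tunnel-Type:0 / Tunnel-Medium-Type:0 / Tunnel-Private-Group-Id:0 syntax that worked in the HP 2524 reply above. It also refuses VLAN IDs outside 1-4094 and usernames containing characters such as "@", so a realm suffix cannot sneak into the mapping. The mapping itself is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the list posts): build FreeRADIUS 1.x "users"
# entries for per-user VLAN assignment from an admin-maintained mapping,
# using the Tunnel-* syntax that worked in the reply above.

# Constructed sample mapping: one "username vlan_id" pair per line.
VLAN_MAP='testuser 5
alice 10
bob 99'

# Print one users-file entry for $1 (user) and $2 (VLAN id), or return 1
# if the VLAN id is not a number in 1..4094 or the username contains
# anything outside [A-Za-z0-9._-] (so "user@vlan" style names are refused).
users_entry() {
    user="$1"; vlan="$2"
    case "$vlan" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$vlan" -ge 1 ] && [ "$vlan" -le 4094 ] || return 1
    case "$user" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s\tService-Type == Framed-User\n' "$user"
    printf '\tTunnel-Type:0 = VLAN,\n'
    printf '\tTunnel-Medium-Type:0 = IEEE-802,\n'
    printf '\tTunnel-Private-Group-Id:0 = %s\n\n' "$vlan"
}

# Emit entries for every mapping line; bad lines are reported on stderr
# and skipped instead of silently producing a broken users file.
build_users_file() {
    printf '%s\n' "$VLAN_MAP" | while read -r user vlan; do
        users_entry "$user" "$vlan" || echo "skipped bad entry: $user $vlan" >&2
    done
}

build_users_file
```

Redirect the output into the users file (or an included file) and restart with freeradius -X; the reply attributes should then appear in the Access-Accept shown in the debug output.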