EAPOL with WinXP SP2 - long delay till Authentication starts off

2005-05-09 Thread Mark Wasmer
Hi,

I'm using EAP-TLS machine certificates for authentication and VLAN determination
against FreeRADIUS 1.0.2 over HP 2524 and Cisco 2950 as authenticator. When
connecting XP clients with machine certificates installed, it takes up to 60 seconds
or so until authentication starts. The delay with 2000 SP4 is slower; with
XSupplicant there is no delay.
I remember having read about a registry tweak for this XP delay problem, but I can't
find the source again, even with Google ;-)

Thank you,
 Mark Wasmer


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: HP 2524 won't use the VLAN-ID, why ???

2005-04-01 Thread Mark Wasmer
 mark at baeckerei-wasmer.de writes:

 --snip--users-File--
 #testuser   Service-Type == Framed-User
 # Tunnel-Media = IEEE-802,a
 # Tunnel-Private-Group-Id = 5,
 # Tunnel-Type = VLAN

 testuser   Service-Type == Framed-User
   Tunnel-Type += 13,
   Tunnel-Media += 6,
   Tunnel-Private-Group-Id += 5,

Whoops, I simply used the wrong syntax in the users file; this works now:

testuser
	Tunnel-Type:0 = VLAN,
	Tunnel-Medium-Type:0 = IEEE-802,
	Tunnel-Private-Group-Id:0 = 5



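The corrected entry above is FreeRADIUS's way of writing three tagged attributes from RFC 2868 (Tunnel-Type is attribute 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-Id 81; VLAN is Tunnel-Type value 13 and IEEE-802 is Tunnel-Medium-Type value 6, the numbers that appeared in the first attempt). The Python below is an added example written for this page, not code from the thread or from FreeRADIUS: it encodes those attributes as they travel in an Access-Accept, parses them back, and applies the rule a switch uses, namely that all three must be present under the same tag. The function names are the example's own; the attribute codes and enumeration values are from RFC 2868.

```python
# Added example, not code from the thread or from FreeRADIUS: encode and decode
# the three RFC 2868 tunnel attributes that carry a VLAN assignment in an
# Access-Accept, i.e. what the corrected users-file entry above produces.
import struct

# Attribute type codes and enumeration values from RFC 2868.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type = IEEE-802


def _check_tag(tag):
    # RFC 2868: a tag occupies one byte and may be 0 (unused) or 1..31.
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")


def encode_tagged_int(attr_type, tag, value):
    """Tagged integer attribute: tag byte + 24-bit big-endian value."""
    _check_tag(tag)
    if not 0 <= value <= 0xFFFFFF:
        raise ValueError("value must fit in 24 bits")
    body = bytes([tag]) + value.to_bytes(3, "big")
    return struct.pack("!BB", attr_type, 2 + len(body)) + body


def encode_tagged_string(attr_type, tag, text):
    """Tagged string attribute: tag byte + string (at most 253 value bytes)."""
    _check_tag(tag)
    body = bytes([tag]) + text.encode("ascii")
    if len(body) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(body)) + body


def vlan_assignment(vlan_id, tag=0):
    """Bytes for  Tunnel-Type:tag = VLAN, Tunnel-Medium-Type:tag = IEEE-802,
    Tunnel-Private-Group-Id:tag = vlan_id  (the users-file form above)."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def decode_attributes(data):
    """Parse a run of RADIUS attributes into (type, tag, value) tuples.
    For the string attribute a leading byte above 0x1F is data, not a tag."""
    out = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        body = data[pos + 2:pos + length]
        pos += length
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(body) != 4:
                raise ValueError("tagged integer must be 4 bytes")
            out.append((attr_type, body[0], int.from_bytes(body[1:], "big")))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if body and body[0] <= 0x1F:
                out.append((attr_type, body[0], body[1:].decode("ascii")))
            else:
                out.append((attr_type, None, body.decode("ascii")))
        else:
            out.append((attr_type, None, body))
    return out


def vlan_from_attributes(data):
    """Return the VLAN a switch would apply, or None. All three attributes must
    be present under the same tag and say VLAN over IEEE-802; otherwise the
    assignment is ignored, which is what a wrong or mixed tag looks like."""
    groups = {}
    for attr_type, tag, value in decode_attributes(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            groups.setdefault(tag, {})[attr_type] = value
    for group in groups.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in group):
            return group[TUNNEL_PRIVATE_GROUP_ID]
    return None


if __name__ == "__main__":
    raw = vlan_assignment(5)
    print(raw.hex())                   # 40060000000d41060000000651040035
    print(vlan_from_attributes(raw))   # 5
```

Running it prints the wire bytes for VLAN 5 and the VLAN recovered from them. Note that the earlier attempt's `Tunnel-Media` is not the attribute's dictionary name; the attribute is Tunnel-Medium-Type, exactly as the working entry spells it.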


Re: Freeradius documentation

2005-03-31 Thread Mark Wasmer
   And how about freeradius configuration and function description?

This reminds me of the response of the CA tool TinyCA when clicking on the
help button; the popup says "You are kidding, are you??" ;-)
There is none, so why not start something like a wiki (such as mediawiki.org)
for this purpose? I set up one for my internal use because I'm doing an
educational project like you with FreeRADIUS.




some trouble EAP-TLS with v1.0.2 on Debian

2005-03-28 Thread Mark Wasmer
Hello FreeRADIUS-users,
According to http://wapu.org/projects.php?id=freeradius-eaptls I have
built my own FreeRADIUS debs from the 1.0.2 sources, but:
--Snap Output freeradius -X--
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /etc/freeradius/certs2/[EMAIL PROTECTED]
 tls: certificate_file = /etc/freeradius/certs2/[EMAIL PROTECTED]
 tls: CA_file = /etc/freeradius/certs2/radiustest-cacert.pem
 tls: private_key_password = 
 tls: dh_file = /dev/urandom
 tls: random_file = /dev/urandom
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)
7681:error:0200100D:system library:fopen:Permission denied:bss_file.c:104:fopen('/etc/freeradius/certs2/radiustest-cacert.pem','r')
7681:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:109:
7681:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:274:
rlm_eap_tls: Error reading Trusted root CA list
rlm_eap: Failed to initialize type tls
radiusd.conf[9]: eap: Module instantiation failed.
--snap eap.conf-file--
tls {
	private_key_password =
	private_key_file = /etc/freeradius/certs2/[EMAIL PROTECTED]
	certificate_file = /etc/freeradius/certs2/[EMAIL PROTECTED]
	CA_file = /etc/freeradius/certs2/CA/radiustest-cacert.pem
	dh_file = /etc/freeradius/certs2/DH
	random_file = /etc/freeradius/certs2/random
	fragment_size = 1024
	include_length = yes
	# check_crl = yes
	#  check_cert_cn = %{User-Name}
}
--snap users-file--
testuser1 Service-Type == Framed-User
  Tunnel-Type += 13,
  Tunnel-Media += 6,
  Tunnel-Private-Group-Id += 10,
testuser2 Service-Type == Framed-User
  Tunnel-Type += 13,
  Tunnel-Media += 6,
  Tunnel-Private-Group-Id += 99,
I've created the certificates several times according to
http://www.ccc.de/congress/2004/fahrplan/files/100-sicherheit-fuer-hostap-wlans-paper.pdf
with TinyCA; they also used FreeRADIUS with EAP-TLS.
Thank you very much for every help!
Mark Wasmer


Re: some trouble EAP-TLS with v1.0.2 on Debian

2005-03-28 Thread Mark Wasmer
Hello FreeRADIUS-users,
7681:error:0200100D:system library:fopen:Permission denied:bss_file.c:104:fopen('/etc/freeradius/certs2/radiustest-cacert.pem','r')
7681:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:109:
7681:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:274:
rlm_eap_tls: Error reading Trusted root CA list
rlm_eap: Failed to initialize type tls
radiusd.conf[9]: eap: Module instantiation failed.
After testing the same with the freeradius-certs test files I got
similar errors, which was strange.
So I simply did a chmod -R 777 * on my own cert directory and now it
seems to work. The server starts up without a hitch :-)
Thank you very much for every help!
Mark Wasmer
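chmod -R 777 gets the server past the fopen error, but it also leaves the private key readable and writable by every local account on the box. The Python below is an added example written for this page, not code from the thread or from FreeRADIUS: it checks the three files eap.conf names (private_key_file, certificate_file, CA_file) for readability by the uid/gid the daemon runs as, checks that every parent directory carries the search bit (a certs2 directory without it yields exactly the "Permission denied" from fopen seen in the debug output, even when the file itself is 0644), and flags a private key that is group- or world-accessible. The uid/gid, the file names and the temporary directory it builds are assumptions of the example; the least-privilege fix for the real directory is to chown the files to the account radiusd runs as and set the key to 0600.

```python
# Added example, not code from the thread or from FreeRADIUS: check the files
# that eap.conf names for readability by the unprivileged uid/gid the daemon
# runs as, instead of loosening the whole directory with chmod -R 777.
import os
import stat
import tempfile


def _can_read(st, uid, gid):
    """Owner bits apply to the owner, group bits to the group, else other bits."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def _can_traverse(st, uid, gid):
    """Same rule for the execute (search) bit on a directory."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)


def audit_tls_files(private_key, certificate, ca_file, uid, gid):
    """Return a list of findings; an empty list means the layout is sound.
    Plain mode bits only (no ACLs, no root override), which is enough to
    explain an EACCES from fopen() at server start."""
    findings = []
    for label, path in (("private_key_file", private_key),
                        ("certificate_file", certificate),
                        ("CA_file", ca_file)):
        path = os.path.abspath(path)
        # open() needs the search bit on every ancestor directory, even when
        # the file itself is readable.
        parent = os.path.dirname(path)
        while True:
            try:
                dst = os.stat(parent)
            except FileNotFoundError:
                findings.append(f"{label}: directory {parent} does not exist")
                break
            if not _can_traverse(dst, uid, gid):
                findings.append(f"{label}: directory {parent} not traversable by uid {uid}/gid {gid}")
            if parent == os.path.dirname(parent):   # reached the root
                break
            parent = os.path.dirname(parent)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append(f"{label}: {path} does not exist")
            continue
        if not _can_read(st, uid, gid):
            findings.append(f"{label}: {path} not readable by uid {uid}/gid {gid}")
        if label == "private_key_file" and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{label}: {path} is group/world accessible "
                            f"(mode {oct(stat.S_IMODE(st.st_mode))})")
    return findings


def current_ids():
    """uid/gid of the calling process, for exercising the audit locally."""
    return os.getuid(), os.getgid()


def constructed_layout(key_mode=0o644, cert_mode=0o644, ca_mode=0o644):
    """Build a throwaway certs directory with placeholder files (constructed
    sample input, not real key material) and return its three paths."""
    d = tempfile.mkdtemp(prefix="certs2-")
    paths = [os.path.join(d, n) for n in ("server-key.pem", "server-cert.pem", "cacert.pem")]
    for p, mode in zip(paths, (key_mode, cert_mode, ca_mode)):
        with open(p, "w") as fh:
            fh.write("placeholder, not real PEM\n")
        os.chmod(p, mode)
    return tuple(paths)


if __name__ == "__main__":
    key, cert, ca = constructed_layout()
    uid, gid = current_ids()
    for line in audit_tls_files(key, cert, ca, uid, gid):
        print(line)   # the 0644 key is reported as group/world accessible
```

Run it with the uid/gid of the radiusd account (from the daemon's user/group settings in radiusd.conf) against the real paths to see which of the three files, or which directory on the way to them, the daemon cannot open. Independently of permissions, the freeradius -X output in the earlier message lists CA_file = /etc/freeradius/certs2/radiustest-cacert.pem and dh_file = /dev/urandom, while the pasted eap.conf has certs2/CA/radiustest-cacert.pem and certs2/DH, so the daemon was evidently reading a different configuration than the one shown; confirming which eap.conf is loaded is worth doing before touching modes at all.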




Re: FreeRADIUS for VLAN-assignment auth. via WinNT-PDC

2005-03-16 Thread Mark Wasmer
| EAP/MD5 is the only way for WinNT as far as I know. MD5 hash is transferred
| over the net, so no plaintext passwords on the line.
Seems I misunderstood the method, so EAP-MD5 will work fine for me :-)
| SMB experimental yes.
I'll give it a try.
| Well, I could not imagine how WinNT could deliver VLANs since this
| information is not stored in WinNT user profiles. Perhaps you have to use
| realms to link user groups to VLANs. Only the username part is forwarded to
| WinNT. The username could look like [EMAIL PROTECTED]
Wouldn't this be insecure? The users would be able to define themselves
which VLAN they join, if I understand you correctly. This is not
intended. Even so, how do I tell FreeRADIUS to strip the
@vlan-group part of the username and use it as VLAN identifier?
Greetings
Mark Wasmer


FreeRADIUS for VLAN-assignment auth. via WinNT-PDC

2005-03-15 Thread Mark Wasmer
Hello FreeRADIUS-users,
I have to set up a FreeRADIUS server to authenticate notebooks and PCs
(Win2000, WinXP, Linux) via the existing Windows NT PDC (to be
replaced with Server 2003 sometime) and add them to their matching VLAN
(using HP 2524 switches).
Can someone give me a few hints on what might be the best way to do this?
Due to the lack of consistent documentation I can't see how to move on.

The urgent questions in detail:
1. The Windows NT server is not allowed to deliver plaintext passwords,
so which authentication protocol should be used? EAP-MD5 would be fine,
but does it work without plaintext passwords?

2. How to get the passwords from the PDC at all? I've read about
rlm_smb (which is not included in the Debian Sarge package used),
ntlm_auth, winbindd, PAM_winbind and the SMB method described in
experimental.conf *phew* ???

3. If the things above work, how to define which user belongs to which
VLAN and get RADIUS to tell this to the authenticator?

4. And finally, how to set up a centralized/convenient administration
method for the whole thing which makes it easy to add/delete users?

Thank you very much for every help!
 Mark Wasmer