Re: 802.1x authentication
hi,

gary (gary.y...@browan.com) [11.10.13 09:21] wrote:
> Hi All
> I am trying to set up 802.1x with EAP PEAP/TTLS method by using the Intel PROSet client tool with the PC. Sometimes authentication succeeds but mostly it fails. Log attached; could someone give me some direction? Thanks a lot.

looks like the problem i faced too
have a look at thread "EAP-TLS + Symbian = weird behaviour" here in ml

--
Zeus V. Panchenko
JID:z...@gnu.org.ua GMT+2 (EET)
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
802.1x authentication
Hi All

I am trying to set up 802.1x with EAP PEAP/TTLS method by using the Intel PROSet client tool with the PC. Sometimes authentication succeeds but mostly it fails. Log attached; could someone give me some direction? Thanks a lot.

Best Regards
Gary

[root@gary ~]# radiusd -X
FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Jul 19 2011 at 18:23:21
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
[attached radiusd -X startup output: the list of included configuration files and the main { } settings, cut off before any request is processed]
Re: 802.1x authentication
gary wrote:
> Hi All
> I am trying to set up 802.1x with EAP PEAP/TTLS method by using the Intel PROSet client tool with the PC. *Sometimes authentication succeeds but mostly it fails.* Log attached; could someone give me some direction? Thanks a lot.

Read it.

WARNING: !!
WARNING: !! EAP session for state 0x6097435463935ad2 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!

This is documented in lots of places.

Alan DeKok.
How Can I use local /etc/passwd users for 802.1x authentication
Hello;

I need to authenticate local /etc/passwd users with FreeRadius for wired and wireless network 802.1x authentication. Is it possible? Or I can migrate all local users to an LDAP server; in this case, is it possible? Because I dare say 802.1x authentication does not work correctly with encrypted passwords on LDAP? Could you please give information about this issue?

Thank you,
Akocak.
Re: FreeRadius/eDirectory/802.1X authentication issue
> See why I say I don't know a whole lot about how all this works?? :) So it sounds like I don't even need LDAP, but it's helpful for at least

I know it is possible to use EAP-TLS, and then use some attribute from the certificate and query LDAP about it. If that's the case in your configuration, you should be able to see that from the config files in your $raddb directory. You can post the config if you have questions.

Matt

On Wed, Jun 11, 2008 at 6:44 PM, Newall, Bryce [EMAIL PROTECTED] wrote:
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:freeradius-users- [EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: Wednesday, June 11, 2008 10:30 AM
> To: FreeRadius users mailing list
> Subject: Re: FreeRadius/eDirectory/802.1X authentication issue
>
>>> We need to have FreeRADIUS speak LDAP with Novell eDirectory, and be able to authenticate wireless clients using EAP-TLS (or even EAP-TTLS, but we're using TLS right now).
>>
>> Er... EAP-TLS means that it won't normally do user lookups in LDAP.
>
> See why I say I don't know a whole lot about how all this works?? :) So it sounds like I don't even need LDAP, but it's helpful for at least testing the RADIUS configuration with a program like NTRadPing to make sure it's working correctly before jumping into the EAP-TLS setup.
>
>> And you should upgrade to 2.0.5. It makes 1.1.0 look as bad as IAS.
>
> SLES 10 SP2 still ships with FreeRADIUS 1.1.0. Go figure. Any suggestions as to where to find some good HOWTO docs? I went through the FreeRADIUS Wiki, but it wasn't very complete.
>
> Thanks!
>
> Bryce Newall
> Systems Administrator
> Poway Unified School District
> (858) 679-2576
> [EMAIL PROTECTED]
RE: FreeRadius/eDirectory/802.1X authentication issue
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:freeradius-users- [EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: Wednesday, June 11, 2008 1:14 PM
> To: FreeRadius users mailing list
> Subject: Re: FreeRadius/eDirectory/802.1X authentication issue
>
> Newall, Bryce wrote:
>> See why I say I don't know a whole lot about how all this works?? :) So it sounds like I don't even need LDAP, but it's helpful for at least testing the RADIUS configuration with a program like NTRadPing to make sure it's working correctly before jumping into the EAP-TLS setup.
>
> Yes.

Dumb question perhaps, but without configuring LDAP, how does EAP-TLS know where to send authentication requests?

Bryce Newall
Systems Administrator
Poway Unified School District
(858) 679-2576
[EMAIL PROTECTED]
RE: FreeRadius/eDirectory/802.1X authentication issue
> Dumb question perhaps, but without configuring LDAP, how does EAP-TLS know where to send authentication requests?

EAP-TLS is certificate based authentication. All you need in order to get authenticated is a valid certificate. Do you mean authorization?

Ivan Kalik
Kalik Informatika ISP
RE: FreeRadius/eDirectory/802.1X authentication issue
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:freeradius-users- [EMAIL PROTECTED] On Behalf Of Ivan Kalik
> Sent: Thursday, June 12, 2008 12:20 PM
> To: FreeRadius users mailing list
> Subject: RE: FreeRadius/eDirectory/802.1X authentication issue
>
>> Dumb question perhaps, but without configuring LDAP, how does EAP-TLS know where to send authentication requests?
>
> EAP-TLS is certificate based authentication. All you need in order to get authenticated is a valid certificate. Do you mean authorization?

Ahh, your answer just made our current RADIUS configuration more understandable to me! As I may have mentioned, I inherited this setup from someone else who left the district. The way it is currently working, we do not have to install certificates on a laptop. The "Validate server certificate" option on our laptops' wireless configuration is turned off. The idea was to keep it as simple as possible for users, yet maintain some semblance of security. Apparently, the way we're doing it right now is using EAP-TLS with PEAP authentication, which is passing the user's credentials through an encrypted tunnel to the RADIUS server, which is in turn passing the credentials through to eDirectory via LDAP. At least, I *think* I'm explaining that correctly. :) I'd like to maintain that setup with FreeRADIUS 2.0.5, but I'm still having a hard time following the configuration and authentication path with the current 1.1.0 setup.

Thanks!

Bryce Newall
Systems Administrator
Poway Unified School District
(858) 679-2576
[EMAIL PROTECTED]
Re: FreeRadius/eDirectory/802.1X authentication issue
Hi,

> No, it's not. The laptop is not storing the password; it's using the login credentials each time. The "Use Windows login credentials" (or whatever it's called; can't remember off the top of my head) option is checked. In fact, if I un-check it and have Windows prompt me for the credentials, then the authentication works properly! (With or without the domain name.) And it's the same username/password that I use to log on to the laptop. It's very strange that it works fine when I have Windows prompt for the credentials, but won't when I have it use the login credentials.

that's because it IS cached - it gets cached in a different HIVE area. still an EAPOL though. this is proved by what you've just stated. run a regedit and look for lurking EAPOL. the RADIUS logs don't lie.

alan
RE: FreeRadius/eDirectory/802.1X authentication issue
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:freeradius-users- [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Tuesday, June 10, 2008 11:08 PM
> To: FreeRadius users mailing list
> Subject: Re: FreeRadius/eDirectory/802.1X authentication issue
>
> Hi,
>
>> on to the laptop. It's very strange that it works fine when I have Windows prompt for the credentials, but won't when I have it use the login credentials.
>
> that's because it IS cached - it gets cached in a different HIVE area. still an EAPOL though. this is proved by what you've just stated. run a regedit and look for lurking EAPOL. the RADIUS logs don't lie.

I'll take another look if I can get my hands on the laptop again. But it still doesn't make sense that a different user (me) has no problem logging in. Plus, these laptops were brand new, and when I tested User3's account on User2's laptop and vice versa, I had the same problem. That was the first time either user had logged in to the other's laptop, and I know I logged in with the correct password; otherwise, I wouldn't have been able to log in to Novell or Windows. Yet, they would still fail to authenticate wirelessly. I'm convinced that it has SOMETHING to do with how Windows is passing the credentials through to FreeRadius, rather than a FreeRadius problem; I'm just not sure where to troubleshoot.

Bryce Newall
Systems Administrator
Poway Unified School District
(858) 679-2576
[EMAIL PROTECTED]
Re: FreeRadius/eDirectory/802.1X authentication issue
Newall, Bryce wrote:
> I'm convinced that it has SOMETHING to do with how Windows is passing the credentials through to FreeRadius, rather than a FreeRadius problem; I'm just not sure where to troubleshoot.

You'll know from reading this list where *my* biases are. For most problem interactions with external devices, it's usually the external devices that are buggy. For behavior that's internal to the server, it's often administrator misconfiguration. For some rare cases, it's a FreeRADIUS bug.

Alan DeKok.
Re: FreeRadius/eDirectory/802.1X authentication issue
On Tue, Jun 10, 2008 at 07:32:45PM -0700, Newall, Bryce wrote:
> login credentials each time. The "Use Windows login credentials" (or whatever it's called; can't remember off the top of my head) option is checked. In fact, if I un-check it and have Windows prompt me for the credentials, then the authentication works properly! (With or without

reset the user's profile. we've had the same problem here and that fixed it.

> the domain name.) And it's the same username/password that I use to log on to the laptop. It's very strange that it works fine when I have Windows prompt for the credentials, but won't when I have it use the login credentials.
>
> Bryce Newall
> Systems Administrator
> Poway Unified School District
> (858) 679-2576
> [EMAIL PROTECTED]
RE: FreeRadius/eDirectory/802.1X authentication issue
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:freeradius-users- [EMAIL PROTECTED] On Behalf Of Phil Mayers
> Sent: Wednesday, June 11, 2008 2:00 AM
> To: FreeRadius users mailing list
> Subject: Re: FreeRadius/eDirectory/802.1X authentication issue
>
> On Tue, Jun 10, 2008 at 07:32:45PM -0700, Newall, Bryce wrote:
>> login credentials each time. The "Use Windows login credentials" (or whatever it's called; can't remember off the top of my head) option is checked. In fact, if I un-check it and have Windows prompt me for the credentials, then the authentication works properly! (With or without
>
> reset the user's profile. we've had the same problem here and that fixed it.

Tried that first thing; no luck, unfortunately. And again, these were brand new laptops with brand new profiles, so that shouldn't have mattered, but I did it anyway just to be safe.

I am looking into setting up a test RADIUS server with FreeRADIUS 2.0.5, since the current server is running 1.1.0. As I mentioned before, though, I don't know a lot about RADIUS, and would love to find some HOW-TO's to help me make it work. We need to have FreeRADIUS speak LDAP with Novell eDirectory, and be able to authenticate wireless clients using EAP-TLS (or even EAP-TTLS, but we're using TLS right now).

Bryce Newall
Systems Administrator
Poway Unified School District
(858) 679-2576
[EMAIL PROTECTED]
Re: FreeRadius/eDirectory/802.1X authentication issue
Newall, Bryce wrote:
> I am looking into setting up a test RADIUS server with FreeRADIUS 2.0.5, since the current server is running 1.1.0. As I mentioned before, though, I don't know a lot about RADIUS, and would love to find some HOW-TO's to help me make it work.

As would I.

This isn't a RADIUS thing. It's a Windows thing. FreeRADIUS is at the mercy of the Windows system, which is doing weird things. And that's not just me blaming everything on other people's software. There's really no other conclusion possible from your description.

> We need to have FreeRADIUS speak LDAP with Novell eDirectory, and be able to authenticate wireless clients using EAP-TLS (or even EAP-TTLS, but we're using TLS right now).

Er... EAP-TLS means that it won't normally do user lookups in LDAP.

And you should upgrade to 2.0.5. It makes 1.1.0 look as bad as IAS.

Alan DeKok.
RE: FreeRadius/eDirectory/802.1X authentication issue
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:freeradius-users- [EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: Wednesday, June 11, 2008 10:30 AM
> To: FreeRadius users mailing list
> Subject: Re: FreeRadius/eDirectory/802.1X authentication issue
>
>> We need to have FreeRADIUS speak LDAP with Novell eDirectory, and be able to authenticate wireless clients using EAP-TLS (or even EAP-TTLS, but we're using TLS right now).
>
> Er... EAP-TLS means that it won't normally do user lookups in LDAP.

See why I say I don't know a whole lot about how all this works?? :) So it sounds like I don't even need LDAP, but it's helpful for at least testing the RADIUS configuration with a program like NTRadPing to make sure it's working correctly before jumping into the EAP-TLS setup.

> And you should upgrade to 2.0.5. It makes 1.1.0 look as bad as IAS.

SLES 10 SP2 still ships with FreeRADIUS 1.1.0. Go figure. Any suggestions as to where to find some good HOWTO docs? I went through the FreeRADIUS Wiki, but it wasn't very complete.

Thanks!

Bryce Newall
Systems Administrator
Poway Unified School District
(858) 679-2576
[EMAIL PROTECTED]
Re: FreeRadius/eDirectory/802.1X authentication issue
Newall, Bryce wrote:
> See why I say I don't know a whole lot about how all this works?? :) So it sounds like I don't even need LDAP, but it's helpful for at least testing the RADIUS configuration with a program like NTRadPing to make sure it's working correctly before jumping into the EAP-TLS setup.

Yes.

>> And you should upgrade to 2.0.5. It makes 1.1.0 look as bad as IAS.
>
> SLES 10 SP2 still ships with FreeRADIUS 1.1.0. Go figure. Any suggestions as to where to find some good HOWTO docs? I went through the FreeRADIUS Wiki, but it wasn't very complete.

The configuration files that the server comes with are pretty complete. To be honest, it's pretty much impossible to write any good HOWTO's for RADIUS.

With tiny edits (as documented and explained in the configs), the default configuration works with PAP, CHAP, MS-CHAP, Digest, EAP-MD5, EAP-MSCHAPv2, PEAP, EAP-TTLS. Follow the explanations in the config files, and add support for LDAP, SQL, ...

Any HOWTO will be not much more than "read the config files, and follow their instructions".

Alan DeKok.
Re: FreeRadius/eDirectory/802.1X authentication issue
> rlm_mschap: Told to do MS-CHAPv2 for UserB with NT-Password
> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

(Cached) password for that user on that laptop is wrong. Changing that wrong password will require a bit of registry hacking:

http://support.microsoft.com/default.aspx?scid=kb;en-us;823731

Ivan Kalik
Kalik Informatika ISP
RE: FreeRadius/eDirectory/802.1X authentication issue
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:freeradius-users- [EMAIL PROTECTED] On Behalf Of Ivan Kalik
> Sent: Tuesday, June 10, 2008 5:35 PM
> To: FreeRadius users mailing list
> Subject: Re: FreeRadius/eDirectory/802.1X authentication issue
>
>> rlm_mschap: Told to do MS-CHAPv2 for UserB with NT-Password
>> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>
> (Cached) password for that user on that laptop is wrong.

No, it's not. The laptop is not storing the password; it's using the login credentials each time. The "Use Windows login credentials" (or whatever it's called; can't remember off the top of my head) option is checked. In fact, if I un-check it and have Windows prompt me for the credentials, then the authentication works properly! (With or without the domain name.) And it's the same username/password that I use to log on to the laptop. It's very strange that it works fine when I have Windows prompt for the credentials, but won't when I have it use the login credentials.

Bryce Newall
Systems Administrator
Poway Unified School District
(858) 679-2576
[EMAIL PROTECTED]
FreeRadius/eDirectory/802.1X authentication issue
RE: EAP-PEAP with LDAP for 802.1x authentication
I have installed smbldap-tools and tried to modify existing LDAP records using smbldap-usermod after updating the smbldap.conf and smbldap_bind.conf to connect to the LDAP, but I keep getting an error that the user cannot be found.

Using ldapsearch, syslog shows

Feb 28 17:54:42 advert slapd[5679]: connection_get(10)
Feb 28 17:54:42 advert slapd[5679]: == bdb_bind: dn: cn=admin,o=com
Feb 28 17:54:42 advert slapd[5679]: send_ldap_result: err=0 matched= text=
Feb 28 17:54:42 advert slapd[5679]: connection_get(10)
Feb 28 17:54:42 advert slapd[5679]: SRCH o=com 2 0
Feb 28 17:54:42 advert slapd[5679]: 0 0 0
Feb 28 17:54:42 advert slapd[5679]: filter: ((objectClass=advert-account)(uid=samba_servers))
Feb 28 17:54:42 advert slapd[5679]: attrs:

But using smbldap-usermod, syslog shows

Feb 28 17:57:25 advert slapd[5679]: connection_get(10)
Feb 28 17:57:25 advert slapd[5679]: == bdb_bind: dn: cn=admin,o=com
Feb 28 17:57:25 advert slapd[5679]: send_ldap_result: err=0 matched= text=
Feb 28 17:57:25 advert slapd[5679]: connection_get(10)
Feb 28 17:57:25 advert slapd[5679]: SRCH o=com 2 2
Feb 28 17:57:25 advert slapd[5679]: 0 0 0
Feb 28 17:57:25 advert slapd[5679]: filter: ((?=undefined)(uid=samba_servers))
Feb 28 17:57:25 advert slapd[5679]: attrs:
Feb 28 17:57:25 advert slapd[5679]:
Feb 28 17:57:25 advert slapd[5679]: bdb_idl_fetch_key: [b49d1940]
Feb 28 17:57:25 advert slapd[5679]: send_ldap_result: err=0 matched= text=
Feb 28 17:57:25 advert slapd[5679]: connection_get(10)

This is not a freeradius issue, but can someone advise what could be the problem?

Regards,
Ryan
Re: EAP-PEAP with LDAP for 802.1x authentication
reading from http://deployingradius.com/documents/protocols/compatibility.html you can see that there's no problem making ldap work with EAP-PEAP; the only thing you must take care of is the hashing algorithm for the password.

Reading carefully from http://vuksan.com/linux/dot1x/802-1x-LDAP.html
> It is important depending what kind of password information you have stored in your LDAP database

So nobody says you can't make openldap and freeradius work together. :) Reading carefully 802-1x.LDAP.html you'll be able to set up a working environment.

On Mon, Feb 25, 2008 at 7:58 AM, Ryan [EMAIL PROTECTED] wrote:
> Hi All,
>
> Understand that it is not possible to authenticate using EAP-PEAP against OpenLDAP due to encrypted password. Can someone advise on how exactly OpenLDAP needs to be configured so that it can be used in EAP-PEAP? I found out from http://vuksan.com/linux/dot1x/802-1x-LDAP.html that to do so additional attributes need to be added to LDAP. Is this the only way?
>
> Thanks/Regards,
> Ryan

--
they don't own your box, but they have you
Re: EAP-PEAP with LDAP for 802.1x authentication
> Understand that it is not possible to authenticate using EAP-PEAP against OpenLDAP due to encrypted password. Can someone advise on how exactly OpenLDAP needs to be configured so that it can be used in EAP-PEAP?

Don't use encrypted password. Or use nt hash and NT-Password. There is nothing to add - those attributes are already in ldap.attrmap.

Ivan Kalik
Kalik Informatika ISP
Re: EAP-PEAP with LDAP for 802.1x authentication
2008/2/25, Ryan [EMAIL PROTECTED]:
> Hi All,
>
> Understand that it is not possible to authenticate using EAP-PEAP against OpenLDAP due to encrypted password. Can someone advise on how exactly OpenLDAP needs to be configured so that it can be used in EAP-PEAP? I found out from http://vuksan.com/linux/dot1x/802-1x-LDAP.html that to do so additional attributes need to be added to LDAP. Is this the only way?
>
> Thanks/Regards,
> Ryan

I think that the easiest way is using EAP-TTLS; if you use encrypted passwords in OpenLDAP, you should use PAP. The problem is that Windows has no native PAP support, so you should use something like SecureW2. The other option is the one Ivan Kalik mentions (something that I asked many times :) )

--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
RE: EAP-PEAP with LDAP for 802.1x authentication
Hello,

I use FreeRadius with OpenLDAP to authenticate devices using EAP-PEAP and it works fine. The only problem I had was the encrypted password in my LDAP database. I by-passed this problem using clear-text Password in the LDAP Database and it works fine.

You can also have a look at this: http://deployingradius.com/documents/protocols/compatibility.html

Regards,
Nicolas SOULEMAN.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of [EMAIL PROTECTED]
> Sent: Monday, 25 February 2008 11:59
> To: freeradius-users@lists.freeradius.org
> Subject: Freeradius-Users Digest, Vol 34, Issue 124
>
> Message: 1
> Date: Mon, 25 Feb 2008 11:15:38 +0800 (CST)
> From: Hangjun He [EMAIL PROTECTED]
> Subject: rlm_dbm can not work?
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
>
> Hi,
>
> I am using freeRADIUS 1.1.6. I can not let rlm_dbm work.
>
> Result of rlm_dbm_cat:
> [EMAIL PROTECTED] raddb]# pwd
> /usr/local/etc/raddb
> [EMAIL PROTECTED] raddb]# rlm_dbm_cat -f users.db
> hhe4 Cleartext-Password := hhe123 Reply-Message = Hello
> hhe123 Cleartext-Password := hhe123 Reply-Message = Hello
> [EMAIL PROTECTED] raddb]# ls users.*
> users.db.dir users.db.pag
>
> Debug message:
> Module: Loaded dbm
> dbm: usersfile = /usr/local/etc/raddb/users.db
> Module: Instantiated dbm (dbm)
> Listening on authentication *:1812
> Listening on accounting *:1813
> ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1:1033, id=26, length=58
> User-Name = hhe123
> User-Password = hhe123
> NAS-IP-Address = 255.255.255.255
> NAS-Port = 0
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module mschap returns noop for request 0
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module eap returns noop for request 0
> rlm_dbm: try open database file: /usr/local/etc/raddb/users.db
> rlm_dbm: Call parse_user:
> sm_parse_user.c: check for loops
> Add hhe123 to user list
> rlm_dbm: User hhe123 not foud in database
> Remove hhe123 from user list
> sm_parse_user.c: check for loops
> Add DEFAULT to user list
> rlm_dbm: User DEFAULT not foud in database
> Remove DEFAULT from user list
> modcall[authorize]: module dbm returns notfound for request 0
> modcall: leaving group authorize (returns noop) for request 0
> auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> auth: Failed to validate the user.
> Sending Access-Reject of id 26 to 127.0.0.1 port 1033
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 26 with timestamp 47c220be
> Nothing to do. Sleeping until we see a request.
>
> John.
RE: EAP-PEAP with LDAP for 802.1x authentication
Passwords are currently encrypted in LDAP. In this case, am I correct to say that I will need to add both nt hash and NT-Password to LDAP using smb-ldap related tools for it to work with PEAP? Will samba be required to be configured on my LDAP server?

Thanks/Regards,
Ryan
Re: EAP-PEAP with LDAP for 802.1x authentication
Ryan wrote:
Passwords are currently encrypted in LDAP. In this case, am I correct to say that I will need to add both the NT hash and NT-Password to LDAP using smb-ldap related tools for it to work with PEAP?

You will need to *create* the NT hash or clear-text password on your LDAP server. This usually involves asking all of the users to re-enter their passwords.

Will Samba be required to be configured on my LDAP server?

No.

Alan DeKok.
EAP-PEAP with LDAP for 802.1x authentication
Hi All,

Understand that it is not possible to authenticate using EAP-PEAP against OpenLDAP due to encrypted password. Can someone advise on how exactly OpenLDAP needs to be configured so that it can be used in EAP-PEAP? I found out from http://vuksan.com/linux/dot1x/802-1x-LDAP.html that to do so additional attributes need to be added to LDAP. Is this the only way?

Thanks/Regards,
Ryan
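Alan DeKok's reply above is the crux of this thread: MSCHAPv2, the inner method of PEAP, can only be checked against the NT hash (MD4 over the UTF-16LE password) or a clear-text password the server can derive that hash from, so a userPassword stored as {SSHA} or {CRYPT} cannot be used no matter how the ldap module is configured. The script below is an added example, not code from the thread or from FreeRADIUS: it computes the NT hash, checks whether a directory entry can serve PEAP/MSCHAPv2 at all, and emits the LDIF that stores the hash. The attribute names (userPassword, sambaNTPassword), the base DN and the sample entries are assumptions; the MD4 test vectors are the ones in RFC 1320.

```python
"""NT hash for PEAP/MSCHAPv2 against an LDAP directory.

Added example; not code from the thread or from FreeRADIUS. Attribute names,
base DN and sample entries are assumptions."""
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    x &= _MASK
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). hashlib.new('md4') needs OpenSSL's legacy
    provider on current systems, so the algorithm is spelled out here."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)           # round 1 function
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)  # round 2 function
    k = lambda x, y, z: x ^ y ^ z                    # round 3 function
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):
            a = _rotl(a + f(b, c, d) + X[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _rotl(a + g(b, c, d) + X[r2[i]] + 0x5A827999, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _rotl(a + k(b, c, d) + X[r3[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(v + w) & _MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """NT hash the way Samba and FreeRADIUS store it: 32 upper-case hex digits."""
    return md4(password.encode("utf-16-le")).hex().upper()


CLEAR_SCHEMES = ("", "CLEAR", "CLEARTEXT")


def mschapv2_capable(entry: dict) -> bool:
    """Can FreeRADIUS run MSCHAPv2 (PEAP's inner method) against this entry?
    It needs the NT hash, or a clear-text password to derive it from; a
    one-way scheme such as {SSHA} or {CRYPT} cannot be converted."""
    nt = entry.get("sambaNTPassword", "")
    if len(nt) == 32 and all(ch in "0123456789abcdefABCDEF" for ch in nt):
        return True
    pw = entry.get("userPassword", "")
    scheme = pw[1:pw.index("}")].upper() if pw.startswith("{") and "}" in pw else ""
    return bool(pw) and scheme in CLEAR_SCHEMES


def ldif_set_nt_hash(uid: str, password: str,
                     base_dn: str = "ou=people,dc=example,dc=com") -> str:
    """LDIF that sets sambaNTPassword on an existing entry (assumed to carry
    objectClass sambaSamAccount). The stock FreeRADIUS 2.x ldap.attrmap maps
    sambaNtPassword to the NT-Password check item."""
    return "\n".join([
        f"dn: uid={uid},{base_dn}",
        "changetype: modify",
        "replace: sambaNTPassword",
        f"sambaNTPassword: {nt_hash(password)}",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample entries, not real users.
    entries = {
        "alice": {"userPassword": "{SSHA}k3hb2ZxIFwZVTh0rJz1i3uA9A6dDqY7J"},
        "bob": {"userPassword": "hunter2"},
        "carol": {"userPassword": "{SSHA}k3hb2ZxIFwZVTh0rJz1i3uA9A6dDqY7J",
                  "sambaNTPassword": nt_hash("password")},
    }
    for uid, entry in entries.items():
        print(f"{uid}: PEAP/MSCHAPv2 {'OK' if mschapv2_capable(entry) else 'will fail'}")
    print(ldif_set_nt_hash("alice", "password"))
```

The NT hash is password-equivalent (anyone who reads it can authenticate as the user), so it needs the same ACLs in the directory as a clear-text userPassword, and the bind DN FreeRADIUS uses should be the only non-admin identity allowed to read it.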
Re: 802.1x Authentication
Recommended to first try EAP-PEAP configuration (802.1x) before certificates.

When in doubt, Google is your best friend:

Paranoid Penguin - Securing Your WLAN with WPA and FreeRADIUS, Parts I, II and III
http://www.linuxjournal.com/article/8017
http://www.linuxjournal.com/article/8095
http://www.linuxjournal.com/article/8151

You can also integrate FreeRADIUS with Novell eDirectory or OpenLDAP.

// Joakim Lindgren

Devinder Singh wrote:
Hi
Does FreeRADIUS have support for 802.1x authentication, such as providing a certificate? Can it also integrate with Microsoft Active Directory?
Regards
--
Devinder
Re: 802.1x Authentication
On Friday, 1 February 2008 08:29, Devinder Singh wrote:
Hi
Does FreeRADIUS have support for 802.1x authentication, such as providing a certificate? Can it also integrate with Microsoft Active Directory?
Regards

2 x Yes.

--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75
mail: [EMAIL PROTECTED]
web: www.multinet.de
Registered office: 85630 Grasbrunn
Register court: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens
---
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42
802.1x Authentication
Hi

Does FreeRADIUS have support for 802.1x authentication, such as providing a certificate? Can it also integrate with Microsoft Active Directory?

Regards
--
Devinder
Re: Need help with 802.1X authentication to Active Directory
I can't see the fault with the server or the client (certificates are there, the wired 802.1x supplicant is enabled by default and set to do EAP-TLS with a certificate from the local store by default). The only place left to look is the NAS. Can you enable debug radius and see what the log shows?

Ivan Kalik
Kalik Informatika ISP
Re: Need help with 802.1X authentication to Active Directory
Yes. Certificates created with xpextensions will work with Win2K3 clients as well. But you need to import the CA certificate into the trusted certificate store on the Windows clients (XP and 2K3; Win 2K can't be used).

Ivan Kalik
Kalik Informatika ISP
Re: Need help with 802.1X authentication to Active Directory
Hi Ivan,

Sorry, I forgot to mention that I did import the cert-clt.p12 and cacert.pem into the local machine certificate store. I was reading a document that was saying that the USERS file is not necessary for authenticating to Active Directory. Is that really true?

Here are my config files.
clients.conf: http://www.nabble.com/file/p11217074/clients.conf
smb.conf: http://www.nabble.com/file/p11217074/smb.conf
nsswitch.conf: http://www.nabble.com/file/p11217074/nsswitch.conf
radiusd.conf: http://www.nabble.com/file/p11217074/radiusd.conf
eap.conf: http://www.nabble.com/file/p11217074/eap.conf
hosts: http://www.nabble.com/file/p11217074/hosts

Thanks,
Bryant.
Re: Need help with 802.1X authentication to Active Directory
OK. What does the Event Viewer on the Win2K3 client say about the failed login attempts? Has it received an Access-Challenge packet? There might be a firewall problem.

Ivan Kalik
Kalik Informatika ISP
Re: Need help with 802.1X authentication to Active Directory
Hi Ivan,

There are Event log errors in Application and System.

Event ID 1053 - Windows cannot determine the user or computer name. (). Group Policy processing aborted. Or error: The specified user does not exist.

Event ID 5719 - The system cannot log you on now because the domain name is not available.

This would be expected because port security is preventing traffic. Since DOT1X is enabled on the Cisco switch port for the server, I need to authenticate against the RADIUS server, which is sending credentials to my AD domain controller. Both the server and the RADIUS server are on the same switch, so there are no firewall issues. The switch is an access switch uplinked to the core switch where the DC is located. All servers are in the same VLAN.

I cannot decipher the meaning of the debug negotiations that are happening, but it looks to me like there is some kind of default in the users file for 255.255.255.254 that is not the IP address of the server in question. Again, my question is whether I need a USERS file, because I was reading that this file is not required for AD.

Here is my USERS file.
users: http://www.nabble.com/file/p11222403/users

Thanks,
Bryant.
Re: Need help with 802.1X authentication to Active Directory
You don't need the users file if all user/pass information is stored in AD. Can you check that the imported certificate is in Trusted Root and not some other certificate folder? I can't think of any other reason why the conversation wouldn't start with your network configuration.

Ivan Kalik
Kalik Informatika ISP
Re: Need help with 802.1X authentication to Active Directory
Yes, the cert-clt.p12 is imported into Personal and the cacert.pem is in Trusted Root Certificates. I was looking at another document that was putting chmod 0444 on the cert-clt.p12 and chmod 0400 on the cacert.pem, then chown to radius:users on both. Is that necessary?

Thanks,
Bryant.
Re: Need help with 802.1X authentication to Active Directory
rad_recv: Access-Request packet from host 10.10.2.174:21645, id=168, length=137
        User-Name = CORP\\bugman
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = 00-0F-34-A8-FB-0A
        Calling-Station-Id = 00-14-38-A7-F4-2B
        EAP-Message = 0x0202001001434f52505c6275676d616e
        Message-Authenticator = 0xc99fddd5d26268a110ee68d3ccba91d0
        NAS-Port = 50010
        NAS-Port-Type = Ethernet
        NAS-IP-Address = 10.10.2.174
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
  modcall[authorize]: module preprocess returns ok for request 6
  modcall[authorize]: module chap returns noop for request 6
  modcall[authorize]: module mschap returns noop for request 6
    rlm_realm: No '@' in User-Name = CORP\bugman, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 6
    rlm_realm: Looking up realm CORP for User-Name = CORP\bugman
    rlm_realm: No such realm CORP
  modcall[authorize]: module ntdomain returns noop for request 6
  rlm_eap: EAP packet type response id 2 length 16
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 6
    users: Matched entry DEFAULT at line 152
    users: Matched entry DEFAULT at line 171
  modcall[authorize]: module files returns ok for request 6
modcall: leaving group authorize (returns updated) for request 6
  rad_check_password: Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module eap returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6
Sending Access-Challenge of id 168 to 10.10.2.174 port 21645
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x010300061920
        Message-Authenticator = 0x
        State = 0x6b41a15d99600d47f03b461bf870cbb6
Finished request 6
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.10.2.174:21645, id=168, length=137
Sending duplicate reply to client 10.10.2.174:21645 - ID: 168
Re-sending Access-Challenge of id 168 to 10.10.2.174 port 21645
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 6 ID 168 with timestamp 46782c03
Nothing to do.  Sleeping until we see a request.

OK, you send a request, the server sends a challenge ... and then nothing happens. The request is repeated, and so is the challenge. Have you installed the (self-signed) CA certificate on your XP client?

Ivan Kalik
Kalik Informatika ISP
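The pattern Ivan points at (an Access-Challenge goes out, then the NAS only retransmits the same Access-Request id and the server re-sends the same challenge) is the one the eap.conf comment quoted later in this thread describes. The EAP-Message inside that challenge also tells you how far the conversation got: 0x010300061920 is an EAP-Request, id 3, length 6, type 25 (PEAP) with only the Start flag set, so no TLS handshake data and therefore no server certificate had been sent when the client went quiet. That is worth separating from a stall that happens after the server's certificate is on the wire, because only the second case is the "special OIDs / trusted CA" problem. The script below is an added example, not code from the thread or from FreeRADIUS: it walks radiusd -X output, decodes the last challenge's EAP header and classifies each NAS's conversation. The transcript it runs on is constructed; the first exchange reuses the lines posted above, the other three are made up.

```python
"""Find where an 802.1X/EAP conversation stalls, from radiusd -X output.
Added example, not code from the thread or FreeRADIUS. SAMPLE_LOG is constructed:
the first exchange reuses lines posted in the thread, the rest are made up."""
import re
from collections import OrderedDict

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}
TLS_METHODS = ("TLS", "TTLS", "PEAP")  # methods whose sixth byte is a flags byte
RE_RECV = re.compile(r"rad_recv: Access-Request packet from host (\S+):\d+, id=(\d+)")
RE_SEND = re.compile(r"^Sending (Access-Challenge|Access-Accept|Access-Reject) of id \d+ to (\S+) port")
RE_DUP = re.compile(r"Sending duplicate reply to client (\S+):\d+ - ID: \d+")
RE_EAP = re.compile(r"EAP-Message = 0x([0-9a-fA-F]+)")
VERDICTS = {
    "no-reply": "server never replied: check clients.conf, the shared secret and the firewall",
    "stalled-at-eap-start": "client never answered the EAP Start; no TLS data or server "
                            "certificate was sent yet, so check the supplicant's EAP method first",
    "stalled-in-tls-handshake": "client went silent after TLS handshake data (the eap.conf "
                                "'Access-Challenge, then nothing' case): CA trust or server-cert EKU",
}


def decode_eap(hexstr):
    """EAP header fields; for TLS-based methods also the flags byte
    (L=0x80 length included, M=0x40 more fragments, S=0x20 start)."""
    raw = bytes.fromhex(hexstr)
    pkt = {"code": EAP_CODES.get(raw[0], raw[0]), "id": raw[1],
           "length": int.from_bytes(raw[2:4], "big"), "type": None, "flags": None, "payload": 0}
    if len(raw) > 4:
        pkt["type"] = EAP_TYPES.get(raw[4], raw[4])
    if pkt["type"] in TLS_METHODS and len(raw) > 5:
        pkt["flags"], pkt["payload"] = raw[5], len(raw) - 6
    return pkt


def verdict(c):
    if c["final"]:
        return c["final"]
    if not c["challenges"]:
        return "no-reply"
    eap = decode_eap(c["last_eap"]) if c["last_eap"] else {}
    if eap.get("flags") is not None and eap["flags"] & 0x20 and eap["payload"] == 0:
        return "stalled-at-eap-start"
    return "stalled-in-tls-handshake" if eap.get("type") in TLS_METHODS else "stalled"


def analyze(lines):
    """Per NAS: distinct request ids, challenges, duplicate retransmissions, final
    reply, the last challenge's EAP-Message (fragments concatenated) and a verdict."""
    new = lambda: {"ids": [], "challenges": 0, "dups": 0, "final": None, "last_eap": ""}
    convs, current, collecting = OrderedDict(), None, False
    for line in (raw.strip() for raw in lines):
        if (m := RE_RECV.search(line)):
            c = convs.setdefault(m.group(1), new())
            if int(m.group(2)) not in c["ids"]:
                c["ids"].append(int(m.group(2)))
            collecting = False  # attributes that follow belong to the request
        elif (m := RE_SEND.match(line)):
            kind, current = m.group(1), m.group(2)
            c = convs.setdefault(current, new())
            if kind == "Access-Challenge":
                c["challenges"], c["last_eap"], collecting = c["challenges"] + 1, "", True
            else:
                c["final"], collecting = kind, False
        elif (m := RE_DUP.search(line)):
            convs.setdefault(m.group(1), new())["dups"] += 1  # same id again: a retransmit
            collecting = False
        elif collecting and (m := RE_EAP.search(line)):
            convs[current]["last_eap"] += m.group(1)
    for c in convs.values():
        c["verdict"] = verdict(c)
    return convs


def summarize(lines):
    return {nas: c["verdict"] for nas, c in analyze(lines).items()}


SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.10.2.174:21645, id=168, length=137
Sending Access-Challenge of id 168 to 10.10.2.174 port 21645
        EAP-Message = 0x010300061920
rad_recv: Access-Request packet from host 10.10.2.174:21645, id=168, length=137
Sending duplicate reply to client 10.10.2.174:21645 - ID: 168
Re-sending Access-Challenge of id 168 to 10.10.2.174 port 21645
rad_recv: Access-Request packet from host 10.10.2.175:1645, id=10, length=140
Sending Access-Challenge of id 10 to 10.10.2.175 port 1645
        EAP-Message = 0x010300061920
rad_recv: Access-Request packet from host 10.10.2.175:1645, id=11, length=210
Sending Access-Challenge of id 11 to 10.10.2.175 port 1645
        EAP-Message = 0x0104001019c000000400160301000a0b
rad_recv: Access-Request packet from host 10.10.2.175:1645, id=11, length=210
Sending duplicate reply to client 10.10.2.175:1645 - ID: 11
rad_recv: Access-Request packet from host 10.10.2.176:1645, id=20, length=140
Sending Access-Challenge of id 20 to 10.10.2.176 port 1645
rad_recv: Access-Request packet from host 10.10.2.176:1645, id=21, length=180
Sending Access-Accept of id 21 to 10.10.2.176 port 1645
rad_recv: Access-Request packet from host 10.10.2.177:1645, id=30, length=140
""".splitlines()

if __name__ == "__main__":
    for nas, v in summarize(SAMPLE_LOG).items():
        print(nas, v, VERDICTS.get(v, ""))
```

Run against a real radiusd -X capture, 10.10.2.174's verdict is the case in this thread; 10.10.2.175 is what the eap.conf warning is about (the server got as far as sending a certificate fragment with the L and M flags, then heard nothing new). Large EAP packets are split across several EAP-Message attributes, which is why the fragments are concatenated before decoding.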
Re: Need help with 802.1X authentication to Active Directory
Hi Ivan,

Yes, it took me a while to figure out the CA.all script, but I did create the certificates finally after 4 days of trying. The client is actually a Windows 2003 server. The XPEXTENSIONS had an entry for the xpserver. I moved all the files that were created to the /etc/raddb/certs directory along with the demoCA.

Are the scripts designed to create the client certificate for Windows 2003?

Thanks,
Bryant
Need help with 802.1X authentication to Active Directory
preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /etc/raddb/users
 files: acctusersfile = /etc/raddb/acct_users
 files: preproxy_usersfile = /etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = /var/log/radius/radutmp
 radutmp: username = %{User-Name}
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.

radius-auth.doc: http://www.nabble.com/file/p11131716/radius-auth.doc
Re: Need help with 802.1X authentication to Active Directory
Hi Alan,

My initial config on CentOS was to turn the firewall off. I do have authentication going on, but it looks like the certificates are not working. I uploaded a doc with the output of the debug on the first message.

Bryant
Re: Need help with 802.1X authentication to Active Directory
Hi,

I have FreeRADIUS set up as outlined by the Howto at this link.
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

I am using CentOS 5 as the host system acting as the SAMBA/RADIUS server. All the *.conf files are configured as directed. I have joined the radius server to the Active Directory domain and configured the radius server with custom SSL certificates. The Radius server starts correctly but I cannot get my supplicant to authenticate. Any ideas?

Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.

...followed by silence. Nothing there. No attempts to talk RADIUS ever seen. Looks very much like you need to let the firewall on the CentOS box allow UDP ports 1812/1813 through:

/sbin/iptables -L -n

alan
Re: Need help with 802.1X authentication to Active Directory
Uploaded it where? The debug output in your first message is just server startup. It hasn't received any packets. Check where your NAS is sending those requests.

Ivan Kalik
Kalik Informatika ISP
Re: Need help with 802.1X authentication to Active Directory
Here is the doc with the debug output at the bottom.

Bryant.

radius-auth.doc: http://www.nabble.com/file/p11144421/radius-auth.doc
Re: Need help with 802.1X authentication to Active Directory
Hi Alan,

My initial config on CentOS was to turn the firewall off. I do have authentication going on, but it looks like the certificates are not working. I uploaded a doc with the output of the debug on the first message.

radius-auth.doc: http://www.nabble.com/file/p11144608/radius-auth.doc

Bryant
Re: Need help with 802.1X authentication to Active Directory
Have you read the bit of eap.conf titled:

! WARNINGS for Windows compatibility !

just above the peap module?

Ivan Kalik
Kalik Informatika ISP
Re: Need help with 802.1X authentication to Active Directory
Hi,

I am using CentOS 5 as the host system acting as the SAMBA/RADIUS server. All the *.conf files are configured as directed. I have joined the radius server to the Active Directory domain and configured the radius server with custom SSL certificates. The Radius server starts correctly but I cannot get my supplicant to authenticate. Any ideas?

If you have copied the certs to the Windows system as per the instructions and available help guides etc., and you see the authentication attempts made (sorry, you only posted the main start of radiusd -X and a small snip of the debug output - we need to see it all - yes, ALL 550-odd lines of 'garbage'), and you are not seeing ANY attempt being made to hit the ntlm_auth line, then the certs have not been correctly generated.

alan
Re: Need help with 802.1X authentication to Active Directory
Ivan,

Well, in my eap.conf file I have in the eap module a default_eap_type = peap and in my peap module the default_eap_type = mschapv2. Is that correct?
Re: Need help with 802.1X authentication to Active Directory
No. I mean this:

# If you see the server send an Access-Challenge,
# and the client never sends another Access-Request,
# then
#
# STOP!
#
# The server certificate has to have special OID's
# in it, or else the Microsoft clients will silently
# fail. See the scripts/xpextensions file for
# details, and the following page:
#
# http://support.microsoft.com/kb/814394/en-us
#
# For additional Windows XP SP2 issues, see:
#
# http://support.microsoft.com/kb/885453/en-us
#
# Note that we do not necessarily agree with their
# explanation... but the fix does appear to work.

What you have posted is just a snip of the whole conversation. If it is the end of it then this is most likely your problem. But to be sure you need to post the whole thing.

Ivan Kalik
Kalik Informatika ISP

On 15/6/2007, Bryant Marsh [EMAIL PROTECTED] writes: Ivan, Well in my EAP.Conf file, I have in the eap module a default_eap_type = peap and in my peap module the default_eap_type = mschapv2. Is that correct?
Any luck with 802.1x authentication using TTLS with MSCHAPv2 ?
Hi Alan, Mak: I tried the patch on both freeRADIUS 1.1.2 and freeRADIUS 1.1.3 - I had seen similar problems with wpa_supplicant and freeRADIUS with EAP-TTLS/MS-CHAPv2 and hence had to enable the wpa_workaround flag to get past the issue... (which was incorrect). But Mak's patch resolves the issue and now I can get EAP-TTLS/MS-CHAPv2 to work successfully without the workaround. I would suggest this patch go in as a high-priority fix as part of the next release, as it resolves the existing issues with the inner phase-2 mschapv2. Thx.

Regards,
Mohammed.
Re: Any luck with 802.1x authentication using TTLS with MSCHAPv2 ?
hi, urgh. please never attach things using outlook/outlook express. the rest of the world doesn't talk winmail.dat files. I've fentun'd the result and reattached for you.

alan

Attachment: ttls_patch.tgz (TTLS patch)
Re: Any luck with 802.1x authentication using TTLS with MSCHAPv2 ?
Mak Moussa [EMAIL PROTECTED] wrote:
He tested the patch successfully using v1.1.3 on Linux and both TTLS-mschap and TTLS-mschav2 authentications worked fine. I tested the patch using v1.1.2 on Freebsd 5.3 and got the same successful authentications.

Great.

Please review the attached patch for any additional improvements as needed.

Hmm... Content-Disposition: attachment; filename=winmail.dat

Could you attach the files in a *standard* format (i.e. non-Outlook), or put them on a web page?

Alan DeKok.
-- http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
RE: Any luck with 802.1x authentication using TTLS with MSCHAPv2 ?
Thanks to Alan Buxey for reattaching the files in a tgz file. Resending again.

Mak

Attachment: ttls_patch.tgz (Binary data)
Re: Any luck with 802.1x authentication using TTLS with MSCHAPv2 ?
Mak Moussa [EMAIL PROTECTED] wrote:
Would you still say that it is the ttls.c code, even though ttls w/mschap worked fine?

Yes.

I am looking for a differentiator in the code between mschap and mschapv2,

Like the code I pointed you to?

Alan DeKok.
-- http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
RE: Any luck with 802.1x authentication using TTLS with MSCHAPv2 ?
Hi, I would appreciate any insight into the 802.1x authentication using TTLS with MSCHAPv2. Such auth scheme is constantly failing in my wireless setup with FreeRadius. I tried 3 versions v1.0.5, v1.1.2 and v1.1.3 with not much luck. The following authentication schemes worked fine:

1. TTLS w/ MSCHAP from my wireless client to freeradius v1.0.5, v1.1.2, v1.1.3
2. PEAP w/ MSCHAPv2 with same wireless client to same freeradius versions.
3. TTLS w/ MSCHAPv2 from the same wireless setup to an SBR v5.3

The freeradius debug does indicate successful auth and both MPPE keys sent to the client.

modcall[authenticate]: module mschap returns ok for request 17
modcall: leaving group MS-CHAP (returns ok) for request 17
TTLS: Got tunneled Access-Accept
rlm_eap: Freeing handler
modcall[authenticate]: module eap returns ok for request 17
modcall: leaving group authenticate (returns ok) for request 17
Sending Access-Accept of id 21 to 172.16.10.254 port 32777
MS-MPPE-Recv-Key = 0x6a72b3417ed819d9e4d3e5fa8867d1d8211c41941fe2035d33f24b906b3b4406
MS-MPPE-Send-Key = 0x29098f385530c131460af68bc229719d9b5b1dea1e70a783f89acac8ea17aa17
EAP-Message = 0x03060004
Message-Authenticator = 0x
User-Name = Moussa
Finished request 17

However, the client debug shows wpa msg 1 was dropped as follows:

22:53:12.156 ++ EAPOL message received
22:53:12.156 Message dequeued
22:53:12.156 [DTL] Received EAPOL packet :
01 03 00 5F FE 00 89 00 20 00 00 00 00 00 00 00
0010: 01 1F 74 D9 48 45 D8 28 4E 3C E4 B3 0B D4 59 3D
0020: 04 C0 20 9B 00 3A 81 5D EE 4D 90 F1 96 63 98 7B
0030: E5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060: 00 00 00
22:53:12.156 [NRM] Processing EAPOL-Key message
22:53:12.156 [DTL] Received replay counter is 0001
22:53:12.156 [DTL] EAPOL-Key message version = 1
22:53:12.156 [NRM] Processing EAPOL-Key 4-way handshake message 1
22:53:12.156 [NRM] Setting master session key(s)
22:53:12.156 [ERR] Cannot set master key: authentication not complete or method does not support session keys
22:53:12.156 [ERR] EAPOL-Key pairwise key message 1 discarded: no PMK

If I made a freeradius configuration mistake, TTLS with mschap wouldn't work. Any help is very much appreciated.

Mak
Re: Any luck with 802.1x authentication using TTLS with MSCHAPv2 ?
Mak Moussa [EMAIL PROTECTED] wrote:
I would appreciate any insight into the 802.1x authentication using TTLS with MSCHAPv2. Such auth scheme is constantly failing in my wireless setup with FreeRadius. I tried 3 versions v1.0.5, v1.1.2 and v1.1.3 with not much luck.

OK...

The following authentication schemes worked fine:
1. TTLS w/ MSCHAP from my wireless client to freeradius v1.0.5, v1.1.2, v1.1.3
2. PEAP w/ MSCHAPv2 with same wireless client to same freeradius versions.
3. TTLS w/ MSCHAPv2 from the same wireless setup to an SBR v5.3

OK.

If I made a freeradius configuration mistake, TTLS with mschap wouldn't work.

Hmm... it may be that the MSCHAPv2 support in the TTLS code needs work. I haven't looked at it recently, but I do recall some work-arounds..

Which client are you using? It looks like Windows, but Windows doesn't support TTLS natively, so you're obviously doing something special.

Alan DeKok.
-- http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
RE: Any luck with 802.1x authentication using TTLS with MSCHAPv2 ?
Dear Alan, Thank you for the quick reply. Indeed, on WinXP I was using the Funk Odyssey client as it offered a good debug log. However, I tested using different supplicants like IntelPROSet on WinXP and the OSX 10.4 built-in supplicant with consistent results. I even tried a LinkSys WAP54G Fat AP firmware v3.04, as well as the Aruba switch with its thin AP with no difference in the results. I would certainly appreciate any tips on the possible workarounds you mentioned.

Thx
Mak
Re: Any luck with 802.1x authentication using TTLS with MSCHAPv2 ?
Mak Moussa [EMAIL PROTECTED] wrote:
Thank you for the quick reply. Indeed, on WinXP I was using the Funk Odyssey client as it offered a good debug log.

Ok...

However, I tested using different supplicants like IntelPROSet on WinXP and the OSX 10.4 built-in supplicant with consistent results.

i.e. it doesn't work, either?

It looks like it may be an issue with FreeRADIUS. See src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c, function process_reply(). Poke that code, and see if it helps...

Alan DeKok.
-- http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
RE: 802.1x authentication
Just do google, everything is there.

Pradeep

Date: Fri, 7 Jul 2006 09:32:17 -0500 From: Jin Fan [EMAIL PROTECTED] Subject: RE: 802.1x authentication To: FreeRadius users mailing list freeradius-users@lists.freeradius.org

--
Regards
Pradeep Singh
+91-9320216000
RE: 802.1x authentication
Hi, all: To further describe my challenge, here is debugging output from freeradius. One line says, "rlm_eap: Failed in EAP select". I must have set up eap wrong. Could anyone help me out here? Btw, in the following example, user TRPZEDU\\jfan tries to authenticate through 802.1x. Thanks. Jin

rad_recv: Access-Request packet from host 192.168.3.26:2, id=89, length=157
NAS-Port-Id = 1/1
Calling-Station-Id = 00-0B-BE-D4-50-46
Called-Station-Id = 00-0B-0E-13-74-C0:hotspot
Service-Type = Framed-User
User-Name = TRPZEDU\\jfan
State = 0xdcfe3f22dc8680c7b0e05b3d498b6090
EAP-Message = 0x020200060319
NAS-Identifier = Trapeze
NAS-Port-Type = Wireless-802.11
NAS-IP-Address = 192.168.3.26
Message-Authenticator = 0xc846da111c9f48b4a5570fff318767a2
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module preprocess returns ok for request 6
modcall[authorize]: module chap returns noop for request 6
modcall[authorize]: module mschap returns noop for request 6
rlm_realm: No '@' in User-Name = TRPZEDU\jfan, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 6
rlm_eap: EAP packet type response id 2 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 6
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 171
users: Matched entry TRPZEDU\jfan at line 228
modcall[authorize]: module files returns ok for request 6
radius_xlat: 'TRPZEDU\\jfan'
rlm_sql (sql): sql_set_user escaped user -- 'TRPZEDU\\jfan'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'TRPZEDU\\\\jfan' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): User TRPZEDU\\jfan not found in radcheck
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'TRPZEDU\\\\jfan' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'TRPZEDU\\\\jfan' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): User TRPZEDU\\jfan not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 3
modcall[authorize]: module sql returns notfound for request 6
modcall: group authorize returns updated for request 6
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/peap
rlm_eap: No such EAP type peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module eap returns invalid for request 6
modcall: group authenticate returns invalid for request 6
auth: Failed to validate the user.
Delaying request 6 for 1 seconds
Finished request 6
Going to the next request
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 89 to 192.168.3.26:2
EAP-Message = 0x04020004
Message-Authenticator = 0x
Trapeze-VLAN-Name = vlan10
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 5 ID 88 with timestamp 44ae6d5d
Cleaning up request 6 ID 89 with timestamp 44ae6d5d
Nothing to do.
Sleeping until we see a request.
Re: 802.1x authentication
Jin Fan [EMAIL PROTECTED] wrote:
To further describe my challenge, here is debugging output from freeradius. One line says, rlm_eap: Failed in EAP select.

The *important* message is:

rlm_eap: EAP-NAK asked for EAP-Type/peap
rlm_eap: No such EAP type peap

The client is asking for PEAP, and you didn't configure the server to do peap.

Alan DeKok.
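As an added example (not FreeRADIUS code and not anything the posters wrote), here is a small decoder for the EAP-Message values that radiusd -X prints, plus two log checks for the symptoms discussed on this page: a client NAK asking for a method eap.conf does not enable (Jin's thread) and an Access-Challenge the client never answers (the "STOP!" comment quoted in the Active Directory thread above). The EAP_TYPES table, the regular expressions and the STALLED_LOG lines are my own assumptions and constructions; the hex values and JIN_LOG lines are the ones quoted in the thread.

```python
"""Decode EAP-Message attributes from radiusd -X output and flag two common
802.1X failure patterns. Added example, not FreeRADIUS code. The EAP header
layout (code, id, length, type) follows RFC 3748; method numbers are the
IANA EAP type assignments."""
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# Subset of IANA EAP method types an 802.1X administrator meets most often
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "NAK", 4: "MD5-Challenge",
             13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}


def decode_eap_message(value):
    """Parse one EAP-Message attribute given as '0x...' (or bare hex)."""
    raw = bytes.fromhex(value[2:] if value.lower().startswith("0x") else value)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):  # a length field that lies is a malformed packet
        raise ValueError(f"EAP length {length} disagrees with {len(raw)} bytes")
    info = {"code": EAP_CODES.get(code, f"unknown({code})"),
            "id": ident, "length": length}
    if code in (1, 2) and length >= 5:  # only Request/Response carry a type
        eap_type = raw[4]
        info["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
        if eap_type == 3:  # NAK: the payload lists methods the peer would accept
            info["wants"] = [EAP_TYPES.get(t, f"unknown({t})") for t in raw[5:]]
    return info


def missing_methods(nak_info, configured):
    """Methods the client offered in its NAK that the server does not enable."""
    return [m for m in nak_info.get("wants", []) if m not in configured]


NAK_RE = re.compile(r"EAP-NAK asked for EAP-Type/(\S+)")
NO_TYPE_RE = re.compile(r"No such EAP type (\S+)")


def scan_for_unconfigured_type(lines):
    """Walk radiusd -X output and return EAP types the client asked for that
    the server then rejected with 'No such EAP type' (Jin's failure)."""
    asked, rejected = set(), set()
    for line in lines:
        m = NAK_RE.search(line)
        if m:
            asked.add(m.group(1))
        m = NO_TYPE_RE.search(line)
        if m:
            rejected.add(m.group(1))
    return sorted(asked & rejected)


def stalled_after_challenge(lines):
    """True when the server's last action was an Access-Challenge with no
    Access-Request after it: the eap.conf 'STOP!' case, typical of a Windows
    client that silently rejects the server certificate."""
    pending = False
    for line in lines:
        if "Sending Access-Challenge" in line:
            pending = True
        elif "rad_recv: Access-Request" in line:
            pending = False
    return pending


# Values quoted in the thread's debug output
NAK_FROM_JIN = "0x020200060319"     # client NAK asking for PEAP (type 25)
REJECT_FROM_JIN = "0x04020004"      # EAP Failure sent in the Access-Reject
SUCCESS_FROM_MAK = "0x03060004"     # EAP Success from the TTLS thread
JIN_LOG = ["rlm_eap: EAP NAK", "rlm_eap: EAP-NAK asked for EAP-Type/peap",
           "rlm_eap: No such EAP type peap", "rlm_eap: Failed in EAP select"]

# Constructed sample, shaped like the radiusd -X lines in the thread
STALLED_LOG = [
    "rad_recv: Access-Request packet from host 192.168.3.26:2, id=90, length=160",
    "Sending Access-Challenge of id 90 to 192.168.3.26:2",
    "Waking up in 4 seconds...",
    "Cleaning up request 7 ID 90 with timestamp 44ae6d5d",
]

if __name__ == "__main__":
    nak = decode_eap_message(NAK_FROM_JIN)
    print(nak)                                   # Response id 2, NAK wanting PEAP
    print("client wants, server lacks:", missing_methods(nak, {"MD5-Challenge", "TLS"}))
    print(decode_eap_message(REJECT_FROM_JIN))   # Failure id 2
    print(decode_eap_message(SUCCESS_FROM_MAK))  # Success id 6
    print(scan_for_unconfigured_type(JIN_LOG))   # ['peap']
    print(stalled_after_challenge(STALLED_LOG))  # True
```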
802.1x authentication
Hi, All: I need some pointers on how to set up 802.1x (PEAP/MSCHAP v.2) authentication in freeradius. Generating certificates? Modifying configurations?

Jin
Re: ldap+radius+wpa 802.1x authentication
I am away for a few days and cannot check my mail; get back to me after 24/4 or contact the office at [EMAIL PROTECTED] or +46-612-717780

I'm out of office until April 24, contact office: [EMAIL PROTECTED] or +46-612-717780
ldap+radius+wpa 802.1x authentication
No help for me? I'm desperate, I've lost 3 nights now :D I already have my own certs.

Best Regards
João Mamede
ldap+radius+wpa 802.1x authentication
Hi I've been trying to set up my freeradius with my ldap database (all users to authenticate) and I can't authenticate my wireless machines using my AP with EAP. All my config files can be found at http://nebioq.ath.cx:85/radius.tar.bz2 and my radiusd -X -A in http://nebioq.ath.cx:85/radiuslog.txt. I've tried EAP-MD5 and EAP-TTLS. I'm using the certs that came with freeradius because I'm unable to create new ones (an error about some library or something). I can associate to my AP (d-link DI-624) but then the EAP auth fails. My machine is a freeBSD machine (with the radiusd).

Oh, radtest:

radtest forevertheuni mypassword t4 0 radiussecret
Sending Access-Request of id 42 to 192.168.5.100 port 1812
User-Name = forevertheuni
User-Password = mypassword
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 192.168.5.100:1812, id=42, length=20

Hope you folks can help me! Thanks for any help in advance.

João Mamede
Freeradius - Enterasys E1 802.1x Authentication HOWTO
Hi I'm a student in computer sciences. In our network security class we are trying to get the 802.1x (dot1x) features of an Enterasys E1 Switch running with a freeradius server. Unfortunately Enterasys is not very talkative about this on their webpage. Does anyone know of an HOWTO or tutorial about this issue? Any help is kindly appreciated.

Thanks
Manuel Stadelmann
Re: Freeradius - Enterasys E1 802.1x Authentication HOWTO
> Hi, I'm a student in computer sciences. In our network security class we are trying to get the 802.1x (dot1x) features of an Enterasys E1 switch running with a FreeRADIUS server.

Hi, I'm using 802.1x on an Enterasys switch and it works; have a look at http://www.enterasys.com/support/manuals/hardware/3755_12.pdf, chapter Security Configuration.

BE CAREFUL when enabling 802.1x/EAPOL: it activates by default, and without confirmation, on ALL SWITCH PORTS. Before enabling 802.1x, you have to set all ports to FORCED AUTHORIZED mode, and only set AUTO mode on the ports you need once you are sure that you can still connect to manage your switch. By default it activates RADIUS authentication on the serial port too, but that does not work well, and I haven't yet found how to use or change it; my switch is in production, so I can't do what I want. So if you can't connect on the serial port, you have to stop your FreeRADIUS server, or cut the connection between them; then there's a timeout after which classical password authentication is allowed. I don't want to troll, but I think 802.1x on Enterasys is not well designed: it's very easy to make a very big mistake. In the hope that this helps you, I would be interested in hearing back about your work. Thanks, Fred

> Unfortunately Enterasys is not very talkative about this on their webpage. Does anyone know of a HOWTO or tutorial about this issue? Any help is kindly appreciated. Thanks, Manuel Stadelmann
Re: Freeradius - Enterasys E1 802.1x Authentication HOWTO
Hi Fred, thank you for your response. The PDF will surely be very helpful.

Frédéric EVRARD wrote:
> In the hope that this helps you, I would be interested in hearing back about your work. Thanks.

Well, I'll point you to our documentation when it's done. I hope you understand German, because that's what it will be written in. Greetings, Manuel
