EAP authentication stopped working
Hi Freeradius users,

I have FR freeradius-2.2.0-0.fc17.i686 set up on a fedora 17 machine. The wimax clients are supplying EAP-TTLS MSCHAPv2 for authentication. A few weeks ago, the configuration was working and authenticating, but it suddenly stopped. The users are created in the users file and below is the radiusd -X output. Any more info required will be promptly provided. Could someone help me out on this? The wimax system is 4M Alvarion and the CPE are well configured.

ignore_null = no
}
Module: Checking accounting {...} for more modules to load
Module: Instantiating module detail from file /etc/raddb/modules/detail
detail {
detailfile = /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
header = %t
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating module radutmp from file /etc/raddb/modules/radutmp
radutmp {
filename = /var/log/radius/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module attr_filter.accounting_response from file /etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = /etc/raddb/attrs.accounting_response
key = %{User-Name}
relaxed = no
}
reading pairlist file /etc/raddb/attrs.accounting_response
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module attr_filter.access_reject from file /etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = /etc/raddb/attrs.access_reject
key = %{User-Name}
relaxed = no
}
reading pairlist file /etc/raddb/attrs.access_reject
} # modules
} # server
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: Opening IP addresses and Ports
listen {
type = auth
ipaddr = *
port = 0
}
listen {
type = acct
ipaddr = *
port = 0
}
listen {
type = control
listen {
socket = /var/run/radiusd/radiusd.sock
}
}
listen {
type = auth
ipaddr = 127.0.0.1
port = 18120
}
... adding new socket proxy address * port 46422
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 11.0.0.205 port 1812, id=153, length=196
User-Name = {sm=1}rawlacur...@adn.com
EAP-Message = 0x0201001e017b736d3d317d7261776c616375726f6e654061646e2e636f6d
Message-Authenticator = 0x39a7eb8d6128461e0fa6caf5dd5c26c3
NAS-Identifier = 201
NAS-IP-Address = 11.0.0.205
Calling-Station-Id = AC-81-12-78-CA-6E
WiMAX-BS-Id = 0xfff329010102
NAS-Port-Type = Wireless-802.16
Framed-MTU = 2000
Service-Type = Framed-User
WiMAX-GMT-Timezone-offset = 256
WiMAX-Release = 1.0
WiMAX-Accounting-Capabilities = IP-Session-Based
WiMAX-Attr-1793 = 0x028a
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/11.0.0.205/auth-detail-20130501
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/11.0.0.205/auth-detail-20130501
[auth_log] expand: %t -> Wed May 1 17:46:27 2013
++[auth_log] returns fail
Using Post-Auth-Type REJECT
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> {sm=1}rawlacur...@adn.com
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 153 to 11.0.0.205 port 1812
Waking up in 4.9 seconds.
Cleaning up request 0 ID 153 with timestamp +1
Ready to process requests.
rad_recv: Access-Request packet from host 11.0.0.205 port 1812, id=154, length=196
Re: EAP authentication stopped working
Why does auth_log return fail?

On May 4, 2013 8:04 PM, larry tembu larryte...@yahoo.com wrote:
Re: EAP authentication stopped working
On Sat, May 4, 2013 at 3:24 PM, Peter Lambrechtsen pe...@crypt.co.nz wrote:
> Why does auth_log return fail?
> On May 4, 2013 8:04 PM, larry tembu larryte...@yahoo.com wrote:
>> a few weeks ago, the configuration was working and authenticating, but it suddenly stopped.
>> [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/11.0.0.205/auth-detail-20130501
>> [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/11.0.0.205/auth-detail-20130501
>> [auth_log] expand: %t -> Wed May 1 17:46:27 2013
>> ++[auth_log] returns fail
>> Using Post-Auth-Type REJECT

My GUESS is that it's something as simple as disk full. Try df -h and df -i.

-- 
Fajar

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP authentication stopped working
Hi,

> My GUESS is that it's something as simple as disk full. Try df -h and df -i.

yep. that's the most common error. check in your change log for any changes made to your system, check revision control for any changes, check your 'gold reference' 'radiusd -X' output against what it looks like now etc. if none of that has changed then you'll need to look elsewhere - such as system patches that have been applied

BUT, the obvious failure would be lack of diskspace. and the default behaviour is if the auth etc cannot be logged then the authentication will fail (otherwise you won't have audit trails of the connection/usage)

...and then advice that you start putting system monitoring into place for such things.

alan
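Alan's point above, that the server fails closed when the audit trail cannot be written, is the reason to monitor the log filesystem before it fills rather than after authentication stops. The following is an added example, not code from this thread or from the FreeRADIUS project: a small POSIX sh probe that turns the "df -h and df -i" advice into a check that can run from cron or a monitoring agent. The directory /var/log/radius/radacct is the one from the debug output in this thread; the 90% threshold, the function names and the constructed sample df lines are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the list thread): monitor blocks AND inodes on the
# filesystem that rlm_detail / auth_log writes to, because either running out
# makes the detail module return "fail", which in turn rejects every request.
# Assumes POSIX sh and a df that supports -P and -i.

RADLOG_DIR="${RADLOG_DIR:-/var/log/radius/radacct}"   # path to watch (from the thread)
THRESHOLD="${THRESHOLD:-90}"                           # assumed alert level in percent

# usage_pct LINE
# Print the "Capacity" / "IUse%" column (field 5 of `df -P` / `df -P -i`
# output) from one df line as a bare integer.
usage_pct() {
    printf '%s\n' "$1" | awk '{ sub(/%/, "", $5); print $5 }'
}

# line_ok LINE LIMIT
# Succeed when the usage in LINE is numeric and at or below LIMIT.
# df prints "-" for filesystems that do not report inodes; treat that as bad
# rather than silently passing it.
line_ok() {
    pct=$(usage_pct "$1")
    case $pct in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$pct" -le "$2" ]
}

# check_lines BLOCKS_LINE INODES_LINE LIMIT LABEL
# Evaluate two df lines (blocks and inodes) for one filesystem. Prints a
# Nagios-style verdict and returns 0 (OK) or 2 (CRITICAL).
check_lines() {
    blocks=$1; inodes=$2; limit=$3; label=$4
    status=0
    if ! line_ok "$blocks" "$limit"; then
        echo "CRITICAL: $label blocks $(usage_pct "$blocks")% used (limit $limit%)"
        status=2
    fi
    if ! line_ok "$inodes" "$limit"; then
        echo "CRITICAL: $label inodes $(usage_pct "$inodes")% used (limit $limit%)"
        status=2
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: $label blocks $(usage_pct "$blocks")%, inodes $(usage_pct "$inodes")%"
    fi
    return "$status"
}

# check_dir DIR LIMIT
# Run the check against the live system for the filesystem holding DIR.
check_dir() {
    check_lines "$(df -P "$1" | tail -n 1)" "$(df -P -i "$1" | tail -n 1)" "$2" "$1"
}

# Constructed sample df -P lines (not real output from any host), used to
# exercise the logic offline: a full /var and a healthy /var.
SAMPLE_BLOCKS_FULL='/dev/sda3 10190136 10190136 0 100% /var'
SAMPLE_BLOCKS_OK='/dev/sda3 10190136 4500000 5690136 45% /var'
SAMPLE_INODES_FULL='/dev/sda3 655360 655360 0 100% /var'
SAMPLE_INODES_OK='/dev/sda3 655360 12000 643360 2% /var'

# Usage: ./check_radlog.sh --check     (exit 0 = OK, 2 = CRITICAL)
if [ "${1:-}" = "--check" ]; then
    check_dir "$RADLOG_DIR" "$THRESHOLD"
    exit $?
fi
```

Blocks and inodes are checked separately because a detail directory that is created per client IP and per day (as in the `%{Client-IP-Address}/detail-%Y%m%d` expansion above) can exhaust inodes long before it exhausts space, and `df -h` alone will not show that.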
Problem with EAP Authentication working not every time
Hello!

we are using freeradius2 version 2.1.10 on a centos/rhel 5 Server. We authenticate several ubnt clients on ubnt AP's via EAP-PEAP/MSCHAPV2. This works very well, but sometimes the clients get an Access-Reject and I don't know why ;(

I set the radius Server to debug mode and get this output:

Waking up in 0.7 seconds.
Waking up in 2.2 seconds.
Waking up in 1.9 seconds.
WARNING: !!
WARNING: !! EAP session for state 0x69522edb6a233743 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!
Waking up in 0.3 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
[thread]
# Executing section authorize from file /etc/raddb/sites-enabled/default
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): Released sql socket id: 1
# Executing group from file /etc/raddb/sites-enabled/default
Waking up in 0.9 seconds.
[thread]
# Executing section authorize from file /etc/raddb/sites-enabled/default
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): Released sql socket id: 0
# Executing group from file /etc/raddb/sites-enabled/default
Waking up in 0.9 seconds.
[thread]
# Executing section authorize from file /etc/raddb/sites-enabled/default
# Executing group from file /etc/raddb/sites-enabled/default
Waking up in 3.9 seconds.
Waking up in 1.9 seconds.
Waking up in 0.9 seconds.
[thread]
# Executing section authorize from file /etc/raddb/sites-enabled/default
# Executing group from file /etc/raddb/sites-enabled/default
rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
Login incorrect: [m1588a00@EAP/via Auth-Type = EAP] (from client 10.55.0.0/16 port 0 cli 00-27-22-D2-CD-83)
# Executing group from file /etc/raddb/sites-enabled/default
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
Waking up in 0.9 seconds.

The wiki talks about windows clients and decreasing the tunnel MTU. I'm not sure what they mean.

How can I get a more detailed debug message on what is actually wrong? thx for your help

Stefan
__
www.epb.at
Re: Problem with EAP Authentication working not every time
On Wed, Aug 8, 2012 at 2:44 PM, stefan novak lms.bruba...@gmail.com wrote:
> Hello! we are using freeradius2 version 2.1.10 on a centos/rhel 5 Server. We authenticate several ubnt clients on ubnt AP's via EAP-PEAP/MSCHAPV2. This works very well, but sometimes the clients got an Access-Reject and i don't know why ;(

If it's sometimes, then it would be wise to compare the debug log of when the client succeeds and when it does not. Also, IIRC RHEL5 has 2.1.12 already, so you should upgrade just in case this is a fixed bug.

-- 
Fajar
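Fajar's advice is to compare the debug output of a succeeding attempt against a failing one. As an added example (not from this thread or from the FreeRADIUS project), the following POSIX sh/awk helper reads radiusd -X output and separates the two failure signatures visible in Stefan's log: the "EAP session ... did not finish" warning, which the server prints without a client identifier, and the "No EAP session matching the State variable" path, which ends in a "Login incorrect" line that does carry the Calling-Station-Id. The sample log embedded at the bottom is constructed from the line shapes quoted in this thread; the function names and output format are mine.

```shell
#!/bin/sh
# Added example (not from the list thread): tally, per client MAC, how many
# requests in a radiusd -X capture ended in "Login OK", how many were rejected
# immediately after "No EAP session matching the State variable", and how many
# were rejected for some other reason. Abandoned TLS handshakes ("did not
# finish") carry no client id in the warning, so they are reported as one total.
# Assumes POSIX sh and awk and the FreeRADIUS 2.x debug format shown above.
# The pairing of the State warning with the *next* "Login incorrect" line
# matches the sequential ordering seen in the single-process -X output here.

# eap_triage < radiusd-X-output
# Prints "client <mac> ok=<n> stale_state=<n> other_reject=<n>" per MAC,
# then "summary unfinished_sessions=<n>".
eap_triage() {
    awk '
    function cli_of(line) {
        # Extract the MAC after "cli " from a Login OK / Login incorrect line.
        if (match(line, /cli [0-9A-Fa-f:-]+/)) {
            cli = substr(line, RSTART + 4, RLENGTH - 4)
            seen[cli] = 1
            return 1
        }
        return 0
    }
    /EAP session for state .* did not finish/ { unfinished++ }
    /No EAP session matching the State variable/ { stale = 1 }
    /^Login OK:/ { if (cli_of($0)) ok[cli]++ }
    /^Login incorrect:/ {
        if (cli_of($0)) { if (stale) bad[cli]++; else other[cli]++ }
        stale = 0
    }
    END {
        for (c in seen)
            printf "client %s ok=%d stale_state=%d other_reject=%d\n", c, ok[c], bad[c], other[c]
        printf "summary unfinished_sessions=%d\n", unfinished + 0
    }' | LC_ALL=C sort
}

# Constructed sample capture (not real output from any host): two clients,
# one stale-State reject, one ordinary reject, one abandoned handshake.
SAMPLE_LOG='Waking up in 0.9 seconds.
WARNING: !! EAP session for state 0x69522edb6a233743 did not finish!
# Executing section authorize from file /etc/raddb/sites-enabled/default
rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
Login incorrect: [m1588a00@EAP/via Auth-Type = EAP] (from client 10.55.0.0/16 port 0 cli 00-27-22-D2-CD-83)
Login OK: [nagios/via Auth-Type = EAP] (from client 172.21.15.1 port 0 cli 70-6F-6C-69-73-68)
Login incorrect: [bob/via Auth-Type = EAP] (from client 172.21.15.1 port 0 cli 70-6F-6C-69-73-68)
Login OK: [m1588a00/via Auth-Type = EAP] (from client 10.55.0.0/16 port 0 cli 00-27-22-D2-CD-83)'

# demo: run the triage over the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE_LOG" | eap_triage
}

# Usage on a real capture:  radiusd -X 2>&1 | tee debug.log; eap_triage < debug.log
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

A client that shows up with a high stale_state count but also Login OK entries is losing EAP state mid-conversation (retransmits after the server has timed the session out, or a NAS that re-sends with a fresh id), which is a different problem from a client that never completes the TLS handshake at all; seeing the two numbers side by side tells you which debug log to capture next.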
Re: Problem with EAP Authentication working not every time
> If it's sometimes, then it would be wise to compare the debug log of when the client succeeds and when it does not. Also, IIRC RHEL5 has 2.1.12 already, so you should upgrade just in case this is a fixed bug.

just updated my testserver to 2.1.12. I test now with the rad_eap_test utility to eliminate a client failure. The behaviour gets stranger. The test utility also fails sometimes, but the radius server seems to be ok now?

[root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p -m WPA-EAP -e PEAP -2 MSCHAPV2
access-accept; 0
[root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p -m WPA-EAP -e PEAP -2 MSCHAPV2
access-accept; 0
[root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p -m WPA-EAP -e PEAP -2 MSCHAPV2
access-accept; 0
[root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p -m WPA-EAP -e PEAP -2 MSCHAPV2
access-accept; 0
[root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p -m WPA-EAP -e PEAP -2 MSCHAPV2
access-accept; 1
[root@wlan-radius rad_eap_test-0.23]#

} # server inner-tunnel
[peap] Got tunneled reply code 2
MS-MPPE-Encryption-Policy = 0x0001
MS-MPPE-Encryption-Types = 0x0006
MS-MPPE-Send-Key = 0x5b1d5157a6d94d87d527c9aab7234a85
MS-MPPE-Recv-Key = 0x942bf481ca97760d330305771e0d2e09
EAP-Message = 0x03090004
Message-Authenticator = 0x
User-Name = nagios
[peap] Got tunneled reply RADIUS code 2
MS-MPPE-Encryption-Policy = 0x0001
MS-MPPE-Encryption-Types = 0x0006
MS-MPPE-Send-Key = 0x5b1d5157a6d94d87d527c9aab7234a85
MS-MPPE-Recv-Key = 0x942bf481ca97760d330305771e0d2e09
EAP-Message = 0x03090004
Message-Authenticator = 0x
User-Name = nagios
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 9 to 172.21.15.1 port 59848
EAP-Message = 0x010a003b19001703010030a46c09beb178741efc835036735026e09d8b1b1b44a88b55fce72fc28133dbf7e6edca8c0a65a6a2a85fd98f2f6e
Message-Authenticator = 0x
State = 0xc9f5fd31c0ffe486f9e2896c0b298eff
Finished request 779.
Going to the next request
Waking up in 0.1 seconds.
rad_recv: Access-Request packet from host 172.21.15.1 port 59848, id=10, length=226
User-Name = nagios
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = 70-6F-6C-69-73-68
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = rad_eap_test + eapol_test
EAP-Message = 0x020a006019001703010020fcc074273699ca1e907af0200b96b3eaa01064887cff1a26b692f38602c3a48817030100309381801c8d424b14a2d053af534f137d1f632c69aa0572f0720bec578a1d6a61df79dc279e86b9f81d68dc6c81191e8f
State = 0xc9f5fd31c0ffe486f9e2896c0b298eff
Message-Authenticator = 0xb3249ed0ca17319a8d00741f734c974b
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = nagios, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 10 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
Login OK: [nagios/via Auth-Type = EAP] (from client 172.21.15.1 port 0 cli 70-6F-6C-69-73-68)
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
[sql] expand: %{User-Name} -> nagios
[sql] sql_set_user escaped user --> 'nagios'
[sql] expand: %{User-Password} ->
[sql] ... expanding second conditional
[sql] expand: %{Chap-Password} ->
[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'nagios', '', 'Access-Accept', '2012-08-08 10:42:37')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
Re: Problem with EAP Authentication working not every time
Hi,

> just updated my testserver to 2.1.12. I test now with rad_eap_test utility to eliminate a client failure. the behaviour gets more stranger. the test utility also fails sometimes, but the radius server seams to be ok now?
> [root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p -m WPA-EAP -e PEAP -2 MSCHAPV2
> access-accept; 0
> [root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p -m WPA-EAP -e PEAP -2 MSCHAPV2
> access-accept; 0
> [root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p -m WPA-EAP -e PEAP -2 MSCHAPV2
> access-accept; 0
> [root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p -m WPA-EAP -e PEAP -2 MSCHAPV2
> access-accept; 0
> [root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p -m WPA-EAP -e PEAP -2 MSCHAPV2
> access-accept; 1

where's the fail? all those are access-accept.

by the way rad_eap_test isn't the best tool to use - use 'eapol_test' instead - comes as part of the 'WPA_Supplicant' toolset and FreeRADIUS has scripts ready to use with it (eg freeradius-server-2.1.12/src/tests from source)

alan
Re: Problem with EAP Authentication working not every time
stefan novak wrote:
> just updated my testserver to 2.1.12. I test now with rad_eap_test utility to eliminate a client failure. the behaviour gets more stranger. the test utility also fails sometimes, but the radius server seams to be ok now?

Your method is wrong. You ran the client 5 times. Yet you only looked at the debug output for one authentication.

Look at BOTH ends of the RADIUS conversation.

Alan DeKok.
Re: Problem with EAP Authentication working not every time
On Wed, Aug 8, 2012 at 3:43 PM, stefan novak lms.bruba...@gmail.com wrote:
>> If it's sometimes, then it would be wise to compare the debug log of when the client succeeds and when it does not. Also, IIRC RHEL5 has 2.1.12 already, so you should upgrade just in case this is a fixed bug.
>
> just updated my testserver to 2.1.12. I test now with rad_eap_test utility to eliminate a client failure. the behaviour gets more stranger. the test utility also fails sometimes,

How did you determine that it fails?

> [root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p -m WPA-EAP -e PEAP -2 MSCHAPV2
> access-accept; 0
> [root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p -m WPA-EAP -e PEAP -2 MSCHAPV2
> access-accept; 0
> [root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p -m WPA-EAP -e PEAP -2 MSCHAPV2
> access-accept; 0
> [root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p -m WPA-EAP -e PEAP -2 MSCHAPV2
> access-accept; 0
> [root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p -m WPA-EAP -e PEAP -2 MSCHAPV2
> access-accept; 1

Those are all access-accept, aren't they? The second number (reading from http://wiki.eduroam.cz/rad_eap_test/README) should be latency, not an indication that something failed. CMIIW.

-- 
Fajar
Re: Problem with EAP Authentication working not every time
On Wed, Aug 8, 2012 at 3:49 PM, alan buxey a.l.m.bu...@lboro.ac.uk wrote:
> byt he way rad_eap_test isnt the best tool to use - use 'eapol_test' instead

http://wiki.freeradius.org/EAP-Clients#rad_eap_test says rad_eap_test also uses eapol_test from wpa_supplicant. Shouldn't it produce the same behavior?

-- 
Fajar
Re: Problem with EAP Authentication working not every time
> http://wiki.freeradius.org/EAP-Clients#rad_eap_test says rad_eap_test also uses eapol_test from wpa_supplicant. Shouldn't it produce the same behavior?

rad_eap_test is only a wrapper script around eapol_test, because eapol_test produces much output.

> Those are all access-accept, aren't they? The second number (reading from http://wiki.eduroam.cz/rad_eap_test/README) should be latency, not an indication that something failed. CMIIW.

yes, sorry. I understood that wrongly. ok, then it seems that the radius server is ok, but the clients are generating false eap packets. I will post debug from those later, but debugging there is limited ;(

-- 
kind regards,
Stefan
___
www.epb.at - Your IT Partner in East Austria
Re: Problem with EAP Authentication working not every time
Hi,

> rad_eap_test is only a wrapper script around eapol_test because it produces much output.

yes..and I believe it has a bug or 2

> yes, sorry. understand that false ok, then it seams that radius server is ok, but the clients are generating false eap packets. i will post debug from those later, but debugging there is limited ;(

when you say clients, you just mean these rad_eap_test requests? I assume you are using NAGIOS...and that occasionally you are getting a WARNING for the RADIUS server? yes? it's a bug in rad_eap_test as far as I can see - I moved to a native eapol_test with my NAGIOS because of this bug. rad_eap_test is not maintained as far as I can see.

alan
Re: Problem with EAP Authentication working not every time
> when you say clients, you just mean these rad_eap_test requests? I assume you are using NAGIOS...and that occasionally you are getting a WARNING for the RADIUS server? yes? its a bug in rap_eap_test as far as I can see - I moved to a native eapol_test with my NAGIOS because of this bug. rad_eap_test is not maintained as far as i can see.

no, the real clients are Ubiquiti (www.ubnt.com) Nanostation M5 on Ubiquiti Rocket M5 AccessPoints. we encountered the problem that sometimes the rekeying from EAP does not work and disconnects the client. the radius then logs an access-reject. now I am sure that the ubnt clients may be the problem. now I am thinking of the next debug steps

-- 
kind regards,
Stefan
___
www.epb.at - Your IT Partner in East Austria
Re: Problem with EAP Authentication working not every time
Output from the ubnt client:

Aug 7 07:15:18 wpa-supplicant: CTRL-EVENT-EAP-STARTED EAP authentication started
Aug 7 07:15:21 wpa-supplicant: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Aug 7 07:15:57 pppd[1714]: No response to 5 echo-requests
Aug 7 07:15:57 pppd[1714]: Serial link appears to be disconnected.
Aug 7 07:15:57 pppd[1714]: Connect time 719.4 minutes.
Aug 7 07:15:57 pppd[1714]: Sent 144586850 bytes, received 1342640159 bytes.
Aug 7 07:16:06 pppd[1714]: Connection terminated.
Aug 7 07:16:06 pppd[1714]: Modem hangup
Aug 7 07:16:22 pppd[1714]: Timeout waiting for PADO packets
Aug 7 07:16:22 pppd[1714]: Unable to complete PPPoE Discovery
Aug 7 07:16:30 dnsmasq[1716]: no servers found in /etc/resolv.conf, will retry
Aug 7 07:16:31 wpa-supplicant: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Aug 7 07:16:33 wpa-supplicant: Authentication with 00:27:22:4c:9c:1a timed out.
Aug 7 07:16:33 wireless: ath0 Sending disassoc to 00:27:22:4c:9c:1a. Reason: Station has left the basic service area and is disassociated (8).
Aug 7 07:16:33 wireless: ath0 New Access Point/Cell address:Not-Associated
Aug 7 07:16:33 wpa-supplicant: CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys

-- 
kind regards,
Stefan
___
www.epb.at - Your IT Partner in East Austria
Re: Problem with EAP Authentication working not every time
I'm not 100% sure but as far as I know the UBNT equipment has introduced RADIUS client support in firmware 5.x which is still active and under development... RADIUS MAC authentication was introduced in the latest firmware (5.5) so I believe that some things are still not as they should be.

On 8.8.2012 11:59, stefan novak wrote:
RE: rlm_perl added pairs disappear after eap authentication
-----Original message-----
From: freeradius-users-bounces+p.kaagman=atlascollege...@lists.freeradius.org [mailto:freeradius-users-bounces+p.kaagman=atlascollege...@lists.freeradius.org] On behalf of Peter Kaagman
Sent: Thursday, 31 May 2012 13:52
To: freeradius-users@lists.freeradius.org
Subject: rlm_perl added pairs disappear after eap authentication

> Hi there list,
> After getting (P)EAP and MSCHAP working I'm faced with the following problem: The client gets authenticated through MSCHAP and receives an Access-Accept, but the rlm_perl added pairs which were added in request 0 are not sent to the client, resulting in a client ending up in the wrong vlan. I've tried several things to resolve this but with no result. One of which was running the perl code in a post-auth event. This resulted in something like 250 requests and the client not connecting.
> Two things strike me as odd:
> - There is a warning about 2 auth-types - perl and eap
> - Why does the authorization run first? I would have thought authentication comes first.

Did some more debugging as you guys suggested... and sure enough there was an error. A messed up regex which caused the NAS to resend the request over and over. Solved...

But it seems to be a bumpy road and I ran into yet another problem: rlm_perl will not let me load modules. I found reference to this problem on the list in December 2009 in which Alan replied:

quote:
> Коньков Евгений wrote:
>> Can't load '/usr/local/lib/perl5/5.10.1/mach/auto/Data/Dumper/Dumper.so' for module Data::Dumper: /usr/local/lib/perl5/5.10.1/mach/auto/Data/Dumper/Dumper.so: Undefined symbol PL_sv_undef at /usr/local/lib/perl5/5.10.1/mach/XSLoader.pm line 70.
>>  at /usr/local/lib/perl5/5.10.1/mach/Data/Dumper.pm line 36
>
> It turns out this is largely a bug in libltl. (Of course). We won't be able to address it directly in 2.1.8, but you should be able to do minor modifications to 2.1.8 that will fix it.
end quote

I'm using 2.1.10 and am getting:

Can't load '/usr/local/lib/perl/5.14.2/auto/Data/Dumper/Dumper.so' for module Data::Dumper: /usr/local/lib/perl/5.14.2/auto/Data/Dumper/Dumper.so: undefined symbol: PL_charclass at /usr/share/perl/5.14/XSLoader.pm line 71.
 at /usr/local/lib/perl/5.14.2/Data/Dumper.pm line 36

whenever I try to use Data::Dumper, and

Can't load '/usr/lib/perl5/auto/DBI/DBI.so' for module DBI: /usr/lib/perl5/auto/DBI/DBI.so: undefined symbol: PL_thr_key at /usr/lib/perl/5.14/DynaLoader.pm line 184.
 at /usr/lib/perl5/DBI.pm line 268

whenever I try to use DBI.

Looking at the examples on the Wiki it seems other people do not experience the same problems. Any suggestions on how to get this working?

Peter
Re: rlm_perl added pairs disappear after eap authentication
On 06/01/2012 09:08 AM, Peter Kaagman wrote:
> But it seems to be a bumpy road and ran into yet another problem: rlm_perl will not let me load modules. I found reference to this problem on the list in December 2009 in which Alan replied:
> Looking at the examples on the Wiki it seems other people do not experience the same problems. Any suggestions on how to get this working?

I forget the details but I know we patched our packages to fix this a while ago (2 years?).

-- 
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
rlm_perl added pairs disappear after eap authentication
Hi there list,

After getting (p)eap and mschap working I'm faced with the following problem: the client gets authenticated through mschap and receives an Access-Accept, but the rlm_perl added pairs which were added in request 0 are not sent to the client, resulting in a client ending up in the wrong vlan.

I've tried several things to resolve this but with no result. One of which was running the perl code in a post-auth event. This resulted in something like 250 requests and the client not connecting.

Two things strike me as odd:
- There is a warning about 2 auth-types - perl and eap
- Why does the authorization run first? I would have thought authentication comes first.

Below the trace and versions.

Peter

FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 24 2011 at 07:53:12
Ubuntu 64bit 12.04 (wheezy/sid)

FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 24 2011 at 07:53:12
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {
	user = freerad
	group = freerad
	allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
	prefix = /usr
	localstatedir = /var
	logdir = /var/log/freeradius
	libdir = /usr/lib/freeradius
	radacctdir = /var/log/freeradius/radacct
	hostname_lookups = no
	max_request_time = 30
Re: rlm_perl added pairs disapear after eap authentication
Peter Kaagman wrote:
> After getting (p)eap and mschap working I'm faced with the following problem: The client gets authenticated through mschap and receives an Access-Accept but the rlm_perl added pairs which were added in request 0 are not sent to the client.

That's how the server works. It doesn't cache attributes across multiple packets. You'll need to set the VLAN in the post-auth section. That's what it's for. Setting VLANs in the authorize section won't work.

> I've tried several things to resolve this but with no result. One of which was running the perl code in a post-auth event. This resulted in something like 250 requests and the client not connecting.

Uh.. it *will* work if you do it correctly. There's no magic. The client doesn't know about post-auth versus authorize.

> Two things strike me as odd:
> - There is a warning about 2 auth-types - perl and eap

Do NOT set Auth-Type = Perl. Why are you doing that?

> - Why does the authorization run first? I would have thought authentication comes first.

The server runs authorize, authenticate, and then post-auth. The reasons are historical.

> rlm_perl: Added pair User-Name = host/lt-pkn.atlas.atlascollege.nl
> rlm_perl: Added pair EAP-Message = 0x020800061a03
> rlm_perl: Added pair State = 0xed1f2576ec173f556982a467baafe64e
> rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
> rlm_perl: Added pair Auth-Type = Perl

Don't set that.

> [peap] Got tunneled reply code 2
> 	MS-MPPE-Encryption-Policy = 0x0001
> 	MS-MPPE-Encryption-Types = 0x0006
> 	MS-MPPE-Send-Key = 0xa2a8dbf6f2cfb9fdbd0b000663af7c62
> 	MS-MPPE-Recv-Key = 0x2288dd50426a86ee2dca3737658de57c
> 	EAP-Message = 0x03080004
> 	Message-Authenticator = 0x
> 	User-Name = host/lt-pkn.atlas.atlascollege.nl

In which you don't set any additional attributes.

> Sending Access-Accept of id 209 to 10.0.9.48 port 1645
> 	MS-MPPE-Recv-Key = 0x33ecfbf5652ce567309f5f2b1710989bd8c1c1ef2e68386139e7c94f2eb06a75
> 	MS-MPPE-Send-Key = 0x5c0639908bded95e2a61821743bf72ea714a6acc829016d7c4ce07edfdba4223
> 	EAP-Message = 0x03090004
> 	Message-Authenticator = 0x
> 	User-Name = host/lt-pkn.atlas.atlascollege.nl

And you don't set any additional attributes here.

Set the attributes in the post-auth section. It *will* work. If it doesn't, you did something wrong. Show *what* you did, what happened, and what you expected to see.

Alan DeKok.
RE: rlm_perl added pairs disapear after eap authentication
> If it doesn't, you did something wrong. Show *what* you did, what happened, and what you expected to see.
>
> Alan DeKok.

Thanks for the reply Alan. Haven't got a lab available at the moment, will give it a shot tomorrow and get back to you. Of course I did something wrong, no discussion there :D

Funny thing is though... the attributes you tell me not to set in rlm_perl are set automagically (at least to me it looks like magic at the moment)... I did not make them up ;) Neither do I manually set an auth-type other than a default one in the users file as instructed by the rlm_perl wiki page.

But I will get back to you tomorrow with details on what I did and am trying to achieve.

Peter
Re: rlm_perl added pairs disapear after eap authentication
Peter Kaagman wrote:
> Funny thing is though... the attributes you tell me not to set in rlm_perl are set automagically (at least to me it looks like magic at the moment)... I did not make them up ;)

They're not set in the default configuration. Someone changed them. And it's local to you.

> Neither do I manually set an auth-type other than a default one in the users file as instructed by the rlm_perl wiki page.

So... you DID change them. In case the Wiki doesn't make it clear, you ONLY set Auth-Type = Perl if you want the Perl module to be called during the authentication phase. So... don't set it. Delete that entry from the users file.

Alan DeKok.
Re: rlm_perl added pairs disapear after eap authentication
On Thu, May 31, 2012 at 01:51:43PM +0200, Peter Kaagman wrote:
> I've tried several things to resolve this but with no result. One of which was running the perl code in a post-auth event. This resulted in something like 250 requests and the client not connecting.

On the understanding (from above) that everything is working except your perl code that is not setting the VLAN correctly, you could try:

1. Remove everything related to the perl code, so the server authenticates users correctly, but no VLAN is set.

2. Add something like

       update reply {
           Tunnel-Type := 13
           Tunnel-Medium-Type := 6
           Tunnel-Private-Group-Id := 999
       }

   to the outer post-auth section.

3. Verify that the server a) works, and b) sends the above attributes in the Access-Accept (check the debug output).

4. Only after all the above, replace the update reply {} with rlm_perl, and work on that. At this stage you know that setting the AVPs there works, so if it's broken it must be your perl code or rlm_perl settings :-)

Cheers,

Matthew

-- 
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
Re: EAP authentication accept, user not found
Hi,

I'm having the same problem on another Freeradius 1.1.6. I tried to modify it in the same way, but I don't know where to insert the eap action: there is no policy.conf file and I cannot find the same configurations in other files. I can't upgrade this freeradius, also because it has been heavily modified by other consultants, including default tables and queries. Is it possible to do the same thing in this version? Where do I have to modify?

Thanks

--
View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-authentication-accept-user-not-found-tp4841666p4845036.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Re: EAP authentication accept, user not found
andreapepa wrote:
> I can't upgrade this freeradius, also because it has been heavily modified by other consultants, including default tables and queries.

Yes, you can upgrade. It just takes time. If you understand the system, upgrading isn't hard. If you don't understand it, why are you running it?

> Is it possible to do the same thing in this version?

No.

Alan DeKok.
EAP authentication accept, user not found
Hi all,

I'm wondering if my freeradius is acting correctly against the request below. This Mikrotik CPE is authenticating by an EAP certificate and a username with password is requested. The problem is that the CPE is authenticated with every username that doesn't exist in radcheck. Why does FR authenticate even with a nonexistent username?

rad_recv: Access-Request packet from host 10.25.66.8 port 56485, id=162, length=175
	Service-Type = Framed-User
	Framed-MTU = 1400
	User-Name = test155
	State = 0x06c5601b03c36da7f69234e83e184b70
	NAS-Port-Id = wlan2
	Calling-Station-Id = 00-0C-42-B3-D1-F5
	Called-Station-Id = 00-80-48-60-66-D9:WiNET-TR5G506106
	EAP-Message = 0x020600060d00
	Message-Authenticator = 0xd549039a41edfd3e25ff22bdb1f16d60
	NAS-Identifier = ced-wl3
	NAS-IP-Address = 10.25.66.8
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] 	expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.25.66.8/auth-detail-20110926
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.25.66.8/auth-detail-20110926
[auth_log] 	expand: %t -> Mon Sep 26 16:35:21 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = test155, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] 	expand: %{User-Name} -> test155
[sql] sql_set_user escaped user --> 'test155'
rlm_sql (sql): Reserving sql socket id: 19
[sql] 	expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'test155' ORDER BY id
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'test155' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
[sql] 	expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM radusergroup WHERE UserName='test155' ORDER BY priority
rlm_sql_postgresql: query: SELECT GroupName FROM radusergroup WHERE UserName='test155' ORDER BY priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 1
rlm_sql (sql): Released sql socket id: 19
[sql] User test155 not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake is finished
[tls] eaptls_verify returned 3
[tls] eaptls_process returned 3
[tls] Adding user data to cached session
[eap] Freeing handler
++[eap] returns ok
Login OK: [test155] (from client ced-wl3 port 0 cli 00-0C-42-B3-D1-F5)
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 162 to 10.25.66.8 port 56485
	MS-MPPE-Recv-Key = 0xd020f7a2efbb05c6fb255fe6665a12f09f354bdaa6d01b3d5d2c0786b07ca440
	MS-MPPE-Send-Key = 0xa77aaf208423b318ff7f482401d4468af3f9248cbdb611857a5f356bea7725ca
	EAP-Message = 0x03060004
	Message-Authenticator = 0x
	User-Name = test155
Finished request 69.

--
View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-authentication-accept-user-not-found-tp4841666p4841666.html
Re: EAP authentication accept, user not found
> why FR authenticate even with nonexistent username?

I don't know... Why don't you send the full debug log (you know, the bit where the certificates are actually being checked) instead of the last round, where EAP is just inserting the cached response.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
Re: EAP authentication accept, user not found
http://freeradius.1045715.n5.nabble.com/file/n4841780/putty4.log putty4.log

In the attached file the complete log, didn't notice before that the process was so long..

--
View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-authentication-accept-user-not-found-tp4841666p4841780.html
Re: EAP authentication accept, user not found
On 26 Sep 2011, at 17:27, andreapepa wrote:
> http://freeradius.1045715.n5.nabble.com/file/n4841780/putty4.log putty4.log
> In the attached file the complete log, didn't notice before that the process was so long..

A notfound return code in the authorize section means continue with a priority of 1. The EAP module runs after the SQL module and returns handled. A handled return code in the authorize section means return, and so the notfound return code is never processed.

If you want the server to stop processing the request if the user isn't found in the SQL database, rewrite the notfound return code to reject.

    sql {
        notfound = reject
    }

Unfortunately there's no way to signal the EAP module to send an EAP fail, so you have to do it manually...

Add the following to policy.conf

    policy {
        eap_failure {
            if (EAP-Message =~ /^..([0-9a-f]{2})/i) {
                update reply {
                    EAP-Message := 0x04%{1}0004
                }
            }
        }
        ...
    }

Then add a call in post-auth

    post-auth {
        Post-Auth-Type REJECT {
            eap_failure
        }
    }

That rewrites the EAP message returned with the reject to be a 'fail' with the correct ID field value. Extremely hacky, but it works, and is the only way to do it currently...

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
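Arran's eap_failure policy copies the EAP Identifier out of the request's EAP-Message and wraps it in a Failure packet, so the supplicant sees a Failure that matches the Response it just sent rather than a bare Access-Reject. The following is an added example, not part of the thread and not FreeRADIUS code: it does the same construction in Python over the 4-byte EAP header from RFC 3748 (Code, Identifier, Length in network order), so the bytes that %{1} has to capture are explicit, and it also validates the Length field and refuses to answer anything that is not an EAP-Response. The helper accepts either raw bytes or the 0x-prefixed hex rendering seen in the debug output above; in that rendering the Identifier is the fifth and sixth hex characters, so check how your own server expands the attribute before trusting a fixed regex offset. The sample packets are constructed from values quoted in the thread (the 0x020600060d00 Response and the 0x03060004 Success).

```python
"""EAP-Failure construction for an Access-Reject (RFC 3748 header only).

Added example for this thread; not FreeRADIUS code. Models the 4-byte EAP
header: Code (1 byte), Identifier (1 byte), Length (2 bytes, big-endian).
"""
import struct

# EAP codes, RFC 3748 section 4
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_HEADER = struct.Struct("!BBH")  # Code, Identifier, Length


def to_bytes(eap_message) -> bytes:
    """Accept raw bytes or the hex form used in radiusd -X output ("0x0206...")."""
    if isinstance(eap_message, (bytes, bytearray)):
        return bytes(eap_message)
    text = eap_message.strip()
    if text[:2].lower() == "0x":          # strip the debug-output prefix if present
        text = text[2:]
    return bytes.fromhex(text)


def parse_eap_header(eap_message):
    """Return (code, identifier, length); reject truncated or inconsistent packets."""
    raw = to_bytes(eap_message)
    if len(raw) < EAP_HEADER.size:
        raise ValueError("EAP-Message shorter than the 4-byte header")
    code, ident, length = EAP_HEADER.unpack_from(raw)
    if length < EAP_HEADER.size or length > len(raw):
        raise ValueError(f"EAP Length field {length} inconsistent with {len(raw)} bytes")
    return code, ident, length


def _reply_header(request_eap_message, reply_code: int) -> bytes:
    """Build a 4-byte Success/Failure that answers the given EAP-Response."""
    code, ident, _ = parse_eap_header(request_eap_message)
    if code != EAP_RESPONSE:
        raise ValueError(f"expected an EAP-Response (code 2), got code {code}")
    # Success and Failure carry no data, so Length is exactly the header size
    return EAP_HEADER.pack(reply_code, ident, EAP_HEADER.size)


def build_eap_failure(request_eap_message) -> bytes:
    """EAP-Failure (Code 4) with the same Identifier as the request, Length 4."""
    return _reply_header(request_eap_message, EAP_FAILURE)


def build_eap_success(request_eap_message) -> bytes:
    """EAP-Success (Code 3), for comparison with the Access-Accept shown in the thread."""
    return _reply_header(request_eap_message, EAP_SUCCESS)


def as_radius_hex(packet: bytes) -> str:
    """Render the way the debug output does: EAP-Message = 0x04060004."""
    return "0x" + packet.hex()


if __name__ == "__main__":
    # Constructed from the thread: EAP-TLS ACK, Response, Identifier 6
    request = "0x020600060d00"
    print("request header:", parse_eap_header(request))
    print("failure       :", as_radius_hex(build_eap_failure(request)))
    print("success       :", as_radius_hex(build_eap_success(request)))
```

Run against the Response in the thread the Failure comes out as 0x04060004, which is exactly what the Access-Reject further down this page carries. Because the Identifier is copied from the request, a Failure built for a stale or replayed Response will not match the supplicant's current conversation; that is the check the regex-based policy is relying on the server to get right.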
Re: EAP authentication accept, user not found
Hi Arran,

Thank you, that works great!

--
View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-authentication-accept-user-not-found-tp4841666p4842017.html
Re: Mac OSX FreeRadius EAP Authentication making progress - But still not there
I'd recommend you start poking at this to see why ntlm_auth is failing. Are you having Samba problems? Is your machine part of whatever domain it's trying to authenticate against? I noticed there's no Domain in the User-Name field, whereas when I'm looking at Domain authentications, I usually see domain\username coming from the users. I'm not certain how that'll affect Samba's behavior, but it's worth double checking so that you're confident about it.

- Jacob

On 5 Sep 2011, at 00:26, DavidS wrote:
> [2011/09/04 21:07:10, 0, pid=1176] /SourceCache/samba/samba-235.7/samba/source/utils/ntlm_auth.c:get_winbind_domain(146)
>   could not obtain winbind domain name!
> Exec-Program output: Reading winbind reply failed! (0xc001)
> Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc001)
> Exec-Program: returned: 1
> [mschap] External script failed.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
Mac OSX FreeRadius EAP Authentication making progress - But still not there
DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 68 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 68
Sending Access-Reject of id 221 to 192.168.0.98 port 1645
	EAP-Message = 0x04060004
	Message-Authenticator = 0x
Waking up in 3.9 seconds.
Cleaning up request 63 ID 216 with timestamp +907
Cleaning up request 64 ID 217 with timestamp +907
Cleaning up request 65 ID 218 with timestamp +907
Cleaning up request 66 ID 219 with timestamp +907
Cleaning up request 67 ID 220 with timestamp +907
Waking up in 1.0 seconds.
Cleaning up request 68 ID 221 with timestamp +907
Ready to process requests.

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Mac-OSX-FreeRadius-EAP-Authentication-making-progress-But-still-not-there-tp4769218p4769218.html
Freeradius error with eap authentication
Hi,

I have some problems with Freeradius and EAP. I use freeradius version 2.1.11 on debian 5.

When I start the radius server in debug mode (radiusd -xX), there are no errors (file debug1.txt). When the eduroam server enables a connection on your freeradius server, I have some errors (file debug2.txt).

Could you help me?

Best regards

Didier Denjean
Administrateur Systèmes et Réseaux
AMUE Montpellier
34 rue Henri Nogueres
34090 MONTPELLIER
04 99 77 30 11

Wed Jul 20 10:04:35 2011 : Info: FreeRADIUS Version 2.1.11, for host i686-pc-linux-gnu, built on Jul 19 2011 at 16:35:48
Wed Jul 20 10:04:35 2011 : Info: Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
Wed Jul 20 10:04:35 2011 : Info: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Wed Jul 20 10:04:35 2011 : Info: PARTICULAR PURPOSE.
Wed Jul 20 10:04:35 2011 : Info: You may redistribute copies of FreeRADIUS under the terms of the
Wed Jul 20 10:04:35 2011 : Info: GNU General Public License v2.
Wed Jul 20 10:04:35 2011 : Info: Starting - reading configuration files ...
Wed Jul 20 10:04:35 2011 : Debug: including configuration file /usr/local/freeradius-2.1.11/etc/raddb/radiusd.conf
Wed Jul 20 10:04:35 2011 : Debug: including configuration file /usr/local/freeradius-2.1.11/etc/raddb/proxy.conf
Wed Jul 20 10:04:35 2011 : Debug: including configuration file /usr/local/freeradius-2.1.11/etc/raddb/clients.conf
Wed Jul 20 10:04:35 2011 : Debug: including files in directory /usr/local/freeradius-2.1.11/etc/raddb/modules/
Wed Jul 20 10:04:35 2011 : Debug: including configuration file /usr/local/freeradius-2.1.11/etc/raddb/modules/ldap
Wed Jul 20 10:04:35 2011 : Debug: including configuration file /usr/local/freeradius-2.1.11/etc/raddb/modules/pap
Wed Jul 20 10:04:35 2011 : Debug: including configuration file /usr/local/freeradius-2.1.11/etc/raddb/modules/wimax
Wed Jul 20 10:04:35 2011 : Debug: including configuration file /usr/local/freeradius-2.1.11/etc/raddb/modules/chap
Wed Jul 20 10:04:35 2011 : Debug: including configuration file /usr/local/freeradius-2.1.11/etc/raddb/modules/expiration
Wed Jul 20 10:04:35 2011 : Debug: including configuration file /usr/local/freeradius-2.1.11/etc/raddb/modules/redis
Wed Jul 20 10:04:35 2011 : Debug: including configuration file /usr/local/freeradius-2.1.11/etc/raddb/modules/realm
Wed Jul 20 10:04:35 2011 : Debug: including configuration file /usr/local/freeradius-2.1.11/etc/raddb/modules/counter
Wed Jul 20 10:04:35 2011 : Debug: including configuration file /usr/local/freeradius-2.1.11/etc/raddb/modules/attr_rewrite
Wed Jul 20 10:04:35 2011 : Debug: including configuration file /usr/local/freeradius-2.1.11/etc/raddb/modules/passwd
Wed Jul 20 10:04:35 2011 : Debug: including configuration file /usr/local/freeradius-2.1.11/etc/raddb/modules/exec
Wed Jul 20 10:04:35 2011 : Debug: including configuration file /usr/local/freeradius-2.1.11/etc/raddb/modules/sql_log
Wed Jul 20 10:04:35 2011 : Debug: including configuration file /usr/local/freeradius-2.1.11/etc/raddb/modules/dynamic_clients
Wed Jul 20 10:04:35 2011 : Debug: including configuration file /usr/local/freeradius-2.1.11/etc/raddb/modules/digest
Wed Jul 20 10:04:35 2011 : Debug: including configuration file /usr/local/freeradius-2.1.11/etc/raddb/modules/policy
Wed Jul 20 10:04:35 2011 : Debug: including configuration file /usr/local/freeradius-2.1.11/etc/raddb/modules/radutmp
Wed Jul 20 10:04:35 2011 : Debug: including configuration file /usr/local/freeradius-2.1.11/etc/raddb/modules/soh
Wed Jul 20 10:04:35 2011 : Debug: including configuration file /usr/local/freeradius-2.1.11/etc/raddb/modules/pam
Wed Jul 20 10:04:35 2011 : Debug: including configuration file /usr/local/freeradius-2.1.11/etc/raddb/modules/smsotp
Wed Jul 20 10:04:35 2011 : Debug: including configuration file /usr/local/freeradius-2.1.11/etc/raddb/modules/sqlcounter_expire_on_login
Wed Jul 20 10:04:35 2011 : Debug: including configuration file /usr/local/freeradius-2.1.11/etc/raddb/modules/smbpasswd
Wed Jul 20 10:04:35 2011 : Debug: including configuration file /usr/local/freeradius-2.1.11/etc/raddb/modules/detail.log
Wed Jul 20 10:04:35 2011 : Debug: including configuration file /usr/local/freeradius-2.1.11/etc/raddb/modules/detail
Wed Jul 20 10:04:35 2011 : Debug: including configuration file /usr/local/freeradius-2.1.11/etc/raddb/modules/sradutmp
Wed Jul 20 10:04:35 2011 : Debug: including configuration file /usr/local/freeradius-2.1.11/etc/raddb/modules/cui
Wed Jul 20 10:04:35 2011 : Debug: including configuration file /usr/local/freeradius-2.1.11/etc/raddb/modules/checkval
Wed Jul 20 10:04:35 2011 : Debug: including configuration file /usr/local/freeradius-2.1.11/etc/raddb/modules/mac2ip
Wed Jul 20 10:04:35 2011 : Debug: including configuration file /usr/local/freeradius-2.1.11/etc/raddb/modules/ntlm_auth
Wed Jul 20 10:04:35 2011 : Debug: including configuration file /usr/local/freeradius-2.1.11/etc/raddb/modules/files
Re: Freeradius error with eap authentication
On 07/20/2011 09:22 AM, DENJEAN Didier wrote:
> Hi, I have some problems with Freeradius and EAP. I use freeradius version 2.1.11 on debian 5.
> When I start the radius server in debug mode (radiusd -xX), there are no errors (file debug1.txt). When the eduroam server enables a connection on your freeradius server, I have some errors (file debug2.txt).
> Could you help me?

> Wed Jul 20 10:14:01 2011 : Info: WARNING: Empty authorize section. Using default return values.
> Wed Jul 20 10:14:01 2011 : Info: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
> Wed Jul 20 10:14:01 2011 : Info: Failed to authenticate the user.
> Wed Jul 20 10:14:01 2011 : Info: Delaying reject of request 0 for 1 seconds

You have deleted or broken the server config. Uninstall it and start again with the default config.
postproxy breaks eap authentication
Hi,

I have 2 freeradius servers: 1 as proxy server, 1 as authentication server. Everything is working fine (Auth. for WPA2, MSCHAPv2) until I implement the postproxy function: then the authentication process does not finish. Putting the vlanid etc. into radreply on the authentication radius, everything is working also. Is there something wrong in my config?

Version: freeradius/lucid uptodate 2.1.8+dfsg-1ubuntu1

/etc/freeradius/sites-enabled/default:

    post-proxy {
        post_proxy_log
        #attr_rewrite
        attr_filter.post-proxy
        eap
        # Post-Proxy-Type Fail {
        #     detail
        # }

/etc/freeradius/attrs:

    tu-dortmund.de
        Tunnel-Private-Group-ID := 8,
        Fall-Through = Yes

    DEFAULT
        Tunnel-Type := VLAN,
        Tunnel-Medium-Type := IEEE-802

Regards
hans

-- 
Hans Bornemann
IT Medien Centrum - TU Dortmund
Tel. 0049 231 7552132
Re: postproxy breaks eap authentication
On 17/11/10 12:31, hans.bornem...@tu-dortmund.de wrote:
> Hi, I have 2 freeradius servers: 1 as proxy server, 1 as authentication server. Everything is working fine (Auth. for WPA2, MSCHAPv2) until I implement the postproxy function:

Post the debugging output, as advised frequently on this list:

    radiusd -X | tee log

> post-proxy {
>     post_proxy_log
>     #attr_rewrite
>     attr_filter.post-proxy

You're probably filtering the EAP-Message and other required attributes out

> /etc/freeradius/attrs:
>
> tu-dortmund.de
>     Tunnel-Private-Group-ID := 8,
>     Fall-Through = Yes
>
> DEFAULT
>     Tunnel-Type := VLAN,
>     Tunnel-Medium-Type := IEEE-802

This filter is insufficient. Please study the examples - you need at least:

    Reply-Message =* ANY,
    Proxy-State =* ANY,
    EAP-Message =* ANY,
    Message-Authenticator =* ANY,
    MS-MPPE-Recv-Key =* ANY,
    MS-MPPE-Send-Key =* ANY,
    MS-CHAP-MPPE-Keys =* ANY,
    State =* ANY

...to be sure of EAP working.
Re: AW: postproxy breaks eap authentication
hans.bornem...@tu-dortmund.de wrote:
> the debug output: the differences begin at line 82.

shrug. You can try to figure out exactly what is misconfigured, or you can go back to using the default configuration.

The default configuration works for proxying EAP packets. If your configuration doesn't work, it's because you changed something and broke it. If you don't know what you changed to break the server, your management processes are insufficient. Track which changes you made, why you made them, and test the configuration before you make any permanent change.

Alan DeKok.
AW: AW: postproxy breaks eap authentication
> The default configuration works for proxying EAP packets. If your configuration doesn't work, it's because you changed something and broke it.

The default config is working, I wrote that in the first mail. IF I make this additional config, then eap is broken:

/etc/freeradius/sites-enabled/default:

    post-proxy {
        post_proxy_log
        #attr_rewrite
        attr_filter.post-proxy
        eap
        # Post-Proxy-Type Fail {
        #     detail
        # }

/etc/freeradius/attrs:

    tu-dortmund.de
        Tunnel-Private-Group-ID := 8,
        Fall-Through = Yes

    DEFAULT
        Tunnel-Type := VLAN,
        Tunnel-Medium-Type := IEEE-802

> If you don't know what you changed to break the server, your management processes are insufficient. Track which changes you made, why you made them, and test the configuration before you make any permanent change.
>
> Alan DeKok.
Re: AW: AW: postproxy breaks eap authentication
On 17/11/10 14:27, hans.bornem...@tu-dortmund.de wrote:
> The default config is working, I wrote that in the first mail. IF I make this additional config, then eap is broken:
>
> /etc/freeradius/sites-enabled/default:
>
>     post-proxy {
>         post_proxy_log
>         #attr_rewrite
>         attr_filter.post-proxy
>         eap
>         # Post-Proxy-Type Fail {
>         #     detail
>         # }
>
> /etc/freeradius/attrs:
>
>     tu-dortmund.de
>         Tunnel-Private-Group-ID := 8,
>         Fall-Through = Yes
>
>     DEFAULT
>         Tunnel-Type := VLAN,
>         Tunnel-Medium-Type := IEEE-802

Yes, BECAUSE YOU HAVE BROKEN EAP. Did you read my email?

EAP requires the EAP-Message, Message-Authenticator and other attributes. You have configured the attribute filter to remove them. So EAP is breaking. Fix your broken attribute filter. Look at the /etc/raddb/attrs file that comes with FreeRadius.
Re: AW: postproxy breaks eap authentication
Hi,

>> The default configuration works for proxying EAP packets. If your configuration doesn't work, it's because you changed something and broke it.
>
> The default config is working, I wrote that in the first mail. IF I make this additional config, then eap is broken:
>
> /etc/freeradius/attrs:
>
>     tu-dortmund.de
>         Tunnel-Private-Group-ID := 8,
>         Fall-Through = Yes
>
>     DEFAULT
>         Tunnel-Type := VLAN,
>         Tunnel-Medium-Type := IEEE-802

THAT file isn't the default config. You have pretty much removed all of the attributes that must be passed through for EAP to work. Basically, what you have done is said, 'okay, you've authenticated, but before I send the packet back, I will run it through a filter'. Your filter doesn't list any of the required attributes and therefore is breaking things.

The email from Phil correctly stated all the attributes needed as a minimum. These are in the default attrs file - I know, because I ensured all the right ones were there for EAP proxy to work (back in 1.0.x days) - I deal with several queries each month from sites where they have just enabled pre-proxy or post-proxy filtering for security - without realising what they are doing.

I wouldn't put those values into attrs... I would use a different way

alan
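The three replies above make the same point: an attrs entry that contains only `:=` items lets nothing from the proxied Access-Accept through, so the EAP-Message, Message-Authenticator and MPPE keys the home server returned never reach the NAS and the EAP conversation dies. The following is an added example, not rlm_attr_filter's code and not part of the thread: a small Python model of the post-proxy filter that implements only the three things the thread depends on (`=* ANY` passes an attribute with any value, `:=` forces a value, `Fall-Through = Yes` also applies the DEFAULT entry). It runs the attrs file as posted and the same file with Phil's minimum pass-through list against a constructed home-server reply, and reports what each version drops. The realm key, the attribute values and the reply contents are constructed placeholders, and the model assumes the entry is selected by realm the way attr_filter.post-proxy's default key does.

```python
"""Model of post-proxy attribute filtering for the attrs file in this thread.

Added example; not rlm_attr_filter's own code. Implements three operators only:
'=*' (pass through any value), ':=' (force a value) and 'Fall-Through = Yes'
(also apply the DEFAULT entry). Anything in the proxied reply without a matching
rule is dropped, which is the failure mode the thread describes.
"""

PASS_ANY, FORCE = "=*", ":="

# The attrs file as posted: entry key (realm) -> list of (attribute, operator, value)
BROKEN_RULES = {
    "tu-dortmund.de": [
        ("Tunnel-Private-Group-ID", FORCE, "8"),
        ("Fall-Through", "=", "Yes"),
    ],
    "DEFAULT": [
        ("Tunnel-Type", FORCE, "VLAN"),
        ("Tunnel-Medium-Type", FORCE, "IEEE-802"),
    ],
}

# The minimum pass-through list given in the replies above
EAP_PASSTHROUGH = (
    "Reply-Message", "Proxy-State", "EAP-Message", "Message-Authenticator",
    "MS-MPPE-Recv-Key", "MS-MPPE-Send-Key", "MS-CHAP-MPPE-Keys", "State",
)

# Same file with the pass-through rules added to the DEFAULT entry
FIXED_RULES = {
    "tu-dortmund.de": BROKEN_RULES["tu-dortmund.de"],
    "DEFAULT": BROKEN_RULES["DEFAULT"] + [(a, PASS_ANY, "ANY") for a in EAP_PASSTHROUGH],
}

# Constructed Access-Accept from the home server (placeholder values, not from the thread)
HOME_SERVER_REPLY = [
    ("EAP-Message", "0x03090004"),
    ("Message-Authenticator", "0x" + "00" * 16),
    ("MS-MPPE-Recv-Key", "0x" + "11" * 32),
    ("MS-MPPE-Send-Key", "0x" + "22" * 32),
    ("User-Name", "someone@tu-dortmund.de"),
]


def applicable_rules(rules, key):
    """Rules for `key`: its own entry, then DEFAULT if that entry falls through
    (or if there is no entry for the key at all)."""
    items = list(rules.get(key, []))
    falls_through = any(a == "Fall-Through" and v.lower() == "yes" for a, _, v in items)
    if key not in rules or falls_through:
        items.extend(rules.get("DEFAULT", []))
    return items


def filter_reply(reply, rules, key):
    """Attribute pairs that survive the filter for `key`, in packet order,
    followed by the ':=' attributes (which replace any value the packet carried)."""
    items = applicable_rules(rules, key)
    allowed = {a for a, op, _ in items if op == PASS_ANY}
    forced = {a: v for a, op, v in items if op == FORCE}
    kept = [(a, v) for a, v in reply if a in allowed and a not in forced]
    kept.extend(forced.items())
    return kept


def dropped_by_filter(reply, rules, key):
    """Names of reply attributes the filter removes; a useful check before enabling
    attr_filter.post-proxy on a server that proxies EAP."""
    survivors = {a for a, _ in filter_reply(reply, rules, key)}
    return [a for a, _ in reply if a not in survivors]


if __name__ == "__main__":
    for label, rules in (("attrs as posted", BROKEN_RULES), ("with pass-through", FIXED_RULES)):
        print(f"{label:18s} drops: {dropped_by_filter(HOME_SERVER_REPLY, rules, 'tu-dortmund.de')}")
```

With the file as posted every attribute of the reply is dropped and only the three forced Tunnel-* attributes go back to the NAS; with the pass-through rules added, the EAP and MPPE attributes survive and the VLAN attributes are still forced. Note that User-Name is dropped in both cases because it is not on the minimum list: the model only keeps what the rules name, so extend the list for anything else the NAS expects.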
Re: Freeradius EAP authentication
When I installed the operating system, I installed it with the LAMP option, which is supposed to have OpenSSL already installed. Even so, I've re-installed it but it does not work. Do I have to put something in radiusd.conf to search for the OpenSSL libraries?

Thanks
Re: Freeradius EAP authentication
On 12/02/2009 07:18 AM, Diego Chovares Moreno wrote:
> When I installed the operating system, I installed it with the LAMP option, which is supposed to have OpenSSL already installed. Even so, I've re-installed it but it does not work. Do I have to put something in radiusd.conf to search for the OpenSSL libraries?
> Thanks

There is a difference between runtime support for SSL and being able to build a program which uses SSL. If you're trying to build FreeRADIUS it is *not* sufficient to have *only* runtime support, you *must* also have the development files installed.

-- 
John Dennis jden...@redhat.com
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: Freeradius EAP authentication
Hi, When I installed the operating system, I installed it with the LAMP option, which is supposed to already include OpenSSL. Even so, I've re-installed it but it does not work. Do I have to put something in radiusd.conf to search for the OpenSSL libraries? Thanks You need not just the SSL toolset (eg openssl), you also need the development libraries and headers.. usually this would be eg 'openssl-devel'. alan
Freeradius EAP authentication
Hello everyone, I am installing a RADIUS server on a ubuntu server with freeradius. All tests are working properly except when I try to connect through an access point. This is the debug that I get: rad_recv: Access-Request packet from host 192.168.1.1 port 1084, id=1, length=206 Message-Authenticator = 0x789bf39c8f59de88701888fc6ed3a2f2 Service-Type = Framed-User User-Name = diego\000 Framed-MTU = 1488 State = 0x734ffec0734ee45437bb08e87fc6420c Called-Station-Id = 00-15-E9-A3-01-CE:radius Calling-Station-Id = 00-15-AF-9F-8D-E0 NAS-Identifier = D-Link Access Point NAS-Port-Type = Wireless-802.11 Connect-Info = CONNECT 54Mbps 802.11g EAP-Message = 0x020100060319 NAS-IP-Address = 192.168.1.1 NAS-Port = 1 NAS-Port-Id = STA port # 1 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = diego, looking up realm NULL [suffix] No such realm NULL ++[suffix] returns noop [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop expand: %{User-Name} - diego [sql] sql_set_user escaped user -- 'diego' rlm_sql (sql): Reserving sql socket id: 3 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id - SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'diego' ORDER BY id [sql] User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id - SELECT id, username, attribute, value, op FROM radreply WHERE username = 'diego' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority - SELECT groupname FROM radusergroup WHERE username = 'diego' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing 
Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] NAK asked for unsupported type 25 [eap] No common EAP types found. [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} expand: %{User-Name} - diego [sql] sql_set_user escaped user -- 'diego' expand: %{User-Password} - expand: %{Chap-Password} - expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') - INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'diego', '', 'Access-Reject', '2009-11-27 17:33:06') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'diego', '', 'Access-Reject', '2009-11-27 17:33:06') rlm_sql (sql): Reserving sql socket id: 2 rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok expand: %{User-Name} - diego attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 1 to 192.168.1.1 port 1084 EAP-Message = 0x04010004 Message-Authenticator = 0x Waking up in 3.9 seconds. Cleaning up request 0 ID 0 with timestamp +53 Waking up in 0.9 seconds. Cleaning up request 1 ID 1 with timestamp +53 Ready to process requests. I think the error occurs here: [eap] EAP NAK [eap] NAK asked for unsupported type 25 [eap] No common EAP types found. [eap] Failed in EAP select But I do not know how to fix it ... if anyone can help I would be extremely grateful, as I have tried many things, but nothing fixes it. Thanks in advance and greetings
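The two EAP-Message values in that debug output can be decoded by hand to confirm what the server is complaining about. The decoder below is an added example written for this thread (not FreeRADIUS code): it parses the RFC 3748 EAP header (Code, Identifier, Length, Type), expands a Legacy NAK into the method numbers the client asked for, and compares them with the "rlm_eap: Loaded and initialized type ..." lines a server prints at startup. The startup lines are constructed for the example to model a build where PEAP never loaded; the two packets are the ones in the post.

```python
"""Decode EAP-Message values from `radiusd -X` output (added example, not FreeRADIUS code).

Packet layout is the EAP header from RFC 3748: Code(1) Identifier(1)
Length(2) [Type(1) Type-Data]. Type numbers are the IANA EAP method numbers.
"""
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {
    1: "Identity", 2: "Notification", 3: "Legacy NAK", 4: "MD5-Challenge",
    6: "GTC", 13: "TLS", 17: "LEAP", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2",
}
# eap.conf sub-module names as they appear in "Loaded and initialized type ..."
MODULE_TO_TYPE = {"md5": 4, "gtc": 6, "tls": 13, "leap": 17,
                  "ttls": 21, "peap": 25, "mschapv2": 26}
LOADED_RE = re.compile(r"rlm_eap: Loaded and initialized type (\w+)")


def decode_eap_message(hexstr):
    """Parse one EAP-Message value as the debug output prints it (0x...)."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header is at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"Length field {length} does not match {len(raw)} bytes")
    info = {"code": EAP_CODES.get(code, f"unknown({code})"),
            "id": ident, "length": length}
    if code in (1, 2) and length >= 5:          # Request/Response carry a Type
        eap_type = raw[4]
        info["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
        if eap_type == 3:                       # Legacy NAK: data = wanted types
            info["nak_wants"] = list(raw[5:])
    return info


def loaded_eap_types(debug_text):
    """EAP method numbers the server reported loading at startup."""
    return {MODULE_TO_TYPE[m.lower()] for m in LOADED_RE.findall(debug_text)
            if m.lower() in MODULE_TO_TYPE}


def diagnose_nak(nak_hex, debug_text):
    """Explain a NAK the way the server's 'No common EAP types' message does."""
    info = decode_eap_message(nak_hex)
    if info.get("type") != "Legacy NAK":
        return "not a NAK"
    supported = loaded_eap_types(debug_text)
    common = [t for t in info["nak_wants"] if t in supported]
    if common:
        return "common type: " + EAP_TYPES.get(common[0], str(common[0]))
    wanted = ", ".join(f"{t} ({EAP_TYPES.get(t, '?')})" for t in info["nak_wants"])
    have = ", ".join(EAP_TYPES.get(t, str(t)) for t in sorted(supported))
    return f"No common EAP types: peer wants {wanted}; server loaded {have}"


# Constructed startup lines modelling a server on which PEAP/TTLS never
# loaded (what a build without the OpenSSL headers looks like).
SAMPLE_DEBUG = """
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type tls
rlm_eap: Loaded and initialized type mschapv2
"""

if __name__ == "__main__":
    print(decode_eap_message("0x020100060319"))   # the client's NAK
    print(decode_eap_message("0x04010004"))       # the server's EAP-Failure
    print(diagnose_nak("0x020100060319", SAMPLE_DEBUG))
```

`0x020100060319` decodes to Response, id 1, length 6, type 3 (Legacy NAK) asking for type 25 (PEAP); `0x04010004` is the EAP-Failure the server sends back. Once a `peap` line appears in the startup output the same NAK is reported as having a common type.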
Re: Freeradius EAP authentication
Hello everyone, I am installing a RADIUS server on a ubuntu server with freeradius. All tests are working properly except when I try to connect through an access point. This is the debug that I get: [eap] EAP NAK [eap] NAK asked for unsupported type 25 [eap] No common EAP types found. [eap] Failed in EAP select Go back to the configure output and see what happened with OpenSSL support. It looks like OpenSSL or its development libraries aren't installed. Fix that and then build freeradius again. Ivan Kalik
Is it possible to terminate EAP/Authentication on an entirely different radius box through freeradius?
Hi all, I have a question that some coworkers and I have been unable to answer in the last few weeks and we are hoping to have your insight. Here are the details (if I leave something important out, please let me know): We are running radiusd: FreeRADIUS Version 1.1.7, for host sparc-sun-solaris2.10 Currently we have TTLS/PAP authentication set up and working just fine. Some authentication occurs locally, while other realms are proxied off to another radius server that shares a secret with us, but all TTLS tunnels are terminated by our freeradius box and then proxying is done radius server to radius server. In the near future we will have some AD servers (LDAP) which will authenticate enterprise-wide credentials that are being issued to everyone on campus. In lab, we have made PEAP terminate on freeradius and then have used ntlm_auth samba to proxy ms_chap out to the AD server for authentication. What we are wondering is if it's possible to still have requests come through to our freeradius box, and instead of providing the certificate and proxying the contents of the inner tunnel to the AD box.. if it's possible to simply proxy the entire request, PEAP/MSCHAP and all directly to their AD servers? They are hesitant to allow our freeradius box to join the domain, and if it's doable, a workaround would be the preferred route. I hope this makes sense and thanks for any help offered. Sincerely, Max
Re: Is it possible to terminate EAP/Authentication on an entirely different radius box through freeradius?
What we are wondering is if it's possible to still have requests come through to our freeradius box, and instead of providing the certificate and proxying the contents of the inner tunnel to the AD box.. if it's possible to simply proxy the entire request, PEAP/MSCHAP and all directly to their AD servers? They are hesitant to allow our freeradius box to join the domain, and if it's doable, a workaround would be the preferred route. No, a domain controller is not a radius server. They would need to set up IAS. Freeradius can proxy to that thing. Ivan Kalik Kalik Informatika ISP
Re: Is it possible to terminate EAP/Authentication on an entirely different radius box through freeradius?
Thanks for the quick reply and your help. Setting up IAS/NPS is not a problem. Assuming this is set up on the AD box, can we simply terminate PEAP type connections or connections for a certain realm at their IAS/NPS instead of at radiusd? That is to say, all we want freeradius to do is recognize a certain trigger and simply send the connection to IAS/AD for the entire authentication and authorization process. We do not want to use samba and ntlm_auth if such a thing is feasible for TTLS/MSCHAP, we simply want the entire radius access-request from the NAS to go through to their IAS from us. Sincerely, Max Ivan Kalik wrote: What we are wondering is if it's possible to still have requests come through to our freeradius box, and instead of providing the certificate and proxying the contents of the inner tunnel to the AD box.. if it's possible to simply proxy the entire request, PEAP/MSCHAP and all directly to their AD servers? They are hesitant to allow our freeradius box to join the domain, and if it's doable, a workaround would be the preferred route. No, a domain controller is not a radius server. They would need to set up IAS. Freeradius can proxy to that thing. Ivan Kalik Kalik Informatika ISP
Re: Is it possible to terminate EAP/Authentication on an entirely different radius box through freeradius?
Hi, What we are wondering is if it's possible to still have requests come through to our freeradius box, and instead of providing the certificate and proxying the contents of the inner tunnel to the AD box.. if it's possible to simply proxy the entire request, PEAP/MSCHAP and all directly to their AD servers? They are hesitant to allow our freeradius box to join the domain, and if it's doable, a workaround would be the preferred route. yes, sure you can - they'll have to run IAS or NPS (ad2003 or ad2008 etc) and then you simply proxy the whole shaboodle off to them to deal with - then you don't need to play around with ntlm_auth etc etc. of course, they'll have to put the required certs onto their auth system but that's a minor issue. alan
Re: Is it possible to terminate EAP/Authentication on an entirely different radius box through freeradius?
I can't believe it. We had a line in our hints file that was totally screwing us up -- I had no idea it was there until just now:
DEFAULT Prefix == anonymous, Strip-User-Name = No
Realm = LOCAL
This is why I couldn't understand what you guys were talking about, since we always use anonymous as our outer-identity for TLS type connections, I could not for the life of me figure out why adding a server to the proxy.conf would ever work. Is it possible to select based on EAP-type (i.e. if TTLS, do LOCAL authentication?) Right now we are doing it based on prefix/suffix. Regardless, I think we have this solved now. This problem was way easier than we thought once we got a grasp on all of the processing we were doing. Argh! Thank you Ivan and Alan for pointing us in the right direction. Sincerely, Max a.l.m.bu...@lboro.ac.uk wrote: Hi, What we are wondering is if it's possible to still have requests come through to our freeradius box, and instead of providing the certificate and proxying the contents of the inner tunnel to the AD box.. if it's possible to simply proxy the entire request, PEAP/MSCHAP and all directly to their AD servers? They are hesitant to allow our freeradius box to join the domain, and if it's doable, a workaround would be the preferred route. yes, sure you can - they'll have to run IAS or NPS (ad2003 or ad2008 etc) and then you simply proxy the whole shaboodle off to them to deal with - then you don't need to play around with ntlm_auth etc etc. of course, they'll have to put the required certs onto their auth system but that's a minor issue. alan
Re: Is it possible to terminate EAP/Authentication on an entirely different radius box through freeradius?
Is it possible to select based on EAP-type (i.e. if TTLS, do LOCAL authentication?) Right now we are doing it based on prefix/suffix. Stick to it. Since the radius server has no say in what authentication protocol is used (that is determined between NAS and supplicant) such a policy would be easily defeated. Ivan Kalik Kalik Informatika ISP
Problems with EAP authentication
I have a problem authenticating with Cisco Aironet 1200 access point. I have valid certificates on my laptop and on Freeradius. This is the output on AP: Interface Dot11Radio0, Deauthenticating Station 001e.4c8c.8406 Reason: Sending station has left the BSS Interface Dot11Radio0, Station NBD7FB3G3J 001e.4c8c.8406 Associated KEY_MGMT[NONE] 3 Interface Dot11Radio0, Deauthenticating Station 001e.4c8c.8406 Reason: Previous authentication no longer valid This is what I get on freeradius: [EMAIL PROTECTED] ~]# radiusd -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf main: prefix = /usr main: localstatedir = /var main: logdir = /var/log/radius main: libdir = /usr/lib main: radacctdir = /var/log/radius/radacct main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = /var/log/radius/radius.log main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = /var/run/radiusd/radiusd.pid main: user = root main: group = root main: usercollide = no main: lower_user = no main: lower_pass = no main: nospace_user = no main: nospace_pass = no main: checkrad = /usr/sbin/checkrad main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. 
read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = (null) exec: input_pairs = request exec: output_pairs = (null) exec: packet_type = (null) rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = crypt Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = (null) mschap: ntlm_auth = (null) Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = /etc/passwd unix: shadow = /etc/shadow unix: group = /etc/group unix: radwtmp = /var/log/radius/radwtmp unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = tls eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = Password: gtc: auth_type = PAP rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = (null) tls: pem_file_type = yes tls: private_key_file = /etc/raddb/certs/server_keycert.pem tls: certificate_file = /etc/raddb/certs/server_keycert.pem tls: CA_file = /etc/raddb/certs/cacert.pem tls: private_key_password = freeradius tls: dh_file = /etc/raddb/certs/dh tls: random_file = /etc/raddb/certs/random tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = (null) tls: cipher_list = (null) tls: check_cert_issuer = (null) rlm_eap_tls: Loading the certificate 
file as a chain rlm_eap: Loaded and initialized type tls mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = /etc/raddb/huntgroups preprocess: hints = /etc/raddb/hints preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = suffix realm: delimiter = @ realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = /etc/raddb/users files: acctusersfile = /etc/raddb/acct_users files: preproxy_usersfile = /etc/raddb/preproxy_users files: compat = no Module:
Re: Problems with EAP authentication
Tomislav Goluza wrote: I have a problem authenticating with Cisco Aironet 1200 access point. I have valid certificates on my laptop and on Freeradius. Are you sure? This is the output on AP: Which is irrelevant. This is what I get on freeradius: ... Sending Access-Challenge of id 24 to 192.168.177.121 port 1645 ... Finished request 1 Going to the next request Waking up in 6 seconds... This is in the FAQ in the comments in eap.conf. Please read them. If you think you have the right certificates, check again. Windows is telling you that you DO NOT have the right certificates. Alan DeKok.
Re: Fwd: EAP Authentication
I want to authenticate users using EAP authentication. I managed to generate the client and root certs from Free Radius. I have installed the client cert in my notebook and managed to get authenticated via AP to Radius. But I can't seem to find them in the Free Radius accounting database. Does the debug show accounting packets? If not, the portal is not sending them. There is no log event in the database. I want them to be authenticated in the radcheck table so that I can set bandwidth for them. No need. sql is a database - it doesn't do authentication, just stores data. Set the bandwidth in the radreply table and leave certificate authentication as it is. Would it be possible to also have monowall users log into the captive portal at the same time with EAP turned on in Free Radius. I want private users to authenticate via certs and also go through the captive portal. If I enable EAP TLS then users can't login using the captive portal login page. That's the whole idea. The portal captures users that are *not* authenticated. It does not capture them after authentication. Ivan Kalik Kalik Informatika ISP
Re: Fwd: EAP Authentication
Hi Ivan Yes I managed to solve the problem. I was using files instead of SQL as I followed the wiki example on 802.1x secure wireless. Now I can authenticate users with certs and then they login into the captive portal to login to the Radius Server. Thanks Devinder On 07/04/2008, Ivan Kalik [EMAIL PROTECTED] wrote: I want to authenticate users using EAP authentication. I managed to generate the client and root certs from Free Radius. I have installed the client cert in my notebook and managed to get authenticated via AP to Radius. But I can't seem to find them in the Free Radius accounting database. Does the debug show accounting packets? If not, the portal is not sending them. There is no log event in the database. I want them to be authenticated in the radcheck table so that I can set bandwidth for them. No need. sql is a database - it doesn't do authentication, just stores data. Set the bandwidth in the radreply table and leave certificate authentication as it is. Would it be possible to also have monowall users log into the captive portal at the same time with EAP turned on in Free Radius. I want private users to authenticate via certs and also go through the captive portal. If I enable EAP TLS then users can't login using the captive portal login page. That's the whole idea. The portal captures users that are *not* authenticated. It does not capture them after authentication. Ivan Kalik Kalik Informatika ISP -- Devinder
Re: EAP Authentication
Hi Ivan, Before I enabled EAP authentication radius read the user names and passwords from the radcheck table. When I enabled EAP it only read the users.conf file. I want it to read the radcheck table which has the usernames and passwords for EAP authentication. I have generated the certs and they are installed on the client computer. Thank you. Devinder On 04/04/2008, Ivan Kalik [EMAIL PROTECTED] wrote: radcheck? EAP-TLS is certificate based authentication. What is it reading from users file? Reply attributes? They should be in radreply table. This would be so much easier if you would provide relevant information: user file entry that you want to store in sql; sql data for that user; radiusd -X output (when data is in sql). Ivan Kalik Kalik Informatika ISP On 4/4/2008, Devinder Singh [EMAIL PROTECTED] writes: Hi Ivan I'm using EAP-TLS authentication. Could you tell me the sql configuration to allow EAP-TLS to read the radcheck table instead of the users.conf file Thanks -Devinder On 04/04/2008, Ivan Kalik [EMAIL PROTECTED] wrote: Which EAP? TLS, PEAP, something else? Have you uncommented sql in authorize section? Debug would help. Ivan Kalik Kalik Informatika ISP On 4/4/2008, Devinder Singh [EMAIL PROTECTED] writes: Hi Ivan Kalik When I set EAP turned on using 802.1x authentication I don't seem to get users authenticated to the RADIUS radcheck account table. How do I enable EAP using 802.1x and allow users to get authenticated to the RADIUS Server radcheck table which has the user name and login details Thank you Devinder On 04/04/2008, Devinder Singh [EMAIL PROTECTED] wrote: I guess I need to use VLAN methods and two SSIDs On 03/04/2008, Ivan Kalik [EMAIL PROTECTED] wrote: radiusd -X. Send the debug of the monowall request. Ivan Kalik Kalik Informatika ISP On 3/4/2008, Devinder Singh [EMAIL PROTECTED] writes: Hi I have set up Free Radius to allow users to set up certificates on their notebook and get access to the Internet. When I set EAP I can't seem to allow monowall captive portal users to login to the RADIUS Server. Is there any setting to be done in the users.conf file or radiusd.conf file to allow users to login via the monowall captive portal login page. Free Radius rejects logins from the captive portal login. Should I be using MSCHAP or can I still use EAP. Thank you Devinder -- Devinder
Fwd: EAP Authentication
I want to authenticate users using EAP authentication. I managed to generate the client and root certs from Free Radius. I have installed the client cert in my notebook and managed to get authenticated via AP to Radius. But I can't seem to find them in the Free Radius accounting database. There is no log event in the database. I want them to be authenticated in the radcheck table so that I can set bandwidth for them. Hope you can help me on this. Would it be possible to also have monowall users log into the captive portal at the same time with EAP turned on in Free Radius. I want private users to authenticate via certs and also go through the captive portal. If I enable EAP TLS then users can't login using the captive portal login page. Regards, -- Devinder
Re: EAP Authentication
Hi Ivan Kalik When I set EAP turned on using 802.1x authentication I don't seem to get users authenticated to the RADIUS radcheck account table. How do I enable EAP using 802.1x and allow users to get authenticated to the RADIUS Server radcheck table which has the user name and login details Thank you Devinder On 04/04/2008, Devinder Singh [EMAIL PROTECTED] wrote: I guess I need to use VLAN methods and two SSIDs On 03/04/2008, Ivan Kalik [EMAIL PROTECTED] wrote: radiusd -X. Send the debug of the monowall request. Ivan Kalik Kalik Informatika ISP On 3/4/2008, Devinder Singh [EMAIL PROTECTED] writes: Hi I have set up Free Radius to allow users to set up certificates on their notebook and get access to the Internet. When I set EAP I can't seem to allow monowall captive portal users to login to the RADIUS Server. Is there any setting to be done in the users.conf file or radiusd.conf file to allow users to login via the monowall captive portal login page. Free Radius rejects logins from the captive portal login. Should I be using MSCHAP or can I still use EAP. Thank you Devinder -- Devinder
Re: EAP Authentication
Which EAP? TLS, PEAP, something else? Have you uncommented sql in authorize section? Debug would help. Ivan Kalik Kalik Informatika ISP On 4/4/2008, Devinder Singh [EMAIL PROTECTED] writes: Hi Ivan Kalik When I set EAP turned on using 802.1x authentication I don't seem to get users authenticated to the RADIUS radcheck account table. How do I enable EAP using 802.1x and allow users to get authenticated to the RADIUS Server radcheck table which has the user name and login details Thank you Devinder On 04/04/2008, Devinder Singh [EMAIL PROTECTED] wrote: I guess I need to use VLAN methods and two SSIDs On 03/04/2008, Ivan Kalik [EMAIL PROTECTED] wrote: radiusd -X. Send the debug of the monowall request. Ivan Kalik Kalik Informatika ISP On 3/4/2008, Devinder Singh [EMAIL PROTECTED] writes: Hi I have set up Free Radius to allow users to set up certificates on their notebook and get access to the Internet. When I set EAP I can't seem to allow monowall captive portal users to login to the RADIUS Server. Is there any setting to be done in the users.conf file or radiusd.conf file to allow users to login via the monowall captive portal login page. Free Radius rejects logins from the captive portal login. Should I be using MSCHAP or can I still use EAP. Thank you Devinder -- Devinder
Re: EAP Authentication
Hi Ivan I'm using EAP-TLS authentication. Could you tell me the sql configuration to allow EAP-TLS to read the radcheck table instead of the users.conf file Thanks -Devinder On 04/04/2008, Ivan Kalik [EMAIL PROTECTED] wrote: Which EAP? TLS, PEAP, something else? Have you uncommented sql in authorize section? Debug would help. Ivan Kalik Kalik Informatika ISP On 4/4/2008, Devinder Singh [EMAIL PROTECTED] writes: Hi Ivan Kalik When I set EAP turned on using 802.1x authentication I don't seem to get users authenticated to the RADIUS radcheck account table. How do I enable EAP using 802.1x and allow users to get authenticated to the RADIUS Server radcheck table which has the user name and login details Thank you Devinder On 04/04/2008, Devinder Singh [EMAIL PROTECTED] wrote: I guess I need to use VLAN methods and two SSIDs On 03/04/2008, Ivan Kalik [EMAIL PROTECTED] wrote: radiusd -X. Send the debug of the monowall request. Ivan Kalik Kalik Informatika ISP On 3/4/2008, Devinder Singh [EMAIL PROTECTED] writes: Hi I have set up Free Radius to allow users to set up certificates on their notebook and get access to the Internet. When I set EAP I can't seem to allow monowall captive portal users to login to the RADIUS Server. Is there any setting to be done in the users.conf file or radiusd.conf file to allow users to login via the monowall captive portal login page. Free Radius rejects logins from the captive portal login. Should I be using MSCHAP or can I still use EAP. Thank you Devinder -- Devinder
Re: EAP Authentication
radcheck? EAP-TLS is certificate based authentication. What is it reading from users file? Reply attributes? They should be in radreply table. This would be so much easier if you would provide relevant information: user file entry that you want to store in sql; sql data for that user; radiusd -X output (when data is in sql). Ivan Kalik Kalik Informatika ISP On 4/4/2008, Devinder Singh [EMAIL PROTECTED] writes: Hi Ivan I'm using EAP-TLS authentication. Could you tell me the sql configuration to allow EAP-TLS to read the radcheck table instead of the users.conf file Thanks -Devinder On 04/04/2008, Ivan Kalik [EMAIL PROTECTED] wrote: Which EAP? TLS, PEAP, something else? Have you uncommented sql in authorize section? Debug would help. Ivan Kalik Kalik Informatika ISP On 4/4/2008, Devinder Singh [EMAIL PROTECTED] writes: Hi Ivan Kalik When I set EAP turned on using 802.1x authentication I don't seem to get users authenticated to the RADIUS radcheck account table. How do I enable EAP using 802.1x and allow users to get authenticated to the RADIUS Server radcheck table which has the user name and login details Thank you Devinder On 04/04/2008, Devinder Singh [EMAIL PROTECTED] wrote: I guess I need to use VLAN methods and two SSIDs On 03/04/2008, Ivan Kalik [EMAIL PROTECTED] wrote: radiusd -X. Send the debug of the monowall request. Ivan Kalik Kalik Informatika ISP On 3/4/2008, Devinder Singh [EMAIL PROTECTED] writes: Hi I have set up Free Radius to allow users to set up certificates on their notebook and get access to the Internet. When I set EAP I can't seem to allow monowall captive portal users to login to the RADIUS Server. Is there any setting to be done in the users.conf file or radiusd.conf file to allow users to login via the monowall captive portal login page. Free Radius rejects logins from the captive portal login. Should I be using MSCHAP or can I still use EAP. Thank you Devinder -- Devinder
Re: EAP Authentication
radiusd -X. Send the debug of the monowall request. Ivan Kalik Kalik Informatika ISP On 3/4/2008, Devinder Singh [EMAIL PROTECTED] writes: Hi I have set up Free Radius to allow users to set up certificates on their notebook and get access to the Internet. When I set EAP I can't seem to allow monowall captive portal users to login to the RADIUS Server. Is there any setting to be done in the users.conf file or radiusd.conf file to allow users to login via the monowall captive portal login page. Free Radius rejects logins from the captive portal login. Should I be using MSCHAP or can I still use EAP. Thank you Devinder
Re: EAP Authentication
I guess I need to use VLAN methods and two SSIDs On 03/04/2008, Ivan Kalik [EMAIL PROTECTED] wrote: radiusd -X. Send the debug of the monowall request. Ivan Kalik Kalik Informatika ISP On 3/4/2008, Devinder Singh [EMAIL PROTECTED] writes: Hi I have set up Free Radius to allow users to set up certificates on their notebook and get access to the Internet. When I set EAP I can't seem to allow monowall captive portal users to login to the RADIUS Server. Is there any setting to be done in the users.conf file or radiusd.conf file to allow users to login via the monowall captive portal login page. Free Radius rejects logins from the captive portal login. Should I be using MSCHAP or can I still use EAP. Thank you Devinder -- Devinder
EAP Authentication
Hi I have set up FreeRADIUS to allow users to set up certificates on their notebook and get access to the Internet. When I set EAP I can't seem to allow monowall captive portal users to login to the RADIUS Server. Are there any settings to be done in the users.conf file or radiusd.conf file to allow users to login via the monowall captive portal login page? FreeRADIUS rejects login from the captive portal login. Should I be using MSCHAP or can I still use EAP? Thank you Devinder
Re: eap authentication and cpu utilization
Alan DeKok wrote: Norbert Wegener wrote: Just for information: I made some tests on different machines. Around 60% of the theoretical maximum was the best value I got. The behaviour was heavily influenced by the parameters in the thread pool section and num_sql_socks, as I have a database backend. Yes. The interaction effects are strong. If there are fewer SQL sockets than threads, then the threads will block waiting for an SQL socket to become ready. At that point, performance drops significantly. I would be curious to know how many PAP authentications/s you can do with that database back-end. Knowing the 3 numbers will help scope interaction effects. e.g. OpenSSL says: S rsa/s PAP says: P requests/s EAP testing says: E requests/s You say E < S, but E < P, too... Tuning all parameters in mysql/freeradius that I know of and that seemed to make sense, the maximum number of pap requests is about twice the number of rsa signatures. The bottleneck here seems to be mysql. radius used about 20% of the cpu, mysql about 80%. Norbert Wegener Alan DeKok.
Re: eap authentication and cpu utilization
Norbert Wegener wrote: Just for information: I made some tests on different machines. Around 60% of the theoretical maximum was the best value I got. The behaviour was heavily influenced by the parameters in the thread pool section and num_sql_socks, as I have a database backend. Yes. The interaction effects are strong. If there are fewer SQL sockets than threads, then the threads will block waiting for an SQL socket to become ready. At that point, performance drops significantly. I would be curious to know how many PAP authentications/s you can do with that database back-end. Knowing the 3 numbers will help scope interaction effects. e.g. OpenSSL says: S rsa/s PAP says: P requests/s EAP testing says: E requests/s You say E < S, but E < P, too... Alan DeKok.
Re: eap authentication and cpu utilization
Just for information: I made some tests on different machines. Around 60% of the theoretical maximum was the best value I got. The behaviour was heavily influenced by the parameters in the thread pool section and num_sql_socks, as I have a database backend. Norbert Wegener Alan DeKok wrote: Sebastian Heil wrote: with my configuration, the freeradius-server can handle about 300 to 400 eap-tls-authentication-requests per minute. The cpu load is about 30 - 35 %. That's less than 10/s. I think that the virtual server is running at a clock rate of about 800MHz, maybe less. There's some overhead/delay involved in RADIUS and EAP. But it shouldn't drop the performance by 80%. Alan DeKok.
Re: eap authentication and cpu utilization
Norbert Wegener wrote: Do you also have experience in how many percent of that theoretic value can be reached in practice with a database backend on the same machine where beside freeradius and the database nothing else is running? I don't have hard numbers, unfortunately. It also depends on the number, and kind of queries the server does for each request. If you do a simplistic analysis, you could assume that the two processes are simply stealing CPU time from each other. If I recall my numerical analysis courses... E = # of EAP requests/s (say 30 on a normal machine) Q = # of SQL queries/s (likely 1000 un-cached on a normal machine) Assuming one SQL query per EAP transaction, we have 'E' SQL queries/s. So E/Q = 3% of CPU time is being used for SQL. That is stolen directly from EAP requests, so there is 97% CPU time left, or .97*30 = 29 EAP transactions/s as a theoretical maximum. Realistically, there is a lot more overhead than this. But I would be surprised if it lowered the maximum number of EAP sessions by more than 10-20%. Alan DeKok.
Re: eap authentication and cpu utilization
Original message Date: Wed, 13 Feb 2008 19:04:25 +0100 From: Norbert Wegener [EMAIL PROTECTED] To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Subject: Re: eap authentication and cpu utilization Alan DeKok wrote: .. $ openssl speed Or $ openssl speed rsa http://www.madboa.com/geek/openssl/#benchmark-speed For 2048 bit rsa keys, the web page gives 77 signs/s for a 2GHz Intel Core 2. My 1GHz laptop gives around 20/s. That number becomes the limiting factor for any TLS-based EAP method. It doesn't matter if the rest of the server can handle 5k PAP requests/s. If it can only do 77 rsa signings/s, that is the maximum number of EAP-TLS/TTLS/PEAP sessions that it can do. Fine, that openssl switch has been new to me. Do you also have experience in how many percent of that theoretic value can be reached in practice with a database backend on the same machine where beside freeradius and the database nothing else is running? Norbert Wegener Alan DeKok. - I don't know if it is helpful: As I mentioned in the other mailing-thread, I tried some kind of stress-test with freeradius and eap-tls. The freeradius-server is running on a virtual-machine (vmware-workstation) and the virtual suse linux server has about 300 mb ram and one cpu-core (intel xeon with 2.4 ghz (I think :-) ). I also installed a mysql-database and tried some tests with 4 simultaneous scripts on another server, that did eap-tls authentication requests. With my configuration, the freeradius-server can handle about 300 to 400 eap-tls-authentication-requests per minute. The cpu load is about 30 - 35 %. Maybe this is helpful for you. :-) Sebastian
Re: eap authentication and cpu utilization
Sebastian Heil wrote: with my configuration, the freeradius-server can handle about 300 to 400 eap-tls-authentication-requests per minute. The cpu load is about 30 - 35 %. That's less than 10/s. I think that the virtual server is running at a clock rate of about 800MHz, maybe less. There's some overhead/delay involved in RADIUS and EAP. But it shouldn't drop the performance by 80%. Alan DeKok.
eap authentication and cpu utilization
Simple authentication with login/password can be handled in large numbers with a recent cpu and freeradius. EAP authentication on the other hand requires a great amount of cpu processing. Therefore I have a simple(?) question: Did someone already calculate the theoretical maximum number of eap authentications per second that a recent x86 cpu is able to handle? Or did someone do some practical research on that issue? Norbert Wegener
Re: eap authentication and cpu utilization
Norbert Wegener wrote: Simple authentication with login/password can be handled in large numbers with a recent cpu and freeradius. EAP authentication on the other hand requires a great amount of cpu processing. It's all in the SSL rsa keying setup. Therefore I have a simple(?) question: Did someone already calculate the theoretical maximum number of eap authentications per second that a recent x86 cpu is able to handle? $ openssl speed Or $ openssl speed rsa http://www.madboa.com/geek/openssl/#benchmark-speed For 2048 bit rsa keys, the web page gives 77 signs/s for a 2GHz Intel Core 2. My 1GHz laptop gives around 20/s. That number becomes the limiting factor for any TLS-based EAP method. It doesn't matter if the rest of the server can handle 5k PAP requests/s. If it can only do 77 rsa signings/s, that is the maximum number of EAP-TLS/TTLS/PEAP sessions that it can do. Alan DeKok.
Re: eap authentication and cpu utilization
Alan DeKok wrote: .. $ openssl speed Or $ openssl speed rsa http://www.madboa.com/geek/openssl/#benchmark-speed For 2048 bit rsa keys, the web page gives 77 signs/s for a 2GHz Intel Core 2. My 1GHz laptop gives around 20/s. That number becomes the limiting factor for any TLS-based EAP method. It doesn't matter if the rest of the server can handle 5k PAP requests/s. If it can only do 77 rsa signings/s, that is the maximum number of EAP-TLS/TTLS/PEAP sessions that it can do. Fine, that openssl switch has been new to me. Do you also have experience in how many percent of that theoretic value can be reached in practice with a database backend on the same machine where beside freeradius and the database nothing else is running? Norbert Wegener Alan DeKok.
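The capacity reasoning in this thread (RSA signing rate as the hard ceiling for TLS-based EAP, the observed 60% of theory with an SQL backend, the E/Q CPU-sharing estimate, and the thread-pool versus num_sql_socks interaction) is easy to turn into a small sizing tool. The following is an added example and not code from the FreeRADIUS project or from anyone in the thread. SAMPLE_SPEED_OUTPUT is constructed in the layout `openssl speed rsa` prints; its figures are illustrative, with the 2048-bit row set to the 77 sign/s quoted above. The parser reads the header line to find the sign/s column, so it also handles newer OpenSSL builds that add encrypt/decrypt columns. One caveat the thread only touches on later: the ceiling applies to full TLS handshakes; resumed sessions skip the RSA private-key operation.

```python
"""Estimate the EAP-TLS/TTLS/PEAP session ceiling of a RADIUS host from
`openssl speed rsa`, then apply the thread's two correction factors.

Added example; not code from the FreeRADIUS project or from the thread.
SAMPLE_SPEED_OUTPUT is constructed in the layout `openssl speed rsa` prints;
the numbers are illustrative (2048-bit row = the 77 sign/s quoted in the thread).
"""


SAMPLE_SPEED_OUTPUT = """\
                  sign    verify    sign/s verify/s
rsa  512 bits 0.000372s 0.000029s   2688.2  34482.8
rsa 1024 bits 0.002130s 0.000110s    469.5   9090.9
rsa 2048 bits 0.012987s 0.000395s     77.0   2531.6
rsa 4096 bits 0.092593s 0.001470s     10.8    680.3
"""


def parse_openssl_speed_rsa(text):
    """Return {key_bits: private-key signs per second}.

    The header line names the columns, so both the classic 4-column layout
    and the 8-column layout of newer OpenSSL (encrypt/decrypt added) parse.
    """
    header = None
    rates = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "sign":            # column header: sign verify sign/s ...
            header = tokens
            continue
        if header and tokens[0] == "rsa" and tokens[2:3] == ["bits"]:
            values = tokens[3:]
            if len(values) != len(header):
                raise ValueError("unexpected column layout: %r" % line)
            rates[int(tokens[1])] = float(values[header.index("sign/s")])
    return rates


def eap_tls_ceiling(signs_per_second, efficiency=1.0):
    """Sessions/s upper bound: one RSA private-key operation per full TLS handshake.

    efficiency scales the benchmark figure to what is reached in practice; the
    thread reports about 0.6 at best with an SQL backend on the same host.
    Resumed TLS sessions skip the private-key operation and are not bounded here.
    """
    if not 0.0 < efficiency <= 1.0:
        raise ValueError("efficiency must be in (0, 1]")
    return signs_per_second * efficiency


def eap_capacity_with_sql(eap_max, sql_queries_per_second, queries_per_auth=1):
    """Back-of-envelope model from the thread: SQL work steals CPU from TLS.

    Returns (fraction of CPU spent on SQL, adjusted EAP sessions/s). With
    eap_max=30, 1000 queries/s and one query per auth this gives (0.03, 29.1).
    """
    sql_fraction = (eap_max * queries_per_auth) / float(sql_queries_per_second)
    if sql_fraction >= 1.0:
        return 1.0, 0.0  # the database alone saturates the CPU
    return sql_fraction, eap_max * (1.0 - sql_fraction)


def sql_pool_warnings(max_servers, num_sql_socks):
    """Flag the thread-pool/SQL-socket interaction described in the thread.

    Worker threads block while waiting for a free SQL connection, so fewer
    sockets than threads turns the pool into a queue on the database.
    """
    warnings = []
    if num_sql_socks < max_servers:
        warnings.append(
            "num_sql_socks (%d) < thread pool max_servers (%d): threads will "
            "block waiting for an SQL socket" % (num_sql_socks, max_servers)
        )
    return warnings


if __name__ == "__main__":
    signs = parse_openssl_speed_rsa(SAMPLE_SPEED_OUTPUT)[2048]
    print("RSA-2048 signs/s:", signs)
    print("EAP-TLS ceiling (theory):", eap_tls_ceiling(signs))
    print("EAP-TLS ceiling (60%% observed): %.1f" % eap_tls_ceiling(signs, 0.6))
    print("with SQL model (2 queries/auth):", eap_capacity_with_sql(signs, 1000, 2))
    for w in sql_pool_warnings(max_servers=32, num_sql_socks=5):
        print("warning:", w)
```

Run `openssl speed rsa` on the actual RADIUS host and feed its output to parse_openssl_speed_rsa instead of the constructed sample; the 2048-bit sign/s figure is the number to size against, and the efficiency factor should come from your own load test rather than the 60% observed by one poster.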
Re: eap authentication problem
Mike Zoeteweij wrote: Can anyone tell me what I'm doing wrong here? Read eap.conf. Look for Windows. See also the wiki. Sending Access-Challenge of id 3 to 192.168.100.5:4855 ... Waking up in 6 seconds... --- Walking the entire request list --- This *exact* behavior is explained in eap.conf. If you edited the file to configure PEAP, you should have seen the comments explaining this. Alan DeKok.
eap authentication problem
Can anyone tell me what I'm doing wrong here? Trying to auth. a wireless user with freeradius. I'm not sure if the mistake is in the certificates or the radius config. Authentication process gets stuck in attempting to authenticate EAP-Message = 0x064d5a2d6166740e00 Message-Authenticator = 0x State = 0x55a44efe0a103d2b2a24bb8f72998edc Finished request 6 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.100.5:4855, id=3, length=191 Message-Authenticator = 0xfab5bbc4d21c025b436d243b9579b617 Service-Type = Framed-User User-Name = wireless Framed-MTU = 1488 State = 0x55a44efe0a103d2b2a24bb8f72998edc Called-Station-Id = 00-18-F8-F5-87-53:mikiemike Calling-Station-Id = 00-13-E8-94-F3-B5 NAS-Port-Type = Wireless-802.11 Connect-Info = CONNECT 54Mbps 802.11g EAP-Message = 0x020300060d00 NAS-IP-Address = 192.168.100.5 NAS-Port = 1 NAS-Port-Id = STA port # 1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module preprocess returns ok for request 7 modcall[authorize]: module chap returns noop for request 7 modcall[authorize]: module mschap returns noop for request 7 rlm_realm: No '@' in User-Name = wireless, looking up realm NULL rlm_realm: No such realm NULL modcall[authorize]: module suffix returns noop for request 7 rlm_eap: EAP packet type response id 3 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module eap returns updated for request 7 users: Matched DEFAULT at 152 users: Matched DEFAULT at 171 users: Matched wireless at 231 modcall[authorize]: module files returns ok for request 7 modcall: group authorize returns updated for request 7 rad_check_password: Found Auth-Type EAP auth: type EAP Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module eap returns handled for request 7 modcall: group authenticate returns handled for request 7 Sending Access-Challenge of id 3 to 192.168.100.5:4855 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x0104000a0d80 Message-Authenticator = 0x State = 0xbf025c40824435e386c6a8b6a1ad5735 Finished request 7 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 4 ID 0 with timestamp 479f9369 Cleaning up request 5 ID 1 with timestamp 479f9369 Cleaning up request 6 ID 2 with timestamp 479f9369 Cleaning up request 7 ID 3 with timestamp 479f936 thanks a lot in advance for any help. reg. Mike
EAP authentication with Cisco AP
Hi All, I have been trying, unsuccessfully, to get a windows supplicant (as shipped with Vista) to authenticate via freeradius/ldap. The freeradius/ldap combo works well with the existing VPN authen/auth that we have here on campus but not with EAP. I'm not sure what or where to go from here ...any pointers? freeradius logging: Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 10.56.7.81:1645, id=246, length=130 User-Name = timmy Framed-MTU = 1400 Called-Station-Id = 0013.6067.bcb0 Calling-Station-Id = 001b.7728.a8c0 Service-Type = Login-User Message-Authenticator = 0x7d2246236182294e8085da177383f3b4 EAP-Message = 0x0202000801746e67 NAS-Port-Type = Wireless-802.11 NAS-Port = 6722 NAS-IP-Address = 10.56.7.81 NAS-Identifier = svhwapmed0301 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module chap returns noop for request 0 modcall[authorize]: module preprocess returns ok for request 0 modcall[authorize]: module mschap returns noop for request 0 rlm_realm: No '@' in User-Name = timmy, looking up realm NULL rlm_realm: No such realm NULL modcall[authorize]: module suffix returns noop for request 0 rlm_eap: EAP packet type response id 2 length 8 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module eap returns updated for request 0 modcall[authorize]: module files returns notfound for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for timmy radius_xlat: '(cn=timmy)' radius_xlat: 'ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap-dev.stvincents.com.au:389, authentication 0 rlm_ldap: bind as cn=superuser,o=schs,c=au/ldapadmin to ldap-dev.stvincents.com.au:389 rlm_ldap: waiting for bind result ... 
rlm_ldap: Bind was successful rlm_ldap: performing search in ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au, with filter (cn=timmy) rlm_ldap: checking if remote access for timmy is allowed by cn rlm_ldap: Password header not found in password timmysPASSWORD for user timmy rlm_ldap: looking for check items in directory... rlm_ldap: Adding userPassword as User-Password, value timmysPASSWORD op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user timmy authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module people_search returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type EAP Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type md5 rlm_eap_md5: Issuing Challenge modcall[authenticate]: module eap returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 246 to 10.56.7.81 port 1645 EAP-Message = 0x010300160410da433545ecf08558fb23fb9d7a1e9251 Message-Authenticator = 0x State = 0x84dc68e3b83cac07d2bdde56656fa45b Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... 
rad_recv: Access-Request packet from host 10.56.7.81:1645, id=247, length=146 User-Name = timmy Framed-MTU = 1400 Called-Station-Id = 0013.6067.bcb0 Calling-Station-Id = 001b.7728.a8c0 Service-Type = Login-User Message-Authenticator = 0x80896aec4445abeab1b82e57df662896 EAP-Message = 0x020300060319 NAS-Port-Type = Wireless-802.11 NAS-Port = 6722 State = 0x84dc68e3b83cac07d2bdde56656fa45b NAS-IP-Address = 10.56.7.81 NAS-Identifier = svhwapmed0301 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module chap returns noop for request 1 modcall[authorize]: module preprocess returns ok for request 1 modcall[authorize]: module mschap returns noop for request 1 rlm_realm: No '@' in User-Name = timmy, looking up realm NULL rlm_realm: No such realm NULL modcall[authorize]: module suffix returns noop for request 1 rlm_eap: EAP packet type response id 3 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module eap returns updated for request 1 modcall[authorize]: module files returns notfound for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for timmy radius_xlat: '(cn=timmy)' radius_xlat: 'ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0
Re: EAP authentication with Cisco AP
Peter Param wrote: I have been trying, unsuccessfully, to get a windows supplicant (as shipped with Vista) to authenticate via freeradius/ldap. The freeradius/ldap combo works well with the existing VPN authen/auth that we have here on campus but not with EAP. I'm not sure what or where to go from here ...any pointers? ... Sending Access-Challenge of id 251 to 10.56.7.81 port 1645 EAP-Message = 0x010800501900170301002056b3fce58dfde9876381acb7eb7ec8139c58d280947a6c2cae9d9eeba78271f61703010020086e9221f752701d9d96797db6f7ae6c3d6ff0e8afe29639e9607da3bb708140 Message-Authenticator = 0x State = 0x144352a3976c560713ae411bf3b1f1fd Finished request 5 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 246 with timestamp 471df0af You don't have the magic Windows OIDs in the certificates. This is in the FAQ, and documented in the comments in eap.conf. Alan DeKok.
IP address with EAP authentication
Hi all I'm using Freeradius to authenticate wifi customers with EAP and DHCP and it works well. But in the accounting log, there is no IP address used by the customer. How can I configure it to also have the IP address in the accounting log? Thanks for any help. Jacques
Re: IP address with EAP authentication
JVUVANT Yahoo wrote: Hi all I'm using Freeradius to authenticate wifi customers with EAP and DHCP and it works well. But in the accounting log, there is no IP address used by the customer. How can I configure it to also have the IP address in the accounting log? EAP is done before DHCP, so no IP address is assigned. Some APs can snoop the ARP/DHCP, and have the option to delay the initial accounting start, but that's specific to the AP, not a radius question. Check your AP docs.
eap authentication and proxy radius
Is it possible to configure FreeRADIUS to request two EAP authentications? For example, the supplicant starts the eap-tls and the authentication is ok. But the radius server doesn't send Access Accept but requests a new authentication (for example eap-md5). If also eap-md5 is ok, the supplicant is authenticated. authentication supplicant = (authentication eap-tls) (authentication eap-md5) If the first answer is yes, is it possible that the first authentication is forwarded to a remote radius server and the second one is resolved locally? authentication supplicant = (authentication eap-tls on remote radius server) (authentication eap-md5 on proxy radius server) Many thanks, Matteo Paoli
Re: eap authentication and proxy radius
Matteo Paoli [EMAIL PROTECTED] wrote: For example, the supplicant starts the eap-tls and the authentication is ok. But the radius server doesn't send Access Accept but requests a new authentication (for example eap-md5). If also eap-md5 is ok, the supplicant is authenticated. No. EAP doesn't work like that. If that's what you want, I suggest PEAP with client certificates. Is it possible that the first authentication is forwarded to a remote radius server and the second one is resolved locally? RADIUS doesn't work like that. I have no idea what you're trying to do, but your proposed implementation doesn't match how supplicants, EAP, or RADIUS works. Alan DeKok.
Re: MAC+EAP authentication
I use Cisco AP 1230 and I set on the authentication for MAC and EAP authentication. On the client side (Centrino/Windows XP), I set as mentioned in the HOW-TO for EAP-TLS. On Freeradius, I only see EAP authentication but no MAC authentication. Am I missing something? Please help. Thanks. - Original Message - From: Alan DeKok [EMAIL PROTECTED] To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Sent: Tuesday, June 14, 2005 01:03 Subject: Re: MAC+EAP authentication Jefri bin Dahari [EMAIL PROTECTED] wrote: I plan to implement simultaneous MAC+EAP authentication for my wireless users. From my observation, Freeradius can only do either MAC or EAP but not MAC and EAP authentication. Can somebody give me some hints on how to do that? It can do both. EAP is authentication, MAC checking isn't really authentication. What are you seeing in RADIUS packets, and what do you want to happen? Alan DeKok.
Re: MAC+EAP authentication
Artur Hecker [EMAIL PROTECTED] wrote: implementing EAP or MAC authentication, meaning that one of both would work, is a huge security hole and requiring both is useless since EAP authentication implicitly filters away everything unauthenticated... Doing *both* ensures that known users only use known hardware to access the net. Sort of. Alan DeKok.
Re: MAC+EAP authentication
Jefri bin Dahari [EMAIL PROTECTED] wrote: authentication. On the client side (Centrino/Windows XP), I set as mentioned in the HOW-TO for EAP-TLS. On Freeradius, I only see EAP authentication but no MAC authentication. Am I missing something? Please help. Read your NAS documentation. There's nothing you can do to FreeRADIUS to get the NAS to behave differently. Alan DeKok.
Re: MAC+EAP authentication
Alan, well, unfortunately not really. And most importantly: it does not assure the users use the known SOFTware to access the net. IMHO, hardware has never ever represented a problem so far. ciao artur On 6/14/05, Alan DeKok [EMAIL PROTECTED] wrote: Artur Hecker [EMAIL PROTECTED] wrote: implementing EAP or MAC authentication, meaning that one of both would work, is a huge security hole and requiring both is useless since EAP authentication implicitly filters away everything unauthenticated... Doing *both* ensures that known users only use known hardware to access the net. Sort of. Alan DeKok.
MAC+EAP authentication
Hi, I plan to implement simultaneous MAC+EAP authentication for my wireless users. From my observation, Freeradius can only do either MAC or EAP but not MAC and EAP authentication. Can somebody give me some hints on how to do that? Thanks.
Re: MAC+EAP authentication
On Mon, Jun 13, 2005, Jefri bin Dahari wrote: Hi, I plan to implement simultaneous MAC+EAP authentication for my wireless users. From my observation, Freeradius can only do either MAC or EAP but not MAC and EAP authentication. Can somebody give me some hints on how to do that? I check the MAC address during the authorization using an external perl script, and it works well. -- Alexandre Coninx
Re: MAC+EAP authentication
Jefri bin Dahari [EMAIL PROTECTED] wrote: I plan to implement simultaneous MAC+EAP authentication for my wireless users. From my observation, Freeradius can only do either MAC or EAP but not MAC and EAP authentication. Can somebody give me some hints on how to do that? It can do both. EAP is authentication, MAC checking isn't really authentication. What are you seeing in RADIUS packets, and what do you want to happen? Alan DeKok.
Re: MAC+EAP authentication
I personally think that it's completely useless. Implementing EAP or MAC authentication, meaning that one of both would work, is a huge security hole and requiring both is useless since EAP authentication implicitly filters away everything unauthenticated... (even if I understand that might be necessary for current WiFi phones, etc., please be aware that under linux you can actually change the MAC address with one command...) ciao artur On 6/13/05, Alan DeKok [EMAIL PROTECTED] wrote: Jefri bin Dahari [EMAIL PROTECTED] wrote: I plan to implement simultaneous MAC+EAP authentication for my wireless users. From my observation, Freeradius can only do either MAC or EAP but not MAC and EAP authentication. Can somebody give me some hints on how to do that? It can do both. EAP is authentication, MAC checking isn't really authentication. What are you seeing in RADIUS packets, and what do you want to happen? Alan DeKok.
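The MAC+EAP thread settles on doing the MAC check in authorize (Alexandre's external script) while EAP does the actual authentication, and Artur's objection is that the MAC is a string the client chooses to present. Below is an added example of such a check, not the thread's Perl script and not code from the FreeRADIUS project. It normalises the Calling-Station-Id spellings that appear in the debug output on this page (AP style 00-13-E8-94-F3-B5 and Cisco IOS style 001b.7728.a8c0) plus the colon form, then compares against a per-user allow-list. The allow-list, the attribute lists and the (attribute, value) pair shape are constructed; wiring it into rlm_perl or rlm_python is left out and is an assumption. FreeRADIUS can also do this with a Calling-Station-Id check item in the users file, but that compares the string exactly as the NAS sends it, which is why the normalisation matters when several NAS vendors are in play.

```python
"""Tie an EAP-authenticated user to known hardware via Calling-Station-Id.

Added example; not the thread's Perl script and not code from the FreeRADIUS
project. ALLOWED_HARDWARE and the attribute lists are constructed; the MAC
spellings are the ones seen in this page's debug output plus colon form.
"""
import re

# A MAC at the start of the value, in any of three spellings.  Anything after
# it (e.g. the ":SSID" an AP appends to Called-Station-Id) is ignored.
_MAC_RE = re.compile(
    r"^\s*("
    r"(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}"   # 00-13-E8-94-F3-B5 / 00:13:e8:94:f3:b5
    r"|(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}"    # 001b.7728.a8c0 (Cisco IOS)
    r"|[0-9A-Fa-f]{12}"                          # 0013e894f3b5
    r")"
)

# Constructed allow-list: user -> normalised MACs that user may connect from.
ALLOWED_HARDWARE = {
    "wireless": {"00:13:e8:94:f3:b5"},
    "timmy": {"00:1b:77:28:a8:c0"},
}


def normalize_mac(value):
    """Return the MAC as 'aa:bb:cc:dd:ee:ff', or None if value holds no MAC."""
    m = _MAC_RE.match(value or "")
    if not m:
        return None
    digits = re.sub(r"[^0-9A-Fa-f]", "", m.group(1)).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def authorize(attrs, allowlist=ALLOWED_HARDWARE, unbound="noop"):
    """Decide on one Access-Request.

    attrs is a list of (attribute, value) pairs, the shape a module hook
    (assumed here) would hand over.  Returns 'ok' when the user's MAC is
    listed, 'reject' when the user is bound to hardware but the MAC is missing
    or different, and `unbound` (default 'noop': leave the decision to EAP)
    for users without a binding.  Pass unbound='reject' to fail closed.
    """
    request = dict(attrs)
    user = request.get("User-Name")
    if user is None or user not in allowlist:
        return unbound
    mac = normalize_mac(request.get("Calling-Station-Id"))
    if mac is None or mac not in allowlist[user]:
        return "reject"
    return "ok"


if __name__ == "__main__":
    good = [("User-Name", "wireless"), ("Calling-Station-Id", "00-13-E8-94-F3-B5")]
    other = [("User-Name", "wireless"), ("Calling-Station-Id", "00:13:e8:94:f3:b6")]
    # The check only sees the string the client presents; a cloned MAC passes.
    print(authorize(good), authorize(other))
```

Two practical notes. The check is run on every Access-Request of the EAP conversation, so keep it cheap and deterministic. With tunnelled methods (TTLS, PEAP) the outer User-Name is often an anonymous identity, so a binding keyed on the real user has to run where the inner identity is visible. And, as Artur points out, this binds a credential to a MAC string that any client can change, so treat it as an inventory control rather than a second authentication factor.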
Re: EAP authentication
Jacques VUVANT [EMAIL PROTECTED] wrote: I've tested EAP/TLS authentication with freeradius which works well. But it seems to work as well when the username (same name as the installed certificate on the mobile PC) is removed from the users.conf file, i.e. EAP authentication is still OK for this certificate removed from users.conf. There is no user.conf file. The users file is not required for authentication or authorization. You can put all of the users in LDAP, and that will work, even if they're not listed in users. Does it mean that EAP doesn't use users.conf? It would appear that way. Why doesn't radwho work with EAP connections? Does your NAS send accounting packets to the server? Alan DeKok.
EAP authentication
Hi I've tested EAP/TLS authentication with freeradius which works well. But it seems to work as well when the username (same name as the installed certificate on the mobile PC) is removed from the users.conf file, i.e. EAP authentication is still OK for this certificate removed from users.conf. Does someone have an idea about it? Does it mean that EAP doesn't use users.conf? Why doesn't radwho work with EAP connections? Thanks for any answer. Jacques VUVANT
Re: Proxied EAP authentication
My thesis is the implementation of a proposed framework for lightweight WLAN Roaming. So we are trying to reduce the number of messages so as to provide faster roaming. They have given me a diagram with the exchange of messages which I must implement. The diagram is like the one in the RFCs (which describes authentication with EAP) but some messages are passed to the home server from the foreign server (proxy) and are identical with those that are passed from the access point to the proxy server (in the normal procedure). In this diagram there aren't any State or Proxy-State attributes. It's possible that I may have to modify the procedure of the radius protocol, but I am not sure if the protocol can work without the exchange of State and Proxy-State attributes. As far as I have seen these 2 attributes don't affect the EAP protocol. Is that correct? Thanks From: Alan DeKok [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Re: Proxied EAP authentication Date: Tue, 16 Nov 2004 17:25:06 -0500 jh vg [EMAIL PROTECTED] wrote: I am working on my university thesis using Freeradius. It's about WLAN Roaming. We want to reduce the messages that are sent during an EAP authentication between the foreign and home server (so we use proxy). I'm not sure that's possible. No matter how I have searched I can't find an RFC describing the sequence of messages between 2 servers (I looked at RFC 3579, 3580 and generally all RFCs in radius docs). T2a RADIUS server which passes requests to a RADIUS client. proxy +---+ client | server client | server +---+ A proxy acts like a server to its clients, and as a client to its servers. There is no extra document needed because the documents already describe how clients and servers interact. So the question is are there any RFCs describing the procedure? I would also like to know if I can alter freeradius source code so as to cut some attributes it sends. These attributes are probably State and Proxy-State. Uh... why? Those attributes have very well-defined meanings. They're needed. If you don't have them, EAP over RADIUS stops working. Read the RFCs to see why. Perhaps you could say WHY you're trying to reduce the messages. Is it the number of messages? The size? I don't think you'll be able to reduce either unless you define your own version of EAP over RADIUS. Alan DeKok.
RE: Proxied EAP authentication
It is possible to reduce the number of messages for reauthentication by implementing what is variously known as Fast Roaming, Fast Reauthentication and Session Resumption. This doesn't have any impact on the initial authentication exchange. However, once both parties (supplicant and authenticator) know the master password, then the fact that each party knows the master password is considered sufficient to authenticate the supplicant and authenticator to each other. Generally, this is only applied for a fixed period/fixed number of reauthentications before a complete reauthentication involving the RADIUS server is required. IIUC, FreeRADIUS implements this in the EAP-TLS module that is used by EAP-TTLS and PEAP so probably Session Resumption will be supported in those EAP types at the minimum. Regards, Guy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of jh vg Sent: 17 November 2004 11:40 To: [EMAIL PROTECTED] Subject: Re: Proxied EAP authentication My thesi is the implementation for a proposed framework of lightweight WLAN Roaming. So we are trying to reduce the number of messages so as to provide faster roaming. They have given me a diagram with the exchange of messages which i must implement. The diagram is like the one in RFCs(which decribes authentication with EAP) but some messages are passed to home server from foreign server(proxy) and are identical with these that are passed from access point to proxy server(in normal procedure). In this diagram there arent any State or Proxy-State attributes. Its possible that i may have to modify the procedure of radius protocol, but i am not sure if the protocol can work without the exchange of State and Proxy-Sate attributes. As far i have seen these 2 attributes dont affect EAP protocol .Is that correct? 
Thanks

From: Alan DeKok [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Proxied EAP authentication
Date: Tue, 16 Nov 2004 17:25:06 -0500

jh vg [EMAIL PROTECTED] wrote:
> I am working on my university thesis using FreeRADIUS. It's about WLAN Roaming. We want to reduce the messages that are sent during an EAP authentication between the foreign and home server (so we use a proxy).

I'm not sure that's possible.

> No matter how I have searched I can't find an RFC describing the sequence of messages between 2 servers (I looked at RFC 3579, 3580 and generally all RFCs in the radius docs).

There is no such document. RADIUS proxies are nothing more than a RADIUS server which passes requests to a RADIUS client.

                 proxy
          +----------------+
   client | server  client | server
          +----------------+

A proxy acts like a server to its clients, and as a client to its servers. There is no extra document needed because the documents already describe how clients and servers interact.

> So the question is: are there any RFCs describing the procedure? I would also like to know if I can alter the FreeRADIUS source code so as to cut some attributes it sends. These attributes are probably State and Proxy-State.

Uh... why? Those attributes have very well-defined meanings. They're needed. If you don't have them, EAP RADIUS stops working. Read the RFCs to see why. Perhaps you could say WHY you're trying to reduce the messages. Is it the number of messages? The size? I don't think you'll be able to reduce either unless you define your own version of EAP RADIUS.

Alan DeKok.
Re: Proxied EAP authentication
jh vg [EMAIL PROTECTED] wrote:
> My thesis is the implementation for a proposed framework of lightweight WLAN Roaming. So we are trying to reduce the number of messages so as to provide faster roaming. They have given me a diagram with the exchange of messages which I must implement.

Are you implementing an existing protocol? If so, you must follow the protocol spec, in order to be inter-operable with other implementations. This means that you must implement the number, and order, of messages as defined in the spec. The end result is that you can't reduce the number of messages.

> The diagram is like the one in the RFCs (which describe authentication with EAP) but some messages are passed to the home server from the foreign server (proxy) and are identical with those that are passed from the access point to the proxy server (in the normal procedure).

Yes, that's called proxying.

> In this diagram there aren't any State or Proxy-State attributes.

Then the diagram is wrong. End of story.

> It's possible that I may have to modify the procedure of the RADIUS protocol, but I am not sure if the protocol can work without the exchange of State and Proxy-State attributes.

It can't.

> As far as I have seen these 2 attributes don't affect the EAP protocol. Is that correct?

If you're doing proxying, you're required to use Proxy-State. If you're using EAP, you're required to use State. The diagram is wrong. What you are trying to do is impossible. It's impossible because if you remove State and Proxy-State, then what you're trying to do won't work. I suggest finding out why the diagram is wrong, and who created it.

Alan DeKok.
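The point made in the reply above, worked through as an added example that is not code from the thread or from FreeRADIUS: a toy Python model of NAS, proxy and home server carrying a multi-round EAP conversation. Packets are plain dicts, the EAP method is reduced to a fixed number of challenge rounds (EAP_ROUNDS is a made-up constant) and the user name is invented; only the handling of State and Proxy-State follows RFC 2865. Running it with State dropped, or with the proxy not adding Proxy-State, produces the two failure modes: the home server cannot tie the second request to any session and rejects it, and the proxy cannot tell which NAS request a reply belongs to and drops it.

```python
"""Toy model of a proxied EAP conversation over RADIUS (RFC 2865, RFC 3579)
showing what State and Proxy-State are for. Added example, not FreeRADIUS
code: packets are plain dicts and the EAP method is reduced to a fixed
number of challenge rounds; only the attribute handling follows the RFCs."""
import os
from typing import Dict, List, Optional

Packet = Dict[str, object]
EAP_ROUNDS = 3  # hypothetical: challenges the home server sends before Accept


class HomeServer:
    """Terminates EAP. State (RFC 2865 s5.24) is the only thing that tells it
    which EAP session a continuation request belongs to. Proxy-State (s5.33)
    is copied into every reply unchanged."""

    def __init__(self) -> None:
        self.sessions: Dict[bytes, int] = {}  # State -> rounds completed

    def handle(self, req: Packet) -> Packet:
        proxy_state = list(req.get("Proxy-State", []))
        state = req.get("State")
        if req["EAP-Message"] == b"identity":   # first message: new session
            state = os.urandom(16)
            self.sessions[state] = 0
        elif state not in self.sessions:        # continuation we can't place
            return {"Code": "Access-Reject", "Proxy-State": proxy_state}
        self.sessions[state] += 1
        if self.sessions[state] < EAP_ROUNDS:
            return {"Code": "Access-Challenge", "State": state,
                    "EAP-Message": b"challenge", "Proxy-State": proxy_state}
        del self.sessions[state]
        return {"Code": "Access-Accept", "EAP-Message": b"success",
                "Proxy-State": proxy_state}


class Proxy:
    """Server to the NAS, client to the home server. Replies come back
    asynchronously, so the Proxy-State it appended is the only key that
    matches a reply to the NAS request which caused it."""

    def __init__(self, home: HomeServer, add_proxy_state: bool = True) -> None:
        self.home, self.add_proxy_state = home, add_proxy_state
        self.pending: Dict[bytes, Packet] = {}  # our Proxy-State -> NAS request
        self.inbox: List[Packet] = []           # replies from the home server

    def forward(self, req: Packet) -> None:
        fwd = dict(req)
        fwd["Proxy-State"] = list(req.get("Proxy-State", []))
        if self.add_proxy_state:
            tag = os.urandom(8)
            fwd["Proxy-State"].append(tag)
            self.pending[tag] = req
        self.inbox.append(self.home.handle(fwd))

    def deliver(self) -> Optional[Packet]:
        """Take one home-server reply and route it back to the NAS, or drop it
        if it carries no Proxy-State of ours."""
        reply = dict(self.inbox.pop(0))
        ps = list(reply.get("Proxy-State", []))
        if not ps or ps[-1] not in self.pending:
            return None
        self.pending.pop(ps.pop())
        reply["Proxy-State"] = ps  # RFC 2865 s5.33: strip only what we added
        return reply


def run(drop_state: bool = False, add_proxy_state: bool = True) -> str:
    """Drive one conversation NAS -> proxy -> home and return the outcome."""
    proxy = Proxy(HomeServer(), add_proxy_state)
    req: Packet = {"Code": "Access-Request", "User-Name": "jh@example.org",
                   "EAP-Message": b"identity"}  # constructed user
    for _ in range(EAP_ROUNDS):
        proxy.forward(req)
        reply = proxy.deliver()
        if reply is None:
            return "no reply"  # the NAS would time out here
        if reply["Code"] != "Access-Challenge":
            return str(reply["Code"])
        # Next round: RFC 2865 s5.24 says the NAS echoes State unchanged.
        # drop_state models the thesis diagram, which has no State at all.
        req = {"Code": "Access-Request", "User-Name": "jh@example.org",
               "EAP-Message": b"response"}
        if not drop_state:
            req["State"] = reply["State"]
    return "unfinished"


if __name__ == "__main__":
    print(run(), run(drop_state=True), run(add_proxy_state=False))
```

In the real protocol the NAS copies State unchanged from the Access-Challenge into its next Access-Request (RFC 2865 s5.24), and a server must return every Proxy-State it received, in order and unmodified, in its reply (s5.33); each proxy strips only the one it appended. Neither attribute adds a round trip: they ride inside messages that are sent anyway, which is why removing them saves nothing and breaks the conversation.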
Re: Proxied EAP authentication
Guy Davies [EMAIL PROTECTED] wrote:
> IIUC, FreeRADIUS implements this in the EAP-TLS module that is used by EAP-TTLS and PEAP, so probably Session Resumption will be supported in those EAP types at the minimum.

FreeRADIUS doesn't implement fast reconnect for session resumption.

Alan DeKok.
Proxied EAP authentication
Hi,

I am working on my university thesis using FreeRADIUS. It's about WLAN Roaming. We want to reduce the messages that are sent during an EAP authentication between the foreign and home server (so we use a proxy). No matter how I have searched I can't find an RFC describing the sequence of messages between 2 servers (I looked at RFC 3579, 3580 and generally all RFCs in the radius docs). So the question is: are there any RFCs describing the procedure? I would also like to know if I can alter the FreeRADIUS source code so as to cut some attributes it sends. These attributes are probably State and Proxy-State.

Thanks
Re: Proxied EAP authentication
jh vg [EMAIL PROTECTED] wrote:
> I am working on my university thesis using FreeRADIUS. It's about WLAN Roaming. We want to reduce the messages that are sent during an EAP authentication between the foreign and home server (so we use a proxy).

I'm not sure that's possible.

> No matter how I have searched I can't find an RFC describing the sequence of messages between 2 servers (I looked at RFC 3579, 3580 and generally all RFCs in the radius docs).

There is no such document. RADIUS proxies are nothing more than a RADIUS server which passes requests to a RADIUS client.

                 proxy
          +----------------+
   client | server  client | server
          +----------------+

A proxy acts like a server to its clients, and as a client to its servers. There is no extra document needed because the documents already describe how clients and servers interact.

> So the question is: are there any RFCs describing the procedure? I would also like to know if I can alter the FreeRADIUS source code so as to cut some attributes it sends. These attributes are probably State and Proxy-State.

Uh... why? Those attributes have very well-defined meanings. They're needed. If you don't have them, EAP RADIUS stops working. Read the RFCs to see why. Perhaps you could say WHY you're trying to reduce the messages. Is it the number of messages? The size? I don't think you'll be able to reduce either unless you define your own version of EAP RADIUS.

Alan DeKok.
Enforcement rules after EAP authentication
Hi,

I'm new to FreeRADIUS (and also to RADIUS) and I've successfully set up EAP/TTLS authentication (thanks for this great project). Now I need to be able to do enforcement rules on my firewall on a per-user basis (not only for authorization, but also for measurement). Is there a way to get the client MAC address from the RADIUS server right after the EAP authentication phase? If not, how could I achieve this level of control?

Thanks for your attention,
Tacio
Re: Enforcement rules after EAP authentication
I hadn't noticed it before. The AP sends the MAC in the Calling-Station-Id.

Tacio

On Monday 26 July 2004 08:11, Tacio Santos wrote:
> Hi,
>
> I'm new to FreeRADIUS (and also to RADIUS) and I've successfully set up EAP/TTLS authentication (thanks for this great project). Now I need to be able to do enforcement rules on my firewall on a per-user basis (not only for authorization, but also for measurement). Is there a way to get the client MAC address from the RADIUS server right after the EAP authentication phase? If not, how could I achieve this level of control?
>
> Thanks for your attention,
> Tacio
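The attribute named in the reply above, worked as an added example that is not part of the thread or of FreeRADIUS: a small Python decoder that pulls Calling-Station-Id (attribute 31) out of an Access-Request, normalises the MAC formats different NAS vendors emit, and turns the result into a firewall rule string. The packet, user name, MACs and SSID are constructed by hand; the iptables rule is a hypothetical policy, not something the thread describes.

```python
"""Extract the client MAC from Calling-Station-Id in an Access-Request and
turn it into a firewall rule. Added example, not part of the thread or of
FreeRADIUS; the packet is constructed by hand, with made-up addresses."""
import re
import struct
from typing import Dict, List, Optional, Tuple

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_CALLED_STATION_ID, ATTR_CALLING_STATION_ID = 1, 30, 31


def build_request(attrs: List[Tuple[int, bytes]], ident: int = 7) -> bytes:
    """Encode a minimal Access-Request (RFC 2865 s3): code, id, length,
    16-byte Request Authenticator, then type/length/value attributes."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    authenticator = bytes(range(16))  # fixed for the example; random on the wire
    return (struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(body))
            + authenticator + body)


def parse_attrs(pkt: bytes) -> Dict[int, List[bytes]]:
    """Decode the attribute list. Every length is checked against the packet
    so a NAS sending malformed data cannot make us read past the end."""
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    attrs: Dict[int, List[bytes]] = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(pkt[pos + 2:pos + alen])
        pos += alen
    return attrs


def normalize_mac(value: str) -> Optional[str]:
    """Accept the forms NAS vendors emit (00-1B-77-12-34-56,
    00:1b:77:12:34:56, 001b.7712.3456, any case) and return aa:bb:cc:dd:ee:ff.
    Anything else yields None: the attribute is NAS-supplied text and must
    never reach a firewall command unvalidated."""
    digits = re.sub(r"[-:.]", "", value.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def client_mac(pkt: bytes) -> Optional[str]:
    """MAC of the supplicant, or None if the NAS did not send a usable one."""
    values = parse_attrs(pkt).get(ATTR_CALLING_STATION_ID, [])
    return normalize_mac(values[0].decode("ascii", "replace")) if values else None


def firewall_rule(pkt: bytes, chain: str = "FORWARD") -> Optional[str]:
    """iptables rule text keyed on the client MAC (hypothetical policy)."""
    mac = client_mac(pkt)
    return None if mac is None else f"-A {chain} -m mac --mac-source {mac} -j ACCEPT"


# Constructed sample of what an AP sends: Called-Station-Id carries the AP's
# own MAC plus SSID, Calling-Station-Id carries the client's MAC.
SAMPLE_REQUEST = build_request([
    (ATTR_USER_NAME, b"tacio@example.org"),
    (ATTR_CALLED_STATION_ID, b"00-0C-42-AA-BB-CC:campus-wlan"),
    (ATTR_CALLING_STATION_ID, b"00-1B-77-12-34-56"),
])

if __name__ == "__main__":
    print(client_mac(SAMPLE_REQUEST))
    print(firewall_rule(SAMPLE_REQUEST))
```

Inside FreeRADIUS the same value is available as %{Calling-Station-Id} and is normally handed to a script from the post-auth section (rlm_exec), which is the usual way to push a per-user rule once the EAP phase has succeeded. Two caveats for enforcement: the MAC is trivially spoofable, so a rule keyed on it should be tied to the authenticated session and torn down on Accounting-Stop, and the value is whatever the NAS chose to send, so it is validated here before it goes anywhere near a shell command.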
EAP Authentication
Hi,

What is the advantage of using EAP authentication (in which a challenge response is associated) in a RADIUS client? Is this mode of authentication more secure than an ordinary PAP authentication? If yes, please tell me how EAP is more secure than PAP.

Regards,
Barath Kumar.
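The question above, worked as an added illustration rather than an answer from the list, and not FreeRADIUS code. The first two functions implement the User-Password hiding of RFC 2865 section 5.2, which is all the protection PAP has over RADIUS, and show that anyone holding the shared secret reverses it. The next three are a generic HMAC challenge-response standing in for the challenge-response an EAP method performs (it is not MSCHAPv2 or any specific EAP method); the password never crosses the wire and a captured response is useless against a fresh challenge. The last function shows what a bare challenge-response still leaks, offline guessing from one captured exchange, which is why EAP-TTLS and PEAP run the inner method inside a TLS tunnel. The shared secret, passwords and wordlist are made up.

```python
"""What PAP puts on the wire versus what a challenge-response method does.
Added illustration for the question above, not FreeRADIUS code. The
challenge-response side is a generic HMAC scheme standing in for an EAP
method; it is not MSCHAPv2. Secrets and passwords are made up."""
import hashlib
import hmac
import os
from typing import Iterable, Optional

SHARED_SECRET = b"testing123"  # constructed NAS<->server RADIUS secret


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: pad to 16-byte blocks and XOR each
    with MD5(secret + previous ciphertext block), seeded with the 16-byte
    Request Authenticator. The only key material is the shared secret."""
    blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(16 * blocks, b"\0")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Anyone holding the shared secret (the NAS, every proxy on the path, or
    whoever read it out of a config file) gets the cleartext back from a
    captured Access-Request. Trailing NUL padding is stripped, so a password
    itself must not end in NUL."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, pad)), block
    return out.rstrip(b"\0")


def make_challenge() -> bytes:
    """Server side: a fresh random challenge for every authentication."""
    return os.urandom(16)


def respond(password: bytes, challenge: bytes) -> bytes:
    """Client side: prove knowledge of the password without sending it."""
    return hmac.new(password, challenge, hashlib.sha256).digest()


def verify(stored_password: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected response and compare in constant time."""
    return hmac.compare_digest(respond(stored_password, challenge), response)


def guess_from_capture(challenge: bytes, response: bytes,
                       wordlist: Iterable[bytes]) -> Optional[bytes]:
    """The remaining weakness of a bare challenge-response: an eavesdropper
    holding one exchange can test password guesses offline. This is why
    EAP-TTLS and PEAP wrap the inner method in TLS."""
    for guess in wordlist:
        if hmac.compare_digest(respond(guess, challenge), response):
            return guess
    return None


if __name__ == "__main__":
    authenticator = os.urandom(16)
    on_wire = pap_hide(b"s3cret", SHARED_SECRET, authenticator)
    print("PAP recovered by secret holder:", pap_recover(on_wire, SHARED_SECRET, authenticator))
    challenge = make_challenge()
    response = respond(b"s3cret", challenge)
    print("challenge-response verifies:", verify(b"s3cret", challenge, response))
    print("replay against new challenge:", verify(b"s3cret", make_challenge(), response))
    print("offline guess:", guess_from_capture(challenge, response, [b"password", b"s3cret"]))
```

The short version: PAP's protection is only as strong as the secrecy of the RADIUS shared secret, and every proxy hop on the path recovers the password in clear; a challenge-response method gives the server proof of the password without receiving it, and running that exchange inside a TLS tunnel removes the offline guessing exposure as well.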