RE: wpa2 freeradius peap rlm_perl
Hi. I have discovered that my goal is possible. However, I had to change the way I was thinking about the authentication. Essentially, the rlm_perl script does not perform the password comparison; it only retrieves the password and makes it available to the mschap module.

Summary: Yes, you can authenticate Windows clients with WPA2 PEAP using a perl script.

--
Ray Eads

-----Original Message-----
From: freeradius-users-bounces+reads=sno-isle@lists.freeradius.org [mailto:freeradius-users-bounces+reads=sno-isle@lists.freeradius.org] On Behalf Of Ray Eads
Sent: Monday, December 05, 2011 14:30
To: 'freeradius-users@lists.freeradius.org'
Subject: wpa2 freeradius peap rlm_perl

Hi. I'm using freeradius-2.1.10-5.el6.x86_64 from RHEL 6. I'd like to use freeradius to accomplish a specific authentication goal, and haven't met with success yet. I'm assuming this is either because the configuration is difficult, or I'm trying to solve the problem the wrong way, or I don't understand the protocols, or a combination of all three.

Essentially, I'd like to have an access point offer WPA2 Enterprise authentication to wireless devices of various makes and models. I'd like the user to submit for traditional username/password authentication to the radius server (without a client side certificate). I'm able to produce a yes/no answer with an rlm_perl script that functions as expected with a normal radius query. My problem is that I haven't been able to connect that rlm script properly when freeradius is contacted as part of an EAP message.

From what I can tell, my choice of Windows compatible EAP types is fairly limited. I've used PEAP in the past, but only with the intended AD repository of passwords. With this application, I'd like to use the rlm_perl script instead of AD accounts as a source of usernames and passwords.

Big picture-wise, am I on the right path, or is this fundamentally the wrong way? I'm imagining a PEAP -> rlm_perl configuration.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
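The arrangement Ray describes, as an added example that is not part of the original post and not FreeRADIUS' shipped example.pl: an rlm_perl module whose authorize function does no password comparison at all. It looks the user up and hands the known-good password to the server through the control list, and rlm_mschap then verifies the MS-CHAPv2 NT-Response against it inside the PEAP inner tunnel. The user table, the lookup_user helper and the file name are assumptions; the %RAD_REQUEST/%RAD_CHECK hashes and the numeric return codes are the rlm_perl interface of FreeRADIUS 2.x, and `func_authorize = authorize` is the default function name in modules/perl.

```perl
# Added example, not Ray's script: an rlm_perl module for FreeRADIUS 2.x that
# follows the approach described above. It never compares a password itself.
# authorize() looks the user up and puts the known-good password into the
# control list (%RAD_CHECK); rlm_mschap then checks the MS-CHAPv2 NT-Response
# against it inside the PEAP inner tunnel.
use strict;
use warnings;

# rlm_perl fills these package hashes before each call into the module.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Module return codes, numbered as rlm_perl expects them.
use constant {
    RLM_MODULE_REJECT   => 0,
    RLM_MODULE_FAIL     => 1,
    RLM_MODULE_OK       => 2,
    RLM_MODULE_HANDLED  => 3,
    RLM_MODULE_INVALID  => 4,
    RLM_MODULE_USERLOCK => 5,
    RLM_MODULE_NOTFOUND => 6,
    RLM_MODULE_NOOP     => 7,
    RLM_MODULE_UPDATED  => 8,
};

# Constructed stand-in for the real user source (assumption: the actual
# script does a DBI query or file lookup here). MS-CHAPv2 only needs the
# NT hash (MD4 over the UTF-16LE password, 32 hex chars as the users file
# accepts it), so storing that instead of cleartext avoids plaintext at
# rest. "bob" carries the well-known NT hash of the string "password".
my %users = (
    alice => { 'Cleartext-Password' => 'correct horse battery staple' },
    bob   => { 'NT-Password'        => '8846F7EAEE8FB117AD06BDD830B7586C' },
);

# Hypothetical lookup; replace with whatever the real script consults.
sub lookup_user {
    my ($name) = @_;
    return $users{$name};
}

# Called from authorize {} of the inner-tunnel virtual server
# (func_authorize = authorize in modules/perl, the default name).
sub authorize {
    # Stripped-User-Name is present when a realm suffix was removed; inside
    # PEAP this is the inner identity, not the possibly anonymous outer one.
    my $name = $RAD_REQUEST{'Stripped-User-Name'};
    $name = $RAD_REQUEST{'User-Name'} unless defined $name && length $name;
    return RLM_MODULE_NOOP unless defined $name && length $name;

    my $rec = lookup_user($name);
    return RLM_MODULE_NOTFOUND unless $rec;

    # Do NOT set $RAD_CHECK{'Auth-Type'} = 'Accept' here: that skips
    # authentication entirely (the radcheck mistake Alan DeKok flags further
    # down this page). Hand over the secret and let rlm_mschap compare.
    for my $attr ('NT-Password', 'Cleartext-Password') {
        if (defined $rec->{$attr}) {
            $RAD_CHECK{$attr} = $rec->{$attr};
            return RLM_MODULE_UPDATED;
        }
    }
    return RLM_MODULE_NOTFOUND;
}

# No authenticate() on purpose: with Auth-Type MS-CHAP the server never
# calls it, and a yes/no answer computed here would be ignored.

# Self-test when run by hand (`perl peap_lookup.pl --selftest`); rlm_perl
# loads the file with an empty @ARGV, so this does not fire in the server.
if (@ARGV && $ARGV[0] eq '--selftest') {
    %RAD_REQUEST = ('User-Name' => 'bob');
    my $rc = authorize();
    print "rc=$rc NT-Password=$RAD_CHECK{'NT-Password'}\n";
}
```

Wire it in by listing `perl` in the authorize section of sites-enabled/inner-tunnel (the default virtual server only ever sees the outer PEAP identity) and keeping `mschap` in both authorize and authenticate, so it sets Auth-Type := MS-CHAP and then does the comparison. In radiusd -X the inner-tunnel request should then show `[mschap] Told to do MS-CHAPv2 for <user> with NT-Password` followed by `MSCHAP Success` rather than `FAILED: No NT/LM-Password`.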
wpa2 freeradius peap rlm_perl
Hi. I'm using freeradius-2.1.10-5.el6.x86_64 from RHEL 6. I'd like to use freeradius to accomplish a specific authentication goal, and haven't met with success yet. I'm assuming this is either because the configuration is difficult, or I'm trying to solve the problem the wrong way, or I don't understand the protocols, or a combination of all three.

Essentially, I'd like to have an access point offer WPA2 Enterprise authentication to wireless devices of various makes and models. I'd like the user to submit for traditional username/password authentication to the radius server (without a client side certificate). I'm able to produce a yes/no answer with an rlm_perl script that functions as expected with a normal radius query. My problem is that I haven't been able to connect that rlm script properly when freeradius is contacted as part of an EAP message.

From what I can tell, my choice of Windows compatible EAP types is fairly limited. I've used PEAP in the past, but only with the intended AD repository of passwords. With this application, I'd like to use the rlm_perl script instead of AD accounts as a source of usernames and passwords.

Big picture-wise, am I on the right path, or is this fundamentally the wrong way? I'm imagining a PEAP -> rlm_perl configuration.

--
Ray Eads (re...@sno-isle.org)
Network Engineer II
Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory
Hi, have you found a solution or a workaround? I have the same problem you experienced. I configured freeradius to talk with LDAP on Mac, but in the end I realized that the clear-text password of the LDAP user isn't saved in the userPassword field. OpenDirectory doesn't use that field and implements the authentication through Kerberos.

I've just recompiled freeradius with the rlm_opendirectory module enabled and now I'm experiencing the problem you were talking about... I suppose I have to install freeradius on the same machine as OpenDirectory. I'm pretty upset about it... it's a little odd.

Have you got some useful information about it? Let me know, please.

Max
Freeradius + PEAP/EAP-MSCHAPv2 + AD 2008
Hey everyone!

I'm trying to configure a FreeRadius server that authenticates with MSCHAPv2 against an Active Directory 2008. It's my first radius install so go easy with me, I'm a noob :)

I've followed the following howto: http://deployingradius.com/documents/configuration/active_directory.html and everything goes fine with the radtest, wbinfo, ntlm_auth and my user is correctly authenticated.

I'm now trying to connect a Windows 7 supplicant using that radius server. (That client is configured to use Microsoft: Protected EAP (PEAP), "validate server certificate" is unchecked and the authentication is on secured password (EAP-MSCHAPv2).)

The problem seems to be that my client stops answering after 4-5 Access-Challenges. I saw the remarks about the xpextensions of the certificates and made sure that the included makefile correctly uses the xpextensions, which it seems to be doing.

The full debug is here: http://pastebin.com/B86AgN1N

It seems that mschap correctly authenticates the user:

Fri Mar 18 09:51:31 2011 : Info: +- entering group authenticate {...}
Fri Mar 18 09:51:31 2011 : Info: [eap] Request found, released from the list
Fri Mar 18 09:51:31 2011 : Info: [eap] EAP/mschapv2
Fri Mar 18 09:51:31 2011 : Info: [eap] processing type mschapv2
Fri Mar 18 09:51:31 2011 : Info: [mschapv2] +- entering group MS-CHAP {...}
Fri Mar 18 09:51:31 2011 : Info: [mschap] Told to do MS-CHAPv2 for gchavepeyer with NT-Password
Fri Mar 18 09:51:31 2011 : Info: [mschap] No NT-Domain was found in the User-Name.
Fri Mar 18 09:51:31 2011 : Info: [mschap] expand: --domain=%{mschap:NT-Domain:-EUROPE} -> --domain=EUROPE
Fri Mar 18 09:51:31 2011 : Info: [mschap] expand: --username=%{mschap:User-Name} -> --username=gchavepeyer
Fri Mar 18 09:51:31 2011 : Info: [mschap] mschap2: 5c
Fri Mar 18 09:51:31 2011 : Info: [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=82d538878ea2db35
Fri Mar 18 09:51:31 2011 : Info: [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=555bd723d3058e951670b77a443550a83f4eab5af5124f1f
Fri Mar 18 09:51:31 2011 : Debug: Exec-Program output: NT_KEY: 99DC7FD7D0C603D05D96779E61DF89AF
Fri Mar 18 09:51:31 2011 : Debug: Exec-Program-Wait: plaintext: NT_KEY: 99DC7FD7D0C603D05D96779E61DF89AF
Fri Mar 18 09:51:31 2011 : Debug: Exec-Program: returned: 0
Fri Mar 18 09:51:31 2011 : Info: [mschap] adding MS-CHAPv2 MPPE keys
Fri Mar 18 09:51:31 2011 : Info: ++[mschap] returns ok
Fri Mar 18 09:51:31 2011 : Debug: MSCHAP Success
Fri Mar 18 09:51:31 2011 : Info: ++[eap] returns handled
} # server inner-tunnel
Fri Mar 18 09:51:31 2011 : Info: [peap] Got tunneled reply code 11
        EAP-Message = 0x011400331a0313002e533d4644354536323645394645383839333042323031364339453731463231323146443337303836
        Message-Authenticator = 0x
        State = 0x3cafd11f3dbbcb7c3fe5efc8d331
Fri Mar 18 09:51:31 2011 : Info: [peap] Got tunneled reply RADIUS code 11
        EAP-Message = 0x011400331a0313002e533d4644354536323645394645383839333042323031364339453731463231323146443337303836
        Message-Authenticator = 0x
        State = 0x3cafd11f3dbbcb7c3fe5efc8d331
Fri Mar 18 09:51:31 2011 : Info: [peap] Got tunneled Access-Challenge
Fri Mar 18 09:51:31 2011 : Info: ++[eap] returns handled
Sending Access-Challenge of id 29 to 10.32.25.204 port 32768
        EAP-Message = 0x0114005b19001703010050efa71e4179b8bba7065b53e5c07cc774ffa8494adc0cd61c810e10ea5af21f52ac755a7f7a908b1c6898ac8039096320bf270f4ff208b22559eb7111f6c2e4412eaad47c33a4e151d5ad626af368c991
        Message-Authenticator = 0x
        State = 0x11c1c21a16d5dba84c633101b1a44bc3
Fri Mar 18 09:51:31 2011 : Info: Finished request 7.
Fri Mar 18 09:51:31 2011 : Debug: Going to the next request
Fri Mar 18 09:51:31 2011 : Debug: Waking up in 4.8 seconds.
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 0 ID 22 with timestamp +27
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 1 ID 23 with timestamp +27
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 2 ID 24 with timestamp +27
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 3 ID 25 with timestamp +27
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 4 ID 26 with timestamp +27
Fri Mar 18 09:51:36 2011 : Debug: Waking up in 0.1 seconds.
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 5 ID 27 with timestamp +27
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 6 ID 28 with timestamp +27
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 7 ID 29 with timestamp +27
Fri Mar 18 09:51:36 2011 : Debug: Ready to process requests.

The server sends an Access-Challenge (instead of an Access-Accept?) again, but the client never answers back and the client gets an "unable to connect to

Can someone please help me with this? (All my configuration is visible in the first debug lines but if needed I can post the content of any file.)

Thanks a lot
Re: Freeradius + PEAP/EAP-MSCHAPv2 + AD 2008
Hi,

> I've followed the following howto : [1]http://deployingradius.com/documents/configuration/active_directory.html and everything goes fine with the radtest, wbinfo, ntlm_auth and my user is correctly authenticated.

my first question is why so old a version of FreeRADIUS if you are only just starting out? 2.1.10 has a LOT of bug fixes compared to the very old 2.1.7 version... dated 14 September 2009, 2.1.7 came out before Windows 7 (*)

Win7 is also VERY fussy about certs. Have you installed the CA cert that your RADIUS server is signed with? I know you haven't ticked the validate button... but Win7 is fussy(!)

alan

(*) release to manufacturing was July 2009, release to retail was Oct 2009
freeradius+peap+mschap+AD
Hi,

I have some strange problems with peap+mschap+AD. I followed the howto on the wiki for AD but with no luck. When authenticating a user I'll get:

Info: ++[mschap] returns ok
Debug: MSCHAP Success

So I assume that the auth. against AD is OK, but then the inner tunnel does something:

} # server inner-tunnel
Mon Apr 26 12:32:15 2010 : Info: [peap] Got tunneled reply code 11
        EAP-Message = 0x010700331a0306002e533d35454536463235384339353037434438373938303137334434424545393533373537304537393443
        Message-Authenticator = 0x
        State = 0x55964b77549151644066a939db03f531
Mon Apr 26 12:32:15 2010 : Info: [peap] Got tunneled reply RADIUS code 11
        EAP-Message = 0x010700331a0306002e533d35454536463235384339353037434438373938303137334434424545393533373537304537393443
        Message-Authenticator = 0x
        State = 0x55964b77549151644066a939db03f531
Mon Apr 26 12:32:15 2010 : Info: [peap] Got tunneled Access-Challenge
Mon Apr 26 12:32:15 2010 : Info: ++[eap] returns handled
Sending Access-Challenge of id 0 to 194.47.88.154 port 2051
        EAP-Message = 0x0107005b19001703010050154c3b195ed5a3fa88fd21477529cf86ee7d1d98cf8eb918036ac8aa14cd6f8c66a1836e9ab27087ad7df766d20447dbce1247b6a9ccf6b4376d854978db210db60f9b3578592123a4c5d43a205e8f79
        Message-Authenticator = 0x
        State = 0x3b975d133d90441898602b7c0076958a
Mon Apr 26 12:32:15 2010 : Info: Finished request 6.

After that nothing happens.

I'm using: FreeRADIUS Version 2.1.1
I have tried both OS X 10.6 and Ubuntu 10.04 clients.
I have tried changing AP from CISCO to a Linksys WRT-54GL with DD-WRT with no luck.

Has anyone any idea on what's wrong?

--
Aniss Nazerian, IT-Department, Linnaeus University
Phone: +46-470-708183, E-mail: aniss.nazer...@vxu.se
O ascii ribbon campaign - stop html mail - www.asciiribbon.org
Re: freeradius+peap+mschap+AD
Hi,

> Info: ++[mschap] returns ok
> Debug: MSCHAP Success
> So I assume that the auth. against AD is OK

not if you haven't done the EAP inner-tunnel stuff yet - unless you mean basic authorize has completed.

> but then the inner tunnel does something

well, it tries to

> Mon Apr 26 12:32:15 2010 : Info: [peap] Got tunneled Access-Challenge
> Mon Apr 26 12:32:15 2010 : Info: ++[eap] returns handled
> Sending Access-Challenge of id 0 to 194.47.88.154 port 2051
>         EAP-Message = 0x0107005b19001703010050154c3b195ed5a3fa88fd21477529cf86ee7d1d98cf8eb918036ac8aa14cd6f8c66a1836e9ab27087ad7df766d20447dbce1247b6a9ccf6b4376d854978db210db60f9b3578592123a4c5d43a205e8f79
>         Message-Authenticator = 0x
>         State = 0x3b975d133d90441898602b7c0076958a

it sends a challenge back to the NAS/AP - but nothing else is happening. so, either the NAS or the client. how have you got the AP set up? 802.1X or WPA-Enterprise? how is the client configured? to use PEAP/MSCHAPv2 or EAP-TTLS/MSCHAPv2? got the required certificate installed on the client?

alan
Re: freeradius+peap+mschap+AD
Hi,

This is what I get.

--
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for usern...@domain.xx with NT-Password
[mschap] expand: %{Stripped-User-Name} -> username
[mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=username
[mschap] No NT-Domain was found in the User-Name.
[mschap] expand: %{mschap:NT-Domain} ->
[mschap] expand: --domain=%{%{mschap:NT-Domain}:-DOMAIN.XX} -> --domain=LNU.SE
[mschap] mschap2: 67
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=756cc36d609e7393
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=29dbc4dc525dd28cac668e57a0d85803996301a054d782fb
Exec-Program output: NT_KEY: A67F6D31D2596CD536AD173AE3DBD480
Exec-Program-Wait: plaintext: NT_KEY: A67F6D31D2596CD536AD173AE3DBD480
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
---

I'm using WPA2-enterprise (tried WPA-ent too). I've tried both PEAP/MSCHAPv2 and EAP-TTLS/MSCHAPv2 and the CA-cert is used on the client.

On 2010-04-26 15:37, Alan Buxey wrote:
> Hi,
>
>> Info: ++[mschap] returns ok
>> Debug: MSCHAP Success
>> So I assume that the auth. against AD is OK
>
> not if you haven't done the EAP inner-tunnel stuff yet - unless you mean basic authorize has completed.
>
>> but then the inner tunnel does something
>
> well, it tries to
>
>> Mon Apr 26 12:32:15 2010 : Info: [peap] Got tunneled Access-Challenge
>> Mon Apr 26 12:32:15 2010 : Info: ++[eap] returns handled
>> Sending Access-Challenge of id 0 to 194.47.88.154 port 2051
>>         EAP-Message = 0x0107005b19001703010050154c3b195ed5a3fa88fd21477529cf86ee7d1d98cf8eb918036ac8aa14cd6f8c66a1836e9ab27087ad7df766d20447dbce1247b6a9ccf6b4376d854978db210db60f9b3578592123a4c5d43a205e8f79
>>         Message-Authenticator = 0x
>>         State = 0x3b975d133d90441898602b7c0076958a
>
> it sends a challenge back to the NAS/AP - but nothing else is happening. so, either the NAS or the client. how have you got the AP set up? 802.1X or WPA-Enterprise? how is the client configured? to use PEAP/MSCHAPv2 or EAP-TTLS/MSCHAPv2? got the required certificate installed on the client?
>
> alan

--
Aniss Nazerian, IT-Department, Linnaeus University
Phone: +46-470-708183, E-mail: aniss.nazer...@vxu.se
O ascii ribbon campaign - stop html mail - www.asciiribbon.org
Re: Freeradius + PEAP.. stuck on validating identity..
On 01/04/2010, at 1:44 PM, Matt Harlum wrote:

> On 01/04/2010, at 7:39 AM, Bruno Kremel wrote:
>
>> On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
>>
>> What should be there? Because I don't know. I am using Daloradius web interface for adding data to database, so I just loaded default daloradius sql which was intended (according to readme of daloradius) for 2.X Freeradius... and added accounts in web interface...
>
> Here's an example from my radcheck table in the SQL Database
>
> +----+-------------+---------------+----+-------------+
> | id | UserName    | Attribute     | op | Value       |
> +----+-------------+---------------+----+-------------+
> |  1 | exampleuser | User-Password | == | password123 |
> +----+-------------+---------------+----+-------------+
>
> This is how yours should be set up, otherwise you will get the validating issue in Windows.

I was wrong, it should be

Here's an example from my radcheck table in the SQL Database

+----+-------------+--------------------+----+-------------+
| id | UserName    | Attribute          | op | Value       |
+----+-------------+--------------------+----+-------------+
|  1 | exampleuser | Cleartext-Password | := | password123 |
+----+-------------+--------------------+----+-------------+

My configuration was wrong it'd seem, I hadn't noticed as I'm primarily using EAP-TLS with EAP-TTLS as a fallback. Didn't test it when I upgraded to 2.x

> Regards,
> Matt Harlum
>
>> To me it seems that name/password was accepted so I have no clue where the problem is..
>>
>>> The password was NOT accepted. It was *ignored*.
>>
>> And what is that Access-Accept on the end of the log?... also radtest gives me Access-Accept only on correct login and password so I think that it's not that SQL...

As Alan said, it was simply ignored because of the misconfiguration

Regards,
Matt Harlum
Re: Freeradius + PEAP.. stuck on validating identity..
2010/4/1 Matt Harlum m...@cactuar.net:
> On 01/04/2010, at 1:44 PM, Matt Harlum wrote:
>
>> On 01/04/2010, at 7:39 AM, Bruno Kremel wrote:
>>
>>> On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
>>>
>>> What should be there? Because I don't know. I am using Daloradius web interface for adding data to database, so I just loaded default daloradius sql which was intended (according to readme of daloradius) for 2.X Freeradius... and added accounts in web interface...
>>
>> Here's an example from my radcheck table in the SQL Database
>>
>> +----+-------------+---------------+----+-------------+
>> | id | UserName    | Attribute     | op | Value       |
>> +----+-------------+---------------+----+-------------+
>> |  1 | exampleuser | User-Password | == | password123 |
>> +----+-------------+---------------+----+-------------+
>>
>> This is how yours should be set up, otherwise you will get the validating issue in Windows.
>
> I was wrong, it should be
>
> Here's an example from my radcheck table in the SQL Database
>
> +----+-------------+--------------------+----+-------------+
> | id | UserName    | Attribute          | op | Value       |
> +----+-------------+--------------------+----+-------------+
> |  1 | exampleuser | Cleartext-Password | := | password123 |
> +----+-------------+--------------------+----+-------------+
>
> My configuration was wrong it'd seem, I hadn't noticed as I'm primarily using EAP-TLS with EAP-TTLS as a fallback. Didn't test it when I upgraded to 2.x
>
>> Regards,
>> Matt Harlum
>>
>>> To me it seems that name/password was accepted so I have no clue where the problem is..
>>>
>>>> The password was NOT accepted. It was *ignored*.
>>>
>>> And what is that Access-Accept on the end of the log?... also radtest gives me Access-Accept only on correct login and password so I think that it's not that SQL...
>
> As Alan said, it was simply ignored because of the misconfiguration
>
> Regards,
> Matt Harlum

Thank you for the answer.. You are right with that sql, it is some mess in daloradius, but I tried to disable SQL and use the /etc/freeradius/users file instead, but I am stuck on "Attempting to authenticate" now.. log says this:

Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.3.1 port 1320, id=0, length=137
Cleaning up request 39 ID 0 with timestamp +589
        User-Name = pokus
        NAS-IP-Address = 192.168.3.1
        Called-Station-Id = 00259c523046
        Calling-Station-Id = 001e650eb532
        NAS-Identifier = 00259c523046
        NAS-Port = 9
        Framed-MTU = 1400
        State = 0x53b1704550ba694fbe3359243d2a2638
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020b00061900
        Message-Authenticator = 0x5fde19c57e8672a11c18b0b34d8c3acd
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = pokus, looking up realm NULL
    rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: EAP packet type response id 11 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.3.1 port 1320
        EAP-Message = 0x010c00061900
        Message-Authenticator = 0x
        State = 0x53b1704557bd694fbe3359243d2a2638
Finished request 40.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 40 ID 0 with timestamp +589
Ready to process requests.

That Access-Challenge should authenticate my client if I am not wrong, but it still shows me "validating identity" and then "attempting to authenticate"...
Re: Freeradius + PEAP.. stuck on validating identity..
On 01/04/2010, at 8:40 PM, Bruno Kremel wrote:

> 2010/4/1 Matt Harlum m...@cactuar.net:
>> On 01/04/2010, at 1:44 PM, Matt Harlum wrote:
>>
>>> On 01/04/2010, at 7:39 AM, Bruno Kremel wrote:
>>>
>>>> On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
>>>>
>>>> What should be there? Because I don't know. I am using Daloradius web interface for adding data to database, so I just loaded default daloradius sql which was intended (according to readme of daloradius) for 2.X Freeradius... and added accounts in web interface...
>>>
>>> Here's an example from my radcheck table in the SQL Database
>>>
>>> +----+-------------+---------------+----+-------------+
>>> | id | UserName    | Attribute     | op | Value       |
>>> +----+-------------+---------------+----+-------------+
>>> |  1 | exampleuser | User-Password | == | password123 |
>>> +----+-------------+---------------+----+-------------+
>>>
>>> This is how yours should be set up, otherwise you will get the validating issue in Windows.
>>
>> I was wrong, it should be
>>
>> Here's an example from my radcheck table in the SQL Database
>>
>> +----+-------------+--------------------+----+-------------+
>> | id | UserName    | Attribute          | op | Value       |
>> +----+-------------+--------------------+----+-------------+
>> |  1 | exampleuser | Cleartext-Password | := | password123 |
>> +----+-------------+--------------------+----+-------------+
>>
>> My configuration was wrong it'd seem, I hadn't noticed as I'm primarily using EAP-TLS with EAP-TTLS as a fallback. Didn't test it when I upgraded to 2.x
>>
>>> Regards,
>>> Matt Harlum
>>>
>>>> To me it seems that name/password was accepted so I have no clue where the problem is..
>>>>
>>>>> The password was NOT accepted. It was *ignored*.
>>>>
>>>> And what is that Access-Accept on the end of the log?... also radtest gives me Access-Accept only on correct login and password so I think that it's not that SQL...
>>
>> As Alan said, it was simply ignored because of the misconfiguration
>>
>> Regards,
>> Matt Harlum
>
> Thank you for the answer.. You are right with that sql, it is some mess in daloradius, but I tried to disable SQL and use the /etc/freeradius/users file instead, but I am stuck on "Attempting to authenticate" now.. log says this:

Are you trying to use EAP-TTLS?

> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.3.1 port 1320, id=0, length=137
> Cleaning up request 39 ID 0 with timestamp +589
>         User-Name = pokus
>         NAS-IP-Address = 192.168.3.1
>         Called-Station-Id = 00259c523046
>         Calling-Station-Id = 001e650eb532
>         NAS-Identifier = 00259c523046
>         NAS-Port = 9
>         Framed-MTU = 1400
>         State = 0x53b1704550ba694fbe3359243d2a2638
>         NAS-Port-Type = Wireless-802.11
>         EAP-Message = 0x020b00061900
>         Message-Authenticator = 0x5fde19c57e8672a11c18b0b34d8c3acd
> +- entering group authorize
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
>     rlm_realm: No '@' in User-Name = pokus, looking up realm NULL
>     rlm_realm: No such realm NULL
> ++[suffix] returns noop
>   rlm_eap: EAP packet type response id 11 length 6
>   rlm_eap: Continuing tunnel setup.
> ++[eap] returns ok
> rad_check_password: Found Auth-Type EAP
> auth: type EAP
> +- entering group authenticate
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/peap
>   rlm_eap: processing type peap
>   rlm_eap_peap: Authenticate
>   rlm_eap_tls: processing TLS
>   rlm_eap_tls: Received EAP-TLS ACK message
>   rlm_eap_tls: ack handshake fragment handler
>   eaptls_verify returned 1
>   eaptls_process returned 13
>   rlm_eap_peap: EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 0 to 192.168.3.1 port 1320
>         EAP-Message = 0x010c00061900
>         Message-Authenticator = 0x
>         State = 0x53b1704557bd694fbe3359243d2a2638
> Finished request 40.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 40 ID 0 with timestamp +589
> Ready to process requests.

Hard for me to tell what's going wrong here, radiusd -X should give more diagnostic information that would help. Also, what was the exact section of your users file like? With obfuscated login credentials of course.

> That Access-Challenge should authenticate my client if I am not wrong, but it still shows me "validating identity" and then "attempting to authenticate"...
Re: Freeradius + PEAP.. stuck on validating identity..
Bruno Kremel wrote:
> Sending Access-Challenge of id 0 to 192.168.3.1 port 1320
>         EAP-Message = 0x010c00061900
>         Message-Authenticator = 0x
>         State = 0x53b1704557bd694fbe3359243d2a2638
> Finished request 40.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 40 ID 0 with timestamp +589
> Ready to process requests.

  This is documented in the FAQ, in the comments in raddb/eap.conf, and on my web site (http://deployingradius.com/). Please read the existing documentation.

> That Access-Challenge should authenticate my client if I am not wrong,

  No.

  Alan DeKok.
Re: Freeradius + PEAP.. stuck on validating identity..
2010/4/1 Alan DeKok al...@deployingradius.com:
> Bruno Kremel wrote:
>> Sending Access-Challenge of id 0 to 192.168.3.1 port 1320
>>         EAP-Message = 0x010c00061900
>>         Message-Authenticator = 0x
>>         State = 0x53b1704557bd694fbe3359243d2a2638
>> Finished request 40.
>> Going to the next request
>> Waking up in 4.9 seconds.
>> Cleaning up request 40 ID 0 with timestamp +589
>> Ready to process requests.
>
>   This is documented in the FAQ, in the comments in raddb/eap.conf, and on my web site (http://deployingradius.com/). Please read the existing documentation.
>
>> That Access-Challenge should authenticate my client if I am not wrong,
>
>   No.
>
>   Alan DeKok.

Thank you for the links... I have read that FAQ and so I copied over the default eap.conf and tried it with the users file.. it is working OK, I can connect to the AP with username/password, but when I tried to use SQL (I have the correct format in SQL now) again it ends up with Access-Reject:

rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [pokus2/<via Auth-Type = EAP>] (from client ciscorouter port 44 cli 001e650ece6c)
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> pokus2
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 23 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 23
Sending Access-Reject of id 0 to 192.168.3.1 port 1327
        EAP-Message = 0x040a0004
        Message-Authenticator = 0x
Waking up in 4.9 seconds.
Cleaning up request 23 ID 0 with timestamp +735
Ready to process requests.

But radtest gives me:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 54224, id=218, length=57
        User-Name = test2
        User-Password = pokus2
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 1812
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = test2, looking up realm NULL
    rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
        expand: %{User-Name} -> test2
rlm_sql (sql): sql_set_user escaped user --> 'test2'
rlm_sql (sql): Reserving sql socket id: 2
        expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test2' ORDER BY id
rlm_sql (sql): User found in radcheck table
        expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test2' ORDER BY id
        expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'test2' ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
rad_check_password: Found Auth-Type
auth: type PAP
+- entering group PAP
rlm_pap: login attempt with password pokus2
rlm_pap: Using clear text password pokus2
rlm_pap: User authenticated successfully
++[pap] returns ok
Login OK: [test2/pokus2] (from client localhost port 1812)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 218 to 127.0.0.1 port 54224
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 10 ID 218 with timestamp +263
Ready to process requests.

So is it a sql problem or something with eap?
Re: Freeradius + PEAP.. stuck on validating identity..
Bruno Kremel wrote:
> I am posting the full log; the first is radtest accepted and the others are failed logins from the wifi client with 2 different accounts...
> FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Mar 29 2010 at 15:58:09

  You should probably upgrade to 2.1.8. It has a lot of fixes and features over 2.0.4.

> server inner-tunnel {
> +- entering group authorize
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[unix] returns notfound
>     rlm_realm: No '@' in User-Name = 123, looking up realm NULL
>     rlm_realm: No such realm NULL
> ++[suffix] returns noop
> ++[control] returns noop
>   rlm_eap: EAP packet type response id 8 length 62
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop

  And no sql. Edit raddb/sites-available/inner-tunnel, and add sql to the authorize section. It's already there, so you likely just have to uncomment it.

>   rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
>   rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
>   rlm_mschap: Told to do MS-CHAPv2 for 123 with NT-Password
>   rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
>   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

  Yup. No known good password means no authentication.

  You could also try: http://networkradius.com/freeradius.html

  This lets you cut and paste the debug output into a form. The response is a colorized HTML page indicating common errors, and things you should look into. It won't catch this problem, but it will highlight the fact that there was no known good password for the user.

  Alan DeKok.
Freeradius + PEAP.. stuck on validating identity..
Hi,

I have freeradius for WPA2 Enterprise authentication in a small network in a library, it is the stable version (2.0.4) on Debian Lenny compiled from sources with OpenSSL support.. Everything seems to be OK, but when I try to connect to the AP from a laptop with Windows XP, after I enter name and password I am stuck on "Validating identity", same on an Ubuntu machine... My configuration is pretty much default except for enabling MySQL and setting paths and passwords to certificates (generated with the make script in /etc/freeradius/certs, so they should be OK) and addresses of clients.

This is what freeradius -X gives me when I try to connect to the AP:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.3.1 port 1291, id=0, length=123
        User-Name = pokus
        NAS-IP-Address = 192.168.3.1
        Called-Station-Id = 00259c523046
        Calling-Station-Id = 001e650eb532
        NAS-Identifier = 00259c523046
        NAS-Port = 9
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020a01706f6b7573
        Message-Authenticator = 0x634f3b088572fda3a12eca56ed6035b9
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = pokus, looking up realm NULL
    rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: EAP packet type response id 0 length 10
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
        expand: %{User-Name} -> pokus
rlm_sql (sql): sql_set_user escaped user --> 'pokus'
rlm_sql (sql): Reserving sql socket id: 3
        expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'pokus' ORDER BY id
rlm_sql (sql): User found in radcheck table
        expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'pokus' ORDER BY id
        expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'pokus' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type Accept
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [pokus/<via Auth-Type = Accept>] (from client router port 9 cli 001e650eb532)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 0 to 192.168.3.1 port 1291
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 0 with timestamp +59
Ready to process requests.

To me it seems that name/password was accepted so I have no clue where the problem is..

Thank you in advance for any help..
Re: Freeradius + PEAP.. stuck on validating identity..
Bruno Kremel wrote:
> My configuration is pretty much default except for enabling MySQL and setting paths and passwords to certificates (generated with the make script in /etc/freeradius/certs, so they should be OK) and addresses of clients.

And what did you put in SQL?

>     expand: %{User-Name} -> pokus
>     rlm_sql (sql): sql_set_user escaped user --> 'pokus'
>     rlm_sql (sql): Reserving sql socket id: 3
>     expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'pokus' ORDER BY id
>     rlm_sql (sql): User found in radcheck table
>     expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'pokus' ORDER BY id
>     expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'pokus' ORDER BY priority
> ...
>     rad_check_password: Found Auth-Type Accept
>     rad_check_password: Auth-Type = Accept, accepting the user

Why did you put Auth-Type = Accept in SQL? It's breaking the server. Delete it.

> To me it seems that name/password was accepted, so I have no clue where the problem is..

The password was NOT accepted. It was *ignored*.

Alan DeKok.
Re: Freeradius + PEAP.. stuck on validating identity..
On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
> Bruno Kremel wrote:
>> My configuration is pretty much default except for enabling MySQL and setting paths and passwords to certificates (generated with the make script in /etc/freeradius/certs, so they should be OK) and addresses of clients.
>
> And what did you put in SQL?
>
>>     expand: %{User-Name} -> pokus
>>     rlm_sql (sql): sql_set_user escaped user --> 'pokus'
>>     rlm_sql (sql): Reserving sql socket id: 3
>>     expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'pokus' ORDER BY id
>>     rlm_sql (sql): User found in radcheck table
>>     expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'pokus' ORDER BY id
>>     expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'pokus' ORDER BY priority
>> ...
>>     rad_check_password: Found Auth-Type Accept
>>     rad_check_password: Auth-Type = Accept, accepting the user
>
> Why did you put Auth-Type = Accept in SQL? It's breaking the server. Delete it.

What should be there? Because I don't know. I am using the daloRADIUS web interface for adding data to the database, so I just loaded the default daloRADIUS SQL, which was intended (according to the readme of daloRADIUS) for 2.X FreeRADIUS... and added accounts in the web interface...

>> To me it seems that name/password was accepted, so I have no clue where the problem is..
>
> The password was NOT accepted. It was *ignored*.

And what is that Access-Accept at the end of the log?... Also radtest gives me Access-Accept only on correct login and password, so I think that it's not that SQL...

> Alan DeKok.

Thank you for the answer.
Re: Freeradius + PEAP.. stuck on validating identity..
Bruno Kremel wrote:
>> Why did you put Auth-Type = Accept in SQL? It's breaking the server. Delete it.
>
> What should be there?

The user's password?

> Because I don't know. I am using the daloRADIUS web interface for adding data to the database, so I just loaded the default daloRADIUS SQL, which was intended (according to the readme of daloRADIUS) for 2.X FreeRADIUS... and added accounts in the web interface...

<shrug> I don't use daloradius. All I know is from the debug output, which shows that the server isn't configured properly.

> And what is that Access-Accept at the end of the log?...

It's useless. The EAP conversation has been short-circuited, and the user WILL NOT end up being online.

> Also radtest gives me Access-Accept only on correct login and password, so I think that it's not that SQL...

Since you obviously know the product better than I do, good luck solving the problem.

Alan DeKok.
Re: Freeradius + PEAP.. stuck on validating identity..
On 01/04/2010, at 7:39 AM, Bruno Kremel wrote:
> On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
>
> What should be there? Because I don't know. I am using the daloRADIUS web interface for adding data to the database, so I just loaded the default daloRADIUS SQL, which was intended (according to the readme of daloRADIUS) for 2.X FreeRADIUS... and added accounts in the web interface...

Here's an example from my radcheck table in the SQL database:

    +----+-------------+---------------+----+-------------+
    | id | UserName    | Attribute     | op | Value       |
    +----+-------------+---------------+----+-------------+
    |  1 | exampleuser | User-Password | == | password123 |
    +----+-------------+---------------+----+-------------+

This is how yours should be set up, otherwise you will get the validating issue in Windows.

>>> To me it seems that name/password was accepted, so I have no clue where the problem is..
>>
>> The password was NOT accepted. It was *ignored*.
>
> And what is that Access-Accept at the end of the log?... Also radtest gives me Access-Accept only on correct login and password, so I think that it's not that SQL...

As Alan said, it was simply ignored because of the misconfiguration.

Regards,
Matt Harlum
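The fix discussed in this thread in working form, as an added example rather than anything from the list, from daloRADIUS or from FreeRADIUS: a small Python script that loads a radcheck table of the shape the SQL module queries in the debug output above (constructed rows, in an in-memory SQLite database) and reports the two conditions that produce the "Validating identity" hang. The first is an Auth-Type Accept row, which makes rad_check_password accept the request before any authentication module runs, so the EAP exchange is never finished. The second is a user with no password attribute that mschap could verify an MS-CHAPv2 response against (it needs the NT hash, so a cleartext password or NT-Password; one-way hashes such as Crypt-Password cannot be used). The usernames, passwords and the extra rows are assumptions for the demo.

```python
"""Audit a FreeRADIUS 2.x 'radcheck' table for check items that break PEAP.

Added example; not code from the mailing-list thread, FreeRADIUS or daloRADIUS.
The column layout (id, username, attribute, op, value) is the one the server's
debug output above selects; the rows below are constructed for the demo.
"""
import sqlite3

# Password attributes the mschap module can verify an MS-CHAPv2 response
# against: it needs the NT hash, which it derives from a cleartext password
# (Cleartext-Password, or the legacy "User-Password ==" form) or reads from
# NT-Password. One-way hashes such as Crypt-Password cannot be used.
MSCHAP_USABLE = {"Cleartext-Password", "User-Password", "NT-Password"}

SCHEMA = """
CREATE TABLE radcheck (
    id        INTEGER PRIMARY KEY,
    username  TEXT NOT NULL,
    attribute TEXT NOT NULL,
    op        TEXT NOT NULL,
    value     TEXT NOT NULL
);
"""

# Constructed sample rows (assumption: what a GUI such as daloRADIUS might have
# written). 'pokus' mirrors the broken entry in the thread, 'exampleuser' the
# working one from Matt's table; the others are further cases.
SAMPLE_ROWS = [
    ("pokus",       "Auth-Type",          ":=", "Accept"),
    ("exampleuser", "User-Password",      "==", "password123"),
    ("alice",       "Cleartext-Password", ":=", "s3cret"),
    ("bob",         "Crypt-Password",     ":=", "$1$saltsalt$placeholderhash"),
    ("carol",       "Auth-Type",          ":=", "Accept"),
    ("carol",       "Cleartext-Password", ":=", "also-s3cret"),
]


def open_sample_db():
    """In-memory radcheck table filled with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    conn.commit()
    return conn


def audit_radcheck(conn):
    """Return {username: [problem, ...]} for users whose check items would
    either bypass the password check or leave mschap nothing to check against."""
    rows = conn.execute(
        "SELECT username, attribute, op, value FROM radcheck ORDER BY id"
    ).fetchall()
    items_by_user = {}
    for username, attribute, op, value in rows:
        items_by_user.setdefault(username, []).append((attribute, op, value))

    problems = {}
    for username, items in items_by_user.items():
        found = []
        for attribute, _op, value in items:
            # rad_check_password sees Auth-Type Accept and accepts the request
            # without running any authentication module: the inner EAP method
            # never completes, which is the "Validating identity" hang.
            if attribute == "Auth-Type" and value.lower() == "accept":
                found.append("Auth-Type Accept: password ignored, EAP short-circuited")
        if not any(attribute in MSCHAP_USABLE for attribute, _, _ in items):
            found.append("no Cleartext-Password/User-Password/NT-Password for MS-CHAPv2")
        if found:
            problems[username] = found
    return problems


def repair_user(conn, username, cleartext_password):
    """Remove Auth-Type overrides for a user and, if no usable password is
    stored, add the Cleartext-Password := form FreeRADIUS 2.x recommends."""
    conn.execute(
        "DELETE FROM radcheck WHERE username = ? AND attribute = 'Auth-Type'",
        (username,),
    )
    has_usable = conn.execute(
        "SELECT COUNT(*) FROM radcheck WHERE username = ? AND attribute IN (?, ?, ?)",
        (username, *sorted(MSCHAP_USABLE)),
    ).fetchone()[0]
    if not has_usable:
        conn.execute(
            "INSERT INTO radcheck (username, attribute, op, value) "
            "VALUES (?, 'Cleartext-Password', ':=', ?)",
            (username, cleartext_password),
        )
    conn.commit()


if __name__ == "__main__":
    db = open_sample_db()
    for user, issues in audit_radcheck(db).items():
        print(user, "->", "; ".join(issues))
    repair_user(db, "pokus", "password123")
    print("after repair:", audit_radcheck(db))
```

The queries use only the columns the SQL module itself selects, so the same functions can be pointed at a real MySQL or PostgreSQL backend by swapping the connection object. Matt's User-Password == row passes the audit because 2.x still honours that legacy form; new entries are better written as Cleartext-Password :=, which is what repair_user inserts.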
Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory
I configured the LDAP module to talk to Open Directory; based on the debug it looks like the password is fetched from OD, but the authentication always fails. Is there any guide for integrating freeRADIUS+ldap+OD? I set up freeRADIUS to talk to OpenLDAP and it works well. Can OD return the cleartext password like OpenLDAP does?

John.

--- On Mon, 15 Mar 2010, Alan DeKok <al...@deployingradius.com> wrote:

> From: Alan DeKok <al...@deployingradius.com>
> Subject: Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory
> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> Date: Mon, 15 Mar 2010, 12:59 PM
>
> John wrote:
>> Hello, We want to setup freeRADIUS with Peap/MSCHAPv2 talk to Apple Open Directory. I found this option 'use_open_directory'. But looks we need to install freeRADIUS on the same machine with Open Directory. (https://lists.freeradius.org/pipermail/freeradius-users/2010-February/msg00307.html) Do we have to run freeRADIUS on the same machine with OpenDirectory?
>
> Yes.
>
>> Is there a work-around that we can run freeRADIUS seperate from OpenDirectory?
>
> OpenDirectory is an LDAP server. Configure that way in FreeRADIUS. It might work.
>
> Alan DeKok.
Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory
I attached the captured packets. Please open it with wireshark. The password from OD is “”. It is neither a cleartext password nor an encrypted password.

--- On Thu, 18 Mar 2010, John <elmer_rad...@yahoo.com.cn> wrote:

> From: John <elmer_rad...@yahoo.com.cn>
> Subject: Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory
> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> Date: Thu, 18 Mar 2010, 7:01 PM
>
> I configured the LDAP module to talk to Open Directory; based on the debug it looks like the password is fetched from OD, but the authentication always fails. Is there any guide for integrating freeRADIUS+ldap+OD? I set up freeRADIUS to talk to OpenLDAP and it works well. Can OD return the cleartext password like OpenLDAP does?
>
> John.
>
> --- On Mon, 15 Mar 2010, Alan DeKok <al...@deployingradius.com> wrote:
>> [...]

- attachment follows -

ODldap.pcap
Description: Binary data
Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory
Hello,

We want to set up freeRADIUS with PEAP/MSCHAPv2 talking to Apple Open Directory. I found this option 'use_open_directory'. But it looks like we need to install freeRADIUS on the same machine as Open Directory (https://lists.freeradius.org/pipermail/freeradius-users/2010-February/msg00307.html). Do we have to run freeRADIUS on the same machine as OpenDirectory? Is there a work-around so that we can run freeRADIUS separate from OpenDirectory?

Best.
John
Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory
John wrote:
> Hello, We want to set up freeRADIUS with PEAP/MSCHAPv2 talking to Apple Open Directory. I found this option 'use_open_directory'. But it looks like we need to install freeRADIUS on the same machine as Open Directory (https://lists.freeradius.org/pipermail/freeradius-users/2010-February/msg00307.html). Do we have to run freeRADIUS on the same machine as OpenDirectory?

Yes.

> Is there a work-around so that we can run freeRADIUS separate from OpenDirectory?

OpenDirectory is an LDAP server. Configure that way in FreeRADIUS. It might work.

Alan DeKok.
Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory
Moritz Dereschkewitz wrote:
> Wow, that sounds great. I haven't read about the use_open_directory option yet. Do I have to configure the mschap module to connect to the OD, since Freeradius is not running on the Apple server? E.g. specify the server address? Or does it find the server automatically?

You need to run FreeRADIUS on the same machine as Open Directory.

Alan DeKok.
Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory
Hello List!

I got a machine up and running Freeradius 2.1.0 with SSL support to secure a Wireless LAN. In our school's network we (have to) use an Apple Mac OS X 10.4 Server with Samba as the PDC. Samba stores the user information using the OpenDirectory on the same server, using the NTLM password hashes... so far, there should be no problem for Freeradius using LDAP to connect to the OD and retrieve the NTLM hash to authenticate the wireless clients.

But: the Apple version of Samba/OD doesn't store the password hashes in a single attribute like "ntPassword" but has an attribute authAuthority wherein I can find the password hash along with other data. It looks as follows:

    ;ApplePasswordServer;0x483c17c8243ef2e500630063,1024 35 125970781877265371419068079752014021791262844836946048377957311154497136228042965757375847122307734052483074746624578126000618735633773317278498981627114249689772743602420918339130341864974993436477801319895573061225381390477597326815293162022588098739972549400419565510594125451003170841605019718114727580097 r...@schulserver.intern:10.10.1.1

Question: is there a possibility of modifying the LDAP return value (e.g. by a regex) so that I only get the hash? I've searched the web for over two weeks now, but haven't found an answer that satisfies me.

I know I could also use ntlm_auth for authentication, but as far as I can see, I couldn't select a user group to be granted access. Either all users that Samba knows or none. Via LDAP/OD I could select a single group (e.g. named "WirelessAccess") that will be successfully granted access to the Wireless. Or am I mistaken at that point?

Any help would be greatly appreciated!

Thanks in advance,
moenster
Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory
Moe D. wrote:
> I got a machine up and running Freeradius 2.1.0 with SSL support to secure a Wireless LAN. In our school's network we (have to) use an Apple Mac OS X 10.4 Server with Samba as the PDC. Samba stores the user information using the OpenDirectory on the same server, using the NTLM password hashes... so far, there should be no problem for Freeradius using LDAP to connect to the OD and retrieve the NTLM hash to authenticate the wireless clients.

Use the mschap module. Apple has contributed code to make FreeRADIUS work with Open Directory. Edit the mschap configuration, and add:

    use_open_directory = yes

That's it. You may need to use a more recent version of FreeRADIUS. I suggest 2.1.8.

Alan DeKok.
Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory
On 13.02.2010 08:21, Alan DeKok wrote:
> Moe D. wrote:
>> I got a machine up and running Freeradius 2.1.0 with SSL support to secure a Wireless LAN. In our school's network we (have to) use an Apple Mac OS X 10.4 Server with Samba as the PDC. Samba stores the user information using the OpenDirectory on the same server, using the NTLM password hashes... so far, there should be no problem for Freeradius using LDAP to connect to the OD and retrieve the NTLM hash to authenticate the wireless clients.
>
> Use the mschap module. Apple has contributed code to make FreeRADIUS work with Open Directory. Edit the mschap configuration, and add:
>
>     use_open_directory = yes
>
> That's it. You may need to use a more recent version of FreeRADIUS. I suggest 2.1.8.
>
> Alan DeKok.

Wow, that sounds great. I haven't read about the use_open_directory option yet. Do I have to configure the mschap module to connect to the OD, since Freeradius is not running on the Apple server? E.g. specify the server address? Or does it find the server automatically?

Thanks for your help so far, Alan!

moenster
Re: 802.1x with freeradius + PEAP + 3com Switch
t...@kalik.net wrote:
> That should be:
>
>     ldap ldap1 {
>         ..
>     }
>     ldap ldap2 {
>         ..
>     }
>
> What I wrote should go in the authorize section instead of the ldap entry.

Hi,

Thanks a zillion times ;)

Laurent
802.1x with freeradius + PEAP + 3com Switch
Hi,

I managed to get authentication of users logged on Windows XP workstations to the network. The machine authentication (while booting) however fails, thus preventing the users from retrieving their roaming profiles.

Here is the relevant part of the log:

    Thu Feb 5 14:39:16 2009 : Debug: rlm_ldap: - authorize
    Thu Feb 5 14:39:16 2009 : Debug: rlm_ldap: performing user authorization for host/mycomputer
    Thu Feb 5 14:39:16 2009 : Debug: radius_xlat: Running registered xlat function of module mschap for string 'User-Name:None'
    Thu Feb 5 14:39:16 2009 : Debug: expand: (uid=%{mschap:User-Name:None}) -> (uid=mycomputer$)
    Thu Feb 5 14:39:16 2009 : Debug: expand: ou=People,dc=mycompany,dc=com -> ou=People,dc=mycompany,dc=com
    Thu Feb 5 14:39:16 2009 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
    Thu Feb 5 14:39:16 2009 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
    Thu Feb 5 14:39:16 2009 : Debug: rlm_ldap: attempting LDAP reconnection

It seems freeradius tries to authenticate the computer from the ou=People,dc=mydomain,dc=com.

In radiusd.conf I have the following:

    ldap {
        server = 192.168.0.3
        identity = uid=dot1x_read_user,ou=People,dc=mydomain,dc=com
        password = ldapreadpasswd
        basedn = ou=People,dc=mydomain,dc=com
        filter = (uid=%{mschap:User-Name:None})
    }

I now need to instruct the ldap to search in ou=Computers,dc=mydomain,dc=com for the computers' authentication. How do I do this while preserving the working users auth?

Thanks

Laurent
Re: 802.1x with freeradius + PEAP + 3com Switch
> It seems freeradius tries to authenticate the computer from the ou=People,dc=mydomain,dc=com.
>
> In radiusd.conf I have the following:
>
>     ldap {
>         server = 192.168.0.3
>         identity = uid=dot1x_read_user,ou=People,dc=mydomain,dc=com
>         password = ldapreadpasswd
>         basedn = ou=People,dc=mydomain,dc=com
>         filter = (uid=%{mschap:User-Name:None})
>     }
>
> I now need to instruct the ldap to search in ou=Computers,dc=mydomain,dc=com for the computers' authentication. How do I do this while preserving the working users auth?

Make another ldap instance that has that basedn. Machine usernames have $ at the end - use unlang to test for that and switch ldap instance as required.

Ivan Kalik
Kalik Informatika ISP
Re: 802.1x with freeradius + PEAP + 3com Switch
>> Make another ldap instance that has that basedn. Machine usernames have $ at the end - use unlang to test for that and switch ldap instance as required.
>
> I see how to create another instance but really don't see where and how to use unlang to switch between the 2 instances depending on the username.
>
> Any clue?

regex.

Ivan Kalik
Kalik Informatika ISP
Re: 802.1x with freeradius + PEAP + 3com Switch
t...@kalik.net wrote:
> regex.

Thanks Ivan,

Can you please give me some hint about what to put in the config's stanzas?

Thanks
Re: 802.1x with freeradius + PEAP + 3com Switch
    if (User-Name =~ /\$$/) {
        ldapmachine
    } else {
        ldapuser
    }

Ivan Kalik
Kalik Informatika ISP

On 5/2/2009, Laurent CARON <lca...@lncsa.com> wrote:
> t...@kalik.net wrote:
>> regex.
>
> Thanks Ivan,
>
> Can you please give me some hint about what to put in the config's stanzas?
>
> Thanks
Re: 802.1x with freeradius + PEAP + 3com Switch
t...@kalik.net wrote:
>     if (User-Name =~ /\$$/) {
>         ldapmachine
>     } else {
>         ldapuser
>     }

In my radiusd.conf file I've got 2 stanzas like this:

    ldap {
        server =
        port =
    }
    ldap2 {
        server =
        port =
    }

I did copy/paste the lines you gave me just over the first "server = ..." line but it doesn't seem to do anything.

Any clue?

Thanks
Re: 802.1x with freeradius + PEAP + 3com Switch
> In my radiusd.conf file I've got 2 stanzas like this:
>
>     ldap {
>         server =
>         port =
>     }
>     ldap2 {
>         server =
>         port =
>     }
>
> I did copy/paste the lines you gave me just over the first "server = ..." line but it doesn't seem to do anything.
>
> Any clue?

That should be:

    ldap ldap1 {
        ..
    }
    ldap ldap2 {
        ..
    }

What I wrote should go in the authorize section instead of the ldap entry.

Ivan Kalik
Kalik Informatika ISP
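The routing decision this thread arrives at, as an added example that is not code from the thread or from FreeRADIUS: a Python script that reproduces what the unlang snippet does (a User-Name ending in $ goes to the machine instance, anything else to the user instance) together with the name normalisation visible in Laurent's debug output, where the request for host/mycomputer is searched as (uid=mycomputer$). The instance names, the ou=Computers base DN, the sample identities and the exact rules of the %{mschap:User-Name} expansion (domain prefix dropped, host/name.domain shortened to name$) are assumptions for the demo; the script also escapes the value before building the LDAP filter, which the bare (uid=%{mschap:User-Name:None}) line in the thread does not do.

```python
r"""Route 802.1X identities to a user or a machine LDAP instance.

Added example; not code from the thread or from FreeRADIUS. It reproduces in
Python the decision the unlang snippet makes:

    if (User-Name =~ /\$$/) { ldapmachine } else { ldapuser }

plus the name normalisation the debug output shows ('host/mycomputer' is
looked up as 'mycomputer$'). Instance names, the ou=Computers basedn, the
sample identities and the precise rules of the mschap User-Name expansion are
assumptions for the demo.
"""
import re

LDAP_INSTANCES = {
    "ldapuser":    "ou=People,dc=mydomain,dc=com",     # basedn from the thread
    "ldapmachine": "ou=Computers,dc=mydomain,dc=com",  # assumed basedn for machines
}

# The unlang test from the thread: a trailing '$' marks a machine account.
MACHINE_RE = re.compile(r"\$$")


def mschap_user_name(user_name):
    r"""Approximation of %{mschap:User-Name} (assumption, see module docstring):
    'MYDOMAIN\jdoe' -> 'jdoe', 'host/pc01.mydomain.com' -> 'pc01$'."""
    name = user_name
    if "\\" in name:                      # strip an NT domain prefix
        name = name.split("\\", 1)[1]
    if name.startswith("host/"):          # machine authenticating as host/<fqdn>
        name = name[len("host/"):].split(".", 1)[0] + "$"
    return name


def select_ldap_instance(user_name):
    """Return (instance, normalised name, basedn) for a request's User-Name."""
    name = mschap_user_name(user_name)
    instance = "ldapmachine" if MACHINE_RE.search(name) else "ldapuser"
    return instance, name, LDAP_INSTANCES[instance]


def ldap_filter(user_name):
    """Expand the thread's filter, (uid=%{mschap:User-Name:None}), with the
    value escaped per RFC 4515 so a crafted identity cannot alter the filter."""
    _, name, _ = select_ldap_instance(user_name)
    escaped = (name.replace("\\", "\\5c")
                   .replace("*", "\\2a")
                   .replace("(", "\\28")
                   .replace(")", "\\29")
                   .replace("\x00", "\\00"))
    return "(uid=%s)" % escaped


if __name__ == "__main__":
    for identity in ("jdoe", "MYDOMAIN\\jdoe", "host/mycomputer",
                     "host/pc01.mydomain.com", "mycomputer$"):
        instance, name, basedn = select_ldap_instance(identity)
        print("%-24s -> %-11s %-12s %s  %s"
              % (identity, instance, name, basedn, ldap_filter(identity)))
```

The same split carries over to the server configuration: keep the two ldap instances with different basedn values as Ivan describes, and let the unlang block in authorize pick one. If the filter in the real config is built from a user-controlled attribute, the escaping shown in ldap_filter is what the LDAP module's own %{...} expansion has to provide.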
Re: Freeradius, PEAP, Active Directory and --require-membership-of
Vieri wrote:
> However, user authentication is rejected when I add the --domain parameter:
>
>     ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

And you didn't post the debug output as suggested in the FAQ, README, INSTALL, and daily on this list.

Knowing WHY it was rejected, and WHAT ERROR was produced is key information that is needed to be able to solve the problem.

Alan DeKok.
Re: Freeradius, PEAP, Active Directory and --require-membership-of
Pal, if you are using the freeradius binary version, as I was using before, you can debug by typing freeradius -X. If you are using the compiled version, as I did a few days ago, it should work only by typing radiusd -X.

PS: my freeradius is still not authenticating against AD :-(

--- On Thu, 2/10/08, Nicolas Goutte [EMAIL PROTECTED] wrote:

> From: Nicolas Goutte [EMAIL PROTECTED]
> Subject: Re: Freeradius, PEAP, Active Directory and --require-membership-of
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Date: Thursday, 2 October 2008, 6:09
>
> On 02.10.2008 at 19:46, Vieri wrote:
>> --- On Thu, 10/2/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>>> As with every other freeradius problem - when it doesn't work - debug (radiusd -X).
>>
>> That's how I'm running it. Does the list mind if I post the debug lines?
>
> Asking for the output of radiusd -X is the most frequent answer on this mailing list and so it is not a problem to see such outputs on this mailing list. However please check first by yourself that you have not missed an error message that would bring you in the right direction. (Because that is probably the second most frequent answer.)
>
> Have a nice day!
>
> Nicolas Goutte
> [...]
Re: Freeradius, PEAP, Active Directory and --require-membership-of
Don't hijack other people's thread.

BTW did you fix the users file entry so the server can start up?

Ivan Kalik
Kalik Informatika ISP

On 3/10/2008, luis a [EMAIL PROTECTED] wrote:
> Pal, if you are using the freeradius binary version, as I was using before, you can debug by typing freeradius -X. If you are using the compiled version, as I did a few days ago, it should work only by typing radiusd -X.
>
> PS: my freeradius is still not authenticating against AD :-(
>
> --- On Thu, 2/10/08, Nicolas Goutte [EMAIL PROTECTED] wrote:
>> [...]
Re: Freeradius, PEAP, Active Directory and --require-membership-of
Use:

    --username=%{mschap:User-Name}

and it should work.

Ivan Kalik
Kalik Informatika ISP

On 3/10/2008, Vieri [EMAIL PROTECTED] wrote:
> --- On Thu, 10/2/08, Vieri [EMAIL PROTECTED] wrote:
>> I'm running freeradius-2.0.5 on Linux. My setup is as follows:
>>
>> Windows Vista native client - Linksys AP - FreeRadius Linux server (PEAP/mschapv2) - Active Directory Windows server
>>
>> Everything works smoothly with the following ntlm_auth parameters in the mschap module:
>>
>>     ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>>
>> However, user authentication is rejected when I add the --domain parameter:
>>
>>     ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>>
>> (from the Windows Vista client I obviously set the DOMAIN field; besides, if I run the freeradius daemon with debug enabled I see that it correctly receives 'DOMAIN\username')
>>
>> For starters, I don't understand why authentication fails if I add --domain. How can I find out why?
>>
>> Then, adding --require-membership-of with or without --domain also fails.
>>
>>     ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{Stripped-User-Name:-%{User-Name:-None}} --require-membership-of='DOMAIN\\WIFI' --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>>
>> Finally, running ntlm_auth from the command line yields:
>>
>>     # ntlm_auth --request-nt-key --domain=DOMAIN --username=myuser --require-membership-of='DOMAIN\\WIFI'
>>     password:
>>     NT_STATUS_OK: Success (0x0)
>
> I found this in the radiusd debug log:
>
>     [2008/10/03 09:39:30, 0] utils/ntlm_auth.c:get_require_membership_sid(237)
>       Winbindd lookupname failed to resolve 'DOMAIN\WIFI' into a SID!
>
> so I removed the '' in the ntlm_auth string like this:
>
>     ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=DOMAIN --require-membership-of=DOMAIN\\WIFI --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>
> and now it works.
>
> So this leads me to ask how I can specify group names with spaces such as 'WIFI 1'.
>
> Also, I had to specify the domain explicitly either via --domain=DOMAIN or --domain=%{mschap:NT-Domain:-DOMAIN}. In the latter case, authentication succeeds only if the client does NOT specify a domain in the domain or user field.
>
> So I'm attaching some debug outputs with the hope that someone can shed some light on this aspect which I obviously don't grasp.
>
> Thanks,
>
> Vieri
Freeradius, PEAP, Active Directory and --require-membership-of
Hi,

I'm running freeradius-2.0.5 on Linux. My setup is as follows:

Windows Vista native client - Linksys AP - FreeRadius Linux server (PEAP/mschapv2) - Active Directory Windows server

Everything works smoothly with the following ntlm_auth parameters in the mschap module:

    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

However, user authentication is rejected when I add the --domain parameter:

    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

(from the Windows Vista client I obviously set the DOMAIN field; besides, if I run the freeradius daemon with debug enabled I see that it correctly receives 'DOMAIN\username')

For starters, I don't understand why authentication fails if I add --domain. How can I find out why?

Then, adding --require-membership-of with or without --domain also fails.

    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{Stripped-User-Name:-%{User-Name:-None}} --require-membership-of='DOMAIN\\WIFI' --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

Finally, running ntlm_auth from the command line yields:

    # ntlm_auth --request-nt-key --domain=DOMAIN --username=myuser --require-membership-of='DOMAIN\\WIFI'
    password:
    NT_STATUS_OK: Success (0x0)

Could it be a bug in the freeradius version I'm running? Can anyone please suggest how I can debug this (not a radius expert ;-) )?

Regards,

Vieri
Re: Freeradius, PEAP, Active Directory and --require-membership-of
As with every other freeradius problem - when it doesn't work - debug (radiusd -X).

Ivan Kalik
Kalik Informatika ISP

On 2/10/2008, Vieri [EMAIL PROTECTED] wrote:
> Hi,
>
> I'm running freeradius-2.0.5 on Linux. My setup is as follows:
>
> Windows Vista native client - Linksys AP - FreeRadius Linux server (PEAP/mschapv2) - Active Directory Windows server
>
> Everything works smoothly with the following ntlm_auth parameters in the mschap module:
> [...]
> Could it be a bug in the freeradius version I'm running? Can anyone please suggest how I can debug this (not a radius expert ;-) )?
>
> Regards,
>
> Vieri
Re: Freeradius, PEAP, Active Directory and --require-membership-of
--- On Thu, 10/2/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> As with every other freeradius problem - when it doesn't work - debug (radiusd -X).

That's how I'm running it. Does the list mind if I post the debug lines?
Re: Freeradius, PEAP, Active Directory and --require-membership-of
I forgot to mention that I already tried:

with_ntdomain_hack = yes

I'll try to post the relevant radiusd -X debug lines if the ML doesn't mind.
Re: Freeradius, PEAP, Active Directory and --require-membership-of
Vieri wrote:
--- On Thu, 10/2/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
As with every other freeradius problem - when it doesn't work - debug (radiusd -X).

That's how I'm running it.
Does the list mind if I post the debug lines?

You're supposed to do so! It's even in the FreeRADIUS' FAQ (however IMVHO it should be on the ML front page).
http://wiki.freeradius.org/FAQ#It_still_doesn.27t_work.21

PS: I followed your Reply-To however I don't think that was necessary - do you really have to set it that way?

Kind regards,
--
Lech Karol Pawłaszek ike
You will never see me fall from grace [KoRn]
Re: Freeradius, PEAP, Active Directory and --require-membership-of
On 02.10.2008 at 19:46 Vieri wrote:
--- On Thu, 10/2/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
As with every other freeradius problem - when it doesn't work - debug (radiusd -X).

That's how I'm running it.
Does the list mind if I post the debug lines?

Asking for the output of radiusd -X is the most frequent answer on this mailing list, so it is not a problem to see such outputs on this mailing list. However, please check first by yourself that you have not missed an error message that would point you in the right direction. (Because that is probably the second most frequent answer.)

Have a nice day!

Nicolas Goutte
extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany
Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841
RE: Freeradius PEAP and Wireless
rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is required first.

You need to uncomment the tls section in eap.conf, even if you're not intending to use EAP-TLS.

josh.
Re: Freeradius PEAP and Wireless
Cody Jarrett wrote:
I'm trying to setup freeradius with ldap for use with a wireless network. I don't want to have to deal with tls and certificates if possible,

Then you won't be doing PEAP. It requires TLS and certificates.

...
rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is required first.

What is unclear about that message? It's telling you that you need TLS for PEAP to work. All of the howtos show that you have to configure TLS before PEAP. The comments in eap.conf say you have to configure TLS before PEAP.

What's the problem?

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Freeradius PEAP and Wireless
Alan Dekok wrote:
Cody Jarrett wrote:
I'm trying to setup freeradius with ldap for use with a wireless network. I don't want to have to deal with tls and certificates if possible,

Then you won't be doing PEAP. It requires TLS and certificates.

Is what I want possible then? And if so could you provide me with details on what it's called or how it's configured?

...
rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is required first.

What is unclear about that message? It's telling you that you need TLS for PEAP to work. All of the howtos show that you have to configure TLS before PEAP. The comments in eap.conf say you have to configure TLS before PEAP.

What's the problem?

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Freeradius PEAP and Wireless
Read provided instructions in eap.conf.

Ivan Kalik
Kalik Informatika ISP

On 18/6/2007, Cody Jarrett [EMAIL PROTECTED] wrote:

Alan Dekok wrote:
Cody Jarrett wrote:
I'm trying to setup freeradius with ldap for use with a wireless network. I don't want to have to deal with tls and certificates if possible,

Then you won't be doing PEAP. It requires TLS and certificates.

Is what I want possible then? And if so could you provide me with details on what it's called or how it's configured?

...
rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is required first.

What is unclear about that message? It's telling you that you need TLS for PEAP to work. All of the howtos show that you have to configure TLS before PEAP. The comments in eap.conf say you have to configure TLS before PEAP.

What's the problem?

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Freeradius PEAP and Wireless
I'm trying to setup freeradius with ldap for use with a wireless network. I don't want to have to deal with tls and certificates if possible, I would just like for users to use their username and password to connect. The radius config for ldap is pretty easy, but I'm having a problem when trying to enable peap as my default eap type. I've done so in my eap.conf which I've included and a section of debug when trying to start radiusd. Appreciate any info.

When trying to start radiusd:

Module: Instantiated ldap (ldap)
Module: Loaded eap
 eap: default_eap_type = peap
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is required first.
radiusd.conf[10]: eap: Module instantiation failed.
radiusd.conf[1939] Unknown module eap.
radiusd.conf[1886] Failed to parse authenticate section.

eap.conf basically, everything else is commented out.

eap {
	default_eap_type = peap
	peap {
		default_eap_type = mschapv2
	}
	mschapv2 {
	}
}

--
Cody Jarrett
IT Freedom
[EMAIL PROTECTED]
Office: 512.419.0070
Fax: 512.419.0080
Re: freeradius -peap ad/ldap
Sam Schultz wrote:
On Thu, 15 Mar 2007 10:57:29 -0500 joe vieira [EMAIL PROTECTED] wrote:
Alan DeKok wrote:
joe vieira wrote:
i have eap-peap authentication working against our ad domain. peachy keen. what i would like to be able to do is, in our openldap environment, store attributes for retrieval by radius, cisco stuff/ etc... i assume the way to do this would be to use the authorization sections, but if you add ldap to that then it automatically adds ldap authentication...which i don't want..

Upgrade to a newer version of the server, which doesn't do that.

which versions would that be?

OK, I think I understand what you're asking. If you want to use LDAP for authorization ONLY, and something else for authentication, you could put an entry like this in your 'users' file:

DEFAULT check_items (ex: Realm == 'your_domain')
	Autz-Type := your_ldap_instance (ex: ldap),
	Auth-Type := module_instance_for_authentication

Setting Autz-Type forces a certain type of authorization. Setting Auth-Type forces a certain type of authentication. Doing this in a DEFAULT entry causes ALL users that have Fall-Through set to yes to be passed through the specified authorization/authentication method. This could also be set on a per-user basis by changing DEFAULT to a given user's username.

so i did what you recommended, which makes sense to do... i have Autz-type := eap, and in debug mode i get this (clearly an access-reject follows).

auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.

obviously there is a module called eap..else the daemon would not start... what do you think?

Joe
RE: Re: freeradius -peap ad/ldap
DEFAULT check_items (ex: Realm == 'your_domain')
	Autz-Type := your_ldap_instance (ex: ldap),
	Auth-Type := module_instance_for_authentication

so i did what you recommended, which makes sense to do... i have Autz-type := eap, and in debug mode i get this (clearly an access-reject follows).

auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.

First off, eap shouldn't be used this way. The top line of eap.conf clearly states:

Whatever you do, do NOT set 'Auth-Type := EAP'. The server is smart enough to figure this out on its own.

Typical modules that would be used here are things like 'files', 'ldap', or 'sql'. There are also special types like 'Local' and 'System', one of which you'd have to use if you were using an sql table to store user credentials.

The second thing you have to understand is the difference between modules and instances. An instance is a specific configuration of a module. The instance itself has a name that is user-specified.

I suggest you read through the configurable_failover document, which is usually in /usr/share/doc/freeradius-version; it isn't long and offers pretty good insight into how freeradius' configuration gets processed.

Also, if you need to use a separate back-end for authentication, maybe you should tell us what you need to use so we can give you more specific answers.
Re: freeradius -peap ad/ldap
Sam Schultz wrote:
DEFAULT check_items (ex: Realm == 'your_domain')
	Autz-Type := your_ldap_instance (ex: ldap),
	Auth-Type := module_instance_for_authentication

so i did what you recommended, which makes sense to do... i have Autz-type := eap, and in debug mode i get this (clearly an access-reject follows).

auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.

First off, eap shouldn't be used this way. The top line of eap.conf clearly states:

Whatever you do, do NOT set 'Auth-Type := EAP'. The server is smart enough to figure this out on its own.

Typical modules that would be used here are things like 'files', 'ldap', or 'sql'. There are also special types like 'Local' and 'System', one of which you'd have to use if you were using an sql table to store user credentials.

The second thing you have to understand is the difference between modules and instances. An instance is a specific configuration of a module. The instance itself has a name that is user-specified.

I suggest you read through the configurable_failover document, which is usually in /usr/share/doc/freeradius-version; it isn't long and offers pretty good insight into how freeradius' configuration gets processed.

Also, if you need to use a separate back-end for authentication, maybe you should tell us what you need to use so we can give you more specific answers.

reference the initial thread where i said i was authenticating off of active directories, using eap-peap. which i had previously working just fine. Since i didn't specify an instance name in my eap.conf, it is referenced as 'eap' (which i did read, but was following your advice).

Joe
Re: freeradius -peap ad/ldap
reference the initial thread where i said i was authenticating off of active directories, using eap-peap. which i had previously working just fine. Since i didn't specify an instance name in my eap.conf, it is referenced as 'eap' (which i did read, but was following your advice).

Joe

Once you configure the eap module, it tends to take care of itself. Setting Auth-Type and Autz-Type are for when you want to force a user (or all users, as with DEFAULT entries) to be authorized/authenticated by the respective modules. If you're purely using ldap for authorization and authentication, you wouldn't/shouldn't need to set either one. I know in my case I had to set access_attr_used_for_allow to 'no' because I wasn't using the ldap schema extension packaged with freeradius.
freeradius -peap ad/ldap
Hi all,

I'm using the RHEL build of freeradius 1.0.1. I'm trying to do something that might seem totally stupid, so let me know if i am (no need to flame). I'm new to freeradius so bear with me a bit.

i have eap-peap authentication working against our ad domain. peachy keen. what i would like to be able to do is, in our openldap environment, store attributes for retrieval by radius, cisco stuff/ etc... i assume the way to do this would be to use the authorization sections, but if you add ldap to that then it automatically adds ldap authentication...which i don't want..

ideas?

Joe Vieira
UNIX Systems Administrator
Clark University
Re: freeradius -peap ad/ldap
On Thu, 15 Mar 2007 10:16:14 -0500 joe vieira [EMAIL PROTECTED] wrote:

Hi all, I'm using the RHEL build of freeradius 1.0.1. I'm trying to do

You really should upgrade that. If I recall correctly, there were some nasty bugs in the early 1.0.x builds.

something that might seem totally stupid, so let me know if i am (no need to flame). I'm new to freeradius so bear with me a bit.

We were all new at some point, some people just forget that :)

i have eap-peap authentication working against our ad domain. peachy keen. what i would like to be able to do is, in our openldap environment, store attributes for retrieval by radius, cisco stuff/ etc... i assume the way to do this would be to use the authorization sections, but if you add ldap to that then it automatically adds ldap authentication...which i don't want..

ideas?

Joe Vieira
UNIX Systems Administrator
Clark University

You could try using one of the SQL modules. Unlike ldap, the sql modules only retrieve attributes from an sql table, and set the attributes for use by later modules (or freeradius, if 'Auth-Type := Local' has been set).
Re: freeradius -peap ad/ldap
joe vieira wrote:
i have eap-peap authentication working against our ad domain. peachy keen. what i would like to be able to do is, in our openldap environment, store attributes for retrieval by radius, cisco stuff/ etc... i assume the way to do this would be to use the authorization sections, but if you add ldap to that then it automatically adds ldap authentication...which i don't want..

Upgrade to a newer version of the server, which doesn't do that.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: freeradius -peap ad/ldap
Alan DeKok wrote:
joe vieira wrote:
i have eap-peap authentication working against our ad domain. peachy keen. what i would like to be able to do is, in our openldap environment, store attributes for retrieval by radius, cisco stuff/ etc... i assume the way to do this would be to use the authorization sections, but if you add ldap to that then it automatically adds ldap authentication...which i don't want..

Upgrade to a newer version of the server, which doesn't do that.

which versions would that be?
Re: freeradius -peap ad/ldap
On Thu, 15 Mar 2007 10:57:29 -0500 joe vieira [EMAIL PROTECTED] wrote:

Alan DeKok wrote:
joe vieira wrote:
i have eap-peap authentication working against our ad domain. peachy keen. what i would like to be able to do is, in our openldap environment, store attributes for retrieval by radius, cisco stuff/ etc... i assume the way to do this would be to use the authorization sections, but if you add ldap to that then it automatically adds ldap authentication...which i don't want..

Upgrade to a newer version of the server, which doesn't do that.

which versions would that be?

OK, I think I understand what you're asking. If you want to use LDAP for authorization ONLY, and something else for authentication, you could put an entry like this in your 'users' file:

DEFAULT check_items (ex: Realm == 'your_domain')
	Autz-Type := your_ldap_instance (ex: ldap),
	Auth-Type := module_instance_for_authentication

Setting Autz-Type forces a certain type of authorization. Setting Auth-Type forces a certain type of authentication. Doing this in a DEFAULT entry causes ALL users that have Fall-Through set to yes to be passed through the specified authorization/authentication method. This could also be set on a per-user basis by changing DEFAULT to a given user's username.
Re: FreeRadius/PEAP
Alan DeKok wrote:
Phil Mayers [EMAIL PROTECTED] wrote:
PEAP can have several inner types. One of these is GTC (generic token card) which sends a prompt and asks for a response. I believe the prompt can be password and the response the actual password. How well windows' GTC support works I couldn't tell you, though I know it's there.

Windows doesn't support it, so far as I can tell.

My mistake - I was convinced I'd seen it. (I suppose it's possible that I had the Cisco wireless card software installed, along with its supplicant-fiddling extensions.)
Re: FreeRadius/PEAP
Phil Mayers [EMAIL PROTECTED] wrote:
PEAP can have several inner types. One of these is GTC (generic token card) which sends a prompt and asks for a response. I believe the prompt can be password and the response the actual password. How well windows' GTC support works I couldn't tell you, though I know it's there.

Windows doesn't support it, so far as I can tell.

Alan DeKok.
FreeRadius/PEAP
Hi,

I am trying to secure my wireless connections using PEAP-TLS MSChapv2 to authenticate users against my Linux /etc/shadow; /etc/password/; and /etc/group files. I would like to use PAM but UNIX will work too. I do not want to use the USERS file as it stores passwords in clear text and that is what we are trying to avoid. All my tests conclude that this functionality will not work. I am able to Auth just fine using the USERS file with a username and password.

Any info or direction would be greatly appreciated.

Thank you
James
Re: FreeRadius/PEAP
James,

MSChapv2 needs plaintext or NTLM credentials. You won't be able to do what you're trying. It works with users file because you specify the plaintext.

josh.

James Taylor wrote:
Hi,

I am trying to secure my wireless connections using PEAP-TLS MSChapv2 to authenticate users against my Linux /etc/shadow; /etc/password/; and /etc/group files. I would like to use PAM but UNIX will work too. I do not want to use the USERS file as it stores passwords in clear text and that is what we are trying to avoid. All my tests conclude that this functionality will not work. I am able to Auth just fine using the USERS file with a username and password.

Any info or direction would be greatly appreciated.

Thank you
James
RE: FreeRadius/PEAP
Am I able to use PEAP to auth to UNIX or PAM instead of mschapv2? Do I do this in the EAP.CONF file? What we are basically trying to do is use FreeRadius to authenticate against our current user database on our linux server while still maintaining the PEAP-TLS security with wireless. Is that even possible?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Josh Howlett
Sent: Thursday, October 13, 2005 2:25 PM
To: FreeRadius users mailing list
Subject: Re: FreeRadius/PEAP

James,

MSChapv2 needs plaintext or NTLM credentials. You won't be able to do what you're trying. It works with users file because you specify the plaintext.

josh.

James Taylor wrote:
Hi,

I am trying to secure my wireless connections using PEAP-TLS MSChapv2 to authenticate users against my Linux /etc/shadow; /etc/password/; and /etc/group files. I would like to use PAM but UNIX will work too. I do not want to use the USERS file as it stores passwords in clear text and that is what we are trying to avoid. All my tests conclude that this functionality will not work. I am able to Auth just fine using the USERS file with a username and password.

Any info or direction would be greatly appreciated.

Thank you
James
Re: FreeRadius/PEAP
I have everything working with the users file.

Josh, do you think if I have sambaNTpassword attribute in my ldap (I use ldap for authenticating users) with the ntlm credential it could work?

Yuri

On 10/13/05, Josh Howlett [EMAIL PROTECTED] wrote:

James,

MSChapv2 needs plaintext or NTLM credentials. You won't be able to do what you're trying. It works with users file because you specify the plaintext.

josh.

James Taylor wrote:
Hi,

I am trying to secure my wireless connections using PEAP-TLS MSChapv2 to authenticate users against my Linux /etc/shadow; /etc/password/; and /etc/group files. I would like to use PAM but UNIX will work too. I do not want to use the USERS file as it stores passwords in clear text and that is what we are trying to avoid. All my tests conclude that this functionality will not work. I am able to Auth just fine using the USERS file with a username and password.

Any info or direction would be greatly appreciated.

Thank you
James

--
Yuri Francalacci
[EMAIL PROTECTED]
Re: FreeRadius/PEAP
No - your user database needs to store passwords in plaintext or NTLM. You basically have two options: use a TTLS supplicant instead (such as wpa_supplicant or SecureW2), or change your user database.

best regards, josh.

James Taylor wrote:
Am I able to use PEAP to auth to UNIX or PAM instead of mschapv2? Do I do this in the EAP.CONF file? What we are basically trying to do is use FreeRadius to authenticate against our current user database on our linux server while still maintaining the PEAP-TLS security with wireless. Is that even possible?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Josh Howlett
Sent: Thursday, October 13, 2005 2:25 PM
To: FreeRadius users mailing list
Subject: Re: FreeRadius/PEAP

James,

MSChapv2 needs plaintext or NTLM credentials. You won't be able to do what you're trying. It works with users file because you specify the plaintext.

josh.

James Taylor wrote:
Hi,

I am trying to secure my wireless connections using PEAP-TLS MSChapv2 to authenticate users against my Linux /etc/shadow; /etc/password/; and /etc/group files. I would like to use PAM but UNIX will work too. I do not want to use the USERS file as it stores passwords in clear text and that is what we are trying to avoid. All my tests conclude that this functionality will not work. I am able to Auth just fine using the USERS file with a username and password.

Any info or direction would be greatly appreciated.

Thank you
James
Re: FreeRadius/PEAP
/etc/shadow files and PEAP/MSCHAPv2 are mutually exclusive. You can store the NT hashed passwords in the users file if you'd like, but, other than that, you'll have to use plaintext passwords. It's just the nature of the beast.

--Mike

James Taylor wrote:
Hi,

I am trying to secure my wireless connections using PEAP-TLS MSChapv2 to authenticate users against my Linux /etc/shadow; /etc/password/; and /etc/group files. I would like to use PAM but UNIX will work too. I do not want to use the USERS file as it stores passwords in clear text and that is what we are trying to avoid. All my tests conclude that this functionality will not work. I am able to Auth just fine using the USERS file with a username and password.

Any info or direction would be greatly appreciated.

Thank you
James
Re: FreeRadius/PEAP
James Taylor [EMAIL PROTECTED] wrote:
Am I able to use PEAP to auth to UNIX or PAM instead of mschapv2?

Your question doesn't make sense. Pam and Unix /etc/passwd are both systems that store known good passwords. MSCHAPv2 is an authentication protocol where a user tries to authenticate based on an unknown password.

What we are basically trying to do is use FreeRadius to authenticate against our current user database on our linux server while still maintaining the PEAP-TLS security with wireless. Is that even possible?

No, the crypt'd passwords stored in /etc/passwd are 100% incompatible with PEAP. You can:

a) store clear-text passwords
b) use EAP-TTLS with tunneled PAP.

You don't really have many other choices.

Alan DeKok.
Re: FreeRadius/PEAP
James Taylor wrote:
Am I able to use PEAP to auth to UNIX or PAM instead of mschapv2? Do I do this in the EAP.CONF file? What we are basically trying to do is use FreeRadius to authenticate against our current user database on our linux server while still maintaining the PEAP-TLS security with wireless. Is that even possible?

PEAP can have several inner types. One of these is GTC (generic token card) which sends a prompt and asks for a response. I believe the prompt can be password and the response the actual password. How well windows' GTC support works I couldn't tell you, though I know it's there.

See the gtc section in eap.conf

PAM would not help; as Josh says, MSCHAPv2 needs the NT/LM hashes, which means either having the hashes, or the plaintext password to generate them from, not a crypt. In any event, PAM seems to work very badly because of threading issues.
freeradius + peap + ldap
Hi,

I have this environment: WinXP PEAP wireless client + linksys AP + freeradius 1.0.5 + openldap (with kerberos password) and I would like to setup the 802.1x peap authentication.
Everything works well if I use users file for authenticating wireless client, but if I use ldap users, clients are not authenticated. My password attribute is UserPassword

The error is (I suppose) here:
--
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 6
  rlm_mschap: Told to do MS-CHAPv2 for yuri with NT-Password
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module mschap returns reject for request 6
modcall: group Auth-Type returns reject for request 6
--

Does anyone have a working configuration that looks like (more or less) mine?

--- radiusd.conf -- mschap section
mschap {
	authtype = MS-CHAP
	use_mppe = no
	# require_encryption = yes
	# require_strong = yes
	with_ntdomain_hack = no
}

Thanks,
Yuri
Re: urgent help needed!! freeradius peap enterasys ap 3000 xp certificate failure?
On Tuesday 16 August 2005 10:28, Jamie Crawford wrote:
Everything seems to work great until the certificate negotiation, then it blows chunks.

Bad or wrong certificates. Server and supplicant need a copy of the same trusted root certificate.

Zoltan
Re: urgent help needed!! freeradius peap enterasys ap 3000 xp certificate failure?
Thanks for your response. I downloaded my cacert.pem and imported it into my xp client as a trusted root authority and that did not help. Here are the steps I took to create my certs. Remember I am trying to use PEAP. Thanks

Here's what I did to create the certs.

rhel as 4.0
freeradius 1.0.4

On my freeradius server I went to: /usr/share/ssl/openssl.cnf
changed dir = ./productionCA
changed countryName_default = US
changed stateOrProvinceName_default = Missouri
changed localityName_default = Warrensburg
changed 0.organizationName_default = CMSU
changed organizationalUnitName_default = Information Services
changed commonName_default = Wireless
changed emailAddress_default = [EMAIL PROTECTED]
changed challengePassword_default = password
I saved the file.

Then I went into /usr/share/ssl/misc/CA and changed CATOP=./productionCA

Then I went back into the /usr/share/ssl directory and ran /usr/share/ssl/misc/CA -newca
Entered my passphrase password
Verified password
Hit the default of US for Country name
Hit the default of Missouri for state name
Hit the default of Warrensburg for state name
Hit the default of CMSU for organization name
Hit the default of Information Services for organizational unit name
Hit the default of WIRELESS for the common name
Hit the default of [EMAIL PROTECTED] for the email address

Now I have my new root certificate (cacert.pem) and private key (cakey.pem).
In my /usr/share/ssl/productionCA directory I have

-rw-r--r-- 1 root root 1346 Aug 16 14:54 cacert.pem
drwxr-xr-x 2 root root 4096 Aug 16 14:52 certs
drwxr-xr-x 2 root root 4096 Aug 16 14:52 crl
-rw-r--r-- 1 root root    0 Aug 16 14:52 index.txt
drwxr-xr-x 2 root root 4096 Aug 16 14:52 newcerts
drwxr-xr-x 2 root root 4096 Aug 16 14:52 private
-rw-r--r-- 1 root root    3 Aug 16 14:52 serial

In the private directory I have:
-rw-r--r-- 1 root root 963 Aug 16 14:54 cakey.pem

Now I create my server certificate, but first I must create the xpextensions file because WindowsXP expects certain attributes in server and client certificates.

Contents of xpextensions
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

Now I run:
openssl req -new -keyout server_key.pem -out server_req.pem -days 730 -config openssl.cnf

This asks for the PEM pass phrase:
So I enter password
I verify password
Hit the default of US for Country name
Hit the default of Missouri for state name
Hit the default of Warrensburg for state name
Hit the default of CMSU for organization name
Hit the default of Information Services for organizational unit name
Enter in server.cmsu.edu for the common name
Hit the default of [EMAIL PROTECTED] for the email address
It asks for a challenge password so I type in password
It asks for an optional company name and I hit enter for nothing.

This creates the files server_req.pem, which contains the actual request (an unsigned certificate), and server_key.pem, the private key. Now I will use the ca key to sign the request.
openssl ca -config openssl.cnf -policy_anything -out server_cert.pem -extensions xpserver_ext -extfile xpextensions -infiles server_req.pem This asks for the pass phrase for /productionCA/private/cakey.pem I type in password Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Aug 16 20:09:23 2005 GMT Not After : Aug 16 20:09:23 2006 GMT Subject: countryName = US stateOrProvinceName = Missouri localityName = Warrensburg organizationName = CMSU organizationalUnitName= Information Services commonName= server.cmsu.edu emailAddress = [EMAIL PROTECTED] X509v3 extensions: X509v3 Extended Key Usage: TLS Web Server Authentication Certificate is to be certified until Aug 16 20:09:23 2006 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated This command reads the file server_req.pem and after prompting for my CA key's passphrase, saves a signed version of it plus its corresponding private key to the file server_cert.pem. Now I opend up my signed certificate server_cert.pem and delete everything before the line BEGIN CERTIFICATE Now I concatenate it and my key into a single file by typing: cat server_key.pem server_cert.pem server_keycert.pem Next I copy the server_keycert.pem file and cacert.pem file over to my certs directory. Whie in this directory I run these two commands to create the dh file and random file. openssl dhparam -check -text -5 512 -out dh dd if=/dev/urandom of=random count=2 my eap.conf file tls { private_key_password = password private_key_file = ${raddbdir}/certs/server_keycert.pem
freeradius PEAP/MS-CHAPv2 and aegis client
Hi, All,

I am setting up a freeradius server to do PEAP authentication with MS-CHAPv2. My freeradius version is 1.0.1. The supplicant is a PC running aegis client version 2.0.5. The authenticator is a Cisco Switch with dot1x enabled. When trying to authenticate the client, I always received the following debugging messages with the authentication failure:

.. for request 6
Tue Apr 12 15:21:36 2005 : Debug: rlm_eap: EAP packet type response id 6 length 107
Tue Apr 12 15:21:36 2005 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Tue Apr 12 15:21:36 2005 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 6
Tue Apr 12 15:21:36 2005 : Debug: modcall[authorize]: module eap returns updated for request 6
Tue Apr 12 15:21:36 2005 : Debug: modsingle[authorize]: calling files (rlm_files) for request 6
Tue Apr 12 15:21:36 2005 : Debug: users: Matched supplicant_cts at 55
Tue Apr 12 15:21:36 2005 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 6
Tue Apr 12 15:21:36 2005 : Debug: modcall[authorize]: module files returns ok for request 6
Tue Apr 12 15:21:36 2005 : Debug: modcall: group authorize returns updated for request 6
Tue Apr 12 15:21:36 2005 : Debug: rad_check_password: Found Auth-Type EAP
Tue Apr 12 15:21:36 2005 : Debug: auth: type EAP
Tue Apr 12 15:21:36 2005 : Debug: Processing the authenticate section of radiusd.conf
Tue Apr 12 15:21:36 2005 : Debug: modcall: entering group authenticate for request 6
Tue Apr 12 15:21:36 2005 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 6
Tue Apr 12 15:21:36 2005 : Debug: rlm_eap: Request found, released from the list
Tue Apr 12 15:21:36 2005 : Debug: rlm_eap: EAP/peap
Tue Apr 12 15:21:36 2005 : Debug: rlm_eap: processing type peap
Tue Apr 12 15:21:36 2005 : Debug: rlm_eap_peap: Authenticate
Tue Apr 12 15:21:36 2005 : Debug: rlm_eap_tls: processing TLS
Tue Apr 12 15:21:36 2005 : Debug: eaptls_verify returned 7
Tue Apr 12 15:21:36 2005 : Debug: rlm_eap_tls: Done initial handshake
Tue Apr 12 15:21:36 2005 : Debug: eaptls_process returned 7
Tue Apr 12 15:21:36 2005 : Debug: rlm_eap_peap: EAPTLS_OK
Tue Apr 12 15:21:36 2005 : Debug: rlm_eap_peap: Session established. Decoding tunneled attributes.
PEAP tunnel data in : 1a 02 06 00 44 31 9f 11 f4 59 4e c9 74 2b dd 1b
PEAP tunnel data in 0010: a2 c0 bf 28 fa ea 00 00 00 00 00 00 00 00 c8 3c
PEAP tunnel data in 0020: 75 64 f3 38 a5 42 35 96 e8 c2 84 5a 74 0e ec 42
PEAP tunnel data in 0030: d9 2e 69 41 4e a3 00 73 75 70 70 6c 69 63 61 6e
PEAP tunnel data in 0040: 74 5f 63 74 73
Tue Apr 12 15:21:36 2005 : Debug: rlm_eap_peap: EAP type mschapv2
Tue Apr 12 15:21:36 2005 : Debug: rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
        EAP-Message = 0x020600491a02060044319f11f4594ec9742bdd1ba2c0bf28faeac83c7564f338a5423596e8c2845a740eec42d92e69414ea300737570706c6963616e745f637473
Tue Apr 12 15:21:36 2005 : Debug: PEAP: Setting User-Name to supplicant_cts
Tue Apr 12 15:21:36 2005 : Debug: PEAP: Adding old state with 9c 22
PEAP: Sending tunneled request
        EAP-Message = 0x020600491a02060044319f11f4594ec9742bdd1ba2c0bf28faeac83c7564f338a5423596e8c2845a740eec42d92e69414ea300737570706c6963616e745f637473
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = supplicant_cts
        State = 0x9c22748acfa58b214fe3d20fac288a7a
Tue Apr 12 15:21:36 2005 : Debug: Processing the authorize section of radiusd.conf
Tue Apr 12 15:21:36 2005 : Debug: modcall: entering group authorize for request 6
Tue Apr 12 15:21:36 2005 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 6
Tue Apr 12 15:21:36 2005 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 6
Tue Apr 12 15:21:36 2005 : Debug: modcall[authorize]: module preprocess returns ok for request 6
Tue Apr 12 15:21:36 2005 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 6
Tue Apr 12 15:21:36 2005 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 6
Tue Apr 12 15:21:36 2005 : Debug: modcall[authorize]: module chap returns noop for request 6
Tue Apr 12 15:21:36 2005 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 6
Tue Apr 12 15:21:36 2005 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 6
Tue Apr 12 15:21:36 2005 : Debug: modcall[authorize]: module mschap returns noop for request 6
Tue Apr 12 15:21:36 2005 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 6
Tue Apr 12 15:21:36 2005 : Debug: rlm_realm: No '@' in User-Name = supplicant_cts, looking up realm NULL
Tue Apr 12 15:21:36 2005 : Debug: rlm_realm: No such realm NULL
Tue Apr 12 15:21:36 2005 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 6
Tue Apr 12
FreeRADIUS + PEAP
Hello Everyone!

I have FreeRADIUS up and running and authenticating users who dial up into our network. FreeRADIUS is working perfectly for that purpose. I am now trying to configure FreeRADIUS to also authenticate my wireless users who connect to a Linksys WAP54G Wireless Access Point. I have configured the Linksys to authenticate against my FreeRADIUS server using WPA. FreeRADIUS does get the authentication requests, but it seems that I've done something wrong and the requests are not being authenticated properly. Here's what I get in my FreeRADIUS log:

Fri Mar  4 13:11:11 2005 : Auth: Login incorrect: [EMAIL PROTECTED]/no User-Password attribute] (from client wireless.meitech.com port 9 cli 000b7d0fa264)
Fri Mar  4 13:11:41 2005 : Info: rlm_eap_tls: Length Included
Fri Mar  4 13:11:41 2005 : Error: TLS_accept:error in SSLv3 read client certificate A
Fri Mar  4 13:11:41 2005 : Info: rlm_eap_tls: Length Included
Fri Mar  4 13:11:41 2005 : Info: (other): SSL negotiation finished successfully
Fri Mar  4 13:11:41 2005 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Fri Mar  4 13:11:41 2005 : Auth: Login incorrect: [EMAIL PROTECTED]/no User-Password attribute] (from client localhost port 0)
Fri Mar  4 13:11:41 2005 : Auth: Login incorrect: [EMAIL PROTECTED]/no User-Password attribute] (from client wireless.meitech.com port 9 cli 000b7d0fa264)

Why is there no username attribute? I have configured the Windows XP workstation to use PEAP and it asks me for my login name and password, which I entered, but it seems that the password attribute is not being sent to FreeRADIUS, or maybe it's being sent in a way that FreeRADIUS isn't understanding? I have attached my radiusd.conf file to this e-mail as well, in case anyone wants to review it.

PS - I generated the certificates I'm using for eap/tls authentication using OpenSSL for the purposes of having my own in-house CA, which allows me to issue certificates to customers and employees as I need to. I figured it was best to use the same certificates for my wireless authentication, no? My wireless users are connecting using login names and passwords, not certificates, but I think that eap needs certificates anyhow, correct?

Tim Gustafson
MEI Technology Consulting, Inc
[EMAIL PROTECTED]
(516) 379-0001 Office
(516) 480-1870 Mobile/Emergencies
(516) 908-4185 Fax
http://www.meitech.com/
Re: freeRadius, PEAP, MSCHAP, Segment Fault(coredump)
[EMAIL PROTECTED] wrote:
> This is my second try at this post; the first was too long. I read the archives and then attempted to configure freeRadius using PEAP MSCHAP. After some initial success I am stuck with a Segment Fault(coredump).

Alan Dekok wrote:
> It's another stupid bug in libltdl. The fix is to do:
>
> $ configure --disable-shared
> $ make
> $ make install
>
> Alan DeKok.

I tried the configure switch and got another Segment Fault(coredump). Is there other debug information that is useful for resolving this problem?

Thanks,
John Gauntt
[EMAIL PROTECTED]
Re: freeRadius, PEAP, MSCHAP, Segment Fault(coredump)
[EMAIL PROTECTED] wrote:
> I tried the configure switch and got another Segment Fault(coredump).

If you look, you'll probably see the same problem. Delete ALL of the previously installed FreeRADIUS binaries and libraries. Then re-configure and re-make.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
freeRadius, PEAP, MSCHAP, Segment Fault(coredump)
Hi folks,

This is my second try at this post; the first was too long. I read the archives and then attempted to configure freeRadius using PEAP MSCHAP. After some initial success I am stuck with a Segment Fault(coredump). I am using an Windows XP 802.1x client, Cisco 1100 AP and Sun Solaris ver. 8 for freeRadius 1.0.1.

After configuring the client, the AP and the radiusd.conf, the client.conf and the users files (not yet the eap.conf file) I was successful in getting the freeRadius server to authenticate the client. Next I attempted to configure the client and the eap.conf file for PEAP MSCHAP, resulting in the coredump. Enabling PEAP results in error messages directing the configuration of TLS. Enabling TLS results in the coredump. I have tried numerous combinations of configuration, some of these I copied from the archive, with the same result.

The radius -X output, the gdb bt output, the eap.conf file, and a slice of the radiusd.conf file follow this text. I appreciate any help on this problem.

Thanks,
John Gauntt

radiusd -X

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = yes
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = no
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /usr/local/var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = peap
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password:
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
Segmentation Fault(coredump)

gdb bt

GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type show copying to see the conditions.
There is absolutely no warranty for GDB. Type show warranty for details.
This GDB was configured as sparc-sun-solaris2.8...
Core was generated by `radiusd -X'.
Program terminated with signal 9, Killed.
Reading symbols from /usr/lib/libcrypt_i.so.1...done.
Loaded symbols for /usr/lib/libcrypt_i.so.1
Reading symbols from /usr/local/lib/libradius-1.0.1.so...done.
Loaded symbols for /usr/local/lib/libradius-1.0.1.so
Reading symbols from /usr/local/lib/libltdl.so.3...done.
Loaded symbols for /usr/local/lib/libltdl.so.3
Reading symbols from /usr/lib/libdl.so.1...done.
Loaded symbols for /usr/lib/libdl.so.1
Reading symbols from /usr/lib/libnsl.so.1...done.
Cisco Aironet's WDS and FreeRadius Peap
I have Cisco Aironet 1100's that I am setting up on a private LAN that go through a Firewall to get to the internal LAN. The FreeRadius server is on the internal LAN.

Ok, so what works: I can connect the client (supplicant) to the Wireless G Aironet that authenticates to the FreeRadius Server. I can then connect to the VPN (which also authenticates to the Radius server). Everything there is happy.

What does not work: The Aironet's use a system called WDS to allow roaming between the access points. I set up one unit to be the primary WDS, and configure a second Aironet to use WDS. The Aironets use the Radius server for authentication, but they never are able to authenticate with the WDS.

What I think I am doing wrong: I believe that I need to activate peap for the Cisco Aironets to authenticate. I have tried to set this up per documentation, but I get the following error when I now try to activate the FreeRadius server using radiusd -A -X, cut to just show the eap module failure:

**
Module: Loaded eap
 eap: default_eap_type = peap
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password:
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /usr/local/etc/raddb/certs/cert-srv.pem
 tls: certificate_file = (null)
 tls: CA_file = /usr/local/etc/raddb/certs/demoCA/cacert.pem
 tls: private_key_password = whatever
 tls: dh_file = /usr/local/etc/raddb/certs/dh
 tls: random_file = /usr/local/etc/raddb/certs/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)
9616:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: CERTICATE
9616:error:0200100E:system library:fopen:Bad address:bss_file.c:259:fopen('','r')
9616:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:261:
9616:error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib:ssl_rsa.c:513:
rlm_eap_tls: Error reading certificate file
rlm_eap: Failed to initialize type tls
radiusd.conf[9]: eap: Module instantiation failed.
***

I have tried to use CA.all to create a certificate, but it gives an error during the certificate creation. I have created a certificate manually using openssl, and moved it into the /usr/local/etc/raddb/certs folders (and DemoCA folders), but the server still fails.

I am running RedHat 9, kernel 2.4.20-8smp; openssl-0.9.7a-2; freeradius-0.9.3-1.1

Does anyone know if the peap is even needed with the Aironets? If so, is there another howto or other docs I can RTFM to resolve this certificate issue, or do I just need to hack all of the config files, CA.all, etc... Has anyone got this type of setup working (Cisco Aironet's running WDS and FreeRadius)?

Dave
Re: Cisco Aironet's WDS and FreeRadius Peap
That did it! I did not think that Cisco was still using LEAP. At least I can run tests now on the infrastructure. Thank you for your hint.

Dave

On Mon, 2004-12-13 at 10:08, Joe Matuscak wrote:
> On 13 Dec 2004, David Howard wrote:
>> What does not work: The Aironet's use a system called WDS to allow roaming between the access points. I set up one unit to be the primary WDS, and configure a second Aironet to use WDS. The Aironets use the Radius server for authentication, but they never are able to authenticate with the WDS.
>>
>> What I think I am doing wrong: I believe that I need to activate peap for the Cisco Aironets to authenticate.
>
> Nope. From what I can tell, the client APs use LEAP to authenticate.
>
>> Has anyone got this type of setup working (Cisco Aironet's running WDS and FreeRadius)?
>
> Yes, I've got it running in a test mode at the moment. Only two APs, but it seems to be behaving fine. I'm using the 1200 APs with IOS 12.2(15)JA and FreeRadius on Fedora Core 2 (freeradius-1.0.1-0.FC2).
>
> To get the client APs to authenticate, I had to set:
>
> default_eap_type = leap
>
> In eap.conf.
>
> Joe Matuscak
> Rohrer Corporation
> 717 Seville Road
> Wadsworth, Ohio 44281
> (330)335-1541
> [EMAIL PROTECTED]
Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client
Hand, Chris [EMAIL PROTECTED] wrote:
> I'm still not seeing it.

If it's listed in the authorize section, it will be printed out in debugging mode. Are you willing to provide debug logs?

> Let's start over. What is the best way of authenticating users to an NT domain over PEAP? Am I even on the right track?

ntlm_auth. It works, and other people have gotten it to work. The issue now becomes poking your configuration so that it works.

Alan DeKok.
Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client
Hand, Chris [EMAIL PROTECTED] wrote:
> Yes, I am using the ntdomain realm. However, I do not see it show up in the debugging output. Do I need to do anything other than list ntdomain in the 'authorize' section to make freeradius use it?

If it's listed there, you should see it printed out in debugging mode. Try listing it immediately after preprocess, and double-checking the debug output.

Alan DeKok.
RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client
I'm still not seeing it.

Let's start over. What is the best way of authenticating users to an NT domain over PEAP? Am I even on the right track?

Chris Hand

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Tuesday, August 24, 2004 10:51 AM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

Hand, Chris [EMAIL PROTECTED] wrote:
> Yes, I am using the ntdomain realm. However, I do not see it show up in the debugging output. Do I need to do anything other than list ntdomain in the 'authorize' section to make freeradius use it?

If it's listed there, you should see it printed out in debugging mode. Try listing it immediately after preprocess, and double-checking the debug output.

Alan DeKok.
Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client
I am trying to set up 802.1x on our network and I would like the users to be able to use their current Active Directory credentials. I need the AD domain to be stripped from the username so that I can feed it to ntlm_auth. I am using a Windows XP Pro client and Windows 2003 server. Here is part of my config file.

Modules {
    realm ntdomain {
        format = prefix
        delimiter = \\
        ignore_default = no
        ignore_null = no
    }
    eap {
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = yes
        tls {
            private_key_password = whatever
            private_key_file = ${raddbdir}/certs/cert-srv.pem
            certificate_file = ${raddbdir}/certs/cert-srv.pem
            CA_file = ${raddbdir}/certs/demoCA/cacert.pem
            dh_file = ${raddbdir}/certs/dh
            random_file = ${raddbdir}/certs/random
            fragment_size = 1024
            include_length = yes
        }
        peap {
            default_eap_type = mschapv2
        }
        mschapv2 {
        }
    }
    mschap {
        authtype = MS-CHAP
        with_ntdomain_hack = no
        ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=MI /
            --username=%{Stripped-User-Name} --challence=%{mschap:Challenge:-00} /
            --nt-response=%{mschap:NT-Response:-00}
    }
}

authorize {
    preprocess
    ntdomain
    eap
    files
}

authenticate {
    Auth-Type MS-CHAP {
        Mschap
    }
    eap
}

From the debug output:

radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MI --username= --challenge=3d66c96d9aa150e6 --nt-response=c97090b4f7aeeac3ea2a98e24daf1fdac43f626658cbe463
Exec-Program-Wait: plaintext: Logon failure (0xc06d)
Exec-Program: returned: 1

If I try ntlm_auth manually, it works fine:

[EMAIL PROTECTED] raddb]# ntlm_auth --requeset-nt-key --domain=MI / --username=chand
password:
NT_STATUS_OK: Success (0x0)

Has anyone successfully used freeradius to authenticate against Active Directory (Windows 2003)?

Chris Hand
Network Engineer
[EMAIL PROTECTED]
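The tunneled EAP-Message in the aegis debug output earlier on this page and the ntlm_auth command line in this thread are two views of the same MS-CHAPv2 exchange. As an added example (not code from any of the posters or from FreeRADIUS), the Python below decodes the MS-CHAPv2 Response rebuilt from that log's hex dump, applies the domain-prefix split that the ntdomain realm is configured to do, derives the 8-byte challenge per RFC 2759 and assembles the ntlm_auth argv. The authenticator challenge and the name "MI\\chand" are constructed inputs, and the challenge hash follows the RFC rather than any FreeRADIUS source.

```python
import hashlib
import struct

# Constants from RFC 3748 (EAP) and RFC 2759 (MS-CHAPv2).
EAP_RESPONSE = 2
EAP_TYPE_MSCHAPV2 = 26
MSCHAPV2_RESPONSE = 2
# Value-Size is fixed: 16 peer challenge + 8 reserved + 24 NT-Response + 1 flags.
MSCHAPV2_VALUE_SIZE = 49

# Constructed sample: the "PEAP tunnel data in" hex dump from the aegis debug
# output, prefixed with the EAP header (02 06 00 49) printed in the same log.
TUNNELED_EAP = bytes.fromhex(
    "02 06 00 49"
    "1a 02 06 00 44 31 9f 11 f4 59 4e c9 74 2b dd 1b"
    "a2 c0 bf 28 fa ea 00 00 00 00 00 00 00 00 c8 3c"
    "75 64 f3 38 a5 42 35 96 e8 c2 84 5a 74 0e ec 42"
    "d9 2e 69 41 4e a3 00 73 75 70 70 6c 69 63 61 6e"
    "74 5f 63 74 73"
)


def parse_mschapv2_response(packet):
    """Decode an EAP Response carrying an MS-CHAPv2 Response; raise ValueError
    on anything that does not match the wire format (short, wrong lengths)."""
    if len(packet) < 10:
        raise ValueError("packet too short for EAP + MS-CHAPv2 headers")
    code, eap_id, eap_len = struct.unpack("!BBH", packet[:4])
    if eap_len != len(packet):
        raise ValueError("EAP length %d does not match %d bytes" % (eap_len, len(packet)))
    if code != EAP_RESPONSE or packet[4] != EAP_TYPE_MSCHAPV2:
        raise ValueError("not an EAP Response of type MS-CHAPv2")
    body = packet[5:]
    opcode, ms_id, ms_len, value_size = struct.unpack("!BBHB", body[:5])
    if opcode != MSCHAPV2_RESPONSE or ms_len != len(body):
        raise ValueError("not a well-formed MS-CHAPv2 Response")
    if value_size != MSCHAPV2_VALUE_SIZE or len(body) < 5 + value_size:
        raise ValueError("unexpected MS-CHAPv2 Value-Size %d" % value_size)
    value = body[5:5 + value_size]
    return {
        "eap_id": eap_id,
        "mschap_id": ms_id,
        "peer_challenge": value[:16],
        "reserved": value[16:24],
        "nt_response": value[24:48],
        "flags": value[48],
        # Everything after the Value field is the inner identity (Name).
        "name": body[5 + value_size:].decode("ascii", errors="replace"),
    }


def is_valid_mschapv2_response(packet):
    """Boolean wrapper around the parser for callers that only need a verdict."""
    try:
        parse_mschapv2_response(packet)
        return True
    except ValueError:
        return False


def split_ntdomain(user_name, delimiter="\\"):
    """What 'realm ntdomain' with format = prefix is meant to do: 'MI\\chand'
    -> ('MI', 'chand'). With no delimiter present rlm_realm looks up realm NULL
    and sets no Stripped-User-Name, returned here as (None, None)."""
    realm, sep, user = user_name.partition(delimiter)
    if not sep:
        return None, None
    return realm, user


def mschapv2_challenge_hash(peer_challenge, auth_challenge, user_name):
    """ChallengeHash() from RFC 2759 section 8.2: the first 8 bytes of SHA-1 over
    PeerChallenge || AuthenticatorChallenge || UserName. This 8-byte value is the
    one that reaches ntlm_auth as --challenge in the debug output above."""
    digest = hashlib.sha1(peer_challenge + auth_challenge + user_name.encode("ascii")).digest()
    return digest[:8]


def ntlm_auth_argv(domain, stripped_user, challenge, nt_response):
    """Assemble the argv the ntlm_auth line in the mschap section expands to.
    An unset Stripped-User-Name expands to the empty string, which is exactly
    the '--username=' seen in the Exec-Program debug line."""
    return [
        "/usr/bin/ntlm_auth",
        "--request-nt-key",
        "--domain=%s" % domain,
        "--username=%s" % (stripped_user or ""),
        "--challenge=%s" % challenge.hex(),
        "--nt-response=%s" % nt_response.hex(),
    ]


def tunnel_to_ntlm_auth(packet, auth_challenge, domain="MI"):
    """End-to-end: decode the tunneled response, split the domain prefix, derive
    the 8-byte challenge and build the ntlm_auth command line."""
    resp = parse_mschapv2_response(packet)
    realm, user = split_ntdomain(resp["name"])
    hashed_name = user if user is not None else resp["name"]
    challenge = mschapv2_challenge_hash(resp["peer_challenge"], auth_challenge, hashed_name)
    return realm, ntlm_auth_argv(realm or domain, user, challenge, resp["nt_response"])


if __name__ == "__main__":
    decoded = parse_mschapv2_response(TUNNELED_EAP)
    print("inner identity:", decoded["name"])
    print("NT-Response:", decoded["nt_response"].hex())
    # bytes(16) stands in for an authenticator challenge not present in the log.
    print(" ".join(tunnel_to_ntlm_auth(TUNNELED_EAP, bytes(16))[1]))
```

Note that the packet carries an NT-Response, not the password: the RADIUS server never sees the plaintext, which is why the mschap module must either hold the NT hash itself or hand the challenge/response pair to ntlm_auth.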
Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client
Did you cut and paste or type the lines from your config file? According to the config file ntlm_auth has the argument '--challence', but the debug output has the argument '--challenge'.

Hand, Chris wrote:
> ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=MI /
>     --username=%{Stripped-User-Name} --challence=%{mschap:Challenge:-00} /
>     --nt-response=%{mschap:NT-Response:-00}
> [...]
> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MI --username= --challenge=3d66c96d9aa150e6 --nt-response=c97090b4f7aeeac3ea2a98e24daf1fdac43f626658cbe463
> Exec-Program-Wait: plaintext: Logon failure (0xc06d)
RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client
I retyped the config. That is a typo. It should be '--challenge'.

-Chris

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Bender
Sent: Monday, August 23, 2004 4:01 PM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

Did you cut and paste or type the lines from your config file? According to the config file ntlm_auth has the argument '--challence', but the debug output has the argument '--challenge'.

Hand, Chris wrote:
> ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=MI /
>     --username=%{Stripped-User-Name} --challence=%{mschap:Challenge:-00} /
>     --nt-response=%{mschap:NT-Response:-00}
> [...]
> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MI --username= --challenge=3d66c96d9aa150e6 --nt-response=c97090b4f7aeeac3ea2a98e24daf1fdac43f626658cbe463
> Exec-Program-Wait: plaintext: Logon failure (0xc06d)
Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client
Hand, Chris [EMAIL PROTECTED] wrote:
> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MI --username= --challenge=3d66c96d9aa150e6 --nt-response=c97090b4f7aeeac3ea2a98e24daf1fdac43f626658cbe463
> Exec-Program-Wait: plaintext: Logon failure (0xc06d)

  Where's the username?

  Alan DeKok.
RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client
Exactly... The username is not getting fed into ntlm_auth. It seems that the stripping of the domain from the username is not working. If I use --username=%{User-Name}, then it feeds 'MI\\chand' to ntlm_auth.

-Chris Hand

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Monday, August 23, 2004 4:36 PM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

Hand, Chris [EMAIL PROTECTED] wrote:
> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MI --username= --challenge=3d66c96d9aa150e6 --nt-response=c97090b4f7aeeac3ea2a98e24daf1fdac43f626658cbe463
> Exec-Program-Wait: plaintext: Logon failure (0xc06d)

  Where's the username?

  Alan DeKok.
Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client
Hand, Chris [EMAIL PROTECTED] wrote:
> Exactly... The username is not getting fed into ntlm_auth. It seems that the stripping of the domain from the username is not working.

  Are you using the ntdomain realm, as given in radiusd.conf?

  Are you running it in debugging mode, to see that the ntdomain realm is working?

  Alan DeKok.
RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client
Yes, I am using the ntdomain realm. However, I do not see it show up in the debugging output. Do I need to do anything other than list ntdomain in the 'authorize' section to make freeradius use it?

Chris Hand

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Monday, August 23, 2004 5:19 PM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

Hand, Chris [EMAIL PROTECTED] wrote:
> Exactly... The username is not getting fed into ntlm_auth. It seems that the stripping of the domain from the username is not working.

  Are you using the ntdomain realm, as given in radiusd.conf?

  Are you running it in debugging mode, to see that the ntdomain realm is working?

  Alan DeKok.
RE: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....
> Dourty, Brian R. (IATS) [EMAIL PROTECTED] wrote:
>> Ok, but isn't the with_ntdomain_hack = yes directive in the radiusd.conf file supposed to correct this behavior?
>
>   Theoretically, yes. But when you're calling ntlm_auth, the with_ntdomain_hack isn't being used. Why would it? You're passing the exact attributes you want to ntlm_auth. If you don't like the attributes, change them. Why would we need another configuration option to do the same thing?
>
>> So now my args for ntlm_auth are right, but I think something is up with mschap still.
>
>   If the arguments to ntlm_auth are right, then it should work.

To clarify things here, the --domain and --username arguments are right, but the --challenge argument is incorrect. I'm looking at the code in rlm_mschap.c. I believe this is the code that creates the value for the --challenge argument for ntlm_auth. It is my understanding that this is a hash created with this code:

    challenge_hash(response->strvalue + 2, chap_challenge->strvalue, user_name->strvalue, buffer);

The username being used in this function still contains the DOMAIN! This is what is keeping the auth from working. I've added debug statements to my code. It's using the domain/user. This won't work.

>> When the Challenge or Response message is generated is it still trying to use domain/user as the username?
>
>   Ask the client, not FreeRADIUS.

I can't change the client. I can change freeradius. The client presents freeradius with a domain/username. We all know that is the case.

>   And when you're using ntlm_auth, *you* configure it to use domain\user, or just user. So to answer your question on FreeRADIUS's side, go back and read your configuration.
>
>> I'm confused on this point. When PEAP identity is set to username my auths work. When the PEAP identity is of the form domain/user MSCHAP fails.
>
>   Yes. This is the problem. But it has nothing to do with PEAP.

You are right, it has nothing to do with PEAP. Freeradius gets what the client gives it. The problem occurs in the mschap module.

>   There's no point trying to configure FreeRADIUS to do the right thing, when you don't even know what the right thing is. Find that out first, and THEN configure the server.

I know what the right thing is. In order for the ntlm_auth to return OK all of its arguments have to be right. When a client is set up to send domain/user instead of just user, things break down in the MSCHAP module. The NTLM_AUTH function takes 4 arguments from freeradius. They are as follows:

    --domain %{Realm}
    --username %{Stripped-User-Name}
    --challenge %{mschap:Challenge:-00}
    --nt-response %{mschap:NT-Response:-00}

The challenge and nt-response are both hashes based in part on the username. The username that freeradius uses when it generates these hashes is the full username, not the stripped username. This is what is causing my problem. Now, the question is how to go about fixing the problem.

Brian D.
Re: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....
Dourty, Brian R. (IATS) [EMAIL PROTECTED] wrote:
> To clarify things here, the --domain and --username arguments are right, but the --challenge argument is incorrect.

  Ah, OK.

> The username being used in this function still contains the DOMAIN! This is what is keeping the auth from working. I've added debug statements to my code. It's using the domain/user. This won't work.

  Then the with_ntdomain_hack should be set...

> I can't change the client. I can change freeradius. The client presents freeradius with a domain/username. We all know that is the case.

  Yes, that's a problem. The client is *lying* to FreeRADIUS.

> The challenge and nt-response are both hashes based in part on the username. The username that freeradius uses when it generates these hashes is the full username, not the stripped username. This is what is causing my problem. Now, the question is how to go about fixing the problem.

  Theoretically, using with_ntdomain_hack should help.

  Hmm... the code you pointed out does appear to ignore with_ntdomain_hack. I'll fix that. See tomorrow's CVS snapshot.

  Alan DeKok.
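The calculation both posters are arguing about is the ChallengeHash of RFC 2759 section 8.2, which rlm_mschap feeds to ntlm_auth as --challenge. The following is an added example, not FreeRADIUS code and not from any poster: it implements that hash, checks it against the RFC 2759 section 9.2 test vector, and then shows why a server that hashes the DOMAIN\user identity cannot match a supplicant that hashed the bare user part unless the domain prefix is stripped (the with_ntdomain_hack). The 16-octet challenges in the DOMAIN\user scenario are constructed values.

```python
import hashlib


def strip_ntdomain(user_name: str) -> str:
    """Drop a leading DOMAIN\\ prefix, which is what with_ntdomain_hack
    exists to do: the Windows supplicant sends DOMAIN\\user as its
    identity but computes MS-CHAPv2 with just "user"."""
    _domain, sep, user = user_name.partition("\\")
    return user if sep else user_name


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes,
                   user_name: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2: the first 8 octets of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName).

    rlm_mschap passes the 16 octets after the ident/flags bytes of
    MS-CHAP2-Response as the peer challenge, MS-CHAP-Challenge as the
    authenticator challenge, and the User-Name string as UserName."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 octets each")
    sha = hashlib.sha1()
    sha.update(peer_challenge)
    sha.update(auth_challenge)
    sha.update(user_name.encode("ascii"))  # 0-to-256-char ASCII UserName
    return sha.digest()[:8]


def server_matches_client(peer_challenge: bytes, auth_challenge: bytes,
                          identity: str, with_ntdomain_hack: bool) -> bool:
    """Does the server's --challenge value equal the one the supplicant
    actually used?  The supplicant always hashes the bare user part; the
    server hashes the identity as received unless the hack strips it."""
    client_side = challenge_hash(peer_challenge, auth_challenge,
                                 strip_ntdomain(identity))
    server_name = strip_ntdomain(identity) if with_ntdomain_hack else identity
    server_side = challenge_hash(peer_challenge, auth_challenge, server_name)
    return client_side == server_side


# RFC 2759 section 9.2 test vector (real values from the RFC).
RFC_USER = "User"
RFC_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_CHALLENGE = bytes.fromhex("D02E4386BCE91226")

# Constructed challenges for the DOMAIN\user scenario from the thread.
PEER = bytes(range(16))
AUTH = bytes(range(16, 32))


if __name__ == "__main__":
    assert challenge_hash(RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, RFC_USER) == RFC_CHALLENGE
    for identity, hack in (("MI\\chand", False), ("MI\\chand", True), ("chand", False)):
        print(f"identity={identity!r:12} with_ntdomain_hack={hack!s:5} "
              f"--challenge matches supplicant: {server_matches_client(PEER, AUTH, identity, hack)}")
```

Only the hack=False, DOMAIN\user row fails, which is the "Logon failure" seen in the thread: the --domain and --username arguments are right but the --challenge was derived from the wrong name.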
RE: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....
I patched the rlm_mschap.c file (attached). I pulled code from rlm_preprocess.c that handles the with_ntdomain_hack and modified it to work. The user_name argument being passed to the challenge_hash() function now honors the with_ntdomain_hack but my problem still exists. :-(

Back to the drawing board.

Brian D.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Monday, May 03, 2004 1:07 PM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question

Dourty, Brian R. (IATS) [EMAIL PROTECTED] wrote:
> To clarify things here, the --domain and --username arguments are right, but the --challenge argument is incorrect.

  Ah, OK.

> The username being used in this function still contains the DOMAIN! This is what is keeping the auth from working. I've added debug statements to my code. It's using the domain/user. This won't work.

  Then the with_ntdomain_hack should be set...

> I can't change the client. I can change freeradius. The client presents freeradius with a domain/username. We all know that is the case.

  Yes, that's a problem. The client is *lying* to FreeRADIUS.

> The challenge and nt-response are both hashes based in part on the username. The username that freeradius uses when it generates these hashes is the full username, not the stripped username. This is what is causing my problem. Now, the question is how to go about fixing the problem.

  Theoretically, using with_ntdomain_hack should help.

  Hmm... the code you pointed out does appear to ignore with_ntdomain_hack. I'll fix that. See tomorrow's CVS snapshot.

  Alan DeKok.

[Attachment: with_ntdomain_hack.patch]
Re: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....
Dourty, Brian R. (IATS) [EMAIL PROTECTED] wrote:
> I patched the rlm_mschap.c file (attached). I pulled code from rlm_preprocess.c that handles the with_ntdomain_hack and modified it to work.

  Similar code already existed in rlm_mschap.c. The fix was 1 line.

> The user_name argument being passed to the challenge_hash() function now honors the with_ntdomain_hack but my problem still exists. :-( Back to the drawing board.

  Hmm... you hacked the User-Name attribute, which isn't generally a good idea.

  Try the CVS snapshot tomorrow, or grab the latest via anonymous cvs.

  Alan DeKok.
Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....
Hello all,

We are in the process of testing 802.1x authentication for future deployment on campus. Our test setup includes the following:

- freeradius-snapshot-20040427 running on RHEL 3.0 AS
- Configured for PEAP with MSCHAPv2 using SAMBA's winbind/ntlm_auth
- Multiple AD domains (smb.conf points to a Global Catalog Server)
- Linux/Windows XP/Windows 2K/Mac OS X clients

What works:

1. Using wbinfo -a domain+user%password I can authenticate as any user in any of our domains.
2. 802.1x auths as long as I don't supply a domain and the user is in the domain that the GC is in.

What doesn't work:

1. Supplying domain with login credentials. I've got a realm for each of our domains set up and I can see the preprocess module doing its job separating domain from username. Then the MSCHAPv2 module kicks in and the call to NTLM_AUTH fails with wrong password.

1. Keeping in mind that user1 in domain1 can auth as long as domain1 isn't supplied, why does supplying domain1 cause the auth to fail?
2. What does preprocess do with the realm it strips off? I'd like to be able to pass the realm as a --domain option to ntlm_auth.
3. Why does PEAP think the username is still domain/user? I see the following in the logs while running radius -X -A:

       PEAP: Setting User-Name to UMC-USERS\dourtyb
       PEAP: Adding old state with 17 b0
       PEAP: Sending tunneled request

   Should it be using Stripped-User-Name instead?

Thanks,

Brian Dourty
IAT Services
University of Missouri - Columbia
RE: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....
> Dourty, Brian R. (IATS) [EMAIL PROTECTED] wrote:
>> 1. Keeping in mind that user1 in domain1 can auth as long as domain1 isn't supplied, why does supplying domain1 cause the auth to fail?
>
>   Because the MS client does the MS-CHAP calculations using the username without the domain, but supplies the username to the RADIUS server WITH the domain. See the list archives for more explanations.

Ok, but isn't the with_ntdomain_hack = yes directive in the radiusd.conf file supposed to correct this behavior?

    # Windows sends us a username in the form of
    # DOMAIN\user, but sends the challenge response
    # based on only the user portion. This hack
    # corrects for that incorrect behavior.

>> 2. What does preprocess do with the realm it strips off? I'd like to be able to pass the realm as a --domain option to ntlm_auth.
>
>   Read the debug log. It adds it as an attribute.

Ah yes, I see that now. New attribute is called Realm so the line in radiusd.conf is now:

    ntlm_auth = /usr/bin/ntlm_auth --domain=%{Realm} --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

So now my args for ntlm_auth are right, but I think something is up with mschap still. When the Challenge or Response message is generated is it still trying to use domain/user as the username?

>> 3. Why does PEAP think the username is still domain/user? I see the following in the logs while running radius -X -A:
>>
>>     PEAP: Setting User-Name to UMC-USERS\dourtyb
>
>   Because that's the name in the EAP identity packet. Read the debug log, it says this.
>
>> Should it be using Stripped-User-Name instead?
>
>   No.

I'm confused on this point. When PEAP identity is set to username my auths work. When the PEAP identity is of the form domain/user MSCHAP fails. Am I wrong in thinking that with the correct configuration Freeradius will allow me to have users from all trusted domains use the MSCHAP module for 802.1x auth? Where am I going wrong?

Thanks!

Brian Dourty
IAT Services
University of Columbia - Missouri
Re: Freeradius PEAP Problems
Lionel Gavage [EMAIL PROTECTED] wrote:
> even with this option, the problem is always present! an idea ?

  <shrug> Buy a better client?

  The tunneled session MUST include an EAP-Identity packet, which is where the user name comes from. If the client doesn't send it, don't complain that FreeRADIUS is broken. Fix the client.

  The user name is REQUIRED for MS-CHAP, which is what PEAP uses inside of the TLS tunnel. Any client that doesn't send a user name is broken.

  Alan DeKok.
Re: Freeradius PEAP Problems
Lionel Gavage [EMAIL PROTECTED] wrote:
> I use FreeRadius snapshot 20040129 with EAP/TLS, EAP/TTLS and EAP/PEAP. I try to set up PEAP/MS-CHAPv2 but I've the error "rlm_mschap: We require a User-Name for MS-CHAPv2". However, I am sending a login/pass. I use Aegis Client under Windows XP.

  Look again. The tunneled authentication session doesn't have a username.

  You can set copy_request_to_tunnel = yes in the PEAP module. That should help.

  Alan DeKok.
RE: Freeradius PEAP Problems
even with this option, the problem is always present! an idea ?

Lionel Gavage

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Monday, February 9, 2004 16:45
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems

Lionel Gavage [EMAIL PROTECTED] wrote:
> I use FreeRadius snapshot 20040129 with EAP/TLS, EAP/TTLS and EAP/PEAP. I try to set up PEAP/MS-CHAPv2 but I've the error "rlm_mschap: We require a User-Name for MS-CHAPv2". However, I am sending a login/pass. I use Aegis Client under Windows XP.

  Look again. The tunneled authentication session doesn't have a username.

  You can set copy_request_to_tunnel = yes in the PEAP module. That should help.

  Alan DeKok.
Re: Freeradius PEAP Problems
Sorry Lionel!!! Another question. I have changed my radiusd.conf and I have activated the TTLS module. But now, there are two modules activated, is it a problem?

    eap {
        default_eap_type = tls    !!
        timer_expire = 60
        #md5 {
        #}
        tls {
            private_key_password = izadisan
            private_key_file = /usr/local/openssl/ssl/certs/server/server.pem
            certificate_file = /usr/local/openssl/ssl/certs/server/server.pem
            CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt
            dh_file = /usr/local/openssl/ssl/certs/dh
            random_file = /usr/local/openssl/ssl/certs/random
            fragment_size = 600
            include_length = yes
        }
        ttls {
            default_eap_type = md5    !
            use_tunneled_reply = no
        }
    }

Is it correct? My freeRADIUS is 0.8.1, TTLS runs with this version? For default_eap_type is possible md5 value only?

Thanks again Lionel

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

----- Original Message -----
From: Lionel Gavage [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, February 09, 2004 4:59 PM
Subject: RE: Freeradius PEAP Problems

> Activated the TTLS module:
>
>     ttls {
>         default_eap_type = md5
>         use_tunneled_reply = no
>     }
>
> and it's all.
>
> Lionel Gavage
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of José Luis Solano
> Sent: Monday, February 9, 2004 17:03
> To: [EMAIL PROTECTED]
> Subject: Re: Freeradius PEAP Problems
>
> Hi Lionel!!
>
> I would need your help because I use EAP-TLS, EAP-TTLS and PEAP. The first one, TLS, runs OK, but TTLS and PEAP don't run OK. My first target now is to run TTLS and I will run PEAP after. So, can you help me please? Currently, my radiusd.conf is:
>
>     # Extensible Authentication Protocol
>     #
>     # For all EAP related authentications
>     eap {
>         # Invoke the default supported EAP type when
>         # EAP-Identity response is received
>         default_eap_type = tls
>
>         # Default expiry time to clean the EAP list,
>         # It is maintained to co-relate the
>         # EAP-response for each EAP-request sent.
>         timer_expire = 60
>
>         # Supported EAP-types
>         #md5 {
>         #}
>
>         ## EAP-TLS is highly experimental EAP-Type at the moment.
>         # Please give feedback on the mailing list.
>         tls {
>             private_key_password = izadisan
>             private_key_file = /usr/local/openssl/ssl/certs/server/server.pem
>
>             # If Private key & Certificate are located in the
>             # same file, then private_key_file & certificate_file
>             # must contain the same file name.
>             certificate_file = /usr/local/openssl/ssl/certs/server/server.pem
>
>             # Trusted Root CA list
>             CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt
>
>             dh_file = /usr/local/openssl/ssl/certs/dh
>             random_file = /usr/local/openssl/ssl/certs/random
>
>             #
>             # This can never exceed MAX_RADIUS_LEN (4096)
>             # preferably half the MAX_RADIUS_LEN, to
>             # accommodate other attributes in RADIUS packet.
>             # On most APs the MAX packet length is configured
>             # between 1500 - 1600. In these cases, fragment
>             # size should be <= 1024.
>             #
>             fragment_size = 600
>
>             # include_length is a flag which is by default set to yes
>             # If set to yes, Total Length of the message is included
>             # in EVERY packet we send.
>             # If set to no, Total Length of the message is included
>             # ONLY in the First packet of a fragment series.
>             #
>             include_length = yes
>         }
>     }
>
> What changes do I need to use TTLS?
>
> Thanks in advance Lionel!!!
>
> José Luis Solano
> SGI - Soluciones Globales Internet S.A.
> Delegación Regional Sur
> [EMAIL PROTECTED]
> (+34) 954.088.060
>
> ----- Original Message -----
> From: Lionel Gavage [EMAIL PROTECTED]
> To: freeradius-users [EMAIL PROTECTED]
> Sent: Monday, February 09, 2004 4:23 PM
> Subject: Freeradius PEAP Problems
>
>> Hi, I