RE: wpa2 freeradius peap rlm_perl

2011-12-09 Thread Ray Eads

Hi.  I have discovered that my goal is possible.  However, I had to change the 
way I was thinking about the authentication.  Essentially, the rlm_perl script 
does not perform the password comparison--it only retrieves the password and 
makes it available to the mschap module. 

Summary:  Yes, you can authenticate Windows clients with WPA2 PEAP using a perl 
script.



--
Ray Eads




-Original Message-
From: freeradius-users-bounces+reads=sno-isle@lists.freeradius.org 
[mailto:freeradius-users-bounces+reads=sno-isle@lists.freeradius.org] On 
Behalf Of Ray Eads
Sent: Monday, December 05, 2011 14:30
To: 'freeradius-users@lists.freeradius.org'
Subject: wpa2 freeradius peap rlm_perl


Hi.  I'm using freeradius-2.1.10-5.el6.x86_64 from RHEL 6.  I'd like to use 
freeradius to accomplish a specific authentication goal, and haven't met with 
success yet.  I'm assuming this is either because the configuration is 
difficult, or I'm trying to solve the problem the wrong way, or I don't 
understand the protocols, or a combination of all three.

Essentially, I'd like to have an access point offer WPA2 Enterprise 
authentication to wireless devices of various makes and models.  I'd like the 
user to submit for traditional username/password authentication to the radius 
server (without a client side certificate).  I'm able to produce a yes/no 
answer with an rlm_perl script that functions as expected with a normal radius 
query.  My problem is that I haven't been able to connect that rlm script 
properly when freeradius is contacted as part of an EAP message.  

From what I can tell, my choice of Windows compatible EAP types is fairly 
limited.  I've used PEAP in the past, but only with the intended AD repository 
of passwords.  With this application, I'd like to use the rlm_perl script 
instead of AD accounts as a source of usernames and passwords.

Big picture-wise, am I on the right path, or is this fundamentally the wrong 
way? I'm imagining a PEAP - rlm_perl configuration.  


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
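
The configuration Ray arrived at, as an added example that is not code from the original post or from the FreeRADIUS project: an rlm_perl authorize hook that fetches the known-good password and passes it to rlm_mschap as a control item, so the MS-CHAPv2 comparison happens in the eap/mschapv2 path rather than in the script. The file name mschap_lookup.pl, the inline user table and the lookup_password helper are assumptions for illustration and the values in the table are made up; the real script would query its own store there. It uses the FreeRADIUS 2.x rlm_perl interface (%RAD_REQUEST, %RAD_CHECK, radiusd::radlog and the RLM_MODULE_* values from raddb/example.pl) and is written so it can also be run from a shell for a self-test.

```perl
#!/usr/bin/perl
# rlm_perl hook for PEAP/EAP-MSCHAPv2 on FreeRADIUS 2.x.
# Added example, not from the original post or the FreeRADIUS project.
# Install as /etc/raddb/mschap_lookup.pl (assumed path), point
# modules/perl at it, and list "perl" in the authorize section of
# sites-enabled/inner-tunnel so it runs on the tunnelled identity.
use strict;
use warnings;

# Hashes rlm_perl fills in for every request (request items, reply items,
# control/check items).
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Return codes and log levels, with the values raddb/example.pl uses.
use constant RLM_MODULE_FAIL     => 1;
use constant RLM_MODULE_OK       => 2;
use constant RLM_MODULE_NOTFOUND => 6;
use constant RLM_MODULE_NOOP     => 7;
use constant RLM_MODULE_UPDATED  => 8;
use constant L_DBG  => 1;
use constant L_AUTH => 2;

# Inside radiusd, radiusd::radlog is provided by the module.  When the file
# is run from a shell it is missing, so install a stub and enable the
# self-test at the bottom.
my $EMBEDDED = defined &radiusd::radlog;
*radiusd::radlog = sub { print STDERR "rlm_perl: $_[1]\n" } unless $EMBEDDED;

# Constructed sample store (assumption); the real script would query its
# own database here.  MS-CHAPv2 can only be verified against the cleartext
# password or its NT hash (MD4 over UTF-16LE, 32 hex digits).  A salted or
# iterated hash (crypt, PBKDF2, ...) cannot be used with MS-CHAPv2 at all.
my %USERS = (
    'alice' => { cleartext => 'correct horse battery' },
    'bob'   => { nt_hash   => '0123456789abcdef0123456789abcdef' },  # made-up value
);

sub lookup_password {
    my ($user) = @_;
    return $USERS{$user};
}

# authorize: hand rlm_mschap a known-good password as a control item and
# let it do the comparison.  Do not set Auth-Type here; the eap module
# sets Auth-Type = EAP and its mschapv2 sub-type calls mschap for us.
sub authorize {
    my $user = $RAD_REQUEST{'Stripped-User-Name'} // $RAD_REQUEST{'User-Name'};
    return RLM_MODULE_NOOP unless defined $user;

    # Windows supplicants may send DOMAIN\user; the store is keyed by user.
    (my $key = $user) =~ s/^.*\\//;

    my $rec = lookup_password($key);
    unless ($rec) {
        radiusd::radlog(L_AUTH, "no such user '$key'");
        return RLM_MODULE_NOTFOUND;
    }
    if (defined $rec->{cleartext}) {
        $RAD_CHECK{'Cleartext-Password'} = $rec->{cleartext};
    } elsif (defined $rec->{nt_hash} && $rec->{nt_hash} =~ /^[0-9a-fA-F]{32}$/) {
        $RAD_CHECK{'NT-Password'} = $rec->{nt_hash};
    } else {
        radiusd::radlog(L_AUTH, "user '$key' has no MS-CHAP-usable credential");
        return RLM_MODULE_FAIL;
    }
    radiusd::radlog(L_DBG, "supplied known-good password for '$key'");
    return RLM_MODULE_UPDATED;
}

# Self-test when run from a shell: perl mschap_lookup.pl
unless ($EMBEDDED) {
    for my $name ('alice', 'CORP\\bob', 'mallory') {
        %RAD_REQUEST = ('User-Name' => $name);
        %RAD_CHECK   = ();
        my $rc = authorize();
        printf "%-10s rc=%d control=%s\n", $name, $rc,
            join(',', map { "$_=$RAD_CHECK{$_}" } sort keys %RAD_CHECK) || '-';
    }
}
```

Hook it in with module = ${confdir}/mschap_lookup.pl in modules/perl and add perl to the authorize section of sites-enabled/inner-tunnel; the tunnelled request is the one that carries the MS-CHAPv2 exchange, so listing the module only in the default site is not enough. The script must not set Auth-Type, and a script that only answers yes/no cannot work in this position: the server never sees the password, only the MS-CHAPv2 challenge/response, which rlm_mschap verifies against Cleartext-Password or NT-Password. That is the change of thinking Ray describes, and it is also why a store holding only salted hashes cannot back PEAP/MS-CHAPv2 at all.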


wpa2 freeradius peap rlm_perl

2011-12-05 Thread Ray Eads

Hi.  I'm using freeradius-2.1.10-5.el6.x86_64 from RHEL 6.  I'd like to use 
freeradius to accomplish a specific authentication goal, and haven't met with 
success yet.  I'm assuming this is either because the configuration is 
difficult, or I'm trying to solve the problem the wrong way, or I don't 
understand the protocols, or a combination of all three.

Essentially, I'd like to have an access point offer WPA2 Enterprise 
authentication to wireless devices of various makes and models.  I'd like the 
user to submit for traditional username/password authentication to the radius 
server (without a client side certificate).  I'm able to produce a yes/no 
answer with an rlm_perl script that functions as expected with a normal radius 
query.  My problem is that I haven't been able to connect that rlm script 
properly when freeradius is contacted as part of an EAP message.  

From what I can tell, my choice of Windows compatible EAP types is fairly 
limited.  I've used PEAP in the past, but only with the intended AD repository 
of passwords.  With this application, I'd like to use the rlm_perl script 
instead of AD accounts as a source of usernames and passwords.

Big picture-wise, am I on the right path, or is this fundamentally the wrong 
way? I'm imagining a PEAP - rlm_perl configuration.  


--
Ray Eads (re...@sno-isle.org)
Network Engineer II





Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory

2011-07-27 Thread m4xmr
Hi,
have you found a solution or a workaround?
I have the same problem you experienced.
I configured freeradius to talk with LDAP on Mac but at the end I realized
that the clear-text password of the LDAP user isn't saved in the userPassword
field.
OpenDirectory doesn't use that field and implements the authentication through
Kerberos.
I've just recompiled freeradius with the rlm_opendirectory module enabled
and now I'm experiencing the problem you were talking about..., I suppose I
have to install freeradius on the same machine as OpenDirectory.
I'm pretty upset about it..., it's a little odd.
Have you got some useful information about it?

Let me know, please.

Max



Freeradius + PEAP/EAP-MSCHAPv2 + AD 2008

2011-03-18 Thread Geoffrey Chavepeyer
Hey everyone !

I'm trying to configure a FreeRadius server that authenticates with MSCHAPv2
with an Active Directory 2008.
It's my first radius install so go easy with me, I'm a noob :)

I've followed the following howto :
http://deployingradius.com/documents/configuration/active_directory.html
and everything goes fine with radtest, wbinfo and ntlm_auth, and my user is
correctly authenticated.

I'm now trying to connect a Windows 7 supplicant using that radius server.
(That client is configured to use Microsoft: Protected EAP (PEAP),
"validate server certificate" is unchecked and the authentication is on
secured password (EAP-MSCHAPv2).)

The problem seems to be that my client stops answering after 4-5
Access-Challenges. I saw the remarks about the xpextensions of the
certificates and made sure that the included makefile correctly uses the
xpextensions, which it seems to be doing.

The full debug is here : http://pastebin.com/B86AgN1N

It seems that mschap correctly authenticates the user:

Fri Mar 18 09:51:31 2011 : Info: +- entering group authenticate {...}
Fri Mar 18 09:51:31 2011 : Info: [eap] Request found, released from the list
Fri Mar 18 09:51:31 2011 : Info: [eap] EAP/mschapv2
Fri Mar 18 09:51:31 2011 : Info: [eap] processing type mschapv2
Fri Mar 18 09:51:31 2011 : Info: [mschapv2] +- entering group MS-CHAP {...}
Fri Mar 18 09:51:31 2011 : Info: [mschap] Told to do MS-CHAPv2 for
gchavepeyer with NT-Password
Fri Mar 18 09:51:31 2011 : Info: [mschap] No NT-Domain was found in the
User-Name.
Fri Mar 18 09:51:31 2011 : Info: [mschap]   expand:
--domain=%{mschap:NT-Domain:-EUROPE} - --domain=EUROPE
Fri Mar 18 09:51:31 2011 : Info: [mschap]   expand:
--username=%{mschap:User-Name} - --username=gchavepeyer
Fri Mar 18 09:51:31 2011 : Info: [mschap]  mschap2: 5c
Fri Mar 18 09:51:31 2011 : Info: [mschap]   expand:
--challenge=%{mschap:Challenge:-00} - --challenge=82d538878ea2db35
Fri Mar 18 09:51:31 2011 : Info: [mschap]   expand:
--nt-response=%{mschap:NT-Response:-00} -
--nt-response=555bd723d3058e951670b77a443550a83f4eab5af5124f1f
Fri Mar 18 09:51:31 2011 : Debug: Exec-Program output: NT_KEY:
99DC7FD7D0C603D05D96779E61DF89AF
Fri Mar 18 09:51:31 2011 : Debug: Exec-Program-Wait: plaintext: NT_KEY:
99DC7FD7D0C603D05D96779E61DF89AF
Fri Mar 18 09:51:31 2011 : Debug: Exec-Program: returned: 0
Fri Mar 18 09:51:31 2011 : Info: [mschap] adding MS-CHAPv2 MPPE keys
Fri Mar 18 09:51:31 2011 : Info: ++[mschap] returns ok
Fri Mar 18 09:51:31 2011 : Debug: MSCHAP Success
Fri Mar 18 09:51:31 2011 : Info: ++[eap] returns handled
} # server inner-tunnel
Fri Mar 18 09:51:31 2011 : Info: [peap] Got tunneled reply code 11
EAP-Message =
0x011400331a0313002e533d4644354536323645394645383839333042323031364339453731463231323146443337303836
Message-Authenticator = 0x
State = 0x3cafd11f3dbbcb7c3fe5efc8d331
Fri Mar 18 09:51:31 2011 : Info: [peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x011400331a0313002e533d4644354536323645394645383839333042323031364339453731463231323146443337303836
Message-Authenticator = 0x
State = 0x3cafd11f3dbbcb7c3fe5efc8d331
Fri Mar 18 09:51:31 2011 : Info: [peap] Got tunneled Access-Challenge
Fri Mar 18 09:51:31 2011 : Info: ++[eap] returns handled
Sending Access-Challenge of id 29 to 10.32.25.204 port 32768
EAP-Message =
0x0114005b19001703010050efa71e4179b8bba7065b53e5c07cc774ffa8494adc0cd61c810e10ea5af21f52ac755a7f7a908b1c6898ac8039096320bf270f4ff208b22559eb7111f6c2e4412eaad47c33a4e151d5ad626af368c991
Message-Authenticator = 0x
State = 0x11c1c21a16d5dba84c633101b1a44bc3
Fri Mar 18 09:51:31 2011 : Info: Finished request 7.
Fri Mar 18 09:51:31 2011 : Debug: Going to the next request
Fri Mar 18 09:51:31 2011 : Debug: Waking up in 4.8 seconds.
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 0 ID 22 with timestamp
+27
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 1 ID 23 with timestamp
+27
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 2 ID 24 with timestamp
+27
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 3 ID 25 with timestamp
+27
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 4 ID 26 with timestamp
+27
Fri Mar 18 09:51:36 2011 : Debug: Waking up in 0.1 seconds.
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 5 ID 27 with timestamp
+27
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 6 ID 28 with timestamp
+27
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 7 ID 29 with timestamp
+27
Fri Mar 18 09:51:36 2011 : Debug: Ready to process requests.

The server sends an Access-Challenge (instead of an Access-Accept?) again, but
the client never answers back and the client gets an unable to connect to


Can someone please help me with this ? (All my configuration is visible in
the first debug lines but if needed i can post the content of any file.)

Thanks a lot 

Re: Freeradius + PEAP/EAP-MSCHAPv2 + AD 2008

2011-03-18 Thread Alan Buxey
Hi,

I've followed the following howto :
[1]http://deployingradius.com/documents/configuration/active_directory.html
and everything goes fine with the radtest, wbinfo, ntlm_auth and my user
is correctly authentified.

my first question is why so old a version of FreeRADIUS if you are
only just starting out?  2.1.10 has a LOT of bug fixes compared to the
very old 2.1.7 version...dated 14 September 2009, 2.1.7 came out before Windows
7 (*)

Win7 is also VERY fussy about certs. Have you installed the CA cert
that your RADIUS server is signed with? I know you haven't ticked the validate
button..but Win7 is fussy(!)


alan

(*) release to manufacturing was July 2009, release to retail was Oct 2009



freeradius+peap+mschap+AD

2010-04-26 Thread Aniss Nazerian
Hi,
I have some strange problems with peap+mschap+AD
I followed the howto on the wiki for AD but with no luck.
When authenticating a user I'll get:

Info: ++[mschap] returns ok
Debug: MSCHAP Success

So i assume that the auth. against AD is OK

but then the inner tunnel does something

} # server inner-tunnel
Mon Apr 26 12:32:15 2010 : Info: [peap] Got tunneled reply code 11
EAP-Message =
0x010700331a0306002e533d35454536463235384339353037434438373938303137334434424545393533373537304537393443
Message-Authenticator = 0x
State = 0x55964b77549151644066a939db03f531
Mon Apr 26 12:32:15 2010 : Info: [peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010700331a0306002e533d35454536463235384339353037434438373938303137334434424545393533373537304537393443
Message-Authenticator = 0x
State = 0x55964b77549151644066a939db03f531
Mon Apr 26 12:32:15 2010 : Info: [peap] Got tunneled Access-Challenge
Mon Apr 26 12:32:15 2010 : Info: ++[eap] returns handled
Sending Access-Challenge of id 0 to 194.47.88.154 port 2051
EAP-Message =
0x0107005b19001703010050154c3b195ed5a3fa88fd21477529cf86ee7d1d98cf8eb918036ac8aa14cd6f8c66a1836e9ab27087ad7df766d20447dbce1247b6a9ccf6b4376d854978db210db60f9b3578592123a4c5d43a205e8f79
Message-Authenticator = 0x
State = 0x3b975d133d90441898602b7c0076958a
Mon Apr 26 12:32:15 2010 : Info: Finished request 6.

After that nothing happens.

I'm using:
FreeRADIUS Version 2.1.1
I have tried both OS X 10.6 and Ubuntu 10.04 clients
I have tried changing AP from CISCO to a Linksys WRT-54GL with DD-WRT
with no luck.

Has anyone any idea on what's wrong?

-- 
Aniss Nazerian, IT-Department, Linnaeus University
Phone: +46-470-708183, E-mail:aniss.nazer...@vxu.se

O ascii ribbon campaign - stop html mail - www.asciiribbon.org


Re: freeradius+peap+mschap+AD

2010-04-26 Thread Alan Buxey
Hi,

 Info: ++[mschap] returns ok
 Debug: MSCHAP Success
 
 So i assume that the auth. against AD is OK

not if you havent done the EAP inner-tunnel stuff yet - unless you mean
basic authorize has completed.

 but then the inner tunnel does something

well, it tries to

 Mon Apr 26 12:32:15 2010 : Info: [peap] Got tunneled Access-Challenge
 Mon Apr 26 12:32:15 2010 : Info: ++[eap] returns handled
 Sending Access-Challenge of id 0 to 194.47.88.154 port 2051
 EAP-Message =
 0x0107005b19001703010050154c3b195ed5a3fa88fd21477529cf86ee7d1d98cf8eb918036ac8aa14cd6f8c66a1836e9ab27087ad7df766d20447dbce1247b6a9ccf6b4376d854978db210db60f9b3578592123a4c5d43a205e8f79
 Message-Authenticator = 0x
 State = 0x3b975d133d90441898602b7c0076958a

it sends a challenge back to the NAS/AP - but nothing else is happening.
so, either the NAS or the client.  how have you got the AP set up? 802.1X or
WPA-Enterprise? how is the client configured?  to use PEAP/MSCHAPv2 or 
EAP-TTLS/MSCHAPv2?
got the required certificate installed on the client?

alan


Re: freeradius+peap+mschap+AD

2010-04-26 Thread Aniss Nazerian
Hi,

This is what I get.
--
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for usern...@domain.xx with NT-Password
[mschap]expand: %{Stripped-User-Name} - username
[mschap]expand:
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -
--username=username
[mschap] No NT-Domain was found in the User-Name.
[mschap]expand: %{mschap:NT-Domain} -
[mschap]expand: --domain=%{%{mschap:NT-Domain}:-DOMAIN.XX} -
--domain=LNU.SE
[mschap]  mschap2: 67
[mschap]expand: --challenge=%{mschap:Challenge:-00} -
--challenge=756cc36d609e7393
[mschap]expand: --nt-response=%{mschap:NT-Response:-00} -
--nt-response=29dbc4dc525dd28cac668e57a0d85803996301a054d782fb
Exec-Program output: NT_KEY: A67F6D31D2596CD536AD173AE3DBD480
Exec-Program-Wait: plaintext: NT_KEY: A67F6D31D2596CD536AD173AE3DBD480
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
---

I'm using WPA2-enterprise (tried WPA-ent too)
I've tried both PEAP/MSCHAPv2 and EAP-TTLS/MSCHAPv2 and the CA-cert is
used on the client.


On 2010-04-26 15:37, Alan Buxey wrote:
 Hi,
 
 Info: ++[mschap] returns ok
 Debug: MSCHAP Success
 
 So i assume that the auth. against AD is OK
 
 not if you havent done the EAP inner-tunnel stuff yet - unless you mean
 basic authorize has completed.
 
 but then the inner tunnel does something
 
 well, it tries to
 
 Mon Apr 26 12:32:15 2010 : Info: [peap] Got tunneled Access-Challenge
 Mon Apr 26 12:32:15 2010 : Info: ++[eap] returns handled
 Sending Access-Challenge of id 0 to 194.47.88.154 port 2051
 EAP-Message =
 0x0107005b19001703010050154c3b195ed5a3fa88fd21477529cf86ee7d1d98cf8eb918036ac8aa14cd6f8c66a1836e9ab27087ad7df766d20447dbce1247b6a9ccf6b4376d854978db210db60f9b3578592123a4c5d43a205e8f79
 Message-Authenticator = 0x
 State = 0x3b975d133d90441898602b7c0076958a
 
 it sends a challenge back to the NAS/AP - but nothing else is happening.
 so, either the NAS or the client.  how have you got the AP set up? 802.1X or
 WPA-Enterprise? how is the client configured?  to use PEAP/MSCHAPv2 or 
 EAP-TTLS/MSCHAPv2?
 got the required certificate installed on the client?
 
 alan

-- 
Aniss Nazerian, IT-Department, Linnaeus University
Phone: +46-470-708183, E-mail:aniss.nazer...@vxu.se

O ascii ribbon campaign - stop html mail - www.asciiribbon.org


Re: Freeradius + PEAP.. stuck on validating identity..

2010-04-01 Thread Matt Harlum

On 01/04/2010, at 1:44 PM, Matt Harlum wrote:

 
 On 01/04/2010, at 7:39 AM, Bruno Kremel wrote:
 
 On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
 What should be there?
 Because I don't know; I am using the Daloradius web interface for adding data to
 the database, so I just loaded the default daloradius sql which was intended
 (according to the readme of daloradius) for 2.X Freeradius... and added accounts
 in the web interface...
 
 Here's an example from my radcheck table in the SQL Database
 +----+-------------+---------------+----+-------------+
 | id | UserName    | Attribute     | op | Value       |
 +----+-------------+---------------+----+-------------+
 |  1 | exampleuser | User-Password | == | password123 |
 +----+-------------+---------------+----+-------------+
 
 This is how yours should be set up, otherwise you will get the validating
 issue in Windows.
 

I was wrong,
it should be:
Here's an example from my radcheck table in the SQL Database
+----+-------------+--------------------+----+-------------+
| id | UserName    | Attribute          | op | Value       |
+----+-------------+--------------------+----+-------------+
|  1 | exampleuser | Cleartext-Password | := | password123 |
+----+-------------+--------------------+----+-------------+

My configuration was wrong, it would seem; I hadn't noticed as I'm primarily using
EAP-TLS with EAP-TTLS as a fallback. I didn't test it when I upgraded to 2.x.

Regards,
Matt Harlum

 
 
 To me it seems that name/password was accepted so I have no clue where
 is the problem..
 
  The password was NOT accepted.  It was *ignored*.
 
 And what is that Access-Accept on the end of the log?... also radtest gives
 me Access-Accept only on correct login and password so I think that it's not
 that SQL...
 
 
 As Alan said, it was simply ignored because of the misconfiguration
 
 Regards,
 Matt Harlum
 
 


Re: Freeradius + PEAP.. stuck on validating identity..

2010-04-01 Thread Bruno Kremel
2010/4/1 Matt Harlum m...@cactuar.net:

 On 01/04/2010, at 1:44 PM, Matt Harlum wrote:

 On 01/04/2010, at 7:39 AM, Bruno Kremel wrote:

 On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
 What should be there?
 Because I don't know; I am using the Daloradius web interface for adding data to
 the database, so I just loaded the default daloradius sql which was intended
 (according to the readme of daloradius) for 2.X Freeradius... and added accounts
 in the web interface...

 Here's an example from my radcheck table in the SQL Database
 +----+-------------+---------------+----+-------------+
 | id | UserName    | Attribute     | op | Value       |
 +----+-------------+---------------+----+-------------+
 |  1 | exampleuser | User-Password | == | password123 |
 +----+-------------+---------------+----+-------------+
 This is how yours should be set up, otherwise you will get the validating
 issue in Windows.

 I was wrong,
 it should be:
 Here's an example from my radcheck table in the SQL Database
 +----+-------------+--------------------+----+-------------+
 | id | UserName    | Attribute          | op | Value       |
 +----+-------------+--------------------+----+-------------+
 |  1 | exampleuser | Cleartext-Password | := | password123 |
 +----+-------------+--------------------+----+-------------+
 My configuration was wrong, it would seem; I hadn't noticed as I'm primarily
 using EAP-TLS with EAP-TTLS as a fallback. I didn't test it when I upgraded to
 2.x.
 Regards,
 Matt Harlum


 To me it seems that name/password was accepted so I have no clue where

 is the problem..

  The password was NOT accepted.  It was *ignored*.

 And what is that Access-Accept on the end of the log?... also radtest gives
 me Access-Accept only on correct login and password so I think that it's not
 that SQL...


 As Alan said, it was simply ignored because of the misconfiguration
 Regards,
 Matt Harlum





Thank you for the answer.. You are right with that sql, it is some mess in
daloradius, but I tried to disable SQL and use the /etc/freeradius/users
file instead, but I am stuck on Attempting to authenticate now.. log
says this:

Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.3.1 port 1320, id=0,
length=137
Cleaning up request 39 ID 0 with timestamp +589
User-Name = pokus
NAS-IP-Address = 192.168.3.1
Called-Station-Id = 00259c523046
Calling-Station-Id = 001e650eb532
NAS-Identifier = 00259c523046
NAS-Port = 9
Framed-MTU = 1400
State = 0x53b1704550ba694fbe3359243d2a2638
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020b00061900
Message-Authenticator = 0x5fde19c57e8672a11c18b0b34d8c3acd
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = pokus, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: EAP packet type response id 11 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.3.1 port 1320
EAP-Message = 0x010c00061900
Message-Authenticator = 0x
State = 0x53b1704557bd694fbe3359243d2a2638
Finished request 40.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 40 ID 0 with timestamp +589
Ready to process requests.

That Access-Challenge should authenticate my client if I am not wrong,
but it still shows me validating identity and then attempting to
authenticate...



Re: Freeradius + PEAP.. stuck on validating identity..

2010-04-01 Thread Matt Harlum
On 01/04/2010, at 8:40 PM, Bruno Kremel wrote:

 2010/4/1 Matt Harlum m...@cactuar.net:
 
 On 01/04/2010, at 1:44 PM, Matt Harlum wrote:
 
 On 01/04/2010, at 7:39 AM, Bruno Kremel wrote:
 
 On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
 What should be there?
 Because I don't know; I am using the Daloradius web interface for adding data to
 the database, so I just loaded the default daloradius sql which was intended
 (according to the readme of daloradius) for 2.X Freeradius... and added accounts
 in the web interface...
 
 Here's an example from my radcheck table in the SQL Database
 +----+-------------+---------------+----+-------------+
 | id | UserName    | Attribute     | op | Value       |
 +----+-------------+---------------+----+-------------+
 |  1 | exampleuser | User-Password | == | password123 |
 +----+-------------+---------------+----+-------------+
 This is how yours should be set up, otherwise you will get the validating
 issue in Windows.
 
 I was wrong,
 it should be:
 Here's an example from my radcheck table in the SQL Database
 +----+-------------+--------------------+----+-------------+
 | id | UserName    | Attribute          | op | Value       |
 +----+-------------+--------------------+----+-------------+
 |  1 | exampleuser | Cleartext-Password | := | password123 |
 +----+-------------+--------------------+----+-------------+
 My configuration was wrong, it would seem; I hadn't noticed as I'm primarily
 using EAP-TLS with EAP-TTLS as a fallback. I didn't test it when I upgraded to
 2.x.
 Regards,
 Matt Harlum
 
 
 To me it seems that name/password was accepted so I have no clue where
 
 is the problem..
 
  The password was NOT accepted.  It was *ignored*.
 
 And what is that Access-Accept on the end of the log?... also radtest gives
 me Access-Accept only on correct login and password so I think that it's not
 that SQL...
 
 
 As Alan said, it was simply ignored because of the misconfiguration
 Regards,
 Matt Harlum
 
 
 
 
 
 Thank you for the answer.. You are right with that sql, it is some mess in
 daloradius, but I tried to disable SQL and use the /etc/freeradius/users
 file instead, but I am stuck on Attempting to authenticate now.. log
 says this:

Are you trying to use EAP-TTLS?

 Going to the next request
 Waking up in 4.9 seconds.
 rad_recv: Access-Request packet from host 192.168.3.1 port 1320, id=0,
 length=137
 Cleaning up request 39 ID 0 with timestamp +589
User-Name = pokus
NAS-IP-Address = 192.168.3.1
Called-Station-Id = 00259c523046
Calling-Station-Id = 001e650eb532
NAS-Identifier = 00259c523046
NAS-Port = 9
Framed-MTU = 1400
State = 0x53b1704550ba694fbe3359243d2a2638
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020b00061900
Message-Authenticator = 0x5fde19c57e8672a11c18b0b34d8c3acd
 +- entering group authorize
 ++[preprocess] returns ok
 ++[chap] returns noop
 ++[mschap] returns noop
rlm_realm: No '@' in User-Name = pokus, looking up realm NULL
rlm_realm: No such realm NULL
 ++[suffix] returns noop
  rlm_eap: EAP packet type response id 11 length 6
  rlm_eap: Continuing tunnel setup.
 ++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
 auth: type EAP
 +- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
 rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
 ++[eap] returns handled
 Sending Access-Challenge of id 0 to 192.168.3.1 port 1320
EAP-Message = 0x010c00061900
Message-Authenticator = 0x
State = 0x53b1704557bd694fbe3359243d2a2638
 Finished request 40.
 Going to the next request
 Waking up in 4.9 seconds.
 Cleaning up request 40 ID 0 with timestamp +589
 Ready to process requests.

Hard for me to tell what's going wrong here; radiusd -X should give more
diagnostic information that would help.

Also, what was the exact section of your users file like? With obfuscated login
credentials of course.
  
 That Access-Challenge should authenticate my client if I am not wrong,
 but it still shows me validating identity and then attempting to
 authenticate...
 




Re: Freeradius + PEAP.. stuck on validating identity..

2010-04-01 Thread Alan DeKok
Bruno Kremel wrote:
 Sending Access-Challenge of id 0 to 192.168.3.1 port 1320
 EAP-Message = 0x010c00061900
 Message-Authenticator = 0x
 State = 0x53b1704557bd694fbe3359243d2a2638
 Finished request 40.
 Going to the next request
 Waking up in 4.9 seconds.
 Cleaning up request 40 ID 0 with timestamp +589
 Ready to process requests.

  This is documented in the FAQ, in the comments in raddb/eap.conf, and
on my web site (http://deployingradius.com/).

  Please read the existing documentation,

 That Access-Challenge should authenticate my client if I am not wrong,

  No.

  Alan DeKok.
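
The question Alan answers with "No." above, and Geoffrey's "Access-Challenge (instead of an Access-Accept?)" earlier on this page, both come down to what the EAP-Message hex in the debug output actually contains. An added example, not from the posts or the FreeRADIUS project: a small Perl decoder for the EAP-Message strings radiusd -X prints, run over the exact bytes quoted on this page (copied into the script). It decodes the EAP header, the PEAP flags byte and TLS record header for type 25, and the MS-CHAPv2 opcode for type 26 inside the tunnel. Packet layouts follow RFC 3748 (EAP), the PEAP draft and RFC 2759 (MS-CHAPv2); the helper and table names are the example's own.

```perl
#!/usr/bin/perl
# Decode the EAP-Message hex strings that radiusd -X prints.
# Added example, not from the original posts or the FreeRADIUS project.
use strict;
use warnings;

my %EAP_CODE  = (1 => 'Request', 2 => 'Response', 3 => 'Success', 4 => 'Failure');
my %EAP_TYPE  = (1 => 'Identity', 25 => 'PEAP', 26 => 'MS-CHAPv2');
my %MSCHAP_OP = (1 => 'Challenge', 2 => 'Response', 3 => 'Success', 4 => 'Failure');
my %TLS_CT    = (20 => 'change_cipher_spec', 21 => 'alert',
                 22 => 'handshake', 23 => 'application_data');

# Returns a hashref describing one EAP packet; $hex may carry a 0x prefix.
sub decode_eap {
    my ($hex) = @_;
    $hex =~ s/^0x//i;
    my $raw = pack('H*', $hex);
    die "short packet\n" if length($raw) < 4;
    my ($code, $id, $len) = unpack('C C n', $raw);
    my %p = (
        code      => $code,
        code_name => $EAP_CODE{$code} // "unknown($code)",
        id        => $id,
        length    => $len,
        have      => length($raw),
        missing   => $len - length($raw),   # >0 when the log line lost characters
    );
    return \%p if $code == 3 || $code == 4;  # Success/Failure carry no type

    $p{type}      = unpack('C', substr($raw, 4, 1));
    $p{type_name} = $EAP_TYPE{$p{type}} // "unknown($p{type})";
    my $data = substr($raw, 5);

    if ($p{type} == 25) {                    # PEAP: flags byte, then TLS records
        my $flags = unpack('C', substr($data, 0, 1));
        $p{flags} = { length_included => !!($flags & 0x80),
                      more_fragments  => !!($flags & 0x40),
                      start           => !!($flags & 0x20),
                      version         => $flags & 0x07 };
        my $tls = substr($data, 1);
        $tls = substr($tls, 4) if $flags & 0x80;   # skip 4-byte TLS message length
        if (length($tls) == 0) {
            $p{peap} = 'ACK (no TLS data)';
        } elsif (length($tls) >= 5) {
            my ($ct, $vmaj, $vmin, $rlen) = unpack('C C C n', $tls);
            $p{peap} = sprintf('TLS %s, version %d.%d, record length %d',
                               $TLS_CT{$ct} // $ct, $vmaj, $vmin, $rlen);
        }
    } elsif ($p{type} == 26) {               # MS-CHAPv2 inside the tunnel
        my ($op, $msid, $mslen) = unpack('C C n', $data);
        $p{mschap} = { opcode => $op, opcode_name => $MSCHAP_OP{$op} // $op,
                       id => $msid, length => $mslen,
                       message => substr($data, 4) };
    } elsif ($p{type} == 1) {
        $p{identity} = $data;
    }
    return \%p;
}

sub describe {
    my ($p) = @_;
    my $s = sprintf('EAP %s id=%d len=%d', $p->{code_name}, $p->{id}, $p->{length});
    $s .= " (log line is $p->{missing} bytes short)" if $p->{missing} > 0;
    return $s unless exists $p->{type};
    $s .= " type=$p->{type_name}";
    if ($p->{peap}) {
        $s .= ": $p->{peap}";
        $s .= ' [more fragments follow]' if $p->{flags}{more_fragments};
    }
    $s .= sprintf(': %s id=%d msg=%s', $p->{mschap}{opcode_name},
                  $p->{mschap}{id}, $p->{mschap}{message}) if $p->{mschap};
    $s .= ": identity=$p->{identity}" if defined $p->{identity};
    return $s;
}

# The hex strings below are copied from the debug output quoted on this page.
my @samples = (
    # Geoffrey's inner-tunnel reply: MS-CHAPv2 Success carrying the server's
    # authenticator response, which the supplicant must verify and acknowledge.
    '0x011400331a0313002e533d4644354536323645394645383839333042323031364339453731463231323146443337303836',
    # The same reply as sent to the NAS: PEAP carrying one TLS application-data record.
    '0x0114005b19001703010050efa71e4179b8bba7065b53e5c07cc774ffa8494adc0cd61c810e10ea5af21f52ac755a7f7a908b1c6898ac8039096320bf270f4ff208b22559eb7111f6c2e4412eaad47c33a4e151d5ad626af368c991',
    # Bruno's exchange: a PEAP ACK from the client and the server's ACK back.
    '0x020b00061900',
    '0x010c00061900',
    # Bruno's later Access-Reject: EAP Failure.
    '0x040a0004',
);
print describe(decode_eap($_)), "\n" for @samples;
```

The first line of output shows that the inner-tunnel reply in Geoffrey's and Aniss's logs is an EAP Request of type MS-CHAPv2 with opcode 3 (Success) whose message starts with S=, the server's authenticator response. Under RFC 2759 the supplicant must verify that value and send back an MS-CHAPv2 Success-Response, and PEAP then exchanges its Result TLVs, before the server may send Access-Accept; an Access-Challenge at that point is therefore correct, and the server is waiting on the client. The decoder also reports that the archive dropped three characters from that log line (declared length 51 is 9 header bytes plus "S=" plus 40 hex digits, but only 48 bytes survive) instead of failing on it. The second line is the same reply as the NAS sees it: one TLS application-data record inside PEAP, so nothing about the inner result is visible to the access point. Bruno's two six-byte packets are PEAP ACKs with no TLS data, fragment acknowledgements during the handshake rather than an authentication result, and 0x040a0004 is the EAP Failure that his Access-Reject carries.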


Re: Freeradius + PEAP.. stuck on validating identity..

2010-04-01 Thread Bruno Kremel
2010/4/1 Alan DeKok al...@deployingradius.com:
 Bruno Kremel wrote:
 Sending Access-Challenge of id 0 to 192.168.3.1 port 1320
         EAP-Message = 0x010c00061900
         Message-Authenticator = 0x
         State = 0x53b1704557bd694fbe3359243d2a2638
 Finished request 40.
 Going to the next request
 Waking up in 4.9 seconds.
 Cleaning up request 40 ID 0 with timestamp +589
 Ready to process requests.

  This is documented in the FAQ, in the comments in raddb/eap.conf, and
 on my web site (http://deployingradius.com/).

  Please read the existing documentation,

 That Access-Challenge should authenticate my client if I am not wrong,

  No.

  Alan DeKok.


Thank you for those links... I have read that FAQ and so I copied over the
default eap.conf and tried it with the users file.. it is working OK, I can
connect to the AP with username/password, but when I tried to use SQL (I
have the correct format in SQL now) again it ends up with
Access-Reject:

  rlm_eap_peap:  Had sent TLV failure.  User was rejected earlier in
this session.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [pokus2/via Auth-Type = EAP] (from client
ciscorouter port 44 cli 001e650ece6c)
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - pokus2
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 23 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 23
Sending Access-Reject of id 0 to 192.168.3.1 port 1327
EAP-Message = 0x040a0004
Message-Authenticator = 0x
Waking up in 4.9 seconds.
Cleaning up request 23 ID 0 with timestamp +735
Ready to process requests.


But radtest gives me:
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 54224,
id=218, length=57
User-Name = test2
User-Password = pokus2
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = test2, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
expand: %{User-Name} - test2
rlm_sql (sql): sql_set_user escaped user -- 'test2'
rlm_sql (sql): Reserving sql socket id: 2
expand: SELECT id, username, attribute, value, op
FROM radcheck   WHERE username = '%{SQL-User-Name}'
ORDER BY id - SELECT id, username, attribute, value, op
FROM radcheck   WHERE username = 'test2'   ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op
FROM radreply   WHERE username = '%{SQL-User-Name}'
ORDER BY id - SELECT id, username, attribute, value, op
FROM radreply   WHERE username = 'test2'   ORDER BY id
expand: SELECT groupname   FROM radusergroup
WHERE username = '%{SQL-User-Name}'   ORDER BY priority -
SELECT groupname   FROM radusergroup   WHERE username
= 'test2'   ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
  rad_check_password:  Found Auth-Type
auth: type PAP
+- entering group PAP
rlm_pap: login attempt with password pokus2
rlm_pap: Using clear text password pokus2
rlm_pap: User authenticated successfully
++[pap] returns ok
Login OK: [test2/pokus2] (from client localhost port 1812)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 218 to 127.0.0.1 port 54224
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 10 ID 218 with timestamp +263
Ready to process requests.

So is it sql problem or something with eap?



Re: Freeradius + PEAP.. stuck on validating identity..

2010-04-01 Thread Alan DeKok
Bruno Kremel wrote:
 I am posting the full log; the first is radtest accepted and the others are
 failed logins from the wifi client with 2 different accounts...
 
 FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Mar 29
 2010 at 15:58:09

  You should probably upgrade to 2.1.8.  It has a lot of fixes &
features over 2.0.4.


 server inner-tunnel {
 +- entering group authorize
 ++[chap] returns noop
 ++[mschap] returns noop
 ++[unix] returns notfound
 rlm_realm: No '@' in User-Name = 123, looking up realm NULL
 rlm_realm: No such realm NULL
 ++[suffix] returns noop
 ++[control] returns noop
   rlm_eap: EAP packet type response id 8 length 62
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 ++[eap] returns updated
 ++[files] returns noop
 ++[expiration] returns noop
 ++[logintime] returns noop
 ++[pap] returns noop

  And no sql.  Edit raddb/sites-available/inner-tunnel, and add sql
to the authorize section.  It's already there, so you likely just have
to uncomment it.

   rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
   rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
   rlm_mschap: Told to do MS-CHAPv2 for 123 with NT-Password
   rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

  Yup.  No known good password means no authentication.

  You could also try:  http://networkradius.com/freeradius.html

  This lets you cut & paste the debug output into a form.  The response
is a colorized HTML page indicating common errors, and things you should
look into.  It won't catch this problem, but it will highlight the fact
that there was no known good password for the user.

  Alan DeKok.


Freeradius + PEAP.. stuck on validating identity..

2010-03-31 Thread Bruno Kremel
Hi,
I have freeradius for WPA2 Enterprise authentication in a small
network in a library; it is the stable version (2.0.4) on Debian Lenny
compiled from sources with OpenSSL support..
Everything seems to be OK, but when I try to connect to the AP from a laptop
with Windows XP, after I enter name and password I am stuck on
Validating identity, same on an Ubuntu machine...
My configuration is pretty much default except for enabling MySQL and
setting paths and passwords to certificates (generated with the make
script in /etc/freeradius/certs, so they should be OK) and addresses
of clients.
This is what freeradius -X gives me when I try to connect to AP:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.3.1 port 1291, id=0,
length=123
User-Name = pokus
NAS-IP-Address = 192.168.3.1
Called-Station-Id = 00259c523046
Calling-Station-Id = 001e650eb532
NAS-Identifier = 00259c523046
NAS-Port = 9
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020a01706f6b7573
Message-Authenticator = 0x634f3b088572fda3a12eca56ed6035b9
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = pokus, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: EAP packet type response id 0 length 10
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
expand: %{User-Name} - pokus
rlm_sql (sql): sql_set_user escaped user -- 'pokus'
rlm_sql (sql): Reserving sql socket id: 3
expand: SELECT id, username, attribute, value, op FROM radcheck WHERE
username = '%{SQL-User-Name}' ORDER BY id - SELECT id, username,
attribute, value, op FROM radcheck WHERE username = 'pokus' ORDER BY
id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op FROM radreply WHERE
username = '%{SQL-User-Name}' ORDER BY id - SELECT id, username,
attribute, value, op FROM radreply WHERE username = 'pokus' ORDER BY
id
expand: SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority - SELECT groupname FROM
radusergroup WHERE username = 'pokus' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type Accept
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [pokus/via Auth-Type = Accept] (from client router port 9
cli 001e650eb532)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 0 to 192.168.3.1 port 1291
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 0 with timestamp +59
Ready to process requests.

To me it seems that name/password was accepted, so I have no clue where
the problem is..
Thank you in advance for any help..


Re: Freeradius + PEAP.. stuck on validating identity..

2010-03-31 Thread Alan DeKok



Bruno Kremel wrote:
 My configuration is pretty much default except for enabling MySQL and
 setting paths and passwords to certificates (generated with the make
 script in /etc/freeradius/certs, so they should be OK) and addresses
 of clients.

  And what did you put in SQL?

 expand: %{User-Name} - pokus
 rlm_sql (sql): sql_set_user escaped user -- 'pokus'
 rlm_sql (sql): Reserving sql socket id: 3
 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE
 username = '%{SQL-User-Name}' ORDER BY id - SELECT id, username,
 attribute, value, op FROM radcheck WHERE username = 'pokus' ORDER BY
 id
 rlm_sql (sql): User found in radcheck table
 expand: SELECT id, username, attribute, value, op FROM radreply WHERE
 username = '%{SQL-User-Name}' ORDER BY id - SELECT id, username,
 attribute, value, op FROM radreply WHERE username = 'pokus' ORDER BY
 id
 expand: SELECT groupname FROM radusergroup WHERE username =
 '%{SQL-User-Name}' ORDER BY priority - SELECT groupname FROM
 radusergroup WHERE username = 'pokus' ORDER BY priority
...
 rad_check_password: Found Auth-Type Accept
 rad_check_password: Auth-Type = Accept, accepting the user

  Why did you put Auth-Type = Accept in SQL?

  It's breaking the server.  Delete it.

 To me it seems that name/password was accepted so I have no clue where
 is the problem..

  The password was NOT accepted.  It was *ignored*.

  Alan DeKok.


Re: Freeradius + PEAP.. stuck on validating identity..

2010-03-31 Thread Bruno Kremel
On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
 Bruno Kremel wrote:
  My configuration is pretty much default except for enabling MySQL and
  setting paths and passwords to certificates (generated with the make
  script in /etc/freeradius/certs, so they should be OK) and addresses
  of clients.
 
   And what did you put in SQL?
 
  expand: %{User-Name} - pokus
  rlm_sql (sql): sql_set_user escaped user -- 'pokus'
  rlm_sql (sql): Reserving sql socket id: 3
  expand: SELECT id, username, attribute, value, op FROM radcheck WHERE
  username = '%{SQL-User-Name}' ORDER BY id - SELECT id, username,
  attribute, value, op FROM radcheck WHERE username = 'pokus' ORDER BY
  id
  rlm_sql (sql): User found in radcheck table
  expand: SELECT id, username, attribute, value, op FROM radreply WHERE
  username = '%{SQL-User-Name}' ORDER BY id - SELECT id, username,
  attribute, value, op FROM radreply WHERE username = 'pokus' ORDER BY
  id
  expand: SELECT groupname FROM radusergroup WHERE username =
  '%{SQL-User-Name}' ORDER BY priority - SELECT groupname FROM
  radusergroup WHERE username = 'pokus' ORDER BY priority
 
 ...
 
  rad_check_password: Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
 
   Why did you put Auth-Type = Accept in SQL?
 
   It's breaking the server.  Delete it.
What should be there?
Because I don't know, I am using the Daloradius web interface for adding data to 
the database, so I just loaded the default daloradius sql which was intended 
(according to the readme of daloradius) for 2.X Freeradius... and added accounts 
in the web interface...
 
  To me it seems that name/password was accepted so I have no clue where
  is the problem..
 
   The password was NOT accepted.  It was *ignored*.
 
And what is that Accept-Accept at the end of the log?... also radtest gives me 
Accept-Accept only on correct login and password, so I think that it's not the 
SQL...


   Alan DeKok.
 
Thank you for answer.


Re: Freeradius + PEAP.. stuck on validating identity..

2010-03-31 Thread Alan DeKok
Bruno Kremel wrote:
   Why did you put Auth-Type = Accept in SQL?

   It's breaking the server.  Delete it.
 What should be there?

  The user's password?

 Because I don't know, I am using the Daloradius web interface for adding data to 
 the database, so I just loaded the default daloradius sql which was intended 
 (according to the readme of daloradius) for 2.X Freeradius... and added accounts 
 in the web interface...

  shrug  I don't use daloradius.  All I know is from the debug output,
which shows that the server isn't configured properly.

 And what is that Accept-Accept at the end of the log?...

  It's useless.  The EAP conversation has been short-circuited, and the
user WILL NOT end up being online.

 also radtest gives me 
 Accept-Accept only on correct login and password so I think that it's not 
 that 
 SQL...

  Since you obviously know the product better than I do, good luck
solving the problem.

  Alan DeKok.


Re: Freeradius + PEAP.. stuck on validating identity..

2010-03-31 Thread Matt Harlum

On 01/04/2010, at 7:39 AM, Bruno Kremel wrote:

 On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
 What should be there?
 Because I don't know, I am using the Daloradius web interface for adding data to 
 the database, so I just loaded the default daloradius sql which was intended 
 (according to the readme of daloradius) for 2.X Freeradius... and added accounts 
 in the web interface...

Here's an example from my radcheck table in the SQL Database:

 id | UserName    | Attribute     | op | Value       |
----+-------------+---------------+----+-------------+
  1 | exampleuser | User-Password | == | password123 |

This is how yours should be set up, otherwise you will get the validating 
issue in Windows.


 
 To me it seems that name/password was accepted so I have no clue where
 is the problem..
 
  The password was NOT accepted.  It was *ignored*.
 
 And what is that Accept-Accept on the end of the log?... also radtest gives 
 me 
 Accept-Accept only on correct login and password so I think that it's not 
 that 
 SQL...
 

As Alan said, it was simply ignored because of the misconfiguration

Regards,
Matt Harlum



Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory

2010-03-18 Thread John
I configured the LDAP module to talk to Open Directory; based on the debug it looks 
like the password is fetched from OD, but the authentication always fails. Is there 
any guide for freeRADIUS+ldap+OD integration?
I set up freeRADIUS to talk to OpenLDAP, and it works well.  Can OD return the cleartext 
password like OpenLDAP does?

John.

--- On Mon, 15 Mar 2010, Alan DeKok al...@deployingradius.com wrote:


From: Alan DeKok al...@deployingradius.com
Subject: Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Mon, 15 Mar 2010, 12:59 PM


John wrote:
 Hello,
 We want to set up freeRADIUS with Peap/MSCHAPv2 talking to Apple Open
 Directory. I found this option 'use_open_directory'. But it looks like we need
 to install freeRADIUS on the same machine as Open
 Directory.(https://lists.freeradius.org/pipermail/freeradius-users/2010-February/msg00307.html)
  
 Do we have to run freeRADIUS on the same machine as OpenDirectory?

  Yes.

 Is
 there a work-around so that we can run freeRADIUS separate from OpenDirectory?

  OpenDirectory is an LDAP server.  Configure that way in FreeRADIUS.
It might work.

  Alan DeKok.




Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory

2010-03-18 Thread John
I attached the captured packets. Please open it with wireshark. 
The password from OD is “”.  It is neither cleartext password nor 
encrypted password.



Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory

2010-03-14 Thread John
Hello,
We want to set up freeRADIUS with Peap/MSCHAPv2 talking to Apple Open Directory. I 
found this option 'use_open_directory'. But it looks like we need to install freeRADIUS 
on the same machine as Open 
Directory.(https://lists.freeradius.org/pipermail/freeradius-users/2010-February/msg00307.html)
 
Do we have to run freeRADIUS on the same machine as OpenDirectory? Is there a 
work-around so that we can run freeRADIUS separate from OpenDirectory?
 
Best.
John



Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory

2010-03-14 Thread Alan DeKok
John wrote:
 Hello,
 We want to set up freeRADIUS with Peap/MSCHAPv2 talking to Apple Open
 Directory. I found this option 'use_open_directory'. But it looks like we need
 to install freeRADIUS on the same machine as Open
 Directory.(https://lists.freeradius.org/pipermail/freeradius-users/2010-February/msg00307.html)
  
 Do we have to run freeRADIUS on the same machine as OpenDirectory?

  Yes.

 Is
 there a work-around so that we can run freeRADIUS separate from OpenDirectory?

  OpenDirectory is an LDAP server.  Configure that way in FreeRADIUS.
It might work.

  Alan DeKok.


Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory

2010-02-15 Thread Alan DeKok
Moritz Dereschkewitz wrote:
 Wow, that sounds great. I haven't read about the use_open_directory
 option yet. Do I have to configure the mschap module to connect to the
 OD, since Freeradius is not running on the Apple server? E.g. specify
 the server address? Or does it find the server automatically?

  You need to run FreeRADIUS on the same machine as Open Directory.

  Alan DeKok.



Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory

2010-02-12 Thread Moe D.

Hello List!

 

I got a machine up and running Freeradius 2.1.0 with SSL support to secure a
Wireless LAN. In our school's network we (have to) use an Apple Mac OS X 10.4
Server with Samba as the PDC. Samba stores the user information using the
OpenDirectory on the same server – using the NTLM password hashes… so far,
there should be no problem for Freeradius using LDAP to connect to the OD and
retrieve the NTLM hash to authenticate the wireless clients.

But: The Apple version of Samba/OD doesn't store the password hashes in a
single attribute like "ntPassword" but has an attribute authAuthority wherein
I can find the password hash along with other data.

It looks as follows:

;ApplePasswordServer;0x483c17c8243ef2e500630063,1024
35
125970781877265371419068079752014021791262844836946048377957311154497136228042965757375847122307734052483074746624578126000618735633773317278498981627114249689772743602420918339130341864974993436477801319895573061225381390477597326815293162022588098739972549400419565510594125451003170841605019718114727580097
r...@schulserver.intern:10.10.1.1 

 

 

Question: Is there a possibility of modifying the LDAP return value (e.g. by a
regex) so that I only get the hash? I've searched the web for over two weeks
now, but haven't found an answer that satisfies me.

I know, I also could use ntlm_auth for authentication, but as far as I can see,
I couldn't select a user group to be granted access. Either all users that
Samba knows or none. Via LDAP/OP I could select a single group (e.g. named
"WirelessAccess") that will be successfully granted access to the Wireless. Or
am I mistaken at that point?

Any help would be greatly appreciated!

Thanks in advance,


moenster  

Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory

2010-02-12 Thread Alan DeKok
Moe D. wrote:
 I got a machine up and running Freeradius 2.1.0 with SSL support to
 secure a Wireless LAN. In our school's network we (have to) use an Apple
 Mac OS X 10.4 Server with Samba as the PDC. Samba stores the user
 information using the OpenDirectory on the same server – using the NTLM
 password hashes… so far, there should be no problem for Freeradius using
 LDAP to connect to the OD and retrieve the NTLM hash to authenticate the
 wireless clients.

  Use the mschap module.  Apple has contributed code to make
FreeRADIUS work with Open Directory.

  Edit the mschap configuration, and add:

use_open_directory = yes

  That's it.

  You may need to use a more recent version of FreeRADIUS.  I suggest 2.1.8.

  Alan DeKok.


Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory

2010-02-12 Thread Moritz Dereschkewitz


Wow, that sounds great. I haven't read about the use_open_directory 
option yet. Do I have to configure the mschap module to connect to the 
OD, since Freeradius is not running on the Apple server? E.g. specify 
the server address? Or does it find the server automatically?


Thanks for your help so far, Alan!

moenster


Re: 802.1x with freeradius + PEAP + 3com Switch

2009-02-06 Thread Laurent CARON

t...@kalik.net wrote:

That should be:

ldap ldap1 {
..
}

ldap ldap2 {
..
}

What i wrote should go in the authorize section instead of ldap entry.



Hi,

Thanks a zillion times ;)

Laurent


802.1x with freeradius + PEAP + 3com Switch

2009-02-05 Thread Laurent CARON

Hi,

I managed to get authentication of users logged on Windows XP 
workstation to the network.


The machine authentication (while booting) however fails thus preventing 
the users from retrieving their roaming profiles.


Here is the relevant part of the log:

Thu Feb  5 14:39:16 2009 : Debug: rlm_ldap: - authorize
Thu Feb  5 14:39:16 2009 : Debug: rlm_ldap: performing user 
authorization for host/mycomputer
Thu Feb  5 14:39:16 2009 : Debug: radius_xlat: Running registered xlat 
function of module mschap for string 'User-Name:None'
Thu Feb  5 14:39:16 2009 : Debug:   expand: 
(uid=%{mschap:User-Name:None}) - (uid=mycomputer$)
Thu Feb  5 14:39:16 2009 : Debug:   expand: 
ou=People,dc=mycompany,dc=com - ou=People,dc=mycompany,dc=com

Thu Feb  5 14:39:16 2009 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Thu Feb  5 14:39:16 2009 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Thu Feb  5 14:39:16 2009 : Debug: rlm_ldap: attempting LDAP reconnection


It seems freeradius tries to authenticate the computer from the 
ou=People,dc=mydomain,dc=com.


In radiusd.conf I have the following:
ldap {
        server = 192.168.0.3
        identity = uid=dot1x_read_user,ou=People,dc=mydomain,dc=com
        password = ldapreadpasswd
        basedn = ou=People,dc=mydomain,dc=com
        filter = (uid=%{mschap:User-Name:None})
}


I now need to instruct the ldap module to search in 
ou=Computers,dc=mydomain,dc=com for the computer authentication.


How do I do this while preserving the working user auth?

Thanks

Laurent


Re: 802.1x with freeradius + PEAP + 3com Switch

2009-02-05 Thread tnt
It seems freeradius tries to authenticate the computer from the
ou=People,dc=mydomain,dc=com.

In radiusd.conf I have the following:
ldap {
        server = 192.168.0.3
        identity = uid=dot1x_read_user,ou=People,dc=mydomain,dc=com
        password = ldapreadpasswd
        basedn = ou=People,dc=mydomain,dc=com
        filter = (uid=%{mschap:User-Name:None})
}


I now need to instruct the ldap module to search in
ou=Computers,dc=mydomain,dc=com for the computer authentication.

How do I do this while preserving the working user auth?


Make another ldap instance that has that basedn. Machine usernames have $
at the end - use unlang to test for that and switch ldap instance as
required.

Ivan Kalik
Kalik Informatika ISP



Re: 802.1x with freeradius + PEAP + 3com Switch

2009-02-05 Thread tnt
 Make another ldap instance that has that basedn. Machine usernames have $
 at the end - use unlang to test for that and switch ldap instance as
 required.

I see how to create another instance but really don't see where and how
to use unlang to switch between the 2 instances depending on the username.

Any clue ?


regex.

Ivan Kalik
Kalik Informatika ISP



Re: 802.1x with freeradius + PEAP + 3com Switch

2009-02-05 Thread Laurent CARON

t...@kalik.net wrote:

regex.



Thanks Ivan,

Can you please give me some hint about what to put in config's stanzas ?

Thanks


Re: 802.1x with freeradius + PEAP + 3com Switch

2009-02-05 Thread tnt
if(User-Name =~ /\$$/ ) {
   ldapmachine
}
else {
   ldapuser
}

Ivan Kalik
Kalik Informatika ISP



Re: 802.1x with freeradius + PEAP + 3com Switch

2009-02-05 Thread Laurent CARON

t...@kalik.net wrote:

if(User-Name =~ /\$$/ ) {
   ldapmachine
}
else {
   ldapuser
}



in my radiusd.conf file I've got 2 stanzas like this:

ldap {
server = 
port = 
}

ldap2 {
server = 
port = 
}

I did copy/paste the lines you gave me just over the first server = 
... line but it doesn't seem to do anything.


Any clue ?

Thanks


Re: 802.1x with freeradius + PEAP + 3com Switch

2009-02-05 Thread tnt
in my radiusd.conf file I've got 2 stanzas like this:

ldap {
   server = 
   port = 
}

ldap2 {
   server = 
   port = 
}

I did copy/paste the lines you gave me just over the first server =
... line but it doesn't seem to do anything.

Any clue ?


That should be:

ldap ldap1 {
..
}

ldap ldap2 {
..
}

What I wrote should go in the authorize section instead of the ldap entry.

Ivan Kalik
Kalik Informatika ISP


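Added example, not code from the thread or from FreeRADIUS: a Python emulation of the routing tnt describes, so the two pieces (the mschap User-Name expansion and the `$` test choosing between the ldap instances) can be checked against the debug line above where host/mycomputer expands to mycomputer$. The instance names ldapmachine/ldapuser are tnt's, the base DNs are Laurent's, and the behaviour of %{mschap:User-Name} (strip host/ and any DNS suffix, append $; strip a DOMAIN\ prefix) is my reading of rlm_mschap, not a quotation of its source.

```python
import re

# tnt's unlang condition  User-Name =~ /\$$/  as a Python regex
MACHINE_RE = re.compile(r"\$$")

# Two ldap instances with different base DNs, as tnt suggests.  Instance
# names are tnt's; the DNs come from Laurent's radiusd.conf.
LDAP_INSTANCES = {
    "ldapmachine": "ou=Computers,dc=mydomain,dc=com",
    "ldapuser": "ou=People,dc=mydomain,dc=com",
}


def mschap_user_name(user_name: str) -> str:
    """Emulates %{mschap:User-Name} as I read rlm_mschap (assumption, not
    a quotation of its source): a Windows machine identity 'host/pc.dom'
    becomes the SAM account name 'pc$', 'DOMAIN\\user' becomes 'user',
    and anything else passes through unchanged."""
    if user_name.startswith("host/"):
        return user_name[5:].split(".", 1)[0] + "$"
    if "\\" in user_name:
        return user_name.split("\\", 1)[1]
    return user_name


def unlang_test_on_raw_name(user_name: str) -> bool:
    """tnt's test applied literally to User-Name, before any expansion."""
    return MACHINE_RE.search(user_name) is not None


def route(user_name: str):
    """Return (instance, basedn, filter) the authorize section would use.
    The $ test is applied to the *expanded* name, because the raw
    User-Name of a machine account is 'host/...' and carries no $."""
    uid = mschap_user_name(user_name)
    instance = "ldapmachine" if MACHINE_RE.search(uid) else "ldapuser"
    return instance, LDAP_INSTANCES[instance], "(uid=%s)" % uid


if __name__ == "__main__":
    for name in ("host/mycomputer", "host/pc1.mydomain.com",
                 "jdoe", "MYDOMAIN\\jdoe"):
        print("%-22s raw $ test: %-5s -> %s"
              % (name, unlang_test_on_raw_name(name), route(name)))
```

Note that the raw User-Name host/mycomputer in Laurent's log does not end in $, so a condition on the expanded name (or on the host/ prefix) is the safer way to pick the machine instance.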


Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-03 Thread Alan DeKok
Vieri wrote:
 However, user authentication is rejected when I add the --domain parameter:
 
 ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

  And you didn't post the debug output as suggested in the FAQ, README,
INSTALL, and daily on this list.

  Knowing WHY it was rejected, and WHAT ERROR was produced is key
information that is needed to be able to solve the problem.

  Alan DeKok.


Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-03 Thread luis a
Pal, if you are using the freeradius binary version as I was using before,

you can debug by typing freeradius -X

if you are using the compiled version as I did a few days ago, it should work 
only by typing radiusd -X

P.S.:
my freeradius is still not authenticating against AD :-(


--- On Thu, 2/10/08, Nicolas Goutte [EMAIL PROTECTED] wrote:
From: Nicolas Goutte [EMAIL PROTECTED]
Subject: Re: Freeradius, PEAP, Active Directory and --require-membership-of
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Thursday, 2 October 2008, 6:09

On 02.10.2008 at 19:46, Vieri wrote:


 --- On Thu, 10/2/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 As with every other freeradius problem - when it doesn't
 work - debug
 (radiusd -X).

 That's how I'm running it. Does the list mind if I post the debug 

 lines?

Asking for the output of radiusd -X is the most frequent answer on  
this mailing list, and so it is not a problem to see such outputs on  
this mailing list.

However, please check first by yourself that you have not missed an  
error message that would point you in the right direction. (Because  
that is probably the second most frequent answer.)







Have a nice day!

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Court of registration: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841








Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-03 Thread tnt
Don't hijack other peoples thread. BTW did you fix the users file entry
so the server can start up?

Ivan Kalik
Kalik Informatika ISP



Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-03 Thread tnt
Use:

--username=%{mschap:User-Name}

and it should work.

Ivan Kalik
Kalik Informatika ISP


On 3/10/2008, Vieri [EMAIL PROTECTED] wrote:

I found this in the radiusd debug log:

[2008/10/03 09:39:30, 0] utils/ntlm_auth.c:get_require_membership_sid(237)
  Winbindd lookupname failed to resolve 'DOMAIN\WIFI' into a SID!

so I removed the '' in the ntlm_auth string like this:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key  
--username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=DOMAIN 
--require-membership-of=DOMAIN\\WIFI --challenge=%{mschap:Challenge:-00} 
--nt-response=%{mschap:NT-Response:-00}

and now it works.

So this leads me to ask how I can specify group names with spaces such as 
'WIFI 1'.

Also, I had to specify the domain explicitly either via --domain=DOMAIN or 
--domain=%{mschap:NT-Domain:-DOMAIN}. In the latter case, authentication 
succeeds only if the client does NOT specify a domain in the domain or user 
field.
So I'm attaching some debug outputs with the hope that someone can shed some 
light on this aspect which I obviously don't grasp.

Thanks,

Vieri






-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-02 Thread Vieri
Hi,

I'm running freeradius-2.0.5 on Linux.

My setup is as follows:

Windows Vista native client - Linksys AP - FreeRadius Linux server 
(PEAP/mschapv2) - Active Directory Windows server

Everything works smoothly with the following ntlm_auth parameters in the mschap 
module:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key 
--username=%{Stripped-User-Name:-%{User-Name:-None}} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

However, user authentication is rejected when I add the --domain parameter:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} 
--username=%{Stripped-User-Name:-%{User-Name:-None}} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

(from the Windows Vista client I obviously set the DOMAIN field; besides, if I 
run the freeradius daemon with debug enabled I see that it correctly receives 
'DOMAIN\username')

For starters, I don't understand why authentication fails if I add --domain. 
How can I find out why?

Then, adding --require-membership-of with or without --domain also fails.

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} 
--username=%{Stripped-User-Name:-%{User-Name:-None}} 
--require-membership-of='DOMAIN\\WIFI' --challenge=%{mschap:Challenge:-00} 
--nt-response=%{mschap:NT-Response:-00}

Finally, running ntlm_auth from the command line yields:

# ntlm_auth --request-nt-key --domain=DOMAIN --username=myuser 
--require-membership-of='DOMAIN\\WIFI'
password:
NT_STATUS_OK: Success (0x0)

Could it be a bug in the freeradius version I'm running?

Can anyone please suggest how I can debug this (not a radius expert ;-) )?

Regards,

Vieri



  


Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-02 Thread tnt
As with every other freeradius problem - when it doesn't work - debug
(radiusd -X).

Ivan Kalik
Kalik Informatika ISP

On 2/10/2008, Vieri [EMAIL PROTECTED] writes:

Hi,

I'm running freeradius-2.0.5 on Linux.

My setup is as follows:

Windows Vista native client - Linksys AP - FreeRadius Linux server 
(PEAP/mschapv2) - Active Directory Windows server

Everything works smoothly with the following ntlm_auth parameters in the 
mschap module:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key 
--username=%{Stripped-User-Name:-%{User-Name:-None}} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

However, user authentication is rejected when I add the --domain parameter:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} 
--username=%{Stripped-User-Name:-%{User-Name:-None}} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

(from the Windows Vista client I obviously set the DOMAIN field; besides, if I 
run the freeradius daemon with debug enabled I see that it correctly receives 
'DOMAIN\username')

For starters, I don't understand why authentication fails if I add --domain. 
How can I find out why?

Then, adding --require-membership-of with or without --domain also fails.

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} 
--username=%{Stripped-User-Name:-%{User-Name:-None}} 
--require-membership-of='DOMAIN\\WIFI' --challenge=%{mschap:Challenge:-00} 
--nt-response=%{mschap:NT-Response:-00}

Finally, running ntlm_auth from the command line yields:

# ntlm_auth --request-nt-key --domain=DOMAIN --username=myuser 
--require-membership-of='DOMAIN\\WIFI'
password:
NT_STATUS_OK: Success (0x0)

Could it be a bug in the freeradius version I'm running?

Can anyone please suggest how I can debug this (not a radius expert ;-) )?

Regards,

Vieri






Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-02 Thread Vieri

--- On Thu, 10/2/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 As with every other freeradius problem - when it doesn't
 work - debug
 (radiusd -X).

That's how I'm running it. Does the list mind if I post the debug lines?



  


Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-02 Thread Vieri
I forgot to mention that I already tried:

with_ntdomain_hack = yes

I'll try to post the relevant radiusd -X debug lines if the ML doesn't mind.




  


Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-02 Thread Lech Karol Pawłaszek
Vieri wrote:
 --- On Thu, 10/2/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 
 As with every other freeradius problem - when it doesn't
 work - debug
 (radiusd -X).
 
 That's how I'm running it. Does the list mind if I post the debug lines?

You're supposed to do so!

It's even in the FreeRADIUS' FAQ (however IMVHO it should be on the ML
front page).

http://wiki.freeradius.org/FAQ#It_still_doesn.27t_work.21

PS: I followed your Reply-To however I don't think that was necessary -
do you really have to set it that way?

Kind regards,

-- 
Lech Karol Pawłaszek ike
You will never see me fall from grace [KoRn]

Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-02 Thread Nicolas Goutte


On 02.10.2008 at 19:46, Vieri wrote:



--- On Thu, 10/2/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:


As with every other freeradius problem - when it doesn't
work - debug
(radiusd -X).


That's how I'm running it. Does the list mind if I post the debug  
lines?


Asking for the output of radiusd -X is the most frequent answer on  
this mailing list and so it is not a problem to see such outputs on  
this mailing list.


However, please check first by yourself that you have not missed an  
error message that would point you in the right direction. (Because  
that is probably the second most frequent answer.)










Have a nice day!

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Registry court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841






RE: Freeradius PEAP and Wireless

2007-06-18 Thread Josh Howlett
 rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is 
 required first.

You need to uncomment the tls section in eap.conf, even if you're not
intending to use EAP-TLS.

josh.



Re: Freeradius PEAP and Wireless

2007-06-18 Thread Alan Dekok
Cody Jarrett wrote:
 I'm trying to setup freeradius with ldap for use with a wireless 
 network. I don't want to have to deal with tls and certificates if 
 possible,

  Then you won't be doing PEAP.  It requires TLS and certificates.
...
 rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is required first.

  What is unclear about that message?  It's telling you that you need
TLS for PEAP to work.

  All of the howto's show that you have to configure TLS before PEAP.
The comments in eap.conf say you have to configure TLS before PEAP.

  What's the problem?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Freeradius PEAP and Wireless

2007-06-18 Thread Cody Jarrett

Alan Dekok wrote:

Cody Jarrett wrote:
  
I'm trying to setup freeradius with ldap for use with a wireless 
network. I don't want to have to deal with tls and certificates if 
possible,



  Then you won't be doing PEAP.  It requires TLS and certificates.
  
Is what I want possible then? And if so could you provide me with 
details on what its called or how its configured?

...
  

rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is required first.



  What is unclear about that message?  It's telling you that you need
TLS for PEAP to work.

  All of the howto's show that you have to configure TLS before PEAP.
The comments in eap.conf say you have to configure TLS before PEAP.

  What's the problem?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog

Re: Freeradius PEAP and Wireless

2007-06-18 Thread tnt
Read provided instructions in eap.conf.

Ivan Kalik
Kalik Informatika ISP


On 18/6/2007, Cody Jarrett [EMAIL PROTECTED] writes:

Alan Dekok wrote:
 Cody Jarrett wrote:

 I'm trying to setup freeradius with ldap for use with a wireless
 network. I don't want to have to deal with tls and certificates if
 possible,


   Then you won't be doing PEAP.  It requires TLS and certificates.

Is what I want possible then? And if so could you provide me with
details on what its called or how its configured?
 ...

 rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is required first.


   What is unclear about that message?  It's telling you that you need
 TLS for PEAP to work.

   All of the howto's show that you have to configure TLS before PEAP.
 The comments in eap.conf say you have to configure TLS before PEAP.

   What's the problem?

   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog







Freeradius PEAP and Wireless

2007-06-17 Thread Cody Jarrett
I'm trying to setup freeradius with ldap for use with a wireless 
network. I don't want to have to deal with tls and certificates if 
possible, I would just like for users to use their username and password 
to connect. The radius config for ldap is pretty easy, but I'm having a 
problem when trying to enable peap as my default eap type. I've done so 
in my eap.conf which I've included and a section of debug when trying to 
start radiusd. Appreciate any info.

When trying to start radiusd:

Module: Instantiated ldap (ldap)
Module: Loaded eap
  eap: default_eap_type = peap
  eap: timer_expire = 60
  eap: ignore_unknown_eap_types = no
  eap: cisco_accounting_username_bug = no
rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is required first.
radiusd.conf[10]: eap: Module instantiation failed.
radiusd.conf[1939] Unknown module eap.
radiusd.conf[1886] Failed to parse authenticate section.


eap.conf basically, everything else is commented out.
 eap {

  default_eap_type = peap

 peap {
 default_eap_type = mschapv2
  }

  mschapv2 {
  }
 }


-- 
Cody Jarrett
IT Freedom
[EMAIL PROTECTED]
Office: 512.419.0070
Fax: 512.419.0080


Re: freeradius -peap ad/ldap

2007-03-15 Thread joe vieira


Sam Schultz wrote:
 On Thu, 15 Mar 2007 10:57:29 -0500 joe vieira [EMAIL PROTECTED] wrote:
  Alan DeKok wrote:
   joe vieira wrote:
    i have eap-peap authentication working against our ad domain.  peachy 
    keen.  what i would like to be able to do is, in our openldap 
    environment, store attributes for retrieval by radius, cisco stuff/ 
    etc... i assume the way to do this would be to use the authorization  
    sections, but if you add ldap to that then it automatically adds ldap 
    authentication...which i don't want..

     Upgrade to a newer version of the server, which doesn't do that.

  which versions would that be?

 OK, I think I understand what you're asking. If you want to use LDAP
 for authorization ONLY, and something else for authentication, you
 could put an entry like this in your 'users' file:

 DEFAULT check_items (ex: Realm == 'your_domain')
 Autz-Type := your_ldap_instance (ex: ldap),
 Auth-Type := module_instance_for_authentication

 Setting Autz-Type forces a certain type of authorization. Setting
 Auth-Type forces a certain type of authentication. Doing this in a
 DEFAULT entry causes ALL users that have Fall-Through set to yes to
 be passed through the specified authorization & authentication method.
 This could also be set on a per-user basis by changing DEFAULT to
 a given user's username.

so i did what you recommended, which makes sense to do... i have 
Autz-type := eap, and in debug mode i get this; clearly an access-reject 
follows. 

auth: No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
auth: Failed to validate the user.

obviously there is a module called eap...else the daemon would not start...

what do you think?
Joe




RE: Re: freeradius -peap ad/ldap

2007-03-15 Thread Sam Schultz
 DEFAULT check_items (ex: Realm == 'your_domain')
 Autz-Type := your_ldap_instance (ex: ldap),
 Auth-Type := module_instance_for_authentication

so i did what you recommended, which makes sense to do... i have
Autz-type := eap, and in debug mode i get this; clearly an access-reject
follows. 

auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.

First off, eap shouldn't be used this way. The top line of eap.conf
clearly states:

Whatever you do, do NOT set 'Auth-Type := EAP'.  The server is smart
enough to figure this out on its own

Typical modules that would be used here are things like 'files', 'ldap',
or 'sql'. There are also special types like 'Local' & 'System', which
you'd have to use one of if you were using an sql table to store user
credentials.

The second thing you have to understand is the difference between 
modules & instances. An instance is a specific configuration of a
module. The instance itself has a name that is user-specified.
I suggest you read through the configurable_failover document, which
is usually in /usr/share/doc/freeradius-version, it isn't long and
offers pretty good insight into how freeradius' configuration gets
processed.

Also, if you need to use a separate back-end for authentication, 
maybe you should tell us what you need to use so we can give you 
more specific answers.



Re: freeradius -peap ad/ldap

2007-03-15 Thread joe vieira


Sam Schultz wrote:
  DEFAULT check_items (ex: Realm == 'your_domain')
  Autz-Type := your_ldap_instance (ex: ldap),
  Auth-Type := module_instance_for_authentication

  so i did what you recommended, which makes sense to do... i have
  Autz-type := eap, and in debug mode i get this; clearly an access-reject
  follows. 

  auth: No authenticate method (Auth-Type) configuration found for the
  request: Rejecting the user
  auth: Failed to validate the user.

 First off, eap shouldn't be used this way. The top line of eap.conf
 clearly states:

 Whatever you do, do NOT set 'Auth-Type := EAP'.  The server is smart
 enough to figure this out on its own

 Typical modules that would be used here are things like 'files', 'ldap',
 or 'sql'. There are also special types like 'Local' & 'System', which
 you'd have to use one of if you were using an sql table to store user
 credentials.

 The second thing you have to understand is the difference between 
 modules & instances. An instance is a specific configuration of a
 module. The instance itself has a name that is user-specified.
 I suggest you read through the configurable_failover document, which
 is usually in /usr/share/doc/freeradius-version, it isn't long and
 offers pretty good insight into how freeradius' configuration gets
 processed.

 Also, if you need to use a separate back-end for authentication, 
 maybe you should tell us what you need to use so we can give you 
 more specific answers.

   
reference the initial thread where i said i was authenticating off of 
active directories, using eap-peap.  which i had previously working just 
fine. 
Since i didn't specify an instance name in my eap.conf, it is referenced 
as 'eap' (which i did read, but was following your advice).

Joe 




Re: freeradius -peap ad/ldap

2007-03-15 Thread Sam Schultz
 reference the initial thread where i said i was authenticating off of 
 active directories, using eap-peap.  which i had previously working just 
 fine. 
 Since i didn't specify an instance name in my eap.conf, it is referenced 
 as 'eap' (which i did read, but was following your advice).

Once you configure the eap module, it tends to take care of itself.
Setting Auth-Type & Autz-Type are for when you want to force a user
(or all users, as with DEFAULT entries) to be authorized & authenticated 
by the respective modules.

If you're purely using ldap for authorization & authentication, you
shouldn't need to set either one. I know in my case I had to
set access_attr_used_for_allow to 'no' because I wasn't using the ldap
schema extension packaged with freeradius.


Joe 




freeradius -peap ad/ldap

2007-03-15 Thread joe vieira
Hi all,

I'm using the RHEL build of freeradius 1.0.1.  I'm trying to do 
something  that might seem totally stupid, so let me know if i am (no 
need to flame).   I'm new to freeradius so bear with me a bit.

i have eap-peap authentication working against our ad domain.  peachy 
keen.  what i would like to be able to do is, in our openldap 
environment, store attributes for retrieval by radius, cisco stuff/ 
etc... i assume the way to do this would be to use the authorization  
sections, but if you add ldap to that then it automatically adds ldap 
authentication...which i don't want..

ideas?

Joe Vieira
UNIX Systems Administrator
Clark University


Re: freeradius -peap ad/ldap

2007-03-15 Thread Sam Schultz
On Thu, 15 Mar 2007 10:16:14 -0500 joe vieira [EMAIL PROTECTED] wrote:
 Hi all,

 I'm using the RHEL build of freeradius 1.0.1.  I'm trying to do 

You really should upgrade that. If I recall correctly, there were
some nasty bugs in the early 1.0.x builds.

 something  that might seem totally stupid, so let me know if i am (no 
 need to flame).   I'm new to freeradius so bear with me a bit.

We were all new at some point, some people just forget that :)

 i have eap-peap authentication working against our ad domain.  peachy 
 keen.  what i would like to be able to do is, in our openldap 
 environment, store attributes for retrieval by radius, cisco stuff/ 
 etc... i assume the way to do this would be to use the authorization  
 sections, but if you add ldap to that then it automatically adds ldap 
 authentication...which i don't want..

 ideas?

You could try using one of the SQL modules. Unlike ldap, the sql
modules only retrieve attributes from an sql table, and sets the
attributes for use by later modules (or freeradius, if the
'Auth-Type := Local' has been set) 


Joe Vieira
UNIX Systems Administrator
Clark University


Re: freeradius -peap ad/ldap

2007-03-15 Thread Alan DeKok
joe vieira wrote:

 i have eap-peap authentication working against our ad domain.  peachy 
 keen.  what i would like to be able to do is, in our openldap 
 environment, store attributes for retrieval by radius, cisco stuff/ 
 etc... i assume the way to do this would be to use the authorization  
 sections, but if you add ldap to that then it automatically adds ldap 
 authentication...which i don't want..

  Upgrade to a newer version of the server, which doesn't do that.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: freeradius -peap ad/ldap

2007-03-15 Thread joe vieira

Alan DeKok wrote:
 joe vieira wrote:
   
 i have eap-peap authentication working against our ad domain.  peachy 
 keen.  what i would like to be able to do is, in our openldap 
 environment, store attributes for retrieval by radius, cisco stuff/ 
 etc... i assume the way to do this would be to use the authorization  
 sections, but if you add ldap to that then it automatically adds ldap 
 authentication...which i don't want..
 

   Upgrade to a newer version of the server, which doesn't do that.
   
which versions would that be?


Re: freeradius -peap ad/ldap

2007-03-15 Thread Sam Schultz


On Thu, 15 Mar 2007 10:57:29 -0500 joe vieira [EMAIL PROTECTED] wrote:
 Alan DeKok wrote:
  joe vieira wrote:
   i have eap-peap authentication working against our ad domain.  peachy 
   keen.  what i would like to be able to do is, in our openldap 
   environment, store attributes for retrieval by radius, cisco stuff/ 
   etc... i assume the way to do this would be to use the authorization  
   sections, but if you add ldap to that then it automatically adds ldap 
   authentication...which i don't want..

    Upgrade to a newer version of the server, which doesn't do that.

 which versions would that be?

OK, I think I understand what you're asking. If you want to use LDAP
for authorization ONLY, and something else for authentication, you
could put an entry like this in your 'users' file:

DEFAULT check_items (ex: Realm == 'your_domain')
Autz-Type := your_ldap_instance (ex: ldap),
Auth-Type := module_instance_for_authentication

Setting Autz-Type forces a certain type of authorization. Setting
Auth-Type forces a certain type of authentication. Doing this in a
DEFAULT entry causes ALL users that have Fall-Through set to yes to
be passed through the specified authorization & authentication method.
This could also be set on a per-user basis by changing DEFAULT to
a given user's username.



Re: FreeRadius/PEAP

2005-10-15 Thread Phil Mayers

Alan DeKok wrote:

Phil Mayers [EMAIL PROTECTED] wrote:

PEAP can have several inner types. One of these is GTC (generic token 
card) which sends a prompt and asks for a response. I believe the prompt 
can be password and the response the actual password.


How well windows' GTC support works I couldn't tell you, though I know 
it's there.



  Windows doesn't support it, so far as I can tell.


My mistake - I was convinced I'd seen it.

(I suppose it's possible that I had the Cisco wireless card software 
installed, along with it's supplicant-fiddling extensions.)


Re: FreeRadius/PEAP

2005-10-14 Thread Alan DeKok
Phil Mayers [EMAIL PROTECTED] wrote:
 PEAP can have several inner types. One of these is GTC (generic token 
 card) which sends a prompt and asks for a response. I believe the prompt 
 can be password and the response the actual password.
 
 How well windows' GTC support works I couldn't tell you, though I know 
 it's there.

  Windows doesn't support it, so far as I can tell.

  Alan DeKok.


FreeRadius/PEAP

2005-10-13 Thread James Taylor

Hi,

I am trying to secure my wireless connections using PEAP-TLS
MSChapv2 to authenticate users against my Linux /etc/shadow; /etc/password/;
and /etc/group files. I would like to use PAM but UNIX will work
too. I do not want to use the USERS file as it stores passwords in clear
text and that is what we are trying to avoid. 

All my tests conclude that this functionality will not
work. I am able to Auth just fine using the USERS file with a username
and password.

Any info or direction would be greatly appreciated.

Thank you

James


Re: FreeRadius/PEAP

2005-10-13 Thread Josh Howlett

James,

MSChapv2 needs plaintext or NTLM credentials. You won't be able to do 
what you're trying. It works with users file because you specify the 
plaintext.


josh.

James Taylor wrote:

Hi,

 

I am trying to secure my wireless connections using PEAP-TLS MSChapv2 to 
authenticate users against my Linux /etc/shadow; /etc/password/; and 
/etc/group files.  I would like to use PAM but UNIX will work too.  I do 
not want to use the USERS file as it stores passwords in clear text and 
that is what we are trying to avoid. 

 

All my tests conclude that this functionality will not work.  I am able 
to Auth just fine using the USERS file with a username and password.


 


Any info or direction would be greatly appreciated.

 


Thank you

 


James






RE: FreeRadius/PEAP

2005-10-13 Thread James Taylor
Am I able to use PEAP to auth to UNIX or PAM instead of mschapv2?  Do I do
this in the EAP.CONF file?  What we are basically trying to do is use
FreeRadius to authenticate against our current user database on our linux
server while still maintaining the PEAP-TLS security with wireless.  Is that
even possible?  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Josh
Howlett
Sent: Thursday, October 13, 2005 2:25 PM
To: FreeRadius users mailing list
Subject: Re: FreeRadius/PEAP

James,

MSChapv2 needs plaintext or NTLM credentials. You won't be able to do 
what you're trying. It works with users file because you specify the 
plaintext.

josh.

James Taylor wrote:
 Hi,
 
  
 
 I am trying to secure my wireless connections using PEAP-TLS MSChapv2 to 
 authenticate users against my Linux /etc/shadow; /etc/password/; and 
 /etc/group files.  I would like to use PAM but UNIX will work too.  I do 
 not want to use the USERS file as it stores passwords in clear text and 
 that is what we are trying to avoid. 
 
  
 
 All my tests conclude that this functionality will not work.  I am able 
 to Auth just fine using the USERS file with a username and password.
 
  
 
 Any info or direction would be greatly appreciated.
 
  
 
 Thank you
 
  
 
 James
 
 
 
 


Re: FreeRadius/PEAP

2005-10-13 Thread Yuri Francalacci
I have everything working with the users file.
Josh, do you think if I have sambaNTpassword attribute in my ldap (I use ldap 
for authenticating users) with the ntlm credential it could work?
Yuri

On 10/13/05, Josh Howlett [EMAIL PROTECTED] wrote:
 James,

 MSChapv2 needs plaintext or NTLM credentials. You won't be able to do
 what you're trying. It works with users file because you specify the
 plaintext.

 josh.

-- 
Yuri Francalacci [EMAIL PROTECTED]

Re: FreeRadius/PEAP

2005-10-13 Thread Josh Howlett

No - your user database needs to store passwords in plaintext or NTLM.

You basically have two options: use a TTLS supplicant instead (such as 
wpa_supplicant or SecureW2), or change your user database.


best regards, josh.

James Taylor wrote:

Am I able to use PEAP to auth to UNIX or PAM instead of mschapv2?  Do I do
this in the EAP.CONF file?  What we are basically trying to do is use
FreeRadius to authenticate against our current user database on our linux
server while still maintaining the PEAP-TLS security with wireless.  Is that
even possible?  


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Josh
Howlett
Sent: Thursday, October 13, 2005 2:25 PM
To: FreeRadius users mailing list
Subject: Re: FreeRadius/PEAP

James,

MSChapv2 needs plaintext or NTLM credentials. You won't be able to do 
what you're trying. It works with users file because you specify the 
plaintext.


josh.

James Taylor wrote:


Hi,



I am trying to secure my wireless connections using PEAP-TLS MSChapv2 to 
authenticate users against my Linux /etc/shadow; /etc/password/; and 
/etc/group files.  I would like to use PAM but UNIX will work too.  I do 
not want to use the USERS file as it stores passwords in clear text and 
that is what we are trying to avoid. 




All my tests conclude that this functionality will not work.  I am able 
to Auth just fine using the USERS file with a username and password.




Any info or direction would be greatly appreciated.



Thank you



James






Re: FreeRadius/PEAP

2005-10-13 Thread Michael Griego
/etc/shadow files and PEAP/MSCHAPv2 are mutually exclusive.  You can 
store the NT hashed passwords in the users file if you'd like, but, 
other than that, you'll have to use plaintext passwords.  It's just the 
nature of the beast.


--Mike

James Taylor wrote:

Hi,

I am trying to secure my wireless connections using PEAP-TLS MSChapv2 
to authenticate users against my Linux /etc/shadow; /etc/password/; 
and /etc/group files.  I would like to use PAM but UNIX will work 
too.  I do not want to use the USERS file as it stores passwords in 
clear text and that is what we are trying to avoid. 

All my tests conclude that this functionality will not work.  I am 
able to Auth just fine using the USERS file with a username and password.

Any info or direction would be greatly appreciated.

Thank you

James



Re: FreeRadius/PEAP

2005-10-13 Thread Alan DeKok
James Taylor [EMAIL PROTECTED] wrote:
 Am I able to use PEAP to auth to UNIX or PAM instead of mschapv2?

  Your question doesn't make sense.  Pam and Unix /etc/passwd are both
systems that store known good passwords.  MSCHAPv2 is an
authentication protocol where a user tries to authenticate based on an
unknown password.

 What we are basically trying to do is use FreeRadius to authenticate
 against our current user database on our linux server while still
 maintaining the PEAP-TLS security with wireless.  Is that even
 possible?

  No, the crypt'd passwords stored in /etc/passwd are 100% incompatible
with PEAP.  You can:

  a) store clear-text passwords
  b) use EAP-TTLS with tunneled PAP.

  You don't really have many other choices.

  Alan DeKok.


Re: FreeRadius/PEAP

2005-10-13 Thread Phil Mayers

James Taylor wrote:

Am I able to use PEAP to auth to UNIX or PAM instead of mschapv2?  Do I do
this in the EAP.CONF file?  What we are basically trying to do is use
FreeRadius to authenticate against our current user database on our linux
server while still maintaining the PEAP-TLS security with wireless.  Is that
even possible?  



PEAP can have several inner types. One of these is GTC (generic token 
card) which sends a prompt and asks for a response. I believe the prompt 
can be password and the response the actual password.


How well windows' GTC support works I couldn't tell you, though I know 
it's there.


See the gtc section in eap.conf

PAM would not help; as Josh says, MSCHAPv2 needs the NT/LM hashes, which 
means either having the hashes, or the plaintext password to generate 
them from, not a crypt. In any event, PAM seems to work very badly 
because of threading issues.


freeradius + peap + ldap

2005-10-10 Thread Yuri Francalacci
Hi,
I have this environment: WinXP PEAP wireless client + linksys AP +
freeradius 1.0.5 + openldap (with kerberos password) and I would like
to setup the 802.1x peap authentication. Everything works well if I use
users file for authenticating wireless client, but if I use ldap users,
clients are not authenticated. My password attribute is UserPassword.
The error is (I suppose) here:
--modcall: entering group authenticate for request 6
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/mschapv2
 rlm_eap: processing type mschapv2
 Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 6
 rlm_mschap: Told to do MS-CHAPv2 for yuri with NT-Password
 rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
 modcall[authenticate]: module mschap returns reject for request 6
modcall: group Auth-Type returns reject for request 6
--

Does anyone have a working configuration that looks like (more or less) mine?

--- radiusd.conf --  mschap section
mschap {
  authtype = MS-CHAP
  use_mppe = no
#  require_encryption = yes
#  require_strong = yes
  with_ntdomain_hack = no
}

Thanks, Yuri




Re: urgent help needed!! freeradius peap enterasys ap 3000 xp certificate failure?

2005-08-16 Thread Zoltan Ori
On Tuesday 16 August 2005 10:28, Jamie Crawford wrote:
  Everything seems to work great until
 the certificate negotiation, then it blows chunks. 


Bad or wrong certificates. Server and supplicant need a copy of the same 
trusted root certificate. 

Zoltan



Re: urgent help needed!! freeradius peap enterasys ap 3000 xp certificate failure?

2005-08-16 Thread Jamie Crawford
Thanks for your response.  I downloaded my cacert.pem and imported it into my 
xp client as a trusted root authority and that did not help.  Here are the 
steps I took to create my certs.  Remember I am trying to use PEAP. Thanks

Here's what I did to create the certs.
rhel as 4.0
freeradius 1.0.4
On my freeradius server I went to:
/usr/share/ssl/openssl.cnf
changed dir = ./productionCA
changed countryName_default = US
changed stateOrProviceName_default = Missouri
changed localityName_default = Warrensburg
changed 0.organizationName_default = CMSU
changed organizationalUnitName_default = Information Services
changed commonName_default = Wireless
changed emailAddress_default = [EMAIL PROTECTED]
changed challengePassword_default = password

I saved the file.
Then I went into /usr/share/ssl/misc/CA and changed 
CATOP=./productionCA
Then I went back into the usr/share/ssl directory and ran
/usr/share/ssl/misc/CA -newca
Entered my passphrase password
Verified password

Hit the default of US for Country name
Hit the default of Missouri for state name
Hit the default of Warrensburg for state name
Hit the default of CMSU for organization name
Hit the default of Information Services for organizational unit name
Hit the default of WIRELESS for the common name
Hit the default of [EMAIL PROTECTED] for the email address

Now I have my new root certificate (cacert.pem) and private key (cakey.pem).
In my /usr/share/ssl/productionCA directory I have
-rw-r--r--  1 root root 1346 Aug 16 14:54 cacert.pem
drwxr-xr-x  2 root root 4096 Aug 16 14:52 certs
drwxr-xr-x  2 root root 4096 Aug 16 14:52 crl
-rw-r--r--  1 root root    0 Aug 16 14:52 index.txt
drwxr-xr-x  2 root root 4096 Aug 16 14:52 newcerts
drwxr-xr-x  2 root root 4096 Aug 16 14:52 private
-rw-r--r--  1 root root    3 Aug 16 14:52 serial
In the private directory I have:
-rw-r--r--  1 root root 963 Aug 16 14:54 cakey.pem

Now I create my server certificate, but first I must create the xpextensions 
file because WindowsXP expects certain attributes in server and client 
certificates.

Contents of xpextensions
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

Now I run:
openssl req -new -keyout server_key.pem -out server_req.pem -days 730 -config openssl.cnf

This asks for the PEM pass phrase:
So I enter password
I verify password

Hit the default of US for Country name
Hit the default of Missouri for state name
Hit the default of Warrensburg for state name
Hit the default of CMSU for organization name
Hit the default of Information Services for organizational unit name
Enter in server.cmsu.edu for the common name
Hit the default of [EMAIL PROTECTED] for the email address
It asks for a challenge password so I type in password
It asks for an optional company name and I hit enter for nothing.

This creates the files server_req.pem which contains the actual request-an 
unsigned certificate and server_key.pem the private key.

Now I will use the ca key to sign the request.

openssl ca -config openssl.cnf -policy_anything -out server_cert.pem -extensions xpserver_ext -extfile xpextensions -infiles server_req.pem

This asks for the pass phrase for /productionCA/private/cakey.pem
I type in password

Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 16 20:09:23 2005 GMT
Not After : Aug 16 20:09:23 2006 GMT
Subject:
countryName   = US
stateOrProvinceName   = Missouri
localityName  = Warrensburg
organizationName  = CMSU
organizationalUnitName= Information Services
commonName= server.cmsu.edu
emailAddress  = [EMAIL PROTECTED]
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
Certificate is to be certified until Aug 16 20:09:23 2006 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

This command reads the file server_req.pem and after prompting for my CA key's 
passphrase, saves a signed version of it plus its corresponding private key to 
the file server_cert.pem.

Now I opened up my signed certificate server_cert.pem and delete everything 
before the line BEGIN CERTIFICATE

Now I concatenate it and my key into a single file by typing:
cat server_key.pem server_cert.pem > server_keycert.pem

Next I copy the server_keycert.pem file and cacert.pem file over to my certs 
directory.

While in this directory I run these two commands to create the dh file and 
random file.

openssl dhparam -check -text -5 512 -out dh
dd if=/dev/urandom of=random count=2

my eap.conf file

tls {
private_key_password = password
private_key_file = ${raddbdir}/certs/server_keycert.pem
 

freeradius PEAP/MS-CHAPv2 and aegis client

2005-04-12 Thread Jie Yang
Hi, All, 
I am setting up a freeradius server to do PEAP authentication with
MS-CHAPv2. My freeradius version is 1.0.1. The supplicant is a PC
running aegis client version 2.0.5.
The authenticator is a Cisco Switch with dot1x enabled.
When trying to authenticate the client, I always received the
following debugging messages with the authentication failure:


..
for request 6
Tue Apr 12 15:21:36 2005 : Debug:   rlm_eap: EAP packet type response id 6 length 107
Tue Apr 12 15:21:36 2005 : Debug:   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Tue Apr 12 15:21:36 2005 : Debug:   modsingle[authorize]: returned from eap (rlm_eap) for request 6
Tue Apr 12 15:21:36 2005 : Debug:   modcall[authorize]: module eap returns updated for request 6
Tue Apr 12 15:21:36 2005 : Debug:   modsingle[authorize]: calling files (rlm_files) for request 6
Tue Apr 12 15:21:36 2005 : Debug: users: Matched supplicant_cts at 55
Tue Apr 12 15:21:36 2005 : Debug:   modsingle[authorize]: returned from files (rlm_files) for request 6
Tue Apr 12 15:21:36 2005 : Debug:   modcall[authorize]: module files returns ok for request 6
Tue Apr 12 15:21:36 2005 : Debug: modcall: group authorize returns updated for request 6
Tue Apr 12 15:21:36 2005 : Debug:   rad_check_password:  Found Auth-Type EAP
Tue Apr 12 15:21:36 2005 : Debug: auth: type EAP
Tue Apr 12 15:21:36 2005 : Debug:   Processing the authenticate section of radiusd.conf
Tue Apr 12 15:21:36 2005 : Debug: modcall: entering group authenticate for request 6
Tue Apr 12 15:21:36 2005 : Debug:   modsingle[authenticate]: calling eap (rlm_eap) for request 6
Tue Apr 12 15:21:36 2005 : Debug:   rlm_eap: Request found, released from the list
Tue Apr 12 15:21:36 2005 : Debug:   rlm_eap: EAP/peap
Tue Apr 12 15:21:36 2005 : Debug:   rlm_eap: processing type peap
Tue Apr 12 15:21:36 2005 : Debug:   rlm_eap_peap: Authenticate
Tue Apr 12 15:21:36 2005 : Debug:   rlm_eap_tls: processing TLS
Tue Apr 12 15:21:36 2005 : Debug:   eaptls_verify returned 7
Tue Apr 12 15:21:36 2005 : Debug:   rlm_eap_tls: Done initial handshake
Tue Apr 12 15:21:36 2005 : Debug:   eaptls_process returned 7
Tue Apr 12 15:21:36 2005 : Debug:   rlm_eap_peap: EAPTLS_OK
Tue Apr 12 15:21:36 2005 : Debug:   rlm_eap_peap: Session established.  Decoding tunneled attributes.
  PEAP tunnel data in : 1a 02 06 00 44 31 9f 11 f4 59 4e c9 74 2b dd 1b
  PEAP tunnel data in 0010: a2 c0 bf 28 fa ea 00 00 00 00 00 00 00 00 c8 3c
  PEAP tunnel data in 0020: 75 64 f3 38 a5 42 35 96 e8 c2 84 5a 74 0e ec 42
  PEAP tunnel data in 0030: d9 2e 69 41 4e a3 00 73 75 70 70 6c 69 63 61 6e
  PEAP tunnel data in 0040: 74 5f 63 74 73
Tue Apr 12 15:21:36 2005 : Debug:   rlm_eap_peap: EAP type mschapv2
Tue Apr 12 15:21:36 2005 : Debug:   rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled EAP-Message
EAP-Message = 0x020600491a02060044319f11f4594ec9742bdd1ba2c0bf28faeac83c7564f338a5423596e8c2845a740eec42d92e69414ea300737570706c6963616e745f637473
Tue Apr 12 15:21:36 2005 : Debug:   PEAP: Setting User-Name to supplicant_cts
Tue Apr 12 15:21:36 2005 : Debug:   PEAP: Adding old state with 9c 22
  PEAP: Sending tunneled request
EAP-Message = 0x020600491a02060044319f11f4594ec9742bdd1ba2c0bf28faeac83c7564f338a5423596e8c2845a740eec42d92e69414ea300737570706c6963616e745f637473
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = supplicant_cts
State = 0x9c22748acfa58b214fe3d20fac288a7a
Tue Apr 12 15:21:36 2005 : Debug:   Processing the authorize section of radiusd.conf
Tue Apr 12 15:21:36 2005 : Debug: modcall: entering group authorize for request 6
Tue Apr 12 15:21:36 2005 : Debug:   modsingle[authorize]: calling preprocess (rlm_preprocess) for request 6
Tue Apr 12 15:21:36 2005 : Debug:   modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 6
Tue Apr 12 15:21:36 2005 : Debug:   modcall[authorize]: module preprocess returns ok for request 6
Tue Apr 12 15:21:36 2005 : Debug:   modsingle[authorize]: calling chap (rlm_chap) for request 6
Tue Apr 12 15:21:36 2005 : Debug:   modsingle[authorize]: returned from chap (rlm_chap) for request 6
Tue Apr 12 15:21:36 2005 : Debug:   modcall[authorize]: module chap returns noop for request 6
Tue Apr 12 15:21:36 2005 : Debug:   modsingle[authorize]: calling mschap (rlm_mschap) for request 6
Tue Apr 12 15:21:36 2005 : Debug:   modsingle[authorize]: returned from mschap (rlm_mschap) for request 6
Tue Apr 12 15:21:36 2005 : Debug:   modcall[authorize]: module mschap returns noop for request 6
Tue Apr 12 15:21:36 2005 : Debug:   modsingle[authorize]: calling suffix (rlm_realm) for request 6
Tue Apr 12 15:21:36 2005 : Debug: rlm_realm: No '@' in User-Name = supplicant_cts, looking up realm NULL
Tue Apr 12 15:21:36 2005 : Debug: rlm_realm: No such realm NULL
Tue Apr 12 15:21:36 2005 : Debug:   modsingle[authorize]: returned from suffix (rlm_realm) for request 6
Tue Apr 12 
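As an added example (not code from the post or from FreeRADIUS), this decoder walks the EAP-MSCHAPv2 Response that PEAP unwrapped in the debug output above: the bytes are the "PEAP tunnel data in" dump with the 4-byte EAP header (02 06 00 49) from the EAP-Message line prepended. It shows what rlm_mschap has to verify, a 24-byte NT-Response that can only be recomputed from the user's NT hash, which is what the "MS-CHAP2-Response is incorrect" reject earlier in this archive is about.

```python
import struct
from dataclasses import dataclass

EAP_RESPONSE = 2
EAP_TYPE_MSCHAPV2 = 26  # 0x1a
MSCHAPV2_OP_RESPONSE = 2
VALUE_SIZE = 49         # 16 peer challenge + 8 reserved + 24 NT-Response + 1 flags

# Bytes copied from the 'PEAP tunnel data in' dump in the post above.
TUNNEL_DUMP = """
1a 02 06 00 44 31 9f 11 f4 59 4e c9 74 2b dd 1b
a2 c0 bf 28 fa ea 00 00 00 00 00 00 00 00 c8 3c
75 64 f3 38 a5 42 35 96 e8 c2 84 5a 74 0e ec 42
d9 2e 69 41 4e a3 00 73 75 70 70 6c 69 63 61 6e
74 5f 63 74 73
"""
# EAP header (code, id, length) taken from the EAP-Message line: 02 06 00 49.
PACKET = bytes.fromhex("02060049") + bytes.fromhex("".join(TUNNEL_DUMP.split()))


@dataclass
class MsChapV2Response:
    eap_id: int
    ms_id: int
    peer_challenge: bytes  # 16 bytes chosen by the supplicant
    nt_response: bytes     # 24 bytes: three DES encryptions keyed from the NT hash
    flags: int
    name: str


def parse_eap_mschapv2_response(pkt: bytes) -> MsChapV2Response:
    """Decode an EAP-MSCHAPv2 Response (RFC 3748 header, RFC 2759 payload).
    Every length field is checked against the bytes actually present."""
    if len(pkt) < 10:
        raise ValueError("packet too short for an EAP-MSCHAPv2 header")
    code, eap_id, eap_len, eap_type = struct.unpack("!BBHB", pkt[:5])
    if eap_len != len(pkt):
        raise ValueError(f"EAP length {eap_len} does not match {len(pkt)} bytes")
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_MSCHAPV2:
        raise ValueError("not an EAP Response of type MS-CHAPv2")
    body = pkt[5:]
    opcode, ms_id, ms_len, value_size = struct.unpack("!BBHB", body[:5])
    if opcode != MSCHAPV2_OP_RESPONSE:
        raise ValueError(f"unexpected MS-CHAPv2 opcode {opcode}")
    if ms_len != len(body):
        raise ValueError(f"MS-CHAPv2 length {ms_len} does not match {len(body)} bytes")
    if value_size != VALUE_SIZE or len(body) < 5 + VALUE_SIZE:
        raise ValueError("Value-Size must be 49 for a Response")
    value = body[5:5 + VALUE_SIZE]
    peer_challenge = value[:16]
    reserved = value[16:24]
    nt_response = value[24:48]
    flags = value[48]
    if reserved != bytes(8) or flags != 0:
        raise ValueError("Reserved and Flags must be zero (RFC 2759)")
    name = body[5 + VALUE_SIZE:].decode("ascii")
    return MsChapV2Response(eap_id, ms_id, peer_challenge, nt_response, flags, name)


if __name__ == "__main__":
    r = parse_eap_mschapv2_response(PACKET)
    # The server looks up r.name ('supplicant_cts', the users entry matched at
    # line 55 in the log) and recomputes the 24-byte NT-Response from that
    # user's NT hash; a crypt(3) digest gives it nothing to compute with.
    print(r)
```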


FreeRADIUS + PEAP

2005-03-04 Thread Gustafson, Tim
Hello Everyone!

I have FreeRADIUS up and running and authenticating users who dial up
into our network.  FreeRADIUS is working perfectly for that purpose.

I am now trying to configure FreeRADIUS to also authenticate my wireless
users who connect to a Linksys WAP54G Wireless Access Point.  I have
configured the Linksys to authenticate against my FreeRADIUS server
using WPA.  FreeRADIUS does get the authentication requests, but it
seems that I've done something wrong and the requests are not being
authenticated properly.  Here's what I get in my FreeRADIUS log:

Fri Mar  4 13:11:11 2005 : Auth: Login incorrect: [EMAIL PROTECTED]/no User-Password attribute] (from client wireless.meitech.com port 9 cli 000b7d0fa264)
Fri Mar  4 13:11:41 2005 : Info: rlm_eap_tls:  Length Included
Fri Mar  4 13:11:41 2005 : Error: TLS_accept:error in SSLv3 read client certificate A
Fri Mar  4 13:11:41 2005 : Info: rlm_eap_tls:  Length Included
Fri Mar  4 13:11:41 2005 : Info: (other): SSL negotiation finished successfully
Fri Mar  4 13:11:41 2005 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Fri Mar  4 13:11:41 2005 : Auth: Login incorrect: [EMAIL PROTECTED]/no User-Password attribute] (from client localhost port 0)
Fri Mar  4 13:11:41 2005 : Auth: Login incorrect: [EMAIL PROTECTED]/no User-Password attribute] (from client wireless.meitech.com port 9 cli 000b7d0fa264)

Why is there no username attribute?  I have configured the Windows XP
workstation to use PEAP and it asks me for my login name and password,
which I entered, but it seems that the password attribute is not being
sent to FreeRADIUS, or maybe it's being sent in a way that FreeRADIUS
isn't understanding?

I have attached my radiusd.conf file to this e-mail as well, in case
anyone wants to review it.

PS - I generated the certificates I'm using for eap/tls authentication
using OpenSSL for the purposes of having my own in-house CA, which
allows my to issue certificates to customers and employees as I need to.
I figured it was best to use the same certificates for my wireless
authentication, no?  My wireless users are connecting using login names
and passwords, not certificates, but I think that eap needs certificates
anyhow, correct?

Tim Gustafson
MEI Technology Consulting, Inc
[EMAIL PROTECTED]
(516) 379-0001 Office
(516) 480-1870 Mobile/Emergencies
(516) 908-4185 Fax
http://www.meitech.com/ 




Re: freeRadius, PEAP, MSCHAP, Segment Fault(coredump)

2005-01-05 Thread john . ctr . gauntt

[EMAIL PROTECTED] wrote:
 This is my second try at this post; the first was too long. I read the
 archives and then attempted to configure freeRadius using PEAP MSCHAP.
 After some initial success I am stuck with a Segment Fault(coredump).

Alan Dekok wrote:
 It's another stupid bug in libltdl. The fix is to do:

$ configure --disable-shared
$ make
$ make install

 Alan DeKok.

I tried the configure switch and got another Segment Fault(coredump). Is
there other debug information that is useful for resolving this problem?
Thanks,
John Gauntt 
[EMAIL PROTECTED]

Re: freeRadius, PEAP, MSCHAP, Segment Fault(coredump)

2005-01-05 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 I tried the configure switch and got another Segment Fault(coredump).

  If you look, you'll probably see the same problem.

  Delete ALL of the previously installed FreeRADIUS binaries and
libraries.  Then re-configure and re-make.

  Alan DeKok.




freeRadius, PEAP, MSCHAP, Segment Fault(coredump)

2005-01-04 Thread john . ctr . gauntt



Hi folks,
This is my second try at this post; the first was too long. I read
the archives and then attempted to configure freeRadius using PEAP
MSCHAP. After some initial success I am stuck with a Segment
Fault(coredump).
I am using a Windows XP 802.1x client, Cisco 1100 AP and Sun Solaris
ver. 8 for freeRadius 1.0.1. After configuring the client, the AP and
the radiusd.conf, the client.conf and the users files (not yet the
eap.conf file) I was successful in getting the freeRadius server to
authenticate the client. Next I attempted to configure the client and
the eap.conf file for PEAP MSCHAP, resulting in the coredump. Enabling
PEAP results in error messages directing the configuration of TLS.
Enabling TLS results in the coredump. I have tried numerous combinations
of configuration, some of these I copied from the archive, with the same
result.  The radiusd -X output, the gdb bt output, the eap.conf file,
and a slice of the radiusd.conf file follow this text. I appreciate any
help on this problem.
Thanks,
John Gauntt

radiusd -X

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config:  including file: /usr/local/etc/raddb/proxy.conf
Config:  including file: /usr/local/etc/raddb/clients.conf
Config:  including file: /usr/local/etc/raddb/snmp.conf
Config:  including file: /usr/local/etc/raddb/eap.conf
Config:  including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = yes
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = no
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /usr/local/var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = peap
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = Password: 
gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
Segmentation Fault(coredump)


gdb bt

GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.8"...
Core was generated by `radiusd -X'.
Program terminated with signal 9, Killed.
Reading symbols from /usr/lib/libcrypt_i.so.1...done.
Loaded symbols for /usr/lib/libcrypt_i.so.1
Reading symbols from /usr/local/lib/libradius-1.0.1.so...done.
Loaded symbols for /usr/local/lib/libradius-1.0.1.so
Reading symbols from /usr/local/lib/libltdl.so.3...done.
Loaded symbols for /usr/local/lib/libltdl.so.3
Reading symbols from /usr/lib/libdl.so.1...done.
Loaded symbols for /usr/lib/libdl.so.1
Reading symbols from /usr/lib/libnsl.so.1...done.

Cisco Aironet's WDS and FreeRadius Peap

2004-12-13 Thread David Howard
I have Cisco Aironet 1100's that I am setting up on a private LAN that
go through a Firewall to get to the internal LAN.  The FreeRadius server
is on the internal LAN.  

Ok, so what works:  I can connect the client (supplicant) to the
Wireless G Aironet that authenticates to the FreeRadius Server.  I can
then connect to the VPN (which also authenticates to the Radius
server).  Everything there is happy.

What does not work: The Aironets use a system called WDS to allow
roaming between the access points.  I set up one unit to be the primary
WDS, and configure a second Aironet to use WDS.  The Aironets use the
Radius server for authentication, but they never are able to
authenticate with the WDS.

What I think I am doing wrong:  I believe that I need to activate peap
for the Cisco Aironets to authenticate.  I have tried to set this up per
documentation, but I get the following error when I now try to activate
the FreeRadius server using radiusd -A -X, cut to just show the eap
module failure:

**
Module: Loaded eap
 eap: default_eap_type = peap
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /usr/local/etc/raddb/certs/cert-srv.pem
 tls: certificate_file = (null)
 tls: CA_file = /usr/local/etc/raddb/certs/demoCA/cacert.pem
 tls: private_key_password = whatever
 tls: dh_file = /usr/local/etc/raddb/certs/dh
 tls: random_file = /usr/local/etc/raddb/certs/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)
9616:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: CERTICATE
9616:error:0200100E:system library:fopen:Bad address:bss_file.c:259:fopen('','r')
9616:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:261:
9616:error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib:ssl_rsa.c:513:
rlm_eap_tls: Error reading certificate file
rlm_eap: Failed to initialize type tls
radiusd.conf[9]: eap: Module instantiation failed.

***

I have tried to use CA.all to create a certificate, but it gives an
error during the certificate creation.  I have created a certificate
manually using openssl, and moved it into the /usr/local/etc/raddb/certs
folders (and DemoCA folders), but the server still fails.

I am running RedHat 9, kernel 2.4.20-8smp; openssl-0.9.7a-2;
freeradius-0.9.3-1.1

Does anyone know if the peap is even needed with the Aironets?  If so,
is there another howto or other docs I can RTFM to resolve this
certificate issue, or do I just need to hack all of the config files,
CA.all, etc...   Has anyone got this type of setup working (Cisco
Aironet's running WDS and FreeRadius)?

Dave




Re: Cisco Aironet's WDS and FreeRadius Peap

2004-12-13 Thread David Howard
That did it!  I did not think that Cisco was still using LEAP.  At least
I can run tests now on the infrastructure.

Thank you for your hint.

Dave

On Mon, 2004-12-13 at 10:08, Joe Matuscak wrote:
 On 13 Dec 2004, David Howard wrote:
 
  What does not work: The Aironets use a system called WDS to allow
  roaming between the access points.  I set up one unit to be the
 primary
  WDS, and configure a second Aironet to use WDS.  The Aironets use the
  Radius server for authentication, but they never are able to
  authenticate with the WDS.
  
  What I think I am doing wrong:  I believe that I need to activate peap
  for the Cisco Aironets to authenticate. 
 
 Nope. From what I can tell, the client APs use LEAP to authenticate. 
 
  Has anyone got this type of setup working (Cisco Aironet's running WDS
  and FreeRadius)?
 
 Yes, I've got it running in a test mode at the moment. Only two APs, but
 it seems to be behaving fine.  I'm using the 1200 APs with IOS
 12.2(15)JA
 and FreeRadius on Fedora Core 2 (freeradius-1.0.1-0.FC2).  To get the
 client APs to authenticate, I had to set:
 
 default_eap_type = leap
 
 In eap.conf.  
 
 
 
 Joe Matuscak
 Rohrer Corporation
 717 Seville Road
 Wadsworth, Ohio 44281
 (330)335-1541
 [EMAIL PROTECTED]
 
 
 





Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-25 Thread Alan DeKok
Hand, Chris [EMAIL PROTECTED] wrote:
 I'm still not seeing it.

  If it's listed in the authorize section, it will be printed out in
debugging mode.

  Are you willing to provide debug logs?

 Let's start over. What is the best way of authenticating users to an
 NT domain over PEAP? Am I even on the right track?

  ntlm_auth.

  It works, and other people have gotten it to work.  The issue now
becomes poking your configuration so that it works.

  Alan DeKok.



Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-24 Thread Alan DeKok
Hand, Chris [EMAIL PROTECTED] wrote:
 Yes, I am using the ntdomain realm. However, I do not see it show up in
 the debugging output. Do I need to do anything other than list
 ntdomain in the 'authorize' section to make freeradius use it?

  If it's listed there, you should see it printed out in debugging mode.

  Try listing it immediately after preprocess, and double-checking
the debug output.

  Alan DeKok.




RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-24 Thread Hand, Chris
I'm still not seeing it.

Let's start over. What is the best way of authenticating users to an NT
domain over PEAP? Am I even on the right track?

Chris Hand

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Tuesday, August 24, 2004 10:51 AM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP
client 

Hand, Chris [EMAIL PROTECTED] wrote:
 Yes, I am using the ntdomain realm. However, I do not see it show up
in
 the debugging output. Do I need to do anything other than list
 ntdomain in the 'authorize' section to make freeradius use it?

  If it's listed there, you should see it printed out in debugging mode.

  Try listing it immediately after preprocess, and double-checking
the debug output.

  Alan DeKok.







Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Hand, Chris
I am trying to set up 802.1x on our network and I would like the users
to be able to use their current Active Directory credentials.

I need the AD domain to be stripped from the username so that I can feed
it to ntlm_auth. I am using a Windows XP Pro client and Windows 2003
server.

Here is part of my config file.

modules {
    realm ntdomain {
        format = prefix
        delimiter = \\
        ignore_default = no
        ignore_null = no
    }

    eap {
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = yes
        tls {
            private_key_password = whatever
            private_key_file = ${raddbdir}/certs/cert-srv.pem
            certificate_file = ${raddbdir}/certs/cert-srv.pem
            CA_file = ${raddbdir}/certs/demoCA/cacert.pem
            dh_file = ${raddbdir}/certs/dh
            random_file = ${raddbdir}/certs/random
            fragment_size = 1024
            include_length = yes
        }
        peap {
            default_eap_type = mschapv2
        }
        mschapv2 {
        }
    }

    mschap {
        authtype = MS-CHAP
        with_ntdomain_hack = no
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MI --username=%{Stripped-User-Name} --challence=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
    }
}

authorize {
    preprocess
    ntdomain
    eap
    files
}

authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}

From the debug output:
radius_xlat: Running registered xlat function of module mschap for
string 'Challenge'
radius_xlat: Running registered xlat function of module mschap for
string 'NT-Response'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MI
--username= --challenge=3d66c96d9aa150e6
--nt-response=c97090b4f7aeeac3ea2a98e24daf1fdac43f626658cbe463
Exec-Program-Wait: plaintext: Logon failure (0xc06d) 
Exec-Program: returned: 1

If I try ntlm_auth manually, it works fine:
[EMAIL PROTECTED] raddb]# ntlm_auth --requeset-nt-key --domain=MI /
--username=chand
password: 
NT_STATUS_OK: Success (0x0)

Has anyone successfully used freeradius to authenticate against Active
Directory (Windows 2003)?

Chris Hand 
Network Engineer
[EMAIL PROTECTED]






Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Paul Bender
Did you cut and paste or type the lines from your config file? According 
to the config file, ntlm_auth has the argument '--challence', but the 
debug output has the argument '--challenge'.

Hand, Chris wrote:
I am trying to set up 802.1x on our network and I would like the users
to be able to use their current Active Directory credentials.
I need the AD domain to be stripped from the username so that I can feed
it to ntlm_auth. I am using a Windows XP Pro client and Windows 2003
server.
Here is part of my config file.
Modules {
realm ntdomain {
format = prefix
delimiter = \\
ignore_default = no
ignore_null = no
}
eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = yes
tls {
private_key_password = whatever
private_key_file = ${raddbdir}/certs/cert-srv.pem
certificate_file = ${raddbdir}/certs/cert-srv.pem
CA_file = ${raddbdir}/certs/demoCA/cacert.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
fragment_size = 1024
include_length = yes
}
peap {
default_eap_type = mschapv2
}
mschapv2 {
}
}
mschap {
authtype = MS-CHAP
with_ntdomain_hack = no
ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=MI /
--username=%{Stripped-User-Name} --challence=%{mschap:Challenge:-00} /
--nt-response=%{mschap:NT-Response:-00}
}
}
authorize {
preprocess
ntdomain
eap
files
}
authenticate {
Auth-Type MS-CHAP {
Mschap
}
eap
}
From the debug output:
radius_xlat: Running registered xlat function of module mschap for
string 'Challenge'
radius_xlat: Running registered xlat function of module mschap for
string 'NT-Response'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MI
--username= --challenge=3d66c96d9aa150e6
--nt-response=c97090b4f7aeeac3ea2a98e24daf1fdac43f626658cbe463
Exec-Program-Wait: plaintext: Logon failure (0xc06d) 
Exec-Program: returned: 1

If I try ntlm_auth manually, it works fine:
[EMAIL PROTECTED] raddb]# ntlm_auth --requeset-nt-key --domain=MI /
--username=chand
password: 
NT_STATUS_OK: Success (0x0)

Has anyone successfully used freeradius to authenticate against Active
Directory (Windows 2003)?
Chris Hand 
Network Engineer
[EMAIL PROTECTED]





RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Hand, Chris
I retyped the config. That is a typo. It should be '--challenge'.

-Chris
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul
Bender
Sent: Monday, August 23, 2004 4:01 PM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP
client

Did you cut and paste or type the lines from your config file? According
to the config file, ntlm_auth has the argument '--challence', but the 
debug output has the argument '--challenge'.

Hand, Chris wrote:

 I am trying to set up 802.1x on our network and I would like the users
 to be able to use their current Active Directory credentials.
 
 I need the AD domain to be stripped from the username so that I can
feed
 it to ntlm_auth. I am using a Windows XP Pro client and Windows 2003
 server.
 
 Here is part of my config file.
 
 Modules {
 realm ntdomain {
   format = prefix
   delimiter = \\
   ignore_default = no
   ignore_null = no
 }
 
 eap {
   default_eap_type = peap
   timer_expire = 60
   ignore_unknown_eap_types = no
   cisco_accounting_username_bug = yes
   tls {
   private_key_password = whatever
   private_key_file = ${raddbdir}/certs/cert-srv.pem
   certificate_file = ${raddbdir}/certs/cert-srv.pem
   CA_file = ${raddbdir}/certs/demoCA/cacert.pem
   dh_file = ${raddbdir}/certs/dh
   random_file = ${raddbdir}/certs/random
   fragment_size = 1024
   include_length = yes
   }
   peap {
   default_eap_type = mschapv2
   }
   mschapv2 {
   }
 }
 
 mschap {
   authtype = MS-CHAP
   with_ntdomain_hack = no
   ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=MI /
 --username=%{Stripped-User-Name} --challence=%{mschap:Challenge:-00} /
 --nt-response=%{mschap:NT-Response:-00}
 }
 }
 
 authorize {
   preprocess
   ntdomain
   eap
   files
 }
 
 authenticate {
   Auth-Type MS-CHAP {
   Mschap
   }
   eap
 }
 
 From the debug output:
 radius_xlat: Running registered xlat function of module mschap for
 string 'Challenge'
 radius_xlat: Running registered xlat function of module mschap for
 string 'NT-Response'
 Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MI
 --username= --challenge=3d66c96d9aa150e6
 --nt-response=c97090b4f7aeeac3ea2a98e24daf1fdac43f626658cbe463
 Exec-Program-Wait: plaintext: Logon failure (0xc06d) 
 Exec-Program: returned: 1
 
 If I try ntlm_auth manually, it works fine:
 [EMAIL PROTECTED] raddb]# ntlm_auth --requeset-nt-key --domain=MI /
 --username=chand
 password: 
 NT_STATUS_OK: Success (0x0)
 
 Has anyone successfully used freeradius to authenticate against Active
 Directory (Windows 2003)?
 
 Chris Hand 
 Network Engineer
 [EMAIL PROTECTED]
 
 
 
 







Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Alan DeKok
Hand, Chris [EMAIL PROTECTED] wrote:
  Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MI
  --username= --challenge=3d66c96d9aa150e6
  --nt-response=c97090b4f7aeeac3ea2a98e24daf1fdac43f626658cbe463
  Exec-Program-Wait: plaintext: Logon failure (0xc06d)

  Where's the username?

  Alan DeKok.



RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Hand, Chris
Exactly... The username is not getting fed into ntlm_auth. It seems that
the stripping of the domain from the username is not working. If I use 
--username=%{User-Name}, then it feeds 'MI\\chand' to ntlm_auth.

-Chris Hand

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Monday, August 23, 2004 4:36 PM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP
client 

Hand, Chris [EMAIL PROTECTED] wrote:
  Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MI
  --username= --challenge=3d66c96d9aa150e6
  --nt-response=c97090b4f7aeeac3ea2a98e24daf1fdac43f626658cbe463
  Exec-Program-Wait: plaintext: Logon failure (0xc06d)

  Where's the username?

  Alan DeKok.






Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Alan DeKok
Hand, Chris [EMAIL PROTECTED] wrote:
 Exactly... The username is not getting fed into ntlm_auth. It seems that
 the stripping of the domain from the username is not working.

  Are you using the ntdomain realm, as given in radiusd.conf?

  Are you running it in debugging mode, to see that the ntdomain
realm is working?

  Alan DeKok.




RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Hand, Chris
Yes, I am using the ntdomain realm. However, I do not see it show up in
the debugging output. Do I need to do anything other than list
ntdomain in the 'authorize' section to make freeradius use it?

Chris Hand

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Monday, August 23, 2004 5:19 PM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP
client 

Hand, Chris [EMAIL PROTECTED] wrote:
 Exactly... The username is not getting fed into ntlm_auth. It seems
that
 the stripping of the domain from the username is not working.

  Are you using the ntdomain realm, as given in radiusd.conf?

  Are you running it in debugging mode, to see that the ntdomain
realm is working?

  Alan DeKok.







RE: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....

2004-05-03 Thread Dourty, Brian R. (IATS)
 Dourty, Brian R. (IATS) [EMAIL PROTECTED] wrote:
  Ok, but isn't the with_ntdomain_hack = yes directive in the 
  radiusd.conf file supposed to correct this behavior?
 
   Theoretically, yes.  But when you're calling ntlm_auth, the 
 with_ntdomain_hack isn't being used.  Why would it?  You're 
 passing the exact attributes you want to ntlm_auth.  If you 
 don't like the attributes, change them.  Why would we need 
 another configuration option to do the same thing?
 
  So now my args for ntlm_auth are right, but I think something is up 
  with mschap still.
 
   If the arguments to ntlm_auth are right, then it should work.

To clarify things here, the --domain and --username arguments are right,
but the --challenge argument is incorrect. 

I'm looking at the code in rlm_mschap.c. I believe this is the code that
creates the value for the --challenge argument for ntlm_auth. It is my
understanding that this is a hash created with this code:

challenge_hash(response->strvalue + 2,
               chap_challenge->strvalue,
               user_name->strvalue, buffer);

The username being used in this function still contains the DOMAIN! This
is what is keeping the auth from working. I've added debug statements to
my code. It's using the domain/user. This won't work. 

 
  When the Challenge or Response message is generated, is it still trying
  to use domain/user as the username?
 
   Ask the client, not FreeRADIUS.

I can't change the client. I can change freeradius. The client presents
freeradius with a domain/username. We all know that is the case.

 
   And when you're using ntlm_auth, *you* configure it to use 
 domain\user, or just user.  So to answer your question on 
 FreeRADIUS's side, go back and read your configuration.
 
  I'm confused on this point. When PEAP identity is set to 
 username my 
  auths work. When the PEAP identity is of the form 
 domain/user MSCHAP 
  fails.
 
   Yes.  This is the problem.  But it has nothing to do with PEAP.

You are right, it has nothing to do with PEAP. Freeradius gets what the
client gives it. The problem occurs in the mschap module. 

   There's no point trying to configure FreeRADIUS to do the right
 thing, when you don't even know what the right thing is.  
 Find that out first, and THEN configure the server.

I know what the right thing is. In order for the ntlm_auth to return OK,
all of its arguments have to be right. When a client is set up to send
domain/user instead of just user, things break down in the MSCHAP module.
The NTLM_AUTH function takes 4 arguments from freeradius. They are as
follows:

--domain %{Realm}
--username %{Stripped-User-Name}
--challenge %{mschap:Challenge:-00}
--nt-response %{mschap:NT-Response:-00}

The challenge and nt-response are both hashes based in part on the
username. The username that freeradius uses when it generates these
hashes is the full username, not the stripped username. This is what is
causing my problem.

Now, the question is how to go about fixing the problem.

Brian D.

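Brian's point above, that the challenge handed to ntlm_auth is derived from the user name and therefore changes when the name still carries the DOMAIN\ prefix (the same prefix Chris's ntdomain realm strips earlier in the thread), as an added Python example that is not code from FreeRADIUS or from the thread. It implements RFC 2759's ChallengeHash() (the value behind %{mschap:Challenge}) and a prefix-stripping helper that mimics the ntdomain realm and with_ntdomain_hack; the identity EXAMPLE\alice and the random challenges are constructed, and the RFC 2759 test vector is used as a correctness check.

```python
"""MS-CHAPv2 ChallengeHash() and why a DOMAIN\\user identity breaks it.

Added example (not FreeRADIUS code): RFC 2759 section 8.2 ChallengeHash(),
which is the 8-octet value FreeRADIUS exposes as %{mschap:Challenge} and the
thread passes to ntlm_auth --challenge, plus a prefix-stripping helper that
mimics 'realm ntdomain' (format = prefix) and with_ntdomain_hack.
The identity EXAMPLE\\alice and the random challenges below are constructed.
"""
import hashlib
import os
from typing import List, Optional, Tuple


def strip_ntdomain(user_name: str, delimiter: str = "\\") -> Tuple[Optional[str], str]:
    """Split 'DOMAIN\\user' into (realm, stripped user), as the ntdomain realm
    does with format = prefix.  A name without the delimiter has no realm."""
    realm, sep, user = user_name.partition(delimiter)
    if not sep:
        return None, user_name
    return realm, user


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 8.2: Challenge = SHA1(PeerChallenge || AuthenticatorChallenge ||
    UserName)[0:8].  The RFC requires the user name *without* any prepended
    domain; a Windows supplicant hashes 'alice' even when its identity reads
    'EXAMPLE\\alice'."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 octets")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(user_name.encode("ascii"))
    return h.digest()[:8]


def server_challenge(peer_challenge: bytes, auth_challenge: bytes,
                     user_name_as_sent: str, with_ntdomain_hack: bool) -> bytes:
    """The --challenge value a server would compute.  With the hack off it
    hashes the name exactly as received, domain prefix included."""
    name = user_name_as_sent
    if with_ntdomain_hack:
        name = strip_ntdomain(user_name_as_sent)[1]
    return challenge_hash(peer_challenge, auth_challenge, name)


def ntlm_auth_argv(realm: str, stripped_user: str, challenge: bytes,
                   nt_response: bytes) -> List[str]:
    """Argument vector in the shape of the thread's ntlm_auth line (an argv
    list rather than a shell string, so a client-supplied name is never
    interpreted by a shell)."""
    return ["/usr/bin/ntlm_auth", "--request-nt-key",
            "--domain=" + realm, "--username=" + stripped_user,
            "--challenge=" + challenge.hex(), "--nt-response=" + nt_response.hex()]


# RFC 2759 section 9.2 test vector for ChallengeHash()
RFC2759_USER = "User"
RFC2759_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC2759_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC2759_CHALLENGE = bytes.fromhex("D02E4386BCE91226")


def demo() -> dict:
    """Constructed scenario: the supplicant is configured with identity
    EXAMPLE\\alice.  Returns whether the server-side challenge matches the
    one the client used, with the hack off and with it on."""
    peer, auth = os.urandom(16), os.urandom(16)
    sent = "EXAMPLE\\alice"
    client_side = challenge_hash(peer, auth, "alice")
    return {
        "hack_off": server_challenge(peer, auth, sent, False) == client_side,
        "hack_on": server_challenge(peer, auth, sent, True) == client_side,
    }


if __name__ == "__main__":
    assert challenge_hash(RFC2759_PEER_CHALLENGE, RFC2759_AUTH_CHALLENGE,
                          RFC2759_USER) == RFC2759_CHALLENGE
    print(demo())  # {'hack_off': False, 'hack_on': True}
    realm, user = strip_ntdomain("EXAMPLE\\alice")
    print(ntlm_auth_argv(realm, user, RFC2759_CHALLENGE, b"\x00" * 24))
```

The NT-Response is in turn computed from this 8-octet challenge, which is why both ntlm_auth arguments end up wrong when the server hashes the unstripped name.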


Re: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....

2004-05-03 Thread Alan DeKok
Dourty, Brian R. (IATS) [EMAIL PROTECTED] wrote:
 To clarify things here, the --domain and --username arguments are right,
 but the --challenge argument is incorrect.

  Ah, OK.

 The username being used in this function still contains the DOMAIN! This
 is what is keeping the auth from working. I've added debug statements to
 my code. It's using the domain/user. This won't work.

  Then the with_ntdomain_hack should be set...

 I can't change the client. I can change freeradius. The client presents
 freeradius with a domain/username. We all know that is the case.

  Yes, that's a problem.  The client is *lying* to FreeRADIUS.

 The challenge and nt-response are both hashes based in part on the
 username. The username that freeradius uses when it generates these
 hashes is the full username, not the stripped username. This is what is
 causing my problem.
 
 Now, the question is how to go about fixing the problem.

  Theoretically, using with_ntdomain_hack should help. 

  Hmm... the code you pointed out does appear to ignore
with_ntdomain_hack.  I'll fix that.  See tomorrow's CVS snapshot.

  Alan DeKok.



RE: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....

2004-05-03 Thread Dourty, Brian R. (IATS)
I patched the rlm_mschap.c file (attached). I pulled code from
rlm_preprocess.c that handles the with_ntdomain_hack and modified it to
work. The user_name argument being passed to challenge_hash() function
now honors the with_ntdomain_hack but my problem still exists. :-( Back
to the drawing board.

Brian D.

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On 
 Behalf Of Alan DeKok
 Sent: Monday, May 03, 2004 1:07 PM
 To: [EMAIL PROTECTED]
 Subject: Re: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question 
 
 Dourty, Brian R. (IATS) [EMAIL PROTECTED] wrote:
  To clarify things here, the --domain and --username arguments are 
  right, but the --challenge argument is incorrect.
 
   Ah, OK.
 
  The username being used in this function still contains the DOMAIN! 
  This is what is keeping the auth from working. I've added debug 
  statements to my code. It's using the domain/user. This won't work.
 
   Then the with_ntdomain_hack should be set...
 
  I can't change the client. I can change freeradius. The client 
  presents freeradius with a domain/username. We all know 
 that is the case.
 
   Yes, that's a problem.  The client is *lying* to FreeRADIUS.
 
  The challenge and nt-response are both hashes based in part on the 
  username. The username that freeradius uses when it generates these 
  hashes is the full username, not the stripped username. 
 This is what 
  is causing my problem.
  
  Now, the question is how to go about fixing the problem.
 
   Theoretically, using with_ntdomain_hack should help. 
 
   Hmm... the code you pointed out does appear to ignore 
 with_ntdomain_hack.  I'll fix that.  See tomorrow's CVS snapshot.
 
   Alan DeKok.
 
 
 


with_ntdomain_hack.patch
Description: with_ntdomain_hack.patch


Re: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....

2004-05-03 Thread Alan DeKok
Dourty, Brian R. (IATS) [EMAIL PROTECTED] wrote:
 I patched the rlm_mschap.c file (attached). I pulled code from
 rlm_preprocess.c that handles the with_ntdomain_hack and modified it to
 work.

  Similar code already existed in rlm_mschap.c.  The fix was 1 line.

  The user_name argument being passed to challenge_hash() function
 now honors the with_ntdomain_hack but my problem still exists. :-(
 Back to the drawing board.

  Hmm... you hacked the User-Name attribute, which isn't generally a
good idea.

  Try the CVS snapshot tomorrow, or grab the latest via anonymous cvs.

  Alan DeKok.




Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....

2004-04-30 Thread Dourty, Brian R. (IATS)
Hello all,

We are in the process of testing 802.1x authentication for future
deployment on campus. Our test setup includes the following:

freeradius-snapshot-20040427 running on RHEL 3.0 AS
Configured for PEAP with MSCHAPv2 using SAMBA's winbind/ntlm_auth
Multiple AD domains (smb.conf points to a Global Catalog Server)
Linux/Windows XP/Windows 2K/Mac OS X clients

What works:

1. using wbinfo -a domain+user%password I can authenticate as any user
in any of our domains.
2. 802.1x auths as long as I don't supply a domain and the user is in
the domain that the GC is in.

What doesn't work:

1. Supplying domain with login credentials.

I've got a realm for each of our domains set up and I can see the
preprocess module doing its job separating domain from username. Then
the MSCHAPv2 module kicks in and the call to NTLM_AUTH fails with wrong
password.

1. Keeping in mind that user1 in domain1 can auth as long as domain1
isn't supplied why does supplying domain1 cause the auth to fail?

2. What does preprocess do with the realm it strips off? I'd like to be able
to pass the realm as a --domain option to ntlm_auth.

3. Why does PEAP think the username is still domain/user? I see the
following in the logs while running radius -X -A

  PEAP: Setting User-Name to UMC-USERS\dourtyb
  PEAP: Adding old state with 17 b0
  PEAP: Sending tunneled request

  Should it be using Stripped-User-Name instead?

Thanks,

Brian Dourty
IAT Services
University of Missouri - Columbia



RE: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....

2004-04-30 Thread Dourty, Brian R. (IATS)
 
 Dourty, Brian R. (IATS) [EMAIL PROTECTED] wrote:
  1. Keeping in mind that user1 in domain1 can auth as long 
 as domain1 
  isn't supplied why does supplying domain1 cause the auth to fail?
 
   Because the MS client does the MS-CHAP calculations using 
 the username without the domain, but supplies the username to 
 the RADIUS server WITH the domain.
 
   See the list archives for more explanations.

Ok, but isn't the with_ntdomain_hack = yes directive in the
radiusd.conf file supposed to correct this behavior?

# Windows sends us a username in the form of
# DOMAIN\user, but sends the challenge response
# based on only the user portion.  This hack
# corrects for that incorrect behavior.

 
  2. What does preprocess do with the realm it strips off? I'd like to be 
  able to pass the realm as a --domain option to ntlm_auth.
 
   Read the debug log.  It adds it as an attribute.

Ah yes, I see that now. New attribute is called Realm so the line in
radiusd.conf is now:

ntlm_auth = /usr/bin/ntlm_auth --domain=%{Realm} --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}

So now my args for ntlm_auth are right, but I think something is up with
mschap still. When the Challenge or Response message is generated, is it
still trying to use domain/user as the username?

 
  3. Why does PEAP think the username is still domain/user? I see the 
  following in the logs while running radius -X -A
  
PEAP: Setting User-Name to UMC-USERS\dourtyb
 
   Because that's the name in the EAP identity packet.  Read 
 the debug log, it says this.
 
Should it be using Stripped-User-Name instead?
 
   No.

I'm confused on this point. When PEAP identity is set to username my
auths work. When the PEAP identity is of the form domain/user MSCHAP
fails. 

Am I wrong in thinking that with the correct configuration Freeradius
will allow me to have users from all trusted domains use the MSCHAP
module for 802.1x auth? Where am I going wrong?

Thanks!

Brian Dourty
IAT Services
University of Columbia - Missouri



Re: Freeradius PEAP Problems

2004-02-11 Thread Alan DeKok
Lionel Gavage [EMAIL PROTECTED] wrote:
 even with this option, the problem is always present!
 
 an idea ?

  <shrug>  Buy a better client?

  The tunneled session MUST include an EAP-Identity packet, which is
where the user name comes from.  If the client doesn't send it, don't
complain that FreeRADIUS is broken.  Fix the client.

  The user name is REQUIRED for MS-CHAP, which is what PEAP uses
inside of the TLS tunnel.  Any client that doesn't send a user name is
broken.

  Alan DeKok.



Re: Freeradius PEAP Problems

2004-02-09 Thread Alan DeKok
Lionel Gavage [EMAIL PROTECTED] wrote:
 I use FreeRadius snapshot 20040129 with EAP/TLS EAP/TTLS and EAP/PEAP.
 I try to set up PEAP/MS-CHAPv2 but I get the error "rlm_mschap: We require a
 User-Name for MS-CHAPv2".
 However, I am indeed sending a login/password. I use Aegis Client under Windows XP.

  Look again.  The tunneled authentication session doesn't have a username.

 You can set copy_request_to_tunnel = yes in the PEAP module.  That
should help.

  Alan DeKok.



RE: Freeradius PEAP Problems

2004-02-09 Thread Lionel Gavage
even with this option, the problem is always present!

an idea ?

Lionel Gavage

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Monday, 9 February 2004 16:45
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems


Lionel Gavage [EMAIL PROTECTED] wrote:
 I use FreeRadius snapshot 20040129 with EAP/TLS EAP/TTLS and EAP/PEAP.
 I try to set up PEAP/MS-CHAPv2 but I get the error "rlm_mschap: We require a
 User-Name for MS-CHAPv2".
 However, I am indeed sending a login/password. I use Aegis Client under Windows XP.

  Look again.  The tunneled authentication session doesn't have a username.

 You can set copy_request_to_tunnel = yes in the PEAP module.  That
should help.

  Alan DeKok.





Re: Freeradius PEAP Problems

2004-02-09 Thread José Luis Solano

Sorry Lionel!!! Another question.

I have changed my radiusd.conf and I have activated the TTLS module. But
now, there are two modules activated, is it a problem?


eap {
    default_eap_type = tls    !!
    timer_expire = 60

    #md5 {
    #}

    tls {
        private_key_password = izadisan
        private_key_file = /usr/local/openssl/ssl/certs/server/server.pem
        certificate_file = /usr/local/openssl/ssl/certs/server/server.pem
        CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt
        dh_file = /usr/local/openssl/ssl/certs/dh
        random_file = /usr/local/openssl/ssl/certs/random
        fragment_size = 600
        include_length = yes
    }

    ttls {
        default_eap_type = md5
        !
        use_tunneled_reply = no
    }
}

Is it correct?

My FreeRADIUS is 0.8.1; does TTLS run with this version?
Is md5 the only possible value for default_eap_type?



Thanks again Lionel




José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
- Original Message -
From: Lionel Gavage [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, February 09, 2004 4:59 PM
Subject: RE: Freeradius PEAP Problems



 Activated the TTLS module:

 ttls {
 default_eap_type = md5
 use_tunneled_reply = no
 }

 and it's all.


 Lionel Gavage

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of José
 Luis Solano
 Sent: Monday, 9 February 2004 17:03
 To: [EMAIL PROTECTED]
 Subject: Re: Freeradius PEAP Problems


 Hi Lionel!!


 I would need your help because I use EAP-TLS, EAP-TTLS and PEAP. The first
 one, TLS, runs OK, but TTLS and PEAP don't. My first target now is to run
 TTLS, and I will run PEAP afterwards. So, can you help me please? Currently, my
 radiusd.conf is:

 
  # Extensible Authentication Protocol
  #
  #  For all EAP related authentications
  eap {
      # Invoke the default supported EAP type when
      # EAP-Identity response is received
      default_eap_type = tls

      # Default expiry time to clean the EAP list,
      # It is maintained to co-relate the
      # EAP-response for each EAP-request sent.
      timer_expire = 60

      # Supported EAP-types
      #md5 {
      #}

      ## EAP-TLS is highly experimental EAP-Type at the moment.
      #   Please give feedback on the mailing list.
      tls {
          private_key_password = izadisan
          private_key_file = /usr/local/openssl/ssl/certs/server/server.pem

          #   If Private key & Certificate are located in the
          #   same file, then private_key_file & certificate_file
          #   must contain the same file name.
          certificate_file = /usr/local/openssl/ssl/certs/server/server.pem

          #   Trusted Root CA list
          CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt

          dh_file = /usr/local/openssl/ssl/certs/dh
          random_file = /usr/local/openssl/ssl/certs/random
          #
          #   This can never exceed MAX_RADIUS_LEN (4096)
          #   preferably half the MAX_RADIUS_LEN, to
          #   accommodate other attributes in RADIUS packet.
          #   On most APs the MAX packet length is configured
          #   between 1500 - 1600. In these cases, fragment
          #   size should be <= 1024.
          #
          fragment_size = 600

          #   include_length is a flag which is by default set to yes
          #   If set to yes, Total Length of the message is included
          #   in EVERY packet we send.
          #   If set to no, Total Length of the message is included
          #   ONLY in the First packet of a fragment series.
          #
          include_length = yes
      }
  }
 --

 What changes I need to use TTLS?



 Thanks in advance Lionel!!!



 José Luis Solano
 SGI - Soluciones Globales Internet S.A.
 Delegación Regional Sur
 [EMAIL PROTECTED]
 (+34) 954.088.060
 - Original Message -
 From: Lionel Gavage [EMAIL PROTECTED]
 To: freeradius-users [EMAIL PROTECTED]
 Sent: Monday, February 09, 2004 4:23 PM
 Subject: Freeradius PEAP Problems


  Hi,
 
  I
