Re: Freeradius configuration to support EAP-TLS, EAP-TTLS and EAP-PEAP

2008-12-11 Thread Jason Wittlin-Cohen
On Thu, Dec 11, 2008 at 9:16 AM, Attou eric wrote:

> Hi Everybody.
>
> We are having some issues in setting up freeradius to support EAP-TLS,
> EAP-TTLS and EAP-PEAP.
> Our goal is to have our authentication server providing those three
> Auth-Type simultaneously.
> To support EAP-TLS, we generate our CA and certificates via TinyCA.
>
>

You can use TinyCA, but you must add the proper extended key usage. Under
Openssl-Configuration in TinyCA put the OID 1.3.6.1.5.5.7.3.1 for Server
Certificates into Extended Key usage, and 1.3.6.1.5.5.7.3.2 into Client
Certificate Extended Key Usage.

Jason
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
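Jason's advice checked from the defender's side: an added example, not code from the thread, FreeRADIUS or TinyCA, that pulls the Extended Key Usage OIDs out of a DER certificate with the Python standard library only, so you can confirm that 1.3.6.1.5.5.7.3.1 really landed on the server certificate and 1.3.6.1.5.5.7.3.2 on each client certificate before pointing eap.conf at them. It assumes DER input (convert PEM with `openssl x509 -outform DER` first) and that the first occurrence of the encoded extnID 2.5.29.37 in the file is the extension itself; `sample_extension` builds a constructed input for the checks.

```python
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth: must be on the RADIUS server cert
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth: must be on EAP-TLS client certs
EXT_KEY_USAGE = "2.5.29.37"        # id-ce-extKeyUsage, the extension that carries them

def encode_oid(dotted):
    """DER-encode a dotted OID: tag 0x06, length, then base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        body += bytes(chunk)
    return b"\x06" + bytes([len(body)]) + bytes(body)

def decode_oid(body):  # inverse of encode_oid, for the value bytes (no tag/length)
    arcs, val = list(divmod(body[0], 40)), 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos):  # parse one DER tag/length; return (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def extended_key_usages(der_cert):
    """EKU OIDs of a DER certificate (first extKeyUsage found); [] if absent."""
    idx = der_cert.find(encode_oid(EXT_KEY_USAGE))  # extnID opens the Extension
    if idx < 0:
        return []
    tag, start, end = read_tlv(der_cert, idx + 5)   # 5 = len(encoded extnID)
    if tag == 0x01:  # optional 'critical' BOOLEAN sits before extnValue
        tag, start, end = read_tlv(der_cert, end)
    _, pos, end = read_tlv(der_cert, start)  # extnValue OCTET STRING wraps a SEQUENCE OF OID
    oids = []
    while pos < end:
        _, vs, pos = read_tlv(der_cert, pos)
        oids.append(decode_oid(der_cert[vs:pos]))
    return oids

def sample_extension(*oids):  # constructed input: one Extension SEQUENCE as stored in a cert
    inner = b"".join(encode_oid(o) for o in oids)
    value = b"\x04" + bytes([len(inner) + 2]) + b"\x30" + bytes([len(inner)]) + inner
    return b"\x30" + bytes([len(value) + 5]) + encode_oid(EXT_KEY_USAGE) + value
```

On a real file, `SERVER_AUTH in extended_key_usages(open("server.der", "rb").read())` is the check to run on the server certificate, and the same with `CLIENT_AUTH` on each client certificate.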

Re: Freeradius configuration to support EAP-TLS, EAP-TTLS and EAP-PEAP

2008-12-11 Thread tnt
>We are having some issues in setting up freeradius to support EAP-TLS, 
>EAP-TTLS and EAP-PEAP.
>Our goal is to have our authentication server providing those three Auth-Type 
>simultaneously.
>To support EAP-TLS, we generate our CA and certificates via TinyCA.
>
>We also add radius' log after an authentication attempt from windows XP OS
>using windows built in supplicant by supplying a username and password stored
>in our /etc/passwd file. But the authentication failed with this error message :
> 
>rlm_eap: identity does not match User-Name, setting from EAP identity
> 
>Thu Dec 11 14:59:10 2008 : Debug: radiusd:  Loading Realms and Home 
>Servers 
>Thu Dec 11 14:59:10 2008 : Debug:  proxy server {
>Thu Dec 11 14:59:10 2008 : Debug:       retry_delay = 5
>Thu Dec 11 14:59:10 2008 : Debug:       retry_count = 3
>Thu Dec 11 14:59:10 2008 : Debug:       default_fallback = no
>Thu Dec 11 14:59:10 2008 : Debug:       dead_time = 120
>Thu Dec 11 14:59:10 2008 : Debug:       wake_all_if_all_dead = no
>Thu Dec 11 14:59:10 2008 : Debug:  }
>Thu Dec 11 14:59:10 2008 : Debug:  home_server localhost {
>Thu Dec 11 14:59:10 2008 : Debug:       ipaddr = 127.0.0.1
>Thu Dec 11 14:59:10 2008 : Debug:       port = 1812
>Thu Dec 11 14:59:10 2008 : Debug:       type = "auth"
>Thu Dec 11 14:59:10 2008 : Debug:       secret = "testing123"
>Thu Dec 11 14:59:10 2008 : Debug:       response_window = 20
>Thu Dec 11 14:59:10 2008 : Debug:       max_outstanding = 65536
>Thu Dec 11 14:59:10 2008 : Debug:       zombie_period = 40
>Thu Dec 11 14:59:10 2008 : Debug:       status_check = "status-server"
>Thu Dec 11 14:59:10 2008 : Debug:       ping_check = "none"
>Thu Dec 11 14:59:10 2008 : Debug:       ping_interval = 30
>Thu Dec 11 14:59:10 2008 : Debug:       check_interval = 30
>Thu Dec 11 14:59:10 2008 : Debug:       num_answers_to_alive = 3
>Thu Dec 11 14:59:10 2008 : Debug:       num_pings_to_alive = 3
>Thu Dec 11 14:59:10 2008 : Debug:       revive_interval = 120
>Thu Dec 11 14:59:10 2008 : Debug:       status_check_timeout = 4
>Thu Dec 11 14:59:10 2008 : Debug:  }
>Thu Dec 11 14:59:10 2008 : Debug:  home_server_pool my_auth_failover {
>Thu Dec 11 14:59:10 2008 : Debug:       type = fail-over
>Thu Dec 11 14:59:10 2008 : Debug:       home_server = localhost
>Thu Dec 11 14:59:10 2008 : Debug:  }
>Thu Dec 11 14:59:10 2008 : Debug:  realm uac.bj {
>Thu Dec 11 14:59:10 2008 : Debug:       auth_pool = my_auth_failover
>Thu Dec 11 14:59:10 2008 : Debug:  }

You have configured the server to proxy requests to itself. Don't do
that. Configure it as local realm (just {}).

..
>rad_recv: Access-Request packet from host 172.21.1.251 port 1035, id=233, 
>length=145
>        User-Name = "[EMAIL PROTECTED]"
>        NAS-IP-Address = 172.21.1.251
>        Connect-Info = "CONNECT 802.11"
>        Called-Station-Id = "0060b33573b4"
>        Calling-Station-Id = "000e35dfc4c9"
>        NAS-Identifier = "ap"
>        NAS-Port-Type = Wireless-802.11
>        NAS-Port = 40
>        NAS-Port-Id = "40"
>        Framed-MTU = 1400
>        EAP-Message = 0x0269001001746f746f407561632e626a
>        Message-Authenticator = 0x4047d95682a4670d24da3c2fa434814e
..
>Thu Dec 11 15:00:37 2008 : Debug: rlm_passwd: Added MD5-Password: 
>'HsrtQesmWHodM:14211::' to config_items

That's not going to work with PEAP.

Ivan Kalik
Kalik Informatika ISP



Re: Freeradius configuration to support EAP-TLS, EAP-TTLS and EAP-PEAP

2008-12-11 Thread Alan DeKok
Attou eric wrote:
> We are having some issues in setting up freeradius to support EAP-TLS,
> EAP-TTLS and EAP-PEAP.
> Our goal is to have our authentication server providing those three
> Auth-Type simultaneously.
> To support EAP-TLS, we generate our CA and certificates via TinyCA.

  Please read eap.conf.  You need certain things in the certificates for
PEAP to work on Windows.  I'm not sure that TinyCA does the right thing
here.

> We also add radius' log after an authentication attempt from  windows XP OS  
> using windows built in supplicant by supplying a username and password
> stored in
> our /etc/passwd file.

  PEAP will NOT work with /etc/passwd.  It's impossible.


> But the authentication failed with this
> error message :
>  
> *rlm_eap: identity does not match User-Name, setting from EAP identity*
>  
> Radius logs 
> ...Thu Dec 11 14:59:10 2008 : Debug: main {

  Please *follow* the instructions in the FAQ, README, INSTALL, and
"man" page.  We want "radiusd -X", not "radiusd -xX".  Adding the dates
makes the debug output harder to read.

  Note also that the debug output *includes* the configuration.  So
there's no need to post it separately.  And we don't ask for it, either.

> Sending Access-Request of id 200 to 127.0.0.1 port 1812
...
> rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=200,
> length=143

  Could you explain why you're proxying the packet from the server to
itself?  This isn't necessary.  It's also bad.

> Thu Dec 11 15:00:37 2008 : Error: rlm_eap: Identity does not match
> User-Name, setting from EAP Identity.

  Your supplicant is broken.  The two fields should match.

  Or, you're editing the User-Name.  Don't do that.

> Is there something wrong in our configurations?
> Is it normal that there is no User-Password attribute in Access-Request
> packet?

  Yes.  This is how EAP works.

  Alan DeKok.