Re: Freeradius configuration to support EAP-TLS, EAP-TTLS and EAP-PEAP
On Thu, Dec 11, 2008 at 9:16 AM, Attou eric wrote:
> Hi Everybody.
>
> We are having some issues in setting up freeradius to support EAP-TLS,
> EAP-TTLS and EAP-PEAP.
> Our goal is to have our authentication server providing those three
> Auth-Type simultaneously.
> To support EAP-TLS, we generate our CA and certificates via TinyCA.
>

You can use TinyCA, but you must add the proper extended key usage. Under Openssl-Configuration in TinyCA put the OID 1.3.6.1.5.5.7.3.1 for Server Certificates into Extended Key usage, and 1.3.6.1.5.5.7.3.2 into Client Certificate Extended Key Usage.

Jason

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius configuration to support EAP-TLS, EAP-TTLS and EAP-PEAP
>We are having some issues in setting up freeradius to support EAP-TLS,
>EAP-TTLS and EAP-PEAP.
>Our goal is to have our authentication server providing those three Auth-Type
>simultaneously.
>To support EAP-TLS, we generate our CA and certificates via TinyCA.
>
>We also add radius' log after an authentication attempt from windows XP OS
>
>using windows built in supplicant by supplying a username and password stored
>in
>
>our /etc/passwd file. But the authentication failed with this error message :
>
>rlm_eap: identity does not match User-Name, setting from EAP identity
>
>Thu Dec 11 14:59:10 2008 : Debug: radiusd: Loading Realms and Home
>Servers
>Thu Dec 11 14:59:10 2008 : Debug: proxy server {
>Thu Dec 11 14:59:10 2008 : Debug:      retry_delay = 5
>Thu Dec 11 14:59:10 2008 : Debug:      retry_count = 3
>Thu Dec 11 14:59:10 2008 : Debug:      default_fallback = no
>Thu Dec 11 14:59:10 2008 : Debug:      dead_time = 120
>Thu Dec 11 14:59:10 2008 : Debug:      wake_all_if_all_dead = no
>Thu Dec 11 14:59:10 2008 : Debug: }
>Thu Dec 11 14:59:10 2008 : Debug: home_server localhost {
>Thu Dec 11 14:59:10 2008 : Debug:      ipaddr = 127.0.0.1
>Thu Dec 11 14:59:10 2008 : Debug:      port = 1812
>Thu Dec 11 14:59:10 2008 : Debug:      type = "auth"
>Thu Dec 11 14:59:10 2008 : Debug:      secret = "testing123"
>Thu Dec 11 14:59:10 2008 : Debug:      response_window = 20
>Thu Dec 11 14:59:10 2008 : Debug:      max_outstanding = 65536
>Thu Dec 11 14:59:10 2008 : Debug:      zombie_period = 40
>Thu Dec 11 14:59:10 2008 : Debug:      status_check = "status-server"
>Thu Dec 11 14:59:10 2008 : Debug:      ping_check = "none"
>Thu Dec 11 14:59:10 2008 : Debug:      ping_interval = 30
>Thu Dec 11 14:59:10 2008 : Debug:      check_interval = 30
>Thu Dec 11 14:59:10 2008 : Debug:      num_answers_to_alive = 3
>Thu Dec 11 14:59:10 2008 : Debug:      num_pings_to_alive = 3
>Thu Dec 11 14:59:10 2008 : Debug:      revive_interval = 120
>Thu Dec 11 14:59:10 2008 : Debug:      status_check_timeout = 4
>Thu Dec 11 14:59:10 2008 : Debug: }
>Thu Dec 11 14:59:10 2008 : Debug: home_server_pool my_auth_failover {
>Thu Dec 11 14:59:10 2008 : Debug:      type = fail-over
>Thu Dec 11 14:59:10 2008 : Debug:      home_server = localhost
>Thu Dec 11 14:59:10 2008 : Debug: }
>Thu Dec 11 14:59:10 2008 : Debug: realm uac.bj {
>Thu Dec 11 14:59:10 2008 : Debug:      auth_pool = my_auth_failover
>Thu Dec 11 14:59:10 2008 : Debug: }

You have configured the server to proxy requests to itself. Don't do that. Configure it as local realm (just {}).

..

>rad_recv: Access-Request packet from host 172.21.1.251 port 1035, id=233,
>length=145
>       User-Name = "[EMAIL PROTECTED]"
>       NAS-IP-Address = 172.21.1.251
>       Connect-Info = "CONNECT 802.11"
>       Called-Station-Id = "0060b33573b4"
>       Calling-Station-Id = "000e35dfc4c9"
>       NAS-Identifier = "ap"
>       NAS-Port-Type = Wireless-802.11
>       NAS-Port = 40
>       NAS-Port-Id = "40"
>       Framed-MTU = 1400
>       EAP-Message = 0x0269001001746f746f407561632e626a
>       Message-Authenticator = 0x4047d95682a4670d24da3c2fa434814e

..

>Thu Dec 11 15:00:37 2008 : Debug: rlm_passwd: Added MD5-Password:
>'HsrtQesmWHodM:14211::' to config_items

That's not going to work with PEAP.

Ivan Kalik
Kalik Informatika ISP
Re: Freeradius configuration to support EAP-TLS, EAP-TTLS and EAP-PEAP
Attou eric wrote:
> We are having some issues in setting up freeradius to support EAP-TLS,
> EAP-TTLS and EAP-PEAP.
> Our goal is to have our authentication server providing those three
> Auth-Type simultaneously.
> To support EAP-TLS, we generate our CA and certificates via TinyCA.

Please read eap.conf. You need certain things in the certificates for PEAP to work on Windows. I'm not sure that TinyCA does the right thing here.

> We also add radius' log after an authentication attempt from windows XP OS
> using windows built in supplicant by supplying a username and password
> stored in
> our /etc/passwd file.

PEAP will NOT work with /etc/passwd. It's impossible.

> But the authentication failed with this
> error message :
>
> *rlm_eap: identity does not match User-Name, setting from EAP identity*
>
> Radius logs
> ...Thu Dec 11 14:59:10 2008 : Debug: main {

Please *follow* the instructions in the FAQ, README, INSTALL, and "man" page. We want "radiusd -X", not "radiusd -xX". Adding the dates makes the debug output harder to read.

Note also that the debug output *includes* the configuration. So there's no need to post it separately. And we don't ask for it, either.

> Sending Access-Request of id 200 to 127.0.0.1 port 1812
...
> rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=200,
> length=143

Could you explain why you're proxying the packet from the server to itself? This isn't necessary. It's also bad.

> Thu Dec 11 15:00:37 2008 : Error: rlm_eap: Identity does not match
> User-Name, setting from EAP Identity.

Your supplicant is broken. The two fields should match. Or, you're editing the User-Name. Don't do that.

> Is there something wrong in our configurations?
> Is it normal that there is no User-Password attribute in Access-Request
> packet?

Yes. This is how EAP works.

Alan DeKok.
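As an added example (not code from the thread or from FreeRADIUS itself), the following Python decodes the EAP-Message value quoted in Ivan's log excerpt and performs the comparison Alan describes, where the EAP-Response/Identity must equal the outer User-Name. The User-Name samples are constructed, since the real one is masked on the page; the EAP-Message bytes are the ones from the log.

```python
# Added example: parse the EAP-Message attribute(s) of an Access-Request and
# compare the EAP Identity with User-Name, the check behind the rlm_eap error.
import struct

EAP_TYPE_IDENTITY = 1
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def parse_eap_message(fragments):
    """Reassemble the EAP-Message attribute(s) of one RADIUS packet (a long EAP
    packet is split over several attributes, in order) and decode the header."""
    data = b"".join(fragments)
    if len(data) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length {length} != {len(data)} bytes received")
    eap = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):  # Request/Response carry a Type octet plus type data
        if length < 5:
            raise ValueError("EAP Request/Response missing Type octet")
        eap["type"] = data[4]
        eap["type_data"] = data[5:]
    return eap

def eap_identity(eap):
    """Return the NAI from an EAP-Response/Identity, or None for other packets."""
    if eap["code"] != "Response" or eap.get("type") != EAP_TYPE_IDENTITY:
        return None
    # Some supplicants append a NUL and option data; keep only the NAI.
    return eap["type_data"].split(b"\x00", 1)[0].decode("utf-8")

def check_identity(user_name, eap_fragments):
    """Mirror the rlm_eap check: outer User-Name should equal the EAP Identity."""
    identity = eap_identity(parse_eap_message(eap_fragments))
    if identity is None:
        return "not an EAP-Response/Identity", identity
    if identity == user_name:
        return "ok", identity
    return "identity does not match User-Name, setting from EAP identity", identity

# EAP-Message value quoted in Ivan's log above; User-Name samples below are
# constructed (the original User-Name is masked on the page).
EAP_MESSAGE = bytes.fromhex("0269001001746f746f407561632e626a")

if __name__ == "__main__":
    for user_name in ("toto@uac.bj", "toto"):
        status, ident = check_identity(user_name, [EAP_MESSAGE])
        print(f"User-Name={user_name!r} EAP-Identity={ident!r}: {status}")
```

The decoded packet is an EAP-Response (id 0x69, length 16) of type Identity carrying "toto@uac.bj", so a User-Name that differs from that string produces exactly the mismatch Alan is pointing at.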