Re: MS-CHAP/PEAP

2004-05-26 Thread Damjan
 PEAP requires a certificate for the server, but not for the clients.  

What are the differences between PEAP and EAP-TTLS?
Which one is more secure?
Which one has broader support in supplicants?

Can I use both eap-ttls and peap?

-- 
damjan | 
This is my jabber ID -- [EMAIL PROTECTED] -- not my mail address!!!

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


MS-CHAP/PEAP

2004-05-21 Thread Barry Stewart
Hi,
  I'm trying to use Freeradius to authenticate users in a wireless 
network.  I don't wish to use certificates at all.  I have read the FAQ 
and all the documentation I have found on this.  Most of the clients 
will be running Windows XP.  From what I've read it looks like I will 
need to use mschapv2 and peap.  I have downloaded the latest snapshot 
from CVS.   The comments in the eap.conf file say you need to configure 
the TLS module.  I'm not quite sure how to do this if I'm not using 
certificates.  The daemon won't start unless I uncomment out a few lines 
such as the path to the certificate files.  I configured my wireless AP 
to use FR and tried authenticating with a Windows XP client but all 
authentication requests are rejected.  I'm not sure if I have 
misconfigured FR or the clients or both.  I can authenticate with the 
radtest client as shown in the documentation.  I ran FR in debugging 
mode and I've pasted the output below.   I've tried different client 
configurations and played with the conf files quite a bit but haven't 
had any luck.  I'm new to FR and would appreciate (do not expect) any 
help with this.  

TIA,
   Barry Stewart

Thread 3 waiting to be assigned a request
rad_recv: Access-Request packet from host 192.168.1.2:6001, id=39, length=188
Waking up in 31 seconds...
Thread 4 got semaphore
Thread 4 handling request 8, (2 handled so far)
   User-Name = bstewart
   NAS-IP-Address = 192.168.1.2
   Called-Station-Id = 00-20-a6-49-0f-4d
   Calling-Station-Id = 00-90-96-a5-ec-7d
   NAS-Identifier = Dell-TM-1170-AP-49-0f-4d
   State = 0x725a135fbfed24a58909bf4b8e16b9c0
   Framed-MTU = 1400
   NAS-Port-Type = Wireless-802.11
   EAP-Message = 0x020a00261900170301001b53eae4429458cf05748e6a4945a011f0302d3bec929711b1a42eb0
   Message-Authenticator = 0xe999651b7458764e92f923df04422e0a
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
 modcall[authorize]: module preprocess returns ok for request 8
 modcall[authorize]: module chap returns noop for request 8
 modcall[authorize]: module mschap returns noop for request 8
   rlm_realm: No '@' in User-Name = bstewart, looking up realm NULL
   rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 8
 rlm_eap: EAP packet type response id 10 length 38
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module eap returns updated for request 8
   users: Matched DEFAULT at 152
 modcall[authorize]: module files returns ok for request 8
modcall: group authorize returns updated for request 8
 rad_check_password:  Found Auth-Type EAP
auth: type EAP
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/peap
 rlm_eap: processing type peap
 rlm_eap_peap: Authenticate
 rlm_eap_tls: processing TLS
 eaptls_verify returned 7
 rlm_eap_tls: Done initial handshake
 eaptls_process returned 7
 rlm_eap_peap: EAPTLS_OK
 rlm_eap_peap: Session established.  Decoding tunneled attributes.
 rlm_eap_peap: Received EAP-TLV response.
 rlm_eap_peap: Tunneled data is valid.
 rlm_eap_peap:  Had sent TLV failure, rejecting.
rlm_eap: Handler failed in EAP/peap
 rlm_eap: Failed in EAP select
 modcall[authenticate]: module eap returns invalid for request 8

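The EAP-Message attribute in the debug trace above is opaque as printed, but its first bytes say what stage the PEAP conversation is at. The following is an added example, not code from FreeRADIUS or from anyone in this thread: a small decoder for the EAP header and the TLS record headers inside an EAP-TLS/TTLS/PEAP packet. The only input taken from the page is the EAP-Message value from the trace; the names, the dataclass and the Identity/Success samples used for checking are the example's own.

```python
"""Decode a RADIUS EAP-Message attribute as printed by FreeRADIUS's debug output.

Added example (not FreeRADIUS code). SAMPLE is the EAP-Message from the
debug trace in this thread; everything else is constructed.
"""
from dataclasses import dataclass, field

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS",
             25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
TLS_TUNNEL_TYPES = (13, 21, 25)  # EAP methods that carry TLS records


@dataclass
class EapPacket:
    code: str
    identifier: int
    length: int
    eap_type: str = ""
    flags: int = 0                      # L/M/S bits; low 2 bits = PEAP version
    tls_records: list = field(default_factory=list)  # (content type, version, length)


def decode_eap_message(hexstr: str) -> EapPacket:
    """Parse one EAP-Message attribute value ('0x...' as FreeRADIUS prints it)."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header is at least 4 bytes")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        # A mismatch means the attribute was fragmented across several
        # EAP-Message attributes or mangled; refuse rather than parse garbage.
        raise ValueError(f"EAP length field {length} != attribute length {len(raw)}")
    pkt = EapPacket(EAP_CODES.get(code, f"code-{code}"), ident, length)
    if code in (3, 4):                  # Success/Failure carry no type byte
        return pkt
    eap_type = raw[4]
    pkt.eap_type = EAP_TYPES.get(eap_type, f"type-{eap_type}")
    if eap_type not in TLS_TUNNEL_TYPES:
        return pkt
    pkt.flags = raw[5]
    data = raw[6:]
    if pkt.flags & 0x80:                # L bit: 4-byte total TLS length precedes the data
        data = data[4:]
    # Walk the TLS records in this fragment. Content type 23 (application_data)
    # after the handshake is the encrypted inner conversation (MS-CHAPv2 / TLVs).
    while len(data) >= 5:
        ctype = data[0]
        version = (data[1], data[2])
        rlen = int.from_bytes(data[3:5], "big")
        pkt.tls_records.append(
            (TLS_CONTENT_TYPES.get(ctype, f"type-{ctype}"), version, rlen))
        data = data[5 + rlen:]
    return pkt


# EAP-Message from the debug trace in this thread
SAMPLE = "0x020a00261900170301001b53eae4429458cf05748e6a4945a011f0302d3bec929711b1a42eb0"

if __name__ == "__main__":
    print(decode_eap_message(SAMPLE))
```

Run against the trace value, the decoder reports an EAP Response, id 10, length 38, type PEAP, carrying one TLS application_data record of 27 bytes. That is what the server logs as "Session established. Decoding tunneled attributes": the TLS handshake is already done and the client is answering inside the tunnel, so the rejection ("Had sent TLV failure") comes from the inner exchange, not from the certificate handshake. A packet whose length field disagrees with the attribute length is refused, since that usually means a fragmented message that must be reassembled first.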


Re: MS-CHAP/PEAP

2004-05-21 Thread Barry Stewart
Thanks,
   It makes more sense now.  I'll give it a try!
Bob McCormick wrote:
PEAP requires a certificate for the server, but not for the 
clients. FreeRADIUS comes with some scripts for generating a self-signed 
certificate, or you can buy one from Verisign or Thawte.




Re: MS-CHAP/PEAP

2004-05-21 Thread Barry Stewart
I looked into the certificates a bit and I found the scripts for 
generating them.  I can certainly create certs and I can create my own 
CA.  However,  I'm not sure this is my problem now as FR comes with 
sample certs and the lines in eap.conf point to these.  If I change the 
password in eap.conf FR won't start.  It looks like it is working with 
the included certs.  Please correct me if I'm wrong.

   Thanks again for your response.
-Barry
Bob McCormick wrote:
PEAP requires a certificate for the server, but not for the 
clients. FreeRADIUS comes with some scripts for generating a self-signed 
certificate, or you can buy one from Verisign or Thawte.




Re: MS-CHAP/PEAP

2004-05-21 Thread Barry Stewart
Thanks for the response,
Bob McCormick clued me in on this.  I thought this was about client 
certs.  I have been successful authenticating with PEAP thanks to Kerry 
Hughes.   I didn't have the users file configured right as I was 
including Auth-Type in the following line:

userid User-Password == mypassword

Now I am trying to get this working with LDAP.  According to the docs 
there is a way to get the password from LDAP and then authenticate using 
CHAP.  Is there a way to do this with PEAP/MS-CHAP?  The passwords in 
the LDAP directory are encrypted.

Thanks again,
-Barry
 

Alan DeKok wrote:
Barry Stewart [EMAIL PROTECTED] wrote:
 

  I'm trying to use Freeradius to authenticate users in a wireless 
network.  I don't wish to use certificates at all.
   

 Then you can't authenticate users in a wireless network.
 

From what I've read it looks like I will need to use mschapv2 and
peap.
   

 Which requires the use of a server-side certificate.
 

The comments in the eap.conf file say you need to configure 
the TLS module.
   

 To use PEAP, yes.
 

I'm not quite sure how to do this if I'm not using certificates.
   

 You can't.  It's impossible.
 

The daemon won't start unless I uncomment out a few lines such as
the path to the certificate files.
   

 Exactly.
 Alan DeKok.
 


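The fix Barry describes above (dropping Auth-Type from the users entry) is easy to check for mechanically. The following is an added example, not FreeRADIUS code and not anything posted in this thread: a parser for the users-file entry format (name plus check items on the first line, indented reply items after it) and a lint that flags entries setting Auth-Type as a check item. USERS_FILE is a constructed sample; the bstewart entry reproduces the mistake described in the thread, and the other entries and the exemption for Auth-Type := Reject are the example's own assumptions.

```python
"""Parse FreeRADIUS 'users' file entries and flag an Auth-Type check item.

Added example (not FreeRADIUS code). USERS_FILE is a constructed sample,
not the poster's real file.
"""
import re

# attr op value, with value either double-quoted (may contain commas) or bare
ITEM_RE = re.compile(
    r'([\w.-]+)\s*(:=|==|\+=|!=|>=|<=|=~|!~|=|<|>)\s*("(?:[^"\\]|\\.)*"|[^,\s]+)')


def parse_items(text):
    """Return [(attribute, operator, value)] from a comma-separated item list."""
    items = []
    for m in ITEM_RE.finditer(text):
        attr, op, value = m.groups()
        if value.startswith('"'):
            value = value[1:-1]
        items.append((attr, op, value))
    return items


def parse_users_file(text):
    """Split a users file into entries of the form {'name', 'check', 'reply'}.

    An entry starts at a line beginning in column 0 (name, then check items);
    the indented lines that follow are its reply items.
    """
    entries = []
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":
            parts = line.split(None, 1)
            current = {"name": parts[0],
                       "check": parse_items(parts[1]) if len(parts) > 1 else [],
                       "reply": []}
            entries.append(current)
        elif current is not None:
            current["reply"].extend(parse_items(line))
    return entries


def lint_users_file(text):
    """Flag entries whose check items force Auth-Type.

    For an EAP conversation rlm_eap sets Auth-Type = EAP during authorize
    (in the trace above it runs before the files module). A users entry that
    sets Auth-Type itself, e.g. ':= Local', overrides that, so the
    PEAP/MS-CHAPv2 exchange is never handed back to rlm_eap and the request
    is rejected. 'Auth-Type := Reject' is a deliberate deny and is left alone.
    """
    problems = []
    for entry in parse_users_file(text):
        for attr, op, value in entry["check"]:
            if attr.lower() == "auth-type" and value.lower() != "reject":
                problems.append((entry["name"],
                                 f"check item 'Auth-Type {op} {value}' overrides "
                                 f"the Auth-Type set by rlm_eap; drop it"))
    return problems


USERS_FILE = """\
# constructed sample users file
bstewart\tAuth-Type := Local, User-Password == "mypassword"

jdoe\tUser-Password == "secret"
\tReply-Message = "Hello, %u"

DEFAULT\tNAS-Port-Type == Wireless-802.11
\tFall-Through = Yes
"""

if __name__ == "__main__":
    for name, msg in lint_users_file(USERS_FILE):
        print(f"{name}: {msg}")
```

On the sample, only the bstewart entry is reported; the jdoe entry, which supplies just the User-Password check item the inner MS-CHAPv2 needs, passes. Quoted values are kept whole even when they contain commas, and lines starting with `#` or blank lines are skipped, which is enough for the entry layout FreeRADIUS documents for this file.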