Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory

2011-07-27 Thread m4xmr
Hi,
have you found a solution or a workaround?
I have the same problem you experienced.
I configured freeradius to talk with LDAP on Mac but at the end I realized
that the clear-text password of the LDAP user isn't saved in the userPassword
field.
OpenDirectory doesn't use that field and implements the authentication through
Kerberos.
I've just recompiled freeradius with the rlm_opendirectory module enabled
and now I'm experiencing the problem you were talking about..., I suppose I
have to install freeradius on the same machine as OpenDirectory.
I'm pretty upset about it..., it's a little odd.
Have you got some useful information about it?

Let me know, please.

Max

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Freeradius-PEAP-MSCHAPv2-against-Apple-OpenDirectory-tp2787113p4637821.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius + PEAP/EAP-MSCHAPv2 + AD 2008

2011-03-18 Thread Alan Buxey
Hi,

I've followed the following howto:
[1]http://deployingradius.com/documents/configuration/active_directory.html
and everything goes fine with the radtest, wbinfo, ntlm_auth and my user
is correctly authenticated.

my first question is why such an old version of FreeRADIUS if you are
only just starting out?  2.1.10 has a LOT of bug fixes compared to the
very old 2.1.7 version...dated 14 September 2009, 2.1.7 came out before Windows
7 (*)

Win7 is also VERY fussy about certs. Have you installed the CA cert
that your RADIUS server is signed with? I know you haven't ticked the validate
button..but Win7 is fussy(!)


alan

(*) release to manufacturing was July 2009, release to retail was Oct 2009



Re: freeradius+peap+mschap+AD

2010-04-26 Thread Alan Buxey
Hi,

 Info: ++[mschap] returns ok
 Debug: MSCHAP Success
 
 So I assume that the auth. against AD is OK

not if you haven't done the EAP inner-tunnel stuff yet - unless you mean
basic authorize has completed.

 but then the inner tunnel does something

well, it tries to

 Mon Apr 26 12:32:15 2010 : Info: [peap] Got tunneled Access-Challenge
 Mon Apr 26 12:32:15 2010 : Info: ++[eap] returns handled
 Sending Access-Challenge of id 0 to 194.47.88.154 port 2051
 EAP-Message =
 0x0107005b19001703010050154c3b195ed5a3fa88fd21477529cf86ee7d1d98cf8eb918036ac8aa14cd6f8c66a1836e9ab27087ad7df766d20447dbce1247b6a9ccf6b4376d854978db210db60f9b3578592123a4c5d43a205e8f79
 Message-Authenticator = 0x
 State = 0x3b975d133d90441898602b7c0076958a

it sends a challenge back to the NAS/AP - but nothing else is happening.
so, either the NAS or the client.  how have you got the AP set up? 802.1X or
WPA-Enterprise? how is the client configured?  to use PEAP/MSCHAPv2 or
EAP-TTLS/MSCHAPv2?
got the required certificate installed on the client?

alan


Re: freeradius+peap+mschap+AD

2010-04-26 Thread Aniss Nazerian
Hi,

This is what I get.
--
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for usern...@domain.xx with NT-Password
[mschap] expand: %{Stripped-User-Name} -> username
[mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=username
[mschap] No NT-Domain was found in the User-Name.
[mschap] expand: %{mschap:NT-Domain} ->
[mschap] expand: --domain=%{%{mschap:NT-Domain}:-DOMAIN.XX} -> --domain=LNU.SE
[mschap]  mschap2: 67
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=756cc36d609e7393
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=29dbc4dc525dd28cac668e57a0d85803996301a054d782fb
Exec-Program output: NT_KEY: A67F6D31D2596CD536AD173AE3DBD480
Exec-Program-Wait: plaintext: NT_KEY: A67F6D31D2596CD536AD173AE3DBD480
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
---

I'm using WPA2-enterprise (tried WPA-ent too)
I've tried both PEAP/MSCHAPv2 and EAP-TTLS/MSCHAPv2 and the CA-cert is
used on the client.



-- 
Aniss Nazerian, IT-Department, Linnaeus University
Phone: +46-470-708183, E-mail:aniss.nazer...@vxu.se

O ascii ribbon campaign - stop html mail - www.asciiribbon.org


Re: Freeradius + PEAP.. stuck on validating identity..

2010-04-01 Thread Matt Harlum

On 01/04/2010, at 1:44 PM, Matt Harlum wrote:

 
 On 01/04/2010, at 7:39 AM, Bruno Kremel wrote:
 
 On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
 What should be there?
 Because I don't know, I am using the Daloradius web interface for adding data to
 the database, so I just loaded the default daloradius SQL which was intended
 (according to the readme of daloradius) for 2.X Freeradius... and added accounts
 in the web interface...

 Here's an example from my radcheck table in the SQL Database
  id | UserName    | Attribute     | op | Value       |
 ----+-------------+---------------+----+-------------+
   1 | exampleuser | User-Password | == | password123 |
 
 This is how yours should be set up, otherwise you will get the validating 
 issue in Windows.
 

I was wrong, it should be:
Here's an example from my radcheck table in the SQL Database
 id | UserName    | Attribute          | op | Value       |
----+-------------+--------------------+----+-------------+
  1 | exampleuser | Cleartext-Password | := | password123 |

My configuration was wrong, it'd seem. I hadn't noticed as I'm primarily using
EAP-TLS with EAP-TTLS as a fallback, and didn't test it when I upgraded to 2.x.

Regards,
Matt Harlum

 
 

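Matt's corrected row is the pattern every radcheck entry should be checked against. As an added example (not code from this thread or from FreeRADIUS), the Python lint below applies the rules the thread arrives at to rows read from radcheck: a User-Password check item is ignored, Auth-Type := Accept bypasses authentication and breaks the EAP conversation, a password set with a comparison operator never matches, and MS-CHAPv2 needs Cleartext-Password or NT-Password. The sample rows, the `hashonly` user and the placeholder hash are constructed.

```python
"""Lint FreeRADIUS 2.x radcheck rows for the mistakes discussed in this thread.

Added example, not code from the thread or from FreeRADIUS. Rows are
(username, attribute, op, value) tuples, i.e. the columns the server's own
authorize_check_query selects from radcheck.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Row = Tuple[str, str, str, str]

# Check items that give rlm_mschap a "known good" password for MS-CHAPv2: the
# clear text, or the NT hash it would otherwise derive from the clear text.
MSCHAP_USABLE = {"Cleartext-Password", "NT-Password"}
# Hashed formats rlm_pap can verify: fine for PAP, useless for PEAP/EAP-MSCHAPv2.
PAP_ONLY = {"SSHA-Password", "SHA-Password", "MD5-Password", "Crypt-Password"}
# Operators that *compare* against the request instead of *setting* a check item.
COMPARE_OPS = {"==", "!=", "<", "<=", ">", ">=", "=~", "!~"}


@dataclass(frozen=True)
class Finding:
    username: str
    severity: str  # "error" (authentication cannot work) or "warning"
    message: str


def lint_radcheck(rows: List[Row]) -> List[Finding]:
    """Return one Finding per problem, grouped by user in input order."""
    by_user: Dict[str, List[Row]] = {}
    for row in rows:
        by_user.setdefault(row[0], []).append(row)

    findings: List[Finding] = []
    for username, items in by_user.items():
        has_password = False
        mschap_ok = False
        for _, attribute, op, value in items:
            if attribute == "User-Password":
                # The attribute the *client* sends; as a check item 2.x ignores it.
                findings.append(Finding(username, "error",
                    "User-Password is not a check item; use Cleartext-Password := instead"))
            elif attribute == "Auth-Type" and value.lower() == "accept":
                # Forces success without checking anything and short-circuits EAP.
                findings.append(Finding(username, "error",
                    "Auth-Type := Accept skips authentication; delete the row"))
            elif attribute in MSCHAP_USABLE or attribute in PAP_ONLY:
                has_password = True
                mschap_ok = mschap_ok or attribute in MSCHAP_USABLE
                if op in COMPARE_OPS:
                    # Compares against a request attribute that is never there,
                    # so the entry does not match and no password gets set.
                    findings.append(Finding(username, "error",
                        f"{attribute} uses '{op}' (a comparison); set it with ':='"))
        if not has_password:
            findings.append(Finding(username, "error",
                "no known-good password (Cleartext-Password or NT-Password) for this user"))
        elif not mschap_ok:
            findings.append(Finding(username, "warning",
                "only a hashed password: PAP works, PEAP/EAP-MSCHAPv2 will fail"))
    return findings


def repair_rows(rows: List[Row]) -> List[Row]:
    """Apply the thread's fixes mechanically; hashed-only users are left alone."""
    fixed: List[Row] = []
    for username, attribute, op, value in rows:
        if attribute == "Auth-Type" and value.lower() == "accept":
            continue  # drop the row entirely
        if attribute == "User-Password":
            attribute = "Cleartext-Password"
        if attribute in MSCHAP_USABLE or attribute in PAP_ONLY:
            op = ":="
        fixed.append((username, attribute, op, value))
    return fixed


# Constructed sample: Matt's first table, a daloradius-style Auth-Type row next
# to a real password, Matt's corrected row, and a hash-only user.
SAMPLE_ROWS: List[Row] = [
    ("exampleuser", "User-Password", "==", "password123"),
    ("pokus", "Auth-Type", ":=", "Accept"),
    ("pokus", "Cleartext-Password", ":=", "example-secret"),
    ("exampleuser2", "Cleartext-Password", ":=", "password123"),
    ("hashonly", "SSHA-Password", ":=", "PLACEHOLDER-BASE64-HASH"),
]

if __name__ == "__main__":
    for f in lint_radcheck(SAMPLE_ROWS):
        print(f"{f.severity:7} {f.username:12} {f.message}")
    print("after repair:", lint_radcheck(repair_rows(SAMPLE_ROWS)))
```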

Re: Freeradius + PEAP.. stuck on validating identity..

2010-04-01 Thread Bruno Kremel

Thank you for the answer.. You are right about that SQL, it is some mess in
daloradius, but I tried to disable SQL and use the /etc/freeradius/users
file instead, and now I am stuck on "Attempting to authenticate".. the log
says this:

Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.3.1 port 1320, id=0,
length=137
Cleaning up request 39 ID 0 with timestamp +589
User-Name = pokus
NAS-IP-Address = 192.168.3.1
Called-Station-Id = 00259c523046
Calling-Station-Id = 001e650eb532
NAS-Identifier = 00259c523046
NAS-Port = 9
Framed-MTU = 1400
State = 0x53b1704550ba694fbe3359243d2a2638
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020b00061900
Message-Authenticator = 0x5fde19c57e8672a11c18b0b34d8c3acd
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = pokus, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: EAP packet type response id 11 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.3.1 port 1320
EAP-Message = 0x010c00061900
Message-Authenticator = 0x
State = 0x53b1704557bd694fbe3359243d2a2638
Finished request 40.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 40 ID 0 with timestamp +589
Ready to process requests.

That Access-Challenge should authenticate my client if I am not wrong,
but it still shows me validating identity and the attempting to
authenticate...



Re: Freeradius + PEAP.. stuck on validating identity..

2010-04-01 Thread Matt Harlum
On 01/04/2010, at 8:40 PM, Bruno Kremel wrote:

 Thank you for the answer.. You are right about that SQL, it is some mess in
 daloradius, but I tried to disable SQL and use the /etc/freeradius/users
 file instead, and now I am stuck on "Attempting to authenticate".. the log
 says this:

Are you trying to use EAP-TTLS?

 Going to the next request
 Waking up in 4.9 seconds.
 rad_recv: Access-Request packet from host 192.168.3.1 port 1320, id=0,
 length=137
 Cleaning up request 39 ID 0 with timestamp +589
User-Name = pokus
NAS-IP-Address = 192.168.3.1
Called-Station-Id = 00259c523046
Calling-Station-Id = 001e650eb532
NAS-Identifier = 00259c523046
NAS-Port = 9
Framed-MTU = 1400
State = 0x53b1704550ba694fbe3359243d2a2638
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020b00061900
Message-Authenticator = 0x5fde19c57e8672a11c18b0b34d8c3acd
 +- entering group authorize
 ++[preprocess] returns ok
 ++[chap] returns noop
 ++[mschap] returns noop
rlm_realm: No '@' in User-Name = pokus, looking up realm NULL
rlm_realm: No such realm NULL
 ++[suffix] returns noop
  rlm_eap: EAP packet type response id 11 length 6
  rlm_eap: Continuing tunnel setup.
 ++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
 auth: type EAP
 +- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
 rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
 ++[eap] returns handled
 Sending Access-Challenge of id 0 to 192.168.3.1 port 1320
EAP-Message = 0x010c00061900
Message-Authenticator = 0x
State = 0x53b1704557bd694fbe3359243d2a2638
 Finished request 40.
 Going to the next request
 Waking up in 4.9 seconds.
 Cleaning up request 40 ID 0 with timestamp +589
 Ready to process requests.

Hard for me to tell what's going wrong here, radiusd -X should give more 
diagnostic information that would help

also, what was the exact section of your users file like? with obfuscated login 
credentials of course.
  
 That Access-Challenge should authenticate my client if I am not wrong,
 but it still shows me validating identity and the attempting to
 authenticate...
 




Re: Freeradius + PEAP.. stuck on validating identity..

2010-04-01 Thread Alan DeKok
Bruno Kremel wrote:
 Sending Access-Challenge of id 0 to 192.168.3.1 port 1320
 EAP-Message = 0x010c00061900
 Message-Authenticator = 0x
 State = 0x53b1704557bd694fbe3359243d2a2638
 Finished request 40.
 Going to the next request
 Waking up in 4.9 seconds.
 Cleaning up request 40 ID 0 with timestamp +589
 Ready to process requests.

  This is documented in the FAQ, in the comments in raddb/eap.conf, and
on my web site (http://deployingradius.com/).

  Please read the existing documentation,

 That Access-Challenge should authenticate my client if I am not wrong,

  No.

  Alan DeKok.


Re: Freeradius + PEAP.. stuck on validating identity..

2010-04-01 Thread Bruno Kremel

Thank you for those links... I have read that FAQ and so I copied over the
default eap.conf and tried it with the users file.. it is working OK, I can
connect to the AP with username/password, but when I tried to use SQL again (I
have the correct format in SQL now) it ends up with this
Accept-Reject:

  rlm_eap_peap:  Had sent TLV failure.  User was rejected earlier in
this session.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [pokus2/via Auth-Type = EAP] (from client
ciscorouter port 44 cli 001e650ece6c)
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> pokus2
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 23 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 23
Sending Access-Reject of id 0 to 192.168.3.1 port 1327
EAP-Message = 0x040a0004
Message-Authenticator = 0x
Waking up in 4.9 seconds.
Cleaning up request 23 ID 0 with timestamp +735
Ready to process requests.


But radtest gives me:
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 54224,
id=218, length=57
User-Name = test2
User-Password = pokus2
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = test2, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
expand: %{User-Name} -> test2
rlm_sql (sql): sql_set_user escaped user --> 'test2'
rlm_sql (sql): Reserving sql socket id: 2
expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test2' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test2' ORDER BY id
expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'test2' ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
  rad_check_password:  Found Auth-Type
auth: type PAP
+- entering group PAP
rlm_pap: login attempt with password pokus2
rlm_pap: Using clear text password pokus2
rlm_pap: User authenticated successfully
++[pap] returns ok
Login OK: [test2/pokus2] (from client localhost port 1812)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 218 to 127.0.0.1 port 54224
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 10 ID 218 with timestamp +263
Ready to process requests.

So is it sql problem or something with eap?



Re: Freeradius + PEAP.. stuck on validating identity..

2010-04-01 Thread Alan DeKok
Bruno Kremel wrote:
 I am posting the full log; the first is radtest accepted and the others are
 failed logins from the wifi client with 2 different accounts...
 
 FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Mar 29
 2010 at 15:58:09

  You should probably upgrade to 2.1.8.  It has a lot of fixes &
features over 2.0.4.


 server inner-tunnel {
 +- entering group authorize
 ++[chap] returns noop
 ++[mschap] returns noop
 ++[unix] returns notfound
 rlm_realm: No '@' in User-Name = 123, looking up realm NULL
 rlm_realm: No such realm NULL
 ++[suffix] returns noop
 ++[control] returns noop
   rlm_eap: EAP packet type response id 8 length 62
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 ++[eap] returns updated
 ++[files] returns noop
 ++[expiration] returns noop
 ++[logintime] returns noop
 ++[pap] returns noop

  And no sql.  Edit raddb/sites-available/inner-tunnel, and add sql
to the authorize section.  It's already there, so you likely just have
to uncomment it.

   rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
   rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
   rlm_mschap: Told to do MS-CHAPv2 for 123 with NT-Password
   rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

  Yup.  No known good password means no authentication.

  You could also try:  http://networkradius.com/freeradius.html

  This lets you cut & paste the debug output into a form.  The response
is a colorized HTML page indicating common errors, and things you should
look into.  It won't catch this problem, but it will highlight the fact
that there was no known good password for the user.

  Alan DeKok.
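Alan's two diagnoses here (no sql in the inner tunnel, no known good password) can be pulled out of `radiusd -X` output mechanically. As an added example (not the networkradius.com debug form and not FreeRADIUS code), the Python triage below matches the debug messages quoted in this thread and reports what to look at; the debug excerpts are constructed from those messages, and the `} # server inner-tunnel` close marker is an assumption about the 2.x output format.

```python
"""Triage FreeRADIUS 2.x `radiusd -X` output for the failure modes in this thread.

Added example, not code from the thread, FreeRADIUS or networkradius.com.
Rules match substrings of debug messages quoted in the thread; the
"} # server inner-tunnel" line that closes the tunnel section is assumed.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    code: str
    hint: str


HINTS = {
    "AUTH_TYPE_ACCEPT": "Auth-Type := Accept found: the password is ignored and the "
                        "EAP conversation is short-circuited. Delete that check item.",
    "INNER_TUNNEL_NO_SQL": "sql runs in the outer authorize but not in server "
                           "inner-tunnel, so the tunneled identity has no password "
                           "source. Uncomment sql in raddb/sites-available/inner-tunnel.",
    "NO_KNOWN_GOOD_PASSWORD": "rlm_mschap has no Cleartext-Password/NT-Password to work "
                              "from; check the user's check items and which modules ran.",
    "MSCHAP_RESPONSE_MISMATCH": "a known-good password exists but the MS-CHAPv2 response "
                                "does not match it: wrong password or stale backend entry.",
    "PEAP_INNER_REJECTED": "PEAP sent a TLV failure: the inner authentication failed "
                           "earlier; the root cause is above this line, not here.",
}


def triage(debug_text: str) -> List[Finding]:
    """Scan debug output once and return deduplicated findings in detection order."""
    codes: List[str] = []

    def note(code: str) -> None:
        if code not in codes:
            codes.append(code)

    in_inner = False
    outer_sql = inner_sql = False
    for raw in debug_text.splitlines():
        line = raw.strip()
        if line.startswith("server inner-tunnel {"):
            in_inner, inner_sql = True, False
            continue
        if in_inner and line.startswith("}"):  # assumed close marker
            if outer_sql and not inner_sql:
                note("INNER_TUNNEL_NO_SQL")
            in_inner = False
            continue
        if line.startswith("++[sql]"):
            if in_inner:
                inner_sql = True
            else:
                outer_sql = True
        if "Auth-Type = Accept, accepting the user" in line:
            note("AUTH_TYPE_ACCEPT")
        if "No Cleartext-Password configured" in line:
            note("NO_KNOWN_GOOD_PASSWORD")
        # Only a real mismatch if the server actually had a password to compare.
        if "MS-CHAP2-Response is incorrect" in line and "NO_KNOWN_GOOD_PASSWORD" not in codes:
            note("MSCHAP_RESPONSE_MISMATCH")
        if "Had sent TLV failure" in line:
            note("PEAP_INNER_REJECTED")
    if in_inner and outer_sql and not inner_sql:  # output cut off inside the tunnel
        note("INNER_TUNNEL_NO_SQL")
    return [Finding(c, HINTS[c]) for c in codes]


# Constructed excerpts assembled from the messages quoted in this thread.
SAMPLE_PEAP = """\
rad_recv: Access-Request packet from host 192.168.3.1 port 1320, id=0, length=137
+- entering group authorize
++[mschap] returns noop
++[eap] returns updated
++[sql] returns ok
server inner-tunnel {
+- entering group authorize
++[mschap] returns noop
++[eap] returns updated
++[files] returns noop
++[pap] returns noop
  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
} # server inner-tunnel
  rlm_eap_peap:  Had sent TLV failure.  User was rejected earlier in this session.
Sending Access-Reject of id 0 to 192.168.3.1 port 1327
"""
SAMPLE_ACCEPT = """\
++[sql] returns ok
  rad_check_password: Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
Sending Access-Accept of id 0 to 192.168.3.1 port 1320
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PEAP, SAMPLE_ACCEPT):
        for f in triage(sample):
            print(f"{f.code}: {f.hint}")
```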


Re: Freeradius + PEAP.. stuck on validating identity..

2010-03-31 Thread Alan DeKok



Bruno Kremel wrote:
 My configuration is pretty much default except of enabling MySQL and
 setting paths and passwords to certificates (generated with make
 script in /etc/freeradius/certs, so they should be OK) and addresses
 of clients.

  And what did you put in SQL?

 expand: %{User-Name} -> pokus
 rlm_sql (sql): sql_set_user escaped user --> 'pokus'
 rlm_sql (sql): Reserving sql socket id: 3
 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'pokus' ORDER BY id
 rlm_sql (sql): User found in radcheck table
 expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'pokus' ORDER BY id
 expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'pokus' ORDER BY priority
...
 rad_check_password: Found Auth-Type Accept
 rad_check_password: Auth-Type = Accept, accepting the user

  Why did you put Auth-Type = Accept in SQL?

  It's breaking the server.  Delete it.

 To me it seems that name/password was accepted so I have no clue where
 is the problem..

  The password was NOT accepted.  It was *ignored*.

  Alan DeKok.


Re: Freeradius + PEAP.. stuck on validating identity..

2010-03-31 Thread Bruno Kremel
On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
 Bruno Kremel wrote:
  My configuration is pretty much default except of enabling MySQL and
  setting paths and passwords to certificates (generated with make
  script in /etc/freeradius/certs, so they should be OK) and addresses
  of clients.
 
   And what did you put in SQL?
 
  expand: %{User-Name} -> pokus
  rlm_sql (sql): sql_set_user escaped user --> 'pokus'
  rlm_sql (sql): Reserving sql socket id: 3
  expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'pokus' ORDER BY id
  rlm_sql (sql): User found in radcheck table
  expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'pokus' ORDER BY id
  expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'pokus' ORDER BY priority
 
 ...
 
  rad_check_password: Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
 
   Why did you put Auth-Type = Accept in SQL?
 
   It's breaking the server.  Delete it.
What should be there?
Because I don't know, I am using the Daloradius web interface for adding data to
the database, so I just loaded the default daloradius SQL which was intended
(according to the readme of daloradius) for 2.X Freeradius... and added accounts
in the web interface...
 
  To me it seems that name/password was accepted so I have no clue where
  is the problem..
 
   The password was NOT accepted.  It was *ignored*.
 
And what is that Accept-Accept on the end of the log?... also radtest gives me 
Accept-Accept only on correct login and password so I think that it's not that 
SQL...


   Alan DeKok.
 
Thank you for answer.


Re: Freeradius + PEAP.. stuck on validating identity..

2010-03-31 Thread Alan DeKok
Bruno Kremel wrote:
   Why did you put Auth-Type = Accept in SQL?

   It's breaking the server.  Delete it.
 What should be there?

  The user's password?

 Because I don't know, I am using the Daloradius web interface for adding data to
 the database, so I just loaded the default daloradius SQL which was intended
 (according to the readme of daloradius) for 2.X Freeradius... and added accounts
 in the web interface...

  <shrug>  I don't use daloradius.  All I know is from the debug output,
which shows that the server isn't configured properly.

 And what is that Accept-Accept on the end of the log?...

  It's useless.  The EAP conversation has been short-circuited, and the
user WILL NOT end up being online.

 also radtest gives me 
 Accept-Accept only on correct login and password so I think that it's not 
 that 
 SQL...

  Since you obviously know the product better than I do, good luck
solving the problem.

  Alan DeKok.


Re: Freeradius + PEAP.. stuck on validating identity..

2010-03-31 Thread Matt Harlum

On 01/04/2010, at 7:39 AM, Bruno Kremel wrote:

 On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
 What should be there?
 Because I don't know, I am using the Daloradius web interface for adding data to
 the database, so I just loaded the default daloradius SQL which was intended
 (according to the readme of daloradius) for 2.X Freeradius... and added accounts
 in the web interface...

Here's an example from my radcheck table in the SQL Database
 id | UserName    | Attribute     | op | Value       |
----+-------------+---------------+----+-------------+
  1 | exampleuser | User-Password | == | password123 |

This is how yours should be set up, otherwise you will get the validating 
issue in Windows.


 
 To me it seems that name/password was accepted so I have no clue where
 is the problem..
 
  The password was NOT accepted.  It was *ignored*.
 
 And what is that Accept-Accept on the end of the log?... also radtest gives 
 me 
 Accept-Accept only on correct login and password so I think that it's not 
 that 
 SQL...
 

As Alan said, it was simply ignored because of the misconfiguration

Regards,
Matt Harlum



Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory

2010-03-18 Thread John
I configured the LDAP module to talk to Open Directory; based on the debug output it looks
like the password is fetched from OD, but the authentication always fails. Is there
any guide for integrating freeRADIUS+ldap+OD?
I set up freeRADIUS to talk to OpenLDAP and it works well.  Can OD return the cleartext
password like OpenLDAP does?

John.


Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory

2010-03-18 Thread John
I attached the captured packets. Please open them with Wireshark.
The password from OD is “”.  It is neither a cleartext password nor an
encrypted password.


  

ODldap.pcap
Description: Binary data

Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory

2010-03-14 Thread Alan DeKok
John wrote:
 Hello,
 We want to setup freeRADIUS with Peap/MSCHAPv2 talk to Apple Open
 Directory. I found this option 'use_open_directory'. But looks we need
 to install freeRADIUS on the same machine with Open
 Directory.(https://lists.freeradius.org/pipermail/freeradius-users/2010-February/msg00307.html)
  
 Do we have to run freeRADIUS on the same machine with OpenDirectory?

  Yes.

 Is
 there a work-around that we can run freeRADIUS separate from OpenDirectory?

  OpenDirectory is an LDAP server.  Configure that way in FreeRADIUS.
It might work.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory

2010-02-15 Thread Alan DeKok
Moritz Dereschkewitz wrote:
 Wow, that sounds great. I haven't read about the use_open_directory
 option yet. Do I have to configure the mschap-module to connect to the
 OD, since Freeradius is not running on the Apple server? E.g. specify
 the server address? Or does it find the server automatically?

  You need to run FreeRADIUS on the same machine as Open Directory.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory

2010-02-12 Thread Alan DeKok
Moe D. wrote:
 I got a machine up and running Freeradius 2.1.0 with SSL support to
 secure a Wireless LAN. In our school’s network we (have to) use an Apple
 Mac OS X 10.4 Server with Samba as the PDC. Samba stores the user
 information using the OpenDirectory on the same server – using the NTLM
 password hashes… so far, there should be no problem for Freeradius using
 LDAP to connect to the OD and retrieve the NTLM hash to authenticate the
 wireless clients.

  Use the mschap module.  Apple has contributed code to make
FreeRADIUS work with Open Directory.

  Edit the mschap configuration, and add:

use_open_directory = yes

  That's it.

  You may need to use a more recent version of FreeRADIUS.  I suggest 2.1.8.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory

2010-02-12 Thread Moritz Dereschkewitz


On 13.02.2010 08:21, Alan DeKok wrote:

Moe D. wrote:
   

I got a machine up and running Freeradius 2.1.0 with SSL support to
secure a Wireless LAN. In our school’s network we (have to) use an Apple
Mac OS X 10.4 Server with Samba as the PDC. Samba stores the user
information using the OpenDirectory on the same server – using the NTLM
password hashes… so far, there should be no problem for Freeradius using
LDAP to connect to the OD and retrieve the NTLM hash to authenticate the
wireless clients.
 

   Use the mschap module.  Apple has contributed code to make
FreeRADIUS work with Open Directory.

   Edit the mschap configuration, and add:

use_open_directory = yes

   That's it.

   You may need to use a more recent version of FreeRADIUS.  I suggest 2.1.8.

   Alan DeKok.

   
Wow, that sounds great. I haven't read about the use_open_directory 
option yet. Do I have to configure the mschap-module to connect to the 
OD, since Freeradius is not running on the Apple server? E.g. specify 
the server address? Or does it find the server automatically?


Thanks for your help so far, Alan!

moenster
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-03 Thread Alan DeKok
Vieri wrote:
 However, user authentication is rejected when I add the --domain parameter:
 
 ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

  And you didn't post the debug output as suggested in the FAQ, README,
INSTALL, and daily on this list.

  Knowing WHY it was rejected, and WHAT ERROR was produced is key
information that is needed to be able to solve the problem.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-03 Thread luis a
Pal, if you are using the freeradius binary version, as I was using before,

you can debug by typing freeradius -X.

If you are using the compiled version, as I did a few days ago, it should work
by only typing radiusd -X.

PS:
my freeradius is still not authenticating against AD :-(


--- On Thu, 2/10/08, Nicolas Goutte [EMAIL PROTECTED] wrote:
From: Nicolas Goutte [EMAIL PROTECTED]
Subject: Re: Freeradius, PEAP, Active Directory and --require-membership-of
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Thursday, 2 October 2008, 6:09

On 02.10.2008 at 19:46, Vieri wrote:


 --- On Thu, 10/2/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 As with every other freeradius problem - when it doesn't
 work - debug
 (radiusd -X).

 That's how I'm running it. Does the list mind if I post the debug 

 lines?

Asking for the output of radiusd -X is the most frequent answer on
this mailing list, so it is not a problem to see such output on
this mailing list.

However, please check first by yourself that you have not missed an
error message that would point you in the right direction. (Because
that is probably the second most frequent answer.)







Have a nice day!

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax No.: 337/5903/0421 / VAT ID: DE 204607841







  -
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-03 Thread tnt
Don't hijack other peoples thread. BTW did you fix the users file entry
so the server can start up?

Ivan Kalik
Kalik Informatika ISP

On 3/10/2008, luis a [EMAIL PROTECTED] wrote:

Pal, if you are using the freeradius binary version, as I was using before,

you can debug by typing freeradius -X.

If you are using the compiled version, as I did a few days ago, it should work
by only typing radiusd -X.

PS:
my freeradius is still not authenticating against AD :-(


--- On Thu, 2/10/08, Nicolas Goutte [EMAIL PROTECTED] wrote:
From: Nicolas Goutte [EMAIL PROTECTED]
Subject: Re: Freeradius, PEAP, Active Directory and --require-membership-of
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Thursday, 2 October 2008, 6:09

On 02.10.2008 at 19:46, Vieri wrote:


 --- On Thu, 10/2/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 As with every other freeradius problem - when it doesn't
 work - debug
 (radiusd -X).

 That's how I'm running it. Does the list mind if I post the debug 

 lines?

Asking for the output of radiusd -X is the most frequent answer on
this mailing list, so it is not a problem to see such output on
this mailing list.

However, please check first by yourself that you have not missed an
error message that would point you in the right direction. (Because
that is probably the second most frequent answer.)







Have a nice day!

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax No.: 337/5903/0421 / VAT ID: DE 204607841










-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-03 Thread tnt
Use:

--username=%{mschap:User-Name}

and it should work.

Ivan Kalik
Kalik Informatika ISP


On 3/10/2008, Vieri [EMAIL PROTECTED] wrote:

--- On Thu, 10/2/08, Vieri [EMAIL PROTECTED] wrote:

 I'm running freeradius-2.0.5 on Linux.

 My setup is as follows:

 Windows Vista native client - Linksys AP - FreeRadius Linux
 server (PEAP/mschapv2) - Active Directory Windows server

 Everything works smoothly with the following ntlm_auth
 parameters in the mschap module:

 ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
 --username=%{Stripped-User-Name:-%{User-Name:-None}}
 --challenge=%{mschap:Challenge:-00}
 --nt-response=%{mschap:NT-Response:-00}

 However, user authentication is rejected when I add the
 --domain parameter:

 ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

 (from the Windows Vista client I obviously set the DOMAIN
 field; besides, if I run the freeradius daemon with debug
 enabled I see that it correctly receives
 'DOMAIN\username')

 For starters, I don't understand why authentication
 fails if I add --domain. How can I find out why?

 Then, adding --require-membership-of with or without
 --domain also fails.

 ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{Stripped-User-Name:-%{User-Name:-None}} --require-membership-of='DOMAIN\\WIFI' --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

 Finally, running ntlm_auth from the command line yields:

 # ntlm_auth --request-nt-key --domain=DOMAIN
 --username=myuser
 --require-membership-of='DOMAIN\\WIFI'
 password:
 NT_STATUS_OK: Success (0x0)

I found this in the radiusd debug log:

[2008/10/03 09:39:30, 0] utils/ntlm_auth.c:get_require_membership_sid(237)
  Winbindd lookupname failed to resolve 'DOMAIN\WIFI' into a SID!

so I removed the quotes ('') in the ntlm_auth string like this:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key  
--username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=DOMAIN 
--require-membership-of=DOMAIN\\WIFI --challenge=%{mschap:Challenge:-00} 
--nt-response=%{mschap:NT-Response:-00}

and now it works.

So this leads me to ask how I can specify group names with spaces such as 
'WIFI 1'.

Also, I had to specify the domain explicitly either via --domain=DOMAIN or 
--domain=%{mschap:NT-Domain:-DOMAIN}. In the latter case, authentication 
succeeds only if the client does NOT specify a domain in the domain or user 
field.
So I'm attaching some debug outputs with the hope that someone can shed some 
light on this aspect which I obviously don't grasp.

Thanks,

Vieri






-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
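To make the difference between Vieri's "--username=%{Stripped-User-Name:-%{User-Name:-None}}" and tnt's "--username=%{mschap:User-Name}" concrete, here is an added example (not from the thread and not FreeRADIUS source) that models how FreeRADIUS 2.x expands those ntlm_auth arguments and shows what winbind receives for each. Assumptions: %{mschap:User-Name} strips a leading DOMAIN\ prefix, %{mschap:NT-Domain} returns that prefix or nothing when there is none, the ":-default" fallback is applied uniformly, and the binary challenge/response expansions are left to their ":-00" defaults; the request attributes are constructed.

```python
"""Model of the mschap module's ntlm_auth string expansion (example code, not
FreeRADIUS source). Shows the argument list winbind receives for the variants
discussed in the thread."""


def mschap_xlat(name: str, attrs: dict) -> str:
    """%{mschap:...} expansions (assumption, modelled on FreeRADIUS 2.x):
    User-Name -> User-Name with a leading DOMAIN\\ prefix removed
    NT-Domain -> that DOMAIN prefix, or "" when the User-Name has no backslash
    Anything else (Challenge, NT-Response) is binary data not modelled here;
    returning "" lets the template's :-00 default apply."""
    user = attrs.get("User-Name", "")
    domain, sep, bare = user.partition("\\")
    if name == "User-Name":
        return bare if sep else user
    if name == "NT-Domain":
        return domain if sep else ""
    return ""


def _matching_brace(template: str, start: int) -> int:
    """Index of the '}' closing the '%{' at `start`, honouring nested %{...}."""
    depth, j = 0, start
    while j < len(template):
        if template.startswith("%{", j):
            depth += 1
            j += 2
            continue
        if template[j] == "}":
            depth -= 1
            if depth == 0:
                return j
        j += 1
    raise ValueError("unbalanced %{ in template")


def expand(template: str, attrs: dict) -> str:
    """Expand %{Attr}, %{Attr:-default} (the default may nest further %{...})
    and %{mschap:Name}. A missing or empty value falls through to the default;
    the default handling is applied to module xlats as well (assumption)."""
    out, i = [], 0
    while i < len(template):
        if not template.startswith("%{", i):
            out.append(template[i])
            i += 1
            continue
        end = _matching_brace(template, i)
        inner = template[i + 2:end]
        name, has_default, default = inner.partition(":-")
        if name.startswith("mschap:"):
            value = mschap_xlat(name[len("mschap:"):], attrs)
        else:
            value = attrs.get(name, "")
        if not value and has_default:
            value = expand(default, attrs)
        out.append(value)
        i = end + 1
    return "".join(out)


# The two argument strings from the thread, minus the fixed ntlm_auth path.
VIERI_ARGS = ("--request-nt-key --domain=%{mschap:NT-Domain} "
              "--username=%{Stripped-User-Name:-%{User-Name:-None}} "
              "--challenge=%{mschap:Challenge:-00} "
              "--nt-response=%{mschap:NT-Response:-00}")
TNT_ARGS = VIERI_ARGS.replace("%{Stripped-User-Name:-%{User-Name:-None}}",
                              "%{mschap:User-Name}")

# Constructed sample requests (not captured from a real server).
WITH_DOMAIN = {"User-Name": "DOMAIN\\vieri"}           # client sent DOMAIN\user
WITHOUT_DOMAIN = {"User-Name": "vieri"}                # client sent a bare name
REALM_STRIPPED = {"User-Name": "DOMAIN\\vieri",        # a realm module already
                  "Stripped-User-Name": "vieri"}       # split off the domain

if __name__ == "__main__":
    for label, req in (("DOMAIN\\user, no realm stripping", WITH_DOMAIN),
                       ("bare user name", WITHOUT_DOMAIN),
                       ("DOMAIN\\user, realm stripped", REALM_STRIPPED)):
        print(f"== {label}")
        print("  Vieri:", expand(VIERI_ARGS, req))
        print("  tnt:  ", expand(TNT_ARGS, req))
```

With DOMAIN\user and no realm stripping, Vieri's form hands winbind --username=DOMAIN\vieri next to --domain=DOMAIN, while tnt's form hands it the bare name; with a bare User-Name, --domain expands to an empty value.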


Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-02 Thread tnt
As with every other freeradius problem - when it doesn't work - debug
(radiusd -X).

Ivan Kalik
Kalik Informatika ISP

On 2/10/2008, Vieri [EMAIL PROTECTED] wrote:

Hi,

I'm running freeradius-2.0.5 on Linux.

My setup is as follows:

Windows Vista native client - Linksys AP - FreeRadius Linux server 
(PEAP/mschapv2) - Active Directory Windows server

Everything works smoothly with the following ntlm_auth parameters in the 
mschap module:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key 
--username=%{Stripped-User-Name:-%{User-Name:-None}} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

However, user authentication is rejected when I add the --domain parameter:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

(from the Windows Vista client I obviously set the DOMAIN field; besides, if I 
run the freeradius daemon with debug enabled I see that it correctly receives 
'DOMAIN\username')

For starters, I don't understand why authentication fails if I add --domain. 
How can I find out why?

Then, adding --require-membership-of with or without --domain also fails.

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{Stripped-User-Name:-%{User-Name:-None}} --require-membership-of='DOMAIN\\WIFI' --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

Finally, running ntlm_auth from the command line yields:

# ntlm_auth --request-nt-key --domain=DOMAIN --username=myuser 
--require-membership-of='DOMAIN\\WIFI'
password:
NT_STATUS_OK: Success (0x0)

Could it be a bug in the freeradius version I'm running?

Can anyone please suggest how I can debug this (not a radius expert ;-) )?

Regards,

Vieri







-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-02 Thread Vieri

--- On Thu, 10/2/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 As with every other freeradius problem - when it doesn't
 work - debug
 (radiusd -X).

That's how I'm running it. Does the list mind if I post the debug lines?



  
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-02 Thread Vieri
I forgot to mention that I already tried:

with_ntdomain_hack = yes

I'll try to post the relevant radiusd -X debug lines if the ML doesn't mind.




  
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-02 Thread Lech Karol Pawłaszek
Vieri wrote:
 --- On Thu, 10/2/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 
 As with every other freeradius problem - when it doesn't
 work - debug
 (radiusd -X).
 
 That's how I'm running it. Does the list mind if I post the debug lines?

You're supposed to do so!

It's even in the FreeRADIUS' FAQ (however IMVHO it should be on the ML
front page).

http://wiki.freeradius.org/FAQ#It_still_doesn.27t_work.21

PS: I followed your Reply-To however I don't think that was necessary -
do you really have to set it that way?

Kind regards,

-- 
Lech Karol Pawłaszek ike
You will never see me fall from grace [KoRn]
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-02 Thread Nicolas Goutte


On 02.10.2008 at 19:46, Vieri wrote:



--- On Thu, 10/2/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:


As with every other freeradius problem - when it doesn't
work - debug
(radiusd -X).


That's how I'm running it. Does the list mind if I post the debug  
lines?


Asking for the output of radiusd -X is the most frequent answer on
this mailing list, so it is not a problem to see such output on
this mailing list.


However, please check first by yourself that you have not missed an
error message that would point you in the right direction. (Because
that is probably the second most frequent answer.)










Have a nice day!

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax No.: 337/5903/0421 / VAT ID: DE 204607841




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Freeradius PEAP and Wireless

2007-06-18 Thread Josh Howlett
 rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is 
 required first.

You need to uncomment the tls section in eap.conf, even if you're not
intending to use EAP-TLS.

josh.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius PEAP and Wireless

2007-06-18 Thread Alan Dekok
Cody Jarrett wrote:
 I'm trying to setup freeradius with ldap for use with a wireless 
 network. I don't want to have to deal with tls and certificates if 
 possible,

  Then you won't be doing PEAP.  It requires TLS and certificates.
...
 rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is required first.

  What is unclear about that message?  It's telling you that you need
TLS for PEAP to work.

  All of the howto's show that you have to configure TLS before PEAP.
The comments in eap.conf say you have to configure TLS before PEAP.

  What's the problem?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius PEAP and Wireless

2007-06-18 Thread Cody Jarrett

Alan Dekok wrote:

Cody Jarrett wrote:
  
I'm trying to setup freeradius with ldap for use with a wireless 
network. I don't want to have to deal with tls and certificates if 
possible,



  Then you won't be doing PEAP.  It requires TLS and certificates.
  
Is what I want possible then? And if so could you provide me with 
details on what it's called or how it's configured?

...
  

rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is required first.



  What is unclear about that message?  It's telling you that you need
TLS for PEAP to work.

  All of the howto's show that you have to configure TLS before PEAP.
The comments in eap.conf say you have to configure TLS before PEAP.

  What's the problem?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


  
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius PEAP and Wireless

2007-06-18 Thread tnt
Read provided instructions in eap.conf.

Ivan Kalik
Kalik Informatika ISP


On 18/6/2007, Cody Jarrett [EMAIL PROTECTED] wrote:

Alan Dekok wrote:
 Cody Jarrett wrote:

 I'm trying to setup freeradius with ldap for use with a wireless
 network. I don't want to have to deal with tls and certificates if
 possible,


   Then you won't be doing PEAP.  It requires TLS and certificates.

Is what I want possible then? And if so could you provide me with
details on what it's called or how it's configured?
 ...

 rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is required first.


   What is unclear about that message?  It's telling you that you need
 TLS for PEAP to work.

   All of the howto's show that you have to configure TLS before PEAP.
 The comments in eap.conf say you have to configure TLS before PEAP.

   What's the problem?

   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog





- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius -peap ad/ldap

2007-03-15 Thread joe vieira


Sam Schultz wrote:
 On Thu, 15 Mar 2007 10:57:29 -0500 joe vieira [EMAIL PROTECTED] 
 wrote:
   
 Alan DeKok wrote:
 
 joe vieira wrote:
   
   
 i have eap-peap authentication working against our ad domain.  
 
 peachy 
 
 keen.  what i would like to be able to do is, in our openldap 
 environment, store attributes for retrieval by radius, cisco 
 
 stuff/ 
 
 etc... i assume the way to do this would be to use the 
 
 authorization  
 
 sections, but if you add ldap to that then it automatically 
 
 adds ldap 
 
 authentication...which i don't want..
 
 
   Upgrade to a newer version of the server, which doesn't do 
   
 that.
 
   
   
 which versions would that be?
 

 OK, I think I understand what you're asking. If you want to use LDAP
 for authorization ONLY, and something else for authentication, you
 could put an entry like this in your 'users' file:

 DEFAULT check_items (ex: Realm == 'your_domain')
 Autz-Type := your_ldap_instance (ex: ldap),
 Auth-Type := module_instance_for_authentication

 Setting Autz-Type forces a certain type of authorization. Setting
 Auth-Type forces a certain type of authentication. Doing this in a
 DEFAULT entry causes ALL users that have Fall-Through set to yes to
 be passed through the specified authorization & authentication 
 method.
 This could also be set on a per-user basis by changing DEFAULT to 
 the
 a given user's username.
   
So I did what you recommended, which makes sense to do... I have 
Autz-type := eap, and in debug mode I get this; clearly an access-reject 
follows. 

auth: No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
auth: Failed to validate the user.

obviously there is a module called eap...else the daemon would not start...

what do you think?
Joe


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Re: freeradius -peap ad/ldap

2007-03-15 Thread Sam Schultz
 DEFAULT check_items (ex: Realm == 'your_domain')
 Autz-Type := your_ldap_instance (ex: ldap),
 Auth-Type := module_instance_for_authentication

So I did what you recommended, which makes sense to do... I have
Autz-type := eap, and in debug mode I get this; clearly an access-
reject
follows. 

auth: No authenticate method (Auth-Type) configuration found for 
the
request: Rejecting the user
auth: Failed to validate the user.

First off, eap shouldn't be used this way. The top line of eap.conf
clearly states:

Whatever you do, do NOT set 'Auth-Type := EAP'.  The server is 
smart
enough to figure this out on its own

Typical modules that would be used here are things like 'files', 
'ldap',
or 'sql'. There are also special types like 'Local' & 'System', 
which
you'd have to use one of if you were using an sql table to store 
user
credentials.

The second thing you have to understand is the difference between 
modules & instances. An instance is a specific configuration of a
module. The instance itself has a name that is user-specified.
I suggest you read through the configurable_failover document, which
is usually in /usr/share/doc/freeradius-version, it isn't long and
offers pretty good insight into how freeradius' configuration gets
processed.

Also, if you need to use a separate back-end for authentication, 
maybe you should tell us what you need to use so we can give you 
more specific
answers.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius -peap ad/ldap

2007-03-15 Thread joe vieira


Sam Schultz wrote:
 DEFAULT check_items (ex: Realm == 'your_domain')
 Autz-Type := your_ldap_instance (ex: ldap),
 Auth-Type := module_instance_for_authentication
   

   
 so i did what you recommended, which makes sense to do... i have
 Autz-type := eap, and in debug mode i get this clearly an access-
 
 reject
   
 follows. 

 auth: No authenticate method (Auth-Type) configuration found for 
 
 the
   
 request: Rejecting the user
 auth: Failed to validate the user.
 

 First off, eap shouldn't be used this way. The top line of eap.conf
 clearly states:

 Whatever you do, do NOT set 'Auth-Type := EAP'.  The server is 
 smart
 enough to figure this out on its own

 Typical modules that would be used here are things like 'files', 
 'ldap',
 or 'sql'. There are also special types like 'Local' & 'System', 
 which
 you'd have to use one of if you were using an sql table to store 
 user
 credentials.

 The second thing you have to understand is the difference between 
 modules & instances. An instance is a specific configuration of a
 module. The instance itself has a name that is user-specified.
 I suggest you read through the configurable_failover document, which
 is usually in /usr/share/doc/freeradius-version, it isn't long and
 offers pretty good insight into how freeradius' configuration gets
 processed.

 Also, if you need to use a separate back-end for authentication, 
 maybe you should tell us what you need to use so we can give you 
 more specific
 answers.

   
reference the initial thread where i said i was authenticating off of 
active directories, using eap-peap.  which i had previously working just 
fine. 
Since i didn't specify an instance name in my eap.conf, it is referenced 
as 'eap' (which i did read, but was following your advice).

Joe 


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius -peap ad/ldap

2007-03-15 Thread Sam Schultz
reference the initial thread where i said i was authenticating off 
of 
active directories, using eap-peap.  which i had previously 
working just 
fine. 
Since i didn't specify an instance name in my eap.conf, it is 
referenced 
as 'eap' (which i did read, but was following your advice).

Once you configure the eap module, it tends to take care of itself.
Setting Auth-Type & Autz-Type are for when you want to force a user
(or all users, as with DEFAULT entries) to be authorized & 
authenticated 
by the respective modules.

If you're purely using ldap for authorization & authentication, you
wouldn't/shouldn't need to set either one. I know in my case I had 
to
set access_attr_used_for_allow to 'no' because I wasn't using the 
ldap
schema extension packaged with freeradius.


Joe 




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius -peap ad/ldap

2007-03-15 Thread Sam Schultz
On Thu, 15 Mar 2007 10:16:14 -0500 joe vieira [EMAIL PROTECTED] 
wrote:
Hi all,

I'm using the RHEL build of freeradius 1.0.1.  I'm trying to do 

You really should upgrade that. If I recall correctly, there were
some nasty bugs in the early 1.0.x builds.

something  that might seem totally stupid, so let me know if i am 
(no 
need to flame).   I'm new to freeradius so bear with me a bit.


We were all new at some point, some people just forget that :)

i have eap-peap authentication working against our ad domain.  
peachy 
keen.  what i would like to be able to do is, in our openldap 
environment, store attributes for retrieval by radius, cisco 
stuff/ 
etc... i assume the way to do this would be to use the 
authorization  
sections, but if you add ldap to that then it automatically adds 
ldap 
authentication...which i don't want..

ideas?

You could try using one of the SQL modules. Unlike ldap, the sql
modules only retrieve attributes from an sql table, and sets the
attributes for use by later modules (or freeradius, if the
'Auth-Type := Local' has been set) 


Joe Vieira
UNIX Systems Administrator
Clark University


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius -peap ad/ldap

2007-03-15 Thread Alan DeKok
joe vieira wrote:

 i have eap-peap authentication working against our ad domain.  peachy 
 keen.  what i would like to be able to do is, in our openldap 
 environment, store attributes for retrieval by radius, cisco stuff/ 
 etc... i assume the way to do this would be to use the authorization  
 sections, but if you add ldap to that then it automatically adds ldap 
 authentication...which i don't want..

  Upgrade to a newer version of the server, which doesn't do that.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius -peap ad/ldap

2007-03-15 Thread joe vieira

Alan DeKok wrote:
 joe vieira wrote:
   
 i have eap-peap authentication working against our ad domain.  peachy 
 keen.  what i would like to be able to do is, in our openldap 
 environment, store attributes for retrieval by radius, cisco stuff/ 
 etc... i assume the way to do this would be to use the authorization  
 sections, but if you add ldap to that then it automatically adds ldap 
 authentication...which i don't want..
 

   Upgrade to a newer version of the server, which doesn't do that.
   
which versions would that be?
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius -peap ad/ldap

2007-03-15 Thread Sam Schultz


On Thu, 15 Mar 2007 10:57:29 -0500 joe vieira [EMAIL PROTECTED] 
wrote:
Alan DeKok wrote:
 joe vieira wrote:
   
 i have eap-peap authentication working against our ad domain.  
peachy 
 keen.  what i would like to be able to do is, in our openldap 
 environment, store attributes for retrieval by radius, cisco 
stuff/ 
 etc... i assume the way to do this would be to use the 
authorization  
 sections, but if you add ldap to that then it automatically 
adds ldap 
 authentication...which i don't want..
 

   Upgrade to a newer version of the server, which doesn't do 
that.
   
which versions would that be?

OK, I think I understand what you're asking. If you want to use LDAP
for authorization ONLY, and something else for authentication, you
could put an entry like this in your 'users' file:

DEFAULT check_items (ex: Realm == 'your_domain')
Autz-Type := your_ldap_instance (ex: ldap),
Auth-Type := module_instance_for_authentication

Setting Autz-Type forces a certain type of authorization. Setting
Auth-Type forces a certain type of authentication. Doing this in a
DEFAULT entry causes ALL users that have Fall-Through set to yes to
be passed through the specified authorization & authentication 
method.
This could also be set on a per-user basis by changing DEFAULT to 
the
a given user's username.



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius/PEAP

2005-10-15 Thread Phil Mayers

Alan DeKok wrote:

Phil Mayers [EMAIL PROTECTED] wrote:

PEAP can have several inner types. One of these is GTC (generic token 
card) which sends a prompt and asks for a response. I believe the prompt 
can be password and the response the actual password.


How well windows' GTC support works I couldn't tell you, though I know 
it's there.



  Windows doesn't support it, so far as I can tell.


My mistake - I was convinced I'd seen it.

(I suppose it's possible that I had the Cisco wireless card software 
installed, along with its supplicant-fiddling extensions.)
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius/PEAP

2005-10-14 Thread Alan DeKok
Phil Mayers [EMAIL PROTECTED] wrote:
 PEAP can have several inner types. One of these is GTC (generic token 
 card) which sends a prompt and asks for a response. I believe the prompt 
 can be password and the response the actual password.
 
 How well windows' GTC support works I couldn't tell you, though I know 
 it's there.

  Windows doesn't support it, so far as I can tell.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius/PEAP

2005-10-13 Thread Josh Howlett

James,

MSChapv2 needs plaintext or NTLM credentials. You won't be able to do 
what you're trying. It works with users file because you specify the 
plaintext.


josh.

James Taylor wrote:

Hi,

 

I am trying to secure my wireless connections using PEAP-TLS MSChapv2 to 
authenticate users against my Linux /etc/shadow; /etc/password/; and 
/etc/group files.  I would like to use PAM but UNIX will work too.  I do 
not want to use the USERS file as it stores passwords in clear text and 
that is what we are trying to avoid. 

 

All my tests conclude that this functionality will not work.  I am able 
to Auth just fine using the USERS file with a username and password.


 


Any info or direction would be greatly appreciated.

 


Thank you

 


James






RE: FreeRadius/PEAP

2005-10-13 Thread James Taylor
Am I able to use PEAP to auth to UNIX or PAM instead of mschapv2?  Do I do
this in the EAP.CONF file?  What we are basically trying to do is use
FreeRadius to authenticate against our current user database on our linux
server while still maintaining the PEAP-TLS security with wireless.  Is that
even possible?  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Josh
Howlett
Sent: Thursday, October 13, 2005 2:25 PM
To: FreeRadius users mailing list
Subject: Re: FreeRadius/PEAP

James,

MSChapv2 needs plaintext or NTLM credentials. You won't be able to do 
what you're trying. It works with users file because you specify the 
plaintext.

josh.

James Taylor wrote:
 Hi,
 
  
 
 I am trying to secure my wireless connections using PEAP-TLS MSChapv2 to 
 authenticate users against my Linux /etc/shadow; /etc/password/; and 
 /etc/group files.  I would like to use PAM but UNIX will work too.  I do 
 not want to use the USERS file as it stores passwords in clear text and 
 that is what we are trying to avoid. 
 
  
 
 All my tests conclude that this functionality will not work.  I am able 
 to Auth just fine using the USERS file with a username and password.
 
  
 
 Any info or direction would be greatly appreciated.
 
  
 
 Thank you
 
  
 
 James
 
 
 
 


Re: FreeRadius/PEAP

2005-10-13 Thread Yuri Francalacci
I have everything working with the users file.
Josh, do you think if I have sambaNTpassword attribute in my ldap (I use ldap for authenticating users) with the ntlm credential it could work?
Yuri
On 10/13/05, Josh Howlett [EMAIL PROTECTED] wrote:
James,

MSChapv2 needs plaintext or NTLM credentials. You won't be able to do
what you're trying. It works with users file because you specify the
plaintext.

josh.

James Taylor wrote:
 Hi,

 I am trying to secure my wireless connections using PEAP-TLS MSChapv2 to
 authenticate users against my Linux /etc/shadow; /etc/password/; and
 /etc/group files.  I would like to use PAM but UNIX will work too.  I do
 not want to use the USERS file as it stores passwords in clear text and
 that is what we are trying to avoid.

 All my tests conclude that this functionality will not work.  I am able
 to Auth just fine using the USERS file with a username and password.

 Any info or direction would be greatly appreciated.

 Thank you

 James

-- 
Yuri Francalacci [EMAIL PROTECTED]

Re: FreeRadius/PEAP

2005-10-13 Thread Josh Howlett

No - your user database needs to store passwords in plaintext or NTLM.

You basically have two options: use a TTLS supplicant instead (such as 
wpa_supplicant or SecureW2), or change your user database.


best regards, josh.

James Taylor wrote:

Am I able to use PEAP to auth to UNIX or PAM instead of mschapv2?  Do I do
this in the EAP.CONF file?  What we are basically trying to do is use
FreeRadius to authenticate against our current user database on our linux
server while still maintaining the PEAP-TLS security with wireless.  Is that
even possible?  


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Josh
Howlett
Sent: Thursday, October 13, 2005 2:25 PM
To: FreeRadius users mailing list
Subject: Re: FreeRadius/PEAP

James,

MSChapv2 needs plaintext or NTLM credentials. You won't be able to do 
what you're trying. It works with users file because you specify the 
plaintext.


josh.

James Taylor wrote:


Hi,



I am trying to secure my wireless connections using PEAP-TLS MSChapv2 to 
authenticate users against my Linux /etc/shadow; /etc/password/; and 
/etc/group files.  I would like to use PAM but UNIX will work too.  I do 
not want to use the USERS file as it stores passwords in clear text and 
that is what we are trying to avoid. 




All my tests conclude that this functionality will not work.  I am able 
to Auth just fine using the USERS file with a username and password.




Any info or direction would be greatly appreciated.



Thank you



James






Re: FreeRadius/PEAP

2005-10-13 Thread Michael Griego
/etc/shadow files and PEAP/MSCHAPv2 are mutually exclusive.  You can 
store the NT hashed passwords in the users file if you'd like, but, 
other than that, you'll have to use plaintext passwords.  It's just the 
nature of the beast.


--Mike

James Taylor wrote:


Hi,

 

I am trying to secure my wireless connections using PEAP-TLS MSChapv2 
to authenticate users against my Linux /etc/shadow; /etc/password/; 
and /etc/group files.  I would like to use PAM but UNIX will work 
too.  I do not want to use the USERS file as it stores passwords in 
clear text and that is what we are trying to avoid. 

 

All my tests conclude that this functionality will not work.  I am 
able to Auth just fine using the USERS file with a username and password.


 


Any info or direction would be greatly appreciated.

 


Thank you

 


James





Re: FreeRadius/PEAP

2005-10-13 Thread Alan DeKok
James Taylor [EMAIL PROTECTED] wrote:
 Am I able to use PEAP to auth to UNIX or PAM instead of mschapv2?

  Your question doesn't make sense.  PAM and Unix /etc/passwd are both
systems that store known good passwords.  MSCHAPv2 is an
authentication protocol where a user tries to authenticate based on an
unknown password.

 What we are basically trying to do is use FreeRadius to authenticate
 against our current user database on our linux server while still
 maintaining the PEAP-TLS security with wireless.  Is that even
 possible?

  No, the crypt'd passwords stored in /etc/passwd are 100% incompatible
with PEAP.  You can:

  a) store clear-text passwords
  b) use EAP-TTLS with tunneled PAP.

  You don't really have many other choices.

  Alan DeKok.


Re: FreeRadius/PEAP

2005-10-13 Thread Phil Mayers

James Taylor wrote:

Am I able to use PEAP to auth to UNIX or PAM instead of mschapv2?  Do I do
this in the EAP.CONF file?  What we are basically trying to do is use
FreeRadius to authenticate against our current user database on our linux
server while still maintaining the PEAP-TLS security with wireless.  Is that
even possible?  



PEAP can have several inner types. One of these is GTC (generic token 
card) which sends a prompt and asks for a response. I believe the prompt 
can be password and the response the actual password.


How well windows' GTC support works I couldn't tell you, though I know 
it's there.


See the gtc section in eap.conf

PAM would not help; as Josh says, MSCHAPv2 needs the NT/LM hashes, which 
means either having the hashes, or the plaintext password to generate 
them from, not a crypt. In any event, PAM seems to work very badly 
because of threading issues.


Re: freeRadius, PEAP, MSCHAP, Segment Fault(coredump)

2005-01-05 Thread john . ctr . gauntt

[EMAIL PROTECTED]
wrote:
 This is my second try at this post; the first was too long. I read the
 archives and then attempted to configure freeRadius using PEAP MSCHAP.
 After some initial success I am stuck with a Segment Fault(coredump).

Alan Dekok wrote:
 It's another stupid bug in libltdl. The fix is to do:

$ configure --disable-shared
$ make
$ make install

 Alan DeKok.

I tried the configure switch and got another Segment Fault(coredump). Is
there other debug information that is useful for resolving this problem?
Thanks,
John Gauntt 
[EMAIL PROTECTED]

Re: freeRadius, PEAP, MSCHAP, Segment Fault(coredump)

2005-01-05 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 I tried the configure switch and got another Segment Fault(coredump).

  If you look, you'll probably see the same problem.

  Delete ALL of the previously installed FreeRADIUS binaries and
libraries.  Then re-configure and re-make.

  Alan DeKok.




Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-25 Thread Alan DeKok
Hand, Chris [EMAIL PROTECTED] wrote:
 I'm still not seeing it.

  If it's listed in the authorize section, it will be printed out in
debugging mode.

  Are you willing to provide debug logs?

 Let's start over. What is the best way of authenticating users to an
 NT domain over PEAP? Am I even on the right track?

  ntlm_auth.

  It works, and other people have gotten it to work.  The issue now
becomes poking your configuration so that it works.

  Alan DeKok.



Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-24 Thread Alan DeKok
Hand, Chris [EMAIL PROTECTED] wrote:
 Yes, I am using the ntdomain realm. However, I do not see it show up in
 the debugging output. Do I need to do anything other than list
 ntdomain in the 'authorize' section to make freeradius use it?

  If it's listed there, you should see it printed out in debugging mode.

  Try listing it immediately after preprocess, and double-checking
the debug output.

  Alan DeKok.




RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-24 Thread Hand, Chris
I'm still not seeing it.

Let's start over. What is the best way of authenticating users to an NT
domain over PEAP? Am I even on the right track?

Chris Hand

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Tuesday, August 24, 2004 10:51 AM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP
client 

Hand, Chris [EMAIL PROTECTED] wrote:
 Yes, I am using the ntdomain realm. However, I do not see it show up
in
 the debugging output. Do I need to do anything other than list
 ntdomain in the 'authorize' section to make freeradius use it?

  If it's listed there, you should see it printed out in debugging mode.

  Try listing it immediately after preprocess, and double-checking
the debug output.

  Alan DeKok.




Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Paul Bender
Did you cut and paste or type the lines from your config file? According 
to the config file ntlm_auth has the argument '--challence', but the 
debug output has the argument '--challenge'.

Hand, Chris wrote:
I am trying to set up 802.1x on our network and I would like the users
to be able to use their current Active Directory credentials.
I need the AD domain to be stripped from the username so that I can feed
it to ntlm_auth. I am using a Windows XP Pro client and Windows 2003
server.
Here is part of my config file.
Modules {
    realm ntdomain {
        format = prefix
        delimiter = \\
        ignore_default = no
        ignore_null = no
    }
    eap {
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = yes
        tls {
            private_key_password = whatever
            private_key_file = ${raddbdir}/certs/cert-srv.pem
            certificate_file = ${raddbdir}/certs/cert-srv.pem
            CA_file = ${raddbdir}/certs/demoCA/cacert.pem
            dh_file = ${raddbdir}/certs/dh
            random_file = ${raddbdir}/certs/random
            fragment_size = 1024
            include_length = yes
        }
        peap {
            default_eap_type = mschapv2
        }
        mschapv2 {
        }
    }
    mschap {
        authtype = MS-CHAP
        with_ntdomain_hack = no
        ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=MI /
            --username=%{Stripped-User-Name} --challence=%{mschap:Challenge:-00} /
            --nt-response=%{mschap:NT-Response:-00}
    }
}
authorize {
    preprocess
    ntdomain
    eap
    files
}
authenticate {
    Auth-Type MS-CHAP {
        Mschap
    }
    eap
}
From the debug output:
radius_xlat: Running registered xlat function of module mschap for
string 'Challenge'
radius_xlat: Running registered xlat function of module mschap for
string 'NT-Response'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MI
--username= --challenge=3d66c96d9aa150e6
--nt-response=c97090b4f7aeeac3ea2a98e24daf1fdac43f626658cbe463
Exec-Program-Wait: plaintext: Logon failure (0xc06d) 
Exec-Program: returned: 1

If I try ntlm_auth manually, it works fine:
[EMAIL PROTECTED] raddb]# ntlm_auth --requeset-nt-key --domain=MI /
--username=chand
password: 
NT_STATUS_OK: Success (0x0)

Has anyone successfully used freeradius to authenticate against Active
Directory (Windows 2003)?
Chris Hand 
Network Engineer
[EMAIL PROTECTED]




RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Hand, Chris
I retyped the config. That is a typo. It should be '--challenge'.

-Chris
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul
Bender
Sent: Monday, August 23, 2004 4:01 PM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP
client

Did you cut and paste or type the lines from your config file? According
to the config file ntlm_auth has the argument '--challence', but the 
debug output has the argument '--challenge'.

Hand, Chris wrote:

 I am trying to set up 802.1x on our network and I would like the users
 to be able to use their current Active Directory credentials.
 
 I need the AD domain to be stripped from the username so that I can
feed
 it to ntlm_auth. I am using a Windows XP Pro client and Windows 2003
 server.
 
 Here is part of my config file.
 
 Modules {
 realm ntdomain {
   format = prefix
   delimiter = \\
   ignore_default = no
   ignore_null = no
 }
 
 eap {
   default_eap_type = peap
   timer_expire = 60
   ignore_unknown_eap_types = no
   cisco_accounting_username_bug = yes
   tls {
   private_key_password = whatever
   private_key_file = ${raddbdir}/certs/cert-srv.pem
   certificate_file = ${raddbdir}/certs/cert-srv.pem
   CA_file = ${raddbdir}/certs/demoCA/cacert.pem
   dh_file = ${raddbdir}/certs/dh
   random_file = ${raddbdir}/certs/random
   fragment_size = 1024
   include_length = yes
   }
   peap {
   default_eap_type = mschapv2
   }
   mschapv2 {
   }
 }
 
 mschap {
   authtype = MS-CHAP
   with_ntdomain_hack = no
   ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=MI /
 --username=%{Stripped-User-Name} --challence=%{mschap:Challenge:-00} /
 --nt-response=%{mschap:NT-Response:-00}
 }
 }
 
 authorize {
   preprocess
   ntdomain
   eap
   files
 }
 
 authenticate {
   Auth-Type MS-CHAP {
   Mschap
   }
   eap
 }
 
 From the debug output:
 radius_xlat: Running registered xlat function of module mschap for
 string 'Challenge'
 radius_xlat: Running registered xlat function of module mschap for
 string 'NT-Response'
 Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MI
 --username= --challenge=3d66c96d9aa150e6
 --nt-response=c97090b4f7aeeac3ea2a98e24daf1fdac43f626658cbe463
 Exec-Program-Wait: plaintext: Logon failure (0xc06d) 
 Exec-Program: returned: 1
 
 If I try ntlm_auth manually, it works fine:
 [EMAIL PROTECTED] raddb]# ntlm_auth --requeset-nt-key --domain=MI /
 --username=chand
 password: 
 NT_STATUS_OK: Success (0x0)
 
 Has anyone successfully used freeradius to authenticate against Active
 Directory (Windows 2003)?
 
 Chris Hand 
 Network Engineer
 [EMAIL PROTECTED]
 
 
 
 


Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Alan DeKok
Hand, Chris [EMAIL PROTECTED] wrote:
  Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MI
  --username= --challenge=3d66c96d9aa150e6
  --nt-response=c97090b4f7aeeac3ea2a98e24daf1fdac43f626658cbe463
  Exec-Program-Wait: plaintext: Logon failure (0xc06d)

  Where's the username?

  Alan DeKok.



RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Hand, Chris
Exactly... The username is not getting fed into ntlm_auth. It seems that
the stripping of the domain from the username is not working. If I use 
--username=%{User-Name}, then it feeds 'MI\\chand' to ntlm_auth.

-Chris Hand

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Monday, August 23, 2004 4:36 PM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP
client 

Hand, Chris [EMAIL PROTECTED] wrote:
  Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MI
  --username= --challenge=3d66c96d9aa150e6
  --nt-response=c97090b4f7aeeac3ea2a98e24daf1fdac43f626658cbe463
  Exec-Program-Wait: plaintext: Logon failure (0xc06d)

  Where's the username?

  Alan DeKok.



Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Alan DeKok
Hand, Chris [EMAIL PROTECTED] wrote:
 Exactly... The username is not getting fed into ntlm_auth. It seems that
 the stripping of the domain from the username is not working.

  Are you using the ntdomain realm, as given in radiusd.conf?

  Are you running it in debugging mode, to see that the ntdomain
realm is working?

  Alan DeKok.




RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Hand, Chris
Yes, I am using the ntdomain realm. However, I do not see it show up in
the debugging output. Do I need to do anything other than list
ntdomain in the 'authorize' section to make freeradius use it?

Chris Hand

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Monday, August 23, 2004 5:19 PM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP
client 

Hand, Chris [EMAIL PROTECTED] wrote:
 Exactly... The username is not getting fed into ntlm_auth. It seems
that
 the stripping of the domain from the username is not working.

  Are you using the ntdomain realm, as given in radiusd.conf?

  Are you running it in debugging mode, to see that the ntdomain
realm is working?

  Alan DeKok.




RE: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....

2004-05-03 Thread Dourty, Brian R. \(IATS\)
 Dourty, Brian R. (IATS) [EMAIL PROTECTED] wrote:
  Ok, but isn't the with_ntdomain_hack = yes directive in the 
  radiusd.conf file supposed to correct this behavior?
 
   Theoretically, yes.  But when you're calling ntlm_auth, the 
 with_ntdomain_hack isn't being used.  Why would it?  You're 
 passing the exact attributes you want to ntlm_auth.  If you 
 don't like the attributes, change them.  Why would we need 
 another configuration option to do the same thing?
 
  So now my args for ntlm_auth are right, but I think something is up 
  with mschap still.
 
   If the arguments to ntlm_auth are right, then it should work.

To clarify things here, the --domain and --username arguments are right,
but the --challenge argument is incorrect. 

I'm looking at the code in rlm_mschap.c. I believe this is the code that
creates the value for the --challenge argument for ntlm_auth. It is my
understanding that this is a hash created with this code:

challenge_hash(response->strvalue + 2,
               chap_challenge->strvalue,
               user_name->strvalue, buffer);

The username being used in this function still contains the DOMAIN! This
is what is keeping the auth from working. I've added debug statements to
my code. It's using the domain/user. This won't work. 

 
  When the Challenge or Response message is generated is it still trying
  to use domain/user as the username?
 
   Ask the client, not FreeRADIUS.

I can't change the client. I can change freeradius. The client presents
freeradius with a domain/username. We all know that is the case.

 
   And when you're using ntlm_auth, *you* configure it to use 
 domain\user, or just user.  So to answer your question on 
 FreeRADIUS's side, go back and read your configuration.
 
  I'm confused on this point. When PEAP identity is set to 
 username my 
  auths work. When the PEAP identity is of the form 
 domain/user MSCHAP 
  fails.
 
   Yes.  This is the problem.  But it has nothing to do with PEAP.

You are right, it has nothing to do with PEAP. Freeradius gets what the
client gives it. The problem occurs in the mschap module. 

   There's no point trying to configure FreeRADIUS to do the right
 thing, when you don't even know what the right thing is.  
 Find that out first, and THEN configure the server.

I know what the right thing is. In order for the ntlm_auth to return OK
all of its arguments have to be right. When a client is set up to send
domain/user instead of just user things break down in the MSCHAP module.
The NTLM_AUTH function takes 4 arguments from freeradius. They are as
follows:

--domain %{Realm}
--username %{Stripped-User-Name}
--challenge %{mschap:Challenge:-00}
--nt-response %{mschap:NT-Response:-00}

The challenge and nt-response are both hashes based in part on the
username. The username that freeradius uses when it generates these
hashes is the full username, not the stripped username. This is what is
causing my problem.

Now, the question is how to go about fixing the problem.

Brian D.

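The two points made across these threads are the same computation seen from two sides: MS-CHAPv2 verification needs the NT hash (or the plaintext to derive it), which a crypt(3) string from /etc/shadow cannot supply, and the ChallengeHash that the mschap module hands to ntlm_auth --challenge= is computed over the bare user name, so a DOMAIN\user identity has to be stripped first. The Python below is an added example, not FreeRADIUS or rlm_mschap code: it implements the NT hash (pure-Python MD4, since hashlib may lack md4), the RFC 2759 ChallengeHash, and what with_ntdomain_hack changes; the user 'chand', domain 'MI' and challenge bytes are constructed, and the DES NT-Response step is left out.

```python
"""MS-CHAPv2 pieces (RFC 2759) as FreeRADIUS's mschap module hands them to
ntlm_auth.  Added example, not FreeRADIUS/rlm_mschap code; all sample
values below are constructed."""
import hashlib
import struct

_MASK = 0xFFFFFFFF


def _rotl(v, s):
    return ((v << s) | (v >> (32 - s))) & _MASK


def _md4_block(state, block):
    """One 64-byte MD4 compression (RFC 1320).  Pure Python is used because
    hashlib.new('md4') is unavailable on many OpenSSL 3 builds."""
    x = struct.unpack('<16I', block)
    a, b, c, d = state
    f = lambda p, q, r: (p & q) | ((p ^ _MASK) & r)
    g = lambda p, q, r: (p & q) | (p & r) | (q & r)
    h = lambda p, q, r: p ^ q ^ r
    for i in range(16):                                    # round 1
        a, b, c, d = d, _rotl((a + f(b, c, d) + x[i]) & _MASK,
                              (3, 7, 11, 19)[i % 4]), b, c
    for i, k in enumerate((0, 4, 8, 12, 1, 5, 9, 13,
                           2, 6, 10, 14, 3, 7, 11, 15)):   # round 2
        a, b, c, d = d, _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & _MASK,
                              (3, 5, 9, 13)[i % 4]), b, c
    for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14,
                           1, 9, 5, 13, 3, 11, 7, 15)):    # round 3
        a, b, c, d = d, _rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & _MASK,
                              (3, 9, 11, 15)[i % 4]), b, c
    return [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]


def md4(msg: bytes) -> bytes:
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    padded = (msg + b'\x80' + b'\x00' * ((55 - len(msg)) % 64)
              + struct.pack('<Q', len(msg) * 8))
    for off in range(0, len(padded), 64):
        state = _md4_block(state, padded[off:off + 64])
    return struct.pack('<4I', *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE password).  This is the secret the server side
    of MS-CHAPv2 needs; a crypt(3) string from /etc/shadow cannot yield it,
    which is why the thread calls the two incompatible."""
    return md4(password.encode('utf-16le'))


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes,
                   user_name: str) -> bytes:
    """RFC 2759 ChallengeHash(): the 8 bytes that %{mschap:Challenge} passes
    to 'ntlm_auth --challenge='.  Windows hashes the bare user name here."""
    data = peer_challenge + auth_challenge + user_name.encode()
    return hashlib.sha1(data).digest()[:8]


def strip_ntdomain(user_name: str) -> str:
    """What with_ntdomain_hack does before hashing: drop a 'DOMAIN\\' prefix."""
    return user_name.split('\\', 1)[1] if '\\' in user_name else user_name


def server_challenge(user_name: str, peer_challenge: bytes,
                     auth_challenge: bytes, with_ntdomain_hack: bool) -> bytes:
    """Challenge the server derives from the User-Name the client supplied."""
    name = strip_ntdomain(user_name) if with_ntdomain_hack else user_name
    return challenge_hash(peer_challenge, auth_challenge, name)


if __name__ == '__main__':
    # Constructed: the supplicant sends 'MI\chand' but hashed plain 'chand'.
    peer, auth = bytes(range(16)), bytes(range(16, 32))
    client = challenge_hash(peer, auth, 'chand')
    print('client challenge           ', client.hex())
    print('server, hack off           ',
          server_challenge('MI\\chand', peer, auth, False).hex())
    print('server, with_ntdomain_hack ',
          server_challenge('MI\\chand', peer, auth, True).hex())
    print('NT hash of "password"      ', nt_hash('password').hex())
```

With the hack off the server's challenge differs from the one the client used, so the NT-Response can never verify and ntlm_auth reports a logon failure even though the password is right.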


Re: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....

2004-05-03 Thread Alan DeKok
Dourty, Brian R. (IATS) [EMAIL PROTECTED] wrote:
 To clarify things here, the --domain and --username arguments are right,
 but the --challenge argument is incorrect.

  Ah, OK.

 The username being used in this function still contains the DOMAIN! This
 is what is keeping the auth from working. I've added debug statements to
 my code. It's using the domain/user. This won't work.

  Then the with_ntdomain_hack should be set...

 I can't change the client. I can change freeradius. The client presents
 freeradius with a domain/username. We all know that is the case.

  Yes, that's a problem.  The client is *lying* to FreeRADIUS.

 The challenge and nt-response are both hashes based in part on the
 username. The username that freeradius uses when it generates these
 hashes is the full username, not the stripped username. This is what is
 causing my problem.
 
 Now, the question is how to go about fixing the problem.

  Theoretically, using with_ntdomain_hack should help. 

  Hmm... the code you pointed out does appear to ignore
with_ntdomain_hack.  I'll fix that.  See tomorrow's CVS snapshot.

  Alan DeKok.



RE: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....

2004-05-03 Thread Dourty, Brian R. \(IATS\)
I patched the rlm_mschap.c file (attached). I pulled code from
rlm_preprocess.c that handles the with_ntdomain_hack and modified it to
work. The user_name argument being passed to challenge_hash() function
now honors the with_ntdomain_hack but my problem still exists. :-( Back
to the drawing board.

Brian D.

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On 
 Behalf Of Alan DeKok
 Sent: Monday, May 03, 2004 1:07 PM
 To: [EMAIL PROTECTED]
 Subject: Re: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question 
 
 Dourty, Brian R. (IATS) [EMAIL PROTECTED] wrote:
  To clarify things here, the --domain and --username arguments are 
  right, but the --challenge argument is incorrect.
 
   Ah, OK.
 
  The username being used in this function still contains the DOMAIN! 
  This is what is keeping the auth from working. I've added debug 
  statements to my code. It's using the domain/user. This won't work.
 
   Then the with_ntdomain_hack should be set...
 
  I can't change the client. I can change freeradius. The client 
  presents freeradius with a domain/username. We all know 
 that is the case.
 
   Yes, that's a problem.  The client is *lying* to FreeRADIUS.
 
  The challenge and nt-response are both hashes based in part on the 
  username. The username that freeradius uses when it generates these 
  hashes is the full username, not the stripped username. 
 This is what 
  is causing my problem.
  
  Now, the question is how to go about fixing the problem.
 
   Theoretically, using with_ntdomain_hack should help. 
 
   Hmm... the code you pointed out does appear to ignore 
 with_ntdomain_hack.  I'll fix that.  See tomorrow's CVS snapshot.
 
   Alan DeKok.
 
 
 


with_ntdomain_hack.patch
Description: with_ntdomain_hack.patch


Re: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....

2004-05-03 Thread Alan DeKok
Dourty, Brian R. (IATS) [EMAIL PROTECTED] wrote:
 I patched the rlm_mschap.c file (attached). I pulled code from
 rlm_preprocess.c that handles the with_ntdomain_hack and modified it to
 work.

  Similar code already existed in rlm_mschap.c.  The fix was 1 line.

  The user_name argument being passed to challenge_hash() function
 now honors the with_ntdomain_hack but my problem still exists. :-(
 Back to the drawing board.

  Hmm... you hacked the User-Name attribute, which isn't generally a
good idea.

  Try the CVS snapshot tomorrow, or grab the latest via anonymous cvs.

  Alan DeKok.




RE: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....

2004-04-30 Thread Dourty, Brian R. \(IATS\)
 
 Dourty, Brian R. (IATS) [EMAIL PROTECTED] wrote:
  1. Keeping in mind that user1 in domain1 can auth as long 
 as domain1 
  isn't supplied why does supplying domain1 cause the auth to fail?
 
   Because the MS client does the MS-CHAP calculations using 
 the username without the domain, but supplies the username to 
 the RADIUS server WITH the domain.
 
   See the list archives for more explanations.

Ok, but isn't the with_ntdomain_hack = yes directive in the
radiusd.conf file supposed to correct this behavior?

# Windows sends us a username in the form of
# DOMAIN\user, but sends the challenge response
# based on only the user portion.  This hack
# corrects for that incorrect behavior.

 
  2. What does preprocess do with realm is strips off? I'd like to be 
  able to pass the realm as a --domain option to ntlm_auth.
 
   Read the debug log.  It adds it as an attribute.

Ah yes, I see that now. New attribute is called Realm so the line in
radiusd.conf is now:

ntlm_auth = /usr/bin/ntlm_auth --domain=%{Realm} --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}

So now my args for ntlm_auth are right, but I think something is up with
mschap still. When the Challenge or Response message is generated is it
still trying to use domain/user as the username?

 
  3. Why does PEAP think the username is still domain/user? I see the 
  following in the logs while running radius -X -A
  
PEAP: Setting User-Name to UMC-USERS\dourtyb
 
   Because that's the name in the EAP identity packet.  Read 
 the debug log, it says this.
 
Should it be using Stripped-User-Name instead?
 
   No.

I'm confused on this point. When PEAP identity is set to username my
auths work. When the PEAP identity is of the form domain/user MSCHAP
fails. 

Am I wrong in thinking that with the correct configuration Freeradius
will allow me to have users from all trusted domains use the MSCHAP
module for 802.1x auth? Where am I going wrong?

Thanks!

Brian Dourty
IAT Services
University of Columbia - Missouri



Re: Freeradius PEAP Problems

2004-02-11 Thread Alan DeKok
Lionel Gavage [EMAIL PROTECTED] wrote:
 even with this option, the problem is always present!
 
 an idea ?

  <shrug>  Buy a better client?

  The tunneled session MUST include an EAP-Identity packet, which is
where the user name comes from.  If the client doesn't send it, don't
complain that FreeRADIUS is broken.  Fix the client.

  The user name is REQUIRED for MS-CHAP, which is what PEAP uses
inside of the TLS tunnel.  Any client that doesn't send a user name is
broken.

  Alan DeKok.



Re: Freeradius PEAP Problems

2004-02-09 Thread Alan DeKok
Lionel Gavage [EMAIL PROTECTED] wrote:
 I use FreeRadius snapshot 20040129 with EAP/TLS EAP/TTLS and EAP/PEAP.
 I try to set up PEAP/MS-CHAPv2 but I've the error "rlm_mschap: We require a
 User-Name for MS-CHAPv2".
 However I do send a login/pass. I use Aegis Client under Windows XP.

  Look again.  The tunneled authentication session doesn't have a username.

 You can set copy_request_to_tunnel = yes in the PEAP module.  That
should help.

  Alan DeKok.



RE: Freeradius PEAP Problems

2004-02-09 Thread Lionel Gavage
even with this option, the problem is always present!

an idea ?

Lionel Gavage

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Monday, 9 February 2004 16:45
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems


Lionel Gavage [EMAIL PROTECTED] wrote:
 I use FreeRadius snapshot 20040129 with EAP/TLS EAP/TTLS and EAP/PEAP.
 I try to set up PEAP/MS-CHAPv2 but I've the error "rlm_mschap: We require
 a User-Name for MS-CHAPv2".
 However I do send a login/pass. I use Aegis Client under Windows XP.

  Look again.  The tunneled authentication session doesn't have a username.

 You can set copy_request_to_tunnel = yes in the PEAP module.  That
should help.

  Alan DeKok.



Re: Freeradius PEAP Problems

2004-02-09 Thread José Luis Solano

Sorry Lionel!!! Another question.

I have changed my radiusd.conf and I have activated the TTLS module. But
now there are two modules activated; is that a problem?


eap {
        default_eap_type = tls   !!
        timer_expire = 60

        #md5 {
        #}

        tls {
                private_key_password = izadisan
                private_key_file = /usr/local/openssl/ssl/certs/server/server.pem
                certificate_file = /usr/local/openssl/ssl/certs/server/server.pem
                CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt
                dh_file = /usr/local/openssl/ssl/certs/dh
                random_file = /usr/local/openssl/ssl/certs/random
                fragment_size = 600
                include_length = yes
        }

        ttls {
                default_eap_type = md5   !
                use_tunneled_reply = no
        }
}

Is it correct?

My FreeRADIUS is 0.8.1; does TTLS run with this version?
For default_eap_type, is only the md5 value possible?



Thanks again Lionel




José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
- Original Message -
From: Lionel Gavage [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, February 09, 2004 4:59 PM
Subject: RE: Freeradius PEAP Problems



 Activated the TTLS module:

 ttls {
 default_eap_type = md5
 use_tunneled_reply = no
 }

 and it's all.


 Lionel Gavage

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] on behalf of José
 Luis Solano
 Sent: Monday, February 9, 2004 17:03
 To: [EMAIL PROTECTED]
 Subject: Re: Freeradius PEAP Problems


 Hi Lionel!!


 I would need your help because I use EAP-TLS, EAP-TTLS and PEAP. The first
 one, TLS, runs OK, but TTLS and PEAP don't. My first target now is to
 run TTLS and I will run PEAP after. So, can you help me please? Currently, my
 radiusd.conf is:

 
  # Extensible Authentication Protocol
  #
  #  For all EAP related authentications
  eap {
          # Invoke the default supported EAP type when
          # EAP-Identity response is received
          default_eap_type = tls

          # Default expiry time to clean the EAP list,
          # It is maintained to co-relate the
          # EAP-response for each EAP-request sent.
          timer_expire = 60

          # Supported EAP-types
          #md5 {
          #}

          ## EAP-TLS is highly experimental EAP-Type at the moment.
          #   Please give feedback on the mailing list.
          tls {
                  private_key_password = izadisan
                  private_key_file = /usr/local/openssl/ssl/certs/server/server.pem

                  #   If Private key & Certificate are located in the
                  #   same file, then private_key_file & certificate_file
                  #   must contain the same file name.
                  certificate_file = /usr/local/openssl/ssl/certs/server/server.pem

                  #   Trusted Root CA list
                  CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt

                  dh_file = /usr/local/openssl/ssl/certs/dh
                  random_file = /usr/local/openssl/ssl/certs/random
                  #
                  #   This can never exceed MAX_RADIUS_LEN (4096)
                  #   preferably half the MAX_RADIUS_LEN, to
                  #   accommodate other attributes in RADIUS packet.
                  #   On most APs the MAX packet length is configured
                  #   between 1500 - 1600. In these cases, fragment
                  #   size should be <= 1024.
                  #
                  fragment_size = 600

                  #   include_length is a flag which is by default set to yes
                  #   If set to yes, Total Length of the message is included
                  #   in EVERY packet we send.
                  #   If set to no, Total Length of the message is included
                  #   ONLY in the First packet of a fragment series.
                  #
                  include_length = yes
          }
  }
  --

 What changes do I need to use TTLS?



 Thanks in advance Lionel!!!



 José Luis Solano
 SGI - Soluciones Globales Internet S.A.
 Delegación Regional Sur
 [EMAIL PROTECTED]
 (+34) 954.088.060
 - Original Message -
 From: Lionel Gavage [EMAIL PROTECTED]
 To: freeradius-users [EMAIL PROTECTED]
 Sent: Monday, February 09, 2004 4:23 PM
 Subject: Freeradius PEAP Problems


  Hi,
 
  I

RE: Freeradius PEAP Problems

2004-02-09 Thread Lionel Gavage
Hi José,

I use a freeradius snapshot because TTLS isn't in the rpm package.
You must have the TLS module to use the TTLS module.

The directive default_eap_type (in the EAP module) must be set to tls.
That's right.
And the default_eap_type (in the TTLS module) to md5. That's right too.

I can send my config file to you if you want.

Lionel Gavage



Re: Freeradius PEAP Problems

2004-02-09 Thread José Luis Solano
Hi again and sorry if I ask you a lot!!


If you want to send me your radiusd.conf, it will be very good for me. So,
please send me your file if it's possible.


See you later!!



José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

RE: Freeradius PEAP Problems

2004-02-09 Thread Lionel Gavage
Sorry it doesn't work :(


Lionel Gavage


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of Lionel
Gavage
Sent: Monday, February 9, 2004 17:48
To: [EMAIL PROTECTED]
Subject: RE: Freeradius PEAP Problems


OK, thanks Alan, I found it thanks to you.

I added copy_request_to_tunnel = yes in the PEAP module and changed
default_eap_type = peap in the EAP module to default_eap_type = tls

Thank you

Lionel Gavage
Network Engineer (SeGI/ULg)
Email: [EMAIL PROTECTED]    Tel: +32-4-3664845
Fax: +32-4-3662920
Bat. B26 SeGI


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of Lionel
Gavage
Sent: Monday, February 9, 2004 17:19
To: [EMAIL PROTECTED]
Subject: RE: Freeradius PEAP Problems



I specified: default_eap_type = peap in the EAP module ...

Lionel Gavage





- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html