Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not

2010-08-30 Thread Jean-Yves Avenard
Hi

On 27 August 2010 23:06, Alan DeKok al...@deployingradius.com wrote:
 Jean-Yves Avenard wrote:
 You seem to miss the point that the issue occurs *only* with Win 7
 clients. All other clients are fine.

  I don't really care which client it is.  All that matters is:

 a) what data is in the packet

 b) what you configure the server to do with that data


  You have posted output from (a).  That's nice.  You *also* need (as I
 said already) to configure the server for (b).

Okay..
As requested.
Here is the log from the Win 7 client, when it is configured in
Advanced Settings - 802.11X Settings - Specify authentication mode:
user authentication

I've preceded each line with  so if like me you are using gmail, it's
easier to skip through


 rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=103, 
 length=177
   User-Name = jean-yves.avenard
   NAS-IP-Address = 192.168.0.20
   NAS-Port = 0
   Called-Station-Id = 00-1C-B3-AD-13-5F:HYDRIX-TEST
   Calling-Station-Id = C4-46-19-25-31-52
   Framed-MTU = 1400
   NAS-Port-Type = Wireless-802.11
   Connect-Info = CONNECT 0Mbps 802.11
   EAP-Message = 0x02d40016016a65616e2d797665732e6176656e617264
   Message-Authenticator = 0xd617293cc36f9d2934e4364c48696da2
 +- entering group authorize {...}
 ++[preprocess] returns ok
 ++[chap] returns noop
 ++[mschap] returns noop
 [suffix] No '@' in User-Name = jean-yves.avenard, looking up realm NULL
 [suffix] No such realm NULL
 ++[suffix] returns noop
 [eap] EAP packet type response id 212 length 22
 [eap] No EAP Start, assuming it's an on-going EAP conversation
 ++[eap] returns updated
 ++[unix] returns updated
 ++[files] returns noop
 rlm_opendirectory: The host 192.168.0.20 does not have an access group.
 rlm_opendirectory: User jean-yves.avenard is authorized.
 ++[opendirectory] returns ok
 ++[expiration] returns noop
 ++[logintime] returns noop
 [pap] Found existing Auth-Type, not changing it.
 ++[pap] returns noop
 Found Auth-Type = EAP
 +- entering group authenticate {...}
 [eap] EAP Identity
 [eap] processing type tls
 [tls] Initiate
 [tls] Start returned 1
 ++[eap] returns handled
 Sending Access-Challenge of id 103 to 192.168.0.20 port 65513
   EAP-Message = 0x01d500061920
   Message-Authenticator = 0x
   State = 0x56ebca49563ed3c34eaeaec5306add89
 Finished request 0.
 Going to the next request
 Waking up in 4.9 seconds.
 rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=104, 
 length=304
   User-Name = jean-yves.avenard
   NAS-IP-Address = 192.168.0.20
   NAS-Port = 0
   Called-Station-Id = 00-1C-B3-AD-13-5F:HYDRIX-TEST
   Calling-Station-Id = C4-46-19-25-31-52
   Framed-MTU = 1400
   NAS-Port-Type = Wireless-802.11
   Connect-Info = CONNECT 0Mbps 802.11
   EAP-Message = 
 0x02d50083198000791603010074017003014c7bbc6f1988ef8942fd2a91e0d171c08e57e6f23dbce06bfb570dc2a39ee7b218002f00350005000ac013c014c009c00a0032003800130004012fff010001160014116a65616e2d797665732e6176656e617264000a0006000400170018000b00020100
   State = 0x56ebca49563ed3c34eaeaec5306add89
   Message-Authenticator = 0xdc87572842154eda0af298bfad361a81
 +- entering group authorize {...}
 ++[preprocess] returns ok
 ++[chap] returns noop
 ++[mschap] returns noop
 [suffix] No '@' in User-Name = jean-yves.avenard, looking up realm NULL
 [suffix] No such realm NULL
 ++[suffix] returns noop
 [eap] EAP packet type response id 213 length 131
 [eap] Continuing tunnel setup.
 ++[eap] returns ok
 Found Auth-Type = EAP
 +- entering group authenticate {...}
 [eap] Request found, released from the list
 [eap] EAP/peap
 [eap] processing type peap
 [peap] processing EAP-TLS
  TLS Length 121
 [peap] Length Included
 [peap] eaptls_verify returned 11
 [peap] (other): before/accept initialization
 [peap] TLS_accept: before/accept initialization
 [peap]  TLS 1.0 Handshake [length 0074], ClientHello
 [peap] TLS_accept: SSLv3 read client hello A
 [peap]  TLS 1.0 Handshake [length 002a], ServerHello
 [peap] TLS_accept: SSLv3 write server hello A
 [peap]  TLS 1.0 Handshake [length 068a], Certificate
 [peap] TLS_accept: SSLv3 write certificate A
 [peap]  TLS 1.0 Handshake [length 0004], ServerHelloDone
 [peap] TLS_accept: SSLv3 write server done A
 [peap] TLS_accept: SSLv3 flush data
 [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
 In SSL Handshake Phase
 In SSL Accept mode
 [peap] eaptls_process returned 13
 [peap] EAPTLS_HANDLED
 ++[eap] returns handled
 Sending Access-Challenge of id 104 to 192.168.0.20 port 65513
   EAP-Message = 
 

Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not

2010-08-30 Thread Fajar A. Nugraha
On Mon, Aug 30, 2010 at 9:25 PM, Jean-Yves Avenard jyaven...@gmail.com wrote:
 This is from a Win 7 client, using default configuration settings that
 is just username / password and that Authentication is PEAP:MSCHAPv2

 rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=112, 
 length=163
       User-Name = host/ramon


  So... what *should* the User-Name look like?  This is for you to decide.

 I'm not sure I follow what you're saying here...
 I am only interested at this stage in the user name, not the computer
 name as part of the User-Name

 If you could point me to directions on how to configure the server for
 (b), it would be greatly appreciated.

I think what Alan is saying is look at what User-Name being sent by
the CLIENT. Your Win7 client log says the client is sending User-Name
= host/ramon. If you want it to be something like, change the
client configuration. At this point, it has nothing to do with server
configuration.

There might be some checkbox somewhere on your Win7 that says
"Authenticate as computer when computer information is available" or
something like that. Uncheck it. A Windows 7 user might be able to help
you more (or you could ask MS).

-- 
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not

2010-08-30 Thread Jean-Yves Avenard
Hi

On 31 August 2010 02:04, Fajar A. Nugraha fa...@fajar.net wrote:
 I think what Alan is saying is look at what User-Name being sent by
 the CLIENT. Your Win7 client log says the client is sending User-Name
 = host/ramon. If you want it to be something like, change the
 client configuration. At this point, it has nothing to do with server
 configuration.

 There might be some checkbox somewhere on your Win7 that says
 "Authenticate as computer when computer information is available" or
 something like that. Uncheck it. A Windows 7 user might be able to help
 you more (or you could ask MS).

All right, so this is what I thought it was and I have provided the
solution already.
On Windows 7, you go into Advanced Settings - 802.11X Settings -
Specify authentication mode:
and select user authentication


Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not

2010-08-30 Thread Alan DeKok
Jean-Yves Avenard wrote:
 As requested.
 Here is the log from the Win 7 client, when it is configured in
 Advanced Settings - 802.11X Settings - Specify authentication mode:
 user authentication

  The first debug log shows the user being found by the unix module.
i.e. the User-Name has an entry in /etc/passwd, or the Apple equivalent.

  The second debug log shows that the user is *not* found by the unix
module.

 I'm not sure I follow what you're saying here...
 I am only interested at this stage in the user name, not the computer
 name as part of the User-Name

  I'm aware of that.  I'm saying that *you* need to figure out which is
which, and edit the configuration to use the right one.

 If you could point me to directions on how to configure the server for
 (b), it would be greatly appreciated.

  Edit raddb/sites-enabled/inner-tunnel, the authorize section:

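authorize {
        ...

        # If User-Name contains a "/" (e.g. host/ramon), copy the part
        # after the first "/" into Stripped-User-Name.
        if (User-Name =~ /\/(.*)/) {
                update request {
                        Stripped-User-Name := "%{1}"
                }
        }
        ...
}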


Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not

2010-08-30 Thread Jean-Yves Avenard
Hi

On Tuesday, August 31, 2010, Alan DeKok al...@deployingradius.com wrote:
   The first debug log shows the user being found by the unix module.
 i.e. the User-Name has an entry in /etc/passwd, or the Apple equivalent.

   The second debug log shows that the user is *not* found by the unix
 module.


Yes, because in the 2nd case, Win 7 sent the name of the computer instead.

   I'm aware of that.  I'm saying that *you* need to figure out which is
 which, and edit the configuration to use the right one.

But configuration where? on the freeradius server or win 7?


 If you could point me to directions on how to configure the server for
 (b), it would be greatly appreciated.

   Edit raddb/sites-enabled/inner-tunnel, the authorize section:

 authorize {
         ...

         if (User-Name =~ /\/(.*)/) {
                 update request {
                         Stripped-User-Name := "%{1}"
                 }
         }
         ...
 }

This would only help if the user format is in the form of blah/user ;
which it isn't when the user name is sent and not the computer's name.

Looking at the log, I don't think that when win7 sent the computer
name as the login, the user's name is sent anywhere, so configuration
change can only be done on the win7 client

JY



Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not

2010-08-30 Thread Fajar A. Nugraha
On Tue, Aug 31, 2010 at 10:41 AM, Jean-Yves Avenard jyaven...@gmail.com wrote:
 Looking at the log, I don't think that when win7 sent the computer
 name as the login, the user's name is sent anywhere, so configuration
 change can only be done on the win7 client

So did you finally manage to get it working by changing the
configuration on the client?

-- 
Fajar


Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not

2010-08-30 Thread Jean-Yves Avenard
Hi

On 31 August 2010 13:58, Fajar A. Nugraha fa...@fajar.net wrote:
 On Tue, Aug 31, 2010 at 10:41 AM, Jean-Yves Avenard jyaven...@gmail.com 
 wrote:
 Looking at the log, I don't think that when win7 sent the computer
 name as the login, the user's name is sent anywhere, so configuration
 change can only be done on the win7 client

 So did you finally manage to get it working by changing the
 configuration on the client?

oh yes...

Did so last week and reported it here :)

You go and edit a new wireless profile, you go into Advanced Settings
- 802.11X Settings - Specify authentication mode:
and select user authentication


Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not

2010-08-27 Thread Jean-Yves Avenard
Hi

On 26 August 2010 23:35, Alan DeKok al...@deployingradius.com wrote:
 Jean-Yves Avenard wrote:
 I am running freeradius that comes installed and configured with MacOS
 10.6 server.

 A Windows XP can connect just fine using Microsoft Protected EAP.
 iPhone, mac os client connect just fine using EAP-TTLS

 Windows 7 will connect fine using Securew2 EAP-TTLS supplicant ; but
 not with the default built-in PEAP.

  The log you posted shows a clear issue:

 When connecting with Windows 7, I would read:

 Thu Aug 26 02:21:52 2010 : Auth: rlm_opendirectory: Could not get the
 user's uuid.
 Thu Aug 26 02:21:53 2010 : Error: rlm_mschap: getUserNodeRef():
 dsGetRecordList() status = 0, recCount=0


 Any hint about what I should be looking at?

  Run the server in debugging mode (radiusd -X).  Look for the above
 errors, and *read* the lines of text around them.

  Then use the information from the debug output to look the user up in
 OpenDirectory.  Odds are that the user doesn't exist, which is why it
 can't get the UUID.

 Mind new, I'm a complete noob when it comes to radius, I only started
 playing with it 2 days ago.

  This isn't much of a RADIUS error.  The user lookup in OpenDirectory
 fails, and the UUID wasn't found.  The only issue is *who* was being
 looked up, and *why* the UUID wasn't found.

  Alan DeKok.


All right...

Here are some logs...

rad_recv: Access-Request packet from host 192.168.0.20 port 65513,
id=51, length=163
User-Name = host/ramon
NAS-IP-Address = 192.168.0.20
NAS-Port = 0
Called-Station-Id = 00-1C-B3-AD-13-5F:HYDRIX-TEST
Calling-Station-Id = C4-46-19-25-31-52
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 0Mbps 802.11
EAP-Message = 0x027e000f01686f73742f72616d6f6e
Message-Authenticator = 0x4f4536256e97a2b596511e8560ef07ca
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = host/ramon, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 126 length 15
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
rlm_opendirectory: The host 192.168.0.20 does not have an access group.
rlm_opendirectory: Could not get the user's uuid.
++[opendirectory] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[snip]

By default it tries to connect with the computer name rather than the
user name..
Going into the Advanced option, I can force the type of authentication
used to User Authentication...

From there it worked ...

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
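
Added example, not part of the original thread and not FreeRADIUS code: a small Python decoder for the EAP-Message values printed in the debug logs of this thread (the host/ramon request above and the user-mode request in the 2010-08-30 log). It shows that the Windows 7 default sends the machine identity and what the regex rule posted in the thread would extract from each identity. Function and key names are illustrative, and Python's re module stands in for the server's regex engine.

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_BASED = {13, 21, 25}

# EAP-Message values copied from the radiusd -X output in this thread.
SAMPLES = {
    "win7_user_mode": "0x02d40016016a65616e2d797665732e6176656e617264",
    "win7_default": "0x027e000f01686f73742f72616d6f6e",
    "server_challenge": "0x01d500061920",
}


def parse_eap(hex_value):
    """Decode one EAP packet given as the hex string radiusd prints."""
    text = hex_value.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        # Happens when the log line was truncated or the packet spans
        # several EAP-Message attributes that were not concatenated.
        raise ValueError(f"header says {length} bytes, got {len(raw)}")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:
        eap_type, data = raw[4], raw[5:]
        pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:
            # Identity: the rest of the packet is the name the client sends.
            pkt["identity"] = data.decode("utf-8", errors="replace")
        elif eap_type in TLS_BASED and data:
            flags = data[0]
            pkt["flags"] = {"length_included": bool(flags & 0x80),
                            "more_fragments": bool(flags & 0x40),
                            "start": bool(flags & 0x20)}
    return pkt


def is_machine_identity(identity):
    """Windows computer authentication uses the form host/<computer name>."""
    return identity.lower().startswith("host/")


def stripped_user_name(identity):
    """Python equivalent of the rule  if (User-Name =~ /\\/(.*)/)  from the
    thread: return what %{1} would hold, or None when there is no match."""
    match = re.search(r"/(.*)", identity)
    return match.group(1) if match else None


def report(samples):
    """One row per sample: name, code, id, type, identity, machine?, %{1}."""
    rows = []
    for name, value in samples.items():
        pkt = parse_eap(value)
        ident = pkt.get("identity")
        rows.append((name, pkt["code"], pkt["id"], pkt.get("type"), ident,
                     is_machine_identity(ident) if ident else None,
                     stripped_user_name(ident) if ident else None))
    return rows


if __name__ == "__main__":
    for row in report(SAMPLES):
        print(row)
```

For host/ramon the rule yields the computer name ramon, not a user name, and for jean-yves.avenard it does not match at all.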


Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not

2010-08-27 Thread Alan DeKok
Jean-Yves Avenard wrote:
 Here are some logs...
...
 rlm_opendirectory: The host 192.168.0.20 does not have an access group.

  And... what does this message mean?  It's an OpenDirectory error
message, so find out what it means, and how to fix it.

 rlm_opendirectory: Could not get the user's uuid.

  Which looks like a direct consequence of the previous message.

 By default it tries to connect with the computer name rather than the
 user name..

  Because that's what's in the RADIUS packet.  If you want it to use
something *other* than what's in the packet, you will need to configure
the server to use the correct field.

  So which field do you want to use?

  Alan DeKok.


Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not

2010-08-27 Thread Jean-Yves Avenard
Hi

On 27 August 2010 20:46, Alan DeKok al...@deployingradius.com wrote:
 Jean-Yves Avenard wrote:
 Here are some logs...
 ...
 rlm_opendirectory: The host 192.168.0.20 does not have an access group.

  And... what does this message mean?  It's an OpenDirectory error
 message, so find out what it means, and how to fix it.


192.168.0.20 is the wireless access point

 rlm_opendirectory: Could not get the user's uuid.

  Which looks like a direct consequence of the previous message.


no, this is a consequence of it trying to lookup the machine name
instead of the user name

 By default it tries to connect with the computer name rather than the
 user name..

  Because that's what's in the RADIUS packet.  If you want it to use
 something *other* than what's in the packet, you will need to configure
 the server to use the correct field.

  So which field do you want to use?

As mentioned before; the username.

You seem to miss the point that the issue occurs *only* with Win 7
clients. All other clients are fine.



Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not

2010-08-27 Thread Phil Mayers

On 27/08/10 13:38, Jean-Yves Avenard wrote:



You seem to miss the point that the issue occurs *only* with Win 7
clients. All other clients are fine.


Please post the debug output of freeradius, obtained by running:

radiusd -X

...for a working and failing case.


Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not

2010-08-27 Thread Alan DeKok
Jean-Yves Avenard wrote:
 You seem to miss the point that the issue occurs *only* with Win 7
 clients. All other clients are fine.

  I don't really care which client it is.  All that matters is:

a) what data is in the packet

b) what you configure the server to do with that data


  You have posted output from (a).  That's nice.  You *also* need (as I
said already) to configure the server for (b).

  Unfortunately, the OpenDirectory module does not take any
configuration.  This means that you will need to edit the User-Name
attribute *before* it is used by the opendirectory module.

  So... what *should* the User-Name look like?  This is for you to decide.

  Alan DeKok.


Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not

2010-08-26 Thread Alan DeKok
Jean-Yves Avenard wrote:
 I am running freeradius that comes installed and configured with MacOS
 10.6 server.
 
 A Windows XP can connect just fine using Microsoft Protected EAP.
 iPhone, mac os client connect just fine using EAP-TTLS
 
 Windows 7 will connect fine using Securew2 EAP-TTLS supplicant ; but
 not with the default built-in PEAP.

  The log you posted shows a clear issue:

 When connecting with Windows 7, I would read:
 
 Thu Aug 26 02:21:52 2010 : Auth: rlm_opendirectory: Could not get the
 user's uuid.
 Thu Aug 26 02:21:53 2010 : Error: rlm_mschap: getUserNodeRef():
 dsGetRecordList() status = 0, recCount=0
 
 
 Any hint about what I should be looking at?

  Run the server in debugging mode (radiusd -X).  Look for the above
errors, and *read* the lines of text around them.

  Then use the information from the debug output to look the user up in
OpenDirectory.  Odds are that the user doesn't exist, which is why it
can't get the UUID.

 Mind new, I'm a complete noob when it comes to radius, I only started
 playing with it 2 days ago.

  This isn't much of a RADIUS error.  The user lookup in OpenDirectory
fails, and the UUID wasn't found.  The only issue is *who* was being
looked up, and *why* the UUID wasn't found.

  Alan DeKok.


Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not

2010-08-26 Thread Jean-Yves Avenard
Hi

On Thursday, August 26, 2010, Alan DeKok al...@deployingradius.com wrote:
 Jean-Yves Avenard wrote:
 I am running freeradius that comes installed and configured with MacOS
 10.6 server.

 A Windows XP can connect just fine using Microsoft Protected EAP.
 iPhone, mac os client connect just fine using EAP-TTLS

 Windows 7 will connect fine using Securew2 EAP-TTLS supplicant ; but
 not with the default built-in PEAP.

   The log you posted shows a clear issue:

 When connecting with Windows 7, I would read:

 Thu Aug 26 02:21:52 2010 : Auth: rlm_opendirectory: Could not get the
 user's uuid.
 Thu Aug 26 02:21:53 2010 : Error: rlm_mschap: getUserNodeRef():
 dsGetRecordList() status = 0, recCount=0


 Any hint about what I should be looking at?

   Run the server in debugging mode (radiusd -X).  Look for the above
 errors, and *read* the lines of text around them.

   Then use the information from the debug output to look the user up in
 OpenDirectory.  Odds are that the user doesn't exist, which is why it
 can't get the UUID.

I was the one doing the testing. Username/password are identical in all tests.


 Mind new, I'm a complete noob when it comes to radius, I only started
 playing with it 2 days ago.

   This isn't much of a RADIUS error.  The user lookup in OpenDirectory
 fails, and the UUID wasn't found.  The only issue is *who* was being
 looked up, and *why* the UUID wasn't found.


Will run radius in debug mode and report back. I'm still puzzled why
there would be a difference between 7 and XP in the way they are
transmitting the user name



Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not

2010-08-26 Thread Nolan King
Check the capitalization of the username. I have seen instances where XP clients
send all lower, and Win7 capitalised the first two characters.

nolan
-- 

Nolan King
Moulton Niguel Water District
27500 La Paz Rd.
Laguna Niguel, CA 92677
(949) 425-3542
24hr: (949) 831-2500




Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not

2010-08-26 Thread Jean-Yves Avenard
On 27 August 2010 05:19, Nolan King nk...@mnwd.com wrote:
 Check the capitalization of the username. I have seen instances where XP clients
 send all lower, and Win7 capitalised the first two characters.


What do you do in this case then?

Have a script run by freeradius putting all characters as lower case?


Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not

2010-06-05 Thread Josip Rodin
On Sat, Jun 05, 2010 at 12:50:59AM +0200, David wrote:
 connecting with Window 7 the following gets written to radius.log:
 
 Sat Jun  5 00:00:59 2010 : Info: rlm_eap_md5: Issuing Challenge
 Sat Jun  5 00:00:59 2010 : Info: rlm_eap_mschapv2: Issuing Challenge
 
 As opposed to EAP-TTLS, then the following gets written:
 
 Sat Jun  5 00:03:23 2010 : Info: rlm_eap_md5: Issuing Challenge
 
 Does anyone know where the problem may be? I cannot think of anything
 to try anymore.

Run the server with freeradius -X and record the output?

-- 
 2. That which causes joy or happiness.