I'm a hard core Linux User with a Linux infrastructure I am attempting
to expand upon and include FreeRadius, with my existing Linux-only
OpenLDAP, Kerberos, Samba, Bind Infrastructure.
Here is my situation.
I want to be able to create MS-CHAPv2 VPNs, that use pptpd, pppd and
freeRadius.
I want
Do you know why my pppd would launch inappropriately in CHAP Mode
rather than pppd.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Do you know why my pppd would launch inappropriately in CHAP Mode
rather than MS-CHAP.
This is the configuration producing the MS-CHAP issue. No matter what I
do, it wants to use CHAP instead of MS-CHAP
radiusd.conf
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = /var/log/radius
raddbdir = /etc/raddb
radacctdir =
Contents:
localip 192.168.102.1-101
remoteip 192.168.102.102-203
option /etc/ppp/options.pptpd
Phil Mayers wrote:
Evan Vittitow wrote:
Contents:
localip 192.168.102.1-101
remoteip 192.168.102.102-203
option /etc/ppp/options.pptpd
In which case I don't have any other suggestion.
pppd decides what authentication algorithm to use - Radius does not
have any choice in the matter
When using OpenLDAP, is there a way to make CHAP work without storing
passwords as clear text?
Do you folks ever show up on Freenode's #FreeRadius channel?
I posted an idea and you decided not to reply to my questions!
I suspect that your VPN server doesn't know Microsoft Radius
attributes and refuses to send them to the radius server. I've tested
a bad setup (lack of Microsoft radius dictionary), and I get the same
radiusd -X debug log: no
Working Dictionaries requested. Anyone with known working dictionaries?
Phil Mayers wrote:
Evan Vittitow wrote:
Working Dictionaries requested. Anyone with known working dictionaries?
In all probability, you're attempting to use dictionaries which your
version of pppd+radius plugin+radiusclient can't parse.
For example, the built-in radiusclient in the ppp
The next stage of Radius is using it to secure my Wireless network. I'm
fairly sure EAP-TLS is Certificate based, and EAP-MD5 has to do with
using an MD5 Hash as a Shared Secret
But, I don't completely understand PEAP, and how it relates to MS-CHAP v2.
I want to try to use PEAP to secure my
Before implementing a broken system I recommend that you purchase and
read a book called 'Wi-Foo'. This will help you understand all of these
protocols and methods.
alan
-
Here is how I think that it works.
The AP receives an EAP message from the XSupplicant program on the
workstation.
Here is the result of my first attempt. I added a Pukey-EAP entry in
the LDAP tree but it didn't do much good. And I can't tell what's the
matter with my CA.
rad_recv: Access-Request packet from host 192.168.0.250:1110, id=8,
length=159
User-Name = Pukey-EAP
Cisco-AVPair =
I think a large part of my problem is the creation of a Certificate
authority.
This will get a little Hypothetical so let me lay a few facts out on the
table.
Mandriva 2007 discontinues CA.sh in favor of CA.pl
Certificates as far as I know, at least the demo certs are in
/etc/pki/tls - not
Alan DeKok wrote:
Evan Vittitow wrote:
I think a large part of my problem is the creation of a Certificate
authority.
Why? See the various 802.1x howto's (pointed to from freeradius.org
the wiki) for how to create certificates for the server.
It's very possible, that said
I keep getting this.
I have been following documentation.
A username and password, and optionally the CA cert so they can
trust the radius server cert.
rlm_eap: SSL error error:0B080074:x509 certificate
rad_recv: Access-Request packet from host 192.168.0.250:1175, id=66,
length=149
User-Name = kurama
Cisco-AVPair = ssid=Pukey
NAS-IP-Address = 192.168.0.250
Called-Station-Id = 004096285ceb
Calling-Station-Id = 00095b679ccf
NAS-Identifier =
[CONFIG] Socket 4 (frame handler) had an event!
Network ID from EAP hint : Pukey
If this is a wired network, the above ID can be used in the
configuration file to identify this network.
[CONFIG] Working from config file /etc/xsupplicant.conf.
Network ID from EAP hint : Pukey
If this is a wired
I got a Lull in my school work long enough such that I can work on
Free Radius, homework combined with minor Illness did that.
All right, just so everyone is on the same page. I want to implement Host
based 802.1X with PEAP or EAP-TLS. Currently, all my Samba Hosts have a
Object in the LDAP
To repeat my previous email - xsupplicant does not have a CA cert that
allows it to trust the server.
The line:
Loaded root certificate /etc/raddb/certs/cert-clt.pem
...looks wrong. It looks as if you've told xsupp that the CA cert is
the client cert, which it isn't. They're different
I finally got PEAP working, now I have two questions: should I create a
dummy account for the mschap element of authentication? Secondly, how do
I create additional certs for additional hosts in FreeRadius? As it is
now, I can only authenticate one node.
Alright, I'm going to step back and talk conceptually. The issue is that
the laptops use a combination of LDAP and Kerberos to authenticate to
the Domain Controllers. (OpenLDAP and a Kerberos KDC.) to authorize and
authenticate Humans. So you get a Chicken/Egg issue. You can't
authenticate Humans
Let me re-phrase, as I think I'm not quite making sense.
openssl req -new -keyout kurama.pem -out kurama.pem -days 730
openssl x509 -in kurama.pem -out kurama.crt
openssl req -new -keyout altanis.pem -out altanis.pem -days 730
openssl x509 -in altanis.pem -out altanis.crt
openssl req -new
Phil Mayers wrote:
Evan Vittitow wrote:
Let me re-phrase, as I think I'm not quite making sense.
openssl req -new -keyout kurama.pem -out kurama.pem -days 730
openssl x509 -in kurama.pem -out kurama.crt
openssl req -new -keyout altanis.pem -out altanis.pem -days 730
openssl x509
I'm having an issue telling my server certificate from my client
certificate:
Issues: Which of these is the client certificate, and which of these is
the server cert.
in eap.conf
private_key_file = ${raddbdir}/certs/cakey.pem
certificate_file =
I've been doing research and reading, and started using a GUI for my CA
called OpenCA.
Using this, I have created some certs
cacert.pem
cacert.key (Private Key)
A variety of Host certs in the format of host-cert.pem and host-key.pem.
(A Public/Private key per host.)
Here is my
I need help using TinyCA to manage certificates with FreeRadius. I keep
getting this.
modcall[authorize]: module suffix returns noop for request 1
rlm_eap: EAP packet type response id 144 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module
FreeRadius is booting the EAP clients if more than one EAP node shows up
on the AP. XSupplicant and Radius give the EoAoL message to boot
additional nodes. And my Aironet, while succeeded in authentication,
reassociates with the other APs in a standard association, not an EAP one.
29 matches