Re: Linksys WIFI Authentication using freeradius?
On Fri, Dec 9, 2011 at 11:36 PM, Michel Bulgado <mic...@casa.co.cu> wrote:
> In conclusion, from what we discussed: my Linksys router does send accounting packets after authenticating my user, but they are not shown, or at least are suppressed by TTLS. Is that not so? So should I change the mechanism I use?

Like Alan said, some NAS simply won't work for what you're trying to achieve, because they don't send accounting packets. Fix the NAS.

There is another alternative. Instead of using 802.1X, you could use a captive portal. ChilliSpot (and derivatives) is widely used and can send accounting packets just fine. It's more complex to set up (e.g. it requires you to set up a web server, and to have a server or wireless AP which can function as the captive portal), but it should work with any wireless access point that is either:
- captive-portal-capable (e.g. anything that can be flashed with dd-wrt standard or higher), OR
- able to bridge wireless to the wired network, effectively putting wireless clients in the same Ethernet broadcast domain as wired clients. You'd still need a captive portal, but in this setup the captive portal can be another AP or a server.

--
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Linksys WIFI Authentication using freeradius?
Fajar A. Nugraha <l...@fajar.net> wrote:
> On Fri, Dec 9, 2011 at 11:36 PM, Michel Bulgado <mic...@casa.co.cu> wrote:
>> In conclusion, from what we discussed: my Linksys router does send accounting packets after authenticating my user, but they are not shown, or at least are suppressed by TTLS. Is that not so? So should I change the mechanism I use?
>
> Like Alan said, some NAS simply won't work for what you're trying to achieve, because they don't send accounting packets. Fix the NAS.
>
> There is another alternative. Instead of using 802.1X, you could use a captive portal. ChilliSpot (and derivatives) is widely used and can send accounting packets just fine. It's more complex to set up (e.g. it requires you to set up a web server, and to have a server or wireless AP which can function as the captive portal), but it should work with any wireless access point that is either:
> - captive-portal-capable (e.g. anything that can be flashed with dd-wrt standard or higher), OR
> - able to bridge wireless to the wired network, effectively putting wireless clients in the same Ethernet broadcast domain as wired clients. You'd still need a captive portal, but in this setup the captive portal can be another AP or a server.
>
> --
> Fajar

Fajar

My WLAN is a WRT-110, so DD-WRT is not supported on this model. I wondered if I could at least implement Simultaneous-Use so that I can limit the user to connecting once, but I think it is not possible: it would at least have to check the radacct table, which is where the accounting is stored, and, returning to the above, that is not possible. This router is commercial; maybe because of its commercial nature, the firmware it has installed does not send those packets.

Regards
Michel
--
Webmail, e-mail service of Casa de las Americas - La Habana, Cuba.
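Why Simultaneous-Use cannot help when the NAS never sends accounting, as an added example (this is neither code from the thread nor FreeRADIUS's rlm_sql; it is a reduced model of the check). FreeRADIUS counts a user's open sessions as radacct rows whose acctstoptime is still NULL; a row only exists because the NAS sent an Accounting-Request Start, and is only closed by the matching Stop. The column names below follow the radacct schema; the helper names, the session id and the NAS address 10.0.0.2 are assumptions of this example.

```python
"""Added example (not FreeRADIUS code): why Simultaneous-Use needs accounting.

The Simultaneous-Use check counts the user's open sessions in radacct, i.e.
rows whose acctstoptime is still NULL. A row appears only when the NAS sends
an Accounting-Request with Acct-Status-Type = Start and is closed only by the
matching Stop. The table keeps just the columns that check needs; helper
names, session id and NAS address are assumptions of this example.
"""
import sqlite3

SCHEMA = """
CREATE TABLE radacct (
    radacctid     INTEGER PRIMARY KEY,
    acctsessionid TEXT NOT NULL,
    username      TEXT NOT NULL,
    nasipaddress  TEXT NOT NULL,
    acctstarttime TEXT,
    acctstoptime  TEXT
);
"""


def open_db():
    """In-memory stand-in for the MySQL radius database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def acct_start(db, username, session_id, nas_ip):
    """What the accounting section's sql call does on Acct-Status-Type = Start:
    record an open session (no acctstoptime yet)."""
    db.execute(
        "INSERT INTO radacct (acctsessionid, username, nasipaddress, acctstarttime) "
        "VALUES (?, ?, ?, datetime('now'))",
        (session_id, username, nas_ip),
    )


def acct_stop(db, username, session_id, nas_ip):
    """Acct-Status-Type = Stop: close the matching open session."""
    db.execute(
        "UPDATE radacct SET acctstoptime = datetime('now') "
        "WHERE acctsessionid = ? AND username = ? AND nasipaddress = ? "
        "AND acctstoptime IS NULL",
        (session_id, username, nas_ip),
    )


def open_sessions(db, username):
    """The simultaneous-use count: sessions that were started and never stopped."""
    (n,) = db.execute(
        "SELECT COUNT(*) FROM radacct WHERE username = ? AND acctstoptime IS NULL",
        (username,),
    ).fetchone()
    return n


def authorize(db, username, simultaneous_use):
    """Accept the login unless the user already holds simultaneous_use sessions."""
    return open_sessions(db, username) < simultaneous_use


def demo(username="michel", limit=1):
    """Walk through both cases and return the decisions for inspection."""
    db = open_db()
    out = {}
    # Case 1: a NAS that authenticates but never sends accounting (the WRT-110
    # situation). Nothing is ever inserted, so a second, third, ... login is
    # accepted no matter how many sessions are really up.
    out["silent_nas_second_login"] = authorize(db, username, limit)
    # Case 2: a NAS that does send Start/Stop. The same check now works.
    acct_start(db, username, "sess-1", "10.0.0.2")  # hypothetical NAS address
    out["after_start_second_login"] = authorize(db, username, limit)
    acct_stop(db, username, "sess-1", "10.0.0.2")
    out["after_stop"] = authorize(db, username, limit)
    out["open_after_stop"] = open_sessions(db, username)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The first case is the WRT-110 situation: with an empty radacct the limit is never reached, so the setting is silently ineffective rather than wrong. The second case shows the other trap of accounting-driven limits: if a Start arrives but the Stop is lost (the AP reboots, for example), the row stays open and the user is locked out until it is cleaned up, which is why a real deployment pairs the count with interim updates (Michel's Access-Challenge already carries Acct-Interim-Interval = 60) and some liveness check of the NAS. In FreeRADIUS 2.x the check itself is enabled by the sql entry in the session section of sites-available/default, with Simultaneous-Use as a check item in radcheck or radgroupcheck.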
Re: Linksys WIFI Authentication using freeradius?
On 12/08/2011 10:06 PM, Fajar A. Nugraha wrote:
> On Fri, Dec 9, 2011 at 9:39 AM, <mic...@casa.co.cu> wrote:
>> Michel Bulgado <mic...@casa.co.cu> wrote:
>>> On 12/08/2011 04:26 PM, Fajar A. Nugraha wrote:
>>>> On Fri, Dec 9, 2011 at 4:11 AM, Michel Bulgado <mic...@casa.co.cu> wrote:
>>>>> After the user authenticates and connects to the wireless, I noticed that the radacct table was empty; probing the inner-tunnel file I found this: "There are no accounting Requests inside of EAP-TTLS or PEAP tunnels." What other variants can I choose to run the accounting?
>>>>
>>>> sites-available/default: look for sql in the accounting section.
>>>
>>> This is my accounting section in /etc/raddb/sites-available/default:
>>>
>>> accounting {
>>>     detail
>>>     sql
>>> }
>>>
>>> And it doesn't work.
>>>
>>> Michel
>>
>> Hello again
>>
>> As confirmed in my previous email, I have a problem: I have configured freeradius to support tunneled TLS, better known as TTLS; my users can connect using a username and password, but after connecting, the accounting in mysql is not performed. I was reviewing seconds
>
> Let's go back to the basics. Does your NAS send accounting packets? (hint: run FR in debug mode, then get a client to connect and disconnect)
>
> Some NAS (last time I tried with dd-wrt) can authenticate using EAP, but can't send accounting packets.

Hi Fajar

I ran radiusd in debug mode. This is the output of the request:

rad_recv: Access-Request packet from host 192.168.25.15 port 32771, id=125, length=121
    User-Name = michel
    NAS-IP-Address = 192.168.30.1
    NAS-Port = 0
    Called-Station-Id = 00-1E-E5-F4-7B-21
    Calling-Station-Id = 00-1F-E1-2B-28-57
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x0201000b016d696368656c
    Message-Authenticator = 0x72d68fa1027b67d016dd173b01c92dcf
+- entering group authorize {...}
++[preprocess] returns ok
[eap] EAP packet type response id 1 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql]   expand: %{User-Name} -> michel
[sql] sql_set_user escaped user --> 'michel'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'michel' ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'michel' ORDER BY id
[sql]   expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'michel' ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Computacion' ORDER BY id
[sql] User found in group Computacion
[sql]   expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Computacion' ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
rlm_checkval: Item Name: Calling-Station-Id, Value: 00-1F-E1-2B-28-57
rlm_checkval: Value Name: Calling-Station-Id, Value: 00-1F-E1-2B-28-57
++[checkval] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 125 to 192.168.25.15 port 32771
    Framed-Compression := Van-Jacobson-TCP-IP
    Framed-Protocol := PPP
    Service-Type := Framed-User
    Acct-Interim-Interval = 60
    EAP-Message = 0x010200061520
    Message-Authenticator = 0x
    State = 0xa86f76f4a86d635fb1337e0b98514b2f
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.25.15 port 32771, id=126, length=240
    User-Name = michel
    NAS-IP-Address = 192.168.30.1
    NAS-Port = 0
    Called-Station-Id = 00-1E-E5-F4-7B-21
    Calling-Station-Id = 00-1F-E1-2B-28-57
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x02020070158000661603010061015d03014ee2247053e29359e617993c10c473b4005b225795041ba292b2e85d81f47f553600390038003500160013000a00330032002f0007006600050004006300620061001500120009006500640060001400110008000600030100
    State =
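The check Fajar asks for above ("does your NAS send accounting packets?") can be made mechanical instead of reading the debug transcript by eye, because every packet the server receives is announced by a rad_recv: header, and an Accounting-Request always arrives from the NAS as its own packet, never inside the EAP tunnel. The scanner below is an added example, not code from the thread or from the FreeRADIUS project. SAMPLE_DEBUG is constructed: its first packet mirrors Michel's output, while the second NAS at 10.0.0.2 and the user alice are hypothetical, added so that the contrast between a silent NAS and one that sends Start/Stop is visible.

```python
"""Added example (not FreeRADIUS code): scan 'radiusd -X' output and report,
per sending host, how many Access-Requests and Accounting-Requests arrived.

A NAS that shows Access-Requests but no Accounting-Request in a full
connect/disconnect cycle is the NAS Alan and Fajar are talking about:
nothing server-side (sql in the accounting section, Simultaneous-Use, ...)
can produce rows that the NAS never sent.
"""
import re
from collections import defaultdict

# Header FreeRADIUS 2.x prints for every received packet.
RAD_RECV = re.compile(
    r"^rad_recv: (?P<code>[A-Za-z-]+) packet from host (?P<host>\S+) "
    r"port (?P<port>\d+), id=(?P<id>\d+), length=(?P<len>\d+)"
)
# Attribute lines are indented 'Name = value'; module output ('[sql] ...',
# '++[eap] ...', '+- entering ...') is not indented and ends the dump.
ATTR = re.compile(r"^\s+(?P<name>[A-Za-z0-9-]+) = (?P<value>.*)$")

# Constructed transcript: first packet mirrors the thread, 10.0.0.2/alice are
# hypothetical and exist only to show what a NAS that does accounting looks like.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 192.168.25.15 port 32771, id=125, length=121
\tUser-Name = "michel"
\tNAS-IP-Address = 192.168.30.1
\tNAS-Port-Type = Wireless-802.11
\tEAP-Message = 0x0201000b016d696368656c
+- entering group authorize {...}
++[preprocess] returns ok
Sending Access-Challenge of id 125 to 192.168.25.15 port 32771
\tEAP-Message = 0x010200061520
rad_recv: Access-Request packet from host 192.168.25.15 port 32771, id=126, length=240
\tUser-Name = "michel"
\tNAS-Port-Type = Wireless-802.11
+- entering group authorize {...}
rad_recv: Access-Request packet from host 10.0.0.2 port 1645, id=7, length=130
\tUser-Name = "alice"
\tNAS-Port-Type = Wireless-802.11
+- entering group authorize {...}
rad_recv: Accounting-Request packet from host 10.0.0.2 port 1646, id=8, length=95
\tUser-Name = "alice"
\tAcct-Status-Type = Start
\tAcct-Session-Id = "5f3a9c01"
+- entering group preacct {...}
rad_recv: Accounting-Request packet from host 10.0.0.2 port 1646, id=9, length=110
\tUser-Name = "alice"
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "5f3a9c01"
\tAcct-Session-Time = 600
+- entering group preacct {...}
"""


def parse_packets(text):
    """Return [{'code', 'host', 'id', 'attrs'}] for every received packet.
    Only the indented attribute lines directly under a rad_recv header are
    collected; the reply dump under 'Sending ...' is deliberately ignored."""
    packets, current = [], None
    for line in text.splitlines():
        m = RAD_RECV.match(line)
        if m:
            current = {"code": m["code"], "host": m["host"],
                       "id": int(m["id"]), "attrs": {}}
            packets.append(current)
            continue
        if current is None:
            continue
        a = ATTR.match(line)
        if a:
            current["attrs"][a["name"]] = a["value"].strip('"')
        else:
            current = None  # first non-attribute line ends the packet dump
    return packets


def accounting_summary(packets):
    """Per NAS host: Access-Request count, Accounting-Request count and the
    Acct-Status-Type values seen (a healthy cycle shows Start and Stop)."""
    summary = defaultdict(lambda: {"access": 0, "acct": 0, "status": set()})
    for p in packets:
        s = summary[p["host"]]
        if p["code"] == "Access-Request":
            s["access"] += 1
        elif p["code"] == "Accounting-Request":
            s["acct"] += 1
            s["status"].add(p["attrs"].get("Acct-Status-Type", "?"))
    return dict(summary)


def nas_without_accounting(packets):
    """Hosts that authenticated users but never sent one Accounting-Request."""
    return sorted(h for h, s in accounting_summary(packets).items()
                  if s["access"] and not s["acct"])


if __name__ == "__main__":
    pk = parse_packets(SAMPLE_DEBUG)
    for host, s in accounting_summary(pk).items():
        print(f"{host}: access={s['access']} acct={s['acct']} status={sorted(s['status'])}")
    print("NAS with no accounting:", nas_without_accounting(pk))
```

Run it against a real transcript (radiusd -X > debug.log, connect, wait, disconnect) and pass the file's contents to parse_packets. Note that the report is keyed on the UDP source host, not on NAS-IP-Address: in Michel's output the packet comes from 192.168.25.15 while the attribute says 192.168.30.1, and it is the source host that has to match an entry in clients.conf, so it is the one worth keying on.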
Re: Linksys WIFI Authentication using freeradius?
Michel Bulgado wrote:
> So, I don't see the accounting packet; could it be suppressed by the TTLS or

  Absolutely not.

> the Linksys router doesn't send that packet in the stream?

  Yes.

  Alan DeKok.
Re: Linksys WIFI Authentication using freeradius?
On 12/09/2011 10:49 AM, Alan DeKok wrote:
> Michel Bulgado wrote:
>> So, I don't see the accounting packet; could it be suppressed by the TTLS or
>
>   Absolutely not.
>
>> the Linksys router doesn't send that packet in the stream?
>
>   Yes.
>
>   Alan DeKok.

Alan

Excuse me, everyone on the list, for insisting so much on this issue; I'm interested in solving this problem.

In conclusion, from what we discussed: my Linksys router does send accounting packets after authenticating my user, but they are not shown, or at least are suppressed by TTLS. Is that not so? So should I change the mechanism I use? Can you recommend any whose client-side process is simple and does not involve installing certificates on the client side? As simple as the user only having to enter a username and password to connect.

Regards
Michel
Re: Linksys WIFI Authentication using freeradius?
Michel Bulgado wrote:
> Excuse me, everyone on the list, for insisting so much on this issue; I'm interested in solving this problem.

  Solving the problem means buying a NAS which works. Linksys ones are usually NOT good enough for what you want to do.

> In conclusion, from what we discussed: my Linksys router does send accounting packets after authenticating my user, but they are not shown, or at least are suppressed by TTLS. Is that not so?

  I have no idea what that means.

> So should I change the mechanism I use?

  If the NAS isn't doing accounting correctly, blame the NAS.

  This is *ALWAYS* the problem with RADIUS. The NAS is in control of *everything*. If something is going wrong, then BLAME THE NAS. No amount of poking FreeRADIUS or posting on this list will result in your NAS magically working.

> Can you recommend any whose client-side process is simple and does not involve installing certificates on the client side? As simple as the user only having to enter a username and password to connect.

  It's impossible. WiFi 802.1X doesn't work that way.

  Alan DeKok.
Re: Linksys WIFI Authentication using freeradius?
Does the router send any accounting packets?

The accounting packets, if sent, are from the NAS and therefore won't be in any EAP tunnel.

The clients will be using 802.11i, hence EAP, hence the need to know and trust the server cert of the RADIUS server.

alan
Re: Linksys WIFI Authentication using freeradius?
On 12/07/2011 08:37 AM, Michel Bulgado wrote:
> On Wednesday 07 December 2011 01:26:08 Fajar A. Nugraha wrote:
>> On Wed, Dec 7, 2011 at 1:15 PM, <mic...@casa.co.cu> wrote:
>>> From a Google search it turns out that all the variations I have encountered implement freeradius with PEAP TLS and mysql, which requires generating certificates, then configuring the client and in turn installing these certificates for the exchange between server and client. I was wondering, is there some other, simpler way that does not imply this setup or installing certificates on the client side?
>>
>> PEAP-TTLS, PEAP-MSCHAPv2, PEAP-GTC, etc. In these setups there's only one certificate: the server's. Depending on your OS/supplicant, the client can be set up to ignore certificate validation, or to have a pop-up asking whether they trust the server certificate. Note that the CLIENT chooses which authentication method to use. Setup on the NAS (i.e. access point) side is the same.
>>
>>> Well, I have several clients with different operating systems: Windows, Linux, Apple. Something as simple as putting in the username and password.
>>
>> Once you get past the certificate trust issue, it's a matter of putting in the username and password.
>
> Hi Fajar
>
> Thanks for replying to me. If PEAP-TTLS, PEAP-MSCHAPv2 and PEAP-GTC work with one certificate on the server side, which of the three methods do you recommend I use on the server? Do you have a manual or doc I can use to set up authentication with freeradius with PEAP-TTLS or PEAP-MSCHAPv2 or PEAP-GTC and mysql?
>
> Michel

At last! Finally, after much struggle, I configured freeradius with mysql to authenticate wireless users: EAP-TTLS.

But another problem arises for me: after the user authenticates and connects to the wireless, I noticed that the radacct table was empty; probing the inner-tunnel file I found this: "There are no accounting Requests inside of EAP-TTLS or PEAP tunnels." What other variants can I choose to run the accounting?

Ideas?
Re: Linksys WIFI Authentication using freeradius?
On Fri, Dec 9, 2011 at 4:11 AM, Michel Bulgado <mic...@casa.co.cu> wrote:
> After the user authenticates and connects to the wireless, I noticed that the radacct table was empty; probing the inner-tunnel file I found this: "There are no accounting Requests inside of EAP-TTLS or PEAP tunnels." What other variants can I choose to run the accounting?

sites-available/default: look for sql in the accounting section.

--
Fajar
Re: Linksys WIFI Authentication using freeradius?
On 12/08/2011 04:26 PM, Fajar A. Nugraha wrote:
> On Fri, Dec 9, 2011 at 4:11 AM, Michel Bulgado <mic...@casa.co.cu> wrote:
>> After the user authenticates and connects to the wireless, I noticed that the radacct table was empty; probing the inner-tunnel file I found this: "There are no accounting Requests inside of EAP-TTLS or PEAP tunnels." What other variants can I choose to run the accounting?
>
> sites-available/default: look for sql in the accounting section.

This is my accounting section in /etc/raddb/sites-available/default:

accounting {
    detail
    sql
}

And it doesn't work.

Michel
Re: Linksys WIFI Authentication using freeradius?
Michel Bulgado <mic...@casa.co.cu> wrote:
> On 12/08/2011 04:26 PM, Fajar A. Nugraha wrote:
>> On Fri, Dec 9, 2011 at 4:11 AM, Michel Bulgado <mic...@casa.co.cu> wrote:
>>> After the user authenticates and connects to the wireless, I noticed that the radacct table was empty; probing the inner-tunnel file I found this: "There are no accounting Requests inside of EAP-TTLS or PEAP tunnels." What other variants can I choose to run the accounting?
>>
>> sites-available/default: look for sql in the accounting section.
>
> This is my accounting section in /etc/raddb/sites-available/default:
>
> accounting {
>     detail
>     sql
> }
>
> And it doesn't work.
>
> Michel

Hello again

As confirmed in my previous email, I have a problem: I have configured freeradius to support tunneled TLS, better known as TTLS; my users can connect using a username and password, but after connecting, the accounting in mysql is not performed. I was reviewing seconds

There are no accounting Requests inside of EAP-TTLS or PEAP tunnels.

And in turn I take this opportunity to ask Alan, who knows more about the subject:

1 - Do you know how to get them to perform the accounting, perhaps through a script?

In case there is no solution with TTLS:

2 - With which of these authentication mechanisms, PEAP-TTLS, PEAP-MSCHAPv2, PEAP-GTC, does accounting work and, in turn, not necessarily require installing client-side certificates?

regards
Michel
--
Webmail, e-mail service of Casa de las Americas - La Habana, Cuba.
Re: Linksys WIFI Authentication using freeradius?
On Fri, Dec 9, 2011 at 9:39 AM, <mic...@casa.co.cu> wrote:
> Michel Bulgado <mic...@casa.co.cu> wrote:
>> On 12/08/2011 04:26 PM, Fajar A. Nugraha wrote:
>>> On Fri, Dec 9, 2011 at 4:11 AM, Michel Bulgado <mic...@casa.co.cu> wrote:
>>>> After the user authenticates and connects to the wireless, I noticed that the radacct table was empty; probing the inner-tunnel file I found this: "There are no accounting Requests inside of EAP-TTLS or PEAP tunnels." What other variants can I choose to run the accounting?
>>>
>>> sites-available/default: look for sql in the accounting section.
>>
>> This is my accounting section in /etc/raddb/sites-available/default:
>>
>> accounting {
>>     detail
>>     sql
>> }
>>
>> And it doesn't work.
>>
>> Michel
>
> Hello again
>
> As confirmed in my previous email, I have a problem: I have configured freeradius to support tunneled TLS, better known as TTLS; my users can connect using a username and password, but after connecting, the accounting in mysql is not performed. I was reviewing seconds

Let's go back to the basics. Does your NAS send accounting packets? (hint: run FR in debug mode, then get a client to connect and disconnect)

Some NAS (last time I tried with dd-wrt) can authenticate using EAP, but can't send accounting packets.

--
Fajar
Re: Linksys WIFI Authentication using freeradius?
On Wednesday 07 December 2011 01:26:08 Fajar A. Nugraha wrote:
> On Wed, Dec 7, 2011 at 1:15 PM, <mic...@casa.co.cu> wrote:
>> From a Google search it turns out that all the variations I have encountered implement freeradius with PEAP TLS and mysql, which requires generating certificates, then configuring the client and in turn installing these certificates for the exchange between server and client. I was wondering, is there some other, simpler way that does not imply this setup or installing certificates on the client side?
>
> PEAP-TTLS, PEAP-MSCHAPv2, PEAP-GTC, etc. In these setups there's only one certificate: the server's. Depending on your OS/supplicant, the client can be set up to ignore certificate validation, or to have a pop-up asking whether they trust the server certificate. Note that the CLIENT chooses which authentication method to use. Setup on the NAS (i.e. access point) side is the same.
>
>> Well, I have several clients with different operating systems: Windows, Linux, Apple. Something as simple as putting in the username and password.
>
> Once you get past the certificate trust issue, it's a matter of putting in the username and password.

Hi Fajar

Thanks for replying to me. If PEAP-TTLS, PEAP-MSCHAPv2 and PEAP-GTC work with one certificate on the server side, which of the three methods do you recommend I use on the server? Do you have a manual or doc I can use to set up authentication with freeradius with PEAP-TTLS or PEAP-MSCHAPv2 or PEAP-GTC and mysql?

Michel
Linksys WIFI Authentication using freeradius?
Hello

I have a Linksys WRT-110 router which supports various security mechanisms: WPA/WPA2 Personal, WPA Enterprise and RADIUS authentication. Today I use WPA2 Personal, where all my clients use the same key or password to connect. I want to change this so that each user can connect with a username and password in a personal way; I was thinking of having my router authenticate against a RADIUS server.

From a Google search it turns out that all the variations I have encountered implement freeradius with PEAP TLS and mysql, which requires generating certificates, then configuring the client and in turn installing these certificates for the exchange between server and client. I was wondering, is there some other, simpler way that does not imply this setup or installing certificates on the client side?

Well, I have several clients with different operating systems: Windows, Linux, Apple. Something as simple as putting in the username and password.

I saw OpenWrt as another variant to follow, but the router does not appear in the list of supported devices.

Ideas?

Michel
--
Webmail, e-mail service of Casa de las Americas - La Habana, Cuba.
Re: Linksys WIFI Authentication using freeradius?
On Wed, Dec 7, 2011 at 1:15 PM, <mic...@casa.co.cu> wrote:
> From a Google search it turns out that all the variations I have encountered implement freeradius with PEAP TLS and mysql, which requires generating certificates, then configuring the client and in turn installing these certificates for the exchange between server and client. I was wondering, is there some other, simpler way that does not imply this setup or installing certificates on the client side?

PEAP-TTLS, PEAP-MSCHAPv2, PEAP-GTC, etc. In these setups there's only one certificate: the server's. Depending on your OS/supplicant, the client can be set up to ignore certificate validation, or to have a pop-up asking whether they trust the server certificate. Note that the CLIENT chooses which authentication method to use. Setup on the NAS (i.e. access point) side is the same.

> Well, I have several clients with different operating systems: Windows, Linux, Apple. Something as simple as putting in the username and password.

Once you get past the certificate trust issue, it's a matter of putting in the username and password.

--
Fajar