Re : Re : EAP/TTLS PEAP MSCHAP
Thanks, I can connect Windows with PEAP/MSCHAPv2. Need to fix the certificates.

== Benjamin K. Eshun

----- Original message -----
From: Arran Cudbard-Bell [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, 4 April 2007, 23:16:24
Subject: Re: Re : EAP/TTLS PEAP MSCHAP

Ian Truelsen wrote:
> On Wed, 2007-04-04 at 20:58 +0100, Arran Cudbard-Bell wrote:
> > According to the microsoft support article (http://support.microsoft.com/kb/814394/en-us):
> > "The IAS or the VPN server computer certificate is configured with the Server Authentication purpose. The object identifier for Server Authentication is 1.3.6.1.5.5.7.3.1."
> > But I have no idea how to add it to the certificate; if you find out please let me know :)
> Check out this article: http://www.linuxjournal.com/article/8095
> It explains how to get the MS attributes into the certificates.
> Hope this helps.

Excellent, thanks, just what I was looking for :)

Is it really just as simple as creating the certificate, signing it with the right extensions, installing the proper root CA on the Windows machines, and configuring the Windows supplicant correctly? Which would be:

  - In the Authentication tab: enable "IEEE 802.1x authentication for this network", set EAP type to PEAP.
  - In Properties: "Validate server certificate", authentication method EAP-MSCHAP v2, check the root CA the certificate was signed with.
  - In Configure: "Automatically use my Windows logon name and password" unchecked.

Or are there more weird Windows things?

Gah... never appreciated Mac OS X so much. "Oo, looks like you're connecting to an 802.11x network, please enter your username and password. Hmm, you haven't chosen to explicitly trust this certificate, would you like to? Connected! And now I'm going to save your username and password in the keychain so you'll never have to go through this amazingly simple process ever again."

---
Arran

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Re : EAP/TTLS PEAP MSCHAP
Eshun Benjamin wrote:
> Hello Arran,
>
> Which specific OID? I also think it has to do with the certificate. Could you please be specific, if possible with an example.
>
> I tried to use another certificate and I am getting 2 issues;
>
> 1. is before access challenge;
>
> Wed Apr 4 21:33:09 2007 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 2
> Wed Apr 4 21:33:09 2007 : Debug: modcall[authorize]: module suffix returns noop for request 2
> Wed Apr 4 21:33:09 2007 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 2
> Wed Apr 4 21:33:09 2007 : Debug: rlm_eap: EAP packet type response id 2 length 192
> Wed Apr 4 21:33:09 2007 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> Wed Apr 4 21:33:09 2007 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 2
> Wed Apr 4 21:33:09 2007 : Debug: modcall[authorize]: module eap returns updated for request 2
> Wed Apr 4 21:33:09 2007 : Debug: modsingle[authorize]: calling files (rlm_files) for request 2
> Wed Apr 4 21:33:09 2007 : Debug: users: Matched entry DEFAULT at line 225
> Wed Apr 4 21:33:09 2007 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 2
> Wed Apr 4 21:33:09 2007 : Debug: modcall[authorize]: module files returns ok for request 2
> Wed Apr 4 21:33:09 2007 : Debug: modsingle[authorize]: calling etc_smbpasswd (rlm_passwd) for request 2
> Wed Apr 4 21:33:09 2007 : Debug: rlm_passwd: Added LM-Password: '739EA6CD54DF1680AAD3B435B51404EE' to config_items
> Wed Apr 4 21:33:09 2007 : Debug: rlm_passwd: Added NT-Password: 'F138C6624B18D0E17EA9630C746A8202' to config_items
> Wed Apr 4 21:33:09 2007 : Debug: rlm_passwd: Added SMB-Account-CTRL-TEXT: '[UX ]' to config_items
> Wed Apr 4 21:33:09 2007 : Info: rlm_passwd: Adding Auth-Type = MS-CHAP
> Wed Apr 4 21:33:09 2007 : Debug: modsingle[authorize]: returned from etc_smbpasswd (rlm_passwd) for request 2
> Wed Apr 4 21:33:09 2007 : Debug: modcall[authorize]: module etc_smbpasswd returns ok for request 2
> Wed Apr 4 21:33:09 2007 : Debug: modsingle[authorize]: calling pap (rlm_pap) for request 2
> Wed Apr 4 21:33:09 2007 : Debug: rlm_pap: Normalizing LM-Password from hex encoding
> Wed Apr 4 21:33:09 2007 : Debug: rlm_pap: Normalizing NT-Password from hex encoding
> Wed Apr 4 21:33:09 2007 : Debug: rlm_pap: Found existing Auth-Type, not changing it.
> Wed Apr 4 21:33:09 2007 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 2
> Wed Apr 4 21:33:09 2007 : Debug: modcall[authorize]: module pap returns noop for request 2
> Wed Apr 4 21:33:09 2007 : Debug: modcall: leaving group authorize (returns updated) for request 2
> Wed Apr 4 21:33:09 2007 : Debug: rad_check_password: Found Auth-Type EAP
> Wed Apr 4 21:33:09 2007 : Debug: auth: type EAP
> Wed Apr 4 21:33:09 2007 : Debug: Processing the authenticate section of radiusd.conf
> Wed Apr 4 21:33:09 2007 : Debug: modcall: entering group authenticate for request 2
> Wed Apr 4 21:33:09 2007 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 2
> Wed Apr 4 21:33:09 2007 : Debug: rlm_eap: Request found, released from the list
> Wed Apr 4 21:33:09 2007 : Debug: rlm_eap: EAP/peap
> Wed Apr 4 21:33:09 2007 : Debug: rlm_eap: processing type peap
> Wed Apr 4 21:33:09 2007 : Debug: rlm_eap_peap: Authenticate
> Wed Apr 4 21:33:09 2007 : Debug: rlm_eap_tls: processing TLS
> Wed Apr 4 21:33:09 2007 : Debug: rlm_eap_tls: Length Included
> Wed Apr 4 21:33:09 2007 : Debug: eaptls_verify returned 11
> Wed Apr 4 21:33:09 2007 : Debug: rlm_eap_tls: TLS 1.0 Handshake [length 0086], ClientKeyExchange
> Wed Apr 4 21:33:09 2007 : Debug: TLS_accept: SSLv3 read client key exchange A
> Wed Apr 4 21:33:09 2007 : Debug: rlm_eap_tls: TLS 1.0 ChangeCipherSpec [length 0001]
> Wed Apr 4 21:33:09 2007 : Debug: rlm_eap_tls: TLS 1.0 Handshake [length 0010], Finished
> Wed Apr 4 21:33:09 2007 : Debug: TLS_accept: SSLv3 read finished A
> Wed Apr 4 21:33:09 2007 : Debug: rlm_eap_tls: TLS 1.0 ChangeCipherSpec [length 0001]
> Wed Apr 4 21:33:09 2007 : Debug: TLS_accept: SSLv3 write change cipher spec A
> Wed Apr 4 21:33:09 2007 : Debug: rlm_eap_tls: TLS 1.0 Handshake [length 0010], Finished
> Wed Apr 4 21:33:09 2007 : Debug: TLS_accept: SSLv3 write finished A
> Wed Apr 4 21:33:09 2007 : Debug: TLS_accept: SSLv3 flush data
> Wed Apr 4 21:33:09 2007 : Debug: (other): SSL negotiation finished successfully
> Wed Apr 4 21:33:09 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
> Wed Apr 4 21:33:09 2007 : Debug: SSL Connection Established
> Wed Apr 4 21:33:09 2007 : Debug: eaptls_process returned 13
> Wed Apr 4 21:33:09 2007 : Debug: rlm_eap_peap: EAPTLS_HANDLED
> Wed Apr 4 21:33:09 2007 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 2
> Wed
Re: Re : EAP/TTLS PEAP MSCHAP
On Wed, 2007-04-04 at 20:58 +0100, Arran Cudbard-Bell wrote:
> According to the microsoft support article (http://support.microsoft.com/kb/814394/en-us):
> "The IAS or the VPN server computer certificate is configured with the Server Authentication purpose. The object identifier for Server Authentication is 1.3.6.1.5.5.7.3.1."
> But I have no idea how to add it to the certificate; if you find out please let me know :)

Check out this article: http://www.linuxjournal.com/article/8095
It explains how to get the MS attributes into the certificates.

Hope this helps.

--
Ian Truelsen
s/v Sting
Email: [EMAIL PROTECTED]
AIM: ihtruelsen
MSN: [EMAIL PROTECTED]
Google Talk: [EMAIL PROTECTED]
Re: Re : EAP/TTLS PEAP MSCHAP
Ian Truelsen wrote:
> On Wed, 2007-04-04 at 20:58 +0100, Arran Cudbard-Bell wrote:
> > According to the microsoft support article (http://support.microsoft.com/kb/814394/en-us):
> > "The IAS or the VPN server computer certificate is configured with the Server Authentication purpose. The object identifier for Server Authentication is 1.3.6.1.5.5.7.3.1."
> > But I have no idea how to add it to the certificate; if you find out please let me know :)
> Check out this article: http://www.linuxjournal.com/article/8095
> It explains how to get the MS attributes into the certificates.
> Hope this helps.

Excellent, thanks, just what I was looking for :)

Is it really just as simple as creating the certificate, signing it with the right extensions, installing the proper root CA on the Windows machines, and configuring the Windows supplicant correctly? Which would be:

  - In the Authentication tab: enable "IEEE 802.1x authentication for this network", set EAP type to PEAP.
  - In Properties: "Validate server certificate", authentication method EAP-MSCHAP v2, check the root CA the certificate was signed with.
  - In Configure: "Automatically use my Windows logon name and password" unchecked.

Or are there more weird Windows things?

Gah... never appreciated Mac OS X so much. "Oo, looks like you're connecting to an 802.11x network, please enter your username and password. Hmm, you haven't chosen to explicitly trust this certificate, would you like to? Connected! And now I'm going to save your username and password in the keychain so you'll never have to go through this amazingly simple process ever again."

---
Arran
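One way to get that extension onto a RADIUS server certificate with OpenSSL, added here as an illustration and not code from the thread or from the linked article: it uses an extension section in the style of FreeRADIUS's xpextensions file, signs a server certificate with it, and checks the result. It assumes the openssl CLI is available and a temp directory is writable; all names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or the Linux Journal article.
# Mints a throwaway CA and a RADIUS server certificate carrying the
# Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1), then checks for it.
# Assumes: openssl CLI, writable temp dir; all names are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Extension section in the style of FreeRADIUS's xpextensions file.
# serverAuth is exactly 1.3.6.1.5.5.7.3.1, the purpose the Windows
# supplicant expects on the RADIUS server certificate.
write_ext_config() {
  cat > "$WORK/xpextensions" <<'EOF'
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
}

make_certs() {
  write_ext_config
  # Self-signed root CA (this is what gets installed on the Windows clients)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Lab CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  # Server key and certificate request
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=radius.example.invalid" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  # Sign with the CA, attaching the xpserver_ext section
  openssl x509 -req -sha256 -days 365 -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/xpextensions" -extensions xpserver_ext \
    -out "$WORK/server.pem" 2>/dev/null
}

# Exit status 0 if the certificate advertises TLS Web Server Authentication
# (how openssl prints OID 1.3.6.1.5.5.7.3.1), non-zero otherwise.
has_server_auth_eku() {
  openssl x509 -in "$1" -noout -text | grep -q "TLS Web Server Authentication"
}
```

Point the eap section's certificate_file at server.pem and private_key_file at server.key, and install ca.pem as a trusted root on the clients.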
Re: Re : EAP/TTLS PEAP MSCHAP
On Wed, 2007-04-04 at 22:16 +0100, Arran Cudbard-Bell wrote:
> Is it really just as simple as creating the certificate, signing it with the right extensions, installing the proper root CA on the Windows machines, and configuring the Windows supplicant correctly?

Pretty much. As long as you have the proper IP address for the AP in your clients.conf, which was my particular stupidity :) Still, it seems to work for me.

> Which would be:
>   - In the Authentication tab: enable "IEEE 802.1x authentication for this network", set EAP type to PEAP.
>   - In Properties: "Validate server certificate", authentication method EAP-MSCHAP v2, check the root CA the certificate was signed with.
>   - In Configure: "Automatically use my Windows logon name and password" unchecked.

I am using both client and server certificates, so the logon and password is not currently needed -- for me.

--
Ian Truelsen
s/v Sting
Email: [EMAIL PROTECTED]
AIM: ihtruelsen
MSN: [EMAIL PROTECTED]
Google Talk: [EMAIL PROTECTED]
Re: Re : EAP/TTLS PEAP MSCHAP
> Pretty much. As long as you have the proper IP address for the AP in your clients.conf, which was my particular stupidity :) Still, it seems to work for me.

Hehe, yeah, same for me first time round! Now it's all done via SQL with a modified version of 1.1.5 to allow user NAS queries :)

> I am using both client and server certificates, so the logon and password is not currently needed -- for me.

Eeek, yes, not such a good solution in our case; certificate management for 10,000 very sleepy students, not fun :)