Hi Mack,

As for the "looping" problem - one question - do you have a wireless network
card manager running in the background on the laptop ( I don't mean the nic
driver) along with the supplicant???

I have EAP/TTLS running at home and ran into a "looping" problem that sounds
the same (authenticated but kept on re-authenticating)... I am running the
Odyssey Supplicant on a Windows 2000 machine and there was a Linksys NIC
Manager program running at the same time the supplicant was running.  The
NIC manager was causing the supplicant to disconnect from the nic thereby
causing the supplicant to re-authenticate continuously! (duh!).  Turning off
the NIC manager software "fixed" the problem....

As for YMMV it means "Your Mileage May Vary" .... [grin]...

gm...

----- Original Message ----- 
From: "Mack" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, June 21, 2004 8:21 PM
Subject: Re: radius, 802.1x, eap/tls, and edirectory (ldap)


> Gary,
>
> No, no, not you.  I didn't mean you...sorry.  You've been helpful...more
> so, you've shown a willingness to help.  Thanks for that.
>
> I followed your suggestion about looking deeper into the list archives,
> and have progressed a bit further (I think).  I stumbled upon PEAP, and
> configured my client to use mschapv2, thus answering the question of how
> to send LDAP username & password to radius.  This is all with EAP-TLS
> working (as far as I can tell).  However, there's one catch...
>
> While running radiusd in debug mode, watching the output while the client
> authenticates (sends username & password), it seems to get caught in a
> "loop"...same output over & over again, and the client never gets totally
> authenticated.  The output appears to indicate that the ldap auth and eap
> auth were both successful, but this is where it keeps looping...over and
> over again, keeps saying both were successful.  Unless I'm just
> misinterpreting the output (that's VERY likely).  I've attached some of
> the output to this email (hope that's ok...seemed too big to include in
> the body of the message).
>
> I am using a gentoo ebuild of freeradius now, but will look into the
> 1.0.0-pre1 version.  I did notice that many of the posts assumed the users
> were on a 1.0.0-pre1 build.  If nothing else, I can at least read thru the
> different docs included in that build, as you've suggested.
>
> Ready for a really dumb question?  What does "ymmv" mean?  I've often seen
> it on lists/boards, but have never seen a translation.
>
> Thanks for the help,
> mack
>
> On 21 Jun 2004 at 6:10, Gary McKinney wrote:
>
> > Mack,
> >
> > I was not trying to "blow you off" by making the statement of reading
> > the archives... I am still, what I consider, a newbie as well...
> >
> > The statement about a lot of discussion on the subject you are
> > requesting is true so I thought you would be better served checking
> > over those discussions!
> >
> > As for documentation - have you read the rlm-eap and rlm-ldap
> > documentation in the docs directory of the installation package (at
> > least the version 1.0.0-pre1 and later source code) has information on
> > what you are looking for in terms of using eap/tls and ldap together
> > (in the rlm-eap docs).
> >
> > If you can use the pre-release code I would suggest doing so - while
> > 0.9.3 is stable I have found the pre-release code does more [ymmv]...
> >
> > gm..
> >
> > ----- Original Message ----- 
> > From: "Mack" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Sunday, June 20, 2004 10:30 PM
> > Subject: Re: radius, 802.1x, eap/tls, and edirectory (ldap)
> >
> >
> > > Gary,
> > >
> > > I had scanned them prior to posting, but there seem to be no
> > > solutions to all of the problems people have with this
> > > configuration.  My impression is that most of the "gurus" on the
> > > list are assuming WAY too much of some of us newbies.  They keep
> > > coming back with the same replies, like "read the faqs, readme, rfc,
> > > etc., etc."  But, that begs the question:  If that's going to be the
> > > reply each time, then why even bother with the list in the first
> > > place?  Oh, well.  I am definitely taking a more in-depth look at the
> > > archives, though, as you've suggested.  If nothing else, maybe that
> > > will help me form better questions.  Thanks for the help!
> > >
> > > mack
> > >
> > > On 19 Jun 2004 at 6:34, Gary McKinney wrote:
> > >
> > > > Mack,
> > > >
> > > > Check the email archives over the last three months - there is a
> > > > great deal of information on using EAP/TLS and how to use LDAP
> > > > with freeradius (including example snippets).
> > > >
> > > > gm...
> > > > ----- Original Message ----- 
> > > > From: "Mack" <[EMAIL PROTECTED]>
> > > > To: <[EMAIL PROTECTED]>
> > > > Sent: Friday, June 18, 2004 11:52 PM
> > > > Subject: radius, 802.1x, eap/tls, and edirectory (ldap)
> > > >
> > > >
> > > > > Hi,
> > > > >
> > > > > I'm a newbie to all of this, so please bear with me.  This list
> > > > > is all I've got!
> > > > >
> > > > > We are introducing a wireless infrastructure on our campus (a
> > > > > little late in the game).  Right now we're in testing phase.  In
> > > > > this testing phase, we are using several 3com 7250 AP's, some
> > > > > 3com cards capable of 802.1x, and Novell eDirectory (LDAP).  My
> > > > > requirement is to enable 802.1x authentication to the AP's using
> > > > > EAP/TLS.  Additionally, I need to be able to authenticate the
> > > > > users to Novell via LDAP.  All via the FreeRADIUS server.
> > > > >
> > > > > I have configured freeradius version 0.9.3 to work successfully
> > > > > with only ldap authentication against Novell eDirectory.  I have
> > > > > also verified that 802.1x authentication is working with the AP.
> > > > > However, if I attempt to somehow enable both authentication
> > > > > mechanisms, I fail.  The logs keep passing the EAP username
> > > > > (common name from cert) to ldap and of course ldap spits it out
> > > > > because the object does not exist.
> > > > >
> > > > > Again, I'm new to this, and maybe I have made incorrect
> > > > > assumptions of what the end result should be.  Maybe this isn't
> > > > > even possible, but here's what I had hoped to come away with:
> > > > > the wireless user boots their laptop, then gets authenticated
> > > > > via eap/tls.  They then open a browser, and are asked for
> > > > > username and password (via dialog box?), or either redirected to
> > > > > a login page.  The username and password are then passed to ldap
> > > > > for authentication.  Successful authentication results in the
> > > > > client being given internet access.  Is this possible?  Or, am I
> > > > > totally misunderstanding how this is all supposed to work (very
> > > > > likely)?
> > > > >
> > > > > I must admit, I'm not very comfortable when working with the
> > > > > config files.  Not too sure what I'm doing in there.  I tackled
> > > > > this whole project somewhat blindly, with the help of various
> > > > > bits of info I gathered from google searches.  I do need to
> > > > > obtain a good book on this stuff...that's obvious...but I am
> > > > > hoping that someone on this list has experience with getting
> > > > > freeradius to work with eap/tls and novell ldap authentication
> > > > > and is willing to share that experience and wisdom.
> > > > >
> > > > > (Embarrassed) Sorry again for the newbie-ness of this post, and
> > > > > thanks in advance for any help!
> > > > >
> > > > > mack
> > > > >
> > > > > -- 
> > > > > This message has been scanned for viruses and
> > > > > dangerous content by the CSU Email Gateway, and is
> > > > > believed to be clean.
> > > > >
> > > > >
> > > > > -
> > > > > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> > > > >
> > > >
> > > > ---
> > > > [This E-mail scanned for viruses by Declude Ant-Virus Scanner]
> > > >
> > > >
> > > >
> > >
> > >
> > >
> >
> >
>
>
>
>
>


--------------------------------------------------------------------------------


> The following section of this message contains a file attachment
> prepared for transmission using the Internet MIME message format.
> If you are using Pegasus Mail, or any other MIME-compliant system,
> you should be able to save it or view it from within your mailer.
> If you cannot, please ask your system administrator for assistance.
>
>    ---- File information -----------
>      File:  output.log
>      Date:  21 Jun 2004, 20:03
>      Size:  27663 bytes.
>      Type:  Unknown
>

