Thank you Guy! The SecureW2 free plugin works perfectly!
--
Tim Winders
Associate Dean of Information Technology
South Plains College
Levelland, TX 79336
On Mon, 13 Dec 2004, Guy Davies wrote:
Hi Tim,
EAP-TTLS is not supported by default by the MS 802.1x supplicant. *However*, you can get a copy of SecureW2 at http://www.securew2.com/, which behaves as a plugin to the MS 802.1x supplicant to provide support for EAP-TTLS. If you want to use a third party complete supplicant, I'd recommend Funk's Odyssey client. It's not free, but you can download a 30 day free trial from http://www.funk.com/.
Regards,
Guy
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Winders
Sent: 13 December 2004 18:32
To: [EMAIL PROTECTED]
Subject: RE: rlm_eap_tls not built because OpenSSL not found
Grrrr. It's always something.
Is there a way to configure a WinXP SP2 client to use EAP-TTLS/PAP?
When I enable TTLS, what default_eap_type do I specify? I would guess PAP.
I have tried searching through the FAQ and the list archives, but am still confused. Much of what is there doesn't seem to be relevant anymore with current freeradius versions. (I am using the 20041210 snapshot)
--
Tim Winders
Associate Dean of Information Technology
South Plains College
Levelland, TX 79336
On Mon, 13 Dec 2004, Guy Davies wrote:
Hi Tim,
You can't authenticate to the /etc/passwd file using PEAP/MS-CHAPv2. Any CHAP based authentication mechanism requires the server to have access to the *clear text* passwords.
If you want to use PEAP/MS-CHAPv2, then you'll need to create definitions of your users either in a local (or other) database with clear text (or trivially reversible) passwords.
If you want to use /etc/passwd, you could switch to EAP-TTLS/PAP. Since PAP sends the password in clear text (don't worry, it's inside the outer TTLS tunnel so it's not visible in the air), your server doesn't need the clear text held locally. It simply applies the same crypt algorithm to the received password and checks the result against your /etc/passwd file.
Regards,
Guy
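The distinction Guy draws above, shown as an added example (this is not code from the thread or from FreeRADIUS): a PAP check against a one-way hashed store succeeds because the server simply re-hashes the clear text it received, while a CHAP-family response can only be recomputed from the clear-text secret itself. Classic CHAP (RFC 1994, MD5 over identifier, secret and challenge) is used here; MS-CHAPv2 uses a different, NT-hash-based function, but the same principle applies. The user list and hashed store are constructed, and `one_way_hash` is a PBKDF2 stand-in for crypt(3), not the real /etc/passwd algorithm.

```python
import hashlib
import hmac
import os


# Constructed stand-in for a crypt(3)-style /etc/passwd entry: the server
# stores only a salt and a one-way hash of the password (hypothetical
# function, not FreeRADIUS code). The clear text is never kept.
def one_way_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def build_hashed_store(users: dict) -> dict:
    """Model of /etc/passwd: user -> (salt, one-way hash). Users are constructed."""
    store = {}
    for name, password in users.items():
        salt = os.urandom(16)
        store[name] = (salt, one_way_hash(password, salt))
    return store


def pap_verify(hashed_store: dict, user: str, received_password: str) -> bool:
    """PAP inside the TTLS tunnel: the clear-text password reaches the server,
    which re-applies the same one-way function and compares the result. This
    works with a hashed store because the server never needs the clear text
    to be held locally."""
    if user not in hashed_store:
        return False
    salt, digest = hashed_store[user]
    return hmac.compare_digest(one_way_hash(received_password, salt), digest)


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """CHAP response per RFC 1994: MD5(identifier || secret || challenge).
    The client computes this from its clear-text secret; only the 16-byte
    response crosses the wire."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_verify(cleartext_store: dict, user: str, identifier: int,
                challenge: bytes, response: bytes) -> bool:
    """Server-side CHAP check. Recomputing the expected response requires the
    clear-text secret; a one-way hash of it cannot be substituted, which is
    why CHAP-family methods cannot be backed by /etc/passwd."""
    if user not in cleartext_store:
        return False
    expected = chap_response(identifier, cleartext_store[user], challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    # Constructed sample credential.
    users = {"twinders": "correct horse battery staple"}
    hashed = build_hashed_store(users)

    results = {
        "pap_correct": pap_verify(hashed, "twinders", "correct horse battery staple"),
        "pap_wrong": pap_verify(hashed, "twinders", "wrong password"),
    }

    # Client side of CHAP: has the secret, answers the server's challenge.
    challenge = os.urandom(16)
    response = chap_response(7, users["twinders"], challenge)

    # A server holding clear text can recompute and match the response ...
    results["chap_cleartext_store"] = chap_verify(users, "twinders", 7, challenge, response)

    # ... but a server holding only the one-way hash has no secret to feed into
    # chap_response. The best it can do is treat the stored hash as the secret,
    # which can never produce the client's response.
    _salt, digest = hashed["twinders"]
    hash_only_store = {"twinders": digest.hex()}
    results["chap_hashed_store"] = chap_verify(hash_only_store, "twinders", 7, challenge, response)
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `pap_correct` and `chap_cleartext_store` as true, `pap_wrong` and `chap_hashed_store` as false: the hashed store can answer PAP but not CHAP, which is exactly the TTLS/PAP versus PEAP/MS-CHAPv2 trade-off described above.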
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Winders
Sent: 13 December 2004 15:55
To: [EMAIL PROTECTED]
Subject: Re: rlm_eap_tls not built because OpenSSL not found

Mon Dec 13 07:02:02 2004 : Info: rlm_eap_tls: Length Included
Mon Dec 13 07:02:02 2004 : Error: TLS_accept:error in SSLv3 read client certificate A
Mon Dec 13 07:02:02 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message

That is not a show stopper. TLS is complaining about the client certificate you don't need for PEAP, but should process the request anyway. Examine the debug output to see if there is any other failure.

I am trying to connect to a Cisco AP1200 from a Windows XP SP2 client. The client has Network Authentication Open, Data Encryption WEP, EAP Type Protected EAP (PEAP), Authentication Method: Secured password (EAP-MSCHAP v2).

Why open and WEP? Why not WPA TKIP? The AP and supplicant should support this.

No reason. I have changed the configuration to WPA/TKIP. Here is the debug output from radiusd after I have applied the MS hotfix as referenced in a previous message and have changed the AP and client configuration to WPA/TKIP.
--- Walking the entire request list ---
Cleaning up request 22 ID 236 with timestamp 41bdb896
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 10.0.1.231:21646, id=237, length=134
        User-Name = "twinders"
        Framed-MTU = 1400
        Called-Station-Id = "0012.7f75.d940"
        Calling-Station-Id = "0090.4b65.34a5"
        Service-Type = Login-User
        Message-Authenticator = 0xdc3d497356c2a583f2eaf7954c684d3a
        EAP-Message = 0x0201000d017477696e64657273
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 512
        NAS-IP-Address = 10.0.1.231
        NAS-Identifier = "sub-ap1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 23
  modcall[authorize]: module "preprocess" returns ok for request 23
  modcall[authorize]: module "chap" returns noop for request 23
  modcall[authorize]: module "mschap" returns noop for request 23
  modcall[authorize]: module "digest" returns noop for request 23
    rlm_realm: No '@' in User-Name = "twinders", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 23
  rlm_eap: EAP packet type response id 1 length 13
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 23
    users: Matched entry DEFAULT at line 152
  modcall[authorize]: module "files" returns ok for request 23
modcall: group authorize returns updated for request 23
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 23
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 23
modcall: group authenticate returns handled for request 23
Sending Access-Challenge of id 237 to 10.0.1.231:21646
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe2c50ab039bff81ff87783b7c4dc1736
Finished request 23
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 23 ID 237 with timestamp 41bdb8b7
Nothing to do.  Sleeping until we see a request.
I see where it matches the DEFAULT entry in the users file. This is simply:
DEFAULT Auth-Type = System
        Fall-Through = 1
I am trying to authenticate to the /etc/passwd file on the system. Dial up PPP users are able to connect and authenticate OK using the default Framed-User service type:
DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes
Perhaps the problem is here? I am new to freeradius and may have missed something here.
--
Tim Winders
Associate Dean of Information Technology
South Plains College
Levelland, TX 79336
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html