> Message: 3
> Date: Thu, 21 Aug 2008 08:36:07 +0200
> From: "Martin Schneider" <[EMAIL PROTECTED]>
> Subject: Re: EAP-TNC supported?
> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi
>
> 2008/8/20 Alan DeKok <[EMAIL PROTECTED]>:
>> Martin Schneider wrote:
>>> - I read in Wikipedia that the spring 2008 release of FreeRadius has
>>> "experimental EAP-TNC" support. I couldn't find any information on the
>>> FreeRadius homepage or wiki that this information is correct. Does
>>> FreeRadius have EAP-TNC support? And "how experimental" is the EAP-TNC support?
>> It's very experimental. Some people have gotten it to work, but I
>> don't think it's ready for production use.
>
> What a pity!
>
> Does anybody know about a patch or something for FreeRadius that adds
> more stable EAP-TNC processing? I heard about a patch from FH Hannover
> (http://tnc.inform.fh-hannover.de/wiki/index.php/Main_Page) but I
> don't know how well this one works. Did any of you guys maybe play
> with that patch?

Yes, it is very experimental. We have done some refactoring in the last weeks, but the new version of the EAP-TNC patch is currently not in the FreeRADIUS sources. You can download it from http://tnc.inform.fh-hannover.de. We will modify some further aspects soon (such as removing the dynamic loading of NAA-TNCS.so at runtime).
>
>>> - In case FreeRadius supports EAP-TNC, is it possible to run EAP-TNC
>>> "inside" an EAP-TTLS tunnel? EAP-TTLS as outer method and EAP-TNC as
>>> inner method?
>> No. EAP-TNC is designed to be run as an authorization method *after*
>> the user has been authenticated. It *cannot* be run all by itself
>> inside of a TTLS tunnel.
>>
>> You can run it inside of the TTLS tunnel after another EAP method has
>> been executed. You may have to edit the source code to get this to work.
>

You can do EAP-TNC inside EAP-TTLS without modifying the source. I tested it with the latest development version of wpa_supplicant. But you will have to modify the source if you want to do EAP-TNC inside EAP-TTLS _after_ another EAP method (such as MD5).

> Ok, thanks for clarifying this point! I really mixed this one up.
>
> I read in the EAP-TTLS draft that you can perform mutual
> authentication of server AND client using EAP-TTLS. (Client also needs
> a certificate...). So theoretically you should be able to run EAP-TNC
> directly after EAP-TTLS in the TLS tunnel without any other
> user-authenticating EAP method?
>

Yes.

Regards
Ingo

> Regards
> Martin
>
>
>> Alan DeKok.
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 21 Aug 2008 08:42:16 +0200
> From: Alan DeKok <[EMAIL PROTECTED]>
> Subject: Re: EAP-TNC supported?
> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Martin Schneider wrote:
>> Does anybody know about a patch or something for FreeRadius that adds
>> more stable EAP-TNC processing? I heard about a patch from FH Hannover
>> (http://tnc.inform.fh-hannover.de/wiki/index.php/Main_Page) but I
>> don't know how well this one works. Did any of you guys maybe play
>> with that patch?
>
> The EAP-TNC code in FreeRADIUS *is* the FH Hannover code.
> There's
> just *more* work that has to be done to make it ready for a production
> environment.
>
>> I read in the EAP-TTLS draft that you can perform mutual
>> authentication of server AND client using EAP-TTLS. (Client also needs
>> a certificate...). So theoretically you should be able to run EAP-TNC
>> directly after EAP-TTLS in the TLS tunnel without any other
>> user-authenticating EAP method?
>
> Perhaps. Check with the TNC specifications to see if this is permitted.
>
> Alan DeKok.
>
>
> ------------------------------
>
> Message: 5
> Date: Thu, 21 Aug 2008 09:31:59 +0100
> From: Phil Mayers <[EMAIL PROTECTED]>
> Subject: Re: FreeRadius 2.0.5 AD PEAP
> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=us-ascii; format=flowed
>
>>> Perhaps try it with a Cleartext-Password in the "users" file, i.e.
>>> *without* using ntlm_auth. That works for me, including with
>> eapol_test, and TTLS/EAP-MSCHAPv2.
>>
>> Can you clarify this setup/change to test? I was pretty sure I needed
>> to use ntlm_auth to auth against AD to test mschapv2
>
> Put a test user in the "users" file:
>
> test Cleartext-Password := "blah", MS-CHAP-Use-NTLM-Auth := 0
>
>>> If that still fails, then there's something wrong with the system
>> that breaks the server in 2.0.5.
>>
>> Running Samba 3.2.0 on Fedora 9
>
> Your problem is very odd. I'm using 2.0.5 on RHEL5 with ntlm_auth and
> it's working fine.
>
> The only time I've seen eapol_test fail with "mismatch" is when I've
> failed to strip the DOMAIN\ or @DOMAIN.COM from usernames with realms
> and this has confused the key hashing - but your usernames are
> unadorned.
>
> Perhaps the Samba version in F9 has problems? What OS and Samba version
> is your (working) 1.1.7 server running?
>
>>> FYI: Unknown network block for the CA_CERT with regards to the eapol
>>> test config file
>>> What does that mean?
>> Within the config you provided for eapol_test at the bottom is a
>> ca_cert declaration that errors out when uncommented
>>
>> Anyone using FC9 with freeradius 2.0.5 against AD working that I can use
>> to compare?
>>
>> Thanks, much appreciated
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
>
> ------------------------------
>
> Message: 6
> Date: Thu, 21 Aug 2008 10:53:17 +0200
> From: Thomas Buchberger <[EMAIL PROTECTED]>
> Subject: Re: Auth-Type := Accept - CHAP problems
> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi Alan and Ivan,
>
> Alan DeKok wrote:
>>> Config looks like this:
>>>
>>> DEFAULT Auth-Type := Accept
>>>
>> This completely bypasses any password checks.
>>
>>> ERX-Virtual-Router-Name = "vpn:XXX",
>>> ERX-Egress-Policy-Name = "XXX",
>>> ERX-Local-Loopback-Interface = "loopback 255",
>>> Service-Type = Framed-User,
>>> Framed-Protocol = PPP,
>>> Fall-Through = Yes
>>>
>>> Test100 Password = "Test100"
>>>
>> Use:
>>
>> Test100 Cleartext-Password := "Test100"
>>
> OK - now I understand...
> With Cleartext-Password, PAP and CHAP behave the same way...
> For us the wrong way :-)
> Is there a possibility to solve it with freeradius?
> We want to accept all users but give "authenticated" (correct username
> and password) users individual attributes and "non-authenticated" users
> (wrong username and/or password) different attributes but no "Login
> incorrect".
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
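Added example, not from the thread, from FreeRADIUS or from any of the posters: a small Python lint for the "users" file entries quoted in messages 5 and 6. It reads the simplified entry shape seen there (a name and comma-separated check items on the first line, indented comma-separated reply items below) and reports the three things the thread turns on: an entry forcing `Auth-Type := Accept` (the password-check bypass Alan DeKok names), an entry that still uses the bare `Password` attribute Alan told Thomas to replace with `Cleartext-Password :=`, and the `MS-CHAP-Use-NTLM-Auth := 0` local-test entry Phil Mayers suggested. The sample users file is constructed for the example; the parser covers only the line shapes seen in the thread, not every operator or quoting rule of the real format.

```python
"""Lint a FreeRADIUS "users" file for entries that weaken password checking.

Added example for this thread (not FreeRADIUS code).  The parser is a
simplified reader: it understands '#' comment lines, an entry line that
starts in column 0 ("<name> <check items>") and indented reply lines.
"""
import re

# Operators listed longest first so the regex alternation picks ':=' before '='.
OPERATORS = (":=", "==", "+=", "!=", ">=", "<=", "=~", "!~", "=*", "!*", "=", ">", "<")
ITEM_RE = re.compile(
    r"^\s*([A-Za-z0-9_-]+)\s*(" + "|".join(re.escape(op) for op in OPERATORS) + r")\s*(.*?)\s*$"
)

# Constructed sample, shaped after the entries quoted in messages 5 and 6.
SAMPLE_USERS = '''\
# constructed sample users file
DEFAULT Auth-Type := Accept
        ERX-Virtual-Router-Name = "vpn:XXX",
        ERX-Egress-Policy-Name = "XXX",
        ERX-Local-Loopback-Interface = "loopback 255",
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Fall-Through = Yes

Test100 Password = "Test100"

test    Cleartext-Password := "blah", MS-CHAP-Use-NTLM-Auth := 0
        Reply-Message = "local test user, no ntlm_auth"

Test200 Cleartext-Password := "Test200"
'''


def split_items(text):
    """Split 'A = "x, y", B := 1' on commas that are outside double quotes."""
    items, current, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            items.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    items.append("".join(current).strip())
    return [item for item in items if item]  # drops the empty tail after a trailing comma


def parse_item(text):
    """Turn 'Attr op value' into (attr, op, value) with surrounding quotes removed."""
    match = ITEM_RE.match(text)
    if not match:
        raise ValueError("cannot parse item: %r" % text)
    attr, op, value = match.groups()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return attr, op, value


def parse_users(text):
    """Return a list of {'name', 'check', 'reply'} dicts in file order."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":  # column 0: a new entry with its check items
            parts = line.split(None, 1)
            checks = [parse_item(i) for i in split_items(parts[1])] if len(parts) > 1 else []
            current = {"name": parts[0], "check": checks, "reply": []}
            entries.append(current)
        else:  # indented: reply items belonging to the current entry
            if current is None:
                raise ValueError("reply item before any entry: %r" % line)
            current["reply"].extend(parse_item(i) for i in split_items(line))
    return entries


def lint(entries):
    """Return (entry name, finding code, message) tuples for risky entries."""
    findings = []
    for entry in entries:
        checks = {attr: (op, value) for attr, op, value in entry["check"]}
        reply = {attr: value for attr, _, value in entry["reply"]}
        if "Auth-Type" in checks and checks["Auth-Type"][1].lower() == "accept":
            msg = "Auth-Type := Accept forces Access-Accept, so no password is ever checked"
            if reply.get("Fall-Through", "").lower() == "yes":
                msg += "; Fall-Through = Yes still evaluates later entries, but Auth-Type is already forced"
            findings.append((entry["name"], "accept-all", msg))
        if "Password" in checks:
            findings.append((entry["name"], "legacy-password",
                             'bare "Password" check item; use Cleartext-Password := "..." instead'))
        if checks.get("MS-CHAP-Use-NTLM-Auth", ("", ""))[1] == "0":
            findings.append((entry["name"], "ntlm-auth-off",
                             "ntlm_auth is disabled for this entry; MS-CHAP is verified locally from Cleartext-Password"))
    return findings


if __name__ == "__main__":
    for name, code, msg in lint(parse_users(SAMPLE_USERS)):
        print("%-8s %-16s %s" % (name, code, msg))
```

Run against the sample, the lint names DEFAULT (accept-all), Test100 (legacy-password) and test (ntlm-auth-off) and stays silent on Test200, which is the entry shape the thread ends up recommending. Pointing it at a real users file is a cheap way to catch an accept-all DEFAULT entry before it ships.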