I've actually installed FreeRADIUS and I've been successful in authenticating from the same system using radtest. SQL integration too is working successfully. I want to use EAP to connect to another system.
On 4/26/11, freeradius-users-requ...@lists.freeradius.org <freeradius-users-requ...@lists.freeradius.org> wrote:
> Send Freeradius-Users mailing list submissions to
> freeradius-users@lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> freeradius-users-requ...@lists.freeradius.org
>
> You can reach the person managing the list at
> freeradius-users-ow...@lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
> Today's Topics:
>
> 1. Re: Authenticating against Win2k8r2 without ntlm_auth (schilling)
> 2. Re: Authenticating against Win2k8r2 without ntlm_auth (Thomas Smith)
> 3. Re: Authenticating against Win2k8r2 without ntlm_auth (Phil Mayers)
> 4. Re: Authenticating against Win2k8r2 without ntlm_auth (Phil Mayers)
> 5. (arpitha arpitha)
> 6. Re: (Suman Dash)
> 7. Problem with EAP-TLS authentication in Freeradius (senthil kumar)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 25 Apr 2011 09:44:33 -0400
> From: schilling <schilling2...@gmail.com>
> Subject: Re: Authenticating against Win2k8r2 without ntlm_auth
> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> Message-ID: <BANLkTik2ML94FHiB_0HGtTvC=cayv-s...@mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Could we extend the AD schema with another accessible ntPassword hash,
> and thus use LDAP against AD for PEAP/MSCHAP?
>
> Schilling
>
> On Sun, Apr 24, 2011 at 4:33 AM, Phil Mayers <p.may...@imperial.ac.uk> wrote:
>> On 04/24/2011 12:48 AM, Thomas Smith wrote:
>>
>>> While Samba 3.5 and Likewise 6 fixed the problems authenticating
>>> against Win2k8r2, Likewise removed support for Samba/Winbind in their
>>> 6.x series product (they included full support for Samba/Winbind in
>>> their 5.x series product)--they now use their own libraries to provide
>>> "winbind" functionality. The result of this is that the Samba-included
>>> ntlm_auth no longer works (and Likewise doesn't provide a comparable
>>> replacement)--since my FreeRADIUS install was using ntlm_auth for AD
>>> authentication and authorization, it is no longer working.
>>
>> If you're using Samba/ntlm_auth, you're probably doing PEAP/MSCHAP, in
>> which case you have precisely one option - continuing to use Samba/ntlm_auth.
>>
>> Neither kerberos nor LDAP against AD (nor any other method) can be used to
>> process MSCHAP authentications.
>>
>> If Likewise are going to replace bits of the Samba stack, they should
>> provide compatible bits.
>> -
>> List info/subscribe/unsubscribe?
>> See http://www.freeradius.org/list/users.html
>
> ------------------------------
>
> Message: 2
> Date: Mon, 25 Apr 2011 11:33:56 -0700
> From: Thomas Smith <theitsm...@gmail.com>
> Subject: Re: Authenticating against Win2k8r2 without ntlm_auth
> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> Message-ID: <banlktimfyms_qobo1bxe4q8xgkdz0za...@mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On Sun, Apr 24, 2011 at 1:33 AM, Phil Mayers <p.may...@imperial.ac.uk> wrote:
>> On 04/24/2011 12:48 AM, Thomas Smith wrote:
>>
>>> While Samba 3.5 and Likewise 6 fixed the problems authenticating
>>> against Win2k8r2, Likewise removed support for Samba/Winbind in their
>>> 6.x series product (they included full support for Samba/Winbind in
>>> their 5.x series product)--they now use their own libraries to provide
>>> "winbind" functionality. The result of this is that the Samba-included
>>> ntlm_auth no longer works (and Likewise doesn't provide a comparable
>>> replacement)--since my FreeRADIUS install was using ntlm_auth for AD
>>> authentication and authorization, it is no longer working.
>>
>> If you're using Samba/ntlm_auth, you're probably doing PEAP/MSCHAP, in
>> which case you have precisely one option - continuing to use Samba/ntlm_auth.
>>
>> Neither kerberos nor LDAP against AD (nor any other method) can be used to
>> process MSCHAP authentications.
>>
>> If Likewise are going to replace bits of the Samba stack, they should
>> provide compatible bits.
>
> Yeah, that's exactly what I've been doing. I was hoping to find
> another method, but that doesn't sound promising.
>
> I brought this to Likewise' attention as soon as I noticed the issue.
> They are looking into it but haven't given me a time frame for a
> "fix", or even whether they will provide one.
>
> ------------------------------
>
> Message: 3
> Date: Mon, 25 Apr 2011 21:30:14 +0100
> From: Phil Mayers <p.may...@imperial.ac.uk>
> Subject: Re: Authenticating against Win2k8r2 without ntlm_auth
> To: freeradius-users@lists.freeradius.org
> Message-ID: <4db5d9d6.7060...@imperial.ac.uk>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 04/25/2011 02:44 PM, schilling wrote:
>> Could we extend the AD schema with another accessible ntPassword hash,
>> and thus use LDAP against AD for PEAP/MSCHAP?
>
> Yes, if you know everyone's plaintext password. But if you do, you don't
> have this problem at all; you can just store Cleartext-Password in some
> secured SQL database and use that.
>
> In short: it's usually impractical.
>
> ------------------------------
>
> Message: 4
> Date: Mon, 25 Apr 2011 21:39:10 +0100
> From: Phil Mayers <p.may...@imperial.ac.uk>
> Subject: Re: Authenticating against Win2k8r2 without ntlm_auth
> To: freeradius-users@lists.freeradius.org
> Message-ID: <4db5dbee.4040...@imperial.ac.uk>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 04/25/2011 07:33 PM, Thomas Smith wrote:
>>
>> I brought this to Likewise' attention as soon as I noticed the issue.
>> They are looking into it but haven't given me a time frame for a
>> "fix", or even whether they will provide one.
>
> I'm not familiar with Likewise (nor do I have any desire to become so).
> But if they provide any development libraries or infrastructure, you may
> be able to implement the feature yourself.
>
> All "ntlm_auth" ends up doing is SamNetworkLogon RPC against the
> netlogon pipe of a domain controller. Minimally, they just need to
> provide you a binary (or you code one up) that calls that RPC using the
> challenge and ntresponse values (along with username/domain) and returns
> the NT key value.
>
> The other alternative would be to compile Samba into a separate
> directory tree, and configure it carefully - then join it to the domain
> as a separate "virtual" domain member, which is only used for running
> winbind and ntlm_auth. You might have problems with nmbd and binding to
> port 13x.
>
> But honestly: it would probably be easier to just run Samba on your
> FreeRadius servers, and forgo Likewise.
>
> ------------------------------
>
> Message: 5
> Date: Tue, 26 Apr 2011 10:16:22 +0530
> From: arpitha arpitha <arpitha...@gmail.com>
> To: freeradius-users@lists.freeradius.org
> Message-ID: <banlktikd7_uulhdujuhcracjf43+coj...@mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi, I'm very new to FreeRADIUS. I want to set up a RADIUS server to
> authenticate another system connected through an access point. I'll be
> grateful if anyone can tell me the steps to do this or give links to the
> related materials. Thanks in advance :-)
>
> ------------------------------
>
> Message: 6
> Date: Tue, 26 Apr 2011 10:40:31 +0530
> From: Suman Dash <su...@clydontech.com>
> Subject: Re:
> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> Message-ID: <4db653c7.3080...@clydontech.com>
> Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
>
> Please read the documentation on how to set up FreeRADIUS. From your post
> it is unclear what type of auth you need. There are official docs at
> freeradius.org which you might want to see.
>
> On 4/26/2011 10:16 AM, arpitha arpitha wrote:
>> Hi, I'm very new to FreeRADIUS. I want to set up a RADIUS server to
>> authenticate another system connected through an access point. I'll be
>> grateful if anyone can tell me the steps to do this or give links to the
>> related materials. Thanks in advance :-)
>
> ------------------------------
>
> Message: 7
> Date: Tue, 26 Apr 2011 11:08:34 +0530
> From: senthil kumar <mail...@gmail.com>
> Subject: Problem with EAP-TLS authentication in Freeradius
> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> Message-ID: <BANLkTi=rbboy+q2uc3cbuyzltzqfmzk...@mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi All,
> I am using FreeRADIUS 2.1.0.
> PEAP/TTLS is working fine, but I am facing a problem with TLS
> authentication. I am able to generate certificates, but while connecting it
> throws an authentication error.
> Can someone send me client.cnf and server.cnf? Also let me
> know whether installing only the client certificate is enough, or whether we
> need to install ca.pem on the client side as well.
> Please let me know how to debug it.
>
> > rad_recv: Access-Request packet from host 192.168.1.1 port 4906, id=6, length=147
> > User-Name = "ma...@nokia.com"
> > NAS-IP-Address = 192.168.1.1
> > Called-Station-Id = "0023692c6f74"
> > Calling-Station-Id = "0025d05b72ab"
> > NAS-Identifier = "0023692c6f74"
> > NAS-Port = 2
> > Framed-MTU = 1400
> > State = 0xc0ff35f8c1fd389f4e860dc8a76c03f8
> > NAS-Port-Type = Wireless-802.11
> > EAP-Message = 0x020200060d00
> > Message-Authenticator = 0xcf453c67c6fe4f7695dbba231da2ba1e
> > +- entering group authorize {...}
> > ++[preprocess] returns ok
> > ++[chap] returns noop
> > ++[mschap] returns noop
> > [suffix] Looking up realm "nokia.com" for User-Name = "ma...@nokia.com"
> > [suffix] Found realm "DEFAULT"
> > [suffix] Adding Stripped-User-Name = "maemo"
> > [suffix] Adding Realm = "DEFAULT"
> > [suffix] Authentication realm is LOCAL.
> > ++[suffix] returns ok
> > [eap] EAP packet type response id 2 length 6
> > [eap] No EAP Start, assuming it's an on-going EAP conversation
> > ++[eap] returns updated
> > ++[unix] returns updated
> > [files] users: Matched entry maemo at line 74
> > ++[files] returns ok
> > ++[expiration] returns noop
> > ++[logintime] returns noop
> > [pap] Found existing Auth-Type, not changing it.
> > ++[pap] returns noop
> > Found Auth-Type = EAP
> > +- entering group authenticate {...}
> > [eap] Request found, released from the list
> > [eap] EAP/tls
> > [eap] processing type tls
> > [tls] Authenticate
> > [tls] processing EAP-TLS
> > [tls] Received TLS ACK
> > [tls] ACK handshake fragment handler
> > [tls] eaptls_verify returned 1
> > [tls] eaptls_process returned 13
> > ++[eap] returns handled
> > Sending Access-Challenge of id 6 to 192.168.1.1 port 4906
> > EAP-Message = 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
> > EAP-Message = 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
> > EAP-Message = 0x370203010001a381d33081d0301d0603551d0e041604146495968035da2071580d6554ff37f49f34a6a4fc3081a00603551d2304819830819580146495968035da2071580d6554ff37f49f34a6a4fca172a470306e310b300906035504061302494e310b3009060355040813024b413112301006035504071309536f6d657768657265310e300c060355040a13054e6f6b6961311e301c06092a864886f70d010901160f6d616d656f406e6f6b69612e636f6d310e300c060355040313054d6565676f82090088f0548531fc31df300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100c60eb4fe9642b5cf1a479ddd03
> > EAP-Message = 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
> > EAP-Message = 0x01024000720070306e310b30
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0xc0ff35f8c2fc389f4e860dc8a76c03f8
> > Finished request 156.
> > Going to the next request
> > Waking up in 0.4 seconds.
> > rad_recv: Access-Request packet from host 192.168.1.1 port 4908, id=6, length=147
> > User-Name = "ma...@nokia.com"
> > NAS-IP-Address = 192.168.1.1
> > Called-Station-Id = "0023692c6f74"
> > Calling-Station-Id = "0025d05b72ab"
> > NAS-Identifier = "0023692c6f74"
> > NAS-Port = 2
> > Framed-MTU = 1400
> > State = 0xc0ff35f8c2fc389f4e860dc8a76c03f8
> > NAS-Port-Type = Wireless-802.11
> > EAP-Message = 0x020300060d00
> > Message-Authenticator = 0xdeea6893aacbe253ed951368cec20746
> > +- entering group authorize {...}
> > ++[preprocess] returns ok
> > ++[chap] returns noop
> > ++[mschap] returns noop
> > [suffix] Looking up realm "nokia.com" for User-Name = "ma...@nokia.com"
> > [suffix] Found realm "DEFAULT"
> > [suffix] Adding Stripped-User-Name = "maemo"
> > [suffix] Adding Realm = "DEFAULT"
> > [suffix] Authentication realm is LOCAL.
> > ++[suffix] returns ok
> > [eap] EAP packet type response id 3 length 6
> > [eap] No EAP Start, assuming it's an on-going EAP conversation
> > ++[eap] returns updated
> > ++[unix] returns updated
> > [files] users: Matched entry maemo at line 74
> > ++[files] returns ok
> > ++[expiration] returns noop
> > ++[logintime] returns noop
> > [pap] Found existing Auth-Type, not changing it.
> > ++[pap] returns noop
> > Found Auth-Type = EAP
> > +- entering group authenticate {...}
> > [eap] Request found, released from the list
> > [eap] EAP/tls
> > [eap] processing type tls
> > [tls] Authenticate
> > [tls] processing EAP-TLS
> > [tls] Received TLS ACK
> > [tls] ACK handshake fragment handler
> > [tls] eaptls_verify returned 1
> > [tls] eaptls_process returned 13
> > ++[eap] returns handled
> > Sending Access-Challenge of id 6 to 192.168.1.1 port 4908
> > EAP-Message = 0x010400790d800000085b0906035504061302494e310b3009060355040813024b413112301006035504071309536f6d657768657265310e300c060355040a13054e6f6b6961311e301c06092a864886f70d010901160f6d616d656f406e6f6b69612e636f6d310e300c060355040313054d6565676f0e000000
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0xc0ff35f8c3fb389f4e860dc8a76c03f8
> > Finished request 157.
> > Going to the next request
> > Waking up in 0.4 seconds.
> > rad_recv: Access-Request packet from host 192.168.1.1 port 4910, id=6, length=154
> > User-Name = "ma...@nokia.com"
> > NAS-IP-Address = 192.168.1.1
> > Called-Station-Id = "0023692c6f74"
> > Calling-Station-Id = "0025d05b72ab"
> > NAS-Identifier = "0023692c6f74"
> > NAS-Port = 2
> > Framed-MTU = 1400
> > State = 0xc0ff35f8c3fb389f4e860dc8a76c03f8
> > NAS-Port-Type = Wireless-802.11
> > EAP-Message = 0x0204000d0d001503010002012a
> > Message-Authenticator = 0x782f15b2fce0fe49f406f1cb224b1ccf
> > +- entering group authorize {...}
> > ++[preprocess] returns ok
> > ++[chap] returns noop
> > ++[mschap] returns noop
> > [suffix] Looking up realm "nokia.com" for User-Name = "ma...@nokia.com"
> > [suffix] Found realm "DEFAULT"
> > [suffix] Adding Stripped-User-Name = "maemo"
> > [suffix] Adding Realm = "DEFAULT"
> > [suffix] Authentication realm is LOCAL.
> > ++[suffix] returns ok
> > [eap] EAP packet type response id 4 length 13
> > [eap] No EAP Start, assuming it's an on-going EAP conversation
> > ++[eap] returns updated
> > ++[unix] returns updated
> > [files] users: Matched entry maemo at line 74
> > ++[files] returns ok
> > ++[expiration] returns noop
> > ++[logintime] returns noop
> > [pap] Found existing Auth-Type, not changing it.
> > ++[pap] returns noop
> > Found Auth-Type = EAP
> > +- entering group authenticate {...}
> > [eap] Request found, released from the list
> > [eap] EAP/tls
> > [eap] processing type tls
> > [tls] Authenticate
> > [tls] processing EAP-TLS
> > [tls] eaptls_verify returned 7
> > [tls] Done initial handshake
> > [tls] <<< TLS 1.0 Alert [length 0002], warning bad_certificate
> > TLS Alert read:warning:bad certificate
> > [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
> > In SSL Handshake Phase
> > In SSL Accept mode
> > SSL Application Data
> > TLS failed during operation
> > [tls] eaptls_process returned 4
> > [eap] Handler failed in EAP/tls
> > [eap] Failed in EAP select
> > ++[eap] returns invalid
> > Failed to authenticate the user.
> > Using Post-Auth-Type Reject
> > +- entering group REJECT {...}
> > expand: %{User-Name} -> ma...@nokia.com
> > attr_filter: Matched entry DEFAULT at line 11
> > ++[attr_filter.access_reject] returns updated
> > Delaying reject of request 158 for 1 seconds
> > Going to the next request
> > Waking up in 0.4 seconds.
> > rad_recv: Access-Request packet from host 192.168.1.1 port 4912, id=6, length=136
> > User-Name = "ma...@nokia.com"
> > NAS-IP-Address = 192.168.1.1
> > Called-Station-Id = "0023692c6f74"
> > Calling-Station-Id = "0025d05b72ab"
> > NAS-Identifier = "0023692c6f74"
> > NAS-Port = 2
> > Framed-MTU = 1400
> > NAS-Port-Type = Wireless-802.11
> > EAP-Message = 0x0204000d0d001503010002020a
> > Message-Authenticator = 0x542730d7c53937fe5e038692a71646ff
> > +- entering group authorize {...}
> > ++[preprocess] returns ok
> > ++[chap] returns noop
> > ++[mschap] returns noop
> > [suffix] Looking up realm "nokia.com" for User-Name = "ma...@nokia.com"
> > [suffix] Found realm "DEFAULT"
> > [suffix] Adding Stripped-User-Name = "maemo"
> > [suffix] Adding Realm = "DEFAULT"
> > [suffix] Authentication realm is LOCAL.
> > ++[suffix] returns ok
> > [eap] EAP packet type response id 4 length 13
> > [eap] No EAP Start, assuming it's an on-going EAP conversation
> > ++[eap] returns updated
> > ++[unix] returns updated
> > [files] users: Matched entry maemo at line 74
> > ++[files] returns ok
> > ++[expiration] returns noop
> > ++[logintime] returns noop
> > [pap] Found existing Auth-Type, not changing it.
> > ++[pap] returns noop
> > Found Auth-Type = EAP
> > +- entering group authenticate {...}
> > [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
> > [eap] Failed in handler
> > ++[eap] returns invalid
> > Failed to authenticate the user.
> > Using Post-Auth-Type Reject
> > +- entering group REJECT {...}
> > expand: %{User-Name} -> ma...@nokia.com
> > attr_filter: Matched entry DEFAULT at line 11
> > ++[attr_filter.access_reject] returns updated
> > Delaying reject of request 159 for 1 seconds
> > Going to the next request
> > Waking up in 0.4 seconds.
> > Cleaning up request 146 ID 6 with timestamp +2141
> > Cleaning up request 147 ID 6 with timestamp +2141
> > Waking up in 0.5 seconds.
> > Sending delayed reject for request 158
> > Sending Access-Reject of id 6 to 192.168.1.1 port 4910
> > EAP-Message = 0x04040004
> > Message-Authenticator = 0x00000000000000000000000000000000
> > Sending delayed reject for request 159
> > Sending Access-Reject of id 6 to 192.168.1.1 port 4912
> > Waking up in 1.1 seconds.
> > Cleaning up request 148 ID 6 with timestamp +2143
> > Cleaning up request 149 ID 6 with timestamp +2143
> > Cleaning up request 150 ID 6 with timestamp +2143
> > Cleaning up request 151 ID 6 with timestamp +2143
> > Waking up in 1.0 seconds.
> > Cleaning up request 152 ID 6 with timestamp +2143
> > Cleaning up request 153 ID 6 with timestamp +2143
> > Waking up in 1.7 seconds.
> > Cleaning up request 154 ID 6 with timestamp +2146
> > Cleaning up request 155 ID 6 with timestamp +2146
> > Cleaning up request 156 ID 6 with timestamp +2146
> > Cleaning up request 157 ID 6 with timestamp +2146
> > Waking up in 1.0 seconds.
> > Cleaning up request 158 ID 6 with timestamp +2146
> > Cleaning up request 159 ID 6 with timestamp +2146
>
> Regards
> Senthil
>
> ------------------------------
>
> End of Freeradius-Users Digest, Vol 72, Issue 78
> ************************************************
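The EAP-Message values in Senthil's debug output (message 7) already say where the EAP-TLS exchange breaks, if you decode them: the two 13-byte client packets carry a TLS alert record, and in FreeRADIUS debug output the "<<<" prefix marks data the server received, so "warning bad_certificate" is the supplicant's verdict on the server's certificate, not the server's verdict on the client's. That typically means the client does not trust the CA that issued the server certificate, which is exactly the ca.pem-on-the-client question. The decoder below is an added example written for this thread, not FreeRADIUS code; it uses only the Python standard library, and the sample values are the EAP-Message strings copied from the log above (the long one is the server's certificate fragment from the Access-Challenge with id 4).

```python
"""Decode EAP-Message attribute values as printed by `radiusd -X`.

Added example for this thread, not FreeRADIUS code. It parses the EAP
header, the EAP-TLS flags (RFC 5216) and, where a fragment starts a TLS
record, the record header and any alert it carries.
"""
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
EAP_TYPE_TLS = 13
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# RFC 5246 AlertDescription values a RADIUS admin is likely to meet.
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 112: "unrecognized_name",
}


def decode_tls_payload(payload: bytes) -> dict:
    """Interpret the TLS bytes carried by one EAP-TLS fragment.

    Only the first fragment of a TLS message starts with a record header
    (content type, version, length); later fragments are raw continuation
    bytes, which is what the server's certificate fragment in the log is.
    """
    if len(payload) >= 5 and payload[0] in TLS_CONTENT and payload[1] == 3 and payload[2] <= 3:
        ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", payload[:5])
        rec = {"content": TLS_CONTENT[ctype],
               "version": TLS_VERSIONS.get((vmaj, vmin), f"{vmaj}.{vmin}"),
               "record_length": rlen}
        body = payload[5:5 + rlen]
        if ctype == 21 and len(body) >= 2:  # alert: level byte, description byte
            rec["alert"] = (ALERT_LEVELS.get(body[0], str(body[0])) + " "
                            + ALERT_DESCRIPTIONS.get(body[1], str(body[1])))
        elif ctype == 22 and body:
            rec["handshake_type"] = body[0]
        return rec
    return {"content": "continuation", "bytes": len(payload)}


def decode_eap(value: str) -> dict:
    """Parse one EAP-Message value ("0x..." as printed by radiusd -X)."""
    raw = bytes.fromhex(value[2:] if value.lower().startswith("0x") else value)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    info = {"code": EAP_CODES.get(code, str(code)), "id": ident, "length": length}
    if length != len(raw):
        # Long EAP packets are split over several EAP-Message attributes,
        # so one printed value may hold less than the declared length.
        info["truncated"] = True
    if code in (1, 2) and len(raw) >= 5:
        eap_type = raw[4]
        info["type"] = EAP_TYPES.get(eap_type, str(eap_type))
        if eap_type == EAP_TYPE_TLS and len(raw) >= 6:
            flags = raw[5]  # L = length included, M = more fragments, S = start
            info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
            offset = 6
            if flags & 0x80 and len(raw) >= 10:
                info["tls_total_length"] = struct.unpack("!I", raw[6:10])[0]
                offset = 10
            payload = raw[offset:]
            # A 6-byte EAP-TLS packet with no payload is the EAP-TLS ACK.
            info["tls"] = decode_tls_payload(payload) if payload else {"content": "ack"}
    return info


def decode_log(text: str) -> list:
    """Pull every hex EAP-Message value out of debug output and decode it."""
    return [decode_eap(m) for m in re.findall(r"EAP-Message\s*=\s*(0x[0-9a-fA-F]+)", text)]


# EAP-Message values copied from the debug log quoted in message 7.
SAMPLE_LOG = """
EAP-Message = 0x020200060d00
EAP-Message = 0x010400790d800000085b0906035504061302494e310b3009060355040813024b413112301006035504071309536f6d657768657265310e300c060355040a13054e6f6b6961311e301c06092a864886f70d010901160f6d616d656f406e6f6b69612e636f6d310e300c060355040313054d6565676f0e000000
EAP-Message = 0x0204000d0d001503010002012a
EAP-Message = 0x0204000d0d001503010002020a
EAP-Message = 0x04040004
"""

if __name__ == "__main__":
    for entry in decode_log(SAMPLE_LOG):
        print(entry)
```

Run against the sample, the second client packet decodes to "warning bad_certificate" and the third to "fatal unexpected_message"; the server fragment before them has the L flag set with a total TLS length of 2139 bytes and ends in the 0e000000 bytes of a ServerHelloDone, so the server had finished presenting its certificate chain when the client objected. Checking the client's trust store for the CA in ca.pem, and the server certificate's validity period and extended key usage as the supplicant sees them, is the next step; a dump of all EAP-Message values from a full `radiusd -X` run can be fed to decode_log as-is.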