Re: Thanks
Hi all! Of course, Jean-Paul. The problem was in my LDAP: I have changed my own LDAP configuration and freeradius now works correctly with TTLS and TLS, but I have not changed anything in my freeradius configuration. So, thanks for your help!!

José Luis Solano
[EMAIL PROTECTED]
(+34) 954.088.060

----- Original Message -----
From: Jean-Paul Chapalain [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, February 25, 2004 9:58 AM
Subject: Re: Thanks

Great, but could you say more!!!

José Luis Solano wrote:
Thanks, my freeradius runs.
José Luis Solano

Jean-Paul.
--
-- Jean-Paul Chapalain - GICM - Head of Networks and Infrastructure
-- 32 rue Mirabeau - Le Relecq-Kerhuon - 29808 Brest Cedex 9, FRANCE
-- Tel +33298002873 - Fax +33298284005 - [EMAIL PROTECTED]
-- Key Fingerprint: 192C 1CFE F24A 050D F280 A086 AF15 8631 3ABB 4C7D

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
XSupplicant client with TTLS
Hi all, I'm here again ;) Does anybody use the XSupplicant client with TTLS? Does anybody know if XSupplicant works OK with TTLS? Please, if there is someone who works with XSupplicant, I need help!!! Thanks

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
Re: AlfaAriss Client Heeeeeeeeeeeeelp!!!!!!!
        Message-Authenticator = 0x3802f12111d5ab22325d397383592df9
modcall: entering group authorize for request 8
  modcall[authorize]: module preprocess returns ok for request 8
  modcall[authorize]: module chap returns noop for request 8
  modcall[authorize]: module mschap returns noop for request 8
    rlm_realm: No '@' in User-Name = a0153, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 8
  rlm_eap: EAP packet type response id 6 length 71
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 8
    users: Matched a0153 at 4
  modcall[authorize]: module files returns ok for request 8
rlm_ldap: - authorize
rlm_ldap: performing user authorization for a0153
radius_xlat: '(uid=a0153)'
radius_xlat: 'ou=Wireless,dc=sgi,dc=es'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Wireless,dc=sgi,dc=es, with filter (uid=a0153)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns notfound for request 8
modcall: group authorize returns updated for request 8
  rad_check_password: Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate for request 8
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Length Included
  eaptls_verify returned 11
  eaptls_process returned 7
  rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
  TTLS: Got tunneled request
        User-Name = a0153
        User-Password = izadisan
        FreeRADIUS-Proxied-To = 127.0.0.1
  TTLS: Sending tunneled request
        User-Name = a0153
        User-Password = izadisan
        FreeRADIUS-Proxied-To = 127.0.0.1
modcall: entering group authorize for request 8
  modcall[authorize]: module preprocess returns ok for request 8
  modcall[authorize]: module chap returns noop for request 8
  modcall[authorize]: module mschap returns noop for request 8
    rlm_realm: No '@' in User-Name = a0153, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 8
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 8
    users: Matched a0153 at 4
  modcall[authorize]: module files returns ok for request 8
rlm_ldap: - authorize
rlm_ldap: performing user authorization for a0153
radius_xlat: '(uid=a0153)'
radius_xlat: 'ou=Wireless,dc=sgi,dc=es'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Wireless,dc=sgi,dc=es, with filter (uid=a0153)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns notfound for request 8
modcall: group authorize returns ok for request 8
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
  TTLS: Got tunneled reply RADIUS code 3
  TTLS: Got tunneled Access-Reject
  rlm_eap: Handler failed in EAP/ttls
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module eap returns invalid for request 8
modcall: group authenticate returns invalid for request 8
auth: Failed to validate the user.
Delaying request 8 for 1 seconds
Finished request 8
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 13 with timestamp 403b1a6c
Cleaning up request 4 ID 14 with timestamp 403b1a6c
Cleaning up request 5 ID 15 with timestamp 403b1a6c
Cleaning up request 6 ID 16 with timestamp 403b1a6c
Cleaning up request 7 ID 17 with timestamp 403b1a6c
Sending Access-Reject of id 18 to 192.168.49.252:1225
        EAP-Message = 0x04060004
        Message-Authenticator = 0x
Cleaning up request 8 ID 18 with timestamp 403b1a6c
Nothing to do. Sleeping until we see a request.

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
Re: AlfaAriss Client Heeeeeeeeeeeeelp!!!!!!!
...
rad_recv: Access-Request packet from host 192.168.49.252:1225, id=3, length=144
        User-Name = 991
        NAS-IP-Address = 192.168.49.252
        NAS-Port = 0
        Called-Station-Id = 00-80-C8-01-01-55
        Calling-Station-Id = 00-0B-46-26-1C-44
        NAS-Identifier = DWL-1000AP+
        Framed-MTU = 1380
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x02010010013939393939393939393931
        Message-Authenticator = 0x43aba66dea12643188e55a3130b4e1cd
modcall: entering group authorize for request 11
  modcall[authorize]: module preprocess returns ok for request 11
  modcall[authorize]: module chap returns noop for request 11
  modcall[authorize]: module mschap returns noop for request 11
    rlm_realm: No '@' in User-Name = 991, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 11
  rlm_eap: EAP packet type response id 1 length 16
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 11
    users: Matched DEFAULT at 16
  modcall[authorize]: module files returns ok for request 11
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 991
radius_xlat: '(uid=991)'
radius_xlat: 'ou=Wireless,dc=sgi,dc=es'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Wireless,dc=sgi,dc=es, with filter (uid=991)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns notfound for request 11
modcall: group authorize returns updated for request 11
  rad_check_password: Found Auth-Type LDAP
auth: type LDAP
modcall: entering group Auth-Type for request 11
rlm_ldap: - authenticate
rlm_ldap: Attribute User-Password is required for authentication.
  modcall[authenticate]: module ldap returns invalid for request 11
modcall: group Auth-Type returns invalid for request 11
auth: Failed to validate the user.
Delaying request 11 for 1 seconds
Finished request 11
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 10 ID 2 with timestamp 403b2142
Sending Access-Reject of id 3 to 192.168.49.252:1225
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 11 ID 3 with timestamp 403b2146
Nothing to do. Sleeping until we see a request.

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
Re: AlfaAriss Client Heeeeeeeeeeeeelp!!!!!!!
Hi Jean-Paul, have you seen the freeradius logs and my LDAP configuration? How many attributes does LDAP need? How does freeradius get the password? Thanks a lot, and sorry if I ask a lot.

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

----- Original Message -----
From: Jean-Paul Chapalain [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 24, 2004 11:31 AM
Subject: Re: AlfaAriss Client Help!!!

Hi José,

José Luis Solano wrote:
Hi Jean-Paul!!! I have your configuration in my freeradius-snapshot-20040222 but I have the following error (see freeradius logs please). I don't understand the configuration of the users file:

#-
# Connexion 802.1x
a0153
    What is it?
It's a user of my Ldap back-end.

# a0292 : Define the user for 802.1x Authentication
#-
a0292
    == What is it?
# a0292 : Define the user for 802.1x Authentication
#-
9991
    I have added it, but I don't know why exactly??? :(

# By default use Ldap for authentication
#-
DEFAULT Auth-Type := LDAP
Ldap is the default authentication method.

Regards,
Jean-Paul.
--
-- Jean-Paul Chapalain - GICM - Head of Networks and Infrastructure
-- 32 rue Mirabeau - Le Relecq-Kerhuon - 29808 Brest Cedex 9, FRANCE
-- Tel +33298002873 - Fax +33298284005 - [EMAIL PROTECTED]
-- Key Fingerprint: 192C 1CFE F24A 050D F280 A086 AF15 8631 3ABB 4C7D
LDAP structure
Hi all, I use EAP/TTLS and an LDAP directory to store the users. What should the structure of my LDAP be? Do I need specific attributes in my LDAP (userPassword, etc.)? Do I need to change any schema files (RADIUS-LDAP.schema, RADIUS-LDAPv3.schema, RADIUS-SQL.schema)? Thanks in advance

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
EAP-TTLS error
NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 5
  rlm_eap: EAP packet type response id 6 length 79
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 5
    users: Matched DEFAULT at 152
  modcall[authorize]: module files returns ok for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 9991
radius_xlat: '(uid=9991)'
radius_xlat: 'ou=Wireless,dc=sgi,dc=es'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Wireless,dc=sgi,dc=es, with filter (uid=9991)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusAuthType as Auth-Type, value EAP op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user 9991 authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 5
modcall: group authorize returns updated for request 5
  rad_check_password: Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate for request 5
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Length Included
  eaptls_verify returned 11
  eaptls_process returned 7
  rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
  TTLS: Got tunneled request
        User-Name = 9991
        User-Password = izadisan
        FreeRADIUS-Proxied-To = 127.0.0.1
  TTLS: Sending tunneled request
        User-Name = 9991
        User-Password = izadisan
        FreeRADIUS-Proxied-To = 127.0.0.1
        NAS-IP-Address = 192.168.49.252
        NAS-Port = 0
        Called-Station-Id = 00-80-C8-01-01-55
        Calling-Station-Id = 00-0B-46-26-1C-44
        NAS-Identifier = DWL-1000AP+
        Framed-MTU = 1380
        NAS-Port-Type = Wireless-802.11
modcall: entering group authorize for request 5
  modcall[authorize]: module preprocess returns ok for request 5
  modcall[authorize]: module chap returns noop for request 5
  modcall[authorize]: module mschap returns noop for request 5
    rlm_realm: No '@' in User-Name = 9991, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 5
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 5
    users: Matched DEFAULT at 152
  modcall[authorize]: module files returns ok for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 9991
radius_xlat: '(uid=9991)'
radius_xlat: 'ou=Wireless,dc=sgi,dc=es'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Wireless,dc=sgi,dc=es, with filter (uid=9991)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusAuthType as Auth-Type, value EAP op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user 9991 authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 5
modcall: group authorize returns ok for request 5
  rad_check_password: Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate for request 5
  rlm_eap: EAP-Message not found
  rlm_eap: Malformed EAP Message
  modcall[authenticate]: module eap returns fail for request 5
modcall: group authenticate returns fail for request 5
auth: Failed to validate the user.
  TTLS: Got tunneled reply RADIUS code 3
  TTLS: Got tunneled Access-Reject
  rlm_eap: Handler failed in EAP/ttls
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module eap returns invalid for request 5
modcall: group authenticate returns invalid for request 5
auth: Failed to validate the user.
Delaying request 5 for 1 seconds
Finished request 5
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 5 with timestamp 403b7974
Sending Access-Reject of id 6 to 192.168.49.252:1225
        EAP-Message = 0x04060004
        Message-Authenticator = 0x
Cleaning up request 5 ID 6 with timestamp 403b7974
Nothing to do. Sleeping until we see a request.

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
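The three rejects posted in this thread can be told apart mechanically from radiusd -X output: the tunneled request that matched nothing and so got no Auth-Type (the a0153 logs), Auth-Type LDAP applied to the outer EAP leg which carries no User-Password (the 991 logs), and Auth-Type EAP returned by the directory for the tunneled PAP request which carries no EAP-Message (the 9991 logs above). The following triage script is an added example, not code from the thread or from the FreeRADIUS project. The log excerpt it runs on is constructed, modelled on the posted lines (request numbers, user names and the password are made up; the reject strings are the ones in the logs above); the cause keys and advice strings are the example's own.

```python
"""Triage FreeRADIUS 1.x debug output (radiusd -X) for EAP-TTLS rejects.

Added example, not FreeRADIUS code. Tracks, per request number, whether the
server is on the outer EAP leg or the tunneled (inner) leg, remembers the
Auth-Type that rad_check_password found, and maps the reject line to the
configuration mistake it implies. Request numbers are only unique within one
debug session, so feed one capture at a time.
"""
import re
from typing import Dict, Optional

# Reject lines seen in the thread -> a cause key (keys are this example's own).
FAILURES = [
    (re.compile(r"auth: No authenticate method \(Auth-Type\) configuration found"),
     "no-auth-type"),
    (re.compile(r'rlm_ldap: Attribute "?User-Password"? is required'),
     "ldap-without-password"),
    (re.compile(r"rlm_eap: EAP-Message not found"),
     "eap-without-eap-message"),
]

ADVICE = {
    "no-auth-type": "nothing in authorize set Auth-Type: no users entry sets one and "
                    "the LDAP lookup returned notfound; add the user or a DEFAULT Auth-Type",
    "ldap-without-password": "Auth-Type LDAP was applied to the outer EAP leg, which carries "
                             "only an EAP-Message; let eap set Auth-Type EAP there and use "
                             "LDAP for the tunneled leg",
    "eap-without-eap-message": "Auth-Type EAP was applied to the tunneled PAP request (here via "
                               "the directory's radiusAuthType); it belongs to the outer leg only",
}

_ENTER = re.compile(r"modcall: entering group (\S+) for request (\d+)")
_FOUND = re.compile(r"rad_check_password:\s+Found Auth-Type (\S+)")


def triage(log_text: str) -> Dict[int, dict]:
    """Return {request number: diagnosis} for every rejected request."""
    diagnoses: Dict[int, dict] = {}
    leg: Dict[int, str] = {}                    # request -> "outer" | "inner"
    auth_type: Dict[int, Optional[str]] = {}
    current: Optional[int] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _ENTER.match(line)
        if m:
            current = int(m.group(2))
            leg.setdefault(current, "outer")
            continue
        if current is None:
            continue
        if line.startswith("TTLS: Got tunneled request"):
            # Same request number, but from here on it is the inner leg, which
            # gets its own pass through authorize and its own Auth-Type.
            leg[current] = "inner"
            auth_type[current] = None
            continue
        m = _FOUND.match(line)
        if m:
            auth_type[current] = m.group(1)
            continue
        for pattern, cause in FAILURES:
            if pattern.search(line) and current not in diagnoses:   # keep first reject
                diagnoses[current] = {"leg": leg[current], "auth_type": auth_type.get(current),
                                      "cause": cause, "advice": ADVICE[cause]}
    return diagnoses


# Constructed excerpt (not a verbatim capture), one request per failure mode.
SAMPLE_LOG = """\
modcall: entering group authorize for request 8
  modcall[authorize]: module eap returns updated for request 8
  modcall[authorize]: module ldap returns notfound for request 8
  rad_check_password:  Found Auth-Type EAP
modcall: entering group authenticate for request 8
  TTLS: Got tunneled request
        User-Name = "user-a"
        User-Password = "example-secret"
modcall: entering group authorize for request 8
  modcall[authorize]: module eap returns noop for request 8
  modcall[authorize]: module ldap returns notfound for request 8
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
  TTLS: Got tunneled Access-Reject
modcall: entering group authorize for request 11
  modcall[authorize]: module eap returns updated for request 11
  rad_check_password:  Found Auth-Type LDAP
modcall: entering group Auth-Type for request 11
rlm_ldap: Attribute "User-Password" is required for authentication.
modcall: entering group authorize for request 5
rlm_ldap: Adding radiusAuthType as Auth-Type, value EAP op=21
  rad_check_password:  Found Auth-Type EAP
modcall: entering group authenticate for request 5
  TTLS: Got tunneled request
        User-Name = "user-b"
        User-Password = "example-secret"
modcall: entering group authorize for request 5
rlm_ldap: Adding radiusAuthType as Auth-Type, value EAP op=21
  rad_check_password:  Found Auth-Type EAP
modcall: entering group authenticate for request 5
  rlm_eap: EAP-Message not found
  rlm_eap: Malformed EAP Message
"""

if __name__ == "__main__":
    for req, d in sorted(triage(SAMPLE_LOG).items()):
        print(f"request {req}: {d['leg']} leg, Auth-Type={d['auth_type']}: {d['advice']}")
```

The script deliberately keys on "TTLS: Got tunneled request" rather than on the request number, because FreeRADIUS reuses the outer request number for the inner leg (the inner pass through authorize is where the 9991 logs above pick up radiusAuthType = EAP a second time).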
Thanks
Thanks, my freeradius runs. José Luis Solano
Re: AlfaAriss Client Heeeeeeeeeeeeelp!!!!!!!
Hi Jean-Paul, As you know, I'm fighting with my freeradius to run EAP/TTLS. I use the SecureW2 client and LDAP, so could you (Jean-Paul) send me your configuration, please? I would need:
- do I need to change anything when I install freeradius?
- the modules eap, authorize, authenticate and ldap in radiusd.conf
- the users file configuration
- have you changed anything in the dictionary file?
Thanks in advance

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

----- Original Message -----
From: Jean-Paul Chapalain [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, February 20, 2004 4:14 PM
Subject: Re: AlfaAriss Client Help!!!

Hi Tom,

Tom Rixom wrote:
Sorry about the previous email, wasn't awake yet... here is a repost:
Hello, If your LDAP back-end uses encrypted passwords, certain authentication methods cannot be used. PEAP-EAP-MSCHAPV2 for example requires either clear-text passwords or Microsoft NT HASH passwords. I am not sure about LEAP. Because SecureW2 v1 sends over the password in the clear it can be used on any kind of database encryption there is. Are you using encryption in your LDAP database?

I'm using Active Directory, which encrypts the password.

Tom Rixom
Alfa Ariss

Today I succeeded with a configuration of FreeRadius for EAP/TTLS (PAP) (SecureW2 client on Windows) which runs with a user/password check on an Ldap back-end (AD). But for EAP/PEAP and EAP/LEAP the challenge uses MS-CHAP or MS-CHAPV2 for hashing. So FreeRadius can't retrieve the clear-text password from the packets and can't perform the check on the Ldap back-end. Do you agree with this? I'm searching for a solution to authenticate LEAP clients (Mac OS X) with FreeRadius and an Ldap back-end.

Regards,
Jean-Paul.
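The point Tom Rixom and Jean-Paul make above is worth seeing in code: with EAP-TTLS/PAP the cleartext password arrives at the RADIUS server inside the TLS tunnel (the logs in this thread show it proxied to 127.0.0.1 as User-Password), so the server can check it against any stored form, including OpenLDAP's salted {SSHA}; with PEAP/EAP-MSCHAPv2 the peer proves the password with DES keys derived from the NT hash (MD4 over the UTF-16LE password), so the server must be able to produce that hash, and a salted SHA-1 entry gives it no way to do so. The block below is an added example, not code from the thread, SecureW2 or FreeRADIUS. The {SSHA}/{NT}/{CLEAR} prefixes are the example's own convention for three stored forms (FreeRADIUS uses its own attribute names for these), the MD4 is a pure-Python RFC 1320 implementation because hashlib's md4 is absent on many builds, and the sample password is constructed. The caveat that goes with TTLS/PAP: the server, and anyone who can impersonate it to a supplicant that does not validate the server certificate, sees the cleartext password.

```python
"""Which inner 802.1X methods a stored password form can still validate.

Added example, not FreeRADIUS or SecureW2 code. Stored forms (example's own
prefix convention):
  {SSHA}  salted SHA-1 as OpenLDAP stores userPassword
  {NT}    hex NT hash (MD4 over the UTF-16LE password)
  {CLEAR} cleartext
"""
import base64
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional


def _md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python."""
    mask = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, s: ((x << s) | (x >> (32 - s))) & mask
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2 = [(i % 4) * 4 + i // 4 for i in range(16)]          # 0,4,8,12,1,5,9,13,...
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        A, B, C, D = a, b, c, d
        for i in range(16):                                  # round 1
            A = rotl((A + F(B, C, D) + X[i]) & mask, (3, 7, 11, 19)[i % 4])
            A, B, C, D = D, A, B, C
        for i in range(16):                                  # round 2
            A = rotl((A + G(B, C, D) + X[r2[i]] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            A, B, C, D = D, A, B, C
        for i in range(16):                                  # round 3
            A = rotl((A + H(B, C, D) + X[r3[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            A, B, C, D = D, A, B, C
        a, b, c, d = (a + A) & mask, (b + B) & mask, (c + C) & mask, (d + D) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash as MS-CHAPv2 needs it: MD4 over the UTF-16LE password, hex."""
    return _md4(password.encode("utf-16-le")).hex()


def ssha_encode(password: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, candidate: str) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(candidate.encode("utf-8") + salt).digest(), digest)


def pap_verify(stored: str, candidate: str) -> bool:
    """TTLS/PAP: the server holds the cleartext candidate, so every form can be checked."""
    if stored.startswith("{SSHA}"):
        return ssha_verify(stored, candidate)
    if stored.startswith("{NT}"):
        return hmac.compare_digest(stored[4:].lower().encode(), nt_hash(candidate).encode())
    if stored.startswith("{CLEAR}"):
        return hmac.compare_digest(stored[7:].encode("utf-8"), candidate.encode("utf-8"))
    raise ValueError("unknown stored form: " + stored[:8])


def nt_hash_for_mschap(stored: str) -> Optional[str]:
    """The NT hash the server could hand to MS-CHAPv2; None means PEAP/MSCHAPv2 cannot work."""
    if stored.startswith("{CLEAR}"):
        return nt_hash(stored[7:])
    if stored.startswith("{NT}"):
        return stored[4:].lower()
    return None   # a salted SHA-1 digest cannot be turned back into an NT hash


def supported_methods(stored: str) -> Dict[str, bool]:
    return {"EAP-TTLS/PAP": True,    # cleartext arrives inside the tunnel
            "PEAP/EAP-MSCHAPv2": nt_hash_for_mschap(stored) is not None}


if __name__ == "__main__":
    # Constructed entries; not credentials from the thread.
    for entry in (ssha_encode("example-secret"), "{CLEAR}example-secret",
                  "{NT}" + nt_hash("example-secret")):
        print(entry[:7], supported_methods(entry), pap_verify(entry, "example-secret"))
```

Storing {NT} hashes makes PEAP/MSCHAPv2 possible without cleartext, but an NT hash is unsalted and is itself sufficient to answer MS-CHAPv2 challenges, so it needs the same protection as a cleartext password.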
Re: AlfaAriss Client question
Hi Arthur, I think the Alfa·ariss client is free for your personal usage, but you can't distribute it. Regards.

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

----- Original Message -----
From: Artur Hecker [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, February 23, 2004 10:39 AM
Subject: Re: AlfaAriss Client question

hi tom

thanks for the clarification. me for my part, i also tested it here and i confirm that it also works for me (alfaariss, cisco 350, win XP; cisco aps 1100/1200; freeradius ttls).

tom, do you have any idea about legal issues with the alfaariss client? is it free, can i use it in a university? do i need a license? or supposing that i have a business, can i install it in my client's network?

thanks,
artur

Tom Rixom wrote:
Hi, If you are having trouble with the cisco card under W2K, try using the fake key trick. Just fill in a random WEP key (this also allows you to choose the WEP key size) and this will allow the authentication to proceed. After authentication the WEP key is overridden with the correct dynamic key and everything works. I have tested Cisco 350 cards on Windows XP, Windows 2000 and Windows CE and they all worked (using Cisco 350, 1100 and 1200).
Regards,
Tom Rixom
SecureW2
Alfa Ariss

----- Original Message -----
From: Artur Hecker [mailto:[EMAIL PROTECTED]]
Sent: Sun 22-2-2004 12:05
To: [EMAIL PROTECTED]
CC:
Subject: Re: AlfaAriss Client question
Re: AlfaAriss Client Heeeeeeeeeeeeelp!!!!!!!
Hi Lionel! Thanks a lot, of course, and please send me your radiusd.conf. You can use my personal email [EMAIL PROTECTED]. In the users file, what do I need to change? Thanks a lot again, Lionel!!!

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

----- Original Message -----
From: Lionel Gavage [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, February 23, 2004 10:42 AM
Subject: RE: AlfaAriss Client Help!!!

Hi José, I can send you my radius.conf configuration, where EAP/TTLS with LDAP works with the SecureW2 client.
Lionel.

----- Original Message -----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] on behalf of José Luis Solano
Sent: Monday 23 February 2004 10:11
To: [EMAIL PROTECTED]
Subject: Re: AlfaAriss Client Help!!!
Re: AlfaAriss Client question
Hi Arthur, Currently there are three clients available:
** XSupplicant: Linux. I don't know if the latest version works correctly with TTLS. Free.
** SecureW2: Windows, TTLS (PAP). Free for personal usage.
** AEGIS Client: Windows and Linux. Not free.
Regards.

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

----- Original Message -----
From: Artur Hecker [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, February 23, 2004 11:00 AM
Subject: Re: AlfaAriss Client question

thanks jose

i've just read the agreement on their site. it's free for personal use. however, i don't want to install it in the university's network. we will probably propose TTLS access here. well, i personally don't know any other available TTLS clients for windows. so i suppose that the students (at least the Windows users among them) will use Alfa-Ariss - any of them on a personal basis, since i won't install anything in the network. i just ask myself if it's completely ok for AA, that's all. because otherwise we will need to develop it.

ciao
artur

José Luis Solano wrote:
Hi Arthur, I think the Alfa·ariss client is free for your personal usage, but you can't distribute it. Regards.
Re: AlfaAriss Client Heeeeeeeeeeeeelp!!!!!!!
Thanks Alan!!!

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

----- Original Message -----
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, February 23, 2004 3:18 PM
Subject: Re: AlfaAriss Client Help!!!

José Luis Solano [EMAIL PROTECTED] wrote:
- have you changed anything in the dictionary file?

Don't edit the dictionary files. 99.9% of the time, it's the wrong thing to do.

Alan DeKok.
Re: AlfaAriss Client Heeeeeeeeeeeeelp!!!!!!!
request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 21 ID 10 with timestamp 403a2284
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 11 to 192.168.49.252:1225
        Reply-Message += Password Has Expired\r\n
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 192.168.49.252:1225, id=12, length=146
        User-Name = 8881
        NAS-IP-Address = 192.168.49.252
        NAS-Port = 0
        Called-Station-Id = 00-80-C8-01-01-55
        Calling-Station-Id = 00-0B-46-26-1C-44
        NAS-Identifier = DWL-1000AP+
        Framed-MTU = 1380
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0201001101383838383838383838383831
        Message-Authenticator = 0xe2a546a1d8596e1437b9d629a2e8a7de
modcall: entering group authorize for request 23
  modcall[authorize]: module preprocess returns ok for request 23
  modcall[authorize]: module chap returns noop for request 23
  modcall[authorize]: module mschap returns noop for request 23
    rlm_realm: No '@' in User-Name = 8881, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 23
  rlm_eap: EAP packet type response id 1 length 17
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 23
    users: Matched DEFAULT at 152
  modcall[authorize]: module files returns ok for request 23
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 8881
radius_xlat: '(uid=8881)'
radius_xlat: 'ou=Wireless,dc=sgi,dc=es'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Wireless,dc=sgi,dc=es, with filter (uid=8881)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusExpiration as Expiration, value 22 op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value EAP op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user 8881 authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 23
modcall: group authorize returns updated for request 23
auth: Failed to validate the user.
Delaying request 23 for 1 seconds
Finished request 23
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 22 ID 11 with timestamp 403a2289
Sending Access-Reject of id 12 to 192.168.49.252:1225
        Reply-Message += Password Has Expired\r\n
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 23 ID 12 with timestamp 403a228d
Nothing to do. Sleeping until we see a request.

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

----- Original Message -----
From: José Luis Solano [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, February 23, 2004 4:06 PM
Subject: Re: AlfaAriss Client Help!!!
Authorize and Authenticate with FILES: auth: Failed to validate the user
Hi all!!! I have installed freeradius-snapshot-20040216 on Red Hat 9. I use the AlfaAriss client under Windows XP, with a Cisco PCMCIA card in my laptop. I use FILES to authorize and authenticate, but TTLS doesn't run OK. Any idea?? Please help?? (Alan, Lionel, Jean-Paul, please)

freeradius logs
--
[EMAIL PROTECTED] raddb]#
rad_recv: Access-Request packet from host 192.168.49.252:1225, id=41, length=140
        User-Name = "anonymous"
        NAS-IP-Address = 192.168.49.252
        NAS-Port = 0
        Called-Station-Id = "00-80-C8-01-01-55"
        Calling-Station-Id = "00-0B-46-26-1C-44"
        NAS-Identifier = "DWL-1000AP+"
        Framed-MTU = 1380
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0201000e01616e6f6e796d6f7573
        Message-Authenticator = 0xd46c99136b226ede9c334c88dfb2fa91
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "files" returns notfound for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 41 to 192.168.49.252:1225
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 41 with timestamp 4035e87f
Nothing to do. Sleeping until we see a request.

users file
-
sgisev  Auth-Type := Local, User-Password == "12345678"

DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP

radiusd.conf
-
eap {
        default_eap_type = tls
        timer_expire = 60
        ignore_unknown_eap_types = no
        md5 {
        }
        leap {
        }
        tls {
                private_key_password = izadisan
                private_key_file = /usr/local/openssl/ssl/certs/server/server.pem
                certificate_file = /usr/local/openssl/ssl/certs/server/server.pem
                CA_file = /usr/local/openssl/ssl/certs/ca/ca.pem
                dh_file = /usr/local/openssl/ssl/certs/dh
                random_file = /usr/local/openssl/ssl/certs/random
                fragment_size = 1024
                include_length = yes
        }
        ttls {
                default_eap_type = md5
                copy_request_to_tunnel = no
                use_tunneled_reply = no
        }
}

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
Re: Authorize and Authenticate with FILES: auth: Failed to validate the user
Sorry, and my authorize and authenticate modules in radiusd.conf are: authorize { preprocess # Read the 'users' file files } authenticate { Auth-Type PAP { pap } } José Luis SolanoSGI - Soluciones Globales Internet S.A.Delegación Regional Sur[EMAIL PROTECTED](+34) 954.088.060 - Original Message - From: José Luis Solano To: [EMAIL PROTECTED] Sent: Friday, February 20, 2004 12:15 PM Subject: Authorize and Authenticate with FILES: "auth: Failed to validate the user" Hi all!!! I have installed freeradius-snapshot-20040216 with redhat 9. I use AlfaAriss client under Windows XP, cisco pcmcia car on my laptop. I use FILES to authorize and authenticate, but TTLS don't run ok. any idea?? please help?? (Alan, Lionel, Jean-Paul, please) freeradius logs -- [EMAIL PROTECTED] raddb]# rad_recv: Access-Request packet from host 192.168.49.252:1225, id=41, length=140 User-Name = "anonymous" NAS-IP-Address = 192.168.49.252 NAS-Port = 0 Called-Station-Id = "00-80-C8-01-01-55" Calling-Station-Id = "00-0B-46-26-1C-44" NAS-Identifier = "DWL-1000AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201000e01616e6f6e796d6f7573 Message-Authenticator = 0xd46c99136b226ede9c334c88dfb2fa91modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "files" returns notfound for request 0modcall: group authorize returns ok for request 0auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the userauth: Failed to validate the user.Delaying request 0 for 1 secondsFinished request 0Going to the next request--- Walking the entire request list ---Waking up in 1 seconds...--- Walking the entire request list ---Waking up in 1 seconds...--- Walking the entire request list ---Sending Access-Reject of id 41 to 192.168.49.252:1225Waking up in 4 seconds...--- Walking the entire request list ---Cleaning up request 0 ID 41 with timestamp 4035e87fNothing to do. 
Sleeping until we see a request.

users file
-
sgisev  Auth-Type := Local, User-Password == "12345678"

DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP

radiusd.conf
-
eap {
    default_eap_type = tls
    timer_expire = 60
    ignore_unknown_eap_types = no
    md5 {
    }
    leap {
    }
    tls {
        private_key_password = izadisan
        private_key_file = /usr/local/openssl/ssl/certs/server/server.pem
        certificate_file = /usr/local/openssl/ssl/certs/server/server.pem
        CA_file = /usr/local/openssl/ssl/certs/ca/ca.pem
        dh_file = /usr/local/openssl/ssl/certs/dh
        random_file = /usr/local/openssl/ssl/certs/random
        fragment_size = 1024
        include_length = yes
    }
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
    }
}

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
EAP-PEAP Problems: module eap returns invalid for request 8 and auth: Failed to validate the user.
Hi all!!! I use: freeradius-snapshot-20040216, openssl 0.9.7c, a Cisco PCMCIA card and a D-Link access point, XP client. I would like to run PEAP but freeradius shows me the following error. Please, look at my authenticate and authorize modules!!! Any idea?? Thanks in advance!!!

freeradius logs
--
    S-IP-Address = 192.168.49.252
    NAS-Port = 0
    Called-Station-Id = "00-80-C8-01-01-55"
    Calling-Station-Id = "00-0B-46-26-1C-44"
    NAS-Identifier = "DWL-1000AP+"
    Framed-MTU = 1380
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020900261900170301001be0b3850e761cf6e20dd6e18da7a7615d2adb243b14f91f0c1df86a
    State = 0x112e15244708c595cec067388e416f35
    Message-Authenticator = 0x4f0281d0e0d358ca365c0b2ca66be681
modcall: entering group authorize for request 8
  modcall[authorize]: module "preprocess" returns ok for request 8
  modcall[authorize]: module "chap" returns noop for request 8
  rlm_eap: EAP packet type response id 9 length 38
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 8
    rlm_realm: No '@' in User-Name = "1119", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 8
    users: Matched DEFAULT at 154
  modcall[authorize]: module "files" returns ok for request 8
  modcall[authorize]: module "mschap" returns noop for request 8
modcall: group authorize returns updated for request 8
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 8
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Proceeding to decode tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap: Had sent TLV failure, rejecting.
  rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 8
modcall: group authenticate returns invalid for request 8
auth: Failed to validate the user.
Delaying request 8 for 1 seconds
Finished request 8
Going to the next request
Waking up in 6 seconds...

radiusd.conf
-
modules {
    #
    # Each module has a configuration as follows:
    #
    #   name [ instance ] {
    #       config_item = value
    #       ...
    #   }
    #
    # The 'name' is used to load the 'rlm_name' library
    # which implements the functionality of the module.
    #
    # The 'instance' is optional. To have two different instances
    # of a module, it first must be referred to by 'name'.
    # The different copies of the module are then created by
    # inventing two 'instance' names, e.g. 'instance1' and 'instance2'
    #
    # The instance names can then be used in later configuration
    # INSTEAD of the original 'name'. See the 'radutmp' configuration
    # below for an example.
    #

    # PAP module to authenticate users based on their stored password
    #
    # Supports multiple encryption schemes
    # clear: Clear text
    # crypt: Unix crypt
    #   md5: MD5 encryption
    #  sha1: SHA1 encryption.
    # DEFAULT: crypt
    pap {
        encryption_scheme = crypt
    }

    # CHAP module
    #
    # To authenticate requests containing a CHAP-Password attribute.
    #
    chap {
        authtype = CHAP
    }

    # Pluggable Authentication Modules
    #
    # For Linux, see:
    #   http://www.kernel.org/pub/linux/libs/pam/index.html
    #
    # WARNING: On many systems, the system PAM libraries have
    #          memory leaks! We STRONGLY SUGGEST that you do not
    #          use PAM for authentication, due to those memory leaks.
    #
    pam {
        #
        # The name to use for PAM authentication.
        # PAM looks in /etc/pam.d/${pam_auth_name}
        # for its configuration. See 'redhat/radiusd-pam'
        # for a sample PAM configuration file.
        #
        # Note that any Pam-Auth attribute set in the 'authorize'
        # section will over-ride this one.
        #
        pam_auth = radiusd
    }

    # Unix /etc/passwd style authentication
    #
    unix {
        #
        # Cache /etc/passwd, /etc/shadow, and /etc/group
        #
        # The default is to NOT cache them.
        #
        # For FreeBSD, you do NOT want to enable the cache,
        # as its password lookups are done via a database, so
        # set this value to 'no'.
        #
        # Some systems (e.g. RedHat Linux with pam_pwbd) can
        # take *seconds* to check a password, from a passwd
        # file containing 1000's of entries. For those systems,
        # you should set the cache value to 'yes', and set
        # the locations of the 'passwd', 'shadow', and 'group'
        # files, below.
        #
        # allowed values: {no, yes}
        cache = no

        # Reload the cache every 600 seconds (10mins). 0 to disable.
        cache_reload = 600

        #
        # Define the locations of the normal passwd, shadow, and
        # group files.
        #
        # 'shadow' is commented out by default, because not all
        # systems have shadow passwords.
        #
        # To force the module to use the system password functions,
        # instead of reading the files, leave the following entries
        # commented out.
        #
        # This is required for
Problems!!!!!!!!!!!!!!!!!!! (again)
Good morning! I have installed FreeRADIUS 0.9.3 with Red Hat 9 and openssl 0.9.7c. TLS runs OK, but when I try to insert the TTLS or PEAP modules in radiusd.conf I get the following error when I try to run freeradius:

...
Module: Loaded eap
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
rlm_eap: Loaded and initialized the type leap
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/usr/local/openssl/ssl/certs/server/server.pem"
 tls: certificate_file = "/usr/local/openssl/ssl/certs/server/server.pem"
 tls: CA_file = "/usr/local/openssl/ssl/certs/ca/ca.pem"
 tls: private_key_password = "izadisan"
 tls: dh_file = "/usr/local/openssl/ssl/certs/dh"
 tls: random_file = "/usr/local/openssl/ssl/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
rlm_eap_tls: conf N ctx stored
rlm_eap: Loaded and initialized the type tls
rlm_eap: Failed to link EAP-Type/ttls: file not found
radiusd.conf[600]: eap: Module instantiation failed.
=
---

So, I'm going to change my configuration. Lionel, could you tell me your configuration please, and where can I find the versions you are using? Thanks in advance!

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
Re: Problems!!!!!!!!!!!!!!!!!!! (again)
Hi, Jean-Paul, good morning!!! Yes, I think so!!! But could you review my radiusd.conf, please? Some variables have other values and ignore_unknown_eap_types = no does not exist in my radiusd.conf.

Note: For your configuration, perhaps you are using the XSupplicant client under Linux, is it correct?

Thanks JP!!! ;)

---
eap {
    default_eap_type = tls
    timer_expire = 60
    md5 {
    }
    leap {
    }
    tls {
        private_key_password = XX
        private_key_file = /usr/local/openssl/ssl/certs/server/server.pem
        certificate_file = /usr/local/openssl/ssl/certs/server/server.pem
        CA_file = /usr/local/openssl/ssl/certs/ca/ca.pem
        dh_file = /usr/local/openssl/ssl/certs/dh
        random_file = /usr/local/openssl/ssl/certs/random
        fragment_size = 1024
        include_length = yes
    }
    ttls {
        default_eap_type = tls
        use_tunneled_reply = no
    }
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
    }
}

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

----- Original Message -----
From: Jean-Paul Chapalain [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 17, 2004 9:46 AM
Subject: Re: Problems!!! (again)

Hi José,

Check if the modules section in radiusd.conf looks like this:

modules {
    eap {
        default_eap_type = tls
        timer_expire = 60
        ignore_unknown_eap_types = no
        md5 {
        }
        leap {
        }
        tls {
            private_key_password = deleted
            private_key_file = /etc/1x/server.gicm.net.pem
            certificate_file = /etc/1x/server.gicm.net.pem
            CA_file = /etc/1x/root.pem
            dh_file = /etc/1x/DH
            random_file = /etc/1x/random
            fragment_size = 1024
            include_length = yes
        }
        ttls {
            default_eap_type = md5
            copy_request_to_tunnel = no
            use_tunneled_reply = no
        }
        peap {
            default_eap_type = mschapv2
        }
        mschapv2 {
        }
    }
}

Regards,
Jean-Paul.

José Luis Solano wrote:

Good morning! I have installed FreeRADIUS 0.9.3 with Red Hat 9 and openssl 0.9.7c. TLS runs OK, but when I try to insert the TTLS or PEAP modules in radiusd.conf I get the following error when I try to run freeradius:
...
Module: Loaded eap
 eap: default_eap_type = tls
 eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
rlm_eap: Loaded and initialized the type leap
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /usr/local/openssl/ssl/certs/server/server.pem
 tls: certificate_file = /usr/local/openssl/ssl/certs/server/server.pem
 tls: CA_file = /usr/local/openssl/ssl/certs/ca/ca.pem
 tls: private_key_password = izadisan
 tls: dh_file = /usr/local/openssl/ssl/certs/dh
 tls: random_file = /usr/local/openssl/ssl/certs/random
 tls: fragment_size = 1024
 tls: include_length = yes
rlm_eap_tls: conf N ctx stored
rlm_eap: Loaded and initialized the type tls
rlm_eap: Failed to link EAP-Type/ttls: file not found
radiusd.conf[600]: eap: Module instantiation failed.
=
---

So, I'm going to change my configuration. Lionel, could you tell me your configuration please, and where can I find the versions you are using? Thanks in advance!

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
(+34) 954.088.060

--
-- Jean-Paul Chapalain - GICM - Head of Networks and Infrastructure
-- 32 rue Mirabeau - Le Relecq-Kerhuon - 29808 Brest Cedex 9, FRANCE
-- Tel +33298002873 - Fax +33298284005 - [EMAIL PROTECTED]
-- Key Fingerprint: 192C 1CFE F24A 050D F280 A086 AF15 8631 3ABB 4C7D

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: LDAP-authentication fails due to empty supplied password
Hi Tero, I send you my LDAP configuration. Good luck.

Note: MYIP = localhost if the LDAP is on the same PC.

ldap {
    server = MYIP
    identity = cn=Manager,dc=sgi,dc=es
    password = MYPASS
    basedn = ou=Wireless,dc=sgi,dc=es
    #filter = (uid=%{Stripped-User-Name:-%{User-Name}})
    filter = (uid=%u)

    # set this to 'yes' to use TLS encrypted connections
    # to the LDAP database by using the StartTLS extended
    # operation.
    # The StartTLS operation is supposed to be used with normal
    # ldap connections instead of using ldaps (port 636) connections
    start_tls = no
    tls_mode = no

    # default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
    # profile_attribute = radiusProfileDn
    #access_attr = dialupAccess

    # Mapping of RADIUS dictionary attributes to LDAP
    # directory attributes.
    dictionary_mapping = ${raddbdir}/ldap.attrmap

    ldap_connections_number = 5
    # password_header = {clear}
    # password_attribute = userPassword
    # groupname_attribute = cn
    # groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
    # groupmembership_attribute = radiusGroupName
    timeout = 4
    timelimit = 3
    net_timeout = 1
    # compare_check_items = yes
    # access_attr_used_for_allow = yes
}

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

----- Original Message -----
From: Tero Ripattila [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 17, 2004 10:59 AM
Subject: LDAP-authentication fails due to empty supplied password

Hello All,

For some reason the password I supply to my test login foo gets passed as empty [1] and I cannot understand why. I am running freeradius-0.9.3 on OpenBSD 3.4-stable.
I built my FR by entering the following build statements:

$ ./configure --enable-shared=no --without-rlm_krb5 --localstatedir=/var --sysconfdir=/etc
$ gmake && gmake install

Here's the login information:

$ userinfo foo
login   foo
passwd  *
uid     2
groups  users
change  NEVER
class   radius
gecos   FreeRadius test user
dir     /home/foo
shell   /usr/local/bin/bash
expire  NEVER

$ cat foo-people-example-tld.ldif
version: 1

# Entry 1: uid=foo,ou=People,dc=example,dc=tld
dn: uid=foo,ou=People,dc=example,dc=tld
uid: foo
cn: Test
sn: User
uidNumber: 2
homeDirectory: /home/foo
shadowMin: -1
shadowMax: 99
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: PureFTPdUser
gidNumber: 2
loginShell: /usr/local/bin/bash
userPassword: {CRYPT}iQpBkPrd9Egzg
FTPStatus: disabled

Here's information about my login class:

$ cat /etc/login.conf
radius:\
        :requirehome@:\
        :auth=radius:\
        :radius-server=192.168.0.11:\
        :radius-timeout=1:\
        :radius-retries=5:

See my attached radius_log for more detailed information about the login process.

See lines 25 and 26: user and group are resolved as empty. I think there should be root.wheel, because I launched the daemon as root.

See lines 156-158: /etc/shadow, /etc/group and /etc/passwd - or should I say master.passwd - are not resolved correctly. Perhaps I should define them in the .conf file.

Greetings,
Tero

[1] rlm_ldap: empty password supplied

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
AlfaAriss Client Heeeeeeeeeeeeelp!!!!!!!
Hi all!!! I have installed freeradius-snapshot-20040216 with Red Hat 9. I use the AlfaAriss client under Windows XP, with a Cisco PCMCIA card on my laptop. When the AlfaAriss client asks me for user, password and domain I write my user and password, but I don't know exactly what my domain is. I think there are two possible reasons for this error:

1.- Write the correct domain.
2.- My radiusd.conf is not correct.

Help please!!! My freeradius logs and radiusd.conf are:

My freeradius error is:
---
rad_recv: Access-Request packet from host XXX.XXX.XXX.252:1229, id=90, length=146
    User-Name = "001122334455"
    NAS-IP-Address = XXX.XXX.XXX.252
    NAS-Port = 0
    Called-Station-Id = "00-80-C8-01-01-55"
    Calling-Station-Id = "00-0B-46-26-1B-E2"
    NAS-Identifier = "DWL-1000AP+"
    Framed-MTU = 1380
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020100110130303131323234343535
    Message-Authenticator = 0xb2dfd83cf36fc223a2a5326d6b528259
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 001122334455
radius_xlat:  '(uid=001122334455)'
radius_xlat:  'ou=Wireless,dc=sgi,dc=es'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Wireless,dc=sgi,dc=es, with filter (uid=001122334455)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusExpiration as Expiration, value 08 op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value EAP op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user 001122334455 authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 2
modcall: group authorize returns ok for request 2
auth: Failed to validate the user.
=
--
radiusd.conf
--
...
eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    md5 {
    }
    leap {
    }
    tls {
        private_key_password = izadisan
        private_key_file = /usr/local/openssl/ssl/certs/server/server.pem
        certificate_file = /usr/local/openssl/ssl/certs/server/server.pem
        CA_file = /usr/local/openssl/ssl/certs/ca/ca.pem
        dh_file = /usr/local/openssl/ssl/certs/dh
        random_file = /usr/local/openssl/ssl/certs/random
        fragment_size = 1024
        include_length = yes
    }
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
    }
    mschapv2 {
    }
}
...
ldap {
    server = 192.168.49.222
    identity = "cn=Manager,dc=sgi,dc=es"
    password = izadisan
    basedn = "ou=Wireless,dc=sgi,dc=es"
    filter = "(uid=%u)"
    start_tls = no
    tls_mode = no
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
}

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
Re: PEAP/LDAP
Hi Lionel, I have your radiusd.conf file (thanks!!). But I have a simple question: if I have TLS and TTLS in my radiusd.conf, which eap-type will freeradius use, TLS or TTLS? Is it the client who decides the eap-type? Thanks in advance!!!

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

----- Original Message -----
From: Lionel Gavage [EMAIL PROTECTED]
To: freeradius-users [EMAIL PROTECTED]
Sent: Monday, February 16, 2004 9:02 AM
Subject: PEAP/LDAP

Hi,

I have some problems with PEAP/LDAP (and TTLS/LDAP). When I use LDAP only with a local authentication I don't have a problem. Likewise with the PEAP module without LDAP. But with these two modules the user is validated at the level of the LDAP server but the 802.1x authentication fails! I don't have a user entry in the users file.

Thanks.

Lionel Gavage

Extract of radius.conf:

authorize {
    preprocess
    chap
    mschap
    suffix
    eap
    files
    ldap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    unix
    eap
    Auth-Type LDAP {
        ldap
    }
}

Extract of log:

rad_recv: Access-Request packet from host 139.165.212.248:21645, id=234, length=172
    User-Name = u190336
    Framed-MTU = 1400
    Called-Station-Id = 000c.304f.75da
    Calling-Station-Id = 000c.3052.9812
    Message-Authenticator = 0xc7f68224c50a922844d275cfcbdb5853
    EAP-Message = 0x020b002b1900170301002098ab17170a67942473547a6c29b7c9fbca9c855e8117506214a192b989347f11
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 322
    State = 0xfc69a5223e55955e5e876a12c9561f84
    Service-Type = Framed-User
    NAS-IP-Address = 139.165.212.248
modcall: entering group authorize for request 11
  modcall[authorize]: module preprocess returns ok for request 11
  modcall[authorize]: module chap returns noop for request 11
  modcall[authorize]: module mschap returns noop for request 11
    rlm_realm: No '@' in User-Name = u190336, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 11
  rlm_eap: EAP packet type response id 11 length 43
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 11
    users: Matched DEFAULT at 154
    users: Matched DEFAULT at 173
  modcall[authorize]: module files returns ok for request 11
rlm_ldap: - authorize
rlm_ldap: performing user authorization for u190336
radius_xlat:  '(uid=u190336)'
radius_xlat:  'dc=ulg,dc=ac,dc=be'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ulg,dc=ac,dc=be, with filter (uid=u190336)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user u190336 authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 11
modcall: group authorize returns updated for request 11
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate for request 11
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Proceeding to decode tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap: Had sent TLV failure, rejecting.
  rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module eap returns invalid for request 11
modcall: group authenticate returns invalid for request 11
auth: Failed to validate the user.
Delaying request 11 for 1 seconds
Finished request 11
Going to the next request
Waking up in 5 seconds...

Lionel Gavage
Network Engineer (SeGI/ULg)
Email: [EMAIL PROTECTED]
Tél: +32-4-3664845
Fax: +32-4-3662920
Bat. B26 SeGI

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
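The EAP-Message values quoted in these threads can be decoded by hand, and doing so explains two of the log lines above. The FILES-only request carries an EAP Identity response; with no eap module in that authorize section nothing sets Auth-Type, which is what "No authenticate method (Auth-Type) configuration found" reports. The PEAP requests that rlm_eap logs as "type response id 9 length 38" and "id 11 length 43" are PEAP (type 25) packets wrapping a TLS 1.0 application-data record, so the TLS tunnel is already up when the TLV failure is sent. The decoder below is an added example, not FreeRADIUS code and not something the posters ran; it parses the four-byte EAP header, the type byte, the flags byte of the TLS-based types (TLS 13, TTLS 21, PEAP 25) and the TLS record header behind it, following the RFC 3748 layout. The sample strings are copied from the posts. Its length check is the part to note: the Identity response as printed in the AlfaAriss post declares 17 bytes but carries 15, so the hex on the page cannot be the whole packet, and a receiver must not interpret the type or data fields of such a packet.

```python
"""Decode EAP-Message attribute values as printed by 'radiusd -X'.

Added example for this thread; not FreeRADIUS code. The hex strings below are
copied from the posts above; the field layout follows RFC 3748 (EAP) and the
EAP-TLS/TTLS/PEAP flags byte (L, M, S bits plus a version field).
"""
import struct

EAP_CODES = {1: "request", 2: "response", 3: "success", 4: "failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "TLS", 17: "LEAP", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}
TLS_BASED = {13, 21, 25}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def decode_eap_message(hexstr):
    """Parse one EAP packet given as the '0x...' string from the log.

    Whitespace is ignored because list archives wrap long attribute lines.
    Returns a dict; 'ok' is False when the packet cannot be trusted.
    """
    s = "".join(hexstr.split())
    if s.lower().startswith("0x"):
        s = s[2:]
    raw = bytes.fromhex(s)
    if len(raw) < 4:
        return {"ok": False, "error": "shorter than the 4-byte EAP header"}
    code, ident, length = struct.unpack("!BBH", raw[:4])
    info = {"ok": True, "code": EAP_CODES.get(code, code), "id": ident, "length": length}
    # The length field covers the whole packet; a mismatch means truncation or
    # trailing junk, and the type/data fields must not be interpreted.
    if length != len(raw):
        info["ok"] = False
        info["error"] = f"declared length {length} but {len(raw)} bytes present"
        return info
    if code in (3, 4):  # Success/Failure carry no type byte
        return info
    if length < 5:
        info["ok"] = False
        info["error"] = "request/response without a type byte"
        return info
    etype = raw[4]
    data = raw[5:]
    info["type"] = EAP_TYPES.get(etype, etype)
    if etype == 1:
        info["identity"] = data.decode("ascii", errors="replace")
    elif etype == 3:
        # Legacy Nak: one byte per EAP type the peer would accept instead
        info["desired_types"] = [EAP_TYPES.get(t, t) for t in data]
    elif etype in TLS_BASED and data:
        flags = data[0]
        info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                         "S": bool(flags & 0x20), "version": flags & 0x07}
        tls = data[1:]
        if info["flags"]["L"]:
            if len(tls) < 4:
                info["ok"] = False
                info["error"] = "L flag set but no TLS message length"
                return info
            info["tls_message_length"] = struct.unpack("!I", tls[:4])[0]
            tls = tls[4:]
        if len(tls) >= 5:
            ctype, ver, rlen = struct.unpack("!BHH", tls[:5])
            info["tls_record"] = {"content_type": TLS_CONTENT.get(ctype, ctype),
                                  "version": TLS_VERSIONS.get(ver, hex(ver)),
                                  "length": rlen,
                                  "complete": len(tls) - 5 == rlen}
    return info


def rlm_eap_line(info):
    """Render the summary rlm_eap prints, e.g. 'EAP packet type response id 9 length 38'."""
    return f"EAP packet type {info['code']} id {info['id']} length {info['length']}"


# Values copied from the debug output quoted in the posts above.
SAMPLES = {
    "FILES thread, Identity": "0x0201000e01616e6f6e796d6f7573",
    "PEAP thread, request 8": "0x020900261900170301001be0b3850e761cf6e20dd6e18da7a7615d2adb243b14f91f0c1df86a",
    "PEAP/LDAP thread, request 11": "0x020b002b1900170301002098ab17170a67942473547a6c29b7c9fbca9c855e8117506214a192b989347f11",
    "AlfaAriss thread, Identity": "0x020100110130303131323234343535",
}

if __name__ == "__main__":
    for name, hexstr in SAMPLES.items():
        info = decode_eap_message(hexstr)
        print(name, "->", rlm_eap_line(info) if "id" in info else info["error"])
        print("   ", info)
```

Run it as is and compare the printed summary lines with the "rlm_eap: EAP packet type ..." lines in the logs; the two PEAP packets decode to 27- and 32-byte application-data records with the L, M and S flags clear, i.e. unfragmented post-handshake traffic, while the AlfaAriss Identity packet is reported as untrustworthy because of the length mismatch.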
TTLS and TLS (EAP-TYPES)
Hi Lionel, I have your radiusd.conf file (thanks!!). But I have a simple question: if I have TLS and TTLS in my radiusd.conf, which eap-type will freeradius use, TLS or TTLS? Is it the client who decides the eap-type? Thanks in advance!!!

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: TTLS and TLS (EAP-TYPES)
Do you know if the Windows XP client has TTLS authentication? Where is the option? If the Windows XP client does not have TTLS, then do you know of another client? Thanks a lot!!

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

----- Original Message -----
From: Lionel Gavage [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, February 16, 2004 1:37 PM
Subject: RE: TTLS and TLS (EAP-TYPES)

Yes, at the level of the client configuration.

Lionel Gavage

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of José Luis Solano
Sent: Monday, February 16, 2004 1:14 PM
To: [EMAIL PROTECTED]
Subject: TTLS and TLS (EAP-TYPES)

Hi Lionel, I have your radiusd.conf file (thanks!!). But I have a simple question: if I have TLS and TTLS in my radiusd.conf, which eap-type will freeradius use, TLS or TTLS? Is it the client who decides the eap-type? Thanks in advance!!!

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: TTLS and TLS (EAP-TYPES)
Thanks a lot Lionel!

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

----- Original Message -----
From: Lionel Gavage [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, February 16, 2004 2:04 PM
Subject: RE: TTLS and TLS (EAP-TYPES)

Hi José,

No, the Windows XP client doesn't have a TTLS option. The Windows XP client supports PEAP, on the other hand. You can use SecureW2 (http://www.alfa-ariss.com/)

Lionel Gavage

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of José Luis Solano
Sent: Monday, February 16, 2004 2:04 PM
To: [EMAIL PROTECTED]
Subject: Re: TTLS and TLS (EAP-TYPES)

Do you know if the Windows XP client has TTLS authentication? Where is the option? If the Windows XP client does not have TTLS, then do you know of another client? Thanks a lot!!

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

----- Original Message -----
From: Lionel Gavage [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, February 16, 2004 1:37 PM
Subject: RE: TTLS and TLS (EAP-TYPES)

Yes, at the level of the client configuration.

Lionel Gavage

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of José Luis Solano
Sent: Monday, February 16, 2004 1:14 PM
To: [EMAIL PROTECTED]
Subject: TTLS and TLS (EAP-TYPES)

Hi Lionel, I have your radiusd.conf file (thanks!!). But I have a simple question: if I have TLS and TTLS in my radiusd.conf, which eap-type will freeradius use, TLS or TTLS? Is it the client who decides the eap-type? Thanks in advance!!!

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
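Lionel's answer (the client decides) in working form. This is an added model of the EAP method negotiation between rlm_eap and a supplicant, not FreeRADIUS code: after the Identity exchange the server proposes its configured default_eap_type (tls in José's radiusd.conf), a supplicant that does not do that method answers with an EAP Nak (type 3) whose data lists the methods it will accept, and the server switches to the first of those for which it has a sub-section (tls { }, ttls { }, peap { } ...) or sends a Failure when there is none. The Supplicant class, the negotiate function and the two sample configurations are constructed for the example; the packet layout is RFC 3748's. Against José's tls + ttls configuration a peer offering only PEAP is rejected, which is why either a peap { } sub-section (as in Jean-Paul's config earlier) or a TTLS-capable client such as the SecureW2 one Lionel names is needed.

```python
"""Model of how the EAP method is chosen between a RADIUS server and a supplicant.

Added example; not FreeRADIUS code. Packet layout follows RFC 3748: the server
first proposes its default method, the peer either answers in that method or
sends a Nak (type 3) whose data bytes list the methods it will accept.
"""

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_NAK, EAP_MD5, EAP_TLS, EAP_TTLS, EAP_PEAP, EAP_MSCHAPV2 = 3, 4, 13, 21, 25, 26
NAMES = {EAP_MD5: "md5", EAP_TLS: "tls", EAP_TTLS: "ttls", EAP_PEAP: "peap", EAP_MSCHAPV2: "mschapv2"}
BY_NAME = {v: k for k, v in NAMES.items()}


def build_eap(code, ident, etype, data=b""):
    """Code(1) Id(1) Length(2) Type(1) Type-Data; Length covers the whole packet."""
    body = bytes([etype]) + data
    return bytes([code, ident]) + (4 + len(body)).to_bytes(2, "big") + body


class Supplicant:
    """A constructed peer that supports the given methods, in order of preference."""

    def __init__(self, supported):
        self.supported = [BY_NAME[m] for m in supported]

    def answer(self, request):
        etype = request[4]
        if etype in self.supported:
            # Start the method. For the TLS-based types this would carry the
            # first ClientHello fragment; a bare type byte stands in here.
            return build_eap(EAP_RESPONSE, request[1], etype)
        # Legacy Nak (RFC 3748 5.3.1): one byte per acceptable method type.
        return build_eap(EAP_RESPONSE, request[1], EAP_NAK, bytes(self.supported))


def negotiate(eap_section, supplicant):
    """Pick the method the way the eap { } section's settings drive it.

    eap_section: {"default_eap_type": "tls", "types": {"tls", "ttls", ...}}
    where "types" are the sub-sections present (tls { }, ttls { }, ...).
    Returns (chosen method name or None, transcript of the exchange).
    """
    default = eap_section["default_eap_type"]
    configured = {BY_NAME[t] for t in eap_section["types"]}
    if BY_NAME[default] not in configured:
        raise ValueError(f"default_eap_type = {default} has no {default} {{ }} sub-section")
    transcript = []
    ident = 1
    request = build_eap(EAP_REQUEST, ident, BY_NAME[default])
    transcript.append(f"server -> Request  id={ident} type={default}")
    response = supplicant.answer(request)
    etype = response[4]
    if etype != EAP_NAK:
        transcript.append(f"client -> Response id={ident} type={NAMES[etype]}")
        return NAMES[etype], transcript
    wanted = list(response[5:])
    transcript.append(f"client -> Response id={ident} type=Nak wants={[NAMES.get(t, t) for t in wanted]}")
    for t in wanted:
        if t in configured:
            ident += 1
            transcript.append(f"server -> Request  id={ident} type={NAMES[t]}")
            return NAMES[t], transcript
    transcript.append("server -> Failure (no common EAP method)")
    return None, transcript


# Constructed: José's eap { } section (md5, tls and ttls sub-sections,
# default_eap_type = tls) and two supplicants with a single method each.
JOSE_EAP = {"default_eap_type": "tls", "types": {"md5", "tls", "ttls"}}
TTLS_ONLY = Supplicant(["ttls"])
PEAP_ONLY = Supplicant(["peap"])

if __name__ == "__main__":
    for sup in (Supplicant(["tls"]), TTLS_ONLY, PEAP_ONLY):
        chosen, lines = negotiate(JOSE_EAP, sup)
        print("\n".join(lines), "\n=> method:", chosen, "\n")
```

The transcript printed for the TTLS-only peer is the exchange José asked about: tls is offered first because it is the default, the Nak carries 0x15 (21, TTLS), and the server re-requests with TTLS because a ttls { } sub-section exists.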
Problem with remote LDAP
Dear all!!

My old configuration was (2 different PCs):
IP Client: XXX.XXX.XXX.205
IP Freeradius and LDAP: XXX.XXX.XXX.222

With this configuration, my system runs OK!!

My current configuration is (3 different PCs):
IP Client: XXX.XXX.XXX.205
IP Freeradius: XXX.XXX.XXX.206
IP LDAP: XXX.XXX.XXX.222

When I change the freeradius I can't access my LDAP. (I have changed the freeradius server IP in my access point too!!!)

freeradius logs
-
    S-IP-Address = 192.168.49.252
    NAS-Port = 0
    Called-Station-Id = "00-80-C8-01-01-55"
    Calling-Station-Id = "00-0B-46-26-1B-E2"
    NAS-Identifier = "DWL-1000AP+"
    Framed-MTU = 1380
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020100110130303131323234343535
    Message-Authenticator = 0x3ff37aad8c3b000bbb078cef515b3a4a
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 001122334455
radius_xlat:  '(uid=001122334455)'
radius_xlat:  'ou=Wireless,dc=sgi,dc=es'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to XXX.XXX.XXX.222:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=sgi,dc=es/izadisan to 192.168.49.222:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in ou=Wireless,dc=sgi,dc=es, with filter (uid=001122334455)
rlm_ldap: no dialupAccess attribute - access denied by default    <==
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns userlock for request 0
modcall: group authorize returns userlock for request 0
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
my radiusd.conf

ldap {
    server = XXX.XXX.XXX.222
    identity = "cn=Manager,dc=sgi,dc=es"
    password = izadisan
    basedn = "ou=Wireless,dc=sgi,dc=es"
    filter = "(uid=%u)"
    start_tls = no
    tls_mode = no
    access_attr = "dialupAccess"
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
}

Any idea?? Thanks in advance!

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
Fw: Problem with remote LDAP
Thanks again Lionel ;) !!!

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

----- Original Message -----
From: Lionel Gavage
To: [EMAIL PROTECTED]
Sent: Monday, February 16, 2004 7:38 PM
Subject: RE: Problem with remote LDAP

Hi,

Remove the "access_attr = "dialupAccess"" parameter in the LDAP config (comment it out). And retest.

Lionel Gavage.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of José Luis Solano
Sent: Monday, February 16, 2004 7:32 PM
To: [EMAIL PROTECTED]
Subject: Problem with remote LDAP

Dear all!!

My old configuration was (2 different PCs):
IP Client: XXX.XXX.XXX.205
IP Freeradius and LDAP: XXX.XXX.XXX.222

With this configuration, my system runs OK!!

My current configuration is (3 different PCs):
IP Client: XXX.XXX.XXX.205
IP Freeradius: XXX.XXX.XXX.206
IP LDAP: XXX.XXX.XXX.222

When I change the freeradius I can't access my LDAP. (I have changed the freeradius server IP in my access point too!!!)

freeradius logs
-
    S-IP-Address = 192.168.49.252
    NAS-Port = 0
    Called-Station-Id = "00-80-C8-01-01-55"
    Calling-Station-Id = "00-0B-46-26-1B-E2"
    NAS-Identifier = "DWL-1000AP+"
    Framed-MTU = 1380
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020100110130303131323234343535
    Message-Authenticator = 0x3ff37aad8c3b000bbb078cef515b3a4a
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 001122334455
radius_xlat:  '(uid=001122334455)'
radius_xlat:  'ou=Wireless,dc=sgi,dc=es'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to XXX.XXX.XXX.222:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=sgi,dc=es/izadisan to 192.168.49.222:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in ou=Wireless,dc=sgi,dc=es, with filter (uid=001122334455)
rlm_ldap: no dialupAccess attribute - access denied by default    <==
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns userlock for request 0
modcall: group authorize returns userlock for request 0
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...

my radiusd.conf

ldap {
    server = XXX.XXX.XXX.222
    identity = "cn=Manager,dc=sgi,dc=es"
    password = izadisan
    basedn = "ou=Wireless,dc=sgi,dc=es"
    filter = "(uid=%u)"
    start_tls = no
    tls_mode = no
    access_attr = "dialupAccess"
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
}

Any idea?? Thanks in advance!

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
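The log line "no dialupAccess attribute - access denied by default" is rlm_ldap doing exactly what access_attr asks, and Lionel's fix makes the check disappear rather than satisfying it. The following is an added model of that decision, written from the module's access_attr and access_attr_used_for_allow settings and the debug messages quoted in this thread, not rlm_ldap's own code; the case-sensitive comparison against the literal FALSE is an assumption about the module. The directory entries are constructed: the first mirrors what the AlfaAriss-thread log shows for uid 001122334455 (radiusAuthType, radiusExpiration, no dialupAccess), and dialupAccess is the per-user flag from the LDAP schema FreeRADIUS ships. The point it makes: commenting out access_attr authorizes every entry the filter finds, including one explicitly marked dialupAccess: FALSE, whereas keeping the setting and adding dialupAccess: TRUE to the entries that should connect preserves the per-user gate.

```python
"""Model of rlm_ldap's access_attr decision during authorize.

Added example; not rlm_ldap code. The rule is reconstructed from the module's
settings and the debug lines quoted in this thread: with access_attr set and
access_attr_used_for_allow = yes (the default), an entry is authorized only if
it carries the attribute with a value other than FALSE; with
access_attr_used_for_allow = no the attribute's presence means deny.
The case-sensitive FALSE comparison is an assumption about the module.
"""

OK, USERLOCK = "ok", "userlock"


def ldap_authorize(entry, access_attr=None, access_attr_used_for_allow=True):
    """Return (module return code, debug message) for one entry found by the filter.

    entry: attribute name -> list of values, as returned by an LDAP search.
    """
    if access_attr is None:
        # No gate configured: finding the entry is enough (Lionel's suggestion).
        return OK, "user authorized to use remote access"
    values = entry.get(access_attr, [])
    if access_attr_used_for_allow:
        if not values:
            return USERLOCK, f"no {access_attr} attribute - access denied by default"
        if values[0].startswith("FALSE"):
            return USERLOCK, "dialup access disabled"
        return OK, "user authorized to use remote access"
    # Inverted polarity: the attribute marks users who must NOT get access.
    if values:
        return USERLOCK, f"{access_attr} attribute exists - access denied by default"
    return OK, "user authorized to use remote access"


# Constructed entries under ou=Wireless,dc=sgi,dc=es. The first mirrors what the
# AlfaAriss-thread log shows for uid 001122334455 (no dialupAccess at all).
ENTRIES = {
    "uid=001122334455,ou=Wireless,dc=sgi,dc=es": {
        "uid": ["001122334455"], "radiusAuthType": ["EAP"], "radiusExpiration": ["08"]},
    "uid=enabled,ou=Wireless,dc=sgi,dc=es": {
        "uid": ["enabled"], "radiusAuthType": ["EAP"], "dialupAccess": ["TRUE"]},
    "uid=disabled,ou=Wireless,dc=sgi,dc=es": {
        "uid": ["disabled"], "radiusAuthType": ["EAP"], "dialupAccess": ["FALSE"]},
}


def decisions(access_attr, access_attr_used_for_allow=True):
    """Run every constructed entry through the check under one ldap { } setting."""
    return {dn: ldap_authorize(e, access_attr, access_attr_used_for_allow)[0]
            for dn, e in ENTRIES.items()}


if __name__ == "__main__":
    print('access_attr = "dialupAccess"  ->', decisions("dialupAccess"))
    print("access_attr commented out     ->", decisions(None))
```

With access_attr kept, the entry from the log is locked out until it gains dialupAccess: TRUE, and the FALSE entry stays locked; with the setting removed all three are authorized, so a user someone deliberately disabled in the directory gets onto the wireless network again.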
EAP-TTLS
Hi all!! I'm going to use TTLS with my FreeRADIUS 0.8.1. I have used TLS already and it runs OK, but now I need TTLS too. Currently my code in radiusd.conf is:

--
# Extensible Authentication Protocol
#
# For all EAP related authentications
eap {
    # Invoke the default supported EAP type when
    # EAP-Identity response is received
    default_eap_type = tls

    # Default expiry time to clean the EAP list,
    # It is maintained to co-relate the
    # EAP-response for each EAP-request sent.
    timer_expire = 60

    # Supported EAP-types
    #md5 {
    #}

    ## EAP-TLS is highly experimental EAP-Type at the moment.
    # Please give feedback on the mailing list.
    tls {
        private_key_password = izadisan
        private_key_file = /usr/local/openssl/ssl/certs/server/server.pem

        # If Private key & Certificate are located in the
        # same file, then private_key_file & certificate_file
        # must contain the same file name.
        certificate_file = /usr/local/openssl/ssl/certs/server/server.pem

        # Trusted Root CA list
        CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt

        dh_file = /usr/local/openssl/ssl/certs/dh
        random_file = /usr/local/openssl/ssl/certs/random

        #
        # This can never exceed MAX_RADIUS_LEN (4096)
        # preferably half the MAX_RADIUS_LEN, to
        # accomodate other attributes in RADIUS packet.
        # On most APs the MAX packet length is configured
        # between 1500 - 1600. In these cases, fragment
        # size should be <= 1024.
        #
        fragment_size = 600

        # include_length is a flag which is by default set to yes
        # If set to yes, Total Length of the message is included
        # in EVERY packet we send.
        # If set to no, Total Length of the message is included
        # ONLY in the First packet of a fragment series.
        #
        include_length = yes
    }
}
-

What changes do I need if I want authentication with TLS AND TTLS? Could anybody help me please??? Thanks a lot in advance!!

---
A little question: Does anybody use the XSupplicant client with TLS and TTLS?

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
To Alan Dekok: EAP-TTLS
Hi Alan!! I don't know you, but I know you have been on this list for a long time, so I think you can help me!! I'm going to use TTLS with my freeRadius 0.8.1. I have used TLS already and it runs ok, but now I need TTLS too. Currently my code in radius.conf is:

--

    # Extensible Authentication Protocol
    #
    # For all EAP related authentications
    eap {
        # Invoke the default supported EAP type when
        # EAP-Identity response is received
        default_eap_type = tls

        # Default expiry time to clean the EAP list,
        # It is maintained to co-relate the
        # EAP-response for each EAP-request sent.
        timer_expire = 60

        # Supported EAP-types
        #md5 {
        #}

        ## EAP-TLS is highly experimental EAP-Type at the moment.
        # Please give feedback on the mailing list.
        tls {
            private_key_password = izadisan
            private_key_file = /usr/local/openssl/ssl/certs/server/server.pem

            # If Private key & Certificate are located in the
            # same file, then private_key_file & certificate_file
            # must contain the same file name.
            certificate_file = /usr/local/openssl/ssl/certs/server/server.pem

            # Trusted Root CA list
            CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt

            dh_file = /usr/local/openssl/ssl/certs/dh
            random_file = /usr/local/openssl/ssl/certs/random

            #
            # This can never exceed MAX_RADIUS_LEN (4096)
            # preferably half the MAX_RADIUS_LEN, to
            # accommodate other attributes in RADIUS packet.
            # On most APs the MAX packet length is configured
            # between 1500 - 1600. In these cases, fragment
            # size should be <= 1024.
            #
            fragment_size = 600

            # include_length is a flag which is by default set to yes
            # If set to yes, Total Length of the message is included
            # in EVERY packet we send.
            # If set to no, Total Length of the message is included
            # ONLY in the First packet of a fragment series.
            #
            include_length = yes
        }
    }

-

What changes do I need if I want authentication with TLS AND TTLS? Could anybody help me please??? Thanks a lot in advance!!

---

A little question: does anybody use the XSupplicant client with TLS and TTLS?

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
Re: Freeradius PEAP Problems
Sorry Lionel!!! Another question. I have changed my radiusd.conf and I have activated the TTLS module. But now there are two modules activated; is it a problem?

    eap {
        default_eap_type = tls   !!
        timer_expire = 60
        #md5 {
        #}
        tls {
            private_key_password = izadisan
            private_key_file = /usr/local/openssl/ssl/certs/server/server.pem
            certificate_file = /usr/local/openssl/ssl/certs/server/server.pem
            CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt
            dh_file = /usr/local/openssl/ssl/certs/dh
            random_file = /usr/local/openssl/ssl/certs/random
            fragment_size = 600
            include_length = yes
        }
        ttls {
            default_eap_type = md5   !
            use_tunneled_reply = no
        }
    }

Is it correct? My freeRADIUS is 0.8.1; does TTLS run with this version? For default_eap_type, is md5 the only possible value? Thanks again Lionel

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

- Original Message -
From: Lionel Gavage [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, February 09, 2004 4:59 PM
Subject: RE: Freeradius PEAP Problems

Activated the TTLS module:

    ttls {
        default_eap_type = md5
        use_tunneled_reply = no
    }

and that's all.

Lionel Gavage

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] on behalf of José Luis Solano
Sent: Monday, February 9, 2004 17:03
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems

Hi Lionel!! I would need your help because I use EAP-TLS, EAP-TTLS and PEAP. The first one, TLS, runs OK, but TTLS and PEAP don't run OK. My first target now is to get TTLS running, and I will do PEAP after. So, can you help me please? Currently, my radiusd.conf is:

    # Extensible Authentication Protocol
    #
    # For all EAP related authentications
    eap {
        # Invoke the default supported EAP type when
        # EAP-Identity response is received
        default_eap_type = tls

        # Default expiry time to clean the EAP list,
        # It is maintained to co-relate the
        # EAP-response for each EAP-request sent.
        timer_expire = 60

        # Supported EAP-types
        #md5 {
        #}

        ## EAP-TLS is highly experimental EAP-Type at the moment.
        # Please give feedback on the mailing list.
        tls {
            private_key_password = izadisan
            private_key_file = /usr/local/openssl/ssl/certs/server/server.pem

            # If Private key & Certificate are located in the
            # same file, then private_key_file & certificate_file
            # must contain the same file name.
            certificate_file = /usr/local/openssl/ssl/certs/server/server.pem

            # Trusted Root CA list
            CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt

            dh_file = /usr/local/openssl/ssl/certs/dh
            random_file = /usr/local/openssl/ssl/certs/random

            #
            # This can never exceed MAX_RADIUS_LEN (4096)
            # preferably half the MAX_RADIUS_LEN, to
            # accommodate other attributes in RADIUS packet.
            # On most APs the MAX packet length is configured
            # between 1500 - 1600. In these cases, fragment
            # size should be <= 1024.
            #
            fragment_size = 600

            # include_length is a flag which is by default set to yes
            # If set to yes, Total Length of the message is included
            # in EVERY packet we send.
            # If set to no, Total Length of the message is included
            # ONLY in the First packet of a fragment series.
            #
            include_length = yes
        }
    }

--

What changes do I need to use TTLS? Thanks in advance Lionel!!!

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

- Original Message -
From: Lionel Gavage [EMAIL PROTECTED]
To: freeradius-users [EMAIL PROTECTED]
Sent: Monday, February 09, 2004 4:23 PM
Subject: Freeradius PEAP Problems

Hi, I
Re: Freeradius PEAP Problems
Hi again, and sorry if I ask you a lot!! If you want to send me your radiusd.conf, it will be très bien for me. So, please send me your file if it's possible. See you soon!!

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

- Original Message -
From: Lionel Gavage [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, February 09, 2004 5:31 PM
Subject: RE: Freeradius PEAP Problems

Hi José, I use a freeradius snapshot because TTLS isn't in the rpm package. You must have the TLS module to use the TTLS module. The directive default_eap_type (in the EAP module) must be set to tls. That's right. And the default_eap_type (in the TTLS module) to md5. That's right too. I can send my config file to you if you want.

Lionel Gavage

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] on behalf of José Luis Solano
Sent: Monday, February 9, 2004 17:32
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems

Sorry Lionel!!! Another question. I have changed my radiusd.conf and I have activated the TTLS module. But now there are two modules activated; is it a problem?

    eap {
        default_eap_type = tls   !!
        timer_expire = 60
        #md5 {
        #}
        tls {
            private_key_password = izadisan
            private_key_file = /usr/local/openssl/ssl/certs/server/server.pem
            certificate_file = /usr/local/openssl/ssl/certs/server/server.pem
            CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt
            dh_file = /usr/local/openssl/ssl/certs/dh
            random_file = /usr/local/openssl/ssl/certs/random
            fragment_size = 600
            include_length = yes
        }
        ttls {
            default_eap_type = md5   !
            use_tunneled_reply = no
        }
    }

Is it correct? My freeRADIUS is 0.8.1; does TTLS run with this version? For default_eap_type, is md5 the only possible value? Thanks again Lionel

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

- Original Message -
From: Lionel Gavage [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, February 09, 2004 4:59 PM
Subject: RE: Freeradius PEAP Problems

Activated the TTLS module:

    ttls {
        default_eap_type = md5
        use_tunneled_reply = no
    }

and that's all.

Lionel Gavage

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] on behalf of José Luis Solano
Sent: Monday, February 9, 2004 17:03
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems

Hi Lionel!! I would need your help because I use EAP-TLS, EAP-TTLS and PEAP. The first one, TLS, runs OK, but TTLS and PEAP don't run OK. My first target now is to get TTLS running, and I will do PEAP after. So, can you help me please? Currently, my radiusd.conf is:

    # Extensible Authentication Protocol
    #
    # For all EAP related authentications
    eap {
        # Invoke the default supported EAP type when
        # EAP-Identity response is received
        default_eap_type = tls

        # Default expiry time to clean the EAP list,
        # It is maintained to co-relate the
        # EAP-response for each EAP-request sent.
        timer_expire = 60

        # Supported EAP-types
        #md5 {
        #}

        ## EAP-TLS is highly experimental EAP-Type at the moment.
        # Please give feedback on the mailing list.
        tls {
            private_key_password = izadisan
            private_key_file = /usr/local/openssl/ssl/certs/server/server.pem

            # If Private key & Certificate are located in the
            # same file, then private_key_file & certificate_file
            # must contain the same file name.
            certificate_file = /usr/local/openssl/ssl/certs/server/server.pem

            # Trusted Root CA list
            CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt

            dh_file = /usr/local/openssl/ssl/certs/dh
            random_file = /usr/local/openssl/ssl/certs/random

            #
            # This can never exceed MAX_RADIUS_LEN (4096)
            # preferably half the MAX_RADIUS_LEN, to
            # accommodate other attributes in RADIUS packet