Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not
Hi On 31 August 2010 13:58, Fajar A. Nugraha wrote: > On Tue, Aug 31, 2010 at 10:41 AM, Jean-Yves Avenard > wrote: >> Looking at the log, I don't think that when win7 sent the computer >> name as the login, the user's name is sent anywhere, so configuration >> change can only be done on the win7 client > > So did you finaly manage to get it working by changing the > configuration on the client? oh yes... Did so last week and reported it here :) You go and edit a new wireless profile, you go into Advanced Settings -> 802.11X Settings -> Specify authentication mode: and select "user authentication" - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not
On Tue, Aug 31, 2010 at 10:41 AM, Jean-Yves Avenard wrote: > Looking at the log, I don't think that when win7 sent the computer > name as the login, the user's name is sent anywhere, so configuration > change can only be done on the win7 client So did you finaly manage to get it working by changing the configuration on the client? -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not
Hi
On Tuesday, August 31, 2010, Alan DeKok wrote:
> The first debug log shows the user being found by the "unix" module.
> i.e. the User-Name has an entry in /etc/passwd, or the Apple equivalent.
>
> The second debug log shows that the user is *not* found by the "unix"
> module.
>
Yes, because in the 2nd case, Win 7 sent the name of the computer instead.
>
> I'm aware of that. I'm saying that *you* need to figure out which is
> which, and edit the configuration to use the right one.
But configuration where? on the freeradius server or win 7?
>
>> If you could point me to directions on how to configure the server for
>> (b), it would be greatly appreciated.
>
> Edit raddb/sites-enabled/inner-tunnel, the "authorize" section:
>
> authorize {
> ...
>
> if (User-Name =~ /\/(.*)/) {
> update request {
> Stripped-User-Name := "%{1}"
> }
> }
> ...
> }
This would only help if the user format is in the form of blah/user ;
which it isn't when the user name is sent and not the computer's name.
Looking at the log, I don't think that when win7 sent the computer
name as the login, the user's name is sent anywhere, so configuration
change can only be done on the win7 client
JY
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not
Jean-Yves Avenard wrote:
> As requested.
> Here is the log from the Win 7 client, when it is configured in
> Advanced Settings -> 802.11X Settings -> Specify authentication mode:
> user authentication
The first debug log shows the user being found by the "unix" module.
i.e. the User-Name has an entry in /etc/passwd, or the Apple equivalent.
The second debug log shows that the user is *not* found by the "unix"
module.
> I'm not sure I follow what you re saying here...
> I am only interested at this stage by the user name, not the computer
> name as part of the "User-Name"
I'm aware of that. I'm saying that *you* need to figure out which is
which, and edit the configuration to use the right one.
> If you could point me to directions on how to configure the server for
> (b), it would be greatly appreciated.
Edit raddb/sites-enabled/inner-tunnel, the "authorize" section:
authorize {
...
if (User-Name =~ /\/(.*)/) {
update request {
Stripped-User-Name := "%{1}"
}
}
...
}
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not
Hi On 31 August 2010 02:04, Fajar A. Nugraha wrote: > I think what Alan is saying is look at what User-Name being sent by > the CLIENT. Your Win7 client log says the client is sending "User-Name > = "host/ramon"". If you want it to be something like, change the > client configuration. At this point, it has nothing to do with server > configuration. > > There might be some checkbox somewhere on your Win7 that says > "Authenticate as computer when computer information is available" or > something like that. Uncheck it. Windows 7 user might be able to help > you more (or you could ask MS). Allright, so this is what I thought it was and I have provided the solution already. On Windows 7, you go into Advanced Settings -> 802.11X Settings -> Specify authentication mode: and select "user authentication" - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not
On Mon, Aug 30, 2010 at 9:25 PM, Jean-Yves Avenard wrote: > This is from a Win 7 client, using default configuration settings that > is just username / password and that Authentication is PEAP:MSCHAPv2 > >> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=112, >> length=163 >> User-Name = "host/ramon" >> So... what *should* the User-Name look like? This is for you to decide. > > I'm not sure I follow what you re saying here... > I am only interested at this stage by the user name, not the computer > name as part of the "User-Name" > > If you could point me to directions on how to configure the server for > (b), it would be greatly appreciated. I think what Alan is saying is look at what User-Name being sent by the CLIENT. Your Win7 client log says the client is sending "User-Name = "host/ramon"". If you want it to be something like, change the client configuration. At this point, it has nothing to do with server configuration. There might be some checkbox somewhere on your Win7 that says "Authenticate as computer when computer information is available" or something like that. Uncheck it. Windows 7 user might be able to help you more (or you could ask MS). -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not
Hi
On 27 August 2010 23:06, Alan DeKok wrote:
> Jean-Yves Avenard wrote:
>> You seem to miss the point that the issue occurs *only* with Win 7
>> clients. All other clients are fine.
>
> I don't really care which client it is. All that matters is:
>
> a) what data is in the packet
>
> b) what you configure the server to do with that data
>
>
> You have posted output from (a). That's nice. You *also* need (as I
> said already) to configure the server for (b).
Okay..
As requested.
Here is the log from the Win 7 client, when it is configured in
Advanced Settings -> 802.11X Settings -> Specify authentication mode:
user authentication
I've preceded each line with > so if like me you are using gmail, it's
easier to skip through
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=103,
> length=177
> User-Name = "jean-yves.avenard"
> NAS-IP-Address = 192.168.0.20
> NAS-Port = 0
> Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
> Calling-Station-Id = "C4-46-19-25-31-52"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11"
> EAP-Message = 0x02d40016016a65616e2d797665732e6176656e617264
> Message-Authenticator = 0xd617293cc36f9d2934e4364c48696da2
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "jean-yves.avenard", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 212 length 22
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[unix] returns updated
> ++[files] returns noop
> rlm_opendirectory: The host 192.168.0.20 does not have an access group.
> rlm_opendirectory: User is authorized.
> ++[opendirectory] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] Found existing Auth-Type, not changing it.
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type tls
> [tls] Initiate
> [tls] Start returned 1
> ++[eap] returns handled
> Sending Access-Challenge of id 103 to 192.168.0.20 port 65513
> EAP-Message = 0x01d500061920
> Message-Authenticator = 0x
> State = 0x56ebca49563ed3c34eaeaec5306add89
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=104,
> length=304
> User-Name = "jean-yves.avenard"
> NAS-IP-Address = 192.168.0.20
> NAS-Port = 0
> Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
> Calling-Station-Id = "C4-46-19-25-31-52"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11"
> EAP-Message =
> 0x02d50083198000791603010074017003014c7bbc6f1988ef8942fd2a91e0d171c08e57e6f23dbce06bfb570dc2a39ee7b218002f00350005000ac013c014c009c00a0032003800130004012fff010001160014116a65616e2d797665732e6176656e617264000a0006000400170018000b00020100
> State = 0x56ebca49563ed3c34eaeaec5306add89
> Message-Authenticator = 0xdc87572842154eda0af298bfad361a81
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "jean-yves.avenard", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 213 length 131
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> TLS Length 121
> [peap] Length Included
> [peap] eaptls_verify returned 11
> [peap] (other): before/accept initialization
> [peap] TLS_accept: before/accept initialization
> [peap] <<< TLS 1.0 Handshake [length 0074], ClientHello
> [peap] TLS_accept: SSLv3 read client hello A
> [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
> [peap] TLS_accept: SSLv3 write server hello A
> [peap] >>> TLS 1.0 Handshake [length 068a], Certificate
> [peap] TLS_accept: SSLv3 write certificate A
> [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
> [peap] TLS_accept: SSLv3 write server done A
> [peap] TLS_accept: SSLv3 flush data
> [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
> In SSL Handshake Phase
> In SSL Accept mode
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 104 to 192.168.0.20 port 65513
> EAP-Message =
> 0x01d6040019c006c7160301002a022603014c7bbc638660cb91c478e7233be221fa9048c65948c4c27d19bd88e7929394d52f00160301068a0b00068600068300035930820355308202bea003020102020310adba300d06
Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not
Jean-Yves Avenard wrote: > You seem to miss the point that the issue occurs *only* with Win 7 > clients. All other clients are fine. I don't really care which client it is. All that matters is: a) what data is in the packet b) what you configure the server to do with that data You have posted output from (a). That's nice. You *also* need (as I said already) to configure the server for (b). Unfortunately, the OpenDirectory module does not take any configuration. This means that you will need to edit the "User-Name" attribute *before* it is used by the opendirectory module. So... what *should* the User-Name look like? This is for you to decide. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not
On 27/08/10 13:38, Jean-Yves Avenard wrote: You seem to miss the point that the issue occurs *only* with Win 7 clients. All other clients are fine. Please post the debug output of freeradius, obtained by running: radiusd -X ...for a working and failing case. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not
Hi On 27 August 2010 20:46, Alan DeKok wrote: > Jean-Yves Avenard wrote: >> Here are some logs... > ... >> rlm_opendirectory: The host 192.168.0.20 does not have an access group. > > And... what does this message mean? It's an OpenDirectory error > message, so find out what it means, and how to fix it. > 192.168.0.20 is the wireless access point >> rlm_opendirectory: Could not get the user's uuid. > > Which looks like a direct consequence of the previous message. > no, this is a consequence of it trying to lookup the machine name instead of the user name >> By default it tries to connect with the computer name rather than the >> user name.. > > Because that's what's in the RADIUS packet. If you want it to use > something *other* than what's in the packet, you will need to configure > the server to use the correct field. > > So which field do you want to use? As mentioned before; the username. You seem to miss the point that the issue occurs *only* with Win 7 clients. All other clients are fine. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not
Jean-Yves Avenard wrote: > Here are some logs... ... > rlm_opendirectory: The host 192.168.0.20 does not have an access group. And... what does this message mean? It's an OpenDirectory error message, so find out what it means, and how to fix it. > rlm_opendirectory: Could not get the user's uuid. Which looks like a direct consequence of the previous message. > By default it tries to connect with the computer name rather than the > user name.. Because that's what's in the RADIUS packet. If you want it to use something *other* than what's in the packet, you will need to configure the server to use the correct field. So which field do you want to use? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not
Hi
On 26 August 2010 23:35, Alan DeKok wrote:
> Jean-Yves Avenard wrote:
>> I am running freeradius that comes installed and configured with MacOS
>> 10.6 server.
>>
>> A Windows XP can connect just fine using Microsoft Protected EAP.
>> iPhone, mac os client connect just fine using EAP-TTLS
>>
>> Windows 7 will connect fine using Securew2 EAP-TTLS supplicant ; but
>> not with the default build-in PEAP.
>
> The log you posted shows a clear issue:
>
>> When connecting with Windows 7, I would read:
>>
>> Thu Aug 26 02:21:52 2010 : Auth: rlm_opendirectory: Could not get the
>> user's uuid.
>> Thu Aug 26 02:21:53 2010 : Error: rlm_mschap: getUserNodeRef():
>> dsGetRecordList() status = 0, recCount=0
>>
>>
>> Any hint about what I should be looking at?
>
> Run the server in debugging mode (radiusd -X). Look for the above
> errors, and *read* the lines of text around them.
>
> Then use the information from the debug output to look the user up in
> OpenDirectory. Odds are that the user doesn't exist, which is why it
> can't get the UUID.
>
>> Mind new, I'm a complete noob when it comes to radius, I only started
>> playing with it 2 days ago.
>
> This isn't much of a RADIUS error. The user lookup in OpenDirectory
> fails, and the UUID wasn't found. The only issue is *who* was being
> looked up, and *why* the UUID wasn't found.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
Allright...
Here are some logs...
rad_recv: Access-Request packet from host 192.168.0.20 port 65513,
id=51, length=163
User-Name = "host/ramon"
NAS-IP-Address = 192.168.0.20
NAS-Port = 0
Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
Calling-Station-Id = "C4-46-19-25-31-52"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x027e000f01686f73742f72616d6f6e
Message-Authenticator = 0x4f4536256e97a2b596511e8560ef07ca
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/ramon", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 126 length 15
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
rlm_opendirectory: The host 192.168.0.20 does not have an access group.
rlm_opendirectory: Could not get the user's uuid.
++[opendirectory] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[snip]
By default it tries to connect with the computer name rather than the
user name..
Going into the Advanced option, I can force the type of authentication
use to "User Authentication"...
>From there it worked ...
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not
On 27 August 2010 05:19, Nolan King wrote: > check the capitalization of username. I have seen instances where xp clients > sends all lower, and win7 capitalised the first two characters. > What do you do in this case then? Have a script run by freeradius putting all characters as lower case? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not
check the capitalization of username. I have seen instances where xp clients sends all lower, and win7 capitalised the first two characters. nolan -- Nolan King Moulton Niguel Water District 27500 La Paz Rd. Laguna Niguel, CA 92677 (949) 425-3542 24hr: (949) 831-2500 >>> On 8/26/2010 at 11:44 AM, in message , Jean-Yves Avenard wrote: > Hi > > On Thursday, August 26, 2010, Alan DeKok wrote: >> Jean-Yves Avenard wrote: >>> I am running freeradius that comes installed and configured with MacOS >>> 10.6 server. >>> >>> A Windows XP can connect just fine using Microsoft Protected EAP. >>> iPhone, mac os client connect just fine using EAP-TTLS >>> >>> Windows 7 will connect fine using Securew2 EAP-TTLS supplicant ; but >>> not with the default build-in PEAP. >> >> The log you posted shows a clear issue: >> >>> When connecting with Windows 7, I would read: >>> >>> Thu Aug 26 02:21:52 2010 : Auth: rlm_opendirectory: Could not get the >>> user's uuid. >>> Thu Aug 26 02:21:53 2010 : Error: rlm_mschap: getUserNodeRef(): >>> dsGetRecordList() status = 0, recCount=0 >>> >>> >>> Any hint about what I should be looking at? >> >> Run the server in debugging mode (radiusd -X). Look for the above >> errors, and *read* the lines of text around them. >> >> Then use the information from the debug output to look the user up in >> OpenDirectory. Odds are that the user doesn't exist, which is why it >> can't get the UUID. > > I was the one doing the testing. Username/password are identical in all > tests. > >> >>> Mind new, I'm a complete noob when it comes to radius, I only started >>> playing with it 2 days ago. >> >> This isn't much of a RADIUS error. The user lookup in OpenDirectory >> fails, and the UUID wasn't found. The only issue is *who* was being >> looked up, and *why* the UUID wasn't found. >> > > Will run radius in debug mode and report back. I'm still puzzled why > there would be a difference between 7 and XP in the way they are > transmitting the user name > > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not
Hi On Thursday, August 26, 2010, Alan DeKok wrote: > Jean-Yves Avenard wrote: >> I am running freeradius that comes installed and configured with MacOS >> 10.6 server. >> >> A Windows XP can connect just fine using Microsoft Protected EAP. >> iPhone, mac os client connect just fine using EAP-TTLS >> >> Windows 7 will connect fine using Securew2 EAP-TTLS supplicant ; but >> not with the default build-in PEAP. > > The log you posted shows a clear issue: > >> When connecting with Windows 7, I would read: >> >> Thu Aug 26 02:21:52 2010 : Auth: rlm_opendirectory: Could not get the >> user's uuid. >> Thu Aug 26 02:21:53 2010 : Error: rlm_mschap: getUserNodeRef(): >> dsGetRecordList() status = 0, recCount=0 >> >> >> Any hint about what I should be looking at? > > Run the server in debugging mode (radiusd -X). Look for the above > errors, and *read* the lines of text around them. > > Then use the information from the debug output to look the user up in > OpenDirectory. Odds are that the user doesn't exist, which is why it > can't get the UUID. I was the one doing the testing. Username/password are identical in all tests. > >> Mind new, I'm a complete noob when it comes to radius, I only started >> playing with it 2 days ago. > > This isn't much of a RADIUS error. The user lookup in OpenDirectory > fails, and the UUID wasn't found. The only issue is *who* was being > looked up, and *why* the UUID wasn't found. > Will run radius in debug mode and report back. I'm still puzzled why there would be a difference between 7 and XP in the way they are transmitting the user name - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not
Jean-Yves Avenard wrote: > I am running freeradius that comes installed and configured with MacOS > 10.6 server. > > A Windows XP can connect just fine using Microsoft Protected EAP. > iPhone, mac os client connect just fine using EAP-TTLS > > Windows 7 will connect fine using Securew2 EAP-TTLS supplicant ; but > not with the default build-in PEAP. The log you posted shows a clear issue: > When connecting with Windows 7, I would read: > > Thu Aug 26 02:21:52 2010 : Auth: rlm_opendirectory: Could not get the > user's uuid. > Thu Aug 26 02:21:53 2010 : Error: rlm_mschap: getUserNodeRef(): > dsGetRecordList() status = 0, recCount=0 > > > Any hint about what I should be looking at? Run the server in debugging mode (radiusd -X). Look for the above errors, and *read* the lines of text around them. Then use the information from the debug output to look the user up in OpenDirectory. Odds are that the user doesn't exist, which is why it can't get the UUID. > Mind new, I'm a complete noob when it comes to radius, I only started > playing with it 2 days ago. This isn't much of a RADIUS error. The user lookup in OpenDirectory fails, and the UUID wasn't found. The only issue is *who* was being looked up, and *why* the UUID wasn't found. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not
On Sat, Jun 05, 2010 at 12:50:59AM +0200, David wrote: > connecting with Window 7 the following gets written to radius.log: > > Sat Jun 5 00:00:59 2010 : Info: rlm_eap_md5: Issuing Challenge > Sat Jun 5 00:00:59 2010 : Info: rlm_eap_mschapv2: Issuing Challenge > > As opposed to EAP-TTLS, then the following gets written: > > Sat Jun 5 00:03:23 2010 : Info: rlm_eap_md5: Issuing Challenge > > Does anyone know where the problem may be? I cannot think of anything > to try anymore. Run the server with freeradius -X and record the output? -- 2. That which causes joy or happiness. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
