Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread Alan Buxey
Hi,

 Now I want to test if it is possible for me to do authentication on
 wifi-enabled phones? And also, do I need to make additional configurations
 on the server?

which method? if e.g. PEAP/MSCHAPv2 then there's not really anything different - 
certainly no changes to the server...just configure the phone - e.g. iPhone, Android or 
Nokia.

if using e.g. EAP-TTLS/PAP then you would have issues - some phones won't do that 
method natively

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread rrperez

Thanks for the response Alan,

if using eg EAP-TTLS/PAP then you would have issues - some phones wont do
that method natively

yes, I do use EAP-TTLS/PAP, so does that mean that the configuration should be done
on the mobile devices and not on the server?



-- 
View this message in context: 
http://old.nabble.com/Wifi-Enabled-Phones-%2B-FreeRadius-tp29538516p29539779.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.



Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread Fajar A. Nugraha
On Thu, Aug 26, 2010 at 2:53 PM, rrperez rrpe...@apc.edu.ph wrote:

 Thanks for the response Alan,

if using eg EAP-TTLS/PAP then you would have issues - some phones wont do
 that method natively

 yes i do use EAP-TTLS/PAP, so does that mean that configurations should done
 on the mobile devices and not on the server?

Are you still authenticating against Lotus Domino LDAP?

Basically to get an authentication method to work, the device needs to
be configured to use it, and the server needs to support it. So you
need to have a method that's supported by both device and server. It's
easy enough to configure the server to support multiple methods, but
if you're still authenticating against Lotus Domino LDAP, you might
want to enable only TTLS-PAP and PEAP-GTC.

For example, iPhone (from Apple's docs) supports EAP-TLS, EAP-TTLS,
EAP-FAST, EAP-SIM, PEAPv0, PEAPv1, and LEAP.  I've tried it with
PEAP-GTC, and it works, so you might want to try EAP-TTLS/PAP and see
how it goes. If it doesn't, then try other methods.

-- 
Fajar


Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread rrperez

Thanks for the response Fajar,

Are you still authenticating against Lotus Domino LDAP?

Yes, I still do.

Basically to get an authentication method to work, the device needs to
be configured to use it, and the server needs to support it. So you
need to have a method that's supported by both device and server. It's
easy enough to configure the server to support multiple methods, but
if you're still authenticating against Lotus Domino LDAP, you might
want to enable only TTLS-PAP and PEAP-GTC.

I'm quite aware now about this, thanks to your hints from my previous posts.
I configure my server to do the two eap methods (TTLS-PAP/PEAP-GTC) and
supported my computer clients with supplicant (secureW2). So now I'm trying
to do authentication for wifi mobile phones.

For example, iPhone (from Apple's docs) supports EAP-TLS, EAP-TTLS,
EAP-FAST, EAP-SIM, PEAPv0, PEAPv1, and LEAP.  I've tried it with
PEAP-GTC, and it works, so you might want to try EAP-TTLS/PAP and see
how it goes. If it doesn't, then try other methods.

I also tested an iPhone 2G against my server, but it still uses MS-CHAPv2 even
though I configured my server to do TTLS-PAP.



Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread Fajar A. Nugraha
On Thu, Aug 26, 2010 at 3:24 PM, rrperez rrpe...@apc.edu.ph wrote:
For example, iPhone (from Apple's docs) supports EAP-TLS, EAP-TTLS,
EAP-FAST, EAP-SIM, PEAPv0, PEAPv1, and LEAP.  I've tried it with
PEAP-GTC, and it works, so you might want to try EAP-TTLS/PAP and see
how it goes. If it doesn't, then try other methods.

 I tested also an iPhone 2G to my server, but it still uses MS-CHAPv2 even
 though I configured my server to do TTLS-PAP.

That's odd. Did you already disable EAP/MS-CHAP on eap.conf (since you
can't use it anyway with your setup)?
In my eap.conf, I have (most important parts only)

eap {
    default_eap_type = peap
    gtc {
        auth_type = LDAP   # back then it was needed to specify this, not sure about now
    }
    peap {
        default_eap_type = gtc
    }
}

other lines not shown there (like the TLS part) should be left as they are,
but I specifically comment out all mschapv2 and TTLS entries. In your
case you might want to start by simply commenting out the mschapv2 entry in
eap.conf.

Using this setup I simply have to select the wifi network name on
iphone, enter username & password, and accept the certificate warning.

You could also contact Apple support and ask if they support TTLS-PAP.

-- 
Fajar
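Fajar's reply above and his earlier point (the device and the server must share a method) both come down to one question: which outer EAP types does eap.conf actually enable, and what inner method does each tunnel use? The following is an added example, not code from the thread or from FreeRADIUS: a small parser for the brace-delimited eap.conf layout Fajar posted, which reports the enabled types, the single default type, the PEAP/TTLS inner methods, and the intersection with what a phone supports. The sample config, the section-name-to-EAP-type table (FreeRADIUS 2.x convention, where a present sub-section enables that type) and the iPhone capability set (taken from the list quoted in the thread, PEAPv0/PEAPv1 collapsed to PEAP) are all constructed here for illustration.

```python
"""Added example (not from the thread or FreeRADIUS): parse a FreeRADIUS 2.x style
eap.conf, report enabled outer EAP types and their inner methods, and check which
of them a given phone can use.  Assumes sections look like `name {` ... `}` and
that '#' starts a comment, as in the snippet posted on the list."""

# Constructed sample, modelled on Fajar's snippet but with the mschapv2 and ttls
# sections still active (the state the thread starts from).
SAMPLE_EAP_CONF = """
eap {
    default_eap_type = peap
    timer_expire = 60

    tls {
        private_key_file = ${certdir}/server.pem
    }

    ttls {
        default_eap_type = md5
    }

    mschapv2 {
    }

    gtc {
        auth_type = LDAP   # inner GTC password is checked against LDAP
    }

    peap {
        default_eap_type = gtc
    }
}
"""

# Assumed mapping: FreeRADIUS 2.x eap { } sub-section name -> EAP type as phone
# documentation names it.  A sub-section being present enables that outer type.
SECTION_TO_TYPE = {
    "tls": "EAP-TLS", "ttls": "EAP-TTLS", "peap": "PEAP", "md5": "EAP-MD5",
    "gtc": "EAP-GTC", "mschapv2": "EAP-MSCHAPv2", "leap": "LEAP", "fast": "EAP-FAST",
}

# Constructed from the iPhone list quoted in the thread; PEAPv0/PEAPv1 -> PEAP.
IPHONE_SUPPORTS = {"EAP-TLS", "EAP-TTLS", "EAP-FAST", "EAP-SIM", "PEAP", "LEAP"}


def parse_conf(text):
    """Parse brace-delimited config into nested dicts; '#' starts a comment."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            section = {}
            stack[-1][line[:-1].strip()] = section
            stack.append(section)
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value
    return root


def enabled_types(conf):
    """Map each enabled outer EAP type to its inner method (None if not a tunnel)."""
    eap = conf["eap"]
    result = {}
    for section, label in SECTION_TO_TYPE.items():
        if section in eap:
            inner = eap[section].get("default_eap_type") if section in ("peap", "ttls") else None
            result[label] = inner
    return result


def default_type(conf):
    """The one outer type offered when the client's EAP-Identity response arrives."""
    return conf["eap"]["default_eap_type"]


def usable_by(conf, device_types):
    """Outer types that both the server enables and the device supports (sorted)."""
    return sorted(set(enabled_types(conf)) & set(device_types))


def comment_out_section(text, name):
    """Turn the `name { ... }` block into '#' comment lines (Fajar's advice to
    comment out the mschapv2 entry rather than delete it).  Tracks brace depth
    so nested sub-sections inside the block are commented too."""
    out, depth = [], 0
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].strip()
        if depth == 0 and stripped != name + " {":
            out.append(line)
            continue
        if depth == 0:
            depth = 1
        elif stripped.endswith("{"):
            depth += 1
        elif stripped == "}":
            depth -= 1
        out.append("#" + line)
    return "\n".join(out)


def main():
    conf = parse_conf(SAMPLE_EAP_CONF)
    print("enabled:", enabled_types(conf), "default:", default_type(conf))
    print("usable by iPhone:", usable_by(conf, IPHONE_SUPPORTS))
    fixed = parse_conf(comment_out_section(SAMPLE_EAP_CONF, "mschapv2"))
    print("after commenting out mschapv2:", enabled_types(fixed))


if __name__ == "__main__":
    main()
```

Running it against the sample shows why rrperez's iPhone kept landing on MSCHAPv2: with the mschapv2 and ttls sections present, the server still accepts those methods, and the client picks whichever it prefers. The parser only reads what is literally in the file, so run it on your real eap.conf before and after commenting a section out to confirm the change took effect.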



Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread Alan Buxey
Hi,

 yes i do use EAP-TTLS/PAP, so does that mean that configurations should done
 on the mobile devices and not on the server?

some devices, e.g. Symbian Nokias, won't do EAP-TTLS/PAP (IIRC it's all of them) - 
you can kludge this by using EAP-GTC but then you get a request for the password
all the time - as the device is expecting it to be a one-time token...

there is nothing more you can do on the server

alan


Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread Alan Buxey
Hi,

  I tested also an iPhone 2G to my server, but it still uses MS-CHAPv2 even
  though I configured my server to do TTLS-PAP.

if the device can do TTLS/MSCHAPv2 then it'll do that. if the device
can't do EAP-TTLS/PAP (and many don't) then there's nothing you can do on the 
server to change that.

ie client needs to be capable and configured correctly


alan


Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread rrperez

Thanks for the response Fajar,

Regarding your configuration, when I configured mine, my computers are now
unable to connect; my computer clients are no longer asked for their username and
password, and the server uses the computer name instead.




Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread rrperez

Thanks for the response Alan, 

you can kludge this by using EAP-GTC but then you get request for password
all the time - as the device is expecting it to be a one time token...

when I configured my server like what Fajar posted, it doesn't ask for
username and password anymore. I'm quite confused now.


Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread rrperez

Thanks for the response Alan, 

you can kludge this by using EAP-GTC but then you get request for password
all the time - as the device is expecting it to be a one time token...

when I configured my server like what Fajar posted, it doesn't ask for
username and password anymore. I'm quite confused now with the EAP-GTC
configuration.


Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread Fajar A. Nugraha
On Thu, Aug 26, 2010 at 4:59 PM, rrperez rrpe...@apc.edu.ph wrote:

 Thanks for the response Fajar,

 Regarding your configurations, when I configured mine, my computers are now
 unable to connect, my computer clients now are not ask by their username and
 password, the server uses the computer name instead.

Which part did you change? If you completely disable TTLS (like I
did), and your clients are still configured to do TTLS/PAP, then they
wouldn't be able to connect.

You should start by disabling MSCHAPv2 on eap.conf first, and see if
iphone can connect (just in case it can support TTLS/PAP).

To be honest, after reading the comment in eap.conf, I'm not sure how
you can use EAP-GTC and TTLS/PAP simultaneously. Perhaps Alan can
answer this.

#  Invoke the default supported EAP type when
#  EAP-Identity response is received.
#
#  The incoming EAP messages DO NOT specify which EAP
#  type they will be using, so it MUST be set here.
#
#  For now, only one default EAP type may be used at a time.

-- 
Fajar


Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread Alan DeKok
rrperez wrote:
 I tested also an iPhone 2G to my server, but it still uses MS-CHAPv2 even
 though I configured my server to do TTLS-PAP.

  The client chooses the authentication method.

  Go fix the client.

  Alan DeKok.


Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread Fajar A. Nugraha
On Thu, Aug 26, 2010 at 3:49 PM, Fajar A. Nugraha fa...@fajar.net wrote:
 Using this setup I simply have to select the wifi network name on
 iphone, enter username & password, and accept the certificate warning.

Scratch that. Perhaps it's because I had connected to the network
previously that it was asking username & password.

When configuring new network you need to manually specify that you
want WPA2 Enterprise. On wireless network list, choose other, type
your SSID name, choose WPA2 Enterprise security, and then you can
input username and password.

-- 
Fajar


Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread rrperez

Thanks for the response Alan,

I also think that the clients are the ones that need to be configured.


Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread rrperez

Thanks for the response Fajar,

I don't have a problem with my server using my previous configuration to
authenticate wifi computers. But when I reconfigured my server, that's
when it fails.

My previous config, which was running smoothly, was default_eap_type = gtc only,
with the others left as they are. Testing your posted configuration, the
authentication for the computers doesn't ask for username and password
anymore, and also the server uses the computer names as the username, which
automatically fails the authentication.


Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread Fajar A. Nugraha
On Fri, Aug 27, 2010 at 8:32 AM, rrperez rrpe...@apc.edu.ph wrote:
 My previous config which is running smoothly was default_eap_type = gtc only
 and the others are left as it is. Testing your posted configuration, the
 authentication for the computers don't ask for username and password
 anymore, and also the server uses the computer names as username that
 automatically fails the authentication.

Did you try leaving everything the way it was when it worked and only
commenting out the mschapv2 section?
Did you try configuring the iphone to use WPA2 Enterprise security?

-- 
Fajar


Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread rrperez

Thanks for the response Fajar,

Did you try leaving everything the way it was when it works and only
comment-out mschapv2 section?

Yes, I tried that yesterday, and it still works.

Did you try configuring iphone to use WPA2 enterprise security?

I did that also, but I've never tried to do both at the same time, I'll try
that now.



Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread Fajar A. Nugraha
On Fri, Aug 27, 2010 at 9:05 AM, rrperez rrpe...@apc.edu.ph wrote:

 Thanks for the response Fajar,

Did you try leaving everything the way it was when it works and only
comment-out mschapv2 section?

 Yes i tried that yesterday, and it still works.

Did you try configuring iphone to use WPA2 enterprise security?

 I did that also, but I've never tried to do both at the same time, I'll try
 that now.

If that still doesn't work, try these links:
http://blogs.sun.com/cphcampus/entry/setting_up_your_iphone_for
http://www.apple.com/support/iphone/enterprise/

... and as usual, post the debug logs

-- 
Fajar


Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread rrperez

Thanks for the response Fajar,

Finally it worked out: I commented out mschapv2 and configured peap
to do gtc, and gtc to do auth type ldap. Thanks for the big help.

Now I'm trying to test different kinds of mobile phones. I'm just confused
with the iPhone because the certificate was sent when I tried to connect to the
network, while with the other phones, the certificates are installed
manually.


Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread Fajar A. Nugraha
On Fri, Aug 27, 2010 at 11:49 AM, rrperez rrpe...@apc.edu.ph wrote:
 Now I'm trying to test different kind of mobile phones. I'm just confused
 with iPhone because the certificate was sent when I tried to connect to the
 network, while with the other phones, the certificates are installed
 manually.

Not really.
Both TTLS and PEAP use a server certificate which is sent to the
client/phone. Some clients ask whether you trust this certificate,
and you can simply click yes/accept/continue. Some others probably
simply reject it if it's not on the list of known certificates, thus
you have to install it before connecting.

-- 
Fajar