Re: What cert import to Windows Clients
Hi, thanks guys. I have tested importing only the Root CA certificate to Windows 7 and it seems to work, but now I run into another old question, as follows below.

I'm using PEAP in the wireless configuration and the client machine is Windows 7. The user d1am is in LDAP/Samba with the attributes LM-Password and NT-Password. Why does it complain "No Cleartext-Password configured. Cannot create LM-Password"? What do I have to do in my system (FreeRADIUS, LDAP or the client machine) to make that integration work? I would like my wireless users (Windows 7, XP and Mac OS) to be authenticated against LDAP through FreeRADIUS. Any tip is welcome.

[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: d1am
[mschap] Told to do MS-CHAPv2 for d1am with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect

thanks!

2013/3/14 (Freeradius-Users digest):

> Message: 1
> Date: Thu, 14 Mar 2013 19:51:38
> From: a.l.m.bu...@lboro.ac.uk
> To: FreeRadius users mailing list
> Subject: Re: errors when check with huntgroup
>
> hi,
>
> you've edited a whole lot of stuff out of your debug log...including
> the stuff which actually matters where the failure actually occurs
> (you just kept the part where the end result was recorded).
>
> alan
Re: What cert import to Windows Clients
Hi,

> 01.pem
> ca.der
> ca.key
> ca.pem
> dh
> server.crt
> server.csr
> server.key
> server.p12
> server.pem
>
> What are that files I have import to windows clients machine ?

for EAP-TLS? As that's a certificate authentication method you need to generate client certificates. The standard provided script will make client.* files and you'll need the client.der or client.cer file.

> I have installed ca.der on an windows XP but unseccessfull. I can't to
> connect at the network Wireless.

doing what? If you only have ca.der installed - and you put it into the correct certificate store as per Microsoft docs (or various correct online resources) - then you can only be doing PEAP with that Windows XP client, so ensure it's using a username/password that is known to the RADIUS server.

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: What cert import to Windows Clients
Usuário do Sistema wrote:
> I should like use EAP method with TLS so I have genetated the certs. I
> had just ran bootstrap script from /etc/raddb/certs and it generated
> many files as follow
...
> What are that files I have import to windows clients machine ?

Just the ca.der and client certificate.

> I have installed ca.der on an windows XP but unseccessfull. I can't to
> connect at the network Wireless.

Well... there's more to it than that.

> I wonderful any tip about how to generate certs on freeradius and
> import they to windows machine.

Read this: http://deployingradius.com/

It has a detailed set of instructions. Or click on the "documentation" link on www.freeradius.org. There's an EAP-TLS Howto. This is all very well documented.

Alan DeKok.
What cert import to Windows Clients
Hello everyone,

I have just deployed FreeRADIUS on a CentOS 5.9 Linux machine.

I would like to use the EAP method with TLS, so I have generated the certs. I just ran the bootstrap script from /etc/raddb/certs and it generated many files, as follows:

01.pem
ca.der
ca.key
ca.pem
dh
server.crt
server.csr
server.key
server.p12
server.pem

Which of those files do I have to import to the Windows client machines?

I have installed ca.der on a Windows XP machine but unsuccessfully. I can't connect to the wireless network.

I would welcome any tip about how to generate certs on FreeRADIUS and import them to a Windows machine.

thanks
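An added configuration example, not the poster's files and not the eap.conf shipped by FreeRADIUS: the "tls" section of raddb/eap.conf on a FreeRADIUS 2.x server (the sites-enabled layout on this CentOS box is 2.x), wired to the files the bootstrap script listed above produced, followed by a note on which of those files leave the server. The confdir-relative paths and the key passphrase are assumptions.

```text
# raddb/eap.conf, trimmed to the part that consumes the bootstrap output.
# Added example; paths and private_key_password are assumptions.
eap {
    # "tls": the client certificate is the credential.
    # "peap": username/password (MS-CHAPv2) inside a TLS tunnel; only ca.der is needed on clients.
    default_eap_type = tls

    tls {
        certdir = ${confdir}/certs
        cadir   = ${confdir}/certs

        # Server-side secrets: these never leave the RADIUS host.
        private_key_password = whatever              # assumed: the passphrase bootstrap used
        private_key_file     = ${certdir}/server.key
        certificate_file     = ${certdir}/server.pem

        # The CA that signed the server certificate (and, for EAP-TLS, the client certificates).
        CA_file     = ${cadir}/ca.pem
        dh_file     = ${certdir}/dh
        random_file = /dev/urandom
    }
}

# Where the bootstrap output belongs (file names from the post above; the
# client.* files are the ones the same cert scripts generate, per the reply above):
#   ca.der                       -> every Windows client, "Trusted Root Certification
#                                   Authorities" store. Sufficient for PEAP.
#   client.p12 (client.* files)  -> the user's "Personal" store on that client.
#                                   Needed only for EAP-TLS.
#   server.key, server.pem       -> RADIUS server only.
#   ca.key                       -> CA only; keep it off the RADIUS host if you can.
#   01.pem, server.csr, server.crt, server.p12
#                                -> CA bookkeeping and alternative packagings of the
#                                   server certificate; nothing to import on clients.
```

Two checks go with this. On the server, `openssl verify -CAfile ca.pem server.pem` confirms that the certificate the server presents actually chains to the CA you hand out as ca.der. In the server's debug output, a line such as `TLS Alert read:fatal:unknown CA` (it appears in Craig White's log further down the page) is the client's verdict, not the server's: the supplicant did not trust the certificate the server presented, so the CA is missing from the client's trusted-root store or the client is validating against a different one.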
Re: last hurdle...windows clients
> Am I in the right place?

No. You are looking at the radius server for something configured on the supplicant.

Ivan Kalik
Kalik Informatika ISP
Re: last hurdle...windows clients
On Tue, 2008-11-25 at 10:06 +0100, Alan DeKok wrote:
> Craig White wrote:
> > I realize that freeradius has little control over the supplicant but I'm
> > wondering if it's something in my setup of tls that the authentication
> > should/shouldn't be part of the tunnel because it just assumes a login
> > of anonymous instead of the Windows User/Password or never asks me for a
> > User/Password...
>
> Because you've likely configured an anonymous outer identity, and it's
> not proceeding to the inner session. So it's not asking for the
> username or password.

OK, perhaps I am just looking in the wrong place, and I'm using an older version of freeradius (part of RHEL/CentOS 5), but eap.conf, in the peap section, only has these options and I haven't found any combination that works...

copy_request_to_tunnel = yes
use_tunneled_reply = yes
# proxy_tunneled_request_as_eap = yes
proxy_tunneled_request_as_eap = no

and I have the ttls section commented out.

Am I in the right place? Am I missing something really obvious?

Craig
Re: last hurdle...windows clients
Craig White wrote:
> I realize that freeradius has little control over the supplicant but I'm
> wondering if it's something in my setup of tls that the authentication
> should/shouldn't be part of the tunnel because it just assumes a login
> of anonymous instead of the Windows User/Password or never asks me for a
> User/Password...

Because you've likely configured an anonymous outer identity, and it's not proceeding to the inner session. So it's not asking for the username or password.

Alan DeKok.
Re: last hurdle...windows clients
On Sun, 2008-11-23 at 02:59 -0600, Alan DeKok wrote:
> Craig White wrote:
> > OK - that quiets the notification but I still can't figure out the issue
> > where I can authenticate RRAS, Macintosh and iPod clients against radius
> > via LDAP using mschapv2 but even with the certificates on Windows XP
> > clients, with the 'xpextensions' they always try to authenticate as
> > 'uid=anonymous' and never ask me for name/password credentials to supply
> > for authentication.
>
> Then the supplicant is misconfigured.
>
> > While I probably would agree that the certificates should be enough and
> > not need the user/password authentication, I can't figure out how to
> > tell radiusd to accept those with the certificates.
>
> No. PEAP does MS-CHAP for username/passwd authentication. If you
> want authentication via client certs, use TLS.
>
> > Either way I would be happy...getting windows clients to provide
> > username/password or getting radius to accept a client with the
> > certificate.
>
> There's something else in your windows configuration that is making it
> *not* ask you for the username/password. Maybe it's cached in the registry.

HKCU\Software\Microsoft doesn't even have an EAPOL entry at all.

Fixed the cert issue but still it's trying to authenticate as anonymous ;-(

I realize that freeradius has little control over the supplicant but I'm wondering if it's something in my setup of tls that the authentication should/shouldn't be part of the tunnel because it just assumes a login of anonymous instead of the Windows User/Password or never asks me for a User/Password...

rad_recv: Access-Request packet from host 192.168.1.250:2054, id=168, length=161
        User-Name = "anonymous"
        NAS-IP-Address = 192.168.1.250
        NAS-Port = 0
        Called-Station-Id = "00-21-29-E3-D1-84"
        Calling-Station-Id = "00-04-23-62-BD-3D"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x026300061900
        State = 0x7de5407f2f55958f61578bc598c219a9
        Message-Authenticator = 0x0682bd2213fba7b19656a91ac1454267
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 46
  modcall[authorize]: module "preprocess" returns ok for request 46
  modcall[authorize]: module "chap" returns noop for request 46
  modcall[authorize]: module "mschap" returns noop for request 46
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 46
  rlm_eap: EAP packet type response id 99 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 46
    users: Matched entry DEFAULT at line 156
  modcall[authorize]: module "files" returns ok for request 46
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat: '(uid=anonymous)'
radius_xlat: 'ou=People,ou=Accounts,o=MyOrg'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,ou=Accounts,o=MyOrg, with filter (uid=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns notfound for request 46
modcall: leaving group authorize (returns updated) for request 46
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 46
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 46
modcall: leaving group authenticate (returns handled) for request 46
Sending Access-Challenge of id 168 to 192.168.1.250 port 2054
        EAP-Message = 0x0164040619400355040b130b4d61696e204f696365311a301806035504031311772e6d756c6c656e6164762e636f6d3121301f06092a864886f70d01090116126372616967406d7
Re: last hurdle...windows clients
> OK - that quiets the notification but I still can't figure out the issue
> where I can authenticate RRAS, Macintosh and iPod clients against radius
> via LDAP using mschapv2 but even with the certificates on Windows XP
> clients, with the 'xpextensions' they always try to authenticate as
> 'uid=anonymous' and never ask me for name/password credentials to supply
> for authentication.
>
> Thus since my Default Auth Type = LDAP (in users), these clients always
> fail authentication.
>

Then there must be a setting in the supplicant that changes the user name to anonymous for the outer tunnel negotiation. If you upgrade to 2.1.1 you can leave anonymous as it is and enable ldap only for the inner-tunnel virtual server (where the true user name will be used).

Ivan Kalik
Kalik Informatika ISP
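An added configuration example, not Ivan's, Craig's or FreeRADIUS's own files, for the split Ivan describes and for the "FAILED: No NT/LM-Password" failure in the 2013 post at the top of this page. On a FreeRADIUS 2.x server the outer PEAP identity stays "anonymous", the ldap module runs only in the inner-tunnel virtual server where the real user name is visible, and the user's sambaNTPassword attribute is mapped onto control:NT-Password so that rlm_mschap has a hash to verify the MS-CHAPv2 response against. The LDAP host name and the file paths are assumptions; the base DN is the one in Craig's debug output.

```text
# --- raddb/eap.conf (fragment): send the tunnelled session to its own virtual server
peap {
    default_eap_type = mschapv2
    copy_request_to_tunnel = yes
    use_tunneled_reply = yes
    virtual_server = "inner-tunnel"
}

# --- raddb/sites-enabled/default (fragment): the outer request, User-Name = "anonymous"
# No "ldap" here: a search for uid=anonymous can only return notfound, as in the log above.
authorize {
    preprocess
    suffix
    eap {
        ok = return          # an EAP packet is handled entirely by rlm_eap
    }
    files
}
authenticate {
    eap
}

# --- raddb/sites-enabled/inner-tunnel (fragment): the real identity is only visible here
authorize {
    mschap               # recognises MS-CHAP attributes in the inner request
    suffix
    eap {
        ok = return
    }
    files
    ldap                 # fetches sambaNTPassword and places it in control:NT-Password
}
authenticate {
    Auth-Type MS-CHAP {
        mschap           # the group "MS-CHAP" named in the [mschapv2] log lines at the top
    }
    eap
}

# --- raddb/modules/ldap (fragment)
ldap {
    server = "ldap.example.org"                      # assumed host name
    basedn = "ou=People,ou=Accounts,o=MyOrg"         # base DN from the debug output on this page
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    dictionary_mapping = ${confdir}/ldap.attrmap
}

# --- raddb/ldap.attrmap: the two lines rlm_mschap depends on.
# Without them the hash never reaches the request; rlm_mschap then has neither a
# Cleartext-Password to derive the hashes from nor an NT-Password to use directly,
# which is exactly the "No Cleartext-Password configured ... No NT/LM-Password" pair
# of messages in the 2013 log.
checkItem   LM-Password   sambaLMPassword
checkItem   NT-Password   sambaNTPassword
```

Reading the debug output against this layout: the `rlm_ldap: ... uid=anonymous ... search failed` lines belong to the outer virtual server and are harmless once ldap is removed from it; what has to appear is an ldap search for the real user name inside `# Executing group from file .../inner-tunnel`, followed by `[mschap] Told to do MS-CHAPv2 for <user> with NT-Password` and no "FAILED" line after it.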
Re: last hurdle...windows clients
Craig White wrote:
> OK - that quiets the notification but I still can't figure out the issue
> where I can authenticate RRAS, Macintosh and iPod clients against radius
> via LDAP using mschapv2 but even with the certificates on Windows XP
> clients, with the 'xpextensions' they always try to authenticate as
> 'uid=anonymous' and never ask me for name/password credentials to supply
> for authentication.

Then the supplicant is misconfigured.

> While I probably would agree that the certificates should be enough and
> not need the user/password authentication, I can't figure out how to
> tell radiusd to accept those with the certificates.

No. PEAP does MS-CHAP for username/passwd authentication. If you want authentication via client certs, use TLS.

> Either way I would be happy...getting windows clients to provide
> username/password or getting radius to accept a client with the
> certificate.

There's something else in your windows configuration that is making it *not* ask you for the username/password. Maybe it's cached in the registry.

Alan DeKok.
Re: last hurdle...windows clients
On Sun, 2008-11-23 at 00:24 +0100, [EMAIL PROTECTED] wrote:
> > I don't understand the message about unknown_ca in the log below either
> > because I am acting as my own CA and this same cacert.pem seems to be
> > happy on the Windows system I imported it on and I've been using it for
> > a bunch of other daemons.
>
> It probably wants cacert.der.

OK - that quiets the notification but I still can't figure out the issue where I can authenticate RRAS, Macintosh and iPod clients against radius via LDAP using mschapv2 but even with the certificates on Windows XP clients, with the 'xpextensions' they always try to authenticate as 'uid=anonymous' and never ask me for name/password credentials to supply for authentication.

Thus since my Default Auth Type = LDAP (in users), these clients always fail authentication.

While I probably would agree that the certificates should be enough and not need the user/password authentication, I can't figure out how to tell radiusd to accept those with the certificates.

Either way I would be happy...getting windows clients to provide username/password or getting radius to accept a client with the certificate.

Craig
Re: last hurdle...windows clients
> I don't understand the message about unknown_ca in the log below either
> because I am acting as my own CA and this same cacert.pem seems to be
> happy on the Windows system I imported it on and I've been using it for
> a bunch of other daemons.
>

It probably wants cacert.der.

Ivan Kalik
Kalik Informatika ISP
last hurdle...windows clients
freeradius-1.1.3-1.2.el5

I am authenticating Windows RRAS connections, Macintosh wifi, iPhone wifi all with LDAP and mschapv2 (using sambaNTPassword hashes in OpenLDAP)

My users file basically consists of...

DEFAULT Auth-Type = LDAP

eap.conf

default_eap_type = mschapv2

and of course my certificates and LDAP setup which works for all the above authentications.

My problem is Windows XP laptops (updated to SP3) and I have generated certificates for them. I have loaded both the CA and p12 certificates on a Windows client, set for WPA, TKIP, PEAP but it never asks me for a user name and password and thus always tries to authenticate as anonymous (log below)...even if I check the box to 'Automatically use my Windows name and password' - it still comes in as 'anonymous'

Is there something else I need to add so that Windows also uses name/password or do I have something else in Auth-Type to just allow those with the certificates? How do I do this?

I don't understand the message about unknown_ca in the log below either because I am acting as my own CA and this same cacert.pem seems to be happy on the Windows system I imported it on and I've been using it for a bunch of other daemons.

Craig

rad_recv: Access-Request packet from host 192.168.1.251:2050, id=112, length=172
        User-Name = "anonymous"
        NAS-IP-Address = 192.168.1.251
        NAS-Port = 0
        Called-Station-Id = "00-21-29-E3-D1-8A"
        Calling-Station-Id = "00-04-23-62-BD-3D"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x02880011198715030100020230
        State = 0xce80cf1b72bd9479de376550dc6d9052
        Message-Authenticator = 0x90183570c2ef1940d04e9e5dc579a1bd
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 59
  modcall[authorize]: module "preprocess" returns ok for request 59
  modcall[authorize]: module "chap" returns noop for request 59
  modcall[authorize]: module "mschap" returns noop for request 59
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 59
  rlm_eap: EAP packet type response id 136 length 17
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 59
    users: Matched entry DEFAULT at line 156
  modcall[authorize]: module "files" returns ok for request 59
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat: '(uid=anonymous)'
radius_xlat: 'ou=People,ou=Accounts,o=MyOrg'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,ou=Accounts,o=MyOrg, with filter (uid=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns notfound for request 59
modcall: leaving group authorize (returns updated) for request 59
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 59
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Length Included
  eaptls_verify returned 11
  rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept:failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
  rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.
In SSL Handshake Phase
In SSL Accept mode
rlm_eap: SSL error error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
  rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails.
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 59
modcall: leaving group authenticate (returns reject) for request 59
auth: Failed to validate the user.
Re: Windows clients
[EMAIL PROTECTED] wrote:
> this is my config files:
> ##EAP.conf##
> [EMAIL PROTECTED]:/etc/freeradius# vi eap.conf
> #
> # The PEAP module needs the TLS module to be installed
> # and configured, in order to use the TLS tunnel
> # inside of the EAP packet. You will still need to
> # configure the TLS module, even if you do not want
> # to deploy EAP-TLS in your network.

Did you do that?

Regards,
Stefan
Re: Windows clients
[EMAIL PROTECTED] wrote:
> I'm trying to confiure RADIUS client on windows XP. I have installed
> freeradius on ubuntu with mysql and phpmyadmin. I don't know what i make
> error. Please someone could i help me.
> this is my config files:

Why do you think posting the configuration files will be useful?

Read the FAQ.

Alan DeKok.
Windows clients
Hi Everybody!

I'm trying to configure a RADIUS client on Windows XP. I have installed freeradius on Ubuntu with MySQL and phpMyAdmin. I don't know where I made an error. Could someone please help me?

These are my config files:

##EAP.conf##
[EMAIL PROTECTED]:/etc/freeradius# vi eap.conf

    #
    #  The PEAP module needs the TLS module to be installed
    #  and configured, in order to use the TLS tunnel
    #  inside of the EAP packet.  You will still need to
    #  configure the TLS module, even if you do not want
    #  to deploy EAP-TLS in your network.  Users will not
    #  be able to request EAP-TLS, as it requires them to
    #  have a client certificate.  EAP-PEAP does not
    #  require a client certificate.
    #
    peap {
        #  The tunneled EAP session needs a default
        #  EAP type which is separate from the one for
        #  the non-tunneled EAP module.  Inside of the
        #  PEAP tunnel, we recommend using MS-CHAPv2,
        #  as that is the default type supported by
        #  Windows clients.
        default_eap_type = mschapv2
    }

    #
    #  This takes no configuration.
    #
    #  Note that it is the EAP MS-CHAPv2 sub-module, not
    #  the main 'mschap' module.
    #
    #  Note also that in order for this sub-module to work,
    #  the main 'mschap' module MUST ALSO be configured.
    #
    #  This module is the *Microsoft* implementation of MS-CHAPv2
    #  in EAP.  There is another (incompatible) implementation
    #  of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
    #  currently support.
    #
    mschapv2 {
    }
}

##user.conf
# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
#       by the terminal server in which case there may not be a "P" suffix.
#       The terminal server sends "Framed-Protocol = PPP" for auto PPP.
#
DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

#
# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
#
DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

#
# Default for SLIP: dynamic IP address, SLIP mode.
#
DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP

#
# Last default: rlogin to our main server.
#
#DEFAULT
#       Service-Type = Login-User,
#       Login-Service = Rlogin,
#       Login-IP-Host = shellbox.ispdomain.com

# #
# # Last default: shell on the local terminal server.
# #
# DEFAULT
#       Service-Type = Shell-User

# On no match, the user is denied access.

clients.conf##
    #
    #  The shared secret use to "encrypt" and "sign" packets between
    #  the NAS and FreeRADIUS.  You MUST change this secret from the
    #  default, otherwise it's not a secret any more!
    #
    #  The secret can be any string, up to 32 characters in length.
    #
    secret = testing123

    #
    #  The short name is used as an alias for the fully qualified
    #  domain name, or the IP address.
    #
    shortname = localhost

    #
    # the following three fields are optional, but may be used by
    # checkrad.pl for simultaneous use checks
    #

    #
    # The nastype tells 'checkrad.pl' which NAS-specific method to
    # use to query the NAS for simultaneous use.
    #
    # Permitted NAS types are:
    #
    #       cisco
    #       computone
    #       livingston
    #       max40xx
    #       multitech
    #       netserver
    #       pathras
    #       patton
    #       portslave
    #       tc
    #       usrhiper
    #       other           # for all other types

    #
    #  The following two configurations are for future use.
    #  The 'naspasswd' file is currently used to store the NAS
    #  login name and password, which is used by checkrad.pl
    #  when querying the NAS for simultaneous use.
    #
    #       login = !root
    #       password = someadminpas
}

#client some.host.org {
#       secret          = testing123
#       shortname       = localhost
#}

#
# You
Radius, Cisco 1600 and Windows Clients
Dear List,

I apologize if this issue has been discussed, but I couldn't find any docs that help me out.

I have a network with a Cisco 1601R connected to the Internet and a radius server (simply an ethernet switch with Windows workstations, the router and the server running freeradius). I'm trying to configure the Cisco so that clients dial in to it, the Cisco validates the user and password with the radius server, and if everything is ok, it opens the door for that client to access the Internet.

I've based my freeradius installation on reading http://www.frontios.com/freeradius.html so the server is running ok and the tests show me that it's validating as I need. The communication between the router and the server is also ok.

The big problem is between the NAS and the clients. I read almost everything I've found from Cisco about VTI, VPDN, PPP, AAA and RADIUS, but I cannot make it work... Besides, I'm not sure what kind of Windows client I should use (PPPoE as an ADSL connection, or VPN with the IP of the router to dial in).

I'll appreciate any comment, or perhaps you know a good howto or something that I could read.

THANKS IN ADVANCE!!!

Sincerely,
Agustín
Re: Setup Help: freeradius + cisco catalist + linux & windows clients
Adrian Turcu <[EMAIL PROTECTED]> wrote:
> Could someone point me to some comprehensive howto's about how should I
> configure the freeradius to authenticate the clients based on their mac
> address with the catalyst in the middle?

There's no "howto" for that. Instead, the documentation describes generally how to configure the server, and what to do.

> i get this messages on the screen and the client is never authenticated:
>
> rad_recv: Access-Request packet from host 192.168.10.10:1812, id=77,
> length=122
...
> Calling-Station-Id = "00-10-a4-99-8c-c4"
> EAP-Message = 0x02150159424e494e5445524e4154494f4e414c

The workstation is using EAP, not MAC address authentication.

> in users i have added
>
> someuser        Auth-Type := Local

Which will ensure EAP doesn't work. You also need to supply a password for the user, otherwise the server has no idea how to authenticate them.

> for the above debug i used linux workstation with its mac-address
> 00-10-a4-99-8c-c4

And xsupplicant is configured to do EAP, not MAC address authentication.

Alan DeKok.
Setup Help: freeradius + cisco catalist + linux & windows clients
Hello list,

I'm completely new to this field with the concept of radius authentication. For the last 2 weeks I have read tons of docs about this concept. I am confused.

My task looks like a simple one:

- linux workstations running xsupplicant 1.0 (wired mode)
- windows XP and 2000 with 802.1x support
- cisco catalyst 3550 switch SMI license
- freeradius 1.0.1

that has to authenticate each workstation on the network, when plugged into the switch, based on its mac address.

Could someone point me to some comprehensive howto's about how I should configure freeradius to authenticate the clients based on their mac address with the catalyst in the middle?

I have compiled and installed freeradius with no errors. The configuration files are the default ones, with the following additions:

in clients.conf I have added

192.168.10.10 {
        secret = 1234567
        shortname = ciscocatalyst
        nastype = cisco
}

in users I have added

someuser        Auth-Type := Local
                Service-Type = Framed-User

the cisco catalyst is configured for radius:

aaa new-model
aaa authentication dot1x default enable group radius
radius-server host 192.168.10.217 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key 1234567
!
! freeradius connected to FE 0/1
!
interface FastEthernet0/1
 switchport access vlan 100
 switchport mode access
 no cdp enable
 spanning-tree portfast
!
! client connected to FE0/2
!
interface FastEthernet0/2
 switchport access vlan 100
 switchport mode access
 dot1x port-control auto

With radius running from the command line "radiusd -A -X" I get these messages on the screen and the client is never authenticated:

rad_recv: Access-Request packet from host 192.168.10.10:1812, id=77, length=122
        NAS-IP-Address = 192.168.10.10
        NAS-Port-Type = Async
        User-Name = "someuser"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Calling-Station-Id = "00-10-a4-99-8c-c4"
        EAP-Message = 0x02150159424e494e5445524e4154494f4e414c
        Message-Authenticator = 0x914c5e809544da2aacf9babe83e2542b
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
  modcall[authorize]: module "preprocess" returns ok for request 8
  modcall[authorize]: module "chap" returns noop for request 8
  modcall[authorize]: module "mschap" returns noop for request 8
    rlm_realm: No '@' in User-Name = "someuser", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 8
  rlm_eap: EAP packet type response id 0 length 21
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 8
    users: Matched DEFAULT at 152
    users: Matched DEFAULT at 171
    users: Matched someuser at 219
  modcall[authorize]: module "files" returns ok for request 8
modcall: group authorize returns updated for request 8
  rad_check_password: Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Delaying request 8 for 1 seconds
Finished request 8
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 77 to 192.168.10.10:1812
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 8 ID 77 with timestamp 417fb130
Nothing to do. Sleeping until we see a request.

for the above debug I used a linux workstation with its mac-address 00-10-a4-99-8c-c4

Please help.

Kind Regards,
Adrian
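An added users-file example for FreeRADIUS 1.0.x, not Adrian's file, not Alan's words and not the file FreeRADIUS ships: the entry from the post above next to one that can succeed for the EAP conversation the supplicant is actually sending (Alan's point that the server needs a password for the user), and an entry keyed on the Calling-Station-Id for the MAC-based scheme Adrian wanted, with the condition under which that entry can apply at all. The password value is a placeholder.

```text
# users (FreeRADIUS 1.0.x).  Added example; the password is a placeholder.

# As posted.  "Auth-Type := Local" forces a plain password comparison, but the
# request carries an EAP-Message and no User-Password or CHAP-Password, so the
# server can only log "No User-Password or CHAP-Password attribute in the
# request" and send an Access-Reject.
#someuser   Auth-Type := Local
#           Service-Type = Framed-User

# Let rlm_eap choose the Auth-Type and give rlm_eap a password to verify against.
someuser    User-Password == "CHANGE-ME"
            Service-Type = Framed-User

# MAC-based authorization.  This entry only does what you want when the switch
# port is NOT running 802.1X against this station, so that the Access-Request
# contains no EAP-Message.  With EAP in flight (the log above), an Access-Accept
# produced here would short-circuit the EAP conversation the supplicant and the
# switch are still in the middle of; it does not turn EAP into MAC authentication.
DEFAULT     Calling-Station-Id == "00-10-a4-99-8c-c4", Auth-Type := Accept
            Service-Type = Framed-User

# Anything that matched nothing above is refused explicitly.
DEFAULT     Auth-Type := Reject
```

The debug output tells you which of the two paths a request is on before you touch the file: `rlm_eap: EAP packet type response` in the authorize section means the supplicant is speaking EAP and the station's own credentials decide the outcome; a request with a Calling-Station-Id but no EAP-Message is the only kind the MAC-keyed entry can meaningfully accept.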