RE: ldap inside ttls
Hey Rick, sorry to not reply to you. My company is under attack from hackers and I really don't have time right now to discuss this. As soon as this is over I will call you. Sorry for the delay.

-- Shon
Acts 2:37-41

-----Original Message-----
From: Rick Whitley [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 24, 2003 10:32 AM
To: [EMAIL PROTECTED]
Subject: ldap inside ttls

Is it possible to have ldap authentication within ttls?

rick...
Rom.5:8

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

This message, including any attachments, is intended only for the use of the addressee and contains information that is PRIVILEGED and CONFIDENTIAL. It may be used only by the addressee and may not be divulged without the express consent of the sender. If you have received this communication in error, please erase all copies of the message and its attachments and notify us immediately. Thank you.
RE: Alfa and Ariss client with FreeRADIUS
Ok, I have tried all I can to get TTLS and PAP working. TTLS and MD5 work great. Where do I specify pap as the authenticator with ttls? I continue to get:

/etc/rc.d/rc.radius: line 67: 9985 Segmentation fault $RADIUSD $ARGS radiusd

I know it is a configuration error on my part, but I cannot figure where? I do have Auth-Type PAP { pap } set in authentication and default_eap_type = pap under ttls. What am I missing?

Thanks - Shon

-----Original Message-----
From: Nixon, Anthony S. [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 03, 2003 10:49 AM
To: '[EMAIL PROTECTED]'
Subject: RE: Alfa and Ariss client with FreeRADIUS

So I take it that you used default_eap_type = pap under ttls?

-----Original Message-----
From: Antonia Kujundzic [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 03, 2003 9:40 AM
To: [EMAIL PROTECTED]
Subject: RE: Alfa and Ariss client with FreeRADIUS

Hello!

> I have noticed a post to this list which suggested the Alfa Ariss client for use as a TTLS client for Win2k. Has anyone actually got this to work?

Yes, I had. Do not forget to include 802.1x patch for Win2k.

> The Alfa Ariss client only supports TTLS w/ PAP only. The FUNK Odyssey 2.22 client works very well. Are there other clients available at a respectable price or will this Alfa Ariss client work with FreeRADIUS?

I use AlfaAriss client with Freeradius, and it's working OK.

Antonia
RE: Alfa and Ariss client with FreeRADIUS
You cannot - Funk supports it quite well in the 2.22 client.

-----Original Message-----
From: Roman Janos [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 09, 2003 10:11 AM
To: [EMAIL PROTECTED]
Subject: RE: Alfa and Ariss client with FreeRADIUS

Hi,

I have downloaded the Alfa and Ariss client yesterday and there was only TTLS(PAP) support. How do you get working TTLS (EAP-MD5) with this client?

regards
Roman

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nixon, Anthony S.
Sent: October 9, 2003 16:03
To: '[EMAIL PROTECTED]'
Subject: RE: Alfa and Ariss client with FreeRADIUS

Ok, I have tried all I can to get TTLS and PAP working. TTLS and MD5 work great. Where do I specify pap as the authenticator with ttls? I continue to get:

/etc/rc.d/rc.radius: line 67: 9985 Segmentation fault $RADIUSD $ARGS radiusd

I know it is a configuration error on my part, but I cannot figure where? I do have Auth-Type PAP { pap } set in authentication and default_eap_type = pap under ttls. What am I missing?

Thanks - Shon

-----Original Message-----
From: Nixon, Anthony S. [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 03, 2003 10:49 AM
To: '[EMAIL PROTECTED]'
Subject: RE: Alfa and Ariss client with FreeRADIUS

So I take it that you used default_eap_type = pap under ttls?

-----Original Message-----
From: Antonia Kujundzic [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 03, 2003 9:40 AM
To: [EMAIL PROTECTED]
Subject: RE: Alfa and Ariss client with FreeRADIUS

Hello!

> I have noticed a post to this list which suggested the Alfa Ariss client for use as a TTLS client for Win2k. Has anyone actually got this to work?

Yes, I had. Do not forget to include 802.1x patch for Win2k.

> The Alfa Ariss client only supports TTLS w/ PAP only. The FUNK Odyssey 2.22 client works very well. Are there other clients available at a respectable price or will this Alfa Ariss client work with FreeRADIUS?

I use AlfaAriss client with Freeradius, and it's working OK.

Antonia
RE: Alfa and Ariss client with FreeRADIUS
I understand this, but exactly where do I specify PAP with TTLS?

-----Original Message-----
From: Roman Janos [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 09, 2003 10:12 AM
To: [EMAIL PROTECTED]
Subject: RE: Alfa and Ariss client with FreeRADIUS

> set in authentication and default_eap_type = pap under ttls. What am I missing?

actually PAP is not an EAP type. Change it to MD5

Roman
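
The misconfiguration discussed in this thread (default_eap_type = pap under ttls, answered with "PAP is not an EAP type") can be caught before radiusd is started. The following is an added example, not part of any post and not FreeRADIUS code: a small checker that walks an eap.conf-style file and reports every default_eap_type that does not name an EAP method. The EAP_METHODS set, the function names and the sample configuration are assumptions constructed for illustration.

```python
import re

# Assumed set of EAP method names accepted as default_eap_type; adjust it to
# the EAP modules actually built into your server.
EAP_METHODS = {"md5", "leap", "gtc", "tls", "ttls", "peap", "mschapv2", "sim"}

ASSIGNMENT = re.compile(r"^([\w.-]+)\s*=\s*(.+)$")

# Constructed sample: an eap section reduced to the settings named in the thread.
SAMPLE = """\
eap {
    default_eap_type = md5
    md5 {
    }
    ttls {
        # the setting reported in the thread
        default_eap_type = pap
        copy_request_to_tunnel = no
        use_tunneled_reply = no
    }
}
"""


def strip_comment(line):
    """Drop a trailing '#' comment, ignoring '#' inside double quotes."""
    out, in_quote = [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
        if ch == "#" and not in_quote:
            break
        out.append(ch)
    return "".join(out).strip()


def find_bad_default_eap_types(text):
    """Return [(line_no, section_path, value)] for each default_eap_type
    whose value is not a known EAP method."""
    stack, findings = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw)
        if not line:
            continue
        if line.endswith("{"):          # "name {" or "name instance {"
            stack.append(line[:-1].strip())
            continue
        if line == "}":
            if not stack:
                raise ValueError(f"line {line_no}: unbalanced '}}'")
            stack.pop()
            continue
        match = ASSIGNMENT.match(line)
        if match and match.group(1) == "default_eap_type":
            value = match.group(2).strip().strip('"').lower()
            if value not in EAP_METHODS:
                findings.append((line_no, "/".join(stack), value))
    if stack:
        raise ValueError("unclosed section: " + "/".join(stack))
    return findings


if __name__ == "__main__":
    for line_no, section, value in find_bad_default_eap_types(SAMPLE):
        print(f"line {line_no}: [{section}] default_eap_type = {value} "
              "is not an EAP method")
```

Run against the sample, the checker reports the ttls setting and leaves the outer md5 default alone; an unbalanced brace raises ValueError instead of producing a misleading clean result.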
Alfa and Ariss client with FreeRADIUS
I have noticed a post to this list which suggested the Alfa Ariss client for use as a TTLS client for Win2k. Has anyone actually got this to work?

The Alfa Ariss client only supports TTLS w/ PAP only. The FUNK Odyssey 2.22 client works very well. Are there other clients available at a respectable price or will this Alfa Ariss client work with FreeRADIUS?

-- Shon
RE: Alfa and Ariss client with FreeRADIUS
So I take it that you used default_eap_type = pap under ttls?

-----Original Message-----
From: Antonia Kujundzic [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 03, 2003 9:40 AM
To: [EMAIL PROTECTED]
Subject: RE: Alfa and Ariss client with FreeRADIUS

Hello!

> I have noticed a post to this list which suggested the Alfa Ariss client for use as a TTLS client for Win2k. Has anyone actually got this to work?

Yes, I had. Do not forget to include 802.1x patch for Win2k.

> The Alfa Ariss client only supports TTLS w/ PAP only. The FUNK Odyssey 2.22 client works very well. Are there other clients available at a respectable price or will this Alfa Ariss client work with FreeRADIUS?

I use AlfaAriss client with Freeradius, and it's working OK.

Antonia
RE: TLS and TTLS
Gentlemen - thanks for the slap on the forehead and the healthy discussion. I have made the move to a Proxim ORiNOCO AP-2000 w/ 11bg card. Although a little pricier than the other APs, it works - and well I might add. I am able to use WEP (and WPA-TKIP) with either dynamic or static keys and best of all - TTLS works like a charm. Thanks again. I recommend them highly, especially with the security features built in to the newest firmware release.

-- Shon

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 30, 2003 10:51 AM
To: [EMAIL PROTECTED]
Subject: Re: TLS and TTLS

Michael Brown [EMAIL PROTECTED] wrote:
> I agree with you in principle, that is how things should be; but we all know that how things SHOULD WORK is not often how they really do.

The RFC's explain how to make the AP work with *all* EAP types. If your AP doesn't do that, I suggest talking to them, and telling them it's broken.

e.g. the Intel AP discussed recently on this list, which expected certain attributes to be in a particular order, for no reason whatsoever.

Yet, when customers complain about such stupidities, the vendor almost always responds with a polite version of f*ck off.

To me, this is yet another reason for using open source software: You can FIX IT when something goes wrong.

Alan DeKok.
RE: TLS and TTLS
Umm, forgive me, but I thought they wrote the spec?

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 25, 2003 6:33 AM
To: [EMAIL PROTECTED]
Subject: Re: TLS and TTLS

Nixon, Anthony S. [EMAIL PROTECTED] wrote:
> When I switch it over to authenticate with TTLS, I get a Failure - Authentication rejected by server on the Funk 2.22 client.

Funk may not implement TTLS correctly...

Alan DeKok.
RE: TLS and TTLS
Thanks very much for the education on AP's, but this still does not answer the question of why an AP will pass EAP-MD5 and EAP-TLS, but might not pass EAP-TTLS?
TLS and TTLS
I have implemented TLS and TTLS on the latest snapshot of FreeRADIUS. When authenticating with TLS on a D-Link DWL-2000AP, I have no problems. Works great! When I switch it over to authenticate with TTLS, I get a Failure - Authentication rejected by server on the Funk 2.22 client. I did get TTLS authentication working with a Linksys WAP54G.

I have run the server in debug mode and captured the logging info of both TLS and TTLS sessions to separate text files. The main question here is exactly what do I look for that would possibly point to a failure? I see the tunnel is created and then the negotiation starts fine after that using TTLS. Could I get some possible reasons for failure of TTLS versus TLS success?

Thanks - Shon Nixon
TTLS Configuration
Hello,

I have successfully implemented TTLS using Funk's client and the latest snapshot of FreeRadius (excellent work). I first had to get TLS working, which has great documentation on the web, and finally TTLS w/ md5. I have two questions -

1) Does the client require just the root CA from the radius server when using TTLS, or are client certs still necessary?

2) I am having a problem getting the client to pick up a DHCP address now. I had no problem when using just EAP-MD5, but now am having trouble. Is there an issue with TTLS and DHCP, or is this a RADIUS issue?

Thanks - Shon Nixon
Midrex Technologies Inc.
RE: freeradius(RH 9.0)+wrt54g+WinXP(sp1) [?]
That is exactly what I am doing (Linksys WRT54G WAP54G) and have made it work with both using EAP-MD5, EAP-TLS, and EAP-TTLS (with Funk's new client). I am now trying to implement EAP-TTLS and do have TTLS working and the client authenticated with WEP-RADIUS, but cannot get it to pick a DHCP address. Will advise when I figure it out - with the help of this list I hope :)

- Shon

-----Original Message-----
From: pablo [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 23, 2003 1:16 PM
To: [EMAIL PROTECTED]
Subject: freeradius(RH 9.0)+wrt54g+WinXP(sp1) [?]

Hello,

I'd like to ask shortly if anybody here set up properly Linksys WRT54G wireless router with Freeradius? I am trying to do this but without any success. I don't want to send you all my logs so please let me know if somebody has this hardware.

Thank you in advance.
Pawel
RE: TTLS Configuration
Thanks for the reply Alan. I have since changed back to WEP and have no problems obtaining an address. I have changed it back to RADIUS+WEP on the Linksys. Funk client shows open and authenticated using TTLS w/ MD5. I try to perform an ipconfig /renew but end up getting a network unreachable error. Anything I can do to try and solve this mystery?

Thanks - Shon

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 23, 2003 12:14 PM
To: [EMAIL PROTECTED]
Subject: Re: TTLS Configuration

Nixon, Anthony S. [EMAIL PROTECTED] wrote:
> I have successfully implemented TTLS using Funk's client and the latest snapshot of FreeRadius (excellent work). I first had to get TLS working, which has great documentation on the web, and finally TTLS w/ md5. I have two questions -
> 1) Does the client require just the root CA from the radius server when using TTLS, or are client certs still necessary?

The client certificates are NOT necessary in TTLS.

> 2) I am having a problem getting the client to pick up a DHCP address now. I had no problem when using just EAP-MD5, but now am having trouble. Is there an issue with TTLS and DHCP, or is this a RADIUS issue?

I'm not sure. If the client is doing DHCP after TTLS authentication, then it should work.

Alan DeKok.
RE: TTLS Configuration
Thanks again Alan. I have added a static ip to the adapter and still no joy. This is looking like the AP is not passing the traffic. I do have good authentication from the radius server using TTLS w/ MD5. So I agree with you - not FreeRADIUS, but a bad AP. This was Linksys's first pass at a firmware upgrade to 11g standards, so I guess it will take a while to get it fixed :( Anyone tried this with another brand of AP and have it working with DHCP? I have a D-Link 11g AP on the way to test, so hopefully they will work better.

Thanks - Shon

BTW, I used just openssl-0.9.7b exclusively for everything - cert generation, compiling - everything. Is that an issue? If the server/client are authenticating, would that not point to it working (Win2K w/ Funk Odyssey 2.22)? Also would copy_request_to_tunnel and use_tunneled_reply = no have an effect?

Thanks - Shon

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 23, 2003 3:05 PM
To: [EMAIL PROTECTED]
Subject: Re: TTLS Configuration

Nixon, Anthony S. [EMAIL PROTECTED] wrote:
> Thanks for the reply Alan. I have since changed back to WEP and have no problems obtaining an address. I have changed it back to RADIUS+WEP on the Linksys. Funk client shows open and authenticated using TTLS w/ MD5. I try to perform an ipconfig /renew but end up getting a network unreachable error. Anything I can do to try and solve this mystery?

I would suggest configuring with a static IP address. I've heard of other AP's having similar problems with other RADIUS servers, so it's not just FreeRADIUS.

Alan DeKok.
RE: TTLS Configuration
Linksys WAP54G with 1.08.04 firmware. I am working with the folks at Funk to try and solve this - FreeRADIUS rocks to high heaven. I now have a TTLS server up and running and plan to actually make it - no don't say it! - production - YES - as soon as I get this issue fixed. Have a couple of Dell server blades waiting for the install. Great work guys.

Thanks - Shon

-----Original Message-----
From: Fastbyte [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 23, 2003 4:37 PM
To: [EMAIL PROTECTED]
Subject: Re: TTLS Configuration

Hi Shon,

we are having same problems. Which AP are you using?

Nixon, Anthony S. wrote:
> Thanks for the reply Alan. I have since changed back to WEP and have no problems obtaining an address. I have changed it back to RADIUS+WEP on the Linksys. Funk client shows open and authenticated using TTLS w/ MD5. I try to perform an ipconfig /renew but end up getting a network unreachable error. Anything I can do to try and solve this mystery?
>
> Thanks - Shon
>
> -----Original Message-----
> From: Alan DeKok [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 23, 2003 12:14 PM
> To: [EMAIL PROTECTED]
> Subject: Re: TTLS Configuration
>
> Nixon, Anthony S. [EMAIL PROTECTED] wrote:
> > I have successfully implemented TTLS using Funk's client and the latest snapshot of FreeRadius (excellent work). I first had to get TLS working, which has great documentation on the web, and finally TTLS w/ md5. I have two questions -
> > 1) Does the client require just the root CA from the radius server when using TTLS, or are client certs still necessary?
>
> The client certificates are NOT necessary in TTLS.
>
> > 2) I am having a problem getting the client to pick up a DHCP address now. I had no problem when using just EAP-MD5, but now am having trouble. Is there an issue with TTLS and DHCP, or is this a RADIUS issue?
>
> I'm not sure. If the client is doing DHCP after TTLS authentication, then it should work.
>
> Alan DeKok.

--
Regards, MfG, Dist.Saluti,
Sergio - Srdjan Vemic, CEO Chief Executive Office, FutureBrain
[EMAIL PROTECTED]
FutureBrain GmbH/Srl, Via Palade 97/u, I-39012 Merano (BZ), Italy
Phone: +390473201457, Fax: +390473201437, Cell.: +393356057014
[EMAIL PROTECTED], www.futurebrain.it