Re: Cisco Wireless

2002-07-12 Thread Raghu

 > I'm a little confused about what I need to have in order to use EAP
 > authentication with the following setup:
 >
 > Cisco 350 series 802.11 access point
 > Cisco 350 wireless network card
 > Linux server running freeradius connected to the access point via
 > ethernet.

Which Supplicant are you using?

 > I setup freeradius and configured the access point to talk to it, and
 > when the client card goes to authenticate it appears to work halfway. I
 > see the auth request come in and the reply go out, but the client
 > always fails to authenticate (after a fairly long timeout).

Which EAP-Type authentication did you configure in the server?

 > I'm wondering if I'm missing some part of the puzzle. Should
 > freeradius work in this configuration? What I really want is for the
 > radius server to give out per session wep keys to the clients (as well
 > as a broadcast key), but I don't see any information about how to set
 > this up. If there is some code that needs to be written still, I'm
 > willing to do that since it has a lot of potential for use by my company
 > and our clients.

If you are using EAP-TLS in freeradius then there is a patch provided by 
<[EMAIL PROTECTED]> & <[EMAIL PROTECTED]> for key generation,
with the subject EAP-TLS key generation on June 20th in user list archive.
If possible, test that patch and let us know your experience.


-Raghu



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: EAP documentation

2002-07-12 Thread Raghu

Henrik Eriksson wrote:

>I think I confused you a bit regarding the broadcast key.
>The broadcast key needs to be sent to the supplicant both
>if it is individual to that STA or if it is common to all
>STAs in the BSS (which I think it always is). A better
>description of step two could be:
>
>2. AP generates Unicast(Session) key. The unicast key
>   and the broadcast/default key of the BSS are
>   encrypted using the Session Secret and sent to the
>   supplicant in separate EAPOL-Key messages.
>   
>
Comments taken.

>
>I don't mind at all. Does that mean that you are also including the
>patch? The description above is kind of meaningless without the code.
> 
>
I am willing to apply the patch.
As I donot have any resources to test your patch,
I would appreciate if some one on this list can test your patch
and let us know their experience, before I apply it.


-Raghu






Re: EAP documentation

2002-07-11 Thread Raghu


>>>>1. Authentication server generates Session Secret, but not 
>>>>Session Key,
>>>>  and sends it to both supplicant and AP.
>>>>
>
>I missed this in my previous mail. The supplicant already has the
>session secret (since it's generated by the AS and supplicant
>together) so it is only sent to the AP. Having the AS send the
>keying material to both the AP and STA would defeat the whole
>purpose of the key distribution mechanism (which is to distribute
>session keys without a previously shared secret).
>
>>>>2. AP generates both Session(Unicast) Key and Broadcast Key 
>>>>and encrypts
>>>>  them using Session Secret and sends to the supplicant.
>>>>
>
>The broadcast key is most probably previously generated, but
>otherwise this the behavior we've seen.
>
>>>>3. Supplicant decrypts Session(Unicast) Key and Broadcast key 
>>>>using the
>>>>  Session Secret that it got from Authentication Server.
>>>>
>
>using the session secret that was derived as part of the TLS
>authentication
>

Currently Dynamic WEP key generation is done using EAP/TLS.
The sequence for Dynamic WEP key generation is

1. AS and Supplicant independently generate
   Session Secret based on the Master Secret.
   AS sends this Session Secret to AP in MS-MPPE-..
   attributes.

2. AP generates Unicast(Session) key and encrypts it
   using Session Secret and sends it to the supplicant.
   (Broadcast/default key is the same for all
   stations within a broadcast domain. If this is
   not the case then AP generates even Broadcast key
   and encrypts using Session Secret and sends it to
   the supplicant)

3. Supplicant decrypts the Unicast and/or Broadcast key
   using the generated Session Secret (from step 1)

Please confirm if we are on the same page or not.

>Sorry, AFAIK there are no document that officially spells out
>all the details; the IEEE 802.1x standard, RFC 2716 and the I-D
>mentioned above together is probably the best documentation
>available on this. 
>
I have all these documents. Thank you.

>The EAPOL-Key messages originate from the AP not the authentication
>server. I'll try to make it a bit more clear (note that the below is
>based mostly on observed behavior of existing implementations).
>
>                      1. trust by
>             v--- shared radius key ---v
>   STA       AP                        AS (radius)
>    ^                                   ^
>    |STA ---- 2. EAP/TLS authentication ---- AS|
>          derives shared secret for
>          distribution of WEP keys
>          based on TLS master secret
>
>             ^                          ^
>             |AP ---- 3. WEP key ---- AS|
>                  distribution secret
>                  sent to AP using
>                  MS-MPPE-... VSAs
>
>    ^        ^
>    |STA ---- 4. WEP keys sent in ---- AP|
>              EAPOL Key frames
>              encrypted using
>              the key distribution
>              secret
>
>
>The three key (no pun intended) observations I make from the above
>are:
>
>1. the trust beetwen the STA and AP is derived from the trust
>   between STA/AS and AP/AS - this is not a good thing
>
>2. the mechanism used to send the key distribution secret from AS
>   to AP is of no interest to the STA, currently this is done using
>   MS-MPPE-{Send|Recv}-Key but that could (should?) be changed
>
>3. the AS is not involved in the generation of the EAPOL-Key
>   messages (and hence the WEP keys), this is all done by the AP
>

That is a pretty good description.
Do you mind, if I place this in EAP documentation?

>>Unfortunately "IEEE 802.1X RADIUS Usage Guidelines" also talks
>>about the use of these MS-MPPE-... VSAs.
>>
>
>The use of the MS-MPPE- VSAs are probably an artifact of Microsoft
>being the first to use EAP-TLS as an 802.11/1x authentication
>mechanism.
>

Hopefully this usage of VSA does not stand long.

>That's Task Group I of 802.11. They are discussing a number of rather
>large changes to 802.11/WEP including migrating WEP from RC4 to AES,
>a better MIC, improved per-packet WEP-key generation. Check out their
>document submission queue at http://grouper.ieee.org/groups/802/11/>
>for more information (if you've not already done that).
>
>EAPOL-Key messages may or may not become deprecated (I haven't seen
>any indications of the latter, but I don't have access to TgI internal
>documents/discussions) however that is a non-issue for the Authentication
>Server since the EAPOL-Key messages are exchanged from AP to STA.
>

My question is, if EAPOL-Key messages are to be deprecated then the
purpose/advantage of your patch is lost, as the Secret sharing between
AS & AP is no longer required.
What is your opinion?


-Raghu
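Step 1 of the sequence above (AS hands the Session Secret to the AP in MS-MPPE attributes) is the only hop that rides on RADIUS, so it is worth seeing what actually protects the key on that hop. The following is an added example, not code from freeradius or from the patch under discussion: it implements the MS-MPPE-Send-Key/MS-MPPE-Recv-Key encoding of RFC 2548 (a two-octet salt, then the length-prefixed key XORed against MD5 blocks chained from the RADIUS shared secret and the Request-Authenticator), wraps each key in a Vendor-Specific attribute, and decodes it again on the AP side. The split of the EAP-TLS keying block (first 32 octets as the Recv key, next 32 as the Send key) is this example's reading of RFC 2716 section 3.5; the shared secret, Request-Authenticator and keying block are constructed values. What it makes visible, in line with Henrik's observation 1, is that the only thing keeping the session secret private between AS and AP is the RADIUS shared secret, stretched with MD5.

```python
"""MS-MPPE-Send-Key / MS-MPPE-Recv-Key encoding (RFC 2548) as used to carry
the EAP-TLS session secret from the authentication server to the AP.
Added example, not freeradius or patch code; all key material is constructed."""
import hashlib
import secrets

VENDOR_SPECIFIC = 26        # RADIUS attribute type
MS_VENDOR_ID = 311          # Microsoft
MS_MPPE_SEND_KEY = 16       # vendor types from RFC 2548
MS_MPPE_RECV_KEY = 17


def mppe_encrypt_key(key, radius_secret, request_authenticator, salt=None):
    """Return Salt || String per RFC 2548 section 2.4.2: the key (with a
    length prefix and zero padding) XORed against MD5 blocks chained from
    the RADIUS shared secret, the Request-Authenticator and the salt."""
    if len(request_authenticator) != 16:
        raise ValueError("Request-Authenticator must be 16 octets")
    if salt is None:
        # Two octets, high bit of the first set, unique per attribute in a packet.
        salt = bytes([0x80 | secrets.randbits(7), secrets.randbits(8)])
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the high bit set")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = bytearray(), request_authenticator + salt  # b(1) = MD5(S||R||A)
    for i in range(0, len(plain), 16):
        block = hashlib.md5(radius_secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(plain[i:i + 16], block))  # c(i)
        out += prev                                          # b(i+1) = MD5(S||c(i))
    return salt + bytes(out)


def mppe_decrypt_key(data, radius_secret, request_authenticator):
    """Inverse of mppe_encrypt_key; raises on a malformed attribute."""
    salt, cipher = data[:2], data[2:]
    if len(salt) != 2 or not salt[0] & 0x80 or not cipher or len(cipher) % 16:
        raise ValueError("malformed MS-MPPE key attribute")
    plain, prev = bytearray(), request_authenticator + salt
    for i in range(0, len(cipher), 16):
        block = hashlib.md5(radius_secret + prev).digest()
        prev = cipher[i:i + 16]
        plain += bytes(c ^ b for c, b in zip(prev, block))
    key_len = plain[0]
    if key_len > len(plain) - 1:
        raise ValueError("bad key length (wrong shared secret?)")
    return bytes(plain[1:1 + key_len])


def build_mppe_vsa(vendor_type, encrypted):
    """Wrap the salted string in a Vendor-Specific (26) attribute, vendor 311."""
    vendor_data = bytes([vendor_type, 2 + len(encrypted)]) + encrypted
    body = MS_VENDOR_ID.to_bytes(4, "big") + vendor_data
    if 2 + len(body) > 255:
        raise ValueError("attribute too long for RADIUS")
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body


def parse_mppe_vsa(attr, radius_secret, request_authenticator):
    """AP side: validate the VSA framing and recover (vendor_type, key)."""
    if (len(attr) < 8 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr)
            or int.from_bytes(attr[2:6], "big") != MS_VENDOR_ID):
        raise ValueError("not a Microsoft Vendor-Specific attribute")
    vendor_type, vendor_len = attr[6], attr[7]
    if vendor_len != len(attr) - 6:
        raise ValueError("bad vendor length")
    return vendor_type, mppe_decrypt_key(attr[8:], radius_secret, request_authenticator)


def split_eap_tls_keys(keying_block):
    """Assumed split of the EAP-TLS PRF output (RFC 2716 section 3.5):
    first 32 octets -> MS-MPPE-Recv-Key, next 32 -> MS-MPPE-Send-Key."""
    if len(keying_block) < 64:
        raise ValueError("need at least 64 octets of keying material")
    return {"recv": keying_block[:32], "send": keying_block[32:64]}


def access_accept_key_attrs(keying_block, radius_secret, request_authenticator):
    """The two VSAs an AS would add to the Access-Accept for the AP."""
    keys = split_eap_tls_keys(keying_block)
    return [
        build_mppe_vsa(MS_MPPE_RECV_KEY,
                       mppe_encrypt_key(keys["recv"], radius_secret, request_authenticator)),
        build_mppe_vsa(MS_MPPE_SEND_KEY,
                       mppe_encrypt_key(keys["send"], radius_secret, request_authenticator)),
    ]


if __name__ == "__main__":
    # Constructed demo values: RADIUS shared secret, Request-Authenticator, PRF output.
    secret, authenticator, block = b"constructed-radius-secret", bytes(range(16)), bytes(range(128))
    for attr in access_accept_key_attrs(block, secret, authenticator):
        vtype, key = parse_mppe_vsa(attr, secret, authenticator)
        print("vendor type", vtype, "key", key.hex())
```

Run it and the AP side recovers both 32-octet keys; change `secret` on the parse side and decryption either fails the length check or yields garbage, which is the whole extent of the protection on that hop.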













Re: EAP documentation

2002-07-10 Thread Raghu


Henrik Eriksson wrote:

>>From: Raghu [mailto:[EMAIL PROTECTED]]
>>Sent: Tuesday, July 09, 2002 7:35 PM
>>
>>
>>If you have already tested it I would like to take your point.
>>If I got your point right then,
>>
>>1. Authentication server generates Session Secret, but not 
>>Session Key,
>>   and sends it to both supplicant and AP.
>>2. AP generates both Session(Unicast) Key and Broadcast Key 
>>and encrypts
>>   them using Session Secret and sends to the supplicant.
>>3. Supplicant decrypts Session(Unicast) Key and Broadcast key 
>>using the
>>   Session Secret that it got from Authentication Server.
>>
>>Please correct me if I am wrong.
>>I would appreciate if you can send some links/documents 
>>confirming this.
>>
>
>Section 4 of the "IEEE 802.1X RADIUS Usage Guidelines" I-D 
>http://www.ietf.org/internet-drafts/draft-congdon-radius-8021x-20.txt>
>combined with section 3.5 of rfc 2716 should cover most of it.
>
Thank you for the link.
The draft has no reference about the above 3 step sequence.
If possible, can you send more links/documents in this regard?

> 
>
>>I was on vacation last month and I might have missed many mails.
>>I just got your patch from the archives.
>>
>>Your patch looks good to me except for use of VSA (MS-MPPE-...).
>>I am still not sure, if the supplicant is linux based and 
>>cisco AP is used,
>>What Radius attributes should be used for these key sharing?
>>
>
>Which Radius attributes are used to send the keying data to
>the AP doesn't matter to the supplicant since it only sees
>the EAPOL-Key messages over 802.11. We didn't test with the
>Xsupplicant (we may do that when we get time, but don't hold
>your breath) but the code seems to work like the described
>behavior.
>
>Cisco APs use the same Radius attributes (it'd be pretty weird
>if they didn't). We did not test that with freeradius EAP-TLS,
>but we did trace the communication between a Cisco AP and Win2k
>radius during an EAP-TLS authentication.
>

I am not sure I made my point clear.
Cisco AP & linux supplicant are just an example to refer to non MS.
To pass 802.11 EAPOL key messages from RADIUS Server
to AP to supplicant (no matter which RADIUS Server, AP and
Supplicant are used) they need to support the Microsoft dictionary,
as they use MS-MPPE-.. VSAs. This is weird.

Unfortunately "IEEE 802.1X RADIUS Usage Guidelines" also talks
about the use of these MS-MPPE-... VSAs.

I expect something like IEEE802 dictionary and if the APs claim to
support 802.11 EAPOL key messages, then it is understood that
one of the VSAs from this IEEE802 dictionary are used.

I hope you got my point.

What is your opinion on the following snip from
"IEEE 802.1X RADIUS Usage Guidelines"



5.7. Key management issues

The EAPOL-Key descriptor described in Section 4 is likely to be
deprecated in the future, when the 802.11 enhanced security group
completes its work. Known security issues include:



-Raghu














RE: EAP documentation

2002-07-09 Thread Raghu

> A point on the WEP key generation section: 
> quote
>   10. RADIUS server and the supplicant agree to a specific WEP key.
>   11. The supplicant loads the key ready for logging on.
>   12. The RADIUS server sends the key for this session (Session key) to the AP.
>   13. The AP encrypts its Broadcast key with the Session key
>   14. The AP sends the encrypted key to the supplicant
>   15. The supplicant decrypts the Broadcast key with the Session key and 
>   the session continues using the Broadcast and Session keys until 
>   the session ends.
>   (Please note that WEP is not yet supported in freeradius)
> un-quote

> AFAIK the authentication server and supplicant agree on a shared session
> secret, but that is not the actual WEP unicast key to be used between the
> AP and STA. I believe that the key distribution actually do this:
> 1. the authentication server send the shared session secret to the
>AP using MPPE-{Send|Recv}-Key attributes
> 2. the AP generates a WEP unicast key for the STA and a broadcast key
> 3. these keys are encrypted with the shared session secret and sent to the
>STA in separate EAPOL-Key messages
> This seems correct according to the behavior of the WinXP supplicant and
> Lucent WavePOINT-II AP.


If you have already tested it I would like to take your point.
If I got your point right then,

1. Authentication server generates Session Secret, but not Session Key,
   and sends it to both supplicant and AP.
2. AP generates both Session(Unicast) Key and Broadcast Key and encrypts
   them using Session Secret and sends to the supplicant.
3. Supplicant decrypts Session(Unicast) Key and Broadcast key using the
   Session Secret that it got from Authentication Server.

Please correct me if I am wrong.
I would appreciate if you can send some links/documents confirming this.


> We actually sent a patch that implemented the generation of the keying
> data in the rlm_eap_tls module a while back (June 20th), but there where
> no response.

I was on vacation last month and I might have missed many mails.
I just got your patch from the archives.

Your patch looks good to me except for use of VSA (MS-MPPE-...).
I am still not sure, if the supplicant is linux based and cisco AP is used,
What Radius attributes should be used for these key sharing?


Please CC me, as I am not subscribed to the list currently.

-Raghu






Re: EAP documentation

2002-07-08 Thread Raghu

> Has the level of support for EAP changed in 0.6 from what there was in 0.5?
> It still doesn't support cisco LEAP, correct?

Only MD5 and TLS are supported. LEAP is not supported.
I am not sure, if anyone is currently working on it.


-Raghu









EAP documentation

2002-07-08 Thread Raghu
-Identity is received. Supplicant will
   respond with EAP-Acknowledge(EAP-MD5). Server now responds with
   MD5-Challenge.


INSTALLATION
  EAP and EAP-MD5 do not require any additional packages.
  Freeradius contains all the required packages.
  For EAP-TLS, OPENSSL, <http://www.openssl.org/>, is required to be installed.
  Any version from 0.9.6b should work fairly well with this module.


CAVEATS
It probably still has bugs.  Most notably, there is a small memory
leak somewhere in the eap_tls code.  I suspect it's because of my 
misuse of OPENSSL libraries, but I have no proof yet.


ACKNOWLEDGEMENTS
   Primary author - Raghu <[EMAIL PROTECTED]>




Re: EAP + proxying

2002-05-24 Thread Raghu

Alan DeKok wrote:

>   If there is NO User-Name attribute in the packet, then the server is
> unable to root through the EAP-Message stuff to find what EAP thinks
> is the user name.  In that case, without a User-Name attribute,
> proxying cannot be done on realms in User-Names.
> 
I am not sure if I made my point clear in my earlier mail or not.

Freeradius can still proxy the request with the following configuration

authorize {
eap
...  other modules.
}
What this does is User-Name attribute is created 
from EAP-Identity response, if it is not present.

The other modules should take care of proxying.

In fact, Freeradius can also handle EAP-Start
Requests with the above configuration.

-Raghu




Re: EAP + proxying

2002-05-24 Thread Raghu

> Laurent Butti wrote:
> 
> Hello,
> 
> Does FreeRadius support (or will support) proxying for EAP
> authentication methods (MD5/TLS), with a kind of user@realm in EAP
> Response Identity which should be used in order to delegate
> authentication to a 3rd party AAA ?
> 
EAP Proxying is supported if the 
1. User-Name attribute is present in the Access-Request.
2. User-Name attribute is not present then 
if eap is present as in the authorize block
   as one of the first modules.
   ie 
   authorize {
eap
... all other modules.
   }
   What this does is User-Name attribute is created 
   from EAP-Identity response, if it is not present.
   The other modules should take care of proxying.

-Raghu




Re: General question

2002-05-22 Thread Raghu

Artur Hecker wrote:
> 
> hi
> 
> > >Please change it as below
> > >
> > >artur   Auth-Type := System, User-Password == "hello"
> > >  Reply-Message = "Hello, %u"
> > >
> > >Please note the := before System.
> >
> > I asked to change the operator('='), as it was causing the problem,
> > ie User-Password was never being picked up into the config_items.
> 
> You mean that the "System" itself just doesn't matter at all in this
> context, don't you? So I can put in what I want? Is it ignored?
>
Yes. As long as your authorize block contains eap.

ie 
authorize {
files,
eap
}

EAP module overwrites any other Auth-Type with EAP,
if present in authorize block.

 
> I'm currently trying to analyze what's happening with Ethereal, as you
> advised me. On which link would it be better to use Ethereal? On the
> wireless (between user and client) or on the wired? (between client and
> server?)
> 
> I'm currently trying between server and client and I see the following
> in the Ethereal:
> 
Server & Client.
Which version of Ethereal are you using?
Try the latest one; it can tell you the
EAP type and content in the Radius packets.


> ap -> server: Access Request(1) (id=11)
> server -> ap: Accounting challenge(11) (id=11)
> ap -> server: Access Request(1) (id=12)
> server -> ap: Access Reject(3) (id=12)
> 
> then a sequence of ignored requests follows:
> ap -> server: Access Request(1) (id=13)
> 
> As you know, the second Request is interpreted as a Notification message
> causing the reject...
> 
> Which data would be interesting?
> 
RADIUS/EAP data
1. with your old configuration
2. with Auth-Type := EAP

-Raghu




Re: General question

2002-05-22 Thread Raghu

Artur Hecker wrote:
> 
> hi
> 
> > > deciding where to take the password from in the authorize {} section in
> > > radiusd.conf file and to authenticate with the ... appropriate module in
> > > authenticate {} ?
> >
> >   The 'unix' module.  It's called 'system' for historical reasons.
> 
> Why would i do Auth-Type := System for EAP/MD5 then??? That's what Raghu
> said I should do.
> What does Local mean then? "files"?
> 

No.
What I meant is, 
Your user file configuration was

>> users:
>> 
>> 
>> artur   Auth-Type = System, User-Password == "hello"
>> Reply-Message = "Hello, %u"
>> 
>>
>Please change it as below
>
>artur   Auth-Type := System, User-Password == "hello"
>  Reply-Message = "Hello, %u"
>
>Please note the := before System.

I asked to change the operator('='), as it was causing the problem,
ie User-Password was never being picked up into the config_items.


-Raghu




Re: Cisco AP 350 to EAP/LDAP...

2002-05-21 Thread Raghu

> > > > testuser  Auth-Type := Local, User-Password == "mypassword"
> > >
> > > Try Auth-Type := System
> > >
> >
> > Well, Auth-Type := System would authenticate against local passwords
> > (right ?).  I used the above as a test to see if it would make a
> > difference, but clearly it didn't.
> 
> well, that's what i thought. but since my EAP didn't work, they all
> (Alan, Raghu) have proposed to use Auth-Type := System instead. so, it
> seems to be the vice versa?
> 

To avoid further confusion on this, I would suggest to use the
following,

testuser  User-Password == "mypassword"

In authorize block {
ldap,  -- if users are configured in ldap
files,  -- if users are configured in users file.
eap
}

authenticate {
eap
}


This way Server dynamically sets the authentication type.

-Raghu




Re: Can't get EAP/TLS module to load

2002-05-20 Thread Raghu

Michael Murphy wrote:
> 
> Hello.
> 
> I am trying to get EAP/TLS running with FreeRadius using Ken Roser's great Howto.
> My problem is that, when I start radiusd -X, the following is at the end of the
> output:
> 
> Module: Loaded eap
>  eap: default_eap_type = "tls"
>  eap: timer_expire = 60
> rlm_eap: Failed to link EAP-Type/tls: file not found
> radiusd.conf[500]: eap: Module instantiation failed.
> 
> I have the following tls related libraries in /usr/local/radius/lib :
> 
> Name  Size
> -
> rlm_eap_tls.a 433996
> rlm_eap_tls.la   755
> rlm_eap_tls.so20
> rlm_eap_tls.so.0  20
> rlm_eap_tls.so.0.0.0  304017
> 
> I tried to strace it, and it looks to me like it is finding the libraries OK, but I 
>am pretty new to the Unix world, so I could very easily have missed something.
> 
> I am running FreeRadius CVS snapshot from 5/20/2002 on Red Hat 7.1.
> 
> If anyone has any ideas, they would be greatly appreciated.
> 


Try,
ldd /path/rlm_eap_tls.so

It might give you some clue about missing libraries.

-Raghu




Re: Cisco 340 & WinXP

2002-05-17 Thread Raghu

Artur Hecker wrote:
> 
> hi
> 
> first of all thanks for support. second: nope, it didn't help :(
> 
> > Try Auth-Type := EAP and remove eap in the authorize
> > and check if it works.
> 
> That is even worth. Then the eap-mod says that it can't find neither
> Username nor password.
> 
> 
This is even stranger. Can you post the logs for this?


> > or try eap as the last one in the above authorize block.
> 
> Which changed nothing, sorry...
> 
> > The problem is that the configured User-Password is never picked
> > into the REQUEST->config_items VALUE_PAIR.
> 
> Yes, evidently the password is not given to the module for validation...
>

It looks like a configuration issue.
If you can post your Users file, radiusd.conf and the corresponding
logs, it would certainly help us to locate the problem.

-Raghu




Re: Cisco 350 & WinXP

2002-05-16 Thread Raghu

Artur Hecker wrote:

> > > in fact, in my authorize section EAP was the first module from the
> > > beginning on and in the authenticate section it is even the only one.
> >
> >   If you're ever going to do System authentication, you'll need the
> > 'unix' module, too.
> 
> but if not, i don't need it, right?
> 
Yes. You don't need it.


> 
> > > the error message after the reponse to the challenge is now:
> > >
> > > rlm_eap: Request found, released from the list
> > > rlm_eap: EAP_TYPE - md5
> > > rlm_eap: processing type md5
> > > rlm_eap_md5: No password configured for this user
> > >
> > > Do I have to configure something like EAP-Password in the user section?
> >
> >   No.  Hmm... maybe try 'User-Password :=' ???
> 
> Tried that one, but no effect, the same behaviour.
> 
> 
> >   Due to historical issues, the treatment of 'User-Password' in the
> > 'users' file is a little odd.
> >
> >   Alan DeKok.
> 
> My user definition looks like that: (etc/raddb/users)
> 
> artur   Auth-Type = System, User-Password == "hello"
> Reply-Message = "Hello, %u"
> 

Try Auth-Type := EAP and remove eap in the authorize 
and check if it works.


> i'm still using radius 0.5 and my sections look like that:
> 
> authorize {
> preprocess
> eap
> suffix
> files
> }
> 

or try eap as the last one in the above authorize block.


> authenticate {
> eap
> }
> 
> any idea where this comes from?

The problem is that the configured User-Password is never picked 
into the REQUEST->config_items VALUE_PAIR.


-Raghu




Re: Security

2002-05-15 Thread Raghu

Chris Parker wrote:
> 
> Yes, but that has far less support ( at the moment ) than IPSec and is
> still draft.  :\
>

I think, for now EAP-TTLS does not have any added advantage over IPSec.

Just curious, how did you find that it has less support?

-Raghu




Re: Security

2002-05-15 Thread Raghu

Alan DeKok wrote:
>   I'm curious if there would be any use/interest in hacking FreeRADIUS
> to "encrypt" packets it's sending to a proxy.
> 

http://www.ietf.org/internet-drafts/draft-ietf-pppext-eap-ttls-01.txt

If my understanding is right, EAP-TTLS does just that.
Only after the successful handshake is done,
Radius attributes are passed, encrypted, to perform PAP, CHAP etc.


-Raghu




Re: EAP and LDAP...

2002-05-13 Thread Raghu

Ricardo Stella wrote:
> 
> Alan DeKok wrote:
> >
> >   Read the documentation and configuration files.
> >
> 
> I already did and I'm still not clear on this...  I mean come on, it's
> confusing...  I understand how EAP would work, but still not clear on
> how you set up the authentication{} and authorize{} in the config
> file...
> 
> I searched the archives, and the only thing close by was a post about
> how to use an external source for passwords with EAP.  The answer was
> yes you can do it, but noone explained how...
> 
> Again, can anyone help ?

In radiusd.conf

authorize {
ldap
eap
}

authenticate {
eap
}

In authorize block, 
ldap should get the Configured password.
eap should set the authenticate type as EAP

In authenticate block,
eap authentication should take place.


-Raghu




Re: Multiple Authentication Types

2002-05-06 Thread Raghu

Alan DeKok wrote:
> 
> Raymond <[EMAIL PROTECTED]> wrote:
> > Our wireless ethernet land will require two-factor authentication, something
> > you have (x.509 cert) and something you know (system pasword via pam).
> > Windoz (98, 2K and XP) and Linux (suse and redhat) endpoints will be
> > utilizing Meetinghouse's Aegis 802.1x  client.
> 
>   How do they authenticate over RAIDUS using an X.509 cert?  Knowing
> that will help answer your question.
> 

EAP-TLS is certificate based authentication and supports x509 certs.

The answer to Raymond's question, probably, is EAP-TTLS,
which is not currently supported in freeradius.

Anyway EAP-TTLS is still a draft and not an RFC.

-Raghu




Re: FreeRADIUS on a Solaris platform

2002-04-18 Thread Raghu

David Wong wrote:
> 
> Hi, I'm running FreeRADIUS on a Solaris platform.  To
> me, the Access-Challenge seems way too long.  When I
> run FreeRADIUS on a Linux platform, the

> Is there some setting in a file i need to change for
> Solaris?  Any help will be greatly appreciated .. thanks!
> 

Which version of Freeradius are you running?
Grab the latest CVS snapshot, it should be fine.

-Raghu




Re: FreeRADIUS EAP debug output..

2002-04-16 Thread Raghu

Sunil Chitnis wrote:
> 
> Raghu,
> Thanks much for your prompt reply.
> Could you please also post the relevent config entries for user "raghu" to
> do EAP-MD5 authentication?
> I believe I have some missing config entries. I used the TLS URL provided
> as a base to configure the following...
>  users
>  -
> eapuser Auth-Type := EAP  ///In this how to specify the challenge
> password?
> 

eapuser Auth-Type := EAP, User-Password == whatever


>  radiusd.conf
> -
> eap {
> default_eap_type = md5
> md5 {
> }
> }

authorize {
eap
# other required modules, if you want
}

authenticate {
eap
# other required modules, if you want
}


> clients
> ---
> client xxx.xxx.xxx.xxx {
> secret = whatever
> shortname = myNAS
> }


-Raghu




Re: EAP-TLS problem - "rlm_eap: State verification failed"

2002-04-10 Thread Raghu

Sebastian Rieger wrote:
> 
> Hi there!
> 
> I've got a big prob. Thanks to the excellent howto of Adam Sulmicki, I finally
> managed to move back from my Win2k RADIUS towards freeRADIUS. I'm using
> freeRADIUS with eap tls enabled (cvs snaptshot 2002-04-08), a 3Com 8000 WLAN
> AP and xsupplicant under Linux to auth via 802.1x/EAP-TLS.
> 
> The messages look quite ok, but as soon as the second request is handled EAP
> is complaining about "rlm_eap: State verification failed.". As I looked out
> for the State Attribute of the last message, I found it some chars shorter
> than it was in the message before. I tried to adjust the fragment size, but
> couldn't solve the problem. The packet has a length of 144 bytes, so it
> should not be a big deal with (standard) 1024 byte fragments.

State Attribute has nothing to do with the Fragment size.
Fragment size is meant for EAP-TLS packet only.



> State =
> 0x3df30ad930886ee1c76b2ec405f54c47455db43c219ab001a93e6b8dfbf601baf54db839

> rad_recv: Access-Request packet from host 134.76.4.7:1812, id=12, length=144
> State = 0x3df30ad930886ee1c76b2ec405f54c47455db43c219a

The problem is here.
Radius Server is sending Access-Challenge packet with State Attribute.
During the Challenge response, Your AP should send the same 
State Attribute UN-MODIFIED.

Find out why your AP is truncating this Value.

-Raghu




Re: FreeRADIUS EAP debug output..

2002-04-09 Thread Raghu

Sunil Chitnis wrote:
> 
> Could someone post the debug output of radiusd for a complete valid
> authentication/authorization using EAP. Please erase any security related
> information from the output before posting. I want to verify the types of
> attributes being passed back and forth (including VSAs).
> 

For EAP-TLS debug o/p check 
http://www.missl.cs.umd.edu/~adam/802


Typical EAP-MD5 debug o/p:

rad_recv: Access-Request packet from host 192.168.1.225:1034, id=0,
length=119
    User-Name = "raghu"
NAS-IP-Address = 192.20.100.1
Called-Station-Id = "000X"
Calling-Station-Id = "000X"
NAS-Identifier = "ATMO02A1"
NAS-Port = 29
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = "\002\203\000\n\001raghu"
Message-Authenticator = 0x6dd277e211ebd26747aa2ba634b3a9d2
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "eap" returns updated
  modcall[authorize]: module "suffix" returns ok
users: Matched raghu at 13
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
  modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 1 to 192.168.1.225:1035
Class = 0x01
EAP-Message =
"\001\001\000\026\004\020%\223\334\014\032\260\005.\\D\363\362'\336\034"
Message-Authenticator = 0x
State =
0x0710f9a066479548ffd1961a1ff4faa9689bb33c63ded6080a3453955089c2
6ef09dea43
Finished request 95
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.225:1036, id=2,
length=174
User-Name = "raghu"
NAS-IP-Address = 172.20.100.1
Called-Station-Id = "000X"
Calling-Station-Id = "000X"
NAS-Identifier = "ATMO02A1"
NAS-Port = 29
Framed-MTU = 1400
State =
0x0710f9a066479548ffd1961a1ff4faa9689bb33c63ded6080a3453955089c26ef09dea43
NAS-Port-Type = Wireless-802.11
EAP-Message =
"\002\001\000\033\004\020\317\250<\305E\254~z\355y\235R\256\242\372$raghu"
Message-Authenticator = 0x76b74b0c038e07b29355eec4a834
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "eap" returns updated
  modcall[authorize]: module "suffix" returns ok
users: Matched raghu at 13
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - md5
rlm_eap: processing type md5
  modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Accept of id 2 to 192.168.1.225:1036
Class = 0x01
EAP-Message = "\003\002\000\004"
Message-Authenticator = 0x
Finished request 96
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 94 ID 0 with timestamp 3cb39b68
Cleaning up request 95 ID 1 with timestamp 3cb39b68
Cleaning up request 96 ID 2 with timestamp 3cb39b68
Nothing to do.  Sleeping until we see a request.
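The o/p above carries the whole EAP-MD5 exchange inside the EAP-Message attributes: a Response/Identity, the MD5-Challenge request, the MD5-Challenge response, and the Success. As an added example (not freeradius code), the following decodes the escaped strings the way radiusd -X prints them, checks each EAP Length field against what was actually received, and verifies an MD5-Challenge response the way rlm_eap_md5 has to, as MD5(Identifier || password || challenge) per RFC 1994 and RFC 3748. The three EAP-Message strings are taken verbatim from the output above; the password for "raghu" is not in the post, so the verification round trip uses a constructed password and challenge. One thing the length check turns up: the MD5-Challenge request line as it appears in this archive is one octet shorter than its header claims (21 received against a Length of 22), so the parser marks it `length_ok == False` rather than silently accepting a 15-byte challenge.

```python
"""Decode EAP-Message payloads as radiusd -X prints them and check an
EAP-MD5 Challenge/Response pair (RFC 3748 section 5.4, RFC 1994).
Added example, not part of freeradius."""
import hashlib

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS = 1, 2, 3
TYPE_IDENTITY, TYPE_MD5 = 1, 4

# The EAP-Message strings copied verbatim from the debug output above.
LOG_IDENTITY = r"\002\203\000\n\001raghu"
LOG_MD5_REQUEST = r"\001\001\000\026\004\020%\223\334\014\032\260\005.\\D\363\362'\336\034"
LOG_MD5_RESPONSE = r"\002\001\000\033\004\020\317\250<\305E\254~z\355y\235R\256\242\372$raghu"
LOG_SUCCESS = r"\003\002\000\004"


def unescape(debug_str):
    """Turn the C-style escaped string from the log back into raw octets."""
    return debug_str.encode("latin-1").decode("unicode_escape").encode("latin-1")


def parse_eap(data):
    """Parse one EAP packet; length_ok records whether the header's Length
    field (and, for MD5-Challenge, the Value-Size) match what was received."""
    if len(data) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    msg = {"code": code, "id": ident, "length": length, "length_ok": length == len(data)}
    if code in (EAP_REQUEST, EAP_RESPONSE) and len(data) >= 5:
        msg["type"] = data[4]
        body = data[5:]
        if msg["type"] == TYPE_IDENTITY:
            msg["identity"] = body.decode("ascii", "replace")
        elif msg["type"] == TYPE_MD5:
            # Type-Data: Value-Size, Value (challenge or MD5 digest), Name
            vsize = body[0] if body else 0
            msg["value"] = body[1:1 + vsize]
            msg["name"] = body[1 + vsize:].decode("ascii", "replace")
            if len(msg["value"]) != vsize:
                msg["length_ok"] = False
    return msg


def build_eap(code, ident, type_=None, body=b""):
    """Serialise an EAP packet (Success/Failure carry no Type)."""
    payload = bytes([type_]) + body if type_ is not None else b""
    return bytes([code, ident]) + (4 + len(payload)).to_bytes(2, "big") + payload


def md5_response(ident, password, challenge):
    """RFC 1994: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_md5_response(ident, password, challenge, name=b""):
    value = md5_response(ident, password, challenge)
    return build_eap(EAP_RESPONSE, ident, TYPE_MD5, bytes([len(value)]) + value + name)


def verify_md5(request, response, password):
    """What rlm_eap_md5 has to decide: does this response answer this
    request for this password? The Identifier must match as well."""
    return (request.get("type") == TYPE_MD5 == response.get("type")
            and request["id"] == response["id"]
            and response["value"] == md5_response(request["id"], password, request["value"]))


def demo():
    """Walk the logged exchange, then verify a constructed round trip."""
    logged = [parse_eap(unescape(s))
              for s in (LOG_IDENTITY, LOG_MD5_REQUEST, LOG_MD5_RESPONSE, LOG_SUCCESS)]
    # Constructed password and challenge: the real ones are not in the post.
    password, challenge = b"constructed-password", bytes(range(16))
    req = parse_eap(build_eap(EAP_REQUEST, 7, TYPE_MD5, bytes([16]) + challenge))
    resp = parse_eap(build_md5_response(7, password, challenge, b"raghu"))
    return logged, verify_md5(req, resp, password), verify_md5(req, resp, b"wrong")


if __name__ == "__main__":
    msgs, ok, bad = demo()
    for m in msgs:
        print(m)
    print("correct password verifies:", ok, "| wrong password verifies:", bad)
```

Running it prints the four decoded packets (Identity for "raghu", the short request flagged, the intact 27-octet response naming "raghu", and the Success with id 2), then `True` for the constructed password and `False` for the wrong one.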




Re: FreeRADIUS crash with EAP/TLS

2002-04-09 Thread Raghu

Ken Roser wrote:
> 
> When I do this I get a core dump with FreeRADIUS.
> 
> Details:
> 
> FreeRADIUS CVS snapshot of April 4th.
> OpenSSL, tried both the one used in the TLS notes and version of April 8th.  (this 
>dump is with the same OpenSSL Adam used)
> Server is Sun Blade 100 with Solaris 8
> AP is Cisco Aironet 340
> 

Looks like another Solaris problem.


> I've noticed some OpenSSL errors scattered through the RADIUS log but I don't know 
>(yet) what they mean.  Even Adam's log on the eaptls website had some errors, but 
>none classified as "fatal" as I do.
> 

Yes, none of these SSL errors are fatal except for one,
i.e. Alert 49: Access denied in your logs.


> Is there any glaring error here that someone can see?  Otherwise I'll dig in further 
>and debug it.

Not sure of the actual problem, but I pointed out some suspicious areas,
below.
Hope you can debug further and let us know your findings.

> 
> (gdb) bt
> #0  0xfefb3084 in strlen () from /usr/lib/libc.so.1
> #1  0xff0028d8 in _doprnt () from /usr/lib/libc.so.1
> #2  0xff004a4c in vsnprintf () from /usr/lib/libc.so.1
> #3  0x18124 in radlogdir_iswritable ()
> #4  0x1836c in radlog ()
> #5  0xfee62fc8 in cbtls_verify (ok=1, ctx=0xffbecb38) at cb.c:135

Core dumped in this function at 135.
Put a break point and check the contents here.

> #16 0xfee6220c in eaptls_authenticate (arg=0xb, handler=0xc2b88)
> at rlm_eap_tls.c:203

arg=0xb, this looks like an invalid pointer.
It should always be a valid pointer.

> #17 0xfee81bc0 in eaptype_call (eap_type=276976, action=AUTHENTICATE,

eap_type looks odd to me as it cannot exceed 13,
but still it picked up the correct EAP-Type, i.e. EAP-TLS?
See below just before the crash.


> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 192.168.123.2:3202, id=60, length=1465
> User-Name = "KEN"
> NAS-IP-Address = 192.168.123.2
> Called-Station-Id = "004096431d06"
> Calling-Station-Id = "000625039e69"
> NAS-Identifier = "AP340-431d06"
> NAS-Port = 29
> Framed-MTU = 1400
> State = 
>0x7226690e9d9a241ae69c1eb30db1d0f83cb36076453b1acea082cf49d0461f171435b6ff
> NAS-Port-Type = Wireless-802.11
> EAP-Message = .
> Message-Authenticator = 0xbda4ad5c2ed49b2170d0263da605d455
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
>   modcall[authorize]: module "eap" returns updated
> rlm_realm: Looking up realm NULL for User-Name = "KEN"
> rlm_realm: No such realm NULL
>   modcall[authorize]: module "suffix" returns noop
> users: Matched KEN at 25
>   modcall[authorize]: module "files" returns ok
> modcall: group authorize returns updated
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate
> rlm_eap: Multiple EAP_Message attributes found
> rlm_eap: Request found, released from the list
> rlm_eap: EAP_TYPE - tls
> rlm_eap: processing type tls

This is the proof that it picked up the right EAP-Type,
I am not sure how.


> rlm_eap_tls:  Length Included
> <<< TLS 1.0 Handshake [length 03d4], Certificate
> 
> chain-depth=1,
> error=0
> Segmentation Fault - core dumped

Looks like the UserName in cb.c is corrupted.

-Raghu

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: freeradius troubles with cisco access point

2002-04-09 Thread Raghu

David Wong wrote:

> rad_recv: Access-Request packet from host
> 10.0.0.68:1065, id=31, length=139
>User-Name = "test"
>NAS-IP-Address = 10.0.0.68
>Called-Station-Id = "00409655a415"
>Calling-Station-Id = "0040965a763c"
>NAS-Identifier =
> "applications1.undisclosed.com"
>NAS-Port = 29
>Framed-MTU = 1400
>NAS-Port-Type = Wireless-802.11
>EAP-Message = "\002Z\000\t\001test"
>Message-Authenticator =
> 0xd27bef927bcc6defa8bafab78573c66c
> rad_check_password:  Found Auth-Type System
> auth: type "System"
> modcall: entering group authenticate
> rlm_unix: Attribute "User-Password" is required for
> authentication.
> modcall[authenticate]: module "unix" returns invalid
> modcall: group authenticate returns invalid
> auth: Failed to validate the user.
> 
> and the "test" entry in my users file looks like this:
> 
> testAuth-Type := System, User-Password ==
> "password"
> 
> any help would be greatly appreciated ...


AP is sending Radius packets with EAP-Message.
So you cannot do 'System' authentication as there
is no User-Password.

Configure Auth-Type := EAP for the user "test" 
In radiusd.conf add 'eap' in authorize and authenticate 
sections.



-Raghu

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Freeradius / EAP-TLS / WEP key generation

2002-04-09 Thread Raghu

David Akhtar wrote:
> 
> Hello people ..
> 
> I have set up EAP/TLS authentication between Win-XP and Freeradius
> (recentish CVS archive). I have a setup similar to that described at
> http://www.missl.cs.umd.edu/~adam/802 .. but using XP as the supplicant.
> 
> All works fine 

Good News.

> and dandy until I try and get my setup to dynamicaly generate
> wep keys ..
> 
> This seems to work on my microsoft/cisco setup(with MS windows 2000 radius
> server/XP supplicant / cisco 350 AP)... Having logged the wired side of this
> I've noticed that the Win2k server appends some vendor specific stuff to the
> end of the EAP-Success packet (it appends an MS-MPPE-Send-Key and a
> MS-MPPE-Recv-Key) which I assume is used by the AP (or the supplicant ?) to
> generate (or as ?) the WEP key ?

Currently the EAP module does not send any VSAs with the Access-Accept
packet.

I think this can be achieved by calling multiple modules in
authenticate{},
just similar to authorize{}, in radiusd.conf.
For now, this feature is not supported.

> does anyone know anything about this ? .. has anyone got 'dynamic
> generation' of WEP keys working with freeradius ? ... Any pointers/help
> would be greatly appreciated !
> 

Dynamic generation of WEP keys is not supported in FR.
Patches are welcome. I guess that will be in a different module.


-Raghu

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: freeradius troubles with cisco access point

2002-04-08 Thread Raghu

David Wong wrote:
> 
> can anybody verify if freeradius works with cisco's
> 350 series wireless access point?  and if not, can

Yes. It works for me even for EAP-MD5 & EAP-TLS.


-Raghu

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Pb configuring EAP/MD5 auth with Orinoco AP1000

2002-04-08 Thread Raghu

> EAP-Message = "\002\004\000\r\001portable"
> modcall: group authenticate returns ok

> radius_xlat:  'Coucou Mathieu'

> Sending Access-Challenge of id 4 to 134.214.79.172:192
> User-Name = "portable"
> User-Password = "portable"
> Reply-Message = "Coucou Mathieu"
> EAP-Message =
> "\001\004\000\026\004\020[\212\202\037\031\201\001v\244\362\212\317\350+\360
> "
> Message-Authenticator = 0x
> State =
> 0x0e3eafaa13bde6170947e6a9c48e97f6f295ad3c996cb47d000dbb24cb4b05b943d8a3c5
> 
> ... And then no answer, XP client cannot connect to the network...

Strangely Access-Challenge is sending User-Password attribute.
Check your radius configuration. This should never happen.

I am not sure about Orinoco AP-1000.

-Raghu

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: EAP-MD5 seg fault on Solaris 8

2002-04-03 Thread Raghu

Ken Roser wrote:
> 
> Has this segmentation fault on Solaris 8 been fixed yet?  I tried to build last  
>night's CVS build but it wouldn't even compile.  I'm still using version .5 as a 
>result.
> 
> If it hasn't been fixed, let me know what needs to be done and I'll be glad to 
>assist in the debugging.
> 

Seg fault is already fixed.

Try to compile and run the freeradius from 
the latest CVS snapshots and post your feedback.


-- 
 (( ))
   |  
 |.|  HereUAre !!
 |_|  (( Raghu ))

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: FW: EAP-MD5: EAP-TLS

2002-04-02 Thread Raghu

Artur Hecker wrote:
> 
> EAP-TLS has been developed by Mr. Adoba (et al.) who is currently
> working for Microsoft if I'm not completely mistaken. It represents a
> complete TLS exchange using EAP. EAP itself is only the negotiation
> scheme and the carrier frame for the negotiated protocol. So, I guess
> that the real challenge during the protocol development was the
> segmentation of TLS packets which can become rather huge with all the
> certificate stuff in them. EAP-TLS should be natively supported by every
> WinXP box (well, I'm not sure for the "home edition"...) which is
> interesting from the customer's/user's point of view. (Besides: Does
> anybody know something about such support (for WiFi) in Linux? Would be
> very interesting to get some links.)

http://www.mail-archive.com/freeradius-users@lists.cistron.nl/msg03808.html


-- 
 (( ))
   |  
 |.|  HereUAre !!
 |_|  (( Raghu ))

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: FW: EAP-MD5: Password sources

2002-04-02 Thread Raghu

"McNutt, Justin M." wrote:

> 
> Again, same idea.  MS uses the repository of password-equivalent strings that are 
>stored in Active Directory, the NT domain, whatever to compare against the 
>authentication string provided in the EAP request.
> 
> The problem I have with all of this is the fact that the actual passwords can be 
>deduced using the "cleartext equivalent" that MS stores.  This is a huge weakness in 
>NT/2K-based authentication that I was hoping to get around using FreeRADIUS.
> 
> Unfortunately the way EAP-MD5 works with FreeRADIUS is just as bad (or worse) from 
>the standpoint of having a file somewhere with all of my users' passwords in them in 
>cleartext (or a trivially-decodable) form.
> 
> So if I want to use FreeRADIUS and EAP, EAP-TLS is the only option I have left (so 
>far).
> 

I am not sure about MS but, based on your observation,
I think EAP-TLS is your best option.

Here you are talking about 2 different aspects:
1. Secure mechanism of storing passwords locally.
  You have to deal with this locally.
  Partly the same problem applies even for certificates.

2. Secure mechanism of authentication over the network.
 CHAP and EAP-MD5 are better, but EAP-TLS is the best (IMHO).



-- 
 (( ))
   |  
 |.|  HereUAre !!
 |_|  (( Raghu ))

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: can't get detail logging to work

2002-04-02 Thread Raghu

Heiko Blume wrote:
> 
> hi,
> 
> please forgive my ignorance :-)
> 
> i installed freeradius, and it works fine (great job!), but it does not
> want to write the detail files for me

> Sending Access-Accept of id 80 to 127.0.0.1:3280
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Framed-IP-Address = 255.255.255.254
> Framed-MTU = 1500
> Service-Type = Framed-User
> Finished request 0
> Going to the next request
> Thread 1 waiting to be assigned a request
> 
> The directory /home/htel/radius-1/var/log/radius/radacct/DOES exist,
> but no directories/files
> show up there. i ran strace on it and it doesn't even seem to try to
> open/stat it...
> i created the directory for one of the clients manually - nothing.
> 
> what am i missing here?


Accounting packets are missing in the logs you posted.
Probably that is the reason radacct directory is empty.

Make sure your NAS sends accounting packets.


 (( ))
   |  
 |.|  HereUAre !!
 |_|  (( Raghu ))

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: EAP-MD5: Password sources

2002-04-01 Thread Raghu

"McNutt, Justin M." wrote:
> 
> Okay, new question:
> 
> Now that I have the NAS talking to the RADIUS server properly, 
> I need the RADIUS server to use something other than hard-coded
> passwords 
> when it authenticates using Auth-Type := EAP.  Here's an example from
> /usr/local/etc/raddb/users:
> 
> gilpina Auth-Type := EAP
> Port-Priority = Platinum,
> Tunnel-Private-Group-Id = "201",
> Tunnel-Type = 13,
> Tunnel-Medium-Type = 6,
> Service-Type = Framed,
> NAS-Port-Type = Ethernet
> 
> What would be the proper syntax for something like this:
> 
> gilpinaAuth-Type := EAP, Password == PAM
> 
> or
> 
> gilpinaAuth-Type := EAP, Password == Unix
> 


There are 2 types of EAP authentications that are currently supported by
Freeradius
1. EAP-MD5
2. EAP-TLS

The one which you tested is EAP-md5. It is just similar to CHAP
authentication.
It works only with PLAIN TEXT passwords. 
So if you have plain text password stored in files, database or LDAP,
then it works.

EAP-TLS is Certificate based authentication. 


-- 
 (( ))
   |  
 |.|  HereUAre !!
 |_|  (( Raghu ))

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: EAP-MD5 seg fault on Solaris 8

2002-03-25 Thread Raghu

> Siddharth Jeevan wrote:

> (a) Can we not use Windows 2000 RRAS as NAS - if this is true? What

Radius Server is independent of NAS.

> will I have to do? Build another version of eap.c? My scenario

I do not think so. I think there is a bug in rlm_eap that needs to be
fixed.

> requires me to send Auth request over PPP not 802.1x

PPP or 802.1x does not matter. It should work on both.


> (b) Does it appear to be another problem with the code in EAP module?

Yes. It appears to me that my patch did not fix the problem completely.
If you are interested in identifying the problem,
Place more debugging statements in eap_compose() and send the output.

-Raghu

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: EAP-MD5 ?

2002-03-21 Thread Raghu

"Derek M. Harkness" wrote:

> Thanks for the help!  Here is my log (radiusd -X), this was captured on
> a linux and I haven't had a chance to apply the patch yet, but I will.
> Thanks, again.
>

It's just a one-line change from int to unsigned short.
Let me know your findings with the patch.
 
> Sending Access-Challenge of id 90 to 141.215.3.48:1126
>  Service-Type = Framed-User
>  EAP-Message =
> "\001Z\000\026\004\020J\347\0236\344K\371\277y\322u.#H\030\245"
>  Message-Authenticator = 0x
>  State =
> 0xbb127c33d668ec1725a862f2e3195975dd599a3c9bbbfc5c5148b09728212c51e3dd3138
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 90 with timestamp 3c9a59dd
> Nothing to do.  Sleeping until we see a request.
> 

Server sent the Access-Challenge, 
but never received any response from the AP.

Most likely some configuration issue at the AP/supplicant.

-Raghu

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: EAP-MD5 ?

2002-03-21 Thread Raghu

John Lindsay wrote:

> I've just studied this with Cisco and I can steal a clear explanation from
> the notes.


EAP CLIENT(EC)  >  ACCESS POINT(AP)  > RADIUS-SERVER(S)

The communication between EC & AP is wireless (EAPOL).
The communication between AP & Radius is RADIUS 
with EAP payload encapsulated in EAP-Message attribute.

1. EC sends EAPOL-START to AP.
2. AP sends EAP/Identity request to EC
3. EC sends EAP/Identity response to AP.
4. AP frames the RADIUS Access-Request packet and 
EAP/Identity response payload in EAP-Message.
5. Radius sends Access-challenge to AP with
EAP-MD5 challenge value.
6. AP extracts EAP and sends it to EC.
7. EC sends the Challenge response to AP
   (see CHAP(rfc1994) for details or rfc2284)
8. AP forwards it to Radius.
9. Radius sends EAP-Success/EAP-Failure to AP.
10. AP forwards it to EC.

> 
> To make it clear for everyone, the supplicant is the software on the client
> (machine with the wireless card).
> 
> The EAP process doesn't start until the client has associated with the
> Access Point using Open authentication.  If this process isn't crystal
> clear you need to go away and gain understanding.
> 
> Once the association is made the AP blocks all traffic that is not 802.1x
> so although associated the connection only has value for EAP.  Any EAP
> traffic is passed to the radius server and any radius traffic is passed
> back to the client.
> 
> So, after the client has associated to the Access Point, the supplicant
> starts the process for using EAP over LAN by asking the user for their
> logon and password.
> 
> Using 802.1x and EAP the supplicant sends the username and a one-way hash
> of the password to the AP.

No. See below

> 
> The AP encapsulates the request and sends it to the RADIUS server.
> 
> The radius server needs a plaintext password so that it can perform the
> same one-way hash to determine that the password is correct.  If it is, the
> radius server issues an access challenge which goes back via to the AP to
> the client. (my study guide says client but my brain says 'supplicant')
> 
> The client sends the EAP response to the challenge via the AP to the RADIUS
> server.
> 

AP sends an EAP/Identity request to the supplicant.
The supplicant then just sends only the User-Name to AP.

AP then forwards this to Radius Server, 
Radius Server now sends EAP-Response with some random Challenge value.

Supplicant then sends the challenge-response using the User-Password.
See CHAP rfc1994 for details.


-Raghu

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
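The exchange described in the reply above, as an added example that is not part of the original post and not FreeRADIUS code: it decodes the EAP-Message strings radiusd -X prints (the identity and MD5 responses quoted in the logs on this page), parses the EAP header, and builds and verifies the MD5-Challenge the way RFC 1994 (CHAP) defines it. It also illustrates the "Password sources" point that the server needs the cleartext password to check the response; the password, challenge and names in the demo are constructed values.

```python
"""EAP-MD5 (RFC 2284 type 4) from the RADIUS server's point of view.

Added example, not FreeRADIUS code.  It decodes the octal-escaped strings
that radiusd -X prints for EAP-Message, parses the EAP header, and builds
and verifies an MD5-Challenge exchange as RFC 1994 (CHAP) defines it:
MD5(identifier || password || challenge).  Passwords and names used at the
bottom are constructed sample values.
"""
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4


def decode_radlog_string(s):
    """Reverse the quoting radiusd uses when it prints a binary attribute:
    printable bytes as-is, three-digit octal escapes for the rest, plus the
    C escapes for newline, return, tab, quote and backslash."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] != "\\":
            out.append(ord(s[i]))
            i += 1
            continue
        i += 1                                  # skip the backslash
        if i >= len(s):
            raise ValueError("dangling backslash in radlog string")
        if s[i] in "01234567":
            j = i
            while j < len(s) and j - i < 3 and s[j] in "01234567":
                j += 1                          # at most three octal digits
            out.append(int(s[i:j], 8))
            i = j
        else:
            out.append({"n": 10, "r": 13, "t": 9}.get(s[i], ord(s[i])))
            i += 1
    return bytes(out)


def parse_eap(packet):
    """Return (code, identifier, type, type_data) for one EAP packet.

    The 16-bit length is checked against the bytes actually present; a
    length of 0, which the crash reports on this page show the server
    emitting, is rejected here instead of being put on the wire."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("bad EAP length %d for a %d-byte packet" % (length, len(packet)))
    body = packet[4:length]
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, ident, None, b""
    if not body:
        raise ValueError("EAP request/response without a type byte")
    return code, ident, body[0], body[1:]


def md5_challenge_response(ident, password, challenge):
    """RFC 1994 section 4.1: the value is MD5 over id || secret || challenge."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_md5_request(ident, challenge):
    """What the server puts into the Access-Challenge (step 5 above)."""
    body = bytes([EAP_TYPE_MD5, len(challenge)]) + challenge
    return struct.pack("!BBH", EAP_REQUEST, ident, 4 + len(body)) + body


def build_md5_response(ident, password, challenge, name):
    """What the supplicant sends back through the AP (step 7 above)."""
    value = md5_challenge_response(ident, password, challenge)
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return struct.pack("!BBH", EAP_RESPONSE, ident, 4 + len(body)) + body


def verify_md5_response(response, challenge, password):
    """Server-side check of a response.  The cleartext password must be
    available here, which is the EAP-MD5 limitation the thread discusses.
    Returns (ok, name)."""
    code, ident, eap_type, data = parse_eap(response)
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_MD5 or not data:
        return False, None
    size = data[0]
    if len(data) < 1 + size:
        return False, None
    value, name = data[1:1 + size], data[1 + size:]
    expected = md5_challenge_response(ident, password, challenge)
    return hmac.compare_digest(value, expected), name.decode("ascii", "replace")


if __name__ == "__main__":
    # Identity response exactly as printed in one of the logs above.
    print(parse_eap(decode_radlog_string(r"\002\004\000\r\001portable")))
    # Constructed round trip: server challenge, client response, server check.
    password, challenge = b"sample-password", os.urandom(16)
    request = build_md5_request(4, challenge)
    _, ident, _, _ = parse_eap(request)
    response = build_md5_response(ident, password, challenge, b"portable")
    print(verify_md5_response(response, challenge, password))
```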



Re: EAP-MD5 ?

2002-03-21 Thread Raghu

"Derek M. Harkness" wrote:
> 
> The segfault seem to only occur on the Solaris.  I recompiled on a linux
> box to test it, EAP auth still fails but at least the server doesn't die.
> 

To figure out why EAP auth is failing, can you post the server logs?

Have you got the chance to apply the patch I posted yesterday 
& check it on Solaris ?


-Raghu

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: EAP-MD5 ?

2002-03-20 Thread Raghu

Raghu wrote:

> So there is no way that Zero length EAP-packets are allowed.
> 
> Probably, I am overlooking.

I am suspecting that it is something to do with Byte Ordering.

Please let me know if the following patch fixes the
problem or not, as I am not able to simulate the problem.

-Raghu


--- eap.c   2002/01/22 21:45:08 1.4
+++ eap.c   2002/03/21 03:36:13
@@ -357,7 +357,7 @@
 int eap_wireformat(EAP_PACKET *reply)
 {
eap_packet_t*hdr;
-   int total_length = 0;
+   unsigned short  total_length = 0;
 
if (reply == NULL) return EAP_INVALID;
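Review bot: the only change is the declaration `unsigned short  total_length = 0;`, and the hunk does not show where total_length is written into the 16-bit EAP length field, so whether this cures the zero-length header the thread is chasing cannot be judged from this context. Two points for the author: the message accompanying the patch suspects byte ordering, but a type change does not by itself establish network byte order, so the store into the header should be shown and done with htons() (or explicit big-endian byte assignment); and narrowing the accumulator to 16 bits makes a total over 65535 wrap silently, whereas the `int` version could be range-checked before being stored, so a guard such as `if (total_length > 0xffff) return EAP_INVALID;` before the write-out, in the style of the `if (reply == NULL) return EAP_INVALID;` line already present, is preferable to relying on truncation.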

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: EAP-MD5 ?

2002-03-20 Thread Raghu

> 
>   Still, the server shouldn't core dump.

I completely agree that server should never core dump.

> 
>   The EAP module *should* check for that error condition, log a
> complaint error message, and discard the EAP session.

If EAP module finds an invalid EAP packet from any of 
the sub modules like EAP-MD5 then it always sends 
EAP-FAILURE to the client.
So there is no way that Zero length EAP-packets are allowed.

Probably, I am overlooking.
Currently I am trying to simulate the problem here to fix it.

The functions that are framing the EAP packet are
eap_compose() & eap_wireformat() in eap.c

-Raghu

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: EAP-MD5 ?

2002-03-20 Thread Raghu

"Derek M. Harkness" wrote:
> 
> Okay here's the setup Cisco Aironet, Mac OSX, FreeRadius 0.5, eap-md5,
> and a SegFault.

> Sending Access-Challenge of id 0 to xxx.xxx.xxx.xxx:1027
>  EAP-Message =
> "\001\000\000\000\004\020\264\262\r\261\364\344\323X5\230\260\310\352\256\
> Segmentation fault

Same problem is reported a week back.
We need to figure out why EAP-Length is 0 
and still it frames the EAP-packet.
Since I am not able to reproduce the problem here on Linux,
if you can debug the problem and let us know your findings,
together we can resolve this problem.


-Raghu

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: 3com Wirless Access Point and FreeRadius

2002-03-15 Thread Raghu

Eric John Seneca wrote:

> Sending Access-Challenge of id 29 to 64.214.69.235:5001
> EAP-Message =
> "\001\035\000\026\004\020#\237\300j\320\225\376<\2639\262\265\340\333F\243"
> Message-Authenticator = 0x
> State =
> 0xd3a5063b0b3c477241aa038a1bd600d50ac8913cf4210ec4828ecd3a5430359074e4689b

> rad_recv: Access-Request packet from host 64.214.69.235:5001, id=30,
> length=108
> EAP-Message =
> "\002\035\000\032\004\020\364<\366\257\206F\017@Nb\tV\251.\314\334junk"
> Message-Authenticator = 0x465a58897948e060466ca171349e5911
> NAS-IP-Address = 192.168.100.170
> User-Name = "junk"
> State = 0xd3a5063b0b3c477241aa038a1bd600d50ac8913cf421
> Framed-MTU = 1400

> rlm_eap: State verification failed.

Ok. The problem now is that Your 3com AP MODIFIED the State Attribute
that Radius Server sent and replied.
For some reason it stripped off the last bytes.

Try to verify, why this is happening.

-Raghu

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: 3com Wirless Access Point and FreeRadius

2002-03-14 Thread Raghu

> NOW I ASSUME THE MESSAGE BEING SENT BACK IT MY SECOND PACKET IN THE SNIFFER
> LOG.
> 64.95.221.220-> 192.168.100.170 UDP D=1812 S=1812 LEN=108
> 
> Sending Access-Challenge of id 62 to 64.214.69.230:4916
> EAP-Message =
> "\001>\000\026\004\020#\237\300j\320\225\376<\2639\262\265\340\333F\243"
> Message-Authenticator = 0x
> State =
> 0xa6e15e0f06d3880b882260dbb8e69f2de88c903cf69a33702ce1ec0ba905020673dd8337
> Finished request 0
> 
> It seems as though the 3com access point interprets this message as an
> authentification failure and ends the conversation. It also displays an
> message box "authentification failure" on the client side. What is the
> contents of the message being sent back to the 3com access point? Does
> anyone know a reason the 3com device will interpret the Challenge message as
> a failure?
> 

Radius Server has sent an Access-Challenge with EAP-MD5 challenge value
for which the client should respond back.
Based on the response received, Radius Server authenticates the user.

Since there is no response received, 
I think there is some misconfiguration either on your AP or client.

You might also want to check, what EAP-Types ( like EAP-MD5 ...)
are supported by your 3com client & AP.

-Raghu

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: 3com Wirless Access Point and FreeRadius

2002-03-13 Thread Raghu

Eric John Seneca wrote:
> 
> Hi,
> I am trying to setup a 3com wireless access point to authenticate to a
> freeradius server. I have installed and configured the freeradius server as
> well as the access point but when I try to authenticate I get the following
> error:
> rad_recv: Access-Request packet from host 64.214.69.235:4859, id=183,
> length=69
> EAP-Message = "\002\004\000\n\001happy"
> Message-Authenticator = 0x8963e751410fdebe8c00bb9310325f6f
> NAS-IP-Address = 192.168.100.170
> User-Name = "happy"
> Framed-MTU = 1400
>   rad_check_password:  Found Auth-Type Local
> auth: type Local
> auth: No Password or CHAP-Password attribute in the request
> auth: Failed to validate the user.

You need to configure 
Auth-Type = EAP for the user "happy".
Also configure EAP in authorize & authenticate sections of radiusd.conf


> The part that I cannot figure is the phantom password. I am not sure if the
> 3com client software is sending the password or the /etc/raddb/users file is
> not setup correct. If anyone has had experience with 3com products in the
> past any help would be greatly appreciated.

Password is never sent over the wire in the case of EAP.
Your 3com client is sending an EAP message to the 3com Access Point (AP)
and the AP is framing the RADIUS packet with EAP in it.

So enabling EAP authentication in the RADIUS server will help you.


-Raghu

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: About RADIUS experimental support for EAP/TLS

2002-03-11 Thread Raghu

>Hi everybody
>I am not familiar with RADIUS server and I would like
>to know more about it.
>Could anybody explain me what is meant by RADIUS
>experimental support for EAP/TLS? Is it currently in
>experimentation or is it just a hypothesis?
>thank you in advance

EAP/TLS is not highly tested.
So it means evaluate yourself and share your experience.

Comments, feedback, bugs, patches... are welcome.

-Raghu

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: EAP question

2002-03-11 Thread Raghu

>Nope.  Triple-checked the shared secret.  They match.
>
>Only one RADIUS server in this setup, not separate auth and acct (or did I 
>misunderstand your suggestion?).

If the shared secret is right then we need to figure out where the problem
is.
Can you send the radius logs?
As Alan suggested, can you also verify that the Nortel switch that you are 
using is RFC 2869 compliant for Message-Authenticator?


-Raghu

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: EAP question

2002-03-08 Thread Raghu

>[Date] Error: Received packet from 128.206.95.215 with invalid 
>Message-Authenticator!
>[Date] Info: Sending duplicate authentication reply to client 
>128.206.95.215:1026 - ID: 63

Looks like Shared secret problem.
You might also want to verify if auth & acct 
have different shared secrets.

-Raghu

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: WinXP/Cisco/Freeradius - Configuring 802.1X Port-Based Authentication

2002-03-07 Thread Raghu

Hi Hajo,

Try running radiusd from src/main and check with gdb.

A second look at the logs posted, shows a weird thing like,
 EAP packet length is 0 (EAP-Message = "\001$\000\000\004\020 )
 but there are a bunch of EAP-Messages created.
 This should never happen.

So I would like to find out the root cause of this problem.
If possible try to send all the info like logs, configurations,
OS etc


-Raghu

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
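The symptoms diagnosed in the replies above (User-Password inside an Access-Challenge, Auth-Type System/Local for a request that carries EAP-Message, a State attribute the AP sends back altered, and an EAP-Message whose length field is 0) can be checked mechanically. This is an added example, not FreeRADIUS code; the trace it runs over is constructed to resemble the radiusd -X output quoted on this page, with made-up addresses and State values.

```python
"""Triage checks over a radiusd -X trace.

Added example, not FreeRADIUS code.  It groups a debug log into packets and
flags the four misconfigurations diagnosed in the posts above: a reply that
carries User-Password, an EAP Access-Request handled with a non-EAP
Auth-Type, a State attribute that comes back altered by the NAS, and an
EAP-Message whose length field is 0.  SAMPLE_TRACE is constructed to look
like the traces on this page; the addresses and State values are made up.
"""
import re

RECV_RE = re.compile(r"^rad_recv: (Access-Request) packet from host ([\w.:]+), id=(\d+)")
SEND_RE = re.compile(r"^Sending (Access-\w+) of id (\d+) to ([\w.:]+)")
ATTR_RE = re.compile(r"^\s*([\w-]+) =\s*(.*)$")
AUTH_RE = re.compile(r"Found Auth-Type (\w+)")
# EAP header as radiusd prints it: \code, identifier (escaped or printable),
# then the two length bytes; \000\000 means the length field is zero.
ZERO_LEN_EAP = re.compile(r'^"\\[0-7]{3}(?:\\[0-7]{3}|\\.|[^\\])\\000\\000')


def packets(lines):
    """Return one dict per packet: kind, nas, id, its attributes and the module
    lines printed while it was processed.  A value wrapped onto the next line
    (as 'State =' often is in the logs above) is joined back."""
    pkts, cur, pending = [], None, None
    for raw in lines:
        line = raw.rstrip("\n")
        if pending is not None:                 # continuation of a wrapped value
            cur["attrs"][pending] = line.strip()
            pending = None
            continue
        m = RECV_RE.match(line)
        if m:
            cur = {"kind": m.group(1), "nas": m.group(2), "id": m.group(3),
                   "attrs": {}, "notes": []}
            pkts.append(cur)
            continue
        m = SEND_RE.match(line)
        if m:
            cur = {"kind": m.group(1), "nas": m.group(3), "id": m.group(2),
                   "attrs": {}, "notes": []}
            pkts.append(cur)
            continue
        if cur is None:
            continue
        m = ATTR_RE.match(line)
        if m and m.group(2).strip():
            cur["attrs"][m.group(1)] = m.group(2).strip()
        elif m:
            pending = m.group(1)
        else:
            cur["notes"].append(line.strip())
    return pkts


def triage(lines):
    """Return a list of (code, packet, detail) findings for a trace."""
    findings, last_state = [], {}
    for p in packets(lines):
        a, where = p["attrs"], "%s id=%s %s" % (p["kind"], p["id"], p["nas"])
        eap = a.get("EAP-Message", "")
        if ZERO_LEN_EAP.match(eap):
            findings.append(("EAP-LENGTH-ZERO", where,
                             "EAP header says length 0; this packet should never be framed"))
        if p["kind"] != "Access-Request":
            if "User-Password" in a:
                findings.append(("USER-PASSWORD-IN-REPLY", where,
                                 "a reply must not carry User-Password; check the users entry"))
            if "State" in a:
                last_state[p["nas"]] = a["State"]   # the NAS must echo this back
            continue
        auth = [AUTH_RE.search(n).group(1) for n in p["notes"] if AUTH_RE.search(n)]
        if eap and auth and auth[0] != "EAP":
            findings.append(("AUTH-TYPE-NOT-EAP", where,
                             "EAP-Message present but Auth-Type %s; set Auth-Type := EAP "
                             "and list eap in authorize and authenticate" % auth[0]))
        sent = last_state.get(p["nas"])
        if sent and "State" in a and a["State"] != sent:
            findings.append(("STATE-ALTERED", where,
                             "NAS returned a different State (%d chars, %d sent)"
                             % (len(a["State"]), len(sent))))
    return findings


# Constructed trace (addresses, State values and the password are made up).
SAMPLE_TRACE = """\
rad_recv: Access-Request packet from host 192.0.2.10:1036, id=7, length=139
\tUser-Name = "test"
\tNAS-Port-Type = Wireless-802.11
\tEAP-Message = "\\002Z\\000\\t\\001test"
  rad_check_password:  Found Auth-Type System
auth: type "System"
Sending Access-Challenge of id 7 to 192.0.2.10:1036
\tUser-Password = "password"
\tEAP-Message = "\\001\\005\\000\\000\\004\\020"
\tState = 0x0102030405060708090a0b0c0d0e0f10
rad_recv: Access-Request packet from host 192.0.2.10:1036, id=8, length=108
\tUser-Name = "test"
\tEAP-Message = "\\002\\005\\000\\032\\004\\020\\364<\\366\\257\\206F\\017@Nb\\tV\\251.\\314\\334test"
\tState = 0x0102030405060708
rlm_eap: State verification failed.
"""

if __name__ == "__main__":
    for code, where, detail in triage(SAMPLE_TRACE.splitlines()):
        print("%-22s %-36s %s" % (code, where, detail))
```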



Re: WinXP/Cisco/Freeradius - Configuring 802.1X Port-Based Authentication

2002-03-06 Thread Raghu

>does anybody have "dot1x port-based authentication" up and running for
>WinXP/Cisco Catalyst/Freeradius ? (see
>http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/1216ea2/scg/swg8
>021x.htm#10608). I have a LAN-connection in WinXP configured with 802.1x
>enabled using EAP-MD5. Set up the radius-settings on a Catalyst 6009 and
>enabled dot1x ("port-control auto"). The Freeradius (latest
>nightly-snapshot) is running with the new EAP-MD5 module (thanks a lot for
>this work). After startup WinXP prompts for Username/Password to
>authenticate for the LAN-connection. The Freeradius debug-ouput is the
>following:

Looks like a configuration problem.
Can you send the radiusd.conf.


>Freeradius sends about 40 EAP-Messages until it fails with a core dump.
Can you use GDB on the core and send the output.

-Raghu

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




UTF-8

2002-02-11 Thread Raghu Seshadri


Hi, does FreeRadius support usernames encoded in UTF-8 ? I would like
usernames such as jörg and haräld
to be authenticated. If yes, which version of FreeRadius should I download ?

Thanks,
Raghu Seshadri

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Supporting Password,PAP,CHAP,MS-CHAP,MS-CHAP2,EAP-MD5

2001-12-14 Thread Raghu

> eap {

# This "eap" section should not be empty &
# should always contain at least one (or more) subsections
# with any supported eap-type (currently only MD5).
# This is because EAP alone cannot perform authentications;
# one of the eap-types handles the authentication.

#Add md5 subsection for EAP-MD5 authentication.
md5 {
}

> }
>
> #   authtype EAP {
> #   eap
> #
> #   For some reason when trying to insert this
> #   module I get this error "Module: Loaded eap
> #   radiusd.conf[383]: eap: Module instantiation
> #   failed.
> #   }
>
> }

Once you add the above subsection, this error message should
go away.
Let me know if the problem still exists.


-Raghu


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: A Query

2001-09-28 Thread Raghu

anitha sarathy wrote:

> 1. Can i setup a 802.11x compatible AP with radius
> Auth and then use freeradius ? Will the setup work ?

No. Probably list members might have a
better answer to this question.

> 2. I saw some EAP related attributes in the Freeradius
> source package .. is it fully implemented ?

EAP module, as such is still not there in Freeradius to
perform authentications.
It should be coming soon, but I am not sure when.

-Raghu


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: EAP/freeradius

2001-08-27 Thread Raghu

>> But these patches never got checked into CVS,
> No, *some* of the patches never go into CVS.

>> as there is no one to review/comment on these patches.
> No, *I* said I would review and comment on the patches.  I did.  I
>even applied some.

>  It would help for you to re-submit the patches, too.  See:

I am sorry, I do see that some of the patches got checked in.
Recently, I have not seen the latest code.

>  One reason I haven't added all of the EAP patches is that I'm not
>completely happy with them all.  If you are interested in having a
>dialogue about them, please post patches and messages to the list.

I agree. Only the good patches should be checked in
and not all the *crap* that I write.

I can re-start the work on EAP and send messages to the list.
If you can send in your comments, I am open to all your feedback
to redesign/restructure/redo.

-Raghu




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: EAP/freeradius

2001-08-27 Thread Raghu

Hi Mark,

Sorry, EAP is still not there in freeradius.

I submitted patches for Radius extensions
support,  which are the key requirements for EAP
over Radius ( rfc2869).

But these patches never got checked into CVS,
as there is no one to review/comment on these patches.
If you are aware of these Requirements (ie rfc2869),
please send in your comments to freeradius,  it helps
to make their way to CVS.

once these patches are checked in,
any of us can start implementing EAP (rfc2284).


-Raghu



Marko Myllynen wrote:

> Dear Raghu,
>
> I noticed from freeradius mailing lists that you have made some
> EAP/freeradius patches. Could you tell me are those patches already
> checked in the CVS? grep'ing EAP listed only few #define's in the headers
> and I can't figure is the EAP support already in place?
>
> --
> Marko Myllynen


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html