install EAP-ttls
Hi. I have a radius server with EAP-TLS and I'm trying to install EAP-TTLS. Do you have a howto for EAP-TTLS?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: install EAP-ttls
santi baztan [EMAIL PROTECTED] wrote:
> I have a radius server with EAP-TLS and I'm trying to install EAP-TTLS. Do you have a howto for EAP-TTLS?

You configure it, as it says in 'radiusd.conf'. After that, you have a client send it EAP-TTLS packets. It's that easy.

Alan DeKok.
Eap ttls and LDAP
Hi,

I am using freeradius 0.9.3 on a Linux box. I have found the eap_ttls module in the CVS tree. How do I install it?

Can anyone explain to me the interest of using EAP-TTLS + LDAP? I don't want to use personal certificates but only the login and LDAP password of the person. Is TTLS+LDAP a good solution to do that? Has anyone tested it? Any recommendations?

Thanks
Re: Eap ttls and LDAP
On Wed, 10 Dec 2003, Arthur EBEL wrote:
> Hi, I am using freeradius 0.9.3 on a Linux box. I have found the eap_ttls module in the CVS tree. How do I install it?

./configure
make
make install

> Can anyone explain to me the interest of using EAP-TTLS + LDAP? I don't want to use personal certificates but only the login and LDAP password of the person. Is TTLS+LDAP a good solution to do that?

Yes it is.

> Has anyone tested it? Any recommendations?

It works out of the box. Just uncomment the necessary modules in the authorize/authenticate sections and configure the eap (tls/ttls) and ldap modules.

> Thanks

--
Kostas Kalevras, Network Operations Center
National Technical University of Athens, Greece
[EMAIL PROTECTED]
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: Eap ttls and LDAP
Kostas Kalevras [EMAIL PROTECTED] wrote:
>> I am using freeradius 0.9.3 on a Linux box. I have found the eap_ttls module in the CVS tree. How do I install it?
>
> ./configure
> make
> make install

And watch the server die as soon as it receives an EAP-TTLS request.

Alan DeKok.
Re: Eap ttls and LDAP
Arthur EBEL [EMAIL PROTECTED] wrote:
> I am using freeradius 0.9.3 on a Linux box. I have found the eap_ttls module in the CVS tree. How do I install it?

You install a snapshot. You can't use EAP-TTLS with 0.9.3.

> I don't want to use personal certificates but only the login and LDAP password of the person.

EAP-TTLS doesn't require personal certificates.

Alan DeKok.
RE : eap/ttls
Hi :-)

I would like to know where I can find the rlm_eap_ttls module and how to install it. Have you got an idea how to mix EAP-TTLS and LDAP authentication?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Alan DeKok
Sent: Thursday, 4 December 2003 19:14
To: [EMAIL PROTECTED]
Subject: Re: eap/ttls

David L Wolford [EMAIL PROTECTED] wrote:
> rlm_eap: Failed to link EAP-Type/ttls: file not found
> radiusd.conf[606]: eap: Module instantiation failed.
>
> In addition to removing the comments for ttls what other steps must be taken to enable eap/ttls?

You've got to install the rlm_eap_ttls module. It should do that, though...

Alan DeKok.
Re: RE : eap/ttls
Arthur EBEL [EMAIL PROTECTED] wrote:
> I would like to know where I can find the rlm_eap_ttls module and how to install it.

Grab the latest CVS snapshot. Have you tried that?

> Have you got an idea how to mix EAP-TTLS and LDAP authentication?

You don't need to do anything special.

Alan DeKok.
eap/ttls
I've been working on the eap/tls for our wireless network using freeradius-snapshot-2003118. The eap/tls works fine and now I want to try the eap/ttls so as to avoid the certificate management. When I go into radiusd.conf and uncomment the eap/ttls stuff I get the following error when I try to run freeradius:

Module: Loaded eap
 eap: default_eap_type = tls
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /etc/lx/orbit.pem
 tls: certificate_file = /etc/lx/orbit.pem
 tls: CA_file = /etc/lx/root.pem
 tls: private_key_password = iyagthkg
 tls: dh_file = /etc/lx/DH
 tls: random_file = /etc/lx/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
rlm_eap: Loaded and initialized type tls
rlm_eap: Failed to link EAP-Type/ttls: file not found
radiusd.conf[606]: eap: Module instantiation failed.

In addition to removing the comments for ttls what other steps must be taken to enable eap/ttls?

Thank you,
dwolford
Re: eap/ttls
David L Wolford [EMAIL PROTECTED] wrote:
> rlm_eap: Failed to link EAP-Type/ttls: file not found
> radiusd.conf[606]: eap: Module instantiation failed.
>
> In addition to removing the comments for ttls what other steps must be taken to enable eap/ttls?

You've got to install the rlm_eap_ttls module. It should do that, though...

Alan DeKok.
newbie alert Freeradius, EAP-TTLS, and OpenSSL questions
Hello,

I'm trying to set up a radius server here in my office to permit WLAN usage, and I really feel like I'm coming up against my limits of understanding on the technologies involved. I've successfully compiled yesterday's CVS release which includes EAP-TTLS support, but I'm running into some serious issues (most likely due to lack of clue on my part) getting it working. The server is a Debian testing install, with openssl compiled from source. The base station is a Linksys WRT-54G, although I haven't gotten to the point where I think there's a problem there.

Here's my list of questions:

1. EAP-TTLS is dependent on EAP-TLS, which requires a server cert. So far, I've been unable to successfully create a cert that freeradius likes. In the radiusd.conf file, there's a certificate_file argument, along with a CA_file argument. My understanding of the reason for this is that with EAP-TLS, authentication is done by certs alone - the user must have the server cert's public key loaded, and the user must present a public key signed by the CA. But with TTLS, the client cert does not appear to be a requirement. Does that mean I can use a self-signed cert and not worry about the CA_file, or do I still need to create both? And if so, does anyone have a working openssl recipe to create these? So far I've been unsuccessful in creating anything other than a self-signed key.

2. I think I'm missing some understanding when it comes to the differences between authentication protocols (pap, mschap, etc) and authentication mechanisms (users file, smbpasswd, sql, pam, etc). My ideal scenario is for TTLS to use PAM (which authenticates based on md5 hashes in /etc/shadow), allowing anyone with an account on the server running radiusd to connect to the WLAN, but I'm not quite sure how the auth protocol interacts with auth-types. I have DEFAULT Auth-Type := Pam in my users file; do I need to do anything further depending on the auth protocol I use inside the EAP-TTLS tunnel (pap, chap, etc)?

3. I'm really, really in the dark when it comes to the key distribution mechanism. With EAP-TTLS and WPA, what system actually generates and distributes the WPA key? Does the radius server handle that, or does it only negotiate access and let the base station generate a random key? Is there a knob in the config I need to set up for this?

Thank you in advance for your patience. I'm sure I'll have more questions later.

Thanks,
-Chris
Re: newbie alert Freeradius, EAP-TTLS, and OpenSSL questions
Chris Woodfield [EMAIL PROTECTED] wrote:
> 1. EAP-TTLS is dependent on EAP-TLS, which requires a server cert. So far, I've been unable to successfully create a cert that freeradius likes. In the radiusd.conf file, there's a certificate_file argument, along with a CA_file argument. My understanding of the reason for this is that with EAP-TLS, authentication is done by certs alone - the user must have the server cert's public key loaded, and the user must present a public key signed by the CA.

Yes. But TTLS still requires a server certificate.

> But with TTLS, the client cert does not appear to be a requirement. Does that mean I can use a self-signed cert and not worry about the CA_file, or do I still need to create both?

You still need a server certificate.

> And if so, does anyone have a working openssl recipe to create these? So far I've been unsuccessful in creating anything other than a self-signed key.

See scripts/CA.all

> 2. I think I'm missing some understanding when it comes to the differences between authentication protocols (pap, mschap, etc) and authentication mechanisms (users file, smbpasswd, sql, pam, etc). My ideal scenario is for TTLS to use PAM (which authenticates based on md5 hashes in /etc/shadow),

Huh? Why not just use 'System' authentication?

> I have DEFAULT Auth-Type := Pam in my users file; do I need to do anything further depending on the auth protocol I use inside the EAP-TTLS tunnel (pap, chap, etc)?

CHAP won't work with passwords from /etc/passwd. See the FAQ.

> 3. I'm really, really in the dark when it comes to the key distribution mechanism. With EAP-TTLS and WPA, what system actually generates and distributes the WPA key? Does the radius server handle that,

Yes.

> Is there a knob in the config I need to set up for this?

No.

Alan DeKok.
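The CHAP point in the reply above, as an added example that is not part of the thread or of FreeRADIUS: a CHAP response is MD5(identifier || secret || challenge) (RFC 1994), so the server can only check it if it holds the cleartext secret, whereas a PAP password delivered inside the TTLS tunnel can be pushed through the password store's one-way function and compared. The user database, the password, and the salted SHA-512 used as a stand-in for the crypt(3) hashes in /etc/shadow are all constructed for this example (assumptions, not the real shadow format).

```python
"""Added example: why PAP inside EAP-TTLS can be verified against /etc/shadow-style
one-way hashes while CHAP cannot.  Not FreeRADIUS code."""
import hashlib
import hmac
import os
from typing import Optional


def store_hash(password: str, salt: bytes) -> bytes:
    """One-way stored form: salt || SHA-512(salt || password).
    Stand-in (assumption) for the crypt(3) hash kept in /etc/shadow."""
    return salt + hashlib.sha512(salt + password.encode()).digest()


# Constructed "shadow" database: username -> stored hash, no cleartext kept.
_SALT = b"\x01\x02\x03\x04\x05\x06\x07\x08"
SHADOW = {"hugo": store_hash("correct horse", _SALT)}

# Constructed "users file" database with cleartext, i.e.
#   hugo  User-Password == "correct horse"
USERS_CLEARTEXT = {"hugo": "correct horse"}


def pap_verify_against_shadow(user: str, password: str) -> bool:
    """PAP: the tunnel delivers the cleartext; hash it the same way and compare."""
    stored = SHADOW.get(user)
    if stored is None:
        return False
    salt = stored[:len(_SALT)]
    return hmac.compare_digest(store_hash(password, salt), stored)


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """Client side of CHAP (RFC 1994, MD5 algorithm)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def chap_verify_against_cleartext(user: str, ident: int, challenge: bytes,
                                  response: bytes) -> bool:
    """Server side of CHAP: recomputing the MD5 needs the cleartext secret."""
    secret = USERS_CLEARTEXT.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)


def chap_verify_against_shadow(user: str, ident: int, challenge: bytes,
                               response: bytes) -> Optional[bool]:
    """With only a one-way hash the server has nothing to feed into MD5: the hash is
    not the secret and cannot be inverted.  None = undecidable, which is what
    'CHAP won't work with passwords from /etc/passwd' means in practice."""
    if user not in SHADOW:
        return False
    return None


if __name__ == "__main__":
    challenge = os.urandom(16)
    resp = chap_response(1, "correct horse", challenge)
    print("PAP  vs shadow   :", pap_verify_against_shadow("hugo", "correct horse"))
    print("CHAP vs cleartext:", chap_verify_against_cleartext("hugo", 1, challenge, resp))
    print("CHAP vs shadow   :", chap_verify_against_shadow("hugo", 1, challenge, resp))
```

The same reasoning applies to MS-CHAP/MS-CHAPv2, which need the NT hash rather than a crypt hash; only PAP (or a store that keeps the cleartext or NT hash) works against an arbitrary one-way password store.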
Re: newbie alert Freeradius, EAP-TTLS, and OpenSSL questions
> See scripts/CA.all

Ran this, and it appears that everything worked right up until the end, when I got these errors:

Certificate is to be certified until Nov 20 23:34:06 2004 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
+ openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out cert-srv.p12 -clcerts -passin pass:whatever -passout pass:whatever
No certificate matches private key
+ openssl pkcs12 -in cert-srv.p12 -out cert-srv.pem -passin pass:whatever -passout pass:whatever
23118:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:140:
+ openssl x509 -inform PEM -outform DER -in cert-srv.pem -out cert-srv.der
unable to load certificate
23119:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE
+ echo -e '\n\t\t##\n'

		##

tino:/usr/local/ssl/certs#

Any idea what's happening? This is OpenSSL 0.9.7c.

-C

>> 2. I think I'm missing some understanding when it comes to the differences between authentication protocols (pap, mschap, etc) and authentication mechanisms (users file, smbpasswd, sql, pam, etc). My ideal scenario is for TTLS to use PAM (which authenticates based on md5 hashes in /etc/shadow),
>
> Huh? Why not just use 'System' authentication?
>
>> I have DEFAULT Auth-Type := Pam in my users file; do I need to do anything further depending on the auth protocol I use inside the EAP-TTLS tunnel (pap, chap, etc)?
>
> CHAP won't work with passwords from /etc/passwd. See the FAQ.
>
>> 3. I'm really, really in the dark when it comes to the key distribution mechanism. With EAP-TTLS and WPA, what system actually generates and distributes the WPA key? Does the radius server handle that,
>
> Yes.
>
>> Is there a knob in the config I need to set up for this?
>
> No.
>
> Alan DeKok.
Re: Problem with EAP-TTLS+AEGIS Client
Jason Haar [EMAIL PROTECTED] wrote:
>> I'm amazed that the SSL code works at *all*.
>
> Have you looked at the GNU TLS code? - http://www.gnu.org/software/gnutls/

No time, sorry.

Alan DeKok.
Re: Problem with EAP-TTLS+AEGIS Client
Jason Haar [EMAIL PROTECTED] wrote:
> ..a bit off topic - but large certificates in general seem to be a problem with all sorts of SSL apps.

I'm not surprised. I've run FreeRADIUS under 'valgrind', to catch buffer overflows, and reading uninitialized memory. Without any SSL code, it's fine. With OpenSSL (EAP-TLS, etc), there are tens of thousands of error messages. And when compiling FreeRADIUS against OpenSSL, there are large amounts of warnings about the broken SSL headers.

I'm amazed that the SSL code works at *all*.

Alan DeKok.
Re: EAP/TTLS /etc/shadow
On Fri, 14 Nov 2003, Alan DeKok wrote:
> Ralf Paffrath [EMAIL PROTECTED] wrote:
>> I set Auth-Type to System but no TTLS-tunnel session would be established and I got the following debugging output:
>> ...
>> modcall: group authorize returns updated for request 0
>> rad_check_password: Found Auth-Type EAP
>> rad_check_password: Found Auth-Type System
>> Warning: Found 2 auth-types on request for user 'HUGO'
>
> sigh Did you READ what I wrote?

I did READ what you wrote! I wasn't sure how to set Auth-Type to System for the tunneled user. ;-)

> Set Auth-Type to System for the tunneled user,
>
> The username inside of the tunnel IS different than the username outside of the tunnel, isn't it?

Right! Now, I let:

username	Auth-Type := System

and deleted

DEFAULT	Auth-Type := System
	Fall-Through = Yes

from the users file. After configuring SecureW2 to set the username used for the secure tunnel to [EMAIL PROTECTED] and letting SecureW2 prompt for the user's credentials it's working. Now I can authenticate the tunneled user against /etc/shadow.

Thanks Alan for the hints!

Ralf.
Re: Problem with EAP-TTLS+AEGIS Client
On Mon, Nov 17, 2003 at 10:20:36AM -0500, Alan DeKok wrote:
> I'm amazed that the SSL code works at *all*.

Have you looked at the GNU TLS code? - http://www.gnu.org/software/gnutls/

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: Problem with EAP-TTLS+AEGIS Client
On Mon, Nov 10, 2003 at 05:18:34PM +0200, Kostas Kalevras wrote:
> Probably with small enough certificates to not worry about fragmentation.

..a bit off topic - but large certificates in general seem to be a problem with all sorts of SSL apps. We are running a full-blown internal CA, and so have done it right (IMHO) and have details such as what division a user is in, along with their email address, company name, city, country, etc. Apparently this makes our certs large, and as such we've hit every bug there is to hit with a variety of SSL/PKI products (not referring to FreeRADIUS here actually - more VPN related). We get comments back from vendors like "your certs are too big - make them smaller and the problem will go away" - as if that is even an option! Once you have decided *how* you want to run a PKI - down to what level of detail is within each cert - it's pretty bl**dy hard to change your mind later.

Oh yeah - and we got a certain vendor whose name rhymes with ISCO whose routers won't use our certs as they are signed with a CA whose serial number is 0 - apparently zero isn't an integer (see RFCxxx).

PKI still has a way to go before it's as useful as the hype makes it out to be. The technology is fine - but I get the feeling that quality control is limited due to the lack of implementations...

Yup - waaay off topic :-)

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: EAP/TTLS /etc/shadow
> Ralf Paffrath [EMAIL PROTECTED] wrote:
>> I'm running a snapshot version of freeradius with EAP/TTLS for authN. My supplicant is SecureW2. Everything works fine as long as I put in the plaintext user-password in the users configuration file and didn't set Auth-Type, e.g. username User-Password == blabla.
>
> Ok...
>
>> I absolutely don't like plaintext passwords in some files so I tried freeradius out to use /etc/shadow but with no success.
>
> Plain-text passwords aren't much of a problem from a security perspective. They also allow you to do CHAP authentication, which is impossible with /etc/passwd.
>
>> Auth-Type := EAP doesn't work:
>> ...
>> auth: type EAP
>> modcall: entering group authenticate for request 5
>> rlm_eap: EAP-Message not found
>
> Exactly. Don't set Auth-Type := EAP. EVER.
>
>> Any idea?
>
> Set Auth-Type to System for the tunneled user, and read the debugging output of the server. I note that you did NOT post that debugging output, which is the ONLY relevant thing here.

I set Auth-Type to System but no TTLS-tunnel session would be established and I got the following debugging output:

...
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
rad_check_password: Found Auth-Type System
Warning: Found 2 auth-types on request for user 'HUGO'
auth: type System
modcall: entering group authenticate for request 0
rlm_unix: Attribute User-Password is required for authentication.
modcall[authenticate]: module unix returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
...

This output led me to the assumption that Auth-Type set to System is wrong, so I set Auth-Type to EAP.

When I didn't set Auth-Type, e.g. username User-Password blabla, and set DEFAULT Auth-Type += System Fall-Through = YES, I can authenticate with the plaintext password and with /etc/passwd, so I got two valid passwords. With both passwords TTLS-tunnel sessions were established, weird!

Ralf.

> Alan DeKok.
Re: EAP/TTLS /etc/shadow
Ralf Paffrath [EMAIL PROTECTED] wrote:
> I set Auth-Type to System but no TTLS-tunnel session would be established and I got the following debugging output:
> ...
> modcall: group authorize returns updated for request 0
> rad_check_password: Found Auth-Type EAP
> rad_check_password: Found Auth-Type System
> Warning: Found 2 auth-types on request for user 'HUGO'

sigh Did you READ what I wrote?

Set Auth-Type to System for the tunneled user,

The username inside of the tunnel IS different than the username outside of the tunnel, isn't it? If not, then nothing will work.

Alan DeKok.
EAP/TTLS /etc/shadow
I'm running a snapshot version of freeradius with EAP/TTLS for authN. My supplicant is SecureW2. Everything works fine as long as I put in the plaintext user-password in the users configuration file and didn't set Auth-Type, e.g. username User-Password == blabla.

I absolutely don't like plaintext passwords in some files so I tried freeradius out to use /etc/shadow but with no success.

Auth-Type := EAP doesn't work:

...
auth: type EAP
modcall: entering group authenticate for request 5
rlm_eap: EAP-Message not found
rlm_eap: Malformed EAP Message
modcall[authenticate]: module eap returns fail for request 5
modcall: group authenticate returns fail for request 5
auth: Failed to validate the user.
TTLS: Got tunneled reply RADIUS code 3
TTLS: Rejecting tunneled user

Any idea?

Ralf
Re: EAP/TTLS /etc/shadow
Ralf Paffrath [EMAIL PROTECTED] wrote:
> I'm running a snapshot version of freeradius with EAP/TTLS for authN. My supplicant is SecureW2. Everything works fine as long as I put in the plaintext user-password in the users configuration file and didn't set Auth-Type, e.g. username User-Password == blabla.

Ok...

> I absolutely don't like plaintext passwords in some files so I tried freeradius out to use /etc/shadow but with no success.

Plain-text passwords aren't much of a problem from a security perspective. They also allow you to do CHAP authentication, which is impossible with /etc/passwd.

> Auth-Type := EAP doesn't work:
> ...
> auth: type EAP
> modcall: entering group authenticate for request 5
> rlm_eap: EAP-Message not found

Exactly. Don't set Auth-Type := EAP. EVER.

> Any idea?

Set Auth-Type to System for the tunneled user, and read the debugging output of the server. I note that you did NOT post that debugging output, which is the ONLY relevant thing here.

Alan DeKok.
Re: Problem with EAP-TTLS+AEGIS Client
On Mon, 10 Nov 2003, Kostas Kalevras wrote:
> Hello, we are facing a problem when trying to test EAP-TTLS with the Meetinghouse AEGIS Client. We are using a Cisco 2950 as an AP (EAPOL authentication) with recent IOS, freeradius latest cvs (two or three days old), Aegis 2.1.0, OpenSSL 0.9.7c.
>
> Unfortunately we haven't been able to find a sniffer capable of reporting the TLS traffic within an EAP-TTLS (or EAP-TLS for that matter) conversation. So I am mostly speculating what the problem is. As can be seen from the radiusd -X -xxx output, after sending a TLS Hello with the server certificate the client returns with a TLS ACK. I am guessing that one TLS fragment got to the client and it is ACKing for another. Though the eap_tls module seems to not accept that ACK. From what I've found the eaptls_ack_handler() never seems to be called. If it is an openssl or rlm_eap_tls module problem I don't know. From the documentation on openssl.org it seems that the handler will only be called if the received packet is ok so it can just be that the packet is malformed somehow. In any case I don't really know where to go from here. One thing that would help would be if someone confirmed that eap-ttls works with such a configuration.

OK that one was a typo. I was actually referring to the cbtls_msg() function in cb.c which is never called. And now that I think of it (and read the EAP-TLS RFC):

EAP-Message = 0x021100061500

So we do get an EAP-TLS Fragment ACK. But the callback function will *never* get called for a packet like this (it isn't an actual TLS segment in any case). As a result I don't think that the checks run in the eaptls_ack_handler() function can actually work. I've removed them and now the TTLS session works much better (I do get a core dump just before sending back the Access-Accept but I'll probably figure that one out).

> tls {
> 	private_key_password =
> 	private_key_file = /etc/1x/private.pem
> 	certificate_file = /etc/1x/cert.pem
> 	CA_file = /etc/1x/CA.pem
> 	dh_file = /etc/1x/DH
> 	random_file = /etc/1x/random
> 	fragment_size = 1024
> 	# include_length = no
> }
>
> --
> Kostas Kalevras, Network Operations Center
> National Technical University of Athens, Greece
> [EMAIL PROTECTED]
> Work Phone: +30 210 7721861
> 'Go back to the shadow' Gandalf

--
Kostas Kalevras, Network Operations Center
National Technical University of Athens, Greece
[EMAIL PROTECTED]
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
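The packet quoted above (EAP-Message = 0x021100061500) decoded, as an added example that is not part of the thread or of FreeRADIUS. The layout is the one from RFC 2716 (EAP-TLS, type 13) and the EAP-TTLS draft (type 21): Code(1) Identifier(1) Length(2) Type(1) Flags(1) [TLS Message Length(4) when the L flag is set] [TLS data]. A fragment ACK is a Response that carries only the flags byte with L, M and S all clear, which is exactly why no TLS record ever reaches OpenSSL's message callback for it. The fragmenter at the end is the server-side counterpart for a made-up TLS message; the identifier and the 1024-byte fragment size are assumptions taken from the configuration above.

```python
"""Added example: parse EAP-TLS / EAP-TTLS packet headers, recognise a fragment ACK,
and build the fragmented Requests a server emits for a large TLS message.
Not FreeRADIUS code."""
import struct
from dataclasses import dataclass
from typing import List, Optional

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_TLS, EAP_TYPE_TTLS = 13, 21
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # length included, more fragments, start


@dataclass
class EapTlsPacket:
    code: int
    ident: int
    eap_type: int
    flags: int
    total_len: Optional[int]   # TLS Message Length, present only when L is set
    data: bytes                # TLS record bytes in this fragment (may be empty)

    @property
    def is_ack(self) -> bool:
        """RFC 2716: a Response with no data and L, M, S clear acknowledges a fragment."""
        return (self.code == EAP_RESPONSE
                and not self.flags & (FLAG_L | FLAG_M | FLAG_S)
                and not self.data)

    def kind(self) -> str:
        if self.flags & FLAG_S:
            return "start"
        if self.is_ack:
            return "fragment-ack"
        return "fragment" if self.flags & FLAG_M else "last-fragment"


def parse(pkt: bytes) -> EapTlsPacket:
    """Decode one EAP packet carrying EAP-TLS or EAP-TTLS; reject malformed headers."""
    if len(pkt) < 5:
        raise ValueError("short EAP header")
    code, ident, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt):
        raise ValueError(f"EAP length {length} != packet length {len(pkt)}")
    if eap_type not in (EAP_TYPE_TLS, EAP_TYPE_TTLS):
        raise ValueError(f"not EAP-TLS/TTLS: type {eap_type}")
    if length < 6:
        raise ValueError("EAP-TLS/TTLS needs a flags byte")
    flags = pkt[5]
    body = pkt[6:]
    total_len = None
    if flags & FLAG_L:
        if len(body) < 4:
            raise ValueError("L flag set but no TLS Message Length field")
        total_len = struct.unpack("!I", body[:4])[0]
        body = body[4:]
    return EapTlsPacket(code, ident, eap_type, flags, total_len, body)


def fragment(ident: int, eap_type: int, tls_msg: bytes, fragment_size: int) -> List[bytes]:
    """Server side: L (with the total length) on the first fragment only, M on every
    fragment except the last; the peer answers each non-final one with an ACK."""
    out: List[bytes] = []
    pos, first = 0, True
    while first or pos < len(tls_msg):
        chunk = tls_msg[pos:pos + fragment_size]
        pos += len(chunk)
        flags = FLAG_L if first else 0
        if pos < len(tls_msg):
            flags |= FLAG_M
        payload = bytes([flags]) + (struct.pack("!I", len(tls_msg)) if first else b"") + chunk
        out.append(struct.pack("!BBHB", EAP_REQUEST, ident, 5 + len(payload), eap_type) + payload)
        ident = (ident + 1) & 0xFF
        first = False
    return out


if __name__ == "__main__":
    p = parse(bytes.fromhex("021100061500"))       # the packet quoted in the thread
    print(p.kind(), "type", p.eap_type, "id", p.ident)
    for f in fragment(0x12, EAP_TYPE_TTLS, b"\x16\x03\x01" + b"A" * 2000, 1024):
        q = parse(f)
        print(q.kind(), "total", q.total_len, "this fragment", len(q.data), "bytes")
```

The thread's packet decodes as code 2 (Response), identifier 0x11, length 6, type 21 (EAP-TTLS), flags 0x00: a fragment ACK. An ACK handler therefore has to decide what to do from the state the server itself kept (is a fragment of our own still outstanding?), not from anything the TLS library observed about the packet.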
Re: Problem with EAP-TTLS+AEGIS Client
Kostas Kalevras [EMAIL PROTECTED] wrote:
> So we do get an EAP-TLS Fragment ACK. But the callback function will *never* get called for a packet like this (it isn't an actual TLS segment in any case). As a result I don't think that the checks run in the eaptls_ack_handler() function can actually work.

Hm... I used the Aegis client to test the TTLS code, so it worked for me...

> I've removed them and now the TTLS session works much better (I do get a core dump just before sending back the Access-Accept but I'll probably figure that one out).

Do you have a patch, with a little more detailed explanation as to what is going wrong, and why?

Alan DeKok.
Re: Problem with EAP-TTLS+AEGIS Client
On Mon, 10 Nov 2003, Alan DeKok wrote:
> Kostas Kalevras [EMAIL PROTECTED] wrote:
>> So we do get an EAP-TLS Fragment ACK. But the callback function will *never* get called for a packet like this (it isn't an actual TLS segment in any case). As a result I don't think that the checks run in the eaptls_ack_handler() function can actually work.
>
> Hm... I used the Aegis client to test the TTLS code, so it worked for me...

Probably with small enough certificates to not worry about fragmentation.

>> I've removed them and now the TTLS session works much better (I do get a core dump just before sending back the Access-Accept but I'll probably figure that one out).
>
> Do you have a patch, with a little more detailed explanation as to what is going wrong, and why?

I am attaching the patch (though it just makes eaptls_ack_handler return immediately). Let me try and outline the problem.

For TLS fragments the client will respond with an EAP-TTLS message with only one zero data byte. This signifies a fragment ACK. In eap_tls we have registered eaptls_msg as a callback function for all TLS messages which will set various variables like

	state->info.origin = (unsigned char)write_p;
	state->info.content_type = (unsigned char)content_type;
	state->info.record_len = len;
	state->info.version = msg_version;

Though since this one byte packet is *not* an actual TLS packet this function will not run in this case. Nevertheless, eaptls_ack_handler currently will use these variables to determine the nature of the received packet. As a result it will fail and kill the EAP-TTLS (or EAP-TLS for that matter) session. So the way I see it the fix is to just make eaptls_ack_handler a dummy function which will just return EAPTLS_REQUEST. Though I don't know the eap module that well to be sure that this is the correct solution.

> Alan DeKok.

--
Kostas Kalevras, Network Operations Center
National Technical University of Athens, Greece
[EMAIL PROTECTED]
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

Index: eap_tls.c === RCS file: /source/radiusd/src/modules/rlm_eap/types/rlm_eap_tls/eap_tls.c,v retrieving revision 1.18 diff -u -r1.18 eap_tls.c --- eap_tls.c 23 Oct 2003 22:04:09 - 1.18 +++ eap_tls.c 10 Nov 2003 15:09:02 - @@ -214,6 +214,12 @@ tls_session_t *tls_session; tls_session = (tls_session_t *)handler-opaque; + if (tls_session == NULL){ + radlog(L_ERR, rlm_eap_tls: Unexpected ACK received); + return EAPTLS_FAIL; + } + return EAPTLS_REQUEST; + if ((tls_session == NULL) || (tls_session-info.origin == 0)) { radlog(L_ERR, rlm_eap_tls: Unexpected ACK received);
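Review bot: the unconditional `return EAPTLS_REQUEST;` added in the hunk at line 214 leaves the existing `if ((tls_session == NULL) || (tls_session->info.origin == 0))` check and its `radlog(L_ERR, "rlm_eap_tls: Unexpected ACK received")` unreachable, while the new `if (tls_session == NULL)` block just above repeats the NULL half of that check with the same message. Delete the dead code instead of carrying two copies of it. More importantly, after this change every ACK that arrives for a handler with a live session is answered with EAPTLS_REQUEST, so a stray or replayed ACK (nothing of ours outstanding) is indistinguishable from a legitimate one; since, as the message explains, the TLS callback never runs for the one-byte ACK and info.origin cannot be trusted here, record the state explicitly (for example set a flag when a fragment with M is sent and clear it when the last one goes out) and return EAPTLS_FAIL when an ACK arrives with nothing outstanding. A comment in the hunk saying why info.origin is not consulted would stop the next reader from reinstating the check.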
Re: Problem with EAP-TTLS+AEGIS Client
On Mon, 10 Nov 2003, Kostas Kalevras wrote:
> OK that one was a typo. I was actually referring to the cbtls_msg() function in cb.c which is never called. And now that I think of it (and read the EAP-TLS RFC):
>
> EAP-Message = 0x021100061500
>
> So we do get an EAP-TLS Fragment ACK. But the callback function will *never* get called for a packet like this (it isn't an actual TLS segment in any case). As a result I don't think that the checks run in the eaptls_ack_handler() function can actually work. I've removed them and now the TTLS session works much better (I do get a core dump just before sending back the Access-Accept but I'll probably figure that one out).

For the core dump now:

Loaded symbols for /usr/libexec/ld-elf.so.1
#0  0x2844b337 in eaptls_gen_mppe_keys (reply_vps=0x81169b8, s=0x809ec00, prf_label=0x14 <Address 0x14 out of bounds>) at mppe_keys.c:136
136		memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
(gdb) print s
$1 = (struct ssl_st *) 0x809ec00
(gdb) print s->s2
$2 = (struct ssl2_state_st *) 0x8117400
(gdb) print s->s3
$3 = (struct ssl3_state_st *) 0x0

In other words the s->s3 structure is NULL. I've added a few debug statements in rlm_eap_tls and rlm_eap_ttls and it seems to always be NULL. I don't know why though. In any case that one is causing the core dumps. If there are no objections I can add a few checks in eaptls_gen_mppe_keys() and eapttls_gen_challenge() for s->s3 being NULL.

--
Kostas Kalevras, Network Operations Center
National Technical University of Athens, Greece
[EMAIL PROTECTED]
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
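What eaptls_gen_mppe_keys() is reaching for when it reads s->s3->client_random, and the answer to the earlier question of who generates the WPA key, as an added example that is not part of the thread or of FreeRADIUS. RFC 2716 derives the session keying material with the TLS 1.0 PRF (RFC 2246) over the TLS master secret, the label "client EAP encryption" and client_random || server_random; the RADIUS server then returns the first 32 bytes as MS-MPPE-Recv-Key and the next 32 as MS-MPPE-Send-Key, each wrapped with the RADIUS shared secret as RFC 2548 specifies, and the access point uses them for the 802.11 keys. EAP-TTLS reuses the same PRF with the label "ttls challenge" for the implicit challenge of tunneled CHAP/MS-CHAP. The master secret, randoms, Request Authenticator, salt and shared secret below are constructed placeholders (assumptions); a server takes them from the TLS session and the Access-Request.

```python
"""Added example: TLS 1.0 PRF, EAP-TLS/TTLS key derivation and the RFC 2548 wrapping
of MS-MPPE-*-Key for the Access-Accept.  Not FreeRADIUS code."""
import hashlib
import hmac
from typing import Dict


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """RFC 2246 section 5: HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ...
    with A(0) = seed and A(i) = HMAC(secret, A(i-1)); truncated to `length`."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls10_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF = P_MD5(S1, label+seed) XOR P_SHA1(S2, label+seed); S1/S2 are the first
    and last halves of the secret (they share one byte when its length is odd)."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


def eap_tls_mppe_keys(master_secret: bytes, client_random: bytes,
                      server_random: bytes) -> Dict[str, bytes]:
    """RFC 2716 key material, split the way the server hands it to the NAS."""
    km = tls10_prf(master_secret, b"client EAP encryption",
                   client_random + server_random, 64)
    return {"MS-MPPE-Recv-Key": km[:32], "MS-MPPE-Send-Key": km[32:64]}


def ttls_implicit_challenge(master_secret: bytes, client_random: bytes,
                            server_random: bytes, length: int = 17) -> bytes:
    """EAP-TTLS implicit challenge: 16 challenge bytes + 1 identifier byte for CHAP."""
    return tls10_prf(master_secret, b"ttls challenge",
                     client_random + server_random, length)


def mppe_key_encrypt(key: bytes, radius_secret: bytes,
                     request_authenticator: bytes, salt: bytes) -> bytes:
    """RFC 2548 section 2.4: P = len || key || zero pad to 16n;
    c(1) = p(1) XOR MD5(S || R || A), c(i) = p(i) XOR MD5(S || c(i-1));
    attribute value = salt || c(1) .. c(n)."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt is two bytes with the high bit of the first set")
    p = bytes([len(key)]) + key
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", request_authenticator + salt
    for i in range(0, len(p), 16):
        b = hashlib.md5(radius_secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(p[i:i + 16], b))
        out += c
        prev = c
    return salt + out


def mppe_key_decrypt(value: bytes, radius_secret: bytes,
                     request_authenticator: bytes) -> bytes:
    """Inverse of mppe_key_encrypt, as the access point does on receipt."""
    salt, ct = value[:2], value[2:]
    p, prev = b"", request_authenticator + salt
    for i in range(0, len(ct), 16):
        b = hashlib.md5(radius_secret + prev).digest()
        p += bytes(x ^ y for x, y in zip(ct[i:i + 16], b))
        prev = ct[i:i + 16]
    if not p:
        raise ValueError("empty MS-MPPE key attribute")
    return p[1:1 + p[0]]


if __name__ == "__main__":
    master = bytes(range(48))              # placeholder; real value: the TLS session
    c_rand, s_rand = b"\x11" * 32, b"\x22" * 32
    req_auth = b"\x33" * 16                # placeholder Request Authenticator
    for name, k in eap_tls_mppe_keys(master, c_rand, s_rand).items():
        attr = mppe_key_encrypt(k, b"testing123", req_auth, b"\x80\x01")
        print(name, k.hex(), "->", attr.hex())
    print("ttls challenge", ttls_implicit_challenge(master, c_rand, s_rand).hex())
```

Two practical consequences follow from this derivation. The keys only exist once the TLS handshake has completed on the server, which is why a NULL s->s3 (no TLSv1 state) crashes exactly at this point; and the MS-MPPE attributes are protected by nothing stronger than MD5 keyed with the RADIUS shared secret, so the secret between server and access point is what actually guards the WLAN session keys in transit.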
Re: Problem with EAP-TTLS+AEGIS Client
Kostas Kalevras [EMAIL PROTECTED] wrote:
> For the core dump now:
> ...
> (gdb) print s->s2
> $2 = (struct ssl2_state_st *) 0x8117400
> (gdb) print s->s3
> $3 = (struct ssl3_state_st *) 0x0
>
> In other words the s->s3 structure is NULL.

See RFC 2716, top of page 3. TLS version 1 is required. See ssl/ssl.h, SSLv3 is pretty much TLS version 1.

So the TLS session SHOULD have been rejected, as soon as the client tried to use SSLv2. This may be a failure in the EAP-TLS code. Hmm... See: src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c, line 185:

	/*
	 *	Set ctx_options
	 */
	ctx_options |= SSL_OP_NO_SSLv2;
	ctx_options |= SSL_OP_NO_SSLv3;

So SSLv2 and SSLv3 should NOT be used. Ever.

> In any case that one is causing the core dumps. If there are no objections I can add a few checks in eaptls_gen_mppe_keys() and eapttls_gen_challenge() for s->s3 being NULL

I'd say add a few checks to the TLS module, eaptls_process(), so that it returns FAILED if s->s3 == NULL. That will prevent the core dump, but it will also prevent your client from working.

Alan DeKok.
Re: Problem with EAP-TTLS+AEGIS Client
On Mon, 10 Nov 2003, Alan DeKok wrote:
> Kostas Kalevras [EMAIL PROTECTED] wrote:
>> For the core dump now:
>> ...
>> (gdb) print s->s2
>> $2 = (struct ssl2_state_st *) 0x8117400
>> (gdb) print s->s3
>> $3 = (struct ssl3_state_st *) 0x0
>>
>> In other words the s->s3 structure is NULL.
>
> See RFC 2716, top of page 3. TLS version 1 is required. See ssl/ssl.h, SSLv3 is pretty much TLS version 1.
>
> So the TLS session SHOULD have been rejected, as soon as the client tried to use SSLv2. This may be a failure in the EAP-TLS code. Hmm... See: src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c, line 185:
>
> 	/*
> 	 *	Set ctx_options
> 	 */
> 	ctx_options |= SSL_OP_NO_SSLv2;
> 	ctx_options |= SSL_OP_NO_SSLv3;
>
> So SSLv2 and SSLv3 should NOT be used. Ever.

OK now I am getting really puzzled. I did this little change:

eap_tls.c, line 680
	DEBUG2("  rlm_eap_tls: processing TLS");
	if (tls_session->ssl)
		DEBUG("  rlm_eap_tls: Version: %s", SSL_get_version(tls_session->ssl));

and I get:

Mon Nov 10 18:33:14 2003 : Debug: rlm_eap_tls: processing TLS
Mon Nov 10 18:33:14 2003 : Debug: rlm_eap_tls: Version: TLSv1

Man page for SSL_get_version: "returns the name of the protocol used for the connection ssl". Unfortunately I don't have a sniffer capable of returning the TLS session details from within the EAP message conversation. So /me puzzled

>> In any case that one is causing the core dumps. If there are no objections I can add a few checks in eaptls_gen_mppe_keys() and eapttls_gen_challenge() for s->s3 being NULL
>
> I'd say add a few checks to the TLS module, eaptls_process(), so that it returns FAILED if s->s3 == NULL. That will prevent the core dump, but it will also prevent your client from working.

It's rather strange since I am also using the AEGIS client. How can I be so damn lucky and hit on all errors? :-)

> Alan DeKok.

--
Kostas Kalevras, Network Operations Center
National Technical University of Athens, Greece
[EMAIL PROTECTED]
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: Problem with EAP-TTLS+AEGIS Client
Kostas Kalevras [EMAIL PROTECTED] wrote:
> and I get:
> Mon Nov 10 18:33:14 2003 : Debug: rlm_eap_tls: processing TLS
> Mon Nov 10 18:33:14 2003 : Debug: rlm_eap_tls: Version: TLSv1

Which should be fine. So I'm a little confused as to why s->s3 is NULL. OpenSSL versions, maybe?

Alan DeKok.
Re: Problem with EAP-TTLS+AEGIS Client
On Mon, 10 Nov 2003, Alan DeKok wrote:
> Kostas Kalevras [EMAIL PROTECTED] wrote:
> > and I get:
> > Mon Nov 10 18:33:14 2003 : Debug: rlm_eap_tls: processing TLS
> > Mon Nov 10 18:33:14 2003 : Debug: rlm_eap_tls: Version: TLSv1
>
> Which should be fine. So I'm a little confused as to why s->s3 is NULL. OpenSSL versions, maybe?

Yes, that was it. rlm_eap_{ttls,tls} was using the correct version but the radiusd binary was compiled with the older ones. Now all is working fine. Thanks a lot for your help.

> Alan DeKok.

--
Kostas Kalevras, Network Operations Center, National Technical University of Athens, Greece
EAP/TTLS Proxying
Is there any news on proxying EAP/TTLS? Does the thing work?

P.S. In the last discussion on the mailing list Alan said that this doesn't work.

Thanks,
Sergio - Srdjan Vemic
Re: EAP/TTLS Proxying
Fastbyte [EMAIL PROTECTED] wrote:
> Is there any news on proxying EAP/TTLS? Does the thing work?
> P.S. In the last discussion on the mailing list Alan said that this doesn't work.

There has been no announcement that it works, so it still doesn't work.

Alan DeKok.
Problem with EAP-TTLS+AEGIS Client
Hello, we are facing a problem when trying to test EAP-TTLS with the Meetinghouse AEGIS Client. We are using a Cisco 2950 as an AP (EAPOL authentication) with recent IOS, freeradius latest CVS (two or three days old), Aegis 2.1.0, OpenSSL 0.9.7c.

Unfortunately we haven't been able to find a sniffer capable of reporting the TLS traffic within an EAP-TTLS (or EAP-TLS for that matter) conversation, so I am mostly speculating about what the problem is. As can be seen from the radiusd -X -xxx output, after sending a TLS Hello with the server certificate the client returns with a TLS ACK. I am guessing that one TLS fragment got to the client and it is ACKing for another, though the eap_tls module seems to not accept that ACK. From what I've found, eaptls_ack_handler() never seems to be called. Whether it is an openssl or an rlm_eap_tls module problem I don't know. From the documentation on openssl.org it seems that the handler will only be called if the received packet is ok, so it can just be that the packet is malformed somehow. In any case I don't really know where to go from here. One thing that would help would be if someone confirmed that eap-ttls works with such a configuration.
    tls {
        private_key_password =
        private_key_file = /etc/1x/private.pem
        certificate_file = /etc/1x/cert.pem
        CA_file = /etc/1x/CA.pem
        dh_file = /etc/1x/DH
        random_file = /etc/1x/random
        fragment_size = 1024
        # include_length = no
    }

--
Kostas Kalevras, Network Operations Center, National Technical University of Athens, Greece

rad_recv: Access-Request packet from host 147.102.247.20:1812, id=45, length=102
        NAS-IP-Address = 147.102.247.20
        NAS-Port-Type = Async
        User-Name = papage
        Service-Type = Framed-User
        Framed-MTU = 1500
        Calling-Station-Id = 00-00-86-33-52-43
        EAP-Message = 0x020e000b01706170616765
        Message-Authenticator = 0x33b1b4adac3a64f2951c083441512065
Sun Nov 9 21:52:25 2003 : Debug: modcall: entering group authorize for request 40
Sun Nov 9 21:52:25 2003 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 40
Sun Nov 9 21:52:25 2003 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 40
Sun Nov 9 21:52:25 2003 : Debug: modcall[authorize]: module preprocess returns ok for request 40
Sun Nov 9 21:52:25 2003 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 40
Sun Nov 9 21:52:25 2003 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 40
Sun Nov 9 21:52:25 2003 : Debug: modcall[authorize]: module chap returns noop for request 40
Sun Nov 9 21:52:25 2003 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 40
Sun Nov 9 21:52:25 2003 : Debug: rlm_eap: EAP packet type response id 14 length 11
Sun Nov 9 21:52:25 2003 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Sun Nov 9 21:52:25 2003 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 40
Sun Nov 9 21:52:25 2003 : Debug: modcall[authorize]: module eap returns updated for request 40
Sun Nov 9 21:52:25 2003 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 40
Sun Nov 9 21:52:25 2003 : Debug: rlm_realm: No '@' in User-Name = papage, looking up realm NULL
Sun Nov 9 21:52:25 2003 : Debug: rlm_realm: No such realm NULL
Sun Nov 9 21:52:25 2003 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 40
Sun Nov 9 21:52:25 2003 : Debug: modcall[authorize]: module suffix returns noop for request 40
Sun Nov 9 21:52:25 2003 : Debug: modsingle[authorize]: calling files (rlm_files) for request 40
Sun Nov 9 21:52:25 2003 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 40
Sun Nov 9 21:52:25 2003 : Debug: modcall[authorize]: module files returns notfound for request 40
Sun Nov 9 21:52:25 2003 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 40
Sun Nov 9 21:52:25 2003 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 40
Sun Nov 9 21:52:25 2003 : Debug: modcall[authorize]: module mschap returns noop for request 40
Sun Nov 9 21:52:25 2003 : Debug: modcall: group authorize returns updated for request 40
Sun Nov 9 21:52:25 2003 : Debug: rad_check_password: Found Auth-Type EAP
Sun Nov 9 21:52:25 2003 : Debug: auth: type EAP
Sun Nov 9 21:52:25 2003 : Debug: modcall: entering group authenticate for request 40
Sun Nov 9 21:52:25 2003 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 40
Sun Nov 9 21:52:25 2003 : Debug: rlm_eap: EAP Identity
Sun Nov
some configuration problems in EAP/TTLS and EAP/PEAP in freeradius
I have downloaded the newest version of freeradius, freeradius-snapshot-20031030.tar.gz, and I want to use TTLS and PEAP to authenticate, but I don't know how to configure the /freeradius folder/etc/raddb/user file. Would you give me some suggestions about my problem? Thanks!

wkynwkyn
Re: some configuration problems in EAP/TTLS and EAP/PEAP in freeradius
一 农 [EMAIL PROTECTED] wrote:
> And I want to use TTLS and PEAP to authenticate, but I don't know how to configure the /freeradius folder/etc/raddb/user file.

For examples of configuring TLS, see: http://www.freeradius.org/doc/

You need TLS for TTLS & PEAP. After that, just supply username & password, and TTLS/PEAP will work.

Alan DeKok.
FreeRadius Snapshot 28102203: EAP/TTLS with PAP tunnel.
Hi all, I successfully compiled the 28/10 snapshot on a Slackware Linux 9.1, which has OpenSSL 0.9.7b included in the distro. I tried to use the EAP/TTLS method and succeeded only using MD5 as the tunnel type. Does FreeRADIUS support EAP/TTLS with PAP??? I really need it!! I need to exchange the clear password because authentication is delegated to an LDAP server.

Thanks,
Giancarlo
Re: FreeRadius Snapshot 28102203: EAP/TTLS with PAP tunnel.
[EMAIL PROTECTED] wrote:
> I tried to use the EAP/TTLS method and succeeded only using MD5 as the tunnel type. Does FreeRADIUS support EAP/TTLS with PAP??? I really need it!!

Yes. Did you try reading the web page, or try using PAP with TTLS?

Alan DeKok.
Segfault using EAP/TTLS.
Hi all,

This is my first post here; I hope it will be done the right way. I'm using the latest freeradius snapshot to authenticate wireless users with EAP-TTLS. I have 2 APs, a Cisco Aironet 1100 series and a Netgear ME103. The client part runs under WinXP with the MeetingHouse EAP/TTLS client (Aegis). I've already been able to get the system to function under a Redhat 8. But I installed it on a Redhat 7.1, and now I've got the ttls module segfaulting after establishment of the ttls tunnel. I'm a little bit lost because all parameters are so similar between the 2 configurations, and even if it was a configuration mistake on my part, I doubt that freeradius should segfault in those cases.

A little more detail about the conditions. Here is the exact version:

    radiusd: FreeRADIUS Version 1.0.0-pre0, for host i686-pc-linux-gnu, built on Oct 9 2003 at 10:53:02

I deactivated LDAP, sql.. to try to isolate the problem. So in this configuration I only have a local user "localuser" in files. Here is the end of the output of a radiusd -X:

--
[...]
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
eaptls_process returned 7
rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
TTLS: Got tunneled request
        EAP-Message = 0x020e016c6f63616c75736572
        Freeradius-Proxied-To = 127.0.0.1
TTLS: Got tunneled identity of localuser
TTLS: Setting default EAP type for tunneled EAP session.
Segmentation fault
--

Tell me if you need the full log to diagnose.. Here is some information about the segfault; gdb found this:

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 1024 (LWP 17319)]
    0x401fbf13 in eapttls_process (request=0x8120710, tls_session=0x8110070) at ttls.c:675
    675         vp->lvalue = t->default_eap_type;
    (gdb)

Thank you for your help.
--
Guitou / Guillaume THIBAUX
Re: Segfault using EAP/TTLS.
Guillaume THIBAUX [EMAIL PROTECTED] wrote:
> I've already been able to get the system to function under a Redhat 8. But I installed it on a Redhat 7.1, and now I've got the ttls module segfaulting after establishment of the ttls tunnel. I'm a little bit lost because all parameters are so similar between the 2 configurations, and even if it was a configuration mistake on my part, I doubt that freeradius should segfault in those cases.
> ...
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 1024 (LWP 17319)]
> 0x401fbf13 in eapttls_process (request=0x8120710, tls_session=0x8110070) at ttls.c:675
> 675         vp->lvalue = t->default_eap_type;

My first guess would be that you installed the server on top of an older version, and didn't update the dictionaries. Look at the line above 675: it tries to create an attribute "EAP-Type". Ensure that you have this in your dictionaries, and that /etc/raddb/dictionary includes the ones in /usr/share/freeradius.

Alan DeKok.
Re: Segfault using EAP/TTLS.
On Friday 10 October 2003 17:08, Alan DeKok wrote:
> My first guess would be that you installed the server on top of an older version, and didn't update the dictionaries. Look at the line above 675: it tries to create an attribute "EAP-Type". Ensure that you have this in your dictionaries, and that /etc/raddb/dictionary includes the ones in /usr/share/freeradius.

You're the man! :) You guessed right: I upgraded an older freeradius on this machine and the new version was still referring to the old dictionary file. I changed the include path in /etc/raddb/dictionary and it works well now.. Thanks a lot for your help and thank you for all your work on this project.
--
Guitou / Guillaume THIBAUX
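The check Alan asks for, turned into a small tool: walk /etc/raddb/dictionary and every $INCLUDE it pulls in, and report which file (if any) defines ATTRIBUTE EAP-Type. This is an added example, not FreeRADIUS code or anything posted in the thread. It builds a constructed dictionary tree in a temporary directory that mirrors the situation above (a raddb/dictionary still including an old share directory that predates EAP-Type); the file names and the attribute number 1706 follow the FreeRADIUS layout but are assumptions made for the demo, and only the ATTRIBUTE and $INCLUDE keywords of the dictionary syntax are parsed.

```python
"""
Added example (not FreeRADIUS code): resolve a FreeRADIUS dictionary's
$INCLUDE chain and locate the file that defines a given ATTRIBUTE.
The sample tree built by build_sample_tree() is constructed test data.
"""
import os
import re
import tempfile

INCLUDE_RE = re.compile(r"^\$INCLUDE\s+(\S+)")
ATTRIBUTE_RE = re.compile(r"^ATTRIBUTE\s+(\S+)\s+(\d+)\s+(\S+)")


def find_attribute(dict_path, name, seen=None):
    """Return the path of the dictionary file that defines ATTRIBUTE `name`,
    following relative and absolute $INCLUDE lines, or None if no file in
    the chain defines it.  Cycles and missing files are tolerated."""
    seen = set() if seen is None else seen
    dict_path = os.path.abspath(dict_path)
    if dict_path in seen or not os.path.isfile(dict_path):
        return None
    seen.add(dict_path)
    base = os.path.dirname(dict_path)
    with open(dict_path) as fh:
        for line in fh:
            line = line.split("#", 1)[0].strip()      # drop comments
            m = ATTRIBUTE_RE.match(line)
            if m and m.group(1) == name:
                return dict_path
            m = INCLUDE_RE.match(line)
            if m:
                inc = m.group(1)
                if not os.path.isabs(inc):
                    inc = os.path.join(base, inc)   # relative to the including file
                hit = find_attribute(inc, name, seen)
                if hit:
                    return hit
    return None


def _write(path, text):
    with open(path, "w") as fh:
        fh.write(text)


def build_sample_tree(root):
    """Constructed reproduction of the thread: an old share directory whose
    dictionaries predate EAP-Type, a new one that has it, and a
    raddb/dictionary that still includes the old one.
    Returns (path of raddb/dictionary, path of the new share directory)."""
    old, new, raddb = (os.path.join(root, d) for d in ("old-share", "new-share", "raddb"))
    for d in (old, new, raddb):
        os.makedirs(d)
    rfc2865 = "ATTRIBUTE\tUser-Name\t1\tstring\nATTRIBUTE\tUser-Password\t2\tstring\n"
    _write(os.path.join(old, "dictionary"), "$INCLUDE dictionary.rfc2865\n")
    _write(os.path.join(old, "dictionary.rfc2865"), rfc2865)
    _write(os.path.join(new, "dictionary"),
           "$INCLUDE dictionary.rfc2865\n$INCLUDE dictionary.freeradius.internal\n")
    _write(os.path.join(new, "dictionary.rfc2865"), rfc2865)
    _write(os.path.join(new, "dictionary.freeradius.internal"),
           "# internal attributes (assumed number)\n"
           "ATTRIBUTE\tEAP-Type\t1706\tinteger\nVALUE\tEAP-Type\tTTLS\t21\n")
    _write(os.path.join(raddb, "dictionary"), "$INCLUDE %s/dictionary\n" % old)
    return os.path.join(raddb, "dictionary"), new


def demo():
    """Returns (EAP-Type found before the fix, found after the fix)."""
    with tempfile.TemporaryDirectory() as root:
        raddb_dict, new_share = build_sample_tree(root)
        before = find_attribute(raddb_dict, "EAP-Type")
        # The fix from the thread: point raddb/dictionary at the new share dir.
        _write(raddb_dict, "$INCLUDE %s/dictionary\n" % new_share)
        after = find_attribute(raddb_dict, "EAP-Type")
        return before is not None, after is not None


if __name__ == "__main__":
    print("EAP-Type found (before, after fixing the include):", demo())
```

Run it against a real install by calling find_attribute("/etc/raddb/dictionary", "EAP-Type"): a None result is the condition that made ttls.c:675 dereference a NULL value pair.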
EAP-TTLS.
Hi,

Has anybody implemented EAP-TTLS, or have more details on how to implement EAP-TTLS with PAP? I am facing a problem with an ISP that has an old legacy platform with Merit RADIUS and IBM LDAP. I tried to test with FreeRADIUS and IBM LDAP. IBM LDAP responds nicely to FreeRADIUS with the crypto password of the user. When I enter my username and password through an 802.1x Ethernet switch from an XP client with MD5 challenge, the FreeRADIUS debug says "MD5 challenge failure". It means my FreeRADIUS server is not understanding the users' passwords. How can I convert the crypto passwords in IBM LDAP to MD5 passwords? Or can the same thing be used with EAP-TTLS?? I am confused.

Thanks in advance,
Raj Jadhav
Re: EAP-TTLS.
On Thu, 9 Oct 2003, Raj Jadhav wrote:
> Hi, has anybody implemented EAP-TTLS, or have more details on how to implement EAP-TTLS with PAP? I am facing a problem with an ISP that has an old legacy platform with Merit RADIUS and IBM LDAP. I tried to test with FreeRADIUS and IBM LDAP. IBM LDAP responds nicely to FreeRADIUS with the crypto password of the user. When I enter my username and password through an 802.1x Ethernet switch from an XP client with MD5 challenge, the FreeRADIUS debug says "MD5 challenge failure". It means my FreeRADIUS server is not understanding the users' passwords. How can I convert the crypto passwords in IBM LDAP to MD5 passwords?

You can't. EAP-MD5 is the same as CHAP. See:

http://www.freeradius.org/faq/#4.4
http://www.freeradius.org/faq/#5.11

> Or can the same thing be used with EAP-TTLS?? I am confused.
> Thanks in advance,
> Raj Jadhav

--
Kostas Kalevras, Network Operations Center, National Technical University of Athens, Greece
RE: Anyone get FreeRadius + CIsco Aironet 1100 AP + Cisco client under WinXP or 2K to work with EAP-TTLS.
> Francisco Javier Martinez Martinez [EMAIL PROTECTED] wrote:
> > I want to know if it is possible to make the following scenario work: AP: Cisco Aironet 1100 or similar; Client/supplicant: Windows 2K/XP and Cisco client; EAP: TTLS; Authentication server: FreeRADIUS.
>
> I've used XP with a Cisco 350, and a non-Cisco client. From what I recall, the Cisco client doesn't do TTLS, so that would appear to be a show-stopper.

There is a free Windows client for EAP-TTLS: www.alfa-arriss.com. I've used it with a Cisco client and it worked fine.

Antonia
Re: Anyone get FreeRadius + CIsco Aironet 1100 AP + Cisco client under WinXP or 2K to work with EAP-TTLS.
hi,

Antonia Kujundzic wrote:
> There is a free Windows client for EAP-TTLS: www.alfa-arriss.com. I've used it with a Cisco client and it worked fine.

hey, thanks, excellent! They really still produce freeware out there? :) (Small correction to the link: it is actually www.alfa-ariss.com.)

ciao,
artur

PS: the size of the whole thing is 85k. Another proof of Alan's statement about the straightforward, easy TTLS implementation. Otherwise they would hardly give it away for free :)
eap-ttls pap can't work with aegis client
I have tested eap-ttls with freeradius and the client is aegis; ms-chap, ms-chap-v2 and eap-md5 work, but it seems that pap and chap don't work. Here is the message from radiusd (using eap-ttls-pap), thanks!

rad_recv: Access-Request packet from host 192.168.102.1:1200, id=187, length=281
        EAP-Message = 0x027b006c1580006217030100183a14f67f8fde6b4b1d02e5224ceccd80d3ab2425d32b17030100400fffe387d3edb5fc712b6e29492e410bbd8fb4457bf19a7bde6f4d8ebe40439da8871e1abaabf15e3783cb4ba34a97faf7fe2a8e69734e09ac105340d4a8bea6
        User-Name = test
        NAS-Identifier = IPONE_AG2000_KT
        NAS-IP-Address = 192.168.102.1
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1
        Service-Type = Framed-User
        Framed-MTU = 1400
        Connect-Info = CONNECT 11Mbps 802.11b
        Calling-Station-Id = 00-60-b3-6a-38-7f
        Called-Station-Id = 00-07-13-40-00-7c
        State = 0x8675b25f15e3b78950a070be27e214c8
        Message-Authenticator = 0xfe666e934d24293a78b6577a5bde650d
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
modcall[authorize]: module chap returns noop
rlm_eap: EAP packet type response id 123 length 108
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated
rlm_realm: No '@' in User-Name = test, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop
users: Matched test at 114
modcall[authorize]: module files returns ok
modcall[authorize]: module mschap returns noop
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
eaptls_process returned 7
rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
TTLS: Got tunneled request
        User-Name = test
        User-Password = test
        Freeradius-Proxied-To = 127.0.0.1
TTLS: Sending tunneled request
        User-Name = test
        User-Password = test
        Freeradius-Proxied-To = 127.0.0.1
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
modcall[authorize]: module chap returns noop
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop
rlm_realm: No '@' in User-Name = test, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop
users: Matched test at 114
modcall[authorize]: module files returns ok
modcall[authorize]: module mschap returns noop
modcall: group authorize returns ok
rad_check_password: Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate
rlm_eap: EAP-Message not found
rlm_eap: Malformed EAP Message
modcall[authenticate]: module eap returns fail
modcall: group authenticate returns fail
auth: Failed to validate the user.
TTLS: Got tunneled reply RADIUS code 3
        Service-Type = Framed-User
        Idle-Timeout = 2000
        Session-Timeout = 2
TTLS: Rejecting tunneled user
rlm_eap: Handler failed in EAP type 21
rlm_eap: Failed in EAP select
modcall[authenticate]: module eap returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Delaying request 35 for 1 seconds
Finished request 35
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 187 to 192.168.102.1:1200
        EAP-Message = 0x047b0004
        Message-Authenticator = 0x

--
Best Regards,
george
Re: eap-ttls pap can't work with aegis client
george [EMAIL PROTECTED] wrote:
> I have tested eap-ttls with freeradius and the client is aegis; ms-chap, ms-chap-v2 and eap-md5 work, but it seems that pap and chap don't work. Here is the message from radiusd (using eap-ttls-pap), thanks!

PAP & CHAP work fine with the Aegis client. You've broken your local configuration to disable PAP & CHAP.

> modcall[authorize]: module suffix returns noop
> users: Matched test at 114

You've set 'Auth-Type := EAP' here, for this user. Don't do that.

Alan DeKok.
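Alan's diagnosis written out as a users-file entry, so the failure mode in george's log is visible next to its fix. This is an added example, not george's actual users file: the entry name and password ("test") are taken from the log, the line number is not reproduced, and the check-item syntax is that of the FreeRADIUS users file of that era.

```text
# BROKEN: forcing Auth-Type sends every request for "test" into rlm_eap,
# including the tunneled PAP request, which carries no EAP-Message
# ("rlm_eap: EAP-Message not found" / "Malformed EAP Message" in the log).
test    Auth-Type := EAP, User-Password == "test"

# FIXED: no Auth-Type.  rlm_eap sets Auth-Type = EAP itself for the outer
# request (it sees the EAP-Message), while the tunneled PAP request is
# checked against the User-Password check item and a tunneled CHAP request
# is handled by rlm_chap, exactly as an untunneled request from a NAS would be.
test    User-Password == "test"
```

The same applies to any other place that forces Auth-Type (a DEFAULT entry, or an SQL radcheck row): the inner request is "just another request", so anything that pins it to EAP breaks every non-EAP inner method.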
Anyone get FreeRadius + CIsco Aironet 1100 AP + Cisco client under WinXP or 2K to work with EAP-TTLS.
Hello. My apologies if my question is redundant or has been asked before (I have read the list's messages and didn't find anything). I want to know if it is possible to make the following scenario work:

AP: Cisco Aironet 1100 or similar
Client/supplicant: Windows 2K/XP and Cisco client
EAP: TTLS
Authentication server: FreeRADIUS

If it is possible, has anyone made it work, or does anyone know where I could get a howto guide?

Thanks in advance.
Re: Anyone get FreeRadius + CIsco Aironet 1100 AP + Cisco client under WinXP or 2K to work with EAP-TTLS.
Francisco Javier Martinez Martinez [EMAIL PROTECTED] wrote:
> I want to know if it is possible to make the following scenario work: AP: Cisco Aironet 1100 or similar; Client/supplicant: Windows 2K/XP and Cisco client; EAP: TTLS; Authentication server: FreeRADIUS.

I've used XP with a Cisco 350, and a non-Cisco client. From what I recall, the Cisco client doesn't do TTLS, so that would appear to be a show-stopper.

> If it is possible, has anyone made it work, or does anyone know where I could get a howto guide?

Read the TLS guide, and ignore the discussion about client certificates.

Alan DeKok.
Re: EAP/TTLS logging
Hi Michael, that's right. Is there any possibility to do such a thing in FreeRADIUS? And the rest of the problem is to see the real username of the inner authentication in the log file.

Michael Brown wrote:
> This thread from the radiator list may shed some light on the situation:
> http://www.open.com.au/archives/radiator/2003-08/msg00084.html
>
> Quoting Fastbyte [EMAIL PROTECTED]:
> > I use the Odyssey client, and the problem is that in the log there is only the anonymous user. In freeradius -X -A it is possible to see which user is getting authenticated, but in the log files there is only anonymous.
>
> Michael Brown
> mikro network solutions * http://www.mikro-net.com

--
Sergio
EAP/TTLS logging
Hi, is there any logging done in TTLS?

--
Sergio
Re: Configuration questions for FreeRadius with EAP/TTLS and LDAP
Nic Bernstein [EMAIL PROTECTED] wrote:
> I can see from the comments in the radiusd.conf file how to tell the radius server where to find which certificate(s) to use for EAP/TLS operation, but how does one specify what certificate to use for (the initial TLS phase of) the EAP/TTLS operation?

It uses the TLS certificates, as configured in the TLS module.

> When using LDAP for authentication, passwords are not necessarily in clear text. Am I to understand the above to mean that I must store my passwords in LDAP in clear text for EAP to work?

For EAP-MD5, and EAP-TTLS with tunneled CHAP, MS-CHAP, and EAP-MD5.

> If anyone is successfully using EAP/TTLS, especially in concert with LDAP, I would certainly appreciate some configuration examples.

You shouldn't have to do anything special to get TTLS working with LDAP. Get LDAP working, uncomment the TTLS module, and the tunneled authentication request will use the pre-existing LDAP configuration.

Alan DeKok.
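Three posts above turn on the same point: Raj's "MD5 challenge failure" against crypt passwords in IBM LDAP, Giancarlo's need for TTLS/PAP because his passwords live in LDAP, and Nic's question whether LDAP must hold cleartext. The following is an added example, not FreeRADIUS or mailing-list code, that shows why in working code: a CHAP / EAP-MD5 response is MD5(Identifier || Secret || Challenge), so the server can only verify it if it can reproduce that MD5 from the cleartext secret, whereas a tunneled PAP delivers the cleartext inside the TLS tunnel and the server can re-hash it against a one-way hash such as OpenLDAP's {SSHA} userPassword. All passwords, challenges, identifiers and the salt are constructed test data; the inner_auth() dispatcher is a stand-in for the server's tunneled-request handling, and MS-CHAP (which needs the NT hash rather than the cleartext) is not modelled.

```python
"""
Added example (not FreeRADIUS code): why EAP-MD5 and tunneled CHAP need a
cleartext password on the server while tunneled PAP can be checked against
an {SSHA} hash.  All secrets, challenges and salts here are constructed.
"""
import base64
import hashlib
import hmac
import os


def chap_response(ident, secret, challenge):
    """CHAP (RFC 1994) / EAP-MD5 (RFC 3748 section 5.4) response value:
    MD5(Identifier || Secret || Challenge).  The client computes this from
    the cleartext secret, so the server must be able to do the same."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_chap(ident, response, challenge, cleartext):
    """Server-side check; only possible when the stored password is cleartext."""
    expected = chap_response(ident, cleartext, challenge)
    return hmac.compare_digest(expected, response)


def ssha_hash(password, salt=None):
    """OpenLDAP-style {SSHA} userPassword: base64(SHA1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_pap_against_ssha(password, stored):
    """Server-side PAP check: the cleartext arrived inside the TLS tunnel, so
    the server re-hashes it with the salt recovered from the stored value."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def inner_auth(method, stored, client):
    """Decide the tunneled request (stand-in for the server's inner handling).
    `stored` is ("cleartext", bytes) or ("ssha", str) as the directory holds it;
    `client` holds the tunneled attributes the TTLS inner request carries."""
    kind, value = stored
    if method == "PAP":
        pw = client["User-Password"]
        ok = (verify_pap_against_ssha(pw, value) if kind == "ssha"
              else hmac.compare_digest(pw, value))
        return "Access-Accept" if ok else "Access-Reject"
    if method in ("CHAP", "EAP-MD5"):
        if kind != "cleartext":
            # Nothing to compare: the response is an MD5 over the cleartext
            # secret, which cannot be recovered from a one-way hash.
            return "Access-Reject (no cleartext password available)"
        ok = verify_chap(client["CHAP-Id"], client["CHAP-Response"],
                         client["CHAP-Challenge"], value)
        return "Access-Accept" if ok else "Access-Reject"
    raise ValueError("unsupported inner method: %s" % method)


if __name__ == "__main__":
    password = b"test"                                   # constructed
    challenge = bytes.fromhex("0011223344556677")        # constructed
    ident = 1
    pap_client = {"User-Password": password}
    chap_client = {"CHAP-Id": ident, "CHAP-Challenge": challenge,
                   "CHAP-Response": chap_response(ident, password, challenge)}
    for stored in (("cleartext", password),
                   ("ssha", ssha_hash(password, salt=b"\x01\x02\x03\x04"))):
        for method, client in (("PAP", pap_client), ("CHAP", chap_client)):
            print("%-4s against %-9s -> %s"
                  % (method, stored[0], inner_auth(method, stored, client)))
```

Running it prints four decisions: PAP is accepted against both the cleartext and the {SSHA} value, CHAP is accepted only against the cleartext. That is the whole answer to "how do I convert the crypt passwords to MD5": you cannot, because the stored value is not the input the MD5 response was computed over; either store cleartext (what the rlm_eap documentation quoted by Nic demands) or use a tunneled PAP so the server receives the cleartext at authentication time.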
Re: EAP/TTLS logging
Fastbyte [EMAIL PROTECTED] wrote:
> is there any logging done in TTLS?

What kind of logging are you looking for?

Alan DeKok.
Re: EAP/TTLS logging
Just the normal auth log of the TTLS challenge; I see the TLS log in the detail auth_log, but nothing of the inner authentication protocol. I need username and login time.

Alan DeKok wrote:
> Fastbyte [EMAIL PROTECTED] wrote:
> > is there any logging done in TTLS?
>
> What kind of logging are you looking for?
>
> Alan DeKok.

--
Sergio
Re: EAP/TTLS logging
Fastbyte [EMAIL PROTECTED] wrote:
> Just the normal auth log of the TTLS challenge; I see the TLS log in the detail auth_log, but nothing of the inner authentication protocol. I need username and login time.

That should be logged when the tunneled authentication request is processed. That request looks like just another request from a client, so all logging should be done.

Alan DeKok.
Re: EAP/TTLS logging
I use the Odyssey client, and the problem is that in the log there is only the anonymous user. In freeradius -X -A it is possible to see which user is getting authenticated, but in the log files there is only anonymous.

Alan DeKok wrote:
> Fastbyte [EMAIL PROTECTED] wrote:
> > Just the normal auth log of the TTLS challenge; I see the TLS log in the detail auth_log, but nothing of the inner authentication protocol. I need username and login time.
>
> That should be logged when the tunneled authentication request is processed. That request looks like just another request from a client, so all logging should be done.
>
> Alan DeKok.

--
Regards, MfG, Dist.Saluti,
Sergio - Srdjan Vemic, CEO Chief Executive Office, FutureBrain [EMAIL PROTECTED]
FutureBrain GmbH/Srl, Via Palade 97/u, I-39012 Merano (BZ), Italy
Phone: +390473201457, Fax: +390473201437, Cell.: +393356057014
[EMAIL PROTECTED], www.futurebrain.it
Re: EAP/TTLS logging
Ok, the auth request is being logged into the detail log (auth_detail), but only with the anonymous user, and it looks like this:

Packet-Type = Access-Request
Fri Sep 12 17:13:19 2003
        User-Name = anonymous
        NAS-IP-Address = 192.168.2.220
        Called-Station-Id = 0030bd965f14
        Calling-Station-Id = 0030bd97d313
        NAS-Identifier = 0030bd965f14
        NAS-Port = 87
        Framed-MTU = 1400
        State = 0x5611f831363f85a702c738c261c2b189
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0204003f158000351703010030e56b0eed1cbf43a372f441195e90c01ce5a402b658d408cb5b6b1b014dbbfaadedeae45c779f692579e2764ba522c184
        Message-Authenticator = 0x86b281dfbf1024da1a5ccd4e38a34539
        Client-IP-Address = 192.168.2.220

The part I see in the radiusd -X -A looks as follows:

TTLS: Got tunneled reply RADIUS code 2
        Framed-IP-Address = 192.168.2.23
        Exec-Program-Wait = my_exec_postauth
        Session-Timeout = 1800
        EAP-Message = 0x03010004
        Message-Authenticator = 0x
        User-Name = tobi
TTLS: Got tunneled Access-Accept

This part never appears in the logs, neither in auth_log nor in detail_log.

Alan DeKok wrote:
> Fastbyte [EMAIL PROTECTED] wrote:
> > I use the Odyssey client, and the problem is that in the log there is only the anonymous user. In freeradius -X -A it is possible to see which user is getting authenticated, but in the log files there is only anonymous.
>
> WHICH log files are getting WHAT logged? Can you please be a little more specific; I'm not a mind reader. I get the feeling that you're going out of your way to refuse to provide any useful information in your messages.
>
> As I said before, the tunneled authentication request is just another authentication request for the server. So any and all authentication logging done for normal requests is done for the tunneled requests.
>
> Alan DeKok.

--
Sergio - Srdjan Vemic, CEO, FutureBrain
Re: EAP/TTLS logging
Fastbyte [EMAIL PROTECTED] wrote:
> Ok, the auth request is being logged into the detail log (auth_detail), but only with the anonymous user, and it looks like this:
> ...

OK...

> The part I see in the radiusd -X -A looks as follows:
>
> TTLS: Got tunneled reply RADIUS code 2
>         Framed-IP-Address = 192.168.2.23
>         Exec-Program-Wait = my_exec_postauth
>         Session-Timeout = 1800
>         EAP-Message = 0x03010004
>         Message-Authenticator = 0x
>         User-Name = tobi
> TTLS: Got tunneled Access-Accept
>
> This part never appears in the logs, neither in auth_log nor in detail_log.

Are you sure? As I've said repeatedly, the tunneled request is just another request. So that 'tobi' User-Name should be seen in the 'detail' file, just like the 'anonymous' user is seen there. I don't want to sound stupid, but have you looked for user 'tobi' in the detail log?

Alan DeKok.
Re: EAP/TTLS logging
Hi Alan,

Sure, I'm sure, and I have looked. Should I send the whole file (I don't want to spam the list)? Maybe you could find it. ;) Sorry, but that's the truth.. Hope that we will find a solution for this glitch...

Alan DeKok wrote:
> Fastbyte [EMAIL PROTECTED] wrote:
> > Ok, the auth request is being logged into the detail log (auth_detail), but only with the anonymous user, and it looks like this:
> > ...
>
> OK...
>
> > The part I see in the radiusd -X -A looks as follows:
> >
> > TTLS: Got tunneled reply RADIUS code 2
> >         Framed-IP-Address = 192.168.2.23
> >         Exec-Program-Wait = my_exec_postauth
> >         Session-Timeout = 1800
> >         EAP-Message = 0x03010004
> >         Message-Authenticator = 0x
> >         User-Name = tobi
> > TTLS: Got tunneled Access-Accept
> >
> > This part never appears in the logs, neither in auth_log nor in detail_log.
>
> Are you sure? As I've said repeatedly, the tunneled request is just another request. So that 'tobi' User-Name should be seen in the 'detail' file, just like the 'anonymous' user is seen there. I don't want to sound stupid, but have you looked for user 'tobi' in the detail log?
>
> Alan DeKok.

--
Sergio - Srdjan Vemic, CEO, FutureBrain
Re: EAP/TTLS logging
Fastbyte [EMAIL PROTECTED] wrote:
> Sure, I'm sure, and I have looked.

Then I don't know what the problem is. I see no reason why the 'detail' module would log the outer request, and not the inner one.

Part of the issue may be that I don't know what you mean when you say auth_log and detail_log. There are no such log files distributed with the server, or configured in the server by default.

Alan DeKok.
Re: EAP/TTLS logging
This thread from the radiator list may shed some light on the situation:
http://www.open.com.au/archives/radiator/2003-08/msg00084.html

Quoting Fastbyte [EMAIL PROTECTED]:
> I use the Odyssey client, and the problem is that in the log there is only the anonymous user. In freeradius -X -A it is possible to see which user is getting authenticated, but in the log files there is only anonymous.

Michael Brown
mikro network solutions * http://www.mikro-net.com
Configuration questions for FreeRadius with EAP/TTLS and LDAP
We are trying to configure freeradius-snapshot-20030911 to use EAP/TTLS with LDAP (OpenLDAP 2.0.27). I have a few questions, however.

I can see from the comments in the radiusd.conf file how to tell the radius server where to find which certificate(s) to use for EAP/TLS operation, but how does one specify what certificate to use for (the initial TLS phase of) the EAP/TTLS operation?

Also, the file doc/rlm_eap states: "The radius server needs a plaintext password so that it can perform the same one-way hash to determine that the password is correct." When using LDAP for authentication, passwords are not necessarily in clear text. Am I to understand the above to mean that I must store my passwords in LDAP in clear text for EAP to work?

If anyone is successfully using EAP/TTLS, especially in concert with LDAP, I would certainly appreciate some configuration examples.

Thanks in advance,
-nic
--
Nic Bernstein [EMAIL PROTECTED]
Onlight llc. www.onlight.com
757 North Water Street, Milwaukee, Wisconsin 53202
v. 414.272.4477  f. 414.290.0335
Problem FreeRadius EAP/TTLS and MySQL
Hi, 1046 means PW_NO_SUCH_ATTRIBUTE, so imho it means that the value of the sql field attribute Password is false, but after changing it to User-Password I get the same error.. what's the right attribute?
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'XXX' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'XXX' ORDER BY id
rlm_sql_mysql: MYSQL check_error: 1046 received
rlm_sql_getvpdata: database query error
rlm_sql (sql): SQL query error; rejecting user
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module sql returns fail
modcall: group authorize returns fail
-- Sergio FutureBrain - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem FreeRadius EAP/TTLS and MySQL
Fastbyte [EMAIL PROTECTED] wrote: 1046 means PW_NO_SUCH_ATTRIBUTE, so imho it means that the value of the sql field attribute Password is false, but after changing it to User-Password I get the same error.. what's the right attribute? That all depends on what you want. radcheck WHERE Username = 'XXX' ORDER BY id rlm_sql_mysql: MYSQL check_error: 1046 received That is a MySQL error, and has nothing to do with FreeRADIUS. See what '1046' means to MySQL. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
EAP/TTLS problem with EAP/MD5
Hi ppl, I have a problem with implementing EAP/TTLS on freeradius. I have set up auth in EAP/TTLS to EAP/MD5 and this is my error:
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate
rlm_eap: EAP Identity
rlm_eap: No such EAP type 4
rlm_eap: Failed in EAP select
modcall[authenticate]: module eap returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Looking at the source I have seen that the problem is in the following lines:
#eap.c
if ((default_eap_type < PW_EAP_MD5) ||
    (default_eap_type > PW_EAP_MAX_TYPES) ||
    (inst->types[default_eap_type] == NULL)) {
        DEBUG2("rlm_eap: No such EAP type %d", default_eap_type);
        return EAP_INVALID;
}
Looking at eap.h I have seen that the PW_EAP_MD5 value is 4. Does anyone have some idea? Sergio, FutureBrain
The freeradius log follows:
rad_recv: Access-Request packet from host 192.168.2.254:2051, id=0, length=193
User-Name = tobi
NAS-IP-Address = 192.168.2.254
Called-Station-Id = 0030bd96618f
Calling-Station-Id = 0030bd97d2f8
NAS-Identifier = 0030bd96618f
NAS-Port = 189
Framed-MTU = 1400
State = 0x52c82cce680f4e775d5e00ab17705d2f
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0204003f158000351703010030d38d75a57f3413419cb84a5afea774b0c58547ba2544163213b71c06082b522a18d5f79ea4d77e85ffc94fe8069de8ff
Message-Authenticator = 0xfaf781eca6accfb78d59d841524e9f7d
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
modcall[authorize]: module chap returns noop
rlm_eap: EAP packet type response id 4 length 63
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated
rlm_realm: No '@' in User-Name = tobi, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop
users: Matched DEFAULT at 152
users: Matched tobi at 215
modcall[authorize]: module files returns ok
modcall[authorize]: module mschap returns noop
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
eaptls_process returned 7
rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
TTLS: Got tunneled request
EAP-Message = 0x020901746f6269
Freeradius-Proxied-To = 127.0.0.1
TTLS: Got tunneled identity of tobi
TTLS: Setting default EAP type for tunneled EAP session.
TTLS: Sending tunneled request
EAP-Message = 0x020901746f6269
Freeradius-Proxied-To = 127.0.0.1
User-Name = tobi
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
modcall[authorize]: module chap returns noop
rlm_eap: EAP packet type response id 0 length 9
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated
rlm_realm: No '@' in User-Name = tobi, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop
users: Matched DEFAULT at 152
users: Matched tobi at 215
modcall[authorize]: module files returns ok
modcall[authorize]: module mschap returns noop
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate
rlm_eap: EAP Identity
rlm_eap: No such EAP type 4
rlm_eap: Failed in EAP select
modcall[authenticate]: module eap returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
TTLS: Got tunneled reply RADIUS code 3
EAP-Message = 0x0404
Message-Authenticator = 0x
TTLS: Rejecting tunneled user
rlm_eap: Handler failed in EAP type 21
TTLS: Freeing handler for user tobi
rlm_eap: Failed in EAP select
modcall[authenticate]: module eap returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request
rl_next: returning NULL
Waking up in 6 seconds...
-- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
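Reading a trace like the one above means decoding the EAP-Message octets by hand: the EAP header, the EAP-TTLS flags and TLS-length prefix, and the first TLS record inside it. The following decoder is an added example, my code and not FreeRADIUS's. Its sample packets are reconstructions, not the original bytes: the outer TTLS response is rebuilt from the fields the log states (response id 4, length 63, Length Included, a 48-byte TLS 1.0 application-data record with the payload bytes as printed), because the hex string as archived is 61 bytes long against a declared length of 63, so I assume the two zero bytes of the TLS-length field were lost in archiving; the tunneled identity response is rebuilt from "response id 0 length 9" and the identity tobi; and the octal-escaped identity packet printed in the Tru64 thread further down this page is parsed as it appears there.

```python
"""Decode the EAP-Message octets that 'radiusd -X' prints.

Added example, not FreeRADIUS code: EAP header (RFC 3748), the EAP-TTLS
flags/length prefix (RFC 5281) and the first TLS record, with a framing
check. Sample packets are reconstructed from the logs on this page.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "TLS", 21: "TTLS", 25: "PEAP"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake",
               23: "ApplicationData"}


class MalformedEAP(ValueError):
    """The packet does not match its own framing."""


def parse_tls_tunnel(data: bytes) -> dict:
    """Type-data of EAP-TLS/TTLS/PEAP: flags byte (L=0x80 length included,
    M=0x40 more fragments, S=0x20 start, low 3 bits version), optional
    4-byte TLS message length, then raw TLS record bytes."""
    if not data:
        raise MalformedEAP("tunnel type without a flags byte")
    flags = data[0]
    out = {"length_included": bool(flags & 0x80),
           "more_fragments": bool(flags & 0x40),
           "start": bool(flags & 0x20),
           "tunnel_version": flags & 0x07}
    pos = 1
    if out["length_included"]:
        if len(data) < 5:
            raise MalformedEAP("L flag set but no 4-byte TLS message length")
        out["tls_message_length"] = struct.unpack("!I", data[1:5])[0]
        pos = 5
    tls = data[pos:]
    out["tls_bytes"] = len(tls)
    if len(tls) >= 5:  # a TLS record header: content type, version, length
        ctype, major, minor, rec_len = struct.unpack("!BBBH", tls[:5])
        out["tls_record"] = {"content_type": TLS_CONTENT.get(ctype, ctype),
                             "version": f"{major}.{minor}",
                             "record_length": rec_len,
                             "complete": rec_len == len(tls) - 5}
    return out


def parse_eap(buf: bytes) -> dict:
    """Parse one EAP packet; raise MalformedEAP on framing errors."""
    if len(buf) < 4:
        raise MalformedEAP("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", buf[:4])
    if length != len(buf):
        raise MalformedEAP(f"declared length {length}, got {len(buf)} bytes")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):  # only Request/Response carry a Type byte
        if length < 5:
            raise MalformedEAP("Request/Response without a Type byte")
        eap_type = buf[4]
        out["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:
            out["identity"] = buf[5:].decode("utf-8", "replace")
        elif eap_type in (13, 21, 25):
            out.update(parse_tls_tunnel(buf[5:]))
    return out


def parse_eap_hex(hexstr: str) -> dict:
    """Accept the '0x...' form radiusd prints."""
    return parse_eap(bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr))


def parse_eap_octal(escaped: str) -> dict:
    r"""Accept the older '\002%\000\013\001chuckp' form (C octal escapes)."""
    return parse_eap(escaped.encode("latin-1").decode("unicode_escape").encode("latin-1"))


# Outer EAP-TTLS response, rebuilt from the fields the log states (response
# id 4, length 63, Length Included, TLS 1.0 application data). Payload bytes
# are the ones printed; the two zero bytes missing from the archived hex in
# the TLS-length field are restored (my assumption, see the lead-in).
_APP_DATA = bytes.fromhex(
    "d38d75a57f3413419cb84a5afea774b0c58547ba2544163213b71c06082b522a"
    "18d5f79ea4d77e85ffc94fe8069de8ff")
_TLS_RECORD = b"\x17\x03\x01" + struct.pack("!H", len(_APP_DATA)) + _APP_DATA
_TTLS_DATA = b"\x15\x80" + struct.pack("!I", len(_TLS_RECORD)) + _TLS_RECORD
OUTER_TTLS = struct.pack("!BBH", 2, 4, 4 + len(_TTLS_DATA)) + _TTLS_DATA

# Tunneled identity response from the same trace: "response id 0 length 9".
INNER_IDENTITY = struct.pack("!BBH", 2, 0, 9) + b"\x01tobi"

# The outer hex exactly as archived: 61 bytes against a declared 63.
ARCHIVED_HEX = ("0x0204003f158000351703010030d38d75a57f3413419cb84a5afea774b0"
                "c58547ba2544163213b71c06082b522a18d5f79ea4d77e85ffc94fe8069de8ff")


def archived_hex_error() -> str:
    """Framing error text for the archived hex, empty string if it parses."""
    try:
        parse_eap_hex(ARCHIVED_HEX)
    except MalformedEAP as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    for pkt in (OUTER_TTLS, INNER_IDENTITY):
        print(parse_eap(pkt))
    print(parse_eap_octal(r"\002%\000\013\001chuckp"))
    print("archived hex:", archived_hex_error())
```

Run stand-alone it prints the decoded fields for both reconstructed packets and for the chuckp identity, then the framing error for the archived hex. The first things worth checking when a tunnel negotiation stalls are exactly the values the decoder exposes: whether the EAP length agrees with the bytes received, whether the L and M flags match the fragment actually carried, and whether the TLS record is complete.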
Re: EAP/TTLS problem with EAP/MD5
Fastbyte [EMAIL PROTECTED] wrote: I have a problem with implementing EAP/TTLS on freeradius. I have set up auth in EAP/TTLS to EAP/MD5 and this is my error: ... rlm_eap: No such EAP type 4 It looks like you don't have the 'md5' sub-module configured inside of the 'eap' module. Either you've deleted it, or you've re-ordered the list of sub-modules. Looking at the source I have seen that the problem is in the following lines:
#eap.c
if ((default_eap_type < PW_EAP_MD5) ||
    (default_eap_type > PW_EAP_MAX_TYPES) ||
    (inst->types[default_eap_type] == NULL)) {
...
Looking at eap.h I have seen that the PW_EAP_MD5 value is 4. Well.. The value of PW_EAP_MD5 is NOT less than PW_EAP_MD5, and it's not MORE than the value of PW_EAP_MAX_TYPES, so by the process of elimination, it means that the last test is the one which is failing. Include a configuration entry for 'md5', just like the default 'radiusd.conf'. List 'ttls' after 'md5', just like the default 'radiusd.conf'. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP/TTLS on FreeRadius
I'm working on it. From: Fastbyte [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: EAP/TTLS on FreeRadius Date: Wed, 27 Aug 2003 22:14:24 +0200 Is anyone already working on EAP/TTLS for FreeRadius? Sergio - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP/TTLS on FreeRadius
When will it be ready for alpha or beta test? Ping Zhou wrote: I'm working on it. From: Fastbyte [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: EAP/TTLS on FreeRadius Date: Wed, 27 Aug 2003 22:14:24 +0200 Is anyone already working on EAP/TTLS for FreeRadius? Sergio -- Best regards, Sergio Srdjan Vemic Chief Executive Officer - CEO | FutureBrain GmbH/Srl | Via Palade 101 A/B, I-39012 Merano (BZ) | Tel. +390473201457 Fax. +390473201437 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
WORKING: EAP-TTLS on FreeRadius
Fastbyte [EMAIL PROTECTED] wrote: Is anyone already working on EAP/TTLS for FreeRadius? I'm happy to announce that EAP-TTLS support has just been added to FreeRADIUS. This functionality will NOT be in 0.9.1, but it will be in the latest CVS snapshots, as of Friday morning. People using anonymous CVS can get the module now, via: cvs update -d src/modules/rlm_eap/types/rlm_eap_ttls cvs update raddb/radiusd.conf.in The module has been tested with tunneled PAP, CHAP, MS-CHAP, and EAP-MD5. Wireless clients which are known to work are Funk, Aegis, and others whose names I forget. Xsupplicant has not been tested. If you have any questions or comments, please post them here. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
EAP/TTLS on FreeRadius
Is anyone already working on EAP/TTLS for FreeRadius? Sergio - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
EAP-TTLS and EAP-PEAP support
Hello, do you have any information on when you will support EAP-TTLS and EAP-PEAP? As can be seen from the developers mailing list you are doing something on it. Best regards, Janko Kersnik ARNES - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-TTLS and EAP-PEAP support
Janko Kersnik [EMAIL PROTECTED] wrote: do you have any information on when you will support EAP-TTLS and EAP-PEAP? As can be seen from the developers mailing list you are doing something on it. Lots of people have said they're working on TTLS and PEAP. So far, no one has submitted patches. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PEAP // EAP-TTLS Support
Ted Ma [EMAIL PROTECTED] wrote: We are currently porting FreeRadius to uClinux. From the lists (devel and user) I see that a couple of people have started on the implementation of both PEAP and EAP/TTLS. We can add bodies for both development and testing to the group(s). Sounds good to me. Has any code / architecture for the modification to the upper layer (so tls can be shared) been done? I'm just trying to get a sense of how far along the projects have gotten. People have talked about it, but so far no one has posted patches for anything. From the lists, I can't tell if there is a coordinated plan for the new protocol support. There isn't. BTW our company has previously funded other Open source projects, so if we can help accelerate the effort, let us know. That may help speed things up. I'd like to see PEAP and TTLS in before the 1.0 release, if at all possible. Alan, I wasn't sure if I should have posted to the devel list or the user list. If you think that it should go to the devel list, I will post there as well. Further messages should go to -devel. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
PEAP // EAP-TTLS Support
Hi, We are currently porting FreeRadius to uClinux. From the lists (devel and user) I see that a couple of people have started on the implementation of both PEAP and EAP/TTLS. We can add bodies for both development and testing to the group(s). Has any code / architecture for the modification to the upper layer (so tls can be shared) been done? I'm just trying to get a sense of how far along the projects have gotten. From the lists, I can't tell if there is a coordinated plan for the new protocol support. BTW our company has previously funded other Open source projects, so if we can help accelerate the effort, let us know. Alan, I wasn't sure if I should have posted to the devel list or the user list. If you think that it should go to the devel list, I will post there as well. ...MaTed -- Ted Ma Arcturus Networks Inc. 100-116 Spadina Ave. 416-621-0125 x206 Toronto, Ontario - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-PEAP [Was RE: EAP-TTLS]
Mayank Upadhyay [EMAIL PROTECTED] wrote: On a related note, is anyone considering writing an EAP-PEAP module? Have you tried looking through the list archives for the past week? PEAP is essentially MS-CHAPv2 tunneled inside of EAP-TLS. It was. It's not any longer. It's EAP inside of EAP-TLS. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-TTLS
Hi, I have been working with xsupplicant and free radius on redhat 8.2. I could successfully set up the eap-tls config. Now I want to test the EAP-TTLS protocol on free radius using xsupplicant as the client software. The latest version of Xsupplicant has the EAP-TTLS protocol. However the current freeradius cvs version I am working on doesn't seem to support the TTLS protocol. I want to know if anyone is working on the free radius code right now for implementing EAP-TTLS, and if it will support it in the future. It would greatly help if anyone could give suggestions regarding the server side code for EAP-TTLS. Thanks and Regards BN - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
EAP-PEAP [Was RE: EAP-TTLS]
On a related note, is anyone considering writing an EAP-PEAP module? PEAP is essentially MS-CHAPv2 tunneled inside of EAP-TLS. Conceptually, it's similar to HTTPS on the web where the server is authenticated using its certificate, and the user with a password. Windows XP and most RADIUS vendors support PEAP. -Mayank -Original Message- Message: 7 From: Nirmala Bulusu [EMAIL PROTECTED] Subject: Re: EAP-TTLS To: [EMAIL PROTECTED] Date: Fri, 20 Jun 2003 15:01:00 -0600 Reply-To: [EMAIL PROTECTED] Hi, I have been working with xsupplicant and free radius on redhat 8.2. I could successfully set up the eap-tls config. Now I want to test the EAP-TTLS protocol on free radius using xsupplicant as the client software. The latest version of Xsupplicant has the EAP-TTLS protocol. However the current freeradius cvs version I am working on doesn't seem to support the TTLS protocol. I want to know if anyone is working on the free radius code right now for implementing EAP-TTLS, and if it will support it in the future. It would greatly help if anyone could give suggestions regarding the server side code for EAP-TTLS. Thanks and Regards BN - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
EAP/TTLS authentication
Hi all, I'm searching for a way to authenticate some wireless users via TTLS (for this is the only auth method allowed by these particular supplicants). Looking through freeradius I'm not able to find out anything about it. Can anyone confirm that? In this case, what could I use for this task? This must run on a linux RH 7.3, and the number of clients it has to manage does not justify the acquisition of a licenced server like aegis. So, something not free could be considered, but it must not cost too much... ;-) Thanks... -- Emanuele Balla aka Skull - Public Key #661E5CBF on www.keyserver.com "And 1.1.81 is officially BugFree(tm), so if you receive any bug-reports on it, you know they are just evil lies." (By Linus Torvalds) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Re: EAP-TTLS
Alan DeKok, Thanks Alan. Jeson [EMAIL PROTECTED] 2003-05-30 === 2003-05-29 09:02:00 === 王志欣 [EMAIL PROTECTED] wrote: Does FreeRADIUS support EAP-TTLS and PEAP? It's not in the list of features on the web site, so my guess would be no. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
EAP-TTLS
Dear All, Does FreeRADIUS support EAP-TTLS and PEAP? Thanks in advance. Jeson [EMAIL PROTECTED] 2003-05-29 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-TTLS
王志欣 [EMAIL PROTECTED] wrote: Does FreeRADIUS support EAP-TTLS and PEAP? It's not in the list of features on the web site, so my guess would be no. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
EAP TTLS Support
Just wondering if TTLS support is on the road map for freeradius or if anyone is working on this... Thanks Bret -- ~~~ Bret Jordan Dean's Office Computer Administrator College of Engineering 801.585.3765 University of Utah [EMAIL PROTECTED] ~~~ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
EAP-TTLS
Hi all, I have a question. Is someone working on developing EAP-TTLS support for Freeradius? Thanks Daniele Brevi - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP/Password File problems - EAP-TTLS - Tru64
--On Wednesday, January 02, 2002 2:42 PM -0500 [EMAIL PROTECTED] wrote: Brandon Saunders [EMAIL PROTECTED] wrote: I am testing my wireless access point against a test freeradius server compiled with the EAP module. I am using the UNIX user files as the authentication source. When a client tries to authenticate, the access point sends the EAP message encapsulated in RADIUS. Right now, the server only supports EAP-MD5. You'll have to do PAP authentication to authenticate against /etc/passwd. If you're using the radius 'users' file, then EAP-MD5 should work. Could you elaborate on this so that even I can understand? Are you saying I can use /etc/passwd if I have the users file set up right? Or are you saying that I have to add each user to the users file individually? In my Users file I have this: DEFAULT Auth-Type := EAP Here is the debugging output from radiusd:
rad_recv: Access-Request packet from host 129.24.17.184:1338, id=128, length=121
User-Name = chuckp
NAS-IP-Address = cirt-0045.unm.edu
Called-Station-Id = 0040963204c3
Calling-Station-Id = 004096355da6
NAS-Identifier = cirttest
NAS-Port = 29
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = \002%\000\013\001chuckp
Message-Authenticator = 0xf5c85910439187275e1b45b3f892fbb2
modcall: entering group authorize
modcall[authorize]: module eap returns updated
modcall[authorize]: module preprocess returns ok
modcall[authorize]: module suffix returns ok
users: Matched DEFAULT at 1
modcall[authorize]: module files returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate
rlm_eap: Invalid user, authentication failed
modcall[authenticate]: module eap returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Login incorrect: [chuckp] (from nas wless port 29 cli 004096355da6)
Sending Access-Reject of id 128 to 129.24.17.185:1338
chuck [EMAIL PROTECTED] - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP/Password File problems - EAP-TTLS - Tru64
Chuck Phillips [EMAIL PROTECTED] wrote: If you're using the radius 'users' file, then EAP-MD5 should work. Could you elaborate on this so that even I can understand? Are you saying I can use /etc/passwd if I have the users file set up right? No. You need to supply a plain-text password. Or are you saying that I have to add each user to the users file individually? For now, yes. In my Users file I have this: DEFAULT Auth-Type := EAP And where, exactly, is the password that is used for each user to authenticate? You need to supply a plain-text password. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP/Password File problems - EAP-TTLS - Tru64
Now I am working on EAP/TLS integration with Freeradius. Would you please tell me whether Freeradius supports EAP/TLS? Where can I download the EAP/TLS module? Please give me some advice on this. I really need this information! Thanks very much! On Monday 14 January 2002 12:00 pm, you wrote: --On Wednesday, January 02, 2002 2:42 PM -0500 [EMAIL PROTECTED] wrote: Brandon Saunders [EMAIL PROTECTED] wrote: I am testing my wireless access point against a test freeradius server compiled with the EAP module. I am using the UNIX user files as the authentication source. When a client tries to authenticate, the access point sends the EAP message encapsulated in RADIUS. Right now, the server only supports EAP-MD5. You'll have to do PAP authentication to authenticate against /etc/passwd. If you're using the radius 'users' file, then EAP-MD5 should work. Could you elaborate on this so that even I can understand? Are you saying I can use /etc/passwd if I have the users file set up right? Or are you saying that I have to add each user to the users file individually? In my Users file I have this: DEFAULT Auth-Type := EAP Here is the debugging output from radiusd:
rad_recv: Access-Request packet from host 129.24.17.184:1338, id=128, length=121
User-Name = chuckp
NAS-IP-Address = cirt-0045.unm.edu
Called-Station-Id = 0040963204c3
Calling-Station-Id = 004096355da6
NAS-Identifier = cirttest
NAS-Port = 29
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = \002%\000\013\001chuckp
Message-Authenticator = 0xf5c85910439187275e1b45b3f892fbb2
modcall: entering group authorize
modcall[authorize]: module eap returns updated
modcall[authorize]: module preprocess returns ok
modcall[authorize]: module suffix returns ok
users: Matched DEFAULT at 1
modcall[authorize]: module files returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate
rlm_eap: Invalid user, authentication failed
modcall[authenticate]: module eap returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Login incorrect: [chuckp] (from nas wless port 29 cli 004096355da6)
Sending Access-Reject of id 128 to 129.24.17.185:1338
chuck [EMAIL PROTECTED] - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP/Password File problems - EAP-TTLS - Tru64
Yuan Yuan [EMAIL PROTECTED] wrote: Now I am working on EAP/TLS integration with Freeradius. Would you please tell me whether Freeradius supports EAP/TLS? No, it doesn't. Sorry. As always, patches are welcome. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP/Password File problems - EAP-TTLS - Tru64
But Freeradius does support EAP, and can be compiled with the EAP module, right? On Monday 14 January 2002 02:11 pm, you wrote: Yuan Yuan [EMAIL PROTECTED] wrote: Now I am working on EAP/TLS integration with Freeradius. Would you please tell me whether Freeradius supports EAP/TLS? No, it doesn't. Sorry. As always, patches are welcome. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP/Password File problems - EAP-TTLS - Tru64
Oh, thanks. Would you please tell me where I can find the EAP-MD5 module? On Monday 14 January 2002 02:24 pm, you wrote: Yuan Yuan [EMAIL PROTECTED] wrote: But Freeradius does support EAP, and can be compiled with the EAP module, right? Yes. But right now, it only supports EAP-MD5. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: EAP/Password File problems - EAP-TTLS - Tru64
I am a newcomer to this mailing list. I am studying the radius authentication method, and want to know where I can find the EAP-MD5 module. Now I hope that I can test the above module. Please let me know. -Original Message- From: [EMAIL PROTECTED] [mailto:freeradius-users- [EMAIL PROTECTED]]On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, January 15, 2002 4:36 AM To: [EMAIL PROTECTED] Subject: Re: EAP/Password File problems - EAP-TTLS - Tru64 Yuan Yuan [EMAIL PROTECTED] wrote: Would you please tell me where I can find the EAP-MD5 module? Look in the tar file. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP/Password File problems - EAP-TTLS - Tru64
Brandon Saunders [EMAIL PROTECTED] wrote: I am testing my wireless access point against a test freeradius server compiled with the EAP module. I am using the UNIX user files as the authentication source. When a client tries to authenticate, the access point sends the EAP message encapsulated in RADIUS. Right now, the server only supports EAP-MD5. You'll have to do PAP authentication to authenticate against /etc/passwd. If you're using the radius 'users' file, then EAP-MD5 should work. The RADIUS server should then do a challenge and respond, but nothing is sent back but an access reject. Upon looking at the log files, it appears that the server is trying to do the authentication without the password. I get log lines that look like: Fri Dec 28 10:51:51 2001 : Auth: Login incorrect: [test/no Password attribute] (from nas HDLwireless port 29 cli 004096501888) You haven't configured it to use EAP for authentication. Configuring EAP in 'radiusd.conf' *allows* the server to use EAP, but it does not tell the server which requests get authenticated via EAP, and which do not. Anyone have any ideas why the challenge and respond is getting sent back? I know EAP support is still in development, could this be a bug? Do I have something set up wrong? I will send out my configuration file if anyone thinks it will be of help. Search the list archives for a message on getting EAP working. I am currently just working with EAP-MD5. Has anyone considered implementing EAP-TTLS? It's a lot of work. I am also interested in running freeradius on Alpha/Tru64. It appears to compile OK, but I am having some linking problems. Then do: ./configure --disable-shared Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
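The point repeated through this thread, and in the doc/rlm_eap text quoted in the "Configuration questions" message above, is that EAP-MD5 needs the server to hold the user's plain-text password: a hashed /etc/passwd or LDAP entry cannot answer an MD5 challenge, which is what lies behind "Login incorrect: [test/no Password attribute]". The following worked example shows why, by carrying the EAP-MD5 exchange through on both sides; it is my code, not FreeRADIUS's, and the user names, password, challenge value and user store in it are constructed for the example.

```python
"""Why EAP-MD5 needs the server to hold the user's cleartext password.

Added example, not FreeRADIUS code. EAP-MD5 (RFC 3748, section 5.4) reuses
the CHAP algorithm of RFC 1994: the peer sends MD5(Identifier || password
|| Challenge) and the server recomputes that hash to check it. A store
holding only a one-way digest of the password (an LDAP {SHA} userPassword,
a crypt(3) field in /etc/passwd) cannot produce that value at all.
"""
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5 = 4


def _eap(code: int, ident: int, type_data: bytes) -> bytes:
    """EAP header (code, id, 2-byte total length) followed by the type data."""
    return struct.pack("!BBH", code, ident, 4 + len(type_data)) + type_data


def md5_challenge_request(ident: int, challenge: bytes, name: bytes = b"radius") -> bytes:
    """Server -> peer: Type 4, Value-Size, Challenge value, optional Name."""
    return _eap(EAP_REQUEST, ident, bytes([EAP_TYPE_MD5, len(challenge)]) + challenge + name)


def md5_response_value(ident: int, password: str, challenge: bytes) -> bytes:
    """The CHAP/EAP-MD5 hash: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def md5_challenge_response(ident: int, password: str, challenge: bytes, name: bytes) -> bytes:
    """Peer -> server: same layout as the request, Value is the 16-byte hash."""
    value = md5_response_value(ident, password, challenge)
    return _eap(EAP_RESPONSE, ident, bytes([EAP_TYPE_MD5, len(value)]) + value + name)


def parse_md5_response(pkt: bytes) -> tuple[int, bytes, bytes]:
    """Return (identifier, value, name); raise ValueError on bad framing."""
    if len(pkt) < 6:
        raise ValueError("too short for an EAP-MD5 Response")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != EAP_RESPONSE or length != len(pkt) or pkt[4] != EAP_TYPE_MD5:
        raise ValueError("not an EAP-MD5 Response")
    vsize = pkt[5]
    if vsize != 16 or len(pkt) < 6 + vsize:
        raise ValueError("MD5 Value must be 16 bytes")
    return ident, pkt[6:6 + vsize], pkt[6 + vsize:]


def verify_md5_response(pkt: bytes, challenge: bytes, cleartext_password: str) -> bool:
    """Recompute the hash from the stored cleartext and compare in constant time."""
    ident, value, _ = parse_md5_response(pkt)
    expected = md5_response_value(ident, cleartext_password, challenge)
    return hmac.compare_digest(value, expected)


# Constructed user store. "chuckp" has a cleartext entry (what a users-file
# Password or an LDAP userPassword without a {scheme} prefix gives the
# server); "test" has only a one-way digest, as a hashed entry would.
USERS = {
    "chuckp": {"cleartext": "s3cret"},
    "test": {"sha1": hashlib.sha1(b"s3cret").hexdigest()},
}


def authenticate(store: dict, username: str, pkt: bytes, challenge: bytes) -> str:
    """Server-side decision for one EAP-MD5 Response from `username` (the name
    comes from the earlier Identity exchange / User-Name, not from the packet)."""
    try:
        parse_md5_response(pkt)
    except ValueError as exc:
        return f"Access-Reject: {exc}"
    user = store.get(username)
    if user is None:
        return "Access-Reject: unknown user"
    if "cleartext" not in user:
        # Only H(password) is stored; MD5(id || password || challenge) cannot
        # be derived from it, so the server cannot check the response at all.
        return "Access-Reject: no cleartext password available for EAP-MD5"
    if verify_md5_response(pkt, challenge, user["cleartext"]):
        return "Access-Accept"
    return "Access-Reject: bad response"


if __name__ == "__main__":
    challenge = bytes(range(16))  # a real server draws this from a CSPRNG
    print("request :", md5_challenge_request(37, challenge).hex())
    for name in ("chuckp", "test"):
        resp = md5_challenge_response(37, "s3cret", challenge, name.encode())
        print(f"{name:7}: {authenticate(USERS, name, resp, challenge)}")
```

Both users know the same password, and both supplicants compute the correct response; only the user with a cleartext entry is accepted, because the check is a recomputation, not a comparison of stored digests. That is the trade-off the thread is circling: EAP-MD5 and CHAP-style methods push the server towards reversible password storage, whereas a tunneled PAP inside EAP-TTLS can be verified against a one-way hash because the password itself arrives inside the TLS tunnel.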