install EAP-ttls

2003-12-18 Thread santi baztan
Hi.
I have a radius server with EAP-TLS and I'm trying to
install eap-ttls. Have you a howto of eap-ttls?


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: install EAP-ttls

2003-12-18 Thread Alan DeKok
santi baztan [EMAIL PROTECTED] wrote:
 I have a radius server with EAP-TLS and I'm trying to
 install eap-ttls. Have you a howto of eap-ttls?

  You configure it, as it says in 'radiusd.conf'.

  After that, you have a client send it EAP-TTLS packets.  It's that easy.

  Alan DeKok.



Eap ttls and LDAP

2003-12-10 Thread Arthur EBEL
Hi, 
I am using freeradius 0.9.3 on a linux box
I have found the eap_ttls module in the CVS tree
How to install it ??? 

Can anyone explain to me the interest of using EAP TTLS + LDAP?

I don't want to use personal certificates but only the login and ldap passwd
of the person

Is TTLS+LDAP a good solution to do that ???

Has anyone tested it ??? Any recommendations ???

Thanx





Re: Eap ttls and LDAP

2003-12-10 Thread Kostas Kalevras
On Wed, 10 Dec 2003, Arthur EBEL wrote:

 Hi,
 I am using freeradius 0.9.3 on a linux box
 I have found the eap_ttls module in the CVS tree
 How to install it ???

./configure
make
make install


 Can anyone explain to me the interest of using EAP TTLS + LDAP?

 I don't want to use personal certificates but only the login and ldap passwd
 of the person

 Is TTLS+LDAP a good solution to do that ???

Yes it is.


 Has anyone tested it ??? Any recommendations ???

It works out of the box. Just uncomment the necessary modules in the
authorize/authenticate sections and configure the eap(tls/ttls) and ldap
modules.


 Thanx





--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Eap ttls and LDAP

2003-12-10 Thread Alan DeKok
Kostas Kalevras [EMAIL PROTECTED] wrote:
  I am using freeradius 0.9.3 on a linux box
  I have found the eap_ttls module in the CVS tree
  How to install it ???
 
 ./configure
 make
 make install

  And watch the server die as soon as it receives an EAP-TTLS request.

  Alan DeKok.



Re: Eap ttls and LDAP

2003-12-10 Thread Alan DeKok
Arthur EBEL [EMAIL PROTECTED] wrote:
 I am using freeradius 0.9.3 on a linux box
 I have found the eap_ttls module in the CVS tree
 How to install it ??? 

  You install a snapshot.  You can't use EAP-TTLS with 0.9.3.

 I don't want to use personal certificates but only the login and ldap passwd
 of the person

  EAP-TTLS doesn't require personal certificates.

  Alan DeKok.



RE : eap/ttls

2003-12-08 Thread Arthur EBEL
Hi :-)

I would like to know where I can find the rlm_eap_ttls module and how to
install it

Have you got an idea how to mix eap ttls and ldap authentication ???

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Alan DeKok
Sent: Thursday, 4 December 2003 19:14
To: [EMAIL PROTECTED]
Subject: Re: eap/ttls


David L Wolford [EMAIL PROTECTED] wrote:
 rlm_eap: Failed to link EAP-Type/ttls: file not found
 radiusd.conf[606]: eap: Module instantiation failed.
 
 In addition to removing the comments for ttls what other steps must be 
 taken to enable eap/ttls?

  You've got to install the rlm_eap_ttls module.  It should do that,
though...

  Alan DeKok.



Re: RE : eap/ttls

2003-12-08 Thread Alan DeKok
Arthur EBEL [EMAIL PROTECTED] wrote:
 I would like to know where I can find the rlm_eap_ttls module and how to
 install it

  Grab the latest CVS snapshot.  Have you tried that?

 Have you got an idea how to mix eap ttls and ldap authentication ???

  You don't need to do anything special.

  Alan DeKok.



eap/ttls

2003-12-04 Thread David L Wolford
I've been working on the eap/tls for our wireless network using
freeradius-snapshot-2003118. The eap/tls works fine and now I want to
try the eap/ttls so as to avoid the certificate management. When I go
into radiusd.conf and uncomment out the eap/ttls stuff I get the
following error when I try to run freeradius:

Module: Loaded eap
 eap: default_eap_type = tls
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /etc/lx/orbit.pem
 tls: certificate_file = /etc/lx/orbit.pem
 tls: CA_file = /etc/lx/root.pem
 tls: private_key_password = iyagthkg
 tls: dh_file = /etc/lx/DH
 tls: random_file = /etc/lx/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
rlm_eap: Loaded and initialized type tls
rlm_eap: Failed to link EAP-Type/ttls: file not found
radiusd.conf[606]: eap: Module instantiation failed.

In addition to removing the comments for ttls what other steps must be
taken to enable eap/ttls?

Thank you,

dwolford




Re: eap/ttls

2003-12-04 Thread Alan DeKok
David L Wolford [EMAIL PROTECTED] wrote:
 rlm_eap: Failed to link EAP-Type/ttls: file not found
 radiusd.conf[606]: eap: Module instantiation failed.
 
 In addition to removing the comments for ttls what other steps must be
 taken to enable eap/ttls?

  You've got to install the rlm_eap_ttls module.  It should do that,
though...

  Alan DeKok.



newbie alert Freeradius, EAP-TTLS, and OpenSSL questions

2003-11-21 Thread Chris Woodfield
Hello, 

I'm trying to set up a radius server here in my office to permit WLAN usage, and I 
really feel like I'm coming up against my limits of understanding on the technologies 
involved. 

I've successfully compiled yesterday's CVS release which includes EAP-TTLS support, but 
I'm running into some serious issues (most likely due to lack of clue on my part) 
getting it working. The server is a Debian testing install, with openssl compiled 
from source. The base station is a Linksys WRT-54G, although I haven't gotten to 
the point where I think there's a problem there. 

Here's my list of questions:

1. EAP-TTLS is dependent on EAP-TLS, which requires a server cert. So far, I've been 
unable to successfully create a cert that freeradius likes. In the radiusd.conf file, 
there's an certificate_file argument, along with a CA_file argument. My understanding 
of the reason for this is that with EAP-TLS, authentication is done by certs alone - 
the user must have the server cert's public key loaded, and the user must present a 
public key signed by the CA.

But with TTLS, the client cert does not appear to be a requirement. Does that mean I 
can use a self-signed cert and not worry about the CA_file, or do I still need to 
create both? And if so, does anyone have a working openssl recipe to create these? So 
far I've been unsuccessful in creating anything other than a self-signed key.

2. I think I'm missing some understanding when it comes to the differences between 
authentication protocols (pap, mschap, etc) and authentication mechanisms (users file, 
smbpasswd, sql, pam, etc). My ideal scenario is for TTLS to use PAM (which 
authenticates based on md5 hashes in /etc/shadow), allowing anyone with an account on 
the server running radiusd to connect to the WLAN, but I'm not quite sure how the auth 
protocol interacts with auth-types. I have DEFAULT Auth-Type := Pam in my users file; 
do I need to do anything further depending on the auth protocol I use inside the 
ESP-TTLS tunnel (pap, chap, etc)?

3. I'm really, really in the dark when it comes to the key distribution mechanism. 
With EAP-TTLS and WPA, what system actually generates and distributes the WPA key? Does the 
radius server handle that, or does it only negotiate access and let the base station 
generate a random key? Is there a knob in the config I need to set up for this?

Thank you in advance for your patience. I'm sure I'll have more questions later.

Thanks,

-Chris



Re: newbie alert Freeradius, EAP-TTLS, and OpenSSL questions

2003-11-21 Thread Alan DeKok
Chris Woodfield [EMAIL PROTECTED] wrote:
 1. EAP-TTLS is dependent on EAP-TLS, which requires a server cert. So
 far, I've been unable to successfully create a cert that freeradius
 likes. In the radiusd.conf file, there's an certificate_file argument,
 along with a CA_file argument. My understanding of the reason for this
 is that with EAP-TLS, authentication is done by certs alone - the user
 must have the server cert's public key loaded, and the user must
 present a public key signed by the CA.

  Yes.  But TTLS still requires a server certificate.

 But with TTLS, the client cert does not appear to be a
 requirement. Does that mean I can use a self-signed cert and not worry
 about the CA_file, or do I still need to create both?

  You still need a server certificate.

 And if so, does anyone have a working openssl recipe to create
 these? So far I've been unsuccessful in creating anything other than
 a self-signed key.

  See scripts/CA.all

 2. I think I'm missing some understanding when it comes to the
 differences between authentication protocols (pap, mschap, etc) and
 authentication mechanisms (users file, smbpasswd, sql, pam, etc). My
 ideal scenario is for TTLS to use PAM (which authenticates based on
 md5 hashes in /etc/shadow),

  Huh?  Why not just use 'System' authentication?

 I have DEFAULT Auth-Type := Pam in my users file; do I need to do
 anything further depending on the auth protocol I use inside the
 ESP-TTLS tunnel (pap, chap, etc)?

  CHAP won't work with passwords from /etc/passwd.  See the FAQ.

 3. I'm really, really in the dark when it comes to the key
 distribution mechanism. with EAP-TTLS and WPA, what system actually
 generates and distributes the WPA key? Does the radius server handle
 that,

  Yes.

 Is there a knob in the config I need to set up for this?

  No.

  Alan DeKok.



Re: newbie alert Freeradius, EAP-TTLS, and OpenSSL questions

2003-11-21 Thread Chris Woodfield
   See scripts/CA.all

Ran this, and it appears that everything worked right up until the end, 
when I got these errors:


Certificate is to be certified until Nov 20 23:34:06 2004 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
+ openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out 
cert-srv.p12 -clcerts -passin pass:whatever -passout pass:whatever
No certificate matches private key
+ openssl pkcs12 -in cert-srv.p12 -out cert-srv.pem -passin pass:whatever 
-passout pass:whatever
23118:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too 
long:asn1_lib.c:140:
+ openssl x509 -inform PEM -outform DER -in cert-srv.pem -out cert-srv.der
unable to load certificate
23119:error:0906D06C:PEM routines:PEM_read_bio:no start 
line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE
+ echo -e '\n\t\t##\n'

##

tino:/usr/local/ssl/certs#

Any idea what's happening? This is OpenSSL 0.9.7c.

-C

 
  2. I think I'm missing some understanding when it comes to the
  differences between authentication protocols (pap, mschap, etc) and
  authentication mechanisms (users file, smbpasswd, sql, pam, etc). My
  ideal scenario is for TTLS to use PAM (which authenticates based on
  md5 hashes in /etc/shadow),
 
   Huh?  Why not just use 'System' authentication?
 
  I have DEFAULT Auth-Type := Pam in my users file; do I need to do
  anything further depending on the auth protocol I use inside the
  ESP-TTLS tunnel (pap, chap, etc)?
 
   CHAP won't work with passwords from /etc/passwd.  See the FAQ.
 
  3. I'm really, really in the dark when it comes to the key
  distribution mechanism. with EAP-TTLS and WPA, what system actually
  generates and distributes the WPA key? Does the radius server handle
  that,
 
   Yes.
 
  Is there a knob in the config I need to set up for this?
 
   No.
 
   Alan DeKok.
 


Re: Problem with EAP-TTLS+AEGIS Client

2003-11-18 Thread Alan DeKok
Jason Haar [EMAIL PROTECTED] wrote:
I'm amazed that the SSL code works at *all*.
 
 Have you looked at the GNU TLS code? - http://www.gnu.org/software/gnutls/

  No time, sorry.

  Alan DeKok.



Re: Problem with EAP-TTLS+AEGIS Client

2003-11-17 Thread Alan DeKok
Jason Haar [EMAIL PROTECTED] wrote:
 ..a bit off topic - but large certificates in general seem to be a problem
 with all sorts of SSL apps.

  I'm not surprised.  I've run FreeRADIUS under 'valgrind', to catch
buffer overflows, and reading uninitialized memory.  Without any SSL
code, it's fine.  With OpenSSL (EAP-TLS, etc), there are tens of
thousands of error messages.  And when compiling FreeRADIUS against
OpenSSL, there are large amounts of warnings about the broken SSL
headers.

  I'm amazed that the SSL code works at *all*.

  Alan DeKok.



Re: EAP/TTLS /etc/shadow

2003-11-17 Thread Ralf Paffrath
On Fri, 14 Nov 2003, Alan DeKok wrote:

 Ralf Paffrath [EMAIL PROTECTED] wrote:
  I set Auth-Type to System but no TTLS-tunnel session would be established
  and I got the following debugging output:
 
  ...
  modcall: group authorize returns updated for request 0
rad_check_password:  Found Auth-Type EAP
rad_check_password:  Found Auth-Type System
  Warning:  Found 2 auth-types on request for user 'HUGO'

   sigh  Did you READ what i wrote?

I did READ what you wrote!

I wasn't sure how to set Auth-Type to System for the tunneled user. ;-)

 Set Auth-Type to System for the tunneled user,

   The username inside of the tunnel IS different than the username
 outside of the tunnel, isn't it?

Right!

Now, I let:

username Auth-Type := System

and deleted

DEFAULT Auth-Type :=System
  Fall-Through = Yes

from users file.

After configuring SecureW2 to set the username used for secure tunnel to
[EMAIL PROTECTED] and let SecureW2 prompting for users credentials it's
working.

Now I can authenticate the tunneled user against /etc/shadow. Thanks Alan
for the hints!

Ralf.




Re: Problem with EAP-TTLS+AEGIS Client

2003-11-17 Thread Jason Haar
On Mon, Nov 17, 2003 at 10:20:36AM -0500, Alan DeKok wrote:
   I'm amazed that the SSL code works at *all*.

Have you looked at the GNU TLS code? - http://www.gnu.org/software/gnutls/


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Re: Problem with EAP-TTLS+AEGIS Client

2003-11-16 Thread Jason Haar
On Mon, Nov 10, 2003 at 05:18:34PM +0200, Kostas Kalevras wrote:
 Probably with small enough certificates to not worry about fragmentation.

..a bit off topic - but large certificates in general seem to be a problem
with all sorts of SSL apps.

We are running a full-blown internal CA, and so have done it right (IMHO)
and have details such as what division a user is in, along with their email
address, company name, city, country, etc. Apparently this makes our certs
large, and as such we've hit every bug there is to hit with a variety of
SSL/PKI products (not referring to FreeRADIUS here actually - more VPN
related). We get comments back from vendors like your certs are too big -
make them smaller and the problem will go away - as if that is even an
option! Once you have decided *how* you want to run a PKI - down to what
level of detail is within each cert - it's pretty bl**dy hard to change your
mind later. Oh yeah - and we got a certain vendor whose name rhymes with
ISCO whose routers won't use our certs as they are signed with a CA whose
serial number is 0 - apparently zero isn't an integer (see RFCxxx).

PKI still has a way to go before it's as useful as the hype makes it out to
be. The technology is fine - but I get the feeling that quality control is
limited due to the lack of implementations...

Yup - waaay off topic :-)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Re: EAP/TTLS /etc/shadow

2003-11-14 Thread Ralf Paffrath
 Ralf Paffrath [EMAIL PROTECTED] wrote:
  I'm running a snapshot version of freeradius with EAP/TTLS for authN.
  My supplicant is SecureW2. Everything works fine as long as I put in the
  plaintext user-password in users configuration file and didn't set
  Auth-Type, e.g. username User-Password == blabla.

   Ok...

  I absolutely don't like plaintext passwords in some files so I tried
  freeradius out to use /etc/shadow but with no success.

   Plain-text passwords aren't much of a problem from a security
 perspective.  They also allow you to do CHAP authentication, which is
 impossible with /etc/passwd.

  Auth-Type := EAP doesn't work:
  ...
  auth: type EAP
  modcall: entering group authenticate for request 5
  rlm_eap: EAP-Message not found

   Exactly.  Don't set Auth-Type := EAP.  EVER.

  Any idea?

   Set Auth-Type to System for the tunneled user, and read the
 debugging output of the server.  I note that you did NOT post that
 debugging output, which is the ONLY relevant thing here.

I set Auth-Type to System but no TTLS-tunnel session would be established
and I got the following debugging output:

...
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
  rad_check_password:  Found Auth-Type System
Warning:  Found 2 auth-types on request for user 'HUGO'
auth: type System
modcall: entering group authenticate for request 0
rlm_unix: Attribute User-Password is required for authentication.
  modcall[authenticate]: module unix returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
...

This output led me to the assumption that Auth-Type set to System is
wrong, so I set Auth-Type to EAP.

When I didn't set Auth-Type, e.g username User-Password blabla and set
DEFAULT Auth-Type += System
Fall-Through = YES

I can authenticate with plaintext password and with /etc/passwd , so I
got two valid passwords. With both passwords TTLS-tunnel sessions were
established, weird!

Ralf.


   Alan DeKok.



Re: EAP/TTLS /etc/shadow

2003-11-14 Thread Alan DeKok
Ralf Paffrath [EMAIL PROTECTED] wrote:
 I set Auth-Type to System but no TTLS-tunnel session would be established
 and I got the following debugging output:
 
 ...
 modcall: group authorize returns updated for request 0
   rad_check_password:  Found Auth-Type EAP
   rad_check_password:  Found Auth-Type System
 Warning:  Found 2 auth-types on request for user 'HUGO'

  sigh  Did you READ what i wrote?

Set Auth-Type to System for the tunneled user,

  The username inside of the tunnel IS different than the username
outside of the tunnel, isn't it?  If not, then nothing will work.

  Alan DeKok.



EAP/TTLS /etc/shadow

2003-11-13 Thread Ralf Paffrath
I'm running a snapshot version of freeradius with EAP/TTLS for authN.
My supplicant is SecureW2. Everything works fine as long as I put in the
plaintext user-password in users configuration file and didn't set
Auth-Type, e.g. username User-Password == blabla.

I absolutely don't like plaintext passwords in some files so I tried
freeradius out to use /etc/shadow but with no success.

Auth-Type := EAP doesn't work:
...
auth: type EAP
modcall: entering group authenticate for request 5
rlm_eap: EAP-Message not found
rlm_eap: Malformed EAP Message
  modcall[authenticate]: module eap returns fail for request 5
modcall: group authenticate returns fail for request 5
auth: Failed to validate the user.
  TTLS: Got tunneled reply RADIUS code 3
  TTLS: Rejecting tunneled user

Any idea?

Ralf



Re: EAP/TTLS /etc/shadow

2003-11-13 Thread Alan DeKok
Ralf Paffrath [EMAIL PROTECTED] wrote:
 I'm running a snapshot version of freeradius with EAP/TTLS for authN.
 My supplicant is SecureW2. Everything works fine as long as I put in the
 plaintext user-password in users configuration file and didn't set
 Auth-Type, e.g. username User-Password == blabla.

  Ok...

 I absolutely don't like plaintext passwords in some files so I tried
 freeradius out to use /etc/shadow but with no success.

  Plain-text passwords aren't much of a problem from a security
perspective.  They also allow you to do CHAP authentication, which is
impossible with /etc/passwd.

 Auth-Type := EAP doesn't work:
 ...
 auth: type EAP
 modcall: entering group authenticate for request 5
 rlm_eap: EAP-Message not found

  Exactly.  Don't set Auth-Type := EAP.  EVER.

 Any idea?

  Set Auth-Type to System for the tunneled user, and read the
debugging output of the server.  I note that you did NOT post that
debugging output, which is the ONLY relevant thing here.

  Alan DeKok.



Re: Problem with EAP-TTLS+AEGIS Client

2003-11-10 Thread Kostas Kalevras
On Mon, 10 Nov 2003, Kostas Kalevras wrote:

 Hello, we are facing a problem when trying to test EAP-TTLS with the
 Meetinghouse AEGIS Client

 We are using a Cisco 2950 as an AP (EAPOL authentication) with recent IOS.

 freeradius latest cvs (two or three days old)
 Aegis 2.1.0
 OpenSSL 0.9.7c

 Unfortunately we haven't been able to find a sniffer capable of reporting the
 TLS traffic within an EAP-TTLS (or EAP-TLS for that matter) conversation.
 So I am mostly speculating what the problem is.

 As can be seen from the radiusd -X -xxx output after sending a TLS Hello with
 the server certificate the client returns with a TLS ACK. I am guessing that one
 TLS fragment got to the client and it is ACKing for another. Though the eap_tls
 module seems to not accept that ACK.
 From what i 've found the eaptls_ack_handler() never seems to be called. If it
 is an openssl or rlm_eap_tls module problem i don't know. From the documentation
 on openssl.org it seems that the handler will only be called if the received
 packet is ok so it can just be that the packet is malformed somehow.
 In any case I don't really know where to go from here. One thing that would help
 would be if someone confirmed that eap-ttls works with such a configuration.

OK that one was a typo. I was actually referring to cbtls_msg() function in cb.c
which is never called. And now that i think of it (and read the EAP-TLS RFC):

EAP-Message = 0x021100061500

So we do get an EAP-TLS Fragment ACK. But the callback function will *never* get
called for a packet like this (it isn't an actual TLS segment in any case). As a
result i don't think that the checks run in the eaptls_ack_handler() function
can actually work. I 've removed them and now the TTLS session works much better
(i do get a core dump just before sending back the Access-Accept but i 'll
probably figure that one out).


 tls {
 private_key_password = 
 private_key_file = /etc/1x/private.pem
 certificate_file = /etc/1x/cert.pem
 CA_file = /etc/1x/CA.pem
 dh_file = /etc/1x/DH
 random_file = /etc/1x/random
 fragment_size = 1024
 #   include_length = no
 }

 --
 Kostas Kalevras   Network Operations Center
 [EMAIL PROTECTED] National Technical University of Athens, Greece
 Work Phone:   +30 210 7721861
 'Go back to the shadow'   Gandalf

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
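
Decoding the EAP-Message = 0x021100061500 value quoted in the message above shows why it is a fragment ACK: the EAP header alone (Response, type 21, flags 0x00, no TLS data) identifies it, so there is no TLS record for a message callback to see. The C parser below is an added example, not FreeRADIUS code and not part of the original post; eaptls_classify, eaptls_hdr_t, the EAPTLS_PKT_* names and the two constructed sample packets are assumptions made for illustration.

```c
/* Added example: eaptls_classify, eaptls_hdr_t, EAPTLS_PKT_* are hypothetical names. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EAP_CODE_REQUEST  1
#define EAP_CODE_RESPONSE 2
#define EAP_TYPE_TLS      13    /* 0x0d */
#define EAP_TYPE_TTLS     21    /* 0x15 */
#define TLS_FLAG_LENGTH   0x80  /* L: 4-byte TLS message length follows */
#define TLS_FLAG_MORE     0x40  /* M: more fragments follow */
#define TLS_FLAG_START    0x20  /* S: start of the EAP-TLS/TTLS exchange */

typedef enum {
    EAPTLS_PKT_INVALID,   /* 0: malformed or truncated */
    EAPTLS_PKT_NOT_TLS,   /* 1: well-formed EAP, but not type TLS/TTLS */
    EAPTLS_PKT_START,     /* 2: S flag set */
    EAPTLS_PKT_ACK,       /* 3: no TLS data, L and M clear */
    EAPTLS_PKT_FRAGMENT,  /* 4: TLS data, more fragments to come */
    EAPTLS_PKT_DATA       /* 5: TLS data, last or only fragment */
} eaptls_kind_t;

typedef struct {
    uint8_t  code, id, type, flags;
    uint16_t length;       /* EAP length field */
    uint32_t tls_msg_len;  /* only meaningful when the L flag is set */
    size_t   data_len;     /* TLS bytes carried in this packet */
} eaptls_hdr_t;

/* Classify one EAP packet using only its EAP and EAP-TLS headers. */
eaptls_kind_t eaptls_classify(const uint8_t *buf, size_t buflen, eaptls_hdr_t *h)
{
    size_t off = 6; /* code, id, length (2), type, flags */

    if (buf == NULL || h == NULL || buflen < 4)
        return EAPTLS_PKT_INVALID;
    *h = (eaptls_hdr_t){0};
    h->code = buf[0];
    h->id = buf[1];
    h->length = (uint16_t)((buf[2] << 8) | buf[3]);

    /* Never trust the length field beyond what was actually received. */
    if (h->length < 4 || h->length > buflen)
        return EAPTLS_PKT_INVALID;
    /* Success and Failure packets have no type field. */
    if (h->code != EAP_CODE_REQUEST && h->code != EAP_CODE_RESPONSE)
        return EAPTLS_PKT_NOT_TLS;
    if (h->length < 5)
        return EAPTLS_PKT_INVALID;
    h->type = buf[4];
    if (h->type != EAP_TYPE_TLS && h->type != EAP_TYPE_TTLS)
        return EAPTLS_PKT_NOT_TLS;
    if (h->length < 6) /* the flags byte is mandatory */
        return EAPTLS_PKT_INVALID;
    h->flags = buf[5];

    if (h->flags & TLS_FLAG_LENGTH) {
        if (h->length < 10)
            return EAPTLS_PKT_INVALID;
        h->tls_msg_len = ((uint32_t)buf[6] << 24) | ((uint32_t)buf[7] << 16) |
                         ((uint32_t)buf[8] << 8) | (uint32_t)buf[9];
        off = 10;
    }
    h->data_len = (size_t)h->length - off;

    if (h->flags & TLS_FLAG_START)
        return EAPTLS_PKT_START;
    if (h->data_len == 0) {
        /* An empty packet is only legal as an ACK, with L and M clear. */
        if (h->flags & (TLS_FLAG_LENGTH | TLS_FLAG_MORE))
            return EAPTLS_PKT_INVALID;
        return EAPTLS_PKT_ACK;
    }
    return (h->flags & TLS_FLAG_MORE) ? EAPTLS_PKT_FRAGMENT : EAPTLS_PKT_DATA;
}

/* The packet quoted in the post: EAP-Message = 0x021100061500 */
static const uint8_t PAGE_ACK[] = { 0x02, 0x11, 0x00, 0x06, 0x15, 0x00 };
/* Constructed sample: first fragment of a 2048-byte TLS message (L|M set). */
static const uint8_t SAMPLE_FRAGMENT[] = { 0x01, 0x12, 0x00, 0x0e, 0x15, 0xc0,
    0x00, 0x00, 0x08, 0x00, 0x16, 0x03, 0x01, 0x00 };
/* Constructed sample: the page's packet with its last byte cut off. */
static const uint8_t SAMPLE_TRUNCATED[] = { 0x02, 0x11, 0x00, 0x06, 0x15 };

int main(void)
{
    eaptls_hdr_t h;
    int k = eaptls_classify(PAGE_ACK, sizeof PAGE_ACK, &h);

    printf("page packet: code=%d id=0x%02x len=%d type=%d flags=0x%02x kind=%d\n",
           h.code, h.id, h.length, h.type, h.flags, k);
    k = eaptls_classify(SAMPLE_FRAGMENT, sizeof SAMPLE_FRAGMENT, &h);
    printf("fragment: tls_msg_len=%u data_len=%zu kind=%d\n",
           (unsigned)h.tls_msg_len, h.data_len, k);
    printf("truncated: kind=%d\n",
           (int)eaptls_classify(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, &h));
    return 0;
}
```

A handler that accepts such an ACK can still check, from its own bookkeeping, that a fragment is actually outstanding, since the classification needs no TLS record state.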



Re: Problem with EAP-TTLS+AEGIS Client

2003-11-10 Thread Alan DeKok
Kostas Kalevras [EMAIL PROTECTED] wrote:
 So we do get an EAP-TLS Fragment ACK. But the callback function will
 *never* get called for a packet like this (it isn't an actual TLS
 segment in any case). As a result i don't think that the checks run
 in the eaptls_ack_handler() function can actually work.

  Hm... I used the Aegis client to test the TTLS code, so it worked
for me...

 I 've removed them and now the TTLS session works much better (i do
 get a core dump just before sending back the Access-Accept but i 'll
 probably figure that one out).

  Do you have a patch, with a little more detailed explanation as to
what is going wrong, and why?

  Alan DeKok.



Re: Problem with EAP-TTLS+AEGIS Client

2003-11-10 Thread Kostas Kalevras
On Mon, 10 Nov 2003, Alan DeKok wrote:

 Kostas Kalevras [EMAIL PROTECTED] wrote:
  So we do get an EAP-TLS Fragment ACK. But the callback function will
  *never* get called for a packet like this (it isn't an actual TLS
  segment in any case). As a result i don't think that the checks run
  in the eaptls_ack_handler() function can actually work.

   Hm... I used the Aegis client to test the TTLS code, so it worked
 for me...

Probably with small enough certificates to not worry about fragmentation.


  I 've removed them and now the TTLS session works much better (i do
  get a core dump just before sending back the Access-Accept but i 'll
  probably figure that one out).

   Do you have a patch, with a little more detailed explanation as to
 what is going wrong, and why?

I am attaching the patch (though it just makes eaptls_ack_handler to return
immediately).

Let me try and outline the problem.

For TLS fragments the client will respond with an EAP-TTLS message with only one
zero data byte. This signifies a fragment ACK.
In eap_tls we have registered eaptls_msg as a callback function for all tls
messages which will set various variables like

state->info.origin = (unsigned char)write_p;
state->info.content_type = (unsigned char)content_type;
state->info.record_len = len;
state->info.version = msg_version;

Though since this one byte packet is *not* an actual TLS packet this function
will not run in this case. Nevertheless, eaptls_ack_handler currently will use
these variables to determine the nature of the received packet. As a result it
will fail and kill the EAP-TTLS (or EAP-TLS for that matter) session.
So the way i see it the fix is to just make eaptls_ack_handler a dummy function
which will just return EAPTLS_REQUEST. Though i don't know the eap module that
well to be sure that this is the correct solution.


   Alan DeKok.



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

Index: eap_tls.c
===
RCS file: /source/radiusd/src/modules/rlm_eap/types/rlm_eap_tls/eap_tls.c,v
retrieving revision 1.18
diff -u -r1.18 eap_tls.c
--- eap_tls.c   23 Oct 2003 22:04:09 -  1.18
+++ eap_tls.c   10 Nov 2003 15:09:02 -
@@ -214,6 +214,12 @@
tls_session_t *tls_session;
 
tls_session = (tls_session_t *)handler-opaque;
+   if (tls_session == NULL){
+   radlog(L_ERR, rlm_eap_tls: Unexpected ACK received);
+   return EAPTLS_FAIL;
+   }
+   return EAPTLS_REQUEST;
+
if ((tls_session == NULL) ||
(tls_session-info.origin == 0)) {
radlog(L_ERR, rlm_eap_tls: Unexpected ACK received);
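
Review bot: The unconditional `return EAPTLS_REQUEST;` added right after the new NULL check makes everything below it unreachable, starting with the existing `if ((tls_session == NULL) || (tls_session-info.origin == 0))` test, so any ACK that arrives with a session attached is now accepted without any state check. If those checks cannot work for a fragment ACK, delete them in the same patch rather than leaving dead code behind an early return, and add a comment saying why; better still, keep a check that does not depend on the message callback (for example, that the server really has a fragment outstanding) so that an ACK arriving at any other point still fails. The new `if (tls_session == NULL){` also drops the space before the brace that the surrounding code uses.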


Re: Problem with EAP-TTLS+AEGIS Client

2003-11-10 Thread Kostas Kalevras
On Mon, 10 Nov 2003, Kostas Kalevras wrote:

 OK that one was a typo. I was actually referring to cbtls_msg() function in cb.c
 which is never called. And now that i think of it (and read the EAP-TLS RFC):

 EAP-Message = 0x021100061500

 So we do get an EAP-TLS Fragment ACK. But the callback function will *never* get
 called for a packet like this (it isn't an actual TLS segment in any case). As a
 result i don't think that the checks run in the eaptls_ack_handler() function
 can actually work. I 've removed them and now the TTLS session works much better
 (i do get a core dump just before sending back the Access-Accept but i 'll
 probably figure that one out).

For the core dump now:

Loaded symbols for /usr/libexec/ld-elf.so.1
#0  0x2844b337 in eaptls_gen_mppe_keys (reply_vps=0x81169b8, s=0x809ec00,
prf_label=0x14 <Address 0x14 out of bounds>)
at mppe_keys.c:136
136 memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
(gdb) print s
$1 = (struct ssl_st *) 0x809ec00
(gdb) print s->s2
$2 = (struct ssl2_state_st *) 0x8117400
(gdb) print s->s3
$3 = (struct ssl3_state_st *) 0x0

In other words the s->s3 structure is NULL. I 've added a few debug statements
in rlm_eap_tls and rlm_eap_ttls and it seems to always be NULL. I don't know why
though. In any case that one is causing the core dumps. If there are no
objections i can add a few checks in eaptls_gen_mppe_keys() and
eapttls_gen_challenge() for s->s3 being NULL

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Problem with EAP-TTLS+AEGIS Client

2003-11-10 Thread Alan DeKok
Kostas Kalevras [EMAIL PROTECTED] wrote:
 For the core dump now:
...
 (gdb) print s->s2
 $2 = (struct ssl2_state_st *) 0x8117400
 (gdb) print s->s3
 $3 = (struct ssl3_state_st *) 0x0
 
 In other words the s->s3 structure is NULL.

  See RFC 2716, top of page 3.  TLS version 1 is required.  See
ssl/ssl.h, SSLv3 is pretty much TLS version 1.

  So the TLS session SHOULD have been rejected, as soon as the client
tried to use SSLv2.  This may be a failure in the EAP-TLS code.

  Hmm...  See: src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c,
line 185:

   /*
    *   Set ctx_options
    */
   ctx_options |= SSL_OP_NO_SSLv2;
   ctx_options |= SSL_OP_NO_SSLv3;


  So SSLv2 and SSLv3 should NOT be used.  Ever.

 In any case that one is causing the core dumps. If there are no
 objections i can add a few checks in eaptls_gen_mppe_keys() and
 eapttls_gen_challenge() for s->s3 being NULL

  I'd say add a few checks to the TLS module, eaptls_process(), so
that it returns FAILED if s->s3 == NULL.  That will prevent the
core dump, but it will also prevent your client from working.

  Alan DeKok.



Re: Problem with EAP-TTLS+AEGIS Client

2003-11-10 Thread Kostas Kalevras
On Mon, 10 Nov 2003, Alan DeKok wrote:

 Kostas Kalevras [EMAIL PROTECTED] wrote:
  For the core dump now:
 ...
  (gdb) print s->s2
  $2 = (struct ssl2_state_st *) 0x8117400
  (gdb) print s->s3
  $3 = (struct ssl3_state_st *) 0x0
 
  In other words the s->s3 structure is NULL.

   See RFC 2716, top of page 3.  TLS version 1 is required.  See
 ssl/ssl.h, SSLv3 is pretty much TLS version 1.

   So the TLS session SHOULD have been rejected, as soon as the client
 tried to use SSLv2.  This may be a failure in the EAP-TLS code.

   Hmm...  See: src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c,
 line 185:

/*
 * Set ctx_options
 */
ctx_options |= SSL_OP_NO_SSLv2;
ctx_options |= SSL_OP_NO_SSLv3;


   So SSLv2 and SSLv3 should NOT be used.  Ever.

OK now i am getting really puzzled. I did this little change:

eap_tls.c, line 680

DEBUG2("  rlm_eap_tls: processing TLS");
if (tls_session->ssl)
        DEBUG("rlm_eap_tls: Version: %s", SSL_get_version(tls_session->ssl));

and i get:

Mon Nov 10 18:33:14 2003 : Debug:   rlm_eap_tls: processing TLS
Mon Nov 10 18:33:14 2003 : Debug: rlm_eap_tls: Version: TLSv1


Man page for SSL_get_version:
returns the name of the protocol used for the connection ssl.

Unfortunately i don't have a sniffer capable of returning the TLS session
details from within the EAP message conversation.

So /me puzzled


  In any case that one is causing the core dumps. If there are no
  objections i can add a few checks in eaptls_gen_mppe_keys() and
  eapttls_gen_challenge() for s->s3 being NULL

   I'd say add a few checks to the TLS module, eaptls_process(), so
 that it returns FAILED if s->s3 == NULL.  That will prevent the
 core dump, but it will also prevent your client from working.

It's rather strange since i am also using the AEGIS client. How can i be so
damn lucky and hit on all errors? :-)


   Alan DeKok.



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Problem with EAP-TTLS+AEGIS Client

2003-11-10 Thread Alan DeKok
Kostas Kalevras [EMAIL PROTECTED] wrote:
 and i get:
 
 Mon Nov 10 18:33:14 2003 : Debug:   rlm_eap_tls: processing TLS
 Mon Nov 10 18:33:14 2003 : Debug: rlm_eap_tls: Version: TLSv1

  Which should be fine.  So I'm a little confused as to why s->s3 is
NULL.  OpenSSL versions, maybe?

  Alan DeKok.



Re: Problem with EAP-TTLS+AEGIS Client

2003-11-10 Thread Kostas Kalevras
On Mon, 10 Nov 2003, Alan DeKok wrote:

 Kostas Kalevras [EMAIL PROTECTED] wrote:
  and i get:
 
  Mon Nov 10 18:33:14 2003 : Debug:   rlm_eap_tls: processing TLS
  Mon Nov 10 18:33:14 2003 : Debug: rlm_eap_tls: Version: TLSv1

   Which should be fine.  So I'm a little confused as to why s->s3 is
 NULL.  OpenSSL versions, maybe?

Yes that was it.
rlm_eap_{ttls,tls} was using the correct version but the radiusd binary was
compiled with the older ones. Now all is working fine. Thanks a lot for your
help.


   Alan DeKok.



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



EAP/TTLS Proxying

2003-11-10 Thread Fastbyte
Is there any news on proxying EAP/TTLS? Does the thing work?

p.s. in last discussion on mailing list Alan has said that this
 doesn't work.
thanks

Sergio - Srdjan Vemic





Re: EAP/TTLS Proxying

2003-11-10 Thread Alan DeKok
Fastbyte [EMAIL PROTECTED] wrote:
 Is there any news on proxying EAP/TTLS? Does the thing work?
 
 p.s. in last discussion on mailing list Alan has said that this
   doesn't work.

  There has been no announcement that it works, so it still doesn't
work.

  Alan DeKok.



Problem with EAP-TTLS+AEGIS Client

2003-11-09 Thread Kostas Kalevras
Hello, we are facing a problem when trying to test EAP-TTLS with the
Meetinghouse AEGIS Client

We are using a Cisco 2950 as an AP (EAPOL authentication) with recent IOS.

freeradius latest cvs (two or three days old)
Aegis 2.1.0
OpenSSL 0.9.7c

Unfortunately we haven't been able to find a sniffer capable of reporting the
TLS traffic within an EAP-TTLS (or EAP-TLS for that matter) conversation.
So I am mostly speculating what the problem is.

As can be seen from the radiusd -X -xxx output after sending a TLS Hello with
the server certificate the client returns with a TLS ACK. I am guessing that one
TLS fragment got to the client and it is ACKing for another. Though the eap_tls
module seems to not accept that ACK.
From what I've found the eaptls_ack_handler() never seems to be called. If it
is an openssl or rlm_eap_tls module problem i don't know. From the documentation
on openssl.org it seems that the handler will only be called if the received
packet is ok so it can just be that the packet is malformed somehow.
In any case I don't really know where to go from here. One thing that would help
would be if someone confirmed that eap-ttls works with such a configuration.

tls {
    private_key_password = 
    private_key_file = /etc/1x/private.pem
    certificate_file = /etc/1x/cert.pem
    CA_file = /etc/1x/CA.pem
    dh_file = /etc/1x/DH
    random_file = /etc/1x/random
    fragment_size = 1024
#   include_length = no
}

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

rad_recv: Access-Request packet from host 147.102.247.20:1812, id=45, length=102
NAS-IP-Address = 147.102.247.20
NAS-Port-Type = Async
User-Name = papage
Service-Type = Framed-User
Framed-MTU = 1500
Calling-Station-Id = 00-00-86-33-52-43
EAP-Message = 0x020e000b01706170616765
Message-Authenticator = 0x33b1b4adac3a64f2951c083441512065
Sun Nov  9 21:52:25 2003 : Debug: modcall: entering group authorize for request 40
Sun Nov  9 21:52:25 2003 : Debug:   modsingle[authorize]: calling preprocess (rlm_preprocess) for request 40
Sun Nov  9 21:52:25 2003 : Debug:   modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 40
Sun Nov  9 21:52:25 2003 : Debug:   modcall[authorize]: module preprocess returns ok for request 40
Sun Nov  9 21:52:25 2003 : Debug:   modsingle[authorize]: calling chap (rlm_chap) for request 40
Sun Nov  9 21:52:25 2003 : Debug:   modsingle[authorize]: returned from chap (rlm_chap) for request 40
Sun Nov  9 21:52:25 2003 : Debug:   modcall[authorize]: module chap returns noop for request 40
Sun Nov  9 21:52:25 2003 : Debug:   modsingle[authorize]: calling eap (rlm_eap) for request 40
Sun Nov  9 21:52:25 2003 : Debug:   rlm_eap: EAP packet type response id 14 length 11
Sun Nov  9 21:52:25 2003 : Debug:   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Sun Nov  9 21:52:25 2003 : Debug:   modsingle[authorize]: returned from eap (rlm_eap) for request 40
Sun Nov  9 21:52:25 2003 : Debug:   modcall[authorize]: module eap returns updated for request 40
Sun Nov  9 21:52:25 2003 : Debug:   modsingle[authorize]: calling suffix (rlm_realm) for request 40
Sun Nov  9 21:52:25 2003 : Debug: rlm_realm: No '@' in User-Name = papage, looking up realm NULL
Sun Nov  9 21:52:25 2003 : Debug: rlm_realm: No such realm NULL
Sun Nov  9 21:52:25 2003 : Debug:   modsingle[authorize]: returned from suffix (rlm_realm) for request 40
Sun Nov  9 21:52:25 2003 : Debug:   modcall[authorize]: module suffix returns noop for request 40
Sun Nov  9 21:52:25 2003 : Debug:   modsingle[authorize]: calling files (rlm_files) for request 40
Sun Nov  9 21:52:25 2003 : Debug:   modsingle[authorize]: returned from files (rlm_files) for request 40
Sun Nov  9 21:52:25 2003 : Debug:   modcall[authorize]: module files returns notfound for request 40
Sun Nov  9 21:52:25 2003 : Debug:   modsingle[authorize]: calling mschap (rlm_mschap) for request 40
Sun Nov  9 21:52:25 2003 : Debug:   modsingle[authorize]: returned from mschap (rlm_mschap) for request 40
Sun Nov  9 21:52:25 2003 : Debug:   modcall[authorize]: module mschap returns noop for request 40
Sun Nov  9 21:52:25 2003 : Debug: modcall: group authorize returns updated for request 40
Sun Nov  9 21:52:25 2003 : Debug:   rad_check_password:  Found Auth-Type EAP
Sun Nov  9 21:52:25 2003 : Debug: auth: type EAP
Sun Nov  9 21:52:25 2003 : Debug: modcall: entering group authenticate for request 40
Sun Nov  9 21:52:25 2003 : Debug:   modsingle[authenticate]: calling eap (rlm_eap) for request 40
Sun Nov  9 21:52:25 2003 : Debug:   rlm_eap: EAP Identity
Sun Nov
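
Decoding the EAP-Message values that radiusd prints is one way to see the EAP and TLS record framing when no sniffer is available. The following Python decoder is an added example, not part of the original posts or of FreeRADIUS; the two constructed samples and all function names are assumptions of this example, and it reads headers only (no fragment reassembly, no decryption).

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "TLS", 21: "TTLS", 25: "PEAP"}
TLS_BASED = {13, 21, 25}      # these types share the EAP-TLS flags/length framing
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake",
               23: "ApplicationData"}
TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

# Values printed in the debug output quoted on this page.
PAGE_IDENTITY = "0x020e000b01706170616765"
PAGE_FAILURE = "0x047b0004"
# Constructed samples (not from the page): a TTLS response carrying one 4-octet
# TLSv1 application-data record, and an empty TTLS response (a fragment ACK).
CONSTRUCTED_TTLS = "0x027b00131580000000091703010004aaaaaaaa"
CONSTRUCTED_ACK = "0x020f00061500"


def tls_records(data):
    """Walk TLS record headers; stop at anything that is not a record start."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, major, minor, rlen = struct.unpack("!BBBH", data[off:off + 5])
        if ctype not in TLS_CONTENT or major != 3:
            break             # middle of a fragmented record, or SSLv2 framing
        records.append({
            "content": TLS_CONTENT[ctype],
            "version": TLS_VERSIONS.get((major, minor), f"{major}.{minor}"),
            "length": rlen,
            "complete": off + 5 + rlen <= len(data),
        })
        off += 5 + rlen
    return records


def parse_tls_framing(body):
    """Decode the flags octet, optional TLS message length and record headers."""
    if not body:
        raise ValueError("EAP-TLS style packet without a flags octet")
    flags, data = body[0], body[1:]
    out = {
        "length_included": bool(flags & 0x80),
        "more_fragments": bool(flags & 0x40),
        "start": bool(flags & 0x20),
    }
    if flags & 0x80:
        if len(data) < 4:
            raise ValueError("L flag set but TLS message length is missing")
        out["tls_message_length"] = struct.unpack("!I", data[:4])[0]
        data = data[4:]
    # No L/M/S flag and no data: the peer is acknowledging a fragment.
    out["ack"] = (not data) and not (flags & 0xE0)
    out["records"] = tls_records(data)
    return out


def parse_eap(value):
    """Decode one EAP-Message value as printed by radiusd (0x-prefixed hex)."""
    raw = bytes.fromhex(value[2:] if value.lower().startswith("0x") else value)
    if len(raw) < 4:
        raise ValueError("shorter than the 4-octet EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field is {length} but {len(raw)} octets are present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if length == 4:           # Success and Failure carry no type octet
        return pkt
    eap_type, body = raw[4], raw[5:]
    pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:
        pkt["identity"] = body.decode("utf-8", "replace")
    elif eap_type in TLS_BASED:
        pkt.update(parse_tls_framing(body))
    return pkt


if __name__ == "__main__":
    for sample in (PAGE_IDENTITY, PAGE_FAILURE, CONSTRUCTED_TTLS, CONSTRUCTED_ACK):
        print(sample, "->", parse_eap(sample))
```

The length check rejects a value whose EAP length field disagrees with the number of octets actually present, so a truncated or damaged capture is reported instead of being decoded as if it were complete.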

some configuration problems in EAP/TTLS and EAP/PEAP in freeradius

2003-10-31 Thread
   I have downloaded the newest version of freeradius,
freeradius-snapshot-20031030.tar.gz.
And I want to use ttls and peap to authenticate, but I don't know how I can
configure the /freeradius folder/etc/raddb/user file.
   Would you like to give me some suggestions about my problems?
   thanks!
   wkynwkyn



Re: some configuration problems in EAP/TTLS and EAP/PEAP in freeradius

2003-10-31 Thread Alan DeKok
=?gb2312?B?0rsgxao=?= [EMAIL PROTECTED] wrote:
  And I want to use ttls and peap to authenticate ,but i don't know how can 
 I configure
  the /freeradius folder/etc/raddb/user file .

  For examples of configuring TLS, see:

http://www.freeradius.org/doc/

  You need TLS for TTLS & PEAP.  After that, just supply username &
password, and TTLS/PEAP will work.

  Alan DeKok.



FreeRadius Snapshot 28102203: EAP/TTLS with PAP tunnel.

2003-10-28 Thread gcass
Hi all,

I successfully compiled the 28/10 snapshot on a Slackware linux 9.1, which
has openssl 0.9.7b included into the distro. I tried to use EAP/TTLS method
and succeeded only using MD5 as tunnel type. Does FreeRadius support EAP/TTLS
with PAP ??? I really need it !! I need to exchange clear password because
the authentication is demanded to a LDAP Server.

Thanks
Giancarlo




Re: FreeRadius Snapshot 28102203: EAP/TTLS with PAP tunnel.

2003-10-28 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 I tried to use EAP/TTLS method
 and succeeded only using MD5 as tunnel type. Does FreeRadius support EAP/TTLS
 with PAP ??? I really need it !!

  Yes.  Did you try reading the WEB page, or try using PAP with TTLS?

  Alan DeKok.



Segfault using EAP/TTLS.

2003-10-10 Thread Guillaume THIBAUX
Hi all,

This is my first post here, I hope it will be done the right way.

I'm using the latest freeradius snapshot to authenticate wireless users with 
EAP-TTLS. I have 2 AP, a Cisco Aironet 1100 series and a Netgear ME103. The 
client part runs under WinXP with the MeetingHouse EAP/TTLS client (Aegis).

I've already been able to get the system to function under a Redhat 8. But I 
installed it on a Redhat 7.1, and now I've got the ttls module segfaulting 
after establishment of the ttls tunnel. I'm a little bit lost because all 
parameters are so similar between the 2 configurations, and even if it was a 
configuration mistake from my part, I doubt that the freeradius should 
segfault in those cases.

A little more details about the conditions :
Here is the exact version, radiusd: FreeRADIUS Version 1.0.0-pre0, for host 
i686-pc-linux-gnu, built on Oct  9 2003 at 10:53:02
I deactivated LDAP, sql.. to try to isolate the problem. So in this 
configuration I only have a local user localuser in files.
Here is the end of the output of a radiusd -X :
--
[...]
modcall: entering group authenticate for request 3
  rlm_eap: Request found, released from the list
  rlm_eap: EAP_TYPE - ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11 
  eaptls_process returned 7 
  rlm_eap_ttls: Session established.  Proceeding to decode tunneled 
attributes.

  TTLS: Got tunneled request
EAP-Message = 0x020e016c6f63616c75736572
Freeradius-Proxied-To = 127.0.0.1
  TTLS: Got tunneled identity of localuser
  TTLS: Setting default EAP type for tunneled EAP session.
Segmentation fault
--
Tell me if you need the full log to diagnose..

Here is some information about the segfault, gdb found this :
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 17319)]
0x401fbf13 in eapttls_process (request=0x8120710, tls_session=0x8110070) at 
ttls.c:675
675   vp->lvalue = t->default_eap_type;
(gdb) 

Thank you for your help.
-- 
Guitou  /  Guillaume THIBAUX




Re: Segfault using EAP/TTLS.

2003-10-10 Thread Alan DeKok
Guillaume THIBAUX [EMAIL PROTECTED] wrote:
 I've already been able to get the system to function under a Redhat 8. But I 
 installed it on a Redhat 7.1, and now I've got the ttls module segfaulting 
 after establishment of the ttls tunnel. I'm a little bit lost because all 
 parameters are so similar between the 2 configurations, and even if it was a 
 configuration mistake from my part, I doubt that the freeradius should 
 segfault in those cases.
...
 Program received signal SIGSEGV, Segmentation fault.
 [Switching to Thread 1024 (LWP 17319)]
 0x401fbf13 in eapttls_process (request=0x8120710, tls_session=0x8110070) at 
 ttls.c:675
 675   vp->lvalue = t->default_eap_type;

  My first guess would be that you installed the server on top of an
older version, and didn't update the dictionaries.

  Look at the line above 675, it tries to create an attribute
EAP-Type.  Ensure that you have this in your dictionaries, and that
/etc/raddb/dictionary includes the ones in /usr/share/freeradius

  Alan DeKok.
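
One way to check this before starting the server, as an added example that is not part of the original post or of FreeRADIUS: follow the $INCLUDE chain from the top-level dictionary and confirm that EAP-Type is defined somewhere along it. The file layout, the attribute numbers, and the rule that relative includes resolve against the including file's directory are assumptions of this example.

```python
import os
import tempfile


def attributes_defined(path, seen=None):
    """Return (attribute names, unreadable include paths) reachable from path."""
    seen = set() if seen is None else seen
    real = os.path.realpath(path)
    if real in seen:                      # include loop: already processed
        return set(), []
    seen.add(real)
    try:
        with open(real, encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
    except OSError:
        return set(), [path]              # stale path left over from an old install
    names, unreadable = set(), []
    for line in lines:
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0].upper() == "$INCLUDE":
            target = fields[1]
            if not os.path.isabs(target):
                target = os.path.join(os.path.dirname(real), target)
            sub_names, sub_unreadable = attributes_defined(target, seen)
            names |= sub_names
            unreadable += sub_unreadable
        elif len(fields) >= 4 and fields[0].upper() == "ATTRIBUTE":
            names.add(fields[1])
    return names, unreadable


def check(top_dictionary, required=("EAP-Type",)):
    """Report required attributes that no dictionary in the chain defines."""
    names, unreadable = attributes_defined(top_dictionary)
    return {"missing_attributes": sorted(set(required) - names),
            "unreadable_includes": unreadable}


def demo():
    """Constructed layout: one raddb pointing at old dictionaries, one at new."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
            return path

        # Old share directory: predates EAP-Type (constructed content).
        old = write("share_old/dictionary", "ATTRIBUTE\tUser-Name\t1\tstring\n")
        # New share directory: EAP-Type lives in an included file.
        write("share_new/dictionary.internal",
              "ATTRIBUTE\tEAP-Type\t1018\tinteger\n")
        new = write("share_new/dictionary",
                    "ATTRIBUTE\tUser-Name\t1\tstring\n"
                    "$INCLUDE dictionary.internal\n")
        stale = write("raddb_stale/dictionary", f"$INCLUDE {old}\n")
        fixed = write("raddb_fixed/dictionary", f"$INCLUDE {new}  # updated path\n")
        return check(stale), check(fixed)


if __name__ == "__main__":
    stale_result, fixed_result = demo()
    print("stale include path:", stale_result)
    print("fixed include path:", fixed_result)
```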



Re: Segfault using EAP/TTLS.

2003-10-10 Thread Guillaume THIBAUX
On Friday 10 October 2003 17:08, Alan DeKok wrote:
   My first guess would be that you installed the server on top of an
 older version, and didn't update the dictionaries.

   Look at the line above 675, it tries to create an attribute
 EAP-Type.  Ensure that you have this in your dictionaries, and that
 /etc/raddb/dictionary includes the ones in /usr/share/freeradius

You're the man! :) You guessed right, I upgraded an older freeradius on this 
machine and the new version was still referring to the old dictionary file.
I changed the include path in /etc/raddb/dictionary and it works well now..

Thanks a lot for your help and thank you for all your work on this project.
-- 
Guitou  /  Guillaume THIBAUX




EAP-TTLS.

2003-10-09 Thread Raj Jadhav
Hi
Anybody has implemented EAP-TTLS, or more details on how to implement EAP
TTLS with PAP?
I am facing a problem with an ISP has old legacy platform with Merit RADIUS
and IBM LDAP, I tried to test with FREE RADIUS and IBM LDAP. 
IBM LDAP responds nicely to Free RADIUS with crypto password of user. When I
enter my username and password through 802.1x Ethernet switch by XP client
with md5 challenge. FreeRADIUS debug says MD5 challenge failure
It means my Free RADIUS server is not understanding passwords of users.
How can I convert the crypto passwords in IBM LDAP to MD5 passwords.
Or same thing can be used with EAP-TTLS??
I am confused
Thanks in advance
Raj Jadhav





Re: EAP-TTLS.

2003-10-09 Thread Kostas Kalevras
On Thu, 9 Oct 2003, Raj Jadhav wrote:

 Hi
 Anybody has implemented EAP-TTLS, or more details on how to implement EAP
 TTLS with PAP?
 I am facing a problem with an ISP has old legacy platform with Merit RADIUS
 and IBM LDAP, I tried to test with FREE RADIUS and IBM LDAP.
 IBM LDAP responds nicely to Free RADIUS with crypto password of user. When I
 enter my username and password through 802.1x Ethernet switch by XP client
 with md5 challenge. FreeRADIUS debug says MD5 challenge failure
 It means my Free RADIUS server is not understanding passwords of users.
 How can I convert the crypto passwords in IBM LDAP to MD5 passwords.

You can't. EAP-MD5 is the same as CHAP. See:

http://www.freeradius.org/faq/#4.4
http://www.freeradius.org/faq/#5.11

 Or same thing can be used with EAP-TTLS??
 I am confused
 Thanks in advance
 Raj Jadhav





--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



RE: Anyone get FreeRadius + CIsco Aironet 1100 AP + Cisco client under WinXP or 2K to work with EAP-TTLS.

2003-10-02 Thread Antonia Kujundzic

 Francisco Javier Martinez Martinez [EMAIL PROTECTED] wrote:
  I want to know if it is possible to make work the following scenario:
  AP : Cisco Aironet 1100 or similar
  Client-supplicant: Windows 2K /XP and cisco client.
  EAP: TTLS
  Authentication server: FreeRadius.
 
   I've used XP with a Cisco 350, and a non-Cisco client.  From what I
 recall, the Cisco client doesn't do TTLS, so that would appear to be a
 show-stopper.

There is a free Windows client for EAP-TTLS.
www.alfa-arriss.com
I've used it with Cisco client and it worked fine.

Antonia



Re: Anyone get FreeRadius + CIsco Aironet 1100 AP + Cisco client under WinXP or 2K to work with EAP-TTLS.

2003-10-02 Thread Artur Hecker
hi

Antonia Kujundzic wrote:
There is a free Windows client for EAP-TTLS.
www.alfa-arriss.com
I've used it with Cisco client and it worked fine.
hey, thanks, excellent! they really still produce freeware out there? :)

(small correction to the link, it is actually www.alfa-ariss.com).

ciao
artur
ps the size of the whole 85k. another proof for alan's statement about 
the straightforward & easy TTLS implementation. otherwise they would 
hardly give it for free :)





eap-ttls pap can't work with aegis client

2003-09-26 Thread george


I have tested eap-ttls with freeradius and the client is aegis; ms-chap, ms-chap-v2 
and eap-md5 work, but it seems pap and chap don't work. Here is the message 
from radiusd (using eap-ttls-pap), thanks!

rad_recv: Access-Request packet from host 192.168.102.1:1200, id=187, length=281
EAP-Message = 
0x027b006c1580006217030100183a14f67f8fde6b4b1d02e5224ceccd80d3ab2425d32b17030100400fffe387d3edb5fc712b6e29492e410bbd8fb4457bf19a7bde6f4d8ebe40439da8871e1abaabf15e3783cb4ba34a97faf7fe2a8e69734e09ac105340d4a8bea6
User-Name = test
NAS-Identifier = IPONE_AG2000_KT
NAS-IP-Address = 192.168.102.1
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Service-Type = Framed-User
Framed-MTU = 1400
Connect-Info = CONNECT 11Mbps 802.11b
Calling-Station-Id = 00-60-b3-6a-38-7f
Called-Station-Id = 00-07-13-40-00-7c
State = 0x8675b25f15e3b78950a070be27e214c8
Message-Authenticator = 0xfe666e934d24293a78b6577a5bde650d
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module chap returns noop
  rlm_eap: EAP packet type response id 123 length 108
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated
rlm_realm: No '@' in User-Name = test, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop
users: Matched test at 114
  modcall[authorize]: module files returns ok
  modcall[authorize]: module mschap returns noop
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP_TYPE - ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11 
  eaptls_process returned 7 
  rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.

  TTLS: Got tunneled request
User-Name = test
User-Password = test
Freeradius-Proxied-To = 127.0.0.1
  TTLS: Sending tunneled request
User-Name = test
User-Password = test
Freeradius-Proxied-To = 127.0.0.1
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module chap returns noop
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop
rlm_realm: No '@' in User-Name = test, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop
users: Matched test at 114
  modcall[authorize]: module files returns ok
  modcall[authorize]: module mschap returns noop
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate
rlm_eap: EAP-Message not found
rlm_eap: Malformed EAP Message
  modcall[authenticate]: module eap returns fail
modcall: group authenticate returns fail
auth: Failed to validate the user.
  TTLS: Got tunneled reply RADIUS code 3
Service-Type = Framed-User
Idle-Timeout = 2000
Session-Timeout = 2
  TTLS: Rejecting tunneled user
 rlm_eap: Handler failed in EAP type 21
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module eap returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Delaying request 35 for 1 seconds
Finished request 35
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 187 to 192.168.102.1:1200
EAP-Message = 0x047b0004
Message-Authenticator = 0x
--


Best Regard

george

Re: eap-ttls pap can't work with aegis client

2003-09-26 Thread Alan DeKok
george [EMAIL PROTECTED] wrote:
 I have tested eap-ttls with freeradius and the client is aegis; ms-chap,
 ms-chap-v2 and eap-md5 work, but it seems pap and chap don't work.
 Here is the message from radiusd (using eap-ttls-pap),
 thanks!

  PAP & CHAP work fine with the Aegis client.  You've broken your
local configuration, to disable PAP & CHAP.

  modcall[authorize]: module suffix returns noop
 users: Matched test at 114

  You've set 'Auth-Type := EAP' here, for this user.  Don't do that.

  Alan DeKok.
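
The signature of this misconfiguration in the debug output quoted above is a tunneled request that carries no EAP-Message but is still handed Auth-Type EAP. The following Python check for that pattern is an added example, not part of the original posts; the function and variable names and the second, constructed log are assumptions of this example.

```python
import re

START = re.compile(r"TTLS: Sending tunneled request")
END = re.compile(r"TTLS: Got tunneled reply RADIUS code (\d+)")
USER = re.compile(r'^\s*User-Name = "?([^"]*?)"?\s*$')
MATCHED = re.compile(r"users: Matched (?:entry )?(\S+) at (?:line )?(\d+)")
AUTH_TYPE = re.compile(r"rad_check_password:\s+Found Auth-Type (\S+)")
NO_EAP = "No EAP-Message, not doing EAP"

# Excerpt of the radiusd debug output quoted in the message above.
PAGE_LOG = """\
  TTLS: Sending tunneled request
User-Name = test
Freeradius-Proxied-To = 127.0.0.1
modcall: entering group authorize
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop
users: Matched test at 114
  modcall[authorize]: module files returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
rlm_eap: EAP-Message not found
rlm_eap: Malformed EAP Message
  TTLS: Got tunneled reply RADIUS code 3
  TTLS: Rejecting tunneled user
"""

# Constructed log (not from the page): the inner method really is EAP, so
# Auth-Type EAP on the tunneled request is expected and must not be flagged.
CONSTRUCTED_INNER_EAP = """\
  TTLS: Sending tunneled request
EAP-Message = 0x020e000e016c6f63616c75736572
User-Name = localuser
  rlm_eap: EAP packet type response id 14 length 14
users: Matched localuser at 120
  rad_check_password:  Found Auth-Type EAP
  TTLS: Got tunneled reply RADIUS code 11
"""


def find_forced_eap(log_text):
    """Flag tunneled requests without EAP-Message that still got Auth-Type EAP."""
    findings, inner = [], None
    for line in log_text.splitlines():
        if START.search(line):
            inner = {"user": None, "users_entries": [],
                     "no_eap": False, "auth_type": None}
            continue
        if inner is None:
            continue                      # outer request: not our concern here
        end = END.search(line)
        if end:
            if inner["no_eap"] and inner["auth_type"] == "EAP":
                findings.append({
                    "user": inner["user"],
                    # users-file entries that matched: where to look for the
                    # forced Auth-Type
                    "users_entries": inner["users_entries"],
                    "reply_code": int(end.group(1)),
                })
            inner = None
            continue
        if NO_EAP in line:
            inner["no_eap"] = True
            continue
        user = USER.match(line)
        if user and inner["user"] is None:
            inner["user"] = user.group(1)
            continue
        matched = MATCHED.search(line)
        if matched:
            inner["users_entries"].append((matched.group(1), int(matched.group(2))))
            continue
        auth = AUTH_TYPE.search(line)
        if auth:
            inner["auth_type"] = auth.group(1)
    return findings


if __name__ == "__main__":
    for name, log in (("page log", PAGE_LOG), ("inner EAP", CONSTRUCTED_INNER_EAP)):
        print(name, "->", find_forced_eap(log))
```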



Anyone get FreeRadius + CIsco Aironet 1100 AP + Cisco client under WinXP or 2K to work with EAP-TTLS.

2003-09-24 Thread Francisco Javier Martinez Martinez
Hello.

My apologies if my question is redundant or has been asked before (I have 
read the list's messages and didn't find anything).

I want to know if it is possible to make work the following scenario:
AP : Cisco Aironet 1100 or similar
Client-supplicant: Windows 2K /XP and cisco client.
EAP: TTLS
Authentication server: FreeRadius.
If it is possible, has anyone made it work, or know where I could get a howto guide?

Thanks in advance.



Re: Anyone get FreeRadius + CIsco Aironet 1100 AP + Cisco client under WinXP or 2K to work with EAP-TTLS.

2003-09-24 Thread Alan DeKok
Francisco Javier Martinez Martinez [EMAIL PROTECTED] wrote:
 I want to know if it is possible to make work the following scenario:
 AP : Cisco Aironet 1100 or similar
 Client-supplicant: Windows 2K /XP and cisco client.
 EAP: TTLS
 Authentication server: FreeRadius.

  I've used XP with a Cisco 350, and a non-Cisco client.  From what I
recall, the Cisco client doesn't do TTLS, so that would appear to be a
show-stopper.

 If it is possible, has anyone made it work, or know where I could get a howto guide?

  Read the TLS guide, and ignore the discussion about client
certificates.

  Alan DeKok.



Re: EAP/TTLS logging

2003-09-13 Thread Fastbyte
Hi Michael,

that's right. Is there any possibility to do such thing in freeradius?
And the rest of problem  is to see in inner authentication in log file
a real username.


Michael Brown wrote:

This thread from the radiator list may shed some light on the situation:

http://www.open.com.au/archives/radiator/2003-08/msg00084.html

Quoting Fastbyte [EMAIL PROTECTED]:


I use Odyssey client, and the problem is that in log is only anonymous 
user. In freeradius -X -A its possible to see which user is getting 
authe'd but in log files is only anonymous.



Michael Brown


 mikro network solutions  *  http://www.mikro-net.com

--

---
Sergio




EAP/TTLS logging

2003-09-12 Thread Fastbyte
Hi,

is there any logging done in TTLS?

---
Sergio




Re: Configuration questions for FreeRadius with EAP/TTLS and LDAP

2003-09-12 Thread Alan DeKok
Nic Bernstein [EMAIL PROTECTED] wrote:
 I can see from the comments in the radiusd.conf file how to tell the
 radius server where to find which certificate(s) to use for EAP/TLS
 operation, but how does one specify what certificate to use for (the
 initial TLS phase of) the EAP/TTLS operation?

  It uses the TLS certificates, as configured in the TLS module.

 When using LDAP for authentication, passwords are not necessarily in
 clear text.  Am I to understand the above to mean that I must store my
 passwords in LDAP in clear text for EAP to work?

  For EAP-MD5, and EAP-TTLS with tunneled CHAP, MS-CHAP, and EAP-MD5.

 If anyone is successfully using EAP/TTLS, especially in concert with
 LDAP, I would certainly appreciate some configuration examples.

  You shouldn't have to do anything special to get TTLS working with
LDAP.  Get LDAP working, uncomment the TTLS module, and the tunneled
authentication request will use the pre-existing LDAP configuration.

  Alan DeKok.



Re: EAP/TTLS logging

2003-09-12 Thread Alan DeKok
Fastbyte [EMAIL PROTECTED] wrote:
 is there any logging done in TTLS?

  What kind of logging are you looking for?

  Alan DeKok.



Re: EAP/TTLS logging

2003-09-12 Thread Fastbyte
Just the normal auth log of the ttls challenge; i see the tls log in the 
detail auth_log, but nothing of the inner authentication protocol. I 
need username and logintime.

Alan DeKok wrote:

Fastbyte [EMAIL PROTECTED] wrote:

is there any logging done in TTLS?


  What kind of logging are you looking for?

  Alan DeKok.


--

---
Sergio




Re: EAP/TTLS logging

2003-09-12 Thread Alan DeKok
Fastbyte [EMAIL PROTECTED] wrote:
 Just the normal auth log of the ttls challenge; i see the tls log in the 
 detail auth_log, but nothing of the inner authentication protocol. I 
 need username and logintime.

  That should be logged when the tunneled authentication request is
processed.  That request looks like just another request from a
client, so all logging should be done.

  Alan DeKok.



Re: EAP/TTLS logging

2003-09-12 Thread Fastbyte
I use Odyssey client, and the problem is that in log is only anonymous 
user. In freeradius -X -A its possible to see which user is getting 
authe'd but in log files is only anonymous.

Alan DeKok wrote:

Fastbyte [EMAIL PROTECTED] wrote:

Just the normal auth log of the ttls challenge; i see the tls log in the 
detail auth_log, but nothing of the inner authentication protocol. I 
need username and logintime.


  That should be logged when the tunneled authentication request is
processed.  That request looks like just another request from a
client, so all logging should be done.
  Alan DeKok.


--

---
Regards, MfG, Dist.Saluti,
Sergio - Srdjan Vemic, CEO
Chief Executive Office, FutureBrain
[EMAIL PROTECTED]

+-+
| FutureBrain GmbH/Srl,Via Palade 97/u,I-39012 Merano(BZ),Italy   |
| Phone: +390473201457, Fax: +390473201437, Cell.: +393356057014  |
| [EMAIL PROTECTED],   w w w . f u t u r e b r a i n . i t  |
+-+




Re: EAP/TTLS logging

2003-09-12 Thread Fastbyte
Ok the auth request is being logged into the detail log (auth_detail) 
but only with the anonymous user and looks like this:

Packet-Type = Access-Request
Fri Sep 12 17:13:19 2003
User-Name = anonymous
NAS-IP-Address = 192.168.2.220
Called-Station-Id = 0030bd965f14
Calling-Station-Id = 0030bd97d313
NAS-Identifier = 0030bd965f14
NAS-Port = 87
Framed-MTU = 1400
State = 0x5611f831363f85a702c738c261c2b189
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0204003f158000351703010030e56b0eed1cbf43a372f441195e90c01ce5a402b658d408cb5b6b1b014dbbfaadedeae45c779f692579e2764ba522c184
Message-Authenticator = 0x86b281dfbf1024da1a5ccd4e38a34539
Client-IP-Address = 192.168.2.220

The part i see in the radius -X -A looks as follows:

 TTLS: Got tunneled reply RADIUS code 2
Framed-IP-Address = 192.168.2.23
Exec-Program-Wait = my_exec_postauth
Session-Timeout = 1800
EAP-Message = 0x03010004
Message-Authenticator = 0x
User-Name = tobi
  TTLS: Got tunneled Access-Accept
This part in the logs is never appearing, neither in auth_log or in 
detail_log.

Alan DeKok wrote:

Fastbyte [EMAIL PROTECTED] wrote:

I use Odyssey client, and the problem is that in log is only anonymous
user. In freeradius -X -A its possible to see which user is getting
authe'd but in log files is only anonymous.


  WHICH log files are getting WHAT logged?  Can you please be a little
more specific, I'm not a mind reader.  I get the feeling that you're
going out of your way to refuse to provide any useful information in
your messages.
  As I said before, the tunneled authentication request is just
another authentication request for the server.  So any and all
authentication logging done for normal requests is done for the
tunneled requests.
  Alan DeKok.


--

---
Regards, MfG, Dist.Saluti,
Sergio - Srdjan Vemic, CEO
Chief Executive Office, FutureBrain
[EMAIL PROTECTED]

+-+
| FutureBrain GmbH/Srl,Via Palade 97/u,I-39012 Merano(BZ),Italy   |
| Phone: +390473201457, Fax: +390473201437, Cell.: +393356057014  |
| [EMAIL PROTECTED],   w w w . f u t u r e b r a i n . i t  |
+-+




Re: EAP/TTLS logging

2003-09-12 Thread Alan DeKok
Fastbyte [EMAIL PROTECTED] wrote:
 Ok the auth request is being logged into the detail log (auth_detail) 
 but only with the anonymous user and looks like this:
...

  OK...

 The part i see in the radius -X -A looks as follows:
 
   TTLS: Got tunneled reply RADIUS code 2
  Framed-IP-Address = 192.168.2.23
  Exec-Program-Wait = my_exec_postauth
  Session-Timeout = 1800
  EAP-Message = 0x03010004
  Message-Authenticator = 0x
  User-Name = tobi
TTLS: Got tunneled Access-Accept
 
 This part in the logs is never appearing, neither in auth_log nor in
 detail_log.

  Are you sure?  As I've said repeatedly, the tunneled request is just
another request.  So that 'tobi' User-Name should be seen in the
'detail' file, just like in the 'anonymous' user is seen there.

  I don't want to sound stupid, but have you looked for user 'tobi' in
the detail log?

  Alan DeKok.



Re: EAP/TTLS logging

2003-09-12 Thread Fastbyte
Hi Alan,

Sure, I'm sure and I have looked. Should I send the whole file (don't
want to spam the list) maybe you could find it. ;) Sorry but that's the
truth..

Hope that we will find a solution for this glitch...

Alan DeKok wrote:

Fastbyte [EMAIL PROTECTED] wrote:

Ok the auth request is being logged into the detail log (auth_detail)
but only with the anonymous user and looks like this:
...

  OK...


The part I see in the radius -X -A looks as follows:

 TTLS: Got tunneled reply RADIUS code 2
Framed-IP-Address = 192.168.2.23
Exec-Program-Wait = my_exec_postauth
Session-Timeout = 1800
EAP-Message = 0x03010004
Message-Authenticator = 0x
User-Name = tobi
  TTLS: Got tunneled Access-Accept
This part in the logs is never appearing, neither in auth_log nor in
detail_log.


  Are you sure?  As I've said repeatedly, the tunneled request is just
another request.  So that 'tobi' User-Name should be seen in the
'detail' file, just like in the 'anonymous' user is seen there.
  I don't want to sound stupid, but have you looked for user 'tobi' in
the detail log?
  Alan DeKok.


--

---
Regards, MfG, Dist.Saluti,
Sergio - Srdjan Vemic, CEO
Chief Executive Office, FutureBrain
[EMAIL PROTECTED]

+-+
| FutureBrain GmbH/Srl,Via Palade 97/u,I-39012 Merano(BZ),Italy   |
| Phone: +390473201457, Fax: +390473201437, Cell.: +393356057014  |
| [EMAIL PROTECTED],   w w w . f u t u r e b r a i n . i t  |
+-+




Re: EAP/TTLS logging

2003-09-12 Thread Alan DeKok
Fastbyte [EMAIL PROTECTED] wrote:
 Sure, I'm sure and I have looked.

  Then I don't know what the problem is.  I see no reason why the
'detail' module would log the outer request, and not the inner one.

  Part of the issue may be I don't know what you mean when you say
auth_log and detail_log.  There are no such log files distributed
with the server, or configured in the server by default.

  Alan DeKok.



Re: EAP/TTLS logging

2003-09-12 Thread Michael Brown
This thread from the radiator list may shed some light on the situation:

http://www.open.com.au/archives/radiator/2003-08/msg00084.html

Quoting Fastbyte [EMAIL PROTECTED]:

 
 I use Odyssey client, and the problem is that in log is only anonymous 
 user. In freeradius -X -A its possible to see which user is getting 
 authe´d but in log files is only anonymous.
 


Michael Brown



 mikro network solutions  *  http://www.mikro-net.com




Configuration questions for FreeRadius with EAP/TTLS and LDAP

2003-09-11 Thread Nic Bernstein
We are trying to configure freeradius-snapshot-20030911 to use EAP/TTLS
with LDAP (OpenLDAP 2.0.27).  I have a few questions, however.

I can see from the comments in the radiusd.conf file how to tell the
radius server where to find which certificate(s) to use for EAP/TLS
operation, but how does one specify what certificate to use for (the
initial TLS phase of) the EAP/TTLS operation?

Also, the file doc/rlm_eap states:
  The radius server needs a plaintext password so that it can perform
  the same one-way hash to determine that the password is correct.

When using LDAP for authentication, passwords are not necessarily in
clear text.  Am I to understand the above to mean that I must store my
passwords in LDAP in clear text for EAP to work?

If anyone is successfully using EAP/TTLS, especially in concert with
LDAP, I would certainly appreciate some configuration examples.

Thanks in advance,
-nic 
-- 
Nic Bernstein [EMAIL PROTECTED]
Onlight llc.  www.onlight.com
757 North Water Streetv. 414.272.4477
Milwaukee, Wisconsin  53202   f. 414.290.0335




Problem FreeRadius EAP/TTLS and MySQL

2003-09-01 Thread Fastbyte
Hi,

1046 means PW_NO_SUCH_ATTRIBUTE, so imho it means that the value of the
sql field attribute Password is false, but after changing it to
User-Password I get the same error.. what's the right attribute?

radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = 'XXX' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM 
radcheck WHERE Username = 'XXX' ORDER BY id
rlm_sql_mysql: MYSQL check_error: 1046 received
rlm_sql_getvpdata: database query error
rlm_sql (sql): SQL query error; rejecting user
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module sql returns fail
modcall: group authorize returns fail

--
Sergio
FutureBrain




Re: Problem FreeRadius EAP/TTLS and MySQL

2003-09-01 Thread Alan DeKok
Fastbyte [EMAIL PROTECTED] wrote;
 1046 means PW_NO_SUCH_ATTRIBUTE, so imho it means that the value of the
 sql field attribute Password is false, but after changing it to
 User-Password I get the same error.. what's the right attribute?

  That all depends on what you want.

 radcheck WHERE Username = 'XXX' ORDER BY id
 rlm_sql_mysql: MYSQL check_error: 1046 received

  That is a MySQL error, and has nothing to do with FreeRADIUS.  See
what '1046' means to MySQL

  Alan DeKok.



EAP/TTLS problem with EAP/MD5

2003-08-30 Thread Fastbyte
Hi ppl,

I have a problem with implementing EAP/TTLS on freeradius. I have set up
auth in EAP/TTLS to EAP/MD5 and this is my error:

modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate
  rlm_eap: EAP Identity
 rlm_eap: No such EAP type 4
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module eap returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.

Looking at the source I have seen that the problem is in the following lines:

#eap.c

	if ((default_eap_type < PW_EAP_MD5) ||
	    (default_eap_type > PW_EAP_MAX_TYPES) ||
	    (inst->types[default_eap_type] == NULL)) {
		DEBUG2(" rlm_eap: No such EAP type %d",
		       default_eap_type);
		return EAP_INVALID;
	}

Looking at eap.h I have seen that the PW_EAP_MD5 value is 4.

Anyone has some idea?



Sergio,
FutureBrain






 follows freeradius log 
rad_recv: Access-Request packet from host 192.168.2.254:2051, id=0, 
length=193
	User-Name = tobi
	NAS-IP-Address = 192.168.2.254
	Called-Station-Id = 0030bd96618f
	Calling-Station-Id = 0030bd97d2f8
	NAS-Identifier = 0030bd96618f
	NAS-Port = 189
	Framed-MTU = 1400
	State = 0x52c82cce680f4e775d5e00ab17705d2f
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 
0x0204003f158000351703010030d38d75a57f3413419cb84a5afea774b0c58547ba2544163213b71c06082b522a18d5f79ea4d77e85ffc94fe8069de8ff
	Message-Authenticator = 0xfaf781eca6accfb78d59d841524e9f7d
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module chap returns noop
  rlm_eap: EAP packet type response id 4 length 63
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated
rlm_realm: No '@' in User-Name = tobi, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop
users: Matched DEFAULT at 152
users: Matched tobi at 215
  modcall[authorize]: module files returns ok
  modcall[authorize]: module mschap returns noop
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP_TYPE - ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  eaptls_process returned 7
  rlm_eap_ttls: Session established.  Proceeding to decode tunneled 
attributes.

  TTLS: Got tunneled request
EAP-Message = 0x020901746f6269
Freeradius-Proxied-To = 127.0.0.1
  TTLS: Got tunneled identity of tobi
  TTLS: Setting default EAP type for tunneled EAP session.
  TTLS: Sending tunneled request
EAP-Message = 0x020901746f6269
Freeradius-Proxied-To = 127.0.0.1
User-Name = tobi
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module chap returns noop
  rlm_eap: EAP packet type response id 0 length 9
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated
rlm_realm: No '@' in User-Name = tobi, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop
users: Matched DEFAULT at 152
users: Matched tobi at 215
  modcall[authorize]: module files returns ok
  modcall[authorize]: module mschap returns noop
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate
  rlm_eap: EAP Identity
 rlm_eap: No such EAP type 4
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module eap returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
  TTLS: Got tunneled reply RADIUS code 3
EAP-Message = 0x0404
Message-Authenticator = 0x
  TTLS: Rejecting tunneled user
 rlm_eap: Handler failed in EAP type 21
  TTLS: Freeing handler for user tobi
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module eap returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request
rl_next:  returning NULL
Waking up in 6 seconds...


--





Re: EAP/TTLS problem with EAP/MD5

2003-08-30 Thread Alan DeKok
Fastbyte [EMAIL PROTECTED] wrote:
 I have a problem with implementing EAP/TTLS on freeradius. I have set up
 auth in EAP/TTLS to EAP/MD5 and this is my error:
...
   rlm_eap: No such EAP type 4

  It looks like you don't have the 'md5' sub-module configured inside
of the 'eap' module.  Either you've deleted it, or you've re-ordered
the list of sub-modules.

 Looking at the source I have seen that the problem is in the following lines:
 
 #eap.c
 
   if ((default_eap_type < PW_EAP_MD5) ||
   (default_eap_type > PW_EAP_MAX_TYPES) ||
   (inst->types[default_eap_type] == NULL)) {
...
 Looking at eap.h I have seen that the PW_EAP_MD5 value is 4.

  Well.. The value of PW_EAP_MD5 is NOT less than PW_EAP_MD5, and it's
not MORE than the value of PW_EAP_MAX_TYPES, so by the process of
elimination, it means that the last test is the one which is failing.

  Include a configuration entry for 'md5', just like the default
'radiusd.conf'.  List 'ttls' after 'md5', just like the default
'radiusd.conf'

  Alan DeKok.



Re: EAP/TTLS on FreeRadius

2003-08-28 Thread Ping Zhou
I'm working on it.

From: Fastbyte [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: EAP/TTLS on FreeRadius
Date: Wed, 27 Aug 2003 22:14:24 +0200
Is anyone already working on EAP/TTLS for FreeRadius?

Sergio





Re: EAP/TTLS on FreeRadius

2003-08-28 Thread Fastbyte
When will it be ready for alpha or beta test?

Ping Zhou wrote:

I'm working on it.

From: Fastbyte [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: EAP/TTLS on FreeRadius
Date: Wed, 27 Aug 2003 22:14:24 +0200
Is anyone already working on EAP/TTLS for FreeRadius?

Sergio




--
Best regards,
Sergio Srdjan Vemic
Chief Executive Officer - CEO
+
| FutureBrain GmbH/Srl
| Via Palade 101 A/B, I-39012 Merano (BZ)
| Tel.+390473201457 Fax.+390473201437
+




WORKING: EAP-TTLS on FreeRadius

2003-08-28 Thread Alan DeKok
Fastbyte [EMAIL PROTECTED] wrote:
 Is anyone already working on EAP/TTLS for FreeRadius?

  I'm happy to announce that EAP-TTLS support has just been added to
FreeRADIUS.  This functionality will NOT be in 0.9.1, but it will be
in the latest CVS snapshots, as of Friday morning.

  People using anonymous CVS can get the module now, via:

cvs update -d src/modules/rlm_eap/types/rlm_eap_ttls
cvs update raddb/radiusd.conf.in

  The module has been tested with tunneled PAP, CHAP, MS-CHAP, and
EAP-MD5.  Wireless clients which are known to work are Funk, Aegis,
and others whose names I forget.  Xsupplicant has not been tested.

  If you have any questions or comments, please post them here.

  Alan DeKok.



EAP/TTLS on FreeRadius

2003-08-27 Thread Fastbyte
Is anyone already working on EAP/TTLS for FreeRadius?

Sergio





EAP-TTLS and EAP-PEAP support

2003-08-14 Thread Janko Kersnik
Hello,

do you have any information, when will you support 
EAP-TTLS and EAP-PEAP. As it can be seen from 
developers mailing list you are doing something on it.

Best regards,

Janko Kersnik
ARNES




Re: EAP-TTLS and EAP-PEAP support

2003-08-14 Thread Alan DeKok
Janko Kersnik [EMAIL PROTECTED] wrote:
 do you have any information, when will you support 
 EAP-TTLS and EAP-PEAP. As it can be seen from 
 developers mailing list you are doing something on it.

  Lots of people have said they're working on TTLS & PEAP.  So far, no
one has submitted patches.

  Alan DeKok.





Re: PEAP // EAP-TTLS Support

2003-07-04 Thread Alan DeKok
Ted Ma [EMAIL PROTECTED] wrote:
   We are currently porting FreeRadius to uClinux. From the lists (devel and
 user) I see that a couple of people have started on the implementation of
 both PEAP and EAP/TTLS. We can add bodies for both development and testing
 to the group(s).

  Sounds good to me.

   Has any code / architecture for the modification to the upper layer (so tls
 can be shared) been done? I'm just trying to get a sense of how far along
 the projects have gotten.

  People have talked about it, but so far no one has posted patches
for anything.

   From the lists, I can't tell if there is a coordinated plan for the new 
 protocol support.

  There isn't.

   BTW our company has previously funded other Open source projects, so if we 
 can help accelerate the effort, let us know.

  That may help speed things up.  I'd like to see PEAP and TTLS in
before the 1.0 release, if at all possible.

 Alan,
   I wasn't sure if I should have posted to the devel list or the user list. 
 If you think that it should go to the devel list, I will post there as 
 well.

  Further messages should go to -devel.

  Alan DeKok.



PEAP // EAP-TTLS Support

2003-07-03 Thread Ted Ma
Hi,
	We are currently porting FreeRadius to uClinux. From the lists (devel and
user) I see that a couple of people have started on the implementation of
both PEAP and EAP/TTLS. We can add bodies for both development and testing
to the group(s).

	Has any code / architecture for the modification to the upper layer (so tls
can be shared) been done? I'm just trying to get a sense of how far along
the projects have gotten.

	From the lists, I can't tell if there is a coordinated plan for the new 
protocol support.

	BTW our company has previously funded other Open source projects, so if we 
can help accelerate the effort, let us know.

Alan,
	I wasn't sure if I should have posted to the devel list or the user list. 
If you think that it should go to the devel list, I will post there as 
well.

		...MaTed

--
Ted Ma
Arcturus Networks Inc.
100-116 Spadina Ave.
416-621-0125 x206
Toronto, Ontario




Re: EAP-PEAP [Was RE: EAP-TTLS]

2003-06-21 Thread Alan DeKok
Mayank Upadhyay [EMAIL PROTECTED] wrote:
 On a related note, is anyone considering writing an EAP-PEAP module?

  Have you tried looking through the list archives for the past week?

 PEAP is essentially MS-CHAPv2 tunneled inside of EAP-TLS.

  It was.  It's not any longer.  It's EAP inside of EAP-TLS

  Alan DeKok.



Re: EAP-TTLS

2003-06-20 Thread Nirmala Bulusu
Hi,

I have been working with xsupplicant and free radius on redhat 8.2

I could successfully set-up the eap-tls config.

Now I want to test EAP-TTLS protocol on free radius using xsupplicant
as the client software. The latest version of Xsupplicant has the
EAP-TTLS protocol.
However the current freeradius cvs version I am working on doesn't
seem to support the TTLS protocol. Want to know if any one is working
on the free radius code right now
for implementing EAP-TTLS. And if it in the future will support it. 
Would greatly help if anyone could give suggestions regarding the 
server side code for EAP-TTLS.

Thanks and Regards
BN
 
  
  



EAP-PEAP [Was RE: EAP-TTLS]

2003-06-20 Thread Mayank Upadhyay
On a related note, is anyone considering writing an EAP-PEAP module?
PEAP is essentially MS-CHAPv2 tunneled inside of EAP-TLS. Conceptually,
it's similar to HTTPS on the web where the server is authenticated using
its certificate, and the user with a password.

Windows XP and most RADIUS vendors support PEAP.

-Mayank

-Original Message-


Message: 7
From: Nirmala Bulusu [EMAIL PROTECTED]
Subject: Re: EAP-TTLS
To: [EMAIL PROTECTED]
Date: Fri, 20 Jun 2003 15:01:00 -0600
Reply-To: [EMAIL PROTECTED]

Hi,

I have been working with xsupplicant and free radius on redhat 8.2

I could successfully set-up the eap-tls config.

Now I want to test EAP-TTLS protocol on free radius using xsupplicant
as the client software. The latest version of Xsupplicant has the
EAP-TTLS protocol.
However the current freeradius cvs version I am working on doesn't
seem to support the TTLS protocol. Want to know if any one is working
on the free radius code right now
for implementing EAP-TTLS. And if it in the future will support it. 
Would greatly help if anyone could give suggestions regarding the 
server side code for EAP-TTLS.

Thanks and Regards
BN
  



EAP/TTLS authentication

2003-06-19 Thread Skull
Hi all,
i'm searching for a way to authenticate some wireless users via TTLS 
(for this is the only auth method allowed by these particular supplicants).
Looking thru freeradius i'm not able to find out anything about it.
Can anyone confirm about that?
In this case, what I could use for this task?
This must run on a linux RH 7.3, and the number of clients it has to 
manage does not justify the acquisition of a licenced server like aegis.
So, something not free could be considered, but it must not cost too 
much... ;-)

Thanks...

--
Emanuele Balla  aka Skull -  Public Key #661E5CBF on www.keyserver.com
+--+
And 1.1.81 is officially BugFree(tm), so if you receive any bug-reports
on it, you know they are just evil lies. (By Linus Torvalds)


Re: Re: EAP-TTLS

2003-05-30 Thread
Alan DeKok,

Thanks Alan.

Jeson
[EMAIL PROTECTED]
2003-05-30

=== 2003-05-29 09:02:00 ===

=?GB2312?Q?=CD=F5=D6=BE=D0=C0?= [EMAIL PROTECTED] wrote:
 Does FreeRADIUS support EAP-TTLS and PEAP?

  It's not in the list of features on the web site, so my guess would
be no.

  Alan DeKok.



EAP-TTLS

2003-05-29 Thread
Dear All,


Does FreeRADIUS support EAP-TTLS and PEAP?

Thanks in advance.

  Jeson
[EMAIL PROTECTED]
2003-05-29





Re: EAP-TTLS

2003-05-29 Thread Alan DeKok
=?GB2312?Q?=CD=F5=D6=BE=D0=C0?= [EMAIL PROTECTED] wrote:
 Does FreeRADIUS support EAP-TTLS and PEAP?

  It's not in the list of features on the web site, so my guess would
be no.

  Alan DeKok.



EAP TTLS Support

2003-03-25 Thread Bret Jordan
Just wondering if TTLS support is on the road map for freeradius or if 
anyone is working on this...

Thanks
Bret
--
~~~
Bret Jordan   Dean's Office
Computer Administrator   College of Engineering
801.585.3765 University of Utah
[EMAIL PROTECTED]
~~~


EAP-TTLS

2003-01-14 Thread Daniele Brevi
Hi at all,

I have a question. Someone is working to develop the EAP-TTLS support for Freeradius?

Thanks

Daniele Brevi






Re: EAP/Password File problems - EAP-TTLS - Tru64

2002-01-14 Thread Chuck Phillips



--On Wednesday, January 02, 2002 2:42 PM -0500 [EMAIL PROTECTED] wrote:

 Brandon Saunders [EMAIL PROTECTED] wrote:
 I am testing my wireless access point against a test freeradius server
 compiled with the EAP module.  I am using the UNIX user files as the
 authentication source.  When a client tries to authenticate, the access
 point sends the EAP message encapsulated in RADIUS.

   Right now, the server only supports EAP-MD5.

   You'll have to do PAP authentication to authenticate against
 /etc/passwd.

   If you're using the radius 'users' file, then EAP-MD5 should work.


Could you elaborate on this so that even I can understand? Are you saying
I can use /etc/passwd if I have the users file set up right? Or are you
saying that I have to add each user to the users file individually?


In my Users file I have this:

DEFAULT  Auth-Type := EAP


Here is the debugging output from radiusd:


rad_recv: Access-Request packet from host 129.24.17.184:1338, id=128, length=121
User-Name = chuckp
NAS-IP-Address = cirt-0045.unm.edu
Called-Station-Id = 0040963204c3
Calling-Station-Id = 004096355da6
NAS-Identifier = cirttest
NAS-Port = 29
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = \002%\000\013\001chuckp
Message-Authenticator = 0xf5c85910439187275e1b45b3f892fbb2
modcall: entering group authorize
  modcall[authorize]: module eap returns updated
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module suffix returns ok
users: Matched DEFAULT at 1
  modcall[authorize]: module files returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate
rlm_eap: Invalid user, authentication failed
  modcall[authenticate]: module eap returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Login incorrect: [chuckp] (from nas wless port 29 cli 004096355da6)
Sending Access-Reject of id 128 to 129.24.17.185:1338




chuck
[EMAIL PROTECTED]





Re: EAP/Password File problems - EAP-TTLS - Tru64

2002-01-14 Thread aland

Chuck Phillips [EMAIL PROTECTED] wrote:
If you're using the radius 'users' file, then EAP-MD5 should work.
 
 Could you elaborate on this so that even I can understand? Are you saying
 I can use /etc/passwd if I have the users file set up right?

  No.  You need to supply a plain-text password.

 Or are you saying that I have to add each user to the users file
 individually?

  For now, yes.

 In my Users file I have this:
 
 DEFAULT  Auth-Type := EAP

  And where, exactly is the password that is used for each user to
authenticate?

  You need to supply a plain-text password.

  Alan DeKok.
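
The plain-text password requirement stated above (and in the doc/rlm_eap passage quoted in the 2003-09-11 message) follows from how an EAP-MD5 response is checked. The sketch below is an added example, not code from this thread or from FreeRADIUS; the function names, the sample password, and the {SSHA}-style stored hash standing in for a directory or password-file entry are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os


def eap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side of EAP-MD5: MD5(Identifier || secret || challenge), as in CHAP."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def eap_md5_verify(identifier: int, secret: bytes, challenge: bytes,
                   response: bytes) -> bool:
    """Server side: recompute the digest from what the server has stored.

    The password never crosses the wire, so the server can only redo the
    same MD5 if `secret` is the password itself.
    """
    expected = eap_md5_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def ssha_hash(password: bytes, salt: bytes) -> str:
    """Salted SHA-1 in the {SSHA} layout: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: bytes) -> bool:
    """PAP-style check: the server receives the password and re-hashes it."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digests are 20 bytes
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def demo() -> dict:
    password = b"example-password"             # constructed sample value
    stored_hash = ssha_hash(password, os.urandom(8))

    # One EAP-MD5 round: the server issues a challenge, the peer answers.
    identifier = 9
    challenge = os.urandom(16)
    response = eap_md5_response(identifier, password, challenge)

    return {
        # Server holds the plain-text password: the digests match.
        "md5_with_plaintext": eap_md5_verify(identifier, password,
                                             challenge, response),
        # Server holds only a one-way hash: it cannot recompute the digest.
        "md5_with_hash_only": eap_md5_verify(identifier, stored_hash.encode(),
                                             challenge, response),
        # PAP (for example inside the TTLS tunnel) hands the server the
        # password, so a hashed store is enough.
        "pap_with_hash_only": ssha_verify(stored_hash, password),
        "pap_wrong_password": ssha_verify(stored_hash, b"not-the-password"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```
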




Re: EAP/Password File problems - EAP-TTLS - Tru64

2002-01-14 Thread Yuan Yuan


Now I am working on EAP/TLS integration with Freeradius. Would you please
tell me whether Freeradius supports EAP/TLS?

where can I download the EAP/TLS module? please give me some advice on this.
I really need this information! thanks very much!

On Monday 14 January 2002 12:00 pm, you wrote:
 --On Wednesday, January 02, 2002 2:42 PM -0500 [EMAIL PROTECTED] 
wrote:
  Brandon Saunders [EMAIL PROTECTED] wrote:
  I am testing my wireless access point against a test freeradius server
  compiled with the EAP module.  I am using the UNIX user files as the
  authentication source.  When a client tries to authenticate, the access
  point sends the EAP message encapsulated in RADIUS.
 
Right now, the server only supports EAP-MD5.
 
You'll have to do PAP authentication to authenticate against
  /etc/passwd.
 
If you're using the radius 'users' file, then EAP-MD5 should work.

 Could you elaborate on this so that even I can understand? Are you saying
 I can use /etc/passwd if I have the users file set up right? Or are you
 saying that I have to add each user to the users file individually?


 In my Users file I have this:

 DEFAULT  Auth-Type := EAP


 Here is the debugging output from radiusd:


 rad_recv: Access-Request packet from host 129.24.17.184:1338, id=128,
 length=121 User-Name = chuckp
 NAS-IP-Address = cirt-0045.unm.edu
 Called-Station-Id = 0040963204c3
 Calling-Station-Id = 004096355da6
 NAS-Identifier = cirttest
 NAS-Port = 29
 Framed-MTU = 1400
 NAS-Port-Type = Wireless-802.11
 EAP-Message = \002%\000\013\001chuckp
 Message-Authenticator = 0xf5c85910439187275e1b45b3f892fbb2
 modcall: entering group authorize
   modcall[authorize]: module eap returns updated
   modcall[authorize]: module preprocess returns ok
   modcall[authorize]: module suffix returns ok
 users: Matched DEFAULT at 1
   modcall[authorize]: module files returns ok
 modcall: group authorize returns updated
   rad_check_password:  Found Auth-Type EAP
 auth: type EAP
 modcall: entering group authenticate
 rlm_eap: Invalid user, authentication failed
   modcall[authenticate]: module eap returns invalid
 modcall: group authenticate returns invalid
 auth: Failed to validate the user.
 Login incorrect: [chuckp] (from nas wless port 29 cli 004096355da6)
 Sending Access-Reject of id 128 to 129.24.17.185:1338




 chuck
 [EMAIL PROTECTED]





Re: EAP/Password File problems - EAP-TTLS - Tru64

2002-01-14 Thread aland

Yuan Yuan [EMAIL PROTECTED] wrote:
 Now I am working on EAP/TLS integration with Freeradius. Would you please
 tell me whether Freeradius supports EAP/TLS?

  No, it doesn't.  Sorry.

  As always, patches are welcome.

  Alan DeKok.




Re: EAP/Password File problems - EAP-TTLS - Tru64

2002-01-14 Thread Yuan Yuan


but Freeradius does support EAP, and can be compiled with EAP module, right?


On Monday 14 January 2002 02:11 pm, you wrote:
 Yuan Yuan [EMAIL PROTECTED] wrote:
  Now I am working on EAP/TLS integration with Freeradius. Would you
  please tell me whether Freeradius supports EAP/TLS?

   No, it doesn't.  Sorry.

   As always, patches are welcome.

   Alan DeKok.




Re: EAP/Password File problems - EAP-TTLS - Tru64

2002-01-14 Thread Yuan Yuan

oh, Thanks

would you please tell where can I find the EAP-MD5 module? 

On Monday 14 January 2002 02:24 pm, you wrote:
 Yuan Yuan [EMAIL PROTECTED] wrote:
  but Freeradius does support EAP, and can be compiled with EAP module,
  right?

   Yes.  But right now, it only supports EAP-MD5.

   Alan DeKok.




RE: EAP/Password File problems - EAP-TTLS - Tru64

2002-01-14 Thread


 I am a newcomer to this mailing list.
 I am studying radius authentication methods, and want to know where
can I find the EAP-MD5 module.
 Now I hope that I can test the above module.
 Please let me know.

-Original Message-
From: [EMAIL PROTECTED] [mailto:freeradius-users-
[EMAIL PROTECTED]]On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, January 15, 2002 4:36 AM
To: [EMAIL PROTECTED]
Subject: Re: EAP/Password File problems - EAP-TTLS - Tru64 


Yuan Yuan [EMAIL PROTECTED] wrote:
 would you please tell where can I find the EAP-MD5 module? 

  Look in the tar file.

  Alan DeKok.



Re: EAP/Password File problems - EAP-TTLS - Tru64

2002-01-02 Thread aland

Brandon Saunders [EMAIL PROTECTED] wrote:
 I am testing my wireless access point against a test freeradius server 
 compiled with the EAP module.  I am using the UNIX user files as the
 authentication source.  When a client tries to authenticate, the access 
 point sends the EAP message encapsulated in RADIUS.

  Right now, the server only supports EAP-MD5.

  You'll have to do PAP authentication to authenticate against
/etc/passwd.

  If you're using the radius 'users' file, then EAP-MD5 should work.

  The RADIUS server 
 should then do a challenge and respond, but nothing is sent back but an
 access reject.  Upon looking at the log files, it appears that the server 
 is trying to do the authentication without the password.  I get log lines 
 that look like:
 
 Fri Dec 28 10:51:51 2001 : Auth: Login incorrect: [test/no Password 
 attribute] (from nas HDLwireless port 29 cli 004096501888)

  You haven't configured it to use EAP for authentication.

  Configuring EAP in 'radiusd.conf' *allows* the server to use EAP,
but it does not tell the server which requests get authenticated via
EAP, and which do not.
 
 Anyone have any ideas why the challenge and respond is getting sent back?
 I know EAP support is still in development, could this be a bug?
 Do I have something setup wrong?  I will send out my configuration file if 
 anyone thinks it will be of help.

  Search the list archives for a message on getting EAP working.
 
 I am currently just working with EAP-MD5.  Has anyone considered 
 implementing EAP-TTLS?

  It's a lot of work.

 I am also interested in running freeradius on Alpha/Tru64.  I appears to 
 compile OK, but I am having some linking problems.

  Then do:

./configure --disable-shared

  Alan DeKok.
