Re: Problems with proxy if TTLS is used

2003-10-09 Thread Alan DeKok
"Roman Janos" <[EMAIL PROTECTED]> wrote:
> Actually the question is other. Are there any plans to implement (or
> it is already implemented?) proxying functionality for EAP-TTLS
> tunneled authentication method (e.g. EAP-MD5,PAP,…) ?

  No.

> If not the TTLS implementation makes no sense.

  I disagree.

  If you care so much, then submit a patch to implement it.  If you're
not willing to submit a patch, or to pay someone else to write a
patch, then I guess you'll just have to wait for a patch.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Problems with proxy if TTLS is used

2003-10-09 Thread Roman Janos
Actually the question is other. Are there any plans to implement (or it is
already implemented?) proxying functionality for EAP-TTLS tunneled
authentication method (e.g. EAP-MD5,PAP,…) ?

If not the TTLS implementation makes no sense. I speak about the bindings
between the old authentication methods that can be deployed on whatever
legacy RADIUS server and use of FREERADIUS as a proxy to take advantage
of security in shared media environments.

Please comment.

Regards

Roman

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] on behalf of Alan DeKok
> Sent: 8 October 2003 19:06
> To: [EMAIL PROTECTED]
> Subject: Re: Problems with proxy if TTLS is used
>
>
> fastbyte <[EMAIL PROTECTED]> wrote:
> > Are there any plans to implement proxying for EAP/TTLS in near future?
>
>   No.
>
>   Alan DeKok.




Re: Problems with proxy if TTLS is used

2003-10-08 Thread Alan DeKok
fastbyte <[EMAIL PROTECTED]> wrote:
> Are there any plans to implement proxying for EAP/TTLS in near future?

  No.

  Alan DeKok.



Re: Problems with proxy if TTLS is used

2003-10-07 Thread fastbyte
Hello,

Are there any plans to implement proxying for EAP/TTLS in near future?

Sergio

Alan DeKok wrote:

> "Roman Janos" <[EMAIL PROTECTED]> wrote:
> > I try to make TTLS authentication. This is gone with PAP/EAP-MD5 in tunneled
> > mode but only if the PAP/EAP-MD5 credentials
> > were on the same machine.
> > If I try to put the user credentials on other freeradius server and try to
> > make proxying it doesn't go any more.
>
>   The tunneled authentication request cannot currently be proxied to
> another server.
>
>   Alan DeKok.



Re: Problems with proxy if TTLS is used

2003-10-07 Thread Alan DeKok
"Roman Janos" <[EMAIL PROTECTED]> wrote:
> I try to make TTLS authentication. This is gone with PAP/EAP-MD5 in tunneled
> mode but only if the PAP/EAP-MD5 credentials
> were on the same machine.
> 
> If I try to put the user credentials on other freeradius server and try to
> make proxying it doesn't go any more.

  The tunneled authentication request cannot currently be proxied to
another server.

  Alan DeKok.



Problems with proxy if TTLS is used

2003-10-07 Thread Roman Janos
Hi all,

I use freeradius-snapshot-20031003 version of FREERADIUS for testing
EAP-TTLS with it.
I try to make TTLS authentication. This is gone with PAP/EAP-MD5 in tunneled
mode but only if the PAP/EAP-MD5 credentials
were on the same machine.

If I try to put the user credentials on other freeradius server and try to
make proxying it doesn't go any more.
There seems to be a problem with proxying because no proxy request is sent to
other radius server.

Below is useful listing (end part with error and proxy setting). On other
second RADIUS server is TTLS radius server configured as client.

Please help.

--
rad_recv: Access-Request packet from host 10.0.0.173:1645, id=44, length=237
User-Name = "anonymous"
Framed-MTU = 1400
Called-Station-Id = "0007.85b3.63ac"
Calling-Station-Id = "000b.5f63.c145"
Message-Authenticator = 0xcf583fe883a5aa08b4aeadbd25ba0764
EAP-Message =
0x020600571580004d1703010048a022a4a5787533a644314a6f27a481deea37b5269793
31f24828f73e5b0791d0a73115ba87baee9ba7011c1f3ea98a14e497e6961991099590a610e9
78f1b72f68ee7f9034d820ce
NAS-Port-Type = Virtual
NAS-Port = 497
State = 0xd6c081b0b2fbf275d73554a94fbab8e9
NAS-IP-Address = 10.0.0.173
NAS-Identifier = "System_room_5510_AP1200"
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  modcall[authorize]: module "chap" returns noop for request 5
  rlm_eap: EAP packet type response id 6 length 87
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 5
rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 5
  modcall[authorize]: module "mschap" returns noop for request 5
modcall: group authorize returns updated for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 5
  rlm_eap: Request found, released from the list
  rlm_eap: EAP_TYPE - ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  eaptls_process returned 7
  rlm_eap_ttls: Session established.  Proceeding to decode tunneled
attributes.
  TTLS: Got tunneled request
User-Name = "[EMAIL PROTECTED]"
User-Password = "kasslatter"
Freeradius-Proxied-To = 127.0.0.1
  TTLS: Sending tunneled request
User-Name = "[EMAIL PROTECTED]"
User-Password = "kasslatter"
Freeradius-Proxied-To = 127.0.0.1
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  modcall[authorize]: module "chap" returns noop for request 5
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 5
rlm_realm: Looking up realm "servprov.com" for User-Name =
"[EMAIL PROTECTED]"
rlm_realm: Found realm "servprov.com"
rlm_realm: Adding Stripped-User-Name = "fritz"
rlm_realm: Proxying request from user fritz to realm servprov.com
rlm_realm: Adding Realm = "servprov.com"
rlm_realm: Preparing to proxy authentication request to realm
"servprov.com"
  modcall[authorize]: module "suffix" returns updated for request 5
  modcall[authorize]: module "mschap" returns noop for request 5
modcall: group authorize returns updated for request 5
  TTLS: Got tunneled reply RADIUS code 0
  TTLS: Rejecting tunneled user
 rlm_eap: Handler failed in EAP type 21
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 5
modcall: group authenticate returns invalid for request 5
auth: Failed to validate the user.
Delaying request 5 for 1 seconds
Finished request 5
Going to the next request



proxy.conf:

realm servprov.com {
        type     = radius
        authhost = 10.0.0.20:1812
        accthost = 10.0.0.20:1813
        secret   = radius_proxy
        strip
}

--

regards

Roman


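
The failure pattern in the debug output posted in this thread, as an added example that is not part of the original messages or of FreeRADIUS itself: the inner (tunneled) request is picked up by rlm_realm for proxying, and the TTLS module then reports "tunneled reply RADIUS code 0" and rejects the user. The function name, the finding format and the sample text below are assumptions made for this illustration; the matched strings are the ones visible in the posted log.

```python
import re

# Constructed sample modelled on the debug lines in the post (trimmed; the
# realm line is wrapped the way the mail client wrapped it).
SAMPLE = """\
  rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
  TTLS: Got tunneled request
  TTLS: Sending tunneled request
rlm_realm: Found realm "servprov.com"
rlm_realm: Preparing to proxy authentication request to realm
"servprov.com"
  TTLS: Got tunneled reply RADIUS code 0
  TTLS: Rejecting tunneled user
Finished request 5
"""

# One alternation so events are seen in log order; \s+ tolerates line wraps.
EVENT = re.compile(
    r'(?P<start>TTLS: Sending tunneled request)'
    r'|rlm_realm: Preparing to proxy authentication request to realm\s+"(?P<realm>[^"]+)"'
    r'|TTLS: Got tunneled reply RADIUS code (?P<code>\d+)'
    r'|(?P<end>Finished request \d+)'
)

def find_unproxied_inner_requests(log_text):
    """Return inner (tunneled) requests that were marked for proxying to a
    realm and then came back with reply code 0, as in the posted log."""
    findings = []
    in_tunnel, realm = False, None
    for m in EVENT.finditer(log_text):
        if m.group("start"):
            in_tunnel, realm = True, None        # inner request begins
        elif m.group("realm"):
            if in_tunnel:
                realm = m.group("realm")         # realm module chose to proxy it
        elif m.group("code") is not None:
            if in_tunnel and realm and m.group("code") == "0":
                line = log_text.count("\n", 0, m.start()) + 1
                findings.append({"realm": realm, "line": line})
            in_tunnel, realm = False, None       # inner request is over
        elif m.group("end"):
            in_tunnel, realm = False, None
    return findings

if __name__ == "__main__":
    for f in find_unproxied_inner_requests(SAMPLE):
        print(f"line {f['line']}: inner request for realm {f['realm']!r} "
              "was set to proxy but came back with reply code 0")
```

A realm match outside a tunneled request, or a tunneled reply with a non-zero code, is not reported.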