Re: eap-md5 using cisco

2003-10-13 Thread Raj Jadhav
You don't need to add anything in radiusd.conf, because it will take
port information from /etc/services; it is clearly mentioned in the
radiusd.conf file.
It seems you are using md5 challenge from XP for authentication; take
care that you are using md5 as default eap. Do not enable tls, it is
tedious and tricky.
Test your radius configuration locally by radtest first.

sankpal_manisha wrote:

i am trying to authenticate winxp using cisco 1200 series ap and 
freeradius.

i am able to trace out that eap-request and eap-response messages are 
sent between winxp machine and cisco ap.

and radius -s -d output is as follows:

length=132
> User-Name ="test"
> NAS-IP-Address = 192.x.x.x
> Called-Station-Id = "00-20-a6-48-22-f7"
> Calling-Station-Id = "00-20-a6-4c-a9-a5"
> NAS-Identifier = "CTI-AP-2000"
> Framed-MTU = 1400
> NAS-Port-Type =Wireless-802.11
> EAP-Message = 0x0202000d0168656c706465736b
> Message-Authenticator = 0x66e088c10d28c82a8f08b1b283dca42f
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
>   modcall[authorize]: module "attr_filter" returns noop
>   rlm_eap: EAP packet type notification id 2 length 13
>   rlm_eap: EAP Start not found
>   modcall[authorize]: module "eap" returns updated
> rlm_realm: No '@' in User-Name = "helpdesk", looking up realm NULL
>   rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop
> users: Matched DEFAULT at 152
>   modcall[authorize]: module "files" returns ok
> modcall: group authorize returns updated
>   rad_check_password:  Found Auth-Type Eap
> auth: type "EAP"
> modcall: entering group authenticate
>   rlm_eap: EAP packet type notification id 2 length 13
>   rlm_eap: EAP Start not found
>   rlm_eap: EAP Identity
>   rlm_eap: processing type tls
>   modcall[authenticate]: module "eap" returns ok
> modcall: group authenticate returns ok
> Sending Access-Challenge of id 110 to 192.x.x.x:1158
> EAP-Message = 0x010300060d20
> Message-Authenticator = 0x
> State = 0x3913e3477fcb9f86ced7207700dfc54c9040313f49dfb963be36bd7adf9af0035595fce8
> Finished request 0
> Going to the next request

my users file contains;

test Auth-Type:=EAP User-Password="test"

 

also in radiusd.conf i have specified bind_addr=192.x.x.x and port=1812 .

in clients.conf file i specified cisco ap's address and shared
secret. Also i have made changes to cisco ap to support freeradius.

so, where should be problem?

i have searched mailing list but i cannot find answer.

thanks in advance

sorry for so long mail.




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: eap-md5 using cisco

2003-10-10 Thread Alan DeKok
"sankpal_manisha" <[EMAIL PROTECTED]> wrote:
> i am trying to authenticate winxp using cisco 1200 series ap and freeradius.
...
>rlm_eap: processing type tls

  It doesn't look to me like it's doing EAP-MD5.

  Alan DeKok.



Re: EAP/MD5 question

2003-09-10 Thread Ronald Jochems
Hi Arthur,

It is that simple!
Thank you for pointing me in the right direction.
I set the WEP keys manually in the AP, next to the Radius config. At the
moment only 64 bits.
My Windows XP is without SP1, so for the moment it is working, although I
want to move to EAP/TLS.

- Original Message -
From: "Artur Hecker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 10, 2003 12:36 PM
Subject: Re: EAP/MD5 question


> hi
>
>
> > I would like some help configuring my Freeradius.
> > I just started with Freeradius and i am not that familiar with
> > wireless/certificates so i thought to start with EAP/MD5 isof EAP/TLS.
>
> your EAP/MD5 is working but check www.freeradius.org/doc/EAP-MD5.html
>
>
> > At this moment it looks like i can authenticate with my WinXP wireless
> > client with Radius.
>
> not on wireless if your WinXP is SP1 (or later)...
>
>
> > After this first step, i believe WEP keys need to be negotiated, but i
> > think i have that part missing/wrong.
>
> no, no WEP keys are EVER negotiated in EAP/MD5. sorry, you have to set
> those manually - the same in the AP and the STA.
>
>
> > My AP is configurable for 64 / 128 / 256 keys in combination with Radius.
> > Also no ip address is provided, which normally is dhcp. I guess this only
> > starts after WEP is enabled correctly.
>
> that's correct. and it doesn't work if something is wrong. 256 bit keys
> are not standard. your card should be from the same vendor then.
>
>
> > I tried several options from the documentation / newsgroup but i could
> > not find a satisfactory answer. Most use EAP/TLS.
>
> because of dynamic WEP keys which are possible with EAP/TLS
>
>
> > Log from  Dlink950+ :
> > Sep 10 08:52:23 accesspoint Wireless PC connected   00-06-25-A8-1A-41^M
> > Sep 10 08:52:23 accesspoint EAP-Request/Identity   ^M
> > Sep 10 08:52:27 accesspoint EAP-Request/Identity   ^M
> > Sep 10 08:52:28 accesspoint EAP-Response/Identity   test^M
> > Sep 10 08:52:28 accesspoint EAP-Success   00-06-25-A8-1A-41^M
> > Sep 10 08:52:28 accesspoint Authentication success   00-06-25-A8-1A-41^M
>
> your EAP/MD5 is working.
>
>
> > Sending Access-Accept of id 6 to 192.168.1.50:1208
> > Service-Type = Framed-User
> > Framed-IP-Address = 192.168.1.60
> > EAP-Message = 0x03020004
> > Message-Authenticator = 0x
> > Finished request 1
>
> idem.
>
>
> -> set the WEP keys
>
>
>
> ciao
> artur
>
>
>




Re: EAP/MD5 question

2003-09-10 Thread Artur Hecker
hi


> I would like some help configuring my Freeradius.
> I just started with Freeradius and i am not that familiar with
> wireless/certificates so i thought to start with EAP/MD5 isof EAP/TLS.

your EAP/MD5 is working but check www.freeradius.org/doc/EAP-MD5.html


> At this moment it looks like i can authenticate with my WinXP wireless
> client with Radius.

not on wireless if your WinXP is SP1 (or later)...


> After this first step, i believe WEP keys need to be negotiated, but i
> think i have that part missing/wrong.

no, no WEP keys are EVER negotiated in EAP/MD5. sorry, you have to set
those manually - the same in the AP and the STA.


> My AP is configurable for 64 / 128 / 256 keys in combination with Radius.
> Also no ip address is provided, which normally is dhcp. I guess this only
> starts after WEP is enabled correctly.

that's correct. and it doesn't work if something is wrong. 256 bit keys
are not standard. your card should be from the same vendor then.


> I tried several options from the documentation / newsgroup but i could
> not find a satisfactory answer. Most use EAP/TLS.

because of dynamic WEP keys which are possible with EAP/TLS


> Log from  Dlink950+ :
> Sep 10 08:52:23 accesspoint Wireless PC connected   00-06-25-A8-1A-41^M
> Sep 10 08:52:23 accesspoint EAP-Request/Identity   ^M
> Sep 10 08:52:27 accesspoint EAP-Request/Identity   ^M
> Sep 10 08:52:28 accesspoint EAP-Response/Identity   test^M
> Sep 10 08:52:28 accesspoint EAP-Success   00-06-25-A8-1A-41^M
> Sep 10 08:52:28 accesspoint Authentication success   00-06-25-A8-1A-41^M

your EAP/MD5 is working.


> Sending Access-Accept of id 6 to 192.168.1.50:1208
> Service-Type = Framed-User
> Framed-IP-Address = 192.168.1.60
> EAP-Message = 0x03020004
> Message-Authenticator = 0x
> Finished request 1

idem.

-> set the WEP keys



ciao
artur




Re: EAP-MD5 and User-Password

2003-08-05 Thread Artur Hecker
hi


> An entry for an EAP user can look like this (say):
> 
> "joe"  Auth-Type := eap, User-Password == "hello"
> Session-Timeout = 300
> 
> (side note: is the Auth-Type := eap part really necessary? I would expect
> not since the eap module apparently adds the Auth-Type attribute to the
> config list regardless of what's included in the user entry)

it's not. set it to system or local before. it's more correct to let it
be set by authorize section. eap module in authorize will do so if it
finds relevant eap-message included.

 
> The users file man page says this about the == operator (applied to the
> User-Password attribute above):
> 
> "Attribute == Value"
> As a check item, it matches if the named attribute is present in the
> request, AND has the given value. Not allowed as a reply item.
> 
> And RFC 2269 says :
> 
> [Note 1] An Access-Request that contains either a User-Password or
>   CHAP-Password or ARAP-Password or one or more EAP-Message attributes
>   MUST NOT contain more than one type of those four attributes.
> 
> I take this to mean that the EAP-Message attribute and User-Password
> attribute are mutually exclusive, i.e. you can never have a User-Password
> attribute in a request if it has an EAP-Message attribute.

yes, they are: in the access-request. that's logical: user-password as
an attribute is only necessary when you use PAP. if CHAP is used,
CHAP-Password attribute is used instead, when EAP is used, EAP-Message
is used (since the method can contain more than just a "password"), etc.
that's so far very consistent.

the only problem you have is that you are generally confusing
User-Password check item in the user configuration with the attributes
sent in the Access-Request (which is not further surprising, since the
names are the same). The fact is that the Radius server never sends
Access-Requests except for proxying and the User-Password never appears
in the Access-Requests containing EAP-Message since it is only used
locally. thus, the both can not appear in the Access-Requests at the
same time, which is perfectly RFC conform.

now, for the probable reason: in EAP/MD5 you as a server receive the
EAP/Identity and issue the EAP/MD5-Challenge (both contained in the
EAP-Message attribute). then you get the answer back and this has to be
verified against some shared secret. you CAN probably stock this secret
in some special file, some new check item or something else. the guys
simply re-used User-Password. remark: CHAP-Password would have been
perhaps more logical since EAP/MD5 is almost identical to CHAP with MD5
*BUT* unfortunately CHAP-Passwords *are* sent in the Access-Replies and
are thus not local check items.

that's my understanding of the whole story. they just needed place where
to put the password in.

 
> The above user profile does indeed work on 0.8.1 for EAP-MD5. But it
> shouldn't work, as far as I can see, since we have a check item
> (User-Password) which does not technically match any attribute in the
> request (User-Password isn't even present, since the request contains an
> EAP-Message). The request should not make it past the authorization stage.
> Any comments?

it doesn't match any attributes in the request. BUT: the EAP-Message is
present and thus the message is treated by EAP-module (the Auth-Type is
explicitly set to := EAP if EAP-Message is found). the latter happens to
look for the password in the User-password check item of the user
configuration.

now, try to find an RFC which prescribes where EAP-Message verificator
gets the user's password from. you probably won't since it's an
implementation issue and IETF is all about protocols.


ciao
artur

-- 
Artur Hecker
artur[at]hecker.info



Re: EAP-MD5 Client support for Win2k

2003-07-21 Thread diomedes
Hi,

http://support.microsoft.com/default.aspx?scid=kb;en-us;313664

Regards.

Omar.

idriss.mamodaly wrote:

Hi everybody

I would like to know where can i download a EAP-MD5 Client for Microsoft Windows 2000 ?

Thank you in advance, Best Regards,

Idriss MAMODALY 
Email1 : [EMAIL PROTECTED] 
Email2 : [EMAIL PROTECTED]



Re: EAP/MD5

2003-06-18 Thread Artur Hecker
not after SP1


"Mauricio Rocael García Ocaña" wrote:
> 
> xp, XP 802.1X client  support EAP/MD5 for wireless links, only need you,
> setup this, in authentication,
> 
> we try
> att.
> Mauricio
> - Original Message -
> From: "Artur Hecker" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, June 18, 2003 11:29 AM
> Subject: Re: EAP/MD5
> 
> >
> > hello
> >
> >
> > > does it make sense to have a users file with MD5 passwords and try to
> > > authenticate XP wireless clients ?
> > > (configuration is 801.x wireless LAN 3com client, 3COM Access Point and
> > > linux freeradius server).
> >
> > almost. the users file has to contain clear text passwords, because
> > otherwise no verification is possible. and: the XP 802.1X client does
> > not support EAP/MD5 for wireless links anymore...
> >
> >
> > > if it does what should be the values of the attributes Auth-Type and
> > > User-Password  in the entry associated with the login name in the users
> file ?
> > > (login name and MD5 encrypted password doesn't work)
> >
> > you should take a look at the EAP-MD5 howto at
> >
> > http://www.freeradius.org/doc/EAP-MD5.html
> >
> >
> >  ... MD5 encrypted password _can't_ work.
> >
> >
> >
> > ciao
> > artur
> >
> >
> > --
> > Artur Hecker
> > Département Informatique et Réseaux, ENST Paris
> > http://www.infres.enst.fr/~hecker
> >

-- 
Artur Hecker
artur[at]hecker.info



Re: EAP/MD5

2003-06-18 Thread Puneet B

> xp, XP 802.1X client  support EAP/MD5 for wireless links, 
> only need you, setup this, in authentication,

Actually XP 802.1x client used to support EAP-MD5. Installation
of Service Pack 1 removed EAP-MD5 support for me (it added 
support for PEAP). EAP-MD5 is not recommended as it's not safe
and does not support key generation.
-Puneet



Re: EAP/MD5

2003-06-18 Thread Mauricio Rocael García Ocaña
xp, XP 802.1X client  support EAP/MD5 for wireless links, only need you,
setup this, in authentication,


we try
att.
Mauricio
- Original Message -
From: "Artur Hecker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, June 18, 2003 11:29 AM
Subject: Re: EAP/MD5


>
> hello
>
>
> > does it make sense to have a users file with MD5 passwords and try to
> > authenticate XP wireless clients ?
> > (configuration is 801.x wireless LAN 3com client, 3COM Access Point and
> > linux freeradius server).
>
> almost. the users file has to contain clear text passwords, because
> otherwise no verification is possible. and: the XP 802.1X client does
> not support EAP/MD5 for wireless links anymore...
>
>
> > if it does what should be the values of the attributes Auth-Type and
> > User-Password  in the entry associated with the login name in the users
file ?
> > (login name and MD5 encrypted password doesn't work)
>
> you should take a look at the EAP-MD5 howto at
>
> http://www.freeradius.org/doc/EAP-MD5.html
>
>
>  ... MD5 encrypted password _can't_ work.
>
>
>
> ciao
> artur
>
>
> --
> Artur Hecker
> Département Informatique et Réseaux, ENST Paris
> http://www.infres.enst.fr/~hecker
>


Re: EAP/MD5

2003-06-18 Thread Artur Hecker

hello


> does it make sense to have a users file with MD5 passwords and try to
> authenticate XP wireless clients ?
> (configuration is 801.x wireless LAN 3com client, 3COM Access Point and
> linux freeradius server).

almost. the users file has to contain clear text passwords, because
otherwise no verification is possible. and: the XP 802.1X client does
not support EAP/MD5 for wireless links anymore...

 
> if it does what should be the values of the attributes Auth-Type and
> User-Password  in the entry associated with the login name in the users file ?
> (login name and MD5 encrypted password doesn't work)

you should take a look at the EAP-MD5 howto at 

http://www.freeradius.org/doc/EAP-MD5.html


 ... MD5 encrypted password _can't_ work.

 

ciao
artur


-- 
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker
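
The EAP-MD5 check discussed in this thread (challenge issued by the server, response verified against a locally stored secret), as an added example that is not code from FreeRADIUS or from any poster: it decodes EAP-Message values quoted in the debug output on this page and verifies an MD5-Challenge response as defined in RFC 3748 and RFC 1994, showing why the users file must hold the cleartext password. Function names and the challenge bytes are constructed for illustration; the user "joe" and password "hello" come from the sample users entry quoted earlier on the page.

```python
import hashlib
import hmac
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS"}
MD5_CHALLENGE = 4

# EAP-Message values copied from the debug output quoted on this page.
PAGE_SAMPLES = {
    "Access-Request from the Cisco AP": "0202000d0168656c706465736b",
    # type 13 = EAP-TLS, matching "rlm_eap: processing type tls" in that log
    "Access-Challenge to the Cisco AP": "010300060d20",
    "Access-Accept to the D-Link AP": "03020004",
}


def parse_eap(packet: bytes) -> dict:
    """Decode the EAP header (RFC 3748) carried in a RADIUS EAP-Message."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("EAP length field does not fit the data")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:  # only Request/Response carry a type
        out["type"] = EAP_TYPES.get(packet[4], packet[4])
        out["data"] = packet[5:length]
    return out


def md5_value(type_data: bytes) -> bytes:
    """MD5-Challenge type-data is Value-Size, Value, optional Name."""
    if not type_data or type_data[0] > len(type_data) - 1:
        raise ValueError("Value-Size exceeds the type-data")
    return type_data[1:1 + type_data[0]]


def build_md5_packet(code: int, ident: int, value: bytes, name: bytes = b"") -> bytes:
    """Build an EAP MD5-Challenge Request (code 1) or Response (code 2)."""
    body = bytes([MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def expected_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP hash reused by EAP-MD5: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify(request: bytes, response: bytes, stored_secret: bytes) -> bool:
    """Server-side check; stored_secret is whatever the users file holds."""
    req, resp = parse_eap(request), parse_eap(response)
    if req["code"] != "Request" or resp["code"] != "Response":
        return False
    if req.get("type") != "MD5-Challenge" or resp.get("type") != "MD5-Challenge":
        return False
    if req["id"] != resp["id"]:
        return False
    challenge = md5_value(req["data"])
    wanted = expected_response(resp["id"], stored_secret, challenge)
    return hmac.compare_digest(md5_value(resp["data"]), wanted)


def demo() -> tuple:
    """Return (result with cleartext stored, result with an MD5 hash stored)."""
    ident = 7                      # constructed identifier
    challenge = bytes(range(16))   # constructed 16-byte challenge
    request = build_md5_packet(1, ident, challenge)
    # The supplicant only ever hashes the cleartext password it was given.
    answer = expected_response(ident, b"hello", challenge)
    response = build_md5_packet(2, ident, answer, b"joe")
    cleartext_ok = verify(request, response, b"hello")
    # A users file holding MD5("hello") cannot reproduce the same hash input.
    hashed = hashlib.md5(b"hello").hexdigest().encode()
    hashed_ok = verify(request, response, hashed)
    return cleartext_ok, hashed_ok


if __name__ == "__main__":
    for label, hexval in PAGE_SAMPLES.items():
        print(label, parse_eap(bytes.fromhex(hexval)))
    print("cleartext stored: %s, MD5 hash stored: %s" % demo())
```
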



Re: EAP/MD5 and ldap

2003-06-05 Thread Mauricio Rocael García Ocaña



please send me the configs files, users, radius.conf clients,
thanks
regards.

Mauricio

- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, May 04, 2003 7:23 AM
Subject: EAP/MD5 and ldap

Hello,

I want to use EAP/MD5 and Ldap. EAP/MD5 config is ok, but ldap config is not Ok.
Have you got example of radiusd.conf, users for EAP/MD5 and Ldap.

Thanks,


Re: EAP/MD5 authentication problem!

2003-03-28 Thread Narasimha Reddy Gujja
Hi
Thanks for the response. I have stopped using MD5 for authentication purpose. 
Now I am shifting towards EAP/TLS, hope this time I don't get any errors.

Thanks for the help
Reddy [EMAIL PROTECTED]

>hi
>
>what you've sent is the following:
>
>eap response identity
>md5 challenge

>then new eap response identity
>and new challenge issued by the server

>take a look at the EAP-Message attribute to approve this.
>
>so, from the server's point of view there was no problem. however, it
>never received the necessary response to its challenges.
>
>thus, the problem is either on your radius client (access device) or at
>your user (winXP). what are you trying to do exactly?
>
>
>ciao
>artur
>
>
>
Narasimha Reddy Gujja wrote:
> Hi Artur
>
> Iam sending the server debug output file.
>
> Iam trying to authenticate wireless users with XP system. My userbase is in
> LDAP.
>
> Any suggestion will be great. Thanks in advance.
>
> radiusd -X -A*
> Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
> Ready to process requests.
> rad_recv: Access-Request packet from host 138.47.102.110:6001, id=13,
> length=119
> User-Name = "Bob"
> NAS-IP-Address = 138.47.102.110
> Called-Station-Id = "00-02-2d-47-23-58"
> Calling-Station-Id = "00-02-2d-50-a3-f3"
> NAS-Identifier = "RadiusAP"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> EAP-Message = "\002\002\000\010\001Bob"
> Message-Authenticator = 0x108ee1364eaf6d73afd4fca020f4ce04
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
>   modcall[authorize]: module "eap" returns updated
> users: Matched Bob at 3
>   modcall[authorize]: module "files" returns ok
> modcall: group authorize returns updated
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate
> rlm_eap: processing type md5
> rlm_eap_md5: Issuing Challenge
>   modcall[authenticate]: module "eap" returns ok
> modcall: group authenticate returns ok
> Sending Access-Challenge of id 13 to 138.47.102.110:6001
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Framed-Routing = Broadcast-Listen
> Framed-MTU = 1750
> Framed-Compression = Van-Jacobson-TCP-IP
> EAP-Message = "\001\r\000\026\004\020HU\235\272in;q~\373)$\304*\360<"
> Message-Authenticator = 0x
> State =
> 0xb8544111638aa2094bf37fb63b6e4ddae418813eadd92b7dc38bd585e79b2bb05fce59c2
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 13 with timestamp 3e8118e4
> Nothing to do.  Sleeping until we see a request.
> rad_recv: Access-Request packet from host 138.47.102.110:6001, id=14,
> length=119
> User-Name = "Bob"
> NAS-IP-Address = 138.47.102.110
> Called-Station-Id = "00-02-2d-47-23-58"
> Calling-Station-Id = "00-02-2d-50-a3-f3"
> NAS-Identifier = "RadiusAP"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> EAP-Message = "\002\002\000\010\001Bob"
> Message-Authenticator = 0x2b66e939f74c34a4a996282607247b8d
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
>   modcall[authorize]: module "eap" returns updated
> users: Matched Bob at 3
>   modcall[authorize]: module "files" returns ok
> modcall: group authorize returns updated
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate
> rlm_eap: processing type md5
> rlm_eap_md5: Issuing Challenge
>   modcall[authenticate]: module "eap" returns ok
> modcall: group authenticate returns ok
> Sending Access-Challenge of id 14 to 138.47.102.110:6001
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Framed-Routing = Broadcast-Listen
> Framed-MTU = 1750
> Framed-Compression = Van-Jacobson-TCP-IP
> EAP-Message = "\001\016\000\026\004\020J\347\0236\344K\371
> \277y\322u.#H\030\245"
> Message-Authenticator = 0x
> State =
> 0x8c23059409e8141abbacc10527ed7c20ec18813e310778ff5bce1ea5c9149793b998df93
> Finished request 1
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 1 ID 14 with timestamp 3e8118ec
> Nothing to do.  Sleeping until we see a request.
>
>
>
> Thanks
> Reddy [EMAIL PROTECTED]
>
>
>
Re: EAP/MD5 authentication problem!

2003-03-27 Thread freeradius mailing list
The auth-type is EAP.


On Thu, 27 Mar 2003, Narasimha Reddy Gujja wrote:

> Hi Artur
>
> Iam sending the server debug output file.
>
> Iam trying to authenticate wireless users with XP system. My userbase is in
> LDAP.
>
> Any suggestion will be great. Thanks in advance.
>
> radiusd -X -A*
> Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
> Ready to process requests.
> rad_recv: Access-Request packet from host 138.47.102.110:6001, id=13,
> length=119
> User-Name = "Bob"
> NAS-IP-Address = 138.47.102.110
> Called-Station-Id = "00-02-2d-47-23-58"
> Calling-Station-Id = "00-02-2d-50-a3-f3"
> NAS-Identifier = "RadiusAP"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> EAP-Message = "\002\002\000\010\001Bob"
> Message-Authenticator = 0x108ee1364eaf6d73afd4fca020f4ce04
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
>   modcall[authorize]: module "eap" returns updated
> users: Matched Bob at 3
>   modcall[authorize]: module "files" returns ok
> modcall: group authorize returns updated
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate
> rlm_eap: processing type md5
> rlm_eap_md5: Issuing Challenge
>   modcall[authenticate]: module "eap" returns ok
> modcall: group authenticate returns ok
> Sending Access-Challenge of id 13 to 138.47.102.110:6001
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Framed-Routing = Broadcast-Listen
> Framed-MTU = 1750
> Framed-Compression = Van-Jacobson-TCP-IP
> EAP-Message = "\001\r\000\026\004\020HU\235\272in;q~\373)$\304*\360<"
> Message-Authenticator = 0x
> State =
> 0xb8544111638aa2094bf37fb63b6e4ddae418813eadd92b7dc38bd585e79b2bb05fce59c2
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 13 with timestamp 3e8118e4
> Nothing to do.  Sleeping until we see a request.
> rad_recv: Access-Request packet from host 138.47.102.110:6001, id=14,
> length=119
> User-Name = "Bob"
> NAS-IP-Address = 138.47.102.110
> Called-Station-Id = "00-02-2d-47-23-58"
> Calling-Station-Id = "00-02-2d-50-a3-f3"
> NAS-Identifier = "RadiusAP"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> EAP-Message = "\002\002\000\010\001Bob"
> Message-Authenticator = 0x2b66e939f74c34a4a996282607247b8d
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
>   modcall[authorize]: module "eap" returns updated
> users: Matched Bob at 3
>   modcall[authorize]: module "files" returns ok
> modcall: group authorize returns updated
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate
> rlm_eap: processing type md5
> rlm_eap_md5: Issuing Challenge
>   modcall[authenticate]: module "eap" returns ok
> modcall: group authenticate returns ok
> Sending Access-Challenge of id 14 to 138.47.102.110:6001
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Framed-Routing = Broadcast-Listen
> Framed-MTU = 1750
> Framed-Compression = Van-Jacobson-TCP-IP
> EAP-Message = "\001\016\000\026\004\020J\347\0236\344K\371
> \277y\322u.#H\030\245"
> Message-Authenticator = 0x
> State =
> 0x8c23059409e8141abbacc10527ed7c20ec18813e310778ff5bce1ea5c9149793b998df93
> Finished request 1
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 1 ID 14 with timestamp 3e8118ec
> Nothing to do.  Sleeping until we see a request.
>
> 
>
> Thanks
> Reddy [EMAIL PROTECTED]
>
>
>




Re: EAP/MD5 authentication problem!

2003-03-27 Thread Artur Hecker
hi

what you've sent is the following:

eap response identity
md5 challenge
then new eap response identity
and new challenge issued by the server
take a look at the EAP-Message attribute to approve this.

so, from the server's point of view there was no problem. however, it 
never received the necessary response to its challenges.

thus, the problem is either on your radius client (access device) or at 
your user (winXP). what are you trying to do exactly?

ciao
artur


Narasimha Reddy Gujja wrote:
Hi Artur

Iam sending the server debug output file. 

Iam trying to authenticate wireless users with XP system. My userbase is in 
LDAP.

Any suggestion will be great. Thanks in advance.

radiusd -X -A*
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 138.47.102.110:6001, id=13, 
length=119
User-Name = "Bob"
NAS-IP-Address = 138.47.102.110
Called-Station-Id = "00-02-2d-47-23-58"
Calling-Station-Id = "00-02-2d-50-a3-f3"
NAS-Identifier = "RadiusAP"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = "\002\002\000\010\001Bob"
Message-Authenticator = 0x108ee1364eaf6d73afd4fca020f4ce04
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "eap" returns updated
users: Matched Bob at 3
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
  modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 13 to 138.47.102.110:6001
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Routing = Broadcast-Listen
Framed-MTU = 1750
Framed-Compression = Van-Jacobson-TCP-IP
EAP-Message = "\001\r\000\026\004\020HU\235\272in;q~\373)$\304*\360<"
Message-Authenticator = 0x
State = 
0xb8544111638aa2094bf37fb63b6e4ddae418813eadd92b7dc38bd585e79b2bb05fce59c2
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 13 with timestamp 3e8118e4
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 138.47.102.110:6001, id=14, 
length=119
User-Name = "Bob"
NAS-IP-Address = 138.47.102.110
Called-Station-Id = "00-02-2d-47-23-58"
Calling-Station-Id = "00-02-2d-50-a3-f3"
NAS-Identifier = "RadiusAP"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = "\002\002\000\010\001Bob"
Message-Authenticator = 0x2b66e939f74c34a4a996282607247b8d
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "eap" returns updated
users: Matched Bob at 3
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
  modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 14 to 138.47.102.110:6001
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Routing = Broadcast-Listen
Framed-MTU = 1750
Framed-Compression = Van-Jacobson-TCP-IP
EAP-Message = "\001\016\000\026\004\020J\347\0236\344K\371
\277y\322u.#H\030\245"
Message-Authenticator = 0x
State = 
0x8c23059409e8141abbacc10527ed7c20ec18813e310778ff5bce1ea5c9149793b998df93
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 14 with timestamp 3e8118ec
Nothing to do.  Sleeping until we see a request.



Thanks 
Reddy [EMAIL PROTECTED]





--
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker


Re: EAP/MD5 authentication problem!

2003-03-26 Thread Artur Hecker
hi

that's not very correct. eap/md5 is still supported for wired links for 
as much as i know. please provide input on that topic.

ciao
artur

Marco Teixeira wrote:
Do you have Service Pack 1 on XP ? If you do,
you should know that after XP SP1, microsoft
no longer supports EAP/MD5. Instead you should use
PEAP/MSCHAP i guess. There's a good tutorial on this
at the freeradius site.
Best regards

Marco


-Mensagem original-
De: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] Em nome de 
Narasimha Reddy Gujja
Enviada: terça-feira, 25 de Março de 2003 17:57
Para: [EMAIL PROTECTED]
Assunto: EAP/MD5 authentication problem!

Hi All

I have enabled MAC based authentication for my wireless 
network using RADIUS 
and LDAP. Now I want to authenticate using EAP.
I have several doubts.

I configured my client machine to use 'EAP/MD5' and i 
configure the Access 
Point to use '802.1x'.

My problem is that the client(read XP system) machine is not 
authenticated by 
the server, it stays on asking to enter 
username and password, but is not authenticated.



Please look into my conf files and log and help me out.

Also how can i check for password in LDAP, instead in the users file.

It will be a great help and thanks for your patience.

**
*
***users
Bob   Auth-Type := EAP, User-Password = "public"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-Routing = Broadcast-Listen,
Framed-MTU = 1750,
Framed-Compression = Van-Jacobsen-TCP-IP
**radiusd.conf
modules{
eap {
#default_eap_type = md5
# Supported EAP-types
md5 {
}




--
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker


Re: EAP/MD5 authentication problem!

2003-03-26 Thread Artur Hecker
please provide server debug output.

we can't help you without.

read http://www.freeradius.org/doc/EAP-MD5.html

ciao
artur
Narasimha Reddy Gujja wrote:
Hi All

I have enabled MAC based authentication for my wireless network using RADIUS 
and LDAP. Now I want to authenticate using EAP.
I have several doubts.

I configured my client machine to use 'EAP/MD5' and i configure the Access 
Point to use '802.1x'.

My problem is that the client(read XP system) machine is not authenticated by 
the server, it stays on asking to enter 
username and password, but is not authenticated.



Please look into my conf files and log and help me out.

Also how can i check for password in LDAP, instead in the users file.

It will be a great help and thanks for your patience.

***users
Bob   Auth-Type := EAP, User-Password = "public"
 Service-Type = Framed-User,
 Framed-Protocol = PPP,
 Framed-Routing = Broadcast-Listen,
 Framed-MTU = 1750,
 Framed-Compression = Van-Jacobsen-TCP-IP
**radiusd.conf
modules{
eap {
 #default_eap_type = md5
 # Supported EAP-types
 md5 {
 }




--
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker


RE: EAP/MD5 authentication problem!

2003-03-25 Thread Marco Teixeira
Do you have Service Pack 1 on XP ? If you do,
you should know that after XP SP1, microsoft
no longer supports EAP/MD5. Instead you should use
PEAP/MSCHAP i guess. There's a good tutorial on this
at the freeradius site.

Best regards

Marco

> -Original message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On behalf of 
> Narasimha Reddy Gujja
> Sent: Tuesday, 25 March 2003 17:57
> To: [EMAIL PROTECTED]
> Subject: EAP/MD5 authentication problem!
> 
> 
> Hi All
> 
> I have enabled MAC based authentication for my wireless 
> network using RADIUS 
> and LDAP. Now I want to authenticate using EAP.
> I have several doubts.
> 
> I configured my client machine to use 'EAP/MD5' and i 
> configure the Access 
> Point to use '802.1x'.
> 
> My problem is that the client(read XP system) machine is not 
> authenticated by 
> the server, it stays on asking to enter 
> username and password, but is not authenticated.
> 
> 
> 
> Please look into my conf files and log and help me out.
> 
> Also how can i check for password in LDAP, instead in the users file.
> 
> It will be a great help and thanks for your patience.
> 
> ***users
> Bob   Auth-Type := EAP, User-Password = "public"
>  Service-Type = Framed-User,
>  Framed-Protocol = PPP,
>  Framed-Routing = Broadcast-Listen,
>  Framed-MTU = 1750,
>  Framed-Compression = Van-Jacobsen-TCP-IP
> 
> **radiusd.conf
> modules{
> 
> eap {
>  #default_eap_type = md5
>  # Supported EAP-types
>  md5 {
>  }
> 
> 
> 


Re: EAP-MD5 auth failure

2003-03-24 Thread [EMAIL PROTECTED]
Hello,
finally I made EAP-MD5 authentication work. 
I thank Artur and Joao for the helpful cooperation.
Only a question: what does "Auth-Type = System" mean? I.e. what does "System" mean?

Thanks a lot again,
emi



hi


 > challenge. EAP-MD5 specifies that supplicant, replying to the server
 > at the challenge, carries out a hash on the password and sends it to
 > the server. The server performs a hash on the password for that
 > supplicant in its database and compares the two hashed values. If
 > there's a matching the user is authenticated.  My doubt is: is there

that's not very precise.


 > a common key used to hash the password that have to be configured on
 > the server or this step is not necessary??

your explanation is not precise and so you have difficulties 
understanding it.

"the common key" which you are talking about *is* the password. the hash 
is actually performed on the received (unique) challenge, of course 
including the shared secret, i.e. the password, in order to make it 
impossible for somebody who doesn't know the password to produce the 
same response to the challenge.

server                                   user

                       username
                  <--

                       challenge
gen. random chal. -->                    md5(challenge+secret)
                                         =:res

                       res
md5(challenge+secret) <--
==res?

                       success
yes?              -->
                       failure
no?               -->



ciao
artur


-- 
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker




Re: EAP-MD5-Challenge with Windows XP

2003-03-17 Thread Artur Hecker
hi


> But how can I check the accounts against system accounts using EAP?

that's a good question. the answer is: you can't. for the same reason 
you can't use system accounts with CHAP. only hashes of the passwords 
are available for your system accounts. evidently, the hash of the 
password is not sufficient for CHAP like auth systems (like EAP/MD5). 
you need the clear text password at the moment of the verification of 
the challenge response.


> [/etc/1x/1x.conf]
> default : id = udo  #comment here
> default : auth = EAP 
> default : type = wireless 
> default : pref = md5

ok, then xsupplicant does eap/md5 now. nice.

ciao
artur


--
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker


Re: EAP-MD5-Challenge with Windows XP

2003-03-17 Thread Udo Mueller
Hello Artur,

* Artur Hecker wrote [17-03-03 15:14]:
> >I tried this one and changed radius.conf. Also I changed users-file
> >to this:
> >
> >udo Auth-Type := EAP, User-Password == "password"
> >Fall-Through = 1
> >
> >With these things authentication works with Windows XP and the log
> >of my AP shows it fine. Without User-Password == "pass" it doesn't
> >work.
> 
> without any password it can't work, can it? :) well, i'm glad it helped.

:)
But how can I check the accounts against system accounts using EAP?

> >When I had it run with XP I tried it with my Debian -Linux and
> >xsupplicant.
> 
> xsupplicant does MD5? i didn't know that!!! are you sure?

[/etc/1x/1x.conf]
default : id = udo  #comment here
default : auth = EAP 
default : type = wireless 
default : pref = md5
default : chunk_size = 1398
default : random_file = /dev/random
default : first_auth = "/sbin/dhclient eth1"
default : after_auth = "/bin/echo I authenticated"

Sure. In the log it says: Authentication success and also in
/var/log/radiusd-freeradius/radius.log.

> >But my Debian gets the IP via DHCP without authenticating with
> >radius.
> >
> >When starting manually xsupplicant, authentication works fine, but
> >I think, I don't get a success message back to xsupplicant, so that
> >it can invoke dhclient eth1.
> 
> it can invoke whatever it wants, but the AP should be blocking 
> everything before Access Accept from the server.

With Windows XP it works: After Authentication Success Windows
tries to get (and gets!) an IP via DHCP.

> >Does anyone something about that or should I ask
> >open1x-xsupplicant-ML?
> > In the log of my DWL-900AP+ I can see the Auth-Success-Message.
> 
> whenever you obtain a response please send it to the list.

Sure, I will.

Regards, Udo

-- 
LINUX will never be the most-installed system -
not with how often you get to reinstall Win98!



Re: EAP-MD5-Challenge with Windows XP

2003-03-17 Thread Artur Hecker
hi


> I tried this one and changed radius.conf. Also I changed users-file
> to this:
>
> udo Auth-Type := EAP, User-Password == "password"
> Fall-Through = 1
>
> With these things authentication works with Windows XP and the log
> of my AP shows it fine. Without User-Password == "pass" it doesn't
> work.

without any password it can't work, can it? :) well, i'm glad it helped.

> When I had it run with XP I tried it with my Debian -Linux and
> xsupplicant.

xsupplicant does MD5? i didn't know that!!! are you sure?

> But my Debian gets the IP via DHCP without authenticating with
> radius.
>
> When starting manually xsupplicant, authentication works fine, but
> I think, I don't get a success message back to xsupplicant, so that
> it can invoke dhclient eth1.

it can invoke whatever it wants, but the AP should be blocking 
everything before Access Accept from the server.

> Does anyone something about that or should I ask
> open1x-xsupplicant-ML?
> In the log of my DWL-900AP+ I can see the Auth-Success-Message.

whenever you obtain a response please send it to the list.



ciao
artur
--
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker


Re: EAP-MD5-Challenge with Windows XP

2003-03-17 Thread Udo Mueller
Hello Artur,

* Artur Hecker wrote [17-03-03 12:02]:
> 
> i took a look and honestly i don't get it at the first glance.
> 
> anyway, the howto about which files are concerned is at 
> http://www.freeradius.org/doc/EAP-MD5.html

I tried this one and changed radius.conf. Also I changed users-file
to this:

udo Auth-Type := EAP, User-Password == "password"
Fall-Through = 1

With these things authentication works with Windows XP and the log
of my AP shows it fine. Without User-Password == "pass" it doesn't
work.

> there is an updated version too, it will be online soon.

No need for me.

> if everything is configured correctly (which seems to be the case), then 
> something is wrong with the firmware. windows XP (before SP1 on the 
> wireless devices too) can answer the challenges correctly and freeradius 
> can verify those, so it's probable that the error is at the AP. you can 
> try to sniff on the wireless interface and compare to the wired one.

When I had it run with XP I tried it with my Debian -Linux and
xsupplicant.

But my Debian gets the IP via DHCP without authenticating with
radius.

When starting manually xsupplicant, authentication works fine, but
I think, I don't get a success message back to xsupplicant, so that
it can invoke dhclient eth1.

Does anyone something about that or should I ask
open1x-xsupplicant-ML?

In the log of my DWL-900AP+ I can see the Auth-Success-Message.

Regards, Udo

-- 
LINUX will never be the most-installed system -
not with how often you get to reinstall Win98!



Re: EAP-MD5-Challenge with Windows XP

2003-03-17 Thread Artur Hecker
[BEGIN]
Info: rlm_eap: processing type md5
Info: rlm_eap_md5: Issuing Challenge
Auth: Login OK: [udo/] (from client 192.168.0.50 port 0 
cli 00-02-2D-52-C7-67)
Info: rlm_eap: Request found, released from the list
Info: rlm_eap: EAP_TYPE - md5
Info: rlm_eap: processing type md5
Info: rlm_eap_md5: Challenge failed
Auth: Login OK: [udo/] (from client 192.168.0.50 port 0 
cli 00-02-2D-52-C7-67)
[END]
with radius -xxSXt stdout I get:


hi Udo

i took a look and honestly i don't get it at the first glance.

anyway, the howto about which files are concerned is at 
http://www.freeradius.org/doc/EAP-MD5.html

there is an updated version too, it will be online soon.

if everything is configured correctly (which seems to be the case), then 
something is wrong with the firmware. windows XP (before SP1 on the 
wireless devices too) can answer the challenges correctly and freeradius 
can verify those, so it's probable that the error is at the AP. you can 
try to sniff on the wireless interface and compare to the wired one.

otherwise you can take a look at the EAP/MD5 standard (RFC 2284) and 
re-count the values...

ciao
artur
--
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker


Re: EAP-MD5 auth failure

2003-03-13 Thread Artur Hecker
hi

> challenge. EAP-MD5 specifies that supplicant, replying to the server
> at the challenge, carries out a hash on the password and sends it to
> the server. The server performs a hash on the password for that
> supplicant in its database and compares the two hashed values. If
> there's a matching the user is authenticated.  My doubt is: is there
that's not very precise.

> a common key used to hash the password that have to be configured on
> the server or this step is not necessary??
your explanation is not precise and so you have difficulties 
understanding it.

"the common key" which you are talking about *is* the password. the hash 
is actually performed on the received (unique) challenge, of course 
including the shared secret, i.e. the password, in order to make it 
impossible for somebody who doesn't know the password to produce the 
same response to the challenge.

server                                   user

                       username
                  <--

                       challenge
gen. random chal. -->                    md5(challenge+secret)
                                         =:res

                       res
md5(challenge+secret) <--
==res?

                       success
yes?              -->
                       failure
no?               -->


ciao
artur
--
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker
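
The challenge/response exchange sketched in this thread, the reason the server needs the clear-text password, and a way to "re-count the values" from two logged EAP-Message attributes, as an added Python example that is not part of the original posts or of FreeRADIUS. It uses the input order of RFC 1994 CHAP, which EAP MD5-Challenge follows: MD5(Identifier || secret || challenge). The function names, the identifier 7 and the sample packets are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5 = 4  # EAP type "MD5-Challenge"


def from_log_hex(text):
    """Turn an 'EAP-Message = 0x...' value from a debug log into bytes."""
    text = text.strip()
    return bytes.fromhex(text[2:] if text.lower().startswith("0x") else text)


def build_md5_packet(code, ident, value, name=b""):
    """Code | Identifier | Length | Type=4 | Value-Size | Value | Name."""
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_md5_packet(packet):
    """Return (code, identifier, value, name) or raise ValueError."""
    if len(packet) < 6:
        raise ValueError("too short for an EAP MD5-Challenge packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 6 or length > len(packet):
        raise ValueError("EAP Length field does not fit the data")
    if packet[4] != EAP_TYPE_MD5:
        raise ValueError("EAP type %d is not MD5-Challenge" % packet[4])
    size = packet[5]
    if size == 0 or 6 + size > length:
        raise ValueError("Value-Size runs past the end of the packet")
    # Octets after Length are padding and are ignored.
    return code, ident, packet[6:6 + size], packet[6 + size:length]


def md5_response(ident, password, challenge):
    """CHAP-style digest (RFC 1994): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def supplicant_answer(request, password, name=b""):
    """Client side: hash the received challenge together with the password."""
    code, ident, challenge, _ = parse_md5_packet(request)
    if code != EAP_REQUEST:
        raise ValueError("expected an EAP Request")
    digest = md5_response(ident, password, challenge)
    return build_md5_packet(EAP_RESPONSE, ident, digest, name)


def server_verify(request, response, cleartext_password):
    """Server side: recompute the digest from the clear-text password."""
    req_code, req_id, challenge, _ = parse_md5_packet(request)
    rsp_code, rsp_id, value, _ = parse_md5_packet(response)
    if req_code != EAP_REQUEST or rsp_code != EAP_RESPONSE or req_id != rsp_id:
        return False
    expected = md5_response(req_id, cleartext_password, challenge)
    return hmac.compare_digest(expected, value)


if __name__ == "__main__":
    # Constructed sample: user and password as in the thread's users entry.
    password = b"password"
    request = build_md5_packet(EAP_REQUEST, 7, os.urandom(16))
    response = supplicant_answer(request, password, b"udo")
    print("request :", "0x" + request.hex())
    print("response:", "0x" + response.hex())
    print("clear-text password :", server_verify(request, response, password))
    print("wrong password      :", server_verify(request, response, b"pass"))
    # A one-way hash of the password (all a system account database holds)
    # is a different input, so the digest cannot be recomputed from it.
    stored = hashlib.sha256(password).hexdigest().encode()
    print("stored hash only    :", server_verify(request, response, stored))
    # "Re-counting" from a log: paste both EAP-Message values as hex.
    print("from log hex        :", server_verify(
        from_log_hex("0x" + request.hex()), from_log_hex(response.hex()), password))
```

To check a real exchange, pass the EAP-Message value of the Access-Challenge and of the following Access-Request to from_log_hex() and call server_verify() with the password from the users file.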


Re: EAP-MD5 auth failure

2003-03-13 Thread [EMAIL PROTECTED]
Hi,
thanks to your help I think I'm on the right way to get my system running. Now the algorithm 
seems to start but there are problems with the challenge. EAP-MD5 specifies that the supplicant, 
replying to the server's challenge, carries out a hash on the password and sends 
it to the server. The server performs a hash on the password for that supplicant in 
its database and compares the two hashed values. If there's a match the user is 
authenticated.  My doubt is: is there a common key used to hash the password that has 
to be configured on the server, or is this step not necessary??

thanks very much ,
emi






i think you should really either:

1. relaunch ./configure and rebuild the server giving the good prefixes
for the config files

- OR -

2. launch your radiusd with:
strace radiusd 2>&1 | grep radiusd.conf

you will see which config file it is really using.


ciao
artur


[EMAIL PROTECTED] wrote:
 > Hi, I'm continuing having problems. Although I modified radiusd.conf
 > the log coming with radiusd -X shows that also the commented items
 > are considered by the server (for example MS-CHAP is commented but
 > the server however load and instantiate it). It seems the server
 > reads a previous and an unmodified version of radiusd.conf instead of
 > new radiusd.conf. The steps I follow are: 1- modify radiusd.conf 2-
 > in the command line give the command radiusd -X
 >
 > what do you think??
 >
 > thanks, emi
 >
 >
 >
 >
 >
 >> Hello Emi,
 >
 >
 >> Were you able to get your system running? :)
 >
 >
 >
 >> Regards,
 >
 >
 >
 >> From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> Reply-To:
 >> [EMAIL PROTECTED] To: "freeradius-users"
 >> <[EMAIL PROTECTED]> Subject: Re: EAP-MD5 auth
 >> failure Date: Wed,  5 Mar 2003 17:26:44 +0100
 >>
 >> Thank you very very much Joao, I hope using your files I'll be able
 >> to run my system. This has been very kindly for you, thanks, emi
 >>
 >>
 >>
 >> Emi,
 >>
 >> I just sent you my config files for freeradius working with the
 >> 1100 Cisco AP. Hope this can help! :)
 >>
 >>
 >> Joao
 >>
 >>
 >>> From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> Reply-To:
 >>> [EMAIL PROTECTED] To: "freeradius-users"
 >>> <[EMAIL PROTECTED]> Subject: Re: EAP-MD5 auth
 >>> failure Date: Wed,  5 Mar 2003 10:54:45 +0100
 >>>
 >>> hi, in my trials this morning I was very surprised reading the
 >>> log generated
 >>
 >>> from radiusd -X to run the server. Although I configured
 >>> radiusd.conf
 >>
 >>> commenting every module than eap and followed Artur directives
 >>> for "authorize" and  "authenticate", in the log appear messages
 >>> indicating that even pap, chap, ms-chap modules are loaded and
 >>> instantiated.  Maybe this is the reason my server doesn't work
 >>> properly for my purpose, i.e. EAP-MD5 authentication. Have you
 >>> some ideas about this strange happening?
 >>>
 >>> Thank you very much, emi
 >>
 >


-- 
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker




Re: EAP-MD5 auth failure

2003-03-11 Thread Artur Hecker
i think you should really either:

1. relaunch ./configure and rebuild the server giving the good prefixes
for the config files
- OR -

2. launch your radiusd with:
strace radiusd 2>&1 | grep radiusd.conf
you will see which config file it is really using.

ciao
artur
[EMAIL PROTECTED] wrote:
> Hi, I'm continuing having problems. Although I modified radiusd.conf
> the log coming with radiusd -X shows that also the commented items
> are considered by the server (for example MS-CHAP is commented but
> the server however load and instantiate it). It seems the server
> reads a previous and an unmodified version of radiusd.conf instead of
> new radiusd.conf. The steps I follow are: 1- modify radiusd.conf 2-
> in the command line give the command radiusd -X
>
> what do you think??
>
> thanks, emi
>
>
>
>
>
>> Hello Emi,
>
>
>> Were you able to get your system running? :)
>
>
>
>> Regards,
>
>
>
>> From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> Reply-To:
>> [EMAIL PROTECTED] To: "freeradius-users"
>> <[EMAIL PROTECTED]> Subject: Re: EAP-MD5 auth
>> failure Date: Wed,  5 Mar 2003 17:26:44 +0100
>>
>> Thank you very very much Joao, I hope using your files I'll be able
>> to run my system. This has been very kindly for you, thanks, emi
>>
>>
>>
>> Emi,
>>
>> I just sent you my config files for freeradius working with the
>> 1100 Cisco AP. Hope this can help! :)
>>
>>
>> Joao
>>
>>
>>> From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> Reply-To:
>>> [EMAIL PROTECTED] To: "freeradius-users"
>>> <[EMAIL PROTECTED]> Subject: Re: EAP-MD5 auth
>>> failure Date: Wed,  5 Mar 2003 10:54:45 +0100
>>>
>>> hi, in my trials this morning I was very surprised reading the
>>> log generated
>>
>>> from radiusd -X to run the server. Although I configured
>>> radiusd.conf
>>
>>> commenting every module than eap and followed Artur directives
>>> for "authorize" and  "authenticate", in the log appear messages
>>> indicating that even pap, chap, ms-chap modules are loaded and
>>> instantiated.  Maybe this is the reason my server doesn't work
>>> properly for my purpose, i.e. EAP-MD5 authentication. Have you
>>> some ideas about this strange happening?
>>>
>>> Thank you very much, emi
>>
>
--
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker


Re: EAP-MD5 auth failure

2003-03-11 Thread [EMAIL PROTECTED]
Hi,
I'm continuing having problems. Although I modified radiusd.conf the log coming with 
radiusd -X shows that also the commented items are considered by the server (for 
example MS-CHAP is commented but the server however load and instantiate it). It seems 
the server reads a previous and an unmodified version of radiusd.conf instead of new 
radiusd.conf. The steps I follow are:
1- modify radiusd.conf
2- in the command line give the command radiusd -X

what do you think??

thanks,
emi




>Hello Emi,

>Were you able to get your system running? :)


>Regards,


>From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: "freeradius-users" <[EMAIL PROTECTED]>
>Subject: Re: EAP-MD5 auth failure
>Date: Wed,  5 Mar 2003 17:26:44 +0100
>
>Thank you very very much Joao, I hope using your files I'll be able to run 
>my system.
>This has been very kindly for you,
>thanks,
>emi
>
>
>
>Emi,
>
>I just sent you my config files for freeradius working with the 1100 Cisco
>AP. Hope this can help! :)
>
>
>Joao
>
> >From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> >Reply-To: [EMAIL PROTECTED]
> >To: "freeradius-users" <[EMAIL PROTECTED]>
> >Subject: Re: EAP-MD5 auth failure
> >Date: Wed,  5 Mar 2003 10:54:45 +0100
> >
> >hi,
> >in my trials this morning I was very surprised reading the log generated
> >from radiusd -X to run the server. Although I configured radiusd.conf
> >commenting every module than eap and followed Artur directives for
> >"authorize" and  "authenticate", in the log appear messages indicating
> >that even pap, chap, ms-chap modules are loaded and instantiated.  Maybe
> >this is the reason my server doesn't work properly for my purpose, i.e.
> >EAP-MD5 authentication.
> >Have you some ideas about this strange happening?
> >
> >Thank you very much,
> >emi



Re: EAP-MD5 auth failure

2003-03-07 Thread Joao Santos
Hello Emi,

Were you able to get your system running? :)

Regards,


From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: "freeradius-users" <[EMAIL PROTECTED]>
Subject: Re: EAP-MD5 auth failure
Date: Wed,  5 Mar 2003 17:26:44 +0100
Thank you very very much Joao, I hope using your files I'll be able to run 
my system.
This has been very kindly for you,
thanks,
emi



Emi,

I just sent you my config files for freeradius working with the 1100 Cisco
AP. Hope this can help! :)
Joao

>From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: "freeradius-users" <[EMAIL PROTECTED]>
>Subject: Re: EAP-MD5 auth failure
>Date: Wed,  5 Mar 2003 10:54:45 +0100
>
>hi,
>in my trials this morning I was very surprised reading the log generated
>from radiusd -X to run the server. Although I configured radiusd.conf
>commenting every module than eap and followed Artur directives for
>"authorize" and  "authenticate", in the log appear messages indicating
>that even pap, chap, ms-chap modules are loaded and instantiated.  Maybe
>this is the reason my server doesn't work properly for my purpose, i.e.
>EAP-MD5 authentication.
>Have you some ideas about this strange happening?
>
>Thank you very much,
>emi


Re: eap-md5 faq update

2003-03-07 Thread Artur Hecker
ok, sorry

didn't want to hurry you, just in case the address wasn't correct.


thanks,
artur



Alan DeKok wrote:
> 
> Artur Hecker <[EMAIL PROTECTED]> wrote:
> > a dumb question: i've sent you an updated version of the eap-md5 faq
> > some days ago. did you get it or did i choose a wrong address?
> 
>   I got it, I've just been over-whelmed with issues lately.
> (Including my ISP going off of the net for ~8 hours, due to electrical
> upgrades)
> 
>   Alan DeKok.
> 

-- 
Artur Hecker
artur[at]hecker.info



Re: eap-md5 faq update

2003-03-06 Thread Alan DeKok
Artur Hecker <[EMAIL PROTECTED]> wrote:
> a dumb question: i've sent you an updated version of the eap-md5 faq
> some days ago. did you get it or did i choose a wrong address?

  I got it, I've just been over-whelmed with issues lately.
(Including my ISP going off of the net for ~8 hours, due to electrical
upgrades)

  Alan DeKok.



Re: EAP-MD5 auth failure

2003-03-05 Thread Artur Hecker
hi

i have no idea where your config file is. just make something like 
strace | grep "radiusd.conf" and see...



[EMAIL PROTECTED] wrote:
No, I don't. Could you tell me which is the file and how to change it?
I thank you very much,
emi

you do not change the config file of the server in question?



[EMAIL PROTECTED] wrote:

hi,
in my trials this morning I was very surprised reading the log generated from radiusd -X to run the 
server. Although I configured radiusd.conf commenting every module than eap and followed Artur directives 
for "authorize" and  "authenticate", in the log appear messages indicating that even 
pap, chap, ms-chap modules are loaded and instantiated.  Maybe this is the reason my server doesn't work 
properly for my purpose, i.e. EAP-MD5 authentication.
Have you some ideas about this strange happening?
Thank you very much,
emi


hi




I followed your suggestion but I'm continuing having problems.
I configured radiusd.conf as Arthur's advice, clients.conf (I suppose correctly). In 
users file I put my user as follow:
pippo  Auth-Type := Local  User-Password == "pippo" (I must comment all other users or 
last DEFAULT entries can remain uncommented??).
Now is there any other item to configure inside radiusd.conf file? Are there further 
files in raddb directory it's necessary to configure to enable EAP-MD5? If yes could 
you report me a sample of configuration?.


no, there are no other files concerned as those mentioned in the FAQ.

check the following points:
- assure that the eap-md5 module is correct and loaded during radiusd
startup (try ldd on the module, look at the init sequence in debug mode
of radiusd, etc.)
- if that doesn't change anything, you could try explicitly setting
Auth-Type := EAP in the user configuration file. that would set the
Auth-Type independently of the authorization section. the eap module
still should be in the authenticate section though (remove all the rest
for test purposes)



Sorry for these continuous questions, but is important for me make the system to work.
Thank you very much and regards,


no problem.

ciao
artur






--
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker


Re: EAP-MD5 auth failure

2003-03-05 Thread [EMAIL PROTECTED]
No, I don't. Could you tell me which is the file and how to change it?
I thank you very much,

emi


you do not change the config file of the server in question?



[EMAIL PROTECTED] wrote:
> hi,
> in my trials this morning I was very surprised reading the log generated from 
> radiusd -X to run the server. Although I configured radiusd.conf commenting every 
> module than eap and followed Artur directives for "authorize" and  "authenticate", 
> in the log appear messages indicating that even pap, chap, ms-chap modules are 
> loaded and instantiated.  Maybe this is the reason my server doesn't work properly 
> for my purpose, i.e. EAP-MD5 authentication.
> Have you some ideas about this strange happening?
> 
> Thank you very much,
> emi
> 
> 
> 
> hi
> 
> 
> 
>>I followed your suggestion but I'm continuing having problems.
>>I configured radiusd.conf as Arthur's advice, clients.conf (I suppose correctly). In 
>>users file I put my user as follow:
>>pippo  Auth-Type := Local  User-Password == "pippo" (I must comment all other users 
>>or last DEFAULT entries can remain uncommented??).
>>Now is there any other item to configure inside radiusd.conf file? Are there further 
>>files in raddb directory it's necessary to configure to enable EAP-MD5? If yes could 
>>you report me a sample of configuration?.
> 
> 
> 
> no, there are no other files concerned as those mentioned in the FAQ.
> 
> check the following points:
> - assure that the eap-md5 module is correct and loaded during radiusd
> startup (try ldd on the module, look at the init sequence in debug mode
> of radiusd, etc.)
> - if that doesn't change anything, you could try explicitly setting
> Auth-Type := EAP in the user configuration file. that would set the
> Auth-Type independently of the authorization section. the eap module
> still should be in the authenticate section though (remove all the rest
> for test purposes)
> 
> 
> 
>>Sorry for these continuous questions, but is important for me make the system to 
>>work.
>>Thank you very much and regards,
> 
> 
> no problem.
> 
> 
> ciao
> artur
> 
> 


-- 
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker




Re: EAP-MD5 auth failure

2003-03-05 Thread Artur Hecker
you do not change the config file of the server in question?



[EMAIL PROTECTED] wrote:
hi,
in my trials this morning I was very surprised reading the log generated from radiusd -X to run the 
server. Although I configured radiusd.conf commenting every module than eap and followed Artur directives 
for "authorize" and  "authenticate", in the log appear messages indicating that even 
pap, chap, ms-chap modules are loaded and instantiated.  Maybe this is the reason my server doesn't work 
properly for my purpose, i.e. EAP-MD5 authentication.
Have you some ideas about this strange happening?
Thank you very much,
emi


hi



I followed your suggestion but I'm continuing having problems.
I configured radiusd.conf as Arthur's advice, clients.conf (I suppose correctly). In 
users file I put my user as follow:
pippo  Auth-Type := Local  User-Password == "pippo" (I must comment all other users or 
last DEFAULT entries can remain uncommented??).
Now is there any other item to configure inside radiusd.conf file? Are there further 
files in raddb directory it's necessary to configure to enable EAP-MD5? If yes could 
you report me a sample of configuration?.


no, there are no other files concerned as those mentioned in the FAQ.

check the following points:
- assure that the eap-md5 module is correct and loaded during radiusd
startup (try ldd on the module, look at the init sequence in debug mode
of radiusd, etc.)
- if that doesn't change anything, you could try explicitly setting
Auth-Type := EAP in the user configuration file. that would set the
Auth-Type independently of the authorization section. the eap module
still should be in the authenticate section though (remove all the rest
for test purposes)


Sorry for these continuous questions, but is important for me make the system to work.
Thank you very much and regards,


no problem.

ciao
artur



--
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker


Re: EAP-MD5 auth failure

2003-03-05 Thread [EMAIL PROTECTED]
Thank you very very much Joao, I hope using your files I'll be able to run my system.
This has been very kindly for you,
thanks,
emi



Emi,

I just sent you my config files for freeradius working with the 1100 Cisco 
AP. Hope this can help! :)


Joao

>From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: "freeradius-users" <[EMAIL PROTECTED]>
>Subject: Re: EAP-MD5 auth failure
>Date: Wed,  5 Mar 2003 10:54:45 +0100
>
>hi,
>in my trials this morning I was very surprised reading the log generated 
>from radiusd -X to run the server. Although I configured radiusd.conf 
>commenting every module than eap and followed Artur directives for 
>"authorize" and  "authenticate", in the log appear messages indicating 
>that even pap, chap, ms-chap modules are loaded and instantiated.  Maybe 
>this is the reason my server doesn't work properly for my purpose, i.e. 
>EAP-MD5 authentication.
>Have you some ideas about this strange happening?
>
>Thank you very much,
>emi



Re: EAP-MD5 auth failure

2003-03-05 Thread Joao Santos
Emi,

I just sent you my config files for freeradius working with the 1100 Cisco 
AP. Hope this can help! :)

Joao

From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: "freeradius-users" <[EMAIL PROTECTED]>
Subject: Re: EAP-MD5 auth failure
Date: Wed,  5 Mar 2003 10:54:45 +0100
hi,
in my trials this morning I was very surprised reading the log generated 
from radiusd -X to run the server. Although I configured radiusd.conf 
commenting every module than eap and followed Artur directives for 
"authorize" and  "authenticate", in the log appear messages indicating 
that even pap, chap, ms-chap modules are loaded and instantiated.  Maybe 
this is the reason my server doesn't work properly for my purpose, i.e. 
EAP-MD5 authentication.
Have you some ideas about this strange happening?

Thank you very much,
emi


Re: EAP-MD5 auth failure

2003-03-05 Thread [EMAIL PROTECTED]
hi,
in my trials this morning I was very surprised reading the log generated from radiusd 
-X to run the server. Although I configured radiusd.conf commenting every module than 
eap and followed Artur directives for "authorize" and  "authenticate", in the log 
appear messages indicating that even pap, chap, ms-chap modules are loaded and 
instantiated.  Maybe this is the reason my server doesn't work properly for my 
purpose, i.e. EAP-MD5 authentication.
Have you some ideas about this strange happening?

Thank you very much,
emi



hi


> I followed your suggestion but I'm continuing having problems.
> I configured radiusd.conf as Arthur's advice, clients.conf (I suppose correctly). In 
> users file I put my user as follow:
> pippo  Auth-Type := Local  User-Password == "pippo" (I must comment all other users 
> or last DEFAULT entries can remain uncommented??).
> Now is there any other item to configure inside radiusd.conf file? Are there further 
> files in raddb directory it's necessary to configure to enable EAP-MD5? If yes could 
> you report me a sample of configuration?.


no, there are no other files concerned as those mentioned in the FAQ.

check the following points:
- assure that the eap-md5 module is correct and loaded during radiusd
startup (try ldd on the module, look at the init sequence in debug mode
of radiusd, etc.)
- if that doesn't change anything, you could try explicitly setting
Auth-Type := EAP in the user configuration file. that would set the
Auth-Type independently of the authorization section. the eap module
still should be in the authenticate section though (remove all the rest
for test purposes)


> Sorry for these continuous questions, but is important for me make the system to 
> work.
> Thank you very much and regards,

no problem.


ciao
artur


-- 
Artur Hecker
artur[at]hecker.info



Re: EAP-MD5 auth failure

2003-03-04 Thread Artur Hecker
hi


> I followed your suggestion but I'm continuing having problems.
> I configured radiusd.conf as Arthur's advice, clients.conf (I suppose correctly). In 
> users file I put my user as follow:
> pippo  Auth-Type := Local  User-Password == "pippo" (I must comment all other users 
> or last DEFAULT entries can remain uncommented??).
> Now is there any other item to configure inside radiusd.conf file? Are there further 
> files in raddb directory it's necessary to configure to enable EAP-MD5? If yes could 
> you report me a sample of configuration?.


no, there are no other files concerned as those mentioned in the FAQ.

check the following points:
- assure that the eap-md5 module is correct and loaded during radiusd
startup (try ldd on the module, look at the init sequence in debug mode
of radiusd, etc.)
- if that doesn't change anything, you could try explicitly setting
Auth-Type := EAP in the user configuration file. that would set the
Auth-Type independently of the authorization section. the eap module
still should be in the authenticate section though (remove all the rest
for test purposes)


> Sorry for these continuous questions, but is important for me make the system to 
> work.
> Thank you very much and regards,

no problem.


ciao
artur


-- 
Artur Hecker
artur[at]hecker.info



Re: EAP-MD5 auth failure

2003-03-04 Thread [EMAIL PROTECTED]
I thank you very much for this important contribution. I hope this isn't a problem for 
you!
Thanks in advance, regards

Emi



Hello Emi,

I just commented out everything that wasn't needed for the EAP-MD5 
authentication in the authenticate and authorize sections (so basically I 
just left the items on the EAP-MD5 HOW-TO uncommented). The users file 
didn't pose any problems for me. I just copied an example included in the 
users user called "John Doe" and changed the username. Other than that I 
left it completely untouched.

I can not access the system right now, but if you want I can send you my 
config files tomorrow.


Regards,
João

>From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: "freeradius-users" <[EMAIL PROTECTED]>
>Subject: Re: EAP-MD5 auth failure
>Date: Tue,  4 Mar 2003 11:45:04 +0100
>
>Hello,
>I followed your suggestion but I'm continuing having problems.
>I configured radiusd.conf as Arthur's advice, clients.conf (I suppose 
>correctly). In users file I put my user as follow:
>pippo  Auth-Type := Local  User-Password == "pippo" (I must comment all 
>other users or last DEFAULT entries can remain uncommented??).
>Now is there any other item to configure inside radiusd.conf file? Are 
>there further files in raddb directory it's necessary to configure to 
>enable EAP-MD5? If yes could you report me a sample of configuration?.
>
>Sorry for these continuous questions, but is important for me make the 
>system to work.
>Thank you very much and regards,
>
>emi
>
>
>
>
>Hi!
>
>I was having exactly the same problem as you, and tried to follow Arthur's
>advice, and it worked. Some other module was probably interfering (I wasn't
>able to find out exactly which one).
>
>Still following Arthur's advice, try to create a user in the users file,
>following the examples!
>
>
>Thx Arthur! :)
>
>
>Joao Santos
>
> >From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> >Reply-To: [EMAIL PROTECTED]
> >To: "freeradius-users" <[EMAIL PROTECTED]>
> >Subject: Re: EAP-MD5 auth failure
> >Date: Mon,  3 Mar 2003 18:35:48 +0100
> >
> >my user is configured as follow:   pippo   Auth-Type := Local,
> >User-Password == pippo
> >
> >
> >i would put the eap module as the last one in authorize and as the only
> >one in the authenticate, just like in the faq. why don't you begin with
> >a _simple_ configuration and add things later? why are you using a huge
> >one with 10 modules in every section?
> >
> >and then, is your user configured properly? Auth-Type := Local?
> >
> >ciao
> >artur
>
>


Re: EAP-MD5 auth failure

2003-03-04 Thread Joao Santos
Hello Emi,

I just commented out everything that wasn't needed for the EAP-MD5 
authentication in the authenticate and authorize sections (so basically I 
just left the items on the EAP-MD5 HOW-TO uncommented). The users file 
didn't pose any problems for me. I just copied an example included in the 
users user called "John Doe" and changed the username. Other than that I 
left it completely untouched.

I can not access the system right now, but if you want I can send you my 
config files tomorrow.

Regards,
João
From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: "freeradius-users" <[EMAIL PROTECTED]>
Subject: Re: EAP-MD5 auth failure
Date: Tue,  4 Mar 2003 11:45:04 +0100
Hello,
I followed your suggestion but I'm continuing having problems.
I configured radiusd.conf as Arthur's advice, clients.conf (I suppose 
correctly). In users file I put my user as follow:
pippo  Auth-Type := Local  User-Password == "pippo" (I must comment all 
other users or last DEFAULT entries can remain uncommented??).
Now is there any other item to configure inside radiusd.conf file? Are 
there further files in raddb directory it's necessary to configure to 
enable EAP-MD5? If yes could you report me a sample of configuration?.

Sorry for these continuous questions, but is important for me make the 
system to work.
Thank you very much and regards,

emi



Hi!

I was having exactly the same problem as you, and tried to follow Arthur's
advice, and it worked. Some other module was probably interfering (I wasn't
able to find out exactly which one).
Still following Arthur's advice, try to create a user in the users file,
following the examples!
Thx Arthur! :)

Joao Santos

>From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: "freeradius-users" <[EMAIL PROTECTED]>
>Subject: Re: EAP-MD5 auth failure
>Date: Mon,  3 Mar 2003 18:35:48 +0100
>
>my user is configured as follow:   pippo   Auth-Type := Local,
>User-Password == pippo
>
>
>i would put the eap module as the last one in authorize and as the only
>one in the authenticate, just like in the faq. why don't you begin with
>a _simple_ configuration and add things later? why are you using a huge
>one with 10 modules in every section?
>
>and then, is your user configured properly? Auth-Type := Local?
>
>ciao
>artur


Re: EAP-MD5 auth failure

2003-03-04 Thread [EMAIL PROTECTED]
Hello,
I followed your suggestion but I'm continuing having problems.
I configured radiusd.conf as Arthur's advice, clients.conf (I suppose correctly). In 
users file I put my user as follow:
pippo  Auth-Type := Local  User-Password == "pippo" (I must comment all other users or 
last DEFAULT entries can remain uncommented??).
Now is there any other item to configure inside radiusd.conf file? Are there further 
files in raddb directory it's necessary to configure to enable EAP-MD5? If yes could 
you report me a sample of configuration?.

Sorry for these continuous questions, but is important for me make the system to work.
Thank you very much and regards,

emi




Hi!

I was having exactly the same problem as you, and tried to follow Arthur's 
advice, and it worked. Some other module was probably interfering (I wasn't 
able to find out exactly which one).

Still following Arthur's advice, try to create a user in the users file, 
following the examples!


Thx Arthur! :)


Joao Santos

>From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: "freeradius-users" <[EMAIL PROTECTED]>
>Subject: Re: EAP-MD5 auth failure
>Date: Mon,  3 Mar 2003 18:35:48 +0100
>
>my user is configured as follow:   pippo   Auth-Type := Local, 
>User-Password == pippo
>
>
>i would put the eap module as the last one in authorize and as the only
>one in the authenticate, just like in the faq. why don't you begin with
>a _simple_ configuration and add things later? why are you using a huge
>one with 10 modules in every section?
>
>and then, is your user configured properly? Auth-Type := Local?
>
>ciao
>artur




Re: EAP-MD5 auth failure

2003-03-03 Thread Joao Santos
Hi!

I was having exactly the same problem as you, and tried to follow Arthur's 
advice, and it worked. Some other module was probably interfering (I wasn't 
able to find out exactly which one).

Still following Arthur's advice, try to create a user in the users file, 
following the examples!

Thx Arthur! :)

Joao Santos

From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: "freeradius-users" <[EMAIL PROTECTED]>
Subject: Re: EAP-MD5 auth failure
Date: Mon,  3 Mar 2003 18:35:48 +0100
my user is configured as follow:   pippo   Auth-Type := Local, 
User-Password == pippo

i would put the eap module as the last one in authorize and as the only
one in the authenticate, just like in the faq. why don't you begin with
a _simple_ configuration and add things later? why are you using a huge
one with 10 modules in every section?
and then, is your user configured properly? Auth-Type := Local?

ciao
artur




Re: EAP-MD5 auth failure

2003-03-03 Thread [EMAIL PROTECTED]
my user is configured as follow:   pippo   Auth-Type := Local, User-Password == pippo


i would put the eap module as the last one in authorize and as the only 
one in the authenticate, just like in the faq. why don't you begin with 
a _simple_ configuration and add things later? why are you using a huge 
one with 10 modules in every section?

and then, is your user configured properly? Auth-Type := Local?

ciao
artur


[EMAIL PROTECTED] wrote:
> yes I also think there's something wrong in the configuration. I put in attach my 
> authorize/authenticate section configuration. Where do you think I'm getting wrong??
> 
> Thank you very much for your help!!
> emi
> 
> 
> 
> 
> hi
> 
> comments inline.
> 
> 
>>I'm trying to authenticate a client with EAP-MD5. I followed directives coming from 
>>the link
>> 
>>http://www.freeradius.org/doc/EAP-MD5.html,  but I have some problems. In attach is 
>>reported the output of radiusd -X. Could someone give a little look to it and help 
>>me to understand the meaning of those messages? I don't understand for example why 
>>there are message related to rlm_chap whereas rlm_eap is not mentioned.
>>
>>Thanks in advance,
>>
>>emi
> 
> 
> 
> i think that your authenticate/authorize sections are not properly 
> configured since the eap module is not involved in request processing.
> 
> check the configuration.
> 
> ciao
> artur
> 
> 
> 
> 
> 
> 
>>
>>
>>rad_recv: Access-Request packet from host 172.31.71.202:1212, id=186, length=144
>>User-Name = "pippo"
>>Cisco-AVPair = "ssid=tsunami"
>>NAS-IP-Address = 172.31.71.202
>>Called-Station-Id = "000bfd04198e"
>>Calling-Station-Id = "000b46563147"
>>NAS-Identifier = "AP1200-04198e"
>>NAS-Port = 37
>>Framed-MTU = 1400
>>NAS-Port-Type = Wireless-802.11
>>EAP-Message = "\002\002\000\n\001pippo"
>>Message-Authenticator = 0x66fe8b278590ec51c42880de858063e1
>>modcall: entering group authorize
>>  modcall[authorize]: module "preprocess" returns ok
>>rlm_chap: Could not find proper Chap-Password attribute in request
>>  modcall[authorize]: module "chap" returns noop
>>  modcall[authorize]: module "mschap" returns notfound
>>  modcall[authorize]: module "eap" returns updated
>>rlm_realm: No '@' in User-Name = "pippo", looking up realm NULL
>>rlm_realm: No such realm NULL
>>  modcall[authorize]: module "suffix" returns noop
>>users: Matched pippo at 65
>>  modcall[authorize]: module "files" returns ok
>>modcall: group authorize returns updated
>>  rad_check_password:  Found Auth-Type EAP
>>  rad_check_password:  Found Auth-Type Local
>>Warning:  Found 2 auth-types on request for user 'pippo'
>>auth: type Local
>>auth: No User-Password or CHAP-Password attribute in the request
>>auth: Failed to validate the user.
>>Delaying request 4 for 1 seconds
>>Finished request 4
>>Going to the next request
>>--- Walking the entire request list ---
>>Waking up in 1 seconds...
>>--- Walking the entire request list ---
>>Waking up in 1 seconds...
>>--- Walking the entire request list ---
>>Sending Access-Reject of id 186 to 172.31.71.202:1212
>>Waking up in 4 seconds...
>>--- Walking the entire request list ---
>>Cleaning up request 4 ID 186 with timestamp 3e63636b
>>Nothing to do.  Sleeping until we see a request.
> 
> 
> 
> 
> 
> 
> modules {...
> # Extensible Authentication Protocol
>   #
>   #  For all EAP related authentications 
>   eap {
>   # Invoke the default supported EAP type when
>   # EAP-Identity response is received
>   #   default_eap_type = md5
> 
>   # Default expiry time to clean the EAP list,
>   # It is maintained to co-relate the
>   # EAP-response for each EAP-request sent.
>   #   timer_expire = 60
> 
>   # Supported EAP-types
> 
>   default_eap_type=md5
> md5 {
>   }
> 
> 
> authorize {
>   #
>   #  The preprocess module takes care of sanitizing some bizarre
>   #  attributes in the request, and turning them into attributes
>   #  which are more standard.
>   #
>   #  It takes care of processing the 'raddb/hints' and the
>   #  'raddb/huntgroups' files.
>   #
>   #  It also adds a Client-IP-Address attribute to the request.
>   preprocess
>   
>   #
>   #  The chap module will set 'Auth-Type := CHAP' if we are
>   #  handling a CHAP request and Auth-Type has not already been set
>   chap
> 
>   #
>   #  If the users are logging in with an MS-CHAP-Challenge
>   #  attribute for authentication, the mschap module will find
>   #  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
>   #  to the request, which will cause the server 

Re: EAP-MD5 auth failure

2003-03-03 Thread Artur Hecker
i would put the eap module as the last one in authorize and as the only 
one in the authenticate, just like in the faq. why don't you begin with 
a _simple_ configuration and add things later? why are you using a huge 
one with 10 modules in every section?

and then, is your user configured properly? Auth-Type := Local?

ciao
artur
[EMAIL PROTECTED] wrote:
yes I also think there's something wrong in the configuration. I put in attach my authorize/authenticate section configuration. Where do you think I'm getting wrong??

Thank you very much for your help!!
emi


hi

comments inline.


I'm trying to authenticate a client with EAP-MD5. I followed directives coming from the link

http://www.freeradius.org/doc/EAP-MD5.html,  but I have some problems. In attach is reported the output of radiusd -X. Could someone give a little look to it and help me to understand the meaning of those messages? I don't understand for example why there are message related to rlm_chap whereas rlm_eap is not mentioned.

Thanks in advance,

emi


i think that your authenticate/authorize sections are not properly 
configured since the eap module is not involved in request processing.

check the configuration.

ciao
artur







rad_recv: Access-Request packet from host 172.31.71.202:1212, id=186, length=144
   User-Name = "pippo"
   Cisco-AVPair = "ssid=tsunami"
   NAS-IP-Address = 172.31.71.202
   Called-Station-Id = "000bfd04198e"
   Calling-Station-Id = "000b46563147"
   NAS-Identifier = "AP1200-04198e"
   NAS-Port = 37
   Framed-MTU = 1400
   NAS-Port-Type = Wireless-802.11
   EAP-Message = "\002\002\000\n\001pippo"
   Message-Authenticator = 0x66fe8b278590ec51c42880de858063e1
modcall: entering group authorize
 modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
 modcall[authorize]: module "chap" returns noop
 modcall[authorize]: module "mschap" returns notfound
 modcall[authorize]: module "eap" returns updated
   rlm_realm: No '@' in User-Name = "pippo", looking up realm NULL
   rlm_realm: No such realm NULL
 modcall[authorize]: module "suffix" returns noop
   users: Matched pippo at 65
 modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
 rad_check_password:  Found Auth-Type EAP
 rad_check_password:  Found Auth-Type Local
Warning:  Found 2 auth-types on request for user 'pippo'
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 186 to 172.31.71.202:1212
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 186 with timestamp 3e63636b
Nothing to do.  Sleeping until we see a request.






modules {...
# Extensible Authentication Protocol
	#
	#  For all EAP related authentications 
	eap {
		# Invoke the default supported EAP type when
		# EAP-Identity response is received
		#	default_eap_type = md5

# Default expiry time to clean the EAP list,
# It is maintained to co-relate the
# EAP-response for each EAP-request sent.
#   timer_expire = 60
		# Supported EAP-types

default_eap_type=md5
md5 {
}
authorize {
#
#  The preprocess module takes care of sanitizing some bizarre
#  attributes in the request, and turning them into attributes
#  which are more standard.
#
#  It takes care of processing the 'raddb/hints' and the
#  'raddb/huntgroups' files.
#
#  It also adds a Client-IP-Address attribute to the request.
preprocess

#
#  The chap module will set 'Auth-Type := CHAP' if we are
#  handling a CHAP request and Auth-Type has not already been set
chap
#
#  If the users are logging in with an MS-CHAP-Challenge
#  attribute for authentication, the mschap module will find
#  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
#  to the request, which will cause the server to then use
#  the mschap module for authentication.
mschap
counter
attr_filter
	eap

suffix
files
etc_smbpasswd
# The ldap module will set Auth-Type to LDAP if it has not already been set
	ldap
}
   

authenticate {
  #
#  PAP authentication, when a back-end database listed
#  in the 'authorize' section supplies a password.  The
 

Re: EAP-MD5 auth failure

2003-03-03 Thread [EMAIL PROTECTED]
yes I also think there's something wrong in the configuration. I put in attach my 
authorize/authenticate section configuration. Where do you think I'm getting wrong??

Thank you very much for your help!!
emi




hi

comments inline.

> I'm trying to authenticate a client with EAP-MD5. I followed directives coming from 
> the link
>  
> http://www.freeradius.org/doc/EAP-MD5.html,  but I have some problems. In attach is 
> reported the output of radiusd -X. Could someone give a little look to it and help 
> me to understand the meaning of those messages? I don't understand for example why 
> there are message related to rlm_chap whereas rlm_eap is not mentioned.
> 
> Thanks in advance,
> 
> emi


i think that your authenticate/authorize sections are not properly 
configured since the eap module is not involved in request processing.

check the configuration.

ciao
artur





> 
> 
> 
> rad_recv: Access-Request packet from host 172.31.71.202:1212, id=186, length=144
> User-Name = "pippo"
> Cisco-AVPair = "ssid=tsunami"
> NAS-IP-Address = 172.31.71.202
> Called-Station-Id = "000bfd04198e"
> Calling-Station-Id = "000b46563147"
> NAS-Identifier = "AP1200-04198e"
> NAS-Port = 37
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> EAP-Message = "\002\002\000\n\001pippo"
> Message-Authenticator = 0x66fe8b278590ec51c42880de858063e1
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
> rlm_chap: Could not find proper Chap-Password attribute in request
>   modcall[authorize]: module "chap" returns noop
>   modcall[authorize]: module "mschap" returns notfound
>   modcall[authorize]: module "eap" returns updated
> rlm_realm: No '@' in User-Name = "pippo", looking up realm NULL
> rlm_realm: No such realm NULL
>   modcall[authorize]: module "suffix" returns noop
> users: Matched pippo at 65
>   modcall[authorize]: module "files" returns ok
> modcall: group authorize returns updated
>   rad_check_password:  Found Auth-Type EAP
>   rad_check_password:  Found Auth-Type Local
> Warning:  Found 2 auth-types on request for user 'pippo'
> auth: type Local
> auth: No User-Password or CHAP-Password attribute in the request
> auth: Failed to validate the user.
> Delaying request 4 for 1 seconds
> Finished request 4
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 186 to 172.31.71.202:1212
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 4 ID 186 with timestamp 3e63636b
> Nothing to do.  Sleeping until we see a request.


-- 
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker


modules {...
# Extensible Authentication Protocol
#
#  For all EAP related authentications 
eap {
# Invoke the default supported EAP type when
# EAP-Identity response is received
#   default_eap_type = md5

# Default expiry time to clean the EAP list,
# It is maintained to co-relate the
# EAP-response for each EAP-request sent.
#   timer_expire = 60

# Supported EAP-types

default_eap_type=md5
md5 {
}


authorize {
#
#  The preprocess module takes care of sanitizing some bizarre
#  attributes in the request, and turning them into attributes
#  which are more standard.
#
#  It takes care of processing the 'raddb/hints' and the
#  'raddb/huntgroups' files.
#
#  It also adds a Client-IP-Address attribute to the request.
preprocess

#
#  The chap module will set 'Auth-Type := CHAP' if we are
#  handling a CHAP request and Auth-Type has not already been set
chap

#
#  If the users are logging in with an MS-CHAP-Challenge
#  attribute for authentication, the mschap module will find
#  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
#  to the request, which will cause the server to then use
#  the mschap module for authentication.
mschap

counter
attr_filter

eap

suffix
files
etc_smbpasswd


# The ldap module will set Auth-Type to LDAP if it has not already been set
ldap
}
   


authenticate {
  #
#  PAP authentication, when a back-end database listed
#  in the 'authorize' section supplies a password.  The
   

Re: EAP-MD5 auth failure

2003-03-03 Thread Artur Hecker
hi

comments inline.

I'm trying to authenticate a client with EAP-MD5. I followed directives coming from the link
 
http://www.freeradius.org/doc/EAP-MD5.html,  but I have some problems. In attach is reported the output of radiusd -X. Could someone give a little look to it and help me to understand the meaning of those messages? I don't understand for example why there are message related to rlm_chap whereas rlm_eap is not mentioned.

Thanks in advance,

emi


i think that your authenticate/authorize sections are not properly 
configured since the eap module is not involved in request processing.

check the configuration.

ciao
artur






rad_recv: Access-Request packet from host 172.31.71.202:1212, id=186, length=144
User-Name = "pippo"
Cisco-AVPair = "ssid=tsunami"
NAS-IP-Address = 172.31.71.202
Called-Station-Id = "000bfd04198e"
Calling-Station-Id = "000b46563147"
NAS-Identifier = "AP1200-04198e"
NAS-Port = 37
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = "\002\002\000\n\001pippo"
Message-Authenticator = 0x66fe8b278590ec51c42880de858063e1
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module "chap" returns noop
  modcall[authorize]: module "mschap" returns notfound
  modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "pippo", looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
users: Matched pippo at 65
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
  rad_check_password:  Found Auth-Type Local
Warning:  Found 2 auth-types on request for user 'pippo'
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 186 to 172.31.71.202:1212
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 186 with timestamp 3e63636b
Nothing to do.  Sleeping until we see a request.


--
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker
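
The failure in the trace above (Auth-Type EAP and Auth-Type Local both set on one request, Local chosen, Access-Reject sent) can be flagged mechanically. The following is an added example, not part of the original posts or of FreeRADIUS: it parses radiusd -X output in the format quoted in this thread and reports EAP requests that were not handled by the eap module. The function and field names are hypothetical.

```python
import re

# Debug output taken from the two radiusd -X traces quoted in this thread
# (quote markers removed, attribute and idle-loop lines trimmed).
FAILING = r'''rad_recv: Access-Request packet from host 172.31.71.202:1212, id=186, length=144
User-Name = "pippo"
EAP-Message = "\002\002\000\n\001pippo"
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "chap" returns noop
  modcall[authorize]: module "mschap" returns notfound
  modcall[authorize]: module "eap" returns updated
  modcall[authorize]: module "suffix" returns noop
  modcall[authorize]: module "files" returns ok
  rad_check_password:  Found Auth-Type EAP
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
Sending Access-Reject of id 186 to 172.31.71.202:1212
'''
WORKING = r'''rad_recv: Access-Request packet from host 192.168.91.102:192, id=1, length=110
User-Name = "bob"
EAP-Message = "\002\001\000\010\001bob"
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "files" returns ok
  modcall[authorize]: module "eap" returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  rlm_eap: processing type md5
  modcall[authenticate]: module "eap" returns ok
Sending Access-Challenge of id 1 to 192.168.91.102:192
'''

MODCALL = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+)')
FOUND = re.compile(r"Found Auth-Type (\S+)")
CHOSEN = re.compile(r'^auth: type "?([\w-]+)"?', re.M)
REPLY = re.compile(r"Sending (Access-\w+)")
USER = re.compile(r'User-Name = "([^"]*)"')


def _first(pattern, text):
    """Return group 1 of the first match, or None."""
    match = pattern.search(text)
    return match.group(1) if match else None


def analyse(log):
    """Return one report per request found in a radiusd -X debug log."""
    reports = []
    for chunk in re.split(r"(?m)^(?=rad_recv:)", log):
        if not chunk.startswith("rad_recv:"):
            continue
        calls = MODCALL.findall(chunk)
        authorize = [mod for section, mod, _ in calls if section == "authorize"]
        authenticate = [mod for section, mod, _ in calls if section == "authenticate"]
        found = FOUND.findall(chunk)
        chosen = _first(CHOSEN, chunk)
        findings = []
        if "EAP-Message =" in chunk:  # the checks below only apply to EAP requests
            if len({name.lower() for name in found}) > 1:
                findings.append("conflicting Auth-Type values: " + ", ".join(found))
            if chosen and chosen.lower() != "eap":
                findings.append("EAP request authenticated as Auth-Type " + chosen)
            if "eap" in authorize and authorize[-1] != "eap":
                later = authorize[authorize.index("eap") + 1:]
                findings.append("modules after eap in authorize: " + ", ".join(later))
            if "eap" not in authenticate:
                findings.append("eap module never ran in authenticate")
        reports.append({"user": _first(USER, chunk), "authorize": authorize,
                        "found": found, "chosen": chosen,
                        "reply": _first(REPLY, chunk), "findings": findings})
    return reports


if __name__ == "__main__":
    for report in analyse(FAILING + WORKING):
        print(report["user"], report["reply"], report["findings"])
```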


Re: EAP/MD5 in Windows XP Problem..

2002-12-03 Thread Artur Hecker

hi

> from the beginning again not worked. I am in trouble, I guess we need an
> update for the FAQ!!

that's definitely true anyway...

see later.


> **rad_recv:
> Access-Request packet from host 192.168.91.102:192, id=1, length=110
>  User-Name = "bob"
>  NAS-IP-Address = 192.168.91.102
>  Called-Station-Id = "00022d034186"
>  Calling-Station-Id = "00022d176e31"
>  NAS-Identifier = "Orinoco 2"
>  NAS-Port-Type = Wireless-802.11
>  Framed-MTU = 1400
>  EAP-Message = "\002\001\000\010\001bob"
>  Message-Authenticator = 0x5e92e3b76a8cdda96c86e7f5a0759f5f
> modcall: entering group authorize
>modcall[authorize]: module "preprocess" returns ok
>  users: Matched bob at 2
>modcall[authorize]: module "files" returns ok
>modcall[authorize]: module "eap" returns updated
> modcall: group authorize returns updated
>rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate
> rlm_eap: processing type md5
> rlm_eap_md5: Issuing Challenge
>modcall[authenticate]: module "eap" returns ok
> modcall: group authenticate returns ok
> Login OK: [bob/] (from client AP102 port 0 cli
> 00022d176e31)
> Sending Access-Challenge of id 1 to 192.168.91.102:192
>  EAP-Message =
> "\001\002\000\026\004\020\352\214\347=\276$Cu\372O9\324\232R\341\267"
>  Message-Authenticator = 0x
>  State =
> 0xe70a7e23ec5636d88fdcd2041a5c50ad5de1ec3d7d399bf7817221bdb074a18416ece725
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 1 with timestamp 3dece15d
> Nothing to do.  Sleeping until we see a request.


that's all? where is the next request of your XP i.e. the response to
the challenge? find out what is happening to it. does XP say something?
can you provide some eap logs of your orinoco AP (if it can do that...)
otherwise try to sniff at the wireless interface (ethereal), what's
going on there?

strange problem.


ciao
artur


-- 
Artur Hecker
artur[at]hecker.info
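
The two EAP-Message values in the debug output quoted above can be decoded to see how far the exchange got. This is an added example, not part of the original thread or of FreeRADIUS; the function names are hypothetical, and it assumes the debug format shown above (printable bytes printed literally, other bytes as `\ooo` octal, or a `0x` hex string).

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge"}

# The two EAP-Message values exactly as printed in the quoted debug output.
IDENTITY_RESPONSE = r'"\002\001\000\010\001bob"'
MD5_CHALLENGE = r'"\001\002\000\026\004\020\352\214\347=\276$Cu\372O9\324\232R\341\267"'

_OCTAL = re.compile(r"\\([0-3][0-7]{2})")


def debug_value_to_bytes(text):
    """Turn an attribute value as printed in the debug log into raw bytes.

    Accepts a 0x hex string or a double-quoted string with \\ooo escapes.
    """
    text = text.strip()
    if text.startswith("0x"):
        return bytes.fromhex(text[2:])
    if len(text) >= 2 and text[0] == text[-1] == '"':
        text = text[1:-1]
    out = bytearray()
    pos = 0
    while pos < len(text):
        match = _OCTAL.match(text, pos)
        if match:
            out.append(int(match.group(1), 8))
            pos = match.end()
        else:
            # Printable byte that the server printed as-is.
            out += text[pos].encode("latin-1")
            pos += 1
    return bytes(out)


def parse_eap(packet):
    """Parse the EAP header and, for MD5-Challenge, the Value-Size/Value/Name body."""
    if len(packet) < 4:
        raise ValueError("an EAP packet has a 4-byte header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError(
            f"EAP Length {length} does not fit the {len(packet)} bytes present"
        )
    fields = {
        "code": EAP_CODES.get(code, f"unknown({code})"),
        "id": identifier,
        "length": length,
    }
    body = packet[4:length]
    if code in (1, 2) and body:  # only Request/Response carry a Type
        eap_type, data = body[0], body[1:]
        fields["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
        if eap_type == 4:
            if not data or data[0] > len(data) - 1:
                raise ValueError("MD5-Challenge Value-Size exceeds the packet")
            size = data[0]
            fields["value"] = data[1:1 + size].hex()
            fields["name"] = data[1 + size:]
        else:
            fields["data"] = data
    return fields


if __name__ == "__main__":
    for label, printed in (("from NAS", IDENTITY_RESPONSE), ("to NAS", MD5_CHALLENGE)):
        print(label, parse_eap(debug_value_to_bytes(printed)))
```

Decoded, the log shows an Identity response with id 1 answered by an MD5-Challenge request with id 2 and a 16-byte challenge, so the packet missing from the trace is the supplicant's MD5-Challenge response carrying id 2.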




Re: EAP/MD5 in Windows XP Problem..

2002-12-03 Thread Tamer Demir
Hi Artur,

I have read and done what the EAP/MD5 FAQ says but unfortunately it did not
work. Next I tried all other combinations, again it did not work. So I started
from the beginning, again it did not work. I am in trouble, I guess we need an
update for the FAQ!!


Below are the simplified users, radius.conf and "radiusd -X" output file

Regards,
Tamer


Users File:
*\
[root@radius raddb]# cat users
#
bob Auth-Type := Local, User-Password = "hello"

DEFAULT Auth-Type := System
Fall-Through = 1

DEFAULT Service-Type == Framed-User
Framed-IP-Address = 255.255.255.254,
Framed-MTU = 576,
Service-Type = Framed-User,
Fall-Through = Yes

DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
Framed-Protocol = SLIP

# On no match, the user is denied access.
*

Radius.conf file:

[root@radius raddb]# cat radiusd.conf
#   request.  See 'doc/variables.txt' for more information.

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd

log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
#user = nobody
#group = nobody
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions= yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
$INCLUDE  ${confdir}/snmp.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
pap {
encryption_scheme = crypt
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
cache = no
cache_reload = 600
radwtmp = ${logdir}/radwtmp
}
eap {
#   default_eap_type = md5
#   timer_expire = 60
md5 {
}
}
mschap {
authtype = MS-CHAP
}
ldap {
basedn = "o=My Org,c=UA"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
start_tls = no
tls_mode = no
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
}
realm suffix {
format = suffix
delimiter = "@"
}
realm realmslash {
format = prefix
delimiter = "/"
}
realm realmpercent {
format = suffix
delimiter = "%"
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
compat = no
}
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, 
Client-IP-Address, NAS-Port-Id"
}
$INCLUDE  ${confdir}/sql.conf
radutmp {
filename = ${logdir}/radutmp
perm = 0600
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = ${co

Re: EAP/MD5 in Windows XP Problem..

2002-12-02 Thread Artur Hecker
hi tamer

read the EAP/MD5 FAQ.

the solution: get rid of the Reply-Message included by xlat in the
Challenge.


and by the way what's all this mess with the Framed-MTU?

greetings
artur




Tamer Demir wrote:
> 
> After the radius server sends the challenge, XP does not send a response and
> stays in the authentication state. Do you know any solution?
> 
> I am doing both MAC address and user authentication, The Windows XP asks a
> user name and password when I wrote this, XP is stuck at authenticating
> state! (In the XP options I chose MD5 challenge...)
> 
> Config files:
> 
> users:
> **
> #my user
> tamer   Auth-Type := EAP, User-Password = "demir"
>  Service-Type = Framed-User,
>  Framed-Protocol = PPP,
>  Framed-Routing = Broadcast-Listen,
>  Framed-MTU = 1750,
>  Framed-Compression = Van-Jacobsen-TCP-IP
> 
> #Orinoco Card Cisca
> 00022d-034186   Auth-Type := Local, User-Password == "secret"
>  Service-Type = Framed-User,
>  Framed-Protocol = PPP,
>  Framed-Routing = Broadcast-Listen,
>  Framed-MTU = 1500,
>  Framed-Compression = Van-Jacobsen-TCP-IP
> **
> 
> radius.conf:
> **
> user = root
> group = root
> modules {
>unix {
>  cache = yes
>  cache_reload = 600
>  passwd = /etc/passwd
>  shadow = /etc/shadow
>  group = /etc/group
>  radwtmp = ${logdir}/radwtmp
>  }
>   eap {
>  #default_eap_type = md5
>  # Supported EAP-types
>  md5 {
>  }
> ..
> }
> authorize {
> eap
> preprocess
> files
> suffix
> }
> authenticate {
>  eap
>  unix
> }
> accounting {
>  detail
>  unix
>  radutmp
> 
> }
> session {
>  radutmp
> }
> **
> 
> Output:
> 
> *
> Starting - reading configuration files ...
> reread_config:  reading radiusd.conf
> Config:   including file: /usr/local/etc/raddb/proxy.conf
> Config:   including file: /usr/local/etc/raddb/clients.conf
> Config:   including file: /usr/local/etc/raddb/snmp.conf
> Config:   including file: /usr/local/etc/raddb/sql.conf
>   main: prefix = "/usr/local"
>   main: localstatedir = "/usr/local/var"
>   main: logdir = "/usr/local/var/log/radius"
>   main: libdir = "/usr/local/lib"
>   main: radacctdir = "/usr/local/var/log/radius/radacct"
>   main: hostname_lookups = no
>   main: max_request_time = 30
>   main: cleanup_delay = 5
>   main: max_requests = 1024
>   main: delete_blocked_requests = 0
>   main: port = 0
>   main: allow_core_dumps = no
>   main: log_stripped_names = yes
>   main: log_file = "/usr/local/var/log/radius/radius.log"
>   main: log_auth = yes
>   main: log_auth_badpass = yes
>   main: log_auth_goodpass = yes
>   main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
>   main: user = "root"
>   main: group = "root"
>   main: usercollide = no
>   main: lower_user = "no"
>   main: lower_pass = "no"
>   main: nospace_user = "no"
>   main: nospace_pass = "no"
>   main: checkrad = "/usr/local/sbin/checkrad"
>   main: proxy_requests = yes
>   proxy: retry_delay = 5
>   proxy: retry_count = 3
>   proxy: synchronous = no
>   proxy: default_fallback = yes
>   proxy: dead_time = 120
>   proxy: servers_per_realm = 15
>   security: max_attributes = 200
>   security: reject_delay = 1
>   security: status_server = no
>   main: debug_level = 0
> read_config_files:  reading dictionary
> read_config_files:  reading naslist
> read_config_files:  reading clients
> read_config_files:  reading realms
> radiusd:  entering modules setup
> Module: Library search path is /usr/local/lib
> Module: Loaded eap
>   eap: default_eap_type = "md5"
>   eap: timer_expire = 60
> rlm_eap: Loaded and initialized the type md5
> Module: Instantiated eap (eap)
> Module: Loaded preprocess
>   preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
>   preprocess: hints = "/usr/local/etc/raddb/hints"
>   preprocess: with_ascend_hack = no
>   preprocess: ascend_channels_per_line = 23
>   preprocess: with_ntdomain_hack = no
>   preprocess: with_specialix_jetstream_hack = no
>   preprocess: with_cisco_vsa_hack = no
> Module: Instantiated preprocess (preprocess)
> Module: Loaded files
>   files: usersfile = "/usr/local/etc/raddb/users"
>   files: acctusersfile = "/usr/local/etc/raddb/acct_users"
>   files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
>   files: compat = "no"
> [/usr/local/etc/raddb/users]:90 WARNING! Changing 'User-Password =' to
> 'User-Password ==' ?for comparing RADIUS attribute in check item list for
> user tamer
> Module: Instantiated files (files)
> Module: Loaded realm
>   realm: format = "suffix"
>   realm: delimiter = "@"
> Module: Instantiated realm (suf

Re: EAP-MD5. Problems with XP Client

2002-10-15 Thread Artur Hecker

hi

> I didn't realize about the problem because I am using authentication with an
> ethernet card and a Switch as Authenticator.
> 
> Indeed, MD5 disappears with XP SP1 in Wireless cards, but not in Ethernet ones.

it's bizarre, even if i perfectly understand why md5 is not good enough. 
md5 is defined in the basic EAP rfc as a must, so actually, if eap/md5 
is not available, the XP SP1 is not compliant with the RFC, right? :)

and even if it is hardly sufficient, etc., it's still a feature more... 
in the same manner one could decide not to use WEP because it's 
completely broken.

> Probably Microsoft wants to promote his authentication protocols. (You have to use
> MS-CHAP over PEAP instead of MD5).
> Another reason probably is that with EAP-MD5 you can't use the rekeying
> functionality, so they force you to use PEAP that always uses TLS as Tunneling
> protocol, any derive then ciphersuit password to implement Rekeying.

probably, and of course, it gives you mutual auth...

but still : i couldn't verify your error... i have to look for the old 
log files, but i don't believe i still have them. and the department 
here doesn't have any old xp anymore...


ciao

artur


-- 
Artur Hecker                Groupe Accès et Mobilité
hecker[at]enst[dot]fr       Département Informatique et Réseaux
+33 1 45 81 7507            46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr   ENST Paris





Re: EAP-MD5. Problems with XP Client

2002-10-15 Thread Fernandez, Jorge






Arthur,

I didn't realize about the problem because I am using authentication with an ethernet card and a Switch as Authenticator.

Indeed, MD5 disappears with XP SP1 in Wireless cards, but not in Ethernet ones.

Probably Microsoft wants to promote his authentication protocols. (You have to use MS-CHAP over PEAP instead of MD5). Another reason probably is that with EAP-MD5 you can't use the rekeying functionality, so they force you to use PEAP that always uses TLS as Tunneling protocol, any derive then ciphersuit password to implement Rekeying.

Regards
Jorge.

-

Hi Jorge

I'm sorry, i wanted to test out what you wrote about two weeks ago because i finally found some time.

> First of all, c1 and c2 are two consecutive Hex numbers. I got them
> for the ID field in the EAP message.
> I have captured the traffic between the AP and the XP client and I
> think (never 100% sure) that the NAS is working right  because
> it has copied exactly the EAP packet from Radius extension to
> EAPOL message.
>
> The NAS also maintain the EAP-ID field, so the id number is
> different in the EAP-Success message.

Well, as I said, I wanted to see what happens in my case and to my great surprise, I couldn't find EAP/MD5 in my XP anymore - after the installation of SP1 for XP it seems to have disappeared. I have PEAP and TLS now, PEAP seems to be some MS system, based upon MSCHAPv2 and providing certificates and mutual auth support...

Does anyone have some ideas on that?

So, Jorge, i can't test it for the moment...

Ciao
artur

-- 
Artur Hecker                Groupe Accès et Mobilité
hecker[at]enst[dot]fr       Département Informatique et Réseaux
+33 1 45 81 7507            46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr   ENST Paris











 








Re: EAP-MD5. Problems with XP Client

2002-10-14 Thread Artur Hecker


Hi Jorge

I'm sorry, i wanted to test out what you wrote about two weeks ago 
because i finally found some time.


> First of all, c1 and c2 are two consecutive Hex numbers. I got them 
 > for the ID field in the EAP message.
> I have captured the traffic between the AP and the XP client and I 
 > think (never 100% sure) that the NAS is working right  because
 > it has copied exactly the EAP packet from Radius extension to
 > EAPOL message.
> 
> The NAS also maintain the EAP-ID field, so the id number is 
 > different in the EAP-Success message.

Well, as I said, I wanted to see what happens in my case and to my great 
surprise, I couldn't find EAP/MD5 in my XP anymore - after the 
installation of SP1 for XP it seems to have disappeared. I have PEAP and 
TLS now, PEAP seems to be some MS system, based upon MSCHAPv2 and 
providing certificates and mutual auth support...

Does anyone have some ideas on that?


So, Jorge, i can't test it for the moment...


Ciao
artur



-- 
Artur Hecker                Groupe Accès et Mobilité
hecker[at]enst[dot]fr       Département Informatique et Réseaux
+33 1 45 81 7507            46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr   ENST Paris





Re: EAP-MD5 Accounting Question

2002-10-14 Thread Kostas Kalevras

On Mon, 14 Oct 2002, Yang,Yung-Chi wrote:

> Dear All:
>
> I have a question about EAP-MD5 accounting.
> I have already setup my radius server (Freeradius0.7.1).
> I use EAP-MD5 authentication method, and it works.
> But i can't see any accounting report in my server.
> For instance, /usr/local/var/log/radius/radacct/.. .
> I want to do accounting with EAP-MD5 authentication method.
> Do somebody know how to solve this problem.

If you have configured your nas to do accounting the authentication method is
irrelevant. Fix your accounting configuration on the nas.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf





Re: EAP-MD5. Problems with XP Client

2002-10-08 Thread Fernandez, Jorge






Hi Arthur,

First of all, c1 and c2 are two consecutive Hex numbers. I got them for the ID field in the EAP message.
I have captured the traffic between the AP and the XP client and I think (never 100% sure) that the NAS is working right  because it has copied exactly the EAP packet from Radius extension to EAPOL message.
The NAS also maintain the EAP-ID field, so the id number is different in the EAP-Success message.

Jorge

--

hi

> I am not sure, but I think that is a problem with the EAP Id field in
> the EAP-Success frame. Here you have a resume of the conversation
> writing into parenthesis the eap id.
>
> NAS RADIUS
> --> RAD-Req/EAP-Resp(id=1) >
> <-- RAD-Chall/EAP-Req (id=c1) <
> --> RAD-Req/EAP-Resp (id=c1) -->
> <-- RAD-Acept/EAP-Success (id=c2)-->
>
> I have checked with other radius servers and the conversation is as
> follows.
>
> NAS     RADIUS
> --> RAD-Req/EAP-Resp(id=1) >
> <-- RAD-Chall/EAP-Req (id=c1) <
> --> RAD-Req/EAP-Resp (id=c1) -->
> <-- RAD-Acept/EAP-Success (id=c1)-->

i know what you want to say, i.e. i see these c1 and c2 differences,
but where have you got it from? what is this c1, c2 stuff anyway? just
two different variables? can you point out exactly these differences in
the server log or is it impossible to see? can you see it when sniffing
the traffic between server and client?

> PS. I don't know if it is necessary, but here there is a copy of
> ./radiusd -X log. Regards.

server-log looks very good and if i understand what you are saying, we
could even conclude that the radius part works out great, right? the NAS
opens the port on the receive of the RADIUS Access-Accept packet.

so, you say the included EAP message is kind of wrong. can you see the
logs of your AP or sniff the traffic between the supplicant and the
client?

ciao
artur

-- 
Artur Hecker
artur[at]hecker.info

 








Re: EAP-MD5. Problems with XP Client

2002-10-08 Thread Artur Hecker

hi

> I am not sure, but I think that is a problem with the EAP Id field in
> the EAP-Success frame. Here you have a resume of the conversation
> writing into parenthesis the eap id.
> 
> NAS RADIUS
> --> RAD-Req/EAP-Resp(id=1) >
> <-- RAD-Chall/EAP-Req (id=c1) <
> --> RAD-Req/EAP-Resp (id=c1) -->
> <-- RAD-Acept/EAP-Success (id=c2)-->
> 
> I have checked with other radius servers and the conversation is as
> follows.
> 
> NAS RADIUS
> --> RAD-Req/EAP-Resp(id=1) >
> <-- RAD-Chall/EAP-Req (id=c1) <
> --> RAD-Req/EAP-Resp (id=c1) -->
> <-- RAD-Acept/EAP-Success (id=c1)-->

i know what you want to say, i.e. i see these c1 and c2 differences,
but where have you got it from? what is this c1, c2 stuff anyway? just
two different variables? can you point out exactly these differences in
the server log or is it impossible to see? can you see it when sniffing
the traffic between server and client?


> PS. I don't know if it is necessary, but here there is a copy of
> ./radiusd -X log. Regards.

server-log looks very good and if i understand what you are saying, we
could even conclude that the radius part works out great, right? the NAS
opens the port on the receive of the RADIUS Access-Accept packet.

so, you say the included EAP message is kind of wrong. can you see the
logs of your AP or sniff the traffic between the supplicant and the
client?


ciao
artur

-- 
Artur Hecker
artur[at]hecker.info




Re: EAP-MD5 fails to authenticate users

2002-09-20 Thread Alan DeKok

"Fernandez, Jorge" <[EMAIL PROTECTED]> wrote:
> Is possible to change the State attribute max length in freeradius?
> (I know is a workaround to solve the problem temporally)

  Sure.  Edit the source code, and submit a patch to the list.

  Alan DeKok.




Re: EAP-MD5 fails to authenticate users

2002-09-20 Thread Artur Hecker

hi jorge


it's definitely possible to change the maximum length of the State
attribute by changing the provided source code. however, i have no idea
on how to do it exactly.

perhaps Alan could help. or you could try to take a look yourself, it
can't be difficult.


ciao
artur



-- 
_
Artur Hecker                Groupe Accès et Mobilité
hecker[at]enst[dot]fr       Département Informatique et Réseaux
+33 1 45 81 7507            46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr   ENST Paris




Re: EAP-MD5 fails to authenticate users

2002-09-19 Thread Alan DeKok

Artur Hecker <[EMAIL PROTECTED]> wrote:
> take a look at the state attributes. your NAS is truncating the State
> attribute which was issued by Radius to 64 hexadecimal characters, i.e.
> 256bit (64*4):
> 
> issued:
> 0x6d2728c26e0a5e55a7067440895cbafc619d893d72e45a66b2612d2defb73fafc8b0590f
> 
> received:
> 0x6d2728c26e0a5e55a7067440895cbafc619d893d72e45a66b2612d2defb73faf

  The software on your NAS must have been written by the same people
who wrote the Merit RADIUS server.

> i have no idea if this behaviour is RFC-correct or not. the problem
> doesn't or didn't occur with other radius servers, probably because
> their state attributes are always/were by chance shorter.

  Mangling the State attribute is explicitly prohibited by the RFC's.

> Raghu, Alan, what do you think? are the state attributes too long or is
> the NAS firmware broken?

  I wouldn't object to making the State attribute shorter, but the NAS
is definitely broken.

> Jorge: you can try to take a look in the radius RFC if you can find a
> limitation for the state attribute...

  http://www.freeradius.org/rfc/attributes.html

  and click on 'State'.

  Alan DeKok.
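
The State truncation discussed in this message can be spotted mechanically in a debug log by comparing each State the server issues with the one the NAS sends back. This is an added example, not part of the original thread or of FreeRADIUS; the function name, the addresses and the packet ids in the sample are constructed, only the two State values are the ones quoted above, and the check assumes a single-session debug run where each State value is printed on one line.

```python
import re

# Constructed sample log; the two State values are those quoted in the thread.
SAMPLE_DEBUG_LOG = """\
Sending Access-Challenge of id 186 to 192.0.2.10:1812
\tState = 0x6d2728c26e0a5e55a7067440895cbafc619d893d72e45a66b2612d2defb73fafc8b0590f
rad_recv: Access-Request packet from host 192.0.2.10:1812, id=187, length=160
\tUser-Name = "luis"
\tState = 0x6d2728c26e0a5e55a7067440895cbafc619d893d72e45a66b2612d2defb73faf
"""

SENT = re.compile(r"^Sending Access-[A-Za-z]+ of id \d+")
RECEIVED = re.compile(r"^rad_recv:")
STATE = re.compile(r"^\s*State\s*=\s*0x([0-9a-fA-F]+)\s*$")


def check_state_echo(lines):
    """Pair each State sent by the server with the next State received.

    Returns one finding per pair with a verdict of 'echoed', 'truncated'
    (received value is a shorter prefix of the issued one) or 'mismatch'.
    """
    findings = []
    direction = None   # 'sent' or 'received', set by the last packet header seen
    issued = None      # most recent State the server issued, still unanswered
    for line in lines:
        if SENT.match(line):
            direction = "sent"
            continue
        if RECEIVED.match(line):
            direction = "received"
            continue
        match = STATE.match(line)
        if not match or len(match.group(1)) % 2:
            continue   # not a State line, or hex that is not whole bytes
        value = bytes.fromhex(match.group(1))
        if direction == "sent":
            issued = value
        elif direction == "received" and issued is not None:
            if value == issued:
                verdict = "echoed"
            elif len(value) < len(issued) and issued.startswith(value):
                verdict = "truncated"
            else:
                verdict = "mismatch"
            findings.append({
                "verdict": verdict,
                "issued_len": len(issued),
                "received_len": len(value),
                "missing": issued[len(value):].hex() if verdict == "truncated" else "",
            })
            issued = None
    return findings


if __name__ == "__main__":
    for finding in check_state_echo(SAMPLE_DEBUG_LOG.splitlines()):
        print(finding)
```

On the values from the thread the check reports a 36-byte State coming back as 32 bytes, which matches the 64 hexadecimal characters noted above.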




Re: EAP-MD5 fails to authenticate users

2002-09-19 Thread Artur Hecker

hi Jorge


the user line should read :=System or :=Local, since you have eap as
last module in the authorize section. but this is not the point.

take a look at the state attributes. your NAS is truncating the State
attribute which was issued by Radius to 64 hexadecimal characters, i.e.
256bit (64*4):

issued:
0x6d2728c26e0a5e55a7067440895cbafc619d893d72e45a66b2612d2defb73fafc8b0590f

received:
0x6d2728c26e0a5e55a7067440895cbafc619d893d72e45a66b2612d2defb73faf


i have no idea if this behaviour is RFC-correct or not. the problem
doesn't or didn't occur with other radius servers, probably because
their state attributes are always/were by chance shorter.

Raghu, Alan, what do you think? are the state attributes too long or is
the NAS firmware broken?

Jorge: you can try to take a look in the radius RFC if you can find a
limitation for the state attribute... you can also try a firmware
update.


ciao

artur



original message:


Hi,

I'm trying to perform 802.1X authentication using freeradius and the
EAP-MD5 authentication method, but I am experimenting
some problems.

First, the supplicant I'm using is XP native supplicant.
The Authenticator is a Enterasys Matrix E1

I have read hundreds of mails looking for a similar problem and I
haven't found any one. Also I have read the /doc/EAP-MD5
document from freeradius page.
Also I have to say that I have test the solution using other Radius
Servers (SteelBelted and MS-IAS) and all tests have worked OK
with them.

So, I think I am configuring something wrong in freeradius. So, can
anybody help me, please?

Regards.

Jorge.

The configuration is the following one

 *** User file ***
I have tried with 3 different users with 3 different Auth-Types. (Local,
System and EAP) The single one that has worked (Has
recognize EAP and radius has issued a Challenge-String) has been EAP

 luis    Auth-Type :=eap, User-Password =="hello"

** radiusd.conf ***

   eap {
        default_eap_type = md5
        md5 {
        }
   }

authorize {
        preprocess
        files
        eap
}

authenticate {
        eap
}

* radiusd -X * LOG

[root@satanas sbin]# ./radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/radius/etc/raddb/proxy.conf
Config:   including file: /usr/local/radius/etc/raddb/clients.conf
Config:   including file: /usr/local/radius/etc/raddb/snmp.conf
Config:   including file: /usr/local/radius/etc/raddb/sql.conf
 main: prefix = "/usr/local/radius"
 main: localstatedir = "/usr/local/radius/var"
 main: logdir = "/usr/local/radius/var/log/radius"
 main: libdir = "/usr/local/radius/lib"
 main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
 main: hostname_lookups = no
read_config_files:  reading dictionary
read_config_files:  reading clients
read_config_files:  reading realms
read_config_files:  reading naslist
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 security: max_attributes = 200
 security: reject_delay = 1
 main: debug_level = 0
read_config_files:  entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/radius/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/radius/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded files
 files: usersfile = "/usr/local/radius/etc/raddb/users"
 files: acctusersfile = "/usr/local/radius/etc/raddb/acct_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded detail
 detail: detailfile =
"/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/detail"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/usr/l

Re: EAP/MD5,CHAP O.K - PAP Fails

2002-09-09 Thread Kostas Kalevras

On Mon, 9 Sep 2002, [iso-8859-1] Jürgen Weiß wrote:

> High List
>
> I have problem concerning freeradius 0.7 on an RedHat 7.3 Operating
> system.
> EAP/MD5 and Chap works fine in conjunction with LDAP. But PAP
> authentification fails.
> Any hints or suggestions where I make an mistake !
>
> ## Start: radiusd.conf #
>
>
>
> modules {
>
>  ...
>
>  eap {
>   md5 {
>   }
>  }
>
>  chap {
>  }
>
>  mschap {
>   authtype = MS-CHAP
>  }
>
>  pap {
>   encryption_scheme = clear
>  }
>
>  ldap {
>   server = "ldap.uni-oldenburg.de"
>   identity = "cn=..."
>   password = ...
>   basedn = "ou=Radius,ou=Account,dc=uni-oldenburg,dc=de"
>   filter = "(uid=%u)"
>   start_tls = no
>   dictionary_mapping = ${raddbdir}/ldap.attrmap
>   ldap_connections_number = 15
>   password_attribute = userPassword
>   timeout = 4
>   timelimit = 3
>   net_timeout = 1
>  }
>
>  ...
> }
>
>
>
> authorize {
>  preprocess
>  chap
>  ldap
>  eap
>
>
> }
>
>
> authenticate {
>  eap
>  authtype CHAP {
>   chap
>  }
>  authtype PAP {
>   pap
>  }
>
> }
>
> 
>
> ## End: radiusd.conf #
> ## Start: users  #
>
> DEFAULT Auth-Type := Local
>  Fall-Through = 1
> DEFAULT Auth-Type := System
>  Fall-Through = 1
>
> ## End:: users  #

Hint 1: You don't have the files module listed in your authorize section.

Hint 2: You don't set the Auth-Type to PAP.

Hint 3: Don't use the := operator for Auth-Type. CHAP will not work if you do
that

I would suggest something like this:

authorize{
  preprocess
  chap
  eap
  files
  ldap
}

users:

DEFAULT Auth-Type = PAP

or you could just leave the users file blank, add the ldap module in the
authenticate section and let it handle the PAP requests.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf







Re: EAP-MD5 / FreeRadius / LDAP / NDS

2002-09-02 Thread Kostas Kalevras

On Tue, 3 Sep 2002, Stefan Winterling wrote:

> My user doesn't contain a userpassword attribute, so I have to create one.

Well the ldap server needs *some* attribute that contains the user password
for bind operations to work. Try to find which one it is. Or just create a new
one to use for chap, that's your call.

>
> Another question:
> For EAP-MD5 the password must be available in plaintext. But i don't want to send
> plaintext passwords over LDAP resp. it's not possible by my LDAP-Database. How
> can I solve this with FreeRadius excepting LDAPS?
>

I don't quite understand why you can't have plaintext passwords. In any case if
you can't then you will have to create a new attribute that will hold the user
chap password and make sure it changes when the user password changes.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf
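
The reason EAP-MD5 needs a password attribute the server can read back is visible in the exchange itself: the response is an MD5 over the EAP identifier, the secret and the challenge (the CHAP computation of RFC 1994), so the server must recompute it from the same secret. This is an added example, not part of the original thread or of FreeRADIUS; the function names, the password, the challenge and the SHA-1 directory hash are constructed for illustration.

```python
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE, TYPE_MD5_CHALLENGE = 1, 2, 4


def build_md5_packet(code, identifier, value):
    """EAP MD5-Challenge packet: header, Type, Value-Size, Value (no Name)."""
    body = bytes([TYPE_MD5_CHALLENGE, len(value)]) + value
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def md5_response_value(identifier, secret, challenge):
    """Value both sides compute: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def server_accepts(identifier, challenge, response_value, stored_secret):
    """Server-side check using whatever the user store hands back as the secret."""
    expected = md5_response_value(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response_value)


def demo():
    identifier = 2                      # constructed EAP identifier
    challenge = bytes(range(16))        # constructed 16-byte challenge
    password = b"hello"                 # constructed user password

    request = build_md5_packet(EAP_REQUEST, identifier, challenge)
    # Supplicant side: knows the real password, answers the challenge.
    value = md5_response_value(identifier, password, challenge)
    response = build_md5_packet(EAP_RESPONSE, identifier, value)

    # A directory that only stores a one-way hash of the password
    # (SHA-1 here, chosen only for illustration) cannot supply the secret.
    directory_hash = hashlib.sha1(password).digest()

    wrong = md5_response_value(identifier, b"hallo", challenge)
    return {
        "request_length": len(request),
        "response_length": len(response),
        "cleartext_store": server_accepts(identifier, challenge, value, password),
        "hashed_store": server_accepts(identifier, challenge, value, directory_hash),
        "wrong_password": server_accepts(identifier, challenge, wrong, password),
    }


if __name__ == "__main__":
    for key, result in demo().items():
        print(f"{key}: {result}")
```

With the cleartext secret the server accepts the correct response and rejects a wrong one; with only a one-way hash in the store the correct password is rejected as well, because the expected value cannot be reproduced.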





Re: EAP-MD5 / FreeRadius / LDAP / NDS

2002-09-02 Thread Stefan Winterling

My user doesn't contain a userpassword attribute, so I have to create one.

Another question:
For EAP-MD5 the password must be available in plaintext. But i don't want to send 
plaintext passwords over LDAP resp. it's not possible by my LDAP-Database. How can I 
solve this with FreeRadius excepting LDAPS? 





Re: EAP-MD5 / FreeRadius / LDAP / NDS

2002-08-30 Thread Kostas Kalevras

On Fri, 30 Aug 2002, Stefan Winterling wrote:

> My ldap server is a novell nw5.1 nds. In the schema i can't see a
> userPassword Attribute for user-class, but i think it's standard !?
> I can't imagine that it is possible to get plaintext password from ldap server !?
> So, how can EAP-MD5 work with ldap when I need plaintext passwords to build a hash?
>

So find out what password attribute your user entries contain and use that. Do
they even contain a user password attribute?


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf





Re: EAP-MD5 / FreeRadius / LDAP / NDS

2002-08-30 Thread Stefan Winterling

My ldap server is a novell nw5.1 nds. In the schema i can't see a userPassword 
Attribute for user-class, but i think it's standard !?
I can't imagine that it is possible to get plaintext password from ldap server !?
So, how can EAP-MD5 work with ldap when I need plaintext passwords to build a hash?

Here is my radius logfile with ldap_debug = 3:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/radius/etc/raddb/clients.conf
 main: prefix = "/usr/local/radius"
 main: localstatedir = "/usr/local/radius/var"
 main: logdir = "/usr/local/radius/var/log/radius"
 main: libdir = "/usr/local/radius/lib"
 main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
 main: hostname_lookups = no
read_config_files:  reading dictionary
read_config_files:  reading clients
read_config_files:  reading realms
read_config_files:  reading naslist
 main: max_request_time = 30
 main: cleanup_delay = 10
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = yes
 main: log_stripped_names = yes
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
 main: bind_address = 192.168.10.130 IP address [192.168.10.130]
 main: user = "root"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 main: debug_level = 0
read_config_files:  entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded eap
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
 tls: private_key_file = "/usr/local/openssl/ssl/certs/cert-srv.pem"
 tls: certificate_file = "/usr/local/openssl/ssl/certs/cert-srv.pem"
 tls: CA_file = "/usr/local/openssl/ssl/certs/cacert.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/usr/src/802/cert/dh"
 tls: random_file = "/usr/src/802/cert/random"
 tls: fragment_size = 500
 tls: include_length = yes
rlm_eap_tls: conf N ctx stored
rlm_eap: Loaded and initialized the type tls
Module: Instantiated eap (eap)
Module: Loaded LDAP
 ldap: server = "192.168.10.230"
 ldap: port = 636
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: ldap_cache_timeout = 0
 ldap: ldap_cache_size = 0
 ldap: identity = "CN=admin,OU=CW,OU=KIP,O=DE"
 ldap: start_tls = no
 ldap: password = "admin"
 ldap: basedn = "OU=CW,OU=KIP,O=DE"
 ldap: filter = "(givenName=%U)"
 ldap: default_profile = "(null)"
 ldap: profile_attribute = "(null)"
 ldap: access_group = "(null)"
 ldap: password_header = "(null)"
 ldap: password_attribute = "(null)"
 ldap: access_attr = "(null)"
 ldap: groupname_attribute = "cn"
 ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 ldap: dictionary_mapping = "/usr/local/radius/etc/raddb/ldap.attrmap"
 ldap: ldap_debug = 3
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
conns: (nil)
rlm_ldap: reading ldap<->radius mappings from file /usr/local/radius/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP npSessionsAllowed mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP userPassword mapped to RADIUS User-Password
rlm_ldap: LDAP userPasswd mapped to RADIUS User-Password
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP userPassword mapped to RADIUS User-Password
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Call

Re: EAP-MD5 / FreeRadius / LDAP / NDS

2002-08-29 Thread Kostas Kalevras

On Wed, 28 Aug 2002, Stefan Winterling wrote:

> Hi to all,
>
> I know, there are already many postings about this topic, but I didn't get it to work.
> So please help me!!
>
> I want to authenticate users via EAP-MD5 and LDAP in a NDS. But it seems that rlm_ldap
> doesn't get a password from NDS!?
>
> Can anybody help me?
>
> Thx!

Try making an ldapsearch to the ldap server with the same credentials and
filter. Do you see the userpassword attribute? Do you see anything in the ldap
server logs? What ldap library are you using?
Try increasing the debug level (ldap_debug) in the ldap module.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf





Re: EAP/MD5 with Redhat Linux & FreeRADIUS

2002-06-14 Thread Wayne Ying-Jui Lee

Hello,

I have the impression that open1x only supports EAP/TLS.

Sincerely,

- Original Message - 
From: "Tay Shwu Ying" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 14, 2002 9:28 AM
Subject: Re: EAP/MD5 with Redhat Linux & FreeRADIUS


> I am actually trying to find an opensource authenticator for my AR as well. 
> Will be looking at Open1x from http://www.open1x.org/.
> Wonder if this can work with FreeRadius on Linux 7.2 for EAP/MD5?







Re: EAP/MD5 with Redhat Linux & FreeRADIUS

2002-06-13 Thread Tay Shwu Ying

Hi Wayne,

I am actually trying to find an opensource authenticator for my AR as well. 
Will be looking at Open1x from http://www.open1x.org/.
Wonder if this can work with FreeRadius on Linux 7.2 for EAP/MD5?

Thank you very much.
Xie Xie Ni.

Cheers,
Shwu Ying



 > Hello all,
 >
 > Has someone ever tried EAP/MD5 working with RedHat Linux 7.2 and
 > FreeRADIUS? Please help ...

Hello, It works. and which authenticator you used? 





Re: EAP/MD5 with Redhat Linux & FreeRADIUS

2002-06-13 Thread Wayne Ying-Jui Lee

From: "Tay Shwu Ying" <[EMAIL PROTECTED]>


> Hello all,
> 
> Has someone ever tried EAP/MD5 working with RedHat Linux 7.2 and
> FreeRADIUS? Please help ...

Hello,

It works.
and which authenticator you used?

Sincerely,
--
Wayne Ying-Jui Lee
http://www.elites.org/~waynelee







Re: EAP/MD5 on Solaris 8...

2002-05-17 Thread Ricardo Stella



Sparc Ultra 10...  I'll try tomorrow's snapshot...

Thanks for your help...

Alan DeKok wrote:
> 
> Ricardo Stella <[EMAIL PROTECTED]> wrote:
> > So I grabbed the latest snapshot (20020517) and it doesn't compile at
> > all...
> 
> Cross-platform programming is a pain.  Which platform are
> you building it on?
> 
>   I've committed something which should fix it, so the current CVS, or
> tonight's snapshot should work.
> 
>   Alan DeKok.
> 



Re: EAP/MD5 on Solaris 8...

2002-05-17 Thread Alan DeKok

Ricardo Stella <[EMAIL PROTECTED]> wrote:
> So I grabbed the latest snapshot (20020517) and it doesn't compile at
> all...

Cross-platform programming is a pain.  Which platform are
you building it on?

  I've committed something which should fix it, so the current CVS, or
tonight's snapshot should work.

  Alan DeKok.




Re: EAP/MD5 with XP & FreeRADIUS

2002-05-04 Thread Wayne Ying-Jui Lee

Hello,

 Thank you. It works with XP and FreeRADIUS using EAP/MD5.
We found the problem from "EAP's id". Supplicant (Windows XP) is
disturbed by EAP's id.
AP -> XP         EAP/Request identity (id=1)
XP -> AP -> FR   EAP/Response identity/RADIUS Access Request (id=1)
and FR RADIUS/challenge (id also is 1), XP is confused and sends
EAP/Response identity again. The AP's vendor has fixed it by changing
initial EAP/Request identity EAP id to 0. :p
But it works fine with XP and Win2k RADIUS.

 Sigh...
Although EAP/MD5 is insecure, it's convenient to use for general users.

Because dynamic generation of WEP keys needed in some vendors' AP
 is not supported in FR, I can't use EAP/TLS. :~~
 (EAP module does not send "MS-MPPE.." with the Access-Accept packet)
 Any good news about dynamic generation of WEP keys ? :)

 Thank you very much.


 Sincerely,
 --
 Wayne Ying-Jui Lee

> - Original Message -
> From: "McNutt, Justin M." <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, April 24, 2002 7:30 PM
> Subject: RE: EAP/MD5 with XP & FreeRADIUS
>
>
> > Has someone ever tried EAP/MD5 working with Windows XP
> > and FreeRADIUS?
>
> Yes.  It works... if configured properly on both sides.
>
> > I found something strange..
> > "EAPOL start" -> Identity Request and Reply.
> > After FreeRADIUS sends "challenge" and Access Point
> > forwards it, it
> > seems XP doesn't
> > understand "challenge"  and XP sends "identity reply" again
> > The authentication procedure becomes a loop and wouldn't end.
>
> What does your RADIUS configuration look like?  Specifically:
>
> 1)  Do you have EAP enabled in your radius.conf file?
>
> 2)  Do you have the NAS (the Access Point) defined in your clients.conf file
> (along with the correct shared secret)?
>
> 3)  What does this user's entry look like in the users file?
>
> > Is it a problem of Windows XP?
> > It's ok if I use XP + Windows 2000 RADIUS.
> > Excuse me for disturbing us. Thank you.
>
> Not a problem.  It's most likely the configuration on one side or another.
> Several people have been able to get EAP/MD5 to work with Windows XP.
>
> One thing to remember, though:  EAP/MD5 is a rather insecure method of doing
> things, even with Windows 2000 RADIUS, because each user's password is
> stored on the RADIUS server in a decryptable (or even cleartext!) format.
> It is better to use EAP/TLS, which also works with FreeRADIUS and Windows
> XP.
>
> --J
>
>






Re: EAP/MD5 with XP & FreeRADIUS

2002-05-04 Thread Wayne Ying-Jui Lee

Hello,

Thank you. It works with XP and FreeRADIUS using EAP/MD5.
We found the problem from "EAP's id".

Although EAP/MD5 is insecure, it's convenient to use for general users. :)

Because dynamic generation of WEP keys needed in some vendors' AP
is not supported in FR, I can't use EAP/TLS.
(EAP module does not send "MS-MPPE.." with the Access-Accept packet)
Any good news? :)

Thank you very much.


Sincerely,
--
Wayne Ying-Jui Lee (李英瑞)
http://www.elites.org/~waynelee


- Original Message -
From: "McNutt, Justin M." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, April 24, 2002 7:30 PM
Subject: RE: EAP/MD5 with XP & FreeRADIUS


> Has someone ever tried EAP/MD5 working with Windows XP
> and FreeRADIUS?

Yes.  It works... if configured properly on both sides.

> I found something strange..
> "EAPOL start" -> Identity Request and Reply.
> After FreeRADIUS sends "challenge" and Access Point
> forwards it, it
> seems XP doesn't
> understand "challenge"  and XP sends "identity reply" again
> The authentication procedure becomes a loop and wouldn't end.

What does your RADIUS configuration look like?  Specifically:

1)  Do you have EAP enabled in your radius.conf file?

2)  Do you have the NAS (the Access Point) defined in your clients.conf file
(along with the correct shared secret)?

3)  What does this user's entry look like in the users file?

> Is it a problem of Windows XP?
> It's ok if I use XP + Windows 2000 RADIUS.
> Excuse me for disturbing us. Thank you.

Not a problem.  It's most likely the configuration on one side or another.
Several people have been able to get EAP/MD5 to work with Windows XP.

One thing to remember, though:  EAP/MD5 is a rather insecure method of doing
things, even with Windows 2000 RADIUS, because each user's password is
stored on the RADIUS server in a decryptable (or even cleartext!) format.
It is better to use EAP/TLS, which also works with FreeRADIUS and Windows
XP.

--J




RE: EAP/MD5 with XP & FreeRADIUS

2002-04-24 Thread McNutt, Justin M.

> Has someone ever tried EAP/MD5 working with Windows XP 
> and FreeRADIUS?

Yes.  It works... if configured properly on both sides.

> I found something strange..
> "EAPOL start" -> Identity Request and Reply.
> After FreeRADIUS sends "challenge" and Access Point 
> forwards it, it
> seems XP doesn't
> understand "challenge"  and XP sends "identity reply" again
> The authentication procedure becomes a loop and wouldn't end.

What does your RADIUS configuration look like?  Specifically:

1)  Do you have EAP enabled in your radius.conf file?

2)  Do you have the NAS (the Access Point) defined in your clients.conf file (along 
with the correct shared secret)?

3)  What does this user's entry look like in the users file?

> Is it a problem of Windows XP?
> It's ok if I use XP + Windows 2000 RADIUS.
> Excuse me for disturbing us. Thank you.

Not a problem.  It's most likely the configuration on one side or another.  Several 
people have been able to get EAP/MD5 to work with Windows XP.

One thing to remember, though:  EAP/MD5 is a rather insecure method of doing things, 
even with Windows 2000 RADIUS, because each user's password is stored on the RADIUS 
server in a decryptable (or even cleartext!) format.  It is better to use EAP/TLS, 
which also works with FreeRADIUS and Windows XP.

--J




Re: EAP-MD5 seg fault on Solaris 8

2002-04-05 Thread Alan DeKok

Ken Roser <[EMAIL PROTECTED]> wrote:
> Why do you have to write messages such as this?

  My experience has been that unless I ask for specific information
about a problem, then that information is rarely posted to the list.

  This means that someone has run into a problem, they've said
publicly that there's a problem, but they're not interested in getting
it fixed, or in helping other people fix it.  That's incredibly
annoying, as I hope you'll understand.

  I fail to understand why you said that a problem existed, but you
didn't show interest in getting it fixed.  And I also fail to
understand why you got upset when I pointed out that discrepancy.

>  All I did was ask if something was fixed and I volunteered to do
> any work necessary to resolve it.  If this had been declared fixed
> and I still had a problem I sure would have posted errors.  I don't
> appreciate this type of reaction from you.

I'm sorry if I offended you.

  The EAP related SEGV on Solaris has been fixed, and has been
reported to the list as fixed.

  Your other comment about "the CVS build wouldn't even compile" is
what prompted my response.  If it won't compile, DESCRIBE why it won't
compile, otherwise it won't be fixed!

  Alan DeKok.




Re: EAP-MD5 seg fault on Solaris 8

2002-04-04 Thread Ken Roser

Alan,
Why do you have to write messages such as this?  All I did was ask if something was
fixed and I volunteered to do any work necessary to resolve it.  If this had been
declared fixed and I still had a problem I sure would have posted errors.  I don't
appreciate this type of reaction from you.

Alan DeKok wrote:

> Ken Roser <[EMAIL PROTECTED]> wrote:
> > Has this segmentation fault on Solaris 8 been fixed yet?  I tried to build last
> > night's CVS build but it wouldn't even compile.  I'm still using version .5 as a
> > result.
>
>   Errors are... ??
>
>   No one can do anything to help you if you say "stuff went wrong",
> and give no useful information.
>
>   Alan DeKok.
>



Re: EAP-MD5 seg fault on Solaris 8

2002-04-04 Thread Ken Roser

I used today's (04/04/2002) snapshot and everything is working great as far as EAP/MD5 
is concerned.

In order to get it to build though, I had to rename the modules/rlm_ippool directory
to something that didn't start with rlm_ in order to get the build to skip building
this module which would fail to build otherwise.

Raghu wrote:

> Ken Roser wrote:
> >
> > Has this segmentation fault on Solaris 8 been fixed yet?  I tried to build last
> > night's CVS build but it wouldn't even compile.  I'm still using version .5 as a
> > result.
> >
> > If it hasn't been fixed, let me know what needs to be done and I'll be glad to
> > assist in the debugging.
> >
>
> Seg fault is already fixed.
>
> Try to compile and run the freeradius from
> the latest CVS snapshots and post your feedback.
>
> --
>  (( ))
>|
>  |.|  HereUAre !!
>  |_|  (( Raghu ))
>



Re: EAP-MD5 seg fault on Solaris 8

2002-04-04 Thread Alan DeKok

Ken Roser <[EMAIL PROTECTED]> wrote:
> Has this segmentation fault on Solaris 8 been fixed yet?  I tried to build last
> night's CVS build but it wouldn't even compile.  I'm still using version .5 as a
> result.

  Errors are... ??

  No one can do anything to help you if you say "stuff went wrong",
and give no useful information.

  Alan DeKok.




Re: EAP-MD5 seg fault on Solaris 8

2002-04-03 Thread Raghu

Ken Roser wrote:
> 
> Has this segmentation fault on Solaris 8 been fixed yet?  I tried to build last
> night's CVS build but it wouldn't even compile.  I'm still using version .5 as a
> result.
>
> If it hasn't been fixed, let me know what needs to be done and I'll be glad to
> assist in the debugging.
> 

Seg fault is already fixed.

Try to compile and run the freeradius from 
the latest CVS snapshots and post your feedback.


-- 
 (( ))
   |  
 |.|  HereUAre !!
 |_|  (( Raghu ))




Re: EAP-MD5 seg fault on Solaris 8

2002-04-03 Thread Ken Roser

Has this segmentation fault on Solaris 8 been fixed yet?  I tried to build last
night's CVS build but it wouldn't even compile.  I'm still using version .5 as a
result.

If it hasn't been fixed, let me know what needs to be done and I'll be glad to assist
in the debugging.

Alan DeKok wrote:

> "Siddharth Jeevan" <[EMAIL PROTECTED]> wrote:
> > When I try to run freeradius with EAP-MD5 as the auth-type, I get a
> > segmentation fault. I applied the changes Raghu had suggested in the
> > eap_wireformat method in the file.c on 03/21/2002, but that would not
> > help me.
>
>   Try grabbing the CVS snapshot from tonight.  I've committed those
> changes to the head, along with a few others that I think Raghu didn't
> post.
>
>   If that still core dumps, then a stack backtrace would help.  See
> 'doc/bugs'
>
>   Alan DeKok.
>



Re: EAP-MD5: Password sources

2002-04-02 Thread Artur Hecker


hello


> I don't understand where this restriction comes from.  Once the FreeRADIUS server
> gets the password from the NAS, what prevents it from checking that password against
> /etc/shadow, PAM, another RADIUS server, or whatever?

in fact, it's not a restriction of freeradius. it's a necessary
restriction of the CHAP (and EAP-MD5, which is basically the same).

the problem is that the client doesn't send a password which the server
can check against whatever in whichever way. the client sends an
authentication string (i'm not going to be very precise, it's the
principle which we are talking about) produced by the user basically out
of user's identity, the challenge sent before by the server, etc. and of
course the password itself. what's good about this authentication string
is that you can't guess whatever information has been taken to create it
by just looking at the result (it's usually a cryptographic hash built
using MD5, so a one-way function with rare collisions). the second good
thing about it: it's very improbable, that you will be successful in
producing the same result just using some crap instead of values used by
the user.

so, the only way to verify such an authentication string on the server
side is to re-compute it the same way the client did. the only
(theoretical) way to do so is to have the same input values and to
process them in the same order and in the same concatenation through the
same algorithm (MD5). then you compare the results. if they don't match
- the user loses. if they do, the server sends the accept message.

so, the server needs the unencrypted password.


hope this helps.

artur


-- 
Artur Hecker Groupe Accès et Mobilité
[EMAIL PROTECTED]     Département Informatique et Réseaux
+33 1 45 81 75 07     46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr  ENST Paris
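
The recomputation described in the message above, as an added example that is not part of the original thread and not FreeRADIUS code: it parses the MD5-Challenge that appears in the "radiusd -X" log quoted elsewhere on this page and verifies a response the CHAP way (RFC 1994), MD5(identifier || password || challenge). The user name, the password and the SHA-256 stand-in for a one-way password store are constructed assumptions.

```python
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4

# EAP-Message of the Access-Challenge in the "radiusd -X" log quoted on this
# page (FreeRADIUS prints the attribute with octal escapes).
LOGGED_REQUEST = b"\001Z\000\026\004\020J\347\0236\344K\371\277y\322u.#H\030\245"

# Constructed sample credentials, not taken from the page.
USER = b"alice"
PASSWORD = b"correct horse battery"
# Stand-in for what a one-way store (/etc/shadow, a hashed LDAP attribute) holds.
STORED_HASH = hashlib.sha256(PASSWORD).hexdigest().encode()


def parse_md5_packet(pkt):
    """Return (code, identifier, value, name) of an EAP MD5-Challenge packet."""
    if len(pkt) < 6:
        raise ValueError("too short for an EAP MD5-Challenge packet")
    code, ident, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length < 6 or length > len(pkt):
        raise ValueError("EAP length field does not match the data")
    if eap_type != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an MD5-Challenge packet")
    value_size = pkt[5]
    if 6 + value_size > length:
        raise ValueError("Value-Size overruns the packet")
    return code, ident, pkt[6:6 + value_size], pkt[6 + value_size:length]


def md5_response_value(ident, secret, challenge):
    """CHAP-style value: MD5 over identifier octet, secret, challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def build_response(ident, secret, challenge, name=b""):
    """What the supplicant sends back; the password itself never leaves it."""
    value = md5_response_value(ident, secret, challenge)
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", EAP_RESPONSE, ident, 4 + len(body)) + body


def server_verify(request_pkt, response_pkt, stored_secret):
    """Recompute the value from whatever the server has stored and compare."""
    _, req_id, challenge, _ = parse_md5_packet(request_pkt)
    code, resp_id, value, _ = parse_md5_packet(response_pkt)
    if code != EAP_RESPONSE or resp_id != req_id:
        return False  # a response must echo the identifier of its request
    expected = md5_response_value(req_id, stored_secret, challenge)
    return hmac.compare_digest(expected, value)


if __name__ == "__main__":
    code, ident, challenge, _ = parse_md5_packet(LOGGED_REQUEST)
    print("code", code, "id", ident, "challenge", challenge.hex())
    response = build_response(ident, PASSWORD, challenge, USER)
    print("server holds cleartext:", server_verify(LOGGED_REQUEST, response, PASSWORD))
    print("server holds only hash:", server_verify(LOGGED_REQUEST, response, STORED_HASH))
```

With only STORED_HASH available the server has nothing it can feed into the MD5 that would reproduce the supplicant's value, which is the restriction the thread is discussing.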




RE: EAP-MD5: Password sources

2002-04-02 Thread McNutt, Justin M.

> There are 2 types of EAP authentications that are currently 
> supported by
> Freeradius
> 1. EAP-MD5
> 2. EAP-TLS
> 
> The one which you tested is EAP-md5. It is just similar to CHAP
> authentication.
> It works only with PLAIN TEXT passwords. 
> So if you have plain text password stored in files, database or LDAP,
> then it works.
> 
> EAP-TLS is Certificate based authentication. 

I don't understand where this restriction comes from.  Once the FreeRADIUS server gets 
the password from the NAS, what prevents it from checking that password against 
/etc/shadow, PAM, another RADIUS server, or whatever?

--J




Re: EAP-MD5: Password sources

2002-04-01 Thread Raghu

"McNutt, Justin M." wrote:
> 
> Okay, new question:
> 
> Now that I have the NAS talking to the RADIUS server properly,
> I need the RADIUS server to use something other than hard-coded
> passwords when it authenticates using Auth-Type := EAP.  Here's an example from
> /usr/local/etc/raddb/users:
> 
> gilpina Auth-Type := EAP
> Port-Priority = Platinum,
> Tunnel-Private-Group-Id = "201",
> Tunnel-Type = 13,
> Tunnel-Medium-Type = 6,
> Service-Type = Framed,
> NAS-Port-Type = Ethernet
> 
> What would be the proper syntax for something like this:
> 
> gilpina Auth-Type := EAP, Password == PAM
> 
> or
> 
> gilpina Auth-Type := EAP, Password == Unix
> 


There are 2 types of EAP authentications that are currently supported by
Freeradius
1. EAP-MD5
2. EAP-TLS

The one which you tested is EAP-md5. It is just similar to CHAP
authentication.
It works only with PLAIN TEXT passwords. 
So if you have plain text password stored in files, database or LDAP,
then it works.

EAP-TLS is Certificate based authentication. 


-- 
 (( ))
   |  
 |.|  HereUAre !!
 |_|  (( Raghu ))




RE: EAP-MD5 - Can't seem to get it working.

2002-04-01 Thread McNutt, Justin M.

Never mind.  I'm a dumb ass.  I had a duplicate entry for this NAS in 
/usr/local/etc/raddb/clients which was screwing things up (it had a different shared 
secret).

So I'm stupid.  It works fine.  I'm going home.  :-P

--J

> -Original Message-
> From: McNutt, Justin M. 
> Sent: Monday, April 01, 2002 3:32 PM
> To: [EMAIL PROTECTED]
> Subject: EAP-MD5 - Can't seem to get it working.
> 
> 
> We always get this:
> 
> Mon Apr  1 15:14:24 2002 : Error: Received packet from 
> 128.206.95.215 with invalid Message-Authenticator!
> 
> The password is hard-coded into the users profile in the 
> raddb file and we've quadruple-checked the RADIUS shared 
> secret.  The NAS is a Nortel Business Policy Switch 2000 and 
> the EAP client is a Windows XP laptop (username gilpina, 
> password datiswak, domain [NULL]).  Server is a Slackware 7.1 
> box running FreeRADIUS 0.5 (release version).
> 
> Ideas?
> 
> Here's the section of the /usr/local/etc/raddb/users file for 
> this user:
> 
> gilpina Auth-Type := EAP, User-Password == "datiswak"
> Port-Priority = Platinum,
> Tunnel-Private-Group-Id = "201",
> Tunnel-Type = 13,
> Tunnel-Medium-Type = 6,
> Service-Type = Framed,
> NAS-Port-Type = Ethernet
> 
> Here's what "radiusd -X -y" shows:
> 
> Module: Instantiated unix (unix) 
> Module: Loaded preprocess 
>  preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
>  preprocess: hints = "/usr/local/etc/raddb/hints"
>  preprocess: with_ascend_hack = no
>  preprocess: ascend_channels_per_line = 23
>  preprocess: with_ntdomain_hack = no
>  preprocess: with_specialix_jetstream_hack = no
>  preprocess: with_cisco_vsa_hack = no
> Module: Instantiated prepro^[[A^[[A
> root@dnps-linux1:/var/log/radius# killall radiusd
> root@dnps-linux1:/var/log/radius# cd
> root@dnps-linux1:~# cat radiusd.debug.log 
> Starting - reading configuration files ...
> reread_config:  reading radiusd.conf
> Config:   including file: /usr/local/etc/raddb/proxy.conf
> Config:   including file: /usr/local/etc/raddb/clients.conf
> Config:   including file: /usr/local/etc/raddb/snmp.conf
> Config:   including file: /usr/local/etc/raddb/sql.conf
>  main: prefix = "/usr/local"
>  main: localstatedir = "/var"
>  main: logdir = "/var/log/radius"
>  main: libdir = "/usr/local/lib"
>  main: radacctdir = "/var/log/radius/radacct"
>  main: hostname_lookups = no
> read_config_files:  reading dictionary
> read_config_files:  reading clients
> read_config_files:  reading realms
> read_config_files:  reading naslist
>  main: max_request_time = 30
>  main: cleanup_delay = 5
>  main: max_requests = 10240
>  main: delete_blocked_requests = 0
>  main: port = 0
>  main: allow_core_dumps = no
>  main: log_stripped_names = no
>  main: log_auth = yes
>  main: log_auth_badpass = no
>  main: log_auth_goodpass = no
>  main: pidfile = "/var/run/radiusd.pid"
>  main: user = "root"
>  main: group = "root"
>  main: usercollide = no
>  main: lower_user = "no"
>  main: lower_pass = "no"
>  main: nospace_user = "no"
>  main: nospace_pass = "no"
>  main: proxy_requests = yes
>  proxy: retry_delay = 5
>  proxy: retry_count = 3
>  proxy: synchronous = no
>  proxy: default_fallback = yes
>  proxy: dead_time = 120
>  security: max_attributes = 200
>  security: reject_delay = 1
>  main: debug_level = 0
> read_config_files:  entering modules setup
> Module: Library search path is /usr/local/lib
> Module: Loaded eap 
>  eap: default_eap_type = "md5"
>  eap: timer_expire = 60
> rlm_eap: Loaded and initialized the type md5
> Module: Instantiated eap (eap) 
> Module: Loaded Pam 
>  pam: pam_auth = "radiusd"
> Module: Instantiated pam (pam) 
> Module: Loaded System 
>  unix: cache = yes
>  unix: passwd = "/etc/passwd"
>  unix: shadow = "/etc/shadow"
>  unix: group = "/etc/group"
>  unix: radwtmp = "/var/log/radius/radwtmp"
>  unix: usegroup = no
>  unix: cache_reload = 600
> HASH:  Reinitializing hash structures and lists for caching...
>   
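
An added example (not from the thread and not FreeRADIUS code) of the check behind the "invalid Message-Authenticator" error in the message above: HMAC-MD5 over the whole Access-Request, keyed with the shared secret, computed with the attribute's 16 octets set to zero, as RFC 2869 defines it. The secrets, the Request Authenticator, the sample packet and the `entries_that_validate` helper are constructed or hypothetical.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80


def _attr(attr_type, value):
    """Encode one RADIUS attribute: type, length (including header), value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(ident, request_auth, attrs, secret):
    """NAS side: append a zeroed Message-Authenticator, then fill in the HMAC."""
    body = b"".join(_attr(t, v) for t, v in attrs)
    body += _attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    pkt = header + request_auth + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # the attribute was appended last


def message_authenticator_ok(pkt, secret):
    """Server side: True if the packet validates under this shared secret."""
    if len(pkt) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", pkt[2:4])[0]
    if not 20 <= length <= len(pkt):
        raise ValueError("bad RADIUS length field")
    pkt = pkt[:length]
    pos, value_at = 20, None
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                raise ValueError("Message-Authenticator must carry 16 octets")
            value_at = pos + 2
        pos += attr_len
    if value_at is None:
        raise ValueError("no Message-Authenticator attribute")
    zeroed = pkt[:value_at] + bytes(16) + pkt[value_at + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, pkt[value_at:value_at + 16])


def entries_that_validate(pkt, entries):
    """Hypothetical diagnostic: which configured (label, secret) pairs match."""
    return [label for label, secret in entries
            if message_authenticator_ok(pkt, secret)]


# Constructed sample data: the secret configured on the NAS, plus the two
# server-side entries for the same NAS, one of them stale.
NAS_SECRET = b"nas-shared-secret"
SERVER_ENTRIES = [
    ("clients (duplicate entry)", b"old-shared-secret"),
    ("clients.conf", b"nas-shared-secret"),
]
EAP_IDENTITY_RESPONSE = b"\x02\x01\x00\x0c\x01gilpina"
SAMPLE_PACKET = build_access_request(
    ident=7,
    request_auth=bytes(range(16)),
    attrs=[(USER_NAME, b"gilpina"), (EAP_MESSAGE, EAP_IDENTITY_RESPONSE)],
    secret=NAS_SECRET,
)

if __name__ == "__main__":
    for label, secret in SERVER_ENTRIES:
        print(label, "->", message_authenticator_ok(SAMPLE_PACKET, secret))
```

Run against a captured request, the helper shows which of several entries for one NAS address carries the secret the NAS is really using.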

Re: EAP-MD5 seg fault on Solaris 8

2002-03-25 Thread Alan DeKok

"Siddharth Jeevan" <[EMAIL PROTECTED]> wrote:
> When I try to run freeradius with EAP-MD5 as the auth-type, I get a
> segmentation fault. I applied the changes Raghu had suggested in the
> eap_wireformat method in the file.c on 03/21/2002, but that would not
> help me.

  Try grabbing the CVS snapshot from tonight.  I've committed those
changes to the head, along with a few others that I think Raghu didn't
post.

  If that still core dumps, then a stack backtrace would help.  See
'doc/bugs'

  Alan DeKok.




Re: EAP-MD5 seg fault on Solaris 8

2002-03-25 Thread Raghu

> Siddharth Jeevan wrote:

> (a) Can we not use Windows 2000 RRAS as NAS - if this is true? What

Radius Server is independent of NAS.

> will I have to do? Build another version of eap.c? My scenario

I do not think so. I think there is a bug in rlm_eap that needs to be
fixed.

> requires me to send Auth request over PPP not 802.1x

PPP or 802.1x does not matter. It should work on both.


> (b) Does it appear to be another problem with the code in EAP module?

Yes. It appears to me that my patch did not fix the problem completely.
If you are interested in identifying the problem,
place more debugging statements in eap_compose() and send the output.

-Raghu




Re: EAP-MD5 ?

2002-03-21 Thread Raghu

"Derek M. Harkness" wrote:

> Thanks for the help!  Here is my log (radiusd -X), this was captured on
> a linux and I haven't had a chance to apply the patch yet, but I will.
> Thanks, again.
>

It's just a one-line change from int to unsigned short.
Let me know your findings with the patch.
 
> Sending Access-Challenge of id 90 to 141.215.3.48:1126
>  Service-Type = Framed-User
>  EAP-Message =
> "\001Z\000\026\004\020J\347\0236\344K\371\277y\322u.#H\030\245"
>  Message-Authenticator = 0x
>  State =
> 0xbb127c33d668ec1725a862f2e3195975dd599a3c9bbbfc5c5148b09728212c51e3dd3138
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 90 with timestamp 3c9a59dd
> Nothing to do.  Sleeping until we see a request.
> 

Server sent the Access-Challenge, 
but never received any response from the AP.

Most likely some configuration issue at the AP/supplicant.

-Raghu




Re: EAP-MD5 ?

2002-03-21 Thread Derek M. Harkness


On Thursday, March 21, 2002, at 01:15  PM, Raghu wrote:

> To figure out why EAP auth is failing, Can you post the server logs ?
>
> Have you got the chance to apply the patch I posted yesterday
> & check it on Solaris ?

Thanks for the help!  Here is my log (radiusd -X), this was captured on 
a linux and I haven't had a chance to apply the patch yet, but I will.  
Thanks, again.

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
  main: prefix = "/usr/local"
  main: localstatedir = "/usr/local/var"
  main: logdir = "/usr/local/var/log/radius"
  main: libdir = "/usr/local/lib"
  main: radacctdir = "/usr/local/var/log/radius/radacct"
  main: hostname_lookups = no
read_config_files:  reading dictionary
read_config_files:  reading clients
read_config_files:  reading realms
read_config_files:  reading naslist
  main: max_request_time = 30
  main: cleanup_delay = 5
  main: max_requests = 1024
  main: delete_blocked_requests = 0
  main: port = 0
  main: allow_core_dumps = no
  main: log_stripped_names = no
  main: log_auth = no
  main: log_auth_badpass = no
  main: log_auth_goodpass = no
  main: pidfile = "/usr/local/var/run/radiusd.pid"
  main: user = "root"
  main: group = "root"
  main: usercollide = no
  main: lower_user = "no"
  main: lower_pass = "no"
  main: nospace_user = "no"
  main: nospace_pass = "no"
  main: proxy_requests = yes
  proxy: retry_delay = 5
  proxy: retry_count = 3
  proxy: synchronous = no
  proxy: default_fallback = yes
  proxy: dead_time = 120
  security: max_attributes = 200
  security: reject_delay = 1
  main: debug_level = 0
read_config_files:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded eap
  eap: default_eap_type = "md5"
  eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
Module: Instantiated eap (eap)
Module: Loaded System
  unix: cache = yes
  unix: passwd = "/etc/passwd"
  unix: shadow = "/etc/shadow"
  unix: group = "/etc/group"
  unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
  unix: usegroup = no
  unix: cache_reload = 600
HASH:  Reinitializing hash structures and lists for caching...
   HASH:  user root found in hashtable bucket 11726
   HASH:  user daemon found in hashtable bucket 11668
   HASH:  user bin found in hashtable bucket 86651
   HASH:  user sys found in hashtable bucket 64201
   HASH:  user sync found in hashtable bucket 42895
   HASH:  user games found in hashtable bucket 47657
   HASH:  user man found in hashtable bucket 50534
   HASH:  user lp found in hashtable bucket 54068
   HASH:  user mail found in hashtable bucket 79471
   HASH:  user news found in hashtable bucket 5375
   HASH:  user uucp found in hashtable bucket 38541
   HASH:  user proxy found in hashtable bucket 7806
   HASH:  user majordom found in hashtable bucket 55433
   HASH:  user postgres found in hashtable bucket 19301
   HASH:  user www-data found in hashtable bucket 84448
   HASH:  user backup found in hashtable bucket 3418
   HASH:  user msql found in hashtable bucket 14409
   HASH:  user operator found in hashtable bucket 21748
   HASH:  user list found in hashtable bucket 91138
   HASH:  user irc found in hashtable bucket 2346
   HASH:  user gnats found in hashtable bucket 75017
   HASH:  user nobody found in hashtable bucket 99723
   HASH:  user dharknes found in hashtable bucket 9858
   HASH:  user postfix found in hashtable bucket 23093
   HASH:  user identd found in hashtable bucket 77172
   HASH:  user mysql found in hashtable bucket 46314
   HASH:  user mars$ found in hashtable bucket 60823
   HASH:  user dlannom found in hashtable bucket 51787
   HASH:  user bbrother found in hashtable bucket 97762
   HASH:  user lboyd found in hashtable bucket 50904
   HASH:  user jim found in hashtable bucket 51842
HASH:  Stored 31 entries from /etc/passwd
HASH:  Stored 47 entries from /etc/group
Module: Instantiated unix (unix)
Module: Loaded preprocess
  preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
  preprocess: hints = "/usr/local/etc/raddb/hints"
  preprocess: with_ascend_hack = no
  preprocess: ascend_channels_per_line = 23
  preprocess: with_ntdomain_hack = no
  preprocess: with_specialix_jetstream_hack = no
  preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
  realm: format = "suffix"
  realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
  files: usersfile = "/usr/local/etc/raddb/users"
  files: acctusersfile = "/usr/local/etc/raddb/acct_users"
  files: compat = "no"
Module: Instantiated files (files)
Module: Loaded detail
  detail: detailfile = 
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail"
  detail: detailperm = 384
  detail: dirperm = 493
Module: Insta

Re: EAP-MD5 ?

2002-03-21 Thread Raghu

John Lindsay wrote:

> I've just studied this with Cisco and I can steal a clear explanation from
> the notes.


EAP CLIENT(EC)  >  ACCESS POINT(AP)  > RADIUS-SERVER(S)

The communication between EC & AP is wireless (EAPOL).
The communication between AP & Radius is RADIUS 
with EAP payload encapsulated in EAP-Message attribute.

1. EC sends EAPOL-START to AP.
2. AP sends EAP/Identity request to EC
3. EC sends EAP/Identity response to AP.
4. AP frames the RADIUS Access-Request packet and 
EAP/Identity response payload in EAP-Message.
5. Radius sends Access-challenge to AP with
EAP-MD5 challenge value.
6. AP extracts EAP and sends it to EC.
7. EC sends the Challenge response to AP
   (see CHAP(rfc1994) for details or rfc2284)
8. AP forwards it to Radius.
9. Radius sends EAP-Success/EAP-Failure to AP.
10. AP forwards it to EC.

> 
> To make it clear for everyone, the supplicant is the software on the client
> (machine with the wireless card).
> 
> The EAP process doesn't start until the client has associated with the
> Access Point using Open authentication.  If this process isn't crystal
> clear you need to go away and gain understanding.
> 
> Once the association is made the AP blocks all traffic that is not 802.1x
> so although associated the connection only has value for EAP.  Any EAP
> traffic is passed to the radius server and any radius traffic is passed
> back to the client.
> 
> So, after the client has associated to the Access Point, the supplicant
> starts the process for using EAP over LAN by asking the user for their
> logon and password.
> 
> Using 802.1x and EAP the supplicant sends the username and a one-way hash
> of the password to the AP.

No. See below

> 
> The AP encapsulates the request and sends it to the RADIUS server.
> 
> The radius server needs a plaintext password so that it can perform the
> same one-way hash to determine that the password is correct.  If it is, the
> radius server issues an access challenge which goes back via the AP to
> the client. (my study guide says client but my brain says 'supplicant')
> 
> The client sends the EAP response to the challenge via the AP to the RADIUS
> server.
> 

AP sends an EAP/Identity request to the supplicant.
The supplicant then just sends only the User-Name to AP.

AP then forwards this to Radius Server, 
Radius Server now sends EAP-Response with some random Challenge value.

Supplicant then sends the challenge-response using the User-Password.
See CHAP rfc1994 for details.


-Raghu
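
The EAP-MD5 exchange in the numbered steps above, as an added example that is not part of the original thread and not FreeRADIUS code. All function names and credentials are constructed for illustration; the parser also refuses a zero or inconsistent EAP Length field, the error condition raised elsewhere in this thread.

```python
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5 = 1, 4


def build_eap(code, ident, eap_type=None, data=b""):
    """Serialize an EAP packet; Length is 16-bit big-endian and includes the header."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(raw):
    """Return (code, id, type, data); refuse an inconsistent Length instead of trusting it."""
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError(f"EAP Length {length} invalid for {len(raw)} bytes")
    body = raw[4:length]
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if not body:
            raise ValueError("Request/Response without a Type octet")
        return code, ident, body[0], body[1:]
    return code, ident, None, b""


def md5_value(ident, password, challenge):
    """CHAP (RFC 1994) response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def md5_data(value):
    """EAP-MD5 type-data: one Value-Size octet followed by the value."""
    return bytes([len(value)]) + value


def server_verify(challenge_pkt, response_pkt, password):
    """Steps 8-9: recompute the expected value and answer Success or Failure."""
    _, ident, _, cdata = parse_eap(challenge_pkt)
    code, rid, rtype, rdata = parse_eap(response_pkt)
    expected = md5_value(ident, password, cdata[1:1 + cdata[0]])
    ok = (code == EAP_RESPONSE and rid == ident and rtype == TYPE_MD5
          and rdata[:1] == b"\x10"
          and hmac.compare_digest(rdata[1:17], expected))
    return build_eap(EAP_SUCCESS if ok else EAP_FAILURE, ident)


def run_exchange(username, client_password, server_password):
    """Walk steps 3-9 with constructed data; return (identity seen, final EAP code)."""
    ident_resp = build_eap(EAP_RESPONSE, 1, TYPE_IDENTITY, username)    # step 3
    _, _, _, name = parse_eap(ident_resp)                               # step 4: name only
    chal_pkt = build_eap(EAP_REQUEST, 2, TYPE_MD5, md5_data(os.urandom(16)))  # step 5
    _, cid, _, cdata = parse_eap(chal_pkt)                              # step 6
    value = md5_value(cid, client_password, cdata[1:1 + cdata[0]])
    resp_pkt = build_eap(EAP_RESPONSE, cid, TYPE_MD5, md5_data(value))  # step 7
    return name, parse_eap(server_verify(chal_pkt, resp_pkt, server_password))[0]


if __name__ == "__main__":
    print(run_exchange(b"alice", b"s3cret", b"s3cret"))  # constructed credentials
```

The password itself never appears in any packet; the server needs the cleartext secret on its side to recompute the same MD5 value.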




Re: EAP-MD5 ?

2002-03-21 Thread Alan DeKok

John Lindsay <[EMAIL PROTECTED]> wrote:
> I've just studied this with Cisco and I can steal a clear explanation from 
> the notes.
...

  Nice.  I've added it to 'doc/rlm_eap' (If you don't mind).  Any
documentation on 'how it works' is useful.

  Alan DeKok.




Re: EAP-MD5 ?

2002-03-21 Thread Derek M. Harkness

Thanks for the detailed explanation; this is what I've been looking for 
but have been unable to locate.

Derek

On Thursday, March 21, 2002, at 03:57  PM, John Lindsay wrote:

> I've just studied this with Cisco and I can steal a clear explanation 
> from the notes.
>
> To make it clear for everyone, the supplicant is the software on the 
> client (machine with the wireless card).
>
> The EAP process doesn't start until the client has associated with the 
> Access Point using Open authentication.  If this process isn't crystal 
> clear you need to go away and gain understanding.
>
> Once the association is made the AP blocks all traffic that is not 
> 802.1x so although associated the connection only has value for EAP.  
> Any EAP traffic is passed to the radius server and any radius traffic 
> is passed back to the client.
>
> So, after the client has associated to the Access Point, the supplicant 
> starts the process for using EAP over LAN by asking the user for their 
> logon and password.
>
> Using 802.1x and EAP the supplicant sends the username and a one-way 
> hash of the password to the AP.
>
> The AP encapsulates the request and sends it to the RADIUS server.
>
> The radius server needs a plaintext password so that it can perform the 
> same one-way hash to determine that the password is correct.  If it is, 
> the radius server issues an access challenge which goes back via the 
> AP to the client. (my study guide says client but my brain says 
> 'supplicant')
>
> The client sends the EAP response to the challenge via the AP to the 
> RADIUS server.
>
> If the response is valid the RADIUS server sends a success message and 
> the session WEP key (EAP over wireless) to the client via the AP.  The 
> same session WEP key is also sent to the AP in the success packet.
>
> The client and the AP then begin using session WEP keys. The WEP key 
> used for multicasts is then sent from the AP to the client.  It is 
> encrypted using the session WEP key.
>
>
> --
> John Lindsay - Engineering Services Manager
> Internode Professional Access
> ph +61 8 8223 2999 fx +61 8 8223 1777
> 31 York St Adelaide, PO BOX 284 Rundle Mall SA 5000
>
>





Re: EAP-MD5 ?

2002-03-21 Thread John Lindsay

At 03:21 AM 22/03/02, Alan DeKok wrote:
>"Derek M. Harkness" <[EMAIL PROTECTED]> wrote:
> > Okay so if I'm following this correctly and from my understanding of RFC
> > 2869, EAP doesn't simply "encrypt" or wrap the normal radius process.
> > With that said where does the authentication information come from?
>
>   From EAP magic.  It just gets transported in a RADIUS packet.
>
>   EAP *replaces* the normal username/password authentication.


I've just studied this with Cisco and I can steal a clear explanation from 
the notes.

To make it clear for everyone, the supplicant is the software on the client 
(machine with the wireless card).

The EAP process doesn't start until the client has associated with the 
Access Point using Open authentication.  If this process isn't crystal 
clear you need to go away and gain understanding.

Once the association is made the AP blocks all traffic that is not 802.1x 
so although associated the connection only has value for EAP.  Any EAP 
traffic is passed to the radius server and any radius traffic is passed 
back to the client.

So, after the client has associated to the Access Point, the supplicant 
starts the process for using EAP over LAN by asking the user for their 
logon and password.

Using 802.1x and EAP the supplicant sends the username and a one-way hash 
of the password to the AP.

The AP encapsulates the request and sends it to the RADIUS server.

The radius server needs a plaintext password so that it can perform the 
same one-way hash to determine that the password is correct.  If it is, the 
radius server issues an access challenge which goes back via the AP to 
the client. (my study guide says client but my brain says 'supplicant')

The client sends the EAP response to the challenge via the AP to the RADIUS 
server.

If the response is valid the RADIUS server sends a success message and the 
session WEP key (EAP over wireless) to the client via the AP.  The same 
session WEP key is also sent to the AP in the success packet.

The client and the AP then begin using session WEP keys. The WEP key used 
for multicasts is then sent from the AP to the client.  It is encrypted 
using the session WEP key.


--
John Lindsay - Engineering Services Manager
Internode Professional Access
ph +61 8 8223 2999 fx +61 8 8223 1777
31 York St Adelaide, PO BOX 284 Rundle Mall SA 5000





Re: EAP-MD5 ?

2002-03-21 Thread Raghu

"Derek M. Harkness" wrote:
> 
> The segfault seems to only occur on the Solaris.  I recompiled on a linux
> box to test it, EAP auth still fails but at least the server doesn't die.
> 

To figure out why EAP auth is failing, can you post the server logs?

Have you got the chance to apply the patch I posted yesterday 
& check it on Solaris ?


-Raghu




Re: EAP-MD5 ?

2002-03-21 Thread Alan DeKok

"Derek M. Harkness" <[EMAIL PROTECTED]> wrote:
> Okay so if I'm following this correctly and from my understanding of RFC 
> 2869, EAP doesn't simply "encrypt" or wrap the normal radius process.  
> With that said where does the authentication information come from?

  From EAP magic.  It just gets transported in a RADIUS packet.

  EAP *replaces* the normal username/password authentication.

  Alan DeKok.




Re: EAP-MD5 ?

2002-03-21 Thread Derek M. Harkness


On Thursday, March 21, 2002, at 10:44  AM, Alan DeKok wrote:

>   PAM authenticates username/passwords.  My understanding of EAP is
> that if you're doing EAP authentication over RADIUS, then there may
> not be a username/password in the RADIUS packet.
>
>   Therefore you can't do PAM authentication with EAP.
>
>   Ok.. 0.5 also has rlm_krb5. :)
>
>   I don't know enough about EAP to know how it does authorization.
> But from reading RFC 2869 (RADIUS extensions, including EAP), it
> looks to me like EAP is mainly for authentication, and that
> "old-style" RADIUS username/password attributes don't appear in
> RADIUS packets with EAP.

Okay so if I'm following this correctly and from my understanding of RFC 
2869, EAP doesn't simply "encrypt" or wrap the normal radius process.  
With that said where does the authentication information come from?

Derek





Re: EAP-MD5 ?

2002-03-21 Thread Alan DeKok

"McNutt, Justin M." <[EMAIL PROTECTED]> wrote:
> The EAP client (Aironet, BPS2K, etc.) authenticates to FreeRADIUS, but
> FreeRADIUS itself needs authoritative information somewhere, hence PAM. 

  PAM authenticates username/passwords.  My understanding of EAP is
that if you're doing EAP authentication over RADIUS, then there may
not be a username/password in the RADIUS packet.

  Therefore you can't do PAM authentication with EAP.

> I, for example, wish to authenticate users against a Kerberos server, so
> my unix machines use PAM and pam_krb5.so.

  Ok.. 0.5 also has rlm_krb5. :)

> So with FreeRADIUS, I should (hopefully) be able to use the Kerberos
> server (via PAM) to *authenticate* users, but use the raddb/users
> database to *authorize* users (EAP attributes).

  I don't know enough about EAP to know how it does authorization.
But from reading RFC 2869 (RADIUS extensions, including EAP), it
looks to me like EAP is mainly for authentication, and that
"old-style" RADIUS username/password attributes don't appear in
RADIUS packets with EAP.

  Alan DeKok.




RE: EAP-MD5 ?

2002-03-21 Thread McNutt, Justin M.

>   Again, I don't understand why you have it set up to do PAM
> authentication, in addition to EAP.  It should do one OR the other.

Actually, I'm planning to do this myself...

The EAP client (Aironet, BPS2K, etc.) authenticates to FreeRADIUS, but FreeRADIUS 
itself needs authoritative information somewhere, hence PAM.  I, for example, wish to 
authenticate users against a Kerberos server, so my unix machines use PAM and 
pam_krb5.so.

So with FreeRADIUS, I should (hopefully) be able to use the Kerberos server (via PAM) 
to *authenticate* users, but use the raddb/users database to *authorize* users (EAP 
attributes).

--J




Re: EAP-MD5 ?

2002-03-21 Thread Alan DeKok

"Derek M. Harkness" <[EMAIL PROTECTED]> wrote:
> If I don't do the Auth-Type := EAP then pam complains that I need a 
> User-Password field which the wireless AP appears to not be passing.

  Why are you doing PAM authentication when the wireless AP is trying
to do EAP?

> Again without the order change the eap auth requests never seem to be 
> processed.  During the auth process I get module eap returned updated 
> and then pam complains that I don't have a User-Password field. 

  Again, I don't understand why you have it set up to do PAM
authentication, in addition to EAP.  It should do one OR the other.

  Alan DeKok.




Re: EAP-MD5 ?

2002-03-21 Thread Derek M. Harkness

The segfault seems to only occur on the Solaris.  I recompiled on a linux 
box to test it, EAP auth still fails but at least the server doesn't die.

Derek

On Wednesday, March 20, 2002, at 09:21  PM, Alan DeKok wrote:

> Raghu <[EMAIL PROTECTED]> wrote:
>> Same problem is reported a week back.
>> We need to figure out why EAP-Length is 0
>> and still it frames the EAP-packet.
>
>   Still, the server shouldn't core dump.
>
>   The EAP module *should* check for that error condition, log a
> complaint error message, and discard the EAP session.
>
>   Alan DeKok.
>





Re: EAP-MD5 ?

2002-03-21 Thread Derek M. Harkness

I'm attempting to use the same radius server to authenticate both my 
vpn and wireless.  I'm using Pam because the unix box running the radius 
server is using nis.

Derek

On Thursday, March 21, 2002, at 09:58  AM, Alan DeKok wrote:

> "Derek M. Harkness" <[EMAIL PROTECTED]> wrote:
>> If I don't do the Auth-Type := EAP then pam complains that I need a
>> User-Password field which the wireless AP appears to not be passing.
>
>   Why are you doing PAM authentication when the wireless AP is trying
> to do EAP?
>
>> Again without the order change the eap auth requests never seem to be
>> processed.  During the auth process I get module eap returned updated
>> and then pam complains that I don't have a User-Password field.
>
>   Again, I don't understand why you have it set up to do PAM
> authentication, in addition to EAP.  It should do one OR the other.
>
>   Alan DeKok.
>





Re: EAP-MD5 ?

2002-03-21 Thread Derek M. Harkness


On Wednesday, March 20, 2002, at 07:03  PM, Alan DeKok wrote:

>   You shouldn't need to do that.  The EAP authentication should be
> picked automatically.
>
>   That is, by using 'Auth-Type := EAP', you make *every*
> authentication use EAP, even if they didn't ask for it.
>

If I don't do the Auth-Type := EAP then pam complains that I need a 
User-Password field which the wireless AP appears to not be passing.

>> In radiusd.conf under authenticate I moved eap to the top of the list.
>
>   The order shouldn't matter, so that's OK.

Again without the order change the eap auth requests never seem to be 
processed.  During the auth process I get module eap returned updated 
and then pam complains that I don't have a User-Password field.  I know 
the radius server is working with my account information since I can use 
it to auth my vpn gateway.

>
>   Look at the core dump using gdb, to see where/why it dies.  See
> 'doc/bugs', I think.

Thanks for the information; I will check it out!

Derek





Re: EAP-MD5 ?

2002-03-20 Thread Raghu

Raghu wrote:

> So there is no way that Zero length EAP-packets are allowed.
> 
> Probably, I am overlooking.

I am suspecting that it is something to do with Byte Ordering.

Please let me know if the following patch fixes the
problem or not, as I am not able to simulate the problem.

-Raghu


--- eap.c   2002/01/22 21:45:08 1.4
+++ eap.c   2002/03/21 03:36:13
@@ -357,7 +357,7 @@
 int eap_wireformat(EAP_PACKET *reply)
 {
eap_packet_t*hdr;
-   int total_length = 0;
+   unsigned short  total_length = 0;
 
if (reply == NULL) return EAP_INVALID;
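
Review bot: In eap_wireformat(), narrowing total_length to unsigned short at its declaration does not by itself guarantee a correct Length field, because the visible lines show neither a range check nor how the value is stored into hdr. If the sum of header and type data can exceed 65535 it now wraps silently, so check the computed size before the store and return EAP_INVALID on overflow, as the NULL check on reply already does for a missing packet. Please also confirm the store goes through htons() rather than a raw copy of the variable: a raw copy of the first two bytes of an int yields 0 on a big-endian host, which would match the zero EAP-Length and the Solaris-only crash reported in this thread. A one-line comment on the declaration saying the width mirrors the 16-bit wire field would help the next reader.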



