Re: EAP-TLS problem

2003-08-28 Thread Alan DeKok
Jason Haar <[EMAIL PROTECTED]> wrote:
> The only way I've found to get it to work is to manually
...
> There must be a cleaner way... Besides moving to another distro ;-)

  Find out what is in 0.9.7b, which isn't in 0.9.6, and create patches
for FreeRADIUS to work with 0.9.6.

  The server can get better only if people submit patches.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TLS problem

2003-08-27 Thread Jason Haar
On Thu, Aug 28, 2003 at 01:16:18AM +1000, Paul Hampson wrote:
> Was this because you linked against one, but tried to run against
> the other, or is there a problem between OpenSSL 0.9.6 and FreeRADIUS's
> EAP-TLS?

This wouldn't be a Redhat machine would it?

For better or worse, Redhat still insists on pushing out patched
openssl-0.96 stuff instead of the current 0.97 tree - which the FreeRADIUS docs
list as a REQUIREMENT to get it working.

As just about every third app these days is linked against OpenSSL, it's
basically impossible to replace the RH OpenSSL install with 0.97 - leaving
FreeRADIUS in a hard place.

The only way I've found to get it to work is to manually compile and install
0.97 under (say) /usr/local/ssl-0.97b, then move all the /usr/lib 0.96
libraries aside, rename /usr/include/openssl to something else, and put
symlinks in to the 0.97 stuff. Then compile FreeRADIUS, but run it under
LD_LIBRARY_PATH=/usr/local/ssl-0.97b/lib. Oh yeah, and don't forget to
reverse out all those renames afterwards otherwise you'll have one hell of a
broken system.

There must be a cleaner way... Besides moving to another distro ;-)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Re: EAP-TLS problem

2003-08-27 Thread Alan DeKok
pankaj Goel <[EMAIL PROTECTED]> wrote:
> Yeah it makes sense, but I am using the same
> compilation and run-time variables for both the 0.8.1
> and cvs version like
> LD_LIBRAY_PATH=/usr/local/openssl/lib
> 
> The following libs are included when I do a 
> 
> ldd /usr/local/sbin/radiusd
> /lib/libssl.so.0.9.7a => /lib/libssl.so.0.9.7a

  You need 0.9.7b, don't ask me why.

  Alan DeKok.



RE: EAP-TLS problem

2003-08-27 Thread pankaj Goel

--- Paul Hampson <[EMAIL PROTECTED]> wrote:
> > From: Fabrice Beauvir
> > Sent: Thursday, 28 August 2003 12:47 AM
> 
> > pankaj Goel wrote:
> > 
> > >TLS_accept: before/accept initialization
> > >Segmentation fault
> 
> > I got the same thing with using wrong libcrypto
> (0.9.6 instead 0.9.7) 
> > shared library.
> 
> > Check your LD_LIBRARY_PATH
> 
> Was this because you linked against one, but tried
> to run against
> the other, or is there a problem between OpenSSL
> 0.9.6 and FreeRADIUS's
> EAP-TLS?
> 
> --

Yeah it makes sense, but I am using the same
compilation and run-time variables for both the 0.8.1
and cvs version like
LD_LIBRAY_PATH=/usr/local/openssl/lib

The following libs are included when I do a 

ldd /usr/local/sbin/radiusd
    /lib/libssl.so.0.9.7a => /lib/libssl.so.0.9.7a (0x40017000)
    /lib/libcrypto.so.0.9.7a => /lib/libcrypto.so.0.9.7a (0x4004c000)
    libcrypt.so.1 => /lib/libcrypt.so.1 (0x40151000)
    libnsl.so.1 => /lib/libnsl.so.1 (0x4017e000)
    libresolv.so.2 => /lib/libresolv.so.2 (0x40193000)
    libpthread.so.0 => /lib/tls/libpthread.so.0 (0x401a6000)
    libradius-0.9-pre.so => /usr/local//lib/libradius-0.9-pre.so (0x401b3000)
    libltdl.so.3 => /usr/lib/libltdl.so.3 (0x401c5000)
    libdl.so.2 => /lib/libdl.so.2 (0x401cc000)
    libc.so.6 => /lib/tls/libc.so.6 (0x4200)
    libgssapi_krb5.so.2 => /usr/kerberos/lib/libgssapi_krb5.so.2 (0x401cf000)
    libkrb5.so.3 => /usr/kerberos/lib/libkrb5.so.3 (0x401e3000)
    libk5crypto.so.3 => /usr/kerberos/lib/libk5crypto.so.3 (0x40241000)
    libcom_err.so.3 => /usr/kerberos/lib/libcom_err.so.3 (0x40251000)
    libz.so.1 => /usr/lib/libz.so.1 (0x40253000)
    /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x4000)


Pankaj.




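Several messages in this thread (Fabrice's "wrong libcrypto", Jason's LD_LIBRARY_PATH workaround, Alan's "you need 0.9.7b") come down to one question: which libssl/libcrypto does the dynamic loader actually hand to radiusd? The posted ldd output answers it, but reading it by eye is error-prone. The script below is an added example, not code from the thread or from FreeRADIUS: it parses ldd output and reports whether libssl and libcrypto resolve under the OpenSSL tree you intended. The two ldd samples are constructed; the first mirrors the output posted above, the second is what a build that really uses a tree under /usr/local/openssl/lib would show (that prefix is an assumption taken from the LD_LIBRARY_PATH value in the thread).

```shell
#!/bin/sh
# Added example, not from the thread or from FreeRADIUS: given the output
# of `ldd radiusd`, report which libssl/libcrypto the dynamic loader chose
# and whether they come from the expected OpenSSL library directory.

# Constructed sample 1: mirrors the ldd output posted in the thread.
LDD_SYSTEM='/lib/libssl.so.0.9.7a => /lib/libssl.so.0.9.7a (0x40017000)
    /lib/libcrypto.so.0.9.7a => /lib/libcrypto.so.0.9.7a (0x4004c000)
    libcrypt.so.1 => /lib/libcrypt.so.1 (0x40151000)'

# Constructed sample 2: a binary that really resolves against a tree
# installed under /usr/local/openssl (assumed prefix).
LDD_LOCAL='libssl.so.0.9.7 => /usr/local/openssl/lib/libssl.so.0.9.7 (0x40017000)
    libcrypto.so.0.9.7 => /usr/local/openssl/lib/libcrypto.so.0.9.7 (0x4004c000)
    libcrypt.so.1 => /lib/libcrypt.so.1 (0x40151000)'

# resolved_path LDD_OUTPUT LIB : prints the path ld.so chose for LIB
# (libssl or libcrypto), NOTFOUND if ldd reported "not found", and
# nothing at all if the binary has no dependency on LIB.
resolved_path() {
    printf '%s\n' "$1" | awk -v lib="$2" '
        $2 == "=>" && $1 ~ ("^(.*/)?" lib "\\.so") {
            p = $3
            if (p == "not") p = "NOTFOUND"
            print p
            exit
        }'
}

# so_version PATH : version suffix of a libssl/libcrypto path,
# e.g. /lib/libssl.so.0.9.7a -> 0.9.7a
so_version() { printf '%s\n' "${1##*.so.}"; }

# check_openssl_link LDD_OUTPUT EXPECTED_LIBDIR : returns 0 when both
# libssl and libcrypto resolve to files under EXPECTED_LIBDIR, 1 otherwise,
# printing one line per library.
check_openssl_link() {
    rc=0
    for lib in libssl libcrypto; do
        path=$(resolved_path "$1" "$lib")
        case "$path" in
            "$2"/*)   printf '%s: OK, %s (%s)\n' "$lib" "$path" "$(so_version "$path")" ;;
            NOTFOUND) printf '%s: not found by the loader\n' "$lib"; rc=1 ;;
            "")       printf '%s: the binary is not linked against it\n' "$lib"; rc=1 ;;
            *)        printf '%s: MISMATCH, loader picked %s (%s)\n' \
                          "$lib" "$path" "$(so_version "$path")"; rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone usage: the thread's output fails the check.
check_openssl_link "$LDD_SYSTEM" /usr/local/openssl/lib ||
    echo "radiusd would run against the system OpenSSL, not the tree under /usr/local/openssl"
```

Two things worth knowing when the check fails even though LD_LIBRARY_PATH is set. First, the shell silently ignores a misspelt variable name, so the name must be exactly LD_LIBRARY_PATH. Second, ld.so searches LD_LIBRARY_PATH only for dependencies recorded without a slash; when the left-hand side of an ldd line is an absolute path (as with /lib/libssl.so.0.9.7a in the posted output), the binary asks for that exact file and no LD_LIBRARY_PATH setting will redirect it. In that case the fix is to relink radiusd against the intended tree (-L pointing at it, and an rpath if you want to avoid the environment variable) rather than to adjust the environment at run time.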


RE: EAP-TLS problem

2003-08-27 Thread Paul Hampson
> From: Fabrice Beauvir
> Sent: Thursday, 28 August 2003 12:47 AM

> pankaj Goel wrote:
> 
> >TLS_accept: before/accept initialization
> >Segmentation fault

> I got the same thing with using wrong libcrypto (0.9.6 instead 0.9.7) 
> shared library.

> Check your LD_LIBRARY_PATH

Was this because you linked against one, but tried to run against
the other, or is there a problem between OpenSSL 0.9.6 and FreeRADIUS's
EAP-TLS?

--
=
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

This is a one line proof...if we start
sufficiently far to the left.
-- Cambridge University Math Department
-
Random signature generator 3.0 by Paul "TBBle" Hampson
=




Re: EAP-TLS problem

2003-08-27 Thread Fabrice Beauvir
pankaj Goel wrote:

TLS_accept: before/accept initialization
Segmentation fault
 

I got the same thing with using wrong libcrypto (0.9.6 instead 0.9.7) 
shared library.

Check your LD_LIBRARY_PATH



Re: EAP-TLS PROBLEM

2003-08-14 Thread diomedes
Hi,
Follow the steps of this article about dynamic libraries
http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm

good luck

omar.

wen-hong wrote:

> Fri Aug 8 14:13:30 2003 : Info: Using deprecated naslist file. Support
> for this will go away soon.
> Fri Aug 8 14:13:30 2003 : Info: Using deprecated clients file. Support
> for this will go away soon.
> Fri Aug 8 14:13:30 2003 : Info: Using deprecated realms file. Support
> for this will go away soon.
> Fri Aug 8 14:13:30 2003 : Error: rlm_eap: Failed to link EAP-Type/tls:
> file not found
> Fri Aug 8 14:13:30 2003 : Error: radiusd.conf[596]: eap: Module
> instantiation failed.
> why can it not link to eap-tls?
> Please help me,thanks...
>





Re: EAP/TLS problem solved (almost...)

2003-08-14 Thread Artur Hecker
you can DEFINITELY use openssl in order to produce valid certificates, 
both for windows AND freeradius (which uses openssl).

the certification path is not valid probably because the root 
certificate which you installed under windows expired.

ciao
artur
Antti Mattila wrote:

I tried certificates from Adam Sulmicki's cert.tgz package. I set the server date to 28.2 and on the laptop to 28.2. (the certificate is valid from and expires on that day). And the EAP/TLS authentication worked!

I finally got:
Sending Access-Accept of id 50 to 194.142.202.102:6001
    MS-MPPE-Recv-Key = 0x60b16b18235e7a9fde64aabf7ddb3248540cb7dcaff967454af4c39270ae1607
    MS-MPPE-Send-Key = 0x7236809f4cc3667478644304136783a2604a5a3607d9215f279aa97edcfeac2c
    EAP-Message = 0x03090004
    Message-Authenticator = 0x
But the certificate problem still remains. The certificate generated with the script which came from the Freeradius package says on the w2k machine (on the certificate path): "The certificate has a non-valid digital signature". I think this is the problem. Adam's certificate seems fine on the computer.

We will try different OpenSSL versions (we used the versions required in Ken Roser's guide, the SNAP was of course newer) but if this doesn't work we'll try to generate the certificates with the Novell Certificate server that we are using. If it doesn't produce the certificate files needed for Freeradius we need to hire somebody to make the certificates with OpenSSL for us. Fortunately the certificates must be generated only once. So if we get a working certificate set we don't have to hire a consultant to do the stuff ever again.

Best regards:
Antti Mattila




Re: EAP/TLS problem solved (almost...)

2003-08-14 Thread Antti Mattila
>you can DEFINITELY use openssl in order to produce valid certificates, 
>both for windows AND freeradius (which uses openssl).
>
>the certification path is not valid probably because the root 
>certificate which you installed under windows expired.
>
>
>ciao
>artur


I know that many people have managed to get working certificates for Freeradius with 
OpenSSL and more importantly with the same exact script I'm using. I wonder what could 
go wrong maybe it is the OpenSSL version. 

My own generated certificate has valid date as of today and expires after 3 years. 
Windows 2000 shows it correctly under Authentication tab which it doesn't do if the 
certificate has expired.

We'll have to keep trying, and if I don't get it working we'll have to use somebody 
else. After all I'm just a 21 year old summer worker ;-)

Best re




Re: EAP/TLS problem solved (almost...)

2003-08-14 Thread Artur Hecker
that's why i'm trying to reassure you. it probably has nothing to do 
with the version of openssl. every suite has to produce compliant 
certificates. the certificate format is mandated by its form.

just verify all the certificates you installed. it's a small error 
somewhere.



ciao
artur
Antti Mattila wrote:

you can DEFINITELY use openssl in order to produce valid certificates, 
both for windows AND freeradius (which uses openssl).

the certification path is not valid probably because the root 
certificate which you installed under windows expired.

ciao
artur


I know that many people have managed to get working certificates for Freeradius with OpenSSL and more importantly with the same exact script I'm using. I wonder what could go wrong maybe it is the OpenSSL version. 

My own generated certificate has valid date as of today and expires after 3 years. Windows 2000 shows it correctly under Authentication tab which it doesn't do if the certificate has expired.

We'll have to keep trying, and if I don't get it working we'll have to use somebody else. After all I'm just a 21 year old summer worker ;-)

Best re



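Artur's advice across these three messages is "verify all the certificates you installed", and Antti's symptom is a Windows 2000 client rejecting the certificate path. The script below is an added example, not code from the thread and not FreeRADIUS's own certificate scripts: it builds a throwaway root CA and a server certificate with openssl and then runs the checks worth doing before a server certificate is handed to a Windows EAP-TLS client. Those are whether it chains to the root you installed (which also catches a bad signature), whether it is inside its validity dates, and whether it carries the serverAuth extended key usage (OID 1.3.6.1.5.5.7.3.1) that Microsoft's EAP-TLS supplicant requires on the server certificate; that last requirement is Microsoft's documented rule, not something stated in the thread. The working directory, file names and subject names are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeRADIUS: build a test CA
# and server certificate with openssl, then check chain, dates and the
# serverAuth EKU the way a Windows EAP-TLS supplicant effectively does.
# $WORK, the file names and the CNs are assumptions for this example.
WORK=${WORK:-$(mktemp -d)}

# make_ca PREFIX CN : self-signed root certificate PREFIX.pem with key PREFIX.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# issue_server_cert CA_PREFIX PREFIX CN [EKU] : end-entity certificate
# signed by CA_PREFIX; "extendedKeyUsage = EKU" is added only when EKU is given
issue_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    {
        printf 'basicConstraints = CA:FALSE\n'
        if [ -n "$4" ]; then printf 'extendedKeyUsage = %s\n' "$4"; fi
    } > "$2.ext"
    openssl x509 -req -days 365 -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -extfile "$2.ext" -out "$2.pem" 2>/dev/null
}

# verify_chain CERT CAFILE : 0 if CERT's signature and chain verify against
# CAFILE. The text is checked rather than the exit status because old
# openssl releases returned 0 from `verify` even on failure.
verify_chain() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# not_expired CERT : 0 if CERT is currently within its validity period
not_expired() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; }

# has_server_auth_eku CERT : 0 if the EKU extension lists serverAuth
# ("TLS Web Server Authentication" in openssl's text dump)
has_server_auth_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | awk '
        /X509v3 Extended Key Usage/ {
            getline
            if ($0 ~ /TLS Web Server Authentication/) found = 1
        }
        END { exit !found }'
}

# check_server_cert CERT CAFILE : run all three checks, report each,
# return 1 if any of them fails
check_server_cert() {
    rc=0
    if verify_chain "$1" "$2"; then echo "chain:  OK"
    else echo "chain:  FAILED (signature invalid, or not issued by $2)"; rc=1; fi
    if not_expired "$1"; then echo "dates:  OK"
    else echo "dates:  expired"; rc=1; fi
    if has_server_auth_eku "$1"; then echo "EKU:    serverAuth present"
    else echo "EKU:    serverAuth missing"; rc=1; fi
    return $rc
}

# Stand-alone usage: a correctly issued server certificate passes.
if command -v openssl >/dev/null 2>&1; then
    make_ca "$WORK/ca" "Example Root CA"
    issue_server_cert "$WORK/ca" "$WORK/server" radius.example.test serverAuth
    check_server_cert "$WORK/server.pem" "$WORK/ca.pem"
fi
```

Run check_server_cert against the server certificate FreeRADIUS is configured with and the root certificate you actually imported on the Windows machine. A chain failure with a root that is not the real issuer is exactly the "wrong certificate installed" case Artur describes; a chain failure with the correct root points at the certificate or signature itself.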


Re: EAP-TLS Problem

2002-12-09 Thread Artur Hecker

hi


the thread name is actually wrong since this is not a problem in
EAP-TLS.


> I have a wireless network with cisco aironet 350 AP and a cisco card
> and I use win xp as
> supplicant.
> If I don't use (in win XP) the "the key is provided for me
> automatically" it's all ok.

nice, so EAP-TLS is working just fine. what you want is dynamic wep
keys.


> When I enable that option I have same problems, the authentication is
> ok the cisco ap write
> status="EAP Authenticated, BOOTP/DHCP" but it's not possible take the
> ip address with the DHCP
> and the connection is not enable, the cisco aironet client utilities
> indicate that the radio
> connection is good.

exactly, because the WEP keys are not the same at the supplicant and the
client (ap).


> I have read that in the authentication exchange freeradius send the
> session key (with MPPE) at
> the AP.
> It's possible that I have not configured the cisco AP or Freeradius in
> the right manner.

very probably even. in future requests, please provide the version
of freeradius and the complete debug output (radiusd -s -X).

however, you have a good basis for succeeding, so further requests might
not be necessary :-) your EAP-TLS authentication works fine, you say.
congratulations, since that's the "difficult" part of the whole story.
now just grab the newest version of FR available, compile the
rlm_eap_tls, verify that you have some *mppe*.c files in the concerned
directory and that there are no compilation/linking errors.

then, start the new server and look at the radiusd -s -X output. if the
Access-Accept sent to the AP350 contains two MPPE-*-Key attributes with
values, everything should be ok for freeradius so far (when updating,
update the dictionaries too). then, you only need to alter the config of
the AP350 appropriately (activate encryption and either provide a
wep-key in the Slot1 or set the broadcast key rotation interval to >0).


greetings
artur



-- 
Artur Hecker
artur[at]hecker.info

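Artur's test for the server side is that the Access-Accept in the radiusd -s -X output carries two MS-MPPE-*-Key attributes with values; without them the AP has no session key and dynamic WEP cannot work. The script below is an added example, not code from the thread or from FreeRADIUS: it pulls those attributes out of debug output and checks both are present with the 32-byte values EAP-TLS derives. The first sample is the Access-Accept Antti posted earlier in this thread (one attribute per line); the second is a constructed Access-Accept with the keys missing.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeRADIUS: check that the
# Access-Accept in `radiusd -X` output carries both MS-MPPE keys.

# Sample 1: the Access-Accept posted in the thread, one attribute per line.
ACCEPT_WITH_KEYS='Sending Access-Accept of id 50 to 194.142.202.102:6001
    MS-MPPE-Recv-Key = 0x60b16b18235e7a9fde64aabf7ddb3248540cb7dcaff967454af4c39270ae1607
    MS-MPPE-Send-Key = 0x7236809f4cc3667478644304136783a2604a5a3607d9215f279aa97edcfeac2c
    EAP-Message = 0x03090004'

# Sample 2 (constructed): an Access-Accept without the keys, which is what
# a server built without the MPPE code would send.
ACCEPT_NO_KEYS='Sending Access-Accept of id 51 to 194.142.202.102:6001
    EAP-Message = 0x03090004'

# mppe_key_hex DEBUG_TEXT ATTR : hex digits of ATTR inside the Access-Accept
# (empty if absent). Attribute lines after the next packet boundary are ignored.
mppe_key_hex() {
    printf '%s\n' "$1" | awk -v attr="$2" '
        /^Sending Access-Accept/ { in_accept = 1; next }
        /^(Sending|rad_recv:)/   { in_accept = 0 }
        in_accept && $1 == attr && $2 == "=" {
            v = $3
            sub(/^0x/, "", v)
            print v
            exit
        }'
}

# mppe_keys_ok DEBUG_TEXT : 0 if MS-MPPE-Recv-Key and MS-MPPE-Send-Key are
# both present with 32-byte (64 hex digit) values, 1 otherwise, with a
# one-line reason on stdout.
mppe_keys_ok() {
    for attr in MS-MPPE-Recv-Key MS-MPPE-Send-Key; do
        hex=$(mppe_key_hex "$1" "$attr")
        if [ -z "$hex" ]; then
            echo "$attr missing: the AP receives no session key, dynamic WEP cannot work"
            return 1
        fi
        if [ "${#hex}" -ne 64 ]; then
            echo "$attr is ${#hex} hex digits, expected 64"
            return 1
        fi
    done
    echo "both MS-MPPE keys present (32 bytes each)"
}

# Stand-alone usage.
mppe_keys_ok "$ACCEPT_WITH_KEYS"
mppe_keys_ok "$ACCEPT_NO_KEYS" || echo "rebuild rlm_eap_tls with the *mppe*.c files and update the dictionaries"
```

Feed it the full radiusd -s -X capture of one authentication (for example via mppe_keys_ok "$(cat debug.log)"). When both keys are present the server side is done and, as Artur says, the remaining work is on the AP: encryption enabled and either a key in slot 1 or a broadcast key rotation interval above zero.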



Re: EAP-TLS problem - "rlm_eap: State verification failed"

2002-04-10 Thread Alan DeKok

Sebastian Rieger <[EMAIL PROTECTED]> wrote:

> The messages look quite ok, but as soon as the secand request is
> handeled EAP is complainig about "rlm_eap: State verification
> failed.". As I looked out for the State Attribute of the last
> message, I found it some chars shorter than it was in the message
> before.

  That's the problem.

> tried to adjust the fragment size, but could'nt solve the
> problem. The packet has a length of 144 bytes, so it should not be a
> big deal with (standard) 1024 byte fragments.

  The fragment size isn't the problem.  The problem is that the RADIUS
client is chopping the state off at 16 bytes.  This means that the
RADIUS client isn't implementing the RFC's properly.

  You have two choices:

 1. Edit the rlm_eap code so that it generates a state which is only
16 bytes.  This MAY be feasible.

 2. Complain to whoever wrote the RADIUS client, and tell them to fix
their software so that it actually implements the RADIUS RFC's,
instead of being broken.

  Alan DeKok.




Re: EAP-TLS problem - "rlm_eap: State verification failed"

2002-04-10 Thread Raghu

Sebastian Rieger wrote:
> 
> Hi there!
> 
> I've got a big prob. Thanks to the excellent howto of Adam Sulmicki, I finally
> managed to move back from my Win2k RADIUS towards freeRADIUS. I'm using
> freeRADIUS with eap tls enabled (cvs snaptshot 2002-04-08), a 3Com 8000 WLAN
> AP and xsupplicant under Linux to auth via 802.1x/EAP-TLS.
> 
> The messages look quite ok, but as soon as the secand request is handeled EAP
> is complainig about "rlm_eap: State verification failed.". As I looked out
> for the State Attribute of the last message, I found it some chars shorter
> than it was in the message before. I tried to adjust the fragment size, but
> could'nt solve the problem. The packet has a length of 144 bytes, so it
> should not be a big deal with (standard) 1024 byte fragments.

State Attribute has nothing to do with the Fragment size.
Fragment size is meant for EAP-TLS packet only.



> State =
> 0x3df30ad930886ee1c76b2ec405f54c47455db43c219ab001a93e6b8dfbf601baf54db839

> rad_recv: Access-Request packet from host 134.76.4.7:1812, id=12, length=144
> State = 0x3df30ad930886ee1c76b2ec405f54c47455db43c219a

The problem is here.
Radius Server is sending Access-Challenge packet with State Attribute.
During the Challenge response, Your AP should send the same 
State Attribute UN-MODIFIED.

Find out why your AP is truncating this Value.

-Raghu

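Both replies above say the same thing: the State attribute FreeRADIUS sends in the Access-Challenge must come back byte for byte in the next Access-Request, and here it came back shorter. The script below is an added example, not code from the thread or from FreeRADIUS: it pairs each Access-Challenge with the following Access-Request in radiusd -X output and reports whether State survived the round trip, with the lengths on both sides. The two State values are the ones Sebastian quoted; the "Sending Access-Challenge" line and the intact second sample are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeRADIUS: verify that the
# RADIUS client echoes State from an Access-Challenge unmodified in the
# following Access-Request, which is what "State verification failed" means.

# Sample 1: the State values quoted in the thread (challenge line constructed).
TRUNCATED_STATE='Sending Access-Challenge of id 11 to 134.76.4.7:1812
    State = 0x3df30ad930886ee1c76b2ec405f54c47455db43c219ab001a93e6b8dfbf601baf54db839
rad_recv: Access-Request packet from host 134.76.4.7:1812, id=12, length=144
    State = 0x3df30ad930886ee1c76b2ec405f54c47455db43c219a'

# Sample 2 (constructed): the same exchange with a client that behaves.
INTACT_STATE='Sending Access-Challenge of id 11 to 134.76.4.7:1812
    State = 0x3df30ad930886ee1c76b2ec405f54c47455db43c219ab001a93e6b8dfbf601baf54db839
rad_recv: Access-Request packet from host 134.76.4.7:1812, id=12, length=158
    State = 0x3df30ad930886ee1c76b2ec405f54c47455db43c219ab001a93e6b8dfbf601baf54db839'

# state_roundtrip DEBUG_TEXT : for each Access-Challenge/Access-Request pair
# prints "ok <bytes>" or "mismatch <sent_bytes> <echoed_bytes>"; returns 1
# if any State came back altered.
state_roundtrip() {
    printf '%s\n' "$1" | awk '
        /^Sending Access-Challenge/ { side = "challenge"; next }
        /^rad_recv: Access-Request/ { side = "request";   next }
        $1 == "State" && $2 == "=" {
            v = $3
            sub(/^0x/, "", v)
            if (side == "challenge") {
                sent = v
            } else if (side == "request" && sent != "") {
                if (v == sent) {
                    printf "ok %d\n", length(v) / 2
                } else {
                    printf "mismatch %d %d\n", length(sent) / 2, length(v) / 2
                    bad = 1
                }
                sent = ""
            }
        }
        END { exit bad }'
}

# Stand-alone usage: the thread's exchange is reported as a mismatch.
state_roundtrip "$TRUNCATED_STATE" ||
    echo "the RADIUS client is not returning State byte for byte"
```

A mismatch here with sane fragment sizes confirms Raghu's and Alan's diagnosis that the AP, not the EAP-TLS fragmentation, is at fault. The reported lengths also tell you how short a State the client does pass through, which is the number you would need if you went with Alan's first option of generating a shorter State.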