Overriding Auth Type in Post Auth

2010-03-31 Thread Johan Meiring

Hi,

In another recent email Alan mentioned that you cannot override a reject in
Post-Auth:

 post-auth {
     Post-Auth-Type REJECT {
         #  attr_filter.access_reject
         Auth-Type := Accept
     }
 }

  It's too late to over-ride the reject at that point.

I want to implement something differently.
I want to override an Accept to a Reject in post-auth (using rlm_perl).

I got the impression from another email that that is possible:

 I basically want freeradius to do the PAP/CHAP stuff and AFTER that I
 want to do things like check the user's CAP.

  Use post-auth.

The way this sounds, is that you can change an Accept into a Reject, but not
the other way around in post-auth.

Or am I confused?

Thanks,

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Multiple LDAP searches

2010-03-31 Thread Leighton Man

I am setting up freeradius 2.1.6 and seem to be stuck on how to go about
setting up my ldap module to search multiple basedns if the user is not found
in the first. I have four that I need to search in my LDAP tree but cannot
figure out the correct way to make it search more than one. I feel like this
is probably something simple I'm missing but can't seem to see it atm.

Hi,
I have two instances defined in modules/ldap:

ldap ldap_staff {
    ...
    basedn = "ou=staff, ..."
    ...
}

ldap ldap_student {
    ...
    basedn = "ou=student, ..."
    ...
}

Then, in the authorize section:

ldap_staff
if (ok) {
    # whatever stuff you need
}
else {
    ldap_student
    if (ok) {
        # whatever other stuff you need
    }
    else {
        reject
    }
}

In my case the stuff returns cisco av pairs to control the switches. The
user is rejected if they don't exist in either the staff or the student ou.

Hope this helps,

Leighton




problem with PEAP/MSCHAPv2

2010-03-31 Thread Christian Pinedo Zamalloa
hello,

I have found some errors in my freeradius server logs. It seems that some
clients are having problems authenticating against them. I'm using
PEAP/MSCHAPv2 with the latest freeradius version and SUSE OS.

Mon Mar 29 14:20:56 2010 : Error: TLS Alert write:fatal:protocol version
Mon Mar 29 14:20:56 2010 : Error: rlm_eap: SSL error error:1408F10B:SSL
routines:SSL3_GET_RECORD:wrong version number
Mon Mar 29 14:20:56 2010 : Error: SSL: SSL_read failed in a system call
(-1), TLS session fails.

I have debugged the servers and when this error appears there are differences
in the TLS negotiation of PEAP:

example of successful negotiation:


[peap] processing EAP-TLS
  TLS Length 102
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap]  TLS 1.0 Handshake [length 0061], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap]  TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap]  TLS 1.0 Handshake [length 05aa], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap]  TLS 1.0 Handshake [length 020d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap]  TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED

example of unsuccessful negotiation:


[peap] processing EAP-TLS
  TLS Length 109
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]  TLS 1.0 Handshake [length 0061], ClientHello
[peap] TLS_accept: SSLv3 read client hello C
[peap]  TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap]  TLS 1.0 Handshake [length 05aa], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap]  TLS 1.0 Handshake [length 020d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap]  TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap]  Unknown TLS version [length 0002]
TLS Alert write:fatal:protocol version
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
rlm_eap: SSL error error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4
[peap] EAPTLS_OTHERS


I will look at whether something is badly configured in the user's wifi profile, but
has anybody had this problem previously? Thanks,

-- 
Christian Pinedo Zamalloa (zako)
PGP keyID: 0x828D0C80
Fingerprint: 7BFF 4105 F46B 7977 BD96  348C 1007 4FF8 828D 0C80

Re: problem with PEAP/MSCHAPv2

2010-03-31 Thread Matt Harlum
Hi,

What OS is the client machine running?

It would seem like an issue with the client to me.



Regards,
Matt Harlum

On 31/03/2010, at 8:31 PM, Christian Pinedo Zamalloa wrote:

 wrong version number



Dan Schaffer is not in the office

2010-03-31 Thread Dan Schaffer

I will be out of the office starting Wed 03/31/2010 and will not return
until Thu 04/01/2010.

I will have limited email and voicemail access during the week at the
Phoenix Contact Kickoff meetings.  If this is an urgent issue, please
contact our Tech Support group at 800-586-5525.

Thanks,
Dan



Somewhat OT: Windows Vista annoyance: sends local login credentials

2010-03-31 Thread Sergio Belkin
2010/3/30 Julien Savoie julien.sav...@usainteanne.ca:
 Check if you have this enabled in radiusd.conf

     mschap {
         with_ntdomain_hack = yes
     }

     realm ntdomain {
         format = prefix
         delimiter = "\\"
         ignore_default = no
         ignore_null = no
     }

 and proxy.conf

     realm DEFAULT {
         strip
     }

 If you only have one domain this will work.  If you have different domains
 you'll need to setup the individual realms.  Sounds like in your case you
 don't though.



Hi Julien, file /etc/raddb/modules/mschap is as the original one.  I use
no domain, only user+password. Sorry, but I forgot the subject before.

Thanks in advance!

 Sergio Belkin wrote:

 There are a few log entries like as follows:
  Auth: Login incorrect (rlm_ldap: User not found):
  [QSARGENTINA\\amumenthaler] (from client UP-PVIII-VIII-Bis port 0 via
  TLS tunnel)

 Please could you help me to find a fix?




-- 
--
Open Kairos http://www.sergiobelkin.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -



Re: Somewhat OT: Windows Vista annoyance: sends local login credentials

2010-03-31 Thread Julien Savoie

Sergio Belkin wrote:

 and proxy.conf

     realm DEFAULT {
         strip
     }

 If you only have one domain this will work.  If you have different domains
 you'll need to setup the individual realms.  Sounds like in your case you
 don't though.

 Hi Julien, file /etc/raddb/modules/mschap is as the original one.  I use
 no domain, only user+password. Sorry, but I forgot the subject before.

Then you want to by default strip any realm/domain information off the
request.  Information provided should be sufficient.



Handling dynamic IPs for clients

2010-03-31 Thread Fahd Kasri
Hi all,

I have several clients connected to my freeradius server, but these clients
have dynamic IPs. I have set up scripts on the clients for sending their IPs
to the server and scripts on the server to restart freeradius when an IP
address has changed. The problem is that there is always someone who can't
be authenticated because the client's IP hasn't been refreshed on
the server. Is anybody in a similar situation? If so, do you have a better
solution?

Thanks.

-- 
Fahd

Multiple EAP-TLS modules with different certificates

2010-03-31 Thread Thibault Le Meur

Hi,

I'm about to change the CA of my radius server certificate. At the same 
time I've installed a new wifi network and plan to change the SSID as 
well (authentication is EAP-TTLS or EAP-PEAP).


In order to avoid a complete breakout when I change the certificate of 
my radius server (because a manual operation is required on the 
supplicant side to select the new CA), I'd like to configure FR so that:
* when the WiFi client connects to the SSID1, the server uses the old 
certificate and key,
* and when the client uses the SSID2, the radius server uses the new 
certificate and key


Is this possible?

I've already tried such a configuration by:
* defining 2 eap modules, let's say eapOld and eapNew (each with its
own key and cert)
* making sure that depending on the SSID, the access-point sets a
different NAS-Identifier (let's say ID1 and ID2) in the Access-Request
* in the virtual FR server, I've used unlang to run either eap module:

  in authorize:
      if ("%{request:NAS-Identifier}" == "ID1") {
          eapOld {
              ok = return
          }
      }
      if ("%{request:NAS-Identifier}" == "ID2") {
          eapNew {
              ok = return
          }
      }

  in authenticate:
      Auth-Type eapNew {
          eapNew
      }
      Auth-Type eapOld {
          eapOld
      }

  in eap.conf: the two eap modules only differ in their certificate/key;
  they redirect to the same inner-tunnel virtual server.


The result so far is that with such setup my wireless clients can't 
connect at all when they check the certificate, but can connect when 
they don't (no matter what setup is done on the client side). Of course 
I've installed the 2 certificates on the client to check this.


A quick look at FR debug logs confirms, as far as I can read them, that
the client is refusing the radius server certificate.

Is there a client tool to check which certificate is used by FR?
Have I missed something in the setup?

I've tried to turn on the Windows EAP log, but it isn't very easy to read
as far as TLS/TTLS/PEAP authentication is concerned!

Environment: FR is 2.1.1, clients used Windows XP SP3 and Windows 7.

Thanks a lot for your ideas, proposals, ...

Best regards,
Thibault


Re: Somewhat OT: Windows Vista annoyance: sends local login credentials

2010-03-31 Thread Sergio Belkin
2010/3/31 Julien Savoie julien.sav...@usainteanne.ca:
 Sergio Belkin wrote:

 and proxy.conf

     realm DEFAULT {
         strip
     }

 If you only have one domain this will work.  If you have different
 domains
 you'll need to setup the individual realms.  Sounds like in your case you
 don't though.

 Hi Julien, file /etc/raddb/modules/mschap is as the original one.  I use
 no domain, only user+password. Sorry, but I forgot the subject before.

 Then you want to by default strip any realm/domain information off the
 request.  Information provided should be sufficient.

Really thanks, but the problem is that users use their personal
notebooks; they are students, not employees, so Windows login
usernames are not the same as the LDAP ones. It seems that Vista wants
to use SSO and sends their credentials first. Because of that the subject
is somewhat OT, but I guess that someone here has run into that
problem... thanks in advance!

-- 
--
Open Kairos http://www.sergiobelkin.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -



Freeradius + PEAP.. stuck on validating identity..

2010-03-31 Thread Bruno Kremel
Hi,
I have freeradius for WPA2 Enterprise authentication in a small
network in a library; it is the stable version (2.0.4) on Debian Lenny,
compiled from sources with OpenSSL support..
Everything seems to be OK, but when I try to connect to the AP from a laptop
with Windows XP, after I enter name and password I am stuck on
"Validating identity"; same on an Ubuntu machine...
My configuration is pretty much default except for enabling MySQL and
setting paths and passwords to certificates (generated with the make
script in /etc/freeradius/certs, so they should be OK) and addresses
of clients.
This is what freeradius -X gives me when I try to connect to the AP:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.3.1 port 1291, id=0,
length=123
User-Name = pokus
NAS-IP-Address = 192.168.3.1
Called-Station-Id = 00259c523046
Calling-Station-Id = 001e650eb532
NAS-Identifier = 00259c523046
NAS-Port = 9
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020a01706f6b7573
Message-Authenticator = 0x634f3b088572fda3a12eca56ed6035b9
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = pokus, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: EAP packet type response id 0 length 10
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
expand: %{User-Name} -> pokus
rlm_sql (sql): sql_set_user escaped user --> 'pokus'
rlm_sql (sql): Reserving sql socket id: 3
expand: SELECT id, username, attribute, value, op FROM radcheck WHERE
username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username,
attribute, value, op FROM radcheck WHERE username = 'pokus' ORDER BY
id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op FROM radreply WHERE
username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username,
attribute, value, op FROM radreply WHERE username = 'pokus' ORDER BY
id
expand: SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM
radusergroup WHERE username = 'pokus' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type Accept
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [pokus/via Auth-Type = Accept] (from client router port 9
cli 001e650eb532)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 0 to 192.168.3.1 port 1291
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 0 with timestamp +59
Ready to process requests.

To me it seems that name/password was accepted so I have no clue where
the problem is..
Thank you in advance for any help..


Re: Somewhat OT: Windows Vista annoyance: sends local login credentials

2010-03-31 Thread Julien Savoie

Sergio Belkin wrote:

Really thanks, but the problem is that users use their personal
notebooks, they are students, not employees, so Windows login
usernames are not the same that  ldap ones. It seems that Vista wants
to use SSO and sends their credential before. Because of that subject
is somewhat OT, but I guess that someone here was run into that
problem... thanks in advance!
Then what you have is a windows configuration problem and not a 
freeradius problem.  I'd suggest google for howto instructions.



Re: Freeradius + PEAP.. stuck on validating identity..

2010-03-31 Thread Alan DeKok



Bruno Kremel wrote:
 My configuration is pretty much default except of enabling MySQL and
 setting paths and passwords to certificates (generated with make
 script in /etc/freeradius/certs, so they should be OK) and addresses
 of clients.

  And what did you put in SQL?

 expand: %{User-Name} -> pokus
 rlm_sql (sql): sql_set_user escaped user --> 'pokus'
 rlm_sql (sql): Reserving sql socket id: 3
 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE
 username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username,
 attribute, value, op FROM radcheck WHERE username = 'pokus' ORDER BY
 id
 rlm_sql (sql): User found in radcheck table
 expand: SELECT id, username, attribute, value, op FROM radreply WHERE
 username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username,
 attribute, value, op FROM radreply WHERE username = 'pokus' ORDER BY
 id
 expand: SELECT groupname FROM radusergroup WHERE username =
 '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM
 radusergroup WHERE username = 'pokus' ORDER BY priority
...
 rad_check_password: Found Auth-Type Accept
 rad_check_password: Auth-Type = Accept, accepting the user

  Why did you put Auth-Type = Accept in SQL?

  It's breaking the server.  Delete it.

 To me it seems that name/password was accepted so I have no clue where
 is the problem..

  The password was NOT accepted.  It was *ignored*.

  Alan DeKok.


Re: Multiple EAP-TLS modules with different certificates

2010-03-31 Thread Alan DeKok
Thibault Le Meur wrote:
 In order to avoid a complete breakout when I change the certificate of
 my radius server (because a manual operation is required on the
 supplicant side to select the new CA), I'd like to configure FR so that:
 * when the WiFi client connects to the SSID1, the server uses the old
 certificate and key,
 * and when the client uses the SSID2, the radius server uses the new
 certificate and key
 
 Is this possible ?

  Yes.  Others use multiple certs & multiple EAP modules.

 The result so far is that with such setup my wireless clients can't
 connect at all when they check the certificate, but can connect when
 they don't (no matter what setup is done on the client side). Of course
 I've installed the 2 certificates on the client to check this.
 
 A quick look at FR debug logs confirms, as far as I can read them, that
 the client is refusing the radius server certificate.

  I don't think that's in the debug log.

 Is there a client tool to check which certificate is used by FR ?

  wireshark might do it.

 Have I missed something in the setup ?

  Did you test each piece in isolation before putting it all together?

 I've tried to turn on Windows EAP log, but they aren't very easy to read
 as far as TLS/TTLS/PEAP authentication is concerned !

  They're horrible...

  Alan DeKok.


Re: problem with PEAP/MSCHAPv2

2010-03-31 Thread Alan DeKok
Christian Pinedo Zamalloa wrote:
 hello,
 
 I have found some errors in my freeradius server logs. It seems that
 some clients are having problems authenticating against them. I'm using
 PEAP/MSCHAPv2 with the latest freeradius version and SUSE OS.
 
 Mon Mar 29 14:20:56 2010 : Error: TLS Alert write:fatal:protocol version
 Mon Mar 29 14:20:56 2010 : Error: rlm_eap: SSL error error:1408F10B:SSL
 routines:SSL3_GET_RECORD:wrong version number
 Mon Mar 29 14:20:56 2010 : Error: SSL: SSL_read failed in a system call
 (-1), TLS session fails.

  The client is likely doing TLS v1.1, and the OpenSSL libraries don't
support it.

  i.e. the client is *ignoring* TLS negotiation.  They're broken.  Tell
the vendor to fix them.

  Alan DeKok.
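The "wrong version number" error in Christian's log and Alan's diagnosis both come down to the version field in the TLS record-layer header: the failing trace shows a record whose version the server's OpenSSL does not recognise, followed by the "protocol version" alert. The following is an added example, not FreeRADIUS or OpenSSL code and not from either poster; it decodes TLS record headers from constructed byte strings and flags a record version outside an assumed set of versions the server supports (SSLv3 and TLS 1.0 by default, the situation Alan describes for a library without TLS 1.1 support).

```python
"""Decode TLS record-layer headers to show what 'wrong version number' means.

Added example for the PEAP thread above (Christian's log and Alan's reply);
this is not FreeRADIUS or OpenSSL code. The record bytes below are
constructed, not captured from the reporter's network.
"""
import struct

# TLS record content types (RFC 5246, section 6.2.1).
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}

# Record-layer protocol versions; major byte 3 covers SSLv3 and every TLS 1.x.
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

RECORD_HEADER_LEN = 5  # type(1) + major(1) + minor(1) + length(2)

# Assumption for this example: the server's OpenSSL only knows SSLv3 and TLS 1.0,
# which is the situation Alan describes for a library without TLS 1.1 support.
DEFAULT_SUPPORTED = ((3, 0), (3, 1))


def parse_record_header(data):
    """Return (content_type, (major, minor), length) for one record header."""
    if len(data) < RECORD_HEADER_LEN:
        raise ValueError("record header needs %d bytes, got %d" % (RECORD_HEADER_LEN, len(data)))
    content_type, major, minor, length = struct.unpack("!BBBH", data[:RECORD_HEADER_LEN])
    return content_type, (major, minor), length


def classify_record(data, supported=DEFAULT_SUPPORTED):
    """Describe a record roughly the way the '[peap] TLS 1.0 Handshake [length ...]'
    debug lines do, and flag a version the server would not accept."""
    content_type, version, length = parse_record_header(data)
    return {
        "content_type": CONTENT_TYPES.get(content_type, "Unknown(%d)" % content_type),
        "version": VERSION_NAMES.get(version, "Unknown %d.%d" % version),
        "length": length,
        # An unsupported record version is what precedes the
        # 'TLS Alert write:fatal:protocol version' line in the failing trace.
        "unknown_version": version not in supported,
    }


def iter_records(stream, supported=DEFAULT_SUPPORTED):
    """Walk consecutive records in a byte string and classify each one."""
    offset = 0
    while offset + RECORD_HEADER_LEN <= len(stream):
        rec = classify_record(stream[offset:], supported)
        yield rec
        offset += RECORD_HEADER_LEN + rec["length"]


def first_problem(stream, supported=DEFAULT_SUPPORTED):
    """Return the index of the first record with an unsupported version, or -1."""
    for i, rec in enumerate(iter_records(stream, supported)):
        if rec["unknown_version"]:
            return i
    return -1


# Constructed samples: a TLS 1.0 Handshake record of 0x61 bytes (the ClientHello
# length seen in both traces) and a TLS 1.1 record of 2 bytes, standing in for the
# 'Unknown TLS version [length 0002]' record of the failing trace. Bodies are
# zero-filled placeholders; only the headers matter here.
GOOD_RECORD = b"\x16\x03\x01\x00\x61" + b"\x00" * 0x61
BAD_RECORD = b"\x16\x03\x02\x00\x02" + b"\x00\x00"


if __name__ == "__main__":
    for rec in iter_records(GOOD_RECORD + BAD_RECORD):
        flag = "  <- server would send fatal alert: protocol version" if rec["unknown_version"] else ""
        print("%(version)s %(content_type)s [length %(length)04x]%(flag)s" % dict(rec, flag=flag))
```

Passing a wider `supported` tuple (adding `(3, 2)`) is the equivalent of upgrading the server's OpenSSL: the same TLS 1.1 record then classifies as known and no alert would follow, which is the fix on the server side if the client cannot be changed.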


Re: Handling dynamic IPs for clients

2010-03-31 Thread Alan DeKok
Fahd Kasri wrote:
 Hi all,
 
 I have several clients connected to my freeradius server, but these
 clients have dynamic IPs. I have setup scripts on the clients for
 sending their IPs to the server and scripts on the server to restart
 freeradius when an IP address has changed. The problem is that there is
 always someone that won't be able to be authenticated because the
 client's IP hasn't been refreshed on the server. Is anybody in a similar
 situation? If so, do you have a better solution? 

  Read raddb/sites-available/dynamic-clients

  Alan DeKok.


Re: Freeradius Isn't Listening

2010-03-31 Thread Randall Degges
Just wanted to thank everyone for their help. I've gotten the issue
resolved.

Apparently Freeradius was working 100%, what wasn't working, however, was my
Cisco routing. We had our network worked on several weeks back, and all
seemed to be working ok, but it never dawned on me to check if my Cisco
AS5400 could ping out to the freeradius server or not (it couldn't).

So after talking with our Cisco guy and straightening the issue out, all
works well.

Thanks so much for your help!

-Randall

On Mon, Mar 29, 2010 at 7:54 PM, Tim Sylvester 
tim.sylves...@networkradius.com wrote:

 I just confirmed that my server does have no firewall. The way I tested
 this is:

 *ON THE SERVER*

 tcpdump udp port 1812

 *ON THE CLIENT*

 nc -u xx.xx.xx.xx 1812

 mash the keyboard repeatedly to send fake packets

 When I do this I send some raw packets to my radius server on port 1812 for
 testing, and my tcpdump output shows each packet being received just fine.
 So I don't think this is a firewall issue.

 Run radtest on the server to verify that the server actually works –
 radtest bob badpassword localhost 1 shared secret. Then run radtest from
 another client that is on the same network that the AS5400 is on.

 My guess is that there is a firewall in front of your Linux server running
 FreeRADIUS. Rackspace typically puts a Cisco ASA firewall in front of a
 customer’s Linux server. When you ran the nc test, was the system that you
 ran nc from on the same network with the Linux server running FreeRADIUS?
 They both might have been behind the same firewall. Check with Rackspace to
 see if there is a Cisco Firewall in front of your Linux server.

 Tim


Re: Freeradius + PEAP.. stuck on validating identity..

2010-03-31 Thread Bruno Kremel
On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
 Bruno Kremel wrote:
  My configuration is pretty much default except for enabling MySQL and
  setting paths and passwords to certificates (generated with the make
  script in /etc/freeradius/certs, so they should be OK) and addresses
  of clients.

   And what did you put in SQL?

  expand: %{User-Name} -> pokus
  rlm_sql (sql): sql_set_user escaped user --> 'pokus'
  rlm_sql (sql): Reserving sql socket id: 3
  expand: SELECT id, username, attribute, value, op FROM radcheck WHERE
  username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username,
  attribute, value, op FROM radcheck WHERE username = 'pokus' ORDER BY
  id
  rlm_sql (sql): User found in radcheck table
  expand: SELECT id, username, attribute, value, op FROM radreply WHERE
  username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username,
  attribute, value, op FROM radreply WHERE username = 'pokus' ORDER BY
  id
  expand: SELECT groupname FROM radusergroup WHERE username =
  '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM
  radusergroup WHERE username = 'pokus' ORDER BY priority

 ...

  rad_check_password: Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user

   Why did you put Auth-Type = Accept in SQL?

   It's breaking the server.  Delete it.

What should be there?
Because I don't know; I am using the daloradius web interface for adding data to
the database, so I just loaded the default daloradius SQL which was intended
(according to the readme of daloradius) for 2.X FreeRADIUS... and added accounts
in the web interface...

  To me it seems that name/password was accepted so I have no clue where
  the problem is..

   The password was NOT accepted.  It was *ignored*.

And what is that Access-Accept at the end of the log?... also radtest gives me
Access-Accept only on correct login and password so I think that it's not the
SQL...

   Alan DeKok.

Thank you for the answer.


Re: Freeradius + PEAP.. stuck on validating identity..

2010-03-31 Thread Alan DeKok
Bruno Kremel wrote:
   Why did you put Auth-Type = Accept in SQL?

   It's breaking the server.  Delete it.
 What should be there?

  The user's password?

 Because I don't know; I am using the daloradius web interface for adding data to
 the database, so I just loaded the default daloradius SQL which was intended
 (according to the readme of daloradius) for 2.X FreeRADIUS... and added accounts
 in the web interface...

  <shrug>  I don't use daloradius.  All I know is from the debug output,
which shows that the server isn't configured properly.

 And what is that Access-Accept at the end of the log?...

  It's useless.  The EAP conversation has been short-circuited, and the
user WILL NOT end up being online.

 also radtest gives me
 Access-Accept only on correct login and password so I think that it's not
 the
 SQL...

  Since you obviously know the product better than I do, good luck
solving the problem.

  Alan DeKok.


Re: Freeradius + PEAP.. stuck on validating identity..

2010-03-31 Thread Matt Harlum

On 01/04/2010, at 7:39 AM, Bruno Kremel wrote:

 On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
 What should be there?
 Because I don't know; I am using the daloradius web interface for adding data to
 the database, so I just loaded the default daloradius SQL which was intended
 (according to the readme of daloradius) for 2.X FreeRADIUS... and added accounts
 in the web interface...

Here's an example from my radcheck table in the SQL database:

 id | UserName    | Attribute     | op | Value       |
----+-------------+---------------+----+-------------+
  1 | exampleuser | User-Password | == | password123 |

This is how yours should be set up, otherwise you will get the validating
issue in Windows.

  To me it seems that name/password was accepted so I have no clue where
  the problem is..

   The password was NOT accepted.  It was *ignored*.

  And what is that Access-Accept at the end of the log?... also radtest gives
  me
  Access-Accept only on correct login and password so I think that it's not
  the
  SQL...

As Alan said, it was simply ignored because of the misconfiguration.

Regards,
Matt Harlum


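Alan's point in this thread is that an `Auth-Type` of `Accept` in radcheck makes `rad_check_password` accept the user without ever comparing a password, which both defeats the credential check and cuts the EAP conversation short; Matt's row shows the shape a working entry takes. The following audit is an added example, not FreeRADIUS, daloradius or either poster's code: it walks constructed radcheck rows (the same columns the debug output queries) and reports users whose rows bypass the password check, have no password attribute at all, or use an operator that never compares anything.

```python
"""Audit FreeRADIUS radcheck rows for entries that short-circuit authentication.

Added example for the daloradius/PEAP thread above; this is not FreeRADIUS,
daloradius or either poster's code. The rows below are constructed sample
data shaped like the radcheck columns (id, username, attribute, op, value)
that the debug output queries.
"""
from collections import defaultdict

# Check-item attributes that carry a credential the server can actually verify
# (FreeRADIUS 2.x names).
PASSWORD_ATTRS = {
    "User-Password", "Cleartext-Password", "NT-Password", "LM-Password",
    "MD5-Password", "SHA-Password", "SSHA-Password", "Crypt-Password",
}

# Operators that make a check item compare (==) or set a control value (:=).
# A bare '=' is not a valid check-item operator for a protocol attribute.
CHECK_OPS = {"==", ":="}


def audit_radcheck(rows):
    """Return a list of (username, problem) tuples, ordered by username."""
    by_user = defaultdict(list)
    for row in rows:
        by_user[row["username"]].append(row)

    findings = []
    for user in sorted(by_user):
        has_password = False
        for row in by_user[user]:
            attr, op, value = row["attribute"], row["op"], row["value"]
            if attr == "Auth-Type" and value.strip().lower() == "accept":
                # This is the row behind 'rad_check_password: Found Auth-Type Accept':
                # the server accepts without looking at any password, and an EAP
                # conversation is cut short so the supplicant never finishes.
                findings.append((user, "Auth-Type %s Accept bypasses the password check" % op))
            elif attr in PASSWORD_ATTRS:
                has_password = True
                if op not in CHECK_OPS:
                    findings.append((user, "%s uses op '%s'; use '==' or ':='" % (attr, op)))
        if not has_password:
            findings.append((user, "no password attribute in radcheck"))
    return findings


# Constructed rows: the working row from the reply above, a user configured the
# way the debug output shows, and a row with a non-comparing operator.
SAMPLE_ROWS = [
    {"id": 1, "username": "exampleuser", "attribute": "User-Password", "op": "==", "value": "password123"},
    {"id": 2, "username": "pokus", "attribute": "Auth-Type", "op": ":=", "value": "Accept"},
    {"id": 3, "username": "alice", "attribute": "User-Password", "op": "=", "value": "s3cret"},
]


if __name__ == "__main__":
    for user, problem in audit_radcheck(SAMPLE_ROWS):
        print("%-12s %s" % (user, problem))
```

Run against a dump of the real table, the audit turns Alan's "delete it" into a repeatable check: any user it lists under "bypasses the password check" is being accepted on the strength of the username alone. FreeRADIUS 2.x also accepts `Cleartext-Password :=` for the same plaintext credential, which its own documentation prefers over `User-Password` in check items.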

EAP checking certificate CN for WiMAX

2010-03-31 Thread Victor Tangendjaja

Hi,

In WiMAX the certificate CN apparently contains the MAC address and model name
of the device, for example "FF1234567890 USB1234".
The WiMAX standard says, and I quote: "The MAC (from the CN) SHALL be
compared with the MAC address in the Calling-Station-Id of the RADIUS
Access Request message. If they do not match the authentication SHALL be
rejected."

I tried to use check_cert_cn inside eap.conf this way:

check_cert_cn = %{Calling-Station-Id}

This obviously doesn't work because the CN also contains the model name.

check_cert_cn =~ /^%{Calling-Station-Id} .*/i

This doesn't work either, because of a syntax error.

Is this the correct way, or is there a better way?

Thanks for your help.

Victor
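The comparison the WiMAX text mandates is "MAC from the CN equals the MAC in Calling-Station-Id", and the two sides rarely arrive in the same notation: the CN carries a bare 12-digit MAC followed by the model name, while NAS equipment writes Calling-Station-Id with colons, dashes or dots and in either case. `check_cert_cn` only does a literal comparison after expansion, so it cannot express this. The following is an added example, not FreeRADIUS code and not from the poster; it implements the check as a stand-alone function that normalises both MACs before comparing, treats a missing or unparsable value on either side as a mismatch, and uses only constructed sample values. In FreeRADIUS 2.1 the same comparison can be done in unlang on the `TLS-Client-Cert-Common-Name` attribute that rlm_eap_tls sets from the client certificate; the code below keeps the logic independent of the server.

```python
"""Check that a WiMAX device certificate CN matches the RADIUS Calling-Station-Id.

Added example for the thread above; this is not FreeRADIUS code. All sample
values are constructed.
"""
import re

HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(value):
    """Reduce a MAC in any common RADIUS/certificate notation to 12 upper-case hex digits.

    Accepts FF1234567890, ff:12:34:56:78:90, FF-12-34-56-78-90 and ff12.3456.7890.
    Returns None when the input is missing or is not a MAC address.
    """
    if value is None:
        return None
    digits = re.sub(r"[:\-\.\s]", "", value.strip()).upper()
    return digits if HEX12.match(digits) else None


def mac_from_cn(common_name):
    """Extract the MAC from a WiMAX-style CN of the form '<MAC> <model>'.

    The first whitespace-separated token is the MAC; the rest is the device model
    and is ignored. Returns None when the CN is empty or its first token is not a MAC.
    """
    if not common_name:
        return None
    parts = common_name.split()
    if not parts:
        return None
    return normalize_mac(parts[0])


def cn_matches_calling_station(common_name, calling_station_id):
    """Return True only when both values parse as MACs and are equal.

    A missing or unparsable value on either side counts as a mismatch, so a
    request without Calling-Station-Id is rejected rather than accepted by
    accident. This is the 'SHALL be rejected' rule from the WiMAX text.
    """
    cert_mac = mac_from_cn(common_name)
    request_mac = normalize_mac(calling_station_id)
    return cert_mac is not None and request_mac is not None and cert_mac == request_mac


if __name__ == "__main__":
    # Constructed pairs: same device written three ways, then two mismatches.
    for cn, csid in [
        ("FF1234567890 USB1234", "ff-12-34-56-78-90"),
        ("FF1234567890 USB1234", "FF:12:34:56:78:90"),
        ("FF1234567890 USB1234", "FF1234567891"),
        ("USB1234", "FF1234567890"),
    ]:
        print("%-24s %-20s %s" % (cn, csid, "accept" if cn_matches_calling_station(cn, csid) else "reject"))
```

The deliberate choice is to fail closed: a certificate whose CN does not start with a MAC, or a request that carries no Calling-Station-Id at all, yields a reject rather than a skipped check, which is what the "SHALL be rejected" wording asks for.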


WPA2 802.1X PEAPv0/EAP-MSCHAPv2

2010-03-31 Thread Ryan A. Krenzischek

Greetings!

I am at a road block here. I know setting up WPA2 Enterprise
PEAPv0/EAP-MSCHAPv2 / 802.1X should be simple.  It just isn't working!
Perhaps I am suffering from green screen syndrome :)

I have followed directions from: http://tldp.org/HOWTO/html_single/8021X-HOWTO/

Aside from mschap being in the etcdir/raddb/modules directory and
needing to enable mppe, the instructions are fairly straightforward.

The certificates are generated from our certificate store.  I'm trying a
less complicated setup before moving on to OpenLDAP/Kerberos.  During
the build process, I made sure that OpenSSL was available.  ldd shows that
it is linked:


# ldd /usr/local/sbin/radiusd
/usr/local/sbin/radiusd:
libfreeradius-radius-2.1.8.so => /usr/local/lib/freeradius-2.1.8/libfreeradius-radius-2.1.8.so (0x280b3000)
libcrypt.so.2 => /lib/libcrypt.so.2 (0x280d5000)
libltdl.so.7 => /usr/local/lib/libltdl.so.7 (0x280ed000)
libssl.so.5 => /usr/local/lib/libssl.so.5 (0x280f7000)
libcrypto.so.5 => /usr/local/lib/libcrypto.so.5 (0x2813e000)
libpthread.so.1 => /usr/lib/libpthread.so.1 (0x282af000)
libc.so.5 => /lib/libc.so.5 (0x282d3000)
libz.so.2 => /lib/libz.so.2 (0x283ad000)

The client computers are laptops running OpenSUSE 11.2 x86_64.
Knetworkmanager is being used to configure the wireless security.  The
settings are:

Security:   WPA/WPA2 Enterprise
Authentication: Protected EAP (PEAP)
Anonymous Identity: blank
CA Certificate: /etc/ssl/certs/ca.pem
PEAP Version:   Version 0
Inner Authentication:   MSCHAPv2
Username:   billgates
Password:   98502

The users file contains:

billgates User-Password := 98502

What I get on the test laptop in wpa_supplicant:

Associated with 00:00:00:c0:ff:ee
CTRL-EVENT-EAP-STARTED EAP Authentication started
OpenSSL: tls_connection_ca_cert - Failed to parse ca_cert_blob 
error:0D0680A8:ASN1 encoding routines: ASN1_CHECK_TLEN:wrong tag
openSSL: pending error: error:0D07803A:asn1 encoding 
routines:ASN1_ITEM_EX_D2I:nested asn1 error

TLS: Failed to set TLS connection parameters
EAP-PEAP: Failed to initialize SSL.
EAP: Failed to initialize EAP method: vendor 0 method 25 (PEAP)
CTRL-EVENT-DISCONNECTED - Disconnect Event - Remove keys
(this is repeated in the log several times)

Debug Output:

FreeRADIUS Version 2.1.8
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file 
/usr/local/etc/raddb/modules/detail.example.com

including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/pap