RE: EAP-TLS and MAC Authentication

2010-05-16 Thread John McDonnell
> -Original Message-
> John McDonnell wrote:
> > I'm not doing any dynamic VLAN assignments over the wireless so I
> really don't see any need for MAC authentication and just see it as
> unneeded overhead. Is there any reason why I'm wrong with this
> assumption?
>
>   It never hurts.  You can do *both* EAP && MAC auth at the same
> time.

I don't know if you have any experience with the 1100 series access points 
from Cisco, but they have a setting called EAP and MAC authentication. I'm 
not sure how it is implemented, but I would imagine I should just set it 
to do EAP and have FR itself do the MAC check as part of the 
authorization?

> It stops people who share their passwords.  If you do login
> tracking, you can see if two MACs have logged in at the same time,
> too.

This was why I was originally going to enable both EAP and MAC but then 
wondered if it would just be overhead since I plan on going the 
certificate route. Right now, the only laptops we want to allow on the 
wireless network are the ones that we received from the Classrooms for the 
Future (CFF) grant. This summer I will be touching each of these computers 
(I'll be imaging all of the student laptops and updating the teacher ones 
individually) and will install the certificates during the procedure.

>   This stops a large percentage of bad behavior.
>
>   If you're *not* tracking MACs right now, you have no idea who's
> on your network.
>
>   Alan DeKok.

We're not really tracking MACs per se right now, we only require the MAC 
to be a valid MAC. We don't check for duplicates. Combined with using WEP, 
it currently makes for a very unsecure network, hence why I want to switch 
to using certificates. I've learned a lot about how RADIUS, and FR in 
particular, works in the past year, but I still have a lot to learn. I 
understand a new book on FR has been in the works, which would be a great 
help I'm sure. In the meantime, I try to keep track of the users list and 
do some reading (a lot of it outdated) on the web.

The goal of my updates to the wireless network over the summer is to make 
the network more secure without our users actually having to do anything 
different. Whether that's installing certificates or using PEAP with the 
username/password saved on the laptop, we don't currently want to make 
things more difficult for the teachers/students. Hopefully one of the 
updates my boss will be doing over the summer will be to get LDAP working 
properly at which point switching to TTLS or PEAP will become much more 
attractive than they currently are.

I suppose doing the MAC authentication wouldn't really add much overhead 
at all if done by the FR server itself and not separate calls from the AP, 
so I will look into how to do this. Any pointers or hints would greatly be 
appreciated.

-- 
John McDonnell
Penn Cambria School District
mcdon...@pcam.org
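As an added illustration of the login-tracking idea discussed above (not code from FreeRADIUS or from anyone in this thread), the Python below normalises Calling-Station-Id values as different NAS vendors spell them, does the allowlist check an authorize step would do, and flags a user-name that is active from two MACs at once over constructed accounting events:

```python
import re
from collections import defaultdict

def normalize_mac(raw):
    """Reduce any NAS spelling of a MAC (Cisco '0011.2233.4455', '00-11-...',
    '00:11:...') to lower-case colon form so comparisons do not depend on the AP."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC: %r" % raw)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def mac_is_allowed(raw, allowlist):
    """Per-device check as a server-side authorize step would do it; the
    allowlist may be written in any of the formats above."""
    return normalize_mac(raw) in {normalize_mac(m) for m in allowlist}

# Constructed accounting events: (time, Acct-Status-Type, User-Name, Calling-Station-Id)
SAMPLE_EVENTS = [
    (100, "Start", "jsmith", "0011.2233.4455"),
    (110, "Start", "mjones", "00-11-22-33-44-66"),
    (120, "Start", "jsmith", "00:11:22:33:44:77"),  # second MAC while first still up
    (130, "Stop",  "jsmith", "0011.2233.4455"),
    (140, "Start", "mjones", "0011.2233.4466"),     # same MAC re-authenticating
]

def concurrent_mac_logins(events):
    """Return {user: [macs]} for every user seen with open sessions on >1 MAC,
    i.e. the 'two MACs logged in at the same time' pattern of a shared password."""
    active = defaultdict(set)   # user -> MACs with a Start but no Stop yet
    flagged = defaultdict(set)
    for _t, status, user, mac in sorted(events):
        mac = normalize_mac(mac)
        if status == "Start":
            active[user].add(mac)
            if len(active[user]) > 1:
                flagged[user].update(active[user])
        elif status == "Stop":
            active[user].discard(mac)
    return {u: sorted(m) for u, m in flagged.items()}

if __name__ == "__main__":
    print(mac_is_allowed("0011.2233.4455", ["00-11-22-33-44-55"]))
    for user, macs in concurrent_mac_logins(SAMPLE_EVENTS).items():
        print("%s active from %d MACs at once: %s" % (user, len(macs), ", ".join(macs)))
```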


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP-TLS and MAC Authentication

2010-05-16 Thread Alan DeKok
John McDonnell wrote:
> I don't know if you have any experience with the 1100 series access points 
> from Cisco, but they have a setting called EAP and MAC authentication. I'm 
> not sure how it is implemented, but I would imagine I should just set it 
> to do EAP and have FR itself do the MAC check as part of the 
> authorization?

  Yes.  Having AP's implement policies is a recipe for disaster.

> We're not really tracking MACs per se right now, we only require the MAC 
> to be a valid MAC. We don't check for duplicates. Combined with using WEP, 
> it currently makes for a very unsecure network, hence why I want to switch 
> to using certificates. I've learned a lot about how RADIUS, and FR in 
> particular, works in the past year, but I still have a lot to learn. I 
> understand a new book on FR has been in the works, which would be a great 
> help I'm sure. In the meantime, I try to keep track of the users list and 
> do some reading (a lot of it outdated) on the web.

  I'm trying to find time to finish the book.  :(

> I suppose doing the MAC authentication wouldn't really add much overhead 
> at all if done by the FR server itself and not separate calls from the AP, 
> so I will look into how to do this. Any pointers or hints would greatly be 
> appreciated.

  raddb/modules/mac*

  They're not examples for RADIUS, but the principles should be the same.

  Alan DeKok.


Free Radius testing....

2010-05-16 Thread John Raja
Hi,
I have installed the freeradius server on CentOS. I am trying to test with the
command mentioned below, and I am getting the error output given below. Please
help me out...

I have created the username in the users file:
bob Cleartext-Password := "hello"

*Command*
# radtest bob bob localhost 1812 testing
*Output*
Sending Access-Request of id 147 to 127.0.0.1 port 1812
User-Name = "bob"
User-Password = "bob"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Sending Access-Request of id 147 to 127.0.0.1 port 1812
User-Name = "bob"
User-Password = "bob"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Sending Access-Request of id 147 to 127.0.0.1 port 1812
User-Name = "bob"
User-Password = "bob"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
radclient: no response from server for ID 147 socket 3


Regards,
John Raja
Network Engineer
IP Extn : 500092
Te: 022-40609028


Re: Free Radius testing....

2010-05-16 Thread James J J Hooper

On 16/05/2010 10:26, John Raja wrote:

> Hi,
> I have installed the freeradius server on CentOS. I am trying to test with
> the command mentioned below, and I am getting the error output given below.
> Please help me out...
> I have created the username in the users file:
> bob Cleartext-Password := "hello"
> _Command_
> # radtest bob bob localhost 1812 testing
> _Output_
> Sending Access-Request of id 147 to 127.0.0.1 port 1812
>  User-Name = "bob"
>  User-Password = "bob"
>  NAS-IP-Address = 127.0.0.1
>  NAS-Port = 1812
> Sending Access-Request of id 147 to 127.0.0.1 port 1812
>  User-Name = "bob"
>  User-Password = "bob"
>  NAS-IP-Address = 127.0.0.1
>  NAS-Port = 1812
> Sending Access-Request of id 147 to 127.0.0.1 port 1812
>  User-Name = "bob"
>  User-Password = "bob"
>  NAS-IP-Address = 127.0.0.1
>  NAS-Port = 1812
> radclient: no response from server for ID 147 socket 3



Hi John,

--
3. DEBUGGING THE SERVER

  Run the server in debugging mode, (radiusd -X) and READ the output.
We cannot emphasize this point strongly enough.  The vast majority of
problems can be solved by carefully reading the debugging output,
which includes WARNINGs about common issues, and suggestions for how
they may be fixed.
--

Is the server running, is the shared secret correct, do you firewall 
traffic on the localhost interface?



-James



Re: Free Radius testing....

2010-05-16 Thread shirkavand
Hi there,

Are you sure that your freeradius server is up? Try to start freeradius in
debug mode and run radtest again:

sudo freeradius -X
radtest bob bob localhost 1812 testing

If you get an error trying to start the server with "sudo freeradius -X" try
to stop it and start+test again:

killall freeradius
sudo freeradius -X
radtest bob bob localhost 1812 testing

As James said, you need to run in debug mode while testing... so you can check
what's going on.

Cheers,

Shirkavand

Active Directory, PEAP and random works....

2010-05-16 Thread Abdessamad BARAKAT

Hi,

I have a strange problem. I try to authenticate users against AD; it 
seems to be a typical deployment of freeradius.


But it works randomly.


When it doesn't work, the mschap/NTLM auth succeeds and the server sends an 
Access-Challenge; I see on the Cisco Aironet that the Access-Challenge goes 
back to the client, there is no reply from the client, and the connection gets stuck:



+- entering group MS-CHAP
  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for host/MRSLAP03571.domain.priv 
with NT-Password

expand: --username=%{mschap:User-Name:-None} -> --username=MRSLAP03571$
expand: %{mschap:NT-Domain} -> DOMAIN
expand: --domain=%{%{mschap:NT-Domain}:-DOMAIN} -> --domain=DOMAIN
 mschap2: 60
expand: --challenge=%{mschap:Challenge:-00} -> 
--challenge=923aaffd82c69093
	expand: --nt-response=%{mschap:NT-Response:-00} -> 
--nt-response=a7e9503bed0bfedf055e9e32e241e391ccb0dd649fe09bbe

Exec-Program output: NT_KEY: 2254EC3D1B726196286DA65965D5D411
Exec-Program-Wait: plaintext: NT_KEY: 2254EC3D1B726196286DA65965D5D411
Exec-Program: returned: 0
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
  PEAP: Got tunneled reply RADIUS code 11
	EAP-Message = 
0x010b00331a030a002e533d34423436443245344135353939434637453443423233353641343546393836333932393945373637

Message-Authenticator = 0x
State = 0xe713faa1e618e0bc40c4047c03951291
  PEAP: Processing from tunneled session code 0x1e9e490 11
	EAP-Message = 
0x010b00331a030a002e533d34423436443245344135353939434637453443423233353641343546393836333932393945373637

Message-Authenticator = 0x
State = 0xe713faa1e618e0bc40c4047c03951291
  PEAP: Got tunneled Access-Challenge
++[eap] returns handled
} # server inner-tunnel
Sending Access-Challenge of id 103 to  port 1645
	EAP-Message = 
0x010b004a1900170301003fd5c3f845006343c8072ae98874a3df6bc8c3594e045b31fe7220a5c44b269eac3e3cdf6f48de5d3066feeb70a8f1d958e6b25c5f7ead1fa5c9064b89cc24a6

Message-Authenticator = 0x
State = 0x5d184007551359eef79a3370536543a0
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 95 with timestamp +56
Cleaning up request 1 ID 96 with timestamp +56
Cleaning up request 2 ID 97 with timestamp +56


I have already checked the XP extension is present on the certificate 
server:

extendedKeyUsage = 1.3.6.1.5.5.7.3.1

##
#
#  ! WARNINGS for Windows compatibility  !
#
##
#
#  If you see the server send an Access-Challenge,
#  and the client never sends another Access-Request,
#  then
#
#   STOP!
#
#  The server certificate has to have special OID's
#  in it, or else the Microsoft clients will silently
#  fail.  See the "scripts/xpextensions" file for
#  details, and the following page:
#
#   http://support.microsoft.com/kb/814394/en-

I use :

freeradius 2.0.4
samba 3.2.5
cisco aironet 1240


I have tried other versions of samba (3.2.15 and 3.4.8) and freeradius 2.1.8.

The samba / winbind stuff seems to work correctly (tests with wbinfo and 
ntlm_auth OK).


I have the same issue with other XP / windows 7 supplicants.

I think I have followed the howto correctly:
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

I don't think I'm the first with the same problem so please help me 
before I'm going crazy :)


Thanks a lot for any information.
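To see what that Access-Challenge actually carries, here is an added Python decoder (not FreeRADIUS code) run over the two EAP-Message values from the debug output above. The tunneled value is an EAP-MS-CHAPv2 Success request carrying the "S=" authenticator response; the value sent to the AP is that same packet encrypted inside a PEAP TLS application-data record. The client's reply to the inner Success is what the server is waiting for, so no further Access-Request means the supplicant side stopped, which is why the certificate warnings quoted above apply.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {25: "PEAP", 26: "MS-CHAPv2"}
MSCHAP_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}

# Both values are copied from the debug output in the message above.
INNER_EAP = ("010b00331a030a002e533d34423436443245344135353939434637"
             "453443423233353641343546393836333932393945373637")
OUTER_EAP = ("010b004a1900170301003fd5c3f845006343c8072ae98874a3df6bc8c3594e"
             "045b31fe7220a5c44b269eac3e3cdf6f48de5d3066feeb70a8f1d958e6b25c"
             "5f7ead1fa5c9064b89cc24a6")

def decode_eap(hexstr):
    """Parse the EAP header (code, id, length, type) and one payload layer:
    PEAP (type 25) -> the TLS record header; EAP-MS-CHAPv2 (type 26) -> opcode."""
    pkt = bytes.fromhex(hexstr)
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length %d != packet size %d" % (length, len(pkt)))
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2):
        return out                      # Success/Failure carry no type byte
    eap_type = pkt[4]
    out["type"] = EAP_TYPES.get(eap_type, eap_type)
    body = pkt[5:]
    if eap_type == 25:                  # PEAP: one flags byte, then TLS record(s)
        out["peap_flags"] = body[0]
        ctype, ver, tls_len = struct.unpack("!BHH", body[1:6])
        if tls_len != len(body) - 6:
            raise ValueError("TLS record length does not match EAP payload")
        # content type 23 = application data (the encrypted inner EAP);
        # record version 3.1 is TLS 1.0
        out["tls"] = {"content_type": ctype,
                      "version": "%d.%d" % (ver >> 8, ver & 0xff),
                      "record_len": tls_len}
    elif eap_type == 26:                # EAP-MS-CHAPv2: opcode, id, ms-length, data
        opcode, ms_id, ms_len = struct.unpack("!BBH", body[:4])
        out["mschap"] = {"opcode": MSCHAP_OPCODES.get(opcode, opcode),
                         "id": ms_id, "ms_length": ms_len}
        if opcode == 3:                 # Success: "S=<authenticator response>[ M=<msg>]"
            out["mschap"]["message"] = body[4:ms_len].decode("ascii")
    return out

if __name__ == "__main__":
    print("inner:", decode_eap(INNER_EAP))
    print("outer:", decode_eap(OUTER_EAP))
```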


Re: Authentication with existing MySQL database

2010-05-16 Thread Alan DeKok
Quentin Smith wrote:
> However, when I run freeradius -X, it appears that for some reason
> that setting is erased. The following is the pertinent output:

  Read the rest of the debug output.  Which files is it reading?  Which
one contains the SQL configuration?  Which one did you edit?

> I'm guessing the SQL query error is related to the fact that
> authorize_check_query is now an empty string, but I'm not sure why
> that's the case.

  You edited it locally.  The default configuration doesn't have this issue.

  Find out which file was edited, and fix it.

  Alan DeKok.


Re: Active Directory, PEAP and random works....

2010-05-16 Thread Alan Buxey
Hi,

> freeradius 2.0.4
> samba 3.2.5
> cisco aironet 1240

you want to run the latest SAMBA but are happy with older FR?

FreeRADIUS 2.1.8 with SAMBA 3.0.37  should be a good combo.

you might also want to try a much more recent SAMBA though, as they
may have reverted/changed the behaviour issue (3.5.2)

alan


Cisco AP's with WPA sending Accounting info.

2010-05-16 Thread Andrew Paternoster
Hi List.

I have been trying to get some Cisco 1130AGs to work with freeradius. I have 
got them to authenticate but cannot get them to send accounting data. I think it 
has something to do with the PEAP tunnel, as I remember seeing it listed 
somewhere. My question is how do others do accounting on WPA wireless clients? 
There is accounting stuff that I have set up in the Cisco AP but it doesn't seem 
to do anything.

Can any one please point me in the right direction?

Thanks
Andrew Paternoster

--
Andrew Paternoster
Senior System Engineer
GPK Computers Pty Ltd
T 1300 854 223
F 1300 854 228
