Re: Freeradius + WPA2 + Windows Client

2010-08-19 Thread Fajar A. Nugraha
On Fri, Aug 20, 2010 at 10:05 AM, rrperez  wrote:
>
> Thanks for this response Fajar,
>
> It definitely makes sense, now I'm trying to install Open1x, but I can't find
> a manual on how to configure this. Do you know some references that can help
> me configuring Open1x?

No, sorry. You might have better luck asking on Open1x list, or just
explore the options that the GUI provides.

I've tested wpa_supplicant for windows (second link on my original
mail) some time ago. The file README-Windows.txt has some
documentation on using it (if you like using command line), but you'd
probably want to stick with the GUI (which is pretty much
self-explanatory).

FWIW, officially my company uses Odyssey Access Client (there's trial
version available:
http://www.juniper.net/support/products/oac/ent/#sw) for Windows to
connect to wireless network, using PEAP-GTC, authenticating
to Lotus Domino LDAP. I don't use it though, and simply use Ubuntu
Lucid with its built-in network-manager (which can connect just fine).

Whatever supplicant you use, if you want to go through PEAP-GTC route
like I do, you basically need to configure the supplicant client to
choose:
- 802.1X (or WPA2 enterprise if it's not available) wireless security
- EAP or EAP-PEAP, or PEAP authentication protocol (different
supplicant may use different terms)
- GTC or EAP-GTC inner authentication
you may also need to disable server certificate verification (since
most likely you'll be using self-signed certificate, at least for
testing purposes)

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Encountering error when using "radius -X"

2010-08-19 Thread kartik dadwal
Hi Fabien,

I will try to follow your method. Can you tell me how to get rid of the
installation process that I have already done for freeradius?
So that I can re-install it using other ways.

I am a newbie so next question sounds a little stupid but please still answer
it.
when you say 'radius binary .deb package', does '.deb' belong to debian? I
have ubuntu (I know ubuntu is a spin-off from debian!). The only other way I
know for installing something on my ubuntu is using "synaptic package
manager". Do you mean to say I can search for freeradius on synaptic manager
and install it from there as it takes care of all the dependencies?

Thank you so much for your help!


On Thu, Aug 19, 2010 at 12:40 AM, Fabien COMBERNOUS
wrote:

> kartik dadwal wrote:
>
>> Hi,
>>
>> I have ubuntu 9.10. Can you please tell me
>> 1)Before running "radius -X" what all steps should be completed?
>> 2)what should be the subdirectory structure for freeradius and where it
>> should be formed in the directory structure?
>> 3)which sub directory should I give the "radius -X" command.
>>
>
> Before to try to give answers, do you really need to compile your own
> radius from sources ? Now you know that with radius binary .deb package,
> radius config is in /etc/freeradius directory. Can you consider to forget
> sources you downloaded ? If you can't, i never used the way you are
> following. You'll have to consider depends. And i have not enough time to
> try your way on a box.
>
>
>
>>
>> On Wed, Aug 18, 2010 at 7:05 AM, Fabien COMBERNOUS
>> <fcombern...@kezia.com> wrote:
>>
>>> In general you can get the list of the files from a deb package
>>> with the command line :
>>> $> dpkg -L 
>>> Here we have :
>>> $> dpkg -L freeradius | grep etc
>>> /etc
>>> /etc/pam.d
>>> /etc/pam.d/radiusd
>>> /etc/init.d
>>> /etc/init.d/freeradius
>>> /etc/freeradius
>>
>>
>
> --
> *Fabien COMBERNOUS*
> /unix system engineer/
> www.kezia.com 
> *Tel: +33 (0) 467 992 986*
> Kezia Group
>



-- 
Best Regards
Kartik

Re: Supplicant for Windows (XP, Vista and W7)

2010-08-19 Thread rrperez

Supplicant that will help me work PEAP/MS-CHAPv2, TTLS-PAP or PEAP/GTC.

I have configured Freeradius 2 with LDAP that store passwords in a different
hashing, not cleartext or NT/LM hash. Someone told me that supplicants can
make this work as a workaround for these protocols.


Re: Supplicant for Windows (XP, Vista and W7)

2010-08-19 Thread David Mitton


Windows includes a supplicant that does a number of things.
Could you be a bit more specific in what functionality you are looking for?

Dave.


On 8/19/2010 11:22 PM, rrperez wrote:
> Hi,
>
> Does anyone know a supplicant that might work on windows platforms such as
> XP, Vista and Windows 7?




Supplicant for Windows (XP, Vista and W7)

2010-08-19 Thread rrperez

Hi,

Does anyone know a supplicant that might work on windows platforms such as
XP, Vista and Windows 7?


Re: Freeradius + WPA2 + Windows Client

2010-08-19 Thread rrperez

Thanks for this response Fajar,

It definitely makes sense, now I'm trying to install Open1x, but I can't find
a manual on how to configure this. Do you know some references that can help
me configuring Open1x?


Re: Lotus Notes Encryption

2010-08-19 Thread rrperez

Thanks for the response Alan,

I have downloaded Open1x in my windows client, but I don't know how to
configure it...


Using unlang to control ldap module

2010-08-19 Thread John Doppke
Is there a way I can conditionally change the config items in the ldap module, 
so that

if NAS-Port-Type = "Wireless" then access_attr = "X"


-John




Re: Flaky AP or borked Config? EAP-PEAP

2010-08-19 Thread Alan DeKok
Nolan King wrote:
> This is the manufacturer of the "broken AP" 
> http://skypilot.trilliantinc.com/
> 
> Skypilot was an indie manufacturer, recently purchased by trilliant. not sure 
> who makes their hardware now- the tdm, one radio-many antennas approach has 
> worked well for my muni mesh. they used to have a forum where i whined about 
> the lack of EAP-TLS support to no avail, i think the forum is dead since the 
> trilliant purchase.
> 
> wireless security, 802.1x mentioned in these docs:
> http://skypilot.trilliantinc.com/pdf/wp_WirelessSecurity.pdf 
> http://skypilot.trilliantinc.com/pdf/ds_SkyExtenderPlus.pdf 
> 
> only mention i could find specifically excluding EAP-TLS method is here, on 
> page 25:
> http://skypilot.trilliantinc.com/support/documents/SkyAccess_DualBand_Installation_Guide.pdf
>  

  It takes a special kind of dedication to make PEAP work, but to break
EAP-TLS.  i.e. you have to write *extra* code in the AP to look for
EAP-TLS.  Then, you have to do something different from PEAP.

  If the AP manufacturer instead supported EAP (*any* kind), then PEAP
would work.  TTLS would work.  TLS would work.  EAP-FAST would work.

  I've seen RADIUS servers that do this kind of thing (Merit).  It's
good for everyone that no one uses those products any more.

  Alan DeKok.


Re: Flaky AP or borked Config? EAP-PEAP

2010-08-19 Thread Nolan King
This is the manufacturer of the "broken AP" 
http://skypilot.trilliantinc.com/

Skypilot was an indie manufacturer, recently purchased by trilliant. not sure 
who makes their hardware now- the tdm, one radio-many antennas approach has 
worked well for my muni mesh. they used to have a forum where i whined about 
the lack of EAP-TLS support to no avail, i think the forum is dead since the 
trilliant purchase.

wireless security, 802.1x mentioned in these docs:
http://skypilot.trilliantinc.com/pdf/wp_WirelessSecurity.pdf 
http://skypilot.trilliantinc.com/pdf/ds_SkyExtenderPlus.pdf 

only mention i could find specifically excluding EAP-TLS method is here, on 
page 25:
http://skypilot.trilliantinc.com/support/documents/SkyAccess_DualBand_Installation_Guide.pdf
 


Nolan



>>> On 8/18/2010 at 5:34 PM, in message <4c6c7c0d.7030...@deployingradius.com>,
Alan DeKok  wrote:
> David Mitton wrote:
>> Apart from the OP's particular problem, you can be assured that
>> there are APs that unfortunately do care about the EAP method in use.
> 
>   We should put a list of them on the Wiki as "broken APs".  It's
> ridiculous for them to be inspecting the EAP transport layer.
> 
>> Certainly EAP-TLS should be supported, as it's one of the only 5 EAP
>> methods tested by the WiFi Alliance.
>> 
>> But perhaps you missed my presentation:
>> 
>> http://www.ietf.org/proceedings/66/slides/emu-4/sld1.htm 
> 
>   I didn't make it to that IETF.
> 
>   Alan DeKok.


freeradius pap ldap

2010-08-19 Thread Walter Breno
hi, i'm newbie on freeradius and i have some problems to configure my
freeradius-2.1.9.
i successfully configured my freeradius to authenticate using a mysql
database, but i can't make it authenticate using a openLDAP server, i need
to make my 3com 5800G switches to authenticate on freeradius server using
macbased auth, if somebody have some experience with that or some
documentation i'll appreciate.

thanks

Runtime-Change of Reply-Message or Group-Membership

2010-08-19 Thread Kneissl Christian
Hello!

I have the following situation:
If a user has some special attributes which I can check for example in the 
authorize section (eg. user is in baduser-Table), I would need to change the 
reply message once for the actual dialin-session. I think changing his 
usergroup-membership for the actual session would be the best way for doing 
that. So is there a way to temporarily change the usergroup for the 
reply-message in runtime?

Best regards,

Christian Kneissl


OÖ. Ferngas Netz GmbH, Sitz Linz, FN 293793 z (LG Linz)


Re: Lotus Notes Encryption

2010-08-19 Thread Alan Buxey
Hi,

> I have windows clients so do I need to download supplicant for windows?

Open1X or SecureW2 are 2 quick options for you. the first one is free.

alan


Re: Freeradius + WPA2 + Windows Client

2010-08-19 Thread Fajar A. Nugraha
On Thu, Aug 19, 2010 at 3:42 PM, rrperez  wrote:
>
> Sorry for the inconvenience Alan, I'm just a student and currently
> studying/exploring radius servers.
>

You seem to be selectively ignoring some suggestions though. It's fine
if you REALLY know what you're doing, but this does not seem to be the
case.


>
> Now I changed all the configuration back to default and made some
> configuration changes to make ldap work.
>
> Here is the debug and it is quite different from the previous one:

Here's some things you need to take note of:
(1) If you configure clients to use PEAPv0/EAP-MSCHAPv2 (or sometimes
referred to as PEAP only), it does not supply plain-text/cleartext
password
(2) authenticating to Lotus Domino requires that you supply plain-text
password, since Lotus stores password using some proprietary
hash/encryption
(3) One of the EAP methods that can send plain-text password is
PEAP-GTC (others on this list have suggested TTLS-PAP)
(4) Windows by itself does not support PEAP-GTC or TTLS-PAP
(5) Thus, you need third-party supplicant to have Windows be able to
use EAP methods which sends cleartext password.

Does this make sense so far?
Have you used any third-party supplicant and configured them to do
either PEAP-GTC or TTLS-PAP? If yes, the password that you typed when
authenticating should show up in the debug log (which doesn't seem to
be the case).

See
http://wiki.freeradius.org/Extensible_Authentication_Protocol
http://lists.freeradius.org/pipermail/freeradius-users/2010-August/msg00297.html

Commercial supplicant is also available:
http://www.ciscosystems.com/en/US/products/ps7034/products_configuration_example09186a0080734afc.shtml


-- 
Fajar


Re: Lotus Notes Encryption

2010-08-19 Thread rrperez

Thanks for the quick response Peter and Stefan,

Can you specifically tell me what do I need to make this TTLS-PAP?

I have windows clients so do I need to download supplicant for windows?


Re: Freeradius + WPA2 + Windows Client

2010-08-19 Thread rrperez

Sorry for the inconvenience Alan, I'm just a student and currently
studying/exploring radius servers.

Now I changed all the configuration back to default and made some
configuration changes to make ldap work.

Here is the debug and it is quite different from the previous one:

rad_recv: Access-Request packet from host 10.96.100.205 port 1494, id=0,
length=143
User-Name = "kim.almarez"
NAS-IP-Address = 10.96.100.205
Called-Station-Id = "0014bf8abbc5"
Calling-Station-Id = "002682a0ed7d"
NAS-Identifier = "0014bf8abbc5"
NAS-Port = 48
Framed-MTU = 1400
State = 0x37e5184d33e0019d0fd828625cb2b12f
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020500061900
Message-Authenticator = 0xcffe22481a4058a92af0247cdbeb03ec
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3 
[peap] eaptls_process returned 3 
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.96.100.205 port 1494
EAP-Message =
0x0106002b1900170301002091954e9ec07cc3ca9afa609b287aea0248a1a1fbb2fe6ad3ccf1ea09fba06e11
Message-Authenticator = 0x
State = 0x37e5184d32e3019d0fd828625cb2b12f
Finished request 6.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 10.96.100.205 port 1496, id=0,
length=196
User-Name = "kim.almarez"
NAS-IP-Address = 10.96.100.205
Called-Station-Id = "0014bf8abbc5"
Calling-Station-Id = "002682a0ed7d"
NAS-Identifier = "0014bf8abbc5"
NAS-Port = 48
Framed-MTU = 1400
State = 0x37e5184d32e3019d0fd828625cb2b12f
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0206003b19001703010030b116207fd585e2b669e3f77de44fc303752534eacf129c6be70a929f6c0f467eac807a801d321cd3fbee1078fefb5fcc
Message-Authenticator = 0xa31d5cd12cca50d02ad850f9eb1f0ff8
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 59
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Identity - kim.almarez
[peap] Got tunneled request
EAP-Message = 0x02060010016b696d2e616c6d6172657a
server  {
  PEAP: Got tunneled identity of kim.almarez
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to kim.almarez
Sending tunneled request
EAP-Message = 0x02060010016b696d2e616c6d6172657a
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "kim.almarez"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 6 length 16
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for kim.almarez
[ldap]  expand: %{Stripped-User-Name} -> 
[ldap]  expand: %{User-Name} -> kim.almarez
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=kim.almarez)
[ldap]  expand: O=SMPRIME -> O=SMPRIME
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in O=SMPRIME, with filter (uid=kim.almarez)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap] user kim.almarez authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunn
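
The EAP-Message values in the debug output above can be decoded by hand to compare what the NAS relays with what FreeRADIUS sees after decrypting the tunnel, which is the point made elsewhere in this thread about the TLS tunnel running from the client to the RADIUS server. The Python below is an added example, not part of the original post or of FreeRADIUS; the function names are hypothetical and the hex strings are copied from the log above.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 6: "GTC", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP", 26: "MS-CHAPv2"}
TLS_BASED = {13, 21, 25}  # methods whose body is a flags byte plus TLS records
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert",
               22: "handshake", 23: "application_data"}

# EAP-Message values copied from the debug output above.
OUTER_ACK = "0x020500061900"
OUTER_CHALLENGE = ("0x0106002b1900170301002091954e9ec07cc3ca9afa609b287aea02"
                   "48a1a1fbb2fe6ad3ccf1ea09fba06e11")
OUTER_RESPONSE = ("0x0206003b19001703010030b116207fd585e2b669e3f77de44fc30375"
                  "2534eacf129c6be70a929f6c0f467eac807a801d321cd3fbee1078fefb5fcc")
INNER_IDENTITY = "0x02060010016b696d2e616c6d6172657a"  # seen only after decryption


def decode_tls_body(body):
    """Decode the flags byte and TLS record headers of an EAP-TLS/TTLS/PEAP body."""
    if not body:
        raise ValueError("TLS-based EAP type without a flags byte")
    flags, rest = body[0], body[1:]
    info = {"length_included": bool(flags & 0x80),
            "more_fragments": bool(flags & 0x40),
            "start": bool(flags & 0x20),
            "records": []}
    if info["length_included"]:
        if len(rest) < 4:
            raise ValueError("L flag set but TLS message length is missing")
        info["tls_message_length"] = struct.unpack("!I", rest[:4])[0]
        rest = rest[4:]
    # Walk record headers. This assumes the packet starts on a record
    # boundary; continuation fragments of a long handshake do not.
    while len(rest) >= 5:
        ctype, version, rec_len = struct.unpack("!BHH", rest[:5])
        if ctype not in TLS_CONTENT:
            break
        info["records"].append({"content_type": TLS_CONTENT[ctype],
                                "version": f"0x{version:04x}",
                                "length": rec_len,
                                "complete": len(rest) >= 5 + rec_len})
        rest = rest[5 + rec_len:]
    return info


def decode_eap(hex_value):
    """Decode one EAP packet given as the hex string FreeRADIUS prints."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field says {length}, got {len(raw)} bytes")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2):      # Success and Failure carry no type field
        return pkt
    if length < 5:
        raise ValueError("Request/Response without a type byte")
    eap_type, body = raw[4], raw[5:]
    pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:
        pkt["identity"] = body.decode("utf-8", "replace")
    elif eap_type in TLS_BASED:
        pkt.update(decode_tls_body(body))
    return pkt


def nas_visible_summary(hex_value):
    """What a relay such as the NAS can read from an outer EAP-Message."""
    pkt = decode_eap(hex_value)
    return {"method": pkt.get("type"),
            "tls_records": [r["content_type"] for r in pkt.get("records", [])],
            "cleartext_identity": pkt.get("identity")}


if __name__ == "__main__":
    for name in ("OUTER_ACK", "OUTER_CHALLENGE", "OUTER_RESPONSE", "INNER_IDENTITY"):
        print(name, decode_eap(globals()[name]))
    print("NAS view:", nas_visible_summary(OUTER_RESPONSE))
```

The decoded id and length values line up with the "[eap] EAP packet type response id ... length ..." lines in the log, and the outer packets carry only TLS application_data records.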

Re: Lotus Notes Encryption

2010-08-19 Thread Stefan Winter

 Hi,

> It will mean that you will need to change your clients to get it
> working (installing a different supplicant rather than the standard
> windows one), and that the clients will talk to the access point over
> SSL (TTLS) but since it's using PAP the password is sent not hashed or
> encrypted.  So then when the NAS (Wireless access point) talks to
> FreeRadius and sends the password not encrypted or hashed.


Uh, that last part is not true. The NAS doesn't see or transmit any 
passwords in the clear. The TLS tunnel spans from the client to the 
RADIUS server. The RADIUS server will then see the clear-text password, 
*no one else*. It's a popular urban legend that TTLS sends clear text 
passwords, but it's not true.


Stefan

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



Re: Lotus Notes Encryption

2010-08-19 Thread Peter Lambrechtsen
On Thu, Aug 19, 2010 at 7:42 PM, rrperez  wrote:

>
> Thanks for the quick response Peter,
>
> >It means that your clients will send the password to the radius server in
> >cleartext rather than PEAP encrypting them. There isn't any way to
> >authenticate against your Notes box with anything other than a cleartext
> >password.
>
> I somewhat understand what you're pointing at, but I don't know how to do
> this. My goal is to authenticate the users stored in notes ldap for my
> wireless network. Is it possible for me to do this?
>

Yes, I think Stefan more than answered the process you will need to take:

google for "supplicant TTLS-PAP". There are numerous products for numerous
platforms.

It will mean that you will need to change your clients to get it working
(installing a different supplicant rather than the standard windows one),
and that the clients will talk to the access point over SSL (TTLS) but since
it's using PAP the password is sent not hashed or encrypted.  So then when
the NAS (Wireless access point) talks to FreeRadius and sends the password
not encrypted or hashed.

Re: Freeradius + WPA2 + Windows Client

2010-08-19 Thread Alan DeKok
rrperez wrote:
> I just commented out the pap and uncomment the ldap in the default and like
> I said, it is working fine but with windows client, it fails the
> authentication protocol which is mschapv2.

  Nonsense.  The output you posted showed an "mschapv2" module.  There
is *no* such module in the default server configuration.

  I don't think you're intentionally misleading us.  I *do* think you're
not paying attention to what you're doing, and you're not paying
attention to the messages on this list.

> My configuration is about freeradius authenticating its users from a domino
> ldap directory. If I uncomment the pap in the default, the server will
> perform pap authentication instead of ldap. I want an ldap authentication
> rather than pap because it is only the possible way for me to authenticate
> in the domino ldap.

  You've said that lots.  Repeating yourself like that is another sign
that you're not paying attention.

> By using this method, doing radtest on linux platforms within local network
> works. But with windows clients n the wireless authentication fails because
> it uses EAP-MSCHAPv2. (This is also the same if I use pap authentication)
> 
> I just want to know if there are any EAP protocol aside from MSCHAPv2 that
> will work on windows clients?

  Read the messages on this list.  Your questions have been asked, and
answered many times.

  Now stop asking questions.  *All* of the questions you've asked have
been answered already.  Go back and read the responses.  If you keep
asking the same questions, you will be admitting that you're not reading
the responses, and that you're wasting everyone's time.

  Alan DeKok.


Re: Lotus Notes Encryption

2010-08-19 Thread rrperez

Thanks for the quick response Peter,

>It means that your clients will send the password to the radius server in
>cleartext rather than PEAP encrypting them. There isn't any way to
>authenticate against your Notes box with anything other than a cleartext
>password.

I somewhat understand what you're pointing at, but I don't know how to do
this. My goal is to authenticate the users stored in notes ldap for my
wireless network. Is it possible for me to do this?


Re: Encountering error when using "radius -X"

2010-08-19 Thread Fabien COMBERNOUS

kartik dadwal wrote:
> Hi,
>
> I have ubuntu 9.10. Can you please tell me
> 1)Before running "radius -X" what all steps should be completed?
> 2)what should be the subdirectory structure for freeradius and where
> it should be formed in the directory structure?
> 3)which sub directory should I give the "radius -X" command.

Before to try to give answers, do you really need to compile your own 
radius from sources ? Now you know that with radius binary .deb package, 
radius config is in /etc/freeradius directory. Can you consider to 
forget sources you downloaded ? If you can't, i never used the way you 
are following. You'll have to consider depends. And i have not enough 
time to try your way on a box.

> On Wed, Aug 18, 2010 at 7:05 AM, Fabien COMBERNOUS
> <fcombern...@kezia.com> wrote:
>
>> In general you can get the list of the files from a deb package
>> with the command line :
>> $> dpkg -L 
>> Here we have :
>> $> dpkg -L freeradius | grep etc
>> /etc
>> /etc/pam.d
>> /etc/pam.d/radiusd
>> /etc/init.d
>> /etc/init.d/freeradius
>> /etc/freeradius



--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com 
*Tel: +33 (0) 467 992 986*
Kezia Group


Re: Freeradius + WPA2 + Windows Client

2010-08-19 Thread rrperez

Thanks for the response Alan,

I just commented out the pap and uncomment the ldap in the default and like
I said, it is working fine but with windows client, it fails the
authentication protocol which is mschapv2.

My configuration is about freeradius authenticating its users from a domino
ldap directory. If I uncomment the pap in the default, the server will
perform pap authentication instead of ldap. I want an ldap authentication
rather than pap because it is only the possible way for me to authenticate
in the domino ldap.

By using this method, doing radtest on linux platforms within local network
works. But with windows clients n the wireless authentication fails because
it uses EAP-MSCHAPv2. (This is also the same if I use pap authentication)

I just want to know if there are any EAP protocol aside from MSCHAPv2 that
will work on windows clients?


Re: Lotus Notes Encryption

2010-08-19 Thread Peter Lambrechtsen
On Thu, Aug 19, 2010 at 6:38 PM, rrperez  wrote:

>
> Thanks for the quick response Stefan.
>
> Regarding with practicality issues, it's not a problem. I want to try all
> the
> possibility for me to be able to make this work.
>
> >Due to that, PEAP and Notes *will not work*. You could possibly remedy
> >this with a windows client that speaks TTLS-PAP instead. But that's
> >extra software to install and may or may not be practical for you.
>
> I'm not familiar with the TTLS-PAP protocol and using PAP for
> authentication
> might make my server not work again with regards to LDAP, but still I want
> to give it a try. And also what are these "softwares" that will help me
> work
> this TTLS-PAP protocol?
>

It means that your clients will send the password to the radius server in
cleartext rather than PEAP encrypting them.  There isn't any way to
authenticate against your Notes box with anything other than a cleartext
password.

Re: Lotus Notes Encryption

2010-08-19 Thread Stefan Winter

 Hi,

google for "supplicant TTLS-PAP". There are numerous products for 
numerous platforms.


Stefan

On 19.08.2010 08:38, rrperez wrote:
> Thanks for the quick response Stefan.
>
> Regarding with practicality issues, it's not a problem. I want to try all the
> possibility for me to be able to make this work.
>
>> Due to that, PEAP and Notes *will not work*. You could possibly remedy
>> this with a windows client that speaks TTLS-PAP instead. But that's
>> extra software to install and may or may not be practical for you.
>
> I'm not familiar with the TTLS-PAP protocol and using PAP for authentication
> might make my server not work again with regards to LDAP, but still I want
> to give it a try. And also what are these "softwares" that will help me work
> this TTLS-PAP protocol?



--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



Re: Freeradius + WPA2 + Windows Client

2010-08-19 Thread Alan DeKok
rrperez wrote:
> The error in the debug shows:
> 
> [mschapv2] WARNING: Unknown value specified for Auth-Type. Cannot perform
> requested action.

  You edited the default configuration and broke it.  Don't do that.

> I've used peap and ttls as default eap type but it goes with the same error. 
> 
> I really need help for this matter.

  Stop breaking the configuration.  It's really not that hard to get the
server up and running.  Most of the problems you're running into are
because you're destroying the configuration, creating problems for
yourself, and then asking us to help you fix them.

  The best help we can offer is to tell you: stop breaking the
configuration.

  I have no idea what you think you're doing, but stop it.  It's wasting
your time, and ours.

  Alan DeKok.


Freeradius + WPA2 + Windows Client

2010-08-19 Thread rrperez

I have configured a Freeradius 2 server that authenticates on ldap for
wireless network connection.

While testing, the radtest sends access-accept locally with linux platforms
but when I try to test it using the router, it fails.

The error in the debug shows:

[mschapv2] WARNING: Unknown value specified for Auth-Type. Cannot perform
requested action.

I've used peap and ttls as default eap type but it goes with the same error. 

I really need help for this matter.

