openLDAP authorization with PAP authentication

2012-03-30 Thread Jay Ludlow

I have a working RADIUS server for localhost lookup, but when I try to
authenticate with my HP Procurve 420 Wireless Access Point using these wireless
connection methods with Ubuntu 10.04LTS:

Wireless Security: WPA & WPA2 Enterprise
Authentication: Tunneled TLS | Protected EAP (PEAP)
Anonymous Identity: (Blank)
CA Certificate: (None)
Inner Authentication: PAP, MSCHAP, MSCHAPv2, CHAP | MSCHAPv2, MD5, GTC
Username: guest
Password: userpasswd

I get the following result:

FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on Feb 22 2012 at 14:59:35
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/ldap.rpmnew
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/mschap.bak
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/pap.rpmnew
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/ldap.rpmnew.original
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/default.original
including configuration file /etc/raddb/sites-enabled/inner-tunnel
main {
	user = "radiusd"
	group = "radiusd"
	allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
	name = "radiusd"
	prefix = "/usr"
	localstatedir = "/var"
	sbindir = "/usr/sbin"
	logdir = "/var/log/radius"
	run_dir = "/var/run/radiusd"
	libdir = "/usr/lib64/freeradius"
	radacctdir = "/var/log/radius/radacct"
ho

Re: Fwd: ldap-radius integration

2012-03-30 Thread John Dennis

On 03/30/2012 05:46 PM, Stefan Winter wrote:

> Please don't write private mail to me with FreeRADIUS questions.
> Forwarding to freeradius-users.
>
>  Original Message 
> Subject: ldap-radius integration
> Date:    Fri, 30 Mar 2012 12:35:53 -0700
> From:    exu...@gmail.com
> To:      stefan.win...@restena.lu
>
> could you give me some reference material or the steps involved in integrating
> radius and ldap?
> I am stuck with the error
> [ldap] bind as
> cn=Manager,ou=radius,dc=example,dc=com/{SSHA}N0HDoA07iBXb/qW6JmhxnkUeTkVex1mN
> to 127.0.0.1:389
>    [ldap] waiting for bind result ...
>    [ldap] LDAP login failed: check identity, password settings in ldap section
> of radiusd.conf
>
> can't understand how to proceed..!


Then get a book on LDAP and read it, or use Google to find any of the 
dozens of tutorials on LDAP and read it. It's your job to learn the 
material, not our job as volunteers to spoon feed you the answers.


I say this in part because the answer to your question is so glaringly 
obvious if you have even the most rudimentary understanding of ldap 
authentication and password formats. So acquire the knowledge and answer 
the question yourself, how do you think we learned it? BTW this has 
nothing to do with FreeRADIUS, it's basic LDAP usage.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Fwd: ldap-radius integration

2012-03-30 Thread Stefan Winter

>
> could you give me some reference material or the steps involved in integrating
> radius and ldap?
> I am stuck with the error
> [ldap] bind as
> cn=Manager,ou=radius,dc=example,dc=com/{SSHA}N0HDoA07iBXb/qW6JmhxnkUeTkVex1mN
> to 127.0.0.1:389
>   [ldap] waiting for bind result ...
>   [ldap] LDAP login failed: check identity, password settings in ldap section
> of radiusd.conf
> can't understand how to proceed..!
> PS: I'm using ubuntu 11.10
>

You need to tell FreeRADIUS login credentials for your LDAP
administrator account. According to the query, the username for that is
"Manager" and the LDAP server is "radius.example.com".

I believe these are the default (shipped) values that come with
FreeRADIUS. Replace them with the *real* login details of your LDAP
admin account.

In general: *read* the debug output and *apply common sense*.

Greetings,

Stefan Winter

P.S.: your Operating System is irrelevant for this error.


Fwd: ldap-radius integration

2012-03-30 Thread Stefan Winter
Please don't write private mail to me with FreeRADIUS questions.
Forwarding to freeradius-users.

 Original Message 
Subject:ldap-radius integration
Date:   Fri, 30 Mar 2012 12:35:53 -0700
From:   exu...@gmail.com
To: stefan.win...@restena.lu



could you give me some reference material or the steps involved in integrating
radius and ldap?
I am stuck with the error
[ldap] bind as
cn=Manager,ou=radius,dc=example,dc=com/{SSHA}N0HDoA07iBXb/qW6JmhxnkUeTkVex1mN
to 127.0.0.1:389
  [ldap] waiting for bind result ...
  [ldap] LDAP login failed: check identity, password settings in ldap section
of radiusd.conf
can't understand how to proceed..!
PS: I'm using ubuntu 11.10


Re: point to a new radius server for about 500 clients

2012-03-30 Thread Asif Iqbal
On Fri, Mar 30, 2012 at 1:46 PM, Alan Buxey  wrote:
> Hi,
>
>> I have about 500 radius clients that are authenticating against 2
>> radius servers 192.168.1.10 and 192.168.2.10.
>>
>> We have a need to use new radius servers that are on different network
>> 10.0.1.10 and 10.0.2.10.
>>
>> How do I force the radius clients to authenticate against the new
>> radius servers short from changing the
>> IP of the radius server on the all about 500 clients?
>
> you can proxy the requests to those new servers, but if the old servers
> are to go, then you have no option other than to edit the config of those clients
> or put some funky redirect system on the network

yep.. being replaced. Got a suggestion in #freeradius to use NAT on
the firewall, since all radius servers, new and old, are behind firewalls.

>
> alan



-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: point to a new radius server for about 500 clients

2012-03-30 Thread Alan Buxey
Hi,

> I have about 500 radius clients that are authenticating against 2
> radius servers 192.168.1.10 and 192.168.2.10.
> 
> We have a need to use new radius servers that are on different network
> 10.0.1.10 and 10.0.2.10.
> 
> How do I force the radius clients to authenticate against the new
> radius servers short from changing the
> IP of the radius server on the all about 500 clients?

you can proxy the requests to those new servers, but if the old servers
are to go, then you have no option other than to edit the config of those clients
or put some funky redirect system on the network

alan


point to a new radius server for about 500 clients

2012-03-30 Thread Asif Iqbal
I have about 500 radius clients that are authenticating against 2
radius servers 192.168.1.10 and 192.168.2.10.

We have a need to use new radius servers that are on different network
10.0.1.10 and 10.0.2.10.

How do I force the radius clients to authenticate against the new
radius servers short of changing the
IP of the radius server on all of the about 500 clients?

Thanks

-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: MSCHAPv2 followed by a smsotp authentication

2012-03-30 Thread Thomas Glanzmann
Hello Alan,

> Any idea what freeradius does different here?

the only difference I see here is that freeradius has a hex number in the
state field while the proprietary one has digits. I assume that is why my
proprietary client chokes.

I'll try to configure freeradius to produce digits as well and retry, and
also file a bug report with the proprietary vendor.

Cheers,
Thomas


Re: MSCHAPv2 followed by a smsotp authentication

2012-03-30 Thread Thomas Glanzmann
Hello Alan,
here is the Nordic Edge radius server pcap:

http://upload.glanzmann.de/radius.pcap

here is the freeradius server pcap:

http://upload.glanzmann.de/freeradius.pcap

What I don't get is, when I compare the two 'Access-Challenges' they look very
similar to me. However my proprietary radius client does not send another
packet after I typed in the otp.

Any idea what freeradius does different here?

Cheers,
Thomas


Re: MSCHAPv2 followed by a smsotp authentication

2012-03-30 Thread Thomas Glanzmann
Hello Alan,

>   PAP.  And only PAP.  And sometimes not even there.

I now installed a commercial radius server (Nordic Edge) which supports
it and I sniffed a successful exchange. You can find it here:

http://upload.glanzmann.de/radius.pcap

Could you please let me know if it is possible to configure freeradius
so that it behaves the same way? If this is not possible I assume I'll stack
'pap' on top of rlm_example. In that case can you please let me know
what I need to configure in order to have pap and rlm_example on top?

Cheers,
Thomas


Re: Proxy + copy accounting to passive home server

2012-03-30 Thread Fajar A. Nugraha
On Fri, Mar 30, 2012 at 7:37 PM, mimir
 wrote:
> Hi Fajar,
>
> I also think that option. But, I can not configure it.
>
> I set up realms same in proxy.conf. But, how can we point it to
> sites-available/copy-acct-to-home-server ?

Basically you need to configure sites-available/default to write to
different detail files (e.g. /var/log/radius/detail1,
/var/log/radius/detail2, etc.). Then you set up several copies of
sites-available/copy-acct-to-home-server (changing files and server
names as necessary, of course), each reading a different file (note
the line "filename = ${radacctdir}/detail"; change that). Then don't
forget to create links in sites-enabled :)

-- 
Fajar


Re: FreeRADIUS + MySQL + DHCP Opt82

2012-03-30 Thread IVB

Fajar A. Nugraha-2 wrote
> 
> On Fri, Mar 30, 2012 at 6:12 PM, IVB  wrote:
> 
>> Agent-Circuit-Id = 0x000403fc0001
> 
> let's start with that one.
> 
>>  ( '00:12:23:56:78:9A', 'Agent-Circuit-ID', x'000403fc0001', '==' ),
> 
> Does that work?
> 

No. And this is the problem.


Fajar A. Nugraha-2 wrote
> 
> Shouldn't it be something like
> 
> ( '00:12:23:56:78:9A', 'Agent-Circuit-ID', 0x000403fc0001, '==' ),
> 
> ?
> 

0x000403fc0001 and x'000403fc0001' are synonyms (as written in the MySQL
documentation). But I checked both variants, without success.


Fajar A. Nugraha-2 wrote
> 
> Another alternative is to insert something like this (note the operator)
> 
> ( '00:12:23:56:78:9A', 'Agent-Circuit-ID', 0x000403fc0001, ':=' ),
> 
> ... and then on authorize section add something like this (just for check)
> 
> if ( (request:User-Name == "00:12:23:56:78:9A") &&
>      (control:Agent-Circuit-ID != "%{request:Agent-Circuit-ID}") ) {
>     update control {
>         Auth-Type := "Reject"
>     }
> }
> 
> then use debug mode again. It should print out what it recognizes as
> control:Agent-Circuit-ID (which is from db) and
> request:Agent-Circuit-ID. Then you just need to edit the entry in the db to
> match what's in the request.
> 
> 
OK, I'll try this and write results.


Re: Proxy + copy accounting to passive home server

2012-03-30 Thread mimir
I forgot to add. 

preacct also worked :)

Thanks.



Re: Proxy + copy accounting to passive home server

2012-03-30 Thread mimir
Hi Fajar,

I also thought of that option. But I cannot configure it.

I set up the same realms in proxy.conf. But how can we point it to
sites-available/copy-acct-to-home-server?

How can we configure it? I can only see the explanation in the config file comments.

Thanks,



Re: AW: understanding

2012-03-30 Thread Alan Buxey
Hi,

> I apologize for bothering you. I thought that somewhere might be a how-to to 
> solve this.

yes, there are plenty of HOW-TOs - they all say to check the RADIUS server cert
and configure the client properly - you are asking why.  why?

alan


Re: AW: AW: understanding

2012-03-30 Thread Phil Mayers

On 30/03/12 12:51, Heinrich, Sebastian wrote:

> I apologize for bothering you. I thought that somewhere might be a how-to to
> solve this.

Unfortunately there's nothing to "solve". This is just how PEAP/MSCHAP 
works; there is a server cert, and for it to be secure, you must 
validate it.

There are other EAP methods, that don't require pre-provisioned trust 
(e.g. EAP-SRP, EAP-EKE). But no-one supports them :o(



Re: Windows 7 prompting several times

2012-03-30 Thread Alan Buxey
Hi,

> thanks for the brief reply.
> I also think that the problem is that the NAS is asking the supplicant for
> the password several times, before finally receiving the user's entry and
> sending to radius.
> I would like to solve the problem but since nobody yet find an answer. I
> don't know what to do next.

turn on full AAA debugging on the NAS ?

alan


Re: FreeRADIUS + MySQL + DHCP Opt82

2012-03-30 Thread Fajar A. Nugraha
On Fri, Mar 30, 2012 at 6:12 PM, IVB  wrote:

> Agent-Circuit-Id = 0x000403fc0001

let's start with that one.

>  ( '00:12:23:56:78:9A', 'Agent-Circuit-ID', x'000403fc0001', '==' ),

Does that work? Shouldn't it be something like

( '00:12:23:56:78:9A', 'Agent-Circuit-ID', 0x000403fc0001, '==' ),

?


Another alternative is to insert something like this (note the operator)

( '00:12:23:56:78:9A', 'Agent-Circuit-ID', 0x000403fc0001, ':=' ),

... and then on authorize section add something like this (just for check)

if ( (request:User-Name == "00:12:23:56:78:9A") &&
     (control:Agent-Circuit-ID != "%{request:Agent-Circuit-ID}") ) {
    update control {
        Auth-Type := "Reject"
    }
}

then use debug mode again. It should print out what it recognizes as
control:Agent-Circuit-ID (which is from db) and
request:Agent-Circuit-ID. Then you just need to edit the entry in the db to
match what's in the request.

-- 
Fajar


Re: understanding

2012-03-30 Thread Alan Buxey
Hi,

> We don't want to install certificates on the clients, but the problem

in that case, just get your RADIUS server signed by a CA that is already
on the clients... something like Thawte, Verisign etc. ie spend some money.

if you don't want to spend some money, use your own self-signed CA (closed-loop
authentication) and use a client deployment tool to get the CA onto the systems
(this is trivial with GPO in an activedirectory controlled domain).

think of the RADIUS server cert like that for an online bank.

when you go to an online bank web site, the HTTPS is via a known certificate that
your client trusts... and DNS can be used to map the name requested to an IP
address... and the name of the server matches your request and the certificate
name matches the DNS entry. you can even use DNSSEC to ensure that the IP you
got was handed out by the domain you wanted... all good.

with RADIUS there is no layer 3 activity etc for the client... no DNS available
etc.. so you can only take what you are given by the RADIUS server... and then
match that to your local rules/settings - so, you verify the server cert, verify
the CN you were given.. and finally, verify the CA that sent that cert.

> used for the active directory. So is it only secure to connect to the AD
> when checking the certificates? Or is there another possibility to make
> it secure without installing certificates? 

you can connect to the AD when checking the cert or when not checking the cert.
if you do the former, then you are secure... if you don't check the CA then why
even bother with 802.1X or security at all - you are leaving your network wide
open to attack and abuse... i'll set up a rogue AP and just harvest people's
credentials... which I'll then use to access all the bits I need (there are live
CD distros with such tools ready to go using the internal wireless card on a
laptop). - of course, when I say I'll set up, that's hypothetical... i have
better things to do ;-)


alan


AW: AW: understanding

2012-03-30 Thread Heinrich, Sebastian
I apologize for bothering you. I thought that somewhere might be a how-to to 
solve this.
Thank you for help.

I wish you a nice weekend.

Best Regards from Germany

Sebastian Heinrich
Techn. DV 


Aluminium Oxid Stade GmbH
Johann-Rathje-Köser-Straße
21683 Stade

email  s.heinr...@aos-stade.de
webhttp://www.aos-stade.de


Re: Proxy + copy accounting to passive home server

2012-03-30 Thread Fajar A. Nugraha
On Fri, Mar 30, 2012 at 5:40 PM, mimir
 wrote:
> Hello,
>
> I added same definition to acct_users
>
> DEFAULT Replicate-To-Realm := TEST1,Replicate-To-Realm +=
> TEST2,Replicate-To-Realm += TEST3
>
> and it worked :)

The earlier error is probably my fault then. It might need to go in the
preacct section instead of accounting? It's been quite a while since I
tested it. It'd be good if you can test on preacct and report the
result :)

> I wonder another thing. Is it possible to get a log/error or sth else if one
> of the replicated servers does not respond?

Nope. Replicate is a send-and-forget kind-a-thing.

If you REALLY want a RELIABLE proxying setup, you need to use the detail
module to write to 3 different detail files, and basically configure 3
instances of sites-available/copy-acct-to-home-server. I wouldn't
recommend it unless it's ABSOLUTELY necessary.

-- 
Fajar


Re: FreeRADIUS + MySQL + DHCP Opt82

2012-03-30 Thread IVB
Debug mode doesn't help me at all.

When I try to connect without Agent-* attributes in the DB, I see in the debug
output 'User found in radcheck table' after performing the "check" SQL. And
finally I log in successfully.

When I try to connect with Agent-* attributes in the DB, I don't see the message
'User found in radcheck table' after the "check" SQL, and the "reply" SQL isn't
executed. And finally I don't log in.

But I don't see in the debug output what exactly was returned by the SQL query.



Re: AW: AW: understanding

2012-03-30 Thread Fajar A. Nugraha
On Fri, Mar 30, 2012 at 5:23 PM, Phil Mayers  wrote:
> However: I'm sure everyone will agree with me when I say:
>
> YOU SHOULD CONFIGURE YOUR CLIENTS TO CHECK THE CERTIFICATE.

Exactly :)

-- 
Fajar


Re: Windows 7 prompting several times

2012-03-30 Thread Phil Mayers

On 30/03/12 11:58, Morris, Andi wrote:

> Hi Ricardo, Sorry it was a brief answer but I'm also unsure of where
> to turn next with this, especially as you are seeing the same issue
> with different network hardware.

Well, you guys need to debug your network hardware (and Ricardo needs to 
use a threaded email client!)

It's not a FreeRADIUS issue if no packets are arriving at FreeRADIUS.

Some possible things to consider:

1. Some wireless platforms have a feature where they will try to "nudge" 
clients onto either a different access point, or 5GHz rather than 
2.4GHz. This might be implemented using vendor extensions (CCX) or it 
might be implemented by simply "rejecting" the client. Some clients 
treat a number of successive rejections as "bad password", because they 
can't distinguish between radio-layer and eap-layer rejections.

On Cisco lightweight, this feature tends to interop badly with e.g. 
Linux clients, using the default values.

2. Some wireless platforms vertically integrate the whole protocol stack 
(radio, eap, arp/dhcp/ip, etc.) and will reject clients at the 
bottom-most layer for violations at upper layers. This can confuse 
clients, and make them think auth has "failed"

3. Interference can cause dropped EAP packets. Check your EAP timeout 
values, and look for radio-layer problems. Get a decent wireless test 
tool - the Fluke AirCheck is excellent, and allows you to force auth to 
a specific BSSID/SSID combination, so you can track problems down.

...and so on.

No-one said wireless was easy. But this is not a FreeRADIUS problem.


Re: FreeRADIUS + MySQL + DHCP Opt82

2012-03-30 Thread IVB

Fajar A. Nugraha-2 wrote
> 
> On Fri, Mar 30, 2012 at 4:29 PM, IVB  wrote:
>> I need help.
>>
>> Software: FreeRADIUS v2.1.11, MySQL v5.1.61.
>> Hardware: RB SE100 under SEOS-6.4.1.4-Release
>>
>> BRAS sends Opt-82 related attributes in the following format:
>>
> 
> What format?
> 

Agent-Remote-Id = 0x0006001e58ab0304
ADSL-Agent-Remote-Id = "\000\006\000\036X\253\003\004"
Agent-Circuit-Id = 0x000403fc0001
ADSL-Agent-Circuit-Id = "\000\004\003\374\000\001"

>>
>> Attributes Agent-* are described in the radius dictionary as 'octets'. Attributes
>> ADSL-Agent-* are described in the radius dictionary as 'string'.
> 
> AFAIK those are not DHCP dictionary. They're part of "normal" radius
> dictionary. So you just treat them like any other attribute.
> 
>>
>> I tried to store the needed data in a MySQL database from which Radius gets
>> 'check' attributes:
> 

INSERT INTO
  `radcheck` ( `UserName`, `Attribute`, `Value`, `op` )
VALUES
  ( '00:12:23:56:78:9A', 'Cleartext-Password', 'Redback', ':=' ),
  ( '00:12:23:56:78:9A', 'Agent-Circuit-ID', x'000403fc0001', '==' ),
  ( '00:12:23:56:78:9A', 'Agent-Remote-ID', x'0006001e58ab0304', '==' );

(the most important part of the message disappeared from my post)

>>
>> so that Radius selects those attributes to authenticate. But I got a 'Login
>> incorrect' message in the Radius log.
>>
>> If I remove both Agent-* attributes from the DB (that means that I don't
>> validate Opt-82 parameters) I get 'Login OK'.
>>
>> I think that I use the wrong format for Agent-* attributes, but I tried
>> some different variants without success.
>>
>> I tried to use ADSL-Agent-* instead of Agent-* in the DB, but I receive 'Login
>> OK' with _any_ attribute values, match and mismatch.
>>
>> So I need help. Very much.
> 
> You need to know what the NAS (i.e. BRAS) sends. An easy way to get
> that is to run FR in debug mode (-X) while the NAS is sending
> authentication packet.
> 

Yes, I know about debug mode, but BRAS and Radius are in project mode (using
PPPoE authorisation now). DHCP testing uses the same context and the same Radius
server. To run a different Radius in debug mode I need to configure a different
context...

> Then compare to what you have on radcheck. Note the operators (you
> probably need "==").
> 
> Then you need to find out what's going on. Again, debug mode would be
> the best way.
> 
> -- 
> Fajar




RE: Windows 7 prompting several times

2012-03-30 Thread Morris, Andi
Hi Ricardo,
Sorry it was a brief answer but I'm also unsure of where to turn next with 
this, especially as you are seeing the same issue with different network 
hardware.

Cheers,
Andi

-Original Message-
From: freeradius-users-bounces+amorris=cardiffmet.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+amorris=cardiffmet.ac...@lists.freeradius.org] 
On Behalf Of Ricardo89
Sent: 30 March 2012 11:45
To: freeradius-users@lists.freeradius.org
Subject: Re: Windows 7 prompting several times

Hi Andy,
thanks for the brief reply.
I also think that the problem is that the NAS is asking the supplicant for the 
password several times, before finally receiving the user's entry and sending 
it to radius.
I would like to solve the problem but since nobody has yet found an answer, I don't 
know what to do next.

Best Regards
Ricardo


Re: Windows 7 prompting several times

2012-03-30 Thread Ricardo89
Hi Andy,
thanks for the brief reply.
I also think that the problem is that the NAS is asking the supplicant for
the password several times, before finally receiving the user's entry and
sending it to radius.
I would like to solve the problem but since nobody has yet found an answer, I
don't know what to do next.

Best Regards
Ricardo



Re: Proxy + copy accounting to passive home server

2012-03-30 Thread mimir
Hello,

I added same definition to acct_users

DEFAULT Replicate-To-Realm := TEST1,Replicate-To-Realm +=
TEST2,Replicate-To-Realm += TEST3

and it worked :)

I can send 3 servers same accounting messages.

I wonder another thing. Is it possible to get a log/error or sth else if one
of the replicated servers does not respond?

Thanks.



Re: Proxy + copy accounting to passive home server

2012-03-30 Thread mimir
Hi,

Sorry, I wrote wrong in my previous post, I am trying to apply
Replicate-To-Realm to send accounting messages to 20 servers from my radius
server.

I added as below in /sites-available/default

accounting {

update control {
  Replicate-To-Realm := TEST1
  Replicate-To-Realm += TEST2
  Replicate-To-Realm += TEST3
  }

.

But, debug log says..

+[exec] returns noop
++[replicate] returns noop
++[control] returns noop

I think it has no effect?

Thanks..



--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Proxy-copy-accounting-to-passive-home-server-tp5598491p5606288.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: AW: AW: understanding

2012-03-30 Thread Phil Mayers

On 30/03/12 10:54, Heinrich, Sebastian wrote:

> Now I am totally confused. Fajar says that it is not so easy to crack
> the passwords and Phil says the opposite. I am not a hacker. Can
> anybody say that this would be easy to do or not:


I didn't say it was easy. I said it was *possible*.

And you're asking for something we can't provide. This isn't a paid 
support hotline; we're individuals, and we're allowed to have our own, 
differing, opinions.


However: I'm sure everyone will agree with me when I say:

YOU SHOULD CONFIGURE YOUR CLIENTS TO CHECK THE CERTIFICATE.

I hope that is clear enough for you.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Windows 7 prompting several times

2012-03-30 Thread Morris, Andi
This ties in with what I was saying, that the NAS (switch/access point) is 
asking the supplicant for the password several times, before finally receiving 
the user's entry and sending it onto the radius to be accepted or denied, 
whichever the case may be.

I still think the problem is supplicant/NAS.

Cheers,
Andi

-Original Message-
From: freeradius-users-bounces+amorris=cardiffmet.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+amorris=cardiffmet.ac...@lists.freeradius.org] 
On Behalf Of Ricardo89
Sent: 30 March 2012 10:48
To: freeradius-users@lists.freeradius.org
Subject: Re: Windows 7 prompting several times

Hi Alan DeKok,
thanks for your reply.

I think you don't understand what my problem is. My main problem is to 
understand why, when the user is asked to enter his credentials more than one 
time, nothing reaches my freeradius server; the only communication requests 
remain between the Access Point and the supplicant. In one of the many tests 
that I made, I was checking the logs when the user was entering his credentials, 
and nothing showed up in the logs; only on the third or fourth attempt did I 
finally see the connection accept logs.

Best Regards
Ricardo


--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Windows-7-prompting-several-times-tp5538046p5606196.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: understanding

2012-03-30 Thread Phil Mayers

On 30/03/12 10:38, Fajar A. Nugraha wrote:

>> How easy is it to crack
>> such a password?  An authentication wouldn't have happened but the
>> attacker would have had the encrypted usernames and passwords.
>
> They won't.


Not immediately. But MSCHAP is a complex (and old) algorithm, and it is 
possible to perform a known-ciphertext attack. See e.g.


http://code.google.com/p/mschapv2acc/

I'd wager this attack could be improved a lot by capturing multiple 
chal/resp pairs and doing clever stuff with them, but my crypto maths 
are very rusty by this point.


The takeaway is that you should not be doing MSCHAP over an insecure 
channel, IMO.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


AW: AW: understanding

2012-03-30 Thread Heinrich, Sebastian
Now I am totally confused. Fajar says that it is not so easy to crack the 
passwords and Phil says the opposite. I am not a hacker. Can anybody say that 
this would be easy to do or not:

"A CA certificate must be used at each client to authenticate the server to 
each client before the client submits authentication credentials. If the CA 
certificate is not validated it is generally trivially easy (in wireless 
networks) to introduce a fake Access Point which allows gathering MS-CHAPv2 
handshakes, which on recent hardware can be cracked in a matter of seconds." 
(source:  
http://en.wikipedia.org/wiki/Protected_Extensible_Authentication_Protocol)

Best Regards

Sebastian Heinrich
Techn. DV 


Aluminium Oxid Stade GmbH
Johann-Rathje-Köser-Straße
21683 Stade

email: s.heinr...@aos-stade.de
web: http://www.aos-stade.de
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Windows 7 prompting several times

2012-03-30 Thread Ricardo89
Hi Alan DeKok,
thanks for your reply.

I think you don't understand what my problem is. My main problem is to
understand why, when the user is asked to enter his credentials more than one
time, nothing reaches my freeradius server; the only communication requests
remain between the Access Point and the supplicant. In one of the many tests
that I made, I was checking the logs when the user was entering his credentials,
and nothing showed up in the logs; only on the third or fourth attempt did I
finally see the connection accept logs.

Best Regards
Ricardo 


--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Windows-7-prompting-several-times-tp5538046p5606196.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRADIUS + MySQL + DHCP Opt82

2012-03-30 Thread Fajar A. Nugraha
On Fri, Mar 30, 2012 at 4:29 PM, IVB  wrote:
> I need help.
>
> Software: FreeRADIUS v2.1.11, MySQL v5.1.61.
> Hardware: RB SE100 under SEOS-6.4.1.4-Release
>
> BRAS sends Opt-82 related attributes in following format:
>

What format?

>
> The Agent-* attributes are described in the radius dictionary as 'octets'. The
> ADSL-Agent-* attributes are described in the radius dictionary as 'string'.

AFAIK those are not in the DHCP dictionary. They're part of the "normal" radius
dictionary, so you just treat them like any other attribute.

>
> I tried to store the needed data in the MySQL database from which Radius gets
> 'check' attributes:
>
> for Radius to select those attributes to authenticate with. But I got a 'Login
> incorrect' message in the Radius log.
>
> If I remove both Agent-* attributes from the DB (which means that I don't validate
> the Opt-82 parameters) I get 'Login OK'.
>
> I think that I am using the wrong format for the Agent-* attributes, but I tried
> some different variants without success.
>
> I tried to use ADSL-Agent-* instead of Agent-* in the DB, but I receive 'Login
> OK' with _any_ attribute values, matching or not.
>
> So I need help. Very much.

You need to know what the NAS (i.e. the BRAS) sends. An easy way to get
that is to run FR in debug mode (-X) while the NAS is sending an
authentication packet.

Then compare to what you have on radcheck. Note the operators (you
probably need "==").

Then you need to find out what's going on. Again, debug mode would be
the best way.

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: AW: understanding

2012-03-30 Thread Phil Mayers

On 30/03/12 10:18, Heinrich, Sebastian wrote:

> We don't want to install certificates on the clients, but the problem
> that is given in wikipedia is that anybody can install an access point
> with the same ssid and a client that would connect with it would give
> him his MSCHAP encrypted username and password. How easy is it to crack

Correct.

> such a password?  An authentication wouldn't have happened but the

MSCHAP and even MSCHAPv2 are old specifications. They were created 
before the renaissance of modern crypto, and they are not, in my view, 
very good algorithms.

I would not trust MSCHAP or MSCHAPv2 to be secure against a 
known-ciphertext attack.

> attacker would have had the encrypted usernames and passwords. That is a
> problem because in my configuration that usernames and passwords are
> used for the active directory. So is it only secure to connect to the AD
> when checking the certificates? Or is there another possibility to make

Yes. It is only secure if you check the certificates.

> it secure without installing certificates?

No.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: understanding

2012-03-30 Thread Fajar A. Nugraha
On Fri, Mar 30, 2012 at 4:18 PM, Heinrich, Sebastian wrote:
> We don't want to install certificates on the clients, but the problem
> that is given in wikipedia is that anybody can install an access point
> with the same ssid and a client that would connect with it would give
> him his MSCHAP encrypted username and password.

err ... no. It doesn't work that way.

> How easy is it to crack
> such a password?  An authentication wouldn't have happened but the
> attacker would have had the encrypted usernames and passwords.

They won't.

> problem because in my configuration that usernames and passwords are
> used for the active directory. So is it only secure to connect to the AD
> when checking the certificates? Or is there another possibility to make
> it secure without installing certificates?

It depends on how "secure" you want it to be. MSCHAPv2, even without
PEAP, is already more secure than PAP.

Alan said if you don't check the certs, they don't add security. I
highly respect his opinion as a radius expert; however, I still think
that using certificates, even when you don't check them, adds some
level of security, because it makes sniffing a little harder.

There's no argument, however, that the best implementation would be to
use your own root CA, AND install it on clients, AND configure the
client to check certificate.

Phil's mail here might give you more options and information:
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg74875.html

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


FreeRADIUS + MySQL + DHCP Opt82

2012-03-30 Thread IVB
I need help.

Software: FreeRADIUS v2.1.11, MySQL v5.1.61.
Hardware: RB SE100 under SEOS-6.4.1.4-Release

The BRAS sends Opt-82 related attributes in the following format:


The Agent-* attributes are described in the radius dictionary as 'octets'. The
ADSL-Agent-* attributes are described in the radius dictionary as 'string'.

I tried to store the needed data in the MySQL database from which Radius gets
'check' attributes:

for Radius to select those attributes to authenticate with. But I got a 'Login
incorrect' message in the Radius log.

If I remove both Agent-* attributes from the DB (which means that I don't validate
the Opt-82 parameters) I get 'Login OK'.

I think that I am using the wrong format for the Agent-* attributes, but I tried
some different variants without success.

I tried to use ADSL-Agent-* instead of Agent-* in the DB, but I receive 'Login
OK' with _any_ attribute values, matching or not.

So I need help. Very much.

And excuse my English; it is not my native language.

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/FreeRADIUS-MySQL-DHCP-Opt82-tp5606148p5606148.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


AW: understanding

2012-03-30 Thread Heinrich, Sebastian
We don't want to install certificates on the clients, but the problem
that is given in wikipedia is that anybody can install an access point
with the same ssid and a client that would connect with it would give
him his MSCHAP encrypted username and password. How easy is it to crack
such a password?  An authentication wouldn't have happened but the
attacker would have had the encrypted usernames and passwords. That is a
problem because in my configuration that usernames and passwords are
used for the active directory. So is it only secure to connect to the AD
when checking the certificates? Or is there another possibility to make
it secure without installing certificates? 

Best Regards

Sebastian Heinrich
Techn. DV 

Aluminium Oxid Stade GmbH
21683 Stade

email: s.heinr...@aos-stade.de
web: http://www.aos-stade.de
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Proxy + copy accounting to passive home server

2012-03-30 Thread Fajar A. Nugraha
On Fri, Mar 30, 2012 at 4:01 PM, mimir wrote:
> Hi,
>
> I installed the latest version of freeradius and verified that the replicate
> module exists.
>
> I can run replication by editing proxy.conf and acct_users (but I can
> replicate to only one server for now).
> I need to copy accounting to 20 servers.
>
> DEFAULT Proxy-To-Realm := TEST1  ( how can I add others ? )

Don't use the users file. Instead, in the accounting section, use something
like this (untested; you need to verify this first):

update control {
  Proxy-To-Realm := TEST1
  Proxy-To-Realm += TEST2
  Proxy-To-Realm += TEST3
}

See http://freeradius.org/radiusd/man/unlang.html , look for "operators"


> #  Packets can be replicated to multiple destinations.  Just set
> #  Replicate-To-Realm multiple times.  One packet will be sent for
> #  each of the Replicate-To-Realm attribute in the "control" list.

exactly.

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Proxy + copy accounting to passive home server

2012-03-30 Thread mimir
Hi,

I installed the latest version of freeradius and verified that the replicate
module exists.

I can run replication by editing proxy.conf and acct_users (but I can
replicate to only one server for now).
I need to copy accounting to 20 servers.

DEFAULT Proxy-To-Realm := TEST1  ( how can I add others ? )

But I cannot define replication to multiple realms, although it says:

#  Packets can be replicated to multiple destinations.  Just set
#  Replicate-To-Realm multiple times.  One packet will be sent for
#  each of the Replicate-To-Realm attribute in the "control" list.

My configs are as below:

Home servers are defined with their IPs, and a realm is created for each home
server.

home_server_pool test_failover1 {
type = load-balance
home_server = test1
}

home_server_pool test_failover2 {
type = load-balance
home_server = test2
}

home_server_pool test_failover3 {
type = load-balance
home_server = test3
}

realm TEST1 {
acct_pool = test_failover1
}

realm TEST2 {
acct_pool = test_failover2
}

realm TEST3 {
acct_pool = test_failover3
}

Can you please help?

Thanks.


--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Proxy-copy-accounting-to-passive-home-server-tp5598491p5606099.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
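Putting the pieces of this thread together as one added configuration example (it is not configuration posted by mimir or Fajar, and not FreeRADIUS's shipped defaults): one home server, pool and realm per accounting destination in proxy.conf, and an accounting section that fills Replicate-To-Realm in the control list before the replicate module is called. Addresses and shared secrets are placeholders; realm and pool names follow the thread.

```conf
# Added example, not configuration posted in this thread and not the shipped
# FreeRADIUS defaults. Addresses and secrets are placeholders; realm and pool
# names follow the thread. Target: FreeRADIUS 2.x with rlm_replicate.

# ---- raddb/proxy.conf --------------------------------------------------------
# One home_server per destination. type = acct so the server accepts it in an
# acct_pool; 1813 is the standard accounting port.
home_server test1 {
    type   = acct
    ipaddr = 192.0.2.11          # placeholder address (TEST-NET-1)
    port   = 1813
    secret = change-me-1         # placeholder shared secret
}
home_server test2 {
    type   = acct
    ipaddr = 192.0.2.12          # placeholder
    port   = 1813
    secret = change-me-2         # placeholder
}
home_server test3 {
    type   = acct
    ipaddr = 192.0.2.13          # placeholder
    port   = 1813
    secret = change-me-3         # placeholder
}

# One single-member pool per destination. With one member the pool type makes
# no difference; fail-over is the plain choice.
home_server_pool test_failover1 {
    type        = fail-over
    home_server = test1
}
home_server_pool test_failover2 {
    type        = fail-over
    home_server = test2
}
home_server_pool test_failover3 {
    type        = fail-over
    home_server = test3
}

# One realm per destination. nostrip keeps User-Name as received, because the
# realm name is only a label here, not a suffix in the user name.
realm TEST1 {
    acct_pool = test_failover1
    nostrip
}
realm TEST2 {
    acct_pool = test_failover2
    nostrip
}
realm TEST3 {
    acct_pool = test_failover3
    nostrip
}

# ---- raddb/sites-available/default, accounting section -----------------------
accounting {
    detail

    # 1. Fill control:Replicate-To-Realm first (:= sets, += appends).
    update control {
        Replicate-To-Realm := TEST1
        Replicate-To-Realm += TEST2
        Replicate-To-Realm += TEST3
    }

    # 2. Only then call rlm_replicate. It reads the control list at the moment
    #    it runs, so listing it above the update block makes it see an empty
    #    list and return noop.
    replicate

    attr_filter.accounting_response
}
```

The ordering inside the accounting section is the point: unlang runs its entries top to bottom, and rlm_replicate only sees whatever control:Replicate-To-Realm contains when it is reached. The debug output quoted in the thread logs replicate before control, which is consistent with the module running before the update block had filled the list and therefore returning noop; setting the attribute in acct_users works because the files module runs in preacct, ahead of the whole accounting section. Verify with radiusd -X that three outgoing Accounting-Request packets appear for each incoming one. Replication is one-way: rlm_replicate sends the copies without waiting for replies, so an unresponsive destination shows up in that destination's own logs rather than as a module failure here.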


Re: Windows 7 prompting several times

2012-03-30 Thread Alan DeKok
Ricardo89 wrote:
> Yes Alan, I see each request hitting my LDAP server at least three
> times.

  So... run the server in debug mode to see WHY it's hitting the LDAP
server three times.  Then, look at the debug log, and change the LDAP
queries so that it only hits the LDAP server once.

  There is no magic here.  You have to understand the solution you built.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Windows 7 prompting several times

2012-03-30 Thread Ricardo89
Hi Alan,
thanks for your reply.
Yes Alan, I see each request hitting my LDAP server at least three
times.
When the problem occurs and the user needs to enter their credentials more than
one time, as I said in the previous post, nothing gets to the LDAP server; in the
best case only on the third attempt do the credentials reach the LDAP server, and
I also see that request hitting the LDAP server three times.

Do you know the solution for this?

Best Regards,

Ricardo

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Windows-7-prompting-several-times-tp5538046p5606056.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: understanding

2012-03-30 Thread Fajar A. Nugraha
On Fri, Mar 30, 2012 at 2:46 PM, Heinrich, Sebastian wrote:
> Creating new certificates is only a security improvement when checking them?

No

> Is there any security improvement in creating new certificates and not 
> checking them?

Yes. See what I wrote earlier.

I gave you my answers. If you don't agree with it, feel free to do so.
Others with more expertise in that field might add their comment
later.

Asking the same questions again, however, will only get you the same answer.

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: AW: understanding

2012-03-30 Thread Alan DeKok
Heinrich, Sebastian wrote:
> But a TLS tunnel can be established with the standard certificates given in 
> the certs subdirectory. Creating new certificates is only a security 
> improvement when checking them?

  Yes.

> Is there any security improvement in creating new certificates and not 
> checking them?

  If you don't check the certs, then they don't exist, and they don't
add security.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


AW: understanding

2012-03-30 Thread Heinrich, Sebastian

>>>> Actually the existing certificates in the certs subdirectory could
>>>> be deleted but the authentication would work?
>>>
>>> It would, if you DON'T use PEAP. If you ONLY use PAP or MSCHAPv2,
>>> then you don't need certificates.
>>
>> But it would work with the standard certificates given in the certs
>> subdirectory. There is no security improvement by creating new
>> certificates

> Yes, there is.

> Once the TLS tunnel is established, the traffic inside it will be encrypted. 
> Anyone sniffing traffic in the middle will be unable to decode it. So at 
> minimum, it helps prevent user/password sniffing.

> The difference might not be obvious with PEAP-MSCHAPv2 vs plain MSCHAPv2, but 
> it's VERY significant when comparing PAP vs TTLS-PAP or PEAP-GTC.

>> and using them for PEAP-EAP-MSCHAPv2 when you don't check them.

>> ... and that's why the recommendation is to CHECK them, and to successfully 
>> do that you usually need to have every client import the CA used to sign the 
>> server certs.

But a TLS tunnel can be established with the standard certificates given in the 
certs subdirectory. Creating new certificates is only a security improvement 
when checking them?
Is there any security improvement in creating new certificates and not 
checking them?

Best Regards

Sebastian Heinrich
Techn. DV 

Aluminium Oxid Stade GmbH
Johann-Rathje-Köser-Straße
21683 Stade

email: s.heinr...@aos-stade.de
web: http://www.aos-stade.de
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: understanding

2012-03-30 Thread Fajar A. Nugraha
On Fri, Mar 30, 2012 at 2:21 PM, Heinrich, Sebastian wrote:
>>> Actually the existing certificates in the certs subdirectory could be
>>> deleted but the authentication would work?
>
>> It would, if you DON'T use PEAP. If you ONLY use PAP or MSCHAPv2, then
>> you don't need certificates.
>
> But it would work with the standard certificates given in the certs
> subdirectory. There is no security improvement by creating new
> certificates

Yes, there is.

Once the TLS tunnel is established, the traffic inside it will be
encrypted. Anyone sniffing traffic in the middle will be unable to
decode it. So at minimum, it helps prevent user/password sniffing.

The difference might not be obvious with PEAP-MSCHAPv2 vs plain
MSCHAPv2, but it's VERY significant when comparing PAP vs TTLS-PAP or
PEAP-GTC.

> and using them for PEAP-EAP-MSCHAPv2 when you don't check
> them.

... and that's why the recommendation is to CHECK them, and to
successfully do that you usually need to have every client import the
CA used to sign the server certs.

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


AW: understanding

2012-03-30 Thread Heinrich, Sebastian
> From wikipedia, "PEAP is a protocol that encapsulates the Extensible
> Authentication Protocol (EAP) within an encrypted and authenticated
> Transport Layer Security (TLS) tunnel."

> TLS always needs a certificate.

>> There is nothing checked if you don't check the checkbox 'check
>> certificate'.

> It doesn't CHECK for the certificate common name (CN) or certificate
> authority (CA), but it still uses the server certificate to create the TLS
> tunnel.

>> Actually the existing certificates in the certs subdirectory could be
>> deleted but the authentication would work?

> It would, if you DON'T use PEAP. If you ONLY use PAP or MSCHAPv2, then
> you don't need certificates.

But it would work with the standard certificates given in the certs
subdirectory. There is no security improvement by creating new
certificates and using them for PEAP-EAP-MSCHAPv2 when you don't check
them.

Best Regards
Sebastian Heinrich
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
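The check that Fajar, Phil and Alan keep coming back to in this thread, written out as an added client-side example (it is not from the thread and not FreeRADIUS configuration): the same PEAP/MSCHAPv2 network in wpa_supplicant.conf, first without and then with server certificate validation. The SSID, identity, password, CA file path and server name are placeholders.

```conf
# Added example, not from the thread: one PEAP/MSCHAPv2 network in
# wpa_supplicant.conf, first without and then with server certificate
# validation. SSID, identity, password, CA path and server name are
# placeholders.

# ---- WEAK: no CA given, so the supplicant accepts any server certificate ----
# The TLS tunnel is built to whatever answers to this SSID and the inner
# MSCHAPv2 exchange runs through it, so the tunnel hides nothing from the
# operator of that access point. This is the "don't check the certificate"
# setup discussed in the thread.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}

# ---- CORRECTED: pin the organisation's CA and the expected server name ------
# The tunnel is only completed to a server whose certificate chains to the
# CA below and whose name matches, so the inner credentials are only ever
# sent to the real RADIUS server. Every client needs a copy of the CA file.
# anonymous_identity is the outer identity; the real user name stays inside
# the tunnel.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous"
    identity="alice"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/wpa_supplicant/corp-ca.pem"
    domain_suffix_match="radius.example.com"
}
```

ca_cert is the CA that signed the FreeRADIUS server certificate (the one referenced from eap.conf), not the server certificate itself; domain_suffix_match ties the tunnel to the expected server name so that a certificate issued by the same CA for some other host is not accepted either. The second block is the configuration that makes Fajar's "CHECK them" and Phil's "YOU SHOULD CONFIGURE YOUR CLIENTS TO CHECK THE CERTIFICATE" concrete.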


Re: Windows 7 prompting several times

2012-03-30 Thread Alan DeKok
Jens Weibler wrote:
> The problem is: debian is still using the version 2.1.10 - even in
> sid... Is there a way to get this backported in the old version?

  No.

  You can build your own packages.  That's why there's a "debian"
directory in the source.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html