Windows Phone CA verification debugging

2013-09-16 Thread Mathieu Simon
Hi list

While I've been quite successful in making preconfigured profiles and docs
for our students on how to make proper wireless configuration, I'm
encountering some issues with those (yet quite rare) people with Windows
Phone 8 (WP8) systems.

WP8 devices are yet able to connect without (any) CA or common name
verification, but seem to fail when I let them check the CA by choosing it
from the device's CA store. (As usual), the client-side error message is not
helpful at all (it fails to connect without any error message).

On the desktop side one can at least fire up 'netsh ras diagnostics' to
trace (P)EAP and CHAP during connection which can help figuring out at
least something. But on WP8, well there is no such thing that I've found.
Is there anyone on the FR list who already had to mangle a WP8 device?

-- Mathieu
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Windows Phone CA verification debugging

2013-09-16 Thread A . L . M . Buxey
Hi,

> encountering some issues with those (yet quite rare) people with Windows
> Phone 8 (WP8) systems.
> WP8 devices are yet able to connect without (any) CA or common name
> verification, but seem to fail when I let them check the CA by choosing
> it from the device' CA store. (As usual), the client-side error message
> is not helpful at all (it fails to connect without any error message).

we've had no problems with self-signed CA or with 3rd party CA and standard
RADIUS certificate BUT the certificate must have CRLDP (CRL distribution point)
URL defined. that can either be at CA level or RADIUS level - or both.

eg

crlDistributionPoints = URI:http://yoururl.here/ca.crl

in the server extensions.

the HEAD for 2.2.x and 3.x FreeRADIUS has the required change to the certificate
generating code for this if you want to check/validate/verify

alan


Re: Windows Phone CA verification debugging

2013-09-16 Thread Mathieu Simon
Hi,

2013/9/16 a.l.m.bu...@lboro.ac.uk


> we've had no problems with self-signed CA or with 3rd party CA and standard
> RADIUS certificate BUT the certificate must have CRLDP (CRL distribution
> point) URL defined. that can either be at CA level or RADIUS level - or both.
>
> eg
>
> crlDistributionPoints = URI:http://yoururl.here/ca.crl
>
> in the server extensions.

Thank you Alan, at least good to hear someone is out there who got it
working.

Hmm the server certificate though seems to contain a CRLDP. I've tried
removing personal
and attach the openssl output at the end, maybe someone spots a problem...

Do you happen to have Subject Alternate Names or would you avoid it with
RADIUS? (That certificate does have them) I know for example that some
exotic or (very old) browsers for example can have problems with SAN, but
yet didn't encounter any with PEAP this far.

The file also contains (in order of appearance): Root CA cert, 1
intermediate CA, then the server cert if that's of importance.

-- Mathieu

# openssl x509 -text -in /etc/freeradius/certs/myserver.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: snip!
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 2 Primary Intermediate Server CA
        Validity
            Not Before: snip
            Not After : snip
        Subject: ..., C= ... snip
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: snip! (yes it's larger than 1024 bit) ;-)
                Modulus:
                    snip

        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Key Identifier:
                C7:A3:52:3B:4A:15:BD:0E:40:B9:71:95:1B:71:27:57:4E:3D:13:73
            X509v3 Authority Key Identifier:
                keyid:11:DB:23:45:FD:54:CC:6A:71:6F:84:8A:03:D7:BE:F7:01:2F:26:86

            X509v3 Subject Alternative Name:
                DNS: snip!
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.2
                Policy: 1.3.6.1.4.1.23223.1.2.3
                  CPS: http://www.startssl.com/policy.pdf
                  User Notice:
                    Organization: StartCom Certification Authority
                    Number: 1
                    Explicit Text: This certificate was issued according to the Class 2 Validation requirements of the StartCom CA policy, reliance only for the intended purpose in compliance of the relying party obligations.

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.startssl.com/crt2-crl.crl

            Authority Information Access:
                OCSP - URI:http://ocsp.startssl.com/sub/class2/server/ca
                CA Issuers - URI:http://aia.startssl.com/certs/sub.class2.server.ca.crt

            X509v3 Issuer Alternative Name:
                URI:http://www.startssl.com/
    Signature Algorithm: sha1WithRSAEncryption
         snip
-----BEGIN CERTIFICATE-----
snip
-----END CERTIFICATE-----


Last call for Version 2.2.1

2013-09-16 Thread Alan DeKok
  Unless there are any objections, we'll release 2.2.1 tomorrow.

  The list of changes is large:


https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/doc/ChangeLog

  Alan DeKok.


Re: Last call for Version 2.2.1

2013-09-16 Thread Arran Cudbard-Bell

On 16 Sep 2013, at 13:44, Alan DeKok al...@deployingradius.com wrote:

> The list of changes is large:

Seems sort of small to me :)

Here's the changelog:
https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/doc/ChangeLog

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



RE: Freeradius 2.1.12 Second LDAP Server

2013-09-16 Thread Beliars Fire
Hi,
 
Thanks for the help. Actually I decided to create a new VM and reinstall the
complete server. I'm following the complete How-To, but I'm getting two
different errors.

The first one is this:

It's under the first point: Configuring Authentication with Active Directory.
I started the Samba and Kerberos services and used this command:

net join -U MyAdministrator

Worked. I'm getting this message:
Using short domain name -- MYDomain
Joined 'UBUNTU' to realm 'MYDomain'

The next step, wbinfo -a user%password, works too, but I'm getting this
error message:
 
Could not authenticate user Username%Password with plaintext password
challenge/response password authentication succeeded

Is this normal? How can I fix it? The Response seems to work correctly.
 
 
The Second One is this:
 
It's the last point on this page: Configuring FreeRadius to use ntlm_auth for
MS-CHAP

In this step, I must edit the following line with this text in the file:
/etc/freeradius/modules/mschap
 
ntlm_auth = /path/to/ntlm_auth --request-nt-key 
--username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
 
But my default commented ntlm_auth looks like this:
 
 ntlm_auth = /usr/bin/ntlm_auth --request-nt-key 
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} 
--challenge=%{%{mschap:Challenge}:-00} 
--nt-response=%{%{mschap:NT-Response}:-00}  
 
In my default ntlm_auth, the option --domain=%{%{mschap:NT-Domain}:-MYDOMAIN}
is missing. Should I add it?

Actually I'm using my default uncommented ntlm_auth. So, I'm going to test the
MS-CHAP authentication request with this command:

$ radtest -t mschap bob hello localhost 0 testing123

And I'm getting this error message:
 
Sending Access-Request of id 251 to 127.0.0.1 port 1812
 User-Name = bob
 NAS-IP-Address = 127.0.1.1
 NAS-Port = 0
 Message-Authenticator = 0x
 MS-CHAP-Challenge = 0x01774f129c72245c
 MS-CHAP-Response = 
0x000124ff68dcea66e8348622a45aa91804201f2102e9ecc0add6
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=251, length=38
 MS-CHAP-Error = \000E=691 R
 
/etc/freeradius/users
 
First Line:
bob Cleartext-Password := hello 
#
# Please read the documentation file ../doc/processing_users_file,
# or 'man 5 users' (after installing the server) for more information.
#

 
@Mathieu
Is there a current RADIUS-book that you can recommend?
 
-- BeliarsFire

Re: Freeradius 2.1.12 Second LDAP Server

2013-09-16 Thread Alan DeKok
Beliars Fire wrote:
> The next Step wbinfo -a *user*%*password *works too, but i`m getting
> this Error-Message:
>
> /Could not authenticate user Username%Password with plaintext password/
> challenge/response password authentication succeeded
>
> Is this normal? How can I fix it? The Response seems to work correctly.

  It's a Samba issue.  Ask the Samba people.

> In my default ntlm_auth, the option
> /--domain=%{%{mschap:NT-Domain}:-*MYDOMAIN*} /is missing. Should i add it?

  Sure.  It's more needed if you use multiple domains.

> Actually i`m using my default uncommented ntlm_auth. So, i`m going to
> test the MS-CHAP authentification reuqest with this command:
>
> /$ radtest -t mschap bob hello localhost 0 testing123/
> //
> /And i`m getting this Error-Message:/
> //
> /Sending Access-Request of id 251 to 127.0.0.1 port 1812

  sigh  Run the server in debugging mode as suggested in the FAQ,
man page, web pages, and daily on this list.  Do NOT look at the
client output.  It's unimportant.

  Alan DeKok.


Re: Last call for Version 2.2.1

2013-09-16 Thread A . L . M . Buxey
Hi,

..so many new features... thought 3.x was where the new features and dev work
was going into ;-)

PS has anyone tested it with MariaDB? Wondering if it's 100% drop-in compatible?
(I'm postgres myself but looks like MySQL is dying)

alan


Re: Freeradius 2.1.12 Second LDAP Server

2013-09-16 Thread A . L . M . Buxey
Hi,

> Could not authenticate user Username%Password with plaintext password
> challenge/response password authentication succeeded

that's okay. means you couldn't do PAP and only MSCHAPv2 worked. expected for
that command.

> In this Step, i must edit the following line with this text in the file:
> /etc/freeradius/modules/mschap
>
> ntlm_auth = /path/to/ntlm_auth --request-nt-key
> --username=%{mschap:User-Name:-None}
> --domain=%{%{mschap:NT-Domain}:-MYDOMAIN}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}
>
> But my default commented ntml_auth looks like this:
>
> ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> --challenge=%{%{mschap:Challenge}:-00}
> --nt-response=%{%{mschap:NT-Response}:-00}

the docs and default values have separated over time.

> In my default ntlm_auth, the option
> --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} is missing. Should i add it?

depends on what you want to do and need to do. do you TRUST your clients to be
sending the correct domain?  I don't...so I've set the domain manually.

> $ radtest -t mschap bob hello localhost 0 testing123
>
> First Line:
> bob Cleartext-Password := hello

what's the users file got to do with anything? if you have clashing usernames
you will have a few problems.
I expect you are trying to test your AD? the radtest failed due to incorrect
password.. ie the AD is not bob/hello

I'd recommend using 'eapol_test' for better/advanced testing - it's part of the
wpa_supplicant package.

> @Mathieu
> Is there a current RADIUS-book that you can recommend?

FreeRADIUS for beginners is a good current book
alan


Re: Last call for Version 2.2.1

2013-09-16 Thread Alan DeKok
a.l.m.bu...@lboro.ac.uk wrote:
> ..so many new features... thought 3.x was where the new features and dev work
> was going into ;-)

  Well, yes.  2.2.1 has a lot of tiny features that are minor code
changes.  v3 is nearly everything re-written or updated.  Those
re-writes allow the addition of major new features.

  Oh, and v3 is *smaller* than v2, even with the new features.  Not by a
lot, but it's definitely smaller.  That means (long term) fewer bugs,
and more stability.

> PS has anyone tested it with MariaDB? Wondering if its 100% drop-in
> compatible?

  It's 100% drop-in compatible from what I've seen.

  Alan DeKok.


Re: Last call for Version 2.2.1

2013-09-16 Thread Arran Cudbard-Bell

On 16 Sep 2013, at 16:08, Alan DeKok al...@deployingradius.com wrote:

> a.l.m.bu...@lboro.ac.uk wrote:
>> ..so many new features... thought 3.x was where the new features and dev
>> work was going into ;-)
>
>   Well, yes.  2.2.1 has a lot of tiny features that are minor code
> changes.  v3 is nearly everything re-written or updated.  Those
> re-writes allow the addition of major new features.
>
>   Oh, and v3 is *smaller* than v2, even with the new features.  Not by a
> lot, but it's definitely smaller.  That means (long term) fewer bugs,
> and more stability.

It's more consistent, and has pretty colours too, ooo look at the pretty
colours.

>> PS has anyone tested it with MariaDB? Wondering if its 100% drop-in
>> compatible?
>
>   It's 100% drop-in compatible from what I've seen.

RE the death of MySQL:
http://community.spiceworks.com/topic/299394-mysql-dying-a-slow-death

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: Freeradius + 2 x LDAP + VLAN

2013-09-16 Thread Miroslav Lednicky

Thank you,

it works with simple modification (not too effective):


ldap1
if (ok) {
    update reply {
        Tunnel-Type = VLAN
        Tunnel-Medium-Type = IEEE-802
        Tunnel-Private-Group-Id = 1
    }
}

ldap2
if (ok) {
    update reply {
        Tunnel-Type = VLAN
        Tunnel-Medium-Type = IEEE-802
        Tunnel-Private-Group-Id = 2
    }
}


Miroslav

On 12.9.2013 19:36, Arran Cudbard-Bell wrote:

> On 12 Sep 2013, at 18:18, Miroslav Lednicky miroslav.ledni...@fnusa.cz wrote:
>
>> Hello,
>>
>> I have Freeradius 2.1.10 with 2 LDAP servers (ldap1 + ldap2) and
>> Ubuntu 12.04
>>
>> authorize {
>>     ldap1
>>     if (ok) {
>>         update reply {
>>             Tunnel-Type = VLAN,
>>             Tunnel-Medium-Type = IEEE-802
>>             Tunnel-Private-Group-Id = 1
>>         }
>>     }
>>     elsif {
>>         ldap2
>>         if (ok) {
>>             update reply {
>>                 Tunnel-Type = VLAN
>>                 Tunnel-Medium-Type = IEEE-802
>>                 Tunnel-Private-Group-Id = 2
>>             }
>>         }
>>     }
>> }
>
> Arran Cudbard-Bell a.cudba...@freeradius.org
> FreeRADIUS Development Team



--
Mgr. Miroslav Lednický


Debugging No EAP session matching the State variable

2013-09-16 Thread John Douglass
I run two freeradius servers (both 2.2.0 x86_64) with MySQL backends
doing ntlm_auth (RHEL 6 Samba 3.6.9) for EAP-PEAP-MSChapV2 for our
client devices.

I have enabled the server debug using radmin (the debug file is HUGE
so that is why I am not posting it along with). I have googled and read
and analyzed as much as I can so I am looking to the list to see if
anyone has experienced this problem.

I was concentrating on a single user mhaley:

Sep 16 08:40:33 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from 
client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 08:40:42 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from 
client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 08:40:42 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from 
client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 08:40:54 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from 
client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 08:40:54 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from 
client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 08:41:22 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from 
client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 08:41:22 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from 
client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 08:41:33 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from 
client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 08:41:33 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from 
client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 08:41:49 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from 
client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 08:41:49 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from 
client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 08:42:08 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from 
client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 08:42:08 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from 
client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 08:42:12 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from 
client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 08:42:12 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from 
client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 08:42:15 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from 
client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 08:42:15 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from 
client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 09:57:56 newdvlanb radiusd[15211]: Invalid user: [mhaley7] (from 
client Rich-core-WiSM-E port 29 cli 3c:e0:72:a5:b7:81)
Sep 16 09:58:01 newdvlanb radiusd[15211]: Invalid user: [mhaley7] (from 
client Rich-core-WiSM-E port 29 cli 3c:e0:72:a5:b7:81)
Sep 16 09:58:57 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from 
client Rich-core-WiSM-E port 29 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 09:58:57 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from 
client Rich-core-WiSM-E port 29 cli 3c:e0:72:a5:b7:81)
Sep 16 10:03:42 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from 
client Rich-core-WiSM-C port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 10:03:42 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from 
client Rich-core-WiSM-C port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 10:03:49 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from 
client Rich-core-WiSM-C port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 10:03:54 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from 
client Rich-core-WiSM-C port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 10:06:09 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from 
client Rich-core-WiSM-C port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 10:06:09 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from 
client Rich-core-WiSM-C port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 10:36:10 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from 
client Rich-core-WiSM-C port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 10:36:10 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from 
client Rich-core-WiSM-C port 13 cli 3c:e0:72:a5:b7:81)


Around there (without the OK's, I am seeing many of this style of message):

Sep 16 09:57:56 newdvlanb radiusd[15211]: Login incorrect: [jwalters38] 
(from client resnet1-WiSM-A port 13 cli a8:26:d9:34:bc:5f)
Sep 16 09:57:56 newdvlanb radiusd[15211]: rlm_eap: No EAP session 
matching the State variable.
Sep 16 09:57:56 newdvlanb radiusd[15211]: Login incorrect: [arogers44] 
(from client Rich-core-WiSM-E port 29 cli a8:06:00:cc:6b:29)
Sep 16 09:57:56 newdvlanb radiusd[15211]: Invalid user: [mhaley7] (from 
client Rich-core-WiSM-E port 29 cli 3c:e0:72:a5:b7:81)
Sep 16 09:57:56 newdvlanb radiusd[15211]: rlm_eap: No EAP session 
matching the State variable.
Sep 16 09:57:56 newdvlanb radiusd[15211]: Login incorrect: [bboggess3] 
(from client Rich-core-WiSM-E port 29 cli 

Re: Debugging No EAP session matching the State variable

2013-09-16 Thread A . L . M . Buxey
Hi,

> Sep 16 09:57:56 newdvlanb radiusd[15211]: rlm_eap: No EAP session
> matching the State variable.

turn on full debug for just a single User-Name or Calling-Station-Id
(check radmin docs). what's your authentication clean-up/tidy up times -
as if the clients don't respond then the session is cleared away and so
no matching state/session will be found.  also, what clients are
these? Android, for example, has an annoying thing where 802.1X
networks that have credentials stored need the credential store to be unlocked
before they'll authenticate to that 802.1X network again.

also, check your wireless domain. find some of these clients (CSI) on
your wireless management dashboard and find out what their relationship with
nearest APs is - they could be being mobile between APs in a nasty way
or during authentication so a packet or 2 is missing. remember, with eg 802.1X
and PEAP you've got 11 packets or more to be shunted over wireless (and UDP!)
for an authentication. if you've allowed clients to join to APs at really
low rates and borderline connections, this can cause grief.

alan
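
The triage suggested in this reply (follow one Calling-Station-Id and see whether its failures coincide with a move to a different NAS), sketched as an added example that is not part of the original posts. The log lines are constructed in the syslog format of the excerpt above; host, NAS names, users and MAC addresses are made up, and because the rlm_eap line carries no station identifier it is matched to failures by timestamp only, which is a heuristic.

```python
import re
from collections import defaultdict

# Constructed sample in the radiusd syslog format quoted in the thread (wrapped
# lines re-joined). Host, NAS names, users and MAC addresses are made up.
SAMPLE_LOG = """\
Sep 16 08:40:33 radius1 radiusd[15211]: Login OK: [alice] (from client nas-A port 13 cli 02:00:00:00:00:01)
Sep 16 08:40:42 radius1 radiusd[15211]: Login OK: [alice] (from client nas-A port 13 cli 02:00:00:00:00:01 via TLS tunnel)
Sep 16 08:40:42 radius1 radiusd[15211]: Login OK: [alice] (from client nas-A port 13 cli 02:00:00:00:00:01)
Sep 16 09:57:56 radius1 radiusd[15211]: Login incorrect: [bob] (from client nas-A port 13 cli 02:00:00:00:00:02)
Sep 16 09:57:56 radius1 radiusd[15211]: rlm_eap: No EAP session matching the State variable.
Sep 16 09:57:56 radius1 radiusd[15211]: Invalid user: [alice] (from client nas-E port 29 cli 02:00:00:00:00:01)
Sep 16 09:57:56 radius1 radiusd[15211]: rlm_eap: No EAP session matching the State variable.
Sep 16 09:58:01 radius1 radiusd[15211]: Invalid user: [alice] (from client nas-E port 29 cli 02:00:00:00:00:01)
Sep 16 09:58:57 radius1 radiusd[15211]: Login OK: [alice] (from client nas-E port 29 cli 02:00:00:00:00:01 via TLS tunnel)
Sep 16 09:58:57 radius1 radiusd[15211]: Login OK: [alice] (from client nas-E port 29 cli 02:00:00:00:00:01)
"""

PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ radiusd\[\d+\]: "
AUTH_RE = re.compile(
    PREFIX + r"(?P<result>Login OK|Login incorrect|Invalid user)(?: \([^)]*\))?: "
    r"\[(?P<user>[^\]]*)\] \(from client (?P<nas>\S+) port (?P<port>\d+) "
    r"cli (?P<cli>[0-9A-Fa-f:.-]+)(?P<inner> via TLS tunnel)?\)")
STATE_RE = re.compile(PREFIX + r"rlm_eap: No EAP session matching the State variable")


def analyse(log_text):
    """Per Calling-Station-Id counters from a chronological radiusd log."""
    state_err_seconds, events = set(), []
    for line in log_text.splitlines():
        if (m := STATE_RE.match(line)):
            state_err_seconds.add(m["ts"])
        elif (m := AUTH_RE.match(line)) and not m["inner"]:
            # "via TLS tunnel" lines are the inner result, logged again by the
            # outer line that follows, so only outer lines are counted.
            events.append(m.groupdict())

    stats = defaultdict(lambda: {"ok": 0, "fail": 0, "nas_changes": 0,
                                 "fail_after_nas_change": 0,
                                 "fail_with_state_error": 0})
    last_nas, unsettled = {}, set()
    for ev in events:
        cli, s = ev["cli"], stats[ev["cli"]]
        if cli in last_nas and last_nas[cli] != ev["nas"]:
            s["nas_changes"] += 1
            unsettled.add(cli)          # moved; no success on the new NAS yet
        last_nas[cli] = ev["nas"]
        if ev["result"] == "Login OK":
            s["ok"] += 1
            unsettled.discard(cli)
        else:
            s["fail"] += 1
            if cli in unsettled:
                s["fail_after_nas_change"] += 1
            if ev["ts"] in state_err_seconds:   # same-second match only
                s["fail_with_state_error"] += 1
    return dict(stats)


def roam_suspects(stats):
    """Stations that failed between moving to a new NAS and succeeding there."""
    return sorted(c for c, s in stats.items() if s["fail_after_nas_change"])


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for cli in sorted(result):
        print(cli, result[cli])
    print("failed right after changing NAS:", roam_suspects(result))
```

Stations listed by `roam_suspects` are the ones worth looking up on the wireless management dashboard first; a station with failures but no NAS change points elsewhere, such as credentials or session clean-up timers.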