RE: more EAP/TTLS trouble

2012-05-30 Thread Aman Arneja
Hi Steve
Microsoft supports EAP TTLS in our upcoming release of Windows 8. That
said, PEAP MSChapv2 is as modern as EAP TTLS and is a very widely and
simply deployed method. I have personally used the freeradius peap mschapv2
pretty much out of the box. As for the certificate error you saw earlier,
that was due to the design of a modern secure authentication method, which
has security features like Server Certificate Validation enabled by
default. If you just go through the net you will find tonnes of working
peap mschapv2 eap.conf's, and I suggest you compare yours to the ones
available for the authentication to work. Also, if you are looking for
TTLS only, you can test with the beta of Windows 8 and become one of our
early adopters when it releases.

Thanx and Regards

Aman Arneja

Sent from my Windows Phone
--
From: Steve Hopps
Sent: 5/30/2012 6:23 PM
To: FreeRadius users mailing list
Subject: Re: more EAP/TTLS trouble

We're trying to use an access point configured for WPA2 using freeradius to
authenticate with OpenLDAP. For Android and Linux it works out of the box
with EAP/TTLS and PAP. So we used PAM because it already works with LDAP. I
didn't know other encryption types wouldn't work with PAM.

iPhones work with a custom config profile that's easily installed. However,
our most significant hurdle is windows machines. Who would have guessed???
For some stupid reason Microsoft doesn't care about supporting all modern
encryption standards. Making our staff pay for SecureW2 isn't an option and
XSupplicant doesn't work reliably yet in 64bit Win7. So I'm back to trying
to get mschapv2 working with peap. This seems impossible.
 On May 30, 2012 2:43 AM, Phil Mayers p.may...@imperial.ac.uk wrote:

 On 05/29/2012 10:28 PM, Steve Hopps wrote:

  So I'm confused, what's the right way to handle this situation?


 What situation?

 What are you trying to do?

 Alan has already hinted at the issue, but basically see here:

 http://deployingradius.com/documents/protocols/oracles.html

 ...and here:

 http://deployingradius.com/documents/protocols/compatibility.html

 Whatever protocol you are running within TTLS, it's not PAP therefore not
 compatible with PAM-as-an-oracle.

 rlm_pam: Attribute User-Password is required for authentication.
 ++[pam] returns invalid

 PAM is being forced (I think) here:

 [files] users: Matched entry DEFAULT at line 222

 ...fix that line. Don't force PAM if you don't want or need it, and if you
 want/need it, pick compatible authentication.

 The Proxy-To-Realm comments in the default config files might be out of
 date; in general, obey what the debug says over ANY other advice, because
 it's coming from the actual code.
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: more EAP/TTLS trouble

2012-05-29 Thread Aman Arneja
Steve

Windows is trying to validate the server Cert. By default we have server
Cert Validation enabled. You can disable this from the properties.

Regards

Aman Arneja

On Wed, May 30, 2012 at 1:47 AM, Steve Hopps steve.ho...@gmail.com wrote:

 The only computer in our office which causes certificate errors is a
 Windows 7 machine. So I attempted to connect using EAP/TTLS and
 MSCHAPv2 using my linux machine and my Android phone. Now I get a
 different error.

 I also tried using PEAP on my Android phone, and received no
 certificate errors. What could the windows machine be doing different?
 Why does the machine even enter the picture when the authentication is
 between the Access Point and the server?

 Below is the portion of the log which shows the rejection, when using
 my Android phone, TTLS and MSCHAPv2 (that is what Windows uses, isn't
 it?). Where I am confused is near the bottom: what is causing the
 rejection?

 ++[pam] returns invalid

 or

 [eap] Handler failed in EAP/ttls
 [eap] Failed in EAP select
 ++[eap] returns invalid

 log follows

 server inner-tunnel {
 # Executing section authorize from file
 /etc/freeradius/sites-enabled/inner-tunnel
 +- entering group authorize {...}
 ++[chap] returns noop
 [suffix] No '@' in User-Name = test, looking up realm NULL
 [suffix] No such realm NULL
 ++[suffix] returns noop
 ++[control] returns noop
 [eap] No EAP-Message, not doing EAP
 ++[eap] returns noop
 [files] users: Matched entry DEFAULT at line 222
 ++[files] returns ok
 ++[expiration] returns noop
 ++[logintime] returns noop
 ++[pap] returns noop
 WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist!
  Cancelling invalid proxy request.
 Found Auth-Type = PAM
 # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
 +- entering group authenticate {...}
 rlm_pam: Attribute User-Password is required for authentication.
 ++[pam] returns invalid
 Failed to authenticate the user.
 Login incorrect: [test] (from client -REMOVED- port 0 via TLS tunnel)
 } # server inner-tunnel
 [ttls] Got tunneled reply code 3
 [ttls] Got tunneled Access-Reject
 [eap] Handler failed in EAP/ttls
 [eap] Failed in EAP select
 ++[eap] returns invalid
 Failed to authenticate the user.
 Login incorrect: [test] (from client -REMOVED- port 0 cli
 B4-07-F9-F2-99-F6)
 Using Post-Auth-Type Reject

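
Phil's diagnosis above can be applied mechanically to the inner-tunnel excerpt Steve posted: the `users` entry that matched, the Auth-Type that was then found, and the attribute rlm_pam demanded all appear in the debug output. The following Python is an added example, not code from the thread or from FreeRADIUS, that extracts those three facts from a constructed excerpt modelled on the quoted log and says whether the inner method in use can ever supply the demanded attribute.

```python
import re

# Constructed excerpt modelled on the inner-tunnel debug output quoted above
# (radiusd -X style); module names and the users line number follow that log.
SAMPLE_LOG = """\
server inner-tunnel {
[files] users: Matched entry DEFAULT at line 222
++[files] returns ok
Found Auth-Type = PAM
+- entering group authenticate {...}
rlm_pam: Attribute User-Password is required for authentication.
++[pam] returns invalid
Failed to authenticate the user.
} # server inner-tunnel
"""

# What each inner (tunnelled) method actually hands the server.  Only PAP
# delivers the cleartext User-Password that an oracle-style module such as
# rlm_pam needs; the CHAP family only delivers challenge/response material.
INNER_METHOD_ATTR = {
    "PAP": "User-Password",
    "CHAP": "CHAP-Password",
    "MSCHAPv2": "MS-CHAP2-Response",
    "EAP-MSCHAPv2": "MS-CHAP2-Response",
}

RE_MATCHED = re.compile(r"\[files\] users: Matched entry (\S+) at line (\d+)")
RE_AUTHTYPE = re.compile(r"Found Auth-Type = (\S+)")
RE_REQUIRES = re.compile(r"rlm_(\w+): Attribute (\S+) is required")


def diagnose(log_text, inner_method):
    """Explain an inner-tunnel reject: which users entry set Auth-Type, which
    module then demanded an attribute, and whether inner_method can ever
    supply it ('compatible' stays None if nothing was demanded)."""
    result = {"auth_type": None, "forced_by": None, "module": None, "needs": None,
              "inner_provides": INNER_METHOD_ATTR.get(inner_method),
              "compatible": None}
    last_files_match = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RE_MATCHED.search(line):
            last_files_match = "users entry %s at line %s" % m.groups()
        elif m := RE_AUTHTYPE.search(line):
            # Auth-Type shows up right after files matched, so that entry is
            # the one setting it (the forced PAM Phil points at).
            result["auth_type"] = m.group(1)
            result["forced_by"] = last_files_match
        elif m := RE_REQUIRES.search(line):
            result["module"], result["needs"] = m.group(1), m.group(2)
    if result["needs"] is not None:
        result["compatible"] = result["needs"] == result["inner_provides"]
    return result


def explain(result):
    if result["compatible"] is None:
        return "no attribute demand found in this excerpt"
    if result["compatible"]:
        return "inner method does supply %s; the reject lies elsewhere" % result["needs"]
    return ("Auth-Type %s (set by %s) needs %s but the inner method only carries %s: "
            "run PAP inside TTLS or stop forcing Auth-Type %s"
            % (result["auth_type"], result["forced_by"], result["needs"],
               result["inner_provides"], result["auth_type"]))
```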

RE: Windows 8 beta supplicant always prefixes computer name to user name

2012-04-23 Thread Aman Arneja

Martin
I work for the EAP team for Windows 8 and will look into this and get
back to you.

Regards
Aman Arneja

Sent from my Windows Phone
From: Martin Pauly
Sent: 4/23/2012 6:44 PM
To: FreeRadius users mailing list
Subject: OT: Windows 8 beta supplicant always prefixes computer name to
user name
Hi all,

sorry, this is much OT. As many, we do PEAP with the help of ntlm_auth,
both wired and wireless. Today, my first Windows 8 user walked in,
wanting to do wired 802.1X. Setting things exactly as in Windows 7
results in the computer name always showing up as (pseudo-)domain
in the authentication dialog. It's visible, but not changeable.
Subsequently, what I see in the server is (real names replaced):

rad_recv: Access-Request packet from host 192.168.4.249 port 1645,
id=98, length=161
User-Name = PCNAME\\username
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = 00-11-BB-A7-94-8D
Calling-Station-Id = F0-BF-97-D1-97-53
EAP-Message = 0x02010011014d455048495c426162616569
Message-Authenticator = 0x882ea6dd7bcb0c978b71d1da77ce7753
NAS-Port-Type = Ethernet
NAS-Port = 50211
NAS-Port-Id = FastEthernet2/0/11
NAS-IP-Address = 192.168.4.249

username is not Windows' local username, cf. last part of
http://www.uni-marburg.de/hrz/internet/students/swh-en/anleitung-en/vista-und-7-en/config-en

TIA, Martin

-- 
  Dr. Martin Pauly      Phone:  +49-6421-28-23527
  HRZ Univ. Marburg     Fax:    +49-6421-28-26994
  Hans-Meerwein-Str.    E-Mail: pa...@hrz.uni-marburg.de
  D-35032 Marburg


RE: EAP-PEAP + Windows 7 with SSO and Password change

2012-04-05 Thread Aman Arneja
Password change and retry is very much supported for Windows and EAP
for (P)EAP-MSCHAPv2. There would be some flag that needs to be set for
this, after which it will work; I will check what that flag is and write
back in some time.

Sent from my Windows Phone
From: David Mitton
Sent: 4/5/2012 6:19 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: EAP-PEAP + Windows 7 with SSO and Password change
Yes, basically, password change operations are not supported by
Windows EAP support. Not to mention RADIUS as well.

Dave.

Quoting c_dor...@gmx.de:

 Hi,


 we would like to use freeradius server for setup port access per
 802.1x on wired LAN. The plan is to have a guest-vlan for
 unauthenticated supplicants and a vlan assignment for authenticated
 supplicants.

 We configured the freeradius server (version 2.1.12) to use
 peap/mschapv2 for user authentication. Each user can have one
 native/untagged VLAN.
 So far, the actual configuration works.

 Now we would like to use the Single Sign On feature of the Windows 7
 supplicant before the user has logged in.
 But this seems to work only if the user account is valid.
 When the user account is new (with password change on next logon)
 or the password has expired, then freeradius sends the
 MS-CHAP-Error to the supplicant. But why the hell does the Windows 7
 client not pop up a window to change the password?

 Is that generally not possible (because of EAP-MSCHAPv2), or is something
 missing in the config?

 I tried to use freeradius 3.0.0 from git with enabling the
 passchange feature in the mschap module.
 I did all steps from doc/mschap.rst.

 The following debug is from freeradius 3.0.0:

 snip
 :
 :
 (8) Found Auth-Type = EAP
 (8) # Executing group from file
 /usr/local/etc/raddb/sites-enabled/inner-tunnel
 (8)   group authenticate {
 (8)  - entering group authenticate {...}
 (8) eap : Request found, released from the list
 (8) eap : EAP/mschapv2
 (8) eap : processing type mschapv2
 (8) mschapv2 : # Executing group from file
 /usr/local/etc/raddb/sites-enabled/inner-tunnel
 (8) mschapv2 :   group MS-CHAP {
 (8) mschapv2 :  - entering group MS-CHAP {...}
 (8) mschap : NT Domain delimeter found, should we have enabled
 with_ntdomain_hack?
 (8) mschap : Creating challenge hash with username: DOMAIN\test-user3
 (8) mschap : Told to do MS-CHAPv2 for DOMAIN\test-user3 with NT-Password
 (8) mschap :expand: %{Stripped-User-Name} -
 (8) mschap :... expanding second conditional
 (8) mschap :expand: %{User-Name} - DOMAIN\test-user3
 (8) mschap :expand: %{%{User-Name}:-None} - DOMAIN\test-user3
 (8) mschap :expand:
 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -
 --username=DOMAIN\test-user3
 (8) mschap : NT Domain delimeter found, should we have enabled
 with_ntdomain_hack?
 (8) mschap : Creating challenge hash with username: DOMAIN\test-user3
 (8) mschap :expand: %{mschap:Challenge} - 4b4be3875649ba1a
 (8) mschap :expand: --challenge=%{%{mschap:Challenge}:-00} -
 --challenge=4b4be3875649ba1a
 (8) mschap :expand: %{mschap:NT-Response} -
 a900f8c9381beb68f33a91cc2f1c87bb72970bdd62ece3a2
 (8) mschap :expand: --nt-response=%{%{mschap:NT-Response}:-00}
 - --nt-response=a900f8c9381beb68f33a91cc2f1c87bb72970bdd62ece3a2
 Exec-Program output: Password expired (0xc648)
 Exec-Program-Wait: plaintext: Password expired (0xc648)
 Exec-Program: returned: 1
 (8) mschap : ntlm_auth says password has expired
 (8)   [mschap] = reject
 rlm_eap_mschapv2: No MS-CHAPv2-Success or MS-CHAP-Error was found.
 (8) eap : Handler failed in EAP/mschapv2
 (8) eap : Failed in EAP select
 (8)   [eap] = invalid
 (8) Failed to authenticate the user.
 (8) Login incorrect: [DOMAIN\\test-user3/via Auth-Type = EAP]
 (from client switches port 0 via TLS tunnel)
 } # server inner-tunnel
 (8) peap : Got tunneled reply code 3
 MS-CHAP-Error = \013E=648 R=0
 C=62fa0aad52c662d5b02fcda34542d074 V=3 M=Password Expired
 EAP-Message = 0x040b0004
 Message-Authenticator = 0x
 (8) peap : Got tunneled reply RADIUS code 3
 MS-CHAP-Error = \013E=648 R=0
 C=62fa0aad52c662d5b02fcda34542d074 V=3 M=Password Expired
 EAP-Message = 0x040b0004
 Message-Authenticator = 0x
 (8) peap : Tunneled authentication was rejected.
 (8) peap : FAILURE
 (8)   [eap] = handled
 Sending Access-Challenge of id 128 to 192.168.15.52 port 2686
 EAP-Message =
 0x010c002b190017030100202f2f3b44177589096e8dbced7004dd801b1a777dd1a966acf5dcbde958537403
 Message-Authenticator = 0x
 State = 0x7cb2ed6374bef496dfd35c4e86820391
 (8) Finished request 8.
 Waking up in 0.1 seconds.
 rad_recv: Access-Request packet from host zzz.aaa.xxx.yyy port 2686,
  id=129, length=262
 Framed-MTU = 1480
 NAS-IP-Address = zzz.aaa.xxx.yyy
 NAS-Identifier = SWITCHxxx
 User-Name = DOMAIN\\test-user3
 Service-Type = Framed-User
 :
 :
 :
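
The MS-CHAP-Error attribute in the debug output above is where the "password expired" verdict reaches the supplicant, and its fields (E, R, C, V, M) are what a v2 client has to act on. As an added example, not code from the thread or from FreeRADIUS, here is a decoder for that attribute following the field layout of RFC 2759; the sample string is constructed from the line quoted above, and the error-code names are RFC 2759's.

```python
import re

# Error codes a MS-CHAPv2 Failure packet may carry (RFC 2759 section 6).
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# Optional leading Ident octet (FreeRADIUS prints it as an octal escape such
# as \013), then the fixed field order mandated by RFC 2759: E, R, C, V, M.
RE_MSCHAP_ERROR = re.compile(
    r"^(?:\\(?P<oct>[0-7]{3})|(?P<raw>[\x00-\x1f\x7f]))?"
    r"E=(?P<E>\d+) R=(?P<R>[01]) C=(?P<C>[0-9A-Fa-f]+) V=(?P<V>\d+)(?: M=(?P<M>.*))?$"
)


def parse_mschap_error(value):
    """Decode an MS-CHAP-Error attribute string into its fields, validating
    the 16-octet challenge that a Change-Password response is computed against."""
    m = RE_MSCHAP_ERROR.match(value)
    if not m:
        raise ValueError("not an RFC 2759 failure string: %r" % value)
    if len(m.group("C")) != 32:
        raise ValueError("challenge must be 16 octets (32 hex digits)")
    if m.group("oct") is not None:
        ident = int(m.group("oct"), 8)
    elif m.group("raw") is not None:
        ident = ord(m.group("raw"))
    else:
        ident = None
    code = int(m.group("E"))
    return {
        "ident": ident,
        "code": code,
        "name": MSCHAP_ERRORS.get(code, "UNKNOWN"),
        "retry_allowed": m.group("R") == "1",
        "challenge": bytes.fromhex(m.group("C")),
        "version": int(m.group("V")),
        "message": m.group("M") or "",
    }


def password_change_indicated(err):
    """True when the failure tells a v2 peer to start the Change-Password
    exchange (RFC 2759 section 7) with the challenge carried in C, instead
    of retrying the same credentials."""
    return err["code"] == 648 and err["version"] >= 3


# Constructed from the MS-CHAP-Error line in the debug output quoted above.
SAMPLE_ERROR = ("\\013E=648 R=0 C=62fa0aad52c662d5b02fcda34542d074 "
                "V=3 M=Password Expired")
```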


RE: Windows 7 prompting several times

2012-03-05 Thread Aman Arneja
Hi guys
I am from the Microsoft EAP team, and we have not seen this issue. Can
you please send the following logs to me for investigating at
aman.arn...@microsoft.com

From an elevated command prompt:

Netsh ras set tr * en
run scenario
Netsh ras set tr * di

Also, you can consider me a Microsoft contact for authentication
related issues.

Thanx
Aman Arneja

Sent from my Windows Phone
From: Francois Gaudreault
Sent: 06-Mar-12 3:59 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Windows 7 prompting several times
Hi Andi,

I did see the behavior, and it appears to be a bug with the windows
supplicant.  Apparently, the credentials are not even passed to the EAP
module to initiate the session with the NAS...

We do not have any kind of contact at Microsoft to open a bug, so I
believe you are stuck with those issues :S

On 12-03-05 11:16 AM, Morris, Andi wrote:
 Hi all,

 Apologies for being slightly off topic.

 Does anyone else get a problem with Windows 7 clients prompting for the
 radius credentials 2 or 3 times before finally accepting them? No errors
 are shown on the radius side, and I’ve read that this is a problem with
 the operating system, but wondered whether anyone in this knowledgeable
 community had overcome this?

 Cheers,

 Andi

 





-- 
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)


RE: using windows 8's builtin eap-ttls w/ freeradius

2012-03-05 Thread Aman Arneja
Hi Alan
I am from the Microsoft EAP team for Windows 8. If you face any issues
or need clarity on any of our features please feel free to email me at
aman.arn...@microsoft.com

BTW we have tested our TTLS with freeradius successfully!

Also thanx for the feedback, I am processing it and will reply to you in
a bit about it.
Please feel free to email me on any Win8 authentication related
issues/feedback.

We have an interesting auto discoverability feature as well in our
client, where if the profile has not been created we detect the method
on the basis of credential type and a few more parameters. Also for TLS
there is a new cert filtering mechanism. We also now support connecting
to a server in PEAP if we do not have the root cert, by throwing a
warning (this is configurable of course).

We would love your feedback on these as well!

Thanx

Aman Arneja
Sent from my Windows Phone
From: Alan Buxey
Sent: 06-Mar-12 1:54 AM
To: FreeRadius users mailing list
Subject: Re: using windows 8's builtin eap-ttls w/ freeradius
hi,

right. interesting. I've just been looking into Windows 8 and I found
that if I chose a non-EAP method with TTLS (eg PAP or MSCHAP) then it
didn't work. but if I chose an EAP method with TTLS - eg EAP-MSCHAPv2 then
it worked fine. so more needs to be looked at there.

based on the UI it seems that there's 2 groups of people coding the stuff
as the PEAP interface has updated options and layout - whereas the TTLS
page is based on the old windows XP PEAP pane - from layout/options. it's
a little hideous.  importing of CAs has changed again - since Win7 - the auto
detect for cert import now puts it into the wrong place again...but manually
choosing the store and choosing Root CAs gets it in the very small list of
CAs that Win8 knows...

it seems you can choose whatever you want for the anonymous ID in TTLS
too - whereas the PEAP anonymous is more conservative.

..and none of this can be done via the new 'metro' interface...yes, it's
funky and looks pretty but once again, it doesn't show you much detail when
you hover over the wireless - signal strength bars, encryption and 802.11n -
so what about channel or SNR?

couldn't find an obvious 'disconnect' option in the interface either...but it
did take me a minute or 2 to find the 'shutdown/reset' option! ;-)

alan


Re: Windows 7 prompting several times

2012-03-05 Thread Aman Arneja
Sorry, forgot to add, I need the output stored under
Systemdrive\Windows\Tracing

On Tue, Mar 6, 2012 at 8:48 AM, Aman Arneja arneja.a...@gmail.com wrote:



Free Radius Nak List Issue

2011-12-21 Thread Aman Arneja
Hi FreeRadius Users



We seem to be facing a problem while using EAP with free radius. If the
client is proposing a list of methods in the NAK message being sent in
response to server method proposal, it seems free radius is just looking at
the first entry rather than parsing the list. Is this a known issue? Any
workarounds or patches?



Thanx



Aman Arneja
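
Two of the threads above turn on the wire format of EAP packets: the Windows 8 beta report shows an Identity response carrying `PCNAME\username`, and the Nak question is about a server reading only the first of several proposed method Types. The decoder below is an added example (not from the thread, FreeRADIUS or Windows) that parses both packet kinds per RFC 3748, returns the full Nak list, and shows how a server that only inspects the first entry can fail a negotiation that should have succeeded; the packets and the `CORP\alice` identity are constructed.

```python
import struct

EAP_RESPONSE = 2
EAP_TYPE_IDENTITY, EAP_TYPE_NAK = 1, 3


def parse_eap(pkt):
    """Split an EAP packet into header fields and Type-Data, checking the
    Length field against what was actually received (RFC 3748 section 4)."""
    if len(pkt) < 4:
        raise ValueError("EAP header needs 4 octets")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length %d does not fit in %d received octets" % (length, len(pkt)))
    body = pkt[4:length]  # anything past Length is link-layer padding
    if code in (1, 2):  # Request and Response carry a Type octet
        if not body:
            raise ValueError("Request/Response without Type octet")
        return {"code": code, "id": ident, "type": body[0], "type_data": body[1:]}
    return {"code": code, "id": ident, "type": None, "type_data": body}


def nak_desired_types(pkt):
    """Every method Type a legacy Nak proposes; a lone 0 means 'no alternative'."""
    eap = parse_eap(pkt)
    if eap["code"] != EAP_RESPONSE or eap["type"] != EAP_TYPE_NAK:
        raise ValueError("not a Nak response")
    if not eap["type_data"]:
        raise ValueError("Nak must carry at least one Type octet")
    desired = list(eap["type_data"])
    return [] if desired == [0] else desired


def choose_method(nak_pkt, server_supported, first_only=False):
    """Server-side negotiation after a Nak: pick the first client-desired Type
    the server also supports.  first_only reproduces the behaviour the thread
    reports (only the first Nak entry is looked at)."""
    desired = nak_desired_types(nak_pkt)
    for t in (desired[:1] if first_only else desired):
        if t in server_supported:
            return t
    return None


def identity_parts(pkt):
    """Split an EAP-Identity of the form DOMAIN\\user (what the Windows 8 beta
    sends, per the thread) into (domain, user); domain is None if absent."""
    eap = parse_eap(pkt)
    if eap["code"] != EAP_RESPONSE or eap["type"] != EAP_TYPE_IDENTITY:
        raise ValueError("not an Identity response")
    domain, sep, user = eap["type_data"].decode("utf-8", "replace").rpartition("\\")
    return (domain if sep else None, user)


# Constructed packets: a Nak proposing 25 (PEAP), then 21 (EAP-TTLS), then
# 13 (EAP-TLS), Length 8; and an Identity response (Length 15) prefixed with
# a made-up computer/domain name.
NAK_PKT = bytes([EAP_RESPONSE, 0x05, 0x00, 0x08, EAP_TYPE_NAK, 25, 21, 13])
IDENTITY_PKT = struct.pack("!BBHB", EAP_RESPONSE, 0x01, 15, EAP_TYPE_IDENTITY) + b"CORP\\alice"
```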


Re: Free Radius Nak List Issue

2011-12-21 Thread Aman Arneja
Sorry for spam but the version is 1.1.8

On Wed, Dec 21, 2011 at 5:22 PM, Aman Arneja arneja.a...@gmail.com wrote:



Request information for EAP TTLS

2011-01-19 Thread Aman Arneja
 Hi

 I am new to Free Radius and was just wondering if someone can help me out. I
 am planning to implement an EAP TTLS client and was wondering the following
 about Free Radius for my testing.

 1.) Does the Free Radius implementation of EAP TTLS support the following:

 a.) Client auth during phase 1
 b.) Id privacy can be explicitly enabled or disabled
 c.) Allowing tunneled methods such as FAST, PEAP as inner methods
 d.) Method chaining in phase 2

 Thanx in advance for your help guys

 Aman Arneja

