RE: more EAP/TTLS trouble
Hi Steve

Microsoft supports EAP-TTLS in our upcoming release of Windows 8. That said, PEAP-MSCHAPv2 is as modern as EAP-TTLS and is a very widely and simply deployed method. I have personally used the FreeRADIUS PEAP-MSCHAPv2 pretty much out of the box. As for the certificate error you saw earlier, that was due to the nature of the design of a modern secure authentication method, which gives supported security features like Server Certificate Validation enabled by default. If you just go through the net you will find tonnes of working PEAP-MSCHAPv2 eap.conf's, and I suggest you compare yours to the ones available for the authentication to work. Also, if you are looking for TTLS only, you can test with the beta of Windows 8 and become one of our early adopters when it releases.

Thanx and Regards
Aman Arneja

Sent from my Windows Phone

--
From: Steve Hopps
Sent: 5/30/2012 6:23 PM
To: FreeRadius users mailing list
Subject: Re: more EAP/TTLS trouble

We're trying to use an access point configured for WPA2, using FreeRADIUS to authenticate against OpenLDAP. For Android and Linux it works out of the box with EAP/TTLS and PAP. So we used PAM because it already works with LDAP. I didn't know other encryption types wouldn't work with PAM. iPhones work with a custom config profile that's easily installed. However, our most significant hurdle is Windows machines. Who would have guessed??? For some stupid reason Microsoft doesn't care about supporting all modern encryption standards. Making our staff pay for SecureW2 isn't an option and XSupplicant doesn't work reliably yet in 64-bit Win7. So I'm back to trying to get MSCHAPv2 working with PEAP. This seems impossible.

On May 30, 2012 2:43 AM, Phil Mayers p.may...@imperial.ac.uk wrote:

On 05/29/2012 10:28 PM, Steve Hopps wrote:
So I'm confused, what's the right way to handle this situation?

What situation? What are you trying to do?

Alan has already hinted at the issue, but basically see here:
http://deployingradius.com/documents/protocols/oracles.html
...and here:
http://deployingradius.com/documents/protocols/compatibility.html

Whatever protocol you are running within TTLS, it's not PAP, therefore not compatible with PAM-as-an-oracle.

rlm_pam: Attribute User-Password is required for authentication.
++[pam] returns invalid

PAM is being forced (I think) here:

[files] users: Matched entry DEFAULT at line 222

...fix that line. Don't force PAM if you don't want or need it, and if you want/need it, pick compatible authentication.

The Proxy-To-Realm comments in the default config files might be out of date; in general, obey what the debug says over ANY other advice, because it's coming from the actual code.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: more EAP/TTLS trouble
Steve

Windows is trying to validate the server cert. By default we have Server Cert Validation enabled. You can disable this from the properties.

Regards
Aman Arneja

On Wed, May 30, 2012 at 1:47 AM, Steve Hopps steve.ho...@gmail.com wrote:

The only computer in our office which causes certificate errors is a Windows 7 machine. So I attempted to connect using EAP/TTLS and MSCHAPv2 using my Linux machine and my Android phone. Now I get a different error. I also tried using PEAP on my Android phone, and received no certificate errors. What could the Windows machine be doing differently? Why does the machine even enter the picture when the authentication is between the access point and the server?

Below is the portion of the log which shows the rejection, when using my Android phone, TTLS and MSCHAPv2 (that is what Windows uses, isn't it?). Where I am confused is near the bottom: what is causing the rejection?

++[pam] returns invalid

or

[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid

Log follows:

server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
[suffix] No '@' in User-Name = test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[control] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 222
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request.
Found Auth-Type = PAM
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
rlm_pam: Attribute User-Password is required for authentication.
++[pam] returns invalid
Failed to authenticate the user.
Login incorrect: [test] (from client -REMOVED- port 0 via TLS tunnel)
} # server inner-tunnel
[ttls] Got tunneled reply code 3
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [test] (from client -REMOVED- port 0 cli B4-07-F9-F2-99-F6)
Using Post-Auth-Type Reject
RE: Windows 8 beta supplicant always prefixes computer name to user name
Martin

I work for the EAP team for Windows 8 and will look into this and get back to you.

Regards
Aman Arneja

Sent from my Windows Phone

From: Martin Pauly
Sent: 4/23/2012 6:44 PM
To: FreeRadius users mailing list
Subject: OT: Windows 8 beta supplicant always prefixes computer name to user name

Hi all,

sorry, this is much OT. As many, we do PEAP with the help of ntlm_auth, both wired and wireless. Today, my first Windows 8 user walked in, wanting to do wired 802.1X. Setting things exactly as in Windows 7 results in the computer name always showing up as (pseudo-)domain in the authentication dialog. It's visible, but not changeable. Subsequently, what I see in the server is (real names replaced):

rad_recv: Access-Request packet from host 192.168.4.249 port 1645, id=98, length=161
        User-Name = PCNAME\\username
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = 00-11-BB-A7-94-8D
        Calling-Station-Id = F0-BF-97-D1-97-53
        EAP-Message = 0x02010011014d455048495c426162616569
        Message-Authenticator = 0x882ea6dd7bcb0c978b71d1da77ce7753
        NAS-Port-Type = Ethernet
        NAS-Port = 50211
        NAS-Port-Id = FastEthernet2/0/11
        NAS-IP-Address = 192.168.4.249

username is not Windows' local username, cf. last part of http://www.uni-marburg.de/hrz/internet/students/swh-en/anleitung-en/vista-und-7-en/config-en

TIA, Martin

--
Dr. Martin Pauly        Phone:  +49-6421-28-23527
HRZ Univ. Marburg       Fax:    +49-6421-28-26994
Hans-Meerwein-Str.      E-Mail: pa...@hrz.uni-marburg.de
D-35032 Marburg
RE: EAP-PEAP + Windows 7 with SSO and Password change
Password change and retry are very much supported for Windows and EAP for (P)EAP-MSCHAPv2. There would be some flag that needs to be set for this, after which it will work; will check what that flag is and write back in some time.

Sent from my Windows Phone

From: David Mitton
Sent: 4/5/2012 6:19 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: EAP-PEAP + Windows 7 with SSO and Password change

Yes, basically, password change operations are not supported by Windows EAP support. Not to mention RADIUS as well.

Dave.

Quoting c_dor...@gmx.de:

Hi,

we would like to use the FreeRADIUS server to set up port access per 802.1X on wired LAN. The plan is to have a guest VLAN for unauthenticated supplicants and a VLAN assignment for authenticated supplicants. We configured the FreeRADIUS server (version 2.1.12) to use PEAP/MSCHAPv2 for user authentication. Each user can have one native/untagged VLAN. So far, the actual configuration works.

Now we would like to use the Single Sign On feature of the Windows 7 supplicant before the user has logged in. But this seems to work only if the user account is valid. When the user account is new (with password change on next logon) or the password has expired, then FreeRADIUS sends the MS-CHAP-Error to the supplicant. But why the hell does the Windows 7 client not pop up a window to change the password? Is that generally not possible (because of EAP-MSCHAPv2) or is something missing in the config?

I tried to use freeradius 3.0.0 from git with the passchange feature enabled in the mschap module. I did all steps from doc/mschap.rst.

The following debug is from freeradius 3.0.0:

snip
:
:
(8) Found Auth-Type = EAP
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(8)   group authenticate {
(8)   - entering group authenticate {...}
(8)   eap : Request found, released from the list
(8)   eap : EAP/mschapv2
(8)   eap : processing type mschapv2
(8)   mschapv2 : # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(8)   mschapv2 :   group MS-CHAP {
(8)   mschapv2 :   - entering group MS-CHAP {...}
(8)   mschap : NT Domain delimeter found, should we have enabled with_ntdomain_hack?
(8)   mschap : Creating challenge hash with username: DOMAIN\test-user3
(8)   mschap : Told to do MS-CHAPv2 for DOMAIN\test-user3 with NT-Password
(8)   mschap : expand: %{Stripped-User-Name} ->
(8)   mschap : ... expanding second conditional
(8)   mschap : expand: %{User-Name} -> DOMAIN\test-user3
(8)   mschap : expand: %{%{User-Name}:-None} -> DOMAIN\test-user3
(8)   mschap : expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=DOMAIN\test-user3
(8)   mschap : NT Domain delimeter found, should we have enabled with_ntdomain_hack?
(8)   mschap : Creating challenge hash with username: DOMAIN\test-user3
(8)   mschap : expand: %{mschap:Challenge} -> 4b4be3875649ba1a
(8)   mschap : expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=4b4be3875649ba1a
(8)   mschap : expand: %{mschap:NT-Response} -> a900f8c9381beb68f33a91cc2f1c87bb72970bdd62ece3a2
(8)   mschap : expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=a900f8c9381beb68f33a91cc2f1c87bb72970bdd62ece3a2
Exec-Program output: Password expired (0xc648)
Exec-Program-Wait: plaintext: Password expired (0xc648)
Exec-Program: returned: 1
(8)   mschap : ntlm_auth says password has expired
(8)   [mschap] = reject
rlm_eap_mschapv2: No MS-CHAPv2-Success or MS-CHAP-Error was found.
(8)   eap : Handler failed in EAP/mschapv2
(8)   eap : Failed in EAP select
(8)   [eap] = invalid
(8) Failed to authenticate the user.
(8) Login incorrect: [DOMAIN\\test-user3/via Auth-Type = EAP] (from client switches port 0 via TLS tunnel)
} # server inner-tunnel
(8) peap : Got tunneled reply code 3
        MS-CHAP-Error = \013E=648 R=0 C=62fa0aad52c662d5b02fcda34542d074 V=3 M=Password Expired
        EAP-Message = 0x040b0004
        Message-Authenticator = 0x
(8) peap : Got tunneled reply RADIUS code 3
        MS-CHAP-Error = \013E=648 R=0 C=62fa0aad52c662d5b02fcda34542d074 V=3 M=Password Expired
        EAP-Message = 0x040b0004
        Message-Authenticator = 0x
(8) peap : Tunneled authentication was rejected.
(8) peap : FAILURE
(8) [eap] = handled
Sending Access-Challenge of id 128 to 192.168.15.52 port 2686
        EAP-Message = 0x010c002b190017030100202f2f3b44177589096e8dbced7004dd801b1a777dd1a966acf5dcbde958537403
        Message-Authenticator = 0x
        State = 0x7cb2ed6374bef496dfd35c4e86820391
(8) Finished request 8.
Waking up in 0.1 seconds.
rad_recv: Access-Request packet from host zzz.aaa.xxx.yyy port 2686, id=129, length=262
        Framed-MTU = 1480
        NAS-IP-Address = zzz.aaa.xxx.yyy
        NAS-Identifier = SWITCHxxx
        User-Name = DOMAIN\\test-user3
        Service-Type = Framed-User
:
:
:
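The inner tunnel above rejects with MS-CHAP-Error = \013E=648 R=0 C=... V=3 M=Password Expired. That value is the MS-CHAPv2 Failure packet text of RFC 2759 section 6 carried in the MS-CHAP-Error RADIUS attribute (RFC 2548 section 2.1.6), which prefixes it with a one-byte Ident; the \013 octal escape in the debug is Ident 0x0b. The Go program below is an added example, not code from this list or from FreeRADIUS: it parses that attribute into its fields, maps E= to the symbolic names RFC 2759 defines, and reports whether the failure is the expired-password case (E=648) to which RFC 2759 section 7 lets a peer answer with a Change-Password packet. The type and function names are mine; the sample attribute is constructed from the value in the debug output.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// FailureInfo is the decoded content of an MS-CHAP-Error attribute: one Ident
// byte followed by the Failure packet text from RFC 2759 section 6,
//   "E=eeeeeeeeee R=r C=cccccccccccccccccccccccccccccccc V=vvvvvvvvvv M=<msg>".
type FailureInfo struct {
	Ident     byte
	Code      int
	Retry     bool   // R=1: the peer may retry, using the challenge in C=
	Challenge []byte // C=: 16-byte challenge for the retry
	Version   int    // V=3 for MS-CHAPv2
	Message   string // M=: free text, may contain spaces
}

// Error codes listed in RFC 2759 section 6.
var failureCodes = map[int]string{
	646: "ERROR_RESTRICTED_LOGON_HOURS",
	647: "ERROR_ACCT_DISABLED",
	648: "ERROR_PASSWD_EXPIRED",
	649: "ERROR_NO_DIALIN_PERMISSION",
	691: "ERROR_AUTHENTICATION_FAILURE",
	709: "ERROR_CHANGING_PASSWORD",
}

// ParseMSCHAPError decodes a raw MS-CHAP-Error attribute value. The M= field
// is split off first because the message text may itself contain spaces.
func ParseMSCHAPError(attr []byte) (*FailureInfo, error) {
	if len(attr) < 2 {
		return nil, fmt.Errorf("MS-CHAP-Error too short")
	}
	f := &FailureInfo{Ident: attr[0]}
	text := string(attr[1:])
	if i := strings.Index(text, "M="); i >= 0 {
		f.Message = text[i+2:]
		text = text[:i]
	}
	for _, field := range strings.Fields(text) {
		key, val, ok := strings.Cut(field, "=")
		if !ok {
			return nil, fmt.Errorf("malformed field %q", field)
		}
		var err error
		switch key {
		case "E":
			f.Code, err = strconv.Atoi(val)
		case "R":
			f.Retry = val == "1"
		case "C":
			f.Challenge, err = hex.DecodeString(val)
		case "V":
			f.Version, err = strconv.Atoi(val)
		default:
			err = fmt.Errorf("unknown field %q", key)
		}
		if err != nil {
			return nil, err
		}
	}
	if f.Code == 0 {
		return nil, fmt.Errorf("MS-CHAP-Error without E= code")
	}
	return f, nil
}

// CodeName returns the RFC 2759 symbolic name for the E= code.
func (f *FailureInfo) CodeName() string {
	if name, ok := failureCodes[f.Code]; ok {
		return name
	}
	return "UNKNOWN"
}

// PasswordChangeOffered reports whether this is the ERROR_PASSWD_EXPIRED
// failure to which RFC 2759 section 7 allows a Change-Password response.
func (f *FailureInfo) PasswordChangeOffered() bool {
	return f.Code == 648
}

func main() {
	// Constructed from the attribute in the debug output above; the "\013"
	// shown there is the Ident byte 0x0b.
	attr := append([]byte{0x0b}, "E=648 R=0 C=62fa0aad52c662d5b02fcda34542d074 V=3 M=Password Expired"...)
	f, err := ParseMSCHAPError(attr)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ident=%d code=%d (%s) retry=%v version=%d msg=%q change-offered=%v\n",
		f.Ident, f.Code, f.CodeName(), f.Retry, f.Version, f.Message, f.PasswordChangeOffered())
}
```

Note that R=0 in the logged failure means the server is not inviting a plain retry; what the supplicant does with an E=648 failure is up to the supplicant, which is the behaviour the thread is asking about.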
RE: Windows 7 prompting several times
Hi guys

I am from the Microsoft EAP team, and we have not seen this issue. Can you please send the following logs to me for investigating at aman.arn...@microsoft.com

From an elevated command prompt:

Netsh ras set tr * en
run scenario
Netsh ras set tr * di

Also, you can consider me a Microsoft contact for authentication related issues.

Thanx
Aman Arneja

Sent from my Windows Phone

From: Francois Gaudreault
Sent: 06-Mar-12 3:59 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Windows 7 prompting several times

Hi Andi,

I did see the behavior, and it appears to be a bug with the Windows supplicant. Apparently, the credentials are not even passed to the EAP module to initiate the session with the NAS... We do not have any kind of contact at Microsoft to open a bug, so I believe you are stuck with those issues :S

On 12-03-05 11:16 AM, Morris, Andi wrote:

Hi all,

Apologies for being slightly off topic. Does anyone else get a problem with Windows 7 clients prompting for the RADIUS credentials 2 or 3 times before finally accepting them? No errors are shown on the RADIUS side, and I've read that this is a problem with the operating system, but wondered whether anyone in this knowledgeable community had overcome this?

Cheers,
Andi

From 1st November 2011 UWIC changed its title to Cardiff Metropolitan University. From the 6th December 2011, as part of this change, all email addresses which included @uwic.ac.uk have changed to @cardiffmet.ac.uk. All emails sent from Cardiff Metropolitan University will now be sent from the new @cardiffmet.ac.uk address. Please could you ensure that all of your contact records and databases are updated to reflect this change. Further information can be found on the website here: http://www3.uwic.ac.uk/English/News/Pages/UWIC-Name-Change.aspx

--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
RE: using windows 8's builtin eap-ttls w/ freeradius
Hi Alan

I am from the Microsoft EAP team for Windows 8. If you face any issues or need clarity on any of our features please feel free to email me at aman.arn...@microsoft.com

BTW we have tested our TTLS with FreeRADIUS successfully! Also thanx for the feedback; I am processing it and will reply to you in a bit about it. Please feel free to email me on any Win8 authentication related issues/feedback.

We have an interesting auto-discoverability feature as well in our client, where if the profile has not been created we detect the method on the basis of credential type and a few more parameters. Also for TLS there is a new cert filtering mechanism. We also now support connecting to a server in PEAP if we do not have the root cert, by throwing a warning (this is configurable of course). We would love your feedback on these as well!

Thanx
Aman Arneja

Sent from my Windows Phone

From: Alan Buxey
Sent: 06-Mar-12 1:54 AM
To: FreeRadius users mailing list
Subject: Re: using windows 8's builtin eap-ttls w/ freeradius

hi,

right. interesting. I've just been looking into Windows 8 and I found that if I chose a non-EAP method with TTLS (eg PAP or MSCHAP) then it didn't work, but if I chose an EAP method with TTLS (eg EAP-MSCHAPv2) then it worked fine. So more needs to be looked at there.

Based on the UI it seems that there are 2 groups of people coding the stuff, as the PEAP interface has updated options and layout, whereas the TTLS page is based on the old Windows XP PEAP pane (from layout/options). It's a little hideous.

Importing of CAs has changed again since Win7: the auto detect for cert import now puts it into the wrong place again... but manually choosing the store and choosing Root CAs gets it in the very small list of CAs that Win8 knows...

It seems you can choose whatever you want for the anonymous ID in TTLS too, whereas the PEAP anonymous is more conservative.

..and none of this can be done via the new 'metro' interface. Yes, it's funky and looks pretty, but once again it doesn't show you much detail when you hover over the wireless: signal strength bars, encryption and 802.11n. So what about channel or SNR? Couldn't find an obvious 'disconnect' option in the interface either... but it did take me a minute or 2 to find the 'shutdown/reset' option! ;-)

alan
Re: Windows 7 prompting several times
Sorry, forgot to add, I need the output stored under Systemdrive\Windows\Tracing

On Tue, Mar 6, 2012 at 8:48 AM, Aman Arneja arneja.a...@gmail.com wrote:

Hi guys

I am from the Microsoft EAP team, and we have not seen this issue. Can you please send the following logs to me for investigating at aman.arn...@microsoft.com

From an elevated command prompt:

Netsh ras set tr * en
run scenario
Netsh ras set tr * di

Also, you can consider me a Microsoft contact for authentication related issues.

Thanx
Aman Arneja

Sent from my Windows Phone
Free Radius Nak List Issue
Hi FreeRADIUS Users

We seem to be facing a problem while using EAP with FreeRADIUS. If the client is proposing a list of methods in the NAK message being sent in response to the server's method proposal, it seems FreeRADIUS is just looking at the first entry rather than parsing the list. Is this a known issue? Any workarounds or patches?

Thanx
Aman Arneja
Re: Free Radius Nak List Issue
Sorry for spam, but the version is 1.1.8

On Wed, Dec 21, 2011 at 5:22 PM, Aman Arneja arneja.a...@gmail.com wrote:

Hi FreeRADIUS Users

We seem to be facing a problem while using EAP with FreeRADIUS. If the client is proposing a list of methods in the NAK message being sent in response to the server's method proposal, it seems FreeRADIUS is just looking at the first entry rather than parsing the list. Is this a known issue? Any workarounds or patches?

Thanx
Aman Arneja
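The Nak being discussed is the legacy Nak of RFC 3748 section 5.3.1: a Response of Type 3 whose Type-Data is one or more octets, each naming a method the peer would accept instead of the one the server proposed (a single 0 means it accepts none). A server that reads only the first octet can refuse a peer that would have accepted its second choice. The Go program below is an added example, not code from this list or from FreeRADIUS, and does not describe what any FreeRADIUS version actually does; it parses the EAP header, collects the whole Nak list, and picks the first listed type the server also offers. The names are mine and the sample packets are constructed.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// EAP codes and types from RFC 3748 (and the method registry) used below.
const (
	eapResponse     = 2
	eapTypeIdentity = 1
	eapTypeNak      = 3
	eapTypeTLS      = 13
	eapTypeTTLS     = 21
	eapTypePEAP     = 25
)

// EAPPacket is the RFC 3748 header (Code, Identifier, Length) plus the Type
// and Type-Data of a Request or Response.
type EAPPacket struct {
	Code     byte
	ID       byte
	Type     byte
	TypeData []byte
}

// ParseEAP decodes a Request/Response from the bytes carried in EAP-Message
// and enforces the Length field against the buffer it was given.
func ParseEAP(raw []byte) (*EAPPacket, error) {
	if len(raw) < 5 {
		return nil, fmt.Errorf("EAP packet too short (%d bytes)", len(raw))
	}
	length := int(binary.BigEndian.Uint16(raw[2:4]))
	if length < 5 || length > len(raw) {
		return nil, fmt.Errorf("bad EAP length %d for %d-byte buffer", length, len(raw))
	}
	return &EAPPacket{Code: raw[0], ID: raw[1], Type: raw[4], TypeData: raw[5:length]}, nil
}

// NakTypes returns every method the peer lists in a legacy Nak, not only the
// first octet.
func (p *EAPPacket) NakTypes() ([]byte, error) {
	if p.Code != eapResponse || p.Type != eapTypeNak {
		return nil, fmt.Errorf("not a Nak response (code %d, type %d)", p.Code, p.Type)
	}
	if len(p.TypeData) == 0 {
		return nil, fmt.Errorf("Nak carries no Type-Data")
	}
	return p.TypeData, nil
}

// SelectMethod walks the peer's whole Nak list in the peer's order of
// preference and returns the first type the server offers; a 0 entry
// (no acceptable alternative) is skipped.
func SelectMethod(nak *EAPPacket, serverTypes []byte) (byte, bool) {
	types, err := nak.NakTypes()
	if err != nil {
		return 0, false
	}
	for _, want := range types {
		if want == 0 {
			continue
		}
		for _, have := range serverTypes {
			if want == have {
				return want, true
			}
		}
	}
	return 0, false
}

func main() {
	// Constructed Nak: Code 2 (Response), Id 2, Length 8, Type 3, listing
	// MD5-Challenge (4), PEAP (25) and TTLS (21) as acceptable alternatives.
	nak, err := ParseEAP([]byte{eapResponse, 2, 0, 8, eapTypeNak, 4, eapTypePEAP, eapTypeTTLS})
	if err != nil {
		panic(err)
	}
	serverOffers := []byte{eapTypeTTLS, eapTypePEAP}
	if m, ok := SelectMethod(nak, serverOffers); ok {
		fmt.Printf("peer listed %v, server picks type %d\n", nak.TypeData, m)
	} else {
		fmt.Println("no common method")
	}
}
```

With that Nak, looking only at the first octet would leave the server with MD5-Challenge, which it does not offer, and the session would fail even though PEAP is acceptable to both sides.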
Request information for EAP TTLS
Hi

I am new to FreeRADIUS and was just wondering if someone can help me out. I am planning to implement an EAP-TTLS client and was wondering the following about FreeRADIUS for my testing.

1.) Does the FreeRADIUS implementation of EAP-TTLS support the following?
a.) Client auth during phase 1
b.) Id privacy can be explicitly enabled or disabled
c.) Allowing tunneled methods such as FAST, PEAP as inner methods
d.) Method chaining in phase 2

Thanx in advance for your help guys
Aman Arneja