RE: Since 2 months no one has any idea how to do this? Stripping Username Question *important*
Okay, I tried a little and my result is now that my attr_rewrite looks like:

search_string = (host/)
replace_string =

That works to delete the host/ part. But I need a $ appended to the User-Name. How can I do this?

Kind regards
Armin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Michael Mitchell
Sent: Saturday, 22 July 2006 11:42
To: FreeRadius users mailing list
Subject: Re: Since 2 months no one has any idea how to do this? Stripping Username Question *important*

Hi Armin,

You may be able to use the attr_rewrite module to rewrite the value of the attribute in the authorize section. You can use a regular expression, something like:

search_string = ^([^/]*)/(.*)$
replace_string = %{2}$

You may need to escape some characters (for example the forward slash), you'll have to try it...

Hope that helps.

regards,
Mike

Krämer Armin wrote:
When a machine authenticates I get the name of the machine like host/250-IT and the search string on LDAP is like host/250-IT. I need the search string at LDAP like 250-IT$. How can I strip away that host/ and add $ for the search at the LDAP directory?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
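As an added example (not code from the thread or from the FreeRADIUS project), the following Python emulates what the two attr_rewrite search/replace pairs posted above do to a machine identity, so their results can be compared before touching radiusd.conf; it assumes %{N} means capture group N, uses Python's re as a stand-in for the module's regex engine, and assumes the LDAP filter from the thread is an AND of its two terms.

```python
"""Emulate rlm_attr_rewrite search/replace on a User-Name.

Added example, not code from the FreeRADIUS project. It assumes the
module matches search_string against the attribute value and substitutes
replace_string, where %{N} stands for capture group N; Python's re
module is used in place of the module's own regex engine (assumption).
"""
import re

# The %{N} back-reference syntax used in replace_string.
_BACKREF = re.compile(r"%\{(\d+)\}")


class AttrRewrite:
    """One attr_rewrite instance: a search_string and a replace_string."""

    def __init__(self, search_string: str, replace_string: str) -> None:
        self.pattern = re.compile(search_string)
        self.replace_string = replace_string

    def _expand(self, match: re.Match) -> str:
        # Replace each %{N} with capture group N; an unmatched group yields "".
        return _BACKREF.sub(
            lambda ref: match.group(int(ref.group(1))) or "", self.replace_string
        )

    def rewrite(self, value: str) -> str:
        """Return the rewritten attribute value (first match only)."""
        return self.pattern.sub(self._expand, value, count=1)


# Armin's configuration from the thread: deletes "host/" but appends nothing.
STRIP_ONLY = AttrRewrite(search_string=r"(host/)", replace_string="")

# Michael Mitchell's configuration: drops everything up to the first "/"
# and appends the "$" that an AD computer account name carries.
STRIP_AND_DOLLAR = AttrRewrite(search_string=r"^([^/]*)/(.*)$", replace_string="%{2}$")


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    The rewritten User-Name comes straight from the supplicant, so the
    filter metacharacters must not be interpreted.
    """
    out = []
    for ch in value:
        if ch in "\\*()":
            out.append("\\%02x" % ord(ch))
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def ldap_filter(user_name: str, rule: AttrRewrite = STRIP_AND_DOLLAR) -> str:
    """Build the search filter from the thread on the rewritten name.

    The "&" conjunction is assumed; the thread's log shows the two terms.
    """
    uid = ldap_escape(rule.rewrite(user_name))
    return "(&(uid=%s)(objectclass=radiusprofile))" % uid


if __name__ == "__main__":
    # Constructed sample identities: the machine names from the thread and
    # a user account that must pass through both rules unchanged.
    for name in ("host/250-IT", "host/Notebook-AK.ak-server.de", "Kraemer.Armin"):
        print("%-32s strip-only: %-28s strip+$: %s" % (
            name, STRIP_ONLY.rewrite(name), STRIP_AND_DOLLAR.rewrite(name)))
        print("  filter:", ldap_filter(name))
```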
Root Certificate via ADS
Hi,

I'm planning to install my generated root certificate via W2k ADS on the clients. How can I do this via ADS? What do I have to do in ADS and Group Policies?

The second question is that I will have to set a mark on my certificate in the Trusted Root Certificate field at the network connection (hope you understand what I mean). How can I do this? Install the root certificate and set this mark so that I can use EAP-TLS with FreeRADIUS? I don't want to put it on 300 clients by hand :-)

Thanks
Armin
Redundant LDAP Authentication and 2 Problems
Hi,

at the moment I'm trying to get my LDAP authentication working with redundant LDAP directories. I made a second ldap module and the following entry in the authentication part:

redundant {
	ldap1
	ldap2
}

I fired up a second LDAP directory which is replicated by the first one. My problem is that if I kill ldap1 I can't get a result from ldap2. But the database and directory are the same!

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.1.4:389, authentication 0
rlm_ldap: bind as cn=freeradius,ou=admins,ou=radius,dc=XXX,dc=de/freeradius to 192.168.1.4:389
rlm_ldap: cn=freeradius,ou=admins,ou=radius,dc=XXX,dc=de bind to 192.168.1.4:389 failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap1 returns fail for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for Notebook-XXX.de
radius_xlat: '((uid=Notebook-AK.XXX.de)(objectclass=radiusprofile))'
radius_xlat: 'ou=users,ou=radius,dc=XXX,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.1.5:389, authentication 0
rlm_ldap: bind as cn=freeradius,ou=admins,ou=radius,dc=XXX,dc=de/freeradius to 192.168.1.5:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=users,ou=radius,dc=XXX,dc=de, with filter ((uid=Notebook-AK.XXX.de)(objectclass=radiusprofile))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap2 returns notfound for request 0
modcall: group redundant returns notfound for request 0
modcall: group authorize returns updated for request 0

The second problem is that if both ldap1 and ldap2 are down, the eap-tls module which is for authorisation goes on and authenticates the user. How can I change that? I want to configure the server so that if LDAP fails the whole process fails and the user is rejected. What will I have to add to my redundant part?

Hope this is understandable?

Kind regards
Armin
RE: EAP-TLS ErrorMessage but working
Oh, I'm sorry about that, I thought it would be better to send the whole log of one authentication for better understanding. OK, here it is again, only the one line:

TLS_accept:error in SSLv3 read client certificate A

Greetings
Armin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Alan DeKok
Sent: Friday, 20 January 2006 19:15
To: FreeRadius users mailing list
Subject: Re: EAP-TLS ErrorMessage but working

Armin Krämer [EMAIL PROTECTED] wrote:
I just got LDAP in my test environment working but can someone tell me what the marked line in the log means?

Please no HTML to the list. And is it really that hard to cut and paste the one line, rather than sending the whole debug log?

Alan DeKok.
EAP-TLS ErrorMessage but working
Hi,

I just got LDAP in my test environment working but can someone tell me what the marked line in the log means? The authentication works fine and I get access to my network?? Or can I ignore this message?

Greetings
Armin

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/freeradius/proxy.conf
Config: including file: /etc/freeradius/clients.conf
Config: including file: /etc/freeradius/snmp.conf
Config: including file: /etc/freeradius/eap.conf
Config: including file: /etc/freeradius/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/freeradius
 main: libdir = /usr/lib/freeradius
 main: radacctdir = /var/log/freeradius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/freeradius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/freeradius/freeradius.pid
 main: user = freerad
 main: group = freerad
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = /etc/shadow
 unix: group = (null)
 unix: radwtmp = /var/log/freeradius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = tls
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password:
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /usr/lib/ssl/server_zertifikat.pem
 tls: certificate_file = /usr/lib/ssl/server_zertifikat.pem
 tls: CA_file = /usr/lib/ssl/demoCA/cacert.pem
 tls: private_key_password = XXX
 tls: dh_file = /etc/ssl/certs/dh
 tls: random_file = /etc/ssl/certs/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)
rlm_eap: Loaded and initialized type tls
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/freeradius/huntgroups
 preprocess: hints = /etc/freeradius/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded LDAP
 ldap: server = localhost
 ldap: port = 389
 ldap: net_timeout = 10
 ldap: timeout = 20
 ldap: timelimit = 20
 ldap: identity = cn=freeradius,ou=admins,ou=radius,dc=ak-server,dc=de
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = (null)
 ldap: tls_cacertdir = (null)
 ldap: tls_certfile = (null)
 ldap: tls_keyfile = (null)
 ldap: tls_randfile = (null)
 ldap: tls_require_cert = allow
 ldap: password = XX
 ldap: basedn =
Simple Question about LDAP
Where can I define that FreeRADIUS should look at the LDAP database for user accounts and not at the users list?

Greetings
Armin
RE: No one any idea for -- TLS Authentication before Domain Logon XP?
I posted 3 days ago a message with 2 log files out of radius. Because this is part of my project for my final exam as an IT engineer, it is very important for me to get this working. Maybe someone of you has any further idea? Or would it be better to contact the OpenSSL team for this issue? Do you think this is a certificate problem or a problem of the FreeRADIUS config?

Greetings
Armin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Armin Krämer
Sent: Friday, 6 January 2006 22:21
To: freeradius-users@lists.freeradius.org
Subject: No one any idea for -- TLS Authentication before Domain Logon XP?

Sorry, forgot to attach the files...

Okay, I tested on and found a difference. I attach 2 files. One is the output with a normal client certificate, the other with a certificate with the OID 1.3.6.1.4.1.311.17.2. In both cases the certificate is rejected with "Error in Certificate A". The client certificate is tested as a client certificate and works when installed as a normal account certificate. Seems like the mistake is in the certificate itself??? When I generated the special machine certificate I changed out the normal OID against the other one described above. Or may I have to add the OID as a second OID to the certificate?

Thanks for helping. :-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, 6 January 2006 21:11
To: [EMAIL PROTECTED]
Subject: Re: No one any idea for -- TLS Authentication before Domain Logon XP?

Hello,

- login as local administrator
- start mmc.exe
- add certificate / computer account / local computer (not sure about the names, my XP is French, so I translate)
- Then, in the tree, select Root Certification Authority/Certificates
- Right click, All tasks/Import
- select your root.der
- Then, in the tree, select Personal/Certificates
- Right click, All tasks/Import
- select your machine.p12
- enter your private key
- close mmc
- set AuthMode to 2 in registry
- in computer panel/Network connection/wireless connection
- tab Association WPA TKIP
- tab Auth check Authenticate as computer...
- tab Auth/Properties check Validate server certificate and select your certificate in the list, !!! Be aware, in properties, you have to check Connect to these servers, but leave it unchecked for testing
- Pray... ;-)

Hope it helps. FYI, it works for me.

Regards,
Jeremy
No one any idea for -- TLS Authentication before Domain Logon XP?
Does no one have any idea how to solve this problem?

Greetings
Armin

Hi,

I searched the whole archive about this problem but cannot find a real answer to my problem. I want Windows XP to authenticate to FreeRADIUS before the user logs on to the domain; otherwise he would have no network connection to reach the PDC and the logon fails. It should be possible with the XP client and no other additional software. I tried out the registry patch AuthMode with a value of 2 which causes Windows to authenticate with the machine certificate only. Then I generated a client certificate with OpenSSL with the special OID 1.3.6.1.4.1.311.17.2 which was posted on the mailing list some time ago. But with this certificate authentication fails. Is there anybody who successfully managed that problem and can describe to me how he solved this problem step by step? I think the problem is the machine certificate.

Greetings
Armin
RE: No one any idea for -- TLS Authentication before Domain Logon XP?
Here, this is the only output of freeradius -X -A when I copy the certificate into the machine location in MMC (Computer Certificates) and add the root certs also. What kind of OID is now correct for a machine certificate? The normal client authentication OID or another one?

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.252:3912, id=44, length=156
	User-Name = host/Notebook-AK.ak-server.de
	NAS-IP-Address = 192.168.1.252
	NAS-Identifier = acess_point_siemens
	NAS-Port = 29
	Service-Type = Framed-User
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x022c002201686f73742f4e6f7465626f6f6b2d414b2e616b2d7365727665722e6465
	Message-Authenticator = 0x53d26ddeab0dd0406e4710707257e707
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = host/Notebook-AK.ak-server.de, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: EAP packet type response id 44 length 34
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 0
users: Matched entry DEFAULT at line 207
modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module eap returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 44 to 192.168.1.252:3912
	Framed-IP-Address = 255.255.255.254
	Framed-MTU = 576
	Service-Type = Framed-User
	EAP-Message = 0x012d00060d20
	Message-Authenticator = 0x
	State = 0xc64cbbb104fb839fdb2c2cede14e4f2e
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 44 with timestamp 43be09ac
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.1.252:3913, id=45, length=156
	User-Name = host/Notebook-AK.ak-server.de
	NAS-IP-Address = 192.168.1.252
	NAS-Identifier = acess_point_siemens
	NAS-Port = 29
	Service-Type = Framed-User
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x022d002201686f73742f4e6f7465626f6f6b2d414b2e616b2d7365727665722e6465
	Message-Authenticator = 0xfb2bddbd89303b852866ad099e315c52
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module preprocess returns ok for request 1
modcall[authorize]: module chap returns noop for request 1
modcall[authorize]: module mschap returns noop for request 1
rlm_realm: No '@' in User-Name = host/Notebook-AK.ak-server.de, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 1
rlm_eap: EAP packet type response id 45 length 34
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 1
users: Matched entry DEFAULT at line 207
modcall[authorize]: module files returns ok for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module eap returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 45 to 192.168.1.252:3913
	Framed-IP-Address = 255.255.255.254
	Framed-MTU = 576
	Service-Type = Framed-User
	EAP-Message = 0x012e00060d20
	Message-Authenticator = 0x
	State = 0x399b87c79d22ab0ddb4e05e1d9a82ba0
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 45 with timestamp 43be09ba
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host
RE: No one any idea for -- TLS Authentication before Domain Logon XP?
Okay, I tested on and found a difference. I attach 2 files. One is the output with a normal client certificate, the other with a certificate with the OID 1.3.6.1.4.1.311.17.2. In both cases the certificate is rejected with "Error in Certificate A". The client certificate is tested as a client certificate and works when installed as a normal account certificate. Seems like the mistake is in the certificate itself??? When I generated the special machine certificate I changed out the normal OID against the other one described above. Or may I have to add the OID as a second OID to the certificate?

Thanks for helping. :-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, 6 January 2006 21:11
To: [EMAIL PROTECTED]
Subject: Re: No one any idea for -- TLS Authentication before Domain Logon XP?

Hello,

- login as local administrator
- start mmc.exe
- add certificate / computer account / local computer (not sure about the names, my XP is French, so I translate)
- Then, in the tree, select Root Certification Authority/Certificates
- Right click, All tasks/Import
- select your root.der
- Then, in the tree, select Personal/Certificates
- Right click, All tasks/Import
- select your machine.p12
- enter your private key
- close mmc
- set AuthMode to 2 in registry
- in computer panel/Network connection/wireless connection
- tab Association WPA TKIP
- tab Auth check Authenticate as computer...
- tab Auth/Properties check Validate server certificate and select your certificate in the list, !!! Be aware, in properties, you have to check Connect to these servers, but leave it unchecked for testing
- Pray... ;-)

Hope it helps. FYI, it works for me.

Regards,
Jeremy
No one any idea for -- TLS Authentication before Domain Logon XP?
Sorry, forgot to attach the files...

Okay, I tested on and found a difference. I attach 2 files. One is the output with a normal client certificate, the other with a certificate with the OID 1.3.6.1.4.1.311.17.2. In both cases the certificate is rejected with "Error in Certificate A". The client certificate is tested as a client certificate and works when installed as a normal account certificate. Seems like the mistake is in the certificate itself??? When I generated the special machine certificate I changed out the normal OID against the other one described above. Or may I have to add the OID as a second OID to the certificate?

Thanks for helping. :-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, 6 January 2006 21:11
To: [EMAIL PROTECTED]
Subject: Re: No one any idea for -- TLS Authentication before Domain Logon XP?

Hello,

- login as local administrator
- start mmc.exe
- add certificate / computer account / local computer (not sure about the names, my XP is French, so I translate)
- Then, in the tree, select Root Certification Authority/Certificates
- Right click, All tasks/Import
- select your root.der
- Then, in the tree, select Personal/Certificates
- Right click, All tasks/Import
- select your machine.p12
- enter your private key
- close mmc
- set AuthMode to 2 in registry
- in computer panel/Network connection/wireless connection
- tab Association WPA TKIP
- tab Auth check Authenticate as computer...
- tab Auth/Properties check Validate server certificate and select your certificate in the list, !!! Be aware, in properties, you have to check Connect to these servers, but leave it unchecked for testing
- Pray... ;-)

Hope it helps. FYI, it works for me.

Regards,
Jeremy

rad_recv: Access-Request packet from host 192.168.1.252:3981, id=211, length=156
	User-Name = host/Notebook-AK.ak-server.de
	NAS-IP-Address = 192.168.1.252
	NAS-Identifier = acess_point_siemens
	NAS-Port = 29
	Service-Type = Framed-User
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x02d3002201686f73742f4e6f7465626f6f6b2d414b2e616b2d7365727665722e6465
	Message-Authenticator = 0xdc7a41517d6dec674ce6ff8219eef368
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 69
modcall[authorize]: module preprocess returns ok for request 69
modcall[authorize]: module chap returns noop for request 69
modcall[authorize]: module mschap returns noop for request 69
rlm_realm: No '@' in User-Name = host/Notebook-AK.ak-server.de, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 69
rlm_eap: EAP packet type response id 211 length 34
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 69
users: Matched entry DEFAULT at line 207
modcall[authorize]: module files returns ok for request 69
modcall: group authorize returns updated for request 69
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 69
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module eap returns handled for request 69
modcall: group authenticate returns handled for request 69
Sending Access-Challenge of id 211 to 192.168.1.252:3981
	Framed-IP-Address = 255.255.255.254
	Framed-MTU = 576
	Service-Type = Framed-User
	EAP-Message = 0x01d400060d20
	Message-Authenticator = 0x
	State = 0xa1c7c1956b9316d9f037a05c69ad25c8
Finished request 69
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.252:3982, id=212, length=220
	User-Name = host/Notebook-AK.ak-server.de
	NAS-IP-Address = 192.168.1.252
	NAS-Identifier = acess_point_siemens
	NAS-Port = 29
	Service-Type = Framed-User
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	State = 0xa1c7c1956b9316d9f037a05c69ad25c8
	EAP-Message = 0x02d400500d8000461603010041013d030143bda6f2fc59b27540aac54a5085da11347df898b75c1fbbbd32fb87d3bd028f1600040005000a000900640062000300060013001200630100
	Message-Authenticator = 0x921d7a28a8db01f4270383a31a31a5e5
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 70
modcall[authorize]: module preprocess returns ok for request 70
modcall[authorize]: module chap returns noop for request 70
modcall[authorize]: module mschap returns noop for request 70
rlm_realm: No '@' in User-Name = host/Notebook-AK.ak-server.de, looking up realm NULL
TLS Authentication before Domain Logon XP
Hi,

I searched the whole archive about this problem but cannot find a real answer to my problem. I want Windows XP to authenticate to FreeRADIUS before the user logs on to the domain; otherwise he would have no network connection to reach the PDC and the logon fails. It should be possible with the XP client and no other additional software. I tried out the registry patch AuthMode with a value of 2 which causes Windows to authenticate with the machine certificate only. Then I generated a client certificate with OpenSSL with the special OID 1.3.6.1.4.1.311.17.2 which was posted on the mailing list some time ago. But with this certificate authentication fails. Is there anybody who successfully managed that problem and can describe to me how he solved this problem step by step? I think the problem is the machine certificate.

Greetings
Armin
Compilation Problems under Debian Sarge stable
Hi,

I compiled FreeRADIUS from the 1.0.5 sources following the article in CT 18/2004. I swapped out the original Makefile in /tmp/freeradius-1.0.5/src/modules/rlm_eap/types/rlm_eap_tls for the one hosted by CT magazine. The only changes are the 2 added files with the OpenSSL libraries. But now the make call gives 2 errors. I want to use FreeRADIUS with eap_tls. Can someone give me a hint where the mistake is? In the attachment there is the output of make and the Makefile of the eap_tls directory.

Greetings
Armin
unknown certificate??
Hi,

I installed the current version of FreeRADIUS on a Debian system and generated a CA and server/client certificates with TinyCA2. I want to authenticate the clients using EAP/TLS. But now I get this output of FreeRADIUS and FreeRADIUS freezes at this point. Can someone tell me why this happens?

Sending Access-Challenge of id 22 to 192.168.1.252:1326
	Framed-IP-Address = 255.255.255.254
	Framed-MTU = 576
	Service-Type = Framed-User
	EAP-Message = 0x6d69bed85ccfa622102bcfe18acfe16c40c119ba45dc
	Message-Authenticator = 0x
	State = 0xd18c60556f39fcd47f7a825bbd1b5a27
Finished request 5
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.252:1327, id=23, length=130
	User-Name = Kraemer.Armin
	NAS-IP-Address = 192.168.1.252
	NAS-Identifier = acess_point_siemens
	NAS-Port = 29
	Service-Type = Framed-User
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	State = 0xd18c60556f39fcd47f7a825bbd1b5a27
	EAP-Message = 0x021700060d00
	Message-Authenticator = 0xe4c3119fa2de7a9cc9e9a4ec080c3826
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module preprocess returns ok for request 6
modcall[authorize]: module chap returns noop for request 6
modcall[authorize]: module mschap returns noop for request 6
rlm_realm: No '@' in User-Name = Kraemer.Armin, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 6
rlm_eap: EAP packet type response id 23 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 6
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 171
modcall[authorize]: module files returns ok for request 6
modcall: group authorize returns updated for request 6
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module eap returns handled for request 6
modcall: group authenticate returns handled for request 6
Sending Access-Challenge of id 23 to 192.168.1.252:1327
	Framed-IP-Address = 255.255.255.254
	Framed-MTU = 576
	Service-Type = Framed-User
Re: unknown certificate??
Hmmm... like I said, I generated that certificate with TinyCA2. If you generate the certificates with TinyCA2, it automatically signs them. I only have to export the client certificate to PKCS12 format for my XP machine. Could you tell me what could go wrong there?

Thanks, Armin

> Armin Krämer [EMAIL PROTECTED] wrote:
> > I installed the current version of FreeRADIUS on a Debian system and generated a CA and server/client certificates with TinyCA2. I want to authenticate the clients using EAP/TLS. But now I get this output from FreeRADIUS, and FreeRADIUS freezes at this point. Can someone tell me why this happens?
>
> The client certificate isn't signed by the server cert.
>
> Alan DeKok.
12077 error???
Hi, I set up FreeRADIUS with EAP-TLS, and after I generated my certificates with TinyCA and configured them in the eap.conf file I get this error message... Does anyone know what causes this error?

Thanks
Armin

debian:~# freeradius -X -A
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/freeradius/proxy.conf
Config: including file: /etc/freeradius/clients.conf
Config: including file: /etc/freeradius/snmp.conf
Config: including file: /etc/freeradius/eap.conf
Config: including file: /etc/freeradius/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/freeradius
 main: libdir = /usr/lib/freeradius
 main: radacctdir = /var/log/freeradius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/freeradius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/freeradius/freeradius.pid
 main: user = freerad
 main: group = freerad
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = /etc/shadow
 unix: group = (null)
 unix: radwtmp = /var/log/freeradius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = tls
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password:
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /etc/freeradius/certs/cert-srv.pem
 tls: certificate_file = /etc/freeradius/certs/cert-srv.pem
 tls: CA_file = /etc/freeradius/certs/cacert.pem
 tls: private_key_password = test
 tls: dh_file = /etc/freeradius/certs/dh
 tls: random_file = /etc/freeradius/certs/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)
12077:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:637:Expecting: CERTIFICATE
12077:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:evp_enc.c:450:
12077:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:423:
12077:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:709:
rlm_eap_tls: Error reading private key file
rlm_eap: Failed to initialize type tls
radiusd.conf[9]: eap: Module instantiation failed.
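The four OpenSSL lines in the trace above come from opening cert-srv.pem, which this eap.conf uses as both certificate_file and private_key_file: a PEM_read_bio "no start line ... Expecting: CERTIFICATE" while OpenSSL scans for certificate blocks, then "bad decrypt" from PEM_do_header, which is what OpenSSL reports when the passphrase it was handed (here private_key_password = test) does not decrypt the key block. As an added example, not code from this thread or from FreeRADIUS, the Python below inspects a PEM file's structure before the server is started: which labelled blocks it holds, whether a key block is encrypted (legacy "Proc-Type: 4,ENCRYPTED" header or a PKCS#8 "ENCRYPTED PRIVATE KEY" label) and whether that agrees with a password being configured. It cannot verify the passphrase itself (that needs OpenSSL); the PEM content it runs on is constructed placeholder base64, not real key material.

```python
import base64
import re
from dataclasses import dataclass, field

# One PEM block: "-----BEGIN <LABEL>-----", optional RFC 1421 headers, base64, "-----END <LABEL>-----"
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


@dataclass
class PemBlock:
    label: str
    headers: dict = field(default_factory=dict)   # e.g. {"Proc-Type": "4,ENCRYPTED", "DEK-Info": ...}
    encrypted: bool = False
    payload_ok: bool = False                      # base64 body decodes cleanly


def parse_pem(text):
    """Split a PEM file into its blocks without interpreting the DER inside."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label = m.group("label")
        lines = m.group("body").strip().splitlines()
        headers = {}
        # Legacy OpenSSL encrypted keys put "Proc-Type: 4,ENCRYPTED" and "DEK-Info: <cipher>,<iv>"
        # before a blank line; base64 never contains ':' so this loop stops at the payload.
        while lines and ":" in lines[0]:
            key, value = lines.pop(0).split(":", 1)
            headers[key.strip()] = value.strip()
        if lines and lines[0].strip() == "":
            lines.pop(0)
        encrypted = (headers.get("Proc-Type", "").upper().endswith("ENCRYPTED")
                     or label == "ENCRYPTED PRIVATE KEY")   # PKCS#8 marks encryption in the label
        try:
            base64.b64decode("".join(line.strip() for line in lines), validate=True)
            payload_ok = True
        except ValueError:            # binascii.Error is a ValueError
            payload_ok = False
        blocks.append(PemBlock(label, headers, encrypted, payload_ok))
    return blocks


def check_eap_tls_files(certificate_file_text, private_key_file_text, password_configured):
    """Compare the eap.conf tls settings with what the files actually contain.
    Returns a list of findings; an empty list means the layout is consistent."""
    findings = []
    certs = [b for b in parse_pem(certificate_file_text) if b.label.endswith("CERTIFICATE")]
    keys = [b for b in parse_pem(private_key_file_text) if b.label.endswith("PRIVATE KEY")]
    if not certs:
        findings.append("certificate_file: no CERTIFICATE block found")
    if not keys:
        findings.append("private_key_file: no PRIVATE KEY block found")
    for blk in certs + keys:
        if not blk.payload_ok:
            findings.append(f"{blk.label}: body is not valid base64 (truncated or corrupted)")
    for blk in keys:
        if blk.encrypted and not password_configured:
            findings.append(f"{blk.label}: encrypted, but no private_key_password is configured")
        if not blk.encrypted and password_configured:
            findings.append(f"{blk.label}: not encrypted, so private_key_password is ignored")
    return findings


def placeholder_b64(marker):
    # Constructed payload: base64 of a marker string, NOT real DER or key material.
    return base64.b64encode(marker.encode()).decode()


# Constructed sample mirroring the thread's layout: one file holding the server certificate and
# an encrypted legacy RSA key, so certificate_file and private_key_file can name the same path.
SAMPLE_CERT_AND_KEY = (
    "-----BEGIN CERTIFICATE-----\n"
    + placeholder_b64("constructed: server certificate") + "\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n"
    "\n"
    + placeholder_b64("constructed: encrypted private key") + "\n"
    "-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for blk in parse_pem(SAMPLE_CERT_AND_KEY):
        print(blk.label, "encrypted" if blk.encrypted else "plain", blk.headers)
    print(check_eap_tls_files(SAMPLE_CERT_AND_KEY, SAMPLE_CERT_AND_KEY, password_configured=True))
    print(check_eap_tls_files(SAMPLE_CERT_AND_KEY, SAMPLE_CERT_AND_KEY, password_configured=False))
```

Run against the real files, an empty findings list means the block layout matches the configuration and the remaining suspect is the passphrase value itself; a "not encrypted" or "no private_key_password" finding points at the eap.conf setting rather than the file.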
Re: 12077 error???
I built the deb files from the source.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of King, Michael
Sent: Thursday, 15 September 2005 16:50
To: FreeRadius users mailing list
Subject: RE: 12077 error???

> -Original Message-
> From: [EMAIL PROTECTED] Behalf Of Armin Krämer
>
> Hi, I set up FreeRADIUS with EAP-TLS, and after I generated my certificates with TinyCA and configured them in the eap.conf file I get this error message... Does anyone know what causes this error?
>
> Thanks Armin
>
> debian:~# freeradius -X -A

Did you install FreeRadius via Apt (aptitude) or compile from source?
Re: Windows Client Authentication before Domain logon
Thanks for the answer, Alan, but what do you mean by "it should be made more prominent in eap.conf"? Could you give me detailed instructions on how I can get this OID into my certificates?

Armin

FreeRadius users mailing list freeradius-users@lists.freeradius.org wrote on 25.08.05 17:35:11:
> Ben Walding [EMAIL PROTECTED] wrote:
> > And then I stumbled on this
> > http://lists.cistron.nl/pipermail/freeradius-users/2004-July/034141.html
> > 1.3.6.1.4.1.311.17.2
> > After I started adding that OID to my machine certs, everything started working wonderfully.
>
> That OID is added by the cert creation script in the "scripts" directory, but it should be made more prominent in eap.conf, too.
>
> Alan DeKok.
Re: Windows Client Authentication before Domain logon
Hi, I found this thread yesterday and tried adding this OID, but it had no effect... OK, maybe I did something wrong. Could you describe how you added this OID to your machine certificate? Today I built completely new root, server and client certificates following the article at www.linuxjournal.com/article/8095. I will post my users file here. My newly generated client certificates use client10 as the client name.

Greetings
Armin

#
# Please read the documentation file ../doc/processing_users_file,
# or 'man 5 users' (after installing the server) for more information.
#
# This file contains authentication security and configuration
# information for each user. Accounting requests are NOT processed
# through this file. Instead, see 'acct_users', in this directory.
#
# The first field is the user's name and can be up to
# 253 characters in length. This is followed (on the same line) with
# the list of authentication requirements for that user. This can
# include password, comm server name, comm server port number, protocol
# type (perhaps set by the "hints" file), and huntgroup name (set by
# the "huntgroups" file).
#
# If you are not sure why a particular reply is being sent by the
# server, then run the server in debugging mode (radiusd -X), and
# you will see which entries in this file are matched.
#
# When an authentication request is received from the comm server,
# these values are tested. Only the first match is used unless the
# "Fall-Through" variable is set to "Yes".
#
# A special user named "DEFAULT" matches on all usernames.
# You can have several DEFAULT entries. All entries are processed
# in the order they appear in this file. The first entry that
# matches the login-request will stop processing unless you use
# the Fall-Through variable.
#
# If you use the database support to turn this file into a .db or .dbm
# file, the DEFAULT entries _have_ to be at the end of this file and
# you can't have multiple entries for one username.
#
# You don't need to specify a password if you set Auth-Type += System
# on the list of authentication requirements. The RADIUS server
# will then check the system password file.
#
# Indented (with the tab character) lines following the first
# line indicate the configuration values to be passed back to
# the comm server to allow the initiation of a user session.
# This can include things like the PPP configuration values
# or the host to log the user onto.
#
# You can include another `users' file with `$INCLUDE users.other'
#
#
# For a list of RADIUS attributes, and links to their definitions,
# see:
#
# http://www.freeradius.org/rfc/attributes.html
#
#
# Deny access for a specific user. Note that this entry MUST
# be before any other 'Auth-Type' attribute which results in the user
# being authenticated.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#lameuser	Auth-Type := Reject
#		Reply-Message = "Your account has been disabled."

#
# Deny access for a group of users.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#DEFAULT	Group == "disabled", Auth-Type := Reject
#		Reply-Message = "Your account has been disabled."
#

#
# This is a complete entry for "steve". Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used, and the user will NOT
# get any attributes in addition to the ones listed here.
#
#steve	Auth-Type := Local, User-Password == "testing"
#	Service-Type = Framed-User,
#	Framed-Protocol = PPP,
#	Framed-IP-Address = 172.16.3.33,
#	Framed-IP-Netmask = 255.255.255.0,
#	Framed-Routing = Broadcast-Listen,
#	Framed-Filter-Id = "std.ppp",
#	Framed-MTU = 1500,
#	Framed-Compression = Van-Jacobsen-TCP-IP

#test	Auth-Type := Local, User-Password == "testing"
#	Service-Type = Framed-User,
#	Framed-Protocol = PPP,
#	Framed-IP-Address = 172.16.3.33,
#	Framed-IP-Netmask = 255.255.255.0,
#	Framed-Routing = Broadcast-Listen,
#	Framed-Filter-Id = "std.ppp",
#	Framed-MTU = 1500,
#	Framed-Compression = Van-Jacobsen-TCP-IP

#DEFAULT	Auth-Type := EAP-TLS #Local, User-Password == "whatever"
#	Reply-Message = "Default Client",
#	Tunnel-Medium-Type = 6,
#	Tunnel-Private-Group-Id = 1,
#	Tunnel-Type = 13

Client1	Auth-Type := EAP-TLS #Local, User-Password == "whatever"
	Reply-Message = "Hello,%u Willkommen im Netzwerk der Firma Metaldyne",
	Tunnel-Medium-Type = 6,
	Tunnel-Private-Group-Id = 1,
	Tunnel-Type = 13

host/Client10	Auth-Type := EAP-TLS #Local, User-Password == "whatever"
	Reply-Message = "Client10",
	Tunnel-Medium-Type = 6,
	Tunnel-Private-Group-Id = 1,
	Tunnel-Type = 13

Workstation3	Auth-Type := EAP-TLS #Local, User-Password == "whatever"
	Reply-Message = "client3",
	Tunnel-Medium-Type = 6,
	Tunnel-Private-Group-Id = 1,
	Tunnel-Type = 13

#
# This is an entry for a user with a space in their name.
# Note the double quotes surrounding the name.
#
#"John Doe"	Auth-Type := Local, User-Password ==
Re: Windows Client Authentication before Domain logon
OK, the whole day I tried to get it to work, but this time, when I install the certificate as a machine certificate, the RADIUS authentication log ends up with the log below. The certificates were generated with OpenSSL, and everything works fine with user certificates but not with a computer certificate. I set the registry patch that was described on the mailing list to a value of 2. If anyone knows why this doesn't work, please mail me.

rad_recv: Access-Request packet from host 10.40.0.254:1024, id=125, length=120
        NAS-IP-Address = 10.40.0.254
        NAS-Port-Type = Ethernet
        Service-Type = Framed-User
        Message-Authenticator = 0x75b32a36b118137416c352ac114ec00c
        NAS-Port = 8
        Framed-MTU = 1490
        User-Name = "host/Client5"
        Calling-Station-Id = "00-10-5A-F7-F0-BA"
        EAP-Message = 0x02ff001101686f73742f436c69656e7435
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "host/Client5", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 255 length 17
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched entry DEFAULT at line 181
    users: Matched entry DEFAULT at line 200
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 125 to 10.40.0.254:1024
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x01060d20
        Message-Authenticator = 0x
        State = 0x3409168c713d79e19e09bf2f2ab092c9
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 125 with timestamp 430c8459
Nothing to do. Sleeping until we see a request.

FreeRadius users mailing list freeradius-users@lists.freeradius.org wrote on 24.08.05 09:52:57:
> At 12:49 23/08/05, you wrote:
> > Hi, thanks for your email! OK, I tried it out, but I have some problems. If I use the DWORD string you sent me, it has no effect. I found another DWORD key called "AuthMode", and with this DWORD it only tries to authenticate with the machine account. Maybe you made a typing mistake in your email??
>
> Whoops - you are right, it was a typing mistake, it is AuthMode.
>
> > OK, but my problem is that when it tries to authenticate with the computer account, I see in the RADIUS debugging mode that it only tried to use the default entry in the users file and not the "Client3" entry. It seems that it does not find the right computer certificate, or FreeRADIUS does not find the right entry in its users file???
>
> I am new to freeRADIUS myself; in order to get my system working I followed the instructions in these web pages, http://www.linuxjournal.com/article/8017, http://www.linuxjournal.com/article/8095, http://www.linuxjournal.com/article/8151.
>
> It does look like a certificates problem, but then I am very new to FreeRADIUS and I spent a considerable amount of time adjusting settings to make it work.
>
> > This is the output from Freeradius -X -A when the DWORD "AuthMode" is set to 2
> > Starting - reading configuration files ...
> > reread_config: reading radiusd.conf
> > Config: including file: /etc/freeradius/proxy.conf
> > Config: including file: /etc/freeradius/clients.conf
> > Config: including file: /etc/freeradius/snmp.conf
> > Config: including file: /etc/freeradius/eap.conf
> > Config: including file: /etc/freeradius/sql.conf
> > main: prefix = "/usr"
> > main: localstatedir = "/var"
> > main: logdir = "/var/log/freeradius"
> > main: libdir = "/usr/lib/freeradius"
> > main: radacctdir = "/var/log/freeradius/radacct"
> > main: hostname_lookups = no
> > main: max_request_time = 30
> > main: cleanup_delay = 5
> > main: max_requests = 1024
> > main: delete_blocked_requests = 0
> > main: port = 0
> > main: allow_core_dumps = no
> > main: log_stripped_names = no
> > main: log_file = "/var/log/freeradius/radius.log"
> > main: log_auth = no
> > main: log_auth_badpass = no
> > main: log_auth_goodpass = no
> > main: pidfile = "/var/run/freeradius/freeradius.pid"
> > main: user = "freerad"
> > main: group = "freerad"
> > main: usercollide = no
> > main: lower_user = "no"
> > main: lower_pass = "no"
> > main: nospace_user = "no"
> > main: nospace_pass = "no"
> > main: checkrad = "/usr/sbin/checkrad"
> > main:
Re: Windows Client Authentication before Domain logon
Hi, thanks for your email! OK, I tried it out, but I have some problems. If I use the DWORD string you sent me, it has no effect. I found another DWORD key called "AuthMode", and with this DWORD it only tries to authenticate with the machine account. Maybe you made a typing mistake in your email??

OK, but my problem is that when it tries to authenticate with the computer account, I see in the RADIUS debugging mode that it only tried to use the default entry in the users file and not the "Client3" entry. It seems that it does not find the right computer certificate, or FreeRADIUS does not find the right entry in its users file???

This is the output from Freeradius -X -A when the DWORD "AuthMode" is set to 2:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/freeradius/proxy.conf
Config: including file: /etc/freeradius/clients.conf
Config: including file: /etc/freeradius/snmp.conf
Config: including file: /etc/freeradius/eap.conf
Config: including file: /etc/freeradius/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/freeradius"
 main: libdir = "/usr/lib/freeradius"
 main: radacctdir = "/var/log/freeradius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/freeradius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/freeradius/freeradius.pid"
 main: user = "freerad"
 main: group = "freerad"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "/etc/shadow"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/freeradius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/ssl/certs/8021x-server.pem"
 tls: certificate_file = "/etc/ssl/certs/8021x-server.pem"
 tls: CA_file = "/etc/ssl/certs/root.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/etc/ssl/certs/dh"
 tls: random_file = "/etc/ssl/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/freeradius/huntgroups"
 preprocess: hints = "/etc/freeradius/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc/freeradius/users"
 files: acctusersfile = "/etc/freeradius/acct_users"
 files: preproxy_usersfile =
Re: Windows Client Authentication before Domain logon
Okay, thanks for the answer. If anyone knows client software which is free or cheap and supports this, please mail me. I need it for ~300 clients.

Greetings
Armin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Alan DeKok
Sent: Monday, 22 August 2005 18:17
To: FreeRadius users mailing list
Subject: Re: Windows Client Authentication before Domain logon

Krämer Armin [EMAIL PROTECTED] wrote:
> Hi, I successfully installed a RADIUS-authenticated network with EAP-TLS authentication. But I can't log on to my domain controller when the machines boot up.. OK, I know this problem is not new, but is there any chance to solve this problem without additional software like AEGIS??

  No.

> Or is there other software for Windows XP and/or 2000 which is free from license? And is it possible to set a default VLAN group where the domain controller exists, which all clients first get into and later change the VLAN ID??? Would this be possible and how would it work?

  With other client software, and machine certificates (rather than machine accounts in AD) it may be possible.

  Alan DeKok.
More than one dynamic VLAN.
Hi, I set up an EAP-TLS based RADIUS server and want to realize port-based dynamic VLANs with a Nortel BayStack 470 48T switch. Is there any possibility to give more than one VLAN ID dynamically to the switch? With one VLAN it works fine, but how can I give a second or third VLAN ID to the same port?

Greetings
Armin
Freeradius VLANID Question
Hi, at the moment I'm planning to build a network based on 20 VLANs over 8 Nortel switches. Depending on the given layout of the network, I need to add some PCs to more than one port-based VLAN. Is it possible to give the VLAN ID via the RADIUS server, and is it possible to send more than one VLAN ID for one client to the switch? Does this work?

Armin
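The users file posted earlier in this archive returns Tunnel-Type = 13, Tunnel-Medium-Type = 6 and Tunnel-Private-Group-Id for each client, which is the RFC 2868 way of telling an 802.1X switch which VLAN to put the authenticated port in, and the two VLAN questions above ask whether more than one such assignment can travel in one reply. As an added example, not code from these posts, from FreeRADIUS or from Nortel, the Python below encodes those three attributes into RADIUS attribute bytes and decodes a run of attributes back. It also shows the mechanism RFC 2868 provides for carrying several sets in a single Access-Accept: each set is labelled with a tag byte (0x01 to 0x1F; 0x00 means untagged, which is what the untagged entries in the users file produce), so the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id carrying tag 1 belong together, those with tag 2 form a second set, and so on. Whether a given switch acts on more than the first set is vendor behaviour that the thread does not answer and this code cannot tell you; the decoder simply reports every complete VLAN set it finds. The attribute numbers (64, 65, 81) and the rule that a first Tunnel-Private-Group-Id byte above 0x1F is part of the string rather than a tag come from RFC 2868; the Reply-Message bytes in the sample are constructed.

```python
import struct

# Attribute numbers from RFC 2868
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type value "IEEE-802"

REPLY_MESSAGE = 18             # a non-tunnel attribute the decoder has to step over


def _check_tag(tag):
    if not 0 <= tag <= 0x1F:
        raise ValueError("RFC 2868 tags are 0x01..0x1F; 0x00 means untagged")


def encode_tunnel_integer(attr_type, tag, value):
    """Tagged integer attribute: Type(1) Length(1) Tag(1) Value(3), big-endian."""
    _check_tag(tag)
    if not 0 <= value < 1 << 24:
        raise ValueError("tagged integer values are 24-bit")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tunnel_string(attr_type, tag, text):
    """Tagged string attribute: Type(1) Length(1) Tag(1) String."""
    _check_tag(tag)
    data = text.encode("ascii")
    if len(data) > 252:
        raise ValueError("string does not fit in one attribute")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def encode_vlan(vlan_id, tag=0):
    """One VLAN assignment: the three attributes the users file sets, all with the same tag.
    tag=0 is what an untagged 'Tunnel-Type = 13' entry produces; tags 1.. group several sets."""
    return (encode_tunnel_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tunnel_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + encode_tunnel_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def encode_vlan_sets(vlan_ids):
    """Several VLAN assignments in one reply, one tag per VLAN starting at 1."""
    return b"".join(encode_vlan(vlan, tag) for tag, vlan in enumerate(vlan_ids, start=1))


def decode_tunnel_attributes(data):
    """Walk RADIUS attributes (Type, Length, Value ...) and return {tag: {...}} for tunnel ones.
    Unknown attribute types are skipped; malformed lengths raise ValueError."""
    groups = {}
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        value = data[pos + 2:pos + length]
        pos += length
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError(f"attribute {attr_type} must be tag + 3 value bytes")
            key = "type" if attr_type == TUNNEL_TYPE else "medium"
            groups.setdefault(value[0], {})[key] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868 section 3.6: a first byte greater than 0x1F is part of the string, not a tag
            if value and value[0] <= 0x1F:
                tag, text = value[0], value[1:]
            else:
                tag, text = 0, value
            groups.setdefault(tag, {})["group"] = text.decode("ascii", errors="replace")
    return groups


def vlan_assignments(data):
    """Tunnel-Private-Group-Id strings of every complete VLAN/IEEE-802 set, in tag order."""
    return [g["group"] for _, g in sorted(decode_tunnel_attributes(data).items())
            if g.get("type") == TUNNEL_TYPE_VLAN
            and g.get("medium") == TUNNEL_MEDIUM_IEEE_802
            and "group" in g]


if __name__ == "__main__":
    # Constructed reply resembling the host/Client10 entry: a Reply-Message plus one untagged VLAN set
    reply = struct.pack("!BB", REPLY_MESSAGE, 10) + b"Client10" + encode_vlan(1)
    print(reply.hex())
    print(decode_tunnel_attributes(reply))
    print(vlan_assignments(encode_vlan_sets([10, 20, 30])))
```

When reading a packet capture from the switch side, an Access-Accept whose tunnel attributes all carry tag 0 is the single-VLAN case from the users file; distinct tags are what to look for when testing whether the switch honours a second set.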