[OT (possibly)] problem with WinXP SP3 connecting, reconnecting

2009-04-22 Thread Craig White
It's possible that this is my laptop that is causing this and not the
Wireless AP or FreeRadius but I thought I would ask because my laptop
doesn't do this on WPA-PSK on my home setup.

Using Windows supplicant, clearly connects using PEAP and am given an IP
address via LAN DHCP server.

If I try to ping LAN devices, I get dropouts, perhaps as high as 100%
but usually get at least 1 out of four, sometimes 3 out of 4 pings
returned and frequently, the status tray indicates reconnecting. I tried
shutting off fast reconnect but it seems to not matter either way.

I presume that this is somehow a problem between my Linksys Wireless AP
and my laptop wireless (Atheros) and nothing at all to do with
FreeRadius but I'm wondering if others have experienced this issue and
might suggest something that I could try to remedy the problem.

Craig


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


eap issues

2009-04-13 Thread Craig White
Trying both TLS and TTLS on Macintosh OS X 10.5.5

certificates seem to be fine on both Windows and Macintosh using the
ca.der and caclient.p12 (using Ivan's newer script for generating) for
TLS

Below is radiusd -X log with one failed attempt and it just seems as if
the eap challenges go out but responses never come back.

LDAP authorizes and authenticates my VPN connections fine, it's just
802.1x that is my problem.

Any bone tossed here would be appreciated

Craig

FreeRADIUS Version 2.1.1, for host i686-redhat-linux-gnu, built on Dec 9 2008 at 20:42:36
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/mschap-dist
including configuration file /etc/raddb/modules/preprocess-dist
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/realm-dist
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/inner-eap-dist
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/default
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/radius
libdir = /usr/lib/freeradius
radacctdir = /var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = /var/run/radiusd/radiusd.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = $OBSCURED
nastype = other
 }
 client 192.168.100.9/32 {
require_message_authenticator = no
secret = $OBSCURED
shortname = RRAS
 }
 client 192.168.10.251/32 {
require_message_authenticator = no
secret = $OBSCURED
shortname = WAP-2
 }
 client 192.168.10.250/32 {
require_message_authenticator = no
secret = $OBSCURED

RE: eap issues

2009-04-13 Thread Craig White
On Mon, 2009-04-13 at 22:20 +0100, Ivan Kalik wrote:
  using the ca.der and caclient.p12 (using Ivan's newer script for
 generating) for TLS
 
 That was for 2.0.5. 2.1.x has updated Makefile by default.

it didn't have the various caclient generation stuff
-
 Below is radiusd -X log with one failed attempt and it just seems as if the
 eap challenges go out but responses never come back.
 
 [ldap] checking if remote access for spare is allowed by uid
 [ldap] Added User-Password = {crypt}$OBSCURED in check items
 [ldap] looking for check items in directory...
 rlm_ldap: sambaNtPassword - NT-Password == 0x$OBSCURED
 rlm_ldap: sambaLmPassword - LM-Password == 0x$OBSCURED
 ...
 [eap] processing type md5
 rlm_eap_md5: Issuing Challenge
 ...
 
 No wonder. You are using crypt and nt hashed passwords for EAP-MD5. That
 can't work.
 
 http://deployingradius.com/documents/protocols/compatibility.html

OK that sort of makes sense to me.

So I have two sections in eap.conf, ttls and peap which both ask for
'default_eap_type = *' and I have set them both to mschapv2

and in the eap section at the top, I changed default_eap_type to tls

Does this make sense?

Craig



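Ivan's point generalises: each EAP method can only authenticate against certain stored credential forms. As an added example (not code from FreeRADIUS or from anyone in this thread), here is a small Python checker that reads `radiusd -X` lines like the ones quoted above, notes what rlm_ldap handed over (a {crypt} User-Password, NT and LM hashes) and which EAP type rlm_eap then ran, and says whether that pairing can work. The compatibility table it uses is the one from the deployingradius.com page Ivan linked (MD5 and CHAP need the cleartext password, MS-CHAPv2 also accepts an NT hash, PAP can compare against any form it recognises, TLS needs no password); the sample log lines are constructed from the quoted output with the hash values still obscured.

```python
"""Check the stored-credential form FreeRADIUS found for a user against the
EAP method it is about to run, using lines from `radiusd -X` output.

Added example for this thread, not FreeRADIUS code. Sample log lines are
constructed from the debug output quoted in the thread."""
import re

# Credential forms each method can authenticate against
# (compatibility table from deployingradius.com).
REQUIREMENTS = {
    "md5": {"cleartext"},
    "chap": {"cleartext"},
    "mschapv2": {"cleartext", "nt"},
    "pap": {"cleartext", "crypt", "nt", "lm", "digest"},
    "tls": set(),            # certificate-based, no password needed
}
TUNNELS = {"ttls", "peap"}   # the inner method decides, not the tunnel

# FreeRADIUS 2.x debug wording from rlm_ldap and rlm_eap.
ADDED_USER_PASSWORD = re.compile(r"Added User-Password = (\S+)")
CLEARTEXT_PASSWORD = re.compile(r"\bCleartext-Password\s*:?=")
NT_HASH = re.compile(r"\bNT-Password\s*==")
LM_HASH = re.compile(r"\bLM-Password\s*==")
EAP_TYPE = re.compile(r"\[eap\] processing type (\w+)")


def classify_user_password(value):
    """Map an LDAP userPassword value, as rlm_ldap adds it to User-Password,
    to the credential form rlm_pap will treat it as."""
    if not value.startswith("{") or "}" not in value:
        return "cleartext"   # no scheme prefix: the directory gave up the plain password
    scheme = value[: value.index("}") + 1].lower()
    if scheme == "{crypt}":
        return "crypt"
    if scheme in ("{sha}", "{ssha}", "{md5}", "{smd5}"):
        return "digest"      # one-way digests: PAP can compare, EAP methods cannot
    return "unknown"


def password_forms(lines):
    """Return the set of credential forms the modules reported finding."""
    forms = set()
    for line in lines:
        m = ADDED_USER_PASSWORD.search(line)
        if m:
            forms.add(classify_user_password(m.group(1)))
        if CLEARTEXT_PASSWORD.search(line):
            forms.add("cleartext")
        if NT_HASH.search(line):
            forms.add("nt")
        if LM_HASH.search(line):
            forms.add("lm")
    return forms


def check(lines):
    """Return {eap_type: verdict}: True (can work), False (cannot work),
    None (tunnel or unknown type)."""
    forms = password_forms(lines)
    verdicts = {}
    for method in EAP_TYPE.findall("\n".join(lines)):
        needs = REQUIREMENTS.get(method)
        if method in TUNNELS or needs is None:
            verdicts[method] = None
        else:
            verdicts[method] = (not needs) or bool(forms & needs)
    return verdicts


def explain(lines):
    """One line per EAP type seen, in the spirit of Ivan's diagnosis."""
    forms = sorted(password_forms(lines)) or ["none"]
    out = []
    for method, ok in check(lines).items():
        if ok is None:
            out.append(f"{method}: tunnel/unknown, look at the inner method")
        elif ok:
            out.append(f"{method}: workable with stored forms {forms}")
        else:
            wants = sorted(REQUIREMENTS[method])
            out.append(f"{method}: cannot work, needs one of {wants} but found {forms}")
    return out


# Constructed sample: the failing exchange quoted in the thread (hashes obscured).
FAILED_MD5_LOG = [
    "[ldap] Added User-Password = {crypt}$OBSCURED in check items",
    "rlm_ldap: sambaNtPassword - NT-Password == 0x$OBSCURED",
    "rlm_ldap: sambaLmPassword - LM-Password == 0x$OBSCURED",
    "[eap] processing type md5",
    "rlm_eap_md5: Issuing Challenge",
]

# Constructed sample: same directory entry, but PEAP with inner MS-CHAPv2,
# which is what setting default_eap_type = mschapv2 inside peap gives you.
PEAP_MSCHAPV2_LOG = FAILED_MD5_LOG[:3] + [
    "[eap] processing type peap",
    "[eap] processing type mschapv2",
]

if __name__ == "__main__":
    for line in explain(FAILED_MD5_LOG) + explain(PEAP_MSCHAPV2_LOG):
        print(line)
```

Run against the quoted log it reports that md5 cannot work with crypt/NT/LM material; against the PEAP variant it reports that the inner mschapv2 is workable because the NT hash is there, which is why moving the inner default to mschapv2 is the right change.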


RE: eap issues

2009-04-13 Thread Craig White
On Mon, 2009-04-13 at 22:20 +0100, Ivan Kalik wrote:
  using the ca.der and caclient.p12 (using Ivan's newer script for
 generating) for TLS
 
 That was for 2.0.5. 2.1.x has updated Makefile by default.
 
 Below is radiusd -X log with one failed attempt and it just seems as if the
 eap challenges go out but responses never come back.
 
 [ldap] checking if remote access for spare is allowed by uid
 [ldap] Added User-Password = {crypt}$OBSCURED in check items
 [ldap] looking for check items in directory...
 rlm_ldap: sambaNtPassword - NT-Password == 0x$OBSCURED
 rlm_ldap: sambaLmPassword - LM-Password == 0x$OBSCURED
 ...
 [eap] processing type md5
 rlm_eap_md5: Issuing Challenge
 ...
 
 No wonder. You are using crypt and nt hashed passwords for EAP-MD5. That
 can't work.
 
 http://deployingradius.com/documents/protocols/compatibility.html

I'm working...at least on Macintosh. I'll drag in my Windows laptop
tomorrow to see if I can make either the standard WinXP SP3 supplicant
work now and I've also got the S2ecure TTLS software.

Thanks, that was a helpful clue.

Craig




Re: [ Re: eap-ttls failing]

2009-01-28 Thread Craig White
On Wed, 2009-01-28 at 09:27 +0100, Alan DeKok wrote:
 Craig White wrote:
  I was complaining about it a few weeks ago (all my systems have been
  upgraded to SP3) and I was made to feel that it was just me.
 
   The first reporter of an issue often gets told it works for everyone
 else...
 
   If this is a wide-spread problem with XP SP3, then we'll have to
 investigate ways to fix it, or to document it.

I understand and that's sort of why I'm monitoring because I am not
convinced that it isn't me but I'm sort of thinking that it's something
in SP3.

Craig



Re: [ Re: eap-ttls failing]

2009-01-27 Thread Craig White
On Tue, 2009-01-27 at 21:08 -0500, Josh Hiner wrote:
 On Tue, 2009-01-27 at 23:05 +0100, t...@kalik.net wrote:
  Yes the cert is there, does report the correct oid etc.. etc.. Attached
  is the client certificate I am using. I even went into the configuration
  and made it so XP asks me to select my certificate manually. I select
  the certificate manually and it still gives the same error as above
  (Error in RegOpenKeyEx for base key, 2) etc.. Maybe there is still a
  problem with the certificate but it all looks fine to me. Can you peek
  at the cert for me? This is happening on all machines so there must be a
  problem with it? When I install the cert it asks me for the cert
  password which I type in (I use the password I put in the client.cnf
  file). There should be an input and output password in client.cnf
  correct? I'm at a loss.
  
  
  It is most likely a deliberate undermining of self-signed certificates.
  It looks very much like this bug reported for machine certificates (user
  certificates weren't affected at the time).
  
  http://social.technet.microsoft.com/Forums/en-US/itproxpsp/thread/ceaf827d-3cff-4a5f-a8e0-d32ac2bf9ea9/
  
  Ivan Kalik
  Kalik Informatika ISP
 Ug! For such a problem, I am not seeing anything come across the mailing
 list. I would think that what I am doing is fairly popular? Why are more
 people not complaining? This is too bad and if true, very poor.

I was complaining about it a few weeks ago (all my systems have been
upgraded to SP3) and I was made to feel that it was just me.

Craig



Re: Radius server log not response

2009-01-20 Thread Craig White
On Wed, 2009-01-21 at 13:58 +0900, saman saman wrote:
 radiusd:  Opening IP addresses and Ports 
 listen {
 type = auth
 ipaddr = 192.168.0.10
 port = 1812
 }
 Listening on authentication address 192.168.0.10 port 1812
 Listening on proxy address 192.168.0.10 port 1814
 Ready to process requests.
 
 
 ]# radtest John hello localhost 0 testing123-1
 User-Name = John
 User-Password = hello
 NAS-IP-Address = 192.168.1.5
 NAS-Port = 0
 User-Name = John
 User-Password = hello
 NAS-IP-Address = 192.168.1.5
 NAS-Port = 0
 User-Name = John
 User-Password = hello
 NAS-IP-Address = 192.168.1.5
 NAS-Port = 0
 User-Name = John
 User-Password = hello
 NAS-IP-Address = 192.168.1.5
 NAS-Port = 0
 User-Name = John
 User-Password = hello
 NAS-IP-Address = 192.168.1.5
 NAS-Port = 0
 User-Name = John
 User-Password = hello
 NAS-IP-Address = 192.168.1.5
 NAS-Port = 0
 User-Name = John
 User-Password = hello
 NAS-IP-Address = 192.168.1.5
 NAS-Port = 0
 User-Name = John
 User-Password = hello
 NAS-IP-Address = 192.168.1.5
 NAS-Port = 0
 User-Name = John
 User-Password = hello
 NAS-IP-Address = 192.168.1.5
 NAS-Port = 0
 User-Name = John
 User-Password = hello
 NAS-IP-Address = 192.168.1.5
 NAS-Port = 0
 radclient: no response from server for ID 121 socket 3

because it's only listening on 192.168.0.10 but you are trying to
connect to localhost (and I assume that localhost means 127.0.0.1)

try radtest John hello 192.168.0.10 0 testing123-1

or set up clients.conf with a setup for localhost

Craig

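What radtest actually sends, and why a server that listens only on 192.168.0.10 never answers a request aimed at localhost, is easier to see on the wire. This is an added example, not radclient or FreeRADIUS source: a Python implementation of the RFC 2865 Access-Request carrying the four attributes shown above (User-Name, User-Password, NAS-IP-Address, NAS-Port), including the MD5-based User-Password hiding, a decoder for the server's side, and a one-shot sender that returns None on timeout, which is the same condition radclient reports as "no response from server". Username, password, NAS address and the secret testing123-1 are taken from the quoted command; the destination 127.0.0.1 in the demo is a placeholder for the localhost case.

```python
"""Build, decode and optionally send the RADIUS Access-Request that
`radtest John hello <server> 0 testing123-1` puts on the wire (RFC 2865).

Added example for this thread, not radclient or FreeRADIUS code."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST = 1
# Attribute types for the four attributes in the quoted radtest output.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def encrypt_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, then
    c_i = p_i XOR MD5(secret + c_(i-1)), with c_0 = Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    padded = padded or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        out += block
        prev = block
    return out


def decrypt_password(ciphertext, secret, authenticator):
    """Inverse of encrypt_password: what the server does before checking."""
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        digest = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ d for c, d in zip(ciphertext[i:i + 16], digest))
        prev = ciphertext[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(kind, value):
    """Type / Length / Value, length covering the two header bytes."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(username, password, secret, nas_ip, nas_port, ident,
                         authenticator=None):
    """Return the datagram radtest sends: header, 16-byte authenticator,
    then the four attributes (no Message-Authenticator, as in the thread)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD,
                         encrypt_password(password.encode(), secret.encode(), authenticator))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attribute(NAS_PORT, struct.pack("!I", nas_port)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet, secret=None):
    """Decode header and attributes; decrypt User-Password when given the secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        kind, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if kind == USER_NAME:
            attrs["User-Name"] = value.decode()
        elif kind == USER_PASSWORD and secret is not None:
            attrs["User-Password"] = decrypt_password(value, secret.encode(), authenticator).decode()
        elif kind == NAS_IP_ADDRESS:
            attrs["NAS-IP-Address"] = socket.inet_ntoa(value)
        elif kind == NAS_PORT:
            attrs["NAS-Port"] = struct.unpack("!I", value)[0]
        else:
            attrs[kind] = value
        pos += alen
    return {"code": code, "id": ident, "attributes": attrs}


def send_access_request(packet, server, port=1812, timeout=3.0):
    """Send once; return the reply, or None when nothing comes back.
    A server bound only to 192.168.0.10 never sees a datagram sent to
    127.0.0.1, so the mismatch shows up as this timeout, not as a Reject."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
            return reply
        except socket.timeout:
            return None


if __name__ == "__main__":
    # Values from the quoted radtest run; 121 is the request ID radclient reported.
    pkt = build_access_request("John", "hello", "testing123-1", "192.168.1.5", 0, ident=121)
    print(parse_packet(pkt, "testing123-1"))
    # Placeholder destination: with the server listening elsewhere this prints None.
    print(send_access_request(pkt, "127.0.0.1"))
```

The server side must also know the sending address as a client (the clients.conf entry Craig mentions) and share the same secret, otherwise the request is silently dropped as well, so a timeout alone does not distinguish "wrong address" from "unknown client"; `radiusd -X` on the server does.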


Re: eap/tls freeradius openssl

2009-01-13 Thread Craig White
On Tue, 2009-01-13 at 11:46 -0500, John Dennis wrote:
 Brian Ertel wrote:
  John,
 
  You are right, but the dir where the old radius was make installed is
  gone.  That is the original folder that was created after unzipping and
  installing the old ver. Of radius is gone.  Is there anything else I can do?

 You can recreate the tree, follow the same steps you did the first time 
 which was probably something like this:
 
 % tar xf freeradius-server.tar
 % cd freeradius-server
 % ./configure #passing the exact same parameters you used the first time
 % make
 
 Now instead of make install run make uninstall
 
 Then you can delete the source tree.
 
 BTW, all this is basic Linux/Unix administration, the freeradius-users 
 list is not an appropriate place to learn these topics.

seems to me that it attempts to load the files he installed from tarball
that are in /usr/local/[bin|sbin] and that is what he needs to clean out
before he ever attempts to use anything installed from rpm

Craig



Re: eap/tls freeradius openssl

2009-01-13 Thread Craig White
On Tue, 2009-01-13 at 13:33 -0500, John Dennis wrote:
 Craig White wrote: 
  On Tue, 2009-01-13 at 11:46 -0500, John Dennis wrote:

   Brian Ertel wrote:
   
    John,
    
    You are right, but the dir where the old radius was make installed is
    gone.  That is the original folder that was created after unzipping and
    installing the old ver. Of radius is gone.  Is there anything else I 
    can do?
  
  
   You can recreate the tree, follow the same steps you did the first time 
   which was probably something like this:
   
   % tar xf freeradius-server.tar
   % cd freeradius-server
   % ./configure #passing the exact same parameters you used the first time
   % make
   
   Now instead of make install run make uninstall
   
   Then you can delete the source tree.
   
   BTW, all this is basic Linux/Unix administration, the freeradius-users 
   list is not an appropriate place to learn these topics.
   
  
  seems to me that it attempts to load the files he installed from tarball
  that are in /usr/local/[bin|sbin] and that is what he needs to clean out
  before he ever attempts to use anything installed from rpm

 Exactly. FWIW the paths are embedded as a consequence of parameters
 passed to configure. When you build from an SRPM the spec file passes
 different parameters to configure than the default configure
 parameters, thus the two installs will not likely conflict, but it's
 possible. Therefore the best course of action, to assure there are no
 conflicts and to reduce the inevitable confusion of having multiple
 copies installed in various locations is to remove the first
 installation and then do an RPM install.
 
 An install copies many files into a variety of locations, the only way
 to assure you've removed all the files to use the same code to
 uninstall as was used to perform the install in the first place.
 
 BTW, this is one reason why using the package manager on the target
 system (e.g. rpm, apt, dpkg, etc.) is always preferred because they
 know how to install and uninstall and keep a system consistent. When
 you go behind the back of these package managers by installing things
 manually (e.g. make install) you run the risk of screwing your system
 up unless you have advanced skills and know exactly what you're doing.

and 'make uninstall' often is simply not implemented in tarballs anyway.

Seeing the OP trying to install tarballs and rpm packages seems to be a
lesson in futility and I always opt for rpms if at all possible, just
for the reasons that you mentioned.

I actually rebuilt the F10 rpms before I saw your wiki page and like
about the day before you announced the 2.1.3 package in testing so I'm
sorry I didn't provide any useful feedback to either.

Craig

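The /usr/local leftovers Craig mentions are easy to audit before the rpm goes on. This is an added example, not FreeRADIUS code: a Python check that walks a list of PATH directories and reports any command present in more than one of them, with the copy that wins. `demo_tree()` builds a throwaway layout (a tarball radiusd in usr/local/sbin beside the rpm one in usr/sbin) so the check runs offline; on a live system pass `os.environ["PATH"].split(":")` instead. The binary names are an illustrative set, not a list from the thread.

```python
"""Report commands installed in more than one PATH directory and which copy
wins, the situation in this thread: a tarball `make install` left radiusd
under /usr/local beside the copy the rpm installs.

Added example for this thread, not FreeRADIUS code."""
import os
import tempfile

# Illustrative FreeRADIUS binaries to look for (not an exhaustive list).
RADIUS_BINARIES = ("radiusd", "radtest", "radclient")


def executables_in(directory):
    """Names of executable regular files in one directory (empty if it is missing)."""
    try:
        names = os.listdir(directory)
    except FileNotFoundError:
        return set()
    return {n for n in names
            if os.path.isfile(os.path.join(directory, n))
            and os.access(os.path.join(directory, n), os.X_OK)}


def find_shadowed(path_dirs, names=None):
    """Return {command: [dir, ...]} for every command found in two or more of
    path_dirs, in PATH order, so dirs[0] is the copy the shell will run."""
    seen = {}
    for directory in path_dirs:
        for name in executables_in(directory):
            if names is None or name in names:
                seen.setdefault(name, []).append(directory)
    return {n: dirs for n, dirs in seen.items() if len(dirs) > 1}


def report(path_dirs):
    """Human-readable lines, one per shadowed FreeRADIUS binary."""
    lines = []
    for name, dirs in sorted(find_shadowed(path_dirs, RADIUS_BINARIES).items()):
        lines.append(f"{name}: {dirs[0]} wins; also installed in {', '.join(dirs[1:])}")
    return lines


def demo_tree():
    """Constructed layout under a temp dir: rpm copies in usr/sbin and usr/bin,
    a stale tarball copy in usr/local/sbin, /usr/local first on PATH."""
    root = tempfile.mkdtemp(prefix="radius-path-demo-")
    layout = {
        "usr/local/sbin": ["radiusd"],
        "usr/local/bin": [],
        "usr/sbin": ["radiusd"],
        "usr/bin": ["radtest", "radclient"],
    }
    for rel, files in layout.items():
        directory = os.path.join(root, rel)
        os.makedirs(directory)
        for name in files:
            path = os.path.join(directory, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")   # stand-in for a real binary
            os.chmod(path, 0o755)
    return [os.path.join(root, rel) for rel in layout]


if __name__ == "__main__":
    for line in report(demo_tree()):
        print(line)
```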


RE: eap/tls freeradius openssl

2009-01-13 Thread Craig White
On Tue, 2009-01-13 at 16:38 -0500, Brian Ertel wrote:
 Oh, and should I include the /i386 dir and the i386.rpm suffix like:
 
 rpm -Uhv /usr/src/redhat/RPMS/i386/freeradius-2.1.3-1.i386.rpm 
 /usr/src/redhat/RPMS/i386/freeradius-libs-2.1.3-1.i386.rpm
 

suggestion...make life easy on yourself

cd /usr/src/redhat/RPMS/i386
yum localinstall \
 freeradius-2.1.3-1.i386.rpm \
 freeradius-libs-2.1.3-1.i386.rpm

(yum localinstall will install the local rpm's and download/install any
dependencies not yet installed)

Craig



RE: eap/tls freeradius openssl

2009-01-09 Thread Craig White
http://wiki.freeradius.org/Red_Hat_FAQ

nice wiki

On Fri, 2009-01-09 at 14:21 -0500, Brian Ertel wrote:
 Alan,
 
 I am running CentOS 5.  
 
 Thanks,
 
 Brian
 
 
 -Original Message-
 From: freeradius-users-bounces+bsertel=amherst@lists.freeradius.org on 
 behalf of Alan DeKok
 Sent: Fri 1/9/2009 2:15 PM
 To: FreeRadius users mailing list
 Subject: Re: eap/tls freeradius openssl
  
 Brian Ertel wrote:
  I am ready to get flamed.  I reinstalled the newest ver. of Freeradius
  and did not change anything.  It started up in debug mode.  I am trying
  to put together a system that will do eap/tls.  Wireless client - WAP
  - Radius...  I also just installed the newest version of openssl. 
  Freeradius starts up, but I get the:
  
  Ignoring EAP-Type/tls because we do not have OpenSSL support.
  Ignoring EAP-Type/ttls because we do not have OpenSSL support.
  Ignoring EAP-Type/peap because we do not have OpenSSL support.
 
   You need to install the OpenSSL *development* headers.
 
  output.
  
  I read on another thread about freeradius not being able to find the
  proper Openssl libs.  I do not understand the process of making FR aware
  of OpenSSL and getting FR to not Ignore EAP-Type/tls...
 
   Which OS are you running?  The name of the OpenSSL development package
 is OS dependent.
 
   Alan DeKok.


RE: eap/tls freeradius openssl

2009-01-09 Thread Craig White
No - you download the fedora source rpm and build from spec file and it
compiles using openssl-devel (and other development libraries as
required)

Craig

On Fri, 2009-01-09 at 14:54 -0500, Brian Ertel wrote:
 Hi Craig,
 
 So if I install freeradius as an rpm is there also a freeradius-openssl and 
 freeradius-openssl-dev rpm?
 
 Thanks,
 
 Brian
 
 -Original Message-
 From: freeradius-users-bounces+bsertel=amherst@lists.freeradius.org on 
 behalf of Craig White
 Sent: Fri 1/9/2009 2:41 PM
 To: freeradius-users@lists.freeradius.org
 Subject: RE: eap/tls freeradius openssl
  
 http://wiki.freeradius.org/Red_Hat_FAQ
 
 nice wiki
 
 On Fri, 2009-01-09 at 14:21 -0500, Brian Ertel wrote:
  Alan,
  
  I am running CentOS 5.  
  
  Thanks,
  
  Brian
  
  
  -Original Message-
  From: freeradius-users-bounces+bsertel=amherst@lists.freeradius.org on 
  behalf of Alan DeKok
  Sent: Fri 1/9/2009 2:15 PM
  To: FreeRadius users mailing list
  Subject: Re: eap/tls freeradius openssl
   
  Brian Ertel wrote:
   I am ready to get flamed.  I reinstalled the newest ver. of Freeradius
   and did not change anything.  It started up in debug mode.  I am trying
   to put together a system that will do eap/tls.  Wireless client - WAP
   - Radius...  I also just installed the newest version of openssl. 
   Freeradius starts up, but I get the:
   
   Ignoring EAP-Type/tls because we do not have OpenSSL support.
   Ignoring EAP-Type/ttls because we do not have OpenSSL support.
   Ignoring EAP-Type/peap because we do not have OpenSSL support.
  
    You need to install the OpenSSL *development* headers.
  
   output.
   
   I read on another thread about freeradius not being able to find the
   proper Openssl libs.  I do not understand the process of making FR aware
   of OpenSSL and getting FR to not Ignore EAP-Type/tls...
  
    Which OS are you running?  The name of the OpenSSL development package
   is OS dependent.
   
    Alan DeKok.


ldap question

2008-12-10 Thread Craig White
still a few issues so I upgraded to 2.1.1 and in debug mode (and I have
enabled ldap), I see this...

[ldap] checking if remote access for $SOME_USER is allowed by uid
[ldap] looking for check items in directory...
rlm_ldap: sambaNtPassword - NT-Password == 0x...
rlm_ldap: sambaLmPassword - LM-Password == 0x...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that
the user is configured correctly?
[ldap] user $SOME_USER authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP

should I just disable pap? (I can't think of anything that I need to use
it for) OR...

considering that the LDAP 'userPassword' is essentially the same
password that is contained in sambaNTPassword and sambaLMPassword, do I
just somehow enable
#   password_attribute = userPassword
as it talks about in rlm_ldap doc file?

Craig



client certs

2008-12-10 Thread Craig White
freeradius-2.1.1-2 (rebuild SRPM from Fedora on CentOS 5)

followed instructions in certs/README perfectly - so I believe.

server certs seem fine but generated client cert in Windows shows
Windows does not have enough information to verify and yes, I have
loaded the 'ca.der' file generated by the instructions on the Windows
client and that installs in 'Trusted Root Authorities'. The 'client'
cert seems to install in 'Other People', and does include the
XPextensions stuff.

So I'm trying to verify the client certificate...

# openssl verify -CAfile ca.pem [EMAIL PROTECTED]
[EMAIL PROTECTED]: /C=US/ST=Arizona/O=MyOrg/[EMAIL PROTECTED]/[EMAIL PROTECTED]
error 20 at 0 depth lookup:unable to get local issuer certificate

so I figured I would try to verify it against the server file...
# openssl verify -CAfile server.pem [EMAIL PROTECTED]
[EMAIL PROTECTED]: /C=US/ST=Arizona/O=MyOrg/CN=Radius Server
Certificate/[EMAIL PROTECTED]
error 2 at 1 depth lookup:unable to get issuer certificate

but indeed the server file verifies...

# openssl verify -CAfile ca.pem server.crt
server.crt: OK

# openssl verify -CAfile ca.pem server.pem
server.pem: OK

This would seem pretty simple (the directions make it seem simple)
edited client.cnf
changed input/output password values to the same, simple value
changed the e-mail address and cn to the same value as shown above

What am I doing wrong?

Craig



Re: client certs

2008-12-10 Thread Craig White
On Thu, 2008-12-11 at 01:13 +0100, [EMAIL PROTECTED] wrote:
 freeradius-2.1.1-2 (rebuild SRPM from Fedora on CentOS 5)
 
 followed instructions in certs/README perfectly - so I believe.
 
 server certs seem fine but generated client cert in Windows shows
 Windows does not have enough information to verify and yes, I have
 loaded the 'ca.der' file generated by the instructions on the Windows
 client and that installs in 'Trusted Root Authorities'. The 'client'
 cert seems to install in 'Other People', and does include the
 XPextensions stuff.
 
 So I'm trying to verify the client certificate...
 
 # openssl verify -CAfile ca.pem [EMAIL PROTECTED]
 [EMAIL PROTECTED]: /C=US/ST=Arizona/O=MyOrg/[EMAIL PROTECTED]/[EMAIL PROTECTED]
 error 20 at 0 depth lookup:unable to get local issuer certificate
 
 so I figured I would try to verify it against the server file...
 # openssl verify -CAfile server.pem [EMAIL PROTECTED]
 [EMAIL PROTECTED]: /C=US/ST=Arizona/O=MyOrg/CN=Radius Server
 Certificate/[EMAIL PROTECTED]
 error 2 at 1 depth lookup:unable to get issuer certificate
 
 but indeed the server file verifies...
 
 # openssl verify -CAfile ca.pem server.crt
 server.crt: OK
 
 # openssl verify -CAfile ca.pem server.pem
 server.pem: OK
 
 This would seem pretty simple (the directions make it seem simple)
 edited client.cnf
 changed input/output password values to the same, simple value
 changed the e-mail address and cn to the same value as shown above
 
 What am I doing wrong?
 
 
 Try attached Makefile. It has been altered so client certificates are
 signed by the ca and not server certificate. I was unable to
 persuade up-to-date Windows PCs to accept server certificate as an
 Intermediate CA. Changing the issuer resolved the problem.

OK - question...

I only re-generated the 'client' certificate but in doing a diff, it
appears that every level of cert generation has changed...do I have to
start over?

Windows is still complaining with new client certificate and yes, system
is XP Service Pack 3 so it's pretty much up-to-date

Craig

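The two `openssl verify` failures quoted above differ in a way that points straight at the cause Ivan names. This is an added example, not FreeRADIUS or OpenSSL code: a name-only Python model of OpenSSL's chain building. It reproduces "error 20 at 0 depth" (the leaf's issuer, here the server certificate, is not in the CAfile at all) and "error 2 at 1 depth" (the server certificate was found in the CAfile but its own issuer was not), and shows that a client certificate issued directly by the CA, or the server certificate supplied as an intermediate, both verify. The certificate names are constructed from the subjects quoted above; no signatures or validity dates are checked.

```python
"""Name-only model of how `openssl verify -CAfile` builds a chain and which
error it reports, reproducing the two failures quoted in this thread.

Added example for this thread, not FreeRADIUS or OpenSSL code. Only
subject/issuer names are compared; no signatures or dates are checked."""
from dataclasses import dataclass

# OpenSSL X509_V_ERR_* codes with the text `openssl verify` prints for them.
ERRORS = {
    2: "unable to get issuer certificate",
    18: "self signed certificate",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
}


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self):
        return self.subject == self.issuer


def verify(leaf, trusted, untrusted=()):
    """Return ("OK", depth_of_root) or ("error", code, depth, message).

    As in OpenSSL, the chain is extended first with certificates from the
    untrusted set (intermediates presented alongside the leaf) and then from
    the trusted store (-CAfile); it must end in a self-signed certificate
    that is in the trusted store."""
    untrusted_by_subject = {c.subject: c for c in untrusted}
    trusted_by_subject = {c.subject: c for c in trusted}
    chain = [leaf]
    while not chain[-1].self_signed and chain[-1].issuer in untrusted_by_subject:
        chain.append(untrusted_by_subject[chain[-1].issuer])
    num_untrusted = len(chain)
    while not chain[-1].self_signed and chain[-1].issuer in trusted_by_subject:
        chain.append(trusted_by_subject[chain[-1].issuer])
    top, depth = chain[-1], len(chain) - 1
    if top.self_signed:
        if top.subject in trusted_by_subject:
            return ("OK", depth)
        code = 18 if depth == 0 else 19   # reached a root, but nobody trusts it
    elif len(chain) == num_untrusted:
        code = 20                         # never reached the trusted store at all
    else:
        code = 2                          # a trusted cert's own issuer is missing
    return ("error", code, depth, ERRORS[code])


def openssl_style(result):
    """Format a verify() result the way `openssl verify` prints it."""
    if result[0] == "OK":
        return "OK"
    _, code, depth, message = result
    return f"error {code} at {depth} depth lookup:{message}"


# Constructed certificates mirroring the thread: the CA, the RADIUS server
# certificate it issued, and a client certificate issued two different ways.
CA = Cert("CA", "CA")
SERVER = Cert("Radius Server Certificate", "CA")
CLIENT_SIGNED_BY_SERVER = Cert("client", "Radius Server Certificate")  # original Makefile
CLIENT_SIGNED_BY_CA = Cert("client", "CA")                              # Ivan's altered Makefile

if __name__ == "__main__":
    cases = [
        ("-CAfile ca.pem, client issued by server", verify(CLIENT_SIGNED_BY_SERVER, [CA])),
        ("-CAfile server.pem, client issued by server", verify(CLIENT_SIGNED_BY_SERVER, [SERVER])),
        ("-CAfile ca.pem, server.pem", verify(SERVER, [CA])),
        ("-CAfile ca.pem, client issued by CA", verify(CLIENT_SIGNED_BY_CA, [CA])),
        ("-CAfile ca.pem -untrusted server.pem, client issued by server",
         verify(CLIENT_SIGNED_BY_SERVER, [CA], untrusted=[SERVER])),
    ]
    for label, result in cases:
        print(f"{label}: {openssl_style(result)}")
```

The last case is the chain Windows would have to build on its own if the client certificate stays server-issued: the server certificate acting as an intermediate. Ivan's note that up-to-date Windows PCs would not accept it as one is why re-issuing the client certificate from the CA is the clean fix.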


RE: client certs

2008-12-10 Thread Craig White
On Wed, 2008-12-10 at 19:32 -0500, Jason Wittlin-Cohen wrote:
 server certs seem fine but generated client cert in Windows shows
 Windows does not have enough information to verify and yes, I have
 loaded the 'ca.der' file generated by the instructions on the Windows
 client and that installs in 'Trusted Root Authorities'. The 'client'
 cert seems to install in 'Other People', and does include the
 XPextensions stuff.
 
 Craig
 
 Craig,
 
 You have to install the root certificate and client certificate to the
 correct certificate store. You have two options - the machine store or
 the personal certificate store of your current Windows user. The
 personal certificate store is probably what you want.
 
 Double click the client certificate, select install certificate and
 choose Place the certificate in the following store. Select the
 Personal certificate store. That should solve your problem.

Thanks...I sort of thought so but this has been a frustrating experience
and I'm not that dumb.

Is it normal for this 'client' certificate to show Windows does not
have enough information to verify this certificate when you view it?

I did take the 'ca.der' and that is loaded in 'Trusted Root Authorities'
and seems to be happy there but the client certificate, even newly
generated from the scripts and the new Makefile from Ivan still shows
that warning. It seems possible to me that the certificate provided by
the server should provide the link between the CA certificate and the
client certificate installed on the Windows client and make it happy but
I haven't gotten this to work right - at least consistently.

Craig



Re: client certs

2008-12-10 Thread Craig White
On Thu, 2008-12-11 at 01:49 +0100, [EMAIL PROTECTED] wrote:
 I only re-generated the 'client' certificate but in doing a diff, it
 appears that every level of cert generation has changed...do I have to
 start over?
 
 
 You should. Original Makefile was creating ca certificate that was valid
 only for 30 days. This one will use value from ca.cnf.
 
 Windows is still complaining with new client certificate and yes, system
 is XP Service Pack 3 so it's pretty much up-to-date
 
 
 Then you haven't got the (correct) ca.der certificate in your trusted
 root certificate store.

I was afraid you were gonna say that...

I am honing my BOFH chops...each time I make new certs, I chase the
iPhone users through their setup to accept the new cert.

;-)

Though I was pretty certain that the certs I was making through my own
scripts were right, I thought if I used the cert creation scripts from
freeradius, things would just work...

OK - I'll look at the cnf options because it would be nice to have more
than 30 days anyway

Thanks

Craig



RE: client certs

2008-12-10 Thread Craig White
On Wed, 2008-12-10 at 19:51 -0500, Jason Wittlin-Cohen wrote:
 Craig,
 
 Apparently Windows automatically sends non-CA certificates in DER or
 PEM format to the Other People' certificate store. More importantly,
 the wireless supplicant in Windows XP \will not work with PEM or DER
 formatted client certificates. It'll complain that you have no
 certificate. You must convert to pkcs12 as the documentation states.
 
 openssl pkcs12 -export -in certname.pem \
 -inkey keyname.key -out name.p12 -clcerts

Jason

Thanks for the help. Last week when I was generating certificates my own
way, I was doing that and yes, as Ivan points out, the 'scripted' way
that make client.pem does make the p12 cert for the client.

My issue now - and obviously sh*t happens as I change things around is
that with the certificates newly generated and radiusd restarted in
'debug' mode, the newly minted ca.der and client.p12 certificates
installed in their proper homes in 'certificates'

following the instructions here...
http://wiki.freeradius.org/WPA_HOWTO#Step_4:_Configure_the_Client

I 'repair' or 'refresh' Network Connection (obviously the repair is for
the Wireless) and it hems/haws and finally says Authentication failed
but the wireless AP never makes an effort to connect to the radius
server. Just rebooted the laptop and checked for stale info in regedit
HKCU\Software\Microsoft\EAPOL (none)

This AP has been talking to the radius server for weeks now (and all day
today) and authenticating Macintosh and iPhone clients but Windows is
making me absolutely nuts. The radius server is also authenticating for
my RRAS server on a Windows server on the LAN...my only issue has been
Windows laptops  ;-(

At least earlier with my otherwise generated certificates, I could get
through the AP and to the radius server but now...it's like no one is
home. The Wireless AP does show my connection but that's it.

I'm very frustrated

Craig



Re: client certs

2008-12-10 Thread Craig White
On Wed, 2008-12-10 at 21:36 -0500, Jason Wittlin-Cohen wrote:
 Craig,
 
 Have you tried authenticating with the same certificate from a
 different computer, or using a different supplicant? The XP supplicant
 is pretty awful. If you have an Intel card, you can download the Intel
 PROset software for free which has more features than XP's supplicant,
 supports more authentication options, and tends to work better. My
 personal favorite is Juniper's Open Access client. Juniper has a
 30-day trial if you want to test to see if that solves your problems.

yes, this laptop has Intel ProSet and I've been using that but with this
latest round of certs, I've been unable get from Laptop to Radius, even
with Intel ProSet.  ;-(

> In addition, I find that if the server is down while a client tries to
> connect, I have to refresh the settings on the AP, restarting the
> wireless, or the RADIUS server will show no activity at all.
> Restarting Windows or repairing the wireless connection doesn't help
> as it appears to be an issue with the AP. So, if you had the
> RADIUS server down for even a short while, try restarting the AP.

I did that about an hour ago but it never hurts and I'll do that when I
start my next go 'round after dinner

> You can also see if there's a valid certificate chain. Start > Run:
> mmc. File > Add Snap-In. Add Certificates. Choose My User. You
> should see a Certificates - Current User tree. Expand it, then open
> Personal > Certificates. You should see your certificate in the list.
> Double click the certificate and check the Certificate Path tab.
> Certificate Status should be OK, and you should see both your client
> cert and the CA.

there is and I've been checking that very thing all along - looks good
-
> If your certificate was signed by the server key and not the CA key,
> certificate verification will fail.

check

> Also, run freeradius with freeradius -X to check to see whether
> Windows is even communicating with the RADIUS server. I was having
> problems with my Ubuntu laptop and found it was timing out before even
> attempting to authenticate with the RADIUS server due to a driver
> issue.

that's what I was referring to 'debug' mode

I have enough hours logged in Radius configuration (first 1.1.2 and now
2.1.1) to know where all the bodies are buried and have googled and
looked at the wiki.freeradius.org till I'm blind.

Macintosh and iPhone's were easy because they just ask you to accept
certificate(s) presented by server.

Windows RRAS authentication against Radius server was simple.

LDAP authentication seemed to be easy

WinXP laptops - argh...

Craig



realms and Windows domain

2008-12-06 Thread Craig White
freeradius-1.1.3-1.2.el5

LDAP authentication (OpenLDAP)

I am mostly working now but I do get failures if a user has the Windows
Domain set to any value at all which of course means that the
authentication is passed as DOMAIN\user and I want it to strip out the
DOMAIN\ part and just keep the user so Windows laptops would just
automatically authenticate current logged in user.

Not sure this is necessary but this is the debug of what is happening...

rlm_ldap: - authorize
rlm_ldap: performing user authorization for MyOrg\craigwhite
radius_xlat:  '(uid=MyOrg\5c\5ccraigwhite)'
radius_xlat:  'ou=People,ou=Accounts,o=MyOrg,c=US'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
rlm_ldap: bind as cn=admin,o=MyOrg,c=US/pass to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=People,ou=Accounts,o=MyOrg, with
filter (uid=MyOrg\5c\5ccraigwhite)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns notfound for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type MS-CHAP
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 0
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: NT Domain delimeter found, should we have enabled
with_ntdomain_hack?
  rlm_mschap: Told to do MS-CHAPv2 for MyOrg\craigwhite with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module mschap returns reject for request 0
modcall: leaving group MS-CHAP (returns reject) for request 0
auth: Failed to validate the user.
Login incorrect (rlm_ldap: User not found): [MyOrg\\craigwhite/no
User-Password attribute] (from client RRAS port 11 cli 68.231.14.75)
Delaying request 0 for 1 seconds
Finished request 0

I have tried it with ntdomain_hack enabled but the outcome is the same.

If I don't include the Domain, I get authenticated no problem...so I
figure all I need/want is to strip the user name out.

Craig



Re: realms and Windows domain

2008-12-06 Thread Craig White
Not sure that it's the right place but I was able to hack 'hints' file
to handle this

Craig

On Sat, 2008-12-06 at 12:07 -0700, Craig White wrote:
> freeradius-1.1.3-1.2.el5
>
> LDAP authentication (OpenLDAP)
>
> I am mostly working now but I do get failures if a user has the Windows
> Domain set to any value at all which of course means that the
> authentication is passed as DOMAIN\user and I want it to strip out the
> DOMAIN\ part and just keep the user so Windows laptops would just
> automatically authenticate current logged in user.
>
> Not sure this is necessary but this is the debug of what is happening...
>
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for MyOrg\craigwhite
> radius_xlat:  '(uid=MyOrg\5c\5ccraigwhite)'
> radius_xlat:  'ou=People,ou=Accounts,o=MyOrg,c=US'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to localhost:389, authentication 0
> rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
> rlm_ldap: bind as cn=admin,o=MyOrg,c=US/pass to localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=People,ou=Accounts,o=MyOrg, with
> filter (uid=MyOrg\5c\5ccraigwhite)
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module ldap returns notfound for request 0
> modcall: leaving group authorize (returns ok) for request 0
>   rad_check_password:  Found Auth-Type MS-CHAP
> auth: type MS-CHAP
>   Processing the authenticate section of radiusd.conf
> modcall: entering group MS-CHAP for request 0
>   rlm_mschap: No User-Password configured.  Cannot create LM-Password.
>   rlm_mschap: No User-Password configured.  Cannot create NT-Password.
>   rlm_mschap: NT Domain delimeter found, should we have enabled
> with_ntdomain_hack?
>   rlm_mschap: Told to do MS-CHAPv2 for MyOrg\craigwhite with NT-Password
>   rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
>   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>   modcall[authenticate]: module mschap returns reject for request 0
> modcall: leaving group MS-CHAP (returns reject) for request 0
> auth: Failed to validate the user.
> Login incorrect (rlm_ldap: User not found): [MyOrg\\craigwhite/no
> User-Password attribute] (from client RRAS port 11 cli 68.231.14.75)
> Delaying request 0 for 1 seconds
> Finished request 0
>
> I have tried it with ntdomain_hack enabled but the outcome is the same.
>
> If I don't include the Domain, I get authenticated no problem...so I
> figure all I need/want is to strip the user name out.


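Added example for the "realms and Windows domain" post and its "hints file" follow-up (editor's code, not Craig's and not FreeRADIUS source). The debug output shows the whole string MyOrg\craigwhite being escaped into the filter (uid=MyOrg\5c\5ccraigwhite), which can never match a uid of craigwhite; with_ntdomain_hack only changes how rlm_mschap computes the MS-CHAP response, it does not change the name rlm_ldap searches for. The code models the two steps that have to happen before the search: split the NT-domain prefix off (what rlm_realm's ntdomain instance does with format = prefix and delimiter = "\\", leaving the bare name in Stripped-User-Name for a filter of the usual form (uid=%{Stripped-User-Name:-%{User-Name}})), and escape whatever is left per RFC 4515 so a crafted User-Name cannot widen the search. KNOWN_REALMS, BASE_DN and the sample names are constructed for the example; check the realm and ldap module syntax against your own version's radiusd.conf and proxy.conf.

```python
"""Model of NT-domain prefix stripping plus LDAP filter escaping for the
User-Name seen in the thread (MyOrg\\craigwhite).  Constructed example,
not FreeRADIUS code; realm names, base DN and user names are made up."""

# RFC 4515 filter metacharacters, written in the \XX hex form rlm_ldap prints.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

KNOWN_REALMS = {"MyOrg"}      # assumption: realms configured as LOCAL in proxy.conf
BASE_DN = "ou=People,ou=Accounts,o=MyOrg,c=US"   # base DN from the posted log


def ldap_escape(value: str) -> str:
    """Escape an assertion value so user input cannot change the filter's structure."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def split_ntdomain(user_name: str, delimiter: str = "\\"):
    """Split DOMAIN\\user into (realm, user), like rlm_realm with format = prefix.
    Returns (None, user_name) when the delimiter is absent."""
    realm, sep, user = user_name.partition(delimiter)
    if not sep:
        return None, user_name
    return realm, user


def stripped_user_name(user_name: str):
    """What Stripped-User-Name would hold: the bare name only when the realm is
    known.  An unknown realm leaves User-Name untouched (rlm_realm returns noop)."""
    realm, user = split_ntdomain(user_name)
    if realm is None or realm not in KNOWN_REALMS:
        return None
    return user


def ldap_search(user_name: str):
    """Return the (base DN, filter) rlm_ldap would search with, using the
    filter template (uid=%{Stripped-User-Name:-%{User-Name}})."""
    name = stripped_user_name(user_name) or user_name
    return BASE_DN, "(uid=%s)" % ldap_escape(name)


if __name__ == "__main__":
    for name in ("MyOrg\\craigwhite", "craigwhite",
                 "Other\\craigwhite", "craigwhite)(uid=*"):
        print("%-22r -> %s" % (name, ldap_search(name)[1]))
```

The last sample name shows why the escaping matters independently of the domain problem: without it, a supplicant-chosen identity of craigwhite)(uid=* would turn the lookup into a wildcard search.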


windows supplicant

2008-12-04 Thread Craig White
I've been working on this on/off for 2 weeks now and I'm confused.

I found on this Windows laptop I've been playing with that I can't
connect via the built-in Windows XP SP3 supplicant but one connection I
can make is using the Intel ProSet (it's a 2100) but the only way that
I've been able to connect is using TTLS.

The Intel Pro-Set suggests that my connection is:

Security Mode: WPA
Encryption Algorithm: TKIP
802.11 Authentication: Open
802.1x Authentication: TTLS (MS-CHAP) and I note that MS-CHAPv2 doesn't
work here

So I'm now wondering if the problem is my setup of eap.conf the
MS-CHAPv2

I am authenticating RRAS from a Windows server and Macintosh and iPhone
clients without issue.

Craig



OT - Question about Switches

2008-12-02 Thread Craig White
Sorry for the noise but this is actually related to my struggles with
FreeRadius

I am using FreeRadius and authenticating Windows RAS users (PPTP)
Macintosh users via the same Windows RAS server using PPTP or L2TP,
Macintosh WAP clients and iPhone clients without a problem.

I am struggling with Windows clients both WAP and L2TP to the same
Windows RAS server and I'm beginning to wonder if the problem is the
switch I am using because endless google searching turned up a problem
somewhere (I've forgotten which I read).

I'm using a Dell PowerConnect 6248 switch which is a managed switch. Is
it possible that it is interfering with some of the connections?

My Windows WAP clients endlessly try to authenticate as 'anonymous' and
my Windows L2TP connections don't seem to ever get to the Windows RAS
server though a Macintosh using L2TP sailed right on through.

I'm grasping at straws.

Craig



Re: last hurdle...windows clients

2008-11-25 Thread Craig White
On Tue, 2008-11-25 at 10:06 +0100, Alan DeKok wrote:
> Craig White wrote:
>> I realize that freeradius has little control over the supplicant but I'm
>> wondering if it's something in my setup of tls that the authentication
>> should/shouldn't be part of the tunnel because it just assumes a login
>> of anonymous instead of the Windows User/Password or never asks me for a
>> User/Password...
>
>   Because you've likely configured an anonymous outer identity, and it's
> not proceeding to the inner session.  So it's not asking for the
> username or password.

OK perhaps I am just looking in the wrong place and I'm using an older
version of freeradius (part or RHEL/CentOS 5) but eap.conf, in peap
section only has these options and I haven't found any combination that
works...

copy_request_to_tunnel = yes
use_tunneled_reply = yes
#   proxy_tunneled_request_as_eap = yes
proxy_tunneled_request_as_eap = no

and I have the ttls section commented out.

Am I in the right place? Am I missing something really obvious?

Craig



certificates confusion

2008-11-24 Thread Craig White
please excuse me if this isn't entirely related to freeradius but it's
all about getting WindowsXP laptops to my wireless network with
freeradius and 802.1x

I see that there are certificate failures and am thinking that I need to
clean this up

up until now, server2 is my ca and I have used that to generate and sign
certificates.

my radius server though is running on server1 and I think that my
failure is related to the fact that I'm generating the certificates and
signing them with server2.

So my questions...

1. Do I set up server1 to be its own CA or do I still use server2 as the
CA?

2. If server2 is the CA, do I then generate the request on server1, copy
it to server2 and then sign it on server2?

3. Does anyone see any problems with these methods of generating
certificates ? (openssl on Linux)

# Generate server key and certificate signing request
# (-days is ignored by 'req -new'; validity is set when the CA signs)
openssl req -new -nodes -keyout $SSL/radius_server_key.pem \
 -out $SSL/radius_server_req.pem \
 -config $SSL/openssl.cnf

# Sign server certificate (xpserver_ext from the FreeRADIUS xpextensions
# file adds the serverAuth extendedKeyUsage that XP looks for)
openssl ca -config $SSL/openssl.cnf \
 -policy policy_anything \
 -days 730 \
 -out $SSL/radius_server_cert.pem \
 -extensions xpserver_ext \
 -extfile $SSL/xpextensions \
 -infiles $SSL/radius_server_req.pem

# Edit out the text information in radius_server_cert.pem and then run
# cat $SSL/radius_server_key.pem \
#     $SSL/radius_server_cert.pem \
#     > $SSL/radius_server_keycert.pem

# Generate client key and certificate signing request
# (no -nodes here, so the client key is passphrase-protected)
openssl req -new -keyout $SSL/radius_client_key.pem \
 -out $SSL/radius_client_req.pem \
 -config $SSL/openssl.cnf

# Sign client certificate (xpclient_ext adds the clientAuth extendedKeyUsage)
openssl ca -config $SSL/openssl.cnf \
 -policy policy_anything \
 -days 730 \
 -out $SSL/radius_client_cert.pem \
 -extensions xpclient_ext \
 -extfile $SSL/xpextensions \
 -infiles $SSL/radius_client_req.pem
#
cat $SSL/radius_client_key.pem $SSL/radius_client_cert.pem \
 > $SSL/radius_client_keycert.pem

Thanks

Craig




Re: last hurdle...windows clients

2008-11-24 Thread Craig White
On Sun, 2008-11-23 at 02:59 -0600, Alan DeKok wrote:
> Craig White wrote:
>> OK - that quiets the notification but I still can't figure out the issue
>> where I can authenticate RRAS, Macintosh and iPod clients against radius
>> via LDAP using mschapv2 but even with the certificates on Windows XP
>> clients, with the 'xpextensions' they always try to authenticate as
>> 'uid=anonymous' and never ask me for name/password credentials to supply
>> for authentication.
>
>   Then the supplicant is misconfigured.
>
>> While I probably would agree that the certificates should be enough and
>> not need the user/password authentication, I can't figure out how to
>> tell radiusd to accept those with the certificates.
>
>   No.  PEAP does MS-CHAP for username/passwd authentication.  If you
> want authentication via client certs, use TLS.
>
>> Either way I would be happy...getting windows clients to provide
>> username/password or getting radius to accept a client with the
>> certificate.
>
>   There's something else in your windows configuration that is making it
> *not* ask you for the username/password.  Maybe it's cached in the registry.

HKCU\Software\Microsoft doesn't even have an EAPOL entry at all.

fixed the cert issue but still it's trying to authenticate as
anonymous  ;-(

I realize that freeradius has little control over the supplicant but I'm
wondering if it's something in my setup of tls that the authentication
should/shouldn't be part of the tunnel because it just assumes a login
of anonymous instead of the Windows User/Password or never asks me for a
User/Password...

rad_recv: Access-Request packet from host 192.168.1.250:2054, id=168,
length=161
User-Name = anonymous
NAS-IP-Address = 192.168.1.250
NAS-Port = 0
Called-Station-Id = 00-21-29-E3-D1-84
Calling-Station-Id = 00-04-23-62-BD-3D
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message = 0x026300061900
State = 0x7de5407f2f55958f61578bc598c219a9
Message-Authenticator =
0x0682bd2213fba7b19656a91ac1454267  

  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 46
  modcall[authorize]: module preprocess returns ok for request 46
  modcall[authorize]: module chap returns noop for request 46
  modcall[authorize]: module mschap returns noop for request 46
rlm_realm: No '@' in User-Name = anonymous, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 46 
  rlm_eap: EAP packet type response id 99 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 46
users: Matched entry DEFAULT at line 156
  modcall[authorize]: module files returns ok for request 46
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat:  '(uid=anonymous)'
radius_xlat:  'ou=People,ou=Accounts,o=MyOrg'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,ou=Accounts,o=MyOrg, with
filter (uid=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns notfound for request 46
modcall: leaving group authorize (returns updated) for request 46
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
 Processing the authenticate section of radiusd.conf 
modcall: entering group authenticate for request 46
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap:
EAPTLS_HANDLED  

  modcall[authenticate]: module eap returns handled for request 46
modcall: leaving group authenticate (returns handled) for request 46
Sending Access-Challenge of id 168 to 192.168.1.250 port 2054
EAP-Message =
0x0164040619400355040b130b4d61696e204f696365311a301806035504031311772e6d756c6c656e6164762e636f6d3121301f06092a864886f70d01090116126372616967406d756c6c656e70722e636f6d301e170d3038313132333030333435375a170d3138313132313030333435375a3081b8310b30090603550406130255533110300e060355040813074172697a6f6e613110300e0603550407130750686f656e69783130302e060355040a13274d756c6c656e204164766572746973696e6720616e64205075626c69632052656c6174696f6e7331143012060355040b130b4d61696e204f696365311a301806035504031311

  
EAP

Re: last hurdle...windows clients

2008-11-22 Thread Craig White
On Sun, 2008-11-23 at 00:24 +0100, [EMAIL PROTECTED] wrote:
>> I don't understand the message about unknown_ca in the log below either
>> because I am acting as my own CA and this same cacert.pem seems to be
>> happy on the Windows system I imported it on and I've been using it for
>> a bunch of other daemons.
>
>
> It probably wants cacert.der.

OK - that quiets the notification but I still can't figure out the issue
where I can authenticate RRAS, Macintosh and iPod clients against radius
via LDAP using mschapv2 but even with the certificates on Windows XP
clients, with the 'xpextensions' they always try to authenticate as
'uid=anonymous' and never ask me for name/password credentials to supply
for authentication.

Thus since my Default Auth Type = LDAP (in users), these clients always
fail authentication.

While I probably would agree that the certificates should be enough and
not need the user/password authentication, I can't figure out how to
tell radiusd to accept those with the certificates.

Either way I would be happy...getting windows clients to provide
username/password or getting radius to accept a client with the
certificate.

Craig



last hurdle...windows clients

2008-11-21 Thread Craig White
freeradius-1.1.3-1.2.el5

I am authenticating Windows RRAS connections, Macintosh wifi, iPhone
wifi all with LDAP and mschapv2 (using sambaNTPassword hashes in
OpenLDAP)

My users basically consists of...
DEFAULT Auth-Type = LDAP

eap.conf
default_eap_type = mschapv2
and of course my certificates and LDAP setup which works for all the
above authentications.

My problem is Windows XP laptops (updated to SP3) and I have generated
certificates for them.

I have loaded both the CA and p12 certificates on a Windows client, set
for WPA, TKIP, PEAP but it never asks me for a user name and password
and thus always tries to authenticate as anonymous (log below)...even if
I check the box to 'Automatically use my Windows name and password' - it
still comes in as 'anonymous'

Is there some thing else I need to add so that Windows also uses
name/password or do I have something else in Auth-Type to just allow
those with the certificates? How do I do this?

I don't understand the message about unknown_ca in the log below either
because I am acting as my own CA and this same cacert.pem seems to be
happy on the Windows system I imported it on and I've been using it for
a bunch of other daemons.

Craig

rad_recv: Access-Request packet from host 192.168.1.251:2050, id=112,
length=172
User-Name = anonymous
NAS-IP-Address = 192.168.1.251
NAS-Port = 0
Called-Station-Id = 00-21-29-E3-D1-8A
Calling-Station-Id = 00-04-23-62-BD-3D
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message = 0x02880011198715030100020230
State = 0xce80cf1b72bd9479de376550dc6d9052
Message-Authenticator = 0x90183570c2ef1940d04e9e5dc579a1bd
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 59
  modcall[authorize]: module preprocess returns ok for request 59
  modcall[authorize]: module chap returns noop for request 59
  modcall[authorize]: module mschap returns noop for request 59
rlm_realm: No '@' in User-Name = anonymous, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 59 
  rlm_eap: EAP packet type response id 136 length 17
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 59
users: Matched entry DEFAULT at line 156
  modcall[authorize]: module files returns ok for request 59
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous 
radius_xlat:  '(uid=anonymous)'
radius_xlat:  'ou=People,ou=Accounts,o=MyOrg'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,ou=Accounts,o=MyOrg, with
filter (uid=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0 
  modcall[authorize]: module ldap returns notfound for request 59
modcall: leaving group authorize (returns updated) for request 59
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 59 
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  rlm_eap_tls:  TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA 
TLS_accept:failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca
rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.
In SSL Handshake Phase 
In SSL Accept mode 
rlm_eap: SSL error error:140940E5:SSL routines:SSL3_READ_BYTES:ssl
handshake failure 
rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails.
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  rlm_eap: Freeing handler
  modcall[authenticate]: module eap returns reject for request 59
modcall: leaving group authenticate (returns reject) for request 59
auth: Failed to validate the user.


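Added example for the two "last hurdle" logs above (editor's code, not Craig's and not FreeRADIUS source). Both logs print the EAP-Message attribute as raw hex, and the server's own lines ("EAP packet type response id 99 length 6", "Received EAP-TLS ACK message", "TLS 1.0 Alert [length 0002], fatal unknown_ca") are the decoded view of those bytes. The decoder below reproduces that reading: the EAP header, the EAP-TLS/PEAP flags byte, the optional 4-byte TLS message length, and any TLS alert record, so a fatal unknown_ca (alert 48) sent by the supplicant can be recognised without guessing. The ACK packet 0x026300061900 and the first bytes of the Access-Challenge are copied from the first log. The EAP-Message in the second log declares a length of 17 but the archived hex holds only 13 bytes, so UNKNOWN_CA_RESPONSE is a constructed, well-formed packet with the same header fields (Response, id 136, length 17, PEAP, length included) carrying the same TLS alert; it is labelled as such in the code.

```python
"""Decoder for the EAP-Message values that radiusd -X prints.
Added example, not FreeRADIUS code.  ACK_FROM_LOG and CHALLENGE_PREFIX are
copied from the thread; UNKNOWN_CA_RESPONSE is constructed (see comment)."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_BASED_TYPES = {13, 21, 25}           # types whose payload is a TLS record stream
TLS_VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
TLS_ALERTS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
              43: "unsupported_certificate", 44: "certificate_revoked",
              45: "certificate_expired", 46: "certificate_unknown",
              47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
              51: "decrypt_error", 70: "protocol_version"}

ACK_FROM_LOG = "0x026300061900"                # Access-Request in "Re: last hurdle"
CHALLENGE_PREFIX = "0x0164040619400355040b"    # first bytes of that log's Access-Challenge
# Constructed: Response, id 136, length 17, PEAP, L flag, TLS length 7,
# one alert record 15 03 01 00 02 | 02 30 = TLS 1.0, fatal, unknown_ca (48).
UNKNOWN_CA_RESPONSE = "0x02880011" + "19" + "80" + "00000007" + "15030100020230"


def decode_tls_records(payload: bytes):
    """Split a TLS record stream; alert records are interpreted, others only sized."""
    records = []
    while len(payload) >= 5:
        ctype, major, minor, rlen = struct.unpack("!BBBH", payload[:5])
        body = payload[5:5 + rlen]
        rec = {"content_type": ctype, "length": rlen, "complete": len(body) == rlen,
               "version": TLS_VERSIONS.get((major, minor), "%d.%d" % (major, minor))}
        if ctype == 21 and len(body) == 2:    # alert(21): level byte, description byte
            level = {1: "warning", 2: "fatal"}.get(body[0], str(body[0]))
            rec["alert"] = (level, TLS_ALERTS.get(body[1], str(body[1])))
        records.append(rec)
        payload = payload[5 + rlen:]
    return records


def decode_eap_message(hexstr: str) -> dict:
    """Decode one EAP-Message value as printed by radiusd -X (0x-prefixed hex)."""
    data = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", data[:4])
    info = {"code": EAP_CODES.get(code, str(code)), "id": ident, "length": length,
            "truncated": len(data) < length}   # the log or archive cut the packet short
    if code not in (1, 2) or len(data) < 5:
        return info
    eap_type = data[4]
    info["type"] = EAP_TYPES.get(eap_type, str(eap_type))
    if eap_type not in TLS_BASED_TYPES or len(data) < 6:
        return info
    flags = data[5]                             # L M S R R V V V (V = PEAP version bits)
    info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
    payload = data[6:]
    if flags & 0x80 and len(payload) >= 4:      # L set: total TLS message length follows
        info["tls_message_length"] = struct.unpack("!I", payload[:4])[0]
        payload = payload[4:]
    info["tls_bytes"] = len(payload)
    # No L/M/S flag and no data: the peer is acknowledging a fragment (RFC 5216 ACK).
    info["ack"] = (flags & 0xE0) == 0 and not payload
    # Only a fragment with L set starts on a TLS record boundary; continuation
    # fragments (M set, L clear) are mid-record and cannot be parsed in isolation.
    if flags & 0x80:
        info["tls_records"] = decode_tls_records(payload)
    return info


if __name__ == "__main__":
    for label, pkt in (("ack", ACK_FROM_LOG), ("alert", UNKNOWN_CA_RESPONSE),
                       ("challenge", CHALLENGE_PREFIX)):
        print(label, decode_eap_message(pkt))
```

Reading the alert this way settles where to look: unknown_ca is sent by the supplicant, so it is the Windows trust store, not radiusd, that is rejecting the server's chain; the server log only reports the alert it received.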


Re: Unknown module eap

2008-11-16 Thread Craig White
On Sun, 2008-11-16 at 07:55 +0100, Alan DeKok wrote:
> Craig White wrote:
>> freeradius newbie here...not sure where I went wrong and someone
>> probably can figure this out in a second.
>
>   You edited the default configuration files and broke it.
>
>> CentOS 5 (freeradius-1.1.3-1.2.el5) still using default certificates so
>> as not to complicate things too much yet.
>
>   I really suggest upgrading to 2.1.1.
>
>> rlm_eap: No such sub-type for default EAP type peap
>> radiusd.conf[10]: eap: Module instantiation failed.
>> radiusd.conf[1940] Unknown module eap.
>> radiusd.conf[1887] Failed to parse authenticate section.
>>
>> Can someone toss me a bone here?
>
>   You deleted the peap section from eap.conf.  Or, you configured
> default_eap_type = peap, but without un-commenting the peap section in
> eap.conf.

yup...thanks - the instructions that I was following didn't make it
clear for me to do that (uncomment the peap section...duh). I'm sort of
working through things one breakage at a time.

As for upgrading, duly noted but I don't know what it is that I don't
know so I'll stay with the distribution for the time being. I think Red
Hat has a newer version on track.

Thanks

Craig



ldap and unix return different results

2008-11-16 Thread Craig White
I am trying to use mschap and the following is logged suggesting that
ldap authorize succeeds but unix authorize fails but the passwords are
the same (aside from the fact that samba hashes the password). I can ssh
into the radius server with the user name and password...

# getent passwd|grep craigwhite
craigwhite:x:1013:1000:Craig White:/home/users/craigwhite:/bin/sh

# radtest craigwhite MY_PASSWORD MY_RADIUS_SERVER 0 whatever

and on the radius server running 'radiusd -X -f'

Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812 Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.100.7:60829, id=45,
length=62
User-Name = craigwhite
User-Password = MY_PASSWORD
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = craigwhite, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 152
  modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for craigwhite
radius_xlat:  '(uid=craigwhite)'
radius_xlat:  'ou=People,ou=Accounts,o=MY_ORG,c=US'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
rlm_ldap: bind as cn=admin,o=Mullen,c=US/riod to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=People,ou=Accounts,o=MY_ORG,c=US, with
filter (uid=craigwhite)
rlm_ldap: checking if remote access for craigwhite is allowed by uid
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding sambaAcctFlags as SMB-Account-CTRL-TEXT, value
[UX ]  op=21
rlm_ldap: Adding sambaNTPassword as NT-Password, value HASHED_PASSWORD 
op=21
rlm_ldap: Adding sambaLMPassword as LM-Password, value HASHED_PASSWORD 
op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user craigwhite authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
auth: type System
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_unix: [craigwhite]: invalid password
  modcall[authenticate]: module unix returns reject for request 0
modcall: leaving group authenticate (returns reject) for request 0
auth: Failed to validate the user.

Obviously this is something to do with the 'users' file configuration
which is still at its default and apparently this is the problem
here...

DEFAULT Auth-Type = System
Fall-Through = 1

What nugget am I missing?

Craig



Re: ldap and unix return different results

2008-11-16 Thread Craig White
On Sun, 2008-11-16 at 09:45 -0700, Craig White wrote:
> I am trying to use mschap and the following is logged suggesting that
> ldap authorize succeeds but unix authorize fails but the passwords are
> the same (aside from the fact that samba hashes the password). I can ssh
> into the radius server with the user name and password...

> Obviously this is something to do with the 'users' file configuration
> which is still at its default and apparently this is the problem
> here...
>
> DEFAULT Auth-Type = System
> Fall-Through = 1
>
> What nugget am I missing?

nevermind...

Instead of above, I needed...

DEFAULT Auth-Type = LDAP

probably obvious to some here...this is pretty cool stuff

Thanks

Craig

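Added example for the "ldap and unix return different results" post and its follow-up (editor's code, not Craig's, and not FreeRADIUS or Samba source). The log shows rlm_ldap turning sambaNTPassword into an NT-Password check item, while Auth-Type = System hands the cleartext User-Password to rlm_unix, which compares it against /etc/shadow and fails. The code below shows what that NT-Password is (MD4 over the UTF-16LE password, unsalted) and the direct comparison rlm_pap can make when NT-Password is present, so the directory entry itself can authenticate a PAP request without a bind. MD4 is written out because Python builds on OpenSSL 3 often have no hashlib md4; the directory entry is constructed, its hash is NT("password"), and the sambaAcctFlags check is a simplified model of the disabled-account test, not a copy of the module's code.

```python
"""NT-Password (sambaNTPassword) computation and a PAP check against it.
Added example, not FreeRADIUS or Samba code.  CONSTRUCTED_ENTRY is a made-up
directory entry shaped like the one in the posted log."""
import hmac
import struct


def _md4(message: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); used because hashlib may lack md4 under OpenSSL 3."""
    mask = 0xFFFFFFFF

    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & mask

    bit_len = len(message) * 8
    message += b"\x80"
    message += b"\x00" * ((56 - len(message) % 64) % 64)
    message += struct.pack("<Q", bit_len)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(message), 64):
        X = struct.unpack("<16I", message[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                   # round 1
            a = rotl((a + F(b, c, d) + X[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + G(b, c, d) + X[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            a = rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """sambaNTPassword value: MD4 of the UTF-16LE password, no salt, upper-case hex."""
    return _md4(password.encode("utf-16-le")).hex().upper()


def account_enabled(samba_acct_flags: str) -> bool:
    """Simplified model of the sambaAcctFlags test: "[UX         ]" is a normal
    enabled user, a 'D' inside the brackets marks a disabled account."""
    return "D" not in samba_acct_flags.strip("[]")


def check_pap_password(entry: dict, user_password: str) -> bool:
    """PAP check against the stored NT hash: the comparison rlm_pap makes when an
    NT-Password check item is present, so no directory bind is needed."""
    if not account_enabled(entry.get("sambaAcctFlags", "[U]")):
        return False
    return hmac.compare_digest(nt_hash(user_password), entry["sambaNTPassword"].upper())


# Constructed entry; the hash is nt_hash("password").
CONSTRUCTED_ENTRY = {"uid": "craigwhite", "sambaAcctFlags": "[UX         ]",
                     "sambaNTPassword": "8846F7EAEE8FB117AD06BDD830B7586C"}

if __name__ == "__main__":
    print("NT(password) =", nt_hash("password"))
    print("PAP check, right password:", check_pap_password(CONSTRUCTED_ENTRY, "password"))
    print("PAP check, wrong password:", check_pap_password(CONSTRUCTED_ENTRY, "Password"))
```

The same unsalted hash is what rlm_mschap uses for MS-CHAPv2, which makes sambaNTPassword password-equivalent: anyone who can read that attribute can answer an MS-CHAPv2 challenge. The directory ACL on it, and the bind credentials that radiusd -X prints in clear in the log above, deserve the same handling as the passwords themselves.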


Unknown module eap

2008-11-15 Thread Craig White
freeradius newbie here...not sure where I went wrong and someone
probably can figure this out in a second.

New installation, following guide @ tldp and another ldap guide but I
don't think the ldap is the problem here. Not knowing what is
significant, I'll just give the whole output.

CentOS 5 (freeradius-1.1.3-1.2.el5) still using default certificates so
as not to complicate things too much yet.

# radiusd -X -f
Starting - reading configuration files ...
reread_config:  reading radiusd.conf  
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf   
Config:   including file: /etc/raddb/eap.conf
 main: prefix = /usr   
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib   
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no 
 main: snmp = no 
 main: max_request_time = 30 
 main: cleanup_delay = 5 
 main: max_requests = 1024   
 main: delete_blocked_requests = 0   
 main: port = 0  
 main: allow_core_dumps = no 
 main: log_stripped_names = no   
 main: log_file = /var/log/radius/radius.log   
 main: log_auth = no 
 main: log_auth_badpass = no 
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid  
 main: user = radiusd  
 main: group = radiusd 
 main: usercollide = no  
 main: lower_user = no 
 main: lower_pass = no 
 main: nospace_user = no   
 main: nospace_pass = no   
 main: checkrad = /usr/sbin/checkrad   
 main: proxy_requests = yes  
 proxy: retry_delay = 5  
 proxy: retry_count = 3  
 proxy: synchronous = no 
 proxy: default_fallback = yes   
 proxy: dead_time = 120  
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200  
 security: reject_delay = 1  
 security: status_server = no
 main: debug_level = 0   
read_config_files:  reading dictionary   
read_config_files:  reading naslist  
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms 
radiusd:  entering modules setup   
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes  
 exec: program = (null)  
 exec: input_pairs = request 
 exec: output_pairs = (null) 
 exec: packet_type = (null)  
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)   
Module: Loaded expr
Module: Instantiated expr (expr)   
Module: Loaded PAP 
 pap: encryption_scheme = crypt  
Module: Instantiated pap (pap) 
Module: Loaded CHAP
Module: Instantiated chap (chap)   
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = yes  
 mschap: require_strong = yes  
 mschap: with_ntdomain_hack = no   
 mschap: passwd = (null) 
 mschap: ntlm_auth = (null)  
Module: Instantiated mschap (mschap)   
Module: Loaded System  
 unix: cache = no  
 unix: passwd = (null)   
 unix: shadow = /etc/shadow  
 unix: group = (null)
 unix: radwtmp = /var/log/radius/radwtmp
 unix: