Client certs with MSCHAPV2 in PEAP
I would like to configure this setup using Freeradius. My WinXP client (Intel ProSET) supports this, but FR chokes on it when enabled. I've got PEAP-EAP-MSCHAPV2 working with just password authentication.

I noted this http://www.opensubscriber.com/message/freeradius-users@lists.freeradius.org/1873393.html but was unable to figure out where the DEFAULT EAP-TLS-Require-Client-Cert := Yes should be set.

Relative Linux/Freeradius noob, FC4/2.6.15-1.1831 Freeradius 1.0.4

Thanks,
Dan H

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Client certs with MSCHAPV2 in PEAP
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
>
> "Dave Huff" <[EMAIL PROTECTED]> wrote:
> > I would like to configure this setup using Freeradius. My WinXP
> > client (Intel ProSET) supports this, but FR chokes on it when enabled.
>
> Would you be willing to run the server in debugging mode,
> as suggested in the FAQ, README, INSTALL, and daily on this list?

Sure, thought my question needed a quick answer, but here I've included the log AFTER inserting the line in the users file, and turning on the client cert part of MSCHAPV2 in ProSET:

auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 71 to 192.168.0.1:1201
EAP-Message = 0x010200061920
Message-Authenticator = 0x
State = 0xd4448443a5823bb9ceffabd590f27721
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 71 with timestamp 43fcc0a4
Nothing to do. Sleeping until we see a request.

rad_recv: Access-Request packet from host 192.168.0.1:1201, id=72, length=243
User-Name = "[EMAIL PROTECTED]"
NAS-IP-Address = 192.168.0.1
NAS-Port = 0
Called-Station-Id = "00-0f-3d-3f-49-92"
Calling-Station-Id = "00-0e-35-60-27-1f"
NAS-Identifier = "HomeAP"
Framed-MTU = 1380
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0202006a19800060160301005b0157030143fcc0c5eb46025dd5e3662940ba6406
    6bed01df2be7d94eb754c77da12672c33000390038003500160013000a00330032002f00
    66000500040065006400630062006000150012000900140011000800030100
State = 0xd4448443a5823bb9ceffabd590f27721
Message-Authenticator = 0xdcd7050a2c3750c9314d44818cf15867
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: Looking up realm "b.com" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: No such realm "b.com"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: EAP packet type response id 2 length 106
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
users: Matched entry DEFAULT at line 75
modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 005b], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0780], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0074], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 72 to 192.168.0.1:1201
EAP-Message = [hex dump of the server Certificate message, truncated in the archive]
RE: Client certs with MSCHAPV2 in PEAP
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
>
> "Dave Huff" <[EMAIL PROTECTED]> wrote:
> > rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal certificate_unknown
> > TLS Alert read:fatal:certificate unknown
>
> SSL is telling FreeRADIUS that the certificate sent by the client is bad.

That's what I thought too, but I configured the CA, server, and client certs all on Openssl pretty much like http://www.cisco.com/en/US/products/ps6379/products_configuration_guide_chapter09186a00805ac269.html

Windows is using the cert I installed from the linux box, at least I have a choice in ProSET. If Windows overrides for some reason, I wouldn't know...can I set a debug mode that would tell me?

> You're probably doing EAP-TLS where the server has one cert, and the client
> has a cert signed by someone else entirely. For EAP-TLS to work, the client
> certs have to be signed by the server cert.

Signed by the server cert or by the CA cert? I have a CA that signed the server and client certs, and the eap.conf file knows where server and CA certs are.

Dan

> Alan DeKok.
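Alan's reply and Dan's question about which certificate has to sign the client cert come down to one check that FreeRADIUS makes for EAP-TLS and PEAP alike: the client certificate is verified against the CA given by CA_file in eap.conf, not against the server certificate. The Go program below is an added example, not code from this thread or from FreeRADIUS; it reproduces that check offline with the standard library and also covers a cert that chains correctly but was not issued for client authentication. The CA names and the "wlan-client" subject are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mk generates a fresh key and certificate for cn; parent == nil yields a self-signed CA.
func mk(cn string, eku x509.ExtKeyUsage, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku},
	}
	if parent == nil { // self-signed CA: CA flag, cert-signing key usage, signed by its own key
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		tmpl.ExtKeyUsage, parent, pkey = nil, tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// clientChainsTo is the server-side check: the presented cert must chain to the
// configured CA (CA_file in eap.conf) and be valid for TLS client authentication.
func clientChainsTo(client, ca *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := client.Verify(x509.VerifyOptions{
		Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

func main() {
	ca, caKey := mk("Home CA", x509.ExtKeyUsageAny, nil, nil)       // constructed CA that signed server and client certs
	other, otherKey := mk("Other CA", x509.ExtKeyUsageAny, nil, nil) // constructed unrelated CA
	good, _ := mk("wlan-client", x509.ExtKeyUsageClientAuth, ca, caKey)
	wrongCA, _ := mk("wlan-client", x509.ExtKeyUsageClientAuth, other, otherKey)
	serverOnly, _ := mk("wlan-client", x509.ExtKeyUsageServerAuth, ca, caKey)
	fmt.Println(clientChainsTo(good, ca), clientChainsTo(wrongCA, ca), clientChainsTo(serverOnly, ca)) // true false false
}
```

The second and third cases are the two misconfigurations that produce the "certificate unknown" alert seen in the debug log above: a client cert from a CA the server does not trust, and a cert that chains correctly but was issued for server use only.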
Re: Client certs with MSCHAPV2 in PEAP
> From: "Alan DeKok" <[EMAIL PROTECTED]>
> Robert Myers <[EMAIL PROTECTED]> wrote:
> > The reason I ask is that I'm using a client cert signed by my CA to do
> > eap/tls, and it's working. I have not implemented the server cert as of
> > yet.
>
> Then it *should* work with PEAP. But I don't know of many people
> that use client certs with PEAP. I suspect no one has tested that,
> and that the client may be doing something different than with EAP-TLS.
>
> My suggestion is don't use client certs with PEAP.
>
> Alan DeKok.

Ah well, I'm trying to authenticate both a machine (cert) and a user (password) to prevent people from using unchecked machines on the network. PEAP sort of does that I guess since the internal CA isn't set up on a client, but that's not a very secure method. Any suggestions appreciated and thanks for your help.
RE: Client certs with MSCHAPV2 in PEAP
> > Dave Huff wrote:
> > > From: "Alan DeKok" <[EMAIL PROTECTED]>
> > > Robert Myers <[EMAIL PROTECTED]> wrote:
> > > > The reason I ask is that I'm using a client cert signed by my CA to
> > > > do eap/tls, and it's working. I have not implemented the server
> > > > cert as of yet.
> > >
> > > Then it *should* work with PEAP. But I don't know of many people
> > > that use client certs with PEAP. I suspect no one has tested that,
> > > and that the client may be doing something different than with EAP-TLS.
> > >
> > > My suggestion is don't use client certs with PEAP.
> > >
> > > Alan DeKok.
> >
> > Ah well, I'm trying to authenticate both a machine (cert) and a user
> > (password) to prevent people from using unchecked machines on the network.
> > PEAP sort of does that I guess since the internal CA isn't set up on a
> > client, but that's not a very secure method. Any suggestions
> > appreciated and thanks for your help.
>
> Interesting. What client is this?

FC4/2.6.15-1.1831 Freeradius 1.0.4
Intel PROset 9.0.3.0

Is there a debug mode that would show me exactly which certs are being exchanged?
Re: D-link and freeradius
> Date: Mon, 13 Mar 2006 12:58:49 +0200
> From: "Christoforos Ntantogian" <[EMAIL PROTECTED]>
> Subject: D-link and freeradius
>
> Hello,
> I am going to setup an 802.1X wireless authentication with EAP-MD5, EAP-TLS and EAP-SIM.
> I would like to ask if freeradius supports the D-link wireless access points. The NAS list
> that freeradius supports doesn't include D-link products. I have a D-link 900+ access point.
> How can I make it work with freeradius, or can't I?

I'm using FR with a Dlink 624. I did have to download the latest firmware from Dlink before it would work.

Dave H