Re: D-link and freeradius

2006-03-13 Thread Dave Huff


 Date: Mon, 13 Mar 2006 12:58:49 +0200
 From: Christoforos Ntantogian [EMAIL PROTECTED]
 Subject: D-link and freeradius
 To: freeradius-users@lists.freeradius.org
 Message-ID: [EMAIL PROTECTED]
 Content-Type: text/plain; charset=iso-8859-7

 Hello,

 I am going to setup an 802.1X wireless authentication with EAP-MD5,
EAP-TLS and EAP-SIM. 
 I would like to ask if freeradius supports the D-link wireless access
points. The NAS list that freeradius supports doesn't include D-link
products. I have a D-link 900+ access point. How can I make it work with
freeradius, or can't I?

I'm using FR with a Dlink 624.  I did have to download the latest firmware
from Dlink before it would work.

Dave H




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Client certs with MSCHAPV2 in PEA

2006-02-24 Thread Dave Huff
.
From: Alan DeKok [EMAIL PROTECTED]

Robert Myers [EMAIL PROTECTED] wrote:
 The reason I ask, is that I'm using a client cert signed by my CA to do 
 eap/tls, and it's working.  I have not implemented the server cert as of 
 yet.

  Then it *should* work with PEAP.  But I don't know of many people
that use client certs with PEAP.  I suspect no one has tested that,
and that the client may be doing something different than with EAP-TLS.

  My suggestion is don't use client certs with PEAP.

  Alan DeKok.

Ah well, I'm trying to authenticate both a machine (cert) and a user
(password) to prevent people from using unchecked machines on the network.
PEAP sort of does that I guess since the internal CA isn't set up on a
client, but that's not a very secure method.  Any suggestions appreciated
and thanks for your help.



RE: Client certs with MSCHAPV2 in PEA

2006-02-24 Thread Dave Huff
 
 
 Dave Huff wrote:
  .
  From: Alan DeKok [EMAIL PROTECTED]
  
  Robert Myers [EMAIL PROTECTED] wrote:
  The reason I ask, is that I'm using a client cert signed 
 by my CA to 
  do eap/tls, and it's working.  I have not implemented the server 
  cert as of yet.
  
   Then it *should* work with PEAP.  But I don't know of many people 
  that use client certs with PEAP.  I suspect no one has 
 tested that, 
  and that the client may be doing something different than 
 with EAP-TLS.
  
   My suggestion is don't use client certs with PEAP.
  
   Alan DeKok.
  
  Ah well, I'm trying to authenticate both a machine (cert) and a user
  (password) to prevent people from using unchecked machines 
 on the network.
  PEAP sort of does that I guess since the internal CA isn't 
 set up on a 
  client, but that's not a very secure method.  Any suggestions 
  appreciated and thanks for your help.
 
 Interesting. What client is this?
FC4/2.6.15-1.1831
Freeradius 1.0.4
Intel PROset 9.0.3.0

Is there a debug mode that would show me exactly which certs are being
exchanged?



RE: Client certs with MSCHAPV2 in PEAP

2006-02-23 Thread Dave Huff
 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf 
 Of Alan DeKok
 
 Dave Huff [EMAIL PROTECTED] wrote:
 rlm_eap_tls:  TLS 1.0 Alert [length 0002], fatal certificate_unknown
 TLS Alert read:fatal:certificate unknown
 
   SSL is telling FreeRADIUS that the certificate sent by the 
 client is bad.
That's what I thought too, but I configured the CA, server, and client certs
all on Openssl pretty much like
http://www.cisco.com/en/US/products/ps6379/products_configuration_guide_chapter09186a00805ac269.html

Windows is using the cert I installed from the linux box, at least I have a
choice in ProSET.  If Windows overrides for some reason, I wouldn't
know...can I set a debug mode that would tell me?
 
   You're probably doing EAP-TLS where the server has one 
 cert, and the client has cert signed by someone else 
 entirely.  For EAP-TLS to work, the client certs have to be 
 signed by the server cert.
Signed by the server cert or by the CA cert?  I have a CA that signed the
server and client certs, and the eap.conf file knows where server and CA
certs are.

Dan
  
 
   Alan DeKok.
 



Client certs with MSCHAPV2 in PEAP

2006-02-22 Thread Dave Huff
 
I would like to configure this setup using Freeradius.  My WinXP client
(Intel ProSET) supports this, but FR chokes on it when enabled.  I've got
PEAP-EAP-MSCHAPV2 working with just password authentication.

I noted this
http://www.opensubscriber.com/message/freeradius-users@lists.freeradius.org/1873393.html
but was unable to figure out where the DEFAULT
EAP-TLS-Require-Client-Cert := Yes should be set.

Relative Linux/Freeradius noob,

FC4/2.6.15-1.1831
Freeradius 1.0.4

Thanks,
Dan H




RE: Client certs with MSCHAPV2 in PEAP

2006-02-22 Thread Dave Huff
 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf 
 Of Alan DeKok

 
 Dave Huff [EMAIL PROTECTED] wrote:
  I would like to configure this setup using Freeradius.  My WinXP 
  client (Intel ProSET) supports this, but FR chokes on it 
 when enabled.
 
   Would you be willing to run the server in debugging mode, 
 as suggested in the FAQ, README, INSTALL, and daily on this list?

Sure, thought my question needed a quick answer, but here I've included the
log AFTER inserting the line in the users file, and turning on the client
cert part of MSCHAPV2 in ProSET:
snip
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module eap returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 71 to 192.168.0.1:1201
EAP-Message = 0x010200061920
Message-Authenticator = 0x
State = 0xd4448443a5823bb9ceffabd590f27721
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 71 with timestamp 43fcc0a4
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.0.1:1201, id=72, length=243
User-Name = [EMAIL PROTECTED]
NAS-IP-Address = 192.168.0.1
NAS-Port = 0
Called-Station-Id = 00-0f-3d-3f-49-92
Calling-Station-Id = 00-0e-35-60-27-1f
NAS-Identifier = HomeAP
Framed-MTU = 1380
NAS-Port-Type = Wireless-802.11
EAP-Message = 
0x0202006a19800060160301005b0157030143fcc0c5eb46025dd5e3662940ba6406
6bed01df2be7d94eb754c77da12672c33000390038003500160013000a00330032002f00
66000500040065006400630062006000150012000900140011000800030100
State = 0xd4448443a5823bb9ceffabd590f27721
Message-Authenticator = 0xdcd7050a2c3750c9314d44818cf15867
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module preprocess returns ok for request 1
  modcall[authorize]: module mschap returns noop for request 1
rlm_realm: Looking up realm b.com for User-Name = [EMAIL PROTECTED]
rlm_realm: No such realm b.com
  modcall[authorize]: module suffix returns noop for request 1
  rlm_eap: EAP packet type response id 2 length 106
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 1
users: Matched entry DEFAULT at line 75
  modcall[authorize]: module files returns ok for request 1
modcall: group authorize returns updated for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
  rlm_eap_tls:  TLS 1.0 Handshake [length 005b], ClientHello
TLS_accept: SSLv3 read client hello A
  rlm_eap_tls:  TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
  rlm_eap_tls:  TLS 1.0 Handshake [length 0780], Certificate
TLS_accept: SSLv3 write certificate A
  rlm_eap_tls:  TLS 1.0 Handshake [length 0074], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module eap returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 72 to 192.168.0.1:1201
EAP-Message = 
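Dave asked earlier in the thread for a debug mode that shows which certs are exchanged; the log above already answers that if you read the rlm_eap_tls and TLS_accept lines in order. The following is an added example, not code from the thread or from the FreeRADIUS project: it parses FreeRADIUS 1.x debug lines of that shape and reports where the client-certificate exchange stopped. The sample log text is constructed from the lines quoted in this thread, and the verdict strings are my own naming.

```python
# Added example, not from the thread; reads FreeRADIUS 1.x rlm_eap_tls / TLS_accept debug output.
import re
# Constructed sample A: the handshake lines quoted in the 2006-02-22 debug output.
LOG_NO_CLIENT_CERT = """\
  rlm_eap_tls:  TLS 1.0 Handshake [length 005b], ClientHello
TLS_accept: SSLv3 read client hello A
  rlm_eap_tls:  TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
  rlm_eap_tls:  TLS 1.0 Handshake [length 0780], Certificate
TLS_accept: SSLv3 write certificate A
  rlm_eap_tls:  TLS 1.0 Handshake [length 0074], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
"""
# Constructed sample B: the alert lines quoted in the 2006-02-23 reply.
LOG_CERT_UNKNOWN = """\
  rlm_eap_tls:  TLS 1.0 Alert [length 0002], fatal certificate_unknown
TLS Alert read:fatal:certificate unknown
"""
HANDSHAKE_RE = re.compile(r"rlm_eap_tls:\s+TLS 1\.0 Handshake \[length ([0-9a-f]+)\], (\w+)")
# OpenSSL info callback: "read" = the alert arrived from the peer, "write" = this server raised it.
ALERT_RE = re.compile(r"TLS Alert (read|write):(\w+):(.+)")
STATE_RE = re.compile(r"TLS_accept:\s*(error in )?SSLv3 (read|write) ([a-z ]+?) A\b")

def handshake_messages(log):
    """(message name, record length in bytes) for each TLS handshake record logged."""
    return [(m.group(2), int(m.group(1), 16)) for m in HANDSHAKE_RE.finditer(log)]

def accept_states(log):
    """(failed, direction, state) for each OpenSSL accept-state line, in order."""
    return [(bool(m.group(1)), m.group(2), m.group(3)) for m in STATE_RE.finditer(log)]

def diagnose(log):
    """Short verdict on the client-certificate exchange as the server saw it."""
    alert = ALERT_RE.search(log)
    if alert:
        side = "received" if alert.group(1) == "read" else "sent"
        return f"alert-{side}:{alert.group(3).strip()}"
    states = accept_states(log)
    if not states:
        return "no-handshake"
    requested = any(d == "write" and s == "certificate request" for _, d, s in states)
    if not requested:
        return "client-cert-not-requested"  # server never asked for one
    failed, direction, state = states[-1]
    if failed and state == "client certificate":
        return "client-cert-not-accepted"   # asked, but no usable cert was read back
    if any(d == "read" and s == "client certificate" and not f for f, d, s in states):
        return "client-cert-received"
    return "stopped-at:" + direction + "-" + state.replace(" ", "-")
```

Run it over the output of `radiusd -X` to see whether the server ever sent a CertificateRequest, whether a client certificate was read back, and, for alerts, which side raised them.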