Re: Terminate PEAP on freeradius then proxy MSCHAPv2 to NPS
On 25.01.2013 16:25, Bertalan Voros wrote:
> Hi Alan,
>
> Thanks for your insight, you are absolutely correct regarding the issues. I will have to find a compromise that is acceptable to everyone.

Post somewhere, e.g. possibly on a captive portal, a link to the CA certificate with instructions on how to install it on the various systems involved.

cheers
Erich
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problems with 802.1x
Hi

on 20.11.2012 16:22, Brekler Custodio wrote:
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
> [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
> [mschap] Creating challenge hash with username: 1085
> [mschap] Told to do MS-CHAPv2 for 1085 with NT-Password
> [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] returns reject

Looks like your authentication data is missing on the server side.

cheers
Erich

smime.p7s
Description: S/MIME cryptographic signature
Re: Problems with 802.1x
Hi

on 20.11.2012 17:16, Brekler Custodio wrote:
> So you mean that my MYSQL Server has a problem with my authentication ?

I don't think you use sql for authentication, follow the advice Alan gave you and check your sites-enabled/inner-tunnel file.

cheers
Erich Titl
Re: Problems with 802.1x
on 20.11.2012 19:21, Brekler Custodio wrote:
> Thanks everyone for the help. We will be looking for a solution. The guy who takes care of our DB said that all our passwords are MD5 and he doesn't know how to change to MSCHAPv2 or how to generate it. And Windows doesn't allow us to connect on 802.1x with MD5.

Well, all you have to do is to find the credentials in the database. AFAIK FR looks them up in the radtest table with an attribute of NT-Password. If you have another table where they are located you will either need to adapt the sql query or replicate the credentials.

cheers
Erich Titl
Re: Mysql, Accounting and DialupAdmin
on 08.11.2012 09:01, Fajar A. Nugraha wrote:
> ...
>> It is a ZyXEL, so basically a black box, even to the local vendor.
>
> Just to be sure, you HAVE enabled sql in accounting section, right?

I guess the fact that I have entries in the radacct table which correspond to actual connection attempts should prove that.

mysql> select username,acctstarttime,acctstoptime,acctinputoctets from radacct;
+----------+---------------------+---------------------+-----------------+
| username | acctstarttime       | acctstoptime        | acctinputoctets |
+----------+---------------------+---------------------+-----------------+
| test     | 2012-11-07 15:09:47 | 2012-11-07 15:15:48 |               0 |
| test     | 2012-11-07 15:15:48 | 2012-11-07 15:25:02 |               0 |
| test     | 2012-11-07 15:25:32 | 2012-11-07 15:41:52 |               0 |
| test     | 2012-11-07 21:20:53 | 2012-11-07 21:24:13 |               0 |
| test     | 2012-11-07 21:41:50 | 2012-11-07 21:42:13 |               0 |
| test     | 2012-11-07 21:42:43 | 2012-11-07 21:47:14 |               0 |
| test     | 2012-11-08 07:52:42 | 2012-11-08 07:55:45 |               0 |
| test     | 2012-11-08 08:35:15 | 2012-11-08 08:50:22 |               0 |
| test     | 2012-11-08 09:56:24 | 2012-11-08 10:02:28 |               0 |
| test     | 2012-11-08 10:06:58 | 2012-11-08 10:07:23 |               0 |
| test     | 2012-11-08 10:11:31 | 2012-11-08 10:12:06 |               0 |
| test     | 2012-11-08 10:12:20 | 2012-11-08 10:12:35 |               0 |
| test     | 2012-11-08 10:12:42 | 2012-11-08 10:13:11 |               0 |
| test     | 2012-11-08 10:13:27 | 2012-11-08 10:14:38 |               0 |
| test     | 2012-11-08 10:14:51 | NULL                |               0 |
+----------+---------------------+---------------------+-----------------+

> If you want to be extra sure, run FR in debug mode, and do a login-logout using a client (e.g. notebook) to the NAS (i.e. AP). FR should print out what packets it received. If it DOESN'T show any accounting packets, then your NAS doesn't send them, or hasn't been configured to do so.

I _guess_ it shows some accounting

rad_recv: Accounting-Request packet from host 194.124.158.62 port 47037, id=165, length=135
        Acct-Session-Id = 509ACAB9-000F
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        User-Name = test
        NAS-Port = 0
        Called-Station-Id = 50-67-F0-38-A9-E5:ZyXEL
        Calling-Station-Id = 74-F0-6D-07-9B-91
        NAS-Port-Type = Wireless-802.11
        Connect-Info = CONNECT 0Mbps 802.11
# Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] WARNING: Attribute NAS-Identifier was not found in request, unique ID MAY be inconsistent
[acct_unique] Hashing 'NAS-Port = 0,,NAS-IP-Address = 194.124.158.62,Acct-Session-Id = 509ACAB9-000F,User-Name = test'
[acct_unique] Acct-Unique-Session-ID = de12b16f3f8a6cf8.
++[acct_unique] returns ok
++[files] returns noop
# Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail]        expand: %{Packet-Src-IP-Address} -> 194.124.158.62
[detail]        expand: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /usr/local/var/log/radius/radacct/194.124.158.62/detail-20121108
[detail] /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/194.124.158.62/detail-20121108
[detail]        expand: %t -> Thu Nov  8 10:22:38 2012
++[detail] returns ok
[sql]   expand: %{User-Name} -> test
[sql] sql_set_user escaped user --> 'test'
[sql]   expand: %{Acct-Delay-Time} ->
[sql] ... expanding second conditional
[sql]   expand: INSERT INTO radacct (acctsessionid,acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime,acctstoptime, acctsessiontime, acctauthentic,connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay,xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok

Erich
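Added example, not code from the thread or from FreeRADIUS: the advice above is to run radiusd -X and look for rad_recv: Accounting-Request packets. The Start packet pasted above carries no octet counters, which is normal for Acct-Status-Type = Start; Acct-Input-Octets/Acct-Output-Octets only arrive in Interim-Update and Stop packets, so those are the ones to inspect when radacct shows zeroes. The block parses the attribute lines of a debug dump into one dict per packet and reports, per Acct-Session-Id, whether a Stop was seen and whether it carried octet counters, plus the missing NAS-Identifier that acct_unique warns about. The sample dump is constructed for this example (the Start packet mirrors the one in the thread; the Stop packet and its values are made up), and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample of radiusd -X output: a Start packet like the one in the
# thread plus a made-up Stop packet for the same session. Module chatter
# between packets is ignored by the parser.
SAMPLE = """\
rad_recv: Accounting-Request packet from host 194.124.158.62 port 47037, id=165, length=135
        Acct-Session-Id = "509ACAB9-000F"
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        User-Name = "test"
        NAS-Port = 0
        Called-Station-Id = "50-67-F0-38-A9-E5:ZyXEL"
        Calling-Station-Id = "74-F0-6D-07-9B-91"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 0Mbps 802.11"
# Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
++[preprocess] returns ok
[acct_unique] WARNING: Attribute NAS-Identifier was not found in request, unique ID MAY be inconsistent
rad_recv: Accounting-Request packet from host 194.124.158.62 port 47037, id=166, length=160
        Acct-Session-Id = "509ACAB9-000F"
        Acct-Status-Type = Stop
        User-Name = "test"
        Acct-Session-Time = 361
        Acct-Terminate-Cause = User-Request
        NAS-Port-Type = Wireless-802.11
"""

HEADER = re.compile(
    r"^rad_recv: (?P<code>[\w-]+) packet from host (?P<host>\S+) port (?P<port>\d+), id=(?P<id>\d+)")
ATTR = re.compile(r"^\s+(?P<name>[\w-]+) = (?P<value>.*)$")


def parse_packets(text):
    """One dict per rad_recv packet: header fields (prefixed with '_') plus
    every indented 'Attribute = value' line that follows the header."""
    packets = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            packets.append({"_code": m["code"], "_host": m["host"], "_id": int(m["id"])})
            continue
        m = ATTR.match(line)
        if m and packets:
            packets[-1][m["name"]] = m["value"].strip('"')
    return packets


def audit_accounting(packets):
    """Group Accounting-Requests by Acct-Session-Id and list what each session
    lacks. Octet counters are expected on Interim-Update/Stop only, never on Start."""
    sessions = defaultdict(lambda: {"types": [], "octets": False, "nas_identifier": True})
    for p in packets:
        if p["_code"] != "Accounting-Request":
            continue
        s = sessions[p.get("Acct-Session-Id", "?")]
        status = p.get("Acct-Status-Type", "?")
        s["types"].append(status)
        if "NAS-Identifier" not in p:
            s["nas_identifier"] = False
        if status in ("Stop", "Interim-Update"):
            s["octets"] = "Acct-Input-Octets" in p and "Acct-Output-Octets" in p
    findings = {}
    for sid, s in sessions.items():
        problems = []
        if "Stop" not in s["types"]:
            problems.append("no Stop packet seen")
        elif not s["octets"]:
            problems.append("Stop/Interim packets carry no Acct-Input/Output-Octets")
        if not s["nas_identifier"]:
            problems.append("NAS-Identifier missing (acct_unique IDs may be inconsistent)")
        findings[sid] = problems
    return findings


if __name__ == "__main__":
    for sid, probs in audit_accounting(parse_packets(SAMPLE)).items():
        print(sid, "->", probs or ["ok"])
```

Feed it the real debug log with `parse_packets(open("radiusd.log").read())`; a session that reports "no Stop packet seen" after a clean logout means the NAS never sent the Stop, while a Stop without octet counters means the NAS sends accounting but does not count traffic, which is what the zero columns in radacct would look like.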
Accounting and DialupAdmin
Hi gents

FR 2.0

I added a user to my database using the dialup_admin interface. The radcheck table shows the following

mysql> select * from radcheck
    -> ;
+----+----------+---------------+----+------------------------------------+
| id | username | attribute     | op | value                              |
+----+----------+---------------+----+------------------------------------+
|  2 | test     | NT-Password   | := | 7CE21F17C0AEE7FB9CEBA532D0546AD6   |
|  4 | test1    | User-Password | := | $1$SQZqMcWE$doZxYeK1Sb24QQJvmYpYm0 |
+----+----------+---------------+----+------------------------------------+

Now this is interesting. I can log in using the test account with the NT-Password attribute. The one created by dialup_admin with the name of test1 and the attribute User-Password cannot be used from the same M$ Windows 7 PC, as was to be expected from the compatibility table. I looked into admin.conf and found

#
# can be one of crypt,md5,clear
#
general_encryption_method: crypt

this appears to be used by the GUI. Now with MSCHAP this appears not to work simply out of the box. Does one need to hack that code or is there a canonical way to be used for M$ W7 (P)EAP authentication?

Thanks
Erich
Re: Accounting and DialupAdmin
Alan

on 08.11.2012 19:10, Alan DeKok wrote:
> Erich Titl wrote:
>> #
>> # can be one of crypt,md5,clear
>> #
>> general_encryption_method: crypt
>>
>> this appears to be used by the GUI
>> Now with MSCHAP this appears not to work simply out of the box. Does one need to hack that code or is there a canonical way to be used for M$ W7 (P)EAP authentication?
>
> Change that from crypt to clear. Then PEAP will work.

Yes, I know, if I also change the attribute to Cleartext-Password. Any plans to support NT-Password hashes?

Thanks
Erich Titl
Re: Accounting and DialupAdmin
Hi Alan on 08.11.2012 21:06, Alan DeKok wrote: Erich Titl wrote: Yes, I know if I also change the attribute to Cleartext-Password. Any plans to support NT-Password hashes? In dialup_admin? Send a patch. This works for me diff -urN freeradius-server-2.2.0.orig/dialup_admin/conf/admin.conf freeradius-server-2.2.0/dialup_admin/conf/admin.conf --- freeradius-server-2.2.0.orig/dialup_admin/conf/admin.conf 2012-11-09 07:30:40.0 +0100 +++ freeradius-server-2.2.0/dialup_admin/conf/admin.conf 2012-11-09 07:44:28.0 +0100 @@ -133,7 +133,7 @@ general_radius_server_secret: XX general_auth_request_file: %{general_base_dir}/conf/auth.request # -# can be one of crypt,md5,clear +# can be one of crypt,md5,clear,smbpass # general_encryption_method: crypt # diff -urN freeradius-server-2.2.0.orig/dialup_admin/lib/crypt/smbpass.php freeradius-server-2.2.0/dialup_admin/lib/crypt/smbpass.php --- freeradius-server-2.2.0.orig/dialup_admin/lib/crypt/smbpass.php 1970-01-01 01:00:00.0 +0100 +++ freeradius-server-2.2.0/dialup_admin/lib/crypt/smbpass.php 2012-11-09 07:43:43.0 +0100 @@ -0,0 +1,6 @@ +?php +function da_encrypt($Input) { + // shamelessly taken from php.net + return(strtoupper(hash('md4',iconv('UTF-8','UTF-16LE',$Input; +} +? cheers Erich Titl smime.p7s Description: S/MIME Kryptografische Unterschrift - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
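Review bot: the admin.conf hunk adds smbpass to the list of accepted general_encryption_method values but does not say which radcheck attribute the resulting value must be stored under; an NT hash written as User-Password (the attribute dialup_admin produced for test1 earlier in this thread) will not satisfy MS-CHAPv2, only NT-Password will. Extend the comment, e.g. `# smbpass: NT hash for MS-CHAP clients; must be stored as NT-Password, not User-Password`, or point to where the attribute name is chosen.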
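Review bot: as posted, the return line in smbpass.php is missing its closing parentheses (`return(strtoupper(hash('md4',iconv('UTF-8','UTF-16LE',$Input;` needs to end `$Input))));`), so the file would not parse. iconv() also returns false for input it cannot convert, and hash() would then silently hash an empty string and produce a valid-looking but wrong hash; check the iconv() result before hashing and fail loudly. A one-line comment stating that the output is the uppercase hex MD4 of the UTF-16LE password, i.e. the NT hash format shown in the NT-Password rows earlier in this thread, would also help the next reader.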
Mysql, Accounting and DialupAdmin
Hi Folks

I succeeded in getting my setup running with FR 2.2.0 and MySQL, e.g. I can connect through a ZyXEL NWA 3160 using credentials in the MySQL database using a M$ Windows 7 client.

Everything is still quite raw and blurry to me. Could someone point me to the right docs for the following?

1) I had to enter cleartext passwords into the mysql database, apparently other formats were not accepted

2) I could see login and logout information, but no data usage, e.g. download and upload sizes appear to be zeroes.

mysql> select username,acctstarttime,acctstoptime,acctoutputoctets,acctoutputoctets from radacct;
+----------+---------------------+---------------------+------------------+------------------+
| username | acctstarttime       | acctstoptime        | acctoutputoctets | acctoutputoctets |
+----------+---------------------+---------------------+------------------+------------------+
| test     | 2012-11-07 15:09:47 | 2012-11-07 15:15:48 |                0 |                0 |
| test     | 2012-11-07 15:15:48 | 2012-11-07 15:25:02 |                0 |                0 |
| test     | 2012-11-07 15:25:32 | 2012-11-07 15:41:52 |                0 |                0 |
+----------+---------------------+---------------------+------------------+------------------+

Thanks for hints
Erich Titl
Re: Mysql, Accounting and DialupAdmin
Hi Fajar

on 08.11.2012 03:35, Fajar A. Nugraha wrote:
> On Wed, Nov 7, 2012 at 10:16 PM, Erich Titl erich.t...@think.ch wrote:
>> Hi Folks
>>
>> I succeeded in getting my setup running with FR 2.2.0 and MySQL, e.g. I can connect through a ZyXEL NWA 3160 using credentials in the MySQL database using a M$ Windows 7 client.
>>
>> Everything is still quite raw and blurry to me. Could someone point me to the right docs for the following?
>>
>> 1) I had to enter cleartext passwords into the mysql database, apparently other formats were not accepted
>
> Because you use Windows client, which defaults to EAP-MSCHAPv2. See http://deployingradius.com/documents/protocols/compatibility.html
>
> If your main concern is "I don't want to store cleartext password in db", you should be able to use NT-Password. Search the list archive, there's a recent thread about this.

Thanks, I read that URL, actually that one guided me to enter a Cleartext Password at all.

mysql> select * from radcheck;
+----+----------+--------------------+----+----------------------------------+
| id | username | attribute          | op | value                            |
+----+----------+--------------------+----+----------------------------------+
|  1 | test     | MD5-Password       | := | 81dc9bdb52d04dc20036dbd8313ed055 |
|  2 | test     | NT-Password        | := | 7CE21F17C0AEE7FB9CEBA532D0546AD6 |
|  3 | test     | Cleartext-Password | := | 1234                             |
+----+----------+--------------------+----+----------------------------------+

>> 2) I could see login and logout information, but no data usage, e.g. download and upload sizes appear to be zeroes.
>
> Some NAS (e.g. AP's flashed with dd-wrt) simply doesn't send accounting packets. Blame your NAS :P

:-( Do you have a recommendation for AP's that pass this information?

> ... or to be more accurate, look at your NAS documentation (or ask the vendor) how to get it to send accounting packets.

It is a ZyXEL, so basically a black box, even to the local vendor.

Thanks
Erich
Re: Mysql, Accounting and DialupAdmin
Hi Fajar

on 08.11.2012 08:16, Fajar A. Nugraha wrote:
> ...
> IIRC only one of them will be used. I suggest you drop MD5 (since it's useless for your purpose) and Cleartext (you don't want that, right?) and verify you use the correct NT-Password (use smbencrypt if you haven't already done so)

Yes, it appears that authentication using NT-Password hash works fine for M$. What would be the least common setting in a multi vendor environment? I guess OSX, for example, is using a different protocol.

>> 2) I could see login and logout information, but no data usage, e.g. download and upload sizes appear to be zeroes.
> ...
>> It is a ZyXEL, so basically a black box, even to the local vendor.
>
> Then blame the vendor. Seriously. Why would you want to use something that even the local vendor can't support?

I am in an evaluation phase and this is a vendor with widespread acceptance here. Finding such a weakness is important as we will probably drop the product then. Unfortunately not everyone is really comfortable with open source products. This is just the kind of reality the vendors try to lock us into.

Thanks
Erich
No luck connecting from a ZyXEL NWA3160-N AP
        Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
.

and the CA cert

luna:/usr/local/etc/raddb/certs # openssl x509 -in Think_CA.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=CH, L=Stallikon, O=THINK, OU=CA Section, CN=Think CA/emailAddress=c...@think.ch
        Validity
            Not Before: Sep 16 17:00:07 2004 GMT
            Not After : Sep 14 17:00:07 2014 GMT
        Subject: C=CH, L=Stallikon, O=THINK, OU=CA Section, CN=Think CA/emailAddress=c...@think.ch
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
...

If you need the full output of radiusd, let me know. Maybe someone can give me a push in the right direction.

Thanks
Erich Titl
Re: No luck connecting from a ZyXEL NWA3160-N AP
Hi Phil

on 02.11.2012 16:10, Phil Mayers wrote:
> On 02/11/12 14:56, Erich Titl wrote:
>> authenticating against a MySQL database appears to work fine using radtest
>
> This is not really a good test. radtest is sending pap. Download the wpa_supplicant sources and compile eapol_test.
>
>> I connected a ZyXEL NWA 3160-N (latest Firmware), generated a certificate request, signed it using XCA and reimported it on the AP.
>
> Why does the AP need a cert?

IMHO it does not, but it has one

>> [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
>> TLS Alert read:fatal:unknown CA
>> TLS_accept: failed in SSLv3 read client certificate A
>> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>> .
>> There appears to be something wrong with the client certificate passed by the AP in the eap conversation. I double-checked the certificates and googled my fingers raw on this.
>
> No. This is a message *from* the client saying it doesn't trust the *radius server* certificate.

A... very interesting, so the client rejects the certificate

> You haven't imported your CA on the client properly.

M... sounds reasonable, just that the AP does not appear to want to import the CA cert, because it wants a corresponding cert request.

Thanks a lot, this appears to be just the push that I needed.

Erich