Re: Thanks

2004-02-25 Thread José Luis Solano


Hi all!

Of course Jean-Paul, the problem was in my LDAP, I have changed my own LDAP
configuration and freeradius works correctly with TTLS and TLS, but I have
not changed anything in my freeradius configurations. So, thanks for your
help!!


José Luis Solano
[EMAIL PROTECTED]
(+34) 954.088.060


- Original Message -
From: Jean-Paul Chapalain [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, February 25, 2004 9:58 AM
Subject: Re: Thanks


 Great, but could you say more !!!

 José Luis Solano wrote:
 
  Thanks, my freeradius runs.
 
 
 
 
  José Luis Solano
 
 

 Jean-Paul.
 --
 --  Jean-Paul Chapalain - GICM -  Resp. Reseaux et Infrastructure
 --  32 rue Mirabeau - Le Relecq-Kerhuon - 29808 Brest Cedex 9, FRANCE
 --  Tel +33298002873 - Fax +33298284005 - [EMAIL PROTECTED]
 --  Key Fingerprint: 192C 1CFE F24A 050D F280 A086 AF15 8631 3ABB 4C7D



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


XSupplicant client with TTLS

2004-02-25 Thread José Luis Solano
Hi all, I'm here again ;)


Does anybody use the XSupplicant client with TTLS?

Does anybody know if XSupplicant works OK with TTLS?


Please, if there is some guy who works with XSupplicant, I need help!!!


Thanks

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060




Re: AlfaAriss Client Heeeeeeeeeeeeelp!!!!!!!

2004-02-24 Thread José Luis Solano
Message-Authenticator = 0x3802f12111d5ab22325d397383592df9
modcall: entering group authorize for request 8
  modcall[authorize]: module preprocess returns ok for request 8
  modcall[authorize]: module chap returns noop for request 8
  modcall[authorize]: module mschap returns noop for request 8
rlm_realm: No '@' in User-Name = a0153, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 8
  rlm_eap: EAP packet type response id 6 length 71
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 8
users: Matched a0153 at 4
  modcall[authorize]: module files returns ok for request 8
rlm_ldap: - authorize
rlm_ldap: performing user authorization for a0153
radius_xlat:  '(uid=a0153)'
radius_xlat:  'ou=Wireless,dc=sgi,dc=es'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Wireless,dc=sgi,dc=es, with filter
(uid=a0153)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns notfound for request 8
modcall: group authorize returns updated for request 8
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate for request 8
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  eaptls_process returned 7
  rlm_eap_ttls: Session established.  Proceeding to decode tunneled
attributes.
  TTLS: Got tunneled request
User-Name = a0153
User-Password = izadisan
FreeRADIUS-Proxied-To = 127.0.0.1
  TTLS: Sending tunneled request
User-Name = a0153
User-Password = izadisan
FreeRADIUS-Proxied-To = 127.0.0.1
modcall: entering group authorize for request 8
  modcall[authorize]: module preprocess returns ok for request 8
  modcall[authorize]: module chap returns noop for request 8
  modcall[authorize]: module mschap returns noop for request 8
rlm_realm: No '@' in User-Name = a0153, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 8
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 8
users: Matched a0153 at 4
  modcall[authorize]: module files returns ok for request 8
rlm_ldap: - authorize
rlm_ldap: performing user authorization for a0153
radius_xlat:  '(uid=a0153)'
radius_xlat:  'ou=Wireless,dc=sgi,dc=es'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Wireless,dc=sgi,dc=es, with filter
(uid=a0153)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns notfound for request 8
modcall: group authorize returns ok for request 8
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
  TTLS: Got tunneled reply RADIUS code 3
  TTLS: Got tunneled Access-Reject
 rlm_eap: Handler failed in EAP/ttls
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module eap returns invalid for request 8
modcall: group authenticate returns invalid for request 8
auth: Failed to validate the user.
Delaying request 8 for 1 seconds
Finished request 8
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 13 with timestamp 403b1a6c
Cleaning up request 4 ID 14 with timestamp 403b1a6c
Cleaning up request 5 ID 15 with timestamp 403b1a6c
Cleaning up request 6 ID 16 with timestamp 403b1a6c
Cleaning up request 7 ID 17 with timestamp 403b1a6c
Sending Access-Reject of id 18 to 192.168.49.252:1225
EAP-Message = 0x04060004
Message-Authenticator = 0x
Cleaning up request 8 ID 18 with timestamp 403b1a6c
Nothing to do.  Sleeping until we see a request.

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060




Re: AlfaAriss Client Heeeeeeeeeeeeelp!!!!!!!

2004-02-24 Thread José Luis Solano
...
rad_recv: Access-Request packet from host 192.168.49.252:1225, id=3,
length=144
User-Name = 991
NAS-IP-Address = 192.168.49.252
NAS-Port = 0
Called-Station-Id = 00-80-C8-01-01-55
Calling-Station-Id = 00-0B-46-26-1C-44
NAS-Identifier = DWL-1000AP+
Framed-MTU = 1380
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x02010010013939393939393939393931
Message-Authenticator = 0x43aba66dea12643188e55a3130b4e1cd
modcall: entering group authorize for request 11
  modcall[authorize]: module preprocess returns ok for request 11
  modcall[authorize]: module chap returns noop for request 11
  modcall[authorize]: module mschap returns noop for request 11
rlm_realm: No '@' in User-Name = 991, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 11
  rlm_eap: EAP packet type response id 1 length 16
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 11
users: Matched DEFAULT at 16
  modcall[authorize]: module files returns ok for request 11
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 991
radius_xlat:  '(uid=991)'
radius_xlat:  'ou=Wireless,dc=sgi,dc=es'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Wireless,dc=sgi,dc=es, with filter
(uid=991)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns notfound for request 11
modcall: group authorize returns updated for request 11
  rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
modcall: entering group Auth-Type for request 11
rlm_ldap: - authenticate
rlm_ldap: Attribute User-Password is required for authentication.
  modcall[authenticate]: module ldap returns invalid for request 11
modcall: group Auth-Type returns invalid for request 11
auth: Failed to validate the user.
Delaying request 11 for 1 seconds
Finished request 11
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 10 ID 2 with timestamp 403b2142
Sending Access-Reject of id 3 to 192.168.49.252:1225
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 11 ID 3 with timestamp 403b2146
Nothing to do.  Sleeping until we see a request.



José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060




Re: AlfaAriss Client Heeeeeeeeeeeeelp!!!!!!!

2004-02-24 Thread José Luis Solano
Hi Jean-Paul,


have you seen the freeradius logs and my LDAP configuration?

How many attributes does LDAP need?
How does freeradius get the password?


Thanks a lot and sorry if I ask a lot





José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
- Original Message -
From: Jean-Paul Chapalain [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 24, 2004 11:31 AM
Subject: Re: AlfaAriss Client Help!!!



 Hi José,

 José Luis Solano wrote:
  Hi Jean-Paul!!!
 
 
  I have your configuration in my freeradius-snapshot-20040222 but I have
the
  following error: (see freeradius logs please). I don't understand the
  configuration of users file:
  #-
  # Connexion 801.x
  a0153  What is it?
 
 It's a user of my Ldap back-End.

  # a0292 :  Define the user for 802.1x Authentication
  #-
  a0292 == What is it?
 
  # a0292 :  Define the user for 802.1x Authentication
  #-
  9991  I have added, but I don't know why
exactly???
  :(
 
  # By default use Ldap for authentication
  #-
  DEFAULT Auth-Type := LDAP
 Ldap is the default authentication method.


 Regards,
 Jean-Paul.
 --
 --  Jean-Paul Chapalain - GICM -  Resp. Reseaux et Infrastructure
 --  32 rue Mirabeau - Le Relecq-Kerhuon - 29808 Brest Cedex 9, FRANCE
 --  Tel +33298002873 - Fax +33298284005 - [EMAIL PROTECTED]
 --  Key Fingerprint: 192C 1CFE F24A 050D F280 A086 AF15 8631 3ABB 4C7D





LDAP structure

2004-02-24 Thread José Luis Solano

Hi all,

I use EAP/TTLS and an LDAP server to store the users.
What is the structure in my LDAP?
Do I need specific attributes in my LDAP (userPassword, etc.)?
Do I need to change any schema files
(RADIUS-LDAP.schema, RADIUS-LDAPv3.schema, RADIUS-SQL.schema)?


Thanks in advance



José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060




EAP-TTLS error

2004-02-24 Thread José Luis Solano
 NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 5
  rlm_eap: EAP packet type response id 6 length 79
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 5
users: Matched DEFAULT at 152
  modcall[authorize]: module files returns ok for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 9991
radius_xlat:  '(uid=9991)'
radius_xlat:  'ou=Wireless,dc=sgi,dc=es'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Wireless,dc=sgi,dc=es, with filter
(uid=9991)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusAuthType as Auth-Type, value EAP  op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user 9991 authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 5
modcall: group authorize returns updated for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate for request 5
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  eaptls_process returned 7
  rlm_eap_ttls: Session established.  Proceeding to decode tunneled
attributes.
  TTLS: Got tunneled request
User-Name = 9991
User-Password = izadisan
FreeRADIUS-Proxied-To = 127.0.0.1
  TTLS: Sending tunneled request
User-Name = 9991
User-Password = izadisan
FreeRADIUS-Proxied-To = 127.0.0.1
NAS-IP-Address = 192.168.49.252
NAS-Port = 0
Called-Station-Id = 00-80-C8-01-01-55
Calling-Station-Id = 00-0B-46-26-1C-44
NAS-Identifier = DWL-1000AP+
Framed-MTU = 1380
NAS-Port-Type = Wireless-802.11
modcall: entering group authorize for request 5
  modcall[authorize]: module preprocess returns ok for request 5
  modcall[authorize]: module chap returns noop for request 5
  modcall[authorize]: module mschap returns noop for request 5
rlm_realm: No '@' in User-Name = 9991, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 5
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 5
users: Matched DEFAULT at 152
  modcall[authorize]: module files returns ok for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 9991
radius_xlat:  '(uid=9991)'
radius_xlat:  'ou=Wireless,dc=sgi,dc=es'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Wireless,dc=sgi,dc=es, with filter
(uid=9991)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusAuthType as Auth-Type, value EAP  op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user 9991 authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 5
modcall: group authorize returns ok for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate for request 5
rlm_eap: EAP-Message not found
rlm_eap: Malformed EAP Message
  modcall[authenticate]: module eap returns fail for request 5
modcall: group authenticate returns fail for request 5
auth: Failed to validate the user.
  TTLS: Got tunneled reply RADIUS code 3
  TTLS: Got tunneled Access-Reject
 rlm_eap: Handler failed in EAP/ttls
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module eap returns invalid for request 5
modcall: group authenticate returns invalid for request 5
auth: Failed to validate the user.
Delaying request 5 for 1 seconds
Finished request 5
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 5 with timestamp 403b7974
Sending Access-Reject of id 6 to 192.168.49.252:1225
EAP-Message = 0x04060004
Message-Authenticator = 0x
Cleaning up request 5 ID 6 with timestamp 403b7974
Nothing to do.  Sleeping until we see a request.

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060




Thanks

2004-02-24 Thread José Luis Solano




Thanks, my freeradius runs.




José Luis Solano



Re: AlfaAriss Client Heeeeeeeeeeeeelp!!!!!!!

2004-02-23 Thread José Luis Solano

Hi Jean-Paul,

As you know, I'm fighting with my freeradius to run EAP/TTLS.

I use Secure W2 client and LDAP, so could you (Jean-Paul) send me your
configuration, please?

I would need:
-do I need to change anything when I install freeradius?
-Modules eap, authorize, authenticate and ldap in radiusd.conf
-users file configuration
-have you changed anything in dictionary file?


Thanks in advance


José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
- Original Message -
From: Jean-Paul Chapalain [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, February 20, 2004 4:14 PM
Subject: Re: AlfaAriss Client Help!!!


 Hi Tom,

 Tom Rixom wrote:
  Sorry about the previous email wasn't awake yet... here is a repost:
 
  Hello,
 
  If your LDAP back-end uses encrypted passwords certain authentication
  methods cannot be used.
 
  PEAP-EAP-MSCHAPV2 for example requires either clear-text passwords or
  Microsoft NT HASH passwords. I am not sure about LEAP.
 
  Because SecureW2 v1 sends over the password in the clear it can be used
  on any kind of database encryption there is.
 
  Are you using encryption in your LDAP database?

 I'm using Active Directory, which encrypts the password.
 
  Tom Rixom
  Alfa  Ariss
 

 Today, I succeeded with a configuration of FreeRadius for EAP/TTLS (PAP)
 (SecureW2 client on Windows) which runs with user/password check on an
 Ldap back-end (AD).

 But EAP/PEAP and EAP/LEAP challenges use MS-CHAP or MS-CHAPv2 for
 hashing. So FreeRadius can't retrieve the clear-text password from packets
 and can't perform the check on the Ldap back-end.
 Do you agree with this?

 I'm searching for a solution to authenticate LEAP clients (Mac OSX) with
 FreeRadius and an Ldap back-end.

 Regards,

 Jean-Paul.



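The point Tom Rixom and Jean-Paul make in the quoted exchange, that a password sent in the clear inside the TTLS tunnel (PAP) can be checked against any one-way hash in the directory, while challenge-response methods (CHAP, MS-CHAPv2, LEAP) need the cleartext or an NT hash on the server side, worked through in Python. This is an added example, not code from the thread or from FreeRADIUS or SecureW2; it models OpenLDAP-style {SSHA} and {CLEARTEXT} userPassword values and uses RFC 1994 CHAP (MD5) as the stand-in challenge-response method because MS-CHAPv2 needs DES, which the standard library lacks; the password and salt are constructed.

```python
import base64
import hashlib
import os
import secrets
from typing import List, Optional, Tuple

# Simulated LDAP userPassword values in OpenLDAP's RFC 2307 style (constructed):
#   {SSHA}base64(sha1(password + salt) + salt)  one-way salted hash
#   {CLEARTEXT}password                          plain secret
#   {NT}hex(md4(utf16le(password)))              NT hash; only its meaning is modelled here


def store_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Hash a password the way OpenLDAP's {SSHA} scheme does."""
    salt = salt if salt is not None else os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def store_cleartext(password: str) -> str:
    return "{CLEARTEXT}" + password


def split_scheme(stored: str) -> Tuple[str, str]:
    """'{SSHA}abc' -> ('SSHA', 'abc')."""
    scheme, _, value = stored[1:].partition("}")
    return scheme.upper(), value


def verify_pap(stored: str, cleartext: str) -> bool:
    """EAP-TTLS/PAP: the cleartext password arrives inside the TLS tunnel,
    so the server can re-hash it and compare against any one-way scheme."""
    scheme, value = split_scheme(stored)
    if scheme == "CLEARTEXT":
        return secrets.compare_digest(value.encode("utf-8"), cleartext.encode("utf-8"))
    if scheme == "SSHA":
        raw = base64.b64decode(value)
        digest, salt = raw[:20], raw[20:]
        candidate = hashlib.sha1(cleartext.encode("utf-8") + salt).digest()
        return secrets.compare_digest(candidate, digest)
    raise ValueError(f"unsupported scheme {scheme}")


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response = MD5(id | secret | challenge), computed by the client."""
    return hashlib.md5(bytes([ident]) + password.encode("utf-8") + challenge).digest()


def verify_chap(stored: str, ident: int, challenge: bytes, response: bytes) -> Optional[bool]:
    """Challenge-response: the server must recompute the response from the
    stored secret.  With only a salted hash on file that is impossible, so the
    result is None (undecidable) rather than False.  MS-CHAPv2 and LEAP have the
    same shape; they accept an NT hash instead of cleartext, CHAP does not."""
    scheme, value = split_scheme(stored)
    if scheme != "CLEARTEXT":
        return None
    return secrets.compare_digest(chap_response(ident, value, challenge), response)


def usable_inner_methods(stored: str) -> List[str]:
    """Which inner authentication methods the server can verify for this entry."""
    scheme, _ = split_scheme(stored)
    methods = ["TTLS/PAP"]            # works with every storage scheme
    if scheme == "CLEARTEXT":
        methods += ["CHAP", "PEAP/MS-CHAPv2", "LEAP"]
    elif scheme == "NT":              # an NT hash suffices for the MS-CHAP family
        methods += ["PEAP/MS-CHAPv2", "LEAP"]
    return methods


if __name__ == "__main__":
    pw = "example-pw"                  # constructed password, not the one in the thread
    for entry in (store_ssha(pw, salt=b"\x01\x02\x03\x04"), store_cleartext(pw)):
        chal = os.urandom(16)
        print(entry.split("}")[0] + "}",
              "PAP:", verify_pap(entry, pw),
              "CHAP:", verify_chap(entry, 1, chal, chap_response(1, pw, chal)),
              "usable:", usable_inner_methods(entry))
```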


Re: AlfaAriss Client question

2004-02-23 Thread José Luis Solano
Hi Arthur,


I think Alfa·ariss client is free for your personal usage, but you can't
distribute it.

Regards.


José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060



- Original Message -
From: Artur Hecker [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, February 23, 2004 10:39 AM
Subject: Re: AlfaAriss Client question


 hi tom


 thanks for the clarification. me for my part i also tested it here and i
 confirm that it also works for me (alfaariss, cisco 350, win XP; cisco
 aps 1100/1200; freeradius ttls).

 tom, do you have any idea about legal issues with the alfaariss client?
 is it free, can i use it in an university? do i need a license? or
  supposing that i have a business, can i install it in my client's network?


 thanks,
 artur



 Tom Rixom wrote:
  Hi,
 
  If you are having trouble with the cisco card under W2K try using the
fake key trick.
 
  Just fill in a random WEP key (this also allows you to choose the WEP
key size)
  and this will allow the authentication to proceed. After authentication
the
  WEP key is overridden with the correct dynamic key and everything
works.
 
  I have tested Cisco 350 cards on Windows XP Windows 2000 and Windows CE
  and they all worked (Using Cisco 350 1100 and 1200)
 
  Regards,
 
  Tom Rixom
  SecureW2
  Alfa  Ariss
 
  -Original Message-
  From: Artur Hecker [mailto:[EMAIL PROTECTED]
  Sent: Sun 22-2-2004 12:05
  To: [EMAIL PROTECTED]
  CC:
  Subject: Re: AlfaAriss Client question
 
 
 
 







Re: AlfaAriss Client Heeeeeeeeeeeeelp!!!!!!!

2004-02-23 Thread José Luis Solano

Hi lionel!


Thanks a lot, of course and please send me your radiusd.conf. You can
use my personal email [EMAIL PROTECTED]


In the users file, what do I need to change?



Thanks a lot again Lionel!!!



José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
- Original Message -
From: Lionel Gavage [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, February 23, 2004 10:42 AM
Subject: RE: AlfaAriss Client Help!!!


 Hi José,

 I can send you my radius.conf configuration, where EAP/TTLS with LDAP
 works with the SecureW2 client.

 Lionel.


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] on behalf of José
 Luis Solano
 Sent: Monday, 23 February 2004 10:11
 To: [EMAIL PROTECTED]
 Subject: Re: AlfaAriss Client Help!!!








Re: AlfaAriss Client question

2004-02-23 Thread José Luis Solano
Hi Arthur,

Currently there are three clients available:

**XSupplicant: Linux, I don't know if the last version works correctly with
TTLS. Free.
**SecureW2: Windows, TTLS (pap). Free for personal usage.
**AEGISClient: Windows and Linux, Not free.


Regards.


José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060


- Original Message -
From: Artur Hecker [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, February 23, 2004 11:00 AM
Subject: Re: AlfaAriss Client question


 thanks jose


 i've just read the agreement on their site. it's free for the personal
 use. however, i don't want to install it in the university's network. we
 will probably propose the TTLS access here. well, i personally don't
 know any other available TTLS clients for windows. so i suppose that the
 students (at least the Windows-users among them) will use Alfa-Ariss -
 any of them at a personal basis, since i won't install anything in the
 network.

 i just ask myself if it's completely ok for AA, that's all. because
 otherwise we will need to develop it.


 ciao
 artur







Re: AlfaAriss Client Heeeeeeeeeeeeelp!!!!!!!

2004-02-23 Thread José Luis Solano
Thanks Alan!!!


José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, February 23, 2004 3:18 PM
Subject: Re: AlfaAriss Client Help!!!


 José Luis Solano [EMAIL PROTECTED] wrote:
  -have you changed anything in dictionary file?

   Don't edit the dictionary files.  99.9% of the time, it's the
 wrong thing to do.

   Alan DeKok.






Re: AlfaAriss Client Heeeeeeeeeeeeelp!!!!!!!

2004-02-23 Thread José Luis Solano
 request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 21 ID 10 with timestamp 403a2284
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 11 to 192.168.49.252:1225
Reply-Message += Password Has Expired\r\n
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 192.168.49.252:1225, id=12,
length=146
User-Name = 8881
NAS-IP-Address = 192.168.49.252
NAS-Port = 0
Called-Station-Id = 00-80-C8-01-01-55
Calling-Station-Id = 00-0B-46-26-1C-44
NAS-Identifier = DWL-1000AP+
Framed-MTU = 1380
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201001101383838383838383838383831
Message-Authenticator = 0xe2a546a1d8596e1437b9d629a2e8a7de
modcall: entering group authorize for request 23
  modcall[authorize]: module preprocess returns ok for request 23
  modcall[authorize]: module chap returns noop for request 23
  modcall[authorize]: module mschap returns noop for request 23
rlm_realm: No '@' in User-Name = 8881, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 23
  rlm_eap: EAP packet type response id 1 length 17
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 23
users: Matched DEFAULT at 152
  modcall[authorize]: module files returns ok for request 23
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 8881
radius_xlat:  '(uid=8881)'
radius_xlat:  'ou=Wireless,dc=sgi,dc=es'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Wireless,dc=sgi,dc=es, with filter
(uid=8881)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusExpiration as Expiration, value 22  op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value EAP  op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user 8881 authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 23
modcall: group authorize returns updated for request 23
auth: Failed to validate the user.
Delaying request 23 for 1 seconds
Finished request 23
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 22 ID 11 with timestamp 403a2289
Sending Access-Reject of id 12 to 192.168.49.252:1225
Reply-Message += Password Has Expired\r\n
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 23 ID 12 with timestamp 403a228d
Nothing to do.  Sleeping until we see a request.




José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
- Original Message -
From: José Luis Solano [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, February 23, 2004 4:06 PM
Subject: Re: AlfaAriss Client Help!!!







Authorize and Authenticate with FILES: auth: Failed to validate the user

2004-02-20 Thread José Luis Solano

Hi all!!!


I have installed freeradius-snapshot-20040216 with redhat 9.
I use AlfaAriss client under Windows XP, cisco pcmcia card on my laptop.

I use FILES to authorize and authenticate, but TTLS doesn't run OK.

Any idea?? Please help?? (Alan, Lionel, Jean-Paul, please)


freeradius logs
--
[EMAIL PROTECTED] raddb]# rad_recv: Access-Request packet from host 192.168.49.252:1225, id=41, length=140
User-Name = "anonymous"
NAS-IP-Address = 192.168.49.252
NAS-Port = 0
Called-Station-Id = "00-80-C8-01-01-55"
Calling-Station-Id = "00-0B-46-26-1C-44"
NAS-Identifier = "DWL-1000AP+"
Framed-MTU = 1380
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201000e01616e6f6e796d6f7573
Message-Authenticator = 0xd46c99136b226ede9c334c88dfb2fa91
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "files" returns notfound for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 41 to 192.168.49.252:1225
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 41 with timestamp 4035e87f
Nothing to do. Sleeping until we see a request.



users file
-
sgisev  Auth-Type := Local, User-Password == "12345678"

DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP


radiusd.conf
-
eap {
        default_eap_type = tls
        timer_expire = 60
        ignore_unknown_eap_types = no

        md5 {
        }
        leap {
        }

        tls {
                private_key_password = izadisan
                private_key_file = /usr/local/openssl/ssl/certs/server/server.pem
                certificate_file = /usr/local/openssl/ssl/certs/server/server.pem
                CA_file = /usr/local/openssl/ssl/certs/ca/ca.pem
                dh_file = /usr/local/openssl/ssl/certs/dh
                random_file = /usr/local/openssl/ssl/certs/random
                fragment_size = 1024
                include_length = yes
        }
        ttls {
                default_eap_type = md5
                copy_request_to_tunnel = no
                use_tunneled_reply = no
        }
}





José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060


Re: Authorize and Authenticate with FILES: auth: Failed to validate the user

2004-02-20 Thread José Luis Solano




Sorry, and my authorize and authenticate modules in radiusd.conf are:

authorize {
        preprocess

        # Read the 'users' file
        files
}


authenticate {
        Auth-Type PAP {
                pap
        }
}



José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

  - Original Message -
  From: José Luis Solano
  To: [EMAIL PROTECTED]
  Sent: Friday, February 20, 2004 12:15 PM
  Subject: Authorize and Authenticate with FILES: "auth: Failed to validate the user"


  Hi all!!!


  I have installed freeradius-snapshot-20040216 with redhat 9.
  I use AlfaAriss client under Windows XP, cisco pcmcia card on my laptop.

  I use FILES to authorize and authenticate, but TTLS doesn't run ok.

  any idea?? please help?? (Alan, Lionel, Jean-Paul, please)
  
  
  freeradius logs
  --
  [EMAIL PROTECTED] raddb]# rad_recv: Access-Request packet from host 192.168.49.252:1225, id=41, length=140
          User-Name = "anonymous"
          NAS-IP-Address = 192.168.49.252
          NAS-Port = 0
          Called-Station-Id = "00-80-C8-01-01-55"
          Calling-Station-Id = "00-0B-46-26-1C-44"
          NAS-Identifier = "DWL-1000AP+"
          Framed-MTU = 1380
          NAS-Port-Type = Wireless-802.11
          EAP-Message = 0x0201000e01616e6f6e796d6f7573
          Message-Authenticator = 0xd46c99136b226ede9c334c88dfb2fa91
  modcall: entering group authorize for request 0
    modcall[authorize]: module "preprocess" returns ok for request 0
    modcall[authorize]: module "files" returns notfound for request 0
  modcall: group authorize returns ok for request 0
  auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
  auth: Failed to validate the user.
  Delaying request 0 for 1 seconds
  Finished request 0
  Going to the next request
  --- Walking the entire request list ---
  Waking up in 1 seconds...
  --- Walking the entire request list ---
  Waking up in 1 seconds...
  --- Walking the entire request list ---
  Sending Access-Reject of id 41 to 192.168.49.252:1225
  Waking up in 4 seconds...
  --- Walking the entire request list ---
  Cleaning up request 0 ID 41 with timestamp 4035e87f
  Nothing to do.  Sleeping until we see a request.
  
  
  
  users file
  -
  sgisev  Auth-Type := Local, User-Password == "12345678"

  DEFAULT Service-Type == Framed-User
          Framed-IP-Address = 255.255.255.254,
          Framed-MTU = 576,
          Service-Type = Framed-User,
          Fall-Through = Yes

  DEFAULT Framed-Protocol == PPP
          Framed-Protocol = PPP,
          Framed-Compression = Van-Jacobson-TCP-IP

  DEFAULT Hint == "CSLIP"
          Framed-Protocol = SLIP,
          Framed-Compression = Van-Jacobson-TCP-IP

  DEFAULT Hint == "SLIP"
          Framed-Protocol = SLIP
  
  
  radiusd.conf
  -
  eap {
          default_eap_type = tls
          timer_expire = 60
          ignore_unknown_eap_types = no

          md5 {
          }
          leap {
          }

          tls {
                  private_key_password = izadisan
                  private_key_file = /usr/local/openssl/ssl/certs/server/server.pem
                  certificate_file = /usr/local/openssl/ssl/certs/server/server.pem
                  CA_file = /usr/local/openssl/ssl/certs/ca/ca.pem
                  dh_file = /usr/local/openssl/ssl/certs/dh
                  random_file = /usr/local/openssl/ssl/certs/random
                  fragment_size = 1024
                  include_length = yes
          }
          ttls {
                  default_eap_type = md5
                  copy_request_to_tunnel = no
                  use_tunneled_reply = no
          }
  }
  
  
  
  
  
  José Luis Solano
  SGI - Soluciones Globales Internet S.A.
  Delegación Regional Sur
  [EMAIL PROTECTED]
  (+34) 954.088.060


EAP-PEAP Problems: module eap returns invalid for request 8 and auth: Failed to validate the user.

2004-02-18 Thread José Luis Solano




Hi alll !!!


I use: freeradius-snapshot-20040216, openssl 0.9.7c, cisco pcmcia card and D-Link access point, XP client

I would like to run PEAP but freeradius shows me the following error. Please, look at my authenticate and authorize modules!!!


any idea??


thanks in advance!!!



freeradius logs
--
S-IP-Address = 192.168.49.252
        NAS-Port = 0
        Called-Station-Id = "00-80-C8-01-01-55"
        Calling-Station-Id = "00-0B-46-26-1C-44"
        NAS-Identifier = "DWL-1000AP+"
        Framed-MTU = 1380
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020900261900170301001be0b3850e761cf6e20dd6e18da7a7615d2adb243b14f91f0c1df86a
        State = 0x112e15244708c595cec067388e416f35
        Message-Authenticator = 0x4f0281d0e0d358ca365c0b2ca66be681
modcall: entering group authorize for request 8
  modcall[authorize]: module "preprocess" returns ok for request 8
  modcall[authorize]: module "chap" returns noop for request 8
  rlm_eap: EAP packet type response id 9 length 38
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 8
rlm_realm: No '@' in User-Name = "1119", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 8
    users: Matched DEFAULT at 154
  modcall[authorize]: module "files" returns ok for request 8
  modcall[authorize]: module "mschap" returns noop for request 8
modcall: group authorize returns updated for request 8
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 8
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Proceeding to decode tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap:  Had sent TLV failure, rejecting.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 8
modcall: group authenticate returns invalid for request 8
auth: Failed to validate the user.
Delaying request 8 for 1 seconds
Finished request 8
Going to the next request
Waking up in 6 seconds...


radiusd.conf
-
modules {
        #
        #  Each module has a configuration as follows:
        #
        #       name [ instance ] {
        #               config_item = value
        #               ...
        #       }
        #
        #  The 'name' is used to load the 'rlm_name' library
        #  which implements the functionality of the module.
        #
        #  The 'instance' is optional.  To have two different instances
        #  of a module, it first must be referred to by 'name'.
        #  The different copies of the module are then created by
        #  inventing two 'instance' names, e.g. 'instance1' and 'instance2'
        #
        #  The instance names can then be used in later configuration
        #  INSTEAD of the original 'name'.  See the 'radutmp' configuration
        #  below for an example.
        #

        # PAP module to authenticate users based on their stored password
        #
        #  Supports multiple encryption schemes
        #  clear: Clear text
        #  crypt: Unix crypt
        #    md5: MD5 encryption
        #   sha1: SHA1 encryption.
        #  DEFAULT: crypt
        pap {
                encryption_scheme = crypt
        }

        # CHAP module
        #
        #  To authenticate requests containing a CHAP-Password attribute.
        #
        chap {
                authtype = CHAP
        }

        # Pluggable Authentication Modules
        #
        #  For Linux, see:
        #       http://www.kernel.org/pub/linux/libs/pam/index.html
        #
        #  WARNING: On many systems, the system PAM libraries have
        #           memory leaks!  We STRONGLY SUGGEST that you do not
        #           use PAM for authentication, due to those memory leaks.
        #
        pam {
                #
                #  The name to use for PAM authentication.
                #  PAM looks in /etc/pam.d/${pam_auth_name}
                #  for it's configuration.  See 'redhat/radiusd-pam'
                #  for a sample PAM configuration file.
                #
                #  Note that any Pam-Auth attribute set in the 'authorize'
                #  section will over-ride this one.
                #
                pam_auth = radiusd
        }

        # Unix /etc/passwd style authentication
        #
        unix {
                #
                #  Cache /etc/passwd, /etc/shadow, and /etc/group
                #
                #  The default is to NOT cache them.
                #
                #  For FreeBSD, you do NOT want to enable the cache,
                #  as it's password lookups are done via a database, so
                #  set this value to 'no'.
                #
                #  Some systems (e.g. RedHat Linux with pam_pwbd) can
                #  take *seconds* to check a password, from a passwd
                #  file containing 1000's of entries.  For those systems,
                #  you should set the cache value to 'yes', and set
                #  the locations of the 'passwd', 'shadow', and 'group'
                #  files, below.
                #
                # allowed values: {no, yes}
                cache = no

                # Reload the cache every 600 seconds (10mins). 0 to disable.
                cache_reload = 600

                #
                #  Define the locations of the normal passwd, shadow, and
                #  group files.
                #
                #  'shadow' is commented out by default, because not all
                #  systems have shadow passwords.
                #
                #  To force the module to use the system password functions,
                #  instead of reading the files, leave the following entries
                #  commented out.
                #
                #  This is required for

Problems!!!!!!!!!!!!!!!!!!! (again)

2004-02-17 Thread José Luis Solano




Good morning!


I have installed Freeradius 0.9.3 with RedHat 9 and openssl 0.9.7c. TLS runs ok, but when I try to insert TTLS or PEAP modules in radiusd.conf I get the following error when I try to run freeradius:



...
Module: Loaded eap
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
rlm_eap: Loaded and initialized the type leap
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/usr/local/openssl/ssl/certs/server/server.pem"
 tls: certificate_file = "/usr/local/openssl/ssl/certs/server/server.pem"
 tls: CA_file = "/usr/local/openssl/ssl/certs/ca/ca.pem"
 tls: private_key_password = "izadisan"
 tls: dh_file = "/usr/local/openssl/ssl/certs/dh"
 tls: random_file = "/usr/local/openssl/ssl/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
rlm_eap_tls: conf N ctx stored
rlm_eap: Loaded and initialized the type tls
rlm_eap: Failed to link EAP-Type/ttls: file not found
radiusd.conf[600]: eap: Module instantiation failed.
=
---

So, I'm going to change my configuration. 

Lionel, could you tell me your configuration 
please, and where can I find the versions you are using?



Thanks in advance?




José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060


Re: Problems!!!!!!!!!!!!!!!!!!! (again)

2004-02-17 Thread José Luis Solano
Hi, Jean-Paul, good morning!!!

yes, I think!!! But could you review my radiusd.conf, please? Some variables
have other values, and ignore_unknown_eap_types = no does not exist in my
radiusd.conf.



Note:
For your configuration, perhaps you are using XSupplicant client under
linux, is it correct?



Thanks JP!!! ;)

---
eap {
  default_eap_type = tls
  timer_expire = 60

  md5 {
  }

  leap {
  }

  tls {
private_key_password = XX
private_key_file = /usr/local/openssl/ssl/certs/server/server.pem
certificate_file = /usr/local/openssl/ssl/certs/server/server.pem
CA_file = /usr/local/openssl/ssl/certs/ca/ca.pem
dh_file = /usr/local/openssl/ssl/certs/dh
random_file = /usr/local/openssl/ssl/certs/random
fragment_size = 1024
include_length = yes
  }

  ttls {
default_eap_type=tls
use_tunneled_reply=no
   }

   peap {
 default_eap_type=mschapv2
 copy_request_to_tunnel=yes
}

 }


José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
- Original Message -
From: Jean-Paul Chapalain [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 17, 2004 9:46 AM
Subject: Re: Problems!!! (again)


 Hi José,

 Check if modules section in radiusd.conf looks like this :
   modules {
  eap {
  default_eap_type = tls
  timer_expire = 60
  ignore_unknown_eap_types = no
  md5 {
  }
  leap {
  }
  tls {
  private_key_password = deleted
  private_key_file = /etc/1x/server.gicm.net.pem
  certificate_file = /etc/1x/server.gicm.net.pem
  CA_file = /etc/1x/root.pem
  dh_file = /etc/1x/DH
  random_file = /etc/1x/random
  fragment_size = 1024
  include_length = yes
  }
  ttls {
  default_eap_type = md5
  copy_request_to_tunnel = no
  use_tunneled_reply = no
  }
   peap {
  default_eap_type = mschapv2
  }
  mschapv2 {
  }
  }
 }

 Regards,

 Jean-Paul.

 José Luis Solano wrote:
 
  Good morning!
 
 
  I have installed Freeradius 0.9.3 with RedHat 9 and openssl 0.9.7c. TLS
  runs ok, but when I try to insert TTLS or PEAP modules in radiusd.conf I
  get the following error when I try to run freeradius:
 
 
  
  ...
  Module: Loaded eap
   eap: default_eap_type = tls
   eap: timer_expire = 60
  rlm_eap: Loaded and initialized the type md5
  rlm_eap: Loaded and initialized the type leap
   tls: rsa_key_exchange = no
   tls: dh_key_exchange = yes
   tls: rsa_key_length = 512
   tls: dh_key_length = 512
   tls: verify_depth = 0
   tls: CA_path = (null)
   tls: pem_file_type = yes
   tls: private_key_file = /usr/local/openssl/ssl/certs/server/server.pem
   tls: certificate_file = /usr/local/openssl/ssl/certs/server/server.pem
   tls: CA_file = /usr/local/openssl/ssl/certs/ca/ca.pem
   tls: private_key_password = izadisan
   tls: dh_file = /usr/local/openssl/ssl/certs/dh
   tls: random_file = /usr/local/openssl/ssl/certs/random
   tls: fragment_size = 1024
   tls: include_length = yes
  rlm_eap_tls: conf N ctx stored
  rlm_eap: Loaded and initialized the type tls
  rlm_eap: Failed to link EAP-Type/ttls: file not found
  radiusd.conf[600]: eap: Module instantiation failed.
  =
  ---
 
  So, I'm going to change my configuration.
  Lionel, could you tell me your configuration please, and where can I
  find the versions you are using?
 
 
 
  Thanks in advance?
 
 
 
 
  José Luis Solano
  SGI - Soluciones Globales Internet S.A.
  Delegación Regional Sur
  [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
  (+34) 954.088.060

 --
 --  Jean-Paul Chapalain - GICM -  Resp. Reseaux et Infrastructure
 --  32 rue Mirabeau - Le Relecq-Kerhuon - 29808 Brest Cedex 9, FRANCE
 --  Tel +33298002873 - Fax +33298284005 - [EMAIL PROTECTED]
 --  Key Fingerprint: 192C 1CFE F24A 050D F280 A086 AF15 8631 3ABB 4C7D



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP-authentication fails due to empty supplied password

2004-02-17 Thread José Luis Solano

Hi Tero,


I send you my LDAP configuration.
Good luck.

Note:
MYIP= localhost if the LDAP is the same PC.


ldap {
server = MYIP
 identity = cn=Manager,dc=sgi,dc=es
 password = MYPASS
basedn = ou=Wireless,dc=sgi,dc=es
#filter = (uid=%{Stripped-User-Name:-%{User-Name}})
filter = (uid=%u)

# set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
# The StartTLS operation is supposed to be used with normal
# ldap connections instead of using ldaps (port 689) connections
start_tls = no

tls_mode = no

# default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
# profile_attribute = radiusProfileDn
#access_attr = dialupAccess

# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap

ldap_connections_number = 5
# password_header = {clear}
# password_attribute = userPassword
# groupname_attribute = cn
# groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
# groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
# compare_check_items = yes
# access_attr_used_for_allow = yes
}



José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
- Original Message -
From: Tero Ripattila [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 17, 2004 10:59 AM
Subject: LDAP-authentication fails due to empty supplied password


Hello All,

For some reason the password I supply to my test login foo gets passed
as empty [1] and I cannot understand why.

I am running freeradius-0.9.3 on OpenBSD 3.4-stable. I built my FR by
entering the following build statements:

$ ./configure --enable-shared=no --without-rlm_krb5 --localstatedir=/var --sysconfdir=/etc

$ gmake && gmake install

Here's the login information:

$ userinfo foo
login   foo
passwd  *
uid 2
groups  users
change  NEVER
class   radius
gecos   FreeRadius test user
dir /home/foo
shell   /usr/local/bin/bash
expire  NEVER

$ cat foo-people-example-tld.ldif

version: 1

# Entry 1: uid=foo,ou=People,dc=example,dc=tld
dn:uid=foo,ou=People,dc=example,dc=tld
uid: foo
cn: Test
sn: User
uidNumber: 2
homeDirectory: /home/foo
shadowMin: -1
shadowMax: 99
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: PureFTPdUser
gidNumber: 2
loginShell: /usr/local/bin/bash
userPassword: {CRYPT}iQpBkPrd9Egzg
FTPStatus: disabled

Here's information about my login class:

$ cat /etc/login.conf

radius:\
:requirehome@:\
:auth=radius:\
:radius-server=192.168.0.11:\
:radius-timeout=1:\
:radius-retries=5:

See my attached radius_log for more detailed information about the login
process.

See lines 25 and 26: user and group are resolved as empty. I think there
should be root.wheel, because I launched the daemon as root.

See line 156-158: /etc/shadow, /etc/group and /etc/passwd - Or should I
say master.passwd - are not resolved correctly. Perhaps I should define
them in the .conf file.

Greetings,
Tero

[1] rlm_ldap: empty password supplied



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


AlfaAriss Client Heeeeeeeeeeeeelp!!!!!!!

2004-02-17 Thread José Luis Solano




Hi all!!!


I have installed freeradius-snapshot-20040216 with redhat 9.
I use AlfaAriss client under Windows XP, cisco pcmcia card on my laptop.

When AlfaAriss client asks me for user, password and domain I write my user and password, but I don't know exactly what my domain is.

I think there are two possible reasons for this error:
1.- Write the correct domain.
2.- My radiusd.conf is not correct.

help please!!!



My freeradius logs and radiusd.conf are:


My freeradius error is:
---
rad_recv: Access-Request packet from host XXX.XXX.XXX.252:1229, id=90, length=146
        User-Name = "001122334455"
        NAS-IP-Address = XXX.XXX.XXX.252
        NAS-Port = 0
        Called-Station-Id = "00-80-C8-01-01-55"
        Calling-Station-Id = "00-0B-46-26-1B-E2"
        NAS-Identifier = "DWL-1000AP+"
        Framed-MTU = 1380
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020100110130303131323234343535
        Message-Authenticator = 0xb2dfd83cf36fc223a2a5326d6b528259
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 001122334455
radius_xlat:  '(uid=001122334455)'
radius_xlat:  'ou=Wireless,dc=sgi,dc=es'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Wireless,dc=sgi,dc=es, with filter (uid=001122334455)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusExpiration as Expiration, value 08  op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value EAP  op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user 001122334455 authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 2
modcall: group authorize returns ok for request 2
auth: Failed to validate the user.
=

--


radiusd.conf
--
...
eap {
        default_eap_type = ttls
        timer_expire = 60
        ignore_unknown_eap_types = no
        md5 {
        }
        leap {
        }
        tls {
                private_key_password = izadisan
                private_key_file = /usr/local/openssl/ssl/certs/server/server.pem
                certificate_file = /usr/local/openssl/ssl/certs/server/server.pem
                CA_file = /usr/local/openssl/ssl/certs/ca/ca.pem
                dh_file = /usr/local/openssl/ssl/certs/dh
                random_file = /usr/local/openssl/ssl/certs/random
                fragment_size = 1024
                include_length = yes
        }
        ttls {
                default_eap_type = md5
                copy_request_to_tunnel = no
                use_tunneled_reply = no
        }
        mschapv2 {
        }
}

...

ldap {
        server = 192.168.49.222
        identity = "cn=Manager,dc=sgi,dc=es"
        password = izadisan
        basedn = "ou=Wireless,dc=sgi,dc=es"
        filter = "(uid=%u)"
        start_tls = no
        tls_mode = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
}


José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060


Re: PEAP/LDAP

2004-02-16 Thread José Luis Solano

Hi Lionel,

I have your radiusd.conf file, (thanks!!).
But I have a simple question: if I have TLS and TTLS in my radius.conf, what
eap-type will freeradius use, TLS or TTLS?
Is it the client who decides the eap-type?

Thanks in advance!!!


José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
- Original Message -
From: Lionel Gavage [EMAIL PROTECTED]
To: freeradius-users [EMAIL PROTECTED]
Sent: Monday, February 16, 2004 9:02 AM
Subject: PEAP/LDAP


 Hi,

 I have some problems with PEAP/LDAP (and TTLS/LDAP).
 When I use LDAP only with a local authentication I don't have a problem.
 Reciprocally with PEAP module without LDAP.
 But with these two modules the user is validated on the level of LDAP server
 but the 802.1x authentication failed!

 I don't have user entry in users files.

 Thanks.


 Lionel Gavage


 Extract of radius.conf:

 authorize {
 preprocess
 chap
 mschap
 suffix
 eap
 files
 ldap
 }

 authenticate {
 Auth-Type PAP {
 pap
 }

 Auth-Type CHAP {
 chap
 }

 Auth-Type MS-CHAP {
 mschap
 }

 unix
 eap
 Auth-Type LDAP {
 ldap
 }
 }


 Extract of log:

 rad_recv: Access-Request packet from host 139.165.212.248:21645, id=234,
 length=172
 User-Name = u190336
 Framed-MTU = 1400
 Called-Station-Id = 000c.304f.75da
 Calling-Station-Id = 000c.3052.9812
 Message-Authenticator = 0xc7f68224c50a922844d275cfcbdb5853
 EAP-Message = 0x020b002b1900170301002098ab17170a67942473547a6c29b7c9fbca9c855e8117506214a192b989347f11
 NAS-Port-Type = Wireless-802.11
 NAS-Port = 322
 State = 0xfc69a5223e55955e5e876a12c9561f84
 Service-Type = Framed-User
 NAS-IP-Address = 139.165.212.248
 modcall: entering group authorize for request 11
   modcall[authorize]: module preprocess returns ok for request 11
   modcall[authorize]: module chap returns noop for request 11
   modcall[authorize]: module mschap returns noop for request 11
 rlm_realm: No '@' in User-Name = u190336, looking up realm NULL
 rlm_realm: No such realm NULL
   modcall[authorize]: module suffix returns noop for request 11
   rlm_eap: EAP packet type response id 11 length 43
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module eap returns updated for request 11
 users: Matched DEFAULT at 154
 users: Matched DEFAULT at 173
   modcall[authorize]: module files returns ok for request 11
 rlm_ldap: - authorize
 rlm_ldap: performing user authorization for u190336
 radius_xlat:  '(uid=u190336)'
 radius_xlat:  'dc=ulg,dc=ac,dc=be'
 ldap_get_conn: Got Id: 0
 rlm_ldap: performing search in dc=ulg,dc=ac,dc=be, with filter (uid=u190336)
 rlm_ldap: looking for check items in directory...
 rlm_ldap: looking for reply items in directory...
 rlm_ldap: user u190336 authorized to use remote access
 ldap_release_conn: Release Id: 0
   modcall[authorize]: module ldap returns ok for request 11
 modcall: group authorize returns updated for request 11
   rad_check_password:  Found Auth-Type EAP
 auth: type EAP
 modcall: entering group authenticate for request 11
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/peap
   rlm_eap: processing type peap
   rlm_eap_peap: Authenticate
   rlm_eap_tls: processing TLS
   eaptls_verify returned 7
   rlm_eap_tls: Done initial handshake
   eaptls_process returned 7
   rlm_eap_peap: EAPTLS_OK
   rlm_eap_peap: Session established.  Proceeding to decode tunneled attributes.
   rlm_eap_peap: Received EAP-TLV response.
   rlm_eap_peap: Tunneled data is valid.
   rlm_eap_peap:  Had sent TLV failure, rejecting.
  rlm_eap: Handler failed in EAP/peap
   rlm_eap: Failed in EAP select
   modcall[authenticate]: module eap returns invalid for request 11
 modcall: group authenticate returns invalid for request 11
 auth: Failed to validate the user.
 Delaying request 11 for 1 seconds
 Finished request 11
 Going to the next request
 Waking up in 5 seconds...


 Lionel Gavage
 Network Engineer (SeGI/ULg)
 Email: [EMAIL PROTECTED]Tél: +32-4-3664845
 Fax: +32-4-3662920
 Bat. B26 SeGI


 -
 List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
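The EAP-Message values in the debug logs of this thread (the PEAP responses in José Luis's and Lionel's logs, the Identity responses in the AlfaAriss and remote-LDAP posts) are raw EAP packets, and rlm_eap's "EAP packet type response id 9 length 38" line is just its header. The decoder below is an added example, not code from the posts or from FreeRADIUS; it parses that hex into the EAP header, the Identity or Nak payload, or the TLS record header carried inside TLS/TTLS/PEAP, and reproduces the rlm_eap line so a log can be cross-checked against the attribute. The Nak packet is constructed here (it is not from the logs) to show how a supplicant declines the server's default_eap_type.

```python
"""Decode the EAP-Message attribute values printed by radiusd -X.

Added example for this thread (not FreeRADIUS code).  The sample values
below are copied from the debug logs in the posts; the Nak packet is
constructed here to show how a supplicant declines the offered EAP type.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# Method types that appear in this thread's eap {} blocks (RFC 3748 / IANA)
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS",
             17: "LEAP", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
               23: "application_data"}


def decode_eap_message(hex_value):
    """Parse one EAP-Message value ("0x...") into its header and payload.

    Raises ValueError when the packet is shorter than its own Length
    field says, which is what a truncated or garbled log value looks like.
    """
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP Length says {length} bytes, got {len(raw)}")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):                        # Success/Failure: header only
        return info
    if length < 5:
        raise ValueError("EAP Request/Response without a Type byte")
    eap_type = raw[4]
    info["type"] = EAP_TYPES.get(eap_type, eap_type)
    data = raw[5:]
    if eap_type == 1:                         # Identity: the outer user name
        info["identity"] = data.decode("utf-8", errors="replace")
    elif eap_type == 3:                       # Nak: the types the peer wants
        info["desired_types"] = [EAP_TYPES.get(t, t) for t in data]
    elif eap_type in (13, 21, 25) and data:   # TLS, TTLS, PEAP: flags + TLS data
        flags = data[0]
        info["flags"] = {"length_included": bool(flags & 0x80),
                         "more_fragments": bool(flags & 0x40),
                         "start": bool(flags & 0x20)}
        body = data[1:]
        if flags & 0x80 and len(body) >= 4:   # total TLS message length
            info["tls_message_length"] = struct.unpack("!I", body[:4])[0]
            body = body[4:]
        if len(body) >= 5:                    # TLS record header
            ctype, version, rec_len = struct.unpack("!BHH", body[:5])
            info["tls_record"] = {
                "content_type": TLS_CONTENT.get(ctype, ctype),
                "version": f"{version >> 8}.{version & 0xFF}",
                "length": rec_len,
                "payload_complete": len(body) - 5 == rec_len,
            }
    return info


def rlm_eap_log_line(hex_value):
    """Render the packet the way rlm_eap logs it, for cross-checking."""
    info = decode_eap_message(hex_value)
    return (f"rlm_eap: EAP packet type {str(info['code']).lower()} "
            f"id {info['id']} length {info['length']}")


# Values copied from the debug logs in this thread
IDENTITY_ANONYMOUS = "0x0201000e01616e6f6e796d6f7573"
PEAP_RESPONSE_ID9 = ("0x020900261900170301001be0b3850e761cf6e20dd6e18da7a7"
                     "615d2adb243b14f91f0c1df86a")
PEAP_RESPONSE_ID11 = ("0x020b002b1900170301002098ab17170a67942473547a6c29b7"
                      "c9fbca9c855e8117506214a192b989347f11")
# As printed in the AlfaAriss post: two bytes shorter than its Length field
IDENTITY_TRUNCATED = "0x020100110130303131323234343535"
# Constructed: a Response/Nak asking for TTLS instead of the offered type
NAK_WANTS_TTLS = "0x020300060315"

if __name__ == "__main__":
    for value in (IDENTITY_ANONYMOUS, PEAP_RESPONSE_ID9, PEAP_RESPONSE_ID11,
                  NAK_WANTS_TTLS, IDENTITY_TRUNCATED):
        try:
            print(rlm_eap_log_line(value), decode_eap_message(value))
        except ValueError as err:
            print(f"{value}: {err}")
```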


TTLS and TLS (EAP-TYPES)

2004-02-16 Thread José Luis Solano



 Hi Lionel,

 I have your radiusd.conf file, (thanks!!).
 But I have a simple question: if I have TLS and TTLS in my radius.conf, what
 eap-type will freeradius use, TLS or TTLS?
 Is it the client who decides the eap-type?

 Thanks in advance!!!


 José Luis Solano
 SGI - Soluciones Globales Internet S.A.
 Delegación Regional Sur
 [EMAIL PROTECTED]
 (+34) 954.088.060



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: TTLS and TLS (EAP-TYPES)

2004-02-16 Thread José Luis Solano

Do you know if Windows XP client has authentication TTLS? Where is the
option?
If Windows XP client has not TTLS, then do you know other client?



Thanks a lot!!

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
- Original Message -
From: Lionel Gavage [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, February 16, 2004 1:37 PM
Subject: RE: TTLS and TLS (EAP-TYPES)



 Yes, on the level of the configuration client.

 Lionel Gavage

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] on behalf of José
 Luis Solano
 Sent: Monday, 16 February 2004 13:14
 To: [EMAIL PROTECTED]
 Subject: TTLS and TLS (EAP-TYPES)





  Hi Lionel,

  I have your radiusd.conf file, (thanks!!).
  But I have a simple question: if I have TLS and TTLS in my radius.conf,
what
  eap-type will freeradius use, TLS or TTLS?
  Is it the client who decides the eap-type?

  Thanks in advance!!!


  José Luis Solano
  SGI - Soluciones Globales Internet S.A.
  Delegación Regional Sur
  [EMAIL PROTECTED]
  (+34) 954.088.060



 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html


 -
 List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: TTLS and TLS (EAP-TYPES)

2004-02-16 Thread José Luis Solano
Thanks a lot Lionel!


José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
- Original Message -
From: Lionel Gavage [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, February 16, 2004 2:04 PM
Subject: RE: TTLS and TLS (EAP-TYPES)


 Hi José,

 No, Windows XP client hasn't a TTLS option. Windows XP client supports PEAP
 on the other hand. You can use SecureW2 (http://www.alfa-ariss.com/)


 Lionel Gavage

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] on behalf of José
 Luis Solano
 Sent: Monday, 16 February 2004 14:04
 To: [EMAIL PROTECTED]
 Subject: Re: TTLS and TLS (EAP-TYPES)



 Do you know if Windows XP client has authentication TTLS? Where is the
 option?
 If Windows XP client has not TTLS, then do you know other client?



 Thanks a lot!!

 José Luis Solano
 SGI - Soluciones Globales Internet S.A.
 Delegación Regional Sur
 [EMAIL PROTECTED]
 (+34) 954.088.060
 - Original Message -
 From: Lionel Gavage [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Monday, February 16, 2004 1:37 PM
 Subject: RE: TTLS and TLS (EAP-TYPES)


 
  Yes, on the level of the configuration client.
 
  Lionel Gavage
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] on behalf of José
  Luis Solano
  Sent: Monday, 16 February 2004 13:14
  To: [EMAIL PROTECTED]
  Subject: TTLS and TLS (EAP-TYPES)
 
 
 
 
 
   Hi Lionel,
 
   I have your radiusd.conf file, (thanks!!).
   But I have a simple question: if I have TLS and TTLS in my radius.conf,
 what
   eap-type will freeradius use, TLS or TTLS?
   Is it the client who decides the eap-type?
 
   Thanks in advance!!!
 
 
   José Luis Solano
   SGI - Soluciones Globales Internet S.A.
   Delegación Regional Sur
   [EMAIL PROTECTED]
   (+34) 954.088.060
 
 
 
  -
  List info/subscribe/unsubscribe? See
  http://www.freeradius.org/list/users.html
 
 
  -
  List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
 


 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html


 -
 List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Problem with remote LDAP

2004-02-16 Thread José Luis Solano



Dear all !!


My old configuration was (2 different PC's):

IP Client: XXX.XXX.XXX.205
IP Freeradius and LDAP: XXX.XXX.XXX.222

With this configuration, my system runs ok!!


My current configuration is (3 different PC's):
IP Client: XXX.XXX.XXX.205
IP Freeradius: XXX.XXX.XXX.206
IP LDAP: XXX.XXX.XXX.222


When I change the freeradius I can't access my LDAP. (I have changed the
freeradius server IP in my access point too!!!)


freeradius logs
-
S-IP-Address = 192.168.49.252
        NAS-Port = 0
        Called-Station-Id = "00-80-C8-01-01-55"
        Calling-Station-Id = "00-0B-46-26-1B-E2"
        NAS-Identifier = "DWL-1000AP+"
        Framed-MTU = 1380
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020100110130303131323234343535
        Message-Authenticator = 0x3ff37aad8c3b000bbb078cef515b3a4a
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 001122334455
radius_xlat:  '(uid=001122334455)'
radius_xlat:  'ou=Wireless,dc=sgi,dc=es'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to XXX.XXX.XXX.222:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=sgi,dc=es/izadisan to 192.168.49.222:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in ou=Wireless,dc=sgi,dc=es, with filter (uid=001122334455)
rlm_ldap: no dialupAccess attribute - access denied by default
==
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns userlock for request 0
modcall: group authorize returns userlock for request 0
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...

my radiusd.conf

ldap {
        server = XXX.XXX.XXX.222
        identity = "cn=Manager,dc=sgi,dc=es"
        password = izadisan
        basedn = "ou=Wireless,dc=sgi,dc=es"
        filter = "(uid=%u)"
        start_tls = no
        tls_mode = no
        access_attr = "dialupAccess"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
}




any idea??


Thanks in advance!











José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060


Fw: Problem with remote LDAP

2004-02-16 Thread José Luis Solano







Thanks again Lionel ;) !!!



José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

  - Original Message -
  From: Lionel Gavage
  To: [EMAIL PROTECTED]
  Sent: Monday, February 16, 2004 7:38 PM
  Subject: RE: Problem with remote LDAP

  Hi,

  Remove the "access_attr = "dialupAccess"" parameter in LDAP config (put in comment). And retest.


  Lionel Gavage.
  
  
  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of José Luis Solano
Sent: Monday, 16 February 2004 19:32
To: [EMAIL PROTECTED]
Subject: Problem with remote LDAP





Dear all !!


My old configuration was (2 different PC's):

IP Client: XXX.XXX.XXX.205
IP Freeradius and LDAP: XXX.XXX.XXX.222

With this configuration, my system runs ok!!


My current configuration is (3 different PC's):
IP Client: XXX.XXX.XXX.205
IP Freeradius: XXX.XXX.XXX.206
IP LDAP: XXX.XXX.XXX.222


When I change the freeradius I can't access my LDAP. (I have changed
the freeradius server IP in my access point too!!!)


freeradius logs
-
S-IP-Address = 192.168.49.252
NAS-Port = 0
Called-Station-Id = "00-80-C8-01-01-55"
Calling-Station-Id = "00-0B-46-26-1B-E2"
NAS-Identifier = "DWL-1000AP+"
Framed-MTU = 1380
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020100110130303131323234343535
Message-Authenticator = 0x3ff37aad8c3b000bbb078cef515b3a4a
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 001122334455
radius_xlat:  '(uid=001122334455)'
radius_xlat:  'ou=Wireless,dc=sgi,dc=es'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to XXX.XXX.XXX.222:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=sgi,dc=es/izadisan to 192.168.49.222:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in ou=Wireless,dc=sgi,dc=es, with filter (uid=001122334455)
rlm_ldap: no dialupAccess attribute - access denied by default
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns userlock for request 0
modcall: group authorize returns userlock for request 0
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...

my radiusd.conf



ldap {
        server = XXX.XXX.XXX.222
        identity = "cn=Manager,dc=sgi,dc=es"
        password = izadisan
        basedn = "ou=Wireless,dc=sgi,dc=es"
        filter = "(uid=%u)"
        start_tls = no
        tls_mode = no
        access_attr = "dialupAccess"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
}




any idea??


Thanks in advance!











José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
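
Lionel's suggestion above removes the gate rather than satisfying it. The script below is an added example (not code from the thread or from FreeRADIUS): it models the access_attr decision behind the "no dialupAccess attribute - access denied by default" line in the debug output and shows how each fix changes the module result. The entry contents and the two debug lines are constructed, and the FALSE-value branch is an assumption taken from rlm_ldap's documentation rather than from this thread.

```python
import re

# Module return codes rlm_ldap's authorize() hands back to modcall
OK, NOTFOUND, USERLOCK = "ok", "notfound", "userlock"


def ldap_access_decision(entry, access_attr):
    """Model of the access_attr check in rlm_ldap's authorize() (not the real code).
    entry: dict attribute -> list of values for the entry the search found (None if no match).
    access_attr: the radiusd.conf access_attr value (None when it is commented out)."""
    if entry is None:
        return NOTFOUND
    if access_attr is None:
        return OK            # no gate configured: a matching entry is enough
    values = entry.get(access_attr)
    if not values:
        return USERLOCK      # logged as "no <attr> attribute - access denied by default"
    # Assumption from the rlm_ldap documentation: an explicit FALSE also denies access.
    if values[0].strip().upper() == "FALSE":
        return USERLOCK
    return OK


DENY_RE = re.compile(r"rlm_ldap: no (\S+) attribute - access denied by default")


def explain_denial(debug_lines):
    """Scan radiusd -X output for the access_attr denial and name both fixes."""
    for line in debug_lines:
        m = DENY_RE.search(line)
        if m:
            attr = m.group(1)
            return (f'access_attr = "{attr}" is set but the user entry has no {attr}; '
                    f"either add {attr}: TRUE to the entry or comment out access_attr")
    return None


# Constructed sample: the entry found for 001122334455, with and without dialupAccess
ENTRY_WITHOUT_FLAG = {"uid": ["001122334455"]}
ENTRY_WITH_FLAG = dict(ENTRY_WITHOUT_FLAG, dialupAccess=["TRUE"])
# Constructed debug lines shaped like the ones quoted in the thread
SAMPLE_LOG = [
    "rlm_ldap: performing search in ou=Wireless,dc=sgi,dc=es, with filter (uid=001122334455)",
    "rlm_ldap: no dialupAccess attribute - access denied by default",
]

if __name__ == "__main__":
    print(ldap_access_decision(ENTRY_WITHOUT_FLAG, "dialupAccess"))  # userlock: the thread's case
    print(ldap_access_decision(ENTRY_WITH_FLAG, "dialupAccess"))     # ok: attribute added
    print(ldap_access_decision(ENTRY_WITHOUT_FLAG, None))            # ok: access_attr commented out
    print(explain_denial(SAMPLE_LOG))
```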


EAP-TTLS

2004-02-09 Thread José Luis Solano




hi all!!


I'm going to use TTLS with my freeRadius 0.8.1. I have used TLS already and
it runs ok, but now I need TTLS too. Currently my code in radius.conf is:

--
# Extensible Authentication Protocol
#
#  For all EAP related authentications
eap {
        # Invoke the default supported EAP type when
        # EAP-Identity response is received
        default_eap_type = tls

        # Default expiry time to clean the EAP list,
        # It is maintained to co-relate the
        # EAP-response for each EAP-request sent.
        timer_expire = 60

        # Supported EAP-types
        #md5 {
        #}

        ## EAP-TLS is highly experimental EAP-Type at the moment.
        #   Please give feedback on the mailing list.
        tls {
                private_key_password = izadisan
                private_key_file = /usr/local/openssl/ssl/certs/server/server.pem

                #   If Private key & Certificate are located in the
                #   same file, then private_key_file & certificate_file
                #   must contain the same file name.
                certificate_file = /usr/local/openssl/ssl/certs/server/server.pem

                #   Trusted Root CA list
                CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt

                dh_file = /usr/local/openssl/ssl/certs/dh
                random_file = /usr/local/openssl/ssl/certs/random
                #
                #   This can never exceed MAX_RADIUS_LEN (4096)
                #   preferably half the MAX_RADIUS_LEN, to
                #   accommodate other attributes in RADIUS packet.
                #   On most APs the MAX packet length is configured
                #   between 1500 - 1600. In these cases, fragment
                #   size should be <= 1024.
                #
                fragment_size = 600

                #   include_length is a flag which is by default set to yes
                #   If set to yes, Total Length of the message is included
                #   in EVERY packet we send.
                #   If set to no, Total Length of the message is included
                #   ONLY in the First packet of a fragment series.
                #
                include_length = yes
        }
}
-

What changes do I need if I want authentication with TLS AND TTLS? Could
anybody help me please???

Thanks a lot in advance!!



---
A little question: does anybody use the XSupplicant client with TLS and TTLS?


José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060



To Alan Dekok: EAP-TTLS

2004-02-09 Thread José Luis Solano




Hi Alan!! 


I don't know you but I know you are a long-time member of this list, so I
think you can help me!!


I'm going to use TTLS with my freeRadius 0.8.1. I have used TLS already and
it runs ok, but now I need TTLS too. Currently my code in radius.conf is:

--
# Extensible Authentication Protocol
#
#  For all EAP related authentications
eap {
        # Invoke the default supported EAP type when
        # EAP-Identity response is received
        default_eap_type = tls

        # Default expiry time to clean the EAP list,
        # It is maintained to co-relate the
        # EAP-response for each EAP-request sent.
        timer_expire = 60

        # Supported EAP-types
        #md5 {
        #}

        ## EAP-TLS is highly experimental EAP-Type at the moment.
        #   Please give feedback on the mailing list.
        tls {
                private_key_password = izadisan
                private_key_file = /usr/local/openssl/ssl/certs/server/server.pem

                #   If Private key & Certificate are located in the
                #   same file, then private_key_file & certificate_file
                #   must contain the same file name.
                certificate_file = /usr/local/openssl/ssl/certs/server/server.pem

                #   Trusted Root CA list
                CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt

                dh_file = /usr/local/openssl/ssl/certs/dh
                random_file = /usr/local/openssl/ssl/certs/random
                #
                #   This can never exceed MAX_RADIUS_LEN (4096)
                #   preferably half the MAX_RADIUS_LEN, to
                #   accommodate other attributes in RADIUS packet.
                #   On most APs the MAX packet length is configured
                #   between 1500 - 1600. In these cases, fragment
                #   size should be <= 1024.
                #
                fragment_size = 600

                #   include_length is a flag which is by default set to yes
                #   If set to yes, Total Length of the message is included
                #   in EVERY packet we send.
                #   If set to no, Total Length of the message is included
                #   ONLY in the First packet of a fragment series.
                #
                include_length = yes
        }
}
-

What changes do I need if I want authentication with TLS AND TTLS? Could
anybody help me please???

Thanks a lot in advance!!



---
A little question: does anybody use the XSupplicant client with TLS and TTLS?


José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060



  


Re: Freeradius PEAP Problems

2004-02-09 Thread José Luis Solano

Sorry Lionel!!! Another question.

I have changed my radiusd.conf and I have activated the TTLS module. But
now, there are two modules activated, is it a problem?


eap {
   default_eap_type = tls !!
   timer_expire = 60

#md5 {
#}

tls {
private_key_password = izadisan
private_key_file =
/usr/local/openssl/ssl/certs/server/server.pem
certificate_file =
/usr/local/openssl/ssl/certs/server/server.pem
CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt
dh_file = /usr/local/openssl/ssl/certs/dh
random_file = /usr/local/openssl/ssl/certs/random
fragment_size = 600
include_length = yes
}

ttls {
default_eap_type = md5
!
 use_tunneled_reply = no
}
}

Is it correct?

My freeRADIUS is 0.8.1; does TTLS run with this version?
For default_eap_type, is only the md5 value possible?



Thanks again Lionel




José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
- Original Message -
From: Lionel Gavage [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, February 09, 2004 4:59 PM
Subject: RE: Freeradius PEAP Problems



 Activated the TTLS module:

 ttls {
 default_eap_type = md5
 use_tunneled_reply = no
 }

 and it's all.


 Lionel Gavage

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On behalf of José
 Luis Solano
 Sent: Monday, 9 February 2004 17:03
 To: [EMAIL PROTECTED]
 Subject: Re: Freeradius PEAP Problems


 Hi Lionel!!


 I would need your help because I use EAP-TLS, EAP-TTLS and PEAP. The first
 one, TLS runs OK, but TTLS and PEAP don't run OK. My first target now is to run
 TTLS and I will run PEAP after. So, can you help me please? Currently, my
 radiusd.conf is:

 
  # Extensible Authentication Protocol
 #
 #  For all EAP related authentications
 eap {
 # Invoke the default supported EAP type when
 # EAP-Identity response is received
 default_eap_type = tls

 # Default expiry time to clean the EAP list,
 # It is maintained to co-relate the
 # EAP-response for each EAP-request sent.
 timer_expire = 60

 # Supported EAP-types
 #md5 {
 #}

 ## EAP-TLS is highly experimental EAP-Type at the moment.
 #   Please give feedback on the mailing list.
 tls {
 private_key_password = izadisan
 private_key_file = /usr/local/openssl/ssl/certs/server/server.pem

 #   If Private key & Certificate are located in the
 #   same file, then private_key_file & certificate_file
 #   must contain the same file name.
 certificate_file = /usr/local/openssl/ssl/certs/server/server.pem

 #   Trusted Root CA list
 CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt

 dh_file = /usr/local/openssl/ssl/certs/dh
 random_file = /usr/local/openssl/ssl/certs/random
 #
 #   This can never exceed MAX_RADIUS_LEN (4096)
 #   preferably half the MAX_RADIUS_LEN, to
 #   accommodate other attributes in RADIUS packet.
 #   On most APs the MAX packet length is configured
 #   between 1500 - 1600. In these cases, fragment
 #   size should be <= 1024.
 #
 fragment_size = 600

 #   include_length is a flag which is by default set to yes
 #   If set to yes, Total Length of the message is included
 #   in EVERY packet we send.
 #   If set to no, Total Length of the message is included
 #   ONLY in the First packet of a fragment series.
 #
 include_length = yes
 }
 }
 --

 What changes do I need to use TTLS?



 Thanks in advance Lionel!!!



 José Luis Solano
 SGI - Soluciones Globales Internet S.A.
 Delegación Regional Sur
 [EMAIL PROTECTED]
 (+34) 954.088.060
 - Original Message -
 From: Lionel Gavage [EMAIL PROTECTED]
 To: freeradius-users [EMAIL PROTECTED]
 Sent: Monday, February 09, 2004 4:23 PM
 Subject: Freeradius PEAP Problems


  Hi,
 
  I
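
The exchange above settles on keeping the tls { } block, adding a ttls { } block, and leaving the outer default_eap_type at tls. The following lint is an added example, not code from the thread or from FreeRADIUS: it reads an eap { } block in radiusd.conf syntax with a deliberately minimal parser and checks those two points (the outer default_eap_type names a configured sub-block; ttls is not configured without tls). Run over the block as posted, it also flags the "!!" and "!" emphasis marks, which would break the file if pasted unchanged. The sample block is constructed from the posted one.

```python
def parse_blocks(text):
    """Minimal radiusd.conf reader (not the server's parser): returns (tree, errors).
    name { } blocks nest as dicts, key = value lines become strings, "#" starts a
    comment everywhere, and any other line is reported instead of silently accepted."""
    root = {}
    errors, stack = [], [root]
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            child = stack[-1][line[:-1].strip()] = {}
            stack.append(child)
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif "=" in line:
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip()
        else:
            errors.append(f"line {n}: cannot parse {line!r}")
    return root, errors


def lint_eap(text):
    """Check an eap { } block against the two rules from the thread; return the problems."""
    tree, problems = parse_blocks(text)
    eap = tree.get("eap", {})
    types = {k for k, v in eap.items() if isinstance(v, dict)}
    default = eap.get("default_eap_type")
    if default not in types:  # also catches the "tls !!" emphasis left in the pasted block
        problems.append(f"eap default_eap_type {default!r} is not a configured sub-block {sorted(types)}")
    if "ttls" in types and "tls" not in types:
        problems.append("ttls { } configured without the tls { } block it relies on")
    return problems


# Constructed from the eap { } block posted above, stray "!!" and "!" marks included
POSTED = """\
eap {
    default_eap_type = tls !!
    tls {
        certificate_file = /usr/local/openssl/ssl/certs/server/server.pem
    }
    ttls {
        default_eap_type = md5
        !
        use_tunneled_reply = no
    }
}
"""
FIXED = POSTED.replace("tls !!", "tls").replace("        !\n", "")  # the same block cleaned up
```

lint_eap(POSTED) reports the unparseable "!" line and the value "tls !!"; lint_eap(FIXED) returns an empty list.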

Re: Freeradius PEAP Problems

2004-02-09 Thread José Luis Solano
Hi again and sorry if I ask you a lot!!


If you want to send me your radiusd.conf, it will be very good for me. So,
please send me your file if it's possible.


See you later!!



José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
- Original Message -
From: Lionel Gavage [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, February 09, 2004 5:31 PM
Subject: RE: Freeradius PEAP Problems


 Hi José,

 I use a freeradius snapshot because TTLS isn't in the rpm package.
 You must have the TLS module to use the TTLS module.

 The directive default_eap_type (in the EAP module) must be fixed at tls.
 It's right.
 And the default_eap_type (in the TTLS module) to md5. It's right too.

 I can send my config file to you if you want.

 Lionel Gavage


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On behalf of José
 Luis Solano
 Sent: Monday, 9 February 2004 17:32
 To: [EMAIL PROTECTED]
 Subject: Re: Freeradius PEAP Problems



 Sorry Lionel!!! Another question.

 I have changed my radiusd.conf and I have activated the TTLS module. But
 now, there are two modules activated, is it a problem?


 eap {
default_eap_type = tls !!
timer_expire = 60

 #md5 {
 #}

 tls {
 private_key_password = izadisan
 private_key_file =
 /usr/local/openssl/ssl/certs/server/server.pem
 certificate_file =
 /usr/local/openssl/ssl/certs/server/server.pem
 CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt
 dh_file = /usr/local/openssl/ssl/certs/dh
 random_file = /usr/local/openssl/ssl/certs/random
 fragment_size = 600
 include_length = yes
 }

 ttls {
 default_eap_type = md5
 !
  use_tunneled_reply = no
 }
 }

 Is it correct?

 My freeRADIUS is 0.8.1; does TTLS run with this version?
 For default_eap_type, is only the md5 value possible?



 Thanks again Lionel




 José Luis Solano
 SGI - Soluciones Globales Internet S.A.
 Delegación Regional Sur
 [EMAIL PROTECTED]
 (+34) 954.088.060
 - Original Message -
 From: Lionel Gavage [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Monday, February 09, 2004 4:59 PM
 Subject: RE: Freeradius PEAP Problems


 
  Activated the TTLS module:
 
  ttls {
  default_eap_type = md5
  use_tunneled_reply = no
  }
 
  and it's all.
 
 
  Lionel Gavage
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On behalf of José
  Luis Solano
  Sent: Monday, 9 February 2004 17:03
  To: [EMAIL PROTECTED]
  Subject: Re: Freeradius PEAP Problems
 
 
  Hi Lionel!!
 
 
  I would need your help because I use EAP-TLS, EAP-TTLS and PEAP. The first
  one, TLS runs OK, but TTLS and PEAP don't run OK. My first target now is to run
  TTLS and I will run PEAP after. So, can you help me please? Currently, my
  radiusd.conf is:
 
  
   # Extensible Authentication Protocol
  #
  #  For all EAP related authentications
  eap {
  # Invoke the default supported EAP type when
  # EAP-Identity response is received
  default_eap_type = tls
 
  # Default expiry time to clean the EAP list,
  # It is maintained to co-relate the
  # EAP-response for each EAP-request sent.
  timer_expire = 60
 
  # Supported EAP-types
  #md5 {
  #}
 
  ## EAP-TLS is highly experimental EAP-Type at the
moment.
  #   Please give feedback on the mailing list.
  tls {
  private_key_password = izadisan
  private_key_file = /usr/local/openssl/ssl/certs/server/server.pem
 
  #   If Private key & Certificate are located in the
  #   same file, then private_key_file & certificate_file
  #   must contain the same file name.
  certificate_file = /usr/local/openssl/ssl/certs/server/server.pem
 
  #   Trusted Root CA list
  CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt
 
  dh_file = /usr/local/openssl/ssl/certs/dh
  random_file = /usr/local/openssl/ssl/certs/random
  #
  #   This can never exceed MAX_RADIUS_LEN (4096)
  #   preferably half the MAX_RADIUS_LEN, to
  #   accommodate other attributes in RADIUS packet