Re: EAP identity - username check

2006-08-09 Thread Krämer Armin

I had the same problem here and my only solution was to turn off this check of the username.

You only have to comment out the check_cert_cn entry in eap.conf to deactivate this. But this turns off the check completely, also for user certificates. I changed the username from host/username to username$, which is mostly needed when using the mschap module: activating with_ntdomain_hack and adding mschap: to the needed authentication part, like the ldap section or mysql section, like

(mschap:User-Name)

Maybe there is another solution to fix that problem without deactivating this feature?



Armin

From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Carl Wahlin
Sent: Wednesday, 9 August 2006 17:09
To: freeradius-users@lists.freeradius.org
Subject: EAP identity - username check





Hello,

We are trying to get machine certificates to work with freeradius for WLAN.

Problem:
We are using the sql user database plugin as we need to return attributes
(which vlan the user belongs to, QoS etc) and it all works fine until we
install the certificates as machine certs. Windows changes the User-Name to
host/username and that causes the username not to be correct according to what
is in the database, and also the User-Name does not match the cn in the cert.
We can change the attribute with search and replace, but then EAP gives us the
error "identity does not match the User-Name, setting from EAP Identity".

Is there a way around this? It would be nice to be able to turn off the EAP
identity - User-Name check as we really do not think it is necessary in our
solution (and do not really see a security benefit of having it).

Any ideas?

/Carl

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Re: Since 2 months no one any idea how to do this? Stripping Username Question *important*

2006-07-25 Thread Krämer Armin

Okay, thanks now it works quite well with the mschap module :-)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On behalf of Phil Mayers
Sent: Monday, 24 July 2006 12:28
To: FreeRadius users mailing list
Subject: Re: Re: Since 2 months no one any idea how to do this? Stripping
Username Question *important*

James J J Hooper wrote:

 In your LDAP section of radiusd.conf, replace this:
 %{Stripped-User-Name:-%{User-Name}}
 with this:
 %{Stripped-User-Name:-%{mschap:User-Name}}

 Regards,
James
 
 
 Sorry, what i suggested may only work in the mschap section, not in the 
 LDAP bit... :(

No, it should work anywhere, but he does need to have the mschap module 
configured, and I think it needs to be *before* the ldap module in 
authorize.


Since 2 months no one any idea how to do this? Stripping Username Question *important*

2006-07-22 Thread Krämer Armin

Hi,

I'm working with machine authentication and EAP-TLS certificates.

When a machine authenticates I get the name of the machine like
host/250-IT, and the search string on LDAP is like host/250-IT.

I need the search string at LDAP like 250-IT$. How can I strip away that host/
and add $ for the search at the LDAP directory?

Thanks for helping me.

Greetings Armin



Re: Since 2 months no one any idea how to do this? Stripping Username Question *important*

2006-07-22 Thread Krämer Armin
Thanks, I tried this out now and got the following warning:


rlm_ldap: performing user authorization for host/notebook-armin
Sat Jul 22 12:25:24 2006 : Debug: WARNING: Attempt to use unknown xlat
function, or non-existent attribute in string %{mschap:User-Name}
Sat Jul 22 12:25:24 2006 : Debug: radius_xlat:
'((uid=)(objectclass=radiusprofile))'
Sat Jul 22 12:25:24 2006 : Debug: radius_xlat:
'ou=users,ou=radius,dc=ak-server,dc=de'


And the search finishes with NOT FOUND 


rlm_ldap: waiting for bind result ...
Sat Jul 22 12:25:24 2006 : Debug: rlm_ldap: Bind was successful
Sat Jul 22 12:25:24 2006 : Debug: rlm_ldap: performing search in
ou=users,ou=radius,dc=ak-server,dc=de, with filter
((uid=)(objectclass=radiusprofile))
Sat Jul 22 12:25:24 2006 : Debug: rlm_ldap: object not found or got
ambiguous search result
Sat Jul 22 12:25:24 2006 : Debug: rlm_ldap: search failed


Any idea for this? Looks like the search string is completely empty now??

I made an LDAP Entry which looks like  uid=host/notebook-armin$ 

Thanks for answering!

Greetings

Armin





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On behalf of James J J Hooper
Sent: Saturday, 22 July 2006 10:31
To: FreeRadius users mailing list
Subject: Re: Since 2 months no one any idea how to do this? Stripping
Username Question *important*



--On Saturday, 22 July 2006 09:23 +0200 Krämer Armin [EMAIL PROTECTED] 
wrote:


 Hi,

 I'm working with machine authentication and EAP-TLS certificates.

 When a machine authenticates I get the name of the machine like
 host/250-IT, and the search string on LDAP is like host/250-IT.

 I need the search string at LDAP like 250-IT$. How can I strip away that
 host/ and add $ for the search at the LDAP directory?


In your LDAP section of radiusd.conf, replace this:
%{Stripped-User-Name:-%{User-Name}}
with this:
%{Stripped-User-Name:-%{mschap:User-Name}}

Regards,
   James

--
James J J Hooper,
Information Services
University of Bristol
--

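The xlat James suggests above (`%{Stripped-User-Name:-%{mschap:User-Name}}`) and the empty `(uid=)` filter in Armin's debug log come down to one question: how a Windows machine identity such as host/250-IT becomes the account name 250-IT$ before it reaches the directory, and what happens when that conversion yields nothing. The Python below is an added example written for this thread; it is not FreeRADIUS code and not the mschap module's implementation. It mirrors the conversion the thread describes (strip host/, drop the DNS domain part, append $, and drop an NT-domain prefix as with_ntdomain_hack does), refuses to build a filter from an identity that does not normalise to a machine account instead of emitting `(uid=)`, escapes the value per RFC 4515, and shows how the identity-versus-certificate-CN comparison from the check_cert_cn question at the top of this page can be kept working on the normalised name rather than being switched off. The `(&...)` filter shape, the hostname pattern and the sample identities are assumptions constructed for the example.

```python
import re
from typing import Optional

# Shape of a Windows computer name (one DNS label). Assumption for this
# example; anything that does not fit is rejected before a search is built.
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9-]{1,63}$")

# RFC 4515 escaping: these characters would otherwise alter the filter.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a string for use as a value inside an LDAP search filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def machine_account_name(identity: str) -> Optional[str]:
    """Map the EAP identity Windows sends for a machine to the directory
    account name, the way the thread describes the mschap conversion:

        host/250-IT                      -> 250-IT$
        host/notebook-armin.ak-server.de -> notebook-armin$  (domain dropped)
        AK-SERVER\\250-IT$               -> 250-IT$          (NT domain dropped)
        250-IT$                          -> 250-IT$

    Returns None for anything that is not a machine identity, so a plain
    user name is never turned into a computer-account lookup.
    """
    name = identity
    if "\\" in name:                      # NT-domain prefix (with_ntdomain_hack)
        name = name.rsplit("\\", 1)[1]
    if name.startswith("host/"):          # Windows machine identity
        name = name[len("host/"):].split(".", 1)[0]
    elif name.endswith("$"):              # already in account form
        name = name[:-1]
    else:
        return None
    if not _HOSTNAME_RE.match(name):
        return None
    return name + "$"


def machine_search_filter(identity: str,
                          base_filter: str = "(objectclass=radiusprofile)") -> str:
    """Build the LDAP filter for a machine identity.

    Raises instead of searching when the identity does not normalise to a
    machine account, so the empty '(uid=)' filter from the debug log in this
    thread can never be sent. The AND-filter shape is an assumption.
    """
    account = machine_account_name(identity)
    if account is None:
        raise ValueError(f"not a machine identity: {identity!r}")
    return f"(&(uid={ldap_escape(account)}){base_filter})"


def identity_matches_certificate(identity: str, cert_cn: str) -> bool:
    """Compare the EAP identity with the client certificate's CN after
    normalising both: the CN may be the bare computer name or its fully
    qualified name, as the machine-certificate setup later on this page allows."""
    account = machine_account_name(identity)
    if account is None:
        return False
    cn_short = cert_cn.split(".", 1)[0]
    return account[:-1].lower() == cn_short.lower()


if __name__ == "__main__":
    # Constructed sample identities, including ones that must be refused.
    for ident in ("host/250-IT", "host/notebook-armin.ak-server.de",
                  "alice", "host/", "host/x)(uid=*"):
        try:
            print(f"{ident!r:40} -> {machine_search_filter(ident)}")
        except ValueError as exc:
            print(f"{ident!r:40} -> refused: {exc}")
    print(identity_matches_certificate("host/250-IT", "250-IT.exampledomain.de"))
```

The point of refusing rather than falling back to an empty value is the `(uid=)` filter in the log above: an undefined xlat silently produced a search with no subject at all. Validating the name before it is interpolated, and escaping it anyway, keeps a malformed or hostile identity from changing the shape of the query.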


Stripping Username Question *important*

2006-06-05 Thread Krämer Armin
Hi,

I'm working with machine authentication and EAP-TLS certificates.

When a machine authenticates I get the name of the machine like
host/250-IT.

I need the search string at LDAP like 250-IT$. How can I strip away that host/
and add $ for the search at the LDAP directory?

Thanks for helping me.

Greetings Armin



How to change LDAP Search String

2006-05-31 Thread Krämer Armin

Hi,

I'm working with machine authentication and EAP-TLS certificates.

When a machine authenticates I get the name in the form host/250-IT.

I need the search string at LDAP like 250-IT$. How can I strip away that host/
and add $ for the search at the LDAP directory?

Thanks for helping me.

Greetings Armin







EAP TLS Computer Authentication XP the final Solution *working great after a hard fight* Solution inside

2006-05-20 Thread Krämer Armin
Hi, 

first I wanna say thanks to all here for the great help setting up my
radius as a part of my work for my engineer's exam.

Yesterday I finished my work and found my 2 mistakes why computer
authentication didn't work properly on my network, and now I wanna share this
with you all here, knowing some of you are still having the same problems:

First only the problem with machine authentication, and after I have passed my
exams on 15 July I will post here a link to my whole documentation
describing how to set up my whole project, including the following:

A CA created with TinyCA as frontend for openssl, freeradius @debian
stable with EAP-TLS support, LDAP backend for dynamic VLAN assignment rules,
VLAN routing @ a Layer 3 core switch and finally clients 2000, XP, Linux doing
firstly a machine authentication (*tricky but possible*), pulled into a
basic VLAN with the DHCP, DNS and ADS servers in a separate subnet and
VLAN; then users can log onto the domain, getting their final
user certificate, thrown into their final working VLAN and getting the final
subnet from the DHCP. This works great now, but firstly only the main
problem, the machine certificates.

What you have to do if you create it with TinyCA to get working
certificates for machine authentication, in a short sequence, and where the
problems are that I figured out.

OK, setting up TinyCA is easy and the binding to freeradius is described
here a lot.

The final steps are the following, especially for Windows:

Under the OpenSSL configuration in TinyCA put the OID 1.3.6.1.5.5.7.3.1 for the
server certificate into Extended Key Usage, and 1.3.6.1.5.5.7.3.2 into the
client certificate Extended Key Usage.

This is basic and essential for successful authentication, but not all.

For machine authentication create a client certificate, and now the really
important things.
1.  The CN name has to match the local computer name only, or the
fully qualified name of the computer; both are possible.
2.  The Email field MUST be filled in with the fully qualified computer name,
like workstatio1.exampledomain.de

This entry is important for machine authentication because Windows XP
searches for the field subjectAltName to find the certificate in the
computer store. If this isn't present, authentication fails the first time, and
after the internal counter of XP expires the second authentication is
successful (why??). But OK, add this and all is fine.
In the openssl.cnf of TinyCA you can see that the Email field is copied to
the field subjectAltName. I will write a letter to the developer of TinyCA
asking if he could make a separate field for this.

Export the certificate as PKCS12 and check include certificate and fingerprint
(whether the fingerprint is important I will figure out later and tell you, haven't
found time to check this), but the key must be included.

And the last thing is that you have to import the computer certificate not
per double-click (in this case the certificate is stored in the CurrentUser
store and you have to copy it over mmc to the computer store, but this
doesn't work, the certificate isn't correctly found if you do it that
way!)
Best is to open mmc, do a snap-in of Local Computer and then go to "Eigene
Zertifikate" (Personal certificates), right-click on it, All Tasks, Import, then
import the certificate, and now you have the CA certificate and your computer
certificate in the store; now you finally have to move the CA certificate
into the root certificate store under your computer account store.


That's all in the mmc.

Then go to the preferences of your network connection, Authentication tab,
EAP type properties, and in the list you have to check "Check
server certificate", uncheck "Connect to this server" (this is optional) and in
the list check your CA.
If you also have a user certificate installed you will find your CA there 2
times. It is not important which you select; one should be enough.

Finally I can say, regarding what was discussed here, you don't have to set another OID
which is discussed here in one thread, and you only have to change your
registry if you have special requirements for the authentication behaviour.
The basic registry setting seems to be enough. I added the SupplicantMode
DWORD with a value of 3, but this only seems to start authentication
faster than without and is not essential for a basic setup.

OK, this is only a small dirty description for the first time; a better one
will follow soon. But I thought many of you are struggling over this and it
would be good to post this fast. Sorry for typing mistakes, maybe someone will
correct this :-)

@Alan: Is there an interest in posting my doku to the wiki? I can send the
final document to you!

Greetings and good luck 


Armin




Re: EAP TLS Computer Authentication XP the final Solution *working great after a hard fight* Solution inside

2006-05-20 Thread Krämer Armin


-Original Message-
From: Krämer Armin [mailto:[EMAIL PROTECTED]
Sent: Saturday, 20 May 2006 12:04
To: '[EMAIL PROTECTED]'
Subject: Re: EAP TLS Computer Authentication XP the final Solution *working
great after a hard fight* Solution inside

Hi, I read your article in this magazine and it was quite helpful; the only
thing that didn't work was the machine certificate, but like I described in my last
post, the only thing I struggled with was XP clients needing the full DN at the
place I described and the CN as computer name, and how to import them
correctly. Your ldap setup was really helpful. Thanks to you.

Greetings from Baden-Württemberg

Armin 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Saturday, 20 May 2006 09:23
To: Krämer Armin
Subject: Re: EAP TLS Computer Authentication XP the final Solution *working
great after a hard fight* Solution inside

On Saturday, 20 May 2006 09:01, Krämer Armin wrote:
 Hi,

(...)
 A CA created with TinyCA as frontend for openssl, freeradius @debian
 stable with EAP-TLS support, LDAP backend for dynamic VLAN assignment
 rules, VLAN routing @ a Layer 3 core switch and finally clients
 2000, XP, Linux doing firstly a machine authentication (*tricky but
 possible*), pulled into a basic VLAN with the DHCP, DNS and ADS servers in a
 separate subnet and VLAN; then users can log onto the domain, getting their
 final user certificate, thrown into their final working VLAN and getting the
 final subnet from the DHCP. This works great now, but firstly only the main
 problem, the machine certificates.

Hi,

I did this setup (LDAP, VLAN, Certs, ...) and wrote an article in the German
Linux Magazin 01/05. All problems you list are more or less described there.

Sorry, that I did not read the beginning of this discussion. So I could have
helped you before.

Greetings from Munich,

Michael Schwartzkopff




Re: XP drops first EAP request !!Very important for my exam!!!

2006-05-17 Thread Krämer Armin
Has no one any idea about what causes that problem???


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On behalf of Krämer Armin
Sent: Sunday, 7 May 2006 10:29
To: freeradius-users@lists.freeradius.org
Subject: XP drops first EAP request !!Very important for my exam!!!

Hi, I have here a working environment with freeradius [EMAIL PROTECTED] stable
with eap/tls and client certificates and ldap backend.

After a long time of experimenting I got machine certificates working
basically.

My problem now is that when my testing system boots up and halts at the
login prompt, the machine tries to authenticate a first time with the machine
certificate. This first move ends up with handled. When I leave the
machine at the login prompt, after 30 seconds the second authentication
request is invoked by XP and this time it is successful. Very strange...
I tried lots of settings on the XP machine (AuthMode, SupplicantMode) but
can't find the mistake.

Can someone help me please with this problem? If this phenomenon is normal,
is there a possibility to reduce the time of these 30 seconds
(reauthentication period at the XP machine)??

I will append the logs of freeradius of a complete authentication process
and a second log from the XP machine with eapol tracing turned on. Maybe this
is helpful. Sorry for that zip file, but otherwise the message would be too
big for that mailing list...

Greetings Armin





Windows Client Authentication before Domain logon

2005-08-22 Thread Krämer Armin
Hi, I successfully installed a Radius-authenticated network with EAP-TLS
authentication. But I can't get a logon to my Domain Controller when
the machines boot up. OK, I know this problem is not new, but is there any
chance to solve this problem without additional software like AEGIS?? Or is
there other software for Windows XP and/or 2000 which is free from
license? And is it possible to set a default VLAN group where the Domain
Controller exists and all clients firstly get in and later change the
VLAN ID??? Would this be possible and how would it work?

Greetings Armin
