LEAP

2005-05-31 Thread Luis Daniel Lucio Quiroz
Ehlo


We are using Cisco 1200 APs for roaming, but the AP needs to auth into RADIUS.
Because it is Cisco it must use LEAP.  But it fails on this


rlm_eap: EAP/leap
  rlm_eap: processing type leap
rlm_eap_leap: No User-Password or NT-Password configured for this user
 rlm_eap: Handler failed in EAP/leap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 3

EAP with TLS and PEAP works well.


LDAP user exists


uid: AP-DATI
userPassword: cisco1234
sambaNTPassword: 3B298390489F668CA3C38047C7FE1266
sambaLMPassword: 8BE57A0FA91F460C19F10A933D4868DC
 
How should I fix this?

Regards,
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Certificate Revocation List (EAP/TLS)

2005-05-18 Thread Luis Daniel Lucio Quiroz
May I do this with just a "cat cacert.pem crl.pem > ca.pem" command?

On Wednesday 18 May 2005 08:50, Michael Griego wrote:
> There are no "crl_dir" and "crl" configuration options recognized by the
> server.  You must have added those.  The correct way to do this is to
> add the PEM encoded CRL to the end of your PEM encoded CA certificate,
> referenced by the CA_file configuration option, then set check_crl = yes.
>
> --Mike
>
> [EMAIL PROTECTED] wrote:
> >Have no one a solution of this problem?
> >
> >thanks for help
> >
> >Alain
> >
> >>Hi,
> >>
> >>I work with freeradius 1.0.2
> >>
> >>If I configure in the TLS section of eap.conf (without these entries the
> >>authentication process works fine)
> >>
> >>CA_path = /path
> >>check_crl = yes
> >>crl_dir = /path
> >>crl = file
> >>
> >>No certificate is accepted (I generate the certificates and the CRL
> >>with tinyca).
> >>
> >>How can I configure eap.conf so that the authentication process
> >> works correctly?
> >>
> >>Does anyone have a working EAP/TLS authentication where the CRL works?
> >>
> >>Thanks for help
> >>
> >>Alain
> >
>



Re: peap (ms-chap v2) + ldap bind

2005-05-12 Thread Luis Daniel Lucio Quiroz
I did

On Thursday 12 May 2005 16:44, CHui wrote:
> I would like to know if anyone has a workaround to support PEAP (MS-CHAP
> v2) client access authenticating against an LDAP server with a bind operation.
> Currently, retrieving the clear text password from LDAP is not an option.
>
>
>
> Thanks
>
> Cedric



Re: help - PEAP authentication

2005-04-29 Thread Luis Daniel Lucio Quiroz

Why don't you try this?

modules {
...

#  '[EMAIL PROTECTED]'
#
realm suffix {
format = suffix
delimiter = "@"
}

}


and then

authorize {
preprocess
...
suffix
...
}

It should work in the sense that the DN is rewritten.

Let me know if it works for you.
On Thursday 28 April 2005 21:25, Israel Fabio Alves wrote:
> Hi Michael,
>
> I will see this with Extreme Networks (Brazil).
>
> Thanks for your help.
>
> Michael Griego wrote:
> > Talk to your NAS vendor.  That's completely insane for a NAS to rewrite
> > the User-Name, not to mention a violation of RFC 3579.
> >
> > --Mike
> >
> > Israel Fabio Alves wrote:
> >> Hi,
> >>
> >> I need help to solve a problem.
> >>
> >> My configuration work 100% with Switch Cisco 2950.
> >>
> >> Now I need use Switch from Extreme Networks (Summit 1i), but this
> >> Switch sent request to Freeradius with this "[EMAIL PROTECTED]".
> >>
> >> I think use attr_rewrite to change the request from this
> >> "[EMAIL PROTECTED]" to "windowsdomain\username", but I do not
> >> find the way to organize the information with attr_rewrite and I do
> >> not know if this will work for authentication.
> >>
> >> Does someone have an idea how I can solve this?
> >>
> >> Many thanks.
> >> Israel Alves
> >>
> >

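Added example, not code from this thread or from FreeRADIUS: the User-Name arrives from the Extreme switch as "user@domain" while the Windows backend wants "DOMAIN\user". The split below mirrors what rlm_realm does with a "suffix" instance (last "@", as in the realm block above) and an "ntdomain" instance (first "\"); the rewrite helper is this example's own and shows the server, not the NAS, doing the rewriting, which is the point of the RFC 3579 remark. The names and domains in the test are constructed.

```python
"""Split and rewrite a RADIUS User-Name between the two realm forms."""


def split_user_name(user_name: str):
    """Return (user, realm, fmt); fmt is 'suffix', 'ntdomain' or None.

    'suffix' splits on the LAST '@' (rlm_realm uses strrchr), 'ntdomain'
    on the FIRST backslash (strchr), so 'a@b@c' yields realm 'c'.
    """
    if "@" in user_name:
        user, realm = user_name.rsplit("@", 1)
        return user, realm, "suffix"
    if "\\" in user_name:
        realm, user = user_name.split("\\", 1)
        return user, realm, "ntdomain"
    return user_name, None, None


def rewrite_user_name(user_name: str, target: str) -> str:
    """Re-join the parts in the form the backend expects.

    A name without any realm is returned unchanged, so local users keep
    working; unknown target formats are rejected rather than guessed.
    """
    user, realm, _ = split_user_name(user_name)
    if realm is None:
        return user_name
    if target == "ntdomain":
        return f"{realm}\\{user}"
    if target == "suffix":
        return f"{user}@{realm}"
    raise ValueError(f"unknown target format {target!r}")


if __name__ == "__main__":
    # constructed sample: what the switch sends -> what the domain wants
    print(rewrite_user_name("israel@EXAMPLE", "ntdomain"))
```

In FreeRADIUS terms the first function is the realm module's job and the second is what you would express with attr_rewrite or an unlang update on User-Name; doing it on the server keeps the NAS honest and keeps the realm available for proxy decisions.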


Re: freeradius & ntlm_auth

2005-04-21 Thread Luis Daniel Lucio Quiroz
I have just configured FreeRADIUS with NTLM, but I don't understand your
problem. Can I help you?

On Thursday 21 April 2005 12:22, Alan DeKok wrote:
> Sylvain Clerc <[EMAIL PROTECTED]> wrote:
> > So, I read all of the debugging output and I find that mschap failed
> > to find a nt/lm password and stop the real authentication at this
> > moment.
>
>   Yes, but it also failed to find a User-Password.
>
>   If you don't tell the server what password to use for
> authentication, it can't authenticate the user.
>
>   For some reason, it's not running ntlm_auth.  I don't know why.
>
>   Alan DeKok.
>
>



Re: freeradius and LDAP-V2

2005-04-21 Thread Luis Daniel Lucio Quiroz
On Thursday 21 April 2005 07:53, Frank Bonnet wrote:
> Hello
>
> I'm new to the list :-)
>
> I am setting up a chillispot server to manage our future WiFi network
> and I wonder if the schemas given with the latest freeradius
> distribution, as they are marked for LDAP-v3, are OK for LDAP-v2?
>
> We actually use LDAP v2 ( openldap 2.0.27 ) as centralized
> auth system and we do not plan to upgrade to v3 for several months.
>
> Any info or tricks welcome, thanks a lot.

Remember to still have support for LDAPv2 in OpenLDAP 2.1+; many apps do not
support it.



Re: EAP-TLS Certificate Failure with CMC Emulation Engine

2005-04-15 Thread Luis Daniel Lucio Quiroz
Did you sign your certificates with OID extensions for user and server use?

On Friday 15 April 2005 20:14, Adam Gibson wrote:
> Background:
> I am utilizing CMC’s Emulation Engine to perform multi-client testing on a
> wireless access point, which is configured for WPA 802.1x.  I am running
> EAP-TLS on FreeRADIUS 1.0.0-5 and OpenSSL 0.9.7d-25 on SuSE Linux
> Professional 9.2.  Before testing the access point with the Emulation
> Engine I verified the FreeRADIUS configuration with Windows XP SP2 clients,
> which allowed me to successfully associate, authenticate and transfer data
> through the access point.
>
> Problem:
> FreeRADIUS reports “fatal bad_certificate” when I try to associate and
> authenticate the Emulation Engine with the access point.  However, this is
> the same client certificate I successfully used on the Windows clients.
>
> My contact at CMC built FreeRADIUS on a Redhat platform and tried to
> troubleshoot the problem.  Initially, he was unable to associate and
> authenticate via the access point when running the Emulation Engine.  He
> eventually rebuilt his installation with the following configurations:
>
>   OpenSSL: --no-shared
>   FreeRADIUS: --with-openssl-includes=/usr/local/ssl/include
>   --with-openssl-libraries=/usr/local/ssl/lib
>   --disable-shared
>
> After he rebuilt his installation he was able to successfully use my
> certificates with the Emulation Engine.
>
> Questions:
> What did his rebuild configurations change?
> Can anyone provide insight into my FreeRADIUS errors captured below?
>
> - Thanks, Adam Gibson
>
> rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:5501, id=23,
> length=202
> Message-Authenticator = 0xd9e136bede727a18ffebbe5029428d2a
> Service-Type = Framed-User
> User-Name = "laptop"
> Framed-MTU = 1488
> State = 0xb9a81d87e3edf4ae5692cb71c2d3f34d
> Called-Station-Id = ":xx--xxx-xx"
> Calling-Station-Id = ""
> NAS-Identifier = ""
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 54Mbps 802.11g"
> EAP-Message = 0x020200060d00
> NAS-IP-Address = xxx.xxx.xxx.xxx
> NAS-Port = 2
> NAS-Port-Id = "STA port # 2"
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 10
>   modcall[authorize]: module "preprocess" returns ok for request 10
>   modcall[authorize]: module "chap" returns noop for request 10
>   modcall[authorize]: module "mschap" returns noop for request 10
> rlm_realm: No '@' in User-Name = "laptop", looking up realm NULL
> rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 10
>   rlm_eap: EAP packet type response id 2 length 6
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 10
> users: Matched laptop at 97
>   modcall[authorize]: module "files" returns ok for request 10
> modcall: group authorize returns updated for request 10
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 10
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/tls
>   rlm_eap: processing type tls
>   rlm_eap_tls: Authenticate
>   rlm_eap_tls: processing TLS
> rlm_eap_tls: Received EAP-TLS ACK message
>   rlm_eap_tls: ack handshake fragment handler
>   eaptls_verify returned 1
>   eaptls_process returned 13
>   modcall[authenticate]: module "eap" returns handled for request 10
> modcall: group authenticate returns handled for request 10
> Sending Access-Challenge of id 23 to xxx.xxx.xxx.xxx:5501
> EAP-Message =
> 0x010303200d800716273025060355040a131e4c657669746f6e20566f69636520616e6
>420446174612044697669736f6e31133011060355040b130a416374697665204c61623114301
>20603550403130b4164616d20476962736f6e312b302906092a864886f70d010901161c61676
>962736f6e406c657669746f6e766f696365646174612e636f6d305c300d06092a864886f70d0
>101010500034b003048024100b9eb33f79f3aff24f1613023530ee0b512c4aec11c11840087e
>9798f9da02446ff83854cf201fab7e2486a12f1e7fd406b1c34e7c38c29497d62765fae0ff48
>f0203010001a382011630820112301d0603551d0e041604143143 EAP-Message =
> 0x009a0e958f0e4adccbc9e9e757ea7eb7d7173081e20603551d230481da3081d7801431430
>09a0e958f0e4adccbc9e9e757ea7eb7d717a181bba481b83081b5310b3009060355040613025
>553311330110603550408130a57617368696e67746f6e3110300e06035504071307426f74686
>56c6c31273025060355040a131e4c657669746f6e20566f69636520616e64204461746120446
>97669736f6e31133011060355040b130a416374697665204c6162311430120603550403130b4
>164616d20476962736f6e312b302906092a864886f70d010901161c61676962736f6e406c657
>669746f6e766f696365646174612e636f6d820100300c0603551d EAP-Message =
> 0x13040530030101ff300d06092a864886f70d0101040500034100231a

Check_crl (Radius with LDAP/EAP-TLS)

2005-04-12 Thread Luis Daniel Lucio Quiroz
Hello RADIUS users,

I have just setup a radius server with a LDAP backend for user auth for our 
WLAN.

It auths pretty well with certs for client/server.

I was wondering how to let RADIUS check whether a cert has expired.  So I do the following:

copy  server.public.pem  to /etc/ssl
copy server.privatekey.pem to /etc/ssl
copy cacert.pem to /etc/ssl
copy ca.crl to /etc/ssl

into /etc/ssl there are more files for other services.

I run c_rehash  /etc/ssl  

and put this into the .conf file in the tls section:

private_key_file = /etc/ssl/serverprivatekey.pem
private_key_password =
# server cert was made with the -nodes option so it does not need encryption
certificate_file = /etc/ssl/server.public.pem
CA_file = /etc/ssl/cacert.pem
CA_path = /etc/ssl
check_crl = yes
check_cert_cn = %{User-Name}

It fails with an error message that the CRL could not be found. Is there anything
more I could do?


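Added example for this post and for the "Certificate Revocation List (EAP/TLS)" thread above, where Michael Griego's reply gives the working layout: check_crl = yes expects the PEM CRL appended to the PEM CA certificate named by CA_file. Dropping ca.crl into CA_path instead relies on c_rehash having produced a hash link for it, which is a separate thing to get right. This is neither FreeRADIUS nor OpenSSL code; it builds that bundle and checks its PEM structure. The sample blocks are constructed (a minimal DER SEQUENCE stands in for a real certificate and CRL).

```python
"""Build and sanity-check the CA_file bundle (CA cert + CRL) for check_crl."""
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text: str):
    """Return [(label, der)] for each PEM block in file order.

    Raises on broken base64 or on a body that is not a DER SEQUENCE
    (tag 0x30), which is what both a certificate and a CRL start with.
    """
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:
            raise ValueError(f"{label} body is not a DER SEQUENCE")
        blocks.append((label, der))
    return blocks


def make_bundle(ca_pem: str, crl_pem: str) -> str:
    """The 'cat cacert.pem crl.pem > ca.pem' step, with a guaranteed newline
    between the files so an END line and the next BEGIN line never merge."""
    return ca_pem.rstrip("\n") + "\n" + crl_pem.rstrip("\n") + "\n"


def check_ca_bundle(text: str):
    """Return (n_certs, n_crls, problems); problems is empty when the file
    can serve as CA_file with check_crl = yes."""
    try:
        blocks = pem_blocks(text)
    except ValueError as e:
        return 0, 0, [str(e)]
    labels = [label for label, _ in blocks]
    n_certs = labels.count("CERTIFICATE")
    n_crls = labels.count("X509 CRL")
    problems = []
    if n_certs == 0:
        problems.append("no CERTIFICATE block: CA_file needs the CA certificate")
    if n_crls == 0:
        problems.append("no X509 CRL block: check_crl = yes has nothing to check against")
    for label in sorted(set(labels) - {"CERTIFICATE", "X509 CRL"}):
        # a private key or a stray server cert does not belong in the trust bundle
        problems.append(f"unexpected {label} block in CA_file")
    return n_certs, n_crls, problems


# Constructed stand-ins: DER SEQUENCE { INTEGER 1 } is "MAMCAQE=" in base64.
FAKE_BODY = "MAMCAQE="
SAMPLE_CA = f"-----BEGIN CERTIFICATE-----\n{FAKE_BODY}\n-----END CERTIFICATE-----\n"
SAMPLE_CRL = f"-----BEGIN X509 CRL-----\n{FAKE_BODY}\n-----END X509 CRL-----\n"

if __name__ == "__main__":
    print(check_ca_bundle(make_bundle(SAMPLE_CA, SAMPLE_CRL)))
```

Two operational points follow from the same layout: the CRL carries a nextUpdate, and once it passes OpenSSL rejects every certificate, so the bundle has to be regenerated on a schedule; and FreeRADIUS 1.x loads CA_file when the module is instantiated, so radiusd needs a restart to pick up the new CRL.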


Re: PEAP authentication + Windows DOMAIN

2005-04-06 Thread Luis Daniel Lucio Quiroz
Do you speak Spanish?

I want to do the same thing; maybe we can help each other.

On Wednesday 06 April 2005 12:20, Israel Fabio Alves wrote:
> Hi,
>
>   I try to authenticate user Windows XP + PEAP + MSCHAPV2. The
> authentication uses user + password + domain.
>
> The same error always occurs: rlm_eap: Identity does not match User-Name,
> setting from EAP Identity.
>
>
>
> Thanks for help.
>
> tp-opengate:/usr/local/radius/etc/raddb# /usr/local/radius/sbin/radiusd
> -X -A
> Starting - reading configuration files ...
> reread_config:  reading radiusd.conf
> Config:   including file: /usr/local/radius/etc/raddb/proxy.conf
> Config:   including file: /usr/local/radius/etc/raddb/clients.conf
> Config:   including file: /usr/local/radius/etc/raddb/snmp.conf
> Config:   including file: /usr/local/radius/etc/raddb/eap.conf
> Config:   including file: /usr/local/radius/etc/raddb/sql.conf
>   main: prefix = "/usr/local/radius"
>   main: localstatedir = "/usr/local/radius/var"
>   main: logdir = "/usr/local/radius/var/log/radius"
>   main: libdir = "/usr/local/radius/lib"
>   main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
>   main: hostname_lookups = no
>   main: max_request_time = 30
>   main: cleanup_delay = 5
>   main: max_requests = 1024
>   main: delete_blocked_requests = 0
>   main: port = 0
>   main: allow_core_dumps = no
>   main: log_stripped_names = yes
>   main: log_file = "/usr/local/radius/var/log/radius/radius.log"
>   main: log_auth = yes
>   main: log_auth_badpass = yes
>   main: log_auth_goodpass = yes
>   main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
>   main: user = "(null)"
>   main: group = "(null)"
>   main: usercollide = no
>   main: lower_user = "no"
>   main: lower_pass = "no"
>   main: nospace_user = "no"
>   main: nospace_pass = "no"
>   main: checkrad = "/usr/local/radius/sbin/checkrad"
>   main: proxy_requests = yes
>   proxy: retry_delay = 5
>   proxy: retry_count = 3
>   proxy: synchronous = no
>   proxy: default_fallback = yes
>   proxy: dead_time = 120
>   proxy: post_proxy_authorize = yes
>   proxy: wake_all_if_all_dead = no
>   security: max_attributes = 200
>   security: reject_delay = 1
>   security: status_server = no
>   main: debug_level = 0
> read_config_files:  reading dictionary
> read_config_files:  reading naslist
> Using deprecated naslist file.  Support for this will go away soon.
> read_config_files:  reading clients
> read_config_files:  reading realms
> radiusd:  entering modules setup
> Module: Library search path is /usr/local/radius/lib
> Module: Loaded exec
>   exec: wait = yes
>   exec: program = "(null)"
>   exec: input_pairs = "request"
>   exec: output_pairs = "(null)"
>   exec: packet_type = "(null)"
> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> Module: Instantiated exec (exec)
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded PAP
>   pap: encryption_scheme = "crypt"
> Module: Instantiated pap (pap)
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Module: Loaded MS-CHAP
>   mschap: use_mppe = yes
>   mschap: require_encryption = yes
>   mschap: require_strong = yes
>   mschap: with_ntdomain_hack = yes
>   mschap: passwd = "(null)"
>   mschap: authtype = "MS-CHAP"
>   mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{mschap:User-Name} --domain=NTRSSRV
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}" Module: Instantiated mschap
> (mschap)
> Module: Loaded System
>   unix: cache = no
>   unix: passwd = "(null)"
>   unix: shadow = "(null)"
>   unix: group = "(null)"
>   unix: radwtmp = "/usr/local/radius/var/log/radius/radwtmp"
>   unix: usegroup = no
>   unix: cache_reload = 600
> Module: Instantiated unix (unix)
> Module: Loaded eap
>   eap: default_eap_type = "peap"
>   eap: timer_expire = 60
>   eap: ignore_unknown_eap_types = no
>   eap: cisco_accounting_username_bug = no
>   tls: rsa_key_exchange = no
>   tls: dh_key_exchange = yes
>   tls: rsa_key_length = 512
>   tls: dh_key_length = 512
>   tls: verify_depth = 0
>   tls: CA_path = "(null)"
>   tls: pem_file_type = yes
>   tls: private_key_file = "/usr/local/openssl/ssl/misc/radius/newreq.pem"
>   tls: certificate_file = "/usr/local/openssl/ssl/misc/radius/newcert.pem"
>   tls: CA_file = "/usr/local/openssl/ssl/misc/radius/cacert.pem"
>   tls: private_key_password = "whatever"
>   tls: dh_file = "/usr/local/openssl/ssl/misc/radius/dh"
>   tls: random_file = "/usr/local/openssl/ssl/misc/radius/random"
>   tls: fragment_size = 1024
>   tls: include_length = yes
>   tls: check_crl = no
>   tls: check_cert_cn = "(null)"
> rlm_eap: Loaded and initialized type tls
>   peap: default_eap_type = "mschapv2"
>   peap: copy_request_to_tunnel = no
>   peap: use_tunneled_reply = no
>   peap: proxy_tunneled_request_as_eap = yes
> rlm_eap: Loaded and initialized type peap
>   mschapv2: with_ntdomain_hack = no
> rlm_eap: Loaded and initialized type mschapv2
> Module: Instantiated eap (ea

Freeradius + LDAP + Segmentation Fault

2005-03-30 Thread Luis Daniel Lucio Quiroz
Hello,


I'm using FreeRADIUS 1.0.2, and when I try to radtest the configuration it breaks
down.

The logs show that authentication was made, and it says: "auth... correct"
then, on the next line,
Segmentation Fault

I have configured only LDAP, and got rid of EAP, UNIX, PAM, CHAP, CHAPv2, PAP.

Any suggestion?

Now I am working with PAM (which authenticates with LDAP) but I'm losing
capabilities.

Suggestions?

LD



Re: POPTOP + RADIUS + LDAP

2005-03-16 Thread Luis Daniel Lucio Quiroz
This topic has already been on the list.

Remember, if you try to do CHAP it won't work because the passwords are encrypted.

On Wednesday 16 March 2005 14:50, Anderson Alves de Albuquerque wrote:
>  I am trying to install this:
>
> PPTP Client (Linux/Win XP/Win 2k) > RADIUS ---> LDAP
>
>  I have a problem with user authentication with RADIUS and LDAP. Could
> someone help me?
>
>  My RADIUS can already do user authentication for GNUGK (VoIP/H.323).
>
>
>   Help me please.
>
>
>
>
>



Re: Freeradius and LDAP

2005-02-18 Thread Luis Daniel Lucio Quiroz
You may want to read
http://www.linuxchange.com/opendocs/howto/authentication/radius/index.es.html

However, it's in Spanish.

LD



Re: CHAP+MS-CHAP+freeRADIUS

2004-10-04 Thread Luis Daniel Lucio Quiroz
I rather prefer PAP; you only put one account at risk, not everybody.

On Monday 4 October 2004 10:59, [EMAIL PROTECTED] wrote:
> Luis Daniel Lucio Quiroz wrote:
> > Isn't it a security problem to have clear text passwords to permit
> > CHAP?
>
> Depending on your configuration, it may be one.
> Essentially, there are two possible points of attack:
> - the network: Try to intercept "the password" during
>   transfer.
> - the configuration files: Try to read/modify user
>passwords.
> Now you can use either  "PAP" (transfer clear-text
> password and compare its hash value with the
> hash value stored on the server) - safe against stealing
> password from server (only hash value is stored), but
> risky if your network is not secure. Or you can use
> "CHAP" (get a challenge, encrypt the challenge using
> your password as "encryption key", server needs to
> know the correct "encryption key" to verify the
> correctness of the clients encryption) - safe against
> snooping on the network, but password is stored on
> the server.
>
> From my point of view, if you can steal passwords from
> the server, you likely can steal information needed to
> send "false" accept packets as well, i.e. if an attacker
> can get to the CHAP passwords, your security is
> compromised anyway and there (usually) is more
> interesting stuff for the attacker than stealing passwords.
> OTOH, network sniffing is "easily" done, so PAP really
> isn't a good alternative, even though it's not quite as dumb
> as my description makes it sound (it's not really clear text,
> it's encrypted using the shared RADIUS secret, but there
> you can try dictionary attacks and it's stored on both client
> and server in clear text, so if you think, CHAP is a problem,
> then PAP is no better than a clear-text password transfer).
>
> Regards,
>Stefan
>

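Added example, not code from the thread or from FreeRADIUS, putting Stefan's comparison into working form: a CHAP check, which only works when the server holds the cleartext password; a PAP check against an OpenLDAP-style {SSHA} hash, which needs no cleartext in the backend; and the RFC 2865 section 5.2 User-Password hiding that a PAP password gets on the wire, with the offline dictionary attack on the shared secret that Stefan alludes to. All passwords, secrets and authenticators below are constructed sample values.

```python
"""CHAP vs PAP on the server side, and RADIUS User-Password hiding."""
import base64
import hashlib
import hmac


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify_chap(ident: int, stored_cleartext: bytes, challenge: bytes,
                response: bytes) -> bool:
    """The server recomputes the MD5 over the cleartext password; a one-way
    hash of the password in the backend is of no use here (the list's
    'no User-Password configured' failures are exactly this)."""
    expected = chap_response(ident, stored_cleartext, challenge)
    return hmac.compare_digest(expected, response)


def ssha_hash(password: bytes, salt: bytes) -> str:
    """OpenLDAP-style {SSHA}: base64(SHA1(password || salt) || salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_pap(stored: str, password: bytes) -> bool:
    """PAP delivers the cleartext password, so a salted hash is enough."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("only {SSHA} is handled in this example")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def _xor_chain(secret: bytes, authenticator: bytes, data: bytes, hiding: bool) -> bytes:
    """RFC 2865 section 5.2: b1 = MD5(S || RA), c1 = p1 XOR b1,
    b_i = MD5(S || c_(i-1)), c_i = p_i XOR b_i.  The chain always runs
    over the ciphertext blocks, so one loop both hides and reveals."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(block, b))
        out += c
        prev = c if hiding else block
    return bytes(out)


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """Pad with NULs to a multiple of 16 octets, then chain-XOR with MD5 keystream."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(secret, authenticator, padded, hiding=True)


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    return _xor_chain(secret, authenticator, hidden, hiding=False).rstrip(b"\x00")


def guess_secret(authenticator: bytes, hidden: bytes, candidates):
    """Offline dictionary attack on a captured Access-Request: a wrong secret
    decodes to random bytes, the right one to printable text plus NUL padding.
    Returns the matching candidate secret, or None."""
    for cand in candidates:
        raw = _xor_chain(cand, authenticator, hidden, hiding=False)
        pw = raw.rstrip(b"\x00")
        if pw and all(0x20 <= ch < 0x7F for ch in pw):
            return cand
    return None


if __name__ == "__main__":
    pw, ra = b"s3cret-pass", bytes(range(16, 32))       # constructed values
    hidden = hide_password(b"testing123", ra, pw)
    print(guess_secret(ra, hidden, [b"admin", b"radius", b"testing123"]))
```

The keystream depends only on the shared secret and the Request Authenticator, both of which are in the sniffer's hands (the secret by guessing), which is why the hiding is not encryption in any useful sense, and why the choice between PAP and CHAP is really a choice about where the cleartext lives: on the wire or in the backend.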


Re: CHAP+MS-CHAP+freeRADIUS

2004-10-04 Thread Luis Daniel Lucio Quiroz
Isn't it a security problem to have clear text passwords to permit CHAP?

On Monday 4 October 2004 09:18, Alan DeKok wrote:
> "Mahesh S Kudva" <[EMAIL PROTECTED]> wrote:
> > I did the same:
> >
> > username  Auth-Type:= CHAP, CHAP-Password == "test"
> > Service-Type = Framed-User,
> > Framed-Protocol = PPP
> >
> > But still the server rejects the user.
>
>   
>
>   Configure a CLEAR-TEXT password for the user, using the
> User-Password attribute.
>
>   DO NOT set Auth-Type.  The server will figure it out.
>
>   Alan DeKok.
>



Radius and Samba

2004-09-28 Thread Luis Daniel Lucio Quiroz
Hello all,

Well, I have just configured freeRADIUS using LDAP as a backend and it works
well.  Radtest reports that authentication is OK.  So I configured my
PPTP/PPP VPN using the radius plugin and it works (with PAP).

However I realize that the ldap.radmap file does the mapping between LDAP and RADIUS and
it has an NT/LM Samba 2 mapping, so I updated them to use the Samba 3 properties.

When I do this, authentication fails.  LDAP has permissions to access these
properties so it's not an LDAP problem.

Is there any doc that I should read about how to interact with Samba hashes?
BTW, using Samba, is there any other auth method than PAP available?

Regards,

LD

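Added example for this post and for the "LEAP" post at the top of the page, where the LDAP entry carries sambaNTPassword but rlm_eap_leap reports "No User-Password or NT-Password configured": the lines of the stock FreeRADIUS 1.x mapping file (raddb/ldap.attrmap) that turn Samba 3 attributes into the NT-Password/LM-Password check items that rlm_mschap and rlm_eap_leap look for, alongside the ldap module block that feeds them. This is an illustrative fragment, not the poster's configuration; the server, bind DN, base DN and bind password are placeholders.

```text
# ldap.attrmap: the stock file maps the Samba 2 names (lmPassword,
# ntPassword); for Samba 3 change the LDAP side of these two lines.
checkItem	LM-Password	sambaLMPassword
checkItem	NT-Password	sambaNTPassword

# radiusd.conf, modules section (placeholder values)
ldap {
	server = "ldap.example.org"
	identity = "cn=radius,dc=example,dc=org"
	password = "bind-password"
	basedn = "ou=people,dc=example,dc=org"
	filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
	# a cleartext userPassword is returned as User-Password, which
	# LEAP and CHAP can use directly; a {crypt}/{SSHA} value cannot
	password_attribute = userPassword
	dictionary_mapping = ${raddbdir}/ldap.attrmap
}
```

Two things still have to hold for the mapped attributes to reach the EAP handler: "ldap" must be listed in the authorize section so the check items are added before the authenticate section runs the eap module, and the bind DN needs read access to sambaNTPassword/sambaLMPassword (and to userPassword if the cleartext route is used) in the OpenLDAP ACLs, which by default expose only userPassword and only for auth. The NT hash is a password equivalent for MS-CHAP and LEAP, so the bind DN that can read it should be treated with the same care as one that can read cleartext passwords.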