LEAP
Hello,

We are using a Cisco 1200 AP for roaming, but the AP needs to authenticate against RADIUS. Because it is Cisco, it must use LEAP. But it fails on this:

rlm_eap: EAP/leap
rlm_eap: processing type leap
rlm_eap_leap: No User-Password or NT-Password configured for this user
rlm_eap: Handler failed in EAP/leap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 3

EAP with TLS and PEAP works well. The LDAP user exists:

uid: AP-DATI
userPassword: cisco1234
sambaNTPassword: 3B298390489F668CA3C38047C7FE1266
sambaLMPassword: 8BE57A0FA91F460C19F10A933D4868DC

How should I fix this?

Regards,

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Certificate Revocation List (EAP/TLS)
Can I do this with just a "cat cacert.pem crl.pem > ca.pem" command?

On Wednesday 18 May 2005 08:50, Michael Griego wrote:
> There are no "crl_dir" and "crl" configuration options recognized by the
> server. You must have added those. The correct way to do this is to
> add the PEM encoded CRL to the end of your PEM encoded CA certificate,
> referenced by the CA_file configuration option, then set check_crl = yes.
>
> --Mike
>
> [EMAIL PROTECTED] wrote:
> > Does no one have a solution to this problem?
> >
> > thanks for help
> >
> > Alain
> >
> >> Hi,
> >>
> >> I work with freeradius 1.0.2
> >>
> >> If I configure in the TLS section of eap.conf (without these entries the
> >> authentication process works fine)
> >>
> >> CA_path = /path
> >> check_crl = yes
> >> crl_dir = /path
> >> crl = file
> >>
> >> No certificate is accepted (I generate the certificates and the crl
> >> with tinyca).
> >>
> >> How can I configure eap.conf so that the authentication process
> >> works correctly?
> >>
> >> Does anyone have a working EAP/TLS authentication where the CRL works?
> >>
> >> Thanks for help
> >>
> >> Alain
Re: peap (ms-chap v2) + ldap bind
I did.

On Thursday 12 May 2005 16:44, CHui wrote:
> I would like to know if anyone has a workaround to support PEAP (MS-CHAP
> v2) client access authenticating against an LDAP server with a bind operation.
> Currently, retrieving the clear text password from LDAP is not an option.
>
> Thanks
>
> Cedric
Re: help - PEAP authentication
Why don't you try this:

modules {
    ...
    # '[EMAIL PROTECTED]'
    #
    realm suffix {
        format = suffix
        delimiter = "@"
    }
}

and then

authorize {
    preprocess
    ...
    suffix
    ...
}

It should work in the way that the DN is rewritten. Let me know if it works for you.

On Thursday 28 April 2005 21:25, Israel Fabio Alves wrote:
> Hi Michael,
>
> I will see this with Extreme Networks (Brazil).
>
> Thanks for your help.
>
> Michael Griego wrote:
> > Talk to your NAS vendor. That's completely insane for a NAS to rewrite
> > the User-Name, not to mention a violation of RFC 3579.
> >
> > --Mike
> >
> > Israel Fabio Alves wrote:
> >> Hi,
> >>
> >> I need help to solve a problem.
> >>
> >> My configuration works 100% with a Cisco 2950 switch.
> >>
> >> Now I need to use a switch from Extreme Networks (Summit 1i), but this
> >> switch sends the request to Freeradius with this "[EMAIL PROTECTED]".
> >>
> >> I think to use attr_rewrite to change the request from this
> >> "[EMAIL PROTECTED]" to "windowsdomain\username", but I do not
> >> find the way to organize the information with attr_rewrite and I do
> >> not know if this will work for authentication.
> >>
> >> Does someone have an idea how I can solve this?
> >>
> >> Many thanks.
> >> Israel Alves
Re: freeradius & ntlm_auth
I have just configured freeradius with ntlm, but I don't understand your problem. Can I help you?

On Thursday 21 April 2005 12:22, Alan DeKok wrote:
> Sylvain Clerc <[EMAIL PROTECTED]> wrote:
> > So, I read all of the debugging output and I find that mschap failed
> > to find a nt/lm password and stops the real authentication at this
> > moment.
>
> Yes, but it also failed to find a User-Password.
>
> If you don't tell the server what password to use for
> authentication, it can't authenticate the user.
>
> For some reason, it's not running ntlm_auth. I don't know why.
>
> Alan DeKok.
Re: freeradius and LDAP-V2
On Thursday 21 April 2005 07:53, Frank Bonnet wrote:
> Hello
>
> I'm new to the list :-)
>
> I am setting up a chillispot server to manage our future WiFi network
> and I wonder if the schemas given with the latest freeradius
> distribution, as they are marked for LDAP-v3, are OK for LDAP-v2?
>
> We actually use LDAP v2 (openldap 2.0.27) as centralized
> auth system and we do not plan to upgrade to v3 for several months.
>
> Any infos, tricks welcome, thanks a lot.

Remember that OpenLDAP 2.1+ still has support for LDAPv2; many apps do not support it.
Re: EAP-TLS Certificate Failure with CMC Emulation Engine
Did you sign your certificates with the OID extensions for user and server use?

On Friday 15 April 2005 20:14, Adam Gibson wrote:
> Background:
> I am utilizing CMC's Emulation Engine to perform multi-client testing on a
> wireless access point, which is configured for WPA 802.1x. I am running
> EAP-TLS on FreeRADIUS 1.0.0-5 and OpenSSL 0.9.7d-25 on SuSE Linux
> Professional 9.2. Before testing the access point with the Emulation
> Engine I verified the FreeRADIUS configuration with Windows XP SP2 clients,
> which allowed me to successfully associate, authenticate and transfer data
> through the access point.
>
> Problem:
> FreeRADIUS reports fatal bad_certificate when I try to associate and
> authenticate the Emulation Engine with the access point. However, this is
> the same client certificate I successfully used on the Windows clients.
>
> My contact at CMC built FreeRADIUS on a Redhat platform and tried to
> troubleshoot the problem. Initially, he was unable to associate and
> authenticate via the access point when running the Emulation Engine. He
> eventually rebuilt his installation with the following configurations:
>
> OpenSSL: --no-shared
> FreeRADIUS: --with-openssl-includes=/usr/local/ssl/include
>             --with-openssl-libraries=/usr/local/ssl/lib
>             --disable-shared
>
> After he rebuilt his installation he was able to successfully use my
> certificates with the Emulation Engine.
>
> Questions:
> What did his rebuild configurations change?
> Can anyone provide insight into my FreeRADIUS errors captured below?
>
> Thanks, Adam Gibson
>
> rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:5501, id=23, length=202
> Message-Authenticator = 0xd9e136bede727a18ffebbe5029428d2a
> Service-Type = Framed-User
> User-Name = "laptop"
> Framed-MTU = 1488
> State = 0xb9a81d87e3edf4ae5692cb71c2d3f34d
> Called-Station-Id = ":xx--xxx-xx"
> Calling-Station-Id = ""
> NAS-Identifier = ""
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 54Mbps 802.11g"
> EAP-Message = 0x020200060d00
> NAS-IP-Address = xxx.xxx.xxx.xxx
> NAS-Port = 2
> NAS-Port-Id = "STA port # 2"
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 10
> modcall[authorize]: module "preprocess" returns ok for request 10
> modcall[authorize]: module "chap" returns noop for request 10
> modcall[authorize]: module "mschap" returns noop for request 10
> rlm_realm: No '@' in User-Name = "laptop", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 10
> rlm_eap: EAP packet type response id 2 length 6
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 10
> users: Matched laptop at 97
> modcall[authorize]: module "files" returns ok for request 10
> modcall: group authorize returns updated for request 10
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 10
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/tls
> rlm_eap: processing type tls
> rlm_eap_tls: Authenticate
> rlm_eap_tls: processing TLS
> rlm_eap_tls: Received EAP-TLS ACK message
> rlm_eap_tls: ack handshake fragment handler
> eaptls_verify returned 1
> eaptls_process returned 13
> modcall[authenticate]: module "eap" returns handled for request 10
> modcall: group authenticate returns handled for request 10
> Sending Access-Challenge of id 23 to xxx.xxx.xxx.xxx:5501
Check_crl (Radius with LDAP/EAP-TLS)
Hello Radius users,

I have just set up a radius server with an LDAP backend for user auth for our WLAN. It authenticates pretty well with certs for client/server. I was wondering how to let Radius check that a cert has not expired. So I do the following:

copy server.public.pem to /etc/ssl
copy server.privatekey.pem to /etc/ssl
copy cacert.pem to /etc/ssl
copy ca.crl to /etc/ssl

In /etc/ssl there are more files for other services. I run c_rehash /etc/ssl and put this into the .conf file in the tls section:

private_key_file = /etc/ssl/serverprivatekey.pem
private_key_password = # server cert was made with the -nodes option so no passphrase is needed
certificate_file = /etc/ssl/server.public.pem
CA_file = /etc/ssl/cacert.pem
CA_path = /etc/ssl
check_crl = yes
check_cert_cn = %{User-Name}

It fails with an error message that the CRL could not be found. Is there anything more I could do?
Re: PEAP authentication + Windows DOMAIN
Do you speak Spanish? I want to do the same thing; maybe we can help each other.

On Wednesday 06 April 2005 12:20, Israel Fabio Alves wrote:
> Hi,
>
> I try to authenticate user Windows XP + PEAP + MSCHAPV2. The
> authentication using user + password + domain.
>
> Always the same error occurs: rlm_eap: Identity does not match User-Name,
> setting from EAP Identity.
>
> Thanks for help.
>
> tp-opengate:/usr/local/radius/etc/raddb# /usr/local/radius/sbin/radiusd -X -A
> Starting - reading configuration files ...
> reread_config: reading radiusd.conf
> Config: including file: /usr/local/radius/etc/raddb/proxy.conf
> Config: including file: /usr/local/radius/etc/raddb/clients.conf
> Config: including file: /usr/local/radius/etc/raddb/snmp.conf
> Config: including file: /usr/local/radius/etc/raddb/eap.conf
> Config: including file: /usr/local/radius/etc/raddb/sql.conf
> main: prefix = "/usr/local/radius"
> main: localstatedir = "/usr/local/radius/var"
> main: logdir = "/usr/local/radius/var/log/radius"
> main: libdir = "/usr/local/radius/lib"
> main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
> main: hostname_lookups = no
> main: max_request_time = 30
> main: cleanup_delay = 5
> main: max_requests = 1024
> main: delete_blocked_requests = 0
> main: port = 0
> main: allow_core_dumps = no
> main: log_stripped_names = yes
> main: log_file = "/usr/local/radius/var/log/radius/radius.log"
> main: log_auth = yes
> main: log_auth_badpass = yes
> main: log_auth_goodpass = yes
> main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
> main: user = "(null)"
> main: group = "(null)"
> main: usercollide = no
> main: lower_user = "no"
> main: lower_pass = "no"
> main: nospace_user = "no"
> main: nospace_pass = "no"
> main: checkrad = "/usr/local/radius/sbin/checkrad"
> main: proxy_requests = yes
> proxy: retry_delay = 5
> proxy: retry_count = 3
> proxy: synchronous = no
> proxy: default_fallback = yes
> proxy: dead_time = 120
> proxy: post_proxy_authorize = yes
> proxy: wake_all_if_all_dead = no
> security: max_attributes = 200
> security: reject_delay = 1
> security: status_server = no
> main: debug_level = 0
> read_config_files: reading dictionary
> read_config_files: reading naslist
> Using deprecated naslist file. Support for this will go away soon.
> read_config_files: reading clients
> read_config_files: reading realms
> radiusd: entering modules setup
> Module: Library search path is /usr/local/radius/lib
> Module: Loaded exec
> exec: wait = yes
> exec: program = "(null)"
> exec: input_pairs = "request"
> exec: output_pairs = "(null)"
> exec: packet_type = "(null)"
> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> Module: Instantiated exec (exec)
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded PAP
> pap: encryption_scheme = "crypt"
> Module: Instantiated pap (pap)
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Module: Loaded MS-CHAP
> mschap: use_mppe = yes
> mschap: require_encryption = yes
> mschap: require_strong = yes
> mschap: with_ntdomain_hack = yes
> mschap: passwd = "(null)"
> mschap: authtype = "MS-CHAP"
> mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=NTRSSRV --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
> Module: Instantiated mschap (mschap)
> Module: Loaded System
> unix: cache = no
> unix: passwd = "(null)"
> unix: shadow = "(null)"
> unix: group = "(null)"
> unix: radwtmp = "/usr/local/radius/var/log/radius/radwtmp"
> unix: usegroup = no
> unix: cache_reload = 600
> Module: Instantiated unix (unix)
> Module: Loaded eap
> eap: default_eap_type = "peap"
> eap: timer_expire = 60
> eap: ignore_unknown_eap_types = no
> eap: cisco_accounting_username_bug = no
> tls: rsa_key_exchange = no
> tls: dh_key_exchange = yes
> tls: rsa_key_length = 512
> tls: dh_key_length = 512
> tls: verify_depth = 0
> tls: CA_path = "(null)"
> tls: pem_file_type = yes
> tls: private_key_file = "/usr/local/openssl/ssl/misc/radius/newreq.pem"
> tls: certificate_file = "/usr/local/openssl/ssl/misc/radius/newcert.pem"
> tls: CA_file = "/usr/local/openssl/ssl/misc/radius/cacert.pem"
> tls: private_key_password = "whatever"
> tls: dh_file = "/usr/local/openssl/ssl/misc/radius/dh"
> tls: random_file = "/usr/local/openssl/ssl/misc/radius/random"
> tls: fragment_size = 1024
> tls: include_length = yes
> tls: check_crl = no
> tls: check_cert_cn = "(null)"
> rlm_eap: Loaded and initialized type tls
> peap: default_eap_type = "mschapv2"
> peap: copy_request_to_tunnel = no
> peap: use_tunneled_reply = no
> peap: proxy_tunneled_request_as_eap = yes
> rlm_eap: Loaded and initialized type peap
> mschapv2: with_ntdomain_hack = no
> rlm_eap: Loaded and initialized type mschapv2
> Module: Instantiated eap (ea
Freeradius + LDAP + Segmentation Fault
Hello,

I'm using Freeradius 1.0.2, and when I try to radtest the configuration it breaks down. The logs show that authentication was made, and it says "auth... correct"; then, on the next line, Segmentation Fault. I have configured only LDAP and got rid of EAP, UNIX, PAM, CHAP, CHAPv2, PAP.

Any suggestion? For now I am working with PAM (which authenticates with LDAP) but I'm losing capabilities. Suggestions?

LD
Re: POPTOP + RADIUS + LDAP
This topic has already been on the list; remember, if you try to do CHAP it won't work because of the encrypted passwords.

On Wednesday 16 March 2005 14:50, Anderson Alves de Albuquerque wrote:
> I am trying to install this:
>
> PPTP Client (Linux/Win XP/Win 2k)
> RADIUS ---> LDAP
>
> I have a problem with user authentication with RADIUS and LDAP. Could
> someone help me?
>
> My RADIUS can already do user authentication by GNUGK (VOIP/H.323).
>
> Help me please.
Re: Freeradius and LDAP
You may want to read http://www.linuxchange.com/opendocs/howto/authentication/radius/index.es.html; however, it's in Spanish.

LD
Re: CHAP+MS-CHAP+freeRADIUS
I rather prefer PAP; you only put one account at risk, not everybody's.

On Monday 4 October 2004 10:59, [EMAIL PROTECTED] wrote:
> Luis Daniel Lucio Quiroz wrote:
> > Isn't it a security problem (clear text password) to permit
> > CHAP?
>
> Depending on your configuration, it may be one.
> Essentially, there are two possible points of attack:
> - the network: Try to intercept "the password" during
>   transfer.
> - the configuration files: Try to read/modify user
>   passwords.
> Now you can use either "PAP" (transfer clear-text
> password and compare its hash value with the
> hash value stored on the server) - safe against stealing
> the password from the server (only the hash value is stored), but
> risky if your network is not secure. Or you can use
> "CHAP" (get a challenge, encrypt the challenge using
> your password as "encryption key"; the server needs to
> know the correct "encryption key" to verify the
> correctness of the client's encryption) - safe against
> snooping on the network, but the password is stored on
> the server.
>
> From my point of view, if you can steal passwords from
> the server, you likely can steal the information needed to
> send "false" accept packets as well, i.e. if an attacker
> can get to the CHAP passwords, your security is
> compromised anyway and there (usually) is more
> interesting stuff for the attacker than stealing passwords.
> OTOH, network sniffing is "easily" done, so PAP really
> isn't a good alternative, even though it's not quite as dumb
> as my description makes it sound (it's not really clear text,
> it's encrypted using the shared RADIUS secret, but there
> you can try dictionary attacks and it's stored on both client
> and server in clear text, so if you think CHAP is a problem,
> then PAP is no better than a clear-text password transfer).
>
> Regards,
> Stefan
Re: CHAP+MS-CHAP+freeRADIUS
Isn't it a security problem (clear text password) to permit CHAP?

On Monday 4 October 2004 09:18, Alan DeKok wrote:
> "Mahesh S Kudva" <[EMAIL PROTECTED]> wrote:
> > I did the same:
> >
> > username Auth-Type := CHAP, CHAP-Password == "test"
> >         Service-Type = Framed-User,
> >         Framed-Protocol = PPP
> >
> > But still the server rejects the user.
>
> Configure a CLEAR-TEXT password for the user, using the
> User-Password attribute.
>
> DO NOT set Auth-Type. The server will figure it out.
>
> Alan DeKok.
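An added example (mine, not code from either thread) of the point Stefan and Alan make in these two CHAP+MS-CHAP posts: RADIUS PAP hides User-Password with the shared secret and the server can check the recovered cleartext against a stored hash, while CHAP's MD5(id + password + challenge) can only be verified from a cleartext password. The shared secret, Request Authenticator, challenge and password are constructed sample values, and PBKDF2 is an assumed stand-in for whatever hash the server actually stores.

```python
# Added example (mine, not code from the thread): PAP can be verified from a
# stored hash, CHAP needs the cleartext. Secret, authenticator, challenge and
# password below are constructed sample values.
import hashlib
import hmac

def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to 16-byte blocks and XOR each block
    with MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * ((-len(password)) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out

def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password: what the server, or anyone else holding the
    shared secret, does to recover the cleartext from a captured Access-Request."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # drops the padding (and any trailing NULs)

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: the CHAP response is MD5(Identifier + password + challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def stored_hash(password: bytes, salt: bytes) -> bytes:
    """Stand-in for a hashed password store (crypt in /etc/shadow, a hashed LDAP
    userPassword); PBKDF2 is an assumption used here only for illustration."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)

def pap_verify(hidden: bytes, secret: bytes, authenticator: bytes,
               salt: bytes, expected_hash: bytes) -> bool:
    """PAP: recover the cleartext from the packet, then compare hashes, so the
    server only needs the hash of the password."""
    cleartext = radius_reveal_password(hidden, secret, authenticator)
    return hmac.compare_digest(stored_hash(cleartext, salt), expected_hash)

def chap_verify(chap_id: int, response: bytes, challenge: bytes,
                cleartext_from_store: bytes) -> bool:
    """CHAP: recompute MD5(id + password + challenge); only a cleartext password
    makes this possible, a stored hash is useless here."""
    expected = chap_response(chap_id, cleartext_from_store, challenge)
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    secret = b"testing123"            # constructed shared RADIUS secret
    authenticator = bytes(range(16))  # constructed Request Authenticator
    challenge = b"\xaa" * 16          # constructed CHAP challenge
    password = b"correct horse"       # constructed user password
    salt = b"salt"
    hidden = radius_hide_password(password, secret, authenticator)
    resp = chap_response(7, password, challenge)
    return {
        "pap_ok": pap_verify(hidden, secret, authenticator, salt, stored_hash(password, salt)),
        "pap_wrong_secret": pap_verify(hidden, b"other", authenticator, salt, stored_hash(password, salt)),
        "chap_ok": chap_verify(7, resp, challenge, password),
        "chap_with_hash_only": chap_verify(7, resp, challenge, stored_hash(password, salt)),
    }
```

The last two results show the trade-off in the thread: with only a hash on file, CHAP cannot be verified at all, and PAP verification depends entirely on the shared secret staying secret.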
Radius and Samba
Hello all,

Well, I have just configured freeRadius using LDAP as a backend and it works well. Radtest reports that authentication is OK. So I configured my PPTP/PPP VPN using the radius plugin and it works (with PAP). However, I realize that the ldap.radmap file does the mapping between LDAP and Radius and it has NT, LM samba 2 mappings, so I updated them to use samba 3 properties. When I do this, authentication fails. LDAP has permissions to access these properties so it's not an LDAP problem. Is there any doc that I should read about how to interact with Samba hashes?

BTW, using samba, is there another auth method than PAP available?

Regards,

LD