Re: Ntlm problem with peap
Hi,

Running 1.0.0 on dual intel so little-endian. Apparently challenge or nt-response are being generated wrongly, or it's a bug in ntlm_auth.

rpm -qif /usr/bin/ntlm_auth
Name: samba-common
Version : 3.0.2

Any ideas? Is there any workaround to have peap with mschapv2 working without ntlm?

Thanks
Nuno Fernandes

On Mon, 2004-08-30 at 19:43, Alan DeKok wrote:
> Nuno Miguel Pais Fernandes [EMAIL PROTECTED] wrote:
> > I'm having problems using freeradius with peap and ntlm.
>
> If you're running on a big endian machine, there's a bug in src/lib/md4.c which breaks MS-CHAP, and therefore PEAP. We hope to release 1.0.1 soon, to address this issue.
>
> Alan DeKok.
>
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Nuno Miguel Pais Fernandes [EMAIL PROTECTED]
Re: Ntlm problem with peap
Hi again,

On Tue, 2004-08-31 at 15:49, Alan DeKok wrote:
> Nuno Miguel Pais Fernandes [EMAIL PROTECTED] wrote:
> > Running 1.0.0 on dual intel so little-endian. Apparently challenge or nt-response are being generated wrongly, or it's a bug in ntlm_auth.
>
> I've been running it on an x86 for a while, and I haven't seen any problems like that.

Do you suspect problems in xlat or in microsoft supplicant?

> > Any ideas? Is there any workaround to have peap with mschapv2 working without ntlm?
>
> Yes, supply a clear-text, or NT-Password.

I don't have clear text password but I do have NT-Password (unfortunately in ldap and not starting with 0x). Could it work?

Thanks for all the help..
Nuno Fernandes

> Alan DeKok.

--
Nuno Miguel Pais Fernandes [EMAIL PROTECTED]
TTLS + Cisco AP1100
]: module suffix returns noop for request 4
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 4
  modcall[authorize]: module files returns notfound for request 4
modcall: group authorize returns ok for request 4
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
  TTLS: Got tunneled Access-Reject
  rlm_eap: Handler failed in EAP/ttls
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module eap returns invalid for request 4
modcall: group authenticate returns invalid for request 4
auth: Failed to validate the user.
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.253:1645, id=14, length=236
Sending Access-Reject of id 14 to 192.168.0.253:1645
        EAP-Message = 0x04050004
        Message-Authenticator = 0x
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 10 with timestamp 40d004fc
Cleaning up request 1 ID 11 with timestamp 40d004fc
Cleaning up request 2 ID 12 with timestamp 40d004fc
Cleaning up request 3 ID 13 with timestamp 40d004fc
Cleaning up request 4 ID 14 with timestamp 40d004fc
Nothing to do. Sleeping until we see a request.

--
Nuno Miguel Pais Fernandes [EMAIL PROTECTED]
Re: TTLS + Cisco AP1100
Ooopps.. I do see User1.. but I see [EMAIL PROTECTED]

How do I rewrite it to remove realm so there is a match at users file?

Thanks
Nuno Fernandes

On Wed, 2004-06-16 at 09:36, Nuno Miguel Pais Fernandes wrote:
> Hello,
>
> I'm having problems authenticating windows XP clients using EAP-TTLS (I'm using Securew2 plugin) with Freeradius-1.0.0-pre2. In logs I only see outer authentication [EMAIL PROTECTED]. Can anyone have it working?
>
> Thanks
> Nuno Fernandes
>
> Freeradius config:
>
> eap {
>         default_eap_type = ttls
>         timer_expire = 60
>         ignore_unknown_eap_types = no
>         cisco_accounting_username_bug = no
>         md5 {
>         }
>         tls {
>                 private_key_password = whatever
>                 private_key_file = ${raddbdir}/certs/cert-srv.pem
>                 certificate_file = ${raddbdir}/certs/cert-srv.pem
>                 CA_file = ${raddbdir}/certs/demoCA/cacert.pem
>                 dh_file = ${raddbdir}/certs/dh
>                 random_file = ${raddbdir}/certs/random
>                 fragment_size = 1024
>                 include_length = yes
>         }
>         #
>         ttls {
>                 #default_eap_type = md5
>                 #copy_request_to_tunnel = no
>                 use_tunneled_reply = yes
>         }
>         peap {
>                 default_eap_type = mschapv2
>         }
>         mschapv2 {
>         }
> }
>
> Users File:
>
> User1   User-Password == passwd1
>         Tunnel-Type:0 = VLAN,
>         Tunnel-Medium-Type:0 = IEEE-802,
>         Tunnel-Private-Group-Id:0 = 4
>
> Freeradius logs show:
>
> rad_recv: Access-Request packet from host 192.168.0.253:1645, id=10, length=157
>         User-Name = [EMAIL PROTECTED]
>         Framed-MTU = 1400
>         Called-Station-Id = 0002.8a21.1129
>         Calling-Station-Id = 000f.3d87.543f
>         NAS-Port-Type = Wireless-802.11
>         Message-Authenticator = 0xa3d8d84921101a1ae828ca990746dab1
>         EAP-Message = 0x0201001a01616e6f6e796d6f7573406575726f7475782e636f6d
>         NAS-Port-Type = Virtual
>         NAS-Port = 20
>         Service-Type = Login-User
>         NAS-IP-Address = 192.168.0.253
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module preprocess returns ok for request 0
> radius_xlat: '/var/log/radius/radacct/192.168.0.253/auth-detail-20040616'
> rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.0.253/auth-detail-20040616
>   modcall[authorize]: module auth_log returns ok for request 0
>     rlm_realm: Looking up realm eurotux.com for User-Name = [EMAIL PROTECTED]
>     rlm_realm: Found realm eurotux.com
>     rlm_realm: Adding Stripped-User-Name = anonymous
>     rlm_realm: Proxying request from user anonymous to realm eurotux.com
>     rlm_realm: Adding Realm = eurotux.com
>     rlm_realm: Authentication realm is LOCAL.
>   modcall[authorize]: module suffix returns noop for request 0
>   rlm_eap: EAP packet type response id 1 length 26
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module eap returns updated for request 0
>   modcall[authorize]: module files returns notfound for request 0
> modcall: group authorize returns updated for request 0
>   rad_check_password: Found Auth-Type EAP
> auth: type EAP
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
>   rlm_eap: EAP Identity
>   rlm_eap: processing type tls
>   rlm_eap_tls: Initiate
>   rlm_eap_tls: Start returned 1
>   modcall[authenticate]: module eap returns handled for request 0
> modcall: group authenticate returns handled for request 0
> Sending Access-Challenge of id 10 to 192.168.0.253:1645
>         EAP-Message = 0x010200061520
>         Message-Authenticator = 0x
>         State = 0x41fe77eda11d1a9b9c7fa714fd945f6e
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 192.168.0.253:1645, id=11, length=209
>         User-Name = [EMAIL PROTECTED]
>         Framed-MTU = 1400
>         Called-Station-Id = 0002.8a21.1129
>         Calling-Station-Id = 000f.3d87.543f
>         NAS-Port-Type = Wireless-802.11
>         Message-Authenticator = 0x13fa184ce90d2922912773ddc1189ee5
>         EAP-Message = 0x0202003c15800032160301002d012903017803310085f1af3aaa504b75c9a1e5942f5e4cdcdd3b5d06f7548d8550ad020f02000a0100
>         NAS-Port-Type = Virtual
>         NAS-Port = 20
>         State = 0x41fe77eda11d1a9b9c7fa714fd945f6e
>         Service-Type = Login-User
>         NAS-IP-Address = 192.168.0.253
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 1
>   modcall[authorize]: module preprocess returns ok for request 1
> radius_xlat: '/var/log/radius/radacct/192.168.0.253/auth-detail-20040616'
> rlm_detail: /var/log/radius/radacct/%{Client-IP
Re: TTLS + Cisco AP1100
The problem seems to be here..

  modcall[authorize]: module auth_log returns ok for request 4
    rlm_realm: Looking up realm eurotux.com for User-Name = [EMAIL PROTECTED]
    rlm_realm: Found realm eurotux.com
    rlm_realm: Adding Stripped-User-Name = User1
    rlm_realm: Proxying request from user User1 to realm eurotux.com
    rlm_realm: Adding Realm = eurotux.com
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 4
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 4
  modcall[authorize]: module files returns notfound for request 4
modcall: group authorize returns ok for request 4
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
  TTLS: Got tunneled Access-Reject
  rlm_eap: Handler failed in EAP/ttls
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module eap returns invalid for request 4
modcall: group authenticate returns invalid for request 4
auth: Failed to validate the user.
Delaying request 4 for 1 seconds

Any suggestions?

Thanks
Nuno Fernandes

On Wed, 2004-06-16 at 09:47, Nuno Miguel Pais Fernandes wrote:
> Ooopps.. I do see User1.. but I see [EMAIL PROTECTED]
>
> How do I rewrite it to remove realm so there is a match at users file?
>
> Thanks
> Nuno Fernandes
>
> On Wed, 2004-06-16 at 09:36, Nuno Miguel Pais Fernandes wrote:
> > Hello,
> >
> > I'm having problems authenticating windows XP clients using EAP-TTLS (I'm using Securew2 plugin) with Freeradius-1.0.0-pre2. In logs I only see outer authentication [EMAIL PROTECTED]. Can anyone have it working?
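The radiusd -X output quoted in this thread shows the EAP conversation only as hex EAP-Message values, and the question of which identity the server sees at the outer layer is answered by decoding them. The block below is an added example written for this page, not FreeRADIUS code: it decodes one EAP-Message value per RFC 3748 (code, id, length, type) and, for the TLS-based types, the flags byte and optional TLS length per RFC 5281, and it checks the declared length against the bytes actually present. The sample inputs are copied from the log lines above; the identity response decodes to the anonymous outer identity, the Access-Challenge value is a bare EAP-TTLS start, and the longer TTLS response as archived here is shorter than its own length field says, which the decoder reports instead of silently reading past the end. The function and dictionary names are this example's own.

```python
"""Decode EAP-Message attribute values as radiusd -X prints them (0x + hex).

Added example, not FreeRADIUS code. Layout per RFC 3748 (EAP header) and
RFC 5281 (EAP-TTLS flags byte); the same flags layout is used by EAP-TLS
and PEAP, so those types are decoded the same way.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_BASED_TYPES = {13, 21, 25}


def decode_eap_message(hexstr: str) -> dict:
    """Return a dict describing one EAP packet given its log value."""
    raw = bytes.fromhex(hexstr[2:] if hexstr[:2].lower() == "0x" else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes, got %d" % len(raw))
    code, ident, length = struct.unpack("!BBH", raw[:4])
    info = {
        "code": EAP_CODES.get(code, "Unknown(%d)" % code),
        "id": ident,
        "declared_length": length,
        "actual_length": len(raw),
        # Never trust the length field: a NAS, a fragmenting proxy or an
        # archive that mangled the line will show up as a mismatch here.
        "truncated": length != len(raw),
    }
    if code in (3, 4) or len(raw) == 4:
        return info                      # Success/Failure carry no type byte
    eap_type = raw[4]
    info["type"] = EAP_TYPES.get(eap_type, "Unknown(%d)" % eap_type)
    body = raw[5:]
    if eap_type == 1:
        # Identity response: the outer identity the supplicant sent. With
        # TTLS/PEAP this is normally an anonymous@realm placeholder, so the
        # real user name only exists inside the tunnel, never at this layer.
        info["identity"] = body.decode("utf-8", errors="replace")
    elif eap_type in TLS_BASED_TYPES:
        if not body:
            raise ValueError("TLS-based EAP type without a flags byte")
        flags = body[0]
        info["flags"] = {"L": bool(flags & 0x80),   # TLS length field present
                         "M": bool(flags & 0x40),   # more fragments follow
                         "S": bool(flags & 0x20)}   # start of conversation
        pos = 1
        if flags & 0x80:
            if len(body) < 5:
                raise ValueError("L flag set but no 4-byte TLS length present")
            info["tls_message_length"] = struct.unpack("!I", body[1:5])[0]
            pos = 5
        info["tls_data"] = body[pos:]
    return info


# Sample values copied from the log lines quoted in this thread.
SAMPLES = [
    "0x0201001a01616e6f6e796d6f7573406575726f7475782e636f6d",   # outer identity
    "0x010200061520",                                            # TTLS start
    "0x04050004",                                                # EAP-Failure
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(value, "->", decode_eap_message(value))
```

Reading the first sample is the quickest way to confirm what the outer layer shows: the identity field is the anonymous outer name, so a users-file entry keyed on the real user can only match in the tunneled (inner) request, which is the one rlm_realm and the files module are evaluating in the "request 4" log above.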