Re: Ntlm problem with peap

2004-08-31 Thread Nuno Miguel Pais Fernandes
Hi,

Running 1.0.0 on dual Intel, so little-endian.
Apparently the challenge or NT-Response is being generated wrongly, or it's
a bug in ntlm_auth.

rpm -qif /usr/bin/ntlm_auth
Name: samba-common
Version : 3.0.2

Any ideas? Is there any workaround to have PEAP with MSCHAPv2 working
without ntlm?

Thanks
Nuno Fernandes

On Mon, 2004-08-30 at 19:43, Alan DeKok wrote:
 Nuno Miguel Pais Fernandes [EMAIL PROTECTED] wrote:
  I'm having problems using FreeRADIUS with PEAP and NTLM.
 
   If you're running on a big endian machine, there's a bug in
 src/lib/md4.c which breaks MS-CHAP, and therefore PEAP.
 
   We hope to release 1.0.1 soon, to address this issue.
 
   Alan DeKok.
 
 
 - 
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- 
Nuno Miguel Pais Fernandes [EMAIL PROTECTED]




Re: Ntlm problem with peap

2004-08-31 Thread Nuno Miguel Pais Fernandes
Hi again,

On Tue, 2004-08-31 at 15:49, Alan DeKok wrote:
 Nuno Miguel Pais Fernandes [EMAIL PROTECTED] wrote:
  Running 1.0.0 on dual Intel, so little-endian.
  Apparently the challenge or NT-Response is being generated wrongly, or it's
  a bug in ntlm_auth.
 
   I've been running it on an x86 for a while, and I haven't seen any
 problems like that.

Do you suspect problems in the xlat or in the Microsoft supplicant?

 
  Any ideas? Is there any workaround to have PEAP with MSCHAPv2 working
  without ntlm?
 
   Yes, supply a clear-text, or NT-Password.

I don't have the clear-text password but I do have NT-Password (unfortunately
in LDAP and not starting with 0x). Could it work?

Thanks for all the help.
Nuno Fernandes

 
   Alan DeKok.
 
 
-- 
Nuno Miguel Pais Fernandes [EMAIL PROTECTED]




TTLS + Cisco AP1100

2004-06-16 Thread Nuno Miguel Pais Fernandes
]: module suffix returns noop for request 4
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 4
  modcall[authorize]: module files returns notfound for request 4
modcall: group authorize returns ok for request 4
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
  TTLS: Got tunneled Access-Reject
 rlm_eap: Handler failed in EAP/ttls
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module eap returns invalid for request 4
modcall: group authenticate returns invalid for request 4
auth: Failed to validate the user.
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.253:1645, id=14,
length=236
Sending Access-Reject of id 14 to 192.168.0.253:1645
EAP-Message = 0x04050004
Message-Authenticator = 0x
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 10 with timestamp 40d004fc
Cleaning up request 1 ID 11 with timestamp 40d004fc
Cleaning up request 2 ID 12 with timestamp 40d004fc
Cleaning up request 3 ID 13 with timestamp 40d004fc
Cleaning up request 4 ID 14 with timestamp 40d004fc
Nothing to do.  Sleeping until we see a request.


-- 
Nuno Miguel Pais Fernandes [EMAIL PROTECTED]




Re: TTLS + Cisco AP1100

2004-06-16 Thread Nuno Miguel Pais Fernandes
Oops...

I do see User1, but I see [EMAIL PROTECTED]

How do I rewrite it to remove the realm so there is a match in the users file?

Thanks
Nuno Fernandes

On Wed, 2004-06-16 at 09:36, Nuno Miguel Pais Fernandes wrote:
 Hello,
 
 I'm having problems authenticating Windows XP clients using EAP-TTLS
 (I'm using the SecureW2 plugin) with FreeRADIUS 1.0.0-pre2.
 
 In the logs I only see the outer authentication [EMAIL PROTECTED].
 Does anyone have it working?
 Thanks
 
 Nuno Fernandes
 
 Freeradius config:
 eap {
         default_eap_type = ttls
         timer_expire = 60
         ignore_unknown_eap_types = no
         cisco_accounting_username_bug = no
 
         md5 {
         }
 
         tls {
                 private_key_password = whatever
                 private_key_file = ${raddbdir}/certs/cert-srv.pem
 
                 certificate_file = ${raddbdir}/certs/cert-srv.pem
                 CA_file = ${raddbdir}/certs/demoCA/cacert.pem
                 dh_file = ${raddbdir}/certs/dh
                 random_file = ${raddbdir}/certs/random
                 fragment_size = 1024
                 include_length = yes
         }
         #
         ttls {
                 #default_eap_type = md5
                 #copy_request_to_tunnel = no
                 use_tunneled_reply = yes
         }
 
         peap {
                 default_eap_type = mschapv2
         }
 
         mschapv2 {
         }
 }
 
 
 Users File:
 User1   User-Password == passwd1
         Tunnel-Type:0 = VLAN,
         Tunnel-Medium-Type:0 = IEEE-802,
         Tunnel-Private-Group-Id:0 = 4
 
 
 
 
 Freeradius logs show:
 
 rad_recv: Access-Request packet from host 192.168.0.253:1645, id=10,
 length=157
 User-Name = [EMAIL PROTECTED]
 Framed-MTU = 1400
 Called-Station-Id = 0002.8a21.1129
 Calling-Station-Id = 000f.3d87.543f
 NAS-Port-Type = Wireless-802.11
 Message-Authenticator = 0xa3d8d84921101a1ae828ca990746dab1
 EAP-Message =
 0x0201001a01616e6f6e796d6f7573406575726f7475782e636f6d
 NAS-Port-Type = Virtual
 NAS-Port = 20
 Service-Type = Login-User
 NAS-IP-Address = 192.168.0.253
   Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 0
   modcall[authorize]: module preprocess returns ok for request 0
 radius_xlat: 
 '/var/log/radius/radacct/192.168.0.253/auth-detail-20040616'
 rlm_detail:
 /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
 to /var/log/radius/radacct/192.168.0.253/auth-detail-20040616
   modcall[authorize]: module auth_log returns ok for request 0
 rlm_realm: Looking up realm eurotux.com for User-Name =
 [EMAIL PROTECTED]
 rlm_realm: Found realm eurotux.com
 rlm_realm: Adding Stripped-User-Name = anonymous
 rlm_realm: Proxying request from user anonymous to realm eurotux.com
 rlm_realm: Adding Realm = eurotux.com
 rlm_realm: Authentication realm is LOCAL.
   modcall[authorize]: module suffix returns noop for request 0
   rlm_eap: EAP packet type response id 1 length 26
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module eap returns updated for request 0
   modcall[authorize]: module files returns notfound for request 0
 modcall: group authorize returns updated for request 0
   rad_check_password:  Found Auth-Type EAP
 auth: type EAP
   Processing the authenticate section of radiusd.conf
 modcall: entering group authenticate for request 0
   rlm_eap: EAP Identity
   rlm_eap: processing type tls
   rlm_eap_tls: Initiate
   rlm_eap_tls: Start returned 1
   modcall[authenticate]: module eap returns handled for request 0
 modcall: group authenticate returns handled for request 0
 Sending Access-Challenge of id 10 to 192.168.0.253:1645
 EAP-Message = 0x010200061520
 Message-Authenticator = 0x
 State = 0x41fe77eda11d1a9b9c7fa714fd945f6e
 Finished request 0
 Going to the next request
 --- Walking the entire request list ---
 Waking up in 6 seconds...
 rad_recv: Access-Request packet from host 192.168.0.253:1645, id=11,
 length=209
 User-Name = [EMAIL PROTECTED]
 Framed-MTU = 1400
 Called-Station-Id = 0002.8a21.1129
 Calling-Station-Id = 000f.3d87.543f
 NAS-Port-Type = Wireless-802.11
 Message-Authenticator = 0x13fa184ce90d2922912773ddc1189ee5
 EAP-Message =
 0x0202003c15800032160301002d012903017803310085f1af3aaa504b75c9a1e5942f5e4cdcdd3b5d06f7548d8550ad020f02000a0100
 NAS-Port-Type = Virtual
 NAS-Port = 20
 State = 0x41fe77eda11d1a9b9c7fa714fd945f6e
 Service-Type = Login-User
 NAS-IP-Address = 192.168.0.253
   Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 1
   modcall[authorize]: module preprocess returns ok for request 1
 radius_xlat: 
 '/var/log/radius/radacct/192.168.0.253/auth-detail-20040616'
 rlm_detail:
 /var/log/radius/radacct/%{Client-IP
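
The EAP-Message values in the debug output above are much easier to read decoded. The Python below is an added example, not code from this thread or from FreeRADIUS: it parses EAP-Message hex dumps per RFC 3748 (code, identifier, length, type), the Identity payload, and the flags byte of the TLS-based types (EAP-TLS, EAP-TTLS, PEAP), and it pulls the values out of radiusd -X text, including the case above where "EAP-Message =" and its value ended up on two separate lines. It also cross-checks the length fields: the Access-Request of id 11 (the one carrying the TLS ClientHello) has fewer bytes in the quoted log than its EAP header declares, and its TLS length field does not agree with the EAP length, so the decoder reports it as a wrapped or garbled dump instead of decoding it as if it were intact. SAMPLE_LOG is copied from the output quoted above with the User-Name lines left out.

```python
"""Decode EAP-Message values from radiusd -X output (added example, not
FreeRADIUS code).  Layout per RFC 3748; the flags byte is shared by EAP-TLS,
EAP-TTLS and PEAP."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}
TLS_BASED = {13, 21, 25}  # first payload byte is the L/M/S flags byte


@dataclass
class EapMessage:
    code: int
    identifier: int
    length: int                      # length declared in the EAP header
    present: int                     # bytes actually present in the dump
    eap_type: Optional[int] = None   # None for Success/Failure
    identity: Optional[str] = None   # Identity response payload
    tls_flags: Optional[int] = None  # L=0x80 length included, M=0x40 more, S=0x20 start
    tls_total_length: Optional[int] = None
    notes: List[str] = field(default_factory=list)

    @property
    def truncated(self) -> bool:
        return self.present < self.length

    def describe(self) -> str:
        s = "%s id=%d len=%d" % (EAP_CODES.get(self.code, str(self.code)), self.identifier, self.length)
        if self.eap_type is not None:
            s += " " + EAP_TYPES.get(self.eap_type, "type %d" % self.eap_type)
        if self.identity is not None:
            s += " identity=%r" % self.identity
        if self.tls_flags is not None:
            s += " flags=" + "".join(ch if self.tls_flags & bit else "-"
                                     for ch, bit in (("L", 0x80), ("M", 0x40), ("S", 0x20)))
        return s + (" [" + "; ".join(self.notes) + "]" if self.notes else "")


def parse_eap_message(hexvalue: str) -> EapMessage:
    h = hexvalue.strip()
    h = h[2:] if h[:2].lower() == "0x" else h
    if len(h) % 2:
        h = h[:-1]                   # dump cut mid-byte: keep only the whole bytes
    raw = bytes.fromhex(h)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes, got %d" % len(raw))
    length = int.from_bytes(raw[2:4], "big")
    msg = EapMessage(raw[0], raw[1], length, len(raw))
    if msg.truncated:
        msg.notes.append("header declares %d bytes, only %d present (wrapped or garbled dump)"
                         % (length, len(raw)))
    if msg.code in (3, 4) or length < 5 or len(raw) < 5:
        return msg                   # Success/Failure carry no Type byte
    msg.eap_type = raw[4]
    body = raw[5:length]
    if msg.eap_type == 1:
        msg.identity = body.decode("utf-8", errors="replace")
    elif msg.eap_type in TLS_BASED and body:
        msg.tls_flags = body[0]
        if msg.tls_flags & 0x80:
            msg.tls_total_length = int.from_bytes(body[1:5], "big")
            # Unfragmented (no M bit): TLS length must equal EAP length minus the
            # 10 header bytes (4 EAP + type + flags + 4-byte length).
            if not msg.tls_flags & 0x40 and msg.tls_total_length != length - 10:
                msg.notes.append("TLS length field %d disagrees with EAP length %d"
                                 % (msg.tls_total_length, length))
    return msg


_EAP_LINE = re.compile(r"EAP-Message\s*=\s*(0x[0-9A-Fa-f]+)?\s*$")
_HEX_LINE = re.compile(r"^0x[0-9A-Fa-f]+$")


def extract_eap_messages(log_text: str) -> List[str]:
    """EAP-Message values from debug text; joins 'EAP-Message =' with a value
    that wrapped onto the next line, as in the output quoted above."""
    lines, found = log_text.splitlines(), []
    for i, line in enumerate(lines):
        m = _EAP_LINE.search(line)
        if not m:
            continue
        value = m.group(1)
        if value is None and i + 1 < len(lines) and _HEX_LINE.match(lines[i + 1].strip()):
            value = lines[i + 1].strip()
        if value is not None:
            found.append(value)
    return found


def decode_log(log_text: str) -> List[str]:
    return [parse_eap_message(v).describe() for v in extract_eap_messages(log_text)]


# Copied from the debug output quoted above (User-Name lines omitted).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.0.253:1645, id=10, length=157
EAP-Message =
0x0201001a01616e6f6e796d6f7573406575726f7475782e636f6d
Sending Access-Challenge of id 10 to 192.168.0.253:1645
EAP-Message = 0x010200061520
rad_recv: Access-Request packet from host 192.168.0.253:1645, id=11, length=209
EAP-Message =
0x0202003c15800032160301002d012903017803310085f1af3aaa504b75c9a1e5942f5e4cdcdd3b5d06f7548d8550ad020f02000a0100
Sending Access-Reject of id 14 to 192.168.0.253:1645
EAP-Message = 0x04050004
"""

if __name__ == "__main__":
    for entry in decode_log(SAMPLE_LOG):
        print(entry)
```

Run against the quoted output this shows the outer conversation plainly: the client's Identity response is "anonymous@eurotux.com" (so the suffix module sees "anonymous", not the real user, on the outer request, which is exactly what EAP-TTLS intends), the server answers with a TTLS Start (flags S), and the final packet is an EAP Failure. Only the inner, tunneled request carries the real User-Name, which is where the realm stripping and the users file match have to happen.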

Re: TTLS + Cisco AP1100

2004-06-16 Thread Nuno Miguel Pais Fernandes
The problem seems to be here:

  modcall[authorize]: module auth_log returns ok for request 4
rlm_realm: Looking up realm eurotux.com for User-Name =
[EMAIL PROTECTED]
rlm_realm: Found realm eurotux.com
rlm_realm: Adding Stripped-User-Name = User1
rlm_realm: Proxying request from user User1 to realm eurotux.com
rlm_realm: Adding Realm = eurotux.com
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 4
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 4
  modcall[authorize]: module files returns notfound for request 4
modcall: group authorize returns ok for request 4
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
  TTLS: Got tunneled Access-Reject
 rlm_eap: Handler failed in EAP/ttls
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module eap returns invalid for request 4
modcall: group authenticate returns invalid for request 4
auth: Failed to validate the user.
Delaying request 4 for 1 seconds


Any suggestions?
Thanks
Nuno Fernandes

On Wed, 2004-06-16 at 09:47, Nuno Miguel Pais Fernandes wrote:
 Oops...
 
 I do see User1, but I see [EMAIL PROTECTED]
 
 How do I rewrite it to remove the realm so there is a match in the users file?
 
 Thanks
 Nuno Fernandes
 
 On Wed, 2004-06-16 at 09:36, Nuno Miguel Pais Fernandes wrote:
  Hello,
  
  I'm having problems authenticating Windows XP clients using EAP-TTLS
  (I'm using the SecureW2 plugin) with FreeRADIUS 1.0.0-pre2.
  
  In the logs I only see the outer authentication [EMAIL PROTECTED].
  Does anyone have it working?
  Thanks
  
  Nuno Fernandes
  
  Freeradius config:
  eap {
          default_eap_type = ttls
          timer_expire = 60
          ignore_unknown_eap_types = no
          cisco_accounting_username_bug = no
  
          md5 {
          }
  
          tls {
                  private_key_password = whatever
                  private_key_file = ${raddbdir}/certs/cert-srv.pem
  
                  certificate_file = ${raddbdir}/certs/cert-srv.pem
                  CA_file = ${raddbdir}/certs/demoCA/cacert.pem
                  dh_file = ${raddbdir}/certs/dh
                  random_file = ${raddbdir}/certs/random
                  fragment_size = 1024
                  include_length = yes
          }
          #
          ttls {
                  #default_eap_type = md5
                  #copy_request_to_tunnel = no
                  use_tunneled_reply = yes
          }
  
          peap {
                  default_eap_type = mschapv2
          }
  
          mschapv2 {
          }
  }
  
  
  Users File:
  User1   User-Password == passwd1
          Tunnel-Type:0 = VLAN,
          Tunnel-Medium-Type:0 = IEEE-802,
          Tunnel-Private-Group-Id:0 = 4
  
  
  
  
  Freeradius logs show:
  
  rad_recv: Access-Request packet from host 192.168.0.253:1645, id=10,
  length=157
  User-Name = [EMAIL PROTECTED]
  Framed-MTU = 1400
  Called-Station-Id = 0002.8a21.1129
  Calling-Station-Id = 000f.3d87.543f
  NAS-Port-Type = Wireless-802.11
  Message-Authenticator = 0xa3d8d84921101a1ae828ca990746dab1
  EAP-Message =
  0x0201001a01616e6f6e796d6f7573406575726f7475782e636f6d
  NAS-Port-Type = Virtual
  NAS-Port = 20
  Service-Type = Login-User
  NAS-IP-Address = 192.168.0.253
Processing the authorize section of radiusd.conf
  modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
  radius_xlat: 
  '/var/log/radius/radacct/192.168.0.253/auth-detail-20040616'
  rlm_detail:
  /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
  to /var/log/radius/radacct/192.168.0.253/auth-detail-20040616
modcall[authorize]: module auth_log returns ok for request 0
  rlm_realm: Looking up realm eurotux.com for User-Name =
  [EMAIL PROTECTED]
  rlm_realm: Found realm eurotux.com
  rlm_realm: Adding Stripped-User-Name = anonymous
  rlm_realm: Proxying request from user anonymous to realm eurotux.com
  rlm_realm: Adding Realm = eurotux.com
  rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: EAP packet type response id 1 length 26
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 0
modcall[authorize]: module files returns notfound for request 0
  modcall: group authorize returns updated for request 0
rad_check_password:  Found Auth-Type EAP
  auth: type EAP
Processing the authenticate section of radiusd.conf
  modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module eap returns handled for request 0
  modcall: group