Re: Validate server certificate problem

2011-08-09 Thread Petar Marinkovic
They are, it's part of our default domain policy.

On Tue, Aug 9, 2011 at 20:29, Sallee, Stephen (Jake) wrote:

>  > Windows clients are on the domain, so the user cert and the CA are
> added by default when you join the machine to the domain
>
> That is true so long as you are using a self-signed cert assigned by your
> enterprise CA.  We had this same issue and we had to manually import the
> cert to get it to work.  Our computers are on a Windows AD Domain.  Hope
> that helps.
>
> Jake Sallee
>
> Godfather of Bandwidth
>
> System Engineer
>
> University of Mary Hardin-Baylor
>
> 900 College St.
>
> Belton, Texas
>
> 76513
>
> Fone: 254-295-4658
>
> Phax: 254-295-4221
>
> *From:* freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org *On Behalf Of* Petar Marinkovic
> *Sent:* Tuesday, August 09, 2011 12:17 PM
> *To:* FreeRadius users mailing list
> *Subject:* Re: Validate server certificate problem
>
> Windows clients are on the domain, so the user cert and the CA are added by
> default when you join the machine to the domain
>
> On Tue, Aug 9, 2011 at 18:29, Sallee, Stephen (Jake) wrote:
>
> I believe you need to install the server cert and any intermediate certs on
> the client before the validate server cert option will work.
>
>  
>
> Jake Sallee
>
> Godfather of Bandwidth
>
> System Engineer
>
> University of Mary Hardin-Baylor
>
> 900 College St.
>
> Belton, Texas
>
> 76513
>
> Fone: 254-295-4658
>
> Phax: 254-295-4221
>
>  
>
> *From:* freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org *On Behalf Of* Petar Marinkovic
> *Sent:* Tuesday, August 09, 2011 11:16 AM
> *To:* freeradius-users@lists.freeradius.org
> *Subject:* Validate server certificate problem
>
>  
>
> I've set up the latest version of FreeRadius from source on Ubuntu, and I
> cannot get EAP-TLS and PEAP to work when the option "Validate server
> certificate" is on. We're using a Windows CA to be able to auth users on the
> domain. I saw this old article
> http://lists.freeradius.org/mailman/htdig/freeradius-users/2006-October/msg00515.html
> on how to generate a server certificate, but it fails for me both ways.
>
> The 1st fails because of a missing template on the Windows CA - how do I
> create the template to match what freeradius needs?
>
> The 2nd fails with the following error: "CA certificate and CA private key
> do not match"
>
> 2634:error:0B080074:x509 certificate routines:X509_check_private_key:key
> values mismatch:x509_cmp.c:406:
>
> That's strange, because the CA cert and CA private key are in the same file
> (as noted in the text) and I didn't mistake the password (since I followed
> the message blindly, with the same password).
>
> When I untick "Validate server certificate" on the Windows clients (XP,
> Windows 7) I'm able to connect with both EAP-TLS and PEAP.
>
> Any help is appreciated, thanks in advance.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Validate server certificate problem

2011-08-09 Thread Petar Marinkovic
Windows clients are on the domain, so the user cert and the CA are added by
default when you join the machine to the domain

On Tue, Aug 9, 2011 at 18:29, Sallee, Stephen (Jake) wrote:

>  I believe you need to install the server cert and any intermediate certs
> on the client before the validate server cert option will work.
>
> Jake Sallee
>
> Godfather of Bandwidth
>
> System Engineer
>
> University of Mary Hardin-Baylor
>
> 900 College St.
>
> Belton, Texas
>
> 76513
>
> Fone: 254-295-4658
>
> Phax: 254-295-4221
>
> *From:* freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org *On Behalf Of* Petar Marinkovic
> *Sent:* Tuesday, August 09, 2011 11:16 AM
> *To:* freeradius-users@lists.freeradius.org
> *Subject:* Validate server certificate problem
>
> I've set up the latest version of FreeRadius from source on Ubuntu, and I
> cannot get EAP-TLS and PEAP to work when the option "Validate server
> certificate" is on. We're using a Windows CA to be able to auth users on the
> domain. I saw this old article
> http://lists.freeradius.org/mailman/htdig/freeradius-users/2006-October/msg00515.html
> on how to generate a server certificate, but it fails for me both ways.
>
> The 1st fails because of a missing template on the Windows CA - how do I
> create the template to match what freeradius needs?
>
> The 2nd fails with the following error: "CA certificate and CA private key
> do not match"
>
> 2634:error:0B080074:x509 certificate routines:X509_check_private_key:key
> values mismatch:x509_cmp.c:406:
>
> That's strange, because the CA cert and CA private key are in the same file
> (as noted in the text) and I didn't mistake the password (since I followed
> the message blindly, with the same password).
>
> When I untick "Validate server certificate" on the Windows clients (XP,
> Windows 7) I'm able to connect with both EAP-TLS and PEAP.
>
> Any help is appreciated, thanks in advance.
>

Validate server certificate problem

2011-08-09 Thread Petar Marinkovic
I've set up the latest version of FreeRadius from source on Ubuntu, and I
cannot get EAP-TLS and PEAP to work when the option "Validate server
certificate" is on. We're using a Windows CA to be able to auth users on the
domain. I saw this old article
http://lists.freeradius.org/mailman/htdig/freeradius-users/2006-October/msg00515.html
on how to generate a server certificate, but it fails for me both ways.
The 1st fails because of a missing template on the Windows CA - how do I
create the template to match what freeradius needs?
The 2nd fails with the following error: "CA certificate and CA private key do
not match"
2634:error:0B080074:x509 certificate routines:X509_check_private_key:key
values mismatch:x509_cmp.c:406:
That's strange, because the CA cert and CA private key are in the same file
(as noted in the text) and I didn't mistake the password (since I followed the
message blindly, with the same password).

When I untick "Validate server certificate" on the Windows clients (XP,
Windows 7) I'm able to connect with both EAP-TLS and PEAP.

Any help is appreciated, thanks in advance.

Re: TTLS to require client cert

2009-07-15 Thread Petar Marinkovic
Yes, it does, but something isn't working; it is just not checking the
client certificate.

On 07/15/2009, Ivan Kalik  wrote:
>> Hi all, I need help once again. I want TTLS to require a client cert. I put
>> EAP-TLS-Require-client-cert = YES in the ttls { } part of eap.conf but it's
>> not working. What am I doing wrong here?
>
> What isn't working? Freeradius can request a certificate - does your
> supplicant support that?
>


TTLS to require client cert

2009-07-15 Thread Petar Marinkovic
Hi all, I need help once again. I want TTLS to require a client cert. I put
EAP-TLS-Require-client-cert = YES in the ttls { } part of eap.conf but it's
not working. What am I doing wrong here?

RE: EAP-TTLS (PAP) with Win2K3 domain not working

2009-06-26 Thread Petar Marinkovic
The thing is that a colleague has software, developed by his company (I
cannot disclose which one), that can test EAP-GTC, and that works. And the
thing is, when he tries to connect to the freeradius server I set up, he
cannot auth with a domain username and password. He can auth with EAP-TLS,
EAP-TTLS with PAP, EAP-mschapv1 and EAP-mschapv2, and the only thing left to
try is EAP-GTC. So my question is, what needs to be done on the server side
to make that happen?

This is the server output:

[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/gtc
[eap] processing type gtc
[gtc] +- entering group PAP {...}
[pap] login attempt with password "testpass"
[pap] No password configured for the user.  Cannot do authentication
++[pap] returns fail
[eap] Handler failed in EAP/gtc
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
} # server inner-tunnel
[ttls] Got tunneled reply code 3
EAP-Message = 0x04030004
Message-Authenticator = 0x
[ttls] Got tunneled Access-Reject
  SSL: Removing session 28767d93f75a91c5975ff5a5bb2862e3703de9c700b7e4e1a6db061068d2a37a from the cache

[eap] Handler failed in EAP/ttls
rlm_eap_ttls: Freeing handler for user test
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> Anonymous
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated

So my question is, what needs to be set up in order to make eap-gtc work with
a win2k3 domain?

Thanks once again, you've been most helpful

Cheers,

Petar

On Fri, Jun 26, 2009 at 14:10, Ivan Kalik  wrote:

> > All of this is for testing purposes. So, I just need all of those methods
> > to
> > work, if it can't work with domain, then cleartext password will be fine.
> > Can you give me some more info about setting up TTLS-GTC, testing is being
> > done on Windows XP. Also, for EAP-TTLS with chap, enabling the user is
> > enough, right?
>
> Every method that works with passwords will work with Cleartext-Password
> in users file. Working with encrypted passwords is restricting choice.
>
> wpa_supplicant has a Windows port. It should work with all the mentioned
> protocols. For download and documentation (installation, configuration)
> look up their site. Their testing tool (eapol_test) is used extensively by
> freeradius developers for testing EAP protocols without the hardware.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>

Re: EAP-TTLS (PAP) with Win2K3 domain not working

2009-06-26 Thread Petar Marinkovic
Hi Ivan,

All of this is for testing purposes. So, I just need all of those methods to
work, if it can't work with the domain, then a cleartext password will be fine.
Can you give me some more info about setting up TTLS-GTC? Testing is being
done on Windows XP. Also, for EAP-TTLS with chap, enabling the user is enough,
right?

Sorry if some of my questions don't make sense, still new to all of this

On Fri, Jun 26, 2009 at 13:44, Ivan Kalik  wrote:

> > What's left for me, I would like to authenticate users in domain with
> LEAP
> > and TTLS-GTC.
>
> Leap is rubbish and shouldn't be used ("Cisco LEAP, similar to WEP, has
> had well-known security weaknesses since 2003 involving offline password
> cracking."). For TTLS-GTC all you need is a supplicant that supports it. I
> know only of wpa_supplicant.
>
> > Also, what's needed to make EAP-TTLS with CHAP work?
>
> Supplicant that supports it.
>
> > I know you can't use ntlm_auth for that, so what do I need to put inside
> > the users file? Will creating a test user, for example,
> > test Cleartext-Password := "test", work?
>
> Yes, chap can't be made to work with AD; it will work fine with clear
> passwords in users file. But storing passwords in several places (AD,
> users file, ...) is a bit of an administration nightmare. With AD you tend
> to change passwords every 6 weeks - how are you going to keep other
> passwords in sync?
>
> Ivan Kalik
> Kalik Informatika ISP
>
>

Re: EAP-TTLS (PAP) with Win2K3 domain not working

2009-06-26 Thread Petar Marinkovic
Ok, that works, many thanks for this :)

What's left for me, I would like to authenticate users in the domain with LEAP
and TTLS-GTC. Also, what's needed to make EAP-TTLS with CHAP work? I know
you can't use ntlm_auth for that, so what do I need to put inside the users
file? Will creating a test user, for example, test Cleartext-Password := "test",
work?


On Fri, Jun 26, 2009 at 11:43, Petar Marinkovic  wrote:

> Ah yes, now it started, thanks a lot. Will see if now EAP-TTLS with PAP
> works.
>
> Thanks a lot mate, you saved my life (for now :)
>
> Cheers,
>
> Petar
>
>
> On Fri, Jun 26, 2009 at 11:38, Ivan Kalik  wrote:
>
>> > Similar error, again when the server is starting
>> >
>> > Module: Linked to module rlm_files
>> >  Module: Instantiating files
>> >   files {
>> > usersfile = "/etc/freeradius/users"
>> > acctusersfile = "/etc/freeradius/acct_users"
>> > preproxy_usersfile = "/etc/freeradius/preproxy_users"
>> > compat = "no"
>> >   }
>> > /etc/freeradius/sites-enabled/inner-tunnel[157]: ERROR: Unknown value
>> > ntlm_auth_pap for attribute Auth-Type
>>
>> You haven't listed ntlm_auth_pap in authenticate section of inner-tunnel
>> virtual server.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>>
>

Re: EAP-TTLS (PAP) with Win2K3 domain not working

2009-06-26 Thread Petar Marinkovic
Ah yes, now it started, thanks a lot. Will see if now EAP-TTLS with PAP
works.

Thanks a lot mate, you saved my life (for now :)

Cheers,

Petar

On Fri, Jun 26, 2009 at 11:38, Ivan Kalik  wrote:

> > Similar error, again when the server is starting
> >
> > Module: Linked to module rlm_files
> >  Module: Instantiating files
> >   files {
> > usersfile = "/etc/freeradius/users"
> > acctusersfile = "/etc/freeradius/acct_users"
> > preproxy_usersfile = "/etc/freeradius/preproxy_users"
> > compat = "no"
> >   }
> > /etc/freeradius/sites-enabled/inner-tunnel[157]: ERROR: Unknown value
> > ntlm_auth_pap for attribute Auth-Type
>
> You haven't listed ntlm_auth_pap in authenticate section of inner-tunnel
> virtual server.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>

Re: EAP-TTLS (PAP) with Win2K3 domain not working

2009-06-26 Thread Petar Marinkovic
Yes, I reverted the authenticate part to

Auth-Type PAP {
pap
}


On Fri, Jun 26, 2009 at 11:26, Ivan Kalik  wrote:

> > Sorry, I just c/p that line from the other link
> >
> > here is mine
> >
> > exec ntlm_auth_pap {
> >     wait = yes
> >     input_pairs = request
> >     shell_escape = yes
> >     output = none
> >     program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXCHANGE
> >     --username=%{mschap:User-Name} --password=%{User-Password}"
> > }
> >
> > should the domain field be the pre-Windows 2000/NT name or the FQDN
> > (domain.com)?
> >
> > Also, I didn't get you quite well, I am new to both linux and freeradius,
> > should I set the following
> >
> > Auth-Type PAP
> >   {
> >   ntlm_auth_pap
> >   }
> >
> > in the authenticate section of /etc/freeradius/sites-enabled/inner-tunnel
> > and /etc/freeradius/sites-available/inner-tunnel files?
>
> No, authenticate should look like:
>
> Auth-Type PAP {
> pap
> }
>
> ntlm_auth_pap
>
> ...
>
> Ivan Kalik
> Kalik Informatika ISP
>
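Putting Ivan's two corrections together (the Auth-Type fallback goes in authorize after pap; ntlm_auth_pap has to be listed in authenticate, which is what makes it a known Auth-Type value), this is the resulting layout as an added example rather than a file posted in the thread. The module list in authorize is abbreviated; /usr/bin/ntlm_auth and EXCHANGE are the values Petar posted.

```unlang
# Added example, not a config from the thread. The values below are the ones
# quoted in the thread; adjust the ntlm_auth path and domain to your install.

# 1. radiusd.conf, inside modules { ... }: hand the tunneled username and
#    password to Samba's ntlm_auth. The user-supplied values are expanded
#    into a command line, so shell_escape stays on.
exec ntlm_auth_pap {
    wait = yes
    input_pairs = request
    shell_escape = yes
    output = none
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXCHANGE --username=%{mschap:User-Name} --password=%{User-Password}"
}

# 2. sites-enabled/inner-tunnel. eap.conf's ttls { virtual_server = "inner-tunnel" }
#    sends the tunneled PAP request here, not to sites-enabled/default.
server inner-tunnel {
    authorize {
        chap
        mschap
        suffix
        eap
        files
        expiration
        logintime
        pap

        # After pap: only when nothing above supplied a password for the user
        # (no Cleartext-Password in the users file, no NT hash, ...) route the
        # request to ntlm_auth. This is what Ivan called "password is nowhere
        # to be found". If ntlm_auth_pap were not listed in authenticate below,
        # the server would refuse to start with
        # "Unknown value ntlm_auth_pap for attribute Auth-Type".
        if (!control:Auth-Type) {
            update control {
                Auth-Type = ntlm_auth_pap
            }
        }
    }

    authenticate {
        # PAP against passwords FreeRADIUS already knows keeps working.
        Auth-Type PAP {
            pap
        }

        # Listing the module here defines the ntlm_auth_pap Auth-Type; with
        # wait = yes, ntlm_auth's exit status decides accept or reject.
        ntlm_auth_pap

        # chap, mschap, eap ... as in the stock inner-tunnel file
    }
}
```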

Re: EAP-TTLS (PAP) with Win2K3 domain not working

2009-06-26 Thread Petar Marinkovic
Similar error, again when the server is starting

Module: Linked to module rlm_files
 Module: Instantiating files
  files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
  }
/etc/freeradius/sites-enabled/inner-tunnel[157]: ERROR: Unknown value
ntlm_auth_pap for attribute Auth-Type

/etc/freeradius/sites-enabled/inner-tunnel[156]: Failed to parse
"update" subsection.

/etc/freeradius/sites-enabled/inner-tunnel[34]: Errors parsing
authorize section.

Errors initializing modules


That part of the config is in /etc/freeradius/sites-enabled/inner-tunnel and
/etc/freeradius/sites-available/inner-tunnel files, like this

pap

if (!control:Auth-Type) {
    update control {
        Auth-Type = ntlm_auth_pap
    }
}

Thanks in advance!

Petar



On Fri, Jun 26, 2009 at 11:22, Ivan Kalik  wrote:

> > In eap.conf, for eap-ttls there is a line
> >
> > virtual_server = "inner-tunnel"
> >
> > I put this part of your code in
> /etc/freeradius/sites-enabled/inner-tunnel
> > and /etc/freeradius/sites-available/inner-tunnel files, like this
> >
> > Auth-Type PAP
> > {
> >   pap
> > }
> >
> > if(!control:Auth-Type) {
> > update control {
> >  Auth-Type = ntlm_auth_pap
> > }
> > }
>
> Sorry, mistake in my instructions. Put that in authorize (not
> authenticate) after pap.
>
> > and when I try to restart the server, I get the following error:
> >
> > radiusd:  Loading Virtual Servers 
> > server inner-tunnel {
> >  modules {
> >  Module: Checking authenticate {...} for more modules to load
> >  Module: Linked to module rlm_pap
> >  Module: Instantiating pap
> >   pap {
> > encryption_scheme = "auto"
> > auto_header = no
> >   }
> > /etc/freeradius/sites-enabled/inner-tunnel[186]: ERROR: Unknown value
> > ntlm_auth_pap for attribute Auth-Type
> >
> > /etc/freeradius/sites-enabled/inner-tunnel[185]: Failed to parse
> > "update" subsection.
> >
> > /etc/freeradius/sites-enabled/inner-tunnel[176]: Errors parsing
> > authenticate section.
> >
> > Errors initializing modules
> >
> > Sorry if I am asking stupid questions, but I am new to linux and
> > freeradius, and this is all so confusing for me :) What am I doing wrong?
> >
> >
> > On Fri, Jun 26, 2009 at 00:03, Ivan Kalik  wrote:
> >
> >> > First, thanks Alan for your help, I managed to make it work with AD.
> >> > Now I want to try to get EAP-TTLS with PAP to authenticate users in the
> >> > domain. I saw this link
> >> >
> >>
> http://lists.freeradius.org/mailman/htdig/freeradius-users/2008-March/msg00417.html
> >> >
> >> > So I added the following lines to the modules section of radiusd.conf
> >> >
> >> >  exec ntlm_auth_pap {
> >> >   wait = yes
> >> >   input_pairs = request
> >> >   shell_escape = yes
> >> >   output = none
> >> >
> >> >   program = "/path/to/ntlm_auth --username=%{User-Name}
> >> --domain=EXCHANGE
> >> > --password=%{User-Password}"
> >> >   }
> >> >
> >> > and I edited /etc/freeradius/sites-available/default file and
> >> > /etc/freeradius/sites-enabled/default, section authenticate to
> >> >
> >> > Auth-Type PAP
> >> > {
> >> > ntlm_auth_pap
> >> > }
> >>
> >> Don't do that. One - it's a wrong virtual server and two - it's not
> >> going
> >> to work. Use the same technique as in the guide for pap requests. List
> >> ntlm_auth_pap in authenticate section of inner-tunnel virtual server
> >> (look
> >> at ttls section of eap.conf and you will see where will inner tunnel
> >> requests end up). Forcing Auth-Type in users file might break a few
> >> things
> >> so add this to authenticate section of inner-tunnel virtual server
> >> *after*
> >> pap instead:
> >>
> >> if(!control:Auth-Type) {
> >> update control {
> >>  Auth-Type = ntlm_auth_pap
> >> }
> >> }
> >>
> >> That will set Auth-Type to ntlm_auth_pap for a pap inner tunnel request
> >> if
> >> password is nowhere to be found.
> >>
> >> Ivan Kalik
> >> Kalik Informatika ISP
> >>
> >
>
>
> Ivan Kalik
> Kalik Informatika ISP
>
>

Re: EAP-TTLS (PAP) with Win2K3 domain not working

2009-06-26 Thread Petar Marinkovic
In eap.conf, for eap-ttls there is a line

virtual_server = "inner-tunnel"

I put this part of your code in /etc/freeradius/sites-enabled/inner-tunnel
and /etc/freeradius/sites-available/inner-tunnel files, like this

Auth-Type PAP
{
  pap
}

if(!control:Auth-Type) {
update control {
 Auth-Type = ntlm_auth_pap
}
}

and when I try to restart the server, I get the following error:

radiusd:  Loading Virtual Servers 
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
encryption_scheme = "auto"
auto_header = no
  }
/etc/freeradius/sites-enabled/inner-tunnel[186]: ERROR: Unknown value
ntlm_auth_pap for attribute Auth-Type

/etc/freeradius/sites-enabled/inner-tunnel[185]: Failed to parse
"update" subsection.

/etc/freeradius/sites-enabled/inner-tunnel[176]: Errors parsing
authenticate section.

Errors initializing modules

Sorry if I am asking stupid questions, but I am new to linux and freeradius,
and this is all so confusing for me :) What am I doing wrong?


On Fri, Jun 26, 2009 at 00:03, Ivan Kalik  wrote:

> > First, thanks Alan for your help, I managed to make it work with AD. Now
> > I want to try to get EAP-TTLS with PAP to authenticate users in the
> > domain. I saw this link
> >
> http://lists.freeradius.org/mailman/htdig/freeradius-users/2008-March/msg00417.html
> >
> > So I added the following lines to the modules section of radiusd.conf
> >
> >  exec ntlm_auth_pap {
> >   wait = yes
> >   input_pairs = request
> >   shell_escape = yes
> >   output = none
> >
> >   program = "/path/to/ntlm_auth --username=%{User-Name}
> --domain=EXCHANGE
> > --password=%{User-Password}"
> >   }
> >
> > and I edited /etc/freeradius/sites-available/default file and
> > /etc/freeradius/sites-enabled/default, section authenticate to
> >
> > Auth-Type PAP
> > {
> > ntlm_auth_pap
> > }
>
> Don't do that. One - it's a wrong virtual server and two - it's not going
> to work. Use the same technique as in the guide for pap requests. List
> ntlm_auth_pap in authenticate section of inner-tunnel virtual server (look
> at ttls section of eap.conf and you will see where will inner tunnel
> requests end up). Forcing Auth-Type in users file might break a few things
> so add this to authenticate section of inner-tunnel virtual server *after*
> pap instead:
>
> if(!control:Auth-Type) {
> update control {
>  Auth-Type = ntlm_auth_pap
> }
> }
>
> That will set Auth-Type to ntlm_auth_pap for a pap inner tunnel request if
> password is nowhere to be found.
>
> Ivan Kalik
> Kalik Informatika ISP
>

Re: EAP-TTLS (PAP) with Win2K3 domain not working

2009-06-26 Thread Petar Marinkovic
Sorry, I just c/p that line from the other link

here is mine

exec ntlm_auth_pap {
    wait = yes
    input_pairs = request
    shell_escape = yes
    output = none
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXCHANGE --username=%{mschap:User-Name} --password=%{User-Password}"
}

should the domain field be the pre-Windows 2000/NT name or the FQDN (domain.com)?

Also, I didn't get you quite well, I am new to both linux and freeradius,
should I set the following

Auth-Type PAP
  {
  ntlm_auth_pap
  }

in the authenticate section of /etc/freeradius/sites-enabled/inner-tunnel and
/etc/freeradius/sites-available/inner-tunnel files?

Thanks for all your help

On Thu, Jun 25, 2009 at 18:43,  wrote:

> Hi,
>
> >  exec ntlm_auth_pap {
> >   wait = yes
> >   input_pairs = request
> >   shell_escape = yes
> >   output = none
> >
> >   program = "/path/to/ntlm_auth --username=%{User-Name}
> --domain=EXCHANGE --password=%{User-Password}"
>
> i really do hope that you changed that bit to be the correct $PATH
> for your ntlm_auth command
>
> > and I edited /etc/freeradius/sites-available/default file and
> > /etc/freeradius/sites-enabled/default, section authenticate to
> >
> > Auth-Type PAP
> > {
> > ntlm_auth_pap
> > }
>
> no. this is TTLS, so this is going to occur in the inner-tunnel
> unless you've really cooked up your config in some weird way.
> a default install will use the inner-tunnel sites-enabled file
> - put your ntlm_auth_pap stuff into that file.
>
> > server inner-tunnel {
> > +- entering group authorize {...}
> > ++[chap] returns noop
> > ++[mschap] returns noop
> > ++[unix] returns notfound
> > [suffix] No '@' in User-Name = "testuser", looking up realm NULL
> > [suffix] No such realm "NULL"
> > ++[suffix] returns noop
> > ++[control] returns noop
> > [eap] No EAP-Message, not doing EAP
> > ++[eap] returns noop
> > ++[files] returns noop
> > ++[expiration] returns noop
> > ++[logintime] returns noop
> > ++[pap] returns noop
> > No authenticate method (Auth-Type) configuration found for the
> > request: Rejecting the user
> >
> > Failed to authenticate the user.
> > } # server inner-tunnel
>
> see. inner-tunnel. you aren't dealing with the user properly
>
> alan

EAP-TTLS (PAP) with Win2K3 domain not working

2009-06-25 Thread Petar Marinkovic
First, thanks Alan for your help, I managed to make it work with AD. Now I
want to try to get EAP-TTLS with PAP to authenticate users in the domain. I
saw this link
http://lists.freeradius.org/mailman/htdig/freeradius-users/2008-March/msg00417.html

So I added the following lines to the modules section of radiusd.conf

exec ntlm_auth_pap {
    wait = yes
    input_pairs = request
    shell_escape = yes
    output = none
    program = "/path/to/ntlm_auth --username=%{User-Name} --domain=EXCHANGE --password=%{User-Password}"
}

and I edited /etc/freeradius/sites-available/default file and
/etc/freeradius/sites-enabled/default, section authenticate to

Auth-Type PAP
{
ntlm_auth_pap
}

But when a user tries to connect, I get the following error:

[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
User-Name = "testuser"
User-Password = "testuserpass"
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
User-Name = "testuser"
User-Password = "testuserpass"
FreeRADIUS-Proxied-To = 127.0.0.1
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user

Failed to authenticate the user.
} # server inner-tunnel
[ttls] Got tunneled reply code 3
[ttls] Got tunneled Access-Reject
  SSL: Removing session 963d9312e7948dc613d384208137728dce44b3071923bb0c257aeaf9229a1a95 from the cache

[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.

If someone can help, that would be great. Thanks once again for your help
with my previous question folks, I really appreciate it.