no response to Access-Challenge
Hi,

Sorry for the rookie question but I'd like to know what I can make of the following: I have just one wireless device, an access point and a freeradius server. When the supplicant tries to connect I can see the following messages in FR over and over:

rad_recv: Access-Request packet from...
...
Sending Access-Challenge of id 46 to 10.215.146.130 port 2048
	EAP-Message = 0x010200061920
	Message-Authenticator = 0x
	State = 0x2bd535b12bd72c983ec1de5e3f93e675
Finished request 18.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 18 ID 46 with timestamp +771
Ready to process requests.

There are quite a few Access-Request/Access-Challenge pairs (it goes on for about a minute or two) until the supplicant finally succeeds in connecting, with TLS handshakes and so on (WPA2+AES+EAP-TLS).

What can be causing this delay? It's as if the conversation were out of sync or as if one side weren't listening. Could it be the AP, the client supplicant, the wlan driver?

If I were to use a packet sniffer like wireshark, what filter could I apply and what should I look for?

Ideas are welcome.

Thanks
Vieri

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
wpa_supplicant on Windows takes a long time to auth via freeradius
Hi,

I'm noticing that at times my Windows wpa_supplicant takes a long time to authenticate via freeradius. It seems to associate quickly to a Linksys WAP2000 access point. However, it takes a full 4-5 minutes to complete the connection.

I noticed that each time Freeradius sends an Access-Challenge it wakes up in 4.9 seconds. Is this normal?

I'm attaching the log files of both Freeradius and wpa_supplicant in the hope that someone can help me understand what's making my client PC take so much time to connect to my wireless network.

Thanks,
Vieri

Attachments: freeradius.log.gz, wpa_supplicant.log.gz
only accept PEAP-MSCHAPv2 with EAP-TLS-Require-Client-Cert = Yes
Hi,

I set up freeradius to accept authentications using PEAP-MSCHAPv2 with client certificates via EAP-TLS-Require-Client-Cert = Yes. However, clients who authenticate via EAP-TLS also succeed.

How can I reject all auth types except PEAP-MSCHAPv2 with EAP-TLS-Require-Client-Cert = Yes? (ie. I require both client certificates and username/password.)

Thanks,
Vieri
check_crl = yes leads to verify error:num=3:unable to get certificate CRL
Hi,

I'm doing something wrong with my Certificate Revocation List but I can't seem to understand what.

I'm using freeradius 2.1.7 and openssl 0.9.8k. I'm self-signing the certificates.

With check_crl = no everything works well. However, authentication does not work with check_crl = yes and I get an "unable to get certificate CRL" error. How can I debug this and understand why it can't get the CRL?

Here are the steps I perform:

# cd /etc/ssl
# openssl ca -gencrl -keyfile FHM-CA/certs/radius_client_D_831_key.pem -cert FHM-CA/certs/radius_client_D_831_cert.pem -out FHM-CA/crl/FHM_crl.pem -crldays 60
# c_rehash FHM-CA/crl
# cp FHM-CA/cacert.pem /etc/raddb/certs/FHM/
# cat FHM-CA/crl/FHM_crl.pem /etc/raddb/certs/FHM/cacert.pem
# openssl verify -CApath FHM-CA/crl FHM-CA/crl/radius_client_D_831_cert.pem
FHM-CA/crl/radius_client_D_831_cert.pem: OK

eap.conf:

tls {
	certdir = ${confdir}/certs
	cadir = ${confdir}/certs
	private_key_password = x
	private_key_file = ${certdir}/FHM/radius_server_keycert.pem
	certificate_file = ${certdir}/FHM/radius_server_keycert.pem
	CA_file = ${cadir}/FHM/cacert.pem
	dh_file = ${certdir}/FHM/dh
	random_file = ${certdir}/FHM/random

	# Check the Certificate Revocation List
	#
	# 1) Copy CA certificates and CRLs to same directory.
	# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
	#    'c_rehash' is OpenSSL's command.
	# 3) uncomment the line below.
	# 5) Restart radiusd
	check_crl = yes
	CA_path = /etc/ssl/FHM-CA/crl/
	crl_file = /etc/ssl/FHM-CA/crl/FHM_crl.pem
	crl_path = /etc/ssl/FHM-CA/crl/FHM_crl.pem
}

The supplicant has the radius_client_D_831_cert.p12 certificate but I get this error on the freeradius server:

+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 1812
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 05fe], Certificate
--> verify error:num=3:unable to get certificate CRL
[peap] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
    TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation

Any ideas are greatly appreciated.

Vieri
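The CRL flow above, as an added, self-contained walk-through that is not part of the original post: a throwaway CA issues one client certificate, the CRL is generated with the CA's own key, and the certificate is verified with -crl_check against a rehashed directory holding both the CA certificate and the CRL (the layout the eap.conf comment describes). It assumes only the openssl CLI is available; the CA name, client name and paths are made up.

```shell
#!/bin/sh
# Added example, not from the original post: throwaway CA, one client cert,
# a CRL signed by the CA key, and verification with CRL checking enabled.
# Assumes only the openssl CLI; every name and path below is made up.
set -eu
WORK=$(mktemp -d)
cd "$WORK"
mkdir -p ca/newcerts trust
: > ca/index.txt
echo 1000 > ca/serial
echo 1000 > ca/crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/cacert.pem
private_key = $dir/cakey.pem
default_md = sha256
default_days = 365
default_crl_days = 60
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
# CA key + self-signed CA certificate (the trust anchor), then a client cert it issues.
openssl req -config ca.cnf -x509 -extensions ca_ext -newkey rsa:2048 -nodes \
    -days 365 -subj /CN=Demo-CA -keyout ca/cakey.pem -out ca/cacert.pem 2>/dev/null
openssl req -config ca.cnf -newkey rsa:2048 -nodes \
    -subj /CN=demo-client -keyout client.key -out client.csr 2>/dev/null
openssl ca -config ca.cnf -batch -notext -in client.csr -out client.pem 2>/dev/null
# The CRL is signed with the CA key (the issuer of the certs it revokes); a CRL
# signed with any other key is never matched to this issuer during verification.
gencrl() { openssl ca -config ca.cnf -gencrl -out "$1" 2>/dev/null; }
# CApath lookup needs CA cert and CRL in one directory, hashed (cert .0, CRL .r0).
rehash() { openssl rehash "$1" 2>/dev/null || c_rehash "$1" >/dev/null 2>&1; }
# Reduce the verify result to one token: OK, NO_CRL, REVOKED or OTHER.
crl_verify() {
    out=$(openssl verify -crl_check -CApath "$1" "$2" 2>&1 || true)
    case "$out" in
        *": OK"*) echo OK ;;
        *"unable to get certificate CRL"*) echo NO_CRL ;;
        *"certificate revoked"*) echo REVOKED ;;
        *) echo "OTHER: $out" ;;
    esac
}
cp ca/cacert.pem trust/ && rehash trust
NO_CRL=$(crl_verify trust client.pem)         # CA cert only: verify error num=3
gencrl trust/crl.pem && rehash trust
WITH_CRL=$(crl_verify trust client.pem)       # CA cert + CRL: OK
openssl ca -config ca.cnf -revoke client.pem 2>/dev/null
gencrl trust/crl.pem && rehash trust
AFTER_REVOKE=$(crl_verify trust client.pem)   # fresh CRL lists the cert
echo "no CRL: $NO_CRL, with CRL: $WITH_CRL, after revoke: $AFTER_REVOKE"
```

Note that openssl verify only consults the CRL when -crl_check is given; without it a plain "OK" says nothing about revocation, which is the difference between a manual check and what check_crl = yes does at handshake time.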
how to require client certificate with PEAP
Hi,

If I use EAP-TLS with a self-signed client certificate, I can connect my Windows XP clients to a WLAN.
If I use PEAP alone, then my Windows XP clients connect to a WLAN with an Active Directory username.

I'm trying to combine both EAP-TLS and PEAP but since I'm not a radius security guru then I'll rephrase what my goal is: I simply want to *require* that all wifi clients use PEAP *AND* have a self-signed client certificate installed on their system. That way, if I want to, I can revoke the certificates from the server.

The Windows native clients are configured to use:
Eap type: PEAP
and have both root and client certificates installed.

However, if I add the EAP-TLS-Require-Client-Cert = Yes option then I get this message in the log:

rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

How should I configure Windows XP to send the client certificate?

Thanks,
Vieri

PS: Here are the relevant config files and debug log:

FreeRADIUS Version 2.0.5, for host x86_64-pc-linux-gnu, built on Oct 1 2008 at 12:36:40
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
PEAP + EAP-TLS: client certificates
Hi,

Sorry for the trivial questions but here I go:

I think I configured freeradius correctly for EAP-TLS and PEAP with ms-chap which authenticates using the ntlm_auth helper application.

If I try to connect from a Windows client via a wireless AP WIFIAP1 with Active Directory user1 I see this in the log:

Thu Oct 22 10:05:49 2009 : Auth: Login OK: [user1/<via Auth-Type = EAP>] (from client WIFIAP1 port 0 via TLS tunnel)
Thu Oct 22 10:05:49 2009 : Auth: Login OK: [user1/<via Auth-Type = EAP>] (from client WIFIAP1 port 48 cli 001a73f7f0f7)

Dumb question: does this mean the client used PEAP to connect? Can I deduce this from "Auth-Type = EAP" and from "via TLS tunnel"?

If connected via PEAP, authentication is secure. However, I'd like to know if the data exchanged between the clients and the rest of the LAN via the Access Point is also encrypted and cannot be sniffed. Does this data encryption depend only on the AP's encryption settings (eg. AES) and does FreeRadius get out of this equation after authentication?

If I install a self-signed certificate on another Windows client and connect via EAP-TLS then I can connect without having to use an Active Directory user, as expected.

I'm wondering if I can *require* both a certificate on the client machine AND an AD user authentication. In other words, how can I *require* PEAP-EAP-TLS? (currently, my freeradius configuration seems to require PEAP OR EAP-TLS)

Freeradius version: 2.0.5

Thanks,
Vieri
Re: PEAP + EAP-TLS: client certificates
--- On Thu, 10/22/09, Ivan Kalik t...@kalik.net wrote:

>> If I install a self-signed certificate on another Windows client and connect via EAP-TLS then I can connect without having to use an Active Directory user, as expected.
>>
>> I'm wondering if I can *require* both a certificate on the client machine AND an AD user authentication. In other words, how can I *require* PEAP-EAP-TLS? (currently, my freeradius configuration seems to require PEAP OR EAP-TLS)
>>
>> Freeradius version: 2.0.5
>
> Don't know about that version. It should say how to require certificates for peap in eap.conf above peap section.

Is this the option?

EAP-TLS-Require-Client-Cert = Yes

I'm not sure where I should place it.
Re: PEAP + EAP-TLS: client certificates
--- On Thu, 10/22/09, Vieri rentor...@yahoo.com wrote:

> From: Vieri rentor...@yahoo.com
> Subject: Re: PEAP + EAP-TLS: client certificates
> To: freeradius-users@lists.freeradius.org
> Date: Thursday, October 22, 2009, 9:05 AM
>
> --- On Thu, 10/22/09, Ivan Kalik t...@kalik.net wrote:
>
>>> If I install a self-signed certificate on another Windows client and connect via EAP-TLS then I can connect without having to use an Active Directory user, as expected.
>>>
>>> I'm wondering if I can *require* both a certificate on the client machine AND an AD user authentication. In other words, how can I *require* PEAP-EAP-TLS? (currently, my freeradius configuration seems to require PEAP OR EAP-TLS)
>>>
>>> Freeradius version: 2.0.5
>>
>> Don't know about that version. It should say how to require certificates for peap in eap.conf above peap section.
>
> Is this the option?
>
> EAP-TLS-Require-Client-Cert = Yes
>
> I'm not sure where I should place it.

If in eap.conf I have:

peap {
	...
	virtual_server = inner-tunnel
}

then maybe I should edit sites-available/inner-tunnel and add:

server inner-tunnel {
	...
	authorize {
		...
		update control {
			...
			EAP-TLS-Require-Client-Cert = Yes
		}
	}
}

Is this correct?
Re: Windows client MS-chap auto-reauthentication
--- On Sun, 10/18/09, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

> XP caches successful connections - Vista does too IIRC so I'm not sure why you are seeing different behaviour.. anyhow..you can clear the credentials by blatting a registry on eg logout or login.

OK, thanks for the suggestion. And thanks, Micro$oft, for automating things for me.

> the RADIUS server won't see the difference between std login and cached login as the client sends the same stuff.

I thought so.

> regarding theft. you are using EAP-TLS with client certs? in that case, you can simply revoke that client cert.

But I have to revoke it manually (CRL) as soon as I'm informed of the theft, which is usually a long and unreliable process. :-(

Thanks anyway.

Vieri
Windows client MS-chap auto-reauthentication
Hello,

I'm connecting Windows clients to a LAN via Linksys access points and a Freeradius server. I'm using EAP/TLS with certificates installed on the clients and in modules/mschap I defined:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=DOMAIN --require-membership-of=DOMAIN\\WIFI_DATA --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

So the Windows clients must have a certificate and log in with the credentials of an Active Directory user who is a member of the WIFI_DATA group. This setup works fine.

However, I'm seeing a major difference between a Windows XP pro SP2 client and a Windows Vista: if the Vista client (laptop) reboots the OS then access to the LAN via WIFI requires the user to re-enter login username and password, as expected. If the XP client reboots the OS then user credentials seem to be automatically sent to the Radius server again, as if they were stored on the system (no user interaction).

Can I change this behavior and require the user to re-send their login data each time the Windows session is closed or the OS reboots?

I realize this is a client-only issue and that freeradius can't possibly detect the difference between the 2 cases (or can it?) but I am concerned that if, for example, the XP laptop is stolen (or unauthoritatively lent) then all the unwanted user needs to do to access our LAN is boot the OS, unless the legitimate user's password has expired. The laptop is for a hospital's Emergency department so it's easy to imagine that it cannot be under 24-hour surveillance (but usually, the legitimate users switch the device off when done working or the laptop automatically turns off after an inactivity timeout).

Does anyone know:
- why XP re-authenticates automatically and how to disable it?
- why Vista doesn't behave the same way?
- if installing SP3 on XP removes this feature?
- if something can be done on freeradius to discriminate manual logins from auto-logins?

I'm running freeradius 2.0.5 on Linux.

Thank you,
Vieri
freeradius and active directory
Hi,

I noticed that some freeradius.org howtos suggest specifying a password server in Samba when using ads security:

http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
http://deployingradius.com/documents/configuration/active_directory.html

Why should one do that, especially if the samba docs say "Use password server option only with security = server"?

Besides, if I comment out "password server =", specify "realm = MYDOMAIN.ORG" and then define the AD servers in krb5.conf one per line:

kdc = server1.MYDOMAIN.ORG:88
kdc = server2.MYDOMAIN.ORG:88

then authentication via AD is as expected.

I'm just curious to know why these howtos suggest specifying a password server when using ads security in Samba.

Thanks,
Vieri
Freeradius, PEAP, Active Directory and --require-membership-of
Hi,

I'm running freeradius-2.0.5 on Linux. My setup is as follows:

Windows Vista native client - Linksys AP - FreeRadius Linux server (PEAP/mschapv2) - Active Directory Windows server

Everything works smoothly with the following ntlm_auth parameters in the mschap module:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

However, user authentication is rejected when I add the --domain parameter:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

(from the Windows Vista client I obviously set the DOMAIN field; besides, if I run the freeradius daemon with debug enabled I see that it correctly receives 'DOMAIN\username')

For starters, I don't understand why authentication fails if I add --domain. How can I find out why?

Then, adding --require-membership-of with or without --domain also fails.

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{Stripped-User-Name:-%{User-Name:-None}} --require-membership-of='DOMAIN\\WIFI' --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

Finally, running ntlm_auth from the command line yields:

# ntlm_auth --request-nt-key --domain=DOMAIN --username=myuser --require-membership-of='DOMAIN\\WIFI'
password:
NT_STATUS_OK: Success (0x0)

Could it be a bug in the freeradius version I'm running? Can anyone please suggest how I can debug this (not a radius expert ;-) )?

Regards,
Vieri
Re: Freeradius, PEAP, Active Directory and --require-membership-of
--- On Thu, 10/2/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

> As with every other freeradius problem - when it doesn't work - debug (radiusd -X).

That's how I'm running it. Does the list mind if I post the debug lines?
Re: Freeradius, PEAP, Active Directory and --require-membership-of
I forgot to mention that I already tried:

with_ntdomain_hack = yes

I'll try to post the relevant radiusd -X debug lines if the ML doesn't mind.
Roaming with WPA-Enterprise/Radius
Hello,

I have freeRadius version 1.0.5 on gentoo Linux (r3). I am using three Linksys WAP54G access points. I've managed to roam seamlessly both with Broadcom and Intel wireless laptops. However, this is true for open APs or with WEP encryption. If I use WPA-Enterprise with a Radius server, there's a long delay when switching between APs (10 seconds).

The test environment is as follows:

freeRadius.org Gentoo Linux server --- 3 Linksys WAP54G APs configured with WPA-Enterprise w/Radius --- 1 roaming laptop

The delay seems to be due to re-authentication with the freeRadius server and that seems to be "expensive". Is there a way of "caching" or "pre-authenticating" or "propagating authentication between APs"?

Has anyone found a solution to this roaming problem in case one uses WPA-Enterprise/Radius?

Regards,
Vieri