no response to Access-Challenge

2010-02-16 Thread Vieri
Hi,

Sorry for the rookie question but I'd like to know what I can make of the 
following:

I have just one wireless device, an access point and a freeradius server.

When the supplicant tries to connect I can see the following messages in FR 
over and over:

rad_recv: Access-Request packet from...

...

Sending Access-Challenge of id 46 to 10.215.146.130 port 2048
EAP-Message = 0x010200061920
Message-Authenticator = 0x
State = 0x2bd535b12bd72c983ec1de5e3f93e675
Finished request 18.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 18 ID 46 with timestamp +771
Ready to process requests.

There are quite a few Access-Request/Access-Challenge pairs (it goes on for 
about a minute or two) until the supplicant finally succeeds in connecting with 
TLS handshakes and so on (WPA2+AES+EAP-TLS).

What can be causing this delay?
It's as if the conversation were out of sync or as if one side weren't 
listening.
Could it be AP, the client supplicant, the wlan driver?

If I were to use a packet sniffer like wireshark, what filter could I apply 
and what should I look for?

Ideas are welcome.

Thanks

Vieri



  
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
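A few things in the debug output above can be read off directly, and the same applies to the following post about the 4.9 second wake-up. "Waking up in 4.9 seconds" / "Cleaning up request 18" is the server's cleanup_delay timer (5 seconds in the radiusd.conf quoted further down this page): FreeRADIUS keeps the finished request around for that long so it can re-send the same reply if the NAS retransmits; it is not waiting for the client. The EAP-Message value 0x010200061920 is an EAP-Request (code 1), identifier 2, length 6, type 25 (PEAP) with the Start flag (0x20) set. The Message-Authenticator printed as "0x" is the HMAC-MD5 over the packet that RFC 3579 requires on every RADIUS packet carrying EAP-Message. On the capture side, Wireshark's `radius` display filter isolates the server half of the exchange and `eapol` the wireless half.

The code below is an added example, not code from the original post or from FreeRADIUS. It decodes that EAP-Message, builds an Access-Challenge with the identifier (46), EAP-Message and State from the log, computes the Message-Authenticator and Response Authenticator as RFC 3579 section 3.2 and RFC 2865 section 3 specify, and verifies both the way a NAS must. The shared secret and the Request Authenticator are constructed values.

```python
"""Decode an EAP-Message and build/verify an Access-Challenge with Message-Authenticator.

Added example (not FreeRADIUS code). Packet fields marked 'from the log' are the
values in the debug output above; the secret and Request Authenticator are constructed.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
ATTR_STATE, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 24, 79, 80
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def decode_eap_message(data):
    """Parse the EAP header (RFC 3748) and, for EAP-TLS/PEAP, the flags byte."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:
        out["type"] = EAP_TYPES.get(data[4], data[4])
        if data[4] in (13, 25) and length >= 6:
            flags = data[5]  # L (length included) 0x80, M (more fragments) 0x40, S (start) 0x20
            out["flags"] = {"length_included": bool(flags & 0x80),
                            "more": bool(flags & 0x40),
                            "start": bool(flags & 0x20)}
    return out


def _attr(t, value):
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 octets")
    return bytes((t, len(value) + 2)) + value


def _packet(code, ident, authenticator, attrs):
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 octets")
    body = b"".join(_attr(t, v) for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def build_access_challenge(ident, request_authenticator, secret, attrs):
    """RFC 3579 3.2: Message-Authenticator = HMAC-MD5(secret, packet with the
    attribute zeroed and the Request Authenticator in the authenticator field).
    RFC 2865 3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+secret)."""
    attrs = list(attrs) + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]
    placeholder = _packet(ACCESS_CHALLENGE, ident, request_authenticator, attrs)
    attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR, hmac.new(secret, placeholder, hashlib.md5).digest())
    pkt = _packet(ACCESS_CHALLENGE, ident, request_authenticator, attrs)
    response_authenticator = hashlib.md5(pkt + secret).digest()
    return pkt[:4] + response_authenticator + pkt[20:]


def parse_attrs(pkt):
    attrs, i = [], 20
    while i < len(pkt):
        if i + 1 >= len(pkt):
            raise ValueError("truncated attribute header")
        t, length = pkt[i], pkt[i + 1]
        if length < 2 or i + length > len(pkt):
            raise ValueError("malformed attribute length")
        attrs.append((t, pkt[i + 2:i + length]))
        i += length
    return attrs


def verify_response(pkt, request_authenticator, secret):
    """What the NAS must check on a reply: the Response Authenticator, and
    (mandatory whenever EAP-Message is present) the Message-Authenticator."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + request_authenticator + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        return False
    mac, zeroed = None, []
    for t, v in parse_attrs(pkt):
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            if mac is not None or len(v) != 16:
                return False
            mac, v = v, bytes(16)
        zeroed.append((t, v))
    if mac is None:
        return False
    calc = hmac.new(secret, _packet(pkt[0], pkt[1], request_authenticator, zeroed), hashlib.md5).digest()
    return hmac.compare_digest(calc, mac)


EAP_START = bytes.fromhex("010200061920")                       # from the log
STATE = bytes.fromhex("2bd535b12bd72c983ec1de5e3f93e675")       # from the log
SECRET = b"constructed-shared-secret"                           # constructed
REQUEST_AUTH = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
CHALLENGE = build_access_challenge(46, REQUEST_AUTH, SECRET,
                                   [(ATTR_EAP_MESSAGE, EAP_START), (ATTR_STATE, STATE)])

if __name__ == "__main__":
    print(decode_eap_message(EAP_START))
    print("challenge verifies:", verify_response(CHALLENGE, REQUEST_AUTH, SECRET))
```

Note that the client entries in the radiusd.conf quoted further down set `require_message_authenticator = no`; that only relaxes what the server demands of the NAS on Access-Requests. The server still puts a Message-Authenticator on every EAP reply, which is the value the log shows.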


wpa_supplicant on Windows takes a long time to auth via freeradius

2010-02-11 Thread Vieri
Hi,

I'm noticing that at times my Windows wpa_supplicant takes a long time to 
authenticate via freeradius. It seems to associate quickly to a Linksys WAP2000 
access point. However, it takes a full 4-5 minutes to complete the connection. 

I noticed that each time Freeradius sends an Access-Challenge it wakes up in 
4.9 seconds. Is this normal?

I'm attaching the log files of both Freeradius and wpa_supplicant in the hope 
that someone can help me understand what's making my client PC take so much 
time to connect to my wireless network.

Thanks,

Vieri




Attachments: freeradius.log.gz, wpa_supplicant.log.gz (GNU Zip compressed data)

only accept PEAP-MSCHAPv2 with EAP-TLS-Require-Client-Cert = Yes

2010-01-07 Thread Vieri
Hi,

I setup freeradius to accept authentications using PEAP-MSCHAPv2 with client 
certificates via EAP-TLS-Require-Client-Cert = Yes.

However, clients who authenticate via EAP-TLS also succeed.

How can I reject all auth types except PEAP-MSCHAPv2 with 
EAP-TLS-Require-Client-Cert = Yes?
(ie. I require both client certificates and username/password.)

Thanks,

Vieri






check_crl = yes leads to verify error:num=3:unable to get certificate CRL

2009-12-22 Thread Vieri
Hi,

I'm doing something wrong with my Certificate Revocation List but I can't seem 
to understand what.

I'm using freeradius 2.1.7 and openssl 0.9.8k. I'm self-signing the 
certificates.

With check_crl = no everything works well.

However, authentication does not work with check_crl = yes and I get an 
unable to get certificate CRL error.
How can I debug this and understand why it can't get the CRL?

Here are the steps I perform:

# cd /etc/ssl
# openssl ca -gencrl -keyfile FHM-CA/certs/radius_client_D_831_key.pem -cert FHM-CA/certs/radius_client_D_831_cert.pem -out FHM-CA/crl/FHM_crl.pem -crldays 60
# c_rehash FHM-CA/crl
# cp FHM-CA/cacert.pem /etc/raddb/certs/FHM/
# cat FHM-CA/crl/FHM_crl.pem >> /etc/raddb/certs/FHM/cacert.pem

# openssl verify -CApath FHM-CA/crl FHM-CA/crl/radius_client_D_831_cert.pem
FHM-CA/crl/radius_client_D_831_cert.pem: OK

eap.conf

tls {
    certdir = ${confdir}/certs
    cadir = ${confdir}/certs

    private_key_password = x
    private_key_file = ${certdir}/FHM/radius_server_keycert.pem

    certificate_file = ${certdir}/FHM/radius_server_keycert.pem

    CA_file = ${cadir}/FHM/cacert.pem

    dh_file = ${certdir}/FHM/dh
    random_file = ${certdir}/FHM/random

    #  Check the Certificate Revocation List
    #
    #  1) Copy CA certificates and CRLs to same directory.
    #  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
    #     'c_rehash' is OpenSSL's command.
    #  3) uncomment the line below.
    #  5) Restart radiusd
    check_crl = yes
    CA_path = /etc/ssl/FHM-CA/crl/
    crl_file = /etc/ssl/FHM-CA/crl/FHM_crl.pem
    crl_path = /etc/ssl/FHM-CA/crl/FHM_crl.pem
}


The supplicant has the radius_client_D_831_cert.p12 certificate but I get this 
error on the freeradius server:

+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 1812
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]  TLS 1.0 Handshake [length 05fe], Certificate
-- verify error:num=3:unable to get certificate CRL
[peap]  TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no 
certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation

Any ideas are greatly appreciated.

Vieri





how to require client certificate with PEAP

2009-10-27 Thread Vieri
Hi,

If I use EAP-TLS with a self-signed client certificate, I can connect my 
Windows XP clients to a WLAN.

If I use PEAP alone, then my Windows XP clients connect to a WLAN with an 
Active Directory username.

I'm trying to combine both EAP-TLS and PEAP but since I'm not a radius security 
guru then I'll rephrase what my goal is:

I simply want to *require* that all wifi clients use PEAP *AND* have a 
self-signed client certificate installed on their system.
That way, if I want to, I can revoke the certificates from the server.

The Windows native clients are configured to use:
Eap type: PEAP
and have both root and client certificates installed.

However, if I add the EAP-TLS-Require-Client-Cert = Yes option then I get 
this message in the log:

rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer 
did not return a certificate

How should I configure Windows XP to send the client certificate?

Thanks,

Vieri
PS:
Here are the relevant config files and debug log:

FreeRADIUS Version 2.0.5, for host x86_64-pc-linux-gnu, built on Oct  1 2008 at 
12:36:40
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including configuration file /etc/raddb/snmp.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/sql/mysql/counter.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including dictionary file /etc/raddb/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/radius
libdir = /usr/lib64
radacctdir = /var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = /var/run/radiusd/radiusd.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = yes
 }
}
 client 10.215.146.83 {
require_message_authenticator = no
secret = F5jmE6xA
shortname = FHMWIFI
 }
 client 10.215.146.130 {
require_message_authenticator = no
secret = F5jmE6x2B1_002369E349C4
shortname = FHMWIFI_2B1
 }
 client 10.215.146.131 {
require_message_authenticator = no
secret = F5jmE6x2B2

PEAP + EAP-TLS: client certificates

2009-10-22 Thread Vieri
Hi,

Sorry for the trivial questions but here I go:

I think I configured freeradius correctly for EAP-TLS and PEAP with MS-CHAP, 
which authenticates using the ntlm_auth helper application.

If I try to connect from a Windows client via a wireless AP WIFIAP1 with 
Active Directory user1 I see this in the log:

Thu Oct 22 10:05:49 2009 : Auth: Login OK: [user1/via Auth-Type = EAP] (from 
client WIFIAP1 port 0 via TLS tunnel)
Thu Oct 22 10:05:49 2009 : Auth: Login OK: [user1/via Auth-Type = EAP] (from 
client WIFIAP1 port 48 cli 001a73f7f0f7)

Dumb question: does this mean the client used PEAP to connect? Can I deduce 
this from Auth-Type = EAP and from via TLS tunnel?

If connected via PEAP, authentication is secure. However, I'd like to know if 
the data exchanged between the clients and the rest of the LAN via the Access 
Point is also encrypted and cannot be sniffed. Does this data encryption 
depend only on the AP's encryption settings (eg. AES) and does FreeRadius get 
out of this equation after authentication?

If I install a self-signed certificate on another Windows client and connect 
via EAP-TLS then I can connect without having to use an Active Directory user, 
as expected.

I'm wondering if I can *require* both a certificate on the client machine AND 
an AD user authentication. In other words, how can I *require* PEAP-EAP-TLS? 
(currently, my freeradius configuration seems to require PEAP OR EAP-TLS)

Freeradius version: 2.0.5

Thanks,

Vieri





Re: PEAP + EAP-TLS: client certificates

2009-10-22 Thread Vieri

--- On Thu, 10/22/09, Ivan Kalik t...@kalik.net wrote:

> > If I install a self-signed certificate on another Windows client and
> > connect via EAP-TLS then I can connect without having to use an Active
> > Directory user, as expected.
> >
> > I'm wondering if I can *require* both a certificate on the client machine
> > AND an AD user authentication. In other words, how can I *require*
> > PEAP-EAP-TLS? (currently, my freeradius configuration seems to require
> > PEAP OR EAP-TLS)
> >
> > Freeradius version: 2.0.5
>
> Don't know about that version. It should say how to require certificates
> for peap in eap.conf above peap section.

Is this the option?
EAP-TLS-Require-Client-Cert = Yes
I'm not sure where I should place it.





Re: PEAP + EAP-TLS: client certificates

2009-10-22 Thread Vieri


--- On Thu, 10/22/09, Vieri rentor...@yahoo.com wrote:

> From: Vieri rentor...@yahoo.com
> Subject: Re: PEAP + EAP-TLS: client certificates
> To: freeradius-users@lists.freeradius.org
> Date: Thursday, October 22, 2009, 9:05 AM
>
> --- On Thu, 10/22/09, Ivan Kalik t...@kalik.net wrote:
>
> > > If I install a self-signed certificate on another Windows client and
> > > connect via EAP-TLS then I can connect without having to use an Active
> > > Directory user, as expected.
> > >
> > > I'm wondering if I can *require* both a certificate on the client machine
> > > AND an AD user authentication. In other words, how can I *require*
> > > PEAP-EAP-TLS? (currently, my freeradius configuration seems to require
> > > PEAP OR EAP-TLS)
> > >
> > > Freeradius version: 2.0.5
> >
> > Don't know about that version. It should say how to require certificates
> > for peap in eap.conf above peap section.
>
> Is this the option?
> EAP-TLS-Require-Client-Cert = Yes
> I'm not sure where I should place it.

If in eap.conf I have:

peap {
    ...
    virtual_server = inner-tunnel
}

then maybe I should edit sites-available/inner-tunnel and add:

server inner-tunnel {
    ...
    authorize {
        ...
        update control {
            ...
            EAP-TLS-Require-Client-Cert = Yes
        }
    }
}

Is this correct?





Re: Windows client MS-chap auto-reauthentication

2009-10-19 Thread Vieri

--- On Sun, 10/18/09, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

> XP caches successful connections - Vista does too IIRC so I'm not
> sure why you are seeing different behaviour.. anyhow..you can clear
> the credentials by blatting a registry on eg logout or login.

OK, thanks for the suggestion.
And thanks, Micro$oft, for automating things for me. 

> the RADIUS server wont see the difference between std login and
> cached login as the client sends the same stuff.

I thought so.

> regarding theft. you are using EAP-TLS with client certs? in that case,
> you can simply revoke that client cert.

But I have to revoke it manually (CRL) as soon as I'm informed of the theft, 
which is usually a long and unreliable process. :-(

Thanks anyway.

Vieri





Windows client MS-chap auto-reauthentication

2009-10-18 Thread Vieri
Hello,

I'm connecting Windows clients to a LAN via Linksys access points and a 
Freeradius server.
I'm using EAP/TLS with certificates installed on the clients and in 
modules/mschap I defined:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key  
--username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=DOMAIN 
--require-membership-of=DOMAIN\\WIFI_DATA --challenge=%{mschap:Challenge:-00} 
--nt-response=%{mschap:NT-Response:-00}

So the Windows clients must have a certificate and login with the credentials 
of an Active Directory user member of the WIFI_DATA group.

This setup works fine. However, I'm seeing a major difference between a Windows 
XP pro SP2 client and a Windows Vista:
if the Vista client (laptop) reboots the OS then access to the LAN via WIFI 
requires the user to re-enter login username and password, as expected.
If the XP client reboots the OS then user credentials seem to be automatically 
sent to the Radius server again, as if they were stored on the system (no user 
interaction).

Can I change this behavior and require the user to re-send their login data 
each time the Windows session is closed or the OS reboots?
I realize this is a client-only issue and that freeradius can't possibly 
detect the difference between the 2 cases (or can it?) but I am concerned that 
if, for example, the XP laptop is stolen (or unauthoritatively lent) then all 
the unwanted user needs to do to access our LAN is boot the OS, unless the 
legitimate user's password has expired. The laptop is for a hospital's 
Emergency department so it's easy to imagine that it cannot be under 24-hour 
surveillance (but usually, the legitimate users switch the device off when done 
working or the laptop automatically turns off after an inactivity timeout).

Does anyone know:
why XP re-authenticates automatically and how to disable it?
why Vista doesn't behave the same way?
if installing SP3 on XP removes this feature?
if something can be done on freeradius to discriminate manual logins from 
auto-logins?
 
I'm running freeradius 2.0.5 on Linux.

Thank you,

Vieri






freeradius and active directory

2008-10-05 Thread Vieri
Hi,

I noticed that some freeradius.org howtos suggest to specify a password 
server in Samba when using ads security:

http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
http://deployingradius.com/documents/configuration/active_directory.html

Why should one do that, especially if the samba docs say Use password server 
option only with security = server?

Besides, if I comment out password server =, specify realm = MYDOMAIN.ORG 
and then define the AD servers in krb5.conf one per line:

kdc = server1.MYDOMAIN.ORG:88
kdc = server2.MYDOMAIN.ORG:88

then authentication via AD is as expected.

I'm just curious to know why these howtos suggest to specify a password server 
when using ads security in Samba.

Thanks,

Vieri





Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-02 Thread Vieri
Hi,

I'm running freeradius-2.0.5 on Linux.

My setup is as follows:

Windows Vista native client - Linksys AP - FreeRadius Linux server 
(PEAP/mschapv2) - Active Directory Windows server

Everything works smoothly with the following ntlm_auth parameters in the mschap 
module:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key 
--username=%{Stripped-User-Name:-%{User-Name:-None}} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

However, user authentication is rejected when I add the --domain parameter:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} 
--username=%{Stripped-User-Name:-%{User-Name:-None}} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

(from the Windows Vista client I obviously set the DOMAIN field; besides, if I 
run the freeradius daemon with debug enabled I see that it correctly receives 
'DOMAIN\username')

For starters, I don't understand why authentication fails if I add --domain. 
How can I find out why?

Then, adding --require-membership-of with or without --domain also fails.

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} 
--username=%{Stripped-User-Name:-%{User-Name:-None}} 
--require-membership-of='DOMAIN\\WIFI' --challenge=%{mschap:Challenge:-00} 
--nt-response=%{mschap:NT-Response:-00}

Finally, running ntlm_auth from the command line yields:

# ntlm_auth --request-nt-key --domain=DOMAIN --username=myuser 
--require-membership-of='DOMAIN\\WIFI'
password:
NT_STATUS_OK: Success (0x0)

Could it be a bug in the freeradius version I'm running?

Can anyone please suggest how I can debug this (not a radius expert ;-) )?

Regards,

Vieri





Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-02 Thread Vieri

--- On Thu, 10/2/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

> As with every other freeradius problem - when it doesn't work - debug
> (radiusd -X).

That's how I'm running it. Does the list mind if I post the debug lines?





Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-02 Thread Vieri
I forgot to mention that I already tried:

with_ntdomain_hack = yes

I'll try to post the relevant radiusd -X debug lines if the ML doesn't mind.




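The ntlm_auth line in the two posts above is built by rlm_mschap from three expansions: %{mschap:Challenge} is the 8-octet MS-CHAPv2 challenge derived from the peer challenge, the authenticator challenge and the user name (RFC 2759 section 8.2), %{mschap:NT-Domain} is the part of User-Name before the backslash, and %{Stripped-User-Name:-%{User-Name:-None}} falls back to the full User-Name when no realm processing has stripped the domain. RFC 2759 specifies that the user name fed into the challenge hash excludes any prepended domain; a Windows client that sends DOMAIN\user still hashes only "user", which is what with_ntdomain_hack reproduces on the server side.

The code below is an added example, not FreeRADIUS or Samba code. It implements the RFC 2759 ChallengeHash, shows the effect of with_ntdomain_hack on a DOMAIN\user name, and assembles the ntlm_auth argument vector with those expansions applied. The "Stripped-User-Name" input is an assumption standing in for whatever the realm module would set; the challenge values are the RFC 2759 section 9.2 test vector, and the NT-Response passed to ntlm_auth is a constructed placeholder (computing a real one needs MD4 and DES, which the standard library does not provide).

```python
"""MS-CHAPv2 ChallengeHash (RFC 2759 8.2) and the ntlm_auth argv rlm_mschap builds from it.

Added example (not FreeRADIUS/Samba code). The challenge inputs are the RFC 2759 9.2
test vector; 'stripped_user_name' is an assumed stand-in for the realm module's result.
"""
import hashlib


def split_nt_domain(user_name):
    """%{mschap:NT-Domain}: the text before the first backslash, or None."""
    if "\\" in user_name:
        domain, _, user = user_name.partition("\\")
        return domain, user
    return None, user_name


def challenge_hash(peer_challenge, authenticator_challenge, user_name):
    """8-octet Challenge = SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[:8].
    RFC 2759: UserName is the name as presented by the peer without any domain prefix."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("both challenges must be 16 octets")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(authenticator_challenge)
    h.update(user_name.encode("utf-8"))
    return h.digest()[:8]


def mschapv2_challenge(peer_challenge, authenticator_challenge, user_name, with_ntdomain_hack):
    """%{mschap:Challenge}: with_ntdomain_hack strips DOMAIN\\ before hashing, as the
    Windows client did; without it a DOMAIN\\user User-Name yields a different challenge
    and the NT-Response can never verify."""
    domain, user = split_nt_domain(user_name)
    name_for_hash = user if (with_ntdomain_hack and domain) else user_name
    return challenge_hash(peer_challenge, authenticator_challenge, name_for_hash)


def ntlm_auth_argv(user_name, challenge, nt_response, stripped_user_name=None,
                   require_membership_of=None):
    """The argument vector for the ntlm_auth line quoted above, xlats expanded.
    Hex encoding of challenge and NT-Response matches what rlm_mschap passes."""
    domain, _ = split_nt_domain(user_name)
    # %{Stripped-User-Name:-%{User-Name:-None}}: falls back to the raw User-Name
    username = stripped_user_name if stripped_user_name else user_name
    argv = ["/usr/bin/ntlm_auth", "--request-nt-key"]
    if domain:
        argv.append("--domain=" + domain)               # %{mschap:NT-Domain}
    argv.append("--username=" + username)
    argv.append("--challenge=" + challenge.hex())       # %{mschap:Challenge}
    argv.append("--nt-response=" + nt_response.hex())   # %{mschap:NT-Response}
    if require_membership_of:
        argv.append("--require-membership-of=" + require_membership_of)
    return argv


# RFC 2759 section 9.2 test vector
AUTHENTICATOR_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_CHALLENGE = bytes.fromhex("D02E4386BCE91226")
PLACEHOLDER_NT_RESPONSE = bytes(24)  # constructed; a real one is 24 octets from DES/MD4

if __name__ == "__main__":
    for hack in (False, True):
        c = mschapv2_challenge(PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE, "DOMAIN\\User", hack)
        print(f"with_ntdomain_hack={hack}: challenge={c.hex()} matches RFC={c == RFC_CHALLENGE}")
    print(ntlm_auth_argv("DOMAIN\\User", RFC_CHALLENGE, PLACEHOLDER_NT_RESPONSE,
                         stripped_user_name="User", require_membership_of="DOMAIN\\WIFI"))
```

Running it shows the two things worth checking when --domain breaks an otherwise working setup: whether the challenge was computed over "User" or over "DOMAIN\User", and whether --username ends up as the bare user or as the full DOMAIN\user string because nothing set Stripped-User-Name.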


Roaming with WPA-Enterprise/Radius

2006-01-04 Thread DI PAOLA ., VIERI

Hello,

I have freeRadius version 1.0.5 on gentoo Linux (r3).
I am using three Linksys WAP54G access points.
I've managed to roam seamlessly both with Broadcom and Intel wireless laptops. 
However, this is true for open APs or with WEP encryption. If I use 
WPA-Enterprise with a Radius server, there's a long delay when switching 
between APs (10 seconds). 

The test environment is as follows: 
freeRadius.org Gentoo Linux server --- 3 Linksys WAP54G APs configured with 
WPA-Enterprise w/Radius --- 1 roaming laptop 

The delay seems to be due to re-authentication with the freeRadius server and 
that seems to be "expensive". 
Is there a way of "caching" or "pre-authenticating" or "propagating 
authentication between APs"?
Has anyone found a solution to this roaming problem in case one uses 
WPA-Enterprise/Radius? 

Regards,

Vieri