Re: disable FreeRadius checking of client certs

2006-10-10 Thread devel
   Thanks guys for your post. First off, I have tried using the WinXP 
supplicant and I have no problems authenticating with the Linksys wifi 
cards. I just wish the Linksys utility was like Cisco's, where I can tell it 
to provide either/or username/cert. The Cisco cards have no problem with this, 
whereas using the Linksys with its utility does not provide me with what I 
want. No big deal.


   Using the Linksys client utility, a username, password, and certificate 
must be provided (the certificate is a combo box so I can't even leave it 
blank). I have always preferred to use the utility that came with wifi cards 
for configuration. They typically provide more information and are more user 
friendly than the Windows supplicant.


   This problem does pertain to the Linksys software more than FreeRadius. 
I was just hoping there was a way in the FreeRadius config files to help 
solve the problem.



Travis


- Original Message - 
From: "Artur Hecker" <[EMAIL PROTECTED]>
To: "devel" <[EMAIL PROTECTED]>; "FreeRadius users mailing list" 


Sent: Tuesday, October 10, 2006 12:42 PM
Subject: Re: disable FreeRadius checking of client certs



Hi Travis


Excuse me for top-posting, but just like Alan I'm a bit surprised by your 
post.


If your authentication system is based on certificates, you need 
certificates and you really should not say anything like "certificates 
bother me" since that is the only expression of your trust, so without 
that verification no authentication will ever be reasonable or complete.


If it is not, you do not have certificates. Allowing both for the same 
client (same machine) is discouraged. Personally I am not familiar with a 
supplicant which tries one and then another for the same username.


Thus, per user: if you are using EAP-PEAP-MSCHAPv2 (passwords), then you 
are not using EAP-TLS. And vice versa.


The good news is: the authentication method has strictly nothing to do 
with the WiFi card; it is completely virtualized, in software. EAP is 
only a transport protocol, it does not say how to authenticate, it only 
says how to transport data. Thus, if EAP is supported by the card, then 
*every* EAP method is supported. That's the magic of 802.1X and that's why 
it's supported in the operating system rather than by a network card.


Now if you are saying that you use a special Linksys 802.1X client, then 
I would first suggest that you use the standard WinXP client. Sorry, but 
the Linksys client is fairly unknown.


Practically, it's difficult to guess from what you provided, but I think 
that you do use the WinXP supplicant (i.e. 802.1X client - I do not know 
of any Linksys supplicant) and that you probably want to use 
EAP-PEAP-MSCHAPv2. That involves one server certificate (obviously one 
common trust anchor - a self-signed CA certificate) and some 
usernames/passwords on clients. What probably happened is that in the two 
cases where the Linksys card is used, you did not correctly configure 
EAP-PEAP (called "Protected EAP" in WinXP or similar), but you let it be 
"Smartcard or Certificate". Thus, the card tries to do TLS with some 
available pub/priv key combination, but Freeradius rejects it.


Reconfigure the WinXP supplicant to do EAP-PEAP and it will ask you for 
passwords. Do not forget to deploy the server certificate on user 
machines...



   Well, I have not issued certs to clients. Some of my clients have the 
option to log in with a username "OR" a cert. However, there are a few 
random Linksys cards (I guess I should have mentioned this was for 
Wifi/WPA) that I "MUST" provide a username and a cert.


Strictly speaking, every EAP session will take a Username and the AAA 
server will derive from it the authentication method to use. When used in 
EAP-TLS, Windows XP typically fills it out with the CN from the 
certificate (if available) but that is of course insufficient and it 
would be more correct to give an identifier and then to start a TLS 
authentication session for that id. (How exactly the username compares to 
the certified information is an open question, since the username can be 
altered by different means).



   If there are no certs on the client machine, Linksys fills the cert in 
with "Trust Any", so I assume it may be attempting with a blank? cert or 
another cert on the machine, such as VeriSign or the like. So this client 
is attempting to authenticate, I believe, with other certs on its 
machine because the radius log looks like below:


hmmm??? you can't just use any certificate for authentication. What you 
need is a pair: certificate/private key. Nobody except Verisign has their 
private key.


The only option for your Linksys 802.1X client would be to spontaneously 
create a CA and to issue one user certificate for EAP authentication 
signe

Re: disable FreeRadius checking of client certs

2006-10-10 Thread devel
   Well, I have not issued certs to clients. Some of my clients have the 
option to log in with a username "OR" a cert. However, there are a few 
random Linksys cards (I guess I should have mentioned this was for Wifi/WPA) 
that I "MUST" provide a username and a cert.


If there are no certs on the client machine, Linksys fills the cert in with 
"Trust Any", so I assume it may be attempting with a blank? cert or another 
cert on the machine, such as VeriSign or the like. So this client is 
attempting to authenticate, I believe, with other certs on its machine 
because the radius log looks like below:



   Tue Oct 10 11:16:16 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
   Tue Oct 10 11:16:16 2006 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
   Tue Oct 10 11:16:16 2006 : Error: TLS Alert read:fatal:unknown CA
   Tue Oct 10 11:16:16 2006 : Error: TLS_accept:failed in SSLv3 read client certificate A
   Tue Oct 10 11:16:16 2006 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
   Tue Oct 10 11:16:16 2006 : Error: rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.
   Tue Oct 10 11:16:16 2006 : Error: rlm_eap: SSL error error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
   Tue Oct 10 11:16:16 2006 : Error: rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails.


   I am not a FreeRadius expert so I may be misinterpreting the logs. 
Thanks.



Travis
- Original Message - 
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: "devel" <[EMAIL PROTECTED]>; "FreeRadius users mailing list" 


Sent: Tuesday, October 10, 2006 10:27 AM
Subject: Re: disable FreeRadius checking of client certs



"devel" <[EMAIL PROTECTED]> wrote:

Is it possible to disable FreeRadius's checking of client certificates
using EAP-TLS-PEAP? Certs can be quite a bother and a huge maintenance
over-head. Thanks.


 Huh?  Client certs are used for PEAP only when you deploy client
certs to the end-user machines.  Once they're deployed, they should
really be checked.

 Perhaps you can explain why you've deployed client certs, but now
don't want to use them.

 Alan DeKok.
--
 http://deployingradius.com   - The web site of the book
 http://deployingradius.com/blog/ - The blog




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
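As an added note on reading those rlm_eap_tls lines (example code written for this archive, not from the thread or from FreeRADIUS): the "read"/"write" word in a "TLS Alert" line records whether the alert was received from the supplicant or sent by the server, and that is what tells the two failure modes apart. The sample log is constructed from the lines quoted above; the cause strings are an assumed mapping.

```python
import re

# Sample rlm_eap_tls lines, constructed from the log quoted in the thread (FreeRADIUS 1.1.3).
SAMPLE_LOG = """\
Tue Oct 10 11:16:16 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
Tue Oct 10 11:16:16 2006 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Tue Oct 10 11:16:16 2006 : Error: TLS Alert read:fatal:unknown CA
Tue Oct 10 11:16:16 2006 : Error: TLS_accept:failed in SSLv3 read client certificate A
Tue Oct 10 11:16:16 2006 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Tue Oct 10 11:16:16 2006 : Error: rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.
"""

# "read" means the alert was received from the peer (the supplicant);
# "write" means the RADIUS server itself sent it. That word decides which side objected.
ALERT_RE = re.compile(r"TLS Alert (?P<direction>read|write):(?P<level>\w+):(?P<description>.+?)\s*$")
STATE_RE = re.compile(r"TLS_accept:(?:error|failed) in (?P<state>.+?)\s*$")

# Likely cause of a fatal 'unknown CA' alert keyed by who raised it (assumed mapping, not from the thread).
CAUSES = {
    ("read", "unknown CA"): "supplicant does not trust the CA that signed the RADIUS server certificate",
    ("write", "unknown CA"): "server does not trust the CA that signed the supplicant's client certificate",
}

def parse_tls_events(log_text):
    """Extract handshake-state and alert records from FreeRADIUS EAP-TLS log lines."""
    events = []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            events.append({"kind": "alert", **m.groupdict()})
            continue
        m = STATE_RE.search(line)
        if m:
            events.append({"kind": "state", **m.groupdict()})
    return events

def diagnose(events):
    """Map the first fatal alert to the side that raised it and the likely cause."""
    stage = next((e["state"] for e in events if e["kind"] == "state"), None)
    for e in events:
        if e["kind"] == "alert" and e["level"] == "fatal":
            raised_by = "supplicant" if e["direction"] == "read" else "server"
            cause = CAUSES.get((e["direction"], e["description"]), "unrecognised alert: " + e["description"])
            return {"stage": stage, "alert": e["description"], "raised_by": raised_by, "cause": cause}
    return {"stage": stage, "alert": None, "raised_by": None, "cause": "no fatal TLS alert seen"}

if __name__ == "__main__":
    print(diagnose(parse_tls_events(SAMPLE_LOG)))
```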


disable FreeRadius checking of client certs

2006-10-10 Thread devel



Is it possible to disable FreeRadius's checking of 
client certificates using EAP-TLS-PEAP? Certs can be quite a bother and a huge 
maintenance over-head. Thanks.
 
FreeRadius 1.1.3
 
 
 
Travis J. Weaver
Software Engineer
Oberon, Inc.
1315 S. Allen St.
Suite 405
State College, PA 16801
phone: (814)867-2312 ext. 210
fax: (814)867-2314
http://www.oberonwireless.com
[EMAIL PROTECTED]

Re: Freeradius-Users Digest, Vol 7, Issue 48

2005-11-14 Thread Devel




On Mon 14/11/2005 at 12:13, [EMAIL PROTECTED] wrote:



Today's Topics:

   1. RE: Freeradius vs. ActiveDirectory (Jonathan De Graeve)
   2. Re: Freeradius vs. ActiveDirectory ([EMAIL PROTECTED])
   3. AW: Freeradius vs. ActiveDirectory (Völker)
   4. RE: Failed attempts log (Thierry Hoferlin)
   5. AW: Freeradius vs. ActiveDirectory (Völker)



From: Jonathan De Graeve <[EMAIL PROTECTED]>
To: FreeRadius users mailing list 
Subject: RE: Freeradius vs. ActiveDirectory
Date: Mon, 14 Nov 2005 11:36:45 +0100



What about the password?

 

I thought this was a Kerberos one and didn't reside in the LDAP itself?

 

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

-
Always read the manual for the correct way to do things because the number of incorrect ways to do things is almost infinite
-






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Völker, Christian
Sent: Monday 14 November 2005 11:22
To: freeradius-users@lists.freeradius.org
Subject: Freeradius vs. ActiveDirectory


 

Yohoo!


Yes! I did it! ;)


My freeradius (1.0.1-1.RHEL3) authenticates against our ActiveDirectory (on 2003 Server). Without ntlm_auth! 


Below I have added a short summary of how I realized it here.


But now I have a question and I can't solve it for myself. I want to retrieve some group information from AD. In a user's account I find several "memberOf" values and the DN of the group the user belongs to.


Now I want to give access via freeradius only to some special groups.


I have figured out that there are these parameters: 

groupname_attribute, groupmembership_filter and groupmembership_attribute

combined with some entries in the users-file.


I've read the doc/rlm_ldap, but I didn't find any deeper hints or explanation.


Questions:

1. Where can I find some docs about the %{...} values in groupmembership_filter? Which one should I use in combination with my AD?

2. Which value should I use then in the users-file?

3. Is there anyone who can give a little help in further authenticating with groups?


--- short summary how to authenticate vs. ActiveDirectory ---

/etc/raddb/radiusd.conf

[...]

 ldap {
    # server name of an AD server running Win2003Srv
    server = "adsrv.qsc.de"

    # The user account for querying AD (anonymous query is disabled)
    identity = "cn=man,ou=ServiceAdmins,dc=qsc,dc=de"

    # The password for the query user
    password = 'xx'

    # base DN for user search; all our users are in ou=employees. Without this "ou=...", no user will be found.
    # I don't understand why
    basedn = "ou=employees,dc=qsc,dc=de"

    # I've copied the below string, because I didn't understand the meanings of the %{...}
    filter = "(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})"

    # I had to increase the timeouts
    timeout = 40
    timelimit = 30
    net_timeout = 10
 }


The users-file left on default, no changes.


I hope I could help some people trying to use AD for radius.


And I hope someone will help me with my user problem.


Greets 


Christian



From: [EMAIL PROTECTED]
To: FreeRadius users mailing list 
Subject: Re: Freeradius vs. ActiveDirectory
Date: Mon, 14 Nov 2005 10:42:07 +

Hi,

> I hope, I could help some people trying to use AD for radius.

there is another way - use the krb module to authenticate against AD