freeradius certificate noob doubt

[shirkavand]

Hi There,

Ok i am following the next tutorial in order to use certificates+freeRadius:

http://deployingradius.com/documents/configuration/eap.html

After executing:

$ cd /etc/raddb/certs
$ make

Do i have to copy/paste any of the files created to the supplicant to make
it work?

Cheers
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: freeradius certificate noob doubt

[shirkavand]

Hi,

What does the guide say?

The guide does not say anything about copying any file to the client. So i
assumed that it is not need it, but still after configuring the supplicant
as the tutorial explains(for permitting the use of an unknown certificate) i
always get certificate not found and no request reached the freeradius
server from the supplicant.

Just to clarify, my freeradius server is working well with everything
else(freeradius+mysql+PAP+EAP and windows supplicant can connect too), just
having troubles with certificates part.

Any idea?

Cheers
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: certs files missing?

[shirkavand]

Use the package and you'll probably get the certificates automatically

So i can avoid to execute  make in /usr/share/doc/freeradius/examples etc
etc for generating test certificates? then i can use  the defaults ones that
are stored into /etc/freeradius/certs that came with the normal package
installation?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: windows client authentication error

[shirkavand]

Hi there,

Thanks for your help.

Does PAP work?

OK as i understand (correct me if i am wrong) no matter if I use MySql or
users.cof file for validating the users, if i execute:

*$radtest sqltest testpwd localhost 1812 testing123*

and the message i get is ( from both, the server terminal window, and the
radtest terminal window):

*Access-Accept*

Means that PAP worked fine. If this is right, then i must say: yes PAP
works.

Did you configure the sql module?

i am not sure what you exactly mean with sql module, but I can tell what i
did configure for sql+freradius:

1- In /etc/freeradius/radiusd.conf i uncommented the line $INCLUDE
sql.conf
2- Create a DB called radius and create a user called radius with full
access to the just created DB
3- Load mysql schema and insert into radcheck table a user(the schema i used
was /etc/freeradius/sql/mysql/schema.sql)
*NOTE: i just insert a user into radcheck table, i did not populate any
other table
4- Configure /etc/freeradius/sql.conf with my just created DB
parameters(server, login, password) and uncommented the line readclients =
yes
5- Then uncommented the sql line for the following sections in the
/etc/freeradius/sites/enabled/default file:
a) authorize
b) accounting
c) session
d) post-auth
6- Ran a radtest, and everyhtin worked fine

Did i aswered your question?

Is the PEAP request for user sqltest?

Yes, on the windows supplicant machine, i gave my credentials as follows:

Login: sqltest
password: testpwd
domain:

I leaved domain always blank because i have not configurated any domain yet.

 If you take a step by step approach, it should be trivial to configure.

Well, i did not test the server with users.conf file. Once freeradius was
installed and working, i just jump to install and configure mysql and make
the first radtest using both. The radtest worked just fine.

If you think that using the users.conf first could give me any clue about
the erros i am having, i will not hesisate to test it.

Any idea?

Cheers
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re:

[shirkavand]

hi,

dora as david said NTRadping (windows or wine :-D ) in other words..if you
are using ubuntu you eed to use wine in order to get NTRadping up

Cheers

2010/5/19 dorra aa dj_dido2...@hotmail.com

  yes i want to try my radius server whith an extern client. i'm wrking
 whith ubuntu. does NTRadping works in ubuntu?

 --
 Date: Wed, 19 May 2010 12:56:54 +0200
 Subject: Re:
 From: davidse...@gmail.com
 To: freeradius-users@lists.freeradius.org


 Do you want it only to try your radius server?

 You can use NTRadping (windows or wine :-D ) or JRadius to try your
 freeradius server.

 Regards,
 David


 2010/5/19 dorra aa dj_dido2...@hotmail.com

  after the addition of customers in the database sql, I assay to test a
 client in other computer by  using radtest.
 but i had those lignes:
 # radtest
 Le programme 'radtest' peut être trouvé dans les paquets suivants :(that's
 means The program 'radtest' can be found in the following packages)
  * radiusd-livingston
  * yardradius
  * xtradius
  * freeradius

 all that a want that the client try to acced to the server.and all the
 document said that i may use radtest but it's just working only in server
 thank you

 --
 Hotmail: Trusted email with powerful SPAM protection. Sign up 
 now.https://signup.live.com/signup.aspx?id=60969

 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html



 --
 Hotmail: Trusted email with powerful SPAM protection. Sign up 
 now.https://signup.live.com/signup.aspx?id=60969

 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: windows client authentication error

[shirkavand]

Hi there,

Thank you very much. It worked like a charm.

Cheers,

Shirkavand
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: certs files missing?

[shirkavand]

btw i am using Ubuntu 10.04 + FreeRadius 2.1.8 ( installed usig apt-get )
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

certs files missing?

[shirkavand]

Hi there,

I am trying to use certificates with freeradius. I am following steps given
here http://deployingradius.com/

The step #2 (Get
EAPhttp://deployingradius.com/documents/configuration/eap.html
working
using snake oil certificates) says that i have to execute the following
commands:

$ cd /etc/raddb/certs
$ make

but in my freeradius installation the certs folder does not have any make
file, so if i try to run above commands i get errors. In fact my
installation does not have several files that the tutorial suppose that
should exist, they are:

a) make fille
b) ca.cnf
c) sefver.cnf
d) xpextensions

Any idea why these files are missing?

Cheers,

Shirkavand
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

windows client authentication error

[shirkavand]

Hi there,

i have installed freeradius 2.1.8 on ubuntu 10.04. radtest using mysql
backend works fine. But when a windows supplicant tryes to connect the
server always gets rejected. Freeradius debug console shows:

...
...
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for sqltest with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler

...
...

Any idea why am missing?

Cheers
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: windows client authentication error

[shirkavand]

I have into radcheck table the next user created:

1 | sqltest  | Cleartext-Password | := | testpwd

Dont know what i get the No Cleartext-Password configured error too.

Cheers
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Free Radius testing....

[shirkavand]

HI there,

Are your sure that your freeradius server is up? Try to start freeradius in
debug mode and make the radtest again:

sudo freeradius -X
radtest bob bob localhost 1812 testing

If you get an error trying to start the server with sudo freeradius -X try
to stop it and start+test again:

killall freeradius
sudo freeradius -X
radtest bob bob localhost 1812 testing

As James said you need to run in debug mode while tetsing...so you can check
whats going on.

Cheers,

Shirkavand
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: autthentication error

[shirkavand]

Hi there,

Thanks for the fast reply.

I did not build myself freeradius, i have installed Freeradius on ubuntu
9.10 using

sudo apt-get install freeradius*

But maybe this does not installed openSSL support so I am going to check if
i have dev packages and ssl support properly installed, and come back to you
if necessary.

Regards
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: autthentication error

[shirkavand]

HI there,

Ok i have tryed to add ssl support to freeradius in my ubuntu 9.10. As i
mentioned before i have installed freeradius using apt-get. The thing is
that every tutorial i followed did not woked, and after hours of trying...i
read that freeradius over ubuntu does not have ssl support for some license
issues.

Is this right?

Then i just remove all my freeradius installation, and tryed to install from
source(because fin so menay tutorials explaning this kind of installation),
i downloaded the last version from freeradius.org, and followed the
installation tutorial that exists there(creating a .deb package etc etc),
but all i get is tons of dependencies errors.

Is there any way of installing freeradius over ubuntu 9.10 with ssl support
using apt? Any advice will be apreciatted.

Cheers
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: autthentication error

[shirkavand]

hi,

i have followed this tutorial(because this is what i need exacty to do) but
it does not worked either.

http://www.wains.be/index.php/2009/09/13/wpa2-freeradius-eap-tls/

Cheers
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

autthentication error

[shirkavand]

Hi,

I have configurated a freeradius server using MySql authentication. When i
run radtest i get a succefull response:

rad_recv: Access-Request packet from host 127.0.0.1 port 45562, id=209,
length=59
 User-Name = sqltest
User-Password = testpwd
NAS-IP-Address = 127.0.1.1
 NAS-Port = 1812
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = sqltest, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
expand: %{User-Name} - sqltest
[sql] sql_set_user escaped user -- 'sqltest'
rlm_sql (sql): Reserving sql socket id: 3
expand: SELECT id, username, attribute, value, op   FROM radcheck
WHERE username = '%{SQL-User-Name}'   ORDER BY id - SELECT
id, username, attribute, value, op   FROM radcheck   WHERE
username = 'sqltest'   ORDER BY id
[sql] User found in radcheck table
expand: SELECT id, username, attribute, value, op   FROM radreply
WHERE username = '%{SQL-User-Name}'   ORDER BY id - SELECT
id, username, attribute, value, op   FROM radreply   WHERE
username = 'sqltest'   ORDER BY id
 expand: SELECT groupname   FROM radusergroup   WHERE
username = '%{SQL-User-Name}'   ORDER BY priority - SELECT
groupname   FROM radusergroup   WHERE username = 'sqltest'
ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password testpwd
[pap] Using clear text password testpwd
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 209 to 127.0.0.1 port 45562
Finished request 20.
Going to the next request

Now i have configurated a windows supplicant, when i enter the credentials
for login from the suplicant pc, the radius server always sends a rejected
response in the servers terminal(i have freeradius over debug mode to se all
the messages), this is what i get:

Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.4 port 3666, id=0,
length=139
Cleaning up request 18 ID 0 with timestamp +502
User-Name = sqltest
 NAS-IP-Address = 192.168.1.4
Called-Station-Id = 00226b81bae1
 Calling-Station-Id = 002369764cef
NAS-Identifier = 00226b81bae1
 NAS-Port = 21
Framed-MTU = 1400
State = 0x5589d8c55588dc92d29bccd07151cb7c
 NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020100060319
Message-Authenticator = 0xb35d1b6482700c1122714ca033d1e480
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = sqltest, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
expand: %{User-Name} - sqltest
[sql] sql_set_user escaped user -- 'sqltest'
rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT id, username, attribute, value, op   FROM radcheck
WHERE username = '%{SQL-User-Name}'   ORDER BY id - SELECT
id, username, attribute, value, op   FROM radcheck   WHERE
username = 'sqltest'   ORDER BY id
[sql] User found in radcheck table
expand: SELECT id, username, attribute, value, op   FROM radreply
WHERE username = '%{SQL-User-Name}'   ORDER BY id - SELECT
id, username, attribute, value, op   FROM radreply   WHERE
username = 'sqltest'   ORDER BY id
 expand: SELECT groupname   FROM radusergroup   WHERE
username = '%{SQL-User-Name}'   ORDER BY priority - SELECT
groupname   FROM radusergroup   WHERE username = 'sqltest'
ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] NAK asked for unsupported type 25
[eap] No common EAP types found.
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
expand: %{User-Name} - sqltest
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 19 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 19
Sending Access-Reject of id 0 to 192.168.1.4 port 3666
EAP-Message = 0x04010004
Message-Authenticator 

Freeradius + mysql + openssl certificates?

[shirkavand]

Hi,

Can i use freeradius + mysql + ssl certficates at the same time for
autenticating users...or this does not make sense? I am a bit confused if i
have to use one of them(mysql or ssl certificates) for autentication
purposes.

I have read tutorials for using freeradius + mysql OR freeradius + ssl
certificates. In  freeradius + mysql tutorial explains how to make the
autentication using mysql... so the passwords and users are all stored
inside a mysql db. In the other hand the  freeradius + ssl
certificates   explains how to make the autentication using a file called
users that stores all the users and paswords.

So i am wondering if i can not make the radius server autenticate users
using the credential fino from the mysql Db and using certificates too..or
if each one are different methods to use.

Any ideas?

Cheers
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html