ipad ssl error in free radius
Hi guys,

We are getting the following error in our RADIUS log when an iPad tries to connect to our WiFi network. Our WiFi network uses EAP-TTLS + LDAP authentication. All other devices (Linux, Windows, Mac OS 10.8, SUSE, Android) are working fine apart from iPads.

Error ===

    Tue Sep 17 13:36:25 2013 : Error: TLS Alert read:warning:close notify
    Tue Sep 17 13:36:25 2013 : Error: TLS_accept: failed in SSLv3 read client certificate A
    Tue Sep 17 13:36:25 2013 : Error: rlm_eap: SSL error error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
    Tue Sep 17 13:36:25 2013 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
    Tue Sep 17 13:36:25 2013 : Auth: Login incorrect (TLS Alert read:warning:close notify): [u...@ihk.com] (from client ManagementAPs port 1 cli 00-88-65-42-50-88)

Do you guys have any idea what causes this issue?

Thank you
John

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
logout error
Hi guys,

When users log out from the wireless network, I can see the following error in the log.

Error

    Error: rlm_radutmp: Logout for NAS Wlan1 port 0, but no Login record

Is there any reason for that, and how can I fix it?

Thank you
John
Re: Dynamic vlan assignment with ldap groups
Hi guys,

I also had to set "*use_tunneled_reply=yes*" in eap.conf to get the dynamic VLAN assignment to work.

On 12 July 2013 19:42, val john wrote:

> Hi guys,
>
> Small question: do I need to import the RADIUS LDAP schema (items like
> radiusprofiles) to our LDAP server to get this VLAN assignment to work?
>
> Thank you
> john
>
> On 12 July 2013 18:39, Arran Cudbard-Bell wrote:
>
>> On 12 Jul 2013, at 13:57, val john wrote:
>>
>> > Hi guys,
>> >
>> > I have a FreeRADIUS setup that works with LDAP group authentication. I
>> > also need to configure the dynamic VLAN assignment, so I configured the
>> > "users" file as follows:
>> >
>> > DEFAULT Ldap-Group == "cn=staff,ou=groups,dc=ldap,dc=example,dc=com"
>> >         Tunnel-Type = VLAN,
>> >         Tunnel-Medium-Type = IEEE-802,
>> >         Tunnel-Private-Group-Id = "100",
>> >         Reply-Message = "You are Accepted"
>> >
>> > DEFAULT Ldap-Group == "cn=nonstaff,ou=groups,dc=ldap,dc=example,dc=com"
>> >         Tunnel-Type = VLAN,
>> >         Tunnel-Medium-Type = IEEE-802,
>> >         Tunnel-Private-Group-Id = "200",
>> >         Reply-Message = "You are Accepted"
>> >
>> > DEFAULT Auth-Type := Reject
>> >
>> > Do I need any other configuration file to be edited to get VLAN
>> > assignment to work? Or is just the "users" file enough?
>>
>> Just users file is fine.
>>
>> Arran Cudbard-Bell
>> FreeRADIUS Development Team
Re: Dynamic vlan assignment with ldap groups
Hi guys,

Small question: do I need to import the RADIUS LDAP schema (items like radiusprofiles) to our LDAP server to get this VLAN assignment to work?

Thank you
john

On 12 July 2013 18:39, Arran Cudbard-Bell wrote:

> On 12 Jul 2013, at 13:57, val john wrote:
>
> > Hi guys,
> >
> > I have a FreeRADIUS setup that works with LDAP group authentication. I
> > also need to configure the dynamic VLAN assignment, so I configured the
> > "users" file as follows:
> >
> > DEFAULT Ldap-Group == "cn=staff,ou=groups,dc=ldap,dc=example,dc=com"
> >         Tunnel-Type = VLAN,
> >         Tunnel-Medium-Type = IEEE-802,
> >         Tunnel-Private-Group-Id = "100",
> >         Reply-Message = "You are Accepted"
> >
> > DEFAULT Ldap-Group == "cn=nonstaff,ou=groups,dc=ldap,dc=example,dc=com"
> >         Tunnel-Type = VLAN,
> >         Tunnel-Medium-Type = IEEE-802,
> >         Tunnel-Private-Group-Id = "200",
> >         Reply-Message = "You are Accepted"
> >
> > DEFAULT Auth-Type := Reject
> >
> > Do I need any other configuration file to be edited to get VLAN
> > assignment to work? Or is just the "users" file enough?
>
> Just users file is fine.
>
> Arran Cudbard-Bell
> FreeRADIUS Development Team
Dynamic vlan assignment with ldap groups
Hi guys,

I have a FreeRADIUS setup that works with LDAP group authentication. I also need to configure the dynamic VLAN assignment, so I configured the "users" file as follows:

    DEFAULT Ldap-Group == "cn=staff,ou=groups,dc=ldap,dc=example,dc=com"
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = "100",
            Reply-Message = "You are Accepted"

    DEFAULT Ldap-Group == "cn=nonstaff,ou=groups,dc=ldap,dc=example,dc=com"
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = "200",
            Reply-Message = "You are Accepted"

    DEFAULT Auth-Type := Reject

Do I need any other configuration file to be edited to get VLAN assignment to work? Or is just the "users" file enough?

Please advise.

Thank you
John
freeradius outer identity
Hi guys,

I have a FreeRADIUS server that authenticates with LDAP, and the setup was working fine. But when the client specifies the outer identity (some dummy user name), the RADIUS server takes that dummy user name as the actual username, and because of that LDAP authentication fails. (Authentication proceeds working fine if the client does not specify any outer identity.)

Can you guys please advise how to fix this issue?

Thank you
John
Re: EAP-TTLS: Access Reject comes randomly from AAA
Hi...

Just check the mail with subject *"generating ssl certs in debian squeeze"*; it may help.

Thank you

On 20 October 2012 18:42, Alan DeKok wrote:

> Rathod Subhashchandra wrote:
> > This issue is coming consistently for multiple clients during Network Entry.
>
> So read the debug log. It isn't hard.
>
> > 2012/06/04 15:52:41:686559 : TLS_accept:failed in SSLv3 read client certificate A
> > 2012/06/04 15:52:41:686579 : rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>
> "Unknown CA". Perhaps that means something.
>
> > To resolve this issue, your timely help will be appreciated.
>
> This is a free mailing list. Asking for "timely help" is not
> appropriate.
>
> Alan DeKok.
Re: generating ssl certs in debian squeeze
Hi...

As I see, the log says "Error: TLS Alert read:fatal:unknown CA", and you need to specify the certificate authority in your client when testing. The certificate authority is a file called "CA.pem"; once you have added it to the client, the error should go away.

And make sure the Debian server hostname is the same as the "commonName" specified in server.cnf.

Thank you

On 15 September 2012 08:44, austin wonderly wrote:

> hello, thanks for the tip, although unfortunately I am still getting
> problems :( have included the out of eapol_test right here
> http://pastebin.com/8iKsCUfn and also what shows up in the freeradius
> logs as well (have included the file names that I currently have in my
> /etc/freeradius/certs directory) http://pastebin.com/MtQDVaWL, would you
> guys know of anything that I could do to resolve this? it actually seems
> like the same problem that I've been having with the other solutions that I
> have tried earlier on (yesterday and today), thanks again for the help too
>
> On Fri, Sep 14, 2012 at 9:17 PM, val john wrote:
>
>> Download the tar.gz file from freeradius. In that file, the folder
>> "freeradius-server-xxx/raddb/certs" provides a very easy way to generate certs
>> (./bootstrap); just copy its content to the freeradius in Debian
>> "/etc/freeradius/certs/"
>>
>> Thank you
>>
>> -- Forwarded message --
>> From: austin wonderly
>> Date: 15 September 2012 03:23
>> Subject: generating ssl certs in debian squeeze
>> To: freeradius-users@lists.freeradius.org
>>
>> Hello, I was wondering if anyone knew of any tutorials for generating ssl
>> certificates for freeradius in debian squeeze? Have been trying to find a
>> method that would work over the last few days and have not found a solution
>> yet (have probably spent around 6-7 hrs just getting this part to work so
>> far), I am trying to setup a radius server to provide eap-ttls
>> authentication for a non public network (windows machines, as well linux
>> based machines would be on the network), if someone could point me in the
>> right direction though or possibly offer some advice I would really
>> appreciate it as I've pretty much exhausted my options at this point in
>> time. having said that, would there be any downsides to just using the
>> "snakeoil" certificates in this type of configuration? thanks
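Added example (not part of the thread and not FreeRADIUS project code): a Python triage of the TLS log lines quoted in this message and in the "ipad ssl error" and "EAP-TTLS: Access Reject" posts. It decodes the packed OpenSSL error code to show whether the supplicant sent an alert (unknown_ca means the client does not trust the server's CA) or the error was raised inside the server's OpenSSL. The function names and the OpenSSL 1.0.x-era 8/12/12-bit error layout are assumptions; the sample lines are copied from the posts.

```python
import re

# Constructed sample: three of the log lines quoted in the messages above.
SAMPLE_LOG = [
    "Tue Sep 17 13:36:25 2013 : Error: TLS Alert read:warning:close notify",
    "Tue Sep 17 13:36:25 2013 : Error: rlm_eap: SSL error error:140940E5:"
    "SSL routines:SSL3_READ_BYTES:ssl handshake failure",
    "2012/06/04 15:52:41:686579 : rlm_eap: SSL error error:14094418:"
    "SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca",
]

# Subset of TLS alert numbers (RFC 5246, section 7.2).
TLS_ALERTS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
              45: "certificate_expired", 48: "unknown_ca"}
ALERT_OFFSET = 1000  # OpenSSL reason = 1000 + alert number for an alert received from the peer

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):[^:]*:[^:]*:(.+)$")
ALERT_RE = re.compile(r"TLS Alert (read|write):(warning|fatal):(.+)$")


def decode_openssl_error(line):
    """Unpack an OpenSSL 1.0.x packed error: 8 bits library, 12 function, 12 reason."""
    m = ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    reason = code & 0xFFF
    alert = reason - ALERT_OFFSET
    peer_alert = TLS_ALERTS.get(alert, "alert_%d" % alert) if 0 <= alert < 256 else None
    return {"lib": code >> 24, "func": (code >> 12) & 0xFFF,
            "reason": reason, "peer_alert": peer_alert, "text": m.group(2).strip()}


def triage(line):
    """Return (origin, detail) for one log line, or None if it is not TLS-related."""
    m = ALERT_RE.search(line)
    if m:  # FreeRADIUS logs "read" for alerts it received, "write" for alerts it sent
        origin = "supplicant" if m.group(1) == "read" else "server"
        return (origin, "%s alert: %s" % (m.group(2), m.group(3).strip()))
    err = decode_openssl_error(line)
    if err is None:
        return None
    if err["peer_alert"]:
        return ("supplicant", "sent alert " + err["peer_alert"])
    return ("server", "local OpenSSL reason %d: %s" % (err["reason"], err["text"]))


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(triage(entry), "<-", entry)
```
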
Re: generating ssl certs in debian squeeze
Download the tar.gz file from freeradius. In that file, the folder "freeradius-server-xxx/raddb/certs" provides a very easy way to generate certs (./bootstrap); just copy its content to the freeradius in Debian "/etc/freeradius/certs/"

Thank you

-- Forwarded message --
From: austin wonderly
Date: 15 September 2012 03:23
Subject: generating ssl certs in debian squeeze
To: freeradius-users@lists.freeradius.org

Hello, I was wondering if anyone knew of any tutorials for generating ssl certificates for freeradius in debian squeeze? Have been trying to find a method that would work over the last few days and have not found a solution yet (have probably spent around 6-7 hrs just getting this part to work so far), I am trying to setup a radius server to provide eap-ttls authentication for a non public network (windows machines, as well linux based machines would be on the network), if someone could point me in the right direction though or possibly offer some advice I would really appreciate it as I've pretty much exhausted my options at this point in time. having said that, would there be any downsides to just using the "snakeoil" certificates in this type of configuration? thanks
Tunnel TLS Authentication with PAP
Hi..

I have FreeRADIUS that uses LDAP authentication, with passwords in MD5 format, and an Ubuntu client that uses WPA supplicant with the following details:

    Authentication : Tunneled TLS
    CA certificate : ca.pem
    Inner Authentication : PAP

Then the username and password.

Because I'm using the CA certificate (ca.pem) of the RADIUS server on the client side, server and client communication should be secure... correct me if I'm wrong.

I just want to know: are these details secure for sending the password via the network? Because when I ran RADIUS in debug mode I can see the password in clear text.

Thank you
john
Re: ntlm_auth in freeradius
Thanks, got the message.

On 17/05/2012, Alan DeKok wrote:

> val john wrote:
>> Anyone know, is there any way to achieve EAP-TTLS in Windows 7
>> without installing third party tools?
>
> You said: Windows 7 doesn't come with TTLS, but you want TTLS without
> installing third party tools.
>
> Uh... right.
>
> Install a third party supplicant, or live without TTLS.
>
> Alan DeKok.
Re: ntlm_auth in freeradius
Hi...

I was able to get FreeRADIUS + LDAP to work. One of the issues I had is that our users' LDAP passwords are stored in SHA format, but the Windows 7 client provides PEAP; therefore I was unable to authenticate the Windows 7 clients (it started to throw some mschap errors).

In Windows 7, I tried wpa_supplicant and the xsupplicant Windows version, but none of them worked with Win7. But then I started to use the SecureW2 Windows 7 client (used EAP-TTLS) .. and it started perfectly fine... unfortunately it seems to be a commercial product.

Does anyone know if there is any way to achieve EAP-TTLS in Windows 7 without installing third party tools?

Thank you
john

On 16/05/2012, Garber, Neal wrote:

>> i cant find the ntlm_auth file in my OS ,
>> is it coming with freeradius or we have to
>> install it separately .
>
> It's part of Samba. A simple google search for ntlm_auth
> would have answered that question for you.
Re: ntlm_auth in freeradius
Please note that I'm using Debian as the OS.

Thank you
John

On 16 May 2012 19:57, val john wrote:

> Hi...
>
> I need to configure FreeRADIUS with mschap (need to specify the
> ntlm_auth file path in the "modules/mschap" and "modules/ntlm_auth" files), but
> I can't find the ntlm_auth file in my OS.
>
> Does it come with FreeRADIUS or do we have to install it separately?
>
> Thank you
> John
ntlm_auth in freeradius
Hi...

I need to configure FreeRADIUS with mschap (need to specify the ntlm_auth file path in the "modules/mschap" and "modules/ntlm_auth" files), but I can't find the ntlm_auth file in my OS.

Does it come with FreeRADIUS or do we have to install it separately?

Thank you
John