Re: Basic usage: What do I do next to get this to work?
On 10/31/07, Doc. Caliban <[EMAIL PROTECTED]> wrote:
>
> YvesDM wrote:
>
> Strange, according to the copspot link I've sent you it uses https. (on
> non-standard port)
> I never used ipcop myself though.
>
> Kind regards
> Yves
>
> Oh, weird. It must be in the details somewhere. That's the page I'd
> looked at and this line had caught my eye:
>
> " Currently the portal user will only be able to use http (tcp port 80)
> into the internet. All other access is blocked."
>
> I'll read through it more carefully though as this would be a great way
> to go, thanks again!

Oh, I see, now I know what you mean. I thought you meant users weren't able to log in through https. If your users need more open ports this will probably be easy to modify through the firewall rules. But we're going off topic of this list.

Good luck
Kind regards.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: AW: AW: Basic usage: What do I do next to get this to work?
> All settings in conf.s and laptop are made like described in tutorial for
> AD integration.
>
> The output is much longer -> many attempts, I think
>
> So I believe this is the problem, but I don't know how to solve it.
>
> Warning: Found 2 auth-types on request for user 'bnickaes' ?
>
> There is an entry auth-type in mySQL Database, but I can find only one
> auth-type option for my user bnickaes there.

Well, you made one and the server another. There is no mention of using Auth-Type in user profiles in any manuals. On the contrary. In several places you are instructed not to use it. Remove that from the database.

Debug with capital X (radiusd -X not -x).

Ivan Kalik
Kalik Informatika ISP
AW: AW: Basic usage: What do I do next to get this to work?
I think we do. Lately I tried to get PEAP MSCHAPv2 to work. All settings in conf.s and laptop are made like described in tutorial for AD integration. And I get a response in Debug Mode when I try to connect to my WLAN. It says this:

rad_recv: Access-Request packet from host 192.168.1.6:1027, id=171, length=139
        User-Name = "bnickaes"
        NAS-IP-Address = 192.168.1.6
        NAS-Identifier = "BBi5"
        Framed-MTU = 1496
        Called-Station-Id = "00-19-cb-1f-66-2d:BBi WLAN test"
        Calling-Station-Id = "00-14-a5-3e-a8-ba"
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0201000d01626e69636b616573
        Message-Authenticator = 0x90e3fac9ac07c6554cc915f9084b7e7e
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'bnickaes' ORDER BY id
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'bnickaes' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'bnickaes' ORDER BY id
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'bnickaes' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 4
Warning: Found 2 auth-types on request for user 'bnickaes'
Sending Access-Challenge of id 171 to 192.168.1.6 port 1027
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x
        State = 0xae0040259c6e0027d20f07497ad772e3
rad_recv: Access-Request packet from host 192.168.1.6:1027, id=172, length=256
        User-Name = "bnickaes"
        NAS-IP-Address = 192.168.1.6
        NAS-Identifier = "BBi5"
        Framed-MTU = 1496
        Called-Station-Id = "00-19-cb-1f-66-2d:BBi WLAN test"
        Calling-Station-Id = "00-14-a5-3e-a8-ba"
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x02020070198000661603010061015d0301472883f5c4aedc6e4983d6084e41a67f7f0241f4463d2d4fd718ccdf9a8123b12008bc4f684a5c373d3851e80c2a33ad09d141a578356d335d892ac642491e6dec001600040005000a000900640062000300060013001200630100
        State = 0xae0040259c6e0027d20f07497ad772e3
        Message-Authenticator = 0xa1fa011f6381228ee1c9140adce8c222
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'bnickaes' ORDER BY id
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'bnickaes' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'bnickaes' ORDER BY id
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'bnickaes' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 3
Warning: Found 2 auth-types on request for user 'bnickaes'

The output is much longer -> many attempts, I think

So I believe this is the problem, but I don't know how to solve it.

Warning: Found 2 auth-types on request for user 'bnickaes' ?

There is an entry auth-type in mySQL Database, but I can find only one auth-type option for my user bnickaes there.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Doc. Caliban
Sent: Wednesday, 31 October 2007 13:14
To: FreeRadius users mailing list
Subject: Re: AW: Basic usage: What do I do next to get this to work?

Bernd wrote:

when I just do this:

"Simplest thing for your users with Win XP/Vista would be PEAP. Setup is the same for wired and wireless. Connection/Properties/click on Authentication tab/tick enable 802.1x box/select PEAP from the box/click on Properties button/"

and use MSCHAPv2 on configure button it does not work.
So I tried to create a certificate and import it - still doesn't work - think the cause is me and my missing experience with Radius. ;)

It sounds like we're in the same boat, but you're one step ahead of me. I haven't
Re: Basic usage: What do I do next to get this to work?
YvesDM wrote:
> Strange, according to the copspot link I've sent you it uses https. (on
> non-standard port)
> I never used ipcop myself though.
>
> Kind regards
> Yves

Oh, weird. It must be in the details somewhere. That's the page I'd looked at and this line had caught my eye:

" Currently the portal user will only be able to use http (tcp port 80) into the internet. All other access is blocked."

I'll read through it more carefully though as this would be a great way to go, thanks again!

-Doc
AW: AW: Basic usage: What do I do next to get this to work?
I'm trying to do it with openSSL - so no certificates to buy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of [EMAIL PROTECTED]
Sent: Wednesday, 31 October 2007 13:35
To: FreeRadius users mailing list
Subject: Re: AW: Basic usage: What do I do next to get this to work?

You will need to buy a server certificate then. Those will have root CA already installed on Windows. If you make your own users will need to import it.

Ivan Kalik
Kalik Informatika ISP

On 31/10/2007, "Doc. Caliban" <[EMAIL PROTECTED]> writes:

> Bernd wrote:
>
>> when I just do this:
>>
>> "Simplest thing for your users with Win XP/Vista would be PEAP. Setup is the
>> same for wired and wireless. Connection/Properties/click on Authentication
>> tab/tick enable 802.1x box/select PEAP from the box/click on Properties
>> button/" and use MSCHAPv2 on configure button it does not work.
>> So I tried to create a certificate and import it - still doesn't work -
>> think the cause is me and my missing experience with Radius. ;)
>>
>
> It sounds like we're in the same boat, but you're one step ahead of me.
> I haven't been able to try the latest suggestions yet. (Probably
> tomorrow). I'm hoping to not have to deal with certificates unless it's
> completely automated for my users. Most of them have little or no
> computer skills beyond basic usage.
>
> -Doc
Re: AW: Basic usage: What do I do next to get this to work?
You will need to buy a server certificate then. Those will have root CA already installed on Windows. If you make your own users will need to import it.

Ivan Kalik
Kalik Informatika ISP

On 31/10/2007, "Doc. Caliban" <[EMAIL PROTECTED]> writes:

> Bernd wrote:
>
>> when I just do this:
>>
>> "Simplest thing for your users with Win XP/Vista would be PEAP. Setup is the
>> same for wired and wireless. Connection/Properties/click on Authentication
>> tab/tick enable 802.1x box/select PEAP from the box/click on Properties
>> button/" and use MSCHAPv2 on configure button it does not work.
>> So I tried to create a certificate and import it - still doesn't work -
>> think the cause is me and my missing experience with Radius. ;)
>>
>
> It sounds like we're in the same boat, but you're one step ahead of me.
> I haven't been able to try the latest suggestions yet. (Probably
> tomorrow). I'm hoping to not have to deal with certificates unless it's
> completely automated for my users. Most of them have little or no
> computer skills beyond basic usage.
>
> -Doc
Re: Basic usage: What do I do next to get this to work?
On 10/31/07, Doc. Caliban <[EMAIL PROTECTED]> wrote:
>
> YvesDM wrote:
>
>> Alternatively you could install the copspot plugin on ipcop (
>> http://www.ban-solms.de/t/IPCop-copspot.html )
>> It implements chillispot and gives you a captive portal which can talk
>> to your radius for AAA.
>>
>> Kind regards
>> Yves
>
> That's a great suggestion, and something that I'd looked into at one
> point. The problem is that CopSpot only allows for HTTP traffic and not
> HTTPS. That will certainly be a big problem for a lot of my users. If
> there was an easy way around that, I'd probably try it out.

Strange, according to the copspot link I've sent you it uses https. (on non-standard port)
I never used ipcop myself though.

Kind regards
Yves
Re: AW: Basic usage: What do I do next to get this to work?
> button/" and use MSCHAPv2 on configure button it does not work.
> So I tried to create a certificate and import it - still doesn't work -
> think the cause is me and my missing experience with Radius. ;)
>
> What do you think?

http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ#It_still_doesn.27t_work.21

Ivan Kalik
Kalik Informatika ISP
Re: AW: Basic usage: What do I do next to get this to work?
Bernd wrote:
> when I just do this:
>
> "Simplest thing for your users with Win XP/Vista would be PEAP. Setup is the
> same for wired and wireless. Connection/Properties/click on Authentication
> tab/tick enable 802.1x box/select PEAP from the box/click on Properties
> button/" and use MSCHAPv2 on configure button it does not work.
> So I tried to create a certificate and import it - still doesn't work -
> think the cause is me and my missing experience with Radius. ;)

It sounds like we're in the same boat, but you're one step ahead of me. I haven't been able to try the latest suggestions yet. (Probably tomorrow). I'm hoping to not have to deal with certificates unless it's completely automated for my users. Most of them have little or no computer skills beyond basic usage.

-Doc
Re: Basic usage: What do I do next to get this to work?
YvesDM wrote:
> Alternatively you could install the copspot plugin on ipcop (
> http://www.ban-solms.de/t/IPCop-copspot.html )
> It implements chillispot and gives you a captive portal which can talk
> to your radius for AAA.
>
> Kind regards
> Yves

That's a great suggestion, and something that I'd looked into at one point. The problem is that CopSpot only allows for HTTP traffic and not HTTPS. That will certainly be a big problem for a lot of my users. If there was an easy way around that, I'd probably try it out.

Thank you for the reply!

-Doc
Re: Basic usage: What do I do next to get this to work?
Jon Reynolds wrote:
> Also, uncheck the "Authenticate as computer when information is
> available" and "Enable Fast Reconnect", the latter will drive you crazy
> because it will keep resetting your settings back to default.
>
> Jon

Perfect, thank you!

-Doc
Re: Basic usage: What do I do next to get this to work?
[EMAIL PROTECTED] wrote:
> PS. Time to go to bed.

I know the feeling! Thanks for all the info on doing this properly. You've no doubt saved me a bunch of time and frustration.

-Doc
Re: Basic usage: What do I do next to get this to work?
Alan DeKok wrote:
> Doc. Caliban wrote:
>> All of our public workstations are on this interface so the machines are
>> verified at the proxy.
>
> So... how does it do that?

IPCop, the network router, is the NAS in this case. It has 3 interfaces, the WAN, LAN, and WiFi Access. (Known in IPCop as Red, Green, and Blue.) A fourth interface (Orange) can be added as a DMZ, but I don't need that at this time.

The Blue interface requires a MAC address for each node allowed to connect. Typically you'd just put the AP's MAC in there and let the AP act as the DHCP server. In reality you can add the MAC for any device you want, which is how the public machines are verified: The only way they can connect in the first place is that I've added their MAC addresses to the access list.

IPCop can also require user authentication across both the Green and Blue interfaces (It's all or nothing in that regard) via a local ACL, identd, LDAP, Windows authentication, or RADIUS. My user database already exists in MySQL for other reasons, so using RADIUS to tap into that is the easiest solution. For various reasons, I also do not want to add about 80% of the users to the windows AD.

The plus side of this is that anyone using a public machine will have to be a valid user. The downside is that the few people who are on the LAN (Green) interface will also have to deal with RADIUS even though they are already validated in the Windows domain. It had been suggested to add their MACs to the user database in MySQL and arrange it so that they are allowed to skip the RADIUS process, but dealing with that is well out of my skill set.

In January we will receive a bunch of Cisco APs to replace the rather motley collection that we are using now. At that point I will look at handing the NAS functions to them, but for now it will happen at the router.

From the feedback, it sounds like I'm heading in the right direction with PEAP / MS-CHAP-V2, which is what my test laptop came up with automatically. I will also be sure to incorporate the suggestions regarding the proper configuration of the clients in implementing this.

This has been a great resource! Thanks to everyone who has responded, and to whoever set up and maintains the mailing list.

Regards,
-Doc
AW: Basic usage: What do I do next to get this to work?
I'm new to RADIUS, too...and I'm trying to get this to work the same way. I set up a WLAN and a RADIUS Server with a MySQL Database and a user authentication by username and password. I want to use PEAP (MSCHAPv2) and I read about a server certificate to install on my client computer to get it to work? Of course, I could be wrong ;). But when I just do this:

"Simplest thing for your users with Win XP/Vista would be PEAP. Setup is the same for wired and wireless. Connection/Properties/click on Authentication tab/tick enable 802.1x box/select PEAP from the box/click on Properties button/"

and use MSCHAPv2 on configure button it does not work.
So I tried to create a certificate and import it - still doesn't work - think the cause is me and my missing experience with Radius. ;)

What do you think?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of [EMAIL PROTECTED]
Sent: Wednesday, 31 October 2007 04:45
To: FreeRadius users mailing list
Subject: Re: Basic usage: What do I do next to get this to work?

PS. Time to go to bed.

Clear the "Automatically use Windows logon blah, blah" box. Confirm everything and you are done.

Ivan Kalik
Kalik Informatika ISP

On 31/10/2007, "Doc. Caliban" <[EMAIL PROTECTED]> writes:

> [EMAIL PROTECTED] wrote:
>> Hm, don't know much about IPCop but I would have some doubts about it
>> authenticating wired users on a local network.
>>
> IPCop is actually pretty good for this as it uses one of its interfaces
> for wireless access based on granting each node specific access by MAC,
> but it can be any network node, it doesn't have to be a wireless device.
>
> All of our public workstations are on this interface so the machines are
> verified at the proxy. Now I just need to get the RADIUS piece in place
> to validate the users. IPCop can require RADIUS authentication on top
> of the MAC filter. It sounds good on paper, I just need to find the
> easiest way possible for my users to deal with the RADIUS piece of the
> model.
>> You are on the right track with wireless.
>>
>>
> That's good to hear. Again, I just need to find the simplest
> implementation possible for starters.
Re: Basic usage: What do I do next to get this to work?
On 10/31/07, Doc. Caliban <[EMAIL PROTECTED]> wrote:
>
> <[EMAIL PROTECTED]>
>
> IPCop is actually pretty good for this as it uses one of its
> interfaces for wireless access based on granting each node specific
> access by MAC, but it can be any network node, it doesn't have to be a
> wireless device.
>
> All of our public workstations are on this interface so the machines are
> verified at the proxy. Now I just need to get the RADIUS piece in place to
> validate the users. IPCop can require RADIUS authentication on top of the
> MAC filter. It sounds good on paper, I just need to find the easiest way
> possible for my users to deal with the RADIUS piece of the model.

Alternatively you could install the copspot plugin on ipcop ( http://www.ban-solms.de/t/IPCop-copspot.html )
It implements chillispot and gives you a captive portal which can talk to your radius for AAA.

Kind regards
Yves
Re: Basic usage: What do I do next to get this to work?
Doc. Caliban wrote:
> All of our public workstations are on this interface so the machines are
> verified at the proxy. Now I just need to get the RADIUS piece in place
> to validate the users. IPCop can require RADIUS authentication on top
> of the MAC filter.

So... how does it do that? EAP? Then you configure the clients to do EAP. If it has a captive web page, then that's how the clients authenticate.

Almost all of the RADIUS "magic" is in the NAS or AP. It controls much of the access process. The RADIUS server just tells it yes/no for particular users.

Alan DeKok.
Re: Basic usage: What do I do next to get this to work?
[EMAIL PROTECTED] wrote:
> PS. Time to go to bed.
>
> Clear the "Automatically use Windows logon blah, blah" box. Confirm
> everything and you are done.
>
> Ivan Kalik
> Kalik Informatika ISP

Also, uncheck the "Authenticate as computer when information is available" and "Enable Fast Reconnect", the latter will drive you crazy because it will keep resetting your settings back to default.

Jon

--
perl -le "print scalar reverse qq/ten.ratsed\100rnoj/"
Re: Basic usage: What do I do next to get this to work?
PS. Time to go to bed.

Clear the "Automatically use Windows logon blah, blah" box. Confirm everything and you are done.

Ivan Kalik
Kalik Informatika ISP

On 31/10/2007, "Doc. Caliban" <[EMAIL PROTECTED]> writes:

> [EMAIL PROTECTED] wrote:
>> Hm, don't know much about IPCop but I would have some doubts about it
>> authenticating wired users on a local network.
>>
> IPCop is actually pretty good for this as it uses one of its interfaces
> for wireless access based on granting each node specific access by MAC,
> but it can be any network node, it doesn't have to be a wireless device.
>
> All of our public workstations are on this interface so the machines are
> verified at the proxy. Now I just need to get the RADIUS piece in place
> to validate the users. IPCop can require RADIUS authentication on top
> of the MAC filter. It sounds good on paper, I just need to find the
> easiest way possible for my users to deal with the RADIUS piece of the
> model.
>> You are on the right track with wireless.
>>
>>
> That's good to hear. Again, I just need to find the simplest
> implementation possible for starters.
Re: Basic usage: What do I do next to get this to work?
PS. Oops, sent mail too early.

Authentication method should be EAP-MSCHAPv2/click on Configure button/
Re: Basic usage: What do I do next to get this to work?
> IPCop can require RADIUS authentication on top of the MAC filter.

Fine. Enable it then. I assume it uses 802.1x for wired too.

> I just need to find the easiest way possible for my users to deal with the
> RADIUS piece of the model.

Simplest thing for your users with Win XP/Vista would be PEAP. Setup is the same for wired and wireless. Connection/Properties/click on Authentication tab/tick enable 802.1x box/select PEAP from the box/click on Properties button/
Re: Basic usage: What do I do next to get this to work?
[EMAIL PROTECTED] wrote:
> Hm, don't know much about IPCop but I would have some doubts about it
> authenticating wired users on a local network.

IPCop is actually pretty good for this as it uses one of its interfaces for wireless access based on granting each node specific access by MAC, but it can be any network node, it doesn't have to be a wireless device.

All of our public workstations are on this interface so the machines are verified at the proxy. Now I just need to get the RADIUS piece in place to validate the users. IPCop can require RADIUS authentication on top of the MAC filter. It sounds good on paper, I just need to find the easiest way possible for my users to deal with the RADIUS piece of the model.

> You are on the right track with wireless.

That's good to hear. Again, I just need to find the simplest implementation possible for starters.
Re: Basic usage: What do I do next to get this to work?
> This is my goal:
>
> Wireless users and desktop computers on the same subnet (IPCop Blue, for
> those keeping score at home) will need to log in with a user name and
> password, which are kept on the MySQL server.

Hm, don't know much about IPCop but I would have some doubts about it authenticating wired users on a local network. My guess is that DHCP will just hand them an IP address and they will connect without authentication. Since you want wired clients on the same subnet as wireless ones think about using a captive portal like Chillispot.

You are on the right track with wireless.

Ivan Kalik
Kalik Informatika ISP
Re: Basic usage: What do I do next to get this to work?
Hmm... All good info, but it makes me wonder if I'm going about this the best way.

This is my goal:

Wireless users and desktop computers on the same subnet (IPCop Blue, for those keeping score at home) will need to log in with a user name and password, which are kept on the MySQL server.

I want this to be as easy as possible for as many people as possible. I came up with my client settings by going with the defaults. I would like to use whatever is easiest for the users to implement.

I really appreciate your time, Thank you.

Alan DeKok wrote:
> Doc. Caliban wrote:
>> I hate to ask this, but I'm running out of time on this project and I'm
>> completely new to RADIUS. I would be really happy if someone could just
>> point me to a detailed HOW TO for what I need.
>
> http://www.freeradius.org/doc/EAPTLS.pdf
>
> You need EAP-TLS to do PEAP.
>
>> I have freeRADIUS set up with an external MySQL user database and it's
>> successfully authorizing requests from NTRadPing.
>
> Which helps, but isn't enough. Wireless uses a LOT more technologies
> than just basic RADIUS.
>
>> So far I'm not having any luck, and I don't mind saying that I'm a
>> little over my head at this point. Someone familiar with this will
>> probably see glaring problems.
>
> The debug output tries to be helpful. Honest.
>
>> Access Point:
>> D-Link DWL-7100AP (Ciscos coming in January)
>> WPA-EAP
>> TKIP
>>
>> Client Laptop:
>> WPA Enterprise
>> TKIP
>> PEAP (Other options: EAP-SIM, TLS, TTLS, LEAP, EAP-FAST)
>
> So... that should be an indication that you need PEAP.
>
>> I set up an AP to use RADIUS, and the requests get through to the RADIUS
>> server, but they always fail. Posted below is the debug output from the
>> failed attempt.
>
> ...
>
>>> rlm_eap: EAP-NAK asked for EAP-Type/peap
>>> rlm_eap: No such EAP type peap
>
> You say that the clients will do PEAP, but you haven't configured PEAP in
> the server.
>
> Alan DeKok.
Re: Basic usage: What do I do next to get this to work?
Doc. Caliban wrote:
> I hate to ask this, but I'm running out of time on this project and I'm
> completely new to RADIUS. I would be really happy if someone could just
> point me to a detailed HOW TO for what I need.

http://www.freeradius.org/doc/EAPTLS.pdf

You need EAP-TLS to do PEAP.

> I have freeRADIUS set up with an external MySQL user database and it's
> successfully authorizing requests from NTRadPing.

Which helps, but isn't enough. Wireless uses a LOT more technologies than just basic RADIUS.

> So far I'm not having any luck, and I don't mind saying that I'm a
> little over my head at this point. Someone familiar with this will
> probably see glaring problems.

The debug output tries to be helpful. Honest.

> Access Point:
> D-Link DWL-7100AP (Ciscos coming in January)
> WPA-EAP
> TKIP
>
> Client Laptop:
> WPA Enterprise
> TKIP
> PEAP (Other options: EAP-SIM, TLS, TTLS, LEAP, EAP-FAST)

So... that should be an indication that you need PEAP.

> I set up an AP to use RADIUS, and the requests get through to the RADIUS
> server, but they always fail. Posted below is the debug output from the
> failed attempt.

...

>> rlm_eap: EAP-NAK asked for EAP-Type/peap
>> rlm_eap: No such EAP type peap

You say that the clients will do PEAP, but you haven't configured PEAP in the server.

Alan DeKok.
Re: Basic usage: What do I do next to get this to work?
You haven't configured PEAP in eap.conf. You need to configure tls and peap sections. You will also need a server certificate and to export root certificate to XP clients (if you are signing them yourself). Read instructions in eap.conf, /scripts, wiki (about EAP) and howto for AD integration before doing anything.

Ivan Kalik
Kalik Informatika ISP

On 30/10/2007, "Doc. Caliban" <[EMAIL PROTECTED]> writes:

> Hello,
>
> I hate to ask this, but I'm running out of time on this project and I'm
> completely new to RADIUS. I would be really happy if someone could just
> point me to a detailed HOW TO for what I need.
>
> I have freeRADIUS set up with an external MySQL user database and it's
> successfully authorizing requests from NTRadPing.
>
> Now I need to actually try it out "In the field". I need people running
> XP, Vista (ugh), and Apple laptops to be able to auth using the MySQL
> database that I have set up.
>
> So far I'm not having any luck, and I don't mind saying that I'm a
> little over my head at this point. Someone familiar with this will
> probably see glaring problems.
>
> I will provide all the details I can think of, but please let me know if
> you need more.
>
> Server:
> FreeRADIUS 1.1.7 with MySQL module.
>
> Database:
> Remote MySQL
>
> Access Point:
> D-Link DWL-7100AP (Ciscos coming in January)
> WPA-EAP
> TKIP
>
> Client Laptop:
> WPA Enterprise
> TKIP
> PEAP (Other options: EAP-SIM, TLS, TTLS, LEAP, EAP-FAST)
> MS-CHAP-V2 (Other options: GTC, TLS)
>
> I set up an AP to use RADIUS, and the requests get through to the RADIUS
> server, but they always fail. Posted below is the debug output from the
> failed attempt.
>
>> Ready to process requests.
>> rad_recv: Access-Request packet from host 192.168.0.1:1030, id=0, length=193
>>         Message-Authenticator = 0xf9c41895a382161a1d31b4a47bd830e0
>>         Service-Type = Framed-User
>>         User-Name = "testuser"
>>         Framed-MTU = 1488
>>         Called-Station-Id = "00-11-95-DA-16-A6:SUSOM"
>>         Calling-Station-Id = "00-1B-77-28-B3-CF"
>>         NAS-Identifier = "D-Link Access Point"
>>         NAS-Port-Type = Wireless-802.11
>>         Connect-Info = "CONNECT 54Mbps 802.11a"
>>         EAP-Message = 0x020b01746261727468
>>         NAS-IP-Address = 192.168.0.1
>>         NAS-Port = 1
>>         NAS-Port-Id = "STA port # 1"
>> rad_lowerpair: User-Name now 'testuser'
>> Processing the authorize section of radiusd.conf
>> modcall: entering group authorize for request 0
>> modcall[authorize]: module "preprocess" returns ok for request 0
>> modcall[authorize]: module "chap" returns noop for request 0
>> modcall[authorize]: module "mschap" returns noop for request 0
>> rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
>> rlm_realm: No such realm "NULL"
>> modcall[authorize]: module "suffix" returns noop for request 0
>> rlm_eap: EAP packet type response id 0 length 11
>> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>> modcall[authorize]: module "eap" returns updated for request 0
>> radius_xlat: 'testuser'
>> rlm_sql (sql): sql_set_user escaped user --> 'testuser'
>> radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'testuser' ORDER BY id'
>> rlm_sql (sql): Reserving sql socket id: 4
>> radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>> radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'testuser' ORDER BY id'
>> radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
>> rlm_sql (sql): Released sql socket id: 4
>> modcall[authorize]: module "sql" returns ok for request 0
>> rlm_pap: Found existing Auth-Type, not changing it.
>> modcall[authorize]: module "pap" returns noop for request 0
>> modcall: leaving group authorize (returns updated) for request 0
>> rad_check_password: Found Auth-Type EAP
>> auth: type "EAP"
>> Processing the authenticate section of radiusd.conf
>> modcall: entering group authenticate for request 0
>> rlm_eap: EAP Identity
>> rlm_eap: processing type md5
>> rlm_eap_md5: Issuing Challenge
>> modcall[authenticate]: module "eap" returns handled for request 0
>> modcall: leaving group authenticate (returns handled) for request 0
>> Sending Access-Challenge of id 0 to 192.168.0.1 port 1030
>>         Framed-Protocol := PPP
>>         Service-Type := Framed-User
>>         Framed-MTU := 1500
>>         Framed-Compression := Van-Jacobson-TCP-IP
>>         EAP-Message = 0x01010016
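Added here as an illustration, not from the thread and not a file shipped with FreeRADIUS: a minimal eap { } block for the FreeRADIUS 1.1.x eap.conf that supplies the tls and peap sections Ivan names above, which is also what the "No such EAP type peap" line Alan quotes points at (the server was falling back to md5 because no PEAP section existed). Certificate paths, the private-key password and the inner method are placeholders to adjust for your own setup.

```conf
# eap.conf (FreeRADIUS 1.1.x) -- illustrative; paths and password are placeholders
eap {
        # The laptop's EAP-NAK asked for PEAP; with this set the server
        # proposes PEAP instead of the md5 challenge seen in the debug output.
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no

        md5 {
        }

        # PEAP is EAP-TLS on the outside, so the tls section is mandatory.
        tls {
                private_key_password = CHANGE-ME
                private_key_file = ${raddbdir}/certs/server.pem
                certificate_file = ${raddbdir}/certs/server.pem
                # CA that signed the server certificate. If you sign it yourself,
                # this is the certificate to export to the Windows clients.
                CA_file = ${raddbdir}/certs/ca.pem
                dh_file = ${raddbdir}/certs/dh
                random_file = ${raddbdir}/certs/random
                fragment_size = 1024
                include_length = yes
        }

        # Inner method inside the PEAP tunnel: MS-CHAPv2, as the laptop offers.
        peap {
                default_eap_type = mschapv2
                copy_request_to_tunnel = no
                use_tunneled_reply = no
        }

        mschapv2 {
        }
}
```

The eap module must also be listed in the authorize and authenticate sections of radiusd.conf, with mschap in authenticate, and rlm_mschap needs a cleartext User-Password (or an NT-Password) check item for the user in radcheck. Do not add an Auth-Type row in radcheck for this; eap sets it, and a second copy from SQL is what produces the "Found 2 auth-types" warning seen later in the thread.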
Basic usage: What do I do next to get this to work?
Hello, I hate to ask this, but I'm running out of time on this project and I'm completely new to RADIUS. I would be really happy if someone could just point me to a detailed HOW TO for what I need.

I have freeRADIUS set up with an external MySQL user database and it's successfully authorizing requests from NTRadPing. Now I need to actually try it out "In the field". I need people running XP, Vista (ugh), and Apple laptops to be able to auth using the MySQL database that I have set up. So far I'm not having any luck, and I don't mind saying that I'm a little over my head at this point. Someone familiar with this will probably see glaring problems. I will provide all the details I can think of, but please let me know if you need more.

Server: FreeRADIUS 1.1.7 with MySQL module.
Database: Remote MySQL
Access Point: D-Link DWL-7100AP (Ciscos coming in January) WPA-EAP TKIP
Client Laptop: WPA Enterprise TKIP PEAP (Other options: EAP-SIM, TLS, TTLS, LEAP, EAP-FAST) MS-CHAP-V2 (Other options: GTC, TLS)

I set up an AP to use RADIUS, and the requests get through to the RADIUS server, but they always fail. Posted below is the debug output from the failed attempt.

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.1:1030, id=0, length=193
Message-Authenticator = 0xf9c41895a382161a1d31b4a47bd830e0
Service-Type = Framed-User
User-Name = "testuser"
Framed-MTU = 1488
Called-Station-Id = "00-11-95-DA-16-A6:SUSOM"
Calling-Station-Id = "00-1B-77-28-B3-CF"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11a"
EAP-Message = 0x020b01746261727468
NAS-IP-Address = 192.168.0.1
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
rad_lowerpair: User-Name now 'testuser'
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 0 length 11
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
radius_xlat: 'testuser'
rlm_sql (sql): sql_set_user escaped user --> 'testuser'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'testuser' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'testuser' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns ok for request 0
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 0 to 192.168.0.1 port 1030
Framed-Protocol := PPP
Service-Type := Framed-User
Framed-MTU := 1500
Framed-Compression := Van-Jacobson-TCP-IP
EAP-Message = 0x0101001604104e273ea966f4fb77466b296f9c607385
Message-Authenticator = 0x
State = 0x149370a5228b3ae0acdd9dc3fb4a25a4
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.1:1030, id=1, length=206
Message-Authenticator = 0xc9926863cf3df06ac150bbb6f77208eb
Service-Type = Framed-User
User-Name = "testuser"
Framed-MTU = 1488
State = 0x149370a5228b3ae0acdd9dc3fb4a25a4
Called-Station-Id = "00-11-95-DA-