No EAP session matching the State variable (and other various messages)
What exactly do error messages like:

Sep 30 12:56:36 newdvlanb radiusd[10152]: rlm_eap: No EAP session matching the State variable.
Sep 30 12:00:21 dvlanc radiusd[16053]: WARNING: Child is hung for request 782076 in component authenticate module peap.
Sep 30 12:57:08 newdvlanb radiusd[10152]: Discarding duplicate request from client resnet1-WiSM-A port 32770 - ID: 126 due to unfinished request 187554
Sep 30 12:58:24 newdvlanb radiusd[10152]: Discarding conflicting packet from client Rich-core-WiSM-E port 32769 - ID: 155 due to recent request 207181.

mean? I have attempted to rectify this by seeing if modifying the following configuration options within eap.conf gets rid of these.

    # A list is maintained to correlate EAP-Response
    # packets with EAP-Request packets. After a
    # configurable length of time, entries in the list
    # expire, and are deleted.
    # timer_expire = 120
    #
    # Help prevent DoS attacks by limiting the number of
    # sessions that the server is tracking. Most systems
    # can handle ~30 EAP sessions/s, so the default limit
    # of 4096 should be OK.
    max_sessions = 16384

I have even gotten EAP caching (using the Cached-Session-Policy) to two hours now.

These error messages especially appear to occur en masse at or near the hour and then seem to abruptly stop:

Sep 30 12:59:30 newdvlana radiusd[18407]: rlm_eap: No EAP session matching the State variable.
Sep 30 12:59:30 newdvlana radiusd[18407]: rlm_eap: No EAP session matching the State variable.
Sep 30 12:59:30 newdvlana radiusd[18407]: rlm_eap: No EAP session matching the State variable.
Sep 30 12:59:30 newdvlana radiusd[18407]: rlm_eap: No EAP session matching the State variable.
Sep 30 12:59:30 newdvlana radiusd[18407]: rlm_eap: No EAP session matching the State variable.
Sep 30 12:59:30 newdvlana radiusd[18407]: rlm_eap: No EAP session matching the State variable.
Sep 30 12:59:30 newdvlana radiusd[18407]: rlm_eap: No EAP session matching the State variable.
Sep 30 12:59:30 newdvlana radiusd[18407]: rlm_eap: No EAP session matching the State variable.
Sep 30 12:59:30 newdvlana radiusd[18407]: rlm_eap: No EAP session matching the State variable.
[ SNIPPED ]
Sep 30 13:01:37 newdvlana radiusd[18407]: rlm_eap: No EAP session matching the State variable.
Sep 30 13:01:37 newdvlana radiusd[18407]: rlm_eap: No EAP session matching the State variable.
Sep 30 13:01:37 newdvlana radiusd[18407]: rlm_eap: No EAP session matching the State variable.
Sep 30 13:01:38 newdvlana radiusd[18407]: rlm_eap: No EAP session matching the State variable.
Sep 30 13:01:38 newdvlana radiusd[18407]: rlm_eap: No EAP session matching the State variable.
Sep 30 13:01:38 newdvlana radiusd[18407]: rlm_eap: No EAP session matching the State variable.
Sep 30 13:01:38 newdvlana radiusd[18407]: rlm_eap: No EAP session matching the State variable.

Which appear in conjunction with:

Sep 30 12:57:08 newdvlanb radiusd[10152]: Discarding duplicate request from client resnet1-WiSM-A port 32770 - ID: 126 due to unfinished request 187554
Sep 30 12:58:24 newdvlanb radiusd[10152]: Discarding conflicting packet from client Rich-core-WiSM-E port 32769 - ID: 155 due to recent request 207181.
Sep 30 12:58:52 newdvlanb radiusd[10152]: Discarding conflicting packet from client Rich-core-WiSM-E port 32769 - ID: 234 due to recent request 213661.

As well as sometimes:

Sep 30 12:00:21 dvlanc radiusd[16053]: WARNING: Child is hung for request 782076 in component authenticate module peap.
Sep 30 12:01:04 dvlanc radiusd[16053]: WARNING: Child is hung for request 789836 in component authenticate module peap.
Sep 30 12:01:07 dvlanc radiusd[16053]: WARNING: Child is hung for request 789836 in component authenticate module peap.

An oddity is that the issues appear cross-server at about the same times:

Sep 30 11:57:25 dvlanc radiusd[16053]: WARNING: Child is hung for request 754502 in component authenticate module peap.
Sep 30 11:57:36 newdvlanb radiusd[11924]: WARNING: Child is hung for request 828962 in component authenticate module peap.

Anyone have any similar battle scars that I can learn from (server performance tweaks, optimizations, etc.)? I've optimized the SQL component as best I can. This all seems related to the samba/winbind/ntlm_auth.

- John Douglass, Sr. Systems IT/Architect, Georgia Institute of Technology

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
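The burst-and-correlation check the post is doing by eye, as an added example that is not from the thread: it parses radiusd syslog lines in the format quoted above, counts the State-mismatch errors per host per minute, flags minutes that cluster near the top of the hour, and pairs hung-child warnings that land on different servers within a minute of each other (the pattern that points at a shared dependency such as AD or winbind rather than at one radiusd). The sample lines are constructed from the timestamps and hosts in the post; the burst threshold and time windows are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# syslog-style prefix used by the radiusd lines quoted in the post
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) radiusd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# The message families from the thread, matched by a distinctive substring.
KINDS = [
    ("no_state_session", "No EAP session matching the State variable"),
    ("child_hung", "Child is hung for request"),
    ("discard_duplicate", "Discarding duplicate request"),
    ("discard_conflict", "Discarding conflicting packet"),
]


def parse_line(line, year=2013):
    """Return (timestamp, host, kind) for a classified radiusd line, else None.
    syslog lines carry no year, so the caller supplies it (assumed 2013 here)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind = next((k for k, needle in KINDS if needle in m["msg"]), None)
    if kind is None:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return ts, m["host"], kind


def bucket_by_minute(events):
    """Count events per (host, kind, minute)."""
    counts = Counter()
    for ts, host, kind in events:
        counts[(host, kind, ts.replace(second=0))] += 1
    return counts


def find_bursts(counts, kind="no_state_session", threshold=5):
    """Minutes in which one host logged `threshold` or more lines of `kind`."""
    return sorted((host, minute, n) for (host, k, minute), n in counts.items()
                  if k == kind and n >= threshold)


def near_hour_boundary(minute, window_min=5):
    """True if the minute lies within window_min of the top of the hour."""
    return minute.minute <= window_min or minute.minute >= 60 - window_min


def cross_host_hangs(events, window_s=60):
    """Pairs of distinct hosts whose hung-child warnings fall within window_s
    of each other; radiusd blocking on the same upstream is the usual cause."""
    hangs = sorted((ts, host) for ts, host, kind in events if kind == "child_hung")
    pairs = set()
    for i, (t1, h1) in enumerate(hangs):
        for t2, h2 in hangs[i + 1:]:
            if (t2 - t1).total_seconds() > window_s:
                break
            if h1 != h2:
                pairs.add(tuple(sorted((h1, h2))))
    return sorted(pairs)


def analyse(lines):
    """Run the three checks over raw log lines and return their findings."""
    events = [e for e in map(parse_line, lines) if e is not None]
    bursts = find_bursts(bucket_by_minute(events))
    return {
        "bursts": bursts,
        "bursts_near_hour": [b for b in bursts if near_hour_boundary(b[1])],
        "cross_host_hangs": cross_host_hangs(events),
    }


# Constructed sample: timestamps and hosts taken from the post, with the
# 12:59:30 burst repeated seven times as in the quoted log.
SAMPLE_LINES = [
    "Sep 30 11:57:25 dvlanc radiusd[16053]: WARNING: Child is hung for request 754502 in component authenticate module peap.",
    "Sep 30 11:57:36 newdvlanb radiusd[11924]: WARNING: Child is hung for request 828962 in component authenticate module peap.",
    "Sep 30 12:57:08 newdvlanb radiusd[10152]: Discarding duplicate request from client resnet1-WiSM-A port 32770 - ID: 126 due to unfinished request 187554",
    "Sep 30 12:58:24 newdvlanb radiusd[10152]: Discarding conflicting packet from client Rich-core-WiSM-E port 32769 - ID: 155 due to recent request 207181.",
    "Sep 30 12:59:45 newdvlana radiusd[18407]: Ready to process requests.",
] + ["Sep 30 12:59:30 newdvlana radiusd[18407]: rlm_eap: No EAP session matching the State variable."] * 7 + [
    "Sep 30 13:01:37 newdvlana radiusd[18407]: rlm_eap: No EAP session matching the State variable.",
    "Sep 30 13:01:38 newdvlana radiusd[18407]: rlm_eap: No EAP session matching the State variable.",
]

if __name__ == "__main__":
    print(analyse(SAMPLE_LINES))
```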
Re: No EAP session matching the State variable (and other various messages)
On 30 Sep 2013, at 18:17, John Douglass john.dougl...@oit.gatech.edu wrote:

> What exactly do error messages like:
>
> Sep 30 12:56:36 newdvlanb radiusd[10152]: rlm_eap: No EAP session matching the State variable.

The State attribute is returned in Access-Challenges by the RADIUS server and is included in subsequent Access-Requests by the NAS. It links up all the rounds of Access-Requests/Access-Challenges required for EAP authentication to complete.

That error message is usually displayed when the NAS has corrupted the State attribute contents (unlikely), or the EAP session associated with the state has expired or been lost (due to restart).

This can also happen if you have a load balancer which is spraying packets over multiple RADIUS servers. All packets for one EAP session need to go to the same EAP server.

I believe this also happens where you have EAP packets following a different path through a proxy network, and the final node before your home server changes.

> Sep 30 12:00:21 dvlanc radiusd[16053]: WARNING: Child is hung for request 782076 in component authenticate module peap.

The peap module is taking a very long time to complete.

> Sep 30 12:57:08 newdvlanb radiusd[10152]: Discarding duplicate request from client resnet1-WiSM-A port 32770 - ID: 126 due to unfinished request 187554

The server thread dealing with the original request is blocked (probably in the peap module), the NAS has timed out the original request, and is retransmitting. The server is being smart and discarding the retransmitted request.

> Sep 30 12:58:24 newdvlanb radiusd[10152]: Discarding conflicting packet from client Rich-core-WiSM-E port 32769 - ID: 155 due to recent request 207181.

That's like the above message, but probably means a new packet with src ip, src port, dst ip, dst port, id that match an existing packet in the queue has been received, but with a different authenticator.

> Sep 30 12:00:21 dvlanc radiusd[16053]: WARNING: Child is hung for request 782076 in component authenticate module peap.
> Sep 30 12:01:04 dvlanc radiusd[16053]: WARNING: Child is hung for request 789836 in component authenticate module peap.
> Sep 30 12:01:07 dvlanc radiusd[16053]: WARNING: Child is hung for request 789836 in component authenticate module peap.
>
> An oddity is that the issues appear cross-server at about the same times:
>
> Sep 30 11:57:25 dvlanc radiusd[16053]: WARNING: Child is hung for request 754502 in component authenticate module peap.
> Sep 30 11:57:36 newdvlanb radiusd[11924]: WARNING: Child is hung for request 828962 in component authenticate module peap.
>
> Anyone have any similar battle scars that I can learn from (server performance tweaks, optimizations, etc.)? I've optimized the SQL component as best I can. This all seems related to the samba/winbind/ntlm_auth.

I'll let someone else answer that one :)

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
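A small model of the two mechanisms described in the reply above, added here as an example rather than FreeRADIUS's own code: the in-flight request table keyed on (src ip, src port, dst ip, dst port, id) that separates a NAS retransmit (same Request Authenticator) from a conflicting packet (different authenticator), and the State lookup that fails when the EAP session has expired, the server restarted, or a load balancer sent a later round to a different server. Packet bytes are constructed; the attribute numbers (User-Name 1, State 24) follow RFC 2865, and the class and function names are this example's own.

```python
"""Model of RADIUS duplicate/conflict detection and EAP State matching."""
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_STATE = 24  # RFC 2865 State: opaque, echoed by the NAS on the next round


def build_request(ident, authenticator, attrs):
    """Encode a minimal Access-Request: 20-byte header plus TLV attributes."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack("!BBH16s", ACCESS_REQUEST, ident,
                       20 + len(body), authenticator) + body


def parse_request(pkt):
    """Return (code, id, authenticator, {attr_type: value}); reject bad lengths."""
    code, ident, length, auth = struct.unpack("!BBH16s", pkt[:20])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs[t] = pkt[pos + 2:pos + l]
        pos += l
    return code, ident, auth, attrs


class RequestQueue:
    """In-flight requests keyed the way the discard messages describe,
    plus the table of live EAP sessions keyed by State."""

    def __init__(self):
        self.inflight = {}   # (src ip, src port, dst ip, dst port, id) -> authenticator
        self.sessions = {}   # State value -> EAP session context

    def classify(self, src, dst, pkt):
        _, ident, auth, _ = parse_request(pkt)
        key = (src[0], src[1], dst[0], dst[1], ident)
        if key in self.inflight:
            if self.inflight[key] == auth:
                return "duplicate"      # NAS retransmit of an unfinished request
            return "conflicting"        # same 5-tuple and id, different authenticator
        self.inflight[key] = auth
        return "new"

    def finish(self, src, dst, ident):
        """The worker thread replied; the slot is free for that id again."""
        self.inflight.pop((src[0], src[1], dst[0], dst[1], ident), None)

    def issue_challenge(self):
        """Server side of an Access-Challenge: mint a State, remember the session."""
        state = os.urandom(16)
        self.sessions[state] = {"rounds": 1}
        return state

    def expire_session(self, state):
        """timer_expire elapsed, the server restarted, or this node never saw round 1."""
        self.sessions.pop(state, None)

    def lookup_eap_session(self, pkt):
        """What rlm_eap needs before it can continue a conversation."""
        _, _, _, attrs = parse_request(pkt)
        state = attrs.get(ATTR_STATE)
        if state is None:
            return "start"              # first round carries no State yet
        if state not in self.sessions:
            return "no EAP session matching the State variable"
        return "continue"


def demo():
    """Walk one NAS through retransmit, conflict, challenge and session loss."""
    q = RequestQueue()
    nas, srv = ("10.0.0.5", 32770), ("10.0.0.1", 1812)   # constructed addresses
    first = build_request(126, bytes(range(16)), [(ATTR_USER_NAME, b"user@example.org")])
    r1 = q.classify(nas, srv, first)             # new
    r2 = q.classify(nas, srv, first)             # duplicate: same authenticator
    clash = build_request(126, bytes(16), [(ATTR_USER_NAME, b"user@example.org")])
    r3 = q.classify(nas, srv, clash)             # conflicting: id reused, new authenticator
    q.finish(nas, srv, 126)
    state = q.issue_challenge()
    nxt = build_request(127, os.urandom(16), [(ATTR_STATE, state)])
    r4 = q.lookup_eap_session(nxt)               # continue
    q.expire_session(state)
    r5 = q.lookup_eap_session(nxt)               # the error from the thread
    return r1, r2, r3, r4, r5


if __name__ == "__main__":
    print(demo())
```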
Re: No EAP session matching the State variable (and other various messages)
Hi,

> Sep 30 12:56:36 newdvlanb radiusd[10152]: rlm_eap: No EAP session matching the State variable.
> Sep 30 12:00:21 dvlanc radiusd[16053]: WARNING: Child is hung for request 782076 in component authenticate module peap.
> Sep 30 12:57:08 newdvlanb radiusd[10152]: Discarding duplicate request from client resnet1-WiSM-A port 32770 - ID: 126 due to unfinished request 187554
> Sep 30 12:58:24 newdvlanb radiusd[10152]: Discarding conflicting packet from client Rich-core-WiSM-E port 32769 - ID: 155 due to recent request 207181.
>
> Anyone have any similar battle scars that I can learn from (server performance tweaks, optimizations, etc.)? I've optimized the SQL component as best I can. This all seems related to the samba/winbind/ntlm_auth.

We are always in a battle with performance and load. You've already had a pretty good description of what the messages mean, but I can offer another possible cause in the PEAP module hang: I would suspect that you have the MSCHAP retry password option set? If so, you're waiting for the user to get around to typing in their details again... and again and again as they get it wrong or typo-fixed by their smartphone or tablet. We see similar messages at busy times of new devices (like start of year).

alan
Re: No EAP session matching the State variable (and other various messages)
John Douglass wrote:
> Anyone have any similar battle scars that I can learn from (server performance tweaks, optimizations, etc.)? I've optimized the SQL component as best I can. This all seems related to the samba/winbind/ntlm_auth.

FreeRADIUS is dependent on other systems. So if Samba or AD block for 30 seconds, so does FreeRADIUS.

In many cases, these errors are the result of something *else* going wrong. FreeRADIUS is complaining, because it noticed the problem, and told you. But there's nothing wrong with FreeRADIUS. You've got to fix the *other* problem to correct the issue.

Alan DeKok.
Re: Comp128-1,2,3 support in EAP-SIM
On Tue, Sep 24, 2013 at 8:13 PM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
> On 24 Sep 2013, at 18:12, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
>> Note: Comp128-4 (milenage) is still unknown (please contact one of the developers if you have access to its specification), but just algorithms 1-3 are still useful.
>
> Actually it's not, it's published in the 3GGP standards, neat :)
>
> *3GPP even

And if you want to find something to test against for GSM-Milenage and EAP-SIM (or Milenage with EAP-AKA/AKA' for that matter), wpa_supplicant includes an implementation of an EAP peer with support for software-simulated SIM/USIM authentication. hlr_auc_gw in hostapd (as a RADIUS/EAP server) implements the same for the EAP-SIM/AKA/AKA' server.

- Jouni
Re: EAP-PEAP GTC vs MSCHAPv2
Don wrote:
> I tried one of these inside gtc sub-section of eap.conf, that don't seem to work:
>
> auth_type = ntlm_auth

Setting that *should* be one step of a working configuration.

> or
>
> ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{User-Name} --password=%{User-Password}

Set where? You have been *very* vague about what you're doing. Is it a secret?

> Though I haven't tried replacing User-Password with Cleartext-Password.

Don't do that. Trying random things is *always* a bad idea.

> Do I have to place this under gtc sub-section inside inner-eap?

No. You have to configure the ntlm_auth module, and the ntlm_auth sub-section of the authenticate section. All of that is documented in the deployingradius.com page.

> See my comment earlier. Did I place the configuration at the right sub-section?

I have no idea. You've been careful to say as little as possible, in a manner which is as confusing as possible.

> Yes, I saw the ntlm_auth configuration under modules/mschap and modules/ntlm_auth. As stated in my first email, I am able to configure freeRadius to authenticate against our Active Directory using EAP-MSCHAPv2 (ntlm_auth) and I am looking to see if using EAP-GTC will work as well.

It WILL work. Just set auth_type = ntlm_auth in the gtc configuration. As I said.

> As I mentioned earlier, I tried both auth_type = ntlm_auth and ntlm_auth = /usr/bin/ntlm_auth ... command execution, but that doesn't work.

So... rather than following instructions, you're trying random things.

How about running it in debugging mode, as suggested in the FAQ, man page, web pages, and daily on this list? The reason we recommend it is that IT WORKS. If you're trying random nonsense, you're wasting your time, and ours.

> The reason I am asking the question of multiple challenges is because I am currently evaluating another vendor solution for multi-factor authentication thru EAP-PEAP/TLS with EAP-GTC and the solution prompts 2 additional inputs during authentication. Here is the link: https://www.duosecurity.com/docs/netmotion. I thought if they can do it, freeRadius can do it as well.

The issue is the EAP-GTC specification, and the clients. Last I recall, it didn't support multiple challenge-responses. If it does, then it's possible to upgrade FreeRADIUS to do it.

As always,
Re: EAP-PEAP GTC vs MSCHAPv2
On Fri, Sep 27, 2013 at 6:34 AM, Alan DeKok al...@deployingradius.com wrote:
> Don wrote:
>> I tried one of these inside gtc sub-section of eap.conf, that don't seem to work:
>>
>> auth_type = ntlm_auth
>
> Setting that *should* be one step of a working configuration.

Ok, thank you for confirming that the above is one step towards a working configuration.

>> or
>>
>> ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{User-Name} --password=%{User-Password}
>
> Set where? You have been *very* vague about what you're doing. Is it a secret?

Nothing secret, as I said I tried both configurations (one at a time) inside gtc sub-section of eap.conf.

>> Though I haven't tried replacing User-Password with Cleartext-Password.
>
> Don't do that. Trying random things is *always* a bad idea.

Thank you for confirming again. I won't change it in this case.

>> Do I have to place this under gtc sub-section inside inner-eap?
>
> No. You have to configure the ntlm_auth module, and the ntlm_auth sub-section of the authenticate section. All of that is documented in the deployingradius.com page.
>
>> See my comment earlier. Did I place the configuration at the right sub-section?
>
> I have no idea. You've been careful to say as little as possible, in a manner which is as confusing as possible.

The two configurations mentioned earlier, I tried them both inside gtc sub-section of eap.conf.

>> Yes, I saw the ntlm_auth configuration under modules/mschap and modules/ntlm_auth. As stated in my first email, I am able to configure freeRadius to authenticate against our Active Directory using EAP-MSCHAPv2 (ntlm_auth) and I am looking to see if using EAP-GTC will work as well.
>
> It WILL work. Just set auth_type = ntlm_auth in the gtc configuration. As I said.

I did that, but that didn't work. Perhaps I didn't configure the ntlm_auth module, though there is modules/ntlm_auth created when I configured EAP-MSCHAPv2 with ntlm_auth.

>> As I mentioned earlier, I tried both auth_type = ntlm_auth and ntlm_auth = /usr/bin/ntlm_auth ... command execution, but that doesn't work.
>
> So... rather than following instructions, you're trying random things.
>
> How about running it in debugging mode, as suggested in the FAQ, man page, web pages, and daily on this list? The reason we recommend it is that IT WORKS. If you're trying random nonsense, you're wasting your time, and ours.

So far I have tried adding two configurations inside gtc sub-section of eap.conf. Nothing else was touched. I did run in debug mode (with -XX) and I will capture the error later.

>> The reason I am asking the question of multiple challenges is because I am currently evaluating another vendor solution for multi-factor authentication thru EAP-PEAP/TLS with EAP-GTC and the solution prompts 2 additional inputs during authentication. Here is the link: https://www.duosecurity.com/docs/netmotion. I thought if they can do it, freeRadius can do it as well.
>
> The issue is the EAP-GTC specification, and the clients. Last I recall, it didn't support multiple challenge-responses. If it does, then it's possible to upgrade FreeRADIUS to do it.
>
> As always,

My understanding about RADIUS is that the client sends AccessRequest and waits for either: AccessReject, AccessAccept, or AccessChallenge. If it gets AccessChallenge and later gets another AccessChallenge again, it will respond, until it gets AccessAccept or AccessReject. The client that I am using is NetMotion Mobility XE.

Thank you once again for your response. Apologies if I am wasting your time, not my intention.
Re: EAP-PEAP GTC vs MSCHAPv2
Don wrote:
> Nothing secret, as I said I tried both configurations (one at a time) inside gtc sub-section of eap.conf.

That's a problem. NOTHING in the documentation or examples says to do that. LOTS of documentation and examples give the CORRECT way to use ntlm_auth.

> I did that, but that didn't work.

See the FAQ for "it doesn't work".

> Perhaps I didn't configure the ntlm_auth module, though there is modules/ntlm_auth created when I configured EAP-MSCHAPv2 with ntlm_auth.

Perhaps you could try following the examples on deployingradius.com, or the examples distributed with the server.

> My understanding about RADIUS is that the client sends AccessRequest and waits for either: AccessReject, AccessAccept, or AccessChallenge. If it gets AccessChallenge and later gets another AccessChallenge again, it will respond, until it gets AccessAccept or AccessReject. The client that I am using is NetMotion Mobility XE.

Which is all useless and irrelevant. I asked about the EAP-GTC spec, not RADIUS.

> Thank you once again for your response. Apologies if I am wasting your time, not my intention.

If you ask questions on this list, you need to follow the instructions we give. Doing anything else is rude.

You've been very careful to say as little as possible about what you're doing. You've also been careful to NOT follow the documentation or examples. That explains why you're having issues making it work.

Alan DeKok.
Re: EAP-PEAP GTC vs MSCHAPv2
Alan,

I finally made EAP-GTC using ntlm_auth work. Basically my initial configuration inside gtc sub-section of raddb/eap.conf was correct, and modifying raddb/modules/ntlm_auth from %{mschap:User-Name} to %{User-Name} was also correct. I can also use %{%{mschap:User-Name}:-%{User-Name}}; that is also working fine and won't break mschap testing thru radtest.

The problem lies somewhere else, in this case something inside file raddb/users where the following line was added when I configured freeRadius with EAP-MSCHAPv2 and tested it with radtest:

DEFAULT Auth-Type := ntlm_auth

Once I removed that line from raddb/users, EAP-GTC with ntlm_auth works.

So, the gtc sub-section inside raddb/eap.conf is as follows:

gtc {
    # text shown to the user by the GTC challenge
    challenge = "Password: "
    # hand the typed response (User-Password) to the ntlm_auth module
    auth_type = ntlm_auth
}

and raddb/modules/ntlm_auth content:

exec ntlm_auth {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{%{mschap:User-Name}:-%{User-Name}} --password=%{User-Password}"
}

Again, thank you for all the support.

Regards,
Dono

On Fri, Sep 27, 2013 at 9:50 AM, Alan DeKok al...@deployingradius.com wrote:
> Don wrote:
>> Nothing secret, as I said I tried both configurations (one at a time) inside gtc sub-section of eap.conf.
>
> That's a problem. NOTHING in the documentation or examples says to do that. LOTS of documentation and examples give the CORRECT way to use ntlm_auth.
>
>> I did that, but that didn't work.
>
> See the FAQ for "it doesn't work".
>
>> Perhaps I didn't configure the ntlm_auth module, though there is modules/ntlm_auth created when I configured EAP-MSCHAPv2 with ntlm_auth.
>
> Perhaps you could try following the examples on deployingradius.com, or the examples distributed with the server.
>
>> My understanding about RADIUS is that the client sends AccessRequest and waits for either: AccessReject, AccessAccept, or AccessChallenge. If it gets AccessChallenge and later gets another AccessChallenge again, it will respond, until it gets AccessAccept or AccessReject. The client that I am using is NetMotion Mobility XE.
>
> Which is all useless and irrelevant. I asked about the EAP-GTC spec, not RADIUS.
>
>> Thank you once again for your response. Apologies if I am wasting your time, not my intention.
>
> If you ask questions on this list, you need to follow the instructions we give. Doing anything else is rude.
>
> You've been very careful to say as little as possible about what you're doing. You've also been careful to NOT follow the documentation or examples. That explains why you're having issues making it work.
>
> Alan DeKok.
EAP-PEAP GTC vs MSCHAPv2
All,

I have successfully configured freeRadius using EAP-PEAP with:

1. GTC to authenticate user against local password
2. MSCHAPv2 to authenticate user against Active Directory via ntlm_auth

following instructions on this link: http://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO

I also understand from reading this link that EAP-GTC can be used (compatible) with ntlm_auth: http://deployingradius.com/documents/protocols/compatibility.html

That said, if EAP-GTC can be used along with ntlm_auth, how do I configure it to make that work? I tried to execute ntlm_auth passing --password=%{User-Password}, but that didn't work as User-Password is empty. It says in eap.conf that GTC challenges the user with text and the response from the user is taken to be the User-Password. Perhaps I am executing ntlm_auth too early, before the GTC Password challenge is sent out and the response received.

My questions are:

1. How can I configure freeRadius so GTC will work with ntlm_auth?
2. Is it possible to send a subsequent GTC challenge in addition to the default Password challenge? If possible, how do I configure the subsequent GTC challenge?

Thank you.
Re: EAP-PEAP GTC vs MSCHAPv2
Don wrote:
> That said, if EAP-GTC can be used along with ntlm_auth, how do I configure it to make that work?

Read the gtc sub-section of eap.conf. It tells you how to make EAP-GTC use a particular authentication method.

> I tried to execute ntlm_auth passing --password=%{User-Password}, but that didn't work as User-Password is empty.

You tried *where*? That matters.

> It says in eap.conf that GTC challenges the user with text and the response from the user is taken to be the User-Password. Perhaps I am executing ntlm_auth too early, before the GTC Password challenge is sent out and the response received.
>
> My questions are:
>
> 1. How can I configure freeRadius so GTC will work with ntlm_auth?

a) configure ntlm_auth as per the deployingradius.com docs, and the examples in the config files
b) tell EAP-GTC to use ntlm_auth as per the examples in the gtc configuration.

> 2. Is it possible to send a subsequent GTC challenge in addition to the default Password challenge? If possible, how do I configure the subsequent GTC challenge?

No. EAP-GTC is only challenge-response. It doesn't do multiple challenges.

Alan DeKok.
Re: EAP-PEAP GTC vs MSCHAPv2
Alan,

Thank you for your reply and please find my inline response below.

On Thu, Sep 26, 2013 at 7:54 PM, Alan DeKok al...@deployingradius.com wrote:
> Don wrote:
>> That said, if EAP-GTC can be used along with ntlm_auth, how do I configure it to make that work?
>
> Read the gtc sub-section of eap.conf. It tells you how to make EAP-GTC use a particular authentication method.

I tried one of these inside gtc sub-section of eap.conf, that don't seem to work:

auth_type = ntlm_auth

or

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{User-Name} --password=%{User-Password}

Though I haven't tried replacing User-Password with Cleartext-Password. Do I have to place this under gtc sub-section inside inner-eap?

>> I tried to execute ntlm_auth passing --password=%{User-Password}, but that didn't work as User-Password is empty.
>
> You tried *where*? That matters.

See my comment earlier. Did I place the configuration at the right sub-section?

>> It says in eap.conf that GTC challenges the user with text and the response from the user is taken to be the User-Password. Perhaps I am executing ntlm_auth too early, before the GTC Password challenge is sent out and the response received.
>>
>> My questions are:
>>
>> 1. How can I configure freeRadius so GTC will work with ntlm_auth?
>
> a) configure ntlm_auth as per the deployingradius.com docs, and the examples in the config files

Yes, I saw the ntlm_auth configuration under modules/mschap and modules/ntlm_auth. As stated in my first email, I am able to configure freeRadius to authenticate against our Active Directory using EAP-MSCHAPv2 (ntlm_auth) and I am looking to see if using EAP-GTC will work as well.

> b) tell EAP-GTC to use ntlm_auth as per the examples in the gtc configuration.

As I mentioned earlier, I tried both auth_type = ntlm_auth and ntlm_auth = /usr/bin/ntlm_auth ... command execution, but that doesn't work.

>> 2. Is it possible to send a subsequent GTC challenge in addition to the default Password challenge? If possible, how do I configure the subsequent GTC challenge?
>
> No. EAP-GTC is only challenge-response. It doesn't do multiple challenges.

The reason I am asking the question of multiple challenges is because I am currently evaluating another vendor solution for multi-factor authentication thru EAP-PEAP/TLS with EAP-GTC and the solution prompts 2 additional inputs during authentication. Here is the link: https://www.duosecurity.com/docs/netmotion. I thought if they can do it, freeRadius can do it as well.

> Alan DeKok.

Regards,
Dono
EAP-AKA, EAP-AKA'
Just out of interest, is anyone using EAP-AKA with the EAP2 module in FreeRADIUS 2.x.x? If so, what sorts of services are you using it for?

Have any telcos successfully deployed EAP-SIM/EAP-AKA['] for authenticating handsets to GSM and 802.11 networks to facilitate cross-medium roaming?

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Comp128-1,2,3 support in EAP-SIM
Looking for someone to test some new code (in master branch).

Someone [1] has claimed to have decompiled a SIM validation program to figure out the algorithms for Comp128-2 and Comp128-3.

The reason why this is particularly useful is because Comp128-1 is horribly broken, and versions 2 and 3, which are meant to be more secure, were not released to the public domain. The only way you could properly (with a randomly generated challenge) authenticate SIMs using Comp128-2 and Comp128-3 was with a commercial AuC (Authentication centre) which cost $/$$.

To try out the code, you need to know the Ki of a SIM. You can then set the attributes control:EAP-Sim-Ki to the 64bit Ki value and control:EAP-Sim-Algo-Version (to 1, 2 or 3), which rlm_eap_sim will then use in preference to the normal triplets.

As part of these changes, the other SIM triplets will now be looked for in the control list, whereas they were previously looked for in the reply list.

update control {
    EAP-Sim-RAND1 := reply:EAP-Sim-RAND1
    EAP-Sim-RAND2 := reply:EAP-Sim-RAND2
    EAP-Sim-RAND3 := reply:EAP-Sim-RAND3
    EAP-Sim-SRES1 := reply:EAP-Sim-SRES1
    EAP-Sim-SRES2 := reply:EAP-Sim-SRES2
    EAP-Sim-SRES3 := reply:EAP-Sim-SRES3
    EAP-Sim-Kc1 := reply:EAP-Sim-Kc1
    EAP-Sim-Kc2 := reply:EAP-Sim-Kc2
    EAP-Sim-Kc3 := reply:EAP-Sim-Kc3
}

Will fix up any existing configurations if you want to use the code from the master branch (which will become 3.1).

If no one comes forward for testing, then I'll buy the hardware and do it myself; just if someone works at a telecoms provider, I'd imagine it'd be pretty easy to get hold of a test SIM and Ki.

Note: Comp128-4 (milenage) is still unknown (please contact one of the developers if you have access to its specification), but just algorithms 1-3 are still useful.

[1] http://www.hackingprojects.net/2013/04/secrets-of-sim.html

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: Comp128-1,2,3 support in EAP-SIM
> Note: Comp128-4 (milenage) is still unknown (please contact one of the developers if you have access to its specification), but just algorithms 1-3 are still useful.

Actually it's not, it's published in the 3GGP standards, neat :)

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: Comp128-1,2,3 support in EAP-SIM
On 24 Sep 2013, at 18:12, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
>> Note: Comp128-4 (milenage) is still unknown (please contact one of the developers if you have access to its specification), but just algorithms 1-3 are still useful.
>
> Actually it's not, it's published in the 3GGP standards, neat :)

*3GPP even

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
can not initiate sim, no RAND1 attribute [eap] ERROR - Default EAP type sim failed in initiate [eap]
Hi All,

I really do try to read the forums in full before I post, but I have seen much out there on this, but just can't find out why this is happening. Please see below.

The only thing I don't have is the sim_files entry in the sites-enabled/default, as I assume this is now covered in the radiusd.conf file. Also, in the simtriplets files at the bottom, I have tried the entries with a 1 at the beginning of the IMSI, and without, and with the word SIM there also.

On packet captures over the air, I get:

P1 - eap identity request
P2 - eap identity response
P3 - eap-failure

So I believe the radius server is not sending an eap-start module and it is my configuration issue. Could anyone be so kind as to help me please?

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.53.1.200 port 45261, id=5, length=257
	User-Name = 1234159143465...@wlan.mnc015.mcc234.3gppnetwork.org
	NAS-IP-Address = 192.168.21.1
	Called-Station-Id = 5C-D9-98-BF-C0-9E:tt
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1
	Calling-Station-Id = 5C-F8-A1-8B-35-BA
	Connect-Info = CONNECT 54Mbps 802.11g
	Acct-Session-Id = 524016AE-0005
	Framed-MTU = 1400
	EAP-Message = 0x02ba0038013132333431353931343334363530383440776c616e2e6d6e633031352e6d63633233342e336770706e6574776f726b2e6f7267
	Message-Authenticator = 0x25cd862fe8110e13ab54321c37032d00
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm wlan.mnc015.mcc234.3gppnetwork.org for User-Name = 1234159143465...@wlan.mnc015.mcc234.3gppnetwork.org
[suffix] No such realm wlan.mnc015.mcc234.3gppnetwork.org
++[suffix] returns noop
[eap] EAP packet type response id 186 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
can not initiate sim, no RAND1 attribute
[eap] Default EAP type sim failed in initiate
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> 1234159143465...@wlan.mnc015.mcc234.3gppnetwork.org
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 5 to 10.53.1.200 port 45261
	EAP-Message = 0x04ba0004
	Message-Authenticator = 0x
Waking up in 4.9 seconds.
Cleaning up request 0 ID 5 with timestamp +8
Ready to process requests.
rad_recv: Access-Request packet from host 10.53.1.200 port 45261, id=6, length=257
	User-Name = 1234159143465...@wlan.mnc015.mcc234.3gppnetwork.org
	NAS-IP-Address = 192.168.21.1
	Called-Station-Id = 5C-D9-98-BF-C0-9E:tt
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1
	Calling-Station-Id = 5C-F8-A1-8B-35-BA
	Connect-Info = CONNECT 54Mbps 802.11g
	Acct-Session-Id = 524016AE-0006
	Framed-MTU = 1400
	EAP-Message = 0x02f20038013132333431353931343334363530383440776c616e2e6d6e633031352e6d63633233342e336770706e6574776f726b2e6f7267
	Message-Authenticator = 0xac6eea11e5915f4e4e5bbc06a7ed3e72
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm wlan.mnc015.mcc234.3gppnetwork.org for User-Name = 1234159143465...@wlan.mnc015.mcc234.3gppnetwork.org
[suffix] No such realm wlan.mnc015.mcc234.3gppnetwork.org
++[suffix] returns noop
[eap] EAP packet type response id 242 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
can not initiate sim
Re: can not initiate sim, no RAND1 attribute [eap] ERROR - Default EAP type sim failed in initiate [eap]
On 23 Sep 2013, at 12:32, ken.farrington ken.farring...@802.co.uk wrote:

> Hi All, I really do try to read the forums in full before I post, and I have seen much out there on this, but I just can't find out why this is happening. Please see below. The only thing I don't have is a sim_files entry in sites-enabled/default, as I assume this is now covered in the radiusd.conf file.

No, it's not, that is a version 1.x.x configuration. You have to list it in sites-enabled/default before EAP for it to work.

Honestly though you don't need the sim_files stuff as you can set the attributes required in the users file (files).

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: can not initiate sim, no RAND1 attribute [eap] ERROR - Default EAP type sim failed in initiate [eap]
Hi Arran, I'm not sure if I have interpreted this right. Are you agreeing with my statement that it is not needed, or are you saying it is needed? I seem to recall I get an error when I put the sim_files in the default file. Many thx indeed for the lightning fast response mate :)

Ken

On 23 September 2013 at 12:49 Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

> On 23 Sep 2013, at 12:32, ken.farrington ken.farring...@802.co.uk wrote:
>
>> Hi All, I really do try to read the forums in full before I post, and I have seen much out there on this, but I just can't find out why this is happening. Please see below. The only thing I don't have is a sim_files entry in sites-enabled/default, as I assume this is now covered in the radiusd.conf file.
>
> No, it's not, that is a version 1.x.x configuration. You have to list it in sites-enabled/default before EAP for it to work.
>
> Honestly though you don't need the sim_files stuff as you can set the attributes required in the users file (files).
>
> -Arran
>
> Arran Cudbard-Bell a.cudba...@freeradius.org
> FreeRADIUS Development Team

Ken Farrington
Director CCIE #12651
802 Limited
International House, 221 Bow Road, London, E3 2SJ, United Kingdom
Direct: +44 (0)7500 802802
ken.farring...@802.co.uk
http://www.802.co.uk
Re: can not initiate sim, no RAND1 attribute [eap] ERROR - Default EAP type sim failed in initiate [eap]
Also, if I put the sim_files entry before eap in the default file I get the following error when I try and start radiusd -s -X:

Module: Linked to sub-module rlm_eap_sim
Module: Instantiating eap-sim
Module: Checking authorize {...} for more modules to load
/usr/local/etc/raddb/radiusd.conf[643]: Failed to link to module 'rlm_sim_files': rlm_sim_files.so: cannot open shared object file: No such file or directory
/usr/local/etc/raddb/sites-enabled/default[63]: Failed to load module sim_files.
/usr/local/etc/raddb/sites-enabled/default[62]: Errors parsing authorize section.

Could it be a Linux thing? I am starting to think my Linux skills are rubbish. I have been trying very hard :)

Many thx
ken

On 23 September 2013 at 12:56 ken.farrington ken.farring...@802.co.uk wrote:

> Hi Arran, I'm not sure if I have interpreted this right. Are you agreeing with my statement that it is not needed, or are you saying it is needed? I seem to recall I get an error when I put the sim_files in the default file. Many thx indeed for the lightning fast response mate :)
>
> Ken
>
> On 23 September 2013 at 12:49 Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
>
>> On 23 Sep 2013, at 12:32, ken.farrington ken.farring...@802.co.uk wrote:
>>
>>> Hi All, I really do try to read the forums in full before I post, and I have seen much out there on this, but I just can't find out why this is happening. Please see below. The only thing I don't have is a sim_files entry in sites-enabled/default, as I assume this is now covered in the radiusd.conf file.
>>
>> No, it's not, that is a version 1.x.x configuration. You have to list it in sites-enabled/default before EAP for it to work.
>>
>> Honestly though you don't need the sim_files stuff as you can set the attributes required in the users file (files).
>>
>> -Arran
>>
>> Arran Cudbard-Bell a.cudba...@freeradius.org
>> FreeRADIUS Development Team
>
> Ken Farrington
> Director CCIE #12651
> 802 Limited

Ken Farrington
Director CCIE #12651
802 Limited
EAP-TLS Authentication
Hi, I am facing some issues with 802.1x EAP-TLS Authentication. Please suggest any document which can help in better understanding TLS Authentication.

Thanks.
Re: EAP + SSL + Certificate chains
Hey, I wanted to say thanks for the tips! I convinced the peers that it was not a good idea to allow auto certificate acceptance and to just have the clients accept it when the new certificate went online.

Cheers,
- Trevor

On Thu, Sep 12, 2013 at 3:46 PM, Brian Julin bju...@clarku.edu wrote:

> Mathieu wrote:
>> At least from that side there is hope for improvements with Android 4.3 onwards there are API calls for enterprise wireless configuration. Maybe someone steps up by making an application that can manage profiles or something like this.
>
> That is promising, but I hope this does not become a case of "Oh, there's an app for that" basic system function versus it being in the core UI. Because nobody will have it pre-installed.
>
> --
> Brian
Re: EAP-TLS Authentication
> Please suggest any document which can help in better understanding TLS Authentication.

Arvind, I also faced the same issue at the beginning, but I would suggest reading FreeRADIUS's own documentation. That is probably the best.

On Mon, Sep 23, 2013 at 7:45 PM, arvind132 . arvind...@gmail.com wrote:

> Hi, I am facing some issues with 802.1x EAP-TLS Authentication. Please suggest any document which can help in better understanding TLS Authentication.
>
> Thanks.

--
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University
Expiration and EAP verification question
In strongswan, for ikev1 it uses xauth-eap, which I use to do validation with RADIUS (that's the only way for ikev1 clients with strongswan). My design is that I don't actually care about secondary authentication with RADIUS since it's already doing certificate validation from the strongswan side before doing secondary authentication. All would be good if I only needed secondary authentication, since I can bypass it with verify_eap from the strongswan side, but I want to make use of the Expiration module on the freeradius side (works great).

I have a few questions so it can help me determine the next course of action:

1) is there a way to configure freeradius for Accounting only that also does the user expiration check?

2) is it possible for me in any way to reject an expired user but accept eap based authentication (from configuration or code modification)?

3) when a connection is rejected, does the strongswan side (xauth-eap plugin in particular) receive information that can differentiate this logic (send an attribute that it can handle maybe? I have no idea how that works)?

Thanks
Re: Expiration and EAP verification question
WorkingMan wrote:
> My design is that I don't actually care about secondary authentication with RADIUS since it's already doing certificate validation from the strongswan side before doing secondary authentication. All would be good if I only needed secondary authentication, since I can bypass it with verify_eap from the strongswan side, but I want to make use of the Expiration module on the freeradius side (works great).

Bypassing authentication is generally a bad idea.

> I have a few questions so it can help me determine the next course of action:
> 1) is there a way to configure freeradius for Accounting only that also does the user expiration check?

No. User expiration checks are done on authentication.

> 2) is it possible for me in any way to reject an expired user but accept eap based authentication (from configuration or code modification)?

Yes.

> 3) when a connection is rejected, does the strongswan side (xauth-eap plugin in particular) receive information that can differentiate this logic (send an attribute that it can handle maybe? I have no idea how that works)?

A reject is a reject. The client usually doesn't get told *why* it was rejected.

Rather than asking vague questions, it would help to read the config files. They're documented in exhaustive detail.

Alan DeKok.
Re: Expiration and EAP verification question
Alan DeKok aland at deployingradius.com writes:

> WorkingMan wrote:
>> My design is that I don't actually care about secondary authentication with RADIUS since it's already doing certificate validation from the strongswan side before doing secondary authentication. All would be good if I only needed secondary authentication, since I can bypass it with verify_eap from the strongswan side, but I want to make use of the Expiration module on the freeradius side (works great).
>
> Bypassing authentication is generally a bad idea.
>
>> I have a few questions so it can help me determine the next course of action:
>> 1) is there a way to configure freeradius for Accounting only that also does the user expiration check?
>
> No. User expiration checks are done on authentication.
>
>> 2) is it possible for me in any way to reject an expired user but accept eap based authentication (from configuration or code modification)?
>
> Yes.
>
>> 3) when a connection is rejected, does the strongswan side (xauth-eap plugin in particular) receive information that can differentiate this logic (send an attribute that it can handle maybe? I have no idea how that works)?
>
> A reject is a reject. The client usually doesn't get told *why* it was rejected.
>
> Rather than asking vague questions, it would help to read the config files. They're documented in exhaustive detail.
>
> Alan DeKok.

Can you give me an example of how to always accept a connection on EAP-* authentication (it will be password based from xauth-eap from strongswan) but at the same time still honour Expiration logic? I am not sure how to do it (or what to look for). I have been trying different settings for a week now without success.

Background: As you know, the default IPSec VPN clients for iOS and Android are ikev1 based, and that doesn't support EAP-TLS, which is ideal for me (mutual certificate authentication). For ikev1 I can still do mutual certificate authentication, but I want freeradius to do the accounting stuff and sort of centralize login (otherwise there is no need for RADIUS). The only option with strongswan is via xauth-eap (internally via eap-radius; using eap-md5, eap-mschapv2, etc. password based authentication). There is no way, according to strongswan's team, to do accounting only with ikev1; that's why I need to use xauth-eap so I can talk to freeradius. There is no need to do password authentication when the certificate is already validated by the server and you can filter clients via certificate details (so it is safe; unless someone can sign a fake client certificate). If I didn't care about user expiration (and simultaneous access control) I wouldn't need to ask for help (simply modify xauth-eap to always pass authentication and not bother talking to RADIUS during authentication). I really want to use as many of freeradius' features as possible so I don't have to do things on the side (e.g. do the expiration check on the VPN side).

Any help would be much appreciated.

Thanks
Re: Expiration and EAP verification question
WorkingMan wrote:
> Can you give me an example of how to always accept a connection on EAP-* authentication (it will be password based from xauth-eap from strongswan)

No. EAP doesn't (and can't) work that way.

> but at the same time still honour Expiration logic? I am not sure how to do it (or what to look for). I have been trying different settings for a week now without success.

Because EAP is designed to make this impossible.

Alan DeKok.
eap-ttls with SMD5-Password
Hi, I'm trying to set up eap-ttls with freeradius; all my tests in the LAB were successful. I've tested it with both the users file and sql and it was working. Now I'm going to prepare it for the real setup. My only problem is that all my User-Passwords in the database are stored with the SMD5-Password attribute, and when I try it with EAP, authentication fails and I get these messages in debug:

Fri Sep 20 08:58:47 2013 : Info: [eap] Request found, released from the list
Fri Sep 20 08:58:47 2013 : Info: [eap] EAP/md5
Fri Sep 20 08:58:47 2013 : Info: [eap] processing type md5
Fri Sep 20 08:58:47 2013 : Debug: rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
Fri Sep 20 08:58:47 2013 : Info: [eap] Handler failed in EAP/md5
Fri Sep 20 08:58:47 2013 : Info: [eap] Failed in EAP select
Fri Sep 20 08:58:47 2013 : Info: ++[eap] returns invalid
Fri Sep 20 08:58:47 2013 : Info: Failed to authenticate the user.

Is there any possibility to make it work without changing the password attribute?

Kind Regards,
Nasser
Re: eap-ttls with SMD5-Password
On 20 Sep 2013, at 17:04, Nasser Heidari nas...@rasana.net wrote:

> Hi, I'm trying to set up eap-ttls with freeradius; all my tests in the LAB were successful. I've tested it with both the users file and sql and it was working. Now I'm going to prepare it for the real setup. My only problem is that all my User-Passwords in the database are stored with the SMD5-Password attribute, and when I try it with EAP, authentication fails and I get these messages in debug:

http://deployingradius.com/documents/protocols/compatibility.html

MD5/SMD5 requires that the reference password be in cleartext.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
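The reason behind Arran's answer, as an added example (not code from the list posts or from FreeRADIUS): an EAP-MD5 verifier that recomputes the CHAP-style response from a cleartext secret, beside a salted-MD5 store that can only check a cleartext password handed to it and therefore cannot produce the expected EAP-MD5 value. The {SMD5} encoding (LDAP style), the sample name and secret, and the hypothetical `authenticate_eap_md5` helper are assumptions for illustration.

```python
"""EAP-MD5 verification versus an SMD5-Password store (added example).

EAP-MD5 (RFC 3748 section 5.4) reuses the CHAP algorithm of RFC 1994: the
supplicant answers a 16-byte challenge with MD5(Identifier || secret ||
challenge). The server can only recompute that value if it holds the
cleartext secret. A salted MD5 password hash (assumed here in the LDAP
{SMD5} form base64(MD5(password || salt) || salt)) can check a cleartext
password handed to it, but it cannot be substituted into the CHAP formula,
which is the 'Cleartext-Password is required for EAP-MD5' failure above.
"""
import base64
import hashlib
import hmac
import os

EAP_RESPONSE = 2
EAP_TYPE_MD5_CHALLENGE = 4


def eap_md5_response(identifier, secret, challenge):
    """CHAP / EAP-MD5 response value (RFC 1994 section 4.1)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_eap_md5_response(identifier, value, name):
    """EAP-Response/MD5-Challenge packet: Code, Identifier, Length(2),
    Type, Value-Size, Value, Name (RFC 3748 section 5.4)."""
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    length = 4 + len(body)
    return bytes([EAP_RESPONSE, identifier]) + length.to_bytes(2, "big") + body


def parse_eap_md5_response(packet):
    """Return (identifier, value, name); raise ValueError on a bad packet."""
    if len(packet) < 6:
        raise ValueError("short EAP packet")
    code, identifier = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    if code != EAP_RESPONSE or length != len(packet):
        raise ValueError("not a well-formed EAP Response")
    if packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an MD5-Challenge")
    value_size = packet[5]
    if 6 + value_size > len(packet):
        raise ValueError("Value-Size exceeds packet length")
    return identifier, packet[6:6 + value_size], packet[6 + value_size:]


def smd5_encode(password, salt=None):
    """Constructed {SMD5} value: base64(MD5(password || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.md5(password + salt).digest()
    return "{SMD5}" + base64.b64encode(digest + salt).decode()


def smd5_verify(stored, candidate):
    """A cleartext candidate CAN be checked against the salted hash."""
    raw = base64.b64decode(stored[len("{SMD5}"):])
    digest, salt = raw[:16], raw[16:]
    return hmac.compare_digest(hashlib.md5(candidate + salt).digest(), digest)


def authenticate_eap_md5(packet, challenge, reference):
    """Hypothetical helper mirroring rlm_eap_md5's rule. reference is
    (attribute name, value). With Cleartext-Password the response is
    verified (True/False). With SMD5-Password (or any hashed form) the
    expected response cannot be derived, so None means 'cannot authenticate'."""
    identifier, value, _name = parse_eap_md5_response(packet)
    attribute, secret = reference
    if attribute != "Cleartext-Password":
        return None
    expected = eap_md5_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, value)


if __name__ == "__main__":
    challenge = os.urandom(16)  # the server's MD5-Challenge value
    pkt = build_eap_md5_response(
        7, eap_md5_response(7, b"secret", challenge), b"nasser")
    print(authenticate_eap_md5(pkt, challenge, ("Cleartext-Password", b"secret")))
    stored = smd5_encode(b"secret")
    print(smd5_verify(stored, b"secret"))
    print(authenticate_eap_md5(pkt, challenge, ("SMD5-Password", stored)))
```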
EAP-TLS works but not PEAP/EAP-TLS
Hi, I've got a Windows 7 machine attempting to connect to FreeRADIUS 2.2.0. EAP-TLS with a client certificate works fine, but with PEAP/EAP-TLS it doesn't. Is there anything I'm missing? The problem appears to be that the client doesn't send over the client cert. I know Windows is very fussy with what it accepts as a cert for EAP-TLS, but I'm confused as to why it works for one and not the other.

Mon Sep 16 12:56:55 2013 : Info: [tls] Length Included
Mon Sep 16 12:56:55 2013 : Info: [tls] eaptls_verify returned 11
Mon Sep 16 12:56:55 2013 : Info: [tls] (other): before/accept initialization
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: before/accept initialization
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS 1.0 Handshake [length 005a], ClientHello
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: SSLv3 read client hello A
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS 1.0 Handshake [length 0031], ServerHello
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: SSLv3 write server hello A
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS 1.0 Handshake [length 053e], Certificate
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: SSLv3 write certificate A
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS 1.0 Handshake [length 000d], CertificateRequest
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: SSLv3 write certificate request A
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: SSLv3 flush data
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
Mon Sep 16 12:56:55 2013 : Debug: In SSL Handshake Phase ...
Mon Sep 16 12:57:00 2013 : Debug: WARNING: !!
Mon Sep 16 12:57:00 2013 : Debug: WARNING: !! EAP session for state 0x7c569f3d755a860c did not finish!
Mon Sep 16 12:57:00 2013 : Debug: WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
Mon Sep 16 12:57:00 2013 : Debug: WARNING: !!
Mon Sep 16 12:57:00 2013 : Info: Ready to process requests.

radius.log: http://pastebin.com/9fBdxfYt
eap.conf: http://pastebin.com/7dL69pmQ
inner-tunnel: http://pastebin.com/BGzJSKz0

Thanks,
John.

--
John Carter
Identity Networks
jcar...@identitynetworks.com
skype:jcartermeru
Re: EAP-TLS works but not PEAP/EAP-TLS
On Tue, Sep 17, 2013 at 07:54:12AM +0100, John Carter wrote:
> I've got a Windows 7 machine attempting to connect to FreeRADIUS 2.2.0. EAP-TLS with a client certificate works fine, but with PEAP/EAP-TLS it doesn't.

Hi. Make fragment_size in modules/inner-eap smaller than fragment_size in eap.conf. I've got 1200 in inner-eap and 1400 in eap.conf.

cheers
mk
Re: EAP-TLS works but not PEAP/EAP-TLS
Thanks Martin, I had already changed this in the config, but it led me to the real issue, which was that I'd added an eap inner-eap section to my eap.conf, but I also had a modules/inner-eap file from the default config. When I removed the modules/inner-eap file it all works fine.

Thanks again,
John.

On 17 September 2013 08:46, Martin Kraus lists...@wujiman.net wrote:

> On Tue, Sep 17, 2013 at 07:54:12AM +0100, John Carter wrote:
>> I've got a Windows 7 machine attempting to connect to FreeRADIUS 2.2.0. EAP-TLS with a client certificate works fine, but with PEAP/EAP-TLS it doesn't.
>
> Hi. Make fragment_size in modules/inner-eap smaller than fragment_size in eap.conf. I've got 1200 in inner-eap and 1400 in eap.conf.
>
> cheers
> mk

--
John Carter
Identity Networks
jcar...@identitynetworks.com
skype:jcartermeru
Debugging No EAP session matching the State variable
I run two freeradius servers (both 2.2.0 x86_64) with MySQL backends doing ntlm_auth (RHEL 6, Samba 3.6.9) for EAP-PEAP-MSChapV2 for our client devices. I have enabled the server debug using radmin (the debug file is HUGE, so that is why I am not posting it along with this). I have googled and read and analyzed as much as I can, so I am looking to the list to see if anyone has experienced this problem. I was concentrating on a single user, mhaley:

Sep 16 08:40:33 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 08:40:42 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 08:40:42 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 08:40:54 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 08:40:54 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 08:41:22 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 08:41:22 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 08:41:33 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 08:41:33 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 08:41:49 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 08:41:49 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 08:42:08 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 08:42:08 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 08:42:12 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 08:42:12 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 08:42:15 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 08:42:15 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 09:57:56 newdvlanb radiusd[15211]: Invalid user: [mhaley7] (from client Rich-core-WiSM-E port 29 cli 3c:e0:72:a5:b7:81)
Sep 16 09:58:01 newdvlanb radiusd[15211]: Invalid user: [mhaley7] (from client Rich-core-WiSM-E port 29 cli 3c:e0:72:a5:b7:81)
Sep 16 09:58:57 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client Rich-core-WiSM-E port 29 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 09:58:57 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client Rich-core-WiSM-E port 29 cli 3c:e0:72:a5:b7:81)
Sep 16 10:03:42 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client Rich-core-WiSM-C port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 10:03:42 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client Rich-core-WiSM-C port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 10:03:49 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client Rich-core-WiSM-C port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 10:03:54 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client Rich-core-WiSM-C port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 10:06:09 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client Rich-core-WiSM-C port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 10:06:09 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client Rich-core-WiSM-C port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 10:36:10 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client Rich-core-WiSM-C port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 10:36:10 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client Rich-core-WiSM-C port 13 cli 3c:e0:72:a5:b7:81)

Around there (without the OK's), I am seeing many of this style of message:

Sep 16 09:57:56 newdvlanb radiusd[15211]: Login incorrect: [jwalters38] (from client resnet1-WiSM-A port 13 cli a8:26:d9:34:bc:5f)
Sep 16 09:57:56 newdvlanb radiusd[15211]: rlm_eap: No EAP session matching the State variable.
Sep 16 09:57:56 newdvlanb radiusd[15211]: Login incorrect: [arogers44] (from client Rich-core-WiSM-E port 29 cli a8:06:00:cc:6b:29)
Sep 16 09:57:56 newdvlanb radiusd[15211]: Invalid user: [mhaley7] (from client Rich-core-WiSM-E port 29 cli 3c:e0:72:a5:b7:81)
Sep 16 09:57:56 newdvlanb radiusd[15211]: rlm_eap: No EAP session matching the State variable.
Sep 16 09:57:56 newdvlanb radiusd[15211]: Login incorrect: [bboggess3] (from client Rich-core-WiSM-E port 29 cli
Re: Debugging No EAP session matching the State variable
Hi,

> Sep 16 09:57:56 newdvlanb radiusd[15211]: rlm_eap: No EAP session matching the State variable.

Turn on full debug for just a single User-Name or Calling-Station-Id (check the radmin docs).

What are your authentication clean-up/tidy-up times? If the clients don't respond then the session is cleared away and so no matching state/session will be found.

Also, what clients are these? Android, for example, has an annoying thing where 802.1X networks that have credentials stored need the credential store to be unlocked before they'll authenticate to that 802.1X network again.

Also, check your wireless domain. Find some of these clients (CSI) on your wireless management dashboard and find out what their relationship with the nearest APs is - they could be being mobile between APs in a nasty way or during authentication, so a packet or 2 is missing. Remember, with e.g. 802.1X and PEAP you've got 11 packets or more to be shunted over wireless (and UDP!) for an authentication. If you've allowed clients to join APs at really low rates and borderline connections, this can cause grief.

alan
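A triage script for the kind of syslog output quoted in this thread, as an added example (not code from the list posts or from FreeRADIUS): it parses the radiusd authentication and "No EAP session" lines, then surfaces what the reply above suggests looking at, namely clients that complete one outer authentication after another within seconds, failure counts per client MAC, and how the "No EAP session" messages cluster by minute. The year 2013 (syslog lines carry none) and the 30-second re-authentication threshold are assumptions; the sample lines are a subset of the log posted above.

```python
"""Triage of radiusd syslog lines from the thread above (added example)."""
import re
from collections import Counter
from datetime import datetime

# One syslog line per authentication result, in the format radiusd writes.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) radiusd\[(?P<pid>\d+)\]: "
    r"(?P<result>Login OK|Login incorrect|Invalid user): \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+) cli (?P<mac>[0-9a-fA-F:]+)"
    r"(?P<tunnel> via TLS tunnel)?\)$"
)
NOSESSION_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ radiusd\[\d+\]: "
    r"rlm_eap: No EAP session matching the State variable\.$"
)


def parse_ts(ts, year=2013):
    """syslog timestamps carry no year; 2013 (the thread's date) is assumed."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def parse_log(lines):
    """Split lines into authentication records and 'No EAP session' times."""
    auths, nosession = [], []
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = parse_ts(rec["ts"])
            rec["tunnel"] = rec["tunnel"] is not None
            auths.append(rec)
            continue
        m = NOSESSION_RE.match(line)
        if m:
            nosession.append(parse_ts(m.group("ts")))
    return auths, nosession


def rapid_reauths(auths, max_gap=30):
    """Per MAC, count outer 'Login OK' results (those without 'via TLS
    tunnel') that follow the previous outer success for the same MAC within
    max_gap seconds. The threshold is an assumption, not a FreeRADIUS
    setting; a device completing PEAP every ~10 s is roaming or flapping,
    which is where lost handshake packets and stale State values come from."""
    last, hits = {}, Counter()
    for rec in auths:
        if rec["result"] != "Login OK" or rec["tunnel"]:
            continue
        prev = last.get(rec["mac"])
        if prev is not None and (rec["ts"] - prev).total_seconds() <= max_gap:
            hits[rec["mac"]] += 1
        last[rec["mac"]] = rec["ts"]
    return dict(hits)


def failures_by_mac(auths):
    """'Login incorrect' plus 'Invalid user' counts per client MAC."""
    return dict(Counter(r["mac"] for r in auths if r["result"] != "Login OK"))


def nosession_per_minute(nosession):
    """How many 'No EAP session' messages fell into each minute."""
    return dict(Counter(ts.strftime("%b %d %H:%M") for ts in nosession))


# Sample lines: a subset of the log posted in this thread.
SAMPLE_LOG = """\
Sep 16 08:40:33 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 08:40:42 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 08:40:42 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 08:40:54 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 08:40:54 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 09:57:56 newdvlanb radiusd[15211]: Login incorrect: [jwalters38] (from client resnet1-WiSM-A port 13 cli a8:26:d9:34:bc:5f)
Sep 16 09:57:56 newdvlanb radiusd[15211]: rlm_eap: No EAP session matching the State variable.
Sep 16 09:57:56 newdvlanb radiusd[15211]: Invalid user: [mhaley7] (from client Rich-core-WiSM-E port 29 cli 3c:e0:72:a5:b7:81)
Sep 16 09:57:56 newdvlanb radiusd[15211]: rlm_eap: No EAP session matching the State variable.
Sep 16 09:58:57 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client Rich-core-WiSM-E port 29 cli 3c:e0:72:a5:b7:81)
"""

if __name__ == "__main__":
    auths, nosession = parse_log(SAMPLE_LOG.splitlines())
    print("rapid re-auths per MAC:", rapid_reauths(auths))
    print("failures per MAC:", failures_by_mac(auths))
    print("'No EAP session' per minute:", nosession_per_minute(nosession))
```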
EAP + SSL + Certificate chains
Hello,

We are using freeradius with EAP/SSL and although it is working fine, I was wondering if there was a way to prevent the user from getting the prompt to accept the certificate? I have combined the intermediate and server certificates into one file and used that file in the 'certificate_file' config in eap.conf. On OSX, the certificates are marked as valid, including the root, intermediate and server, but it still prompts the user to accept. Is there a way around this?

Cheers,
- Trevor
RE: EAP + SSL + Certificate chains
Trevor Jennings wrote:
> We are using freeradius with EAP/SSL and although it is working fine, I was wondering if there was a way to prevent the user from getting the prompt to accept the certificate? I have combined the intermediate and server certificates into one file and used that file in the 'certificate_file' config in eap.conf. On OSX, the certificates are marked as valid, including the root, intermediate and server, but it still prompts the user to accept. Is there a way around this?

About the only way I can think of is to install a profile (.mobileconfig) which pre-approves the use of that certificate authority.

Reason being, if you just accept any old certificate authority, any compromised certificate will work, and on newer OSX/iOS the only way to check the certificate subject for the name of your RADIUS server, which is a better option for patching the hole, is to install a profile anyway.

So really, this means without prompting the user, any stolen key for any unrevoked certificate from any CA in that entire list, worldwide, could be used to launch a MITM attack and steal passwords or other data. This is not a particularly difficult object to get your hands on.

(Incidentally this is why many environments do not like having Android devices on their wireless LANs, since they don't have any such native options accessible from the UI or even a decent way to distribute profiles. Heck, they don't even fake it by making the first certificate they see sticky. The first time warez to perform an MITM on WPA2-Enterprise is packaged in a way that any old script kiddie can use, there will be pain.)

--
Brian Julin
Network Administrator
Clark University
Re: EAP + SSL + Certificate chains
2013/9/12 Brian Julin bju...@clarku.edu

> Trevor Jennings wrote:
> [...]
>> On OSX, the certificates are marked as valid, including the root, intermediate and server, but it still prompts the user to accept. Is there a way around this?
>
> About the only way I can think of is to install a profile (.mobileconfig) which pre-approves the use of that certificate authority.

If you want to make things all nice and green-looking for your end-users, look into mobileconfig signing. TERENA has a good example of how to do this for eduroam: https://confluence.terena.org/display/tcs/Sign+Apple+mobileconfig+files

> Reason being, if you just accept any old certificate authority, any compromised certificate will work, and on newer OSX/iOS the only way to check the certificate subject for the name of your RADIUS server.

And as you mention OS X, yes, the same .mobileconfig for iOS will work for OS X 10.7 onwards, which was a quite nice thing in my environment to know.

> [...]
> (Incidentally this is why many environments do not like having Android devices on their wireless LANs, since they don't have any such native options accessible from the UI or even a decent way to distribute profiles.

At least from that side there is hope for improvements: with Android 4.3 onwards there are API calls for enterprise wireless configuration. Maybe someone steps up by making an application that can manage profiles or something like this.

> Heck, they don't even fake it by making the first certificate they see sticky.

Worse... ;-) It's up to the user to install the CA certificate on their own - even if that is a public CA in Android, they can't select them otherwise (!). At least then authentication stops if you put up a server certificate not signed by that specified CA.

The only open source provisioning tool for Android (that I believe didn't get much traction) is SU1X for Android, made by Swansea University for eduroam.

--
Mathieu
RE: EAP + SSL + Certificate chains
Mathieu wrote:
> At least from that side there is hope for improvements: with Android 4.3 onwards there are API calls for enterprise wireless configuration. Maybe someone steps up by making an application that can manage profiles or something like this.

That is promising, but I hope this does not become a case of "Oh, there's an app for that" basic system function versus it being in the core UI. Because nobody will have it pre-installed.

-- Brian
Re: eap-tls ignore client cert expiry check - crazy idea?
Hi All,

Just to let you all know I did get all my setup working (took me a while, not being a Linux guru) but it does work as expected. Just in case anyone was wondering :)

Many thanks all

Ken :)

On 29 August 2013 at 16:05 ken.farrington ken.farring...@802.co.uk wrote:
> Hi All,
>
> Is there a way if I had 10 clients in my home lab and all the certs expire tomorrow, that rather than re-provide all the certs to my clients, I can frig the radius server time, to still accept them. I'm guessing this is a no, but from what I see, the client cert is presented, and checked against the server time. Would this be correct?
>
> Many thanks in advance
>
> Ken
Re: EAP logging
On 28 Aug 2013, at 23:39, Andrej andrej.gro...@gmail.com wrote:
> I would like f_ticks to write out a single line into syslog that contains the inner and outer identity of an authentication request, the station ID and MAC address. In case of a successful authentication or rejection I'd like to have the inner identity and a status on a line,

We do this by using lots of custom linelog instances. In linelog.conf (just a few examples):

linelog acceptlog {
        filename = /var/log/radius/auth-%D.log
        format = "%S (%l) id %I ACCEPT %{User-Name} (station %{%{Calling-Station-Id}:--}) auth-type %{control:Auth-Type}/%{EAP-Type} realm %{%{Realm}:--} nas %{%{NAS-IP-Address}:-%{%{NAS-IPv6-Address}:--}}/%{%{NAS-Port}:--} (operator %{%{Operator-Name}:--}) client %{%{Packet-Src-IP-Address}:-%{%{Packet-Src-IPv6-Address}:--}} (%{Client-Shortname}) ap '%{%{UCam-AP-Name}:--}' essid '%{%{UCam-Essid-Name}:--}' = %{%{reply:User-Name}:--} reply-msg '%{reply:Reply-Message}'"
}

linelog inner-acceptlog {
        filename = /var/log/radius/auth-%D.log
        format = "%S (%l) id %I INNER-TUNNEL ACCEPT %{User-Name} (station %{%{outer.request:Calling-Station-Id}:--}) outer-id %{outer.request:User-Name} auth-type %{outer.control:Auth-Type}/%{outer.request:EAP-Type}/%{control:Auth-Type} realm %{%{Realm}:--} nas %{%{outer.request:NAS-IP-Address}:-%{%{outer.request:NAS-IPv6-Address}:--}}/%{%{outer.request:NAS-Port}:--} (operator %{%{outer.request:Operator-Name}:--}) client %{%{Packet-Src-IP-Address}:-%{%{Packet-Src-IPv6-Address}:--}} (%{Client-Shortname}) ap '%{%{outer.request:UCam-AP-Name}:--}' essid '%{%{outer.request:UCam-Essid-Name}:--}' = %{%{reply:User-Name}:--} reply-msg '%{reply:Reply-Message}'"
}

linelog proxy-replylog {
        filename = /var/log/radius/auth-%D.log
        format = "%S (%l) id %I PROXY REPLY %{User-Name} (station %{%{Calling-Station-Id}:--}) auth-type /%{EAP-Type} realm %{%{Realm}:--} nas %{%{NAS-IP-Address}:-%{%{NAS-IPv6-Address}:--}}/%{%{NAS-Port}:--} (operator %{%{Operator-Name}:--}) client %{%{Packet-Src-IP-Address}:-%{%{Packet-Src-IPv6-Address}:--}} (%{Client-Shortname}) proxy %{%{proxy-reply:Packet-Src-IP-Address}:-%{%{proxy-reply:Packet-Src-IPv6-Address}:--}} proxy-reply-type %{proxy-reply:Packet-Type} proxy-reply-msg '%{proxy-reply:Reply-Message}' = %{%{proxy-reply:User-Name}:--}"
}

We call them as follows:

[default]
post-proxy {
        ...
        proxy-replylog
        ...
}

post-auth {
        ...
        acceptlog
        ...
}

[inner-tunnel]
post-auth {
        ...
        inner-acceptlog
        ...
}

There are some references to %{UCam-AP-Name} and things in there -- we set these with things like:

if (%{Aruba-Location-Id}) {
        update request {
                UCam-AP-Name := "%{Aruba-Location-Id}"
                UCam-Essid-Name := "%{Aruba-Essid-Name}"
        }
}

... they let us not refer to the direct Aruba attributes and would allow us to more easily add another wireless system (we used to have Cisco but migrated away) - if we had to move again, we don't have lots of Cisco-specific bits all over the place. Note that the attributes are defined in 'dictionary'.

The above stuff will give lines like:

2013-08-29 10:53:02 (1377769982) id 175 INNER-TUNNEL ACCEPT rc...@cam.ac.uk (station 0015AF81CEB3) outer-id @cam.ac.uk auth-type EAP/PEAP/EAP realm LOCAL nas 131.111.1.20/0 (operator 1lapwing.cam.ac.uk) client 131.111.1.20 (erri...@lapwing.cam.ac.uk) ap '00:24:6c:c3:24:fd' essid 'eduroam' = rcf34 reply-msg '[cam.ac.uk] Successful authentication ACCEPT'

[example from inner-acceptlog.]

Hope this helps,

- Bob

--
Bob Franklin rc...@cam.ac.uk +44 1223 748479
Network Division, University of Cambridge Computing Service
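The lines those linelog instances write are only useful if something downstream can read them back; the following is an added example (not Bob Franklin's code) that parses the acceptlog and inner-acceptlog formats into fields and runs one assumed policy check over them, flagging inner-tunnel accepts whose inner identity realm differs from the outer identity realm. The sample log lines are constructed to match the formats above, with placeholder names and addresses.

```python
"""Parse auth log lines in the acceptlog / inner-acceptlog linelog formats.

Added example, not code from the list post. The sample lines are constructed
to match those formats; the realm-consistency check is an assumed local
policy, not something the post describes.
"""
import re

# One expression covers both instances: outer-id is only present in the
# inner-acceptlog format, so it is optional.
LINE_RE = re.compile(
    r"^(?P<when>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \((?P<epoch>\d+)\) id (?P<id>\d+) "
    r"(?P<event>INNER-TUNNEL ACCEPT|ACCEPT) (?P<user>\S+) \(station (?P<station>[^)]*)\) "
    r"(?:outer-id (?P<outer_id>\S+) )?"
    r"auth-type (?P<auth_type>\S+) realm (?P<realm>\S+) nas (?P<nas>\S+) "
    r"\(operator (?P<operator>[^)]*)\) client (?P<client>\S+) \((?P<client_short>[^)]*)\) "
    r"ap '(?P<ap>[^']*)' essid '(?P<essid>[^']*)' = (?P<reply_user>\S+) "
    r"reply-msg '(?P<reply_msg>[^']*)'$"
)


def parse_line(line):
    """Return the named fields of one auth log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # "--" is what the %{%{Attr}:--} xlats above emit for an absent attribute
    rec = {k: (None if v == "--" else v) for k, v in m.groupdict().items()}
    rec["epoch"] = int(rec["epoch"])
    rec["id"] = int(rec["id"])
    return rec


def realm_of(identity):
    """Domain part of an NAI such as user@example.ac.uk ('' if there is none)."""
    if not identity or "@" not in identity:
        return ""
    return identity.rsplit("@", 1)[1].lower()


def realm_mismatches(lines):
    """Inner-tunnel accepts whose inner identity realm differs from the outer one.

    Assumed policy: the (often anonymous) outer identity and the real inner
    identity should carry the same realm, otherwise the request was routed on
    a realm that does not belong to the user who actually authenticated.
    """
    bad = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["event"] == "INNER-TUNNEL ACCEPT" and rec["outer_id"]:
            if realm_of(rec["user"]) != realm_of(rec["outer_id"]):
                bad.append((rec["id"], rec["user"], rec["outer_id"]))
    return bad


# Constructed sample lines in the shape the two linelog instances emit
SAMPLE_LOG = [
    "2013-08-29 10:53:02 (1377769982) id 175 INNER-TUNNEL ACCEPT user1@example.ac.uk "
    "(station 0015AF81CEB3) outer-id @example.ac.uk auth-type EAP/PEAP/EAP realm LOCAL "
    "nas 192.0.2.20/0 (operator 1wlc.example.ac.uk) client 192.0.2.20 (wlc.example.ac.uk) "
    "ap '00:24:6c:c3:24:fd' essid 'eduroam' = user1 "
    "reply-msg '[example.ac.uk] Successful authentication ACCEPT'",
    "2013-08-29 10:53:02 (1377769982) id 175 ACCEPT @example.ac.uk (station 0015AF81CEB3) "
    "auth-type EAP/PEAP realm LOCAL nas 192.0.2.20/0 (operator 1wlc.example.ac.uk) "
    "client 192.0.2.20 (wlc.example.ac.uk) ap '00:24:6c:c3:24:fd' essid 'eduroam' "
    "= user1 reply-msg '--'",
    "2013-08-29 10:54:10 (1377770050) id 176 INNER-TUNNEL ACCEPT user2@example.org "
    "(station 0015AF81CEB4) outer-id anonymous@example.ac.uk auth-type EAP/PEAP/EAP "
    "realm LOCAL nas 192.0.2.20/0 (operator 1wlc.example.ac.uk) client 192.0.2.20 "
    "(wlc.example.ac.uk) ap '00:24:6c:c3:24:fe' essid 'eduroam' = user2 reply-msg '--'",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(parse_line(entry))
    print(realm_mismatches(SAMPLE_LOG))
```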
Re: EAP logging
Andrej wrote:
> This brings me back to my earlier question: what values are available where, and when, via which mechanism?

This was asked and answered. I suggest reading responses to your messages.

Asking "what values are available" is wrong. There are no magic values in the server. There are just attributes in a packet. If you want to know what attributes are available, look at the debug output.

That REALLY is it. It's not hard. It's not rocket science. There's no magic.

> I think I still don't fully understand how modules hang together, how I pass information from e.g. an EAP request into line-log,

Read doc/aaa.rst

You don't pass information into a module. The incoming packet (and associated data) is given to the module. The module then decides what to do.

> sites-enabled/eap-inner-tunnel, how I tell f_ticks (or linelog, or any other modules for that matter) which values I'd like to work with.

Have you tried reading the debug output? It's *telling you* what it's doing. The f_ticks module is telling you what it's doing.

Have you tried reading the default configuration for the linelog module? It has LOTS of documentation describing how it works.

Ask *specific* questions about what's confusing you.

> I would like f_ticks to write out a single line into syslog that contains the inner and outer identity of an authentication request, the station ID and MAC address.

So... do you see that data in the debug output? If so, read "man unlang" for how to reference attributes. See the default linelog configuration for how the module works. Put the two together, and you'll have it.

> Can anyone point me at a walk-through or how-to? I've now spent days flicking from one wiki-page to the next, and reading mailing list archives w/o finding anything that helps me understand.

There are NO examples which document exactly what you're trying to do. Most deployments are unique. Creating documentation for every possible deployment is impossible.

It sounds like you're not understanding basic concepts, and reading random web pages, looking for a magic solution. This isn't the best approach.

Read doc/aaa.rst. Read "man unlang". Read the debug output. Read the default linelog configuration.

Alan DeKok.
EAP-Peap-MSchapv2 proxy from innertunnel
I'm trying to do a proxy from the inner-tunnel over to another radius server. The primary reason for this is that we need to strip off the realm before passing to the proxy.

I'm getting an EAP error response from the other server about it not liking the id number:

Supplicant sent unmatched EAP response packet identifier

(This is an EAP-PEAP-MSCHAPv2 scenario.)

The EAP.conf file is configured with:

proxy_tunneled_request_as_eap = yes

I've included a TCP dump of the main freeradius server below.

WC -- Wireless controller
FR-2.10 -- Freeradius server
ISE-proxy -- The server FR-2.10 is sending proxy requests to

It does appear that FR-2.10 is beginning a conversation with ISE-proxy and id: 0xde. It seems that ISE-proxy responds ok, but then the next message from FR-2.10 to ISE-proxy has id: 0xa8, but I'm thinking that ISE-proxy is expecting 0xdf?

I'll admit I'm still pretty confused about much of the EAP stuff, but maybe I'm missing something simple in the config? Any ideas would be greatly appreciated.

Thanks,

Robert

07:03:51.286831 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x82 length: 227
07:03:51.287639 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x82 length: 64
07:03:51.289921 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x83 length: 354
07:03:51.300931 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x83 length: 1090
07:03:51.304143 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x84 length: 238
07:03:51.304640 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x84 length: 1086
07:03:51.307583 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x85 length: 238
07:03:51.314568 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x85 length: 1086
07:03:51.317658 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x86 length: 238
07:03:51.324409 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x86 length: 923
07:03:51.335322 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x87 length: 440
07:03:51.337658 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x87 length: 123
07:03:51.339867 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x88 length: 238
07:03:51.344424 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x88 length: 101
07:03:51.346564 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x89 length: 328
--- Begin proxy ?
07:03:51.354527 IP FR-2.10.1814 > ISE-proxy.radius: RADIUS, Access Request (1), id: 0xde length: 246
07:03:51.371848 IP ISE-proxy.radius > FR-2.10.1814: RADIUS, Access Challenge (11), id: 0xde length: 132
07:03:51.372108 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x89 length: 101
07:03:51.374137 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x8a length: 312
07:03:51.384449 IP FR-2.10.1814 > ISE-proxy.radius: RADIUS, Access Request (1), id: 0xa8 length: 306
07:03:51.386386 IP ISE-proxy.radius > FR-2.10.1814: RADIUS, Access Reject (3), id: 0xa8 length: 49
07:03:52.387589 IP FR-2.10.radius > WC.32769: RADIUS, Access Reject (3), id: 0x8a length: 101
--End proxy
Re: EAP-Peap-MSchapv2 proxy from innertunnel
On 29/08/13 14:35, Robert Roll wrote:
> I'm trying to do a proxy from the inner-tunnel over to another radius server. The primary reason for this is that we need to strip off the realm before passing to the proxy.
>
> I'm getting an EAP error response from the other server about it not liking the id number:
>
> Supplicant sent unmatched EAP response packet identifier
>
> (This is an EAP-PEAP-MSCHAPv2 scenario.)
>
> The EAP.conf file is configured with:
>
> proxy_tunneled_request_as_eap = yes
>
> I've included a TCP dump of the main freeradius server below.

But not a debug gathered with radiusd -X, which is the only thing anyone ever wants to see.
Re: EAP-Peap-MSchapv2 proxy from innertunnel
On Thu, Aug 29, 2013 at 01:35:25PM +, Robert Roll wrote:
> I'm getting an EAP error response from the other server about it not liking the id number:
>
> Supplicant sent unmatched EAP response packet identifier

EAP Response identifier sent by the client has to match EAP Request identifier sent by the server, which would be ISE. Can you see the EAP-Message AVPs sent and received by freeradius? The identifier is the second byte.

mk
RE: EAP-Peap-MSchapv2 proxy from innertunnel
I guess I assumed the id: in the TCP dump below was the EAP Response Identifier, maybe not? Is there a different EAP response identifier?

I actually have been running with debug radius -X. Obviously a lot longer output than just the TCP dump. That is why I first tried just the TCP dump. I guess I was also hoping somebody might have just had a thought about a common configuration issue...

I just went back to run another test and the proxy server now seems to be down. This server is run by our network group and I don't know when it might be back. As soon as it comes back, I will run and capture the debug and see if I can see the EAP-Message AVPs. I will also post the debug.

Thanks,

Robert

07:03:51.354527 IP FR-2.10.1814 > ISE-proxy.radius: RADIUS, Access Request (1), id: 0xde length: 246
07:03:51.371848 IP ISE-proxy.radius > FR-2.10.1814: RADIUS, Access Challenge (11), id: 0xde length: 132
07:03:51.384449 IP FR-2.10.1814 > ISE-proxy.radius: RADIUS, Access Request (1), id: 0xa8 length: 306
07:03:51.386386 IP ISE-proxy.radius > FR-2.10.1814: RADIUS, Access Reject (3), id: 0xa8 length: 49

From: freeradius-users-bounces+robert.roll=utah@lists.freeradius.org [freeradius-users-bounces+robert.roll=utah@lists.freeradius.org] on behalf of Martin Kraus [lists...@wujiman.net]
Sent: Thursday, August 29, 2013 8:11 AM
To: FreeRadius users mailing list
Subject: Re: EAP-Peap-MSchapv2 proxy from innertunnel

> On Thu, Aug 29, 2013 at 01:35:25PM +, Robert Roll wrote:
> > I'm getting an EAP error response from the other server about it not liking the id number:
> >
> > Supplicant sent unmatched EAP response packet identifier
>
> EAP Response identifier sent by the client has to match EAP Request identifier sent by the server, which would be ISE. Can you see the EAP-Message AVPs sent and received by freeradius? The identifier is the second byte.
>
> mk
eap-tls ignore client cert expiry check - crazy idea?
Hi All,

Is there a way if I had 10 clients in my home lab and all the certs expire tomorrow, that rather than re-provide all the certs to my clients, I can frig the radius server time, to still accept them. I'm guessing this is a no, but from what I see, the client cert is presented, and checked against the server time. Would this be correct?

Many thanks in advance

Ken

Ken Farrington
Director
CCIE #12651
802 Limited
International House, 221 Bow Road, London, E3 2SJ, United Kingdom
Direct: +44 (0)7500 802802
ken.farring...@802.co.uk
http://www.802.co.uk

Disclaimer
This e-mail may contain information that is confidential, privileged or otherwise protected from disclosure. If you are not an intended recipient of this e-mail, do not duplicate or redistribute it by any means. Please delete it and any attachments and notify the sender that you have received it in error. Any views or opinions presented are solely those of the author and do not necessarily represent those of 802 Limited or any subsidiary company of 802 Limited. This email may relate to or be sent from other members of the 802 Group. All rights reserved. 802 Limited. Registered in the UK. Company Number. 7962864.
Re: EAP-Peap-MSchapv2 proxy from innertunnel
On Thu, Aug 29, 2013 at 02:56:44PM +, Robert Roll wrote:
> I guess I assumed the id: in the TCP dump below was the EAP Response Identifier, maybe not? Is there a different EAP response identifier?

That is the id of the radius packet. EAP lives inside radius packet AVPs called EAP-Message. You can see the AVPs when you run tcpdump -vv.

What is worth noting is that a radius Access-Request carries the EAP-Response from the client to the server and an Access-Challenge carries the EAP-Request from the server to the client.

mk
Re: EAP-Peap-MSchapv2 proxy from innertunnel
On 29/08/13 15:56, Robert Roll wrote:
> I guess I assumed the id: in the TCP dump below was the EAP Response Identifier, maybe not? Is there a different EAP response identifier?

Yes, in the EAP-Message attribute (EAP packet)

> I actually have been running with debug radius -X. Obviously a lot longer output than just the TCP dump. That is why I first tried just the TCP dump. I guess I was also hoping somebody might have just had a thought about a common configuration issue...

TBH proxying EAP inner is not common at all; there have been bugs in that area in the past.

Re-reading I notice that you're running 2.10 - upgrade. I'm pretty certain that version has inner-eap proxy bugs. Go to 2.2.0.
RE: EAP-Peap-MSchapv2 proxy from innertunnel
Ok, Below is the TCP dump. I have attached the Freeradius Debug output beginning near the start of the proxy.

WC -- the wireless controller (155.99.193.24)
FR-2.10 -- Freeradius 2.10 (155.97.182.175)
ISE-proxy -- ISE proxy server (155.97.185.76)

Again, any help would be much appreciated.

Thanks,

Robert

09:31:25.451223 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x72 length: 229
09:31:25.452467 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x72 length: 64
09:31:25.454469 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x73 length: 355
09:31:25.461847 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x73 length: 1090
09:31:25.465436 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x74 length: 239
09:31:25.465779 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x74 length: 1086
09:31:25.469322 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x75 length: 239
09:31:25.469644 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x75 length: 1086
09:31:25.472928 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x76 length: 239
09:31:25.473199 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x76 length: 923
09:31:25.482815 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x77 length: 441
09:31:25.485315 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x77 length: 123
09:31:25.488059 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x78 length: 239
09:31:25.488362 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x78 length: 101
09:31:25.490724 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x79 length: 329
--Begin Proxy
09:31:25.491570 IP FR-2.10.1814 > ISE-proxy.radius: RADIUS, Access Request (1), id: 0xd8 length: 242
09:31:25.497310 IP ISE-proxy.radius > FR-2.10.1814: RADIUS, Access Challenge (11), id: 0xd8 length: 128
09:31:25.497504 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x79 length: 101
09:31:25.499645 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x7a length: 313
09:31:25.500528 IP FR-2.10.1814 > ISE-proxy.radius: RADIUS, Access Request (1), id: 0x47 length: 300
09:31:25.502871 IP ISE-proxy.radius > FR-2.10.1814: RADIUS, Access Reject (3), id: 0x47 length: 49
09:31:26.504148 IP FR-2.10.radius > WC.32769: RADIUS, Access Reject (3), id: 0x7a length: 101

From: freeradius-users-bounces+robert.roll=utah@lists.freeradius.org [freeradius-users-bounces+robert.roll=utah@lists.freeradius.org] on behalf of Phil Mayers [p.may...@imperial.ac.uk]
Sent: Thursday, August 29, 2013 7:58 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: EAP-Peap-MSchapv2 proxy from innertunnel

> On 29/08/13 14:35, Robert Roll wrote:
> > I'm trying to do a proxy from the inner-tunnel over to another radius server. The primary reason for this is that we need to strip off the realm before passing to the proxy.
> >
> > I'm getting an EAP error response from the other server about it not liking the id number:
> >
> > Supplicant sent unmatched EAP response packet identifier
> >
> > (This is an EAP-PEAP-MSCHAPv2 scenario.)
> >
> > The EAP.conf file is configured with:
> >
> > proxy_tunneled_request_as_eap = yes
> >
> > I've included a TCP dump of the main freeradius server below.
>
> But not a debug gathered with radiusd -X, which is the only thing anyone ever wants to see.
RE: EAP-Peap-MSchapv2 proxy from innertunnel
Ok, I've tried this with 2.2 and still get the same behavior.

If I actually look at the proxy-inner-tunnel I see the following for post-proxy:

post-proxy {
        #
        #  This is necessary for LEAP, or if you set:
        #
        #  proxy_tunneled_request_as_eap = no
        #
        eap
}

I see that eap needs to be invoked if using proxy_tunneled_request_as_eap = no. Does it actually need to NOT be there for proxy_tunneled_request_as_eap = no?

I should say I'm actually NOT using the proxy-inner-tunnel server, but rather the default inner-tunnel with:

#  If you want the inner tunnel request to be proxied, delete
#  the next few lines.
#
# update control {
#         Proxy-To-Realm := LOCAL
# }

Thanks,

Robert

From: freeradius-users-bounces+robert.roll=utah@lists.freeradius.org [freeradius-users-bounces+robert.roll=utah@lists.freeradius.org] on behalf of Phil Mayers [p.may...@imperial.ac.uk]
Sent: Thursday, August 29, 2013 9:38 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: EAP-Peap-MSchapv2 proxy from innertunnel

> On 29/08/13 15:56, Robert Roll wrote:
> > I guess I assumed the id: in the TCP dump below was the EAP Response Identifier, maybe not? Is there a different EAP response identifier?
>
> Yes, in the EAP-Message attribute (EAP packet)
>
> > I actually have been running with debug radius -X. Obviously a lot longer output than just the TCP dump. That is why I first tried just the TCP dump. I guess I was also hoping somebody might have just had a thought about a common configuration issue...
>
> TBH proxying EAP inner is not common at all; there have been bugs in that area in the past.
>
> Re-reading I notice that you're running 2.10 - upgrade. I'm pretty certain that version has inner-eap proxy bugs. Go to 2.2.0.
Re: EAP-Peap-MSchapv2 proxy from innertunnel
On 29/08/13 17:01, Robert Roll wrote:
> Ok, Below is the TCP dump. I have attached the Freeradius Debug output beginning near the start of the proxy.

The problem here is pretty straightforward, but not obvious from the debugs since FR is just proxying.

Basically, the client sends the inner EAP-identity, and the proxy server responds with an EAP-TLS start i.e. you would be doing EAP-TLS inside PEAP, if this worked:

rad_recv: Access-Challenge packet from host 155.97.185.76 port 1812, id=216, length=128
        State = ...
        Proxy-State = 0x313231
        EAP-Message = 0x010900060d20

0x0d == 13 == EAP-TLS.

This is encrypted and sent down the tunnel. The client then sends an EAP-NAK, listing 26 as the only supported EAP type (which is weird - is it a Windows machine set to some odd combo like cryptobinding enabled?):

[peap] Got tunneled request
        EAP-Message = 0x02090006031a

0x03 == 3 = NAK, 0x1a == 26 == MS-EAP (SoH, I think?)

...which the proxy server then rejects:

rad_recv: Access-Reject packet from host 155.97.185.76 port 1812, id=71, length=49
        Proxy-State = 0x313232
        EAP-Message = 0x04090004

So the solution is simple - if you're going to proxy the inner auth, ensure the client inner auth method and upstream proxy auth method are mutually compatible.
Re: EAP-Peap-MSchapv2 proxy from innertunnel
Phil Mayers wrote:
> [peap] Got tunneled request
>         EAP-Message = 0x02090006031a
>
> 0x03 == 3 = NAK, 0x1a == 26 == MS-EAP (SoH, I think?)

That's EAP-MSCHAP-v2.

> ...which the proxy server then rejects:
>
> rad_recv: Access-Reject packet from host 155.97.185.76 port 1812, id=71, length=49
>         Proxy-State = 0x313232
>         EAP-Message = 0x04090004
>
> So the solution is simple - if you're going to proxy the inner auth, ensure the client inner auth method and upstream proxy auth method are mutually compatible.

i.e. set

proxy_tunneled_request_as_eap = no

Alan DeKok.
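Martin's point that the EAP identifier is the second byte of the EAP-Message, and the decode Phil walks through above (with Alan's correction that type 26 is EAP-MSCHAPv2), can be checked mechanically. The following is an added example, not code from the thread or from FreeRADIUS: it parses the RFC 3748 EAP header out of the three EAP-Message values quoted in the thread and reports whether a Response answers its Request with a matching identifier or a Nak.

```python
"""Decode EAP packets carried in RADIUS EAP-Message attributes (RFC 3748).

Added example, not from the list thread or FreeRADIUS. The three hex
strings at the bottom are the EAP-Message values quoted in the thread.
"""
import struct

# EAP codes and the method types this thread touches on
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def decode_eap(hex_message):
    """Parse one EAP-Message payload and return its header fields.

    Code / Identifier / Length are the fixed 4-byte header; Request and
    Response packets add a Type byte. A Nak (type 3) lists the types the
    peer is willing to use; EAP-TLS (type 13) carries a flags byte.
    """
    h = hex_message[2:] if hex_message.startswith("0x") else hex_message
    data = bytes.fromhex(h)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length field {length} != payload size {len(data)}")
    pkt = {"code": EAP_CODES.get(code, f"unknown({code})"),
           "identifier": identifier, "length": length,
           "type": None, "desired_types": [], "flags": None}
    if code in (1, 2) and length >= 5:
        eap_type = data[4]
        pkt["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
        if eap_type == 3:
            pkt["desired_types"] = [EAP_TYPES.get(t, f"unknown({t})") for t in data[5:]]
        elif eap_type == 13 and length >= 6:
            pkt["flags"] = data[5]  # 0x20 = Start flag
    return pkt


def check_exchange(request_hex, response_hex):
    """Say whether a Response answers a Request the way a home server expects.

    The identifier must match (what ISE complained about in the thread), and a
    Nak means the supplicant refused the offered method outright.
    """
    req, rsp = decode_eap(request_hex), decode_eap(response_hex)
    if rsp["identifier"] != req["identifier"]:
        return (f"identifier mismatch: request {req['identifier']}, "
                f"response {rsp['identifier']}")
    if rsp["type"] == "Nak":
        return (f"client refused {req['type']} and will only do "
                f"{', '.join(rsp['desired_types'])}: method mismatch between "
                "supplicant and home server")
    return "ok"


# The three EAP-Message values quoted in the thread's debug output
TLS_START = "0x010900060d20"   # Request, id 9, len 6, type 13 EAP-TLS, flags 0x20
CLIENT_NAK = "0x02090006031a"  # Response, id 9, len 6, type 3 Nak, wants 26
FAILURE = "0x04090004"         # Failure, id 9, len 4

if __name__ == "__main__":
    for h in (TLS_START, CLIENT_NAK, FAILURE):
        print(h, decode_eap(h))
    print(check_exchange(TLS_START, CLIENT_NAK))
```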
Re: EAP-Peap-MSchapv2 proxy from innertunnel
Robert Roll wrote:
> If I actually look at the proxy-inner-tunnel I see the following for post-proxy:

The post-proxy stage has NOTHING to do with the home server. If the home server rejects the request, the issue is WAY before the post-process stage.

> I see that eap needs to be invoked if using proxy_tunneled_request_as_eap = no. Does it actually need to NOT be there for proxy_tunneled_request_as_eap = no?

No. See my reply to Phil. You need to set:

proxy_tunneled_request_as_eap = no

in eap.conf, peap{} subsection.

Alan DeKok.
Re: EAP-Peap-MSchapv2 proxy from innertunnel
On 29/08/13 18:16, Alan DeKok wrote:
> Phil Mayers wrote:
> > [peap] Got tunneled request
> >         EAP-Message = 0x02090006031a
> >
> > 0x03 == 3 = NAK, 0x1a == 26 == MS-EAP (SoH, I think?)
>
> That's EAP-MSCHAP-v2.

Doh, yes, brain fade. TBH this page could be clearer:

http://www.iana.org/assignments/eap-numbers/eap-numbers.xhtml

;o)
Re: EAP-Peap-MSchapv2 proxy from innertunnel
On 29/08/13 18:16, Alan DeKok wrote:
> i.e. set
>
> proxy_tunneled_request_as_eap = no

Although IIRC that *definitely* had issues in 2.1.10, right?
Re: EAP-Peap-MSchapv2 proxy from innertunnel
Phil Mayers wrote:
> On 29/08/13 18:16, Alan DeKok wrote:
> > i.e. set
> >
> > proxy_tunneled_request_as_eap = no
>
> Although IIRC that *definitely* had issues in 2.1.10, right?

I don't recall... that was a long time ago, and I'm trying to get 3.0 out the door.

Alan DeKok.
Re: EAP logging
Your reference is wrong/unknown, which means that there's a noop. This means no operation, which means no fticks output.

alan
Re: EAP logging
On 28 August 2013 18:49, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

Thanks Alan,

> Your reference is wrong/unknown, which means that there's a noop. This means no operation, which means no fticks output.

This brings me back to my earlier question: what values are available where, and when, via which mechanism?

I think I still don't fully understand how modules hang together, how I pass information from e.g. an EAP request into line-log, or, looking at sites-enabled/eap-inner-tunnel, how I tell f_ticks (or linelog, or any other modules for that matter) which values I'd like to work with.

I would like f_ticks to write out a single line into syslog that contains the inner and outer identity of an authentication request, the station ID and MAC address. In case of a successful authentication or rejection I'd like to have the inner identity and a status on a line.

Can anyone point me at a walk-through or how-to? I've now spent days flicking from one wiki-page to the next, and reading mailing list archives w/o finding anything that helps me understand.
Re: EAP logging
On Thu, Aug 29, 2013 at 10:39:50AM +1200, Andrej wrote:
> On 28 August 2013 18:49, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
>
> Thanks Alan,
>
> > Your reference is wrong/unknown, which means that there's a noop. This means no operation, which means no fticks output.
>
> This brings me back to my earlier question: what values are available where, and when, via which mechanism?
>
> I think I still don't fully understand how modules hang together, how I pass information from e.g. an EAP request into line-log, or, looking at sites-enabled/eap-inner-tunnel, how I tell f_ticks (or linelog, or any other modules for that matter) which values I'd like to work with.

Everything becomes an attribute or a variable and the definitions are mostly at /usr/share/freeradius/dictionary.freeradius.internal and you can also define your own attributes in /etc/freeradius/dictionary. I use this to get time in a format similar to syslog by having a variable My-Local-Time and calling an exec module with the date command and assigning the result to this variable, which I can then reference in my linelog.

The only way I found how to get what I need is to define a linelog, write there the variables I hope will have what I'm looking for, call that linelog from some part of the server configuration and just run my clients against it and see what happens.

For the username you can use outer.request:User-Name in the inner-tunnel which should reference the outer tunnel User-Name. User-Name in the inner-tunnel should be the inner EAP username. Also the attribute named Inner-Tunnel-User-Name might have the inner EAP username but that might be defined only in the post-auth section of the default server.

mk
Re: EAP-SIM Module Failed to Load
Many thanks indeed. Are you saying I can just take out sim_files from the authorise in the default file and it should work anyway? If so, fantastic :)

Ken Farrington

On 26 August 2013 at 12:11 Iliya Peregoudov iperegu...@cboss.ru wrote:
> On 25.08.2013 15:03, ken.farrington wrote:
> > Module: Linked to sub-module rlm_eap_sim
> > Module: Instantiating eap-sim
>
> rlm_eap_sim is compiled in.
>
> > /usr/local/etc/raddb/modules/sim_files[1]: Failed to link to module 'rlm_sim_files': rlm_sim_files.so: cannot open shared object file: No such file or directory
>
> rlm_sim_files is not compiled in. In fact you do not need rlm_eap_files. All can be done using the rlm_files module.
Re: EAP-SIM Module Failed to Load
On 27.08.2013 10:57, ken.farrington wrote:
> Many thanks indeed. Are you saying I can just take out sim_files from the authorise in the default file and it should work anyway? If so, fantastic :)

My raddb/sites-enabled/default:

authorize {
        preprocess
        auth_log
        chap
        mschap
        suffix
        eap {
                ok = return
        }
        files
        pap
}

My raddb/users:

1250016490216...@wlan.mnc001.mcc250.3gppnetwork.org
        EAP-Sim-RAND1 = 0x09844aff4ccf66cdb95e59dba8ec291c,
        EAP-Sim-RAND2 = 0x100446e9e8f553a9d87d0444a44b6cf5,
        EAP-Sim-RAND3 = 0x753fdfc2d7e834002557a069462a1fa5,
        EAP-Sim-SRES1 = 0x5dc9a406,
        EAP-Sim-SRES2 = 0x3b3f8ea3,
        EAP-Sim-SRES3 = 0x85bb8aeb,
        EAP-Sim-KC1 = 0x75e85aff085e917b,
        EAP-Sim-KC2 = 0x3055d76de12f1772,
        EAP-Sim-KC3 = 0x81806503efeebec1

1250016490216...@wlan.mnc001.mcc250.3gppnetwork.org is a decorated permanent identity for IMSI 250016490216808. (EAP-Sim-RAND1, EAP-Sim-SRES1, EAP-Sim-KC1) is an authentication vector (aka GSM triplet). rlm_eap_sim requires three GSM triplets to be available.

You can extract the IMSI and GSM triplets from the SIM card using a smart card reader and the agsm2 program (http://agsm.sourceforge.net). Note this will always use the same GSM triplets for authentication and consequently the same master session key (MSK) for encryption. You need to integrate with the HLR to retrieve truly random GSM triplets. Usually this is done by some sort of RADIUS-to-MAP gateway, like Cisco ITP.
Re: EAP-SIM Module Failed to Load
Fantastic and thanks. On it now :)

Ken Farrington
EAP logging
Hi,

I'm trying to find a way to log EAP requests and responses on an IdP in such a way that the inner and outer identity of a request end up on one line; using linelog via f_ticks I managed to get slightly more concise logging going than the detail level in accounting messages. But I'd like to be able to correlate the two, and am struggling to do so. Is there a way to e.g. pass information from the outer processing on to the inner so I can log both from there, rather than logging both identities individually? While it's feasible to have both when there's not much authentication traffic happening, trying to correlate events if there are several within the same time-frame might become impossible.

Cheers,
Andrej
Re: EAP logging
On 27 Aug 2013, at 17:59, Andrej andrej.gro...@gmail.com wrote:
> Is there a way to e.g. pass information from the outer processing on to the inner so I can log both from there, rather than logging both identities individually? While it's feasible to have both when there's not much authentication traffic happening trying to correlate events if there are several within the same time-frame might become impossible.

Sure. Just pull in outer.User-Name in your format string, and call it from the inner server.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: EAP logging
On 28 August 2013 05:09, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
> Sure. Just pull in outer.User-Name in your format string, and call it from the inner server.

Hi Arran,

Cool - I'll give that a go. Is there a comprehensive list anywhere of which kinds of values are permissible in which context?

Cheers,
Andrej
Re: EAP logging
Andrej wrote:
> Cool - I'll give that a go. Is there a comprehensive list anywhere of which kind of values is permissible in which context?

See the debug output. If it's in the debug output, you can use it. If it's not in the debug output, it doesn't exist. And you can't use it.

You can always reference the outer tunnel from the inner one.

Alan DeKok.
Re: EAP logging
On 28 August 2013 09:09, Alan DeKok al...@deployingradius.com wrote:
> See the debug output. If it's in the debug output, you can use it. If it's not in the debug output, it doesn't exist. And you can't use it.
>
> You can always reference the outer tunnel from the inner one.

OK. So, I found a couple of *key* statements in the debug output; and running the server with -X gives me

[f_ticks] 	expand: %{proxy-reply:Packet-Type} -> 
[f_ticks] 	... expanding second conditional
[f_ticks] 	expand: f_ticks.%{%{proxy-reply:Packet-Type}:-format} -> f_ticks.format
WARNING: No such configuration item .f_ticks.format
[f_ticks] No such entry .f_ticks.format
++[f_ticks] returns noop

But I don't seem to be writing any output at all from the f_ticks module (whether in debug mode or not). It looks like this:

linelog f_ticks {
	filename = ${logdir}/f-ticks
	format = "%{outer.User-Name}#%{User-Name}#%{Packet-Src-IP-Address}#"
	reference = "f_ticks.%{%{proxy-reply:Packet-Type}:-format}"
	f_ticks {
		Access-Accept = "F-TICKS/eduroam/1.0#REALM=%{Realm}#VISCOUNTRY=EU#VISINST=%{Operator-Name}#CSI=%{Calling-Station-Id}#RESULT=OK#"
		Access-Reject = "F-TICKS/eduroam/1.0#REALM=%{Realm}#VISCOUNTRY=EU#VISINST=%{Operator-Name}#CSI=%{Calling-Station-Id}#RESULT=FAIL#"
	}
}

Cheers,
Andrej
Re: EAP-SIM Module Failed to Load
On 25.08.2013 15:03, ken.farrington wrote:
> Module: Linked to sub-module rlm_eap_sim
> Module: Instantiating eap-sim

rlm_eap_sim is compiled in.

> /usr/local/etc/raddb/modules/sim_files[1]: Failed to link to module 'rlm_sim_files': rlm_sim_files.so: cannot open shared object file: No such file or directory

rlm_sim_files is not compiled in. In fact you do not need rlm_eap_files. All can be done using rlm_files module.
Re: EAP-SIM Module Failed to Load
On 08/26/2013 12:11 PM, Iliya Peregoudov wrote:
> On 25.08.2013 15:03, ken.farrington wrote:
> > Module: Linked to sub-module rlm_eap_sim
> > Module: Instantiating eap-sim
>
> rlm_eap_sim is compiled in.
>
> > /usr/local/etc/raddb/modules/sim_files[1]: Failed to link to module 'rlm_sim_files': rlm_sim_files.so: cannot open shared object file: No such file or directory
>
> rlm_sim_files is not compiled in.

Oops yes sorry. rlm_sim_files, not rlm_eap_sim

> In fact you do not need rlm_eap_files. All can be done using rlm_files module.

I'll defer to you on that ;o)
Re: EAP-SIM Module Failed to Load
Hello all,

I hope this email finds you all well; this is my first post. I think I have a small problem with my BackTrack distro. I am trying to load eap-sim onto my FreeRADIUS server 2.1.11. I have followed the guide to add the relevant parts of the config, and when I put the config into the default files as per http://freeradius.1045715.n5.nabble.com/EAP-SIM-configuration-on-v2-1-12-td5714134.html I get the same message. I think it is a library or link issue. I am not the best Linux person in the world, so sorry if this seems like a dumb question.

Module: Linked to sub-module rlm_eap_sim
Module: Instantiating eap-sim
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module preprocess from file /usr/local/etc/raddb/modules/preprocess
 preprocess {
	huntgroups = /usr/local/etc/raddb/huntgroups
	hints = /usr/local/etc/raddb/hints
	with_ascend_hack = no
	ascend_channels_per_line = 23
	with_ntdomain_hack = no
	with_specialix_jetstream_hack = no
	with_cisco_vsa_hack = no
	with_alvarion_vsa_hack = no
 }
Module: Linked to module rlm_realm
Module: Instantiating module suffix from file /usr/local/etc/raddb/modules/realm
 realm suffix {
	format = suffix
	delimiter = @
	ignore_default = no
	ignore_null = no
 }
/usr/local/etc/raddb/modules/sim_files[1]: Failed to link to module 'rlm_sim_files': rlm_sim_files.so: cannot open shared object file: No such file or directory
/usr/local/etc/raddb/sites-enabled/default[138]: Failed to load module sim_files.
/usr/local/etc/raddb/sites-enabled/default[62]: Errors parsing authorize section.

root@bt:/usr/local/etc/raddb# more simtriplets.dat

If anyone could help, that would be fantastic. Many thx

ken

Ken Farrington
Director, CCIE #12651, 802 Limited
Re: EAP-SIM Module Failed to Load
On 25/08/2013 12:03, ken.farrington wrote:
> /usr/local/etc/raddb/modules/sim_files[1]: Failed to link to module 'rlm_sim_files': rlm_sim_files.so: cannot open shared object file: No such file or directory

Your version of FreeRADIUS wasn't compiled with rlm_eap_sim enabled, or it wasn't installed. I can't remember if you need to build with --experimental-modules or whatever the ./configure option is called.

Also, upgrade to 2.2.0
Re: EAP-SIM Module Failed to Load
Thanks so much, I will try that.

Much regards
ken.farring...@802.co.uk
EAP-SIM authentication problem at 2nd stage
Dear all,

I have a problem with EAP-SIM authentication. I'm using FreeRADIUS 2.2.0 and a BlackBerry 9220.

Here is my simtriplets.dat file:

1510012660372465,AF6876E748BD46bf853A99DC2032F0A7,95762655,449177635B92bc00
1510012660372465,A1A9AC744E8D49819D27A79B067BCA69,257b31c6,64ff9467DEa1e400
1510012660372465,603906BFD8DC404197BAC35FF1274EB3,4F41eb06,F3ce89b4FCbc
1510080332618369,23A95DB79B644a4299463F0342069A11,7775d266,B10f3eba2Bc5ed2b
1510080332618369,FDCE8E4F2B0B4b3086BEF230076EAD58,D9e080d9,E2aad63f711e1324
1510080332618369,238100571AD1495fBCE2AD5505634E41,A40e1656,66a098a750d9cd13

Here is the content of the users file:

1510080332618369 Auth-Type := EAP, EAP-Type := SIM
	EAP-Sim-Rand1 := 0x23A95DB79B644a4299463F0342069A11,
	EAP-Sim-SRES1 := 0x7775d266,
	EAP-Sim-KC1 := 0xB10f3eba2Bc5ed2b,
	EAP-Sim-Rand2 := 0xFDCE8E4F2B0B4b3086BEF230076EAD58,
	EAP-Sim-SRES2 := 0xD9e080d9,
	EAP-Sim-KC2 := 0xE2aad63f711e1324,
	EAP-Sim-Rand3 := 0x238100571AD1495fBCE2AD5505634E41,
	EAP-Sim-SRES3 := 0xA40e1656,
	EAP-Sim-KC3 := 0x66a098a750d9cd13,

1510012660372465 Auth-Type := EAP, EAP-Type := sim
	EAP-Sim-Rand1 := 0xAF6876E748BD46bf853A99DC2032F0A7,
	EAP-Sim-SRES1 := 0x95762655,
	EAP-Sim-KC1 := 0x449177635B92bc00,
	EAP-Sim-Rand2 := 0xA1A9AC744E8D49819D27A79B067BCA69,
	EAP-Sim-SRES2 := 0x257b31c6,
	EAP-Sim-KC2 := 0x64ff9467DEa1e400,
	EAP-Sim-Rand3 := 0x603906BFD8DC404197BAC35FF1274EB3,
	EAP-Sim-SRES3 := 0x4F41eb06,
	EAP-Sim-KC3 := 0xF3ce89b4FCbc,

1510080332618369@wlan.mnc080.mcc510.3gppnetwork.org Auth-Type := EAP, EAP-Type := SIM
	EAP-Sim-Rand1 := 0x23A95DB79B644a4299463F0342069A11,
	EAP-Sim-SRES1 := 0x7775d266,
	EAP-Sim-KC1 := 0xB10f3eba2Bc5ed2b,
	EAP-Sim-Rand2 := 0xFDCE8E4F2B0B4b3086BEF230076EAD58,
	EAP-Sim-SRES2 := 0xD9e080d9,
	EAP-Sim-KC2 := 0xE2aad63f711e1324,
	EAP-Sim-Rand3 := 0x238100571AD1495fBCE2AD5505634E41,
	EAP-Sim-SRES3 := 0xA40e1656,
	EAP-Sim-KC3 := 0x66a098a750d9cd13

I have already included sim_files in modules and sim { } in eap.conf.

Analysing the debug output, the first authorization succeeds (sim_files returns ok), the first authentication succeeds, and the second authorization succeeds as well, but the problem is that the second authentication fails. I have already read the list archive, but found no clue. Here is the radiusd debug output:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.111.72 port 34647, id=129, length=250
	User-Name = 1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org
	NAS-IP-Address = 192.168.88.52
	Called-Station-Id = FA-1A-67-9F-E4-68:NOLSPOT-Secure
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1
	Calling-Station-Id = 70-AA-B2-EF-8E-9D
	Connect-Info = CONNECT 54Mbps 802.11g
	Framed-MTU = 1400
	EAP-Message = 0x0210003801313531303038303236313833363940776c616e2e6d6e633038302e6d63633531302e336770706e6574776f726b2e6f7267
	Message-Authenticator = 0xf0b7f7c3d39dd64797e1ffa08c3c078e
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm wlan.mnc080.mcc510.3gppnetwork.org for User-Name = 1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org
[suffix] Found realm wlan.mnc080.mcc510.3gppnetwork.org
[suffix] Adding Stripped-User-Name = 1510080332618369
[suffix] Adding Realm = wlan.mnc080.mcc510.3gppnetwork.org
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[files] users: Matched entry 1510080332618369 at line 206
++[files] returns ok
rlm_sim_files: authorized user/imsi 1510080332618369
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 16 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql] 	expand: %{User-Name} -> 1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org
[sql] sql_set_user escaped user --> ' 1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org'
rlm_sql (sql): Reserving sql socket id: 4
[sql] 	expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = ' 1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org' ORDER BY id
[sql] 	expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = ' 1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
[sql] User 1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org not found
++[sql
EAP and non-EAP on same port?
Right now we have FreeRADIUS configured so that EAP and non-EAP are handled by separate virtual servers which are listening on separate virtual ports. We'd like to simplify our configuration and use the same port for both. I've looked through the documentation without much success. Does anyone have an example configuration of this?

Thanks.

-- Bruce

Bruce Bauman - Systems Administrator
Rutgers University Office of Information Technology
Campus Computing Services - Central Systems and Services Office ~ (848) 445-6363
Re: EAP and non-EAP on same port?
Bruce Bauman wrote:
> Right now we have freeradius configured so that EAP and non-EAP are handled by separate virtual servers which are listening on separate virtual ports.

Why?

> We'd like to simplify our configuration and use the same port for both. I've looked through the documentation without much success.

There's no magic here. There's no documentation on "how do I do EAP?". Because none is needed. EAP is just another module you list (or not) in a virtual server.

So... list "eap" in the virtual server, as is done in the example files raddb/sites-available/default, and also raddb/sites-available/inner-tunnel.

> Does anyone have an example configuration of this?

The default configuration does EAP and non-EAP on the same port.

Alan DeKok.
Re: EAP and non-EAP on same port?
On 03/07/13 15:29, Bruce Bauman wrote:
> Right now we have freeradius configured so that EAP and non-EAP are handled by separate virtual servers which are listening on separate virtual ports. We'd like to simplify our configuration and use the same port for both. I've looked through the documentation without much success. Does anyone have an example configuration of this?

The default config handles both EAP and non-EAP just fine. You just list the eap and other auth modules (mschap, pap, chap) in authorize and authenticate, and pull the password info from LDAP/SQL/files as per usual.

However, it's likely you mean something more than the simple config you've specified. Can you be more specific about what is unclear to you?

If you want to do some logic conditional on whether the request is EAP or not, you can do this:

authorize {
	...
	if (EAP-Message) {
		# we're an EAP request
		sql
		eap
		blahblah
	}
	else {
		# we're non-eap
		files
		ldap
		mschap
		chap
		pap
	}
	...
}

And of course, the inner EAP auth can be sent to a virtual server - see the sample eap.conf that comes with the server.
Re: EAP and non-EAP on same port?
Hi,

> We'd like to simplify our configuration and use the same port for both.

the default configuration does that

alan
Re: Using freeradius as proxy for EAP-SIM/EAP-AKA
Can I know what brand of radius server you are going to use for EAP-SIM/AKA? I am interested in this.

On Tue, Jul 2, 2013 at 3:51 PM, Phil Mayers p.may...@imperial.ac.uk wrote:
> On 07/02/2013 07:56 AM, Ming-Ching Tiew wrote:
> > So this [^@]*@wlan.mncX.mccY.3gppnetwork.org is unique? All the SIMs from the same mobile operator will have the same string and it will be different from another mobile operator?
>
> Yes, though be aware the pattern given isn't exactly valid; X and Y are N-digit numbers (the MNC and MCC, obviously). Twiddle as appropriate to make a valid regexp.
Re: Using freeradius as proxy for EAP-SIM/EAP-AKA
On 01.07.2013 18:34, Alan DeKok wrote:
> > It's not possible for one proxy radius to send request to different EAP SIM/EAP AKA radius server (based on certain criteria) ?
>
> When you're proxying an EAP packet, the ONLY criteria you have is the EAP identity. You do NOT have the EAP type available.

You can proxy Access-Requests to another server if User-Name matches [^@]*@wlan.mncX.mccY.3gppnetwork.org. This other server should insist on using EAP-SIM. If the user tries to use another EAP method, the server should reject the user.
Re: Using freeradius as proxy for EAP-SIM/EAP-AKA
From: Iliya Peregoudov iperegu...@cboss.ru
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, July 2, 2013 2:20 PM
Subject: Re: Using freeradius as proxy for EAP-SIM/EAP-AKA

> On 01.07.2013 18:34, Alan DeKok wrote:
> > > It's not possible for one proxy radius to send request to different EAP SIM/EAP AKA radius server (based on certain criteria) ?
> >
> > When you're proxying an EAP packet, the ONLY criteria you have is the EAP identity. You do NOT have the EAP type available.
>
> You can proxy Access-Requests to another server if User-Name matches [^@]*@wlan.mncX.mccY.3gppnetwork.org. This another server should insist on using EAP-SIM. If user tries to use another EAP method server should reject the user.

So this [^@]*@wlan.mncX.mccY.3gppnetwork.org is unique? All the SIMs from the same mobile operator will have the same string and it will be different from another mobile operator?
Re: Using freeradius as proxy for EAP-SIM/EAP-AKA
On 07/02/2013 07:56 AM, Ming-Ching Tiew wrote:
> So this [^@]*@wlan.mncX.mccY.3gppnetwork.org is unique ? All the SIMs from the same mobile operator will have the same string and it will be different from another mobile operator ?

Yes, though be aware the pattern given isn't exactly valid; X and Y are N-digit numbers (the MNC and MCC, obviously). Twiddle as appropriate to make a valid regexp.
Re: Using freeradius as proxy for EAP-SIM/EAP-AKA
On Mon, Jul 1, 2013 at 10:48 AM, Ming-Ching Tiew mct...@yahoo.com wrote:
> Hi
>
> I am wondering if it is possible to proxy EAP-SIM/EAP-AKA authentication using FreeRadius ? Assuming brand X radius server has support for EAP-SIM/EAP-AKA, but it's located at the final end of the food chain, and in-between the brand X radius server and the Access point, there are 2 (or more) radius servers which are doing proxying ( and some other non-EAP SIM/EAP AKA work ). Will it work ?

Yes it is possible, but you have to make sure that all requests of an EAP session are being entertained by the same server (as a proxy can have multiple FreeRADIUS servers). Read proxy.config; it has some methods for proxying, some of these are for CHAP and one or two for EAP. Similarly you can use some other methods like Linux Virtual Server (LVS) to accomplish this task.

--
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University
Re: Using freeradius as proxy for EAP-SIM/EAP-AKA
If I understand you correctly, it means it is only possible to have ONE radius server which does EAP-SIM/EAP-AKA authentication in the entire chain of connections? It's not possible for one proxy radius to send requests to different EAP-SIM/EAP-AKA radius servers (based on certain criteria)?

How about Linux LVS? Will it be able to split the EAP-SIM/EAP-AKA requests to different (final) servers based on certain criteria?

On Monday, July 1, 2013 3:10 PM, Muhammad Nadeem mnadeem8...@gmail.com wrote:
> yes it is possible , but you have to make sure that all requests of an EAP session are being entertain by the same server, ( as proxy can have multipile freeradius servers), Read proxy.config, it have some methods for proxy, some of these are for chap and one or two or of EAP. similarly you can use some other methods like (Linux Virtual Server LVS) to accomplish this task.
Re: eap sim authentication for multiple clients
There is a clear distinction between the two cases.

First case: user record is found in users file:

rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=1, length=215
[skipped]
+- entering group authorize {...}
[skipped]
[files] users: Matched entry 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org at line 1
[skipped]
+- entering group authenticate {...}
[skipped]
Sending Access-Challenge of id 1 to 192.168.2.1 port 2048

Second case: user record is not found in users file:

rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=2, length=215
[skipped]
+- entering group authorize {...}
[skipped]
++[files] returns noop
[skipped]
+- entering group authenticate {...}
[skipped]
Failed to authenticate the user.
[skipped]
+- entering group REJECT {...}
[skipped]
Sending Access-Reject of id 2 to 192.168.2.1 port 2048

It seems your users file is broken in some way. You need to fix it.
Re: Using freeradius as proxy for EAP-SIM/EAP-AKA
Ming-Ching Tiew wrote:
> If I understand you correctly, it means it is only possible to have ONE radius server which does EAP SIM/EAP AKA authentication in the entire chain of connections ?

No. It means that you don't KNOW it's EAP-SIM until after you decide to proxy it.

> It's not possible for one proxy radius to send request to different EAP SIM/EAP AKA radius server (based on certain criteria) ?

When you're proxying an EAP packet, the ONLY criteria you have is the EAP identity. You do NOT have the EAP type available.

> How about Linux LVS ? Will it able to split the EAP-SIM/EAP-AKA request to different (final) server based on certain criteria ?

No. Adding a virtual server is no different from adding another machine on the network. It won't make any difference. The issue is with the EAP protocol. Not with the network stack.

Alan DeKok.
Using freeradius as proxy for EAP-SIM/EAP-AKA
Hi

I am wondering if it is possible to proxy EAP-SIM/EAP-AKA authentication using FreeRADIUS? Assuming brand X radius server has support for EAP-SIM/EAP-AKA, but it's located at the final end of the food chain, and in between the brand X radius server and the access point there are 2 (or more) radius servers which are doing proxying (and some other non-EAP-SIM/EAP-AKA work). Will it work?
eap sim authentication for multiple clients
Hi,

I have tried with one client and it succeeds in authenticating and accessing the internet over WLAN. With one client it succeeds, but when I use another client it fails. First I connect with one client and it succeeds (until "Finished request 2" in the debug log), and then in the next request I try to authenticate with a different supplicant/client. I have put the identity (IMSI, RAND, SRES, KC) into simtriplets.dat and users as well.

My simtriplets.dat format:

1510019760806391,326258E6F77C40f3866DB25DEA60AE4D,DD287535,7F743521EBabb000
1510019760806391,FD9989BD90AD4a03962E6C08C000C14B,BFf89ad2,1C7098005Fea8c00
1510019760806391,26CC8DB02C9848c7BBCC2790E3F0913B,17172cc6,BF34bf34D4ca4c00
1510080325656501,5A8F4C0677DE4930B47825B55534CC79,94d66001,AC85d79439b564c0
1510080325656501,8E29A03F8E13466fBF84D12F6A9D4734,E284e39e,13a524d040094ef4
1510080325656501,BC5D3CEB1EAC4164AA463E289222C450,AE8bdfc6,B0354bf3402e42ed

My users format:

1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org EAP-Type := SIM
	EAP-Sim-Rand1 = 0x 326258E6F77C40f3866DB25DEA60AE4D,
	EAP-Sim-SRES1 = 0x DD287535,
	EAP-Sim-KC1 = 0x 7F743521EBabb000,
	EAP-Sim-Rand2 = 0x FD9989BD90AD4a03962E6C08C000C14B,
	EAP-Sim-SRES2 = 0x BFf89ad2,
	EAP-Sim-KC2 = 0x 1C7098005Fea8c00,
	EAP-Sim-Rand3 = 0x 26CC8DB02C9848c7BBCC2790E3F0913B,
	EAP-Sim-SRES3 = 0x 17172cc6,
	EAP-Sim-KC3 = 0x BF34bf34D4ca4c00

1510080325656...@wlan.mnc008.mcc510.3gppnetwork.org EAP-Type := SIM
	EAP-Sim-Rand1 = 0x 5A8F4C0677DE4930B47825B55534CC79,
	EAP-Sim-SRES1 = 0x 94d66001,
	EAP-Sim-KC1 = 0x AC85d79439b564c0,
	EAP-Sim-Rand2 = 0x 8E29A03F8E13466fBF84D12F6A9D4734,
	EAP-Sim-SRES2 = 0x E284e39e,
	EAP-Sim-KC2 = 0x 13a524d040094ef4,
	EAP-Sim-Rand3 = 0x BC5D3CEB1EAC4164AA463E289222C450,
	EAP-Sim-SRES3 = 0x AE8bdfc6,
	EAP-Sim-KC3 = 0x B0354bf3402e42ed

I also added the patch as in: http://lists.freeradius.org/pipermail/freeradius-users/attachments/20120914/13b2c044/attachment.ksh

And this is my debug log:

rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=1, length=215
	User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
	NAS-IP-Address = 192.168.2.1
	Called-Station-Id = 48f8b315461a
	Calling-Station-Id = 1814563e5189
	NAS-Identifier = 48f8b315461a
	NAS-Port = 38
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x0238013135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267
	Message-Authenticator = 0x509abafbd92ee8417dcb22095d89059d
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm wlan.mnc001.mcc510.3gppnetwork.org for User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
[suffix] No such realm wlan.mnc001.mcc510.3gppnetwork.org
++[suffix] returns noop
rlm_sim_files: authorized user/imsi 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 0 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
[eap] Underlying EAP-Type set EAP ID to 161
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.2.1 port 2048
	EAP-Message = 0x01a10014120a0f020002000111010100
	Message-Authenticator = 0x
	State = 0x86406e6686e17cf5f398cb77ce20781c
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=1, length=265
Cleaning up request 0 ID 1 with timestamp +25
	User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
	NAS-IP-Address = 192.168.2.1
	Called-Station-Id = 48f8b315461a
	Calling-Station-Id = 1814563e5189
	NAS-Identifier = 48f8b315461a
	NAS-Port = 38
	Framed-MTU = 1400
	State = 0x86406e6686e17cf5f398cb77ce20781c
	NAS-Port-Type = Wireless-802.11
	EAP-Message
Re: eap sim authorization problem
Hi, thanx for your reply. I also tried using patch in http://lists.freeradius.org/pipermail/freeradius-users/attachments/20120914/13b2c044/attachment.ksh but unfortunately, when I already connect with one device successfully and I try another device, the result is that the other device is rejected by server. Any idea?

thanx for your time and your answer
best regard

On Fri, Jun 21, 2013 at 6:31 PM, Iliya Peregoudov <iperegu...@cboss.ru> wrote:
> On 20.06.2013 17:56, raptor raptor wrote:
>> my users format
>> 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org EAP-Type := SIM
>>     EAP-Sim-Rand1 = 0x 326258E6F77C40f3866DB25DEA60AE4D,
>>     EAP-Sim-SRES1 = 0x DD287535,
>>     EAP-Sim-KC1 = 0x 7F743521EBabb000,
>>     EAP-Sim-Rand2 = 0x FD9989BD90AD4a03962E6C08C000C14B,
>>     EAP-Sim-SRES2 = 0x BFf89ad2,
>>     EAP-Sim-KC2 = 0x 1C7098005Fea8c00,
>>     EAP-Sim-Rand3 = 0x 26CC8DB02C9848c7BBCC2790E3F0913B,
>>     EAP-Sim-SRES3 = 0x 17172cc6,
>>     EAP-Sim-KC3 = 0x BF34bf34D4ca4c00,
>
> Syntax error here. There should be no comma at the end of stanza. Due to comma next non-blank line is also considered to be part of this stanza. So next stanza (1510080325656501) will not be parsed correctly.
>
>> rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=2, length=215
>> User-Name = 1510080325656501@wlan.mnc008.mcc510.3gppnetwork.org
>> NAS-IP-Address = 192.168.2.1
>> Called-Station-Id = 48f8b315461a
>> Calling-Station-Id = 001adc019b98
>> NAS-Identifier = 48f8b315461a
>> NAS-Port = 2
>> Framed-MTU = 1400
>> NAS-Port-Type = Wireless-802.11
>> EAP-Message = 0x0238013135313030383033323536353635303140776c616e2e6d6e633030382e6d63633531302e336770706e6574776f726b2e6f7267
>> Message-Authenticator = 0x1e6d83334fd94f359c5fda46d916ce7e
>> [skipped]
>> ++[files] returns noop
>
> rlm_files was unable to find stanza for 1510080325656501 due to before mentioned syntax error.
>
>> [eap] processing type sim
>> can not initiate sim, no RAND1 attribute
>
> EAP-Sim-Rand1 attribute is not found in reply list. I don't know why. rlm_sim_files earlier said that it successfully found auth vectors. Definitely rlm_sim_files not working as expected.
>
> Try to fix syntax error in users file.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: eap sim authorization problem
Hi Iliya, thanx for your answer. I tried to fix syntax error in users file and also I tried using patch in http://lists.freeradius.org/pipermail/freeradius-users/attachments/20120914/13b2c044/attachment.ksh but unfortunately, the result is same: my first device can connect to internet and the second device can't connect if my first device is already connected.

thanx for your time and your answer
best regards

On Fri, Jun 21, 2013 at 6:31 PM, Iliya Peregoudov <iperegu...@cboss.ru> wrote:
> On 20.06.2013 17:56, raptor raptor wrote:
>> my users format
>> 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org EAP-Type := SIM
>>     EAP-Sim-Rand1 = 0x 326258E6F77C40f3866DB25DEA60AE4D,
>>     EAP-Sim-SRES1 = 0x DD287535,
>>     EAP-Sim-KC1 = 0x 7F743521EBabb000,
>>     EAP-Sim-Rand2 = 0x FD9989BD90AD4a03962E6C08C000C14B,
>>     EAP-Sim-SRES2 = 0x BFf89ad2,
>>     EAP-Sim-KC2 = 0x 1C7098005Fea8c00,
>>     EAP-Sim-Rand3 = 0x 26CC8DB02C9848c7BBCC2790E3F0913B,
>>     EAP-Sim-SRES3 = 0x 17172cc6,
>>     EAP-Sim-KC3 = 0x BF34bf34D4ca4c00,
>
> Syntax error here. There should be no comma at the end of stanza. Due to comma next non-blank line is also considered to be part of this stanza. So next stanza (1510080325656501) will not be parsed correctly.
>
>> rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=2, length=215
>> User-Name = 1510080325656501@wlan.mnc008.mcc510.3gppnetwork.org
>> NAS-IP-Address = 192.168.2.1
>> Called-Station-Id = 48f8b315461a
>> Calling-Station-Id = 001adc019b98
>> NAS-Identifier = 48f8b315461a
>> NAS-Port = 2
>> Framed-MTU = 1400
>> NAS-Port-Type = Wireless-802.11
>> EAP-Message = 0x0238013135313030383033323536353635303140776c616e2e6d6e633030382e6d63633531302e336770706e6574776f726b2e6f7267
>> Message-Authenticator = 0x1e6d83334fd94f359c5fda46d916ce7e
>> [skipped]
>> ++[files] returns noop
>
> rlm_files was unable to find stanza for 1510080325656501 due to before mentioned syntax error.
>
>> [eap] processing type sim
>> can not initiate sim, no RAND1 attribute
>
> EAP-Sim-Rand1 attribute is not found in reply list. I don't know why. rlm_sim_files earlier said that it successfully found auth vectors. Definitely rlm_sim_files not working as expected.
>
> Try to fix syntax error in users file.
Re: eap sim authorization problem
On 20.06.2013 17:56, raptor raptor wrote:
> my users format
> 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org EAP-Type := SIM
>     EAP-Sim-Rand1 = 0x 326258E6F77C40f3866DB25DEA60AE4D,
>     EAP-Sim-SRES1 = 0x DD287535,
>     EAP-Sim-KC1 = 0x 7F743521EBabb000,
>     EAP-Sim-Rand2 = 0x FD9989BD90AD4a03962E6C08C000C14B,
>     EAP-Sim-SRES2 = 0x BFf89ad2,
>     EAP-Sim-KC2 = 0x 1C7098005Fea8c00,
>     EAP-Sim-Rand3 = 0x 26CC8DB02C9848c7BBCC2790E3F0913B,
>     EAP-Sim-SRES3 = 0x 17172cc6,
>     EAP-Sim-KC3 = 0x BF34bf34D4ca4c00,

Syntax error here. There should be no comma at the end of stanza. Due to comma next non-blank line is also considered to be part of this stanza. So next stanza (1510080325656501) will not be parsed correctly.

> rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=2, length=215
> User-Name = 1510080325656...@wlan.mnc008.mcc510.3gppnetwork.org
> NAS-IP-Address = 192.168.2.1
> Called-Station-Id = 48f8b315461a
> Calling-Station-Id = 001adc019b98
> NAS-Identifier = 48f8b315461a
> NAS-Port = 2
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> EAP-Message = 0x0238013135313030383033323536353635303140776c616e2e6d6e633030382e6d63633531302e336770706e6574776f726b2e6f7267
> Message-Authenticator = 0x1e6d83334fd94f359c5fda46d916ce7e
> [skipped]
> ++[files] returns noop

rlm_files was unable to find stanza for 1510080325656501 due to before mentioned syntax error.

> [eap] processing type sim
> can not initiate sim, no RAND1 attribute

EAP-Sim-Rand1 attribute is not found in reply list. I don't know why. rlm_sim_files earlier said that it successfully found auth vectors. Definitely rlm_sim_files not working as expected.

Try to fix syntax error in users file.
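The trailing-comma rule Iliya points out, turned into a check that can be run over a users file before restarting radiusd. This is an added example and not code from FreeRADIUS or from anyone in the thread; it models the file format in a simplified way (a reply-item line that ends in a comma continues on the next non-blank line, a swallowed entry is reported rather than emulating rlm_files' own parse error, and quoted values containing commas are not handled). The EAP-Sim-Rand/SRES/KC attribute names come from the thread, the two-or-three-triplet requirement from RFC 4186, and the hex lengths are the GSM triplet sizes (RAND 128 bit, SRES 32 bit, Kc 64 bit); the sample users file is constructed from the triplets listed in this thread, with the comma after the first entry's EAP-Sim-KC3 left in place.

```python
# Added example (not FreeRADIUS code): lint a `users` file for the trailing-comma
# mistake Iliya describes and for malformed EAP-SIM triplets (simplified model).
import re
from typing import List, Tuple

ENTRY_RE = re.compile(r"^(?P<name>\S+)\s*(?P<checks>.*)$")  # entry line
SIM_CHECK_RE = re.compile(r"EAP-Type\s*:=\s*SIM\b")
HEX_VALUE_RE = re.compile(r"^0x\s*([0-9A-Fa-f]+)$")  # blank after 0x tolerated
# Nibbles per GSM triplet component: RAND 128 bit, SRES 32 bit, Kc 64 bit.
SIM_ATTR_LEN = {"EAP-Sim-Rand": 32, "EAP-Sim-SRES": 8, "EAP-Sim-KC": 16}

def parse_users(text: str) -> Tuple[List[dict], List[str]]:
    """Split into stanzas; a reply line ending in ',' continues on the next line."""
    stanzas, findings, current, continued = [], [], None, False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indented = line[0] in " \t"
        if continued and not indented:
            # The comma promised more reply items, so this new entry is eaten.
            findings.append(f"line {lineno}: entry '{line.split()[0]}' swallowed by stanza '{current['name']}' (trailing comma)")
            continued = False
            continue
        if not indented:
            m = ENTRY_RE.match(line)
            current = {"name": m.group("name"), "checks": m.group("checks").strip(), "reply": {}}
            stanzas.append(current)
            continued = False
            continue
        if current is None:
            findings.append(f"line {lineno}: reply item before any entry")
            continue
        body = line.strip()
        continued = body.endswith(",")
        for item in body.rstrip(",").split(","):
            attr, sep, value = item.partition("=")
            if not sep:
                findings.append(f"line {lineno}: cannot parse reply item '{item.strip()}'")
            else:
                current["reply"][attr.strip()] = value.strip()
    if continued:
        findings.append(f"stanza '{current['name']}' ends with a trailing comma")
    return stanzas, findings

def check_sim_stanza(stanza: dict) -> List[str]:
    """EAP-SIM (RFC 4186) needs 2 or 3 complete (RAND, SRES, Kc) triplets."""
    name, reply, problems, complete = stanza["name"], stanza["reply"], [], 0
    for i in (1, 2, 3):
        present = [p for p in SIM_ATTR_LEN if f"{p}{i}" in reply]
        if not present:
            continue  # triplet i simply not configured
        ok = len(present) == len(SIM_ATTR_LEN)
        if not ok:
            missing = ", ".join(f"{p}{i}" for p in SIM_ATTR_LEN if p not in present)
            problems.append(f"{name}: triplet {i} incomplete, missing {missing}")
        for p in present:
            attr = f"{p}{i}"
            m = HEX_VALUE_RE.match(reply[attr])
            if not m or len(m.group(1)) != SIM_ATTR_LEN[p]:
                problems.append(f"{name}: {attr} must be 0x plus {SIM_ATTR_LEN[p]} hex digits, got '{reply[attr]}'")
                ok = False
        complete += ok
    if complete < 2:
        problems.append(f"{name}: {complete} usable GSM triplet(s), EAP-SIM needs 2 or 3")
    return problems

def lint_users(text: str) -> List[str]:
    """Parse findings plus SIM triplet checks for every EAP-Type := SIM stanza."""
    stanzas, findings = parse_users(text)
    for s in stanzas:
        if SIM_CHECK_RE.search(s["checks"]):
            findings.extend(check_sim_stanza(s))
    return findings

# Constructed sample modelled on the thread's listing: the first entry ends with
# a comma after EAP-Sim-KC3, so the second entry never becomes its own stanza.
SAMPLE_USERS = """\
1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org EAP-Type := SIM
    EAP-Sim-Rand1 = 0x326258E6F77C40f3866DB25DEA60AE4D,
    EAP-Sim-SRES1 = 0xDD287535,
    EAP-Sim-KC1 = 0x7F743521EBabb000,
    EAP-Sim-Rand2 = 0xFD9989BD90AD4a03962E6C08C000C14B,
    EAP-Sim-SRES2 = 0xBFf89ad2,
    EAP-Sim-KC2 = 0x1C7098005Fea8c00,
    EAP-Sim-Rand3 = 0x26CC8DB02C9848c7BBCC2790E3F0913B,
    EAP-Sim-SRES3 = 0x17172cc6,
    EAP-Sim-KC3 = 0xBF34bf34D4ca4c00,
1510080325656501@wlan.mnc008.mcc510.3gppnetwork.org EAP-Type := SIM
    EAP-Sim-Rand1 = 0x5A8F4C0677DE4930B47825B55534CC79,
    EAP-Sim-SRES1 = 0x94d66001,
    EAP-Sim-KC1 = 0xAC85d79439b564c0,
    EAP-Sim-Rand2 = 0x8E29A03F8E13466fBF84D12F6A9D4734,
    EAP-Sim-SRES2 = 0xE284e39e,
    EAP-Sim-KC2 = 0x13a524d040094ef4,
    EAP-Sim-Rand3 = 0xBC5D3CEB1EAC4164AA463E289222C450,
    EAP-Sim-SRES3 = 0xAE8bdfc6,
    EAP-Sim-KC3 = 0xB0354bf3402e42ed
"""
# Same file with the offending comma removed.
FIXED_USERS = SAMPLE_USERS.replace("0xBF34bf34D4ca4c00,", "0xBF34bf34D4ca4c00")
```

Calling lint_users(SAMPLE_USERS) yields a single finding: the entry for 1510080325656501 is swallowed at line 11 by the stanza above it, which is the same outcome the debug log shows as "++[files] returns noop" for that IMSI. lint_users(FIXED_USERS) returns an empty list, and both IMSIs come back from parse_users as separate stanzas. For a real users file, read it and pass the text in; stanzas whose check items are not EAP-Type := SIM only go through the continuation check.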
Re: eap sim authorization problem
On 20.06.2013 8:38, raptor raptor wrote:
> i just try one client and success but when i use another client and it fails

Post debug log if you want to diagnose authentication failure.

> is it correct if i add other client in users and simtriplets.dat?

Yes, you should add auth vectors for all your SIM cards into users file, one stanza for every SIM card. If you still get "insufficient number of challenges" message then your simtriplets.dat is not relevant. Just forget about it. Auth vectors from users file are sufficient.

Freeradius is very flexible. There is no one single way of correctly configuring it. But there are an indefinite number of ways to misconfigure it. If you prefer not to diagnose authentication failures but insert random stuff into randomly selected configuration files, it's unlikely you accidentally configure it correctly.
Re: eap sim authorization problem
Hi Iliya, thanx for your quick response. Here is my log debug:

rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=0, length=215
User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
NAS-IP-Address = 192.168.2.1
Called-Station-Id = 48f8b315461a
Calling-Station-Id = 1814563e5189
NAS-Identifier = 48f8b315461a
NAS-Port = 38
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0238013135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267
Message-Authenticator = 0x1e692ae9b93631a0f54bda0997d713f2
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm wlan.mnc001.mcc510.3gppnetwork.org for User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
[suffix] No such realm wlan.mnc001.mcc510.3gppnetwork.org
++[suffix] returns noop
rlm_sim_files: authorized user/imsi 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 0 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org at line 1
++[files] returns ok
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
[eap] Underlying EAP-Type set EAP ID to 116
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.2.1 port 2048
EAP-Message = 0x01740014120a0f020002000111010100
Message-Authenticator = 0x
State = 0x2e42338f2e362191820b0799859172e9
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=0, length=265
Cleaning up request 0 ID 0 with timestamp +10
User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
NAS-IP-Address = 192.168.2.1
Called-Station-Id = 48f8b315461a
Calling-Station-Id = 1814563e5189
NAS-Identifier = 48f8b315461a
NAS-Port = 38
Framed-MTU = 1400
State = 0x2e42338f2e362191820b0799859172e9
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x02740058120a0705c857b63e06e1bb7341a729ea36de8804100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700
Message-Authenticator = 0x4228372d93c4496516a4c62a6b0d1f84
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm wlan.mnc001.mcc510.3gppnetwork.org for User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
[suffix] No such realm wlan.mnc001.mcc510.3gppnetwork.org
++[suffix] returns noop
rlm_sim_files: authorized user/imsi 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 116 length 88
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org at line 1
++[files] returns ok
[sql] User 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/sim
[eap] processing type sim
+++ EAP-sim decoded packet:
User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
NAS-IP-Address = 192.168.2.1
Called-Station-Id = 48f8b315461a
Calling-Station-Id = 1814563e5189
NAS-Identifier = 48f8b315461a
NAS-Port = 38
Framed-MTU = 1400
State = 0x2e42338f2e362191820b0799859172e9
NAS-Port-Type = Wireless-802.11
EAP-Message
Re: eap sim authorization problem
On 20.06.2013 13:38, raptor raptor wrote:
> Sending Access-Accept of id 0 to 192.168.2.1 port 2048
> MS-MPPE-Recv-Key = 0x9d0b6b0a9151822473399a9fed44e8f0d74df083532a7d437e436f60866252d8
> MS-MPPE-Send-Key = 0xebf07da25ca3cd97267d1fc6a1ce18d68ad2737902f610284bdb45c6eed0cb7f
> EAP-Message = 0x03760004
> Message-Authenticator = 0x
> User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
> Finished request 2.

I cannot see authentication failure in this debug log.
RE: terminate eap-ttls
>>>> What I really need to do is proxy the inner message to another Radius server which will do the authentication but I cannot get this to work. Whatever I try, I always see an EAP-Message avp heading off to the remote server. I have looked at the proxy-inner-tunnel virtual server but am unsure how to use it.
>>>
>>> This *is* proxying the inner tunnel; the inner tunnel auth is also EAP, and you're sending it to the remote server.
>>
>> Thanks, this is NOT what I want to do. I want to send the inner message, not the tunnel and do PAP on the remote server.
>
> You can only do PAP on the remote server if your inner auth method was PAP. Basically, this means EAP-TTLS/PAP.
>
> Doing that is simple:
>
> server inner-tunnel {
>     authorize {
>         update control {
>             Proxy-To-Realm := THEREALM
>         }
>     }
> }
>
> If this isn't working, send a debug from radiusd -X

Many thanks Phil, that now works a treat. For other folks, the main trip up I had was the eapol config. Originally I had:

network={
    eap=TTLS
    eapol_flags=0
    key_mgmt=IEEE8021X
    identity="testuser"
    password="testpassword"
    ca_cert="/home/carla/ca.pem"
    phase2="auth=TTLS"
}

As per the original page, but I really needed:

network={
    eap=TTLS
    eapol_flags=0
    key_mgmt=IEEE8021X
    identity="testuser"
    password="testpassword"
    ca_cert="/home/carla/ca.pem"
    phase2="auth=PAP"
}

The phase2 indicating the inner protocol. Obvious when you know!
Re: eap sim authorization problem
Hi Iliya, I'm sorry, my posting above is about one client.

First, I connect with one client and it's success (until "Finished request 2" in debug log) and then in next request, I try with different supplicant/client to authenticate, and I have input identity (IMSI, RAND, SRES, KC) into simtriplets.dat and users also.

my simtriplets.dat format:

1510019760806391,326258E6F77C40f3866DB25DEA60AE4D,DD287535,7F743521EBabb000
1510019760806391,FD9989BD90AD4a03962E6C08C000C14B,BFf89ad2,1C7098005Fea8c00
1510019760806391,26CC8DB02C9848c7BBCC2790E3F0913B,17172cc6,BF34bf34D4ca4c00
1510080325656501,5A8F4C0677DE4930B47825B55534CC79,94d66001,AC85d79439b564c0
1510080325656501,8E29A03F8E13466fBF84D12F6A9D4734,E284e39e,13a524d040094ef4
1510080325656501,BC5D3CEB1EAC4164AA463E289222C450,AE8bdfc6,B0354bf3402e42ed

my users format:

1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org EAP-Type := SIM
    EAP-Sim-Rand1 = 0x 326258E6F77C40f3866DB25DEA60AE4D,
    EAP-Sim-SRES1 = 0x DD287535,
    EAP-Sim-KC1 = 0x 7F743521EBabb000,
    EAP-Sim-Rand2 = 0x FD9989BD90AD4a03962E6C08C000C14B,
    EAP-Sim-SRES2 = 0x BFf89ad2,
    EAP-Sim-KC2 = 0x 1C7098005Fea8c00,
    EAP-Sim-Rand3 = 0x 26CC8DB02C9848c7BBCC2790E3F0913B,
    EAP-Sim-SRES3 = 0x 17172cc6,
    EAP-Sim-KC3 = 0x BF34bf34D4ca4c00,
1510080325656...@wlan.mnc008.mcc510.3gppnetwork.org EAP-Type := SIM
    EAP-Sim-Rand1 = 0x 5A8F4C0677DE4930B47825B55534CC79,
    EAP-Sim-SRES1 = 0x 94d66001,
    EAP-Sim-KC1 = 0x AC85d79439b564c0,
    EAP-Sim-Rand2 = 0x 8E29A03F8E13466fBF84D12F6A9D4734,
    EAP-Sim-SRES2 = 0x E284e39e,
    EAP-Sim-KC2 = 0x 13a524d040094ef4,
    EAP-Sim-Rand3 = 0x BC5D3CEB1EAC4164AA463E289222C450,
    EAP-Sim-SRES3 = 0x AE8bdfc6,
    EAP-Sim-KC3 = 0x B0354bf3402e42ed

here is my debug log:

rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=1, length=215
User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
NAS-IP-Address = 192.168.2.1
Called-Station-Id = 48f8b315461a
Calling-Station-Id = 1814563e5189
NAS-Identifier = 48f8b315461a
NAS-Port = 38
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0238013135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267
Message-Authenticator = 0x509abafbd92ee8417dcb22095d89059d
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm wlan.mnc001.mcc510.3gppnetwork.org for User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
[suffix] No such realm wlan.mnc001.mcc510.3gppnetwork.org
++[suffix] returns noop
rlm_sim_files: authorized user/imsi 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 0 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
[eap] Underlying EAP-Type set EAP ID to 161
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.2.1 port 2048
EAP-Message = 0x01a10014120a0f020002000111010100
Message-Authenticator = 0x
State = 0x86406e6686e17cf5f398cb77ce20781c
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=1, length=265
Cleaning up request 0 ID 1 with timestamp +25
User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
NAS-IP-Address = 192.168.2.1
Called-Station-Id = 48f8b315461a
Calling-Station-Id = 1814563e5189
NAS-Identifier = 48f8b315461a
NAS-Port = 38
Framed-MTU = 1400
State = 0x86406e6686e17cf5f398cb77ce20781c
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x02a10058120a07055004b19c6e3aacce33e95d1f3c10c481100100010e0e00333135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f726700
Message-Authenticator = 0xc9bbe2c285ff35377724d62bb118966b
# Executing section authorize from file /etc/freeradius/sites-enabled/default
Re: terminate eap-ttls
> Hi, I have managed to setup a simple test using eapol_test as per http://www.openlogic.com/wazi/bid/188089/Authenticating-Wi-Fi-Users-with-FreeRADIUS

that's a rather old...and random URL. why not look at official docs?

> and it all works as described except that I have to use ca.pem instead of server.pem. I think this might be because the example uses an older version of FreeRadius?

yes, ca_cert=/home/carla/server.pem is wrong. that's basically checking the RADIUS server cert..not the CA. eapol_test wants to verify the CA with that config option.

> What I really need to do is proxy the inner message to another Radius server which will do the authentication but I cannot get this to work. Whatever I try, I always see an EAP-Message avp heading off to the remote server. I have looked at the proxy-inner-tunnel virtual server but am unsure how to use it.

tell EAP to send the message to somewhere else other than inner-tunnel virtual server. the inner-tunnel virtual server is a local instance. you need to proxy, so define a remote pool as per proxy.conf examples

alan
Re: terminate eap-ttls
On 19/06/13 13:28, adrian.p.sm...@bt.com wrote:
> What I really need to do is proxy the inner message to another Radius server which will do the authentication but I cannot get this to work. Whatever I try, I always see an EAP-Message avp heading off to the remote server. I have looked at the proxy-inner-tunnel virtual server but am unsure how to use it.

This *is* proxying the inner tunnel; the inner tunnel auth is also EAP, and you're sending it to the remote server.

If the remote server doesn't support EAP, you will need to investigate the:

proxy_tunneled_request_as_eap

...option in eap.conf. This is set on the outer EAP type (peap or ttls)
RE: terminate eap-ttls
>> What I really need to do is proxy the inner message to another Radius server which will do the authentication but I cannot get this to work. Whatever I try, I always see an EAP-Message avp heading off to the remote server. I have looked at the proxy-inner-tunnel virtual server but am unsure how to use it.
>
> This *is* proxying the inner tunnel; the inner tunnel auth is also EAP, and you're sending it to the remote server.

Thanks, this is NOT what I want to do. I want to send the inner message, not the tunnel and do PAP on the remote server.

> If the remote server doesn't support EAP, you will need to investigate the:
>
> proxy_tunneled_request_as_eap
>
> ...option in eap.conf. This is set on the outer EAP type (peap or ttls)

Regards
Re: terminate eap-ttls
Hi,

>> This *is* proxying the inner tunnel; the inner tunnel auth is also EAP, and you're sending it to the remote server.
>
> Thanks, this is NOT what I want to do. I want to send the inner message, not the tunnel and do PAP on the remote server.

okay. so you need to start by terminating the EAP on your server...so you need the current out of the box configuration and use the inner-tunnel...but then you want to proxy the PAP authentication - that would be done with some 'update control' unlang

alan