Re: EAP-TLS Authentication

2013-09-23 Thread Muhammad Nadeem
> Please suggest any document which can help in better understanding of TLS
> Authentication.

Arvind, I also faced the same issue at the beginning, but I would suggest
reading FreeRADIUS's own documentation. That is probably the best.


On Mon, Sep 23, 2013 at 7:45 PM, arvind132 .  wrote:

> Hi,
> I am facing some issues with 802.1x EAP-TLS Authentication.
> Please suggest any document which can help in better understanding of TLS
> Authentication.
> Thanks.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>



-- 
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University

EAP-TLS Authentication

2013-09-23 Thread arvind132 .
Hi,
I am facing some issues with 802.1x EAP-TLS Authentication.
Please suggest any document which can help in better understanding of TLS
Authentication.
Thanks.

Re: EAP-TLS works but not PEAP/EAP-TLS

2013-09-17 Thread John Carter
Thanks Martin,

I had already changed this in the config, but it led me to the real issue,
which was that I'd added an "eap inner-eap" section to my eap.conf, but I
also had a modules/inner-eap file from the default config. When I removed
the modules/inner-eap file it all works fine.

Thanks again,
John.



On 17 September 2013 08:46, Martin Kraus  wrote:

> On Tue, Sep 17, 2013 at 07:54:12AM +0100, John Carter wrote:
> > I've got a Windows 7 machine attempting to connect to FreeRADIUS 2.2.0.
> > EAP-TLS with a client certificate works fine, but with PEAP/EAP-TLS it
> > doesn't.
>
> Hi.
>
> make fragment_size in modules/inner-eap smaller than fragment_size in
> eap.conf
>
> I've got 1200 in inner-eap and 1400 in eap.conf
>
> cheers
> mk



-- 
John Carter
Identity Networks
jcar...@identitynetworks.com
skype:jcartermeru

Re: EAP-TLS works but not PEAP/EAP-TLS

2013-09-17 Thread Martin Kraus
On Tue, Sep 17, 2013 at 07:54:12AM +0100, John Carter wrote:
> I've got a Windows 7 machine attempting to connect to FreeRADIUS 2.2.0.
> EAP-TLS with a client certificate works fine, but with PEAP/EAP-TLS it
> doesn't.

Hi.

make fragment_size in modules/inner-eap smaller than fragment_size in eap.conf

I've got 1200 in inner-eap and 1400 in eap.conf

cheers
mk


EAP-TLS works but not PEAP/EAP-TLS

2013-09-17 Thread John Carter
Hi,

I've got a Windows 7 machine attempting to connect to FreeRADIUS 2.2.0.
EAP-TLS with a client certificate works fine, but with PEAP/EAP-TLS it
doesn't.

Is there anything I'm missing? The problem appears to be that the client
doesn't send over the client cert. I know Windows is very fussy with what
it accepts as a cert for EAP-TLS, but I'm confused as to why it works for
one and not the other.

Mon Sep 16 12:56:55 2013 : Info: [tls] Length Included
Mon Sep 16 12:56:55 2013 : Info: [tls] eaptls_verify returned 11
Mon Sep 16 12:56:55 2013 : Info: [tls] (other): before/accept initialization
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: before/accept initialization
Mon Sep 16 12:56:55 2013 : Info: [tls] <<< TLS 1.0 Handshake [length 005a], ClientHello
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: SSLv3 read client hello A
Mon Sep 16 12:56:55 2013 : Info: [tls] >>> TLS 1.0 Handshake [length 0031], ServerHello
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: SSLv3 write server hello A
Mon Sep 16 12:56:55 2013 : Info: [tls] >>> TLS 1.0 Handshake [length 053e], Certificate
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: SSLv3 write certificate A
Mon Sep 16 12:56:55 2013 : Info: [tls] >>> TLS 1.0 Handshake [length 000d], CertificateRequest
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: SSLv3 write certificate request A
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: SSLv3 flush data
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
Mon Sep 16 12:56:55 2013 : Debug: In SSL Handshake Phase
...
Mon Sep 16 12:57:00 2013 : Debug: WARNING: !!
Mon Sep 16 12:57:00 2013 : Debug: WARNING: !! EAP session for state 0x7c569f3d755a860c did not finish!
Mon Sep 16 12:57:00 2013 : Debug: WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
Mon Sep 16 12:57:00 2013 : Debug: WARNING: !!
Mon Sep 16 12:57:00 2013 : Info: Ready to process requests.

radius.log: http://pastebin.com/9fBdxfYt
eap.conf: http://pastebin.com/7dL69pmQ
inner-tunnel: http://pastebin.com/BGzJSKz0

Thanks,

John.

-- 
John Carter
Identity Networks
jcar...@identitynetworks.com
skype:jcartermeru

Re: eap-tls ignore client cert expiry check - crazy idea?

2013-09-02 Thread ken.farrington
Hi All,

Just to let you all know I did get all my setup working (it took me a while, not
being a Linux guru) but it does work as expected.  Just in case anyone was
wondering :)

Many thanks all
Ken
:)

On 29 August 2013 at 16:05 "ken.farrington"  wrote:

>  Hi All,
> 
>  Is there a way if I had 10 clients in my home lab and all the certs expire
> tomorrow, that rather than re-provide all the certs to my clients, I can frigg
> the radius server time, to still accpet them.
> 
>  Im guessing this is a no, but from what I see, the client cert is presented,
> and check against the server time.
> 
>  Would this be correct?
> 
>  Many thanks in advanced
>  Ken
> 
> 
> 

eap-tls ignore client cert expiry check - crazy idea?

2013-08-29 Thread ken.farrington
Hi All,

Is there a way if I had 10 clients in my home lab and all the certs expire
tomorrow, that rather than re-provide all the certs to my clients, I can frig
the radius server time, to still accept them.

I'm guessing this is a no, but from what I see, the client cert is presented, and
checked against the server time.

Would this be correct?

Many thanks in advance
Ken


Ken Farrington
Director
CCIE #12651

802 Limited
International House, 221 Bow Road, London, E3 2SJ, United Kingdom
Direct: +44 (0)7500 802802
ken.farring...@802.co.uk
http://www.802.co.uk


Disclaimer
This e-mail may contain information that is confidential, privileged or
otherwise protected from disclosure. If you are not an intended recipient of
this e-mail, do not duplicate or redistribute it by any means. Please delete it
and any attachments and notify the sender that you have received it in error.
Any views or opinions presented are solely those of the author and do not
necessarily represent those of 802 Limited or any subsidiary company of 802
Limited. This email may relate to or be sent from other members of the 802
Group. All rights reserved. 802 Limited. Registered in the UK. Company Number.
7962864.

Re: EAP-TLS and TLS record protocol

2013-05-24 Thread Phil Mayers

On 05/24/2013 09:12 AM, Pieter Hulshoff wrote:
> Hello all,
>
> I'm new to the list, relatively new to authentication, and I'm trying to figure
> out some details regarding the RFCs. I was hoping some of you might be able
> and willing to help me out here.
>
> As I understand it, using TLS you can authenticate the server and optionally
> the client, negotiate the encryption/signing algorithm(s) for the TLS record
> protocol, and exchange the key information before switching to the selected
> encryption/signing algorithm(s) for secure data transport. EAP-TLS however
> seems focused on authorization and exchanging the key information, leaving the
> actual data encryption to be determined by other means (e.g. IEEE 802.1X MKA
> i.c.w. MACsec).
>
> My questions:
> 1. Is this understanding correct?

Sort of. You've focussed on EAP-TLS, but that's misleading. *All* EAP 
methods are solely for authentication; the EAP protocols are not used to 
forward traffic, they merely authenticate and, if the link-layer 
requires it, derive encryption keys.

By way of illustrating the implications - note that, on a non-MACSEC 
802.1x wired connection, you can (but shouldn't!) use EAP-MD5 which does 
not derive key material, because there's no link-layer encryption.

Similarly, on wireless 802.1x, you can use EAP-PWD or EAP-EKE, both of 
which derive key material and both of which have nothing to do with TLS.

> 2. Does this imply that the negotiated encryption/signing algorithm(s) are
> only used for the EAP-TLS Finished messages?

For *all* EAP methods, the only output is success/failure and optionally 
key material, and the key material is just a securely-derived set of 
bits. The cryptographic primitives used by the EAP method have no 
bearing on the cryptographic primitives used by the link layer.

Also - this is not a FreeRADIUS question really, and if you have more 
questions, they might be better off in another forum.



EAP-TLS and TLS record protocol

2013-05-24 Thread Pieter Hulshoff
Hello all,

I'm new to the list, relatively new to authentication, and I'm trying to figure 
out some details regarding the RFCs. I was hoping some of you might be able 
and willing to help me out here.

As I understand it, using TLS you can authenticate the server and optionally 
the client, negotiate the encryption/signing algorithm(s) for the TLS record 
protocol, and exchange the key information before switching to the selected 
encryption/signing algorithm(s) for secure data transport. EAP-TLS however 
seems focused on authorization and exchanging the key information, leaving the 
actual data encryption to be determined by other means (e.g. IEEE 802.1X MKA 
i.c.w. MACsec).

My questions:
1. Is this understanding correct?
2. Does this imply that the negotiated encryption/signing algorithm(s) are 
only used for the EAP-TLS Finished messages?

Any and all insights would be most welcome. :)

Kind regards,

Pieter Hulshoff



Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-21 Thread Matthew Newton
On Tue, May 21, 2013 at 03:21:33PM +0800, Robert wrote:
> Thank you! The configuration in the link works. The key is setting
> fragment_size correctly.

Yes, that was the gotcha.

> But I am confused about the two methods :
> Is EAP PEAP/TLS = EAP PEAP/EAP-TLS ?
> Or they are two different methods?

Same thing, but usually referred to as PEAP/EAP-TLS (or sometimes,
probably incorrectly, EAP-PEAP/EAP-TLS).

Matthew


-- 
Matthew Newton, Ph.D. 

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, 


Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-21 Thread Matthew Newton
On Tue, May 21, 2013 at 08:03:48AM +0100, Franks Andy (RLZ) IT Systems Engineer 
wrote:
> Just confirming that I've tested this in the past and it works, but I
> believe the poster of the article is dubious about a production
> environment.

Not at all - we are running it in production.

The warning at the bottom is to make you think about what you're
doing first, rather than to blindly copy my examples and then open
yourself up to security issues that you haven't thought through.
The examples are stripped down to their utter bare minimum - which
is unlikely to be what you want in production.

> When I tried it on wifi it took a second or so more to
> authenticate for some reason, so we eventually went with eap-tls
> instead because of this and because it was simpler.  I did also
> get quite a few "The EAP message did not complete" but that
> could be coincidental.

It's been running fine here with a lot of laptops for over a year
now. We usually see the "EAP did not complete" errors from bad
wireless signals or misconfigured EAP timers.

As the article says - the only real benefit is to get SoH data
from the device. If you don't want/need that, you're fine with
plain EAP-TLS (and with less round trips, it will auth faster,
too).

Cheers

Matthew


-- 
Matthew Newton, Ph.D. 

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, 


RE: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-21 Thread Robert
Thank you! The configuration in the link works. The key is setting
fragment_size correctly.

But I am confused about the two methods :
Is EAP PEAP/TLS = EAP PEAP/EAP-TLS ?
Or they are two different methods?
-Original Message-
From: freeradius-users-bounces+robert_chen=favite@lists.freeradius.org
[mailto:freeradius-users-bounces+robert_chen=favite@lists.freeradius.org
] On Behalf Of Phil Mayers
Sent: Monday, May 20, 2013 5:51 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

On 20/05/13 09:02, Robert wrote:
> Hi
>
> I use freeradius v2.1.10 in Debian Squeeze 6.0.1.
>
> I want to know if freeradius supports the following methods :

See here:

http://notes.asd.me.uk/2012/01/20/freeradius-with-peap-eap-tls-for-microsoft
-soh/

RE: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-21 Thread Franks Andy (RLZ) IT Systems Engineer
Just confirming that I've tested this in the past and it works, but I
believe the poster of the article is dubious about a production
environment. When I tried it on wifi it took a second or so more to
authenticate for some reason, so we eventually went with eap-tls instead
because of this and because it was simpler. 
I did also get quite a few "The EAP message did not complete" but that
could be coincidental.


-Original Message-
From:
freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org
[mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradiu
s.org] On Behalf Of Phil Mayers
Sent: 20 May 2013 10:51
To: freeradius-users@lists.freeradius.org
Subject: Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

On 20/05/13 09:02, Robert wrote:
> Hi
>
> I use freeradius v2.1.10 in Debian Squeeze 6.0.1.
>
> I want to know if freeradius supports the following methods :

See here:

http://notes.asd.me.uk/2012/01/20/freeradius-with-peap-eap-tls-for-micro
soft-soh/


Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-20 Thread Phil Mayers

On 20/05/13 10:59, stefan.pae...@diamond.ac.uk wrote:
> Ahhh.
>
> According to this conversation:

That's a really old conversation. See instead the link I posted in my 
other email.




RE: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-20 Thread stefan.paetow
Ahhh. 

According to this conversation: 
http://freeradius.1045715.n5.nabble.com/PEAP-EAP-TLS-with-client-and-server-certificate-td2760634.html
 - FR does support PEAP-EAP-TLS :-)

Stefan


-Original Message-
From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org]
 On Behalf Of Phil Mayers
Sent: 20 May 2013 10:49
To: freeradius-users@lists.freeradius.org
Subject: Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

On 20/05/13 10:25, stefan.pae...@diamond.ac.uk wrote:
> It supports EAP with TTLS, TLS and PEAP, yes. Look at EAP.conf - you 
> can configure all supported options in there.

Not sure you've understood what he's asking there; he wants to know if you can 
do PEAP with EAP-TLS as an inner.

The main advantage to this is anonymous outer ID.

I *think* FR supports this, but I can't remember the details or if there are 
any caveats.

-- 
This e-mail and any attachments may contain confidential, copyright and or 
privileged material, and are for the use of the intended addressee only. If you 
are not the intended addressee or an authorised recipient of the addressee 
please notify us of receipt by returning the e-mail and do not use, copy, 
retain, distribute or disclose the information in or attached to the e-mail.
Any opinions expressed within this e-mail are those of the individual and not 
necessarily of Diamond Light Source Ltd. 
Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments 
are free from viruses and we cannot accept liability for any damage which you 
may sustain as a result of software viruses which may be transmitted in or with 
the message.
Diamond Light Source Limited (company no. 4375679). Registered in England and 
Wales with its registered office at Diamond House, Harwell Science and 
Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
 





Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-20 Thread Phil Mayers

On 20/05/13 09:02, Robert wrote:
> Hi
>
> I use freeradius v2.1.10 in Debian Squeeze 6.0.1.
>
> I want to know if freeradius supports the following methods :

See here:

http://notes.asd.me.uk/2012/01/20/freeradius-with-peap-eap-tls-for-microsoft-soh/


Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-20 Thread Phil Mayers

On 20/05/13 10:25, stefan.pae...@diamond.ac.uk wrote:
> It supports EAP with TTLS, TLS and PEAP, yes. Look at EAP.conf - you can
> configure all supported options in there.

Not sure you've understood what he's asking there; he wants to know if 
you can do PEAP with EAP-TLS as an inner.


The main advantage to this is anonymous outer ID.

I *think* FR supports this, but I can't remember the details or if there 
are any caveats.



RE: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-20 Thread stefan.paetow
It supports EAP with TTLS, TLS and PEAP, yes. Look at EAP.conf - you can 
configure all supported options in there.

Regards

Stefan


From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org]
 On Behalf Of Robert
Sent: 20 May 2013 09:03
To: freeradius-users@lists.freeradius.org
Subject: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

Hi

I use freeradius v2.1.10 in Debian Squeeze 6.0.1.

I want to know if freeradius supports the following methods :

l  EAP PEAP/TLS

l  EAP PEAP/EAP-TLS
?

The client I use is wpa_supplicant v0.6.9.

Regards,
Robert




Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-20 Thread Robert
Hi

 

I use freeradius v2.1.10 in Debian Squeeze 6.0.1.

 

I want to know if freeradius supports the following methods :

l  EAP PEAP/TLS

l  EAP PEAP/EAP-TLS

?

 

The client I use is wpa_supplicant v0.6.9.

 

Regards,

Robert


Re: Question on certificates before deep dive into EAP-TLS

2013-04-12 Thread Alan DeKok
Mathieu Simon wrote:
> Telling students how to install an internal CA root isn't going to work,
> it already
> didn't work for teachers in the past ...

  Yes.  That is a problem.

> But allowing only (internal) devices with certs from the internal CA
> through CA_file
> would allow us to more easily integrate those non-personal but
> school-owned devices.

  That would work.

> I just hope I'm not telling complete bullshit... ;-)

  Nope.

> Thank you Alan for your time to answer!

  It's what I do.

  Alan DeKok.


Re: Question on certificates before deep dive into EAP-TLS

2013-04-11 Thread Mathieu Simon
Hi

On 11.04.2013 20:08, Alan DeKok wrote:
> 
>> The real-life example would be that people could use PEAP-MSCHAPv2 for
>> credential-based logins (server certificate being signed by a "trusted"
>> external CA)
>   While that works, it's not recommended.  It means that the client will
> trust *any* certificate signed by that CA, for network access.
>
>   It's usually a bad idea.
Correct, that for sure isn't what I'd want :-)

certificate_file - the server-side certificate - would contain the certificate
(and its trust chain) by the "trusted" CA.

CA_file would only contain the internal CA, such as that only those signed
by the one internal CA IT has control over it, would be accepted by FR.
(oh and I'd want to have a regularly up-to-date revocation list...)
> 
>
>   You don't need one CA per EAP method.
Sure, I am only looking for the server-side certificate (certificate_file) being
signed by a CA that most devices trust - since most of the users are going to use
PEAP-MSCHAPv2 with devices not under direct control of IT.

Telling students how to install an internal CA root isn't going to work;
it already didn't work for teachers in the past ...

But allowing only (internal) devices with certs from the internal CA
through CA_file
would allow us to more easily integrate those non-personal but
school-owned devices.

I just hope I'm not telling complete bullshit... ;-)

Thank you Alan for your time to answer!

-- Mathieu


Re: Question on certificates before deep dive into EAP-TLS

2013-04-11 Thread Alan DeKok
Mathieu Simon wrote:
> Usually I've seen example for EAP-TLS setups that used a server-side
> certificate
> issued from the same CA as the one it should allow EAP-TLS clients who
> present
> their certificate to FR.

  Yes.

> Am I guessing correctly that CA_file can contain a different list of CA(s)
> than the server certificate that is shown to the client?

  Yes.  It contains a list of valid CAs.

> The real-life example would be that people could use PEAP-MSCHAPv2 for
> credential-based logins (server certificate being signed by a "trusted"
> external CA)

  While that works, it's not recommended.  It means that the client will
trust *any* certificate signed by that CA, for network access.

  It's usually a bad idea.

> while some devices could login using EAP-TLS but only when they present
> a certificate from an internal CA (that usually isn't being trusted by
> devices
> outside of control of IT department).

  That works.  The client will need *both* CAs.

  But why be this complicated?  Just use one CA, which is for both
EAP-TLS and PEAP.  It can issue client certs to some machines, and *not*
issue client certs to others.

  You don't need one CA per EAP method.

  Alan DeKok.


Question on certificates before deep dive into EAP-TLS

2013-04-11 Thread Mathieu Simon
G'day

As a (hopefully) answer-able question to those experienced with EAP-TLS
that I've
been twisting my brain:

Usually I've seen example for EAP-TLS setups that used a server-side
certificate
issued from the same CA as the one it should allow EAP-TLS clients who
present
their certificate to FR.

Am I guessing correctly that CA_file can contain a different list of CA(s)
than the server certificate that is shown to the client? (Taken from
Debian's FR 2.1.12)

eap.conf:
  tls {
 [...]
 certificate_file = "/etc/freeradius/ssl/cert.p

 #  Trusted Root CA list
 CA_file = "/etc/univention/ssl/ucsCA/CAcert.pem"
[...]

The real-life example would be that people could use PEAP-MSCHAPv2 for
credential-based logins (server certificate being signed by a "trusted"
external CA)
while some devices could login using EAP-TLS but only when they present
a certificate from an internal CA (that usually isn't being trusted by
devices
outside of control of IT department).

Best regards
Mathieu


Re: Setting up EAP-TLS as the ONLY authentication mechanism?

2013-03-24 Thread Alan Buxey
Blah blah. But you don't say what the issue is with the documentation... in fact 
your issue was with the default config and your requirements... which are 
actually both fully documented in the config. I don't see why you've dropped in 
from nowhere, thrown your ego around and then claim to be leaving. Expect 
help/advice in the future? Because if so, you've gone about it the wrong way 
really.

alan


Re: Setting up EAP-TLS as the ONLY authentication mechanism?

2013-03-24 Thread Alan DeKok
Thomas Hruska wrote:
> The difference from your response to Arran's response to my questions is
> night and day.  He was moderately polite while you were and are
> downright rude.

  As always, my first response is polite and answers your questions.  I
only get blunt when people argue with me.

  I'll also note that you've conveniently deleted all of my other
points.  I'll take that as evidence you agree with them.

>  That's the other key factor - making sure stuff
> can be found via Google as a top result on the official site.  Google is
> your first line of defense against newbies and, when you host the
> content yourself, you control that line of defense.

  Another lecture about how superior you are.

> On a different note, I've also found that telling people how long I've
> been writing software does nothing beneficial.  You just get into a
> yelling match with those who have been writing software longer.

  If you've been writing software for a long time, you should have been
able to figure out how to edit the default config.

> I can tell when I'm not wanted, so I'll just drop off this list.  Later.

  I have no patience for people who are ignorant about a subject, and
lecture me on it.

  This list is for people who want to solve RADIUS problems.  If you
focus on that, you're OK.  If you complain about "red flags" because of
your RADIUS ignorance, you will get told off, and rightly so.  It's rude
to be condescending to experts, and I won't have it.

  Alan DeKok.


Re: Setting up EAP-TLS as the ONLY authentication mechanism?

2013-03-24 Thread Thomas Hruska

On 3/24/2013 5:59 AM, Alan DeKok wrote:
> Thomas Hruska wrote:
>> Nowhere in there does it explain why proxying is on by default.  It just
>> says that it can be turned off.  I want to know why it is on by default
>> in the first place.  From what I'm beginning to understand, based on
>> your reply, FreeRADIUS opens a port that isn't necessary for basic
>> functionality as part of its default installation.  That sort of
>> behavior should at least raise an eyebrow if not a few red flags.
>
>   You're unhappy that your questions got push-back.  So you're pushing
> back in return.  However... you know little or nothing about RADIUS, and
> I've been doing this for 20 years.
>
>   And after doing this for 20 years, your message is typical of a
> particular class of newbie.  The existing documentation is too
> complicated.  Yet you don't ask a specific question.  Instead, you have
> a long complicated post complaining about many things, and asking many
> questions.  When I point this out, you start putting me down.
>
>   I've had hundreds of conversations like this, and it's always annoying.
>
>   Your entire approach is wrong.  Read "man radiusd".  That documents
> the correct approach.

The difference from your response to Arran's response to my questions is 
night and day.  He was moderately polite while you were and are 
downright rude.  I've met grizzled veteran developers before.  You are 
one of those.  As a developer myself, I know I've got two options:


1)  Fend off the newbies constantly.
2)  Write better documentation.  With a dash of humor in the mix.  If it 
isn't fun, then it isn't worth reading (or writing) it.


I've found that the latter creates a MUCH better experience for everyone 
(i.e. the "nuisances" go away - hey, I've been where you are at as 
well).  I've also found that *I* have to actually write the 
documentation because no one else will do it for me (e.g. Wikis don't 
really work for software).  And it isn't a FAQ, it is real documentation 
naturally covering a wide range of common (and even uncommon) topics.  I 
always include a documentation cycle in my software releases - and it 
takes about a week to two weeks to complete, but it is so worth it. 
Whenever a user asks a question, I check the documentation to make sure 
I wrote something about it, write a quick paragraph in a polite 
response, and link to the right place, knowing someone else will find 
the post + reply via a Google search later and won't ask the same 
question as a result.  That's the other key factor - making sure stuff 
can be found via Google as a top result on the official site.  Google is 
your first line of defense against newbies and, when you host the 
content yourself, you control that line of defense.


On a different note, I've also found that telling people how long I've 
been writing software does nothing beneficial.  You just get into a 
yelling match with those who have been writing software longer.


Anyway, just a few things I've picked up over the years.

I can tell when I'm not wanted, so I'll just drop off this list.  Later.


> Alan DeKok.



--
Thomas Hruska
CubicleSoft President

I've got great, time saving software that you might find useful.

http://cubiclesoft.com/


Re: Setting up EAP-TLS as the ONLY authentication mechanism?

2013-03-24 Thread Alan DeKok
Thomas Hruska wrote:
> Nowhere in there does it explain why proxying is on by default.  It just
> says that it can be turned off.  I want to know why it is on by default
> in the first place.  From what I'm beginning to understand, based on
> your reply, FreeRADIUS opens a port that isn't necessary for basic
> functionality as part of its default installation.  That sort of
> behavior should at least raise an eyebrow if not a few red flags.

  You're unhappy that your questions got push-back.  So you're pushing
back in return.  However... you know little or nothing about RADIUS, and
I've been doing this for 20 years.

  I won't explain why there are no "red flags" in the default
configuration.  I *will* explain that it's unproductive for newbies to
second-guess experts.

> The default client secret(s) should be different from the default proxy
> secret(s) to avoid confusion for first-time users.

  So as a first-time user, you know more about their needs than someone
who's done this for 20 years?

> I missed that it is there for testing.  And I see why:

  Don't quote the config files at me.  I wrote them.  This just comes
across as condescending, and lecturing me about the text I wrote.

> Again, defaults exist for a reason.  The reasons for the defaults are
> what I'm actually after here.

  The reasons are given in the documentation, web pages, "man" pages,
config files, etc.  The defaults enable the server to do the Right Thing
in the widest possible set of circumstances.

  i.e. so that newbies like you can get the server running with minimal
work.

  Your response is to insult the developers, by claiming that the
defaults "raise red flags".

  Stop it.  It's ignorant and annoying.

> All I was asking here was if commenting out those protocols in
> 'eap.conf' was all I have to do to disable them?  A simple confirmation
> would suffice.

  I answered that.

>>   You're looking for reassurance that editing the config files won't
>> cause the server to explode in flaming metal.  It won't.  Edit them.
> 
> I admit that there is a little of that, but I'm just trying to save
> myself from breaking things too badly by understanding why the defaults
> are the defaults before I go and blow away large portions of config.

  The defaults are documented.  See the comments in the config files.

  The procedure for editing the defaults is documented.  See "man radiusd".

  It's really not rocket science.  You're looking for emotional
reassurance that the server won't explode.  I'm not going to give it.
Instead, you should follow the documentation, and follow the documented
methods for editing the configuration.  If something goes wrong, it's
just text.  Put the old config back, and start again.


  And after doing this for 20 years, your message is typical of a
particular class of newbie.  The existing documentation is too
complicated.  Yet you don't ask a specific question.  Instead, you have
a long complicated post complaining about many things, and asking many
questions.  When I point this out, you start putting me down.

  I've had hundreds of conversations like this, and it's always annoying.

  Your entire approach is wrong.  Read "man radiusd".  That documents
the correct approach.

  Alan DeKok.


Re: Setting up EAP-TLS as the ONLY authentication mechanism?

2013-03-24 Thread Alan Buxey
All that stuff is on by default to ensure that people who want more than a 
really dumb and minimal server can get up and running without having to try to 
find what combination of stuff needs to be enabled.

So, e.g. proxying is enabled... what's the issue? Unless you have actually edited 
proxy.conf to do something it won't do anything; there's no entry in 
clients.conf other than localhost too, so even if you had the required ports 
open to the world, nothing is going to happen.

If all you want is EAP-TLS auth then it's very easy to minimise to that 
config... much, much easier than having to learn the server better and trying to 
get there from a minimal config that doesn't work out of the box (ask those who 
have tried doing it that way... look at mailing list history for those that 
stripped the config out before then trying to get things to work).

This isn't Apache, which does have a whole load of things on and can get you 
p0wned on port 80 if you have that open to the world.

alan

--
This smartphone uses free WiFi around the world with eduroam, now that's what I 
call smart.


Re: Setting up EAP-TLS as the ONLY authentication mechanism?

2013-03-23 Thread Arran Cudbard-Bell

On 23 Mar 2013, at 23:32, Thomas Hruska  wrote:

> On 3/23/2013 3:54 PM, Alan DeKok wrote:
>> Thomas Hruska wrote:
> 
>>   Read proxy.conf.
> 
> [Sigh]  I have.  It doesn't make sense to me.  Why enable it as a default if 
> it isn't necessary for basic functionality?  Hopefully you can see how the 
> average user might be confused, "Hey the authors enabled this by default.  
> Maybe there is a very important reason for that.

Nope, just means more things work with less tweaking.

>  I'll go ahead and leave it alone because they know better."  But I see an 
> open port and wonder if it is actually necessary.  So I figured I would ask 
> to obtain some knowledge of why it is enabled by default, hence the original 
> questions.  Here's the text from 'radiusd.conf':
> 
> # PROXY CONFIGURATION
> #
> #  proxy_requests: Turns proxying of RADIUS requests on or off.
> #
> #  The server has proxying turned on by default.  If your system is NOT
> #  set up to proxy requests to another server, then you can turn proxying
> #  off here.  This will save a small amount of resources on the server.
> #
> #  If you have proxying turned off, and your configuration files say
> #  to proxy a request, then an error message will be logged.
> #
> #  To disable proxying, change the "yes" to "no", and comment the
> #  $INCLUDE line.
> #
> #  allowed values: {no, yes}
> #
> 
> 
> Nowhere in there does it explain why proxying is on by default.  It just says 
> that it can be turned off.  I want to know why it is on by default in the 
> first place.  From what I'm beginning to understand, based on your reply, 
> FreeRADIUS opens a port that isn't necessary for basic functionality as part 
> of its default installation.  That sort of behavior should at least raise an 
> eyebrow if not a few red flags.

Why is authentication on by default, you might just want to do accounting? Why 
is accounting on by default, you might just want to do authentication? It's on 
by default because it does no harm having it on by default, and makes it easier 
for people with no knowledge of the server to use the server.

You just add a realm, and it works, instead of having to toggle different bits 
of config to make it work.

I think the configs could probably do with trimming a bit, but it does not make 
sense to disable these things by default, as there are no security 
implications, just a slight increase in memory usage.

>>> Not sure why I would need this either.  Based on the 'secret' string's
>>> value, I'm wagering it has to do with the 'proxy.conf' settings, but I'm
>>> not 100% confident about that.
>> 
>>   No.  Clients have nothing to do with proxies.
>> 
>>   Do you plan on testing your server?  If so, that entry can be useful.
> 
> The default client secrets(s) should be different from the default proxy 
> secret(s) to avoid confusion for first-time users.
> 
> I missed that it is there for testing.  And I see why:
> 

That sentence is ambiguous.

> 
> 
>>> Most of that seems irrelevant to EAP-TLS.  A certificate isn't exactly a
>>> password - it can expire, but the message "Password Has Expired" seems
>>> like it will never appear (or, if it does, it'll be confusing to a
>>> user).  I'm probably not going to use the 'logintime' features.  'exec'
>>> might be useful since I probably will use the external 'openssl' based
>>> 'verify' method in 'eap.conf' (unless someone can suggest a better
>>> approach).
>> 
>>   So... delete the things you're not using.  That's why there are
>> comments explaining what those modules do.  So you can learn, and think
>> for yourself.
> 
> Again, defaults exist for a reason.  The reasons for the defaults are what 
> I'm actually after here.

Again it's so things just work. For rlm_logintime, if you read the code: 
https://github.com/FreeRADIUS/freeradius-server/blob/master/src/modules/rlm_logintime/rlm_logintime.c#L157

If there's no Login-Time attribute in the request it does nothing. If there is 
a Login-Time attribute in the request it ensures the user can only login before 
that time.

It means you can add Login-Time in a users file, and it'll just work, instead 
of hunting through the server to figure out where to turn on the Login-Time 
module.


>>>  Some of the stuff in 'eap.conf' is confusing.  I've commented
>>> out 'md5', 'leap', 'mschapv2', etc. with only the 'tls' section left
>>> uncommented and set 'default_ea

Re: Setting up EAP-TLS as the ONLY authentication mechanism?

2013-03-23 Thread Thomas Hruska

On 3/23/2013 3:54 PM, Alan DeKok wrote:
> Thomas Hruska wrote:
>
>   Read proxy.conf.


[Sigh]  I have.  It doesn't make sense to me.  Why enable it as a 
default if it isn't necessary for basic functionality?  Hopefully you 
can see how the average user might be confused, "Hey the authors enabled 
this by default.  Maybe there is a very important reason for that.  I'll 
go ahead and leave it alone because they know better."  But I see an 
open port and wonder if it is actually necessary.  So I figured I would 
ask to obtain some knowledge of why it is enabled by default, hence the 
original questions.  Here's the text from 'radiusd.conf':


# PROXY CONFIGURATION
#
#  proxy_requests: Turns proxying of RADIUS requests on or off.
#
#  The server has proxying turned on by default.  If your system is NOT
#  set up to proxy requests to another server, then you can turn proxying
#  off here.  This will save a small amount of resources on the server.
#
#  If you have proxying turned off, and your configuration files say
#  to proxy a request, then an error message will be logged.
#
#  To disable proxying, change the "yes" to "no", and comment the
#  $INCLUDE line.
#
#  allowed values: {no, yes}
#


Nowhere in there does it explain why proxying is on by default.  It just 
says that it can be turned off.  I want to know why it is on by default 
in the first place.  From what I'm beginning to understand, based on 
your reply, FreeRADIUS opens a port that isn't necessary for basic 
functionality as part of its default installation.  That sort of 
behavior should at least raise an eyebrow if not a few red flags.




>> Not sure why I would need this either.  Based on the 'secret' string's
>> value, I'm wagering it has to do with the 'proxy.conf' settings, but I'm
>> not 100% confident about that.
>
>   No.  Clients have nothing to do with proxies.
>
>   Do you plan on testing your server?  If so, that entry can be useful.


The default client secret(s) should be different from the default proxy 
secret(s) to avoid confusion for first-time users.


I missed that it is there for testing.  And I see why:

###
#
#  Define RADIUS clients (usually a NAS, Access Point, etc.).

#
#  Defines a RADIUS client.
#
#  '127.0.0.1' is another name for 'localhost'.  It is enabled by default,
#  to allow testing of the server after an initial installation.  If you
#  are not going to be permitting RADIUS queries from localhost, we suggest
#  that you delete, or comment out, this entry.
#
#

#
#  Each client has a "short name" that is used to distinguish it from
#  other clients.
#
#  In version 1.x, the string after the word "client" was the IP
#  address of the client.  In 2.0, the IP address is configured via
#  the "ipaddr" or "ipv6addr" fields.  For compatibility, the 1.x
#  format is still accepted.
#



>> Most of that seems irrelevant to EAP-TLS.  A certificate isn't exactly a
>> password - it can expire, but the message "Password Has Expired" seems
>> like it will never appear (or, if it does, it'll be confusing to a
>> user).  I'm probably not going to use the 'logintime' features.  'exec'
>> might be useful since I probably will use the external 'openssl' based
>> 'verify' method in 'eap.conf' (unless someone can suggest a better
>> approach).
>
>   So... delete the things you're not using.  That's why there are
> comments explaining what those modules do.  So you can learn, and think
> for yourself.


Again, defaults exist for a reason.  The reasons for the defaults are 
what I'm actually after here.




>>  Some of the stuff in 'eap.conf' is confusing.  I've commented
>> out 'md5', 'leap', 'mschapv2', etc. with only the 'tls' section left
>> uncommented and set 'default_eap_type = tls', but I'm not sure if that
>> is all I need to do.  Documentation on setting up an "EAP-TLS only"
>> RADIUS server is limited.
>
>   I mean it's nonsense to *expect*
> that there will be lots of documentation on setting up your exact
> desired configuration.


All I was asking here was if commenting out those protocols in 
'eap.conf' was all I have to do to disable them?  A simple confirmation 
would suffice.




>   You're looking for reassurance that editing the config files won't
> cause the server to explode in flaming metal.  It won't.  Edit them.


I admit that there is a little of that, but I'm just trying to save 
myself from breaking things too badly by understanding why the defaults 
are the defaults before I go and blow away large portions of config.


--
Thomas Hruska
CubicleSoft President

I've got great, time saving software that you might find useful.

http://cubiclesoft.com/


Re: Setting up EAP-TLS as the ONLY authentication mechanism?

2013-03-23 Thread Alan DeKok
Thomas Hruska wrote:
> Since I only want EAP-TLS, output lines like the following bother me
> (I've inlined my concerns):
...
> Does FreeRADIUS really need to load all of those config files to
> function?

  No.  That's why the config files are editable.  So you can edit them.

>  That is, does it hurt in any way to load all of the module
> config files?

  I don't understand the question.  What can "hurt" about loading config
files?

> What does this do?

  Read raddb/proxy.conf.  This is documented.  Extensively.

> All of this seems to be in proxy.conf.  It doesn't look like I need any
> of it but I'm not sure if it is safe to get rid of it/comment it out.

  Read proxy.conf.

> Again, this will be the only RADIUS server in the network and my
> understanding is that proxies are for forwarding requests to other
> RADIUS servers.  Given my setup, can I safely comment out the '$INCLUDE
> proxy.conf' line in 'radiusd.conf'?

  This is documented.  The comments above the line "$INCLUDE proxy.conf"
tell you.  And again, the reason the config files are text is so that
you can edit them.

  What's the worst that can happen?  If something goes wrong... just put
the text back.

> Not sure why I would need this either.  Based on the 'secret' string's
> value, I'm wagering it has to do with the 'proxy.conf' settings, but I'm
> not 100% confident about that.

  No.  Clients have nothing to do with proxies.

  Do you plan on testing your server?  If so, that entry can be useful.

> Most of that seems irrelevant to EAP-TLS.  A certificate isn't exactly a
> password - it can expire, but the message "Password Has Expired" seems
> like it will never appear (or, if it does, it'll be confusing to a
> user).  I'm probably not going to use the 'logintime' features.  'exec'
> might be useful since I probably will use the external 'openssl' based
> 'verify' method in 'eap.conf' (unless someone can suggest a better
> approach).

  So... delete the things you're not using.  That's why there are
comments explaining what those modules do.  So you can learn, and think
for yourself.

> Even when 'default' was the only thing in 'sites-enabled', it loaded a
> bunch of stuff other than EAP-TLS.  I currently have nothing in
> 'sites-enabled' right now, but would like insight into what the
> configuration file should be to just do EAP-TLS.

  Read raddb/sites-enabled/default.

  Honestly, there is a *lot* of documentation on this included with the
config files.  I see no reason to cut & paste it here.  Instead, you
should find the time to read it.

> What do I need to do to set up FreeRADIUS so that it only supports
> EAP-TLS?

  Configure only EAP, and EAP-TLS.

>  Some of the stuff in 'eap.conf' is confusing.  I've commented
> out 'md5', 'leap', 'mschapv2', etc. with only the 'tls' section left
> uncommented and set 'default_eap_type = tls', but I'm not sure if that
> is all I need to do.  Documentation on setting up an "EAP-TLS only"
> RADIUS server is limited.

  Nonsense.  I don't mean that there's lots of documentation on setting
up your exact desired configuration.  I mean it's nonsense to *expect*
that there will be lots of documentation on setting up your exact
desired configuration.

> What is the best method of setting it up so that only the router can
> communicate with the RADIUS server on port 1812?

  Firewalls.  Then, making sure that the server is only listening on
port 1812.

  Most of these questions are "The server does A and B, but I only want
it to do A.  What do I do?"  And the answer is "edit the config files so
that it doesn't do B".

 You're looking for reassurance that editing the config files won't
cause the server to explode in flaming metal.  It won't.  Edit them.

  Alan DeKok.
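Alan's answer ("Configure only EAP, and EAP-TLS", plus firewalls and a single listening port) in file form. This is an added example written for this page, not the eap.conf shipped with FreeRADIUS: a 2.x-syntax eap.conf reduced to the tls sub-section, followed by the matching listen block for radiusd.conf. The certificate file names, the private key password and the listen address are placeholders to replace; the keyword names are the ones the 2.x default configuration uses.

```conf
#  Added example: /etc/freeradius/eap.conf reduced to EAP-TLS only
#  (FreeRADIUS 2.x syntax).  Paths, the key password and the address in
#  the listen block below are placeholders.
eap {
	#  Every EAP conversation is steered to TLS.  No other sub-section
	#  exists, so a client that NAKs and asks for MD5, LEAP or MSCHAPv2
	#  gets "NAK asked for bad type" and an Access-Reject, not a fallback.
	default_eap_type = tls
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = 4096

	tls {
		certdir = ${confdir}/certs
		cadir = ${confdir}/certs
		#  placeholder: the passphrase of server.pem
		private_key_password = CHANGE-ME
		private_key_file = ${certdir}/server.pem
		certificate_file = ${certdir}/server.pem

		#  Only client certificates chaining to this CA are accepted;
		#  never point this at a public CA bundle.
		CA_file = ${cadir}/ca.pem
		CA_path = ${cadir}
		dh_file = ${certdir}/dh
		random_file = /dev/urandom
		fragment_size = 1024
		include_length = yes

		#  Revocation: switch to yes once CRLs are in CA_path (c_rehash'd).
		check_crl = no
		cipher_list = "DEFAULT"

		#  Resumption off: every reauthentication is a full handshake,
		#  so the client certificate is re-checked each time.
		cache {
			enable = no
			lifetime = 24
			max_entries = 255
		}

		#  The external 'verify' hook from the thread: openssl re-validates
		#  the presented client certificate against CA_path.
		verify {
			tmpdir = /tmp/radiusd
			client = "/usr/bin/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
		}
	}
}

#  radiusd.conf: replace the default listen sections with one that binds
#  authentication only, on the interface the router reaches.
listen {
	type = auth
	#  placeholder: the server's router-facing address
	ipaddr = 192.0.2.10
	port = 1812
}
```

The eap module still has to be called from the virtual server: in sites-enabled/default the authorize section needs `eap { ok = return }` and the authenticate section needs `eap`; the other module calls in those sections can go. Afterwards `freeradius -X` should show rlm_eap_tls as the only EAP sub-module linked and a single auth listener, and clients.conf should list the router (with its own secret) rather than the testing localhost entry.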


Setting up EAP-TLS as the ONLY authentication mechanism?

2013-03-23 Thread Thomas Hruska
I want to set up FreeRADIUS using EAP-TLS only.  I'm running Ubuntu 
Server 12.04.2 LTS here with the packaged build of FreeRADIUS from the 
default Ubuntu/Debian apt-get package repository.  I'm finding junk 
scattered all over the place for configuring this thing (typical), so my 
first objective is to get FreeRADIUS into a locked-down state so that 
'freeradius -X' doesn't return things that bother me (i.e. pared back to 
minimal functionality first).


Since I only want EAP-TLS, output lines like the following bother me 
(I've inlined my concerns):


FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Sep 24 
2012 at 17:58:57

Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
...
including configuration file /etc/freeradius/modules/pam
...
including configuration file /etc/freeradius/modules/chap
...

^^^
Does FreeRADIUS really need to load all of those config files to 
function?  That is, does it hurt in any way to load all of the module 
config files?  From what I can tell, they don't seem to be relevant 
until they are instantiated later on, but I would appreciate confirmation.



radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }

^
What does this do?  I don't think I need a proxy server.  My setup is 
just a consumer router plus a single Ubuntu box with FreeRADIUS on it.



 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
 }
 home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
 }
 realm example.com {
auth_pool = my_auth_failover
 }
 realm LOCAL {
 }

^
All of this seems to be in proxy.conf.  It doesn't look like I need any 
of it but I'm not sure if it is safe to get rid of it/comment it out. 
Again, this will be the only RADIUS server in the network and my 
understanding is that proxies are for forwarding requests to other 
RADIUS servers.  Given my setup, can I safely comment out the '$INCLUDE 
proxy.conf' line in 'radiusd.conf'?



radiusd:  Loading Clients 
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
 }

^
Not sure why I would need this either.  Based on the 'secret' string's 
value, I'm wagering it has to do with the 'proxy.conf' settings, but I'm 
not 100% confident about that.



radiusd:  Instantiating modules 
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
  exec {
wait = no
input_pairs = "request"
shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
 Module: Linked to module rlm_expiration
 Module: Instantiating module "expiration" from file 
/etc/freeradius/modules/expiration

  expiration {
reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating module "logintime" from file 
/etc/freeradius/modules/logintime

  logintime {
reply-message = "You are calling outside your allowed timespan  "
minimum-timeout = 60
  }
 }

^^
Most of that seems irrelevant to EAP-TLS.  A certificate isn't exactly a 
password - it can expire, but the message "Password Has Expired" seems 
like it will never appear (or, if it does, it'll be confusing to a 
user).  I'm probably not going to use the 'logintime' features.  'exec' 
might be useful since I probably will use the external 'openssl' based 
'verify' method in 'eap.conf' (unless someone can suggest a better 
approach).



radiusd:  Loading Virtual Servers 
...

^^
Even when 'default' was the only thing in 'sites-enabled', it loaded a 
bunch of stuff other than EAP-TLS.  I currently have nothing i

Re: EAP-TLS testing, occasional errors

2013-03-07 Thread Phil Mayers

On 07/03/13 16:01, Bertalan Voros wrote:


> Has anyone seen this before?


I see all kinds of weirdness from clients.

Fundamentally, the problem is at the client - it didn't send a 
certificate - so you need to troubleshoot it there.



EAP-TLS testing, occasional errors

2013-03-07 Thread Bertalan Voros
Hello All,

I have configured a server to test EAP-TLS.

Created the CA, a server and one client certificate.
The same client certificate was then installed on three different devices;
OSX, Windows 7 and an Android 4.2.

All is well, all the devices can authenticate successfully, however, every
now and again I can see similar entries in the log like the one below.

A failure.
Thu Mar  7 14:30:57 2013 : Error: TLS Alert write:fatal:handshake failure
Thu Mar  7 14:30:57 2013 : Error: TLS_accept: error in SSLv3 read
client certificate B
Thu Mar  7 14:30:57 2013 : Error: rlm_eap: SSL error error:140890C7:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
Thu Mar  7 14:30:57 2013 : Error: SSL: SSL_read failed in a system call
(-1), TLS session fails.
Thu Mar  7 14:30:57 2013 : Auth: Login incorrect (TLS Alert
write:fatal:handshake failure): [wifiuser] (from client CiscoAP port 289
cli 10-68-3F-48-41-46)

Then a success soon after from the same device (this is the Android one)
Thu Mar  7 14:32:10 2013 : Auth: Login OK: [wifiuser] (from client CiscoAP
port 291 cli 10-68-3F-48-41-46)

Very occasionally the Android device would give up and not attempt to
reauthenticate.

The AP is set to reauthenticate clients every 10 minutes. (a rickety old
Cisco Aironet 1200).

Has anyone seen this before?

Thanks in advance,
Bertalan
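Bertalan's log as input to a small triage script. This is an added example written for this page, not code from the poster or from FreeRADIUS: it parses the `Auth: Login OK` and `Login incorrect (...)` lines of radius.log, groups outcomes by Calling-Station-Id (the `cli` MAC), and flags devices that flap between failure and success and devices whose latest outcome is a failure. The sample log is constructed from the lines quoted in the post (re-joined where the mail wrapped them) plus one made-up station; the regex is written for the 2.x log format the post shows.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log.  The first six lines are the ones quoted in the
# post (re-joined where the mail wrapped them); the last line is an added
# station that fails once and never comes back.
SAMPLE_LOG = """\
Thu Mar  7 14:30:57 2013 : Error: TLS Alert write:fatal:handshake failure
Thu Mar  7 14:30:57 2013 : Error: TLS_accept: error in SSLv3 read client certificate B
Thu Mar  7 14:30:57 2013 : Error: rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
Thu Mar  7 14:30:57 2013 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
Thu Mar  7 14:30:57 2013 : Auth: Login incorrect (TLS Alert write:fatal:handshake failure): [wifiuser] (from client CiscoAP port 289 cli 10-68-3F-48-41-46)
Thu Mar  7 14:32:10 2013 : Auth: Login OK: [wifiuser] (from client CiscoAP port 291 cli 10-68-3F-48-41-46)
Thu Mar  7 14:40:03 2013 : Auth: Login incorrect (TLS Alert write:fatal:handshake failure): [wifiuser] (from client CiscoAP port 292 cli AA-BB-CC-DD-EE-FF)
"""

# Only the "Auth:" lines record an outcome; the "Error:" lines before them
# are the TLS-layer detail of the same handshake.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) : Auth: "
    r"Login (?P<result>OK|incorrect)(?: \((?P<reason>[^)]*)\))?: "
    r"\[(?P<user>[^\]]*)\] \(from client (?P<nas>\S+) port (?P<port>\d+) "
    r"cli (?P<cli>\S+)\)$"
)

TS_FORMAT = "%a %b %d %H:%M:%S %Y"  # strptime tolerates the space-padded day


def parse_auth_events(log_text):
    """Extract authentication outcomes from FreeRADIUS radius.log text."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m["ts"], TS_FORMAT),
            "ok": m["result"] == "OK",
            "reason": m["reason"] or "",
            "user": m["user"],
            "nas": m["nas"],
            "cli": m["cli"],  # Calling-Station-Id, i.e. the client MAC
        })
    return events


def summarize_by_station(events):
    """Per client MAC: counts, failure reasons, and flapping / gave-up flags."""
    per = defaultdict(lambda: {"ok": 0, "fail": 0, "last_ok": None,
                               "last_fail": None, "reasons": set()})
    for e in sorted(events, key=lambda e: e["time"]):
        s = per[e["cli"]]
        if e["ok"]:
            s["ok"] += 1
            s["last_ok"] = e["time"]
        else:
            s["fail"] += 1
            s["last_fail"] = e["time"]
            s["reasons"].add(e["reason"])
    for s in per.values():
        # Flapping: the same device both failed and succeeded.
        s["flapping"] = s["ok"] > 0 and s["fail"] > 0
        # Gave up: the most recent outcome for the device is a failure.
        s["gave_up"] = s["fail"] > 0 and (
            s["last_ok"] is None or s["last_fail"] > s["last_ok"])
    return dict(per)


def report(log_text):
    """One human-readable line per station for an operator to scan."""
    lines = []
    summary = summarize_by_station(parse_auth_events(log_text))
    for cli, s in sorted(summary.items()):
        state = "GAVE UP" if s["gave_up"] else ("flapping" if s["flapping"] else "ok")
        lines.append(f"{cli}: ok={s['ok']} fail={s['fail']} {state} "
                     f"reasons={sorted(s['reasons'])}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The failure reason is taken from the `Login incorrect (...)` line itself, so the preceding TLS error lines are not needed for the summary. Stations that show up as GAVE UP are the ones to look at on the client side, which is where Phil's reply puts the problem.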

Re: EAP-TLS and OS X clients

2013-02-20 Thread Jaap Winius

Quoting a.l.m.bu...@lboro.ac.uk:


> you might want to look into 'eduroam CAT' tool - ask your NREN
> federation/eduroam people about it.


Thanks very much! I'll look into it.


> who are your instructions aimed at? I worry a great deal about them
> because you aren't telling them to install/verify a CA or a RADIUS server
> for the connection (thus basically negating the whole point of PKI!)
> and the site might use EAP-FAST (some places actually do more than
> just EAP-TTLS).  also, end users don't need to run this tool! you
> (the admin) do all the hard work of configuring the profile and
> then just provide the end user/customer the *SIGNED* mobileconfig file


Oh, hey, I thought I was just sharing this information with a bunch of  
lazy sysadmins, some of whom might be interested to know how I  
eventually managed to connect OS X 10.7 (Lion) hosts to my wifi network.


As I mentioned in my previous post, I did not author those  
instructions. I'm also not in the habit of re-posting information  
written by others, but although they may not be perfect, I thought  
they were helpful and then suddenly became worried that Apple might  
make them disappear at one point or another (it wasn't exactly easy  
information to find).


Moreover, I explained that I was using a WPA2-Enterprise configuration  
with Freeradius 2.1.0, EAP-TLS and 4096-bit SHA-1 in my first post in  
this thread on Sunday 17 Feb.


Cheers,

Jaap


Re: EAP-TLS and OS X clients

2013-02-20 Thread A . L . M . Buxey
Hi,

> Eventually, though, it turned out that the most important issue was
> with OS X 10.7 (Lion). With this particular version of Apple's OS,

yes, I know. Apple suck for doing this.  I manage campus network at
Loughborough university and eduroam federation in the UK
and so am well aware of OSX and their idea of making OSX have the
same .mobileconfig method as iOS.

you might want to look into 'eduroam CAT' tool - ask your NREN
federation/eduroam people about it.


who are your instructions aimed at? I worry a great deal about them
because you aren't telling them to install/verify a CA or a RADIUS server
for the connection (thus basically negating the whole point of PKI!)
and the site might use EAP-FAST (some places actually do more than
just EAP-TTLS).  also, end users don't need to run this tool! you
(the admin) do all the hard work of configuring the profile and
then just provide the end user/customer the *SIGNED* mobileconfig file

alan



Re: EAP-TLS and OS X clients

2013-02-20 Thread Jaap Winius

Quoting a.l.m.bu...@lboro.ac.uk:


> SSL certs can be in various formats. Ones that are 'usable'
> depends on the underlying code, but the useful types are
> usually PEM, DER (also known as CER) and P12... these are
> all active certs. CSR is a certificate signing request file
> and isn't a valid cert for client use. ... On OSX you need
> to ensure you have the CA installed - and TRUSTED!"


Thanks, Alan. That straightened some things out for me.

Eventually, though, it turned out that the most important issue was  
with OS X 10.7 (Lion). With this particular version of Apple's OS, the  
facility for adding enterprise network configurations is not as  
flexible as it once was. Now, if something different is required, a  
special (free) tool must first be obtained -- the iPhone Configuration  
Utility -- with which to create an XML profile that can then be  
applied. Not exactly what I was expecting, but that's the way it is.  
For anyone who might be interested, here's the set of instructions  
that I used:




If your school uses TTLS with PAP (LDAP backend) then yah, the auto  
connection with ethernet will not help you. That is because the  
default EAP type that is supported is TTLS MSCHAPv2 (which is a bit  
more secure than PAP --ya ya, I know it is not fool proof).


Anyway, all is not lost.

You have three choices on how to get an 802.1X profile that supports  
TTLS with PAP onto your Mac.

1. Download iPCU and create a .mobileconfig file
2. Buy Lion server and use Profile Manager
3. Create a .mobileconfig (xml file) from scratch

Options 2 and 3 are kind of a pain in the rear, so let's stick with option 1.

Please put on your learning hat now

**Please note this example is for a wired OR wireless 802.1X  
connection that requires TTLS and PAP for Lion clients**


1. Download and install the iPCU: http://support.apple.com/kb/DL851
2. Open the iPCU (the iPCU is installed in Applications - Utilities)
3. In the right hand side click on Configuration Profiles.
4. Click on New. (upper left)
5. You will see a new profile with a bunch of payloads (general,  
passcode, restrictions, etc). Don't worry you do not need to fill most  
of these out.
6. Click on General and fill out a Profile Name, Identifier (they can  
be anything) the rest of the fields you can leave blank. I used spam  
and spam.
7. Now click on WiFi. Don't be scared here. Lion can use WiFi profiles  
for Ethernet (it will just ignore the SSID field). Click configure.
7a. For SSID ..If your school has a wireless network that uses TTLS  
with PAP, fill in the SSID name (wireless network name) that your  
school uses. If your school does not use wireless, then just use a  
label (e.g. spam).
7b. Ignore the hidden network field (unless of course your school uses  
a hidden SSID and you want to use wireless for this connection).
7c. Security Type ..Again if this is for Ethernet, just use WPA/WPA2  
Enterprise. If this profile is going to be used for WiFi, then you  
need to find out what type of security your school uses. Most likely  
it will be WPA/WPA2 Enterprise (I hope).
7d. Once you choose WPA/WPA2 Enterprise you will see more options  
appear. Choose TTLS.

7e. Ignore EAP-FAST settings. Leave all boxes unchecked for EAP-FAST.
7f. For Inner Authentication choose PAP.
8. You will see three tabs, one for protocol (that you already filled  
out), one for Authentication and one for Trust. You can ignore trust  
unless you have the certificate from the radius server already loaded  
on your client. Don't worry if you do not have the cert, the Mac will  
load it (with your permission) during the first authentication. Ignore  
the Authentication tab for now.

9. Now look at the top left of the tool and choose Export
9a. for Security, just choose none (don't worry about signing it)
9b. Hit Export.
10. You will get a Save As dialogue box. Give the profile a name (like  
spam  or something) and choose where you would like to save the profile.
11. Now go to where you saved your profile and double click it. System  
Prefs will launch and try to install the profile.

11a. Just hit continue and continue again.
11b. You will be prompted for "settings" which are the username and  
password. You can either just hit install (the eapol supplicant will  
ask you for your credentials during the authentication phase) or you  
can fill them out now. BE SURE TO INPUT THE CORRECT INFORMATION.  
If you insert a bad username or password into this field, it will get  
saved as a keychain entry (with bad info) and you will never be able  
to connect. The Mac will just silently fail authentication until you  
delete the keychain entry and do a fresh auth. Save yourself some  
trouble and leave the fields blank and just hit install.

11c. You will be prompted for your admin password to install the profile.
12. The profile should be installed now.
13. In system prefs, click show all then click network.
14. If you click on your Ethernet interface you should no

Re: EAP-TLS certificate problem

2013-02-19 Thread Alan DeKok
Muhammad Nadeem wrote:
> I succeeded in authenticating the users from a database.
> But when I set up the same setup on another machine, I failed :(
> The following output is the debug output of the freeradius server. (I
> think EAP NAK,, is creating problems).

  Yes.  Read the debug output.

> [eap] EAP NAK
> [eap] NAK asked for bad type 0
> [eap] Failed in EAP select

  The client is broken.

  Don't blame FreeRADIUS.  Go fix the client.

  Alan DeKok.


Re: EAP-TLS certificate problem

2013-02-19 Thread John Dennis

On 02/19/2013 09:16 AM, Muhammad Nadeem wrote:

On 2/19/13, Phil Mayers  wrote:

On 19/02/13 09:11, Muhammad Nadeem wrote:

Hi, everybody
I have used the pre-shipped certificates of FreeRADIUS for testing
purposes. This test succeeded with a test user 'bob', with files
authentication.
Now in the next step I want to authenticate a user from my database with
digital certificates. When I authenticate the user, the server side
confirms and sends an "Access-Accept" packet, but at the client, the following
error occurs.
" No Message-Authenticator attribute found
Incoming RADIUS packet did not have correct Message-Authenticator -
dropped
STA 02:00:00:00:00:01: No RADIUS RX handler found (type=0 code=2 id=0)
- dropping packet"

I googled this problem and found a solution that the user Auth-Type is
set to Accept (I manually checked the user in the database, and its
Auth-Type was Accept) and this type prevents further processing.


Yes


Now my question is: could I continue EAP-TLS authentication
regardless of Auth-Type being set to Accept???


No. Don't set Auth-Type unless you know what you're doing.


Doesn't look like you actually heeded this advice does it? Hint, look at 
your select statement. You're setting the Auth-Type.



Ok thanx,
I succeeded in authenticating the users from a database.
But when I set up the same setup on another machine, it failed :(
The following output is the debug output of the freeradius server. (I
think EAP NAK is creating problems).
[sql]   expand: SELECT '1' AS RC_ID,'%{SQL-USER-NAME}' AS
USERNAME,'Auth-Type' AS Attribute,
AAA_GETVALUETOCHECKWITRIBE('%{SQL-User-Name}') AS Value,':=' AS op
FROM dual ORDER BY RC_ID -> SELECT '1' AS RC_ID,'001AAD3F8165' AS
USERNAME,'Auth-Type' AS Attribute,
AAA_GETVALUETOCHECKWITRIBE('001AAD3F8165') AS Value,':=' AS op FROM
dual ORDER BY RC_ID
[sql] User found in radcheck table



Found Auth-Type = Accept
Found Auth-Type = EAP
Warning:  Found 2 auth-types on request for user '001AAD3F8165'


--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
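The thread above shows the SQL query handing back an Auth-Type check item, the "Found 2 auth-types" warning, and, in Alan DeKok's reply, the EAP NAK lines. As an added example that is not part of the thread or of FreeRADIUS, here is a small Python audit that reads radiusd -X output and reports those three conditions; the sample lines are constructed after the ones quoted in the thread.

```python
"""Audit FreeRADIUS debug output (radiusd -X) for the Auth-Type mistake above.

Added example; it is not part of the thread and not FreeRADIUS code. It
scans debug lines for three things the replies point at: an SQL check-item
query that hands back Auth-Type, more than one Auth-Type found on a request,
and an EAP NAK for a bad type (which means the client, not the server, is
misconfigured). The sample lines are constructed after the ones in the thread.
"""
import re

FOUND_AUTH_TYPE = re.compile(r"^\s*Found Auth-Type = (\S+)")
MULTI_AUTH_TYPE = re.compile(r"Found (\d+) auth-types on request for user '([^']*)'")
SQL_SETS_AUTH_TYPE = re.compile(r"'Auth-Type'\s+AS\s+Attribute", re.IGNORECASE)
EAP_NAK_BAD_TYPE = re.compile(r"\[eap\] NAK asked for bad type (\d+)")

# Constructed after the debug output quoted in the thread.
SAMPLE_DEBUG = """\
[sql]   expand: SELECT '1' AS RC_ID,'%{SQL-USER-NAME}' AS USERNAME,'Auth-Type' AS Attribute, AAA_GETVALUETOCHECKWITRIBE('%{SQL-User-Name}') AS Value,':=' AS op FROM dual ORDER BY RC_ID
[sql] User found in radcheck table
++[sql] returns ok
Found Auth-Type = Accept
Found Auth-Type = EAP
Warning:  Found 2 auth-types on request for user '001AAD3F8165'
+- entering group authenticate {...}
""".splitlines()

# Constructed after the three lines Alan DeKok quotes.
SAMPLE_DEBUG_NAK = """\
[eap] EAP NAK
[eap] NAK asked for bad type 0
[eap] Failed in EAP select
""".splitlines()


def audit_debug(lines):
    """Return a dict of findings plus a one-line verdict for a radiusd -X capture."""
    report = {"auth_types": [], "user": None, "sql_sets_auth_type": False,
              "eap_nak_bad_type": None,
              "verdict": "no obvious Auth-Type or NAK problem"}
    for line in lines:
        m = FOUND_AUTH_TYPE.match(line)
        if m:
            report["auth_types"].append(m.group(1))
            continue
        m = MULTI_AUTH_TYPE.search(line)
        if m:
            report["user"] = m.group(2)
            continue
        if SQL_SETS_AUTH_TYPE.search(line):
            report["sql_sets_auth_type"] = True
            continue
        m = EAP_NAK_BAD_TYPE.search(line)
        if m:
            report["eap_nak_bad_type"] = int(m.group(1))
    # Accept plus EAP on the same request is exactly the thread's failure mode:
    # the Accept short-circuits the EAP conversation.
    if "Accept" in report["auth_types"] and "EAP" in report["auth_types"]:
        report["verdict"] = ("Auth-Type Accept from the database short-circuits EAP: "
                             "drop the Auth-Type check item from the SQL query")
    elif report["sql_sets_auth_type"]:
        report["verdict"] = ("SQL query returns an Auth-Type check item; "
                             "remove it unless you mean it")
    elif report["eap_nak_bad_type"] is not None:
        report["verdict"] = ("client NAKed the offered EAP type and proposed type "
                             f"{report['eap_nak_bad_type']}: fix the supplicant, not the server")
    return report


if __name__ == "__main__":
    print(audit_debug(SAMPLE_DEBUG)["verdict"])
    print(audit_debug(SAMPLE_DEBUG_NAK)["verdict"])
```

Feed it the whole debug capture (`audit_debug(open("radiusd.log").read().splitlines())`); the verdict ordering puts the two-Auth-Type case first because it is the one that silently accepts a user before EAP has run.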


Re: EAP-TLS certificate problem

2013-02-19 Thread Phil Mayers

On 19/02/13 14:16, Muhammad Nadeem wrote:


[eap] EAP NAK
[eap] NAK asked for bad type 0


You've mis-configured the client. Go back and look at it again.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TLS certificate problem

2013-02-19 Thread Muhammad Nadeem
On 2/19/13, Phil Mayers  wrote:
> On 19/02/13 09:11, Muhammad Nadeem wrote:
>> Hi, everybody
>> I have used the pre-shipped certificates of FreeRADIUS for testing
>> purposes. This test succeeded with a test user 'bob', with files
>> authentication.
>> Now in the next step I want to authenticate a user from my database with
>> digital certificates. When I authenticate the user, the server side
>> confirms and sends an "Access-Accept" packet, but at the client, the following
>> error occurs.
>> " No Message-Authenticator attribute found
>> Incoming RADIUS packet did not have correct Message-Authenticator -
>> dropped
>> STA 02:00:00:00:00:01: No RADIUS RX handler found (type=0 code=2 id=0)
>> - dropping packet"
>>
>> I googled this problem and found a solution that the user Auth-Type is
>> set to Accept (I manually checked the user in the database, and its
>> Auth-Type was Accept) and this type prevents further processing.
>
> Yes
>
>> Now my question is: could I continue EAP-TLS authentication
>> regardless of Auth-Type being set to Accept???
>
> No. Don't set Auth-Type unless you know what you're doing.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
Ok thanx,
I succeeded in authenticating the users from a database.
But when I set up the same setup on another machine, it failed :(
The following output is the debug output of the freeradius server. (I
think EAP NAK is creating problems).
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.112 port 35397,
id=0, length=132
User-Name = "001AAD3F8165"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x021101303031414144334638313635
Message-Authenticator = 0xebcf3f94a32bf89eaabf4be3b2ce493b
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "001AAD3F8165", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 17
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[eap] EAP packet type response id 0 length 17
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql]   expand: %{User-Name} -> 001AAD3F8165
[sql] sql_set_user escaped user --> '001AAD3F8165'
rlm_sql (sql): Reserving sql socket id: 9
[sql]   expand: SELECT '1' AS RC_ID,'%{SQL-USER-NAME}' AS
USERNAME,'Auth-Type' AS Attribute,
AAA_GETVALUETOCHECKWITRIBE('%{SQL-User-Name}') AS Value,':=' AS op
FROM dual ORDER BY RC_ID -> SELECT '1' AS RC_ID,'001AAD3F8165' AS
USERNAME,'Auth-Type' AS Attribute,
AAA_GETVALUETOCHECKWITRIBE('001AAD3F8165') AS Value,':=' AS op FROM
dual ORDER BY RC_ID
[sql] User found in radcheck table
[sql]   expand: select rownum, '%{SQL-USER-NAME}', RR_ATTRIBUTE,
RR_VALUE, RR_OP FROM AAA_TBLRADREPLY where PI_PROFILEID in (SELECT
PI_PROFILEID FROM SM_TBLSUBSIDENTIFICATIONS WHERE SI_IDENTIFICATION =
upper(replace('%{SQL-USER-NAME}',':','')) ) AND NE_ELEMENTID in
(SELECT NE_ELEMENTID FROM NC_TBLNEACESSCONF WHERE NEAC_IPADDRESS =
'%{NAS-IP-Address}') -> select rownum, '001AAD3F8165', RR_ATTRIBUTE,
RR_VALUE, RR_OP FROM AAA_TBLRADREPLY where PI_PROFILEID in (SELECT
PI_PROFILEID FROM SM_TBLSUBSIDENTIFICATIONS WHERE SI_IDENTIFICATION =
upper(replace('001AAD3F8165',':','')) ) AND NE_ELEMENTID in (SELECT
NE_ELEMENTID FROM NC_TBLNEACESSCONF WHERE NEAC_IPADDRESS =
'127.0.0.1')
rlm_sql (sql): Released sql socket id: 9
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = Accept
Found Auth-Type = EAP
Warning:  Found 2 auth-types on request for user '001AAD3F8165'
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.0.112 port 35397
Qos-Policing-Profile-Name := "128K_UL"
Qos-Metering-Profile-Name := "512K_DL"
Context-Name := "Postpaid-VR"
DHCP-Max-Leases := 1
Forward-Policy := "in:nonpayment_redirect_post"
HTTP

Re: EAP-TLS certificate problem

2013-02-19 Thread Phil Mayers

On 19/02/13 09:11, Muhammad Nadeem wrote:

Hi, everybody
I have used the pre-shipped certificates of FreeRADIUS for testing
purposes. This test succeeded with a test user 'bob', with files
authentication.
Now in the next step I want to authenticate a user from my database with
digital certificates. When I authenticate the user, the server side
confirms and sends an "Access-Accept" packet, but at the client, the following
error occurs.
" No Message-Authenticator attribute found
Incoming RADIUS packet did not have correct Message-Authenticator - dropped
STA 02:00:00:00:00:01: No RADIUS RX handler found (type=0 code=2 id=0)
- dropping packet"

I googled this problem and found a solution that the user Auth-Type is
set to Accept (I manually checked the user in the database, and its
Auth-Type was Accept) and this type prevents further processing.


Yes


Now my question is: could I continue EAP-TLS authentication
regardless of Auth-Type being set to Accept???


No. Don't set Auth-Type unless you know what you're doing.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TLS problem

2013-02-18 Thread Phil Mayers

On 18/02/13 10:57, Muhammad Nadeem wrote:


ca_cert="/usr/local/etc/raddb/certs/ca.pem"
client_cert="/usr/local/etc/raddb/certs/client.pem"
private_kry="/usr/local/etc/raddb/certs/server.key"


^^^ typo - should be "client.key"

This is basic stuff; please read the docs for wpa_supplicant/eapol_test 
more carefully, and your own configs, before posting questions, 
particularly as others have pointed out, this is not the eapol_test 
support list...

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TLS problem

2013-02-18 Thread A . L . M . Buxey
Hi,

> > (but this mailing list isn't a support forum for either of those tools!)


I guess you don't read what I post...which means I'm not likely to answer you.

alan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TLS problem

2013-02-18 Thread Muhammad Nadeem
On 2/18/13, a.l.m.bu...@lboro.ac.uk  wrote:
> Hi,
>
>> Thankfully, this isn't correct. You can use "eapol_test" which comes
>> with the "wpa_supplicant" source to test pretty much every EAP type
>> there is, including EAP-TLS.
>>
>> To the OP - download wpa_supplicant sources and build eapol_test.
>
> eapol_test is VERY powerful...and there are even little test scripts
> provided in the FreeRADIUS source
>
> however, if you want a clicky GUI then also look at JRadius Simulator:
>
> http://www.coova.org/JRadius/Simulator
>
> (but this mailing list isn't a support forum for either of those tools!)
>
> alan
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
thanx A.L.M,,, but actually I am not aware of what to send in an
EAP-TLS request.
I have followed the README in /raddb/certs/ and made the CA, client
and server certificates.
Now I send a request to the server with eapol_test, with the following parameters:
network={
eap=TLS
eapol_flags=0
key_mgmt=IEEE8021X
identity="bob"
ca_cert="/usr/local/etc/raddb/certs/ca.pem"
client_cert="/usr/local/etc/raddb/certs/client.pem"
private_kry="/usr/local/etc/raddb/certs/server.key"
private_key_passwd="whatever"
}

but this request gives me a FAILURE response.
I have googled a lot to find the appropriate answer (what needs to be
sent in the client request, etc.).
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
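Phil Mayers's reply further up flags the private key path in this block. As an added example (mine, not part of the thread or of wpa_supplicant), the Python below lints a network block the way one would before running eapol_test: it checks option names against a constructed subset of the real wpa_supplicant options, checks that EAP-TLS has its three file options, and flags a private_key that looks like the server's key. The sample block is constructed after the one posted above.

```python
"""Lint an eapol_test / wpa_supplicant network block before testing EAP-TLS.

Added example, not from the thread and not part of wpa_supplicant: it
catches the two mistakes in the block posted above (a misspelled option name
that eapol_test will not recognise, and a private_key pointing at the
server's key rather than the one matching client_cert). KNOWN_OPTIONS is a
constructed subset of the real network-block options, not the full list.
"""
import re

# Constructed subset of wpa_supplicant network-block option names.
KNOWN_OPTIONS = {
    "ssid", "eap", "eapol_flags", "key_mgmt", "identity", "anonymous_identity",
    "password", "ca_cert", "client_cert", "private_key", "private_key_passwd",
    "phase1", "phase2", "subject_match", "domain_suffix_match",
}

# Constructed after the block posted above, keeping its wrong option name
# and the server-key path.
POSTED_CONFIG = """
network={
eap=TLS
eapol_flags=0
key_mgmt=IEEE8021X
identity="bob"
ca_cert="/usr/local/etc/raddb/certs/ca.pem"
client_cert="/usr/local/etc/raddb/certs/client.pem"
private_kry="/usr/local/etc/raddb/certs/server.key"
private_key_passwd="whatever"
}
"""

# The same block with both mistakes fixed (constructed).
CORRECTED_CONFIG = POSTED_CONFIG.replace(
    'private_kry="/usr/local/etc/raddb/certs/server.key"',
    'private_key="/usr/local/etc/raddb/certs/client.key"')

# First "name={ ... }" block; the closing brace must start a line.
BLOCK_RE = re.compile(r"^\s*(\w+)\s*=\s*\{(.*?)^\s*\}", re.S | re.M)


def parse_network_block(text):
    """Return (block_name, {option: value}) for the first name={...} block."""
    m = BLOCK_RE.search(text)
    if not m:
        raise ValueError("no network={...} block found")
    opts = {}
    for line in m.group(2).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip().strip('"')
    return m.group(1), opts


def lint_network_block(text):
    """Return a list of findings; an empty list means the block looks sane."""
    findings = []
    name, opts = parse_network_block(text)
    if name != "network":
        findings.append(f"block is named '{name}'; eapol_test expects 'network'")
    for key in opts:
        if key not in KNOWN_OPTIONS:
            findings.append(f"unknown option '{key}' (typo?)")
    if opts.get("eap", "").upper() == "TLS":
        for required in ("ca_cert", "client_cert", "private_key"):
            if required not in opts:
                findings.append(f"EAP-TLS needs '{required}'")
    # A supplicant must present the key that matches client_cert; a file
    # named after the server is almost certainly the wrong one.
    key_file = opts.get("private_key", "").rsplit("/", 1)[-1]
    if "server" in key_file:
        findings.append(f"private_key '{key_file}' looks like the server key; "
                        "a supplicant needs the key matching client_cert")
    return findings


if __name__ == "__main__":
    for finding in lint_network_block(POSTED_CONFIG):
        print("posted config:", finding)
    print("corrected config:", lint_network_block(CORRECTED_CONFIG) or "ok")
```

The name check is a heuristic; the authoritative test is still that the key and client_cert belong together, which `openssl` can confirm by comparing their public keys.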


Re: EAP-TLS problem

2013-02-18 Thread Muhammad Nadeem
On 2/18/13, Phil Mayers  wrote:
> On 02/18/2013 06:31 AM, Tobias Hachmer wrote:
>> Hello Muhammad,
>>
>> On 18.02.2013 07:17, Muhammad Nadeem wrote:
>>> Now I want to practically test EAP-TLS with freeradius on REDHAT 5. I
>>> have configured eap.conf to use EAP-TLS. But I don't know how to
>>> send requests to the freeradius server, so that it can authenticate the
>>> user using TLS (with a digital certificate).
>>> Can anyone help me, thanks in advance..
>>
>> You will need a RADIUS Client, e.g.
>>- wireless access point
>>- lan switch
>>
>> which acts as the RADIUS Client (Authenticator in 802.1X terminology).
>> Both have to support 802.1X and RADIUS.
>> Without one you won't be able to test EAP-TLS. I am not aware of a simulator
>> client program.
>
> Thankfully, this isn't correct. You can use "eapol_test" which comes
> with the "wpa_supplicant" source to test pretty much every EAP type
> there is, including EAP-TLS.
>
> To the OP - download wpa_supplicant sources and build eapol_test.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

thanks Phil, eapol_test is really working. thanks a lot
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TLS problem

2013-02-18 Thread A . L . M . Buxey
Hi,

> Thankfully, this isn't correct. You can use "eapol_test" which comes
> with the "wpa_supplicant" source to test pretty much every EAP type
> there is, including EAP-TLS.
> 
> To the OP - download wpa_supplicant sources and build eapol_test.

eapol_test is VERY powerful...and there are even little test scripts provided
in the FreeRADIUS source 

however, if you want a clicky GUI then also look at JRadius Simulator:

http://www.coova.org/JRadius/Simulator

(but this mailing list isn't a support forum for either of those tools!)

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TLS problem

2013-02-18 Thread Phil Mayers

On 02/18/2013 06:31 AM, Tobias Hachmer wrote:

Hello Muhammad,

On 18.02.2013 07:17, Muhammad Nadeem wrote:

Now I want to practically test EAP-TLS with freeradius on REDHAT 5. I
have configured eap.conf to use EAP-TLS. But I don't know how to
send requests to the freeradius server, so that it can authenticate the
user using TLS (with a digital certificate).
Can anyone help me, thanks in advance..


You will need a RADIUS Client, e.g.
   - wireless access point
   - lan switch

which acts as the RADIUS Client (Authenticator in 802.1X terminology).
Both have to support 802.1X and RADIUS.
Without one you won't be able to test EAP-TLS. I am not aware of a simulator
client program.


Thankfully, this isn't correct. You can use "eapol_test" which comes 
with the "wpa_supplicant" source to test pretty much every EAP type 
there is, including EAP-TLS.


To the OP - download wpa_supplicant sources and build eapol_test.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TLS problem

2013-02-17 Thread Tobias Hachmer

Hello Muhammad,

On 18.02.2013 07:17, Muhammad Nadeem wrote:

Now I want to practically test EAP-TLS with freeradius on REDHAT 5. I
have configured eap.conf to use EAP-TLS. But I don't know how to
send requests to the freeradius server, so that it can authenticate the
user using TLS (with a digital certificate).
Can anyone help me, thanks in advance..


You will need a RADIUS Client, e.g.
  - wireless access point
  - lan switch

which acts as the RADIUS Client (Authenticator in 802.1X terminology). 
Both have to support 802.1X and RADIUS.
Without one you won't be able to test EAP-TLS. I am not aware of a 
simulator client program.


Regards,
Tobias
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TLS and OS X clients

2013-02-17 Thread A . L . M . Buxey
Hi,

> https://wiki.thayer.dartmouth.edu/display/computing/Configuring+an+OS+X+Mac+for+the+Dartmouth+Secure+Wireless+Network
> 
> In this example, the users are given a personalized *.cer
> certificate to add to their keychain. Since I don't have any
> client.cer files, I tried this approach with a client.csr file
> instead, which seemed personalized enough, but still I run into the
> same roadblock.
> 
> Can anyone say what I should be doing differently? E.g. are *.cer
> certificates mandatory (if so, how can I make them?), or can I not
> use my self-signed certificates?

right...SSL certs can be in various formats.  Ones that are 'usable' depend
on the underlying code...but the useful types are usually PEM, DER (also known as
CER) and P12...these are all active certs

CSR is a certificate signing request file and isn't a valid cert for client use.


if you have one type you can easily convert it to any of the other formats
using 'openssl' on the command line of a Linux or OSX system - the command format
isn't trivial...but it's fairly obvious, the man pages cover it and there are MANY
web pages out there telling you how to do it.

under Linux, most of the network admin tools for WPA2/WPA enterprise are fairly limited
and fussy about certificates, how and where they are installed...on OSX you need to ensure
you have the CA installed - and TRUSTED!

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
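To make Alan Buxey's format points concrete, here is an added example, not from the thread, that tells PEM, DER/CER, PKCS#12 and CSR files apart and converts PEM to DER and back using the standard library only. The sample bytes are a constructed minimal ASN.1 SEQUENCE, not a real certificate, so it runs offline; in practice you would run it over the files you are about to import into the keychain.

```python
"""Tell PEM, DER/CER, PKCS#12 and CSR files apart, and convert PEM <-> DER.

Added example, not from the thread: it backs up the format points made
above with standard-library code only. PEM is base64 DER between BEGIN/END
lines, DER (CER) is the raw ASN.1 bytes, PKCS#12 is a binary bundle, and a
CSR is a signing request, not a certificate. The sample bytes are a
constructed minimal ASN.1 SEQUENCE standing in for a real certificate.
"""
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def _der_length(data, pos):
    """Decode the DER length at data[pos]; return (length, bytes_used)."""
    first = data[pos]
    if first < 0x80:
        return first, 1
    n = first & 0x7F
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), 1 + n


def _looks_like_pkcs12(data):
    """PKCS#12 is SEQUENCE { INTEGER 3, ... }; a DER certificate instead starts
    SEQUENCE { SEQUENCE (tbsCertificate) ... }, so the first element separates them."""
    if len(data) < 5 or data[0] != 0x30:
        return False
    _, used = _der_length(data, 1)
    return data[1 + used:1 + used + 3] == b"\x02\x01\x03"


def identify(data):
    """Classify raw file bytes as a PEM label, CSR, DER, PKCS#12 or unknown."""
    m = PEM_RE.search(data)
    if m:
        label = m.group(1).decode()
        if label.endswith("CERTIFICATE REQUEST"):
            return "PEM CSR (signing request, not usable as a client cert)"
        return f"PEM {label}"
    if data[:1] == b"\x30":
        return "PKCS#12" if _looks_like_pkcs12(data) else "DER (also called CER)"
    return "unknown"


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the body."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("not PEM")
    return base64.b64decode(b"".join(m.group(2).split()))


def der_to_pem(der, label="CERTIFICATE"):
    """Wrap DER bytes in PEM armour with 64-column base64 lines."""
    body = base64.b64encode(der)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return (f"-----BEGIN {label}-----\n".encode() + b"\n".join(lines)
            + f"\n-----END {label}-----\n".encode())


# Constructed stand-ins, not real credentials:
SAMPLE_DER = bytes.fromhex("3005" "3003" "020102")   # SEQUENCE { SEQUENCE { INTEGER 2 } }
SAMPLE_P12 = bytes.fromhex("3005" "020103" "3000")   # SEQUENCE { INTEGER 3, SEQUENCE {} }
SAMPLE_PEM = der_to_pem(SAMPLE_DER)
SAMPLE_CSR = der_to_pem(SAMPLE_DER, "CERTIFICATE REQUEST")

if __name__ == "__main__":
    for name, blob in [("pem", SAMPLE_PEM), ("csr", SAMPLE_CSR),
                       ("der", SAMPLE_DER), ("p12", SAMPLE_P12)]:
        print(name, "->", identify(blob))
```

The classifier only inspects structure, so it cannot tell a valid certificate from any other DER SEQUENCE; it answers the question the thread keeps circling back to, which is whether the file in hand is a certificate at all rather than a request.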


Re: EAP-TLS and OS X clients

2013-02-17 Thread Alan DeKok
Jaap Winius wrote:
> Can anyone say what I should be doing differently? E.g. are *.cer
> certificates mandatory (if so, how can I make them?), or can I not use
> my self-signed certificates?

  I always use pem or crt files, not *.cer.  It works on my Mac.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


EAP-TLS and OS X clients

2013-02-17 Thread Jaap Winius

Hi folks,

My WPA2-Enterprise configuration with Freeradius 2.1.0, EAP-TLS and  
4096-bit SHA-1 certificates works great with wpa_supplicant on Linux,  
but can anyone help me understand how to get this to work for OS X  
(Lion) clients?


My Linux client uses a copy of the ca.pem file to establish the link  
(after which PAP is used to authenticate), but although the same  
ca.pem file can be imported into the OS X client's keychain, this  
certificate never shows up as a selectable identity when configuring  
EAP-TLS wireless access, like in this case (bottom of the page):


https://wiki.thayer.dartmouth.edu/display/computing/Configuring+an+OS+X+Mac+for+the+Dartmouth+Secure+Wireless+Network

In this example, the users are given a personalized *.cer certificate  
to add to their keychain. Since I don't have any client.cer files, I  
tried this approach with a client.csr file instead, which seemed  
personalized enough, but still I run into the same roadblock.


Can anyone say what I should be doing differently? E.g. are *.cer  
certificates mandatory (if so, how can I make them?), or can I not use  
my self-signed certificates?


Thanks,

Jaap
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP TLS client

2013-02-15 Thread A . L . M . Buxey
Hi,

> official website.
> But I have a problem: when I want to "make eapol_test" it gives the
> following error.
> /usr/bin/ld: cannot find -lnl
> collect2: ld returned 1 exit status
> make: *** [eapol_test] Error 1
> Any idea about this error?

compilation error due to missing libraries.  however, this is NOT a freeRADIUS
issue and the answer can be sought from the wpa_supplicant mailing list.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP TLS client

2013-02-15 Thread Muhammad Nadeem
On 2/15/13, Stefan Winter  wrote:
> Hi,
>
>> I have configured freeradius to entertain EAP-TLS requests. And i am
>> using the freeradius certificate (shipped with software). I got stuck
>> at end, now i don't know how to send EAP-TLS request to server.
>> I read man radeapclient, but it only support md5. Could you please
>> tell me how could i send request to server using EAP-TLS
>> authentication method.
>
> Either by using a real EAP supplicant (Windows machine, Mac OS, ...) or
> for a command-line test use eapol_test, which is part of wpa_supplicant.
>
> Stefan
>
>
> --
> Stefan WINTER
> Research Engineer
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
> de la Recherche
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
>
> Tel: +352 424409 1
> Fax: +352 422473
>
>
Thanks Stefan, for your answer.
I preferred the command line tool "eapol_test". I also downloaded wpa_supplicant from the
official website.
But I have a problem: when I want to "make eapol_test" it gives the
following error.
/usr/bin/ld: cannot find -lnl
collect2: ld returned 1 exit status
make: *** [eapol_test] Error 1
Any idea about this error?

-- 
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP TLS client

2013-02-14 Thread Stefan Winter
Hi,

> I have configured freeradius to entertain EAP-TLS requests. And i am
> using the freeradius certificate (shipped with software). I got stuck
> at end, now i don't know how to send EAP-TLS request to server.
> I read man radeapclient, but it only support md5. Could you please
> tell me how could i send request to server using EAP-TLS
> authentication method.

Either by using a real EAP supplicant (Windows machine, Mac OS, ...) or
for a command-line test use eapol_test, which is part of wpa_supplicant.

Stefan


-- 
Stefan WINTER
Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: [EAP/TLS] Authenfication through a certificate

2013-02-08 Thread vazoumana fofana


here is the output:

 Evaluating ("%{TLS-Client-Cert-Subject}" =~//) -> TRUE
++? if ("%{TLS-Client-Cert-Subject}" =~ /\/xx\// ) -> TRUE
++- entering if ("%{TLS-Client-Cert-Subject}" =~ /\/O=\// ) {...}
+++? if ("%{TLS-Client-Cert-Subject}" =~ /\/OU=\// )
expand: %{TLS-Client-Cert-Subject} -> 
/
? Evaluating ("%{TLS-Client-Cert-Subject}" =~ /\/xxx\//) -> TRUE
+++? if ("%{TLS-Client-Cert-Subject}" =~ /\/x\// ) -> TRUE
+++- entering if ("%{TLS-Client-Cert-Subject}" =~ /\/xx\// ) 
{...}
[noop] returns noop
+++- if ("%{TLS-Client-Cert-Subject}" =~ /\/xxx\// ) returns 
noop
+++ ... skipping else for request 21: Preceding "if" was taken
++- if ("%{TLS-Client-Cert-Subject}" =~ /\/xx\// ) returns 
noop
Login OK: [xx] (from client xxx


I understand that eap returns ok so the user is authenticated.
That's not what I want to do.
I want the client certificate to be authenticated by:
- being in the users file
- having the "right" certificate
From: a.l.m.bu...@lboro.ac.uk
To: zoumlan...@hotmail.com; freeradius-users@lists.freeradius.org
Subject: Re: [EAP/TLS] Authenfication through a certificate
Date: Fri, 8 Feb 2013 16:20:20 +

As already said, post output of radiusd -X

(that will clearly show the logic taken)

alan

  -
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: [EAP/TLS] Authenfication through a certificate

2013-02-08 Thread Alan Buxey
As already said, post output of radiusd -X
(that will clearly show the logic taken)

alan


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: [EAP/TLS] Authenfication through a certificate

2013-02-08 Thread vazoumana fofana

I began setting up the configuration, but I got two problems:

clients with a good certificate can be authenticated even if they're not in the
"users" file.
I assume it's due to my code. Here is what is under the authenticate section of default:

Auth-Type eap {
    eap
    if ( "%{TLS-Client-Cert-Subject}" =~ /\/\// ) {
        if ( "%{TLS-Client-Cert-Subject}" =~ /\/xxx\// ) {
            ok
        }
        else {
            fail
        }
    }
}
It's like when the condition is checked, it bypasses the "users" file.

Maybe I must move these lines under authorize?
Anyone to confirm it?

cheers
 

> Date: Mon, 4 Feb 2013 10:32:22 -0500
> From: al...@deployingradius.com
> To: freeradius-users@lists.freeradius.org
> Subject: Re: [EAP/TLS] Authenfication through a certificate
> 
> vazoumana fofana wrote:
> > I've got a question about EAP/TLS and authentication for a client
> > through a certificate.
> > I succeeded in setting it up. But I notice that freeradius matches the client
> > login with the certificate CNAME.
> > Is it possible to change it in order to match the email instead of the CNAME?
> 
>   Yes.
> 
>   Read the eap.conf file, and the raddb/sites-available/default.  This
> is documented.
> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
  -
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: [EAP/TLS] Authenfication through a certificate

2013-02-04 Thread Alan DeKok
vazoumana fofana wrote:
> I've got a question about EAP/TLS and authentication for a client
> through a certificate.
> I succeeded in setting it up. But I notice that freeradius matches the client
> login with the certificate CNAME.
> Is it possible to change it in order to match the email instead of the CNAME?

  Yes.

  Read the eap.conf file, and the raddb/sites-available/default.  This
is documented.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


[EAP/TLS] Authenfication through a certificate

2013-02-04 Thread vazoumana fofana

Dear everybody,

I've got a question about EAP/TLS and authentication for a client through a 
certificate.
I succeeded in setting it up. But I notice that freeradius matches the client login with 
the certificate CNAME.
Is it possible to change it in order to match the email instead of the CNAME?

Best regards. 
  -
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

AW: AW: AW: EAP-TLS Failed in handler question

2013-01-02 Thread PENZ Robert
Hi!

Phil, thx again for your help - according to Extreme the bug has been fixed in
summitX-15.2.2.7-patch1-2

PD4-3163943281 802.1x re-authentication fails when EAP ID reaches 255.

This version also fixes a bug we reported which is related to 802.1x

PD4-3271740739 While using Dot1x and MAC-based netlogin on the same port, the
MAC reauthentication timer should stop after the client is authenticated with
dot1x credentials.

-Original Message-
From: freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org 
[mailto:freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org] 
On behalf of PENZ Robert
Sent: Tuesday, 11 December 2012 16:30
To: FreeRadius users mailing list
Subject: AW: AW: AW: EAP-TLS Failed in handler question

Hi!

Phil, Really BIG THANKS for your help! I'll talk to Extreme Networks.

Robert
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Enforcing use of Eap-TLS or PEAP

2012-12-24 Thread Alan DeKok
Kamil Jońca wrote:
> I try to set up radius authentication in my WiFi network.
> I want to have:
> 1. one user (samsung phone) should be authenticated with PEAP 
> 2. others should be authenticated with EAP-TLS.

  Give user (1) a password.  Give each of the other users a client
certificate.

   Done.

> Naive approach is to use Auth-Type but it's treated as "misuse" at
> http://deployingradius.com/documents/configuration/auth_type.html
> But the example is only for ms-chap, and I don't know which attribute(?)
> to use to force PEAP /EAP-TLS
> 
> Any help? Am I missing something?

  You're making it too complicated.  There's no need to "force"
anything.  Just configure the users, and it will work.

  If you don't give the users from (2) any passwords, PEAP won't work
for them.  If you don't give users from (1) any client certificates,
EAP-TLS won't work for them.

  It's that simple.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Enforcing use of Eap-TLS or PEAP

2012-12-24 Thread Kamil Jońca

I try to set up radius authentication in my WiFi network.
I want to have:
1. one user (samsung phone) should be authenticated with PEAP 
2. others should be authenticated with EAP-TLS.
Naive approach is to use Auth-Type but it's treated as "misuse" at
http://deployingradius.com/documents/configuration/auth_type.html
But the example is only for ms-chap, and I don't know which attribute(?)
to use to force PEAP /EAP-TLS

Any help? Am I missing something?
KJ

-- 
http://blogdebart.pl/2009/12/22/mamy-chorych-dzieci/
QOTD:
"It's been real and it's been fun, but it hasn't been real fun."

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


AW: AW: AW: EAP-TLS Failed in handler question

2012-12-11 Thread PENZ Robert
Hi!

Phil, Really BIG THANKS for your help! I'll talk to Extreme Networks.

Robert
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: AW: AW: EAP-TLS Failed in handler question

2012-12-11 Thread Phil Mayers

On 10/12/12 20:00, PENZ Robert wrote:

@PhilMayers: Did you get the Mail with the full logfile? do you need more?


Ok, your NAS is buggy I'm afraid. In some small percentage of cases, it 
is not handling the wrapping of EAP id values from 255 to 0.


The following sequence of (redacted) packets shows the problem (see line 
~2389268 in your debug for this example, but there are lots of others in 
there):


Access-Request packet from host NAS port 54217, id=183, length=151
User-Name = "host/blah"
EAP-Message = 0x02ff...
NAS-IP-Address = NAS
Service-Type = Login-User
Calling-Station-Id = "MAC"
NAS-Port-Id = "x:y"
NAS-Port = x00y
NAS-Port-Type = Ethernet
Message-Authenticator = 0x26710066ee2e161ba4979519e82cde59
...
[eap] EAP packet type response id 255 length 33
...
+- entering group EAP {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
...
Sending Access-Challenge of id 183 to 10.15.132.5 port 54217
EAP-Message = 0x01060d20
Message-Authenticator = 0x
State = 0xe043a0c1e043ad9227375e26b2f8cb62

Note that the access-request contains an EAP response with id=255, and 
we return an EAP request with id=0, having wrapped around. The NAS 
follows up with:


Access-Request packet from host 10.15.132.5 port 54217, id=184, length=241
User-Name = "host/blah"
EAP-Message = 0x02ff...
NAS-IP-Address = NAS
Service-Type = Login-User
Calling-Station-Id = "MAC"
NAS-Port-Id = "x:y"
NAS-Port = x00y
NAS-Port-Type = Ethernet
State = 0xe043a0c1e043ad9227375e26b2f8cb62
Message-Authenticator = 0x03a814fd68371689281f1e66a4728614
...
[eap] EAP packet type response id 255 length 105
...
rlm_eap: No EAP session matching the State variable.

That is - we send an Access-Challenge containing an EAP request id=0, 
the client responds with an Access-Request containing EAP response 
id=255. This is obviously wrong.


FreeRADIUS mixes certain data into the "State" value with a "xor" 
including the EAP id - that's why you're getting that particular error 
message, but the underlying problem is that the NAS is not always 
handling EAP id value wrap correctly.


I'm curious as to why the EAP id values are so large - I don't think 
most NASes do this, they start from id=1 on every conversation, but I 
don't know if it's legal.


The ID wrapping seems to work in other cases; I'm not certain, but it 
*may* be that it only fails if the sequence is:


C: access-request EAP-response id=255 EAP-Identity
S: access-challenge EAP-request id=0 PEAP-start
C: access-request EAP-response id=255 PEAP-data

i.e. if the initial EAP-identity is the one with id=255.

But anyway - I think your NAS is buggy. There's no way you can solve 
this in FreeRADIUS - you obviously can't rewrite the EAP id, so I think 
you'll need to open a bug report with the vendor.


There is one thing you *might* be able to do which *might* work, but 
it's dependent on what the NAS does - if I'm right and it's only 
Identity packets that don't wrap properly, you might be able to detect 
EAP identity packets and modify the ID and *maybe* the Extreme switch 
will reply in-sequence. Like so:


authorize {
  if ("%{EAP-Message[0]}" =~ /^0x02ff()01(.+)/) {
# we have an EAP-identity packet id=255, see if we can force a wrap
update request {
  EAP-Message := "0x0201%{1}01%{2}"
}
  }
  
}

However - I have no idea if this syntax will even work, and to be honest 
I'm extremely dubious that, if it does, the Extreme would respond properly.


Cheers,
Phil
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
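To make the Identifier wrap concrete, here is an added example (mine, not from Phil's message and not FreeRADIUS code) that decodes the EAP header from EAP-Message values as radiusd -X prints them and checks a conversation's Identifier sequence, reporting a NAS response that repeats 255 after the server has wrapped to 0. The packets are constructed to reproduce the pattern Phil describes, since the ones in the thread are redacted; EAP-TLS (type 13) stands in for the PEAP start in his sequence.

```python
"""Check EAP Identifier sequencing in a RADIUS/EAP conversation.

Added example; it is not from the thread and not FreeRADIUS code. It parses
the 4-byte EAP header (code, identifier, length) plus the type byte out of
EAP-Message values as radiusd -X prints them, then walks a conversation
checking that every NAS response carries the identifier of the outstanding
request and that the server's next request uses the following identifier
modulo 256 (the Identifier is one octet, so it wraps from 255 to 0, which is
what the server in the thread does). The packets below are constructed to
reproduce the wrap bug described above; the real ones in the thread are redacted.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "TLS", 25: "PEAP"}


def parse_eap(hexstr):
    """Decode an EAP-Message value ('0x...' or bare hex) into its header fields."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header is at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and len(raw) >= 5:
        pkt["type"] = EAP_TYPES.get(raw[4], raw[4])
    if length != len(raw):
        pkt["length_mismatch"] = True
    return pkt


def check_sequence(conversation):
    """conversation: list of (direction, hex); 'C' is an Access-Request from the
    NAS carrying an EAP Response, 'S' an Access-Challenge carrying an EAP Request.
    Returns a list of problems; an empty list means identifiers are in sequence."""
    problems = []
    last_id = None        # identifier of the most recent packet, either side
    outstanding = None    # identifier of the server request awaiting a response
    for n, (direction, hexstr) in enumerate(conversation):
        pkt = parse_eap(hexstr)
        if direction == "S":
            if pkt["code"] != "Request":
                problems.append(f"#{n}: server sent {pkt['code']}, expected Request")
            expected = None if last_id is None else (last_id + 1) % 256
            if expected is not None and pkt["id"] != expected:
                problems.append(f"#{n}: server request id {pkt['id']}, expected {expected}")
            outstanding = pkt["id"]
        else:
            if pkt["code"] != "Response":
                problems.append(f"#{n}: NAS sent {pkt['code']}, expected Response")
            if outstanding is not None and pkt["id"] != outstanding:
                note = (" (NAS did not follow the 255 -> 0 wrap)"
                        if pkt["id"] == 255 and outstanding == 0 else "")
                problems.append(f"#{n}: NAS response id {pkt['id']}, "
                                f"expected {outstanding}{note}")
        last_id = pkt["id"]
    return problems


# Constructed: Identity response id=255, TLS start request id=0, then the NAS
# answers with id=255 again instead of 0, as in the thread.
BUGGY_CONVERSATION = [
    ("C", "0x02ff000801626f62"),   # Response, id 255, len 8, Identity "bob"
    ("S", "0x010000060d20"),       # Request, id 0, len 6, TLS, flags=Start
    ("C", "0x02ff00060d00"),       # Response, id 255 (wrong), TLS
]
GOOD_CONVERSATION = [
    ("C", "0x02ff000801626f62"),
    ("S", "0x010000060d20"),
    ("C", "0x020000060d00"),       # Response, id 0 (correct), TLS
    ("S", "0x010100060d00"),       # Request, id 1
]

if __name__ == "__main__":
    print("buggy:", check_sequence(BUGGY_CONVERSATION))
    print("good: ", check_sequence(GOOD_CONVERSATION))
```

It reports sequence problems only; the "No EAP session matching the State variable" line FreeRADIUS logs is the downstream symptom Phil describes, so a finding here points at the NAS rather than at the server.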


Re: AW: AW: EAP-TLS Failed in handler question

2012-12-11 Thread Phil Mayers

On 12/10/2012 08:00 PM, PENZ Robert wrote:

@PhilMayers: Did you get the Mail with the full logfile? do you need more?


I did, but honestly I prioritise personal "help" emails lower than ones 
to the list, sorry.


I'll see if I have time to look today.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: AW: AW: EAP-TLS Failed in handler question

2012-12-10 Thread PENZ Robert
@PhilMayers: Did you get the Mail with the full logfile? do you need more?

Kind regards
Robert Penz


Dipl. Inf. Robert Penz
DVT-Daten-Verarbeitung-Tirol GmbH
Adamgasse 22, 6020 Innsbruck
Tel: +43 512 508 3334 / Fax: +43 512 508 3355
eMail: robert.p...@tirol.gv.at

From: freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org 
[freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org] On 
Behalf Of PENZ Robert [robert.p...@tirol.gv.at]
Sent: Wednesday, December 05, 2012 8:32 AM
To: FreeRadius users mailing list
Subject: AW: AW: AW: EAP-TLS Failed in handler question

> > There is no other packet between this two and only 5 seconds, server has
> > not been restarted.
> Weird.
> But we need the *full* debug please!

Some special option, or the full log file? The second I sent you in a private 
mail.

Robert
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


AW: AW: AW: EAP-TLS Failed in handler question

2012-12-04 Thread PENZ Robert

> > There is no other packet between this two and only 5 seconds, server has
> > not been restarted.
> Weird.
> But we need the *full* debug please!

Some special option, or the full log file? The second I sent you in a private 
mail.

Robert
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: AW: AW: EAP-TLS Failed in handler question

2012-12-04 Thread Phil Mayers

On 12/04/2012 03:59 PM, PENZ Robert wrote:


> There is no other packet between these two, and only 5 seconds; the server has
> not been restarted.


Weird.

But we need the *full* debug please!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


AW: AW: EAP-TLS Failed in handler question

2012-12-04 Thread PENZ Robert
Hi!



I was still not able to get a trace on the client side, but I believe these 
debug log entries should help. This time I got the start packet, and within some 
seconds I get the 2 packets at the RADIUS server, and the State variable seems 
to be the same.



Ready to process requests.
rad_recv: Access-Request packet from host 10.xx.xx.5 port 54217, id=11, length=152
User-Name = "host/x.local"
EAP-Message = 0x02ff002101686f73742f4456542d303039363832322e7469726f6c2e6c6f63616c
NAS-IP-Address = 10.xx.xx.5
Service-Type = Login-User
Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
NAS-Port-Id = "1:29"
NAS-Port = 1029
NAS-Port-Type = Ethernet
Message-Authenticator = 0xd080844ef3e47a9bc21e8c848b5a8548
..
[eap] EAP packet type response id 255 length 33
[eap] No EAP Start, assuming it's an on-going EAP conversation
+++[eap] returns updated
++- else else returns updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group EAP {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
..
Sending Access-Challenge of id 11 to 10.xx.xx.5 port 54217
EAP-Message = 0x01060d20
Message-Authenticator = 0x
State = 0x642534cc642539e20b4be1e3ae0328c0
Finished request 62603.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.xx.xx.5 port 54217, id=12, length=242
User-Name = "host/x.tirol.local"
EAP-Message = 0x02ff00690d80005f160301005a0156030150bd9377fb696c9f5eaedc568220f9aa35ab65930cf2232f4131c054b056295418002f00350005000ac013c014c009c00a00320038001300040115ff0100010a0006000400170018000b00020100
NAS-IP-Address = 10.xx.xx.5
Service-Type = Login-User
Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
NAS-Port-Id = "1:29"
NAS-Port = 1029
NAS-Port-Type = Ethernet
State = 0x642534cc642539e20b4be1e3ae0328c0
Message-Authenticator = 0xeada93f9da1ca47a6f0325e8ad0414a9
...
[eap] EAP packet type response id 255 length 105
[eap] No EAP Start, assuming it's an on-going EAP conversation
+++[eap] returns updated
++- else else returns updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group EAP {...}
rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
[eap] Failed in handler
++[eap] returns invalid



There is no other packet between these two, and only 5 seconds; the server has not 
been restarted.



Robert





-Original Message-
From: freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org 
[mailto:freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org] 
On Behalf Of PENZ Robert
Sent: Tuesday, 27 November 2012 17:38
To: FreeRadius users mailing list
Subject: AW: AW: EAP-TLS Failed in handler question



> > With first packet I meant first packet the radius server saw in some time 
> > ... the switch forces a reauthentication every 2h
> A re-auth is a fresh EAP session. So even on a re-auth, the first packet
> would not have a "State" attribute, absent software bugs.

ok

> >> It *could* be that the client just got stuck and is responding (very)
> >> late. But I'm quite surprised the NAS didn't timeout the EAP auth before
> >> that.
> >
> > We're running Extreme Networks Switches with following timers set:
> >
> > configure netlogin dot1x timers quiet-period 30
> > configure netlogin dot1x timers reauth-period 7200
> We run SummitX edge, and when I've tested dot1x netlogin in the past, I
> haven't seen this issue. We've never widely deployed it, however, so
> it's possible there's an XOS bug where a small percentage of re-auths
> erroneously re-use the "State". You'd need to get a packet capture to be
> sure.

ok ... will try to get one .. is not easy ...

> > but reject means the switch sets the port to the guest vlan, and therefore 
> > the PC loses the connections ... is there a way to request a new full 
> > eap/tls handshake from the client?
>
> You're not understanding, or I'm not making myself clear.
>
> Suggestion: fire up wireshark, and take a careful look at a normal EAP
> authentication. You'll see that the first packet is an EAP-Identity
> without a "State" attribute, which the server responds to with an
> Access-Challenge containing the default eap type "start"

AW: AW: EAP-TLS Failed in handler question

2012-11-27 Thread PENZ Robert
> > With first packet I meant first packet the radius server saw in some time 
> > ... the switch forces a reauthentication every 2h
> A re-auth is a fresh EAP session. So even on a re-auth, the first packet 
> would not have a "State" attribute, absent software bugs.

ok

> >> It *could* be that the client just got stuck and is responding (very)
> >> late. But I'm quite surprised the NAS didn't timeout the EAP auth before
> >> that.
> >
> > We're running Extreme Networks Switches with following timers set:
> >
> > configure netlogin dot1x timers quiet-period 30
> > configure netlogin dot1x timers reauth-period 7200
> We run SummitX edge, and when I've tested dot1x netlogin in the past, I 
> haven't seen this issue. We've never widely deployed it, however, so 
> it's possible there's an XOS bug where a small percentage of re-auths 
> erroneously re-use the "State". You'd need to get a packet capture to be 
> sure.

ok ... will try to get one .. is not easy ... 

> > but reject means the switch sets the port to the guest vlan, and therefore 
> > the PC loses the connections ... is there a way to request a new full 
> > eap/tls handshake from the client?
> 
> You're not understanding, or I'm not making myself clear.
> 
> Suggestion: fire up wireshark, and take a careful look at a normal EAP 
> authentication. You'll see that the first packet is an EAP-Identity 
> without a "State" attribute, which the server responds to with an 
> Access-Challenge containing the default eap type "start" payload, and a 
> "State" attribute.
> 
> Are you *absolutely sure* that these packets are really the first RADIUS 
> packet in the auth/re-auth?

will check again and get back to you

> If you're sure, your problem seems to be that the correct first packet 
> isn't being sent; the switch is just jumping straight in with the EAP 
> payload *and* a "State" attribute. I am curious to know where it's 
> getting that "State" attribute.
> 
> The server source code assumes that a "State" attribute will be valid. 
> There's no setting to "just accept it".
> 
> Interestingly, I see the RADIUS RFC does actually allow clients to send 
> a previous "State" if you send an Access-Accept with:
> 
>   Termination-Action = RADIUS-request
> You're not doing that, are you?

no, I'm not


> No. As above, re-auths start new EAP sessions. You would only reject any 
> EAP sessions that were in the *middle* of performing an auth, as the 
> "state" would be lost across restarts. But this is a very narrow window.

So would it be best to set iptables to drop requests for 1 min, then restart the 
RADIUS and remove the iptables rules? Or can I set FreeRADIUS in a mode where 
it does not accept new sessions, and after 2 minutes I restart it? So that the 
switch is forced onto the other switch.

Or what is the best practice to never have false rejects?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TLS constant disconnects

2012-11-26 Thread Uros Kolar
Thanks for the additional info on timers.

Here are the values, hope I didn't leave out something. Basically we left
them set to default.

timer expire for eap is 60
cleanup delay is set to 5
reject delay to 1
max request time is 30

uros


On Mon, Nov 26, 2012 at 12:14 PM, alan buxey wrote:

> Hi,
>
> >I've interrupted the test after the described process was already
> going
> >on for 2 min.
> >
> >Don't know exactly what timers you mean. I checked time settings on
> >servers. NAS has GMT+1 and FreeRADIUS server UTC. Will change NAS
> time to
> >GMT. Please correct me if that's not what you meant.
>
> I mean the number of seconds you have for eg RADIUS authentication,
> failure time,
> cleanup delay etc.  also, if your clients and RADIUS server don't have
> correct time
> synchronisation then things will go wrong.
>
> alan
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP-TLS constant disconnects

2012-11-26 Thread alan buxey
Hi,

>I've interrupted the test after the described process was already going
>on for 2 min.
> 
>Don't know exactly what timers you mean. I checked time settings on
>servers. NAS has GMT+1 and FreeRADIUS server UTC. Will change NAS time to
>GMT. Please correct me if that's not what you meant.

I mean the number of seconds you have for eg RADIUS authentication, failure 
time,
cleanup delay etc.  also, if your clients and RADIUS server don't have correct 
time
synchronisation then things will go wrong.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TLS constant disconnects

2012-11-26 Thread Uros Kolar
Hi,

I've interrupted the test after the described process was already going on
for 2 min.

Don't know exactly what timers you mean. I checked time settings on servers.
NAS has GMT+1 and FreeRADIUS server UTC. Will change NAS time to GMT.
Please correct me if that's not what you meant.


On Mon, Nov 26, 2012 at 10:29 AM, alan buxey wrote:

> Hi,
>
> >The results are really interesting and not expected.
>
> how long does the process take? what are your NAS timers and FreeRADIUS
> timers?
>
> alan
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP-TLS constant disconnects

2012-11-26 Thread alan buxey
Hi,

>The results are really interesting and not expected.

how long does the process take? what are your NAS timers and FreeRADIUS timers?

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TLS constant disconnects

2012-11-26 Thread Uros Kolar
Phil, thank you for your reply!

I've tried to debug as you suggested. I ran wireshark on the remote side +
tcpdump on the server side.

The results are really interesting and not expected.

As the client is disconnected, it sends an auth request to the server.
Server gets the request and after a successful authentication it sends back
Access-Accept. Client gets this message. However, immediately after a
successful authentication, it starts with the authentication process again
and it loops like that. In the test time Access-Accept was granted 7 times,
but client was still without connection and retrying.

For tests I used a linux client on the remote side. After running dhclient
a couple of times the connection is usually restored; sometimes it even
takes taking the interface down and bringing it up again to restore the
connection.

As of my understanding this does not prove a weak wifi as a reason for
failure, as it does not prove that it is not the cause for trouble.
Additionally, there seems to be something else, besides wireless, which I
can't explain, so feel free to comment and suggest!

Regards!


On Fri, Nov 23, 2012 at 10:54 AM, Phil Mayers wrote:

> On 11/23/2012 08:03 AM, Uros Kolar wrote:
>
>> Hi all!
>>
>> We've been using freeradius 2.1.12 with EAP-TLS authentication. The
>> problem we experience is constant disconnects of the clients. After
>> some time (it seems like the intervals are random) of usage the
>> connection drops. I don't have a debug output, since the server is in
>> production already and because of the valid traffic it's hard to
>> efficiently debug it that way.
>>
>> A similar problem was already reported some years ago (without an
>> answer - at least not in that thread): http://bit.ly/10o9xkG
>>
>
> The issue described in that post is symptomatic of wireless problems -
> interference, low signal, etc. - not RADIUS problems. The "EAP Identity"
> retries he mentions are on the *wireless* side i.e. the AP asking the
> client to start a re-auth.
>
> Your problem also sounds like wireless to me; FreeRADIUS either:
>
>  * receives auth requests and sends an accept
>  * receives auth requests and sends a reject
>  * receives auth requests that the client never completes
>
> It doesn't somehow magically disconnect the client (well, unless you're
> using the CoA functionality and you *ask* it to).
>
> I would suggest starting the debugging at the wireless side. Wait for a
> report of a disconnect, then search your logs.
>
> You could also start a rolling tcpdump on the RADIUS server of all auth
> traffic, and then search it for an auth request - I bet you don't see one.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: AW: EAP-TLS Failed in handler question

2012-11-21 Thread Phil Mayers

On 21/11/12 12:00, PENZ Robert wrote:


> With first packet I meant first packet the radius server saw in some time ... 
> the switch forces a reauthentication every 2h

A re-auth is a fresh EAP session. So even on a re-auth, the first packet 
would not have a "State" attribute, absent software bugs.

>> It *could* be that the client just got stuck and is responding (very)
>> late. But I'm quite surprised the NAS didn't timeout the EAP auth before
>> that.
>
> We're running Extreme Networks Switches with following timers set:
>
> configure netlogin dot1x timers quiet-period 30
> configure netlogin dot1x timers reauth-period 7200

We run SummitX edge, and when I've tested dot1x netlogin in the past, I 
haven't seen this issue. We've never widely deployed it, however, so 
it's possible there's an XOS bug where a small percentage of re-auths 
erroneously re-use the "State". You'd need to get a packet capture to be 
sure.

> but reject means the switch sets the port to the guest vlan, and therefore the 
> PC loses the connections ... is there a way to request a new full eap/tls 
> handshake from the client?

You're not understanding, or I'm not making myself clear.

Suggestion: fire up wireshark, and take a careful look at a normal EAP 
authentication. You'll see that the first packet is an EAP-Identity 
without a "State" attribute, which the server responds to with an 
Access-Challenge containing the default eap type "start" payload, and a 
"State" attribute.

Are you *absolutely sure* that these packets are really the first RADIUS 
packet in the auth/re-auth?

If you're sure, your problem seems to be that the correct first packet 
isn't being sent; the switch is just jumping straight in with the EAP 
payload *and* a "State" attribute. I am curious to know where it's 
getting that "State" attribute.

The server source code assumes that a "State" attribute will be valid. 
There's no setting to "just accept it".

Interestingly, I see the RADIUS RFC does actually allow clients to send 
a previous "State" if you send an Access-Accept with:

 Termination-Action = RADIUS-request

You're not doing that, are you?

>>> Is this a client problem or a misconfiguration on my part?
>>
>> It's probably a client or NAS problem, unless you've set timer_expire
>> too low.
>>
>> However: I guess this could also happen right after the server is
>> restarted. Could that be it - is a cron job restarting it maybe?
>
> no the server is running for > 10 days
>
> but if I would restart the server I would reject all clients to the guest vlan 
> on reauthentication after that ... that can't be the designed way.

No. As above, re-auths start new EAP sessions. You would only reject any 
EAP sessions that were in the *middle* of performing an auth, as the 
"state" would be lost across restarts. But this is a very narrow window.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


AW: EAP-TLS Failed in handler question

2012-11-21 Thread PENZ Robert
Hi!

first thx for your response.

> My first question is, how can I decode a EAP-Message from the debug
> Wireshark, or read the EAP RFC and decode it manually (see below)

ok, I believe I got lucky and got a tcpdump trace on a client yesterday ... 
need to check it and if it is the same problem I'll provide more info.

> > log to check if the request is itself ok. Here is first packet from
> No, this is *not* the first packet, because it has a "State" attribute, 
> which is only present in 2nd and subsequent packets of the EAP exchange.

With first packet I meant first packet the radius server saw in some time ... 
the switch forces a reauthentication every 2h

> The reason you're getting the error message is that the "State" 
> attribute is unknown, so FR can't proceed with the EAP session and has 
> no choice but to drop it.
> Check you haven't reduced the "timer_expire" value in eap.conf to a 
> too-low value.

#  A list is maintained to correlate EAP-Response
#  packets with EAP-Request packets.  After a
#  configurable length of time, entries in the list
#  expire, and are deleted.
#
timer_expire = 120

default was 60 .. I doubled it some weeks ago, as I saw "No EAP session 
matching the State variable" entries in the log.

> How many FR servers do you have serving this NAS? Is it possible the NAS 
> is sending packets in a round-robin fashion (which is bad) which is why 
> you're seeing a packet for which you don't have State?

In this case it is only one .. we're running in pre-production with the IT 
department clients (about 100 clients) to make sure it is stable before 
rollout. But in production it will be more than one ... good point, we need to 
check that too, before going into production.
 
> I guess it's possible something is mangling the State attribute from the 
> previous packet (which is *actually* the first packet).
> Otherwise, the client or NAS is doing something odd.

> It *could* be that the client just got stuck and is responding (very) 
> late. But I'm quite surprised the NAS didn't timeout the EAP auth before 
> that.

We're running Extreme Networks Switches with following timers set:

configure netlogin dot1x timers quiet-period 30
configure netlogin dot1x timers reauth-period 7200

following other timers are set to the default values:

  server-timeout Configure RADIUS server timeout for 802.1X
  supp-resp-timeout  Configure supplicant response timeout

> > rad_recv: Access-Request packet from host 10.xxx.xxx.4 port 44519,
> > id=151, length=244 User-Name = "host/x.tirol.local"
> > EAP-Message = 0x02ff00690d80005f160301005a01
> >
> 
> Ok so this says:
> 
> 02 - eap response
> ff - eap ID 255 - bit odd..
> 0069 - length in hex
> 0d - eap type 13 (EAP-TLS)
> 80 - eap TLS flags = length included
> 005f - tls length
> 160301 - TLS packet 0x16==22==handshake record, version 3,1 (TLS 1.0)
> 005a - record length
> 01 - handshake=client hello

cool !!

> 
> etc. etc.
> 
> So, it's the start of an EAP-TLS exchange, but as above, it's *not* the 
> first packet. If you start a tcpdump on the server, you'll see how this 
> works:
> 
> C: Access-Request, no state, EAP-Identity=abc
> S: Access-Challenge, state=, EAP-TLS blah
> C: Access-Request, state=, EAP-TLS blah

ok

> i.e. the NAS has to reflect the "State" back to FreeRADIUS on each 
> packet. Something is interfering with that, or erasing the "State" at 
> your end (a timer or restart).
> 
> > rlm_eap: No EAP session matching the State variable
> See?

But I didn't see a reason for it ;-)

> > Invalid means I return a reject ... should I return something else?
> No.

but reject means the switch sets the port to the guest vlan, and therefore the 
PC loses the connections ... is there a way to request a new full eap/tls 
handshake from the client?

> > Is this a client problem or a misconfiguration on my part?
> It's probably a client or NAS problem, unless you've set timer_expire 
> too low.

> However: I guess this could also happen right after the server is 
> restarted. Could that be it - is a cron job restarting it maybe?

no the server is running for > 10 days

but if I would restart the server I would reject all clients to the guest vlan 
on reauthentication after that ... that can't be the designed way.

Robert
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


EAP-TLS error: RSA_padding_check_PKCS1_type_1:block type is not 01

2012-11-21 Thread Swaraj

>> I'm using Freeradius server2.1.12 on x86 fedora14. My client is using
>> (armel ubuntu 10.04 lucid) IMX53 board. When I try connecting to radius
>> server I am receiving the following errors.
>
>    The client is broken.  It's not doing SSL correctly.
>
>> Do we require different certificates for arm boards, as I was able to
>> run without any issues on x86 with same certificates.
>
>    Because it has different software.

May I know, what is that different software?

>> Tue Nov 20 16:48:05 2012 : Error: TLS Alert write:fatal:decrypt error
>> Tue Nov 20 16:48:05 2012 : Error: TLS_accept: failed in SSLv3 read
>> certificate verify B
>> Tue Nov 20 16:48:05 2012 : Error: rlm_eap: SSL error error:0407006A:rsa
>> routines:RSA_padding_check_PKCS1_type_1:block type is not 01
>
>    You CANNOT fix this by poking FreeRADIUS.
>
>> I created certificates with the following commands:
>
>    This is NOT a certificate issue.  Notice that the error is NOT
> complaining about certificates.
>
>    And why use your own commands to create certs?  The scripts in
> raddb/certs WORK.
>
>    Alan DeKok.



Regards,
Swaraj
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP-TLS error: RSA_padding_check_PKCS1_type_1:block type is not 01

2012-11-20 Thread Phil Mayers

On 20/11/12 12:38, Swaraj wrote:

> Tue Nov 20 16:48:05 2012 : Error: rlm_eap: SSL error error:0407006A:rsa
> routines:RSA_padding_check_PKCS1_type_1:block type is not 01

That's very odd. It looks like a problem with OpenSSL - maybe 
endian-ness or something?

> I created certificates with the following commands:

Did you create them *on* the ARM device? Can you verify them with 
"openssl verify" *on* the ARM device?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TLS error: RSA_padding_check_PKCS1_type_1:block type is not 01

2012-11-20 Thread Phil Mayers

On 20/11/12 13:26, Alan DeKok wrote:
> Swaraj wrote:
>> I'm using Freeradius server2.1.12 on x86 fedora14. My client is using
>> (armel ubuntu 10.04 lucid) IMX53 board. When I try connecting to radius
>> server I am receiving the following errors.
>
>   The client is broken.  It's not doing SSL correctly.

Oops yes ignore my email; I thought the *server* was running on the IMX.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TLS error: RSA_padding_check_PKCS1_type_1:block type is not 01

2012-11-20 Thread Alan DeKok
Swaraj wrote:
> I'm using Freeradius server2.1.12 on x86 fedora14. My client is using
> (armel ubuntu 10.04 lucid) IMX53 board. When I try connecting to radius
> server I am receiving the following errors.

  The client is broken.  It's not doing SSL correctly.

> Do we require different certificates for arm boards, as I was able to
> run without any issues on x86 with same certificates.

  Because it has different software.
> Tue Nov 20 16:48:05 2012 : Error: TLS Alert write:fatal:decrypt error
> Tue Nov 20 16:48:05 2012 : Error: TLS_accept: failed in SSLv3 read
> certificate verify B
> Tue Nov 20 16:48:05 2012 : Error: rlm_eap: SSL error error:0407006A:rsa
> routines:RSA_padding_check_PKCS1_type_1:block type is not 01

  You CANNOT fix this by poking FreeRADIUS.

> I created certificates with the following commands:

  This is NOT a certificate issue.  Notice that the error is NOT
complaining about certificates.

  And why use your own commands to create certs?  The scripts in
raddb/certs WORK.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


EAP-TLS error: RSA_padding_check_PKCS1_type_1:block type is not 01

2012-11-20 Thread Swaraj


Hi All,

I'm using Freeradius server2.1.12 on x86 fedora14. My client is using 
(armel ubuntu 10.04 lucid) IMX53 board. When I try connecting to radius 
server I am receiving the following errors.
Do we require different certificates for arm boards, as I was able to 
run without any issues on x86 with same certificates.


openssl version is 0.98g (on arm board)
openssl version is 1.0.0a-fips (on x86 free radius server 2.1.12)


/*ERROR:
---
*/
rad_recv: Access-Request packet from host 10.0.0.70 port 2050, id=8, 
length=166

User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Called-Station-Id = "68-7F-74-64-0A-AA:linksys"
Calling-Station-Id = "00-23-A7-3B-29-2C"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x020300060d00
State = 0xba89e950b88ae454eff4b9964b6ca194
Message-Authenticator = 0x3f69e77da835e1450b33224899e816b2
Tue Nov 20 16:48:05 2012 : Info: # Executing section authorize from file 
/usr/local/etc/raddb/radiusd.conf

Tue Nov 20 16:48:05 2012 : Info: +- entering group authorize {...}
Tue Nov 20 16:48:05 2012 : Info: ++[preprocess] returns ok
Tue Nov 20 16:48:05 2012 : Info: ++[chap] returns noop
Tue Nov 20 16:48:05 2012 : Info: ++[mschap] returns noop
Tue Nov 20 16:48:05 2012 : Info: [suffix] No '@' in User-Name = 
"testuser", looking up realm NULL

Tue Nov 20 16:48:05 2012 : Info: [suffix] No such realm "NULL"
Tue Nov 20 16:48:05 2012 : Info: ++[suffix] returns noop
Tue Nov 20 16:48:05 2012 : Info: [eap] EAP packet type response id 3 
length 6
Tue Nov 20 16:48:05 2012 : Info: [eap] No EAP Start, assuming it's an 
on-going EAP conversation

Tue Nov 20 16:48:05 2012 : Info: ++[eap] returns updated
Tue Nov 20 16:48:05 2012 : Info: [files] users: Matched entry testuser 
at line 131

Tue Nov 20 16:48:05 2012 : Info: ++[files] returns ok
Tue Nov 20 16:48:05 2012 : Info: Found Auth-Type = EAP
Tue Nov 20 16:48:05 2012 : Info: # Executing group from file 
/usr/local/etc/raddb/radiusd.conf

Tue Nov 20 16:48:05 2012 : Info: +- entering group authenticate {...}
Tue Nov 20 16:48:05 2012 : Info: [eap] Request found, released from the list
Tue Nov 20 16:48:05 2012 : Info: [eap] EAP/tls
Tue Nov 20 16:48:05 2012 : Info: [eap] processing type tls
Tue Nov 20 16:48:05 2012 : Info: [tls] Authenticate
Tue Nov 20 16:48:05 2012 : Info: [tls] processing EAP-TLS
Tue Nov 20 16:48:05 2012 : Info: [tls] Received TLS ACK
Tue Nov 20 16:48:05 2012 : Info: [tls] ACK handshake fragment handler
Tue Nov 20 16:48:05 2012 : Info: [tls] eaptls_verify returned 1
Tue Nov 20 16:48:05 2012 : Info: [tls] eaptls_process returned 13
Tue Nov 20 16:48:05 2012 : Info: ++[eap] returns handled
Sending Access-Challenge of id 8 to 10.0.0.70 port 2050
EAP-Message = 
0x0104020d0d8005f9bd300c0603551d13040530030101ff301d0603551d0e04160414b3807b965fdd9f8fee8fca751d47bf2aebac11fd30818d0603551d230481853081828014b3807b965fdd9f8fee8fca751d47bf2aebac11fda15fa45d305b310a3008060355040a130161310a3008060355040b1301613110300e06092a864886f70d010901160161310a30080603550407130161310a30080603550408130161310b3009060355040613026161310a30080603550403130161820900958dbc5fc22a1e39300d06092a864886f70d010104050003818100a8e4f602c2235087e8a8e93f610ce12e5e3e6a54103b1dccc56529aab99cc32649af

EAP-Message = 0x026161310a300806035504031301610e00
Message-Authenticator = 0x
State = 0xba89e950b98de454eff4b9964b6ca194
Tue Nov 20 16:48:05 2012 : Info: Finished request 8.
Tue Nov 20 16:48:05 2012 : Debug: Going to the next request
Tue Nov 20 16:48:05 2012 : Debug: Waking up in 0.5 seconds.
rad_recv: Access-Request packet from host 10.0.0.70 port 2050, id=9, 
length=1287

User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Called-Station-Id = "68-7F-74-64-0A-AA:linksys"
Calling-Station-Id = "00-23-A7-3B-29-2C"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 
0x0204045f0d0016030103030b0002ff0002fc0002f9308202f53082025ea003020102020900958dbc5fc22a1e39300d06092a864886f70d0101040500305b310a30080

Re: EAP-TLS Failed in handler question

2012-11-19 Thread Phil Mayers

On 11/19/2012 08:23 AM, PENZ Robert wrote:


My first question is, how can I decode a EAP-Message from the debug


Wireshark, or read the EAP RFC and decode it manually (see below)


log to check if the request is itself ok. Here is first packet from


No, this is *not* the first packet, because it has a "State" attribute, 
which is only present in 2nd and subsequent packets of the EAP exchange.


The reason you're getting the error message is that the "State" 
attribute is unknown, so FR can't proceed with the EAP session and has 
no choice but to drop it.


Check you haven't reduced the "timer_expire" value in eap.conf to a 
too-low value.


How many FR servers do you have serving this NAS? Is it possible the NAS 
is sending packets in a round-robin fashion (which is bad) which is why 
you're seeing a packet for which you don't have State?


I guess it's possible something is mangling the State attribute from the 
previous packet (which is *actually* the first packet).


Otherwise, the client or NAS is doing something odd.


this client in some time, and it already generates the error. But the
same client worked before and after it for days without a problem:


It *could* be that the client just got stuck and is responding (very) 
late. But I'm quite surprised the NAS didn't timeout the EAP auth before 
that.




rad_recv: Access-Request packet from host 10.xxx.xxx.4 port 44519,
id=151, length=244 User-Name = "host/x.tirol.local"
EAP-Message = 0x02ff00690d80005f160301005a01



Ok so this says:

02 - eap response
ff - eap ID 255 - bit odd..
0069 - length in hex
0d - eap type 13 (EAP-TLS)
80 - eap TLS flags = length included
005f - tls length
160301 - TLS packet 0x16==22==handshake record, version 3,1 (TLS 1.0)
005a - record length
01 - handshake=client hello

etc. etc.

So, it's the start of an EAP-TLS exchange, but as above, it's *not* the 
first packet. If you start a tcpdump on the server, you'll see how this 
works:


C: Access-Request, no state, EAP-Identity=abc
S: Access-Challenge, state=, EAP-TLS blah
C: Access-Request, state=, EAP-TLS blah

i.e. the NAS has to reflect the "State" back to FreeRADIUS on each 
packet. Something is interfering with that, or erasing the "State" at 
your end (a timer or restart).



> rlm_eap: No EAP session matching the State variable


See?


> Invalid means I return a reject ... should I return something else?


No.


> Is this a client problem or a misconfiguration on my part?


It's probably a client or NAS problem, unless you've set timer_expire 
too low.


However: I guess this could also happen right after the server is 
restarted. Could that be it - is a cron job restarting it maybe?

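A small decoder, added here and not from the thread, that walks the same layers Phil decodes by hand (EAP header, EAP-TLS flags and TLS Message Length, TLS record header, handshake type) and checks that each length field agrees with the bytes actually present. SAMPLE_RESPONSE is a constructed, well-formed ClientHello; THREAD_HEX is the EAP-Message as printed in the thread, whose EAP length field (0x0069 = 105) does not match the 95 bytes that appear in the archived mail.

```python
import struct

EAP_CODES = {1: "request", 2: "response", 3: "success", 4: "failure"}
TLS_RECORD_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate", 16: "client_key_exchange"}


def decode_eap_tls(hexstr: str) -> dict:
    """Decode the outer layers of an EAP-Message carrying EAP-TLS (RFC 3748 / RFC 5216).
    Returns the parsed fields, or {"error": ...} when the length fields do not add up."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(data) < 4:
        return {"error": "too short for an EAP header"}
    code, ident, eap_len = struct.unpack("!BBH", data[:4])
    if eap_len != len(data):  # the EAP length field must match the bytes actually present
        return {"error": f"EAP length field says {eap_len} bytes but {len(data)} were captured"}
    info = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "eap_length": eap_len}
    if code not in (1, 2):  # Success/Failure carry no type field or payload
        return info
    eap_type, flags = data[4], data[5]
    if eap_type != 13:
        return {"error": f"EAP type {eap_type} is not EAP-TLS (13)"}
    info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
    offset = 6
    if flags & 0x80:  # L bit set: a four-octet TLS Message Length follows the flags
        if len(data) < 10:
            return {"error": "L bit set but the TLS Message Length field is missing"}
        info["tls_message_length"] = struct.unpack("!I", data[6:10])[0]
        offset = 10
    payload = data[offset:]
    if not payload:  # a bare EAP-TLS ACK (flags 0, no data) is legitimate mid-exchange
        info["payload"] = "empty (ACK)"
        return info
    if flags & 0x80 and not flags & 0x40 and info["tls_message_length"] != len(payload):
        return {"error": "unfragmented message but TLS Message Length != payload size"}
    if len(payload) < 5:
        return {"error": "truncated TLS record header"}
    rec_type, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    info["record"] = {"type": TLS_RECORD_TYPES.get(rec_type, f"unknown({rec_type})"),
                      "version": f"{major}.{minor}", "length": rec_len}
    if rec_type == 22 and len(payload) > 5:  # first payload byte of a handshake record is its type
        info["handshake_type"] = HANDSHAKE_TYPES.get(payload[5], f"unknown({payload[5]})")
    return info


# Constructed sample: a well-formed EAP-TLS response carrying a minimal TLS 1.0 ClientHello.
SAMPLE_RESPONSE = (
    "02ff003e" "0d80" "00000034"  # EAP response, id 255, length 62; type 13, flags L=1, TLS length 52
    "160301002f" "0100002b"       # TLS handshake record v3.1, length 47; client_hello, length 43
    "0301" + "a5" * 32 + "00"     # client version 3.1, 32-byte placeholder random, empty session id
    "0004" "002f0035" "0100"      # 2 cipher suites (0x002f, 0x0035); 1 compression method (null)
)
# The EAP-Message exactly as printed in the thread's debug output (95 bytes; its header claims 105).
THREAD_HEX = "0x02ff00690d80005f160301005a0156030150a6115ee4ca2d9456a7fa7edad2fb1c7b221fc747eb78eb4d789ff077c48ef818002f00350005000ac013c014c009c00a00320038001300040115ff0100010a0006000400170018000b00020100"
```

Running the length check on an EAP-Message copied from a debug log tells you whether you are looking at a complete packet before you start reasoning about the State problem.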


EAP-TLS Failed in handler question

2012-11-19 Thread PENZ Robert
Hi!

I have 802.1x (EAP-TLS) activated on a wired network, and it works 99% of the 
time ... just some authentications fail, but some minutes later the same client 
authenticates without a problem. As it happens only once every few days and 
always with a new client I cannot put a sniffer between the PC and the switch, as I 
don't know which client is the next. But I enabled the debug logging on the 
FreeRADIUS server. The clients are Windows 7 PCs and I'm running 
freeradius2-2.1.12-3.el5 on RHEL5.

My first question is, how can I decode an EAP-Message from the debug log to 
check if the request is itself ok? Here is the first packet from this client in 
some time, and it already generates the error. But the same client worked 
before and after it for days without a problem:

rad_recv: Access-Request packet from host 10.xxx.xxx.4 port 44519, id=151, 
length=244
User-Name = "host/x.tirol.local"
EAP-Message = 
0x02ff00690d80005f160301005a0156030150a6115ee4ca2d9456a7fa7edad2fb1c7b221fc747eb78eb4d789ff077c48ef818002f00350005000ac013c014c009c00a00320038001300040115ff0100010a0006000400170018000b00020100
NAS-IP-Address = 10.xxx.xxx.4
Service-Type = Login-User
Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
NAS-Port-Id = "2:3"
NAS-Port = 2003
NAS-Port-Type = Ethernet
State = 0x8df2b5f98df2b8eb6e43e372671f4335
Message-Authenticator = 0x6822006f5e7cf03d00a08b04869d19d8

and the relevant other log lines:

++? if (!EAP-Message)
? Evaluating !(EAP-Message) -> FALSE
++? if (!EAP-Message) -> FALSE
++- entering else else {...}
[eap] EAP packet type response id 255 length 105
[eap] No EAP Start, assuming it's an on-going EAP conversation
+++[eap] returns updated
++- else else returns updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group EAP {...}
rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
[eap] Failed in handler
++[eap] returns invalid

Invalid means I return a reject ... should I return something else?  Is this a 
client problem or a misconfiguration on my part? Thx for your help!


Kind regards
Robert Penz

--
Dipl.Inf. Robert Penz
DVT - Daten-Verarbeitung-Tirol GmbH
Adamgasse 22, 6020 Innsbruck
Tel: +43 (0)512 508 3334 / Fax: +43 (0)512 508 3355
E-Mail: robert.p...@tirol.gv.at




Re: Wireless EAP-TLS Login from Notebook with User and PASSWORD

2012-11-07 Thread Phil Mayers

On 11/07/2012 08:33 AM, sierramailp...@gmx.de wrote:

> Hey there,
> 
> I've set up a freeradius server and am using EAP-TLS, and would need
> some help from you.
> 
> The users file contains the username and the password being allowed
> to connect after the TLS connection has been established, and this is
> working on an Android phone with no problems so far.
> 
> One can set up the CA cert, the user cert, the login name and the password.
> 
> But I don't have an option to enter a password when I try to connect
> from the notebook, running Windows 7.


EAP-TLS doesn't *use* a username/password. Just the client cert.

If you want passwords, you want PEAP or TTLS.

Wireless EAP-TLS Login from Notebook with User and PASSWORD

2012-11-07 Thread sierramailpapa
Hey there,

I've set up a freeradius server and am using EAP-TLS, and would need some help 
from you. 

The users file contains the username and the password being allowed to connect 
after the TLS connection has been established, and this is working on an Android 
phone with no problems so far. 

One can set up the
- CA cert
- user cert
- login name and
- password

But I don't have an option to enter a password when I try to connect from the 
notebook, running Windows 7.

Is there an add-on tool one can use to deliver the password as well, or do I 
have to drop the user/pass auth from TTLS completely?


FR is V2
EAP is set to allow TLS only
The users file contains cleartext password auth (used from TTLS, which has been 
used before)


Thanks in advance and best regards
Martin


Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-12 Thread Alexandros Gougousoudis

Phil Mayers wrote:
> Is it possible your wireless networking equipment is mangling the 
> hostnames? Which vendor are you using?


Mhh, I can check that again, it's an old Linksys AP. I'll see if that 
happens also with the other, more professional hardware we have.

> Have you verified that you really are receiving "hostname" instead of 
> "host/hostname"? Verified with a reliable tool i.e. "tcpdump" on the 
> RADIUS server?

No, I just took the debug mode from FR.

But it's good to know that the normal behaviour of Windows is to use a 
unique login name for all kinds of machine-based auth.


Bye
Alex



Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-12 Thread Phil Mayers

On 12/10/12 13:59, Alexandros Gougousoudis wrote:

> Hi David,
> 
> David Mitton wrote:
> 
> > If the OP is observing such behavior, he needs to figure out why (what
> > turned it on, is it consistent or the same for all users) and work
> > with that.
> 
> It is consistent for all machines in the network. To figure out why this
> happened is exactly what I want to do. But I need a good point to start.
> At least in MS TechNet there is no usable information about that behaviour.
> But - as always - it depends also on the kind of question. Maybe I used
> the wrong keywords for the search. At the moment I can't see any light
> at the end of the tunnel.


It's interesting that the problem occurs on your wireless network.

Is it possible your wireless networking equipment is mangling the 
hostnames? Which vendor are you using?


Have you verified that you really are receiving "hostname" instead of 
"host/hostname"? Verified with a reliable tool i.e. "tcpdump" on the 
RADIUS server?



Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-12 Thread Phil Mayers

On 12/10/12 13:48, David Mitton wrote:

> The behavior _is_ configurable, but as you have observed for your
> particular network, the default is not to attempt machine auth.   It is
> configurable on a per-network connection basis, I'm getting fuzzy on if
> it's adapter or SSID based.


No, you've misunderstood the point I'm making.

I am aware that machine and user auth are configurable (FYI, it's 
per-adapter on LAN, per SSID on wireless).


The issue the OP seems to be facing is that, when *doing* machine auth, 
he gets different format names on wired versus wireless.


Windows doesn't do that, so either his RADIUS config or Wi-Fi network is 
mangling them.



Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-12 Thread Alexandros Gougousoudis

Hi David,

David Mitton wrote:
> If the OP is observing such behavior, he needs to figure out why (what 
> turned it on, is it consistent or the same for all users) and work 
> with that.


It is consistent for all machines in the network. To figure out why this 
happened is exactly what I want to do. But I need a good point to start. 
At least in MS TechNet there is no usable information about that behaviour. 
But - as always - it depends also on the kind of question. Maybe I used 
the wrong keywords for the search. At the moment I can't see any light 
at the end of the tunnel.


Bye
Alex



Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-12 Thread David Mitton
The behavior _is_ configurable, but as you have observed for your  
particular network, the default is not to attempt machine auth.   It  
is configurable on a per-network connection basis, I'm getting fuzzy  
on if it's adapter or SSID based.


If the OP is observing such behavior, he needs to figure out why (what  
turned it on, is it consistent or the same for all users) and work  
with that.


Dave.

Quoting Phil Mayers :


> On 10/12/2012 09:55 AM, Alexandros Gougousoudis wrote:
> 
> > Hi Alan,
> > 
> > Alan DeKok wrote:
> > 
> > > > Freeradius. Using Linux I can send whatever I want as the loginname.
> > 
> > >  If you know you can change the client, then change the client.
> > 
> > This is exactly what I want to do! Change the login name the client
> > sends to the authenticator. It's a Windows 802.1x question, not a
> > question how to configure FR. FR does everything alright. But most FR
> > people here have more knowledge about Windows 802.1x than the Windows
> > people in a Windows group/list.
> 
> To repeat: I don't see that behaviour. In my observation, Windows sends
> host/ on both wired and wireless. Are you sure you aren't mangling the
> hostnames somehow?




Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-12 Thread Alexandros Gougousoudis

Hi,

Phil Mayers wrote:
> We don't see that behaviour. We consistently see "host/". Check you 
> aren't mangling the hostnames in your FreeRADIUS config.


Strange, but thanks for watching. We're not mangling anything in FR. 
That's what I see, running FR in debug mode. Maybe because we're running 
on an NT4 Samba domain and are not using AD? Since XP SP3 we establish a 
machine-auth via exporting, text-editing and importing the profile XML of 
the specific LAN interface; we're authenticating using EAP-TLS, the CN of 
the cert is the . Machine-auth via WLAN is done by a 
registry change. Ok, I'll keep looking.


bye
Alex



Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-12 Thread Phil Mayers

On 10/12/2012 09:59 AM, Alexandros Gougousoudis wrote:

> Hi Phil,
> 
> Phil Mayers wrote:
> 
> > I don't understand - you're saying that, for windows clients:
> > 
> >  1. On wi-fi they send host/name.domain.com
> >  2. On LAN, they send... something else?
> > 
> > Are you sure? We don't see that.
> 
> Exactly. On wifi they send
> 
> 
> 
> on LAN they send:
> 
> host/

We don't see that behaviour. We consistently see "host/". Check you 
aren't mangling the hostnames in your FreeRADIUS config.



Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-12 Thread alan buxey
Hi,

> Phil Mayers schrieb:
> >I don't understand - you're saying that, for windows clients:
> >
> > 1. On wi-fi they send host/name.domain.com
> > 2. On LAN, they send... something else?
> >
> >Are you sure? We don't see that.

i agree

> Exactly. On wifi they send
> 
> 
> 
> on LAN they send:
> 
> host/
> 
>  is the Windows hostname from the system settings.

we don't see that. we see 

host/machinename.domain

on both wired and wireless


alan


Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-12 Thread Phil Mayers

On 10/12/2012 09:55 AM, Alexandros Gougousoudis wrote:

> Hi Alan,
> 
> Alan DeKok wrote:
> 
> > > Freeradius. Using Linux I can send whatever I want as the loginname.
> 
> >   If you know you can change the client, then change the client.
> 
> This is exactly what I want to do! Change the login name the client
> sends to the authenticator. It's a Windows 802.1x question, not a
> question how to configure FR. FR does everything alright. But most FR
> people here have more knowledge about Windows 802.1x than the Windows
> people in a Windows group/list.



To repeat: I don't see that behaviour. In my observation, windows sends 
host/ on both wired and wireless. Are you sure you aren't mangling the 
hostnames somehow?



Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-12 Thread Alexandros Gougousoudis

Hi Phil,

Phil Mayers wrote:

> I don't understand - you're saying that, for windows clients:
> 
>  1. On wi-fi they send host/name.domain.com
>  2. On LAN, they send... something else?
> 
> Are you sure? We don't see that.


Exactly. On wifi they send



on LAN they send:

host/

 is the Windows hostname from the system settings.

bye
Alex



Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-12 Thread Alexandros Gougousoudis

Hi Alan,

Alan DeKok wrote:

> > Freeradius. Using Linux I can send whatever I want as the loginname.

>   If you know you can change the client, then change the client.

This is exactly what I want to do! Change the login name the client 
sends to the authenticator. It's a Windows 802.1x question, not a 
question how to configure FR. FR does everything alright. But most FR 
people here have more knowledge about Windows 802.1x than the Windows 
people in a Windows group/list.


bye
Alex



Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-11 Thread Alan DeKok
Alexandros Gougousoudis wrote:
> That's not clear. Why would that break EAP if the workstations are
> sending a different Login?

  You said you wanted to add a string to hostname.  Don't do that.
Editing it in FreeRADIUS will break things.

> It already does, depending on LAN or WLAN
> Logins. I don't mean some kind of rewrite or redirect inside of
> Freeradius. Using Linux I can send whatever I want as the loginname.

  If you know you can change the client, then change the client.

> I have now a more or less complicated regex rule in the radsecproxy, but
> I thought it's more elegant to unify both logins.  I thought doing it in
> the profile-xml-file of the LAN connection in Win, but unfortunately
> it's not the right place for it. At least all official resources I can
> find from MS, are not pointing out how to do that.

  I can't help there.

  Alan DeKok.


Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-11 Thread Phil Mayers

On 11/10/12 12:43, Alexandros Gougousoudis wrote:

> Hi,
> 
> we're using FR 2.0 for our machine authentication for XP to Win7 with
> EAP-TLS. Everything is working so far, but I noticed a difference
> between authenticating via WLAN and LAN, which starts to be a problem
> for us now. If I do an auth via LAN the provided username is
> , if I do it via WLAN it is host/. While we use
> "host/" as a realm for our Radsecproxy, I'd like to change the
> behaviour for the authentication via LAN and add a string to the
>  (i.e. "host/" or something else) to unify the login for WLAN
> and LAN.


I don't understand - you're saying that, for windows clients:

 1. On wi-fi they send host/name.domain.com
 2. On LAN, they send... something else?

Are you sure? We don't see that.

