Re: EAP-TLS Authentication
--> Please suggest any document which can help in better understanding on TLS Authentication.

Arvind, I also faced the same issue at the beginning, but I would suggest reading FreeRADIUS's own documentation. That is probably the best.

On Mon, Sep 23, 2013 at 7:45 PM, arvind132 wrote:
> Hi,
> I am facing some issues with 802.1x EAP-TLS Authentication.
> Please suggest any document which can help in better understanding on TLS
> Authentication.
> Thanks.

--
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
EAP-TLS Authentication
Hi,

I am facing some issues with 802.1x EAP-TLS Authentication. Please suggest any document which can help in getting a better understanding of TLS Authentication.

Thanks.
Re: EAP-TLS works but not PEAP/EAP-TLS
Thanks Martin,

I had already changed this in the config, but it led me to the real issue, which was that I'd added an "eap inner-eap" section to my eap.conf, but I also had a modules/inner-eap file from the default config. When I removed the modules/inner-eap file it all works fine.

Thanks again,
John.

On 17 September 2013 08:46, Martin Kraus wrote:
> On Tue, Sep 17, 2013 at 07:54:12AM +0100, John Carter wrote:
> > I've got a Windows 7 machine attempting to connect to FreeRADIUS 2.2.0.
> > EAP-TLS with a client certificate works fine, but with PEAP/EAP-TLS it
> > doesn't.
>
> Hi.
>
> make fragment_size in modules/inner-eap smaller than fragment_size in
> eap.conf
>
> I've got 1200 in inner-eap and 1400 in eap.conf
>
> cheers
> mk

--
John Carter
Identity Networks
jcar...@identitynetworks.com
skype:jcartermeru
Re: EAP-TLS works but not PEAP/EAP-TLS
On Tue, Sep 17, 2013 at 07:54:12AM +0100, John Carter wrote:
> I've got a Windows 7 machine attempting to connect to FreeRADIUS 2.2.0.
> EAP-TLS with a client certificate works fine, but with PEAP/EAP-TLS it
> doesn't.

Hi.

Make fragment_size in modules/inner-eap smaller than fragment_size in eap.conf.

I've got 1200 in inner-eap and 1400 in eap.conf.

cheers
mk
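As an added example (not code from the thread or from the FreeRADIUS project), the following Python script checks a FreeRADIUS 2.x PEAP/EAP-TLS layout for the two mistakes discussed in this thread: the inner EAP-TLS instance being defined twice (in eap.conf and again in modules/inner-eap) and an inner fragment_size that is not smaller than the outer one. The sample config text and the certificate path are constructed for illustration, and the parser assumes one statement per line as in the shipped configuration files.

```python
def _strip_comment(line):
    """Drop a trailing '# ...' comment unless the '#' is inside double quotes."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == "#" and not quoted:
            return line[:i]
    return line

def parse_config(text):
    """Parse 'key = value' / 'name [instance] {' lines into nested dicts; each key
    maps to a list (str or dict) so a section header seen twice is kept twice."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line:
            continue
        if line == "}" and len(stack) > 1:
            stack.pop()
        elif line.endswith("{"):
            section = {}  # header is normalised: 'eap  inner-eap' -> 'eap inner-eap'
            stack[-1].setdefault(" ".join(line[:-1].split()), []).append(section)
            stack.append(section)
        elif "=" in line:
            key, _, value = line.partition("=")
            stack[-1].setdefault(key.strip(), []).append(value.strip().strip('"'))
        else:
            raise ValueError(f"cannot parse: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root

def eap_instances(files):
    """Map instance name -> [(filename, section)]: 'eap {' is 'eap', 'eap X {' is 'X'."""
    found = {}
    for filename, text in files.items():
        for header, entries in parse_config(text).items():
            words = header.split()
            if words[0] == "eap":
                name = words[1] if len(words) > 1 else "eap"
                found.setdefault(name, []).extend(
                    (filename, e) for e in entries if isinstance(e, dict))
    return found

def fragment_size(eap_section):
    """fragment_size from the instance's tls { } sub-section, or None if unset."""
    for tls in eap_section.get("tls", []):
        if isinstance(tls, dict) and "fragment_size" in tls:
            return int(tls["fragment_size"][-1])
    return None

def check_peap_eap_tls(files, inner="inner-eap"):
    """Return findings as strings; an empty list means the layout is consistent."""
    findings = []
    instances = eap_instances(files)
    outer = instances.get("eap", [])
    inner_defs = instances.get(inner, [])
    if len(outer) != 1:
        findings.append(f"expected one outer 'eap' instance, found {len(outer)}")
    if not inner_defs:
        findings.append(f"no 'eap {inner}' instance found")
    elif len(inner_defs) > 1:
        where = " and ".join(sorted(f for f, _ in inner_defs))
        findings.append(f"'eap {inner}' is defined twice ({where}); keep only one")
    outer_fs = fragment_size(outer[0][1]) if len(outer) == 1 else None
    for filename, section in inner_defs:
        inner_fs = fragment_size(section)
        if outer_fs is None or inner_fs is None:
            findings.append(f"{filename}: set fragment_size explicitly in both instances")
        elif inner_fs >= outer_fs:
            findings.append(f"{filename}: inner fragment_size {inner_fs} must be "
                            f"smaller than the outer fragment_size {outer_fs}")
    return findings

# Constructed configs (not the thread's pastebins) reproducing both mistakes:
# the inner instance is defined twice and uses the same fragment_size as the outer.
BROKEN_FILES = {
    "eap.conf": """eap {
    default_eap_type = peap
    tls {
        certificate_file = /etc/raddb/certs/server.pem   # sample path
        fragment_size = 1400
    }
}
eap inner-eap {
    tls {
        fragment_size = 1400
    }
}
""",
    "modules/inner-eap": "eap inner-eap {\n    tls {\n        fragment_size = 1400\n    }\n}\n",
}
# The fix from the thread: drop the duplicate from eap.conf, make the inner size smaller.
FIXED_FILES = {
    "eap.conf": BROKEN_FILES["eap.conf"].split("eap inner-eap")[0],
    "modules/inner-eap": BROKEN_FILES["modules/inner-eap"].replace("1400", "1200"),
}
```

Running check_peap_eap_tls(BROKEN_FILES) reports the duplicate instance and both oversized inner fragment sizes, while FIXED_FILES produces no findings.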
EAP-TLS works but not PEAP/EAP-TLS
Hi,

I've got a Windows 7 machine attempting to connect to FreeRADIUS 2.2.0. EAP-TLS with a client certificate works fine, but with PEAP/EAP-TLS it doesn't. Is there anything I'm missing?

The problem appears to be that the client doesn't send over the client cert. I know Windows is very fussy with what it accepts as a cert for EAP-TLS, but I'm confused as to why it works for one and not the other.

Mon Sep 16 12:56:55 2013 : Info: [tls] Length Included
Mon Sep 16 12:56:55 2013 : Info: [tls] eaptls_verify returned 11
Mon Sep 16 12:56:55 2013 : Info: [tls] (other): before/accept initialization
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: before/accept initialization
Mon Sep 16 12:56:55 2013 : Info: [tls] <<< TLS 1.0 Handshake [length 005a], ClientHello
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: SSLv3 read client hello A
Mon Sep 16 12:56:55 2013 : Info: [tls] >>> TLS 1.0 Handshake [length 0031], ServerHello
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: SSLv3 write server hello A
Mon Sep 16 12:56:55 2013 : Info: [tls] >>> TLS 1.0 Handshake [length 053e], Certificate
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: SSLv3 write certificate A
Mon Sep 16 12:56:55 2013 : Info: [tls] >>> TLS 1.0 Handshake [length 000d], CertificateRequest
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: SSLv3 write certificate request A
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: SSLv3 flush data
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
Mon Sep 16 12:56:55 2013 : Debug: In SSL Handshake Phase ...
Mon Sep 16 12:57:00 2013 : Debug: WARNING: !!
Mon Sep 16 12:57:00 2013 : Debug: WARNING: !! EAP session for state 0x7c569f3d755a860c did not finish!
Mon Sep 16 12:57:00 2013 : Debug: WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
Mon Sep 16 12:57:00 2013 : Debug: WARNING: !!
Mon Sep 16 12:57:00 2013 : Info: Ready to process requests.

radius.log: http://pastebin.com/9fBdxfYt
eap.conf: http://pastebin.com/7dL69pmQ
inner-tunnel: http://pastebin.com/BGzJSKz0

Thanks,
John.

--
John Carter
Identity Networks
jcar...@identitynetworks.com
skype:jcartermeru
Re: eap-tls ignore client cert expiry check - crazy idea?
Hi All,

Just to let you all know I did get all my setup working (took me a while, not being a Linux guru) but it does work as expected. Just in case anyone was wondering :)

Many thanks all
Ken :)

On 29 August 2013 at 16:05 "ken.farrington" wrote:
> Hi All,
>
> Is there a way if I had 10 clients in my home lab and all the certs expire
> tomorrow, that rather than re-provide all the certs to my clients, I can frig
> the radius server time, to still accept them.
>
> I'm guessing this is a no, but from what I see, the client cert is presented,
> and checked against the server time.
>
> Would this be correct?
>
> Many thanks in advance
> Ken
eap-tls ignore client cert expiry check - crazy idea?
Hi All,

Is there a way if I had 10 clients in my home lab and all the certs expire tomorrow, that rather than re-provide all the certs to my clients, I can frig the radius server time, to still accept them.

I'm guessing this is a no, but from what I see, the client cert is presented, and checked against the server time.

Would this be correct?

Many thanks in advance
Ken

Ken Farrington
Director, CCIE #12651
802 Limited
http://www.802.co.uk
Re: EAP-TLS and TLS record protocol
On 05/24/2013 09:12 AM, Pieter Hulshoff wrote:
> Hello all,
>
> I'm new to the list, relatively new to authentication, and I'm trying to figure out some details regarding the RFCs. I was hoping some of you might be able and willing to help me out here.
>
> As I understand it, using TLS you can authenticate the server and optionally the client, negotiate the encryption/signing algorithm(s) for the TLS record protocol, and exchange the key information before switching to the selected encryption/signing algorithm(s) for secure data transport. EAP-TLS however seems focused on authorization and exchanging the key information, leaving the actual data encryption to be determined by other means (e.g. IEEE 802.1X MKA i.c.w. MACsec).
>
> My questions:
> 1. Is this understanding correct?

Sort of. You've focussed on EAP-TLS, but that's misleading. *All* EAP methods are solely for authentication; the EAP protocols are not used to forward traffic, they merely authenticate and, if the link-layer requires it, derive encryption keys.

By way of illustrating the implications - note that, on a non-MACSEC 802.1x wired connection, you can (but shouldn't!) use EAP-MD5 which does not derive key material, because there's no link-layer encryption. Similarly, on wireless 802.1x, you can use EAP-PWD or EAP-EKE, both of which derive key material and both of which have nothing to do with TLS.

> 2. Does this imply that the negotiated encryption/signing algorithm(s) are only used for the EAP-TLS Finished messages?

For *all* EAP methods, the only output is success/failure and optionally key material, and the key material is just a securely-derived set of bits. The cryptographic primitives used by the EAP method have no bearing on the cryptographic primitives used by the link layer.

Also - this is not a FreeRADIUS question really, and if you have more questions, they might be better off in another forum.
EAP-TLS and TLS record protocol
Hello all,

I'm new to the list, relatively new to authentication, and I'm trying to figure out some details regarding the RFCs. I was hoping some of you might be able and willing to help me out here.

As I understand it, using TLS you can authenticate the server and optionally the client, negotiate the encryption/signing algorithm(s) for the TLS record protocol, and exchange the key information before switching to the selected encryption/signing algorithm(s) for secure data transport. EAP-TLS however seems focused on authorization and exchanging the key information, leaving the actual data encryption to be determined by other means (e.g. IEEE 802.1X MKA i.c.w. MACsec).

My questions:
1. Is this understanding correct?
2. Does this imply that the negotiated encryption/signing algorithm(s) are only used for the EAP-TLS Finished messages?

Any and all insights would be most welcome. :)

Kind regards,

Pieter Hulshoff
Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?
On Tue, May 21, 2013 at 03:21:33PM +0800, Robert wrote:
> Thank you! The configuration in the link works. The key is setting
> fragment_size correctly.

Yes, that was the gotcha.

> But I am confused about the two methods :
> Is EAP PEAP/TLS = EAP PEAP/EAP-TLS ?
> Or are they two different methods?

Same thing, but usually referred to as PEAP/EAP-TLS (or sometimes, probably incorrectly, EAP-PEAP/EAP-TLS).

Matthew

--
Matthew Newton, Ph.D.
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?
On Tue, May 21, 2013 at 08:03:48AM +0100, Franks Andy (RLZ) IT Systems Engineer wrote:
> Just confirming that I've tested this in the past and it works, but I
> believe the poster of the article is dubious about a production
> environment.

Not at all - we are running it in production. The warning at the bottom is to make you think about what you're doing first, rather than to blindly copy my examples and then open yourself up to security issues that you haven't thought through. The examples are stripped down to their utter bare minimum - which is unlikely to be what you want in production.

> When I tried it on wifi it took a second or so more to
> authenticate for some reason, so we eventually went with eap-tls
> instead because of this and because it was simpler. I did also
> get quite a few "The EAP message did not complete" but that
> could be coincidental.

It's been running fine here with a lot of laptops for over a year now. We usually see the "EAP did not complete" errors from bad wireless signals or misconfigured EAP timers.

As the article says - the only real benefit is to get SoH data from the device. If you don't want/need that, you're fine with plain EAP-TLS (and with fewer round trips, it will auth faster, too).

Cheers

Matthew

--
Matthew Newton, Ph.D.
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
RE: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?
Thank you! The configuration in the link works. The key is setting fragment_size correctly.

But I am confused about the two methods:
Is EAP PEAP/TLS = EAP PEAP/EAP-TLS?
Or are they two different methods?

-----Original Message-----
From: freeradius-users-bounces+robert_chen=favite@lists.freeradius.org On Behalf Of Phil Mayers
Sent: Monday, May 20, 2013 5:51 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

On 20/05/13 09:02, Robert wrote:
> Hi
>
> I use freeradius v2.1.10 in Debian Squeeze 6.0.1.
>
> I want to know if freeradius supports the following methods :

See here:

http://notes.asd.me.uk/2012/01/20/freeradius-with-peap-eap-tls-for-microsoft-soh/
RE: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?
Just confirming that I've tested this in the past and it works, but I believe the poster of the article is dubious about a production environment. When I tried it on wifi it took a second or so more to authenticate for some reason, so we eventually went with eap-tls instead because of this and because it was simpler. I did also get quite a few "The EAP message did not complete" but that could be coincidental.

-----Original Message-----
From: freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org On Behalf Of Phil Mayers
Sent: 20 May 2013 10:51
To: freeradius-users@lists.freeradius.org
Subject: Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

On 20/05/13 09:02, Robert wrote:
> Hi
>
> I use freeradius v2.1.10 in Debian Squeeze 6.0.1.
>
> I want to know if freeradius supports the following methods :

See here:

http://notes.asd.me.uk/2012/01/20/freeradius-with-peap-eap-tls-for-microsoft-soh/
Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?
On 20/05/13 10:59, stefan.pae...@diamond.ac.uk wrote:
> Ahhh. According to this conversation:

That's a really old conversation. See instead the link I posted in my other email.
RE: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?
Ahhh. According to this conversation: http://freeradius.1045715.n5.nabble.com/PEAP-EAP-TLS-with-client-and-server-certificate-td2760634.html - FR does support PEAP-EAP-TLS :-)

Stefan

-----Original Message-----
From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org On Behalf Of Phil Mayers
Sent: 20 May 2013 10:49
To: freeradius-users@lists.freeradius.org
Subject: Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

On 20/05/13 10:25, stefan.pae...@diamond.ac.uk wrote:
> It supports EAP with TTLS, TLS and PEAP, yes. Look at EAP.conf - you
> can configure all supported options in there.

Not sure you've understood what he's asking there; he wants to know if you can do PEAP with EAP-TLS as an inner. The main advantage to this is anonymous outer ID.

I *think* FR supports this, but I can't remember the details or if there are any caveats.
Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?
On 20/05/13 09:02, Robert wrote:
> Hi
>
> I use freeradius v2.1.10 in Debian Squeeze 6.0.1.
>
> I want to know if freeradius supports the following methods :

See here:

http://notes.asd.me.uk/2012/01/20/freeradius-with-peap-eap-tls-for-microsoft-soh/
Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?
On 20/05/13 10:25, stefan.pae...@diamond.ac.uk wrote:
> It supports EAP with TTLS, TLS and PEAP, yes. Look at EAP.conf – you
> can configure all supported options in there.

Not sure you've understood what he's asking there; he wants to know if you can do PEAP with EAP-TLS as an inner. The main advantage to this is anonymous outer ID.

I *think* FR supports this, but I can't remember the details or if there are any caveats.
RE: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?
It supports EAP with TTLS, TLS and PEAP, yes. Look at EAP.conf - you can configure all supported options in there.

Regards

Stefan

From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org On Behalf Of Robert
Sent: 20 May 2013 09:03
To: freeradius-users@lists.freeradius.org
Subject: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

Hi

I use freeradius v2.1.10 in Debian Squeeze 6.0.1.

I want to know if freeradius supports the following methods :
- EAP PEAP/TLS
- EAP PEAP/EAP-TLS ?

The client I use is wpa_supplicant v0.6.9.

Regards,
Robert
Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?
Hi

I use freeradius v2.1.10 in Debian Squeeze 6.0.1.

I want to know if freeradius supports the following methods :
- EAP PEAP/TLS
- EAP PEAP/EAP-TLS ?

The client I use is wpa_supplicant v0.6.9.

Regards,
Robert
Re: Question on certificates before deep dive into EAP-TLS
Mathieu Simon wrote:
> Telling students how to install an internal CA root isn't going to work,
> it already didn't work for teachers in the past ...

Yes. That is a problem.

> But allowing only (internal) devices with certs from the internal CA
> through CA_file would allow us to more easily integrate those non-personal but
> school-owned devices.

That would work.

> I just hope I'm not telling complete bullshit... ;-)

Nope.

> Thank you Alan for your time to answer!

It's what I do.

Alan DeKok.
Re: Question on certificates before deep dive into EAP-TLS
Hi

On 11.04.2013 20:08, Alan DeKok wrote:
> > The real-life example would be that people could use PEAP-MSCHAPv2 for
> > credential-based logins (server certificate being signed by a "trusted"
> > external CA)
>
> While that works, it's not recommended. It means that the client will
> trust *any* certificate signed by that CA, for network access.
>
> It's usually a bad idea.

Correct, that for sure isn't what I'd want :-)

certificate_file - the server-side certificate - would contain the certificate (and its trust chain) from the "trusted" CA. CA_file would only contain the internal CA, so that only those signed by the one internal CA that IT has control over would be accepted by FR. (Oh, and I'd want to have a regularly updated revocation list...)

> You don't need one CA per EAP method.

Sure, I am only looking for the server-side certificate (certificate_file) being signed by a CA that most devices trust - since most of the users are going to use PEAP-MSCHAPv2 with devices not under direct control of IT.

Telling students how to install an internal CA root isn't going to work, it already didn't work for teachers in the past ...

But allowing only (internal) devices with certs from the internal CA through CA_file would allow us to more easily integrate those non-personal but school-owned devices.

I just hope I'm not telling complete bullshit... ;-)

Thank you Alan for your time to answer!

--
Mathieu
Re: Question on certificates before deep dive into EAP-TLS
Mathieu Simon wrote:
> Usually I've seen examples for EAP-TLS setups that used a server-side
> certificate issued from the same CA as the one it should allow EAP-TLS
> clients who present their certificate to FR.

Yes.

> Am I guessing correctly that CA_file can contain a different list of CA(s)
> than the server certificate that is shown to the client?

Yes. It contains a list of valid CAs.

> The real-life example would be that people could use PEAP-MSCHAPv2 for
> credential-based logins (server certificate being signed by a "trusted"
> external CA)

While that works, it's not recommended. It means that the client will trust *any* certificate signed by that CA, for network access.

It's usually a bad idea.

> while some devices could login using EAP-TLS but only when they present
> a certificate from an internal CA (that usually isn't being trusted by
> devices outside of control of the IT department).

That works. The client will need *both* CAs.

But why be this complicated? Just use one CA, which is for both EAP-TLS and PEAP. It can issue client certs to some machines, and *not* issue client certs to others.

You don't need one CA per EAP method.

Alan DeKok.
Question on certificates before deep dive into EAP-TLS
G'day

As a (hopefully) answerable question to those experienced with EAP-TLS that I've been twisting my brain over:

Usually I've seen examples for EAP-TLS setups that used a server-side certificate issued from the same CA as the one it should allow EAP-TLS clients who present their certificate to FR.

Am I guessing correctly that CA_file can contain a different list of CA(s) than the server certificate that is shown to the client?

(Taken from Debian's FR 2.1.12) eap.conf:

tls {
    [...]
    certificate_file = "/etc/freeradius/ssl/cert.p
    # Trusted Root CA list
    CA_file = "/etc/univention/ssl/ucsCA/CAcert.pem"
    [...]

The real-life example would be that people could use PEAP-MSCHAPv2 for credential-based logins (server certificate being signed by a "trusted" external CA) while some devices could login using EAP-TLS but only when they present a certificate from an internal CA (that usually isn't being trusted by devices outside of control of the IT department).

Best regards
Mathieu
Re: Setting up EAP-TLS as the ONLY authentication mechanism?
Blah blah. But you don't say what the issue is with the documentation... in fact your issue was with the default config and your requirements... which are actually both fully documented in the config.

I don't see why you've dropped in from nowhere, thrown your ego around and then claim to be leaving. Expect help/advice in the future? Because if so, you've gone about it the wrong way really.

alan
Re: Setting up EAP-TLS as the ONLY authentication mechanism?
Thomas Hruska wrote:
> The difference from your response to Arran's response to my questions is
> night and day. He was moderately polite while you were and are
> downright rude.

As always, my first response is polite and answers your questions. I only get blunt when people argue with me.

I'll also note that you've conveniently deleted all of my other points. I'll take that as evidence you agree with them.

> That's the other key factor - making sure stuff
> can be found via Google as a top result on the official site. Google is
> your first line of defense against newbies and, when you host the
> content yourself, you control that line of defense.

Another lecture about how superior you are.

> On a different note, I've also found that telling people how long I've
> been writing software does nothing beneficial. You just get into a
> yelling match with those who have been writing software longer.

If you've been writing software for a long time, you should have been able to figure out how to edit the default config.

> I can tell when I'm not wanted, so I'll just drop off this list. Later.

I have no patience for people who are ignorant about a subject, and lecture me on it.

This list is for people who want to solve RADIUS problems. If you focus on that, you're OK. If you complain about "red flags" because of your RADIUS ignorance, you will get told off, and rightly so. It's rude to be condescending to experts, and I won't have it.

Alan DeKok.
Re: Setting up EAP-TLS as the ONLY authentication mechanism?
On 3/24/2013 5:59 AM, Alan DeKok wrote:
> Thomas Hruska wrote:
> > Nowhere in there does it explain why proxying is on by default. It just
> > says that it can be turned off. I want to know why it is on by default
> > in the first place. From what I'm beginning to understand, based on
> > your reply, FreeRADIUS opens a port that isn't necessary for basic
> > functionality as part of its default installation. That sort of
> > behavior should at least raise an eyebrow if not a few red flags.
>
> You're unhappy that your questions got push-back. So you're pushing back in return. However... you know little or nothing about RADIUS, and I've been doing this for 20 years.
>
> And after doing this for 20 years, your message is typical of a particular class of newbie. The existing documentation is too complicated. Yet you don't ask a specific question. Instead, you have a long complicated post complaining about many things, and asking many questions. When I point this out, you start putting me down. I've had hundreds of conversations like this, and it's always annoying.
>
> Your entire approach is wrong. Read "man radiusd". That documents the correct approach.
>
> Alan DeKok.

The difference from your response to Arran's response to my questions is night and day. He was moderately polite while you were and are downright rude.

I've met grizzled veteran developers before. You are one of those. As a developer myself, I know I've got two options:

1) Fend off the newbies constantly.
2) Write better documentation. With a dash of humor in the mix. If it isn't fun, then it isn't worth reading (or writing) it.

I've found that the latter creates a MUCH better experience for everyone (i.e. the "nuisances" go away - hey, I've been where you are at as well). I've also found that *I* have to actually write the documentation because no one else will do it for me (e.g. Wikis don't really work for software). And it isn't a FAQ, it is real documentation naturally covering a wide range of common (and even uncommon) topics.

I always include a documentation cycle in my software releases - and it takes about a week to two weeks to complete, but it is so worth it. Whenever a user asks a question, I check the documentation to make sure I wrote something about it, write a quick paragraph in a polite response, and link to the right place, knowing someone else will find the post + reply via a Google search later and won't ask the same question as a result. That's the other key factor - making sure stuff can be found via Google as a top result on the official site. Google is your first line of defense against newbies and, when you host the content yourself, you control that line of defense.

On a different note, I've also found that telling people how long I've been writing software does nothing beneficial. You just get into a yelling match with those who have been writing software longer.

Anyway, just a few things I've picked up over the years.

I can tell when I'm not wanted, so I'll just drop off this list. Later.

--
Thomas Hruska
CubicleSoft President

I've got great, time saving software that you might find useful.
http://cubiclesoft.com/
Re: Setting up EAP-TLS as the ONLY authentication mechanism?
Thomas Hruska wrote:
> Nowhere in there does it explain why proxying is on by default. It just
> says that it can be turned off. I want to know why it is on by default
> in the first place. From what I'm beginning to understand, based on
> your reply, FreeRADIUS opens a port that isn't necessary for basic
> functionality as part of its default installation. That sort of
> behavior should at least raise an eyebrow if not a few red flags.

You're unhappy that your questions got push-back. So you're pushing back in return. However... you know little or nothing about RADIUS, and I've been doing this for 20 years.

I won't explain why there are no "red flags" in the default configuration. I *will* explain that it's unproductive for newbies to second-guess experts.

> The default client secrets(s) should be different from the default proxy
> secret(s) to avoid confusion for first-time users.

So as a first-time user, you know more about their needs than someone who's done this for 20 years?

> I missed that it is there for testing. And I see why:

Don't quote the config files at me. I wrote them. This just comes across as condescending, and lecturing me about the text I wrote.

> Again, defaults exist for a reason. The reasons for the defaults are
> what I'm actually after here.

The reasons are given in the documentation, web pages, "man" pages, config files, etc. The defaults enable the server to do the Right Thing in the widest possible set of circumstances. i.e. so that newbies like you can get the server running with minimal work.

Your response is to insult the developers, by claiming that the defaults "raise red flags". Stop it. It's ignorant and annoying.

> All I was asking here was if commenting out those protocols in
> 'eap.conf' was all I have to do to disable them? A simple confirmation
> would suffice.

I answered that.

> > You're looking for reassurance that editing the config files won't
> > cause the server to explode in flaming metal. It won't. Edit them.
>
> I admit that there is a little of that, but I'm just trying to save
> myself from breaking things too badly by understanding why the defaults
> are the defaults before I go and blow away large portions of config.

The defaults are documented. See the comments in the config files. The procedure for editing the defaults is documented. See "man radiusd". It's really not rocket science.

You're looking for emotional reassurance that the server won't explode. I'm not going to give it. Instead, you should follow the documentation, and follow the documented methods for editing the configuration. If something goes wrong, it's just text. Put the old config back, and start again.

And after doing this for 20 years, your message is typical of a particular class of newbie. The existing documentation is too complicated. Yet you don't ask a specific question. Instead, you have a long complicated post complaining about many things, and asking many questions. When I point this out, you start putting me down. I've had hundreds of conversations like this, and it's always annoying.

Your entire approach is wrong. Read "man radiusd". That documents the correct approach.

Alan DeKok.
Re: Setting up EAP-TLS as the ONLY authentication mechanism?
All that stuff is on by default to ensure that people who want more than a really dumb and minimal server can get up and running without having to try to find what combination of stuff needs to be enabled.

So, eg proxying is enabled... what's the issue? Unless you have actually edited proxy.conf to do something it won't do anything; there's no entry in clients.conf other than localhost too, so even if you had the required ports open to the world, nothing is going to happen.

If all you want is EAP-TLS auth then it's very easy to minimise to that config, much much easier than having to learn the server better and trying to get there from a minimal config that doesn't work out of the box (ask those who have tried doing it that way... look at mailing list history for those that stripped the config out before then trying to get things to work).

This isn't Apache, which does have a whole load of things on and can get you p0wned on port 80 if you have that open to the world.

alan

--
This smartphone uses free WiFi around the world with eduroam, now that's what I call smart.
Re: Setting up EAP-TLS as the ONLY authentication mechanism?
On 23 Mar 2013, at 23:32, Thomas Hruska wrote:

> On 3/23/2013 3:54 PM, Alan DeKok wrote:
>> Thomas Hruska wrote:
>
>> Read proxy.conf.
>
> [Sigh] I have. It doesn't make sense to me. Why enable it as a default if
> it isn't necessary for basic functionality? Hopefully you can see how the
> average user might be confused, "Hey the authors enabled this by default.
> Maybe there is a very important reason for that.

Nope, just means more things work with less tweaking.

> I'll go ahead and leave it alone because they know better." But I see an
> open port and wonder if it is actually necessary. So I figured I would ask
> to obtain some knowledge of why it is enabled by default, hence the original
> questions. Here's the text from 'radiusd.conf':
>
> # PROXY CONFIGURATION
> #
> # proxy_requests: Turns proxying of RADIUS requests on or off.
> #
> # The server has proxying turned on by default. If your system is NOT
> # set up to proxy requests to another server, then you can turn proxying
> # off here. This will save a small amount of resources on the server.
> #
> # If you have proxying turned off, and your configuration files say
> # to proxy a request, then an error message will be logged.
> #
> # To disable proxying, change the "yes" to "no", and comment the
> # $INCLUDE line.
> #
> # allowed values: {no, yes}
> #
>
> Nowhere in there does it explain why proxying is on by default. It just says
> that it can be turned off. I want to know why it is on by default in the
> first place. From what I'm beginning to understand, based on your reply,
> FreeRADIUS opens a port that isn't necessary for basic functionality as part
> of its default installation. That sort of behavior should at least raise an
> eyebrow if not a few red flags.

Why is authentication on by default, you might just want to do accounting? Why is accounting on by default, you might just want to do authentication?

It's on by default because it does no harm having it on by default, and makes it easier for people with no knowledge of the server to use the server. You just add a realm, and it works, instead of having to toggle different bits of config to make it work.

I think the configs could probably do with trimming a bit, but it does not make sense to disable these things by default, as there are no security implications, just a slight increase in memory usage.

>>> Not sure why I would need this either. Based on the 'secret' string's
>>> value, I'm wagering it has to do with the 'proxy.conf' settings, but I'm
>>> not 100% confident about that.
>>
>> No. Clients have nothing to do with proxies.
>>
>> Do you plan on testing your server? If so, that entry can be useful.
>
> The default client secret(s) should be different from the default proxy
> secret(s) to avoid confusion for first-time users.
>
> I missed that it is there for testing. And I see why:
>

That sentence is ambiguous.

>
>>> Most of that seems irrelevant to EAP-TLS. A certificate isn't exactly a
>>> password - it can expire, but the message "Password Has Expired" seems
>>> like it will never appear (or, if it does, it'll be confusing to a
>>> user). I'm probably not going to use the 'logintime' features. 'exec'
>>> might be useful since I probably will use the external 'openssl' based
>>> 'verify' method in 'eap.conf' (unless someone can suggest a better
>>> approach).
>>
>> So... delete the things you're not using. That's why there are
>> comments explaining what those modules do. So you can learn, and think
>> for yourself.
>
> Again, defaults exist for a reason. The reasons for the defaults are what
> I'm actually after here.

Again it's so things just work. For rlm_logintime, if you read the code:

https://github.com/FreeRADIUS/freeradius-server/blob/master/src/modules/rlm_logintime/rlm_logintime.c#L157

If there's no Login-Time attribute in the request it does nothing. If there is a Login-Time attribute in the request it ensures the user can only login before that time. It means you can add Login-Time in a users file, and it'll just work, instead of hunting through the server to figure out where to turn on the Login-Time module.

>>> Some of the stuff in 'eap.conf' is confusing. I've commented
>>> out 'md5', 'leap', 'mschapv2', etc. with only the 'tls' section left
>>> uncommented and set 'default_ea
Re: Setting up EAP-TLS as the ONLY authentication mechanism?
On 3/23/2013 3:54 PM, Alan DeKok wrote:
>> Thomas Hruska wrote:
>
> Read proxy.conf.

[Sigh] I have. It doesn't make sense to me. Why enable it as a default if it isn't necessary for basic functionality? Hopefully you can see how the average user might be confused, "Hey the authors enabled this by default. Maybe there is a very important reason for that. I'll go ahead and leave it alone because they know better." But I see an open port and wonder if it is actually necessary. So I figured I would ask to obtain some knowledge of why it is enabled by default, hence the original questions. Here's the text from 'radiusd.conf':

# PROXY CONFIGURATION
#
# proxy_requests: Turns proxying of RADIUS requests on or off.
#
# The server has proxying turned on by default. If your system is NOT
# set up to proxy requests to another server, then you can turn proxying
# off here. This will save a small amount of resources on the server.
#
# If you have proxying turned off, and your configuration files say
# to proxy a request, then an error message will be logged.
#
# To disable proxying, change the "yes" to "no", and comment the
# $INCLUDE line.
#
# allowed values: {no, yes}
#

Nowhere in there does it explain why proxying is on by default. It just says that it can be turned off. I want to know why it is on by default in the first place. From what I'm beginning to understand, based on your reply, FreeRADIUS opens a port that isn't necessary for basic functionality as part of its default installation. That sort of behavior should at least raise an eyebrow if not a few red flags.

>> Not sure why I would need this either. Based on the 'secret' string's
>> value, I'm wagering it has to do with the 'proxy.conf' settings, but I'm
>> not 100% confident about that.
>
> No. Clients have nothing to do with proxies.
>
> Do you plan on testing your server? If so, that entry can be useful.

The default client secret(s) should be different from the default proxy secret(s) to avoid confusion for first-time users.

I missed that it is there for testing. And I see why:

###
#
# Define RADIUS clients (usually a NAS, Access Point, etc.).
#
# Defines a RADIUS client.
#
# '127.0.0.1' is another name for 'localhost'. It is enabled by default,
# to allow testing of the server after an initial installation. If you
# are not going to be permitting RADIUS queries from localhost, we suggest
# that you delete, or comment out, this entry.
#
#
#
# Each client has a "short name" that is used to distinguish it from
# other clients.
#
# In version 1.x, the string after the word "client" was the IP
# address of the client. In 2.0, the IP address is configured via
# the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x
# format is still accepted.
#

>> Most of that seems irrelevant to EAP-TLS. A certificate isn't exactly a
>> password - it can expire, but the message "Password Has Expired" seems
>> like it will never appear (or, if it does, it'll be confusing to a
>> user). I'm probably not going to use the 'logintime' features. 'exec'
>> might be useful since I probably will use the external 'openssl' based
>> 'verify' method in 'eap.conf' (unless someone can suggest a better
>> approach).
>
> So... delete the things you're not using. That's why there are
> comments explaining what those modules do. So you can learn, and think
> for yourself.

Again, defaults exist for a reason. The reasons for the defaults are what I'm actually after here.

>> Some of the stuff in 'eap.conf' is confusing. I've commented
>> out 'md5', 'leap', 'mschapv2', etc. with only the 'tls' section left
>> uncommented and set 'default_eap_type = tls', but I'm not sure if that
>> is all I need to do. Documentation on setting up an "EAP-TLS only"
>> RADIUS server is limited.
>
> I mean it's nonsense to *expect* that there will be lots of documentation
> on setting up your exact desired configuration.

All I was asking here was if commenting out those protocols in 'eap.conf' was all I have to do to disable them? A simple confirmation would suffice.

> You're looking for reassurance that editing the config files won't
> cause the server to explode in flaming metal. It won't. Edit them.

I admit that there is a little of that, but I'm just trying to save myself from breaking things too badly by understanding why the defaults are the defaults before I go and blow away large portions of config.

--
Thomas Hruska
CubicleSoft President

I've got great, time saving software that you might find useful.
http://cubiclesoft.com/
Re: Setting up EAP-TLS as the ONLY authentication mechanism?
Thomas Hruska wrote:
> Since I only want EAP-TLS, output lines like the following bother me
> (I've inlined my concerns):

...

> Does FreeRADIUS really need to load all of those config files to
> function?

No. That's why the config files are editable. So you can edit them.

> That is, does it hurt in any way to load all of the module
> config files?

I don't understand the question. What can "hurt" about loading config files?

> What does this do?

Read raddb/proxy.conf. This is documented. Extensively.

> All of this seems to be in proxy.conf. It doesn't look like I need any
> of it but I'm not sure if it is safe to get rid of it/comment it out.

Read proxy.conf.

> Again, this will be the only RADIUS server in the network and my
> understanding is that proxies are for forwarding requests to other
> RADIUS servers. Given my setup, can I safely comment out the '$INCLUDE
> proxy.conf' line in 'radiusd.conf'?

This is documented. The comments above the line "$INCLUDE proxy.conf" tell you.

And again, the reason the config files are text is so that you can edit them. What's the worst that can happen? If something goes wrong... just put the text back.

> Not sure why I would need this either. Based on the 'secret' string's
> value, I'm wagering it has to do with the 'proxy.conf' settings, but I'm
> not 100% confident about that.

No. Clients have nothing to do with proxies.

Do you plan on testing your server? If so, that entry can be useful.

> Most of that seems irrelevant to EAP-TLS. A certificate isn't exactly a
> password - it can expire, but the message "Password Has Expired" seems
> like it will never appear (or, if it does, it'll be confusing to a
> user). I'm probably not going to use the 'logintime' features. 'exec'
> might be useful since I probably will use the external 'openssl' based
> 'verify' method in 'eap.conf' (unless someone can suggest a better
> approach).

So... delete the things you're not using. That's why there are comments explaining what those modules do. So you can learn, and think for yourself.

> Even when 'default' was the only thing in 'sites-enabled', it loaded a
> bunch of stuff other than EAP-TLS. I currently have nothing in
> 'sites-enabled' right now, but would like insight into what the
> configuration file should be to just do EAP-TLS.

Read raddb/sites-enabled/default.

Honestly, there is a *lot* of documentation on this included with the config files. I see no reason to cut & paste it here. Instead, you should find the time to read it.

> What do I need to do to set up FreeRADIUS so that it only supports
> EAP-TLS?

Configure only EAP, and EAP-TLS.

> Some of the stuff in 'eap.conf' is confusing. I've commented
> out 'md5', 'leap', 'mschapv2', etc. with only the 'tls' section left
> uncommented and set 'default_eap_type = tls', but I'm not sure if that
> is all I need to do. Documentation on setting up an "EAP-TLS only"
> RADIUS server is limited.

Nonsense. I don't mean that there's lots of documentation on setting up your exact desired configuration. I mean it's nonsense to *expect* that there will be lots of documentation on setting up your exact desired configuration.

> What is the best method of setting it up so that only the router can
> communicate with the RADIUS server on port 1812?

Firewalls. Then, making sure that the server is only listening on port 1812.

Most of these questions are "The server does A and B, but I only want it to do A. What do I do?" And the answer is "edit the config files so that it doesn't do B".

You're looking for reassurance that editing the config files won't cause the server to explode in flaming metal. It won't. Edit them.

Alan DeKok.
Setting up EAP-TLS as the ONLY authentication mechanism?
I want to set up FreeRADIUS using EAP-TLS only. I'm running Ubuntu Server 12.04.2 LTS here with the packaged build of FreeRADIUS from the default Ubuntu/Debian apt-get package repository. I'm finding junk scattered all over the place for configuring this thing (typical), so my first objective is to get FreeRADIUS into a locked-down state so that 'freeradius -X' doesn't return things that bother me (i.e. pared back to minimal functionality first).

Since I only want EAP-TLS, output lines like the following bother me (I've inlined my concerns):

FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Sep 24 2012 at 17:58:57
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
...
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/chap
...

^^^ Does FreeRADIUS really need to load all of those config files to function? That is, does it hurt in any way to load all of the module config files? From what I can tell, they don't seem to be relevant until they are instantiated later on, but I would appreciate confirmation.

radiusd: Loading Realms and Home Servers
 proxy server {
    retry_delay = 5
    retry_count = 3
    default_fallback = no
    dead_time = 120
    wake_all_if_all_dead = no
 }

^ What does this do? I don't think I need a proxy server. My setup is just a consumer router plus a single Ubuntu box with FreeRADIUS on it.

 home_server localhost {
    ipaddr = 127.0.0.1
    port = 1812
    type = "auth"
    secret = "testing123"
    response_window = 20
    max_outstanding = 65536
    require_message_authenticator = yes
    zombie_period = 40
    status_check = "status-server"
    ping_interval = 30
    check_interval = 30
    num_answers_to_alive = 3
    num_pings_to_alive = 3
    revive_interval = 120
    status_check_timeout = 4
    irt = 2
    mrt = 16
    mrc = 5
    mrd = 30
 }
 home_server_pool my_auth_failover {
    type = fail-over
    home_server = localhost
 }
 realm example.com {
    auth_pool = my_auth_failover
 }
 realm LOCAL {
 }

^ All of this seems to be in proxy.conf. It doesn't look like I need any of it but I'm not sure if it is safe to get rid of it/comment it out. Again, this will be the only RADIUS server in the network and my understanding is that proxies are for forwarding requests to other RADIUS servers. Given my setup, can I safely comment out the '$INCLUDE proxy.conf' line in 'radiusd.conf'?

radiusd: Loading Clients
 client localhost {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = "testing123"
    nastype = "other"
 }

^ Not sure why I would need this either. Based on the 'secret' string's value, I'm wagering it has to do with the 'proxy.conf' settings, but I'm not 100% confident about that.

radiusd: Instantiating modules
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
  exec {
    wait = no
    input_pairs = "request"
    shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
 Module: Linked to module rlm_expiration
 Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration
  expiration {
    reply-message = "Password Has Expired "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime
  logintime {
    reply-message = "You are calling outside your allowed timespan "
    minimum-timeout = 60
  }
 }

^^ Most of that seems irrelevant to EAP-TLS. A certificate isn't exactly a password - it can expire, but the message "Password Has Expired" seems like it will never appear (or, if it does, it'll be confusing to a user). I'm probably not going to use the 'logintime' features. 'exec' might be useful since I probably will use the external 'openssl' based 'verify' method in 'eap.conf' (unless someone can suggest a better approach).

radiusd: Loading Virtual Servers
...

^^ Even when 'default' was the only thing in 'sites-enabled', it loaded a bunch of stuff other than EAP-TLS. I currently have nothing i
Re: EAP-TLS testing, occasional errors
On 07/03/13 16:01, Bertalan Voros wrote:
> Has anyone seen this before?

I see all kinds of weirdness from clients. Fundamentally, the problem is at the client - it didn't send a certificate - so you need to troubleshoot it there.
EAP-TLS testing, occasional errors
Hello All,

I have configured a server to test EAP-TLS. Created the CA, a server and one client certificate. The same client certificate was then installed on three different devices; OSX, Windows 7 and an Android 4.2.

All is well, all the devices can authenticate successfully, however, every now and again I can see similar entries in the log like the one below. A failure.

Thu Mar 7 14:30:57 2013 : Error: TLS Alert write:fatal:handshake failure
Thu Mar 7 14:30:57 2013 : Error: TLS_accept: error in SSLv3 read client certificate B
Thu Mar 7 14:30:57 2013 : Error: rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
Thu Mar 7 14:30:57 2013 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
Thu Mar 7 14:30:57 2013 : Auth: Login incorrect (TLS Alert write:fatal:handshake failure): [wifiuser] (from client CiscoAP port 289 cli 10-68-3F-48-41-46)

Then a success soon after from the same device (this is the Android one)

Thu Mar 7 14:32:10 2013 : Auth: Login OK: [wifiuser] (from client CiscoAP port 291 cli 10-68-3F-48-41-46)

Very occasionally the Android device would give up and not attempt to reauthenticate. The AP is set to reauthenticate clients every 10 minutes (a rickety old Cisco Aironet 1200).

Has anyone seen this before?

Thanks in advance,
Bertalan
Re: EAP-TLS and OS X clients
Quoting a.l.m.bu...@lboro.ac.uk:

> you might want to look into the 'eduroam CAT' tool - ask your NREN federation/eduroam people about it.

Thanks very much! I'll look into it.

> who are your instructions aimed at? I worry a great deal about them because you aren't telling them to install/verify a CA or a RADIUS server for the connection (thus basically negating the whole point of PKI!) and the site might use EAP-FAST (some places actually do more than just EAP-TTLS).
>
> also, end users don't need to run this tool! you (the admin) do all the hard work of configuring the profile and then just provide the end user/customer the *SIGNED* mobileconfig file

Oh, hey, I thought I was just sharing this information with a bunch of lazy sysadmins, some of whom might be interested to know how I eventually managed to connect OS X 10.7 (Lion) hosts to my wifi network.

As I mentioned in my previous post, I did not author those instructions. I'm also not in the habit of re-posting information written by others, but although they may not be perfect, I thought they were helpful and then suddenly became worried that Apple might make them disappear at one point or another (it wasn't exactly easy information to find).

Moreover, I explained that I was using a WPA2-Enterprise configuration with Freeradius 2.1.0, EAP-TLS and 4096-bit SHA-1 in my first post in this thread on Sunday 17 Feb.

Cheers,
Jaap
Re: EAP-TLS and OS X clients
Hi,

> Eventually, though, it turned out that the most important issue was
> with OS X 10.7 (Lion). With this particular version of Apple's OS,

yes, I know. Apple suck for doing this. I manage the campus network at Loughborough University and the eduroam federation in the UK and so am well aware of OSX and their idea of making OSX have the same .mobileconfig method as iOS.

you might want to look into the 'eduroam CAT' tool - ask your NREN federation/eduroam people about it.

who are your instructions aimed at? I worry a great deal about them because you aren't telling them to install/verify a CA or a RADIUS server for the connection (thus basically negating the whole point of PKI!) and the site might use EAP-FAST (some places actually do more than just EAP-TTLS).

also, end users don't need to run this tool! you (the admin) do all the hard work of configuring the profile and then just provide the end user/customer the *SIGNED* mobileconfig file

alan
Re: EAP-TLS and OS X clients
Quoting a.l.m.bu...@lboro.ac.uk:

> SSL certs can be in various formats. Ones that are 'usable' depends on the underlying code, but the useful types are usually PEM, DER (also known as CER) and P12. These are all active certs. CSR is a certificate signing request file and isn't a valid cert for client use.
> ...
> On OSX you need to ensure you have the CA installed - and TRUSTED!

Thanks, Alan. That straightened some things out for me.

Eventually, though, it turned out that the most important issue was with OS X 10.7 (Lion). With this particular version of Apple's OS, the facility for adding enterprise network configurations is not as flexible as it once was. Now, if something different is required, a special (free) tool must first be obtained -- the iPhone Configuration Utility -- with which to create an XML profile that can then be applied. Not exactly what I was expecting, but that's the way it is.

For anyone who might be interested, here's the set of instructions that I used:

If your school uses TTLS with PAP (LDAP backend) then yah, the auto connection with ethernet will not help you. That is because the default EAP type that is supported is TTLS MSCHAPv2 (which is a bit more secure than PAP -- ya ya, I know it is not fool proof). Anyway, all is not lost. You have three choices on how to get an 802.1X profile that supports TTLS with PAP onto your Mac.

1. Download iPCU and create a .mobileconfig file
2. Buy Lion server and use Profile Manager
3. Create a .mobileconfig (xml file) from scratch

Options 2 and 3 are kind of a pain in the rear, so let's stick with option 1. Please put on your learning hat now.

**Please note this example is for a wired OR wireless 802.1X connection that requires TTLS and PAP for Lion clients**

1. Download and install the iPCU: http://support.apple.com/kb/DL851
2. Open the iPCU (the iPCU is installed in Applications - Utilities)
3. In the right hand side click on Configuration Profiles.
4. Click on New. (upper left)
5. You will see a new profile with a bunch of payloads (general, passcode, restrictions, etc). Don't worry, you do not need to fill most of these out.
6. Click on General and fill out a Profile Name, Identifier (they can be anything); the rest of the fields you can leave blank. I used spam and spam.
7. Now click on WiFi. Don't be scared here. Lion can use WiFi profiles for Ethernet (it will just ignore the SSID field). Click configure.
7a. For SSID... If your school has a wireless network that uses TTLS with PAP, fill in the SSID name (wireless network name) that your school uses. If your school does not use wireless, then just use a label (e.g. spam).
7b. Ignore the hidden network field (unless of course your school uses a hidden SSID and you want to use wireless for this connection).
7c. Security Type... Again if this is for Ethernet, just use WPA/WPA2 Enterprise. If this profile is going to be used for WiFi, then you need to find out what type of security your school uses. Most likely it will be WPA/WPA2 Enterprise (I hope).
7d. Once you choose WPA/WPA2 Enterprise you will see more options appear. Choose TTLS.
7e. Ignore EAP-FAST settings. Leave all boxes unchecked for EAP-FAST.
7f. For Inner Authentication choose PAP.
8. You will see three tabs, one for protocol (that you already filled out), one for Authentication and one for Trust. You can ignore trust unless you have the certificate from the radius server already loaded on your client. Don't worry if you do not have the cert, the Mac will load it (with your permission) during the first authentication. Ignore the Authentication tab for now.
9. Now look at the top left of the tool and choose Export
9a. for Security, just choose none (don't worry about signing it)
9b. Hit Export.
10. You will get a Save As dialogue box. Give the profile a name (like spam or something) and choose where you would like to save the profile.
11. Now go to where you saved your profile and double click it. System Prefs will launch and try to install the profile.
11a. Just hit continue and continue again.
11b. You will be prompted for "settings" which are the username and password. You can either just hit install (the eapol supplicant will ask you for your credentials during the authentication phase) or you can fill them out now. BE SURE TO INPUT THE CORRECT INFORMATION. If you insert a bad username or password into this field, it will get saved as a keychain entry (with bad info) and you will never be able to connect. The Mac will just silently fail authentication until you delete the keychain entry and do a fresh auth. Save yourself some trouble and leave the fields blank and just hit install.
11c. You will be prompted for your admin password to install the profile.
12. The profile should be installed now.
13. In system prefs, click show all then click network.
14. If you click on your Ethernet interface you should no
Re: EAP-TLS certificate problem
Muhammad Nadeem wrote:
> I succeeded in authenticating the users from a database.
> But when I set up the same setup on another machine, it failed :(
> The following output is the debug output of the freeradius server. (I
> think EAP NAK is creating problems).

Yes. Read the debug output.

> [eap] EAP NAK
> [eap] NAK asked for bad type 0
> [eap] Failed in EAP select

The client is broken. Don't blame FreeRADIUS. Go fix the client.

Alan DeKok.
Re: EAP-TLS certificate problem
On 02/19/2013 09:16 AM, Muhammad Nadeem wrote:
> On 2/19/13, Phil Mayers wrote:
>> On 19/02/13 09:11, Muhammad Nadeem wrote:
>>> Hi, everybody
>>> I have used pre-shipped certificates of Freeradius for testing
>>> purpose. This testing succeeded with a test user 'bob', with files
>>> authentication.
>>> Now in the next step I wanna authenticate a user from my Database with
>>> Digital certificates. When I authenticate the user, server side
>>> confirms and sends "Access-Accept" packet, but at client, following
>>> error occurs.
>>> " No Message-Authenticator attribute found
>>> Incoming RADIUS packet did not have correct Message-Authenticator -
>>> dropped
>>> STA 02:00:00:00:00:01: No RADIUS RX handler found (type=0 code=2 id=0)
>>> - dropping packet"
>>>
>>> I googled this problem and found a solution that the user Auth-type is
>>> set to Accept (I manually checked the user in Database, and its
>>> Auth-Type was Accept) and this type prevents further process.
>>
>> Yes
>>
>>> Now my question is that, could I continue EAP-TLS authentication,
>>> regardless of Auth-Type is set to Accept???
>>
>> No. Don't set Auth-Type unless you know what you're doing.

Doesn't look like you actually heeded this advice does it? Hint, look at your select statement. You're setting the Auth-Type.

> Ok thanx,
> I succeeded in authenticating the users from a database.
> But when I set up the same setup on another machine, it failed :(
> The following output is the debug output of the freeradius server. (I
> think EAP NAK is creating problems).
>
> [sql] expand: SELECT '1' AS RC_ID,'%{SQL-USER-NAME}' AS USERNAME,'Auth-Type' AS Attribute, AAA_GETVALUETOCHECKWITRIBE('%{SQL-User-Name}') AS Value,':=' AS op FROM dual ORDER BY RC_ID -> SELECT '1' AS RC_ID,'001AAD3F8165' AS USERNAME,'Auth-Type' AS Attribute, AAA_GETVALUETOCHECKWITRIBE('001AAD3F8165') AS Value,':=' AS op FROM dual ORDER BY RC_ID
> [sql] User found in radcheck table
> Found Auth-Type = Accept
> Found Auth-Type = EAP
> Warning: Found 2 auth-types on request for user '001AAD3F8165'

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: EAP-TLS certificate problem
On 19/02/13 14:16, Muhammad Nadeem wrote:
> [eap] EAP NAK
> [eap] NAK asked for bad type 0

You've mis-configured the client. Go back and look at it again.
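The three failure signatures this page explains (Bertalan's intermittent "peer did not return a certificate" handshake failures, the "NAK asked for bad type 0" lines that Phil and Alan attribute to a misconfigured supplicant, and the "Found 2 auth-types" warning John Dennis traces to SQL setting Auth-Type) can be pulled out of radius.log and radiusd -X output automatically. The Python triage script below is an added example, not code from this thread or from the FreeRADIUS project; its log lines are constructed to mirror the formats posted above, and the 10-minute recovery window mirrors the AP reauthentication interval Bertalan mentions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample mixing the two shapes seen in the thread: timestamped
# radius.log "Auth:"/"Error:" lines and untimestamped "radiusd -X" debug lines.
SAMPLE_LOG = """\
Thu Mar  7 14:30:57 2013 : Error: TLS Alert write:fatal:handshake failure
Thu Mar  7 14:30:57 2013 : Error: rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
Thu Mar  7 14:30:57 2013 : Auth: Login incorrect (TLS Alert write:fatal:handshake failure): [wifiuser] (from client CiscoAP port 289 cli 10-68-3F-48-41-46)
Thu Mar  7 14:32:10 2013 : Auth: Login OK: [wifiuser] (from client CiscoAP port 291 cli 10-68-3F-48-41-46)
Thu Mar  7 14:40:12 2013 : Auth: Login incorrect (TLS Alert write:fatal:handshake failure): [wifiuser] (from client CiscoAP port 290 cli 00-11-22-33-44-55)
[eap] EAP NAK
[eap] NAK asked for bad type 0
[eap] Failed in EAP select
Warning: Found 2 auth-types on request for user '001AAD3F8165'
"""

# "Auth: Login OK/incorrect" lines carry the user, NAS shortname, NAS port and
# the supplicant MAC ("cli"), which is what lets us follow one device over time.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : Auth: "
    r"Login (?P<result>OK|incorrect)(?: \((?P<reason>[^)]*)\))?: "
    r"\[(?P<user>[^\]]*)\] \(from client (?P<client>\S+) port (?P<port>\d+) "
    r"cli (?P<cli>\S+)\)$"
)

# Diagnostic lines the thread explains, each mapped to the cause given in the
# replies (two client-side problems, one server-side Auth-Type clash).
FINDINGS = [
    (re.compile(r"peer did not return a certificate"), "no_client_cert",
     "supplicant sent no certificate: troubleshoot the client, not the server"),
    (re.compile(r"NAK asked for bad type 0"), "eap_nak_bad_type",
     "supplicant NAKed the offered EAP type: fix the client's EAP method"),
    (re.compile(r"Found 2 auth-types on request for user '([^']*)'"),
     "conflicting_auth_type",
     "two Auth-Type values for user {0}: stop SQL/users from setting Auth-Type := Accept"),
]


def parse_auth_line(line):
    """Return a dict for an 'Auth: Login ...' line, or None for anything else."""
    m = AUTH_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    # Collapse the padded day field ("Mar  7") before parsing the timestamp.
    ev["ts"] = datetime.strptime(" ".join(ev["ts"].split()), "%a %b %d %H:%M:%S %Y")
    ev["ok"] = ev["result"] == "OK"
    return ev


def triage(text, window=timedelta(minutes=10)):
    """Summarise per-device outcomes and pull out the known failure signatures.

    A failure counts as 'recovered' when the same MAC logs in OK within
    `window` (the intermittent case in the thread); a device with failures
    and no recovery is flagged 'persistent' and is worth looking at first.
    """
    events = defaultdict(list)
    findings = []
    for line in text.splitlines():
        ev = parse_auth_line(line)
        if ev:
            events[ev["cli"]].append(ev)
            continue
        for rx, code, template in FINDINGS:
            m = rx.search(line)
            if m:
                findings.append((code, template.format(*m.groups())))
    clients = {}
    for cli, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if not e["ok"]]
        successes = [e for e in evs if e["ok"]]
        recovered = sum(
            1 for f in failures
            if any(f["ts"] < s["ts"] <= f["ts"] + window for s in successes)
        )
        clients[cli] = {
            "failures": len(failures),
            "successes": len(successes),
            "recovered": recovered,
            "persistent": bool(failures) and recovered == 0,
        }
    return {"clients": clients, "findings": findings}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for cli, stats in sorted(report["clients"].items()):
        print(cli, stats)
    for code, detail in report["findings"]:
        print(code, "-", detail)
```

Feed it a real radius.log or captured -X output instead of SAMPLE_LOG; devices marked persistent, and any conflicting_auth_type finding, are the server-side items to chase before blaming the supplicants.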
Re: EAP-TLS certificate problem
On 2/19/13, Phil Mayers wrote:
> On 19/02/13 09:11, Muhammad Nadeem wrote:
>> Hi, everybody
>> I have used pre-shipped certificates of Freeradius for testing
>> purposes. This testing succeeded with a test user 'bob', with files
>> authentication.
>> Now in the next step I wanna authenticate a user from my Database with
>> Digital certificates. When I authenticate the user, the server side
>> confirms and sends an "Access-Accept" packet, but at the client the following
>> error occurs:
>> "No Message-Authenticator attribute found
>> Incoming RADIUS packet did not have correct Message-Authenticator -
>> dropped
>> STA 02:00:00:00:00:01: No RADIUS RX handler found (type=0 code=2 id=0)
>> - dropping packet"
>>
>> I googled this problem and found a solution that the user Auth-Type is
>> set to Accept (I manually checked the user in the Database, and its
>> Auth-Type was Accept) and this type prevents further processing.
>
> Yes
>
>> Now my question is, could I continue EAP-TLS authentication
>> regardless of Auth-Type being set to Accept???
>
> No. Don't set Auth-Type unless you know what you're doing.

Ok thanx, I succeeded in authenticating the users from a database. But when I set up the same setup on another machine, I failed :(
The following output is the debug output of the freeradius server. (I think EAP NAK is creating problems).

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.112 port 35397, id=0, length=132
        User-Name = "001AAD3F8165"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x021101303031414144334638313635
        Message-Authenticator = 0xebcf3f94a32bf89eaabf4be3b2ce493b
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "001AAD3F8165", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 17
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[eap] EAP packet type response id 0 length 17
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql] expand: %{User-Name} -> 001AAD3F8165
[sql] sql_set_user escaped user --> '001AAD3F8165'
rlm_sql (sql): Reserving sql socket id: 9
[sql] expand: SELECT '1' AS RC_ID,'%{SQL-USER-NAME}' AS USERNAME,'Auth-Type' AS Attribute, AAA_GETVALUETOCHECKWITRIBE('%{SQL-User-Name}') AS Value,':=' AS op FROM dual ORDER BY RC_ID -> SELECT '1' AS RC_ID,'001AAD3F8165' AS USERNAME,'Auth-Type' AS Attribute, AAA_GETVALUETOCHECKWITRIBE('001AAD3F8165') AS Value,':=' AS op FROM dual ORDER BY RC_ID
[sql] User found in radcheck table
[sql] expand: select rownum, '%{SQL-USER-NAME}', RR_ATTRIBUTE, RR_VALUE, RR_OP FROM AAA_TBLRADREPLY where PI_PROFILEID in (SELECT PI_PROFILEID FROM SM_TBLSUBSIDENTIFICATIONS WHERE SI_IDENTIFICATION = upper(replace('%{SQL-USER-NAME}',':','')) ) AND NE_ELEMENTID in (SELECT NE_ELEMENTID FROM NC_TBLNEACESSCONF WHERE NEAC_IPADDRESS = '%{NAS-IP-Address}') -> select rownum, '001AAD3F8165', RR_ATTRIBUTE, RR_VALUE, RR_OP FROM AAA_TBLRADREPLY where PI_PROFILEID in (SELECT PI_PROFILEID FROM SM_TBLSUBSIDENTIFICATIONS WHERE SI_IDENTIFICATION = upper(replace('001AAD3F8165',':','')) ) AND NE_ELEMENTID in (SELECT NE_ELEMENTID FROM NC_TBLNEACESSCONF WHERE NEAC_IPADDRESS = '127.0.0.1')
rlm_sql (sql): Released sql socket id: 9
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = Accept
Found Auth-Type = EAP
Warning: Found 2 auth-types on request for user '001AAD3F8165'
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.0.112 port 35397
        Qos-Policing-Profile-Name := "128K_UL"
        Qos-Metering-Profile-Name := "512K_DL"
        Context-Name := "Postpaid-VR"
        DHCP-Max-Leases := 1
        Forward-Policy := "in:nonpayment_redirect_post"
        HTTP
Re: EAP-TLS certificate problem
On 19/02/13 09:11, Muhammad Nadeem wrote:
> Hi, everybody
> I have used pre-shipped certificates of Freeradius for testing purposes. This testing succeeded with a test user 'bob', with files authentication.
> Now in the next step I wanna authenticate a user from my Database with Digital certificates. When I authenticate the user, the server side confirms and sends an "Access-Accept" packet, but at the client the following error occurs:
> "No Message-Authenticator attribute found
> Incoming RADIUS packet did not have correct Message-Authenticator - dropped
> STA 02:00:00:00:00:01: No RADIUS RX handler found (type=0 code=2 id=0) - dropping packet"
>
> I googled this problem and found a solution that the user Auth-Type is set to Accept (I manually checked the user in the Database, and its Auth-Type was Accept) and this type prevents further processing.

Yes

> Now my question is, could I continue EAP-TLS authentication regardless of Auth-Type being set to Accept???

No. Don't set Auth-Type unless you know what you're doing.
Re: EAP-TLS problem
On 18/02/13 10:57, Muhammad Nadeem wrote:
> ca_cert="/usr/local/etc/raddb/certs/ca.pem"
> client_cert="/usr/local/etc/raddb/certs/client.pem"
> private_kry="/usr/local/etc/raddb/certs/server.key"

^^^ typo - should be "client.key"

This is basic stuff; please read the docs for wpa_supplicant/eapol_test more carefully, and your own configs, before posting questions, particularly as others have pointed out, this is not the eapol_test support list...
Re: EAP-TLS problem
Hi,

> > (but this mailing list isn't a support forum for either of those tools!)

I guess you don't read what I post.. which means I'm not likely to answer you.

alan
Re: EAP-TLS problem
On 2/18/13, a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> Thankfully, this isn't correct. You can use "eapol_test" which comes
>> with the "wpa_supplicant" source to test pretty much every EAP type
>> there is, including EAP-TLS.
>>
>> To the OP - download wpa_supplicant sources and build eapol_test.
>
> eapol_test is VERY powerful, and there are even little test scripts
> provided in the FreeRADIUS source
>
> however, if you want a clicky GUI then also look at JRadius Simulator:
>
> http://www.coova.org/JRadius/Simulator
>
> (but this mailing list isn't a support forum for either of those tools!)
>
> alan

thanx A.L.M, but actually I am not aware of what to send in a request for EAP-TLS. I have followed the README in /raddb/certs/ and made the CA, CLIENT and SERVER certificates. Now I request to the server with eapol_test, with the following parameters:

network={
        eap=TLS
        eapol_flags=0
        key_mgmt=IEEE8021X
        identity="bob"
        ca_cert="/usr/local/etc/raddb/certs/ca.pem"
        client_cert="/usr/local/etc/raddb/certs/client.pem"
        private_kry="/usr/local/etc/raddb/certs/server.key"
        private_key_passwd="whatever"
}

but this request gives me a FAILURE response. I have googled a lot to find the appropriate answer (what I need to send in the client request etc etc).
Re: EAP-TLS problem
On 2/18/13, Phil Mayers wrote:
> On 02/18/2013 06:31 AM, Tobias Hachmer wrote:
>> Hello Muhammad,
>>
>> On 18.02.2013 07:17, Muhammad Nadeem wrote:
>>> Now I want to practically test EAP-TLS with freeradius on REDHAT 5. I
>>> have configured eap.conf to use EAP-TLS. But I don't know how to
>>> send requests to the freeradius server, so that it can authenticate the
>>> user using TLS (with a digital certificate).
>>> Can anyone help me, thanks in advance..
>>
>> You will need a RADIUS Client, e.g.
>> - wireless access point
>> - lan switch
>>
>> which acts as the RADIUS Client (Authenticator in 802.1X terminology).
>> Both have to support 802.1X and RADIUS.
>> Without one you won't be able to test EAP-TLS. I am not aware of a simulator
>> client program.
>
> Thankfully, this isn't correct. You can use "eapol_test" which comes
> with the "wpa_supplicant" source to test pretty much every EAP type
> there is, including EAP-TLS.
>
> To the OP - download wpa_supplicant sources and build eapol_test.

thanks Phil, eapol_test really is working. thanks a lot
Re: EAP-TLS problem
Hi,

> Thankfully, this isn't correct. You can use "eapol_test" which comes
> with the "wpa_supplicant" source to test pretty much every EAP type
> there is, including EAP-TLS.
>
> To the OP - download wpa_supplicant sources and build eapol_test.

eapol_test is VERY powerful, and there are even little test scripts provided in the FreeRADIUS source

however, if you want a clicky GUI then also look at JRadius Simulator:

http://www.coova.org/JRadius/Simulator

(but this mailing list isn't a support forum for either of those tools!)

alan
Re: EAP-TLS problem
On 02/18/2013 06:31 AM, Tobias Hachmer wrote:
> Hello Muhammad,
>
> On 18.02.2013 07:17, Muhammad Nadeem wrote:
>> Now I want to practically test EAP-TLS with freeradius on REDHAT 5. I
>> have configured eap.conf to use EAP-TLS. But I don't know how to
>> send requests to the freeradius server, so that it can authenticate the
>> user using TLS (with a digital certificate).
>> Can anyone help me, thanks in advance..
>
> You will need a RADIUS Client, e.g.
> - wireless access point
> - lan switch
>
> which acts as the RADIUS Client (Authenticator in 802.1X terminology).
> Both have to support 802.1X and RADIUS.
> Without one you won't be able to test EAP-TLS. I am not aware of a simulator
> client program.

Thankfully, this isn't correct. You can use "eapol_test" which comes with the "wpa_supplicant" source to test pretty much every EAP type there is, including EAP-TLS.

To the OP - download wpa_supplicant sources and build eapol_test.
Re: EAP-TLS problem
Hello Muhammad,

On 18.02.2013 07:17, Muhammad Nadeem wrote:
> Now I want to practically test EAP-TLS with freeradius on REDHAT 5. I
> have configured eap.conf to use EAP-TLS. But I don't know how to
> send requests to the freeradius server, so that it can authenticate the
> user using TLS (with a digital certificate).
> Can anyone help me, thanks in advance..

You will need a RADIUS Client, e.g.
- wireless access point
- lan switch

which acts as the RADIUS Client (Authenticator in 802.1X terminology). Both have to support 802.1X and RADIUS.
Without one you won't be able to test EAP-TLS. I am not aware of a simulator client program.

Regards,
Tobias
Re: EAP-TLS and OS X clients
Hi,

> https://wiki.thayer.dartmouth.edu/display/computing/Configuring+an+OS+X+Mac+for+the+Dartmouth+Secure+Wireless+Network
>
> In this example, the users are given a personalized *.cer
> certificate to add to their keychain. Since I don't have any
> client.cer files, I tried this approach with a client.csr file
> instead, which seemed personalized enough, but still I run into the
> same roadblock.
>
> Can anyone say what I should be doing differently? E.g. are *.cer
> certificates mandatory (if so, how can I make them?), or can I not
> use my self-signed certificates?

right. SSL certs can be in various formats. Ones that are 'usable' depend on the underlying code, but the useful types are usually PEM, DER (also known as CER) and P12. These are all active certs. CSR is a certificate signing request file and isn't a valid cert for client use.

if you have one type you can easily convert it to any of the other formats using 'openssl' on the command line of a Linux or OSX system - the command format isn't trivial, but it's fairly obvious, the man pages cover it and there are MANY web pages out there telling you how to do it.

under Linux, most of the network admin tools for WPA2/WPA enterprise are fairly limited and fussy about certificates, how and where they are installed... on OSX you need to ensure you have the CA installed - and TRUSTED!

alan
Re: EAP-TLS and OS X clients
Jaap Winius wrote:
> Can anyone say what I should be doing differently? E.g. are *.cer
> certificates mandatory (if so, how can I make them?), or can I not use
> my self-signed certificates?

I always use pem or crt files, not *.cer. It works on my Mac.

Alan DeKok.
EAP-TLS and OS X clients
Hi folks,

My WPA2-Enterprise configuration with Freeradius 2.1.0, EAP-TLS and 4096-bit SHA-1 certificates works great with wpa_supplicant on Linux, but can anyone help me understand how to get this to work for OS X (Lion) clients?

My Linux client uses a copy of the ca.pem file to establish the link (after which PAP is used to authenticate), but although the same ca.pem file can be imported into the OS X client's keychain, this certificate never shows up as a selectable identity when configuring EAP-TLS wireless access, like in this case (bottom of the page):

https://wiki.thayer.dartmouth.edu/display/computing/Configuring+an+OS+X+Mac+for+the+Dartmouth+Secure+Wireless+Network

In this example, the users are given a personalized *.cer certificate to add to their keychain. Since I don't have any client.cer files, I tried this approach with a client.csr file instead, which seemed personalized enough, but still I run into the same roadblock.

Can anyone say what I should be doing differently? E.g. are *.cer certificates mandatory (if so, how can I make them?), or can I not use my self-signed certificates?

Thanks,

Jaap
Re: EAP TLS client
Hi,

> official website.
> But I have a problem, when I want to "make eapol_test" it gives the
> following error.
> /usr/bin/ld: cannot find -lnl
> collect2: ld returned 1 exit status
> make: *** [eapol_test] Error 1
> Any idea about this error?//

compilation error due to missing libraries. however, this is NOT a FreeRADIUS issue and the answer can be sought from the wpa_supplicant mailing list.

alan
Re: EAP TLS client
On 2/15/13, Stefan Winter wrote:
> Hi,
>
>> I have configured freeradius to entertain EAP-TLS requests. And I am
>> using the freeradius certificate (shipped with the software). I got stuck
>> at the end, now I don't know how to send an EAP-TLS request to the server.
>> I read man radeapclient, but it only supports md5. Could you please
>> tell me how I could send a request to the server using the EAP-TLS
>> authentication method.
>
> Either by using a real EAP supplicant (Windows machine, Mac OS, ...) or
> for a command-line test use eapol_test, which is part of wpa_supplicant.
>
> Stefan
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
> de la Recherche
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
>
> Tel: +352 424409 1
> Fax: +352 422473

Thanks Stefan, for your answer. I preferred the command line tool "eapol_test". I also wpa_supplicant from the official website. But I have a problem: when I want to "make eapol_test" it gives the following error.

/usr/bin/ld: cannot find -lnl
collect2: ld returned 1 exit status
make: *** [eapol_test] Error 1

Any idea about this error?//

--
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University
Re: EAP TLS client
Hi,

> I have configured freeradius to entertain EAP-TLS requests. And I am
> using the freeradius certificate (shipped with the software). I got stuck
> at the end, now I don't know how to send an EAP-TLS request to the server.
> I read man radeapclient, but it only supports md5. Could you please
> tell me how I could send a request to the server using the EAP-TLS
> authentication method.

Either by using a real EAP supplicant (Windows machine, Mac OS, ...) or for a command-line test use eapol_test, which is part of wpa_supplicant.

Stefan

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
RE: [EAP/TLS] Authentication through a certificate
here is the output:

Evaluating ("%{TLS-Client-Cert-Subject}" =~//) -> TRUE
++? if ("%{TLS-Client-Cert-Subject}" =~ /\/xx\// ) -> TRUE
++- entering if ("%{TLS-Client-Cert-Subject}" =~ /\/O=\// ) {...}
+++? if ("%{TLS-Client-Cert-Subject}" =~ /\/OU=\// )
expand: %{TLS-Client-Cert-Subject} -> / ?
Evaluating ("%{TLS-Client-Cert-Subject}" =~ /\/xxx\//) -> TRUE
+++? if ("%{TLS-Client-Cert-Subject}" =~ /\/x\// ) -> TRUE
+++- entering if ("%{TLS-Client-Cert-Subject}" =~ /\/xx\// ) {...}
[noop] returns noop
+++- if ("%{TLS-Client-Cert-Subject}" =~ /\/xxx\// ) returns noop
+++ ... skipping else for request 21: Preceding "if" was taken
++- if ("%{TLS-Client-Cert-Subject}" =~ /\/xx\// ) returns noop
Login OK: [xx] (from client xxx

I understand that eap returns ok so the user is authenticated. It's not what I want to do. I want the client certificate to be authenticated by:
- being in the users file
- having the "right" certificate

> From: a.l.m.bu...@lboro.ac.uk
> To: zoumlan...@hotmail.com; freeradius-users@lists.freeradius.org
> Subject: Re: [EAP/TLS] Authentication through a certificate
> Date: Fri, 8 Feb 2013 16:20:20 +
>
> As already said, post output of radiusd -X (that will clearly show the logic taken)
>
> alan
Re: [EAP/TLS] Authentication through a certificate
As already said, post output of radiusd -X (that will clearly show the logic taken)

alan
RE: [EAP/TLS] Authentication through a certificate
I began setting up the configuration, but I got two problems: clients with a good certificate can be authenticated even if they're not in the "users" file. I assume it's due to my code. Here is what is under the authenticate section of default:

Auth-Type eap {
        eap
        if ( "%{TLS-Client-Cert-Subject}" =~ /\/\// ) {
                if ( "%{TLS-Client-Cert-Subject}" =~ /\/xxx\// ) {
                        ok
                } else {
                        fail
                }
        }
}

It's like when the condition is checked, it bypasses the "users" file. Maybe I must move these lines under authorize? Anyone to confirm it?

cheers

> Date: Mon, 4 Feb 2013 10:32:22 -0500
> From: al...@deployingradius.com
> To: freeradius-users@lists.freeradius.org
> Subject: Re: [EAP/TLS] Authentication through a certificate
>
> vazoumana fofana wrote:
>> i've got a question about EAP/TLS and authentication for a client
>> through a certificate ?
>> I succeeded setting up. But, I notice that freeradius matches client
>> login with certificate CNAME.
>> Is it possible to change it in order to match email instead of CNAME ?
>
> Yes.
>
> Read the eap.conf file, and the raddb/sites-available/default. This
> is documented.
>
> Alan DeKok.
Re: [EAP/TLS] Authentication through a certificate
vazoumana fofana wrote:
> i've got a question about EAP/TLS and authentication for a client
> through a certificate ?
> I succeeded setting up. But, I notice that freeradius matches client
> login with certificate CNAME.
> Is it possible to change it in order to match email instead of CNAME ?

Yes.

Read the eap.conf file, and the raddb/sites-available/default. This is documented.

Alan DeKok.
[EAP/TLS] Authentication through a certificate
Dear everybody,

I've got a question about EAP/TLS and authentication for a client through a certificate. I succeeded in setting up. But I notice that freeradius matches client login with the certificate CNAME. Is it possible to change it in order to match email instead of CNAME?

Best regards.
AW: AW: AW: EAP-TLS Failed in handler question
Hi!

Phil, thx again for your help - according to Extreme the bug has been fixed in summitX-15.2.2.7-patch1-2:

PD4-3163943281 802.1x re-authentication fails when EAP ID reaches 255.

This version also fixes a bug we reported which is related to 802.1x:

PD4-3271740739 While using Dot1x and MAC-based netlogin on the same port, the MAC reauthentication timer should stop after the client is authenticated with dot1x credentials.

-----Original Message-----
From: freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org [mailto:freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org] On Behalf Of PENZ Robert
Sent: Tuesday, 11 December 2012 16:30
To: FreeRadius users mailing list
Subject: AW: AW: AW: EAP-TLS Failed in handler question

Hi!

Phil, Really BIG THANKS for your help! I'll talk to Extreme Networks.

Robert
Re: Enforcing use of Eap-TLS or PEAP
Kamil Jońca wrote:
> I try to set up radius authentication in my WiFi network.
> I want to have:
> 1. one user (samsung phone) should be authenticated with PEAP
> 2. others should be authenticated with EAP-TLS.

Give user (1) a password. Give each of the other users a client certificate. Done.

> Naive approach is to use Auth-Type but its treated as "misuse" at
> http://deployingradius.com/documents/configuration/auth_type.html
> But example is only for ms-chap, and I don't know which attribute(?)
> use to force PEAP /EAP-TLS
>
> Any help? Am I missing something?

You're making it too complicated. There's no need to "force" anything. Just configure the users, and it will work.

If you don't give the users from (2) any passwords, PEAP won't work for them. If you don't give users from (1) any client certificates, EAP-TLS won't work for them.

It's that simple.

Alan DeKok.
Enforcing use of Eap-TLS or PEAP
I try to set up radius authentication in my WiFi network.
I want to have:
1. one user (samsung phone) should be authenticated with PEAP
2. others should be authenticated with EAP-TLS.

The naive approach is to use Auth-Type but it's treated as "misuse" at
http://deployingradius.com/documents/configuration/auth_type.html
But the example is only for ms-chap, and I don't know which attribute(?) to use to force PEAP/EAP-TLS.

Any help? Am I missing something?

KJ
--
http://blogdebart.pl/2009/12/22/mamy-chorych-dzieci/
QOTD: "It's been real and it's been fun, but it hasn't been real fun."
AW: AW: AW: EAP-TLS Failed in handler question
Hi!

Phil, Really BIG THANKS for your help! I'll talk to Extreme Networks.

Robert
Re: AW: AW: EAP-TLS Failed in handler question
On 10/12/12 20:00, PENZ Robert wrote:
> @PhilMayers: Did you get the Mail with the full logfile? do you need more?

Ok, your NAS is buggy I'm afraid. In some small percentage of cases, it is not handling the wrapping of EAP id values from 255 to 0.

The following sequence of (redacted) packets shows the problem (see line ~2389268 in your debug for this example, but there are lots of others in there):

Access-Request packet from host NAS port 54217, id=183, length=151
        User-Name = "host/blah"
        EAP-Message = 0x02ff...
        NAS-IP-Address = NAS
        Service-Type = Login-User
        Calling-Station-Id = "MAC"
        NAS-Port-Id = "x:y"
        NAS-Port = x00y
        NAS-Port-Type = Ethernet
        Message-Authenticator = 0x26710066ee2e161ba4979519e82cde59
...
[eap] EAP packet type response id 255 length 33
...
+- entering group EAP {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
...
Sending Access-Challenge of id 183 to 10.15.132.5 port 54217
        EAP-Message = 0x01060d20
        Message-Authenticator = 0x
        State = 0xe043a0c1e043ad9227375e26b2f8cb62

Note that the access-request contains an EAP response with id=255, and we return an EAP request with id=0, having wrapped around. The NAS follows up with:

Access-Request packet from host 10.15.132.5 port 54217, id=184, length=241
        User-Name = "host/blah"
        EAP-Message = 0x02ff...
        NAS-IP-Address = NAS
        Service-Type = Login-User
        Calling-Station-Id = "MAC"
        NAS-Port-Id = "x:y"
        NAS-Port = x00y
        NAS-Port-Type = Ethernet
        State = 0xe043a0c1e043ad9227375e26b2f8cb62
        Message-Authenticator = 0x03a814fd68371689281f1e66a4728614
...
[eap] EAP packet type response id 255 length 105
...
rlm_eap: No EAP session matching the State variable.

That is - we send an Access-Challenge containing an EAP request id=0, the client responds with an Access-Request containing EAP response id=255. This is obviously wrong.

FreeRADIUS mixes certain data into the "State" value with a "xor" including the EAP id - that's why you're getting that particular error message, but the underlying problem is that the NAS is not always handling EAP id value wrap correctly.

I'm curious as to why the EAP id values are so large - I don't think most NASes do this, they start from id=1 on every conversation, but I don't know if it's legal.

The ID wrapping seems to work in other cases; I'm not certain, but it *may* be that it only fails if the sequence is:

C: access-request EAP-response id=255 EAP-Identity
S: access-challenge EAP-request id=0 PEAP-start
C: access-request EAP-response id=255 PEAP-data

i.e. if the initial EAP-identity is the one with id=255.

But anyway - I think your NAS is buggy. There's no way you can solve this in FreeRADIUS - you obviously can't rewrite the EAP id, so I think you'll need to open a bug report with the vendor.

There is one thing you *might* be able to do which *might* work, but it's dependent on what the NAS does - if I'm right and it's only Identity packets that don't wrap properly, you might be able to detect EAP identity packets and modify the ID and *maybe* the Extreme switch will reply in-sequence. Like so:

authorize {
        if ("%{EAP-Message[0]}" =~ /^0x02ff()01(.+)/) {
                # we have an EAP-identity packet id=255, see if we can force a wrap
                update request {
                        EAP-Message := "0x0201%{1}01%{2}"
                }
        }
}

However - I have no idea if this syntax will even work, and to be honest I'm extremely dubious that, if it does, the Extreme would respond properly.

Cheers,
Phil
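Phil's diagnosis rests on the one-byte EAP Identifier wrapping from 255 to 0 and the client answering with the wrong id. The Python below is an added example, not code from the thread or from FreeRADIUS: it decodes the EAP packet carried in a RADIUS EAP-Message attribute (as printed by radiusd -X) and audits a constructed exchange for the out-of-sequence Response described above. All hex strings, the identity "host/example" and the function names are constructed for this example.

```python
"""Decode RADIUS EAP-Message values and check EAP Identifier sequencing.

Added example for the list thread; not FreeRADIUS code and not the posters' logs.
EAP header (RFC 3748): Code(1) Identifier(1) Length(2) [Type(1) Type-Data...].
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "TLS", 21: "TTLS", 25: "PEAP"}


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]   # None for Success / Failure (no Type byte)
    data: bytes               # Type-Data (identity string, TLS flags+record, ...)


def parse_eap_message(hexstr: str) -> EapPacket:
    """Parse the 0x-prefixed hex of one EAP-Message attribute into its header fields.

    The Length field covers the whole EAP packet, so it must equal the number of
    bytes actually present; a mismatch means a truncated or corrupted value.
    """
    raw = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes, got %d" % len(raw))
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if code not in EAP_CODES:
        raise ValueError("unknown EAP Code %d" % code)
    if length != len(raw):
        raise ValueError("EAP Length %d disagrees with %d bytes present" % (length, len(raw)))
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response needs a Type byte")
        return EapPacket(code, ident, length, raw[4], raw[5:])
    return EapPacket(code, ident, length, None, b"")


def describe(pkt: EapPacket) -> str:
    """One-line summary in the spirit of '[eap] EAP packet type response id 255'."""
    kind = EAP_CODES[pkt.code]
    if pkt.eap_type is None:
        return "%s id=%d" % (kind, pkt.identifier)
    tname = EAP_TYPES.get(pkt.eap_type, "type %d" % pkt.eap_type)
    return "%s id=%d %s" % (kind, pkt.identifier, tname)


def expected_next_id(ident: int) -> int:
    """Identifiers are one octet: the Request after id=255 must use id=0."""
    return (ident + 1) % 256


def audit_exchange(exchange: List[Tuple[str, str]]) -> List[str]:
    """Walk ("C"/"S", hex) entries in wire order and flag every client Response
    whose Identifier differs from the Request the server has outstanding.

    The first Identity Response answers the NAS's own EAP-Request/Identity, which
    the RADIUS server never sees, so it is accepted without an outstanding id.
    """
    findings = []
    outstanding = None
    for side, hexstr in exchange:
        pkt = parse_eap_message(hexstr)
        if side == "S" and pkt.code == 1:
            outstanding = pkt.identifier
        elif side == "C" and pkt.code == 2:
            if outstanding is not None and pkt.identifier != outstanding:
                findings.append("client sent %s but server's outstanding Request id is %d"
                                % (describe(pkt), outstanding))
            outstanding = None
    return findings


# Constructed to mirror the thread: Identity Response id=255, server sends an
# EAP-TLS Start Request with the wrapped id=0, client replies with id=255 again.
BUGGY_NAS = [
    ("C", "0x02ff001101686f73742f6578616d706c65"),  # Response id=255 Identity "host/example"
    ("S", "0x010000060d20"),                        # Request id=0 type 13 (TLS), flags 0x20 = Start
    ("C", "0x02ff00060d00"),                        # Response id=255 TLS: should have been id=0
]
# The same conversation with the wrap handled correctly by the NAS.
GOOD_NAS = [BUGGY_NAS[0], BUGGY_NAS[1], ("C", "0x020000060d00")]

if __name__ == "__main__":
    for name, ex in (("buggy", BUGGY_NAS), ("good", GOOD_NAS)):
        print(name, [describe(parse_eap_message(h)) for _, h in ex])
        print("  findings:", audit_exchange(ex))
```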
Re: AW: AW: EAP-TLS Failed in handler question
On 12/10/2012 08:00 PM, PENZ Robert wrote:
> @PhilMayers: Did you get the Mail with the full logfile? do you need more?

I did, but honestly I prioritise personal "help" emails lower than ones to the list, sorry. I'll see if I have time to look today.
RE: AW: AW: EAP-TLS Failed in handler question
@PhilMayers: Did you get the Mail with the full logfile? do you need more?

Kind regards
Robert Penz

Dipl. Inf. Robert Penz
DVT-Daten-Verarbeitung-Tirol GmbH
Adamgasse 22, 6020 Innsbruck
Tel: +43 512 508 3334 / Fax: +43 512 508 3355
eMail: robert.p...@tirol.gv.at

From: freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org [freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org] On Behalf Of PENZ Robert [robert.p...@tirol.gv.at]
Sent: Wednesday, December 05, 2012 8:32 AM
To: FreeRadius users mailing list
Subject: AW: AW: AW: EAP-TLS Failed in handler question

>> There is no other packet between these two and only 5 seconds, server has
>> not been restarted.
> Weird.
> But we need the *full* debug please!

some special option or the full log file? The second I send you in a private mail.

Robert
AW: AW: AW: EAP-TLS Failed in handler question
>> There is no other packet between these two and only 5 seconds, server has
>> not been restarted.
> Weird.
> But we need the *full* debug please!

some special option or the full log file? The second I send you in a private mail.

Robert
Re: AW: AW: EAP-TLS Failed in handler question
On 12/04/2012 03:59 PM, PENZ Robert wrote:
> There is no other packet between these two and only 5 seconds, server has not been restarted.

Weird.

But we need the *full* debug please!
AW: AW: EAP-TLS Failed in handler question
Hi!

I was still not able to get a trace on the client side, but I believe these debug log entries should help. This time I got the start packet and it is within some seconds that I get the 2 packets to the radius server, and the State variable seems to be the same.

Ready to process requests.
rad_recv: Access-Request packet from host 10.xx.xx.5 port 54217, id=11, length=152
        User-Name = "host/x.local"
        EAP-Message = 0x02ff002101686f73742f4456542d303039363832322e7469726f6c2e6c6f63616c
        NAS-IP-Address = 10.xx.xx.5
        Service-Type = Login-User
        Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
        NAS-Port-Id = "1:29"
        NAS-Port = 1029
        NAS-Port-Type = Ethernet
        Message-Authenticator = 0xd080844ef3e47a9bc21e8c848b5a8548
..
[eap] EAP packet type response id 255 length 33
[eap] No EAP Start, assuming it's an on-going EAP conversation
+++[eap] returns updated
++- else else returns updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group EAP {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
..
Sending Access-Challenge of id 11 to 10.xx.xx.5 port 54217
        EAP-Message = 0x01060d20
        Message-Authenticator = 0x
        State = 0x642534cc642539e20b4be1e3ae0328c0
Finished request 62603.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.xx.xx.5 port 54217, id=12, length=242
        User-Name = "host/x.tirol.local"
        EAP-Message = 0x02ff00690d80005f160301005a0156030150bd9377fb696c9f5eaedc568220f9aa35ab65930cf2232f4131c054b056295418002f00350005000ac013c014c009c00a00320038001300040115ff0100010a0006000400170018000b00020100
        NAS-IP-Address = 10.xx.xx.5
        Service-Type = Login-User
        Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
        NAS-Port-Id = "1:29"
        NAS-Port = 1029
        NAS-Port-Type = Ethernet
        State = 0x642534cc642539e20b4be1e3ae0328c0
        Message-Authenticator = 0xeada93f9da1ca47a6f0325e8ad0414a9
...
[eap] EAP packet type response id 255 length 105
[eap] No EAP Start, assuming it's an on-going EAP conversation
+++[eap] returns updated
++- else else returns updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group EAP {...}
rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
[eap] Failed in handler
++[eap] returns invalid

There is no other packet between these two and only 5 seconds, server has not been restarted.

Robert

-----Original Message-----
From: freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org [mailto:freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org] On Behalf Of PENZ Robert
Sent: Tuesday, 27 November 2012 17:38
To: FreeRadius users mailing list
Subject: AW: AW: EAP-TLS Failed in handler question

>> With first packet I meant first packet the radius server saw in some time
>> ... the switch forces a reauthentication every 2h
> A re-auth is a fresh EAP session. So even on a re-auth, the first packet
> would not have a "State" attribute, absent software bugs.

ok

>>> It *could* be that the client just got stuck and is responding (very)
>>> late. But I'm quite surprised the NAS didn't timeout the EAP auth before
>>> that.
>>
>> We're running Extreme Networks Switches with following timers set:
>>
>> configure netlogin dot1x timers quiet-period 30
>> configure netlogin dot1x timers reauth-period 7200
> We run SummitX edge, and when I've tested dot1x netlogin in the past, I
> haven't seen this issue. We've never widely deployed it, however, so
> it's possible there's an XOS bug where a small percentage of re-auths
> erroneously re-use the "State". You'd need to get a packet capture to be
> sure.

ok ... will try to get one .. is not easy ...

>> but reject means the switch sets the port to the guest vlan, and therefore
>> the PC loses the connections ... is there a way to request a new full
>> eap/tls handshake from the client?
>
> You're not understanding, or I'm not making myself clear.
>
> Suggestion: fire up wireshark, and take a careful look at a normal EAP
> authentication. You'll see that the first packet is an EAP-Identity
> without a "State" attribute, which the server responds to with an
> Access-Challenge containing the default eap type "start"
AW: AW: EAP-TLS Failed in handler question
> > With first packet I meant first packet the radius server saw in some time
> > ... the switch forces a re-authentication every 2h
>
> A re-auth is a fresh EAP session. So even on a re-auth, the first packet
> would not have a "State" attribute, absent software bugs.

ok

> >> It *could* be that the client just got stuck and is responding (very)
> >> late. But I'm quite surprised the NAS didn't timeout the EAP auth before
> >> that.
> >
> > We're running Extreme Networks Switches with following timers set:
> >
> > configure netlogin dot1x timers quiet-period 30
> > configure netlogin dot1x timers reauth-period 7200
>
> We run SummitX edge, and when I've tested dot1x netlogin in the past, I
> haven't seen this issue. We've never widely deployed it, however, so
> it's possible there's an XOS bug where a small percentage of re-auths
> erroneously re-use the "State". You'd need to get a packet capture to be
> sure.

ok ... will try to get one .. is not easy ...

> > but reject means the switch sets the port to the guest vlan, and therefore
> > the PC loses the connections ... is there a way to request a new full
> > eap/tls handshake from the client?
>
> You're not understanding, or I'm not making myself clear.
>
> Suggestion: fire up wireshark, and take a careful look at a normal EAP
> authentication. You'll see that the first packet is an EAP-Identity
> without a "State" attribute, which the server responds to with an
> Access-Challenge containing the default eap type "start" payload, and a
> "State" attribute.
>
> Are you *absolutely sure* that these packets are really the first RADIUS
> packet in the auth/re-auth?

will check again and get back to you

> If you're sure, your problem seems to be that the correct first packet
> isn't being sent; the switch is just jumping straight in with the EAP
> payload *and* a "State" attribute. I am curious to know where it's
> getting that "State" attribute.
>
> The server source code assumes that a "State" attribute will be valid.
> There's no setting to "just accept it".
>
> Interestingly, I see the RADIUS RFC does actually allow clients to send
> a previous "State" if you send an Access-Accept with:
>
> Termination-Action = RADIUS-request
>
> You're not doing that, are you?

no, I'm not

> No. As above, re-auths start new EAP sessions. You would only reject any
> EAP sessions that were in the *middle* of performing an auth, as the
> "state" would be lost across restarts. But this is a very narrow window.

So would it be best to set iptables to drop requests for 1 min, then restart the radius and remove the iptables rules? Or can I set freeradius into a mode where it does not accept new sessions, and after 2 minutes I restart it? So that the switch is forced onto the other switch. Or what is the best practice to never have false rejects?
Re: EAP-TLS constant disconnects
Thanks for the additional info on timers. Here are the values; hope I didn't leave out something. Basically we left them set to default.

timer expire for eap is 60
cleanup delay is set to 5
reject delay to 1
max request time is 30

uros

On Mon, Nov 26, 2012 at 12:14 PM, alan buxey wrote:
> Hi,
>
> > I've interrupted the test after the described process was already going
> > on for 2 min.
> >
> > Don't know exactly what timers you mean. I checked time settings on
> > servers. NAS has GMT+1 and FreeRADIUS server UTC. Will change NAS time to
> > GMT. Please correct me if that's not what you meant.
>
> I mean the number of seconds you have for eg RADIUS authentication,
> failure time, cleanup delay etc. Also, if your clients and RADIUS server
> don't have correct time synchronisation then things will go wrong.
>
> alan
Re: EAP-TLS constant disconnects
Hi,

> I've interrupted the test after the described process was already going
> on for 2 min.
>
> Don't know exactly what timers you mean. I checked time settings on
> servers. NAS has GMT+1 and FreeRADIUS server UTC. Will change NAS time to
> GMT. Please correct me if that's not what you meant.

I mean the number of seconds you have for eg RADIUS authentication, failure time, cleanup delay etc. Also, if your clients and RADIUS server don't have correct time synchronisation then things will go wrong.

alan
Re: EAP-TLS constant disconnects
Hi,

I've interrupted the test after the described process was already going on for 2 min.

Don't know exactly what timers you mean. I checked time settings on servers. NAS has GMT+1 and FreeRADIUS server UTC. Will change NAS time to GMT. Please correct me if that's not what you meant.

On Mon, Nov 26, 2012 at 10:29 AM, alan buxey wrote:
> Hi,
>
> > The results are really interesting and not expected.
>
> how long does the process take? what are your NAS timers and FreeRADIUS
> timers?
>
> alan
Re: EAP-TLS constant disconnects
Hi,

> The results are really interesting and not expected.

How long does the process take? What are your NAS timers and FreeRADIUS timers?

alan
Re: EAP-TLS constant disconnects
Phil, thank you for your reply!

I've tried to debug as you suggest. I run wireshark on the remote side + tcpdump on the server side. The results are really interesting and not expected. As the client is disconnected, it sends an auth request to the server. Server gets the request and after a successful authentication it sends back Access-Accept. Client gets this message. However, immediately after a successful authentication, it starts with the authentication process again and it loops like that. In the test time Access-Accept was granted 7 times, but client was still without connection and retrying.

For tests I used a linux client on the remote side. After running dhclient a couple of times the connection is usually restored; sometimes it even takes taking the interface down and bringing it up again to restore the connection.

As of my understanding this does not prove a weak wifi as a reason for failure, as it does not prove that it is not the cause for trouble. Additionally, there seems to be something else, besides wireless, which I can't explain, so feel free to comment and suggest!

Regards!

On Fri, Nov 23, 2012 at 10:54 AM, Phil Mayers wrote:
> On 11/23/2012 08:03 AM, Uros Kolar wrote:
>
>> Hi all!
>>
>> We've been using freeradius 2.1.12 with EAP-TLS authentication. The
>> problem we experience is constant disconnects of the clients. After
>> some time (it seems like the intervals are random) of usage the
>> connection drops. I don't have a debug output, since the server is in
>> production already and because of the valid traffic it's hard to
>> efficiently debug it that way.
>>
>> A similar problem was already reported some years ago (without an
>> answer - at least not in that thread): http://bit.ly/10o9xkG
>
> The issue described in that post is symptomatic of wireless problems -
> interference, low signal, etc. - not RADIUS problems. The "EAP Identity"
> retries he mentions are on the *wireless* side i.e. the AP asking the
> client to start a re-auth.
>
> Your problem also sounds like wireless to me; FreeRADIUS either:
>
> * receives auth requests and sends an accept
> * receives auth requests and sends a reject
> * receives auth requests that the client never completes
>
> It doesn't somehow magically disconnect the client (well, unless you're
> using the CoA functionality and you *ask* it to).
>
> I would suggest starting the debugging at the wireless side. Wait for a
> report of a disconnect, then search your logs.
>
> You could also start a rolling tcpdump on the RADIUS server of all auth
> traffic, and then search it for an auth request - I bet you don't see one.
Re: AW: EAP-TLS Failed in handler question
On 21/11/12 12:00, PENZ Robert wrote:
> With first packet I meant first packet the radius server saw in some time
> ... the switch forces a re-authentication every 2h

A re-auth is a fresh EAP session. So even on a re-auth, the first packet would not have a "State" attribute, absent software bugs.

>> It *could* be that the client just got stuck and is responding (very)
>> late. But I'm quite surprised the NAS didn't timeout the EAP auth before
>> that.
>
> We're running Extreme Networks Switches with following timers set:
>
> configure netlogin dot1x timers quiet-period 30
> configure netlogin dot1x timers reauth-period 7200

We run SummitX edge, and when I've tested dot1x netlogin in the past, I haven't seen this issue. We've never widely deployed it, however, so it's possible there's an XOS bug where a small percentage of re-auths erroneously re-use the "State". You'd need to get a packet capture to be sure.

> but reject means the switch sets the port to the guest vlan, and therefore
> the PC loses the connections ... is there a way to request a new full
> eap/tls handshake from the client?

You're not understanding, or I'm not making myself clear.

Suggestion: fire up wireshark, and take a careful look at a normal EAP authentication. You'll see that the first packet is an EAP-Identity without a "State" attribute, which the server responds to with an Access-Challenge containing the default eap type "start" payload, and a "State" attribute.

Are you *absolutely sure* that these packets are really the first RADIUS packet in the auth/re-auth?

If you're sure, your problem seems to be that the correct first packet isn't being sent; the switch is just jumping straight in with the EAP payload *and* a "State" attribute. I am curious to know where it's getting that "State" attribute.

The server source code assumes that a "State" attribute will be valid. There's no setting to "just accept it".

Interestingly, I see the RADIUS RFC does actually allow clients to send a previous "State" if you send an Access-Accept with:

Termination-Action = RADIUS-request

You're not doing that, are you?

>>> Is this a client problem or a misconfiguration on my part?
>>
>> It's probably a client or NAS problem, unless you've set timer_expire
>> too low.
>>
>> However: I guess this could also happen right after the server is
>> restarted. Could that be it - is a cron job restarting it maybe?
>
> no the server is running for > 10 days but if I would restart the server
> I would reject all clients to the guest vlan on reauthentication after
> that ... that can't be the designed way.

No. As above, re-auths start new EAP sessions. You would only reject any EAP sessions that were in the *middle* of performing an auth, as the "state" would be lost across restarts. But this is a very narrow window.
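The State rules Phil lays out in this thread (a fresh EAP session starts with an EAP-Response/Identity that carries no State; every later Access-Request must echo the State from the server's last Access-Challenge; a State the server never issued is exactly the "No EAP session matching the State variable" failure) can be checked mechanically against a radiusd -X excerpt. The script below is an added example, not code from this thread or from FreeRADIUS. It correlates the State values a server hands out in Access-Challenges with the State values the NAS sends back and classifies every Access-Request. The log excerpt is constructed in the format radiusd -X prints, with made-up host, address and attribute values; expiry (timer_expire) is not modelled because such an excerpt carries no per-packet timestamps.

```python
"""Check a radiusd -X excerpt against the RADIUS State rules for EAP.
Added example, not code from this thread or from FreeRADIUS."""
import re

RAD_RECV = re.compile(r"rad_recv: Access-Request packet from host \S+ port \d+, id=(\d+)")
SENDING = re.compile(r"Sending Access-(?:Challenge|Accept|Reject) of id (\d+)")
# Only the two attributes we correlate; "Message-Authenticator = 0x..." does not match.
ATTR = re.compile(r"(?<![\w-])(EAP-Message|State) = (0x[0-9a-fA-F]+)")

EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1

VERDICTS = {
    "new-session": "EAP-Response/Identity with no State: start of a fresh EAP session",
    "continuation": "State matches an Access-Challenge this server sent",
    "unknown-state": "State never issued here: rlm_eap reports 'No EAP session matching the State variable'",
    "missing-state": "mid-conversation EAP packet without State: the NAS is not reflecting it",
    "identity-with-state": "Identity carrying a State: a NAS re-using an old State?",
    "not-eap": "no EAP-Message attribute in the request",
}


def eap_is_identity(eap_hex):
    """Peek at the EAP header: code is byte 0, type is byte 4 (RFC 3748)."""
    data = bytes.fromhex(eap_hex)
    return len(data) >= 5 and data[0] == EAP_RESPONSE and data[4] == EAP_TYPE_IDENTITY


def judge(req, issued):
    """Classify one Access-Request the way rlm_eap would treat it (expiry ignored)."""
    if not req["eap"]:
        return "not-eap"
    identity = eap_is_identity(req["eap"])
    if req["state"] is None:
        return "new-session" if identity else "missing-state"
    if req["state"] not in issued:
        return "unknown-state"
    return "identity-with-state" if identity else "continuation"


def audit(text):
    """Return [(request id, verdict), ...] for every Access-Request in the excerpt."""
    issued, findings = set(), []
    req, in_reply = None, False
    for line in text.splitlines():
        m = RAD_RECV.search(line)
        if m:
            if req is not None:
                findings.append((req["id"], judge(req, issued)))
            req, in_reply = {"id": int(m.group(1)), "eap": "", "state": None}, False
            continue
        if SENDING.search(line):
            if req is not None:
                findings.append((req["id"], judge(req, issued)))
            req, in_reply = None, True
            continue
        m = ATTR.search(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)[2:].lower()
        if in_reply:
            if name == "State":
                issued.add(value)      # State handed out in an Access-Challenge
        elif req is not None:
            if name == "EAP-Message":
                req["eap"] += value    # RFC 3579: several EAP-Message attributes concatenate in order
            else:
                req["state"] = value
    if req is not None:
        findings.append((req["id"], judge(req, issued)))
    return findings


# Constructed excerpt in radiusd -X format (host names, addresses and values are made up):
# id 11 is a clean Identity start, id 12 echoes the issued State, id 13 carries a State
# this server never issued, id 14 is an EAP-TLS packet with no State at all.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.0.2.5 port 54217, id=11, length=63
    User-Name = "host/pc1.example.org"
    EAP-Message = 0x02ff001901686f73742f7063312e6578616d706c652e6f7267
    Message-Authenticator = 0x6a1f0c3be2d54f7a9c8b0e1d2f3a4b5c
Sending Access-Challenge of id 11 to 192.0.2.5 port 54217
    EAP-Message = 0x010100060d20
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x642534cc642539e20b4be1e3ae0328c0
rad_recv: Access-Request packet from host 192.0.2.5 port 54217, id=12, length=80
    User-Name = "host/pc1.example.org"
    EAP-Message = 0x020100060d00
    State = 0x642534cc642539e20b4be1e3ae0328c0
    Message-Authenticator = 0x7b2e1d4cf3a65b8badc9f0e1d2c3b4a5
Sending Access-Challenge of id 12 to 192.0.2.5 port 54217
    EAP-Message = 0x010200060d00
    State = 0x642534cc652539e20b4be1e3ae0328c0
rad_recv: Access-Request packet from host 192.0.2.5 port 54217, id=13, length=80
    User-Name = "host/pc1.example.org"
    EAP-Message = 0x020200060d00
    State = 0x8df2b5f98df2b8eb6e43e372671f4335
    Message-Authenticator = 0x8c3f2e5d04b76c9cbeda01f2e3d4c5b6
rad_recv: Access-Request packet from host 192.0.2.5 port 54217, id=14, length=62
    User-Name = "host/pc1.example.org"
    EAP-Message = 0x020300060d00
    Message-Authenticator = 0x9d403f6e15c87dadcfeb1203f4e5d6c7
"""

if __name__ == "__main__":
    for rid, verdict in audit(SAMPLE_LOG):
        print(f"id={rid}: {verdict}: {VERDICTS[verdict]}")
```

Run it over a real capture (radiusd -X > debug.log; audit(open("debug.log").read())) and look at the unknown-state hits: a State issued by a different server points at a NAS round-robining packets between servers, a State older than timer_expire or than the last restart points at a timer or restart, and missing-state means the NAS dropped the attribute on the way back.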
AW: EAP-TLS Failed in handler question
Hi!

First, thanks for your response.

> > My first question is, how can I decode a EAP-Message from the debug
>
> Wireshark, or read the EAP RFC and decode it manually (see below)

ok, I believe I got lucky and got a tcpdump trace on a client yesterday ... need to check it, and if it is the same problem I'll provide more info.

> > log to check if the request is itself ok. Here is first packet from
>
> No, this is *not* the first packet, because it has a "State" attribute,
> which is only present in 2nd and subsequent packets of the EAP exchange.

With first packet I meant first packet the radius server saw in some time ... the switch forces a re-authentication every 2h

> The reason you're getting the error message is that the "State"
> attribute is unknown, so FR can't proceed with the EAP session and has
> no choice but to drop it.
>
> Check you haven't reduced the "timer_expire" value in eap.conf to a
> too-low value.

# A list is maintained to correlate EAP-Response
# packets with EAP-Request packets. After a
# configurable length of time, entries in the list
# expire, and are deleted.
#
timer_expire = 120

default was 60 .. I doubled it some weeks ago, as I saw "No EAP session matching the State variable" entries in the log.

> How many FR servers do you have serving this NAS? Is it possible the NAS
> is sending packets in a round-robin fashion (which is bad) which is why
> you're seeing a packet for which you don't have State?

In this case it is only one .. we're running in pre-production with the IT department clients (about 100 clients) to make sure it is stable before rollout. But in production it will be more than one ... good point, we need to check that too, before going into production.

> I guess it's possible something is mangling the State attribute from the
> previous packet (which is *actually* the first packet).
>
> Otherwise, the client or NAS is doing something odd.
>
> It *could* be that the client just got stuck and is responding (very)
> late. But I'm quite surprised the NAS didn't timeout the EAP auth before
> that.

We're running Extreme Networks Switches with following timers set:

configure netlogin dot1x timers quiet-period 30
configure netlogin dot1x timers reauth-period 7200

following other timers are set to the default values:

server-timeout       Configure RADIUS server timeout for 802.1X
supp-resp-timeout    Configure supplicant response timeout

> > rad_recv: Access-Request packet from host 10.xxx.xxx.4 port 44519,
> > id=151, length=244
> > User-Name = "host/x.tirol.local"
> > EAP-Message = 0x02ff00690d80005f160301005a01
>
> Ok so this says:
>
> 02 - eap response
> ff - eap ID 255 - bit odd..
> 0069 - length in hex
> 0d - eap type 13 (EAP-TLS)
> 80 - eap TLS flags = length included
> 005f - tls length
> 160301 - TLS packet 0x16==22==handshake record, version 3,1 (TLS 1.0)
> 005a - record length
> 01 - handshake=client hello

cool !!

> etc. etc.
>
> So, it's the start of an EAP-TLS exchange, but as above, it's *not* the
> first packet. If you start a tcpdump on the server, you'll see how this
> works:
>
> C: Access-Request, no state, EAP-Identity=abc
> S: Access-Challenge, state=, EAP-TLS blah
> C: Access-Request, state=, EAP-TLS blah

ok

> i.e. the NAS has to reflect the "State" back to FreeRADIUS on each
> packet. Something is interfering with that, or erasing the "State" at
> your end (a timer or restart).
>
> > rlm_eap: No EAP session matching the State variable
>
> See?

But I didn't see a reason for it ;-)

> > Invalid means I return a reject ... should I return something else?
>
> No.

but reject means the switch sets the port to the guest vlan, and therefore the PC loses the connections ... is there a way to request a new full eap/tls handshake from the client?

> > Is this a client problem or a misconfiguration on my part?
>
> It's probably a client or NAS problem, unless you've set timer_expire
> too low.
>
> However: I guess this could also happen right after the server is
> restarted. Could that be it - is a cron job restarting it maybe?

no the server is running for > 10 days but if I would restart the server I would reject all clients to the guest vlan on reauthentication after that ... that can't be the designed way.

Robert
Re: EAP-TLS error: RSA_padding_check_PKCS1_type_1:block type is not 01
On 20/11/12 12:38, Swaraj wrote:
> Tue Nov 20 16:48:05 2012 : Error: rlm_eap: SSL error error:0407006A:rsa
> routines:RSA_padding_check_PKCS1_type_1:block type is not 01

That's very odd. It looks like a problem with OpenSSL - maybe endian-ness or something?

> I created certificates with the following commands:

Did you create them *on* the ARM device? Can you verify them with "openssl verify" *on* the ARM device?
Re: EAP-TLS error: RSA_padding_check_PKCS1_type_1:block type is not 01
On 20/11/12 13:26, Alan DeKok wrote:
> Swaraj wrote:
>> I'm using Freeradius server 2.1.12 on x86 fedora14. My client is using
>> (armel ubuntu 10.04 lucid) IMX53 board. When I try connecting to radius
>> server I am receiving the following errors.
>
> The client is broken. It's not doing SSL correctly.

Oops yes ignore my email; I thought the *server* was running on the IMX.
Re: EAP-TLS error: RSA_padding_check_PKCS1_type_1:block type is not 01
Swaraj wrote:
> I'm using Freeradius server 2.1.12 on x86 fedora14. My client is using
> (armel ubuntu 10.04 lucid) IMX53 board. When I try connecting to radius
> server I am receiving the following errors.

The client is broken. It's not doing SSL correctly.

> Do we require different certificates for arm boards, as I was able to
> run without any issues on x86 with same certificates.

Because it has different software.

> Tue Nov 20 16:48:05 2012 : Error: TLS Alert write:fatal:decrypt error
> Tue Nov 20 16:48:05 2012 : Error: TLS_accept: failed in SSLv3 read
> certificate verify B
> Tue Nov 20 16:48:05 2012 : Error: rlm_eap: SSL error error:0407006A:rsa
> routines:RSA_padding_check_PKCS1_type_1:block type is not 01

You CANNOT fix this by poking FreeRADIUS.

> I created certificates with the following commands:

This is NOT a certificate issue. Notice that the error is NOT complaining about certificates.

And why use your own commands to create certs? The scripts in raddb/certs WORK.

Alan DeKok.
EAP-TLS error: RSA_padding_check_PKCS1_type_1:block type is not 01
Hi All,

I'm using Freeradius server 2.1.12 on x86 fedora14. My client is using (armel ubuntu 10.04 lucid) IMX53 board. When I try connecting to radius server I am receiving the following errors.

Do we require different certificates for arm boards, as I was able to run without any issues on x86 with same certificates.

openssl version is 0.9.8g (on arm board)
openssl version is 1.0.0a-fips (on x86 free radius server 2.1.12)

/*ERROR: --- */
rad_recv: Access-Request packet from host 10.0.0.70 port 2050, id=8, length=166
	User-Name = "testuser"
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 0
	Called-Station-Id = "68-7F-74-64-0A-AA:linksys"
	Calling-Station-Id = "00-23-A7-3B-29-2C"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 0Mbps 802.11"
	EAP-Message = 0x020300060d00
	State = 0xba89e950b88ae454eff4b9964b6ca194
	Message-Authenticator = 0x3f69e77da835e1450b33224899e816b2
Tue Nov 20 16:48:05 2012 : Info: # Executing section authorize from file /usr/local/etc/raddb/radiusd.conf
Tue Nov 20 16:48:05 2012 : Info: +- entering group authorize {...}
Tue Nov 20 16:48:05 2012 : Info: ++[preprocess] returns ok
Tue Nov 20 16:48:05 2012 : Info: ++[chap] returns noop
Tue Nov 20 16:48:05 2012 : Info: ++[mschap] returns noop
Tue Nov 20 16:48:05 2012 : Info: [suffix] No '@' in User-Name = "testuser", looking up realm NULL
Tue Nov 20 16:48:05 2012 : Info: [suffix] No such realm "NULL"
Tue Nov 20 16:48:05 2012 : Info: ++[suffix] returns noop
Tue Nov 20 16:48:05 2012 : Info: [eap] EAP packet type response id 3 length 6
Tue Nov 20 16:48:05 2012 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Tue Nov 20 16:48:05 2012 : Info: ++[eap] returns updated
Tue Nov 20 16:48:05 2012 : Info: [files] users: Matched entry testuser at line 131
Tue Nov 20 16:48:05 2012 : Info: ++[files] returns ok
Tue Nov 20 16:48:05 2012 : Info: Found Auth-Type = EAP
Tue Nov 20 16:48:05 2012 : Info: # Executing group from file /usr/local/etc/raddb/radiusd.conf
Tue Nov 20 16:48:05 2012 : Info: +- entering group authenticate {...}
Tue Nov 20 16:48:05 2012 : Info: [eap] Request found, released from the list
Tue Nov 20 16:48:05 2012 : Info: [eap] EAP/tls
Tue Nov 20 16:48:05 2012 : Info: [eap] processing type tls
Tue Nov 20 16:48:05 2012 : Info: [tls] Authenticate
Tue Nov 20 16:48:05 2012 : Info: [tls] processing EAP-TLS
Tue Nov 20 16:48:05 2012 : Info: [tls] Received TLS ACK
Tue Nov 20 16:48:05 2012 : Info: [tls] ACK handshake fragment handler
Tue Nov 20 16:48:05 2012 : Info: [tls] eaptls_verify returned 1
Tue Nov 20 16:48:05 2012 : Info: [tls] eaptls_process returned 13
Tue Nov 20 16:48:05 2012 : Info: ++[eap] returns handled
Sending Access-Challenge of id 8 to 10.0.0.70 port 2050
	EAP-Message = 0x026161310a300806035504031301610e00
	Message-Authenticator = 0x
	State = 0xba89e950b98de454eff4b9964b6ca194
Tue Nov 20 16:48:05 2012 : Info: Finished request 8.
Tue Nov 20 16:48:05 2012 : Debug: Going to the next request
Tue Nov 20 16:48:05 2012 : Debug: Waking up in 0.5 seconds.
rad_recv: Access-Request packet from host 10.0.0.70 port 2050, id=9, length=1287
	User-Name = "testuser"
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 0
	Called-Station-Id = "68-7F-74-64-0A-AA:linksys"
	Calling-Station-Id = "00-23-A7-3B-29-2C"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 0Mbps 802.11"
	EAP-Message = 0x0204045f0d0016030103030b0002ff0002fc0002f9308202f53082025ea003020102020900958dbc5fc22a1e39300d06092a864886f70d0101040500305b310a30080
Re: EAP-TLS Failed in handler question
On 11/19/2012 08:23 AM, PENZ Robert wrote:
> My first question is, how can I decode a EAP-Message from the debug

Wireshark, or read the EAP RFC and decode it manually (see below)

> log to check if the request is itself ok. Here is first packet from

No, this is *not* the first packet, because it has a "State" attribute, which is only present in 2nd and subsequent packets of the EAP exchange.

The reason you're getting the error message is that the "State" attribute is unknown, so FR can't proceed with the EAP session and has no choice but to drop it.

Check you haven't reduced the "timer_expire" value in eap.conf to a too-low value.

How many FR servers do you have serving this NAS? Is it possible the NAS is sending packets in a round-robin fashion (which is bad) which is why you're seeing a packet for which you don't have State?

I guess it's possible something is mangling the State attribute from the previous packet (which is *actually* the first packet).

Otherwise, the client or NAS is doing something odd.

> this client in some time, and it already generates the error. But the
> same client worked before and after it for days without a problem:

It *could* be that the client just got stuck and is responding (very) late. But I'm quite surprised the NAS didn't timeout the EAP auth before that.

> rad_recv: Access-Request packet from host 10.xxx.xxx.4 port 44519,
> id=151, length=244
> User-Name = "host/x.tirol.local"
> EAP-Message = 0x02ff00690d80005f160301005a01

Ok so this says:

02 - eap response
ff - eap ID 255 - bit odd..
0069 - length in hex
0d - eap type 13 (EAP-TLS)
80 - eap TLS flags = length included
005f - tls length
160301 - TLS packet 0x16==22==handshake record, version 3,1 (TLS 1.0)
005a - record length
01 - handshake=client hello

etc. etc.

So, it's the start of an EAP-TLS exchange, but as above, it's *not* the first packet. If you start a tcpdump on the server, you'll see how this works:

C: Access-Request, no state, EAP-Identity=abc
S: Access-Challenge, state=, EAP-TLS blah
C: Access-Request, state=, EAP-TLS blah

i.e. the NAS has to reflect the "State" back to FreeRADIUS on each packet. Something is interfering with that, or erasing the "State" at your end (a timer or restart).

> rlm_eap: No EAP session matching the State variable

See?

> Invalid means I return a reject ... should I return something else?

No.

> Is this a client problem or a misconfiguration on my part?

It's probably a client or NAS problem, unless you've set tim­er_expire too low.

However: I guess this could also happen right after the server is restarted. Could that be it - is a cron job restarting it maybe?
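Phil decodes the EAP-Message by hand above. What follows is an added example, not part of the thread or of FreeRADIUS: a small stdlib-only decoder for the hex EAP-Message values radiusd -X prints. It covers EAP-Response/Identity, the EAP-TLS flags byte and the four-byte TLS message length that RFC 5216 puts after it when the L flag is set, and, for an unfragmented handshake record, the ClientHello fields (version, cipher suites, extension IDs). Both sample packets are constructed: the identity "host/pc1.example.org" is made up, and the ClientHello packet reuses the header values Phil decodes (response, id 255, length 0x69, EAP-TLS, L flag, TLS 1.0 handshake record of 0x5a bytes, client_hello) with a synthetic random and self-consistent lengths. The hex as quoted in the thread is 95 bytes long while its own EAP length field says 0x69 = 105, so the decoder reports a length mismatch on it instead of guessing.

```python
"""Decode the hex EAP-Message values radiusd -X prints (RFC 3748 EAP, RFC 5216
EAP-TLS, RFC 2246/5246 TLS records). Added example, not FreeRADIUS code."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE = {1: "client_hello", 2: "server_hello", 11: "certificate",
             13: "certificate_request", 15: "certificate_verify", 16: "client_key_exchange"}


def decode_eap(hexvalue):
    """Parse one (possibly reassembled) EAP-Message into a dict. Short or inconsistent
    input is reported under 'error' rather than raising."""
    data = bytes.fromhex(hexvalue[2:] if hexvalue.startswith("0x") else hexvalue)
    if len(data) < 4:
        return {"error": "shorter than the 4-byte EAP header"}
    code, ident, length = struct.unpack("!BBH", data[:4])
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if length != len(data):
        out["error"] = f"EAP length field says {length} bytes but {len(data)} are present"
        return out
    if code not in (1, 2) or length < 5:        # Success/Failure carry no type byte
        return out
    eap_type = data[4]
    out["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:
        out["identity"] = data[5:].decode("utf-8", "replace")
    elif eap_type == 13:
        out.update(decode_eap_tls(data[5:]))
    return out


def decode_eap_tls(body):
    """EAP-TLS data: flags (L = length included, M = more fragments, S = start),
    a 4-byte TLS message length when L is set, then raw TLS record bytes."""
    if not body:
        return {"error": "EAP-TLS without a flags byte"}
    flags = body[0]
    out = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
    pos = 1
    if out["L"]:
        if len(body) < 5:
            out["error"] = "L flag set but no 4-byte TLS message length"
            return out
        out["tls_length"] = struct.unpack("!I", body[1:5])[0]
        pos = 5
    payload = body[pos:]
    if not payload:
        out["ack"] = True                       # flags only: an EAP-TLS ACK, or the server's Start
        return out
    if len(payload) < 5:
        out["error"] = "truncated TLS record header"
        return out
    ctype, ver, rlen = struct.unpack("!BHH", payload[:5])
    out["record"] = {"type": TLS_CONTENT.get(ctype, ctype),
                     "version": TLS_VERSIONS.get(ver, hex(ver)), "length": rlen}
    if ctype == 22 and len(payload) >= 5 + rlen:    # whole record present, not a fragment
        htype = payload[5]
        out["handshake"] = HANDSHAKE.get(htype, htype)
        if htype == 1:
            out["client_hello"] = decode_client_hello(payload[9:5 + rlen])
    return out


def decode_client_hello(b):
    ver = struct.unpack("!H", b[:2])[0]
    pos = 2 + 32                                # client_version, then the 32-byte random
    pos += 1 + b[pos]                           # session_id
    cs_len = struct.unpack("!H", b[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", b[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + b[pos]                           # compression_methods
    exts = []
    if pos + 2 <= len(b):                       # the extensions block is optional
        end = pos + 2 + struct.unpack("!H", b[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", b[pos:pos + 4])
            exts.append(etype)
            pos += 4 + elen
    return {"version": TLS_VERSIONS.get(ver, hex(ver)), "cipher_suites": suites, "extensions": exts}


# Constructed EAP-Response/Identity for the made-up name "host/pc1.example.org".
IDENTITY_HEX = "0x02ff001901686f73742f7063312e6578616d706c652e6f7267"

# Constructed EAP-TLS packet carrying a TLS 1.0 ClientHello: header values as decoded
# in the thread, synthetic random, lengths consistent with each other.
CLIENT_HELLO_HEX = (
    "0x02ff0069"        # EAP Response, id 255, length 105
    "0d80" "0000005f"   # type 13 EAP-TLS, flags L, TLS message length 95
    "160301005a"        # TLS record: handshake, version 3.1 (TLS 1.0), length 90
    "01000056"          # handshake: client_hello, length 86
    "0301"              # client_version
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"  # random
    "00"                # session_id length 0
    "0018002f00350005000ac013c014c009c00a0032003800130004"  # 12 cipher suites
    "0100"              # compression: null only
    "0015"              # extensions length 21
    "ff01000100"        # renegotiation_info
    "000a0006000400170018"  # elliptic_curves: secp256r1, secp384r1
    "000b00020100"      # ec_point_formats: uncompressed
)

if __name__ == "__main__":
    for h in (IDENTITY_HEX, CLIENT_HELLO_HEX):
        print(decode_eap(h))
```

Paste any EAP-Message value from a debug log into decode_eap; when several EAP-Message attributes appear in one request, strip their 0x prefixes and concatenate them first, since RFC 3579 splits one EAP packet across attributes of at most 253 bytes.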
EAP-TLS Failed in handler question
Hi!

I've activated 802.1x (EAP-TLS) on a wired network, and it works 99% of the time ... just some authentications fail, but some minutes later the same client authenticates without a problem. As it happens only once every few days and always with a new client I cannot put a sniffer between the PC and switch, as I don't know which client is the next. But I enabled the debug logging on the freeradius server. The clients are Windows 7 PCs and I'm running freeradius2-2.1.12-3.el5 on RHEL5.

My first question is, how can I decode an EAP-Message from the debug log to check if the request is itself ok. Here is the first packet from this client in some time, and it already generates the error. But the same client worked before and after it for days without a problem:

rad_recv: Access-Request packet from host 10.xxx.xxx.4 port 44519, id=151, length=244
	User-Name = "host/x.tirol.local"
	EAP-Message = 0x02ff00690d80005f160301005a0156030150a6115ee4ca2d9456a7fa7edad2fb1c7b221fc747eb78eb4d789ff077c48ef818002f00350005000ac013c014c009c00a00320038001300040115ff0100010a0006000400170018000b00020100
	NAS-IP-Address = 10.xxx.xxx.4
	Service-Type = Login-User
	Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
	NAS-Port-Id = "2:3"
	NAS-Port = 2003
	NAS-Port-Type = Ethernet
	State = 0x8df2b5f98df2b8eb6e43e372671f4335
	Message-Authenticator = 0x6822006f5e7cf03d00a08b04869d19d8

and the relevant other log lines:

++? if (!EAP-Message)
? Evaluating !(EAP-Message) -> FALSE
++? if (!EAP-Message) -> FALSE
++- entering else else {...}
[eap] EAP packet type response id 255 length 105
[eap] No EAP Start, assuming it's an on-going EAP conversation
+++[eap] returns updated
++- else else returns updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group EAP {...}
rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
[eap] Failed in handler
++[eap] returns invalid

Invalid means I return a reject ... should I return something else? Is this a client problem or a misconfiguration on my part?

Thanks for your help!

Kind regards
Robert Penz

--
Dipl.Inf. Robert Penz
DVT - Daten-Verarbeitung-Tirol GmbH
Adamgasse 22, 6020 Innsbruck
Tel: +43 (0)512 508 3334 / Fax: +43 (0)512 508 3355
E-Mail: robert.p...@tirol.gv.at
Re: Wireless EAP-TLS Login from Notebook with User and PASSWORD
On 11/07/2012 08:33 AM, sierramailp...@gmx.de wrote:
> Hey there,
>
> I've set up a freeradius server and am using EAP-TLS, and would need
> some help from you. The users file contains the username and the
> password being allowed to connect after the TLS connection has been
> established, and this is working on an android phone with no problems
> so far. One can set up
>
> - CA Cert
> - User Cert
> - Login Name and
> - Password
>
> But I don't have an option to enter a password when I try to connect
> from the notebook, running Windows7.

EAP-TLS doesn't *use* a username/password. Just the client cert. If you want passwords, you want PEAP or TTLS.
Wireless EAP-TLS Login from Notebook with User and PASSWORD
Hey there,

I've set up a freeradius server and am using EAP-TLS, and would need some help from you. The users file contains the username and the password being allowed to connect after the TLS connection has been established, and this is working on an android phone with no problems so far. One can set up

- CA Cert
- User Cert
- Login Name and
- Password

But I don't have an option to enter a password when I try to connect from the notebook, running Windows7. Is there an add-on tool one can use to deliver the password as well, or do I have to drop the user-pass auth from ttls completely?

FR is V2
EAP is set to allow TLS only
Users file contains cleartext password auth (used from ttls, which has been used before)

Thanks in advance and best regards
Martin
Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi
Phil Mayers wrote:
> Is it possible your wireless networking equipment is mangling the
> hostnames? Which vendor are you using?

Hmm, I can check that again, it's an old Linksys AP. I'll see if that happens also with the other, more professional hardware we have.

> Have you verified that you really are receiving "hostname" instead of
> "host/hostname"? Verified with a reliable tool i.e. "tcpdump" on the
> RADIUS server?

No, I just took the debug mode from FR. But it's good to know that the normal behaviour of Windows is to use a unique login name for all kinds of machine-based auth.

Bye
Alex
Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi
On 12/10/12 13:59, Alexandros Gougousoudis wrote:
> Hi David,
>
> David Mitton wrote:
>> If the OP is observing such behavior, he needs to figure out why (what
>> turned it on, is it consistent or the same for all users) and work with
>> that.
>
> It is consistent for all machines in the network. To figure out why this
> happened is exactly what I want to do. But I need a good point to start.
> At least in MS-TechNet there is no usable information about that
> behaviour. But - as always - it depends also on the kind of question.
> Maybe I used the wrong keywords for the search. At the moment I can't
> see any light at the end of the tunnel.

It's interesting that the problem occurs on your wireless network. Is it possible your wireless networking equipment is mangling the hostnames? Which vendor are you using?

Have you verified that you really are receiving "hostname" instead of "host/hostname"? Verified with a reliable tool i.e. "tcpdump" on the RADIUS server?
Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi
On 12/10/12 13:48, David Mitton wrote:
> The behavior _is_ configurable, but as you have observed for your
> particular network, the default is not to attempt machine auth. It is
> configurable on a per-network connection basis, I'm getting fuzzy on if
> it's adapter or SSID based.

No, you've misunderstood the point I'm making. I am aware that machine and user auth are configurable (FYI, it's per-adapter on LAN, per SSID on wireless).

The issue the OP seems to be facing is that, when *doing* machine auth, he gets different format names on wired versus wireless. Windows doesn't do that, so either his RADIUS config or Wi-Fi network is mangling them.
Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi
Hi David,

David Mitton schrieb:
> If the OP is observing such behavior, he needs to figure out why (what turned it on, is it consistent or the same for all users) and work with that.

It is consistent for all machines in the network. To figure out why this happened is exactly what I want to do. But I need a good point to start. At least in MS-TechNet there is no usable information about that behaviour. But - as always - it depends also on the kind of question. Maybe I used the wrong keywords for the search. At the moment I can't see any light at the end of the tunnel.

Bye
Alex
Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi
The behavior _is_ configurable, but as you have observed for your particular network, the default is not to attempt machine auth. It is configurable on a per-network connection basis, I'm getting fuzzy on if it's adapter or SSID based.

If the OP is observing such behavior, he needs to figure out why (what turned it on, is it consistent or the same for all users) and work with that.

Dave.

Quoting Phil Mayers :
> On 10/12/2012 09:55 AM, Alexandros Gougousoudis wrote:
>> Hi Alan,
>>
>> Alan DeKok schrieb:
>>>> Freeradius. Using Linux I can send whatever I want as the loginname.
>>> If you know you can change the client, then change the client.
>>
>> This is exactly what I want to do! Change the loginname the client sends to the Authenticator. It's a Windows 802.1x question, not a question how to configure FR. FR does everything alright. But most FR people here have more knowledge about Windows 802.1x, than the Windows people in a Windows group/list.
>
> To repeat: I don't see that behaviour. In my observation, windows sends host/ on both wired and wireless. Are you sure you aren't mangling the hostnames somehow?
Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi
Hi,

Phil Mayers schrieb:
> We don't see that behaviour. We consistently see "host/". Check you aren't mangling the hostnames in your FreeRADIUS config.

Strange, but thanks for watching. We're not mangling anything in FR. That's what I see, running FR in Debug-Mode. Maybe because we're running on an NT4-Sambadomain and are not using an AD? Since XP SP3 we establish a machine-auth via exporting, textediting and importing the profile-xml of the specific LAN-interface, we're authenticating using EAP-TLS, CN of the cert is the . Machine-auth via WLAN is done by a registry-change.

Ok, I'll keep looking.

bye
Alex
Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi
On 10/12/2012 09:59 AM, Alexandros Gougousoudis wrote:
> Hi Phil,
>
> Phil Mayers schrieb:
>> I don't understand - you're saying that, for windows clients:
>>
>> 1. On wi-fi they send host/name.domain.com
>> 2. On LAN, they send... something else?
>>
>> Are you sure? We don't see that.
>
> Exactly. On wifi they send
>
> on LAN they send:
>
> host/

We don't see that behaviour. We consistently see "host/". Check you aren't mangling the hostnames in your FreeRADIUS config.
Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi
Hi,

> Phil Mayers schrieb:
>> I don't understand - you're saying that, for windows clients:
>>
>> 1. On wi-fi they send host/name.domain.com
>> 2. On LAN, they send... something else?
>>
>> Are you sure? We don't see that.

I agree

> Exactly. On wifi they send
>
> on LAN they send:
>
> host/
>
> is the Windowshostname from the systemsettings.

We don't see that. We see host/machinename.domain on both wired and wireless.

alan
Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi
On 10/12/2012 09:55 AM, Alexandros Gougousoudis wrote:
> Hi Alan,
>
> Alan DeKok schrieb:
>>> Freeradius. Using Linux I can send whatever I want as the loginname.
>> If you know you can change the client, then change the client.
>
> This is exactly what I want to do! Change the loginname the client sends to the Authenticator. It's a Windows 802.1x question, not a question how to configure FR. FR does everything alright. But most FR people here have more knowledge about Windows 802.1x, than the Windows people in a Windows group/list.

To repeat: I don't see that behaviour. In my observation, windows sends host/ on both wired and wireless. Are you sure you aren't mangling the hostnames somehow?
Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi
Hi Phil,

Phil Mayers schrieb:
> I don't understand - you're saying that, for windows clients:
>
> 1. On wi-fi they send host/name.domain.com
> 2. On LAN, they send... something else?
>
> Are you sure? We don't see that.

Exactly. On wifi they send

on LAN they send:

host/

is the Windowshostname from the systemsettings.

bye
Alex
Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi
Hi Alan,

Alan DeKok schrieb:
>> Freeradius. Using Linux I can send whatever I want as the loginname.
> If you know you can change the client, then change the client.

This is exactly what I want to do! Change the loginname the client sends to the Authenticator. It's a Windows 802.1x question, not a question how to configure FR. FR does everything alright. But most FR people here have more knowledge about Windows 802.1x, than the Windows people in a Windows group/list.

bye
Alex
Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi
Alexandros Gougousoudis wrote:
> That's not clear. Why would that break EAP if the workstations are sending a different Login?

You said you wanted to add a string to hostname. Don't do that. Editing it in FreeRADIUS will break things.

> It already does, depending on LAN or WLAN Logins. I don't mean some kind of rewrite or redirect inside of Freeradius. Using Linux I can send whatever I want as the loginname.

If you know you can change the client, then change the client.

> I have now a more or less complicated regex rule in the radsecproxy, but I thought it's more elegant to unify both logins. I thought doing it in the profile-xml-file of the LAN connection in Win, but unfortunately it's not the right place for it. At least all official resources I can find from MS, are not pointing out how to do that.

I can't help there.

Alan DeKok.
Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi
On 11/10/12 12:43, Alexandros Gougousoudis wrote:
> Hi,
>
> we're using FR 2.0 for our machine authentication for XP to Win7 with EAP-TLS. Everything is working so far, but I noticed a difference between authenticating via WLAN and LAN, which starts to be a problem for us now.
>
> If I make an auth via LAN the provided username is , if I do it via WLAN it is host/. While we use "host/" as a realm for our Radsecproxy, I'd like to change the behaviour for the authentication via LAN and add a string to the (i.e. "host/" or something else) to unify the login for WLAN and LAN.

I don't understand - you're saying that, for windows clients:

1. On wi-fi they send host/name.domain.com
2. On LAN, they send... something else?

Are you sure? We don't see that.
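Phil's advice in this thread is to check with tcpdump what User-Name the RADIUS server really receives rather than trusting the FreeRADIUS debug output, and the original poster mentions classifying identities by their "host/" prefix in radsecproxy. The following is an added Python example written for this page; it is not code from the list, from FreeRADIUS or from radsecproxy. It decodes the User-Name and NAS-Port-Type attributes straight from a RADIUS Access-Request datagram (the kind of bytes a capture on the server would give you), labels the identity as the Windows machine form (host/fqdn) or not, and reports whether a wired and a wireless request differ in format. The datagrams, the hostnames (pc01.example.com and friends) and the zeroed authenticator are constructed sample data, not captured traffic.

```python
"""Decode the User-Name a RADIUS server actually received from the raw
Access-Request datagram, so a wired-vs-wireless difference in identity
format can be confirmed independently of the server's own debug output.
Added example; constructed sample data, no real captures."""
import re
import struct

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1          # RFC 2865 attribute 1
ATTR_NAS_PORT_TYPE = 61     # RFC 2865 attribute 61
NAS_PORT_TYPE_NAMES = {15: "Ethernet", 19: "Wireless-802.11"}

# The machine identity Windows sends looks like "host/name.domain.tld".
MACHINE_ID_RE = re.compile(r"^host/(?P<fqdn>[A-Za-z0-9][A-Za-z0-9.-]*)$",
                           re.IGNORECASE)


def build_access_request(user_name, nas_port_type, ident=1):
    """Build a constructed Access-Request for testing (not a real capture).

    A real request carries 16 random authenticator bytes; zeros are used here
    because this example only looks at the attribute list.
    """
    name = user_name.encode("utf-8")
    attrs = struct.pack("!BB", ATTR_USER_NAME, 2 + len(name)) + name
    attrs += struct.pack("!BBI", ATTR_NAS_PORT_TYPE, 6, nas_port_type)
    authenticator = bytes(16)
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(datagram):
    """Return {attribute type: [raw value, ...]} using the RFC 2865 layout:
    Code(1) Identifier(1) Length(2) Authenticator(16) then Type/Length/Value
    attributes whose Length byte counts its own two header bytes."""
    if len(datagram) < 20:
        raise ValueError("datagram shorter than the RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", datagram[:4])
    if length < 20 or length > len(datagram):
        raise ValueError("Length field is inconsistent with the datagram")
    attrs = {}
    offset = 20
    while offset < length:
        if offset + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = datagram[offset], datagram[offset + 1]
        if alen < 2 or offset + alen > length:
            raise ValueError("attribute length out of bounds")
        attrs.setdefault(atype, []).append(datagram[offset + 2:offset + alen])
        offset += alen
    return attrs


def received_identity(datagram):
    """Return (User-Name, NAS-Port-Type name) exactly as carried on the wire."""
    attrs = parse_attributes(datagram)
    names = attrs.get(ATTR_USER_NAME, [])
    if len(names) != 1:
        raise ValueError("expected exactly one User-Name attribute")
    port_type = "unknown"
    for raw in attrs.get(ATTR_NAS_PORT_TYPE, [])[:1]:
        value = struct.unpack("!I", raw)[0]
        port_type = NAS_PORT_TYPE_NAMES.get(value, str(value))
    return names[0].decode("utf-8", "replace"), port_type


def classify_identity(user_name):
    """('machine', fqdn) when the name has the host/ prefix, else ('other', name)."""
    match = MACHINE_ID_RE.match(user_name)
    if match:
        return "machine", match.group("fqdn").lower()
    return "other", user_name


def formats_differ(wired_datagram, wireless_datagram):
    """True when the two requests carry differently formatted identities."""
    wired_kind = classify_identity(received_identity(wired_datagram)[0])[0]
    wireless_kind = classify_identity(received_identity(wireless_datagram)[0])[0]
    return wired_kind != wireless_kind


if __name__ == "__main__":
    # Constructed samples mirroring the symptom discussed in the thread.
    wired = build_access_request("PC01", 15)
    wireless = build_access_request("host/pc01.example.com", 19)
    for pkt in (wired, wireless):
        name, port = received_identity(pkt)
        print(port, repr(name), classify_identity(name))
    print("formats differ:", formats_differ(wired, wireless))
```

The example only reads and labels the identity; it deliberately does not rewrite User-Name, in line with Alan's point in the thread that editing the name inside FreeRADIUS breaks things. Feeding it the UDP payloads from a server-side capture, grouped by NAS-Port-Type, answers Phil's question directly: either the wired and wireless requests arrive in different formats, or the difference is introduced somewhere after the packet is received.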