Re: Freeradius 2 , TTLS/PAP, multiples questions

2012-06-19 Thread Matthew Newton
On Tue, Jun 19, 2012 at 03:02:09AM -0700, akkouche wrote:
> I try to configure TLS with PAP, it does not work?

http://wiki.freeradius.org/FAQ#It-still-doesn%27t-work%21



-- 
Matthew Newton, Ph.D. 

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, 
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius 2 , TTLS/PAP, multiples questions

2012-06-19 Thread akkouche
I try to configure TLS with PAP, it does not work?

-
kahina akkouche


Re: Freeradius 2 , TTLS/PAP, multiples questions

2012-06-19 Thread akkouche
hello, 
I try to configure TLS with PAP but it does not work?
How to do this?

-
kahina akkouche


Re: Freeradius 2 , TTLS/PAP, multiples questions

2009-04-17 Thread Alan DeKok
Jérôme BERTHIER wrote:
> When no cache is enabled on radius (eap.conf / cache / enable=no),
> clients using NetworkManager are not able to re-negotiate
> authentication because they are always trying to resume their session.

  Maybe I'm missing something... those clients worked with 2.0.5, didn't
they?

  If you disable the session cache, then OpenSSL should tell the clients
during SSL negotiation that sessions can't be resumed.  FreeRADIUS sets
the "no cache" flag in OpenSSL.

  But... that flag wasn't set in earlier versions of FreeRADIUS.  So
maybe setting it causes OpenSSL to *allow* session resumption?

  I don't know... OpenSSL is *weird*.

  Alan DeKok.


Re: Freeradius 2 , TTLS/PAP, multiples questions

2009-04-17 Thread Jérôme BERTHIER

Alan DeKok wrote:

> Jérôme BERTHIER wrote:
>> Sorry. It means that when the NAS asks for reauthentication (after
>> reauth-period timeout has expired), clients won't stop trying to
>> re-connect using the session resumption option again and again.
>> Here, an extract from freeradius debug:
>> [ttls] eaptls_process returned 3
>> [ttls] Skipping Phase2 due to session resumption
>> [ttls] FAIL: Forcibly stopping session resumption as it is not allowed.
>
>   What's "reauth-period"?
>
>   If the session cache is enabled, then the entries should be deleted
> after "lifetime" hours.  Once the entries are deleted, they will not be
> in the cache, and attempts to re-use the cached session should cause a
> re-negotiation.
>
>   Alan DeKok.

reauth-period is a NAS parameter. It specifies the period after which
reauthentication is needed.
When no cache is enabled on radius (eap.conf / cache / enable=no),
clients using NetworkManager are not able to re-negotiate
authentication because they are always trying to resume their session.
I can't find any option to fix that on the client.


--
Jérôme BERTHIER
INRIA Bordeaux - Sud-Ouest
Service des Moyens Informatiques
05 24 57 40 50





Re: Freeradius 2 , TTLS/PAP, multiples questions

2009-04-17 Thread Alan DeKok
Jérôme BERTHIER wrote:
> Sorry. It means that when the NAS asks for reauthentication (after
> reauth-period timeout has expired), clients won't stop trying to
> re-connect using the session resumption option again and again.
> Here, an extract from freeradius debug:
> [ttls] eaptls_process returned 3
> [ttls] Skipping Phase2 due to session resumption
> [ttls] FAIL: Forcibly stopping session resumption as it is not allowed.

  What's "reauth-period"?

  If the session cache is enabled, then the entries should be deleted
after "lifetime" hours.  Once the entries are deleted, they will not be
in the cache, and attempts to re-use the cached session should cause a
re-negotiation.

  Alan DeKok.


Re: Freeradius 2 , TTLS/PAP, multiples questions

2009-04-17 Thread Jérôme BERTHIER

Alan DeKok wrote:

> Jérôme BERTHIER wrote:
>> I'm trying to configure Freeradius 2 to implement EAP/TTLS-PAP
>> authentication method on my Cisco AP1242. It works but I'd like some
>> precisions to get configuration files as small as possible.
>
>   Why?  It's not like there are any CPU / memory / disk issues with
> having the files 10K larger than their "optimal" size.

Files could be read more easily. :-)

>> First, what's the right way to implement check for Simultaneous-Use ?
>> For cisco nas type, Freeradius seems to use snmp check but where should
>> I configure SNMP read community in order to make it possible ?
>
>   In the checkrad script.

OK

>> Then, during EAP process, is it possible to check if inner identity
>> equal outer identity and if not to reject request ?
>
>   Yes.  See "man unlang".  You can check inner/outer attributes.

OK I'm going to read this man page.

>> Finally, I've got problem with NetworkManager under Fedora 9 (not tested
>> on other distribution). If Session resumption / fast reauthentication
>> cache is not enabled, clients can't reassociate and ask for session
>> resumption again. Is there a workaround ?
>
>   What does that mean?  "if session resumption isn't enabled, clients
> ask for session resumption" ?

Sorry. It means that when the NAS asks for reauthentication (after
reauth-period timeout has expired), clients won't stop trying to
re-connect using the session resumption option again and again.

Here, an extract from freeradius debug:
[ttls] eaptls_process returned 3
[ttls] Skipping Phase2 due to session resumption
[ttls] FAIL: Forcibly stopping session resumption as it is not allowed.

This problem is not present on the Windows SecureW2 client because fast
reauthentication is an option. On NetworkManager, I don't find any
similar option.


Thanks

--
Jérôme BERTHIER
INRIA Bordeaux - Sud-Ouest
Service des Moyens Informatiques
05 24 57 40 50





Re: Freeradius 2 , TTLS/PAP, multiples questions

2009-04-17 Thread Alan DeKok
Jérôme BERTHIER wrote:
> I'm trying to configure Freeradius 2 to implement EAP/TTLS-PAP
> authentication method on my Cisco AP1242. It works but I'd like some
> precisions to get configuration files as small as possible.

  Why?  It's not like there are any CPU / memory / disk issues with
having the files 10K larger than their "optimal" size.

> What is the shortest way to configure it ?

  Have test cases for what you need.  Delete modules until the test
cases fail.  Then, ensure that only those modules are in the configuration.

> First, what's the right way to implement check for Simultaneous-Use ?
> For cisco nas type, Freeradius seems to use snmp check but where should
> I configure SNMP read community in order to make it possible ?

  In the checkrad script.

> Then, during EAP process, is it possible to check if inner identity
> equal outer identity and if not to reject request ?

  Yes.  See "man unlang".  You can check inner/outer attributes.

> Finally, I've got problem with NetworkManager under Fedora 9 (not tested
> on other distribution). If Session resumption / fast reauthentication
> cache  is not enabled, clients can't reassociate and ask for session
> resumption again. Is there a workaround ?

  What does that mean?  "if session resumption isn't enabled, clients
ask for session resumption" ?

  Alan DeKok.

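One way to write the inner/outer identity check that Alan points at, as an added example and not code from the thread or from the FreeRADIUS distribution. It assumes FreeRADIUS 2.x unlang syntax in the inner-tunnel virtual server, where the attributes of the outer, cleartext request are reachable through the "outer.request:" prefix, and it assumes clients send their real identity in both places (a client configured with an anonymous outer identity would be rejected by this check).

```unlang
#  sites-available/inner-tunnel, "authorize" section (FreeRADIUS 2.x).
#  Inside the TTLS tunnel, User-Name is the inner (real) identity;
#  the outer, cleartext request is reachable via "outer.request:".
authorize {
   #  Reject the request when the identity sent in the clear (outer
   #  EAP-Identity) differs from the identity sent inside the TLS tunnel.
   #  Assumption: clients send the same, real identity in both places.
   if ("%{User-Name}" != "%{outer.request:User-Name}") {
      update reply {
         Reply-Message := "Inner identity does not match outer identity"
      }
      reject
   }

   #  The usual inner-tunnel processing follows the check.
   suffix
   eap {
      ok = return
   }
   files
   ldap
   pap
}
```

Run the server with "radiusd -X" and a mismatching inner/outer identity to confirm the inner-tunnel section logs the reject before any password check is attempted.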


Freeradius 2 , TTLS/PAP, multiples questions

2009-04-17 Thread Jérôme BERTHIER

Hi,

I'm trying to configure Freeradius 2 to implement EAP/TTLS-PAP 
authentication method on my Cisco AP1242. It works but I'd like some 
precisions to get configuration files as small as possible.

What is the shortest way to configure it ?
authorize {
   preprocess
   auth_log
   suffix
   eap {
      ok = return
   }
   files
   ldap
   pap
}

authenticate {
   Auth-Type PAP {
      pap
   }
   Auth-Type LDAP {
      ldap
   }
   eap
}
Are the lines correct ?

Moreover, I've got trouble implementing a few functions.
First, what's the right way to implement check for Simultaneous-Use ? 
For cisco nas type, Freeradius seems to use snmp check but where should 
I configure SNMP read community in order to make it possible ?


Then, during EAP process, is it possible to check if inner identity 
equal outer identity and if not to reject request ?


Finally, I've got problem with NetworkManager under Fedora 9 (not tested 
on other distribution). If Session resumption / fast reauthentication 
cache  is not enabled, clients can't reassociate and ask for session 
resumption again. Is there a workaround ?


Thanks

--
Jérôme BERTHIER
Network administrator
INRIA Bordeaux - Sud-Ouest
Service des Moyens Informatiques
05 24 57 40 50



