Re: Windows XP hangs forever during PEAP auth on freeradius with winbind/AD backend
On Apr 6, 2009, at 3:49 PM, john wrote:

> On Sat, Apr 4, 2009 at 1:16 AM, a.l.m.bu...@lboro.ac.uk wrote:
>>> The howto you sent me says "If all goes well, you should see authentication succeeding (NT_STATUS_OK). You should also see the NT_KEY output, which is needed in order for FreeRADIUS to perform MS-CHAP authentication." Is (0x0) the output being referred to or is something missing here?
>>
>> what version of samba are you running? what distro are you running?
>>
>> alan
>
> Samba/winbind version 2:32.5-4 on Debian Lenny (stable).

We run Debian, and we currently have our samba packages pinned at version 2:3.0.30-3 due to this issue:

http://lists.freeradius.org/pipermail/freeradius-users/2009-February/msg00289.html

See the Debian APT manual for information on package pinning.

That said, your debug output (if that was all of it) didn't seem to suggest you're running into this particular issue just yet. I say that because your EAP exchange never progresses to the point where ntlm_auth is executed by FreeRADIUS. Things seem to be hanging right after the outer TLS tunnel is established, which may point to a certificate problem. Are you sure your server certificate is OK?

Mike Loosbrock
Bethel University Network Services
651-638-6723

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Windows XP hangs forever during PEAP auth on freeradius with winbind/AD backend
On Apr 8, 2009, at 10:07 AM, Mike Loosbrock wrote:

> We run Debian, and we currently have our samba packages pinned at version 2:3.0.30-3 due to this issue:
> http://lists.freeradius.org/pipermail/freeradius-users/2009-February/msg00289.html

List, I'd be willing to report this bug to the Samba team as it seems to be an upstream issue. Is there any other specific info they might want or need?

Mike Loosbrock
Bethel University Network Services
651-638-6723
Re: Windows XP hangs forever during PEAP auth on freeradius with winbind/AD backend
> We run Debian, and we currently have our samba packages pinned at version 2:3.0.30-3 due to this issue:
> http://lists.freeradius.org/pipermail/freeradius-users/2009-February/msg00289.html
> See the Debian APT manual for information on package pinning.

Thanks Mike! I'll look into this a bit more, although as you say I am not quite having that issue (yet). :-)

> That said, your debug output (if that was all of it) didn't seem to suggest you're running into this particular issue just yet. I say that because your EAP exchange never progresses to the point where ntlm_auth is executed by FreeRADIUS. Things seem to be hanging right after the outer TLS tunnel is established, which may point to a certificate problem. Are you sure your server certificate is OK?

I am not sure that it is, I am a noob. I built freeradius from the current stable source, but I used apt to install openssl. My understanding was that when I fired freeradius up for the first time it would automatically populate /etc/freeradius/certs with all of the files necessary to make a proper PEAP connection. Can you suggest a way to test the cert?

Wireshark tells me that my 3Com 3226 switch is sending an EAP reject immediately after I connect the supplicant to a port protected with .1x. I don't see any traffic between the switch and freeradius, so I am wondering if the switch doesn't support PEAP? Perhaps I should back off and try MD5 or something?

Also, since I am throwing out the litany of my ignorance: I haven't solved in a good way a complaint that I get when I am testing via 'wbinfo -a username%password'. I've had to chmod 777 /var/run/samba/winbindd_privileged in order to use the socket; of course restarting winbind resets the perms here. I saw something about enabling extended ACLs on the file system to work around this issue. I'd be interested to know what you ended up doing.

Thanks for the reply!

John
Re: Windows XP hangs forever during PEAP auth on freeradius with winbind/AD backend
On Apr 8, 2009, at 11:28 AM, john wrote:

> Can you suggest a way to test the cert?

Well, you can use the openssl utility to see what your server certificate contains:

$ openssl x509 -text -in server-cert-file

> Wireshark tells me that my 3Com 3226 switch is sending an EAP reject immediately after I connect the supplicant to a port protected with .1x. I don't see any traffic between the switch and freeradius, so I am wondering if the switch doesn't support PEAP? Perhaps I should back off and try MD5 or something?

Your switch doesn't *need* to support any particular EAP type because the EAP exchange is actually between the supplicant and RADIUS. Your switch just passes the messages back and forth between the two. If you see your switch doing EAP with the supplicant (i.e. EAP is happening, but you don't see it at the RADIUS server), your switch may be doing what some vendors call 'EAP off-loading'. In other words, the switch is handling EAP to get at the credentials it eventually authenticates against RADIUS. But I don't know if 3Com switches do this, and if they do, it's probably not default.

> Also, since I am throwing out the litany of my ignorance: I haven't solved in a good way a complaint that I get when I am testing via 'wbinfo -a username%password'. I've had to chmod 777 /var/run/samba/winbindd_privileged in order to use the socket; of course restarting winbind resets the perms here. I saw something about enabling extended ACLs on the file system to work around this issue. I'd be interested to know what you ended up doing.

Just add the freerad user to the winbindd_priv group.

Mike Loosbrock
Bethel University Network Services
651-638-6723
Re: Windows XP hangs forever during PEAP auth on freeradius with winbind/AD backend
On Sat, Apr 4, 2009 at 1:16 AM, a.l.m.bu...@lboro.ac.uk wrote:

> Hi,
>
>> The howto you sent me says "If all goes well, you should see authentication succeeding (NT_STATUS_OK). You should also see the NT_KEY output, which is needed in order for FreeRADIUS to perform MS-CHAP authentication." Is (0x0) the output being referred to or is something missing here?
>
> what version of samba are you running? what distro are you running?
>
> alan

Hi Alan,

Samba/winbind version 2:32.5-4 on Debian Lenny (stable).

John
Re: Windows XP hangs forever during PEAP auth on freeradius with winbind/AD backend
Hi,

> The howto you sent me says "If all goes well, you should see authentication succeeding (NT_STATUS_OK). You should also see the NT_KEY output, which is needed in order for FreeRADIUS to perform MS-CHAP authentication." Is (0x0) the output being referred to or is something missing here?

what version of samba are you running? what distro are you running?

alan
Re: Windows XP hangs forever during PEAP auth on freeradius with winbind/AD backend
> Let's not. Updated howto is on:
> http://deployingradius.com/documents/configuration/active_directory.html

Thanks for the updated howto. I followed it and can successfully complete every step except the last (e.g. the one where I must use a Windows client to send an MS-CHAP authentication request).

As a side note, when I do

ntlm_auth --request-nt-key --domain=VANGUARD --username=raduser --password=testing123

I get

NT_STATUS_OK: Success (0x0)

The howto you sent me says "If all goes well, you should see authentication succeeding (NT_STATUS_OK). You should also see the NT_KEY output, which is needed in order for FreeRADIUS to perform MS-CHAP authentication." Is (0x0) the output being referred to or is something missing here?

> Have you imported CA certificate (ca.der) onto the client?
>
> Ivan Kalik
> Kalik Informatika ISP

I have imported the ca.der onto the client (allowing Windows to automatically choose where to place it) but still no joy. Likely I have the client configured incorrectly. In fact, I am having a great deal of trouble getting the network adapter to reliably make a request to the freeradius server. Any advice is much appreciated.

John
Windows XP hangs forever during PEAP auth on freeradius with winbind/AD backend
Hello all,

I've been at this for two full days with no luck, so I hope that folks here will take me under their wing. :-)

I am trying to set up freeradius so that hosts running Windows XP/SP2 can be authenticated via .1x when plugged in to a 3Com 3226 switch. The freeradius server version is 2.1.4, built from source; I added SSL libraries since Debian's deb for freeradius doesn't ship with them. My server is running Debian Lenny. I am using winbind to provide authentication services to Windows AD 2003/SP2. I am following the directions posted on the freeradius wiki (which is a bit out of date btw):

http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

I can list domain users via wbinfo -u and getent passwd, and doing

wbinfo -a raduser%testing123

yields

plaintext password authentication succeeded
challenge/response password authentication succeeded

ntlm_auth --request-nt-key --domain=VANGUARD --username=raduser
password:
NT_STATUS_OK: Success (0x0)

However, doing radtest fails, but read on before you jump to conclusions...

radtest raduser testing123 localhost 0 testing123
Sending Access-Request of id 144 to 127.0.0.1 port 1812
        User-Name = raduser
        User-Password = testing123
        NAS-IP-Address = 10.1.1.51
        NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=144, length=20

I believe my problem resembles the description on the FAQ re: Windows machines:

http://wiki.freeradius.org/index.php/FAQ#PEAP_or_EAP-TLS_Doesn.27t_Work_with_a_Windows_machine

I have patched the Windows client per the instructions but no dice. I read the link http://support.microsoft.com/kb/814394/en-us but it is my understanding that freeradius supports WinXP-crafted certificates (via certs/xpextensions) out of the box when it builds the example certs in /etc/freeradius/certs, so I am not sure what to do here.

Wireshark shows me that after the Windows machine is plugged into my 3Com switch on a port which is configured for RADIUS, the Windows client makes an Access-Request and receives an Access-Challenge. This happens twice and then nothing.

I'd appreciate any guidance folks could give me! Thanks!

John

Below is my output via /usr/sbin/freeradius -X:

FreeRADIUS Version 2.1.5, for host i486-pc-linux-gnu, built on Apr 1 2009 at 10:01:13
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/mschap.back
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/realm
including configuration file
Re: Windows XP hangs forever during PEAP auth on freeradius with winbind/AD backend
> I am trying to set up freeradius so that hosts running Windows XP/SP2 can be authenticated via .1x when plugged in to a 3Com 3226 switch. The freeradius server version is 2.1.4, built from source; I added SSL libraries since Debian's deb for freeradius doesn't ship with them. My server is running Debian Lenny. I am using winbind to provide authentication services to Windows AD 2003/SP2. I am following the directions posted on the freeradius wiki (which is a bit out of date btw):
>
> http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
>
> I can list domain users via wbinfo -u and getent passwd, and doing
>
> wbinfo -a raduser%testing123
>
> yields
>
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
> ntlm_auth --request-nt-key --domain=VANGUARD --username=raduser
> password:
> NT_STATUS_OK: Success (0x0)
>
> However, doing radtest fails, but read on before you jump to conclusions...

Let's not. Updated howto is on:

http://deployingradius.com/documents/configuration/active_directory.html

Have you imported CA certificate (ca.der) onto the client?

Ivan Kalik
Kalik Informatika ISP
Retrieve a user attribute from AD for VLAN assignment in PEAP auth
Hi everyone,

I am configuring a freeradius server with PEAP/MSCHAP authentication against an Active Directory. The authentication works :)

Here is my question: I have on my AD an attribute for each user such as vlanId = 12, and I would like to get this value to assign the authenticated user to this VLAN.

Any idea?

Thanks,
Frad

--
View this message in context: http://www.nabble.com/Retrieve-an-user-attribute-from-AD-for-vlan-assignment-in-PEAP-auth-tp22720035p22720035.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Re: Retrieve a user attribute from AD for VLAN assignment in PEAP auth
> I am configuring a freeradius server with PEAP/MSCHAP authentication against an Active Directory. The authentication works :)
>
> Here is my question: I have on my AD an attribute for each user such as vlanId = 12, and I would like to get this value to assign the authenticated user to this VLAN.
>
> Any idea?

Configure AD as ldap server in raddb/modules/ldap and map that attribute to Tunnel-Private-Group-Id in ldap.attrmap.

Ivan Kalik
Kalik Informatika ISP
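As an added example (not part of Ivan's reply), the FreeRADIUS 2.x fragments that turn that one-line mapping into a VLAN a switch will actually apply; the LDAP attribute name vlanId comes from the question, while the server name, bind DN, password and base DN are placeholders to be replaced:

```conf
# raddb/modules/ldap -- point the ldap module at the domain controller (placeholder values)
ldap {
	server   = "dc1.example.local"
	identity = "CN=radius-bind,CN=Users,DC=example,DC=local"
	password = "bind-account-password"
	basedn   = "DC=example,DC=local"
	# AD accounts match on sAMAccountName, not on uid as in a POSIX directory
	filter   = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
}

# raddb/ldap.attrmap -- columns: <checkItem|replyItem>  <RADIUS attribute>  <LDAP attribute>
# Every value of vlanId found on the user object is copied into the reply.
replyItem	Tunnel-Private-Group-Id		vlanId

# raddb/users -- a switch ignores Tunnel-Private-Group-Id on its own: RFC 3580 VLAN
# assignment also needs Tunnel-Type = VLAN and Tunnel-Medium-Type = IEEE-802.
DEFAULT
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Fall-Through = Yes

# raddb/eap.conf, peap { } section -- with PEAP the user name is only seen inside
# the tunnel, so ldap must be listed in authorize of sites-enabled/inner-tunnel and
# the inner reply has to be copied to the outer Access-Accept the switch receives.
peap {
	use_tunneled_reply = yes
}
```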
question about freeradius, 802.1x with peap, auth via LDAP
Hi,

I need help/advice with the following scenario:

1. I have a freeradius server; this server is not part of the Active Directory domain, but it is able to perform ldapsearch for user accounts.
2. The workstation is a Windows 2000 PC and needs to be authenticated through a Cisco Catalyst switch to the freeradius server with the user's LAN username and password transparently (PEAP).

My question is: what is the requirement for the RADIUS server? Does the server need to be part of the Active Directory domain? Can you direct me to a how-to link? I have made several configurations but none were successful. Please help, thanks.
Re: question about freeradius, 802.1x with peap, auth via LDAP
Windows 2000 is not supported, only Windows XP.

On 4/4/07, wenny wang [EMAIL PROTECTED] wrote:
> Hi,
>
> I need help/advice with the following scenario:
>
> 1. I have a freeradius server; this server is not part of the Active Directory domain, but it is able to perform ldapsearch for user accounts.
> 2. The workstation is a Windows 2000 PC and needs to be authenticated through a Cisco Catalyst switch to the freeradius server with the user's LAN username and password transparently (PEAP).
>
> My question is: what is the requirement for the RADIUS server? Does the server need to be part of the Active Directory domain? Can you direct me to a how-to link? I have made several configurations but none were successful. Please help, thanks.
Re: question about freeradius, 802.1x with peap, auth via LDAP
1) Microsoft LDAP isn't like normal LDAP: you don't get access to the password. To have freeradius touch the password at any point, it needs to be on the domain and do an ntlm_auth instead of LDAP.

On 4/4/07, wenny wang [EMAIL PROTECTED] wrote:
> Hi,
>
> I need help/advice with the following scenario:
>
> 1. I have a freeradius server; this server is not part of the Active Directory domain, but it is able to perform ldapsearch for user accounts.
> 2. The workstation is a Windows 2000 PC and needs to be authenticated through a Cisco Catalyst switch to the freeradius server with the user's LAN username and password transparently (PEAP).
>
> My question is: what is the requirement for the RADIUS server? Does the server need to be part of the Active Directory domain? Can you direct me to a how-to link? I have made several configurations but none were successful. Please help, thanks.
Issuing certificates with a Windows CA for PEAP auth
When generating certificates for use by FreeRadius EAP-TLS, there is an extension which has to be added to the certificate in order for the client to be able to validate the certificate against a root CA certificate. If such an extension is not present in your FreeRadius certificate, the auth process will fail, because the client will stop communicating with your server, since it can't validate your cert.

Some people would say that it is better to have EAP-TTLS, but sometimes it is not easy to deploy such a PKI. If you want to use EAP-TLS and you happen to have your CA running on a Winbugs box, then this might be of help. We are going to generate a request using openssl and issue the certificate with Winbugs, with the needed extension embedded into the cert file.

There are two ways of doing this. For either of them, you need to have openssl installed on the computer where your freeradius server is and a Certification Authority running on a Winbugs box.

The first way, and the best one, is as follows:

From the computer where your freeradius is, you generate a request and a private key by:

shell:~ # openssl req -new -nodes -keyout mykey.pem -out server.csr

The challenge password is important because it'll be used in the freeradius configuration.

The file mykey.pem is the private key. Copy this file to /usr/local/etc/raddb/certs:

shell:~ # cp mykey.pem /usr/local/etc/raddb/certs

server.csr is the certificate request. Copy this file to the computer where your CA is. Then, let's feed this request into your Winbugs CA. Open a command prompt window and type

C:\> certreq -submit server.csr

A window will pop up asking you to select the CA your request is to be submitted to. Select the one that you own. This will give you a RequestID. This number is important because it'll be used for the next part.
When a client uses PEAP-EAP-MS-Challenge Handshake Authentication Protocol (CHAP) version 2 authentication, PEAP with EAP-TLS authentication, or EAP-TLS authentication, Microsoft specifies that certificates must have the Enhanced Key Usage attribute with the value Server Authentication (OID 1.3.6.1.5.5.7.3.1). [Ref.: http://support.microsoft.com/kb/814394/en-us]

Since the certificate request generated in openssl according to the procedure above does not provide this attribute, it is necessary to add it to the pending request with the Windows CLI command certutil. The general syntax is

C:\> certutil -setextension RequestID ExtensionOID Flags @InFile

- The OID for the attribute Enhanced Key Usage is: 2.5.29.37
- The flag value is set to 0.
- Create an input text file eku.txt:

C:\> echo 30 0a 06 08 2b 06 01 05 05 07 03 01 > eku.txt

Finally, run the following command:

C:\> certutil -setextension RequestID 2.5.29.37 0 @eku.txt

[Comment: to discover the OID of an attribute, it is possible to dump the contents of an existing valid certificate containing the needed attribute with:

certutil -v certfile.cer

Ref.: http://technet2.microsoft.com/WindowsServer/en/library/165ee684-1c3a-4cc1-9c5b-0bc1ec1e710a1033.mspx?mfr=true]

Then, open your Certification Authority application, go to Pending Requests, right-click on the one you modified (RequestID), All Tasks -> Issue.

Go to Issued Certificates and double-click on the one you just issued (RequestID). A window will open displaying the cert's info. Go to the tab Details and check that the field Enhanced Key Usage is present and its value is Server Authentication (1.3.6.1.5.5.7.3.1). Click on the button Copy to File... and save it as either DER encoded or Base-64 encoded, give a filename (let's call it certificate for now) and finish the wizard. This will give you a file certificate.cer.
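The Details-tab check above is done by eye; as an added example (not part of this guide), the following Python 3 code, standard library only, reproduces the eku.txt value from the serverAuth OID alone and scans an exported certificate.cer (DER, or a Base-64 export via pem_to_der) for the Enhanced Key Usage extension so the same check can be scripted before the file is copied to the server. All function names are this example's own.

```python
import base64

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth, required by Windows supplicants
EKU_EXTENSION_OID = "2.5.29.37"         # id-ce-extKeyUsage, the extension certutil -setextension adds
TAG_OID, TAG_OCTET_STRING, TAG_SEQUENCE = 0x06, 0x04, 0x30

def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def encode_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER TLV. The first two arcs share one
    byte; each further arc is base-128 with the high bit marking continuation."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return bytes([TAG_OID]) + der_length(len(body)) + bytes(body)

def encode_eku(*oids):
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId: the blob written to eku.txt."""
    inner = b"".join(encode_oid(o) for o in oids)
    return bytes([TAG_SEQUENCE]) + der_length(len(inner)) + inner

def certutil_hex(der):
    """Space-separated hex bytes, the layout certutil reads from @InFile."""
    return " ".join(f"{b:02x}" for b in der)

def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Inverse of encode_oid for the OID body (tag and length already stripped)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def decode_eku(der):
    """EKU extension value -> list of dotted KeyPurposeId OIDs."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("EKU value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = read_tlv(seq, pos)
        if tag != TAG_OID:
            raise ValueError("KeyPurposeId must be an OID")
        oids.append(decode_oid(body))
    return oids

def pem_to_der(pem):
    """Strip the -----BEGIN/END----- armour of a Base-64 export and return DER."""
    b64 = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(b64)

def find_eku(der):
    """Return the EKU OIDs found anywhere in a DER certificate, or [] if absent.
    Every constructed element is descended, which reaches the [3] EXPLICIT
    Extensions wrapper of TBSCertificate without modelling the rest of X.509."""
    pos = 0
    while pos < len(der):
        tag, value, pos = read_tlv(der, pos)
        if tag == TAG_SEQUENCE and value[:1] == bytes([TAG_OID]):
            _, oid_body, nxt = read_tlv(value, 0)
            if decode_oid(oid_body) == EKU_EXTENSION_OID:
                # Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
                t, extn_value, nxt = read_tlv(value, nxt)
                if t != TAG_OCTET_STRING:       # skip the optional 'critical' BOOLEAN
                    t, extn_value, nxt = read_tlv(value, nxt)
                return decode_eku(extn_value)
        if tag & 0x20:                           # constructed type: recurse into it
            found = find_eku(value)
            if found:
                return found
    return []

def has_server_auth(der):
    """True when the certificate carries EKU Server Authentication (1.3.6.1.5.5.7.3.1)."""
    return SERVER_AUTH_OID in find_eku(der)
```

For a real file use has_server_auth(open("certificate.cer", "rb").read()) for a DER export or has_server_auth(pem_to_der(open("certificate.pem").read())) for a Base-64 one.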
Copy this file to your freeradius server in /usr/local/etc/raddb/certs:

shell:~ # cd /usr/local/etc/raddb/certs

If you exported the certificate as DER encoded there is a final step you have to perform. We need to convert this file to a format FreeRadius can understand. So, now type:

shell:/usr/local/etc/raddb/certs # openssl x509 -inform DER -in certificate.cer -outform PEM -out certificate.pem

If the certificate is Base-64 encoded, then just rename the file (this step is optional; it's just to be consistent with the eap.conf file at the end of this guide):

shell:/usr/local/etc/raddb/certs # mv certificate.cer certificate.pem

Get your CA certificate and put it in /usr/local/etc/raddb/certs. Suppose that your CA certificate is DER encoded in a file named ca.cer; then you convert it to PEM by

shell:~ # openssl x509 -inform DER -in ca.cer -outform PEM -out ca.pem
shell:~ # cp ca.pem /usr/local/etc/raddb/certs

Now edit your eap.conf file and you are done. A sample eap.conf is at the end of this guide.

Configure your clients to use PEAP, check the checkbox Validate server certificate and select your Trusted Root Certification Authority from the list.

The second way of doing this, which is not very neat, is
Re: PEAP Auth
Hi,

> Freeradius. I still get the same error message on startup regarding no file for TLS. I have searched the Debian site, the Freeradius site, and the web in general and cannot seem to find out how to fix this. Does anyone know?

How should we? You don't even tell us what the error is. "OMG, an error!" is not enough to effectively help you. Please stick to the common, well-documented process of posting your log files.

Greetings,

Stefan Winter

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Research & Development Engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

E-Mail: [EMAIL PROTECTED]   Tel.: +352 424409-1
http://www.restena.lu       Fax: +352 422473
RE: Re: PEAP Auth
The exact error is:

rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open shared object file: No such file or directory
radiusd.conf[9]: eap: Module instantiation failed.

The entire startup log is here:

Starting - reading configuration files ...
Using deprecated naslist file. Support for this will go away soon.
Module: Loaded exec
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
Module: Instantiated unix (unix)
Module: Loaded eap
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open shared object file: No such file or directory
radiusd.conf[9]: eap: Module instantiation failed.

Thanks,
Scott

--- Original Message ---
From: Stefan Winter [mailto:[EMAIL PROTECTED]]
Sent: 6/22/2006 12:51:54 AM
To: [EMAIL PROTECTED]; freeradius-users@lists.freeradius.org
Cc:
Subject: RE: Re: PEAP Auth

> Hi,
>
>> Freeradius. I still get the same error message on startup regarding no file for TLS. I have searched the Debian site, the Freeradius site, and the web in general and cannot seem to find out how to fix this. Does anyone know?
>
> How should we? You don't even tell us what the error is. "OMG, an error!" is not enough to effectively help you. Please stick to the common, well-documented process of posting your log files.
>
> Greetings,
>
> Stefan Winter
Re: PEAP Auth
Scott Hughes [EMAIL PROTECTED] wrote:
> rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open shared object file: No such file or directory
> radiusd.conf[9]: eap: Module instantiation failed.

If you're running debian, re-build the server from source. See the debian directory.

Alan DeKok.
Re: PEAP Auth
Hi!

> rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open shared object file: No such file or directory
> radiusd.conf[9]: eap: Module instantiation failed.

Ah, thank you. That's much more enlightening. For some reason the TLS module was not compiled and installed. There was some issue Debian has with OpenSSL support: they don't like the licensing and so they exclude this module. Please read the mailing list archives of this list; this issue is quite common for Debian users and it gets discussed (including solutions) here on this list every once in a while.

Greetings,

Stefan Winter

--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche - Research Engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Re: Re: PEAP Auth
On Thu, Jun 22, 2006 at 11:29:39AM -0500, Scott Hughes said:
> The exact error is:
> rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open shared object file: No such file or directory
> radiusd.conf[9]: eap: Module instantiation failed.

I assume this is Debian, since you said you searched the Debian site. Please see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=289253 for an explanation if that's the case.

--
| Stephen Gran                  | A bug in the code is worth two in the |
| [EMAIL PROTECTED]             | documentation.                        |
| http://www.lobefin.net/~steve |                                       |
PEAP Auth
Hello,

I am attempting to use the latest Debian build with Freeradius and cannot seem to get PEAP/TLS/TTLS to work. I have even gone as far as reloading the box fresh and installing the sources of OpenSSL and then Freeradius. I still get the same error message on startup regarding no file for TLS. I have searched the Debian site, the Freeradius site, and the web in general and cannot seem to find out how to fix this. Does anyone know?

Thanks.
Re: EAP-TTLS and PEAP auth problem ... sorry!!
Thanks for the help until now!

I have another problem on freeradius, related to PEAP. The MSCHAP module needs a user/password pair to perform authentication... and in the radiusd log I can read that it is not possible to retrieve an NT-Password or LM-Password. But I don't want to use such a thing (I read it is related to Samba). I would like to submit user and password to my LDAP server, and this one has to check the right relationship! But I know EAP doesn't allow plain text passwords, as LDAP needs!

Now: is it possible to tell MSCHAP to use LDAP or a passwd file to authenticate the user? And, before this, is it possible to obtain the password from the EAP challenge in order to submit it further?

Please give me a little advice... it seems it should be a problem so simple to solve! I already lost 10 days...

To help: I'm working with such a system.
- Standard Windows XP client, PEAP-MSCHAPv2
- Aegis supplicant, with all types of EAP
- Access Point Cisco Aironet 1200, set to use WPA-TKIP and EAP authentication
- Freeradius server, working on Gentoo Linux 2005

Thank you very much, for everything you could suggest!
Re: EAP-TTLS and PEAP auth problem ... sorry!!
Gandalf the Gray [EMAIL PROTECTED] wrote:
> I would like to submit user and password to my LDAP server, and this one has to check the right relationship!

LDAP is a database, not an authentication server. FreeRADIUS is an authentication server.

> Now: is it possible to tell MSCHAP to use LDAP or a passwd file to authenticate the user? And, before this, is it possible to obtain the password from the EAP challenge in order to submit it further?

No. It's impossible, and designed to be impossible.

Make the LDAP server return a clear-text, or NT-Password to FreeRADIUS, and it will Just Work. Any other combination is impossible.

Alan DeKok.
Re: EAP-TTLS and PEAP auth problem ... sorry!!
--- Alan DeKok [EMAIL PROTECTED] wrote:

> Gandalf the Gray [EMAIL PROTECTED] wrote:
>> It seems no EAP-challenge is really going on. This is the output from the radius server after a try made by the AEGIS client under Windows XP, with PEAP MSCHAPv2.
>
> The AEGIS client works with FreeRADIUS. What the debug log shows is that the client is not seeing the response from FreeRADIUS. It's probably because you have multiple IP's on the radius server, and the client is sending to one address, and seeing the response from another.
>
> Use 'tcpdump' to verify the problem, and make the server listen on only one IP.
>
> Alan DeKok.

I checked and set a single IP address on my freeradius server. But it seems always the same result... this is my log by radiusd -X:

rad_recv: Access-Request packet from host 192.168.127.36:21646, id=123, length=131
        User-Name = attoo
        Framed-MTU = 1400
        Called-Station-Id = 00-12-D9-B3-26-90
        Calling-Station-Id = 00-50-FC-F1-7A-91
        Message-Authenticator = 0x17e90f1da3ab8ca6003b033cdfa7926d
        EAP-Message = 0x0202000a016174746f6f
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 337
        Service-Type = Framed-User
        NAS-IP-Address = 192.168.127.36
        NAS-Identifier = appi
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module preprocess returns ok for request 1
  modcall[authorize]: module mschap returns noop for request 1
    rlm_realm: No '@' in User-Name = attoo, skipping NULL due to config.
  modcall[authorize]: module suffix returns noop for request 1
  rlm_eap: EAP packet type response id 2 length 10
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 1
    users: Matched entry DEFAULT at line 152
  modcall[authorize]: module files returns ok for request 1
modcall: group authorize returns updated for request 1
  rad_check_password: Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module eap returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 123 to 192.168.127.36:21646
        EAP-Message = 0x010300061920
        Message-Authenticator = 0x
        State = 0x305eceed6a3b96ee99d532871dffa83f
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.127.36:21646, id=123, length=131
Sending duplicate reply to client appi:21646 - ID: 123
Re-sending Access-Challenge of id 123 to 192.168.127.36:21646
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 123 with timestamp 42ca647d
Nothing to do. Sleeping until we see a request.

Thank you for your attention!
Re: EAP-TTLS and PEAP auth problem ... sorry!!
I changed the settings of the AP, allowing Aironet Extensions, and the result is a little different: now TLS is performed, but it still doesn't work fine...

rad_recv: Access-Request packet from host 192.168.127.36:21646, id=158, length=145
        User-Name = fresh
        Framed-MTU = 1400
        Called-Station-Id = 00-12-D9-B3-26-90
        Calling-Station-Id = 00-50-FC-F1-7A-91
        Message-Authenticator = 0x44ebb1858de22fda1162620cce508446
        EAP-Message = 0x020400061900
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 364
        State = 0x730ee4d85739cac2db03508048550566
        Service-Type = Framed-User
        NAS-IP-Address = 192.168.127.36
        NAS-Identifier = appi
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module preprocess returns ok for request 6
modcall[authorize]: module mschap returns noop for request 6
rlm_realm: No '@' in User-Name = fresh, skipping NULL due to config.
modcall[authorize]: module suffix returns noop for request 6
rlm_eap: EAP packet type response id 4 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 6
users: Matched entry DEFAULT at line 152
modcall[authorize]: module files returns ok for request 6
modcall: group authorize returns updated for request 6
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module eap returns handled for request 6
modcall: group authenticate returns handled for request 6
Sending Access-Challenge of id 158 to 192.168.127.36:21646
        Message-Authenticator = 0x
        State = 0xaf2e1d273a634f616e56bde68cbf0106
Finished request 6
Going to the next request
Waking up in 6 seconds...
Re: EAP-TTLS and PEAP auth problem ... sorry!!
Gandalf the Gray [EMAIL PROTECTED] wrote:
> I checked and set a single IP address on my freeradius server. But it seems always the same result... This is my log by radiusd -X:
> ...

Which shows that the client is sending a duplicate request to the server, i.e. the client is probably never seeing the response from the server.

I don't think this is a RADIUS problem. Try using 'tcpdump' or 'ethereal' to see what's going wrong in your network.

Alan DeKok.
EAP-TTLS and PEAP auth problem
Hi, I'm new on this mailing list, please help me clearly.

I need to build a wireless net based on FreeRADIUS as authentication server, a Cisco Aironet 1200 AP, and WPA with TKIP encryption. I need to use TTLS or PEAP, because they allow users not to use their own certificates, to make connection a little bit easier.

When I start my freeradius server, this is what I see:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = /usr
main: localstatedir = /var
main: logdir = /var/log/radius
main: libdir = /usr/lib
main: radacctdir = /var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/sbin/checkrad
main: proxy_requests = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = /etc/passwd
unix: shadow = /etc/shadow
unix: group = /etc/group
unix: radwtmp = /var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = peap
eap: timer_expire = 60
eap: ignore_unknown_eap_types = yes
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = (null)
tls: pem_file_type = yes
tls: private_key_file = /etc/raddb/certs/cert-srv.pem
tls: certificate_file = /etc/raddb/certs/cert-srv.pem
tls: CA_file = /etc/raddb/certs/root.pem
tls: private_key_password = whatever
tls: dh_file = /etc/raddb/certs/dh
tls: random_file = /etc/raddb/certs/random
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = (null)
rlm_eap: Loaded and initialized type tls
ttls: default_eap_type = md5
ttls: copy_request_to_tunnel = yes
ttls: use_tunneled_reply = yes
rlm_eap: Loaded and initialized type ttls
peap: default_eap_type = mschapv2
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /etc/raddb/huntgroups
preprocess: hints = /etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
realm: ignore_default = yes
realm: ignore_null = yes
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = /etc/raddb/users
files: acctusersfile = /etc/raddb/acct_users
files: preproxy_usersfile = /etc/raddb/preproxy_users
files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail
EAP-TTLS and PEAP auth problem ... sorry!!
I forgot to explain the real problem!

I cannot authenticate any user trying to connect to my network through a supplicant, both from Windows and from wpa_supplicant under Linux. It seems no EAP challenge is really going on. This is the output from the radius server after a try made by the AEGIS client under Windows XP, with PEAP MSCHAPv2.

rad_recv: Access-Request packet from host 192.168.127.36:21646, id=105, length=131
        User-Name = attoo
        Framed-MTU = 1400
        Called-Station-Id = 00-12-D9-B3-26-90
        Calling-Station-Id = 00-0C-30-28-A6-65
        Message-Authenticator = 0xd58f44466d3cc004486c04c445cfc4e7
        EAP-Message = 0x0202000a016174746f6f
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 507
        Service-Type = Framed-User
        NAS-IP-Address = 192.168.127.36
        NAS-Identifier = appi
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 251
modcall[authorize]: module preprocess returns ok for request 251
modcall[authorize]: module mschap returns noop for request 251
rlm_realm: No '@' in User-Name = attoo, skipping NULL due to config.
modcall[authorize]: module suffix returns noop for request 251
rlm_eap: EAP packet type response id 2 length 10
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 251
users: Matched entry DEFAULT at line 152
modcall[authorize]: module files returns ok for request 251
modcall: group authorize returns updated for request 251
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 251
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module eap returns handled for request 251
modcall: group authenticate returns handled for request 251
Sending Access-Challenge of id 105 to 192.168.127.36:21646
        EAP-Message = 0x010300061920
        Message-Authenticator = 0x
        State = 0xfb61d0352bd2bf83c854f36b74c91b5c
Finished request 251
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.127.36:21646, id=105, length=131
Sending duplicate reply to client appi:21646 - ID: 105
Re-sending Access-Challenge of id 105 to 192.168.127.36:21646
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 251 ID 105 with timestamp 42c9343a

One more time, thank you very much for your help!!

Gtheg
Re: EAP-TTLS and PEAP auth problem ... sorry!!
Gandalf the Gray [EMAIL PROTECTED] wrote:
> It seems no EAP challenge is really going on. This is the output from the radius server after a try made by the AEGIS client under Windows XP, with PEAP MSCHAPv2.

The AEGIS client works with FreeRADIUS. What the debug log shows is that the client is not seeing the response from FreeRADIUS. It's probably because you have multiple IPs on the radius server, and the client is sending to one address, and seeing the response from another.

Use 'tcpdump' to verify the problem, and make the server listen on only one IP.

Alan DeKok.
Re: openlap wireless (WPA-radius with PEAP auth on client) problem
Daniel Davidson [EMAIL PROTECTED] wrote:
> While looking at the radiusd.conf file, I noticed that the ldap area said something about that, to use the sambaNTPassword field, it has to start with a 0x. Does this mean that in LDAP this value must be stored as:
> sambaNTPassword: 0x01FC5A6BE7BC6929AAD3B435B51404EE

I don't think that's necessary. The MS-CHAP module is the only one which interprets that string, and it is forgiving of the format.

The larger issue is that the debug log you posted doesn't finish, i.e. it doesn't contain a reject OR a success. Get a debug log with an accept or reject, and it will then be possible to tell what's going on.

Alan DeKok.
Re: openlap wireless (WPA-radius with PEAP auth on client) problem
It never gives one with this configuration; it just keeps repeating the same request over and over again, never accepting or rejecting after the Access-Challenge is sent back to the access point.

Dan

On Thu, 2004-11-04 at 10:48, Alan DeKok wrote:
> Daniel Davidson [EMAIL PROTECTED] wrote:
> > While looking at the radiusd.conf file, I noticed that the ldap area said something about that, to use the sambaNTPassword field, it has to start with a 0x. Does this mean that in LDAP this value must be stored as:
> > sambaNTPassword: 0x01FC5A6BE7BC6929AAD3B435B51404EE
>
> I don't think that's necessary. The MS-CHAP module is the only one which interprets that string, and it is forgiving of the format.
>
> The larger issue is that the debug log you posted doesn't finish, i.e. it doesn't contain a reject OR a success. Get a debug log with an accept or reject, and it will then be possible to tell what's going on.
>
> Alan DeKok.
Re: openlap wireless (WPA-radius with PEAP auth on client) problem
Are you sure that you have the CA certificate you're using with FreeRADIUS installed on the XP system you're using as a supplicant? This could be a symptom of XP not recognizing the signer of the certificate presented in the 802.1x conversation and refusing to continue authentication.

FYI, here we're using the ntPassword attribute in LDAP *without* the 0x in front, and it's working fine. The code will use it either way.

--Mike

On Thu, 2004-11-04 at 10:58, Daniel Davidson wrote:
> It never gives one with this configuration; it just keeps repeating the same request over and over again, never accepting or rejecting after the Access-Challenge is sent back to the access point.
>
> Dan
>
> On Thu, 2004-11-04 at 10:48, Alan DeKok wrote:
> > Daniel Davidson [EMAIL PROTECTED] wrote:
> > > While looking at the radiusd.conf file, I noticed that the ldap area said something about that, to use the sambaNTPassword field, it has to start with a 0x. Does this mean that in LDAP this value must be stored as:
> > > sambaNTPassword: 0x01FC5A6BE7BC6929AAD3B435B51404EE
> >
> > I don't think that's necessary. The MS-CHAP module is the only one which interprets that string, and it is forgiving of the format.
> >
> > The larger issue is that the debug log you posted doesn't finish, i.e. it doesn't contain a reject OR a success. Get a debug log with an accept or reject, and it will then be possible to tell what's going on.
> >
> > Alan DeKok.

--
--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
Re: openlap wireless (WPA-radius with PEAP auth on client) problem
Thanks for the info, now we are getting somewhere. I have just unchecked the "validate server certificate" area for now. Now I am getting a rejection. Any ideas?

Thanks again for the help,
Dan

rad_recv: Access-Request packet from host 128.174.124.2:1024, id=0, length=224
        User-Name = dbdavids
        NAS-IP-Address = 128.174.124.2
        Called-Station-Id = 000f66e4c41c
        Calling-Station-Id = 009096b43336
        NAS-Identifier = 000f66e4c41c
        NAS-Port = 49
        Framed-MTU = 1400
        State = 0x05d6753b0d1d6b5e153b275d9693ef57
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0206005a1900170301004f8c8a20407e2068158e8d78c30ec38160e43b0f78ff2b701605b5c79b9de8900c48fb91b49db5bf9dcddd5ccabb4790c6ae46fc07f331bd23bbc88023d68b2e78a4ab7763627926a560ed58927beae5
        Message-Authenticator = 0xa25e2734559e8d05f9cb602baa181907
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module preprocess returns ok for request 6
modcall[authorize]: module chap returns noop for request 6
modcall[authorize]: module mschap returns noop for request 6
rlm_realm: No '@' in User-Name = dbdavids, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 6
rlm_eap: EAP packet type response id 6 length 90
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 6
users: Matched DEFAULT at 152
modcall[authorize]: module files returns ok for request 6
modcall: group authorize returns updated for request 6
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
        EAP-Message = 0x020600431a0206003e3164e5402640d5988f1d47d58297a06a95c2571a9c92f4970284a462469ceac06779f68025392ddf8f006462646176696473
PEAP: Setting User-Name to dbdavids
PEAP: Adding old state with c7 00
PEAP: Sending tunneled request
        EAP-Message = 0x020600431a0206003e3164e5402640d5988f1d47d58297a06a95c2571a9c92f4970284a462469ceac06779f68025392ddf8f006462646176696473
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = dbdavids
        State = 0xc7001f0cb231ff08af3c8015aa53f2fd
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module preprocess returns ok for request 6
modcall[authorize]: module chap returns noop for request 6
modcall[authorize]: module mschap returns noop for request 6
rlm_realm: No '@' in User-Name = dbdavids, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 6
rlm_eap: EAP packet type response id 6 length 67
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 6
users: Matched DEFAULT at 152
modcall[authorize]: module files returns ok for request 6
modcall: group authorize returns updated for request 6
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 6
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for dbdavids with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module mschap returns reject for request 6
modcall: group Auth-Type returns reject for request 6
rlm_eap: Freeing handler
modcall[authenticate]: module eap returns reject for request 6
modcall: group authenticate returns reject for request 6
auth: Failed to validate the user.
PEAP: Got tunneled reply RADIUS code 3
        MS-CHAP-Error = \006E=691 R=1
        EAP-Message = 0x04060004
        Message-Authenticator = 0x
PEAP: Processing from tunneled session code 0x552ade3c50 3
        MS-CHAP-Error = \006E=691 R=1
        EAP-Message = 0x04060004
        Message-Authenticator = 0x
Re: openlap wireless (WPA-radius with PEAP auth on client) problem
Daniel Davidson [EMAIL PROTECTED] wrote:
> Thanks for the info, now we are getting somewhere. I have just unchecked the "validate server certificate" area for now. Now I am getting a rejection. Any ideas?

You said you were storing the passwords in LDAP, but the debug log doesn't show the LDAP module being used:

> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 6
> modcall[authorize]: module preprocess returns ok for request 6
> modcall[authorize]: module chap returns noop for request 6
> modcall[authorize]: module mschap returns noop for request 6
> rlm_realm: No '@' in User-Name = dbdavids, looking up realm NULL
> rlm_realm: No such realm NULL
> modcall[authorize]: module suffix returns noop for request 6
> rlm_eap: EAP packet type response id 6 length 90
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module eap returns updated for request 6
> users: Matched DEFAULT at 152
> modcall[authorize]: module files returns ok for request 6
> modcall: group authorize returns updated for request 6

There's no mention of LDAP, so the server doesn't have the NT password.

> rlm_mschap: No User-Password configured. Cannot create LM-Password.
> rlm_mschap: No User-Password configured. Cannot create NT-Password.
> rlm_mschap: Told to do MS-CHAPv2 for dbdavids with NT-Password
> rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.

Yup.

Alan DeKok.
Re: openlap wireless (WPA-radius with PEAP auth on client) problem
I uncommented and made the appropriate changes (below) to the ldap section of the modules area. What else needs to be done? I am deleting the commented lines.

Dan

ldap {
        server = lap server's real name
        basedn = ou=People,dc=igb,dc=uiuc,dc=edu
        filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
}
Re: openlap wireless (WPA-radius with PEAP auth on client) problem
> I uncommented and made the appropriate changes (below) to the ldap section of the modules area. What else needs to be done? I am deleting the commented lines.

Un-comment other references to ldap in radiusd.conf. At least in the authorize section.

Alan DeKok.
Re: openlap wireless (WPA-radius with PEAP auth on client) problem
That did it, thanks everyone.

Dan

On Thu, 2004-11-04 at 12:49, Alan DeKok wrote:
> > I uncommented and made the appropriate changes (below) to the ldap section of the modules area. What else needs to be done? I am deleting the commented lines.
>
> Un-comment other references to ldap in radiusd.conf. At least in the authorize section.
>
> Alan DeKok.
Re: openlap wireless (WPA-radius with PEAP auth on client) problem
What should the default Auth-Type be set to then? Right now I am getting a:

auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

error message from the daemon.

Thanks again,
Dan

On Tue, 2004-11-02 at 17:10, Alan DeKok wrote:
> Daniel Davidson [EMAIL PROTECTED] wrote:
> > Probably a stupid question, but I assume you mean that in the users file I do not set it to:
> > DEFAULT Auth-type := LDAP
> > and in the authenticate {} area of radiusd.conf the ldap areas should be commented out.
>
> Yes.
>
> > Is this correct and what should the proper settings be to get this done?
>
> Do what you said.
>
> Alan DeKok.
Re: openlap wireless (WPA-radius with PEAP auth on client) problem
Daniel Davidson [EMAIL PROTECTED] wrote:
> What should the default Auth-Type be set to then? Right now I am getting a:
> auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> error message from the daemon.

Then you've edited the default radiusd.conf so that the server can no longer figure it out.

The default radiusd.conf is designed specifically so that the server can figure out most situations, and so that you have to change as little as possible to get it to work. You said the clients were doing EAP, and that you were using an LDAP database to store user information. Use the default radiusd.conf, and make as few changes as possible to it. Uncomment ldap from a few places, and configure the ldap module. If you have clear-text passwords in LDAP, it WILL work.

The only way you get the above error message when the client is using EAP is if you deleted eap from the authorize section.

Alan DeKok.
Re: openlap wireless (WPA-radius with PEAP auth on client) problem
Daniel Davidson [EMAIL PROTECTED] wrote:
> I am sure this has been answered many times, but I cannot find it. I keep getting Login incorrect: [danield/no User-Password attribute] errors and I cannot figure out where the problem is. I realize there is some stuff I can take out, but I Here is the log.
> ...
> rad_check_password: Found Auth-Type LDAP

Why?

> rlm_ldap: Attribute User-Password is required for authentication.
> modcall[authenticate]: module ldap returns invalid for request 4

Exactly. LDAP doesn't do EAP. Search the list archives for long threads explaining why.

Don't set Auth-Type = LDAP, and it will work.

Alan DeKok.
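A triage helper for radiusd -X captures, added here as an example (it is not FreeRADIUS code and not something any list member posted): it encodes the diagnoses given across this thread, that a stream of duplicate requests means the client never sees the Access-Challenge, that a conversation stalling right after the outer TLS handshake points at the supplicant rejecting the server certificate, that an inner MS-CHAPv2 reject with "No NT/LM-Password" means no authorize module supplied the hash, that Auth-Type = LDAP makes rlm_ldap demand a User-Password EAP never carries, and that "No authenticate method" means eap was dropped from authorize. The log excerpts are constructed in the style of the output quoted above; the E=691 meaning comes from RFC 2759.

```python
"""Classify a `radiusd -X` capture of a PEAP/MS-CHAPv2 login (added example)."""
import re

# MS-CHAP error codes from RFC 2759 section 6 that can appear in MS-CHAP-Error.
MSCHAP_ERRORS = {
    646: "restricted logon hours",
    647: "account disabled",
    648: "password expired",
    649: "no dial-in permission",
    691: "authentication failure (bad password, or no password source on the server)",
    709: "error changing password",
}

# Diagnosis key -> what to check, following the advice given in the thread.
ADVICE = {
    "no-nt-password": "inner MS-CHAPv2 ran but no authorize module supplied NT-Password or a "
                      "clear-text password: list the password store (e.g. ldap) in authorize",
    "auth-type-ldap": "Auth-Type = LDAP makes rlm_ldap demand User-Password, which EAP never "
                      "carries: remove that Auth-Type and let the server pick EAP",
    "no-auth-type": "the server could not choose an Auth-Type; for EAP clients that means eap "
                    "is missing from the authorize section of radiusd.conf",
    "client-not-receiving-reply": "the NAS retransmitted the same packet id with no progress, so it "
                                  "never saw the Access-Challenge: use tcpdump to see which address "
                                  "replies leave from and bind the server to one IP",
    "stalled-after-outer-tls": "the outer TLS handshake completed but no tunneled data followed: "
                               "the supplicant is usually refusing the server certificate (CA not trusted)",
}


def outcome(text: str) -> str:
    """Final RADIUS code of the conversation: accept, reject, or none if it never finished."""
    if re.search(r"Sending Access-Accept", text):
        return "accept"
    if re.search(r"Sending Access-Reject", text):
        return "reject"
    return "none"


def retransmits(text: str) -> dict:
    """Count, per packet id, how often the server had to re-send an Access-Challenge."""
    counts = {}
    for m in re.finditer(r"Re-sending Access-Challenge of id (\d+)", text):
        pid = int(m.group(1))
        counts[pid] = counts.get(pid, 0) + 1
    return counts


def mschap_error(text: str):
    """(code, retry_allowed, meaning) from an MS-CHAP-Error attribute, or None if absent."""
    m = re.search(r"MS-CHAP-Error = \S*?E=(\d+) R=(\d)", text)
    if not m:
        return None
    code = int(m.group(1))
    return code, m.group(2) == "1", MSCHAP_ERRORS.get(code, "unknown")


def diagnose(text: str) -> list:
    """Diagnosis keys (see ADVICE) that the capture supports, most specific first."""
    hit = lambda pat: re.search(pat, text) is not None
    findings = []
    if hit(r"rlm_mschap: FAILED: No NT/LM-Password"):
        findings.append("no-nt-password")
    if hit(r"Found Auth-Type LDAP") and hit(r"User-Password is required"):
        findings.append("auth-type-ldap")
    if hit(r"No authenticate method \(Auth-Type\) configuration found"):
        findings.append("no-auth-type")
    if outcome(text) == "none":  # conversation never reached accept or reject
        if hit(r"Sending duplicate reply to client"):
            findings.append("client-not-receiving-reply")
        elif hit(r"rlm_eap_peap: EAPTLS_HANDLED") and not hit(r"Session established"):
            findings.append("stalled-after-outer-tls")
    return findings


# Constructed excerpts in the style of radiusd -X output (not real captures).
SAMPLE_DUPLICATE = """\
Sending Access-Challenge of id 123 to 192.0.2.10:21646
Finished request 1
rad_recv: Access-Request packet from host 192.0.2.10:21646, id=123, length=131
Sending duplicate reply to client ap1:21646 - ID: 123
Re-sending Access-Challenge of id 123 to 192.0.2.10:21646
rad_recv: Access-Request packet from host 192.0.2.10:21646, id=123, length=131
Sending duplicate reply to client ap1:21646 - ID: 123
Re-sending Access-Challenge of id 123 to 192.0.2.10:21646
"""

SAMPLE_NO_NT = r"""rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
PEAP: Got tunneled reply RADIUS code 3
        MS-CHAP-Error = \006E=691 R=1
Sending Access-Reject of id 6 to 192.0.2.2:1024
"""

SAMPLE_CERT_STALL = """\
rlm_eap_tls: ack handshake fragment handler
rlm_eap_peap: EAPTLS_HANDLED
Sending Access-Challenge of id 158 to 192.0.2.10:21646
Finished request 6
Cleaning up request 6 ID 158 with timestamp 42ca647d
"""

if __name__ == "__main__":
    for name, sample in (("duplicate", SAMPLE_DUPLICATE), ("no-nt", SAMPLE_NO_NT),
                         ("cert-stall", SAMPLE_CERT_STALL)):
        keys = diagnose(sample)
        print(name, outcome(sample), keys, [ADVICE[k] for k in keys])
```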
Re: openlap wireless (WPA-radius with PEAP auth on client) problem
So is there a way to have users authorize themselves with an LDAP server, and what is the process for doing that? Use PAM and set the system up to have PAM auth against LDAP?

Dan

On Tue, 2004-11-02 at 09:40, Alan DeKok wrote:
> Daniel Davidson [EMAIL PROTECTED] wrote:
> > I am sure this has been answered many times, but I cannot find it. I keep getting Login incorrect: [danield/no User-Password attribute] errors and I cannot figure out where the problem is. I realize there is some stuff I can take out, but I Here is the log.
> > ...
> > rad_check_password: Found Auth-Type LDAP
>
> Why?
>
> > rlm_ldap: Attribute User-Password is required for authentication.
> > modcall[authenticate]: module ldap returns invalid for request 4
>
> Exactly. LDAP doesn't do EAP. Search the list archives for long threads explaining why.
>
> Don't set Auth-Type = LDAP, and it will work.
>
> Alan DeKok.
Re: openlap wireless (WPA-radius with PEAP auth on client) problem
Daniel Davidson [EMAIL PROTECTED] wrote:
> So is there a way to have users authorize themselves with an LDAP server, and what is the process for doing that? Use PAM and set the system up to have PAM auth against LDAP?

No. You already have authorization being done via LDAP.

What I said was: Don't set Auth-Type LDAP, and it will work.

Try that. Now.

Alan DeKok.
Re: openlap wireless (WPA-radius with PEAP auth on client) problem
Probably a stupid question, but I assume you mean that in the users file I do not set it to:

DEFAULT Auth-type := LDAP

and in the authenticate {} area of radiusd.conf the ldap areas should be commented out. Is this correct and what should the proper settings be to get this done?

Thanks,
Dan

On Tue, 2004-11-02 at 11:43, Alan DeKok wrote:
> Daniel Davidson [EMAIL PROTECTED] wrote:
> > So is there a way to have users authorize themselves with an LDAP server, and what is the process for doing that? Use PAM and set the system up to have PAM auth against LDAP?
>
> No. You already have authorization being done via LDAP.
>
> What I said was: Don't set Auth-Type LDAP, and it will work.
>
> Try that. Now.
>
> Alan DeKok.
Re: openlap wireless (WPA-radius with PEAP auth on client) problem
Daniel Davidson [EMAIL PROTECTED] wrote:
> Probably a stupid question, but I assume you mean that in the users file I do not set it to:
> DEFAULT Auth-type := LDAP
> and in the authenticate {} area of radiusd.conf the ldap areas should be commented out.

Yes.

> Is this correct and what should the proper settings be to get this done?

Do what you said.

Alan DeKok.
Re: GDB output : Problem with PEAP auth using xp clients
atul dhingra [EMAIL PROTECTED] wrote:
> Please find below the gdb output, would appreciate your comments:
> ...
> (gdb) bt
> #0 0x401420d7 in BIO_read () from /lib/libcrypto.so.0.9.7
> #1 0x40290ffe in tls_handshake_send (ssn=0x40290798) at tls.c:230

Look at the parameters passed by that line of code to the BIO_read function. See if any are NULL, and if so, why.

Alan DeKok.
Re: Problem with PEAP auth using xp clients
> So you're still getting the core dump. Let me guess... you have two versions of OpenSSL installed, and you built the server without using --disable-shared. Fix one of those two problems, and it will work.
>
> Alan DeKok.

I am still getting the same dump; I have used --disable-shared while building the radius server. Please find below the gdb output, would appreciate your comments:

auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1076225856 (LWP 17733)]
0x401420d7 in BIO_read () from /lib/libcrypto.so.0.9.7
(gdb) bt
#0  0x401420d7 in BIO_read () from /lib/libcrypto.so.0.9.7
#1  0x40290ffe in tls_handshake_send (ssn=0x40290798) at tls.c:230
#2  0x40295852 in eappeap_authenticate (arg=0x8194920, handler=0x819e4f8) at rlm_eap_peap.c:192
#3  0x4027b46d in eaptype_call (atype=0x8174b70, handler=0x819e4f8) at eap.c:170
#4  0x4027b5ce in eaptype_select (inst=0x81571b0, handler=0x819e4f8) at eap.c:353
#5  0x4027ab80 in eap_authenticate (instance=0x81571b0, request=0x81c1d80) at rlm_eap.c:289
#6  0x0805423c in call_modsingle (component=0, sp=0x8156730, request=0x81c1d80, default_result=0) at modcall.c:226
#7  0x080543a2 in modcall (component=0, c=0x8156730, request=0x81c1d80) at modcall.c:353
#8  0x0805432d in call_modgroup (component=0, g=0x57e58955, request=0x81c1d80, default_result=0) at modcall.c:261
#9  0x08054419 in modcall (component=0, c=0x8197120, request=0x81c1d80) at modcall.c:344
#10 0x08053f17 in module_authenticate (auth_type=6, request=0x81c1d80) at modules.c:907
#11 0x0805129c in rad_check_password (request=0x81c1d80) at auth.c:324
#12 0x080516af in rad_authenticate (request=0x81c1d80) at auth.c:586
#13 0x0804d17d in rad_respond (request=0x81c1d80, fun=0x80515c8 <rad_authenticate>) at radiusd.c:1555
---Type <return> to continue, or q <return> to quit---
#14 0x0804cd85 in main (argc=2, argv=0x81c1d80) at radiusd.c:1327
#15 0x42015574 in __libc_start_main () from /lib/tls/libc.so.6

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
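An added check for the diagnosis Alan gives above (example code, not from the FreeRADIUS project or from anyone in this thread): the backtrace shows BIO_read running inside /lib/libcrypto.so.0.9.7, so the first thing to establish is whether radiusd and its EAP modules all resolve libssl and libcrypto to the same files. The script parses `ldd` output and reports any library family that resolves to more than one file. The two sample outputs are constructed (file names taken from the backtrace, /usr/local/ssl being the usual prefix of a source-built OpenSSL), and the binary paths in check_install() are assumptions for a default /usr/local install.

```python
"""Check whether a FreeRADIUS build resolves more than one copy of OpenSSL.

Added example; it is not code from the FreeRADIUS project or from this thread.
It parses `ldd` output for radiusd and its EAP modules and reports when libssl
or libcrypto resolve to different files. MIXED_LDD and CLEAN_LDD are constructed
samples; the default paths in check_install() are assumptions.
"""
import glob
import re
import subprocess
from collections import defaultdict

# Matches lines such as "\tlibcrypto.so.0.9.7 => /lib/libcrypto.so.0.9.7 (0x40100000)"
LDD_LINE = re.compile(r"^\s*lib(ssl|crypto)\.so\S*\s*=>\s*(\S+)")

MIXED_LDD = """\
/usr/local/sbin/radiusd:
\tlibcrypto.so.0.9.7 => /lib/libcrypto.so.0.9.7 (0x40100000)
\tlibc.so.6 => /lib/tls/libc.so.6 (0x42000000)
/usr/local/lib/rlm_eap_tls.so:
\tlibssl.so.0.9.7 => /usr/local/ssl/lib/libssl.so.0.9.7 (0x40290000)
\tlibcrypto.so.0.9.7 => /usr/local/ssl/lib/libcrypto.so.0.9.7 (0x40300000)
"""

CLEAN_LDD = """\
/usr/local/sbin/radiusd:
\tlibcrypto.so.0.9.7 => /usr/local/ssl/lib/libcrypto.so.0.9.7 (0x40300000)
/usr/local/lib/rlm_eap_tls.so:
\tlibssl.so.0.9.7 => /usr/local/ssl/lib/libssl.so.0.9.7 (0x40290000)
\tlibcrypto.so.0.9.7 => /usr/local/ssl/lib/libcrypto.so.0.9.7 (0x40300000)
"""


def openssl_resolutions(ldd_output):
    """Map 'libssl'/'libcrypto' to {resolved file: [binaries that load it]}."""
    where = defaultdict(lambda: defaultdict(list))
    binary = "?"
    for line in ldd_output.splitlines():
        # ldd prints "path:" on an unindented line when given several files
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            binary = line.rstrip()[:-1]
            continue
        m = LDD_LINE.match(line)
        if m:
            where["lib" + m.group(1)][m.group(2)].append(binary)
    return where


def mixed_openssl(ldd_output):
    """Return the library families that resolve to more than one file; [] means consistent."""
    return sorted(lib for lib, files in openssl_resolutions(ldd_output).items() if len(files) > 1)


def check_install(paths=None):
    """Run ldd over radiusd and its EAP modules (default paths are assumptions) and report mixing."""
    paths = paths or ["/usr/local/sbin/radiusd", *glob.glob("/usr/local/lib/rlm_eap*.so"),
                      *glob.glob("/usr/local/lib/libeap*.so")]
    out = subprocess.run(["ldd", *paths], capture_output=True, text=True, check=False).stdout
    return mixed_openssl(out)


if __name__ == "__main__":
    for lib, files in openssl_resolutions(MIXED_LDD).items():
        for path, users in files.items():
            print(f"{lib}: {path}  <- {', '.join(users)}")
    print("mixed:", mixed_openssl(MIXED_LDD))
```

Grouping by family rather than by exact soname means a libcrypto.so.0.9.7 in one module and a libcrypto.so.0.9.8 in another is also reported. An empty result from check_install() does not prove the build is clean: a module that was statically linked against its own OpenSSL (no --disable-shared, or a stale object from an earlier build) shows nothing in ldd, which is why the thread also asks for a rebuild.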
Re: Subject: Re: Problem with PEAP auth using xp clients
atul dhingra [EMAIL PROTECTED] wrote:
> I am still getting the same dump, I have used --disable-shared while building the radius server. Would appreciate your comments.

<shrug> gdb and/or valgrind.

Alan DeKok.
Problem with PEAP auth using xp clients
Hello,

Following is the crux of what I am stuck on now: I am trying to use freeradius for xp clients, and I get the following messages when trying to use peap as the default eap type (full log attached).

First I receive all the success logs as follows:

...truncated...
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module eap returns handled for request 3
modcall: group authenticate returns handled for request 3
Sending Access-Challenge of id 161 to 172.26.6.62:44530
    EAP-Message = 0x0106003119001403010001011603010020dcd1f01332d46809f26364 888ab19d2259e9d6cbda6cd4bfad8f3da4a2bdfbbf
    Message-Authenticator = 0x
    State = 0xa70046675337ee5045cb375a4b7466a0
Finished request 3
Going to the next request
Waking up in 6 seconds...

And when I click on the certificate prompt that says "click to provide logon information" I get the following logs:

rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3
Segmentation fault

These are the steps I have followed:
1. installed openssl openssl-0.9.7b
2. installed freeradius freeradius-snapshot-20041006
3. imported certificate root.der to the xp client and did the set up as in the 'how to' document at the freeradius web site

TIA
AD
rad_recv: Access-Request packet from host 172.26.6.62:44530, id=158, length=140
    EAP-Message = 0x0202000d01737572696e646572
    Calling-Station-Id = 00-09-5B-67-59-5B
    Called-Station-Id = 00-85-A0-01-01-01:Viking
    User-Name = surinder
    NAS-IP-Address = 172.26.6.62
    NAS-Port = 3866625
    NAS-Port-Type = Wireless-802.11
    NAS-Port-Id = wlan-0
    Framed-MTU = 1300
    Message-Authenticator = 0xbd075cd5ef2ee84b8d1ec889c3893e1b
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = surinder, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: EAP packet type response id 2 length 13
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 0
users: Matched DEFAULT at 152
modcall[authorize]: module files returns ok for request 0
modcall[authorize]: module expiration returns noop for request 0
modcall[authorize]: module logintime returns noop for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module eap returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 158 to 172.26.6.62:44530
    EAP-Message = 0x010300061920
    Message-Authenticator = 0x
    State = 0x38f2f52a431bdbaabd3cd770f91831b0
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.26.6.62:44530, id=159, length=225
    EAP-Message = 0x02030050198000461603010041013d0301416a7618bf49c1 0fde73665508a9676474635f287049af08d36883af96c6a64a1600040005000a000900640062 000300060013001200630100
    Calling-Station-Id = 00-09-5B-67-59-5B
    Called-Station-Id = 00-85-A0-01-01-01:Viking
    User-Name = surinder
    NAS-IP-Address = 172.26.6.62
    NAS-Port = 3866625
    NAS-Port-Type = Wireless-802.11
    NAS-Port-Id = wlan-0
    Framed-MTU = 1300
    State = 0x38f2f52a431bdbaabd3cd770f91831b0
    Message-Authenticator = 0x84cbbd34d0c669b5bf2d268398eaae3c
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module preprocess returns ok for request 1
modcall[authorize]: module chap returns noop for request 1
modcall[authorize]: module mschap returns noop for request 1
rlm_realm: No '@' in User-Name = surinder, looking up realm NULL
rlm_realm: No such realm NULL
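The EAP-Message values in the log above carry the whole PEAP conversation, so decoding them shows exactly where the exchange stood when the server crashed: the identity response, the PEAP Start (flags 0x20), the client's TLS ClientHello, and the challenge of id 161 that carries the server's ChangeCipherSpec plus its encrypted Finished record, after which the client's bare ACK triggers the SIGSEGV. The following decoder is an added example, not code from the FreeRADIUS project or from anyone in the thread. Its sample log is constructed from the values quoted in this post, laid out one attribute per line as radiusd prints them; note that the ClientHello value as archived here is 74 bytes while its EAP length field says 80, and the decoder reports that mismatch rather than decoding the remainder.

```python
"""Decode the EAP-Message values that radiusd prints in debug output.

Added example, not code from the FreeRADIUS project or this thread. It parses
the EAP header (RFC 3748) and, for EAP-TLS/PEAP (types 13/25), the flags byte
and the TLS records carried (RFC 5216). SAMPLE_LOG is constructed from the
values quoted in the post above, in radiusd's one-attribute-per-line form.
"""
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 14: "ServerHelloDone",
             16: "ClientKeyExchange", 20: "Finished"}
# A value may be wrapped into space-separated chunks; it ends at the end of the line.
EAP_LINE = re.compile(r"EAP-Message\s*=\s*0x([0-9a-fA-F]+(?:[ \t]+[0-9a-fA-F]+\b)*)")

SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 172.26.6.62:44530, id=158, length=140
    EAP-Message = 0x0202000d01737572696e646572
    User-Name = surinder
Sending Access-Challenge of id 158 to 172.26.6.62:44530
    EAP-Message = 0x010300061920
    State = 0x38f2f52a431bdbaabd3cd770f91831b0
rad_recv: Access-Request packet from host 172.26.6.62:44530, id=159, length=225
    EAP-Message = 0x02030050198000461603010041013d0301416a7618bf49c1 0fde73665508a9676474635f287049af08d36883af96c6a64a1600040005000a000900640062 000300060013001200630100
Sending Access-Challenge of id 161 to 172.26.6.62:44530
    EAP-Message = 0x0106003119001403010001011603010020dcd1f01332d46809f26364 888ab19d2259e9d6cbda6cd4bfad8f3da4a2bdfbbf
    Message-Authenticator = 0x
"""


def extract_eap_messages(log_text):
    """Return the raw EAP packets found in the log, in log order."""
    return [bytes.fromhex(re.sub(r"[ \t]+", "", m.group(1))) for m in EAP_LINE.finditer(log_text)]


def decode_tls_eap(body):
    """Parse the EAP-TLS/PEAP flags byte and list the TLS records that follow it."""
    if not body:                                   # empty payload: an EAP-TLS ACK
        return {"ack": True, "flags": [], "records": []}
    flags = body[0]
    out = {"ack": False, "version": flags & 0x07, "records": [],
           "flags": [n for bit, n in ((0x80, "L"), (0x40, "M"), (0x20, "S")) if flags & bit]}
    data = body[1:]
    if flags & 0x80:                               # L bit: 4-byte total TLS length comes first
        if len(data) < 4:
            return out
        out["tls_length"] = struct.unpack("!I", data[:4])[0]
        data = data[4:]
    pos, encrypted = 0, False
    while pos + 5 <= len(data):                    # walk the TLS record layer
        ctype, major, minor, rlen = struct.unpack("!BBBH", data[pos:pos + 5])
        frag = data[pos + 5:pos + 5 + rlen]
        rec = {"type": TLS_CONTENT.get(ctype, f"content-{ctype}"), "version": f"{major}.{minor}", "len": rlen}
        if ctype == 22 and frag:
            # After ChangeCipherSpec the handshake body is encrypted (normally Finished).
            rec["handshake"] = "encrypted" if encrypted else HANDSHAKE.get(frag[0], f"hs-{frag[0]}")
        encrypted = encrypted or ctype == 20
        out["records"].append(rec)
        pos += 5 + rlen
    return out


def decode_eap(pkt):
    """Parse one EAP packet; the header length is checked against the bytes actually present."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    info = {"code": EAP_CODES.get(code, f"code-{code}"), "id": ident,
            "length": length, "actual": len(pkt), "intact": length == len(pkt)}
    if not info["intact"]:                         # truncated or mangled log line: do not guess
        info["note"] = f"length field says {length} bytes but {len(pkt)} were logged; payload not decoded"
        return info
    if code in (1, 2) and length >= 5:
        eap_type = pkt[4]
        info["type"] = EAP_TYPES.get(eap_type, f"type-{eap_type}")
        if eap_type == 1:
            info["identity"] = pkt[5:].decode("ascii", "replace")
        elif eap_type in (13, 25):
            info.update(decode_tls_eap(pkt[5:]))
    return info


def summarize(log_text):
    """One human-readable line per EAP-Message in the log."""
    lines = []
    for info in map(decode_eap, extract_eap_messages(log_text)):
        desc = f"{info['code']} id={info['id']} len={info['length']}"
        if "note" in info:
            lines.append(f"{desc} !! {info['note']}")
            continue
        desc += f" {info.get('type', '')}"
        if "identity" in info:
            desc += f" identity={info['identity']!r}"
        if "flags" in info:
            recs = [r["type"] + ("/" + r["handshake"] if "handshake" in r else "") for r in info["records"]]
            desc += " (ACK)" if info["ack"] else f" flags={''.join(info['flags']) or '-'} tls=[{', '.join(recs)}]"
        lines.append(desc)
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```

Running it on SAMPLE_LOG prints the identity "surinder", the PEAP Start request, the flagged ClientHello line, and the id 161 challenge decoded as ChangeCipherSpec followed by an encrypted handshake record, which is the "SSL Connection Established" point the post describes; anything that stalls or crashes after that is happening at the first inner-tunnel step, not in certificate validation.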