Re: PEAP with MSCHAPv2

2009-12-02 Thread Alan Buxey
Hi,
> Hello everyone.
> I'm trying to understand how the certificates work in Freeradius.
> Last time I asked about why I need to install a root certificate on all the
> windows clients I got the answer that it is because PEAP works that way. But
> when I read about it on other sites it says that EAP-TTLS and PEAP were
> created so that you won't need client-side certificates?

client-side certificate means a specific cert for the client, not the root CA.

you need a root CA installed because that's what the RADIUS server has been
signed with.
if you've used a CA to sign the RADIUS cert that is commonly in the client you
won't need to install the CA...but e.g. a self-signed CA will need to be installed.

> The PEAP0 I want to use is EAP-MSCHAPv2 since that one should not require 
> client-side certificates if I have understood it correctly.

RADIUS server signed by CA
CA needs to be on the client if you want to really trust/verify the cert

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


PEAP with MSCHAPv2

2009-12-02 Thread Peter Carlstedt

Hello everyone.

I'm trying to understand how the certificates work in Freeradius.

Last time I asked about why I need to install a root certificate on all the
windows clients I got the answer that it is because PEAP works that way. But
when I read about it on other sites it says that EAP-TTLS and PEAP were created
so that you won't need client-side certificates?

Is there a difference in client-side certificates and the root certificate?

The PEAP0 I want to use is EAP-MSCHAPv2 since that one should not require
client-side certificates if I have understood it correctly.

Best Regards/ Peter Carlstedt
  

RE: PEAP with MSCHAPV2 (windows xp remembers the username/passwor d in cache)

2004-10-15 Thread Khurram Jahangir
Thanks a lot, Peter, it worked for me. I really appreciate your help.

Regards

Khurram

--- Peter Hicks <[EMAIL PROTECTED]> wrote:

> No it is not possible, according to MS at least. Their article is at
> http://support.microsoft.com/default.aspx?scid=kb;en-us;823731
> 
> You could create a login script that resets the registry every time someone
> logs in. You could also provide your users with a NAL object or some other
> deployed mechanism to do this if they want to change credentials.
> 
> An easy way to clear the username on the fly (especially for testing) is to
> use a .reg file. Create a file called UserEapInfo.reg and paste in the
> following information:
> 
> REGEDIT4
> 
> [-HKEY_CURRENT_USER\Software\Microsoft\Eapol\UserEapInfo]
> 
> Now double click on the file to merge it. This will delete the existing info
> and you will be prompted again. I got this solution from www.jsiinc.com
> and it works a treat.
> 
> Peter






RE: PEAP with MSCHAPV2 (windows xp remembers the username/passwor d in cache)

2004-10-14 Thread Peter Hicks
No it is not possible, according to MS at least. Their article is at
http://support.microsoft.com/default.aspx?scid=kb;en-us;823731

You could create a login script that resets the registry every time someone
logs in. You could also provide your users with a NAL object or some other
deployed mechanism to do this if they want to change credentials.

An easy way to clear the username on the fly (especially for testing) is to
use a .reg file. Create a file called UserEapInfo.reg and paste in the
following information:

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Eapol\UserEapInfo]


Now double click on the file to merge it. This will delete the existing info
and you will be prompted again. I got this solution from www.jsiinc.com
and it works a treat.

Peter



PEAP with MSCHAPV2 (windows xp remembers the username/password in cache)

2004-10-14 Thread Khurram Jahangir
Hi All,

I have set up freeradius server 1.0.1 and I am using a windows XP 802.1x
client. The authenticator is an HP 2524 switch.

I have tested the setup with PEAP using MSCHAP V2 and it worked fine for me.
My problem is that I want to use this mechanism for VLAN selection so that
depending on the username/password, the user gets the VLAN from the
freeradius server. Now the problem here is that windows xp stores the
username and password in the cache and in case the user wants to get
reauthenticated and get assigned to another vlan, the username/password
should be entered again. I can go in the registry and delete the file and in
that case, when I reconnect the client, I will be asked to enter the
username/password. I wonder if it is possible to tell windows not to store
the username/password in the cache. Maybe any of you knows about this. I
don't know, maybe I can set some parameter in the radius configuration that
triggers the windows xp 802.1x client to enter the username and password
every time the user connects the computer to the network.

Probably someone knows about an open source 802.1x client which works for
windows and linux both. I will really appreciate any kind of help regarding
this.

Best Regards

Khurram






Re: PEAP with MSChapV2 on wireless network

2004-06-10 Thread Alan DeKok
Bragg Mario-mbragg1 <[EMAIL PROTECTED]> wrote:
> I am unable to get PEAP working with WinXP (using MSChapV2) on my
> wireless network. I am using Freeradius Version 1.0.0-pre1. For
> authentication I am using etc_smbpassword.

  Ok...

> I saw an earlier message in the archive stating that MSChap wasn't
> supposed to be used for wireless,

  Huh?  I don't think so.

> Thu Jun 10 10:57:34 2004 : Debug: rlm_passwd: Added LM-Password: '9D4426742166CA54695109AB020E401C' to config_items
> Thu Jun 10 10:57:34 2004 : Debug: rlm_passwd: Added NT-Password: '90A3404003BACDBE506C86F110DB7AE0' to config_items
> Thu Jun 10 10:57:34 2004 : Debug: rlm_passwd: Added SMB-Account-CTRL-TEXT: '[U ]' to config_items
> Thu Jun 10 10:57:34 2004 : Info: rlm_passwd: Adding Auth-Type: MS-CHAP

  That's your problem.  You've configured the "passwd" module to force
MS-CHAP authentication.

> Thu Jun 10 10:57:34 2004 : Debug: rad_check_password: Found Auth-Type EAP
> Thu Jun 10 10:57:34 2004 : Debug: rad_check_password: Found Auth-Type MS-CHAP
> Thu Jun 10 10:57:34 2004 : Error: Warning: Found 2 auth-types on request for user 'mbragg1'

  That message would appear to be informative.


  My suggestion is to comment out the "authtype" entry in the
"smbpasswd" configuration.

  Alan DeKok.




PEAP with MSChapV2 on wireless network

2004-06-10 Thread Bragg Mario-mbragg1
I am unable to get PEAP working with WinXP (using MSChapV2) on my wireless
network. I am using Freeradius Version 1.0.0-pre1. For authentication I am
using etc_smbpassword. I saw an earlier message in the archive stating that
MSChap wasn't supposed to be used for wireless, however, under WinXP, this is
the only option with PEAP. TLS works fine. I am receiving the following error
message. Any ideas?

Mario Bragg


Thu Jun 10 10:57:31 2004 : Debug: Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.1.1:55048, id=44, length=148
User-Name = "NA3\\mbragg1"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "00-0c-41-f7-f3-f6"
Calling-Station-Id = "00-0c-f1-30-67-40"
NAS-Identifier = "Linksys BEFW11S4-V4.X"
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x022c0010014e41335c6d627261676731
Message-Authenticator = 0xc647195a743b7665871bdfc633922bf4
Thu Jun 10 10:57:34 2004 : Debug: Processing the authorize section of radiusd.conf
Thu Jun 10 10:57:34 2004 : Debug: modcall: entering group authorize for request 27
Thu Jun 10 10:57:34 2004 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 27
Thu Jun 10 10:57:34 2004 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 27
Thu Jun 10 10:57:34 2004 : Debug: modcall[authorize]: module "preprocess" returns ok for request 27
Thu Jun 10 10:57:34 2004 : Debug: modsingle[authorize]: calling auth_log (rlm_detail) for request 27
Thu Jun 10 10:57:34 2004 : Debug: radius_xlat: '/usr/local/radius/var/log/radius/radacct/192.168.1.1/auth-detail-20040610'
Thu Jun 10 10:57:34 2004 : Debug: rlm_detail: /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/radius/var/log/radius/radacct/192.168.1.1/auth-detail-20040610
Thu Jun 10 10:57:34 2004 : Debug: modsingle[authorize]: returned from auth_log (rlm_detail) for request 27
Thu Jun 10 10:57:34 2004 : Debug: modcall[authorize]: module "auth_log" returns ok for request 27
Thu Jun 10 10:57:34 2004 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 27
Thu Jun 10 10:57:34 2004 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 27
Thu Jun 10 10:57:34 2004 : Debug: modcall[authorize]: module "chap" returns noop for request 27
Thu Jun 10 10:57:34 2004 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 27
Thu Jun 10 10:57:34 2004 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 27
Thu Jun 10 10:57:34 2004 : Debug: modcall[authorize]: module "mschap" returns noop for request 27
Thu Jun 10 10:57:34 2004 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 27
Thu Jun 10 10:57:34 2004 : Debug: rlm_realm: No '@' in User-Name = "mbragg1", looking up realm NULL
Thu Jun 10 10:57:34 2004 : Debug: rlm_realm: No such realm "NULL"
Thu Jun 10 10:57:34 2004 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 27
Thu Jun 10 10:57:34 2004 : Debug: modcall[authorize]: module "suffix" returns noop for request 27
Thu Jun 10 10:57:34 2004 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 27
Thu Jun 10 10:57:34 2004 : Debug: rlm_eap: EAP packet type response id 44 length 16
Thu Jun 10 10:57:34 2004 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Thu Jun 10 10:57:34 2004 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 27
Thu Jun 10 10:57:34 2004 : Debug: modcall[authorize]: module "eap" returns updated for request 27
Thu Jun 10 10:57:34 2004 : Debug: modsingle[authorize]: calling files (rlm_files) for request 27
Thu Jun 10 10:57:34 2004 : Debug: users: Matched DEFAULT at 158
Thu Jun 10 10:57:34 2004 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 27
Thu Jun 10 10:57:34 2004 : Debug: modcall[authorize]: module "files" returns ok for request 27
Thu Jun 10 10:57:34 2004 : Debug: modsingle[authorize]: calling etc_smbpasswd (rlm_passwd) for request 27
Thu Jun 10 10:57:34 2004 : Debug: rlm_passwd: Added LM-Password: '9D4426742166CA54695109AB020E401C' to config_items
Thu Jun 10 10:57:34 2004 : Debug: rlm_passwd: Added NT-Password: '90A3404003BACDBE506C86F110DB7AE0' to config_items
Thu Jun 10 10:57:34 2004 : Debug: rlm_passwd: Added SMB-Account-CTRL-TEXT: '[U ]' to config_items
Thu Jun 10 10:57:34 2004 : Info: rlm_passwd: Adding Auth-Type: MS-CHAP
Thu Jun 10 10:57:34 2004 : Debug: modsingle[authorize]: returned from etc_smbpasswd (rlm_passwd) for request 27
Thu Jun 10 10:57:34 2004 : Debug: modcall[authorize]: module "etc_smbpasswd" returns ok for request 27
Thu Jun 10 10:57:34 2004 : Debug: modcall: group authorize returns updated for request 27
Thu Jun 10 10:57:34 2004 : Debug: rad_check_password: Found Auth-Type EAP
Thu Jun 1

Re: PEAP with MSCHAPv2

2004-05-20 Thread Alan DeKok
Paul Khavkine <[EMAIL PROTECTED]> wrote:
> Now, everywhere i have seen examples for PEAP config, they all state in
> the users:
> 
>   Auth-Type := Local, User-Password == "mypass"

  They're wrong.

> When I tried that, the server would not recognize an EAP session and
> would always give an error that it can't find User-Password in the
> request (like in a non-EAP request).

  Exactly.

> After changing users file entry to:
> 
>   User-Password == "mypass"
> 
> 
> It would work properly.
> 
> Is that a proper behavior ?

  Yes.

  Alan DeKok.



PEAP with MSCHAPv2

2004-05-20 Thread Paul Khavkine

Hi folks.

After some mucking around we got FreeRADIUS to work with PEAP.

Now, everywhere I have seen examples for PEAP config, they all state in
the users file:

  Auth-Type := Local, User-Password == "mypass"


When I tried that, the server would not recognize an EAP session and
would always give an error that it can't find User-Password in the
request (like in a non-EAP request).


After changing users file entry to:

  User-Password == "mypass"


It would work properly.

Is that proper behavior?


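Added example for this page (not FreeRADIUS code and not from any of the posts above): a short Python script that checks for the problem described both in the Mario Bragg "Found 2 auth-types" thread and in this one, a forced Auth-Type that takes a PEAP request away from the EAP module. It lints a `users` file entry for a forced Auth-Type (`:= Local`, as in the examples Paul found) and scans radiusd -X output for a module adding a second Auth-Type, which is the condition behind "Found 2 auth-types on request". The regular expressions are written against the log lines quoted in the Mario Bragg post; the sample users entries and log lines are constructed for the example; the set of Auth-Types treated as conflicting is an assumption for this check (it presumes the entries are for EAP clients, since `Auth-Type := MS-CHAP` is legitimate for plain, non-EAP MS-CHAP).

```python
"""Detect a forced Auth-Type that conflicts with EAP (PEAP/MSCHAPv2) in FreeRADIUS 1.x.

Constructed example for the mailing-list threads; not FreeRADIUS code.
"""
import re
from typing import Dict, List, Tuple

# Auth-Types that, when forced as a check item for an EAP client, take the
# request away from rlm_eap.  "Local" is the one the users-file examples force;
# "MS-CHAP" is the one the passwd module's authtype setting forced.  Assumed
# list for this check; MS-CHAP is fine for non-EAP MS-CHAP clients.
EAP_CONFLICTING_AUTH_TYPES = {"Local", "MS-CHAP"}

# Patterns modelled on the radiusd -X lines quoted in the threads.
AUTH_TYPE_ITEM = re.compile(r'^Auth-Type\s*(:=|==|=)\s*"?([A-Za-z0-9-]+)"?$')
ADDED_AUTH_TYPE = re.compile(r"(rlm_[A-Za-z0-9_]+): Adding Auth-Type: (\S+)")
FOUND_AUTH_TYPE = re.compile(r"rad_check_password: Found Auth-Type (\S+)")


def users_entry_problems(entry: str) -> List[str]:
    """Return the problems found in the check items of one 'users' file entry.

    The first line of an entry is '<name>  <check item>, <check item>, ...';
    reply items on the indented lines that follow are not inspected.
    """
    lines = entry.strip().splitlines()
    if not lines:
        return []
    parts = lines[0].split(None, 1)
    if len(parts) < 2:
        return []                       # a name with no check items
    problems = []
    for item in (i.strip() for i in parts[1].split(",")):
        m = AUTH_TYPE_ITEM.match(item)
        if m and m.group(2) in EAP_CONFLICTING_AUTH_TYPES:
            problems.append(
                f"'{item}' forces Auth-Type {m.group(2)}; for PEAP/EAP users "
                "drop it and keep only the password check item"
            )
    return problems


def auth_type_summary(debug_log: str) -> Dict[str, object]:
    """Summarise the Auth-Type decisions visible in radiusd -X output.

    'added'    : (module, Auth-Type) for every module that added one
    'found'    : the Auth-Types rad_check_password found on the request
    'conflict' : True when more than one distinct Auth-Type was found, i.e.
                 the condition behind "Found 2 auth-types on request"
    """
    added: List[Tuple[str, str]] = []
    found: List[str] = []
    for line in debug_log.splitlines():
        m = ADDED_AUTH_TYPE.search(line)
        if m:
            added.append((m.group(1), m.group(2)))
        m = FOUND_AUTH_TYPE.search(line)
        if m:
            found.append(m.group(1))
    return {"added": added, "found": found, "conflict": len(set(found)) > 1}


# Constructed sample data, modelled on the two threads.
WRONG_ENTRY = 'mbragg1  Auth-Type := Local, User-Password == "mypass"'
RIGHT_ENTRY = 'mbragg1  User-Password == "mypass"'

SAMPLE_LOG = """\
Thu Jun 10 10:57:34 2004 : Debug: modcall[authorize]: module "eap" returns updated for request 27
Thu Jun 10 10:57:34 2004 : Debug: rlm_passwd: Added NT-Password: '<hash omitted>' to config_items
Thu Jun 10 10:57:34 2004 : Info: rlm_passwd: Adding Auth-Type: MS-CHAP
Thu Jun 10 10:57:34 2004 : Debug: rad_check_password: Found Auth-Type EAP
Thu Jun 10 10:57:34 2004 : Debug: rad_check_password: Found Auth-Type MS-CHAP
Thu Jun 10 10:57:34 2004 : Error: Warning: Found 2 auth-types on request for user 'mbragg1'
"""

if __name__ == "__main__":
    for entry in (WRONG_ENTRY, RIGHT_ENTRY):
        print(entry, "->", users_entry_problems(entry) or "ok")
    summary = auth_type_summary(SAMPLE_LOG)
    print(summary)
    if summary["conflict"]:
        print("fix: stop the module listed under 'added' from forcing an Auth-Type",
              "(for rlm_passwd, comment out its authtype setting)")
```

Run it as-is to see the wrong entry flagged and the sample log reported as a conflict with rlm_passwd as the module that added MS-CHAP; to check a real server, replace SAMPLE_LOG with captured radiusd -X output and the entries with lines from your users file.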