Re: Authentication issues with Win7 and WPA/WPA2 Enterprise
Hi,

> proxy-inner-tunnel:
> server proxy-inner-tunnel {
>   authorize {
>     update control {
>       Proxy-To-Realm := NULL   # I want to proxy realm NULL
>     }
>   }
>   authenticate {
>     eap
>   }
>   post-proxy {
>     eap
>   }
> }

Don't set it to NULL - that keeps it very much local. Instead, set it to FOOBAR and configure proxy.conf so that the FOOBAR realm points to your other server.

Alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication issues with Win7 and WPA/WPA2 Enterprise
Phil Mayers wrote:
> On 24/05/11 08:35, Simon L. wrote:
>> Phil Mayers wrote:
>>> On 05/23/2011 06:53 PM, Simon L. wrote:
>>>> Please have a look at my new, attached debug log.
>>>
>>> The server you are proxying to sends a reject. Fix that server.
>>
>> Why does the home server accept a proxied request from radtest but not from
>> a wpa supplicant?
>
> radtest sends (by default) a PAP request.
>
> WPA-Supplicant sends EAP.
>
>> The home server can not talk eap. As the log shows, the proxy is not
>
> If the home server can't do EAP, how do you expect to proxy EAP to it?
>
> What is the home server?

That's the point, I don't want to proxy eap to the other freeradius (home server).

>> doing eap when it forwards a request. Where is the difference?
>
> 802.1x requires EAP support at the radius server. If you are proxying
> the requests to another server, it requires EAP support there, too.

I thought "proxy_tunneled_request_as_eap = no" would proxy without eap. So I did this:

eap.conf:
  eap {
    ...
    peap {
      default_eap_type = mschapv2
      copy_request_to_tunnel = yes
      use_tunneled_reply = yes
      proxy_tunneled_request_as_eap = no
      virtual_server = "proxy-inner-tunnel"
    }
  }

proxy-inner-tunnel:
  server proxy-inner-tunnel {
    authorize {
      update control {
        Proxy-To-Realm := NULL   # I want to proxy realm NULL
      }
    }
    authenticate {
      eap
    }
    post-proxy {
      eap
    }
  }

> It *may* be possible to terminate the EAP at FreeRADIUS, and send the
> inner EAP as non-EAP, but this is a hack, and I strongly advise against
> it. This will only work for EAP-TTLS/PAP and EAP-PEAP/MSCHAP

The network between the two freeradius is not public or shared, so I think that would be ok.

My above solution proxied eap, but is your hack just an old version of my config?? I read several mails from last year, where that problem is solved that way (more or less).

> If you want to do that, put the proxy config into
> sites-enabled/inner-tunnel,

Do you mean from proxy.conf or proxy-inner-tunnel?

> and also see eap.conf:
>
> eap {
>   peap {
>     proxy_tunneled_request_as_eap = yes
>   }
> }

I had set it to "no".
Re: Authentication issues with Win7 and WPA/WPA2 Enterprise
On 24/05/11 08:35, Simon L. wrote:
> Phil Mayers wrote:
>> On 05/23/2011 06:53 PM, Simon L. wrote:
>>> Please have a look at my new, attached debug log.
>>
>> The server you are proxying to sends a reject. Fix that server.
>
> Why does the home server accept a proxied request from radtest but not from
> a wpa supplicant?

radtest sends (by default) a PAP request.

WPA-Supplicant sends EAP.

> The home server can not talk eap. As the log shows, the proxy is not

If the home server can't do EAP, how do you expect to proxy EAP to it?

What is the home server?

> doing eap when it forwards a request. Where is the difference?

802.1x requires EAP support at the radius server. If you are proxying the requests to another server, it requires EAP support there, too.

It *may* be possible to terminate the EAP at FreeRADIUS, and send the inner EAP as non-EAP, but this is a hack, and I strongly advise against it. This will only work for EAP-TTLS/PAP and EAP-PEAP/MSCHAP

If you want to do that, put the proxy config into sites-enabled/inner-tunnel, and also see eap.conf:

  eap {
    peap {
      proxy_tunneled_request_as_eap = yes
    }
  }
Re: Authentication issues with Win7 and WPA/WPA2 Enterprise
Phil Mayers wrote:
> On 05/23/2011 06:53 PM, Simon L. wrote:
>
>> Please have a look at my new, attached debug log.
>
> The server you are proxying to sends a reject. Fix that server.

Why does the home server accept a proxied request from radtest but not from a wpa supplicant? The home server can not talk eap. As the log shows, the proxy is not doing eap when it forwards a request. Where is the difference?
Re: Authentication issues with Win7 and WPA/WPA2 Enterprise
On 05/23/2011 06:53 PM, Simon L. wrote:
> Please have a look at my new, attached debug log.

The server you are proxying to sends a reject. Fix that server.
Re: Authentication issues with Win7 and WPA/WPA2 Enterprise
Hi again, now I got a real problem.

>>> ...
>>>
>>> The debug you sent contains no reject. Please send a debug for this case.
>>
> I will generate a separate log for the WPA2 scenario soon.

I have no problems with WPA/2 and local authentication anymore. But now I try to proxy the requests to another homeserver. At first I tried with radtest from localhost - the request was proxied and accepted.

From a Win7 supplicant the homeserver says:

  Login incorrect: [test/] (from client )

and of course an access-reject was following.

Please have a look at my new, attached debug log.

Thanks a lot!
Simon

Attached debug log (output of radiusd -X):

  FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on May 12 2011 at 13:56:14
  Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
  Starting - reading configuration files ...
RE: Authentication issues with Win7 and WPA/WPA2 Enterprise
Initial test results passing PEAP et al to FR (vs. Aruba terminating PEAP) and "proxying" MSCHAP APPEAR to work well. Testing is by no means 100% complete, but so far so good. Scenarios that used to result in a reject are now working as expected.

I had an initial problem 'cause I installed this to /devel/ to test with and I mucked something up and many files and dirs ended up directly under /devel instead of for instance /devel/raddb/. I created raddb and copied certs there and it was more happy.

FWIW: We are NOT using client certs at this time, we are using the PEAP/MSCHAPv2 and "use my windows credentials" option.

Thanks!

Gary

-----Original Message-----
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On Behalf Of Gary Gatten
Sent: Wednesday, May 18, 2011 12:41 PM
To: 'freeradius-users@lists.freeradius.org'
Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

I have a 2.1.10 server we are testing with, but I thought the patch you mentioned wasn't in 2.1.10, I think Alan said he'd put it in 3.x? We will be testing passing the entire *eap session to FR this afternoon.

----- Original Message -----
From: Phil Mayers [mailto:p.may...@imperial.ac.uk]
Sent: Wednesday, May 18, 2011 12:29 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

On 18/05/11 17:10, Gary Gatten wrote:
> I would LOVE if W7 just worked! People here are blaming FR and I'm
> trying to convince them it has nothing to do with it, but since the
> MSCHAP challenges / responses are hashed I can't PROVE it to them.

As per previous posts:

Your Aruba wireless equipment is:

a. Terminating the outer EAP-PEAP
b. Translating the inner EAP-MSCHAPv2 to plain MS-CHAPv2

I strongly suspect this will be causing the problems you are having, and I even suspect I know how - I think it's probably clients typing in their username in mIxEd-CaSe, which will cause cryptographic (hash) mismatches at client and server without careful preservation of the EAP payload.

As per Neal Garber's post of 10th May, even FreeRADIUS had problems with this prior to 2.1.10

Are you / have you been able to:

1. stop terminating the PEAP on the Aruba
2. upgrade to FreeRADIUS 2.1.10

?
Re: Authentication issues with Win7 and WPA/WPA2 Enterprise
Phil Mayers wrote:
> On 18/05/11 17:10, Gary Gatten wrote:
>> I would LOVE if W7 just worked! People here are blaming FR and I'm
>> trying to convince them it has nothing to do with it, but since the
>> MSCHAP challenges / responses are hashed I can't PROVE it to them.

> Are you / have you been able to:
> 1. stop terminating the PEAP on the Aruba
> 2. upgrade to FreeRADIUS 2.1.10

I can at least confirm the following from my Aruba setup here:

a) _not_ terminating the outer EAP-PEAP in the Aruba and
b) passing the whole thing to FR 2.1.10

works with any Windows I have so far encountered. (as far as the other things like server certificate chain, etc. are correct.)

So the setup Win7->Aruba->FR _will_ work, if you don't let the Aruba gear fiddle with your EAP.

Regards,
Sven.

--
Sigmentation fault. Core dumped.
Re: Authentication issues with Win7 and WPA/WPA2 Enterprise
On 18/05/11 18:41, Gary Gatten wrote:
> I have a 2.1.10 server we are testing with, but I thought the patch you
> mentioned wasn't in 2.1.10, I think Alan said he'd put it in 3.x?

The patch which handles mixed-case client username in PEAP/MSCHAP was written by Neal Garber, and is in 2.1.10.

The patches I've written recently are not related to this. They're new functionality for other things.
Re: Authentication issues with Win7 and WPA/WPA2 Enterprise
I have a 2.1.10 server we are testing with, but I thought the patch you mentioned wasn't in 2.1.10, I think Alan said he'd put it in 3.x? We will be testing passing the entire *eap session to FR this afternoon.

----- Original Message -----
From: Phil Mayers [mailto:p.may...@imperial.ac.uk]
Sent: Wednesday, May 18, 2011 12:29 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

On 18/05/11 17:10, Gary Gatten wrote:
> I would LOVE if W7 just worked! People here are blaming FR and I'm
> trying to convince them it has nothing to do with it, but since the
> MSCHAP challenges / responses are hashed I can't PROVE it to them.

As per previous posts:

Your Aruba wireless equipment is:

a. Terminating the outer EAP-PEAP
b. Translating the inner EAP-MSCHAPv2 to plain MS-CHAPv2

I strongly suspect this will be causing the problems you are having, and I even suspect I know how - I think it's probably clients typing in their username in mIxEd-CaSe, which will cause cryptographic (hash) mismatches at client and server without careful preservation of the EAP payload.

As per Neal Garber's post of 10th May, even FreeRADIUS had problems with this prior to 2.1.10

Are you / have you been able to:

1. stop terminating the PEAP on the Aruba
2. upgrade to FreeRADIUS 2.1.10

?
Re: Authentication issues with Win7 and WPA/WPA2 Enterprise
On 18/05/11 17:35, Gary Gatten wrote:
> That's what I was afraid of... Can you expand on this:
>
> "You *can* check that a given response is valid for a given challenge,
> if you know the password or nt hash."

At length, but I would be here all day ;o)

Basically, I've got a python script that performs the MS-CHAP crypto. I'll see if I can stick it somewhere people can make use of it.

But FreeRADIUS does this "right". There's no need for an external script (unless you're fiddling with the MS-CHAP module guts, which I was when I wrote it).

If FreeRADIUS is telling you the mschap response is wrong, it's wrong. Either:

1. The client is sending wrong data
2. The server has wrong data (password/hash)
3. Something is fiddling with the data in transit

Since we *know* your Aruba kit is doing some fiddling, it
Re: Authentication issues with Win7 and WPA/WPA2 Enterprise
On 18/05/11 17:10, Gary Gatten wrote:
> I would LOVE if W7 just worked! People here are blaming FR and I'm
> trying to convince them it has nothing to do with it, but since the
> MSCHAP challenges / responses are hashed I can't PROVE it to them.

As per previous posts:

Your Aruba wireless equipment is:

a. Terminating the outer EAP-PEAP
b. Translating the inner EAP-MSCHAPv2 to plain MS-CHAPv2

I strongly suspect this will be causing the problems you are having, and I even suspect I know how - I think it's probably clients typing in their username in mIxEd-CaSe, which will cause cryptographic (hash) mismatches at client and server without careful preservation of the EAP payload.

As per Neal Garber's post of 10th May, even FreeRADIUS had problems with this prior to 2.1.10

Are you / have you been able to:

1. stop terminating the PEAP on the Aruba
2. upgrade to FreeRADIUS 2.1.10

?
RE: Authentication issues with Win7 and WPA/WPA2 Enterprise
That's what I was afraid of... Can you expand on this:

"You *can* check that a given response is valid for a given challenge, if you know the password or nt hash."

TIA

G

-----Original Message-----
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On Behalf Of Phil Mayers
Sent: Wednesday, May 18, 2011 11:27 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

On 18/05/11 17:10, Gary Gatten wrote:
> I would LOVE if W7 just worked! People here are blaming FR and I'm
> trying to convince them it has nothing to do with it, but since the
> MSCHAP challenges / responses are hashed I can't PROVE it to them.
>
> I have FR debugs of a working auth and a rejected auth. I'd like to
> "unhash" the MSCHAP stuff to see in clear text what's getting sent
> back and forth so I can get a better idea of why the request is being
> rejected.

That isn't really how it works. MS-CHAP is a (reasonably) cryptographically secure protocol. You can't go backwards from:

  MS-CHAP-Challenge = xxx
  MS-CHAP2-Response = yyy

...to anything meaningful.

You *can* check that a given response is valid for a given challenge, if you know the password or nt hash.
Re: Authentication issues with Win7 and WPA/WPA2 Enterprise
On 18/05/11 17:10, Gary Gatten wrote:
> I would LOVE if W7 just worked! People here are blaming FR and I'm
> trying to convince them it has nothing to do with it, but since the
> MSCHAP challenges / responses are hashed I can't PROVE it to them.
>
> I have FR debugs of a working auth and a rejected auth. I'd like to
> "unhash" the MSCHAP stuff to see in clear text what's getting sent
> back and forth so I can get a better idea of why the request is being
> rejected.

That isn't really how it works. MS-CHAP is a (reasonably) cryptographically secure protocol. You can't go backwards from:

  MS-CHAP-Challenge = xxx
  MS-CHAP2-Response = yyy

...to anything meaningful.

You *can* check that a given response is valid for a given challenge, if you know the password or nt hash.
RE: Authentication issues with Win7 and WPA/WPA2 Enterprise
I don't recall doing anything with server certs either - but this was LONG ago. Plus, you are FAR more knowledgeable than I in these matters so I defer to you and stand corrected.

The next sound you hear is my tail dragging on the ground as I walk away, head down, in shame

-----Original Message-----
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On Behalf Of Phil Mayers
Sent: Wednesday, May 18, 2011 11:10 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

On 18/05/11 16:59, Gary Gatten wrote:
> One point of clarification:
>
> "PEAP uses TLS. PEAP needs certs too."
>
> Not *all* peap uses TLS and hence needs certs. The MS PEAP/MSCHAPv2 is a
> common example.

Incorrect. PEAP *requires* a server certificate. The client does not need one.
RE: Authentication issues with Win7 and WPA/WPA2 Enterprise
I would LOVE if W7 just worked! People here are blaming FR and I'm trying to convince them it has nothing to do with it, but since the MSCHAP challenges / responses are hashed I can't PROVE it to them.

I have FR debugs of a working auth and a rejected auth. I'd like to "unhash" the MSCHAP stuff to see in clear text what's getting sent back and forth so I can get a better idea of why the request is being rejected.

G

-----Original Message-----
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On Behalf Of Phil Mayers
Sent: Wednesday, May 18, 2011 11:01 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

On 18/05/11 16:50, Gary Gatten wrote:
> I can't comment on your problem right now, but be aware there seem to
> be MANY issues with Windows 7. Our config works PERFECT with XP,
> Apple IOS, and other "basic" stuff. When we started testing Windows
> 7 (WPA2 Enterprise) we ran into all kinds of weirdness. And just
> when we think we have a working config and have a few users start
> testing it breaks.
>
> The web is littered with people having problems with Windows 7. I'm
> convinced the W7 Supplicant is really broken. In our environment FR
> doesn't even see the PEAP, just an MSCHAP, and that even fails!

We have no problems with Windows 7. It works just fine. There don't seem to be significant differences between it and Windows XP SP3 from our point of view.

> Anyway... Maybe if someone knows of a tool to dehash/decrypt the
> MSCHAP stuff I could actually see what's different in the requests
> between a working auth and a rejected auth. Right now we're grasping
> at straws and can't figure out why MS is essentially doing nothing
> about this...

Can you be more specific about what kind of "script" you want? I've got a bunch of python tools I use for testing here.
Re: Authentication issues with Win7 and WPA/WPA2 Enterprise
On 18/05/11 16:59, Gary Gatten wrote:
> One point of clarification:
>
> "PEAP uses TLS. PEAP needs certs too."
>
> Not *all* peap uses TLS and hence needs certs. The MS PEAP/MSCHAPv2 is a
> common example.

Incorrect. PEAP *requires* a server certificate. The client does not need one.
Re: Authentication issues with Win7 and WPA/WPA2 Enterprise
On 18/05/11 16:50, Gary Gatten wrote:
> I can't comment on your problem right now, but be aware there seem to
> be MANY issues with Windows 7. Our config works PERFECT with XP,
> Apple IOS, and other "basic" stuff. When we started testing Windows
> 7 (WPA2 Enterprise) we ran into all kinds of weirdness. And just
> when we think we have a working config and have a few users start
> testing it breaks.
>
> The web is littered with people having problems with Windows 7. I'm
> convinced the W7 Supplicant is really broken. In our environment FR
> doesn't even see the PEAP, just an MSCHAP, and that even fails!

We have no problems with Windows 7. It works just fine. There don't seem to be significant differences between it and Windows XP SP3 from our point of view.

> Anyway... Maybe if someone knows of a tool to dehash/decrypt the
> MSCHAP stuff I could actually see what's different in the requests
> between a working auth and a rejected auth. Right now we're grasping
> at straws and can't figure out why MS is essentially doing nothing
> about this...

Can you be more specific about what kind of "script" you want? I've got a bunch of python tools I use for testing here.
RE: Authentication issues with Win7 and WPA/WPA2 Enterprise
One point of clarification:

"PEAP uses TLS. PEAP needs certs too."

Not *all* peap uses TLS and hence needs certs. The MS PEAP/MSCHAPv2 is a common example.

G

-----Original Message-----
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On Behalf Of Phil Mayers
Sent: Wednesday, May 18, 2011 10:52 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

On 18/05/11 16:26, Simon L. wrote:
> Using WPA2-Enterprise results in Access-Rejects after one Request.

That is not normal. WPA2 should be the same as WPA at the radius level.

> Using WPA-Enterprise results in about nine different Access-Challenges
> and one final Access-Accept - that can't be right.

That is normal. EAP exchanges are usually 9/10 request/challenge pairs followed by a final request/accept.

What exactly is your problem?

> I have set up a testing scenario with the local test user bob. If local
> authentication works properly I want to proxy all requests without EAP
> to another freeradius server. I will have questions to that later :)
>
> radtest from localhost and remotehost succeeded.

Sorry - radtest does not do EAP. radtest is not a valid test.

> I don't get a clue if the problem is Windows, certificates, network or
> simply misconfigured freeradius.

You haven't told us what the problem is. WPA-Enterprise is working for you - the radius server is sending an access-accept.

What problem are you experiencing?

> certificates:
> - I build the certs with and without that windows extension OID in
> server.cnf with make from ../raddb/certs

Why? You MUST include the OID.

> - 2048 bit
>
> Windows 7:
> - installed ca.der as root cert in win7 and configured it for the
> desired WiFi network
> - for my eyes no difference in debug logs if validate server cert or not.

"Validate server cert" is done on the client. You won't see any difference on the server.

> - unchecked using windows user or domain for auth
> - EAP comes with PEAP/MSCHAPv2 as default - but the certs are for
> eap-tls right?

PEAP uses TLS. PEAP needs certs too.

> WAP:
> - WPA2 Enterprise with AES no accept packet possible until now

As above - that's not normal. The debug you sent contains no reject. Please send a debug for this case.

> - WPA Enterprise with AES results in that 9-times Challenges until accept

As above - this is normal

Access-Accept means everything is working. If you are still having problems after the Access-Accept, you need to describe what those problems are.
Re: Authentication issues with Win7 and WPA/WPA2 Enterprise
On 18/05/11 16:26, Simon L. wrote:

> Using WPA2-Enterprise results in Access-Rejects after one Request.

That is not normal. WPA2 should be the same as WPA at the radius level.

> Using WPA-Enterprise results in about nine different Access-Challenges
> and one final Access-Accept - that can't be right.

That is normal. EAP exchanges are usually 9/10 request/challenge pairs followed by a final request/accept.

What exactly is your problem?

> I have set up a testing scenario with the local test user bob. If local
> authentication works properly I want to proxy all requests without EAP
> to another freeradius server. I will have questions to that later :)
> radtest from localhost and remotehost succeeded.

Sorry - radtest does not do EAP. radtest is not a valid test.

> I don't get a clue if the problem is Windows, certificates, network or
> simply misconfigured freeradius.

You haven't told us what the problem is. WPA-Enterprise is working for you - the radius server is sending an access-accept. What problem are you experiencing?

> certificates:
> - I built the certs with and without that windows extension OID in
> server.cnf with make from ../raddb/certs

Why? You MUST include the OID.

> - 2048 bit
>
> Windows 7:
> - installed ca.der as root cert in win7 and configured it for the
> desired WiFi network
> - for my eyes no difference in debug logs if validate server cert or not.

"Validate server cert" is done on the client. You won't see any difference on the server.

> - unchecked using windows user or domain for auth
> - EAP comes with PEAP/MSCHAPv2 as default - but the certs are for
> eap-tls right?

PEAP uses TLS. PEAP needs certs too.

> WAP:
> - WPA2 Enterprise with AES no accept packet possible until now

As above - that's not normal. The debug you sent contains no reject. Please send a debug for this case.

> - WPA Enterprise with AES results in that 9-times Challenges until accept

As above - this is normal. Access-Accept means everything is working.

If you are still having problems after the Access-Accept, you need to describe what those problems are.
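The reply above gives three rules of thumb for reading a radiusd -X log: an EAP conversation is roughly nine Access-Challenge rounds followed by an Access-Accept, a reject after a single request is not normal, and radtest sends PAP rather than EAP so it proves nothing about 802.1X. The script below is an added example (not from the thread or from FreeRADIUS) that pairs each Access-Request in the debug output with the reply sent for it and applies those rules; the line shapes follow FreeRADIUS 2.x debug output and the sample log is constructed, not a capture from the thread.

```python
import re

RECV = re.compile(r"^rad_recv: Access-Request packet from host (\S+) port (\d+), id=(\d+)")
SEND = re.compile(r"^Sending Access-(Challenge|Accept|Reject) of id (\d+) to (\S+) port (\d+)")
ATTR = re.compile(r"^\s+(\S+) = (.*)$")

def summarize(log_text):
    """Fold request/reply pairs into per-(client, port, user) conversations."""
    done, open_convs, req = [], {}, None
    for line in log_text.splitlines():
        if m := RECV.match(line):
            req = {"host": m.group(1), "port": m.group(2), "attrs": {}}
        elif (m := ATTR.match(line)) and req is not None:
            req["attrs"][m.group(1)] = m.group(2)        # attributes of the pending request
        elif (m := SEND.match(line)) and req is not None:
            user = req["attrs"].get("User-Name", "?").strip('"')
            key = (req["host"], req["port"], user)
            conv = open_convs.setdefault(key, {"user": user, "client": req["host"],
                                               "challenges": 0, "eap": False, "result": None})
            conv["eap"] |= "EAP-Message" in req["attrs"]  # PAP (radtest) never carries this
            if m.group(1) == "Challenge":
                conv["challenges"] += 1
            else:                                           # Accept/Reject closes the conversation
                conv["result"] = m.group(1)
                done.append(open_convs.pop(key))
            req = None
    return done + list(open_convs.values())

def verdict(conv):
    """Rules of thumb from the thread applied to one conversation."""
    if not conv["eap"]:
        return "non-EAP request (radtest/PAP): proves nothing about 802.1X"
    if conv["result"] == "Accept":
        return f"normal EAP exchange: {conv['challenges']} challenges, then Access-Accept"
    return f"EAP {conv['result'] or 'unfinished'} after {conv['challenges']} challenge rounds"

def constructed_log():
    """Three conversations in radiusd -X style, constructed for this example."""
    out = []
    def request(host, port, rid, user, attr):
        out.append(f"rad_recv: Access-Request packet from host {host} port {port}, id={rid}, length=0")
        out.extend([f'\tUser-Name = "{user}"', f"\t{attr}"])
    for rid in range(10):                                   # PEAP: 9 challenges, then accept
        request("10.0.73.1", 1024, rid, "bob", f"EAP-Message = 0x02{rid:02x}00060d00")
        out.append(f"Sending Access-{'Challenge' if rid < 9 else 'Accept'} of id {rid} to 10.0.73.1 port 1024")
    request("10.0.73.1", 1025, 0, "alice", "EAP-Message = 0x02000008616c696365")  # rejected at once
    out.append("Sending Access-Reject of id 0 to 10.0.73.1 port 1025")
    request("127.0.0.1", 33000, 7, "bob", 'User-Password = "hello"')           # radtest, plain PAP
    out.append("Sending Access-Accept of id 7 to 127.0.0.1 port 33000")
    return "\n".join(out)
```

Run `summarize(open("debug.log").read())` on a real `radiusd -X` capture and print `verdict()` for each entry to see at a glance which conversations are EAP, how many rounds they took and how they ended.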
RE: Authentication issues with Win7 and WPA/WPA2 Enterprise
I can't comment on your problem right now, but be aware there seem to be MANY issues with Windows 7. Our config works PERFECT with XP, Apple IOS, and other "basic" stuff. When we started testing Windows 7 (WPA2 Enterprise) we ran into all kinds of weirdness. And just when we think we have a working config and have a few users start testing, it breaks. The web is littered with people having problems with Windows 7. I'm convinced the W7 supplicant is really broken. In our environment FR doesn't even see the PEAP, just an MSCHAP, and that even fails!

Anyway... Maybe if someone knows of a tool to dehash/decrypt the MSCHAP stuff I could actually see what's different in the requests between a working auth and a rejected auth. Right now we're grasping at straws and can't figure out why MS is essentially doing nothing about this...

G

-----Original Message-----
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On Behalf Of Simon L.
Sent: Wednesday, May 18, 2011 10:27 AM
To: FreeRadius users mailing list
Subject: Authentication issues with Win7 and WPA/WPA2 Enterprise

Dear Users,

I hope you will be patient with me, it's my first time with freeradius. I have problems authenticating Windows 7 clients with freeradius.

Using WPA2-Enterprise results in Access-Rejects after one Request. Using WPA-Enterprise results in about nine different Access-Challenges and one final Access-Accept - that can't be right.

I have set up a testing scenario with the local test user bob. If local authentication works properly I want to proxy all requests without EAP to another freeradius server. I will have questions to that later :)

radtest from localhost and remotehost succeeded.

Setting:
Win7_Client<-WLAN->WAP LinksysWRT54gl<--MPLS-Network over PPPoE--->FreeRADIUS_proxy(<>FreeRADIUS_main)
Windows 7
dd-wrt v24 SP2
Ubuntu Server 10.4.2, freeradius 2.1.10 generic
10.73.108.254
internal: 10.0.73.1
external: 213.x.x.x

I don't get a clue if the problem is Windows, certificates, network or simply misconfigured freeradius.

certificates:
- I built the certs with and without that windows extension OID in server.cnf with make from ../raddb/certs
- 2048 bit

Windows 7:
- installed ca.der as root cert in win7 and configured it for the desired WiFi network
- for my eyes no difference in debug logs if validate server cert or not.
- unchecked using windows user or domain for auth
- EAP comes with PEAP/MSCHAPv2 as default - but the certs are for eap-tls right?

WAP:
- WPA2 Enterprise with AES no accept packet possible until now
- WPA Enterprise with AES results in that 9-times Challenges until accept

freeRADIUS:
- compiled with installed openSSL dev lib
- default config as it comes out of the box, except: added user bob with cleartext password in users, added the WAP as client in clients.conf, changed default_eap_type = "peap" and private_key_password = "MYSECRET_FROM_SERVER_CERT" in eap.conf

For configuration and stuff please look at the attached debug.log from running radiusd -X. debug.log contains the output of radiusd -X with Access-Requests over WPA-Enterprise.

I hope you got a hint for me. Thanks!

Simon

"This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system."
