Re: FreeRadius/eDirectory/802.1X authentication issue
> See why I say I don't know a whole lot about how all this works?? :) So it sounds like I don't even need LDAP, but it's helpful for at least

I know it is possible to use EAP-TLS, and then use some attribute from the certificate and query LDAP about it. If that's the case in your configuration, you should be able to see that from the config files in your $raddb directory. You can post the config if you have questions.

Matt

On Wed, Jun 11, 2008 at 6:44 PM, Newall, Bryce [EMAIL PROTECTED] wrote:
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED]] On Behalf Of Alan DeKok
> Sent: Wednesday, June 11, 2008 10:30 AM
> To: FreeRadius users mailing list
> Subject: Re: FreeRadius/eDirectory/802.1X authentication issue
>
>>> We need to have FreeRADIUS speak LDAP with Novell eDirectory, and be able to authenticate wireless clients using EAP-TLS (or even EAP-TTLS, but we're using TLS right now).
>>
>> Er... EAP-TLS means that it won't normally do user lookups in LDAP.
>
> See why I say I don't know a whole lot about how all this works?? :) So it sounds like I don't even need LDAP, but it's helpful for at least testing the RADIUS configuration with a program like NTRadPing to make sure it's working correctly before jumping into the EAP-TLS setup.
>
>> And you should upgrade to 2.0.5. It makes 1.1.0 look as bad as IAS.
>
> SLES 10 SP2 still ships with FreeRADIUS 1.1.0. Go figure.
>
> Any suggestions as to where to find some good HOWTO docs? I went through the FreeRADIUS Wiki, but it wasn't very complete.
>
> Thanks!
>
> Bryce Newall
> Systems Administrator
> Poway Unified School District
> (858) 679-2576
> [EMAIL PROTECTED]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: FreeRadius/eDirectory/802.1X authentication issue
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Wednesday, June 11, 2008 1:14 PM
To: FreeRadius users mailing list
Subject: Re: FreeRadius/eDirectory/802.1X authentication issue

> Newall, Bryce wrote:
>> See why I say I don't know a whole lot about how all this works?? :) So it sounds like I don't even need LDAP, but it's helpful for at least testing the RADIUS configuration with a program like NTRadPing to make sure it's working correctly before jumping into the EAP-TLS setup.
>
> Yes.

Dumb question perhaps, but without configuring LDAP, how does EAP-TLS know where to send authentication requests?

Bryce Newall
Systems Administrator
Poway Unified School District
(858) 679-2576
[EMAIL PROTECTED]
RE: FreeRadius/eDirectory/802.1X authentication issue
> Dumb question perhaps, but without configuring LDAP, how does EAP-TLS know where to send authentication requests?

EAP-TLS is certificate based authentication. All you need in order to get authenticated is a valid certificate. Do you mean authorization?

Ivan Kalik
Kalik Informatika ISP
RE: FreeRadius/eDirectory/802.1X authentication issue
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED]] On Behalf Of Ivan Kalik
Sent: Thursday, June 12, 2008 12:20 PM
To: FreeRadius users mailing list
Subject: RE: FreeRadius/eDirectory/802.1X authentication issue

>> Dumb question perhaps, but without configuring LDAP, how does EAP-TLS know where to send authentication requests?
>
> EAP-TLS is certificate based authentication. All you need in order to get authenticated is a valid certificate. Do you mean authorization?

Ahh, your answer just made our current RADIUS configuration more understandable to me! As I may have mentioned, I inherited this setup from someone else who left the district. The way it is currently working, we do not have to install certificates on a laptop. The "Validate server certificate" option on our laptops' wireless configuration is turned off. The idea was to keep it as simple as possible for users, yet maintain some semblance of security.

Apparently, the way we're doing it right now is using EAP-TLS with PEAP authentication, which is passing the user's credentials through an encrypted tunnel to the RADIUS server, which is in turn passing the credentials through to eDirectory via LDAP. At least, I *think* I'm explaining that correctly. :)

I'd like to maintain that setup with FreeRADIUS 2.0.5, but I'm still having a hard time following the configuration and authentication path with the current 1.1.0 setup.

Thanks!

Bryce Newall
Systems Administrator
Poway Unified School District
(858) 679-2576
[EMAIL PROTECTED]
Re: FreeRadius/eDirectory/802.1X authentication issue
Hi,

> No, it's not. The laptop is not storing the password; it's using the login credentials each time. The "Use Windows login credentials" (or whatever it's called; can't remember off the top of my head) option is checked. In fact, if I un-check it and have Windows prompt me for the credentials, then the authentication works properly! (With or without the domain name.) And it's the same username/password that I use to log on to the laptop. It's very strange that it works fine when I have Windows prompt for the credentials, but won't when I have it use the login credentials.

That's because it IS cached - it gets cached in a different HIVE area. Still an EAPOL though. This is proved by what you've just stated. Run a regedit and look for lurking EAPOL. The RADIUS logs don't lie.

alan
RE: FreeRadius/eDirectory/802.1X authentication issue
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, June 10, 2008 11:08 PM
To: FreeRadius users mailing list
Subject: Re: FreeRadius/eDirectory/802.1X authentication issue

> Hi,
>
>> on to the laptop. It's very strange that it works fine when I have Windows prompt for the credentials, but won't when I have it use the login credentials.
>
> That's because it IS cached - it gets cached in a different HIVE area. Still an EAPOL though. This is proved by what you've just stated. Run a regedit and look for lurking EAPOL. The RADIUS logs don't lie.

I'll take another look if I can get my hands on the laptop again. But it still doesn't make sense that a different user (me) has no problem logging in. Plus, these laptops were brand new, and when I tested User3's account on User2's laptop and vice versa, I had the same problem. That was the first time either user had logged in to the other's laptop, and I know I logged in with the correct password; otherwise, I wouldn't have been able to log in to Novell or Windows. Yet, they would still fail to authenticate wirelessly.

I'm convinced that it has SOMETHING to do with how Windows is passing the credentials through to FreeRadius, rather than a FreeRadius problem; I'm just not sure where to troubleshoot.

Bryce Newall
Systems Administrator
Poway Unified School District
(858) 679-2576
[EMAIL PROTECTED]
Re: FreeRadius/eDirectory/802.1X authentication issue
Newall, Bryce wrote:
> I'm convinced that it has SOMETHING to do with how Windows is passing the credentials through to FreeRadius, rather than a FreeRadius problem; I'm just not sure where to troubleshoot.

You'll know from reading this list where *my* biases are.

For most problem interactions with external devices, it's usually the external devices that are buggy. For behavior that's internal to the server, it's often administrator misconfiguration. For some rare cases, it's a FreeRADIUS bug.

Alan DeKok.
Re: FreeRadius/eDirectory/802.1X authentication issue
On Tue, Jun 10, 2008 at 07:32:45PM -0700, Newall, Bryce wrote:
> login credentials each time. The "Use Windows login credentials" (or whatever it's called; can't remember off the top of my head) option is checked. In fact, if I un-check it and have Windows prompt me for the credentials, then the authentication works properly! (With or without

Reset the user's profile. We've had the same problem here and that fixed it.

> the domain name.) And it's the same username/password that I use to log on to the laptop. It's very strange that it works fine when I have Windows prompt for the credentials, but won't when I have it use the login credentials.
>
> Bryce Newall
> Systems Administrator
> Poway Unified School District
> (858) 679-2576
> [EMAIL PROTECTED]
RE: FreeRadius/eDirectory/802.1X authentication issue
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED]] On Behalf Of Phil Mayers
Sent: Wednesday, June 11, 2008 2:00 AM
To: FreeRadius users mailing list
Subject: Re: FreeRadius/eDirectory/802.1X authentication issue

> On Tue, Jun 10, 2008 at 07:32:45PM -0700, Newall, Bryce wrote:
>> login credentials each time. The "Use Windows login credentials" (or whatever it's called; can't remember off the top of my head) option is checked. In fact, if I un-check it and have Windows prompt me for the credentials, then the authentication works properly! (With or without
>
> Reset the user's profile. We've had the same problem here and that fixed it.

Tried that first thing; no luck, unfortunately. And again, these were brand new laptops with brand new profiles, so that shouldn't have mattered, but I did it anyway just to be safe.

I am looking into setting up a test RADIUS server with FreeRADIUS 2.0.5, since the current server is running 1.1.0. As I mentioned before, though, I don't know a lot about RADIUS, and would love to find some HOW-TO's to help me make it work. We need to have FreeRADIUS speak LDAP with Novell eDirectory, and be able to authenticate wireless clients using EAP-TLS (or even EAP-TTLS, but we're using TLS right now).

Bryce Newall
Systems Administrator
Poway Unified School District
(858) 679-2576
[EMAIL PROTECTED]
Re: FreeRadius/eDirectory/802.1X authentication issue
Newall, Bryce wrote:
> I am looking into setting up a test RADIUS server with FreeRADIUS 2.0.5, since the current server is running 1.1.0. As I mentioned before, though, I don't know a lot about RADIUS, and would love to find some HOW-TO's to help me make it work.

As would I.

This isn't a RADIUS thing. It's a Windows thing. FreeRADIUS is at the mercy of the Windows system, which is doing weird things. And that's not just me blaming everything on other people's software. There's really no other conclusion possible from your description.

> We need to have FreeRADIUS speak LDAP with Novell eDirectory, and be able to authenticate wireless clients using EAP-TLS (or even EAP-TTLS, but we're using TLS right now).

Er... EAP-TLS means that it won't normally do user lookups in LDAP.

And you should upgrade to 2.0.5. It makes 1.1.0 look as bad as IAS.

Alan DeKok.
RE: FreeRadius/eDirectory/802.1X authentication issue
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Wednesday, June 11, 2008 10:30 AM
To: FreeRadius users mailing list
Subject: Re: FreeRadius/eDirectory/802.1X authentication issue

>> We need to have FreeRADIUS speak LDAP with Novell eDirectory, and be able to authenticate wireless clients using EAP-TLS (or even EAP-TTLS, but we're using TLS right now).
>
> Er... EAP-TLS means that it won't normally do user lookups in LDAP.

See why I say I don't know a whole lot about how all this works?? :) So it sounds like I don't even need LDAP, but it's helpful for at least testing the RADIUS configuration with a program like NTRadPing to make sure it's working correctly before jumping into the EAP-TLS setup.

> And you should upgrade to 2.0.5. It makes 1.1.0 look as bad as IAS.

SLES 10 SP2 still ships with FreeRADIUS 1.1.0. Go figure.

Any suggestions as to where to find some good HOWTO docs? I went through the FreeRADIUS Wiki, but it wasn't very complete.

Thanks!

Bryce Newall
Systems Administrator
Poway Unified School District
(858) 679-2576
[EMAIL PROTECTED]
Re: FreeRadius/eDirectory/802.1X authentication issue
Newall, Bryce wrote:
> See why I say I don't know a whole lot about how all this works?? :) So it sounds like I don't even need LDAP, but it's helpful for at least testing the RADIUS configuration with a program like NTRadPing to make sure it's working correctly before jumping into the EAP-TLS setup.

Yes.

>> And you should upgrade to 2.0.5. It makes 1.1.0 look as bad as IAS.
>
> SLES 10 SP2 still ships with FreeRADIUS 1.1.0. Go figure.
>
> Any suggestions as to where to find some good HOWTO docs? I went through the FreeRADIUS Wiki, but it wasn't very complete.

The configuration files that the server comes with are pretty complete.

To be honest, it's pretty much impossible to write any good HOWTO's for RADIUS. With tiny edits (as documented and explained in the configs), the default configuration works with PAP, CHAP, MS-CHAP, Digest, EAP-MD5, EAP-MSCHAPv2, PEAP, EAP-TTLS. Follow the explanations in the config files, and add support for LDAP, SQL, ...

Any HOWTO will be not much more than "read the config files, and follow their instructions".

Alan DeKok.
Re: FreeRadius/eDirectory/802.1X authentication issue
> rlm_mschap: Told to do MS-CHAPv2 for UserB with NT-Password
> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

(Cached) password for that user on that laptop is wrong. Changing that wrong password will require a bit of registry hacking:

http://support.microsoft.com/default.aspx?scid=kb;en-us;823731

Ivan Kalik
Kalik Informatika ISP
RE: FreeRadius/eDirectory/802.1X authentication issue
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED]] On Behalf Of Ivan Kalik
Sent: Tuesday, June 10, 2008 5:35 PM
To: FreeRadius users mailing list
Subject: Re: FreeRadius/eDirectory/802.1X authentication issue

>> rlm_mschap: Told to do MS-CHAPv2 for UserB with NT-Password
>> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>
> (Cached) password for that user on that laptop is wrong.

No, it's not. The laptop is not storing the password; it's using the login credentials each time. The "Use Windows login credentials" (or whatever it's called; can't remember off the top of my head) option is checked. In fact, if I un-check it and have Windows prompt me for the credentials, then the authentication works properly! (With or without the domain name.) And it's the same username/password that I use to log on to the laptop. It's very strange that it works fine when I have Windows prompt for the credentials, but won't when I have it use the login credentials.

Bryce Newall
Systems Administrator
Poway Unified School District
(858) 679-2576
[EMAIL PROTECTED]