Re: Freeradius PEAP Problems
Lionel Gavage [EMAIL PROTECTED] wrote:
> Even with this option, the problem is always present! An idea?

<shrug> Buy a better client?

The tunneled session MUST include an EAP-Identity packet, which is where the user name comes from. If the client doesn't send it, don't complain that FreeRADIUS is broken. Fix the client.

The user name is REQUIRED for MS-CHAP, which is what PEAP uses inside of the TLS tunnel. Any client that doesn't send a user name is broken.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius PEAP Problems
Lionel Gavage [EMAIL PROTECTED] wrote:
> I use FreeRadius snapshot 20040129 with EAP/TLS, EAP/TTLS and EAP/PEAP.
> I try to set up PEAP/MS-CHAPv2 but I have the error
> "rlm_mschap: We require a User-Name for MS-CHAPv2".
> However, I am sending a login/pass correctly. I use Aegis Client under Windows XP.

Look again. The tunneled authentication session doesn't have a username.

You can set copy_request_to_tunnel = yes in the PEAP module. That should help.

Alan DeKok.
RE: Freeradius PEAP Problems
Even with this option, the problem is always present! An idea?

Lionel Gavage

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Alan DeKok
Sent: Monday 9 February 2004 16:45
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems

Lionel Gavage [EMAIL PROTECTED] wrote:
> I use FreeRadius snapshot 20040129 with EAP/TLS, EAP/TTLS and EAP/PEAP.
> I try to set up PEAP/MS-CHAPv2 but I have the error
> "rlm_mschap: We require a User-Name for MS-CHAPv2".
> However, I am sending a login/pass correctly. I use Aegis Client under Windows XP.

Look again. The tunneled authentication session doesn't have a username.

You can set copy_request_to_tunnel = yes in the PEAP module. That should help.

Alan DeKok.
Re: Freeradius PEAP Problems
Sorry Lionel!!! Another question.

I have changed my radiusd.conf and I have activated the TTLS module. But now, there are two modules activated, is it a problem?

eap {
    default_eap_type = tls    !!
    timer_expire = 60
    #md5 {
    #}
    tls {
        private_key_password = izadisan
        private_key_file = /usr/local/openssl/ssl/certs/server/server.pem
        certificate_file = /usr/local/openssl/ssl/certs/server/server.pem
        CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt
        dh_file = /usr/local/openssl/ssl/certs/dh
        random_file = /usr/local/openssl/ssl/certs/random
        fragment_size = 600
        include_length = yes
    }
    ttls {
        default_eap_type = md5    !
        use_tunneled_reply = no
    }
}

Is it correct?

My freeRADIUS is 0.8.1; does TTLS run with this version?
For default_eap_type, is only the md5 value possible?

Thanks again Lionel

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

----- Original Message -----
From: Lionel Gavage [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, February 09, 2004 4:59 PM
Subject: RE: Freeradius PEAP Problems

Activated the TTLS module:

ttls {
    default_eap_type = md5
    use_tunneled_reply = no
}

and it's all.

Lionel Gavage

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of José Luis Solano
Sent: Monday 9 February 2004 17:03
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems

Hi Lionel!!

I would need your help because I use EAP-TLS, EAP-TTLS and PEAP. The first one, TLS, runs OK, but TTLS and PEAP don't run OK. My first target now is to run TTLS and I will run PEAP after. So, can you help me please?

Currently, my radiusd.conf is:

# Extensible Authentication Protocol
#
#  For all EAP related authentications
eap {
    # Invoke the default supported EAP type when
    # EAP-Identity response is received
    default_eap_type = tls

    # Default expiry time to clean the EAP list,
    # It is maintained to co-relate the
    # EAP-response for each EAP-request sent.
    timer_expire = 60

    # Supported EAP-types
    #md5 {
    #}

    ## EAP-TLS is highly experimental EAP-Type at the moment.
    # Please give feedback on the mailing list.
    tls {
        private_key_password = izadisan
        private_key_file = /usr/local/openssl/ssl/certs/server/server.pem

        # If Private key & Certificate are located in the
        # same file, then private_key_file & certificate_file
        # must contain the same file name.
        certificate_file = /usr/local/openssl/ssl/certs/server/server.pem

        # Trusted Root CA list
        CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt

        dh_file = /usr/local/openssl/ssl/certs/dh
        random_file = /usr/local/openssl/ssl/certs/random
        #
        # This can never exceed MAX_RADIUS_LEN (4096)
        # preferably half the MAX_RADIUS_LEN, to
        # accommodate other attributes in RADIUS packet.
        # On most APs the MAX packet length is configured
        # between 1500 - 1600. In these cases, fragment
        # size should be <= 1024.
        #
        fragment_size = 600

        # include_length is a flag which is by default set to yes
        # If set to yes, Total Length of the message is included
        # in EVERY packet we send.
        # If set to no, Total Length of the message is included
        # ONLY in the First packet of a fragment series.
        #
        include_length = yes
    }
}

--

What changes do I need to use TTLS?

Thanks in advance Lionel!!!

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

----- Original Message -----
From: Lionel Gavage [EMAIL PROTECTED]
To: freeradius-users [EMAIL PROTECTED]
Sent: Monday, February 09, 2004 4:23 PM
Subject: Freeradius PEAP Problems

Hi, I
RE: Freeradius PEAP Problems
Hi José,

I use a freeradius snapshot because TTLS isn't in the rpm package. You must have the TLS module to use the TTLS module.

The directive default_eap_type (in the EAP module) must be fixed at tls. It's right.
And the default_eap_type (in the TTLS module) to md5. It's right too.

I can send my config file to you if you want.

Lionel Gavage

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of José Luis Solano
Sent: Monday 9 February 2004 17:32
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems

Sorry Lionel!!! Another question.

I have changed my radiusd.conf and I have activated the TTLS module. But now, there are two modules activated, is it a problem?

eap {
    default_eap_type = tls    !!
    timer_expire = 60
    #md5 {
    #}
    tls {
        private_key_password = izadisan
        private_key_file = /usr/local/openssl/ssl/certs/server/server.pem
        certificate_file = /usr/local/openssl/ssl/certs/server/server.pem
        CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt
        dh_file = /usr/local/openssl/ssl/certs/dh
        random_file = /usr/local/openssl/ssl/certs/random
        fragment_size = 600
        include_length = yes
    }
    ttls {
        default_eap_type = md5    !
        use_tunneled_reply = no
    }
}

Is it correct?

My freeRADIUS is 0.8.1; does TTLS run with this version?
For default_eap_type, is only the md5 value possible?

Thanks again Lionel

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

----- Original Message -----
From: Lionel Gavage [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, February 09, 2004 4:59 PM
Subject: RE: Freeradius PEAP Problems

Activated the TTLS module:

ttls {
    default_eap_type = md5
    use_tunneled_reply = no
}

and it's all.

Lionel Gavage

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of José Luis Solano
Sent: Monday 9 February 2004 17:03
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems

Hi Lionel!!

I would need your help because I use EAP-TLS, EAP-TTLS and PEAP. The first one, TLS, runs OK, but TTLS and PEAP don't run OK. My first target now is to run TTLS and I will run PEAP after. So, can you help me please?

Currently, my radiusd.conf is:

# Extensible Authentication Protocol
#
#  For all EAP related authentications
eap {
    # Invoke the default supported EAP type when
    # EAP-Identity response is received
    default_eap_type = tls

    # Default expiry time to clean the EAP list,
    # It is maintained to co-relate the
    # EAP-response for each EAP-request sent.
    timer_expire = 60

    # Supported EAP-types
    #md5 {
    #}

    ## EAP-TLS is highly experimental EAP-Type at the moment.
    # Please give feedback on the mailing list.
    tls {
        private_key_password = izadisan
        private_key_file = /usr/local/openssl/ssl/certs/server/server.pem

        # If Private key & Certificate are located in the
        # same file, then private_key_file & certificate_file
        # must contain the same file name.
        certificate_file = /usr/local/openssl/ssl/certs/server/server.pem

        # Trusted Root CA list
        CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt

        dh_file = /usr/local/openssl/ssl/certs/dh
        random_file = /usr/local/openssl/ssl/certs/random
        #
        # This can never exceed MAX_RADIUS_LEN (4096)
        # preferably half the MAX_RADIUS_LEN, to
        # accommodate other attributes in RADIUS packet.
        # On most APs the MAX packet length is configured
        # between 1500 - 1600. In these cases, fragment
        # size should be <= 1024.
        #
        fragment_size = 600

        # include_length is a flag which is by default set to yes
        # If set to yes, Total Length of the message is included
        # in EVERY packet we send.
        # If set to no, Total Length of the message is included
        # ONLY in the First packet
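
An added example, not part of the original thread and not FreeRADIUS code: a small Python check for the dependencies discussed above (TTLS needs a configured tls section, and default_eap_type should name an enabled method). The parser, the function names and the rule that an inner default_eap_type must be an enabled sub-section are assumptions of this example; the sample config is constructed.

```python
TUNNELLED = ("ttls", "peap")  # EAP methods that run inside a TLS tunnel

def parse_sections(text):
    """Parse 'name { key = value }' blocks into nested dicts; '#' starts a comment."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):      # open a sub-section
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":           # close the current sub-section
            stack.pop()
        else:
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip()
    return stack[0]

def lint_eap(text):
    """Return dependency problems found in the eap { } section."""
    eap = parse_sections(text).get("eap", {})
    enabled = {k for k, v in eap.items() if isinstance(v, dict)}
    problems = []
    outer = eap.get("default_eap_type")
    if outer not in enabled:
        problems.append(f"eap: default_eap_type '{outer}' is not enabled")
    for name in TUNNELLED:
        if name not in enabled:
            continue
        if "tls" not in enabled:  # dependency stated in the thread
            problems.append(f"{name}: needs a configured tls section")
        inner = eap[name].get("default_eap_type")
        if inner is not None and inner not in enabled:  # assumption of this example
            problems.append(f"{name}: inner default_eap_type '{inner}' is not enabled")
    return problems

# Constructed sample, modelled on the layout posted in the thread.
SAMPLE = """
eap {
    default_eap_type = tls
    #md5 {
    #}
    tls {
    }
    ttls {
        default_eap_type = md5
    }
}
"""
```

Calling lint_eap(SAMPLE) reports that the inner md5 method is commented out; uncommenting the md5 { } section clears the report.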
Re: Freeradius PEAP Problems
Hi again and sorry if I ask you a lot!!

If you want to send me your radiusd.conf, it will be very good for me. So, please send me your file if it's possible.

See you later!!

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

----- Original Message -----
From: Lionel Gavage [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, February 09, 2004 5:31 PM
Subject: RE: Freeradius PEAP Problems

Hi José,

I use a freeradius snapshot because TTLS isn't in the rpm package. You must have the TLS module to use the TTLS module.

The directive default_eap_type (in the EAP module) must be fixed at tls. It's right.
And the default_eap_type (in the TTLS module) to md5. It's right too.

I can send my config file to you if you want.

Lionel Gavage

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of José Luis Solano
Sent: Monday 9 February 2004 17:32
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems

Sorry Lionel!!! Another question.

I have changed my radiusd.conf and I have activated the TTLS module. But now, there are two modules activated, is it a problem?

eap {
    default_eap_type = tls    !!
    timer_expire = 60
    #md5 {
    #}
    tls {
        private_key_password = izadisan
        private_key_file = /usr/local/openssl/ssl/certs/server/server.pem
        certificate_file = /usr/local/openssl/ssl/certs/server/server.pem
        CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt
        dh_file = /usr/local/openssl/ssl/certs/dh
        random_file = /usr/local/openssl/ssl/certs/random
        fragment_size = 600
        include_length = yes
    }
    ttls {
        default_eap_type = md5    !
        use_tunneled_reply = no
    }
}

Is it correct?

My freeRADIUS is 0.8.1; does TTLS run with this version?
For default_eap_type, is only the md5 value possible?

Thanks again Lionel

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

----- Original Message -----
From: Lionel Gavage [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, February 09, 2004 4:59 PM
Subject: RE: Freeradius PEAP Problems

Activated the TTLS module:

ttls {
    default_eap_type = md5
    use_tunneled_reply = no
}

and it's all.

Lionel Gavage

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of José Luis Solano
Sent: Monday 9 February 2004 17:03
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems

Hi Lionel!!

I would need your help because I use EAP-TLS, EAP-TTLS and PEAP. The first one, TLS, runs OK, but TTLS and PEAP don't run OK. My first target now is to run TTLS and I will run PEAP after. So, can you help me please?

Currently, my radiusd.conf is:

# Extensible Authentication Protocol
#
#  For all EAP related authentications
eap {
    # Invoke the default supported EAP type when
    # EAP-Identity response is received
    default_eap_type = tls

    # Default expiry time to clean the EAP list,
    # It is maintained to co-relate the
    # EAP-response for each EAP-request sent.
    timer_expire = 60

    # Supported EAP-types
    #md5 {
    #}

    ## EAP-TLS is highly experimental EAP-Type at the moment.
    # Please give feedback on the mailing list.
    tls {
        private_key_password = izadisan
        private_key_file = /usr/local/openssl/ssl/certs/server/server.pem

        # If Private key & Certificate are located in the
        # same file, then private_key_file & certificate_file
        # must contain the same file name.
        certificate_file = /usr/local/openssl/ssl/certs/server/server.pem

        # Trusted Root CA list
        CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt

        dh_file = /usr/local/openssl/ssl/certs/dh
        random_file = /usr/local/openssl/ssl/certs/random
        #
        # This can never exceed MAX_RADIUS_LEN (4096)
        # preferably half the MAX_RADIUS_LEN, to
        # accommodate other attributes in RADIUS packet
RE: Freeradius PEAP Problems
Sorry it doesn't work :(

Lionel Gavage

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Lionel Gavage
Sent: Monday 9 February 2004 17:48
To: [EMAIL PROTECTED]
Subject: RE: Freeradius PEAP Problems

Oki thks Alan, I found it thanks to you.

I added copy_request_to_tunnel = yes in the PEAP module and set default_eap_type = peap in EAP module to default_eap_type = tls

Thank you

Lionel Gavage
Network Engineer (SeGI/ULg)
Email: [EMAIL PROTECTED]
Tel: +32-4-3664845
Fax: +32-4-3662920
Bat. B26 SeGI

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Lionel Gavage
Sent: Monday 9 February 2004 17:19
To: [EMAIL PROTECTED]
Subject: RE: Freeradius PEAP Problems

I specified: default_eap_type = peap in EAP module ...

Lionel Gavage

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Lionel Gavage
Sent: Monday 9 February 2004 16:49
To: [EMAIL PROTECTED]
Subject: RE: Freeradius PEAP Problems

Even with this option, the problem is always present! An idea?

Lionel Gavage

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Alan DeKok
Sent: Monday 9 February 2004 16:45
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems

Lionel Gavage [EMAIL PROTECTED] wrote:
> I use FreeRadius snapshot 20040129 with EAP/TLS, EAP/TTLS and EAP/PEAP.
> I try to set up PEAP/MS-CHAPv2 but I have the error
> "rlm_mschap: We require a User-Name for MS-CHAPv2".
> However, I am sending a login/pass correctly. I use Aegis Client under Windows XP.

Look again. The tunneled authentication session doesn't have a username.

You can set copy_request_to_tunnel = yes in the PEAP module. That should help.

Alan DeKok.