Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory
Hi, have you found a solution or a workaround? I have the same problem you experienced. I configured freeradius to "talk" with LDAP on Mac, but at the end I realized that the clear-text password of the LDAP user isn't saved in the userPassword field. OpenDirectory doesn't use that field and implements the authentication through Kerberos. I've just recompiled freeradius with the rlm_opendirectory module enabled and now I'm experiencing the problem you were talking about... I suppose I have to install freeradius on the same machine as OpenDirectory. I'm pretty upset about it... it's a little odd. Have you got some useful information about it? Let me know, please.

Max

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Freeradius-PEAP-MSCHAPv2-against-Apple-OpenDirectory-tp2787113p4637821.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + PEAP/EAP-MSCHAPv2 + AD 2008
Hi,

> I've followed the following howto:
> [1]http://deployingradius.com/documents/configuration/active_directory.html
> and everything goes fine with the radtest, wbinfo, ntlm_auth and my user
> is correctly authenticated.

My first question is why so old a version of FreeRADIUS if you are only just starting out? 2.1.10 has a LOT of bug fixes compared to the very old 2.1.7 version... dated 14 September 2009, 2.1.7 came out before Windows 7 (*).

Win7 is also VERY fussy about certs. Have you installed the CA cert that your RADIUS server is signed with? I know you haven't ticked the validate button... but Win7 is fussy(!)

alan

(*) release to manufacturing was July 2009, release to retail was Oct 2009
Re: freeradius+peap+mschap+AD
Hi,

This is what I get.

--
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for usern...@domain.xx with NT-Password
[mschap] expand: %{Stripped-User-Name} -> username
[mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=username
[mschap] No NT-Domain was found in the User-Name.
[mschap] expand: %{mschap:NT-Domain} ->
[mschap] expand: --domain=%{%{mschap:NT-Domain}:-DOMAIN.XX} -> --domain=LNU.SE
[mschap] mschap2: 67
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=756cc36d609e7393
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=29dbc4dc525dd28cac668e57a0d85803996301a054d782fb
Exec-Program output: NT_KEY: A67F6D31D2596CD536AD173AE3DBD480
Exec-Program-Wait: plaintext: NT_KEY: A67F6D31D2596CD536AD173AE3DBD480
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
---

I'm using WPA2-enterprise (tried WPA-ent too). I've tried both PEAP/MSCHAPv2 and EAP-TTLS/MSCHAPv2 and the CA-cert is used on the client.

On 2010-04-26 15:37, Alan Buxey wrote:
> Hi,
>
>> Info: ++[mschap] returns ok
>> Debug: MSCHAP Success
>>
>> So i assume that the auth. against AD is OK
>
> not if you haven't done the EAP inner-tunnel stuff yet - unless you mean
> basic authorize has completed.
>
>> but then the inner tunnel does something
>
> well, it tries to
>
>> Mon Apr 26 12:32:15 2010 : Info: [peap] Got tunneled Access-Challenge
>> Mon Apr 26 12:32:15 2010 : Info: ++[eap] returns handled
>> Sending Access-Challenge of id 0 to 194.47.88.154 port 2051
>> EAP-Message = 0x0107005b19001703010050154c3b195ed5a3fa88fd21477529cf86ee7d1d98cf8eb918036ac8aa14cd6f8c66a1836e9ab27087ad7df766d20447dbce1247b6a9ccf6b4376d854978db210db60f9b3578592123a4c5d43a205e8f79
>> Message-Authenticator = 0x
>> State = 0x3b975d133d90441898602b7c0076958a
>
> it sends a challenge back to the NAS/AP - but nothing else is happening.
> so, either the NAS or the client. how have you got the AP set up? 802.1X or
> WPA-Enterprise? how is the client configured? to use PEAP/MSCHAPv2 or
> EAP-TTLS/MSCHAPv2?
> got the required certificate installed on the client?
>
> alan

--
Aniss Nazerian, IT-Department, Linnaeus University
Phone: +46-470-708183, E-mail: aniss.nazer...@vxu.se
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
Re: freeradius+peap+mschap+AD
Hi,

> Info: ++[mschap] returns ok
> Debug: MSCHAP Success
>
> So i assume that the auth. against AD is OK

not if you haven't done the EAP inner-tunnel stuff yet - unless you mean basic authorize has completed.

> but then the inner tunnel does something

well, it tries to

> Mon Apr 26 12:32:15 2010 : Info: [peap] Got tunneled Access-Challenge
> Mon Apr 26 12:32:15 2010 : Info: ++[eap] returns handled
> Sending Access-Challenge of id 0 to 194.47.88.154 port 2051
> EAP-Message = 0x0107005b19001703010050154c3b195ed5a3fa88fd21477529cf86ee7d1d98cf8eb918036ac8aa14cd6f8c66a1836e9ab27087ad7df766d20447dbce1247b6a9ccf6b4376d854978db210db60f9b3578592123a4c5d43a205e8f79
> Message-Authenticator = 0x
> State = 0x3b975d133d90441898602b7c0076958a

it sends a challenge back to the NAS/AP - but nothing else is happening. so, either the NAS or the client. how have you got the AP set up? 802.1X or WPA-Enterprise? how is the client configured? to use PEAP/MSCHAPv2 or EAP-TTLS/MSCHAPv2? got the required certificate installed on the client?

alan
Re: Freeradius + PEAP.. stuck on validating identity..
Bruno Kremel wrote:
> I am posting full log with first is radtest accepted and others are
> failed login from wifi client with 2 different accounts...
>
> FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Mar 29
> 2010 at 15:58:09

You should probably upgrade to 2.1.8. It has a lot of fixes && features over 2.0.4.

> server inner-tunnel {
> +- entering group authorize
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[unix] returns notfound
> rlm_realm: No '@' in User-Name = "123", looking up realm NULL
> rlm_realm: No such realm "NULL"
> ++[suffix] returns noop
> ++[control] returns noop
> rlm_eap: EAP packet type response id 8 length 62
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop

And no "sql". Edit raddb/sites-available/inner-tunnel, and add "sql" to the "authorize" section. It's already there, so you likely just have to uncomment it.

> rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
> rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
> rlm_mschap: Told to do MS-CHAPv2 for 123 with NT-Password
> rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

Yup. No "known good" password means no authentication.

You could also try:

http://networkradius.com/freeradius.html

This lets you cut && paste the debug output into a form. The response is a colorized HTML page indicating common errors, and things you should look into. It won't catch this problem, but it will highlight the fact that there was no "known good" password for the user.

Alan DeKok.
Re: Freeradius + PEAP.. stuck on validating identity..
2010/4/1 Alan DeKok :
> Bruno Kremel wrote:
>> Sending Access-Challenge of id 0 to 192.168.3.1 port 1320
>> EAP-Message = 0x010c00061900
>> Message-Authenticator = 0x
>> State = 0x53b1704557bd694fbe3359243d2a2638
>> Finished request 40.
>> Going to the next request
>> Waking up in 4.9 seconds.
>> Cleaning up request 40 ID 0 with timestamp +589
>> Ready to process requests.
>
> This is documented in the FAQ, in the comments in raddb/eap.conf, and
> on my web site (http://deployingradius.com/).
>
> Please read the existing documentation,
>
>> That Access-Challenge should authenticate my client if I am not wrong,
>
> No.
>
> Alan DeKok.
>

Thank you for those links... I have read that FAQ and so I copied over the default eap.conf and tried it with the users file.. it is working OK, I can connect to the AP with username/password, but when I tried to use SQL (I have the correct format in SQL now) again it ends up with this Accept-Reject:

rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [pokus2/] (from client ciscorouter port 44 cli 001e650ece6c)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> pokus2
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 23 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 23
Sending Access-Reject of id 0 to 192.168.3.1 port 1327
EAP-Message = 0x040a0004
Message-Authenticator = 0x
Waking up in 4.9 seconds.
Cleaning up request 23 ID 0 with timestamp +735
Ready to process requests.

But radtest gives me:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 54224, id=218, length=57
User-Name = "test2"
User-Password = "pokus2"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "test2", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
expand: %{User-Name} -> test2
rlm_sql (sql): sql_set_user escaped user --> 'test2'
rlm_sql (sql): Reserving sql socket id: 2
expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test2' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test2' ORDER BY id
expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'test2' ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
rad_check_password: Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "pokus2"
rlm_pap: Using clear text password "pokus2"
rlm_pap: User authenticated successfully
++[pap] returns ok
Login OK: [test2/pokus2] (from client localhost port 1812)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 218 to 127.0.0.1 port 54224
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 10 ID 218 with timestamp +263
Ready to process requests.

So is it an sql problem or something with eap?
Re: Freeradius + PEAP.. stuck on validating identity..
Bruno Kremel wrote:
> Sending Access-Challenge of id 0 to 192.168.3.1 port 1320
> EAP-Message = 0x010c00061900
> Message-Authenticator = 0x
> State = 0x53b1704557bd694fbe3359243d2a2638
> Finished request 40.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 40 ID 0 with timestamp +589
> Ready to process requests.

This is documented in the FAQ, in the comments in raddb/eap.conf, and on my web site (http://deployingradius.com/).

Please read the existing documentation,

> That Access-Challenge should authenticate my client if I am not wrong,

No.

Alan DeKok.
Re: Freeradius + PEAP.. stuck on validating identity..
On 01/04/2010, at 8:40 PM, Bruno Kremel wrote:

> 2010/4/1 Matt Harlum :
>>
>> On 01/04/2010, at 1:44 PM, Matt Harlum wrote:
>>
>> On 01/04/2010, at 7:39 AM, Bruno Kremel wrote:
>>
>> On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
>> What should be there?
>> Because I don't know I am using Daloradius web interface for adding data to
>> database, so I just loaded default daloradius sql which was intended
>> (according to readme of daloradius) for 2.X Freeradius... and added accounts
>> in web interface...
>>
>> Here's an example from my radcheck table in the SQL Database
>> +----+-------------+---------------+----+-------------+
>> | id | UserName    | Attribute     | op | Value       |
>> +----+-------------+---------------+----+-------------+
>> |  1 | exampleuser | User-Password | == | password123 |
>> +----+-------------+---------------+----+-------------+
>> This is how yours should be set up, otherwise you will get the "validating"
>> issue in Windows.
>>
>> I was wrong
>> it should be
>> Here's an example from my radcheck table in the SQL Database
>> +----+-------------+--------------------+----+-------------+
>> | id | UserName    | Attribute          | op | Value       |
>> +----+-------------+--------------------+----+-------------+
>> |  1 | exampleuser | Cleartext-Password | := | password123 |
>> +----+-------------+--------------------+----+-------------+
>> My configuration was wrong it'd seem, I hadn't noticed as I'm primarily
>> using EAP-TLS with EAP-TTLS as a fallback. didn't test it when I upgraded to
>> 2.x
>> Regards,
>> Matt Harlum
>>
>>
>> To me it seems that name/password was accepted so I have no clue where
>>
>> is the problem..
>>
>> The password was NOT accepted. It was *ignored*.
>>
>> And what is that Accept-Accept on the end of the log?... also radtest gives
>> me
>> Accept-Accept only on correct login and password so I think that it's not
>> that
>> SQL...
>>
>>
>> As Alan said, it was simply ignored because of the misconfiguration
>> Regards,
>> Matt Harlum
>>
>
> Thank you for answer.. You are right with that sql it is some mess in
> daloradius, but I tried to disable SQL and use /etc/freeradius/users
> file instead, but I am stuck on Attempting to authenticate now.. log
> says this:

Are you trying to use EAP-TTLS?

> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.3.1 port 1320, id=0,
> length=137
> Cleaning up request 39 ID 0 with timestamp +589
>     User-Name = "pokus"
>     NAS-IP-Address = 192.168.3.1
>     Called-Station-Id = "00259c523046"
>     Calling-Station-Id = "001e650eb532"
>     NAS-Identifier = "00259c523046"
>     NAS-Port = 9
>     Framed-MTU = 1400
>     State = 0x53b1704550ba694fbe3359243d2a2638
>     NAS-Port-Type = Wireless-802.11
>     EAP-Message = 0x020b00061900
>     Message-Authenticator = 0x5fde19c57e8672a11c18b0b34d8c3acd
> +- entering group authorize
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
>     rlm_realm: No '@' in User-Name = "pokus", looking up realm NULL
>     rlm_realm: No such realm "NULL"
> ++[suffix] returns noop
> rlm_eap: EAP packet type response id 11 length 6
> rlm_eap: Continuing tunnel setup.
> ++[eap] returns ok
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> +- entering group authenticate
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/peap
> rlm_eap: processing type peap
> rlm_eap_peap: Authenticate
> rlm_eap_tls: processing TLS
> rlm_eap_tls: Received EAP-TLS ACK message
> rlm_eap_tls: ack handshake fragment handler
> eaptls_verify returned 1
> eaptls_process returned 13
> rlm_eap_peap: EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 0 to 192.168.3.1 port 1320
>     EAP-Message = 0x010c00061900
>     Message-Authenticator = 0x
>     State = 0x53b1704557bd694fbe3359243d2a2638
> Finished request 40.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 40 ID 0 with timestamp +589
> Ready to process requests.

Hard for me to tell what's going wrong here, radiusd -X should give more diagnostic information that would help. Also, what was the exact section of your users file like? With obfuscated login credentials of course.

> That Access-Challenge should authenticate my client if I am not wrong,
> but it still shows me validating identity and the attempting to
> authenticate...
>
Re: Freeradius + PEAP.. stuck on validating identity..
2010/4/1 Matt Harlum :
>
> On 01/04/2010, at 1:44 PM, Matt Harlum wrote:
>
> On 01/04/2010, at 7:39 AM, Bruno Kremel wrote:
>
> On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
> What should be there?
> Because I don't know I am using Daloradius web interface for adding data to
> database, so I just loaded default daloradius sql which was intended
> (according to readme of daloradius) for 2.X Freeradius... and added accounts
> in web interface...
>
> Here's an example from my radcheck table in the SQL Database
> +----+-------------+---------------+----+-------------+
> | id | UserName    | Attribute     | op | Value       |
> +----+-------------+---------------+----+-------------+
> |  1 | exampleuser | User-Password | == | password123 |
> +----+-------------+---------------+----+-------------+
> This is how yours should be set up, otherwise you will get the "validating"
> issue in Windows.
>
> I was wrong
> it should be
> Here's an example from my radcheck table in the SQL Database
> +----+-------------+--------------------+----+-------------+
> | id | UserName    | Attribute          | op | Value       |
> +----+-------------+--------------------+----+-------------+
> |  1 | exampleuser | Cleartext-Password | := | password123 |
> +----+-------------+--------------------+----+-------------+
> My configuration was wrong it'd seem, I hadn't noticed as I'm primarily
> using EAP-TLS with EAP-TTLS as a fallback. didn't test it when I upgraded to
> 2.x
> Regards,
> Matt Harlum
>
>
> To me it seems that name/password was accepted so I have no clue where
>
> is the problem..
>
> The password was NOT accepted. It was *ignored*.
>
> And what is that Accept-Accept on the end of the log?... also radtest gives
> me
> Accept-Accept only on correct login and password so I think that it's not
> that
> SQL...
>
>
> As Alan said, it was simply ignored because of the misconfiguration
> Regards,
> Matt Harlum
>

Thank you for answer.. You are right with that sql it is some mess in daloradius, but I tried to disable SQL and use /etc/freeradius/users file instead, but I am stuck on Attempting to authenticate now.. log says this:

Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.3.1 port 1320, id=0, length=137
Cleaning up request 39 ID 0 with timestamp +589
    User-Name = "pokus"
    NAS-IP-Address = 192.168.3.1
    Called-Station-Id = "00259c523046"
    Calling-Station-Id = "001e650eb532"
    NAS-Identifier = "00259c523046"
    NAS-Port = 9
    Framed-MTU = 1400
    State = 0x53b1704550ba694fbe3359243d2a2638
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020b00061900
    Message-Authenticator = 0x5fde19c57e8672a11c18b0b34d8c3acd
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "pokus", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 11 length 6
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.3.1 port 1320
    EAP-Message = 0x010c00061900
    Message-Authenticator = 0x
    State = 0x53b1704557bd694fbe3359243d2a2638
Finished request 40.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 40 ID 0 with timestamp +589
Ready to process requests.

That Access-Challenge should authenticate my client if I am not wrong, but it still shows me validating identity and the attempting to authenticate...
Re: Freeradius + PEAP.. stuck on validating identity..
On 01/04/2010, at 1:44 PM, Matt Harlum wrote:

>
> On 01/04/2010, at 7:39 AM, Bruno Kremel wrote:
>
>> On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
>> What should be there?
>> Because I don't know I am using Daloradius web interface for adding data to
>> database, so I just loaded default daloradius sql which was intended
>> (according to readme of daloradius) for 2.X Freeradius... and added accounts
>> in web interface...
>
> Here's an example from my radcheck table in the SQL Database
> +----+-------------+---------------+----+-------------+
> | id | UserName    | Attribute     | op | Value       |
> +----+-------------+---------------+----+-------------+
> |  1 | exampleuser | User-Password | == | password123 |
> +----+-------------+---------------+----+-------------+
>
> This is how yours should be set up, otherwise you will get the "validating"
> issue in Windows.
>

I was wrong
it should be

Here's an example from my radcheck table in the SQL Database
+----+-------------+--------------------+----+-------------+
| id | UserName    | Attribute          | op | Value       |
+----+-------------+--------------------+----+-------------+
|  1 | exampleuser | Cleartext-Password | := | password123 |
+----+-------------+--------------------+----+-------------+

My configuration was wrong it'd seem, I hadn't noticed as I'm primarily using EAP-TLS with EAP-TTLS as a fallback. didn't test it when I upgraded to 2.x

Regards,
Matt Harlum

>
>>> To me it seems that name/password was accepted so I have no clue where is the problem..
>>>
>>> The password was NOT accepted. It was *ignored*.
>>>
>> And what is that Accept-Accept on the end of the log?... also radtest gives
>> me
>> Accept-Accept only on correct login and password so I think that it's not
>> that
>> SQL...
>>
>
> As Alan said, it was simply ignored because of the misconfiguration
>
> Regards,
> Matt Harlum
>
Re: Freeradius + PEAP.. stuck on validating identity..
On 01/04/2010, at 7:39 AM, Bruno Kremel wrote:

> On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
> What should be there?
> Because I don't know I am using Daloradius web interface for adding data to
> database, so I just loaded default daloradius sql which was intended
> (according to readme of daloradius) for 2.X Freeradius... and added accounts
> in web interface...

Here's an example from my radcheck table in the SQL Database
+----+-------------+---------------+----+-------------+
| id | UserName    | Attribute     | op | Value       |
+----+-------------+---------------+----+-------------+
|  1 | exampleuser | User-Password | == | password123 |
+----+-------------+---------------+----+-------------+

This is how yours should be set up, otherwise you will get the "validating" issue in Windows.

>>
>>> To me it seems that name/password was accepted so I have no clue where
>>> is the problem..
>>
>> The password was NOT accepted. It was *ignored*.
>>
> And what is that Accept-Accept on the end of the log?... also radtest gives
> me
> Accept-Accept only on correct login and password so I think that it's not
> that
> SQL...
>

As Alan said, it was simply ignored because of the misconfiguration

Regards,
Matt Harlum
Re: Freeradius + PEAP.. stuck on validating identity..
Bruno Kremel wrote:
>> Why did you put "Auth-Type = Accept" in SQL?
>>
>> It's breaking the server. Delete it.
> What should be there?

The user's password?

> Because I don't know I am using Daloradius web interface for adding data to
> database, so I just loaded default daloradius sql which was intended
> (according to readme of daloradius) for 2.X Freeradius... and added accounts
> in web interface...

I don't use daloradius. All I know is from the debug output, which shows that the server isn't configured properly.

> And what is that Accept-Accept on the end of the log?...

It's useless. The EAP conversation has been short-circuited, and the user WILL NOT end up being online.

> also radtest gives me
> Accept-Accept only on correct login and password so I think that it's not
> that
> SQL...

Since you obviously know the product better than I do, good luck solving the problem.

Alan DeKok.
Re: Freeradius + PEAP.. stuck on validating identity..
On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
> Bruno Kremel wrote:
> > My configuration is pretty much default except of enabling MySQL and
> > setting paths and passwords to certificates (generated with make
> > script in /etc/freeradius/certs, so they should be OK) and addresses
> > of clients.
>
> And what did you put in SQL?
>
> > expand: %{User-Name} -> pokus
> > rlm_sql (sql): sql_set_user escaped user --> 'pokus'
> > rlm_sql (sql): Reserving sql socket id: 3
> > expand: SELECT id, username, attribute, value, op FROM radcheck WHERE
> > username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username,
> > attribute, value, op FROM radcheck WHERE username = 'pokus' ORDER BY
> > id
> > rlm_sql (sql): User found in radcheck table
> > expand: SELECT id, username, attribute, value, op FROM radreply WHERE
> > username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username,
> > attribute, value, op FROM radreply WHERE username = 'pokus' ORDER BY
> > id
> > expand: SELECT groupname FROM radusergroup WHERE username =
> > '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM
> > radusergroup WHERE username = 'pokus' ORDER BY priority
>
> ...
>
> > rad_check_password: Found Auth-Type Accept
> > rad_check_password: Auth-Type = Accept, accepting the user
>
> Why did you put "Auth-Type = Accept" in SQL?
>
> It's breaking the server. Delete it.

What should be there?
Because I don't know I am using Daloradius web interface for adding data to database, so I just loaded default daloradius sql which was intended (according to readme of daloradius) for 2.X Freeradius... and added accounts in web interface...

> > To me it seems that name/password was accepted so I have no clue where
> > is the problem..
>
> The password was NOT accepted. It was *ignored*.
>

And what is that Accept-Accept on the end of the log?... also radtest gives me Accept-Accept only on correct login and password so I think that it's not that SQL...

> Alan DeKok.
>

Thank you for answer.
Re: Freeradius + PEAP.. stuck on validating identity..
Bruno Kremel wrote:
> My configuration is pretty much default except of enabling MySQL and
> setting paths and passwords to certificates (generated with make
> script in /etc/freeradius/certs, so they should be OK) and addresses
> of clients.

And what did you put in SQL?

> expand: %{User-Name} -> pokus
> rlm_sql (sql): sql_set_user escaped user --> 'pokus'
> rlm_sql (sql): Reserving sql socket id: 3
> expand: SELECT id, username, attribute, value, op FROM radcheck WHERE
> username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username,
> attribute, value, op FROM radcheck WHERE username = 'pokus' ORDER BY
> id
> rlm_sql (sql): User found in radcheck table
> expand: SELECT id, username, attribute, value, op FROM radreply WHERE
> username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username,
> attribute, value, op FROM radreply WHERE username = 'pokus' ORDER BY
> id
> expand: SELECT groupname FROM radusergroup WHERE username =
> '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM
> radusergroup WHERE username = 'pokus' ORDER BY priority

...

> rad_check_password: Found Auth-Type Accept
> rad_check_password: Auth-Type = Accept, accepting the user

Why did you put "Auth-Type = Accept" in SQL?

It's breaking the server. Delete it.

> To me it seems that name/password was accepted so I have no clue where
> is the problem..

The password was NOT accepted. It was *ignored*.

Alan DeKok.
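As an added example (not FreeRADIUS code and not from any poster in this thread), here is the triage Alan DeKok and Matt Harlum do by eye above, plus the benign case from the AD/ntlm_auth thread, turned into a small parser for radiusd -X output: it scopes module results to the virtual server they ran in (so a missing "sql" in inner-tunnel is caught even when the outer authorize has it), flags an "Auth-Type = Accept" short-circuit, and does not flag the "No Cleartext-Password configured" warning on its own. The debug samples are constructed from the excerpts quoted in the thread; the NT_KEY value is a placeholder.

```python
"""Triage of `radiusd -X` output for the misconfigurations discussed in this
thread.  Added example, not FreeRADIUS code and not from any poster.  The
sample debug text is constructed from excerpts quoted in the thread."""
import re
from collections import defaultdict

# Bruno Kremel's failing PEAP session (abridged): inner-tunnel authorize
# never calls sql, so mschap has no "known good" password to work with.
FAILING_DEBUG = """\
server inner-tunnel {
+- entering group authorize
++[chap] returns noop
++[mschap] returns noop
++[suffix] returns noop
++[eap] returns updated
++[files] returns noop
++[pap] returns noop
rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for 123 with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
} # server inner-tunnel
"""

# Aniss Nazerian's run against AD: the same warnings, but mschap hands the
# challenge/response to ntlm_auth and succeeds, so they are benign.
# The NT_KEY value is a constructed placeholder, not a real hash.
NTLM_AUTH_OK_DEBUG = """\
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for user@domain.xx with NT-Password
Exec-Program output: NT_KEY: 00000000000000000000000000000000
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
"""

# Bruno's earlier run: a radcheck row "Auth-Type := Accept" bypasses EAP.
AUTH_TYPE_ACCEPT_DEBUG = """\
rlm_sql (sql): User found in radcheck table
rad_check_password: Found Auth-Type Accept
rad_check_password: Auth-Type = Accept, accepting the user
"""

SERVER_RE = re.compile(r"^server (?P<srv>[\w-]+) \{")
GROUP_RE = re.compile(r"^\+- entering group (?P<grp>[\w-]+)")
MODULE_RE = re.compile(r"^\+\+\[(?P<mod>[\w.]+)\] returns (?P<rc>\w+)$")


def module_calls(debug_text):
    """Map (virtual server, section) -> [(module, return code), ...].
    Lines outside any "server X {" block belong to the default server."""
    calls = defaultdict(list)
    server, group = "default", None
    for raw in debug_text.splitlines():
        line = raw.strip()
        m = SERVER_RE.match(line)
        if m:
            server = m.group("srv")
            continue
        if line.startswith("}"):          # e.g. "} # server inner-tunnel"
            server = "default"
            continue
        m = GROUP_RE.match(line)
        if m:
            group = m.group("grp")
            continue
        m = MODULE_RE.match(line)
        if m and group:
            calls[(server, group)].append((m.group("mod"), m.group("rc")))
    return calls


def triage(debug_text):
    """Return [(code, advice)] for the symptoms the replies point at.
    "No Cleartext-Password configured" alone is only a warning: if ntlm_auth
    or an NT-Password attribute still supplied the hash, nothing is flagged."""
    findings = []
    if "Auth-Type = Accept" in debug_text:
        findings.append(("auth-type-accept",
            "a check item forces Auth-Type Accept, so EAP is short-circuited "
            "and the Access-Accept is meaningless; remove it and store the "
            "password as 'Cleartext-Password := ...' instead"))
    if "FAILED: No NT/LM-Password" in debug_text:
        inner = module_calls(debug_text).get(("inner-tunnel", "authorize"), [])
        ran = sorted({mod for mod, _ in inner})
        if inner and not {"sql", "ldap"} & set(ran):
            findings.append(("inner-tunnel-no-sql",
                "inner-tunnel authorize ran %s but never sql or ldap; enable "
                "it in raddb/sites-available/inner-tunnel" % ran))
        else:
            findings.append(("no-known-good-password",
                "mschap found no Cleartext-Password or NT-Password for the "
                "user; check the users entry or radcheck row"))
    return findings
```

Feed `triage()` the text of a whole `radiusd -X` run; it returns an empty list for the ntlm_auth case above and one finding for each of the two failing ones.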
Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory
I attached the captured packets. Please open it with wireshark. The password from OD is “”. It is neither cleartext password nor encrypted password.

--- On Thu, 18 Mar 2010, John wrote:

From: John
Subject: Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory
To: "FreeRadius users mailing list"
Date: Thu, 18 Mar 2010, 7:01 PM

I configured the LDAP module to talk to Open Directory; based on the debug it looks like the password is fetched from OD, but the authentication always failed. Is there any guide for integrating freeRADIUS+ldap+OD? I set up freeRADIUS to talk to OpenLDAP, and it works well. Can OD return the cleartext password like OpenLDAP does?

John.

--- On Mon, 15 Mar 2010, Alan DeKok wrote:

From: Alan DeKok
Subject: Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory
To: "FreeRadius users mailing list"
Date: Mon, 15 Mar 2010, 12:59 PM

John wrote:
> Hello,
> We want to setup freeRADIUS with Peap/MSCHAPv2 talking to Apple Open
> Directory. I found this option 'use_open_directory'. But it looks like we need
> to install freeRADIUS on the same machine with Open
> Directory.(https://lists.freeradius.org/pipermail/freeradius-users/2010-February/msg00307.html)
>
> Do we have to run freeRADIUS on the same machine with OpenDirectory?

Yes.

> Is
> there a work-around that we can run freeRADIUS separate from OpenDirectory?

OpenDirectory is an LDAP server. Configure that way in FreeRADIUS. It might work.

Alan DeKok.

- Attachment content follows -

Attachment: ODldap.pcap (Description: Binary data)
Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory
I configured the LDAP module to talk to Open Directory; based on the debug it looks like the password is fetched from OD, but the authentication always failed. Is there any guide for integrating freeRADIUS+ldap+OD? I set up freeRADIUS to talk to OpenLDAP, and it works well. Can OD return the cleartext password like OpenLDAP does?

John.

--- On Mon, 15 Mar 2010, Alan DeKok wrote:

From: Alan DeKok
Subject: Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory
To: "FreeRadius users mailing list"
Date: Mon, 15 Mar 2010, 12:59 PM

John wrote:
> Hello,
> We want to setup freeRADIUS with Peap/MSCHAPv2 talking to Apple Open
> Directory. I found this option 'use_open_directory'. But it looks like we need
> to install freeRADIUS on the same machine with Open
> Directory.(https://lists.freeradius.org/pipermail/freeradius-users/2010-February/msg00307.html)
>
> Do we have to run freeRADIUS on the same machine with OpenDirectory?

Yes.

> Is
> there a work-around that we can run freeRADIUS separate from OpenDirectory?

OpenDirectory is an LDAP server. Configure that way in FreeRADIUS. It might work.

Alan DeKok.
Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory
John wrote:
> Hello,
> We want to setup freeRADIUS with Peap/MSCHAPv2 talking to Apple Open
> Directory. I found this option 'use_open_directory'. But it looks like we need
> to install freeRADIUS on the same machine with Open
> Directory.(https://lists.freeradius.org/pipermail/freeradius-users/2010-February/msg00307.html)
>
> Do we have to run freeRADIUS on the same machine with OpenDirectory?

Yes.

> Is
> there a work-around that we can run freeRADIUS separate from OpenDirectory?

OpenDirectory is an LDAP server. Configure that way in FreeRADIUS. It might work.

Alan DeKok.
Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory
Moritz Dereschkewitz wrote:
> Wow, that sounds great. I haven't read about the use_open_directory
> option yet. Do I have to configure the mschap-module to connect to the
> OD, since Freeradius is not running on the Apple server? E.g. specify
> the server address? Or does it find the server automatically?

You need to run FreeRADIUS on the same machine as Open Directory.

Alan DeKok.
Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory
On 13.02.2010 08:21, Alan DeKok wrote:
> Moe D. wrote:
> > I got a machine up and running Freeradius 2.1.0 with SSL support to secure a Wireless LAN. In our school's network we (have to) use an Apple Mac OS X 10.4 Server with Samba as the PDC. Samba stores the user information using the OpenDirectory on the same server, using the NTLM password hashes... so far, there should be no problem for Freeradius using LDAP to connect to the OD and retrieve the NTLM hash to authenticate the wireless clients.
>
> Use the "mschap" module. Apple has contributed code to make FreeRADIUS work with Open Directory. Edit the "mschap" configuration, and add:
>
> use_open_directory = yes
>
> That's it. You may need to use a more recent version of FreeRADIUS. I suggest 2.1.8.
>
> Alan DeKok.

Wow, that sounds great. I haven't read about the use_open_directory option yet. Do I have to configure the mschap module to connect to the OD, since Freeradius is not running on the Apple server? E.g. specify the server address? Or does it find the server automatically?

Thanks for your help so far, Alan!

moenster
Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory
Moe D. wrote:
> I got a machine up and running Freeradius 2.1.0 with SSL support to secure a Wireless LAN. In our school's network we (have to) use an Apple Mac OS X 10.4 Server with Samba as the PDC. Samba stores the user information using the OpenDirectory on the same server, using the NTLM password hashes... so far, there should be no problem for Freeradius using LDAP to connect to the OD and retrieve the NTLM hash to authenticate the wireless clients.

Use the "mschap" module. Apple has contributed code to make FreeRADIUS work with Open Directory. Edit the "mschap" configuration, and add:

use_open_directory = yes

That's it. You may need to use a more recent version of FreeRADIUS. I suggest 2.1.8.

Alan DeKok.
Re: Freeradius, PEAP, Active Directory and --require-membership-of
Use:

--username=%{mschap:User-Name}

and it should work.

Ivan Kalik
Kalik Informatika ISP

On 3/10/2008, "Vieri" <[EMAIL PROTECTED]> wrote:

> --- On Thu, 10/2/08, Vieri <[EMAIL PROTECTED]> wrote:
>
> > I'm running freeradius-2.0.5 on Linux.
> >
> > My setup is as follows:
> >
> > Windows Vista native client - Linksys AP - FreeRadius Linux server (PEAP/mschapv2) - Active Directory Windows server
> >
> > Everything works smoothly with the following ntlm_auth parameters in the mschap module:
> >
> > ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
> >
> > However, user authentication is rejected when I add the --domain parameter:
> >
> > ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
> >
> > (from the Windows Vista client I obviously set the DOMAIN field; besides, if I run the freeradius daemon with debug enabled I see that it "correctly" receives 'DOMAIN\username')
> >
> > For starters, I don't understand why authentication fails if I add --domain. How can I find out why?
> >
> > Then, adding --require-membership-of with or without --domain also fails.
> >
> > ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{Stripped-User-Name:-%{User-Name:-None}} --require-membership-of='DOMAIN\\WIFI' --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
> >
> > Finally, running ntlm_auth from the command line yields:
> >
> > # ntlm_auth --request-nt-key --domain=DOMAIN --username=myuser --require-membership-of='DOMAIN\\WIFI'
> > password:
> > NT_STATUS_OK: Success (0x0)
>
> I found this in the radiusd debug log:
>
> [2008/10/03 09:39:30, 0] utils/ntlm_auth.c:get_require_membership_sid(237)
>   Winbindd lookupname failed to resolve 'DOMAIN\WIFI' into a SID!
>
> so I removed the '' in the ntlm_auth string like this:
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=DOMAIN --require-membership-of=DOMAIN\\WIFI --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>
> and now it works.
>
> So this leads me to ask how I can specify group names with spaces such as 'WIFI 1'.
>
> Also, I had to specify the domain explicitly either via --domain=DOMAIN or --domain=%{mschap:NT-Domain:-DOMAIN}. In the latter case, authentication succeeds only if the client does NOT specify a domain in the domain or user field.
> So I'm attaching some debug outputs with the hope that someone can shed some light on this aspect which I obviously don't grasp.
>
> Thanks,
>
> Vieri
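Added example, not part of the thread: a small Python model of what the mschap module does with Vieri's ntlm_auth string and with Ivan's --username=%{mschap:User-Name} fix. It models the %{mschap:NT-Domain} / %{mschap:User-Name} expansions (text before a backslash is the domain) and assumes the server splits the expanded string into argv on whitespace without a shell and without removing quotes, which is consistent with the literal quotes reaching winbind in Vieri's log; the sample user names are constructed.

```python
import shlex
from typing import List, Optional

# Constructed sample values (not taken from the thread): a domain-prefixed
# and a bare User-Name as a Windows supplicant would send them.
SAMPLE_USER_NAMES = ["DOMAIN\\alice", "alice"]


def mschap_xlat(user_name: str, what: str) -> str:
    """Model of rlm_mschap's %{mschap:NT-Domain} and %{mschap:User-Name} xlats.

    Everything before a backslash is the NT domain; without a backslash the
    domain expands to "" (radiusd -X prints "No NT-Domain was found in the
    User-Name", so the :-DEFAULT fallback applies) and User-Name is unchanged.
    """
    domain, sep, user = user_name.partition("\\")
    if not sep:
        return "" if what == "NT-Domain" else user_name
    return domain if what == "NT-Domain" else user


def ntlm_auth_cmdline(user_name: str, default_domain: str,
                      group: Optional[str] = None,
                      stripped_user_name: Optional[str] = None,
                      use_mschap_username: bool = False) -> str:
    """Expand the mschap module's ntlm_auth string for one request.

    --domain comes from %{mschap:NT-Domain:-DEFAULT}; --username comes either
    from %{Stripped-User-Name:-%{User-Name:-None}} (Vieri's template) or from
    %{mschap:User-Name} (Ivan's fix).  Challenge and NT-Response are left as
    their xlats because they differ per request.
    """
    domain = mschap_xlat(user_name, "NT-Domain") or default_domain
    if use_mschap_username:
        username = mschap_xlat(user_name, "User-Name")
    else:
        username = stripped_user_name or user_name or "None"
    parts = ["/usr/bin/ntlm_auth", "--request-nt-key",
             f"--domain={domain}", f"--username={username}"]
    if group is not None:
        parts.append(f"--require-membership-of={group}")
    parts += ["--challenge=%{mschap:Challenge:-00}",
              "--nt-response=%{mschap:NT-Response:-00}"]
    return " ".join(parts)


def radiusd_argv(cmdline: str) -> List[str]:
    """Assumed model of how the 2.x server builds argv from the expanded
    string: split on whitespace, no shell, no quote removal.  Quotes therefore
    become part of the group name and winbind cannot resolve it."""
    return cmdline.split()


def shell_argv(cmdline: str) -> List[str]:
    """What a POSIX shell would have produced from the same string, for contrast."""
    return shlex.split(cmdline)


def group_arg_is_safe(group: str) -> bool:
    """Pre-deployment check for a --require-membership-of value: whitespace or
    quotes cannot survive a plain whitespace split intact, so a group such as
    'WIFI 1' needs a wrapper script or a space-free group name."""
    return not any(ch.isspace() or ch in "'\"" for ch in group)


if __name__ == "__main__":
    for name in SAMPLE_USER_NAMES:
        for fix in (False, True):
            argv = radiusd_argv(ntlm_auth_cmdline(name, "DOMAIN",
                                                  use_mschap_username=fix))
            print("User-Name=%r fix=%s -> %s" % (name, fix, argv[2:4]))
```

With "DOMAIN\alice" the unfixed template sends the domain twice (--domain=DOMAIN plus --username=DOMAIN\alice), which is the case Vieri saw fail; the fixed template sends --username=alice.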
Re: Freeradius, PEAP, Active Directory and --require-membership-of
Don't hijack other people's thread. BTW, did you fix the users file entry so the server can start up?

Ivan Kalik
Kalik Informatika ISP

On 3/10/2008, "luis a" <[EMAIL PROTECTED]> wrote:

> pal if you are using the freeradius binary version as i was using before
>
> you can debug by typing freeradius -X
>
> if you are using the compiled version as i did a few days ago, it should work by only typing radiusd -X
>
> PD:
> my freeradius is still not authenticating against AD :-(
>
>
> --- On Thu, 2/10/08, Nicolas Goutte <[EMAIL PROTECTED]> wrote:
> From: Nicolas Goutte <[EMAIL PROTECTED]>
> Subject: Re: Freeradius, PEAP, Active Directory and --require-membership-of
> To: "FreeRadius users mailing list"
> Date: Thursday, 2 October 2008, 6:09
>
> On 02.10.2008 at 19:46, Vieri wrote:
>
> > --- On Thu, 10/2/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> >
> > > As with every other freeradius problem - when it doesn't work - debug (radiusd -X).
> >
> > That's how I'm running it. Does the list mind if I post the debug lines?
>
> Asking for the output of radiusd -X is the most frequent answer on this mailing list and so it is not a problem to see such outputs on this mailing list.
>
> However please check first by yourself that you have not missed an error message that would bring you in the right direction. (Because that is probably the second most frequent answer.)
>
> Have a nice day!
>
> Nicolas Goutte
>
> extragroup GmbH - Karlsruhe
> Waldstr. 49
> 76133 Karlsruhe
> Germany
>
> Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
> Registergericht: Amtsgericht Münster / HRB: 5624
> Steuer Nr.: 337/5903/0421 / UstID: DE 204607841
Re: Freeradius, PEAP, Active Directory and --require-membership-of
pal if you are using the freeradius binary version as i was using before

you can debug by typing freeradius -X

if you are using the compiled version as i did a few days ago, it should work by only typing radiusd -X

PD:
my freeradius is still not authenticating against AD :-(

--- On Thu, 2/10/08, Nicolas Goutte <[EMAIL PROTECTED]> wrote:
From: Nicolas Goutte <[EMAIL PROTECTED]>
Subject: Re: Freeradius, PEAP, Active Directory and --require-membership-of
To: "FreeRadius users mailing list"
Date: Thursday, 2 October 2008, 6:09

On 02.10.2008 at 19:46, Vieri wrote:

> --- On Thu, 10/2/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> > As with every other freeradius problem - when it doesn't work - debug (radiusd -X).
>
> That's how I'm running it. Does the list mind if I post the debug lines?

Asking for the output of radiusd -X is the most frequent answer on this mailing list and so it is not a problem to see such outputs on this mailing list.

However please check first by yourself that you have not missed an error message that would bring you in the right direction. (Because that is probably the second most frequent answer.)

Have a nice day!

Nicolas Goutte
extragroup GmbH - Karlsruhe
Re: Freeradius, PEAP, Active Directory and --require-membership-of
--- On Thu, 10/2/08, Vieri <[EMAIL PROTECTED]> wrote:

> I'm running freeradius-2.0.5 on Linux.
>
> My setup is as follows:
>
> Windows Vista native client - Linksys AP - FreeRadius Linux server (PEAP/mschapv2) - Active Directory Windows server
>
> Everything works smoothly with the following ntlm_auth parameters in the mschap module:
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>
> However, user authentication is rejected when I add the --domain parameter:
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>
> (from the Windows Vista client I obviously set the DOMAIN field; besides, if I run the freeradius daemon with debug enabled I see that it "correctly" receives 'DOMAIN\username')
>
> For starters, I don't understand why authentication fails if I add --domain. How can I find out why?
>
> Then, adding --require-membership-of with or without --domain also fails.
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{Stripped-User-Name:-%{User-Name:-None}} --require-membership-of='DOMAIN\\WIFI' --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>
> Finally, running ntlm_auth from the command line yields:
>
> # ntlm_auth --request-nt-key --domain=DOMAIN --username=myuser --require-membership-of='DOMAIN\\WIFI'
> password:
> NT_STATUS_OK: Success (0x0)

I found this in the radiusd debug log:

[2008/10/03 09:39:30, 0] utils/ntlm_auth.c:get_require_membership_sid(237)
  Winbindd lookupname failed to resolve 'DOMAIN\WIFI' into a SID!

so I removed the '' in the ntlm_auth string like this:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=DOMAIN --require-membership-of=DOMAIN\\WIFI --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

and now it works.

So this leads me to ask how I can specify group names with spaces such as 'WIFI 1'.

Also, I had to specify the domain explicitly either via --domain=DOMAIN or --domain=%{mschap:NT-Domain:-DOMAIN}. In the latter case, authentication succeeds only if the client does NOT specify a domain in the domain or user field.
So I'm attaching some debug outputs with the hope that someone can shed some light on this aspect which I obviously don't grasp.

Thanks,

Vieri

Attachment: radiusd.log.tar.gz (GNU Zip compressed data)
Re: Freeradius, PEAP, Active Directory and --require-membership-of
Vieri wrote:
> However, user authentication is rejected when I add the --domain parameter:
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

And you didn't post the debug output as suggested in the FAQ, README, INSTALL, and daily on this list.

Knowing WHY it was rejected, and WHAT ERROR was produced is key information that is needed to be able to solve the problem.

Alan DeKok.
Re: Freeradius, PEAP, Active Directory and --require-membership-of
On 02.10.2008 at 19:46, Vieri wrote:

> --- On Thu, 10/2/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> > As with every other freeradius problem - when it doesn't work - debug (radiusd -X).
>
> That's how I'm running it. Does the list mind if I post the debug lines?

Asking for the output of radiusd -X is the most frequent answer on this mailing list and so it is not a problem to see such outputs on this mailing list.

However please check first by yourself that you have not missed an error message that would bring you in the right direction. (Because that is probably the second most frequent answer.)

Have a nice day!

Nicolas Goutte

extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Registergericht: Amtsgericht Münster / HRB: 5624
Steuer Nr.: 337/5903/0421 / UstID: DE 204607841
Re: Freeradius, PEAP, Active Directory and --require-membership-of
Vieri wrote:
> --- On Thu, 10/2/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> > As with every other freeradius problem - when it doesn't work - debug (radiusd -X).
>
> That's how I'm running it. Does the list mind if I post the debug lines?

You're supposed to do so! It's even in the FreeRADIUS FAQ (however IMVHO it should be on the ML front page).

http://wiki.freeradius.org/FAQ#It_still_doesn.27t_work.21

PS: I followed your Reply-To, however I don't think that was necessary - do you really have to set it that way?

Kind regards,

--
Lech Karol Pawłaszek
"You will never see me fall from grace" [KoRn]
Re: Freeradius, PEAP, Active Directory and --require-membership-of
I forgot to mention that I already tried:

with_ntdomain_hack = yes

I'll try to post the relevant radiusd -X debug lines if the ML doesn't mind.
Re: Freeradius, PEAP, Active Directory and --require-membership-of
--- On Thu, 10/2/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

> As with every other freeradius problem - when it doesn't work - debug (radiusd -X).

That's how I'm running it. Does the list mind if I post the debug lines?
Re: Freeradius, PEAP, Active Directory and --require-membership-of
As with every other freeradius problem - when it doesn't work - debug (radiusd -X).

Ivan Kalik
Kalik Informatika ISP

On 2/10/2008, "Vieri" <[EMAIL PROTECTED]> wrote:

> Hi,
>
> I'm running freeradius-2.0.5 on Linux.
>
> My setup is as follows:
>
> Windows Vista native client - Linksys AP - FreeRadius Linux server (PEAP/mschapv2) - Active Directory Windows server
>
> Everything works smoothly with the following ntlm_auth parameters in the mschap module:
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>
> However, user authentication is rejected when I add the --domain parameter:
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>
> (from the Windows Vista client I obviously set the DOMAIN field; besides, if I run the freeradius daemon with debug enabled I see that it "correctly" receives 'DOMAIN\username')
>
> For starters, I don't understand why authentication fails if I add --domain. How can I find out why?
>
> Then, adding --require-membership-of with or without --domain also fails.
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{Stripped-User-Name:-%{User-Name:-None}} --require-membership-of='DOMAIN\\WIFI' --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>
> Finally, running ntlm_auth from the command line yields:
>
> # ntlm_auth --request-nt-key --domain=DOMAIN --username=myuser --require-membership-of='DOMAIN\\WIFI'
> password:
> NT_STATUS_OK: Success (0x0)
>
> Could it be a "bug" in the freeradius version I'm running?
>
> Can anyone please suggest how I can debug this (not a radius expert ;-) )?
>
> Regards,
>
> Vieri
Re: Freeradius PEAP and Wireless
Read the provided instructions in eap.conf.

Ivan Kalik
Kalik Informatika ISP

On 18/6/2007, "Cody Jarrett" <[EMAIL PROTECTED]> wrote:

> Alan Dekok wrote:
> > Cody Jarrett wrote:
> > > I'm trying to set up freeradius with ldap for use with a wireless network. I don't want to have to deal with tls and certificates if possible,
> >
> > Then you won't be doing PEAP. It requires TLS and certificates.
>
> Is what I want possible then? And if so could you provide me with details on what it's called or how it's configured?
>
> > ...
> > > rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is required first.
> >
> > What is unclear about that message? It's telling you that you need TLS for PEAP to work.
> >
> > All of the howto's show that you have to configure TLS before PEAP. The comments in "eap.conf" say you have to configure TLS before PEAP.
> >
> > What's the problem?
> >
> > Alan DeKok.
> > --
> > http://deployingradius.com - The web site of the book
> > http://deployingradius.com/blog/ - The blog
Re: Freeradius PEAP and Wireless
Alan Dekok wrote:
> Cody Jarrett wrote:
> > I'm trying to set up freeradius with ldap for use with a wireless network. I don't want to have to deal with tls and certificates if possible,
>
> Then you won't be doing PEAP. It requires TLS and certificates.

Is what I want possible then? And if so could you provide me with details on what it's called or how it's configured?

> ...
> > rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is required first.
>
> What is unclear about that message? It's telling you that you need TLS for PEAP to work.
>
> All of the howto's show that you have to configure TLS before PEAP. The comments in "eap.conf" say you have to configure TLS before PEAP.
>
> What's the problem?
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: Freeradius PEAP and Wireless
Cody Jarrett wrote:
> I'm trying to set up freeradius with ldap for use with a wireless network. I don't want to have to deal with tls and certificates if possible,

Then you won't be doing PEAP. It requires TLS and certificates.

...

> rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is required first.

What is unclear about that message? It's telling you that you need TLS for PEAP to work.

All of the howto's show that you have to configure TLS before PEAP. The comments in "eap.conf" say you have to configure TLS before PEAP.

What's the problem?

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
RE: Freeradius PEAP and Wireless
> rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is required first.

You need to uncomment the tls section in eap.conf, even if you're not intending to use EAP-TLS.

josh.
Re: freeradius -peap ad/ldap
> reference the initial thread where i said i was authenticating off of active directories, using eap-peap. which i had previously working just fine.
> Since i didn't specify an instance name in my eap.conf, it is referenced as 'eap' (which i did read, but was following your advice).

Once you configure the eap module, it tends to take care of itself. Setting Auth-Type & Autz-Type are for when you want to force a user (or all users, as with DEFAULT entries) to be authorized & authenticated by the respective modules. If you're purely using ldap for authorization & authentication, you shouldn't need to set either one. I know in my case I had to set access_attr_used_for_allow to 'no' because I wasn't using the ldap schema extension packaged with freeradius.

> Joe
Re: freeradius -peap ad/ldap
Sam Schultz wrote:
> > > DEFAULT
> > >         Autz-Type := ,
> > >         Auth-Type :=
> >
> > so i did what you recommended, which makes sense to do... i have Autz-type := eap, and in debug mode i get this; clearly an access-reject follows.
> >
> > auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> > auth: Failed to validate the user.
>
> First off, eap shouldn't be used this way. The top line of eap.conf clearly states:
>
> "Whatever you do, do NOT set 'Auth-Type := EAP'. The server is smart enough to figure this out on its own"
>
> Typical modules that would be used here are things like 'files', 'ldap', or 'sql'. There are also special types like 'Local' & 'System', which you'd have to use one of if you were using an sql table to store user credentials.
>
> The second thing you have to understand is the difference between modules & instances. An instance is a specific configuration of a module. The instance itself has a name that is user-specified.
> I suggest you read through the configurable_failover document, which is usually in /usr/share/doc/freeradius-, it isn't long and offers pretty good insight into how freeradius' configuration gets processed.
>
> Also, if you need to use a separate back-end for authentication, maybe you should tell us what you need to use so we can give you more specific answers.

reference the initial thread where i said i was authenticating off of active directories, using eap-peap. which i had previously working just fine.
Since i didn't specify an instance name in my eap.conf, it is referenced as 'eap' (which i did read, but was following your advice).

Joe
RE: Re: freeradius -peap ad/ldap
> > DEFAULT
> >         Autz-Type := ,
> >         Auth-Type :=
>
> so i did what you recommended, which makes sense to do... i have Autz-type := eap, and in debug mode i get this; clearly an access-reject follows.
>
> auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> auth: Failed to validate the user.

First off, eap shouldn't be used this way. The top line of eap.conf clearly states:

"Whatever you do, do NOT set 'Auth-Type := EAP'. The server is smart enough to figure this out on its own"

Typical modules that would be used here are things like 'files', 'ldap', or 'sql'. There are also special types like 'Local' & 'System', which you'd have to use one of if you were using an sql table to store user credentials.

The second thing you have to understand is the difference between modules & instances. An instance is a specific configuration of a module. The instance itself has a name that is user-specified.

I suggest you read through the configurable_failover document, which is usually in /usr/share/doc/freeradius-, it isn't long and offers pretty good insight into how freeradius' configuration gets processed.

Also, if you need to use a separate back-end for authentication, maybe you should tell us what you need to use so we can give you more specific answers.
Re: freeradius -peap ad/ldap
Sam Schultz wrote:
> On Thu, 15 Mar 2007 10:57:29 -0500 joe vieira <[EMAIL PROTECTED]> wrote:
>
> > Alan DeKok wrote:
> >
> > > joe vieira wrote:
> > >
> > > > i have eap-peap authentication working against our ad domain. peachy keen. what i would like to be able to do is, in our openldap environment, store attributes for retrieval by radius, cisco stuff/etc... i assume the way to do this would be to use the authorization sections, but if you add ldap to that then it automatically adds ldap authentication...which i don't want..
> > >
> > > Upgrade to a newer version of the server, which doesn't do that.
> >
> > which versions would that be?
>
> OK, I think I understand what you're asking. If you want to use LDAP for authorization ONLY, and something else for authentication, you could put an entry like this in your 'users' file:
>
> DEFAULT
>         Autz-Type := ,
>         Auth-Type :=
>
> Setting Autz-Type forces a certain type of authorization. Setting Auth-Type forces a certain type of authentication. Doing this in a DEFAULT entry causes ALL users that have Fall-Through set to yes to be passed through the specified authorization & authentication method.
> This could also be set on a per-user basis by changing DEFAULT to a given user's username.

so i did what you recommended, which makes sense to do... i have Autz-type := eap, and in debug mode i get this; clearly an access-reject follows.

auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.

obviously there is a module called eap..else the daemon would not start... what do you think?

Joe
Re: freeradius -peap ad/ldap
On Thu, 15 Mar 2007 10:57:29 -0500 joe vieira <[EMAIL PROTECTED]> wrote:

> Alan DeKok wrote:
> > joe vieira wrote:
> >
> > > i have eap-peap authentication working against our ad domain. peachy keen. what i would like to be able to do is, in our openldap environment, store attributes for retrieval by radius, cisco stuff/etc... i assume the way to do this would be to use the authorization sections, but if you add ldap to that then it automatically adds ldap authentication...which i don't want..
> >
> > Upgrade to a newer version of the server, which doesn't do that.
>
> which versions would that be?

OK, I think I understand what you're asking. If you want to use LDAP for authorization ONLY, and something else for authentication, you could put an entry like this in your 'users' file:

DEFAULT
        Autz-Type := ,
        Auth-Type :=

Setting Autz-Type forces a certain type of authorization. Setting Auth-Type forces a certain type of authentication. Doing this in a DEFAULT entry causes ALL users that have Fall-Through set to yes to be passed through the specified authorization & authentication method.

This could also be set on a per-user basis by changing DEFAULT to a given user's username.
Re: freeradius -peap ad/ldap
Alan DeKok wrote:
> joe vieira wrote:
>
> > i have eap-peap authentication working against our ad domain. peachy keen. what i would like to be able to do is, in our openldap environment, store attributes for retrieval by radius, cisco stuff/etc... i assume the way to do this would be to use the authorization sections, but if you add ldap to that then it automatically adds ldap authentication...which i don't want..
>
> Upgrade to a newer version of the server, which doesn't do that.

which versions would that be?
Re: freeradius -peap ad/ldap
joe vieira wrote:
>
> i have eap-peap authentication working against our ad domain. peachy keen. what i would like to be able to do is, in our openldap environment, store attributes for retrieval by radius, cisco stuff/etc... i assume the way to do this would be to use the authorization sections, but if you add ldap to that then it automatically adds ldap authentication...which i don't want..

Upgrade to a newer version of the server, which doesn't do that.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: freeradius -peap ad/ldap
On Thu, 15 Mar 2007 10:16:14 -0500 joe vieira <[EMAIL PROTECTED]> wrote:

> Hi all,
>
> I'm using the RHEL build of freeradius 1.0.1. I'm trying to do

You really should upgrade that. If I recall correctly, there were some nasty bugs in the early 1.0.x builds.

> something that might seem totally stupid, so let me know if i am (no need to flame). I'm new to freeradius so bear with me a bit.

We were all new at some point, some people just forget that :)

> i have eap-peap authentication working against our ad domain. peachy keen. what i would like to be able to do is, in our openldap environment, store attributes for retrieval by radius, cisco stuff/etc... i assume the way to do this would be to use the authorization sections, but if you add ldap to that then it automatically adds ldap authentication...which i don't want..
>
> ideas?

You could try using one of the SQL modules. Unlike ldap, the sql modules only retrieve attributes from an sql table, and set the attributes for use by later modules (or freeradius, if 'Auth-Type := Local' has been set)

> Joe Vieira
> UNIX Systems Administrator
> Clark University
Re: FreeRadius/PEAP
Alan DeKok wrote:
> Phil Mayers <[EMAIL PROTECTED]> wrote:
> > PEAP can have several inner types. One of these is "GTC" (generic token card) which sends a prompt and asks for a response. I believe the prompt can be "password" and the response the actual password.
> >
> > How well windows' GTC support works I couldn't tell you, though I know it's there.
>
> Windows doesn't support it, so far as I can tell.

My mistake - I was convinced I'd seen it. (I suppose it's possible that I had the Cisco wireless card software installed, along with its supplicant-fiddling extensions.)
Re: FreeRadius/PEAP
Phil Mayers <[EMAIL PROTECTED]> wrote:
> PEAP can have several inner types. One of these is "GTC" (generic token card) which sends a prompt and asks for a response. I believe the prompt can be "password" and the response the actual password.
>
> How well windows' GTC support works I couldn't tell you, though I know it's there.

Windows doesn't support it, so far as I can tell.

Alan DeKok.
Re: FreeRadius/PEAP
James Taylor wrote:
> Am I able to use PEAP to auth to UNIX or PAM instead of mschapv2? Do I do
> this in the EAP.CONF file?
>
> What we are basically trying to do is use FreeRadius to authenticate
> against our current user database on our linux server while still
> maintaining the PEAP-TLS security with wireless. Is that even possible?

PEAP can have several inner types. One of these is "GTC" (generic token card) which sends a prompt and asks for a response. I believe the prompt can be "password" and the response the actual password.

How well windows' GTC support works I couldn't tell you, though I know it's there. See the "gtc" section in "eap.conf".

PAM would not help; as Josh says, MSCHAPv2 needs the NT/LM hashes, which means either having the hashes, or the plaintext password to generate them from, not a "crypt". In any event, PAM seems to work very badly because of threading issues.
Re: FreeRadius/PEAP
"James Taylor" <[EMAIL PROTECTED]> wrote:
> Am I able to use PEAP to auth to UNIX or PAM instead of mschapv2?

Your question doesn't make sense. PAM and Unix /etc/passwd are both systems that store "known good" passwords. MSCHAPv2 is an authentication protocol where a user tries to authenticate based on an unknown password.

> What we are basically trying to do is use FreeRadius to authenticate
> against our current user database on our linux server while still
> maintaining the PEAP-TLS security with wireless. Is that even
> possible?

No. The crypt'd passwords stored in /etc/passwd are 100% incompatible with PEAP. You can:

a) store clear-text passwords
b) use EAP-TTLS with tunneled PAP.

You don't really have many other choices.

Alan DeKok.
Re: FreeRadius/PEAP
/etc/shadow files and PEAP/MSCHAPv2 are mutually exclusive. You can store the NT hashed passwords in the users file if you'd like, but, other than that, you'll have to use plaintext passwords. It's just the nature of the beast.

--Mike

James Taylor wrote:
> Hi,
>
> I am trying to secure my wireless connections using PEAP-TLS MSChapv2 to
> authenticate users against my Linux /etc/shadow; /etc/password/; and
> /etc/group files. I would like to use PAM but UNIX will work too. I do
> not want to use the USERS file as it stores passwords in clear text and
> that is what we are trying to avoid.
>
> All my tests conclude that this functionality will not work. I am able
> to Auth just fine using the USERS file with a username and password.
>
> Any info or direction would be greatly appreciated.
>
> Thank you
>
> James
Re: FreeRadius/PEAP
No - your user database needs to store passwords in plaintext or NTLM. You basically have two options: use a TTLS supplicant instead (such as wpa_supplicant or SecureW2), or change your user database.

best regards, josh.

James Taylor wrote:
> Am I able to use PEAP to auth to UNIX or PAM instead of mschapv2? Do I do
> this in the EAP.CONF file?
>
> What we are basically trying to do is use FreeRadius to authenticate
> against our current user database on our linux server while still
> maintaining the PEAP-TLS security with wireless. Is that even possible?
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Josh Howlett
> Sent: Thursday, October 13, 2005 2:25 PM
> To: FreeRadius users mailing list
> Subject: Re: FreeRadius/PEAP
>
> James,
>
> MSChapv2 needs plaintext or NTLM credentials. You won't be able to do
> what you're trying. It works with users file because you specify the
> plaintext.
>
> josh.
>
> James Taylor wrote:
>> Hi,
>>
>> I am trying to secure my wireless connections using PEAP-TLS MSChapv2 to
>> authenticate users against my Linux /etc/shadow; /etc/password/; and
>> /etc/group files. I would like to use PAM but UNIX will work too. I do
>> not want to use the USERS file as it stores passwords in clear text and
>> that is what we are trying to avoid.
>>
>> All my tests conclude that this functionality will not work. I am able
>> to Auth just fine using the USERS file with a username and password.
>>
>> Any info or direction would be greatly appreciated.
>>
>> Thank you
>>
>> James
Re: FreeRadius/PEAP
I have everything working with the users file. Josh, do you think if I have the sambaNTpassword attribute in my ldap (I use ldap for authenticating users) with the ntlm credential it could work?

Yuri

On 10/13/05, Josh Howlett <[EMAIL PROTECTED]> wrote:
> James,
>
> MSChapv2 needs plaintext or NTLM credentials. You won't be able to do
> what you're trying. It works with users file because you specify the
> plaintext.
>
> josh.
>
> James Taylor wrote:
>> Hi,
>>
>> I am trying to secure my wireless connections using PEAP-TLS MSChapv2 to
>> authenticate users against my Linux /etc/shadow; /etc/password/; and
>> /etc/group files. I would like to use PAM but UNIX will work too. I do
>> not want to use the USERS file as it stores passwords in clear text and
>> that is what we are trying to avoid.
>>
>> All my tests conclude that this functionality will not work. I am able
>> to Auth just fine using the USERS file with a username and password.
>>
>> Any info or direction would be greatly appreciated.
>>
>> Thank you
>>
>> James

--
Yuri Francalacci
[EMAIL PROTECTED]
RE: FreeRadius/PEAP
Am I able to use PEAP to auth to UNIX or PAM instead of mschapv2? Do I do this in the EAP.CONF file?

What we are basically trying to do is use FreeRadius to authenticate against our current user database on our linux server while still maintaining the PEAP-TLS security with wireless. Is that even possible?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Josh Howlett
Sent: Thursday, October 13, 2005 2:25 PM
To: FreeRadius users mailing list
Subject: Re: FreeRadius/PEAP

James,

MSChapv2 needs plaintext or NTLM credentials. You won't be able to do what you're trying. It works with users file because you specify the plaintext.

josh.

James Taylor wrote:
> Hi,
>
> I am trying to secure my wireless connections using PEAP-TLS MSChapv2 to
> authenticate users against my Linux /etc/shadow; /etc/password/; and
> /etc/group files. I would like to use PAM but UNIX will work too. I do
> not want to use the USERS file as it stores passwords in clear text and
> that is what we are trying to avoid.
>
> All my tests conclude that this functionality will not work. I am able
> to Auth just fine using the USERS file with a username and password.
>
> Any info or direction would be greatly appreciated.
>
> Thank you
>
> James
Re: FreeRadius/PEAP
James,

MSChapv2 needs plaintext or NTLM credentials. You won't be able to do what you're trying. It works with users file because you specify the plaintext.

josh.

James Taylor wrote:
> Hi,
>
> I am trying to secure my wireless connections using PEAP-TLS MSChapv2 to
> authenticate users against my Linux /etc/shadow; /etc/password/; and
> /etc/group files. I would like to use PAM but UNIX will work too. I do
> not want to use the USERS file as it stores passwords in clear text and
> that is what we are trying to avoid.
>
> All my tests conclude that this functionality will not work. I am able
> to Auth just fine using the USERS file with a username and password.
>
> Any info or direction would be greatly appreciated.
>
> Thank you
>
> James
Re: FreeRADIUS + PEAP
"Gustafson, Tim" <[EMAIL PROTECTED]> wrote:
> FreeRADIUS does get the authentication requests, but it
> seems that I've done something wrong and the requests are not being
> authenticated properly. Here's what I get in my FreeRADIUS log:

That's nice. Did you try running it in debugging mode as suggested in the README, INSTALL, FAQ, and daily on this list?

> Fri Mar 4 13:11:41 2005 : Auth: Login incorrect: [EMAIL PROTECTED]/ User-Password attribute>] (from client wireless.meitech.com port 9 cli
> 000b7d0fa264)
>
> Why is there no username attribute?

I have no idea why you would ask that. Perhaps you could try reading the log message again.

> I have configured the Windows XP workstation to use PEAP and it asks
> me for my login name and password, which I entered, but it seems
> that the password attribute is not being sent to FreeRADIUS, or
> maybe it's being sent in a way that FreeRADIUS isn't understanding?

When PEAP is used, the password is not sent to the server directly, so the server can't print it in a log message.

> My wireless users are connecting using login names and passwords,
> not certificates, but I think that eap needs certificates anyhow,
> correct?

No.

Alan DeKok.
Re: freeRadius, PEAP, MSCHAP, Segment Fault(coredump)
[EMAIL PROTECTED] wrote:
> I tried the configure switch and got another Segment Fault(coredump).

If you look, you'll probably see the same problem.

Delete ALL of the previously installed FreeRADIUS binaries and libraries. Then re-configure and re-make.

Alan DeKok.
Re: freeRadius, PEAP, MSCHAP, Segment Fault(coredump)
[EMAIL PROTECTED] wrote:
>> This is my second try at this post; the first was too long. I read the
>> archives and then attempted to
>> configure freeRadius using PEAP MSCHAP. After some initial success I am
>> stuck with a Segment Fault(coredump).

Alan Dekok wrote:
> It's another stupid bug in libltdl. The fix is to do:
>
> $ configure --disable-shared
> $ make
> $ make install
>
> Alan DeKok.

I tried the configure switch and got another Segment Fault(coredump). Is there other debug information that is useful for resolving this problem?

Thanks,

John Gauntt
[EMAIL PROTECTED]
Re: freeRadius, PEAP, MSCHAP, Segment Fault(coredump)
[EMAIL PROTECTED] wrote:
> This is my second try at this post; the first was too long. I read the
> archives and then attempted to
> configure freeRadius using PEAP MSCHAP. After some initial success I am
> stuck with a Segment Fault(coredump).

It's another stupid bug in libltdl. The fix is to do:

$ configure --disable-shared
$ make
$ make install

Alan DeKok.
Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client
"Hand, Chris" <[EMAIL PROTECTED]> wrote:
> I'm still not seeing it.

If it's listed in the "authorize" section, it will be printed out in debugging mode. Are you willing to provide debug logs?

> Let's start over. What is the best way of authenticating users to an
> NT domain over PEAP? Am I even on the right track?

ntlm_auth. It works, and other people have gotten it to work. The issue now becomes poking your configuration so that it works.

Alan DeKok.
RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client
I'm still not seeing it.

Let's start over. What is the best way of authenticating users to an NT domain over PEAP? Am I even on the right track?

Chris Hand

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Tuesday, August 24, 2004 10:51 AM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

"Hand, Chris" <[EMAIL PROTECTED]> wrote:
> Yes, I am using the ntdomain realm. However, I do not see it show up in
> the debugging output. Do I need to do anything other than list
> "ntdomain" in the 'authorize' section to make freeradius use it?

If it's listed there, you should see it printed out in debugging mode. Try listing it immediately after "preprocess", and double-checking the debug output.

Alan DeKok.
Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client
"Hand, Chris" <[EMAIL PROTECTED]> wrote:
> Yes, I am using the ntdomain realm. However, I do not see it show up in
> the debugging output. Do I need to do anything other than list
> "ntdomain" in the 'authorize' section to make freeradius use it?

If it's listed there, you should see it printed out in debugging mode. Try listing it immediately after "preprocess", and double-checking the debug output.

Alan DeKok.
RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client
Yes, I am using the ntdomain realm. However, I do not see it show up in the debugging output. Do I need to do anything other than list "ntdomain" in the 'authorize' section to make freeradius use it?

Chris Hand

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Monday, August 23, 2004 5:19 PM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

"Hand, Chris" <[EMAIL PROTECTED]> wrote:
> Exactly... The username is not getting fed into ntlm_auth. It seems that
> the stripping of the domain from the username is not working.

Are you using the "ntdomain" realm, as given in radiusd.conf? Are you running it in debugging mode, to see that the "ntdomain" realm is working?

Alan DeKok.
Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client
"Hand, Chris" <[EMAIL PROTECTED]> wrote:
> Exactly... The username is not getting fed into ntlm_auth. It seems that
> the stripping of the domain from the username is not working.

Are you using the "ntdomain" realm, as given in radiusd.conf? Are you running it in debugging mode, to see that the "ntdomain" realm is working?

Alan DeKok.
RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client
Exactly... The username is not getting fed into ntlm_auth. It seems that the stripping of the domain from the username is not working. If I use --username=%{User-Name}, then it feeds 'MI\\chand' to ntlm_auth.

-Chris Hand

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Monday, August 23, 2004 4:36 PM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

"Hand, Chris" <[EMAIL PROTECTED]> wrote:
>> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MI
>> --username= --challenge=3d66c96d9aa150e6
>> --nt-response=c97090b4f7aeeac3ea2a98e24daf1fdac43f626658cbe463
>> Exec-Program-Wait: plaintext: Logon failure (0xc06d)

Where's the username?

Alan DeKok.
Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client
"Hand, Chris" <[EMAIL PROTECTED]> wrote:
>> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MI
>> --username= --challenge=3d66c96d9aa150e6
>> --nt-response=c97090b4f7aeeac3ea2a98e24daf1fdac43f626658cbe463
>> Exec-Program-Wait: plaintext: Logon failure (0xc06d)

Where's the username?

Alan DeKok.
RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client
I retyped the config. That is a typo. It should be '--challenge'.

-Chris

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Bender
Sent: Monday, August 23, 2004 4:01 PM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

Did you cut and paste or type the lines from your config file? According to the config file ntlm_auth has the argument '--challence', but the debug output has the argument '--challenge'.

Hand, Chris wrote:
> I am trying to set up 802.1x on our network and I would like the users
> to be able to use their current Active Directory credentials.
>
> I need the AD domain to be stripped from the username so that I can feed
> it to ntlm_auth. I am using a Windows XP Pro client and Windows 2003
> server.
>
> Here is part of my config file.
>
> Modules {
>     realm ntdomain {
>         format = prefix
>         delimiter = "\\"
>         ignore_default = no
>         ignore_null = no
>     }
>
>     eap {
>         default_eap_type = peap
>         timer_expire = 60
>         ignore_unknown_eap_types = no
>         cisco_accounting_username_bug = yes
>         tls {
>             private_key_password = whatever
>             private_key_file = ${raddbdir}/certs/cert-srv.pem
>             certificate_file = ${raddbdir}/certs/cert-srv.pem
>             CA_file = ${raddbdir}/certs/demoCA/cacert.pem
>             dh_file = ${raddbdir}/certs/dh
>             random_file = ${raddbdir}/certs/random
>             fragment_size = 1024
>             include_length = yes
>         }
>         peap {
>             default_eap_type = mschapv2
>         }
>         mschapv2 {
>         }
>     }
>
>     mschap {
>         authtype = MS-CHAP
>         with_ntdomain_hack = no
>         ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MI /
>             --username=%{Stripped-User-Name} --challence=%{mschap:Challenge:-00} /
>             --nt-response=%{mschap:NT-Response:-00}"
>     }
> }
>
> authorize {
>     preprocess
>     ntdomain
>     eap
>     files
> }
>
> authenticate {
>     Auth-Type MS-CHAP {
>         Mschap
>     }
>     eap
> }
>
> From the debug output:
>
> radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
> radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MI --username= --challenge=3d66c96d9aa150e6 --nt-response=c97090b4f7aeeac3ea2a98e24daf1fdac43f626658cbe463
> Exec-Program-Wait: plaintext: Logon failure (0xc06d)
> Exec-Program: returned: 1
>
> If I try ntlm_auth manually, it works fine:
>
> [EMAIL PROTECTED] raddb]# ntlm_auth --requeset-nt-key --domain=MI / --username=chand
> password:
> NT_STATUS_OK: Success (0x0)
>
> Has anyone successfully used freeradius to authenticate against Active
> Directory (Windows 2003)?
>
> Chris Hand
> Network Engineer
> [EMAIL PROTECTED]
Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client
Did you cut and paste or type the lines from your config file? According to the config file ntlm_auth has the argument '--challence', but the debug output has the argument '--challenge'.

Hand, Chris wrote:
> I am trying to set up 802.1x on our network and I would like the users
> to be able to use their current Active Directory credentials.
>
> I need the AD domain to be stripped from the username so that I can feed
> it to ntlm_auth. I am using a Windows XP Pro client and Windows 2003
> server.
>
> Here is part of my config file.
>
> Modules {
>     realm ntdomain {
>         format = prefix
>         delimiter = "\\"
>         ignore_default = no
>         ignore_null = no
>     }
>
>     eap {
>         default_eap_type = peap
>         timer_expire = 60
>         ignore_unknown_eap_types = no
>         cisco_accounting_username_bug = yes
>         tls {
>             private_key_password = whatever
>             private_key_file = ${raddbdir}/certs/cert-srv.pem
>             certificate_file = ${raddbdir}/certs/cert-srv.pem
>             CA_file = ${raddbdir}/certs/demoCA/cacert.pem
>             dh_file = ${raddbdir}/certs/dh
>             random_file = ${raddbdir}/certs/random
>             fragment_size = 1024
>             include_length = yes
>         }
>         peap {
>             default_eap_type = mschapv2
>         }
>         mschapv2 {
>         }
>     }
>
>     mschap {
>         authtype = MS-CHAP
>         with_ntdomain_hack = no
>         ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MI /
>             --username=%{Stripped-User-Name} --challence=%{mschap:Challenge:-00} /
>             --nt-response=%{mschap:NT-Response:-00}"
>     }
> }
>
> authorize {
>     preprocess
>     ntdomain
>     eap
>     files
> }
>
> authenticate {
>     Auth-Type MS-CHAP {
>         Mschap
>     }
>     eap
> }
>
> From the debug output:
>
> radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
> radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MI --username= --challenge=3d66c96d9aa150e6 --nt-response=c97090b4f7aeeac3ea2a98e24daf1fdac43f626658cbe463
> Exec-Program-Wait: plaintext: Logon failure (0xc06d)
> Exec-Program: returned: 1
>
> If I try ntlm_auth manually, it works fine:
>
> [EMAIL PROTECTED] raddb]# ntlm_auth --requeset-nt-key --domain=MI / --username=chand
> password:
> NT_STATUS_OK: Success (0x0)
>
> Has anyone successfully used freeradius to authenticate against Active
> Directory (Windows 2003)?
>
> Chris Hand
> Network Engineer
> [EMAIL PROTECTED]
Re: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....
"Dourty, Brian R. (IATS)" <[EMAIL PROTECTED]> wrote:
> I patched the rlm_mschap.c file (attached). I pulled code from
> rlm_preprocess.c that handles the with_ntdomain_hack and modified it to
> work.

Similar code already existed in rlm_mschap.c. The fix was 1 line.

> The user_name argument being passed to challenge_hash() function
> now honors the with_ntdomain_hack but my problem still exists. :-(
> Back to the drawing board.

Hmm... you hacked the User-Name attribute, which isn't generally a good idea.

Try the CVS snapshot tomorrow, or grab the latest via anonymous cvs.

Alan DeKok.
RE: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....
I patched the rlm_mschap.c file (attached). I pulled code from rlm_preprocess.c that handles the with_ntdomain_hack and modified it to work. The user_name argument being passed to the challenge_hash() function now honors the with_ntdomain_hack but my problem still exists. :-( Back to the drawing board.

Brian D.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> Behalf Of Alan DeKok
> Sent: Monday, May 03, 2004 1:07 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question
>
> "Dourty, Brian R. (IATS)" <[EMAIL PROTECTED]> wrote:
>> To clarify things here, the --domain and --username arguments are
>> right, but the --challenge argument is incorrect.
>
> Ah, OK.
>
>> The username being used in this function still contains the DOMAIN!
>> This is what is keeping the auth from working. I've added debug
>> statements to my code. It's using the domain/user. This won't work.
>
> Then the "with_ntdomain_hack" should be set...
>
>> I can't change the client. I can change freeradius. The client
>> presents freeradius with a domain/username. We all know that is the case.
>
> Yes, that's a problem. The client is *lying* to FreeRADIUS.
>
>> The challenge and nt-response are both hashes based in part on the
>> username. The username that freeradius uses when it generates these
>> hashes is the full username, not the stripped username. This is what
>> is causing my problem.
>>
>> Now, the question is how to go about fixing the problem.
>
> Theoretically, using "with_ntdomain_hack" should help.
>
> Hmm... the code you pointed out does appear to ignore
> "with_ntdomain_hack". I'll fix that. See tomorrow's CVS snapshot.
>
> Alan DeKok.

with_ntdomain_hack.patch
Description: with_ntdomain_hack.patch
Re: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....
"Dourty, Brian R. (IATS)" <[EMAIL PROTECTED]> wrote:
> To clarify things here, the --domain and --username arguments are right,
> but the --challenge argument is incorrect.

Ah, OK.

> The username being used in this function still contains the DOMAIN! This
> is what is keeping the auth from working. I've added debug statements to
> my code. It's using the domain/user. This won't work.

Then the "with_ntdomain_hack" should be set...

> I can't change the client. I can change freeradius. The client presents
> freeradius with a domain/username. We all know that is the case.

Yes, that's a problem. The client is *lying* to FreeRADIUS.

> The challenge and nt-response are both hashes based in part on the
> username. The username that freeradius uses when it generates these
> hashes is the full username, not the stripped username. This is what is
> causing my problem.
>
> Now, the question is how to go about fixing the problem.

Theoretically, using "with_ntdomain_hack" should help.

Hmm... the code you pointed out does appear to ignore "with_ntdomain_hack". I'll fix that. See tomorrow's CVS snapshot.

Alan DeKok.
RE: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....
> "Dourty, Brian R. (IATS)" <[EMAIL PROTECTED]> wrote:
>> Ok, but isn't the "with_ntdomain_hack = yes" directive in the
>> radiusd.conf file supposed to correct this behavior?
>
> Theoretically, yes. But when you're calling ntlm_auth, the
> "with_ntdomain_hack" isn't being used. Why would it? You're
> passing the exact attributes you want to ntlm_auth. If you
> don't like the attributes, change them. Why would we need
> another configuration option to do the same thing?
>
>> So now my args for ntlm_auth are right, but I think something is up
>> with mschap still.
>
> If the arguments to ntlm_auth are right, then it should work.

To clarify things here, the --domain and --username arguments are right, but the --challenge argument is incorrect.

I'm looking at the code in rlm_mschap.c. I believe this is the code that creates the value for the --challenge argument for ntlm_auth. It is my understanding that this is a hash created with this code:

    challenge_hash(response->strvalue + 2, chap_challenge->strvalue, user_name->strvalue, buffer);

The username being used in this function still contains the DOMAIN! This is what is keeping the auth from working. I've added debug statements to my code. It's using the domain/user. This won't work.

>> When the Challenge or Response message is generated is it still trying
>> to use domain/user as the username?
>
> Ask the client, not FreeRADIUS.

I can't change the client. I can change freeradius. The client presents freeradius with a domain/username. We all know that is the case.

> And when you're using ntlm_auth, *you* configure it to use
> "domain\user", or just "user". So to answer your question on
> FreeRADIUS's side, go back and read your configuration.
>
>> I'm confused on this point. When PEAP identity is set to username my
>> auths work. When the PEAP identity is of the form domain/user MSCHAP
>> fails.
>
> Yes. This is the problem. But it has nothing to do with PEAP.

You are right, it has nothing to do with PEAP. Freeradius gets what the client gives it. The problem occurs in the mschap module.

> There's no point trying to configure FreeRADIUS to do the "right"
> thing, when you don't even know what the "right" thing is.
> Find that out first, and THEN configure the server.

I know what the right thing is. In order for ntlm_auth to return OK all of its arguments have to be right. When a client is set up to send domain/user instead of just user things break down in the MSCHAP module.

The NTLM_AUTH function takes 4 arguments from freeradius. They are as follows:

    --domain %{Realm}
    --username %{Stripped-User-Name}
    --challenge %{mschap:Challenge:-00}
    --nt-response %{mschap:NT-Response:-00}

The challenge and nt-response are both hashes based in part on the username. The username that freeradius uses when it generates these hashes is the full username, not the stripped username. This is what is causing my problem.

Now, the question is how to go about fixing the problem.

Brian D.
Re: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....
"Dourty, Brian R. (IATS)" <[EMAIL PROTECTED]> wrote:
> Ok, but isn't the "with_ntdomain_hack = yes" directive in the
> radiusd.conf file supposed to correct this behavior?

Theoretically, yes. But when you're calling ntlm_auth, the "with_ntdomain_hack" isn't being used. Why would it? You're passing the exact attributes you want to ntlm_auth. If you don't like the attributes, change them. Why would we need another configuration option to do the same thing?

> So now my args for ntlm_auth are right, but I think something is up with
> mschap still.

If the arguments to ntlm_auth are right, then it should work.

> When the Challenge or Response message is generated is it
> still trying to use domain/user as the username?

Ask the client, not FreeRADIUS.

And when you're using ntlm_auth, *you* configure it to use "domain\user", or just "user". So to answer your question on FreeRADIUS's side, go back and read your configuration.

> I'm confused on this point. When PEAP identity is set to username my
> auths work. When the PEAP identity is of the form domain/user MSCHAP
> fails.

Yes. This is the problem. But it has nothing to do with PEAP.

> Am I wrong in thinking that with the correct configuration Freeradius
> will allow me to have users from all trusted domains use the MSCHAP
> module for 802.1x auth? Where am I going wrong?

Yes. I don't know where you're going wrong. It may be the client.

You have debug output which runs ntlm_auth. Try cutting & pasting those commands into the command-line, and running them there. Play games with "domain\user" and "users", until you get something that works.

There's no point trying to configure FreeRADIUS to do the "right" thing, when you don't even know what the "right" thing is. Find that out first, and THEN configure the server.

Alan DeKok.
RE: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....
> "Dourty, Brian R. (IATS)" <[EMAIL PROTECTED]> wrote:
>> 1. Keeping in mind that user1 in domain1 can auth as long as domain1
>> isn't supplied why does supplying domain1 cause the auth to fail?
>
> Because the MS client does the MS-CHAP calculations using
> the username without the domain, but supplies the username to
> the RADIUS server WITH the domain.
>
> See the list archives for more explanations.

Ok, but isn't the "with_ntdomain_hack = yes" directive in the radiusd.conf file supposed to correct this behavior?

    # Windows sends us a username in the form of
    # DOMAIN\user, but sends the challenge response
    # based on only the user portion. This hack
    # corrects for that incorrect behavior.

>> 2. What does preprocess do with the realm it strips off? I'd like to be
>> able to pass the realm as a --domain option to ntlm_auth.
>
> Read the debug log. It adds it as an attribute.

Ah yes, I see that now. The new attribute is called Realm so the line in radiusd.conf is now:

    ntlm_auth = "/usr/bin/ntlm_auth --domain=%{Realm} --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

So now my args for ntlm_auth are right, but I think something is up with mschap still. When the Challenge or Response message is generated is it still trying to use domain/user as the username?

>> 3. Why does PEAP think the username is still domain/user? I see the
>> following in the logs while running "radius -X -A"
>>
>> PEAP: Setting User-Name to UMC-USERS\dourtyb
>
> Because that's the name in the EAP identity packet. Read
> the debug log, it says this.
>
>> Should it be using Stripped-User-Name instead?
>
> No.

I'm confused on this point. When PEAP identity is set to username my auths work. When the PEAP identity is of the form domain/user MSCHAP fails.

Am I wrong in thinking that with the correct configuration Freeradius will allow me to have users from all trusted domains use the MSCHAP module for 802.1x auth? Where am I going wrong?

Thanks!

Brian Dourty
IAT Services
University of Columbia - Missouri
Re: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....
"Dourty, Brian R. (IATS)" <[EMAIL PROTECTED]> wrote:
> 1. Keeping in mind that user1 in domain1 can auth as long as domain1
> isn't supplied why does supplying domain1 cause the auth to fail?

  Because the MS client does the MS-CHAP calculations using the username without the domain, but supplies the username to the RADIUS server WITH the domain.

  See the list archives for more explanations.

> 2. What does preprocess do with the realm it strips off? I'd like to be able
> to pass the realm as a --domain option to ntlm_auth.

  Read the debug log. It adds it as an attribute.

> 3. Why does PEAP think the username is still domain/user? I see the
> following in the logs while running "radius -X -A"
>
> PEAP: Setting User-Name to UMC-USERS\dourtyb

  Because that's the name in the EAP identity packet. Read the debug log, it says this.

> Should it be using Stripped-User-Name instead?

  No.

  Alan DeKok.
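The mismatch Alan describes (the Windows client hashes the challenge with the bare user name but identifies itself as DOMAIN\user) can be reproduced offline. The following is an added example, not code from the FreeRADIUS project or from anyone in the thread: it implements the ChallengeHash step of RFC 2759 section 8.2, the domain stripping that "with_ntdomain_hack" applies before the MS-CHAP calculation, and a model of how the ntlm_auth line quoted in Brian's message expands. The Realm / Stripped-User-Name split is an assumption taken from what the thread reports the preprocess module doing; the sample input is the published RFC 2759 section 9.2 test vector, and the domain name UMC-USERS is the one from the thread.

```python
"""Why "DOMAIN\\user" and "user" give different MS-CHAPv2 challenge hashes.

Added example, not FreeRADIUS code: the ChallengeHash step of RFC 2759
section 8.2, the domain stripping that with_ntdomain_hack performs, and
a model of the ntlm_auth argument expansion quoted in the thread.
"""
import hashlib
from typing import List, Optional, Tuple

# RFC 2759 section 9.2 test vector (published values, not constructed here).
RFC2759_USER = "User"
RFC2759_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC2759_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC2759_CHALLENGE = bytes.fromhex("D02E4386BCE91226")


def split_ntdomain(identity: str) -> Tuple[Optional[str], str]:
    """Split "DOMAIN\\user" into ("DOMAIN", "user"); an identity without a
    backslash comes back as (None, identity). This is the "only the user
    portion" rule that with_ntdomain_hack applies."""
    if "\\" in identity:
        domain, _, user = identity.partition("\\")
        return domain, user
    return None, identity


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash: the first 8 octets of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 octets")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(username.encode("ascii"))  # the 0-to-256-char user name, as in the RFC
    return h.digest()[:8]


def client_challenge(identity: str, peer_challenge: bytes, auth_challenge: bytes) -> bytes:
    """What the Windows supplicant hashes: the bare user name, never the domain."""
    _, user = split_ntdomain(identity)
    return challenge_hash(peer_challenge, auth_challenge, user)


def server_challenge(identity: str, peer_challenge: bytes, auth_challenge: bytes,
                     with_ntdomain_hack: bool) -> bytes:
    """What the verifier hashes. With the hack off it uses the identity exactly
    as received (the failing case in the thread); with it on, the domain is
    stripped first and the result matches the client."""
    username = identity
    if with_ntdomain_hack:
        _, username = split_ntdomain(identity)
    return challenge_hash(peer_challenge, auth_challenge, username)


def ntlm_auth_arguments(identity: str) -> List[str]:
    """Model of the radiusd.conf line quoted in the thread:
        --domain=%{Realm} --username=%{Stripped-User-Name:-%{User-Name:-None}}
    Assumption (as the thread reports): preprocess has split "DOMAIN\\user"
    into Realm and Stripped-User-Name. With no domain, Realm is unset and
    %{Realm} expands to an empty string. Builds the argument list only;
    nothing is executed."""
    domain, user = split_ntdomain(identity)
    return [f"--domain={domain or ''}", f"--username={user}"]


def demo() -> bool:
    """Reproduce the thread's failure: the server hashes DOMAIN\\User when the
    hack is off, and only matches the client once the domain is stripped."""
    identity = "UMC-USERS\\" + RFC2759_USER
    client = client_challenge(identity, RFC2759_PEER_CHALLENGE, RFC2759_AUTH_CHALLENGE)
    without = server_challenge(identity, RFC2759_PEER_CHALLENGE, RFC2759_AUTH_CHALLENGE, False)
    with_hack = server_challenge(identity, RFC2759_PEER_CHALLENGE, RFC2759_AUTH_CHALLENGE, True)
    print("client  :", client.hex())
    print("no hack :", without.hex(), "(mismatch -> MS-CHAP fails)")
    print("hack on :", with_hack.hex(), "(matches)")
    print("ntlm_auth args:", " ".join(ntlm_auth_arguments(identity)))
    return client == with_hack and client != without


if __name__ == "__main__":
    demo()
```

The 8-octet challenge is the value that feeds the DES steps of the NT-Response, so once the two sides disagree on it no password hash will verify; that is why the failure shows up only when the identity carries a domain prefix, and why the fix lives in what the server hashes (or what it passes to ntlm_auth), not in PEAP.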
Re: Freeradius PEAP Problems
"Lionel Gavage" <[EMAIL PROTECTED]> wrote:
> even with this option, the problem is always present!
>
> an idea ?

  Buy a better client?

  The tunneled session MUST include an EAP-Identity packet, which is where the user name comes from. If the client doesn't send it, don't complain that FreeRADIUS is broken. Fix the client.

  The user name is REQUIRED for MS-CHAP, which is what PEAP uses inside of the TLS tunnel. Any client that doesn't send a user name is broken.

  Alan DeKok.
RE: Freeradius PEAP Problems
Sorry it doesn't work :(

Lionel Gavage

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Lionel Gavage
Sent: Monday, 9 February 2004 17:48
To: [EMAIL PROTECTED]
Subject: RE: Freeradius PEAP Problems

Ok thanks Alan, I found it thanks to you.
I added "copy_request_to_tunnel = yes" in the PEAP module and set "default_eap_type = peap" in the EAP module to "default_eap_type = tls"

Thank you

Lionel Gavage
Network Engineer (SeGI/ULg)
Email: [EMAIL PROTECTED]
Tel: +32-4-3664845
Fax: +32-4-3662920
Bat. B26 SeGI
RE: Freeradius PEAP Problems
Ok thanks Alan, I found it thanks to you.
I added "copy_request_to_tunnel = yes" in the PEAP module and set "default_eap_type = peap" in the EAP module to "default_eap_type = tls"

Thank you

Lionel Gavage
Network Engineer (SeGI/ULg)
Email: [EMAIL PROTECTED]
Tel: +32-4-3664845
Fax: +32-4-3662920
Bat. B26 SeGI

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Lionel Gavage
Sent: Monday, 9 February 2004 17:19
To: [EMAIL PROTECTED]
Subject: RE: Freeradius PEAP Problems

I specified: "default_eap_type = peap" in the EAP module ...

Lionel Gavage
Re: Freeradius PEAP Problems
Hi again and sorry if I ask you a lot!!

If you want to send me your radiusd.conf, it will be "very good" for me. So, please send me your file if it's possible.

See you!!

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

----- Original Message -----
From: "Lionel Gavage" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, February 09, 2004 5:31 PM
Subject: RE: Freeradius PEAP Problems

> Hi José,
>
> I use a freeradius snapshot because TTLS isn't in the rpm package.
> You must have the TLS module to use the TTLS module.
>
> The directive "default_eap_type" (in the EAP module) must be set to "tls".
> That's right.
> And the "default_eap_type" (in the TTLS module) to "md5". That's right too.
>
> I can send my config file to you if you want.
>
> Lionel Gavage
RE: Freeradius PEAP Problems
Hi José,

I use a freeradius snapshot because TTLS isn't in the rpm package.
You must have the TLS module to use the TTLS module.

The directive "default_eap_type" (in the EAP module) must be set to "tls". That's right.
And the "default_eap_type" (in the TTLS module) to "md5". That's right too.

I can send my config file to you if you want.

Lionel Gavage

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of José Luis Solano
Sent: Monday, 9 February 2004 17:32
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems

Sorry Lionel!!! Another question.

I have changed my radiusd.conf and I have activated the TTLS module. But now, there are two modules activated, is it a problem?

eap {
        default_eap_type = tls   !!
        timer_expire = 60

        #md5 {
        #}

        tls {
                private_key_password = izadisan
                private_key_file = /usr/local/openssl/ssl/certs/server/server.pem
                certificate_file = /usr/local/openssl/ssl/certs/server/server.pem
                CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt
                dh_file = /usr/local/openssl/ssl/certs/dh
                random_file = /usr/local/openssl/ssl/certs/random
                fragment_size = 600
                include_length = yes
        }

        ttls {
                default_eap_type = md5   !
                use_tunneled_reply = no
        }
}

Is it correct?

My freeRADIUS is 0.8.1, does TTLS run with this version?
For "default_eap_type", is only the md5 value possible?

Thanks again Lionel

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
Re: Freeradius PEAP Problems
Sorry Lionel!!! Another question.

I have changed my radiusd.conf and I have activated the TTLS module. But now, there are two modules activated, is it a problem?

eap {
        default_eap_type = tls   !!
        timer_expire = 60

        #md5 {
        #}

        tls {
                private_key_password = izadisan
                private_key_file = /usr/local/openssl/ssl/certs/server/server.pem
                certificate_file = /usr/local/openssl/ssl/certs/server/server.pem
                CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt
                dh_file = /usr/local/openssl/ssl/certs/dh
                random_file = /usr/local/openssl/ssl/certs/random
                fragment_size = 600
                include_length = yes
        }

        ttls {
                default_eap_type = md5   !
                use_tunneled_reply = no
        }
}

Is it correct?

My freeRADIUS is 0.8.1, does TTLS run with this version?
For "default_eap_type", is only the md5 value possible?

Thanks again Lionel

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

----- Original Message -----
From: "Lionel Gavage" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, February 09, 2004 4:59 PM
Subject: RE: Freeradius PEAP Problems

> Activated the TTLS module:
>
> ttls {
>         default_eap_type = md5
>         use_tunneled_reply = no
> }
>
> and that's all.
>
> Lionel Gavage
RE: Freeradius PEAP Problems
I specified: "default_eap_type = peap" in the EAP module ...

Lionel Gavage

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Lionel Gavage
Sent: Monday, 9 February 2004 16:49
To: [EMAIL PROTECTED]
Subject: RE: Freeradius PEAP Problems

even with this option, the problem is always present!

an idea ?

Lionel Gavage
RE: Freeradius PEAP Problems
Hi José,

If you still have a problem don't hesitate ;)

Lionel Gavage

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of José Luis Solano
Sent: Monday, 9 February 2004 17:17
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems

Thanks Thanks Thanks Thanks a lot Lionel!!!

Good luck with your problem

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
Re: Freeradius PEAP Problems
Thanks Thanks Thanks Thanks a lot Lionel!!!

Good luck with your problem

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

----- Original Message -----
From: "Lionel Gavage" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, February 09, 2004 4:59 PM
Subject: RE: Freeradius PEAP Problems

> Activated the TTLS module:
>
> ttls {
>         default_eap_type = md5
>         use_tunneled_reply = no
> }
>
> and that's all.
>
> Lionel Gavage
RE: Freeradius PEAP Problems
Activated the TTLS module:

ttls {
        default_eap_type = md5
        use_tunneled_reply = no
}

and that's all.

Lionel Gavage

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of José Luis Solano
Sent: Monday, 9 February 2004 17:03
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems

Hi Lionel!!

I would need your help because I use EAP-TLS, EAP-TTLS and PEAP. The first one, TLS, runs OK, but TTLS and PEAP don't run OK. My first target now is to run TTLS and I will run PEAP after. So, can you help me please? Currently, my radiusd.conf is:

# Extensible Authentication Protocol
#
# For all EAP related authentications
eap {
        # Invoke the default supported EAP type when
        # EAP-Identity response is received
        default_eap_type = tls

        # Default expiry time to clean the EAP list,
        # It is maintained to co-relate the
        # EAP-response for each EAP-request sent.
        timer_expire = 60

        # Supported EAP-types
        #md5 {
        #}

        ## EAP-TLS is highly experimental EAP-Type at the moment.
        # Please give feedback on the mailing list.
        tls {
                private_key_password = izadisan
                private_key_file = /usr/local/openssl/ssl/certs/server/server.pem

                # If Private key & Certificate are located in the
                # same file, then private_key_file & certificate_file
                # must contain the same file name.
                certificate_file = /usr/local/openssl/ssl/certs/server/server.pem

                # Trusted Root CA list
                CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt

                dh_file = /usr/local/openssl/ssl/certs/dh
                random_file = /usr/local/openssl/ssl/certs/random
                #
                # This can never exceed MAX_RADIUS_LEN (4096)
                # preferably half the MAX_RADIUS_LEN, to
                # accommodate other attributes in RADIUS packet.
                # On most APs the MAX packet length is configured
                # between 1500 - 1600. In these cases, fragment
                # size should be <= 1024.
                #
                fragment_size = 600

                # include_length is a flag which is by default set to yes
                # If set to yes, Total Length of the message is included
                # in EVERY packet we send.
                # If set to no, Total Length of the message is included
                # ONLY in the First packet of a fragment series.
                #
                include_length = yes
        }
}
--

What changes do I need to use TTLS?

Thanks in advance Lionel!!!

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
Re: Freeradius PEAP Problems
Hi Lionel!!

I would need your help because I use EAP-TLS, EAP-TTLS and PEAP. The first one, TLS, runs OK, but TTLS and PEAP don't run OK. My first target now is to run TTLS and I will run PEAP after. So, can you help me please? Currently, my radiusd.conf is:

# Extensible Authentication Protocol
#
# For all EAP related authentications
eap {
        # Invoke the default supported EAP type when
        # EAP-Identity response is received
        default_eap_type = tls

        # Default expiry time to clean the EAP list,
        # It is maintained to co-relate the
        # EAP-response for each EAP-request sent.
        timer_expire = 60

        # Supported EAP-types
        #md5 {
        #}

        ## EAP-TLS is highly experimental EAP-Type at the moment.
        # Please give feedback on the mailing list.
        tls {
                private_key_password = izadisan
                private_key_file = /usr/local/openssl/ssl/certs/server/server.pem

                # If Private key & Certificate are located in the
                # same file, then private_key_file & certificate_file
                # must contain the same file name.
                certificate_file = /usr/local/openssl/ssl/certs/server/server.pem

                # Trusted Root CA list
                CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt

                dh_file = /usr/local/openssl/ssl/certs/dh
                random_file = /usr/local/openssl/ssl/certs/random
                #
                # This can never exceed MAX_RADIUS_LEN (4096)
                # preferably half the MAX_RADIUS_LEN, to
                # accommodate other attributes in RADIUS packet.
                # On most APs the MAX packet length is configured
                # between 1500 - 1600. In these cases, fragment
                # size should be <= 1024.
                #
                fragment_size = 600

                # include_length is a flag which is by default set to yes
                # If set to yes, Total Length of the message is included
                # in EVERY packet we send.
                # If set to no, Total Length of the message is included
                # ONLY in the First packet of a fragment series.
                #
                include_length = yes
        }
}
--

What changes do I need to use TTLS?

Thanks in advance Lionel!!!

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

----- Original Message -----
From: "Lionel Gavage" <[EMAIL PROTECTED]>
To: "freeradius-users" <[EMAIL PROTECTED]>
Sent: Monday, February 09, 2004 4:23 PM
Subject: Freeradius PEAP Problems

> Hi,
>
> I use FreeRadius snapshot 20040129 with EAP/TLS EAP/TTLS and EAP/PEAP.
> I try to set up PEAP/MS-CHAPv2 but I've the error "rlm_mschap: We require a
> User-Name for MS-CHAPv2".
> However I am sending a login/pass correctly. I use Aegis Client under Windows XP.
>
> Extract of the log:
>
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate for request 6
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/mschapv2
>   rlm_eap: processing type mschapv2
> modcall: entering group Auth-Type for request 6
>   rlm_mschap: We require a User-Name for MS-CHAPv2
> modcall[authenticate]: module "mschap" returns invalid for request 6
> modcall: group Auth-Type returns invalid for request 6
>   rlm_eap: Freeing handler
> modcall[authenticate]: module "eap" returns reject for request 6
> modcall: group authenticate returns reject for request 6
> auth: Failed to validate the user.
>   PEAP: Got tunneled reply RADIUS code 3
>         EAP-Message = 0x04080004
>         Message-Authenticator = 0x
>   PEAP: Tunneled authentication was rejected.
>   rlm_eap_peap: FAILURE
> modcall[authenticate]: module "eap" returns handled for request 6
> modcall: group authenticate returns handled for request 6
> Sending Access-Challenge of id 179 to 139.165.212.248:21648
>         EAP-Message = 0x0109004819001703010018ac414f6ecefb1195938be450e38551daade29cc502427c8d17030100200deeb0441302502f9721238326439a05db8a1f2e0974378092c076a44c9297b4
>         Message-Authenticator = 0x
>         State = 0x13eb44c46fbe30f082eaf7522f3c315e
> Finished request 6
> Going to the next request
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 139.165.212.248:21648, id=180, length=168
>         User-Name = "lga"
>         Framed-MTU = 1400
>         Called-Station-Id = "000c.304f.75da"
>         Calling-Station-Id = "000c
RE: Freeradius PEAP Problems
even with this option, the problem is always present!

an idea ?

Lionel Gavage

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Alan DeKok
Sent: Monday, 9 February 2004 16:45
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems

"Lionel Gavage" <[EMAIL PROTECTED]> wrote:
> I use FreeRadius snapshot 20040129 with EAP/TLS EAP/TTLS and EAP/PEAP.
> I try to set up PEAP/MS-CHAPv2 but I've the error "rlm_mschap: We require a
> User-Name for MS-CHAPv2".
> However I am sending a login/pass correctly. I use Aegis Client under Windows XP.

  Look again. The tunneled authentication session doesn't have a username.

  You can set "copy_request_to_tunnel = yes" in the PEAP module. That should help.

  Alan DeKok.
Re: Freeradius PEAP Problems
"Lionel Gavage" <[EMAIL PROTECTED]> wrote:
> I use FreeRadius snapshot 20040129 with EAP/TLS EAP/TTLS and EAP/PEAP.
> I try to set up PEAP/MS-CHAPv2 but I've the error "rlm_mschap: We require a
> User-Name for MS-CHAPv2".
> However I am sending a login/pass correctly. I use Aegis Client under Windows XP.

  Look again. The tunneled authentication session doesn't have a username.

  You can set "copy_request_to_tunnel = yes" in the PEAP module. That should help.

  Alan DeKok.