Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory

2011-07-27 Thread m4xmr
Hi,
have you found a solution or a workaround?
I have the same problem you experienced.
I configured freeradius to "talk" with LDAP on Mac but in the end I realized
that the clear-text password of the LDAP user isn't saved in the userPassword
field.
OpenDirectory doesn't use that field and implements the authentication through
Kerberos.
I've just recompiled freeradius with the rlm_opendirectory module enabled
and now I'm experiencing the problem you were talking about... I suppose I
have to install freeradius on the same machine as OpenDirectory.
I'm pretty upset about it... it's a little odd.
Have you got some useful information about it?

Let me know, please.

Max

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Freeradius-PEAP-MSCHAPv2-against-Apple-OpenDirectory-tp2787113p4637821.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius + PEAP/EAP-MSCHAPv2 + AD 2008

2011-03-18 Thread Alan Buxey
Hi,

>I've followed the following howto :
>[1]http://deployingradius.com/documents/configuration/active_directory.html
>and everything goes fine with the radtest, wbinfo, ntlm_auth and my user
>is correctly authentified.

my first question is why such an old version of FreeRADIUS if you are
only just starting out?  2.1.10 has a LOT of bug fixes compared to the
very old 2.1.7 version...dated 14 September 2009, 2.1.7 came out before Windows 
7 (*)

Win7 is also VERY fussy about certs. Have you installed the CA cert
that your RADIUS server is signed with? I know you haven't ticked the validate
button..but Win7 is fussy(!)


alan

(*) release to manufacturing was July 2009, release to retail was October 2009 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius+peap+mschap+AD

2010-04-26 Thread Aniss Nazerian
Hi,

This is what I get.
--
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for usern...@domain.xx with NT-Password
[mschap]expand: %{Stripped-User-Name} -> username
[mschap]expand:
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}} ->
--username=username
[mschap] No NT-Domain was found in the User-Name.
[mschap]expand: %{mschap:NT-Domain} ->
[mschap]expand: --domain=%{%{mschap:NT-Domain}:-DOMAIN.XX} ->
--domain=LNU.SE
[mschap]  mschap2: 67
[mschap]expand: --challenge=%{mschap:Challenge:-00} ->
--challenge=756cc36d609e7393
[mschap]expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=29dbc4dc525dd28cac668e57a0d85803996301a054d782fb
Exec-Program output: NT_KEY: A67F6D31D2596CD536AD173AE3DBD480
Exec-Program-Wait: plaintext: NT_KEY: A67F6D31D2596CD536AD173AE3DBD480
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
---

I'm using WPA2-enterprise (tried WPA-ent too)
I've tried both PEAP/MSCHAPv2 and EAP-TTLS/MSCHAPv2 and the CA-cert is
used on the client.


On 2010-04-26 15:37, Alan Buxey wrote:
> Hi,
> 
>> Info: ++[mschap] returns ok
>> Debug: MSCHAP Success
>> 
>> So i assume that the auth. against AD is OK
> 
> not if you haven't done the EAP inner-tunnel stuff yet - unless you mean
> basic authorize has completed.
> 
>> but then the inner tunnel does something
> 
> well, it tries to
> 
>> Mon Apr 26 12:32:15 2010 : Info: [peap] Got tunneled Access-Challenge
>> Mon Apr 26 12:32:15 2010 : Info: ++[eap] returns handled
>> Sending Access-Challenge of id 0 to 194.47.88.154 port 2051
>> EAP-Message =
>> 0x0107005b19001703010050154c3b195ed5a3fa88fd21477529cf86ee7d1d98cf8eb918036ac8aa14cd6f8c66a1836e9ab27087ad7df766d20447dbce1247b6a9ccf6b4376d854978db210db60f9b3578592123a4c5d43a205e8f79
>> Message-Authenticator = 0x
>> State = 0x3b975d133d90441898602b7c0076958a
> 
> it sends a challenge back to the NAS/AP - but nothing else is happening.
> so, either the NAS or the client.  how have you got the AP set up? 802.1X or
> WPA-Enterprise? how is the client configured?  to use PEAP/MSCHAPv2 or 
> EAP-TTLS/MSCHAPv2?
> got the required certificate installed on the client?
> 
> alan
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-- 
Aniss Nazerian, IT-Department, Linnaeus University
Phone: +46-470-708183, E-mail:aniss.nazer...@vxu.se

O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius+peap+mschap+AD

2010-04-26 Thread Alan Buxey
Hi,

> Info: ++[mschap] returns ok
> Debug: MSCHAP Success
> 
> So i assume that the auth. against AD is OK

not if you haven't done the EAP inner-tunnel stuff yet - unless you mean
basic authorize has completed.

> but then the inner tunnel does something

well, it tries to

> Mon Apr 26 12:32:15 2010 : Info: [peap] Got tunneled Access-Challenge
> Mon Apr 26 12:32:15 2010 : Info: ++[eap] returns handled
> Sending Access-Challenge of id 0 to 194.47.88.154 port 2051
> EAP-Message =
> 0x0107005b19001703010050154c3b195ed5a3fa88fd21477529cf86ee7d1d98cf8eb918036ac8aa14cd6f8c66a1836e9ab27087ad7df766d20447dbce1247b6a9ccf6b4376d854978db210db60f9b3578592123a4c5d43a205e8f79
> Message-Authenticator = 0x
> State = 0x3b975d133d90441898602b7c0076958a

it sends a challenge back to the NAS/AP - but nothing else is happening.
so, either the NAS or the client.  how have you got the AP set up? 802.1X or
WPA-Enterprise? how is the client configured?  to use PEAP/MSCHAPv2 or 
EAP-TTLS/MSCHAPv2?
got the required certificate installed on the client?

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius + PEAP.. stuck on validating identity..

2010-04-01 Thread Alan DeKok
Bruno Kremel wrote:
> I am posting the full log; the first is radtest accepted and the others are
> failed logins from a wifi client with 2 different accounts...
> 
> FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Mar 29
> 2010 at 15:58:09

  You should probably upgrade to 2.1.8.  It has a lot of fixes &&
features over 2.0.4.


> server inner-tunnel {
> +- entering group authorize
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[unix] returns notfound
> rlm_realm: No '@' in User-Name = "123", looking up realm NULL
> rlm_realm: No such realm "NULL"
> ++[suffix] returns noop
> ++[control] returns noop
>   rlm_eap: EAP packet type response id 8 length 62
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop

  And no "sql".  Edit raddb/sites-available/inner-tunnel, and add "sql"
to the "authorize" section.  It's already there, so you likely just have
to uncomment it.

>   rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
>   rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
>   rlm_mschap: Told to do MS-CHAPv2 for 123 with NT-Password
>   rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
>   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

  Yup.  No "known good" password means no authentication.

  You could also try:  http://networkradius.com/freeradius.html

  This lets you cut && paste the debug output into a form.  The response
is a colorized HTML page indicating common errors, and things you should
look into.  It won't catch this problem, but it will highlight the fact
that there was no "known good" password for the user.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius + PEAP.. stuck on validating identity..

2010-04-01 Thread Bruno Kremel
2010/4/1 Alan DeKok :
> Bruno Kremel wrote:
>> Sending Access-Challenge of id 0 to 192.168.3.1 port 1320
>>         EAP-Message = 0x010c00061900
>>         Message-Authenticator = 0x
>>         State = 0x53b1704557bd694fbe3359243d2a2638
>> Finished request 40.
>> Going to the next request
>> Waking up in 4.9 seconds.
>> Cleaning up request 40 ID 0 with timestamp +589
>> Ready to process requests.
>
>  This is documented in the FAQ, in the comments in raddb/eap.conf, and
> on my web site (http://deployingradius.com/).
>
>  Please read the existing documentation,
>
>> That Access-Challenge should authenticate my client if I am not wrong,
>
>  No.
>
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

Thank you for those links... I have read that FAQ and so I copied over the
default eap.conf and tried it with the users file.. it is working OK, I can
connect to the AP with username/password, but when I tried to use SQL (I
have the correct format in SQL now) it again ends up with
Access-Reject:

  rlm_eap_peap:  Had sent TLV failure.  User was rejected earlier in
this session.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [pokus2/] (from client
ciscorouter port 44 cli 001e650ece6c)
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> pokus2
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 23 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 23
Sending Access-Reject of id 0 to 192.168.3.1 port 1327
EAP-Message = 0x040a0004
Message-Authenticator = 0x
Waking up in 4.9 seconds.
Cleaning up request 23 ID 0 with timestamp +735
Ready to process requests.


But radtest gives me:
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 54224,
id=218, length=57
User-Name = "test2"
User-Password = "pokus2"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "test2", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
expand: %{User-Name} -> test2
rlm_sql (sql): sql_set_user escaped user --> 'test2'
rlm_sql (sql): Reserving sql socket id: 2
expand: SELECT id, username, attribute, value, op
FROM radcheck   WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radcheck   WHERE username = 'test2'   ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op
FROM radreply   WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radreply   WHERE username = 'test2'   ORDER BY id
expand: SELECT groupname   FROM radusergroup
WHERE username = '%{SQL-User-Name}'   ORDER BY priority ->
SELECT groupname   FROM radusergroup   WHERE username
= 'test2'   ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
  rad_check_password:  Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "pokus2"
rlm_pap: Using clear text password "pokus2"
rlm_pap: User authenticated successfully
++[pap] returns ok
Login OK: [test2/pokus2] (from client localhost port 1812)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 218 to 127.0.0.1 port 54224
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 10 ID 218 with timestamp +263
Ready to process requests.

So is it an sql problem or something with eap?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius + PEAP.. stuck on validating identity..

2010-04-01 Thread Alan DeKok
Bruno Kremel wrote:
> Sending Access-Challenge of id 0 to 192.168.3.1 port 1320
> EAP-Message = 0x010c00061900
> Message-Authenticator = 0x
> State = 0x53b1704557bd694fbe3359243d2a2638
> Finished request 40.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 40 ID 0 with timestamp +589
> Ready to process requests.

  This is documented in the FAQ, in the comments in raddb/eap.conf, and
on my web site (http://deployingradius.com/).

  Please read the existing documentation,

> That Access-Challenge should authenticate my client if I am not wrong,

  No.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius + PEAP.. stuck on validating identity..

2010-04-01 Thread Matt Harlum
On 01/04/2010, at 8:40 PM, Bruno Kremel wrote:

> 2010/4/1 Matt Harlum :
>> 
>> On 01/04/2010, at 1:44 PM, Matt Harlum wrote:
>> 
>> On 01/04/2010, at 7:39 AM, Bruno Kremel wrote:
>> 
>> On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
>> What should be there?
>> Because I don't know. I am using the Daloradius web interface for adding data to
>> the database, so I just loaded the default daloradius sql which was intended
>> (according to the readme of daloradius) for 2.X Freeradius... and added accounts
>> in the web interface...
>> 
>> Here's an example from my radcheck table in the SQL Database
>>  id | UserName    | Attribute     | op | Value       |
>> ----+-------------+---------------+----+-------------+
>> |  1 | exampleuser | User-Password | == | password123 |
>> This is how yours should be set up, otherwise you will get the "validating"
>> issue in Windows.
>> 
>> I was wrong
>> it should be
>> Here's an example from my radcheck table in the SQL Database
>>  id | UserName    | Attribute          | op | Value       |
>> ----+-------------+--------------------+----+-------------+
>> |  1 | exampleuser | Cleartext-Password | := | password123 |
>> My configuration was wrong it'd seem, I hadn't noticed as I'm primarily
>> using EAP-TLS with EAP-TTLS as a fallback. didn't test it when I upgraded to
>> 2.x
>> Regards,
>> Matt Harlum
>> 
>> 
>> To me it seems that name/password was accepted so I have no clue where
>> 
>> is the problem..
>> 
>>  The password was NOT accepted.  It was *ignored*.
>> 
>> And what is that Access-Accept on the end of the log?... also radtest gives
>> me
>> Access-Accept only on correct login and password so I think that it's not
>> that
>> SQL...
>> 
>> 
>> As Alan said, it was simply ignored because of the misconfiguration
>> Regards,
>> Matt Harlum
>> 
>> 
>> 
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>> 
> 
> Thank you for the answer.. You are right about that sql, it is some mess in
> daloradius, but I tried to disable SQL and use /etc/freeradius/users
> file instead, but I am stuck on Attempting to authenticate now.. log
> says this:

Are you trying to use EAP-TTLS?

> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.3.1 port 1320, id=0,
> length=137
> Cleaning up request 39 ID 0 with timestamp +589
>User-Name = "pokus"
>NAS-IP-Address = 192.168.3.1
>Called-Station-Id = "00259c523046"
>Calling-Station-Id = "001e650eb532"
>NAS-Identifier = "00259c523046"
>NAS-Port = 9
>Framed-MTU = 1400
>State = 0x53b1704550ba694fbe3359243d2a2638
>NAS-Port-Type = Wireless-802.11
>EAP-Message = 0x020b00061900
>Message-Authenticator = 0x5fde19c57e8672a11c18b0b34d8c3acd
> +- entering group authorize
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
>rlm_realm: No '@' in User-Name = "pokus", looking up realm NULL
>rlm_realm: No such realm "NULL"
> ++[suffix] returns noop
>  rlm_eap: EAP packet type response id 11 length 6
>  rlm_eap: Continuing tunnel setup.
> ++[eap] returns ok
>  rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
> +- entering group authenticate
>  rlm_eap: Request found, released from the list
>  rlm_eap: EAP/peap
>  rlm_eap: processing type peap
>  rlm_eap_peap: Authenticate
>  rlm_eap_tls: processing TLS
> rlm_eap_tls: Received EAP-TLS ACK message
>  rlm_eap_tls: ack handshake fragment handler
>  eaptls_verify returned 1
>  eaptls_process returned 13
>  rlm_eap_peap: EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 0 to 192.168.3.1 port 1320
>EAP-Message = 0x010c00061900
>Message-Authenticator = 0x
>State = 0x53b1704557bd694fbe3359243d2a2638
> Finished request 40.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 40 ID 0 with timestamp +589
> Ready to process requests.

Hard for me to tell what's going wrong here, radiusd -X should give more 
diagnostic information that would help

also, what was the exact section of your users file like? with obfuscated login 
credentials of course.
  
> That Access-Challenge should authenticate my client if I am not wrong,
> but it still shows me validating identity and the attempting to
> authenticate...
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius + PEAP.. stuck on validating identity..

2010-04-01 Thread Bruno Kremel
2010/4/1 Matt Harlum :
>
> On 01/04/2010, at 1:44 PM, Matt Harlum wrote:
>
> On 01/04/2010, at 7:39 AM, Bruno Kremel wrote:
>
> On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
> What should be there?
> Because I don't know. I am using the Daloradius web interface for adding data to
> the database, so I just loaded the default daloradius sql which was intended
> (according to the readme of daloradius) for 2.X Freeradius... and added accounts
> in the web interface...
>
> Here's an example from my radcheck table in the SQL Database
>  id | UserName    | Attribute     | op | Value       |
> ----+-------------+---------------+----+-------------+
> |  1 | exampleuser | User-Password | == | password123 |
> This is how yours should be set up, otherwise you will get the "validating"
> issue in Windows.
>
> I was wrong
> it should be
> Here's an example from my radcheck table in the SQL Database
>  id | UserName    | Attribute          | op | Value       |
> ----+-------------+--------------------+----+-------------+
> |  1 | exampleuser | Cleartext-Password | := | password123 |
> My configuration was wrong it'd seem, I hadn't noticed as I'm primarily
> using EAP-TLS with EAP-TTLS as a fallback. didn't test it when I upgraded to
> 2.x
> Regards,
> Matt Harlum
>
>
> To me it seems that name/password was accepted so I have no clue where
>
> is the problem..
>
>  The password was NOT accepted.  It was *ignored*.
>
> And what is that Access-Accept on the end of the log?... also radtest gives
> me
> Access-Accept only on correct login and password so I think that it's not
> that
> SQL...
>
>
> As Alan said, it was simply ignored because of the misconfiguration
> Regards,
> Matt Harlum
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

Thank you for the answer.. You are right about that sql, it is some mess in
daloradius, but I tried to disable SQL and use /etc/freeradius/users
file instead, but I am stuck on Attempting to authenticate now.. log
says this:

Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.3.1 port 1320, id=0,
length=137
Cleaning up request 39 ID 0 with timestamp +589
User-Name = "pokus"
NAS-IP-Address = 192.168.3.1
Called-Station-Id = "00259c523046"
Calling-Station-Id = "001e650eb532"
NAS-Identifier = "00259c523046"
NAS-Port = 9
Framed-MTU = 1400
State = 0x53b1704550ba694fbe3359243d2a2638
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020b00061900
Message-Authenticator = 0x5fde19c57e8672a11c18b0b34d8c3acd
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "pokus", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 11 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.3.1 port 1320
EAP-Message = 0x010c00061900
Message-Authenticator = 0x
State = 0x53b1704557bd694fbe3359243d2a2638
Finished request 40.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 40 ID 0 with timestamp +589
Ready to process requests.

That Access-Challenge should authenticate my client if I am not wrong,
but it still shows me validating identity and the attempting to
authenticate...

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius + PEAP.. stuck on validating identity..

2010-04-01 Thread Matt Harlum

On 01/04/2010, at 1:44 PM, Matt Harlum wrote:

> 
> On 01/04/2010, at 7:39 AM, Bruno Kremel wrote:
> 
>> On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
>> What should be there?
>> Because I don't know. I am using the Daloradius web interface for adding data to 
>> the database, so I just loaded the default daloradius sql which was intended 
>> (according to the readme of daloradius) for 2.X Freeradius... and added accounts 
>> in the web interface...
> 
> Here's an example from my radcheck table in the SQL Database
>  id | UserName    | Attribute     | op | Value       |
> ----+-------------+---------------+----+-------------+
> |  1 | exampleuser | User-Password | == | password123 |
> 
> This is how yours should be set up, otherwise you will get the "validating" 
> issue in Windows.
> 

I was wrong
it should be 
Here's an example from my radcheck table in the SQL Database
 id | UserName    | Attribute          | op | Value       |
----+-------------+--------------------+----+-------------+
|  1 | exampleuser | Cleartext-Password | := | password123 |

My configuration was wrong it'd seem, I hadn't noticed as I'm primarily using 
EAP-TLS with EAP-TTLS as a fallback. didn't test it when I upgraded to 2.x

Regards,
Matt Harlum

> 
>>> 
>>>> To me it seems that name/password was accepted so I have no clue where
>>>> is the problem..
>>> 
>>>  The password was NOT accepted.  It was *ignored*.
>>> 
>> And what is that Access-Accept on the end of the log?... also radtest gives 
>> me 
>> Access-Accept only on correct login and password so I think that it's not 
>> that 
>> SQL...
>> 
> 
> As Alan said, it was simply ignored because of the misconfiguration
> 
> Regards,
> Matt Harlum
> 
> 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius + PEAP.. stuck on validating identity..

2010-03-31 Thread Matt Harlum

On 01/04/2010, at 7:39 AM, Bruno Kremel wrote:

> On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
> What should be there?
> Because I don't know. I am using the Daloradius web interface for adding data to 
> the database, so I just loaded the default daloradius sql which was intended 
> (according to the readme of daloradius) for 2.X Freeradius... and added accounts 
> in the web interface...

Here's an example from my radcheck table in the SQL Database
 id | UserName    | Attribute     | op | Value       |
----+-------------+---------------+----+-------------+
|  1 | exampleuser | User-Password | == | password123 |

This is how yours should be set up, otherwise you will get the "validating" 
issue in Windows.


>> 
>>> To me it seems that name/password was accepted so I have no clue where
>>> is the problem..
>> 
>>  The password was NOT accepted.  It was *ignored*.
>> 
> And what is that Access-Accept on the end of the log?... also radtest gives 
> me 
> Access-Accept only on correct login and password so I think that it's not 
> that 
> SQL...
> 

As Alan said, it was simply ignored because of the misconfiguration

Regards,
Matt Harlum


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius + PEAP.. stuck on validating identity..

2010-03-31 Thread Alan DeKok
Bruno Kremel wrote:
>>   Why did you put "Auth-Type = Accept" in SQL?
>>
>>   It's breaking the server.  Delete it.
> What should be there?

  The user's password?

> Because I don't know. I am using the Daloradius web interface for adding data to 
> the database, so I just loaded the default daloradius sql which was intended 
> (according to the readme of daloradius) for 2.X Freeradius... and added accounts 
> in the web interface...

I don't use daloradius.  All I know is from the debug output,
which shows that the server isn't configured properly.

> And what is that Accept-Accept on the end of the log?...

  It's useless.  The EAP conversation has been short-circuited, and the
user WILL NOT end up being online.

> also radtest gives me 
> Access-Accept only on correct login and password so I think that it's not 
> that 
> SQL...

  Since you obviously know the product better than I do, good luck
solving the problem.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius + PEAP.. stuck on validating identity..

2010-03-31 Thread Bruno Kremel
On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
> Bruno Kremel wrote:
> > My configuration is pretty much default except of enabling MySQL and
> > setting paths and passwords to certificates (generated with make
> > script in /etc/freeradius/certs, so they should be OK) and addresses
> > of clients.
> 
>   And what did you put in SQL?
> 
> > expand: %{User-Name} -> pokus
> > rlm_sql (sql): sql_set_user escaped user --> 'pokus'
> > rlm_sql (sql): Reserving sql socket id: 3
> > expand: SELECT id, username, attribute, value, op FROM radcheck WHERE
> > username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username,
> > attribute, value, op FROM radcheck WHERE username = 'pokus' ORDER BY
> > id
> > rlm_sql (sql): User found in radcheck table
> > expand: SELECT id, username, attribute, value, op FROM radreply WHERE
> > username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username,
> > attribute, value, op FROM radreply WHERE username = 'pokus' ORDER BY
> > id
> > expand: SELECT groupname FROM radusergroup WHERE username =
> > '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM
> > radusergroup WHERE username = 'pokus' ORDER BY priority
> 
> ...
> 
> > rad_check_password: Found Auth-Type Accept
> > rad_check_password: Auth-Type = Accept, accepting the user
> 
>   Why did you put "Auth-Type = Accept" in SQL?
> 
>   It's breaking the server.  Delete it.
What should be there?
Because I don't know. I am using the Daloradius web interface for adding data to 
the database, so I just loaded the default daloradius sql which was intended 
(according to the readme of daloradius) for 2.X Freeradius... and added accounts 
in the web interface...
> 
> > To me it seems that name/password was accepted so I have no clue where
> > is the problem..
> 
>   The password was NOT accepted.  It was *ignored*.
> 
And what is that Access-Accept on the end of the log?... also radtest gives me 
Access-Accept only on correct login and password so I think that it's not that 
SQL...


>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
>  http://www.freeradius.org/list/users.html
> 
Thank you for answer.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius + PEAP.. stuck on validating identity..

2010-03-31 Thread Alan DeKok



Bruno Kremel wrote:
> My configuration is pretty much default except of enabling MySQL and
> setting paths and passwords to certificates (generated with make
> script in /etc/freeradius/certs, so they should be OK) and addresses
> of clients.

  And what did you put in SQL?

> expand: %{User-Name} -> pokus
> rlm_sql (sql): sql_set_user escaped user --> 'pokus'
> rlm_sql (sql): Reserving sql socket id: 3
> expand: SELECT id, username, attribute, value, op FROM radcheck WHERE
> username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username,
> attribute, value, op FROM radcheck WHERE username = 'pokus' ORDER BY
> id
> rlm_sql (sql): User found in radcheck table
> expand: SELECT id, username, attribute, value, op FROM radreply WHERE
> username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username,
> attribute, value, op FROM radreply WHERE username = 'pokus' ORDER BY
> id
> expand: SELECT groupname FROM radusergroup WHERE username =
> '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM
> radusergroup WHERE username = 'pokus' ORDER BY priority
...
> rad_check_password: Found Auth-Type Accept
> rad_check_password: Auth-Type = Accept, accepting the user

  Why did you put "Auth-Type = Accept" in SQL?

  It's breaking the server.  Delete it.

> To me it seems that name/password was accepted so I have no clue where
> is the problem..

  The password was NOT accepted.  It was *ignored*.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
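An added example, not code from this thread or from the FreeRADIUS project: a small Python triage script in the spirit of the debug-output form Alan DeKok points to. It scans `radiusd -X` output for the signatures quoted across this thread (no known-good password in the inner tunnel, `Auth-Type = Accept` stored as a check item, a PEAP TLV failure, and a clean MS-CHAPv2 success) and reports what each one means; the embedded sample excerpts are constructed, modelled on the logs posted here.

```python
"""Triage FreeRADIUS 2.x debug output (radiusd -X) for the inner-tunnel
problems discussed in this thread."""
import re
from typing import Dict, List, Tuple

# Modules that can supply a "known good" password to the inner tunnel.
PASSWORD_SOURCES = {"sql", "ldap", "files"}

# Matches "++[files] returns noop" -> ("files", "noop"); also dotted names
# such as "attr_filter.access_reject".
MODULE_RE = re.compile(r"^\+\+\[(?P<module>[\w.]+)\]\s+returns\s+(?P<rcode>\w+)")


def modules_called(debug_text: str) -> List[Tuple[str, str]]:
    """Return (module, return-code) pairs in the order the server ran them."""
    calls = []
    for line in debug_text.splitlines():
        m = MODULE_RE.match(line.strip())
        if m:
            calls.append((m.group("module"), m.group("rcode")))
    return calls


def triage(debug_text: str) -> Dict[str, str]:
    """Map each signature present in the debug output to a one-line diagnosis."""
    findings: Dict[str, str] = {}
    calls = modules_called(debug_text)

    if ("No Cleartext-Password configured" in debug_text
            and "FAILED: No NT/LM-Password" in debug_text):
        ran = [(m, rc) for m, rc in calls if m in PASSWORD_SOURCES]
        not_run = sorted(PASSWORD_SOURCES - {m for m, _ in ran})
        if any(rc in ("ok", "updated") for _, rc in ran):
            # A source found the user but gave mschap nothing usable: the check
            # item is wrong (User-Password == ..., or Auth-Type := Accept).
            hint = ("a password source found the user but supplied no "
                    "Cleartext-Password; store Cleartext-Password := <password>")
        else:
            hint = ("password sources found nothing for the user (%s); "
                    "not called in this section: %s"
                    % (", ".join("%s=%s" % c for c in ran) or "none ran",
                       ", ".join(not_run) or "none"))
        findings["no_known_good_password"] = (
            "MS-CHAPv2 needs a known-good password in the inner tunnel; " + hint)

    if "Auth-Type = Accept, accepting the user" in debug_text:
        findings["auth_type_accept"] = (
            "Auth-Type = Accept as a check item short-circuits EAP; the "
            "Access-Accept is useless and the client will not come online.")

    if "Had sent TLV failure" in debug_text:
        findings["tlv_failure"] = (
            "PEAP is only reporting an earlier inner-tunnel rejection; look at "
            "the earlier inner-tunnel request for the real cause.")

    if "MSCHAP Success" in debug_text and "returns invalid" not in debug_text:
        findings["inner_auth_ok"] = (
            "MS-CHAPv2 succeeded; if the client still hangs, check the AP mode "
            "(802.1X/WPA-Enterprise), the client's EAP type and its CA cert.")
    return findings


# Constructed sample excerpts, modelled on the debug output quoted in the thread.
SAMPLE_NO_KNOWN_GOOD = """\
server inner-tunnel {
+- entering group authorize
++[chap] returns noop
++[mschap] returns noop
++[eap] returns updated
++[files] returns noop
++[pap] returns noop
  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
"""
SAMPLE_AUTH_TYPE_ACCEPT = """\
rlm_sql (sql): User found in radcheck table
++[sql] returns ok
rad_check_password: Found Auth-Type Accept
rad_check_password: Auth-Type = Accept, accepting the user
"""
SAMPLE_TLV_FAILURE = """\
  rlm_eap_peap:  Had sent TLV failure.  User was rejected earlier in this session.
++[eap] returns invalid
auth: Failed to validate the user.
"""
SAMPLE_OK = """\
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
"""

if __name__ == "__main__":
    for name in ("SAMPLE_NO_KNOWN_GOOD", "SAMPLE_AUTH_TYPE_ACCEPT",
                 "SAMPLE_TLV_FAILURE", "SAMPLE_OK"):
        for key, msg in triage(globals()[name]).items():
            print("%s: %s: %s" % (name, key, msg))
```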


Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory

2010-03-18 Thread John
I attached the captured packets. Please open it with wireshark. 
The password from OD is “”.  It is neither a cleartext password nor an
encrypted password.


--- On Thu, 18 Mar 2010, John wrote:


From: John 
Subject: Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory
To: "FreeRadius users mailing list" 
Date: Thu, 18 Mar 2010, 7:01 PM

I configured the LDAP module to talk to Open Directory; based on the debug output it 
looks like the password is fetched from OD, but the authentication always fails. Is there 
any guide for integrating freeRADIUS+ldap+OD?
I set up freeRADIUS to talk to OpenLDAP and it works well.  Can OD return the cleartext 
password like OpenLDAP does?

John.

--- On Mon, 15 Mar 2010, Alan DeKok wrote:


From: Alan DeKok 
Subject: Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory
To: "FreeRadius users mailing list" 
Date: Mon, 15 Mar 2010, 12:59 PM


John wrote:
> Hello,
> We want to set up freeRADIUS with Peap/MSCHAPv2 to talk to Apple Open
> Directory. I found this option 'use_open_directory'. But it looks like we need
> to install freeRADIUS on the same machine as Open
> Directory.(https://lists.freeradius.org/pipermail/freeradius-users/2010-February/msg00307.html)
>  
> Do we have to run freeRADIUS on the same machine with OpenDirectory?

  Yes.

> Is
> there a work-around so that we can run freeRADIUS separate from OpenDirectory?

  OpenDirectory is an LDAP server.  Configure that way in FreeRADIUS.
It might work.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

 
-Attachment content below-


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


  

ODldap.pcap
Description: Binary data
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory

2010-03-18 Thread John
I configured the LDAP module to talk to Open Directory; based on the debug output it 
looks like the password is fetched from OD, but the authentication always fails. Is there 
any guide for integrating freeRADIUS+ldap+OD?
I set up freeRADIUS to talk to OpenLDAP and it works well.  Can OD return the cleartext 
password like OpenLDAP does?

John.

--- On Mon, 15 Mar 2010, Alan DeKok wrote:


From: Alan DeKok 
Subject: Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory
To: "FreeRadius users mailing list" 
Date: Mon, 15 Mar 2010, 12:59 PM


John wrote:
> Hello,
> We want to set up freeRADIUS with Peap/MSCHAPv2 to talk to Apple Open
> Directory. I found this option 'use_open_directory'. But it looks like we need
> to install freeRADIUS on the same machine as Open
> Directory.(https://lists.freeradius.org/pipermail/freeradius-users/2010-February/msg00307.html)
>  
> Do we have to run freeRADIUS on the same machine with OpenDirectory?

  Yes.

> Is
> there a work-around so that we can run freeRADIUS separate from OpenDirectory?

  OpenDirectory is an LDAP server.  Configure that way in FreeRADIUS.
It might work.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory

2010-03-14 Thread Alan DeKok
John wrote:
> Hello,
> We want to setup freeRADIUS with Peap/MSCHAPv2 talk to Apple Open
> Directory. I found this option 'use_open_directory'. But looks we need
> to install freeRADIUS on the same machine with Open
> Directory.(https://lists.freeradius.org/pipermail/freeradius-users/2010-February/msg00307.html)
>  
> Do we have to run freeRADIUS on the same machine with OpenDirectory?

  Yes.

> Is
> there a work-around that we can run freeRADIUS seperate from OpenDirectory?

  OpenDirectory is an LDAP server.  Configure that way in FreeRADIUS.
It might work.

  Alan DeKok.


Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory

2010-02-15 Thread Alan DeKok
Moritz Dereschkewitz wrote:
> Wow, that sounds great. I haven't read about the use_open_directory
> option yet. Do I have to configure the mschap-module to connect to the
> OD, since Freeradius is not running on the Apple server? E.g. specify
> the server adress? Or does it find the server automatically?

  You need to run FreeRADIUS on the same machine as Open Directory.

  Alan DeKok.



Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory

2010-02-12 Thread Moritz Dereschkewitz


On 13.02.2010 08:21, Alan DeKok wrote:

> Moe D. wrote:
>> I got a machine up and running Freeradius 2.1.0 with SSL support to
>> secure a Wireless LAN. In our school’s network we (have to) use an Apple
>> Mac OS X 10.4 Server with Samba as the PDC. Samba stores the user
>> information using the OpenDirectory on the same server – using the NTLM
>> password hashes… so far, there should be no problem for Freeradius using
>> LDAP to connect to the OD and retrieve the NTLM hash to authenticate the
>> wireless clients.
>
>   Use the "mschap" module.  Apple has contributed code to make
> FreeRADIUS work with Open Directory.
>
>   Edit the "mschap" configuration, and add:
>
> use_open_directory = yes
>
>   That's it.
>
>   You may need to use a more recent version of FreeRADIUS.  I suggest 2.1.8.
>
>   Alan DeKok.

Wow, that sounds great. I haven't read about the use_open_directory 
option yet. Do I have to configure the mschap-module to connect to the 
OD, since Freeradius is not running on the Apple server? E.g. specify 
the server address? Or does it find the server automatically?

Thanks for your help so far, Alan!

moenster


Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory

2010-02-12 Thread Alan DeKok
Moe D. wrote:
> I got a machine up and running Freeradius 2.1.0 with SSL support to
> secure a Wireless LAN. In our school’s network we (have to) use an Apple
> Mac OS X 10.4 Server with Samba as the PDC. Samba stores the user
> information using the OpenDirectory on the same server – using the NTLM
> password hashes… so far, there should be no problem for Freeradius using
> LDAP to connect to the OD and retrieve the NTLM hash to authenticate the
> wireless clients.

  Use the "mschap" module.  Apple has contributed code to make
FreeRADIUS work with Open Directory.

  Edit the "mschap" configuration, and add:

use_open_directory = yes

  That's it.

  You may need to use a more recent version of FreeRADIUS.  I suggest 2.1.8.

  Alan DeKok.


Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-03 Thread tnt
Use:

--username=%{mschap:User-Name}

and it should work.

Ivan Kalik
Kalik Informatika ISP


Dana 3/10/2008, "Vieri" <[EMAIL PROTECTED]> piše:

>--- On Thu, 10/2/08, Vieri <[EMAIL PROTECTED]> wrote:
>
>> I'm running freeradius-2.0.5 on Linux.
>>
>> My setup is as follows:
>>
>> Windows Vista native client - Linksys AP - FreeRadius Linux
>> server (PEAP/mschapv2) - Active Directory Windows server
>>
>> Everything works smoothly with the following ntlm_auth
>> parameters in the mschap module:
>>
>> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
>> --username=%{Stripped-User-Name:-%{User-Name:-None}}
>> --challenge=%{mschap:Challenge:-00}
>> --nt-response=%{mschap:NT-Response:-00}"
>>
>> However, user authentication is rejected when I add the
>> --domain parameter:
>>
>> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
>> --domain=%{mschap:NT-Domain} --username=%{Stripped-User-Name:-%{User-Name:-None}}
>> --challenge=%{mschap:Challenge:-00}
>> --nt-response=%{mschap:NT-Response:-00}"
>>
>> (from the Windows Vista client I obviously set the DOMAIN
>> field; besides, if I run the freeradius daemon with debug
>> enabled I see that it "correctly" receives
>> 'DOMAIN\username')
>>
>> For starters, I don't understand why authentication
>> fails if I add --domain. How can I find out why?
>>
>> Then, adding --require-membership-of with or without
>> --domain also fails.
>>
>> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
>> --domain=%{mschap:NT-Domain} --username=%{Stripped-User-Name:-%{User-Name:-None}}
>> --require-membership-of='DOMAIN\\WIFI'
>> --challenge=%{mschap:Challenge:-00}
>> --nt-response=%{mschap:NT-Response:-00}"
>>
>> Finally, running ntlm_auth from the command line yields:
>>
>> # ntlm_auth --request-nt-key --domain=DOMAIN
>> --username=myuser
>> --require-membership-of='DOMAIN\\WIFI'
>> password:
>> NT_STATUS_OK: Success (0x0)
>
>I found this in the radiusd debug log:
>
>[2008/10/03 09:39:30, 0] utils/ntlm_auth.c:get_require_membership_sid(237)
>  Winbindd lookupname failed to resolve 'DOMAIN\WIFI' into a SID!
>
>so I removed the '' in the ntlm_auth string like this:
>
>ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key  
>--username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=DOMAIN 
>--require-membership-of=DOMAIN\\WIFI --challenge=%{mschap:Challenge:-00} 
>--nt-response=%{mschap:NT-Response:-00}"
>
>and now it works.
>
>So this leads me to ask how I can specify group names with spaces such as 
>'WIFI 1'.
>
>Also, I had to specify the domain explicitly either via --domain=DOMAIN or 
>--domain=%{mschap:NT-Domain:-DOMAIN}. In the latter case, authentication 
>succeeds only if the client does NOT specify a domain in the domain or user 
>field.
>So I'm attaching some debug outputs with the hope that someone can shed some 
>light on this aspect which I obviously don't grasp.
>
>Thanks,
>
>Vieri
>
>
>
>
>

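What the ntlm_auth line above actually hands to winbind is decided by the xlat expansions, and the difference between `%{Stripped-User-Name:-%{User-Name:-None}}` and `%{mschap:User-Name}` is the whole point of the answer. The Python below is an added example written for this page, not code from the thread or from FreeRADIUS: it models those expansions for the two command lines in the thread and shows the argv the server would build for a user who logs in as DOMAIN\vieri versus plain vieri. It assumes (as the docstring states) that `%{mschap:User-Name}` strips the DOMAIN\ prefix, that `%{mschap:NT-Domain}` expands to nothing when there is no backslash so the `:-` default applies, and that the server splits the command line on whitespace before expanding each argument; the challenge and response values and the request attributes are constructed placeholders. Check those assumptions against your own server version, since this is a model of the rlm_mschap xlats as I understand them, not the module itself.

```python
"""Model of the xlat expansions in an rlm_mschap ntlm_auth command line.

Added example for this thread, not FreeRADIUS code. Assumed behaviour:
%{mschap:User-Name} is User-Name minus any "DOMAIN\\" prefix; %{mschap:NT-Domain}
is the part before the backslash and expands to nothing without one, so a
":-default" applies; Challenge/NT-Response come from constructed hex strings;
the command line is split on whitespace before each argument is expanded.
"""
from typing import Dict, List, Optional, Tuple

Attrs = Dict[str, str]


def _mschap_xlat(name: str, attrs: Attrs) -> str:
    """The subset of %{mschap:...} used by the command lines in the thread."""
    user = attrs.get("User-Name", "")
    if name == "User-Name":
        return user.split("\\", 1)[1] if "\\" in user else user
    if name == "NT-Domain":
        return user.split("\\", 1)[0] if "\\" in user else ""
    if name in ("Challenge", "NT-Response"):
        return attrs.get("MS-CHAP-" + name, "")  # constructed placeholder keys
    raise ValueError(f"unsupported mschap xlat: {name}")


def _matching_brace(fmt: str, start: int) -> int:
    """Index of the '}' that closes the '%{' beginning at fmt[start]."""
    depth, i = 0, start
    while i < len(fmt):
        if fmt.startswith("%{", i):
            depth, i = depth + 1, i + 2
            continue
        if fmt[i] == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    raise ValueError(f"unterminated %{{ in {fmt!r}")


def _split_default(body: str) -> Tuple[str, Optional[str]]:
    """Split 'ref:-default' at the first ':-' outside any nested %{...}."""
    depth, i = 0, 0
    while i < len(body):
        if body.startswith("%{", i):
            depth, i = depth + 1, i + 2
            continue
        if body[i] == "}":
            depth -= 1
        elif depth == 0 and body.startswith(":-", i):
            return body[:i], body[i + 2:]
        i += 1
    return body, None


def expand(fmt: str, attrs: Attrs) -> str:
    """Expand %{Attr}, %{Attr:-default} (defaults may nest) and %{mschap:...}."""
    out: List[str] = []
    i = 0
    while i < len(fmt):
        if not fmt.startswith("%{", i):
            out.append(fmt[i])
            i += 1
            continue
        end = _matching_brace(fmt, i)
        ref, default = _split_default(fmt[i + 2:end])
        value = _mschap_xlat(ref[7:], attrs) if ref.startswith("mschap:") else attrs.get(ref, "")
        if value == "" and default is not None:
            value = expand(default, attrs)  # the default may itself be an xlat
        out.append(value)
        i = end + 1
    return "".join(out)


def ntlm_auth_argv(cmdline: str, attrs: Attrs) -> List[str]:
    """Split on whitespace first, then expand each argument on its own."""
    return [expand(arg, attrs) for arg in cmdline.split()]


def domain_passed_twice(argv: List[str]) -> bool:
    """True when --domain=X is set and --username still begins with 'X\\':
    winbind then sees the domain twice, the rejection the thread reports."""
    domain = next((a[len("--domain="):] for a in argv if a.startswith("--domain=")), "")
    user = next((a[len("--username="):] for a in argv if a.startswith("--username=")), "")
    return bool(domain) and user.upper().startswith(domain.upper() + "\\")


# The two command lines discussed in the thread, as format strings.
ORIGINAL = ("/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} "
            "--username=%{Stripped-User-Name:-%{User-Name:-None}} "
            "--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}")
FIXED = ORIGINAL.replace("%{Stripped-User-Name:-%{User-Name:-None}}", "%{mschap:User-Name}")

# Constructed requests; no realm module has set Stripped-User-Name.
_MSCHAP = {"MS-CHAP-Challenge": "0a1b2c3d4e5f6071", "MS-CHAP-NT-Response": "00112233"}
REQ_WITH_DOMAIN: Attrs = {"User-Name": "DOMAIN\\vieri", **_MSCHAP}
REQ_NO_DOMAIN: Attrs = {"User-Name": "vieri", **_MSCHAP}

if __name__ == "__main__":
    for fmt in (ORIGINAL, FIXED):
        for req in (REQ_WITH_DOMAIN, REQ_NO_DOMAIN):
            argv = ntlm_auth_argv(fmt, req)
            print(argv[2], argv[3], "domain twice:", domain_passed_twice(argv))
```

With the original line a client that sends DOMAIN\vieri ends up with both `--domain=DOMAIN` and `--username=DOMAIN\vieri`, while a client that sends a bare username gets an empty `--domain=` unless a `:-DOMAIN` default is given; with `%{mschap:User-Name}` the username is clean in both cases. Splitting before expansion is also what keeps a User-Name containing whitespace inside a single argument instead of turning it into extra ntlm_auth options.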


Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-03 Thread tnt
Don't hijack other people's threads. BTW did you fix the users file entry
so the server can start up?

Ivan Kalik
Kalik Informatika ISP

On 3/10/2008, "luis a" <[EMAIL PROTECTED]> wrote:

>pal if you are using freeradius binary version as i was using before 
>
>you can debug typing freeradius -X
>
>if you are using the compiled version as i did a few days ago , it should work 
>just by typing radiusd -X
>
>PS:
>my freeradius is still not authenticating against AD :-(
>
>
>--- On Thu, 2/10/08, Nicolas Goutte <[EMAIL PROTECTED]> wrote:
>From: Nicolas Goutte <[EMAIL PROTECTED]>
>Subject: Re: Freeradius, PEAP, Active Directory and --require-membership-of
>To: "FreeRadius users mailing list" 
>Date: Thursday, 2 October 2008 6:09
>
>On 02.10.2008 at 19:46, Vieri wrote:
>
>>
>> --- On Thu, 10/2/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>>
>>> As with every other freeradius problem - when it doesn't
>>> work - debug
>>> (radiusd -X).
>>
>> That's how I'm running it. Does the list mind if I post the debug 
>
>> lines?
>
>Asking for the output of radiusd -X is the most frequent answer on  
>this mailing list and so it is not  a problem to see such outputs on  
>this mailing list.
>
>However please check first by yourself that you have not missed an  
>error message that would point you in the right direction. (Because  
>that is probably the second most frequent answer.)
>
>>
>>
>>
>>
>
>
>Have a nice day!
>
>Nicolas Goutte
>
>
>extragroup GmbH - Karlsruhe
>Waldstr. 49
>76133 Karlsruhe
>Germany
>
>Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
>Registry court: Amtsgericht Münster / HRB: 5624
>Tax no.: 337/5903/0421 / VAT ID: DE 204607841
>
>
>
>


Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-03 Thread luis a
pal if you are using freeradius binary version as i was using before 

you can debug typing freeradius -X

if you are using the compiled version as i did a few days ago , it should work 
just by typing radiusd -X

PS:
my freeradius is still not authenticating against AD :-(


--- On Thu, 2/10/08, Nicolas Goutte <[EMAIL PROTECTED]> wrote:
From: Nicolas Goutte <[EMAIL PROTECTED]>
Subject: Re: Freeradius, PEAP, Active Directory and --require-membership-of
To: "FreeRadius users mailing list" 
Date: Thursday, 2 October 2008 6:09

On 02.10.2008 at 19:46, Vieri wrote:

>
> --- On Thu, 10/2/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
>> As with every other freeradius problem - when it doesn't
>> work - debug
>> (radiusd -X).
>
> That's how I'm running it. Does the list mind if I post the debug 

> lines?

Asking for the output of radiusd -X is the most frequent answer on  
this mailing list and so it is not  a problem to see such outputs on  
this mailing list.

However please check first by yourself that you have not missed an  
error message that would point you in the right direction. (Because  
that is probably the second most frequent answer.)

>
>
>
>


Have a nice day!

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Registry court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841





Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-03 Thread Vieri
--- On Thu, 10/2/08, Vieri <[EMAIL PROTECTED]> wrote:

> I'm running freeradius-2.0.5 on Linux.
> 
> My setup is as follows:
> 
> Windows Vista native client - Linksys AP - FreeRadius Linux
> server (PEAP/mschapv2) - Active Directory Windows server
> 
> Everything works smoothly with the following ntlm_auth
> parameters in the mschap module:
> 
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{Stripped-User-Name:-%{User-Name:-None}}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
> 
> However, user authentication is rejected when I add the
> --domain parameter:
> 
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --domain=%{mschap:NT-Domain} --username=%{Stripped-User-Name:-%{User-Name:-None}}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
> 
> (from the Windows Vista client I obviously set the DOMAIN
> field; besides, if I run the freeradius daemon with debug
> enabled I see that it "correctly" receives
> 'DOMAIN\username')
> 
> For starters, I don't understand why authentication
> fails if I add --domain. How can I find out why?
> 
> Then, adding --require-membership-of with or without
> --domain also fails.
> 
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --domain=%{mschap:NT-Domain} --username=%{Stripped-User-Name:-%{User-Name:-None}}
> --require-membership-of='DOMAIN\\WIFI'
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
> 
> Finally, running ntlm_auth from the command line yields:
> 
> # ntlm_auth --request-nt-key --domain=DOMAIN
> --username=myuser
> --require-membership-of='DOMAIN\\WIFI'
> password:
> NT_STATUS_OK: Success (0x0)

I found this in the radiusd debug log:

[2008/10/03 09:39:30, 0] utils/ntlm_auth.c:get_require_membership_sid(237)
  Winbindd lookupname failed to resolve 'DOMAIN\WIFI' into a SID!

so I removed the '' in the ntlm_auth string like this:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key  
--username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=DOMAIN 
--require-membership-of=DOMAIN\\WIFI --challenge=%{mschap:Challenge:-00} 
--nt-response=%{mschap:NT-Response:-00}"

and now it works.

So this leads me to ask how I can specify group names with spaces such as 
'WIFI 1'.

Also, I had to specify the domain explicitly either via --domain=DOMAIN or 
--domain=%{mschap:NT-Domain:-DOMAIN}. In the latter case, authentication 
succeeds only if the client does NOT specify a domain in the domain or user 
field.
So I'm attaching some debug outputs with the hope that someone can shed some 
light on this aspect which I obviously don't grasp.

Thanks,

Vieri



  

radiusd.log.tar.gz
Description: GNU Zip compressed data

Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-02 Thread Alan DeKok
Vieri wrote:
> However, user authentication is rejected when I add the --domain parameter:
> 
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain}
> --username=%{Stripped-User-Name:-%{User-Name:-None}} 
> --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

  And you didn't post the debug output as suggested in the FAQ, README,
INSTALL, and daily on this list.

  Knowing WHY it was rejected, and WHAT ERROR was produced is key
information that is needed to be able to solve the problem.

  Alan DeKok.


Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-02 Thread Nicolas Goutte


On 02.10.2008 at 19:46, Vieri wrote:

> --- On Thu, 10/2/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
>> As with every other freeradius problem - when it doesn't
>> work - debug
>> (radiusd -X).
>
> That's how I'm running it. Does the list mind if I post the debug
> lines?

Asking for the output of radiusd -X is the most frequent answer on  
this mailing list and so it is not a problem to see such outputs on  
this mailing list.

However please check first by yourself that you have not missed an  
error message that would point you in the right direction. (Because  
that is probably the second most frequent answer.)

Have a nice day!

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Registry court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841


Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-02 Thread Lech Karol Pawłaszek
Vieri wrote:
> --- On Thu, 10/2/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> 
>> As with every other freeradius problem - when it doesn't
>> work - debug
>> (radiusd -X).
> 
> That's how I'm running it. Does the list mind if I post the debug lines?

You're supposed to do so!

It's even in the FreeRADIUS' FAQ (however IMVHO it should be on the ML
front page).

http://wiki.freeradius.org/FAQ#It_still_doesn.27t_work.21

PS: I followed your Reply-To however I don't think that was necessary -
do you really have to set it that way?

Kind regards,

-- 
Lech Karol Pawłaszek 
"You will never see me fall from grace" [KoRn]

Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-02 Thread Vieri
I forgot to mention that I already tried:

with_ntdomain_hack = yes

I'll try to post the relevant radiusd -X debug lines if the ML doesn't mind.




  


Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-02 Thread Vieri

--- On Thu, 10/2/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

> As with every other freeradius problem - when it doesn't
> work - debug
> (radiusd -X).

That's how I'm running it. Does the list mind if I post the debug lines?



  


Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-02 Thread tnt
As with every other freeradius problem - when it doesn't work - debug
(radiusd -X).

Ivan Kalik
Kalik Informatika ISP

On 2/10/2008, "Vieri" <[EMAIL PROTECTED]> wrote:

>Hi,
>
>I'm running freeradius-2.0.5 on Linux.
>
>My setup is as follows:
>
>Windows Vista native client - Linksys AP - FreeRadius Linux server 
>(PEAP/mschapv2) - Active Directory Windows server
>
>Everything works smoothly with the following ntlm_auth parameters in the 
>mschap module:
>
>ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key 
>--username=%{Stripped-User-Name:-%{User-Name:-None}} 
>--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>
>However, user authentication is rejected when I add the --domain parameter:
>
>ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain}
>--username=%{Stripped-User-Name:-%{User-Name:-None}} 
>--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>
>(from the Windows Vista client I obviously set the DOMAIN field; besides, if I 
>run the freeradius daemon with debug enabled I see that it "correctly" receives 
>'DOMAIN\username')
>
>For starters, I don't understand why authentication fails if I add --domain. 
>How can I find out why?
>
>Then, adding --require-membership-of with or without --domain also fails.
>
>ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain}
>--username=%{Stripped-User-Name:-%{User-Name:-None}} 
>--require-membership-of='DOMAIN\\WIFI' --challenge=%{mschap:Challenge:-00} 
>--nt-response=%{mschap:NT-Response:-00}"
>
>Finally, running ntlm_auth from the command line yields:
>
># ntlm_auth --request-nt-key --domain=DOMAIN --username=myuser 
>--require-membership-of='DOMAIN\\WIFI'
>password:
>NT_STATUS_OK: Success (0x0)
>
>Could it be a "bug" in the freeradius version I'm running?
>
>Can anyone please suggest how I can debug this (not a radius expert ;-) )?
>
>Regards,
>
>Vieri
>
>
>
>


Re: Freeradius PEAP and Wireless

2007-06-18 Thread tnt
Read provided instructions in eap.conf.

Ivan Kalik
Kalik Informatika ISP


On 18/6/2007, "Cody Jarrett" <[EMAIL PROTECTED]> wrote:

>Alan Dekok wrote:
>> Cody Jarrett wrote:
>>
>>> I'm trying to setup freeradius with ldap for use with a wireless
>>> network. I don't want to have to deal with tls and certificates if
>>> possible,
>>>
>>
>>   Then you won't be doing PEAP.  It requires TLS and certificates.
>>
>Is what I want possible then? And if so could you provide me with
>details on what it's called or how it's configured?
>> ...
>>
>>> rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is required first.
>>>
>>
>>   What is unclear about that message?  It's telling you that you need
>> TLS for PEAP to work.
>>
>>   All of the howto's show that you have to configure TLS before PEAP.
>> The comments in "eap.conf" say you have to configure TLS before PEAP.
>>
>>   What's the problem?
>>
>>   Alan DeKok.
>> --
>>   http://deployingradius.com   - The web site of the book
>>   http://deployingradius.com/blog/ - The blog
>>
>>
>
>



Re: Freeradius PEAP and Wireless

2007-06-18 Thread Cody Jarrett

Alan Dekok wrote:
> Cody Jarrett wrote:
>> I'm trying to setup freeradius with ldap for use with a wireless 
>> network. I don't want to have to deal with tls and certificates if 
>> possible,
>
>   Then you won't be doing PEAP.  It requires TLS and certificates.

Is what I want possible then? And if so could you provide me with 
details on what it's called or how it's configured?

> ...
>> rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is required first.
>
>   What is unclear about that message?  It's telling you that you need
> TLS for PEAP to work.
>
>   All of the howto's show that you have to configure TLS before PEAP.
> The comments in "eap.conf" say you have to configure TLS before PEAP.
>
>   What's the problem?
>
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog

Re: Freeradius PEAP and Wireless

2007-06-18 Thread Alan Dekok
Cody Jarrett wrote:
> I'm trying to setup freeradius with ldap for use with a wireless 
> network. I don't want to have to deal with tls and certificates if 
> possible,

  Then you won't be doing PEAP.  It requires TLS and certificates.
...
> rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is required first.

  What is unclear about that message?  It's telling you that you need
TLS for PEAP to work.

  All of the howto's show that you have to configure TLS before PEAP.
The comments in "eap.conf" say you have to configure TLS before PEAP.

  What's the problem?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RE: Freeradius PEAP and Wireless

2007-06-18 Thread Josh Howlett
> rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is 
> required first.

You need to uncomment the tls section in eap.conf, even if you're not
intending to use EAP-TLS.

josh.



Re: freeradius -peap ad/ldap

2007-03-15 Thread Sam Schultz
>reference the initial thread where i said i was authenticating off of 
>active directories, using eap-peap.  which i had previously working just 
>fine. 
>Since i didn't specify an instance name in my eap.conf, it is referenced 
>as 'eap' (which i did read, but was following your advice).

Once you configure the eap module, it tends to take care of itself.
Setting Auth-Type & Autz-Type are for when you want to force a user
(or all users, as with DEFAULT entries) to be authorized & 
authenticated by the respective modules.

If you're purely using ldap for authorization & authentication, you
shouldn't need to set either one. I know in my case I had to
set access_attr_used_for_allow to 'no' because I wasn't using the ldap
schema extension packaged with freeradius.

>
>Joe 


Re: freeradius -peap ad/ldap

2007-03-15 Thread joe vieira


Sam Schultz wrote:
>>> DEFAULT 
>>> Autz-Type := ,
>>> Auth-Type := 
>
>> so i did what you recommended, which makes sense to do... i have
>> Autz-type := eap, and in debug mode i get this clearly an access-reject
>> follows. 
>>
>> auth: No authenticate method (Auth-Type) configuration found for the
>> request: Rejecting the user
>> auth: Failed to validate the user.
>
> First off, eap shouldn't be used this way. The top line of eap.conf
> clearly states:
>
> "Whatever you do, do NOT set 'Auth-Type := EAP'.  The server is smart
> enough to figure this out on its own"
>
> Typical modules that would be used here are things like 'files', 'ldap',
> or 'sql'. There are also special types like 'Local' & 'System', which
> you'd have to use one of if you were using an sql table to store user
> credentials.
>
> The second thing you have to understand is the difference between 
> modules & instances. An instance is a specific configuration of a
> module. The instance itself has a name that is user-specified.
> I suggest you read through the configurable_failover document, which
> is usually in /usr/share/doc/freeradius-, it isn't long and
> offers pretty good insight into how freeradius' configuration gets
> processed.
>
> Also, if you need to use a separate back-end for authentication, 
> maybe you should tell us what you need to use so we can give you 
> more specific answers.
>
reference the initial thread where i said i was authenticating off of 
active directories, using eap-peap.  which i had previously working just 
fine. 
Since i didn't specify an instance name in my eap.conf, it is referenced 
as 'eap' (which i did read, but was following your advice).

Joe 


RE: Re: freeradius -peap ad/ldap

2007-03-15 Thread Sam Schultz
>> DEFAULT 
>> Autz-Type := ,
>> Auth-Type := 

>so i did what you recommended, which makes sense to do... i have
>Autz-type := eap, and in debug mode i get this clearly an access-reject
>follows. 
>
>auth: No authenticate method (Auth-Type) configuration found for the
>request: Rejecting the user
>auth: Failed to validate the user.

First off, eap shouldn't be used this way. The top line of eap.conf
clearly states:

"Whatever you do, do NOT set 'Auth-Type := EAP'.  The server is smart
enough to figure this out on its own"

Typical modules that would be used here are things like 'files', 'ldap',
or 'sql'. There are also special types like 'Local' & 'System', which
you'd have to use one of if you were using an sql table to store user
credentials.

The second thing you have to understand is the difference between 
modules & instances. An instance is a specific configuration of a
module. The instance itself has a name that is user-specified.
I suggest you read through the configurable_failover document, which
is usually in /usr/share/doc/freeradius-, it isn't long and
offers pretty good insight into how freeradius' configuration gets
processed.

Also, if you need to use a separate back-end for authentication, 
maybe you should tell us what you need to use so we can give you 
more specific answers.


Re: freeradius -peap ad/ldap

2007-03-15 Thread joe vieira


Sam Schultz wrote:
> On Thu, 15 Mar 2007 10:57:29 -0500 joe vieira <[EMAIL PROTECTED]> 
> wrote:
>> Alan DeKok wrote:
>>> joe vieira wrote:
>>>> i have eap-peap authentication working against our ad domain.  peachy 
>>>> keen.  what i would like to be able to do is, in our openldap 
>>>> environment, store attributes for retrieval by radius, cisco stuff/ 
>>>> etc... i assume the way to do this would be to use the authorization  
>>>> sections, but if you add ldap to that then it automatically adds ldap 
>>>> authentication...which i don't want..
>>>
>>>   Upgrade to a newer version of the server, which doesn't do that.
>>>
>> which versions would that be?
>
> OK, I think I understand what you're asking. If you want to use LDAP
> for authorization ONLY, and something else for authentication, you
> could put an entry like this in your 'users' file:
>
> DEFAULT 
> Autz-Type := ,
> Auth-Type := 
>
> Setting Autz-Type forces a certain type of authorization. Setting
> Auth-Type forces a certain type of authentication. Doing this in a
> DEFAULT entry causes ALL users that have Fall-Through set to yes to
> be passed through the specified authorization & authentication method.
> This could also be set on a per-user basis by changing DEFAULT to 
> a given user's username.
>
so i did what you recommended, which makes sense to do... i have 
Autz-type := eap, and in debug mode i get this; clearly an access-reject 
follows. 

auth: No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
auth: Failed to validate the user.

obviously there is a module called eap..else the daemon would not start...

what do you think?
Joe


Re: freeradius -peap ad/ldap

2007-03-15 Thread Sam Schultz


On Thu, 15 Mar 2007 10:57:29 -0500 joe vieira <[EMAIL PROTECTED]> 
wrote:
>Alan DeKok wrote:
>> joe vieira wrote:
>>> i have eap-peap authentication working against our ad domain.  peachy 
>>> keen.  what i would like to be able to do is, in our openldap 
>>> environment, store attributes for retrieval by radius, cisco stuff/ 
>>> etc... i assume the way to do this would be to use the authorization  
>>> sections, but if you add ldap to that then it automatically adds ldap 
>>> authentication...which i don't want..
>>
>>   Upgrade to a newer version of the server, which doesn't do that.
>>
>which versions would that be?

OK, I think I understand what you're asking. If you want to use LDAP
for authorization ONLY, and something else for authentication, you
could put an entry like this in your 'users' file:

DEFAULT 
Autz-Type := ,
Auth-Type := 

Setting Autz-Type forces a certain type of authorization. Setting
Auth-Type forces a certain type of authentication. Doing this in a
DEFAULT entry causes ALL users that have Fall-Through set to yes to
be passed through the specified authorization & authentication method.
This could also be set on a per-user basis by changing DEFAULT to 
a given user's username.


Re: freeradius -peap ad/ldap

2007-03-15 Thread joe vieira

Alan DeKok wrote:
> joe vieira wrote:
>   
>> i have eap-peap authentication working against our ad domain.  peachy 
>> keen.  what i would like to be able to do is, in our openldap 
>> environment, store attributes for retrieval by radius, cisco stuff/ 
>> etc... i assume the way to do this would be to use the authorization  
>> sections, but if you add ldap to that then it automatically adds ldap 
>> authentication...which i don't want..
>> 
>
>   Upgrade to a newer version of the server, which doesn't do that.
>   
which versions would that be?


Re: freeradius -peap ad/ldap

2007-03-15 Thread Alan DeKok
joe vieira wrote:
>
> i have eap-peap authentication working against our ad domain.  peachy 
> keen.  what i would like to be able to do is, in our openldap 
> environment, store attributes for retrieval by radius, cisco stuff/ 
> etc... i assume the way to do this would be to use the authorization  
> sections, but if you add ldap to that then it automatically adds ldap 
> authentication...which i don't want..

  Upgrade to a newer version of the server, which doesn't do that.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: freeradius -peap ad/ldap

2007-03-15 Thread Sam Schultz
On Thu, 15 Mar 2007 10:16:14 -0500 joe vieira <[EMAIL PROTECTED]> 
wrote:
>Hi all,
>
>I'm using the RHEL build of freeradius 1.0.1.  I'm trying to do 

You really should upgrade that. If I recall correctly, there were
some nasty bugs in the early 1.0.x builds.

>something  that might seem totally stupid, so let me know if i am 
>(no 
>need to flame).   I'm new to freeradius so bear with me a bit.
>

We were all new at some point, some people just forget that :)

>i have eap-peap authentication working against our ad domain.  
>peachy 
>keen.  what i would like to be able to do is, in our openldap 
>environment, store attributes for retrieval by radius, cisco 
>stuff/ 
>etc... i assume the way to do this would be to use the 
>authorization  
>sections, but if you add ldap to that then it automatically adds 
>ldap 
>authentication...which i don't want..
>
>ideas?

You could try using one of the SQL modules. Unlike ldap, the sql
modules only retrieve attributes from an sql table, and set the
attributes for use by later modules (or freeradius, if
'Auth-Type := Local' has been set).

>
>Joe Vieira
>UNIX Systems Administrator
>Clark University


Re: FreeRadius/PEAP

2005-10-15 Thread Phil Mayers

Alan DeKok wrote:

Phil Mayers <[EMAIL PROTECTED]> wrote:

PEAP can have several inner types. One of these is "GTC" (generic token 
card) which sends a prompt and asks for a response. I believe the prompt 
can be "password" and the response the actual password.


How well windows' GTC support works I couldn't tell you, though I know 
it's there.



  Windows doesn't support it, so far as I can tell.


My mistake - I was convinced I'd seen it.

(I suppose it's possible that I had the Cisco wireless card software 
installed, along with its supplicant-fiddling extensions.)


Re: FreeRadius/PEAP

2005-10-13 Thread Alan DeKok
Phil Mayers <[EMAIL PROTECTED]> wrote:
> PEAP can have several inner types. One of these is "GTC" (generic token 
> card) which sends a prompt and asks for a response. I believe the prompt 
> can be "password" and the response the actual password.
> 
> How well windows' GTC support works I couldn't tell you, though I know 
> it's there.

  Windows doesn't support it, so far as I can tell.

  Alan DeKok.


Re: FreeRadius/PEAP

2005-10-13 Thread Phil Mayers

James Taylor wrote:

Am I able to use PEAP to auth to UNIX or PAM instead of mschapv2?  Do I do
this in the EAP.CONF file?  What we are basically trying to do is use
FreeRadius to authenticate against our current user database on our linux
server while still maintaining the PEAP-TLS security with wireless.  Is that
even possible?  



PEAP can have several inner types. One of these is "GTC" (generic token 
card) which sends a prompt and asks for a response. I believe the prompt 
can be "password" and the response the actual password.


How well windows' GTC support works I couldn't tell you, though I know 
it's there.


See the "gtc" section in "eap.conf"

PAM would not help; as Josh says, MSCHAPv2 needs the NT/LM hashes, which 
means either having the hashes, or the plaintext password to generate 
them from, not a "crypt". In any event, PAM seems to work very badly 
because of threading issues.


Re: FreeRadius/PEAP

2005-10-13 Thread Alan DeKok
"James Taylor" <[EMAIL PROTECTED]> wrote:
> Am I able to use PEAP to auth to UNIX or PAM instead of mschapv2?

  Your question doesn't make sense.  Pam and Unix /etc/passwd are both
systems that store "known good" passwords.  MSCHAPv2 is an
authentication protocol where a user tries to authenticate based on an
unknown password.

> What we are basically trying to do is use FreeRadius to authenticate
> against our current user database on our linux server while still
> maintaining the PEAP-TLS security with wireless.  Is that even
> possible?

  No, the crypt'd passwords stored in /etc/passwd are 100% incompatible
with PEAP.  You can:

  a) store clear-text passwords
  b) use EAP-TTLS with tunneled PAP.

  You don't really have many other choices.

  Alan DeKok.


Re: FreeRadius/PEAP

2005-10-13 Thread Michael Griego
/etc/shadow files and PEAP/MSCHAPv2 are mutually exclusive.  You can 
store the NT hashed passwords in the users file if you'd like, but, 
other than that, you'll have to use plaintext passwords.  It's just the 
nature of the beast.


--Mike

James Taylor wrote:


Hi,

 

I am trying to secure my wireless connections using PEAP-TLS MSChapv2 
to authenticate users against my Linux /etc/shadow; /etc/password/; 
and /etc/group files.  I would like to use PAM but UNIX will work 
too.  I do not want to use the USERS file as it stores passwords in 
clear text and that is what we are trying to avoid. 

 

All my tests conclude that this functionality will not work.  I am 
able to Auth just fine using the USERS file with a username and password.


 


Any info or direction would be greatly appreciated.

 


Thank you

 


James





Re: FreeRadius/PEAP

2005-10-13 Thread Josh Howlett

No - your user database needs to store passwords in plaintext or NTLM.

You basically have two options: use a TTLS supplicant instead (such as 
wpa_supplicant or SecureW2), or change your user database.


best regards, josh.

James Taylor wrote:

Am I able to use PEAP to auth to UNIX or PAM instead of mschapv2?  Do I do
this in the EAP.CONF file?  What we are basically trying to do is use
FreeRadius to authenticate against our current user database on our linux
server while still maintaining the PEAP-TLS security with wireless.  Is that
even possible?  


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Josh
Howlett
Sent: Thursday, October 13, 2005 2:25 PM
To: FreeRadius users mailing list
Subject: Re: FreeRadius/PEAP

James,

MSChapv2 needs plaintext or NTLM credentials. You won't be able to do 
what you're trying. It works with users file because you specify the 
plaintext.


josh.

James Taylor wrote:


Hi,



I am trying to secure my wireless connections using PEAP-TLS MSChapv2 to 
authenticate users against my Linux /etc/shadow; /etc/password/; and 
/etc/group files.  I would like to use PAM but UNIX will work too.  I do 
not want to use the USERS file as it stores passwords in clear text and 
that is what we are trying to avoid. 




All my tests conclude that this functionality will not work.  I am able 
to Auth just fine using the USERS file with a username and password.




Any info or direction would be greatly appreciated.



Thank you



James






Re: FreeRadius/PEAP

2005-10-13 Thread Yuri Francalacci
I have everything working with the users file.
Josh, do you think if I have sambaNTpassword attribute in my ldap (I use ldap for authenticating users) with the ntlm credential it could work?
Yuri 
On 10/13/05, Josh Howlett <[EMAIL PROTECTED]> wrote:
> James,
>
> MSChapv2 needs plaintext or NTLM credentials. You won't be able to do
> what you're trying. It works with users file because you specify the
> plaintext.
>
> josh.

-- 
Yuri Francalacci
[EMAIL PROTECTED]

RE: FreeRadius/PEAP

2005-10-13 Thread James Taylor
Am I able to use PEAP to auth to UNIX or PAM instead of mschapv2?  Do I do
this in the EAP.CONF file?  What we are basically trying to do is use
FreeRadius to authenticate against our current user database on our linux
server while still maintaining the PEAP-TLS security with wireless.  Is that
even possible?  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Josh
Howlett
Sent: Thursday, October 13, 2005 2:25 PM
To: FreeRadius users mailing list
Subject: Re: FreeRadius/PEAP

James,

MSChapv2 needs plaintext or NTLM credentials. You won't be able to do 
what you're trying. It works with users file because you specify the 
plaintext.

josh.

James Taylor wrote:
> Hi,
> 
>  
> 
> I am trying to secure my wireless connections using PEAP-TLS MSChapv2 to 
> authenticate users against my Linux /etc/shadow; /etc/password/; and 
> /etc/group files.  I would like to use PAM but UNIX will work too.  I do 
> not want to use the USERS file as it stores passwords in clear text and 
> that is what we are trying to avoid. 
> 
>  
> 
> All my tests conclude that this functionality will not work.  I am able 
> to Auth just fine using the USERS file with a username and password.
> 
>  
> 
> Any info or direction would be greatly appreciated.
> 
>  
> 
> Thank you
> 
>  
> 
> James
> 
> 
> 
> 


Re: FreeRadius/PEAP

2005-10-13 Thread Josh Howlett

James,

MSChapv2 needs plaintext or NTLM credentials. You won't be able to do 
what you're trying. It works with users file because you specify the 
plaintext.


josh.

James Taylor wrote:

Hi,

 

I am trying to secure my wireless connections using PEAP-TLS MSChapv2 to 
authenticate users against my Linux /etc/shadow; /etc/password/; and 
/etc/group files.  I would like to use PAM but UNIX will work too.  I do 
not want to use the USERS file as it stores passwords in clear text and 
that is what we are trying to avoid. 

 

All my tests conclude that this functionality will not work.  I am able 
to Auth just fine using the USERS file with a username and password.


 


Any info or direction would be greatly appreciated.

 


Thank you

 


James






Re: FreeRADIUS + PEAP

2005-03-04 Thread Alan DeKok
"Gustafson, Tim" <[EMAIL PROTECTED]> wrote:
> FreeRADIUS does get the authentication requests, but it
> seems that I've done something wrong and the requests are not being
> authenticated properly.  Here's what I get in my FreeRADIUS log:

  That's nice.  Did you try running it in debugging mode as suggested
in the README, INSTALL, FAQ, and daily on this list?

> Fri Mar  4 13:11:41 2005 : Auth: Login incorrect: [EMAIL PROTECTED]/<no User-Password attribute>] (from client wireless.meitech.com port 9 cli
> 000b7d0fa264)
> 
> Why is there no username attribute?

  I have no idea why you would ask that.  Perhaps you could try
reading the log message again.

> I have configured the Windows XP workstation to use PEAP and it asks
> me for my login name and password, which I entered, but it seems
> that the password attribute is not being sent to FreeRADIUS, or
> maybe it's being sent in a way that FreeRADIUS isn't understanding?

  When PEAP is used, the password is not sent to the server directly,
so the server can't print it in a log message.

> My wireless users are connecting using login names and passwords,
> not certificates, but I think that eap needs certificates anyhow,
> correct?

  No.

  Alan DeKok.



Re: freeRadius, PEAP, MSCHAP, Segment Fault(coredump)

2005-01-05 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> I tried the configure switch and got another Segment Fault(coredump).

  If you look, you'll probably see the same problem.

  Delete ALL of the previously installed FreeRADIUS binaries and
libraries.  Then re-configure and re-make.

  Alan DeKok.




Re: freeRadius, PEAP, MSCHAP, Segment Fault(coredump)

2005-01-05 Thread john . ctr . gauntt

[EMAIL PROTECTED]
wrote:
>> This is my second try at this post; the first was too long.  I read the
>> archives and then attempted to
>> configure freeRadius using PEAP MSCHAP.  After some initial success I am
>> stuck with a Segment Fault(coredump).

Alan Dekok wrote:
>  It's another stupid bug in libltdl.  The fix is to do:

>$ configure --disable-shared
>$ make
>$ make install

>  Alan DeKok.

I tried the configure switch and got another Segment Fault(coredump).  Is
there other debug information that is useful for resolving this problem?
Thanks,
John Gauntt 
[EMAIL PROTECTED]

Re: freeRadius, PEAP, MSCHAP, Segment Fault(coredump)

2005-01-04 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> This is my second try at this post; the first was too long.  I read the 
> archives and then attempted to
> configure freeRadius using PEAP MSCHAP.  After some initial success I am
> stuck with a Segment Fault(coredump).

  It's another stupid bug in libltdl.  The fix is to do:

$ configure --disable-shared
$ make
$ make install

  Alan DeKok.



Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-25 Thread Alan DeKok
"Hand, Chris" <[EMAIL PROTECTED]> wrote:
> I'm still not seeing it.

  If it's listed in the "authorize" section, it will be printed out in
debugging mode.

  Are you willing to provide debug logs?

> Let's start over. What is the best way of authenticating users to an
> NT domain over PEAP? Am I even on the right track?

  ntlm_auth.

  It works, and other people have gotten it to work.  The issue now
becomes poking your configuration so that it works.

  Alan DeKok.



RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-24 Thread Hand, Chris
I'm still not seeing it.

Let's start over. What is the best way of authenticating users to an NT
domain over PEAP? Am I even on the right track?

Chris Hand

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Tuesday, August 24, 2004 10:51 AM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP
client 

"Hand, Chris" <[EMAIL PROTECTED]> wrote:
> Yes, I am using the ntdomain realm. However, I do not see it show up in
> the debugging output. Do I need to do anything other than list
> "ntdomain" in the 'authorize' section to make freeradius use it?

  If it's listed there, you should see it printed out in debugging mode.

  Try listing it immediately after "preprocess", and double-checking
the debug output.

  Alan DeKok.




Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-24 Thread Alan DeKok
"Hand, Chris" <[EMAIL PROTECTED]> wrote:
> Yes, I am using the ntdomain realm. However, I do not see it show up in
> the debugging output. Do I need to do anything other than list
> "ntdomain" in the 'authorize' section to make freeradius use it?

  If it's listed there, you should see it printed out in debugging mode.

  Try listing it immediately after "preprocess", and double-checking
the debug output.

  Alan DeKok.




RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Hand, Chris
Yes, I am using the ntdomain realm. However, I do not see it show up in
the debugging output. Do I need to do anything other than list
"ntdomain" in the 'authorize' section to make freeradius use it?

Chris Hand

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Monday, August 23, 2004 5:19 PM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP
client 

"Hand, Chris" <[EMAIL PROTECTED]> wrote:
> Exactly... The username is not getting fed into ntlm_auth. It seems that
> the stripping of the domain from the username is not working.

  Are you using the "ntdomain" realm, as given in radiusd.conf?

  Are you running it in debugging mode, to see that the "ntdomain"
realm is working?

  Alan DeKok.




Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Alan DeKok
"Hand, Chris" <[EMAIL PROTECTED]> wrote:
> Exactly... The username is not getting fed into ntlm_auth. It seems that
> the stripping of the domain from the username is not working.

  Are you using the "ntdomain" realm, as given in radiusd.conf?

  Are you running it in debugging mode, to see that the "ntdomain"
realm is working?

  Alan DeKok.




RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Hand, Chris
Exactly... The username is not getting fed into ntlm_auth. It seems that
the stripping of the domain from the username is not working. If I use 
--username=%{User-Name}, then it feeds 'MI\\chand' to ntlm_auth.

-Chris Hand

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Monday, August 23, 2004 4:36 PM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP
client 

"Hand, Chris" <[EMAIL PROTECTED]> wrote:
> > Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MI
> > --username= --challenge=3d66c96d9aa150e6
> > --nt-response=c97090b4f7aeeac3ea2a98e24daf1fdac43f626658cbe463
> > Exec-Program-Wait: plaintext: Logon failure (0xc06d)

  Where's the username?

  Alan DeKok.



Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Alan DeKok
"Hand, Chris" <[EMAIL PROTECTED]> wrote:
> > Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MI
> > --username= --challenge=3d66c96d9aa150e6
> > --nt-response=c97090b4f7aeeac3ea2a98e24daf1fdac43f626658cbe463
> > Exec-Program-Wait: plaintext: Logon failure (0xc06d)

  Where's the username?

  Alan DeKok.



RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Hand, Chris
I retyped the config. That is a typo. It should be '--challenge'.

-Chris
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul
Bender
Sent: Monday, August 23, 2004 4:01 PM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP
client

Did you cut and paste or type the lines from your config file? According
to the config file ntlm_auth has the argument '--challence', but the
debug output has the argument '--challenge'.

Hand, Chris wrote:

> I am trying to set up 802.1x on our network and I would like the users
> to be able to use their current Active Directory credentials.
> 
> I need the AD domain to be stripped from the username so that I can feed
> it to ntlm_auth. I am using a Windows XP Pro client and Windows 2003
> server.
> 
> Here is part of my config file.
> 
> Modules {
> realm ntdomain {
>   format = prefix
>   delimiter = "\\"
>   ignore_default = no
>   ignore_null = no
> }
> 
> eap {
>   default_eap_type = peap
>   timer_expire = 60
>   ignore_unknown_eap_types = no
>   cisco_accounting_username_bug = yes
>   tls {
>   private_key_password = whatever
>   private_key_file = ${raddbdir}/certs/cert-srv.pem
>   certificate_file = ${raddbdir}/certs/cert-srv.pem
>   CA_file = ${raddbdir}/certs/demoCA/cacert.pem
>   dh_file = ${raddbdir}/certs/dh
>   random_file = ${raddbdir}/certs/random
>   fragment_size = 1024
>   include_length = yes
>   }
>   peap {
>   default_eap_type = mschapv2
>   }
>   mschapv2 {
>   }
> }
> 
> mschap {
>   authtype = MS-CHAP
>   with_ntdomain_hack = no
>   ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MI /
> --username=%{Stripped-User-Name} --challence=%{mschap:Challenge:-00} /
> --nt-response=%{mschap:NT-Response:-00}"
> }
> }
> 
> authorize {
>   preprocess
>   ntdomain
>   eap
>   files
> }
> 
> authenticate {
>   Auth-Type MS-CHAP {
>   Mschap
>   }
>   eap
> }
> 
> From the debug output:
> radius_xlat: Running registered xlat function of module mschap for
> string 'Challenge'
> radius_xlat: Running registered xlat function of module mschap for
> string 'NT-Response'
> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MI
> --username= --challenge=3d66c96d9aa150e6
> --nt-response=c97090b4f7aeeac3ea2a98e24daf1fdac43f626658cbe463
> Exec-Program-Wait: plaintext: Logon failure (0xc06d) 
> Exec-Program: returned: 1
> 
> If I try ntlm_auth manually, it works fine:
> [EMAIL PROTECTED] raddb]# ntlm_auth --requeset-nt-key --domain=MI /
> --username=chand
> password: 
> NT_STATUS_OK: Success (0x0)
> 
> Has anyone successfully used freeradius to authenticate against Active
> Directory (Windows 2003)?
> 
> Chris Hand 
> Network Engineer
> [EMAIL PROTECTED]
> 
> 
> 
> 


Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Paul Bender
Did you cut and paste or type the lines from your config file? According 
to the config file ntlm_auth has the argument '--challence', but the 
debug output has the argument '--challenge'.

Hand, Chris wrote:
I am trying to set up 802.1x on our network and I would like the users
to be able to use their current Active Directory credentials.
I need the AD domain to be stripped from the username so that I can feed
it to ntlm_auth. I am using a Windows XP Pro client and Windows 2003
server.
Here is part of my config file.
Modules {
    realm ntdomain {
        format = prefix
        delimiter = "\\"
        ignore_default = no
        ignore_null = no
    }

    eap {
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = yes
        tls {
            private_key_password = whatever
            private_key_file = ${raddbdir}/certs/cert-srv.pem
            certificate_file = ${raddbdir}/certs/cert-srv.pem
            CA_file = ${raddbdir}/certs/demoCA/cacert.pem
            dh_file = ${raddbdir}/certs/dh
            random_file = ${raddbdir}/certs/random
            fragment_size = 1024
            include_length = yes
        }
        peap {
            default_eap_type = mschapv2
        }
        mschapv2 {
        }
    }

    mschap {
        authtype = MS-CHAP
        with_ntdomain_hack = no
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MI /
--username=%{Stripped-User-Name} --challence=%{mschap:Challenge:-00} /
--nt-response=%{mschap:NT-Response:-00}"
    }
}

authorize {
    preprocess
    ntdomain
    eap
    files
}

authenticate {
    Auth-Type MS-CHAP {
        Mschap
    }
    eap
}
From the debug output:
radius_xlat: Running registered xlat function of module mschap for
string 'Challenge'
radius_xlat: Running registered xlat function of module mschap for
string 'NT-Response'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MI
--username= --challenge=3d66c96d9aa150e6
--nt-response=c97090b4f7aeeac3ea2a98e24daf1fdac43f626658cbe463
Exec-Program-Wait: plaintext: Logon failure (0xc06d) 
Exec-Program: returned: 1

If I try ntlm_auth manually, it works fine:
[EMAIL PROTECTED] raddb]# ntlm_auth --requeset-nt-key --domain=MI /
--username=chand
password: 
NT_STATUS_OK: Success (0x0)

Has anyone successfully used freeradius to authenticate against Active
Directory (Windows 2003)?
Chris Hand 
Network Engineer
[EMAIL PROTECTED]




Re: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....

2004-05-03 Thread Alan DeKok
"Dourty, Brian R. (IATS)" <[EMAIL PROTECTED]> wrote:
> I patched the rlm_mschap.c file (attached). I pulled code from
> rlm_preprocess.c that handles the with_ntdomain_hack and modified it to
> work.

  Similar code already existed in rlm_mschap.c.  The fix was 1 line.

>  The user_name argument being passed to challenge_hash() function
> now honors the with_ntdomain_hack but my problem still exists. :-(
> Back to the drawing board.

  Hmm... you hacked the User-Name attribute, which isn't generally a
good idea.

  Try the CVS snapshot tomorrow, or grab the latest via anonymous cvs.

  Alan DeKok.




RE: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....

2004-05-03 Thread Dourty, Brian R. \(IATS\)
I patched the rlm_mschap.c file (attached). I pulled code from
rlm_preprocess.c that handles the with_ntdomain_hack and modified it to
work. The user_name argument being passed to challenge_hash() function
now honors the with_ntdomain_hack but my problem still exists. :-( Back
to the drawing board.

Brian D.

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Alan DeKok
> Sent: Monday, May 03, 2004 1:07 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question 
> 
> "Dourty, Brian R. (IATS)" <[EMAIL PROTECTED]> wrote:
> > To clarify things here, the --domain and --username arguments are 
> > right, but the --challenge argument is incorrect.
> 
>   Ah, OK.
> 
> > The username being used in this function still contains the DOMAIN! 
> > This is what is keeping the auth from working. I've added debug 
> > statements to my code. Its using the domain/user. This won't work.
> 
>   Then the "with_ntdomain_hack" should be set...
> 
> > I can't change the client. I can change freeradius. The client 
> > presents freeradius with a domain/username. We all know 
> that is the case.
> 
>   Yes, that's a problem.  The client is *lying* to FreeRADIUS.
> 
> > The challenge and nt-response are both hashes based in part on the 
> > username. The username that freeradius uses when it generates these 
> > hashes is the full username, not the stripped username. 
> This is what 
> > is causing my problem.
> > 
> > Now, the question is how to go about fixing the problem.
> 
>   Theoretically, using "with_ntdomain_hack" should help. 
> 
>   Hmm... the code you pointed out does appear to ignore 
> "with_ntdomain_hack".  I'll fix that.  See tomorrow's CVS snapshot.
> 
>   Alan DeKok.
> 
> 
> 


with_ntdomain_hack.patch
Description: with_ntdomain_hack.patch


Re: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....

2004-05-03 Thread Alan DeKok
"Dourty, Brian R. (IATS)" <[EMAIL PROTECTED]> wrote:
> To clarify things here, the --domain and --username arguments are right,
> but the --challenge argument is incorrect.

  Ah, OK.

> The username being used in this function still contains the DOMAIN! This
> is what is keeping the auth from working. I've added debug statements to
> my code. Its using the domain/user. This won't work.

  Then the "with_ntdomain_hack" should be set...

> I can't change the client. I can change freeradius. The client presents
> freeradius with a domain/username. We all know that is the case.

  Yes, that's a problem.  The client is *lying* to FreeRADIUS.

> The challenge and nt-response are both hashes based in part on the
> username. The username that freeradius uses when it generates these
> hashes is the full username, not the stripped username. This is what is
> causing my problem.
> 
> Now, the question is how to go about fixing the problem.

  Theoretically, using "with_ntdomain_hack" should help. 

  Hmm... the code you pointed out does appear to ignore
"with_ntdomain_hack".  I'll fix that.  See tomorrow's CVS snapshot.

  Alan DeKok.



RE: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....

2004-05-03 Thread Dourty, Brian R. \(IATS\)
> "Dourty, Brian R. (IATS)" <[EMAIL PROTECTED]> wrote:
> > Ok, but isn't the "with_ntdomain_hack = yes" directive in the 
> > radiusd.conf file supposed to correct this behavior?
> 
>   Theoretically, yes.  But when you're calling ntlm_auth, the 
> "with_ntdomain_hack" isn't being used.  Why would it?  You're 
> passing the exact attributes you want to ntlm_auth.  If you 
> don't like the attributes, change them.  Why would we need 
> another configuration option to do the same thing?
> 
> > So now my args for ntlm_auth are right, but I think something is up 
> > with mschap still.
> 
>   If the arguments to ntlm_auth are right, then it should work.

To clarify things here, the --domain and --username arguments are right,
but the --challenge argument is incorrect. 

I'm looking at the code in rlm_mschap.c. I believe this is the code that
creates the value for the --challenge argument for ntlm_auth. It is my
understanding that this is a hash created with this code:

challenge_hash(response->strvalue + 2,
   chap_challenge->strvalue,
   user_name->strvalue, buffer);

The username being used in this function still contains the DOMAIN! This
is what is keeping the auth from working. I've added debug statements to
my code. It's using the domain/user. This won't work. 

> 
> > When the Challenge or Response message is generated is it 
> still trying 
> > to use domain/user as the username?
> 
>   Ask the client, not FreeRADIUS.

I can't change the client. I can change freeradius. The client presents
freeradius with a domain/username. We all know that is the case.

> 
>   And when you're using ntlm_auth, *you* configure it to use 
> "domain\user", or just "user".  So to answer your question on 
> FreeRADIUS's side, go back and read your configuration.
> 
> > I'm confused on this point. When PEAP identity is set to 
> username my 
> > auths work. When the PEAP identity is of the form 
> domain/user MSCHAP 
> > fails.
> 
>   Yes.  This is the problem.  But it has nothing to do with PEAP.

You are right, it has nothing to do with PEAP. Freeradius gets what the
client gives it. The problem occurs in the mschap module. 

>   There's no point trying to configure FreeRADIUS to do the "right"
> thing, when you don't even know what the "right" thing is.  
> Find that out first, and THEN configure the server.

I know what the right thing is. In order for ntlm_auth to return OK,
all of its arguments have to be right. When a client is set up to send
domain/user instead of just user, things break down in the MSCHAP module.
The ntlm_auth function takes 4 arguments from freeradius. They are as
follows:

--domain %{Realm}
--username %{Stripped-User-Name}
--challenge %{mschap:Challenge:-00}
--nt-response %{mschap:NT-Response:-00}

The challenge and nt-response are both hashes based in part on the
username. The username that freeradius uses when it generates these
hashes is the full username, not the stripped username. This is what is
causing my problem.

Now, the question is how to go about fixing the problem.

Brian D.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....

2004-05-01 Thread Alan DeKok
"Dourty, Brian R. (IATS)" <[EMAIL PROTECTED]> wrote:
> Ok, but isn't the "with_ntdomain_hack = yes" directive in the
> radiusd.conf file supposed to correct this behavior?

  Theoretically, yes.  But when you're calling ntlm_auth, the
"with_ntdomain_hack" isn't being used.  Why would it?  You're passing
the exact attributes you want to ntlm_auth.  If you don't like the
attributes, change them.  Why would we need another configuration
option to do the same thing?

> So now my args for ntlm_auth are right, but I think something is up with
> mschap still.

  If the arguments to ntlm_auth are right, then it should work.

> When the Challenge or Response message is generated is it
> still trying to use domain/user as the username?

  Ask the client, not FreeRADIUS.

  And when you're using ntlm_auth, *you* configure it to use
"domain\user", or just "user".  So to answer your question on
FreeRADIUS's side, go back and read your configuration.

> I'm confused on this point. When PEAP identity is set to username my
> auths work. When the PEAP identity is of the form domain/user MSCHAP
> fails.

  Yes.  This is the problem.  But it has nothing to do with PEAP.

> Am I wrong in thinking that with the correct configuration Freeradius
> will allow me to have users from all trusted domains use the MSCHAP
> module for 802.1x auth? Where am I going wrong?

  Yes.  I don't know where you're going wrong.  It may be the client.

  You have debug output which runs ntlm_auth.  Try cutting & pasting
those commands into the command-line, and running them there.  Play
games with "domain\user" and "users", until you get something that
works.

  There's no point trying to configure FreeRADIUS to do the "right"
thing, when you don't even know what the "right" thing is.  Find that
out first, and THEN configure the server.

  Alan DeKok.



RE: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....

2004-04-30 Thread Dourty, Brian R. \(IATS\)
 
> "Dourty, Brian R. (IATS)" <[EMAIL PROTECTED]> wrote:
> > 1. Keeping in mind that user1 in domain1 can auth as long 
> as domain1 
> > isn't supplied why does supplying domain1 cause the auth to fail?
> 
>   Because the MS client does the MS-CHAP calculations using 
> the username without the domain, but supplies the username to 
> the RADIUS server WITH the domain.
> 
>   See the list archives for more explanations.

Ok, but isn't the "with_ntdomain_hack = yes" directive in the
radiusd.conf file supposed to correct this behavior?

# Windows sends us a username in the form of
# DOMAIN\user, but sends the challenge response
# based on only the user portion.  This hack
# corrects for that incorrect behavior.

> 
> > 2. What does preprocess do with the realm it strips off? I'd like to be 
> > able to pass the realm as a --domain option to ntlm_auth.
> 
>   Read the debug log.  It adds it as an attribute.

Ah yes, I see that now. New attribute is called Realm so the line in
radiusd.conf is now:

ntlm_auth = "/usr/bin/ntlm_auth --domain=%{Realm} --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"

So now my args for ntlm_auth are right, but I think something is up with
mschap still. When the Challenge or Response message is generated is it
still trying to use domain/user as the username?

> 
> > 3. Why does PEAP think the username is still domain/user? I see the 
> > following in the logs while running "radius -X -A"
> > 
> >   PEAP: Setting User-Name to UMC-USERS\dourtyb
> 
>   Because that's the name in the EAP identity packet.  Read 
> the debug log, it says this.
> 
> >   Should it be using Stripped-User-Name instead?
> 
>   No.

I'm confused on this point. When PEAP identity is set to username my
auths work. When the PEAP identity is of the form domain/user MSCHAP
fails. 

Am I wrong in thinking that with the correct configuration Freeradius
will allow me to have users from all trusted domains use the MSCHAP
module for 802.1x auth? Where am I going wrong?

Thanks!

Brian Dourty
IAT Services
University of Columbia - Missouri


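Brian's two messages above (the challenge_hash() call he found in rlm_mschap.c, and his earlier question about with_ntdomain_hack) come down to one computation: the 8-byte MS-CHAPv2 challenge is SHA1(PeerChallenge || AuthenticatorChallenge || UserName) truncated to 8 octets (RFC 2759 section 8.2), and, as Alan notes, the Windows client runs it over the bare user name while the RADIUS server receives DOMAIN\user. The Python below is an added example, not code from this thread or from FreeRADIUS: it computes ChallengeHash for both spellings of the name and shows why the value (and therefore the NT-Response and the --challenge argument handed to ntlm_auth, which carries these 8 bytes in hex) only lines up once the domain prefix is removed. The two challenges are constructed sample values, the user name UMC-USERS\dourtyb is taken from Brian's debug output, and strip_nt_domain() is an assumed, simplified rendition of what with_ntdomain_hack does (drop everything up to the first backslash).

```python
"""ChallengeHash (RFC 2759 section 8.2) and the DOMAIN\\user mismatch.

Added example; not FreeRADIUS code. The challenges are constructed values.
"""
import hashlib

# Constructed 16-octet sample challenges (MS-CHAPv2 uses 16 octets each).
PEER_CHALLENGE = bytes(range(0x00, 0x10))
AUTH_CHALLENGE = bytes(range(0x10, 0x20))


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes,
                   user_name: str) -> bytes:
    """RFC 2759 8.2: first 8 octets of SHA1(Peer || Authenticator || UserName).

    This is the value that also seeds the NT-Response, so a different
    user_name here means a different response on the wire.
    """
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("MS-CHAPv2 peer and authenticator challenges are 16 octets")
    sha = hashlib.sha1()
    sha.update(peer_challenge)
    sha.update(authenticator_challenge)
    sha.update(user_name.encode("ascii"))  # 0-to-256-char user name
    return sha.digest()[:8]


def strip_nt_domain(user_name: str) -> str:
    """Assumed, simplified rendition of with_ntdomain_hack: drop a leading
    'DOMAIN\\' so the server hashes the same bytes the Windows client used."""
    _domain, sep, bare = user_name.partition("\\")
    return bare if sep else user_name


def challenge_matches(user_name_as_sent: str, ntdomain_hack: bool,
                      peer: bytes = PEER_CHALLENGE,
                      auth: bytes = AUTH_CHALLENGE) -> bool:
    """Does the server-side challenge equal the one the client computed?

    Client side: always the bare name (the behaviour Alan describes).
    Server side: the User-Name as received, or stripped when the hack is on.
    """
    client_side = challenge_hash(peer, auth, strip_nt_domain(user_name_as_sent))
    server_name = strip_nt_domain(user_name_as_sent) if ntdomain_hack else user_name_as_sent
    server_side = challenge_hash(peer, auth, server_name)
    return client_side == server_side


def demo() -> tuple:
    """The three cases from the thread: bare name works, DOMAIN\\user fails
    without the hack, and works once the domain is stripped."""
    return (
        challenge_matches("dourtyb", ntdomain_hack=False),
        challenge_matches("UMC-USERS\\dourtyb", ntdomain_hack=False),
        challenge_matches("UMC-USERS\\dourtyb", ntdomain_hack=True),
    )


if __name__ == "__main__":
    for name in ("dourtyb", "UMC-USERS\\dourtyb"):
        h = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, name)
        print(f"{name!r:22} --challenge={h.hex()}")
    print("bare / domain without hack / domain with hack:", demo())
```

Run it and the two --challenge values differ; only the stripped name reproduces what the client computed, which is why ntlm_auth rejects the DOMAIN\user form even when --domain and --username are correct.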

Re: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....

2004-04-30 Thread Alan DeKok
"Dourty, Brian R. (IATS)" <[EMAIL PROTECTED]> wrote:
> 1. Keeping in mind that user1 in domain1 can auth as long as domain1
> isn't supplied why does supplying domain1 cause the auth to fail?

  Because the MS client does the MS-CHAP calculations using the
username without the domain, but supplies the username to the RADIUS
server WITH the domain.

  See the list archives for more explanations.

> 2. What does preprocess do with the realm it strips off? I'd like to be able
> to pass the realm as a --domain option to ntlm_auth.

  Read the debug log.  It adds it as an attribute.

> 3. Why does PEAP think the username is still domain/user? I see the
> following in the logs while running "radius -X -A"
> 
>   PEAP: Setting User-Name to UMC-USERS\dourtyb

  Because that's the name in the EAP identity packet.  Read the debug
log, it says this.

>   Should it be using Stripped-User-Name instead?

  No.

  Alan DeKok.



Re: Freeradius PEAP Problems

2004-02-11 Thread Alan DeKok
"Lionel Gavage" <[EMAIL PROTECTED]> wrote:
> even with this option, the problem is always present!
> 
> an idea ?

Buy a better client?

  The tunneled session MUST include an EAP-Identity packet, which is
where the user name comes from.  If the client doesn't send it, don't
complain that FreeRADIUS is broken.  Fix the client.

  The user name is REQUIRED for MS-CHAP, which is what PEAP uses
inside of the TLS tunnel.  Any client that doesn't send a user name is
broken.

  Alan DeKok.



RE: Freeradius PEAP Problems

2004-02-09 Thread Lionel Gavage
Sorry it doesn't work :(


Lionel Gavage


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of Lionel
Gavage
Sent: Monday, 9 February 2004 17:48
To: [EMAIL PROTECTED]
Subject: RE: Freeradius PEAP Problems


OK, thanks Alan, I found it thanks to you.

I added "copy_request_to_tunnel = yes" in the PEAP module and set
"default_eap_type = peap" in the EAP module to "default_eap_type = tls"

Thank you

Lionel Gavage
Network Engineer (SeGI/ULg)
Email: [EMAIL PROTECTED]   Tel: +32-4-3664845
Fax: +32-4-3662920
Bat. B26 SeGI
Bat. B26 SeGI


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of Lionel
Gavage
Sent: Monday, 9 February 2004 17:19
To: [EMAIL PROTECTED]
Subject: RE: Freeradius PEAP Problems



I specified "default_eap_type = peap" in the EAP module ...

Lionel Gavage



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of Lionel
Gavage
Sent: Monday, 9 February 2004 16:49
To: [EMAIL PROTECTED]
Subject: RE: Freeradius PEAP Problems


even with this option, the problem is always present!

an idea ?

Lionel Gavage

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of Alan
DeKok
Sent: Monday, 9 February 2004 16:45
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems


"Lionel Gavage" <[EMAIL PROTECTED]> wrote:
> I use FreeRadius snapshot 20040129 with EAP/TLS EAP/TTLS and EAP/PEAP.
> I try to set up PEAP/MS-CHAPv2 but I've the error "rlm_mschap: We require a
> User-Name for MS-CHAPv2".
> However, I am correctly sending a login/pass. I use Aegis Client under Windows XP.

  Look again.  The tunneled authentication session doesn't have a username.

 You can set "copy_request_to_tunnel = yes" in the PEAP module.  That
should help.

  Alan DeKok.



RE: Freeradius PEAP Problems

2004-02-09 Thread Lionel Gavage
OK, thanks Alan, I found it thanks to you.

I added "copy_request_to_tunnel = yes" in the PEAP module and set
"default_eap_type = peap" in the EAP module to "default_eap_type = tls"

Thank you

Lionel Gavage
Network Engineer (SeGI/ULg)
Email: [EMAIL PROTECTED]   Tel: +32-4-3664845
Fax: +32-4-3662920
Bat. B26 SeGI
Bat. B26 SeGI


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of Lionel
Gavage
Sent: Monday, 9 February 2004 17:19
To: [EMAIL PROTECTED]
Subject: RE: Freeradius PEAP Problems



I specified "default_eap_type = peap" in the EAP module ...

Lionel Gavage



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of Lionel
Gavage
Sent: Monday, 9 February 2004 16:49
To: [EMAIL PROTECTED]
Subject: RE: Freeradius PEAP Problems


even with this option, the problem is always present!

an idea ?

Lionel Gavage

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of Alan
DeKok
Sent: Monday, 9 February 2004 16:45
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems


"Lionel Gavage" <[EMAIL PROTECTED]> wrote:
> I use FreeRadius snapshot 20040129 with EAP/TLS EAP/TTLS and EAP/PEAP.
> I try to set up PEAP/MS-CHAPv2 but I've the error "rlm_mschap: We require a
> User-Name for MS-CHAPv2".
> However, I am correctly sending a login/pass. I use Aegis Client under Windows XP.

  Look again.  The tunneled authentication session doesn't have a username.

 You can set "copy_request_to_tunnel = yes" in the PEAP module.  That
should help.

  Alan DeKok.



Re: Freeradius PEAP Problems

2004-02-09 Thread José Luis Solano
Hi again and sorry if I ask you a lot!!


If you want to send me your radiusd.conf, it will be "very good" for me. So,
please send me your file if it's possible.


See you!!



José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
- Original Message -
From: "Lionel Gavage" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, February 09, 2004 5:31 PM
Subject: RE: Freeradius PEAP Problems


> Hi José,
>
> I use a freeradius snapshot because TTLS isn't in the rpm package.
> You must have the TLS module to use the TTLS module.
>
> The directive "default_eap_type" (in the EAP module) must be set to "tls".
> It's right.
> And the "default_eap_type" (in the TTLS module) to "md5". It's right too.
>
> I can send my config file to you if you want.
>
> Lionel Gavage
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] on behalf of José
> Luis Solano
> Sent: Monday, 9 February 2004 17:32
> To: [EMAIL PROTECTED]
> Subject: Re: Freeradius PEAP Problems
>
>
>
> Sorry Lionel!!! Another question.
>
> I have changed my radiusd.conf and I have activated the TTLS module. But
> now, there are two modules activated, is it a problem?
>
>
> eap {
>default_eap_type = tls !!
>timer_expire = 60
>
> #md5 {
> #}
>
> tls {
> private_key_password = izadisan
> private_key_file =
> /usr/local/openssl/ssl/certs/server/server.pem
> certificate_file =
> /usr/local/openssl/ssl/certs/server/server.pem
> CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt
> dh_file = /usr/local/openssl/ssl/certs/dh
> random_file = /usr/local/openssl/ssl/certs/random
> fragment_size = 600
> include_length = yes
> }
>
> ttls {
> default_eap_type = md5
> !
>  use_tunneled_reply = no
> }
> }
>
> Is it correct?
>
> My freeRADIUS is 0.8.1, does TTLS run with this version?
> Is only the md5 value possible for "default_eap_type"?
>
>
>
> Thanks again Lionel
>
>
>
>
> José Luis Solano
> SGI - Soluciones Globales Internet S.A.
> Delegación Regional Sur
> [EMAIL PROTECTED]
> (+34) 954.088.060
> - Original Message -
> From: "Lionel Gavage" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, February 09, 2004 4:59 PM
> Subject: RE: Freeradius PEAP Problems
>
>
> >
> > Activated the TTLS module:
> >
> > ttls {
> > default_eap_type = md5
> > use_tunneled_reply = no
> > }
> >
> > and it's all.
> >
> >
> > Lionel Gavage
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] on behalf of José
> > Luis Solano
> > Sent: Monday, 9 February 2004 17:03
> > To: [EMAIL PROTECTED]
> > Subject: Re: Freeradius PEAP Problems
> >
> >
> > Hi Lionel!!
> >
> >
> > I would need your help because I use EAP-TLS, EAP-TTLS and PEAP. The first
> > one, TLS runs OK, but TTLS and PEAP don't run OK. My first target now is to
> > run TTLS and I will run PEAP afterwards. So, can you help me please? Currently,
> > my radiusd.conf is:
> >
> > 
> >  # Extensible Authentication Protocol
> > #
> > #  For all EAP related authentications
> > eap {
> > # Invoke the default supported EAP type when
> > # EAP-Identity response is received
> > default_eap_type = tls
> >
> > # Default expiry time to clean the EAP list,
> > # It is maintained to co-relate the
> > # EAP-response for each EAP-request sent.
> > timer_expire = 60
> >
> > # Supported EAP-types
> > #md5 {
> > #}
> >
> > ## EAP-TLS is highly experimental EAP-Type at the
moment.
> > #   Please give feedback on the mailing list.
> > tls {
> > private_key_password = izadisa

RE: Freeradius PEAP Problems

2004-02-09 Thread Lionel Gavage
Hi José,

I use a freeradius snapshot because TTLS isn't in the rpm package.
You must have the TLS module to use the TTLS module.

The directive "default_eap_type" (in the EAP module) must be set to "tls".
It's right.
And the "default_eap_type" (in the TTLS module) to "md5". It's right too.

I can send my config file to you if you want.

Lionel Gavage


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of José
Luis Solano
Sent: Monday, 9 February 2004 17:32
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems



Sorry Lionel!!! Another question.

I have changed my radiusd.conf and I have activated the TTLS module. But
now, there are two modules activated, is it a problem?


eap {
   default_eap_type = tls !!
   timer_expire = 60

#md5 {
#}

tls {
private_key_password = izadisan
private_key_file =
/usr/local/openssl/ssl/certs/server/server.pem
certificate_file =
/usr/local/openssl/ssl/certs/server/server.pem
CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt
dh_file = /usr/local/openssl/ssl/certs/dh
random_file = /usr/local/openssl/ssl/certs/random
fragment_size = 600
include_length = yes
}

ttls {
default_eap_type = md5
!
 use_tunneled_reply = no
}
}

Is it correct?

My freeRADIUS is 0.8.1, does TTLS run with this version?
Is only the md5 value possible for "default_eap_type"?



Thanks again Lionel




José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
- Original Message -
From: "Lionel Gavage" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, February 09, 2004 4:59 PM
Subject: RE: Freeradius PEAP Problems


>
> Activated the TTLS module:
>
> ttls {
> default_eap_type = md5
> use_tunneled_reply = no
> }
>
> and it's all.
>
>
> Lionel Gavage
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] on behalf of José
> Luis Solano
> Sent: Monday, 9 February 2004 17:03
> To: [EMAIL PROTECTED]
> Subject: Re: Freeradius PEAP Problems
>
>
> Hi Lionel!!
>
>
> I would need your help because I use EAP-TLS, EAP-TTLS and PEAP. The first
> one, TLS runs OK, but TTLS and PEAP don't run OK. My first target now is to
> run TTLS and I will run PEAP afterwards. So, can you help me please? Currently, my
> radiusd.conf is:
>
> 
>  # Extensible Authentication Protocol
> #
> #  For all EAP related authentications
> eap {
> # Invoke the default supported EAP type when
> # EAP-Identity response is received
> default_eap_type = tls
>
> # Default expiry time to clean the EAP list,
> # It is maintained to co-relate the
> # EAP-response for each EAP-request sent.
> timer_expire = 60
>
> # Supported EAP-types
> #md5 {
> #}
>
> ## EAP-TLS is highly experimental EAP-Type at the moment.
> #   Please give feedback on the mailing list.
> tls {
> private_key_password = izadisan
> private_key_file =
> /usr/local/openssl/ssl/certs/server/server.pem
>
> #   If Private key & Certificate are located in the
> #   same file, then private_key_file & certificate_file
> #   must contain the same file name.
> certificate_file =
> /usr/local/openssl/ssl/certs/server/server.pem
>
> #   Trusted Root CA list
> CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt
>
> dh_file = /usr/local/openssl/ssl/certs/dh
> random_file = /usr/local/openssl/ssl/certs/random
> #
> #   This can never exceed MAX_RADIUS_LEN (4096)
> #   preferably half the MAX_RADIUS_LEN, to
> #   accommodate other attributes in RADIUS packet.
> #   On most APs the MAX packet length is configured
> #   between 1500 - 1600. In these cases, fragment
> #   size should be

Re: Freeradius PEAP Problems

2004-02-09 Thread José Luis Solano

Sorry Lionel!!! Another question.

I have changed my radiusd.conf and I have activated the TTLS module. But
now, there are two modules activated, is it a problem?


eap {
   default_eap_type = tls !!
   timer_expire = 60

#md5 {
#}

tls {
private_key_password = izadisan
private_key_file =
/usr/local/openssl/ssl/certs/server/server.pem
certificate_file =
/usr/local/openssl/ssl/certs/server/server.pem
CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt
dh_file = /usr/local/openssl/ssl/certs/dh
random_file = /usr/local/openssl/ssl/certs/random
fragment_size = 600
include_length = yes
}

ttls {
default_eap_type = md5
!
 use_tunneled_reply = no
}
}

Is it correct?

My freeRADIUS is 0.8.1, does TTLS run with this version?
Is only the md5 value possible for "default_eap_type"?



Thanks again Lionel




José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
- Original Message -
From: "Lionel Gavage" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, February 09, 2004 4:59 PM
Subject: RE: Freeradius PEAP Problems


>
> Activated the TTLS module:
>
> ttls {
> default_eap_type = md5
> use_tunneled_reply = no
> }
>
> and it's all.
>
>
> Lionel Gavage
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] on behalf of José
> Luis Solano
> Sent: Monday, 9 February 2004 17:03
> To: [EMAIL PROTECTED]
> Subject: Re: Freeradius PEAP Problems
>
>
> Hi Lionel!!
>
>
> I would need your help because I use EAP-TLS, EAP-TTLS and PEAP. The first
> one, TLS runs OK, but TTLS and PEAP don't run OK. My first target now is to
> run TTLS and I will run PEAP afterwards. So, can you help me please? Currently, my
> radiusd.conf is:
>
> 
>  # Extensible Authentication Protocol
> #
> #  For all EAP related authentications
> eap {
> # Invoke the default supported EAP type when
> # EAP-Identity response is received
> default_eap_type = tls
>
> # Default expiry time to clean the EAP list,
> # It is maintained to co-relate the
> # EAP-response for each EAP-request sent.
> timer_expire = 60
>
> # Supported EAP-types
> #md5 {
> #}
>
> ## EAP-TLS is highly experimental EAP-Type at the moment.
> #   Please give feedback on the mailing list.
> tls {
> private_key_password = izadisan
> private_key_file =
> /usr/local/openssl/ssl/certs/server/server.pem
>
> #   If Private key & Certificate are located in the
> #   same file, then private_key_file & certificate_file
> #   must contain the same file name.
> certificate_file =
> /usr/local/openssl/ssl/certs/server/server.pem
>
> #   Trusted Root CA list
> CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt
>
> dh_file = /usr/local/openssl/ssl/certs/dh
> random_file = /usr/local/openssl/ssl/certs/random
> #
> #   This can never exceed MAX_RADIUS_LEN (4096)
> #   preferably half the MAX_RADIUS_LEN, to
> #   accommodate other attributes in RADIUS packet.
> #   On most APs the MAX packet length is configured
> #   between 1500 - 1600. In these cases, fragment
> #   size should be <= 1024.
> #
> fragment_size = 600
>
> #   include_length is a flag which is by default set to yes
> #   If set to yes, Total Length of the message is included
> #   in EVERY packet we send.
> #   If set to no, Total Length of the message is included
> #   ONLY in the First packet of a fragment series.
> #
> include_length = yes
> }
> }

RE: Freeradius PEAP Problems

2004-02-09 Thread Lionel Gavage

I specified "default_eap_type = peap" in the EAP module ...

Lionel Gavage



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of Lionel
Gavage
Sent: Monday, 9 February 2004 16:49
To: [EMAIL PROTECTED]
Subject: RE: Freeradius PEAP Problems


even with this option, the problem is always present!

an idea ?

Lionel Gavage

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of Alan
DeKok
Sent: Monday, 9 February 2004 16:45
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems


"Lionel Gavage" <[EMAIL PROTECTED]> wrote:
> I use FreeRadius snapshot 20040129 with EAP/TLS EAP/TTLS and EAP/PEAP.
> I try to set up PEAP/MS-CHAPv2 but I've the error "rlm_mschap: We require a
> User-Name for MS-CHAPv2".
> However, I am correctly sending a login/pass. I use Aegis Client under Windows XP.

  Look again.  The tunneled authentication session doesn't have a username.

 You can set "copy_request_to_tunnel = yes" in the PEAP module.  That
should help.

  Alan DeKok.



RE: Freeradius PEAP Problems

2004-02-09 Thread Lionel Gavage
Hi José,

If you always have a problem don't hesitate ;)


Lionel Gavage

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of José
Luis Solano
Sent: Monday, 9 February 2004 17:17
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems


Thanks Thanks Thanks Thanks a lot Lionel!!!

Good luck with your problem


José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
- Original Message -
From: "Lionel Gavage" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, February 09, 2004 4:59 PM
Subject: RE: Freeradius PEAP Problems


>
> Activated the TTLS module:
>
> ttls {
> default_eap_type = md5
> use_tunneled_reply = no
> }
>
> and it's all.
>
>
> Lionel Gavage
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] on behalf of José
> Luis Solano
> Sent: Monday, 9 February 2004 17:03
> To: [EMAIL PROTECTED]
> Subject: Re: Freeradius PEAP Problems
>
>
> Hi Lionel!!
>
>
> I would need your help because I use EAP-TLS, EAP-TTLS and PEAP. The first
> one, TLS runs OK, but TTLS and PEAP don't run OK. My first target now is to
> run TTLS and I will run PEAP afterwards. So, can you help me please? Currently, my
> radiusd.conf is:
>
> 
>  # Extensible Authentication Protocol
> #
> #  For all EAP related authentications
> eap {
> # Invoke the default supported EAP type when
> # EAP-Identity response is received
> default_eap_type = tls
>
> # Default expiry time to clean the EAP list,
> # It is maintained to co-relate the
> # EAP-response for each EAP-request sent.
> timer_expire = 60
>
> # Supported EAP-types
> #md5 {
> #}
>
> ## EAP-TLS is highly experimental EAP-Type at the moment.
> #   Please give feedback on the mailing list.
> tls {
> private_key_password = izadisan
> private_key_file =
> /usr/local/openssl/ssl/certs/server/server.pem
>
> #   If Private key & Certificate are located in the
> #   same file, then private_key_file & certificate_file
> #   must contain the same file name.
> certificate_file =
> /usr/local/openssl/ssl/certs/server/server.pem
>
> #   Trusted Root CA list
> CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt
>
> dh_file = /usr/local/openssl/ssl/certs/dh
> random_file = /usr/local/openssl/ssl/certs/random
> #
> #   This can never exceed MAX_RADIUS_LEN (4096)
> #   preferably half the MAX_RADIUS_LEN, to
> #   accommodate other attributes in RADIUS packet.
> #   On most APs the MAX packet length is configured
> #   between 1500 - 1600. In these cases, fragment
> #   size should be <= 1024.
> #
> fragment_size = 600
>
> #   include_length is a flag which is by default set to yes
> #   If set to yes, Total Length of the message is included
> #   in EVERY packet we send.
> #   If set to no, Total Length of the message is included
> #   ONLY in the First packet of a fragment series.
> #
> include_length = yes
> }
> }
> --
>
> What changes do I need to use TTLS?
>
>
>
> Thanks in advance Lionel!!!
>
>
>
> José Luis Solano
> SGI - Soluciones Globales Internet S.A.
> Delegación Regional Sur
> [EMAIL PROTECTED]
> (+34) 954.088.060
> - Original Message -
> From: "Lionel Gavage" <[EMAIL PROTECTED]>
> To: "freeradius-users" <[EMAIL PROTECTED]>
> Sent: Monday, February 09, 2004 4:23 PM
> Subject: Freeradius PEAP Problems
>
>
> > Hi,
> >
> > I use FreeRadius snapshot 20040129 with EAP/TLS EAP/TTLS and EAP/PEAP.
> > I try to set up PEAP/MS-CHAPv2 but I've the error "rlm_mschap: We require a
> > User-Name for MS-CHAPv2".
> > However, I am correctly sending a login/pass. I use Aegis Client under Windows XP.
> >
> > Extract of

Re: Freeradius PEAP Problems

2004-02-09 Thread José Luis Solano
Thanks Thanks Thanks Thanks a lot Lionel!!!

Good luck with your problem


José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
- Original Message -
From: "Lionel Gavage" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, February 09, 2004 4:59 PM
Subject: RE: Freeradius PEAP Problems


>
> Activated the TTLS module:
>
> ttls {
> default_eap_type = md5
> use_tunneled_reply = no
> }
>
> and it's all.
>
>
> Lionel Gavage
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] on behalf of José
> Luis Solano
> Sent: Monday, 9 February 2004 17:03
> To: [EMAIL PROTECTED]
> Subject: Re: Freeradius PEAP Problems
>
>
> Hi Lionel!!
>
>
> I would need your help because I use EAP-TLS, EAP-TTLS and PEAP. The first
> one, TLS runs OK, but TTLS and PEAP don't run OK. My first target now is to
> run TTLS and I will run PEAP afterwards. So, can you help me please? Currently, my
> radiusd.conf is:
>
> 
>  # Extensible Authentication Protocol
> #
> #  For all EAP related authentications
> eap {
> # Invoke the default supported EAP type when
> # EAP-Identity response is received
> default_eap_type = tls
>
> # Default expiry time to clean the EAP list,
> # It is maintained to co-relate the
> # EAP-response for each EAP-request sent.
> timer_expire = 60
>
> # Supported EAP-types
> #md5 {
> #}
>
> ## EAP-TLS is highly experimental EAP-Type at the moment.
> #   Please give feedback on the mailing list.
> tls {
> private_key_password = izadisan
> private_key_file =
> /usr/local/openssl/ssl/certs/server/server.pem
>
> #   If Private key & Certificate are located in the
> #   same file, then private_key_file & certificate_file
> #   must contain the same file name.
> certificate_file =
> /usr/local/openssl/ssl/certs/server/server.pem
>
> #   Trusted Root CA list
> CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt
>
> dh_file = /usr/local/openssl/ssl/certs/dh
> random_file = /usr/local/openssl/ssl/certs/random
> #
> #   This can never exceed MAX_RADIUS_LEN (4096)
> #   preferably half the MAX_RADIUS_LEN, to
> #   accommodate other attributes in RADIUS packet.
> #   On most APs the MAX packet length is configured
> #   between 1500 - 1600. In these cases, fragment
> #   size should be <= 1024.
> #
> fragment_size = 600
>
> #   include_length is a flag which is by default set to yes
> #   If set to yes, Total Length of the message is included
> #   in EVERY packet we send.
> #   If set to no, Total Length of the message is included
> #   ONLY in the First packet of a fragment series.
> #
> include_length = yes
> }
> }
> --
>
> What changes do I need to use TTLS?
>
>
>
> Thanks in advance Lionel!!!
>
>
>
> José Luis Solano
> SGI - Soluciones Globales Internet S.A.
> Delegación Regional Sur
> [EMAIL PROTECTED]
> (+34) 954.088.060
> - Original Message -
> From: "Lionel Gavage" <[EMAIL PROTECTED]>
> To: "freeradius-users" <[EMAIL PROTECTED]>
> Sent: Monday, February 09, 2004 4:23 PM
> Subject: Freeradius PEAP Problems
>
>
> > Hi,
> >
> > I use FreeRadius snapshot 20040129 with EAP/TLS EAP/TTLS and EAP/PEAP.
> > I try to set up PEAP/MS-CHAPv2 but I've the error "rlm_mschap: We require a
> > User-Name for MS-CHAPv2".
> > However, I am correctly sending a login/pass. I use Aegis Client under Windows XP.
> >
> > Extract of the log:
> >
> >   rad_check_password:  Found Auth-Type EAP
> > auth: type "EAP"
> > modcall: entering group authenticate for request 6
> >   rlm_eap: Request found, released from the list
> >   rlm_eap: EAP/mschapv2
> >   rlm_eap

RE: Freeradius PEAP Problems

2004-02-09 Thread Lionel Gavage

Activated the TTLS module:

ttls {
default_eap_type = md5
use_tunneled_reply = no
}

and it's all.


Lionel Gavage

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of José
Luis Solano
Sent: Monday, 9 February 2004 17:03
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems


Hi Lionel!!


I would need your help because I use EAP-TLS, EAP-TTLS and PEAP. The first
one, TLS runs OK, but TTLS and PEAP don't run OK. My first target now is to run
TTLS and I will run PEAP afterwards. So, can you help me please? Currently, my
radiusd.conf is:


# Extensible Authentication Protocol
#
#  For all EAP related authentications
eap {
        # Invoke the default supported EAP type when
        # EAP-Identity response is received
        default_eap_type = tls

        # Default expiry time to clean the EAP list,
        # It is maintained to co-relate the
        # EAP-response for each EAP-request sent.
        timer_expire = 60

        # Supported EAP-types
        #md5 {
        #}

        ## EAP-TLS is highly experimental EAP-Type at the moment.
        #   Please give feedback on the mailing list.
        tls {
                private_key_password = izadisan
                private_key_file = /usr/local/openssl/ssl/certs/server/server.pem

                #   If Private key & Certificate are located in the
                #   same file, then private_key_file & certificate_file
                #   must contain the same file name.
                certificate_file = /usr/local/openssl/ssl/certs/server/server.pem

                #   Trusted Root CA list
                CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt

                dh_file = /usr/local/openssl/ssl/certs/dh
                random_file = /usr/local/openssl/ssl/certs/random
                #
                #   This can never exceed MAX_RADIUS_LEN (4096)
                #   preferably half the MAX_RADIUS_LEN, to
                #   accommodate other attributes in RADIUS packet.
                #   On most APs the MAX packet length is configured
                #   between 1500 - 1600. In these cases, fragment
                #   size should be <= 1024.
                #
                fragment_size = 600

                #   include_length is a flag which is by default set to yes
                #   If set to yes, Total Length of the message is included
                #   in EVERY packet we send.
                #   If set to no, Total Length of the message is included
                #   ONLY in the First packet of a fragment series.
                #
                include_length = yes
        }
}
--

What changes do I need to use TTLS?



Thanks in advance Lionel!!!



José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
- Original Message -
From: "Lionel Gavage" <[EMAIL PROTECTED]>
To: "freeradius-users" <[EMAIL PROTECTED]>
Sent: Monday, February 09, 2004 4:23 PM
Subject: Freeradius PEAP Problems


> Hi,
>
> I use FreeRadius snapshot 20040129 with EAP/TLS EAP/TTLS and EAP/PEAP.
> I try to set up PEAP/MS-CHAPv2 but I get the error "rlm_mschap: We require a
> User-Name for MS-CHAPv2".
> However, I am sending a login/pass correctly. I use Aegis Client under Windows XP.
>
> Extract of the log:
>
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate for request 6
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/mschapv2
>   rlm_eap: processing type mschapv2
> modcall: entering group Auth-Type for request 6
> rlm_mschap: We require a User-Name for MS-CHAPv2
>   modcall[authenticate]: module "mschap" returns invalid for request 6
> modcall: group Auth-Type returns invalid for request 6
>   rlm_eap: Freeing handler
>   modcall[authenticate]: module "eap" returns reject for request 6
> modcall: group authenticate returns reject for request 6
> auth: Failed to validate the user.
>   PEAP: Got tunneled reply RADIUS code 3
> EAP-Message = 0x04080004
> Message-Authenticator = 0x
>   PEAP: Tunneled authentication was rejected.
>   rlm_eap_peap: FAILURE
>   modcall[authenticate]: module "eap" returns handled for request 6
> modcall: group authenticate returns handled for request 6
> Sending Access-Challenge of id 179 to 139.165.212.248:21648
> EAP-Message = 0x01090048190017030100

Re: Freeradius PEAP Problems

2004-02-09 Thread José Luis Solano
Hi Lionel!!


I need your help because I use EAP-TLS, EAP-TTLS and PEAP. The first
one, TLS, runs OK, but TTLS and PEAP don't. My first target now is to run
TTLS, and I will run PEAP afterwards. So, can you help me please? Currently, my
radiusd.conf is:


# Extensible Authentication Protocol
#
#  For all EAP related authentications
eap {
        # Invoke the default supported EAP type when
        # EAP-Identity response is received
        default_eap_type = tls

        # Default expiry time to clean the EAP list,
        # It is maintained to co-relate the
        # EAP-response for each EAP-request sent.
        timer_expire = 60

        # Supported EAP-types
        #md5 {
        #}

        ## EAP-TLS is highly experimental EAP-Type at the moment.
        #   Please give feedback on the mailing list.
        tls {
                private_key_password = izadisan
                private_key_file = /usr/local/openssl/ssl/certs/server/server.pem

                #   If Private key & Certificate are located in the
                #   same file, then private_key_file & certificate_file
                #   must contain the same file name.
                certificate_file = /usr/local/openssl/ssl/certs/server/server.pem

                #   Trusted Root CA list
                CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt

                dh_file = /usr/local/openssl/ssl/certs/dh
                random_file = /usr/local/openssl/ssl/certs/random
                #
                #   This can never exceed MAX_RADIUS_LEN (4096)
                #   preferably half the MAX_RADIUS_LEN, to
                #   accommodate other attributes in RADIUS packet.
                #   On most APs the MAX packet length is configured
                #   between 1500 - 1600. In these cases, fragment
                #   size should be <= 1024.
                #
                fragment_size = 600

                #   include_length is a flag which is by default set to yes
                #   If set to yes, Total Length of the message is included
                #   in EVERY packet we send.
                #   If set to no, Total Length of the message is included
                #   ONLY in the First packet of a fragment series.
                #
                include_length = yes
        }
}
--

What changes do I need to use TTLS?



Thanks in advance Lionel!!!



José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
- Original Message -
From: "Lionel Gavage" <[EMAIL PROTECTED]>
To: "freeradius-users" <[EMAIL PROTECTED]>
Sent: Monday, February 09, 2004 4:23 PM
Subject: Freeradius PEAP Problems


> Hi,
>
> I use FreeRadius snapshot 20040129 with EAP/TLS EAP/TTLS and EAP/PEAP.
> I try to set up PEAP/MS-CHAPv2 but I get the error "rlm_mschap: We require a
> User-Name for MS-CHAPv2".
> However, I am sending a login/pass correctly. I use Aegis Client under Windows XP.
>
> Extract of the log:
>
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate for request 6
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/mschapv2
>   rlm_eap: processing type mschapv2
> modcall: entering group Auth-Type for request 6
> rlm_mschap: We require a User-Name for MS-CHAPv2
>   modcall[authenticate]: module "mschap" returns invalid for request 6
> modcall: group Auth-Type returns invalid for request 6
>   rlm_eap: Freeing handler
>   modcall[authenticate]: module "eap" returns reject for request 6
> modcall: group authenticate returns reject for request 6
> auth: Failed to validate the user.
>   PEAP: Got tunneled reply RADIUS code 3
> EAP-Message = 0x04080004
> Message-Authenticator = 0x
>   PEAP: Tunneled authentication was rejected.
>   rlm_eap_peap: FAILURE
>   modcall[authenticate]: module "eap" returns handled for request 6
> modcall: group authenticate returns handled for request 6
> Sending Access-Challenge of id 179 to 139.165.212.248:21648
> EAP-Message = 0x0109004819001703010018ac414f6ecefb1195938be450e38551daade29cc502427c8d17030100200deeb0441302502f9721238326439a05db8a1f2e0974378092c076a44c9297b4
> Message-Authenticator = 0x
> State = 0x13eb44c46fbe30f082eaf7522f3c315e
> Finished request 6
> Going to the next request
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 139.165.212.248:21648, id=180,
> length=168
> User-Name = "lga"
> Framed-MTU = 1400
> Called-Station-Id = "000c.304f.75da"
> Calling-Station-Id = "000c

RE: Freeradius PEAP Problems

2004-02-09 Thread Lionel Gavage
Even with this option, the problem is still present!

Any idea?

Lionel Gavage

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On behalf of Alan
DeKok
Sent: Monday 9 February 2004 16:45
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems


"Lionel Gavage" <[EMAIL PROTECTED]> wrote:
> I use FreeRadius snapshot 20040129 with EAP/TLS EAP/TTLS and EAP/PEAP.
> I try to set up PEAP/MS-CHAPv2 but I get the error "rlm_mschap: We require a
> User-Name for MS-CHAPv2".
> However, I am sending a login/pass correctly. I use Aegis Client under Windows XP.

  Look again.  The tunneled authentication session doesn't have a username.

 You can set "copy_request_to_tunnel = yes" in the PEAP module.  That
should help.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
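The PEAP setting discussed in this exchange, shown in context. This is an added example of an eap {} section in the FreeRADIUS 1.x/2.x layout, not the poster's configuration or a file shipped with FreeRADIUS; the certificate paths and fragment size are placeholders.

```conf
eap {
        # The outer EAP method offered to the client.
        default_eap_type = peap
        timer_expire = 60

        # PEAP runs inside EAP-TLS, so the tls {} section is still required.
        tls {
                private_key_file = /etc/raddb/certs/server.pem
                certificate_file = /etc/raddb/certs/server.pem
                CA_file = /etc/raddb/certs/ca.pem
                dh_file = /etc/raddb/certs/dh
                random_file = /dev/urandom
                fragment_size = 1024
                include_length = yes
        }

        peap {
                # Inner EAP method run inside the TLS tunnel.
                default_eap_type = mschapv2

                # Copy the outer Access-Request attributes, User-Name
                # included, into the tunneled request so that the inner
                # mschap module is not left without a User-Name.
                copy_request_to_tunnel = yes

                # Keep inner-reply attributes out of the outer Access-Accept
                # unless the inner policy is meant to set them.
                use_tunneled_reply = no
        }

        # The inner method itself must be enabled as well.
        mschapv2 {
        }
}
```

One caveat when relying on the copy: MS-CHAPv2 hashes the username into the challenge the client signs, so whatever User-Name ends up in the inner request has to be byte-for-byte the identity the client used when it computed its response. An outer identity that differs from the inner one (for example an anonymised outer identity, or one with a domain prefix the client stripped) will copy across and then fail to verify.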


Re: Freeradius PEAP Problems

2004-02-09 Thread Alan DeKok
"Lionel Gavage" <[EMAIL PROTECTED]> wrote:
> I use FreeRadius snapshot 20040129 with EAP/TLS EAP/TTLS and EAP/PEAP.
> I try to set up PEAP/MS-CHAPv2 but I get the error "rlm_mschap: We require a
> User-Name for MS-CHAPv2".
> However, I am sending a login/pass correctly. I use Aegis Client under Windows XP.

  Look again.  The tunneled authentication session doesn't have a username.

 You can set "copy_request_to_tunnel = yes" in the PEAP module.  That
should help.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
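Why rlm_mschap refuses to proceed without a User-Name: in MS-CHAPv2 (RFC 2759) the username is an input to the 8-byte challenge that the client's NT-Response and the server's "S=..." authenticator response are both computed over, so the server cannot check either value without the exact name the client used. The example below is added here and is not code from the thread or from FreeRADIUS; it reproduces the two SHA-1 steps of RFC 2759 against the RFC's own section 9.2 test vector. NT-Response and PasswordHashHash are taken from that vector rather than computed, because their DES and MD4 steps are not guaranteed by the Python standard library, and the "invalid: ..." string is a stand-in for the module's behaviour, not its actual return code.

```python
"""MS-CHAPv2 (RFC 2759) steps that take the User-Name as input."""
import hashlib
from typing import Optional

# RFC 2759, section 9.2 test vector (published values, not captured traffic).
USER_NAME = b"User"
AUTHENTICATOR_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
# Taken from the same vector instead of computed: NT-Response needs DES and
# PasswordHashHash needs MD4, neither of which hashlib guarantees.
NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")
PASSWORD_HASH_HASH = bytes.fromhex("41C00C584BD2D91C4017A2A12FA59F3F")

# Fixed padding strings from RFC 2759 section 8.7.
MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes,
                   user_name: bytes) -> bytes:
    """RFC 2759 section 8.2, ChallengeHash(): the 8-byte challenge the client's
    NT-Response is computed over. The username is hashed in, which is why the
    server needs the exact User-Name before it can check anything."""
    if not user_name:
        raise ValueError("MS-CHAPv2 needs a User-Name to derive the challenge")
    h = hashlib.sha1(peer_challenge + authenticator_challenge + user_name)
    return h.digest()[:8]


def generate_authenticator_response(password_hash_hash: bytes, nt_response: bytes,
                                    peer_challenge: bytes,
                                    authenticator_challenge: bytes,
                                    user_name: bytes) -> str:
    """RFC 2759 section 8.7, GenerateAuthenticatorResponse(): the "S=..." value
    the server sends back in its Success packet. It depends on the username
    too, through challenge_hash()."""
    digest = hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()
    challenge = challenge_hash(peer_challenge, authenticator_challenge, user_name)
    digest = hashlib.sha1(digest + challenge + MAGIC2).digest()
    return "S=" + digest.hex().upper()


def tunneled_mschapv2_outcome(inner_user_name: Optional[bytes]) -> str:
    """Stand-in for the server-side decision (assumed wording, not FreeRADIUS
    code): with no User-Name in the tunneled request the challenge cannot be
    formed, so the request is rejected; otherwise the authenticator response
    for the test vector is produced."""
    if not inner_user_name:
        return "invalid: We require a User-Name for MS-CHAPv2"
    return generate_authenticator_response(
        PASSWORD_HASH_HASH, NT_RESPONSE, PEER_CHALLENGE,
        AUTHENTICATOR_CHALLENGE, inner_user_name)


if __name__ == "__main__":
    print(challenge_hash(PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE, USER_NAME).hex())
    print(tunneled_mschapv2_outcome(None))
    print(tunneled_mschapv2_outcome(USER_NAME))
    # A username differing only in case gives a different challenge, so a
    # response computed for "User" does not verify against "user".
    print(challenge_hash(PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE, b"user").hex())
```

The last line of the script is the practical consequence for PEAP: the User-Name the inner request carries must be the exact string the supplicant hashed, case and any domain prefix included, or the NT-Response will not verify even though the password is right.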