Re: Problems with PEAP

2009-12-07 Thread Alan Buxey
hi,

the request gets sent to inner-tunnel (as per standard EAP
configuration) but then inner-tunnel can't authenticate the user -
i.e. there is no authentication method in which your user 'Jens' can be found.

check that the required method is in inner-tunnel

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problems with PEAP

2009-12-07 Thread tnt

 Hello everyone,
 I know that it is something I have forgotten to configure but I can't for my
 life remember what it is.
 What I want to do is to authenticate a user from a Windows machine using
 PEAP.

 Things I've configured in raddb and in raddb/modules are:

 1. Added a user called Jens with Cleartext-Password := kaffe

No, you haven't:

 ++[files] returns noop

There is no entry for that user in the users file. At least not the one the server
is using. If you have multiple installations make sure that you are
configuring files belonging to the instance you are running. Have a look
at the debug of the server startup - it will tell you where the users file is
(when the files module is instantiated).

Ivan Kalik

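The diagnosis above, that "++[files] returns noop" means no entry in the users file matched, as an added Python example that is not from this thread or from FreeRADIUS itself: a small emulation of the rlm_files lookup over a constructed users file modelled on the two-line file quoted later in the thread. It reproduces the noop/ok result, shows that entry names are matched exactly, and reports which check item the server would have to verify an MS-CHAPv2 inner method against. The function names and the simplified users-file handling are this example's own.

```python
"""Emulate the users-file lookup done by the FreeRADIUS 'files' module.

Illustrative code only (not rlm_files): it handles comment lines, entries
that start in column 0 ('name  Attr op value, ...'), and indented reply-item
lines. Values containing '#' or ',' are not handled.
"""

# Constructed users file, modelled on the one quoted in this thread.
# Deliberately no DEFAULT entry, so a name that is not listed yields 'noop'.
SAMPLE_USERS_FILE = """\
# users file: entries start in column 0, reply items are indented
peter Cleartext-Password := "kaffe"

jens  Cleartext-Password := "kaffe"
      Reply-Message = "Welcome %{User-Name}"

ldapuser Auth-Type := LDAP
"""

# Operators the users file uses; ':=' must be tried before '='.
_OPERATORS = (':=', '==', '+=', '!=', '=~', '!~', '>=', '<=', '=', '>', '<')


def _split_items(text):
    """Split 'A := x, B = y' into [('A', ':=', 'x'), ('B', '=', 'y')]."""
    items = []
    for part in text.split(','):
        part = part.strip()
        if not part:
            continue
        for op in _OPERATORS:
            if f' {op} ' in part:
                attr, _, value = part.partition(f' {op} ')
                items.append((attr.strip(), op, value.strip().strip('"')))
                break
    return items


def parse_users_file(text):
    """Return [(name, check_items, reply_items)] in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0] in ' \t':
            # Indented continuation: reply items of the previous entry.
            if entries:
                entries[-1][2].extend(_split_items(line))
            continue
        name, _, rest = line.partition(' ')
        entries.append((name, _split_items(rest), []))
    return entries


def files_lookup(entries, user_name):
    """First entry whose name equals the User-Name (case-sensitive) or is
    DEFAULT wins; no match is what the debug output reports as 'noop'."""
    for entry in entries:
        if entry[0] in (user_name, 'DEFAULT'):
            return entry, 'ok'
    return None, 'noop'


def mschap_credential(check_items):
    """Which check item rlm_mschap could verify an MS-CHAPv2 response
    against: a clear-text or NT password, nothing else."""
    for attr, _, _ in check_items:
        if attr in ('Cleartext-Password', 'NT-Password'):
            return attr
    return None


def diagnose(users_file_text, user_name):
    """(module return code, usable credential attribute or None)."""
    entry, rcode = files_lookup(parse_users_file(users_file_text), user_name)
    return rcode, mschap_credential(entry[1]) if entry else None


if __name__ == '__main__':
    for user in ('jens', 'Jens', 'peter', 'ldapuser'):
        print(user, diagnose(SAMPLE_USERS_FILE, user))
```

The real module also honours Fall-Through and evaluates comparison check items; this emulation only shows why a name that is not in the file, or differs in case from the one the client sends, leaves the module with nothing to return but noop.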


RE: Re: Problems with PEAP

2009-12-07 Thread Peter Carlstedt

Hi Ivan Kalik,

Yes, I do have an input for Jens with Cleartext-Password := kaffe in the users
file.

Also, I do not have several installations of FreeRADIUS on the same installation
of Ubuntu Desktop 9.04.

This one was newly installed yesterday, so there is only one installation.

Also, I could log in using a different user, which was a row above the user Jens.

My users file has two users:

peter Cleartext-Password := kaffe

jens  Cleartext-Password := kaffe

After I logged in with the user peter, I could log in using jens.


Best regards/ Peter Carlstedt


Re: Problems with PEAP

2007-05-10 Thread Alan DeKok
pippo metallaro wrote:
 I use FreeRADIUS with EAP-PEAP and MySQL... but FreeRADIUS doesn't send an
 Access-Accept at the end of authentication... the server sends an
 Access-Challenge; I don't know what the problem is...

  Perhaps you could try reading eap.conf, or the FAQ, or other
documentation that comes with the server.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Problems with PEAP

2007-05-10 Thread Martin Gadbois

What Alan points to is in the default eap.conf from the distro:

##
#
#  ! WARNINGS for Windows compatibility  !
#
##
#
#  If you see the server send an Access-Challenge,
#  and the client never sends another Access-Request,
#  then
#
#   STOP!
#
#  The server certificate has to have special OID's
#  in it, or else the Microsoft clients will silently
#  fail.  See the scripts/xpextensions file for
#  details, and the following page:
#
#   http://support.microsoft.com/kb/814394/en-us
#
#  For additional Windows XP SP2 issues, see:
#
#   http://support.microsoft.com/kb/885453/en-us
#
#  Note that we do not necessarily agree with their
#  explanation... but the fix does appear to work.
#
##

RTFM!

- --
== +-+
Martin Gadbois | Please answer by yes or no.|
Sr. SW Designer| Uncooperative user waste precious CPU time |
Colubris Networks Inc. | -- The Andromeda Strain, M. Crichton, 1969  |


Re: Problems with PEAP/MSCHAPv2 and LDAP Server

2005-02-03 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 If I understood it right, the RADIUS server should do a bind to the LDAP server
  with the DN and password provided.

  What password?  There's no password in MSCHAPv2, and LDAP doesn't do
MSCHAPv2.

 The success answer from LDAP tells the Radius Server authentication
 successful finished.

  LDAP servers are not authentication servers.  RADIUS servers are
authentication servers.  That's the root cause of your confusion.

 Is it basically possible with PEAP/MSCHAPv2 to authenticate at an LDAP
 directory?

  No.  See any number of posts on this list about this topic.

  LDAP has to provide a clear-text, or NT password to FreeRADIUS.
FreeRADIUS will then do the work.

  Alan DeKok.




Re: Problems with PEAP/MSCHAPv2 and LDAP Server

2005-02-03 Thread Benjamin . Doellwanger1
Thanks for the fast answer!

The person who is responsible for the LDAP server told me that our LDAP does
not send a password out, for security reasons, but accepts bindings with a
password (see the radtest log below).
That means if the LDAP server were somehow configured to send out the
attribute UserPassword in cleartext, it would work with MSCHAP?
Is there definitely, when using MSCHAP, no chance to get it to work by having the
RADIUS server send a bind message to the LDAP directory, like I did successfully
in the radtest log below?
 
rad_recv: Access-Request packet from host X:32768, id=71, length=58 
User-Name = XX 
User-Password = XXX 
NAS-IP-Address = 255.255.255.255 
NAS-Port =  
  Processing the authorize section of radiusd.conf 
modcall: entering group authorize for request 8 
  modcall[authorize]: module preprocess returns ok for request 8 
radius_xlat:  '/var/log/radius/radacct/X/auth-detail-20050125' 
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to /var/log/radius/radacct//auth-detail-20050125 
  modcall[authorize]: module auth_log returns ok for request 8 
  modcall[authorize]: module chap returns noop for request 8 
  modcall[authorize]: module mschap returns noop for request 8 
rlm_realm: No '@' in User-Name = XX, looking up realm NULL 
rlm_realm: No such realm NULL 
  modcall[authorize]: module suffix returns noop for request 8 
  rlm_eap: No EAP-Message, not doing EAP 
  modcall[authorize]: module eap returns noop for request 8 
users: Matched DEFAULT at 158 
users: Matched DEFAULT at 160 
  modcall[authorize]: module files returns ok for request 8 
rlm_ldap: - authorize 
rlm_ldap: performing user authorization for XXX 
radius_xlat:  '(cn=XX)' 
radius_xlat:  'cn=X,dc=XXX,dc=de' 
rlm_ldap: ldap_get_conn: Checking Id: 0 
rlm_ldap: ldap_get_conn: Got Id: 0 
rlm_ldap: performing search in cn=X,dc=,dc=de, with filter 
(cn=XX) 
rlm_ldap: looking for check items in directory... 
rlm_ldap: looking for reply items in directory... 
rlm_ldap: user XX authorized to use remote access 
rlm_ldap: ldap_release_conn: Release Id: 0 
  modcall[authorize]: module ldap returns ok for request 8 
modcall: group authorize returns ok for request 8 
  rad_check_password:  Found Auth-Type LDAP 
auth: type LDAP 
  Processing the authenticate section of radiusd.conf 
modcall: entering group Auth-Type for request 8 
rlm_ldap: - authenticate 
rlm_ldap: login attempt by XX with password XX 
rlm_ldap: user DN: cn=XX,cn=X, dc=,dc=de 
rlm_ldap: (re)connect to .X.XX.de:389, authentication 1 
rlm_ldap: bind as cn=XXX,cn=XXX, dc=XXX,dc=de/XPasswordX to 
XX.X..de:389 
rlm_ldap: waiting for bind result ... 
rlm_ldap: Bind was successful 
rlm_ldap: user XX authenticated succesfully 
  modcall[authenticate]: module ldap returns ok for request 8 
modcall: group Auth-Type returns ok for request 8 
Sending Access-Accept of id 71 to :32768 
Finished request 8 


Re: Problems with PEAP/MSCHAPv2 and LDAP Server

2005-02-03 Thread Stefan . Neis
[EMAIL PROTECTED] wrote:

 That means if the LDAP Server would be somehow configured to send out the
 Attribute UserPassword in cleartext, it would work with MSCHAP?

Yes. If Radius gets the cleartext password from somewhere, it
can check if the MSCHAP stuff which the user did send is correct.
If it doesn't get the cleartext password, no check is possible.

 Is there definitely, when using MSCHAP, no chance to get it to work by having the
 RADIUS server send a bind message to the LDAP directory, like I did successfully
 in the log with radtest?

Binding to LDAP requires that the person/program sending
the bind message knows the cleartext password. You can't
obtain that from MSCHAP information, so there's no way
this can work.
 
 HTH,
   Stefan



Re: Problems with PEAP/MSCHAPv2 and LDAP Server

2005-02-03 Thread Mearl Danner
You need to check the archives. But I'll answer anyway.

Here's an explanation from one of Novell's forums. It's talking about
Novell's eDirectory, but would apply to any other LDAP server.

quote
You are correct that the FreeRADIUS LDAP module cannot authenticate an
MS-CHAP password against eDirectory. This is because the RADIUS server
receives only a hash of the password from the client. To verify the
password, the server must look up a clear-text version of the password,
then compute a hash using the clear-text password with a nonce provided in
the access-request packet. If the server-generated hash matches the hash
provided by the client, then authentication is accepted.
unquote

The password is not sent, therefore is not available to the Radius
server to use for a bind against the LDAP server.


Mearl

