Re: What cert import to Windows Clients

2013-03-15 Thread Usuário do Sistema
Hi,

Thanks guys. I ran a test importing only the certificate of the Root CA
into Windows 7 and it seems to be working,

but now I am back to another old question, as follows below.

I'm using PEAP on Wireless configuration and the client machine is a Windows 7

The user d1am is in LDAP/Samba with the attributes LM-Password and NT-Password.

Why does it complain about "No Cleartext-Password configured.  Cannot
create LM-Password"?

What do I have to do in my system (FreeRADIUS, LDAP or client machine) to
make that integration work?

I would like my wireless users (Windows 7, XP and Mac OS) to be
authenticated against LDAP through FreeRADIUS.

Any tip is welcome.

[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: d1am
[mschap] Told to do MS-CHAPv2 for d1am with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect



thanks!





2013/3/14 freeradius-users-requ...@lists.freeradius.org

 --

 Message: 1
 Date: Thu, 14 Mar 2013 19:51:38 +
 From: a.l.m.bu...@lboro.ac.uk
 To: FreeRadius users mailing list
 freeradius-users@lists.freeradius.org
 Subject: Re: errors when check with huntgroup
 Message-ID: 20130314195138.gc31...@lboro.ac.uk
 Content-Type: text/plain; charset=us-ascii

 hi,

 you've edited a whole lot of stuff out of your debug log...including
 the stuff which actually matters where the failure actually occurs
 (you just kept the part where the end result was recorded).

 alan



What cert import to Windows Clients

2013-03-14 Thread Usuário do Sistema
Hello everyone,

I have just deployed FreeRADIUS on a CentOS 5.9 Linux machine.

I would like to use the EAP method with TLS, so I have generated the certs. I
just ran the bootstrap script from /etc/raddb/certs and it generated
many files, as follows:

01.pem
ca.der
ca.key
ca.pem
dh
server.crt
server.csr
server.key
server.p12
server.pem

Which of those files do I have to import to the Windows client machines?

I have installed ca.der on a Windows XP machine, but unsuccessfully. I can't
connect to the wireless network.

I would welcome any tip about how to generate certs on FreeRADIUS and
import them to a Windows machine.


thanks
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: What cert import to Windows Clients

2013-03-14 Thread Alan DeKok
Usuário do Sistema wrote:
 I would like to use the EAP method with TLS, so I have generated the certs. I
 just ran the bootstrap script from /etc/raddb/certs and it generated
 many files, as follows
...
 Which of those files do I have to import to the Windows client machines?

  Just the ca.der and client certificate.

 I have installed ca.der on a Windows XP machine, but unsuccessfully. I can't
 connect to the wireless network.

  Well... there's more to it than that.

 I would welcome any tip about how to generate certs on FreeRADIUS and
 import them to a Windows machine.

  Read this:

http://deployingradius.com/

  It has a detailed set of instructions.

  Or click on the documentation link on www.freeradius.org.  There's
an EAP-TLS Howto.

  This is all very well documented.

  Alan DeKok.


Re: What cert import to Windows Clients

2013-03-14 Thread A . L . M . Buxey
Hi,

  01.pem
 ca.der
 ca.key
 ca.pem
  dh
 server.crt
 server.csr
 server.key
 server.p12
 server.pem
 
 Which of those files do I have to import to the Windows client machines?

For EAP-TLS? As that's a certificate authentication method, you need to
generate client certificates. The standard provided script will make client.*
files and you'll need the client.der or client.cer file.

 I have installed ca.der on a Windows XP machine, but unsuccessfully. I can't
 connect to the wireless network.

Doing what? If you only have ca.der installed - and you put it into the correct
certificate store as per Microsoft docs (or various correct online resources) -
then you can only be doing PEAP with that Windows XP client, so ensure it's
using a username/password that is known to the RADIUS server.

alan


Re: last hurdle...windows clients

2008-11-25 Thread Alan DeKok
Craig White wrote:
 I realize that freeradius has little control over the supplicant but I'm
 wondering if it's something in my setup of tls that the authentication
 should/shouldn't be part of the tunnel because it just assumes a login
 of anonymous instead of the Windows User/Password or never asks me for a
 User/Password...

  Because you've likely configured an anonymous outer identity, and it's
not proceeding to the inner session.  So it's not asking for the
username or password.

  Alan DeKok.


Re: last hurdle...windows clients

2008-11-25 Thread Craig White
On Tue, 2008-11-25 at 10:06 +0100, Alan DeKok wrote:
 Craig White wrote:
  I realize that freeradius has little control over the supplicant but I'm
  wondering if it's something in my setup of tls that the authentication
  should/shouldn't be part of the tunnel because it just assumes a login
  of anonymous instead of the Windows User/Password or never asks me for a
  User/Password...
 
   Because you've likely configured an anonymous outer identity, and it's
 not proceeding to the inner session.  So it's not asking for the
 username or password.

OK, perhaps I am just looking in the wrong place and I'm using an older
version of freeradius (part of RHEL/CentOS 5) but eap.conf, in peap
section only has these options and I haven't found any combination that
works...

copy_request_to_tunnel = yes
use_tunneled_reply = yes
#   proxy_tunneled_request_as_eap = yes
proxy_tunneled_request_as_eap = no

and I have the ttls section commented out.

Am I in the right place? Am I missing something really obvious?

Craig



Re: last hurdle...windows clients

2008-11-25 Thread tnt
Am I in the right place?

No. You are looking at the radius server for something configured on the
supplicant.

Ivan Kalik
Kalik Informatika ISP



Re: last hurdle...windows clients

2008-11-24 Thread Craig White
On Sun, 2008-11-23 at 02:59 -0600, Alan DeKok wrote:
 Craig White wrote:
  OK - that quiets the notification but I still can't figure out the issue
  where I can authenticate RRAS, Macintosh and iPod clients against radius
  via LDAP using mschapv2 but even with the certificates on Windows XP
  clients, with the 'xpextensions' they always try to authenticate as
  'uid=anonymous' and never ask me for name/password credentials to supply
  for authentication.
 
   Then the supplicant is misconfigured.
 
  While I probably would agree that the certificates should be enough and
  not need the user/password authentication, I can't figure out how to
  tell radiusd to accept those with the certificates.
 
   No.  PEAP does MS-CHAP for username/passwd authentication.  If you
 want authentication via client certs, use TLS.
 
  Either way I would be happy...getting windows clients to provide
  username/password or getting radius to accept a client with the
  certificate.
 
   There's something else in your windows configuration that is making it
 *not* ask you for the username/password.  Maybe it's cached in the registry.

HLCU\Software\Microsoft doesn't even have an EAPOL entry at all.

fixed the cert issue but still it's trying to authenticate as
anonymous  ;-(

I realize that freeradius has little control over the supplicant but I'm
wondering if it's something in my setup of tls that the authentication
should/shouldn't be part of the tunnel because it just assumes a login
of anonymous instead of the Windows User/Password or never asks me for a
User/Password...

rad_recv: Access-Request packet from host 192.168.1.250:2054, id=168,
length=161
User-Name = anonymous
NAS-IP-Address = 192.168.1.250
NAS-Port = 0
Called-Station-Id = 00-21-29-E3-D1-84
Calling-Station-Id = 00-04-23-62-BD-3D
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message = 0x026300061900
State = 0x7de5407f2f55958f61578bc598c219a9
Message-Authenticator = 0x0682bd2213fba7b19656a91ac1454267

  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 46
  modcall[authorize]: module preprocess returns ok for request 46
  modcall[authorize]: module chap returns noop for request 46
  modcall[authorize]: module mschap returns noop for request 46
rlm_realm: No '@' in User-Name = anonymous, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 46 
  rlm_eap: EAP packet type response id 99 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 46
users: Matched entry DEFAULT at line 156
  modcall[authorize]: module files returns ok for request 46
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat:  '(uid=anonymous)'
radius_xlat:  'ou=People,ou=Accounts,o=MyOrg'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,ou=Accounts,o=MyOrg, with
filter (uid=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns notfound for request 46
modcall: leaving group authorize (returns updated) for request 46
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
 Processing the authenticate section of radiusd.conf 
modcall: entering group authenticate for request 46
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED

  modcall[authenticate]: module eap returns handled for request 46
modcall: leaving group authenticate (returns handled) for request 46
Sending Access-Challenge of id 168 to 192.168.1.250 port 2054
EAP-Message =
0x0164040619400355040b130b4d61696e204f696365311a301806035504031311772e6d756c6c656e6164762e636f6d3121301f06092a864886f70d01090116126372616967406d756c6c656e70722e636f6d301e170d3038313132333030333435375a170d3138313132313030333435375a3081b8310b30090603550406130255533110300e060355040813074172697a6f6e613110300e0603550407130750686f656e69783130302e060355040a13274d756c6c656e204164766572746973696e6720616e64205075626c69632052656c6174696f6e7331143012060355040b130b4d61696e204f696365311a301806035504031311

  
EAP

Re: last hurdle...windows clients

2008-11-23 Thread Alan DeKok
Craig White wrote:
 OK - that quiets the notification but I still can't figure out the issue
 where I can authenticate RRAS, Macintosh and iPod clients against radius
 via LDAP using mschapv2 but even with the certificates on Windows XP
 clients, with the 'xpextensions' they always try to authenticate as
 'uid=anonymous' and never ask me for name/password credentials to supply
 for authentication.

  Then the supplicant is misconfigured.

 While I probably would agree that the certificates should be enough and
 not need the user/password authentication, I can't figure out how to
 tell radiusd to accept those with the certificates.

  No.  PEAP does MS-CHAP for username/passwd authentication.  If you
want authentication via client certs, use TLS.

 Either way I would be happy...getting windows clients to provide
 username/password or getting radius to accept a client with the
 certificate.

  There's something else in your windows configuration that is making it
*not* ask you for the username/password.  Maybe it's cached in the registry.

  Alan DeKok.


Re: last hurdle...windows clients

2008-11-23 Thread tnt
OK - that quiets the notification but I still can't figure out the issue
where I can authenticate RRAS, Macintosh and iPod clients against radius
via LDAP using mschapv2 but even with the certificates on Windows XP
clients, with the 'xpextensions' they always try to authenticate as
'uid=anonymous' and never ask me for name/password credentials to supply
for authentication.

Thus since my Default Auth Type = LDAP (in users), these clients always
fail authentication.


Then there must be a setting in the supplicant that changes user name to
anonymous for the outer tunnel negotiation. If you upgrade to 2.1.1. you
can leave anonymous as it is and enable ldap only for inner-tunnel
virtual server (where true user name will be used).

Ivan Kalik
Kalik Informatika ISP



Re: last hurdle...windows clients

2008-11-22 Thread tnt
I don't understand the message about unknown_ca in the log below either
because I am acting as my own CA and this same cacert.pem seems to be
happy on the Windows system I imported it on and I've been using it for
a bunch of other daemons.


It probably wants cacert.der.

Ivan Kalik
Kalik Informatika ISP



Re: last hurdle...windows clients

2008-11-22 Thread Craig White
On Sun, 2008-11-23 at 00:24 +0100, [EMAIL PROTECTED] wrote:
 I don't understand the message about unknown_ca in the log below either
 because I am acting as my own CA and this same cacert.pem seems to be
 happy on the Windows system I imported it on and I've been using it for
 a bunch of other daemons.
 
 
 It probably wants cacert.der.

OK - that quiets the notification but I still can't figure out the issue
where I can authenticate RRAS, Macintosh and iPod clients against radius
via LDAP using mschapv2 but even with the certificates on Windows XP
clients, with the 'xpextensions' they always try to authenticate as
'uid=anonymous' and never ask me for name/password credentials to supply
for authentication.

Thus since my Default Auth Type = LDAP (in users), these clients always
fail authentication.

While I probably would agree that the certificates should be enough and
not need the user/password authentication, I can't figure out how to
tell radiusd to accept those with the certificates.

Either way I would be happy...getting windows clients to provide
username/password or getting radius to accept a client with the
certificate.

Craig



last hurdle...windows clients

2008-11-21 Thread Craig White
freeradius-1.1.3-1.2.el5

I am authenticating Windows RRAS connections, Macintosh wifi, iPhone
wifi all with LDAP and mschapv2 (using sambaNTPassword hashes in
OpenLDAP)

My users basically consists of...
DEFAULT Auth-Type = LDAP

eap.conf
default_eap_type = mschapv2
and of course my certificates and LDAP setup which works for all the
above authentications.

My problem is Windows XP laptops (updated to SP3) and I have generated
certificates for them.

I have loaded both the CA and p12 certificates on a Windows client, set
for WPA, TKIP, PEAP but it never asks me for a user name and password
and thus always tries to authenticate as anonymous (log below)...even if
I check the box to 'Automatically use my Windows name and password' - it
still comes in as 'anonymous'

Is there some thing else I need to add so that Windows also uses
name/password or do I have something else in Auth-Type to just allow
those with the certificates? How do I do this?

I don't understand the message about unknown_ca in the log below either
because I am acting as my own CA and this same cacert.pem seems to be
happy on the Windows system I imported it on and I've been using it for
a bunch of other daemons.

Craig

rad_recv: Access-Request packet from host 192.168.1.251:2050, id=112,
length=172
User-Name = anonymous
NAS-IP-Address = 192.168.1.251
NAS-Port = 0
Called-Station-Id = 00-21-29-E3-D1-8A
Calling-Station-Id = 00-04-23-62-BD-3D
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message = 0x02880011198715030100020230
State = 0xce80cf1b72bd9479de376550dc6d9052
Message-Authenticator = 0x90183570c2ef1940d04e9e5dc579a1bd
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 59
  modcall[authorize]: module preprocess returns ok for request 59
  modcall[authorize]: module chap returns noop for request 59
  modcall[authorize]: module mschap returns noop for request 59
rlm_realm: No '@' in User-Name = anonymous, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 59 
  rlm_eap: EAP packet type response id 136 length 17
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 59
users: Matched entry DEFAULT at line 156
  modcall[authorize]: module files returns ok for request 59
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous 
radius_xlat:  '(uid=anonymous)'
radius_xlat:  'ou=People,ou=Accounts,o=MyOrg'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,ou=Accounts,o=MyOrg, with
filter (uid=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0 
  modcall[authorize]: module ldap returns notfound for request 59
modcall: leaving group authorize (returns updated) for request 59
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 59 
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  rlm_eap_tls:  TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA 
TLS_accept:failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca
rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.
In SSL Handshake Phase 
In SSL Accept mode 
rlm_eap: SSL error error:140940E5:SSL routines:SSL3_READ_BYTES:ssl
handshake failure 
rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails.
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  rlm_eap: Freeing handler
  modcall[authenticate]: module eap returns reject for request 59
modcall: leaving group authenticate (returns reject) for request 59
auth: Failed to validate the user.




Re: Windows clients

2005-04-05 Thread Stefan . Neis
[EMAIL PROTECTED] schrieb:

 this is my config  files:

##EAP.conf##
 [EMAIL PROTECTED]:/etc/freeradius# vi eap.conf
 #
 #  The PEAP module needs the TLS module to be installed
 #  and configured, in order to use the TLS tunnel
 #  inside of the EAP packet.  You will still need to
 #  configure the TLS module, even if you do not want
 #  to deploy EAP-TLS in your network.

Did you do that?

Regards,
 Stefan



Windows clients

2005-04-04 Thread yablai-arsene . bougouyou

Hi Everybody!

I'm trying to configure a RADIUS client on Windows XP. I have installed
freeradius on Ubuntu with mysql and phpmyadmin. I don't know what error I am
making. Could someone please help me?
These are my config files:
##EAP.conf##
[EMAIL PROTECTED]:/etc/freeradius# vi eap.conf
#
#  The PEAP module needs the TLS module to be installed
#  and configured, in order to use the TLS tunnel
#  inside of the EAP packet.  You will still need to
#  configure the TLS module, even if you do not want
#  to deploy EAP-TLS in your network.  Users will not
#  be able to request EAP-TLS, as it requires them to
#  have a client certificate.  EAP-PEAP does not
#  require a client certificate.
#
 peap {
#  The tunneled EAP session needs a default
#  EAP type which is separate from the one for
#  the non-tunneled EAP module.  Inside of the
#  PEAP tunnel, we recommend using MS-CHAPv2,
#  as that is the default type supported by
#  Windows clients.
default_eap_type = mschapv2
}

#
#  This takes no configuration.
#
#  Note that it is the EAP MS-CHAPv2 sub-module, not
#  the main 'mschap' module.
#
#  Note also that in order for this sub-module to work,
#  the main 'mschap' module MUST ALSO be configured.
#
#  This module is the *Microsoft* implementation of MS-CHAPv2
#  in EAP.  There is another (incompatible) implementation
#  of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
#  currently support.
#
mschapv2 {
}
}

##user.conf##

# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
# NOTE: we do not use Hint = PPP, since PPP might also be auto-detected
#   by the terminal server in which case there may not be a P suffix.
#   The terminal server sends Framed-Protocol = PPP for auto PPP.
#
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP

#
# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
#
DEFAULT Hint == CSLIP
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP

#
# Default for SLIP: dynamic IP address, SLIP mode.
#
DEFAULT Hint == SLIP
Framed-Protocol = SLIP

#
# Last default: rlogin to our main server.
#
#DEFAULT
#   Service-Type = Login-User,
#   Login-Service = Rlogin,
#   Login-IP-Host = shellbox.ispdomain.com

# #
# # Last default: shell on the local terminal server.
# #
# DEFAULT
#   Service-Type = Shell-User

# On no match, the user is denied access.

##clients.conf##
   #
#  The shared secret use to encrypt and sign packets between
#  the NAS and FreeRADIUS.  You MUST change this secret from the
#  default, otherwise it's not a secret any more!
#
#  The secret can be any string, up to 32 characters in length.
#
secret  = testing123

#
#  The short name is used as an alias for the fully qualified
#  domain name, or the IP address.
#
shortname   = localhost

#
# the following three fields are optional, but may be used by
# checkrad.pl for simultaneous use checks
#

#
# The nastype tells 'checkrad.pl' which NAS-specific method to
#  use to query the NAS for simultaneous use.
#
#  Permitted NAS types are:
#
#   cisco
#   computone
#   livingston
#   max40xx
#   multitech
#   netserver
#   pathras
#   patton
#   portslave
#   tc
#   usrhiper
#   other   # for all other types

 #  The following two configurations are for future use.
#  The 'naspasswd' file is currently used to store the NAS
#  login name and password, which is used by checkrad.pl
#  when querying the NAS for simultaneous use.
#
#   login   = !root
#   password= someadminpas
}

#client some.host.org {
#   secret  = testing123
#   shortname   = localhost
#}

#
#  You can now specify one secret for a network of clients.
#  When a client request comes in, the BEST match is chosen.
#  i.e. The entry from

Re: Windows clients

2005-04-04 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 I'm trying to configure a RADIUS client on Windows XP. I have installed
 freeradius on Ubuntu with mysql and phpmyadmin. I don't know what error I am
 making. Could someone please help me?
 These are my config files:

  sigh  Why do you think posting the configuration files will be useful?

  Read the FAQ.

  Alan DeKok.



Radius, Cisco 1600 and Windows Clients

2005-03-11 Thread Agustín Ciciliani
Dear List,

I apologize if this issue has been discussed, but I couldn't find any docs
that help me out.

I have a network with a Cisco 1601R connected to the Internet and a radius
server (simply an ethernet switch with Windows workstations, the router and
the server running freeradius).

I'm trying to configure the Cisco so that clients dial in to it, the Cisco
validates the user and password with the radius server, and if everything is
OK, it opens the door for that client to access the Internet.

I've based my freeradius installation on
http://www.frontios.com/freeradius.html, so the server is running OK and the
tests show me that it's validating as I need. The communication between the
router and the server is also OK.

The big problem is between the NAS and the clients. I read almost everything
I've found at Cisco about VTI, VPDN, PPP, AAA and RADIUS, but I cannot make
it work...

Besides, I'm not sure what kind of Windows client I should use (PPPoE as an
ADSL connection, or VPN with the IP of the router to dial in).

I'll appreciate any comment, or perhaps you know a good howto or something
that I could read.

THANKS IN ADVANCE!!!

Sincerely,

Agustín




Setup Help: freeradius + cisco catalist + linux windows clients

2004-10-27 Thread Adrian Turcu
Hello list,

I'm completely new to this field and to the concept of radius
authentication. For the last 2 weeks I have read tons of docs about this
concept. I am confused. My task looks like a simple one:
 - linux workstations running xsupplicant 1.0 (wired mode)
 - windows XP and 2000 with 802.1x support
 - cisco catalyst 3550 switch SMI license
 - freeradius 1.0.1 that have to authenticate each workstation on the
network when plugged into the switch based on their mac address.

Could someone point me to some comprehensive howto's about how should I
configure the freeradius to authenticate the clients based on their mac
address with the catalyst in the middle?

I have compiled and installed freeradius with no errors. The
configuration files are the default ones, with the following additions:

In clients.conf I have added

192.168.10.10 {
secret  = 1234567
shortname   = ciscocatalyst
nastype = cisco

}


In users I have added

someuser    Auth-Type := Local
    Service-Type = Framed-User


the cisco catalyst is configured for radius:


aaa new-model
aaa authentication dot1x default enable group radius
radius-server host 192.168.10.217 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key 1234567
!
! freeradius connected to FE 0/1
!
interface FastEthernet0/1
 switchport access vlan 100
 switchport mode access
 no cdp enable
 spanning-tree portfast
!
! client connected to FE0/2
!
interface FastEthernet0/2
 switchport access vlan 100
 switchport mode access
 dot1x port-control auto

With radius running from the command line (radiusd -A -X)
I get these messages on the screen and the client is never authenticated:

rad_recv: Access-Request packet from host 192.168.10.10:1812, id=77,
length=122
NAS-IP-Address = 192.168.10.10
NAS-Port-Type = Async
User-Name = someuser
Service-Type = Framed-User
Framed-MTU = 1500
Calling-Station-Id = 00-10-a4-99-8c-c4
EAP-Message = 0x02150159424e494e5445524e4154494f4e414c
Message-Authenticator = 0x914c5e809544da2aacf9babe83e2542b
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
  modcall[authorize]: module preprocess returns ok for request 8
  modcall[authorize]: module chap returns noop for request 8
  modcall[authorize]: module mschap returns noop for request 8
rlm_realm: No '@' in User-Name = someuser, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 8
  rlm_eap: EAP packet type response id 0 length 21
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 8
users: Matched DEFAULT at 152
users: Matched DEFAULT at 171
users: Matched someuser at 219
  modcall[authorize]: module files returns ok for request 8
modcall: group authorize returns updated for request 8
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Delaying request 8 for 1 seconds
Finished request 8
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 77 to 192.168.10.10:1812
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 8 ID 77 with timestamp 417fb130
Nothing to do.  Sleeping until we see a request.


For the above debug I used a Linux workstation with the MAC address
00-10-a4-99-8c-c4


Please help.


Kind Regards,
Adrian


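The debug logs posted in the threads above stop at different stages of the exchange. As an added example (not code from any poster or from the FreeRADIUS project), this Python script maps the signatures visible in those logs to the stage that failed; the rule names and notes are this example's own, and the sample inputs are abridged copies of log lines quoted above.

```python
import re
from typing import List, NamedTuple, Tuple


class Finding(NamedTuple):
    rule: str
    evidence: List[Tuple[int, str]]  # (line number, matching log line)
    note: str


# A rule fires only if every one of its patterns matches some line of the log.
# Rule names are hypothetical labels; patterns come from the logs in the threads.
RULES = [
    ("inner-mschap-no-hash",
     [r"No Cleartext-Password configured", r"FAILED: No NT/LM-Password"],
     "MS-CHAPv2 ran inside the tunnel, but the mschap module had neither an "
     "NT-Password nor a Cleartext-Password for the user."),
    ("client-rejected-server-ca",
     [r"TLS Alert read:fatal:unknown CA"],
     "The alert was read from the supplicant: the client does not trust the "
     "CA that signed the server certificate."),
    ("outer-identity-sent-to-ldap",
     [r"User-Name = \"?anonymous\"?\s*$",
      r"rlm_ldap: performing user authorization for anonymous",
      r"rlm_ldap: object not found"],
     "LDAP was searched for the anonymous outer identity; the true user name "
     "is only used inside the tunnel."),
    ("auth-type-overrides-eap",
     [r"EAP-Message = 0x", r"Found Auth-Type Local",
      r"No User-Password or CHAP-Password attribute"],
     "The request carries EAP, but Auth-Type was forced to Local, which "
     "expects a password attribute in the request."),
]


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per rule whose patterns all occur in the log."""
    lines = log_text.splitlines()
    findings = []
    for rule, patterns, note in RULES:
        evidence = []
        for pattern in patterns:
            rx = re.compile(pattern)
            hit = next(((n, line.strip()) for n, line in enumerate(lines, 1)
                        if rx.search(line)), None)
            if hit is None:
                break  # one pattern missing: the rule does not apply
            evidence.append(hit)
        else:
            findings.append(Finding(rule, evidence, note))
    return findings


# Sample inputs: abridged from the debug output quoted in the threads above.
PEAP_2013 = """\
[eap] EAP/mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for d1am with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
"""

XP_2008 = """\
User-Name = anonymous
EAP-Message = 0x02880011198715030100020230
rlm_ldap: performing user authorization for anonymous
rlm_ldap: object not found or got ambiguous search result
  rlm_eap_tls:  TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
"""

DOT1X_2004 = """\
User-Name = someuser
EAP-Message = 0x02150159424e494e5445524e4154494f4e414c
users: Matched someuser at 219
  rad_check_password:  Found Auth-Type Local
auth: No User-Password or CHAP-Password attribute in the request
"""

if __name__ == "__main__":
    for name, log in [("PEAP 2013", PEAP_2013), ("XP 2008", XP_2008),
                      ("802.1X 2004", DOT1X_2004)]:
        for f in triage(log):
            print(f"{name}: {f.rule} (log line {f.evidence[-1][0]})")
            print(f"    {f.note}")
```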