Re: Having problems authenticating client computers onto the wireless network using a Cisco AP1252 via FreeRadius 2.1.10 on Ubuntu 12.04.2 servers

2013-05-23 Thread John Douglass

Elizabeth,

We have had mixed results with Ubuntu's default network manager from 
12.04 until the current. Have you tried an alternative wireless manager 
like WICD?


http://www.lawn.gatech.edu/help/gtwifi/ubuntu_troubleshooting.html

- John Douglass, Sr. Systems IT/Architect, Georgia Institute of Technology


On 05/23/2013 12:47 AM, Elizabeth Fife wrote:
Hi, I am having problems authenticating client computers onto the 
wireless network using a Cisco AP1252 via FreeRadius 2.1.10 on Ubuntu 
12.04.2 servers.


Setup:
I have a Cisco AP1252 wireless Access Point connected to a Cisco 
ASA5510 on subnet X.X.5.Z. The access point IP address is X.X.5.101.
The ASA on another port is also connected to the wired network on a 
different subnet, X.X.0.Z.


On the wired network are two RADIUS servers - Ubuntu servers running 
FreeRadius 2.1.10 which are running fine and reliably authenticate 
wired users for ssh connections to the ASA and, importantly, to the 
AP1252 as well (the RADIUS servers' IP addresses are X.X.0.191 and 
X.X.0.192).


Problem:
When a wireless user tries to connect to the wireless network via the 
AP1252 after being disconnected from it for a while (or after waking 
from a long sleep) they are never authenticated. They just try over 
and over and never obtain an IP.


Interestingly, in such a case neither Ubuntu server shows any sign of 
receiving an authentication request from the AP - both Ubuntu servers 
are running in debug mode so they show any activity - there is none.


Oddly:
If I try to authenticate a user wirelessly to the AP and leave it in 
the usual state of trying over and over (with no visible activity on 
the Ubuntu servers) BUT then go to a wired machine and attempt to 
authenticate an ssh connection to the AP1252 using a terminal 
command ssh user1@X.X.5.101, THEN as soon as I hit enter on that 
request (and before I enter a password for the ssh connection) THE 
WAITING WIRELESS USER IS IMMEDIATELY AUTHENTICATED and assigned an IP 
address (and the Ubuntu server shows the authentication activity for 
the wireless user).


Please help me understand what might be causing this behavior - it 
seems like the AP is sleeping and the wired ssh request wakes it up so 
that it sees the pending wireless user waiting and then acts on that, 
completing the wireless user authentication request.


Help

Elizabeth


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Having problems authenticating client computers onto the wireless network using a Cisco AP1252 via FreeRadius 2.1.10 on Ubuntu 12.04.2 servers

2013-05-23 Thread Alan DeKok
Elizabeth Fife wrote:
 Hi, I am having problems authenticating client computers onto the
 wireless network using a Cisco AP1252 via FreeRadius 2.1.10 on Ubuntu
 12.04.2 servers.

  You should upgrade to 2.2.0, but that likely won't fix the problem.

 Problem:
 When a wireless user tries to connect to the wireless network via the
 AP1252 after being disconnected from it for a while (or after waking
 from a long sleep) they are never authenticated. They just try over and
 over and never obtain an IP.
 
 Interestingly in such a case neither Ubuntu server shows any sign of
 receiving an authentication request from the AP  - Both ubuntu servers
 are running in debug mode so they show any activity - there is none

  Well, that's the issue.  If FreeRADIUS doesn't receive traffic, then
it can't authenticate the user.

  So the problem is either the Ubuntu box (which isn't sending data to
the access point), or the access point (which isn't sending data to the
RADIUS server).

 Oddly:
 If I try to authenticate a user wirelessly to the AP and leave it in the
 usual state of trying over and over (with no visible activity on the
 Ubuntu servers) BUT then go to a wired machine and attempt to
 authenticate an ssh connection to the AP1252 using a terminal
 command ssh user1@X.X.5.101, THEN as soon as I hit enter on that
 request (and before I enter a password for the ssh connection) THE
 WAITING WIRELESS USER IS IMMEDIATELY AUTHENTICATED and assigned an IP
 address (and the Ubuntu server shows the authentication activity for
 the wireless user).

  Wow... that looks like the AP is broken.

 Please help me understand what might be causing this behavior - it seems
 like the AP sleeping and the wired ssh request wakes it up so that it
 sees the pending wireless user waiting and then acts on that completing
 the wireless user authentication request

  Which is probably the case.

  I'd say you should try another AP.  If it works, toss your current one
in the garbage.  It's not worth your time to debug weird issues with
closed-source vendor equipment.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
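Alan's split (the AP not sending, or the path between the AP and the server dropping what it sends) can be checked without involving the AP at all: send a hand-built Access-Request from a host on the AP's subnet and watch the debug output on the RADIUS server. The following is an added example, not code from this thread or from FreeRADIUS; the shared secret, the 192.0.2.x addresses and the user name are placeholders for the secret in clients.conf and the addresses in the post. It builds the same kind of packet radtest sends (PAP password obfuscation per RFC 2865 and a Message-Authenticator per RFC 2869) and includes the server-side checks, so the encode/decode round trip can be verified offline before anything is sent.

```python
"""Build, send and check a RADIUS Access-Request (RFC 2865; Message-Authenticator per RFC 2869).

Added example, not code from the thread.  The shared secret, the 192.0.2.x
addresses and the user name are placeholders: use the AP's real address and
the secret configured for it in clients.conf.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST = 1
A_USER_NAME, A_USER_PASSWORD, A_NAS_IP_ADDRESS, A_CALLING_STATION_ID = 1, 2, 4, 31
A_NAS_PORT_TYPE, A_MESSAGE_AUTHENTICATOR = 61, 80
WIRELESS_802_11 = 19


def encrypt_user_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block), seeded by the authenticator."""
    pad = (-len(password)) % 16
    if not password:
        pad = 16                      # the attribute always carries at least one block
    padded = password + b"\x00" * pad
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def decrypt_user_password(blob, secret, authenticator):
    """The server side of the same transform; the zero padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        out += bytes(x ^ y for x, y in zip(blob[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(kind, value):
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(secret, ident, username, password, nas_ip, calling_station):
    """PAP Access-Request; Message-Authenticator goes last so its value can be filled in afterwards."""
    authenticator = os.urandom(16)
    attrs = b"".join([
        attribute(A_USER_NAME, username.encode()),
        attribute(A_USER_PASSWORD, encrypt_user_password(password.encode(), secret, authenticator)),
        attribute(A_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
        attribute(A_NAS_PORT_TYPE, struct.pack("!I", WIRELESS_802_11)),
        attribute(A_CALLING_STATION_ID, calling_station.encode()),
        attribute(A_MESSAGE_AUTHENTICATOR, b"\x00" * 16),
    ])
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    # HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed, keyed by the secret
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def parse_packet(packet):
    """Return (code, id, authenticator, [(type, value), ...]); raise on inconsistent lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"length field says {length}, got {len(packet)} bytes")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return code, ident, packet[4:20], attrs


def verify_message_authenticator(packet, secret):
    """Recompute the HMAC with the attribute value zeroed; False when absent, wrong secret or tampered."""
    pos = 20
    for kind, value in parse_packet(packet)[3]:
        if kind == A_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
        pos += 2 + len(value)
    return False


def server_view(packet, secret):
    """What the RADIUS server sees once it has the secret: user, recovered password, HMAC result."""
    code, ident, authenticator, attrs = parse_packet(packet)
    fields = dict(attrs)
    password = decrypt_user_password(fields.get(A_USER_PASSWORD, b""), secret, authenticator)
    return {"code": code, "id": ident,
            "user": fields.get(A_USER_NAME, b"").decode(errors="replace"),
            "password": password.decode(errors="replace"),
            "message_authenticator_ok": verify_message_authenticator(packet, secret)}


def send_and_wait(packet, server, port=1812, timeout=3.0):
    """Reply code, or None on silence (never arrived, source not in clients.conf, or reply blocked)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_packet(data)[0]


if __name__ == "__main__":
    SECRET = b"testing123"                                   # placeholder for the clients.conf secret
    req = build_access_request(SECRET, 7, "user1", "s3cret", "192.0.2.101", "00-12-cf-4f-14-71")
    print(server_view(req, SECRET))
    print("reply code:", send_and_wait(req, "192.0.2.191"))  # placeholder server address
```

Reading the result on the server side: if `radiusd -X` prints nothing, the packet never reached it; if it prints that the request came from an unknown client, the packet arrived but from a source address that is not in clients.conf (what address translation on the ASA would produce); an Access-Accept or Access-Reject means the path and the secret are fine and the AP itself remains the suspect. FreeRADIUS 2.x listens on UDP 1812 unless configured otherwise, while Cisco IOS access points default to 1645 (as the `10.0.x.x:1645` in the other thread on this page shows), so the port is worth checking in the same pass.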


Having problems authenticating client computers onto the wireless network using a Cisco AP1252 via FreeRadius 2.1.10 on Ubuntu 12.04.2 servers

2013-05-22 Thread Elizabeth Fife
Hi, I am having problems authenticating client computers onto the wireless 
network using a Cisco AP1252 via FreeRadius 2.1.10 on Ubuntu 12.04.2 servers.

Setup:
I have a Cisco AP1252 wireless Access Point connected to a Cisco ASA5510 
on subnet X.X.5.Z. The access point IP address is X.X.5.101.
The ASA on another port is also connected to the wired network on a different 
subnet, X.X.0.Z.

On the wired network are two RADIUS servers - Ubuntu servers running FreeRadius 
2.1.10 which are running fine and reliably authenticate wired users 
for ssh connections to the ASA and, importantly, to the AP1252 as well 
(the RADIUS servers' IP addresses are X.X.0.191 and X.X.0.192).

Problem:
When a wireless user tries to connect to the wireless network via the AP1252
after being disconnected from it for a while (or after waking from a 
long sleep) they are never authenticated. They just try over and over 
and never obtain an IP.

Interestingly, in such a case neither Ubuntu server shows any sign of receiving an 
authentication request from the AP - both Ubuntu servers are running in
debug mode so they show any activity - there is none.

Oddly:
If I try to authenticate a user wirelessly to the AP and leave it in the 
usual state of trying over and over (with no visible activity on the 
Ubuntu servers) BUT then go to a wired machine and attempt to 
authenticate an ssh connection to the AP1252 using a terminal 
command ssh user1@X.X.5.101, THEN as soon as I hit enter on that 
request (and before I enter a password for the ssh connection) THE 
WAITING WIRELESS USER IS IMMEDIATELY AUTHENTICATED and assigned an IP address 
(and the Ubuntu server shows the authentication activity for the wireless user).

Please help me understand what might be causing this behavior - it seems like 
the AP is sleeping and the wired ssh request wakes it up so that it sees 
the pending wireless user waiting and then acts on that, completing the 
wireless user authentication request.

Help

Elizabeth

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

How to set up wireless-network-connections using WPA/WPA2 enterprise authentication?

2011-11-18 Thread Ajay Garg
Hi all.

I have posted my query at

http://www.linuxquestions.org/questions/showthread.php?p=4527255posted=1#post4527255

but think that it might be more relevant at this list. Anyways, I will be
grateful for help from either side :-|

For brevity, here is the query detail ::

Hi all.

Let me confess at the beginning, that this is my first major networking
assignment; so the terminology might not be absolutely adequate. However, I
will try my level best to explain my requirements, and the steps that I
have already taken.

So, my motive is to allocate a network-connection on Fedora 14, using WPA/WPA2
enterprise authentication. I have a F14 base machine, and a F11
virtual-image hosted in a VirtualBox.

Now, I have been able to carry out the stages of installing, configuring
and testing a Freeradius server (which provides RADIUS authentication
protocol) using the links ::

http://olex.openlogic.com/wazi/2011/authenticating-wi-fi-users-with-freeradius/
http://deployingradius.com/scripts/eapol_test/

The Freeradius server is running on my F14 machine. Also, I have been able
to carry out the testing both locally, and remotely (with the aid of F11
machine), with the Freeradius server.

Now.. comes the actual thing
I have a router, on which I have set WPA/WPA2 enterprise authentication,
using TKIP/AES protocol. Upon rebooting the router firmware, I am no longer
able to connect (on either of F14 or F11) via the wireless interface. I am
however, able to connect (on both F14 or F11), if I connect a
two-jack-wire, with one jack into the router, and another jack on my F14
laptop (remembering that F11 is a virtually hosted image).

Now, I intend to do the testing for connecting to the network via wireless
interface. I believe ::

a. That I continue to need the two-jack-wire, so as to provide a
network-communication medium between the router, and the Freeradius server
(which is running on my F14-laptop).

b. To actually test connecting to the network via wireless interface, I
need to somehow be able to have two connections simultaneously (one which I
already have of the wired connection).

Assuming part a. is true, how can b. be accomplished?

I am using NetworkManager as the backend, and nm-applet as the frontend, to
manage connections.

Just for brevity, lspci lists two interfaces (amongst others) - one for
ethernet; other for wireless.

03:00.0 Network controller: Intel Corporation Centrino Wireless-N 1000
04:00.0 Ethernet controller: Atheros Communications AR8152 v1.1 Fast
Ethernet (rev c1)

So, I think, the following question summarises all my queries ::

How to have simultaneous wired connection and wireless connection on
Fedora 14?

Looking forward to some enlightenment.

Regards,
Ajay
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How to set up wireless-network-connections using WPA/WPA2 enterprise authentication?

2011-11-18 Thread John Dennis

On 11/18/2011 03:02 AM, Ajay Garg wrote:

a. That I continue to need the two-jack-wire, so as to provide a
network-communication medium between the router, and the Freeradius
server (which is running on my F14-laptop).


The access point needs a network connection for two primary purposes, 1) 
to provide network access to the wireless client connected to it, 2) to 
connect to a radius server for authentication purposes. The access 
point's network connection is typically provided via wired ethernet, so 
yes you need this.



b. To actually test connecting to the network via wireless interface, I
need to somehow be able to have two connections simultaneously (one
which I already have of the wired connection).

Assuming part a. is true, how can b. be accomplished?

I am using NetworkManager as the backend, and nm-applet as the frontend,
to manage connections.


NetworkManager allows you to have multiple interfaces (i.e. network 
connections). If you open the NM applet you'll see both wired (for f-15 
and higher it's labeled "wired", for f-14 and lower it's probably 
labeled "eth0") and wireless connections. If you've got a wired 
connection (because you've plugged your ethernet cable into your 
ethernet port) and you want wireless as well, all you have to do is open 
the NM applet and locate the wireless access point you want to connect 
to and connect (possibly needing to configure some connection parameters 
for that AP). It's pretty straightforward.


--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Encrypted password with FR+LDAP+Wireless Network

2010-05-17 Thread Michael Lecuyer
The password is encoded for PAP (when a User-Password is present). It's 
the only authentication method that uses decodable passwords. FR is 
displaying it in plain text for your convenience.


Inácio Alves wrote:

Good Morning to all.

I would like to know if it is possible to use FR+LDAP with User-Password encrypted? I'm 
using FR 2.1.8 + OpenLDAP 2.4.21. I'm trying to configure FR to 
authenticate users in a wireless network.


This is my debug output. When I try a radtest with login/pass from the 
users file I don't get a warning, but LDAP


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Controlling access to my Wireless network.

2007-09-19 Thread A . L . M . Buxey
Hi,

 The document you gave is good, except for the client certificate part.  I
 don't want to have to give certificates out to everyone on my wireless
 network.  Is there a way to get around this?

err no. EAP-TLS uses client and server certificates. if you want to use
just the server cert then EAP-PEAP or EAP-TTLS is your way.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Controlling access to my Wireless network.

2007-09-19 Thread A . L . M . Buxey
Hi,

 network, mac & xp.  I wouldn't mind using plain text passwords if that could
 be forced.  The only configurations that get close to working get as far as
 mschapv2, then fail because of no nt/lm password.  If I could use the
 password from my ldap connection which seems to be working nicely, then I
 would be thrilled.  Could you give me the eap.conf that would do that?
 Thanks a million

it wouldn't be in your eap.conf for a start - if you want to use PEAP against
your LDAP then you'll most likely need to put the NT hash of their password
into your LDAP directory and point to that instead in your LDAP checks.
a lot (a LOT) of people do this and are present on this list. if you want
to use plain text password checks then EAP-TTLS with PAP inner is one
of the only ways - but for that you'll need to install extra software
on the WinXP machines


alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Controlling access to my Wireless network

2007-09-19 Thread Arjuna Scagnetto


 network, mac & xp.  I wouldn't mind using plain text passwords if that could
 be forced.  The only configurations that get close to working get as far as
 mschapv2, then fail because of no nt/lm password.  If I could use the
 password from my ldap connection which seems to be working nicely, then I
 would be thrilled.  Could you give me the eap.conf that would do that?
 Thanks a million
 
 it wouldn't be in your eap.conf for a start - if you want to use PEAP against
 your LDAP then you'll most likely need to put the NT hash of their password
 into your LDAP directory and point to that instead in your LDAP checks.
 a lot (a LOT) of people do this and are present on this list. if you want
 to use plain text password checks then EAP-TTLS with PAP inner is one
 of the only ways - but for that you'll need to install extra software
 on the WinXP machines

securew2 is free and enables winxp to recognize ttls-pap packets.

arjuna

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Controlling access to my Wireless network.

2007-09-18 Thread Kent Thomas
Hello all,
I'm looking for a simple way to protect access to my wireless network.  I'm
seeing a lot of old documentation on how to use EAP-TLS to protect the
wireless network.  I've found lots of old documentation on how to setup WPA
Enterprise.  I would like some updated documentation on how to do this.

I have a couple SonicWall SonicPoint devices that have the capability to do
WPA Enterprise or WPA2 enterprise or both. I would like to be able to have a
user attempt to join my wireless network, but be presented with the request
for Username and Password.  From there I would like to be able to have their
connection authenticated and then allow them on.  No authentication, no
getting on.  Securing the wireless signal is not the primary focus here.
Securing the access to the network is.

Is there a way to do this?  I have FreeRadius 1.1.7 installed and working
and currently will authenticate against my ldap server.

Thank you for lending a hand to a newby here.
Kent


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Controlling access to my Wireless network.

2007-09-18 Thread Donny Jekels
simplest, don't turn it on.

On 9/18/07, Kent Thomas [EMAIL PROTECTED] wrote:

 Hello all,
 I'm looking for a simple way to protect access to my wireless
 network.  I'm
 seeing a lot of old documentation on how to use EAP-TLS to protect the
 wireless network.  I've found lots of old documentation on how to setup
 WPA
 Enterprise.  I would like some updated documentation on how to do this.

 I have a couple SonicWall SonicPoint devices that have the capability to
 do
 WPA Enterprise or WPA2 enterprise or both. I would like to be able to have
 a
 user attempt to join my wireless network, but be presented with the
 request
 for Username and Password.  From there I would like to be able to have
 their
 connection authenticated and then allow them on.  No authentication, no
 getting on.  Securing the wireless signal is not the primary focus here.
 Securing the access to the network is.

 Is there a way to do this?  I have FreeRadius 1.1.7 installed and working
 and currently will authenticate against my ldap server.

 Thank you for lending a hand to a newby here.
 Kent


 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Controlling access to my Wireless network.

2007-09-18 Thread Phil Mayers
On Tue, 2007-09-18 at 08:13 -0600, Kent Thomas wrote:
 Hello all,
 I'm looking for a simple way to protect access to my wireless network.  I'm
 seeing a lot of old documentation on how to use EAP-TLS to protect the
 wireless network.  I've found lots of old documentation on how to setup WPA
 Enterprise.  I would like some updated documentation on how to do this.
 

This is an extremely common setup.

http://wiki.freeradius.org/WPA_HOWTO

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Controlling access to my Wireless network.

2007-09-18 Thread Kent Thomas
Phil,
Thanks a million for the reply. You are the first to actually reply with
some info for me to look at.

The document you gave is good, except for the client certificate part.  I
don't want to have to give certificates out to everyone on my wireless
network.  Is there a way to get around this?

Thanks a million.
Kent


On 9/18/07 4:01 PM, Phil Mayers [EMAIL PROTECTED] wrote:

 On Tue, 2007-09-18 at 08:13 -0600, Kent Thomas wrote:
 Hello all,
 I'm looking for a simple way to protect access to my wireless network.  I'm
 seeing a lot of old documentation on how to use EAP-TLS to protect the
 wireless network.  I've found lots of old documentation on how to setup WPA
 Enterprise.  I would like some updated documentation on how to do this.
 
 
 This is an extremely common setup.
 
 http://wiki.freeradius.org/WPA_HOWTO
 
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
 


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Controlling access to my Wireless network.

2007-09-18 Thread tnt
If you have XP clients your best option is PEAP. Read instructions in
eap.conf about setting it up. But that will work only if your passwords
are stored in plain text or NT hash (not much to do with EAP but
MSCHAPv2 used as tunnel authentication protocol). If your passwords are
encrypted in some other way you can use SecureW2 supplicant and TTLS-PAP.

Ivan Kalik
Kalik Informatika ISP


Dana 18/9/2007, Kent Thomas [EMAIL PROTECTED] piše:

Phil,
Thanks a million for the reply. You are the first to actually reply with
some info for me to look at.

The document you gave is good, except for the client certificate part.  I
don't want to have to give certificates out to everyone on my wireless
network.  Is there a way to get around this?

Thanks a million.
Kent


On 9/18/07 4:01 PM, Phil Mayers [EMAIL PROTECTED] wrote:

 On Tue, 2007-09-18 at 08:13 -0600, Kent Thomas wrote:
 Hello all,
 I'm looking for a simple way to protect access to my wireless network.  I'm
 seeing a lot of old documentation on how to use EAP-TLS to protect the
 wireless network.  I've found lots of old documentation on how to setup WPA
 Enterprise.  I would like some updated documentation on how to do this.


 This is an extremely common setup.

 http://wiki.freeradius.org/WPA_HOWTO

 -
 List info/subscribe/unsubscribe? See 
 http://www.freeradius.org/list/users.html



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Controlling access to my Wireless network.

2007-09-18 Thread Kent Thomas
Ivan, thanks a million.  I've been looking at using peap.  I have a mixed
network, mac & xp.  I wouldn't mind using plain text passwords if that could
be forced.  The only configurations that get close to working get as far as
mschapv2, then fail because of no nt/lm password.  If I could use the
password from my ldap connection which seems to be working nicely, then I
would be thrilled.  Could you give me the eap.conf that would do that?
Thanks a million
Kent 


On 9/18/07 4:27 PM, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 If you have XP clients your best option is PEAP. Read instructions in
 eap.conf about setting it up. But that will work only if your passwords
 are stored in plain text or NT hash (not much to do with EAP but
 MSCHAPv2 used as tunnel authentication protocol). If your passwords are
 encrypted in some other way you can use SecureW2 supplicant and TTLS-PAP.
 
 Ivan Kalik
 Kalik Informatika ISP
 
 
 Dana 18/9/2007, Kent Thomas [EMAIL PROTECTED] piše:
 
 Phil,
 Thanks a million for the reply. You are the first to actually reply with
 some info for me to look at.
 
 The document you gave is good, except for the client certificate part.  I
 don't want to have to give certificates out to everyone on my wireless
 network.  Is there a way to get around this?
 
 Thanks a million.
 Kent
 
 
 On 9/18/07 4:01 PM, Phil Mayers [EMAIL PROTECTED] wrote:
 
 On Tue, 2007-09-18 at 08:13 -0600, Kent Thomas wrote:
 Hello all,
 I'm looking for a simple way to protect access to my wireless network.  I'm
 seeing a lot of old documentation on how to use EAP-TLS to protect the
 wireless network.  I've found lots of old documentation on how to setup WPA
 Enterprise.  I would like some updated documentation on how to do this.
 
 
 This is an extremely common setup.
 
 http://wiki.freeradius.org/WPA_HOWTO
 
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
 
 
 
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
 
 
 
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
 



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Controlling access to my Wireless network.

2007-09-18 Thread tnt
If you are in control of Ldap server then you can enforce whatever
password scheme you see fit. If you map Cleartext-Password attribute to
plain text passwords in Ldap everything will work fine. But if you are
using crypt, sha or such on your passwords, mschap will never work.

Your eap.conf is likely to be OK if you are getting that far. Mschapv2 is
failing because passwords in Ldap are encrypted or mapped to some other
password attribute (most often User-Password). But you will need to post
the whole eap conversation in order to be sure.

Ivan Kalik
Kalik Informatika ISP


Dana 18/9/2007, Kent Thomas [EMAIL PROTECTED] piše:

Ivan, thanks a million.  I've been looking at using peap.  I have a mixed
network, mac & xp.  I wouldn't mind using plain text passwords if that could
be forced.  The only configurations that get close to working get as far as
mschapv2, then fail because of no nt/lm password.  If I could use the
password from my ldap connection which seems to be working nicely, then I
would be thrilled.  Could you give me the eap.conf that would do that?
Thanks a million
Kent 


On 9/18/07 4:27 PM, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 If you have XP clients your best option is PEAP. Read instructions in
 eap.conf about setting it up. But that will work only if your passwords
 are stored in plain text or NT hash (not much to do with EAP but
 MSCHAPv2 used as tunnel authentication protocol). If your passwords are
 encrypted in some other way you can use SecureW2 supplicant and TTLS-PAP.
 
 Ivan Kalik
 Kalik Informatika ISP
 
 
 Dana 18/9/2007, Kent Thomas [EMAIL PROTECTED] piše:
 
 Phil,
 Thanks a million for the reply. You are the first to actually reply with
 some info for me to look at.
 
 The document you gave is good, except for the client certificate part.  I
 don't want to have to give certificates out to everyone on my wireless
 network.  Is there a way to get around this?
 
 Thanks a million.
 Kent
 
 
 On 9/18/07 4:01 PM, Phil Mayers [EMAIL PROTECTED] wrote:
 
 On Tue, 2007-09-18 at 08:13 -0600, Kent Thomas wrote:
 Hello all,
 I'm looking for a simple way to protect access to my wireless network.  
 I'm
 seeing a lot of old documentation on how to use EAP-TLS to protect the
 wireless network.  I've found lots of old documentation on how to setup 
 WPA
 Enterprise.  I would like some updated documentation on how to do this.
 
 
 This is an extremely common setup.
 
 http://wiki.freeradius.org/WPA_HOWTO
 
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
 
 
 
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
 
 
 
 -
 List info/subscribe/unsubscribe? See 
 http://www.freeradius.org/list/users.html
 



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Problem with older wireless network drivers.

2007-08-30 Thread Richard Elder
I have more info.. I turned on debugging on the Radius Server and this is what 
I saw..
 
EAP-Message = 0x03030004
Message-Authenticator = 0x
State = 0x4432dbd90b6b53254567784c2809c028
rad_recv: Access-Request packet from host 10.0.x.x:1645, id=195, length=147
User-Name = test
Framed-MTU = 1400
Called-Station-Id = 0011.925e.9170
Calling-Station-Id = 0012.cf4f.1471
Service-Type = Login-User
Message-Authenticator = 0x692f16e735g754a853180379a493551
EAP-Message = 0x01020010110100067886e374f19bec88
NAS-Port-Type = Wireless-802.11
NAS-Port = 1144
State = 0x4432dbd90b6b5345675504c2809c028
NAS-IP-Address = 10.0.x.x
NAS-Identifier = ap2
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
rad_recv: Access-Request packet from host 10.0.254.61:1645, id=195, length=147
Sending Access-Reject of id 195 to 10.0.x.xport 1645
 
But then I use a newer wireless NIC, and it works perfectly..
 
I was using freeradius 1.1.4, but then put on 1.1.7 and still the same results. 
 
 
I have no idea why it is doing that for some of the older drivers, and not all. 
   I looked also for time out periods, and have tried to increase them, but no 
such luck.
 
It's driving me bonkers!  Thanks for any help!
 
Rick

Confidentiality Notice: The information contained in this e-mail message, 
including any attachments, is for the sole use of the intended recipient(s) and 
may contain confidential and privileged information, or Protected Health 
Information as such term is defined under the Health Insurance Portability and 
Accountability Act of 1996 (HIPAA). Any unauthorized review, use, disclosure, 
copying or distribution is prohibited and may be unlawful. If you believe you 
have received this e-mail in error, please contact the sender by reply e-mail 
and delete all copies of the original message, including attachments.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
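Decoding the EAP-Message values in that debug output is worth doing before blaming either side. The following is an added example, not code from the post or from FreeRADIUS: the four-byte EAP header (code, identifier, length, then the type byte on requests and responses) says what each packet is, and the State attribute is what rlm_eap uses to find the session a packet belongs to, so a State echoed by the NAS that differs from the one the server issued is exactly the condition behind the "EAP-response to an unknown EAP-request" line. SAMPLE_DEBUG is a constructed copy of the lines above. Two of the hex values there cannot be decoded as written (the request's Message-Authenticator contains a non-hex `g`, and its State has an odd number of digits), which may be the poster's obfuscation or a copying slip, so the checks report them as malformed rather than guessing.

```python
"""Pull EAP and State details out of FreeRADIUS debug output.

Added example, not code from the thread.  SAMPLE_DEBUG is a constructed copy of
the attribute lines quoted in the post; its hex values may have been obfuscated.
"""
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

SAMPLE_DEBUG = """
EAP-Message = 0x03030004
Message-Authenticator = 0x
State = 0x4432dbd90b6b53254567784c2809c028
rad_recv: Access-Request packet from host 10.0.x.x:1645, id=195, length=147
User-Name = test
Framed-MTU = 1400
Called-Station-Id = 0011.925e.9170
Calling-Station-Id = 0012.cf4f.1471
Service-Type = Login-User
Message-Authenticator = 0x692f16e735g754a853180379a493551
EAP-Message = 0x01020010110100067886e374f19bec88
NAS-Port-Type = Wireless-802.11
NAS-Port = 1144
State = 0x4432dbd90b6b5345675504c2809c028
NAS-IP-Address = 10.0.x.x
NAS-Identifier = ap2
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Sending Access-Reject of id 195 to 10.0.x.xport 1645
"""


def hex_bytes(value):
    """Bytes behind a FreeRADIUS '0x...' value, or None when it is not clean, even-length hex."""
    h = value[2:] if value.lower().startswith("0x") else value
    if len(h) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", h):
        return None
    return bytes.fromhex(h)


def decode_eap(value):
    """RFC 3748 header (Code, Identifier, Length) plus the Type byte of a Request/Response."""
    raw = hex_bytes(value)
    if raw is None or len(raw) < 4:
        return {"error": "not a decodable EAP packet"}
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    out = {"code": code, "code_name": EAP_CODES.get(code, "unknown"), "id": ident, "length": length}
    if length != len(raw):
        out["warning"] = f"Length field {length} but {len(raw)} bytes present"
    if code in (1, 2) and len(raw) >= 5:
        out["type"] = raw[4]
        out["type_name"] = EAP_TYPES.get(raw[4], "unknown")
    return out


def split_packets(text):
    """Group attribute lines under the 'rad_recv:' or 'Sending' line that introduces them.
    Lines before the first such header are the tail of the previous reply."""
    packets = [{"header": "previous reply (truncated)", "attrs": {}, "messages": []}]
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith(("rad_recv:", "Sending ")):
            packets.append({"header": line, "attrs": {}, "messages": []})
        elif " = " in line:
            name, value = (s.strip() for s in line.split(" = ", 1))
            packets[-1]["attrs"].setdefault(name, []).append(value)
        else:
            packets[-1]["messages"].append(line)
    return packets


def analyse(text):
    """Decoded EAP messages plus the checks a practitioner makes on this exchange."""
    result = {"eap": [], "malformed": [], "state_mismatch": False, "eap_lookup_failed": False}
    issued_state = None
    for p in split_packets(text):
        for name, values in p["attrs"].items():
            if any(v.lower().startswith("0x") and hex_bytes(v) is None for v in values):
                result["malformed"].append(name)
        for v in p["attrs"].get("EAP-Message", []):
            result["eap"].append((p["header"], decode_eap(v)))
        state = p["attrs"].get("State", [None])[0]
        if p["header"].startswith("rad_recv:"):
            # The NAS must echo the State from the last Access-Challenge unchanged; rlm_eap
            # looks the session up by State, so a different value is an "unknown EAP-request".
            if state is not None and issued_state is not None and state != issued_state:
                result["state_mismatch"] = True
        elif state is not None:
            issued_state = state
        if any(m.startswith("rlm_eap: Either EAP-request timed out") for m in p["messages"]):
            result["eap_lookup_failed"] = True
    return result


if __name__ == "__main__":
    r = analyse(SAMPLE_DEBUG)
    for header, eap in r["eap"]:
        print(f"{header}\n    {eap}")
    print("malformed hex in:", r["malformed"])
    print("State echoed != State issued:", r["state_mismatch"])
    print("rlm_eap could not match a session:", r["eap_lookup_failed"])
```

Run over the lines above it reports `0x03030004` as EAP Success (identifier 3) and `0x0102...` as an EAP Request (identifier 2, type 17, LEAP) arriving inside an Access-Request. A Request from the supplicant side is unusual for most methods but is what LEAP's mutual-authentication step looks like: after the Success the client sends its own challenge to the server. The State echoed by the AP is also not the one the server issued; whether that is real or a transcription slip the log alone does not settle, which is why the decoder flags odd values instead of repairing them.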

Problem with older wireless network drivers.In-Reply-To=

2007-08-29 Thread Richard Elder
I have more info.. I turned on debugging on the Radius Server and this is what 
I saw..
 
EAP-Message = 0x03030004
Message-Authenticator = 0x
State = 0x4432dbd90b6b53254567784c2809c028
rad_recv: Access-Request packet from host 10.0.x.x:1645, id=195, length=147
User-Name = test
Framed-MTU = 1400
Called-Station-Id = 0011.925e.9170
Calling-Station-Id = 0012.cf4f.1471
Service-Type = Login-User
Message-Authenticator = 0x692f16e735g754a853180379a493551
EAP-Message = 0x01020010110100067886e374f19bec88
NAS-Port-Type = Wireless-802.11
NAS-Port = 1144
State = 0x4432dbd90b6b5345675504c2809c028
NAS-IP-Address = 10.0.x.x
NAS-Identifier = ap2
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
rad_recv: Access-Request packet from host 10.0.254.61:1645, id=195, length=147
Sending Access-Reject of id 195 to 10.0.x.xport 1645
 
But then I use a newer wireless NIC, and it works perfectly..
 
I was using freeradius 1.1.4, but then put on 1.1.7 and still the same results. 
 
 
I have no idea why it is doing that for some of the older drivers, and not all. 
   I looked also for time out periods, and have tried to increase them, but no 
such luck.
 
Its driving me bonkers!  Thanks for any help!
 
Rick



Re: Problem with older wireless network drivers.

2007-08-29 Thread Alan DeKok
Richard Elder wrote:
 I have more info.. I turned on debugging on the Radius Server and this
 is what I saw..
...
 rlm_eap: Either EAP-request timed out OR EAP-response to an unknown
 EAP-request

  The supplicant is broken.

 But then I use a newer wireless NIC, and it works perfectly..

  shrug  If the Windows machine doesn't do EAP right, there's very
little you can do to FreeRADIUS to fix the problem.

 I have no idea why it is doing that for some of the older drivers, and
 not all. I looked also for time out periods, and have tried to
 increase them, but no such luck.
  
 It's driving me bonkers!  Thanks for any help!

  The old drivers are buggy.  Stop using them.

  Alan DeKok.


Problem with older wireless network drivers.

2007-08-28 Thread Richard Elder
I have run across a number of machines that seem to have a problem 
authenticating to the radius server via Cisco 1200 AP using LEAP.  All the 
newer Cisco/Intel cards don't have a problem with current or recent drivers, 
but a model of Atheros and Belkin drivers that have a copyright date of 
2004/2005 seem to have a problem authenticating.  This is specific medical 
equipment from vendors from which updated drivers may not be available. 
 
 
As a test, I set up a standalone AP with its built-in RADIUS server, and 
then had the device with the older drivers try to authenticate to it, and it 
worked just fine.  So the problem seems to be with the FreeRADIUS server 
and the older drivers!??
 
Below is a sample of the debug of the radius from the Cisco 1200 with the device 
with the old driver.
 
Aug 27 19:13:52.864: RADIUS:  User-Name   [1]   9   LAPTOP1
Aug 27 19:13:52.864: RADIUS:  Framed-MTU  [12]  6   1400
Aug 27 19:13:52.864: RADIUS:  Called-Station-Id   [30]  16  0013.8038.1fa0
Aug 27 19:13:52.864: RADIUS:  Calling-Station-Id  [31]  16  0012.cf4f.1471
Aug 27 19:13:52.864: RADIUS:  Service-Type[6]   6   Login   
  [1]
Aug 27 19:13:52.865: RADIUS:  Message-Authenticato[80]  18  *
Aug 27 19:13:52.865: RADIUS:  EAP-Message [79]  18
Aug 27 19:13:52.865: RADIUS:   01 03 00 10 11 01 00 08 92 27 97 77 53 89 5D 2F  
[?
]/]
Aug 27 19:13:52.866: RADIUS:  NAS-Port-Type   [61]  6   802.11 wireless 
  [19]
Aug 27 19:13:52.866: RADIUS:  NAS-Port[5]   6   955446
Aug 27 19:13:52.866: RADIUS:  State   [24]  18
Aug 27 19:13:52.866: RADIUS:   1F A2 5E E8 18 DB 27 25 A8 42 8D EA EE 48 89 F9  
[??^???'??
??]
Aug 27 19:13:52.866: RADIUS:  NAS-IP-Address  [4]   6   10.0.1.5
Aug 27 19:13:52.866: RADIUS:  Nas-Identifier  [32]  12  WDS
Aug 27 19:19:20.265: RADIUS:  NAS-IP-Address  [4]   6   10.0.1.5
Aug 27 19:19:20.265: RADIUS:  Nas-Identifier  [32]  12  WDS
Aug 27 19:19:25.561: RADIUS: no sg in radius-timers: ctx 0xD368A8 sg 0x
Aug 27 19:19:25.561: RADIUS: Retransmit to (10.0.2.2:1812,1813) for id 1645/38
Aug 27 19:19:25.562: RADIUS: Received from id 1645/38 10.0.2.2:1812, 
Access-Reject, len 20
Aug 27 19:19:25.562: RADIUS:  authenticator A7 6D 43 3E E8 75 98 B9 - 2E 28 22 
48 95 06 81 78
Aug 27 19:19:25.563: RADIUS(000E980E): Received from id 1645/38er drivers.  
 
 
Thanks for any assistance.



Wireless network: WindowsXP supplicant, EAP-TLS and computer certificates.

2006-05-12 Thread Lev A. Serebryakov


  I try to use FreeRADIUS for building 802.1X EAP-TLS authorization. I 
want to use only computer certificates (not user ones) on WinXP. Such 
certificates contain the FQDN of the client in the `commonName' field.


  But WinXP/SP2 sends `User-Name' in such a case as `host/FQDN', and the 
check of commonName fails.


  How can I re-map such `User-Names'? I've tried to create a realm with 
LOCAL mapping, but it doesn't help much :(


  It seems that eap-tls `xlat's the user-name before the check, but xlat is 
not well-documented :(


--
// Lev Serebryakov



simultaneous use in wireless network

2005-02-18 Thread bmathieu
I want to disable people connecting with the same login more than one time on
a wireless network with Cisco AP1100.
First, when I use checkrad I get results like this:

checkrad -d  cisco 195.220.107.35 981 SNMP 0
snmpget: /usr/bin/snmpget -r 1 -t 5 -v2c -c 'xxx'
195.220.107.35 .iso.org.dod.internet.private.enterprises.9.2.9.2.1.18.981
  user at port S981: Instance
snpwalk: /usr/bin/snmpwalk -r 1 -t 5 -v2c -c 'xxx'
195.220.107.35 .iso.org.dod.internet.private.enterprises.9.10.19.1.3.1.1.3
  Returning 0 (login ok)
sentinelle raddb # checkrad -d  cisco 195.220.107.35 980 SNMP 0
snmpget: /usr/bin/snmpget -r 1 -t 5 -v2c -c 'xxx'
195.220.107.35 .iso.org.dod.internet.private.enterprises.9.2.9.2.1.18.980
  user at port S980: Instance
snpwalk: /usr/bin/snmpwalk -r 1 -t 5 -v2c -c ''
195.220.107.35 .iso.org.dod.internet.private.enterprises.9.10.19.1.3.1.1.3
  Returning 0 (login ok)
sentinelle raddb # checkrad -d  cisco 195.220.107.35 900 SNMP 0
snmpget: /usr/bin/snmpget -r 1 -t 5 -v2c -c ''
195.220.107.35 .iso.org.dod.internet.private.enterprises.9.2.9.2.1.18.900
  user at port S900: Instance
snpwalk: /usr/bin/snmpwalk -r 1 -t 5 -v2c -c ''
195.220.107.35 .iso.org.dod.internet.private.enterprises.9.10.19.1.3.1.1.3
  Returning 0 (login ok)
sentinelle raddb # checkrad -d  cisco 195.220.107.35 10 SNMP 0
snmpget: /usr/bin/snmpget -r 1 -t 5 -v2c -c ''
195.220.107.35 .iso.org.dod.internet.private.enterprises.9.2.9.2.1.18.10
  user at port S10:
snpwalk: /usr/bin/snmpwalk -r 1 -t 5 -v2c -c 'xxx'
195.220.107.35 .iso.org.dod.internet.private.enterprises.9.10.19.1.3.1.1.3
  Returning 0 (login ok)
sentinelle raddb # checkrad -d  cisco 195.220.107.35 1000 SNMP 0
snmpget: /usr/bin/snmpget -r 1 -t 5 -v2c -c 'xxx'
195.220.107.35 .iso.org.dod.internet.private.enterprises.9.2.9.2.1.18.1000
  user at port S1000: Instance
snpwalk: /usr/bin/snmpwalk -r 1 -t 5 -v2c -c 'xxx'
195.220.107.35 .iso.org.dod.internet.private.enterprises.9.10.19.1.3.1.1.3
  Returning 0 (login ok)
sentinelle raddb #

How must I understand this result?
It seems to me that NAS-Port and session id could be arbitrary,
because the NAS-Port of the last response from the server was 981, and why
does it tell me the same thing with NAS-Port = 1000?

Second, when someone is connected on one AP and tries to connect on another
AP, how will checkrad see the first connection?


Here is the aaa configuration of an AP:

aaa new-model
!
!
aaa group server radius rad_eap
 server xxx.xxx.xxx auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
 server xxx.xxx.xxx auth-port 1812 acct-port 1813
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local 
aaa authorization ipmobile default group rad_pmip 
aaa accounting network acct_methods start-stop group radius
aaa session-id common

Thanks for the help,
basile


-- 
bmathieu [EMAIL PROTECTED]




ip address with radius on wireless network

2004-10-12 Thread bmathieu
Hi,
I read mail on the list which seems to give me the answer (no :( ) but I
want to be sure:
is it possible to assign an IP address with radius ippool or with the users
file in a wireless network (Cisco AP 1100)?
Thanks,
basile





Re: Wireless Network

2004-09-24 Thread Dean Michaels
You can use a wireless access point that supports 802.1q. I know that 
the HP J8130A WAP 420 supports this, and I believe the Ciscos and some 
3Com do as well.

Assign your private network users some additional attributes. For 
example, the following 3 additional attributes will direct the WAP to 
tunnel your private network users to VLAN# 20.

Tunnel-Private-Group-Id: 20
Tunnel-Medium-Type: 802
Tunnel-Type: VLAN
Users who don't get these attributes will be on the default (internet 
connected) vlan for the AP. Check dictionary.tunnel for more information.

Or you can set it up in reverse, depending on your needs. If you want 
unauthenticated wireless users stuck on a private network (not Internet 
connected), set that VLAN as the default for the AP. In this case, only 
authenticated users get tunneled on to the internet connected VLAN 20.

Or you can set up the AP to require authentication and tunnel individual 
users to their specified VLAN.

Dean.
[EMAIL PROTECTED] wrote:
Hi all and thanks for the answers,
I'll explain in a better way.
I would like to have:
a user A who can access the Internet with username A and password A (and
that's ok, it works); a user B who can access the Private Network (no 
Internet) with username B and password B. Both connecting to the same AP.
Both users have a pc with a wireless card.

The AP (Colubris) is connected to Private Network through cabled LAN 
where the Radius works and the Private Network is connected to 
Internet.

I tried in different ways and I read quite all docs, but nobody seems to
have this problem.
Maybe there's no solution with one AP.
Thanks

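Dean's three attributes on the wire, as an added example that is not part of any post in this thread: a pure-Python encoder and decoder for the RFC 2868 tunnel attributes. The attribute numbers (64, 65, 81) and the VLAN / IEEE-802 enum values are the RFC 2868 and RFC 3580 ones; the tag handling and the range checks are my own choices, not anything the list post specifies.

```python
"""Added example: build and parse the Tunnel-Type / Tunnel-Medium-Type /
Tunnel-Private-Group-Id triple that steers an 802.1q-capable AP to a VLAN
(users-file form: Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = "20")."""
import struct

# RADIUS attribute type numbers (RFC 2868)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN (RFC 3580)
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type = IEEE-802


def _avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute-value pair: type, total length, value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vlan_assignment_avps(vlan_id: int, tag: int = 0) -> bytes:
    """Encode the triple for one VLAN.  Tagged integer attributes carry a
    one-byte tag followed by a 3-byte integer; the string attribute carries
    the tag byte followed by the VLAN id in ASCII, the form APs expect."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tunnel tag must be 0 (untagged) or 1..31")

    def tagged_int(n: int) -> bytes:
        return bytes([tag]) + n.to_bytes(3, "big")

    return (
        _avp(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
        + _avp(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE_802))
        + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii"))
    )


def parse_avps(data: bytes) -> list:
    """Split an attribute blob into (type, value) pairs, rejecting bad
    lengths instead of silently reading past the buffer."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return out


def vlan_from_avps(data: bytes):
    """Return the VLAN id the attribute set assigns, or None when the triple
    is incomplete or not a VLAN assignment (the AP then leaves the client on
    its default VLAN, the behaviour Dean describes for users without them)."""
    found = {}
    for attr_type, value in parse_avps(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # A leading byte of 0x00..0x1F is a tag; anything else is text.
            text = value[1:] if value and value[0] <= 0x1F else value
            found[attr_type] = text.decode("ascii", "replace")
    if (found.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
            or found.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802
            or TUNNEL_PRIVATE_GROUP_ID not in found):
        return None
    group = found[TUNNEL_PRIVATE_GROUP_ID]
    return int(group) if group.isdigit() else None


if __name__ == "__main__":
    blob = vlan_assignment_avps(20)
    print(blob.hex())
    print("assigned VLAN:", vlan_from_avps(blob))
```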


Wireless Network

2004-09-23 Thread macleod
Hi all,
I'm trying to use freeradius to connect users to a private network or to
Internet through an AP of a Wireless LAN. A user gets an account for private
network connection or Internet connection. Internet is ok, but I tried different
ways to give him a private network connection (and just that) and
it doesn't work because there's an AP between the user and the Radius cabled
LAN.
Any ideas?

Thanks








Re: Wireless Network

2004-09-23 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 Internet is ok, but I tried different
 ways to give him a private network connection (and just that) and
 it doesn't work because there's an AP between the user and Radius cabled
 LAN.
 Any ideas?

  Set up routing on the AP for the private network.

  Alan DeKok.



Re: Wireless Network

2004-09-23 Thread David E. Smith
On 23 Sep 2004 at 10:38, [EMAIL PROTECTED] wrote:

 I'm trying to use freeradius to connect users to a private network or to
 Internet through an AP of a Wireless LAN. A user gets an account for private
 network connection or Internet connection. Internet is ok, but I tried different
 ways to give him a private network connection (and just that) and it
 doesn't work because there's an AP between the user and Radius cabled LAN. Any
 ideas?

Does it work if they have a general Internet connection, and then you try the 
private connection?

Depending on the AP you're using, and the network topology, you may also be 
able to run the access point as a bridge. (Thus, it'll just be a fancy media 
converter, and wireless clients should be functionally identical to wired 
clients.) You can't do this with most cheap APs (Linksys, DLink, anything else 
you'll find at Best Buy), but slightly higher-end radio gear (StarOS, old 
Lucent/Karlnet gear, maybe Mikrotik) won't even blink at the request. The 
biggest downside to this is that it's another piece of hardware you have to buy 
(this could be done for around $300 US) and another piece of software you have 
to learn how to configure.


David Smith
MVN.net



Re: Re: Wireless Network

2004-09-23 Thread macleod
Hi all and thanks for the answers,

I'll explain in a better way.
I would like to have:
a user A who can access the Internet with username A and password A (and
that's ok, it works); a user B who can access the Private Network (no
Internet) with username B and password B. Both connecting to the same AP.
Both users have a pc with a wireless card.

The AP (Colubris) is connected to Private Network through cabled LAN
where the Radius works and the Private Network is connected to
Internet.

I tried in different ways and I read quite all docs, but nobody seems to
have this problem.
Maybe there's no solution with one AP.

Thanks


On 23 Sep 2004 at 10:38, [EMAIL PROTECTED] wrote:

 I'm trying to use freeradius to connect users to a private network or

 to Internet through an AP of a Wireless LAN. A user gets an account
 for private network connection or Internet connection. Internet is ok,

 but I tried different ways to give him a private network
 connection (and just that) and it doesn't work because there's an AP
 between the user and Radius cabled LAN. Any ideas?








Re: Re: Wireless Network

2004-09-23 Thread David E. Smith
On 23 Sep 2004 at 23:52, [EMAIL PROTECTED] wrote:

 I'll explain in a better way.

[ snip: scenario ]

Have the RADIUS server give different IP addresses to users A and B. Have a 
firewall somewhere between the private network and the Internet that will deny 
Internet traffic to someone whose IP address is on the private-only list.

David Smith
MVN.net



Re: Securing a wireless network with users database in LDAP (Win and Mac OS-X clients)

2004-08-02 Thread Christophe Boyanique
Kostas Kalevras wrote :
Thanks to you and Artur Hecker for your responses that helped me.
I chose to implement PEAP and EAP-TTLS on freeradius in order to have a 
wide support for Mac OS X and Windows 2000/XP.

As I want to use LDAP to authenticate users, I may be able to use:
- PAP
- EAP-GTC
- LDAP direct bind
From the point of view of the supplicant, what is the protocol to use 
inside PEAP or EAP-TTLS in order to make freeradius do a LDAP bind ? And 
will this protocol be handled by Mac OS X and Windows 2000/XP with or 
without xsupplicant ?

It seems that SecureW2 implements EAP-TTLS+PAP.
I found documentations saying that Windows XP handles PEAP but I didn't 
find what protocols inside PEAP are supported (and MSCHAPv2 does not do 
it as passwords are crypted in the LDAP).

About Mac OS X, it is supposed to handle PEAP and EAP-TTLS but I have 
the same problem: no mention about inside protocols.

Does anyone have some information about that?
Thanks again for your help,
Christophe.


Re: Securing a wireless network with users database in LDAP (Win and Mac OS-X clients)

2004-08-02 Thread Kostas Kalevras
On Mon, 2 Aug 2004, Christophe Boyanique wrote:

 Kostas Kalevras wrote :

 Thanks to you and Artur Hecker for your responses that helped me.

 I chose to implement PEAP and EAP-TTLS on freeradius in order to have a
 wide support for Mac OS X and Windows 2000/XP.

 As I want to use LDAP to authenticate users; I may be able to use:
 - PAP
 - EAP-GTC
 - LDAP direct bind

That's not an authentication protocol, it's just a way of implementing an
authentication protocol (like PAP, CHAP, MS-CHAP).


  From the point of view of the supplicant, what is the protocol to use
 inside PEAP or EAP-TTLS in order to make freeradius do a LDAP bind ? And
 will this protocol be handled by Mac OS X and Windows 2000/XP with or
 without xsupplicant ?

You should use PAP, that's the protocol which will send clear text passwords
which can be used for an ldap bind.


 It seems that SecureW2 implements EAP-TTLS+PAP.

Yes it does.


 I found documentations saying that Windows XP handles PEAP but I didn't
 find what protocols inside PEAP are supported (and MSCHAPv2 does not do
 it as passwords are crypted in the LDAP).

PEAP is protected EAP. So you're mostly stuck with MSCHAPv2. Use EAP-TTLS
instead.


 About Mac OS X, it is suppposed to handle PEAP and EAP-TTLS but I have
 the same problem: no mention about inside protocols.

 Does anyone has some informations about that ?

 Thanks again for your help,

 Christophe.



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Securing a wireless network with users database in LDAP (Win and Mac OS-X clients)

2004-07-30 Thread Michael Schwartzkopff

On Thursday, 29 July 2004 17:53, Christophe Boyanique wrote:
 Hello,

 I want to secure a wireless network (operated with Cisco Aironet 1200
 aps) via freeradius connected to an OpenLDAP server; with clients
 running Windows 2000, Windows XP and Mac OS-X (= 10.2).

(...)

See: http://doris.cc/radius/
-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B




Re: Securing a wireless network with users database in LDAP (Win and Mac OS-X clients)

2004-07-29 Thread Kostas Kalevras
On Thu, 29 Jul 2004, Christophe Boyanique wrote:

 Hello,

 I want to secure a wireless network (operated with Cisco Aironet 1200
 aps) via freeradius connected to an OpenLDAP server; with clients
 running Windows 2000, Windows XP and Mac OS-X (= 10.2).

 I saw that EAP-MD5 is no recommended (and not supported by Windows XP
 since SP1).

 EAP-TLS is not a choice as there is no LDAP interaction from what I've
 read on this mailing-list and other places.

Depends on what you mean by LDAP interaction. You can still use LDAP to
*authorize* the user. EAP-TLS just does certificate authentication so there's
not much LDAP interaction involved (apart from probably verifying the supplied
user certificate through LDAP, though that's not currently supported)


 The best choice seems to be EAP-TTLS as it is supported by freeradius
 and the selected clients. But I have some questions about the protocol
 to use inside the TLS tunnel.

 It seems that EAP-MD5 is not possible as passwords are stored in {CRYPT}
 format in the LDAP.
 I tried the EAP-MD5+LDAP feature and it works indeed with clear
 passwords. I was wondering if it would be possible to patch the eap-md5
 module to crypt the password sent by the supplicant before comparing it
 with the one from the LDAP ?

Please read the CHAP/EAP-MD5 specification. That's not how the protocol works.
You *need* clear text passwords for EAP-MD5 to work.


 I read some things about using PAP inside EAP-TTLS. It seems that
 {CRYPT} passwords work with PAP as I see there is an encryption_scheme
 parameter for PAP.

You can also use the ldap module for authentication instead of the pap module
(authentication through an ldap bind request).


 But will PAP be supported by supplicants running on Windows and Mac OS-X ?

If you are going to use EAP-TTLS you must use the SecureW2 client since Windows
does not support EAP-TTLS. SecureW2 supports PAP so you should be fine. I have no
idea about MacOS X though; since it's a unix flavor, maybe Xsupplicant can work on
it (Xsupplicant supports EAP-TTLS).



 Thank you for your help,

 Christophe.




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Securing a wireless network with users database in LDAP (Win and Mac OS-X clients)

2004-07-29 Thread Artur Hecker
hi

But will PAP be supported by supplicants running on Windows and Mac OS-X ?

If you are going to use EAP-TTLS you must use the SecureW2 client since windows
do not support EAP-TTLS. SecureW2 supports PAP so you should be fine. I have no
idea about MacOS X though since it's a unix flavor maybe Xsupplicant can work on
it (Xsupplicant supports EAP-TTLS).
Apparently, xsupplicant works, but with some modifications. However, 
since Mac OS X (10.3++) there is an integrated client which is more 
convenient and does support TTLS.

http://images.apple.com/macosx/pdf/Security_in_Mac_OS_X.pdf, page 8
ciao
artur


PEAP with MSChapV2 on wireless network

2004-06-10 Thread Bragg Mario-mbragg1



I am unable to get PEAP working with WinXP (using MSChapV2) on my wireless 
network. I am using Freeradius Version 1.0.0-pre1. For authentication I am 
using etc_smbpassword. I saw an earlier message in the archive stating that 
MSChap wasn't supposed to be used for wireless, however, under WinXP, this is 
the only option with PEAP. TLS works fine. I am receiving the following error 
message. Any ideas?

Mario Bragg


Thu Jun 10 10:57:31 2004 : Debug: Nothing to do. Sleeping until we see a 
request.
rad_recv: Access-Request packet from host 192.168.1.1:55048, id=44, 
length=148
User-Name = "NA3\\mbragg1"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "00-0c-41-f7-f3-f6"
Calling-Station-Id = "00-0c-f1-30-67-40"
NAS-Identifier = "Linksys BEFW11S4-V4.X"
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x022c0010014e41335c6d627261676731
Message-Authenticator = 0xc647195a743b7665871bdfc633922bf4
Thu Jun 10 10:57:34 2004 : Debug: Processing the authorize section of 
radiusd.conf
Thu Jun 10 10:57:34 2004 : Debug: modcall: entering group authorize for 
request 27
Thu Jun 10 10:57:34 2004 : Debug: modsingle[authorize]: calling preprocess 
(rlm_preprocess) for request 27
Thu Jun 10 10:57:34 2004 : Debug: modsingle[authorize]: returned from 
preprocess (rlm_preprocess) for request 27
Thu Jun 10 10:57:34 2004 : Debug: modcall[authorize]: module "preprocess" 
returns ok for request 27
Thu Jun 10 10:57:34 2004 : Debug: modsingle[authorize]: calling auth_log 
(rlm_detail) for request 27
Thu Jun 10 10:57:34 2004 : Debug: radius_xlat: 
'/usr/local/radius/var/log/radius/radacct/192.168.1.1/auth-detail-20040610'
Thu Jun 10 10:57:34 2004 : Debug: rlm_detail: 
/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to 
/usr/local/radius/var/log/radius/radacct/192.168.1.1/auth-detail-20040610
Thu Jun 10 10:57:34 2004 : Debug: modsingle[authorize]: returned from 
auth_log (rlm_detail) for request 27
Thu Jun 10 10:57:34 2004 : Debug: modcall[authorize]: module "auth_log" 
returns ok for request 27
Thu Jun 10 10:57:34 2004 : Debug: modsingle[authorize]: calling chap 
(rlm_chap) for request 27
Thu Jun 10 10:57:34 2004 : Debug: modsingle[authorize]: returned from chap 
(rlm_chap) for request 27
Thu Jun 10 10:57:34 2004 : Debug: modcall[authorize]: module "chap" returns 
noop for request 27
Thu Jun 10 10:57:34 2004 : Debug: modsingle[authorize]: calling mschap 
(rlm_mschap) for request 27
Thu Jun 10 10:57:34 2004 : Debug: modsingle[authorize]: returned from mschap 
(rlm_mschap) for request 27
Thu Jun 10 10:57:34 2004 : Debug: modcall[authorize]: module "mschap" returns 
noop for request 27
Thu Jun 10 10:57:34 2004 : Debug: modsingle[authorize]: calling suffix 
(rlm_realm) for request 27
Thu Jun 10 10:57:34 2004 : Debug: rlm_realm: No '@' in User-Name = "mbragg1", 
looking up realm NULL
Thu Jun 10 10:57:34 2004 : Debug: rlm_realm: No such realm "NULL"
Thu Jun 10 10:57:34 2004 : Debug: modsingle[authorize]: returned from suffix 
(rlm_realm) for request 27
Thu Jun 10 10:57:34 2004 : Debug: modcall[authorize]: module "suffix" returns 
noop for request 27
Thu Jun 10 10:57:34 2004 : Debug: modsingle[authorize]: calling eap (rlm_eap) 
for request 27
Thu Jun 10 10:57:34 2004 : Debug: rlm_eap: EAP packet type response id 44 
length 16
Thu Jun 10 10:57:34 2004 : Debug: rlm_eap: No EAP Start, assuming it's an 
on-going EAP conversation
Thu Jun 10 10:57:34 2004 : Debug: modsingle[authorize]: returned from eap 
(rlm_eap) for request 27
Thu Jun 10 10:57:34 2004 : Debug: modcall[authorize]: module "eap" returns 
updated for request 27
Thu Jun 10 10:57:34 2004 : Debug: modsingle[authorize]: calling files 
(rlm_files) for request 27
Thu Jun 10 10:57:34 2004 : Debug: users: Matched DEFAULT at 158
Thu Jun 10 10:57:34 2004 : Debug: modsingle[authorize]: returned from files 
(rlm_files) for request 27
Thu Jun 10 10:57:34 2004 : Debug: modcall[authorize]: module "files" returns 
ok for request 27
Thu Jun 10 10:57:34 2004 : Debug: modsingle[authorize]: calling etc_smbpasswd 
(rlm_passwd) for request 27
Thu Jun 10 10:57:34 2004 : Debug: rlm_passwd: Added LM-Password: 
'9D4426742166CA54695109AB020E401C' to config_items
Thu Jun 10 10:57:34 2004 : Debug: rlm_passwd: Added NT-Password: 
'90A3404003BACDBE506C86F110DB7AE0' to config_items
Thu Jun 10 10:57:34 2004 : Debug: rlm_passwd: Added SMB-Account-CTRL-TEXT: 
'[U ]' to config_items
Thu Jun 10 10:57:34 2004 : Info: rlm_passwd: Adding Auth-Type: MS-CHAP
Thu Jun 10 10:57:34 2004 : Debug: modsingle[authorize]: returned from 
etc_smbpasswd (rlm_passwd) for request 27
Thu Jun 10 10:57:34 2004 : Debug: modcall[authorize]: module "etc_smbpasswd" 
returns ok for request 27
Thu Jun 10 10:57:34 2004 : Debug: modc

Re: PEAP with MSChapV2 on wireless network

2004-06-10 Thread Alan DeKok
Bragg Mario-mbragg1 [EMAIL PROTECTED] wrote:
 I am unable to get PEAP working with WinXP (using MSChapV2) on my
 wireless network. I am using Freeradius Version 1.0.0-pre1. For
 authentication I am using etc_smbpassword.

  Ok...

 I saw an earlier message in the archive stating that MSChap wasn't
 supposed to be used for wireless,

  Huh?  I don't think so.

 Thu Jun 10 10:57:34 2004 : Debug: rlm_passwd: Added LM-Password: 
 '9D4426742166CA54695109AB020E401C' to config_items
 Thu Jun 10 10:57:34 2004 : Debug: rlm_passwd: Added NT-Password: 
 '90A3404003BACDBE506C86F110DB7AE0' to config_items
 Thu Jun 10 10:57:34 2004 : Debug: rlm_passwd: Added SMB-Account-CTRL-TEXT: '[U ]' to 
 config_items
 Thu Jun 10 10:57:34 2004 : Info: rlm_passwd: Adding Auth-Type: MS-CHAP

  That's your problem.  You've configured the passwd module to force
MS-CHAP authentication.

 Thu Jun 10 10:57:34 2004 : Debug: rad_check_password: Found Auth-Type EAP
 Thu Jun 10 10:57:34 2004 : Debug: rad_check_password: Found Auth-Type MS-CHAP
 Thu Jun 10 10:57:34 2004 : Error: Warning: Found 2 auth-types on request for user 
 'mbragg1'

  That message would appear to be informative.


  My suggestion is to comment out the authtype entry in the
smbpasswd configuration.

  Alan DeKok.


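Two of the threads above are diagnosed from the same kind of evidence: Richard Elder's "rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request" lines (Alan's answer: the supplicant, not the server) and Mario Bragg's "Found 2 auth-types" warning (Alan's answer: the passwd module forcing Auth-Type). As an added example that is not code from any poster or from FreeRADIUS, here is a small scanner for `radiusd -X` output that groups the debug lines by request and reports both signatures per client MAC, so a recurring EAP failure can be pinned to particular client cards rather than to the server. The sample log is constructed from the lines quoted in the threads (hand-typed hex regularised, one invented healthy client added); the timestamp prefix format is the one Mario's log shows.

```python
"""Added example: flag per-client failure signatures in FreeRADIUS debug output."""
import re
from collections import defaultdict

# Constructed sample assembled from the debug lines quoted in the threads
# above (hand-typed hex regularised; "alice" is an invented healthy client).
SAMPLE_LOG = r"""
rad_recv: Access-Request packet from host 10.0.254.61:1645, id=195, length=147
    User-Name = "test"
    Calling-Station-Id = "0012.cf4f.1471"
    State = 0x4432dbd90b6b53254567784c2809c028
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Sending Access-Reject of id 195 to 10.0.254.61 port 1645
rad_recv: Access-Request packet from host 192.168.1.1:55048, id=44, length=148
    User-Name = "NA3\\mbragg1"
    Calling-Station-Id = "00-0c-f1-30-67-40"
    NAS-Identifier = "Linksys BEFW11S4-V4.X"
Thu Jun 10 10:57:34 2004 : Debug: rad_check_password: Found Auth-Type EAP
Thu Jun 10 10:57:34 2004 : Debug: rad_check_password: Found Auth-Type MS-CHAP
Thu Jun 10 10:57:34 2004 : Error: Warning: Found 2 auth-types on request for user 'mbragg1'
rad_recv: Access-Request packet from host 192.168.1.1:55048, id=45, length=150
    User-Name = "alice"
    Calling-Station-Id = "00-0C-F1-30-67-41"
Thu Jun 10 10:57:35 2004 : Debug: rad_check_password: Found Auth-Type EAP
Sending Access-Accept of id 45 to 192.168.1.1 port 55048
"""

PREFIX_RE = re.compile(r"^\w{3} \w{3} +\d+ [\d:]+ \d{4} : \w+: ")  # "Thu Jun 10 10:57:34 2004 : Debug: "
REQ_RE = re.compile(r"^rad_recv: (\S+) packet from host (\S+), id=(\d+)")
REPLY_RE = re.compile(r"^Sending (\S+) of id (\d+) to")
ATTR_RE = re.compile(r"^\s+([\w-]+) = (.+)$")
AUTHTYPE_RE = re.compile(r"rad_check_password: Found Auth-Type (\S+)")
EAP_UNKNOWN = "rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request"


def normalize_mac(station_id: str) -> str:
    """Fold the NAS-specific MAC spellings seen in the threads (Cisco
    0012.cf4f.1471, Linksys 00-0c-f1-30-67-40) into one comparable key."""
    return re.sub(r"[^0-9a-f]", "", station_id.lower())


def parse_debug_log(text: str) -> list:
    """Group debug output into requests: a rad_recv line opens a request,
    indented 'Name = value' lines are its attributes, and module messages
    up to the next rad_recv are attached to it."""
    requests, cur = [], None
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw)
        if m := REQ_RE.match(line):
            cur = {"code": m.group(1), "nas": m.group(2), "id": int(m.group(3)),
                   "attrs": {}, "auth_types": [], "eap_unknown": False, "reply": None}
            requests.append(cur)
        elif cur is None or not line.strip():
            continue
        elif m := ATTR_RE.match(line):
            cur["attrs"][m.group(1)] = m.group(2).strip('"')
        elif m := AUTHTYPE_RE.search(line):
            cur["auth_types"].append(m.group(1))
        elif line.startswith(EAP_UNKNOWN):
            cur["eap_unknown"] = True
        elif (m := REPLY_RE.match(line)) and int(m.group(2)) == cur["id"]:
            cur["reply"] = m.group(1)
    return requests


def find_problems(requests: list) -> dict:
    """Map each client MAC to the failure signatures seen on its requests."""
    findings = defaultdict(list)
    for r in requests:
        mac = normalize_mac(r["attrs"].get("Calling-Station-Id", "")) or "unknown"
        user = r["attrs"].get("User-Name")
        if r["eap_unknown"]:
            # rlm_eap found no EAP request of its own matching this response
            # (stale or mangled State, or a reply that arrived too late); the
            # same MAC recurring points at the client card, not the server.
            findings[mac].append(("eap-unknown-request", user, r["attrs"].get("State")))
        if len(set(r["auth_types"])) > 1:
            # Two modules each set Auth-Type; the server warns and picks one.
            findings[mac].append(("multiple-auth-types", user, sorted(set(r["auth_types"]))))
    return dict(findings)


if __name__ == "__main__":
    for mac, issues in find_problems(parse_debug_log(SAMPLE_LOG)).items():
        for kind, user, detail in issues:
            print(f"{mac}  user={user}  {kind}  {detail}")
```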