Re: freeRADIUS and WPA-2 Enterprise
Hi,

> We are trying to set up WPA2 Enterprise authentication to work with the
> FreeRADIUS server. We have configured EAP-PEAP authentication. We have
> installed all the certificates and corrected the eap.conf certificate
> paths. We tried to connect from the supplicant from Windows XP. Windows
> asked for the login/password and this is the output of radiusd -X. The
> user is configured in the users file. We couldn't see any error, however
> the authentication didn't succeed.

I see you have the user in your unix password file - what type of password
is stored there? With PEAP, you cannot auth against a plain password.

Also, you say you 'installed the certificates and corrected the eap.conf
certificate paths' - what certs did you install, how did you make them?
What was wrong with the paths? Why did you not just put the certs in the
$raddb/certs directory?

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
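Alan's question about the stored password type is the first thing to settle: PEAP's default inner method is EAP-MSCHAPv2, and the server can only compute an MSCHAPv2 response from the clear-text password or its NT hash, never from a one-way crypt() or SHA hash. The script below is an added example (not FreeRADIUS code and not from anyone in the thread) that parses a file in FreeRADIUS `users` syntax and reports whether an entry's check items give the server something MSCHAPv2 can use. The sample users text and every password value in it are constructed; only the user name Sushil and the bob/bob test account mentioned elsewhere in the thread come from the page.

```python
"""Check whether a FreeRADIUS `users` entry carries a password attribute
that PEAP (inner EAP-MSCHAPv2) can use.  MSCHAPv2 needs the clear-text
password or its NT hash; Crypt-Password, SHA-Password or an /etc/shadow
entry give the server nothing to compute the response against.

Added example for this thread; not FreeRADIUS code and not any poster's.
SAMPLE_USERS is constructed: only the names Sushil and bob come from the
thread, every password value is made up.
"""
import re

# Check-item attributes MSCHAPv2 can work from.
MSCHAPV2_USABLE = {"Cleartext-Password", "NT-Password"}
# Other password check items the users file may carry (all one-way hashes).
HASHED_ONLY = {"Crypt-Password", "MD5-Password", "SMD5-Password",
               "SHA-Password", "SSHA-Password"}

# attribute, operator, value ("quoted string" or bare token)
CHECK_ITEM = re.compile(
    r'([A-Za-z0-9-]+)\s*(:=|\+=|==|!=|>=|<=|=~|!~|=|>|<)\s*'
    r'("(?:[^"\\]|\\.)*"|[^,\s]+)')


def parse_users_file(text):
    """Return {name: [check_items, ...]}; check_items is a list of
    (attribute, operator, value) tuples from the first line of an entry.
    Indented continuation lines hold reply items and are not parsed here;
    a name may appear more than once (DEFAULT usually does)."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():          # reply-item line, skip
            continue
        parts = line.split(None, 1)
        name, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        items = [(attr, op, val[1:-1] if val.startswith('"') else val)
                 for attr, op, val in CHECK_ITEM.findall(rest)]
        entries.setdefault(name, []).append(items)
    return entries


def peap_password_check(users_text, username):
    """Return (ok, reason): can EAP-MSCHAPv2 inside PEAP verify `username`
    from the check items in this users file?"""
    entries = parse_users_file(users_text)
    if username not in entries:
        return False, "no entry for %s in the users file" % username
    found = [attr for items in entries[username] for attr, _op, _val in items
             if attr in MSCHAPV2_USABLE or attr in HASHED_ONLY]
    if not found:
        return False, ("entry for %s has no password check item, so unless "
                       "another module (SQL, LDAP, ...) supplies one there is "
                       "nothing to verify MSCHAPv2 against" % username)
    usable = [a for a in found if a in MSCHAPV2_USABLE]
    if usable:
        return True, "%s: %s can be used by EAP-MSCHAPv2" % (username, usable[0])
    return False, ("%s: %s is a one-way hash; MSCHAPv2 needs "
                   "Cleartext-Password or NT-Password" % (username, found[0]))


# Constructed sample in FreeRADIUS `users` syntax: name and check items on
# the first line of an entry, reply items on the indented lines below it.
SAMPLE_USERS = '''\
# constructed sample, not the poster's file
Sushil\tCrypt-Password := "$1$constructed$not-a-real-hash"
\tReply-Message = "Hello, %{User-Name}"

bob\tCleartext-Password := "bob"
\tFall-Through = Yes

alice\tNT-Password := "0x00000000000000000000000000000000"

carol\tNAS-Port-Type == Wireless-802.11

DEFAULT\tAuth-Type := Reject
'''

if __name__ == "__main__":
    for user in ("Sushil", "bob", "alice", "carol", "nobody"):
        print(peap_password_check(SAMPLE_USERS, user))
```

Run it against a copy of your own `users` file to see which entries PEAP can authenticate at all; an entry that only carries a Crypt-Password will show the same "nothing wrong in the log, but no success" pattern the thread describes.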
Re: freeRADIUS and WPA-2 Enterprise
William E. Russell wrote:
> We are trying to set up WPA2 Enterprise authentication to work with the
> FreeRADIUS server. We have configured EAP-PEAP authentication. We have
> installed all the certificates and corrected the eap.conf certificate
> paths. We tried to connect from the supplicant from Windows XP. Windows
> asked for the login/password and this is the output of radiusd -X. The
> user is configured in the users file. We couldn't see any error, however
> the authentication didn't succeed.

This problem is because the certificates don't have the magic Windows OIDs,
OR because the Windows client doesn't have the CA cert in its list.

1) install freeradius-2.0.4
2) add a username/password 'bob/bob'. See the FAQ.
3) start it as root. Watch it create temporary certificates
4) Use radtest for 'bob/bob' to see if it works.
5) Configure PEAP on the Windows client.
6) un-check validate server certificate on the Windows client
7) point Access point to FreeRADIUS
8) Add access point IP/secret to the server (and re-start)
9) validate that PEAP works, with 'bob/bob'

That's most of it. After that, you want *real* certificates. Edit the files
in raddb/certs/*cnf, and re-make the certificates. Copy ca.der to your
Windows desktop, and double-click on it. This should install the certificate
into the root store.

If you want to use your own certificates for RADIUS, see raddb/certs/README.
You MUST also include the magic Windows OIDs. If you don't know what these
are, see raddb/certs/*

Alan DeKok.
RE: freeRADIUS and WPA-2 Enterprise
All,

We are trying to set up WPA2 Enterprise authentication to work with the
FreeRADIUS server. We have configured EAP-PEAP authentication. We have
installed all the certificates and corrected the eap.conf certificate paths.
We tried to connect from the supplicant from Windows XP. Windows asked for
the login/password and this is the output of radiusd -X. The user is
configured in the users file. We couldn't see any error, however the
authentication didn't succeed. Can anyone help?

--
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
        User-Name = Sushil
        NAS-IP-Address = 172.27.10.54
        Called-Station-Id = 001d7ef3e8d2
        Calling-Station-Id = 0019d24ee9a8
        NAS-Identifier = 001d7ef3e8d2
        NAS-Port = 15
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0202000b0153757368696c
        Message-Authenticator = 0x8ee1244bc3cdc5889f20f495cfb28373
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = Sushil, looking up realm NULL
    rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: EAP packet type response id 2 length 11
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
    users: Matched entry Sushil at line 126
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
  rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password: Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
        EAP-Message = 0x010300061920
        Message-Authenticator = 0x
        State = 0xe5e45815e5e741bebb28e527c6b37a8d
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 1 with timestamp +35
Ready to process requests.
        User-Name = Sushil
        NAS-IP-Address = 172.27.10.54
        Called-Station-Id = 001d7ef3e8d2
        Calling-Station-Id = 0019d24ee9a8
        NAS-Identifier = 001d7ef3e8d2
        NAS-Port = 15
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020b0153757368696c
        Message-Authenticator = 0xc7c1127b55267c9b175f4af387037759
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = Sushil, looking up realm NULL
    rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: EAP packet type response id 0 length 11
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
    users: Matched entry Sushil at line 126
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
  rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password: Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
        EAP-Message = 0x010100061920
        Message-Authenticator = 0x
        State = 0xabace459abadfd4a371c1e7c34cafda3
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 1 with timestamp +144
Ready to process requests.

William E. W. Russell
Member of Technical Staff (Software Development)
198 Brighton Avenue
Long Branch, New Jersey 07740
Home #: 732-752-2037
Cell #: 732-744-6483

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, May 14, 2008 2:11 PM
To: FreeRadius users mailing list
Subject: Re: freeRADIUS and WPA-2 Enterprise

> Hi,
>
>> All, I have recently set up a freeRADIUS v2 server and would like some
>> help configuring the server to use WPA-2 Enterprise. I was wondering if
>> anyone had any tutorials, .conf files, etc. that would assist me in
>> setting up my server with the correct configuration. I have noticed some
>> help on the Internet, but most of the help is directed towards freeRADIUS
>> v1, so I need v2-specific help. Thanks.
>
> A lot of the things regarding authorization, authentication, SQL and LDAP
> are true for v2 as they are for v1.
>
> When you say 'set up a freeradius v2 server' what have you done? Out of
> the box as a straight install, FR2 is ready to handle WPA2-enterprise. All
> you need to do is install your own certs, or make the default ones longer
> lasting and suitable for you (by editing the server.cnf and client.cnf
> stuff and rerunning the bootstrap), then add NAS devices to clients.conf
> and ensure that the authentication you want to use
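The EAP-Message values in the debug output above can be decoded to see exactly where the exchange stops. The client sends an Identity response, the server answers with a PEAP Start (type 25, S flag set, no TLS data), and the next thing in the log is a new Identity response: the supplicant never replied to the Start with TLS data, so the handshake in which the server certificate would be presented and checked never began. Knowing where it stops narrows the search to the supplicant's method and certificate settings (the advice given in the thread) rather than the server's authorize/authenticate path, which the log shows working. The decoder below is an added example, not FreeRADIUS code and not from any poster; it uses only the Python standard library. THREAD_EAP_MESSAGES is copied from the log as archived (the third value lost characters somewhere in the archive, and the decoder flags that instead of guessing); RECONSTRUCTED_EAP_MESSAGES is a constructed variant in which that one value is rebuilt to match the debug text printed beside it ("response id 0 length 11").

```python
"""Decode the EAP-Message values from the radiusd -X output quoted in this
thread and report where the EAP conversation stops.  Added example for this
thread (not FreeRADIUS code, not any poster's); standard library only.
THREAD_EAP_MESSAGES is copied from the quoted log; RECONSTRUCTED_EAP_MESSAGES
is a constructed variant described at its definition."""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP",
             26: "EAP-MSCHAPv2"}
TLS_BASED = {13, 21, 25}
# Flag byte after the type in TLS-based methods: L(ength) M(ore) S(tart).
FLAG_LENGTH_INCLUDED, FLAG_MORE_FRAGMENTS, FLAG_START = 0x80, 0x40, 0x20


def decode_eap_message(hex_value):
    """Parse one EAP-Message value as printed by radiusd -X ("0x...").
    'ok' is False for invalid hex or when the EAP length field disagrees
    with the bytes present (a paste or archive that dropped characters);
    such a packet is reported, not guessed at."""
    if hex_value.startswith("0x"):
        hex_value = hex_value[2:]
    try:
        data = bytes.fromhex(hex_value)
    except ValueError:
        return {"ok": False, "error": "not valid hex"}
    if len(data) < 4:
        return {"ok": False, "error": "shorter than the 4-byte EAP header"}
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    info = {"ok": True, "code": EAP_CODES.get(code, "unknown(%d)" % code),
            "id": ident, "length": length}
    if length != len(data):
        info.update(ok=False, error="length field says %d bytes but %d are "
                    "present" % (length, len(data)))
        return info
    if code in (3, 4):                 # Success/Failure carry no type byte
        return info
    if len(data) < 5:
        info.update(ok=False, error="Request/Response without a type byte")
        return info
    eap_type, payload = data[4], data[5:]
    info["type"] = EAP_TYPES.get(eap_type, "unknown(%d)" % eap_type)
    if eap_type == 1:
        info["identity"] = payload.decode("utf-8", "replace")
    elif eap_type in TLS_BASED and payload:
        flags = payload[0]
        info["flags"] = {"length_included": bool(flags & FLAG_LENGTH_INCLUDED),
                         "more_fragments": bool(flags & FLAG_MORE_FRAGMENTS),
                         "start": bool(flags & FLAG_START)}
        # TLS record bytes after the flag byte and the optional 4-byte
        # total-length field; a Start packet carries none.
        skip = 1 + (4 if flags & FLAG_LENGTH_INCLUDED else 0)
        info["tls_bytes"] = max(0, len(payload) - skip)
    return info


def diagnose(eap_messages):
    """Walk EAP-Message values in log order and report what followed each
    server Start packet.  Returns a list of plain-text findings."""
    packets = [decode_eap_message(m) for m in eap_messages]
    findings = []
    for i, pkt in enumerate(packets):
        if not pkt["ok"]:
            findings.append("packet %d: undecodable (%s)" % (i, pkt["error"]))
            continue
        if pkt["code"] != "Request" or not pkt.get("flags", {}).get("start"):
            continue
        label = "%s Start (id %d)" % (pkt["type"], pkt["id"])
        nxt = packets[i + 1] if i + 1 < len(packets) else None
        if nxt is None:
            findings.append("%s: no further packet in the log" % label)
        elif not nxt["ok"]:
            findings.append("%s: the next packet could not be decoded" % label)
        elif nxt["code"] == "Response" and nxt.get("type") == "Identity":
            findings.append("%s: the client answered with a fresh Identity "
                            "instead of TLS data, so the handshake never began"
                            % label)
        elif nxt["code"] == "Response" and nxt.get("tls_bytes", 0) > 0:
            findings.append("%s: the client continued with %d bytes of TLS data"
                            % (label, nxt["tls_bytes"]))
        else:
            findings.append("%s: followed by a packet that is not a reply to it"
                            % label)
    return findings


# Copied verbatim from the radiusd -X output quoted in this thread, in order.
THREAD_EAP_MESSAGES = [
    "0x0202000b0153757368696c",  # request 0, client: Response/Identity "Sushil"
    "0x010300061920",            # request 0, server: Request/PEAP with S flag
    "0x020b0153757368696c",      # request 1, client: exactly as archived
    "0x010100061920",            # request 1, server: Request/PEAP with S flag
]
# Constructed, not copied: the third value rebuilt to match the debug text
# printed next to it ("EAP packet type response id 0 length 11", Sushil).
RECONSTRUCTED_EAP_MESSAGES = THREAD_EAP_MESSAGES[:2] + [
    "0x0200000b0153757368696c", THREAD_EAP_MESSAGES[3]]

if __name__ == "__main__":
    for f in diagnose(THREAD_EAP_MESSAGES) + diagnose(RECONSTRUCTED_EAP_MESSAGES):
        print(f)
```

Feed it the EAP-Message lines of any radiusd -X capture in order; a healthy PEAP exchange shows the Start followed by a Response with TLS bytes (the ClientHello), after which the certificate questions raised in the thread become relevant.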
RE: freeRADIUS and WPA-2 Enterprise
Go to the 802.1x XP supplicant configuration. Below the box where you choose
between certificate and PEAP authentication is a button Properties. Click on
that and uncheck the Validate server certificate box.

Ivan Kalik
Kalik Informatika ISP

On 16/5/2008, William E. Russell [EMAIL PROTECTED] wrote:
> All,
>
> We are trying to set up WPA2 Enterprise authentication to work with the
> FreeRADIUS server. We have configured EAP-PEAP authentication. We have
> installed all the certificates and corrected the eap.conf certificate
> paths. We tried to connect from the supplicant from Windows XP. Windows
> asked for the login/password and this is the output of radiusd -X. The
> user is configured in the users file. We couldn't see any error, however
> the authentication didn't succeed. Can anyone help?
>
> [...]
freeRADIUS and WPA-2 Enterprise
All,

I have recently set up a freeRADIUS v2 server and would like some help
configuring the server to use WPA-2 Enterprise. I was wondering if anyone
had any tutorials, .conf files, etc. that would assist me in setting up my
server with the correct configuration. I have noticed some help on the
Internet, but most of the help is directed towards freeRADIUS v1, so I need
v2-specific help. Thanks.

Thank you,
William Russell
Re: freeRADIUS and WPA-2 Enterprise
Hi,

> All, I have recently set up a freeRADIUS v2 server and would like some
> help configuring the server to use WPA-2 Enterprise. I was wondering if
> anyone had any tutorials, .conf files, etc. that would assist me in
> setting up my server with the correct configuration. I have noticed some
> help on the Internet, but most of the help is directed towards freeRADIUS
> v1, so I need v2-specific help. Thanks.

A lot of the things regarding authorization, authentication, SQL and LDAP
are true for v2 as they are for v1.

When you say 'set up a freeradius v2 server' what have you done? Out of the
box as a straight install, FR2 is ready to handle WPA2-enterprise. All you
need to do is install your own certs, or make the default ones longer
lasting and suitable for you (by editing the server.cnf and client.cnf stuff
and rerunning the bootstrap), then add NAS devices to clients.conf and
ensure that the authentication you want to use is configured correctly.

Whatever you do, don't madly hack and edit down the default config files!

alan