Re: Cache for machine authentication

2013-10-04 Thread Alan DeKok
Garber, Neal wrote:
> Can someone tell me if it is possible in FR to cache in memory (for a
> short amount of time) Calling-Station-Id from successful machine
> authentications so that subsequent user authentications can test whether
> the user is connecting from an authorized device?  This is a feature
> that is available with Cisco ACS version 5 (using attribute
> Was-Machine-Authenticated) that I am trying to emulate in FR.

  My suggestion would be to use the "redis" module.

  Cisco ACS seems to do it internally, because it's a monolithic
application.  FreeRADIUS is built out of pieces.  We're not a database,
so we recommend using one where necessary.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Cache for machine authentication

2013-10-04 Thread Matthew Newton
On Fri, Oct 04, 2013 at 09:54:29AM -0400, Garber, Neal wrote:
> Can someone tell me if it is possible in FR to cache in memory
> (for a short amount of time) Calling-Station-Id from successful

rlm_cache ?

http://wiki.freeradius.org/modules/Rlm_cache

Matthew


-- 
Matthew Newton, Ph.D. 

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, 


Re: Cache for machine authentication

2013-10-04 Thread Alan Buxey
Using EAP? use the EAP cache and populate the entry with whatever is needed. 


-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Cache for machine authentication

2013-10-04 Thread Garber, Neal
Can someone tell me if it is possible in FR to cache in memory (for a short 
amount of time) Calling-Station-Id from successful machine authentications so 
that subsequent user authentications can test whether the user is connecting 
from an authorized device?  This is a feature that is available with Cisco ACS 
version 5 (using attribute Was-Machine-Authenticated) that I am trying to 
emulate in FR.  If it's possible and anyone can share ideas, I would appreciate 
it.  I thought about using a database, but it seems horribly inefficient 
compared to caching something in memory.  I know I could write a custom module 
or use perl and maintain the cache in a file, but I don't want to reinvent the 
wheel and I'm hoping there's an easier and more efficient way to accomplish 
this.

Thanks for your time.

Machine Authentication

2011-08-01 Thread Leonardo Drumond
Hi to All,

I need to configure FreeRADIUS with machine authentication (hosts) in an LDAP
database.

Does anybody have a tutorial?

Who can help me?

Thanks,

Leonardo

Leonardo José Drumond

Support Analyst

Information Technology Infrastructure Section - SECITI

Câmara Municipal de Belo Horizonte

Tel.: 55-31-3555-1241/1135

 <mailto:leodrum...@cmbh.mg.gov.br> leonardo.drum...@cmbh.mg.gov.br

 <http://www.cmbh.mg.gov.br> http://www.cmbh.mg.gov.br

This message, including its attachments, may contain privileged and/or
confidential information and may not be forwarded without the sender's
authorization. If you are not the addressee or a person authorized to receive
it, we inform you that its use, disclosure, copying or storage is prohibited.
Therefore, if you received this message by mistake, please let us know by
replying immediately to this e-mail and then delete it.



Re: Renaming during Machine Authentication

2011-06-07 Thread Alan DeKok
mjonesmcne wrote:
> Is there any documentation someone can point me to on doing machine
> authentication with edirectory, or with an ldap backend?

  Nope.  The machine authentication passwords are normally controlled by
 Active Directory.

  Your role is to find out what password the machine is using, and then
configure that in LDAP.  After that, it *should* work.

  Alan DeKok.


Re: Renaming during Machine Authentication

2011-06-07 Thread mjonesmcne
Is there any documentation someone can point me to on doing machine
authentication with edirectory, or with an ldap backend?

Thanks
Mark

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Renaming-during-Machine-Authentication-tp4394421p4462448.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: Renaming during Machine Authentication

2011-06-06 Thread Mark Jones
I have enabled ldap in the inner-tunnel...here is the latest debug log (part 1)
 
Mark
 

FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Mar 23 2011 at 
11:28:44
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
main {
 allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
 prefix = "/usr/local"
 localstatedir = "/var"
 logdir = "/var/log/radius"
 libdir = "/usr/local/lib"
 radacctdir = "/var/log/radius/radacct"
 hostname_lookups = no
 max_request_time = 30
 cleanup_delay = 5
 max_requests = 1024
 pidfile = "/var/run/radiusd/radiusd.pid"
 checkrad = "/usr/local/sbin/checkrad"
 debug_level = 0
 proxy_requests = yes
 log {
 stripped_names = no
 auth = no
 auth_badpass = no
 auth_goodpass = no
 }
 security {
 max_attributes = 200
 reject_delay = 1
 status_server = yes
 }
}
radiusd:  Loading Realms and Home Servers 
 proxy server {
 retry_delay = 5
 retry_count = 3
 default_fallback = no
 dead_time = 120
 wake_all_if_all_dead = no
 }
 home_server localhost {
 ipaddr = 127.0.0.1
 port = 1812
 type = "auth"
 secret = "testing123"
 response_window = 20
 max_outstanding = 65536
 require_message_authenticator = yes
 zombie_period = 40
 status_check = "status-server"
 ping_interval = 30
 check_interval = 30
 num_answers_to_alive = 3
 num_pings_to_alive = 3
 revive_interval = 120
 status_check_timeout = 4
 irt = 2
 mrt = 16
 mrc = 5
 mrd = 30
 }
 home_server_pool my_auth_failover {
 type = fail-over
 home_server = localhost
 }
 realm example.com {
 auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd:  Loading 

Re: Renaming during Machine Authentication

2011-06-05 Thread Alan DeKok
Mark Jones wrote:
> Ok, I'm going to try following that guide Monday morning, just one
> question before I get started...does it work with an edir backend and a
> samba server acting as a PDC on an OES2 server?

  Uh... no.  The guide is for getting Active Directory to work.  Active
Directory is not Samba.

  eDir is just an LDAP server.  You've configured it as an LDAP server:

[ldap]  expand: o=hpsd_48 -> o=hpsd_48
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in o=hpsd_48, with filter (uid=TEST-11501$)
[ldap] Added the eDirectory password  in check items as
Cleartext-Password
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user host/TEST-11501.hpsd48.ab.ca authorized to use remote access
...

  But you *HAVEN'T* changed the "inner-tunnel" virtual server to use the
LDAP module.  Go read it, and un-comment the line saying "ldap".

  Alan DeKok.


Re: Renaming during Machine Authentication

2011-06-04 Thread Mark Jones
Ok, I'm going to try following that guide Monday morning, just one question 
before I get started...does it work with an edir backend and a samba server 
acting as a PDC on an OES2 server?
 
Thanks for the advice Alan
 
Mark

>>> Alan DeKok  6/4/2011 1:22 PM >>>
Mark Jones wrote:
> Ok so where or how do I tell it?

  http://deployingradius.com/ 

  Follow the "Active Directory" guide.

  Alan DeKok.

This communication is intended for the use of the recipient to which it is 
addressed and may contain confidential, personal and/or privileged information. 
If you received this e-mail in error, please advise me (by return e-mail or 
otherwise) immediately.

Re: Renaming during Machine Authentication

2011-06-04 Thread Alan DeKok
Mark Jones wrote:
> Ok so where or how do I tell it?

  http://deployingradius.com/

  Follow the "Active Directory" guide.

  Alan DeKok.


Re: Renaming during Machine Authentication

2011-06-04 Thread Mark Jones
Ok so where or how do I tell it?
 
Mark

>>> Alan DeKok  6/3/2011 11:57 PM >>>
mjonesmcne wrote:
> Here is the rest of the debug
...
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
> [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
> [mschap] Creating challenge hash with username: host/TEST-11501.hpsd48.ab.ca
> [mschap] Told to do MS-CHAPv2 for host/TEST-11501.hpsd48.ab.ca with
> NT-Password
> [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] returns reject

  That's pretty definitive.

  You didn't tell the server how to authenticate the user.

  Alan DeKok.


Re: Renaming during Machine Authentication

2011-06-03 Thread Alan DeKok
mjonesmcne wrote:
> Here is the rest of the debug
...
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
> [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
> [mschap] Creating challenge hash with username: host/TEST-11501.hpsd48.ab.ca
> [mschap] Told to do MS-CHAPv2 for host/TEST-11501.hpsd48.ab.ca with
> NT-Password
> [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] returns reject

  That's pretty definitive.

  You didn't tell the server how to authenticate the user.

  Alan DeKok.


Re: Renaming during Machine Authentication

2011-06-03 Thread mjonesmcne
file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} ->
host/TEST-11501.hpsd48.ab.ca
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 26 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 26
Sending Access-Reject of id 126 to 10.152.0.100 port 32819
EAP-Message = 0x04090004
Message-Authenticator = 0x
Waking up in 0.9 seconds.
Cleaning up request 0 ID 100 with timestamp +45
Cleaning up request 1 ID 101 with timestamp +45
Cleaning up request 2 ID 102 with timestamp +45
Cleaning up request 3 ID 103 with timestamp +45
Cleaning up request 4 ID 104 with timestamp +45
Cleaning up request 5 ID 105 with timestamp +45
Cleaning up request 6 ID 106 with timestamp +45
Cleaning up request 7 ID 107 with timestamp +45
Waking up in 1.0 seconds.
Cleaning up request 8 ID 108 with timestamp +45
Waking up in 0.3 seconds.
Cleaning up request 9 ID 109 with timestamp +46
Cleaning up request 10 ID 110 with timestamp +46
Cleaning up request 11 ID 111 with timestamp +46
Cleaning up request 12 ID 112 with timestamp +46
Cleaning up request 13 ID 113 with timestamp +46
Cleaning up request 14 ID 114 with timestamp +46
Cleaning up request 15 ID 115 with timestamp +46
Cleaning up request 16 ID 116 with timestamp +46
Waking up in 1.0 seconds.
Cleaning up request 17 ID 117 with timestamp +46
Waking up in 0.3 seconds.
Cleaning up request 18 ID 118 with timestamp +48
Cleaning up request 19 ID 119 with timestamp +48
Cleaning up request 20 ID 120 with timestamp +48
Cleaning up request 21 ID 121 with timestamp +48
Cleaning up request 22 ID 122 with timestamp +48
Cleaning up request 23 ID 123 with timestamp +48
Cleaning up request 24 ID 124 with timestamp +48
Cleaning up request 25 ID 125 with timestamp +48
Waking up in 1.0 seconds.
Cleaning up request 26 ID 126 with timestamp +48
Ready to process requests.


--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Renaming-during-Machine-Authentication-tp4394421p4451755.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: Renaming during Machine Authentication

2011-06-03 Thread mjonesmcne
"10.152.0.100"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00265EE9B2CA"
Called-Station-Id = "000B86611894"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message =
EAP-Message =
0xa4355e662e9950b8933b040af55133487ac046b9417defd814030100010116030100202189ed42f5c686a93a7b80563149c8ec9c01a092f8ab4636d1c594e0d1e44f03
State = 0xaf0b06b8ac0e1f13414e4025002a7e0a
Aruba-Essid-Name = "HPSD_RAD2"
Aruba-Location-Id = "Tech 01"
Message-Authenticator = 0x4f0f6002da5fa6dafa6fe46827e2ed2c
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up
realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 310
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange  
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]  
[peap] <<< TLS 1.0 Handshake [length 0010], Finished  
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished  
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 113 to 10.152.0.100 port 32819
EAP-Message =
0x01060031190014030100010116030100203c5e6364785ff9c2b98e606384d0ae00a07e305e10c79c4ccbbea4e20f469c2d
Message-Authenticator = 0x
State = 0xaf0b06b8ab0d1f13414e4025002a7e0a
Finished request 13.
Going to the next request

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Renaming-during-Machine-Authentication-tp4394421p4451744.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: Renaming during Machine Authentication

2011-05-25 Thread mjonesmcne
I tried to paste the full log in but it was rejected because of size. What's
the best option: cut it into pieces and post a few times, or is there
another way to do it?

Thanks
Mark

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Renaming-during-Machine-Authentication-tp4394421p4425379.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: Renaming during Machine Authentication

2011-05-24 Thread Phil Mayers

On 05/24/2011 06:00 PM, Mark Jones wrote:

Here is the latest debug with termination on Aruba turned off:
FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Mar 23



Sending Access-Challenge of id 152 to 10.152.0.100 port 32819
EAP-Message =
EAP-Message =
EAP-Message =
EAP-Message =
EAP-Message = 0x53c8cb22d3f8f1f7
Message-Authenticator = 0x
State = 0x1ab6f10518b2e8e1468070e7a1c1e9d1
Finished request 2.


Is this *really* the last thing it printed out? It didn't print 
something about session expiry and a URL for you to look at?


Anyway - this is probably because the client doesn't know the CA cert. 
You were previously terminating PEAP on the Aruba, so the cert was the 
one belonging to Aruba. Now, it'll be the cert belonging to FreeRADIUS.



Re: Renaming during Machine Authentication

2011-05-24 Thread Phil Mayers
Your email client is mangling the quoting, which makes it really hard to 
read your replies. Please fix it!



So this is a full host/name.domain.com now - what did you change?



as per above i added the dns suffix to the computer (under name
change...more)


Just renaming the machine won't help.

Is the machine a member of a windows domain? If it is, you shouldn't be 
able to do this renaming. If it isn't, machine auth will NEVER WORK.



Re: Renaming during Machine Authentication

2011-05-24 Thread Mark Jones


>>> Phil Mayers  5/21/2011 3:08 AM >>>
On 05/20/2011 10:33 PM, Mark Jones wrote:
> Here is the latest debug...Im not sure what to try next.

Latest debug... ok, what has changed?
 
I added the dns suffix to the computer name


> rad_recv: Access-Request packet from host 10.152.0.100 port 32819,
> id=186, length=216
> NAS-IP-Address = 10.152.0.100
> NAS-Port = 0
> NAS-Port-Type = Wireless-802.11
> User-Name = "host/TEST-11501.hpsd48.ab.ca"
> Calling-Station-Id = "00265EE9B2CA"
> Called-Station-Id = "000B86611894"
> MS-CHAP-Challenge = 0xa389f8f8a19c2761c3f31128115bac7f
> MS-CHAP2-Response =
> 0x0800afc6531b8f43785e186a0578c795c13b5f4828b8f016c112e3e453505d0c203f7172ad8a40f17c02
> Service-Type = Login-User
> Aruba-Essid-Name = "HPSD_RAD2"
> Aruba-Location-Id = "Tech 01"

This is still a plain MSCHAP request, indicating that the Aruba 
equipment is still terminating the PEAP itself, and translating the 
EAP-MSCHAP to plain MSCHAP. As per my previous emails, I recommend you 
change this.
 
You're right, I turned it off and then re-enabled it. My next post will be with it 
off.

> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
> ++[mschap] returns ok
> ++[digest] returns noop
> [suffix] No '@'  in User-Name =
> "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[files] returns noop
> [ldap] performing user authorization for host/TEST-11501.hpsd48.ab.ca

So this is a full host/name.domain.com now - what did you change?
 
as per above i added the dns suffix to the computer (under name change...more)

> [ldap] expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=TEST-11501$)
> [ldap] expand: o=hpsd_48 -> o=hpsd_48
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] attempting LDAP reconnection
> [ldap] (re)connect to 172.17.152.4:636, authentication 0
> [ldap] setting TLS mode to 1
> [ldap] bind as cn=admin,o=hpsd_48/xx to 172.17.152.4:636
> [ldap] waiting for bind result ...
> [ldap] Bind was successful
> [ldap] performing search in o=hpsd_48, with filter (uid=TEST-11501$)
> [ldap] Added the eDirectory password xx in check items as
> Cleartext-Password

Ok, you're using Novell eDir here? Are you using DSFW?
 
Edir only 

I know almost nothing about Novell, but a recent poster to the list was 
using eDir and DFSW, and he suggested that you need to:

  1. use LDAP/eDir for users
  2. use Samba/ntlm_auth for machines

See here:

https://lists.freeradius.org/pipermail/freeradius-users/2011-May/msg00069.html 

> [ldap] looking for check items in directory...
> [ldap] looking for reply items in directory...
> [ldap] user host/TEST-11501.hpsd48.ab.ca authorized to use remote access
> [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING: Auth-Type already set. Not setting to PAP
> ++[pap] returns noop
> Found Auth-Type = MSCHAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group MS-CHAP {...}
> [mschap] Creating challenge hash with username: host/TEST-11501.hpsd48.ab.ca
> [mschap] Told to do MS-CHAPv2 for host/TEST-11501.hpsd48.ab.ca with
> NT-Password
> [mschap] FAILED: MS-CHAP2-Response is incorrect

Again, only three possible choices:

  1. The client is sending the wrong data (i.e password - unlikely)
  2. The server is using the wrong data (i.e. password from LDAP is 
incorrect)
  3. Something is fiddling with the data in-flight (e.g. Aruba messing 
with the EAP)
 
I will post a new debug with termination off in a couple minutes

Re: Renaming during Machine Authentication

2011-05-21 Thread Phil Mayers

On 05/20/2011 10:33 PM, Mark Jones wrote:

Here is the latest debug...Im not sure what to try next.


Latest debug... ok, what has changed?



rad_recv: Access-Request packet from host 10.152.0.100 port 32819,
id=186, length=216
NAS-IP-Address = 10.152.0.100
NAS-Port = 0
NAS-Port-Type = Wireless-802.11
User-Name = "host/TEST-11501.hpsd48.ab.ca"
Calling-Station-Id = "00265EE9B2CA"
Called-Station-Id = "000B86611894"
MS-CHAP-Challenge = 0xa389f8f8a19c2761c3f31128115bac7f
MS-CHAP2-Response =
0x0800afc6531b8f43785e186a0578c795c13b5f4828b8f016c112e3e453505d0c203f7172ad8a40f17c02
Service-Type = Login-User
Aruba-Essid-Name = "HPSD_RAD2"
Aruba-Location-Id = "Tech 01"


This is still a plain MSCHAP request, indicating that the Aruba 
equipment is still terminating the PEAP itself, and translating the 
EAP-MSCHAP to plain MSCHAP. As per my previous emails, I recommend you 
change this.



# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@'  in User-Name =
"host/TEST-11501.hpsd48.ab.ca", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[ldap] performing user authorization for host/TEST-11501.hpsd48.ab.ca


So this is a full host/name.domain.com now - what did you change?


[ldap] expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=TEST-11501$)
[ldap] expand: o=hpsd_48 -> o=hpsd_48
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to 172.17.152.4:636, authentication 0
[ldap] setting TLS mode to 1
[ldap] bind as cn=admin,o=hpsd_48/xx to 172.17.152.4:636
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in o=hpsd_48, with filter (uid=TEST-11501$)
[ldap] Added the eDirectory password xx in check items as
Cleartext-Password


Ok, you're using Novell eDir here? Are you using DSFW?

I know almost nothing about Novell, but a recent poster to the list was 
using eDir and DFSW, and he suggested that you need to:


 1. use LDAP/eDir for users
 2. use Samba/ntlm_auth for machines

See here:

https://lists.freeradius.org/pipermail/freeradius-users/2011-May/msg00069.html


[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user host/TEST-11501.hpsd48.ab.ca authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: host/TEST-11501.hpsd48.ab.ca
[mschap] Told to do MS-CHAPv2 for host/TEST-11501.hpsd48.ab.ca with
NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect


Again, only three possible choices:

 1. The client is sending the wrong data (i.e password - unlikely)
 2. The server is using the wrong data (i.e. password from LDAP is 
incorrect)
 3. Something is fiddling with the data in-flight (e.g. Aruba messing 
with the EAP)

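Phil's reply turns on two things visible in the debug output: the identity a domain-joined Windows machine sends (host/name.domain.com, with the DNS suffix present) and the LDAP filter expansion that turns host/TEST-11501.hpsd48.ab.ca into the account name TEST-11501$, followed by the MS-CHAPv2 step, which can only be verified when the server has an NT-Password or a Cleartext-Password to derive one from. The block below is an added Python example, not code from the thread or from rlm_mschap: it implements the name mapping exactly as the page's debug lines show it (drop host/, keep the short name before the first dot, append $) and the "do we hold a verifiable credential" check that decides between the two reject lines seen in the log. Function and type names are hypothetical, and the identities in the usage section are taken from the thread's own debug output.

```python
from typing import NamedTuple, Optional


class MachineIdentity(NamedTuple):
    account: str            # directory account name, e.g. "TEST-11501$"
    domain: Optional[str]   # DNS suffix, or None when the identity has no domain part


def machine_account_name(user_name: str) -> Optional[MachineIdentity]:
    """Map an EAP identity to the machine account it refers to, or return None
    for an ordinary user login. Mirrors the mapping visible in the thread's
    debug output: 'host/TEST-11501.hpsd48.ab.ca' -> 'TEST-11501$'."""
    if not user_name.startswith("host/"):
        return None
    fqdn = user_name[len("host/"):]
    if not fqdn or fqdn.startswith("."):
        raise ValueError(f"malformed machine identity: {user_name!r}")
    short, sep, domain = fqdn.partition(".")
    return MachineIdentity(short + "$", domain if sep else None)


def can_verify_mschapv2(check_items: dict) -> bool:
    """MS-CHAPv2 verification needs the account's NT hash, or a cleartext
    password from which to compute it. With neither in the check items the
    server can only reject, which is the 'No NT/LM-Password. Cannot perform
    authentication' line in the log."""
    return any(k in check_items for k in ("NT-Password", "Cleartext-Password"))


def diagnose(user_name: str, check_items: dict) -> str:
    """Classify a machine-auth attempt along the lines of the thread's replies:
    user login, host without a domain suffix, no credential to verify against,
    or a request the server can actually check."""
    ident = machine_account_name(user_name)
    if ident is None:
        return "user login, not machine authentication"
    if ident.domain is None:
        return f"{ident.account}: no DNS suffix in identity, host is probably not a domain member"
    if not can_verify_mschapv2(check_items):
        return f"{ident.account}: no NT-Password/Cleartext-Password in check items, cannot verify"
    return f"{ident.account}: credential available, MS-CHAPv2 response can be verified"


if __name__ == "__main__":
    # Identities from the thread's debug output; check items constructed.
    print(diagnose("host/TECH-11501", {}))
    print(diagnose("host/TEST-11501.hpsd48.ab.ca", {}))
    print(diagnose("host/TEST-11501.hpsd48.ab.ca", {"Cleartext-Password": "..."}))
```

The mapping deliberately keeps the short host name's case as sent, since the page shows TEST-11501 arriving already upper-case and says nothing about how a mixed-case name is matched against the directory; whether that lookup is case-sensitive depends on the directory's schema, not on this code.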


RE: Renaming during Machine Authentication

2011-05-19 Thread Gary Gatten
Yeah, not sure what "Abooba" does when it terminates PEAP, but it weirds things 
out sometimes.  Still doesn't explain why XP just worked but W7 had bunches of 
issues, but I can attest that making the Abooba controllers pass *eap to FR 
works better - maybe works 100%.
The only thing we noticed is, if Abooba does NOT terminate PEAP - there is no 
"local" login option available.  We had our two FR servers configured as well 
as local login (as last resort).  I guess now we need to be REALLY sure at 
least one FR server is up all the time!
G



From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On 
Behalf Of Mark Jones
Sent: Thursday, May 19, 2011 12:15 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: Renaming during Machine Authentication

This is on a samba domain Phil as per the cool solutions article I mentioned in 
an earlier post. I am looking into my Aruba settings now for termination

Mark

>>> Phil Mayers  5/19/2011 1:58 AM >>>

> User-Name = "host/TECH-11501"

Machines which are in the domain normally have this as:

host/name.domain.com

i.e. there is a "domain.com" at the end of the name.

The absence of that suggests to me that the machine is not a domain
member. Is that the case? If so, it cannot do machine auth.

> Calling-Station-Id = "00265EE9B2CA"
> Called-Station-Id = "000B86611894"
> MS-CHAP-Challenge = 0x5551e00f40ce355de8053dbc2f64b5dd
> MS-CHAP2-Response =
> 0x0700226e95f1d0ae4efe8f381fd3714c7b0f904f33f5941ab6017f433da0f45438dc665447e9d6510a2d
> Service-Type = Login-User
> Aruba-Essid-Name = "HPSD_RAD2"
> Aruba-Location-Id = "Tech 01"

Great. More Aruba, probably terminating the PEAP locally. What a junky
product.

See other posts on the list in the past few days - you should DISABLE
"terminate PEAP" (or whatever the option is) on your Aruba equipment,
and let it do the EAP/PEAP.

> +- entering group MS-CHAP {...}
> [mschap] Creating challenge hash with username: host/TECH-11501
> [mschap] Told to do MS-CHAPv2 for host/TECH-11501 with NT-Password
> [mschap] FAILED: MS-CHAP2-Response is incorrect

Hmm. Indicating the password is not correct or the EAP has been fiddled
with.



Re: Renaming during Machine Authentication

2011-05-19 Thread Mark Jones
This is on a samba domain Phil as per the cool solutions article I mentioned in 
an earlier post. I am looking into my Aruba settings now for termination
 
Mark

>>> Phil Mayers  5/19/2011 1:58 AM >>>

> User-Name = "host/TECH-11501"

Machines which are in the domain normally have this as:

host/name.domain.com

i.e. there is a "domain.com" at the end of the name.

The absence of that suggests to me that the machine is not a domain 
member. Is that the case? If so, it cannot do machine auth.

> Calling-Station-Id = "00265EE9B2CA"
> Called-Station-Id = "000B86611894"
> MS-CHAP-Challenge = 0x5551e00f40ce355de8053dbc2f64b5dd
> MS-CHAP2-Response =
> 0x0700226e95f1d0ae4efe8f381fd3714c7b0f904f33f5941ab6017f433da0f45438dc665447e9d6510a2d
> Service-Type = Login-User
> Aruba-Essid-Name = "HPSD_RAD2"
> Aruba-Location-Id = "Tech 01"

Great. More Aruba, probably terminating the PEAP locally. What a junky 
product.

See other posts on the list in the past few days - you should DISABLE 
"terminate PEAP" (or whatever the option is) on your Aruba equipment, 
and let it do the EAP/PEAP.

> +- entering group MS-CHAP {...}
> [mschap] Creating challenge hash with username: host/TECH-11501
> [mschap] Told to do MS-CHAPv2 for host/TECH-11501 with NT-Password
> [mschap] FAILED: MS-CHAP2-Response is incorrect

Hmm. Indicating the password is not correct or the EAP has been fiddled 
with.

Re: Renaming during Machine Authentication

2011-05-19 Thread Phil Mayers

> User-Name = "host/TECH-11501"

Machines which are in the domain normally have this as:

host/name.domain.com

i.e. there is a "domain.com" at the end of the name.

The absence of that suggests to me that the machine is not a domain 
member. Is that the case? If so, it cannot do machine auth.

> Calling-Station-Id = "00265EE9B2CA"
> Called-Station-Id = "000B86611894"
> MS-CHAP-Challenge = 0x5551e00f40ce355de8053dbc2f64b5dd
> MS-CHAP2-Response =
> 0x0700226e95f1d0ae4efe8f381fd3714c7b0f904f33f5941ab6017f433da0f45438dc665447e9d6510a2d
> Service-Type = Login-User
> Aruba-Essid-Name = "HPSD_RAD2"
> Aruba-Location-Id = "Tech 01"

Great. More Aruba, probably terminating the PEAP locally. What a junky 
product.

See other posts on the list in the past few days - you should DISABLE 
"terminate PEAP" (or whatever the option is) on your Aruba equipment, 
and let it do the EAP/PEAP.

> +- entering group MS-CHAP {...}
> [mschap] Creating challenge hash with username: host/TECH-11501
> [mschap] Told to do MS-CHAPv2 for host/TECH-11501 with NT-Password
> [mschap] FAILED: MS-CHAP2-Response is incorrect

Hmm. Indicating the password is not correct or the EAP has been fiddled 
with.


Re: Renaming during Machine Authentication

2011-05-16 Thread Mark Jones
Thanks Phil. I am out of the office until Thursday, but in my first message I 
posted the debug from bootup where it fails. Is there more output I need to 
post later this week?

Mark

-Original Message-
From: Phil Mayers 
To:  

Sent: 5/16/2011 3:01:35 AM
Subject: Re: Renaming during Machine Authentication

On 05/16/2011 01:03 AM, Mark Jones wrote:
> Hi Phil, thanks for answering. I am trying to authenticate the
> machines on bootup. I have an edir backend and am following this cool
> solutions article which is fairly old:
> http://www.novell.com/coolsolutions/feature/17044.html  In it they
> talk about attrib-rewrite but use it in the radiusd.conf file which
> in my limited knowledge of freeradius I think is an older way of
> doing it.


Yeah, don't do it that way. Aside from the config in the article being 
subtly wrong (regexp in the 2nd rewrite module isn't right), there are 
easier ways to accomplish mutating the username if you need to do that, 
which you don't because you can just use %{mschap:User-Name} and it'll 
do it for you (as well as being more obvious IMHO)

>
> Right now if I join a machine to the samba domain I have created, it
> automatically is imported into edirectory and named "machinename$".
> The article is not complete so I am really not sure if the machine is

I'm not familiar with eDir so can't say.

Is it working for you now? If not, post a debug and someone can probably 
suggest what needs changing.


Re: Renaming during Machine Authentication

2011-05-16 Thread Phil Mayers

On 05/16/2011 01:03 AM, Mark Jones wrote:
> Hi Phil, thanks for answering. I am trying to authenticate the
> machines on bootup. I have an edir backend and am following this cool
> solutions article which is fairly old:
> http://www.novell.com/coolsolutions/feature/17044.html  In it they
> talk about attrib-rewrite but use it in the radiusd.conf file which
> in my limited knowledge of freeradius I think is an older way of
> doing it.

Yeah, don't do it that way. Aside from the config in the article being 
subtly wrong (regexp in the 2nd rewrite module isn't right), there are 
easier ways to accomplish mutating the username if you need to do that, 
which you don't because you can just use %{mschap:User-Name} and it'll 
do it for you (as well as being more obvious IMHO).

> Right now if I join a machine to the samba domain I have created, it
> automatically is imported into edirectory and named "machinename$".
> The article is not complete so I am really not sure if the machine is

I'm not familiar with eDir so can't say.

Is it working for you now? If not, post a debug and someone can probably 
suggest what needs changing.


Re: Renaming during Machine Authentication

2011-05-15 Thread Mark Jones
Hi Phil, thanks for answering. I am trying to authenticate the machines on 
bootup. I have an edir backend and am following this cool solutions article 
which is fairly old:  http://www.novell.com/coolsolutions/feature/17044.html  
In it they talk about attrib-rewrite but use it in the radiusd.conf file which 
in my limited knowledge of freeradius I think is an older way of doing it. 

Right now if I join a machine to the samba domain I have created, it 
automatically is imported into edirectory and named "machinename$". The article 
is not complete so I am really not sure if the machine is supposed to 
authenticate to edir or samba during bootup, but the end result I want is the 
machine to authenticate on startup so the user has a single sign-on experience 
like they would if they plugged into the network. 

Thanks again

Mark

>>> Phil Mayers  05/14/11 2:50 AM >>>
On 05/13/2011 11:21 PM, Mark Jones wrote:
> That sounds good...where exactly do I put that in the config files?

Well, since you didn't explain why you wanted to rename it (for what 
purpose) I can't say for sure.

Usually, a lot of what goes on in FreeRADIUS is done with string 
expansions - for example you might have an SQL query defined in sql.conf:

  some_query = "select something from table where username='%{SQL-User-Name}'"

In this case, you'd replace that with:

  some_query = "select something from table where username='%{mschap:User-Name}'"

But this is just an example. You need to be more specific about the 
problem(s) you're having if you want people to give you advice.


Re: Renaming during Machine Authentication

2011-05-14 Thread Phil Mayers

On 05/13/2011 11:21 PM, Mark Jones wrote:
> That sounds good...where exactly do I put that in the config files?

Well, since you didn't explain why you wanted to rename it (for what 
purpose) I can't say for sure.

Usually, a lot of what goes on in FreeRADIUS is done with string 
expansions - for example you might have an SQL query defined in sql.conf:

  some_query = "select something from table where username='%{SQL-User-Name}'"

In this case, you'd replace that with:

  some_query = "select something from table where username='%{mschap:User-Name}'"

But this is just an example. You need to be more specific about the 
problem(s) you're having if you want people to give you advice.


Re: Renaming during Machine Authentication

2011-05-13 Thread Mark Jones
That sounds good...where exactly do I put that in the config files?

>>> Phil Mayers  5/13/2011 4:15 PM >>>
On 05/13/2011 11:03 PM, Mark Jones wrote:
> Hi all, I have freeradius 2.1.10 setup on a SLES server. When the
> workstation boots it sends an mschapv2 request in the form
> host/machinename. What is the best way to convert this to machinename$ ?
> Sorry if this has been asked before; I'm stumped and cannot find the answer.

Why do you need to "rename" it?

If you want to do LDAP or SQL queries, you can use this in the query:

%{mschap:User-Name}

...which expands:

user -> user
DOMAIN\user -> user
host/name.domain.com -> name$


Re: Renaming during Machine Authentication

2011-05-13 Thread Phil Mayers

On 05/13/2011 11:03 PM, Mark Jones wrote:
> Hi all, I have freeradius 2.1.10 setup on a SLES server. When the
> workstation boots it sends an mschapv2 request in the form
> host/machinename. What is the best way to convert this to machinename$ ?
> Sorry if this has been asked before; I'm stumped and cannot find the answer.

Why do you need to "rename" it?

If you want to do LDAP or SQL queries, you can use this in the query:

%{mschap:User-Name}

...which expands:

user -> user
DOMAIN\user -> user
host/name.domain.com -> name$


Renaming during Machine Authentication

2011-05-13 Thread Mark Jones
Hi all, I have freeradius 2.1.10 setup on a SLES server. When the workstation 
boots it sends an mschapv2 request in the form host/machinename.  What is the 
best way to convert this to machinename$ ? Sorry if this has been asked before; 
I'm stumped and cannot find the answer.
 
Here is part of the log:
 
Ready to process requests.
rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=79, 
length=203
NAS-IP-Address = 10.152.0.100
NAS-Port = 0
NAS-Port-Type = Wireless-802.11
User-Name = "host/TECH-11501"
Calling-Station-Id = "00265EE9B2CA"
Called-Station-Id = "000B86611894"
MS-CHAP-Challenge = 0x0568442cb1608fce03cb2662dcf52694
MS-CHAP2-Response = 
0x07007e63e9fa7fb503e4cfff2a2c0056869857f0c5ece05913c5eeaf48096b25dcbd01f39d20a71404e1
Service-Type = Login-User
Aruba-Essid-Name = "HPSD_RAD2"
Aruba-Location-Id = "Tech 01"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "host/TECH-11501", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[ldap] performing user authorization for host/TECH-11501
[ldap]  expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=TECH-11501$)
[ldap]  expand: o=hpsd_48 -> o=hpsd_48
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in o=hpsd_48, with filter (uid=TECH-11501$)
[ldap] Added the eDirectory password x in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user host/TECH-11501 authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: host/TECH-11501
[mschap] Told to do MS-CHAPv2 for host/TECH-11501 with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> host/TECH-11501
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 13 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 13
Sending Access-Reject of id 79 to 10.152.0.100 port 32819
Waking up in 4.9 seconds.
Cleaning up request 13 ID 79 with timestamp +926
Ready to process requests.
 
Here is the log from same machine after logging in:
 
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=82, 
length=194
NAS-IP-Address = 10.152.0.100
NAS-Port = 0
NAS-Port-Type = Wireless-802.11
User-Name = "mjones"
Calling-Station-Id = "00265EE9B2CA"
Called-Station-Id = "000B86611894"
MS-CHAP-Challenge = 0xe744e26bd3741ff3a339f931e5d541cc
MS-CHAP2-Response = 
0x070001ee52a851770be78f667189c6bdec3b50e99570745eb5a68f290dfe79879837d3997b7aa9b7b3cc
Service-Type = Login-User
Aruba-Essid-Name = "HPSD_RAD2"
Aruba-Location-Id = "Tech 01"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "mjones", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[ldap] performing user authorization for mjones
[ldap]  expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=mjones)
[ldap]  expand: o=hpsd_48 -> o=hpsd_48
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in o=hpsd_48, with filter (uid=mjones)
[ldap] Added the eDirectory password  in check items as Cleartext-Password
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user mjones authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] 

RE: Help with machine authentication

2011-04-26 Thread Eldred, Bob

> Once you've done it once, you can export it as a "netsh" XML 
> profile, then re-import it on other machines. Or use group 
> policy on domain members.

Group policy is the plan.


> %{mschap:NT-Domain} will expand the above to "ppmenergy". So, 
> if the short-form (NT4-style name) of your AD realm is 
> "ppmenergy" that'll be fine.

Perfect, thanks.

> > Sending Access-Challenge of id 219 to 10.56.160.5 port 32768
> >  EAP-Message = 0x010700061900
> >  Message-Authenticator = 0x
> >  State = 0x1c7725f518703c6d6a5dce719626f316
> > Finished request 14.
> > Going to the next request
> > Waking up in 4.9 seconds.
> 
> ...and what happens next? This is just a single request. EAP 
> authentication involves lots of pairs of request/challenge, 
> with a final 
> request/accept or request/reject.
> 
> I am going to take a wild guess - you are using "ntlm_auth" 
> and you need 
> to edit the command line in raddb/modules/mschap to read:
> 
>ntlm_auth = " --username=%{mschap:User-Name} ..."
> 
> If not, please show the full authentication attempt so we can 
> see where 
> it fails.

Well, the issue turned out to be client-side.  The root certificate
had not imported successfully.  Once I fixed that, it all automagically
worked.  Thank you very much for your response.

Bob


Re: Help with machine authentication

2011-04-22 Thread Phil Mayers

On 04/21/2011 08:08 PM, Eldred, Bob wrote:
> After configuring a Windows XP SP3 supplicant for machine authentication
> (which is stupidly complex, given the required registry hacks to make it
> work)

Once you've done it once, you can export it as a "netsh" XML profile, 
then re-import it on other machines. Or use group policy on domain members.

> I get this in the debug output:
>
> ++[mschap] returns noop
> [ntdomain] No '\' in User-Name = "host/C776669.ppmenergy.us", looking up
> realm NULL
> [ntdomain] No such realm "NULL"
> ++[ntdomain] returns noop
>
> Now, I can clearly see that there *is* no '\' in the hostname there, nor
> should there be.  But everything I've found on the web indicates that
> with the version of FreeRADIUS and Samba I have, %{mschap:User-Name}
> should be rewritten as C776669$.  Getting the domain of the thing will

Correct, it should be rewritten from host/name to name$

> be another challenge of its own, I imagine.

%{mschap:NT-Domain} will expand the above to "ppmenergy". So, if the 
short-form (NT4-style name) of your AD realm is "ppmenergy" that'll be fine.

If not you'll have to hard-code the domain or get it otherwise. This is 
one reason why Microsoft were DUMB to pick host/dnsname.domain.com - the 
DNS name and authentication realm need not match. They should have just 
sent host$@AUTH.REALM as the EAP-Identity and made everyone's life 
easier... :o(

> ++[mschap] returns noop

This is as-expected. The request is EAP, not mschap, so mschap returns 
noop. This is completely independent of using "%{mschap:User-Name}" 
anywhere.

> [ntdomain] No '\' in User-Name = "host/C776669.ppmenergy.us", looking up
> realm NULL
> [ntdomain] No such realm "NULL"
> ++[ntdomain] returns noop

Again, as expected.

> Sending Access-Challenge of id 219 to 10.56.160.5 port 32768
>  EAP-Message = 0x010700061900
>  Message-Authenticator = 0x
>  State = 0x1c7725f518703c6d6a5dce719626f316
> Finished request 14.
> Going to the next request
> Waking up in 4.9 seconds.

...and what happens next? This is just a single request. EAP 
authentication involves lots of pairs of request/challenge, with a final 
request/accept or request/reject.

I am going to take a wild guess - you are using "ntlm_auth" and you need 
to edit the command line in raddb/modules/mschap to read:

  ntlm_auth = " --username=%{mschap:User-Name} ..."

If not, please show the full authentication attempt so we can see where 
it fails.

Better yet, carefully read through the full debug output yourself. The 
failure code *will* be in there.

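The %{mschap:User-Name} and %{mschap:NT-Domain} expansions that Phil describes here and in the "Renaming during Machine Authentication" thread above (host/name.domain.com -> name$, DOMAIN\user -> user, user -> user, and "ppmenergy" for host/C776669.ppmenergy.us), modelled in Python as an added example. This is not FreeRADIUS's rlm_mschap code; it reproduces only the behaviour the posts state. The `uid_filter` function mirrors the `(uid=%{mschap:User-Name:-%{User-Name}})` filter seen in Mark's debug log, and the RFC 4515 escaping it applies is an assumption added here for any code that interpolates a client-supplied User-Name into an LDAP filter itself.

```python
"""Model of the MS-CHAP identity expansions described in the thread (added example)."""
from typing import Optional


def mschap_user_name(user_name: str) -> str:
    """Model of %{mschap:User-Name} as described in the thread.

    host/name.domain.com -> name$     (machine account, first DNS label + '$')
    DOMAIN\\user         -> user      (NT4-style name, domain prefix dropped)
    user                 -> user      (unchanged)
    """
    if user_name.startswith("host/"):
        host = user_name[len("host/"):]
        # keep only the first DNS label of the host name, then add the
        # trailing '$' that marks a machine account
        return host.split(".", 1)[0] + "$"
    if "\\" in user_name:
        return user_name.split("\\", 1)[1]
    return user_name


def mschap_nt_domain(user_name: str) -> Optional[str]:
    """Model of %{mschap:NT-Domain}: the short (NT4-style) domain name.

    For host/C776669.ppmenergy.us the thread states this is "ppmenergy",
    i.e. the first DNS label after the host name. For DOMAIN\\user it is
    DOMAIN. A plain user name carries no domain, so None is returned.
    """
    if user_name.startswith("host/"):
        labels = user_name[len("host/"):].split(".")
        return labels[1] if len(labels) > 1 and labels[1] else None
    if "\\" in user_name:
        return user_name.split("\\", 1)[0]
    return None


def is_machine_auth(user_name: str) -> bool:
    """True for the host/... identity a domain member sends at boot."""
    return user_name.startswith("host/")


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter
    (assumption added here; FreeRADIUS does its own escaping of xlats)."""
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def uid_filter(user_name: str) -> str:
    """Model of (uid=%{mschap:User-Name:-%{User-Name}}) from the debug log:
    use the mschap expansion, fall back to the raw User-Name if it is empty,
    and escape the value before building the filter."""
    ident = mschap_user_name(user_name) or user_name
    return "(uid=%s)" % ldap_filter_escape(ident)


if __name__ == "__main__":
    # Constructed sample identities, including the two seen in the thread's logs.
    for name in ("host/TECH-11501", "host/C776669.ppmenergy.us", "DOMAIN\\user", "mjones"):
        print(name, "->", mschap_user_name(name), mschap_nt_domain(name), uid_filter(name))
```

Running the block prints the expansion for each constructed identity; for host/TECH-11501 it yields TECH-11501$ and the filter (uid=TECH-11501$), matching the `[ldap] expand:` line in Mark's log. Note that a bare host/name with no DNS suffix has no domain label, which is the case Phil flags as a non-domain member.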


Help with machine authentication

2011-04-21 Thread Eldred, Bob
Hello there,

I've spent the last couple days combing the interwebs, hoping to find
the (probably stupid and minor) config issue with a FreeRADIUS server
I've been asked to implement.  I've successfully enabled and tested user
authentication as a first step, but the next step is to move from that
to machine authentication.  I'll tackle proxying after I can make this
work (hopefully without having to bother the list).

Environment:

CentOS (dmesg gives: Linux version 2.6.18-194.el5
(mockbu...@builder16.centos.org) (gcc version 4.1.2 20080704 (Red Hat
4.1.2-48)) #1 SMP Fri Apr 2 14:58:35 EDT 2010)

Samba v 3.0.33-3.29.el5_5.1

FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on Mar
31 2010 at 00:25:31


Problem:

After configuring a Windows XP SP3 supplicant for machine authentication
(which is stupidly complex, given the required registry hacks to make it
work), I get this in the debug output:

++[mschap] returns noop
[ntdomain] No '\' in User-Name = "host/C776669.ppmenergy.us", looking up
realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop


Now, I can clearly see that there *is* no '\' in the hostname there, nor
should there be.  But everything I've found on the web indicates that
with the version of FreeRADIUS and Samba I have, %{mschap:User-Name}
should be rewritten as C776669$.  Getting the domain of the thing will
be another challenge of its own, I imagine.

Thank you in advance, for any help you can offer.

-Bob

Following is the complete output of the server startup, and then the
output of a request:

FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on Mar
31 2010 at 00:25:31
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/linelog
including configuration file
/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/control-socket
group = radiusd
user = radiusd
including di

Machine Authentication and Active Directory group lookups

2011-01-18 Thread Graham, Robert
Hello all,

I have FreeRadius v 2.1.10 installed and configured to authenticate
users against Active Directory using PEAP/MSChapV2 and perform Group
membership lookups via the ldap module so that I can configure radius
reply attributes to provide VLAN assignment and Dynamic ACLs.  All is
working extremely well, but one item that I would also like to get
working is the Machine Authentication. Machine Authentication is
working with the exception of the ldap group lookup.  From what I can
tell, when the machine authenticates, the ntlm_auth knows that the
request is a Machine Authentication and appends the $ to the end of the
username for the sAMAccountName:


# Executing group from file /usr//etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[inner-eap] Request found, released from the list
[inner-eap] EAP/mschapv2
[inner-eap] processing type mschapv2
[mschapv2] # Executing group from file
/usr//etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: host/lab..com
[mschap] Told to do MS-CHAPv2 for host/lab..XXX with NT-Password
[mschap]expand: --username=%{mschap:User-Name:-None} ->
--username=lab$
[mschap]  mschap2: 78
[mschap] Creating challenge hash with username: host/lab..XXX
[mschap]expand: --challenge=%{mschap:Challenge:-00} ->
--challenge=a9c34f78fae78fd0
[mschap]expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=961d047adaedc84346d00fcd2a0a67139ff4a95c9e13ae61
Exec-Program output: NT_KEY: 65891DD9BE6290D3EEB54D8EB6612EFF
Exec-Program-Wait: plaintext: NT_KEY: 65891DD9BE6290D3EEB54D8EB6612EFF
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success


Since I am using:

filter = "(&(sAMAccountName=%{mschap:User-Name}))" in the ldap module,
FreeRadius is trying to do a group lookup on: lab$ which is not found in
any Active Directory groups:

# Executing section post-auth from file
/usr//etc/raddb/sites-enabled/default
+- entering group post-auth {...}
  [ldap] Entering ldap_groupcmp()
[files] expand: ou=,dc=,dc=XXX -> ou=,dc=,dc=XXX
[files] expand: (&(sAMAccountName=%{mschap:User-Name})) ->
(&(sAMAccountName=lab$))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=,dc=,dc=XXX, with filter
(&(sAMAccountName=lab$))
  [ldap] object not found


Is it possible to remove the "$" from the sAMAccountName in the LDAP
module without breaking the User Authentication?

Thanks
Robert Graham




Re: 802.1x host/machine authentication

2010-10-21 Thread Phil Mayers

On 21/10/10 10:54, Chidanand Gangur wrote:
> Thanks Phil, thanks a lot
>
> It worked. I have multiple home servers configured so I am using your
> logic like this

Excellent, glad to hear you solved it.


Re: 802.1x host/machine authentication

2010-10-21 Thread Chidanand Gangur
Thanks Phil, thanks a lot

It worked. I have multiple home servers configured so I am using your
logic like this

if ("%{User-Name}" =~ /^host\/.*testad1.com$/) {
	update control {
		Proxy-To-Realm := "testad1.com"
	}
}
elsif ("%{User-Name}" =~ /^host\/.*si-test.dssc.com$/) {
	update control {
		Proxy-To-Realm := "si-test.dssc.com"
	}
}

Thanks,
Chidanand

On Thu, Oct 21, 2010 at 1:52 PM, Phil Mayers  wrote:
> On 10/21/2010 08:55 AM, Chidanand Gangur wrote:
>>
>> I have collected logs for full session of host authentication, log is
>> pasted below.
>>
>> As mentioned in my previous mail I just want to proxy  the host
>> authentication request to the home server, is it possible?
>
> You didn't mention that in your original email.
>
> As I've said - the "host/foo" syntax is NOT an IPASS username. It may have
> the same format, but you do not want to process it using that realm.
>
> If you want to proxy these requests, I would recommend doing the following:
>
>  1. Define the realm you are proxying to in "proxy.conf"
>  2. In "authorize", do the following:
>
> authorize {
>   ... # N.B do not have the "IPASS", "suffix" or "ntdomain"
>   ... # modules before this point, they'll confuse things
>
>   if (User-Name =~ /^host\//) {
>     update control {
>       Proxy-To-Realm := THEREALM
>     }
>   }
>   ...
> }
>
> ...then FreeRadius will do the right thing.
>
> Out of interest, why do you want to proxy them? You are presumably aware
> that FreeRadius can, if correctly setup, perform the machine authentication
> itself?



-- 
Chidanand Gangur
Pune.


Re: 802.1x host/machine authentication

2010-10-21 Thread Phil Mayers

On 10/21/2010 08:55 AM, Chidanand Gangur wrote:

I have collected logs for full session of host authentication, log is
pasted below.

As mentioned in my previous mail I just want to proxy  the host
authentication request to the home server, is it possible?


You didn't mention that in your original email.

As I've said - the "host/foo" syntax is NOT an IPASS username. It may 
have the same format, but you do not want to process it using that realm.


If you want to proxy these requests, I would recommend doing the following:

 1. Define the realm you are proxying to in "proxy.conf"
 2. In "authorize", do the following:

authorize {
   ... # N.B do not have the "IPASS", "suffix" or "ntdomain"
   ... # modules before this point, they'll confuse things

   if (User-Name =~ /^host\//) {
     update control {
       Proxy-To-Realm := THEREALM
     }
   }
   ...
}

...then FreeRadius will do the right thing.

Out of interest, why do you want to proxy them? You are presumably aware 
that FreeRadius can, if correctly setup, perform the machine 
authentication itself?



Re: 802.1x host/machine authentication

2010-10-20 Thread Chidanand Gangur
Thanks Phil.
I am still not clear. I just want to proxy the host authentication request
to the actual RADIUS server, which is Microsoft AD. In such cases, what
configuration is required on the proxy server? Can it be done?

Well, I mentioned the realm type as IPASS, as the IPASS type is of the format
realm/username, as mentioned in the modules/realm file.

Henceforth I will post full logs.

Thanks,
Chidanand


On Wed, Oct 20, 2010 at 7:47 PM, Phil Mayers wrote:

> On 20/10/10 12:22, Chidanand Gangur wrote:
>
>> Hi,
>>
>> I have following setup
>>
>> where windows host  is connected to Cisco 2960  which is connected to
>> Microsoft AD via RADIUS proxy
>>
>> Windows host (XP SP3) -> Cisco 2960 -> freeRADIUS proxy (2.1.10) ->
>> Microsoft AD (2003)
>>
>> In the above setup user authentication goes fine. I am using PEAP v1
>> authentication.
>>
>> I am struggling hard to make host authentication successful.
>>
>> When the machine boots I see radius Access-Request with User-Name =
>> "host/radhost1.testad1.com" which
>> qualifies to IPASS type realm and searches for realm as "host" and
>> things do not work.
>>
>
> No - it's not an IPASS realm. You need to disable the IPASS module.
>
> host/machine.domain.com
>
> corresponds to:
>
> DOMAIN\machine$
>
> i.e. the machine account.
>
> The "mschap" module can expand this, for example if you have the
> "ntlm_auth" helper to authenticate MS-CHAP against a windows domain using
> samba as a helper:
>
> ntlm_auth = "... --username=%{mschap:User-Name} ..."
>
> ...will do the right thing.
>
>
>
>> Please point me to links/docs or give me pointer where/how to start.
>>
>
> Post the full debug output, not an edited version.
>
>
>  Wed Oct 20 07:27:48 2010 : Info: [eap] EAP Identity
>> Wed Oct 20 07:27:48 2010 : Info: [eap] processing type md5
>> Wed Oct 20 07:27:48 2010 : Debug: rlm_eap_md5: Issuing Challenge
>>
>
> This is EAP-MD5. You have not configured your windows client correctly.
> Configure it correctly for PEAP/MS-CHAP.
>



-- 
Chidanand Gangur
Pune.

Re: 802.1x host/machine authentication

2010-10-20 Thread Phil Mayers

On 20/10/10 12:22, Chidanand Gangur wrote:

Hi,

I have following setup

where windows host  is connected to Cisco 2960  which is connected to
Microsoft AD via RADIUS proxy

Windows host (XP SP3) -> Cisco 2960 -> freeRADIUS proxy (2.1.10) ->
Microsoft AD (2003)

In the above setup user authentication goes fine. I am using PEAP v1
authentication.

I am struggling hard to make host authentication successful.

When the machine boots I see radius Access-Request with User-Name =
"host/radhost1.testad1.com" which
qualifies to IPASS type realm and searches for realm as "host" and
things do not work.


No - it's not an IPASS realm. You need to disable the IPASS module.

host/machine.domain.com

corresponds to:

DOMAIN\machine$

i.e. the machine account.

The "mschap" module can expand this, for example if you have the 
"ntlm_auth" helper to authenticate MS-CHAP against a windows domain 
using samba as a helper:


ntlm_auth = "... --username=%{mschap:User-Name} ..."

...will do the right thing.



Please point me to links/docs or give me pointer where/how to start.


Post the full debug output, not an edited version.


Wed Oct 20 07:27:48 2010 : Info: [eap] EAP Identity
Wed Oct 20 07:27:48 2010 : Info: [eap] processing type md5
Wed Oct 20 07:27:48 2010 : Debug: rlm_eap_md5: Issuing Challenge


This is EAP-MD5. You have not configured your windows client correctly. 
Configure it correctly for PEAP/MS-CHAP.


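Phil's diagnosis ("This is EAP-MD5") can be read straight off the EAP-Message bytes that radiusd -X prints. The decoder below is an added example, not code from this thread or from the FreeRADIUS project; it parses a RADIUS EAP-Message attribute value as it appears in the debug output and summarises the EAP code and type. The sample hex values are copied from the debug logs quoted elsewhere in this thread (the labels on them are constructed).

```python
"""
EAP-Message decoder for FreeRADIUS debug output.

Added example; not code from the mailing-list thread or from FreeRADIUS.
The sample packets in SAMPLES are hex values copied from the debug logs
quoted in the thread; the labels are constructed.
"""
import struct

# EAP Code values (RFC 3748, section 4)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# EAP Type values relevant to this thread
EAP_TYPES = {
    1: "Identity",
    3: "Nak",
    4: "MD5-Challenge",
    13: "EAP-TLS",
    25: "PEAP",
    26: "EAP-MSCHAPv2",
}


def decode_eap_message(hex_value):
    """Parse one EAP-Message attribute value as printed by radiusd -X.

    Returns a dict with the EAP code, identifier, length and type plus a
    method-specific summary. Raises ValueError on a malformed or truncated
    packet so a clipped log line is not silently misread.
    """
    if hex_value.startswith("0x"):
        hex_value = hex_value[2:]
    raw = bytes.fromhex(hex_value)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    info = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (3, 4):
        return info  # Success/Failure carry no Type field
    if length < 5:
        raise ValueError("Request/Response needs a Type byte")
    eap_type, data = raw[4], raw[5:]
    info["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
    if eap_type == 1:
        # Identity: the rest of the packet is the peer's identity string
        info["identity"] = data.decode("utf-8", errors="replace")
    elif eap_type == 3:
        # Nak: the peer refuses the offered method and lists what it will do instead
        info["desired"] = [EAP_TYPES.get(t, f"unknown({t})") for t in data]
    elif eap_type == 4:
        # MD5-Challenge: Value-Size byte, the challenge, then an optional name
        if not data or len(data) < 1 + data[0]:
            raise ValueError("MD5-Challenge value truncated")
        info["challenge"] = data[1:1 + data[0]].hex()
    return info


def describe(hex_value):
    """One-line summary, handy when grepping a large debug log."""
    info = decode_eap_message(hex_value)
    parts = [f"{info['code']} id={info['id']} len={info['length']}"]
    if "type" in info:
        parts.append(info["type"])
    for key in ("identity", "desired", "challenge"):
        if key in info:
            parts.append(f"{key}={info[key]}")
    return " ".join(parts)


# Hex values copied from the debug logs quoted in this thread
SAMPLES = {
    "client Identity (2010-10-20 log)": "0x021a001e01686f73742f726164686f7374312e746573746164312e636f6d",
    "server challenge (2010-10-20 log)": "0x011b001604100675c546c11b2ad0f1a7341b757af909",
    "client Identity (2010-08-25 log)": "0x0202001301686f73742f6c61702d6d65643232",
    "client answer to that challenge (2010-08-25 log)": "0x020300060319",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label}: {describe(value)}")
```

The two logs differ in what happens after the server's opening MD5-Challenge (type 4): in the 2010-08-25 log the client answers with a Nak (type 3) naming type 25, PEAP, after which the server continues with EAP/peap, which is the normal start of a PEAP conversation. The decoder makes that exchange visible without counting bytes by hand.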

Re: 802.1x host/machine authentication

2010-10-20 Thread Chidanand Gangur
Hi,

Is it fine to do some jugglery with the User-Name and convert it to a format
that can be proxied to the home server?

Thanks,
Chidanand

On Wed, Oct 20, 2010 at 4:52 PM, Chidanand Gangur <
chidanand.gan...@gmail.com> wrote:

> Hi,
>
> I have following setup
>
> where windows host  is connected to Cisco 2960  which is connected to
> Microsoft AD via RADIUS proxy
>
> Windows host (XP SP3) -> Cisco 2960 -> freeRADIUS proxy (2.1.10) ->
> Microsoft AD (2003)
>
> In the above setup user authentication goes fine. I am using PEAP v1
> authentication.
>
> I am struggling hard to make host authentication successful.
>
> When the machine boots I see radius Access-Request with User-Name = "host/
> radhost1.testad1.com" which qualifies to IPASS type realm and searches for
> realm as "host" and things do not work.
>
> Please point me to links/docs or give me pointer where/how to start.
>
> rad_recv: Access-Request packet from host 192.168.6.200 port 1645, id=141,
> length=165
> User-Name = "host/radhost1.testad1.com"
> Service-Type = Framed-User
> Framed-MTU = 1500
> Called-Station-Id = "00-21-D7-00-51-89"
> Calling-Station-Id = "00-13-20-38-33-27"
> EAP-Message =
> 0x021a001e01686f73742f726164686f7374312e746573746164312e636f6d
> Message-Authenticator = 0x2deded3294b409a59441b3e5777a9a87
> NAS-Port-Type = Ethernet
> NAS-Port = 50009
> NAS-IP-Address = 192.168.6.200
> Wed Oct 20 07:27:48 2010 : Info: # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/default
> Wed Oct 20 07:27:48 2010 : Info: +- entering group authorize {...}
> Wed Oct 20 07:27:48 2010 : Info: ++[preprocess] returns ok
> Wed Oct 20 07:27:48 2010 : Info: ++[chap] returns noop
> Wed Oct 20 07:27:48 2010 : Info: ++[mschap] returns noop
> Wed Oct 20 07:27:48 2010 : Info: [IPASS] Looking up realm "host" for
> User-Name = "host/radhost1.testad1.com"
> Wed Oct 20 07:27:48 2010 : Info: [IPASS] Found realm "DEFAULT"
> Wed Oct 20 07:27:48 2010 : Info: [IPASS] Adding Stripped-User-Name = "
> radhost1.testad1.com"
> Wed Oct 20 07:27:48 2010 : Info: [IPASS] Adding Realm = "DEFAULT"
> Wed Oct 20 07:27:48 2010 : Info: [IPASS] Authentication realm is LOCAL.
> Wed Oct 20 07:27:48 2010 : Info: ++[IPASS] returns ok
> Wed Oct 20 07:27:48 2010 : Info: [suffix] Request already proxied.
> Ignoring.
> Wed Oct 20 07:27:48 2010 : Info: ++[suffix] returns ok
> Wed Oct 20 07:27:48 2010 : Info: [ntdomain] Request already proxied.
> Ignoring.
> Wed Oct 20 07:27:48 2010 : Info: ++[ntdomain] returns ok
> Wed Oct 20 07:27:48 2010 : Info: [realmpercent] Request already proxied.
> Ignoring.
> Wed Oct 20 07:27:48 2010 : Info: ++[realmpercent] returns ok
> Wed Oct 20 07:27:48 2010 : Info: [eap] EAP packet type response id 26
> length 30
> Wed Oct 20 07:27:48 2010 : Info: [eap] No EAP Start, assuming it's an
> on-going EAP conversation
> Wed Oct 20 07:27:48 2010 : Info: ++[eap] returns updated
> Wed Oct 20 07:27:48 2010 : Info: ++[unix] returns notfound
> Wed Oct 20 07:27:48 2010 : Info: ++[files] returns noop
> Wed Oct 20 07:27:48 2010 : Info: ++[expiration] returns noop
> Wed Oct 20 07:27:48 2010 : Info: ++[logintime] returns noop
> Wed Oct 20 07:27:48 2010 : Info: [pap] WARNING! No "known good" password
> found for the user. Authentication may fail because of this.
> Wed Oct 20 07:27:48 2010 : Info: ++[pap] returns noop
> Wed Oct 20 07:27:48 2010 : Info: Found Auth-Type = EAP
> Wed Oct 20 07:27:48 2010 : Info: # Executing group from file
> /usr/local/etc/raddb/sites-enabled/default
> Wed Oct 20 07:27:48 2010 : Info: +- entering group authenticate {...}
> Wed Oct 20 07:27:48 2010 : Info: [eap] EAP Identity
> Wed Oct 20 07:27:48 2010 : Info: [eap] processing type md5
> Wed Oct 20 07:27:48 2010 : Debug: rlm_eap_md5: Issuing Challenge
> Wed Oct 20 07:27:48 2010 : Info: ++[eap] returns handled
> Sending Access-Challenge of id 141 to 192.168.6.200 port 1645
> EAP-Message = 0x011b001604100675c546c11b2ad0f1a7341b757af909
> Message-Authenticator = 0x
> State = 0x6d4e1d1a6d5519217cdc7f95e535c25b
> Wed Oct 20 07:27:48 2010 : Info: Finished request 48.
> Wed Oct 20 07:27:48 2010 : Debug: Going to the next request
> Wed Oct 20 07:27:48 2010 : Debug: Waking up in 4.9 seconds.
>
>
> Thanks & Regards
>
> --
> Chidanand Gangur
> Pune.
>



-- 
Chidanand Gangur
Pune.

Re: 802.1x host/machine authentication

2010-10-20 Thread James S. Smith
This isn't a comment on FreeRadius, but in our recent experience with 802.1x 
and Windows XP clients it was a total waste of time. The built-in XP dot1x 
client is not up to the job. We had contractors in trying to make it work and 
everything was perfect on the network setup. In the end, Windows XP simply had 
issues authenticating 100% of the time (probably closer to 65%). When you do 
get it to authenticate properly you'll run into problems with anyone else doing 
an RDP to the Windows server (say your helpdesk folks) because 
re-authentication will kick in and drop the connection.

Your best bets are: Windows 7 for the improved dot1x client; scrap dot1x and do 
port-based access-lists; do VMPS with FreeRadius.


From: freeradius-users-bounces+jsmith=windmobile...@lists.freeradius.org 

To: FreeRadius users mailing list 
Sent: Wed Oct 20 07:22:56 2010
Subject: 802.1x host/machine authentication

Hi,

I have following setup

where windows host  is connected to Cisco 2960  which is connected to Microsoft 
AD via RADIUS proxy

Windows host (XP SP3) -> Cisco 2960 -> freeRADIUS proxy (2.1.10) -> Microsoft 
AD (2003)

In the above setup user authentication goes fine. I am using PEAP v1 
authentication.

I am struggling hard to make host authentication successful.

When the machine boots I see radius Access-Request with User-Name = 
"host/radhost1.testad1.com" which qualifies to 
IPASS type realm and searches for realm as "host" and things do not work.

Please point me to links/docs or give me pointer where/how to start.

rad_recv: Access-Request packet from host 192.168.6.200 port 1645, id=141, 
length=165
User-Name = "host/radhost1.testad1.com"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-21-D7-00-51-89"
Calling-Station-Id = "00-13-20-38-33-27"
EAP-Message = 0x021a001e01686f73742f726164686f7374312e746573746164312e636f6d
Message-Authenticator = 0x2deded3294b409a59441b3e5777a9a87
NAS-Port-Type = Ethernet
NAS-Port = 50009
NAS-IP-Address = 192.168.6.200
Wed Oct 20 07:27:48 2010 : Info: # Executing section authorize from file 
/usr/local/etc/raddb/sites-enabled/default
Wed Oct 20 07:27:48 2010 : Info: +- entering group authorize {...}
Wed Oct 20 07:27:48 2010 : Info: ++[preprocess] returns ok
Wed Oct 20 07:27:48 2010 : Info: ++[chap] returns noop
Wed Oct 20 07:27:48 2010 : Info: ++[mschap] returns noop
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Looking up realm "host" for User-Name 
= "host/radhost1.testad1.com"
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Found realm "DEFAULT"
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Adding Stripped-User-Name = 
"radhost1.testad1.com"
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Adding Realm = "DEFAULT"
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Authentication realm is LOCAL.
Wed Oct 20 07:27:48 2010 : Info: ++[IPASS] returns ok
Wed Oct 20 07:27:48 2010 : Info: [suffix] Request already proxied. Ignoring.
Wed Oct 20 07:27:48 2010 : Info: ++[suffix] returns ok
Wed Oct 20 07:27:48 2010 : Info: [ntdomain] Request already proxied. Ignoring.
Wed Oct 20 07:27:48 2010 : Info: ++[ntdomain] returns ok
Wed Oct 20 07:27:48 2010 : Info: [realmpercent] Request already proxied. 
Ignoring.
Wed Oct 20 07:27:48 2010 : Info: ++[realmpercent] returns ok
Wed Oct 20 07:27:48 2010 : Info: [eap] EAP packet type response id 26 length 30
Wed Oct 20 07:27:48 2010 : Info: [eap] No EAP Start, assuming it's an on-going 
EAP conversation
Wed Oct 20 07:27:48 2010 : Info: ++[eap] returns updated
Wed Oct 20 07:27:48 2010 : Info: ++[unix] returns notfound
Wed Oct 20 07:27:48 2010 : Info: ++[files] returns noop
Wed Oct 20 07:27:48 2010 : Info: ++[expiration] returns noop
Wed Oct 20 07:27:48 2010 : Info: ++[logintime] returns noop
Wed Oct 20 07:27:48 2010 : Info: [pap] WARNING! No "known good" password found 
for the user. Authentication may fail because of this.
Wed Oct 20 07:27:48 2010 : Info: ++[pap] returns noop
Wed Oct 20 07:27:48 2010 : Info: Found Auth-Type = EAP
Wed Oct 20 07:27:48 2010 : Info: # Executing group from file 
/usr/local/etc/raddb/sites-enabled/default
Wed Oct 20 07:27:48 2010 : Info: +- entering group authenticate {...}
Wed Oct 20 07:27:48 2010 : Info: [eap] EAP Identity
Wed Oct 20 07:27:48 2010 : Info: [eap] processing type md5
Wed Oct 20 07:27:48 2010 : Debug: rlm_eap_md5: Issuing Challenge
Wed Oct 20 07:27:48 2010 : Info: ++[eap] returns handled
Sending Access-Challenge of id 141 to 192.168.6.200 port 1645
EAP-Message = 0x011b001604100675c546c11b2ad0f1a7341b757af909
Message-Authenticator = 0x
State = 0x6d4e1d1a6d5519217cdc7f95e535c25b
Wed Oct 20 07:27:48 2010 : Info: Finished request 48.
Wed Oct 20 07:27:48 2010 : Debug: Going to the next re

802.1x host/machine authentication

2010-10-20 Thread Chidanand Gangur
Hi,

I have following setup

where windows host  is connected to Cisco 2960  which is connected to
Microsoft AD via RADIUS proxy

Windows host (XP SP3) -> Cisco 2960 -> freeRADIUS proxy (2.1.10) ->
Microsoft AD (2003)

In the above setup user authentication goes fine. I am using PEAP v1
authentication.

I am struggling hard to make host authentication successful.

When the machine boots I see radius Access-Request with User-Name = "host/
radhost1.testad1.com" which qualifies to IPASS type realm and searches for
realm as "host" and things do not work.

Please point me to links/docs or give me pointer where/how to start.

rad_recv: Access-Request packet from host 192.168.6.200 port 1645, id=141,
length=165
User-Name = "host/radhost1.testad1.com"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-21-D7-00-51-89"
Calling-Station-Id = "00-13-20-38-33-27"
EAP-Message = 0x021a001e01686f73742f726164686f7374312e746573746164312e636f6d
Message-Authenticator = 0x2deded3294b409a59441b3e5777a9a87
NAS-Port-Type = Ethernet
NAS-Port = 50009
NAS-IP-Address = 192.168.6.200
Wed Oct 20 07:27:48 2010 : Info: # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
Wed Oct 20 07:27:48 2010 : Info: +- entering group authorize {...}
Wed Oct 20 07:27:48 2010 : Info: ++[preprocess] returns ok
Wed Oct 20 07:27:48 2010 : Info: ++[chap] returns noop
Wed Oct 20 07:27:48 2010 : Info: ++[mschap] returns noop
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Looking up realm "host" for
User-Name = "host/radhost1.testad1.com"
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Found realm "DEFAULT"
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Adding Stripped-User-Name = "
radhost1.testad1.com"
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Adding Realm = "DEFAULT"
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Authentication realm is LOCAL.
Wed Oct 20 07:27:48 2010 : Info: ++[IPASS] returns ok
Wed Oct 20 07:27:48 2010 : Info: [suffix] Request already proxied. Ignoring.
Wed Oct 20 07:27:48 2010 : Info: ++[suffix] returns ok
Wed Oct 20 07:27:48 2010 : Info: [ntdomain] Request already proxied.
Ignoring.
Wed Oct 20 07:27:48 2010 : Info: ++[ntdomain] returns ok
Wed Oct 20 07:27:48 2010 : Info: [realmpercent] Request already proxied.
Ignoring.
Wed Oct 20 07:27:48 2010 : Info: ++[realmpercent] returns ok
Wed Oct 20 07:27:48 2010 : Info: [eap] EAP packet type response id 26 length
30
Wed Oct 20 07:27:48 2010 : Info: [eap] No EAP Start, assuming it's an
on-going EAP conversation
Wed Oct 20 07:27:48 2010 : Info: ++[eap] returns updated
Wed Oct 20 07:27:48 2010 : Info: ++[unix] returns notfound
Wed Oct 20 07:27:48 2010 : Info: ++[files] returns noop
Wed Oct 20 07:27:48 2010 : Info: ++[expiration] returns noop
Wed Oct 20 07:27:48 2010 : Info: ++[logintime] returns noop
Wed Oct 20 07:27:48 2010 : Info: [pap] WARNING! No "known good" password
found for the user. Authentication may fail because of this.
Wed Oct 20 07:27:48 2010 : Info: ++[pap] returns noop
Wed Oct 20 07:27:48 2010 : Info: Found Auth-Type = EAP
Wed Oct 20 07:27:48 2010 : Info: # Executing group from file
/usr/local/etc/raddb/sites-enabled/default
Wed Oct 20 07:27:48 2010 : Info: +- entering group authenticate {...}
Wed Oct 20 07:27:48 2010 : Info: [eap] EAP Identity
Wed Oct 20 07:27:48 2010 : Info: [eap] processing type md5
Wed Oct 20 07:27:48 2010 : Debug: rlm_eap_md5: Issuing Challenge
Wed Oct 20 07:27:48 2010 : Info: ++[eap] returns handled
Sending Access-Challenge of id 141 to 192.168.6.200 port 1645
EAP-Message = 0x011b001604100675c546c11b2ad0f1a7341b757af909
Message-Authenticator = 0x
State = 0x6d4e1d1a6d5519217cdc7f95e535c25b
Wed Oct 20 07:27:48 2010 : Info: Finished request 48.
Wed Oct 20 07:27:48 2010 : Debug: Going to the next request
Wed Oct 20 07:27:48 2010 : Debug: Waking up in 4.9 seconds.


Thanks & Regards

-- 
Chidanand Gangur
Pune.

Re: AD authentication issue with machine authentication

2010-10-20 Thread Phil Mayers

On 10/19/2010 10:37 PM, Cannady, Mike wrote:


Our AD (2003) setup has the domain name as "htc.com".  The pre-windows
2000 domain name is "HORRY".


Uh oh. Then I think you're going to have problems. ntlm_auth when it 
expands %{mschap:NT-Domain} assumes that the username will be of the form:


host/machinename.prewin2kname.domain.com

That is, that the downlevel domain is the first component of the new 
domain. You can either hardcode the domain, or write some unlang/regexp 
to extract the domain yourself e.g.


if (User-Name =~ /host\/([^.]+)\.(.+)/) {
  update request {
    User-Name = "%{1}$"
    Tmp-String-0 = "%{2}"
  }
  if (Tmp-String-0 =~ /.*\.htc\.com/i) {
    update config {
      My-Mschap-Domain := "HTC.COM"
    }
  }
}

...and set your ntlm_auth command to contain:

  ... --domain=%{%{My-Mschap-Domain}:-%{mschap:NT-Domain}}

...making sure to define the My-Mschap-Domain in /etc/raddb/dictionary:

ATTRIBUTE My-Mschap-Domain 3000 string

TBH I'm not sure what the "right" approach for FreeRadius to take is. 
It's possible for the host/name syntax to contain lots of stuff e.g. DNS 
names which are children of (or completely unrelated to) either the 
downlevel or win2k-style domain. Short of hard-coding the domain or 
doing something like above, it's difficult to see how FreeRadius could 
handle this. I wonder what Microsoft NPS does?


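Phil's two explanations in this thread fit together: a machine authenticating as host/machine.domain.com is the DOMAIN\machine$ computer account, and the downlevel (NetBIOS) domain that ntlm_auth needs cannot in general be derived from the DNS name, which is why "htc" is guessed where "HORRY" is required. The following Python is an added example, not code from the thread, from rlm_mschap or from FreeRADIUS; it shows that mapping, the guess that fails, and the override table that stands in for Phil's hard-coded unlang. It also generalises Chidanand's if/elsif realm selection to a suffix match over a list. DOWNLEVEL_OVERRIDES and HOME_REALMS are constructed from the domain names given in the thread; the function names are mine.

```python
"""
Mapping a Windows machine identity to its AD account and NetBIOS domain.

Added example; not code from the thread, rlm_mschap or FreeRADIUS. It
mirrors in plain Python what Phil Mayers describes: host/<fqdn> is the
DOMAIN\\<hostname>$ computer account, and the downlevel domain has to be
configured, not derived. DOWNLEVEL_OVERRIDES and HOME_REALMS are
constructed from the domains named in the thread.
"""
import re

# Same shape as Phil's unlang regex: host/<hostname>[.<dns-domain>]
HOST_RE = re.compile(r"^host/([^./]+)(?:\.(.+))?$", re.IGNORECASE)

# Site knowledge that must be configured: Mike's AD has the DNS name htc.com
# and the pre-Windows-2000 name HORRY (from his message).
DOWNLEVEL_OVERRIDES = {"htc.com": "HORRY"}

# Home realms a proxy forwards to: Chidanand's two home servers (from his message)
HOME_REALMS = ["testad1.com", "si-test.dssc.com"]


def machine_account(user_name):
    """Return (sAMAccountName, dns_domain) for a host/ identity, else None.

    'host/radhost1.testad1.com' -> ('radhost1$', 'testad1.com')
    'host/lap-med22'            -> ('lap-med22$', None)
    'jmctest@htc.com'           -> None  (a user login, not a machine)
    """
    m = HOST_RE.match(user_name)
    if not m:
        return None
    hostname, dns_domain = m.group(1), m.group(2)
    return hostname + "$", (dns_domain.lower() if dns_domain else None)


def downlevel_domain(dns_domain, overrides=None):
    """NetBIOS domain to hand to ntlm_auth --domain=.

    Without an override this takes the first DNS label, which is what the
    thread says %{mschap:NT-Domain} does; for htc.com that yields 'HTC',
    the lookup Mike saw fail because the real downlevel name is HORRY.
    The override table is the configured fix Phil sketches in unlang.
    """
    overrides = DOWNLEVEL_OVERRIDES if overrides is None else overrides
    if not dns_domain:
        return None
    dns_domain = dns_domain.lower()
    if dns_domain in overrides:
        return overrides[dns_domain]
    return dns_domain.split(".")[0].upper()


def ntlm_auth_params(user_name, overrides=None):
    """--username/--domain values for a machine login, or None for non-host names."""
    acct = machine_account(user_name)
    if acct is None:
        return None
    sam, dns_domain = acct
    return {"username": sam, "domain": downlevel_domain(dns_domain, overrides)}


def proxy_realm(user_name, home_realms=None):
    """Pick the home realm for a host/ login by longest matching DNS suffix.

    Generalises Chidanand's if/elsif chain: adding a realm is a list entry
    rather than another branch. Returns None when nothing matches, so an
    unknown machine stays local instead of being proxied somewhere arbitrary.
    """
    realms = HOME_REALMS if home_realms is None else home_realms
    acct = machine_account(user_name)
    if acct is None or acct[1] is None:
        return None
    dns_domain = acct[1]
    best = None
    for realm in realms:
        r = realm.lower()
        if dns_domain == r or dns_domain.endswith("." + r):
            if best is None or len(r) > len(best):
                best = r
    return best


if __name__ == "__main__":
    for name in ("host/radhost1.testad1.com", "host/pcname.htc.com",
                 "host/lap-med22", "jmctest@htc.com"):
        print(name, "->", ntlm_auth_params(name), "realm:", proxy_realm(name))
```

The point to carry back into the FreeRADIUS configuration is the shape of downlevel_domain: the first-label guess is only a fallback, and anything that matters should come from an explicit table, which is exactly what the %{%{My-Mschap-Domain}:-%{mschap:NT-Domain}} expansion above expresses.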

AD authentication issue with machine authentication

2010-10-19 Thread Cannady, Mike
I'm having a problem with XP (and windows 7) machine authentication from
a Procurve switch (802.1x and eap-radius) and the supplicant using PEAP
to an AD domain.  The FreeRadius version is 2.1.7.

My configuration works for the following style authentication requests:
   jmct...@htc.com
   horry\jmctest

but doesn't work for the machine login of the following form:
host/pcname.htc.com

From the output of "radiusd -X", it thinks the domain is "htc" and the
authentication fails since there is no "htc" domain (there is a
"htc.com").  I verified that the "HTC" domain doesn't work using
ntlm_auth.  "horry" and "htc.com" do work.

Our AD (2003) setup has the domain name as "htc.com".  The pre-windows
2000 domain name is "HORRY".

As a test, I changed the mschap ntlm_auth  "--domain" parameter from
"--domain=%{mschap:NT-Domain}" to "--domain=HORRY" and it worked in all
three cases.  I'm not comfortable with this fix.  

How can I make the "htc" one work without hard-coding the HORRY domain?
If the mschap module would have returned the full domain name, I
wouldn't have this problem.

Thanks for any assistance!


My smb.conf file:
[global]
workgroup = HORRY
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 50
security = ads
realm = HTC.COM
load printers = yes
cups options = raw

[homes]
comment = Home Directories
browseable = no
writable = yes

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes


My krb5.conf file:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = HTC.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 HTC.COM = {
  admin_server = htcaddc01.htc.com:749
  default_domain = htc.com
 }

[domain_realm]
 .htc.com = HTC.COM
 htc.com = HTC.COM
 htc= HTC.COM

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
 pkinit = {
   allow_pkinit = false
 }


Radiusd -x output:
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/ldap
including configuration file
/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/pam
including con

Re: windows7 machine authentication solved

2010-08-26 Thread alois blasbichler

Hello

Thank you all for the tips; one put me in the right direction:
"keeping in mind that SSIDs ARE case sensitive."

And this was my problem: I created a wireless LAN on the laptop
with the wrong case, so Windows ignored this one and always used the
default settings.


So it was not a RADIUS problem!

Thanks and bye

luis




Re: windows7 machine authentication

2010-08-25 Thread rrperez
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 54 to 10.53.240.10 port 32769
>  EAP-Message =  
> 0x010700bf19003d27993820693a246572680ce31e26e01560ed876cefb1fb622ad56b2d329c800af4ce229afce81561597ef797cbc618308623af786a5dc8e9594168f283c10464d91b3fb37d9d97f55380fb67c04e759705f3f158d6753467f9f2afc201119071697daea6dc83396f5b41d08c740c7891bc6c8dbbccdd4e7fcf37ab63faac552fe972d3dfed0dd0688f2a2217ad437eb3e45bdd44079a9f954095ab6143353e9398c2b57b1dcc7c1d325d308d38158816030100040e00
>  Message-Authenticator = 0x
>  State = 0xa4b56f0aa0b276a726c3f3167b686aac
> Finished request 4.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 10.53.240.10 port 32769,  
> id=55, length=205
>  User-Name = "host/lap-med22"
>  Calling-Station-Id = "70-F1-A1-49-50-41"
>  Called-Station-Id = "00-0B-85-95-70-80:Info"
>  NAS-Port = 29
>  NAS-IP-Address = 10.53.240.10
>  NAS-Identifier = "WS4404_Pri"
>  Airespace-Wlan-Id = 3
>  Service-Type = Framed-User
>  Framed-MTU = 1300
>  NAS-Port-Type = Wireless-802.11
>  Tunnel-Type:0 = VLAN
>  Tunnel-Medium-Type:0 = IEEE-802
>  Tunnel-Private-Group-Id:0 = "156"
>  EAP-Message = 0x02070011198715030100020230
>  State = 0xa4b56f0aa0b276a726c3f3167b686aac
>  Message-Authenticator = 0xf43e6a6a20f23d5df0a151325c5d1711
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "host/lap-med22", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 7 length 17
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
>TLS Length 7
> [peap] Length Included
> [peap] eaptls_verify returned 11
> [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert read:fatal:unknown CA
>  TLS_accept:failed in SSLv3 read client certificate A
> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1  
> alert unknown ca
> SSL: SSL_read failed inside of TLS (-1), TLS session fails.
> TLS receive handshake failed during operation
> [peap] eaptls_process returned 4
> [peap] EAPTLS_OTHERS
> [eap] Handler failed in EAP/peap
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.
> Login incorrect: [host/lap-med22] (from client ciscosw port 29 cli  
> 70-F1-A1-49-50-41)
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> host/lap-med22
>   attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 5 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 5
> Sending Access-Reject of id 55 to 10.53.240.10 port 32769
>  EAP-Message = 0x04070004
>  Message-Authenticator = 0x
> Waking up in 3.9 seconds.
> Cleaning up request 0 ID 50 with timestamp +9
> Cleaning up request 1 ID 51 with timestamp +9
> Cleaning up request 2 ID 52 with timestamp +9
> Cleaning up request 3 ID 53 with timestamp +9
> Cleaning up request 4 ID 54 with timestamp +9
> Waking up in 1.0 seconds.
> Cleaning up request 5 ID 55 with timestamp +9
> Ready to process requests.
> 
> 
> 
> 
> 
> 
> 
> 



Re: windows7 machine authentication

2010-08-25 Thread alois blasbichler

Hello list

Thank you for all the hints.
I have created a new certificate and installed the ca.der on my laptop.
I also upgraded my freeradius to the latest version, 2.1.9,
but no luck; I always get the same error.

What can I do?
Maybe it's a configuration problem?


Below is my full log

Bye, luis




rad_recv: Access-Request packet from host 10.53.240.10 port 32769,  
id=50, length=189

User-Name = "host/lap-med22"
Calling-Station-Id = "70-F1-A1-49-50-41"
Called-Station-Id = "00-0B-85-95-70-80:Info"
NAS-Port = 29
NAS-IP-Address = 10.53.240.10
NAS-Identifier = "WS4404_Pri"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "156"
EAP-Message = 0x0202001301686f73742f6c61702d6d65643232
Message-Authenticator = 0x4d6e3ece3717885ed203938b4b177a2c
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/lap-med22", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 19
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++? if (NAS-IP-Address == 10.53.240.10 && !Service-Type)
? Evaluating (NAS-IP-Address == 10.53.240.10 ) -> TRUE
? Evaluating !(Service-Type) -> FALSE
++? if (NAS-IP-Address == 10.53.240.10 && !Service-Type) -> FALSE
++? if (NAS-IP-Address == 10.53.240.12 && !Service-Type)
? Evaluating (NAS-IP-Address == 10.53.240.12 ) -> FALSE
? Skipping (Service-Type)
++? if (NAS-IP-Address == 10.53.240.12 && !Service-Type) -> FALSE
++? if (NAS-IP-Address != 10.53.240.1)
? Evaluating (NAS-IP-Address != 10.53.240.1) -> TRUE
++? if (NAS-IP-Address != 10.53.240.1) -> TRUE
++- entering if (NAS-IP-Address != 10.53.240.1) {...}
[ldap-switch] performing user authorization for host/lap-med22
[ldap-switch] WARNING: Deprecated conditional expansion ":-".  See  
"man unlang" for details

[ldap-switch]   ... expanding second conditional
[ldap-switch]   expand: %{User-Name} -> host/lap-med22
[ldap-switch]   expand: (uid=%{Stripped-User-Name:-%{User-Name}}) ->  
(uid=host/lap-med22)
[ldap-switch]   expand: ou=users,dc=sb-brixen,dc=it ->  
ou=users,dc=sb-brixen,dc=it

  [ldap-switch] ldap_get_conn: Checking Id: 0
  [ldap-switch] ldap_get_conn: Got Id: 0
  [ldap-switch] attempting LDAP reconnection
  [ldap-switch] (re)connect to titan:389, authentication 0
  [ldap-switch] bind as uid=cyrus,dc=sb-brixen,dc=it/niko2006 to titan:389
  [ldap-switch] waiting for bind result ...
  [ldap-switch] Bind was successful
  [ldap-switch] performing search in ou=users,dc=sb-brixen,dc=it,  
with filter (uid=host/lap-med22)

  [ldap-switch] object not found
[ldap-switch] search failed
  [ldap-switch] ldap_release_conn: Release Id: 0
+++[ldap-switch] returns notfound
++- if (NAS-IP-Address != 10.53.240.1) returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.

++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 50 to 10.53.240.10 port 32769
EAP-Message = 0x0103001604109802abd36e067bc4f583f77e64d7fd78
Message-Authenticator = 0x
State = 0xa4b56f0aa4b66ba726c3f3167b686aac
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.53.240.10 port 32769, id=51, length=194

User-Name = "host/lap-med22"
Calling-Station-Id = "70-F1-A1-49-50-41"
Called-Station-Id = "00-0B-85-95-70-80:Info"
NAS-Port = 29
NAS-IP-Address = 10.53.240.10
NAS-Identifier = "WS4404_Pri"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "156"
EAP-Message = 0x020300060319
State = 0xa4b56f0aa4b66ba726c3f3167b686aac
Message-Authenticator = 0x235cc52e5b1a1f50911c8fa4f061e070
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/lap-med22", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++? if (NAS-IP-Address == 10.53.240.10 && !Service-Type)
? Evaluating (NAS-IP-Address == 1

Re: windows7 machine authentication

2010-08-24 Thread Alan Buxey
Hi,

> So far all worked ok till windows 7.
> 
> If I need I can create a server certificate and import this on my
> clients but I don't want to use "client certificates".

you don't need to - you just need the CA that the server was signed with to
be on your Win7 clients

> so Windows 7 works with EAP-TLS and PEAP only with a server certificate?

same as winXP, vista... heck even win2k with SP4

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: windows7 machine authentication

2010-08-24 Thread John Dennis

On 08/24/2010 11:09 AM, alois blasbichler wrote:

My situation is :

I don't want user certificates


Nobody said anything about user certificates. The situation is no 
different than any other SSL server, if the cert presented by the server 
is not signed by a CA trusted by the client it *should* be rejected, 
this is identical to what happens with a web browser.


--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: windows7 machine authentication

2010-08-24 Thread alois blasbichler

Hello

My situation is :

I don't want user certificates for the clients to authenticate.
I configure my freeradius so that only laptops in my domain can log in to
my wireless - safe enough - so all private laptops and strange
laptops don't enter my network. Only laptops that an Administrator
connects to the domain can log in.


So far all worked ok till windows 7.

If I need I can create a server certificate and import this on my
clients but I don't want to use "client certificates".


So Windows 7 works with EAP-TLS and PEAP only with a server certificate?
Can you give me some link where I can read how to configure Win7 for WLAN?

Bye
luis






-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: windows7 machine authentication

2010-08-24 Thread Sallee, Stephen (Jake)
> I don't use certificates either on the server or on the
> client side.
> I read on the internet that Windows 7 should also work without
> certificates - is that true?

Strictly speaking this is actually true. However! You need to understand
what is happening:

1) Win7 will not connect to a wireless network that is secured with a
certificate-enabled protocol without some prior configuration, period.
This means that if you set up an AP using 802.1x with FreeRADIUS
(or any server) as your AAA server, your Windows 7 (and Vista AFAIK)
WILL NOT authenticate successfully unless you specifically configure the
client to do so.  Gone are the days of click-through protected WiFi
setups in Windows.
I have purchased a cert from Thawte hoping that my clients will
trust it and allow the connection without manually touching each machine,
but alas, no.

2) Once correctly configured (depending on the auth protocol you are
using) the client will accept the server's cert (the reason the auth is
failing now) and send back its own cert for the server to inspect (if
needed by the protocol).

So, you ARE using certs. Did you install them? No.  Is that a problem?
Yes.  When working with certs you should ALWAYS know them inside and
out; they are your digital identity, and they do incur some legal
implications.

If you need assistance configuring the windows clients to accept the
cert the server is sending, meet me on the IRC channel.  That is really
not a discussion for the list. ; )

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221


-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of alois blasbichler
Sent: Tuesday, August 24, 2010 9:20 AM
To: freeradius-users@lists.freeradius.org
Subject: windows7 machine authentication

Hello list

We use freeradius with OpenLDAP and machine authentication
(samba PCs) for years with success.
Windows XP and Vista clients work fine.
Now I wanted to authenticate a Windows 7 laptop and I get the following
errors:

[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 12 length 19
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop


and then

[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 7
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept:failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4


I don't use certificates either on the server or on the client
side.
I read on the internet that Windows 7 should also work without
certificates - is that true?


What can be the problem?
Do you need more debug output?

Thank you and bye

luis


-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: windows7 machine authentication

2010-08-24 Thread alois blasbichler

Now I wanted to authenticate a Windows 7 laptop and I get the following
errors:

...

[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept:failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.


  The laptop MUST have the CA certificate on it.



Thank you for the quick answer

One other question: my Windows XP and Vista clients also use EAP-TLS
and PEAP but I never have imported a certificate.


Did they import this automatically, which Windows 7 doesn't, or are they
working without a certificate?


Bye
luis






-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: windows7 machine authentication

2010-08-24 Thread Phil Mayers

On 24/08/10 15:19, alois blasbichler wrote:

Hello list

We use freeradius with OpenLDAP and machine authentication
(samba PCs) for years with success.
Windows XP and Vista clients work fine.
Now I wanted to authenticate a Windows 7 laptop and I get the
following errors:

[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 12 length 19
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop


and then

[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 7
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]<<<  TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
  TLS_accept:failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4


I don't use certificates either on the server or on the client side.


Yes you do. PEAP requires a server cert.


I read on the internet that Windows 7 should also work without
certificates - is that true?


No it is not.




What can be the problem?


The clients don't know the server CA.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: windows7 machine authentication

2010-08-24 Thread Alan DeKok
alois blasbichler wrote:
> Now I wanted to authenticate a Windows 7 laptop and I get the following
> errors:
...
> [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert read:fatal:unknown CA
> TLS_accept:failed in SSLv3 read client certificate A
> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
> alert unknown ca
> SSL: SSL_read failed inside of TLS (-1), TLS session fails.

  The laptop MUST have the CA certificate on it.

http://deployingradius.com/documents/configuration/ca_import.html

> I don't use certificates either on the server

  Nonsense.  EAP-TLS and PEAP require a server certificate.

> or on the client
> side.

 Which is why it's failing.

> I read on the internet that Windows 7 should also work without
> certificates - is that true?

  No.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


windows7 machine authentication

2010-08-24 Thread alois blasbichler

Hello list

We use freeradius with OpenLDAP and machine authentication
(samba PCs) for years with success.

Windows XP and Vista clients work fine.
Now I wanted to authenticate a Windows 7 laptop and I get the
following errors:


[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 12 length 19
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop


and then

[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 7
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept:failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1  
alert unknown ca

SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4


I don't use certificates either on the server or on the client side.
I read on the internet that Windows 7 should also work without
certificates - is that true?



What can be the problem?
Do you need more debug output?

Thank you and bye

luis


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: 802.1x machine authentication ads peap domainname

2009-01-29 Thread orzeh
Wow!
It's working great!!!
Tests with two instances for now are working - thanks a lot!
I must do more tests but it seems this is the way!

regards!
Lukasz


2009/1/29  :
>>I'm not splitting user name from realm (well, I don't know); below is
>>an example with NT-Domain expand (not working for host/host.domain.local
>>EAP/PEAP, but PPP authorization works from all domains: User-Name is
>>DOMAIN\\user and the domain is correctly expanded; it works also with
>>OTHERDOMAIN\\otheruser - another trusted ADS domain)
>>
>>
>>server inner-tunnel {
>>+- entering group authorize
>>++[chap] returns noop
>>++[mschap] returns noop
>>++[unix] returns notfound
>>rlm_realm: No '@' in User-Name = "host/somehost.domain.local",
>>looking up realm NULL
>>rlm_realm: No such realm "NULL"
>>++[suffix] returns noop
>>++[control] returns noop
>>  rlm_eap: EAP packet type response id 9 length 89
>>  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>>++[eap] returns updated
>>++[files] returns noop
>>++[expiration] returns noop
>>++[logintime] returns noop
>>++[pap] returns noop
>>  rad_check_password:  Found Auth-Type EAP
>>auth: type "EAP"
>>+- entering group authenticate
>>  rlm_eap: Request found, released from the list
>>  rlm_eap: EAP/mschapv2
>>  rlm_eap: processing type mschapv2
>>+- entering group MS-CHAP
>>  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
>>  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
>>  rlm_mschap: Told to do MS-CHAPv2 for host/somehost.domain.local with
>>NT-Password
>>   expand: --username=%{mschap:User-Name:-None} -> --username=somehost$
>>   expand: --domain=%{mschap:NT-Domain:-DOMAIN} -> --domain=domain <--- 
>> here
>> mschap2: fa
>>   expand: --challenge=%{mschap:Challenge:-00} -> 
>> --challenge=19601d7be2fx
>>   expand: --nt-response=%{mschap:NT-Response:-00} ->
>>--nt-response=3a04766fxxxbfaedba4977c0xxx
>>Exec-Program output: Logon failure (0xc06d)
>>Exec-Program-Wait: plaintext: Logon failure (0xc06d)
>>Exec-Program: returned: 1
>>  rlm_mschap: External script failed.
>>  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>>++[mschap] returns reject
>>
>>
>>and here is an example without NT-Domain expand for ntlm_auth (it is
>>working well only for "domain.local" and "DOMAIN\\user" but not for
>>trusted OTHERDOMAIN\\otheruser):
>>
>>
>>server inner-tunnel {
>>+- entering group authorize
>>++[chap] returns noop
>>++[mschap] returns noop
>>++[unix] returns notfound
>>rlm_realm: No '@' in User-Name = "host/somehost.domain.local",
>>looking up realm NULL
>>rlm_realm: No such realm "NULL"
>>++[suffix] returns noop
>>++[control] returns noop
>>  rlm_eap: EAP packet type response id 7 length 89
>>  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>>++[eap] returns updated
>>++[files] returns noop
>>++[expiration] returns noop
>>++[logintime] returns noop
>>++[pap] returns noop
>>  rad_check_password:  Found Auth-Type EAP
>>auth: type "EAP"
>>+- entering group authenticate
>>  rlm_eap: Request found, released from the list
>>  rlm_eap: EAP/mschapv2
>>  rlm_eap: processing type mschapv2
>>+- entering group MS-CHAP
>>  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
>>  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
>>  rlm_mschap: Told to do MS-CHAPv2 for host/somehost.domain.local with
>>NT-Password
>>   expand: --username=%{mschap:User-Name:-None} -> --username=somehost$
>> mschap2: 96
>>   expand: --challenge=%{mschap:Challenge:-00} -> 
>> --challenge=2dff1a169cx
>>   expand: --nt-response=%{mschap:NT-Response:-00} ->
>>--nt-response=7fa7664801defd917c241937bd4xxx
>>Exec-Program output: NT_KEY: 7C54FDDBA668A77
>>Exec-Program-Wait: plaintext: NT_KEY: 7C54FDDBA668A77Fxx
>>Exec-Program: returned: 0
>>rlm_mschap: adding MS-CHAPv2 MPPE keys
>>++[mschap] returns ok
>>
>
> OK. So you need two mschap instances one for NT format (DOMAIN\\user
> type - with NT-Domain in ntlm_auth) and one for IPASS
> (host/somehost.domain.local type - without) format. Use unlang to detect
> the delimiter and switch the correct instance replacing mschap in
> authorize and inside Auth-Type MSCHAP.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>



-- 
 .''`.  O.R.Z.E.H.: Obedient Robotic Zealous Exploration Humanoid
: :'  : '98 linux registered | [FoxGame | ---] team translator | Amiga 2000 user
`. `'`  [nagios plugin | udev aic9xx] relaser | 220v active user
 `- http://www.goldenline.pl/lukasz-sitko3 |
http://www.linkedin.com/in/lukaszsitko
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: 802.1x machine authentication ads peap domainname

2009-01-29 Thread tnt
>I'm not splitting user name from realm (well, I don't know); below is
>an example with NT-Domain expand (not working for host/host.domain.local
>EAP/PEAP, but PPP authorization works from all domains: User-Name is
>DOMAIN\\user and the domain is correctly expanded; it works also with
>OTHERDOMAIN\\otheruser - another trusted ADS domain)
>
>
>server inner-tunnel {
>+- entering group authorize
>++[chap] returns noop
>++[mschap] returns noop
>++[unix] returns notfound
>rlm_realm: No '@' in User-Name = "host/somehost.domain.local",
>looking up realm NULL
>rlm_realm: No such realm "NULL"
>++[suffix] returns noop
>++[control] returns noop
>  rlm_eap: EAP packet type response id 9 length 89
>  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>++[eap] returns updated
>++[files] returns noop
>++[expiration] returns noop
>++[logintime] returns noop
>++[pap] returns noop
>  rad_check_password:  Found Auth-Type EAP
>auth: type "EAP"
>+- entering group authenticate
>  rlm_eap: Request found, released from the list
>  rlm_eap: EAP/mschapv2
>  rlm_eap: processing type mschapv2
>+- entering group MS-CHAP
>  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
>  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
>  rlm_mschap: Told to do MS-CHAPv2 for host/somehost.domain.local with
>NT-Password
>   expand: --username=%{mschap:User-Name:-None} -> --username=somehost$
>   expand: --domain=%{mschap:NT-Domain:-DOMAIN} -> --domain=domain <--- 
> here
> mschap2: fa
>   expand: --challenge=%{mschap:Challenge:-00} -> 
> --challenge=19601d7be2fx
>   expand: --nt-response=%{mschap:NT-Response:-00} ->
>--nt-response=3a04766fxxxbfaedba4977c0xxx
>Exec-Program output: Logon failure (0xc06d)
>Exec-Program-Wait: plaintext: Logon failure (0xc06d)
>Exec-Program: returned: 1
>  rlm_mschap: External script failed.
>  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>++[mschap] returns reject
>
>
>and here is an example without NT-Domain expand for ntlm_auth (it is
>working well only for "domain.local" and "DOMAIN\\user" but not for
>trusted OTHERDOMAIN\\otheruser):
>
>
>server inner-tunnel {
>+- entering group authorize
>++[chap] returns noop
>++[mschap] returns noop
>++[unix] returns notfound
>rlm_realm: No '@' in User-Name = "host/somehost.domain.local",
>looking up realm NULL
>rlm_realm: No such realm "NULL"
>++[suffix] returns noop
>++[control] returns noop
>  rlm_eap: EAP packet type response id 7 length 89
>  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>++[eap] returns updated
>++[files] returns noop
>++[expiration] returns noop
>++[logintime] returns noop
>++[pap] returns noop
>  rad_check_password:  Found Auth-Type EAP
>auth: type "EAP"
>+- entering group authenticate
>  rlm_eap: Request found, released from the list
>  rlm_eap: EAP/mschapv2
>  rlm_eap: processing type mschapv2
>+- entering group MS-CHAP
>  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
>  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
>  rlm_mschap: Told to do MS-CHAPv2 for host/somehost.domain.local with
>NT-Password
>   expand: --username=%{mschap:User-Name:-None} -> --username=somehost$
> mschap2: 96
>   expand: --challenge=%{mschap:Challenge:-00} -> 
> --challenge=2dff1a169cx
>   expand: --nt-response=%{mschap:NT-Response:-00} ->
>--nt-response=7fa7664801defd917c241937bd4xxx
>Exec-Program output: NT_KEY: 7C54FDDBA668A77
>Exec-Program-Wait: plaintext: NT_KEY: 7C54FDDBA668A77Fxx
>Exec-Program: returned: 0
>rlm_mschap: adding MS-CHAPv2 MPPE keys
>++[mschap] returns ok
>

OK. So you need two mschap instances one for NT format (DOMAIN\\user
type - with NT-Domain in ntlm_auth) and one for IPASS
(host/somehost.domain.local type - without) format. Use unlang to detect
the delimiter and switch the correct instance replacing mschap in
authorize and inside Auth-Type MSCHAP.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: 802.1x machine authentication ads peap domainname

2009-01-29 Thread orzeh
thanks for reply
I'm not splitting user name from realm (well, I don't know); below is
an example with NT-Domain expand (not working for host/host.domain.local
EAP/PEAP, but PPP authorization works from all domains: User-Name is
DOMAIN\\user and the domain is correctly expanded; it works also with
OTHERDOMAIN\\otheruser - another trusted ADS domain)


server inner-tunnel {
+- entering group authorize
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
rlm_realm: No '@' in User-Name = "host/somehost.domain.local",
looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
  rlm_eap: EAP packet type response id 9 length 89
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
+- entering group MS-CHAP
  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for host/somehost.domain.local with
NT-Password
expand: --username=%{mschap:User-Name:-None} -> --username=somehost$
expand: --domain=%{mschap:NT-Domain:-DOMAIN} -> --domain=domain <--- 
here
 mschap2: fa
expand: --challenge=%{mschap:Challenge:-00} -> 
--challenge=19601d7be2fx
expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=3a04766fxxxbfaedba4977c0xxx
Exec-Program output: Logon failure (0xc06d)
Exec-Program-Wait: plaintext: Logon failure (0xc06d)
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject


and here is an example without NT-Domain expand for ntlm_auth (it is
working well only for "domain.local" and "DOMAIN\\user" but not for
trusted OTHERDOMAIN\\otheruser):


server inner-tunnel {
+- entering group authorize
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
rlm_realm: No '@' in User-Name = "host/somehost.domain.local",
looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
  rlm_eap: EAP packet type response id 7 length 89
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
+- entering group MS-CHAP
  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for host/somehost.domain.local with
NT-Password
expand: --username=%{mschap:User-Name:-None} -> --username=somehost$
 mschap2: 96
expand: --challenge=%{mschap:Challenge:-00} -> 
--challenge=2dff1a169cx
expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=7fa7664801defd917c241937bd4xxx
Exec-Program output: NT_KEY: 7C54FDDBA668A77
Exec-Program-Wait: plaintext: NT_KEY: 7C54FDDBA668A77Fxx
Exec-Program: returned: 0
rlm_mschap: adding MS-CHAPv2 MPPE keys
++[mschap] returns ok


thanks for help!
Lukasz

2009/1/28  :
>>I know about this expand but it's expanding to only the first section of
>>the domain (e.g. domain.com mschap expand gives only "domain").
>>I'm wondering if it is possible to get the correct expand to work because
>>sometimes radius must authorize users from other trusted domains.
>>
>
> Can you post an example. If you are splitting the User-Name with
> something from the realm module (suffix, ntdomain etc.) you get
> Stripped-User-Name and Realm. Perhaps %{Realm} would work for you.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: 802.1x machine authentication ads peap domainname

2009-01-28 Thread tnt
>I know about this expand but it's expanding to only the first section of
>the domain (e.g. domain.com mschap expand gives only "domain").
>I'm wondering if it is possible to get the correct expand to work because
>sometimes radius must authorize users from other trusted domains.
>

Can you post an example. If you are splitting the User-Name with
something from the realm module (suffix, ntdomain etc.) you get
Stripped-User-Name and Realm. Perhaps %{Realm} would work for you.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: 802.1x machine authentication ads peap domainname

2009-01-28 Thread orzeh
I know about this expand but it's expanding to only the first section of
the domain (e.g. domain.com mschap expand gives only "domain").
I'm wondering if it is possible to get the correct expand to work because
sometimes radius must authorize users from other trusted domains.

thanks for answer!


2009/1/27  :
>>thanks but nope:
>>rlm_mschap: Unknown expansion string "Domain-Name"
>>
>
> Sorry it's NT-Domain:
>
> --domain=%{NT-Domain}
>
> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: 802.1x machine authentication ads peap domainname

2009-01-27 Thread tnt
>thanks but nope:
>rlm_mschap: Unknown expansion string "Domain-Name"
>

Sorry it's NT-Domain:

--domain=%{NT-Domain}

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: 802.1x machine authentication ads peap domainname

2009-01-27 Thread orzeh
thanks but nope:
rlm_mschap: Unknown expansion string "Domain-Name"

I'm using freeradius: FreeRADIUS Version 2.0.5, for host x86_64-pc-linux-gnu

On the other hand, is it possible to get this to work together with
domain\user and host/host123.domain.com?

regards!


2009/1/27  :
>>Hello all!
>>I've configured freeradius to work with 802.1x connections; everything is
>>working well but rlm_mschap expands the user name and domain
>>"host/host123.domain.com" to:
>>username -> host123$
>>domain -> domain (without .com)
>>
>>In ntlm_auth I have no correct domain name (without .com) so I've
>>added the domain name directly to the command line.
>>Is there a better solution to expand the full domain name by mschap?
>
> Use mschap:Doman-Name
>
> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>



-- 
 .''`.  O.R.Z.E.H.: Obedient Robotic Zealous Exploration Humanoid
: :'  : '98 linux registered | [FoxGame | ---] team translator | Amiga 2000 user
`. `'`  [nagios plugin | udev aic9xx] relaser | 220v active user
 `- http://www.goldenline.pl/lukasz-sitko3 |
http://www.linkedin.com/in/lukaszsitko
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: 802.1x machine authentication ads peap domainname

2009-01-27 Thread tnt
>Hello all!
>I've configured freeradius to work with 802.1x connections; everything is
>working well but rlm_mschap expands the user name and domain
>"host/host123.domain.com" to:
>username -> host123$
>domain -> domain (without .com)
>
>In ntlm_auth I have no correct domain name (without .com) so I've
>added the domain name directly to the command line.
>Is there a better solution to expand the full domain name by mschap?

Use mschap:Doman-Name

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


802.1x machine authentication ads peap domainname

2009-01-27 Thread orzeh
Hello all!
I've configured freeradius to work with 802.1x connections; everything is
working well but rlm_mschap expands the user name and domain
"host/host123.domain.com" to:
username -> host123$
domain -> domain (without .com)

In ntlm_auth I have no correct domain name (without .com) so I've
added the domain name directly to the command line.
Is there a better solution to expand the full domain name by mschap?


thanks!
Lukasz
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Machine Authentication

2008-10-20 Thread alois blasbichler

Thank you very much indeed!

luis


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Machine Authentication

2008-10-20 Thread A . L . M . Buxey
Hi,

> Nice if I can amuse you 
> In German we say (a variation of a well-known proverb) "an example 
> says more than a thousand words"

Sure. And another well-known proverb is 'give a man a fish and he can eat
for a day, teach a man to fish and he can eat for ever'

i.e. I can give you 3 lines of unlang, or I can tell you to use unlang
or a reg-rewrite and you can look at the unlang and rewrite examples
and work out how and why it works

..but you want a good technical guide? Try this sort of stuff

www.ja.net/documents/publications/technical-guides/8021x-tg-web.pdf

page 25 uses unlang to set an updated attribute. you'd want to modify
the call and routine just to check for \blahblah and then set 
the end of string to have a $

likewise, official novell docs for dealing with this kind of stuff

http://www.novell.com/coolsolutions/feature/17044.html

tells you how to add a $ for a host auth


alan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Machine Authentication

2008-10-20 Thread tnt
Statement that appends stuff is the same in hints, users file, unlang ...

Ivan Kalik
Kalik Informatika ISP


On 20/10/2008, "alois blasbichler" <[EMAIL PROTECTED]>
writes:

>>> can you please give an example how to use unlang to stiick a $ to  
>>> the username
>>
>> amusing. you even copied my typo/sticky key issue.
>>
>> I could spoonfeed you a recipe - but you'll blindly put it into
>> your config without understanding it, what it does or why it might
>> even open up huge security hole in your server...wouldn't you? :-|
>
>Nice if I can amuse you
>In German we say (a variation on a well-known proverb) "an example
>says more than a thousand words"
>
>Maybe sombody else could give me a link to some examples for "unlang"
>
>by
>luis
>
>
>
>



Re: Machine Authentication

2008-10-20 Thread tnt
There are plenty of examples in the documentation on how to append a
realm (@whatever) to the username. Modify it to add $.

Ivan Kalik
Kalik Informatika ISP


On 20/10/2008, "alois blasbichler" <[EMAIL PROTECTED]>
writes:

>Quoting [EMAIL PROTECTED]:
>
>> Hi,
>>
>> the username needs to have a $  - use unlang, for example
>> to stiick a $ into stripped user name and use stripped user
>> name for authentication
>
>Hello
>
>can you please give an example how to use unlang to stiick a $ to the username
>
>thank you
>luis
>
>
>



Re: Machine Authentication

2008-10-20 Thread alois blasbichler
> > can you please give an example how to use unlang to stiick a $ to
> > the username
>
> amusing. you even copied my typo/sticky key issue.
>
> I could spoonfeed you a recipe - but you'll blindly put it into
> your config without understanding it, what it does or why it might
> even open up huge security hole in your server...wouldn't you? :-|


Nice if I can amuse you
In German we say (a variation on a well-known proverb) "an example
says more than a thousand words"


Maybe somebody else could give me a link to some examples for "unlang"

by
luis




Re: Machine Authentication

2008-10-20 Thread A . L . M . Buxey
Hi,

> can you please give an example how to use unlang to stiick a $ to the username

amusing. you even copied my typo/sticky key issue.

I could spoonfeed you a recipe - but you'll blindly put it into
your config without understanding it, what it does or why it might
even open up huge security hole in your server...wouldn't you? :-|


alan


Re: Machine Authentication

2008-10-20 Thread alois blasbichler

Quoting [EMAIL PROTECTED]:

> Hi,
>
> the username needs to have a $  - use unlang, for example
> to stiick a $ into stripped user name and use stripped user
> name for authentication


Hello

can you please give an example how to use unlang to stiick a $ to the username

thank you
luis



RE: Machine Authentication

2008-10-17 Thread Casartello, Thomas
Figured it out by looking at an old radius.conf... had to change user-name to
mschap-user-name

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Casartello, 
Thomas
Sent: Friday, October 17, 2008 9:42 AM
To: 'FreeRadius users mailing list'
Subject: RE: Machine Authentication

About changing it to User-Name?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 17, 2008 9:37 AM
To: FreeRadius users mailing list
Subject: Re: Machine Authentication

Did you try what is suggested in mschap module just above the ntlm_auth
line?

Ivan Kalik
Kalik Informatika ISP


On 17/10/2008, "Casartello, Thomas" <[EMAIL PROTECTED]> writes:

>I've tried to find something on the past posts on this list about this. I 
>think I found what the problem is but was unable to find a solution. I'm 
>trying to make it so I can authenticate machines using the computer name. I 
>know I need to set the ntlm_auth command correctly but I couldn't find to what 
>or is there another solution? Here's my output:
>[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
>[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
>[mschap] Told to do MS-CHAPv2 for host/billlgateway.ads.wsc.ma.edu with 
>NT-Password
>[mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for 
>details
>[mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for 
>details
>[mschap]expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} 
>-> --username=host/billlgateway.ads.wsc.ma.edu
>[mschap]  mschap2: 72
>[mschap]expand: --challenge=%{mschap:Challenge:-00} -> 
>--challenge=c0b3cf2bed56caa9
>[mschap]expand: --nt-response=%{mschap:NT-Response:-00} -> 
>--nt-response=ef761f39a5775d58921cf42503c587f05060638411cf8555
>Exec-Program output: Logon failure (0xc06d)
>Exec-Program-Wait: plaintext: Logon failure (0xc06d)
>Exec-Program: returned: 1
>[mschap] External script failed.
>[mschap] FAILED: MS-CHAP2-Response is incorrect
>++[mschap] returns reject
>
>Thomas E. Casartello, Jr.
>Wireless Network Technician
>Linux Specialist
>Information Technology
>Westfield State College
>Westfield, MA 01086
>(413) 572-8245
>
>
>



Re: Machine Authentication

2008-10-17 Thread A . L . M . Buxey
Hi,

the username needs to have a $  - use unlang, for example
to stiick a $ into stripped user name and use stripped user
name for authentication

alan
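The rewriting Alan describes above (and that Thomas's follow-up earlier in this thread resolves by using the mschap module's own User-Name expansion) as an added Python model; this is not FreeRADIUS, Samba or ntlm_auth code. It maps a 'host/<fqdn>' EAP identity to the '<shortname>$' computer account plus a domain guess, builds the ntlm_auth argument list the way the thread's debug output shows it, and refuses the unrewritten identity that produced the 'Logon failure'. The mapping rule, the upper-cased domain and the binary path are this example's assumptions; the challenge and NT-Response values are the ones quoted in the thread.

```python
"""Added example (not FreeRADIUS or Samba code).

A Windows supplicant doing machine authentication sends the EAP identity
'host/<fqdn>'. Active Directory knows that computer as the account
'<shortname>$', so if the ntlm_auth command line is built from the raw
User-Name (as in the debug output quoted in this thread) Samba is asked
about an account that does not exist and answers 'Logon failure'.
"""
from dataclasses import dataclass
from typing import List, Optional

HOST_PREFIX = "host/"


@dataclass(frozen=True)
class NtlmIdentity:
    username: str          # SAM account name, e.g. 'billlgateway$'
    domain: Optional[str]  # domain derived from the identity, or None


def identity_to_ntlm(identity: str) -> NtlmIdentity:
    """Map an EAP identity to the account name and domain ntlm_auth should check.

    Assumption: this mirrors (does not copy) what the mschap module's own
    User-Name / NT-Domain expansions do for 'host/' names:
      host/pc1.ads.example.edu -> ('pc1$', 'ADS')
      ADS\\alice               -> ('alice', 'ADS')
      alice                    -> ('alice', None)
    Upper-casing the domain is this example's choice.
    """
    if identity.startswith(HOST_PREFIX):
        fqdn = identity[len(HOST_PREFIX):]
        labels = fqdn.split(".")
        if not labels[0]:
            raise ValueError("empty host name in identity")
        domain = labels[1].upper() if len(labels) > 1 and labels[1] else None
        return NtlmIdentity(username=labels[0] + "$", domain=domain)
    if "\\" in identity:
        domain, _, user = identity.partition("\\")
        return NtlmIdentity(username=user, domain=domain.upper() or None)
    return NtlmIdentity(username=identity, domain=None)


def _require_hex(value: str, nbytes: int, what: str) -> bytes:
    """Reject anything that is not exactly nbytes of hex before it reaches a command line."""
    try:
        raw = bytes.fromhex(value)
    except ValueError as exc:
        raise ValueError(f"{what} is not hex") from exc
    if len(raw) != nbytes:
        raise ValueError(f"{what} must be {nbytes} bytes, got {len(raw)}")
    return raw


def ntlm_auth_args(identity: str, challenge_hex: str, nt_response_hex: str,
                   default_domain: str, rewrite: bool = True) -> List[str]:
    """Build the ntlm_auth argument list for an MS-CHAPv2 check.

    rewrite=False reproduces the misconfiguration from the thread: the raw
    identity is passed through unchanged. The MS-CHAPv2 challenge handed to
    ntlm_auth is 8 bytes and the NT-Response 24 bytes. The flags are real
    ntlm_auth flags; the binary path is a placeholder.
    """
    _require_hex(challenge_hex, 8, "challenge")
    _require_hex(nt_response_hex, 24, "nt-response")
    ident = identity_to_ntlm(identity) if rewrite else NtlmIdentity(identity, None)
    if "/" in ident.username:
        raise ValueError(f"identity {identity!r} was not rewritten to an account name")
    return [
        "/path/to/ntlm_auth",  # placeholder path
        "--request-nt-key",
        f"--username={ident.username}",
        f"--domain={ident.domain or default_domain}",
        f"--challenge={challenge_hex}",
        f"--nt-response={nt_response_hex}",
    ]


def rejection_reason(*args, **kwargs) -> Optional[str]:
    """Return the error text ntlm_auth_args raises for these inputs, or None if accepted."""
    try:
        ntlm_auth_args(*args, **kwargs)
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    # Values below are the ones quoted in this thread's debug output.
    ident = "host/billlgateway.ads.wsc.ma.edu"
    chal = "c0b3cf2bed56caa9"
    resp = "ef761f39a5775d58921cf42503c587f05060638411cf8555"
    print(" ".join(ntlm_auth_args(ident, chal, resp, "WSC")))
    print("unrewritten identity:", rejection_reason(ident, chal, resp, "WSC", rewrite=False))
```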


RE: Machine Authentication

2008-10-17 Thread Casartello, Thomas
About changing it to User-Name?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 17, 2008 9:37 AM
To: FreeRadius users mailing list
Subject: Re: Machine Authentication

Did you try what is suggested in mschap module just above the ntlm_auth
line?

Ivan Kalik
Kalik Informatika ISP


On 17/10/2008, "Casartello, Thomas" <[EMAIL PROTECTED]> writes:

>I've tried to find something on the past posts on this list about this. I 
>think I found what the problem is but was unable to find a solution. I'm 
>trying to make it so I can authenticate machines using the computer name. I 
>know I need to set the ntlm_auth command correctly but I couldn't find to what 
>or is there another solution? Here's my output:
>[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
>[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
>[mschap] Told to do MS-CHAPv2 for host/billlgateway.ads.wsc.ma.edu with 
>NT-Password
>[mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for 
>details
>[mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for 
>details
>[mschap]expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} 
>-> --username=host/billlgateway.ads.wsc.ma.edu
>[mschap]  mschap2: 72
>[mschap]expand: --challenge=%{mschap:Challenge:-00} -> 
>--challenge=c0b3cf2bed56caa9
>[mschap]expand: --nt-response=%{mschap:NT-Response:-00} -> 
>--nt-response=ef761f39a5775d58921cf42503c587f05060638411cf8555
>Exec-Program output: Logon failure (0xc06d)
>Exec-Program-Wait: plaintext: Logon failure (0xc06d)
>Exec-Program: returned: 1
>[mschap] External script failed.
>[mschap] FAILED: MS-CHAP2-Response is incorrect
>++[mschap] returns reject
>
>Thomas E. Casartello, Jr.
>Wireless Network Technician
>Linux Specialist
>Information Technology
>Westfield State College
>Westfield, MA 01086
>(413) 572-8245
>
>
>



Re: Machine Authentication

2008-10-17 Thread tnt
Did you try what is suggested in mschap module just above the ntlm_auth
line?

Ivan Kalik
Kalik Informatika ISP


On 17/10/2008, "Casartello, Thomas" <[EMAIL PROTECTED]> writes:

>I've tried to find something on the past posts on this list about this. I 
>think I found what the problem is but was unable to find a solution. I'm 
>trying to make it so I can authenticate machines using the computer name. I 
>know I need to set the ntlm_auth command correctly but I couldn't find to what 
>or is there another solution? Here's my output:
>[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
>[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
>[mschap] Told to do MS-CHAPv2 for host/billlgateway.ads.wsc.ma.edu with 
>NT-Password
>[mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for 
>details
>[mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for 
>details
>[mschap]expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} 
>-> --username=host/billlgateway.ads.wsc.ma.edu
>[mschap]  mschap2: 72
>[mschap]expand: --challenge=%{mschap:Challenge:-00} -> 
>--challenge=c0b3cf2bed56caa9
>[mschap]expand: --nt-response=%{mschap:NT-Response:-00} -> 
>--nt-response=ef761f39a5775d58921cf42503c587f05060638411cf8555
>Exec-Program output: Logon failure (0xc06d)
>Exec-Program-Wait: plaintext: Logon failure (0xc06d)
>Exec-Program: returned: 1
>[mschap] External script failed.
>[mschap] FAILED: MS-CHAP2-Response is incorrect
>++[mschap] returns reject
>
>Thomas E. Casartello, Jr.
>Wireless Network Technician
>Linux Specialist
>Information Technology
>Westfield State College
>Westfield, MA 01086
>(413) 572-8245
>
>
>



Machine Authentication

2008-10-17 Thread Casartello, Thomas
I've tried to find something on the past posts on this list about this. I think 
I found what the problem is but was unable to find a solution. I'm trying to 
make it so I can authenticate machines using the computer name. I know I need 
to set the ntlm_auth command correctly but I couldn't find to what or is there 
another solution? Here's my output:
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for host/billlgateway.ads.wsc.ma.edu with 
NT-Password
[mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for 
details
[mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for 
details
[mschap]expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> 
--username=host/billlgateway.ads.wsc.ma.edu
[mschap]  mschap2: 72
[mschap]expand: --challenge=%{mschap:Challenge:-00} -> 
--challenge=c0b3cf2bed56caa9
[mschap]expand: --nt-response=%{mschap:NT-Response:-00} -> 
--nt-response=ef761f39a5775d58921cf42503c587f05060638411cf8555
Exec-Program output: Logon failure (0xc06d)
Exec-Program-Wait: plaintext: Logon failure (0xc06d)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject

Thomas E. Casartello, Jr.
Wireless Network Technician
Linux Specialist
Information Technology
Westfield State College
Westfield, MA 01086
(413) 572-8245


Re: Machine authentication

2008-05-07 Thread Alan DeKok
George KNIGHT wrote:
> Thank you for your reply David.
> 
> I have a long way to go I guess.

  I understand.  I've been hitting the same wall for 10 years.

Q: How do I get FreeRADIUS working with a proprietary, undocumented,
non-compliant vendor software?

A: Damned if I know.  When you find out, please tell us, so other people
don't run into the same problem.

  ... and ... silence.

  Repeat that exchange every month for a decade, with different NAS
vendors, Microsoft, supplicants, VPN's, etc.  It's no wonder I'm a
little cranky at times.  I've put everything I know into the server, and
people *still* get upset that FreeRADIUS is a PoS because they can't get
some crappy vendor's products to work with it.

  What are we supposed to do?  Your frustration is natural, but we're
stuck, too.

  Alan DeKok.


Re: Re: Machine authentication

2008-05-06 Thread George KNIGHT
Thank you for your reply David.
I have a long way to go I guess.

Have a nice day.

/GK



On Tue, May 6, 2008 at 10:02 AM, David Mitton <[EMAIL PROTECTED]> wrote:

>  George,
>
>Your message came through just fine.  But this is a voluntary list of
> users, and your question falls into an area that overhangs a long way
> outside of FreeRadius, possibly outside of the expertise in this group.   I
> know a little about this space, so FWIW:
>
> First off, Big Picture: to a certain extent, FR doesn't care if you are
> authenticating a user or a machine.  It just approves (Access-Accept) the
> wireless connect or not.  You have to configure FR so it finds, resolves and
> can authenticate the credentials supplied.
>
> In your case EAP-TLS would be appropriate.  I believe Microsoft gives you
> one of them on WinCE.   You will have to install certs on the WinCE devices
> that meet the criteria on the client and server EAP-TLS module.
>
> If you are trying to use FR to front end an Active Directory installation,
> this becomes more complicated.  (I cannot describe that to you)
>
> But even so, Remote Access authentication to AD is not a User logon, it's
> just access.  The defaults favor user credentials or certificates, but you
> can configure anything that works, doesn't have to be users.
>
> Also, WinCE "machines" are not the same as WinXP systems with their
> relationship to an Active Directory.  They are not domain members that logon
> AD users.   So this is not "machine authentication" in the AD sense.    That
> said, the EAP system in WinCE is fairly equivalent to the XP EAP, but I'm
> not sure if there is an automatic machine connection attempt or what the source
> of credentials would be. (maybe from the registry?)  Likely if the ability
> exists, you have to define it in the EAP configuration.   This is a WinCE
> EAP client issue.
>
> Good luck,
>
> Dave.
>
>
>
> May 6, 2008 08:49:37 AM, freeradius-users@lists.freeradius.org wrote:
>
> Hi,
> I sent an email to the list yesterday but it seems it wasn't delivered.
> I'm resending it again.
>
> /GK
>
> On Mon, May 5, 2008 at 12:10 PM, George KNIGHT <[EMAIL PROTECTED]>
> wrote:
>
> > Hello All,
> > I've been trying to setup an environment where WinCE OS client computers
> > authenticate themselves using wireless connection to the freeradius v.2.0.3
> >  server with PEAP. The authenticator will eventually be Cisco AP1242 AP but
> > for now I am using Symbol AP300.
> >
> > The way that I want to set this up is that the computers with WinCE OS
> > will be used by users who shouldn't be asked any user name or input. All I
> > want is WinCE machines to authenticate themselves with freeradius through
> > certificates. Basically, I want machine authentication as opposed to user
> > authentication.
> >
> > Are there specific changes I have to do on conf files for this to work?
> > Or any change at the client machines?
> >
> > Thank you.
> > George Knight
> >
>
>
> --
>

Re: Re: Machine authentication

2008-05-06 Thread David Mitton


George,
   Your message came through just fine.  But this is a voluntary list of users, and your question falls into an area that overhangs a long way outside of FreeRadius, possibly outside of the expertise in this group.   I know a little about this space, so FWIW:

First off, Big Picture: to a certain extent, FR doesn't care if you are authenticating a user or a machine.  It just approves (Access-Accept) the wireless connect or not.  You have to configure FR so it finds, resolves and can authenticate the credentials supplied.

In your case EAP-TLS would be appropriate.  I believe Microsoft gives you one of them on WinCE.   You will have to install certs on the WinCE devices that meet the criteria on the client and server EAP-TLS module.

If you are trying to use FR to front end an Active Directory installation, this becomes more complicated.  (I cannot describe that to you)

But even so, Remote Access authentication to AD is not a User logon, it's just access.  The defaults favor user credentials or certificates, but you can configure anything that works, doesn't have to be users.

Also, WinCE "machines" are not the same as WinXP systems with their relationship to an Active Directory.  They are not domain members that logon AD users.   So this is not "machine authentication" in the AD sense.    That said, the EAP system in WinCE is fairly equivalent to the XP EAP, but I'm not sure if there is an automatic machine connection attempt or what the source of credentials would be. (maybe from the registry?)  Likely if the ability exists, you have to define it in the EAP configuration.   This is a WinCE EAP client issue.

Good luck,

Dave.

May 6, 2008 08:49:37 AM, freeradius-users@lists.freeradius.org wrote:

> Hi,
>
> I sent an email to the list yesterday but it seems it wasn't delivered. I'm resending it again.
>
> /GK
>
> On Mon, May 5, 2008 at 12:10 PM, George KNIGHT <[EMAIL PROTECTED]> wrote:
>
> > Hello All,
> >
> > I've been trying to setup an environment where WinCE OS client computers authenticate themselves using wireless connection to the freeradius v.2.0.3 server with PEAP. The authenticator will eventually be Cisco AP1242 AP but for now I am using Symbol AP300.
> >
> > The way that I want to set this up is that the computers with WinCE OS will be used by users who shouldn't be asked any user name or input. All I want is WinCE machines to authenticate themselves with freeradius through certificates. Basically, I want machine authentication as opposed to user authentication.
> >
> > Are there specific changes I have to do on conf files for this to work? Or any change at the client machines?
> >
> > Thank you.
> > George Knight

Re: Machine authentication

2008-05-06 Thread George KNIGHT
Hi,
I sent an email to the list yesterday but it seems it wasn't delivered. I'm
resending it again.

/GK

On Mon, May 5, 2008 at 12:10 PM, George KNIGHT <[EMAIL PROTECTED]>
wrote:

> Hello All,
> I've been trying to setup an environment where WinCE OS client computers
> authenticate themselves using wireless connection to the freeradius v.2.0.3
>  server with PEAP. The authenticator will eventually be Cisco AP1242 AP but
> for now I am using Symbol AP300.
>
> The way that I want to set this up is that the computers with WinCE OS
> will be used by users who shouldn't be asked any user name or input. All I
> want is WinCE machines to authenticate themselves with freeradius through
> certificates. Basically, I want machine authentication as opposed to user
> authentication.
>
> Are there specific changes I have to do on conf files for this to work? Or
> any change at the client machines?
>
> Thank you.
> George Knight
>

Machine authentication

2008-05-05 Thread George KNIGHT
Hello All,
I've been trying to setup an environment where WinCE OS client computers
authenticate themselves using wireless connection to the freeradius v.2.0.3
 server with PEAP. The authenticator will eventually be Cisco AP1242 AP but
for now I am using Symbol AP300.

The way that I want to set this up is that the computers with WinCE OS will
be used by users who shouldn't be asked any user name or input. All I want
is WinCE machines to authenticate themselves with freeradius through
certificates. Basically, I want machine authentication as opposed to user
authentication.

Are there specific changes I have to do on conf files for this to work? Or
any change at the client machines?

Thank you.
George Knight

Re: EAP-TLS Machine Authentication problems - Resolved

2008-01-19 Thread Michael Olson

Well this was an embarrassing sort of problem.

The CA certificate was in the Users Trusted Root store, once I moved it 
to the Machine Trusted Root store all was well.


For anyone else ever hunting down this problem, the Windows RASTLS.log 
error messages I got were:


[4968] 21:57:59:046: SecurityContextFunction
[4968] 21:57:59:062: InitializeSecurityContext returned 0x80090325
[4968] 21:57:59:062: State change to RecdFinished. Error: 0x321

In freeradius it seemed like the login process just cycled forever, 
getting to the last message and the client just gave up.


In the Windows "Wireless Network Connection" dialog box it hung in 
attempting to verify and never moved on.


Thanks all for enduring my duh moment with me.

v/r
-- Mike Olson

Michael Olson wrote:

> I tried upgrading to 2.0.0, very close to a stock default config and
> I'm getting the same symptoms, user works, computer doesn't. Makes me
> even more suspicious of my certificates. I updated the files listed
> below to new logs generated from 2.0.0.
>
> I saw the note in certs/xpextensions to add 1.3.6.1.4.1.311.17.2 to
> the PKCS#12 file attribute bag. I hacked up OpenSSL a bit to get that
> to work and I posted the output from an openssl pkcs12 dump to
> http://www.cs.odu.edu/~olson/eap/computer.p12.txt , unfortunately
> that didn't seem to help.
>
> I'm pretty much dead on ideas at this point, besides Ivan Kalik's
> suggestion that I look into the $ appended to the machine name. (Which
> I'm pursuing next.)
>
> Thanks
>
> -- Mike Olson
>
> Michael Olson wrote:
>
> > I'm attempting to use FreeRADIUS to do EAP-TLS with Windows XP using
> > machine authentication. I set up FreeRADIUS following the guide at
> > http://wiki.freeradius.org/WPA_HOWTO#Step_2:_Configure_FreeRADIUS and
> > I'm using OpenSSL to generate the certificates.
> >
> > I can authenticate using user certificates fine, so I'm pretty sure
> > all the Certificates & CA setup is right on the RADIUS server
> > certificate, User certificate, and the Root Certificate. That leaves
> > the Computer Certificate.
> >
> > I generated the computer certificate to have the common name be the
> > machine name (I've tried it plain and FQDN) and I've put the FQDN in
> > the altSubjectName field as well. It has the same usage extensions as
> > the User certificates. (TLS Client Auth: 1.3.6.1.5.5.7.3.2) I set the
> > AuthMode registry key to Computer Only (2), and it tries to
> > authenticate, which suggests that the workstation is okay with the
> > certificate.
> >
> > Computer Certificate details:
> > http://www.cs.odu.edu/~olson/eap/computer.crt.txt
> >
> > Other than that I can't think of where to look for a problem.
> > Comparing logs between user and computer authentication I can see
> > where it starts differing, but I can't find anything I can interpret
> > as to why. Nothing seems to fail for the computer, it just cycles
> > endlessly.
> >
> > Successful User Authentication Log:
> >    http://www.cs.odu.edu/~olson/eap/eap-tls_user_auth.log
> >
> > Failed Computer Authentication Log:
> >    http://www.cs.odu.edu/~olson/eap/eap-tls_computer_auth.log
> >
> > I also tossed out the windows tracing logs for both user and computer
> > auth and anything else that seemed useful in
> > http://www.cs.odu.edu/~olson/eap/
> >
> > Can anybody give me a pointer on where to look for problems?
> >
> > Thanks
> >
> > -- Mike Olson



Re: EAP-TLS Machine Authentication problems - Resolved

2008-01-18 Thread Michael Olson


Found the problem... and ummm... I'm really ashamed to admit this one.

I had the CA root certificate in the users trusted root store, moved it 
over the machine trusted root store and all is well.


Thank you for enduring my duh moment.

-- Mike Olson

Michael Olson wrote:

> I loaded the computer certificate via the MMC Certificates module,
> into the Local Machine, Personal store. When there isn't one in
> there I get a can't find a certificate error in Windows when trying
> to connect and it never tries to do EAP. Also, looking at the user
> log and the computer log, they both get the "TLS_accept:error in
> SSLv3 read client certificate A" at that stage.
>
> Looking at User cert request ID #52 and Computer cert request ID #40
> (Where the "SSLv3 read client certificate A" error occurs) they are
> pretty much identical. The next messages in the sequence (#53/#41)
> are also almost identical (the freeradius reply is identical right down
> to the EAP-Message blobs in the response). The message after that
> is where things appear to go wrong, in User #54, a ton of EAP data
> comes in from the client, the client cert details show up, and
> authentication seems to be wrapping up; but in Computer #42 barely
> anything appears in the EAP blobs and the process appears to start
> cycling over again.
>
> Thanks
>
> -- Mike Olson
>
>
> [EMAIL PROTECTED] wrote:
>
> > machine: TLS_accept:error in SSLv3 read client certificate A
> > user:(other): SSL negotiation finished successfully
> >
> > There doesn't seem to be a machine certificate in the certificate store.
> >
> > Ivan Kalik
> > Kalik Informatika ISP
> >
> > On 18/1/2008, "Michael Olson" <[EMAIL PROTECTED]> writes:
> >
> > > I'm attempting to use FreeRADIUS to do EAP-TLS with Windows XP using
> > > machine authentication. I set up FreeRADIUS following the guide at
> > > http://wiki.freeradius.org/WPA_HOWTO#Step_2:_Configure_FreeRADIUS
> > > and I'm using OpenSSL to generate the certificates.
> > >
> > > I can authenticate using user certificates fine, so I'm pretty sure
> > > all the Certificates & CA setup is right on the RADIUS server
> > > certificate, User certificate, and the Root Certificate. That leaves
> > > the Computer Certificate.
> > >
> > > I generated the computer certificate to have the common name be the
> > > machine name (I've tried it plain and FQDN) and I've put the FQDN in
> > > the altSubjectName field as well. It has the same usage extensions as
> > > the User certificates. (TLS Client Auth: 1.3.6.1.5.5.7.3.2) I set the
> > > AuthMode registry key to Computer Only (2), and it tries to
> > > authenticate, which suggests that the workstation is okay with the
> > > certificate.
> > >
> > > Computer Certificate details:
> > > http://www.cs.odu.edu/~olson/eap/computer.crt.txt
> > >
> > > Other than that I can't think of where to look for a problem.
> > > Comparing logs between user and computer authentication I can see
> > > where it starts differing, but I can't find anything I can interpret
> > > as to why. Nothing seems to fail for the computer, it just cycles
> > > endlessly.
> > >
> > > Successful User Authentication Log:
> > >   http://www.cs.odu.edu/~olson/eap/eap-tls_user_auth.log
> > >
> > > Failed Computer Authentication Log:
> > >   http://www.cs.odu.edu/~olson/eap/eap-tls_computer_auth.log
> > >
> > > I also tossed out the windows tracing logs for both user and
> > > computer auth and anything else that seemed useful in
> > > http://www.cs.odu.edu/~olson/eap/
> > >
> > > Can anybody give me a pointer on where to look for problems?
> > >
> > > Thanks
> > >
> > > -- Mike Olson



Re: EAP-TLS Machine Authentication problems

2008-01-18 Thread Michael Olson
I tried upgrading to 2.0.0, very close to a stock default config and I'm 
getting the same symptoms, user works, computer doesn't. Makes me even 
more suspicious of my certificates. I updated the files listed below to 
new logs generated from 2.0.0.


I saw the note to in certs/xpextensions to add 1.3.6.1.4.1.311.17.2 to 
the PKCS#12 file attribute bag. I hacked up OpenSSL a bit to get that to 
work and I posted the output from an openssl pkcs12 dump to 
http://www.cs.odu.edu/~olson/eap/computer.p12.txt  , unfortunately that 
didn't seem to help.


I'm pretty much dead on ideas at this point, besides Ivan Kalik's 
suggestion that I look into the $ appended to the machine name. (Which 
I'm pursuing next.)


Thanks

-- Mike Olson

Michael Olson wrote:

> I'm attempting to use FreeRADIUS to do EAP-TLS with Windows XP using
> machine authentication. I set up FreeRADIUS following the guide at
> http://wiki.freeradius.org/WPA_HOWTO#Step_2:_Configure_FreeRADIUS and
> I'm using OpenSSL to generate the certificates.
>
> I can authenticate using user certificates fine, so I'm pretty sure
> all the Certificates & CA setup is right on the RADIUS server
> certificate, User certificate, and the Root Certificate. That leaves
> the Computer Certificate.
>
> I generated the computer certificate to have the common name be the
> machine name (I've tried it plain and FQDN) and I've put the FQDN in
> the altSubjectName field as well. It has the same usage extensions as
> the User certificates. (TLS Client Auth: 1.3.6.1.5.5.7.3.2) I set the
> AuthMode registry key to Computer Only (2), and it tries to
> authenticate, which suggests that the workstation is okay with the
> certificate.
>
> Computer Certificate details:
> http://www.cs.odu.edu/~olson/eap/computer.crt.txt
>
> Other than that I can't think of where to look for a problem.
> Comparing logs between user and computer authentication I can see
> where it starts differing, but I can't find anything I can interpret
> as to why. Nothing seems to fail for the computer, it just cycles
> endlessly.
>
> Successful User Authentication Log:
>    http://www.cs.odu.edu/~olson/eap/eap-tls_user_auth.log
>
> Failed Computer Authentication Log:
>    http://www.cs.odu.edu/~olson/eap/eap-tls_computer_auth.log
>
> I also tossed out the windows tracing logs for both user and computer
> auth and anything else that seemed useful in
> http://www.cs.odu.edu/~olson/eap/
>
> Can anybody give me a pointer on where to look for problems?
>
> Thanks
>
> -- Mike Olson



Re: EAP-TLS Machine Authentication problems

2008-01-18 Thread tnt
>
>Looking at User cert request ID #52 and Computer cert request ID #40
>(Where the "SSLv3 read client certificate A" error occurs) they are
>pretty much identical. The next messages in the sequence (#53/#41)
>are also almost identical (the freeradius reply is identical right down
>to the EAP-Message blobs in the response). The message after that
>is where things appear to go wrong, in User #54, a ton of EAP data
>comes in from the client, the client cert details show up, and
>authentication seems to be wrapping up; but in Computer #42 barely
>anything appears in the EAP blobs and the process appears to start
>cycling over again.
>
>Thanks
>
>-- Mike Olson
>

Yes, there is a mismatch that's something to do with MS adding $ to the
end of machine accounts, so certificate data is not sent. I don't know
how to fix this but I am sure there are people on the list that do.

Ivan Kalik
Kalik Informatika ISP



Re: EAP-TLS Machine Authentication problems

2008-01-18 Thread Michael Olson

I loaded the computer certificate via the MMC Certificates module,
into the Local Machine, Personal store. When there isn't one in
there I get a can't find a certificate error in Windows when trying
to connect and it never tries to do EAP. Also, looking at the user
log and the computer log, they both get the "TLS_accept:error in
SSLv3 read client certificate A" at that stage.

Looking at User cert request ID #52 and Computer cert request ID #40
(Where the "SSLv3 read client certificate A" error occurs) they are
pretty much identical. The next messages in the sequence (#53/#41)
are also almost identical (the freeradius reply is identical right down
to the EAP-Message blobs in the response). The message after that
is where things appear to go wrong, in User #54, a ton of EAP data
comes in from the client, the client cert details show up, and
authentication seems to be wrapping up; but in Computer #42 barely
anything appears in the EAP blobs and the process appears to start
cycling over again.

Thanks

-- Mike Olson


[EMAIL PROTECTED] wrote:

> machine: TLS_accept:error in SSLv3 read client certificate A
> user:(other): SSL negotiation finished successfully
>
> There doesn't seem to be a machine certificate in the certificate store.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 18/1/2008, "Michael Olson" <[EMAIL PROTECTED]> writes:
>
>> I'm attempting to use FreeRADIUS to do EAP-TLS with Windows XP using machine
>> authentication. I set up FreeRADIUS following the guide at
>> http://wiki.freeradius.org/WPA_HOWTO#Step_2:_Configure_FreeRADIUS and I'm using
>> OpenSSL to generate the certificates.
>>
>> I can authenticate using user certificates fine, so I'm pretty sure all the
>> Certificates & CA setup is right on the RADIUS server certificate, User
>> certificate, and the Root Certificate. That leaves the Computer Certificate.
>>
>> I generated the computer certificate to have the common name be the machine
>> name (I've tried it plain and FQDN) and I've put the FQDN in the altSubjectName
>> field as well. It has the same usage extensions as the User certificates.
>> (TLS Client Auth: 1.3.6.1.5.5.7.3.2) I set the AuthMode registry key to
>> Computer Only (2), and it tries to authenticate, which suggests that the
>> workstation is okay with the certificate.
>>
>> Computer Certificate details: http://www.cs.odu.edu/~olson/eap/computer.crt.txt
>>
>> Other than that I can't think of where to look for a problem. Comparing logs
>> between user and computer authentication I can see where it starts differing
>> but I can't find anything I can interpret as to why. Nothing seems to fail for
>> the computer, it just cycles endlessly.
>>
>> Successful User Authentication Log:
>>   http://www.cs.odu.edu/~olson/eap/eap-tls_user_auth.log
>>
>> Failed Computer Authentication Log:
>>   http://www.cs.odu.edu/~olson/eap/eap-tls_computer_auth.log
>>
>> I also tossed out the windows tracing logs for both user and computer auth
>>   and anything else that seemed useful in
>>   http://www.cs.odu.edu/~olson/eap/
>>
>> Can anybody give me a pointer on where to look for problems?
>>
>> Thanks
>>
>> -- Mike Olson


Re: EAP-TLS Machine Authentication problems

2008-01-18 Thread tnt
machine: TLS_accept:error in SSLv3 read client certificate A
user:(other): SSL negotiation finished successfully

There doesn't seem to be a machine certificate in the certificate store.

Ivan Kalik
Kalik Informatika ISP



On 18/1/2008, "Michael Olson" <[EMAIL PROTECTED]> writes:

>I'm attempting to use FreeRADIUS to do EAP-TLS with Windows XP using machine
>authentication. I set up FreeRADIUS following the guide at
>http://wiki.freeradius.org/WPA_HOWTO#Step_2:_Configure_FreeRADIUS and I'm using
>OpenSSL to generate the certificates.
>
>I can authenticate using user certificates fine, so I'm pretty sure all the
>Certificates & CA setup is right on the RADIUS server certificate, User
>certificate, and the Root Certificate. That leaves the Computer Certificate.
>
>I generated the computer certificate to have the common name be the machine
>name (I've tried it plain and FQDN) and I've put the FQDN in the altSubjectName
>field as well. It has the same usage extensions as the User certificates.
>(TLS Client Auth: 1.3.6.1.5.5.7.3.2) I set the AuthMode registry key to
>Computer Only (2), and it tries to authenticate, which suggests that the
>workstation is okay with the certificate.
>
>Computer Certificate details: http://www.cs.odu.edu/~olson/eap/computer.crt.txt
>
>Other than that I can't think of where to look for a problem. Comparing logs
>between user and computer authentication I can see where it starts differing
>but I can't find anything I can interpret as to why. Nothing seems to fail for
>the computer, it just cycles endlessly.
>
>Successful User Authentication Log:
>http://www.cs.odu.edu/~olson/eap/eap-tls_user_auth.log
>
>Failed Computer Authentication Log:
>http://www.cs.odu.edu/~olson/eap/eap-tls_computer_auth.log
>
>I also tossed out the windows tracing logs for both user and computer auth
>and anything else that seemed useful in
>http://www.cs.odu.edu/~olson/eap/
>
>Can anybody give me a pointer on where to look for problems?
>
>Thanks
>
>-- Mike Olson
>



EAP-TLS Machine Authentication problems

2008-01-17 Thread Michael Olson

I'm attempting to use FreeRADIUS to do EAP-TLS with Windows XP using machine
authentication. I set up FreeRADIUS following the guide at
http://wiki.freeradius.org/WPA_HOWTO#Step_2:_Configure_FreeRADIUS and I'm using
OpenSSL to generate the certificates.

I can authenticate using user certificates fine, so I'm pretty sure all the
Certificates & CA setup is right on the RADIUS server certificate, User
certificate, and the Root Certificate. That leaves the Computer Certificate.

I generated the computer certificate to have the common name be the machine
name (I've tried it plain and FQDN) and I've put the FQDN in the altSubjectName
field as well. It has the same usage extensions as the User certificates.  
(TLS Client Auth: 1.3.6.1.5.5.7.3.2) I set the AuthMode registry key to 
Computer Only (2), and it tries to authenticate, which suggests that the
workstation is okay with the certificate.


Computer Certificate details: http://www.cs.odu.edu/~olson/eap/computer.crt.txt

Other than that I can't think of where to look for a problem. Comparing logs
between user and computer authentication I can see where it starts differing
but I can't find anything I can interpret as to why. Nothing seems to fail for
the computer, it just cycles endlessly.

Successful User Authentication Log:
   http://www.cs.odu.edu/~olson/eap/eap-tls_user_auth.log

Failed Computer Authentication Log:
   http://www.cs.odu.edu/~olson/eap/eap-tls_computer_auth.log

I also tossed out the windows tracing logs for both user and computer auth
   and anything else that seemed useful in 
   http://www.cs.odu.edu/~olson/eap/


Can anybody give me a pointer on where to look for problems?

Thanks

-- Mike Olson



Re: 802.1x machine authentication patch help

2007-12-14 Thread Alan DeKok
Michael Patzer wrote:
> i found the topic about "No logon workstation trust account
> (0xc199)".
> 
> i've the same problem using
>   freeradius-2.0.0-pre2
>   samba 3.0.24
>   on debian etch
> 
> is it required to update to samba 3.0.28 (debian unstable) to fix this
> issue, or could it be anything else?

  It's completely determined by Samba.  I would ask the Samba people
whether or not this was possible.

  Alan DeKok.


RE: 802.1x machine authentication patch help

2007-12-14 Thread Michael Patzer
I fixed the issue by building and installing my own winbind package
from the debian unstable source for etch: winbind_3.0.28-1_i386.deb

Now the only problem I have left is that freeradius converts
username: "host/trelane.ka.foobar.de" to
username: trelane$
domain: ka

I did a workaround for this by adding the domainname directly to the
ntlm_auth command, because at the moment we only use one domain.
But is there any better way?

regards,
michael

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael Patzer
Sent: Friday, December 14, 2007 1:04 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: 802.1x machine authentication patch help

i found the topic about "No logon workstation trust account
(0xc199)".

i've the same problem using
freeradius-2.0.0-pre2
samba 3.0.24
on debian etch

is it required to update to samba 3.0.28 (debian unstable) to fix this
issue, or could it be anything else?


thx
michael

freeradius-log:

+- entering group MS-CHAP
  rlm_mschap: No Cleartext-Password configured.  Cannot create
LM-Password.
  rlm_mschap: No Cleartext-Password configured.  Cannot create
NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for host/trelane.ka.foobar.de with
NT-Password
expand: --username=%{mschap:User-Name} -> --username=trelane$
 mschap2: 95
expand: --challenge=%{mschap:Challenge} ->
--challenge=36fc487a5fe99e03
expand: --nt-response=%{mschap:NT-Response} ->
--nt-response=b8ec109fa4b1a1ed3b2832f4e9704456febebeb4d790574e
Exec-Program output: No logon workstation trust account (0xc199) 
Exec-Program-Wait: plaintext: No logon workstation trust account
(0xc199) 
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject



-Original Message-
From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Phil Mayers
Sent: 01 October 2007 09:55
To: FreeRadius users mailing list
Subject: Re: 802.1x machine authentication patch help

On Fri, 2007-09-28 at 12:06 +0100, Marco Casulli wrote:
> Hi Jamie,
> 
> Marco from BBC in london.
> 
> I have read your message
> (http://lists.cistron.nl/pipermail/freeradius-users/2005-November/048576.html
> related to the error when the radius is trying to authenticate
> in AD and I am getting exactly the same message.
> 
> "No logon workstation trust account (0xc199)". 
> 
> The article is dated Nov 2005 so I hope you have the solution by now! 
> ;-)

You need a suitably recent version of Samba. I can't remember the exact
version number, but I'm sure judicious use of Google will find it, or
just use the most recent.



Re: 802.1x machine authentication patch help

2007-12-14 Thread Michael Patzer
i found the topic about "No logon workstation trust account
(0xc199)".

i've the same problem using
freeradius-2.0.0-pre2
samba 3.0.24
on debian etch

is it required to update to samba 3.0.28 (debian unstable) to fix this
issue, or could it be anything else?


thx
michael

freeradius-log:

+- entering group MS-CHAP
  rlm_mschap: No Cleartext-Password configured.  Cannot create
LM-Password.
  rlm_mschap: No Cleartext-Password configured.  Cannot create
NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for host/trelane.ka.foobar.de with
NT-Password
expand: --username=%{mschap:User-Name} -> --username=trelane$
 mschap2: 95
expand: --challenge=%{mschap:Challenge} ->
--challenge=36fc487a5fe99e03
expand: --nt-response=%{mschap:NT-Response} ->
--nt-response=b8ec109fa4b1a1ed3b2832f4e9704456febebeb4d790574e
Exec-Program output: No logon workstation trust account (0xc199) 
Exec-Program-Wait: plaintext: No logon workstation trust account
(0xc199) 
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject



-Original Message-
From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Phil Mayers
Sent: 01 October 2007 09:55
To: FreeRadius users mailing list
Subject: Re: 802.1x machine authentication patch help

On Fri, 2007-09-28 at 12:06 +0100, Marco Casulli wrote:
> Hi Jamie,
> 
> Marco from BBC in london.
> 
> I have read your message
> (http://lists.cistron.nl/pipermail/freeradius-users/2005-November/048576.html
> related to the error when the radius is trying to authenticate
> in AD and I am getting exactly the same message.
> 
> "No logon workstation trust account (0xc199)". 
> 
> The article is dated Nov 2005 so I hope you have the solution by now! 
> ;-)

You need a suitably recent version of Samba. I can't remember the exact
version number, but I'm sure judicious use of Google will find it, or
just use the most recent.



RE: 802.1x machine authentication patch help

2007-10-01 Thread Phil Mayers
On Mon, 2007-10-01 at 10:41 +0100, Marco Casulli wrote:
> Touchy! :-)

Read this list for a while, then you'll see why people get irate when
their advice isn't followed ;o)

> 
> I was only asking as I am not an expert on this subject and wanted to
> understand why Samba came in the loop?

In a domain environment, FreeRadius authenticates mschap by a callout to
the Samba "ntlm_auth" program; this in turn makes an RPC call to the
domain controller. In older versions of samba, the RPC call lacks the
flag to say "machine accounts are acceptable here", so they fail
authentication.

In later versions, the flag is present.




RE: 802.1x machine authentication patch help

2007-10-01 Thread Marco Casulli
Touchy! :-)

I was only asking as I am not an expert on this subject and wanted to
understand why Samba came in the loop?

Now that you have clarified the point it makes sense.

I will follow your advice.
Thanks
Alan 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: 01 October 2007 10:20
To: FreeRadius users mailing list
Subject: Re: 802.1x machine authentication patch help

Marco Casulli wrote:
> However how is samba related to this error?
> 
> This is an error coming from the AD server not able to authenticate a 
> user.

  If you're not going to believe the answers on this list, I don't see
why you're asking questions here.

  Q: Are you using Samba?
  Yes: upgrade as you were told to do
  No: You can't get the error message you posted without using Samba,
  so you ARE using Samba.

  Alan DeKok.


Re: 802.1x machine authentication patch help

2007-10-01 Thread Alan DeKok
Marco Casulli wrote:
> However how is samba related to this error?
> 
> This is an error coming from the AD server not able to authenticate a
> user. 

  If you're not going to believe the answers on this list, I don't see
why you're asking questions here.

  Q: Are you using Samba?
  Yes: upgrade as you were told to do
  No: You can't get the error message you posted without using Samba,
  so you ARE using Samba.

  Alan DeKok.


RE: 802.1x machine authentication patch help

2007-10-01 Thread Marco Casulli
Thanks for your reply Phil,

However how is samba related to this error?

This is an error coming from the AD server not able to authenticate a
user. 

Thanks
Marco 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Mayers
Sent: 01 October 2007 09:55
To: FreeRadius users mailing list
Subject: Re: 802.1x machine authentication patch help

On Fri, 2007-09-28 at 12:06 +0100, Marco Casulli wrote:
> Hi Jamie,
> 
> Marco from BBC in London.
> 
> I have read your message
> (http://lists.cistron.nl/pipermail/freeradius-users/2005-November/048576.html
> related to the error when the radius is trying to authenticate
> in AD and I am getting exactly the same message.
> 
> "No logon workstation trust account (0xc199)". 
> 
> The article is dated Nov 2005 so I hope you have the solution by now! 
> ;-)

You need a suitably recent version of Samba. I can't remember the exact
version number, but I'm sure judicious use of Google will find it, or
just use the most recent.




Re: 802.1x machine authentication patch help

2007-10-01 Thread Phil Mayers
On Fri, 2007-09-28 at 12:06 +0100, Marco Casulli wrote:
> Hi Jamie,
> 
> Marco from BBC in London.
> 
> I have read your message
> (http://lists.cistron.nl/pipermail/freeradius-users/2005-November/048576.html 
> related to the error when the radius is trying to authenticate in AD
> and I am getting exactly the same message.
> 
> "No logon workstation trust account (0xc199)". 
> 
> The article is dated Nov 2005 so I hope you have the solution by
> now! ;-)

You need a suitably recent version of Samba. I can't remember the exact
version number, but I'm sure judicious use of Google will find it, or
just use the most recent.




802.1x machine authentication patch help

2007-09-28 Thread Marco Casulli
Hi Jamie,

Marco from BBC in London.

I have read your message
(http://lists.cistron.nl/pipermail/freeradius-users/2005-November/048576.html
related to the error when the radius is trying to authenticate in AD and
I am getting exactly the same message.

"No logon workstation trust account (0xc199)". 

The article is dated Nov 2005 so I hope you have the solution by now!
;-)

How did you fix the problem?

I can't find any resolution on the net.

Thanks
Marco


Re: Machine-Authentication against SaMBa account in LDAP Directory

2007-05-09 Thread Christian Hohmann
Hi members,

@Joe: I use Version 3.0.22-13 of Samba. But I think the "username" that Windows 
sends for authentication with the host account is controlled by the Windows client. 
There I use a Win XP with SP2.

@Phil: Thanks, this solution works great. So I can eliminate the second request 
to the RADIUS service caused by the local realm of the ntdomain "host/". 

@Jacob: It seems to be a good workaround, but it would increase the calls to the 
LDAP directory, so I decided to use Phil's suggestion.

I solved the problem using the mschap module in the filter line of the LDAP 
paragraph that Phil suggested.

Thanks a lot for your hints, simply great!

Best regards - Christian



Re: Machine-Authentication against SaMBa account in LDAP Directory

2007-05-08 Thread Jacob Jarick
Christian,
You may be able to overcome / work around the problem by specifying a
2nd ldap module. Have one that appends the $ and checks and one that
doesn't.

On 5/9/07, Phil Mayers <[EMAIL PROTECTED]> wrote:
> Christian Hohmann wrote:
> > Hi members,
> >
> > I have a problem with the name of hosts. Here is the situation: I
> > have an LDAP Directory which is filled by the samba daemon, for example
> > with hosts that are added to my domain. Samba signs every
> > host-account with a "$" at the end. If my laptop would be named
> > christian, the entry created by SaMBa in LDAP is "christian$"
>
> More recent versions of FreeRadius have an option in the mschap module
> to handle this - you can do:
>
> filter = "(uid=%{mschap:User-Name:-%{User-Name}})"
>
> ...and the mschap module will strip the host/foo.bar to give foo$


Re: Machine-Authentication against SaMBa account in LDAP Directory

2007-05-08 Thread Phil Mayers
Christian Hohmann wrote:
> Hi members,
> 
> I have a problem with the name of hosts. Here is the situation: I
> have an LDAP Directory which is filled by the samba daemon, for example
> with hosts that are added to my domain. Samba signs every
> host-account with a "$" at the end. If my laptop would be named
> christian, the entry created by SaMBa in LDAP is "christian$"

More recent versions of FreeRadius have an option in the mschap module 
to handle this - you can do:

filter = "(uid=%{mschap:User-Name:-%{User-Name}})"

...and the mschap module will strip the host/foo.bar to give foo$
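An added example, not FreeRADIUS or Samba code and not from anyone in this thread, of the identity conversion behind this filter and behind the rlm_mschap log earlier on the page (host/trelane.ka.foobar.de becoming --username=trelane$ with domain ka), together with the RFC 4515 escaping a server should apply before a client-supplied name goes into an LDAP filter and the --domain workaround the earlier poster used with ntlm_auth. The regex, the Identity type, parse_identity, ldap_filter and build_ntlm_auth_args are names I made up; the ntlm_auth option names are real, and the challenge and response values are the ones quoted in the log.

```python
"""Added example, not FreeRADIUS or Samba code: derive the machine account
and domain from an EAP identity the way the thread's rlm_mschap log shows
(host/trelane.ka.foobar.de -> --username=trelane$, domain ka), then build
an LDAP filter and an ntlm_auth argument vector from it safely."""
import re
from typing import List, NamedTuple, Optional

# RFC 4515 escaping for values placed inside an LDAP search filter, so a
# client-chosen identity cannot change the structure of the query.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# host/<shortname>[.<domain label>[.<rest of fqdn>]]  (hypothetical regex,
# modelled on the single log line in the thread, not on rlm_mschap source)
_HOST_RE = re.compile(
    r"^host/([A-Za-z0-9-]+)(?:\.([A-Za-z0-9-]+)(?:\.[A-Za-z0-9.-]+)?)?$"
)


class Identity(NamedTuple):
    account: str            # value for --username= and the LDAP uid lookup
    domain: Optional[str]   # domain label taken from the FQDN, or None
    is_machine: bool        # True for host/ identities (machine auth)


def ldap_escape(value: str) -> str:
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def parse_identity(user_name: str) -> Identity:
    """host/trelane.ka.foobar.de -> Identity('trelane$', 'ka', True).
    A bare host/name carries no domain; DOMAIN\\user and plain user names
    pass through unchanged so the same path serves user authentication."""
    m = _HOST_RE.match(user_name)
    if m:
        short, domain = m.group(1), m.group(2)
        return Identity(short + "$", domain, True)   # Samba stores hosts as name$
    if "\\" in user_name:
        domain, _, account = user_name.partition("\\")
        return Identity(account, domain, False)
    return Identity(user_name, None, False)


def ldap_filter(ident: Identity) -> str:
    """The (uid=...) filter from the reply above, with the value escaped."""
    return "(uid=%s)" % ldap_escape(ident.account)


def build_ntlm_auth_args(ident: Identity, challenge_hex: str,
                         nt_response_hex: str,
                         default_domain: Optional[str] = None) -> List[str]:
    """Argument vector for Samba's ntlm_auth, the callout rlm_mschap makes.
    Built as an argv list, not a shell string, so the $ in trelane$ is never
    expanded.  --domain is only taken from default_domain when the identity
    itself carried none.  Option names are real ntlm_auth options."""
    domain = ident.domain or default_domain
    if domain is None:
        raise ValueError("no domain for %r and no default configured" % ident.account)
    for label, value in (("challenge", challenge_hex), ("nt-response", nt_response_hex)):
        if not re.fullmatch(r"[0-9a-fA-F]+", value):
            raise ValueError("%s must be hex, got %r" % (label, value))
    return [
        "ntlm_auth",
        "--request-nt-key",
        "--username=" + ident.account,
        "--domain=" + domain,
        "--challenge=" + challenge_hex,
        "--nt-response=" + nt_response_hex,
    ]


if __name__ == "__main__":
    ident = parse_identity("host/trelane.ka.foobar.de")   # identity from the log
    print(ident, ldap_filter(ident))
    print(" ".join(build_ntlm_auth_args(
        ident, "36fc487a5fe99e03",
        "b8ec109fa4b1a1ed3b2832f4e9704456febebeb4d790574e")))
```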

