Re: PEAP + Windows XP
Hi,

I've had the same problem some days ago. To solve it I've recompiled freeradius with the following configure and now it's ok:

./configure --with-openssl-includes=/usr/local/src/openssl-0.9.7e/include/ --with-openssl-libraries=/usr/local/src/openssl-0.9.7e/ --disable-shared

I think the problem is that you have more openssl libraries installed. With the --disable-shared you should solve the problem.

Regards
Sergio Sagliocco

Peter L. wrote:
> Hello,
>
> I got a problem with Windows XP and Freeradius using EAP/PEAP. It seems as if Windows does not reply to the Access-Challenge sent by Freeradius.
>
> Windows XP: Authentication tab - Protected EAP. Enabled "Validate server certificate". In Trusted Root Certification Authorities list I enabled my root certificate. As authentication method I select "Secured password (EAP-MSCHAPv2)".
>
> See Freeradius configuration and debug output below.
>
> Any idea?
>
> kind regards,
> Peter
>
> [...]
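Before rebuilding with --disable-shared it is worth confirming that a second OpenSSL really is what radiusd picks up at run time. The script below is an added example, not from Sergio's or Peter's mails and not FreeRADIUS project code: it pulls the libssl/libcrypto lines out of ldd output and fails when any of them resolves outside the OpenSSL prefix the server was configured against. The prefix, the module path and the ldd output in demo() are constructed for the demo; on a real box you point check_file at radiusd and at rlm_eap_tls.so under libdir.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeRADIUS project): report which
# libssl/libcrypto a binary or module resolves to, and flag any that come
# from outside the OpenSSL build radiusd was configured against.
# The prefix and the ldd output used in demo() are constructed for illustration.

# Read ldd output on stdin; print "<soname> <resolved path>" for every
# libssl/libcrypto entry. A library the loader cannot find prints "not found".
openssl_deps() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ {
        path = "not found"
        for (i = 1; i < NF; i++) if ($i == "=>" && $(i + 1) != "not") path = $(i + 1)
        print $1, path
    }'
}

# Read ldd output on stdin; return 0 only if every libssl/libcrypto entry
# resolves under <prefix>. Anything else means a second OpenSSL is in play.
openssl_from_prefix() {
    prefix="$1"
    bad=$(openssl_deps | awk -v p="$prefix" 'index($2, p) != 1')
    [ -z "$bad" ]
}

# check_file <prefix> <path to radiusd or rlm_eap_tls.so>
check_file() {
    prefix="$1"; file="$2"
    [ -r "$file" ] || { echo "$file: not readable"; return 2; }
    if ldd "$file" | openssl_from_prefix "$prefix"; then
        echo "$file: all OpenSSL libraries come from $prefix"
    else
        echo "$file: OpenSSL libraries outside $prefix:"
        ldd "$file" | openssl_deps
        return 1
    fi
}

# Constructed ldd output: libssl from the private 0.9.7e build, libcrypto
# from the distribution copy in /usr/lib. This is the mixed state Sergio
# describes; an LD_PRELOAD of /usr/lib/libcrypto.so (as in the start script
# further down this page) produces the same split on purpose.
demo() {
    prefix=/usr/local/src/openssl-0.9.7e
    sample='libssl.so.0.9.7 => /usr/local/src/openssl-0.9.7e/libssl.so.0.9.7 (0x40020000)
libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0x40100000)
libc.so.6 => /lib/libc.so.6 (0x40200000)'
    if printf '%s\n' "$sample" | openssl_from_prefix "$prefix"; then
        echo "demo: consistent (unexpected for this sample)"; return 1
    fi
    echo "demo: mixed OpenSSL builds detected:"
    printf '%s\n' "$sample" | openssl_deps
}

case "${1:-}" in
    demo)  demo ;;
    check) check_file "$2" "$3" ;;
esac
```

Run it as `sh check-openssl.sh demo` to see the constructed mismatch, or `sh check-openssl.sh check /usr/local/src/openssl-0.9.7e /usr/local/lib/rlm_eap_tls.so` (path assumed from the libdir in the debug output) against a real install. A static build with --disable-shared removes the libssl/libcrypto lines from ldd altogether, which is why Sergio's fix works regardless of what else is installed.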
Re: PEAP + Windows XP
I think that is down to not having the right certificate on the client trying to authenticate. There's a howto somewhere that explains how to get the certificate on the client properly. Do a google to find that, but it sounds as though it is definitely certificate related.

Regards
Dave

- Original Message -
From: "Peter L." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 02, 2004 6:03 PM
Subject: PEAP + Windows XP

> Hello,
>
> I got a problem with Windows XP and Freeradius using EAP/PEAP. It seems as if Windows does not reply to the Access-Challenge sent by Freeradius.
>
> Windows XP: Authentication tab - Protected EAP. Enabled "Validate server certificate". In Trusted Root Certification Authorities list I enabled my root certificate. As authentication method I select "Secured password (EAP-MSCHAPv2)".
>
> See Freeradius configuration and debug output below.
>
> Any idea?
>
> kind regards,
> Peter
>
> [...]
PEAP + Windows XP
Hello,

I got a problem with Windows XP and Freeradius using EAP/PEAP. It seems as if Windows does not reply to the Access-Challenge sent by Freeradius.

Windows XP: Authentication tab - Protected EAP. Enabled "Validate server certificate". In Trusted Root Certification Authorities list I enabled my root certificate. As authentication method I select "Secured password (EAP-MSCHAPv2)".

See Freeradius configuration and debug output below.

Any idea?

kind regards,
Peter

users:
"testuser" User-Password == "Secret149"

radius.conf:
mschap {
	authtype = MS-CHAP
	use_mppe = yes
	require_encryption = yes
	require_strong = yes
}
authorize {
	preprocess
	mschap
	suffix
	eap
	files
}
authenticate {
	Auth-Type MS-CHAP {
		mschap
	}
	eap
}

eap.conf:
eap {
	default_eap_type = peap
	[...]
	tls {
		private_key_password = secret
		private_key_file = ${raddbdir}/certs/my-cert-server.pem
		certificate_file = ${raddbdir}/certs/my-cert-server.pem
		CA_file = ${raddbdir}/certs/my-root.pem
		dh_file = ${raddbdir}/certs/dh
		random_file = ${raddbdir}/certs/random
		fragment_size = 1024
		include_length = yes
	}
	peap {
		default_eap_type = mschapv2
	}
	mschapv2 {
	}
}

freeradius output:
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
main: prefix = "/usr/local"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded eap
eap: default_eap_type = "peap"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/raddb/certs/my-cert-server.pem"
tls: certificate_file = "/etc/raddb/certs/my-cert-server.pem"
tls: CA_file = "/etc/raddb/certs/my-root.pem"
tls: private_key_password = "secret"
tls: dh_file = "/etc/raddb/certs/dh"
tls: random_file = "/etc/raddb/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialize
Re: peap + Windows XP
Stupid AP developers. The whole point of EAP was to provide an authentication *framework* by which hardware would not require upgrades in order to be able to use new authentication methods.

--Mike

On Mon, 2004-07-12 at 16:34, Mark Hoffer wrote:
> I found out what my problem was:
>
> the AP-8110 does not support PEAP.
>
> I thought that this was odd, because it does support some EAP-types.
>
> I am in contact with the manufacturer to see if there is an upgrade
> available.
>
> -Mark
>
> On Wed, 2004-07-07 at 15:18, Michael Griego wrote:
> > Be sure you have added the CA certificate into the trusted root store on
> > your windows machine. If you haven't, your PEAP conversation will stop
> > at this point (right after receiving the EAP-Identity response).
> >
> > --Mike
> >
> > On Wed, 2004-07-07 at 12:01, Mark Hoffer wrote:
> > > Hello Rinaldo-
> > >
> > > I tried what you told me, and it did not help.
> > >
> > > I'm looking at the log here, and see that it is building the TLS
> > > connection, but it is not going to the next step, whatever that may be.
> > >
> > > The XP machine just sits at "Attempting to authenticate"
> > >
> > > If I do a packet dump, then I am able to see the traffic go back and
> > > forth, with no NAKs. I even tried setting a static IP for the machine.
> > >
> > > Is there something that I am missing?
> > >
> > > -Mark
> > >
> > > [...]
Re: peap + Windows XP
I found out what my problem was:

the AP-8110 does not support PEAP.

I thought that this was odd, because it does support some EAP-types.

I am in contact with the manufacturer to see if there is an upgrade available.

-Mark

On Wed, 2004-07-07 at 15:18, Michael Griego wrote:
> Be sure you have added the CA certificate into the trusted root store on
> your windows machine. If you haven't, your PEAP conversation will stop
> at this point (right after receiving the EAP-Identity response).
>
> --Mike
>
> On Wed, 2004-07-07 at 12:01, Mark Hoffer wrote:
> > Hello Rinaldo-
> >
> > I tried what you told me, and it did not help.
> >
> > I'm looking at the log here, and see that it is building the TLS
> > connection, but it is not going to the next step, whatever that may be.
> >
> > The XP machine just sits at "Attempting to authenticate"
> >
> > If I do a packet dump, then I am able to see the traffic go back and
> > forth, with no NAKs. I even tried setting a static IP for the machine.
> >
> > Is there something that I am missing?
> >
> > -Mark
> >
> > [...]
Re: peap + Windows XP
Be sure you have added the CA certificate into the trusted root store on your windows machine. If you haven't, your PEAP conversation will stop at this point (right after receiving the EAP-Identity response).

--Mike

On Wed, 2004-07-07 at 12:01, Mark Hoffer wrote:
> Hello Rinaldo-
>
> I tried what you told me, and it did not help.
>
> I'm looking at the log here, and see that it is building the TLS
> connection, but it is not going to the next step, whatever that may be.
>
> The XP machine just sits at "Attempting to authenticate"
>
> If I do a packet dump, then I am able to see the traffic go back and
> forth, with no NAKs. I even tried setting a static IP for the machine.
>
> Is there something that I am missing?
>
> -Mark
>
> [...]
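The stall Mike describes, a PEAP exchange that goes quiet right after the identity exchange, is what you see when the client cannot build a chain from the server certificate to a root it trusts. The script below is an added example, not from this thread and not FreeRADIUS project code: it verifies the certificate_file from eap.conf against the CA_file with openssl, the same relationship the Windows client has to check, and exports that CA as DER for import into the XP Trusted Root Certification Authorities store. Its demo() builds throwaway keys and certificates in a temp directory; the file names and subjects there are constructed, not the cert-srv.pem/root.pem from Mark's setup.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeRADIUS project). Two checks a
# RADIUS admin can run before touching the Windows client:
#   1. does certificate_file chain to CA_file, i.e. to the root the client
#      will be asked to trust?
#   2. export that root as DER (.cer), a form the XP certificate import
#      wizard accepts for the Trusted Root Certification Authorities store.
# Paths in demo() are constructed; real ones come from the tls { } section
# of eap.conf.

# check_chain <CA_file> <certificate_file>: exit 0 if the server cert
# verifies against the CA, non-zero otherwise (openssl prints the reason).
check_chain() {
    openssl verify -CAfile "$1" "$2"
}

# export_root_der <CA_file> <out.cer>: write the CA certificate as DER.
export_root_der() {
    openssl x509 -in "$1" -outform DER -out "$2"
}

# Build a throwaway root CA, a server cert signed by it and an unrelated
# root, then run both checks. Returns 0 only if the matching root verifies,
# the unrelated one is rejected, and the DER export is non-empty. A minimal
# openssl config is written so the run does not depend on the system one.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$tmp/req.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
        -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$tmp/root.key" -out "$tmp/root.pem" 2>/dev/null || { rm -rf "$tmp"; return 1; }
    openssl req -new -config "$tmp/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=radius.demo.test" \
        -keyout "$tmp/server.key" -out "$tmp/server.csr" 2>/dev/null || { rm -rf "$tmp"; return 1; }
    openssl x509 -req -days 1 -in "$tmp/server.csr" -CA "$tmp/root.pem" -CAkey "$tmp/root.key" \
        -CAcreateserial -out "$tmp/server.pem" 2>/dev/null || { rm -rf "$tmp"; return 1; }
    openssl req -x509 -config "$tmp/req.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
        -days 1 -subj "/CN=Unrelated Root CA" \
        -keyout "$tmp/other.key" -out "$tmp/other.pem" 2>/dev/null || { rm -rf "$tmp"; return 1; }

    # The root that signed the server cert: must verify.
    check_chain "$tmp/root.pem" "$tmp/server.pem" >/dev/null 2>&1 || { rm -rf "$tmp"; return 1; }
    # A root that did not: must fail. This is the client's view when the
    # wrong CA (or none) sits in its trusted root store.
    if check_chain "$tmp/other.pem" "$tmp/server.pem" >/dev/null 2>&1; then rm -rf "$tmp"; return 1; fi
    export_root_der "$tmp/root.pem" "$tmp/root.cer" 2>/dev/null || { rm -rf "$tmp"; return 1; }
    [ -s "$tmp/root.cer" ] || { rm -rf "$tmp"; return 1; }
    rm -rf "$tmp"
    echo "ok: server cert chains to its root, unrelated root rejected, root.cer exported"
}

case "${1:-}" in
    demo)   demo ;;
    verify) check_chain "$2" "$3" ;;
    export) export_root_der "$2" "$3" ;;
esac
```

Against a real install: `sh peap-certs.sh verify /usr/local/etc/raddb/certs/root.pem /usr/local/etc/raddb/certs/cert-srv.pem` must print `OK` before anything else is worth debugging, and `sh peap-certs.sh export .../root.pem root.cer` gives the file to carry to the XP machine. Only the root goes to the client; the server key and certificate stay on the RADIUS host.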
Re: peap + Windows XP
Hello Rinaldo-

I tried what you told me, and it did not help.

I'm looking at the log here, and see that it is building the TLS connection, but it is not going to the next step, whatever that may be.

The XP machine just sits at "Attempting to authenticate"

If I do a packet dump, then I am able to see the traffic go back and forth, with no NAKs. I even tried setting a static IP for the machine.

Is there something that I am missing?

-Mark

/root/start-rad -sAX
+ LD_LIBRARY_PATH=/usr/lib
+ LD_PRELOAD=/usr/lib/libcrypto.so
+ export LD_LIBRARY_PATH LD_PRELOAD
+ radiusd -sAX
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_destination = "files"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: debug_level = 0
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = no
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded eap
eap: default_eap_type = "peap"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = yes
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "Local"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
tls: CA_file = "/usr/local/etc/raddb/certs/root.pem"
tls: private_key_password = "kickass"
tls: dh_file = "/usr/local/etc/raddb/certs/dh"
tls: random_file = "/usr/local/etc/raddb/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = "mschapv2"
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded files
files: usersfile = "/usr/local/etc/raddb/users"
files: acctusersfile = "/usr/local/etc/raddb/acct_users"
files: preproxy_usersfile = "/
Re: peap + Windows XP
Hi Mark!

Mark Hoffer wrote:
> peap: default_eap_type = "gtc"

try changing to default_eap_type = "mschapv2" in the PEAP section of the eap.conf. This must also be specified in the win xp network properties. Hope this helps...

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
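As an added example (not from this thread or from FreeRADIUS), a small Python checker for the kind of radiusd -X startup dump Mark posted: it parses the module: key = value lines, reports a peap default_eap_type that is not mschapv2 (the mismatch the reply above points to), and flags the private_key_password line, which radiusd echoes in clear text and which should be redacted before a log goes to a public list. The sample input is constructed from lines in this thread; the function names are my own.

```python
import re

# Constructed sample of radiusd -X startup lines, modelled on the thread's output
SAMPLE_DEBUG = """\
eap: default_eap_type = "peap"
tls: private_key_password = "kickass"
tls: dh_key_length = 512
peap: default_eap_type = "gtc"
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type peap
"""

# 'module: key = value', with the value either "quoted" or a bare token
LINE_RE = re.compile(r'^\s*(\w+):\s+(\w+)\s*=\s*(?:"([^"]*)"|(\S+))\s*$')
SECRET_KEYS = {"private_key_password"}


def parse_debug(text):
    """Return {(module, key): value} for every settings line; other lines are skipped."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            value = m.group(3) if m.group(3) is not None else m.group(4)
            settings[(m.group(1), m.group(2))] = value
    return settings


def check_peap(settings):
    """Return findings for a Windows XP 'Secured password (EAP-MSCHAPv2)' client; [] is clean."""
    findings = []
    if settings.get(("eap", "default_eap_type")) != "peap":
        findings.append("eap: default_eap_type is not peap")
    inner = settings.get(("peap", "default_eap_type"))
    if inner != "mschapv2":
        findings.append(f'peap: default_eap_type = "{inner}", but XP negotiates mschapv2 inside PEAP')
    for (module, key) in settings:
        if key in SECRET_KEYS:
            findings.append(f"{module}: {key} is echoed in clear text; redact it before sharing the log")
    return findings


def redact(text):
    """Blank out secret values so the dump can be posted to a list."""
    pattern = r'(\b(?:%s) = )"[^"]*"' % "|".join(SECRET_KEYS)
    return re.sub(pattern, r'\1"<redacted>"', text)


if __name__ == "__main__":
    for finding in check_peap(parse_debug(SAMPLE_DEBUG)):
        print(finding)
    print(redact(SAMPLE_DEBUG))
```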
peap + Windows XP
Hello:

I am using redhat 8. I compiled and am using openssl 0.9.7d. My access point is a sendfar ap-8110. I have tried both the latest CVS snapshots of freeradius, and release versions 1.0.0 pre0 and pre3. The client is Windows XP SP1. I have followed the web page http://www.dslreports.com/forum/remark,9286052~mode=flat to a T. I can get the EAP-TLS authentication to work, but I cannot get PEAP to work. I don't know what I am doing wrong. I am supplying the log, but I can also supply the packet dump from the radius side and the XP side if needed as well as the config.

users file--
hoffer  User-Password == "a"
a       User-Password == "a"
        Reply-Message = " YSS, %u"
-end

Thanks-
-Mark

start-rad -sAX
+ LD_LIBRARY_PATH=/usr/lib
+ LD_PRELOAD=/usr/lib/libcrypto.so
+ export LD_LIBRARY_PATH LD_PRELOAD
+ radiusd -sAX
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_destination = "files"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: debug_level = 0
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = no
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded eap
eap: default_eap_type = "peap"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = yes
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "Local"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
tls: CA_file = "/usr/local/etc/raddb/certs/root.pem"
tls: private_key_password = "kickass"
tls: dh_file = "/usr/local/etc/raddb/certs/dh"
tls: random_file = "/usr/local/etc/raddb/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = "gtc"
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_ha
PEAP + windows XP
Hello! :(

Can someone who has configured Windows XP using PEAP - MS-CHAPv2 and freeradius send me the radius.conf and users files and describe the windows xp config? And a sample radiusd -X output of a successful authentication.

Thanx a lot!!!
P.Zibrita :|

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html