Re: PEAP + Windows XP

2004-11-03 Thread Sergio Sagliocco
Hi
I've had the same problem some days ago. To solve it I've recompiled
freeradius with the following configure and now it's ok:
./configure
--with-openssl-includes=/usr/local/src/openssl-0.9.7e/include/
--with-openssl-libraries=/usr/local/src/openssl-0.9.7e/ --disable-shared
I think the problem is that you have more openssl libraries installed.
With the --disable-shared you should solve the problem.

Regards
Sergio Sagliocco
Peter L. wrote:
Hello,
I got a problem with Windows XP and Freeradius using EAP/PEAP.
It seems as if Windows does not reply to the Access-Challenge sent by
Freeradius.
Windows XP:
Authentication tab - Protected EAP
Enabled "Validate server certificate". In the Trusted Root Certification
Authorities list I enabled my root certificate. As authentication method I
select "Secured password (EAP-MSCHAPv2)".
See Freeradius configuration and debug output below.
Any idea?
kind regards,
Peter
users:
"testuser"  User-Password == "Secret149"
radius.conf:
mschap {
authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
require_strong = yes
}
authorize {
preprocess
mschap
suffix
eap
files
}
authenticate {
Auth-Type MS-CHAP {
mschap
}
eap
}
eap.conf:
eap {
default_eap_type = peap
[...]
tls {
private_key_password = secret
private_key_file = ${raddbdir}/certs/my-cert-server.pem
certificate_file = ${raddbdir}/certs/my-cert-server.pem
CA_file = ${raddbdir}/certs/my-root.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
fragment_size = 1024
include_length = yes
}
 peap {
default_eap_type = mschapv2
}
mschapv2 {
}
freeradius output:
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
main: prefix = "/usr/local"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded eap
eap: default_eap_type = "peap"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/raddb/certs/my-cert-server.pem"
tls: cert
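Sergio's advice above rests on the suspicion that two OpenSSL installs are present and the build picked up a mix of them. The quickest way to confirm that before recompiling is to look at what the dynamic linker actually resolves for radiusd and for the TLS module, since a binary linked against one libssl and a module linked against another is exactly the situation --disable-shared (or an LD_PRELOAD hack) papers over. The script below is an added example, not code from the thread or from FreeRADIUS; it assumes the /usr/local prefix shown in the debug output, takes `ldd` output on stdin, and ends with a constructed sample in place of a real run.

```shell
#!/bin/sh
# Added example (not from the list thread): confirm that radiusd and the
# rlm_eap_tls module resolve libssl/libcrypto from ONE OpenSSL install.
# Feed it `ldd` output on stdin, e.g.
#   ldd /usr/local/sbin/radiusd /usr/local/lib/rlm_eap_tls.so | check_single_openssl
# The /usr/local paths are assumptions taken from the debug output in the
# thread (main: libdir = "/usr/local/lib").

# Print the distinct directories that libssl / libcrypto resolve to.
openssl_lib_dirs() {
    awk '/lib(ssl|crypto)\.so/ && $3 ~ /^\// {
             dir = $3
             sub(/\/[^\/]*$/, "", dir)   # strip the file name, keep the directory
             print dir
         }' | sort -u
}

# Exit 0 when every OpenSSL library comes from the same directory,
# 1 when the binary and its modules mix installs.
check_single_openssl() {
    dirs=$(openssl_lib_dirs)
    count=$(printf '%s\n' "$dirs" | grep -c .)
    if [ "$count" -eq 1 ]; then
        echo "ok: OpenSSL resolved from $dirs"
        return 0
    fi
    echo "mixed OpenSSL installs ($count directories):"
    printf '%s\n' "$dirs"
    return 1
}

# Constructed ldd output: a distro OpenSSL in /usr/lib and a hand-built
# 0.9.7e in /usr/local/ssl; radiusd picked one and the module the other.
SAMPLE_MIXED='/usr/local/sbin/radiusd:
        libssl.so.0.9.7 => /usr/local/ssl/lib/libssl.so.0.9.7 (0x40020000)
        libcrypto.so.0.9.7 => /usr/local/ssl/lib/libcrypto.so.0.9.7 (0x40050000)
        libc.so.6 => /lib/libc.so.6 (0x40100000)
/usr/local/lib/rlm_eap_tls.so:
        libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0x40020000)
        libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0x40050000)'

# Stand-alone demo on the constructed sample (reports the mix, does not abort).
printf '%s\n' "$SAMPLE_MIXED" | check_single_openssl || true
```

Run it against the real files after a build; if it reports more than one directory, either rebuild with the --with-openssl-includes/--with-openssl-libraries pair pointing at the same install (as Sergio did) or remove the stray copy, rather than relying on LD_PRELOAD at start-up.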

Re: PEAP + Windows XP

2004-11-02 Thread [EMAIL PROTECTED]
I think that is down to not having the right certificate on the client
trying to authenticate.
There's a howto somewhere that explains how to get the certificate on the
client properly.
Do a google to find that, but it sounds as though it is definitely
certificate related.

Regards
Dave
- Original Message - 
From: "Peter L." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 02, 2004 6:03 PM
Subject: PEAP + Windows XP


Hello,
I got a problem with Windows XP and Freeradius using EAP/PEAP.
It seems as if Windows does not reply to the Access-Challenge sent by
Freeradius.
Windows XP:
Authentication tab - Protected EAP
Enabled "Validate server certificate". In the Trusted Root Certification
Authorities list I enabled my root certificate. As authentication method I
select "Secured password (EAP-MSCHAPv2)".
See Freeradius configuration and debug output below.
Any idea?
kind regards,
Peter
users:
"testuser"  User-Password == "Secret149"
radius.conf:
mschap {
authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
require_strong = yes
}
authorize {
 preprocess
   mschap
suffix
eap
files
}
authenticate {
Auth-Type MS-CHAP {
mschap
}
eap
}
eap.conf:
eap {
default_eap_type = peap
[...]
tls {
private_key_password = secret
private_key_file = ${raddbdir}/certs/my-cert-server.pem
certificate_file = ${raddbdir}/certs/my-cert-server.pem
CA_file = ${raddbdir}/certs/my-root.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
fragment_size = 1024
include_length = yes
}
peap {
default_eap_type = mschapv2
}
mschapv2 {
}
freeradius output:
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
main: prefix = "/usr/local"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded eap
eap: default_eap_type = "peap"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/raddb/certs/my-cert-server.pem"
tls: certificate_file = "/etc/raddb/certs/my-cert-server.pem"
tls: CA_file = "/etc/raddb/certs/my-root.pem"
tls: private_key_password = "secret"
tls: dh_file = "/etc/raddb/certs/dh"
tls: random_file = "/etc/raddb/certs/random"
tls

PEAP + Windows XP

2004-11-02 Thread Peter L.
Hello,

I got a problem with Windows XP and Freeradius using EAP/PEAP.
It seems as if Windows does not reply to the Access-Challenge sent by
Freeradius.


Windows XP:
Authentication tab - Protected EAP
Enabled "Validate server certificate". In the Trusted Root Certification
Authorities list I enabled my root certificate. As authentication method I
select "Secured password (EAP-MSCHAPv2)".

See Freeradius configuration and debug output below.

Any idea?

kind regards,
Peter


users:

"testuser"  User-Password == "Secret149"

radius.conf:

mschap {
authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
require_strong = yes
}

authorize {
preprocess
mschap
suffix
eap
files
}

authenticate {
Auth-Type MS-CHAP {
mschap
}
eap
}

eap.conf:

eap {
default_eap_type = peap

[...]

tls {
private_key_password = secret
private_key_file = ${raddbdir}/certs/my-cert-server.pem
certificate_file = ${raddbdir}/certs/my-cert-server.pem
CA_file = ${raddbdir}/certs/my-root.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
fragment_size = 1024
include_length = yes
}

 peap {
default_eap_type = mschapv2
}

mschapv2 {
}


freeradius output:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded eap
 eap: default_eap_type = "peap"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/raddb/certs/my-cert-server.pem"
 tls: certificate_file = "/etc/raddb/certs/my-cert-server.pem"
 tls: CA_file = "/etc/raddb/certs/my-root.pem"
 tls: private_key_password = "secret"
 tls: dh_file = "/etc/raddb/certs/dh"
 tls: random_file = "/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialize

Re: peap + Windows XP

2004-07-12 Thread Michael Griego
Stupid AP developers.  The whole point of EAP was to provide an
authentication *framework* by which hardware would not require upgrades
in order to be able to use new authentication methods 

--Mike



On Mon, 2004-07-12 at 16:34, Mark Hoffer wrote:
> I found out what my problem was:
> 
> the AP-8110 does not support PEAP.
> 
> I thought that this was odd, because it does support some EAP-types.
> 
> I am in contact with the manufacturer to see if there is an upgrade
> available.
> 
> -Mark
> 
> On Wed, 2004-07-07 at 15:18, Michael Griego wrote:
> > Be sure you have added the CA certificate into the trusted root store on
> > your windows machine.  If you haven't, your PEAP conversation will stop
> > at this point (right after receiving the EAP-Identity response).
> > 
> > --Mike
> > 
> > 
> > On Wed, 2004-07-07 at 12:01, Mark Hoffer wrote:
> > > Hello Rinaldo-
> > > 
> > > I tried what you told me, and it did not help.
> > > 
> > > I'm looking at the log here, and see that it is building the TLS
> > > connection, but it is not going to the next step, whatever that may be.
> > > 
> > > The XP machine just sits at "Attempting to authenticate"
> > > 
> > > If I do a packet dump, then I am able to see the traffic go back and
> > > forth, with no NAKs.  I even tried setting a static IP for the machine.
> > > 
> > > Is there something that I am missing?
> > > 
> > > -Mark
> > > 
> > > /root/start-rad -sAX
> > > + LD_LIBRARY_PATH=/usr/lib
> > > + LD_PRELOAD=/usr/lib/libcrypto.so
> > > + export LD_LIBRARY_PATH LD_PRELOAD
> > > + radiusd -sAX
> > > Starting - reading configuration files ...
> > > reread_config:  reading radiusd.conf
> > > Config:   including file: /usr/local/etc/raddb/proxy.conf
> > > Config:   including file: /usr/local/etc/raddb/clients.conf
> > > Config:   including file: /usr/local/etc/raddb/snmp.conf
> > > Config:   including file: /usr/local/etc/raddb/eap.conf
> > > Config:   including file: /usr/local/etc/raddb/sql.conf
> > >  main: prefix = "/usr/local"
> > >  main: localstatedir = "/usr/local/var"
> > >  main: logdir = "/usr/local/var/log/radius"
> > >  main: libdir = "/usr/local/lib"
> > >  main: radacctdir = "/usr/local/var/log/radius/radacct"
> > >  main: hostname_lookups = no
> > >  main: max_request_time = 30
> > >  main: cleanup_delay = 5
> > >  main: max_requests = 1024
> > >  main: delete_blocked_requests = 0
> > >  main: port = 0
> > >  main: allow_core_dumps = no
> > >  main: log_stripped_names = no
> > >  main: log_file = "/usr/local/var/log/radius/radius.log"
> > >  main: log_destination = "files"
> > >  main: log_auth = no
> > >  main: log_auth_badpass = no
> > >  main: log_auth_goodpass = no
> > >  main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
> > >  main: user = "(null)"
> > >  main: group = "(null)"
> > >  main: usercollide = no
> > >  main: lower_user = "no"
> > >  main: lower_pass = "no"
> > >  main: nospace_user = "no"
> > >  main: nospace_pass = "no"
> > >  main: checkrad = "/usr/local/sbin/checkrad"
> > >  main: debug_level = 0
> > >  main: proxy_requests = yes
> > >  proxy: retry_delay = 5
> > >  proxy: retry_count = 3
> > >  proxy: synchronous = no
> > >  proxy: default_fallback = yes
> > >  proxy: dead_time = 120
> > >  proxy: post_proxy_authorize = yes
> > >  proxy: wake_all_if_all_dead = no
> > >  security: max_attributes = 200
> > >  security: reject_delay = 1
> > >  security: status_server = no
> > > read_config_files:  reading dictionary
> > > read_config_files:  reading naslist
> > > Using deprecated naslist file.  Support for this will go away soon.
> > > read_config_files:  reading clients
> > > read_config_files:  reading realms
> > > radiusd:  entering modules setup
> > > Module: Library search path is /usr/local/lib
> > > Module: Loaded exec
> > >  exec: wait = yes
> > >  exec: program = "(null)"
> > >  exec: input_pairs = "request"
> > >  exec: output_pairs = "(null)"
> > >  exec: packet_type = "(null)"
> > > rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> > > Module: Instantiated exec (exec)
> > > Module: Loaded expr
> > > Module: Instantiated expr (expr)
> > > Module: Loaded PAP
> > >  pap: encryption_scheme = "crypt"
> > > Module: Instantiated pap (pap)
> > > Module: Loaded CHAP
> > > Module: Instantiated chap (chap)
> > > Module: Loaded MS-CHAP
> > >  mschap: use_mppe = no
> > >  mschap: require_encryption = no
> > >  mschap: require_strong = no
> > >  mschap: with_ntdomain_hack = no
> > >  mschap: passwd = "(null)"
> > >  mschap: authtype = "MS-CHAP"
> > >  mschap: ntlm_auth = "(null)"
> > > Module: Instantiated mschap (mschap)
> > > Module: Loaded eap
> > >  eap: default_eap_type = "peap"
> > >  eap: timer_expire = 60
> > >  eap: ignore_unknown_eap_types = yes
> > >  eap: cisco_accounting_username_bug = no
> > > rlm_eap: Loaded and initialized type md5
> > > rlm_eap: Loaded and initialized type leap
> > >  gtc: challenge = "Password: "
> > >  gtc: auth_type = "Local"
> > > rlm_eap: Loaded and initialized type gt

Re: peap + Windows XP

2004-07-12 Thread Mark Hoffer
I found out what my problem was:

the AP-8110 does not support PEAP.

I thought that this was odd, because it does support some EAP-types.

I am in contact with the manufacturer to see if there is an upgrade
available.

-Mark

On Wed, 2004-07-07 at 15:18, Michael Griego wrote:
> Be sure you have added the CA certificate into the trusted root store on
> your windows machine.  If you haven't, your PEAP conversation will stop
> at this point (right after receiving the EAP-Identity response).
> 
> --Mike
> 
> 
> On Wed, 2004-07-07 at 12:01, Mark Hoffer wrote:
> > Hello Rinaldo-
> > 
> > I tried what you told me, and it did not help.
> > 
> > I'm looking at the log here, and see that it is building the TLS
> > connection, but it is not going to the next step, whatever that may be.
> > 
> > The XP machine just sits at "Attempting to authenticate"
> > 
> > If I do a packet dump, then I am able to see the traffic go back and
> > forth, with no NAKs.  I even tried setting a static IP for the machine.
> > 
> > Is there something that I am missing?
> > 
> > -Mark
> > 
> > /root/start-rad -sAX
> > + LD_LIBRARY_PATH=/usr/lib
> > + LD_PRELOAD=/usr/lib/libcrypto.so
> > + export LD_LIBRARY_PATH LD_PRELOAD
> > + radiusd -sAX
> > Starting - reading configuration files ...
> > reread_config:  reading radiusd.conf
> > Config:   including file: /usr/local/etc/raddb/proxy.conf
> > Config:   including file: /usr/local/etc/raddb/clients.conf
> > Config:   including file: /usr/local/etc/raddb/snmp.conf
> > Config:   including file: /usr/local/etc/raddb/eap.conf
> > Config:   including file: /usr/local/etc/raddb/sql.conf
> >  main: prefix = "/usr/local"
> >  main: localstatedir = "/usr/local/var"
> >  main: logdir = "/usr/local/var/log/radius"
> >  main: libdir = "/usr/local/lib"
> >  main: radacctdir = "/usr/local/var/log/radius/radacct"
> >  main: hostname_lookups = no
> >  main: max_request_time = 30
> >  main: cleanup_delay = 5
> >  main: max_requests = 1024
> >  main: delete_blocked_requests = 0
> >  main: port = 0
> >  main: allow_core_dumps = no
> >  main: log_stripped_names = no
> >  main: log_file = "/usr/local/var/log/radius/radius.log"
> >  main: log_destination = "files"
> >  main: log_auth = no
> >  main: log_auth_badpass = no
> >  main: log_auth_goodpass = no
> >  main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
> >  main: user = "(null)"
> >  main: group = "(null)"
> >  main: usercollide = no
> >  main: lower_user = "no"
> >  main: lower_pass = "no"
> >  main: nospace_user = "no"
> >  main: nospace_pass = "no"
> >  main: checkrad = "/usr/local/sbin/checkrad"
> >  main: debug_level = 0
> >  main: proxy_requests = yes
> >  proxy: retry_delay = 5
> >  proxy: retry_count = 3
> >  proxy: synchronous = no
> >  proxy: default_fallback = yes
> >  proxy: dead_time = 120
> >  proxy: post_proxy_authorize = yes
> >  proxy: wake_all_if_all_dead = no
> >  security: max_attributes = 200
> >  security: reject_delay = 1
> >  security: status_server = no
> > read_config_files:  reading dictionary
> > read_config_files:  reading naslist
> > Using deprecated naslist file.  Support for this will go away soon.
> > read_config_files:  reading clients
> > read_config_files:  reading realms
> > radiusd:  entering modules setup
> > Module: Library search path is /usr/local/lib
> > Module: Loaded exec
> >  exec: wait = yes
> >  exec: program = "(null)"
> >  exec: input_pairs = "request"
> >  exec: output_pairs = "(null)"
> >  exec: packet_type = "(null)"
> > rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> > Module: Instantiated exec (exec)
> > Module: Loaded expr
> > Module: Instantiated expr (expr)
> > Module: Loaded PAP
> >  pap: encryption_scheme = "crypt"
> > Module: Instantiated pap (pap)
> > Module: Loaded CHAP
> > Module: Instantiated chap (chap)
> > Module: Loaded MS-CHAP
> >  mschap: use_mppe = no
> >  mschap: require_encryption = no
> >  mschap: require_strong = no
> >  mschap: with_ntdomain_hack = no
> >  mschap: passwd = "(null)"
> >  mschap: authtype = "MS-CHAP"
> >  mschap: ntlm_auth = "(null)"
> > Module: Instantiated mschap (mschap)
> > Module: Loaded eap
> >  eap: default_eap_type = "peap"
> >  eap: timer_expire = 60
> >  eap: ignore_unknown_eap_types = yes
> >  eap: cisco_accounting_username_bug = no
> > rlm_eap: Loaded and initialized type md5
> > rlm_eap: Loaded and initialized type leap
> >  gtc: challenge = "Password: "
> >  gtc: auth_type = "Local"
> > rlm_eap: Loaded and initialized type gtc
> >  tls: rsa_key_exchange = no
> >  tls: dh_key_exchange = yes
> >  tls: rsa_key_length = 512
> >  tls: dh_key_length = 512
> >  tls: verify_depth = 0
> >  tls: CA_path = "(null)"
> >  tls: pem_file_type = yes
> >  tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
> >  tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
> >  tls: CA_file = "/usr/local/etc/raddb/certs/root.pem"
> >  tls: private_key_password = "kickass"
> >  tls: dh_file = "/usr/local/etc/raddb/certs/dh"
> 

Re: peap + Windows XP

2004-07-07 Thread Michael Griego
Be sure you have added the CA certificate into the trusted root store on
your windows machine.  If you haven't, your PEAP conversation will stop
at this point (right after receiving the EAP-Identity response).

--Mike


On Wed, 2004-07-07 at 12:01, Mark Hoffer wrote:
> Hello Rinaldo-
> 
> I tried what you told me, and it did not help.
> 
> I'm looking at the log here, and see that it is building the TLS
> connection, but it is not going to the next step, whatever that may be.
> 
> The XP machine just sits at "Attempting to authenticate"
> 
> If I do a packet dump, then I am able to see the traffic go back and
> forth, with no NAKs.  I even tried setting a static IP for the machine.
> 
> Is there something that I am missing?
> 
> -Mark
> 
> /root/start-rad -sAX
> + LD_LIBRARY_PATH=/usr/lib
> + LD_PRELOAD=/usr/lib/libcrypto.so
> + export LD_LIBRARY_PATH LD_PRELOAD
> + radiusd -sAX
> Starting - reading configuration files ...
> reread_config:  reading radiusd.conf
> Config:   including file: /usr/local/etc/raddb/proxy.conf
> Config:   including file: /usr/local/etc/raddb/clients.conf
> Config:   including file: /usr/local/etc/raddb/snmp.conf
> Config:   including file: /usr/local/etc/raddb/eap.conf
> Config:   including file: /usr/local/etc/raddb/sql.conf
>  main: prefix = "/usr/local"
>  main: localstatedir = "/usr/local/var"
>  main: logdir = "/usr/local/var/log/radius"
>  main: libdir = "/usr/local/lib"
>  main: radacctdir = "/usr/local/var/log/radius/radacct"
>  main: hostname_lookups = no
>  main: max_request_time = 30
>  main: cleanup_delay = 5
>  main: max_requests = 1024
>  main: delete_blocked_requests = 0
>  main: port = 0
>  main: allow_core_dumps = no
>  main: log_stripped_names = no
>  main: log_file = "/usr/local/var/log/radius/radius.log"
>  main: log_destination = "files"
>  main: log_auth = no
>  main: log_auth_badpass = no
>  main: log_auth_goodpass = no
>  main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
>  main: user = "(null)"
>  main: group = "(null)"
>  main: usercollide = no
>  main: lower_user = "no"
>  main: lower_pass = "no"
>  main: nospace_user = "no"
>  main: nospace_pass = "no"
>  main: checkrad = "/usr/local/sbin/checkrad"
>  main: debug_level = 0
>  main: proxy_requests = yes
>  proxy: retry_delay = 5
>  proxy: retry_count = 3
>  proxy: synchronous = no
>  proxy: default_fallback = yes
>  proxy: dead_time = 120
>  proxy: post_proxy_authorize = yes
>  proxy: wake_all_if_all_dead = no
>  security: max_attributes = 200
>  security: reject_delay = 1
>  security: status_server = no
> read_config_files:  reading dictionary
> read_config_files:  reading naslist
> Using deprecated naslist file.  Support for this will go away soon.
> read_config_files:  reading clients
> read_config_files:  reading realms
> radiusd:  entering modules setup
> Module: Library search path is /usr/local/lib
> Module: Loaded exec
>  exec: wait = yes
>  exec: program = "(null)"
>  exec: input_pairs = "request"
>  exec: output_pairs = "(null)"
>  exec: packet_type = "(null)"
> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> Module: Instantiated exec (exec)
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded PAP
>  pap: encryption_scheme = "crypt"
> Module: Instantiated pap (pap)
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Module: Loaded MS-CHAP
>  mschap: use_mppe = no
>  mschap: require_encryption = no
>  mschap: require_strong = no
>  mschap: with_ntdomain_hack = no
>  mschap: passwd = "(null)"
>  mschap: authtype = "MS-CHAP"
>  mschap: ntlm_auth = "(null)"
> Module: Instantiated mschap (mschap)
> Module: Loaded eap
>  eap: default_eap_type = "peap"
>  eap: timer_expire = 60
>  eap: ignore_unknown_eap_types = yes
>  eap: cisco_accounting_username_bug = no
> rlm_eap: Loaded and initialized type md5
> rlm_eap: Loaded and initialized type leap
>  gtc: challenge = "Password: "
>  gtc: auth_type = "Local"
> rlm_eap: Loaded and initialized type gtc
>  tls: rsa_key_exchange = no
>  tls: dh_key_exchange = yes
>  tls: rsa_key_length = 512
>  tls: dh_key_length = 512
>  tls: verify_depth = 0
>  tls: CA_path = "(null)"
>  tls: pem_file_type = yes
>  tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
>  tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
>  tls: CA_file = "/usr/local/etc/raddb/certs/root.pem"
>  tls: private_key_password = "kickass"
>  tls: dh_file = "/usr/local/etc/raddb/certs/dh"
>  tls: random_file = "/usr/local/etc/raddb/certs/random"
>  tls: fragment_size = 1024
>  tls: include_length = yes
>  tls: check_crl = no
>  tls: check_cert_cn = "(null)"
> rlm_eap: Loaded and initialized type tls
>  peap: default_eap_type = "mschapv2"
>  peap: copy_request_to_tunnel = no
>  peap: use_tunneled_reply = no
>  peap: proxy_tunneled_request_as_eap = yes
> rlm_eap: Loaded and initialized type peap
>  mschapv2: with_ntdomain_hack = no
> rlm_eap: Loaded and initialized type mschapv2
> Module: Instantiated eap (eap)
> Mod
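Michael's point, and the reason the XP client sits at "Attempting to authenticate" with no NAK on the wire, is that the supplicant validates the server certificate against its Trusted Root store before it will continue the PEAP conversation, and it does not tell the RADIUS server why it stopped. Two things have to hold for that validation to pass: the server certificate must chain to the root that was imported on the client (the CA_file in eap.conf), and it must carry the Server Authentication extended key usage (OID 1.3.6.1.5.5.7.3.1), which the Windows supplicant requires on PEAP server certificates. The script below is an added example, not code from the thread or from the FreeRADIUS distribution; it builds a throwaway CA and two server certificates with the openssl CLI (constructed test data, assumed file names) and runs both checks against each.

```shell
#!/bin/sh
# Added example (not from the list thread): verify with the openssl CLI that a
# FreeRADIUS server certificate will be accepted by a Windows XP supplicant
# that has "Validate server certificate" ticked.  Two things must hold:
#   1. the cert chains to the root imported into the client's Trusted Root
#      Certification Authorities store (CA_file in eap.conf), and
#   2. the cert carries the Server Authentication EKU (1.3.6.1.5.5.7.3.1),
#      which the Windows supplicant requires on PEAP server certificates.
# All file names below are assumptions, not the ones from the thread.

# check_peap_server_cert CA_FILE CERT_FILE  -> exit 0 only if both checks pass
check_peap_server_cert() {
    ca="$1"; cert="$2"
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $ca"
        return 1
    fi
    if ! openssl x509 -in "$cert" -noout -text | grep -q 'TLS Web Server Authentication'; then
        echo "FAIL: $cert lacks the serverAuth extended key usage"
        return 1
    fi
    echo "OK: $cert chains to $ca and has the serverAuth EKU"
    return 0
}

# make_test_pki DIR -> constructed throwaway PKI: ca.pem plus one server cert
# issued with the XP-required EKU (srv_ok.pem) and one without (srv_noeku.pem).
make_test_pki() {
    dir="$1"
    printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = keyCertSign,cRLSign\n' > "$dir/ca_ext.cnf"
    printf 'extendedKeyUsage = serverAuth\n' > "$dir/srv_ext.cnf"
    # self-signed root, the thing the XP client would have in its trusted store
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Root CA' \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 1 \
        -extfile "$dir/ca_ext.cnf" -out "$dir/ca.pem" >/dev/null 2>&1
    # one server key / CSR, signed twice: with and without the EKU extension
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=radius.example.test' \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/srv_ext.cnf" \
        -out "$dir/srv_ok.pem" >/dev/null 2>&1
    openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/srv_noeku.pem" >/dev/null 2>&1
}

# Stand-alone demo: build the throwaway PKI and run the check on both certs.
demo_dir=$(mktemp -d)
make_test_pki "$demo_dir"
check_peap_server_cert "$demo_dir/ca.pem" "$demo_dir/srv_ok.pem"
check_peap_server_cert "$demo_dir/ca.pem" "$demo_dir/srv_noeku.pem" || true
rm -rf "$demo_dir"
```

Against a real deployment, call check_peap_server_cert with the CA_file and certificate_file paths from the tls section of eap.conf; the root it verifies against must be the same file that was imported on the Windows side, and a pass here still does not cover a client that has the root installed but has ticked the wrong entry in its trusted list.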

Re: peap + Windows XP

2004-07-07 Thread Mark Hoffer
Hello Rinaldo-

I tried what you told me, and it did not help.

I'm looking at the log here, and see that it is building the TLS
connection, but it is not going to the next step, whatever that may be.

The XP machine just sits at "Attempting to authenticate"

If I do a packet dump, then I am able to see the traffic go back and
forth, with no NAKs.  I even tried setting a static IP for the machine.

Is there something that I am missing?

-Mark

/root/start-rad -sAX
+ LD_LIBRARY_PATH=/usr/lib
+ LD_PRELOAD=/usr/lib/libcrypto.so
+ export LD_LIBRARY_PATH LD_PRELOAD
+ radiusd -sAX
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_destination = "files"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: debug_level = 0
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = no
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded eap
 eap: default_eap_type = "peap"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = yes
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "Local"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
 tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
 tls: CA_file = "/usr/local/etc/raddb/certs/root.pem"
 tls: private_key_password = "kickass"
 tls: dh_file = "/usr/local/etc/raddb/certs/dh"
 tls: random_file = "/usr/local/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded files
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile = "/usr/local/etc/raddb/acct_users"
 files: preproxy_usersfile = "/

Re: peap + Windows XP

2004-07-07 Thread Rinaldo Bergamini
Hi Mark!

Mark Hoffer wrote:
>  peap: default_eap_type = "gtc"

try changing to default_eap_type = "mschapv2" in the PEAP section of the 
eap.conf. This must also be specified in the Windows XP network properties.

Hope this helps...

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
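The mismatch Rinaldo points at (the server's PEAP inner type versus what the XP client is configured for) can be read straight off the `radiusd -X` startup output quoted throughout this thread. The script below is an added example, not code from the thread or from FreeRADIUS: it parses the module-setting lines of such output (run here against a constructed sample in the same shape) and reports the inner-type mismatch together with a few other settings visible in these dumps that an administrator would want to look at before going live (the TLS private key password is printed in the clear, 512-bit ephemeral key lengths, CRL checking off).

```python
import re

# Constructed sample in the shape of the `radiusd -X` startup output quoted
# in this thread (not a real capture): one module setting per line.
SAMPLE_DEBUG = """\
 mschap: use_mppe = no
 mschap: require_encryption = no
 mschap: require_strong = no
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: private_key_password = "kickass"
 tls: check_crl = no
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = "gtc"
rlm_eap: Loaded and initialized type peap
"""

# Matches ` module: key = value` lines; quoted values keep their contents.
SETTING_RE = re.compile(r'^\s*(\w+): (\w+) = "?([^"]*)"?\s*$')

def parse_debug(text):
    """Return {module: {key: value}} from the module-setting lines of radiusd -X output."""
    settings = {}
    for line in text.splitlines():
        m = SETTING_RE.match(line)
        if m:
            module, key, value = m.groups()
            settings.setdefault(module, {})[key] = value
    return settings

def review(settings, client_inner_type="mschapv2"):
    """Flag the PEAP inner-type mismatch from this thread plus settings worth a second look."""
    findings = []
    inner = settings.get("peap", {}).get("default_eap_type")
    if inner != client_inner_type:
        findings.append("peap default_eap_type=%r but the client offers %r" % (inner, client_inner_type))
    for key in ("use_mppe", "require_encryption", "require_strong"):
        if settings.get("mschap", {}).get(key) == "no":
            findings.append("mschap %s = no" % key)
    tls = settings.get("tls", {})
    for key in ("rsa_key_length", "dh_key_length"):
        if tls.get(key, "").isdigit() and int(tls[key]) < 1024:
            findings.append("tls %s = %s is short for an ephemeral key" % (key, tls[key]))
    if tls.get("check_crl") == "no":
        findings.append("tls check_crl = no (revoked client certificates are not checked)")
    if tls.get("private_key_password"):
        findings.append("tls private_key_password appears in clear in debug output; handle the log as a secret")
    return findings
```

Feed it the real output with `review(parse_debug(open("radiusd-X.log").read()))`; once `default_eap_type` in the peap section matches the client, the first finding disappears and the rest remain for review.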


peap + Windows XP

2004-07-06 Thread Mark Hoffer
Hello:

I am using redhat 8.
I compiled and am using openssl 0.9.7d.

My access point is a sendfar ap-8110.

I have tried both the latest CVS snapshots of freeradius, and release
versions 1.0.0 pre0 and pre3.

The client is Windows XP SP1

I have followed the web page
http://www.dslreports.com/forum/remark,9286052~mode=flat to a T.

I can get the EAP-TLS authentication to work, but I can not get PEAP to
work.  I don't know what I am doing wrong.  I am supplying the log, but
I can also supply the packet dump from the radius side and the XP side
if needed as well as the config.

users file--

hoffer  User-Password == "a"

a User-Password == "a"
Reply-Message = " YSS, %u"

-end

Thanks-
-Mark


start-rad -sAX
+ LD_LIBRARY_PATH=/usr/lib
+ LD_PRELOAD=/usr/lib/libcrypto.so
+ export LD_LIBRARY_PATH LD_PRELOAD
+ radiusd -sAX
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_destination = "files"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: debug_level = 0
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = no
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded eap
 eap: default_eap_type = "peap"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = yes
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "Local"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
 tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
 tls: CA_file = "/usr/local/etc/raddb/certs/root.pem"
 tls: private_key_password = "kickass"
 tls: dh_file = "/usr/local/etc/raddb/certs/dh"
 tls: random_file = "/usr/local/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = "gtc"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_ha

PEAP + windows XP

2004-03-05 Thread zip
Hello!

  :( Can someone, who has configured Windows XP using PEAP - MS-CHAPv2 and
freeradius send me the radius.conf, users files and describe the Windows
XP config? And a sample radiusd -X output of successful authentication.
Thanx a lot!!!

P.Zibrita :|
