Re: radius, 802.1x, eap/tls, and edirectory (ldap)
Arnauld,

It almost looks like something in the supplicant is not configured properly to use the certificate sent from the server during the handshake phase... I have attached a copy of some of my notes (written to myself, so some of the meaning in the notes may not be exactly correct - but heck - they were for me anyway [grin]) that show an EAP/TTLS session negotiation... Take a look and compare to what you are doing to see if you can determine where things are going off the deep end...

I would suggest setting up testing for EAP/TTLS in a simple configuration for user authorization first - then fold in the LDAP authorization.

Hope this helps

gm...

----- Original Message -----
From: Arnauld Dravet [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 23, 2004 8:40 AM
Subject: Re: radius, 802.1x, eap/tls, and edirectory (ldap)

> > Have you looked at the make output from the compile to see if there are any error or warning messages?
>
> Yep, it was my fault: I have openssl 0.9.6 and 0.9.7 installed for certificate generation, and of course I forgot to link freeradius-cvs against 0.9.7 =) Works much better now, at least radiusd is launching.
>
> But I still have a prob during TLS init (I'm trying to set up a TTLS connection): the client (Aegis - WinXP) is configured in TTLS Auth + MS-CHAP-V2 tunneled protocol. Seems like I got a problem with certificates, but I don't understand why, since I'm not supposed to have one on the client side...
>
> Here is the output, sorry if a bit long:
>
> [...]
Re: radius, 802.1x, eap/tls, and edirectory (ldap)
Hi Arnauld,

Have you looked at the make output from the compile to see if there are any error or warning messages? It sounds like either there is an error in the latest CVS stopping the compilation of modules (most likely not) or something the compilation requires is missing - from the sounds of it I am wondering if the OpenSSL version is the correct version - you do have the latest (greater than 0.9.7) of OpenSSL installed??? (I don't install a binary but instead download the source and compile on my machine - seems some of the binaries out there don't install all of the pieces needed to compile parts of freeradius (header files, libs, etc.).

I would first look at the messages thrown out by the make command and the configure command to see if something flags a problem...

Just some thoughts...

gm..

----- Original Message -----
From: Arnauld Dravet [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 23, 2004 6:18 AM
Subject: Re: radius, 802.1x, eap/tls, and edirectory (ldap)

> I really can't get CVS to work. Compiles fine, but I tried several cvs versions and I got that at startup:
>
> Module: Instantiated unix (unix)
> radiusd.conf[9] Failed to link to module 'rlm_eap': file not found
> [EMAIL PROTECTED]:/usr/local/freeradius-cvs#
>
> Don't know if I can use the rlm_eap module from the non-cvs version.
>
> --
> Arnauld Dravet

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radius, 802.1x, eap/tls, and edirectory (ldap)
Mack,

TTLS is not in the 0.9.3 version - you have to use the 1.0.0-pre version to get TTLS support. The nice thing about TTLS is the fact the client security certificate is optional! Makes it much easier to deploy if you have a good number of clients or you don't have access to the wireless devices to install said certificates.

Glad to see you are gaining some insight into the wonderful world of hi-security wireless access [grin]. It is rather complicated but MUCH better at protecting the content of the link vs WEP...

gm...

----- Original Message -----
From: Mack [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, June 22, 2004 3:53 PM
Subject: Re: radius, 802.1x, eap/tls, and edirectory (ldap)

> Gary, Alan,
>
> Thanks guys. Sorry for being so stupid about all of this, but thanks to ya'll and the reading that I've done in this short period of time, I have learned a great deal about how this stuff works.
>
> When using TTLS or PEAP, it seems that I'll still need EAP-TLS... but just on the server side, not the client (am I right?). I think that TTLS will be a better fit as it seems to support more methods, and PEAP seems to be strictly a MS thing. I actually got the PEAP working now, though, thanks to your direction.
>
> I'll look into demoing third party clients. Know of any free ones, though?
>
> It looks like maybe the 0.9.3 version of freeradius does not support TTLS. Is this correct? If so, does the CVS version include support? Sorry if this, too, is documented somewhere, but I just thought I'd ask while I was here.
>
> Thanks for the help!
>
> mack
>
> On 22 Jun 2004 at 12:37, Gary McKinney wrote:
>
> > Mack,
> >
> > Take a look at the following URL: http://3w.denobula.com:5/EAPTLS.pdf
> >
> > [...]
Re: radius, 802.1x, eap/tls, and edirectory (ldap)
> Have you looked at the make output from the compile to see if there are any error or warning messages?

Yep, it was my fault: I have openssl 0.9.6 and 0.9.7 installed for certificate generation, and of course I forgot to link freeradius-cvs against 0.9.7 =) Works much better now, at least radiusd is launching.

But I still have a prob during TLS init (I'm trying to set up a TTLS connection): the client (Aegis - WinXP) is configured in TTLS Auth + MS-CHAP-V2 tunneled protocol. Seems like I got a problem with certificates, but I don't understand why, since I'm not supposed to have one on the client side...

Here is the output, sorry if a bit long:

rad_recv: Access-Request packet from host 192.168.6.3:1794, id=79, length=242
    NAS-IP-Address = 192.168.6.3
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 5
    Framed-MTU = 1400
    User-Name = arnauld.dravet
    Calling-Station-Id = 00904b625711
    Called-Station-Id = 000d54fc1807
    NAS-Identifier = EPSI AP1
    State = 0xfdd7e79f9bbab3286563325da5e5199a
    EAP-Message = 0x0203006a15800060160301005b0157030140d9772aeddf802406fe3f32167240a335e4
99126e92bb2f0423691ebb49fad93000390038003500160013000a00330032002f0066000500
040065006400630062006000150012000900140011000800030100
    Message-Authenticator = 0xfdb7fe56ea406a82a82906e64a1951a2
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module preprocess returns ok for request 2
  modcall[authorize]: module chap returns noop for request 2
  modcall[authorize]: module mschap returns noop for request 2
    rlm_realm: No '@' in User-Name = arnauld.dravet, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 2
  rlm_eap: EAP packet type response id 3 length 106
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 2
  modcall[authorize]: module files returns notfound for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for arnauld.dravet
radius_xlat: '((objectclass=posixAccount)(uid=arnauld.dravet))'
radius_xlat: 'ou=Users,dc=mtp,dc=epsi,dc=fr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,dc=mtp,dc=epsi,dc=fr, with filter ((objectclass=posixAccount)(uid=arnauld.dravet))
rlm_ldap: Added password {CRYPT}$16x5hPKP/.1c in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding acctFlags as SMB-Account-CTRL-TEXT, value [UX op=21
rlm_ldap: Adding ntPassword as NT-Password, value EFAC11B52777F8D7A34BDC1A0F89228D op=21
rlm_ldap: Adding lmPassword as LM-Password, value 136BE46417241D68AAD3B435B51404EE op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user arnauld.dravet authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 2
modcall: group authorize returns updated for request 2
  rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
    TLS_accept: SSLv3 read client hello A
    TLS_accept: SSLv3 write server hello A
    TLS_accept: SSLv3 write certificate A
    TLS_accept: SSLv3 write key exchange A
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data
    TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  modcall[authenticate]: module eap returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 79 to 192.168.6.3:1794
    EAP-Message =
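As an added example (editor's code, not anything posted in this thread and not FreeRADIUS code), here is a small Python decoder for the EAP-Message attribute shown in the debug output above. It rebuilds a packet with the field values the log reports (EAP Response, id 3, length 106, type 21 = EAP-TTLS with the L flag that rlm_eap_tls logs as "Length Included", a TLS 1.0 ClientHello offering the same 24 cipher suites and no session id) and then walks the EAP, EAP-TTLS and TLS headers, checking every length field against the bytes present. The 32 random bytes are constructed; the cipher suite list is the one visible in the logged hello.

```python
# Decode an EAP-TTLS fragment as carried in a RADIUS EAP-Message attribute.
# Added example, not FreeRADIUS code; field values follow the radiusd -X output above.
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_BASED_TYPES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01

# Cipher suite codes in the order the supplicant offered them in the logged ClientHello.
SAMPLE_SUITES = [0x0039, 0x0038, 0x0035, 0x0016, 0x0013, 0x000a, 0x0033, 0x0032,
                 0x002f, 0x0066, 0x0005, 0x0004, 0x0065, 0x0064, 0x0063, 0x0062,
                 0x0060, 0x0015, 0x0012, 0x0009, 0x0014, 0x0011, 0x0008, 0x0003]


def build_sample_packet() -> bytes:
    """Assemble EAP header / EAP-TTLS header / TLS record / ClientHello (constructed)."""
    random32 = bytes(range(32))                        # constructed, not a real nonce
    suites = b"".join(struct.pack("!H", s) for s in SAMPLE_SUITES)
    hello = (b"\x03\x01" + random32 + b"\x00"           # version, random, empty session id
             + struct.pack("!H", len(suites)) + suites
             + b"\x01\x00")                              # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    record = bytes([TLS_HANDSHAKE, 3, 1]) + struct.pack("!H", len(handshake)) + handshake
    # Flags 0x80 = L bit: a 4-byte TLS message length follows ("Length Included").
    ttls = bytes([21, 0x80]) + struct.pack("!I", len(record)) + record
    return struct.pack("!BBH", 2, 3, 4 + len(ttls)) + ttls


def decode_eap_message(pkt: bytes) -> dict:
    """Walk the EAP, EAP-TLS/TTLS/PEAP and TLS headers of one EAP-Message.
    Every length field is checked against the bytes present; ValueError on mismatch."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"EAP length {length} != {len(pkt)} bytes present")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2) or len(pkt) < 6:
        return out                                     # Success/Failure carry no type
    eap_type = pkt[4]
    out["type"] = TLS_BASED_TYPES.get(eap_type, eap_type)
    if eap_type not in TLS_BASED_TYPES:
        return out
    flags = pkt[5]
    out["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
    pos = 6
    if flags & 0x80:                                   # L bit: total TLS message length present
        out["tls_message_length"] = struct.unpack("!I", pkt[6:10])[0]
        pos = 10
    tls = pkt[pos:]
    # Without the M (more fragments) bit the whole TLS message must be in this packet.
    if not out["flags"]["M"] and out.get("tls_message_length", len(tls)) != len(tls):
        raise ValueError("TLS message length does not match the unfragmented payload")
    if len(tls) >= 5 and tls[0] == TLS_HANDSHAKE:
        out["tls_record"] = _parse_handshake_record(tls)
    return out


def _parse_handshake_record(tls: bytes) -> dict:
    """Parse one TLS handshake record; decode the body only when it is a ClientHello."""
    _, vmaj, vmin, rec_len = struct.unpack("!BBBH", tls[:5])
    if rec_len != len(tls) - 5:
        raise ValueError(f"TLS record length {rec_len} != {len(tls) - 5}")
    body = tls[5:]
    rec = {"record_version": TLS_VERSIONS.get((vmaj, vmin), f"{vmaj}.{vmin}"),
           "record_length": rec_len}
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_len != len(body) - 4:
        raise ValueError(f"handshake length {hs_len} != {len(body) - 4}")
    rec["handshake_type"] = "ClientHello" if body[0] == CLIENT_HELLO else body[0]
    if body[0] != CLIENT_HELLO:
        return rec
    hello = body[4:]
    rec["client_version"] = TLS_VERSIONS.get((hello[0], hello[1]), f"{hello[0]}.{hello[1]}")
    rec["random"] = hello[2:34].hex()
    sid_len = hello[34]
    p = 35 + sid_len
    rec["session_id"] = hello[35:p].hex()
    cs_len = struct.unpack("!H", hello[p:p + 2])[0]
    p += 2
    rec["cipher_suites"] = [struct.unpack("!H", hello[i:i + 2])[0]
                            for i in range(p, p + cs_len, 2)]
    p += cs_len
    comp_len = hello[p]
    rec["compression_methods"] = list(hello[p + 1:p + 1 + comp_len])
    return rec


def lengths_consistent(pkt: bytes) -> bool:
    """True when every length field in the packet agrees with the bytes present."""
    try:
        decode_eap_message(pkt)
        return True
    except ValueError:
        return False
```

To run it over your own radiusd -X output, join the wrapped hex of one EAP-Message attribute (without the leading 0x) and pass bytes.fromhex(...) to decode_eap_message.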
Re: radius, 802.1x, eap/tls, and edirectory (ldap)
Update of the previous mail: when I choose on the client to not validate the server certificate chain, radius crashes when opening the TTLS tunnel:

rlm_ldap: user arnauld.dravet authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 20
modcall: group authorize returns updated for request 20
  rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 20
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Length Included
  eaptls_verify returned 11
  eaptls_process returned 7
  rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
Segmentation fault
[EMAIL PROTECTED]:/usr/local/freeradius-cvs#

--
Arnauld Dravet
Re: radius, 802.1x, eap/tls, and edirectory (ldap)
Alan,

At your request, I'll try to reformat this so that it is presented as a problem/challenge rather than a "why doesn't my solution work" post:

Problem:

My AP is a 3com 7250. It requires that you enable 802.1x on itself, the client, and the radius server if you want to use the radius server as the authentication server. My understanding is that 802.1x requires EAP-something. I chose EAP-TLS because my client is stock XP and my understanding is that EAP-TLS is my only option with that client.

My boss asked me if it was possible to authenticate our wireless users against Novell's eDirectory (LDAP). He did not specifically require 802.1x/EAP-anything. The only reason I'm using 802.1x/EAP is because the AP requires it.

I have successfully implemented EAP-TLS authentication between the client, AP, and freeradius. Now I am attempting to add LDAP authentication, but have not been successful. I can provide any configs/logs if needed.

Solution:

None so far. Anyone have any suggestions/comments? What would ya'll do in my position?

thanks,
mack

On 21 Jun 2004 at 23:52, Alan DeKok wrote:

> Mack [EMAIL PROTECTED] wrote:
> > My AP requires that I enable 802.1x in order to use RADIUS authentication. So, I figured I'd use EAP-TLS.
>
> Are you picking it at random, or are you looking at the features it offers, and using your requirements to decide on a solution?
>
> > I'm just testing now... using an XP client, so I chose to use EAP-TLS. I want to use LDAP because that's where our userbase is stored (Novell eDirectory). The idea is to authenticate users via LDAP.
>
> I thought I had been pretty clear in my response: EAP-TLS and LDAP are mutually incompatible. Stop trying to get them to work together.
>
> > I'm only using EAP-TLS because the AP won't let me use RADIUS otherwise. Of course, I'm such a newbie that I'm probably getting it all wrong. That's where I was hoping the list would help.
>
> You should ask about how to solve a problem, rather than asking why the solution you chose didn't work.
>
> > If you were given my task, how would you go about implementing this?
>
> I told you. Go back and read my message.
>
> If you could describe a problem, I might be able to come up with an alternate solution.
>
> Alan DeKok.
Re: radius, 802.1x, eap/tls, and edirectory (ldap)
Mack [EMAIL PROTECTED] wrote:
> I have successfully implemented EAP-TLS authentication between the client, AP, and freeradius. Now I am attempting to add LDAP authentication, but have not been successful.

Because it's impossible.

EAP-TLS provides *nothing* with which to do LDAP authentication. There are no passwords or *anything* carried inside of EAP-TLS. The most you can do is verify that the person using EAP-TLS has an entry in the LDAP database.

Use EAP-TTLS, or PEAP.

Alan DeKok.
Re: radius, 802.1x, eap/tls, and edirectory (ldap)
Mack,

Take a look at the following URL: http://3w.denobula.com:5/EAPTLS.pdf

It may be a little dated but all of the info is still relevant... one thing to take notice of is there is NO user password exchanged, as EAP/TLS does not use a user's password for authentication - that chore is handled by the fact the supplicant contains a VALID user certificate the server recognizes.

I think the above is what Alan is trying to convey to you - you can not use EAP/TLS and LDAP together as there is NO user password exchanged between the supplicant and Freeradius (or any other radius server) in that mode. If you are looking to use LDAP and a very secure method for the link between the client and the AP you will have to use a different method (PEAP or EAP/TTLS come to mind)...

You may want to check out other supplicant software (if you are thinking of using the EAP/TTLS method you may want to check out the Odyssey Supplicant software from Funk Software (they are the ones who came up with TTLS and are working on an RFC to that effect). I may not have stated all of the above totally correctly but you should get the basic meaning [grin]...

There are several RFCs that come with the freeradius package - I would strongly suggest reading them as they are the basis for all the different protocols and authentication methods Alan and company have based the Freeradius software against (I think).

I hope the above information is helpful and taken in the manner in which it was meant (to be informative and helpful)...

gm...

-------- Original Message --------
From: Mack [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Tue, 22 Jun 2004 12:02:33 -0400

> Alan,
>
> At your request, I'll try to reformat this so that it is presented as a problem/challenge rather than a "why doesn't my solution work" post:
>
> [...]
Re: radius, 802.1x, eap/tls, and edirectory (ldap)
Gary, Alan,

Thanks guys. Sorry for being so stupid about all of this, but thanks to ya'll and the reading that I've done in this short period of time, I have learned a great deal about how this stuff works.

When using TTLS or PEAP, it seems that I'll still need EAP-TLS... but just on the server side, not the client (am I right?). I think that TTLS will be a better fit as it seems to support more methods, and PEAP seems to be strictly a MS thing. I actually got the PEAP working now, though, thanks to your direction.

I'll look into demoing third party clients. Know of any free ones, though?

It looks like maybe the 0.9.3 version of freeradius does not support TTLS. Is this correct? If so, does the CVS version include support? Sorry if this, too, is documented somewhere, but I just thought I'd ask while I was here.

Thanks for the help!

mack

On 22 Jun 2004 at 12:37, Gary McKinney wrote:

> Mack,
>
> Take a look at the following URL: http://3w.denobula.com:5/EAPTLS.pdf
>
> [...]
Re: radius, 802.1x, eap/tls, and edirectory (ldap)
> It looks like maybe the 0.9.3 version of freeradius does not support TTLS. Is this correct? If so, does the CVS version include support? Sorry if this, too, is documented somewhere, but I just thought I'd ask while I was here.

I grabbed and compiled the CVS a few hours ago with the goal of making TTLS+mschapv2 work, and it crashes when I launch radiusd, saying that it can't find the rlm_eap module...

Anyway, just for my information (still trying to get my auth working...) are you using a supplicant like Aegis, or just the one provided with your wifi card? In my case, I used the Dell drivers, freeradius 0.9.3, and got strange things during SSL initialisation. Can't get the logs right now though...

--
Arnauld Dravet
Re: radius, 802.1x, eap/tls, and edirectory (ldap)
On Tue, 2004-06-22 at 12:53, Mack wrote:
> I'll look into demoing third party clients. Know of any free ones, though?

Mack,

While buying all new client cards is probably not an option, buying one for testing may be. ZyXEL offers a free version of both the Funk and Meetinghouse supplicants which work only with their ZyAIR clients. The B-100 (a re-badge of the same OEM as a Linksys WPC-11) is about $30 from Provantage. The client s/w is on ZyXEL's ftp site. I've used both for EAP-TLS with 0.93 on XP, W2K and W98 and the Meetinghouse client on Linux.
Re: radius, 802.1x, eap/tls, and edirectory (ldap)
Arnauld,

I am still making sure my configs are okay before starting up the CVS version. Will let you know how it goes.

I am using the drivers provided by 3COM for my wireless nic, which is a 3CRPAG175, a really nice a/b/g card with an xjack antenna. My supplicant is whatever comes stock with XP, plus whatever Windows Update offers on top of that (service packs, recommended updates related to wireless, etc.). I did not see any, nor would I recommend using, drivers from the windows update site. I don't think a supplicant/client was shipped with my card, but to be honest I did not look very hard.

I'm just playing with the XP supplicant right now, but will look at third-party next (like Odyssey (Funk), etc.) since they should support TTLS. I think the Windows XP supplicant will work with PEAP, but not TTLS (someone correct me if I'm wrong).

This is my first attempt at anything wireless (as you may have noticed by my previous posts), so I haven't had much experience with the various supplicants out there. I think you can get a fully working demo of Odyssey (double check that) from Funk Software... it's supposed to do TTLS, plus some other cool stuff with Novell Client signons. We'll see. I'll let you know how my TTLS efforts go with the CVS version.

BTW... are you also attempting Novell LDAP with TTLS?

later,
mack

On 22 Jun 2004 at 22:14, Arnauld Dravet wrote:

> > It looks like maybe the 0.9.3 version of freeradius does not support TTLS. Is this correct? If so, does the CVS version include support? Sorry if this, too, is documented somewhere, but I just thought I'd ask while I was here.
>
> I grabbed and compiled the CVS a few hours ago with the goal of making TTLS+mschapv2 work, and it crashes when I launch radiusd, saying that it can't find the rlm_eap module...
>
> Anyway, just for my information (still trying to get my auth working...) are you using a supplicant like Aegis, or just the one provided with your wifi card? In my case, I used the Dell drivers, freeradius 0.9.3, and got strange things during SSL initialisation. Can't get the logs right now though...
>
> --
> Arnauld Dravet
Re: radius, 802.1x, eap/tls, and edirectory (ldap)
I'm also a total newbie in the wifi world =) Spent 4 days on this auth thing and can't get it to work yet...

I'm not using Novell LDAP, it's an OpenLDAP with all our user info in it: Windows passwords without the 0x in front of the passwords (tried to add it manually; the result is that I can't log in on a workstation after that), and Unix encrypted passwords.

I'll test the Aegis supplicant tomorrow, will post the results...

This is my first attempt at anything wireless (as you may have noticed by my previous posts), so I haven't had much experience with the various supplicants out there. I think you can get a fully working demo of Odyssey (double check that) from Funk Software...it's supposed to do TTLS, plus some other cool stuff with Novell Client signons. We'll see. I'll let you know how my TTLS efforts go with the CVS version. BTW...are you also attempting Novell LDAP with TTLS? later, mack

-- Arnauld Dravet
Re: radius, 802.1x, eap/tls, and edirectory (ldap)
Arnauld, About your runtime error... I'm getting this one:

Failed to link to module 'rlm_exec': rlm_exec.a: cannot open shared object file: No such file or directory

This happens straight out of the box, running radiusd -X...no configuration changes made yet (testing if it runs). I'm running the latest cvs snapshot, 20040622, on a gentoo linux system. Did a standard ./configure, make, make install, with no errors. Strange...if I comment exec in the instantiate section of radiusd.conf, it then gives me the same error but this time with rlm_expr.a. Anyone have any clues what's going on?

thanks

On 22 Jun 2004 at 22:14, Arnauld Dravet wrote:

It looks like maybe the 0.9.3 version of freeradius does not support TTLS. Is this correct? If so, does the CVS version include support? Sorry if this, too, is documented somewhere, but I just thought I'd ask while I was here.

I grabbed and compiled the CVS a few hours ago with the goal of making TTLS+mschapv2 work, and it crashes when I launch radiusd, saying that it can't find the rlm_eap module... Anyway, just for my information (still trying to get my auth working...) are you using a supplicant like Aegis, or just the one provided with your wifi card? In my case, I used the Dell drivers, freeradius 0.9.3, and got strange things during SSL initialisation. Can't get the logs right now though...

-- Arnauld Dravet
Re: radius, 802.1x, eap/tls, and edirectory (ldap)
Mack, I was not trying to blow you off by making the statement about reading the archives... I am still, what I consider, a newbie as well... The statement about a lot of discussion on the subject you are requesting is true, so I thought you would be better served checking over those discussions!

As for documentation - have you read the rlm-eap and rlm-ldap documentation in the docs directory of the installation package? At least the version 1.0.0-pre1 and later source code has information on what you are looking for in terms of using eap/tls and ldap together (in the rlm-eap docs). If you can use the pre-release code I would suggest doing so - while 0.9.3 is stable I have found the pre-release code does more [ymmv]...

gm..

- Original Message - From: Mack [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Sunday, June 20, 2004 10:30 PM Subject: Re: radius, 802.1x, eap/tls, and edirectory (ldap)

Gary, I had scanned them prior to posting, but there seem to be no solutions to all of the problems people have with this configuration. My impression is that most of the gurus on the list are assuming WAY too much of some of us newbies. They keep coming back with the same replies, like read the faqs, readme, rfc, etc., etc. But, that begs the question: If that's going to be the reply each time, then why even bother with the list in the first place? Oh, well. I am definitely taking a more in-depth look at the archives, though, as you've suggested. If nothing else, maybe that will help me form better questions. Thanks for the help! mack
Re: radius, 802.1x, eap/tls, and edirectory (ldap)
Mack [EMAIL PROTECTED] wrote:

I had scanned them prior to posting, but there seem to be no solutions to all of the problems people have with this configuration.

From what I can see you're trying to use EAP-TLS, *and* some kind of LDAP authorization/authentication, but you're not putting the usernames used by EAP-TLS into LDAP. The solution is simple: a) put the usernames into LDAP b) or, get the clients to use usernames which are in LDAP.

My impression is that most of the gurus on the list are assuming WAY too much of some of us newbies. They keep coming back with the same replies, like read the faqs, readme, rfc, etc., etc.

A significant number of questions on this list are answered in the FAQ, README, documentation, etc. Those replies are meant to tell people to stop wasting their time asking questions on the list, when the answer is already in front of them.

But, that begs the question: If that's going to be the reply each time, then why even bother with the list in the first place?

If you would read the list, you would see that most of the questions involve things which are *not* in the FAQ or README. Those questions are answered.

My requirement is to enable 802.1x authentication to the AP's using EAP/TLS. Additionally, I need to be able to authenticate the users to Novell via LDAP.

You can't do this. It's impossible. EAP-TLS is an authentication mechanism. LDAP doesn't know about EAP-TLS, and therefore won't be able to authenticate any EAP-TLS request.

The logs keep passing the EAP username (common name from cert) to ldap and of course ldap spits it out because the object does not exist.

Have you tried adding that object to LDAP? I really don't see what the problem is here.

Maybe this isn't even possible, but here's what I had hoped to come away with: the wireless user boots their laptop, then gets authenticated via eap/tls.

That will work.

They then open a browser, and are asked for username and password (via dialog box?), or are redirected to a login page.

By who? The AP won't do this. And since the AP won't do this, *nothing* will.

The username and password are then passed to ldap for authentication. Successful authentication results in the client being given internet access. Is this possible?

I doubt it. I also don't understand why you want the user to log in twice.

Alan DeKok.
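Alan's point above is the security boundary of the whole design, so it is worth pinning down in code: EAP-TLS proves possession of a certificate, and the directory is consulted only to authorize the identity the supplicant presented (its User-Name, usually the certificate CN). That identity is client-supplied and ends up inside an LDAP search filter, so it needs RFC 4515 escaping before interpolation, or a supplicant can turn a lookup for one account into a match on every account. The Python below is an added example for this page, not code from the thread or from FreeRADIUS; the filter template `(&(objectClass=posixAccount)(uid=...))`, the attribute names and the sample entries are assumptions made for illustration, and the small in-memory filter evaluator stands in for a real directory so the difference between the naive and the escaped lookup can be run offline.

```python
"""Added example (not from the thread, not FreeRADIUS code).

EAP-TLS authenticates with the certificate; the directory is consulted only
to authorize the identity the supplicant presented.  That identity is
client-controlled and is interpolated into an LDAP search filter, so it
must be escaped per RFC 4515.  Filter template, attribute names and the
in-memory sample entries below are assumptions for illustration.
"""
import re


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: backslash, parentheses, '*' and NUL become \\XX."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


FILTER_TEMPLATE = "(&(objectClass=posixAccount)(uid=%s))"   # assumed lookup template


def build_filter_naive(identity: str) -> str:
    """What you get when the EAP identity is pasted into the template verbatim."""
    return FILTER_TEMPLATE % identity


def build_filter_safe(identity: str) -> str:
    return FILTER_TEMPLATE % escape_filter_value(identity)


# --- tiny LDAP filter evaluator: &, |, !, equality with unescaped '*' wildcards ---
def _parse(s: str, i: int):
    if s[i] != "(":
        raise ValueError("expected '(' at %d in %r" % (i, s))
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("unbalanced filter %r" % s)
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, _, val = s[i:j].partition("=")
    return ("=", attr.lower(), val), j + 1


def _unescape(val: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), val)


def _value_matches(pattern: str, actual: str) -> bool:
    # Split on unescaped '*' only; an escaped \2a is a literal asterisk.
    regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
    return re.fullmatch(regex, actual, re.IGNORECASE) is not None


def _eval(node, entry) -> bool:
    if node[0] == "=":
        _, attr, val = node
        return any(_value_matches(val, v) for v in entry.get(attr, []))
    op, kids = node
    if op == "&":
        return all(_eval(k, entry) for k in kids)
    if op == "|":
        return any(_eval(k, entry) for k in kids)
    return not _eval(kids[0], entry)


def search(entries, filt: str):
    node, end = _parse(filt, 0)
    if end != len(filt):
        raise ValueError("trailing data after filter: %r" % filt[end:])
    return [e for e in entries if _eval(node, e)]


# Constructed sample directory (not real accounts).
DIRECTORY = [
    {"objectclass": ["posixAccount"], "uid": ["mack"], "cn": ["Mack"]},
    {"objectclass": ["posixAccount"], "uid": ["arnauld.dravet"], "cn": ["Arnauld Dravet"]},
    {"objectclass": ["posixAccount"], "uid": ["svc-backup"], "cn": ["Backup Service"]},
]


def authorized_uids(identity: str, safe: bool = True):
    """uids the authorization lookup would return for a presented identity."""
    filt = build_filter_safe(identity) if safe else build_filter_naive(identity)
    return sorted(e["uid"][0] for e in search(DIRECTORY, filt))


if __name__ == "__main__":
    for ident in ("mack", "*", "m*"):
        print("%-6r naive=%s safe=%s" % (ident, authorized_uids(ident, False), authorized_uids(ident)))
```

With the naive template an identity of `*` returns every entry, so a server that treats "entry found" as "authorized" would accept any certificate holder as anyone; the escaped form only matches an account whose uid is literally `*`. Current FreeRADIUS releases escape the expanded User-Name inside rlm_ldap; the example shows what a lookup template that skips that step hands to the directory.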
Re: radius, 802.1x, eap/tls, and edirectory (ldap)
Alan, I agree...I should read the docs and the lists more thoroughly.

My AP requires that I enable 802.1x in order to use RADIUS authentication. So, I figured I'd use EAP-TLS. I'm just testing now...using an XP client, so I chose to use EAP-TLS. I want to use LDAP because that's where our userbase is stored (Novell eDirectory). The idea is to authenticate users via LDAP. I'm only using EAP-TLS because the AP won't let me use RADIUS otherwise. Of course, I'm such a newbie that I'm probably getting it all wrong. That's where I was hoping the list would help.

If you were given my task, how would you go about implementing this?

thanks, mack

On 21 Jun 2004 at 11:07, Alan DeKok wrote:

Mack [EMAIL PROTECTED] wrote:

I had scanned them prior to posting, but there seem to be no solutions to all of the problems people have with this configuration.

From what I can see you're trying to use EAP-TLS, *and* some kind of LDAP authorization/authentication, but you're not putting the usernames used by EAP-TLS into LDAP. The solution is simple: a) put the usernames into LDAP b) or, get the clients to use usernames which are in LDAP.

My impression is that most of the gurus on the list are assuming WAY too much of some of us newbies. They keep coming back with the same replies, like read the faqs, readme, rfc, etc., etc.

A significant number of questions on this list are answered in the FAQ, README, documentation, etc. Those replies are meant to tell people to stop wasting their time asking questions on the list, when the answer is already in front of them.

But, that begs the question: If that's going to be the reply each time, then why even bother with the list in the first place?

If you would read the list, you would see that most of the questions involve things which are *not* in the FAQ or README. Those questions are answered.

My requirement is to enable 802.1x authentication to the AP's using EAP/TLS. Additionally, I need to be able to authenticate the users to Novell via LDAP.

You can't do this. It's impossible. EAP-TLS is an authentication mechanism. LDAP doesn't know about EAP-TLS, and therefore won't be able to authenticate any EAP-TLS request.

The logs keep passing the EAP username (common name from cert) to ldap and of course ldap spits it out because the object does not exist.

Have you tried adding that object to LDAP? I really don't see what the problem is here.

Maybe this isn't even possible, but here's what I had hoped to come away with: the wireless user boots their laptop, then gets authenticated via eap/tls.

That will work.

They then open a browser, and are asked for username and password (via dialog box?), or are redirected to a login page.

By who? The AP won't do this. And since the AP won't do this, *nothing* will.

The username and password are then passed to ldap for authentication. Successful authentication results in the client being given internet access. Is this possible?

I doubt it. I also don't understand why you want the user to log in twice.

Alan DeKok.
Re: radius, 802.1x, eap/tls, and edirectory (ldap)
Gary, No, no, not you. I didn't mean you...sorry. You've been helpful...more so, you've shown a willingness to help. Thanks for that.

I followed your suggestion about looking deeper into the list archives, and have progressed a bit further (I think). I stumbled upon PEAP, and configured my client to use mschapv2, thus answering the question of how to send the LDAP username/password to radius. This is all with EAP-TLS working (as far as I can tell). However, there's one catch...

While running radiusd in debug mode, watching the output while the client authenticates (sends username/password), it seems to get caught in a loop...same output over and over again, and the client never gets totally authenticated. The output appears to indicate that the ldap auth and eap auth were both successful, but this is where it keeps looping...over and over again, keeps saying both were successful. Unless I'm just misinterpreting the output (that's VERY likely). I've attached some of the output to this email (hope that's ok...seemed too big to include in the body of the message).

I am using a gentoo ebuild of freeradius now, but will look into the 1.0.0-pre1 version. I did notice that many of the posts assumed the users were on a 1.0.0-pre1 build. If nothing else, I can at least read through the different docs included in that build, as you've suggested.

Ready for a really dumb question? What does ymmv mean? I've often seen it on lists/boards, but have never seen a translation.

Thanks for the help, mack

On 21 Jun 2004 at 6:10, Gary McKinney wrote:

Mack, I was not trying to blow you off by making the statement about reading the archives... I am still, what I consider, a newbie as well... The statement about a lot of discussion on the subject you are requesting is true, so I thought you would be better served checking over those discussions!

As for documentation - have you read the rlm-eap and rlm-ldap documentation in the docs directory of the installation package? At least the version 1.0.0-pre1 and later source code has information on what you are looking for in terms of using eap/tls and ldap together (in the rlm-eap docs). If you can use the pre-release code I would suggest doing so - while 0.9.3 is stable I have found the pre-release code does more [ymmv]...

gm..
Re: radius, 802.1x, eap/tls, and edirectory (ldap)
Hi Mack, As for the looping problem - one question - do you have a wireless network card manager running in the background on the laptop (I don't mean the nic driver) along with the supplicant??? I have EAP/TTLS running at home and ran into a looping problem that sounds the same (authenticated but kept on re-authenticating)... I am running the Odyssey Supplicant on a Windows 2000 machine and there was a Linksys NIC Manager program running at the same time the supplicant was running. The NIC manager was causing the supplicant to disconnect from the nic, thereby causing the supplicant to re-authenticate continuously! (duh!). Turning off the NIC manager software fixed the problem.

As for YMMV, it means Your Mileage May Vary [grin]...

gm...

- Original Message - From: Mack [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, June 21, 2004 8:21 PM Subject: Re: radius, 802.1x, eap/tls, and edirectory (ldap)

Gary, No, no, not you. I didn't mean you...sorry. You've been helpful...more so, you've shown a willingness to help. Thanks for that.

I followed your suggestion about looking deeper into the list archives, and have progressed a bit further (I think). I stumbled upon PEAP, and configured my client to use mschapv2, thus answering the question of how to send the LDAP username/password to radius. This is all with EAP-TLS working (as far as I can tell). However, there's one catch...

While running radiusd in debug mode, watching the output while the client authenticates (sends username/password), it seems to get caught in a loop...same output over and over again, and the client never gets totally authenticated. The output appears to indicate that the ldap auth and eap auth were both successful, but this is where it keeps looping...over and over again, keeps saying both were successful. Unless I'm just misinterpreting the output (that's VERY likely). I've attached some of the output to this email (hope that's ok...seemed too big to include in the body of the message).

I am using a gentoo ebuild of freeradius now, but will look into the 1.0.0-pre1 version. I did notice that many of the posts assumed the users were on a 1.0.0-pre1 build. If nothing else, I can at least read through the different docs included in that build, as you've suggested.

Ready for a really dumb question? What does ymmv mean? I've often seen it on lists/boards, but have never seen a translation.

Thanks for the help, mack
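Gary's diagnosis describes a pattern worth being able to recognise from the server side: when a supplicant keeps being accepted and immediately comes back, the RADIUS server is not the broken part, something on the client (here a NIC manager fighting the supplicant) is resetting the session. Seen from the server that is a burst of successful logins for one station, as opposed to a run of rejects, which would point at credentials or server configuration. The Python below is an added example, not from the thread or from FreeRADIUS, that parses log lines written in the style of a FreeRADIUS radius.log `Auth: Login OK:` entry and flags stations that exceed a number of successes inside a sliding window. The exact line format is an assumption (adjust `LINE_RE` to what your server writes), and the sample log, client name, user names and MAC addresses are constructed for the example.

```python
"""Added example (not from the thread, not FreeRADIUS code).

A supplicant that is accepted and immediately re-authenticates (Gary's
NIC-manager case) shows up on the server as a burst of 'Login OK' entries
for one station.  Count successes per station inside a sliding window and
flag the ones that loop.  The line format follows the style of a FreeRADIUS
radius.log 'Auth:' entry but is an assumption here; the sample log, client
name, users and MAC addresses are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : Auth: "
    r"Login (?P<result>OK|incorrect): \[(?P<user>[^\]/]+)[^\]]*\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)(?: cli (?P<cli>\S+))?\)"
)


def parse_line(line: str):
    """Return a record dict for an Auth: line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
    station = m["cli"] or "%s/port%s" % (m["client"], m["port"])   # fall back to NAS port
    return {"ts": ts, "ok": m["result"] == "OK", "user": m["user"], "station": station}


def find_reauth_loops(lines, window_seconds: int = 60, threshold: int = 5):
    """{station: peak number of successful logins inside any window} for
    stations whose peak reaches threshold.  Only successes count: repeated
    rejects point at credentials or server config, repeated accepts that
    keep coming back point at the client side."""
    window = timedelta(seconds=window_seconds)
    records = sorted(filter(None, map(parse_line, lines)), key=lambda r: r["ts"])
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for rec in records:
        if not rec["ok"]:
            continue
        q = recent[rec["station"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:      # drop successes older than the window
            q.popleft()
        peak[rec["station"]] = max(peak[rec["station"]], len(q))
    return {s: n for s, n in peak.items() if n >= threshold}


# Constructed sample: one station looping every few seconds, one healthy
# station, one failing login and one unrelated line.
SAMPLE_LOG = """\
Mon Jun 21 20:47:01 2004 : Auth: Login OK: [mack] (from client ap1 port 5 cli 0011223344aa)
Mon Jun 21 20:47:05 2004 : Auth: Login OK: [mack] (from client ap1 port 5 cli 0011223344aa)
Mon Jun 21 20:47:09 2004 : Auth: Login OK: [mack] (from client ap1 port 5 cli 0011223344aa)
Mon Jun 21 20:47:13 2004 : Auth: Login OK: [mack] (from client ap1 port 5 cli 0011223344aa)
Mon Jun 21 20:47:17 2004 : Auth: Login OK: [mack] (from client ap1 port 5 cli 0011223344aa)
Mon Jun 21 20:47:21 2004 : Auth: Login OK: [mack] (from client ap1 port 5 cli 0011223344aa)
Mon Jun 21 20:30:00 2004 : Auth: Login OK: [alice] (from client ap1 port 6 cli 0011223344bb)
Mon Jun 21 21:00:00 2004 : Auth: Login OK: [alice] (from client ap1 port 6 cli 0011223344bb)
Mon Jun 21 20:48:00 2004 : Auth: Login incorrect: [bob] (from client ap1 port 7 cli 0011223344cc)
Mon Jun 21 20:48:30 2004 : Info: something unrelated
"""

if __name__ == "__main__":
    print(find_reauth_loops(SAMPLE_LOG.splitlines()))
```

Run against a real radius.log the output names the stations to go and look at; on a flagged laptop the next step is Gary's, finding the second piece of software that owns the card.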
Re: radius, 802.1x, eap/tls, and edirectory (ldap)
Gary, I didn't recognize any services as being a wireless network card manager. Didn't see anything in add/remove, either. Where/how did you find yours?

Thanks for clueing me in on the meaning of ymmv! I'll keep digging around for more information on my problem.

BTW...did you have a chance to look at the output I attached? If so, what's your interpretation?

thanks, mack

On 21 Jun 2004 at 20:47, Gary McKinney wrote:

Hi Mack, As for the looping problem - one question - do you have a wireless network card manager running in the background on the laptop (I don't mean the nic driver) along with the supplicant??? I have EAP/TTLS running at home and ran into a looping problem that sounds the same (authenticated but kept on re-authenticating)... I am running the Odyssey Supplicant on a Windows 2000 machine and there was a Linksys NIC Manager program running at the same time the supplicant was running. The NIC manager was causing the supplicant to disconnect from the nic, thereby causing the supplicant to re-authenticate continuously! (duh!). Turning off the NIC manager software fixed the problem.

As for YMMV, it means Your Mileage May Vary [grin]...

gm...
Re: radius, 802.1x, eap/tls, and edirectory (ldap)
Mack [EMAIL PROTECTED] wrote:

My AP requires that I enable 802.1x in order to use RADIUS authentication. So, I figured I'd use EAP-TLS.

Are you picking it at random, or are you looking at the features it offers, and using your requirements to decide on a solution?

I'm just testing now...using an XP client, so I chose to use EAP-TLS. I want to use LDAP because that's where our userbase is stored (Novell eDirectory). The idea is to authenticate users via LDAP.

I thought I had been pretty clear in my response: EAP-TLS and LDAP are mutually incompatible. Stop trying to get them to work together.

I'm only using EAP-TLS because the AP won't let me use RADIUS otherwise. Of course, I'm such a newbie that I'm probably getting it all wrong. That's where I was hoping the list would help.

You should ask about how to solve a problem, rather than asking why the solution you chose didn't work.

If you were given my task, how would you go about implementing this?

I told you. Go back and read my message. If you could describe a problem, I might be able to come up with an alternate solution.

Alan DeKok.
Re: radius, 802.1x, eap/tls, and edirectory (ldap)
Gary, I had scanned them prior to posting, but there seem to be no solutions to all of the problems people have with this configuration. My impression is that most of the gurus on the list are assuming WAY too much of some of us newbies. They keep coming back with the same replies, like read the faqs, readme, rfc, etc., etc. But, that begs the question: If that's going to be the reply each time, then why even bother with the list in the first place? Oh, well. I am definitely taking a more in-depth look at the archives, though, as you've suggested. If nothing else, maybe that will help me form better questions.

Thanks for the help! mack

On 19 Jun 2004 at 6:34, Gary McKinney wrote:

Mack, Check the email archives over the last three months - there is a great deal of information on using EAP/TLS and how to use LDAP with freeradius (including example snippets). gm...

- Original Message - From: Mack [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, June 18, 2004 11:52 PM Subject: radius, 802.1x, eap/tls, and edirectory (ldap)

Hi, I'm a newbie to all of this, so please bear with me. This list is all I've got!

We are introducing a wireless infrastructure on our campus (a little late in the game). Right now we're in the testing phase. In this testing phase, we are using several 3Com 7250 APs, some 3Com cards capable of 802.1x, and Novell eDirectory (LDAP). My requirement is to enable 802.1x authentication to the APs using EAP/TLS. Additionally, I need to be able to authenticate the users to Novell via LDAP. All via the FreeRADIUS server.

I have configured freeradius version 0.9.3 to work successfully with only ldap authentication against Novell eDirectory. I have also verified that 802.1x authentication is working with the AP. However, if I attempt to somehow enable both authentication mechanisms, I fail. The logs keep passing the EAP username (common name from cert) to ldap and of course ldap spits it out because the object does not exist.

Again, I'm new to this, and maybe I have made incorrect assumptions of what the end result should be. Maybe this isn't even possible, but here's what I had hoped to come away with: the wireless user boots their laptop, then gets authenticated via eap/tls. They then open a browser, and are asked for username and password (via dialog box?), or are redirected to a login page. The username and password are then passed to ldap for authentication. Successful authentication results in the client being given internet access. Is this possible? Or, am I totally misunderstanding how this is all supposed to work (very likely)?

I must admit, I'm not very comfortable when working with the config files. Not too sure what I'm doing in there. I tackled this whole project somewhat blindly, with the help of various bits of info I gathered from google searches. I do need to obtain a good book on this stuff...that's obvious...but I am hoping that someone on this list has experience with getting freeradius to work with eap/tls and novell ldap authentication and is willing to share that experience and wisdom.

(Embarrassed) Sorry again for the newbie-ness of this post, and thanks in advance for any help! mack